
Commit 2aa3cf9

committed
Reflective initialization in release configuration
1 parent 8d1454f commit 2aa3cf9

5 files changed

Lines changed: 58 additions & 28 deletions


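--- a/MemoryModule/Initialize.cpp
+++ b/MemoryModule/Initialize.cpp
@@ -1,7 +1,7 @@
 #include "stdafx.h"
 #include "LoaderPrivate.h"
 #include <wchar.h>
-#include <cassert>
+#include <cstdio>
 
 PMMP_GLOBAL_DATA MmpGlobalDataPtr;
 
@@ -544,7 +544,9 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
 if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
 if (NT_SUCCESS(Initialize())) {
 if (lpReserved == (PVOID)-1) {
-assert(ReflectiveMapDll(hModule));
+if (!ReflectiveMapDll(hModule)) {
+RtlRaiseStatus(STATUS_NOT_SUPPORTED);
+}
 }
 
 return TRUE;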
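Review bot: In the second hunk a failed ReflectiveMapDll() now raises an exception out of DllMain during DLL_PROCESS_ATTACH, whereas the conventional failure signal for that notification is returning FALSE so the caller can unwind the mapping itself; `if (!ReflectiveMapDll(hModule)) return FALSE;` keeps the release-build check without depending on whoever invokes DllMain with `lpReserved == (PVOID)-1` having an SEH frame around the call, which cannot be seen from this hunk. If raising is deliberate, STATUS_NOT_SUPPORTED misdescribes a mapping failure; STATUS_DLL_INIT_FAILED reads closer to what happened, and a one-line comment such as `// reflective entry: lpReserved == -1 is our own sentinel, not a loader value` would explain the sentinel compare to the next reader. The first hunk swaps `<cassert>` for `<cstdio>`, but neither hunk uses a stdio call; if nothing else in the file does, the new include is dead. DllMain begins before and continues after this hunk.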

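--- a/MemoryModule/Loader.h
+++ b/MemoryModule/Loader.h
@@ -61,7 +61,7 @@ NTSTATUS NTAPI LdrLoadDllMemoryExW(
 //Unload modules previously loaded from memory
 NTSTATUS NTAPI LdrUnloadDllMemory(_In_ HMEMORYMODULE BaseAddress);
 
-#ifndef _USRDLL
+#if (!defined(_USRDLL) && defined(_MEMORY_MODULE))
 #ifdef _WIN64
 #pragma comment(linker,"/export:LdrUnloadDllMemoryAndExitThread")
 #pragma comment(linker,"/export:FreeLibraryMemoryAndExitThread=LdrUnloadDllMemoryAndExitThread")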
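Review bot: The new `_MEMORY_MODULE` guard is undocumented, and nothing in the header says who defines it or why a consumer must not; the reason appears to be that test.exe now includes this header without linking the library and would otherwise emit `/export:` directives for symbols it does not have. A comment above the `#if`, `// _MEMORY_MODULE is defined only by MemoryModule.vcxproj; a consumer TU that includes this header must not emit these linker exports`, records that contract where the next person editing the condition will see it. The `#if` block continues past the end of the hunk.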

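--- a/MemoryModule/MemoryModule.vcxproj
+++ b/MemoryModule/MemoryModule.vcxproj
@@ -265,7 +265,7 @@
 <PrecompiledHeader>NotUsing</PrecompiledHeader>
 <WarningLevel>Level3</WarningLevel>
 <SDLCheck>true</SDLCheck>
-<PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<PreprocessorDefinitions>_MEMORY_MODULE;WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 <ConformanceMode>true</ConformanceMode>
 <PrecompiledHeaderFile>
 </PrecompiledHeaderFile>
@@ -283,7 +283,7 @@
 <PrecompiledHeader>NotUsing</PrecompiledHeader>
 <WarningLevel>Level3</WarningLevel>
 <SDLCheck>true</SDLCheck>
-<PreprocessorDefinitions>WIN32;_DEBUG;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<PreprocessorDefinitions>_MEMORY_MODULE;WIN32;_DEBUG;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 <ConformanceMode>true</ConformanceMode>
 <PrecompiledHeaderFile>
 </PrecompiledHeaderFile>
@@ -302,7 +302,7 @@
 <PrecompiledHeader>NotUsing</PrecompiledHeader>
 <WarningLevel>Level3</WarningLevel>
 <SDLCheck>true</SDLCheck>
-<PreprocessorDefinitions>_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<PreprocessorDefinitions>_MEMORY_MODULE;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 <ConformanceMode>true</ConformanceMode>
 <PrecompiledHeaderFile>
 </PrecompiledHeaderFile>
@@ -320,7 +320,7 @@
 <PrecompiledHeader>NotUsing</PrecompiledHeader>
 <WarningLevel>Level3</WarningLevel>
 <SDLCheck>true</SDLCheck>
-<PreprocessorDefinitions>_DEBUG;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<PreprocessorDefinitions>_MEMORY_MODULE;_DEBUG;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 <ConformanceMode>true</ConformanceMode>
 <PrecompiledHeaderFile>
 </PrecompiledHeaderFile>
@@ -341,7 +341,7 @@
 <FunctionLevelLinking>true</FunctionLevelLinking>
 <IntrinsicFunctions>true</IntrinsicFunctions>
 <SDLCheck>true</SDLCheck>
-<PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<PreprocessorDefinitions>_MEMORY_MODULE;WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 <ConformanceMode>true</ConformanceMode>
 <PrecompiledHeaderFile>
 </PrecompiledHeaderFile>
@@ -363,7 +363,7 @@
 <FunctionLevelLinking>true</FunctionLevelLinking>
 <IntrinsicFunctions>true</IntrinsicFunctions>
 <SDLCheck>true</SDLCheck>
-<PreprocessorDefinitions>WIN32;NDEBUG;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<PreprocessorDefinitions>_MEMORY_MODULE;WIN32;NDEBUG;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 <ConformanceMode>true</ConformanceMode>
 <PrecompiledHeaderFile>
 </PrecompiledHeaderFile>
@@ -386,7 +386,7 @@
 <FunctionLevelLinking>true</FunctionLevelLinking>
 <IntrinsicFunctions>true</IntrinsicFunctions>
 <SDLCheck>true</SDLCheck>
-<PreprocessorDefinitions>NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<PreprocessorDefinitions>_MEMORY_MODULE;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 <ConformanceMode>true</ConformanceMode>
 <PrecompiledHeaderFile>
 </PrecompiledHeaderFile>
@@ -408,7 +408,7 @@
 <FunctionLevelLinking>true</FunctionLevelLinking>
 <IntrinsicFunctions>true</IntrinsicFunctions>
 <SDLCheck>true</SDLCheck>
-<PreprocessorDefinitions>NDEBUG;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+<PreprocessorDefinitions>_MEMORY_MODULE;NDEBUG;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 <ConformanceMode>true</ConformanceMode>
 <PrecompiledHeaderFile>
 </PrecompiledHeaderFile>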
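Review bot: `_MEMORY_MODULE` is repeated by hand in eight per-configuration `<PreprocessorDefinitions>` elements, so the next configuration or platform added to this project will silently build without it and Loader.h will then drop the linker exports that are gated on it. One unconditional `<ItemDefinitionGroup>` carrying the define applies to every configuration and lets the eight existing lines stay as they were before this commit; that is a layout choice, the resulting compile lines are the same.
```xml
<ItemDefinitionGroup>
  <ClCompile>
    <PreprocessorDefinitions>_MEMORY_MODULE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
  </ClCompile>
</ItemDefinitionGroup>
```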

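--- a/test/test.cpp
+++ b/test/test.cpp
@@ -1,8 +1,12 @@
 #include "../MemoryModule/stdafx.h"
 #include "../MemoryModule/LoadDllMemoryApi.h"
 #include <cstdio>
+#pragma comment(lib,"ntdll.lib")
 
-//PMMP_GLOBAL_DATA MmpGlobalDataPtr = *(PMMP_GLOBAL_DATA*)GetProcAddress(GetModuleHandleA("MemoryModule.dll"), "MmpGlobalDataPtr");
+PMMP_GLOBAL_DATA MmpGlobalDataPtr;
+
+decltype(&LdrLoadDllMemoryExW)__LdrLoadDllMemoryExW;
+decltype(&LdrUnloadDllMemory)__LdrUnloadDllMemory;
 
 static void DisplayStatus() {
 printf(
@@ -41,7 +45,10 @@ static PVOID ReadDllFile(LPCSTR FileName) {
 return 0;
 }
 _fseeki64(f, 0, SEEK_SET);
-fread(buffer = new char[size], 1, size, f);
+
+buffer = VirtualAlloc(0, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+fread(buffer, 1, size, f);
 fclose(f);
 return buffer;
 }
@@ -63,11 +70,10 @@ PVOID ReadDllFile2(LPCSTR FileName) {
 }
 
 int test() {
-LPVOID buffer = ReadDllFile2("a.vmp.dll");
+LPVOID buffer = ReadDllFile2("a.dll");
 
 HMODULE hModule = nullptr;
 FARPROC pfn = nullptr;
-DWORD MemoryModuleFeatures = 0;
 
 typedef int(*_exception)(int code);
 _exception exception = nullptr;
@@ -76,12 +82,7 @@ int test() {
 HGLOBAL gRes;
 char str[10];
 
-LdrQuerySystemMemoryModuleFeatures(&MemoryModuleFeatures);
-if (MemoryModuleFeatures != MEMORY_FEATURE_ALL) {
-printf("not support all features on this version of windows.\n");
-}
-
-if (!NT_SUCCESS(LdrLoadDllMemoryExW(&hModule, nullptr, 0, buffer, 0, L"kernel64", nullptr))) goto end;
+if (!NT_SUCCESS(__LdrLoadDllMemoryExW(&hModule, nullptr, 0, buffer, 0, L"kernel64", nullptr))) goto end;
 
 //forward export
 pfn = (decltype(pfn))(GetProcAddress(hModule, "Socket")); //ws2_32.WSASocketW
@@ -127,12 +128,44 @@ int test() {
 }
 
 end:
-LdrUnloadDllMemory(hModule);
-delete[]buffer;
+__LdrUnloadDllMemory(hModule);
+VirtualFree(buffer, 0, MEM_RELEASE);
 return 0;
 }
 
+ULONG_PTR ReflectiveLoaderOffset() {
+ULONG_PTR offset = 0;
+
+auto hm = LoadLibrary(L"MemoryModule.dll");
+if (hm) {
+auto pfn = GetProcAddress(hm, "ReflectiveLoader");
+offset = ULONG_PTR(pfn) - ULONG_PTR(hm);
+
+auto header = RtlImageNtHeader(hm);
+auto section = IMAGE_FIRST_SECTION(header);
+for (int i = 0; i < header->FileHeader.NumberOfSections; ++i, ++section) {
+if (offset >= section->VirtualAddress && offset < section->VirtualAddress + section->SizeOfRawData) {
+offset = ULONG_PTR(pfn) - (ULONG_PTR(hm) + section->VirtualAddress) + section->PointerToRawData;
+break;
+}
+}
+}
+
+return offset;
+}
+
+typedef ULONG_PTR(WINAPI* LOADER)(PVOID);
+
 int main() {
+printf("%08x\n", ReflectiveLoaderOffset());
+auto buffer = ReadDllFile2("MemoryModule.dll");
+auto loader = LOADER(ULONG_PTR(buffer) + 0x96e0); //ReflectiveLoaderOffset() -> 0x96e0
+auto hm = (HMODULE)loader(buffer);
+
+MmpGlobalDataPtr = *(PMMP_GLOBAL_DATA*)GetProcAddress(hm, "MmpGlobalDataPtr");
+__LdrLoadDllMemoryExW = (decltype(&LdrLoadDllMemoryExW))GetProcAddress(hm, "LdrLoadDllMemoryExW");
+__LdrUnloadDllMemory = (decltype(&LdrUnloadDllMemory))GetProcAddress(hm, "LdrUnloadDllMemory");
+
 DisplayStatus();
 test();
 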
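Review bot: In the last hunk main() computes ReflectiveLoaderOffset() only to print it and then jumps to the hard-coded `0x96e0`; the first rebuild of MemoryModule.dll that moves ReflectiveLoader leaves the constant stale and `loader(buffer)` starts executing whatever bytes sit at that file offset, with no check that ReadDllFile2 returned a buffer or that the offset was found at all. The print is also malformed: `%08x` consumes an unsigned int while ULONG_PTR is 64 bits wide on x64, so the value is truncated at best; `printf("%08zx\n", (size_t)ReflectiveLoaderOffset());` matches the width on both platforms. The null results of ReadDllFile2 and of the three GetProcAddress() calls are dereferenced or called unchecked, and the `*(PMMP_GLOBAL_DATA*)` read faults outright if the export is absent. ReflectiveLoaderOffset() never releases the handle from LoadLibrary and, when GetProcAddress returns null, yields a bogus offset rather than 0, which the caller cannot distinguish. main() continues past the end of the hunk.
```cpp
int main() {
    const ULONG_PTR offset = ReflectiveLoaderOffset();
    printf("%08zx\n", (size_t)offset);
    auto buffer = ReadDllFile2("MemoryModule.dll");
    if (!offset || !buffer) return 1;
    auto loader = LOADER(ULONG_PTR(buffer) + offset);   // no longer a build-specific constant
    auto hm = (HMODULE)loader(buffer);
    if (!hm) return 1;                                   // assumes the loader returns 0 on failure — confirm
    auto globals = (PMMP_GLOBAL_DATA*)GetProcAddress(hm, "MmpGlobalDataPtr");
    if (!globals) return 1;
    MmpGlobalDataPtr = *globals;
    // … unchanged: __LdrLoadDllMemoryExW / __LdrUnloadDllMemory resolution (null-check both), DisplayStatus(), test() …
```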

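--- a/test/test.vcxproj
+++ b/test/test.vcxproj
@@ -164,11 +164,6 @@
 </ExcludedFromBuild>
 </ClCompile>
 </ItemGroup>
-<ItemGroup>
-<ProjectReference Include="..\MemoryModule\MemoryModule.vcxproj">
-<Project>{5b1f46db-036e-4a50-af5f-f5d6584d42c6}</Project>
-</ProjectReference>
-</ItemGroup>
 <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
 <ImportGroup Label="ExtensionTargets">
 </ImportGroup>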
