Add support for SetUnhandledExceptionFilter

Author: bb107

MemoryModule/MemoryModule.cpp

@@ -239,7 +239,7 @@ NTSTATUS MemoryLoadLibrary(
 		LPVOID(old_header->OptionalHeader.ImageBase),
 		old_header->OptionalHeader.SizeOfImage,
 		MEM_RESERVE,
-		PAGE_READWRITE
+		PAGE_EXECUTE_READWRITE
 	);
 	if (!base) {
 		if (old_header->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) {

MemoryModule/MmpTls.cpp

@@ -347,7 +347,11 @@ VOID NTAPI HookLdrShutdownThread(VOID) {
         entry = entry->Flink;
     }
 
-    --MmpGlobalDataPtr->MmpTls->MmpActiveThreadCount;
+    if (record) {
+        --MmpGlobalDataPtr->MmpTls->MmpActiveThreadCount;
+    }
+
+    assert(0 < (int)MmpGlobalDataPtr->MmpTls->MmpActiveThreadCount);
 
     LeaveCriticalSection(&MmpGlobalDataPtr->MmpTls->MmpTlspLock);
 
@@ -371,7 +375,7 @@ VOID NTAPI HookLdrShutdownThread(VOID) {
     }
     else {
         if (MmpGlobalDataPtr->MmpTls->MmpTlsList.Flink != &MmpGlobalDataPtr->MmpTls->MmpTlsList) {
-            assert(false);
+            assert(NtCurrentTeb()->ThreadLocalStoragePointer == nullptr);
         }
     }
 

a/dllmain.cpp

@@ -146,3 +146,45 @@ int thread() {
     return -1;
 }
 
+DWORD Value;
+volatile LPDWORD lpAddr;
+
+LONG WINAPI Filter(_In_ struct _EXCEPTION_POINTERS* ExceptionInfo) {
+
+    if (ExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_ACCESS_VIOLATION) {
+
+        lpAddr = &Value;
+
+        //  +++++++
+        // begin compiler specific
+        //  +++++++
+        
+        //ExceptionInfo->ContextRecord->Rip -= 7;
+        ExceptionInfo->ContextRecord->Rax = (ULONG_PTR)lpAddr;
+
+        //  +++++++
+        // end compiler specific
+        //  +++++++
+
+        return EXCEPTION_CONTINUE_EXECUTION;
+    }
+
+    return EXCEPTION_CONTINUE_SEARCH;
+}
+
+int unhandled_exception() {
+    auto filter = SetUnhandledExceptionFilter(Filter);
+    auto ff = SetUnhandledExceptionFilter(filter);
+
+    if (ff != Filter) {
+        printf("%p\t%p\t%p\nfailed\n", filter, ff, Filter);
+        return 0;
+    }
+
+    filter = SetUnhandledExceptionFilter(Filter);
+    lpAddr = nullptr;
+    *lpAddr = 1;
+    SetUnhandledExceptionFilter(filter);
+
+    return 1234;
+}

a/m.def

@@ -4,4 +4,5 @@ test = __test__
 thread
 Socket = ws2_32.WSASocketW
 VerifyTruse = wintrust.WinVerifyTrust
-test_user32
+test_user32
+unhandled_exception

test/test.cpp

@@ -1,4 +1,5 @@
 #include "../MemoryModule/stdafx.h"
+#include "../MemoryModule/LoadDllMemoryApi.h"
 #include <cstdio>
 
 static PVOID ReadDllFile(LPCSTR FileName) {
@@ -115,10 +116,22 @@ int test() {
     return 0;
 }
 
-int main() {
-    DisplayStatus();
+void test_uef() {
+    auto buffer = ReadDllFile("a.dll");
+
+    HMODULE hm = LoadLibraryMemory(buffer);
+    auto pfn = GetProcAddress(hm, "unhandled_exception");
+
+    auto result = pfn();
+    if (result == 1234) {
+        printf("mmpp success\n");
+    }
 
-    test();
+    return;
+}
+
+int main() {
+    test_uef();
 
     return 0;
 }