update

Author: bb107

MemoryModule/BaseAddressIndex.cpp

@@ -1,7 +1,7 @@
 #include "stdafx.h"
 
 NTSTATUS NTAPI RtlInsertModuleBaseAddressIndexNode(IN PLDR_DATA_TABLE_ENTRY DataTableEntry, IN PVOID BaseAddress) {
-	auto LdrpModuleBaseAddressIndex = MmpGlobalDataPtr->LdrpModuleBaseAddressIndex;
+	auto LdrpModuleBaseAddressIndex = MmpGlobalDataPtr->MmpBaseAddressIndex.LdrpModuleBaseAddressIndex;
 	if (!LdrpModuleBaseAddressIndex)return STATUS_UNSUCCESSFUL;
 
 	PLDR_DATA_TABLE_ENTRY_WIN8 LdrNode = decltype(LdrNode)((size_t)LdrpModuleBaseAddressIndex - offsetof(LDR_DATA_TABLE_ENTRY_WIN8, BaseAddressIndexNode));
@@ -33,7 +33,7 @@ NTSTATUS NTAPI RtlInsertModuleBaseAddressIndexNode(IN PLDR_DATA_TABLE_ENTRY Data
 }
 
 NTSTATUS NTAPI RtlRemoveModuleBaseAddressIndexNode(IN PLDR_DATA_TABLE_ENTRY DataTableEntry) {
-	static auto tree{ MmpGlobalDataPtr->LdrpModuleBaseAddressIndex };
+	static auto tree{ MmpGlobalDataPtr->MmpBaseAddressIndex.LdrpModuleBaseAddressIndex };
 	if (!tree->Root)return STATUS_UNSUCCESSFUL;
 	RtlRbRemoveNode(tree, &PLDR_DATA_TABLE_ENTRY_WIN8(DataTableEntry)->BaseAddressIndexNode);
 	return STATUS_SUCCESS;

MemoryModule/Initialize.cpp

@@ -18,7 +18,7 @@ BOOLEAN MmpBuildSectionName(_Out_ PUNICODE_STRING SectionName) {
 
 PRTL_RB_TREE FindLdrpModuleBaseAddressIndex() {
     PRTL_RB_TREE LdrpModuleBaseAddressIndex = nullptr;
-    PLDR_DATA_TABLE_ENTRY_WIN10 nt10 = decltype(nt10)(MmpGlobalDataPtr->LdrpNtdllBase);
+    PLDR_DATA_TABLE_ENTRY_WIN10 nt10 = decltype(nt10)(MmpGlobalDataPtr->MmpBaseAddressIndex.NtdllLdrEntry);
     PRTL_BALANCED_NODE node = nullptr;
     if (!nt10 || !RtlIsWindowsVersionOrGreater(6, 2, 0))return nullptr;
     node = &nt10->BaseAddressIndexNode;
@@ -253,20 +253,24 @@ NTSTATUS InitializeLockHeld() {
         MmpGlobalDataPtr->MajorVersion = 1;
         MmpGlobalDataPtr->MinorVersion = 0;
 
-        MmpGlobalDataPtr->LdrpNtdllBase = RtlFindNtdllLdrEntry();
-		MmpGlobalDataPtr->LdrpHashTable = FindLdrpHashTable();
+		GetSystemInfo(&MmpGlobalDataPtr->SystemInfo);
 
-        MmpGlobalDataPtr->LdrpModuleBaseAddressIndex = FindLdrpModuleBaseAddressIndex();
+		MmpGlobalDataPtr->MmpBaseAddressIndex.NtdllLdrEntry = RtlFindLdrTableEntryByBaseName(L"ntdll.dll");
+        MmpGlobalDataPtr->MmpBaseAddressIndex.LdrpModuleBaseAddressIndex = FindLdrpModuleBaseAddressIndex();
 
-		MmpGlobalDataPtr->LdrpInvertedFunctionTable = FindLdrpInvertedFunctionTable();
+		MmpGlobalDataPtr->MmpLdrEntry.LdrpHashTable = FindLdrpHashTable();
+
+		MmpGlobalDataPtr->MmpInvertedFunctionTable.LdrpInvertedFunctionTable = FindLdrpInvertedFunctionTable();
 
         MmpGlobalDataPtr->MmpFeatures = MEMORY_FEATURE_SUPPORT_VERSION | MEMORY_FEATURE_LDRP_HEAP | MEMORY_FEATURE_LDRP_HANDLE_TLS_DATA | MEMORY_FEATURE_LDRP_RELEASE_TLS_ENTRY;
-        if (MmpGlobalDataPtr->LdrpModuleBaseAddressIndex)MmpGlobalDataPtr->MmpFeatures |= MEMORY_FEATURE_MODULE_BASEADDRESS_INDEX;
-        if (MmpGlobalDataPtr->LdrpHashTable)MmpGlobalDataPtr->MmpFeatures |= MEMORY_FEATURE_LDRP_HASH_TABLE;
-        if (MmpGlobalDataPtr->LdrpInvertedFunctionTable)MmpGlobalDataPtr->MmpFeatures |= MEMORY_FEATURE_INVERTED_FUNCTION_TABLE;
+        if (MmpGlobalDataPtr->MmpBaseAddressIndex.LdrpModuleBaseAddressIndex)MmpGlobalDataPtr->MmpFeatures |= MEMORY_FEATURE_MODULE_BASEADDRESS_INDEX;
+        if (MmpGlobalDataPtr->MmpLdrEntry.LdrpHashTable)MmpGlobalDataPtr->MmpFeatures |= MEMORY_FEATURE_LDRP_HASH_TABLE;
+        if (MmpGlobalDataPtr->MmpInvertedFunctionTable.LdrpInvertedFunctionTable)MmpGlobalDataPtr->MmpFeatures |= MEMORY_FEATURE_INVERTED_FUNCTION_TABLE;
 
 		MmpTlsInitialize();
 
+		MmpGlobalDataPtr->MmpDotNet.Initialized = MmpGlobalDataPtr->MmpDotNet.PreHooked = FALSE;
+
     } while (false);
 
     if (!NT_SUCCESS(status) && hSection)NtClose(hSection);

MemoryModule/InvertedFunctionTable.cpp

@@ -146,7 +146,7 @@ static NTSTATUS NTAPI RtlProtectMrdata(IN SIZE_T Protect) {
 
 	if (!MrdataBase) {
 		MEMORY_BASIC_INFORMATION mbi{};
-		status = NtQueryVirtualMemory(GetCurrentProcess(), MmpGlobalDataPtr->LdrpInvertedFunctionTable, MemoryBasicInformation, &mbi, sizeof(mbi), nullptr);
+		status = NtQueryVirtualMemory(GetCurrentProcess(), MmpGlobalDataPtr->MmpInvertedFunctionTable.LdrpInvertedFunctionTable, MemoryBasicInformation, &mbi, sizeof(mbi), nullptr);
 		if (!NT_SUCCESS(status))return status;
 		MrdataBase = mbi.BaseAddress;
 		size = mbi.RegionSize;
@@ -158,7 +158,7 @@ static NTSTATUS NTAPI RtlProtectMrdata(IN SIZE_T Protect) {
 }
 
 NTSTATUS NTAPI RtlInsertInvertedFunctionTable(IN PVOID BaseAddress, IN size_t ImageSize) {
-	auto table = PRTL_INVERTED_FUNCTION_TABLE(MmpGlobalDataPtr->LdrpInvertedFunctionTable);
+	auto table = PRTL_INVERTED_FUNCTION_TABLE(MmpGlobalDataPtr->MmpInvertedFunctionTable.LdrpInvertedFunctionTable);
 	if (!table)return STATUS_NOT_SUPPORTED;
 	bool need_virtual_protect = RtlIsWindowsVersionOrGreater(6, 3, 0);
 	NTSTATUS status;
@@ -177,7 +177,7 @@ NTSTATUS NTAPI RtlInsertInvertedFunctionTable(IN PVOID BaseAddress, IN size_t Im
 }
 
 NTSTATUS NTAPI RtlRemoveInvertedFunctionTable(IN PVOID ImageBase) {
-	auto table = PRTL_INVERTED_FUNCTION_TABLE(MmpGlobalDataPtr->LdrpInvertedFunctionTable);
+	auto table = PRTL_INVERTED_FUNCTION_TABLE(MmpGlobalDataPtr->MmpInvertedFunctionTable.LdrpInvertedFunctionTable);
 	bool need_virtual_protect = RtlIsWindowsVersionOrGreater(6, 3, 0);
 	NTSTATUS status;
 

MemoryModule/LdrEntry.cpp

@@ -1,8 +1,6 @@
 #include "stdafx.h"
 #include <cstddef>
 
-PLDR_DATA_TABLE_ENTRY const LdrpNtdllBase = RtlFindLdrTableEntryByBaseName(L"ntdll.dll");
-
 static NTSTATUS NTAPI RtlFreeDependencies(IN PLDR_DATA_TABLE_ENTRY_WIN10 LdrEntry) {
 	_LDR_DDAG_NODE* DependentDdgeNode = nullptr;
 	PLDR_DATA_TABLE_ENTRY_WIN10 ModuleEntry = nullptr;
@@ -254,7 +252,7 @@ NTSTATUS NTAPI RtlGetReferenceCount(IN PMEMORYMODULE pModule, OUT PULONG Count)
 
 VOID NTAPI RtlInsertMemoryTableEntry(IN PLDR_DATA_TABLE_ENTRY LdrEntry) {
 	PPEB_LDR_DATA PebData = NtCurrentPeb()->Ldr;
-	PLIST_ENTRY LdrpHashTable = MmpGlobalDataPtr->LdrpHashTable;
+	PLIST_ENTRY LdrpHashTable = MmpGlobalDataPtr->MmpLdrEntry.LdrpHashTable;
 	ULONG i;
 
 	/* Insert into hash table */

MemoryModule/LdrEntry.h

@@ -19,12 +19,6 @@ PLDR_DATA_TABLE_ENTRY NTAPI RtlFindLdrTableEntryByHandle(PVOID BaseAddress);
 
 PLDR_DATA_TABLE_ENTRY NTAPI RtlFindLdrTableEntryByBaseName(PCWSTR BaseName);
 
-extern PLDR_DATA_TABLE_ENTRY const LdrpNtdllBase;
-
-#define RtlFindNtdllLdrEntry()	(LdrpNtdllBase)
-
-
-
 //
 // Loader Data Table Entry Flags
 //

MemoryModule/MemoryModule.cpp

@@ -8,6 +8,23 @@
 
 #define GET_HEADER_DICTIONARY(headers, idx)  &headers->OptionalHeader.DataDirectory[idx]
 
+#define AlignValueUp(value, alignment) ((size_t(value) + size_t(alignment) + 1) & ~(size_t(alignment) - 1))
+
+#define OffsetPointer(data, offset) LPVOID(LPBYTE(data) + ptrdiff_t(offset))
+
+// Protection flags for memory pages (Executable, Readable, Writeable)
+static const int ProtectionFlags[2][2][2] = {
+	{
+		// not executable
+		{PAGE_NOACCESS, PAGE_WRITECOPY},
+		{PAGE_READONLY, PAGE_READWRITE},
+	}, {
+		// executable
+		{PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY},
+		{PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE},
+	},
+};
+
 int MmpSizeOfImageHeadersUnsafe(PVOID BaseAddress) {
 	PIMAGE_DOS_HEADER dh = (PIMAGE_DOS_HEADER)BaseAddress;
 	PIMAGE_NT_HEADERS nh = (PIMAGE_NT_HEADERS)((LPBYTE)BaseAddress + dh->e_lfanew);
@@ -38,29 +55,6 @@ bool WINAPI IsValidMemoryModuleHandle(HMEMORYMODULE hModule) {
 	return MapMemoryModuleHandle(hModule) != nullptr;
 }
 
-#define AlignValueUp(value, alignment) ((size_t(value) + size_t(alignment) + 1) & ~(size_t(alignment) - 1))
-
-#define OffsetPointer(data, offset) LPVOID(LPBYTE(data) + ptrdiff_t(offset))
-
-
-// Protection flags for memory pages (Executable, Readable, Writeable)
-static int ProtectionFlags[2][2][2] = {
-	{
-		// not executable
-		{PAGE_NOACCESS, PAGE_WRITECOPY},
-		{PAGE_READONLY, PAGE_READWRITE},
-	}, {
-		// executable
-		{PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY},
-		{PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE},
-	},
-};
-
-static SYSTEM_INFO sysInfo = []()->SYSTEM_INFO {
-	SYSTEM_INFO tmp;
-	GetNativeSystemInfo(&tmp);
-	return tmp;
-}();
 
 NTSTATUS MemoryResolveImportTable(
 	_In_ LPBYTE base,
@@ -271,7 +265,7 @@ NTSTATUS MemoryLoadLibrary(
 	//
 	// Allocate memory for image headers
 	//
-	size_t alignedHeadersSize = (DWORD)AlignValueUp(old_header->OptionalHeader.SizeOfHeaders + sizeof(MEMORYMODULE), sysInfo.dwPageSize);
+	size_t alignedHeadersSize = (DWORD)AlignValueUp(old_header->OptionalHeader.SizeOfHeaders + sizeof(MEMORYMODULE), MmpGlobalDataPtr->SystemInfo.dwPageSize);
 	if (!VirtualAlloc(base, alignedHeadersSize, MEM_COMMIT, PAGE_READWRITE)) {
 		VirtualFree(base, 0, MEM_RELEASE);
 		status = STATUS_NO_MEMORY;

MemoryModule/MmpDotNet.cpp

@@ -28,14 +28,6 @@ static decltype(&CloseHandle)OriginCloseHandle = CloseHandle;
 static GetFileVersion_T OriginGetFileVersion1 = nullptr;
 static GetFileVersion_T OriginGetFileVersion2 = nullptr;
 
-FILETIME AssemblyTimes;
-
-CRITICAL_SECTION MmpFakeHandleListLock;
-LIST_ENTRY MmpFakeHandleListHead;
-
-static BOOLEAN g_PreHooked = FALSE;
-static BOOLEAN g_Initialized = FALSE;
-
 BOOL MmpIsMemoryModuleFileName(
     _In_ LPCWSTR lpFileName,
     _Out_opt_ PLDR_DATA_TABLE_ENTRY *LdrEntry) {
@@ -87,17 +79,17 @@ VOID MmpInsertHandleEntry(
     entry->value = value;
     entry->bImageMapping = bImageMapping;
 
-    EnterCriticalSection(&MmpFakeHandleListLock);
-    InsertTailList(&MmpFakeHandleListHead, &entry->InMmpFakeHandleList);
-    LeaveCriticalSection(&MmpFakeHandleListLock);
+    EnterCriticalSection(&MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListLock);
+    InsertTailList(&MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListHead, &entry->InMmpFakeHandleList);
+    LeaveCriticalSection(&MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListLock);
 }
 
 PMMP_FAKE_HANDLE_LIST_ENTRY MmpFindHandleEntry(HANDLE hObject) {
 
     PMMP_FAKE_HANDLE_LIST_ENTRY result = nullptr;
-    EnterCriticalSection(&MmpFakeHandleListLock);
+    EnterCriticalSection(&MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListLock);
 
-    for (auto entry = MmpFakeHandleListHead.Flink; entry != &MmpFakeHandleListHead; entry = entry->Flink) {
+    for (auto entry = MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListHead.Flink; entry != &MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListHead; entry = entry->Flink) {
         auto CurEntry = CONTAINING_RECORD(entry, MMP_FAKE_HANDLE_LIST_ENTRY, MMP_FAKE_HANDLE_LIST_ENTRY::InMmpFakeHandleList);
 
         if (CurEntry->hObject == hObject) {
@@ -107,15 +99,15 @@ PMMP_FAKE_HANDLE_LIST_ENTRY MmpFindHandleEntry(HANDLE hObject) {
 
     }
 
-    LeaveCriticalSection(&MmpFakeHandleListLock);
+    LeaveCriticalSection(&MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListLock);
     return result;
 }
 
 VOID MmpFreeHandleEntry(PMMP_FAKE_HANDLE_LIST_ENTRY lpHandleEntry) {
-    EnterCriticalSection(&MmpFakeHandleListLock);
+    EnterCriticalSection(&MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListLock);
     RemoveEntryList(&lpHandleEntry->InMmpFakeHandleList);
     RtlFreeHeap(RtlProcessHeap(), 0, lpHandleEntry);
-    LeaveCriticalSection(&MmpFakeHandleListLock);
+    LeaveCriticalSection(&MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListLock);
 }
 
 HANDLE WINAPI HookCreateFileW(
@@ -156,7 +148,7 @@ BOOL WINAPI HookGetFileInformationByHandle(
         auto entry = (PLDR_DATA_TABLE_ENTRY)iter->value;
         auto module = MapMemoryModuleHandle((HMEMORYMODULE)entry->DllBase);
 
-        lpFileInformation->ftCreationTime = lpFileInformation->ftLastAccessTime = lpFileInformation->ftLastWriteTime = AssemblyTimes;
+        lpFileInformation->ftCreationTime = lpFileInformation->ftLastAccessTime = lpFileInformation->ftLastWriteTime = MmpGlobalDataPtr->MmpDotNet.AssemblyTimes;
         lpFileInformation->nFileSizeLow = module->dwImageFileSize;
 
         return TRUE;
@@ -185,7 +177,7 @@ BOOL WINAPI HookGetFileAttributesExW(
             LPWIN32_FILE_ATTRIBUTE_DATA data = (LPWIN32_FILE_ATTRIBUTE_DATA)lpFileInformation;
             auto module = MapMemoryModuleHandle((HMEMORYMODULE)entry->DllBase);
 
-            data->ftCreationTime = data->ftLastAccessTime = data->ftLastWriteTime = AssemblyTimes;
+            data->ftCreationTime = data->ftLastAccessTime = data->ftLastWriteTime = MmpGlobalDataPtr->MmpDotNet.AssemblyTimes;
             data->nFileSizeLow = module->dwImageFileSize;
             return TRUE;
         }
@@ -394,16 +386,16 @@ BOOL WINAPI MmpPreInitializeHooksForDotNet() {
 
     EnterCriticalSection(NtCurrentPeb()->FastPebLock);
 
-    if (!g_PreHooked) {
+    if (!MmpGlobalDataPtr->MmpDotNet.PreHooked) {
         HMODULE hModule = LoadLibraryW(L"mscoree.dll");
         if (hModule) {
             OriginGetFileVersion2 = (GetFileVersion_T)GetProcAddress(hModule, "GetFileVersion");
             if (OriginGetFileVersion2) {
 
-                GetSystemTimeAsFileTime(&AssemblyTimes);
+                GetSystemTimeAsFileTime(&MmpGlobalDataPtr->MmpDotNet.AssemblyTimes);
 
-                InitializeCriticalSection(&MmpFakeHandleListLock);
-                InitializeListHead(&MmpFakeHandleListHead);
+                InitializeCriticalSection(&MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListLock);
+                InitializeListHead(&MmpGlobalDataPtr->MmpDotNet.MmpFakeHandleListHead);
 
                 DetourTransactionBegin();
                 DetourUpdateThread(NtCurrentThread());
@@ -422,14 +414,14 @@ BOOL WINAPI MmpPreInitializeHooksForDotNet() {
 
                 DetourTransactionCommit();
 
-                g_PreHooked = TRUE;
+                MmpGlobalDataPtr->MmpDotNet.PreHooked = TRUE;
             }
         }
     }
 
     LeaveCriticalSection(NtCurrentPeb()->FastPebLock);
 
-    return g_PreHooked;
+    return MmpGlobalDataPtr->MmpDotNet.PreHooked;
 }
 
 BOOL WINAPI MmpInitializeHooksForDotNet() {
@@ -440,17 +432,17 @@ BOOL WINAPI MmpInitializeHooksForDotNet() {
 
             EnterCriticalSection(NtCurrentPeb()->FastPebLock);
 
-            if (!g_PreHooked) {
+            if (!MmpGlobalDataPtr->MmpDotNet.PreHooked) {
                 LeaveCriticalSection(NtCurrentPeb()->FastPebLock);
                 return FALSE;
             }
 
-            if (!g_Initialized) {
+            if (!MmpGlobalDataPtr->MmpDotNet.Initialized) {
                 DetourTransactionBegin();
                 DetourUpdateThread(NtCurrentThread());
                 DetourAttach((PVOID*)&OriginGetFileVersion1, HookGetFileVersion);
                 DetourTransactionCommit();
-                g_Initialized = TRUE;
+                MmpGlobalDataPtr->MmpDotNet.Initialized = TRUE;
             }
 
             LeaveCriticalSection(NtCurrentPeb()->FastPebLock);

MemoryModule/MmpGlobalData.h

@@ -1,29 +1,61 @@
 #pragma once
 
-typedef struct _MMP_GLOBAL_DATA {
-
-	WORD MajorVersion;
-	WORD MinorVersion;
-
-	DWORD MmpFeatures;
-
-	//BaseAddressIndex.cpp
+//BaseAddressIndex.cpp
+typedef struct _MMP_BASE_ADDRESS_INDEX_DATA {
 	PRTL_RB_TREE LdrpModuleBaseAddressIndex;
+	PLDR_DATA_TABLE_ENTRY NtdllLdrEntry;
+}MMP_BASE_ADDRESS_INDEX_DATA, * PMMP_BASE_ADDRESS_INDEX_DATA;
 
-	//InvertedFunctionTable.cpp
+//InvertedFunctionTable.cpp
+typedef struct _MMP_INVERTED_FUNCTION_TABLE_DATA {
 	PVOID LdrpInvertedFunctionTable;
+}MMP_INVERTED_FUNCTION_TABLE_DATA, * PMMP_INVERTED_FUNCTION_TABLE_DATA;
 
-	//LdrEntry.cpp
-	PLDR_DATA_TABLE_ENTRY LdrpNtdllBase;
+//LdrEntry.cpp
+typedef struct _MMP_LDR_ENTRY_DATA {
 	PLIST_ENTRY LdrpHashTable;
+}MMP_LDR_ENTRY_DATA, * PMMP_LDR_ENTRY_DATA;
 
-	//MmpTls.cpp
+//MmpTls.cpp
+typedef struct _MMP_TLS_DATA {
 	LIST_ENTRY MmpTlsList;
 	RTL_BITMAP MmpTlsBitmap;
 	SRWLOCK MmpTlsListLock;
 	CRITICAL_SECTION MmpTlspLock;
 	LIST_ENTRY MmpThreadLocalStoragePointer;
 	DWORD MmpActiveThreadCount;
+}MMP_TLS_DATA, * PMMP_TLS_DATA;
+
+//MmpDotNet.cpp
+typedef struct _MMP_DOT_NET_DATA {
+	FILETIME AssemblyTimes;
+
+	CRITICAL_SECTION MmpFakeHandleListLock;
+	LIST_ENTRY MmpFakeHandleListHead;
+
+	BOOLEAN PreHooked;
+	BOOLEAN Initialized;
+}MMP_DOT_NET_DATA, * PMMP_DOT_NET_DATA;
+
+typedef struct _MMP_GLOBAL_DATA {
+
+	WORD MajorVersion;
+	WORD MinorVersion;
+
+	DWORD MmpFeatures;
+
+	SYSTEM_INFO SystemInfo;
+
+	MMP_BASE_ADDRESS_INDEX_DATA MmpBaseAddressIndex;
+
+	MMP_INVERTED_FUNCTION_TABLE_DATA MmpInvertedFunctionTable;
+
+	MMP_LDR_ENTRY_DATA MmpLdrEntry;
+
+	MMP_TLS_DATA MmpTls;
+
+	MMP_DOT_NET_DATA MmpDotNet;
+
 }MMP_GLOBAL_DATA, * PMMP_GLOBAL_DATA;
 
-extern PMMP_GLOBAL_DATA MmpGlobalDataPtr;
+extern PMMP_GLOBAL_DATA MmpGlobalDataPtr;