Fix hook for 32-bit ntdll!RtlUserThreadStart

bb107 · bb107 · commit b72afcf6ddd8 · 2023-03-10T11:22:54.000+08:00
diff --git a/MemoryModule/MmpTls.cpp b/MemoryModule/MmpTls.cpp
@@ -282,6 +282,7 @@ DWORD NTAPI MmpUserThreadStart(LPVOID lpThreadParameter) {
     return Context.ThreadStartRoutine(Context.ThreadParameter);
 }
 
+#ifdef _WIN64
 VOID NTAPI HookRtlUserThreadStart(
     _In_ PTHREAD_START_ROUTINE Function,
     _In_ PVOID Parameter) {
@@ -291,6 +292,36 @@ VOID NTAPI HookRtlUserThreadStart(
 
     return MmpGlobalDataPtr->MmpTls->Hooks.OriginRtlUserThreadStart(MmpUserThreadStart, &Context);
 }
+#else
+VOID
+__declspec(naked)
+HookRtlUserThreadStart(
+    _In_ PTHREAD_START_ROUTINE Function,    //eax
+    _In_ PVOID Parameter) {                 //ebx
+    __asm {
+        // THREAD_CONTEXT Context;
+        sub esp, 8;
+
+        // Context.ThreadStartRoutine = PTHREAD_START_ROUTINE(Function);
+        mov dword ptr ds : [esp] , eax;
+
+        // Context.ThreadParameter = Parameter;
+        mov dword ptr ds : [esp + 4] , ebx;
+        
+        mov eax, MmpUserThreadStart;
+        mov ebx, esp;
+
+        // Shadow stack for ntdll!RtlUserThreadStart
+        sub esp, 8;
+
+        // MmpGlobalDataPtr->MmpTls->Hooks.OriginRtlUserThreadStart(MmpUserThreadStart, &Context);
+        mov ecx, MmpGlobalDataPtr;
+        mov ecx, dword ptr ds : [ecx + 0x48] ;
+        mov ecx, dword ptr ds : [ecx + 0x48] ;
+        call ecx;
+    }
+}
+#endif
 
 VOID NTAPI HookLdrShutdownThread(VOID) {
 
diff --git a/test/test.cpp b/test/test.cpp
@@ -118,41 +118,28 @@ int test() {
     return 0;
 }
 
-void test_uef() {
-    auto buffer = ReadDllFile("a.dll");
+void test_cf() {
+    auto buffer = ReadDllFile("CoreFoundation.dll");
 
-    HMODULE hm = LoadLibraryMemory(buffer);
-    auto pfn = GetProcAddress(hm, "unhandled_exception");
+    if (buffer) {
+        HMODULE hm = LoadLibraryMemory(buffer);
+        delete[]buffer;
 
-    auto result = pfn();
-    if (result == 1234) {
-        printf("mmpp success\n");
+        if (hm) {
+            printf("Load success: %p\n", hm);
+            FreeLibraryMemory(hm);
+        }
+        else {
+            printf("Load fail: %d\n", GetLastError());
+        }
     }
 
     return;
 }
 
-void Tp() {
-    auto pool = CreateThreadpool(nullptr);
-    if (pool) {
-
-        SetThreadpoolThreadMaximum(pool, 1);
-        SetThreadpoolThreadMinimum(pool, 1);
-
-        Sleep(1000);
-
-        CloseThreadpool(pool);
-    }
-}
-
 int main() {
-
     DisplayStatus();
-    test();
-    
-    Tp();
-
-    WaitForSingleObject(NtCurrentProcess(), INFINITE);
+    test_cf();
 
     return 0;
 }
