Merge branch 'MmpTlsFiber'

Author: bb107

MemoryModule/ImportTable.cpp

@@ -0,0 +1,178 @@
+#include "stdafx.h"
+
+typedef struct _MMP_IAT_HANDLE {
+
+	HMODULE hModule;
+	PMM_IAT_RESOLVER lpResolver;
+
+}MMP_IAT_HANDLE, * PMMP_IAT_HANDLE;
+
+HMODULE MmpLoadLibraryA(
+	_In_ LPCSTR lpModuleName,
+	_Out_ PMM_IAT_RESOLVER* lpModuleResolver) {
+
+	HMODULE hModule = nullptr;
+	PMM_IAT_RESOLVER resolver = nullptr;
+
+	EnterCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+
+	PLIST_ENTRY lpResolver = MmpGlobalDataPtr->MmpIat->MmpIatResolverList.Flink;
+	while (lpResolver != &MmpGlobalDataPtr->MmpIat->MmpIatResolverList) {
+		PMM_IAT_RESOLVER entry = CONTAINING_RECORD(lpResolver, MM_IAT_RESOLVER, MM_IAT_RESOLVER::InMmpIatResolverList);
+
+		hModule = entry->LoadLibraryProv(lpModuleName);
+		if (hModule) {
+			resolver = entry;
+			++entry->ReferenceCount;
+			break;
+		}
+
+		lpResolver = lpResolver->Flink;
+	}
+
+	LeaveCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+
+	*lpModuleResolver = resolver;
+	return hModule;
+}
+
+VOID MemoryFreeImportTable(_In_ PMEMORYMODULE hMemoryModule) {
+
+	EnterCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+
+	PMMP_IAT_HANDLE list = (PMMP_IAT_HANDLE)hMemoryModule->hModulesList;
+	for (DWORD i = 0; i < hMemoryModule->dwModulesCount; ++i) {
+		auto entry = list[i];
+		entry.lpResolver->FreeLibraryProv(entry.hModule);
+		--entry.lpResolver->ReferenceCount;
+	}
+
+	LeaveCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+
+
+	RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, hMemoryModule->hModulesList);
+	hMemoryModule->hModulesList = nullptr;
+	hMemoryModule->dwModulesCount = 0;
+}
+
+NTSTATUS MemoryResolveImportTable(
+	_In_ LPBYTE base,
+	_In_ PIMAGE_NT_HEADERS lpNtHeaders,
+	_In_ PMEMORYMODULE hMemoryModule) {
+	NTSTATUS status = STATUS_SUCCESS;
+	PIMAGE_IMPORT_DESCRIPTOR importDesc = nullptr;
+	DWORD count = 0;
+
+	do {
+		__try {
+			PIMAGE_DATA_DIRECTORY dir = &lpNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
+			PIMAGE_IMPORT_DESCRIPTOR iat = nullptr;
+
+			if (dir && dir->Size) {
+				iat = importDesc = PIMAGE_IMPORT_DESCRIPTOR(lpNtHeaders->OptionalHeader.ImageBase + dir->VirtualAddress);
+			}
+
+			if (iat) {
+				while (iat->Name) {
+					++count;
+					++iat;
+				}
+			}
+
+			if (importDesc && count) {
+				PMMP_IAT_HANDLE handles = (PMMP_IAT_HANDLE)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, sizeof(MMP_IAT_HANDLE) * count);
+				hMemoryModule->hModulesList = handles;
+				if (!hMemoryModule->hModulesList) {
+					status = STATUS_NO_MEMORY;
+					break;
+				}
+
+				for (DWORD i = 0; i < count; ++i, ++importDesc) {
+					uintptr_t* thunkRef;
+					FARPROC* funcRef;
+					PMM_IAT_RESOLVER resolver;
+					HMODULE handle = MmpLoadLibraryA((LPCSTR)(base + importDesc->Name), &resolver);
+
+					if (!handle) {
+						status = STATUS_DLL_NOT_FOUND;
+						break;
+					}
+
+					handles[hMemoryModule->dwModulesCount].hModule = handle;
+					handles[hMemoryModule->dwModulesCount++].lpResolver = resolver;
+					thunkRef = (uintptr_t*)(base + (importDesc->OriginalFirstThunk ? importDesc->OriginalFirstThunk : importDesc->FirstThunk));
+					funcRef = (FARPROC*)(base + importDesc->FirstThunk);
+					while (*thunkRef) {
+						*funcRef = GetProcAddress(
+							handle,
+							IMAGE_SNAP_BY_ORDINAL(*thunkRef) ? (LPCSTR)IMAGE_ORDINAL(*thunkRef) : (LPCSTR)PIMAGE_IMPORT_BY_NAME(base + (*thunkRef))->Name
+						);
+						if (!*funcRef) {
+							status = STATUS_ENTRYPOINT_NOT_FOUND;
+							break;
+						}
+						++thunkRef;
+						++funcRef;
+					}
+
+					if (!NT_SUCCESS(status))break;
+				}
+
+			}
+		}
+		__except (EXCEPTION_EXECUTE_HANDLER) {
+			status = GetExceptionCode();
+		}
+	} while (false);
+
+	if (!NT_SUCCESS(status)) {
+		MemoryFreeImportTable(hMemoryModule);
+	}
+
+	return status;
+}
+
+HANDLE WINAPI MmRegisterImportTableResolver(
+	_In_ MM_IAT_RESOLVER_ENTRY LoadLibraryProv,
+	_In_ MM_IAT_FREE_ENTRY FreeLibraryProv) {
+
+	HANDLE heap = RtlProcessHeap();
+	PMM_IAT_RESOLVER resolver = (PMM_IAT_RESOLVER)RtlAllocateHeap(heap, 0, sizeof(MM_IAT_RESOLVER));
+
+	if (resolver) {
+		EnterCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+
+		resolver->ReferenceCount = 1;
+		resolver->LoadLibraryProv = LoadLibraryProv;
+		resolver->FreeLibraryProv = FreeLibraryProv;
+		InsertTailList(&MmpGlobalDataPtr->MmpIat->MmpIatResolverList, &resolver->InMmpIatResolverList);
+
+		LeaveCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+	}
+
+	return resolver;
+}
+
+_Success_(return)
+BOOL WINAPI MmRemoveImportTableResolver(_In_ HANDLE hMmIatResolver) {
+
+	HANDLE heap = RtlProcessHeap();
+
+	if (hMmIatResolver == &MmpGlobalDataPtr->MmpIat->MmpIatResolverHead) {
+		return FALSE;
+	}
+
+	PMM_IAT_RESOLVER resolver = CONTAINING_RECORD(hMmIatResolver, MM_IAT_RESOLVER, MM_IAT_RESOLVER::InMmpIatResolverList);
+
+	EnterCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+
+	if (resolver->ReferenceCount > 1) {
+		LeaveCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+		return FALSE;
+	}
+
+	RemoveHeadList(&resolver->InMmpIatResolverList);
+	LeaveCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+
+	return RtlFreeHeap(heap, 0, hMmIatResolver);
+}

MemoryModule/ImportTable.h

@@ -0,0 +1,31 @@
+#pragma once
+
+typedef HMODULE(WINAPI* MM_IAT_RESOLVER_ENTRY)(LPCSTR lpModuleName);
+typedef BOOL(WINAPI* MM_IAT_FREE_ENTRY)(HMODULE hModule);
+
+typedef struct _MM_IAT_RESOLVER {
+
+	LIST_ENTRY InMmpIatResolverList;
+
+	MM_IAT_RESOLVER_ENTRY LoadLibraryProv;
+	MM_IAT_FREE_ENTRY FreeLibraryProv;
+
+	DWORD ReferenceCount;
+
+}MM_IAT_RESOLVER, * PMM_IAT_RESOLVER;
+
+VOID MemoryFreeImportTable(_In_ PMEMORYMODULE hMemoryModule);
+
+NTSTATUS MemoryResolveImportTable(
+	_In_ LPBYTE base,
+	_In_ PIMAGE_NT_HEADERS lpNtHeaders,
+	_In_ PMEMORYMODULE hMemoryModule
+);
+
+HANDLE WINAPI MmRegisterImportTableResolver(
+	_In_ MM_IAT_RESOLVER_ENTRY LoadLibraryProv,
+	_In_ MM_IAT_FREE_ENTRY FreeLibraryProv
+);
+
+_Success_(return)
+BOOL WINAPI MmRemoveImportTableResolver(_In_ HANDLE hMmIatResolver);

MemoryModule/Initialize.cpp

@@ -5,6 +5,10 @@
 
 PMMP_GLOBAL_DATA MmpGlobalDataPtr;
 
+#if MEMORY_MODULE_IS_PREVIEW(MEMORY_MODULE_MINOR_VERSION)
+#pragma message("WARNING: You are using a preview version of MemoryModulePP.")
+#endif
+
 PRTL_RB_TREE FindLdrpModuleBaseAddressIndex() {
     PRTL_RB_TREE LdrpModuleBaseAddressIndex = nullptr;
     PLDR_DATA_TABLE_ENTRY_WIN10 nt10 = decltype(nt10)(MmpGlobalDataPtr->MmpBaseAddressIndex->NtdllLdrEntry);
@@ -427,8 +431,10 @@ NTSTATUS InitializeLockHeld() {
 		status = MmpAllocateGlobalData();
 		if (!NT_SUCCESS(status)) {
 			if (status == STATUS_ALREADY_INITIALIZED) {
-				if ((MmpGlobalDataPtr->MajorVersion < MEMORY_MODULE_MAJOR_VERSION) ||
-					(MmpGlobalDataPtr->MajorVersion == MEMORY_MODULE_MAJOR_VERSION && MmpGlobalDataPtr->MinorVersion < MEMORY_MODULE_MINOR_VERSION)) {
+				if ((MmpGlobalDataPtr->MajorVersion != MEMORY_MODULE_MAJOR_VERSION) ||
+					MEMORY_MODULE_IS_PREVIEW(MmpGlobalDataPtr->MinorVersion) != MEMORY_MODULE_IS_PREVIEW(MEMORY_MODULE_MINOR_VERSION) ||
+					(MEMORY_MODULE_IS_PREVIEW(MEMORY_MODULE_MINOR_VERSION) ? MmpGlobalDataPtr->MinorVersion != MEMORY_MODULE_MINOR_VERSION :
+						MmpGlobalDataPtr->MinorVersion < MEMORY_MODULE_MINOR_VERSION)) {
 					status = STATUS_NOT_SUPPORTED;
 				}
 				else {
@@ -458,6 +464,7 @@ NTSTATUS InitializeLockHeld() {
 		MmpGlobalDataPtr->MmpTls = (PMMP_TLS_DATA)((LPBYTE)MmpGlobalDataPtr->MmpLdrEntry + sizeof(MMP_LDR_ENTRY_DATA));
 		MmpGlobalDataPtr->MmpDotNet = (PMMP_DOT_NET_DATA)((LPBYTE)MmpGlobalDataPtr->MmpTls + sizeof(MMP_TLS_DATA));
 		MmpGlobalDataPtr->MmpFunctions = (PMMP_FUNCTIONS)((LPBYTE)MmpGlobalDataPtr->MmpDotNet + sizeof(MMP_DOT_NET_DATA));
+		MmpGlobalDataPtr->MmpIat = (PMMP_IAT_DATA)((LPBYTE)MmpGlobalDataPtr->MmpFunctions + sizeof(MMP_FUNCTIONS));
 
 		PLDR_DATA_TABLE_ENTRY pNtdllEntry = RtlFindLdrTableEntryByBaseName(L"ntdll.dll");
 		MmpGlobalDataPtr->MmpBaseAddressIndex->NtdllLdrEntry = pNtdllEntry;
@@ -480,6 +487,14 @@ NTSTATUS InitializeLockHeld() {
 		MmpGlobalDataPtr->MmpFunctions->_MmpHandleTlsData = MmpHandleTlsData;
 		MmpGlobalDataPtr->MmpFunctions->_MmpReleaseTlsEntry = MmpReleaseTlsEntry;
 
+		InitializeCriticalSection(&MmpGlobalDataPtr->MmpIat->MmpIatResolverListLock);
+		InitializeListHead(&MmpGlobalDataPtr->MmpIat->MmpIatResolverList);
+		InitializeListHead(&MmpGlobalDataPtr->MmpIat->MmpIatResolverHead.InMmpIatResolverList);
+		MmpGlobalDataPtr->MmpIat->MmpIatResolverHead.LoadLibraryProv = LoadLibraryA;
+		MmpGlobalDataPtr->MmpIat->MmpIatResolverHead.FreeLibraryProv = FreeLibrary;
+		MmpGlobalDataPtr->MmpIat->MmpIatResolverHead.ReferenceCount = 1;
+		InsertTailList(&MmpGlobalDataPtr->MmpIat->MmpIatResolverList, &MmpGlobalDataPtr->MmpIat->MmpIatResolverHead.InMmpIatResolverList);
+
 		MmpTlsInitialize();
 
 		MmpGlobalDataPtr->MmpDotNet->Initialized = MmpGlobalDataPtr->MmpDotNet->PreHooked = FALSE;

MemoryModule/LdrEntry.cpp

@@ -151,7 +151,8 @@ BOOL NTAPI RtlInitializeLdrDataTableEntry(
 		entry->DdagNode->LoadCount = 1;
 		if (IsWin8) ((_LDR_DDAG_NODE_WIN8*)(entry->DdagNode))->ReferenceCount = 1;
 		entry->ImageDll = entry->LoadNotificationsSent = entry->EntryProcessed =
-			entry->InLegacyLists = entry->InIndexes = entry->ProcessAttachCalled = true;
+			entry->InLegacyLists = entry->InIndexes = true;
+		entry->ProcessAttachCalled = headers->OptionalHeader.AddressOfEntryPoint != 0;
 		entry->InExceptionTable = !(dwFlags & LOAD_FLAGS_NOT_ADD_INVERTED_FUNCTION);
 		entry->CorImage = CorImage;
 		entry->CorILOnly = CorIL;
@@ -184,7 +185,10 @@ BOOL NTAPI RtlInitializeLdrDataTableEntry(
 		LdrEntry->EntryPoint = (PLDR_INIT_ROUTINE)((size_t)BaseAddress + headers->OptionalHeader.AddressOfEntryPoint);
 		LdrEntry->ObsoleteLoadCount = 1;
 		if (!FlagsProcessed) {
-			LdrEntry->Flags = LDRP_IMAGE_DLL | LDRP_ENTRY_INSERTED | LDRP_ENTRY_PROCESSED | LDRP_PROCESS_ATTACH_CALLED;
+			LdrEntry->Flags = LDRP_IMAGE_DLL | LDRP_ENTRY_INSERTED | LDRP_ENTRY_PROCESSED;
+
+			if (headers->OptionalHeader.AddressOfEntryPoint != 0)LdrEntry->Flags |= LDRP_PROCESS_ATTACH_CALLED;
+
 			if (CorImage)LdrEntry->Flags |= LDRP_COR_IMAGE;
 		}
 		InitializeListHead(&LdrEntry->HashLinks);

MemoryModule/Loader.cpp

@@ -1,4 +1,5 @@
 #include "stdafx.h"
+#include <cmath>
 
 NTSTATUS NTAPI LdrMapDllMemory(
 	_In_ HMEMORYMODULE ViewBase,
@@ -64,6 +65,7 @@ NTSTATUS NTAPI LdrLoadDllMemoryExW(
 	if (dwFlags & LOAD_FLAGS_USE_DLL_NAME && (!DllName || !DllFullName))return STATUS_INVALID_PARAMETER_3;
 
 	if (DllName) {
+		int length = (int)wcslen(DllName);
 		PLIST_ENTRY ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList, ListEntry = ListHead->Flink;
 		PIMAGE_NT_HEADERS h1 = RtlImageNtHeader(BufferAddress), h2 = nullptr;
 		if (!h1)return STATUS_INVALID_IMAGE_FORMAT;
@@ -74,11 +76,19 @@ NTSTATUS NTAPI LdrLoadDllMemoryExW(
 
 			/* Check if it's being unloaded */
 			if (!CurEntry->InMemoryOrderLinks.Flink) continue;
+
+			auto dist = (CurEntry->BaseDllName.Length / sizeof(wchar_t)) - length;
+			bool equal = false;
+			if (dist == 0 || dist == 4) {
+				equal = !_wcsnicmp(DllName, CurEntry->BaseDllName.Buffer, length);
+			}
+			else {
+				continue;
+			}
 
 			/* Check if name matches */
-			if (!_wcsnicmp(DllName, CurEntry->BaseDllName.Buffer, (CurEntry->BaseDllName.Length / sizeof(wchar_t)) - 4) ||
-				!_wcsnicmp(DllName, CurEntry->BaseDllName.Buffer, CurEntry->BaseDllName.Length / sizeof(wchar_t))) {
-			
+			if (equal) {
+
 				/* Let's compare their headers */
 				if (!(h2 = RtlImageNtHeader(CurEntry->DllBase)))continue;
 				if (!(module = MapMemoryModuleHandle((HMEMORYMODULE)CurEntry->DllBase)))continue;