refactoring, update ci build scripts, etc

- cache results of CompareWindowsVersion() to shared variables to cut
down on redundant calls
- apply appveyor build version to artifacts (wip, could be broken)
- add .gitattributes
- finish patternfind.c (snr funcs unused, untested)
- delete COPYING.txt (it is created from LICENSE during the build
process)

wufuc/core.c

@@ -1,12 +1,12 @@
-#include <stdint.h>
 #include <Windows.h>
-#include <Psapi.h>
-#include <TlHelp32.h>
+#include <stdint.h>
 #include <tchar.h>
+#include <Psapi.h>
 #include <sddl.h>
 #include "service.h"
-#include "util.h"
 #include "patternfind.h"
+#include "util.h"
+#include "shared.h"
 #include "core.h"
 
 DWORD WINAPI NewThreadProc(LPVOID lpParam) {
@@ -23,8 +23,8 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
     }
 
     SECURITY_ATTRIBUTES sa;
-    sa.nLength = sizeof(sa);
-    ConvertStringSecurityDescriptorToSecurityDescriptor(_T("D:PAI(A;;FA;;;BA)"), SDDL_REVISION_1, &(sa.lpSecurityDescriptor), NULL);
+    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+    ConvertStringSecurityDescriptorToSecurityDescriptor(_T("D:PAI(A;;FA;;;BA)"), SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL);
     sa.bInheritHandle = FALSE;
 
     HANDLE hEvent = CreateEvent(&sa, TRUE, FALSE, _T("Global\\wufuc_UnloadEvent"));
@@ -70,21 +70,23 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
 BOOL PatchWUAgentHMODULE(HMODULE hModule) {
     LPSTR pattern;
     SIZE_T offset00, offset01;
-    if (Is64BitWindows()) {
+#ifdef _AMD64_
         pattern = "FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????";
         offset00 = 10;
         offset01 = 18;
-    } else if (WindowsVersionCompare(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) {
+#elif defined(_X86_)
+    if (g_IsWindows7) {
         pattern = "833D????????00 743E E8???????? A3????????";
         offset00 = 2;
         offset01 = 15;
-    } else if (WindowsVersionCompare(VER_EQUAL, 6, 3, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) {
+    } else if (g_IsWindows8Point1) {
         pattern = "8BFF 51 833D????????00 7507 A1????????";
         offset00 = 5;
         offset01 = 13;
     } else {
         return FALSE;
     }
+#endif
 
     MODULEINFO modinfo;
     GetModuleInformation(GetCurrentProcess(), hModule, &modinfo, sizeof(MODULEINFO));
@@ -99,14 +101,14 @@ BOOL PatchWUAgentHMODULE(HMODULE hModule) {
     _tdbgprintf(_T("Found address of IsDeviceServiceable. (%p)"), fpIsDeviceServiceable);
     BOOL result = FALSE;
     LPBOOL lpbFirstRun, lpbIsCPUSupportedResult;
-    if (Is64BitWindows()) {
+#ifdef _WIN64
         lpbFirstRun = (LPBOOL)(fpIsDeviceServiceable + offset00 + sizeof(uint32_t) + *(uint32_t *)(fpIsDeviceServiceable + offset00));
         lpbIsCPUSupportedResult = (LPBOOL)(fpIsDeviceServiceable + offset01 + sizeof(uint32_t) + *(uint32_t *)(fpIsDeviceServiceable + offset01));
-    } else {
+#elif defined(_WIN32)
         lpbFirstRun = (LPBOOL)(*(uintptr_t *)(fpIsDeviceServiceable + offset00));
         lpbIsCPUSupportedResult = (LPBOOL)(*(uintptr_t *)(fpIsDeviceServiceable + offset01));
-    }
-    
+#endif
+
     if (*lpbFirstRun) {
         *lpbFirstRun = FALSE;
         _tdbgprintf(_T("Changed first run to FALSE. (%p=%08x)"), lpbFirstRun, *lpbFirstRun);
@@ -114,7 +116,7 @@ BOOL PatchWUAgentHMODULE(HMODULE hModule) {
     }
     if (!*lpbIsCPUSupportedResult) {
         *lpbIsCPUSupportedResult = TRUE;
-        _tdbgprintf(_T("Changed cached result to TRUE. (%p=%08x)."), 
+        _tdbgprintf(_T("Changed cached result to TRUE. (%p=%08x)."),
             lpbIsCPUSupportedResult, *lpbIsCPUSupportedResult);
         result = TRUE;
     }

wufuc/dllmain.c

@@ -1,18 +1,19 @@
 #include <Windows.h>
 #include "core.h"
 #include "util.h"
+#include "shared.h"
 
 BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
     switch (ul_reason_for_call) {
     case DLL_PROCESS_ATTACH:
     {
-        DisableThreadLibraryCalls(hModule);
-        if (WindowsVersionCompare(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)
-            || WindowsVersionCompare(VER_EQUAL, 6, 3, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) {
-
-            HANDLE hThread = CreateThread(NULL, 0, NewThreadProc, NULL, 0, NULL);
-            CloseHandle(hThread);
+        if (!IsOperatingSystemSupported(&g_IsWindows7, &g_IsWindows8Point1)) {
+            return FALSE;
         }
+
+        DisableThreadLibraryCalls(hModule);
+        HANDLE hThread = CreateThread(NULL, 0, NewThreadProc, NULL, 0, NULL);
+        CloseHandle(hThread);
         break;
     }
     case DLL_PROCESS_DETACH:

wufuc/patternfind.c

@@ -1,7 +1,7 @@
 #include <Windows.h>
 #include "patternfind.h"
 
-/*  Work in progress. Ported to C from x64dbg's patternfind.cpp:
+/*  Ported to C from x64dbg's patternfind.cpp:
       <https://github.com/x64dbg/x64dbg/blob/development/src/dbg/patternfind.cpp>
 
     x64dbg license (GPL-3.0):
@@ -82,36 +82,36 @@ SIZE_T patternfind(LPCBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR patt
     return result;
 }
 
-//VOID patternwritebyte(LPBYTE byte, LPPATTERNBYTE pbyte) {
-//    BYTE n1 = (*byte >> 4) & 0xf;
-//    BYTE n2 = *byte & 0xf;
-//    if (!pbyte->nibble[0].wildcard) {
-//        n1 = pbyte->nibble[0].data;
-//    }
-//    if (!pbyte->nibble[1].wildcard) {
-//        n2 = pbyte->nibble[1].data;
-//    }
-//    *byte = ((n1 << 4) & 0xf0) | (n2 & 0xf);
-//}
-//
-//VOID patternwrite(LPBYTE data, SIZE_T datasize, LPCSTR pattern) {
-//    SIZE_T writepatternsize = strlen(pattern);
-//    if (writepatternsize > datasize) {
-//        writepatternsize = datasize;
-//    }
-//    LPPATTERNBYTE writepattern = calloc(writepatternsize, sizeof(PATTERNBYTE));
-//    if (!patterntransform(pattern, writepattern, &writepatternsize)) {
-//        return;
-//    }
-//    for (size_t i = 0; i < writepatternsize; i++) {
-//        patternwritebyte(&data[i], &writepattern[i]);
-//    }
-//}
-//
-//SIZE_T patternsnr(LPBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR searchpattern, LPCSTR replacepattern) {
-//    SIZE_T result = patternfind(data, datasize, startindex, searchpattern, NULL, 0);
-//    if (result == -1)
-//        return result;
-//    patternwrite(data + result, datasize - result, replacepattern);
-//    return result;
-//}
+VOID patternwritebyte(LPBYTE byte, LPPATTERNBYTE pbyte) {
+    BYTE n1 = (*byte >> 4) & 0xf;
+    BYTE n2 = *byte & 0xf;
+    if (!pbyte->nibble[0].wildcard) {
+        n1 = pbyte->nibble[0].data;
+    }
+    if (!pbyte->nibble[1].wildcard) {
+        n2 = pbyte->nibble[1].data;
+    }
+    *byte = ((n1 << 4) & 0xf0) | (n2 & 0xf);
+}
+
+VOID patternwrite(LPBYTE data, SIZE_T datasize, LPCSTR pattern) {
+    SIZE_T writepatternsize = strlen(pattern);
+    if (writepatternsize > datasize) {
+        writepatternsize = datasize;
+    }
+    LPPATTERNBYTE writepattern = calloc(writepatternsize, sizeof(PATTERNBYTE));
+    if (!patterntransform(pattern, writepattern, &writepatternsize)) {
+        return;
+    }
+    for (size_t i = 0; i < writepatternsize; i++) {
+        patternwritebyte(&data[i], &writepattern[i]);
+    }
+}
+
+SIZE_T patternsnr(LPBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR searchpattern, LPCSTR replacepattern) {
+    SIZE_T result = patternfind(data, datasize, startindex, searchpattern);
+    if (result == -1)
+        return result;
+    patternwrite(data + result, datasize - result, replacepattern);
+    return result;
+}

wufuc/patternfind.h

@@ -11,6 +11,6 @@ int hexchtoint(CHAR ch);
 SIZE_T formathexpattern(LPCSTR patterntext, LPSTR formattext, SIZE_T formattextsize);
 BOOL patterntransform(LPCSTR patterntext, LPPATTERNBYTE pattern, SIZE_T *patternsize);
 SIZE_T patternfind(LPCBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR pattern);
-//VOID patternwritebyte(LPBYTE byte, LPPATTERNBYTE pbyte);
-//VOID patternwrite(LPBYTE data, SIZE_T datasize, LPCSTR pattern)
-//SIZE_T patternsnr(LPBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR searchpattern, LPCSTR replacepattern);
+VOID patternwritebyte(LPBYTE byte, LPPATTERNBYTE pbyte);
+VOID patternwrite(LPBYTE data, SIZE_T datasize, LPCSTR pattern);
+SIZE_T patternsnr(LPBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR searchpattern, LPCSTR replacepattern);

wufuc/rundll32.c

@@ -3,11 +3,10 @@
 #include <tchar.h>
 #include "service.h"
 #include "util.h"
+#include "shared.h"
 
 void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
-    if (!WindowsVersionCompare(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)
-        && !WindowsVersionCompare(VER_EQUAL, 6, 3, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) {
-
+    if (!g_IsWindows7 && !g_IsWindows8Point1) {
         return;
     }
 

wufuc/service.h

@@ -2,19 +2,14 @@
 
 
 BOOL get_svcdllA(LPCSTR lpServiceName, LPSTR lpServiceDll, DWORD dwSize);
-
 BOOL get_svcdllW(LPCWSTR lpServiceName, LPWSTR lpServiceDll, DWORD dwSize);
+BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessId);
+BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupName, SIZE_T dwSize);
+BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize);
+BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId);
 
 #ifdef UNICODE
 #define get_svcdll get_svcdllW
 #else
 #define get_svcdll get_svcdllA
 #endif
-
-BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessId);
-
-BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupName, SIZE_T dwSize);
-
-BOOL get_svcpath(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpBinaryPathName, SIZE_T dwSize);
-
-BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwProcessId);

wufuc/shared.c

@@ -0,0 +1,4 @@
+#include <Windows.h>
+
+BOOL g_IsWindows7 = FALSE;
+BOOL g_IsWindows8Point1 = FALSE;

wufuc/shared.h

@@ -0,0 +1,4 @@
+#pragma once
+
+extern BOOL g_IsWindows7;
+extern BOOL g_IsWindows8Point1;

wufuc/util.c

@@ -1,25 +1,9 @@
 #include <Windows.h>
 #include <stdio.h>
-#include <TlHelp32.h>
 #include <tchar.h>
+#include <TlHelp32.h>
 #include "util.h"
-
-VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID lpNewAddress) {
-    LPVOID *lpAddress = FindIAT(hModule, lpFuncName);
-    if (!lpAddress || *lpAddress == lpNewAddress) {
-        return;
-    }
-
-    DWORD flOldProtect;
-    DWORD flNewProtect = PAGE_READWRITE;
-    VirtualProtect(lpAddress, sizeof(LPVOID), flNewProtect, &flOldProtect);
-    if (lpOldAddress) {
-        *lpOldAddress = *lpAddress;
-    }
-    _dbgprintf("Detoured %s from %p to %p.", lpFuncName, *lpAddress, lpNewAddress);
-    *lpAddress = lpNewAddress;
-    VirtualProtect(lpAddress, sizeof(LPVOID), flOldProtect, &flNewProtect);
-}
+#include "shared.h"
 
 LPVOID *FindIAT(HMODULE hModule, LPSTR lpFunctionName) {
     uintptr_t hm = (uintptr_t)hModule;
@@ -38,6 +22,23 @@ LPVOID *FindIAT(HMODULE hModule, LPSTR lpFunctionName) {
     return NULL;
 }
 
+VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID lpNewAddress) {
+    LPVOID *lpAddress = FindIAT(hModule, lpFuncName);
+    if (!lpAddress || *lpAddress == lpNewAddress) {
+        return;
+    }
+
+    DWORD flOldProtect;
+    DWORD flNewProtect = PAGE_READWRITE;
+    VirtualProtect(lpAddress, sizeof(LPVOID), flNewProtect, &flOldProtect);
+    if (lpOldAddress) {
+        *lpOldAddress = *lpAddress;
+    }
+    _dbgprintf("Detoured %s from %p to %p.", lpFuncName, *lpAddress, lpNewAddress);
+    *lpAddress = lpNewAddress;
+    VirtualProtect(lpAddress, sizeof(LPVOID), flOldProtect, &flNewProtect);
+}
+
 VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb) {
     HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
     THREADENTRY32 te;
@@ -68,7 +69,7 @@ VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T cb) {
     _tdbgprintf(_T("Resumed %d other threads."), cb);
 }
 
-BOOL WindowsVersionCompare(BYTE Operator, DWORD dwMajorVersion, DWORD dwMinorVersion, WORD wServicePackMajor, WORD wServicePackMinor, DWORD dwTypeMask) {
+BOOL CompareWindowsVersion(BYTE Operator, DWORD dwMajorVersion, DWORD dwMinorVersion, WORD wServicePackMajor, WORD wServicePackMinor, DWORD dwTypeMask) {
     OSVERSIONINFOEX osvi;
     ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
     osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
@@ -86,16 +87,12 @@ BOOL WindowsVersionCompare(BYTE Operator, DWORD dwMajorVersion, DWORD dwMinorVer
     return VerifyVersionInfo(&osvi, dwTypeMask, dwlConditionMask);
 }
 
-BOOL Is64BitWindows(void) {
-#if defined(_WIN64)
-    return TRUE;  // 64-bit programs run only on Win64
-#elif defined(_WIN32)
-    // 32-bit programs run on both 32-bit and 64-bit Windows
-    // so must sniff
-    BOOL f64 = FALSE;
-    return IsWow64Process(GetCurrentProcess(), &f64) && f64;
+BOOL IsOperatingSystemSupported(LPBOOL lpbIsWindows7, LPBOOL lpbIsWindows8Point1) {
+#if !defined(_AMD64_) && !defined(_X86_)
+    return FALSE;
 #else
-    return FALSE; // Win64 does not support Win16
+    return (*lpbIsWindows7 = CompareWindowsVersion(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION))
+        || (*lpbIsWindows8Point1 = CompareWindowsVersion(VER_EQUAL, 6, 3, 0, 0, VER_MAJORVERSION | VER_MINORVERSION));
 #endif
 }
 

wufuc/util.h

@@ -3,33 +3,26 @@
 EXTERN_C IMAGE_DOS_HEADER __ImageBase;
 #define HINST_THISCOMPONENT ((HINSTANCE)&__ImageBase)
 
+LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName);
 VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID lpNewAddress);
 
-#define DETOUR_IAT(x, y) \
-	LPVOID __LPORIGINAL##y; \
-	DetourIAT(x, #y, &__LPORIGINAL##y, &_##y)
-
-#define RESTORE_IAT(x, y) \
-	DetourIAT(x, #y, NULL, __LPORIGINAL##y)
-
-LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName);
-
 VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb);
-
 VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T dwSize);
 
-BOOL WindowsVersionCompare(BYTE Operator, DWORD dwMajorVersion, DWORD dwMinorVersion, WORD wServicePackMajor, WORD wServicePackMinor, DWORD dwTypeMask);
-
-BOOL Is64BitWindows(void);
+BOOL CompareWindowsVersion(BYTE Operator, DWORD dwMajorVersion, DWORD dwMinorVersion, WORD wServicePackMajor, WORD wServicePackMinor, DWORD dwTypeMask);
+BOOL IsOperatingSystemSupported(LPBOOL lpbIsWindows7, LPBOOL lpbIsWindows8Point1);
 
 VOID _wdbgprintf(LPCWSTR format, ...);
 VOID _dbgprintf(LPCSTR format, ...);
-//#ifdef _DEBUG
+
+#define DETOUR_IAT(x, y) \
+    LPVOID _LPORIGINAL##y; \
+    DetourIAT(x, #y, &_LPORIGINAL##y, &_##y)
+#define RESTORE_IAT(x, y) \
+    DetourIAT(x, #y, NULL, _LPORIGINAL##y)
+
 #ifdef UNICODE
-#define _tdbgprintf _wdbgprintf
+#define _tdbgprintf  _wdbgprintf
 #else
-#define _tdbgprintf _dbgprintf
+#define _tdbgprintf  _dbgprintf
 #endif // !UNICODE
-//#else
-//#define _tdbgprintf(format, ...)
-//#endif // !_DEBUG

wufuc/wufuc.vcxproj

@@ -180,6 +180,7 @@
     <ClCompile Include="patternfind.c" />
     <ClCompile Include="rundll32.c" />
     <ClCompile Include="service.c" />
+    <ClCompile Include="shared.c" />
     <ClCompile Include="util.c" />
   </ItemGroup>
   <ItemGroup>
@@ -187,6 +188,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="core.h" />
+    <ClInclude Include="shared.h" />
     <ClInclude Include="patternfind.h" />
     <ClInclude Include="service.h" />
     <ClInclude Include="shellapihelper.h" />