Vichingo455/wufuc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactoring

Browse Source
This commit is contained in:
zeffy
2017-06-05 15:17:39 -07:00
parent 2f4355e616
commit 9d90abc0de
3 changed files with 36 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
wufuc/core.c
View File

@@ -119,17 +119,16 @@ BOOL PatchWUModule(HMODULE hModule) {
if (!FindPattern(modinfo.lpBaseOfDll, modinfo.SizeOfImage, lpszPattern, 0, &offset)) { if (!FindPattern(modinfo.lpBaseOfDll, modinfo.SizeOfImage, lpszPattern, 0, &offset)) {
return FALSE; return FALSE;
} }
_tdbgprintf(_T("IsDeviceServiceable(void) matched at %p"), (UINT_PTR)modinfo.lpBaseOfDll + offset); SIZE_T rva = (SIZE_T)modinfo.lpBaseOfDll + offset;
_tdbgprintf(_T("IsDeviceServiceable(void) matched at %IX"), rva);
DWORD *lpdwResultIsNotCachedOffset = (DWORD *)((UINT_PTR)modinfo.lpBaseOfDll + offset + n1); BOOL *lpbNotRunOnce = (BOOL *)(rva + n1 + sizeof(DWORD) + *(DWORD *)(rva + n1));
BOOL *lpbResultIsNotCached = (BOOL *)((UINT_PTR)modinfo.lpBaseOfDll + offset + n1 + sizeof(DWORD) + *lpdwResultIsNotCachedOffset); if (*lpbNotRunOnce) {
if (*lpbResultIsNotCached) { *lpbNotRunOnce = FALSE;
*lpbResultIsNotCached = FALSE; _tdbgprintf(_T("Patched %p=%d"), lpbNotRunOnce, *lpbNotRunOnce);
_tdbgprintf(_T("Patched %p=%d"), lpbResultIsNotCached, *lpbResultIsNotCached);
} }
DWORD *lpdwCachedResultOffset = (DWORD *)((UINT_PTR)modinfo.lpBaseOfDll + offset + n2); BOOL *lpbCachedResult = (BOOL *)(rva + n2 + sizeof(DWORD) + *(DWORD *)(rva + n2));
BOOL *lpbCachedResult = (BOOL *)((UINT_PTR)modinfo.lpBaseOfDll + offset + n2 + sizeof(DWORD) + *lpdwCachedResultOffset);
if (!*lpbCachedResult) { if (!*lpbCachedResult) {
*lpbCachedResult = TRUE; *lpbCachedResult = TRUE;
_tdbgprintf(_T("Patched %p=%d"), lpbCachedResult, *lpbCachedResult); _tdbgprintf(_T("Patched %p=%d"), lpbCachedResult, *lpbCachedResult);

13
wufuc/service.c
View File

@@ -35,7 +35,6 @@ BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessI
if (QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO, (LPBYTE)&lpBuffer, sizeof(lpBuffer), &cbBytesNeeded) && lpBuffer.dwProcessId) { if (QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO, (LPBYTE)&lpBuffer, sizeof(lpBuffer), &cbBytesNeeded) && lpBuffer.dwProcessId) {
*lpdwProcessId = lpBuffer.dwProcessId; *lpdwProcessId = lpBuffer.dwProcessId;
result = TRUE; result = TRUE;
_tdbgprintf(_T("QueryServiceProcessId: Found %s pid %d"), lpServiceName, *lpdwProcessId);
} }
CloseServiceHandle(hService); CloseServiceHandle(hService);
return result; return result;
@@ -62,7 +61,6 @@ BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupNam
if (!_tcsicmp(*(p++), _T("-k"))) { if (!_tcsicmp(*(p++), _T("-k"))) {
_tcscpy_s(lpGroupName, dwSize, *p); _tcscpy_s(lpGroupName, dwSize, *p);
result = TRUE; result = TRUE;
_tdbgprintf(_T("Found %s svc group: %s"), lpServiceName, lpGroupName);
break; break;
} }
} }
@@ -76,23 +74,18 @@ BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwPro
RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"), lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes); RegGetValue(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"), lpServiceGroupName, RRF_RT_REG_MULTI_SZ, NULL, pvData, &uBytes);
LPTSTR lpSvc = (LPTSTR)pvData;
BOOL result = FALSE; BOOL result = FALSE;
while (*lpSvc) { for (LPTSTR p = (LPTSTR)pvData; *p; p += _tcslen(p) + 1) {
DWORD dwProcessId; DWORD dwProcessId;
TCHAR group[256]; TCHAR group[256];
if (get_svcpid(hSCManager, lpSvc, &dwProcessId)) { if (get_svcpid(hSCManager, p, &dwProcessId)) {
get_svcgname(hSCManager, lpSvc, group, _countof(group)); get_svcgname(hSCManager, p, group, _countof(group));
result = !_tcsicmp(group, lpServiceGroupName); result = !_tcsicmp(group, lpServiceGroupName);
if (result) {
}
} }
if (result) { if (result) {
*lpdwProcessId = dwProcessId; *lpdwProcessId = dwProcessId;
break; break;
} }
lpSvc += _tcslen(lpSvc) + 1;
} }
LocalFree(pvData); LocalFree(pvData);
return result; return result;

52
wufuc/util.c
View File

@@ -29,55 +29,55 @@ VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID l
if (lpOldAddress) { if (lpOldAddress) {
*lpOldAddress = *lpAddress; *lpOldAddress = *lpAddress;
} }
_tdbgprintf(_T("%S %p => %p"), lpFuncName, *lpAddress, lpNewAddress); _dbgprintf("%s %p => %p", lpFuncName, *lpAddress, lpNewAddress);
*lpAddress = lpNewAddress; *lpAddress = lpNewAddress;
VirtualProtect(lpAddress, sizeof(LPVOID), flOldProtect, &flNewProtect); VirtualProtect(lpAddress, sizeof(LPVOID), flOldProtect, &flNewProtect);
} }
LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName) { LPVOID *FindIAT(HMODULE hModule, LPSTR lpFunctionName) {
PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)hModule; SIZE_T hm = (SIZE_T)hModule;
PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((LPBYTE)dos + dos->e_lfanew);
PIMAGE_IMPORT_DESCRIPTOR desc = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)dos + nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
for (PIMAGE_IMPORT_DESCRIPTOR iid = desc; iid->Name != 0; iid++) { for (PIMAGE_IMPORT_DESCRIPTOR iid = (PIMAGE_IMPORT_DESCRIPTOR)(hm +
for (int i = 0; *(i + (LPVOID*)(iid->FirstThunk + (SIZE_T)hModule)) != NULL; i++) { ((PIMAGE_NT_HEADERS)(hm + ((PIMAGE_DOS_HEADER)hm)->e_lfanew))->OptionalHeader
LPSTR name = (LPSTR)(*(i + (SIZE_T*)(iid->OriginalFirstThunk + (SIZE_T)hModule)) + (SIZE_T)hModule + 2); .DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
const uintptr_t n = (uintptr_t)name; .VirtualAddress); iid->Name; iid++) {
if (!(n & (sizeof(n) == 4 ? 0x80000000 : 0x8000000000000000)) && !_stricmp(lpFuncName, name)) {
return i + (LPVOID*)(iid->FirstThunk + (SIZE_T)hModule); LPVOID *p;
for (SIZE_T i = 0; *(p = i + (LPVOID *)(hm + iid->FirstThunk)); i++) {
LPSTR fn = (LPSTR)(hm + *(i + (SIZE_T *)(hm + iid->OriginalFirstThunk)) + 2);
if (!((uintptr_t)fn & IMAGE_ORDINAL_FLAG) && !_stricmp(lpFunctionName, fn)) {
return p;
} }
} }
} }
return NULL; return NULL;
} }
BOOL FindPattern(LPCBYTE lpBytes, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_T nStart, SIZE_T *lpOffset) { BOOL FindPattern(LPCBYTE pvData, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE_T nStart, SIZE_T *lpOffset) {
SIZE_T nPatternLength = strlen(lpszPattern); SIZE_T length = strlen(lpszPattern);
SIZE_T nMaskLength = nPatternLength / 2; SIZE_T nBytes;
if (nMaskLength > nNumberOfBytes || nPatternLength % 2) { if (length % 2 || (nBytes = length / 2) > nNumberOfBytes) {
return FALSE; return FALSE;
} }
LPBYTE lpPattern = malloc(nMaskLength * sizeof(BYTE)); LPBYTE lpBytes = malloc(nBytes * sizeof(BYTE));
BOOL *lpbMask = malloc(nMaskLength * sizeof(BOOL)); BOOL *lpbwc = malloc(nBytes * sizeof(BOOL));
LPSTR p = lpszPattern; LPSTR p = lpszPattern;
BOOL valid = TRUE; BOOL valid = TRUE;
for (SIZE_T i = 0; i < nMaskLength; i++) { for (SIZE_T i = 0; i < nBytes; i++) {
if (lpbMask[i] = strncmp(p, "??", 2)) { if ((lpbwc[i] = strncmp(p, "??", 2)) && sscanf_s(p, "%2hhx", &lpBytes[i]) != 1) {
if (sscanf_s(p, "%2hhx", &lpPattern[i]) != 1) {
valid = FALSE; valid = FALSE;
break; break;
}
} }
p += 2; p += 2;
} }
BOOL result = FALSE; BOOL result = FALSE;
if (valid) { if (valid) {
for (SIZE_T i = nStart; i < nNumberOfBytes - nStart - (nMaskLength - 1); i++) { for (SIZE_T i = nStart; i < nNumberOfBytes - nStart - (nBytes - 1); i++) {
BOOL found = TRUE; BOOL found = TRUE;
for (SIZE_T j = 0; j < nMaskLength; j++) { for (SIZE_T j = 0; j < nBytes; j++) {
if (lpbMask[j] && lpBytes[i + j] != lpPattern[j]) { if (lpbwc[j] && pvData[i + j] != lpBytes[j]) {
found = FALSE; found = FALSE;
break; break;
} }
@@ -89,8 +89,8 @@ BOOL FindPattern(LPCBYTE lpBytes, SIZE_T nNumberOfBytes, LPSTR lpszPattern, SIZE
} }
} }
} }
free(lpPattern); free(lpBytes);
free(lpbMask); free(lpbwc);
return result; return result;
} }