From c8fa45f002d1082d1c2cfe2a04fef42bc6b8e444 Mon Sep 17 00:00:00 2001
From: zeffy
Date: Thu, 5 Oct 2017 15:29:32 -0700
Subject: [PATCH] fix crash on windows 7 x86 (still need to fix issue in windows 8.1)
---
 README.md | 4 ++--
 wufuc/appverifier.h | 2 +-
 wufuc/dllmain.c | 13 +++++++------
 wufuc/helpers.h | 1 -
 wufuc/patchwua.c | 2 +-
 wufuc/patternfind.c | 32 ++++++++++++++++----------------
 6 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/README.md b/README.md
index 07bddec..5e5985f 100644
--- a/README.md
+++ b/README.md
@@ -65,6 +65,6 @@ The installer packages are created with Advanced Installer using an [open source ## Special thanks -- Alex Ionescu ([@ionescu007](https://github.com/ionescu007)) for his [_"Hooking Nirvana"_ presentation at REcon 2015](https://www.youtube.com/watch?v=bqU0y4FzvT0) and its corresponding [repository of example code](https://github.com/ionescu007/HookingNirvana). wufuc v0.8+ could not have been possible without his great work. +- Alex Ionescu ([@ionescu007](https://github.com/ionescu007)) for his [_"Hooking Nirvana"_ presentation at REcon 2015](https://www.youtube.com/watch?v=bqU0y4FzvT0) and its corresponding [repository of example code](https://github.com/ionescu007/HookingNirvana). - Wen Jia Liu ([@wj32](https://github.com/wj32)) for his awesome program [Process Hacker](https://github.com/processhacker2/processhacker) which has been absolutely instrumental in the development of wufuc, and also for his [`phnt`](https://github.com/processhacker2/processhacker/tree/master/phnt) headers. -- Duncan Ogilvie ([@mrexodia](https://github.com/mrexodia)) for his [`patternfind.cpp`](https://github.com/x64dbg/x64dbg/blob/development/src/dbg/patternfind.cpp) algorithm from [x64dbg](https://github.com/x64dbg/x64dbg). \ No newline at end of file +- Duncan Ogilvie ([@mrexodia](https://github.com/mrexodia)) for his [`patternfind.cpp`](https://github.com/x64dbg/x64dbg/blob/development/src/dbg/patternfind.cpp) algorithm from [x64dbg](https://github.com/x64dbg/x64dbg). diff --git a/wufuc/appverifier.h b/wufuc/appverifier.h index 1cd53e1..c2c452b 100644 --- a/wufuc/appverifier.h +++ b/wufuc/appverifier.h 
@@ -41,4 +41,4 @@ typedef struct tagRTL_VERIFIER_PROVIDER_DESCRIPTOR extern RTL_VERIFIER_THUNK_DESCRIPTOR g_vfADVAPIThunkDescriptors[]; extern RTL_VERIFIER_THUNK_DESCRIPTOR g_vfK32ThunkDescriptors[]; extern RTL_VERIFIER_DLL_DESCRIPTOR g_vfDllDescriptors[]; -extern RTL_VERIFIER_PROVIDER_DESCRIPTOR g_vfProviderDescriptor; \ No newline at end of file +extern RTL_VERIFIER_PROVIDER_DESCRIPTOR g_vfProviderDescriptor; diff --git a/wufuc/dllmain.c b/wufuc/dllmain.c index a6fbb76..2cc2a5b 100644 --- a/wufuc/dllmain.c +++ b/wufuc/dllmain.c @@ -35,20 +35,21 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserv if ( verify_winver(6, 1, 0, 0, 0, VER_EQUAL, VER_EQUAL, 0, 0, 0) || verify_winver(6, 3, 0, 0, 0, VER_EQUAL, VER_EQUAL, 0, 0, 0) ) { - RTL_QUERY_REGISTRY_TABLE QueryTable; + RTL_QUERY_REGISTRY_TABLE QueryTable[2]; RtlSecureZeroMemory(&QueryTable, sizeof(QueryTable)); - QueryTable.Name = L"ImagePath"; - QueryTable.Flags = RTL_QUERY_REGISTRY_DIRECT; + QueryTable[0].Name = L"ImagePath"; + QueryTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT; UNICODE_STRING ImagePath; RtlInitUnicodeString(&ImagePath, NULL); - QueryTable.EntryContext = &ImagePath; + QueryTable[0].EntryContext = &ImagePath; + + //TODO: check status and maybe fix implementation? idk... NTSTATUS Status = RtlQueryRegistryValues(RTL_REGISTRY_SERVICES, L"wuauserv", - &QueryTable, + QueryTable, NULL, NULL); - // TODO: check status and maybe fix implementation? idk... if ( !RtlCompareUnicodeString(&NtCurrentPeb()->ProcessParameters->CommandLine, &ImagePath, TRUE) ) g_vfProviderDescriptor.ProviderDlls = g_vfDllDescriptors; } diff --git a/wufuc/helpers.h b/wufuc/helpers.h index 16b6055..3804e9d 100644 --- a/wufuc/helpers.h +++ b/wufuc/helpers.h @@ -22,4 +22,3 @@ BOOL file_exists(const wchar_t *path); int compare_versions( WORD wMajorA, WORD wMinorA, WORD wBuildA, WORD wRevisionA, WORD wMajorB, WORD wMinorB, WORD wBuildB, WORD wRevisionB); - 
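Review bot: In the `wufuc/dllmain.c` hunk, `Status` is assigned from `RtlQueryRegistryValues` but never read, so a failed `ImagePath` query still reaches `RtlCompareUnicodeString` with an `ImagePath` that was never filled in. Gate the decision on it and drop the TODO: `if ( NT_SUCCESS(Status) && !RtlCompareUnicodeString(&NtCurrentPeb()->ProcessParameters->CommandLine, &ImagePath, TRUE) )`. Because `ImagePath` starts with a NULL buffer, the direct query presumably allocates the string, and nothing visible here releases it; if so, add `RtlFreeUnicodeString(&ImagePath);` after the comparison. The reason for `QueryTable[2]` deserves a comment at the declaration, e.g. `// second entry stays zeroed; it appears to act as the table terminator`. `DllMain` begins and ends outside the hunk.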
diff --git a/wufuc/patchwua.c b/wufuc/patchwua.c index b77f888..8a0187b 100644 --- a/wufuc/patchwua.c +++ b/wufuc/patchwua.c @@ -74,4 +74,4 @@ bool patch_wua(void *lpBaseOfDll, size_t SizeOfImage, wchar_t *fname) } L_ret: return result; -} \ No newline at end of file +} diff --git a/wufuc/patternfind.c b/wufuc/patternfind.c index fa588a4..966821e 100644 --- a/wufuc/patternfind.c +++ b/wufuc/patternfind.c @@ -98,21 +98,6 @@ static inline bool patternmatchbyte(unsigned char byte, const PatternByte pbyte) return (matched == 2); } -unsigned char *patternfind3(unsigned char *data, size_t datasize, const PatternByte *pattern, size_t searchpatternsize) -{ - for ( size_t i = 0, pos = 0; i < datasize; i++ ) { //search for the pattern - if ( patternmatchbyte(data[i], pattern[pos]) ) { //check if our pattern matches the current byte - pos++; - if ( pos == searchpatternsize ) //everything matched - return &data[i - searchpatternsize + 1]; - } else if ( pos > 0 ) { //fix by Computer_Angel - i -= pos; - pos = 0; //reset current pattern position - } - } - return NULL; -} - unsigned char *patternfind(unsigned char *data, size_t datasize, const char *pattern) { size_t searchpatternsize = formathexpattern(pattern, NULL, 0) / 2; @@ -176,4 +161,19 @@ bool patternsnr(unsigned char *data, size_t datasize, const char *searchpattern, return false; patternwrite(found, datasize - (found - data), replacepattern); return true; -} \ No newline at end of file +} + +unsigned char *patternfind3(unsigned char *data, size_t datasize, const PatternByte *pattern, size_t searchpatternsize) +{ + for ( size_t i = 0, pos = 0; i < datasize; i++ ) { //search for the pattern + if ( patternmatchbyte(data[i], pattern[pos]) ) { //check if our pattern matches the current byte + pos++; + if ( pos == searchpatternsize ) //everything matched + return &data[i - searchpatternsize + 1]; + } else if ( pos > 0 ) { //fix by Computer_Angel + i -= pos; + pos = 0; //reset current pattern position + } + } + return NULL; +}
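Review bot: In the second `wufuc/patternfind.c` hunk, the re-added `patternfind3` has no guard for `searchpatternsize == 0`. In that case the loop reads `pattern[0]`, and on a match `pos` moves past zero, so it can never equal `searchpatternsize` and `pattern[pos]` keeps being indexed beyond the pattern. Nothing in the hunk shows callers excluding an empty pattern, so an early `if ( !searchpatternsize || searchpatternsize > datasize ) return NULL;` before the loop would make the bound explicit. A short header comment stating that the function returns a pointer to the first match inside `data`, or `NULL`, would also help, since the result is later written through by `patternwrite`.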