From cda46fbc9f348cddf0b85e1ecefb90e0d052644b Mon Sep 17 00:00:00 2001
From: zeffy
Date: Wed, 14 Jun 2017 03:29:14 -0700
Subject: [PATCH] 0.6.1 - fixed x86 support - added june updates to supported updates - minor changes
---
install/install_wufuc.bat | 14 ++--
install/uninstall_wufuc.bat | 10 ++-
install/utility scripts/disable_wufuc.bat | 10 +--
wufuc.sln | 4 --
wufuc/core.c | 75 +++++++++++-----------
wufuc/patternfind.c | 31 +++++----
wufuc/util.c | 2 +-
wufuc/version.rc | Bin 1712 -> 1712 bytes
8 files changed, 74 insertions(+), 72 deletions(-)
diff --git a/install/install_wufuc.bat b/install/install_wufuc.bat
index 6fd8ae0..4027866 100644
--- a/install/install_wufuc.bat
+++ b/install/install_wufuc.bat
@@ -36,30 +36,34 @@ if /I "%PROCESSOR_ARCHITECTURE%"=="AMD64" ( goto :is_x64 ) if /I "%PROCESSOR_ARCHITECTURE%"=="x86" ( - set "WINDOWS_ARCHITECTURE=x86" - set "wufuc_dll=%~dp0wufuc32.dll" - goto :check_ver + goto :is_x86 ) ) goto :unsupported_os +:is_x86 +set "WINDOWS_ARCHITECTURE=x86" +set "wufuc_dll=%~dp0wufuc32.dll" +goto :get_ver + :is_x64 set "WINDOWS_ARCHITECTURE=x64" set "wufuc_dll=%~dp0wufuc64.dll" +:get_ver for /f "tokens=*" %%i in ('wmic /output:stdout datafile where "name='%wufuc_dll:\=\\%'" get Version /value ^| find "="') do set "%%i" title wufuc installer - v%Version% :check_ver wmic /output:stdout os get version | findstr "^6\.1\." >nul && ( set "WINDOWS_VER=6.1" - set "SUPPORTED_HOTFIXES=KB4019265 KB4019264 KB4015552 KB4015549 KB4015546 KB4012218" + set "SUPPORTED_HOTFIXES=KB4022722 KB4022719 KB4019265 KB4019264 KB4015552 KB4015549 KB4015546 KB4012218" echo Detected supported operating system: Windows 7 %WINDOWS_ARCHITECTURE% goto :check_hotfix ) wmic /output:stdout os get version | findstr "^6\.3\." >nul && ( set "WINDOWS_VER=8.1" - set "SUPPORTED_HOTFIXES=KB4019217 KB4019215 KB4015553 KB4015550 KB4015547 KB4012219" + set "SUPPORTED_HOTFIXES=KB4022726 KB4022717 KB4019217 KB4019215 KB4015553 KB4015550 KB4015547 KB4012219" echo Detected supported operating system: Windows 8.1 %WINDOWS_ARCHITECTURE% goto :check_hotfix ) diff --git a/install/uninstall_wufuc.bat b/install/uninstall_wufuc.bat index 518d846..0ad0626 100644 --- a/install/uninstall_wufuc.bat +++ b/install/uninstall_wufuc.bat 
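Review bot: The new `:get_ver` label routes both architectures into the `wmic datafile where "name='%wufuc_dll:\=\\%'"` query without first checking that `%wufuc_dll%` exists, so a missing wufuc32.dll or wufuc64.dll leaves `Version` unset (or inherits a stale environment value), the title silently becomes "v", and the script only fails later in a less obvious place. A one-line guard directly above the label keeps the failure explicit: `if not exist "%wufuc_dll%" ( echo Could not find "%wufuc_dll%" & exit /b 1 )`. The same gap exists at the new `:get_ver` in install/uninstall_wufuc.bat and at the new `:disable` label in install/utility scripts/disable_wufuc.bat, where the guard should precede `rundll32 "%wufuc_dll%",Rundll32Unload`. The `if /I "%PROCESSOR_ARCHITECTURE%"` block that this hunk edits starts above the hunk.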
@@ -34,17 +34,21 @@ if /I "%PROCESSOR_ARCHITECTURE%"=="AMD64" ( goto :is_x64 ) if /I "%PROCESSOR_ARCHITECTURE%"=="x86" ( - set "WINDOWS_ARCHITECTURE=x86" - set "wufuc_dll=%~dp0wufuc32.dll" - goto :confirmation + goto :is_x86 ) ) goto :die +:is_x86 +set "WINDOWS_ARCHITECTURE=x86" +set "wufuc_dll=%~dp0wufuc32.dll" +goto :get_ver + :is_x64 set "WINDOWS_ARCHITECTURE=x64" set "wufuc_dll=%~dp0wufuc64.dll" +:get_ver for /f "tokens=*" %%i in ('wmic /output:stdout datafile where "name='%wufuc_dll:\=\\%'" get Version /value ^| find "="') do set "%%i" title wufuc uninstaller - v%Version% diff --git a/install/utility scripts/disable_wufuc.bat b/install/utility scripts/disable_wufuc.bat index 7321a72..d377310 100644 --- a/install/utility scripts/disable_wufuc.bat +++ b/install/utility scripts/disable_wufuc.bat @@ -34,17 +34,19 @@ if /I "%PROCESSOR_ARCHITECTURE%"=="AMD64" ( goto :is_x64 ) if /I "%PROCESSOR_ARCHITECTURE%"=="x86" ( - set "WINDOWS_ARCHITECTURE=x86" - set "wufuc_dll=%~dp0..\wufuc32.dll" - goto :confirmation + goto :is_x86 ) ) goto :die +:is_x86 +set "wufuc_dll=%~dp0..\wufuc32.dll" +goto :disable + :is_x64 -set "WINDOWS_ARCHITECTURE=x64" set "wufuc_dll=%~dp0..\wufuc64.dll" +:disable set "wufuc_task=wufuc.{72EEE38B-9997-42BD-85D3-2DD96DA17307}" rundll32 "%wufuc_dll%",Rundll32Unload net start Schedule diff --git a/wufuc.sln b/wufuc.sln index 4df93c1..c0f7aff 100644 --- a/wufuc.sln +++ b/wufuc.sln 
@@ -15,20 +15,16 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) = preSolution
- Debug|Any CPU = Debug|Any CPU
 Debug|x64 = Debug|x64
 Debug|x86 = Debug|x86
- Release|Any CPU = Release|Any CPU
 Release|x64 = Release|x64
 Release|x86 = Release|x86
 EndGlobalSection
 GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {00F96695-CE41-4C2F-A344-6219DFB4F887}.Debug|Any CPU.ActiveCfg = Debug|Win32
 {00F96695-CE41-4C2F-A344-6219DFB4F887}.Debug|x64.ActiveCfg = Debug|x64
 {00F96695-CE41-4C2F-A344-6219DFB4F887}.Debug|x64.Build.0 = Debug|x64
 {00F96695-CE41-4C2F-A344-6219DFB4F887}.Debug|x86.ActiveCfg = Debug|Win32
 {00F96695-CE41-4C2F-A344-6219DFB4F887}.Debug|x86.Build.0 = Debug|Win32
- {00F96695-CE41-4C2F-A344-6219DFB4F887}.Release|Any CPU.ActiveCfg = Release|Win32
 {00F96695-CE41-4C2F-A344-6219DFB4F887}.Release|x64.ActiveCfg = Release|x64
 {00F96695-CE41-4C2F-A344-6219DFB4F887}.Release|x64.Build.0 = Release|x64
 {00F96695-CE41-4C2F-A344-6219DFB4F887}.Release|x86.ActiveCfg = Release|Win32
diff --git a/wufuc/core.c b/wufuc/core.c
index db1f7be..dcfddde 100644
--- a/wufuc/core.c
+++ b/wufuc/core.c
@@ -1,3 +1,4 @@
+#include
 #include
 #include
 #include
@@ -64,61 +65,57 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) { CloseHandle(hEvent); _tdbgprintf(_T("See ya!")); FreeLibraryAndExitThread(HINST_THISCOMPONENT, 0); - return 0; } BOOL PatchWUAgentHMODULE(HMODULE hModule) { - LPSTR lpszPattern; - SIZE_T n1, n2; -#ifdef _WIN64 - lpszPattern = "FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????"; - n1 = 10; - n2 = 18; -#elif defined(_WIN32) - if (WindowsVersionCompare(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) { - lpszPattern = "833D????????00 743E E8???????? A3????????"; - n1 = 2; - n2 = 15; + LPSTR pattern; + SIZE_T offset00, offset01; + if (Is64BitWindows()) { + pattern = "FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????"; + offset00 = 10; + offset01 = 18; + } else if (WindowsVersionCompare(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) { + pattern = "833D????????00 743E E8???????? A3????????"; + offset00 = 2; + offset01 = 15; } else if (WindowsVersionCompare(VER_EQUAL, 6, 3, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) { - lpszPattern = "8BFF 51 833D????????00 7507 A1????????"; - n1 = 5; - n2 = 13; + pattern = "8BFF 51 833D????????00 7507 A1????????"; + offset00 = 5; + offset01 = 13; + } else { + return FALSE; } -#else - return FALSE; -#endif MODULEINFO modinfo; GetModuleInformation(GetCurrentProcess(), hModule, &modinfo, sizeof(MODULEINFO)); - SIZE_T rva = patternfind(modinfo.lpBaseOfDll, modinfo.SizeOfImage, 0, lpszPattern); + SIZE_T rva = patternfind(modinfo.lpBaseOfDll, modinfo.SizeOfImage, 0, pattern); if (rva == -1) { _tdbgprintf(_T("No pattern match!")); return FALSE; } - - SIZE_T fpIsDeviceServiceable = (SIZE_T)modinfo.lpBaseOfDll + rva; - _tdbgprintf(_T("Pattern match at offset %p."), fpIsDeviceServiceable); - + uintptr_t baseAddress = (uintptr_t)modinfo.lpBaseOfDll; + uintptr_t fpIsDeviceServiceable = baseAddress + rva; + _tdbgprintf(_T("Found address of IsDeviceServiceable. 
(%p)"), fpIsDeviceServiceable); BOOL result = FALSE; - - DWORD flOldProtect; - DWORD flNewProtect = PAGE_READWRITE; - BOOL *lpbNotRunOnce = (BOOL *)(fpIsDeviceServiceable + n1 + sizeof(DWORD) + *(DWORD *)(fpIsDeviceServiceable + n1)); - if (*lpbNotRunOnce) { - VirtualProtect(lpbNotRunOnce, sizeof(BOOL), flNewProtect, &flOldProtect); - *lpbNotRunOnce = FALSE; - VirtualProtect(lpbNotRunOnce, sizeof(BOOL), flOldProtect, &flNewProtect); - _tdbgprintf(_T("Wrote value %d to address %p."), *lpbNotRunOnce, lpbNotRunOnce); + LPBOOL lpbFirstRun, lpbIsCPUSupportedResult; + if (Is64BitWindows()) { + lpbFirstRun = (LPBOOL)(fpIsDeviceServiceable + offset00 + sizeof(uint32_t) + *(uint32_t *)(fpIsDeviceServiceable + offset00)); + lpbIsCPUSupportedResult = (LPBOOL)(fpIsDeviceServiceable + offset01 + sizeof(uint32_t) + *(uint32_t *)(fpIsDeviceServiceable + offset01)); + } else { + lpbFirstRun = (LPBOOL)(*(uintptr_t *)(fpIsDeviceServiceable + offset00)); + lpbIsCPUSupportedResult = (LPBOOL)(*(uintptr_t *)(fpIsDeviceServiceable + offset01)); + } + + if (*lpbFirstRun) { + *lpbFirstRun = FALSE; + _tdbgprintf(_T("Changed first run to FALSE. (%p=%08x)"), lpbFirstRun, *lpbFirstRun); result = TRUE; } - - BOOL *lpbCachedResult = (BOOL *)(fpIsDeviceServiceable + n2 + sizeof(DWORD) + *(DWORD *)(fpIsDeviceServiceable + n2)); - if (!*lpbCachedResult) { - VirtualProtect(lpbCachedResult, sizeof(BOOL), flNewProtect, &flOldProtect); - *lpbCachedResult = TRUE; - VirtualProtect(lpbCachedResult, sizeof(BOOL), flOldProtect, &flNewProtect); - _tdbgprintf(_T("Wrote value %d to address %p."), *lpbCachedResult, lpbCachedResult); + if (!*lpbIsCPUSupportedResult) { + *lpbIsCPUSupportedResult = TRUE; + _tdbgprintf(_T("Changed cached result to TRUE. (%p=%08x)."), + lpbIsCPUSupportedResult, *lpbIsCPUSupportedResult); result = TRUE; } return result; diff --git a/wufuc/patternfind.c b/wufuc/patternfind.c index 2f06b0b..8e5bd63 100644 --- a/wufuc/patternfind.c +++ b/wufuc/patternfind.c 
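Review bot: `lpbFirstRun` and `lpbIsCPUSupportedResult` are decoded from the bytes at the pattern match and written through immediately, with no check that either address falls inside the module image, so a false-positive match (both patterns contain `??` wildcards) or a changed instruction encoding in a future build of the patched DLL turns `*lpbFirstRun = FALSE` into an access violation or a stray write inside the host service process. `modinfo.SizeOfImage` is already at hand next to `baseAddress`, so both pointers can be range-checked against `[baseAddress, baseAddress + SizeOfImage)` before the first dereference and the function can return FALSE with a debug message instead; the dropped `VirtualProtect` calls make this more important, since a non-writable page now faults rather than being handled. Separately, `Is64BitWindows()` reports the OS bitness rather than that of the module being patched, whereas the removed `#ifdef _WIN64` was tied to the build; if the 32-bit build can ever run under WoW64, `sizeof(void *) == 8` would be the safer predicate — worth confirming against the helper's definition. `PatchWUAgentHMODULE`'s closing brace lies past the end of the hunk.
```c
    uintptr_t baseAddress = (uintptr_t)modinfo.lpBaseOfDll;
    uintptr_t imageEnd = baseAddress + modinfo.SizeOfImage;
    // … unchanged: rva-to-address conversion, 64-/32-bit pointer decoding …
    if ((uintptr_t)lpbFirstRun < baseAddress || (uintptr_t)lpbFirstRun > imageEnd - sizeof(BOOL) ||
        (uintptr_t)lpbIsCPUSupportedResult < baseAddress || (uintptr_t)lpbIsCPUSupportedResult > imageEnd - sizeof(BOOL)) {
        _tdbgprintf(_T("Decoded address lies outside the module image, not patching."));
        return FALSE;
    }
    // … unchanged: first-run and cached-result writes …
```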
@@ -1,21 +1,20 @@ #include #include "patternfind.h" -/* - Work in progress. Ported to C from x64dbg's patternfind.cpp: - https://github.com/x64dbg/x64dbg/blob/development/src/dbg/patternfind.cpp - x64dbg license (GPL-3.0): - https://github.com/x64dbg/x64dbg/blob/development/LICENSE -*/ +/* Work in progress. Ported to C from x64dbg's patternfind.cpp: + -int hexchtoint(CHAR ch) { + x64dbg license (GPL-3.0): + */ + +int hexchtoint(CHAR c) { int result = -1; - if (ch >= '0' && ch <= '9') { - result = ch - '0'; - } else if (ch >= 'A' && ch <= 'F') { - result = ch - 'A' + 10; - } else if (ch >= 'a' && ch <= 'f') { - result = ch - 'a' + 10; + if (c >= '0' && c <= '9') { + result = c - '0'; + } else if (c >= 'A' && c <= 'F') { + result = c - 'A' + 10; + } else if (c >= 'a' && c <= 'f') { + result = c - 'a' + 10; } return result; } @@ -43,11 +42,11 @@ BOOL patterntransform(LPCSTR patterntext, LPPATTERNBYTE pattern, SIZE_T *pattern cb = formathexpattern(patterntext, formattext, cb); if (cb % 2) { - formattext[++cb] = '?'; + formattext[cb++] = '?'; } formattext[cb] = '\0'; - for (SIZE_T i = 0, j = 0, k = 0; i < cb; i++, j ^= 1, k = (i - j) / 2) { + for (SIZE_T i = 0, j = 0, k = 0; i < cb; i++, j ^= 1, k = (i - j) >> 1) { if (formattext[i] == '?') { pattern[k].nibble[j].wildcard = TRUE; } else { @@ -56,7 +55,7 @@ BOOL patterntransform(LPCSTR patterntext, LPPATTERNBYTE pattern, SIZE_T *pattern } } free(formattext); - *patternsize = cb / 2; + *patternsize = cb >> 1; return TRUE; } diff --git a/wufuc/util.c b/wufuc/util.c index 34fc152..3297c47 100644 --- a/wufuc/util.c +++ b/wufuc/util.c 
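Review bot: In the `@@ -43,11 +42,11 @@` hunk, `formattext[cb++] = '?'` followed by `formattext[cb] = '\0'` writes indices `cb` and `cb + 1` relative to the length `formathexpattern` returned, and the allocation of `formattext` is above the hunk, so confirm it reserves at least `cb + 2` bytes for the odd-length case (the fix itself is right: the old `++cb` form wrote the pad and the terminator to the same slot and left byte `cb` uninitialised). The replacements `k = (i - j) >> 1` and, in the following hunk, `*patternsize = cb >> 1` are a style regression: on an unsigned `SIZE_T` the compiler already emits the shift for `/ 2`, and `/ 2` states the intent, so I would keep `k = (i - j) / 2` and `*patternsize = cb / 2`. `patterntransform` begins above the hunk.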
@@ -22,7 +22,7 @@ VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID l } LPVOID *FindIAT(HMODULE hModule, LPSTR lpFunctionName) { - SIZE_T hm = (SIZE_T)hModule; + uintptr_t hm = (uintptr_t)hModule; for (PIMAGE_IMPORT_DESCRIPTOR iid = (PIMAGE_IMPORT_DESCRIPTOR)(hm + ((PIMAGE_NT_HEADERS)(hm + ((PIMAGE_DOS_HEADER)hm)->e_lfanew)) ->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); iid->Name; iid++) { diff --git a/wufuc/version.rc b/wufuc/version.rc index 03b1abfe05f8ac6a42c8bc57002e5cd38feab118..f60354867b5267241bc281103dc4a8274ec3fae6 100644 GIT binary patch delta 57 zcmdnMyMcFt6RRPE4uio&cU>sspyb9$4$MG~9)rQ;dS>0tEG&B%;au^_cUZ3g0GYZD Ay#N3J delta 57 zcmdnMyMcFt6RQD(4ujD|cU>sspyb9$4$MG~9)r>3dS>0tEG&B%;au^_cUZ3g0Gb{S A!2kdN