0.6.1

- fixed x86 support - added june updates to supported updates - minor changes
2017-06-14 03:29:14 -07:00
parent c4a78a3e24
commit cda46fbc9f
8 changed files with 74 additions and 72 deletions
--- a/wufuc/core.c
+++ b/wufuc/core.c
@@ -1,3 +1,4 @@
+#include <stdint.h>
 #include <Windows.h>
 #include <Psapi.h>
 #include <TlHelp32.h>
@@ -64,61 +65,57 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
    CloseHandle(hEvent);
    _tdbgprintf(_T("See ya!"));
    FreeLibraryAndExitThread(HINST_THISCOMPONENT, 0);
-    return 0;
 }

 BOOL PatchWUAgentHMODULE(HMODULE hModule) {
-    LPSTR lpszPattern;
-    SIZE_T n1, n2;
-#ifdef _WIN64
-    lpszPattern = "FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????";
-    n1 = 10;
-    n2 = 18;
-#elif defined(_WIN32)
-    if (WindowsVersionCompare(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) {
-        lpszPattern = "833D????????00 743E E8???????? A3????????";
-        n1 = 2;
-        n2 = 15;
+    LPSTR pattern;
+    SIZE_T offset00, offset01;
+    if (Is64BitWindows()) {
+        pattern = "FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????";
+        offset00 = 10;
+        offset01 = 18;
+    } else if (WindowsVersionCompare(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) {
+        pattern = "833D????????00 743E E8???????? A3????????";
+        offset00 = 2;
+        offset01 = 15;
    } else if (WindowsVersionCompare(VER_EQUAL, 6, 3, 0, 0, VER_MAJORVERSION | VER_MINORVERSION)) {
-        lpszPattern = "8BFF 51 833D????????00 7507 A1????????";
-        n1 = 5;
-        n2 = 13;
+        pattern = "8BFF 51 833D????????00 7507 A1????????";
+        offset00 = 5;
+        offset01 = 13;
+    } else {
+        return FALSE;
    }
-#else
-    return FALSE;
-#endif

    MODULEINFO modinfo;
    GetModuleInformation(GetCurrentProcess(), hModule, &modinfo, sizeof(MODULEINFO));

-    SIZE_T rva = patternfind(modinfo.lpBaseOfDll, modinfo.SizeOfImage, 0, lpszPattern);
+    SIZE_T rva = patternfind(modinfo.lpBaseOfDll, modinfo.SizeOfImage, 0, pattern);
    if (rva == -1) {
        _tdbgprintf(_T("No pattern match!"));
        return FALSE;
    }
-    
-    SIZE_T fpIsDeviceServiceable = (SIZE_T)modinfo.lpBaseOfDll + rva;
-    _tdbgprintf(_T("Pattern match at offset %p."), fpIsDeviceServiceable);
-
+    uintptr_t baseAddress = (uintptr_t)modinfo.lpBaseOfDll;
+    uintptr_t fpIsDeviceServiceable = baseAddress + rva;
+    _tdbgprintf(_T("Found address of IsDeviceServiceable. (%p)"), fpIsDeviceServiceable);
    BOOL result = FALSE;
-
-    DWORD flOldProtect;
-    DWORD flNewProtect = PAGE_READWRITE;
-    BOOL *lpbNotRunOnce = (BOOL *)(fpIsDeviceServiceable + n1 + sizeof(DWORD) + *(DWORD *)(fpIsDeviceServiceable + n1));
-    if (*lpbNotRunOnce) {
-        VirtualProtect(lpbNotRunOnce, sizeof(BOOL), flNewProtect, &flOldProtect);
-        *lpbNotRunOnce = FALSE;
-        VirtualProtect(lpbNotRunOnce, sizeof(BOOL), flOldProtect, &flNewProtect);
-        _tdbgprintf(_T("Wrote value %d to address %p."), *lpbNotRunOnce, lpbNotRunOnce);
+    LPBOOL lpbFirstRun, lpbIsCPUSupportedResult;
+    if (Is64BitWindows()) {
+        lpbFirstRun = (LPBOOL)(fpIsDeviceServiceable + offset00 + sizeof(uint32_t) + *(uint32_t *)(fpIsDeviceServiceable + offset00));
+        lpbIsCPUSupportedResult = (LPBOOL)(fpIsDeviceServiceable + offset01 + sizeof(uint32_t) + *(uint32_t *)(fpIsDeviceServiceable + offset01));
+    } else {
+        lpbFirstRun = (LPBOOL)(*(uintptr_t *)(fpIsDeviceServiceable + offset00));
+        lpbIsCPUSupportedResult = (LPBOOL)(*(uintptr_t *)(fpIsDeviceServiceable + offset01));
+    }
+    
+    if (*lpbFirstRun) {
+        *lpbFirstRun = FALSE;
+        _tdbgprintf(_T("Changed first run to FALSE. (%p=%08x)"), lpbFirstRun, *lpbFirstRun);
        result = TRUE;
    }
-
-    BOOL *lpbCachedResult = (BOOL *)(fpIsDeviceServiceable + n2 + sizeof(DWORD) + *(DWORD *)(fpIsDeviceServiceable + n2));
-    if (!*lpbCachedResult) {
-        VirtualProtect(lpbCachedResult, sizeof(BOOL), flNewProtect, &flOldProtect);
-        *lpbCachedResult = TRUE;
-        VirtualProtect(lpbCachedResult, sizeof(BOOL), flOldProtect, &flNewProtect);
-        _tdbgprintf(_T("Wrote value %d to address %p."), *lpbCachedResult, lpbCachedResult);
+    if (!*lpbIsCPUSupportedResult) {
+        *lpbIsCPUSupportedResult = TRUE;
+        _tdbgprintf(_T("Changed cached result to TRUE. (%p=%08x)."), 
+            lpbIsCPUSupportedResult, *lpbIsCPUSupportedResult);
        result = TRUE;
    }
    return result;
--- a/wufuc/patternfind.c
+++ b/wufuc/patternfind.c
@@ -1,21 +1,20 @@
 #include <Windows.h>
 #include "patternfind.h"

-/* 
-    Work in progress. Ported to C from x64dbg's patternfind.cpp:
-        https://github.com/x64dbg/x64dbg/blob/development/src/dbg/patternfind.cpp
-     x64dbg license (GPL-3.0):
-        https://github.com/x64dbg/x64dbg/blob/development/LICENSE 
-*/
+/*  Work in progress. Ported to C from x64dbg's patternfind.cpp:
+      <https://github.com/x64dbg/x64dbg/blob/development/src/dbg/patternfind.cpp>

-int hexchtoint(CHAR ch) {
+    x64dbg license (GPL-3.0):
+      <https://github.com/x64dbg/x64dbg/blob/development/LICENSE> */
+
+int hexchtoint(CHAR c) {
    int result = -1;
-    if (ch >= '0' && ch <= '9') {
-        result = ch - '0';
-    } else if (ch >= 'A' && ch <= 'F') {
-        result = ch - 'A' + 10;
-    } else if (ch >= 'a' && ch <= 'f') {
-        result = ch - 'a' + 10;
+    if (c >= '0' && c <= '9') {
+        result = c - '0';
+    } else if (c >= 'A' && c <= 'F') {
+        result = c - 'A' + 10;
+    } else if (c >= 'a' && c <= 'f') {
+        result = c - 'a' + 10;
    }
    return result;
 }
@@ -43,11 +42,11 @@ BOOL patterntransform(LPCSTR patterntext, LPPATTERNBYTE pattern, SIZE_T *pattern
    cb = formathexpattern(patterntext, formattext, cb);

    if (cb % 2) {
-        formattext[++cb] = '?';
+        formattext[cb++] = '?';
    }
    formattext[cb] = '\0';

-    for (SIZE_T i = 0, j = 0, k = 0; i < cb; i++, j ^= 1, k = (i - j) / 2) {
+    for (SIZE_T i = 0, j = 0, k = 0; i < cb; i++, j ^= 1, k = (i - j) >> 1) {
        if (formattext[i] == '?') {
            pattern[k].nibble[j].wildcard = TRUE;
        } else {
@@ -56,7 +55,7 @@ BOOL patterntransform(LPCSTR patterntext, LPPATTERNBYTE pattern, SIZE_T *pattern
        }
    }
    free(formattext);
-    *patternsize = cb / 2;
+    *patternsize = cb >> 1;
    return TRUE;
 }

--- a/wufuc/util.c
+++ b/wufuc/util.c
@@ -22,7 +22,7 @@ VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID l
 }

 LPVOID *FindIAT(HMODULE hModule, LPSTR lpFunctionName) {
-    SIZE_T hm = (SIZE_T)hModule;
+    uintptr_t hm = (uintptr_t)hModule;

    for (PIMAGE_IMPORT_DESCRIPTOR iid = (PIMAGE_IMPORT_DESCRIPTOR)(hm + ((PIMAGE_NT_HEADERS)(hm + ((PIMAGE_DOS_HEADER)hm)->e_lfanew))
        ->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); iid->Name; iid++) {
--- a/wufuc/version.rc
+++ b/wufuc/version.rc