improved logging and more

- write cpu and os info to log - revise some log messages to be more uniform - remove reference to .gitattributes 😠 - refactor some stuff - refuse to load when in wow64 mode
2017-06-30 19:17:25 -07:00
parent b335dffba3
commit dd40fdc30a
7 changed files with 112 additions and 39 deletions
--- a/wufuc.sln
+++ b/wufuc.sln
@@ -7,7 +7,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wufuc", "wufuc\wufuc.vcxpro
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{8C2147FF-2B83-479B-813E-5ACB86F43042}"
 	ProjectSection(SolutionItems) = preProject
 		.gitattributes = .gitattributes
 		.gitignore = .gitignore
 		appveyor.yml = appveyor.yml
 		CONTRIBUTING.md = CONTRIBUTING.md
--- a/wufuc/core.c
+++ b/wufuc/core.c
@@ -54,7 +54,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
    WaitForSingleObject(hEvent, INFINITE);
-    dwprintf(L"Unload event was set.");
+    dwprintf(L"Unloading...");
    SuspendProcessThreads(dwProcessId, dwThreadId, lphThreads, _countof(lphThreads), &cb);
    RESTORE_IAT(hm, LoadLibraryExA);
@@ -62,7 +62,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
    ResumeAndCloseThreads(lphThreads, cb);
    CloseHandle(hEvent);
-    dwprintf(L"See ya!");
+    dwprintf(L"Bye bye!");
    close_log();
    FreeLibraryAndExitThread(HINST_THISCOMPONENT, 0);
 }
@@ -75,11 +75,11 @@ BOOL PatchWUAgentHMODULE(HMODULE hModule) {
        offset00 = 10;
        offset01 = 18;
 #elif defined(_X86_)
-    if (g_IsWindows7) {
+    if (IsWindows7()) {
        pattern = "833D????????00 743E E8???????? A3????????";
        offset00 = 2;
        offset01 = 15;
-    } else if (g_IsWindows8Point1) {
+    } else if (IsWindows8Point1()) {
        pattern = "8BFF 51 833D????????00 7507 A1????????";
        offset00 = 5;
        offset01 = 13;
@@ -97,13 +97,13 @@ BOOL PatchWUAgentHMODULE(HMODULE hModule) {
        return FALSE;
    }
    uintptr_t baseAddress = (uintptr_t)modinfo.lpBaseOfDll;
-    uintptr_t fpIsDeviceServiceable = baseAddress + rva;
+    uintptr_t lpfnIsDeviceServiceable = baseAddress + rva;
-    dwprintf(L"Found address of IsDeviceServiceable. (%p)", fpIsDeviceServiceable);
+    dwprintf(L"Address of wuaueng.dll!IsDeviceServiceable: %p", lpfnIsDeviceServiceable);
    BOOL result = FALSE;
    LPBOOL lpbFirstRun, lpbIsCPUSupportedResult;
 #ifdef _AMD64_
-        lpbFirstRun = (LPBOOL)(fpIsDeviceServiceable + offset00 + sizeof(uint32_t) + *(uint32_t *)(fpIsDeviceServiceable + offset00));
+        lpbFirstRun = (LPBOOL)(lpfnIsDeviceServiceable + offset00 + sizeof(uint32_t) + *(uint32_t *)(lpfnIsDeviceServiceable + offset00));
-        lpbIsCPUSupportedResult = (LPBOOL)(fpIsDeviceServiceable + offset01 + sizeof(uint32_t) + *(uint32_t *)(fpIsDeviceServiceable + offset01));
+        lpbIsCPUSupportedResult = (LPBOOL)(lpfnIsDeviceServiceable + offset01 + sizeof(uint32_t) + *(uint32_t *)(lpfnIsDeviceServiceable + offset01));
 #elif defined(_X86_)
        lpbFirstRun = (LPBOOL)(*(uintptr_t *)(fpIsDeviceServiceable + offset00));
        lpbIsCPUSupportedResult = (LPBOOL)(*(uintptr_t *)(fpIsDeviceServiceable + offset01));
@@ -111,12 +111,12 @@ BOOL PatchWUAgentHMODULE(HMODULE hModule) {
    if (*lpbFirstRun) {
        *lpbFirstRun = FALSE;
-        dwprintf(L"Unset first run var. (%p=%08x)", lpbFirstRun, *lpbFirstRun);
+        dwprintf(L"Patched FirstRun variable: %p = %08x", lpbFirstRun, *lpbFirstRun);
        result = TRUE;
    }
    if (!*lpbIsCPUSupportedResult) {
        *lpbIsCPUSupportedResult = TRUE;
-        dwprintf(L"Set cached result. (%p=%08x)", lpbIsCPUSupportedResult, *lpbIsCPUSupportedResult);
+        dwprintf(L"Patched cached wuaueng.dll!IsCPUSupported result: %p = %08x", lpbIsCPUSupportedResult, *lpbIsCPUSupportedResult);
        result = TRUE;
    }
    return result;
@@ -129,12 +129,11 @@ HMODULE WINAPI _LoadLibraryExA(
 ) {
    HMODULE result = LoadLibraryExA(lpFileName, hFile, dwFlags);
    if (result) {
-        dwprintf(L"Loaded %S.", lpFileName);
+        dwprintf(L"Loaded library: %S", lpFileName);
        CHAR path[MAX_PATH + 1];
        if (!get_svcdllA("wuauserv", path, _countof(path))) {
            return result;
        }
        if (!_stricmp(lpFileName, path) && PatchWUAgentHMODULE(result)) {
            dwprintf(L"Patched Windows Update module!");
        }
@@ -149,12 +148,11 @@ HMODULE WINAPI _LoadLibraryExW(
 ) {
    HMODULE result = LoadLibraryExW(lpFileName, hFile, dwFlags);
    if (result) {
-        dwprintf(L"Loaded library: %s.", lpFileName);
+        dwprintf(L"Loaded library: %s", lpFileName);
        WCHAR path[MAX_PATH + 1];
        if (!get_svcdllW(L"wuauserv", path, _countof(path))) {
            return result;
        }
        if (!_wcsicmp(lpFileName, path) && PatchWUAgentHMODULE(result)) {
            dwprintf(L"Patched Windows Update module!");
        }
--- a/wufuc/dllmain.c
+++ b/wufuc/dllmain.c
@@ -6,10 +6,9 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserv
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
    {
-        if (!IsOperatingSystemSupported(&g_IsWindows7, &g_IsWindows8Point1)) {
+        if (!IsOperatingSystemSupported() || IsWow64()) {
            return FALSE;
        }
        DisableThreadLibraryCalls(hModule);
        HANDLE hThread = CreateThread(NULL, 0, NewThreadProc, NULL, 0, NULL);
        CloseHandle(hThread);
--- a/wufuc/rundll32.c
+++ b/wufuc/rundll32.c
@@ -1,19 +1,41 @@
 #include <Windows.h>
 #include <TlHelp32.h>
 #include <tchar.h>
 #include <VersionHelpers.h>
 #include "service.h"
 #include "util.h"
 void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
    if (!g_IsWindows7 && !g_IsWindows8Point1) {
        return;
    }
    HANDLE hEvent = OpenEvent(SYNCHRONIZE, FALSE, _T("Global\\wufuc_UnloadEvent"));
    if (hEvent) {
        CloseHandle(hEvent);
        return;
    }
    LPWSTR osname;
    if (IsWindows7()) {
        if (IsWindowsServer()) {
            osname = L"Windows Server 2008 R2";
        } else {
            osname = L"Windows 7";
        }
    } else if (IsWindows8Point1()) {
        if (IsWindowsServer()) {
            osname = L"Windows Server 2012 R2";
        } else {
            osname = L"Windows 8.1";
        }
    }
    dwprintf(L"Operating System: %s %d-bit", osname, sizeof(uintptr_t) * 8);
    char brand[0x31];
    get_cpuid_brand(brand);
    SIZE_T i = 0;
    while (i < _countof(brand) && isspace(*(brand + i))) {
        i++;
    }
    dwprintf(L"Processor: %S", brand + i);
    SC_HANDLE hSCManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_CONNECT);
    if (!hSCManager) {
        return;
--- a/wufuc/service.c
+++ b/wufuc/service.c
@@ -44,9 +44,9 @@ BOOL get_svcpid(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD *lpdwProcessI
        *lpdwProcessId = lpBuffer.dwProcessId;
 #ifdef _UNICODE
-        dwprintf(L"Got pid for service %s: %d.", lpServiceName, *lpdwProcessId);
+        dwprintf(L"Service \"%s\" process ID: %d", lpServiceName, *lpdwProcessId);
 #else
-        dwprintf(L"Got pid for service %S: %d.", lpServiceName, *lpdwProcessId);
+        dwprintf(L"Service \"%S\" process ID: %d", lpServiceName, *lpdwProcessId);
 #endif
        result = TRUE;
    }
@@ -75,9 +75,9 @@ BOOL get_svcgname(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPTSTR lpGroupNam
            if (!_tcsicmp(*(p++), _T("-k")) && !_tcscpy_s(lpGroupName, dwSize, *p)) {
                result = TRUE;
 #ifdef _UNICODE
-                dwprintf(L"Got group name of service %s: %s.", lpServiceName, lpGroupName);
+                dwprintf(L"Service \"%s\" group name: %s", lpServiceName, lpGroupName);
 #else
-                dwprintf(L"Got group name of service %S: %S.", lpServiceName, lpGroupName);
+                dwprintf(L"Service \"%S\" group name: %S", lpServiceName, lpGroupName);
 #endif
                break;
            }
@@ -120,9 +120,9 @@ BOOL get_svcgpid(SC_HANDLE hSCManager, LPTSTR lpServiceGroupName, DWORD *lpdwPro
            *lpdwProcessId = dwProcessId;
            result = TRUE;
 #ifdef _UNICODE
-            dwprintf(L"Got pid for service group %s: %d.", lpServiceGroupName, *lpdwProcessId);
+            dwprintf(L"Service group \"%s\" process ID: %d", lpServiceGroupName, *lpdwProcessId);
 #else
-            dwprintf(L"Got pid for service group %S: %d.", lpServiceGroupName, *lpdwProcessId);
+            dwprintf(L"Service group \"%S\" process ID: %d", lpServiceGroupName, *lpdwProcessId);
 #endif
            break;
        }
--- a/wufuc/util.c
+++ b/wufuc/util.c
@@ -1,13 +1,20 @@
 #include <Windows.h>
 #include <stdio.h>
-#include <time.h>
+#include <stdint.h>
 #include <intrin.h> 
 #include <tchar.h>
 #include <TlHelp32.h>
 #include <Psapi.h>
 #include "util.h"
-BOOL g_IsWindows7 = FALSE;
+static BOOL checkedIsWindows7 = FALSE;
-BOOL g_IsWindows8Point1 = FALSE;
+static BOOL isWindows7 = FALSE;
 static BOOL checkedIsWindows8Point1 = FALSE;
 static BOOL isWindows8Point1 = FALSE;
 static LPFN_ISWOW64PROCESS fnIsWow64Process = NULL;
 static BOOL checkedIsWow64 = FALSE;
 static BOOL isWow64 = FALSE;
 static FILE *log_fp = NULL;
@@ -40,7 +47,7 @@ VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID l
    if (lpOldAddress) {
        *lpOldAddress = *lpAddress;
    }
-    dwprintf(L"Detoured %S from %p to %p.", lpFuncName, *lpAddress, lpNewAddress);
+    dwprintf(L"Modified %S import address: %p => %p", lpFuncName, *lpAddress, lpNewAddress);
    *lpAddress = lpNewAddress;
    VirtualProtect(lpAddress, sizeof(LPVOID), flOldProtect, &flNewProtect);
 }
@@ -64,7 +71,7 @@ VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThrea
    CloseHandle(hSnap);
    *lpcb = count;
-    dwprintf(L"Suspended %d other threads.", count);
+    dwprintf(L"Suspended %d other threads", count);
 }
 VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T cb) {
@@ -72,7 +79,7 @@ VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T cb) {
        ResumeThread(lphThreads[i]);
        CloseHandle(lphThreads[i]);
    }
-    dwprintf(L"Resumed %d other threads.", cb);
+    dwprintf(L"Resumed %d other threads", cb);
 }
 BOOL CompareWindowsVersion(BYTE Operator, DWORD dwMajorVersion, DWORD dwMinorVersion, WORD wServicePackMajor, WORD wServicePackMinor, DWORD dwTypeMask) {
@@ -93,15 +100,59 @@ BOOL CompareWindowsVersion(BYTE Operator, DWORD dwMajorVersion, DWORD dwMinorVer
    return VerifyVersionInfo(&osvi, dwTypeMask, dwlConditionMask);
 }
-BOOL IsOperatingSystemSupported(LPBOOL lpbIsWindows7, LPBOOL lpbIsWindows8Point1) {
+BOOL IsWindows7(void) {
    if (!checkedIsWindows7) {
        isWindows7 = CompareWindowsVersion(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION);
        checkedIsWindows7 = TRUE;
    }
    return isWindows7;
 }
 BOOL IsWindows8Point1(void) {
    if (!checkedIsWindows8Point1) {
        isWindows8Point1 = CompareWindowsVersion(VER_EQUAL, 6, 3, 0, 0, VER_MAJORVERSION | VER_MINORVERSION);
        checkedIsWindows8Point1 = TRUE;
    }
    return isWindows8Point1;
 }
 BOOL IsOperatingSystemSupported(void) {
 #if !defined(_AMD64_) && !defined(_X86_)
    return FALSE;
 #else
-    return (*lpbIsWindows7 = CompareWindowsVersion(VER_EQUAL, 6, 1, 0, 0, VER_MAJORVERSION | VER_MINORVERSION))
+    return IsWindows7() || IsWindows8Point1();
        || (*lpbIsWindows8Point1 = CompareWindowsVersion(VER_EQUAL, 6, 3, 0, 0, VER_MAJORVERSION | VER_MINORVERSION));
 #endif
 }
 BOOL IsWow64(void) {
    if (!checkedIsWow64) {
        if (!fnIsWow64Process) {
            fnIsWow64Process = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "IsWow64Process");
        }
        if (fnIsWow64Process && fnIsWow64Process(GetCurrentProcess(), &isWow64)) {
            checkedIsWow64 = TRUE;
        }
    }
    return isWow64;
 }
 void get_cpuid_brand(char* brand) {
    int info[4];
    __cpuidex(info, 0x80000000, 0);
    if (info[0] < 0x80000004) {
        brand[0] = '\0';
        return;
    }
    uint32_t *char_as_int = (uint32_t *)brand;
    for (int op = 0x80000002; op <= 0x80000004; op++) {
        __cpuidex(info, op, 0);
        *(char_as_int++) = info[0];
        *(char_as_int++) = info[1];
        *(char_as_int++) = info[2];
        *(char_as_int++) = info[3];
    }
 }
 BOOL init_log(void) {
    if (log_fp) {
        return TRUE;
--- a/wufuc/util.h
+++ b/wufuc/util.h
@@ -3,8 +3,7 @@
 EXTERN_C IMAGE_DOS_HEADER __ImageBase;
 #define HINST_THISCOMPONENT ((HINSTANCE)&__ImageBase)
-extern BOOL g_IsWindows7;
+typedef BOOL(WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
 extern BOOL g_IsWindows8Point1;
 LPVOID *FindIAT(HMODULE hModule, LPSTR lpFuncName);
 VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID lpNewAddress);
@@ -13,7 +12,12 @@ VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThrea
 VOID ResumeAndCloseThreads(HANDLE *lphThreads, SIZE_T dwSize);
 BOOL CompareWindowsVersion(BYTE Operator, DWORD dwMajorVersion, DWORD dwMinorVersion, WORD wServicePackMajor, WORD wServicePackMinor, DWORD dwTypeMask);
-BOOL IsOperatingSystemSupported(LPBOOL lpbIsWindows7, LPBOOL lpbIsWindows8Point1);
+BOOL IsWindows7(void);
 BOOL IsWindows8Point1(void);
 BOOL IsOperatingSystemSupported(void);
 BOOL IsWow64(void);
 void get_cpuid_brand(char *brand);
 VOID dwprintf_(LPCWSTR format, ...);