Vichingo455/wufuc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

test

Browse Source
This commit is contained in:
zeffy
2017-11-29 20:03:22 -08:00
parent 2ebd9c9956
commit e7cd9756a1
63 changed files with 947 additions and 782 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CONTRIBUTING.md
View File

@@ -1,12 +1,12 @@
# Contributing guidelines
**English** | [русский](../../wiki/CONTRIBUTING-(русский)) | [Français](../../wiki/CONTRIBUTING-(Français)) | [Deutsch](../../wiki/CONTRIBUTING-(Deutsch)) | [Magyar](../../wiki/CONTRIBUTING-(Magyar)) | [Português Brasileiro](../../wiki/CONTRIBUTING-(Português-Brasileiro)) | [Italiano](../../wiki/CONTRIBUTING-(Italiano)) | [Español](../../wiki/CONTRIBUTING-(Español))
**English** | [Community translations](https://github.com/zeffy/wufuc/wiki)
## Reporting an issue [![](https://isitmaintained.com/badge/resolution/zeffy/wufuc.svg)](https://isitmaintained.com/project/zeffy/wufuc)
#### Before you create an issue, please make sure of the following:
- Are you using at least the [latest stable version](../../releases/latest)?
- Are you using at least the [latest stable version](https://github.com/zeffy/wufuc/releases/latest)?
- Have you tried restarting your computer?
#### After you've confirmed those things, please create an issue and include the following information:

11
DONATE.md
View File

@@ -1,13 +1,14 @@
# Help support the development of wufuc
Thanks for showing an interest in donating to the development of wufuc!
While any support is very highly appreciated please keep in mind that donating will not guarantee you better support or other perks, just a warm fuzzy feeling knowing you really helped me out. :)
Thanks for showing an interest in donating!
While any support is very highly appreciated, please keep in mind that donations should be considered gifts for my past efforts towards this project, and not made with the assumption of continued support. All donations go to the project maintainer, [**@zeffy**](https://github.com/zeffy).
## Donate Bitcoin
- [**Donate Bitcoin on <img src="https://dwsv3vn9of50v.cloudfront.net/assets/mycelium_gear_logo_colour-897bbac4d1f155bf64a34b6fc3ae04f2a1a622e016ea768220df9c83092bb930.svg" alt="Mycelium Gear" height="14">**](https://admin.gear.mycelium.com/gateways/3554/orders/new)
- [**Donate Bitcoin on Mycelium Gear**](https://admin.gear.mycelium.com/gateways/3554/orders/new)
## Other donation options
Currently I'm only accepting Bitcoin, but I'm open to adding other ways of donating as long as they respect my privacy.
If you know of a donation platform that fits this criteria and would like me to include it as an option, feel free to [create an issue](https://github.com/zeffy/wufuc/issues/new) and I will look into it.
Currently I'm only accepting Bitcoin, but I'm open to adding other ways of donating.
If you know of a good donation platform, feel free to [create an issue](https://github.com/zeffy/wufuc/issues/new) and I will look into it.

70
README.md
View File

@@ -1,18 +1,23 @@
# wufuc [![](https://ci.appveyor.com/api/projects/status/0s2unkpokttyslf0?svg=true)](https://ci.appveyor.com/project/zeffy/wufuc) [![](https://isitmaintained.com/badge/resolution/zeffy/wufuc.svg)](https://isitmaintained.com/project/zeffy/wufuc)
# wufuc
[![Donate Bitcoin](https://img.shields.io/badge/donate-bitcoin-f0962b.svg?logo=https%3A%2F%2Fcdn.rawgit.com%2Fzeffy%2Fwufuc%2Fbadges%2Fbitcoin.svg&style=flat-square)](https://admin.gear.mycelium.com/gateways/3554/orders/new) [![AppVeyor Builds](https://img.shields.io/appveyor/ci/zeffy/wufuc.svg?logo=appveyor&style=flat-square)](https://ci.appveyor.com/project/zeffy/wufuc) [![Chat on Telegram](https://img.shields.io/badge/chat-on%20telegram-499fe5.svg?logo=https%3A%2F%2Fcdn.rawgit.com%2Fzeffy%2Fwufuc%2Fbadges%2Ftelegram.svg&style=flat-square)](https://t.me/joinchat/HEo6LUvV_83O92WzbYXLeQ) [![All Releases](https://img.shields.io/github/downloads/zeffy/wufuc/total.svg?style=flat-square)](https://github.com/zeffy/wufuc/releases/latest)
**English** | [русский](../../wiki/README-(русский)) | [Français](../../wiki/README-(Français)) | [Deutsch](../../wiki/README-(Deutsch)) | [Magyar](../../wiki/README-(Magyar)) | [Português Brasileiro](../../wiki/README-(Português-Brasileiro)) | [Italiano](../../wiki/README-(Italiano)) | [Español](../../wiki/README-(Español))
**English** | [Community translations](https://github.com/zeffy/wufuc/wiki)
Disables the "Unsupported Hardware" message in Windows Update, and allows you to continue installing updates on Windows 7 and 8.1 systems with Intel Kaby Lake, AMD Ryzen, or other unsupported processors.
## Downloads [![](https://img.shields.io/github/downloads/zeffy/wufuc/total.svg)](../../releases)
## Downloads
- [**Click here for the latest stable version**](../../releases/latest)
[**Latest stable build**](https://github.com/zeffy/wufuc/releases/latest)
- [~~Unstable builds~~](https://ci.appveyor.com/project/zeffy/wufuc) **Discontinued until AppVeyor adds WDK support for Visual Studio 2017 ([appveyor/ci#1554](https://github.com/appveyor/ci/issues/1554))**
[Unstable builds](https://ci.appveyor.com/project/zeffy/wufuc)
## Donate
[**Click here for donation options!**](https://github.com/zeffy/wufuc/blob/master/DONATE.md)
## Preface
The changelog for Windows updates KB4012218 and KB4012219 included the following:
The release notes for Windows updates KB4012218 and KB4012219 included the following:
> Enabled detection of processor generation and hardware support when PC tries to scan or download updates through Windows Update.
@@ -23,17 +28,17 @@ This was essentially a big middle finger to anyone who decides to not "upgrade"
I've received user reports of the following CPUs all being blocked from receiving updates:
- [Intel Atom Z530](../../issues/7)
- [Intel Atom D525](../../issues/34)
- [Intel Core i5-M 560](../../issues/23)
- [Intel Core i5-4300M](../../issues/24)
- [Intel Pentium B940](../../issues/63)
- [AMD FX-8350](../../issues/32)
- [AMD Turion 64 Mobile Technology ML-34](../../issues/80)
- [Intel Atom Z530](https://github.com/zeffy/wufuc/issues/7)
- [Intel Atom D525](https://github.com/zeffy/wufuc/issues/34)
- [Intel Core i5-M 560](https://github.com/zeffy/wufuc/issues/23)
- [Intel Core i5-4300M](https://github.com/zeffy/wufuc/issues/24)
- [Intel Pentium B940](https://github.com/zeffy/wufuc/issues/63)
- [AMD FX-8350](https://github.com/zeffy/wufuc/issues/32)
- [AMD Turion 64 Mobile Technology ML-34](https://github.com/zeffy/wufuc/issues/80)
## Bad Microsoft!
If you are interested, you can read my original write up on discovering the CPU check [here](../../tree/old-kb4012218-19).
If you are interested, you can read my original write up on discovering the CPU check [here](https://github.com/zeffy/wufuc/tree/old-kb4012218-19).
## Features
@@ -42,7 +47,7 @@ If you are interested, you can read my original write up on discovering the CPU
- Completely free (as in freedom) software.
- Does not modify any system files.
- Byte pattern-based patching, which means it will usually keep working even after new updates come out.
- Absolutely zero dependencies.
- No dependencies.
## How it works
@@ -50,18 +55,21 @@ Basically, inside a system file called `wuaueng.dll` there are two functions res
`IsDeviceServiceable` simply calls `IsCPUSupported` once, and then re-uses the result that it receives on subsequent calls.
My patch takes advantage of this behavior by patching a couple of boolean values and basically making Windows Update think that it has already checked your processor, and the result was that it is indeed supported.
- The installer registers wufuc as a custom Application Verifier provider.
- When a `svchost.exe` process starts, the Windows PE loader automatically loads wufuc into its virtual address space.
- After that, wufuc will then check the command line of the process it was loaded into, then install some API hooks when appropriate:
* `LoadLibraryExW` hook will automatically patch `wuaueng.dll` as soon as it is loaded.
* `RegQueryValueExW` hook is necessary to provide compatibility with attempts by other third-parties at bypassing the CPU check. (see issue [#100](../../issues/100))
- If wufuc gets loaded by a `svchost.exe` process that isn't related to Windows Update, it goes into a dormant state and no hooks are applied.
- The installer registers a scheduled task that automatically starts wufuc on system boot/user log on.
- Depending on how the Windows Update service is configured to run, wufuc will:
* **Shared process**: inject itself into the service host process that Windows Update will run in when it starts.
* **Own process**: wait for the Windows Update service to start and then inject into it.
- After that, wufuc will install some API hooks when appropriate:
* `LoadLibraryExW` hook will automatically hook the `IsDeviceServiceable()` function inside `wuaueng.dll` when it is loaded.
* `RegQueryValueExW` hook is necessary to provide compatibility with [UpdatePack7R2](../../issues/100). This hook not applied when `wuauserv` is configured to run in its own process.
## How to deploy wufuc using Group Policy
## FAQ
### How to deploy wufuc using Group Policy
[There is a tutorial on the Advanced Installer website that explains how to do this](http://www.advancedinstaller.com/user-guide/tutorial-gpo.html).
## How to use unattended feature in the batch setup scripts
### How to use unattended feature in the batch setup scripts
`install_wufuc.bat` and `uninstall_wufuc.bat` both support two command line parameters that can be used alone, or combined to change the behavior of the scripts:
@@ -70,22 +78,21 @@ My patch takes advantage of this behavior by patching a couple of boolean values
These must be used from an elevated command line prompt.
## What to do if you get stuck on a black screen with just a cursor after the Windows boot animation
### How to manually remove wufuc v0.8.0.x when it is impossible to uninstall it normally
This will happen if wufuc somehow manages to crash the `svchost.exe` process that is responsible for displaying the login screen.
Normally this should **never ever** happen, because wufuc goes dormant in `svchost.exe` processes that are unrelated to Windows Update.
I have only encountered this during development with very unstable code, or by causing it intentionally.
This only applies to wufuc version 0.8.0.x, which was only available for download for a short period of time. Other versions are unaffected.
However, just in case this does happen to someone, here is how to fix it:
There was a fundamental issue with the method I tried using in this version that caused very serious system instability, such as User Account Control breaking, getting a black screen with just a cursor at boot or after logging out, or very slow overall system performance from multiple services crashing repeatedly which would eventually end in a blue screen of death. Many of these issues unfortunately made uninstalling wufuc nearly impossible. I apologize for any inconvenience this version of wufuc may have caused.
#### To manually uninstall wufuc v0.8.0.x:
1. [Boot into Safe Mode with Command Prompt](https://support.microsoft.com/en-us/help/17419/windows-7-advanced-startup-options-safe-mode).
2. In the command prompt type `regedit` and press enter.
3. Navigate to the key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`
4. Expand the `Image File Execution Options` tree.
5. Locate the `svchost.exe` sub key, right-click it and press **Delete**.
6. Reboot.
7. You should be able to log in normally again.
8. **If this happens to you, please report it in the issues tab so I can try to figure out what is causing the crash!**
6. Reboot, and you should be able to log in normally again.
7. Open Add and Remove Programs, locate and run the normal wufuc uninstaller to complete the removal process.
## Sponsors
@@ -96,6 +103,5 @@ Advanced Installer's intuitive and friendly user interface allowed me to quickly
## Special thanks
- Alex Ionescu ([@ionescu007](https://github.com/ionescu007)) for his [_"Hooking Nirvana"_ presentation at REcon 2015](https://www.youtube.com/watch?v=bqU0y4FzvT0) and its corresponding [repository of example code](https://github.com/ionescu007/HookingNirvana).
- Wen Jia Liu ([@wj32](https://github.com/wj32)) for his awesome program [Process Hacker](https://github.com/processhacker2/processhacker) which has been absolutely instrumental in the development of wufuc, and also for his [`phnt`](https://github.com/processhacker2/processhacker/tree/master/phnt) headers.
- Duncan Ogilvie ([@mrexodia](https://github.com/mrexodia)) for his [`patternfind.cpp`](https://github.com/x64dbg/x64dbg/blob/development/src/dbg/patternfind.cpp) algorithm from [x64dbg](https://github.com/x64dbg/x64dbg).

0
phnt/README.md → inc/phnt/README.md
View File

0
phnt/include/ntdbg.h → inc/phnt/ntdbg.h
View File

169
phnt/include/ntexapi.h → inc/phnt/ntexapi.h
View File

@@ -833,7 +833,8 @@ typedef enum _WNF_DATA_SCOPE
WnfDataScopeSystem,
WnfDataScopeSession,
WnfDataScopeUser,
WnfDataScopeProcess
WnfDataScopeProcess,
WnfDataScopeMachine // REDSTONE3
} WNF_DATA_SCOPE;
typedef struct _WNF_TYPE_ID
@@ -1194,7 +1195,6 @@ NtAllocateUuids(
// rev
// private
// source:http://www.microsoft.com/whdc/system/Sysinternals/MoreThan64proc.mspx
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
@@ -1241,12 +1241,12 @@ typedef enum _SYSTEM_INFORMATION_CLASS
SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
SystemCurrentTimeZoneInformation, // q
SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
SystemSessionCreate, // not implemented
SystemSessionDetach, // not implemented
SystemSessionInformation, // not implemented
SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
SystemVerifierThunkExtend, // s (kernel-mode only)
@@ -1266,8 +1266,8 @@ typedef enum _SYSTEM_INFORMATION_CLASS
SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
SystemHotpatchInformation, // q; s
SystemObjectSecurityMode, // q // 70
SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
SystemObjectSecurityMode, // q: ULONG // 70
SystemWatchdogTimerHandler, // s (kernel-mode only)
SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
@@ -1390,6 +1390,9 @@ typedef enum _SYSTEM_INFORMATION_CLASS
SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
SystemIntegrityQuotaInformation,
SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
SystemProcessorIdleMaskInformation, // since REDSTONE3
SystemSecureDumpEncryptionInformation,
SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;
@@ -1576,7 +1579,9 @@ typedef struct _SYSTEM_PROCESS_INFORMATION
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
SYSTEM_THREAD_INFORMATION Threads[1]; // SystemProcessInformation
// SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1]; // SystemExtendedProcessinformation
// SYSTEM_EXTENDED_THREAD_INFORMATION + SYSTEM_PROCESS_INFORMATION_EXTENSION // SystemFullProcessInformation
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef struct _SYSTEM_CALL_COUNT_INFORMATION
@@ -1790,12 +1795,25 @@ typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION
BOOLEAN Enable;
} SYSTEM_QUERY_TIME_ADJUST_INFORMATION, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION;
typedef struct _SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE
{
ULONGLONG TimeAdjustment;
ULONGLONG TimeIncrement;
BOOLEAN Enable;
} SYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE, *PSYSTEM_QUERY_TIME_ADJUST_INFORMATION_PRECISE;
typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION
{
ULONG TimeAdjustment;
BOOLEAN Enable;
} SYSTEM_SET_TIME_ADJUST_INFORMATION, *PSYSTEM_SET_TIME_ADJUST_INFORMATION;
typedef struct _SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE
{
ULONGLONG TimeAdjustment;
BOOLEAN Enable;
} SYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE, *PSYSTEM_SET_TIME_ADJUST_INFORMATION_PRECISE;
typedef enum _EVENT_TRACE_INFORMATION_CLASS
{
EventTraceKernelVersionInformation, // EVENT_TRACE_VERSION_INFORMATION
@@ -1817,6 +1835,8 @@ typedef enum _EVENT_TRACE_INFORMATION_CLASS
EventTraceStackCachingInformation, // EVENT_TRACE_STACK_CACHING_INFORMATION
EventTraceObjectTypeFilterInformation, // EVENT_TRACE_TAG_FILTER_INFORMATION
EventTraceSoftRestartInformation, // EVENT_TRACE_SOFT_RESTART_INFORMATION
EventTraceLastBranchConfigurationInformation, // REDSTONE3
EventTraceLastBranchEventListInformation,
MaxEventTraceInfoClass
} EVENT_TRACE_INFORMATION_CLASS;
@@ -2149,6 +2169,7 @@ typedef struct _SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
SIZE_T NumberOfBytesAvailableContiguous;
} SYSTEM_SESSION_MAPPED_VIEW_INFORMATION, *PSYSTEM_SESSION_MAPPED_VIEW_INFORMATION;
#if (PHNT_MODE != PHNT_MODE_KERNEL)
// private
typedef enum _SYSTEM_FIRMWARE_TABLE_ACTION
{
@@ -2166,6 +2187,7 @@ typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION
ULONG TableBufferLength;
UCHAR TableBuffer[1];
} SYSTEM_FIRMWARE_TABLE_INFORMATION, *PSYSTEM_FIRMWARE_TABLE_INFORMATION;
#endif
// private
typedef struct _SYSTEM_MEMORY_LIST_INFORMATION
@@ -2221,16 +2243,6 @@ typedef struct _SYSTEM_PROCESS_ID_INFORMATION
UNICODE_STRING ImageName;
} SYSTEM_PROCESS_ID_INFORMATION, *PSYSTEM_PROCESS_ID_INFORMATION;
#if (PHNT_MODE == PHNT_MODE_KERNEL)
typedef enum _FIRMWARE_TYPE
{
FirmwareTypeUnknown,
FirmwareTypeBios,
FirmwareTypeUefi,
FirmwareTypeMax
} FIRMWARE_TYPE, *PFIRMWARE_TYPE;
#endif
// private
typedef struct _SYSTEM_BOOT_ENVIRONMENT_INFORMATION
{
@@ -2273,13 +2285,20 @@ typedef struct _SYSTEM_SYSTEM_DISK_INFORMATION
UNICODE_STRING SystemDisk;
} SYSTEM_SYSTEM_DISK_INFORMATION, *PSYSTEM_SYSTEM_DISK_INFORMATION;
// private
// private (Windows 8.1 and above)
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT
{
ULONGLONG Hits; // ULONG in WIN8
ULONGLONG Hits;
UCHAR PercentFrequency;
} SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT, *PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT;
// private (Windows 7 and Windows 8)
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8
{
ULONG Hits;
UCHAR PercentFrequency;
} SYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8, *PSYSTEM_PROCESSOR_PERFORMANCE_HITCOUNT_WIN8;
// private
typedef struct _SYSTEM_PROCESSOR_PERFORMANCE_STATE_DISTRIBUTION
{
@@ -2662,7 +2681,7 @@ typedef struct _PROCESS_DISK_COUNTERS
} PROCESS_DISK_COUNTERS, *PPROCESS_DISK_COUNTERS;
// private
typedef struct _ENERGY_STATE_DURATION
typedef union _ENERGY_STATE_DURATION
{
union
{
@@ -2696,8 +2715,8 @@ typedef struct _PROCESS_ENERGY_VALUES
ULONG CompositionDirtyGenerated;
ULONG CompositionDirtyPropagated;
ULONG Reserved1;
ULONGLONG AttributedCycles[2][4];
ULONGLONG WorkOnBehalfCycles[2][4];
ULONGLONG AttributedCycles[4][2];
ULONGLONG WorkOnBehalfCycles[4][2];
} PROCESS_ENERGY_VALUES, *PPROCESS_ENERGY_VALUES;
typedef struct _TIMELINE_BITMAP
@@ -2711,7 +2730,7 @@ typedef struct _PROCESS_ENERGY_VALUES_EXTENSION
{
union
{
TIMELINE_BITMAP Timelines[9];
TIMELINE_BITMAP Timelines[14]; // 9 for REDSTONE2, 14 for REDSTONE3
struct
{
TIMELINE_BITMAP CpuTimeline;
@@ -2723,8 +2742,29 @@ typedef struct _PROCESS_ENERGY_VALUES_EXTENSION
TIMELINE_BITMAP CompositionRenderedTimeline;
TIMELINE_BITMAP CompositionDirtyGeneratedTimeline;
TIMELINE_BITMAP CompositionDirtyPropagatedTimeline;
TIMELINE_BITMAP InputTimeline; // REDSTONE3
TIMELINE_BITMAP AudioInTimeline;
TIMELINE_BITMAP AudioOutTimeline;
TIMELINE_BITMAP DisplayRequiredTimeline;
TIMELINE_BITMAP KeyboardInputTimeline;
};
};
union // REDSTONE3
{
ENERGY_STATE_DURATION Durations[5];
struct
{
ENERGY_STATE_DURATION InputDuration;
ENERGY_STATE_DURATION AudioInDuration;
ENERGY_STATE_DURATION AudioOutDuration;
ENERGY_STATE_DURATION DisplayRequiredDuration;
ENERGY_STATE_DURATION PSMBackgroundDuration;
};
};
ULONG KeyboardInput;
ULONG MouseInput;
} PROCESS_ENERGY_VALUES_EXTENSION, *PPROCESS_ENERGY_VALUES_EXTENSION;
typedef struct _PROCESS_EXTENDED_ENERGY_VALUES
@@ -2733,6 +2773,16 @@ typedef struct _PROCESS_EXTENDED_ENERGY_VALUES
PROCESS_ENERGY_VALUES_EXTENSION Extension;
} PROCESS_EXTENDED_ENERGY_VALUES, *PPROCESS_EXTENDED_ENERGY_VALUES;
// private
typedef enum _SYSTEM_PROCESS_CLASSIFICATION
{
SystemProcessClassificationNormal,
SystemProcessClassificationSystem,
SystemProcessClassificationSecureSystem,
SystemProcessClassificationMemCompression,
SystemProcessClassificationMaximum
} SYSTEM_PROCESS_CLASSIFICATION;
// private
typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION
{
@@ -2744,7 +2794,7 @@ typedef struct _SYSTEM_PROCESS_INFORMATION_EXTENSION
struct
{
ULONG HasStrongId : 1;
ULONG Classification : 4;
ULONG Classification : 4; // SYSTEM_PROCESS_CLASSIFICATION
ULONG BackgroundActivityModerated : 1;
ULONG Spare : 26;
};
@@ -2887,7 +2937,7 @@ typedef struct _SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
typedef struct _SYSTEM_ROOT_SILO_INFORMATION
{
ULONG NumberOfSilos;
HANDLE SiloIdList[1];
ULONG SiloIdList[1];
} SYSTEM_ROOT_SILO_INFORMATION, *PSYSTEM_ROOT_SILO_INFORMATION;
// private
@@ -2968,13 +3018,28 @@ typedef enum _SYSTEM_ACTIVITY_MODERATION_STATE
MaxSystemActivityModerationState
} SYSTEM_ACTIVITY_MODERATION_STATE;
// private
typedef struct _SYSTEM_ACTIVITY_MODERATION_EXE_STATE
// private - REDSTONE2
typedef struct _SYSTEM_ACTIVITY_MODERATION_EXE_STATE // REDSTONE3: Renamed SYSTEM_ACTIVITY_MODERATION_INFO
{
UNICODE_STRING ExePathNt;
SYSTEM_ACTIVITY_MODERATION_STATE ModerationState;
} SYSTEM_ACTIVITY_MODERATION_EXE_STATE, *PSYSTEM_ACTIVITY_MODERATION_EXE_STATE;
typedef enum _SYSTEM_ACTIVITY_MODERATION_APP_TYPE
{
SystemActivityModerationAppTypeClassic,
SystemActivityModerationAppTypePackaged,
MaxSystemActivityModerationAppType
} SYSTEM_ACTIVITY_MODERATION_APP_TYPE;
// private - REDSTONE3
typedef struct _SYSTEM_ACTIVITY_MODERATION_INFO
{
UNICODE_STRING Identifier;
SYSTEM_ACTIVITY_MODERATION_STATE ModerationState;
SYSTEM_ACTIVITY_MODERATION_APP_TYPE AppType;
} SYSTEM_ACTIVITY_MODERATION_INFO, *PSYSTEM_ACTIVITY_MODERATION_INFO;
// private
typedef struct _SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
{
@@ -3006,6 +3071,13 @@ typedef struct _SYSTEM_FLUSH_INFORMATION
ULONGLONG Reserved[2];
} SYSTEM_FLUSH_INFORMATION, *PSYSTEM_FLUSH_INFORMATION;
// private
typedef struct _SYSTEM_WRITE_CONSTRAINT_INFORMATION
{
ULONG WriteConstraintPolicy;
ULONG Reserved;
} SYSTEM_WRITE_CONSTRAINT_INFORMATION, *PSYSTEM_WRITE_CONSTRAINT_INFORMATION;
#if (PHNT_MODE != PHNT_MODE_KERNEL)
NTSYSCALLAPI
@@ -3153,35 +3225,31 @@ typedef struct _SYSDBG_TRIAGE_DUMP
} SYSDBG_TRIAGE_DUMP, *PSYSDBG_TRIAGE_DUMP;
// private
typedef struct _SYSDBG_LIVEDUMP_CONTROL_FLAGS
typedef union _SYSDBG_LIVEDUMP_CONTROL_FLAGS
{
union
struct
{
struct
{
ULONG UseDumpStorageStack : 1;
ULONG CompressMemoryPagesData : 1;
ULONG IncludeUserSpaceMemoryPages : 1;
ULONG Reserved : 28;
};
ULONG AsUlong;
ULONG UseDumpStorageStack : 1;
ULONG CompressMemoryPagesData : 1;
ULONG IncludeUserSpaceMemoryPages : 1;
ULONG Reserved : 29;
};
ULONG AsUlong;
} SYSDBG_LIVEDUMP_CONTROL_FLAGS, *PSYSDBG_LIVEDUMP_CONTROL_FLAGS;
// private
typedef struct _SYSDBG_LIVEDUMP_CONTROL_ADDPAGES
typedef union _SYSDBG_LIVEDUMP_CONTROL_ADDPAGES
{
union
struct
{
struct
{
ULONG HypervisorPages : 1;
ULONG Reserved : 31;
};
ULONG AsUlong;
ULONG HypervisorPages : 1;
ULONG Reserved : 31;
};
ULONG AsUlong;
} SYSDBG_LIVEDUMP_CONTROL_ADDPAGES, *PSYSDBG_LIVEDUMP_CONTROL_ADDPAGES;
#define SYSDBG_LIVEDUMP_CONTROL_VERSION 1
// private
typedef struct _SYSDBG_LIVEDUMP_CONTROL
{
@@ -3299,7 +3367,7 @@ typedef struct _KUSER_SHARED_DATA
LONG TimeZoneBiasStamp;
ULONG NtBuildNumber;
ULONG NtProductType;
NT_PRODUCT_TYPE NtProductType;
BOOLEAN ProductTypeIsValid;
UCHAR Reserved0[1];
USHORT NativeProcessorArchitecture;
@@ -3364,7 +3432,8 @@ typedef struct _KUSER_SHARED_DATA
ULONG DbgSecureBootEnabled : 1;
ULONG DbgMultiSessionSku : 1;
ULONG DbgMultiUsersInSessionSku : 1;
ULONG SpareBits : 22;
ULONG DbgStateSeparationEnabled : 1;
ULONG SpareBits : 21;
};
};
ULONG DataFlagsPad[1];
@@ -3397,7 +3466,9 @@ typedef struct _KUSER_SHARED_DATA
USHORT UnparkedProcessorCount;
ULONG EnclaveFeatureMask[4];
ULONG Reserved8;
ULONG TelemetryCoverageRound;
USHORT UserModeGlobalLogger[16];
ULONG ImageFileExecutionOptions;
@@ -3459,7 +3530,7 @@ C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemCallPad) == 0x310);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320);
C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8);
//C_ASSERT(sizeof(KUSER_SHARED_DATA) == 0x708); // Visual Studio has a problem with this
C_ASSERT(sizeof(KUSER_SHARED_DATA) == 0x708);
#define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)0x7ffe0000)

0
phnt/include/ntgdi.h → inc/phnt/ntgdi.h
View File

17
phnt/include/ntioapi.h → inc/phnt/ntioapi.h
View File

@@ -242,6 +242,7 @@ typedef enum _FILE_INFORMATION_CLASS
FileRenameInformationExBypassAccessCheck,
FileDesiredStorageClassInformation, // FILE_DESIRED_STORAGE_CLASS_INFORMATION // since REDSTONE2
FileStatInformation, // FILE_STAT_INFORMATION
FileMemoryPartitionInformation, // FILE_MEMORY_PARTITION_INFORMATION // since REDSTONE3
FileMaximumInformation
} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
@@ -679,6 +680,7 @@ typedef struct _FILE_ID_EXTD_BOTH_DIR_INFORMATION
WCHAR FileName[1];
} FILE_ID_EXTD_BOTH_DIR_INFORMATION, *PFILE_ID_EXTD_BOTH_DIR_INFORMATION;
// private
typedef struct _FILE_STAT_INFORMATION
{
LARGE_INTEGER FileId;
@@ -694,6 +696,21 @@ typedef struct _FILE_STAT_INFORMATION
ULONG EffectiveAccess;
} FILE_STAT_INFORMATION, *PFILE_STAT_INFORMATION;
// private
typedef struct _FILE_MEMORY_PARTITION_INFORMATION
{
HANDLE OwnerPartitionHandle;
union
{
struct
{
UCHAR NoCrossPartitionAccess;
UCHAR Spare[3];
};
ULONG AllFlags;
} Flags;
} FILE_MEMORY_PARTITION_INFORMATION, *PFILE_MEMORY_PARTITION_INFORMATION;
// NtQueryDirectoryFile types
typedef struct _FILE_DIRECTORY_INFORMATION

0
phnt/include/ntkeapi.h → inc/phnt/ntkeapi.h
View File

41
phnt/include/ntldr.h → inc/phnt/ntldr.h
View File

@@ -76,6 +76,8 @@ typedef enum _LDR_DLL_LOAD_REASON
LoadReasonDynamicLoad,
LoadReasonAsImageLoad,
LoadReasonAsDataLoad,
LoadReasonEnclavePrimary, // REDSTONE3
LoadReasonEnclaveDependency,
LoadReasonUnknown = -1
} LDR_DLL_LOAD_REASON, *PLDR_DLL_LOAD_REASON;
@@ -471,9 +473,25 @@ LdrUnregisterDllNotification(
// private
typedef struct _PS_MITIGATION_OPTIONS_MAP
{
ULONG_PTR Map[2];
union
{
ULONG_PTR Map[2]; // REDSTONE2
//struct
//{
// ULONG_PTR Depth : 16; // REDSTONE3
// ULONG_PTR Sequence : 48;
// ULONG_PTR Reserved : 4;
// ULONG_PTR NextEntry : 60;
//};
};
} PS_MITIGATION_OPTIONS_MAP, *PPS_MITIGATION_OPTIONS_MAP;
// private
typedef struct _PS_MITIGATION_AUDIT_OPTIONS_MAP
{
ULONG_PTR Map[2];
} PS_MITIGATION_AUDIT_OPTIONS_MAP, *PPS_MITIGATION_AUDIT_OPTIONS_MAP;
// private
typedef struct _PS_SYSTEM_DLL_INIT_BLOCK
{
@@ -496,6 +514,7 @@ typedef struct _PS_SYSTEM_DLL_INIT_BLOCK
ULONG_PTR CfgBitMapSize;
ULONG_PTR Wow64CfgBitMap;
ULONG_PTR Wow64CfgBitMapSize;
PS_MITIGATION_AUDIT_OPTIONS_MAP MitigationAuditOptionsMap; // REDSTONE3
} PS_SYSTEM_DLL_INIT_BLOCK, *PPS_SYSTEM_DLL_INIT_BLOCK;
#if (PHNT_VERSION >= PHNT_THRESHOLD)
@@ -552,6 +571,26 @@ LdrDisableThreadCalloutsForDll(
_In_ PVOID DllImageBase
);
// Resources
NTSYSAPI
NTSTATUS
NTAPI
LdrAccessResource(
_In_ PVOID BaseAddress,
_In_ PIMAGE_RESOURCE_DATA_ENTRY ResourceDataEntry,
_Out_opt_ PVOID *ResourceBuffer,
_Out_opt_ ULONG *ResourceLength
);
NTSYSAPI
NTSTATUS
NTAPI
LdrFindEntryForAddress(
_In_ PVOID BaseAddress,
_Out_ PLDR_DATA_TABLE_ENTRY *Entry
);
#endif // (PHNT_MODE != PHNT_MODE_KERNEL)
// Module information

0
phnt/include/ntlpcapi.h → inc/phnt/ntlpcapi.h
View File

0
phnt/include/ntmisc.h → inc/phnt/ntmisc.h
View File

92
phnt/include/ntmmapi.h → inc/phnt/ntmmapi.h
View File

@@ -24,7 +24,7 @@
#define PAGE_ENCLAVE_UNVALIDATED 0x20000000
// Region and section constants
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define MEM_COMMIT 0x1000
#define MEM_RESERVE 0x2000
#define MEM_DECOMMIT 0x4000
@@ -34,19 +34,26 @@
#define MEM_MAPPED 0x40000
#define MEM_RESET 0x80000
#define MEM_TOP_DOWN 0x100000
#endif
#define MEM_WRITE_WATCH 0x200000
#define MEM_PHYSICAL 0x400000
#define MEM_ROTATE 0x800000
#define MEM_DIFFERENT_IMAGE_BASE_OK 0x800000
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define MEM_RESET_UNDO 0x1000000
#endif
#define MEM_LARGE_PAGES 0x20000000
#define MEM_4MB_PAGES 0x80000000
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define SEC_FILE 0x800000
#endif
#define SEC_IMAGE 0x1000000
#define SEC_PROTECTED_IMAGE 0x2000000
#if (PHNT_MODE != PHNT_MODE_KERNEL)
#define SEC_RESERVE 0x4000000
#define SEC_COMMIT 0x8000000
#endif
#define SEC_NOCACHE 0x10000000
#define SEC_WRITECOMBINE 0x40000000
#define SEC_LARGE_PAGES 0x80000000
@@ -55,6 +62,7 @@
#endif
#if (PHNT_MODE != PHNT_MODE_KERNEL)
// private
typedef enum _MEMORY_INFORMATION_CLASS
{
@@ -66,21 +74,22 @@ typedef enum _MEMORY_INFORMATION_CLASS
MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION
MemoryImageInformation, // MEMORY_IMAGE_INFORMATION
MemoryRegionInformationEx,
MemoryPrivilegedBasicInformation
MemoryPrivilegedBasicInformation,
MemoryEnclaveImageInformation, // since REDSTONE3
MemoryBasicInformationCapped
} MEMORY_INFORMATION_CLASS;
#if (PHNT_MODE == PHNT_MODE_KERNEL)
typedef struct _MEMORY_BASIC_INFORMATION
{
PVOID BaseAddress;
PVOID AllocationBase;
ULONG AllocationProtect;
SIZE_T RegionSize;
ULONG State;
ULONG Protect;
ULONG Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
#else
#define MemoryBasicInformation 0x0
#define MemoryWorkingSetInformation 0x1
#define MemoryMappedFilenameInformation 0x2
#define MemoryRegionInformation 0x3
#define MemoryWorkingSetExInformation 0x4
#define MemorySharedCommitInformation 0x5
#define MemoryImageInformation 0x6
#define MemoryRegionInformationEx 0x7
#define MemoryPrivilegedBasicInformation 0x8
#define MemoryEnclaveImageInformation 0x9
#define MemoryBasicInformationCapped 0xA
#endif
typedef struct _MEMORY_WORKING_SET_BLOCK
@@ -118,7 +127,9 @@ typedef struct _MEMORY_REGION_INFORMATION
ULONG MappedPageFile : 1;
ULONG MappedPhysical : 1;
ULONG DirectMapped : 1;
ULONG Reserved : 26;
ULONG SoftwareEnclave : 1; //REDSTONE3
ULONG PageSize64K : 1;
ULONG Reserved : 24;
};
};
SIZE_T RegionSize;
@@ -196,6 +207,7 @@ typedef struct _MEMORY_IMAGE_INFORMATION
{
ULONG ImagePartialMap : 1;
ULONG ImageNotExecutable : 1;
ULONG ImageSigningLevel : 1; // REDSTONE3
ULONG Reserved : 30;
};
};
@@ -296,8 +308,8 @@ typedef struct _MMPFN_MEMSNAP_INFORMATION
typedef enum _SECTION_INFORMATION_CLASS
{
SectionBasicInformation,
SectionImageInformation,
SectionBasicInformation, // q; SECTION_BASIC_INFORMATION
SectionImageInformation, // q; SECTION_IMAGE_INFORMATION
SectionRelocationInformation, // name:wow64:whNtQuerySection_SectionRelocationInformation
SectionOriginalBaseInformation, // PVOID BaseAddress
SectionInternalImageInformation, // SECTION_INTERNAL_IMAGE_INFORMATION // since REDSTONE2
@@ -369,10 +381,8 @@ typedef struct _SECTION_INTERNAL_IMAGE_INFORMATION
ULONG ExtendedFlags;
struct
{
ULONG ImageReturnFlowGuardEnabled : 1;
ULONG ImageReturnFlowGuardStrict : 1;
ULONG ImageExportSuppressionEnabled : 1;
ULONG Reserved : 29;
ULONG Reserved : 31;
};
};
} SECTION_INTERNAL_IMAGE_INFORMATION, *PSECTION_INTERNAL_IMAGE_INFORMATION;
@@ -471,12 +481,13 @@ NtQueryVirtualMemory(
#endif
// begin_private
#if (PHNT_MODE != PHNT_MODE_KERNEL)
typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS
{
VmPrefetchInformation,
VmPrefetchInformation, // ULONG
VmPagePriorityInformation,
VmCfgCallTargetInformation
VmCfgCallTargetInformation, // CFG_CALL_TARGET_LIST_INFORMATION // REDSTONE2
VmPageDirtyStateInformation // REDSTONE3
} VIRTUAL_MEMORY_INFORMATION_CLASS;
typedef struct _MEMORY_RANGE_ENTRY
@@ -485,6 +496,14 @@ typedef struct _MEMORY_RANGE_ENTRY
SIZE_T NumberOfBytes;
} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY;
typedef struct _CFG_CALL_TARGET_LIST_INFORMATION
{
ULONG NumberOfEntries;
ULONG Reserved;
PULONG NumberOfEntriesProcessed;
PCFG_CALL_TARGET_INFO CallTargetInfo;
} CFG_CALL_TARGET_LIST_INFORMATION, *PCFG_CALL_TARGET_LIST_INFORMATION;
#endif
// end_private
#if (PHNT_MODE != PHNT_MODE_KERNEL)
@@ -619,6 +638,14 @@ NtAreMappedFilesTheSame(
// Partitions
#ifndef MEMORY_PARTITION_QUERY_ACCESS
#define MEMORY_PARTITION_QUERY_ACCESS 0x0001
#define MEMORY_PARTITION_MODIFY_ACCESS 0x0002
#define MEMORY_PARTITION_ALL_ACCESS \
(STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | \
MEMORY_PARTITION_QUERY_ACCESS | MEMORY_PARTITION_MODIFY_ACCESS)
#endif
// private
typedef enum _MEMORY_PARTITION_INFORMATION_CLASS
{
@@ -646,10 +673,11 @@ typedef struct _MEMORY_PARTITION_CONFIGURATION_INFORMATION
ULONG_PTR ZeroPages;
ULONG_PTR FreePages;
ULONG_PTR StandbyPages;
ULONG StandbyPageCountByPriority[8]; // since REDSTONE2
ULONG RepurposedPagesByPriority[8];
ULONG MaximumCommitLimit;
ULONG DonatedPagesToPartitions;
ULONG_PTR StandbyPageCountByPriority[8]; // since REDSTONE2
ULONG_PTR RepurposedPagesByPriority[8];
ULONG_PTR MaximumCommitLimit;
ULONG_PTR DonatedPagesToPartitions;
ULONG PartitionId; // since REDSTONE3
} MEMORY_PARTITION_CONFIGURATION_INFORMATION, *PMEMORY_PARTITION_CONFIGURATION_INFORMATION;
// private
@@ -704,7 +732,13 @@ typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION
ULONG Spare : 31;
};
ULONG AllFlags;
};
} Flags;
ULONG HandleAttributes;
ULONG DesiredAccess;
HANDLE LowCommitCondition; // \KernelObjects\LowCommitCondition
HANDLE HighCommitCondition; // \KernelObjects\HighCommitCondition
HANDLE MaximumCommitCondition; // \KernelObjects\MaximumCommitCondition
} MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION, *PMEMORY_PARTITION_MEMORY_EVENTS_INFORMATION;
#if (PHNT_MODE != PHNT_MODE_KERNEL)

0
phnt/include/ntnls.h → inc/phnt/ntnls.h
View File

0
phnt/include/ntobapi.h → inc/phnt/ntobapi.h
View File

40
phnt/include/ntpebteb.h → inc/phnt/ntpebteb.h
View File

@@ -4,6 +4,16 @@
typedef struct _RTL_USER_PROCESS_PARAMETERS *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION;
// private
typedef struct _ACTIVATION_CONTEXT_STACK
{
struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME* ActiveFrame;
LIST_ENTRY FrameListCache;
ULONG Flags;
ULONG NextCookieSequenceNumber;
ULONG StackId;
} ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
// symbols
typedef struct _PEB
{
@@ -62,9 +72,11 @@ typedef struct _PEB
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[2];
PVOID ReadOnlySharedMemoryBase;
PVOID HotpatchInformation;
PVOID ReadOnlySharedMemoryBase;
PVOID SharedData; // HotpatchInformation
PVOID *ReadOnlyStaticServerData;
PVOID AnsiCodePageData; // PCPTABLEINFO
PVOID OemCodePageData; // PCPTABLEINFO
PVOID UnicodeCaseTableData; // PNLSTABLEINFO
@@ -127,7 +139,7 @@ typedef struct _PEB
PVOID WerRegistrationData;
PVOID WerShipAssertPtr;
PVOID pContextData;
PVOID pUnused; // pContextData
PVOID pImageHeaderHash;
union
{
@@ -144,6 +156,8 @@ typedef struct _PEB
PVOID TppWorkerpListLock;
LIST_ENTRY TppWorkerpList;
PVOID WaitOnAddressHashTable[128];
PVOID TelemetryCoverageHeader; // REDSTONE3
ULONG CloudFileFlags;
} PEB, *PPEB;
#define GDI_BATCH_BUFFER_SIZE 310
@@ -188,17 +202,33 @@ typedef struct _TEB
LCID CurrentLocale;
ULONG FpSoftwareStatusRegister;
PVOID ReservedForDebuggerInstrumentation[16];
PVOID SystemReserved1[37];
#ifdef _WIN64
PVOID SystemReserved1[30];
#else
PVOID SystemReserved1[26];
#endif
CHAR PlaceholderCompatibilityMode;
CHAR PlaceholderReserved[11];
ULONG ProxiedProcessId;
ACTIVATION_CONTEXT_STACK ActivationStack;
UCHAR WorkingOnBehalfTicket[8];
NTSTATUS ExceptionCode;
PVOID ActivationContextStackPointer;
PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
ULONG_PTR InstrumentationCallbackSp;
ULONG_PTR InstrumentationCallbackPreviousPc;
ULONG_PTR InstrumentationCallbackPreviousSp;
#ifdef _WIN64
ULONG TxFsContext;
#endif
BOOLEAN InstrumentationCallbackDisabled;
#ifndef _WIN64
UCHAR SpareBytes[23];
ULONG TxFsContext;
#endif
GDI_TEB_BATCH GdiTebBatch;
CLIENT_ID RealClientId;
HANDLE GdiCachedProcessHandle;

0
phnt/include/ntpfapi.h → inc/phnt/ntpfapi.h
View File

0
phnt/include/ntpnpapi.h → inc/phnt/ntpnpapi.h
View File

0
phnt/include/ntpoapi.h → inc/phnt/ntpoapi.h
View File

123
phnt/include/ntpsapi.h → inc/phnt/ntpsapi.h
View File

@@ -180,6 +180,13 @@ typedef enum _PROCESSINFOCLASS
ProcessDisableSystemAllowedCpuSets,
ProcessWakeInformation, // PROCESS_WAKE_INFORMATION
ProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE
ProcessManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
ProcessCaptureTrustletLiveDump,
ProcessTelemetryCoverage,
ProcessEnclaveInformation,
ProcessEnableReadWriteVmLogging, // PROCESS_READWRITEVM_LOGGING_INFORMATION
ProcessUptimeInformation, // PROCESS_UPTIME_INFORMATION
ProcessImageSection,
MaxProcessInfoClass
} PROCESSINFOCLASS;
#endif
@@ -235,6 +242,8 @@ typedef enum _THREADINFOCLASS
ThreadSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2
ThreadDbgkWerReportActive,
ThreadAttachContainer,
ThreadManageWritesToExecutableMemory, // MANAGE_WRITES_TO_EXECUTABLE_MEMORY // since REDSTONE3
ThreadPowerThrottlingState, // THREAD_POWER_THROTTLING_STATE
MaxThreadInfoClass
} THREADINFOCLASS;
#endif
@@ -578,6 +587,9 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION
PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY SignaturePolicy;
PROCESS_MITIGATION_FONT_DISABLE_POLICY FontDisablePolicy;
PROCESS_MITIGATION_IMAGE_LOAD_POLICY ImageLoadPolicy;
PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY SystemCallFilterPolicy;
PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY PayloadRestrictionPolicy;
PROCESS_MITIGATION_CHILD_PROCESS_POLICY ChildProcessPolicy;
};
} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
@@ -716,7 +728,9 @@ typedef struct _PROCESS_JOB_MEMORY_INFO
typedef struct _PROCESS_CHILD_PROCESS_INFORMATION
{
BOOLEAN ProhibitChildProcesses;
BOOLEAN EnableAutomaticOverride;
//BOOLEAN EnableAutomaticOverride; // REDSTONE2
BOOLEAN AlwaysAllowSecureChildProcess; // REDSTONE3
BOOLEAN AuditProhibitChildProcesses;
} PROCESS_CHILD_PROCESS_INFORMATION, *PPROCESS_CHILD_PROCESS_INFORMATION;
typedef struct _PROCESS_WAKE_INFORMATION
@@ -735,6 +749,45 @@ typedef struct _PROCESS_ENERGY_TRACKING_STATE
WCHAR Tag[64];
} PROCESS_ENERGY_TRACKING_STATE, *PPROCESS_ENERGY_TRACKING_STATE;
typedef struct _MANAGE_WRITES_TO_EXECUTABLE_MEMORY
{
ULONG Version : 8;
ULONG ProcessEnableWriteExceptions : 1;
ULONG ThreadAllowWrites : 1;
ULONG Spare : 22;
} MANAGE_WRITES_TO_EXECUTABLE_MEMORY, *PMANAGE_WRITES_TO_EXECUTABLE_MEMORY;
typedef struct _PROCESS_READWRITEVM_LOGGING_INFORMATION
{
union
{
BOOLEAN Flags;
struct
{
BOOLEAN EnableReadVmLogging : 1;
BOOLEAN EnableWriteVmLogging : 1;
BOOLEAN Unused : 6;
};
};
} PROCESS_READWRITEVM_LOGGING_INFORMATION, *PPROCESS_READWRITEVM_LOGGING_INFORMATION;
typedef struct _PROCESS_UPTIME_INFORMATION
{
ULONGLONG QueryInterruptTime;
ULONGLONG QueryUnbiasedTime;
ULONGLONG EndInterruptTime;
ULONGLONG TimeSinceCreation;
ULONGLONG Uptime;
ULONGLONG SuspendedTime;
union
{
ULONG HangCount : 4;
ULONG GhostCount : 4;
ULONG Crashed : 1;
ULONG Terminated : 1;
};
} PROCESS_UPTIME_INFORMATION, *PPROCESS_UPTIME_INFORMATION;
// end_private
#endif
@@ -1249,6 +1302,7 @@ typedef enum _PS_ATTRIBUTE_NUM
PsAttributeSafeOpenPromptOriginClaim,
PsAttributeBnoIsolation, // PS_BNO_ISOLATION_PARAMETERS
PsAttributeDesktopAppPolicy, // in ULONG
PsAttributeChpe, // since REDSTONE3
PsAttributeMax
} PS_ATTRIBUTE_NUM;
@@ -1400,7 +1454,15 @@ typedef enum _PS_MITIGATION_OPTION
PS_MITIGATION_OPTION_RETURN_FLOW_GUARD,
PS_MITIGATION_OPTION_LOADER_INTEGRITY_CONTINUITY,
PS_MITIGATION_OPTION_STRICT_CONTROL_FLOW_GUARD,
PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT
PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT,
PS_MITIGATION_OPTION_ROP_STACKPIVOT, // since REDSTONE3
PS_MITIGATION_OPTION_ROP_CALLER_CHECK,
PS_MITIGATION_OPTION_ROP_SIMEXEC,
PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER,
PS_MITIGATION_OPTION_EXPORT_ADDRESS_FILTER_PLUS,
PS_MITIGATION_OPTION_RESTRICT_CHILD_PROCESS_CREATION,
PS_MITIGATION_OPTION_IMPORT_ADDRESS_FILTER,
PS_MITIGATION_OPTION_MODULE_TAMPERING_PROTECTION
} PS_MITIGATION_OPTION;
// windows-internals-book:"Chapter 5"
@@ -1562,52 +1624,53 @@ NtCreateThreadEx(
#if (PHNT_MODE != PHNT_MODE_KERNEL)
// JOBOBJECTINFOCLASS
#define JobObjectBasicAccountingInformation 1
#define JobObjectBasicLimitInformation 2
#define JobObjectBasicProcessIdList 3
#define JobObjectBasicUIRestrictions 4
#define JobObjectSecurityLimitInformation 5
#define JobObjectEndOfJobTimeInformation 6
#define JobObjectAssociateCompletionPortInformation 7
#define JobObjectBasicAndIoAccountingInformation 8
#define JobObjectExtendedLimitInformation 9
#define JobObjectJobSetInformation 10
#define JobObjectGroupInformation 11
#define JobObjectNotificationLimitInformation 12
#define JobObjectLimitViolationInformation 13
#define JobObjectGroupInformationEx 14
#define JobObjectCpuRateControlInformation 15
// Note: We don't use an enum since it conflicts with the Windows SDK.
#define JobObjectBasicAccountingInformation 1 // JOBOBJECT_BASIC_ACCOUNTING_INFORMATION
#define JobObjectBasicLimitInformation 2 // JOBOBJECT_BASIC_LIMIT_INFORMATION
#define JobObjectBasicProcessIdList 3 // JOBOBJECT_BASIC_PROCESS_ID_LIST
#define JobObjectBasicUIRestrictions 4 // JOBOBJECT_BASIC_UI_RESTRICTIONS
#define JobObjectSecurityLimitInformation 5 // JOBOBJECT_SECURITY_LIMIT_INFORMATION
#define JobObjectEndOfJobTimeInformation 6 // JOBOBJECT_END_OF_JOB_TIME_INFORMATION
#define JobObjectAssociateCompletionPortInformation 7 // JOBOBJECT_ASSOCIATE_COMPLETION_PORT
#define JobObjectBasicAndIoAccountingInformation 8 // JOBOBJECT_BASIC_AND_IO_ACCOUNTING_INFORMATION
#define JobObjectExtendedLimitInformation 9 // JOBOBJECT_EXTENDED_LIMIT_INFORMATION
#define JobObjectJobSetInformation 10 // JOBOBJECT_JOBSET_INFORMATION
#define JobObjectGroupInformation 11 // USHORT
#define JobObjectNotificationLimitInformation 12 // JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION
#define JobObjectLimitViolationInformation 13 // JOBOBJECT_LIMIT_VIOLATION_INFORMATION
#define JobObjectGroupInformationEx 14 // GROUP_AFFINITY (ARRAY)
#define JobObjectCpuRateControlInformation 15 // JOBOBJECT_CPU_RATE_CONTROL_INFORMATION
#define JobObjectCompletionFilter 16
#define JobObjectCompletionCounter 17
#define JobObjectFreezeInformation 18
#define JobObjectExtendedAccountingInformation 19
#define JobObjectWakeInformation 20
#define JobObjectFreezeInformation 18 // JOBOBJECT_FREEZE_INFORMATION
#define JobObjectExtendedAccountingInformation 19 // JOBOBJECT_EXTENDED_ACCOUNTING_INFORMATION
#define JobObjectWakeInformation 20 // JOBOBJECT_WAKE_INFORMATION
#define JobObjectBackgroundInformation 21
#define JobObjectSchedulingRankBiasInformation 22
#define JobObjectTimerVirtualizationInformation 23
#define JobObjectCycleTimeNotification 24
#define JobObjectClearEvent 25
#define JobObjectInterferenceInformation 26
#define JobObjectInterferenceInformation 26 // JOBOBJECT_INTERFERENCE_INFORMATION
#define JobObjectClearPeakJobMemoryUsed 27
#define JobObjectMemoryUsageInformation 28
#define JobObjectMemoryUsageInformation 28 // JOBOBJECT_MEMORY_USAGE_INFORMATION // JOBOBJECT_MEMORY_USAGE_INFORMATION_V2
#define JobObjectSharedCommit 29
#define JobObjectContainerId 30
#define JobObjectIoRateControlInformation 31
#define JobObjectNetRateControlInformation 32
#define JobObjectNotificationLimitInformation2 33
#define JobObjectLimitViolationInformation2 34
#define JobObjectNetRateControlInformation 32 // JOBOBJECT_NET_RATE_CONTROL_INFORMATION
#define JobObjectNotificationLimitInformation2 33 // JOBOBJECT_NOTIFICATION_LIMIT_INFORMATION_2
#define JobObjectLimitViolationInformation2 34 // JOBOBJECT_LIMIT_VIOLATION_INFORMATION_2
#define JobObjectCreateSilo 35
#define JobObjectSiloBasicInformation 36
#define JobObjectSiloRootDirectory 37
#define JobObjectServerSiloBasicInformation 38
#define JobObjectServerSiloUserSharedData 39
#define JobObjectSiloBasicInformation 36 // SILOOBJECT_BASIC_INFORMATION
#define JobObjectSiloRootDirectory 37 // SILOOBJECT_ROOT_DIRECTORY
#define JobObjectServerSiloBasicInformation 38 // SERVERSILO_BASIC_INFORMATION
#define JobObjectServerSiloUserSharedData 39 // SILO_USER_SHARED_DATA
#define JobObjectServerSiloInitialize 40
#define JobObjectServerSiloRunningState 41
#define JobObjectIoAttribution 42
#define JobObjectMemoryPartitionInformation 43
#define JobObjectContainerTelemetryId 44
#define JobObjectSiloSystemRoot 45
#define JobObjectEnergyTrackingState 46
#define JobObjectEnergyTrackingState 46 // JOBOBJECT_ENERGY_TRACKING_STATE
#define JobObjectThreadImpersonationInformation 47
#define MaxJobObjectInfoClass 48

10
phnt/include/ntregapi.h → inc/phnt/ntregapi.h
View File

@@ -120,6 +120,7 @@ typedef enum _KEY_SET_INFORMATION_CLASS
KeySetVirtualizationInformation, // KEY_SET_VIRTUALIZATION_INFORMATION
KeySetDebugInformation,
KeySetHandleTagsInformation, // KEY_HANDLE_TAGS_INFORMATION
KeySetLayerInformation, // KEY_SET_LAYER_INFORMATION
MaxKeySetInfoClass
} KEY_SET_INFORMATION_CLASS;
@@ -138,6 +139,15 @@ typedef struct _KEY_HANDLE_TAGS_INFORMATION
ULONG HandleTags;
} KEY_HANDLE_TAGS_INFORMATION, *PKEY_HANDLE_TAGS_INFORMATION;
typedef struct _KEY_SET_LAYER_INFORMATION
{
ULONG IsTombstone : 1;
ULONG IsSupersedeLocal : 1;
ULONG IsSupersedeTree : 1;
ULONG ClassIsInherited : 1;
ULONG Reserved : 28;
} KEY_SET_LAYER_INFORMATION, *PKEY_SET_LAYER_INFORMATION;
typedef struct _KEY_CONTROL_FLAGS_INFORMATION
{
ULONG ControlFlags;

6
phnt/include/ntrtl.h → inc/phnt/ntrtl.h
View File

@@ -4562,6 +4562,12 @@ typedef struct _RTL_BITMAP
PULONG Buffer;
} RTL_BITMAP, *PRTL_BITMAP;
typedef struct _RTL_BITMAP_EX
{
ULONG64 SizeOfBitMap;
PULONG64 Buffer;
} RTL_BITMAP_EX, *PRTL_BITMAP_EX;
NTSYSAPI
VOID
NTAPI

0
phnt/include/ntsam.h → inc/phnt/ntsam.h
View File

0
phnt/include/ntseapi.h → inc/phnt/ntseapi.h
View File

0
phnt/include/ntsmss.h → inc/phnt/ntsmss.h
View File

0
phnt/include/nttmapi.h → inc/phnt/nttmapi.h
View File

0
phnt/include/nttp.h → inc/phnt/nttp.h
View File

1
phnt/include/ntwow64.h → inc/phnt/ntwow64.h
View File

@@ -167,6 +167,7 @@ typedef struct _LDR_DATA_TABLE_ENTRY32
ULONG ImplicitPathOptions;
ULONG ReferenceCount;
ULONG DependentLoadFlags;
UCHAR SigningLevel; // since REDSTONE2
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
typedef struct _CURDIR32

0
phnt/include/ntxcapi.h → inc/phnt/ntxcapi.h
View File

11
phnt/include/ntzwapi.h → inc/phnt/ntzwapi.h
View File

@@ -1537,17 +1537,6 @@ ZwExtendSection(
_Inout_ PLARGE_INTEGER NewSectionSize
);
NTSYSCALLAPI
NTSTATUS
NTAPI
ZwFilterBootOption(
_In_ FILTER_BOOT_OPTION_OPERATION FilterOperation,
_In_ ULONG ObjectType,
_In_ ULONG ElementType,
_In_reads_bytes_opt_(DataSize) PVOID Data,
_In_ ULONG DataSize
);
NTSYSCALLAPI
NTSTATUS
NTAPI

1
phnt/include/phnt.h → inc/phnt/phnt.h
View File

@@ -35,6 +35,7 @@
#define PHNT_THRESHOLD2 101
#define PHNT_REDSTONE 102
#define PHNT_REDSTONE2 103
#define PHNT_REDSTONE3 104
#ifndef PHNT_MODE
#define PHNT_MODE PHNT_MODE_USER

0
phnt/include/phnt_ntdef.h → inc/phnt/phnt_ntdef.h
View File

0
phnt/include/phnt_windows.h → inc/phnt/phnt_windows.h
View File

0
phnt/include/subprocesstag.h → inc/phnt/subprocesstag.h
View File

0
phnt/include/winsta.h → inc/phnt/winsta.h
View File

5
phnt/zw_options.txt
View File

@@ -1,5 +0,0 @@
base=include
in=ntdbg.h;ntexapi.h;ntgdi.h;ntioapi.h;ntkeapi.h;ntldr.h;ntlpcapi.h;ntmisc.h;ntmmapi.h;ntnls.h;ntobapi.h;ntpebteb.h;ntpfapi.h;ntpnpapi.h;ntpoapi.h;ntpsapi.h;ntregapi.h;ntrtl.h;ntsam.h;ntseapi.h;nttmapi.h;nttp.h;ntwow64.h;ntxcapi.h
out=ntzwapi.h
header=#ifndef _NTZWAPI_H\r\n#define _NTZWAPI_H\r\n\r\n// This file was automatically generated. Do not edit.\r\n\r\n
footer=#endif\r\n

4
wufuc.sln
View File

@@ -1,7 +1,7 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.26730.16
VisualStudioVersion = 15.0.27004.2008
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wufuc", "wufuc\wufuc.vcxproj", "{00F96695-CE41-4C2F-A344-6219DFB4F887}"
EndProject
@@ -20,7 +20,7 @@ EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Documentation", "Documentation", "{65210B26-9B74-4B7E-B777-7A2EE4162595}"
ProjectSection(SolutionItems) = preProject
CONTRIBUTING.md = CONTRIBUTING.md
DONATIONS.md = DONATIONS.md
DONATE.md = DONATE.md
LICENSE = LICENSE
README.md = README.md
EndProjectSection

45
wufuc/appverifier.h
View File

@@ -1,45 +0,0 @@
#pragma once
#include <phnt_windows.h>
#define DLL_PROCESS_VERIFIER 4
typedef VOID(NTAPI *RTL_VERIFIER_DLL_LOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
typedef VOID(NTAPI *RTL_VERIFIER_DLL_UNLOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
typedef VOID(NTAPI *RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)(PVOID AllocationBase, SIZE_T AllocationSize);
typedef struct tagRTL_VERIFIER_THUNK_DESCRIPTOR
{
PCHAR ThunkName;
PVOID ThunkOldAddress;
PVOID ThunkNewAddress;
} RTL_VERIFIER_THUNK_DESCRIPTOR, *PRTL_VERIFIER_THUNK_DESCRIPTOR;
typedef struct tagRTL_VERIFIER_DLL_DESCRIPTOR
{
PWCHAR DllName;
DWORD DllFlags;
PVOID DllAddress;
PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks;
} RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR;
typedef struct tagRTL_VERIFIER_PROVIDER_DESCRIPTOR
{
DWORD Length;
PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;
RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;
PWSTR VerifierImage;
DWORD VerifierFlags;
DWORD VerifierDebug;
PVOID RtlpGetStackTraceAddress;
PVOID RtlpDebugPageHeapCreate;
PVOID RtlpDebugPageHeapDestroy;
RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;
} RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR;
typedef LSTATUS(WINAPI *LPFN_REGQUERYVALUEEXW)(HKEY, LPCWSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD);
typedef HMODULE(WINAPI *LPFN_LOADLIBRARYEXW)(LPCWSTR, HANDLE, DWORD);
extern LPFN_REGQUERYVALUEEXW *g_plpfnRegQueryValueExW;
extern LPFN_LOADLIBRARYEXW *g_plpfnLoadLibraryExW;

27
wufuc/callbacks.c
View File

@@ -1,15 +1,22 @@
#include "stdafx.h"
#include "callbacks.h"
#include "helpers.h"
#include <Psapi.h>
#include "tracing.h"
#include <phnt_windows.h>
VOID NTAPI VerifierDllLoadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
VOID CALLBACK ServiceNotifyCallback(PSERVICE_NOTIFYW pNotifyBuffer)
{
trace(L"dll load %ls, DllBase=%p, DllSize=%Iu", DllName, DllBase, DllSize);
}
HMODULE hModule;
VOID NTAPI VerifierDllUnloadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
{
trace(L"dll unload %ls, DllBase=%p, DllSize=%Iu", DllName, DllBase, DllSize);
switch ( pNotifyBuffer->dwNotificationStatus ) {
case ERROR_SUCCESS:
if ( inject_self_into_process(pNotifyBuffer->ServiceStatus.dwProcessId, &hModule) ) {
}
break;
case ERROR_SERVICE_MARKED_FOR_DELETE:
SetEvent((HANDLE)pNotifyBuffer->pContext);
break;
}
if ( pNotifyBuffer->pszServiceNames )
LocalFree((HLOCAL)pNotifyBuffer->pszServiceNames);
}

3
wufuc/callbacks.h
View File

@@ -2,5 +2,4 @@
#include <phnt_windows.h>
VOID NTAPI VerifierDllLoadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
VOID NTAPI VerifierDllUnloadCallback(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved);
VOID CALLBACK ServiceNotifyCallback(PSERVICE_NOTIFYW pNotifyBuffer);

57
wufuc/dllmain.c
View File

@@ -1,68 +1,15 @@
#include "appverifier.h"
#include "hooks.h"
#include "callbacks.h"
#include "helpers.h"
#include <stdbool.h>
#include <phnt_windows.h>
#include <phnt.h>
RTL_VERIFIER_THUNK_DESCRIPTOR g_vfThunkDescriptors[] = {
{ "RegQueryValueExW", NULL, (PVOID)&RegQueryValueExW_Hook },
{ "LoadLibraryExW", NULL, (PVOID)&LoadLibraryExW_Hook },
{ 0 } };
RTL_VERIFIER_DLL_DESCRIPTOR g_vfDllDescriptors[2];
RTL_VERIFIER_PROVIDER_DESCRIPTOR g_vfProviderDescriptor = {
sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR),
g_vfDllDescriptors/*,
(RTL_VERIFIER_DLL_LOAD_CALLBACK)&VerifierDllLoadCallback,
(RTL_VERIFIER_DLL_UNLOAD_CALLBACK)&VerifierDllUnloadCallback*/ };
LPFN_REGQUERYVALUEEXW *g_plpfnRegQueryValueExW;
LPFN_LOADLIBRARYEXW *g_plpfnLoadLibraryExW;
#include "stdafx.h"
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch ( ul_reason_for_call ) {
case DLL_PROCESS_ATTACH:
LdrDisableThreadCalloutsForDll((PVOID)hModule);
DisableThreadLibraryCalls(hModule);
break;
case DLL_PROCESS_DETACH:
break;
case DLL_PROCESS_VERIFIER:
if ( verify_win7() || verify_win81() ) {
UNICODE_STRING ImagePath;
RtlInitUnicodeString(&ImagePath, NULL);
RTL_QUERY_REGISTRY_TABLE QueryTable[2];
RtlSecureZeroMemory(&QueryTable, sizeof(QueryTable));
QueryTable[0].Name = L"ImagePath";
QueryTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
QueryTable[0].EntryContext = &ImagePath;
if ( RtlQueryRegistryValues(RTL_REGISTRY_SERVICES, L"wuauserv", QueryTable, NULL, NULL) == STATUS_SUCCESS
&& !RtlCompareUnicodeString(&NtCurrentPeb()->ProcessParameters->CommandLine, &ImagePath, TRUE) ) {
if ( verify_win7() )
g_vfDllDescriptors[0].DllName = L"kernel32.dll";
else if ( verify_win81() )
g_vfDllDescriptors[0].DllName = L"kernelbase.dll";
g_vfDllDescriptors[0].DllThunks = g_vfThunkDescriptors;
g_plpfnRegQueryValueExW = (LPFN_REGQUERYVALUEEXW *)&g_vfThunkDescriptors[0].ThunkOldAddress;
g_plpfnLoadLibraryExW = (LPFN_LOADLIBRARYEXW *)&g_vfThunkDescriptors[1].ThunkOldAddress;
}
RtlFreeUnicodeString(&ImagePath);
}
*(PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)lpReserved = &g_vfProviderDescriptor;
break;
default:
break;
}
return TRUE;
}

5
wufuc/exports.def
View File

@@ -1,4 +1,5 @@
LIBRARY
EXPORTS
RUNDLL32_LegacyUnloadW @1
RUNDLL32_DeleteFileW @2
RUNDLL32_StartW @3
RUNDLL32_UnloadW @4
RUNDLL32_DeleteFileW @5

215
wufuc/helpers.c
View File

@@ -1,104 +1,163 @@
#include "stdafx.h"
#include "helpers.h"
#include <sddl.h>
#include <stdint.h>
#include <stdbool.h>
#include <phnt_windows.h>
#include <phnt.h>
bool verify_winver(
DWORD dwMajorVersion,
DWORD dwMinorVersion,
DWORD dwBuildNumber,
WORD wServicePackMajor,
WORD wServicePackMinor,
BYTE MajorVersionCondition,
BYTE MinorVersionCondition,
BYTE BuildNumberCondition,
BYTE ServicePackMajorCondition,
BYTE ServicePackMinorCondition
)
bool create_exclusive_mutex(const wchar_t *name, HANDLE *pmutex)
{
RTL_OSVERSIONINFOEXW osvi = { 0 };
osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW);
HANDLE mutex;
osvi.dwMajorVersion = dwMajorVersion;
osvi.dwMinorVersion = dwMinorVersion;
osvi.dwBuildNumber = dwBuildNumber;
osvi.wServicePackMajor = wServicePackMajor;
osvi.wServicePackMinor = wServicePackMinor;
ULONGLONG ConditionMask = 0;
ULONG TypeMask = 0;
if ( MajorVersionCondition ) {
TypeMask |= VER_MAJORVERSION;
VER_SET_CONDITION(ConditionMask, VER_MAJORVERSION, MajorVersionCondition);
mutex = CreateMutexW(NULL, TRUE, name);
if ( mutex ) {
if ( GetLastError() == ERROR_ALREADY_EXISTS ) {
CloseHandle(mutex);
return false;
}
*pmutex = mutex;
return true;
}
if ( MinorVersionCondition ) {
TypeMask |= VER_MINORVERSION;
VER_SET_CONDITION(ConditionMask, VER_MINORVERSION, MinorVersionCondition);
}
if ( BuildNumberCondition ) {
TypeMask |= VER_BUILDNUMBER;
VER_SET_CONDITION(ConditionMask, VER_BUILDNUMBER, BuildNumberCondition);
}
if ( ServicePackMajorCondition ) {
TypeMask |= VER_SERVICEPACKMAJOR;
VER_SET_CONDITION(ConditionMask, VER_SERVICEPACKMAJOR, ServicePackMajorCondition);
}
if ( ServicePackMinorCondition ) {
TypeMask |= VER_SERVICEPACKMINOR;
VER_SET_CONDITION(ConditionMask, VER_SERVICEPACKMINOR, ServicePackMinorCondition);
}
return RtlVerifyVersionInfo(&osvi, TypeMask, ConditionMask) == STATUS_SUCCESS;
return false;
}
bool verify_win7(void)
bool create_event_with_security_descriptor(const wchar_t *descriptor, bool manualreset, bool initialstate, const wchar_t *name, HANDLE *pevent)
{
static bool a, b;
if ( !a ) {
b = verify_winver(6, 1, 0, 0, 0, VER_EQUAL, VER_EQUAL, 0, 0, 0);
a = true;
SECURITY_ATTRIBUTES sa = { sizeof sa };
HANDLE event;
if ( ConvertStringSecurityDescriptorToSecurityDescriptorW(descriptor, SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL) ) {
event = CreateEventW(&sa, manualreset, initialstate, name);
if ( event ) {
*pevent = event;
return true;
}
}
return b;
return false;
}
bool verify_win81(void)
bool inject_self_into_process(DWORD dwProcessId, HMODULE *phModule)
{
static bool a, b;
if ( !a ) {
b = verify_winver(6, 3, 0, 0, 0, VER_EQUAL, VER_EQUAL, 0, 0, 0);
a = true;
wchar_t szFilename[MAX_PATH];
DWORD nLength;
nLength = GetModuleFileNameW(PIMAGEBASE, szFilename, _countof(szFilename));
if ( nLength )
return inject_dll_into_process(dwProcessId, szFilename, nLength, phModule);
return false;
}
bool inject_dll_into_process(DWORD dwProcessId, const wchar_t *pszFilename, size_t nLength, HMODULE *phModule)
{
bool result = false;
HANDLE hProcess;
NTSTATUS Status;
LPVOID pBaseAddress;
HANDLE hThread;
HANDLE hModule = NULL;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if ( !hProcess ) return result;
Status = NtSuspendProcess(hProcess);
if ( !NT_SUCCESS(Status) ) goto L1;
pBaseAddress = VirtualAllocEx(hProcess, NULL, nLength + (sizeof *pszFilename), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if ( !pBaseAddress ) goto L2;
if ( WriteProcessMemory(hProcess, pBaseAddress, pszFilename, nLength, NULL)
&& (hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryW, pBaseAddress, 0, NULL)) ) {
WaitForSingleObject(hThread, INFINITE);
if ( sizeof(DWORD) < sizeof hModule ) {
} else {
GetExitCodeThread(hThread, (LPDWORD)&hModule);
}
if ( hModule ) {
result = true;
*phModule = hModule;
}
CloseHandle(hThread);
}
return b;
VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE);
L2: NtResumeProcess(hProcess);
L1: CloseHandle(hProcess);
return result;
}
wchar_t *find_fname(wchar_t *pPath)
const wchar_t *path_find_fname(const wchar_t *path)
{
wchar_t *pwc = wcsrchr(pPath, L'\\');
if ( pwc && *(++pwc) )
return pwc;
const wchar_t *pwc = NULL;
if ( path )
pwc = (const wchar_t *)wcsrchr(path, L'\\');
return pPath;
return (pwc && *(++pwc)) ? pwc : path;
}
bool file_exists(const wchar_t *path)
bool path_change_fname(const wchar_t *srcpath, const wchar_t *fname, wchar_t *dstpath, size_t size)
{
bool result;
wchar_t drive[_MAX_DRIVE];
wchar_t dir[_MAX_DIR];
result = !_wsplitpath_s(srcpath, drive, _countof(drive), dir, _countof(dir), NULL, 0, NULL, 0);
if ( result )
result = !_wmakepath_s(dstpath, size, drive, dir, fname, NULL);
return result;
}
bool path_file_exists(const wchar_t *path)
{
return GetFileAttributesW(path) != INVALID_FILE_ATTRIBUTES;
}
int compare_versions(
WORD wMajorA, WORD wMinorA, WORD wBuildA, WORD wRevisionA,
WORD wMajorB, WORD wMinorB, WORD wBuildB, WORD wRevisionB
)
bool path_expand_file_exists(const wchar_t *path)
{
if ( wMajorA < wMajorB ) return -1;
if ( wMajorA > wMajorB ) return 1;
if ( wMinorA < wMinorB ) return -1;
if ( wMinorA > wMinorB ) return 1;
if ( wBuildA < wBuildB ) return -1;
if ( wBuildA > wBuildB ) return 1;
if ( wRevisionA < wRevisionB ) return -1;
if ( wRevisionA > wRevisionB ) return 1;
bool result;
wchar_t *dst;
DWORD buffersize;
DWORD size;
dst = NULL;
size = 0;
do {
if ( size ) {
if ( dst )
free(dst);
dst = calloc(size, sizeof *dst);
}
buffersize = size;
size = ExpandEnvironmentStringsW(path, dst, buffersize);
} while ( buffersize < size );
result = path_file_exists(dst);
free(dst);
return result;
}
int ffi_ver_compare(VS_FIXEDFILEINFO *pffi, WORD wMajor, WORD wMinor, WORD wBuild, WORD wRev)
{
if ( HIWORD(pffi->dwProductVersionMS) < wMajor ) return -1;
if ( HIWORD(pffi->dwProductVersionMS) > wMajor ) return 1;
if ( LOWORD(pffi->dwProductVersionMS) < wMinor ) return -1;
if ( LOWORD(pffi->dwProductVersionMS) > wMinor ) return 1;
if ( HIWORD(pffi->dwProductVersionLS) < wBuild ) return -1;
if ( HIWORD(pffi->dwProductVersionLS) > wBuild ) return 1;
if ( LOWORD(pffi->dwProductVersionLS) < wRev ) return -1;
if ( LOWORD(pffi->dwProductVersionLS) > wRev ) return 1;
return 0;
}
size_t find_argv_option(const wchar_t **argv, size_t argc, const wchar_t *option)
{
size_t index = -1;
for ( size_t i = 1; i < argc; i++ ) {
if ( !_wcsicmp(argv[i], option) )
index = i;
}
if ( index == -1 )
return index;
return ++index < argc ? index : -1;
}

31
wufuc/helpers.h
View File

@@ -1,26 +1,13 @@
#pragma once
#include <stdbool.h>
bool create_exclusive_mutex(const wchar_t *name, HANDLE *pmutex);
bool create_event_with_security_descriptor(const wchar_t *descriptor, bool manualreset, bool initialstate, const wchar_t *name, HANDLE *pevent);
#include <phnt_windows.h>
bool inject_self_into_process(DWORD dwProcessId, HMODULE *phModule);
bool inject_dll_into_process(DWORD dwProcessId, const wchar_t *pszFilename, size_t nLength, HMODULE *phModule);
bool verify_winver(
DWORD dwMajorVersion,
DWORD dwMinorVersion,
DWORD dwBuildNumber,
WORD wServicePackMajor,
WORD wServicePackMinor,
BYTE MajorVersionCondition,
BYTE MinorVersionCondition,
BYTE BuildNumberCondition,
BYTE ServicePackMajorCondition,
BYTE ServicePackMinorCondition
);
bool verify_win7(void);
bool verify_win81(void);
wchar_t *find_fname(wchar_t *pPath);
bool file_exists(const wchar_t *path);
int compare_versions(
WORD wMajorA, WORD wMinorA, WORD wBuildA, WORD wRevisionA,
WORD wMajorB, WORD wMinorB, WORD wBuildB, WORD wRevisionB);
const wchar_t *path_find_fname(const wchar_t *path);
bool path_change_fname(const wchar_t *srcpath, const wchar_t *fname, wchar_t *dstpath, size_t size);
bool path_file_exists(const wchar_t *path);
bool path_expand_file_exists(const wchar_t *path);
int ffi_ver_compare(VS_FIXEDFILEINFO *pffi, WORD wMajor, WORD wMinor, WORD wBuild, WORD wRev);

178
wufuc/hooks.c
View File

@@ -1,156 +1,144 @@
#include "stdafx.h"
#include "hooks.h"
#include "appverifier.h"
#include "patchwua.h"
#include "helpers.h"
#include "tracing.h"
#include "rtl_malloc.h"
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <phnt_windows.h>
#include <phnt.h>
#include <Psapi.h>
LPFN_REGQUERYVALUEEXW g_pfnRegQueryValueExW;
LPFN_LOADLIBRARYEXW g_pfnLoadLibraryExW;
LSTATUS WINAPI RegQueryValueExW_Hook(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
LSTATUS WINAPI RegQueryValueExW_hook(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
{
LSTATUS result;
DWORD cbData;
NTSTATUS Status;
ULONG ResultLength;
PKEY_NAME_INFORMATION pkni;
size_t BufferCount;
int current;
int pos;
wchar_t *tmp;
size_t MaxCount;
size_t cbLength;
if ( (lpData && lpcbData)
&& (lpValueName && !_wcsicmp(lpValueName, L"ServiceDll")) ) {
// store original lpData buffer size
DWORD cbData = *lpcbData;
cbData = *lpcbData;
// this way the dll path is guaranteed to be null-terminated
result = RegGetValueW(hKey, NULL, lpValueName, RRF_RT_REG_EXPAND_SZ | RRF_NOEXPAND, lpType, lpData, lpcbData);
if ( result != ERROR_SUCCESS )
goto L1;
NTSTATUS Status;
ULONG ResultLength;
if ( result != ERROR_SUCCESS
|| (Status = NtQueryKey((HANDLE)hKey, KeyNameInformation, NULL, 0, &ResultLength),
Status != STATUS_BUFFER_OVERFLOW && Status != STATUS_BUFFER_TOO_SMALL) )
goto L_ret;
PKEY_NAME_INFORMATION pkni = rtl_malloc(ResultLength);
if ( NtQueryKey((HANDLE)hKey, KeyNameInformation, (PVOID)pkni, ResultLength, &ResultLength) != STATUS_SUCCESS )
goto L_free_pkni;
size_t BufferCount = pkni->NameLength / sizeof(wchar_t);
pkni = NULL;
ResultLength = 0;
do {
if ( ResultLength ) {
if ( pkni )
free(pkni);
pkni = malloc(ResultLength);
}
Status = NtQueryKey((HANDLE)hKey, KeyNameInformation, pkni, ResultLength, &ResultLength);
} while ( Status == STATUS_BUFFER_OVERFLOW || Status == STATUS_BUFFER_TOO_SMALL );
if ( !NT_SUCCESS(Status) )
goto L2;
BufferCount = pkni->NameLength / sizeof(wchar_t);
// change key name to lower-case because there is no case-insensitive version of _snwscanf_s
for ( size_t i = 0; i < BufferCount; i++ )
pkni->Name[i] = towlower(pkni->Name[i]);
int current, pos;
if ( _snwscanf_s(pkni->Name, BufferCount,
L"\\registry\\machine\\system\\controlset%03d\\services\\wuauserv\\parameters%n", &current, &pos) == 1
if ( !_wcslwr_s(pkni->Name, BufferCount) && _snwscanf_s(pkni->Name, BufferCount,
L"\\registry\\machine\\system\\controlset%03d\\services\\wuauserv\\parameters%n", &current, &pos) == 1
&& pos == BufferCount ) {
wchar_t drive[_MAX_DRIVE], dir[_MAX_DIR], fname[_MAX_FNAME], ext[_MAX_EXT];
_wsplitpath_s((wchar_t *)lpData,
drive, _countof(drive),
dir, _countof(dir),
fname, _countof(fname),
ext, _countof(ext));
const wchar_t *fname = path_find_fname((wchar_t *)lpData);
if ( !_wcsicmp(ext, L".dll")
&& (!_wcsicmp(fname, L"wuaueng2") // UpdatePack7R2
|| !_wcsicmp(fname, L"WuaCpuFix64") // WuaCpuFix
|| !_wcsicmp(fname, L"WuaCpuFix")) ) {
if ( !_wcsicmp(fname, L"wuaueng2.dll") // UpdatePack7R2
|| !_wcsicmp(fname, L"WuaCpuFix64.dll") // WuaCpuFix
|| !_wcsicmp(fname, L"WuaCpuFix.dll") ) {
wchar_t *tmp = rtl_malloc(cbData);
MaxCount = cbData / sizeof(wchar_t);
tmp = malloc(cbData);
path_change_fname((wchar_t *)lpData, L"wuaueng.dll", tmp, MaxCount);
if ( path_expand_file_exists(tmp)
&& !wcscpy_s((wchar_t *)lpData, MaxCount, tmp)
&& SUCCEEDED(StringCbLengthW((PNZWCH)lpData, cbData, &cbLength)) ) {
size_t MaxCount = cbData / sizeof(wchar_t);
_wmakepath_s(tmp, MaxCount, drive, dir, L"wuaueng", ext);
DWORD nSize = ExpandEnvironmentStringsW(tmp, NULL, 0);
wchar_t *lpDst = rtl_calloc(nSize, sizeof(wchar_t));
ExpandEnvironmentStringsW(tmp, lpDst, nSize);
rtl_free(tmp);
if ( file_exists(lpDst) ) {
_wmakepath_s((wchar_t *)lpData, MaxCount, drive, dir, L"wuaueng", ext);
*lpcbData = (DWORD)((wcslen((wchar_t *)lpData) + 1) * sizeof(wchar_t));
trace(L"Fixed wuauserv %ls path: %ls", lpValueName, lpDst);
*lpcbData = (DWORD)(cbLength + (sizeof UNICODE_NULL));
}
rtl_free(lpDst);
free(tmp);
}
}
L_free_pkni:
rtl_free(pkni);
L2: free(pkni);
} else {
// handle normally
result = (*g_plpfnRegQueryValueExW)(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);
result = g_pfnRegQueryValueExW(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);
}
L_ret:
return result;
L1: return result;
}
HMODULE WINAPI LoadLibraryExW_Hook(LPCWSTR lpFileName, HANDLE hFile, DWORD dwFlags)
HMODULE WINAPI LoadLibraryExW_hook(LPCWSTR lpFileName, HANDLE hFile, DWORD dwFlags)
{
HMODULE result = (*g_plpfnLoadLibraryExW)(lpFileName, hFile, dwFlags);
HMODULE result;
DWORD dwLen;
LPVOID pBlock;
PLANGANDCODEPAGE ptl;
UINT cb;
wchar_t lpSubBlock[38];
wchar_t *lpszInternalName;
UINT uLen;
VS_FIXEDFILEINFO *pffi;
wchar_t path[MAX_PATH];
const wchar_t *fname;
MODULEINFO modinfo;
result = g_pfnLoadLibraryExW(lpFileName, hFile, dwFlags);
if ( !result ) {
trace(L"Failed to load library: %ls (error code=%08X)", lpFileName, GetLastError());
goto L_ret;
goto L1;
}
trace(L"Loaded library: %ls", lpFileName);
DWORD dwLen = GetFileVersionInfoSizeW(lpFileName, NULL);
dwLen = GetFileVersionInfoSizeW(lpFileName, NULL);
if ( !dwLen )
goto L_ret;
LPVOID pBlock = rtl_malloc(dwLen);
goto L1;
pBlock = malloc(dwLen);
PLANGANDCODEPAGE ptl;
UINT cb;
if ( !GetFileVersionInfoW(lpFileName, 0, dwLen, pBlock)
|| !VerQueryValueW(pBlock, L"\\VarFileInfo\\Translation", (LPVOID *)&ptl, &cb) )
goto L_free_pBlock;
goto L2;
wchar_t lpSubBlock[38];
for ( size_t i = 0; i < (cb / sizeof(LANGANDCODEPAGE)); i++ ) {
swprintf_s(lpSubBlock, _countof(lpSubBlock),
L"\\StringFileInfo\\%04x%04x\\InternalName",
ptl[i].wLanguage,
L"\\StringFileInfo\\%04x%04x\\InternalName",
ptl[i].wLanguage,
ptl[i].wCodePage);
wchar_t *lpszInternalName;
UINT uLen;
if ( VerQueryValueW(pBlock, lpSubBlock, (LPVOID *)&lpszInternalName, &uLen)
&& !_wcsicmp(lpszInternalName, L"wuaueng.dll") ) {
VS_FIXEDFILEINFO *pffi;
VerQueryValueW(pBlock, L"\\", (LPVOID *)&pffi, &uLen);
WORD wMajor = HIWORD(pffi->dwProductVersionMS);
WORD wMinor = LOWORD(pffi->dwProductVersionMS);
WORD wBuild = HIWORD(pffi->dwProductVersionLS);
WORD wRevision = LOWORD(pffi->dwProductVersionLS);
wchar_t path[MAX_PATH];
GetModuleFileNameW(result, path, _countof(path));
wchar_t *fname = find_fname(path);
fname = path_find_fname(path);
if ( (verify_win7() && compare_versions(wMajor, wMinor, wBuild, wRevision, 7, 6, 7601, 23714) != -1)
|| (verify_win81() && compare_versions(wMajor, wMinor, wBuild, wRevision, 7, 9, 9600, 18621) != -1) ) {
if ( (/*verify_win7() &&*/ ffi_ver_compare(pffi, 7, 6, 7601, 23714) != -1)
|| (/*verify_win81() &&*/ ffi_ver_compare(pffi, 7, 9, 9600, 18621) != -1) ) {
trace(L"%ls version: %d.%d.%d.%d", fname, wMajor, wMinor, wBuild, wRevision);
MODULEINFO modinfo;
if ( GetModuleInformation(GetCurrentProcess(), result, &modinfo, sizeof(MODULEINFO)) ) {
if ( !patch_wua(modinfo.lpBaseOfDll, modinfo.SizeOfImage, fname) )
trace(L"Failed to patch %ls!", fname);
} else trace(L"Failed to get module information for %ls (%p) (couldn't patch)", fname, result);
} else trace(L"Unsupported %ls version: %d.%d.%d.%d (patching skipped)", fname, wMajor, wMinor, wBuild, wRevision);
}
}
break;
}
}
L_free_pBlock:
rtl_free(pBlock);
L_ret:
return result;
L2: free(pBlock);
L1: return result;
}
BOOL WINAPI IsDeviceServiceable_hook(void)
{
return TRUE;
}

10
wufuc/hooks.h
View File

@@ -8,5 +8,11 @@ typedef struct tagLANGANDCODEPAGE
WORD wCodePage;
} LANGANDCODEPAGE, *PLANGANDCODEPAGE;
LSTATUS WINAPI RegQueryValueExW_Hook(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData);
HMODULE WINAPI LoadLibraryExW_Hook(LPCWSTR lpFileName, HANDLE hFile, DWORD dwFlags);
typedef LSTATUS(WINAPI *LPFN_REGQUERYVALUEEXW)(HKEY, LPCWSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD);
typedef HMODULE(WINAPI *LPFN_LOADLIBRARYEXW)(LPCWSTR, HANDLE, DWORD);
extern LPFN_REGQUERYVALUEEXW g_pfnRegQueryValueExW;
extern LPFN_LOADLIBRARYEXW g_pfnLoadLibraryExW;
LSTATUS WINAPI RegQueryValueExW_hook(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData);
HMODULE WINAPI LoadLibraryExW_hook(LPCWSTR lpFileName, HANDLE hFile, DWORD dwFlags);

40
wufuc/patchwua.c
View File

@@ -1,14 +1,6 @@
#include "stdafx.h"
#include "patchwua.h"
#include "helpers.h"
#include "patternfind.h"
#include "tracing.h"
#include <stdint.h>
#include <stdbool.h>
#include <phnt_windows.h>
#include <phnt.h>
#ifdef _M_AMD64
static const PatchSet X64PatchSet = { "FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????", 0xA, 0x12 };
@@ -31,48 +23,48 @@ bool calculate_pointers(uintptr_t lpfn, const PatchSet *ps, LPBOOL *ppba, LPBOOL
return false;
}
bool patch_wua(void *lpBaseOfDll, size_t SizeOfImage, wchar_t *fname)
bool patch_wua(void *lpBaseOfDll, size_t SizeOfImage, const wchar_t *fname)
{
bool result = false;
const PatchSet *pps;
const PatchSet *pps = NULL;
#ifdef _M_AMD64
pps = &X64PatchSet;
#elif defined(_M_IX86)
if ( verify_win7() )
if ( 1/*verify_win7()*/ )
pps = &Win7X86PatchSet;
else if ( verify_win81() )
else if ( 1/*verify_win81()*/ )
pps = &Win81X86PatchSet;
else
goto L_ret;
else
goto L1;
#endif
unsigned char *ptr = patternfind(lpBaseOfDll, SizeOfImage, pps->Pattern);
if ( !ptr ) {
size_t offset = patternfind(lpBaseOfDll, SizeOfImage, pps->Pattern);
if ( offset == -1 ) {
trace(L"No pattern match! (couldn't patch)");
goto L_ret;
goto L1;
}
uintptr_t ptr = (uintptr_t)lpBaseOfDll + offset;
LPBOOL pba, pbb;
if ( calculate_pointers((uintptr_t)ptr, pps, &pba, &pbb) ) {
DWORD flOldProtect;
if ( *pba == TRUE ) {
if ( VirtualProtect(pba, sizeof(BOOL), PAGE_READWRITE, &flOldProtect) ) {
if ( VirtualProtect(pba, sizeof *pba, PAGE_READWRITE, &flOldProtect) ) {
*pba = FALSE;
trace(L"Patched value #1 at %ls!%p: %08X", fname, pba, *pba);
if ( !VirtualProtect(pba, sizeof(BOOL), flOldProtect, &flOldProtect) )
if ( !VirtualProtect(pba, sizeof *pba, flOldProtect, &flOldProtect) )
trace(L"Failed to restore memory region permissions at %ls!%p (error code=%08X)", fname, pba, GetLastError());
} else trace(L"Failed to change memory region permissions at %ls!%p (error code=%08X)", fname, pba, GetLastError());
}
if ( *pbb == FALSE ) {
if ( VirtualProtect(pbb, sizeof(BOOL), PAGE_READWRITE, &flOldProtect) ) {
if ( VirtualProtect(pbb, sizeof *pbb, PAGE_READWRITE, &flOldProtect) ) {
*pbb = TRUE;
trace(L"Patched value #2 at %ls!%p: %08X", fname, pbb, *pbb);
if ( !VirtualProtect(pbb, sizeof(BOOL), flOldProtect, &flOldProtect) )
if ( !VirtualProtect(pbb, sizeof *pbb, flOldProtect, &flOldProtect) )
trace(L"Failed to restore memory region permissions at %ls!%p: (error code=%08X)", fname, pbb, GetLastError());
} else trace(L"Failed to change memory region permissions at %ls!%p (error code=%08X)", fname, pbb, GetLastError());
}
result = !*pba && *pbb;
}
L_ret:
return result;
L1: return result;
}

2
wufuc/patchwua.h
View File

@@ -12,4 +12,4 @@ typedef struct tagPatchSet
} PatchSet;
bool calculate_pointers(uintptr_t lpfn, const PatchSet *ps, LPBOOL *ppba, LPBOOL *ppbb);
bool patch_wua(void *lpBaseOfDll, size_t SizeOfImage, wchar_t *fname);
bool patch_wua(void *lpBaseOfDll, size_t SizeOfImage, const wchar_t *fname);

68
wufuc/patternfind.c
View File

@@ -1,11 +1,6 @@
#include "stdafx.h"
#include "patternfind.h"
#include "rtl_malloc.h"
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
static inline bool isHex(char ch)
{
return (ch >= '0' && ch <= '9') || (ch >= 'A' && ch <= 'F') || (ch >= 'a' && ch <= 'f');
@@ -51,14 +46,14 @@ static inline size_t formathexpattern(const char *patterntext, char *formattext,
bool patterntransform(const char *patterntext, PatternByte *pattern, size_t patternsize)
{
memset(pattern, 0, patternsize * sizeof(PatternByte));
memset(pattern, 0, patternsize * (sizeof *pattern));
size_t len = formathexpattern(patterntext, NULL, 0);
if ( !len || len / 2 > patternsize )
return false;
size_t size = len + 1;
char *formattext = rtl_malloc(size);
char *formattext = malloc(size);
formathexpattern(patterntext, formattext, size);
PatternByte newByte;
@@ -76,20 +71,21 @@ bool patterntransform(const char *patterntext, PatternByte *pattern, size_t patt
pattern[k++] = newByte;
}
}
free(formattext);
return true;
}
static inline bool patternmatchbyte(unsigned char byte, const PatternByte pbyte)
static inline bool patternmatchbyte(uint8_t byte, const PatternByte pbyte)
{
int matched = 0;
unsigned char n1 = (byte >> 4) & 0xF;
uint8_t n1 = (byte >> 4) & 0xF;
if ( pbyte.nibble[0].wildcard )
matched++;
else if ( pbyte.nibble[0].data == n1 )
matched++;
unsigned char n2 = byte & 0xF;
uint8_t n2 = byte & 0xF;
if ( pbyte.nibble[1].wildcard )
matched++;
else if ( pbyte.nibble[1].data == n2 )
@@ -98,20 +94,22 @@ static inline bool patternmatchbyte(unsigned char byte, const PatternByte pbyte)
return (matched == 2);
}
unsigned char *patternfind(unsigned char *data, size_t datasize, const char *pattern)
__declspec(noinline)
size_t patternfind(uint8_t *data, size_t datasize, const char *pattern)
{
size_t searchpatternsize = formathexpattern(pattern, NULL, 0) / 2;
PatternByte *searchpattern = rtl_calloc(searchpatternsize, sizeof(PatternByte));
PatternByte *searchpattern = calloc(searchpatternsize, sizeof(PatternByte));
unsigned char *result = NULL;
size_t result = -1;
if ( patterntransform(pattern, searchpattern, searchpatternsize) )
result = patternfind3(data, datasize, searchpattern, searchpatternsize);
rtl_free(searchpattern);
result = patternfind_pbyte(data, datasize, searchpattern, searchpatternsize);
free(searchpattern);
return result;
}
unsigned char *patternfind2(unsigned char *data, size_t datasize, unsigned char *pattern, size_t patternsize)
__declspec(noinline)
size_t patternfind_bytes(uint8_t *data, size_t datasize, const uint8_t *pattern, size_t patternsize)
{
if ( patternsize > datasize )
patternsize = datasize;
@@ -119,19 +117,20 @@ unsigned char *patternfind2(unsigned char *data, size_t datasize, unsigned char
if ( data[i] == pattern[pos] ) {
pos++;
if ( pos == patternsize )
return &data[i - patternsize + 1];
return i - patternsize + 1;
} else if ( pos > 0 ) {
i -= pos;
pos = 0; //reset current pattern position
}
}
return NULL;
return -1;
}
static inline void patternwritebyte(unsigned char *byte, const PatternByte pbyte)
static inline void patternwritebyte(uint8_t *byte, const PatternByte pbyte)
{
unsigned char n1 = (*byte >> 4) & 0xF;
unsigned char n2 = *byte & 0xF;
uint8_t n1 = (*byte >> 4) & 0xF;
uint8_t n2 = *byte & 0xF;
if ( !pbyte.nibble[0].wildcard )
n1 = pbyte.nibble[0].data;
if ( !pbyte.nibble[1].wildcard )
@@ -139,41 +138,44 @@ static inline void patternwritebyte(unsigned char *byte, const PatternByte pbyte
*byte = ((n1 << 4) & 0xF0) | (n2 & 0xF);
}
void patternwrite(unsigned char *data, size_t datasize, const char *pattern)
void patternwrite(uint8_t *data, size_t datasize, const char *pattern)
{
size_t writepatternsize = formathexpattern(pattern, NULL, 0) / 2;
PatternByte *writepattern = rtl_calloc(writepatternsize, sizeof(PatternByte));
PatternByte *writepattern = calloc(writepatternsize, sizeof(PatternByte));
if ( patterntransform(pattern, writepattern, writepatternsize) ) {
DWORD OldProtect;
BOOL result = VirtualProtect(data, writepatternsize, PAGE_READWRITE, &OldProtect);
if ( writepatternsize > datasize )
writepatternsize = datasize;
for ( size_t i = 0; i < writepatternsize; i++ )
patternwritebyte(&data[i], writepattern[i]);
result = VirtualProtect(data, writepatternsize, OldProtect, &OldProtect);
}
rtl_free(writepattern);
free(writepattern);
}
bool patternsnr(unsigned char *data, size_t datasize, const char *searchpattern, const char *replacepattern)
bool patternsnr(uint8_t *data, size_t datasize, const char *searchpattern, const char *replacepattern)
{
unsigned char *found = patternfind(data, datasize, searchpattern);
if ( !found )
size_t found = patternfind(data, datasize, searchpattern);
if ( found == -1 )
return false;
patternwrite(found, datasize - (found - data), replacepattern);
patternwrite(data + found, found - datasize, replacepattern);
return true;
}
unsigned char *patternfind3(unsigned char *data, size_t datasize, const PatternByte *pattern, size_t searchpatternsize)
size_t patternfind_pbyte(uint8_t *data, size_t datasize, const PatternByte *pattern, size_t searchpatternsize)
{
for ( size_t i = 0, pos = 0; i < datasize; i++ ) { //search for the pattern
if ( patternmatchbyte(data[i], pattern[pos]) ) { //check if our pattern matches the current byte
pos++;
if ( pos == searchpatternsize ) //everything matched
return &data[i - searchpatternsize + 1];
return i - searchpatternsize + 1;
} else if ( pos > 0 ) { //fix by Computer_Angel
i -= pos;
pos = 0; //reset current pattern position
}
}
return NULL;
return -1;
}

32
wufuc/patternfind.h
View File

@@ -1,42 +1,42 @@
#pragma once
#include <stddef.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
typedef struct tagPatternByte
typedef struct
{
struct PatternNibble
{
unsigned char data;
uint8_t data;
bool wildcard;
} nibble[2];
} PatternByte;
//returns: pointer to data when found, NULL when not found
unsigned char *patternfind(
unsigned char *data, //data
//returns: offset to data when found, -1 when not found
size_t patternfind(
uint8_t *data, //data
size_t datasize, //size of data
const char *pattern //pattern to search
);
//returns: pointer to data when found, NULL when not found
unsigned char *patternfind2(
unsigned char *data, //data
//returns: offset to data when found, -1 when not found
size_t patternfind_bytes(
uint8_t *data, //data
size_t datasize, //size of data
unsigned char *pattern, //bytes to search
const uint8_t *pattern, //bytes to search
size_t patternsize //size of bytes to search
);
//returns: nothing
void patternwrite(
unsigned char *data, //data
uint8_t *data, //data
size_t datasize, //size of data
const char *pattern //pattern to write
);
//returns: true on success, false on failure
bool patternsnr(
unsigned char *data, //data
uint8_t *data, //data
size_t datasize, //size of data
const char *searchpattern, //pattern to search
const char *replacepattern //pattern to write
@@ -49,9 +49,9 @@ bool patterntransform(
size_t patternsize //size of pattern
);
//returns: pointer to data when found, NULL when not found
unsigned char *patternfind3(
unsigned char *data, //data
//returns: offset to data when found, -1 when not found
size_t patternfind_pbyte(
uint8_t *data, //data
size_t datasize, //size of data
const PatternByte *pattern, //pattern to search
size_t searchpatternsize //size of pattern to search

70
wufuc/rtl_malloc.c
View File

@@ -1,70 +0,0 @@
#include "rtl_malloc.h"
#include <phnt_windows.h>
#include <phnt.h>
void *rtl_malloc(size_t size)
{
return RtlAllocateHeap(RtlProcessHeap(), 0, size);
}
void rtl_free(void *memblock)
{
RtlFreeHeap(RtlProcessHeap(), 0, memblock);
}
void *rtl_calloc(size_t num, size_t size)
{
return RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, num * size);
}
void *rtl_realloc(void *memblock, size_t size)
{
if ( !memblock )
return rtl_malloc(size);
if ( !size ) {
rtl_free(memblock);
return NULL;
}
return RtlReAllocateHeap(RtlProcessHeap(), 0, memblock, size);
}
void *_rtl_recalloc(void *memblock, size_t num, size_t size)
{
if ( !memblock )
return rtl_calloc(num, size);
if ( !num || !size ) {
rtl_free(memblock);
return NULL;
}
return RtlReAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, memblock, num * size);
}
void *_rtl_expand(void *memblock, size_t size)
{
return RtlReAllocateHeap(RtlProcessHeap(), HEAP_REALLOC_IN_PLACE_ONLY, memblock, size);
}
size_t _rtl_msize(void *memblock)
{
return RtlSizeHeap(RtlProcessHeap(), 0, memblock);
}
int _rtl_heapchk(void)
{
if ( !RtlValidateHeap(RtlProcessHeap(), 0, NULL) )
return -1;
return 0;
}
int _rtl_heapmin(void)
{
if ( !RtlCompactHeap(RtlProcessHeap(), 0) )
return -1;
return 0;
}

21
wufuc/rtl_malloc.h
View File

@@ -1,21 +0,0 @@
#pragma once
#include <stddef.h>
void *rtl_malloc(size_t size);
void rtl_free(void *memblock);
void *rtl_calloc(size_t num, size_t size);
void *rtl_realloc(void *memblock, size_t size);
void *_rtl_recalloc(void *memblock, size_t num, size_t size);
void *_rtl_expand(void *memblock, size_t size);
size_t _rtl_msize(void *memblock);
int _rtl_heapchk(void);
int _rtl_heapmin(void);

85
wufuc/rundll32.c
View File

@@ -1,26 +1,81 @@
#include <phnt_windows.h>
#include <shellapi.h>
#include "stdafx.h"
#include "callbacks.h"
#include "helpers.h"
void CALLBACK RUNDLL32_StartW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
{
HANDLE hMutex;
HANDLE hEvent;
bool Unloading;
bool Lagging;
SC_HANDLE hSCM;
SC_HANDLE hService;
SERVICE_NOTIFYW NotifyBuffer;
if ( !create_exclusive_mutex(L"Global\\{25020063-B5A7-4227-9FDF-25CB75E8C645}", &hMutex) )
return;
if ( !create_event_with_security_descriptor(L"D:(A;;0x001F0003;;;BA)", true, false, L"Global\\wufuc_UnloadEvent", &hEvent) )
goto L1;
Unloading = false;
do {
Lagging = false;
hSCM = OpenSCManagerW(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
if ( !hSCM ) goto L2;
hService = OpenServiceW(hSCM, L"wuauserv", SERVICE_QUERY_STATUS);
if ( !hService ) goto L3;
ZeroMemory(&NotifyBuffer, sizeof NotifyBuffer);
NotifyBuffer.dwVersion = SERVICE_NOTIFY_STATUS_CHANGE;
NotifyBuffer.pfnNotifyCallback = ServiceNotifyCallback;
NotifyBuffer.pContext = (PVOID)hEvent;
while ( !Unloading && !Lagging ) {
switch ( NotifyServiceStatusChangeW(hService,
SERVICE_NOTIFY_START_PENDING | SERVICE_NOTIFY_RUNNING,
&NotifyBuffer) ) {
case ERROR_SUCCESS:
Unloading = WaitForSingleObjectEx(hEvent, INFINITE, TRUE) == WAIT_OBJECT_0;
break;
case ERROR_SERVICE_NOTIFY_CLIENT_LAGGING:
trace(L"Client lagging!");
Lagging = true;
break;
default:
Unloading = true;
break;
}
}
CloseServiceHandle(hService);
L3: CloseServiceHandle(hSCM);
} while ( Lagging );
L2: CloseHandle(hEvent);
L1: ReleaseMutex(hMutex);
CloseHandle(hMutex);
}
void CALLBACK RUNDLL32_UnloadW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
{
HANDLE event;
event = OpenEventW(EVENT_MODIFY_STATE, FALSE, L"Global\\wufuc_UnloadEvent");
if ( event ) {
SetEvent(event);
CloseHandle(event);
}
}
void CALLBACK RUNDLL32_DeleteFileW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
{
int argc;
wchar_t **argv = CommandLineToArgvW(lpszCmdLine, &argc);
LPWSTR *argv;
argv = CommandLineToArgvW(lpszCmdLine, &argc);
if ( argv ) {
if ( !DeleteFileW(argv[0])
&& GetLastError() == ERROR_ACCESS_DENIED )
if ( !DeleteFileW(argv[0]) && GetLastError() == ERROR_ACCESS_DENIED )
MoveFileExW(argv[0], NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
LocalFree((HLOCAL)argv);
}
}
void CALLBACK RUNDLL32_LegacyUnloadW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
{
HANDLE Event = OpenEventW(EVENT_MODIFY_STATE, FALSE, L"Global\\wufuc_UnloadEvent");
if ( Event ) {
SetEvent(Event);
CloseHandle(Event);
}
}

11
wufuc/rundll32.h Normal file
View File

@@ -0,0 +1,11 @@
#pragma once
#ifdef UNICODE
#define RUNDLL32_Start RUNDLL32_StartW
#define RUNDLL32_Unload RUNDLL32_UnloadW
#define RUNDLL32_DeleteFile RUNDLL32_DeleteFileW
#else
#define RUNDLL32_Start RUNDLL32_StartA
#define RUNDLL32_Unload RUNDLL32_UnloadA
#define RUNDLL32_DeleteFile RUNDLL32_DeleteFileA
#endif // !UNICODE

7
wufuc/stdafx.c Normal file
View File

@@ -0,0 +1,7 @@
// stdafx.c : source file that includes just the standard includes
// stdafx.obj will contain the pre-compiled type information
#include "stdafx.h"
// TODO: reference any additional headers you need in STDAFX.H
// and not in this file

17
wufuc/stdafx.h Normal file
View File

@@ -0,0 +1,17 @@
#pragma once
#include "targetver.h"
#include <phnt_windows.h>
#include <phnt.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <strsafe.h>
#include <shellapi.h>
#include <detours.h>
#include "tracing.h"
extern IMAGE_DOS_HEADER __ImageBase;
#define PIMAGEBASE ((HMODULE)&__ImageBase)

9
wufuc/targetver.h Normal file
View File

@@ -0,0 +1,9 @@
#pragma once
// Including SDKDDKVer.h defines the highest available Windows platform.
// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
#define _WIN32_WINNT _WIN32_WINNT_WIN7
#include <SDKDDKVer.h>

55
wufuc/tracing.c
View File

@@ -1,63 +1,14 @@
#include "stdafx.h"
#include "tracing.h"
#include "helpers.h"
#include "rtl_malloc.h"
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <phnt_windows.h>
#include <phnt.h>
void trace_sysinfo(void)
{
RTL_OSVERSIONINFOW osvi = { 0 };
osvi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
NTSTATUS status = RtlGetVersion(&osvi);
if ( NT_SUCCESS(status) ) {
trace(L"Windows version: %d.%d.%d (%Iu-bit)",
osvi.dwMajorVersion,
osvi.dwMinorVersion,
osvi.dwBuildNumber,
sizeof(uintptr_t) * 8);
} else trace(L"Failed to get Windows version (status=%08X)", status);
int CPUInfo[4];
__cpuidex(CPUInfo, 0x80000000, 0);
if ( CPUInfo[0] < 0x80000004 ) {
trace(L"This processor does not support the brand identification feature.");
return;
}
char brand[0x31];
uint32_t *u32ptr = (uint32_t *)&brand;
for ( int func = 0x80000002; func <= 0x80000004; func++ ) {
__cpuidex(CPUInfo, func, 0);
for ( int i = 0; i < 4; i++ )
*(u32ptr++) = CPUInfo[i];
}
size_t c = 0;
do {
if ( !isspace(brand[c]) )
break;
c++;
} while ( c < _countof(brand) );
trace(L"Processor: %hs", &brand[c]);
}
void trace_(const wchar_t *const format, ...)
{
static int shown_sysinfo = 0;
if ( !shown_sysinfo ) {
shown_sysinfo = 1;
trace_sysinfo();
}
va_list argptr;
va_start(argptr, format);
int count = _vscwprintf(format, argptr) + 1;
wchar_t *buffer = rtl_calloc(count, sizeof(wchar_t));
wchar_t *buffer = calloc(count, sizeof(wchar_t));
vswprintf_s(buffer, count, format, argptr);
va_end(argptr);
OutputDebugStringW(buffer);
rtl_free(buffer);
free(buffer);
}

4
wufuc/wufuc.rch
View File

@@ -2,10 +2,10 @@
#define WUFUC_RCH_INCLUDED
#pragma once
#ifndef BUILD_COMMIT_VERSION
#define BUILD_COMMIT_VERSION 0.8.0.0
#define BUILD_COMMIT_VERSION 1.0.0.0
#endif
#ifndef BUILD_VERSION_COMMA
#define BUILD_VERSION_COMMA 0,8,0,0
#define BUILD_VERSION_COMMA 1,0,0,0
#endif
#define STRINGIZE_(x) #x
#define STRINGIZE(x) STRINGIZE_(x)

105
wufuc/wufuc.vcxproj
View File

@@ -19,11 +19,11 @@
</ProjectConfiguration>
</ItemGroup>
<ItemGroup>
<ClInclude Include="appverifier.h" />
<ClInclude Include="callbacks.h" />
<ClInclude Include="helpers.h" />
<ClInclude Include="hooks.h" />
<ClInclude Include="rtl_malloc.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
<ClInclude Include="helpers.h" />
<ClInclude Include="tracing.h" />
<ClInclude Include="patchwua.h" />
<ClInclude Include="patternfind.h" />
@@ -31,9 +31,14 @@
<ItemGroup>
<ClCompile Include="callbacks.c" />
<ClCompile Include="dllmain.c" />
<ClCompile Include="helpers.c" />
<ClCompile Include="hooks.c" />
<ClCompile Include="rtl_malloc.c" />
<ClCompile Include="stdafx.c">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
</ClCompile>
<ClCompile Include="helpers.c" />
<ClCompile Include="rundll32.c" />
<ClCompile Include="tracing.c" />
<ClCompile Include="patchwua.c" />
@@ -53,7 +58,7 @@
<ProjectGuid>{00F96695-CE41-4C2F-A344-6219DFB4F887}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>wufuc</RootNamespace>
<WindowsTargetPlatformVersion>10.0.15063.0</WindowsTargetPlatformVersion>
<WindowsTargetPlatformVersion>10.0.16299.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
@@ -106,7 +111,8 @@
<IntDir>$(ProjectDir)$(BaseIntermediateOutputPath)$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName)$(PlatformArchitecture)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IncludePath>$(SolutionDir)phnt\include;$(IncludePath)</IncludePath>
<IncludePath>$(SolutionDir)inc\phnt;$(SolutionDir)inc\detours;$(IncludePath)</IncludePath>
<LibraryPath>$(SolutionDir)lib\detours;$(LibraryPath)</LibraryPath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
@@ -114,7 +120,8 @@
<IntDir>$(ProjectDir)$(BaseIntermediateOutputPath)$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName)$(PlatformArchitecture)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IncludePath>$(SolutionDir)phnt\include;$(IncludePath)</IncludePath>
<IncludePath>$(SolutionDir)inc\phnt;$(SolutionDir)inc\detours;$(IncludePath)</IncludePath>
<LibraryPath>$(SolutionDir)lib\detours;$(LibraryPath)</LibraryPath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
@@ -122,7 +129,8 @@
<IntDir>$(ProjectDir)$(BaseIntermediateOutputPath)$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName)$(PlatformArchitecture)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IncludePath>$(SolutionDir)phnt\include;$(IncludePath)</IncludePath>
<IncludePath>$(SolutionDir)inc\phnt;$(SolutionDir)inc\detours;$(IncludePath)</IncludePath>
<LibraryPath>$(SolutionDir)lib\detours;$(LibraryPath)</LibraryPath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
@@ -130,26 +138,27 @@
<IntDir>$(ProjectDir)$(BaseIntermediateOutputPath)$(Configuration)\$(PlatformShortName)\</IntDir>
<TargetName>$(ProjectName)$(PlatformArchitecture)</TargetName>
<GenerateManifest>false</GenerateManifest>
<IncludePath>$(SolutionDir)phnt\include;$(IncludePath)</IncludePath>
<IncludePath>$(SolutionDir)inc\phnt;$(SolutionDir)inc\detours;$(IncludePath)</IncludePath>
<LibraryPath>$(SolutionDir)lib\detours;$(LibraryPath)</LibraryPath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WUFUC_EXPORTS;_NO_CRT_STDIO_INLINE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;_DEBUG;WUFUC_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<CompileAs>CompileAsC</CompileAs>
<BufferSecurityCheck>false</BufferSecurityCheck>
<SDLCheck>true</SDLCheck>
<PrecompiledHeader>Use</PrecompiledHeader>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
<EntryPointSymbol>DllMain</EntryPointSymbol>
<AdditionalDependencies>ntdll.lib;ntdllp.lib;version.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>
</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
<EntryPointSymbol>
</EntryPointSymbol>
<AdditionalDependencies>ntdll.lib;version.lib;detours.X86.MTd.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PreBuildEvent />
<ResourceCompile>
<PreprocessorDefinitions>X86;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
@@ -158,20 +167,20 @@
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_DEBUG;_WINDOWS;_USRDLL;WUFUC_EXPORTS;_NO_CRT_STDIO_INLINE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>_DEBUG;WUFUC_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<CompileAs>CompileAsC</CompileAs>
<BufferSecurityCheck>false</BufferSecurityCheck>
<SDLCheck>true</SDLCheck>
<PrecompiledHeader>Use</PrecompiledHeader>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<AdditionalDependencies>ntdll.lib;ntdllp.lib;version.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
<EntryPointSymbol>DllMain</EntryPointSymbol>
<AdditionalLibraryDirectories>
</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
<EntryPointSymbol>
</EntryPointSymbol>
<AdditionalDependencies>ntdll.lib;version.lib;detours.X64.MTd.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PreBuildEvent />
<ResourceCompile>
<PreprocessorDefinitions>X64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
@@ -182,10 +191,12 @@
<Optimization>Full</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WUFUC_EXPORTS;_NO_CRT_STDIO_INLINE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>WIN32;NDEBUG;WUFUC_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<CompileAs>CompileAsC</CompileAs>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<BufferSecurityCheck>false</BufferSecurityCheck>
<SDLCheck>true</SDLCheck>
<PrecompiledHeader>Use</PrecompiledHeader>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<DebugInformationFormat>None</DebugInformationFormat>
</ClCompile>
<ResourceCompile Condition="'$(APPVEYOR)'=='True'">
<PreprocessorDefinitions>BUILD_COMMIT_VERSION=$(BUILD_COMMIT_VERSION);BUILD_VERSION_COMMA=$(BUILD_VERSION_COMMA);$(PreprocessorDefinitions)</PreprocessorDefinitions>
@@ -196,17 +207,11 @@
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
<EntryPointSymbol>DllMain</EntryPointSymbol>
<AdditionalDependencies>ntdll.lib;ntdllp.lib;version.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>
</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
<EntryPointSymbol>
</EntryPointSymbol>
<AdditionalDependencies>ntdll.lib;version.lib;detours.X86.MT.lib;%(AdditionalDependencies)</AdditionalDependencies>
<SetChecksum>true</SetChecksum>
</Link>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
<PreBuildEvent />
<ResourceCompile>
<PreprocessorDefinitions>X86;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>
@@ -214,13 +219,15 @@
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Full</Optimization>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;_WINDOWS;_USRDLL;WUFUC_EXPORTS;_NO_CRT_STDIO_INLINE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>NDEBUG;WUFUC_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<CompileAs>CompileAsC</CompileAs>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<BufferSecurityCheck>false</BufferSecurityCheck>
<PrecompiledHeader>Use</PrecompiledHeader>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<DebugInformationFormat>None</DebugInformationFormat>
</ClCompile>
<ResourceCompile Condition="'$(APPVEYOR)'=='True'">
<PreprocessorDefinitions>BUILD_COMMIT_VERSION=$(BUILD_COMMIT_VERSION);BUILD_VERSION_COMMA=$(BUILD_VERSION_COMMA);$(PreprocessorDefinitions)</PreprocessorDefinitions>
@@ -230,18 +237,10 @@
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>false</GenerateDebugInformation>
<AdditionalDependencies>ntdll.lib;ntdllp.lib;version.lib;%(AdditionalDependencies)</AdditionalDependencies>
<ModuleDefinitionFile>exports.def</ModuleDefinitionFile>
<EntryPointSymbol>DllMain</EntryPointSymbol>
<AdditionalLibraryDirectories>
</AdditionalLibraryDirectories>
<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
<AdditionalDependencies>ntdll.lib;version.lib;detours.X64.MT.lib;%(AdditionalDependencies)</AdditionalDependencies>
<SetChecksum>true</SetChecksum>
</Link>
<PostBuildEvent>
<Command>
</Command>
</PostBuildEvent>
<PreBuildEvent />
<ResourceCompile>
<PreprocessorDefinitions>X64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ResourceCompile>

20
wufuc/wufuc.vcxproj.filters
View File

@@ -24,19 +24,19 @@
<ClInclude Include="callbacks.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="helpers.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="hooks.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="tracing.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="appverifier.h">
<ClInclude Include="targetver.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="rtl_malloc.h">
<ClInclude Include="stdafx.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="helpers.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
@@ -53,19 +53,19 @@
<ClCompile Include="dllmain.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="helpers.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="hooks.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="tracing.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="rtl_malloc.c">
<ClCompile Include="rundll32.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="rundll32.c">
<ClCompile Include="stdafx.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="helpers.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>

4
wufuc_setup/wufuc_setup.aip
View File

@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<DOCUMENT Type="Advanced Installer" CreateVersion="14.3" version="14.3" Modules="enterprise" RootPath="." Language="en" Id="{C0F6BB2D-9CA9-48FA-A0A3-1ED9F2CBB431}">
<DOCUMENT Type="Advanced Installer" CreateVersion="14.3" version="14.4" Modules="enterprise" RootPath="." Language="en" Id="{C0F6BB2D-9CA9-48FA-A0A3-1ED9F2CBB431}">
<COMPONENT cid="caphyon.advinst.msicomp.ProjectOptionsComponent">
<ROW Name="HiddenItems" Value="AutorunComponent;MultipleInstancesComponent;AppXProductDetailsComponent;AppXDependenciesComponent;AppXAppDetailsComponent;AppXVisualAssetsComponent;AppXCapabilitiesComponent;AppXAppDeclarationsComponent;AppXUriRulesComponent;MsiJavaComponent;AnalyticsComponent;ActSyncAppComponent;UserAccountsComponent;MsiClassComponent;WebApplicationsComponent;MsiOdbcDataSrcComponent;SqlConnectionComponent;SharePointSlnComponent;SilverlightSlnComponent"/>
</COMPONENT>
@@ -8,7 +8,7 @@
<ROW Property="AI_ThemeStyle" Value="default" MultiBuildValue="X64Build:classic#X86Build:classic" MsiKey="AI_ThemeStyle"/>
<ROW Property="ALLUSERS" Value="1"/>
<ROW Property="ARPCOMMENTS" Value="Enables Windows Update on PCs with unsupported processors." ValueLocId="*"/>
<ROW Property="ARPHELPLINK" Value="https://github.com/zeffy/wufuc/issues"/>
<ROW Property="ARPHELPLINK" Value="https://github.com/zeffy/wufuc/issues "/>
<ROW Property="ARPNOMODIFY" MultiBuildValue="X64Build:1#X86Build:1"/>
<ROW Property="ARPPRODUCTICON" Value="msiexec.exe" Type="8"/>
<ROW Property="ARPURLINFOABOUT" Value="https://github.com/zeffy/wufuc"/>

3
wufuc_setup/wufuc_setup.aiproj
View File

@@ -22,5 +22,6 @@
<SubType>Code</SubType>
</Compile>
</ItemGroup>
<Import Project="$(MSBuildExtensionsPath32)\Caphyon\Advanced Installer\AdvInstExtTasks.Targets" />
<Import Project="$(AdvancedInstallerMSBuildTargets)\AdvInstExtTasks.Targets" Condition="'$(AdvancedInstallerMSBuildTargets)' != ''" />
<Import Project="$(MSBuildExtensionsPath32)\Caphyon\Advanced Installer\AdvInstExtTasks.Targets" Condition="'$(AdvancedInstallerMSBuildTargets)' == ''" />
</Project>