some fixes/readability improvements

zeffy
2018-03-02 16:56:11 -08:00
parent a5f8670ffe
commit e8cf90ef63
3 changed files with 63 additions and 58 deletions


@@ -37,10 +37,10 @@ bool mod_inject_and_begin_thread(
cbParam,
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE);
if ( !pBaseAddress ) goto resume;
if ( !pBaseAddress ) goto resume_process;
if ( !WriteProcessMemory(hProcess, pBaseAddress, pParam, cbParam, &cb) )
goto vfree;
goto virt_free;
}
if ( mod_inject_by_hmodule(hProcess, hModule, &hRemoteModule) ) {
hThread = CreateRemoteThread(hProcess,
@@ -56,10 +56,11 @@ bool mod_inject_and_begin_thread(
result = true;
}
}
vfree:
virt_free:
if ( !result && pBaseAddress )
VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE);
resume: NtResumeProcess(hProcess);
resume_process:
NtResumeProcess(hProcess);
return result;
}
@@ -98,7 +99,7 @@ bool mod_inject(
dwProcessId = GetProcessId(hProcess);
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if ( !hSnapshot ) goto resume;
if ( !hSnapshot ) goto resume_process;
*phRemoteModule = mod_get_from_th32_snapshot(hSnapshot,
pLibFilename);
@@ -106,7 +107,7 @@ bool mod_inject(
CloseHandle(hSnapshot);
// already injected... still sets *phRemoteModule
if ( *phRemoteModule ) goto resume;
if ( *phRemoteModule ) goto resume_process;
nSize = (cchLibFilename + 1) * sizeof *pLibFilename;
pBaseAddress = VirtualAllocEx(hProcess,
@@ -115,10 +116,10 @@ bool mod_inject(
MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE);
if ( !pBaseAddress ) goto resume;
if ( !pBaseAddress ) goto resume_process;
if ( !WriteProcessMemory(hProcess, pBaseAddress, pLibFilename, nSize, NULL) )
goto vfree;
goto virt_free;
hThread = CreateRemoteThread(hProcess,
NULL,
@@ -127,7 +128,7 @@ bool mod_inject(
pBaseAddress,
0,
NULL);
if ( !hThread ) goto vfree;
if ( !hThread ) goto virt_free;
WaitForSingleObject(hThread, INFINITE);
@@ -145,7 +146,9 @@ bool mod_inject(
result = GetExitCodeThread(hThread, (LPDWORD)phRemoteModule) != FALSE;
}
CloseHandle(hThread);
vfree: VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE);
resume: NtResumeProcess(hProcess);
virt_free:
VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE);
resume_process:
NtResumeProcess(hProcess);
return result;
}
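Review bot: The renamed check `if ( !hSnapshot ) goto resume_process;` in mod_inject cannot detect a failed snapshot, because CreateToolhelp32Snapshot reports failure as INVALID_HANDLE_VALUE, not NULL; it should read `if ( hSnapshot == INVALID_HANDLE_VALUE ) goto resume_process;`. As written, a failed call passes the invalid handle on to mod_get_from_th32_snapshot and CloseHandle as if it were usable. In the same function the result of `WaitForSingleObject(hThread, INFINITE)` is not checked, so a remote thread that never returns blocks the caller indefinitely; a bounded timeout with the return value tested would make the failure visible. Only parts of mod_inject and mod_inject_and_begin_thread are shown in these hunks.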


@@ -41,7 +41,7 @@ void CALLBACK RUNDLL32_StartW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, in
}
ZeroMemory(&NotifyBuffer, sizeof NotifyBuffer);
NotifyBuffer.dwVersion = SERVICE_NOTIFY_STATUS_CHANGE;
NotifyBuffer.pfnNotifyCallback = cb_service_notify;
NotifyBuffer.pfnNotifyCallback = (PFN_SC_NOTIFY_CALLBACK)cb_service_notify;
NotifyBuffer.pContext = (PVOID)&ctx;
while ( !Unloading && !Lagging ) {
switch ( NotifyServiceStatusChangeW(hService,
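Review bot: The added `(PFN_SC_NOTIFY_CALLBACK)` cast on `cb_service_notify` silences the compiler's type check instead of removing the mismatch it was reporting. The declaration of cb_service_notify is outside the hunk, but if its parameter list or calling convention differs from `VOID CALLBACK fn(PVOID pParameter)`, the call made through the cast pointer is undefined behaviour and on x86 can leave the stack unbalanced. Prefer declaring the callback with exactly that signature and assigning it without a cast, `NotifyBuffer.pfnNotifyCallback = cb_service_notify;`, so a future signature drift is caught at compile time. RUNDLL32_StartW continues outside the hunk.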


@@ -74,52 +74,54 @@ bool wufuc_hook(HMODULE hModule)
}
// identify wuaueng.dll by its resource data
if ( !_wcsicmp(pInternalName, L"wuaueng.dll") ) {
pffi = ver_get_version_info_from_hmodule_alloc(hModule, L"\\", &cbffi);
if ( !pffi ) {
trace(L"Failed to allocate version information from hmodule.");
break;
}
trace(L"Windows Update Agent version: %hu.%hu.%hu.%hu"),
HIWORD(pffi->dwProductVersionMS),
LOWORD(pffi->dwProductVersionMS),
HIWORD(pffi->dwProductVersionLS),
LOWORD(pffi->dwProductVersionLS);
// assure wuaueng.dll is at least the minimum supported version
tmp = ((ver_verify_windows_7_sp1() && ver_compare_product_version(pffi, 7, 6, 7601, 23714) != -1)
|| (ver_verify_windows_8_1() && ver_compare_product_version(pffi, 7, 9, 9600, 18621) != -1));
free(pffi);
if ( !tmp ) {
trace(L"Windows Update Agent does not meet the minimum supported version.");
break;
}
if ( !GetModuleInformation(hProcess, hModule, &modinfo, sizeof modinfo) ) {
trace(L"Failed to get module information (%p)", hModule);
break;
}
offset = patternfind(modinfo.lpBaseOfDll, modinfo.SizeOfImage,
#ifdef _WIN64
"FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????"
#else
ver_verify_windows_7_sp1()
? "833D????????00 743E E8???????? A3????????"
: "8BFF 51 833D????????00 7507 A1????????"
#endif
);
if ( offset == -1 ) {
trace(L"Could not locate pattern offset!");
break;
} else {
result = MH_CreateHook((PVOID)((uint8_t *)modinfo.lpBaseOfDll + offset),
IsDeviceServiceable_hook,
NULL) == MH_OK;
}
break;
} else trace(L"Module internal name does not match. (%ls)", pInternalName);
free(pInternalName);
if ( _wcsicmp(pInternalName, L"wuaueng.dll") ) {
trace(L"Module internal name does not match. (%ls)", pInternalName);
goto free_iname;
}
pffi = ver_get_version_info_from_hmodule_alloc(hModule, L"\\", &cbffi);
if ( !pffi ) {
trace(L"Failed to allocate version information from hmodule.");
break;
}
trace(L"Windows Update Agent version: %hu.%hu.%hu.%hu"),
HIWORD(pffi->dwProductVersionMS),
LOWORD(pffi->dwProductVersionMS),
HIWORD(pffi->dwProductVersionLS),
LOWORD(pffi->dwProductVersionLS);
// assure wuaueng.dll is at least the minimum supported version
tmp = ((ver_verify_windows_7_sp1() && ver_compare_product_version(pffi, 7, 6, 7601, 23714) != -1)
|| (ver_verify_windows_8_1() && ver_compare_product_version(pffi, 7, 9, 9600, 18621) != -1));
free(pffi);
if ( !tmp ) {
trace(L"Windows Update Agent does not meet the minimum supported version.");
break;
}
if ( !GetModuleInformation(hProcess, hModule, &modinfo, sizeof modinfo) ) {
trace(L"Failed to get module information (%p)", hModule);
break;
}
offset = patternfind(modinfo.lpBaseOfDll, modinfo.SizeOfImage,
#ifdef _WIN64
"FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????"
#else
ver_verify_windows_7_sp1()
? "833D????????00 743E E8???????? A3????????"
: "8BFF 51 833D????????00 7507 A1????????"
#endif
);
if ( offset != -1 ) {
result = MH_CreateHook(
RtlOffsetToPointer(modinfo.lpBaseOfDll, offset),
IsDeviceServiceable_hook,
NULL) == MH_OK;
} else {
trace(L"Could not locate pattern offset!");
}
free_iname:
free(pInternalName);
break;
}
free(ptl);
return result;
}
}
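Review bot: The version `trace(...)` call on the new side still closes its parenthesis right after the format string, so the four `HIWORD`/`LOWORD` expressions are comma-operator operands that are evaluated and discarded. Assuming trace is printf-style, the four `%hu` conversions are then formatted with no matching arguments, which is undefined behaviour and logs garbage. Move the parenthesis to the end: `trace(L"Windows Update Agent version: %hu.%hu.%hu.%hu",` … `LOWORD(pffi->dwProductVersionLS));`. The three early `break;` statements (failed version info, unsupported version, failed GetModuleInformation) also skip the new `free_iname:` label and leak pInternalName, so each should be `goto free_iname;`. wufuc_hook begins outside the hunk.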