diff --git a/src/wufuc/modulehelper.c b/src/wufuc/modulehelper.c
index 7c5f901..829b7bd 100644
--- a/src/wufuc/modulehelper.c
+++ b/src/wufuc/modulehelper.c
@@ -37,10 +37,10 @@ bool mod_inject_and_begin_thread(
 cbParam, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
- if ( !pBaseAddress ) goto resume;
+ if ( !pBaseAddress ) goto resume_process;
 if ( !WriteProcessMemory(hProcess, pBaseAddress, pParam, cbParam, &cb) )
- goto vfree;
+ goto virt_free;
 }
 if ( mod_inject_by_hmodule(hProcess, hModule, &hRemoteModule) ) {
 hThread = CreateRemoteThread(hProcess,
@@ -56,10 +56,11 @@ bool mod_inject_and_begin_thread(
 result = true;
 }
 }
-vfree:
+virt_free:
 if ( !result && pBaseAddress ) VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE);
-resume: NtResumeProcess(hProcess);
+resume_process:
+ NtResumeProcess(hProcess);
 return result;
 }
@@ -98,7 +99,7 @@ bool mod_inject(
 dwProcessId = GetProcessId(hProcess);
 hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
- if ( !hSnapshot ) goto resume;
+ if ( !hSnapshot ) goto resume_process;
 *phRemoteModule = mod_get_from_th32_snapshot(hSnapshot, pLibFilename);
@@ -106,7 +107,7 @@ bool mod_inject(
 CloseHandle(hSnapshot);
 // already injected... still sets *phRemoteModule
- if ( *phRemoteModule ) goto resume;
+ if ( *phRemoteModule ) goto resume_process;
 nSize = (cchLibFilename + 1) * sizeof *pLibFilename;
 pBaseAddress = VirtualAllocEx(hProcess,
@@ -115,10 +116,10 @@ bool mod_inject(
 MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
- if ( !pBaseAddress ) goto resume;
+ if ( !pBaseAddress ) goto resume_process;
 if ( !WriteProcessMemory(hProcess, pBaseAddress, pLibFilename, nSize, NULL) )
- goto vfree;
+ goto virt_free;
 hThread = CreateRemoteThread(hProcess,
 NULL,
@@ -127,7 +128,7 @@ bool mod_inject(
 pBaseAddress, 0, NULL);
- if ( !hThread ) goto vfree;
+ if ( !hThread ) goto virt_free;
 WaitForSingleObject(hThread, INFINITE);
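Review bot: `if ( !hSnapshot ) goto resume_process;` in the `@@ -98,7 +99,7 @@` hunk tests the wrong failure value: CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE, not NULL, when it fails, so the guard never fires and the invalid handle is handed to mod_get_from_th32_snapshot and later to CloseHandle. The line should read `if ( hSnapshot == INVALID_HANDLE_VALUE ) goto resume_process;`. Since the commit already rewrites this line for the label rename, it is the natural place to correct the check. mod_inject's body continues outside the hunk.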
@@ -145,7 +146,9 @@ bool mod_inject(
 result = GetExitCodeThread(hThread, (LPDWORD)phRemoteModule) != FALSE;
 }
 CloseHandle(hThread);
-vfree: VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE);
-resume: NtResumeProcess(hProcess);
+virt_free:
+ VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE);
+resume_process:
+ NtResumeProcess(hProcess);
 return result;
 }
diff --git a/src/wufuc/rundll32.c b/src/wufuc/rundll32.c
index 4f22df2..f180bf8 100644
--- a/src/wufuc/rundll32.c
+++ b/src/wufuc/rundll32.c
@@ -41,7 +41,7 @@ void CALLBACK RUNDLL32_StartW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, in
 }
 ZeroMemory(&NotifyBuffer, sizeof NotifyBuffer);
 NotifyBuffer.dwVersion = SERVICE_NOTIFY_STATUS_CHANGE;
- NotifyBuffer.pfnNotifyCallback = cb_service_notify;
+ NotifyBuffer.pfnNotifyCallback = (PFN_SC_NOTIFY_CALLBACK)cb_service_notify;
 NotifyBuffer.pContext = (PVOID)&ctx;
 while ( !Unloading && !Lagging ) {
 switch ( NotifyServiceStatusChangeW(hService,
diff --git a/src/wufuc/wufuc.c b/src/wufuc/wufuc.c
index b3ecfda..d720085 100644
--- a/src/wufuc/wufuc.c
+++ b/src/wufuc/wufuc.c
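Review bot: `result = GetExitCodeThread(hThread, (LPDWORD)phRemoteModule) != FALSE;` writes a 32-bit exit code through a pointer-sized `HMODULE *`, so on a 64-bit build only the low half of `*phRemoteModule` is assigned and the value handed back to callers is the remote thread's DWORD exit code rather than a full module handle; the `#ifdef _WIN64` branch in the wufuc.c hunk suggests such builds exist. This hunk is otherwise a label rename, but it is the epilogue that returns this value. Reading into a local first makes the truncation explicit: `DWORD dwExitCode = 0; result = GetExitCodeThread(hThread, &dwExitCode) != FALSE; *phRemoteModule = (HMODULE)(ULONG_PTR)dwExitCode;`, with a comment that the handle is only meaningful when the remote module address fits in 32 bits. mod_inject's body begins before the hunk.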
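Review bot: The `(PFN_SC_NOTIFY_CALLBACK)` cast on the `pfnNotifyCallback` assignment suppresses the type mismatch that the uncast assignment presumably warned about rather than removing it. If `cb_service_notify` is not declared exactly as `VOID CALLBACK cb_service_notify(PVOID pParameter)`, the service control manager will call it through an incompatible prototype and the cast now hides that from the compiler; if it is declared that way, the cast is unnecessary. Prefer aligning the callback's declaration with PFN_SC_NOTIFY_CALLBACK (outside this hunk) and dropping the cast, or add a comment stating why it is required, e.g. `// cast required: cb_service_notify is declared as <reason>`. RUNDLL32_StartW's body continues outside the hunk.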
@@ -74,52 +74,54 @@ bool wufuc_hook(HMODULE hModule)
 }
 // identify wuaueng.dll by its resource data
- if ( !_wcsicmp(pInternalName, L"wuaueng.dll") ) {
- pffi = ver_get_version_info_from_hmodule_alloc(hModule, L"\\", &cbffi);
- if ( !pffi ) {
- trace(L"Failed to allocate version information from hmodule.");
- break;
- }
- trace(L"Windows Update Agent version: %hu.%hu.%hu.%hu"),
- HIWORD(pffi->dwProductVersionMS),
- LOWORD(pffi->dwProductVersionMS),
- HIWORD(pffi->dwProductVersionLS),
- LOWORD(pffi->dwProductVersionLS);
-
- // assure wuaueng.dll is at least the minimum supported version
- tmp = ((ver_verify_windows_7_sp1() && ver_compare_product_version(pffi, 7, 6, 7601, 23714) != -1)
- || (ver_verify_windows_8_1() && ver_compare_product_version(pffi, 7, 9, 9600, 18621) != -1));
- free(pffi);
- if ( !tmp ) {
- trace(L"Windows Update Agent does not meet the minimum supported version.");
- break;
- }
- if ( !GetModuleInformation(hProcess, hModule, &modinfo, sizeof modinfo) ) {
- trace(L"Failed to get module information (%p)", hModule);
- break;
- }
- offset = patternfind(modinfo.lpBaseOfDll, modinfo.SizeOfImage,
-#ifdef _WIN64
- "FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????"
-#else
- ver_verify_windows_7_sp1()
- ? "833D????????00 743E E8???????? A3????????"
- : "8BFF 51 833D????????00 7507 A1????????"
-#endif
- );
-
- if ( offset == -1 ) {
- trace(L"Could not locate pattern offset!");
- break;
- } else {
- result = MH_CreateHook((PVOID)((uint8_t *)modinfo.lpBaseOfDll + offset),
- IsDeviceServiceable_hook,
- NULL) == MH_OK;
- }
- break;
- } else trace(L"Module internal name does not match. (%ls)", pInternalName);
- free(pInternalName);
+ if ( _wcsicmp(pInternalName, L"wuaueng.dll") ) {
+ trace(L"Module internal name does not match. (%ls)", pInternalName);
+ goto free_iname;
 }
+ pffi = ver_get_version_info_from_hmodule_alloc(hModule, L"\\", &cbffi);
+ if ( !pffi ) {
+ trace(L"Failed to allocate version information from hmodule.");
+ break;
+ }
+ trace(L"Windows Update Agent version: %hu.%hu.%hu.%hu"),
+ HIWORD(pffi->dwProductVersionMS),
+ LOWORD(pffi->dwProductVersionMS),
+ HIWORD(pffi->dwProductVersionLS),
+ LOWORD(pffi->dwProductVersionLS);
+
+ // assure wuaueng.dll is at least the minimum supported version
+ tmp = ((ver_verify_windows_7_sp1() && ver_compare_product_version(pffi, 7, 6, 7601, 23714) != -1)
+ || (ver_verify_windows_8_1() && ver_compare_product_version(pffi, 7, 9, 9600, 18621) != -1));
+ free(pffi);
+ if ( !tmp ) {
+ trace(L"Windows Update Agent does not meet the minimum supported version.");
+ break;
+ }
+ if ( !GetModuleInformation(hProcess, hModule, &modinfo, sizeof modinfo) ) {
+ trace(L"Failed to get module information (%p)", hModule);
+ break;
+ }
+ offset = patternfind(modinfo.lpBaseOfDll, modinfo.SizeOfImage,
+#ifdef _WIN64
+ "FFF3 4883EC?? 33DB 391D???????? 7508 8B05????????"
+#else
+ ver_verify_windows_7_sp1()
+ ? "833D????????00 743E E8???????? A3????????"
+ : "8BFF 51 833D????????00 7507 A1????????"
+#endif
+ );
+ if ( offset != -1 ) {
+ result = MH_CreateHook(
+ RtlOffsetToPointer(modinfo.lpBaseOfDll, offset),
+ IsDeviceServiceable_hook,
+ NULL) == MH_OK;
+ } else {
+ trace(L"Could not locate pattern offset!");
+ }
+free_iname:
+ free(pInternalName);
+ break;
+ }
 free(ptl);
 return result;
- }
+}
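Review bot: The early `break;` statements in the new code (after the `!pffi`, `!tmp` and `!GetModuleInformation` traces) still leave the enclosing block without reaching `free_iname:`, so `pInternalName` leaks on every error path even though the commit introduces that label for exactly this cleanup; each of those three `break;` should read `goto free_iname;`, which frees and then breaks. The statement `trace(L"Windows Update Agent version: %hu.%hu.%hu.%hu"), HIWORD(pffi->dwProductVersionMS), ...;` is carried over with its closing parenthesis directly after the format string, so trace receives four conversions and no arguments while the HIWORD/LOWORD values are evaluated by the comma operator and discarded; the `)` belongs after the last `LOWORD(pffi->dwProductVersionLS)` (unless `trace` is a macro with an unusual expansion). Note also that the non-matching-name path previously freed `pInternalName` and fell through to the end of the enclosing block, whereas `goto free_iname` now ends in `break;`; if that block, which starts outside the hunk, iterates over the translation entries in `ptl`, the first non-matching entry now stops the search, which may or may not be intended. wufuc_hook's enclosing block begins before the hunk.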