some fixes/readability improvements

This commit is contained in:
zeffy
2018-03-02 16:56:11 -08:00
parent a5f8670ffe
commit e8cf90ef63
3 changed files with 63 additions and 58 deletions


@@ -37,10 +37,10 @@ bool mod_inject_and_begin_thread(
cbParam, cbParam,
MEM_RESERVE | MEM_COMMIT, MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE); PAGE_READWRITE);
if ( !pBaseAddress ) goto resume; if ( !pBaseAddress ) goto resume_process;
if ( !WriteProcessMemory(hProcess, pBaseAddress, pParam, cbParam, &cb) ) if ( !WriteProcessMemory(hProcess, pBaseAddress, pParam, cbParam, &cb) )
goto vfree; goto virt_free;
} }
if ( mod_inject_by_hmodule(hProcess, hModule, &hRemoteModule) ) { if ( mod_inject_by_hmodule(hProcess, hModule, &hRemoteModule) ) {
hThread = CreateRemoteThread(hProcess, hThread = CreateRemoteThread(hProcess,
@@ -56,10 +56,11 @@ bool mod_inject_and_begin_thread(
result = true; result = true;
} }
} }
vfree: virt_free:
if ( !result && pBaseAddress ) if ( !result && pBaseAddress )
VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE); VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE);
resume: NtResumeProcess(hProcess); resume_process:
NtResumeProcess(hProcess);
return result; return result;
} }
@@ -98,7 +99,7 @@ bool mod_inject(
dwProcessId = GetProcessId(hProcess); dwProcessId = GetProcessId(hProcess);
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId); hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if ( !hSnapshot ) goto resume; if ( !hSnapshot ) goto resume_process;
*phRemoteModule = mod_get_from_th32_snapshot(hSnapshot, *phRemoteModule = mod_get_from_th32_snapshot(hSnapshot,
pLibFilename); pLibFilename);
@@ -106,7 +107,7 @@ bool mod_inject(
CloseHandle(hSnapshot); CloseHandle(hSnapshot);
// already injected... still sets *phRemoteModule // already injected... still sets *phRemoteModule
if ( *phRemoteModule ) goto resume; if ( *phRemoteModule ) goto resume_process;
nSize = (cchLibFilename + 1) * sizeof *pLibFilename; nSize = (cchLibFilename + 1) * sizeof *pLibFilename;
pBaseAddress = VirtualAllocEx(hProcess, pBaseAddress = VirtualAllocEx(hProcess,
@@ -115,10 +116,10 @@ bool mod_inject(
MEM_RESERVE | MEM_COMMIT, MEM_RESERVE | MEM_COMMIT,
PAGE_READWRITE); PAGE_READWRITE);
if ( !pBaseAddress ) goto resume; if ( !pBaseAddress ) goto resume_process;
if ( !WriteProcessMemory(hProcess, pBaseAddress, pLibFilename, nSize, NULL) ) if ( !WriteProcessMemory(hProcess, pBaseAddress, pLibFilename, nSize, NULL) )
goto vfree; goto virt_free;
hThread = CreateRemoteThread(hProcess, hThread = CreateRemoteThread(hProcess,
NULL, NULL,
@@ -127,7 +128,7 @@ bool mod_inject(
pBaseAddress, pBaseAddress,
0, 0,
NULL); NULL);
if ( !hThread ) goto vfree; if ( !hThread ) goto virt_free;
WaitForSingleObject(hThread, INFINITE); WaitForSingleObject(hThread, INFINITE);
@@ -145,7 +146,9 @@ bool mod_inject(
result = GetExitCodeThread(hThread, (LPDWORD)phRemoteModule) != FALSE; result = GetExitCodeThread(hThread, (LPDWORD)phRemoteModule) != FALSE;
} }
CloseHandle(hThread); CloseHandle(hThread);
vfree: VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE); virt_free:
resume: NtResumeProcess(hProcess); VirtualFreeEx(hProcess, pBaseAddress, 0, MEM_RELEASE);
resume_process:
NtResumeProcess(hProcess);
return result; return result;
} }


@@ -41,7 +41,7 @@ void CALLBACK RUNDLL32_StartW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, in
} }
ZeroMemory(&NotifyBuffer, sizeof NotifyBuffer); ZeroMemory(&NotifyBuffer, sizeof NotifyBuffer);
NotifyBuffer.dwVersion = SERVICE_NOTIFY_STATUS_CHANGE; NotifyBuffer.dwVersion = SERVICE_NOTIFY_STATUS_CHANGE;
NotifyBuffer.pfnNotifyCallback = cb_service_notify; NotifyBuffer.pfnNotifyCallback = (PFN_SC_NOTIFY_CALLBACK)cb_service_notify;
NotifyBuffer.pContext = (PVOID)&ctx; NotifyBuffer.pContext = (PVOID)&ctx;
while ( !Unloading && !Lagging ) { while ( !Unloading && !Lagging ) {
switch ( NotifyServiceStatusChangeW(hService, switch ( NotifyServiceStatusChangeW(hService,
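Review bot: The cast added on the `NotifyBuffer.pfnNotifyCallback` line silences a prototype mismatch instead of resolving it; if `cb_service_notify` is not declared as `VOID CALLBACK cb_service_notify(PVOID pParameter)`, the service control manager calls it through an incompatible function pointer, which is undefined behaviour even where the calling convention happens to line up. The callback's definition is outside this hunk, so this is inferred from the need for the cast alone. Prefer aligning the prototype with `PFN_SC_NOTIFY_CALLBACK` and assigning it uncast, `NotifyBuffer.pfnNotifyCallback = cb_service_notify;`, so the compiler keeps checking the signature. RUNDLL32_StartW begins and continues outside the hunk.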


@@ -74,7 +74,10 @@ bool wufuc_hook(HMODULE hModule)
} }
// identify wuaueng.dll by its resource data // identify wuaueng.dll by its resource data
if ( !_wcsicmp(pInternalName, L"wuaueng.dll") ) { if ( _wcsicmp(pInternalName, L"wuaueng.dll") ) {
trace(L"Module internal name does not match. (%ls)", pInternalName);
goto free_iname;
}
pffi = ver_get_version_info_from_hmodule_alloc(hModule, L"\\", &cbffi); pffi = ver_get_version_info_from_hmodule_alloc(hModule, L"\\", &cbffi);
if ( !pffi ) { if ( !pffi ) {
trace(L"Failed to allocate version information from hmodule."); trace(L"Failed to allocate version information from hmodule.");
@@ -107,18 +110,17 @@ bool wufuc_hook(HMODULE hModule)
: "8BFF 51 833D????????00 7507 A1????????" : "8BFF 51 833D????????00 7507 A1????????"
#endif #endif
); );
if ( offset != -1 ) {
if ( offset == -1 ) { result = MH_CreateHook(
trace(L"Could not locate pattern offset!"); RtlOffsetToPointer(modinfo.lpBaseOfDll, offset),
break;
} else {
result = MH_CreateHook((PVOID)((uint8_t *)modinfo.lpBaseOfDll + offset),
IsDeviceServiceable_hook, IsDeviceServiceable_hook,
NULL) == MH_OK; NULL) == MH_OK;
} else {
trace(L"Could not locate pattern offset!");
} }
break; free_iname:
} else trace(L"Module internal name does not match. (%ls)", pInternalName);
free(pInternalName); free(pInternalName);
break;
} }
free(ptl); free(ptl);
return result; return result;
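Review bot: In the restructured `offset != -1` branch the `MH_CreateHook` failure path is silent: `result` becomes false but nothing is traced, whereas the sibling `else` branch logs the pattern miss, so a hook that was never installed is indistinguishable from a successful run in the trace output. Capture the status and log it, e.g. `MH_STATUS st = MH_CreateHook(RtlOffsetToPointer(modinfo.lpBaseOfDll, offset), IsDeviceServiceable_hook, NULL);` / `result = st == MH_OK;` / `if ( !result ) trace(L"MH_CreateHook failed. (%d)", st);`. The `goto free_iname` added in this file's first hunk jumps forward past the `pffi` allocation to the shared `free(pInternalName)`, which is sound as long as nothing acquired between the two points is owned by this block; that stretch lies outside the shown hunks. wufuc_hook begins outside the hunk.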