removed ntdll madness

2014-03-05 14:28:08 +01:00 · 2014-03-05 14:28:08 +01:00 · 9eb47c282d
parent 8984545393
commit 9eb47c282d
8 changed files with 1145 additions and 1052 deletions
--- a/TitanEngine/TitanEngine.Handler.cpp
+++ b/TitanEngine/TitanEngine.Handler.cpp
--- a/TitanEngine/TitanEngine.Hider.cpp
+++ b/TitanEngine/TitanEngine.Hider.cpp
@ -5,33 +5,28 @@
 // TitanEngine.Hider.functions:
 __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
 {
-    typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
-    ULONG RequiredLen = 0;
-    void * PebAddress = 0;
-    PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
+	ULONG RequiredLen = 0;
+	void * PebAddress = 0;
+	PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);

-    if(!myProcessBasicInformation)
-        return 0;
+	if(!myProcessBasicInformation)
+		return 0;

-    fNtQueryInformationProcess cNtQueryInformationProcess = (fNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQueryInformationProcess");
+	if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
+	{
+		PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
+	}
+	else
+	{
+		if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
+		{
+			PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
+		}
+	}

-    if(cNtQueryInformationProcess != NULL)
-    {
-        if(cNtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
-        {
-            PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
-        }
-        else
-        {
-            if(cNtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
-            {
-                PebAddress = (void*)myProcessBasicInformation->PebBaseAddress;
-            }
-        }
-    }

-    VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE);
-    return PebAddress;
+	VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE);
+	return PebAddress;
 }

 __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
--- a/TitanEngine/TitanEngine.Injector.cpp
+++ b/TitanEngine/TitanEngine.Injector.cpp
@ -26,13 +26,7 @@ __declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t*
    LPVOID remStringData;
    LPVOID remCodeData;
    ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedRemoteFreeLibrary - (ULONG_PTR)&injectedRemoteLoadLibrary);
-#if !defined(_WIN64)
-    typedef NTSTATUS(WINAPI *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
-#else
-    typedef NTSTATUS(__fastcall *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
-#endif
-    LPVOID ZwSetInformationThread = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwSetInformationThread");
-    fZwSetInformationThread cZwSetInformationThread = (fZwSetInformationThread)(ZwSetInformationThread);
+
    ULONG_PTR NumberOfBytesWritten;
    DWORD ThreadId;
    HANDLE hThread;
@ -56,10 +50,9 @@ __declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t*
            if(WaitForThreadExit)
            {
                hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
-                if(ZwSetInformationThread != NULL)
-                {
-                    cZwSetInformationThread(hThread, 0x11, NULL, NULL);
-                }
+
+                NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
+
                ResumeThread(hThread);
                WaitForSingleObject(hThread, INFINITE);
                VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
@ -120,13 +113,6 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
    LPVOID remCodeData;
    ULONG_PTR remInjectSize1 = (ULONG_PTR)((ULONG_PTR)&injectedExitProcess - (ULONG_PTR)&injectedRemoteFreeLibrarySimple);
    ULONG_PTR remInjectSize2 = (ULONG_PTR)((ULONG_PTR)&injectedRemoteFreeLibrarySimple - (ULONG_PTR)&injectedRemoteFreeLibrary);
-#if !defined(_WIN64)
-    typedef NTSTATUS(WINAPI *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
-#else
-    typedef NTSTATUS(__fastcall *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
-#endif
-    LPVOID ZwSetInformationThread = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwSetInformationThread");
-    fZwSetInformationThread cZwSetInformationThread = (fZwSetInformationThread)(ZwSetInformationThread);
    ULONG_PTR NumberOfBytesWritten;
    DWORD ThreadId;
    HANDLE hThread;
@ -153,10 +139,9 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
                if(WaitForThreadExit)
                {
                    hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
-                    if(ZwSetInformationThread != NULL)
-                    {
-                        cZwSetInformationThread(hThread, 0x11, NULL, NULL);
-                    }
+
+                    NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
+
                    ResumeThread(hThread);
                    WaitForSingleObject(hThread, INFINITE);
                    VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
@ -200,10 +185,7 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h
                if(WaitForThreadExit)
                {
                    hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
-                    if(ZwSetInformationThread != NULL)
-                    {
-                        cZwSetInformationThread(hThread, 0x11, NULL, NULL);
-                    }
+					NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
                    ResumeThread(hThread);
                    WaitForSingleObject(hThread, INFINITE);
                    VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
--- a/TitanEngine/TitanEngine.vcxproj
+++ b/TitanEngine/TitanEngine.vcxproj
@ -298,6 +298,7 @@
    <ClInclude Include="Global.TLS.h" />
    <ClInclude Include="LzmaDec.h" />
    <ClInclude Include="LzmaTypes.h" />
+    <ClInclude Include="ntdll.h" />
    <ClInclude Include="resource.h" />
    <ClInclude Include="scylla_wrapper.h" />
    <ClInclude Include="stdafx.h" />
--- a/TitanEngine/ntdll.h
+++ b/TitanEngine/ntdll.h
@ -0,0 +1,260 @@
+#pragma once
+
+#include <windows.h>
+
+#ifndef _WIN64
+#pragma comment(lib, "ntdll_x86.lib")
+#else
+#pragma comment(lib, "ntdll_x64.lib")
+#endif
+
+
+
+typedef LONG NTSTATUS;
+
+typedef struct _UNICODE_STRING {
+	USHORT Length;
+	USHORT MaximumLength;
+	PWSTR  Buffer;
+} UNICODE_STRING, *PUNICODE_STRING;
+
+typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION {
+	ULONG Attributes;
+	ACCESS_MASK GrantedAccess;
+	ULONG HandleCount;
+	ULONG PointerCount;
+
+	ULONG Reserved[10];    // reserved for internal use
+
+} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION;
+
+typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION {
+
+	UNICODE_STRING TypeName;
+
+	ULONG Reserved [22];    // reserved for internal use
+
+} PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION;
+
+typedef struct _PROCESS_BASIC_INFORMATION {
+	PVOID Reserved1;
+	PVOID PebBaseAddress;
+	PVOID Reserved2[2];
+	ULONG_PTR UniqueProcessId;
+	PVOID Reserved3;
+} PROCESS_BASIC_INFORMATION;
+typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
+
+typedef enum _PROCESSINFOCLASS {
+	ProcessBasicInformation,
+	ProcessQuotaLimits,
+	ProcessIoCounters,
+	ProcessVmCounters,
+	ProcessTimes,
+	ProcessBasePriority,
+	ProcessRaisePriority,
+	ProcessDebugPort,
+	ProcessExceptionPort,
+	ProcessAccessToken,
+	ProcessLdtInformation,
+	ProcessLdtSize,
+	ProcessDefaultHardErrorMode,
+	ProcessIoPortHandlers,          // Note: this is kernel mode only
+	ProcessPooledUsageAndLimits,
+	ProcessWorkingSetWatch,
+	ProcessUserModeIOPL,
+	ProcessEnableAlignmentFaultFixup,
+	ProcessPriorityClass,
+	ProcessWx86Information,
+	ProcessHandleCount,
+	ProcessAffinityMask,
+	ProcessPriorityBoost,
+	ProcessDeviceMap,
+	ProcessSessionInformation,
+	ProcessForegroundInformation,
+	ProcessWow64Information,
+	ProcessImageFileName,
+	ProcessLUIDDeviceMapsEnabled,
+	ProcessBreakOnTermination,
+	ProcessDebugObjectHandle,
+	ProcessDebugFlags,
+	ProcessHandleTracing,
+	ProcessIoPriority,
+	ProcessExecuteFlags,
+	ProcessResourceManagement,
+	ProcessCookie,
+	ProcessImageInformation,
+	MaxProcessInfoClass             // MaxProcessInfoClass should always be the last enum
+} PROCESSINFOCLASS;
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+	SystemBasicInformation,
+	SystemProcessorInformation,             // obsolete...delete
+	SystemPerformanceInformation,
+	SystemTimeOfDayInformation,
+	SystemPathInformation,
+	SystemProcessInformation,
+	SystemCallCountInformation,
+	SystemDeviceInformation,
+	SystemProcessorPerformanceInformation,
+	SystemFlagsInformation,
+	SystemCallTimeInformation,
+	SystemModuleInformation,
+	SystemLocksInformation,
+	SystemStackTraceInformation,
+	SystemPagedPoolInformation,
+	SystemNonPagedPoolInformation,
+	SystemHandleInformation,
+	SystemObjectInformation,
+	SystemPageFileInformation,
+	SystemVdmInstemulInformation,
+	SystemVdmBopInformation,
+	SystemFileCacheInformation,
+	SystemPoolTagInformation,
+	SystemInterruptInformation,
+	SystemDpcBehaviorInformation,
+	SystemFullMemoryInformation,
+	SystemLoadGdiDriverInformation,
+	SystemUnloadGdiDriverInformation,
+	SystemTimeAdjustmentInformation,
+	SystemSummaryMemoryInformation,
+	SystemMirrorMemoryInformation,
+	SystemPerformanceTraceInformation,
+	SystemObsolete0,
+	SystemExceptionInformation,
+	SystemCrashDumpStateInformation,
+	SystemKernelDebuggerInformation,
+	SystemContextSwitchInformation,
+	SystemRegistryQuotaInformation,
+	SystemExtendServiceTableInformation,
+	SystemPrioritySeperation,
+	SystemVerifierAddDriverInformation,
+	SystemVerifierRemoveDriverInformation,
+	SystemProcessorIdleInformation,
+	SystemLegacyDriverInformation,
+	SystemCurrentTimeZoneInformation,
+	SystemLookasideInformation,
+	SystemTimeSlipNotification,
+	SystemSessionCreate,
+	SystemSessionDetach,
+	SystemSessionInformation,
+	SystemRangeStartInformation,
+	SystemVerifierInformation,
+	SystemVerifierThunkExtend,
+	SystemSessionProcessInformation,
+	SystemLoadGdiDriverInSystemSpace,
+	SystemNumaProcessorMap,
+	SystemPrefetcherInformation,
+	SystemExtendedProcessInformation,
+	SystemRecommendedSharedDataAlignment,
+	SystemComPlusPackage,
+	SystemNumaAvailableMemory,
+	SystemProcessorPowerInformation,
+	SystemEmulationBasicInformation,
+	SystemEmulationProcessorInformation,
+	SystemExtendedHandleInformation,
+	SystemLostDelayedWriteInformation,
+	SystemBigPoolInformation,
+	SystemSessionPoolTagInformation,
+	SystemSessionMappedViewInformation,
+	SystemHotpatchInformation,
+	SystemObjectSecurityMode,
+	SystemWatchdogTimerHandler,
+	SystemWatchdogTimerInformation,
+	SystemLogicalProcessorInformation,
+	SystemWow64SharedInformation,
+	SystemRegisterFirmwareTableInformationHandler,
+	SystemFirmwareTableInformation,
+	SystemModuleInformationEx,
+	SystemVerifierTriageInformation,
+	SystemSuperfetchInformation,
+	SystemMemoryListInformation,
+	SystemFileCacheInformationEx,
+	MaxSystemInfoClass  // MaxSystemInfoClass should always be the last enum
+} SYSTEM_INFORMATION_CLASS;
+
+typedef enum _OBJECT_INFORMATION_CLASS {
+	ObjectBasicInformation,
+	ObjectNameInformation,
+	ObjectTypeInformation,
+	ObjectTypesInformation,
+	ObjectHandleFlagInformation,
+	ObjectSessionInformation,
+	MaxObjectInfoClass  // MaxObjectInfoClass should always be the last enum
+} OBJECT_INFORMATION_CLASS;
+
+typedef enum _THREADINFOCLASS {
+	ThreadBasicInformation,
+	ThreadTimes,
+	ThreadPriority,
+	ThreadBasePriority,
+	ThreadAffinityMask,
+	ThreadImpersonationToken,
+	ThreadDescriptorTableEntry,
+	ThreadEnableAlignmentFaultFixup,
+	ThreadEventPair_Reusable,
+	ThreadQuerySetWin32StartAddress,
+	ThreadZeroTlsCell,
+	ThreadPerformanceCount,
+	ThreadAmILastThread,
+	ThreadIdealProcessor,
+	ThreadPriorityBoost,
+	ThreadSetTlsArrayAddress,
+	ThreadIsIoPending,
+	ThreadHideFromDebugger,
+	ThreadBreakOnTermination,
+	ThreadSwitchLegacyState,
+	ThreadIsTerminated,
+	MaxThreadInfoClass
+} THREADINFOCLASS;
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+	NTSYSCALLAPI
+		NTSTATUS
+		NTAPI
+		NtQueryInformationProcess (
+		__in HANDLE ProcessHandle,
+		__in PROCESSINFOCLASS ProcessInformationClass,
+		__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
+		__in ULONG ProcessInformationLength,
+		__out_opt PULONG ReturnLength
+		);
+
+	NTSYSCALLAPI
+		NTSTATUS
+		NTAPI
+		NtQueryObject (
+		__in HANDLE Handle,
+		__in OBJECT_INFORMATION_CLASS ObjectInformationClass,
+		__out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
+		__in ULONG ObjectInformationLength,
+		__out_opt PULONG ReturnLength
+		);
+
+	NTSYSCALLAPI
+		NTSTATUS
+		NTAPI
+		NtQuerySystemInformation (
+		__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
+		__out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
+		__in ULONG SystemInformationLength,
+		__out_opt PULONG ReturnLength
+		);
+
+	NTSYSCALLAPI
+		NTSTATUS
+		NTAPI
+		NtSetInformationThread (
+		__in HANDLE ThreadHandle,
+		__in THREADINFOCLASS ThreadInformationClass,
+		__in_bcount(ThreadInformationLength) PVOID ThreadInformation,
+		__in ULONG ThreadInformationLength
+		);
+
+#ifdef __cplusplus
+};
+#endif
--- a/TitanEngine/ntdll_x64.lib
+++ b/TitanEngine/ntdll_x64.lib
--- a/TitanEngine/ntdll_x86.lib
+++ b/TitanEngine/ntdll_x86.lib
--- a/TitanEngine/stdafx.h
+++ b/TitanEngine/stdafx.h
@ -12,9 +12,8 @@
 #define WIN32_LEAN_AND_MEAN             // Exclude rarely-used stuff from Windows headers
 // Windows Header Files:
 #include <windows.h>
-#include <Winternl.h>
-
-
+//#include <winternl.h>
+#include "ntdll.h"
 #include "aplib.h"
 #include "LzmaDec.h"

@ -719,10 +718,6 @@ typedef struct

 // UnpackEngine.Handler:

-#define NTDLL_SystemHandleInfo 0x10
-#define ObjectBasicInformation 0
-#define ObjectNameInformation 1
-#define ObjectTypeInformation 2

 /*typedef enum _POOL_TYPE {
 	NonPagedPool,