diff --git a/.gitignore b/.gitignore index 954cc866..0a19643f 100644 --- a/.gitignore +++ b/.gitignore @@ -10,6 +10,7 @@ Build/** *.VC.db *.VC.opendb *.sdf +*v12..suo *.suo # diff --git a/Doc/Logical.pdf b/Doc/Logical.pdf index dec470cb..6ad79792 100644 Binary files a/Doc/Logical.pdf and b/Doc/Logical.pdf differ diff --git a/Doc/Logical.vsdx b/Doc/Logical.vsdx index b18be77b..cbd1528d 100644 Binary files a/Doc/Logical.vsdx and b/Doc/Logical.vsdx differ diff --git a/Projects/Shark/AMD64/PatchGuardAMD64.c b/Projects/Shark/AMD64/PatchGuardAMD64.c index fc3dfbf1..a5006931 100644 --- a/Projects/Shark/AMD64/PatchGuardAMD64.c +++ b/Projects/Shark/AMD64/PatchGuardAMD64.c @@ -171,8 +171,6 @@ PgClearCallback( GetGpBlock(PgBlock)->vDbgPrint( PgBlock->ClearMessage[PgEncrypted], Object); - - PgBlock->Cleared++; #endif // DEBUG ExInitializeWorkItem( @@ -222,8 +220,6 @@ PgClearCallback( GetGpBlock(PgBlock)->vDbgPrint( PgBlock->ClearMessage[Object->Encrypted], Object); - - PgBlock->Cleared++; #endif // DEBUG GetGpBlock(PgBlock)->ExInterlockedRemoveHeadList( @@ -307,6 +303,7 @@ InitializePgBlock( u8ptr ControlPc = NULL; u8ptr TargetPc = NULL; u32 Length = 0; + u Index = 0; PIMAGE_NT_HEADERS NtHeaders = NULL; PIMAGE_SECTION_HEADER NtSection = NULL; ptr EndToLock = NULL; @@ -315,7 +312,6 @@ InitializePgBlock( UNICODE_STRING RoutineString = { 0 }; ptr RoutineAddress = NULL; u8 Selector = 0; - PPOOL_BIG_PAGES * PageTable = NULL; uptr PageTableSize = NULL; PRTL_BITMAP BitMap = NULL; @@ -462,7 +458,7 @@ InitializePgBlock( // 0F B6 04 08 movzx eax, byte ptr [rax+rcx] s8 MiGetSystemRegionType[] = - "48 c1 e9 27 81 e1 ff 01 00 00 8d 81 00 ff ff ff 48 8d 0d ?? ?? ?? ?? 0f b6 04 08"; + "48 c1 e9 27 81 e1 ff 01 00 00 8d 81 00 ff ff ff 48 8d 0d"; // 55 push rbp // 41 54 push r12 @@ -1108,24 +1104,19 @@ InitializePgBlock( NtSection->VirtualAddress + max(NtSection->SizeOfRawData, NtSection->Misc.VirtualSize); - if (GetGpBlock(PgBlock)->BuildNumber >= 18362) { + if (GetGpBlock(PgBlock)->BuildNumber >= 15063) { TargetPc = ScanBytes( ControlPc, EndToLock, MiGetSystemRegionType); if (NULL != TargetPc) { - TargetPc -= 0xf; - - RtlCopyMemory( - (ptr)&PgBlock->MiGetSystemRegionType, - &TargetPc, - sizeof(ptr)); + PgBlock->SystemRegionTypeArray = __rva_to_va(TargetPc + 0x13); #ifdef DEBUG vDbgPrint( - "[Shark] < %p > MiGetSystemRegionType\n", - PgBlock->MiGetSystemRegionType); + "[Shark] < %p > SystemRegionTypeArray\n", + PgBlock->SystemRegionTypeArray); #endif // DEBUG } } @@ -1139,16 +1130,20 @@ InitializePgBlock( Selector = 1; } else if (GetGpBlock(PgBlock)->BuildNumber >= 19041 && - GetGpBlock(PgBlock)->BuildNumber < 20295) { + GetGpBlock(PgBlock)->BuildNumber < 20000) { Selector = 2; } - else if (GetGpBlock(PgBlock)->BuildNumber >= 20279 && - GetGpBlock(PgBlock)->BuildNumber < 21327) { + else if (GetGpBlock(PgBlock)->BuildNumber >= 20000 && + GetGpBlock(PgBlock)->BuildNumber < 21000) { Selector = 3; } - else if (GetGpBlock(PgBlock)->BuildNumber >= 21327) { + else if (GetGpBlock(PgBlock)->BuildNumber >= 21000 && + GetGpBlock(PgBlock)->BuildNumber < 22000) { Selector = 4; } + else if (GetGpBlock(PgBlock)->BuildNumber >= 22000) { + Selector = 3; + } ControlPc = ScanBytes( ControlPc, @@ -1180,64 +1175,96 @@ InitializePgBlock( } } - RtlInitUnicodeString(&RoutineString, L"MmAllocateMappingAddressEx"); + if (GetGpBlock(PgBlock)->BuildNumber < 20000) { + RtlInitUnicodeString(&RoutineString, L"MmAllocateMappingAddressEx"); - RoutineAddress = MmGetSystemRoutineAddress(&RoutineString); + RoutineAddress = MmGetSystemRoutineAddress(&RoutineString); - if (NULL == RoutineAddress) { - RtlInitUnicodeString(&RoutineString, L"MmAllocateMappingAddress"); + if (NULL == RoutineAddress) { + RtlInitUnicodeString(&RoutineString, L"MmAllocateMappingAddress"); - RoutineAddress = MmGetSystemRoutineAddress(&RoutineString); - } + RoutineAddress = MmGetSystemRoutineAddress(&RoutineString); + } - if (NULL != RoutineAddress) { - ControlPc = RoutineAddress; + if (NULL != RoutineAddress) { + ControlPc = RoutineAddress; - while (TRUE) { - Length = DetourGetInstructionLength(ControlPc); + while (TRUE) { + Length = DetourGetInstructionLength(ControlPc); - if (1 == Length) { - if (0 == _cmpbyte(ControlPc[0], 0xc3)) { - break; + if (1 == Length) { + if (0 == _cmpbyte(ControlPc[0], 0xc3)) { + break; + } } - } - if (7 == Length) { - if (0 == _cmpbyte(ControlPc[0], 0x48) && - 0 == _cmpbyte(ControlPc[1], 0x8d) && - 0 == _cmpbyte(ControlPc[2], 0x0d)) { - TargetPc = __rva_to_va(ControlPc + 3); + if (7 == Length) { + if (0 == _cmpbyte(ControlPc[0], 0x48) && + 0 == _cmpbyte(ControlPc[1], 0x8d) && + 0 == _cmpbyte(ControlPc[2], 0x0d)) { + TargetPc = __rva_to_va(ControlPc + 3); - // struct _MI_SYSTEM_PTE_TYPE * - BitMap = TargetPc; + // struct _MI_SYSTEM_PTE_TYPE * + BitMap = TargetPc; - PgBlock->SystemPtes.NumberOfPtes = BitMap->SizeOfBitMap * 8; + PgBlock->SystemPtes.NumberOfPtes = BitMap->SizeOfBitMap * 8; #ifdef DEBUG - vDbgPrint( - "[Shark] < %p > NumberOfPtes\n", - PgBlock->SystemPtes.NumberOfPtes); + vDbgPrint( + "[Shark] < %p > NumberOfPtes\n", + PgBlock->SystemPtes.NumberOfPtes); #endif // DEBUG - if (GetGpBlock(PgBlock)->BuildNumber < 9600) { - PgBlock->SystemPtes.BasePte = - *(PMMPTE *)((u8ptr)(BitMap + 1) + sizeof(u32) * 2); - } - else { - PgBlock->SystemPtes.BasePte = *(PMMPTE *)(BitMap + 1); - } + if (GetGpBlock(PgBlock)->BuildNumber < 9600) { + PgBlock->SystemPtes.BasePte = + *(PMMPTE *)((u8ptr)(BitMap + 1) + sizeof(u32) * 2); + } + else { + PgBlock->SystemPtes.BasePte = *(PMMPTE *)(BitMap + 1); + } #ifdef DEBUG - vDbgPrint( - "[Shark] < %p > BasePte\n", - PgBlock->SystemPtes.BasePte); + vDbgPrint( + "[Shark] < %p > BasePte\n", + PgBlock->SystemPtes.BasePte); #endif // DEBUG - break; + break; + } } + + ControlPc += Length; } + } + } + else { + for (Index = 0; + Index < SYSTEM_REGION_TYPE_ARRAY_COUNT; + Index++) { + if (MiVaKernelStacks == + PgBlock->SystemRegionTypeArray[Index]) { + if (NULL == PgBlock->SystemPtes.BasePte) { + PgBlock->SystemPtes.BasePte = + GetPteAddress(__utop((Index | 0xFFFFFFE0) << 0x27)); + } - ControlPc += Length; + PgBlock->SystemPtes.NumberOfPtes += 0x40000000; + } + else { + if (NULL != PgBlock->SystemPtes.BasePte) { + break; + } + } } + +#ifdef DEBUG + vDbgPrint( + "[Shark] < %p > BasePte\n", + PgBlock->SystemPtes.BasePte); + + vDbgPrint( + "[Shark] < %p > NumberOfPtes\n", + PgBlock->SystemPtes.NumberOfPtes); +#endif // DEBUG } RtlCopyMemory( @@ -1359,9 +1386,9 @@ InitializePgBlock( // PgBlock->ClearMessage[1] = ClearMessage[1]; RtlCopyMemory( - &PgBlock->_ClearMessage[0x80], - ClearMessage[2], - strlen(ClearMessage[2])); + &PgBlock->_ClearMessage[0x80], + ClearMessage[2], + strlen(ClearMessage[2])); PgBlock->ClearMessage[2] = &PgBlock->_ClearMessage[0x80]; @@ -1446,94 +1473,94 @@ PgCreateObject( void NTAPI PgSetNewEntry( -__inout PPGBLOCK PgBlock, -__in PPGOBJECT Object, -__in ptr PatchGuardContext, -__in u64 RorKey + __inout PPGBLOCK PgBlock, + __in PPGOBJECT Object, + __in ptr PatchGuardContext, + __in u64 RorKey ) { - u64 LastRorKey = 0; - u32 RvaOfEntry = 0; - u64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 }; - u32 FieldIndex = 0; - u32 Index = 0; - ptr Pointer = NULL; + u64 LastRorKey = 0; + u32 RvaOfEntry = 0; + u64 FieldBuffer[PG_COMPARE_FIELDS_COUNT] = { 0 }; + u32 FieldIndex = 0; + u32 Index = 0; + ptr Pointer = NULL; - // xor code must be align 8 byte; - // get PatchGuard entry offset in encrypted code + // xor code must be align 8 byte; + // get PatchGuard entry offset in encrypted code - FieldIndex = (PgBlock->OffsetEntryPoint - - PgBlock->SizeCmpAppendDllSection) / sizeof(u64); + FieldIndex = (PgBlock->OffsetEntryPoint - + PgBlock->SizeCmpAppendDllSection) / sizeof(u64); - RtlCopyMemory( - FieldBuffer, - (u8ptr)PatchGuardContext + (PgBlock->OffsetEntryPoint & ~7), - sizeof(FieldBuffer)); + RtlCopyMemory( + FieldBuffer, + (u8ptr)PatchGuardContext + (PgBlock->OffsetEntryPoint & ~7), + sizeof(FieldBuffer)); - LastRorKey = RorKey; + LastRorKey = RorKey; - for (Index = 0; - Index < FieldIndex; - Index++) { - LastRorKey = PgBlock->Rol64(LastRorKey, Index); - } + for (Index = 0; + Index < FieldIndex; + Index++) { + LastRorKey = PgBlock->Rol64(LastRorKey, Index); + } - for (Index = 0; - Index < RTL_NUMBER_OF(FieldBuffer); - Index++) { - LastRorKey = PgBlock->Rol64(LastRorKey, FieldIndex + Index); - FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey; - } + for (Index = 0; + Index < RTL_NUMBER_OF(FieldBuffer); + Index++) { + LastRorKey = PgBlock->Rol64(LastRorKey, FieldIndex + Index); + FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey; + } - RvaOfEntry = *(u32ptr)((u8ptr)FieldBuffer + (PgBlock->OffsetEntryPoint & 7)); + RvaOfEntry = *(u32ptr)((u8ptr)FieldBuffer + (PgBlock->OffsetEntryPoint & 7)); - // copy PatchGuard entry head code to temp bufer and decode + // copy PatchGuard entry head code to temp bufer and decode - FieldIndex = (RvaOfEntry - PgBlock->SizeCmpAppendDllSection) / sizeof(u64); + FieldIndex = (RvaOfEntry - PgBlock->SizeCmpAppendDllSection) / sizeof(u64); - RtlCopyMemory( - FieldBuffer, - (u8ptr)PatchGuardContext + (RvaOfEntry & ~7), - sizeof(FieldBuffer)); + RtlCopyMemory( + FieldBuffer, + (u8ptr)PatchGuardContext + (RvaOfEntry & ~7), + sizeof(FieldBuffer)); - LastRorKey = RorKey; + LastRorKey = RorKey; - for (Index = 0; - Index < FieldIndex; - Index++) { - LastRorKey = PgBlock->Rol64(LastRorKey, Index); - } + for (Index = 0; + Index < FieldIndex; + Index++) { + LastRorKey = PgBlock->Rol64(LastRorKey, Index); + } - for (Index = 0; - Index < RTL_NUMBER_OF(FieldBuffer); - Index++) { - LastRorKey = PgBlock->Rol64(LastRorKey, FieldIndex + Index); - FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey; - } + for (Index = 0; + Index < RTL_NUMBER_OF(FieldBuffer); + Index++) { + LastRorKey = PgBlock->Rol64(LastRorKey, FieldIndex + Index); + FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey; + } - // set temp buffer PatchGuard entry head jmp to PgClearCallback and encrypt + // set temp buffer PatchGuard entry head jmp to PgClearCallback and encrypt - Pointer = (u8ptr)FieldBuffer + (RvaOfEntry & 7); + Pointer = (u8ptr)FieldBuffer + (RvaOfEntry & 7); - LockedBuildJumpCode(&Pointer, &Object->Body); + LockedBuildJumpCode(&Pointer, &Object->Body); - while (Index--) { - FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey; - LastRorKey = PgBlock->Ror64(LastRorKey, FieldIndex + Index); - } + while (Index--) { + FieldBuffer[Index] = FieldBuffer[Index] ^ LastRorKey; + LastRorKey = PgBlock->Ror64(LastRorKey, FieldIndex + Index); + } - // copy temp buffer PatchGuard entry head to old address, - // when PatchGuard code decrypt self jmp PgClearCallback. + // copy temp buffer PatchGuard entry head to old address, + // when PatchGuard code decrypt self jmp PgClearCallback. - RtlCopyMemory( - (u8ptr)PatchGuardContext + (RvaOfEntry & ~7), - FieldBuffer, - sizeof(FieldBuffer)); + RtlCopyMemory( + (u8ptr)PatchGuardContext + (RvaOfEntry & ~7), + FieldBuffer, + sizeof(FieldBuffer)); #ifdef DEBUG - vDbgPrint( - "[Shark] < %p > set new entry for encrypted context\n", - Object); + vDbgPrint( + "[Shark] < %p > set new entry for encrypted context\n", + Object); #endif // DEBUG } @@ -1637,7 +1664,7 @@ PgSetNewEntryWithBtc( Pointer = (PGUARD_BODY)((u8ptr)FieldBuffer + sizeof(u) - AlignOffset); - LockedBuildJumpCode(&Pointer, &Object->Body); + LockedBuildJumpCode(&Pointer, &Object->Body); RorKey = LastRorKey; Index = LastRorKeyOffset; @@ -1878,7 +1905,7 @@ PgSetTimerNewEntry( Pointer = &Object->Context[2]; - LockedBuildJumpCode(&Pointer, &Object->Body); + LockedBuildJumpCode(&Pointer, &Object->Body); Object->Context[2] ^= Object->Key; Object->Context[3] ^= Object->Key; @@ -2015,7 +2042,7 @@ PgSetBranchNewEntry( Pointer = &Object->Context[2]; - LockedBuildJumpCode(&Pointer, &Object->Body); + LockedBuildJumpCode(&Pointer, &Object->Body); Object->Context[2] ^= Object->Key; Object->Context[3] ^= Object->Key; @@ -2175,24 +2202,6 @@ PgCompareFields( PPGOBJECT Object = NULL; b Result = 0; - if (0 != PgBlock->Repeat) { - if (FALSE == IsListEmpty(&PgBlock->ObjectList)) { - Object = CONTAINING_RECORD( - PgBlock->ObjectList.Flink, - PGOBJECT, - Entry); - - while (&Object->Entry != &PgBlock->ObjectList) { - if (BaseAddress == Object->BaseAddress)return; - - Object = CONTAINING_RECORD( - Object->Entry.Flink, - PGOBJECT, - Entry); - } - } - } - if (FALSE != MmIsAddressValid(BaseAddress)) { if ((__ptou(PgBlock) >= __ptou(BaseAddress)) && (__ptou(PgBlock) < (__ptou(BaseAddress) + RegionSize))) { @@ -2461,13 +2470,11 @@ PgClearSystemPtesEncryptedContext( NumberOfPtes = PgBlock->SystemPtes.NumberOfPtes; #ifdef DEBUG - if (0 == PgBlock->Repeat) { - vDbgPrint( - "[Shark] < %p > SystemPtes < %p - %p >\n", - KeGetCurrentProcessorNumber(), - PgBlock->SystemPtes.BasePte, - PgBlock->SystemPtes.BasePte + NumberOfPtes); - } + vDbgPrint( + "[Shark] < %p > SystemPtes < %p - %p >\n", + KeGetCurrentProcessorNumber(), + PgBlock->SystemPtes.BasePte, + PgBlock->SystemPtes.BasePte + NumberOfPtes); #endif // DEBUG BitMapSize = @@ -2504,7 +2511,7 @@ PgClearSystemPtesEncryptedContext( if (StartingRunIndex - HintIndex >= BYTES_TO_PAGES(PgBlock->SizeINITKDBG)) { - /* + /* #ifdef DEBUG vDbgPrint( "[Shark] < %p > scan < %p - %08x > < %p, %p, %p, %p...>\n", @@ -2516,7 +2523,7 @@ PgClearSystemPtesEncryptedContext( __rduptr(__ptou(GetVaMappedByPte(PgBlock->SystemPtes.BasePte + HintIndex)) + 0x10), __rduptr(__ptou(GetVaMappedByPte(PgBlock->SystemPtes.BasePte + HintIndex)) + 0x18)); #endif // DEBUG - */ + */ PgCompareFields( PgBlock, @@ -2551,13 +2558,11 @@ PgClearPoolEncryptedContext( sizeof(POOL_BIG_PAGESEX) : sizeof(POOL_BIG_PAGES); #ifdef DEBUG - if (0 == PgBlock->Repeat) { - vDbgPrint( - "[Shark] < %p > BigPool < %p - %08x >\n", - KeGetCurrentProcessorNumber(), - *PgBlock->Pool.PoolBigPageTable, - *PgBlock->Pool.PoolBigPageTableSize); - } + vDbgPrint( + "[Shark] < %p > BigPool < %p - %08x >\n", + KeGetCurrentProcessorNumber(), + *PgBlock->Pool.PoolBigPageTable, + *PgBlock->Pool.PoolBigPageTableSize); #endif // DEBUG for (Index = 0; @@ -2590,7 +2595,7 @@ PgClearPoolEncryptedContext( } } - /* + /* #ifdef DEBUG vDbgPrint( "[Shark] < %p > scan < %p - %08x > < %p, %p, %p, %p...>\n", @@ -2602,7 +2607,7 @@ PgClearPoolEncryptedContext( __rduptr(__ptou(PAGE_ALIGN(PoolBigPage->Va)) + 0x10), __rduptr(__ptou(PAGE_ALIGN(PoolBigPage->Va)) + 0x18)); #endif // DEBUG - */ + */ PgCompareFields( PgBlock, @@ -3021,88 +3026,86 @@ PgClearWorker( Context = Argument; - if (0 == Context->PgBlock->Repeat) { - InitializePgBlock(Context->PgBlock); + InitializePgBlock(Context->PgBlock); - /* - if (os build >= 9600){ - // Header->Type = 0x15 - // Header->Hand = 0xac + /* + if (os build >= 9600){ + // Header->Type = 0x15 + // Header->Hand = 0xac - PgBlock->WorkerContext = struct _DISPATCHER_HEADER - } - else { - // CriticalWorkQueue = 0 - // DelayedWorkQueue = 1 + PgBlock->WorkerContext = struct _DISPATCHER_HEADER + } + else { + // CriticalWorkQueue = 0 + // DelayedWorkQueue = 1 - PgBlock->WorkerContext = enum _WORK_QUEUE_TYPE - } - */ + PgBlock->WorkerContext = enum _WORK_QUEUE_TYPE + } + */ - InitialStack = IoGetInitialStack(); + InitialStack = IoGetInitialStack(); - if (GetGpBlock(Context->PgBlock)->BuildNumber >= 9600) { - while ((u64)InitialStack != (u64)&Argument) { - Header = *(ptr *)InitialStack; + if (GetGpBlock(Context->PgBlock)->BuildNumber >= 9600) { + while ((u64)InitialStack != (u64)&Argument) { + Header = *(ptr *)InitialStack; - if (FALSE != MmIsAddressValid(Header)) { - if (FALSE != MmIsAddressValid((u8ptr)(Header + 1) - 1)) { - if (0x15 == Header->Type && - 0xac == Header->Hand) { - Context->PgBlock->WorkerContext = Header; + if (FALSE != MmIsAddressValid(Header)) { + if (FALSE != MmIsAddressValid((u8ptr)(Header + 1) - 1)) { + if (0x15 == Header->Type && + 0xac == Header->Hand) { + Context->PgBlock->WorkerContext = Header; - break; - } + break; } } - - InitialStack--; } + + InitialStack--; } - else { - Context->PgBlock->WorkerContext = UlongToPtr(CriticalWorkQueue); - } + } + else { + Context->PgBlock->WorkerContext = UlongToPtr(CriticalWorkQueue); + } - if (NT_SUCCESS(ZwQueryInformationThread( - ZwCurrentThread(), - ThreadQuerySetWin32StartAddress, - &Context->PgBlock->ExpWorkerThread, - sizeof(ptr), - &ReturnLength))) { - for (Index = 0; - Index < GetGpBlock(Context->PgBlock)->DebuggerDataBlock.SizeEThread; - Index += 8) { - if ((u)Context->PgBlock->ExpWorkerThread == - __rdsptr((u8ptr)KeGetCurrentThread() + Index)) { - GetGpBlock(Context->PgBlock)->OffsetKThreadWin32StartAddress = Index; + if (NT_SUCCESS(ZwQueryInformationThread( + ZwCurrentThread(), + ThreadQuerySetWin32StartAddress, + &Context->PgBlock->ExpWorkerThread, + sizeof(ptr), + &ReturnLength))) { + for (Index = 0; + Index < GetGpBlock(Context->PgBlock)->DebuggerDataBlock.SizeEThread; + Index += 8) { + if ((u)Context->PgBlock->ExpWorkerThread == + __rdsptr((u8ptr)KeGetCurrentThread() + Index)) { + GetGpBlock(Context->PgBlock)->OffsetKThreadWin32StartAddress = Index; - break; - } + break; } + } - if (GetGpBlock(Context->PgBlock)->BuildNumber >= 18362) { - TargetPc = (u8ptr)Context->PgBlock->ExpWorkerThread; + if (GetGpBlock(Context->PgBlock)->BuildNumber >= 18362) { + TargetPc = (u8ptr)Context->PgBlock->ExpWorkerThread; - while (TRUE) { - Length = DetourGetInstructionLength(TargetPc); + while (TRUE) { + Length = DetourGetInstructionLength(TargetPc); - if (6 == Length) { - if (0 == _cmpbyte(TargetPc[0], 0x8b) && - 0 == _cmpbyte(TargetPc[1], 0x83)) { - Context->PgBlock->OffsetSameThreadPassive = *(u32ptr)(TargetPc + 2); + if (6 == Length) { + if (0 == _cmpbyte(TargetPc[0], 0x8b) && + 0 == _cmpbyte(TargetPc[1], 0x83)) { + Context->PgBlock->OffsetSameThreadPassive = *(u32ptr)(TargetPc + 2); #ifdef DEBUG - vDbgPrint( - "[Shark] < %p > OffsetSameThreadPassive\n", - Context->PgBlock->OffsetSameThreadPassive); + vDbgPrint( + "[Shark] < %p > OffsetSameThreadPassive\n", + Context->PgBlock->OffsetSameThreadPassive); #endif // DEBUG - break; - } + break; } - - TargetPc += Length; } + + TargetPc += Length; } } } @@ -3130,9 +3133,9 @@ PgClearWorker( } if (GetGpBlock(Context->PgBlock)->BuildNumber >= 9600) { - if (0 == Context->PgBlock->WorkerContext || - NULL == Context->PgBlock->KiWaitNever || - NULL == Context->PgBlock->KiWaitAlways) { + if (0 == Context->PgBlock->WorkerContext || + NULL == Context->PgBlock->KiWaitNever || + NULL == Context->PgBlock->KiWaitAlways) { Chance = FALSE; } } @@ -3168,18 +3171,14 @@ PgClear( Context.PgBlock = PgBlock; - if (PgBlock->Cleared < PG_MAXIMUM_CONTEXT_COUNT) { - KeInitializeEvent(&Context.Notify, SynchronizationEvent, FALSE); - ExInitializeWorkItem(&Context.Worker, PgClearWorker, &Context); - ExQueueWorkItem(&Context.Worker, CriticalWorkQueue); + KeInitializeEvent(&Context.Notify, SynchronizationEvent, FALSE); + ExInitializeWorkItem(&Context.Worker, PgClearWorker, &Context); + ExQueueWorkItem(&Context.Worker, CriticalWorkQueue); - KeWaitForSingleObject( - &Context.Notify, - Executive, - KernelMode, - FALSE, - NULL); - - PgBlock->Repeat++; - } + KeWaitForSingleObject( + &Context.Notify, + Executive, + KernelMode, + FALSE, + NULL); } diff --git a/Projects/Shark/PatchGuard.h b/Projects/Shark/PatchGuard.h index 07519574..d715fc53 100644 --- a/Projects/Shark/PatchGuard.h +++ b/Projects/Shark/PatchGuard.h @@ -38,6 +38,10 @@ extern "C" { u NumberOfPages; } POOL_BIG_PAGES, *PPOOL_BIG_PAGES; +#ifdef _WIN64 + C_ASSERT(sizeof(POOL_BIG_PAGES) == sizeof(u) * 3); +#endif // _WIN64 + typedef struct _POOL_BIG_PAGESEX { ptr Va; u32 Key; @@ -46,6 +50,10 @@ extern "C" { u Unuse; } POOL_BIG_PAGESEX, *PPOOL_BIG_PAGESEX; +#ifdef _WIN64 + C_ASSERT(sizeof(POOL_BIG_PAGES) == sizeof(u) * 3); +#endif // _WIN64 + enum { PgPoolBigPage, PgSystemPtes, @@ -71,23 +79,25 @@ extern "C" { SAFEGUARD_BODY Body; }PGOBJECT, *PPGOBJECT; + // build number > 20000 typedef enum _MI_SYSTEM_VA_TYPE { - MiVaUnused, - MiVaSessionSpace, - MiVaProcessSpace, - MiVaBootLoaded, - MiVaPfnDatabase, - MiVaNonPagedPool, - MiVaPagedPool, - MiVaSpecialPoolPaged, - MiVaSystemCache, - MiVaSystemPtes, - MiVaHal, - MiVaSessionGlobalSpace, - MiVaDriverImages, - MiVaSystemPtesLarge, - MiVaKernelStacks, - MiVaSecureNonPagedPool, + MiVaUnused = 0, + MiVaSessionSpace = 1, + MiVaProcessSpace = 2, + MiVaBootLoaded = 3, + MiVaPfnDatabase = 4, + MiVaNonPagedPool = 5, + MiVaPagedPool = 6, + MiVaSpecialPoolPaged = 7, + MiVaSystemCache = 8, + MiVaSystemPtes = 9, + MiVaHal = 10, + MiVaSessionGlobalSpace = 11, + MiVaDriverImages = 12, + MiVaSystemPtesLarge = 13, + MiVaKernelStacks = 14, + MiVaSecureNonPagedPool = 15, + MiVaKernelShadowStacks = 16, MiVaMaximumType }MI_SYSTEM_VA_TYPE, *PMI_SYSTEM_VA_TYPE; @@ -102,7 +112,7 @@ extern "C" { #define PG_COMPARE_FIELDS_COUNT 0x00000004UI32 // 搜索时比较的 Context 成员数量 #define PG_COMPARE_BYTE_COUNT 0x00000010UI32 // 搜索 Worker 时比较的字节数量 - // EntryPoint 缓存大小 用来搜索头部的代码片段 ( 最小长度 = max(2 * 8 + 7, sizeof(GUARD_BODY)) ) + // EntryPoint 缓存大小 用来搜索头部的代码片段 ( 最小长度 = max(2 * 8 + 7, sizeof(GUARD_BODY)) ) #define PG_MAXIMUM_EP_BUFFER_COUNT ((max(2 * 8 + 7, sizeof(GUARD_BODY)) + 7) & ~7) #define PG_FIELD_BITS \ @@ -110,8 +120,6 @@ extern "C" { - PG_CMP_APPEND_DLL_SECTION_END) / sizeof(ptr)) - 1)) u8 Count; - u8 Cleared; - b Repeat; b BtcEnable; u32 OffsetEntryPoint; u32 SizeCmpAppendDllSection; @@ -143,16 +151,15 @@ extern "C" { struct { u NumberOfPtes; PMMPTE BasePte; - }SystemPtes; // system ptes + }SystemPtes; // system ptes + +#define SYSTEM_REGION_TYPE_ARRAY_COUNT 0x100 + + s8 * SystemRegionTypeArray; struct { ptr WorkerContext; - MI_SYSTEM_VA_TYPE - (NTAPI * MiGetSystemRegionType)( - __in ptr VirtualAddress - ); - void (NTAPI * ExpWorkerThread)( __in ptr StartContext diff --git a/Projects/Shark/Reload.c b/Projects/Shark/Reload.c index 9365c28d..59e5b72b 100644 --- a/Projects/Shark/Reload.c +++ b/Projects/Shark/Reload.c @@ -93,7 +93,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > BuildNumber\n", + "[Shark] < %p > BuildNumber\n", Block->BuildNumber); #endif // DEBUG @@ -108,7 +108,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > PsInitialSystemProcess\n", + "[Shark] < %p > PsInitialSystemProcess\n", Block->PsInitialSystemProcess); #endif // DEBUG @@ -123,7 +123,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > NumberProcessors\n", + "[Shark] < %p > NumberProcessors\n", Block->NumberProcessors); #endif // DEBUG @@ -133,7 +133,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > KeEnterCriticalRegion\n", + "[Shark] < %p > KeEnterCriticalRegion\n", Block->KeEnterCriticalRegion); #endif // DEBUG @@ -143,7 +143,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > KeLeaveCriticalRegion\n", + "[Shark] < %p > KeLeaveCriticalRegion\n", Block->KeLeaveCriticalRegion); #endif // DEBUG @@ -153,7 +153,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > ExAcquireSpinLockShared\n", + "[Shark] < %p > ExAcquireSpinLockShared\n", Block->ExAcquireSpinLockShared); #endif // DEBUG @@ -163,7 +163,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > ExReleaseSpinLockShared\n", + "[Shark] < %p > ExReleaseSpinLockShared\n", Block->ExReleaseSpinLockShared); #endif // DEBUG @@ -173,7 +173,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > DbgPrint\n", + "[Shark] < %p > DbgPrint\n", Block->DbgPrint); #endif // DEBUG @@ -183,7 +183,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > RtlCompareMemory\n", + "[Shark] < %p > RtlCompareMemory\n", Block->RtlCompareMemory); #endif // DEBUG @@ -193,7 +193,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > RtlRestoreContext\n", + "[Shark] < %p > RtlRestoreContext\n", Block->RtlRestoreContext); #endif // DEBUG @@ -203,7 +203,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > ExQueueWorkItem\n", + "[Shark] < %p > ExQueueWorkItem\n", Block->ExQueueWorkItem); #endif // DEBUG @@ -213,7 +213,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > ExFreePoolWithTag\n", + "[Shark] < %p > ExFreePoolWithTag\n", Block->ExFreePoolWithTag); #endif // DEBUG @@ -223,7 +223,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > KeBugCheckEx\n", + "[Shark] < %p > KeBugCheckEx\n", Block->KeBugCheckEx); #endif // DEBUG @@ -233,7 +233,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > ExInterlockedRemoveHeadList\n", + "[Shark] < %p > ExInterlockedRemoveHeadList\n", Block->ExInterlockedRemoveHeadList); #endif // DEBUG @@ -243,7 +243,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > ExAcquireRundownProtection\n", + "[Shark] < %p > ExAcquireRundownProtection\n", Block->ExAcquireRundownProtection); #endif // DEBUG @@ -253,7 +253,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > ExReleaseRundownProtection\n", + "[Shark] < %p > ExReleaseRundownProtection\n", Block->ExReleaseRundownProtection); #endif // DEBUG @@ -263,7 +263,7 @@ InitializeGpBlock( #ifdef DEBUG vDbgPrint( - "[Shark] [PatchGuard] < %p > ExWaitForRundownProtectionRelease\n", + "[Shark] < %p > ExWaitForRundownProtectionRelease\n", Block->ExWaitForRundownProtectionRelease); #endif // DEBUG diff --git a/README.md b/README.md index a332f006..6908c8c7 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -# Celebrating the centenary of the birth of the Communist Party of China. - # Shark Turn off PatchGuard in real time for win7 (7600) ~ later. diff --git a/Shark.v12.suo b/Shark.v12.suo deleted file mode 100644 index f7ca649e..00000000 Binary files a/Shark.v12.suo and /dev/null differ