diff --git a/dlls/kernelx/dllmain.cpp b/dlls/kernelx/dllmain.cpp index be4328c..1b87572 100644 --- a/dlls/kernelx/dllmain.cpp +++ b/dlls/kernelx/dllmain.cpp @@ -4,50 +4,49 @@ // ReSharper disable CppClangTidyHicppMultiwayPathsCovered // ReSharper disable CppClangTidyClangDiagnosticInconsistentDllimport #include "pch.h" -#include "framework.h" +#include "kernelx.h" + + + +ANSI_STRING* DestinationString; +SYSTEM_BASIC_INFORMATION* System_Info; + +HINSTANCE hModule; + + BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD forwardReason, LPVOID lpvReserved) { + BOOL v4; switch (forwardReason) { case DLL_PROCESS_ATTACH: + + if (NtQuerySystemInformation(SystemBasicInformation, &System_Info, 0x40u, 0LL) >= 0) + { + v4 = true; + if (RtlUnicodeStringToAnsiString(DestinationString OUT, &NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters->CommandLine, true) < 0) + { + DestinationString->Length = 0LL; + DestinationString->Buffer = 0LL; + } + RtlSetUnhandledExceptionFilter(UnhandledExceptionFilter); + } + else + { + v4 = 0; + } + hModule = hInstance; + sub_18001BB8C(); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: + v4 = 1; + sub_18001BCA0(hInstance, forwardReason, lpvReserved); break; } return TRUE; } -void AcquireSRWLockExclusive_X(PSRWLOCK SRWLock) -{ - AcquireSRWLockExclusive(SRWLock); -} -void AcquireSRWLockShared_X(PSRWLOCK SRWLock) -{ - AcquireSRWLockShared(SRWLock); -} - -void EnterCriticalSection_X(LPCRITICAL_SECTION lpCriticalSection) -{ - EnterCriticalSection(lpCriticalSection); -} - -HANDLE GetProcessHeap_X() -{ - return GetProcessHeap(); -} - -// TODO: Need to figure out this function. -PVOID XMemAllocDefault_X(ULONG_PTR a1, UINT64 a2) -{ - return nullptr; -} - - -PVOID XMemAlloc_X(SIZE_T dwSize, ULONGLONG dwAttributes) -{ - return XMemAllocDefault_X(dwSize, dwAttributes); -} \ No newline at end of file diff --git a/dlls/kernelx/framework.h b/dlls/kernelx/framework.h index 54b83e9..5cef8ce 100644 --- a/dlls/kernelx/framework.h 
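Review bot: `NtQuerySystemInformation(SystemBasicInformation, &System_Info, 0x40u, 0LL)` in the DLL_PROCESS_ATTACH branch lets the kernel write 0x40 bytes at `&System_Info`, but `System_Info` is declared a few lines up as a `SYSTEM_BASIC_INFORMATION*` — an 8-byte null pointer — so a successful call overruns into whatever globals follow it; `DestinationString` has the same shape problem, a null `ANSI_STRING*` handed to `RtlUnicodeStringToAnsiString` and then dereferenced in the `< 0` branch. Both should be objects, with the length taken from `sizeof`. There is also no `break;` after `sub_18001BB8C();`, so process attach falls straight through into `sub_18001BCA0(...)`, which in this same commit frees the tables and closes the handles that were just set up; and `v4` is written on every path but never read, so the function returns TRUE even when the query fails. Suggested shape (keep the globals `static` unless another translation unit needs them):

```cpp
static ANSI_STRING DestinationString;            // ANSI copy of the command line; zeroed if conversion fails
static SYSTEM_BASIC_INFORMATION System_Info;     // filled by NtQuerySystemInformation on process attach

// … unchanged: hModule, DllMain signature, switch …
        case DLL_PROCESS_ATTACH:
            if (NtQuerySystemInformation(SystemBasicInformation, &System_Info, sizeof(System_Info), nullptr) >= 0)
            {
                if (RtlUnicodeStringToAnsiString(&DestinationString, &NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters->CommandLine, TRUE) < 0)
                {
                    DestinationString.Length = 0;
                    DestinationString.Buffer = nullptr;
                }
                RtlSetUnhandledExceptionFilter(UnhandledExceptionFilter);
            }
            hModule = hInstance;
            sub_18001BB8C();
            break;  // do not fall through into the detach/cleanup path below
```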
+++ b/dlls/kernelx/framework.h @@ -3,3 +3,4 @@ #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers // Windows Header Files #include +#include diff --git a/dlls/kernelx/kernelx.cpp b/dlls/kernelx/kernelx.cpp new file mode 100644 index 0000000..963d01a --- /dev/null +++ b/dlls/kernelx/kernelx.cpp 
@@ -0,0 +1,259 @@ +// ReSharper disable CppInconsistentNaming +// ReSharper disable CppParameterMayBeConst +// ReSharper disable CppDefaultCaseNotHandledInSwitchStatement +// ReSharper disable CppClangTidyHicppMultiwayPathsCovered +// ReSharper disable CppClangTidyClangDiagnosticInconsistentDllimport +#include "pch.h" +#include "framework.h" +#include "kernelx.h" + + + + +void AcquireSRWLockExclusive_X(PSRWLOCK SRWLock) +{ + AcquireSRWLockExclusive(SRWLock); +} + +void AcquireSRWLockShared_X(PSRWLOCK SRWLock) +{ + AcquireSRWLockShared(SRWLock); +} + +void EnterCriticalSection_X(LPCRITICAL_SECTION lpCriticalSection) +{ + EnterCriticalSection(lpCriticalSection); +} + +HANDLE GetProcessHeap_X() +{ + return GetProcessHeap(); +} + +// TODO: Need to figure out this function. +PVOID XMemAllocDefault_X(ULONG_PTR a1, UINT64 a2) +{ + return nullptr; +} + +PVOID XMemAlloc_X(SIZE_T dwSize, ULONGLONG dwAttributes) +{ + return XMemAllocDefault_X(dwSize, dwAttributes); +} + + + +// !!!!! +// Should be in ntdll.dll reimplementation, right now i'm just testing things with DLLMain entryPoint +PVOID RtlSetUnhandledExceptionFilter(PVOID ExceptionFilter) +{ + return EncodePointer(ExceptionFilter); +} + + + + + + + +// TODO +// absolutely temporary implementation I just want to make it work +// sub_18001BCA0 +char* qword_18002B880; +char* qword_18002B890; +HANDLE qword_18002B820; +HANDLE qword_18002B830; +HANDLE qword_18002B818; +HANDLE qword_18002B850; +HANDLE qword_18002B858; +HANDLE qword_18002B888; +HANDLE P; +char* dword_18002B84C; + +//sub_18001BB8C +int dword_18002BF68; + + +int sub_18001D528() +{ + //TODO +} + +INT16 sub_18001D768() +{ + //TODO +} + +int sub_18001D96C(int v2, unsigned short* codePageData, unsigned int p, bool t,long l) +{ + //TODO +} + +__int64 sub_18001BB8C() +{ + /*unsigned int v0; // ebx + unsigned __int16* AnsiCodePageData; // rdx + int v2; // ecx + PVOID v3; // rbx + HMODULE v4; // rcx + + v0 = 0; + if (!dword_18002B84C) + { + + v0 = sub_18001D528(); + if 
(!v0) + { + v0 = sub_18001D768(); + if (!v0) + { + // not sure + AnsiCodePageData = (unsigned __int16*)NtCurrentTeb()->ProcessEnvironmentBlock->ProcessParameters; + v2 = AnsiCodePageData[1]; + dword_18002BF68 = v2; + v0 = sub_18001D96C(v2, AnsiCodePageData, (unsigned int)&P, 0, 0LL); + if (!v0) + { + RtlAcquireSRWLockExclusive(&unk_18002B838); + qword_18002B828 = sub_18001EB38(127LL); + if (qword_18002B828) + { + RtlReleaseSRWLockExclusive(&unk_18002B838); + qword_18002B990 = 0LL; + qword_18002B980 = 0LL; + word_18002BF64 = 1; + Event = 0LL; + dword_18002B84C = 1; + } + else + { + RtlReleaseSRWLockExclusive(&unk_18002B838); + v3 = P; + v4 = (HMODULE) * ((_QWORD*)P + 8); + if (v4) + FreeLibrary(v4); + RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, v3); + P = 0LL; + return 87; + } + } + } + } + } + return v0;*/ + return 0; +} + + +// absolutely temporary implementation I just want to make it work +// decompilation from ghidra (it looks horrible lol) +NTSTATUS sub_18001BCA0(HINSTANCE hInstance, DWORD forwardReason, LPVOID lpvReserved) +{ + char* v0; // rax + __int64 v1; // rdi + __int64 v2; // rsi + char* v3; // rbx + HMODULE v4; // rcx + char* v5; // rbp + char* v6; // rax + __int64 v7; // rdi + __int64 v8; // rsi + char* v9; // r8 + char* v10; // rbx + PVOID v11; // rbx + HMODULE v12; // rcx + NTSTATUS result; // al + + + v0 = (char*)qword_18002B880; + if (qword_18002B880) + { + v1 = 0LL; + v2 = 197LL; + do + { + v3 = *(char**)&v0[v1]; + if (v3) + { + do + { + v4 = (HMODULE)v3[8]; + v5 = (char*)v3[9]; + if (v4) + FreeLibrary(v4); + HeapFree(GetProcessHeap(), 0, v3); + v3 = v5; + } while (v5); + v0 = (char*)qword_18002B880; + } + v1 += 8LL; + --v2; + } while (v2); + if (v0) + HeapFree(GetProcessHeap(), 0, qword_18002B880); + qword_18002B880 = 0LL; + } + v6 = (char*)qword_18002B890; + v7 = 0LL; + v8 = 128LL; + do + { + v9 = *(char**)&v6[v7]; + if (v9) + { + do + { + v10 = (char*)v9[10]; + HeapFree(GetProcessHeap(), 0, v9); + v9 = v10; + } while (v10); + v6 = 
(char*)qword_18002B890; + } + v7 += 8LL; + --v8; + } while (v8); + if (v6) + HeapFree(GetProcessHeap(), 0, qword_18002B890); + qword_18002B890 = 0LL; + if (qword_18002B888) + HeapFree(GetProcessHeap(), 0, qword_18002B888); + // P ?!? + v11 = P; + qword_18002B888 = 0LL; + v12 = (HMODULE) * ((char*)P + 8); + if (v12) + FreeLibrary(v12); + result = HeapFree(GetProcessHeap(), 0, v11); + P = 0LL; + if (GetModuleHandle) + { + result = NtClose(GetModuleHandle); + } + if (qword_18002B820) + { + result = NtClose(qword_18002B820); + qword_18002B820 = 0LL; + } + if (qword_18002B830) + { + result = NtClose(qword_18002B830); + qword_18002B830 = 0LL; + } + if (qword_18002B818) + { + result = NtClose(qword_18002B818); + qword_18002B818 = 0LL; + } + if (qword_18002B850) + { + result = NtClose(qword_18002B850); + qword_18002B850 = 0LL; + } + if (qword_18002B858) + { + result = NtClose(qword_18002B858); + qword_18002B858 = 0LL; + } + dword_18002B84C = 0; + return result; +} \ No newline at end of file diff --git a/dlls/kernelx/kernelx.h b/dlls/kernelx/kernelx.h new file mode 100644 index 0000000..57c24d9 --- /dev/null +++ b/dlls/kernelx/kernelx.h @@ -0,0 +1,26 @@ +#pragma once + +#include "framework.h" + +// EXE EXPORTS +extern "C" void AcquireSRWLockExclusive_X(PSRWLOCK SRWLock); + +extern "C" void AcquireSRWLockShared_X(PSRWLOCK SRWLock); + +extern "C" void EnterCriticalSection_X(LPCRITICAL_SECTION lpCriticalSection); + +extern "C" HANDLE GetProcessHeap_X(); + +// TODO: Need to figure out this function. +extern "C" PVOID XMemAllocDefault_X(ULONG_PTR a1, UINT64 a2); + +extern "C" PVOID XMemAlloc_X(SIZE_T dwSize, ULONGLONG dwAttributes); + +// EXE EXPORTS END + + +PVOID RtlSetUnhandledExceptionFilter(PVOID ExceptionFilter); + +__int64 sub_18001BB8C(); + +NTSTATUS sub_18001BCA0(HINSTANCE hInstance, DWORD forwardReason, LPVOID lpvReserved); \ No newline at end of file diff --git a/dlls/kernelx/kernelx.vcxproj b/dlls/kernelx/kernelx.vcxproj index dec256a..cc1becd 100644 
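Review bot: In `sub_18001BCA0`, `v3[8]`, `v3[9]` and `v9[10]` index a `char*`, so each reads a single byte and casts it to `HMODULE`/`char*`; the commented-out IDA output for the same object in `sub_18001BB8C` reads `*((_QWORD*)P + 8)` (an 8-byte slot at offset 64), which suggests these were qword indices that the Ghidra paste flattened to byte offsets — as written, `FreeLibrary` receives a one-byte value and the `v3 = v5` walk continues through garbage into `HeapFree`. The same function dereferences `P` unconditionally in `*((char*)P + 8)` although nothing in this file ever assigns `P` anything but `0LL`, and `if (GetModuleHandle)` tests the address of a function (always true) before handing it to `NtClose`. Separately, `sub_18001D528`, `sub_18001D768` and `sub_18001D96C` are non-void functions whose bodies are only `//TODO`, so any caller reads an indeterminate return value; give them `return 0;` (or `STATUS_NOT_IMPLEMENTED`) until they are filled in. A sketch of the first table walk with explicit slot reads (slot indices assumed from the IDA comment — confirm against the binary):

```cpp
    if (qword_18002B880)
    {
        for (size_t slot = 0; slot < 197; ++slot)
        {
            char* entry = ((char**)qword_18002B880)[slot];
            while (entry)
            {
                HMODULE mod = *(HMODULE*)(entry + 8 * sizeof(void*));  // was v3[8]: read one byte
                char* next  = *(char**)(entry + 9 * sizeof(void*));    // was v3[9]: read one byte
                if (mod)
                    FreeLibrary(mod);
                HeapFree(GetProcessHeap(), 0, entry);
                entry = next;
            }
        }
        HeapFree(GetProcessHeap(), 0, qword_18002B880);
        qword_18002B880 = 0LL;
    }
    // … unchanged: second table (qword_18002B890) walk, same fix with slot index 10 …
    if (P)  // P is only ever zeroed in this file; guard the field read
    {
        HMODULE mod = *(HMODULE*)((char*)P + 8 * sizeof(void*));
        if (mod)
            FreeLibrary(mod);
        result = HeapFree(GetProcessHeap(), 0, P);
        P = 0LL;
    }
    // … unchanged: NtClose of qword_18002B820 … qword_18002B858, dword_18002B84C = 0 …
```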
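Review bot: `XMemAllocDefault_X(ULONG_PTR a1, UINT64 a2)` and `XMemAlloc_X(SIZE_T dwSize, ULONGLONG dwAttributes)` describe the same two arguments with different names and spellings of the types, and the only caller forwards one into the other; `extern "C" PVOID XMemAllocDefault_X(SIZE_T dwSize, ULONGLONG dwAttributes);` keeps the pair in step. The header also publishes `RtlSetUnhandledExceptionFilter` under the real ntdll export name while the kernelx.cpp body only returns `EncodePointer(ExceptionFilter)` and installs nothing; a comment such as `// Stub: encodes the pointer but does not register a filter (see kernelx.cpp)` would stop a reader from assuming ntdll semantics, especially now that `ntdll.lib` is linked by the project.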
--- a/dlls/kernelx/kernelx.vcxproj +++ b/dlls/kernelx/kernelx.vcxproj @@ -83,6 +83,7 @@ Windows true false + Exports.def @@ -102,6 +103,7 @@ true true false + Exports.def @@ -117,6 +119,7 @@ Windows true false + Exports.def @@ -136,14 +139,18 @@ true true false + ntdll.lib;%(AdditionalDependencies) + Exports.def + + Create Create @@ -152,10 +159,10 @@ - + - + diff --git a/dlls/ntdll/dllmain.cpp b/dlls/ntdll/dllmain.cpp deleted file mode 100644 index 6de40c6..0000000 --- a/dlls/ntdll/dllmain.cpp +++ /dev/null 
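Review bot: `ntdll.lib;%(AdditionalDependencies)` is added to only one of the four Link groups that receive the `Exports.def` module-definition line, yet the new kernelx.cpp and dllmain.cpp call `NtQuerySystemInformation`, `NtClose` and `RtlUnicodeStringToAnsiString` in every configuration, so the other three will presumably fail to link unless they inherit the library from a property sheet not shown here. Add `<AdditionalDependencies>ntdll.lib;%(AdditionalDependencies)</AdditionalDependencies>` to each of those Link groups next to the `Exports.def` entry. `Exports.def` itself is referenced but is not part of this diff — confirm it is already tracked in the repository.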
@@ -1,66 +0,0 @@ -// ReSharper disable CppInconsistentNaming -// ReSharper disable CppParameterMayBeConst -// ReSharper disable CppDefaultCaseNotHandledInSwitchStatement -// ReSharper disable CppClangTidyHicppMultiwayPathsCovered -// ReSharper disable CppClangTidyClangDiagnosticInconsistentDllimport -#include "pch.h" -#include "framework.h" - -BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD forwardReason, LPVOID lpvReserved) -{ - switch (forwardReason) - { - case DLL_PROCESS_ATTACH: - case DLL_THREAD_ATTACH: - case DLL_THREAD_DETACH: - case DLL_PROCESS_DETACH: - break; - } - - return TRUE; -} - -// TODO: I'm not sure what the return type or parameters are for this function. - - -/* -__int64 __fastcall TpSetPoolAffinityMask(__int64 a1, __int64 a2) -{ - __int64 result; // rax - __int64 v5; // rax - _BYTE v6[16]; // [rsp+30h] [rbp-38h] BYREF - __int64 v7; // [rsp+40h] [rbp-28h] - - if ( !a2 ) - return 3221225485LL; - result = ZwQueryInformationProcess(-1LL, 0LL, v6, 48LL, 0LL); - if ( (int)result >= 0 ) - { - if ( (a2 & v7) != a2 ) - return 3221225485LL; - if ( a1 ) - { - _InterlockedExchange64((volatile __int64 *)(a1 + 456), a2); - } - else - { - RtlAcquireSRWLockExclusive(&unk_18009DB38); - qword_18009DB28 = a2; - RtlReleaseSRWLockExclusive(&unk_18009DB38); - v5 = sub_18005E18C(); - if ( v5 ) - { - TpSetPoolAffinityMask(v5, a2); - sub_18005E0E8(&qword_18009DB30, &unk_18009DB38); - } - } - return 0LL; - } - return result; -} -*/ - -void TpSetPoolAffinityMask_X() -{ - // TODO: This needs an implementation. -} \ No newline at end of file diff --git a/dlls/ntdll/ntdll.vcxproj b/dlls/ntdll/ntdll.vcxproj index 9ea6ba5..a29c71b 100644 --- a/dlls/ntdll/ntdll.vcxproj +++ b/dlls/ntdll/ntdll.vcxproj @@ -22,7 +22,6 @@ - diff --git a/dlls/ntdll/ntdll.vcxproj.filters b/dlls/ntdll/ntdll.vcxproj.filters index 030a6e2..8a580e9 100644 --- a/dlls/ntdll/ntdll.vcxproj.filters +++ b/dlls/ntdll/ntdll.vcxproj.filters @@ -4,7 +4,6 @@ -