Merge pull request #148 from GDATAAdvancedAnalytics/fix-vmprotect

Add compatibility for VMProtect 3.6+

Author: mrexodia

3rdparty/ntdll/ntdll.h

@@ -4535,6 +4535,47 @@ NTSTATUS
 	SIZE_T BufferSize,
 	PSIZE_T NumberOfBytesWritten
 	);
+
+typedef
+NTSTATUS
+(NTAPI
+*t_NtOpenFile)(
+    _Out_ PHANDLE FileHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+    _In_ ULONG ShareAccess,
+    _In_ ULONG OpenOptions
+    );
+
+typedef
+NTSTATUS
+(NTAPI
+*t_NtCreateSection)(
+    _Out_ PHANDLE SectionHandle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+    _In_opt_ PLARGE_INTEGER MaximumSize,
+    _In_ ULONG SectionPageProtection,
+    _In_ ULONG AllocationAttributes,
+    _In_opt_ HANDLE FileHandle
+    );
+
+typedef
+NTSTATUS
+(NTAPI
+*t_NtMapViewOfSection)(
+    _In_ HANDLE SectionHandle,
+    _In_ HANDLE ProcessHandle,
+    _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID* BaseAddress,
+    _In_ ULONG_PTR ZeroBits,
+    _In_ SIZE_T CommitSize,
+    _Inout_opt_ PLARGE_INTEGER SectionOffset,
+    _Inout_ PSIZE_T ViewSize,
+    _In_ SECTION_INHERIT InheritDisposition,
+    _In_ ULONG AllocationType,
+    _In_ ULONG Win32Protect
+    );
 
 // win32k system calls
 // BlockInput

HookLibrary/Export.def

@@ -30,4 +30,7 @@ HookedNtUserGetForegroundWindow
 HookedNtUserQueryWindow
 HookedNtYieldExecution
 HookedOutputDebugStringA
-HookedNtResumeThread
+HookedNtResumeThread
+HookedNtOpenFile
+HookedNtCreateSection
+HookedNtMapViewOfSection

HookLibrary/HookLibrary.vcxproj

@@ -167,6 +167,7 @@
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
+    <ClCompile Include="..\Scylla\VersionPatch.cpp" />
     <ClCompile Include="HookedFunctions.cpp" />
     <ClCompile Include="HookHelper.cpp" />
     <ClCompile Include="DllMain.cpp" />
@@ -175,6 +176,7 @@
     <None Include="Export.def" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="..\Scylla\VersionPatch.h" />
     <ClInclude Include="HookedFunctions.h" />
     <ClInclude Include="HookHelper.h" />
     <ClInclude Include="HookMain.h" />

HookLibrary/HookLibrary.vcxproj.filters

@@ -24,6 +24,9 @@
     <ClCompile Include="DllMain.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\Scylla\VersionPatch.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="Export.def">
@@ -43,6 +46,9 @@
     <ClInclude Include="Tls.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\Scylla\VersionPatch.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <MASM Include="InstrumentationCallbackX86.asm">

HookLibrary/HookMain.h

@@ -116,6 +116,13 @@ typedef struct _HOOK_DLL_DATA {
     t_NtCreateThread dNtCreateThread;
     DWORD NtCreateThreadBackupSize;
 
+    t_NtOpenFile dNtOpenFile;
+    DWORD NtOpenFileBackupSize;
+    t_NtCreateSection dNtCreateSection;
+    DWORD NtCreateSectionBackupSize;
+    t_NtMapViewOfSection dNtMapViewOfSection;
+    DWORD NtMapViewOfSectionBackupSize;
+
 	/////////////////////////////////////////////////////////
 	t_GetTickCount dGetTickCount;
 	DWORD GetTickCountBackupSize;

HookLibrary/HookedFunctions.cpp

@@ -8,6 +8,8 @@ HOOK_DLL_DATA HookDllData = { 0 };
 #include "HookHelper.h"
 #include "Tls.h"
 
+#include "Scylla/VersionPatch.h"
+
 void FakeCurrentParentProcessId(PSYSTEM_PROCESS_INFORMATION pInfo);
 void FakeCurrentOtherOperationCount(PSYSTEM_PROCESS_INFORMATION pInfo);
 void FilterHandleInfo(PSYSTEM_HANDLE_INFORMATION pHandleInfo, PULONG pReturnLengthAdjust);
@@ -1143,3 +1145,107 @@ NTSTATUS NTAPI HookedNtResumeThread(HANDLE ThreadHandle, PULONG PreviousSuspendC
 		return HookDllData.dNtResumeThread(ThreadHandle, PreviousSuspendCount);
 	}
 }
+
+HANDLE hNtdllFile = INVALID_HANDLE_VALUE;
+HANDLE hNtdllSection = INVALID_HANDLE_VALUE;
+
+NTSTATUS NTAPI HookedNtOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions)
+{
+    NTSTATUS status = HookDllData.dNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
+
+    if (NT_SUCCESS(status))
+    {
+        UNICODE_STRING usNtdll;
+        RtlInitUnicodeString(&usNtdll, L"\\ntdll.dll");
+        if (RtlUnicodeStringContains(ObjectAttributes->ObjectName, &usNtdll, TRUE))
+        {
+            hNtdllFile = *FileHandle;
+        }
+    }
+
+    return status;
+}
+
+NTSTATUS NTAPI HookedNtCreateSection(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle)
+{
+    if (AllocationAttributes == SEC_IMAGE_NO_EXECUTE && RtlNtMajorVersion() <= 6 && (RtlNtMajorVersion() < 6 || RtlNtMinorVersion() < 2))
+    {
+        // Fix for VMProtect. It attempts to use SEC_IMAGE_NO_EXECUTE on OSes that don't support it.
+        AllocationAttributes = SEC_IMAGE;
+    }
+    NTSTATUS status = HookDllData.dNtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, SectionPageProtection, AllocationAttributes, FileHandle);
+
+    if (NT_SUCCESS(status) && hNtdllFile != INVALID_HANDLE_VALUE && FileHandle == hNtdllFile)
+    {
+        hNtdllFile = INVALID_HANDLE_VALUE;
+        hNtdllSection = *SectionHandle;
+    }
+
+    return status;
+}
+
+void DestroyMappedNtApi(const char *szProcName, PVOID hRealNtdll, PVOID pMapping)
+{
+    PVOID ProcedureAddress;
+    ANSI_STRING ProcedureName;
+    RtlInitAnsiString(&ProcedureName, (PSTR)szProcName);
+    if (NT_SUCCESS(LdrGetProcedureAddress(hRealNtdll, &ProcedureName, 0, &ProcedureAddress)))
+    {
+        SIZE_T delta = (ULONG_PTR)ProcedureAddress - (ULONG_PTR)hRealNtdll;
+        PUCHAR pMappedApi = (PUCHAR)pMapping + delta;
+
+#ifdef _WIN64
+        if (*(PDWORD)pMappedApi != 0xB8D18B4C) // mov r10,rcx; mov eax, callNr
+            return;
+
+        PVOID ProtAddress = pMappedApi;
+        SIZE_T RegionSize = 5;
+        ULONG OldProtect;
+        if (NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess, &ProtAddress, &RegionSize, PAGE_READWRITE, &OldProtect)))
+        {
+            *(PWORD)pMappedApi = 0x0B0F; // UD2
+            *(PWORD)(pMappedApi + 3) = 0x0B0F; // UD2
+            NtProtectVirtualMemory(NtCurrentProcess, &ProtAddress, &RegionSize, OldProtect, &OldProtect);
+        }
+#else
+        if (*pMappedApi != 0xB8) // mov eax, callNr
+            return;
+
+        PVOID ProtAddress = pMappedApi;
+        SIZE_T RegionSize = 2;
+        ULONG OldProtect;
+        if (NT_SUCCESS(NtProtectVirtualMemory(NtCurrentProcess, &ProtAddress, &RegionSize, PAGE_READWRITE, &OldProtect)))
+        {
+            *(PWORD)pMappedApi = 0x0B0F; // UD2
+            NtProtectVirtualMemory(NtCurrentProcess, &ProtAddress, &RegionSize, OldProtect, &OldProtect);
+        }
+#endif
+    }
+}
+
+NTSTATUS NTAPI HookedNtMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect)
+{
+    NTSTATUS status = HookDllData.dNtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect);
+
+    if (NT_SUCCESS(status) && ProcessHandle == NtCurrentProcess && hNtdllSection != INVALID_HANDLE_VALUE && SectionHandle == hNtdllSection)
+    {
+        hNtdllSection = INVALID_HANDLE_VALUE;
+        ApplyNtdllVersionPatch(ProcessHandle, *BaseAddress);
+
+        // Prevent syscall numbers from being extracted from API code.
+        PVOID hRealNtdll;
+        UNICODE_STRING usNtdll;
+        RtlInitUnicodeString(&usNtdll, L"ntdll.dll");
+        if (NT_SUCCESS(LdrGetDllHandle(NULL, NULL, &usNtdll, &hRealNtdll)))
+        {
+            DestroyMappedNtApi("NtSetInformationProcess", hRealNtdll, *BaseAddress); // If VMProtect can syscall this, it will unset the instrumentation callback.
+            DestroyMappedNtApi("NtQueryInformationProcess", hRealNtdll, *BaseAddress);
+            DestroyMappedNtApi("NtSetInformationThread", hRealNtdll, *BaseAddress);
+            DestroyMappedNtApi("NtQueryInformationThread", hRealNtdll, *BaseAddress);
+            DestroyMappedNtApi("NtQuerySystemInformation", hRealNtdll, *BaseAddress);
+            DestroyMappedNtApi("NtQueryVirtualMemory", hRealNtdll, *BaseAddress);
+        }
+    }
+
+    return status;
+}

HookLibrary/HookedFunctions.h

@@ -68,3 +68,7 @@ VOID NTAPI HookedKiUserExceptionDispatcher();//(PEXCEPTION_RECORD pExcptRec, PCO
 HWND NTAPI HookedNtUserFindWindowEx(HWND hWndParent, HWND hWndChildAfter, PUNICODE_STRING lpszClass, PUNICODE_STRING lpszWindow, DWORD dwType);
 
 NTSTATUS NTAPI HookedNtResumeThread(HANDLE ThreadHandle, PULONG PreviousSuspendCount);
+
+NTSTATUS NTAPI HookedNtOpenFile(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);
+NTSTATUS NTAPI HookedNtCreateSection(PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER MaximumSize, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle);
+NTSTATUS NTAPI HookedNtMapViewOfSection(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, SECTION_INHERIT InheritDisposition, ULONG AllocationType, ULONG Win32Protect);