ayoubfaouzi
diff --git a/‎al-khaser/AntiDebug/ScanForModules.cpp‎
Lines changed: 18 additions & 20 deletions b/‎al-khaser/AntiDebug/ScanForModules.cpp‎
Lines changed: 18 additions & 20 deletions
@@ -99,7 +99,7 @@ bool IsBadLibrary(TCHAR* filename, DWORD filenameLength)
 
 #ifdef _X86_
 	TCHAR syswow64Path[MAX_PATH];
-	SHGetFolderPath (NULL, CSIDL_SYSTEMX86, NULL, 0, syswow64Path);
+	SHGetFolderPath(NULL, CSIDL_SYSTEMX86, NULL, 0, syswow64Path);
 	StringCbCat(syswow64Path, MAX_PATH, _T("\\"));
 	size_t syswow64PathLength = 0;
 	StringCbLength(syswow64Path, MAX_PATH, &syswow64PathLength);
@@ -120,7 +120,7 @@ bool IsBadLibrary(TCHAR* filename, DWORD filenameLength)
 
 			//printf("systemDriveDevice: %S (%d)\n", systemDriveDevice, systemDriveDevicelength);
 
-			if (StrNCmpI(systemDriveDevice, filename, (int)(min(systemDriveDevicelength, filenameLength) / sizeof(TCHAR)) ) == 0)
+			if (StrNCmpI(systemDriveDevice, filename, (int)(min(systemDriveDevicelength, filenameLength) / sizeof(TCHAR))) == 0)
 			{
 				// path matched the NT file path
 				return false;
@@ -132,14 +132,14 @@ bool IsBadLibrary(TCHAR* filename, DWORD filenameLength)
 
 			//printf("systemRootPath: %S (%d)\n", systemRootPath, systemRootPathLength);
 
-			if (StrNCmpI(systemRootPath, normalisedPath, (int)(min(systemRootPathLength, normalisedPathLength) / sizeof(TCHAR)) ) == 0)
+			if (StrNCmpI(systemRootPath, normalisedPath, (int)(min(systemRootPathLength, normalisedPathLength) / sizeof(TCHAR))) == 0)
 			{
 				// path matched the regular system path
 				return false;
 			}
 
 #ifdef _X86_
-			if (IsWoW64() && StrNCmpI(syswow64Path, normalisedPath, (int)(min(syswow64PathLength, normalisedPathLength) / sizeof(TCHAR)) ) == 0)
+			if (IsWoW64() && StrNCmpI(syswow64Path, normalisedPath, (int)(min(syswow64PathLength, normalisedPathLength) / sizeof(TCHAR))) == 0)
 			{
 				// path matched the wow64 system path
 				return false;
@@ -164,15 +164,15 @@ BOOL ScanForModules_EnumProcessModulesEx_Internal(DWORD moduleFlag)
 	DWORD currentSize = 1024 * sizeof(HMODULE);
 	DWORD requiredSize = 0;
 	bool anyBadLibs = false;
-	
+
 	// the EnumProcessModulesEx API was moved from psapi.dll into kernel32.dll for Windows 7, then back out afterwards.
 	// check for availability of either.
 	if (!API::IsAvailable(API_EnumProcessModulesEx_PSAPI) && !API::IsAvailable(API_EnumProcessModulesEx_Kernel))
 	{
 		// neither available
 		return FALSE;
 	}
-	
+
 	// API is available in one of the two libraries, use whichever is available.
 	pEnumProcessModulesEx fnEnumProcessModulesEx;
 	if (API::IsAvailable(API_EnumProcessModulesEx_PSAPI))
@@ -235,7 +235,7 @@ BOOL ScanForModules_EnumProcessModulesEx_32bit()
 
 BOOL ScanForModules_EnumProcessModulesEx_64bit()
 {
-	
+
 	return ScanForModules_EnumProcessModulesEx_Internal(LIST_MODULES_64BIT);
 }
 
@@ -270,7 +270,7 @@ BOOL ScanForModules_MemoryWalk_GMI()
 
 		//printf("Scanning %p - %p ...\n", addr, regionEnd);
 
-		while(addr < regionEnd)
+		while (addr < regionEnd)
 		{
 			bool skippedForward = false;
 			if (VirtualQuery(addr, &memInfo, sizeof(MEMORY_BASIC_INFORMATION)) >= sizeof(MEMORY_BASIC_INFORMATION))
@@ -338,16 +338,16 @@ BOOL ScanForModules_MemoryWalk_Hidden()
 		while (addr < regionEnd)
 		{
 			bool skippedForward = false;
-			
+
 			if (GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, (TCHAR*)addr, &moduleHandle) == FALSE)
 			{
 				// not a known module
 				if ((region->State & MEM_COMMIT) == MEM_COMMIT &&
 					((region->Protect == PAGE_READONLY) ||
-					(region->Protect == PAGE_READWRITE) || 
-					(region->Protect == PAGE_EXECUTE_READ) || 
-					(region->Protect == PAGE_EXECUTE_READWRITE) || 
-					(region->Protect == PAGE_EXECUTE_WRITECOPY)))
+						(region->Protect == PAGE_READWRITE) ||
+						(region->Protect == PAGE_EXECUTE_READ) ||
+						(region->Protect == PAGE_EXECUTE_READWRITE) ||
+						(region->Protect == PAGE_EXECUTE_WRITECOPY)))
 				{
 					auto moduleData = static_cast<PBYTE>(region->BaseAddress);
 					if (moduleData[0] == 'M' && moduleData[1] == 'Z')
@@ -385,7 +385,7 @@ BOOL ScanForModules_MemoryWalk_Hidden()
 				}
 			}
 
-			SecureZeroMemory(moduleName, sizeof(TCHAR)*MAX_PATH);
+			SecureZeroMemory(moduleName, sizeof(TCHAR) * MAX_PATH);
 			DWORD len;
 			if ((len = GetMappedFileName(GetCurrentProcess(), region->AllocationBase, moduleName, MAX_PATH)) > 0)
 			{
@@ -413,7 +413,6 @@ BOOL ScanForModules_MemoryWalk_Hidden()
 BOOL ScanForModules_DotNetModuleStructures()
 {
 	HMODULE moduleHandle = 0;
-	TCHAR moduleName[MAX_PATH];
 
 	auto memoryRegions = enumerate_memory();
 
@@ -517,8 +516,7 @@ std::vector<LDR_DATA_TABLE_ENTRY*>* WalkLDR(PPEB_LDR_DATA ldrData)
 			printf(" [!] Error reading entry.\n");
 			break;
 		}
-	}
-	while (node != head);
+	} while (node != head);
 
 	entryList->pop_back();
 
@@ -603,7 +601,7 @@ BOOL ScanForModules_LDR_Direct()
 			{
 				PPEB64 peb64 = reinterpret_cast<PPEB64>(GetPeb64());
 				PEB_LDR_DATA64 ldrData = { 0 };
-				
+
 				if (peb64 && attempt_to_read_memory_wow64(&ldrData, sizeof(PEB_LDR_DATA64), peb64->Ldr))
 				{
 					auto ldrEntries = WalkLDR(&ldrData);
@@ -623,7 +621,7 @@ BOOL ScanForModules_LDR_Direct()
 						{
 							printf(" [!] Failed to read module name at %llx.\n", reinterpret_cast<ULONGLONG>(ldrEntry->FullDllName.Buffer));
 						}
-						delete [] dllNameBuffer;
+						delete[] dllNameBuffer;
 						delete ldrEntry;
 					}
 					delete ldrEntries;
@@ -635,7 +633,7 @@ BOOL ScanForModules_LDR_Direct()
 	return anyBadLibs ? TRUE : FALSE;
 }
 
-VOID NTAPI LdrEnumCallback(_In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, _In_ PVOID Parameter, _Out_ BOOLEAN *Stop)
+VOID NTAPI LdrEnumCallback(_In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, _In_ PVOID Parameter, _Out_ BOOLEAN* Stop)
 {
 	// add ldr entry to table from param
 	auto ldtEntries = static_cast<std::vector<LDR_DATA_TABLE_ENTRY>*>(Parameter);
Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ bool IsBadLibrary(TCHAR* filename, DWORD filenameLength)`
`99`	`99`
`100`	`100`	`#ifdef _X86_`
`101`	`101`	`TCHAR syswow64Path[MAX_PATH];`
`102`		`- SHGetFolderPath (NULL, CSIDL_SYSTEMX86, NULL, 0, syswow64Path);`
	`102`	`+ SHGetFolderPath(NULL, CSIDL_SYSTEMX86, NULL, 0, syswow64Path);`
`103`	`103`	`StringCbCat(syswow64Path, MAX_PATH, _T("\\"));`
`104`	`104`	`size_t syswow64PathLength = 0;`
`105`	`105`	`StringCbLength(syswow64Path, MAX_PATH, &syswow64PathLength);`
`@@ -120,7 +120,7 @@ bool IsBadLibrary(TCHAR* filename, DWORD filenameLength)`
`120`	`120`
`121`	`121`	`//printf("systemDriveDevice: %S (%d)\n", systemDriveDevice, systemDriveDevicelength);`
`122`	`122`
`123`		`- if (StrNCmpI(systemDriveDevice, filename, (int)(min(systemDriveDevicelength, filenameLength) / sizeof(TCHAR)) ) == 0)`
	`123`	`+ if (StrNCmpI(systemDriveDevice, filename, (int)(min(systemDriveDevicelength, filenameLength) / sizeof(TCHAR))) == 0)`
`124`	`124`	`{`
`125`	`125`	`// path matched the NT file path`
`126`	`126`	`return false;`
`@@ -132,14 +132,14 @@ bool IsBadLibrary(TCHAR* filename, DWORD filenameLength)`
`132`	`132`
`133`	`133`	`//printf("systemRootPath: %S (%d)\n", systemRootPath, systemRootPathLength);`
`134`	`134`
`135`		`- if (StrNCmpI(systemRootPath, normalisedPath, (int)(min(systemRootPathLength, normalisedPathLength) / sizeof(TCHAR)) ) == 0)`
	`135`	`+ if (StrNCmpI(systemRootPath, normalisedPath, (int)(min(systemRootPathLength, normalisedPathLength) / sizeof(TCHAR))) == 0)`
`136`	`136`	`{`
`137`	`137`	`// path matched the regular system path`
`138`	`138`	`return false;`
`139`	`139`	`}`
`140`	`140`
`141`	`141`	`#ifdef _X86_`
`142`		`- if (IsWoW64() && StrNCmpI(syswow64Path, normalisedPath, (int)(min(syswow64PathLength, normalisedPathLength) / sizeof(TCHAR)) ) == 0)`
	`142`	`+ if (IsWoW64() && StrNCmpI(syswow64Path, normalisedPath, (int)(min(syswow64PathLength, normalisedPathLength) / sizeof(TCHAR))) == 0)`
`143`	`143`	`{`
`144`	`144`	`// path matched the wow64 system path`
`145`	`145`	`return false;`
`@@ -164,15 +164,15 @@ BOOL ScanForModules_EnumProcessModulesEx_Internal(DWORD moduleFlag)`
`164`	`164`	`DWORD currentSize = 1024 * sizeof(HMODULE);`
`165`	`165`	`DWORD requiredSize = 0;`
`166`	`166`	`bool anyBadLibs = false;`
`167`		`-`
	`167`	`+`
`168`	`168`	`// the EnumProcessModulesEx API was moved from psapi.dll into kernel32.dll for Windows 7, then back out afterwards.`
`169`	`169`	`// check for availability of either.`
`170`	`170`	`if (!API::IsAvailable(API_EnumProcessModulesEx_PSAPI) && !API::IsAvailable(API_EnumProcessModulesEx_Kernel))`
`171`	`171`	`{`
`172`	`172`	`// neither available`
`173`	`173`	`return FALSE;`
`174`	`174`	`}`
`175`		`-`
	`175`	`+`
`176`	`176`	`// API is available in one of the two libraries, use whichever is available.`
`177`	`177`	`pEnumProcessModulesEx fnEnumProcessModulesEx;`
`178`	`178`	`if (API::IsAvailable(API_EnumProcessModulesEx_PSAPI))`
`@@ -235,7 +235,7 @@ BOOL ScanForModules_EnumProcessModulesEx_32bit()`
`235`	`235`
`236`	`236`	`BOOL ScanForModules_EnumProcessModulesEx_64bit()`
`237`	`237`	`{`
`238`		`-`
	`238`	`+`
`239`	`239`	`return ScanForModules_EnumProcessModulesEx_Internal(LIST_MODULES_64BIT);`
`240`	`240`	`}`
`241`	`241`
`@@ -270,7 +270,7 @@ BOOL ScanForModules_MemoryWalk_GMI()`
`270`	`270`
`271`	`271`	`//printf("Scanning %p - %p ...\n", addr, regionEnd);`
`272`	`272`
`273`		`- while(addr < regionEnd)`
	`273`	`+ while (addr < regionEnd)`
`274`	`274`	`{`
`275`	`275`	`bool skippedForward = false;`
`276`	`276`	`if (VirtualQuery(addr, &memInfo, sizeof(MEMORY_BASIC_INFORMATION)) >= sizeof(MEMORY_BASIC_INFORMATION))`
`@@ -338,16 +338,16 @@ BOOL ScanForModules_MemoryWalk_Hidden()`
`338`	`338`	`while (addr < regionEnd)`
`339`	`339`	`{`
`340`	`340`	`bool skippedForward = false;`
`341`		`-`
	`341`	`+`
`342`	`342`	`if (GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS \| GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, (TCHAR*)addr, &moduleHandle) == FALSE)`
`343`	`343`	`{`
`344`	`344`	`// not a known module`
`345`	`345`	`if ((region->State & MEM_COMMIT) == MEM_COMMIT &&`
`346`	`346`	`((region->Protect == PAGE_READONLY) \|\|`
`347`		`- (region->Protect == PAGE_READWRITE) \|\|`
`348`		`- (region->Protect == PAGE_EXECUTE_READ) \|\|`
`349`		`- (region->Protect == PAGE_EXECUTE_READWRITE) \|\|`
`350`		`- (region->Protect == PAGE_EXECUTE_WRITECOPY)))`
	`347`	`+ (region->Protect == PAGE_READWRITE) \|\|`
	`348`	`+ (region->Protect == PAGE_EXECUTE_READ) \|\|`
	`349`	`+ (region->Protect == PAGE_EXECUTE_READWRITE) \|\|`
	`350`	`+ (region->Protect == PAGE_EXECUTE_WRITECOPY)))`
`351`	`351`	`{`
`352`	`352`	`auto moduleData = static_cast<PBYTE>(region->BaseAddress);`
`353`	`353`	`if (moduleData[0] == 'M' && moduleData[1] == 'Z')`
`@@ -385,7 +385,7 @@ BOOL ScanForModules_MemoryWalk_Hidden()`
`385`	`385`	`}`
`386`	`386`	`}`
`387`	`387`
`388`		`- SecureZeroMemory(moduleName, sizeof(TCHAR)*MAX_PATH);`
	`388`	`+ SecureZeroMemory(moduleName, sizeof(TCHAR) * MAX_PATH);`
`389`	`389`	`DWORD len;`
`390`	`390`	`if ((len = GetMappedFileName(GetCurrentProcess(), region->AllocationBase, moduleName, MAX_PATH)) > 0)`
`391`	`391`	`{`
`@@ -413,7 +413,6 @@ BOOL ScanForModules_MemoryWalk_Hidden()`
`413`	`413`	`BOOL ScanForModules_DotNetModuleStructures()`
`414`	`414`	`{`
`415`	`415`	`HMODULE moduleHandle = 0;`
`416`		`- TCHAR moduleName[MAX_PATH];`
`417`	`416`
`418`	`417`	`auto memoryRegions = enumerate_memory();`
`419`	`418`
`@@ -517,8 +516,7 @@ std::vector<LDR_DATA_TABLE_ENTRY> WalkLDR(PPEB_LDR_DATA ldrData)`
`517`	`516`	`printf(" [!] Error reading entry.\n");`
`518`	`517`	`break;`
`519`	`518`	`}`
`520`		`- }`
`521`		`- while (node != head);`
	`519`	`+ } while (node != head);`
`522`	`520`
`523`	`521`	`entryList->pop_back();`
`524`	`522`
`@@ -603,7 +601,7 @@ BOOL ScanForModules_LDR_Direct()`
`603`	`601`	`{`
`604`	`602`	`PPEB64 peb64 = reinterpret_cast<PPEB64>(GetPeb64());`
`605`	`603`	`PEB_LDR_DATA64 ldrData = { 0 };`
`606`		`-`
	`604`	`+`
`607`	`605`	`if (peb64 && attempt_to_read_memory_wow64(&ldrData, sizeof(PEB_LDR_DATA64), peb64->Ldr))`
`608`	`606`	`{`
`609`	`607`	`auto ldrEntries = WalkLDR(&ldrData);`
`@@ -623,7 +621,7 @@ BOOL ScanForModules_LDR_Direct()`
`623`	`621`	`{`
`624`	`622`	`printf(" [!] Failed to read module name at %llx.\n", reinterpret_cast<ULONGLONG>(ldrEntry->FullDllName.Buffer));`
`625`	`623`	`}`
`626`		`- delete [] dllNameBuffer;`
	`624`	`+ delete[] dllNameBuffer;`
`627`	`625`	`delete ldrEntry;`
`628`	`626`	`}`
`629`	`627`	`delete ldrEntries;`
`@@ -635,7 +633,7 @@ BOOL ScanForModules_LDR_Direct()`
`635`	`633`	`return anyBadLibs ? TRUE : FALSE;`
`636`	`634`	`}`
`637`	`635`
`638`		`-VOID NTAPI LdrEnumCallback(_In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, _In_ PVOID Parameter, _Out_ BOOLEAN *Stop)`
	`636`	`+VOID NTAPI LdrEnumCallback(_In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, _In_ PVOID Parameter, _Out_ BOOLEAN* Stop)`
`639`	`637`	`{`
`640`	`638`	`// add ldr entry to table from param`
`641`	`639`	`auto ldtEntries = static_cast<std::vector<LDR_DATA_TABLE_ENTRY>*>(Parameter);`