fixed wrong memmove definition, enabled compiler optimizations, shell functions are now in own section (no more size guessing), removed obsolete stuff, updated shellcodes

Author: Broihon

GH Injector Library/Download Manager.cpp

@@ -0,0 +1,94 @@
+#include "pch.h"
+
+#include "Download Manager.h"
+
+HANDLE DownloadManager::hInterrupEvent = CreateEvent(nullptr, TRUE, FALSE, nullptr);
+
+HRESULT __stdcall DownloadManager::QueryInterface(const IID & riid, void ** ppvObject)
+{
+    UNREFERENCED_PARAMETER(riid);
+    UNREFERENCED_PARAMETER(ppvObject);
+
+    return E_NOINTERFACE;
+}
+
+ULONG __stdcall DownloadManager::AddRef(void)
+{
+    return 1;
+}
+
+ULONG __stdcall DownloadManager::Release(void)
+{
+    return 1;
+}
+
+HRESULT __stdcall DownloadManager::OnStartBinding(DWORD dwReserved, IBinding * pib)
+{
+    UNREFERENCED_PARAMETER(dwReserved);
+    UNREFERENCED_PARAMETER(pib);
+
+    return S_OK;
+}
+
+HRESULT __stdcall DownloadManager::GetPriority(LONG * pnPriority)
+{
+    UNREFERENCED_PARAMETER(pnPriority);
+
+    return S_OK;
+}
+
+HRESULT __stdcall DownloadManager::OnLowResource(DWORD reserved)
+{
+    UNREFERENCED_PARAMETER(reserved);
+
+    return S_OK;
+}
+
+HRESULT __stdcall DownloadManager::OnStopBinding(HRESULT hresult, LPCWSTR szError)
+{
+    UNREFERENCED_PARAMETER(hresult);
+    UNREFERENCED_PARAMETER(szError);
+
+    return S_OK;
+}
+
+HRESULT __stdcall DownloadManager::GetBindInfo(DWORD * grfBINDF, BINDINFO *pbindinfo)
+{
+    UNREFERENCED_PARAMETER(grfBINDF);
+    UNREFERENCED_PARAMETER(pbindinfo);
+
+    return S_OK;
+}
+
+HRESULT __stdcall DownloadManager::OnDataAvailable(DWORD grfBSCF, DWORD dwSize, FORMATETC * pformatetc, STGMEDIUM * pstgmed)
+{
+    UNREFERENCED_PARAMETER(grfBSCF);
+    UNREFERENCED_PARAMETER(dwSize);
+    UNREFERENCED_PARAMETER(pformatetc);
+    UNREFERENCED_PARAMETER(pstgmed);
+
+    return S_OK;
+}
+
+HRESULT __stdcall DownloadManager::OnObjectAvailable(const IID & riid, IUnknown * punk)
+{
+    UNREFERENCED_PARAMETER(riid);
+    UNREFERENCED_PARAMETER(punk);
+
+    return S_OK;
+}
+
+HRESULT __stdcall DownloadManager::OnProgress(ULONG ulProgress, ULONG ulProgressMax, ULONG ulStatusCode, LPCWSTR szStatusText)
+{
+    UNREFERENCED_PARAMETER(ulProgress);
+    UNREFERENCED_PARAMETER(ulProgressMax);
+    UNREFERENCED_PARAMETER(ulStatusCode);
+    UNREFERENCED_PARAMETER(szStatusText);
+
+    if (WaitForSingleObject(hInterrupEvent, 0) == WAIT_OBJECT_0)
+    {
+        return E_ABORT;
+    }
+
+    return S_OK;
+}

GH Injector Library/Download Manager.h

@@ -0,0 +1,37 @@
+//Stolen from here:
+//https://stackoverflow.com/a/5292277
+//by User Hans Passant
+
+#pragma once
+
+#include <windows.h>
+
+class DownloadManager : public IBindStatusCallback
+{
+
+public:
+
+    HRESULT __stdcall QueryInterface(const IID & riid, void ** ppvObject);
+
+    ULONG STDMETHODCALLTYPE AddRef(void);
+
+    ULONG STDMETHODCALLTYPE Release(void);
+
+    virtual HRESULT STDMETHODCALLTYPE OnStartBinding(DWORD dwReserved, IBinding *pib);
+
+    virtual HRESULT STDMETHODCALLTYPE GetPriority(LONG * pnPriority);
+
+    virtual HRESULT STDMETHODCALLTYPE OnLowResource(DWORD reserved);
+
+    virtual HRESULT STDMETHODCALLTYPE OnStopBinding(HRESULT hresult, LPCWSTR szError);
+
+    virtual HRESULT STDMETHODCALLTYPE GetBindInfo(DWORD * grfBINDF, BINDINFO *pbindinfo);
+
+    virtual HRESULT STDMETHODCALLTYPE OnDataAvailable(DWORD grfBSCF, DWORD dwSize, FORMATETC * pformatetc, STGMEDIUM *pstgmed);
+
+    virtual HRESULT STDMETHODCALLTYPE OnObjectAvailable(const IID & riid, IUnknown * punk);
+
+    HRESULT __stdcall OnProgress(ULONG ulProgress, ULONG ulProgressMax, ULONG ulStatusCode, LPCWSTR szStatusText);
+
+    static HANDLE hInterrupEvent;
+};

GH Injector Library/GH Injector Library.vcxproj

@@ -136,10 +136,10 @@
       <TreatWarningAsError>true</TreatWarningAsError>
       <PrecompiledHeader>Use</PrecompiledHeader>
       <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
-      <CallingConvention>StdCall</CallingConvention>
       <LanguageStandard>stdcpp17</LanguageStandard>
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <ControlFlowGuard>false</ControlFlowGuard>
+      <Optimization>MaxSpeed</Optimization>
     </ClCompile>
     <Link>
       <GenerateDebugInformation>false</GenerateDebugInformation>
@@ -157,12 +157,14 @@
       <LanguageStandard>stdcpp17</LanguageStandard>
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <ControlFlowGuard>false</ControlFlowGuard>
+      <Optimization>MaxSpeed</Optimization>
     </ClCompile>
     <Link>
       <GenerateDebugInformation>false</GenerateDebugInformation>
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
+    <ClInclude Include="Download Manager.h" />
     <ClInclude Include="Eject.h" />
     <ClInclude Include="Error.h" />
     <ClInclude Include="Handle Hijacking.h" />
@@ -180,6 +182,7 @@
     <ClInclude Include="WOW64 Shells.h" />
   </ItemGroup>
   <ItemGroup>
+    <ClCompile Include="Download Manager.cpp" />
     <ClCompile Include="Eject.cpp" />
     <ClCompile Include="Handle Hijacking.cpp" />
     <ClCompile Include="Hook Scanner WOW64.cpp" />

GH Injector Library/GH Injector Library.vcxproj.filters

@@ -81,6 +81,9 @@
     <ClInclude Include="WOW64 Shells.h">
       <Filter>Quelldateien\wow64\Injection Methods</Filter>
     </ClInclude>
+    <ClInclude Include="Download Manager.h">
+      <Filter>Headerdateien</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="Handle Hijacking.cpp">
@@ -161,5 +164,8 @@
     <ClCompile Include="Injection Generic WOW64.cpp">
       <Filter>Quelldateien\wow64\Injection Methods</Filter>
     </ClCompile>
+    <ClCompile Include="Download Manager.cpp">
+      <Filter>Quelldateien</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>

GH Injector Library/Injection Generic WOW64.cpp

@@ -93,10 +93,6 @@ DWORD InjectDLL_WOW64(const wchar_t * szDllFile, HANDLE hTargetProc, INJECTION_M
 		return INJ_ERR_WPM_FAIL;
 	}
 
-	printf("LoadLibraryExW: %08X\n", data.f.LoadLibraryExW);
-	printf("LdrLoadDll    : %08X\n", data.f.LdrLoadDll);
-	printf("LdrpLoadDll   : %08X\n", data.f.LdrpLoadDll);
-
 	LOG("Data written\n");
 
 	DWORD remote_ret = 0;

GH Injector Library/Injection Generic.cpp

@@ -3,12 +3,10 @@
 #include "Injection Internal.h"
 #include "Manual Mapping.h"
 
-#pragma optimize("", off)
-
 using namespace NATIVE;
 
-DWORD InjectionShell(INJECTION_DATA_INTERNAL * pData);
-DWORD InjectionShell_End();
+DWORD __declspec(code_seg(".inj_sec$1")) __stdcall InjectionShell(INJECTION_DATA_INTERNAL * pData);
+DWORD __declspec(code_seg(".inj_sec$2")) InjectionShell_End();
 
 DWORD InjectDLL(const wchar_t * szDllFile, HANDLE hTargetProc, INJECTION_MODE Mode, LAUNCH_METHOD Method, DWORD Flags, HINSTANCE & hOut, DWORD Timeout, ERROR_DATA & error_data)
 {
@@ -140,7 +138,7 @@ DWORD InjectDLL(const wchar_t * szDllFile, HANDLE hTargetProc, INJECTION_MODE Mo
 	return INJ_ERR_SUCCESS;
 }
 
-DWORD InjectionShell(INJECTION_DATA_INTERNAL * pData)
+DWORD __declspec(code_seg(".inj_sec$1")) __stdcall InjectionShell(INJECTION_DATA_INTERNAL * pData)
 {
 	if (!pData)
 	{
@@ -318,7 +316,7 @@ DWORD InjectionShell(INJECTION_DATA_INTERNAL * pData)
 	return INJ_ERR_SUCCESS;
 }
 
-DWORD InjectionShell_End()
+DWORD __declspec(code_seg(".inj_sec$2")) InjectionShell_End()
 {
 	return 0;
 }
@@ -342,6 +340,4 @@ INJECTION_FUNCTION_TABLE::INJECTION_FUNCTION_TABLE()
 	NT_FUNC_CONSTRUCTOR_INIT(LdrpModuleBaseAddressIndex);
 	NT_FUNC_CONSTRUCTOR_INIT(LdrpMappingInfoIndex);
 	NT_FUNC_CONSTRUCTOR_INIT(LdrpHeap);
-}
-
-#pragma optimize("", on)
+}

GH Injector Library/Manual Mapping WOW64.cpp

@@ -5,8 +5,6 @@
 #include "Manual Mapping.h"
 #include "WOW64 Shells.h"
 
-#pragma optimize("", off)
-
 using namespace WOW64;
 using namespace MMAP_WOW64;
 
@@ -180,6 +178,4 @@ MANUAL_MAPPING_FUNCTION_TABLE_WOW64::MANUAL_MAPPING_FUNCTION_TABLE_WOW64()
 	WOW64_FUNC_CONSTRUCTOR_INIT(LdrpHeap);
 }
 
-#pragma optimize("", on)
-
 #endif

GH Injector Library/Manual Mapping.cpp

@@ -1,14 +1,11 @@
 #include "pch.h"
 
 #include "Manual Mapping.h"
-
-#pragma optimize("", off)
-
 using namespace NATIVE;
 using namespace MMAP_NATIVE;
 
-DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData);
-DWORD ManualMapping_Shell_End();
+DWORD __declspec(code_seg(".mmap_sec$1")) __stdcall ManualMapping_Shell(MANUAL_MAPPING_DATA * pData);
+DWORD __declspec(code_seg(".mmap_sec$2")) ManualMapping_Shell_End();
 
 DWORD MMAP_NATIVE::ManualMap(const wchar_t * szDllFile, HANDLE hTargetProc, LAUNCH_METHOD Method, DWORD Flags, HINSTANCE & hOut, DWORD Timeout, ERROR_DATA & error_data)
 {
@@ -209,7 +206,7 @@ __forceinline bool InitAnsiString(MANUAL_MAPPING_FUNCTION_TABLE * f, ANSI_STRING
 	return true;
 }
 
-DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
+DWORD __declspec(code_seg(".mmap_sec$1")) __stdcall ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
 {
 	if (!pData)
 	{
@@ -263,7 +260,7 @@ DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
 
 	HANDLE hDllFile = nullptr;
 
-	ntRet = f->NtOpenFile(&hDllFile, FILE_GENERIC_READ, oa, &io_status, FILE_SHARE_READ, 0x20);
+	ntRet = f->NtOpenFile(&hDllFile, FILE_GENERIC_READ, oa, &io_status, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
 
 	DeleteObject(f, oa);
 	DeleteObject(f, DllNtPath.szBuffer);
@@ -802,7 +799,6 @@ DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
 	if ((Flags & INJ_MM_EXECUTE_TLS) && pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size)
 	{
 		auto * pTLS = ReCa<IMAGE_TLS_DIRECTORY*>(pBase + pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
-
 		//LdrpHandleTlsData either crashes or returns STATUS_SUCCESS -> no point in error checking
 		//It also only accesses the DllBase member of the ldr entry thus a dummy entry is sufficient
 
@@ -1041,7 +1037,7 @@ DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
 	return INJ_ERR_SUCCESS;
 }
 
-DWORD ManualMapping_Shell_End()
+DWORD __declspec(code_seg(".mmap_sec$2")) ManualMapping_Shell_End()
 { 
 	return 1; 
 }
@@ -1079,6 +1075,4 @@ MANUAL_MAPPING_FUNCTION_TABLE::MANUAL_MAPPING_FUNCTION_TABLE()
 	NT_FUNC_CONSTRUCTOR_INIT(LdrpHeap);
 
 	pLdrpHeap = nullptr;
-}
-
-#pragma optimize("", on)
+}

GH Injector Library/NT Stuff.h

@@ -25,16 +25,14 @@
 #endif
 
 #define THREAD_CREATE_FLAGS_CREATE_SUSPENDED	0x00000001
-#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH  0x00000002
 #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER	0x00000004
 
 #define OBJ_CASE_INSENSITIVE 0x00000040
 
 #define STATUS_SUCCESS				0x00000000
-#define STATUS_UNSUCCESSFUL			0xC0000001
 #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
 
-#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT   0x00000001
+#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
 
 typedef LONG KPRIORITY;
 
@@ -617,7 +615,7 @@ using f_LdrpHandleTlsData = NTSTATUS (__fastcall*)
 	LDR_DATA_TABLE_ENTRY * pEntry
 );
 
-using f_memmove = VOID (__stdcall*)
+using f_memmove = VOID (__cdecl*)
 (
 	PVOID	UNALIGNED	Destination,
 	LPCVOID	UNALIGNED	Source,

GH Injector Library/NtCreateThreadEx WOW64.cpp

@@ -19,7 +19,8 @@ DWORD SR_NtCreateThreadEx_WOW64(HANDLE hTargetProc, f_Routine_WOW64 pRoutine, DW
 
 		pEntrypoint = pi.GetEntrypoint();
 	}
-	DWORD Flags		= THREAD_CREATE_FLAGS_CREATE_SUSPENDED | THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH | THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER;
+
+	DWORD Flags		= THREAD_CREATE_FLAGS_CREATE_SUSPENDED | THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER;
 	HANDLE hThread	= nullptr;
 
 	void * pMem = VirtualAllocEx(hTargetProc, nullptr, 0x200, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);