Fixed dumb issue with function addresses (fuck apphelp and GetProcAddress)

Author: Broihon

GH Injector Library/Hook Scanner.cpp

@@ -27,7 +27,7 @@ static const char nt_functions[][MAX_PATH] =
 	"LdrGetProcedureAddressForCaller",
 	"LdrLockLoaderLock",
 	"LdrUnlockLoaderLock",
-	"RtlMoveMemory",
+	"memmove",
 	"RtlAllocateHeap",
 	"RtlFreeHeap",
 	"RtlHashUnicodeString",

GH Injector Library/Import Handler WOW64.cpp

@@ -133,7 +133,7 @@ DWORD ResolveImports_WOW64(ERROR_DATA & error_data)
 	if (LoadNtSymbolWOW64(S_FUNC(LdrGetDllHandleEx)))				return INJ_ERR_GET_SYMBOL_ADDRESS_FAILED;
 	if (LoadNtSymbolWOW64(S_FUNC(LdrGetProcedureAddress)))			return INJ_ERR_GET_SYMBOL_ADDRESS_FAILED;
 
-	if (LoadNtSymbolWOW64(S_FUNC(RtlMoveMemory)))					return INJ_ERR_GET_SYMBOL_ADDRESS_FAILED;
+	if (LoadNtSymbolWOW64(WOW64::memmove_WOW64, "memmove"))			return INJ_ERR_GET_SYMBOL_ADDRESS_FAILED;
 	if (LoadNtSymbolWOW64(S_FUNC(RtlZeroMemory)))					return INJ_ERR_GET_SYMBOL_ADDRESS_FAILED;
 	if (LoadNtSymbolWOW64(S_FUNC(RtlAllocateHeap)))					return INJ_ERR_GET_SYMBOL_ADDRESS_FAILED;
 	if (LoadNtSymbolWOW64(S_FUNC(RtlFreeHeap)))						return INJ_ERR_GET_SYMBOL_ADDRESS_FAILED;

GH Injector Library/Import Handler.cpp

@@ -6,18 +6,6 @@ using namespace NATIVE;
 
 #define S_FUNC(f) f, #f
 
-template <typename T>
-DWORD LoadExportedFunction(T & Function, const char * szFunction)
-{
-	Function = ReCa<T>(GetProcAddress(g_hNTDLL, szFunction));
-	if (!Function)
-	{
-		return GetLastError();
-	}
-
-	return INJ_ERR_SUCCESS;
-}
-
 template <typename T>
 DWORD LoadNtSymbolNative(T & Function, const char * szFunction)
 {
@@ -41,39 +29,7 @@ DWORD ResolveImports(ERROR_DATA & error_data)
 
 	WIN32_FUNC_INIT(LoadLibraryExW, hK32);
 	WIN32_FUNC_INIT(GetLastError, hK32);
-	if (!NATIVE::pLoadLibraryExW || !NATIVE::pGetLastError) return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-
-	if (LoadExportedFunction(S_FUNC(LdrLoadDll)))					return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-
-	if (LoadExportedFunction(S_FUNC(LdrGetDllHandleEx)))			return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(LdrGetProcedureAddress)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-
-	if (LoadExportedFunction(S_FUNC(NtQueryInformationProcess)))	return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(NtQuerySystemInformation)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(NtQueryInformationThread)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-
-	if (LoadExportedFunction(S_FUNC(RtlMoveMemory)))				return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(RtlZeroMemory)))				return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(RtlAllocateHeap)))				return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(RtlFreeHeap)))					return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-
-	if (LoadExportedFunction(S_FUNC(RtlAnsiStringToUnicodeString))) return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-
-	if (LoadExportedFunction(S_FUNC(RtlRbRemoveNode)))				return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	
-	if (LoadExportedFunction(S_FUNC(NtOpenFile)))					return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(NtReadFile)))					return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(NtSetInformationFile)))			return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(NtQueryInformationFile)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-
-	if (LoadExportedFunction(S_FUNC(NtClose)))						return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-
-	if (LoadExportedFunction(S_FUNC(NtAllocateVirtualMemory)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(NtFreeVirtualMemory)))			return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(NtProtectVirtualMemory)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-
-	if (LoadExportedFunction(S_FUNC(NtCreateThreadEx)))				return INJ_ERR_GET_PROC_ADDRESS_FAIL;
-	if (LoadExportedFunction(S_FUNC(RtlQueueApcWow64Thread)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (!NATIVE::pLoadLibraryExW || !NATIVE::pGetLastError) return INJ_ERR_GET_PROC_ADDRESS_FAIL;	
 
 	if (sym_ntdll_native_ret.wait_for(std::chrono::milliseconds(100)) != std::future_status::ready)
 	{
@@ -90,6 +46,37 @@ DWORD ResolveImports(ERROR_DATA & error_data)
 		return INJ_ERR_SYMBOL_INIT_FAIL;
 	}
 
+	if (LoadNtSymbolNative(S_FUNC(LdrLoadDll)))						return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+
+	if (LoadNtSymbolNative(S_FUNC(LdrGetDllHandleEx)))				return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(LdrGetProcedureAddress)))			return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+
+	if (LoadNtSymbolNative(S_FUNC(NtQueryInformationProcess)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(NtQuerySystemInformation)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(NtQueryInformationThread)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+
+	if (LoadNtSymbolNative(NATIVE::memmove, "memmove"))				return INJ_ERR_GET_PROC_ADDRESS_FAIL; //I hate compilers
+	if (LoadNtSymbolNative(S_FUNC(RtlZeroMemory)))					return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(RtlAllocateHeap)))				return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(RtlFreeHeap)))					return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+
+	if (LoadNtSymbolNative(S_FUNC(RtlAnsiStringToUnicodeString)))	return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+
+	if (LoadNtSymbolNative(S_FUNC(RtlRbRemoveNode)))				return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(NtOpenFile)))						return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(NtReadFile)))						return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(NtSetInformationFile)))			return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(NtQueryInformationFile)))			return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+
+	if (LoadNtSymbolNative(S_FUNC(NtClose)))						return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+
+	if (LoadNtSymbolNative(S_FUNC(NtAllocateVirtualMemory)))		return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(NtFreeVirtualMemory)))			return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(NtProtectVirtualMemory)))			return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+
+	if (LoadNtSymbolNative(S_FUNC(NtCreateThreadEx)))				return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+	if (LoadNtSymbolNative(S_FUNC(RtlQueueApcWow64Thread)))			return INJ_ERR_GET_PROC_ADDRESS_FAIL;
+
 	if (LoadNtSymbolNative(S_FUNC(LdrpLoadDll)))					return INJ_ERR_GET_SYMBOL_ADDRESS_FAILED;
 
 	if (LoadNtSymbolNative(S_FUNC(LdrpPreprocessDllName)))			return INJ_ERR_GET_SYMBOL_ADDRESS_FAILED;

GH Injector Library/Import Handler.h

@@ -38,7 +38,7 @@ namespace NATIVE
 	NT_FUNC(RtlInsertInvertedFunctionTable);
 	NT_FUNC(LdrpHandleTlsData);
 
-	NT_FUNC(RtlMoveMemory);
+	NT_FUNC(memmove);
 	NT_FUNC(RtlZeroMemory);
 	NT_FUNC(RtlAllocateHeap);
 	NT_FUNC(RtlFreeHeap);
@@ -89,7 +89,7 @@ namespace WOW64
 	WOW64_FUNCTION_POINTER(RtlInsertInvertedFunctionTable);
 	WOW64_FUNCTION_POINTER(LdrpHandleTlsData);
 
-	WOW64_FUNCTION_POINTER(RtlMoveMemory);
+	WOW64_FUNCTION_POINTER(memmove);
 	WOW64_FUNCTION_POINTER(RtlZeroMemory);
 	WOW64_FUNCTION_POINTER(RtlAllocateHeap);
 	WOW64_FUNCTION_POINTER(RtlFreeHeap);

GH Injector Library/Injection Generic WOW64.cpp

@@ -160,7 +160,7 @@ INJECTION_FUNCTION_TABLE_WOW64::INJECTION_FUNCTION_TABLE_WOW64()
 
 	WOW64_FUNC_CONSTRUCTOR_INIT(GetLastError);
 
-	WOW64_FUNC_CONSTRUCTOR_INIT(RtlMoveMemory);
+	WOW64_FUNC_CONSTRUCTOR_INIT(memmove);
 	WOW64_FUNC_CONSTRUCTOR_INIT(RtlZeroMemory);
 	WOW64_FUNC_CONSTRUCTOR_INIT(RtlFreeHeap);
 

GH Injector Library/Injection Generic.cpp

@@ -256,7 +256,7 @@ DWORD InjectionShell(INJECTION_DATA_INTERNAL * pData)
 				return INJ_ERR_INVALID_PEB_DATA;
 			}
 
-			f->RtlMoveMemory(base, ntdll_ldr->DllBase, header_size);
+			f->memmove(base, ntdll_ldr->DllBase, header_size);
 		}
 
 		pData->LastError = (DWORD)f->NtProtectVirtualMemory(hProc, &base, &header_size, old_access, &old_access);
@@ -326,7 +326,7 @@ INJECTION_FUNCTION_TABLE::INJECTION_FUNCTION_TABLE()
 
 	WIN32_FUNC_CONSTRUCTOR_INIT(GetLastError);
 
-	NT_FUNC_CONSTRUCTOR_INIT(RtlMoveMemory);
+	NT_FUNC_CONSTRUCTOR_INIT(memmove);
 	NT_FUNC_CONSTRUCTOR_INIT(RtlZeroMemory);
 	NT_FUNC_CONSTRUCTOR_INIT(RtlFreeHeap);
 

GH Injector Library/Injection Internal.h

@@ -12,7 +12,7 @@ ALIGN struct INJECTION_FUNCTION_TABLE
 
 	ALIGN WIN32_FUNC_LOCAL(GetLastError);
 
-	ALIGN NT_FUNC_LOCAL(RtlMoveMemory);
+	ALIGN NT_FUNC_LOCAL(memmove);
 	ALIGN NT_FUNC_LOCAL(RtlZeroMemory);
 	ALIGN NT_FUNC_LOCAL(RtlFreeHeap);
 
@@ -53,7 +53,7 @@ ALIGN_86 struct INJECTION_FUNCTION_TABLE_WOW64
 
 	ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(GetLastError);
 
-	ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(RtlMoveMemory);
+	ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(memmove);
 	ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(RtlZeroMemory);
 	ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(RtlFreeHeap);
 

GH Injector Library/Manual Mapping WOW64.cpp

@@ -160,7 +160,7 @@ MANUAL_MAPPING_FUNCTION_TABLE_WOW64::MANUAL_MAPPING_FUNCTION_TABLE_WOW64()
 	WOW64_FUNC_CONSTRUCTOR_INIT(NtProtectVirtualMemory);
 	WOW64_FUNC_CONSTRUCTOR_INIT(NtFreeVirtualMemory);
 
-	WOW64_FUNC_CONSTRUCTOR_INIT(RtlMoveMemory);
+	WOW64_FUNC_CONSTRUCTOR_INIT(memmove);
 	WOW64_FUNC_CONSTRUCTOR_INIT(RtlZeroMemory);
 	WOW64_FUNC_CONSTRUCTOR_INIT(RtlAllocateHeap);
 	WOW64_FUNC_CONSTRUCTOR_INIT(RtlFreeHeap);

GH Injector Library/Manual Mapping.cpp

@@ -96,6 +96,7 @@ DWORD MMAP_NATIVE::ManualMap(const wchar_t * szDllFile, HANDLE hTargetProc, LAUN
 	}
 
 	LOG("Data written\n");
+	LOG("NtSetInformationFile: %p\n", data.f.NtSetInformationFile);
 
 	DWORD remote_ret = 0;
 	DWORD dwRet = StartRoutine(hTargetProc, ReCa<f_Routine>(pShell), pArg, Method, (Flags & INJ_THREAD_CREATE_CLOAKED) != 0, remote_ret, Timeout, error_data);
@@ -198,7 +199,7 @@ __forceinline bool InitAnsiString(MANUAL_MAPPING_FUNCTION_TABLE * f, ANSI_STRING
 
 	String->Length		= Length;
 	String->MaxLength	= Length + 1 * sizeof(char);
-	f->RtlMoveMemory(String->szBuffer, szString, Length);
+	f->memmove(String->szBuffer, szString, Length);
 
 	return true;
 }
@@ -241,8 +242,8 @@ DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
 	}
 
 	//nt path prefix "\??\"
-	f->RtlMoveMemory(DllNtPath.szBuffer + 0, pData->NtPathPrefix, sizeof(wchar_t[4]));
-	f->RtlMoveMemory(DllNtPath.szBuffer + 4, pData->szPathBuffer, DllNtPath.Length);
+	f->memmove(DllNtPath.szBuffer + 0, pData->NtPathPrefix, sizeof(wchar_t[4]));
+	f->memmove(DllNtPath.szBuffer + 4, pData->szPathBuffer, DllNtPath.Length);
 	DllNtPath.Length += sizeof(wchar_t[4]);
 
 	UNICODE_STRING DllName = pData->DllName;
@@ -294,7 +295,7 @@ DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
 	LARGE_INTEGER ImageSize{ pNtHeaders->OptionalHeader.SizeOfImage };
 
 	DeleteObject(f, Headers);
-	
+
 	auto * fsi = NewObject<FILE_STANDARD_INFO>(f);
 	ntRet = f->NtQueryInformationFile(hDllFile, &io_status, fsi, sizeof(FILE_STANDARD_INFO), FILE_INFORMATION_CLASS::FileStandardInformation);
 	if (NT_FAIL(ntRet))
@@ -335,7 +336,7 @@ DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
 		f->NtFreeVirtualMemory(hProc, ReCa<void**>(&pRawData), &RawSize, MEM_RELEASE);
 		f->NtClose(hDllFile);
 
-		return INJ_MM_ERR_NT_READ_FILE;
+		return INJ_MM_ERR_SET_FILE_POSITION;
 	}
 
 	ntRet = f->NtReadFile(hDllFile, nullptr, nullptr, nullptr, &io_status, pRawData, fsi->AllocationSize.LowPart, nullptr, nullptr);
@@ -373,14 +374,14 @@ DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
 	}
 
 	//copy header and sections
-	f->RtlMoveMemory(pBase, pRawData, pOptionalHeader->SizeOfHeaders);
+	f->memmove(pBase, pRawData, pOptionalHeader->SizeOfHeaders);
 
 	auto * pCurrentSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
 	for (UINT i = 0; i != pFileHeader->NumberOfSections; ++i, ++pCurrentSectionHeader)
 	{
 		if (pCurrentSectionHeader->SizeOfRawData)
 		{
-			f->RtlMoveMemory(pBase + pCurrentSectionHeader->VirtualAddress, pRawData + pCurrentSectionHeader->PointerToRawData, pCurrentSectionHeader->SizeOfRawData);
+			f->memmove(pBase + pCurrentSectionHeader->VirtualAddress, pRawData + pCurrentSectionHeader->PointerToRawData, pCurrentSectionHeader->SizeOfRawData);
 		}
 	}
 
@@ -1003,7 +1004,7 @@ DWORD ManualMapping_Shell(MANUAL_MAPPING_DATA * pData)
 
 			auto * ntdll_ldr = ReCa<LDR_DATA_TABLE_ENTRY*>(pPEB->Ldr->InLoadOrderModuleListHead.Flink->Flink);			
 
-			f->RtlMoveMemory(pBase, ntdll_ldr->DllBase, pOptionalHeader->SizeOfHeaders);
+			f->memmove(pBase, ntdll_ldr->DllBase, pOptionalHeader->SizeOfHeaders);
 		}
 
 		if (Flags & INJ_MM_SET_PAGE_PROTECTIONS)
@@ -1046,7 +1047,7 @@ MANUAL_MAPPING_FUNCTION_TABLE::MANUAL_MAPPING_FUNCTION_TABLE()
 	NT_FUNC_CONSTRUCTOR_INIT(NtProtectVirtualMemory);
 	NT_FUNC_CONSTRUCTOR_INIT(NtFreeVirtualMemory);
 
-	NT_FUNC_CONSTRUCTOR_INIT(RtlMoveMemory);
+	NT_FUNC_CONSTRUCTOR_INIT(memmove);
 	NT_FUNC_CONSTRUCTOR_INIT(RtlZeroMemory);
 	NT_FUNC_CONSTRUCTOR_INIT(RtlAllocateHeap);
 	NT_FUNC_CONSTRUCTOR_INIT(RtlFreeHeap);

GH Injector Library/Manual Mapping.h

@@ -37,7 +37,7 @@ namespace MMAP_NATIVE
 		ALIGN NT_FUNC_LOCAL(NtProtectVirtualMemory);
 		ALIGN NT_FUNC_LOCAL(NtFreeVirtualMemory);
 
-		ALIGN NT_FUNC_LOCAL(RtlMoveMemory);
+		ALIGN NT_FUNC_LOCAL(memmove);
 		ALIGN NT_FUNC_LOCAL(RtlZeroMemory);
 		ALIGN NT_FUNC_LOCAL(RtlAllocateHeap);
 		ALIGN NT_FUNC_LOCAL(RtlFreeHeap);
@@ -100,7 +100,7 @@ namespace MMAP_WOW64
 		ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(NtProtectVirtualMemory);
 		ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(NtFreeVirtualMemory);
 
-		ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(RtlMoveMemory);
+		ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(memmove);
 		ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(RtlZeroMemory);
 		ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(RtlAllocateHeap);
 		ALIGN_86 WOW64_FUNCTION_POINTER_LOCAL(RtlFreeHeap);