From 5a4e947354c70c1941368f3f6cf289f10c13aa1d Mon Sep 17 00:00:00 2001
From: Kevin Trocolli
Date: Fri, 15 Sep 2023 19:52:26 -0400
Subject: [PATCH 1/3] carol: use createprocess hook
---
 carolhook/controlbd.c | 88 ------------------------------------------
 carolhook/dllmain.c | 8 +++-
 2 files changed, 7 insertions(+), 89 deletions(-)
diff --git a/carolhook/controlbd.c b/carolhook/controlbd.c
index a59fe65..63a65f4 100644
--- a/carolhook/controlbd.c
+++ b/carolhook/controlbd.c
@@ -8,8 +8,6 @@
 #include "hook/iobuf.h"
 #include "hook/iohook.h"
-#include "hook/table.h"
-
 #include "carolhook/carol-dll.h"
 #include "carolhook/controlbd.h"
@@ -38,39 +36,6 @@ static struct uart controlbd_uart;
 static uint8_t controlbd_written_bytes[520];
 static uint8_t controlbd_readable_bytes[520];
-static BOOL WINAPI my_CreateProcessA(
- LPCSTR lpApplicationName,
- LPSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles,
- DWORD dwCreationFlags,
- LPVOID lpEnvironment,
- LPCSTR lpCurrentDirectory,
- LPSTARTUPINFOA lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation
-);
-static BOOL (WINAPI *next_CreateProcessA)(
- LPCSTR lpApplicationName,
- LPSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles,
- DWORD dwCreationFlags,
- LPVOID lpEnvironment,
- LPCSTR lpCurrentDirectory,
- LPSTARTUPINFOA lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation
-);
-
-static const struct hook_symbol win32_hooks[] = {
- {
- .name = "CreateProcessA",
- .patch = my_CreateProcessA,
- .link = (void **) &next_CreateProcessA
- }
-};
-
 HRESULT controlbd_hook_init(const struct controlbd_config *cfg)
 {
 if (!cfg->enable) {
@@ -85,12 +50,6 @@ HRESULT controlbd_hook_init(const struct controlbd_config *cfg)
 controlbd_uart.readable.bytes = controlbd_readable_bytes;
 controlbd_uart.readable.nbytes = sizeof(controlbd_readable_bytes);
- hook_table_apply(
- NULL,
- "kernel32.dll",
- win32_hooks,
- _countof(win32_hooks));
-
 dprintf("Control Board: Init\n");
 return iohook_push_handler(controlbd_handle_irp);
@@ -378,50 +337,3 @@ static HRESULT controlbd_req_ack_any(uint8_t cmd)
 return iobuf_write(&controlbd_uart.readable, &resp, sizeof(resp));
 }
-
-static BOOL WINAPI my_CreateProcessA(
- LPCSTR lpApplicationName,
- LPSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles,
- DWORD dwCreationFlags,
- LPVOID lpEnvironment,
- LPCSTR lpCurrentDirectory,
- LPSTARTUPINFOA lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation
-)
-{
- dprintf("Control Board: my_CreateProcessA Hit! %s\n", lpCommandLine);
- if (strncmp(".\\15312firm\\firmupdate_1113.exe", lpCommandLine, 31)) {
- return next_CreateProcessA(
- lpApplicationName,
- lpCommandLine,
- lpProcessAttributes,
- lpThreadAttributes,
- bInheritHandles,
- dwCreationFlags,
- lpEnvironment,
- lpCurrentDirectory,
- lpStartupInfo,
- lpProcessInformation
- );
- }
-
- dprintf("Control Board: Hooking child process\n");
- char new_cmd[MAX_PATH] = "inject -d -k carolhook.dll ";
- strcat_s(new_cmd, MAX_PATH, lpCommandLine);
-
- return next_CreateProcessA(
- lpApplicationName,
- new_cmd,
- lpProcessAttributes,
- lpThreadAttributes,
- bInheritHandles,
- dwCreationFlags,
- lpEnvironment,
- lpCurrentDirectory,
- lpStartupInfo,
- lpProcessInformation
- );
-}
\ No newline at end of file
diff --git a/carolhook/dllmain.c b/carolhook/dllmain.c
index 55608c7..a80ea07 100644
--- a/carolhook/dllmain.c
+++ b/carolhook/dllmain.c
@@ -19,6 +19,7 @@
 #include "hooklib/serial.h"
 #include "hooklib/spike.h"
+#include "hooklib/createprocess.h"
 #include "platform/platform.h"
@@ -122,7 +123,12 @@ static DWORD CALLBACK carol_pre_startup(void)
 if (FAILED(hr)) {
 goto fail;
 }
-
+
+ hr = createprocess_push_hook_a(".\\15312firm\\firmupdate_1113.exe", "inject -d -k carolhook.dll ", NULL);
+
+ if (FAILED(hr)) {
+ goto fail;
+ }
 /* Initialize debug helpers */
 spike_hook_init(L".\\segatools.ini");
From 528ec4379c0740cea9fed3545798eba1f20c36e2 Mon Sep 17 00:00:00 2001
From: Kevin Trocolli
Date: Fri, 15 Sep 2023 19:57:11 -0400
Subject: [PATCH 2/3] createprocess: add replace_all flag
---
 carolhook/dllmain.c | 2 +-
 hooklib/createprocess.c | 19 ++++++++++++-------
 hooklib/createprocess.h | 13 +++++--------
 3 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/carolhook/dllmain.c b/carolhook/dllmain.c
index a80ea07..eca445b 100644
--- a/carolhook/dllmain.c
+++ b/carolhook/dllmain.c
@@ -124,7 +124,7 @@ static DWORD CALLBACK carol_pre_startup(void)
 goto fail;
 }
- hr = createprocess_push_hook_a(".\\15312firm\\firmupdate_1113.exe", "inject -d -k carolhook.dll ", NULL);
+ hr = createprocess_push_hook_a(".\\15312firm\\firmupdate_1113.exe", "inject -d -k carolhook.dll ", NULL, false);
 if (FAILED(hr)) {
 goto fail;
diff --git a/hooklib/createprocess.c b/hooklib/createprocess.c
index d411aaf..e44ebdb 100644
--- a/hooklib/createprocess.c
+++ b/hooklib/createprocess.c
@@ -86,7 +86,7 @@ static size_t process_nsyms_w = 0;
 static CRITICAL_SECTION createproc_lock;
-HRESULT createprocess_push_hook_w(const wchar_t *name, const wchar_t *head, const wchar_t *tail) {
+HRESULT createprocess_push_hook_w(const wchar_t *name, const wchar_t *head, const wchar_t *tail, bool replace_all) {
 struct process_hook_sym_w *new_mem;
 struct process_hook_sym_w *new_proc;
 HRESULT hr;
@@ -112,6 +112,7 @@ HRESULT createprocess_push_hook_w(const wchar_t *name, const wchar_t *head, cons
 new_proc->name = name;
 new_proc->head = head;
 new_proc->tail = tail;
+ new_proc->replace_all = replace_all;
 process_syms_w = new_mem;
 process_nsyms_w++;
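Review bot: The `createprocess_push_hook_a` registration added here runs unconditionally in `carol_pre_startup`, whereas the `hook_table_apply` it replaces sat inside `controlbd_hook_init` behind the `if (!cfg->enable)` guard, so the firmupdate command-line rewrite now happens even when the control-board emulation is switched off. Unless that is intended, gate the call on the same setting, e.g. `if (<controlbd config>.enable) { hr = createprocess_push_hook_a(...); }`, or move the registration into `controlbd_hook_init` where the config is already at hand. The hunk also deletes a blank line and re-adds it in place while leaving no blank between the new `}` and `/* Initialize debug helpers */`; dropping the `-`/`+` blank pair and putting the blank before the comment would keep the diff to the functional change. `carol_pre_startup` starts and ends outside the hunk.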
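Review bot: `createprocess_push_hook_w` now stores `replace_all` in the wide-char entry, but nothing in this patch touches the wide-char CreateProcess hook — only `my_CreateProcessA` gains the `if (!process_syms_a[i].replace_all)` branch in a later hunk — so for W hooks the flag is presumably recorded and then ignored. Either apply the same change to the W hook or state in createprocess.h that `replace_all` currently affects only the A path, so a caller passing `true` to `createprocess_push_hook_w` is not surprised. The wide-char hook body is not in the diff, so this is inferred from the diffstat rather than seen. `createprocess_push_hook_w` ends outside the hunk.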
@@ -120,7 +121,7 @@ HRESULT createprocess_push_hook_w(const wchar_t *name, const wchar_t *head, cons
 return S_OK;
 }
-HRESULT createprocess_push_hook_a(const char *name, const char *head, const char *tail) {
+HRESULT createprocess_push_hook_a(const char *name, const char *head, const char *tail, bool replace_all) {
 struct process_hook_sym_a *new_mem;
 struct process_hook_sym_a *new_proc;
@@ -146,6 +147,7 @@ HRESULT createprocess_push_hook_a(const char *name, const char *head, const char
 new_proc->name = name;
 new_proc->head = head;
 new_proc->tail = tail;
+ new_proc->replace_all = replace_all;
 process_syms_a = new_mem;
 process_nsyms_a++;
@@ -184,17 +186,20 @@ static BOOL WINAPI my_CreateProcessA(
 ) {
 for (int i = 0; i < process_nsyms_a; i++) {
- if (strncmp(process_syms_a->name, lpCommandLine, strlen(process_syms_a->name))) {
+ if (strncmp(process_syms_a[i].name, lpCommandLine, strlen(process_syms_a[i].name))) {
 continue;
 }
 dprintf("CreateProcess: Hooking child process %s %s\n", lpApplicationName, lpCommandLine);
 char new_cmd[MAX_PATH] = {0};
- strcat_s(new_cmd, MAX_PATH, process_syms_a->head);
- strcat_s(new_cmd, MAX_PATH, lpCommandLine);
+ strcat_s(new_cmd, MAX_PATH, process_syms_a[i].head);
- if (process_syms_a->tail != NULL) {
- strcat_s(new_cmd, MAX_PATH, process_syms_a->tail);
+ if (!process_syms_a[i].replace_all) {
+ strcat_s(new_cmd, MAX_PATH, lpCommandLine);
+ }
+
+ if (process_syms_a[i].tail != NULL) {
+ strcat_s(new_cmd, MAX_PATH, process_syms_a[i].tail);
 }
 dprintf("CreateProcess: Replaced CreateProcessA %s\n", new_cmd);
diff --git a/hooklib/createprocess.h b/hooklib/createprocess.h
index 93ed8f7..bf226d5 100644
--- a/hooklib/createprocess.h
+++ b/hooklib/createprocess.h
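Review bot: `lpCommandLine` is dereferenced by `strncmp` on the rewritten match line and by the new `strcat_s(new_cmd, MAX_PATH, lpCommandLine)` without a NULL check, yet CreateProcessA allows a NULL command line when `lpApplicationName` is supplied, so a hooked caller using that form hits undefined behaviour before the loop can fall through. The three `strcat_s` return values are also discarded; `new_cmd` is `MAX_PATH` bytes while a command line may be far longer, so on overflow the function either launches a truncated line or, under the MSVC CRT, trips the invalid-parameter handler. Guard the command line in the match condition and leave the rewrite when any append fails, presumably reaching the pass-through call after the loop (the `continue` path implies one exists; the rest of `my_CreateProcessA` is outside the hunk). Whether `createproc_lock` is held while `process_syms_a` is read is not visible either.
```c
        if (lpCommandLine == NULL ||
                strncmp(process_syms_a[i].name, lpCommandLine, strlen(process_syms_a[i].name)) != 0) {
            continue;
        }

        /* … unchanged: dprintf and new_cmd declaration … */

        if (strcat_s(new_cmd, MAX_PATH, process_syms_a[i].head) != 0) {
            break;
        }

        if (!process_syms_a[i].replace_all &&
                strcat_s(new_cmd, MAX_PATH, lpCommandLine) != 0) {
            break;
        }

        if (process_syms_a[i].tail != NULL &&
                strcat_s(new_cmd, MAX_PATH, process_syms_a[i].tail) != 0) {
            break;
        }
```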
@@ -1,24 +1,21 @@
 #pragma once
 #include
+#include
-HRESULT createprocess_push_hook_w(const wchar_t *name, const wchar_t *head, const wchar_t *tail);
-HRESULT createprocess_push_hook_a(const char *name, const char *head, const char *tail);
+HRESULT createprocess_push_hook_w(const wchar_t *name, const wchar_t *head, const wchar_t *tail, bool replace_all);
+HRESULT createprocess_push_hook_a(const char *name, const char *head, const char *tail, bool replace_all);
 struct process_hook_sym_w {
 const wchar_t *name;
- size_t name_size;
 const wchar_t *head;
- size_t head_size;
 const wchar_t *tail;
- size_t tail_size;
+ bool replace_all;
 };
 struct process_hook_sym_a {
 const char *name;
- size_t name_size;
 const char *head;
- size_t head_size;
 const char *tail;
- size_t tail_size;
+ bool replace_all;
 };
\ No newline at end of file
From 5d04685c739ca0d92daf2bce3cca64c8acecc4cb Mon Sep 17 00:00:00 2001
From: Hay1tsme
Date: Tue, 19 Sep 2023 10:33:30 -0400
Subject: [PATCH 3/3] update gitignore
---
 .gitignore | 13 ++++++++++++-
 .vscode/settings.json | 1 +
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 31da392..5b84f6e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,17 @@
 .*.swp
-.vscode/
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+!.vscode/*.code-snippets
+ # Local History for Visual Studio Code
+.history/
+ # Built Visual Studio Code Extensions
+*.vsix
 # Suggested names for build dirs
 build/
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 49872e4..9eb12eb 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +1,4 @@
 {
 "editor.formatOnSave": false,
+ "mesonbuild.configureOnOpen": false,
 }
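Review bot: The new `replace_all` member and parameter are undocumented, and this header is the only place a caller sees the contract; a one-line comment per field would close that gap, e.g. `bool replace_all; /* drop the caller's command line: build head + tail only */` next to `replace_all`, and `const char *name; /* prefix of lpCommandLine to match; stored by pointer, not copied */` next to `name` (likewise for `head` and `tail`, which createprocess.c keeps by pointer in the `new_proc->name = name;` hunks, so callers must pass storage that outlives the hook). The extra parameter changes the public signature of both push functions, so any caller other than carolhook/dllmain.c will stop compiling until updated; none is visible in this series. The `#include` lines have lost their header names in this rendering, so the one added for `bool` cannot be confirmed as `<stdbool.h>` here; it should be.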