Fixed some Cuckoomon crashes using the ENSURE_* macros
snemes committed Jun 4, 2018
1 parent 992e0b6 commit c03b86a
Showing 3 changed files with 24 additions and 36 deletions.
48 changes: 16 additions & 32 deletions hook_process.c
Expand Up @@ -209,47 +209,31 @@ HOOKDEF(BOOL, WINAPI, CreateProcessWithLogonW,
) {
BOOL ret;
LPWSTR origcommandline = NULL;

ENSURE_STRUCT(lpProcessInfo, PROCESS_INFORMATION);

if (lpCommandLine)
origcommandline = wcsdup(lpCommandLine);

ret = Old_CreateProcessWithLogonW(lpUsername, lpDomain, lpPassword, dwLogonFlags, lpApplicationName, lpCommandLine, dwCreationFlags | CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInfo);

if (lpProcessInfo) {
LOQ_bool("process", "uuuhuuhiipp",
"Username", lpUsername,
"Domain", lpDomain,
"Password", lpPassword,
"LogonFlags", dwLogonFlags,
"ApplicationName", lpApplicationName,
"CommandLine", origcommandline,
"CreationFlags", dwCreationFlags,
"ProcessId", lpProcessInfo->dwProcessId,
"ThreadId", lpProcessInfo->dwThreadId,
"ProcessHandle", lpProcessInfo->hProcess,
"ThreadHandle", lpProcessInfo->hThread
);
}
else {
LOQ_bool("process", "uuuhuuhiipp",
"Username", lpUsername,
"Domain", lpDomain,
"Password", lpPassword,
"LogonFlags", dwLogonFlags,
"ApplicationName", lpApplicationName,
"CommandLine", origcommandline,
"CreationFlags", dwCreationFlags,
"ProcessId", NULL,
"ThreadId", NULL,
"ProcessHandle", NULL,
"ThreadHandle", NULL
);
}
LOQ_bool("process", "uuuhuuhiipp",
"Username", lpUsername,
"Domain", lpDomain,
"Password", lpPassword,
"LogonFlags", dwLogonFlags,
"ApplicationName", lpApplicationName,
"CommandLine", origcommandline,
"CreationFlags", dwCreationFlags,
"ProcessId", lpProcessInfo->dwProcessId,
"ThreadId", lpProcessInfo->dwThreadId,
"ProcessHandle", lpProcessInfo->hProcess,
"ThreadHandle", lpProcessInfo->hThread
);

if (origcommandline)
free(origcommandline);

if (ret && lpProcessInfo) {
if (ret) {
pipe("PROCESS:%d:%d,%d", is_suspended(lpProcessInfo->dwProcessId, lpProcessInfo->dwThreadId), lpProcessInfo->dwProcessId, lpProcessInfo->dwThreadId);
if (!(dwCreationFlags & CREATE_SUSPENDED))
ResumeThread(lpProcessInfo->hThread);
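Review bot: After ENSURE_STRUCT(lpProcessInfo, PROCESS_INFORMATION) at the top of the hunk the hook can no longer tell whether the caller supplied its own structure, so on the success path (`if (ret)` near the end of the hunk) the hProcess/hThread handles that Old_CreateProcessWithLogonW wrote into the stack-local `_lpProcessInfo` are never closed — the caller never sees them and nothing in the hunk releases them. Record the substitution before the macro, `BOOL own_pi = (lpProcessInfo == NULL);`, and after the ResumeThread call close both handles when it is set, `if (own_pi) { CloseHandle(lpProcessInfo->hProcess); CloseHandle(lpProcessInfo->hThread); }`. Whether the real API accepts a NULL lpProcessInfo is not visible here; if it rejects it, the macro also turns a call that used to fail into one that succeeds, which is a behaviour change observable by the monitored process. The function body continues past the end of the hunk.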
9 changes: 5 additions & 4 deletions hook_thread.c
Expand Up @@ -165,7 +165,7 @@ HOOKDEF(NTSTATUS, WINAPI, NtCreateThreadEx,
OUT PVOID lpBytesBuffer
) {
DWORD pid = pid_from_process_handle(ProcessHandle);

NTSTATUS ret = Old_NtCreateThreadEx(hThread, DesiredAccess,
ObjectAttributes, ProcessHandle, lpStartAddress, lpParameter,
CreateFlags | 1, StackZeroBits, SizeOfStackCommit, SizeOfStackReserve,
Expand All @@ -189,7 +189,7 @@ HOOKDEF(NTSTATUS, WINAPI, NtCreateThreadEx,

if (NT_SUCCESS(ret))
disable_sleep_skip();

return ret;
}

Expand Down Expand Up @@ -246,7 +246,7 @@ HOOKDEF(NTSTATUS, WINAPI, NtSetContextThread,
pipe("PROCESS:%d:%d,%d", is_suspended(pid, tid), pid, tid);

ret = Old_NtSetContextThread(ThreadHandle, Context);
if (Context->ContextFlags & CONTEXT_CONTROL)
if (Context != NULL && Context->ContextFlags & CONTEXT_CONTROL)
#ifdef _WIN64
LOQ_ntstatus("threading", "pp", "ThreadHandle", ThreadHandle, "InstructionPointer", Context->Rip);
#else
Expand Down Expand Up @@ -406,10 +406,11 @@ HOOKDEF(NTSTATUS, WINAPI, RtlCreateUserThread,
) {
DWORD pid;
NTSTATUS ret;
ENSURE_HANDLE(ThreadHandle);
ENSURE_CLIENT_ID(ClientId);

pid = pid_from_process_handle(ProcessHandle);

ret = Old_RtlCreateUserThread(ProcessHandle, SecurityDescriptor,
TRUE, StackZeroBits, StackReserved, StackCommit,
StartAddress, StartParameter, ThreadHandle, ClientId);
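Review bot: In the RtlCreateUserThread hunk, ENSURE_HANDLE(ThreadHandle) makes the hook the owner of whatever Old_RtlCreateUserThread stores in the stack-local `_ThreadHandle` when the caller passed NULL, and the visible code never closes it; the rest of the function is below the hunk, so if nothing there does either, this is a thread-handle leak on every such call. A `BOOL own_handle = (ThreadHandle == NULL);` before the macro and a `CloseHandle(*ThreadHandle)` once the hook is finished with the handle would cover it. In the NtSetContextThread hunk the new condition relies on `&` binding tighter than `&&`, which is correct but easier to read as `if (Context != NULL && (Context->ContextFlags & CONTEXT_CONTROL))`. The NtCreateThreadEx hunks appear to be whitespace-only.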
3 changes: 3 additions & 0 deletions log.h
Expand Up @@ -145,6 +145,9 @@ do { \
#define ENSURE_CLIENT_ID(param) \
CLIENT_ID _##param; memset(&_##param, 0, sizeof(_##param)); if (param == NULL) param = &_##param

#define ENSURE_HANDLE(param) \
HANDLE _##param; memset(&_##param, 0, sizeof(_##param)); if (param == NULL) param = &_##param

#define ENSURE_STRUCT(param, type) \
type _##param; memset(&_##param, 0, sizeof(_##param)); if(param == NULL) param = &_##param

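Review bot: ENSURE_HANDLE(param) expands to a local named `_##param`, which at the call site in this commit becomes `_ThreadHandle` — an identifier starting with an underscore followed by an uppercase letter, a name the C standard reserves for the implementation (the pre-existing ENSURE_CLIENT_ID has the same issue with `_ClientId`). A non-reserved spelling avoids it, and for a plain HANDLE the memset is unnecessary: `HANDLE param##_local = NULL; if (param == NULL) param = &param##_local`. Because the macro declares a variable it cannot be wrapped in do/while(0), so a comment on the macro stating that it must be used as a standalone statement at declaration scope, never as the body of an unbraced if, would help the next caller.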