import KernelEx-4.5-RC4

2025-07-18 23:11:19 +03:00 · 2018-11-03 16:22:27 +03:00
parent 39526d0a36
commit e8dd043a25
66 changed files with 3327 additions and 69 deletions
--- a/core/internals.cpp
+++ b/core/internals.cpp
@ -250,7 +250,7 @@ static IMTE*** find_mod_table()

 	IMTE*** ret;
 	
-	DWORD* res = find_unique_pattern((void*) iGetProcAddress(h_kernel32, (LPSTR)23), 0x20, pat, pat_len, pat_name);
+	DWORD* res = find_unique_pattern((void*) GetK32OrdinalAddress(23), 0x20, pat, pat_len, pat_name);
 	
 	ret = (IMTE***)*res;
 	DBGPRINTF(("%s @ 0x%08x\n", pat_name, ret));
@ -265,7 +265,7 @@ static MRFromHLib_t find_MRFromHLib()

 	MRFromHLib_t ret;

-	DWORD* res = find_unique_pattern((void*) iGetProcAddress(h_kernel32, (LPSTR)23), 0x20, pat, pat_len, pat_name);
+	DWORD* res = find_unique_pattern((void*) GetK32OrdinalAddress(23), 0x20, pat, pat_len, pat_name);
 	if (!res)
 		return NULL;

@ -441,9 +441,9 @@ int internals_init()
 	DBGPRINTF(("internals_init()\n"));
 	h_kernel32 = GetModuleHandle("kernel32");
 	ppmteModTable = find_mod_table();
+	MRFromHLib = find_MRFromHLib();
 	krnl32lock = find_krnl32lock();
 	pppdbCur = find_curPDB();
-	MRFromHLib = find_MRFromHLib();
 	pimteMax = find_pimteMax();
 	TIDtoTDB = find_TIDtoTDB();
 	MRLoadTree = find_MRLoadTree();
@ -454,7 +454,7 @@ int internals_init()
 	is_winme = (GetVersion() == 0xc0005a04);
 	bool modinit_rslt = ModuleInitializer_init();

-	if (!h_kernel32 || !ppmteModTable || !krnl32lock || !pppdbCur || !MRFromHLib
+	if (!h_kernel32 || !ppmteModTable || !MRFromHLib || !krnl32lock || !pppdbCur
 			|| !pimteMax || !TIDtoTDB || !MRLoadTree || !FreeLibTree 
 			|| !FreeLibRemove || !AllocHandle || !instdir_rslt 
 			|| !modinit_rslt)
--- a/core/resolver.cpp
+++ b/core/resolver.cpp
@ -659,8 +659,8 @@ static BOOL WINAPI IsKnownKexDLL(char* name, const char* ext)
 {
 	LONG res;
 	DWORD type;
-	char path[MAX_PATH];
-	DWORD size = sizeof(path);
+	char new_path[MAX_PATH];
+	DWORD size = sizeof(new_path);

 	if (ext && strcmp(ext, "DLL") != 0)
 		return FALSE;
@ -670,12 +670,33 @@ static BOOL WINAPI IsKnownKexDLL(char* name, const char* ext)
 	
 	if (are_extensions_enabled())
 	{
-		//workaround windows bug
-		int pos = strlen(name) - 4;
-		if (pos > 0 && name[pos] == '.')
-		name[pos] = '\0';
+		int len = strlen(name);

-		res = RegQueryValueEx(known_dlls_key, name, NULL, &type, (BYTE*) path, &size);
+		//workaround windows bug
+		int pos = len - 4;
+		if (pos > 0 && name[pos] == '.')
+		{
+			name[pos] = '\0';
+			len = pos;
+		}
+
+		char* file = name;
+
+		//find where directory part ends
+		while (len > 0)
+		{
+			len--;
+			if (name[len] == '\\')
+			{
+				file = name + len + 1;
+				break;
+			}
+		}
+
+		if (!len || (len == system_path_len && !strncmp(name, system_path, len)))
+			res = RegQueryValueEx(known_dlls_key, file, NULL, &type, (BYTE*) new_path, &size);
+		else
+			res = ERROR_INVALID_FUNCTION;
 	}
 	else
 		res = ERROR_INVALID_FUNCTION;
@ -683,7 +704,7 @@ static BOOL WINAPI IsKnownKexDLL(char* name, const char* ext)
 	if (res == ERROR_SUCCESS && type == REG_SZ)
 	{
 		memcpy(name, (const char*) kernelex_dir, kernelex_dir.length());
-		memcpy(name + kernelex_dir.length(), path, size);
+		memcpy(name + kernelex_dir.length(), new_path, size);
 		return TRUE;
 	}
 	else
@ -725,13 +746,31 @@ static BOOL WINAPI KexResourceCheck(DWORD un0, DWORD un1, DWORD un2, DWORD* pNam
 	return GetOrdinal(un0, un1, un2, pNameOrId, pResult, un3);
 }

+/** Retrieves address of kernel32 function exported by ordinal.
+ * @param [in] ord function ordinal number
+ * @return function address or NULL if not found
+ */
+PROC WINAPI GetK32OrdinalAddress(WORD wOrd)
+{
+	IMAGE_DOS_HEADER* dosh = (IMAGE_DOS_HEADER*) h_kernel32;
+	IMAGE_NT_HEADERS* nth = (IMAGE_NT_HEADERS*)((LONG)dosh + dosh->e_lfanew);
+	return OriExportFromOrdinal(nth, wOrd);
+}
+
+/** GetProcAddress variant used to bypass CORE's resolver hook 
+ *  (get real procedure address not overridden one).
+ * @param [in] hModule module handle
+ * @param [in] lpProcName procedure name or ordinal number (high word zeroed)
+ * @return function address or NULL if not found
+ */
 PROC WINAPI iGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
 {
-	IMAGE_DOS_HEADER* dos_hdr;
-	IMAGE_NT_HEADERS* nt_hdr;
+	DBGASSERT(MRFromHLib != NULL);
+	DBGASSERT(ppmteModTable != NULL);

-	dos_hdr = (IMAGE_DOS_HEADER*) hModule;
-	nt_hdr = (IMAGE_NT_HEADERS*)((int)dos_hdr + dos_hdr->e_lfanew);
+	MODREF* mr = MRFromHLib(hModule);
+	IMTE* imte = (*ppmteModTable)[mr->mteIndex];
+	IMAGE_NT_HEADERS* nt_hdr = imte->pNTHdr;

 	if ((DWORD)lpProcName < 0x10000) 
 		return OriExportFromOrdinal(nt_hdr, LOWORD(lpProcName));
--- a/core/resolver.h
+++ b/core/resolver.h
@ -90,6 +90,7 @@ extern LONG old_jtab[];
 bool are_extensions_enabled();
 bool are_extensions_enabled_module(const char* path);
 DWORD encode_address(DWORD addr, const ApiLibrary* apilib);
+PROC WINAPI GetK32OrdinalAddress(WORD wOrd);
 PROC WINAPI iGetProcAddress(HMODULE hModule, LPCSTR lpProcName);
 PROC WINAPI ExportFromOrdinal(IMTE_KEX* target, MODREF* caller, BOOL is_static, WORD ordinal);
 PROC WINAPI ExportFromName(IMTE_KEX* target, MODREF* caller, BOOL is_static, WORD hint, LPCSTR name);