Fixed bugs in the RegistryManager

Author: BeneficialCode

PEParser/PEParser.cpp

@@ -9,16 +9,16 @@
 
 
 PEParser::PEParser(const wchar_t* path) :_path(path) {
-	_hFile = ::CreateFile(path, GENERIC_READ | GENERIC_WRITE,
-		FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);
+	_hFile = ::CreateFile(path, GENERIC_READ,
+		FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
 	if (_hFile == INVALID_HANDLE_VALUE)
 		return;
 	::GetFileSizeEx(_hFile, &_fileSize);
-	_hMemMap = ::CreateFileMapping(_hFile, nullptr, PAGE_READWRITE, 0, 0, nullptr);
+	_hMemMap = ::CreateFileMapping(_hFile, nullptr, PAGE_READONLY, 0, 0, nullptr);
 	if (!_hMemMap)
 		return;
 
-	_address = (PBYTE)::MapViewOfFile(_hMemMap, FILE_MAP_ALL_ACCESS, 0, 0, 0);
+	_address = (PBYTE)::MapViewOfFile(_hMemMap, FILE_MAP_READ, 0, 0, 0);
 	if (!_address)
 		return;
 
@@ -496,4 +496,54 @@ void PEParser::RelocateImageByDelta(std::vector<RelocInfo>& relocs, const uint64
 
 PVOID PEParser::GetDataDirectoryAddress(UINT index, PULONG size) const {
 	return ::ImageDirectoryEntryToData(_address, FALSE, index, size);
+}
+
+void PEParser::SetDefaultFileAligment() {
+	if (IsPe64()) {
+		GetOptionalHeader64().FileAlignment = _fileAlignmentConstant;
+	}
+	else {
+		GetOptionalHeader32().FileAlignment = _fileAlignmentConstant;
+	}
+}
+
+DWORD PEParser::GetSectionAlignment() {
+	if (IsPe64()) {
+		return GetOptionalHeader64().SectionAlignment;
+	}
+	else {
+		return GetOptionalHeader32().SectionAlignment;
+	}
+}
+
+DWORD PEParser::GetFileAlignment() {
+	if (IsPe64()) {
+		return GetOptionalHeader64().FileAlignment;
+	}
+	else {
+		return GetOptionalHeader32().FileAlignment;
+	}
+}
+
+DWORD PEParser::AlignValue(DWORD badValue, DWORD alignTo) {
+	return (badValue + alignTo - 1) & ~(alignTo - 1);
+}
+
+void PEParser::AlignAllSectionHeaders() {
+	auto sections = _sections;
+	DWORD sectionAlignment = GetSectionAlignment();
+	DWORD fileAlignment = GetFileAlignment();
+	DWORD newFileSize = 0;
+	
+	newFileSize = _dosHeader->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) +
+		_ntHeader->FileHeader.SizeOfOptionalHeader * sizeof(IMAGE_SECTION_HEADER);
+
+	for (int i = 0; i < GetSectionCount(); ++i) {
+		sections[i].VirtualAddress = AlignValue(sections[i].VirtualAddress, sectionAlignment);
+		sections[i].Misc.VirtualSize = AlignValue(sections[i].Misc.VirtualSize, sectionAlignment);
+
+		sections[i].PointerToRawData = AlignValue(newFileSize, fileAlignment);
+		
+		newFileSize = sections[i].PointerToRawData + sections[i].SizeOfRawData;
+	}
 }

PEParser/PEParser.h

@@ -152,7 +152,7 @@ struct RelocInfo {
 	uint32_t count;
 };
 
-class PEParser final {
+class PEParser {
 public:
 	explicit PEParser(const wchar_t* path);
 	~PEParser();
@@ -171,6 +171,8 @@ class PEParser final {
 	const IMAGE_DATA_DIRECTORY* GetDataDirectory(int index) const;
 	const IMAGE_DOS_HEADER& GetDosHeader() const;
 	void* GetBaseAddress() const;
+	void AlignAllSectionHeaders();
+	DWORD AlignValue(DWORD badValue, DWORD alignTo);
 
 	ULONGLONG GetImageBase() const;
 
@@ -214,6 +216,9 @@ class PEParser final {
 	//const IMAGE_LOAD_CONFIG_DIRECTORY64* GetLoadConfiguration64() const;
 	//const IMAGE_LOAD_CONFIG_DIRECTORY32* GetLoadConfiguration32() const;
 	PVOID GetDataDirectoryAddress(UINT index, PULONG size) const;
+	void SetDefaultFileAligment();
+	DWORD GetSectionAlignment();
+	DWORD GetFileAlignment();
 
 	bool IsImportLib() const;
 	bool IsObjectFile() const;
@@ -229,6 +234,8 @@ class PEParser final {
 	std::vector<RelocInfo> GetRelocs(void* imageBase);
 	static void RelocateImageByDelta(std::vector<RelocInfo>& relocs, const uint64_t delta);
 
+protected:
+	static const DWORD _fileAlignmentConstant = 0x200;
 
 private:
 	bool IsObjectPe64() const;

WinArk/GotoKeyDlg.cpp

@@ -69,7 +69,7 @@ LRESULT CGotoKeyDlg::OnInitDialog(UINT /*uMsg*/, WPARAM /*wParam*/, LPARAM /*lPa
 		{ L"Lsa",LR"(HKLM\SYSTEM\CurrentControlSet\Control\Lsa)"},
 		{ L"LogonUI",LR"(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI)"},
 		{ L"Credential Providers",LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers)"},
-		{ L"DisallowRun",LR"(HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun)"},
+		{ L"DisallowCpl",LR"(HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl)"},
 		{ L"DisablePath",LR"(HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths)"},
 		{ L"Internet Settings",LR"(HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings)"},
 		{ L"Session Manager",LR"(HKLM\System\CurrentControlSet\Control\Session Manager)"},

WinArk/ImportRebuilder.cpp

@@ -0,0 +1,26 @@
+#include "stdafx.h"
+#include "ImportRebuilder.h"
+
+bool ImportRebuilder::RebuildImportTable(const WCHAR* newFilePath, 
+	std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap){
+	bool ret = false;
+	std::map<DWORD_PTR, ImportModuleThunk> copyModule;
+	copyModule.insert(moduleThunkMap.begin(), moduleThunkMap.end());
+
+	if (IsValid()) {
+		SetDefaultFileAligment();
+
+		ret = BuildNewImportTable(copyModule);
+		if (ret) {
+			AlignAllSectionHeaders();
+
+		}
+	}
+	
+	return ret;
+}
+
+bool ImportRebuilder::BuildNewImportTable(std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap) {
+
+	return true;
+}

WinArk/ImportRebuilder.h

@@ -0,0 +1,55 @@
+#pragma once
+
+#include <map>
+#include <PEParser.h>
+#include "Thunks.h"
+#include "IATReferenceScan.h"
+#include <PEParser.h>
+
+class ImportRebuilder: public PEParser{
+public:
+	ImportRebuilder(const WCHAR* file): PEParser(file) {
+	}
+	bool RebuildImportTable(const WCHAR* newFilePath, std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap);
+	void EnableOFTSupport();
+	void EnableNewIATInSection(DWORD_PTR iatAddress, DWORD iatSize);
+
+private:
+	PIMAGE_IMPORT_DESCRIPTOR _pImportDescriptor = nullptr;
+	PIMAGE_THUNK_DATA _pThunkData = nullptr;
+	PIMAGE_IMPORT_BY_NAME _pImportByName = nullptr;
+
+	size_t _numberOfImportDescriptors;
+	size_t _sizeOfImportSection;
+	size_t _sizeOfApiAndModuleNames;
+	size_t _importSectionIndex;
+
+	// OriginalFirstThunk Array in import section
+	size_t _sizeOfOFTArray;
+	bool _useOFT;
+	bool _newIATInSection;
+	DWORD_PTR _iatAddress;
+
+	DWORD _iatSize;
+	DWORD _sizeOfJumpTable;
+
+	DWORD _directImportsJumpTableRVA;
+	BYTE* _pJmpTableMemory;
+	DWORD _newIATBaseAddressRVA;
+
+	DWORD FillImportSection(std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap);
+	BYTE* GetMemoryPointerFromRVA(DWORD_PTR rva);
+	bool CreateNewImportSection(std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap);
+	bool BuildNewImportTable(std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap);
+	void SetFlagToIATSection(DWORD_PTR iatAddress);
+	size_t AddImportToImportTable(ImportThunk* pImportThunk, PIMAGE_THUNK_DATA* pThunkData, PIMAGE_IMPORT_BY_NAME pImportByName,
+		DWORD sectionOffset);
+	size_t AddImportDescriptor(ImportModuleThunk* pImportThunk, DWORD sectionOffset, DWORD sectionOffsetOFTArray);
+
+	void CalculateImportSize(std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap);
+
+	void AddSepecialImportDescriptor(DWORD_PTR rvaFirstThunk, DWORD sectionOffsetOFTArray);
+	void PatchFileForNewIATLocation();
+	void ChangeIATBaseAddress(std::map<DWORD_PTR, ImportModuleThunk>& moduleThunkMap);
+	void PatchFileForDirectImportJumpTable();
+};

WinArk/View.cpp

@@ -1375,7 +1375,7 @@ LRESULT CRegistryManagerView::OnEditDelete(WORD, WORD, HWND, BOOL&){
 			}
 			list->AddCommand(cmd);
 		}
-		if (count == 1) // only up key selected
+		if (count == 0) // only up key selected
 			return 0;
 
 		if (count == 1)

WinArk/WinArk.vcxproj

@@ -109,7 +109,7 @@
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>_WIN64;_WINDOWS;STRICT;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <LanguageStandard>stdcpplatest</LanguageStandard>
-      <AdditionalIncludeDirectories>..\PEParser;..\WinSysCore;..\PdbParser;..\Utils</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\PEParser;..\WinSysCore;..\PdbParser;..\Utils;..\diStorm3\include</AdditionalIncludeDirectories>
       <ConformanceMode>true</ConformanceMode>
       <ExceptionHandling>Sync</ExceptionHandling>
       <TreatWarningAsError>false</TreatWarningAsError>
@@ -261,6 +261,7 @@
     <ClCompile Include="HexEdit.cpp" />
     <ClCompile Include="IATReferenceScan.cpp" />
     <ClCompile Include="IATSearcher.cpp" />
+    <ClCompile Include="ImportRebuilder.cpp" />
     <ClCompile Include="ImportsHandling.cpp" />
     <ClCompile Include="KernelEATHookDlg.cpp" />
     <ClCompile Include="KernelEATHookTable.cpp" />
@@ -434,6 +435,7 @@
     <ClInclude Include="HexEdit.h" />
     <ClInclude Include="IATReferenceScan.h" />
     <ClInclude Include="IATSearcher.h" />
+    <ClInclude Include="ImportRebuilder.h" />
     <ClInclude Include="ImportsHandling.h" />
     <ClInclude Include="KernelEATHookDlg.h" />
     <ClInclude Include="KernelEATHookTable.h" />

WinArk/WinArk.vcxproj.filters

@@ -531,6 +531,9 @@
     <ClCompile Include="IATReferenceScan.cpp">
       <Filter>Scylla</Filter>
     </ClCompile>
+    <ClCompile Include="ImportRebuilder.cpp">
+      <Filter>Scylla</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="stdafx.h">
@@ -1070,6 +1073,9 @@
     <ClInclude Include="IATReferenceScan.h">
       <Filter>Scylla</Filter>
     </ClInclude>
+    <ClInclude Include="ImportRebuilder.h">
+      <Filter>Scylla</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="WinArk.rc">