MMap: APC SxS fix

DarthTon · DarthTon · commit 04808dcc23eb · 2016-12-15T00:05:55.000+02:00
diff --git a/src/BlackBone/Asm/AsmHelper32.cpp b/src/BlackBone/Asm/AsmHelper32.cpp
@@ -37,7 +37,7 @@ void AsmHelper32::GenPrologue( bool switchMode /*= false*/ )
 /// </summary>
 /// <param name="switchMode">Unused</param>
 /// <param name="retSize">Stack change value</param>
-void AsmHelper32::GenEpilogue( bool switchMode /*= false*/ , int retSize /*= WordSize */ )
+void AsmHelper32::GenEpilogue( bool switchMode /*= false*/ , int retSize /*= 0xC */ )
 {
     if (retSize == -1)
         retSize = WordSize;
diff --git a/src/BlackBone/Asm/AsmHelper32.h b/src/BlackBone/Asm/AsmHelper32.h
@@ -25,7 +25,7 @@ class AsmHelper32 : public AsmHelperBase
     /// </summary>
     /// <param name="switchMode">Unused</param>
     /// <param name="retSize">Stack change value</param>
-    virtual void GenEpilogue( bool switchMode = false, int retSize = 4 );
+    virtual void GenEpilogue( bool switchMode = false, int retSize = 0xC );
 
     /// <summary>
     /// Generate function call
diff --git a/src/BlackBone/Include/FunctionTypes.h b/src/BlackBone/Include/FunctionTypes.h
@@ -218,6 +218,14 @@ typedef NTSTATUS( NTAPI *fnRtlCreateActivationContext )(
     OUT PVOID*  ActCtx
     );
 
+typedef NTSTATUS( NTAPI* fnNtQueueApcThread )(
+    IN HANDLE ThreadHandle,
+    IN PVOID ApcRoutine, /*PKNORMAL_ROUTINE*/
+    IN PVOID NormalContext,
+    IN PVOID SystemArgument1,
+    IN PVOID SystemArgument2
+    );
+
 // RtlImageNtHeader
 typedef PIMAGE_NT_HEADERS( NTAPI* fnRtlImageNtHeader )(
     IN PVOID ModuleAddress
diff --git a/src/BlackBone/Process/RPC/RemoteExec.cpp b/src/BlackBone/Process/RPC/RemoteExec.cpp
@@ -21,6 +21,7 @@ RemoteExec::RemoteExec( Process& proc )
 {
     LOAD_IMPORT( "NtOpenEvent", L"ntdll.dll" );
     LOAD_IMPORT( "NtCreateEvent", L"ntdll.dll" );
+    LOAD_IMPORT( "NtQueueApcThread", L"ntdll.dll" );
 }
 
 RemoteExec::~RemoteExec()
@@ -137,7 +138,9 @@ NTSTATUS RemoteExec::ExecInWorkerThread( PVOID pCode, size_t size, uint64_t& cal
 #endif
 
     // Execute code in thread context
-    if (QueueUserAPC( _userCode.ptr<PAPCFUNC>(), _hWorkThd.handle(), _userCode.ptr<ULONG_PTR>() ))
+    // TODO: Find out why am I passing pRemoteCode as an argument???
+    auto pRemoteCode = _userCode.ptr<PVOID>();
+    if (NT_SUCCESS( SAFE_NATIVE_CALL( NtQueueApcThread, _hWorkThd.handle(), pRemoteCode, pRemoteCode, nullptr, nullptr ) ))
     {
         dwResult = WaitForSingleObject( _hWaitEvent, 30 * 1000 /*wait 30s*/ );
         callResult = _userData.Read<uint64_t>( RET_OFFSET, 0 );

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ void AsmHelper32::GenPrologue( bool switchMode /= false/ )`
`37`	`37`	`/// </summary>`
`38`	`38`	`/// <param name="switchMode">Unused</param>`
`39`	`39`	`/// <param name="retSize">Stack change value</param>`
`40`		`-void AsmHelper32::GenEpilogue( bool switchMode /= false/ , int retSize /= WordSize / )`
	`40`	`+void AsmHelper32::GenEpilogue( bool switchMode /= false/ , int retSize /= 0xC / )`
`41`	`41`	`{`
`42`	`42`	`if (retSize == -1)`
`43`	`43`	`retSize = WordSize;`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ RemoteExec::RemoteExec( Process& proc )`
`21`	`21`	`{`
`22`	`22`	`LOAD_IMPORT( "NtOpenEvent", L"ntdll.dll" );`
`23`	`23`	`LOAD_IMPORT( "NtCreateEvent", L"ntdll.dll" );`
	`24`	`+ LOAD_IMPORT( "NtQueueApcThread", L"ntdll.dll" );`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`RemoteExec::~RemoteExec()`
`@@ -137,7 +138,9 @@ NTSTATUS RemoteExec::ExecInWorkerThread( PVOID pCode, size_t size, uint64_t& cal`
`137`	`138`	`#endif`
`138`	`139`
`139`	`140`	`// Execute code in thread context`
`140`		`- if (QueueUserAPC( _userCode.ptr<PAPCFUNC>(), _hWorkThd.handle(), _userCode.ptr<ULONG_PTR>() ))`
	`141`	`+ // TODO: Find out why am I passing pRemoteCode as an argument???`
	`142`	`+ auto pRemoteCode = _userCode.ptr<PVOID>();`
	`143`	`+ if (NT_SUCCESS( SAFE_NATIVE_CALL( NtQueueApcThread, _hWorkThd.handle(), pRemoteCode, pRemoteCode, nullptr, nullptr ) ))`
`141`	`144`	`{`
`142`	`145`	`dwResult = WaitForSingleObject( _hWaitEvent, 30 * 1000 /wait 30s/ );`
`143`	`146`	`callResult = _userData.Read<uint64_t>( RET_OFFSET, 0 );`