updated to RS6; added test for private symbols

Author: DarthTon

src/3rd_party/VersionApi.h

@@ -26,6 +26,7 @@ enum eBuildThreshold
     Build_RS3 = 16299,
     Build_RS4 = 17134,
     Build_RS5 = 17763,
+    Build_RS6 = 18362,
     Build_RS_MAX = 99999,
 };
 
@@ -42,6 +43,7 @@ enum eVerShort
     Win10_RS3,      // Windows 10 Fall Creators update
     Win10_RS4,      // Windows 10 Spring Creators update
     Win10_RS5,      // Windows 10 October 2018 update
+    Win10_RS6,      // Windows 10 May 2019 update
 };
 
 struct WinVersion
@@ -103,7 +105,9 @@ BLACKBONE_API inline void InitVersion()
         switch (fullver)
         {
         case _WIN32_WINNT_WIN10:
-            if (g_WinVer.native.dwBuildNumber >= Build_RS5)
+            if (g_WinVer.native.dwBuildNumber >= Build_RS6)
+                g_WinVer.ver = Win10_RS6;
+            else if (g_WinVer.native.dwBuildNumber >= Build_RS5)
                 g_WinVer.ver = Win10_RS5;
             else if (g_WinVer.native.dwBuildNumber >= Build_RS4)
                 g_WinVer.ver = Win10_RS4;
@@ -273,6 +277,12 @@ IsWindows10RS5OrGreater()
     return IsWindowsVersionOrGreater( HIBYTE( _WIN32_WINNT_WIN10 ), LOBYTE( _WIN32_WINNT_WIN10 ), 0, Build_RS5 );
 }
 
+VERSIONHELPERAPI
+IsWindows10RS6OrGreater()
+{
+    return IsWindowsVersionOrGreater( HIBYTE( _WIN32_WINNT_WIN10 ), LOBYTE( _WIN32_WINNT_WIN10 ), 0, Build_RS6 );
+}
+
 VERSIONHELPERAPI
 IsWindowsServer()
 {

src/BlackBone/Include/HandleGuard.h

@@ -4,6 +4,15 @@
 namespace blackbone
 {
 
+template<typename T>
+struct non_zero
+{
+    static bool call( T handle ) noexcept
+    {
+        return intptr_t( handle ) != 0;
+    }
+};
+
 template<typename T>
 struct non_negative
 {
@@ -119,5 +128,6 @@ using Handle        = HandleGuard<HANDLE, &CloseHandle>;
 using ProcessHandle = HandleGuard<HANDLE, &CloseHandle, with_pseudo<non_negative>::type>;
 using ACtxHandle    = HandleGuard<HANDLE, &ReleaseActCtx>;
 using RegHandle     = HandleGuard<HKEY, &RegCloseKey>;
+using Mapping       = HandleGuard<void*, & UnmapViewOfFile, non_zero>;
 
 }

src/BlackBone/PE/PEImage.cpp

@@ -50,7 +50,7 @@ NTSTATUS PEImage::Load( const std::wstring& path, bool skipActx /*= false*/ )
         if (_hMapping)
         {
             _isPlainData = false;
-            _pFileBase = MapViewOfFile( _hMapping, FILE_MAP_READ, 0, 0, 0 );
+            _pFileBase = Mapping( MapViewOfFile( _hMapping, FILE_MAP_READ, 0, 0, 0 ) );
         }
         // Map as simple datafile
         else
@@ -59,7 +59,7 @@ NTSTATUS PEImage::Load( const std::wstring& path, bool skipActx /*= false*/ )
             _hMapping = CreateFileMappingW( _hFile, NULL, PAGE_READONLY, 0, 0, NULL );
 
             if (_hMapping)
-                _pFileBase = MapViewOfFile( _hMapping, FILE_MAP_READ, 0, 0, 0 );
+                _pFileBase = Mapping( MapViewOfFile( _hMapping, FILE_MAP_READ, 0, 0, 0 ) );
         }
 
         // Mapping failed
@@ -113,12 +113,7 @@ NTSTATUS PEImage::Reload()
 /// <param name="temporary">Preserve file paths for file reopening</param>
 void PEImage::Release( bool temporary /*= false*/ )
 {
-    if (_pFileBase)
-    {
-        UnmapViewOfFile( _pFileBase );
-        _pFileBase = nullptr;
-    }
-
+    _pFileBase.reset();
     _hMapping.reset();
     _hFile.reset();
     _hctx.reset();
@@ -156,7 +151,7 @@ NTSTATUS PEImage::Parse( void* pImageBase /*= nullptr*/ )
         return STATUS_INVALID_ADDRESS;
 
     // Get DOS header
-    pDosHdr = reinterpret_cast<const IMAGE_DOS_HEADER*>(_pFileBase);
+    pDosHdr = reinterpret_cast<const IMAGE_DOS_HEADER*>(_pFileBase.get());
 
     // File not a valid PE file
     if (pDosHdr->e_magic != IMAGE_DOS_SIGNATURE)
@@ -206,7 +201,7 @@ NTSTATUS PEImage::Parse( void* pImageBase /*= nullptr*/ )
     {
         _ILFlagOffset = static_cast<int32_t>(
             reinterpret_cast<uint8_t*>(pCorHdr)
-            - reinterpret_cast<uint8_t*>(_pFileBase)
+            - reinterpret_cast<uint8_t*>(_pFileBase.get())
             + static_cast<int32_t>(offsetof( IMAGE_COR20_HEADER, Flags )));
 
 #ifdef COMPILER_MSVC
@@ -322,7 +317,7 @@ mapImports& PEImage::GetImports( bool useDelayed /*= false*/ )
                     data.ptrRVA = pImportTbl->FirstThunk + IAT_Index;
                 // Save address to OrigianlFirstThunk
                 else
-                    data.ptrRVA = static_cast<uintptr_t>(AddressOfData) - reinterpret_cast<uintptr_t>(_pFileBase);
+                    data.ptrRVA = static_cast<uintptr_t>(AddressOfData) - reinterpret_cast<uintptr_t>(_pFileBase.get());
 
                 _imports[dllStr].emplace_back( data );
 
@@ -350,12 +345,12 @@ void PEImage::GetExports( vecExports& exports )
     if (pExport == 0)
         return;
 
-    DWORD *pAddressOfNames = reinterpret_cast<DWORD*>(pExport->AddressOfNames + reinterpret_cast<uintptr_t>(_pFileBase));
-    DWORD *pAddressOfFuncs = reinterpret_cast<DWORD*>(pExport->AddressOfFunctions + reinterpret_cast<uintptr_t>(_pFileBase));
-    WORD  *pAddressOfOrds  = reinterpret_cast<WORD*> (pExport->AddressOfNameOrdinals + reinterpret_cast<size_t>(_pFileBase));
+    DWORD *pAddressOfNames = reinterpret_cast<DWORD*>(pExport->AddressOfNames + reinterpret_cast<uintptr_t>(_pFileBase.get()));
+    DWORD *pAddressOfFuncs = reinterpret_cast<DWORD*>(pExport->AddressOfFunctions + reinterpret_cast<uintptr_t>(_pFileBase.get()));
+    WORD  *pAddressOfOrds  = reinterpret_cast<WORD*> (pExport->AddressOfNameOrdinals + reinterpret_cast<size_t>(_pFileBase.get()));
 
     for (DWORD i = 0; i < pExport->NumberOfNames; ++i)
-        exports.push_back( ExportData( reinterpret_cast<const char*>(_pFileBase)+pAddressOfNames[i], pAddressOfFuncs[pAddressOfOrds[i]] ) );
+        exports.push_back( ExportData( reinterpret_cast<const char*>(_pFileBase.get())+pAddressOfNames[i], pAddressOfFuncs[pAddressOfOrds[i]] ) );
 
     std::sort( exports.begin(), exports.end() );
     return Release( true );
@@ -414,15 +409,15 @@ uintptr_t PEImage::ResolveRVAToVA( uintptr_t Rva, AddressType type /*= VA*/ ) co
             {
                 if (Rva >= sec.VirtualAddress && Rva < sec.VirtualAddress + sec.Misc.VirtualSize)
                     if (type == VA)
-                        return reinterpret_cast<uintptr_t>(_pFileBase) + Rva - sec.VirtualAddress + sec.PointerToRawData;
+                        return reinterpret_cast<uintptr_t>(_pFileBase.get()) + Rva - sec.VirtualAddress + sec.PointerToRawData;
                     else
                         return Rva - sec.VirtualAddress + sec.PointerToRawData;
             }
 
             return 0;
         }
         else
-            return (type == VA) ? (reinterpret_cast<uintptr_t>(_pFileBase) + Rva) : Rva;
+            return (type == VA) ? (reinterpret_cast<uintptr_t>(_pFileBase.get()) + Rva) : Rva;
 
     default:
         return 0;
@@ -449,7 +444,7 @@ int PEImage::GetTLSCallbacks( module_t targetBase, std::vector<ptr_t>& result )
         return 0;
 
     // Not at base
-    if (imageBase() != reinterpret_cast<module_t>(_pFileBase))
+    if (imageBase() != reinterpret_cast<module_t>(_pFileBase.get()))
         pCallback = reinterpret_cast<uint64_t*>(ResolveRVAToVA( static_cast<size_t>(offset - imageBase()) ));
     else
         pCallback = reinterpret_cast<uint64_t*>(offset);

src/BlackBone/PE/PEImage.h

@@ -95,6 +95,8 @@ class PEImage
     BLACKBONE_API PEImage( void );
     BLACKBONE_API ~PEImage( void );
 
+    BLACKBONE_API PEImage( PEImage&& other ) = default;
+
     /// <summary>
     /// Load image from file
     /// </summary>
@@ -312,7 +314,7 @@ class PEImage
 private:
     Handle      _hFile;                         // Target file HANDLE
     Handle      _hMapping;                      // Memory mapping object
-    void*       _pFileBase = nullptr;           // Mapping base
+    Mapping     _pFileBase;                     // Mapping base
     bool        _isPlainData = false;           // File mapped as plain data file
     bool        _is64 = false;                  // Image is 64 bit
     bool        _isExe = false;                 // Image is an .exe file

src/BlackBone/Symbols/PatternLoader.cpp

@@ -73,7 +73,12 @@ void OSFillPatterns( std::unordered_map<ptr_t*, OffsetData>& patterns, SymbolDat
     {
         // LdrpHandleTlsData
         // 74 33 44 8D 43 09
-        auto offset = IsWindows10RS4OrGreater() ? 0x44 : 0x43;
+        auto offset = 0x43;
+        if(IsWindows10RS6OrGreater())
+            offset = 0x46;
+        else if (IsWindows10RS4OrGreater())
+            offset = 0x44;
+
         patterns.emplace( &result.LdrpHandleTlsData64, OffsetData{ "\x74\x33\x44\x8d\x43\x09", true, offset } );
 
         // RtlInsertInvertedFunctionTable
@@ -95,9 +100,19 @@ void OSFillPatterns( std::unordered_map<ptr_t*, OffsetData>& patterns, SymbolDat
         // LdrpHandleTlsData
         // 33 F6 85 C0 79 03 - RS5+
         // 8B C1 8D 4D AC/BC 51 - RS3-RS4
-        const auto pattern = IsWindows10RS4OrGreater() ? "\x8b\xc1\x8d\x4d\xac\x51" : "\x8b\xc1\x8d\x4d\xbc\x51";
-        const auto data = IsWindows10RS5OrGreater() ? OffsetData{ "\x33\xf6\x85\xc0\x79\x03", false, 0x2C } : OffsetData{ pattern, false, 0x18 };
-        patterns.emplace( &result.LdrpHandleTlsData32, data );
+        auto pattern = "\x8b\xc1\x8d\x4d\xbc\x51";
+        if (IsWindows10RS5OrGreater())
+            pattern = "\x33\xf6\x85\xc0\x79\x03";
+        else if (IsWindows10RS4OrGreater())
+            pattern = "\x8b\xc1\x8d\x4d\xac\x51";
+
+        offset = 0x18;
+        if (IsWindows10RS6OrGreater())
+            offset = 0x2E;
+        else if (IsWindows10RS5OrGreater())
+            offset = 0x2C;
+
+        patterns.emplace( &result.LdrpHandleTlsData32, OffsetData{ pattern, false, offset } );
 
         // LdrProtectMrdata
         // 75 24 85 F6 75 08

src/BlackBone/Symbols/SymbolLoader.cpp

@@ -32,34 +32,32 @@ SymbolLoader::SymbolLoader()
 /// <returns>Status code</returns>
 NTSTATUS SymbolLoader::Load( SymbolData& result )
 {
-    pe::PEImage ntdll32, ntdll64;
-    PDBHelper sym32, sym64;
-
-    wchar_t buf[MAX_PATH] = { 0 };
-    GetWindowsDirectoryW( buf, MAX_PATH );
-
-    std::wstring windir( buf );
-
-    if (_x86OS)
-    {
-        ntdll32.Load( std::wstring( windir + L"\\System32\\ntdll.dll" ), true );
-    }
-    else
-    {
-        FsRedirector fsr( _wow64Process );
+    auto [ntdll32, ntdll64] = LoadImages();
 
-        ntdll64.Load( std::wstring( windir + L"\\System32\\ntdll.dll" ), true );
-        ntdll32.Load( std::wstring( windir + L"\\SysWOW64\\ntdll.dll" ), true );       
-    }
+    // Get addresses from pdb
+    LoadFromSymbols( ntdll32, ntdll64, result );
+   
+    // Fill missing symbols from patterns
+    return LoadFromPatterns( ntdll32, ntdll64, result );
+}
 
+/// <summary>
+/// Load symbol addresses from PDBs
+/// </summary>
+/// <param name="ntdll32">Loaded x86 ntdll image</param>
+/// <param name="ntdll64">Loaded x64 ntdll image</param>
+/// <param name="result">Found symbols</param>
+/// <returns>Status code</returns>
+NTSTATUS SymbolLoader::LoadFromSymbols( const pe::PEImage& ntdll32, const pe::PEImage& ntdll64, SymbolData& result )
+{
+    PDBHelper sym32, sym64;
     HRESULT hr = sym32.Init( ntdll32.path(), ntdll32.imageBase() );
     if (!_x86OS && SUCCEEDED( hr ))
     {
         FsRedirector fsr( _wow64Process );
         hr = sym64.Init( ntdll64.path(), ntdll64.imageBase() );
     }
 
-    // Get addresses from pdb
     if (SUCCEEDED( hr ))
     {
         sym32.GetSymAddress( L"LdrpHandleTlsData", result.LdrpHandleTlsData32 );
@@ -75,10 +73,50 @@ NTSTATUS SymbolLoader::Load( SymbolData& result )
         sym64.GetSymAddress( L"LdrpReleaseTlsEntry", result.LdrpReleaseTlsEntry64 );
 
         sym32.GetSymAddress( L"LdrProtectMrdata", result.LdrProtectMrdata );
+
+        return STATUS_SUCCESS;
     }
-   
-    // Fill missing symbols from patterns
+
+    return STATUS_UNSUCCESSFUL;
+}
+
+/// <summary>
+/// Load symbol addresses from pattern scans
+/// </summary>
+/// <param name="ntdll32">Loaded x86 ntdll image</param>
+/// <param name="ntdll64">Loaded x64 ntdll image</param>
+/// <param name="result">Found symbols</param>
+/// <returns>Status code</returns>
+NTSTATUS SymbolLoader::LoadFromPatterns( const pe::PEImage& ntdll32, const pe::PEImage& ntdll64, SymbolData& result )
+{
     return ScanSymbolPatterns( ntdll32, ntdll64, result );
 }
 
+/// <summary>
+/// Load ntdll images from the disk
+/// </summary>
+/// <returns>Loaded x86 and x64 ntdll</returns>
+std::pair<pe::PEImage, pe::PEImage> SymbolLoader::LoadImages()
+{
+    pe::PEImage ntdll32, ntdll64;
+
+    wchar_t buf[MAX_PATH] = { 0 };
+    GetWindowsDirectoryW( buf, MAX_PATH );
+    std::wstring windir( buf );
+
+    if (_x86OS)
+    {
+        ntdll32.Load( std::wstring( windir + L"\\System32\\ntdll.dll" ), true );
+    }
+    else
+    {
+        FsRedirector fsr( _wow64Process );
+
+        ntdll64.Load( std::wstring( windir + L"\\System32\\ntdll.dll" ), true );
+        ntdll32.Load( std::wstring( windir + L"\\SysWOW64\\ntdll.dll" ), true );
+    }
+
+    return std::make_pair( std::move( ntdll32 ), std::move( ntdll64 ) );
+}
+
 }

src/BlackBone/Symbols/SymbolLoader.h

@@ -4,6 +4,11 @@
 namespace blackbone
 {
 
+namespace pe
+{
+    class PEImage;
+}
+
 class SymbolLoader
 {
 public:
@@ -16,6 +21,30 @@ class SymbolLoader
     /// <returns>Status code</returns>
     NTSTATUS Load( SymbolData& result );
 
+    /// <summary>
+    /// Load symbol addresses from PDBs
+    /// </summary>
+    /// <param name="ntdll32">Loaded x86 ntdll image</param>
+    /// <param name="ntdll64">Loaded x64 ntdll image</param>
+    /// <param name="result">Found symbols</param>
+    /// <returns>Status code</returns>
+    NTSTATUS LoadFromSymbols( const pe::PEImage& ntdll32, const pe::PEImage& ntdll64, SymbolData& result );
+
+    /// <summary>
+    /// Load symbol addresses from pattern scans
+    /// </summary>
+    /// <param name="ntdll32">Loaded x86 ntdll image</param>
+    /// <param name="ntdll64">Loaded x64 ntdll image</param>
+    /// <param name="result">Found symbols</param>
+    /// <returns>Status code</returns>
+    NTSTATUS LoadFromPatterns( const pe::PEImage& ntdll32, const pe::PEImage& ntdll64, SymbolData& result );
+
+    /// <summary>
+    /// Load ntdll images from the disk
+    /// </summary>
+    /// <returns>Loaded x86 and x64 ntdll</returns>
+    std::pair<pe::PEImage, pe::PEImage> LoadImages();
+
 private:
     bool _x86OS;            // x86 OS
     bool _wow64Process;     // Current process is wow64 process

src/BlackBoneTest/BlackBoneTest.vcxproj

@@ -315,6 +315,7 @@
     <ClInclude Include="Common.h" />
   </ItemGroup>
   <ItemGroup>
+    <ClCompile Include="TestSymbols.cpp" />
     <ClCompile Include="TestAsmJit.cpp" />
     <ClCompile Include="TestAsmVariant.cpp" />
     <ClCompile Include="TestDriver.cpp" />

src/BlackBoneTest/BlackBoneTest.vcxproj.filters

@@ -40,6 +40,9 @@
     <ClCompile Include="TestGuard.cpp">
       <Filter>Tests</Filter>
     </ClCompile>
+    <ClCompile Include="TestSymbols.cpp">
+      <Filter>Tests</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Common.h" />

src/BlackBoneTest/Common.h

@@ -10,6 +10,7 @@
 #include <BlackBone/Patterns/PatternSearch.h>
 #include <BlackBone/Asm/LDasm.h>
 #include <BlackBone/localHook/VTableHook.hpp>
+#include <BlackBone/Symbols/SymbolLoader.h>
 
 #include <iostream>
 #include <CppUnitTest.h>