Driver: MMap: fixed APC_INDEX_MISMATCH BSOD

DarthTon · DarthTon · commit 76b626a1ed96 · 2017-04-09T17:35:00.000+03:00
diff --git a/src/BlackBoneDrv/Inject.c b/src/BlackBoneDrv/Inject.c
@@ -1,6 +1,7 @@
 #include "Private.h"
 #include "Routines.h"
 #include "Loader.h"
+#include "Utils.h"
 #include <Ntstrsafe.h>
 
 #define CALL_COMPLETE   0xC0371E7E
@@ -56,13 +57,11 @@ NTSTATUS BBInjectDll( IN PINJECT_DLL pData )
         PVOID LdrLoadDll = NULL;
         PVOID systemBuffer = NULL;
         BOOLEAN isWow64 = (PsGetProcessWow64Process( pProcess ) != NULL) ? TRUE : FALSE;
-        LARGE_INTEGER procTimeout = { 0 };
 
         // Process in signaled state, abort any operations
-        if (KeWaitForSingleObject( pProcess, Executive, KernelMode, FALSE, &procTimeout ) == STATUS_WAIT_0)
+        if (BBCheckProcessTermination( PsGetCurrentProcess() ))
         {
             DPRINT( "BlackBone: %s: Process %u is terminating. Abort\n", __FUNCTION__, pData->pid );
-
             if (pProcess)
                 ObDereferenceObject( pProcess );
 
@@ -109,8 +108,7 @@ NTSTATUS BBInjectDll( IN PINJECT_DLL pData )
                     );
             }
             __except (EXCEPTION_EXECUTE_HANDLER){
-                DPRINT( "BlackBone: %s: Fatal exception in BBMapUserImage. Exception code 0x%x\n", 
-                        __FUNCTION__, GetExceptionCode() );
+                DPRINT( "BlackBone: %s: Fatal exception in BBMapUserImage. Exception code 0x%x\n", __FUNCTION__, GetExceptionCode() );
             }
 
             KeUnstackDetachProcess( &apc );
@@ -384,11 +382,23 @@ NTSTATUS BBApcInject( IN PINJECT_BUFFER pUserBuf, IN HANDLE pid, IN ULONG initRV
             LARGE_INTEGER interval = { 0 };
             interval.QuadPart = -(5LL * 10 * 1000);
 
-            for (ULONG i = 0; pUserBuf->complete != CALL_COMPLETE && i < 10000; i++)
-                KeDelayExecutionThread( KernelMode, FALSE, &interval );
+            for (ULONG i = 0; i < 10000; i++)
+            {
+                if (BBCheckProcessTermination( PsGetCurrentProcess() ) || PsIsThreadTerminating( pThread ))
+                {
+                    status = STATUS_PROCESS_IS_TERMINATING;
+                    break;
+                }
+
+                if(pUserBuf->complete == CALL_COMPLETE)
+                    break;
+
+                if (!NT_SUCCESS( status = KeDelayExecutionThread( KernelMode, FALSE, &interval ) ))
+                    break;
+            }
 
             // Call init routine
-            if (pUserBuf->module != 0 && initRVA != 0)
+            if (NT_SUCCESS( status ) && pUserBuf->module != 0 && initRVA != 0)
             {
                 RtlCopyMemory( (PUCHAR)pUserBuf->buffer, InitArg, sizeof( pUserBuf->buffer ) );
                 BBQueueUserApc( pThread, (PUCHAR)pUserBuf->module + initRVA, pUserBuf->buffer, NULL, NULL, TRUE );
@@ -397,8 +407,8 @@ NTSTATUS BBApcInject( IN PINJECT_BUFFER pUserBuf, IN HANDLE pid, IN ULONG initRV
                 interval.QuadPart = -(100LL * 10 * 1000);
                 KeDelayExecutionThread( KernelMode, FALSE, &interval );
             }
-            else if (pUserBuf->module == 0)
-                DPRINT( "BlackBone: %s: Module base = 0. Aborting\n", __FUNCTION__ );
+            else
+                DPRINT( "BlackBone: %s: APC injection abnormal termination, status 0x%X\n", __FUNCTION__, status );
         }
     }
     else
diff --git a/src/BlackBoneDrv/MMap.c b/src/BlackBoneDrv/MMap.c
@@ -80,7 +80,8 @@ NTSTATUS BBResolveSxS( IN PMMAP_CONTEXT pContext, IN PUNICODE_STRING name, OUT P
 /// </summary>
 /// <param name="pContext">Map context</param>
 /// <param name="noTLS">If TRUE - TLS callbacks will no be invoked</param>
-void BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS );
+/// <returns>Status code</returns>
+NTSTATUS BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS );
 
 /// <summary>
 /// Call TLS callbacks
@@ -295,11 +296,11 @@ NTSTATUS BBMapUserImage(
     if (NT_SUCCESS( status ))
     {
         __try{
-            BBCallInitializers( &context, (flags & KNoTLS) != 0 );
+            status = BBCallInitializers( &context, (flags & KNoTLS) != 0 );
         }
         __except (EXCEPTION_EXECUTE_HANDLER) {
-            DPRINT( "BlackBone: %s: Exception during initialization phase.Exception code 0x%X\n", __FUNCTION__, GetExceptionCode() );
-            status = STATUS_UNHANDLED_EXCEPTION;
+            status = GetExceptionCode();
+            DPRINT( "BlackBone: %s: Exception during initialization phase.Exception code 0x%X\n", __FUNCTION__, status );
         }
     }
 
@@ -318,7 +319,8 @@ NTSTATUS BBMapUserImage(
     // Event
     if (context.pSync)
         ObDereferenceObject( context.pSync );
-    if (context.hSync)
+
+    if (context.hSync && !BBCheckProcessTermination( PsGetCurrentProcess() ))
         ZwClose( context.hSync );
 
     // Worker thread
@@ -1194,7 +1196,8 @@ NTSTATUS BBResolveImagePath(
 /// </summary>
 /// <param name="pContext">Map context</param>
 /// <param name="noTLS">If TRUE - TLS callbacks will no be invoked</param>
-void BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS )
+/// <returns>Status code</returns>
+NTSTATUS BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS )
 {
     for (PLIST_ENTRY pListEntry = pContext->modules.Flink; pListEntry != &pContext->modules; pListEntry = pListEntry->Flink)
     {
@@ -1209,10 +1212,18 @@ void BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS )
         if (noTLS == FALSE)
             BBCallTlsInitializers( pContext, pEntry->baseAddress );
 
+        NTSTATUS status = STATUS_SUCCESS;
         if (HEADER_VAL_T( pHeaders, AddressOfEntryPoint ))
         {
             PUCHAR entrypoint = pEntry->baseAddress + HEADER_VAL_T( pHeaders, AddressOfEntryPoint );
-            BBCallRoutine( FALSE, pContext, entrypoint, 3, pEntry->baseAddress, (PVOID)1, NULL );
+            status = BBCallRoutine( FALSE, pContext, entrypoint, 3, pEntry->baseAddress, (PVOID)1, NULL );
+        }
+
+        // Check if process is terminating
+        if (status != STATUS_SUCCESS && BBCheckProcessTermination( PsGetCurrentProcess() ))
+        {
+            DPRINT( "BlackBone: %s: Process is terminating, map aborted\n", __FUNCTION__ );
+            return STATUS_PROCESS_IS_TERMINATING;
         }
 
         //
@@ -1270,6 +1281,8 @@ void BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS )
 
         pEntry->initialized = TRUE;
     }
+
+    return STATUS_SUCCESS;
 }
 
 /// <summary>
@@ -1692,7 +1705,7 @@ NTSTATUS BBCallRoutine( IN BOOLEAN newThread, IN PMMAP_CONTEXT pContext, IN PVOI
 
     if (newThread)
     {
-        status = BBExecuteInNewThread( pContext->userMem->code, NULL, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, TRUE, NULL );
+        status = BBExecuteInNewThread( pContext->userMem->code, NULL, 0/*THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER*/, TRUE, NULL );
     }
     else
     {
diff --git a/src/BlackBoneDrv/Remap.c b/src/BlackBoneDrv/Remap.c
@@ -1,4 +1,5 @@
 #include "Remap.h"
+#include "Utils.h"
 #include <Ntstrsafe.h>
 
 RTL_AVL_TABLE g_ProcessPageTables;      // Mapping table
@@ -686,7 +687,6 @@ NTSTATUS BBMapMemory( IN PMAP_MEMORY pRemap, OUT PPROCESS_MAP_ENTRY* ppEntry )
     PROCESS_MAP_ENTRY processEntry = { 0 };
     PPROCESS_MAP_ENTRY pFoundEntry = NULL;
     BOOLEAN newEntry = FALSE;
-    LARGE_INTEGER timeout = { 0 };
 
     // Sanity checks
     // Can't remap self
@@ -707,7 +707,7 @@ NTSTATUS BBMapMemory( IN PMAP_MEMORY pRemap, OUT PPROCESS_MAP_ENTRY* ppEntry )
     }
 
     // Process in signaled state, abort any operations
-    if (KeWaitForSingleObject( pProcess, Executive, KernelMode, FALSE, &timeout ) == STATUS_WAIT_0)
+    if (BBCheckProcessTermination( pProcess ))
     {
         DPRINT( "BlackBone: %s: Process %u is terminating. Abort\n", __FUNCTION__, processEntry.target.pid );
 
@@ -815,7 +815,6 @@ NTSTATUS BBMapMemoryRegion( IN PMAP_MEMORY_REGION pRegion, OUT PMAP_MEMORY_REGIO
     BOOLEAN alreadyExists = FALSE;
     ULONG_PTR removedBase = 0;
     ULONG removedSize = 0;
-    LARGE_INTEGER timeout = { 0 };
 
     // Don't allow remapping of kernel addresses
     if (pRegion->base >= (ULONGLONG)MM_HIGHEST_USER_ADDRESS || pRegion->base + pRegion->size > (ULONGLONG)MM_HIGHEST_USER_ADDRESS)
@@ -842,7 +841,7 @@ NTSTATUS BBMapMemoryRegion( IN PMAP_MEMORY_REGION pRegion, OUT PMAP_MEMORY_REGIO
     }
 
     // Process in signaled state, abort any operations
-    if (KeWaitForSingleObject( pProcess, Executive, KernelMode, FALSE, &timeout ) == STATUS_WAIT_0)
+    if (BBCheckProcessTermination( pProcess ))
     {
         DPRINT( "BlackBone: %s: Process %u is terminating. Abort\n", __FUNCTION__, processEntry.target.pid );
 
@@ -995,7 +994,6 @@ NTSTATUS BBUnmapMemoryRegion( IN PUNMAP_MEMORY_REGION pRegion )
     PPROCESS_MAP_ENTRY pFoundEntry = NULL;
     PMAP_ENTRY pPageEntry = NULL;
     PEPROCESS pProcess = NULL;
-    LARGE_INTEGER timeout = { 0 };
     ULONG pageCount = ADDRESS_AND_SIZE_TO_SPAN_PAGES(pRegion->base, pRegion->size);
 
     // Sanity check
@@ -1013,7 +1011,7 @@ NTSTATUS BBUnmapMemoryRegion( IN PUNMAP_MEMORY_REGION pRegion )
     }
 
     // Process in signaled state, abort any operations
-    if (KeWaitForSingleObject( pProcess, Executive, KernelMode, FALSE, &timeout ) == STATUS_WAIT_0)
+    if (BBCheckProcessTermination( pProcess ))
     {
         DPRINT( "BlackBone: %s: Process %u is terminating. Abort\n", __FUNCTION__, pRegion->pid );
 
@@ -1107,8 +1105,6 @@ VOID BBCleanupPageList( IN BOOLEAN attached, IN PLIST_ENTRY pList )
 /// <returns>Status code</returns>
 NTSTATUS BBSafeHandleClose( IN PEPROCESS pProcess, IN HANDLE handle, IN KPROCESSOR_MODE mode )
 {
-    LARGE_INTEGER timeout = { 0 };
-
     ASSERT( pProcess != NULL );
     if (pProcess == NULL)
         return STATUS_INVALID_PARAMETER;
@@ -1117,7 +1113,7 @@ NTSTATUS BBSafeHandleClose( IN PEPROCESS pProcess, IN HANDLE handle, IN KPROCESS
     // If process is in signaled state, ObjectTable is already NULL
     // Thus is will lead to crash in ObCloseHandle->ExpLookupHandleTableEntry
     //
-    if (KeWaitForSingleObject( pProcess, Executive, KernelMode, FALSE, &timeout ) == STATUS_WAIT_0)
+    if (BBCheckProcessTermination( pProcess ))
         return STATUS_PROCESS_IS_TERMINATING;
 
     return ObCloseHandle( handle, mode );
diff --git a/src/BlackBoneDrv/Utils.c b/src/BlackBoneDrv/Utils.c
@@ -224,6 +224,17 @@ NTSTATUS BBSearchPattern( IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR le
     return STATUS_NOT_FOUND;
 }
 
+/// <summary>
+/// Check if process is terminating
+/// </summary>
+/// <param name="imageBase">Process</param>
+/// <returns>If TRUE - terminating</returns>
+BOOLEAN BBCheckProcessTermination( PEPROCESS pProcess )
+{
+    LARGE_INTEGER zeroTime = { 0 };
+    return KeWaitForSingleObject( pProcess, Executive, KernelMode, FALSE, &zeroTime ) == STATUS_WAIT_0;
+}
+
 ULONG GenPrologue32( IN PUCHAR pBuf )
 {
     *pBuf = 0x55;
diff --git a/src/BlackBoneDrv/Utils.h b/src/BlackBoneDrv/Utils.h
@@ -68,6 +68,13 @@ NTSTATUS BBSearchPattern( IN PCUCHAR pattern, IN UCHAR wildcard, IN ULONG_PTR le
 /// <returns>Status code</returns>
 NTSTATUS BBCreateCookie( IN PVOID imageBase );
 
+/// <summary>
+/// Check if process is terminating
+/// </summary>
+/// <param name="imageBase">Process</param>
+/// <returns>If TRUE - terminating</returns>
+BOOLEAN BBCheckProcessTermination( PEPROCESS pProcess );
+
 //
 // Machine code generation routines
 //

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,8 @@ NTSTATUS BBResolveSxS( IN PMMAP_CONTEXT pContext, IN PUNICODE_STRING name, OUT P`
`80`	`80`	`/// </summary>`
`81`	`81`	`/// <param name="pContext">Map context</param>`
`82`	`82`	`/// <param name="noTLS">If TRUE - TLS callbacks will no be invoked</param>`
`83`		`-void BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS );`
	`83`	`+/// <returns>Status code</returns>`
	`84`	`+NTSTATUS BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS );`
`84`	`85`
`85`	`86`	`/// <summary>`
`86`	`87`	`/// Call TLS callbacks`
`@@ -295,11 +296,11 @@ NTSTATUS BBMapUserImage(`
`295`	`296`	`if (NT_SUCCESS( status ))`
`296`	`297`	`{`
`297`	`298`	`__try{`
`298`		`- BBCallInitializers( &context, (flags & KNoTLS) != 0 );`
	`299`	`+ status = BBCallInitializers( &context, (flags & KNoTLS) != 0 );`
`299`	`300`	`}`
`300`	`301`	`__except (EXCEPTION_EXECUTE_HANDLER) {`
`301`		`- DPRINT( "BlackBone: %s: Exception during initialization phase.Exception code 0x%X\n", __FUNCTION__, GetExceptionCode() );`
`302`		`- status = STATUS_UNHANDLED_EXCEPTION;`
	`302`	`+ status = GetExceptionCode();`
	`303`	`+ DPRINT( "BlackBone: %s: Exception during initialization phase.Exception code 0x%X\n", __FUNCTION__, status );`
`303`	`304`	`}`
`304`	`305`	`}`
`305`	`306`
`@@ -318,7 +319,8 @@ NTSTATUS BBMapUserImage(`
`318`	`319`	`// Event`
`319`	`320`	`if (context.pSync)`
`320`	`321`	`ObDereferenceObject( context.pSync );`
`321`		`- if (context.hSync)`
	`322`	`+`
	`323`	`+ if (context.hSync && !BBCheckProcessTermination( PsGetCurrentProcess() ))`
`322`	`324`	`ZwClose( context.hSync );`
`323`	`325`
`324`	`326`	`// Worker thread`
`@@ -1194,7 +1196,8 @@ NTSTATUS BBResolveImagePath(`
`1194`	`1196`	`/// </summary>`
`1195`	`1197`	`/// <param name="pContext">Map context</param>`
`1196`	`1198`	`/// <param name="noTLS">If TRUE - TLS callbacks will no be invoked</param>`
`1197`		`-void BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS )`
	`1199`	`+/// <returns>Status code</returns>`
	`1200`	`+NTSTATUS BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS )`
`1198`	`1201`	`{`
`1199`	`1202`	`for (PLIST_ENTRY pListEntry = pContext->modules.Flink; pListEntry != &pContext->modules; pListEntry = pListEntry->Flink)`
`1200`	`1203`	`{`
`@@ -1209,10 +1212,18 @@ void BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS )`
`1209`	`1212`	`if (noTLS == FALSE)`
`1210`	`1213`	`BBCallTlsInitializers( pContext, pEntry->baseAddress );`
`1211`	`1214`
	`1215`	`+ NTSTATUS status = STATUS_SUCCESS;`
`1212`	`1216`	`if (HEADER_VAL_T( pHeaders, AddressOfEntryPoint ))`
`1213`	`1217`	`{`
`1214`	`1218`	`PUCHAR entrypoint = pEntry->baseAddress + HEADER_VAL_T( pHeaders, AddressOfEntryPoint );`
`1215`		`- BBCallRoutine( FALSE, pContext, entrypoint, 3, pEntry->baseAddress, (PVOID)1, NULL );`
	`1219`	`+ status = BBCallRoutine( FALSE, pContext, entrypoint, 3, pEntry->baseAddress, (PVOID)1, NULL );`
	`1220`	`+ }`
	`1221`	`+`
	`1222`	`+ // Check if process is terminating`
	`1223`	`+ if (status != STATUS_SUCCESS && BBCheckProcessTermination( PsGetCurrentProcess() ))`
	`1224`	`+ {`
	`1225`	`+ DPRINT( "BlackBone: %s: Process is terminating, map aborted\n", __FUNCTION__ );`
	`1226`	`+ return STATUS_PROCESS_IS_TERMINATING;`
`1216`	`1227`	`}`
`1217`	`1228`
`1218`	`1229`	`//`
`@@ -1270,6 +1281,8 @@ void BBCallInitializers( IN PMMAP_CONTEXT pContext, IN BOOLEAN noTLS )`
`1270`	`1281`
`1271`	`1282`	`pEntry->initialized = TRUE;`
`1272`	`1283`	`}`
	`1284`	`+`
	`1285`	`+ return STATUS_SUCCESS;`
`1273`	`1286`	`}`
`1274`	`1287`
`1275`	`1288`	`/// <summary>`
`@@ -1692,7 +1705,7 @@ NTSTATUS BBCallRoutine( IN BOOLEAN newThread, IN PMMAP_CONTEXT pContext, IN PVOI`
`1692`	`1705`
`1693`	`1706`	`if (newThread)`
`1694`	`1707`	`{`
`1695`		`- status = BBExecuteInNewThread( pContext->userMem->code, NULL, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, TRUE, NULL );`
	`1708`	`+ status = BBExecuteInNewThread( pContext->userMem->code, NULL, 0/THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER/, TRUE, NULL );`
`1696`	`1709`	`}`
`1697`	`1710`	`else`
`1698`	`1711`	`{`