One time global initialization

Author: DarthTon

src/BlackBone/BlackBone.vcxproj

@@ -567,6 +567,7 @@
     <ClCompile Include="ManualMap\MMap.cpp" />
     <ClCompile Include="ManualMap\Native\NtLoader.cpp" />
     <ClCompile Include="Misc\DynImport.cpp" />
+    <ClCompile Include="Misc\InitOnce.cpp" />
     <ClCompile Include="Misc\NameResolve.cpp" />
     <ClCompile Include="Misc\Utils.cpp" />
     <ClCompile Include="Patterns\PatternSearch.cpp" />
@@ -661,6 +662,7 @@
     <ClInclude Include="ManualMap\MMap.h" />
     <ClInclude Include="ManualMap\Native\NtLoader.h" />
     <ClInclude Include="Misc\DynImport.h" />
+    <ClInclude Include="Misc\InitOnce.h" />
     <ClInclude Include="Misc\NameResolve.h" />
     <ClInclude Include="Misc\Thunk.hpp" />
     <ClInclude Include="Misc\Trace.hpp" />

src/BlackBone/BlackBone.vcxproj.filters

@@ -192,6 +192,9 @@
     <ClCompile Include="Process\RPC\RemoteLocalHook.cpp">
       <Filter>Process\Remote</Filter>
     </ClCompile>
+    <ClCompile Include="Misc\InitOnce.cpp">
+      <Filter>Misc</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Config.h" />
@@ -441,5 +444,8 @@
     <ClInclude Include="Process\MultPtr.hpp">
       <Filter>Process</Filter>
     </ClInclude>
+    <ClInclude Include="Misc\InitOnce.h">
+      <Filter>Misc</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>

src/BlackBone/DriverControl/DriverControl.cpp

@@ -12,16 +12,8 @@ namespace blackbone
 
 DriverControl::DriverControl()
 {
-    HMODULE ntdll = GetModuleHandleW( L"ntdll.dll" );
-
-    LOAD_IMPORT( "NtLoadDriver", ntdll );
-    LOAD_IMPORT( "NtUnloadDriver", ntdll );
-    LOAD_IMPORT( "RtlDosPathNameToNtPathName_U", ntdll );
-    LOAD_IMPORT( "RtlInitUnicodeString", ntdll );
-    LOAD_IMPORT( "RtlFreeUnicodeString", ntdll );
 }
 
-
 DriverControl::~DriverControl()
 {
     //Unload();

src/BlackBone/ManualMap/Native/NtLoader.cpp

@@ -14,12 +14,6 @@ namespace blackbone
 NtLdr::NtLdr( Process& proc )
     : _process( proc )
 {
-    HMODULE hNtdll = GetModuleHandleW( L"ntdll.dll" );
-
-    LOAD_IMPORT( "RtlInitUnicodeString",   hNtdll );
-    LOAD_IMPORT( "RtlHashUnicodeString",   hNtdll );
-    LOAD_IMPORT( "RtlUpcaseUnicodeChar",   hNtdll );
-    LOAD_IMPORT( "RtlEncodeSystemPointer", hNtdll );
 }
 
 NtLdr::~NtLdr(void)

src/BlackBone/Misc/InitOnce.cpp

@@ -0,0 +1,121 @@
+#include "InitOnce.h"
+#include "../Include/Winheaders.h"
+#include "../Include/Macro.h"
+#include "DynImport.h"
+
+#include <string>
+#include <cassert>
+
+namespace blackbone
+{
+
+class InitOnce
+{
+public:
+    static bool Exec()
+    {
+        if(!_done)
+        {
+            GrantPriviledge( SE_DEBUG_NAME );
+            GrantPriviledge( SE_LOAD_DRIVER_NAME );
+            LoadFuncs();
+            _done = true;
+        }
+
+        return _done;
+    }
+
+private:
+    InitOnce() = delete;
+    InitOnce( const InitOnce& ) = delete;
+    InitOnce& operator=( const InitOnce& ) = delete;
+
+    /// <summary>
+    /// Grant current process arbitrary privilege
+    /// </summary>
+    /// <param name="name">Privilege name</param>
+    /// <returns>Status</returns>
+    static NTSTATUS GrantPriviledge( const std::wstring& name )
+    {
+        TOKEN_PRIVILEGES Priv, PrivOld;
+        DWORD cbPriv = sizeof( PrivOld );
+        HANDLE hToken;
+
+        if (!OpenThreadToken( GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken ))
+        {
+            if (GetLastError() != ERROR_NO_TOKEN)
+                return LastNtStatus();
+
+            if (!OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken ))
+                return LastNtStatus();
+        }
+
+        Priv.PrivilegeCount = 1;
+        Priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+        LookupPrivilegeValueW( NULL, name.c_str(), &Priv.Privileges[0].Luid );
+
+        if (!AdjustTokenPrivileges( hToken, FALSE, &Priv, sizeof( Priv ), &PrivOld, &cbPriv ))
+        {
+            CloseHandle( hToken );
+            return LastNtStatus();
+        }
+
+        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
+        {
+            CloseHandle( hToken );
+            return LastNtStatus();
+        }
+
+        CloseHandle( hToken );
+        return STATUS_SUCCESS;
+    }
+
+    static void LoadFuncs()
+    {
+        HMODULE hNtdll = GetModuleHandleW( L"ntdll.dll" );
+        HMODULE hKernel32 = GetModuleHandleW( L"kernel32.dll" );
+
+        LOAD_IMPORT( "NtQuerySystemInformation",                 hNtdll );
+        LOAD_IMPORT( "RtlDosApplyFileIsolationRedirection_Ustr", hNtdll );
+        LOAD_IMPORT( "RtlInitUnicodeString",                     hNtdll );
+        LOAD_IMPORT( "RtlFreeUnicodeString",                     hNtdll );
+        LOAD_IMPORT( "RtlHashUnicodeString",                     hNtdll );
+        LOAD_IMPORT( "RtlUpcaseUnicodeChar",                     hNtdll );
+        LOAD_IMPORT( "NtQueryInformationProcess",                hNtdll );
+        LOAD_IMPORT( "NtSetInformationProcess",                  hNtdll );
+        LOAD_IMPORT( "NtQueryInformationThread",                 hNtdll );
+        LOAD_IMPORT( "NtDuplicateObject",                        hNtdll );
+        LOAD_IMPORT( "NtQueryObject",                            hNtdll );
+        LOAD_IMPORT( "NtQuerySection",                           hNtdll );
+        LOAD_IMPORT( "RtlCreateActivationContext",               hNtdll );
+        LOAD_IMPORT( "NtQueryVirtualMemory",                     hNtdll );
+        LOAD_IMPORT( "NtCreateThreadEx",                         hNtdll );
+        LOAD_IMPORT( "NtLockVirtualMemory",                      hNtdll );
+        LOAD_IMPORT( "NtSuspendProcess",                         hNtdll );
+        LOAD_IMPORT( "NtResumeProcess",                          hNtdll );
+        LOAD_IMPORT( "RtlImageNtHeader",                         hNtdll );
+        LOAD_IMPORT( "NtLoadDriver",                             hNtdll );
+        LOAD_IMPORT( "NtUnloadDriver",                           hNtdll );
+        LOAD_IMPORT( "RtlDosPathNameToNtPathName_U",             hNtdll );
+        LOAD_IMPORT( "NtOpenEvent",                              hNtdll );
+        LOAD_IMPORT( "NtCreateEvent",                            hNtdll );
+        LOAD_IMPORT( "NtQueueApcThread",                         hNtdll );
+        LOAD_IMPORT( "RtlEncodeSystemPointer",                   hNtdll );
+        LOAD_IMPORT( "NtWow64QueryInformationProcess64",         hNtdll );
+        LOAD_IMPORT( "NtWow64ReadVirtualMemory64",               hNtdll );
+        LOAD_IMPORT( "NtWow64WriteVirtualMemory64",              hNtdll );
+        LOAD_IMPORT( "Wow64GetThreadContext",                    hKernel32 );
+        LOAD_IMPORT( "Wow64SetThreadContext",                    hKernel32 );
+        LOAD_IMPORT( "Wow64SuspendThread",                       hKernel32 );
+        LOAD_IMPORT( "GetProcessDEPPolicy",                      hKernel32 );
+        LOAD_IMPORT( "QueryFullProcessImageNameW",               hKernel32 );
+    }
+
+private:
+    static bool _done;
+};
+
+bool InitOnce::_done = false;
+const bool g_Initialized = InitOnce::Exec();
+
+}

src/BlackBone/Misc/InitOnce.h

@@ -0,0 +1,5 @@
+#pragma once
+namespace blackbone
+{
+extern const bool g_Initialized;
+}

src/BlackBone/Misc/NameResolve.cpp

@@ -13,12 +13,6 @@ namespace blackbone
 
 NameResolve::NameResolve()
 {
-    HMODULE ntdll = GetModuleHandleW( L"ntdll.dll" );
-
-    LOAD_IMPORT( "NtQuerySystemInformation", ntdll );
-    LOAD_IMPORT( "RtlDosApplyFileIsolationRedirection_Ustr", ntdll );
-    LOAD_IMPORT( "RtlInitUnicodeString", ntdll );
-    LOAD_IMPORT( "RtlFreeUnicodeString", ntdll );
 }
 
 NameResolve::~NameResolve()

src/BlackBone/Misc/Utils.cpp

@@ -122,7 +122,7 @@ std::wstring Utils::GetExeDirectory()
     wchar_t imgName[MAX_PATH] = { 0 };
     DWORD len = ARRAYSIZE(imgName);
 
-    auto pFunc = reinterpret_cast<fnQueryFullProcessImageNameW>(LOAD_IMPORT( "QueryFullProcessImageNameW", L"kernel32.dll" ));
+    auto pFunc = GET_IMPORT( QueryFullProcessImageNameW );
     if (pFunc != nullptr)
         pFunc( GetCurrentProcess(), 0, imgName, &len );
     else

src/BlackBone/Process/Process.cpp

@@ -20,10 +20,11 @@ Process::Process()
     , _mmap( *this )
     , _nativeLdr( *this )
 {
-    GrantPriviledge( SE_DEBUG_NAME );
-    GrantPriviledge( SE_LOAD_DRIVER_NAME );
+    // Ensure InitOnce is called
+    auto i = g_Initialized;
+    UNREFERENCED_PARAMETER( i );
 
-    NameResolve::Instance().Initialize(); 
+    NameResolve::Instance().Initialize();
 }
 
 Process::~Process(void)
@@ -340,47 +341,6 @@ NTSTATUS Process::EnumHandles( std::vector<HandleInfo>& handles )
     return status;
 }
 
-
-/// <summary>
-/// Grant current process arbitrary privilege
-/// </summary>
-/// <param name="name">Privilege name</param>
-/// <returns>Status</returns>
-NTSTATUS Process::GrantPriviledge( const std::basic_string<TCHAR>& name )
-{
-    TOKEN_PRIVILEGES Priv, PrivOld;
-    DWORD cbPriv = sizeof(PrivOld);
-    HANDLE hToken;
-
-    if (!OpenThreadToken( GetCurrentThread(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, FALSE, &hToken ))
-    {
-        if (GetLastError() != ERROR_NO_TOKEN)
-            return LastNtStatus();
-
-        if (!OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken ))
-            return LastNtStatus();
-    }
-
-    Priv.PrivilegeCount = 1;
-    Priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-    LookupPrivilegeValue( NULL, name.c_str(), &Priv.Privileges[0].Luid );
-
-    if (!AdjustTokenPrivileges( hToken, FALSE, &Priv, sizeof(Priv), &PrivOld, &cbPriv ))
-    {
-        CloseHandle( hToken );
-        return LastNtStatus();
-    }
-
-    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
-    {
-        CloseHandle( hToken );
-        return LastNtStatus();
-    }
-    
-    CloseHandle( hToken );
-    return STATUS_SUCCESS;
-}
-
 /// <summary>
 /// Search for process by executable name
 /// </summary>

src/BlackBone/Process/Process.h

@@ -11,6 +11,7 @@
 #include "../ManualMap/MMap.h"
 
 #include "../Include/NativeStructures.h"
+#include "../Misc/InitOnce.h"
 
 #include <string>
 #include <list>
@@ -212,15 +213,9 @@ class Process
     BLACKBONE_API inline NtLdr&           nativeLdr()  { return _nativeLdr;  }  // Native loader routines
 
 private:
-    /// <summary>
-    /// Grant current process arbitrary privilege
-    /// </summary>
-    /// <param name="name">Privilege name</param>
-    /// <returns>Status</returns>
-    NTSTATUS GrantPriviledge( const std::basic_string<TCHAR>& name );
-
     Process(const Process&) = delete;
     Process& operator =(const Process&) = delete;
+
 private:
     ProcessCore     _core;          // Core routines and native subsystem
     ProcessModules  _modules;       // Module management

src/BlackBone/Process/ProcessCore.cpp

@@ -14,7 +14,6 @@ namespace blackbone
 ProcessCore::ProcessCore()
     : _native( nullptr )
 {
-    LOAD_IMPORT( "GetProcessDEPPolicy", L"kernel32.dll" );
 }
 
 ProcessCore::~ProcessCore()

src/BlackBone/Process/RPC/RemoteExec.cpp

@@ -19,9 +19,6 @@ RemoteExec::RemoteExec( Process& proc )
     , _hWaitEvent( NULL )
     , _apcPatched( false )
 {
-    LOAD_IMPORT( "NtOpenEvent", L"ntdll.dll" );
-    LOAD_IMPORT( "NtCreateEvent", L"ntdll.dll" );
-    LOAD_IMPORT( "NtQueueApcThread", L"ntdll.dll" );
 }
 
 RemoteExec::~RemoteExec()

src/BlackBone/Process/RPC/RemoteMemory.h

@@ -156,7 +156,7 @@ class RemoteMemory
     PageContext* _pSharedData = nullptr;    // Hook related data, shared between processes
     ptr_t _targetShare = 0;                 // Address of shared in data in target process
     bool _active = false;                   // Hook thread activity flag
-    bool _hooked[4];                        // Hook state
+    bool _hooked[4] = { 0 };                // Hook state
 };
 
 }

src/BlackBone/Subsystem/NativeSubsystem.cpp

@@ -41,27 +41,7 @@ Native::Native( HANDLE hProcess, bool x86OS /*= false*/ )
             _wowBarrier.type = wow_32_64;
         else
             _wowBarrier.type = wow_64_32;
-    }
-
-    HMODULE hNtdll = GetModuleHandleW( L"ntdll.dll" );
-    HMODULE hKernel32 = GetModuleHandleW( L"kernel32.dll" );
-    
-    LOAD_IMPORT( "NtQueryInformationProcess",  hNtdll );
-    LOAD_IMPORT( "NtSetInformationProcess",    hNtdll );
-    LOAD_IMPORT( "NtQueryInformationThread",   hNtdll );
-    LOAD_IMPORT( "NtDuplicateObject",          hNtdll );
-    LOAD_IMPORT( "NtQueryObject",              hNtdll );  
-    LOAD_IMPORT( "NtQuerySection",             hNtdll );
-    LOAD_IMPORT( "RtlCreateActivationContext", hNtdll );
-    LOAD_IMPORT( "NtQueryVirtualMemory",       hNtdll );
-    LOAD_IMPORT( "NtCreateThreadEx",           hNtdll );
-    LOAD_IMPORT( "NtLockVirtualMemory",        hNtdll );
-    LOAD_IMPORT( "NtSuspendProcess",           hNtdll );
-    LOAD_IMPORT( "NtResumeProcess",            hNtdll );
-    LOAD_IMPORT( "RtlImageNtHeader",           hNtdll );
-    LOAD_IMPORT( "Wow64GetThreadContext",      hKernel32 );
-    LOAD_IMPORT( "Wow64SetThreadContext",      hKernel32 );
-    LOAD_IMPORT( "Wow64SuspendThread",         hKernel32 );    
+    } 
 }
 
 /*

src/BlackBone/Subsystem/Wow64Subsystem.cpp

@@ -8,13 +8,6 @@ namespace blackbone
 NativeWow64::NativeWow64( HANDLE hProcess )
     : Native( hProcess )
 {
-    HMODULE ntdll32 = GetModuleHandleW( L"Ntdll.dll" );
-
-    LOAD_IMPORT( "NtWow64QueryInformationProcess64", ntdll32 );
-    LOAD_IMPORT( "NtWow64AllocateVirtualMemory64",   ntdll32 );
-    LOAD_IMPORT( "NtWow64QueryVirtualMemory64",      ntdll32 );
-    LOAD_IMPORT( "NtWow64ReadVirtualMemory64",       ntdll32 );
-    LOAD_IMPORT( "NtWow64WriteVirtualMemory64",      ntdll32 );
 }
 
 NativeWow64::~NativeWow64()