Merged in Dreg_fr33project/x64_dbg (pull request x64dbg#19)

Set Page Memory Rights + JIT improves (fixes and admin check)

Author: mrexodia

x64_dbg_dbg/_dbgfunctions.cpp

@@ -112,6 +112,26 @@ static bool _getjitauto(bool* jit_auto)
     return dbggetjitauto(jit_auto, notfound, NULL, NULL);
 }
 
+static bool _isprocesselevated(void)
+{
+    return IsProcessElevated();
+}
+
+static bool _getpagerights(uint* addr, char* rights)
+{
+    return dbggetpagerights(addr, rights);
+}
+
+static bool _pagerightstostring(DWORD protect, char* rights)
+{
+    return dbgpagerightstostring(protect, rights);
+}
+
+static bool _setpagerights(uint* addr, char* rights)
+{
+    return dbgsetpagerights(addr, rights);
+}
+
 static bool _getjit(char* jit, bool jit64)
 {
     arch dummy;
@@ -180,4 +200,8 @@ void dbgfunctionsinit()
     _dbgfunctions.GetJitAuto = _getjitauto;
     _dbgfunctions.GetDefJit = dbggetdefjit;
     _dbgfunctions.GetProcessList = _getprocesslist;
+    _dbgfunctions.GetPageRights = _getpagerights;
+    _dbgfunctions.SetPageRights = _setpagerights;
+    _dbgfunctions.PageRightsToString = _pagerightstostring;
+    _dbgfunctions.IsProcessElevated = _isprocesselevated;
 }

x64_dbg_dbg/_dbgfunctions.h

@@ -57,6 +57,10 @@ typedef bool (*GETJIT)(char* jit, bool x64);
 typedef bool (*GETJITAUTO)(bool*);
 typedef bool (*GETDEFJIT)(char*);
 typedef bool (*GETPROCESSLIST)(DBGPROCESSINFO** entries, int* count);
+typedef bool (*GETPAGERIGHTS)(duint*, char*);
+typedef bool (*SETPAGERIGHTS)(duint*, char*);
+typedef bool (*PAGERIGHTSTOSTRING)(DWORD, char*);
+typedef bool (*ISPROCESSELEVATED)(void);
 
 typedef struct DBGFUNCTIONS_
 {
@@ -84,6 +88,10 @@ typedef struct DBGFUNCTIONS_
     GETJIT GetJit;
     GETDEFJIT GetDefJit;
     GETPROCESSLIST GetProcessList;
+    GETPAGERIGHTS GetPageRights;
+    SETPAGERIGHTS SetPageRights;
+    PAGERIGHTSTOSTRING PageRightsToString;
+    ISPROCESSELEVATED IsProcessElevated;
 } DBGFUNCTIONS;
 
 #ifdef BUILD_DBG

x64_dbg_dbg/debugger.cpp

@@ -1480,6 +1480,22 @@ void cbDetach()
     return;
 }
 
+
+bool IsProcessElevated()
+{
+    SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
+    PSID SecurityIdentifier;
+    if(!AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &SecurityIdentifier))
+        return 0;
+
+    BOOL IsAdminMember;
+    if(!CheckTokenMembership(NULL, SecurityIdentifier, &IsAdminMember))
+        IsAdminMember = FALSE;
+
+    FreeSid(SecurityIdentifier);
+    return IsAdminMember ? true : false;
+}
+
 bool _readwritejitkey(char* jit_key_value, DWORD* jit_key_vale_size, char* key, arch arch_in, arch* arch_out, readwritejitkey_error_t* error, bool write)
 {
     DWORD key_flags;
@@ -1491,7 +1507,15 @@ bool _readwritejitkey(char* jit_key_value, DWORD* jit_key_vale_size, char* key,
         * error = ERROR_RW;
 
     if(write)
+    {
+        if(!IsProcessElevated())
+        {
+            if(error != NULL)
+                * error = ERROR_RW_NOTADMIN;
+            return false;
+        }
         key_flags = KEY_WRITE;
+    }
     else
         key_flags = KEY_READ;
 
@@ -1512,7 +1536,7 @@ bool _readwritejitkey(char* jit_key_value, DWORD* jit_key_vale_size, char* key,
 
     if(arch_in == x64)
     {
-#ifdef _WIN32
+#ifndef _WIN64
         if(!IsWow64())
         {
             if(error != NULL)
@@ -1562,6 +1586,120 @@ bool _readwritejitkey(char* jit_key_value, DWORD* jit_key_vale_size, char* key,
     return true;
 }
 
+bool dbgpagerightstostring(DWORD protect, char* rights)
+{
+    memset(rights, 0, RIGHTS_STRING);
+
+    switch(protect & 0xFF)
+    {
+    case PAGE_EXECUTE:
+        strcpy(rights, "E---");
+        break;
+    case PAGE_EXECUTE_READ:
+        strcpy(rights, "ER--");
+        break;
+    case PAGE_EXECUTE_READWRITE:
+        strcpy(rights, "ERW-");
+        break;
+    case PAGE_EXECUTE_WRITECOPY:
+        strcpy(rights, "ERWC");
+        break;
+    case PAGE_NOACCESS:
+        strcpy(rights, "----");
+        break;
+    case PAGE_READONLY:
+        strcpy(rights, "-R--");
+        break;
+    case PAGE_READWRITE:
+        strcpy(rights, "-RW-");
+        break;
+    case PAGE_WRITECOPY:
+        strcpy(rights, "-RWC");
+        break;
+    }
+
+    if(protect & PAGE_GUARD)
+        strcat(rights, "G");
+    else
+        strcat(rights, "-");
+
+    return true;
+}
+
+void dbggetpageligned(uint* addr)
+{
+#ifdef _WIN64
+    * addr &=  0xFFFFFFFFFFFFF000;
+#else // _WIN32
+    * addr &= 0xFFFFF000;
+#endif // _WIN64
+}
+
+
+bool dbgpagerightsfromstring(DWORD* protect, char* rights_string)
+{
+    if(strlen(rights_string) < 2)
+        return false;
+
+    * protect = 0;
+    if(rights_string[0] == 'G' || rights_string[0] == 'g')
+    {
+        * protect |= PAGE_GUARD;
+        rights_string++;
+    }
+
+    if(_strcmpi(rights_string, "Execute") == 0)
+        * protect |= PAGE_EXECUTE;
+    else if(_strcmpi(rights_string, "ExecuteRead") == 0)
+        * protect |= PAGE_EXECUTE_READ;
+    else if(_strcmpi(rights_string, "ExecuteReadWrite") == 0)
+        * protect |= PAGE_EXECUTE_READWRITE;
+    else if(_strcmpi(rights_string, "ExecuteWriteCopy") == 0)
+        * protect |= PAGE_EXECUTE_WRITECOPY;
+    else if(_strcmpi(rights_string, "NoAccess") == 0)
+        * protect |= PAGE_NOACCESS;
+    else if(_strcmpi(rights_string, "ReadOnly") == 0)
+        * protect |= PAGE_READONLY;
+    else if(_strcmpi(rights_string, "ReadWrite") == 0)
+        * protect |= PAGE_READWRITE;
+    else if(_strcmpi(rights_string, "WriteCopy") == 0)
+        * protect |= PAGE_WRITECOPY;
+
+    if(* protect == 0)
+        return false;
+
+    return true;
+}
+
+bool dbgsetpagerights(uint* addr, char* rights_string)
+{
+    DWORD protect;
+    DWORD old_protect;
+
+    dbggetpageligned(addr);
+
+    if(!dbgpagerightsfromstring(& protect, rights_string))
+        return false;
+
+    if(VirtualProtectEx(fdProcessInfo->hProcess, (void*)*addr, PAGE_SIZE, protect, & old_protect) == 0)
+        return false;
+
+    // ADD ME: CALL TO UPDATE MEMORY VIEW HERE :-)
+
+    return true;
+}
+
+bool dbggetpagerights(uint* addr, char* rights)
+{
+    dbggetpageligned(addr);
+
+    MEMORY_BASIC_INFORMATION mbi;
+    if(VirtualQueryEx(fdProcessInfo->hProcess, (const void*)*addr, &mbi, sizeof(mbi)) == 0)
+        return false;
+
+    return dbgpagerightstostring(mbi.Protect, rights);
+}
+
 bool dbggetjitauto(bool* auto_on, arch arch_in, arch* arch_out, readwritejitkey_error_t* rw_error_out)
 {
     char jit_entry[4];

x64_dbg_dbg/debugger.h

@@ -10,12 +10,14 @@
 #define JIT_ENTRY_DEF_SIZE (MAX_PATH + sizeof(ATTACH_CMD_LINE) + 2)
 #define JIT_ENTRY_MAX_SIZE 512
 #define JIT_REG_KEY TEXT("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug")
+#define RIGHTS_STRING (sizeof("ERWCG") + 1)
 
 typedef enum
 {
     ERROR_RW = 0,
     ERROR_RW_FILE_NOT_FOUND,
-    ERROR_RW_NOTWOW64
+    ERROR_RW_NOTWOW64,
+    ERROR_RW_NOTADMIN
 } readwritejitkey_error_t;
 
 //structures
@@ -62,12 +64,18 @@ bool dbgisignoredexception(unsigned int exception);
 bool dbgcmdnew(const char* name, CBCOMMAND cbCommand, bool debugonly);
 bool dbgcmddel(const char* name);
 bool dbggetjit(char jit_entry[JIT_ENTRY_MAX_SIZE], arch arch_in, arch* arch_out, readwritejitkey_error_t*);
+bool dbggetpagerights(uint*, char*);
+bool dbgpagerightstostring(DWORD, char*);
+void dbggetpageligned(uint*);
+bool dbgpagerightsfromstring(DWORD*, char*);
+bool dbgsetpagerights(uint*, char*);
 bool dbgsetjit(char* jit_cmd, arch arch_in, arch* arch_out, readwritejitkey_error_t*);
 bool dbggetdefjit(char* jit_entry);
 bool _readwritejitkey(char*, DWORD*, char*, arch, arch*, readwritejitkey_error_t*, bool);
 bool dbggetjitauto(bool*, arch, arch*, readwritejitkey_error_t*);
 bool dbgsetjitauto(bool, arch, arch*, readwritejitkey_error_t*);
 bool dbglistprocesses(std::vector<PROCESSENTRY32>* list);
+bool IsProcessElevated();
 
 void cbStep();
 void cbRtrStep();

x64_dbg_dbg/debugger_commands.cpp

@@ -1437,6 +1437,11 @@ CMDRESULT cbDebugSetJITAuto(int argc, char* argv[])
 {
     arch actual_arch;
     bool set_jit_auto;
+    if(!IsProcessElevated())
+    {
+        dprintf("Error run the debugger as Admin to setjitauto\n");
+        return STATUS_ERROR;
+    }
     if(argc < 2)
     {
         dprintf("Error setting JIT Auto. Use ON:1 or OFF:0 arg or x64/x32, ON:1 or OFF:0.\n");
@@ -1512,6 +1517,11 @@ CMDRESULT cbDebugSetJIT(int argc, char* argv[])
     arch actual_arch;
     char* jit_debugger_cmd;
     char oldjit[MAX_SETTING_SIZE] = "";
+    if(!IsProcessElevated())
+    {
+        dprintf("Error run the debugger as Admin to setjit\n");
+        return STATUS_ERROR;
+    }
     if(argc < 2)
     {
         char path[JIT_ENTRY_DEF_SIZE];
@@ -1619,7 +1629,7 @@ CMDRESULT cbDebugSetJIT(int argc, char* argv[])
             if(rw_error == ERROR_RW_NOTWOW64)
                 dprintf("Error using x64 arg. The debugger is not a WOW64 process\n");
             else
-                dprintf("Error getting JIT %s\n", (actual_arch == x64) ? "x64" : "x32");
+                dprintf("Error setting JIT %s\n", (actual_arch == x64) ? "x64" : "x32");
             return STATUS_ERROR;
         }
     }
@@ -1686,5 +1696,55 @@ CMDRESULT cbDebugGetJIT(int argc, char* argv[])
 
     dprintf("JIT %s: %s\n", (actual_arch == x64) ? "x64" : "x32", get_entry);
 
+    return STATUS_CONTINUE;
+}
+
+CMDRESULT cbDebugGetPageRights(int argc, char* argv[])
+{
+    uint addr = 0;
+    char rights[RIGHTS_STRING];
+
+    if(argc != 2 || !valfromstring(argv[1], &addr))
+    {
+        dprintf("Error: using an address as arg1\n");
+        return STATUS_ERROR;
+    }
+
+    if(!dbggetpagerights(&addr, rights))
+    {
+        dprintf("Error getting rights of page: %s\n", argv[1]);
+        return STATUS_ERROR;
+    }
+
+    dprintf("Page: "fhex", Rights: %s\n", addr, rights);
+
+    return STATUS_CONTINUE;
+}
+
+CMDRESULT cbDebugSetPageRights(int argc, char* argv[])
+{
+    uint addr = 0;
+    char rights[RIGHTS_STRING];
+
+    if(argc != 3 || !valfromstring(argv[1], &addr))
+    {
+        dprintf("Error: using an address as arg1 and as arg2: Execute, ExecuteRead, ExecuteReadWrite, ExecuteWriteCopy, NoAccess, ReadOnly, ReadWrite, WriteCopy. You can add a G at first for add PAGE GUARD, example: GReadOnly\n");
+        return STATUS_ERROR;
+    }
+
+    if(!dbgsetpagerights(&addr, argv[2]))
+    {
+        dprintf("Error: Set rights of "fhex" with Rights: %s\n", addr, argv[2]);
+        return STATUS_ERROR;
+    }
+
+    if(!dbggetpagerights(&addr, rights))
+    {
+        dprintf("Error getting rights of page: %s\n", argv[1]);
+        return STATUS_ERROR;
+    }
+
+    dprintf("New rights of "fhex": %s\n", addr, rights);
+
     return STATUS_CONTINUE;
 }

x64_dbg_dbg/debugger_commands.h

@@ -55,5 +55,7 @@ CMDRESULT cbDebugDisableHardwareBreakpoint(int argc, char* argv[]);
 CMDRESULT cbDebugEnableMemoryBreakpoint(int argc, char* argv[]);
 CMDRESULT cbDebugDisableMemoryBreakpoint(int argc, char* argv[]);
 CMDRESULT cbDebugDownloadSymbol(int argc, char* argv[]);
+CMDRESULT cbDebugGetPageRights(int argc, char* argv[]);
+CMDRESULT cbDebugSetPageRights(int argc, char* argv[]);
 
 #endif //_DEBUGGER_COMMANDS_H

x64_dbg_dbg/x64_dbg.cpp

@@ -162,6 +162,8 @@ static void registercommands()
     dbgcmdnew("alloc", cbDebugAlloc, true); //allocate memory
     dbgcmdnew("free", cbDebugFree, true); //free memory
     dbgcmdnew("Fill\1memset", cbDebugMemset, true); //memset
+    dbgcmdnew("getpagerights\1getrightspage", cbDebugGetPageRights, true);
+    dbgcmdnew("setpagerights\1setrightspage", cbDebugSetPageRights, true);
 
     //plugins
     dbgcmdnew("StartScylla\1scylla\1imprec", cbDebugStartScylla, false); //start scylla