DotNetTools: Add .NET6 auxiliary provider support

Author: dmex

plugins/DotNetTools/clrsup.c

@@ -84,13 +84,10 @@ VOID FreeClrProcessSupport(
     _In_ PCLR_PROCESS_SUPPORT Support
     )
 {
-    if (Support->DataProcess)
-        IXCLRDataProcess_Release(Support->DataProcess);
-    if (Support->DataTarget)
-        ICLRDataTarget_Release(Support->DataTarget);
-
-    if (Support->DacDllBase)
-        FreeLibrary(Support->DacDllBase);
+    if (Support->DataProcess) IXCLRDataProcess_Release(Support->DataProcess);
+    // Free the library here so we can cleanup in ICLRDataTarget_Release. (dmex)
+    if (Support->DacDllBase) FreeLibrary(Support->DacDllBase);
+    if (Support->DataTarget) ICLRDataTarget_Release(Support->DataTarget);
 
     PhFree(Support);
 }
@@ -1127,11 +1124,11 @@ BOOLEAN DnGetProcessCoreClrPath(
 
     if (!context.FileName)
     {
-        PPH_PROCESS_ITEM processItem;
-        
         // This image is probably 'SelfContained' since we couldn't find coreclr.dll,
         // return the path to the executable so we can check the embedded CLRDEBUGINFO. (dmex)
-        
+#ifdef _WIN64
+        PPH_PROCESS_ITEM processItem;
+
         if (processItem = PhReferenceProcessItem(ProcessId))
         {
             if (!PhIsNullOrEmptyString(processItem->FileName))
@@ -1144,7 +1141,16 @@ BOOLEAN DnGetProcessCoreClrPath(
 
             PhDereferenceObject(processItem);
         }
-        
+#else
+        PPH_STRING fileName;
+
+        if (NT_SUCCESS(PhGetProcessImageFileNameByProcessId(ProcessId, &fileName)))
+        {
+            *FileName = fileName;
+            dataTarget->SelfContained = TRUE;
+            return TRUE;
+        }
+#endif
         return FALSE;
     }
 
@@ -1157,6 +1163,30 @@ BOOLEAN DnGetProcessCoreClrPath(
     return TRUE;
 }
 
+static VOID DnCleanupDacAuxiliaryProvider(
+    _In_ ICLRDataTarget* DataTarget
+    )
+{
+    DnCLRDataTarget* dataTarget = (DnCLRDataTarget*)DataTarget;
+
+    if (dataTarget->SelfContained && dataTarget->DaccorePath)
+    {
+        PPH_STRING directoryPath;
+
+        if (directoryPath = PhGetBaseDirectory(dataTarget->DaccorePath))
+        {
+            PhDeleteDirectory(directoryPath);
+            PhDereferenceObject(directoryPath);
+        }
+        else
+        {
+            PhDeleteFileWin32(PhGetString(dataTarget->DaccorePath));
+        }
+    }
+
+    PhClearReference(&dataTarget->DaccorePath);
+}
+
 static BOOLEAN DnpMscordaccoreDirectoryCallback(
     _In_ PFILE_DIRECTORY_INFORMATION Information,
     _In_ PPH_LIST DirectoryList
@@ -1180,12 +1210,13 @@ static BOOLEAN DnpMscordaccoreDirectoryCallback(
 
 PVOID DnLoadMscordaccore(
     _In_ HANDLE ProcessId,
-    _In_ ICLRDataTarget *Target
+    _In_ ICLRDataTarget *DataTarget
     )
 {
     // \dotnet\shared\Microsoft.NETCore.App\ is the same path used by the CLR for DAC detection. (dmex)
     static PH_STRINGREF mscordaccorePathSr = PH_STRINGREF_INIT(L"%ProgramFiles%\\dotnet\\shared\\Microsoft.NETCore.App\\");
     static PH_STRINGREF mscordaccoreNameSr = PH_STRINGREF_INIT(L"\\mscordaccore.dll");
+    DnCLRDataTarget* dataTarget = (DnCLRDataTarget*)DataTarget;
     PVOID mscordacBaseAddress = NULL;
     HANDLE directoryHandle;
     PPH_LIST directoryList;
@@ -1195,14 +1226,13 @@ PVOID DnLoadMscordaccore(
     ULONG dataTargetTimeStamp = 0;
     ULONG dataTargetSizeOfImage = 0;
 
-    if (DnGetProcessCoreClrPath(ProcessId, Target, &dataTargetFileName))
+    if (DnGetProcessCoreClrPath(ProcessId, DataTarget, &dataTargetFileName))
     {
         PVOID imageBaseAddress;
 
         if (NT_SUCCESS(PhLoadLibraryAsImageResource(dataTargetFileName, &imageBaseAddress)))
         {
             PCLR_DEBUG_RESOURCE debugVersionInfo;
-            //PVOID mscordaccoreDllAddress;
 
             if (PhLoadResource(
                 imageBaseAddress,
@@ -1222,23 +1252,10 @@ PVOID DnLoadMscordaccore(
                 }
             }
 
-            //if (PhLoadResource(
-            //    imageBaseAddress,
-            //    L"MINIDUMP_EMBEDDED_AUXILIARY_PROVIDER",
-            //    RT_RCDATA,
-            //    NULL,
-            //    &mscordaccoreDllAddress
-            //    ))
-            //{
-            //    // TODO: Extract mscordaccore.dll from resource and PhVerifyFile. (dmex)
-            //}
-
             PhFreeLibraryAsImageResource(imageBaseAddress);
         }
 
         dataTargetDirectory = PhGetBaseDirectory(dataTargetFileName);
-
-        PhDereferenceObject(dataTargetFileName);
     }
 
     if (!(directoryPath = PhExpandEnvironmentStrings(&mscordaccorePathSr)))
@@ -1334,7 +1351,105 @@ PVOID DnLoadMscordaccore(
         PhClearReference(&fileName);
     }
 
+    if (!mscordacBaseAddress && dataTargetFileName && dataTarget->SelfContained)
+    {
+        PVOID imageBaseAddress;
+        PVOID mscordacResourceBuffer;
+        ULONG mscordacResourceLength;
+
+        if (NT_SUCCESS(PhLoadLibraryAsImageResource(dataTargetFileName, &imageBaseAddress)))
+        {
+            if (PhLoadResource(
+                imageBaseAddress,
+                L"MINIDUMP_EMBEDDED_AUXILIARY_PROVIDER",
+                RT_RCDATA,
+                &mscordacResourceLength,
+                &mscordacResourceBuffer
+                ))
+            {
+                static PH_STRINGREF tempFilePath = PH_STRINGREF_INIT(L"%TEMP%\\");
+                NTSTATUS status;
+                HANDLE fileHandle = NULL;
+                LARGE_INTEGER allocationSize;
+                PPH_STRING tempFileName;
+                WCHAR alphaString[32] = L"";
+
+                PhGenerateRandomAlphaString(alphaString, RTL_NUMBER_OF(alphaString));
+                tempFileName = PhExpandEnvironmentStrings(&tempFilePath);
+                tempFileName = PhConcatStringRefZ(&tempFileName->sr, alphaString);
+
+                if (NT_SUCCESS(status = PhCreateDirectory(tempFileName)))
+                {
+                    PhMoveReference(&tempFileName, PhConcatStringRef2(&tempFileName->sr, &mscordaccoreNameSr));
+
+                    allocationSize.QuadPart = mscordacResourceLength;
+                    status = PhCreateFileWin32Ex(
+                        &fileHandle,
+                        PhGetString(tempFileName),
+                        FILE_GENERIC_WRITE,
+                        &allocationSize,
+                        FILE_ATTRIBUTE_NORMAL,
+                        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+                        FILE_CREATE,
+                        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY,
+                        NULL
+                        );
+                }
+
+                if (NT_SUCCESS(status) && fileHandle)
+                {
+                    IO_STATUS_BLOCK isb;
+
+                    status = NtWriteFile(
+                        fileHandle,
+                        NULL,
+                        NULL,
+                        NULL,
+                        &isb,
+                        mscordacResourceBuffer,
+                        mscordacResourceLength,
+                        NULL,
+                        NULL
+                        );
+
+                    NtClose(fileHandle);
+                }
+
+                if (NT_SUCCESS(status))
+                {
+                    VERIFY_RESULT verifyResult;
+                    PPH_STRING signerName;
+
+                    verifyResult = PhVerifyFile(
+                        PhGetString(tempFileName),
+                        &signerName
+                        );
+
+                    if (
+                        verifyResult == VrTrusted &&
+                        signerName && PhEqualString2(signerName, L"Microsoft Corporation", TRUE)
+                        )
+                    {
+                        mscordacBaseAddress = PhLoadLibrary(PhGetString(tempFileName));
+                    }
+
+                    if (mscordacBaseAddress)
+                        PhSetReference(&dataTarget->DaccorePath, tempFileName);
+                    else
+                        PhDeleteFileWin32(PhGetString(tempFileName));
+
+                    PhClearReference(&signerName);
+                }
+
+                PhClearReference(&tempFileName);
+            }
+
+            PhFreeLibraryAsImageResource(imageBaseAddress);
+        }
+    }
+
     PhClearReference(&dataTargetDirectory);
+    PhClearReference(&dataTargetFileName);
 
     return mscordacBaseAddress;
 }
@@ -1510,6 +1625,8 @@ ULONG STDMETHODCALLTYPE DnCLRDataTarget_Release(
     {
         NtClose(this->ProcessHandle);
 
+        DnCleanupDacAuxiliaryProvider(This);
+
         PhFree(this);
 
         return 0;
@@ -1615,6 +1732,7 @@ HRESULT STDMETHODCALLTYPE DnCLRDataTarget_GetImageBase(
     {
         if (this->SelfContained)
         {
+#ifdef _WIN64
             PPH_PROCESS_ITEM processItem;
             PPH_STRING baseName;
 
@@ -1639,6 +1757,29 @@ HRESULT STDMETHODCALLTYPE DnCLRDataTarget_GetImageBase(
 
                 PhDereferenceObject(processItem);
             }
+#else
+            PPH_STRING fileName;
+            PPH_STRING baseName;
+
+            if (NT_SUCCESS(PhGetProcessImageFileNameByProcessId(this->ProcessId, &fileName)))
+            {
+                if (baseName = PhGetBaseName(fileName))
+                {
+                    context.ImagePath = baseName->sr;
+                    PhEnumProcessModules(this->ProcessHandle, PhpGetImageBaseCallback, &context);
+                    PhDereferenceObject(baseName);
+
+                    if (context.BaseAddress)
+                    {
+                        *baseAddress = (CLRDATA_ADDRESS)context.BaseAddress;
+                        PhDereferenceObject(fileName);
+                        return S_OK;
+                    }
+                }
+
+                PhDereferenceObject(fileName);
+            }
+#endif
         }
 
         return E_FAIL;

plugins/DotNetTools/clrsup.h

@@ -151,6 +151,7 @@ typedef struct _DnCLRDataTarget
     BOOLEAN IsWow64;
     BOOLEAN SelfContained;
     PVOID DataTargetDllBase;
+    PPH_STRING DaccorePath;
 } DnCLRDataTarget;
 
 #define MAX_LONGPATH 1024