Add pafish_get_PEB to access PEB, adapt for 64-bit support, updated access to NumberOfProcessors via PEB
This commit is contained in:
parent
d56dea6e23
commit
6eeda58247
@ -127,13 +127,9 @@ int gensandbox_sleep_patched() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
int gensandbox_one_cpu() {
|
int gensandbox_one_cpu() {
|
||||||
DWORD NumberOfProcessors = 0;
|
struct _PEB_wine * PEB;
|
||||||
__asm__ volatile (
|
PEB = pafish_get_PEB();
|
||||||
"mov %%fs:0x18, %%eax;"
|
return PEB->NumberOfProcessors < 2 ? TRUE : FALSE;
|
||||||
"mov %%ds:0x30(%%eax), %%eax;"
|
|
||||||
"mov %%ds:0x64(%%eax), %%eax;"
|
|
||||||
: "=a"(NumberOfProcessors));
|
|
||||||
return NumberOfProcessors < 2 ? TRUE : FALSE;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int gensandbox_one_cpu_GetSystemInfo() {
|
int gensandbox_one_cpu_GetSystemInfo() {
|
||||||
|
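Review bot: gensandbox_one_cpu gives no reason for reading NumberOfProcessors straight out of the PEB when gensandbox_one_cpu_GetSystemInfo, which follows it, asks the API for the same number, so the two checks look redundant to a reader. The value of the direct read is presumably that a user-mode hook on GetSystemInfo() (the usual way a sandbox fakes the core count) does not touch a plain memory load, whereas a sandbox that rewrites the PEB field itself would still fool this path; that should be written above the function, e.g. `/* Read NumberOfProcessors from the PEB instead of GetSystemInfo(): an API hook faking the count does not affect this path, but a patched PEB still would. */`. The local is also unnecessary; `return pafish_get_PEB()->NumberOfProcessors < 2 ? TRUE : FALSE;` says the same thing in one line.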
@ -172,12 +172,10 @@ int main(void)
|
|||||||
&gensandbox_sleep_patched,
|
&gensandbox_sleep_patched,
|
||||||
"Sandbox traced by checking if Sleep() was patched using GetTickCount()",
|
"Sandbox traced by checking if Sleep() was patched using GetTickCount()",
|
||||||
"hi_sandbox_sleep_gettickcount");
|
"hi_sandbox_sleep_gettickcount");
|
||||||
#if __i386__
|
exec_check("Checking if NumberOfProcessors is < 2 via PEB access",
|
||||||
exec_check("Checking if NumberOfProcessors is < 2 via raw access",
|
|
||||||
&gensandbox_one_cpu,
|
&gensandbox_one_cpu,
|
||||||
"Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access",
|
"Sandbox traced by checking if NumberOfProcessors is less than 2 via PEB access",
|
||||||
"hi_sandbox_NumberOfProcessors_less_2_raw");
|
"hi_sandbox_NumberOfProcessors_less_2_PEB");
|
||||||
#endif
|
|
||||||
exec_check("Checking if NumberOfProcessors is < 2 via GetSystemInfo()",
|
exec_check("Checking if NumberOfProcessors is < 2 via GetSystemInfo()",
|
||||||
&gensandbox_one_cpu_GetSystemInfo,
|
&gensandbox_one_cpu_GetSystemInfo,
|
||||||
"Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()",
|
"Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()",
|
||||||
|
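Review bot: The check id changes from `hi_sandbox_NumberOfProcessors_less_2_raw` to `hi_sandbox_NumberOfProcessors_less_2_PEB` and the `#if __i386__` guard is dropped, so on a 64-bit build this check now runs for the first time and anything that keys on the old `_raw` id in pafish's output (log parsers, test expectations; I cannot see any from here) stops matching silently. If that id is part of the output format, either keep the old string or record the rename in the changelog. The enclosing main() starts and ends outside this section.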
@ -69,6 +69,21 @@ int pafish_iswow64() {
|
|||||||
return (fniswow) && (fniswow(GetCurrentProcess(), &result) != 0) ? result : FALSE;
|
return (fniswow) && (fniswow(GetCurrentProcess(), &result) != 0) ? result : FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct _PEB_wine * pafish_get_PEB() {
|
||||||
|
struct _PEB_wine * PEB_ptr;
|
||||||
|
__asm__ volatile (
|
||||||
|
#if __i386__
|
||||||
|
"mov %%fs:0x18, %%eax;"
|
||||||
|
"mov %%ds:0x30(%%eax), %%eax;"
|
||||||
|
#endif
|
||||||
|
#if __x86_64__
|
||||||
|
"mov %%gs:0x30, %%rax;"
|
||||||
|
"mov %%ds:0x60(%%rax), %%rax;"
|
||||||
|
#endif
|
||||||
|
: "=a"(PEB_ptr));
|
||||||
|
return PEB_ptr;
|
||||||
|
}
|
||||||
|
|
||||||
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
|
int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
|
||||||
HKEY regkey;
|
HKEY regkey;
|
||||||
LONG ret;
|
LONG ret;
|
||||||
|
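Review bot: pafish_get_PEB has no comment explaining the two-step walk and no explicit failure mode for other targets: the asm loads the TEB self-pointer (fs:[0x18] on x86, gs:[0x30] on x64) and then TEB.ProcessEnvironmentBlock at +0x30 / +0x60, and for any architecture that is neither the asm string is empty and PEB_ptr is returned uninitialized (in practice the `=a` constraint already fails to compile there, but the intent is not stated). I would add a header comment such as `/* Return the PEB via the TEB self-pointer: fs:[0x18]->+0x30 on x86, gs:[0x30]->+0x60 on x64. GCC/MinGW inline asm only. */` and an `#else` branch with `#error "pafish_get_PEB: unsupported architecture"`. The same pointer is commonly read in one instruction as `mov %%fs:0x30, %%eax` / `mov %%gs:0x60, %%rax` (TEB.ProcessEnvironmentBlock); the walk here is equivalent, but a word on why the longer form was chosen would help the next reader.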
@ -3,6 +3,49 @@
|
|||||||
#define UTILS_H
|
#define UTILS_H
|
||||||
|
|
||||||
#include <wbemidl.h>
|
#include <wbemidl.h>
|
||||||
|
#include <windows.h>
|
||||||
|
#include <winternl.h>
|
||||||
|
|
||||||
|
typedef struct _RTL_BITMAP {
|
||||||
|
ULONG SizeOfBitMap;
|
||||||
|
PULONG Buffer;
|
||||||
|
} RTL_BITMAP, *PRTL_BITMAP;
|
||||||
|
|
||||||
|
/*
|
||||||
|
PEB data structure
|
||||||
|
https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L268
|
||||||
|
*/
|
||||||
|
typedef struct _PEB_wine
|
||||||
|
{ /* win32/win64 */
|
||||||
|
BOOLEAN InheritedAddressSpace; /* 000/000 */
|
||||||
|
BOOLEAN ReadImageFileExecOptions; /* 001/001 */
|
||||||
|
BOOLEAN BeingDebugged; /* 002/002 */
|
||||||
|
BOOLEAN SpareBool; /* 003/003 */
|
||||||
|
HANDLE Mutant; /* 004/008 */
|
||||||
|
HMODULE ImageBaseAddress; /* 008/010 */
|
||||||
|
PPEB_LDR_DATA LdrData; /* 00c/018 */
|
||||||
|
RTL_USER_PROCESS_PARAMETERS *ProcessParameters; /* 010/020 */
|
||||||
|
PVOID SubSystemData; /* 014/028 */
|
||||||
|
HANDLE ProcessHeap; /* 018/030 */
|
||||||
|
PRTL_CRITICAL_SECTION FastPebLock; /* 01c/038 */
|
||||||
|
PVOID /*PPEBLOCKROUTINE*/ FastPebLockRoutine; /* 020/040 */
|
||||||
|
PVOID /*PPEBLOCKROUTINE*/ FastPebUnlockRoutine; /* 024/048 */
|
||||||
|
ULONG EnvironmentUpdateCount; /* 028/050 */
|
||||||
|
PVOID KernelCallbackTable; /* 02c/058 */
|
||||||
|
ULONG Reserved[2]; /* 030/060 */
|
||||||
|
PVOID /*PPEB_FREE_BLOCK*/ FreeList; /* 038/068 */
|
||||||
|
ULONG TlsExpansionCounter; /* 03c/070 */
|
||||||
|
PRTL_BITMAP TlsBitmap; /* 040/078 */
|
||||||
|
ULONG TlsBitmapBits[2]; /* 044/080 */
|
||||||
|
PVOID ReadOnlySharedMemoryBase; /* 04c/088 */
|
||||||
|
PVOID ReadOnlySharedMemoryHeap; /* 050/090 */
|
||||||
|
PVOID *ReadOnlyStaticServerData; /* 054/098 */
|
||||||
|
PVOID AnsiCodePageData; /* 058/0a0 */
|
||||||
|
PVOID OemCodePageData; /* 05c/0a8 */
|
||||||
|
PVOID UnicodeCaseTableData; /* 060/0b0 */
|
||||||
|
ULONG NumberOfProcessors; /* 064/0b8 */
|
||||||
|
ULONG NtGlobalFlag; /* 068/0bc */
|
||||||
|
} PEB_wine, *PPEB_wine;
|
||||||
|
|
||||||
int pafish_disable_wow64_fs_redirection(void * old);
|
int pafish_disable_wow64_fs_redirection(void * old);
|
||||||
|
|
||||||
@ -10,6 +53,8 @@ int pafish_revert_wow64_fs_redirection(void * old);
|
|||||||
|
|
||||||
int pafish_iswow64();
|
int pafish_iswow64();
|
||||||
|
|
||||||
|
struct _PEB_wine * pafish_get_PEB();
|
||||||
|
|
||||||
int pafish_exists_regkey(HKEY hKey, char * regkey);
|
int pafish_exists_regkey(HKEY hKey, char * regkey);
|
||||||
|
|
||||||
int pafish_exists_regkey_value_str(HKEY, char *, char *, char *);
|
int pafish_exists_regkey_value_str(HKEY, char *, char *, char *);
|
||||||
|
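Review bot: The hand-copied _PEB_wine layout is exactly what the new NumberOfProcessors read depends on, yet nothing checks it at compile time; a padding or width slip in any field before it (for instance `ULONG Reserved[2]` versus a pointer-sized member) would shift the field silently and the check would compare garbage. I would pin the offsets the comment column promises with `C_ASSERT(offsetof(PEB_wine, NumberOfProcessors) == (sizeof(void *) == 8 ? 0xb8 : 0x64));` (C_ASSERT from winnt.h, or C11 `_Static_assert`; `#include <stddef.h>` for offsetof). The block comment should also say that only the fields up to NtGlobalFlag are reproduced, so the struct must not be used for sizeof or to reach anything past that member, and which Windows versions the layout was verified against rather than only the Wine commit it was copied from.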