Add pafish_get_PEB to access PEB, adapt for 64-bit support, updated access to NumberOfProcessors via PEB

2021-11-08 13:59:05 +01:00 · 2021-11-08 13:59:05 +01:00 · 6eeda58247
parent d56dea6e23
commit 6eeda58247
4 changed files with 66 additions and 12 deletions
--- a/pafish/gensandbox.c
+++ b/pafish/gensandbox.c
@ -127,13 +127,9 @@ int gensandbox_sleep_patched() {
 }

 int gensandbox_one_cpu() {
-	DWORD NumberOfProcessors = 0;
-	__asm__ volatile (
-			"mov %%fs:0x18, %%eax;"
-			"mov %%ds:0x30(%%eax), %%eax;"
-			"mov %%ds:0x64(%%eax), %%eax;"
-			: "=a"(NumberOfProcessors));
-	return NumberOfProcessors < 2 ? TRUE : FALSE;
+	struct _PEB_wine * PEB;
+	PEB = pafish_get_PEB();
+	return PEB->NumberOfProcessors < 2 ? TRUE : FALSE;
 }

 int gensandbox_one_cpu_GetSystemInfo() {
--- a/pafish/main.c
+++ b/pafish/main.c
@ -172,12 +172,10 @@ int main(void)
 		   &gensandbox_sleep_patched,
 		   "Sandbox traced by checking if Sleep() was patched using GetTickCount()",
 		   "hi_sandbox_sleep_gettickcount");
-#if __i386__
-	exec_check("Checking if NumberOfProcessors is < 2 via raw access",
+	exec_check("Checking if NumberOfProcessors is < 2 via PEB access",
 		   &gensandbox_one_cpu,
-		   "Sandbox traced by checking if NumberOfProcessors is less than 2 via raw access",
-		   "hi_sandbox_NumberOfProcessors_less_2_raw");
-#endif
+		   "Sandbox traced by checking if NumberOfProcessors is less than 2 via PEB access",
+		   "hi_sandbox_NumberOfProcessors_less_2_PEB");
 	exec_check("Checking if NumberOfProcessors is < 2 via GetSystemInfo()",
 		   &gensandbox_one_cpu_GetSystemInfo,
 		   "Sandbox traced by checking if NumberOfProcessors is less than 2 via GetSystemInfo()",
--- a/pafish/utils.c
+++ b/pafish/utils.c
@ -69,6 +69,21 @@ int pafish_iswow64() {
 	return (fniswow) && (fniswow(GetCurrentProcess(), &result) != 0) ? result : FALSE;
 }

+struct _PEB_wine * pafish_get_PEB() {
+	struct _PEB_wine * PEB_ptr;
+	__asm__ volatile (
+#if __i386__
+			"mov %%fs:0x18, %%eax;"
+			"mov %%ds:0x30(%%eax), %%eax;"
+#endif
+#if __x86_64__
+			"mov %%gs:0x30, %%rax;"
+			"mov %%ds:0x60(%%rax), %%rax;"
+#endif
+			: "=a"(PEB_ptr));
+	return PEB_ptr;
+}
+
 int pafish_exists_regkey(HKEY hKey, char * regkey_s) {
 	HKEY regkey;
 	LONG ret;
--- a/pafish/utils.h
+++ b/pafish/utils.h
@ -3,6 +3,49 @@
 #define UTILS_H

 #include <wbemidl.h>
+#include <windows.h>
+#include <winternl.h>
+
+typedef struct _RTL_BITMAP {
+	ULONG SizeOfBitMap;
+	PULONG Buffer;
+} RTL_BITMAP, *PRTL_BITMAP;
+
+/*
+  PEB data structure
+  https://github.com/wine-mirror/wine/blob/1aff1e6a370ee8c0213a0fd4b220d121da8527aa/include/winternl.h#L268
+*/
+typedef struct _PEB_wine
+{                                                                 /* win32/win64 */
+	BOOLEAN                      InheritedAddressSpace;             /* 000/000 */
+	BOOLEAN                      ReadImageFileExecOptions;          /* 001/001 */
+	BOOLEAN                      BeingDebugged;                     /* 002/002 */
+	BOOLEAN                      SpareBool;                         /* 003/003 */
+	HANDLE                       Mutant;                            /* 004/008 */
+	HMODULE                      ImageBaseAddress;                  /* 008/010 */
+	PPEB_LDR_DATA                LdrData;                           /* 00c/018 */
+	RTL_USER_PROCESS_PARAMETERS *ProcessParameters;                 /* 010/020 */
+	PVOID                        SubSystemData;                     /* 014/028 */
+	HANDLE                       ProcessHeap;                       /* 018/030 */
+	PRTL_CRITICAL_SECTION        FastPebLock;                       /* 01c/038 */
+	PVOID /*PPEBLOCKROUTINE*/    FastPebLockRoutine;                /* 020/040 */
+	PVOID /*PPEBLOCKROUTINE*/    FastPebUnlockRoutine;              /* 024/048 */
+	ULONG                        EnvironmentUpdateCount;            /* 028/050 */
+	PVOID                        KernelCallbackTable;               /* 02c/058 */
+	ULONG                        Reserved[2];                       /* 030/060 */
+	PVOID /*PPEB_FREE_BLOCK*/    FreeList;                          /* 038/068 */
+	ULONG                        TlsExpansionCounter;               /* 03c/070 */
+	PRTL_BITMAP                  TlsBitmap;                         /* 040/078 */
+	ULONG                        TlsBitmapBits[2];                  /* 044/080 */
+	PVOID                        ReadOnlySharedMemoryBase;          /* 04c/088 */
+	PVOID                        ReadOnlySharedMemoryHeap;          /* 050/090 */
+	PVOID                       *ReadOnlyStaticServerData;          /* 054/098 */
+	PVOID                        AnsiCodePageData;                  /* 058/0a0 */
+	PVOID                        OemCodePageData;                   /* 05c/0a8 */
+	PVOID                        UnicodeCaseTableData;              /* 060/0b0 */
+	ULONG                        NumberOfProcessors;                /* 064/0b8 */
+	ULONG                        NtGlobalFlag;                      /* 068/0bc */
+} PEB_wine, *PPEB_wine;

 int pafish_disable_wow64_fs_redirection(void * old);

@ -10,6 +53,8 @@ int pafish_revert_wow64_fs_redirection(void * old);

 int pafish_iswow64();

+struct _PEB_wine * pafish_get_PEB();
+
 int pafish_exists_regkey(HKEY hKey, char * regkey);

 int pafish_exists_regkey_value_str(HKEY, char *, char *, char *);