bug fix

VeroFess · Jan 29, 2023 · 671ace4 · 671ace4
1 parent fea4c5b
commit 671ace4
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 56 deletions.
diff --git a/SbieHide/APIHook.cpp b/SbieHide/APIHook.cpp
@@ -60,6 +60,11 @@ NTSTATUS NTAPI NtQueryObjectProxy(_In_opt_ HANDLE Handle, _In_ OBJECT_INFORMATIO
             return Status;
         }
 
+        if (ObjectName.Length < 7) {
+            RtlFreeUnicodeString(&ObjectName);
+            return Status;
+        }
+
         if ((wcsstr(ObjectName.Buffer, L"SBIEDLL") != 0) || (wcsstr(ObjectName.Buffer, L"SBIEHIDE") != 0)) {
             RtlZeroMemory(reinterpret_cast<POBJECT_NAME_INFORMATION>(ObjectInformation)->Name.Buffer, reinterpret_cast<POBJECT_NAME_INFORMATION>(ObjectInformation)->Name.MaximumLength);
             reinterpret_cast<POBJECT_NAME_INFORMATION>(ObjectInformation)->Name.Length = 0;
@@ -100,6 +105,11 @@ NTSTATUS NTAPI NtQueryInformationFileProxy(_In_ HANDLE FileHandle, _Out_ PIO_STA
                 return Status;
             }
 
+            if (UpperFileName.Length < 7) {
+                RtlFreeUnicodeString(&UpperFileName);
+                return Status;
+            }
+
             if ((wcsstr(UpperFileName.Buffer, L"SBIEDLL") != 0) || (wcsstr(UpperFileName.Buffer, L"SBIEHIDE") != 0)) {
                 RtlZeroMemory(FileInformation, Length);
                 RtlFreeUnicodeString(&UpperFileName);
@@ -127,6 +137,11 @@ NTSTATUS NTAPI NtQueryInformationFileProxy(_In_ HANDLE FileHandle, _Out_ PIO_STA
                 return Status;
             }
 
+            if (UpperFileName.Length < 7) {
+                RtlFreeUnicodeString(&UpperFileName);
+                return Status;
+            }
+
             if ((wcsstr(UpperFileName.Buffer, L"SBIEDLL") != 0) || (wcsstr(UpperFileName.Buffer, L"SBIEHIDE") != 0)) {
                 RtlZeroMemory(FileInformation, Length);
                 RtlFreeUnicodeString(&UpperFileName);

diff --git a/SbieHide/HideFromPEB.cpp b/SbieHide/HideFromPEB.cpp
@@ -1,6 +1,8 @@
 #include "HideFromPEB.h"
 #include "MemoryImageHideInformation.h"
 
+#include <stdio.h>
+
 VOID EraseModuleNameFromPeb() {
     PPEB                  ProcessEnvironmentBlock = nullptr;
     PLIST_ENTRY           FirstEntry              = nullptr;
@@ -18,57 +20,33 @@ VOID EraseModuleNameFromPeb() {
         CurrentEntryData = CONTAINING_RECORD(reinterpret_cast<PLDR_DATA_TABLE_ENTRY>(CurrentEntry), LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
 
         if (IsAddressShouldHide(CurrentEntryData->DllBase)) {
+            if (FirstEntry == CurrentEntry) {
+                FirstEntry = CurrentEntry->Flink;
+            }
+
             NextEntry                                = CurrentEntry->Flink;
             CurrentEntryData->HashLinks.Blink->Flink = CurrentEntryData->HashLinks.Flink;
             CurrentEntryData->HashLinks.Flink->Blink = CurrentEntryData->HashLinks.Blink;
-            CurrentEntry->Blink->Flink               = CurrentEntry->Flink;
-            CurrentEntry->Flink->Blink               = CurrentEntry->Blink;
-
-            RtlZeroMemory(CurrentEntryData->BaseDllName.Buffer, CurrentEntryData->BaseDllName.MaximumLength);
-            RtlZeroMemory(CurrentEntryData->FullDllName.Buffer, CurrentEntryData->FullDllName.MaximumLength);
-            RtlZeroMemory(CurrentEntryData, sizeof(PLDR_DATA_TABLE_ENTRY));
-
-            CurrentEntry = NextEntry;
-            continue;
-        }
-
-        CurrentEntry = CurrentEntry->Flink;
-    }
-
-    FirstEntry = CurrentEntry = ProcessEnvironmentBlock->Ldr->InMemoryOrderModuleList.Flink;
-
-    while (CurrentEntry->Flink != FirstEntry) {
-        CurrentEntryData = CONTAINING_RECORD(reinterpret_cast<PLDR_DATA_TABLE_ENTRY>(CurrentEntry), LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
-
-        if (IsAddressShouldHide(CurrentEntryData->DllBase)) {
-            NextEntry                  = CurrentEntry->Flink;
-            CurrentEntry->Blink->Flink = CurrentEntry->Flink;
-            CurrentEntry->Flink->Blink = CurrentEntry->Blink;
-
-            RtlZeroMemory(CurrentEntryData->BaseDllName.Buffer, CurrentEntryData->BaseDllName.MaximumLength);
-            RtlZeroMemory(CurrentEntryData->FullDllName.Buffer, CurrentEntryData->FullDllName.MaximumLength);
-            RtlZeroMemory(CurrentEntryData, sizeof(PLDR_DATA_TABLE_ENTRY));
-
-            CurrentEntry = NextEntry;
-            continue;
-        }
 
-        CurrentEntry = CurrentEntry->Flink;
-    }
+            CurrentEntryData->InLoadOrderLinks.Blink->Flink = CurrentEntryData->InLoadOrderLinks.Flink;
+            CurrentEntryData->InLoadOrderLinks.Flink->Blink = CurrentEntryData->InLoadOrderLinks.Blink;
 
-    FirstEntry = CurrentEntry = ProcessEnvironmentBlock->Ldr->InInitializationOrderModuleList.Flink;
+            CurrentEntryData->InMemoryOrderLinks.Blink->Flink = CurrentEntryData->InMemoryOrderLinks.Flink;
+            CurrentEntryData->InMemoryOrderLinks.Flink->Blink = CurrentEntryData->InMemoryOrderLinks.Blink;
 
-    while (CurrentEntry->Flink != FirstEntry) {
-        CurrentEntryData = CONTAINING_RECORD(reinterpret_cast<PLDR_DATA_TABLE_ENTRY>(CurrentEntry), LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks);
+            CurrentEntryData->InInitializationOrderLinks.Blink->Flink = CurrentEntryData->InInitializationOrderLinks.Flink;
+            CurrentEntryData->InInitializationOrderLinks.Flink->Blink = CurrentEntryData->InInitializationOrderLinks.Blink;
 
-        if (IsAddressShouldHide(CurrentEntryData->DllBase)) {
-            NextEntry                  = CurrentEntry->Flink;
-            CurrentEntry->Blink->Flink = CurrentEntry->Flink;
-            CurrentEntry->Flink->Blink = CurrentEntry->Blink;
+            CurrentEntryData->NodeModuleLink.Blink->Flink = CurrentEntryData->NodeModuleLink.Flink;
+            CurrentEntryData->NodeModuleLink.Flink->Blink = CurrentEntryData->NodeModuleLink.Blink;
 
             RtlZeroMemory(CurrentEntryData->BaseDllName.Buffer, CurrentEntryData->BaseDllName.MaximumLength);
             RtlZeroMemory(CurrentEntryData->FullDllName.Buffer, CurrentEntryData->FullDllName.MaximumLength);
-            RtlZeroMemory(CurrentEntryData, sizeof(PLDR_DATA_TABLE_ENTRY));
+            #ifdef _WIN64
+                        RtlZeroMemory(CurrentEntryData, 136);
+            #else
+                        RtlZeroMemory(CurrentEntryData, 72);
+            #endif
 
             CurrentEntry = NextEntry;
             continue;

diff --git a/SbieHide/LibEntry.cpp b/SbieHide/LibEntry.cpp
@@ -12,7 +12,7 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
         InitMemoryImageHideInformation();
 
 		EraseModuleNameFromPeb();
-
+        EraseModuleNameFromPeb();
 		EnableApiHook();
 		break;
 	case DLL_THREAD_ATTACH:

diff --git a/SbieHide/MemoryImageHideInformation.cpp b/SbieHide/MemoryImageHideInformation.cpp
@@ -17,7 +17,7 @@ BOOLEAN InitMemoryImageHideInformation() {
 
     while (reinterpret_cast<PLDR_DATA_TABLE_ENTRY>(CONTAINING_RECORD(CurrentEntry->InMemoryOrderLinks.Flink, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)) != FirstEntry) {
 
-        if (_wcsnicmp(CurrentEntry->BaseDllName.Buffer, L"sbiedll.dll", CurrentEntry->BaseDllName.Length) == 0) {
+        if (_wcsnicmp(CurrentEntry->BaseDllName.Buffer, L"sbiedll.dll", CurrentEntry->BaseDllName.Length) == 0 || _wcsnicmp(CurrentEntry->BaseDllName.Buffer, L"sbiedll", CurrentEntry->BaseDllName.Length) == 0) {
             MemoryImageHideInformationList.push_back(MemoryImageHideInformation(reinterpret_cast<ULONG_PTR>(CurrentEntry->DllBase), reinterpret_cast<ULONG_PTR>(CurrentEntry->DllBase) + CurrentEntry->SizeOfImage));
             IsSandboxieModuleFound = TRUE;
         }

diff --git a/SbieHide/SbieHide.vcxproj b/SbieHide/SbieHide.vcxproj
@@ -89,7 +89,7 @@
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>true</IntrinsicFunctions>
       <SDLCheck>true</SDLCheck>
-      <PreprocessorDefinitions>WIN32;NDEBUG;SBIEHIDE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;SBIEHIDE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
     </ClCompile>
@@ -120,7 +120,7 @@
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>true</IntrinsicFunctions>
       <SDLCheck>true</SDLCheck>
-      <PreprocessorDefinitions>NDEBUG;SBIEHIDE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;NDEBUG;SBIEHIDE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
     </ClCompile>

diff --git a/SbieTestConsole/ConsoleEntry.cpp b/SbieTestConsole/ConsoleEntry.cpp
@@ -51,7 +51,7 @@ VOID CheckSandboxieByQueryVirtualMemoryMappedFilename() {
         return;
     }
 
-    Status = NtQueryVirtualMemory(NtCurrentProcess(), GetModuleHandleA("sbiehide.dll"), MemoryMappedFilenameInformation, NameBuffer, 0x1000, &ReturnedLength);
+    Status = NtQueryVirtualMemory(NtCurrentProcess(), GetModuleHandleA("sbiehide.dll") + 100, MemoryMappedFilenameInformation, NameBuffer, 0x1000, &ReturnedLength);
 
     if (Status != STATUS_ACCESS_DENIED) {
         printf("Sbiedll found! check hook\n");

diff --git a/SbieTestConsole/SbieTestConsole.vcxproj b/SbieTestConsole/SbieTestConsole.vcxproj
@@ -88,8 +88,9 @@
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>true</IntrinsicFunctions>
       <SDLCheck>true</SDLCheck>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -116,8 +117,9 @@
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <IntrinsicFunctions>true</IntrinsicFunctions>
       <SDLCheck>true</SDLCheck>
-      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>_CRT_SECURE_NO_WARNINGS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -128,11 +130,9 @@
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="ConsoleEntry.cpp" />
-    <ClCompile Include="Process.cpp" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="MINT.h" />
-    <ClInclude Include="Process.h" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">

diff --git a/SbieTestConsole/SbieTestConsole.vcxproj.filters b/SbieTestConsole/SbieTestConsole.vcxproj.filters
@@ -18,16 +18,10 @@
     <ClCompile Include="ConsoleEntry.cpp">
       <Filter>源文件</Filter>
     </ClCompile>
-    <ClCompile Include="Process.cpp">
-      <Filter>源文件</Filter>
-    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="MINT.h">
       <Filter>头文件</Filter>
     </ClInclude>
-    <ClInclude Include="Process.h">
-      <Filter>头文件</Filter>
-    </ClInclude>
   </ItemGroup>
 </Project>