Updated Readme

Vicshann · May 2, 2020 · 9915705 · 9915705
1 parent 80c6649
commit 9915705
Show file tree

Hide file tree

Showing 14 changed files with 117 additions and 122 deletions.
diff --git a/GhostBanner.gif b/GhostBanner.gif
diff --git a/InjectLib/InjectDll.cpp b/InjectLib/InjectDll.cpp
diff --git a/InjectLib/InjectDll.h b/InjectLib/InjectDll.h
@@ -14,15 +14,6 @@
   WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
 */
 
-#include <intrin.h>
-//#include <Windows.h>
-#include "Utils.h"
-#include "UniHook.hpp"
-#include "json.h"
-#include "NtDllEx.hpp"
-#include "CompileTime.hpp"
-#include "InjDllLdr.hpp"
-#include "GhostDbg.hpp"
 #include "..\..\GlobalInjector\GInjer\LoaderCode.h"
 
 //====================================================================================
@@ -34,7 +25,7 @@ void _stdcall LoadConfiguration(void);
 void _stdcall SaveConfiguration(int BinFmt=-1);
 void _stdcall UnInitApplication(void);
 bool _stdcall InitApplication(void);
-int _fastcall DbgUsrReqCallback(ShMem::CMessageIPC::SMsgHdr* Req, PVOID ArgA, UINT ArgB);
+int _fastcall DbgUsrReqCallback(NShMem::CMessageIPC::SMsgHdr* Req, PVOID ArgA, UINT ArgB);
 //------------------------------------------------------------------------------------
 bool _cdecl ProcExpDispBefore(volatile PVOID ArgA, volatile PVOID ArgB, volatile PVOID ArgC, volatile PVOID ArgD, volatile PVOID RetVal);
 bool _cdecl ProcExpDispAfter(volatile PVOID ArgA, volatile PVOID ArgB, volatile PVOID ArgC, volatile PVOID ArgD, volatile PVOID RetVal);

diff --git a/InjectLib/InjectDll.vcxproj b/InjectLib/InjectDll.vcxproj
@@ -359,10 +359,11 @@ copy /Y "$(OutDir)$(TargetName)$(TargetExt)" "$(SolutionDir)BUILD\RELEASE\$(Solu
     <ClCompile Include="InjectDll.cpp" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="..\COMMON\Common.hpp" />
     <ClInclude Include="..\COMMON\CompileTime.hpp" />
-    <ClInclude Include="..\COMMON\FormatPE.h" />
+    <ClInclude Include="..\COMMON\FormatPE.hpp" />
     <ClInclude Include="..\COMMON\GhostDbg.hpp" />
-    <ClInclude Include="..\COMMON\HDE.h" />
+    <ClInclude Include="..\COMMON\HDE.hpp" />
     <ClInclude Include="..\COMMON\InjDllLdr.hpp" />
     <ClInclude Include="..\COMMON\json.h" />
     <ClInclude Include="..\COMMON\MiniString.h" />

diff --git a/InjectLib/InjectDll.vcxproj.filters b/InjectLib/InjectDll.vcxproj.filters
@@ -35,12 +35,6 @@
     <ClInclude Include="..\COMMON\ThirdParty\ntdll\ntdll.h">
       <Filter>Common</Filter>
     </ClInclude>
-    <ClInclude Include="..\COMMON\FormatPE.h">
-      <Filter>Common</Filter>
-    </ClInclude>
-    <ClInclude Include="..\COMMON\HDE.h">
-      <Filter>Common</Filter>
-    </ClInclude>
     <ClInclude Include="..\COMMON\json.h">
       <Filter>Common</Filter>
     </ClInclude>
@@ -68,5 +62,14 @@
     <ClInclude Include="..\COMMON\NtDllEx.hpp">
       <Filter>Common</Filter>
     </ClInclude>
+    <ClInclude Include="..\COMMON\Common.hpp">
+      <Filter>Common</Filter>
+    </ClInclude>
+    <ClInclude Include="..\COMMON\FormatPE.hpp">
+      <Filter>Common</Filter>
+    </ClInclude>
+    <ClInclude Include="..\COMMON\HDE.hpp">
+      <Filter>Common</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>
diff --git a/NOTES.txt b/NOTES.txt
@@ -32,9 +32,9 @@ TODO:
  IPC SRW locks
  Enable Config files
  IDA compatibility
- Fix NativeCreateThread on latest Windows 10
  Fix extreme slowness on Windows XP (Sync problem? Fix for GhostDrv)   // https://communities.vmware.com/thread/466749
  GInjer compatibility (Especially WOW64 debugging)
+ Wait for attach and ignore events until that (GInjer, requires config)
 
 ISSUES:
  Software breakpoints is very dangerous to set if not all threads are suspended on a Debug Event

diff --git a/README.md b/README.md
@@ -0,0 +1,8 @@
+
+
+<img align="center" hspace="20" src="/GhostBanner.gif">
+
+<p align="center">                 
+  <h1 align="center">GhostDbg</h1>
+</p> 
+
diff --git a/README.txt b/README.txt
diff --git a/XDbgPlugin/MainIcon.ico b/XDbgPlugin/MainIcon.ico
diff --git a/XDbgPlugin/Resources.rc b/XDbgPlugin/Resources.rc
@@ -7,6 +7,7 @@ LANGUAGE LANG_ENGLISH, SUBLANG_DEFAULT
 #pragma code_page(1251)
 #endif //_WIN32
 
+1 ICON "MainIcon.ico"
 5 ICON "LogoIcon.ico" 
 MAINICON RCDATA "MainIcon.png"            // ICON
 InjLib RCDATA  INJLIBPATH

diff --git a/XDbgPlugin/XDbgPlugin.cpp b/XDbgPlugin/XDbgPlugin.cpp
@@ -19,16 +19,16 @@
 #pragma comment(linker,"/NODEFAULTLIB")
 
 
-typedef ShMem  SHM;     
-typedef GhDbg  XNI;
+typedef NShMem  SHM;     
+typedef NGhDbg  XNI;
 
 // ---------- SETTINGS ------------------
 bool PLogOnly    = false;       // Just log usage of Debug API  
 bool PEnabled    = false;       // Enable the GhostDbg plugin
 bool AllowInject = true;        // Allow to load inject DLL into a target process(Attach). Else only processes with already injected GhostDbg DLLs will be visible
 bool AllowInjNew = true;        // Allow to load inject DLL into a target process(Create).
 bool SuspendProc = true;        // It is safer to keep a target process suspended while IPC and GhostDbg Client initializing but some timeouts may be detected
-UINT InjFlags    = InjLdr::mfInjMap|InjLdr::mfRunRMTH|InjLdr::mfRawRMTH;
+UINT InjFlags    = NInjLdr::mfInjMap|NInjLdr::mfRunRMTH|NInjLdr::mfRawRMTH;
 UINT WaitForInj  = 3000;
 //---------------------------------------
 
@@ -94,7 +94,7 @@ wchar_t WorkFolder[MAX_PATH];
 
 //===========================================================================
 BOOL APIENTRY DLLMain(HMODULE hModule, DWORD ReasonCall, LPVOID lpReserved) 
-{	
+{	 
  switch (ReasonCall)	    
   {			 
    case DLL_PROCESS_ATTACH:
@@ -110,7 +110,7 @@ BOOL APIENTRY DLLMain(HMODULE hModule, DWORD ReasonCall, LPVOID lpReserved)
      NSTR::StrCopy(CfgFilePath, WorkFolder);
      NSTR::StrCopy(GetFileExt(CfgFilePath), L"ini");
 
-     LoadConfiguration();	
+     LoadConfiguration();   
 	 if(LogMode & lmCons){AllocConsole();/*SetWinConsoleSizes(1000, 500, 1000, 500);*/}
 	 LOGMSG("Starting up... (Time=%016llX), Owner='%ls'", SysTimeToTime64(NNTDLL::GetSystemTime()), &StartUpDir);	
      TrimFilePath(StartUpDir);
@@ -131,7 +131,7 @@ BOOL APIENTRY DLLMain(HMODULE hModule, DWORD ReasonCall, LPVOID lpReserved)
 }
 //====================================================================================
 void _stdcall LoadConfiguration(void)
-{                  
+{   
  LogMode       = INIRefreshValueInt<PWSTR>(CFGSECNAME, L"LogMode",   LogMode,  CfgFilePath);
  PLogOnly      = INIRefreshValueInt<PWSTR>(CFGSECNAME, L"PLogOnly",  PLogOnly, CfgFilePath);
  PEnabled      = INIRefreshValueInt<PWSTR>(CFGSECNAME, L"PEnabled",  PEnabled, CfgFilePath);
@@ -140,12 +140,15 @@ void _stdcall LoadConfiguration(void)
  SuspendProc   = INIRefreshValueInt<PWSTR>(CFGSECNAME, L"SuspendProc",  SuspendProc, CfgFilePath); 
  InjFlags      = INIRefreshValueInt<PWSTR>(CFGSECNAME, L"InjectFlags",  InjFlags, CfgFilePath); 
  WaitForInj    = INIRefreshValueInt<PWSTR>(CFGSECNAME, L"WaitForInj",  WaitForInj, CfgFilePath); 
-
- PVOID pNtDll = GetNtDllBaseFast(); 
+
+ LOGMSG("Initializing...");   
+ PVOID pNtDll = NPEFMT::GetNtDllBaseFast(); 
+ LOGMSG("SystemNtDllBase: %p", pNtDll);   
  NtDllSize = GetRealModuleSize(pNtDll);
  NtDllBase = VirtualAlloc(NULL,NtDllSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE); 
- memcpy(NtDllBase,pNtDll,NtDllSize);
- LOGMSG("Clean copy of NtDll: %p", NtDllBase); 
+ LOGMSG("CopyNtDllBase=%p, NtDllSize=%08X", NtDllBase, NtDllSize);
+ CopyValidModuleMem(pNtDll, NtDllBase, NtDllSize);    // On Win7 x64 some regions of ntdll.dll are in reserved state 
+ LOGMSG("Done"); 
 }
 //------------------------------------------------------------------------------------
 void _stdcall SaveConfiguration(void)
@@ -190,8 +193,8 @@ void _cdecl MenuHandler(CBTYPE Type, PLUG_CB_MENUENTRY *info)
      SaveConfiguration();
     break;      
    case MENU_ID_USERAWTHREADS:
-     if(InjFlags & InjLdr::mfRawRMTH)InjFlags &= ~InjLdr::mfRawRMTH;
-       else InjFlags |= InjLdr::mfRawRMTH;  
+     if(InjFlags & NInjLdr::mfRawRMTH)InjFlags &= ~NInjLdr::mfRawRMTH;
+       else InjFlags |= NInjLdr::mfRawRMTH;  
      SaveConfiguration();
     break;          
    case MENU_ID_ABOUT: 
@@ -274,7 +277,7 @@ extern "C" __declspec(dllexport) void _cdecl plugsetup(PLUG_SETUPSTRUCT* setupSt
  plugin_menuentrysetchecked(PluginHandle,MENU_ID_CHK_CANINJ,AllowInject);
  plugin_menuentrysetchecked(PluginHandle,MENU_ID_CHK_CANINJNEW,AllowInjNew);
  plugin_menuentrysetchecked(PluginHandle,MENU_ID_SUSPPROCESS,SuspendProc);
- plugin_menuentrysetchecked(PluginHandle,MENU_ID_USERAWTHREADS,InjFlags & InjLdr::mfRawRMTH);
+ plugin_menuentrysetchecked(PluginHandle,MENU_ID_USERAWTHREADS,InjFlags & NInjLdr::mfRawRMTH);
 
  ICONDATA ico;
  UINT ResSize = 0;
@@ -418,7 +421,7 @@ int _stdcall InjectProcess(HANDLE hProcess, DWORD ProcessID)
 {
  CArr<BYTE> DllData;
  wchar_t DllPath[MAX_PATH];
- UINT Flags   = InjFlags|InjLdr::mfRawMod|fmCryHdr|fmCryImp|fmCryExp|fmCryRes;    // TODO: Inject method to cfg (Separated)
+ UINT Flags   = InjFlags|NInjLdr::mfRawMod|NPEFMT::fmCryHdr|NPEFMT::fmCryImp|NPEFMT::fmCryExp|NPEFMT::fmCryRes;    // TODO: Inject method to cfg (Separated)
  UINT ResSize = 0;
  PVOID InjLib = NULL;
  NSTR::StrCopy(DllPath, StartUpDir);
@@ -438,7 +441,7 @@ int _stdcall InjectProcess(HANDLE hProcess, DWORD ProcessID)
    else InjLib = GetResource(hInst, "InjLib", RT_RCDATA, &ResSize);
  if(!InjLib || !ResSize){DBGMSG("No InjLib found!"); return -1;}
  bool POpened = (hProcess == NULL);
- if(POpened)hProcess = InjLdr::OpenRemoteProcess(ProcessID, Flags, SuspendProc);   
+ if(POpened)hProcess = NInjLdr::OpenRemoteProcess(ProcessID, Flags, SuspendProc);   
  if(!hProcess)return -2; 
  if(SuspendProc)
   {
@@ -450,8 +453,8 @@ int _stdcall InjectProcess(HANDLE hProcess, DWORD ProcessID)
     }
      else hLstProc = hProcess;
   } 
- if(!POpened && NNTDLL::IsWinXPOrOlder())Flags &= ~InjLdr::mfRawRMTH;    // On Windows XP this Csr unfriendly thread will catch a process initialization APC!  // A DebugApi remote thread will also catch this APC and DebugApi threas is also not registered with Csr   // On latest Win10 raw threads can`t be injected in notepad.exe (Access Denied)
- int res = InjLdr::InjModuleIntoProcessAndExec(hProcess, InjLib, ResSize, Flags|InjLdr::mfResSyscall, 3, NULL, NULL, NtDllBase, 0x10000);   // mfResSyscall is required to avoid self interception    // Only .text(Data merged), .bss and .rdata 
+ if(!POpened && NNTDLL::IsWinXPOrOlder())Flags &= ~NInjLdr::mfRawRMTH;    // On Windows XP this Csr unfriendly thread will catch a process initialization APC!  // A DebugApi remote thread will also catch this APC and DebugApi threas is also not registered with Csr   // On latest Win10 raw threads can`t be injected in notepad.exe (Access Denied)
+ int res = NInjLdr::InjModuleIntoProcessAndExec(hProcess, InjLib, ResSize, Flags|NInjLdr::mfResSyscall, 3, NULL, NULL, NtDllBase, 0x10000);   // mfResSyscall is required to avoid self interception    // Only .text(Data merged), .bss and .rdata 
  if(POpened && !SuspendProc)CloseHandle(hProcess);     // Close after OpenRemoteProcess
  if(res < 0){DBGMSG("InjModuleIntoProcessAndExec failed with %i",res); if(SuspendProc)NtResumeProcess(hProcess); return -3;}    // Cannot terminate without a specific permission
  for(int ctr=WaitForInj;ctr > 0;ctr-=100)

diff --git a/XDbgPlugin/XDbgPlugin.h b/XDbgPlugin/XDbgPlugin.h
@@ -14,12 +14,7 @@
   WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
 */ 
 
-#include <intrin.h>
-#include "Utils.h"
-#include "UniHook.hpp"
-#include "NtDllEx.hpp"
-#include "GhostDbg.hpp"
-#include "InjDllLdr.hpp"
+#include "Common.hpp"
 
 //====================================================================================
 #define CFGSECNAME L"Parameters"

diff --git a/XDbgPlugin/XDbgPlugin.vcxproj b/XDbgPlugin/XDbgPlugin.vcxproj
@@ -352,8 +352,9 @@ copy /Y "$(OutDir)$(TargetName)$(TargetExt)" "$(SolutionDir)BUILD\RELEASE\$(Solu
     <ClCompile Include="XDbgPlugin.cpp" />
   </ItemGroup>
   <ItemGroup>
-    <ClInclude Include="..\COMMON\FormatPE.h" />
-    <ClInclude Include="..\COMMON\HDE.h" />
+    <ClInclude Include="..\COMMON\Common.hpp" />
+    <ClInclude Include="..\COMMON\FormatPE.hpp" />
+    <ClInclude Include="..\COMMON\HDE.hpp" />
     <ClInclude Include="..\COMMON\InjDllLdr.hpp" />
     <ClInclude Include="..\COMMON\NtDllEx.hpp" />
     <ClInclude Include="..\COMMON\ShMemIPC.hpp" />

diff --git a/XDbgPlugin/XDbgPlugin.vcxproj.filters b/XDbgPlugin/XDbgPlugin.vcxproj.filters
@@ -35,18 +35,12 @@
     <ClInclude Include="..\COMMON\ThirdParty\ntdll\ntdll.h">
       <Filter>Common</Filter>
     </ClInclude>
-    <ClInclude Include="..\COMMON\FormatPE.h">
-      <Filter>Common</Filter>
-    </ClInclude>
     <ClInclude Include="..\COMMON\ShMemIPC.hpp">
       <Filter>Common</Filter>
     </ClInclude>
     <ClInclude Include="..\COMMON\Utils.h">
       <Filter>Common</Filter>
     </ClInclude>
-    <ClInclude Include="..\COMMON\HDE.h">
-      <Filter>Common</Filter>
-    </ClInclude>
     <ClInclude Include="..\COMMON\InjDllLdr.hpp">
       <Filter>Common</Filter>
     </ClInclude>
@@ -59,6 +53,15 @@
     <ClInclude Include="..\COMMON\NtDllEx.hpp">
       <Filter>Common</Filter>
     </ClInclude>
+    <ClInclude Include="..\COMMON\Common.hpp">
+      <Filter>Common</Filter>
+    </ClInclude>
+    <ClInclude Include="..\COMMON\FormatPE.hpp">
+      <Filter>Common</Filter>
+    </ClInclude>
+    <ClInclude Include="..\COMMON\HDE.hpp">
+      <Filter>Common</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="Resources.rc">