Update Loader for 2.22 Prof v9+

Author: dedmen

src/host/loader/MemorySection.cpp

@@ -0,0 +1,42 @@
+#include "loader.hpp"
+
+#if _WIN32 || _WIN64
+#include <Psapi.h>
+#include <DbgHelp.h>
+#endif  // _WIN32 || _WIN64
+
+
+#include "MemorySection.hpp"
+
+#if _WIN32 || _WIN64
+MemorySections::MemorySections() {
+    MODULEINFO modInfo = {nullptr};
+    HMODULE hModule = GetModuleHandleA(nullptr);
+    GetModuleInformation(GetCurrentProcess(), hModule, &modInfo, sizeof(MODULEINFO));
+    const uintptr_t baseAddress = reinterpret_cast<uintptr_t>(modInfo.lpBaseOfDll);
+    const uintptr_t moduleSize = static_cast<uintptr_t>(modInfo.SizeOfImage);
+    //sections.push_back(MemorySection(modInfo));
+
+    auto dosHdr = (PIMAGE_DOS_HEADER)baseAddress;
+    auto NtHeader = (PIMAGE_NT_HEADERS)(baseAddress + dosHdr->e_lfanew);
+    WORD NumSections = NtHeader->FileHeader.NumberOfSections;
+    PIMAGE_SECTION_HEADER Section = IMAGE_FIRST_SECTION(NtHeader);
+    for (WORD i = 0; i < NumSections; i++)
+    {
+
+        MemorySection sec(baseAddress + Section->VirtualAddress, baseAddress + Section->VirtualAddress + Section->SizeOfRawData);
+        if (Section->Characteristics & IMAGE_SCN_MEM_READ)
+            sec.access = MemorySection::SectionAccess(sec.access | MemorySection::SectionAccess::R);
+        if (Section->Characteristics & IMAGE_SCN_MEM_WRITE)
+            sec.access = MemorySection::SectionAccess(sec.access | MemorySection::SectionAccess::W);
+        if (Section->Characteristics & IMAGE_SCN_MEM_EXECUTE)
+            sec.access = MemorySection::SectionAccess(sec.access | MemorySection::SectionAccess::X);
+
+        sections.emplace_back(sec);
+
+        printf("%-8s\t%x\t%x\t%x\n", Section->Name, Section->VirtualAddress,
+               Section->PointerToRawData, Section->SizeOfRawData);
+        Section++;
+    }
+}
+#endif  // _WIN32 || _WIN64

src/host/loader/MemorySection.hpp

@@ -1,7 +1,7 @@
 #pragma once
 
 
-    class MemorySection {
+class MemorySection {
 public:
 #if _WIN32 || _WIN64
     explicit MemorySection(const MODULEINFO& modInfo) noexcept : start(reinterpret_cast<uintptr_t>(modInfo.lpBaseOfDll)),
@@ -10,6 +10,16 @@
     MemorySection(uintptr_t _start, uintptr_t _end) noexcept : start(_start), end(_end) {}
     uintptr_t start;
     uintptr_t end;
+
+    enum SectionAccess
+    {
+        R = 1,
+        W = 2,
+        X = 4
+    };
+
+    SectionAccess access {SectionAccess(0)};
+
     inline size_t size() const {
         return end - start;
     }
@@ -56,14 +66,7 @@ class MemorySections {
 
 public:
 #if _WIN32 || _WIN64
-    MemorySections() {
-        MODULEINFO modInfo = {nullptr};
-        HMODULE hModule = GetModuleHandleA(nullptr);
-        GetModuleInformation(GetCurrentProcess(), hModule, &modInfo, sizeof(MODULEINFO));
-        const uintptr_t baseAddress = reinterpret_cast<uintptr_t>(modInfo.lpBaseOfDll);
-        const uintptr_t moduleSize = static_cast<uintptr_t>(modInfo.SizeOfImage);
-        sections.push_back(MemorySection(modInfo));
-    }
+    MemorySections();
 #endif  // _WIN32 || _WIN64
 #ifdef __linux__
     MemorySections(const char* path = "/proc/self/maps") {
@@ -127,10 +130,14 @@ class MemorySections {
     }
 
     bool IsInAnySection(uintptr_t address) const {
+        return GetSectionByAddress(address).has_value();
+    }
+
+    std::optional<MemorySection> GetSectionByAddress(uintptr_t address) const {
         for (const auto& section : sections) {
             if (section.start < address && address < section.end)
-                return true;
+                return section;
         }
-        return false;
+        return std::nullopt;
     }
 };

src/host/loader/loader.cpp

@@ -99,24 +99,24 @@ namespace intercept {
         return p->is_valid();
     }
 
-    static const char* getRTTIName(uintptr_t vtable) {
+    static const char* getRTTIName(uintptr_t classInstanceWithVtablePtr) {
         class v1 {
             virtual void doStuff() {}
         };
         class v2 : public v1 {
             virtual void doStuff() {}
         };
 
-        if (IsBadReadPtr(*(void**)vtable, sizeof(uintptr_t)))
+        if (IsBadReadPtr(*(void**)classInstanceWithVtablePtr, sizeof(uintptr_t)))
         {
             return "";
         }
 
 
-        v2* v = (v2*)vtable;
+        v2* v = (v2*)classInstanceWithVtablePtr;
         try {
             // Validate that we have a RTTI enabled type
-            if (!*reinterpret_cast<uintptr_t*>(vtable))  // vtable points to nothing, if it were a vtable there would be a function pointer there
+            if (!*reinterpret_cast<uintptr_t*>(classInstanceWithVtablePtr))  // vtable points to nothing, if it were a vtable there would be a function pointer there
                 return "";
 
             auto& typex = typeid(*v);
@@ -153,7 +153,54 @@ namespace intercept {
         auto future_allocatorVtablePtr = std::async(std::launch::deferred, [&memorySections, fut_stringOffset = std::move(future_stringOffset)]() mutable -> uintptr_t {
             uintptr_t stringOffset = fut_stringOffset.get();
 #ifndef __linux__
-            return (memorySections.findInMemory(reinterpret_cast<char*>(&stringOffset), sizeof(uintptr_t)) - sizeof(uintptr_t));
+
+
+
+            // stringOffset = char[] tbb4malloc
+            // Find next pointer
+            while (
+                ((*(uintptr_t*)stringOffset) & 0xFFF0000000000000) != 0      // Bad address
+                || ((*(uintptr_t*)stringOffset) & ~0xFFF0000000000000) == 0  // Not an address (align)
+            )
+                stringOffset += sizeof(uintptr_t);
+
+            // Should be RTTI locator, followed by vtable
+
+            // #TODO vtable first entry points to .text section
+            // The pointer above vtable, is the RTTI locator in .rdata, wóuld be easy if we had the sections seperately listed.
+
+            // We are looking for read-only followed by RX
+
+
+            auto IsValidVtableWithRTTI = [&memorySections](uintptr_t vtable) {
+                // First pointer is in .text, RX the first vtable function/destructor
+                // Previous pointer is .rdata, R the RTTI Locator
+
+                // Precondition, vtable is valid read ptr
+
+                auto funcPtr = memorySections.GetSectionByAddress(*(uintptr_t*)vtable);
+                auto locatorPtr = memorySections.GetSectionByAddress(*(uintptr_t*)(vtable - sizeof(uintptr_t)));
+
+                if (!funcPtr || !locatorPtr)
+                    return false;
+
+                if (!(funcPtr->access & MemorySection::SectionAccess::X))  // X must be
+                    return false;
+                if ((locatorPtr->access & ~MemorySection::SectionAccess::R))  // WX must not be
+                    return false;
+
+                return true;
+            };
+
+            while (!IsValidVtableWithRTTI(stringOffset))
+            {
+                stringOffset += sizeof(uintptr_t);
+            }
+
+            // We now have _a_ vtable, lets hope that's it.
+
+
+            return stringOffset;
 #elif _LINUX64
                 bool oldCompiler = *reinterpret_cast<uintptr_t*>(stringOffset - 8) == stringOffset;
 
@@ -193,6 +240,11 @@ namespace intercept {
                 }
             }
 
+            if (!result)
+            {
+                result = memorySections.findInMemoryPattern("\x48\x89\x5C\x24\x00\x48\x89\x74\x24\x00\x57\x48\x83\xEC\x20\xFF\x41\x00\x33\xF6\x48\x8B\x41\x00\x48\x8B\xD9\x48\x3B\xC1\x74\x00\x48\x85\xC0\x74\x00\x48\x83\xC0\xE0\x0F\x85\x00\x00\x00\x00\x48\x8B\x41\x00\x48\x8D\x79\x00\x48\x3B\xC7\x74\x00\x48\x85\xC0\x74\x00\x48\x83\xC0\xE0\x0F\x85\x00\x00\x00\x00\x48\x63\x51\x00\x48\x8B\x0D\x00\x00\x00\x00\x4C\x8B\xC2\x48\x8B\x01\xFF\x50\x00\x4C\x8B\xC0\x48\x85\xC0\x0F\x84\x00\x00\x00\x00\x48\x89\x70\x00\x48\x8D\x50\x00\x48\x89\x70\x00\x48\x85\xC0\x89\x30\x48\x0F\x44\xD6\x89\x70\x00\x48\x89\x58\x00\x48\x8B\x47\x00\x48\x89\x10\x48\x8B\x47\x00\x49\x89\x40\x00\x49\x89\x78\x00\xFF\x47\x00\x48\x89\x57\x00\x44\x8B\x4B\x00\x8B\x53\x00\x41\xFF\xC9\x4C\x63\x53\x00\x44\x0F\xAF\xCA\x49\x83\xC2\x30\x4D\x03\xD0\x49\x8B\xCA\x4D\x03\xCA\x4D\x3B\xD1\x73\x00\x66\x66\x66\x0F\x1F\x84\x00\x00\x00\x00\x00\x8B\xC2\x48\x03\xC1", "xxxx?xxxx?xxxxxxx?xxxxx?xxxxxxx?xxxx?xxxxxx????xxx?xxx?xxxx?xxxx?xxxxxx????xxx?xxx????xxxxxxxx?xxxxxxxx????xxx?xxx?xxx?xxxxxxxxxxx?xxx?xxx?xxxxxx?xxx?xxx?xx?xxx?xxx?xx?xxxxxx?xxxxxxxxxxxxxxxxxxxxx?xxxxxxx????xxxxx");
+            }
+
             return result;
         });
         auto future_poolFuncDealloc = std::async([&]() {
@@ -330,47 +382,21 @@ namespace intercept {
         const char* test = getRTTIName((uintptr_t)(&allocatorVtablePtr));
         assert(strcmp(test, "12MemFunctions") == 0);
 #else
-        const char* test = getRTTIName(allocatorVtablePtr);
-        bool vc143Allocator = false;
+        const char* test = getRTTIName((uintptr_t)(&allocatorVtablePtr));
+        constexpr bool vc143Allocator = true;
         if (strlen(test) == 0 || strcmp(test, ".?AVMemTableFunctions@@") != 0) {
-            allocatorVtablePtr -= 0x4B8;  // vc143 build
-            test = getRTTIName(allocatorVtablePtr);
-
-            if (strlen(test) == 0 || strcmp(test, ".?AVMemTableFunctions@@") != 0) {
-                // Okey... Lets go nuts.
-                allocatorVtablePtr -= 0x200;
-
-                auto canBeVtable = [&memorySections](uintptr_t value) {
-
-                    if (!memorySections.IsInAnySection(value))
-                        return false;
-
-                    for (size_t i = 0; i < 8; ++i) {
-                        // check if plausible that its a vtable
-                        uintptr_t funcAddress = *reinterpret_cast<uintptr_t*>(value + i*8);
-
-                        if (!memorySections.IsInAnySection(funcAddress))
-                            return false;
-                    }
-                    return true;
-                };
+            LOG(ERROR, "Loader failed on main allocator");
+            return false;
+        }
 
-                for (size_t i = allocatorVtablePtr; i < allocatorVtablePtr + 0x800; i+=8) {
-                    uintptr_t value = *reinterpret_cast<uintptr_t *>(i);
+        // Okey we have pointer to vtable, but we want pointer to class instance, find it
 
-                    if (!canBeVtable(value))
-                        continue;
+        allocatorVtablePtr = memorySections.findInMemory(reinterpret_cast<char*>(&allocatorVtablePtr), sizeof(uintptr_t));
 
-                    test = getRTTIName(i);
-                    if (strcmp(test, ".?AVMemTableFunctions@@") == 0)
-                    {
-                        allocatorVtablePtr = i;
-                        break;
-                    }
-                }
-            }
-
-            vc143Allocator = true;
+        test = getRTTIName(allocatorVtablePtr);
+        if (strlen(test) == 0 || strcmp(test, ".?AVMemTableFunctions@@") != 0) {
+            LOG(ERROR, "Loader failed on main allocator");
+            return false;
         }
 
         assert(strcmp(test, ".?AVMemTableFunctions@@") == 0);