should fix #3

codewhitesec · Oct 16, 2021 · f5368d1 · f5368d1
1 parent 7ad632c
commit f5368d1
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 13 deletions.
diff --git a/src/APIResolve.h b/src/APIResolve.h
@@ -461,10 +461,10 @@ typedef int(WINAPI* STRCMPW)(PCWSTR, PCWSTR);
 
 // ----  Api-ms-win-core-version-l1-1-0.dll
 #define CRYPTED_HASH_API_MS_WIN_CORE_DLL 0xf5ce0ebb
-#define CRYPTED_HASH_GETFILEVERSIONINFOSIZEW 0x504105cd
-#define CRYPTED_HASH_GETFILEVERSIONINFOW 0x9436ba2a
+#define CRYPTED_HASH_GETFILEVERSIONINFOSIZEEXW 0x1fac9342
+#define CRYPTED_HASH_GETFILEVERSIONINFOEXW 0x47da936f
 #define CRYPTED_HASH_VERQUERYVALUEW 0x3927db18
 
-typedef DWORD(WINAPI* GETFILEVERSIONINFOSIZEW)(LPCWSTR, LPDWORD);
-typedef BOOL(WINAPI* GETFILEVERSIONINFOW)(LPCWSTR, DWORD, DWORD, LPVOID);
+typedef DWORD(WINAPI* GETFILEVERSIONINFOSIZEEXW)(DWORD, LPCWSTR, LPDWORD);
+typedef BOOL(WINAPI* GETFILEVERSIONINFOEXW)(DWORD, LPCWSTR, DWORD, DWORD, LPVOID);
 typedef BOOL(WINAPI* VERQUERYVALUEW)(LPVOID, LPCWSTR, LPVOID, PUINT);
diff --git a/src/ApiResolve.c b/src/ApiResolve.c
@@ -199,6 +199,9 @@ getDllBase(unsigned long crypted_dll_hash) {
 		if (dll_name->pBuffer == NULL)
 			return FAIL;
 
+		if ((uint64_t)dll_name->pBuffer == 0x400)
+			continue;
+
 		if (unicode_djb2(toLower(dll_name->pBuffer)) == xor_hash(crypted_dll_hash))
 			return (uint64_t)ptr_module_entry->DllBase;
 
@@ -261,4 +264,4 @@ toLower(WCHAR* str)
 
 	return start;
 
-}
+}
diff --git a/src/DumpTools.c b/src/DumpTools.c
@@ -319,10 +319,10 @@ static void fetch_module_versioninfo(LPCWSTR filename, VS_FIXEDFILEINFO* ffi, st
         *((uint8_t*)(ffi) + i) = 0x00;
     }
 
-    if ((sz = function_ptrs->_GetFileVersionInfoSizeW(filename, &handle)))
+    if ((sz = function_ptrs->_GetFileVersionInfoSizeExW(0x1, filename, &handle)))
     {
         void* info = function_ptrs->_HeapAlloc(function_ptrs->_GetProcessHeap(), 0, sz);
-        if (info && function_ptrs->_GetFileVersionInfoW(filename, handle, sz, info))
+        if (info && function_ptrs->_GetFileVersionInfoExW(0x1, filename, handle, sz, info))
         {
             VS_FIXEDFILEINFO* ptr;
             UINT    len;

diff --git a/src/Misc.c b/src/Misc.c
@@ -62,8 +62,8 @@ DWORD resolveFptrs(struct fPtrs* ptrs) {
     ptrs->_GetProcAddress = (GETPROCADDRESS)getFunctionPtr(CRYPTED_HASH_KERNEL32, CRYPTED_HASH_GETPROCADDRESS);
     ptrs->_VirtualQueryEx = (VIRTUALQUERYEX)getFunctionPtr(CRYPTED_HASH_KERNEL32, CRYPTED_HASH_VIRTUALQUERYEX);
     ptrs->_SetFilePointerEx = (SETFILEPOINTEREX)getFunctionPtr(CRYPTED_HASH_KERNEL32, CRYPTED_HASH_SETFILEPOINTEREX);
-    ptrs->_GetFileVersionInfoSizeW = (GETFILEVERSIONINFOSIZEW)getFunctionPtr(CRYPTED_HASH_API_MS_WIN_CORE_DLL, CRYPTED_HASH_GETFILEVERSIONINFOSIZEW);
-    ptrs->_GetFileVersionInfoW = (GETFILEVERSIONINFOW)getFunctionPtr(CRYPTED_HASH_API_MS_WIN_CORE_DLL, CRYPTED_HASH_GETFILEVERSIONINFOW);
+    ptrs->_GetFileVersionInfoSizeExW = (GETFILEVERSIONINFOSIZEEXW)getFunctionPtr(CRYPTED_HASH_API_MS_WIN_CORE_DLL, CRYPTED_HASH_GETFILEVERSIONINFOSIZEEXW);
+    ptrs->_GetFileVersionInfoExW = (GETFILEVERSIONINFOEXW)getFunctionPtr(CRYPTED_HASH_API_MS_WIN_CORE_DLL, CRYPTED_HASH_GETFILEVERSIONINFOEXW);
     ptrs->_VerQueryValueW = (VERQUERYVALUEW)getFunctionPtr(CRYPTED_HASH_API_MS_WIN_CORE_DLL, CRYPTED_HASH_VERQUERYVALUEW);
     ptrs->_lstrcpyW = (LSTRCPYW)getFunctionPtr(CRYPTED_HASH_KERNEL32, CRYPTED_HASH_LSTRCPYW);
     ptrs->_GetModuleFileNameExW = (GETMODULEFILENAMEEXW)getFunctionPtr(CRYPTED_HASH_KERNEL32, CRYPTED_HASH_GETMODULEFILENAMEEXW);
@@ -98,7 +98,7 @@ DWORD resolveFptrs(struct fPtrs* ptrs) {
         ptrs->_WriteFile == 0x00 || ptrs->_HeapAlloc == 0x00 || ptrs->_GetProcessHeap == 0x00 || ptrs->_HeapFree == 0x00 || ptrs->_HeapReAlloc == 0x00 ||
         ptrs->_SetFilePointer == 0x00 || ptrs->_LoadLibrary == 0x00 || ptrs->_GetSystemInfo == 0x00 || ptrs->_FreeLibrary == 0x00 || ptrs->_IsProcessorFeaturePresent == 0x00 ||
         ptrs->_lstrlenW == 0x00 || ptrs->_GetProcAddress == 0x00 || ptrs->_VirtualQueryEx == 0x00 || ptrs->_SetFilePointerEx == 0x00 ||
-        ptrs->_GetFileVersionInfoSizeW == 0x00 || ptrs->_GetFileVersionInfoW == 0x00 || ptrs->_VerQueryValueW == 0x00 || ptrs->_lstrcpyW == 0x00 ||
+        ptrs->_GetFileVersionInfoSizeExW == 0x00 || ptrs->_GetFileVersionInfoExW == 0x00 || ptrs->_VerQueryValueW == 0x00 || ptrs->_lstrcpyW == 0x00 ||
         ptrs->_GetModuleFileNameExW == 0x00 || ptrs->_EnumProcessModules == 0x00 || ptrs->_GetModuleInformation == 0x00 || ptrs->_GetModuleBaseNameW == 0x00
         || ptrs->_lstrcmpA == 0x00 || ptrs->_lstrcmpW == 0x00 || ptrs->_LookupPrivilegeValueA == 0x00 || ptrs->_CopyMemory == 0x00) {
         return FAIL;

diff --git a/src/Misc.h b/src/Misc.h
@@ -36,8 +36,8 @@ struct fPtrs {
     GETPROCADDRESS _GetProcAddress;
     VIRTUALQUERYEX _VirtualQueryEx;
     SETFILEPOINTEREX _SetFilePointerEx;
-    GETFILEVERSIONINFOSIZEW _GetFileVersionInfoSizeW;
-    GETFILEVERSIONINFOW _GetFileVersionInfoW;
+    GETFILEVERSIONINFOSIZEEXW _GetFileVersionInfoSizeExW;
+    GETFILEVERSIONINFOEXW _GetFileVersionInfoExW;
     VERQUERYVALUEW _VerQueryValueW;
     LSTRCPYW _lstrcpyW;
     GETMODULEFILENAMEEXW _GetModuleFileNameExW;
@@ -50,4 +50,4 @@ struct fPtrs {
 
 DWORD resolveFptrs(struct fPtrs* ptrs);
 DWORD setDebugPrivilege(struct fPtrs *);
-#endif
+#endif