
Commit 04ec41a

committed
fix auth for x64 client update
1 parent c35bb69 commit 04ec41a

1 file changed

Lines changed: 124 additions & 55 deletions


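--- a/KBotExt/Auth.cpp
+++ b/KBotExt/Auth.cpp
@@ -151,81 +151,150 @@ std::wstring Auth::GetProcessCommandLine(const DWORD& processId)
 PULONG ReturnLength
 );
 
-typedef struct _PROCESS_BASIC_INFORMATION {
-LONG ExitStatus;
-PVOID PebBaseAddress;
-ULONG_PTR AffinityMask;
-LONG BasePriority;
-HANDLE UniqueProcessId;
-HANDLE InheritedFromUniqueProcessId;
-} PROCESS_BASIC_INFORMATION;
-
-typedef struct _UNICODE_STRING
-{
-USHORT Length;
-USHORT MaximumLength;
-PWSTR Buffer;
-} UNICODE_STRING, * PUNICODE_STRING;
-typedef const UNICODE_STRING* PCUNICODE_STRING;
-
 std::wstring result;
 HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, processId);
 
-PROCESS_BASIC_INFORMATION pbi;
-ZeroMemory(&pbi, sizeof(pbi));
+SYSTEM_INFO si;
+GetNativeSystemInfo(&si);
 
-tNtQueryInformationProcess NtQueryInformationProcess =
-(tNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
-if (NtQueryInformationProcess(processHandle, 0, &pbi, sizeof(pbi), 0) != 0)
-{
-MessageBoxA(0, "NtQueryInformationProcess failed", 0, 0);
-CloseHandle(processHandle);
-return {};
-}
+BOOL wow;
+IsWow64Process(GetCurrentProcess(), &wow);
 
-#ifndef _WIN64
-DWORD ProcessParametersOffset = 0x10;
-DWORD CommandLineOffset = 0x40;
-#else
-DWORD ProcessParametersOffset = 0x20;
-DWORD CommandLineOffset = 0x70;
-#endif
+DWORD ProcessParametersOffset = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64 ? 0x20 : 0x10;
+DWORD CommandLineOffset = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64 ? 0x70 : 0x40;
 
 DWORD pebSize = ProcessParametersOffset + 8; // size until ProcessParameters
 PBYTE peb = (PBYTE)malloc(pebSize);
 ZeroMemory(peb, pebSize);
-if (!ReadProcessMemory(processHandle, pbi.PebBaseAddress, peb, pebSize, NULL))
-{
-MessageBoxA(0, "PEB ReadProcessMemory failed", 0, 0);
-CloseHandle(processHandle);
-return {};
-}
 
 DWORD processParametersSize = CommandLineOffset + 16;
 PBYTE processParameters = (PBYTE)malloc(processParametersSize);
 ZeroMemory(processParameters, processParametersSize);
-PBYTE* parameters = (PBYTE*)*(LPVOID*)(peb + ProcessParametersOffset);
-if (!ReadProcessMemory(processHandle, parameters, processParameters, processParametersSize, NULL))
+
+if (wow)
 {
-MessageBoxA(0, "processParameters ReadProcessMemory failed", 0, 0);
+typedef struct _PROCESS_BASIC_INFORMATION_WOW64 {
+PVOID Reserved1[2];
+PVOID64 PebBaseAddress;
+PVOID Reserved2[4];
+ULONG_PTR UniqueProcessId[2];
+PVOID Reserved3[2];
+} PROCESS_BASIC_INFORMATION_WOW64;
+
+typedef struct _UNICODE_STRING_WOW64 {
+USHORT Length;
+USHORT MaximumLength;
+PVOID64 Buffer;
+} UNICODE_STRING_WOW64;
+
+typedef NTSTATUS(NTAPI* tNtWow64ReadVirtualMemory64)(
+IN HANDLE ProcessHandle,
+IN PVOID64 BaseAddress,
+OUT PVOID Buffer,
+IN ULONG64 Size,
+OUT PULONG64 NumberOfBytesRead);
+
+PROCESS_BASIC_INFORMATION_WOW64 pbi;
+ZeroMemory(&pbi, sizeof(pbi));
+
+tNtQueryInformationProcess NtQueryInformationProcess =
+(tNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtWow64QueryInformationProcess64");
+if (NtQueryInformationProcess(processHandle, 0, &pbi, sizeof(pbi), 0) != 0)
+{
+MessageBoxA(0, "NtQueryInformationProcess failed", 0, 0);
+CloseHandle(processHandle);
+return {};
+}
+
+tNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 =
+(tNtWow64ReadVirtualMemory64)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtWow64ReadVirtualMemory64");
+
+if (NtWow64ReadVirtualMemory64(processHandle, pbi.PebBaseAddress, peb, pebSize, NULL) != 0)
+{
+MessageBoxA(0, "PEB NtWow64ReadVirtualMemory64 failed", 0, 0);
+CloseHandle(processHandle);
+return {};
+}
+
+PVOID64 parameters = (PVOID64) * ((PVOID64*)(peb + ProcessParametersOffset));
+if (NtWow64ReadVirtualMemory64(processHandle, parameters, processParameters, processParametersSize, NULL) != 0)
+{
+MessageBoxA(0, "processParameters NtWow64ReadVirtualMemory64 failed", 0, 0);
+CloseHandle(processHandle);
+return {};
+}
+
+UNICODE_STRING_WOW64* pCommandLine = (UNICODE_STRING_WOW64*)(processParameters + CommandLineOffset);
+PWSTR commandLineCopy = (PWSTR)malloc(pCommandLine->MaximumLength);
+if (NtWow64ReadVirtualMemory64(processHandle, pCommandLine->Buffer, commandLineCopy, pCommandLine->MaximumLength, NULL) != 0)
+{
+MessageBoxA(0, "pCommandLine NtWow64ReadVirtualMemory64 failed", 0, 0);
+CloseHandle(processHandle);
+return {};
+}
+
+result = std::wstring(commandLineCopy);
 CloseHandle(processHandle);
-return {};
 }
-
-UNICODE_STRING* pCommandLine = (UNICODE_STRING*)(processParameters + CommandLineOffset);
-PWSTR commandLineBuffer = pCommandLine->Buffer;
-USHORT commandLineLen = pCommandLine->MaximumLength;
-PWSTR commandLineCopy = (PWSTR)malloc(commandLineLen);
-if (!ReadProcessMemory(processHandle, commandLineBuffer, commandLineCopy, commandLineLen, NULL))
+else
 {
-MessageBoxA(0, "pCommandLine ReadProcessMemory failed", 0, 0);
+typedef struct _PROCESS_BASIC_INFORMATION {
+LONG ExitStatus;
+PVOID PebBaseAddress;
+ULONG_PTR AffinityMask;
+LONG BasePriority;
+HANDLE UniqueProcessId;
+HANDLE InheritedFromUniqueProcessId;
+} PROCESS_BASIC_INFORMATION;
+
+typedef struct _UNICODE_STRING
+{
+USHORT Length;
+USHORT MaximumLength;
+PWSTR Buffer;
+} UNICODE_STRING, * PUNICODE_STRING;
+typedef const UNICODE_STRING* PCUNICODE_STRING;
+
+PROCESS_BASIC_INFORMATION pbi;
+ZeroMemory(&pbi, sizeof(pbi));
+
+tNtQueryInformationProcess NtQueryInformationProcess =
+(tNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
+if (NtQueryInformationProcess(processHandle, 0, &pbi, sizeof(pbi), 0) != 0)
+{
+MessageBoxA(0, "NtQueryInformationProcess failed", 0, 0);
+CloseHandle(processHandle);
+return {};
+}
+
+if (!ReadProcessMemory(processHandle, pbi.PebBaseAddress, peb, pebSize, NULL))
+{
+MessageBoxA(0, "PEB ReadProcessMemory failed", 0, 0);
+CloseHandle(processHandle);
+return {};
+}
+
+PBYTE* parameters = (PBYTE*)*(LPVOID*)(peb + ProcessParametersOffset);
+if (!ReadProcessMemory(processHandle, parameters, processParameters, processParametersSize, NULL))
+{
+MessageBoxA(0, "processParameters ReadProcessMemory failed", 0, 0);
+CloseHandle(processHandle);
+return {};
+}
+
+UNICODE_STRING* pCommandLine = (UNICODE_STRING*)(processParameters + CommandLineOffset);
+PWSTR commandLineCopy = (PWSTR)malloc(pCommandLine->MaximumLength);
+if (!ReadProcessMemory(processHandle, pCommandLine->Buffer, commandLineCopy, pCommandLine->MaximumLength, NULL))
+{
+MessageBoxA(0, "pCommandLine ReadProcessMemory failed", 0, 0);
+CloseHandle(processHandle);
+return {};
+}
+
+result = std::wstring(commandLineCopy);
 CloseHandle(processHandle);
-return {};
 }
 
-result = std::wstring(commandLineCopy);
-
-CloseHandle(processHandle);
 return result;
 }
 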
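Review bot: Both new branches build the result with `result = std::wstring(commandLineCopy);` (new lines 236 and 294), which assumes the bytes read from the target process end in a NUL inside the `MaximumLength` buffer; `MaximumLength` and `Buffer` are values read from another process's memory and should be treated as untrusted, so the copy should be bounded by the length actually read, `result = std::wstring(commandLineCopy, pCommandLine->Length / sizeof(wchar_t));`, with a bail-out when `MaximumLength` is 0 or `malloc` returns null before the read is issued. The WOW64 branch also calls through the `GetProcAddress` results for `NtWow64QueryInformationProcess64` and `NtWow64ReadVirtualMemory64` without a null check, and `wow` is left uninitialised if `IsWow64Process` fails; declare it as `BOOL wow = FALSE;` and return `{}` (after `CloseHandle`) when either lookup yields null. Every error path in both branches, and the success path, still leaks `peb`, `processParameters` and `commandLineCopy`, which the old code also did; switching the three buffers to `std::vector<BYTE>`/`std::wstring` storage would close that without touching the read logic. Auth::GetProcessCommandLine starts before this hunk, so the `OpenProcess` result being used unchecked may already be covered there — worth confirming.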