Skip to content

Commit 98ad329

Browse files
author
Requiem
committed
chore: replaced GetCurrentProcess() with pseudo-handle implementation
1 parent 5cfafc3 commit 98ad329

2 files changed

Lines changed: 37 additions & 32 deletions

File tree

src/cli.cpp

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -309,7 +309,7 @@ static bool is_admin() {
309309
#elif (WINDOWS)
310310
bool is_admin = false;
311311
HANDLE hToken = nullptr;
312-
if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
312+
if (OpenProcessToken(reinterpret_cast<HANDLE>(-1LL), TOKEN_QUERY, &hToken)) {
313313
TOKEN_ELEVATION elevation{};
314314
DWORD dwSize;
315315
if (GetTokenInformation(hToken, TokenElevation, &elevation, sizeof(elevation), &dwSize)) {
@@ -731,7 +731,7 @@ static void general() {
731731
}
732732
#elif (CLI_WINDOWS)
733733
if (!is_admin()) {
734-
std::cout << note << " Not running as admin. Some important detections will be disabled.\n";
734+
std::cout << note << " Not running as admin - NVRAM detections will be disabled.\n";
735735
}
736736
#endif
737737

src/vmaware.hpp

Lines changed: 35 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -1406,7 +1406,7 @@ struct VM {
14061406
#elif (WINDOWS)
14071407
bool is_admin = false;
14081408
HANDLE hToken = nullptr;
1409-
if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
1409+
if (OpenProcessToken(reinterpret_cast<HANDLE>(-1LL), TOKEN_QUERY, &hToken)) {
14101410
TOKEN_ELEVATION elevation{};
14111411
DWORD dwSize;
14121412
if (GetTokenInformation(hToken, TokenElevation, &elevation, sizeof(elevation), &dwSize)) {
@@ -1647,7 +1647,7 @@ struct VM {
16471647

16481648
[[nodiscard]] static bool is_running_under_translator() {
16491649
#if (WINDOWS && _WIN32_WINNT >= _WIN32_WINNT_WIN10)
1650-
const HANDLE hProcess = GetCurrentProcess();
1650+
const HANDLE hProcess = reinterpret_cast<HANDLE>(-1LL);
16511651
USHORT procMachine = 0, nativeMachine = 0;
16521652
const auto pIsWow64Process2 = &IsWow64Process2;
16531653

@@ -7437,7 +7437,7 @@ struct VM {
74377437
NTSTATUS status = ntQuerySystemInformation(SystemModuleInformation, nullptr, 0, &ulSize);
74387438
if (status != ((NTSTATUS)0xC0000004L)) return false;
74397439

7440-
const HANDLE hProcess = GetCurrentProcess();
7440+
const HANDLE hProcess = reinterpret_cast<HANDLE>(-1LL);
74417441
PVOID allocatedMemory = nullptr;
74427442
SIZE_T regionSize = ulSize;
74437443
ntAllocateVirtualMemory(hProcess, &allocatedMemory, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
@@ -7606,6 +7606,7 @@ struct VM {
76067606

76077607
BYTE* allocatedBuffer = nullptr;
76087608
SIZE_T allocatedSize = 0;
7609+
const HANDLE hProcess = reinterpret_cast<HANDLE>(-1LL);
76097610

76107611
if (!NT_SUCCESS(st)) {
76117612
DWORD reportedSize = 0;
@@ -7617,7 +7618,7 @@ struct VM {
76177618
allocatedSize = static_cast<SIZE_T>(reportedSize);
76187619
PVOID allocBase = nullptr;
76197620
SIZE_T regionSize = allocatedSize;
7620-
st = pNtAllocateVirtualMemory((HANDLE)-1, &allocBase, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
7621+
st = pNtAllocateVirtualMemory(hProcess, &allocBase, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
76217622
if (!NT_SUCCESS(st) || allocBase == nullptr) {
76227623
pNtClose(hDevice);
76237624
continue;
@@ -7630,7 +7631,7 @@ struct VM {
76307631
if (!NT_SUCCESS(st)) {
76317632
PVOID freeBase = reinterpret_cast<PVOID>(allocatedBuffer);
76327633
SIZE_T freeSize = allocatedSize;
7633-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
7634+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
76347635
pNtClose(hDevice);
76357636
continue;
76367637
}
@@ -7648,7 +7649,7 @@ struct VM {
76487649
if (allocatedBuffer) {
76497650
PVOID freeBase = reinterpret_cast<PVOID>(allocatedBuffer);
76507651
SIZE_T freeSize = allocatedSize;
7651-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
7652+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
76527653
allocatedBuffer = nullptr;
76537654
}
76547655
pNtClose(hDevice);
@@ -7668,7 +7669,7 @@ struct VM {
76687669
if (allocatedBuffer) {
76697670
PVOID freeBase = reinterpret_cast<PVOID>(allocatedBuffer);
76707671
SIZE_T freeSize = allocatedSize;
7671-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
7672+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
76727673
allocatedBuffer = nullptr;
76737674
}
76747675
pNtClose(hDevice);
@@ -7679,7 +7680,7 @@ struct VM {
76797680
if (allocatedBuffer) {
76807681
PVOID freeBase = reinterpret_cast<PVOID>(allocatedBuffer);
76817682
SIZE_T freeSize = allocatedSize;
7682-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
7683+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
76837684
allocatedBuffer = nullptr;
76847685
}
76857686
pNtClose(hDevice);
@@ -7828,7 +7829,7 @@ struct VM {
78287829
const int colorMgmtCaps = GetDeviceCaps(hdc, COLORMGMTCAPS);
78297830
ReleaseDC(nullptr, hdc);
78307831

7831-
return colorMgmtCaps == 0 || !(colorMgmtCaps & CM_GAMMA_RAMP);
7832+
return !(colorMgmtCaps & CM_GAMMA_RAMP) || colorMgmtCaps == 0;
78327833
}
78337834

78347835

@@ -8457,7 +8458,8 @@ struct VM {
84578458

84588459
PVOID execMem = nullptr;
84598460
SIZE_T regionSize = trampSize;
8460-
NTSTATUS st = pNtAllocateVirtualMemory((HANDLE)-1, &execMem, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
8461+
const HANDLE hProcess = reinterpret_cast<HANDLE>(-1LL);
8462+
NTSTATUS st = pNtAllocateVirtualMemory(hProcess, &execMem, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
84618463
if (!NT_SUCCESS(st) || !execMem) {
84628464
return false;
84638465
}
@@ -8467,15 +8469,15 @@ struct VM {
84678469
PVOID tmpBase = execMem;
84688470
SIZE_T tmpSz = trampSize;
84698471
ULONG oldProt = 0;
8470-
st = pNtProtectVirtualMemory((HANDLE)-1, &tmpBase, &tmpSz, PAGE_EXECUTE_READ, &oldProt);
8472+
st = pNtProtectVirtualMemory(hProcess, &tmpBase, &tmpSz, PAGE_EXECUTE_READ, &oldProt);
84718473
if (!NT_SUCCESS(st)) {
84728474
PVOID freeBase = execMem; SIZE_T freeSize = trampSize;
8473-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
8475+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
84748476
return false;
84758477
}
84768478
}
84778479

8478-
pNtFlushInstructionCache((HANDLE)-1, execMem, trampSize);
8480+
pNtFlushInstructionCache(hProcess, execMem, trampSize);
84798481

84808482
int hitCount = 0;
84818483

@@ -8485,7 +8487,7 @@ struct VM {
84858487

84868488
if (!NT_SUCCESS(pNtGetContextThread(thrHandle, &origCtx))) {
84878489
PVOID freeBase = execMem; SIZE_T freeSize = trampSize;
8488-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
8490+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
84898491
return false;
84908492
}
84918493

@@ -8498,7 +8500,7 @@ struct VM {
84988500
if (!NT_SUCCESS(pNtSetContextThread(thrHandle, &dbgCtx))) {
84998501
pNtSetContextThread(thrHandle, &origCtx);
85008502
PVOID freeBase = execMem; SIZE_T freeSize = trampSize;
8501-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
8503+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
85028504
return false;
85038505
}
85048506

@@ -8539,7 +8541,7 @@ struct VM {
85398541
pNtSetContextThread(thrHandle, &origCtx);
85408542

85418543
PVOID freeBase = execMem; SIZE_T freeSize = trampSize;
8542-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
8544+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
85438545

85448546
#endif
85458547
return hypervisorCaught;
@@ -8586,7 +8588,7 @@ struct VM {
85868588
return false;
85878589
}
85888590

8589-
const HANDLE hProcess = GetCurrentProcess();
8591+
const HANDLE hProcess = reinterpret_cast<HANDLE>(-1LL);
85908592
PVOID base = nullptr;
85918593
SIZE_T regionSize = sizeof(ud_opcodes);
85928594
NTSTATUS st = pNtAllocateVirtualMemory(hProcess, &base, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
@@ -8612,7 +8614,7 @@ struct VM {
86128614
saw_ud = true;
86138615
}
86148616

8615-
pNtFreeVirtualMemory((HANDLE)-1, &base, &regionSize, MEM_RELEASE);
8617+
pNtFreeVirtualMemory(hProcess, &base, &regionSize, MEM_RELEASE);
86168618

86178619
return !saw_ud;
86188620
}
@@ -8708,6 +8710,7 @@ struct VM {
87088710
const SIZE_T stubSize = sizeof(intelTemplate);
87098711
const bool isAmd = cpu::is_amd();
87108712

8713+
const HANDLE hProcess = reinterpret_cast<HANDLE>(-1LL);
87118714
const HMODULE ntdll = util::get_ntdll();
87128715
if (!ntdll) return false;
87138716

@@ -8726,7 +8729,7 @@ struct VM {
87268729

87278730
PVOID stub = nullptr;
87288731
SIZE_T regionSize = stubSize;
8729-
NTSTATUS st = pNtAllocateVirtualMemory((HANDLE)-1, &stub, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
8732+
NTSTATUS st = pNtAllocateVirtualMemory(hProcess, &stub, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
87308733
if (!NT_SUCCESS(st) || !stub) return false;
87318734

87328735
if (isAmd) {
@@ -8746,13 +8749,13 @@ struct VM {
87468749
*reinterpret_cast<u64*>(reinterpret_cast<u8*>(stub) + 35) = reinterpret_cast<u64>(static_cast<void*>(&vmcallResult));
87478750

87488751
ULONG oldProtect = 0;
8749-
st = pNtProtectVirtualMemory((HANDLE)-1, &stub, &regionSize, PAGE_EXECUTE_READ, &oldProtect);
8752+
st = pNtProtectVirtualMemory(hProcess, &stub, &regionSize, PAGE_EXECUTE_READ, &oldProtect);
87508753
if (!NT_SUCCESS(st)) {
8751-
pNtFreeVirtualMemory((HANDLE)-1, &stub, &regionSize, MEM_RELEASE);
8754+
pNtFreeVirtualMemory(hProcess, &stub, &regionSize, MEM_RELEASE);
87528755
return false;
87538756
}
87548757

8755-
pNtFlushInstructionCache((HANDLE)-1, stub, regionSize);
8758+
pNtFlushInstructionCache(hProcess, stub, regionSize);
87568759

87578760
auto tryPass = [&]() -> bool {
87588761
vmcallInfo.structsize = static_cast<u32>(sizeof(VMCallInfo));
@@ -8772,7 +8775,7 @@ struct VM {
87728775

87738776
const bool found = tryPass();
87748777

8775-
pNtFreeVirtualMemory((HANDLE)-1, &stub, &regionSize, MEM_RELEASE);
8778+
pNtFreeVirtualMemory(hProcess, &stub, &regionSize, MEM_RELEASE);
87768779

87778780
if (found) return core::add(brands::DBVM);
87788781

@@ -9060,7 +9063,7 @@ struct VM {
90609063
if (!util::is_admin()) return false;
90619064

90629065
HANDLE hToken = nullptr;
9063-
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return false;
9066+
if (!OpenProcessToken(reinterpret_cast<HANDLE>(-1LL), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return false;
90649067

90659068
LUID luid{};
90669069
bool priv_enabled = false;
@@ -9465,10 +9468,12 @@ struct VM {
94659468
return false;
94669469
}
94679470

9471+
const HANDLE hProcess = reinterpret_cast<HANDLE>(-1LL);
9472+
94689473
{
94699474
PVOID base = nullptr;
94709475
SIZE_T sz = targetSize;
9471-
NTSTATUS st2 = pNtAllocateVirtualMemory((HANDLE)-1, &base, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
9476+
NTSTATUS st2 = pNtAllocateVirtualMemory(hProcess, &base, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
94729477
if (!NT_SUCCESS(st2) || base == nullptr) {
94739478
proceed = false;
94749479
}
@@ -9489,7 +9494,7 @@ struct VM {
94899494
if (proceed) {
94909495
PVOID base = nullptr;
94919496
SIZE_T sz = codeSize;
9492-
NTSTATUS st2 = pNtAllocateVirtualMemory((HANDLE)-1, &base, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
9497+
NTSTATUS st2 = pNtAllocateVirtualMemory(hProcess, &base, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
94939498
if (!NT_SUCCESS(st2) || base == nullptr) {
94949499
proceed = false;
94959500
}
@@ -9501,12 +9506,12 @@ struct VM {
95019506
ULONG oldProt = 0;
95029507
PVOID tmpBase = exec_mem;
95039508
SIZE_T tmpSz = codeSize;
9504-
st2 = pNtProtectVirtualMemory((HANDLE)-1, &tmpBase, &tmpSz, PAGE_EXECUTE_READ, &oldProt);
9509+
st2 = pNtProtectVirtualMemory(hProcess, &tmpBase, &tmpSz, PAGE_EXECUTE_READ, &oldProt);
95059510
if (!NT_SUCCESS(st2)) {
95069511
proceed = false;
95079512
}
95089513
else {
9509-
pNtFlushInstructionCache((HANDLE)-1, exec_mem, codeSize);
9514+
pNtFlushInstructionCache(hProcess, exec_mem, codeSize);
95109515

95119516
using CodeFunc = void(*)();
95129517
using RunnerFn = int(*)(CodeFunc);
@@ -9535,12 +9540,12 @@ struct VM {
95359540

95369541
if (exec_mem) {
95379542
freeBase = exec_mem; freeSize = codeSize;
9538-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
9543+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
95399544
exec_mem = nullptr;
95409545
}
95419546
if (amd_target_mem) {
95429547
freeBase = amd_target_mem; freeSize = targetSize;
9543-
pNtFreeVirtualMemory((HANDLE)-1, &freeBase, &freeSize, MEM_RELEASE);
9548+
pNtFreeVirtualMemory(hProcess, &freeBase, &freeSize, MEM_RELEASE);
95449549
amd_target_mem = nullptr;
95459550
}
95469551

0 commit comments

Comments
 (0)