The RtlPcToFileHeader hook consults loadedAddressRanges to identify
PCs that belong to manually-loaded modules. Entries were appended
during LoadLibrary but never removed when the module was freed, so
once the underlying allocation was returned to the OS and possibly
reused, the hook would still claim those PCs as ours and substitute
in a sentinel address, breaking unwind metadata lookup for whatever
legitimate module ended up at that range.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

RtlAddFunctionTable keeps a kernel-side pointer into the in-image
RUNTIME_FUNCTION array. Without a matching RtlDeleteFunctionTable,
freeing codeBase via VirtualFree leaves that pointer dangling.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

The two checks collapsed into one || meant the second error message
was unreachable. Drop NumberOfNames from the first check so both
diagnostics are reachable for their respective cases.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

This also involves bumping wireguard-tools so that wg.exe is up to date.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

It's not good to leave cruft around from the upgrade case when people
want to uninstall, so we remove wintun in the uninstaller manually
(without the help of wintun.dll, which we no longer ship). But also, so
that we can eventually drop that code, we also remove it
opportunistically when the manager starts.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

When GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS) is called
by cfgmgr32.dll's SwCreateDevice on the DLL's callback, it expects to
get the module of the DLL. But of course memory-loaded modules mean
there is none. This causes SwCreateDevice to fail.
GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS) internally
uses RtlPcToFileHeader. In turn, RtlPcToFileHeader looks things up in
the inverted function table, which has no stable interface across OS
releases. That means adding a proper module isn't going to work.
So instead we hook the IAT, so that we can intercept all calls to
RtlPcToFileHeader that come from GetModuleHandleEx's kernelbase.dll. If
the value to look up is within the range of a module we've memory
loaded, then we change the value to look up to the hook function itself,
so that it winds up returning the main module.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Go doesn't provide an easy way of passing a better timestamp to the log
package.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Otherwise recent WDK binaries fail on ARM64, where an exception handler
is used for trapping an illegal instruction when ARMv8.1 atomics are
being tested for functionality.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>