Capesolo update

CAPE/CAPE.h

@@ -42,11 +42,12 @@ PVOID GetAllocationBase(PVOID Address);
 SIZE_T GetRegionSize(PVOID Address);
 SIZE_T GetAllocationSize(PVOID Address);
 SIZE_T GetAccessibleSize(PVOID Address);
+PVOID GetFunctionByName(HMODULE ModuleBase, PCHAR FunctionName);
 PVOID GetFunctionAddress(HMODULE ModuleBase, PCHAR FunctionName);
 BOOL IsAddressAccessible(PVOID Address);
 BOOL IsAddressExecutable(PVOID Address);
 BOOL TestPERequirements(PIMAGE_NT_HEADERS pNtHeader);
-SIZE_T GetMinPESize(PIMAGE_NT_HEADERS pNtHeader);
+SIZE_T GetMinPESize(PIMAGE_DOS_HEADER pDosHeader);
 double GetEntropy(PUCHAR Buffer);
 void SanitiseString(char *Dst, const char *Src, size_t Size);
 PCHAR TranslatePathFromDeviceToLetter(PCHAR DeviceFilePath);
@@ -77,9 +78,10 @@ int DumpImageInCurrentProcess(PVOID ImageBase);
 void DumpSectionViewsForPid(DWORD Pid);
 BOOL DumpRange(PVOID Address, SIZE_T Size);
 BOOL DumpStackRegion(void);
+void DumpStrings(void);
 
 BOOL ProcessDumped;
-unsigned int DumpCount;
+unsigned int DumpCount, DotNetCacheDumpCount;
 
 SYSTEM_INFO SystemInfo;
 PVOID CallingModule;

CAPE/Debugger.c

@@ -46,22 +46,21 @@ extern char *convert_address_to_dll_name_and_offset(ULONG_PTR addr, unsigned int
 extern PCHAR GetNameBySsn(unsigned int Number);
 extern void log_direct_syscall(const char *function, PVOID addr);
 extern unsigned int address_is_in_stack(DWORD Address);
-extern BOOL WoW64fix(void);
-extern BOOL WoW64PatchBreakpoint(unsigned int Register);
-extern BOOL WoW64UnpatchBreakpoint(unsigned int Register);
 extern BOOL SetInitialBreakpoints(PVOID ImageBase), Trace(struct _EXCEPTION_POINTERS* ExceptionInfo), SoftwareBreakpointCallback(struct _EXCEPTION_POINTERS* ExceptionInfo);
 extern BOOL BreakpointCallback(PBREAKPOINTINFO pBreakpointInfo, struct _EXCEPTION_POINTERS* ExceptionInfo);
+extern BOOL GuardPageCallback(struct _EXCEPTION_POINTERS* ExceptionInfo);
 extern void DebuggerOutput(_In_ LPCTSTR lpOutputString, ...), DoTraceOutput(PVOID Address);
-extern BOOL TraceRunning, BreakpointsSet, BreakpointsHit, StopTrace, BreakOnNtContinue, SyscallBreakpointSet;
+extern BOOL TraceRunning, BreakpointsSet, BreakpointsHit, StopTrace, SyscallBreakpointSet;
 extern PVECTORED_EXCEPTION_HANDLER SampleVectoredHandler;
 extern int StepOverRegister;
 extern int process_shutting_down;
 extern HANDLE DebuggerLog;
+extern PVOID GuardedPages;
 
 struct ThreadBreakpoints *MainThreadBreakpointList;
 unsigned int TrapIndex, DepthCount;
-PVOID _KiUserExceptionDispatcher;
-BOOL SetSingleStepMode(PCONTEXT Context, PVOID Handler), ClearSingleStepMode(PCONTEXT Context);
+PVOID KiUserExceptionDispatcher;
+BOOL BreakOnNtContinue, SetSingleStepMode(PCONTEXT Context, PVOID Handler), ClearSingleStepMode(PCONTEXT Context);
 lookup_t SoftBPs, SyscallBPs;
 SOFTBP SyscallBP;
 
@@ -104,32 +103,43 @@ HANDLE GetThreadHandle(DWORD ThreadId)
 }
 
 //**************************************************************************************
-BOOL PatchByte(LPVOID Address, BYTE Byte)
+BOOL PatchBytes(LPVOID Address, const char* HexBytes)
 //**************************************************************************************
 {
-	DWORD OldProtect;
+    if (!Address || !HexBytes || !IsAddressAccessible(Address))
+	{
+        DebugOutput("PatchBytes: Invalid address or hex string");
+        return FALSE;
+    }
 
-	if (!Address || !IsAddressAccessible(Address))
-		return FALSE;
+    SIZE_T HexLen = strlen(HexBytes);
+    if (HexLen == 0 || HexLen % 2 != 0)
+	{
+        DebugOutput("PatchBytes: Invalid hex string length %d", HexLen);
+        return FALSE;
+    }
 
-	if (!VirtualProtect(Address, 1, PAGE_EXECUTE_READWRITE, &OldProtect))
+    SIZE_T ByteCount = HexLen / 2;
+    DWORD OldProtect;
+    if (!VirtualProtect(Address, ByteCount, PAGE_EXECUTE_READWRITE, &OldProtect))
 	{
-		DebugOutput("PatchByte: Unable to change memory protection at 0x%p", Address);
-		return FALSE;
-	}
+        DebugOutput("PatchBytes: Failed to change memory protection at 0x%p", Address);
+        return FALSE;
+    }
 
-#ifdef DEBUG_COMMENTS
-	DebugOutput("PatchByte: Changed memory protection at 0x%p", Address);
-#endif
+    PBYTE Dest = (PBYTE)Address;
+    for (SIZE_T i = 0; i < HexLen; i += 2)
+	{
+        char HexByte[3] = { HexBytes[i], HexBytes[i + 1], '\0' };
+        BYTE Byte = (BYTE)strtoul(HexByte, NULL, 16);
+        *Dest++ = Byte;
+    }
 
-	*(PBYTE)Address = Byte;
+    VirtualProtect(Address, ByteCount, OldProtect, &OldProtect);
 
-#ifdef DEBUG_COMMENTS
-	DebugOutput("PatchByte: New instruction byte at 0x%p: 0x%x", Address, *(PBYTE)Address);
-#endif
-	VirtualProtect(Address, 1, OldProtect, &OldProtect);
+    DebugOutput("PatchBytes: Patched %zu bytes at 0x%p: %s", ByteCount, Address, HexBytes);
 
-	return TRUE;
+    return TRUE;
 }
 
 //**************************************************************************************
@@ -496,7 +506,7 @@ BOOL SyscallBreakpointHandler(struct _EXCEPTION_POINTERS* ExceptionInfo)
 	}
 #ifdef DEBUG_COMMENTS
 	else
-		DebugOutput("SyscallBreakpointHandler: Calling SSN 0x%x -> 0x%p: %s\n", SSN, Function, FunctionName);
+		DebugOutput("SyscallBreakpointHandler: Syscall at 0x%p, SSN 0x%x -> 0x%p: %s\n", ExceptionInfo->ExceptionRecord->ExceptionAddress, SSN, Function, FunctionName);
 #endif
 
 	log_direct_syscall(FunctionName, (PVOID)CIP);
@@ -603,85 +613,31 @@ LONG WINAPI CAPEExceptionFilter(struct _EXCEPTION_POINTERS* ExceptionInfo)
 
 		if (bp == 0 && ((DWORD_PTR)pBreakpointInfo->Address != ExceptionInfo->ContextRecord->Dr0))
 		{
-			DebugOutput("CAPEExceptionFilter: Anomaly detected! bp0 address (0x%p) different to BreakpointInfo (0x%x)!\n", ExceptionInfo->ContextRecord->Dr0, pBreakpointInfo->Address);
+			if (pBreakpointInfo->Address)
+				DebugOutput("CAPEExceptionFilter: Anomaly detected! bp0 address 0x%p different to internal breakpoint 0x%p\n", ExceptionInfo->ContextRecord->Dr0, pBreakpointInfo->Address);
 			return EXCEPTION_CONTINUE_SEARCH;
 		}
 
 		if (bp == 1 && ((DWORD_PTR)pBreakpointInfo->Address != ExceptionInfo->ContextRecord->Dr1))
 		{
-			DebugOutput("CAPEExceptionFilter: Anomaly detected! bp1 address (0x%p) different to BreakpointInfo (0x%x)!\n", ExceptionInfo->ContextRecord->Dr1, pBreakpointInfo->Address);
+			if (pBreakpointInfo->Address)
+				DebugOutput("CAPEExceptionFilter: Anomaly detected! bp1 address 0x%p different to internal breakpoint 0x%p\n", ExceptionInfo->ContextRecord->Dr1, pBreakpointInfo->Address);
 			return EXCEPTION_CONTINUE_SEARCH;
 		}
 
 		if (bp == 2 && ((DWORD_PTR)pBreakpointInfo->Address != ExceptionInfo->ContextRecord->Dr2))
 		{
-			DebugOutput("CAPEExceptionFilter: Anomaly detected! bp2 address (0x%p) different to BreakpointInfo (0x%x)!\n", ExceptionInfo->ContextRecord->Dr2, pBreakpointInfo->Address);
+			if (pBreakpointInfo->Address)
+				DebugOutput("CAPEExceptionFilter: Anomaly detected! bp2 address 0x%p different to internal breakpoint 0x%p\n", ExceptionInfo->ContextRecord->Dr2, pBreakpointInfo->Address);
 			return EXCEPTION_CONTINUE_SEARCH;
 		}
 
 		if (bp == 3 && ((DWORD_PTR)pBreakpointInfo->Address != ExceptionInfo->ContextRecord->Dr3))
 		{
-			DebugOutput("CAPEExceptionFilter: Anomaly detected! bp3 address (0x%p) different to BreakpointInfo (0x%x)!\n", ExceptionInfo->ContextRecord->Dr3, pBreakpointInfo->Address);
+			if (pBreakpointInfo->Address)
+				DebugOutput("CAPEExceptionFilter: Anomaly detected! bp3 address 0x%p different to internal breakpoint 0x%p\n", ExceptionInfo->ContextRecord->Dr3, pBreakpointInfo->Address);
 			return EXCEPTION_CONTINUE_SEARCH;
 		}
-#ifndef _WIN64
-		if (bp == 0 && ((DWORD_PTR)pBreakpointInfo->Type != ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE0))
-		{
-			if (pBreakpointInfo->Type == BP_READWRITE && ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE0 == BP_WRITE && address_is_in_stack((DWORD_PTR)pBreakpointInfo->Address))
-			{
-				DebugOutput("CAPEExceptionFilter: Reinstated BP_READWRITE on breakpoint %d (WoW64 workaround)\n", pBreakpointInfo->Register);
-
-				ContextSetThreadBreakpoint(ExceptionInfo->ContextRecord, pBreakpointInfo->Register, pBreakpointInfo->Size, (BYTE*)pBreakpointInfo->Address, pBreakpointInfo->Type, pBreakpointInfo->HitCount, pBreakpointInfo->Callback);
-			}
-			else
-			{
-				DebugOutput("CAPEExceptionFilter: Anomaly detected! bp0 type (0x%x) different to BreakpointInfo (0x%x)!\n", ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE0, pBreakpointInfo->Type);
-				CheckDebugRegisters(0, ExceptionInfo->ContextRecord);
-			}
-		}
-		if (bp == 1 && ((DWORD)pBreakpointInfo->Type != ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE1))
-		{
-			if (pBreakpointInfo->Type == BP_READWRITE && ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE1 == BP_WRITE && address_is_in_stack((DWORD_PTR)pBreakpointInfo->Address))
-			{
-				DebugOutput("CAPEExceptionFilter: Reinstated BP_READWRITE on breakpoint %d (WoW64 workaround)\n", pBreakpointInfo->Register);
-
-				ContextSetThreadBreakpoint(ExceptionInfo->ContextRecord, pBreakpointInfo->Register, pBreakpointInfo->Size, (BYTE*)pBreakpointInfo->Address, pBreakpointInfo->Type, pBreakpointInfo->HitCount, pBreakpointInfo->Callback);
-			}
-			else
-			{
-				DebugOutput("CAPEExceptionFilter: Anomaly detected! bp1 type (0x%x) different to BreakpointInfo (0x%x)!\n", ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE1, pBreakpointInfo->Type);
-				CheckDebugRegisters(0, ExceptionInfo->ContextRecord);
-			}
-		}
-		if (bp == 2 && ((DWORD)pBreakpointInfo->Type != ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE2))
-		{
-			if (pBreakpointInfo->Type == BP_READWRITE && ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE2 == BP_WRITE && address_is_in_stack((DWORD_PTR)pBreakpointInfo->Address))
-			{
-				DebugOutput("CAPEExceptionFilter: Reinstated BP_READWRITE on stack breakpoint %d (WoW64 workaround)\n", pBreakpointInfo->Register);
-
-				ContextSetThreadBreakpoint(ExceptionInfo->ContextRecord, pBreakpointInfo->Register, pBreakpointInfo->Size, (BYTE*)pBreakpointInfo->Address, pBreakpointInfo->Type, pBreakpointInfo->HitCount, pBreakpointInfo->Callback);
-			}
-			else
-			{
-				DebugOutput("CAPEExceptionFilter: Anomaly detected! bp2 type (0x%x) different to BreakpointInfo (0x%x)!\n", ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE2, pBreakpointInfo->Type);
-				CheckDebugRegisters(0, ExceptionInfo->ContextRecord);
-			}
-		}
-		if (bp == 3 && ((DWORD)pBreakpointInfo->Type != ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE3))
-		{
-			if (pBreakpointInfo->Type == BP_READWRITE && ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE3 == BP_WRITE && address_is_in_stack((DWORD_PTR)pBreakpointInfo->Address))
-			{
-				DebugOutput("CAPEExceptionFilter: Reinstated BP_READWRITE on breakpoint %d (WoW64 workaround)\n", pBreakpointInfo->Register);
-
-				ContextSetThreadBreakpoint(ExceptionInfo->ContextRecord, pBreakpointInfo->Register, pBreakpointInfo->Size, (BYTE*)pBreakpointInfo->Address, pBreakpointInfo->Type, pBreakpointInfo->HitCount, pBreakpointInfo->Callback);
-			}
-			else
-			{
-				DebugOutput("CAPEExceptionFilter: Anomaly detected! bp3 type (0x%x) different to BreakpointInfo (0x%x)!\n", ((PDR7)&(ExceptionInfo->ContextRecord->Dr7))->RWE3, pBreakpointInfo->Type);
-				CheckDebugRegisters(0, ExceptionInfo->ContextRecord);
-			}
-		}
-#endif // !_WIN64
 
 		if (pBreakpointInfo->HitCount)
 		{
@@ -810,6 +766,14 @@ LONG WINAPI CAPEExceptionFilter(struct _EXCEPTION_POINTERS* ExceptionInfo)
 #endif
 #endif
 	}
+	else if (ExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION)
+	{
+#ifdef DEBUG_COMMENTS
+		DebugOutput("CAPEExceptionFilter: Guard page violation at 0x%p\n", ExceptionInfo->ExceptionRecord->ExceptionAddress);
+#endif
+		if (GetAllocationBase(ExceptionInfo->ExceptionRecord->ExceptionAddress) == GuardedPages && GuardPageCallback(ExceptionInfo))
+			return EXCEPTION_CONTINUE_EXECUTION;
+	}
 
 	// Exceptions in capemon
 	if ((ULONG_PTR)ExceptionInfo->ExceptionRecord->ExceptionAddress >= g_our_dll_base && (ULONG_PTR)ExceptionInfo->ExceptionRecord->ExceptionAddress < (g_our_dll_base + g_our_dll_size))
@@ -917,11 +881,6 @@ BOOL ContextSetDebugRegisterEx
 	if (Type == BP_EXEC)
 		Length = 0;
 
-#ifndef _WIN64
-	if (Type == BP_READWRITE && address_is_in_stack((DWORD_PTR)Address))
-		WoW64PatchBreakpoint(Register);
-#endif
-
 	if (Register == 0)
 	{
 		*Dr0 = (DWORD_PTR)Address;
@@ -1063,11 +1022,6 @@ BOOL SetDebugRegister
 	if (Type == BP_EXEC)
 		Length = 0;
 
-#ifndef _WIN64
-	if (Type == BP_READWRITE && address_is_in_stack((DWORD_PTR)Address))
-		WoW64PatchBreakpoint(Register);
-#endif
-
 	if (Register == 0)
 	{
 		*Dr0 = (DWORD_PTR)Address;
@@ -1264,59 +1218,8 @@ BOOL ContextClearAllBreakpoints(PCONTEXT Context)
 BOOL ClearAllBreakpoints()
 //**************************************************************************************
 {
-	CONTEXT	Context;
-	PTHREADBREAKPOINTS ThreadBreakpoints;
-	unsigned int Register;
-
-	ThreadBreakpoints = MainThreadBreakpointList;
-
-	while (ThreadBreakpoints)
-	{
-		if (!ThreadBreakpoints->ThreadId)
-		{
-			DebugOutput("ClearAllBreakpoints: Error: no thread id for thread breakpoints 0x%x.\n", ThreadBreakpoints);
-			return FALSE;
-		}
-
-		if (!ThreadBreakpoints->ThreadHandle)
-		{
-			DebugOutput("ClearAllBreakpoints: Error no thread handle for thread %d.\n", ThreadBreakpoints->ThreadId);
-			return FALSE;
-		}
-
-		for (Register = 0; Register < NUMBER_OF_DEBUG_REGISTERS; Register++)
-		{
-			ThreadBreakpoints->BreakpointInfo[Register].Size = 0;
-			ThreadBreakpoints->BreakpointInfo[Register].Address = NULL;
-			ThreadBreakpoints->BreakpointInfo[Register].Type = 0;
-			ThreadBreakpoints->BreakpointInfo[Register].HitCount = 0;
-			ThreadBreakpoints->BreakpointInfo[Register].Callback = NULL;
-		}
-
-		memset(&Context, 0, sizeof(CONTEXT));
-		Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
-
-		Context.Dr0 = 0;
-		Context.Dr1 = 0;
-		Context.Dr2 = 0;
-		Context.Dr3 = 0;
-		Context.Dr6 = 0;
-		Context.Dr7 = 0;
-
-		if (!SetThreadContext(ThreadBreakpoints->ThreadHandle, &Context))
-		{
-#ifdef DEBUG_COMMENTS
-			DebugOutput("ClearAllBreakpoints: Error setting thread context (thread %d).\n", ThreadBreakpoints->ThreadId);
-#endif
-			return FALSE;
-		}
-#ifdef DEBUG_COMMENTS
-		else
-			DebugOutput("ClearAllBreakpoints: Cleared breakpoints for thread %d (handle 0x%x).\n", ThreadBreakpoints->ThreadId, ThreadBreakpoints->ThreadHandle);
-#endif
-
-		ThreadBreakpoints = ThreadBreakpoints->NextThreadBreakpoints;
-	}
+	for (unsigned int Register = 0; Register < NUMBER_OF_DEBUG_REGISTERS; Register++)
+		ClearBreakpoint(Register);
 
 	ClearSoftwareBreakpoints();
 
@@ -1372,11 +1275,6 @@ BOOL ContextClearBreakpointEx(PCONTEXT Context, PBREAKPOINTINFO pBreakpointInfo,
 		Dr7->L3 = 0;
 	}
 
-#ifndef _WIN64
-	if (pBreakpointInfo->Type == BP_READWRITE && address_is_in_stack((DWORD_PTR)pBreakpointInfo->Address))
-		WoW64UnpatchBreakpoint(pBreakpointInfo->Register);
-#endif
-
 	pBreakpointInfo->Address = 0;
 	pBreakpointInfo->Size = 0;
 	pBreakpointInfo->Type = 0;
@@ -1864,11 +1762,6 @@ BOOL ClearDebugRegister
 		Dr7->L3 = 0;
 	}
 
-#ifndef _WIN64
-	if (Type == BP_READWRITE && address_is_in_stack((DWORD_PTR)Address))
-		WoW64UnpatchBreakpoint(Register);
-#endif
-
 	Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
 
 	if (!SetThreadContext(hThread, &Context))
@@ -2736,27 +2629,22 @@ BOOL InitialiseDebugger(void)
 	}
 
 	// Store address of KiUserExceptionDispatcher
-	_KiUserExceptionDispatcher = GetProcAddress(GetModuleHandle("ntdll"), "KiUserExceptionDispatcher");
+	HMODULE ntdll = GetModuleHandle("ntdll");
+	KiUserExceptionDispatcher = GetProcAddress(ntdll, "KiUserExceptionDispatcher");
 
-	if (_KiUserExceptionDispatcher == NULL)
+	if (KiUserExceptionDispatcher == NULL)
 	{
 		DebugOutput("InitialiseDebugger error: could not resolve ntdll::KiUserExceptionDispatcher.\n");
 		return FALSE;
 	}
 #ifdef DEBUG_COMMENTS
-	else DebugOutput("InitialiseDebugger: ntdll::KiUserExceptionDispatcher = 0x%p\n", _KiUserExceptionDispatcher);
+	else DebugOutput("InitialiseDebugger: ntdll::KiUserExceptionDispatcher = 0x%p\n", KiUserExceptionDispatcher);
 #endif
 
 	// Initialise global variables
 	ChildProcessId = 0;
 	SingleStepHandler = NULL;
 
-#ifndef _WIN64
-	// Ensure wow64 patch is installed if needed
-	if (!g_config.msi)
-		WoW64fix();
-#endif
-
 	g_config.debugger = 1;
 	DebuggerInitialised = TRUE;
 
@@ -2802,7 +2690,7 @@ void NtContinueHandler(PCONTEXT ThreadContext)
 
 	TrackExecution(CIP);
 
-	if (BreakpointsSet)
+	if (g_config.debugger)
 	{
 		DWORD ThreadId = GetCurrentThreadId();
 		PTHREADBREAKPOINTS ThreadBreakpoints = GetThreadBreakpoints(ThreadId);

CAPE/Debugger.h

@@ -181,7 +181,7 @@ BOOL InitialiseDebugger(void);
 BOOL ResumeFromBreakpoint(PCONTEXT Context);
 void OutputThreadBreakpoints(DWORD ThreadId);
 void DebugOutputThreadBreakpoints();
-BOOL PatchByte(LPVOID Address, BYTE Byte);
+BOOL PatchBytes(LPVOID Address, const char* HexBytes);
 
 void ShowStack(DWORD_PTR StackPointer, unsigned int NumberOfRecords);