#修复R0map对wow64的支持

DragonQuestHero · Feb 7, 2024 · 9516a23 · 9516a23
1 parent 4a58a93
commit 9516a23
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 3 deletions.
diff --git a/Medusa/DLLInject.h b/Medusa/DLLInject.h
@@ -1,10 +1,13 @@
 #pragma once
 #include <windows.h>
 #include <fstream>
+#include <string_view>
 
 #include <TlHelp32.h>
 #include <Psapi.h>
 
+#include "Wow64Ext/wow64ext.h"
+
 
 class DLLInject
 {
@@ -32,6 +35,13 @@ class DLLInject
 		return result;
 	}
 public:
+	bool is_process64(HANDLE hProcess) {
+		BOOL wow64 = FALSE;
+		if (!IsWow64Process(hProcess, &wow64)) {
+			return false;
+		}
+		return !wow64;
+	}
 	bool injectdll_x64(const PROCESS_INFORMATION& pi, std::wstring dll) {
 		static unsigned char sc[] = {
 			0x9c,                                                                   // pushfq
@@ -138,7 +148,15 @@ class DLLInject
 		return true;
 	}
 	bool injectdll(const PROCESS_INFORMATION& pi, const std::wstring& x64dll) {
-		return injectdll_x64(pi, x64dll);
+		if (is_process64(pi.hProcess))
+		{
+			return injectdll_x64(pi, x64dll);
+		}
+		else
+		{
+			return false;
+		}
+
 	}
 	bool setdebugprivilege() {
 		TOKEN_PRIVILEGES tp = { 0 };

diff --git a/MedusaKernel/Modules.cc b/MedusaKernel/Modules.cc
@@ -116,7 +116,16 @@ bool Modules::R0MapInject(ULONG64 PID, ULONG64 Size, void* DLLImage)
 		KeStackAttachProcess(tempep, &kapc);
 		void* buffer = nullptr;
 		void* shellcode = nullptr;
-		ULONG64 shellcode_size = sizeof(MemLoadShellcode_x64);
+		unsigned char* temp_load_shellcode = nullptr;
+		if (PsGetProcessWow64Process(tempep) != NULL)
+		{
+			temp_load_shellcode = MemLoadShellcode_x86;
+		}
+		else
+		{
+			temp_load_shellcode = MemLoadShellcode_x64;
+		}
+		ULONG64 shellcode_size = sizeof(temp_load_shellcode);
 		ULONG64 buffer_size = Size;
 		status = ZwAllocateVirtualMemory(ZwCurrentProcess(), &shellcode, 0, &shellcode_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 		if (!NT_SUCCESS(status))
@@ -130,7 +139,7 @@ bool Modules::R0MapInject(ULONG64 PID, ULONG64 Size, void* DLLImage)
 			KeUnstackDetachProcess(&kapc);
 			return false;
 		}
-		RtlCopyMemory(shellcode, MemLoadShellcode_x64, sizeof(MemLoadShellcode_x64));
+		RtlCopyMemory(shellcode, temp_load_shellcode, shellcode_size);
 		RtlCopyMemory(buffer, DLLImage, Size);
 		HANDLE thread_handle = 0;
 		status = RtlCreateUserThread(ZwCurrentProcess(), 0, 0, 0, 0, 0, shellcode, buffer, &thread_handle, 0);

diff --git a/Readme.md b/Readme.md
@@ -2,6 +2,12 @@
 
 [English](https://github.com/DragonQuestHero/Medusa/blob/master/Readme-en.md)
 
+##### 更新日志:
+
+###### 2-7 修复了对wow64的模块查看错误 wow64注入目前只有r3map和r0map可用(神话给的代码太复杂
+
+
+
 ##### 我不在意GDT和IDT到底有没有被修改 也不想重复process hacker已经有的功能 更不在乎某个进程连接了哪个IP
 
 ##### 重点关注进程 内存 线程 内核等重灾区 大多ARK为了功能足够多舍弃了一些不好维护或添加或不够稳定的功能