[BUGFIX] Fixed missing system check before applying the patch. Flush cache after

hasherezade · hasherezade · commit 78df8f1825dd · 2025-02-07T01:17:59.000+01:00
diff --git a/run_pe/main.cpp b/run_pe/main.cpp
@@ -3,7 +3,8 @@
 #include <tchar.h>
 #include "run_pe.h"
 
-LPCTSTR version = TEXT("0.1.9");
+LPCTSTR version = TEXT("0.2");
+
 bool g_PatchRequired = false;
 
 bool isWindows1124H2OrLater()
diff --git a/run_pe/patch_ntdll.cpp b/run_pe/patch_ntdll.cpp
@@ -17,26 +17,27 @@ bool patch_NtManageHotPatch32(HANDLE hProcess)
     if (!_NtManageHotPatch) {
         return false;
     }
-    ULONG_PTR stub_ptr = (ULONG_PTR)_NtManageHotPatch;
+    LPVOID stub_ptr = (LPVOID)_NtManageHotPatch;
 
-    if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {
+    if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {
         return false;
     }
     BYTE stub_buffer_orig[stub_size] = { 0 };
     SIZE_T out_bytes = 0;
-    if (!ReadProcessMemory(hProcess, (LPVOID)stub_ptr, stub_buffer_orig, stub_size, &out_bytes) || out_bytes != stub_size) {
+    if (!ReadProcessMemory(hProcess, stub_ptr, stub_buffer_orig, stub_size, &out_bytes) || out_bytes != stub_size) {
         return false;
     }
     // confirm it is a valid syscall stub:
     if (stub_buffer_orig[0] != 0xB8) {
         return false;
     }
-    if (!WriteProcessMemory(hProcess, (LPVOID)stub_ptr, hotpatch_patch, sizeof(hotpatch_patch), &out_bytes) || out_bytes != sizeof(hotpatch_patch)) {
+    if (!WriteProcessMemory(hProcess, stub_ptr, hotpatch_patch, sizeof(hotpatch_patch), &out_bytes) || out_bytes != sizeof(hotpatch_patch)) {
         return false;
     }
-    if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, oldProtect, &oldProtect)) {
+    if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, oldProtect, &oldProtect)) {
         return false;
     }
+    FlushInstructionCache(hProcess, stub_ptr, sizeof(hotpatch_patch));
     return true;
 }
 
@@ -65,26 +66,27 @@ bool patch_NtManageHotPatch64(HANDLE hProcess)
     if (!_NtManageHotPatch) {
         return false;
     }
-    ULONG_PTR stub_ptr = (ULONG_PTR)_NtManageHotPatch;
+    LPVOID stub_ptr = (LPVOID)_NtManageHotPatch;
 
-    if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {
+    if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {
         return false;
     }
     BYTE stub_buffer_orig[stub_size] = { 0 };
     SIZE_T out_bytes = 0;
-    if (!ReadProcessMemory(hProcess, (LPVOID)stub_ptr, stub_buffer_orig, stub_size, &out_bytes) || out_bytes != stub_size) {
+    if (!ReadProcessMemory(hProcess, stub_ptr, stub_buffer_orig, stub_size, &out_bytes) || out_bytes != stub_size) {
         return false;
     }
     // confirm it is a valid syscall stub:
     if (::memcmp(stub_buffer_orig, syscall_fill_pattern, syscall_pattern_start) != 0) {
         return false;
     }
-    if (!WriteProcessMemory(hProcess, (LPVOID)stub_ptr, hotpatch_patch, sizeof(hotpatch_patch), &out_bytes) || out_bytes != sizeof(hotpatch_patch)) {
+    if (!WriteProcessMemory(hProcess, stub_ptr, hotpatch_patch, sizeof(hotpatch_patch), &out_bytes) || out_bytes != sizeof(hotpatch_patch)) {
         return false;
     }
-    if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, oldProtect, &oldProtect)) {
+    if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, oldProtect, &oldProtect)) {
         return false;
     }
+    FlushInstructionCache(hProcess, stub_ptr, sizeof(hotpatch_patch));
     return true;
 }
 
@@ -104,9 +106,9 @@ bool patch_ZwQueryVirtualMemory(HANDLE hProcess, LPVOID module_ptr)
     if (!_ZwQueryVirtualMemory || _ZwQueryVirtualMemory < pos) {
         return false;
     }
-    ULONG_PTR stub_ptr = (ULONG_PTR)_ZwQueryVirtualMemory - pos;
+    LPVOID stub_ptr = (LPVOID)((ULONG_PTR)_ZwQueryVirtualMemory - pos);
 
-    if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {
+    if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {
         return false;
     }
     LPVOID patch_space = VirtualAllocEx(hProcess, 0, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
@@ -115,7 +117,7 @@ bool patch_ZwQueryVirtualMemory(HANDLE hProcess, LPVOID module_ptr)
     }
     BYTE stub_buffer_orig[stub_size] = { 0 };
     SIZE_T out_bytes = 0;
-    if (!ReadProcessMemory(hProcess, (LPVOID)stub_ptr, stub_buffer_orig, stub_size, &out_bytes) || out_bytes != stub_size) {
+    if (!ReadProcessMemory(hProcess, stub_ptr, stub_buffer_orig, stub_size, &out_bytes) || out_bytes != stub_size) {
         return false;
     }
     const BYTE nop_pattern[] = {0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00};
@@ -169,18 +171,19 @@ bool patch_ZwQueryVirtualMemory(HANDLE hProcess, LPVOID module_ptr)
 
     const SIZE_T trampoline_full_size = stub_size + pos + syscall_pattern_full + sizeof(jump_to_contnue);
 
-    if (!WriteProcessMemory(hProcess, (LPVOID)stub_ptr, stub_buffer_patched, stub_size, &out_bytes) || out_bytes != stub_size) {
+    if (!WriteProcessMemory(hProcess, stub_ptr, stub_buffer_patched, stub_size, &out_bytes) || out_bytes != stub_size) {
         return false;
     }
-    if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, oldProtect, &oldProtect)) {
+    if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, oldProtect, &oldProtect)) {
         return false;
     }
-    if (!WriteProcessMemory(hProcess, (LPVOID)patch_space, stub_buffer_trampoline, trampoline_full_size, &out_bytes) || out_bytes != trampoline_full_size) {
+    if (!WriteProcessMemory(hProcess, patch_space, stub_buffer_trampoline, trampoline_full_size, &out_bytes) || out_bytes != trampoline_full_size) {
         return false;
     }
-    if (!VirtualProtectEx(hProcess, (LPVOID)patch_space, stub_size, PAGE_EXECUTE_READ, &oldProtect)) {
+    if (!VirtualProtectEx(hProcess, patch_space, stub_size, PAGE_EXECUTE_READ, &oldProtect)) {
         return false;
     }
+    FlushInstructionCache(hProcess, stub_ptr, stub_size);
     return true;
 #endif
 }
diff --git a/run_pe/run_pe.cpp b/run_pe/run_pe.cpp
@@ -310,11 +310,13 @@ bool run_pe(IN LPCTSTR payloadPath, IN LPCTSTR targetPath, IN LPCTSTR cmdLine)
         free_pe_buffer(loaded_pe, payloadImageSize);
         return false;
     }
+    if (g_PatchRequired) {
 #ifndef _WIN64
-    patch_NtManageHotPatch32(pi.hProcess);
+        patch_NtManageHotPatch32(pi.hProcess);
 #else
-    patch_NtManageHotPatch64(pi.hProcess);
+        patch_NtManageHotPatch64(pi.hProcess);
 #endif
+    }
     //3. Perform the actual RunPE:
     bool isOk = _run_pe(loaded_pe, payloadImageSize, pi, is32bit_payload);
     //4. Cleanup:

Original file line number	Diff line number	Diff line change
`@@ -17,26 +17,27 @@ bool patch_NtManageHotPatch32(HANDLE hProcess)`
`17`	`17`	`if (!_NtManageHotPatch) {`
`18`	`18`	`return false;`
`19`	`19`	`}`
`20`		`- ULONG_PTR stub_ptr = (ULONG_PTR)_NtManageHotPatch;`
	`20`	`+ LPVOID stub_ptr = (LPVOID)_NtManageHotPatch;`
`21`	`21`
`22`		`- if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {`
	`22`	`+ if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {`
`23`	`23`	`return false;`
`24`	`24`	`}`
`25`	`25`	`BYTE stub_buffer_orig[stub_size] = { 0 };`
`26`	`26`	`SIZE_T out_bytes = 0;`
`27`		`- if (!ReadProcessMemory(hProcess, (LPVOID)stub_ptr, stub_buffer_orig, stub_size, &out_bytes) \|\| out_bytes != stub_size) {`
	`27`	`+ if (!ReadProcessMemory(hProcess, stub_ptr, stub_buffer_orig, stub_size, &out_bytes) \|\| out_bytes != stub_size) {`
`28`	`28`	`return false;`
`29`	`29`	`}`
`30`	`30`	`// confirm it is a valid syscall stub:`
`31`	`31`	`if (stub_buffer_orig[0] != 0xB8) {`
`32`	`32`	`return false;`
`33`	`33`	`}`
`34`		`- if (!WriteProcessMemory(hProcess, (LPVOID)stub_ptr, hotpatch_patch, sizeof(hotpatch_patch), &out_bytes) \|\| out_bytes != sizeof(hotpatch_patch)) {`
	`34`	`+ if (!WriteProcessMemory(hProcess, stub_ptr, hotpatch_patch, sizeof(hotpatch_patch), &out_bytes) \|\| out_bytes != sizeof(hotpatch_patch)) {`
`35`	`35`	`return false;`
`36`	`36`	`}`
`37`		`- if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, oldProtect, &oldProtect)) {`
	`37`	`+ if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, oldProtect, &oldProtect)) {`
`38`	`38`	`return false;`
`39`	`39`	`}`
	`40`	`+ FlushInstructionCache(hProcess, stub_ptr, sizeof(hotpatch_patch));`
`40`	`41`	`return true;`
`41`	`42`	`}`
`42`	`43`
`@@ -65,26 +66,27 @@ bool patch_NtManageHotPatch64(HANDLE hProcess)`
`65`	`66`	`if (!_NtManageHotPatch) {`
`66`	`67`	`return false;`
`67`	`68`	`}`
`68`		`- ULONG_PTR stub_ptr = (ULONG_PTR)_NtManageHotPatch;`
	`69`	`+ LPVOID stub_ptr = (LPVOID)_NtManageHotPatch;`
`69`	`70`
`70`		`- if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {`
	`71`	`+ if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {`
`71`	`72`	`return false;`
`72`	`73`	`}`
`73`	`74`	`BYTE stub_buffer_orig[stub_size] = { 0 };`
`74`	`75`	`SIZE_T out_bytes = 0;`
`75`		`- if (!ReadProcessMemory(hProcess, (LPVOID)stub_ptr, stub_buffer_orig, stub_size, &out_bytes) \|\| out_bytes != stub_size) {`
	`76`	`+ if (!ReadProcessMemory(hProcess, stub_ptr, stub_buffer_orig, stub_size, &out_bytes) \|\| out_bytes != stub_size) {`
`76`	`77`	`return false;`
`77`	`78`	`}`
`78`	`79`	`// confirm it is a valid syscall stub:`
`79`	`80`	`if (::memcmp(stub_buffer_orig, syscall_fill_pattern, syscall_pattern_start) != 0) {`
`80`	`81`	`return false;`
`81`	`82`	`}`
`82`		`- if (!WriteProcessMemory(hProcess, (LPVOID)stub_ptr, hotpatch_patch, sizeof(hotpatch_patch), &out_bytes) \|\| out_bytes != sizeof(hotpatch_patch)) {`
	`83`	`+ if (!WriteProcessMemory(hProcess, stub_ptr, hotpatch_patch, sizeof(hotpatch_patch), &out_bytes) \|\| out_bytes != sizeof(hotpatch_patch)) {`
`83`	`84`	`return false;`
`84`	`85`	`}`
`85`		`- if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, oldProtect, &oldProtect)) {`
	`86`	`+ if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, oldProtect, &oldProtect)) {`
`86`	`87`	`return false;`
`87`	`88`	`}`
	`89`	`+ FlushInstructionCache(hProcess, stub_ptr, sizeof(hotpatch_patch));`
`88`	`90`	`return true;`
`89`	`91`	`}`
`90`	`92`
`@@ -104,9 +106,9 @@ bool patch_ZwQueryVirtualMemory(HANDLE hProcess, LPVOID module_ptr)`
`104`	`106`	`if (!_ZwQueryVirtualMemory \|\| _ZwQueryVirtualMemory < pos) {`
`105`	`107`	`return false;`
`106`	`108`	`}`
`107`		`- ULONG_PTR stub_ptr = (ULONG_PTR)_ZwQueryVirtualMemory - pos;`
	`109`	`+ LPVOID stub_ptr = (LPVOID)((ULONG_PTR)_ZwQueryVirtualMemory - pos);`
`108`	`110`
`109`		`- if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {`
	`111`	`+ if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, PAGE_READWRITE, &oldProtect)) {`
`110`	`112`	`return false;`
`111`	`113`	`}`
`112`	`114`	`LPVOID patch_space = VirtualAllocEx(hProcess, 0, 0x1000, MEM_COMMIT \| MEM_RESERVE, PAGE_READWRITE);`
`@@ -115,7 +117,7 @@ bool patch_ZwQueryVirtualMemory(HANDLE hProcess, LPVOID module_ptr)`
`115`	`117`	`}`
`116`	`118`	`BYTE stub_buffer_orig[stub_size] = { 0 };`
`117`	`119`	`SIZE_T out_bytes = 0;`
`118`		`- if (!ReadProcessMemory(hProcess, (LPVOID)stub_ptr, stub_buffer_orig, stub_size, &out_bytes) \|\| out_bytes != stub_size) {`
	`120`	`+ if (!ReadProcessMemory(hProcess, stub_ptr, stub_buffer_orig, stub_size, &out_bytes) \|\| out_bytes != stub_size) {`
`119`	`121`	`return false;`
`120`	`122`	`}`
`121`	`123`	`const BYTE nop_pattern[] = {0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00};`
`@@ -169,18 +171,19 @@ bool patch_ZwQueryVirtualMemory(HANDLE hProcess, LPVOID module_ptr)`
`169`	`171`
`170`	`172`	`const SIZE_T trampoline_full_size = stub_size + pos + syscall_pattern_full + sizeof(jump_to_contnue);`
`171`	`173`
`172`		`- if (!WriteProcessMemory(hProcess, (LPVOID)stub_ptr, stub_buffer_patched, stub_size, &out_bytes) \|\| out_bytes != stub_size) {`
	`174`	`+ if (!WriteProcessMemory(hProcess, stub_ptr, stub_buffer_patched, stub_size, &out_bytes) \|\| out_bytes != stub_size) {`
`173`	`175`	`return false;`
`174`	`176`	`}`
`175`		`- if (!VirtualProtectEx(hProcess, (LPVOID)stub_ptr, stub_size, oldProtect, &oldProtect)) {`
	`177`	`+ if (!VirtualProtectEx(hProcess, stub_ptr, stub_size, oldProtect, &oldProtect)) {`
`176`	`178`	`return false;`
`177`	`179`	`}`
`178`		`- if (!WriteProcessMemory(hProcess, (LPVOID)patch_space, stub_buffer_trampoline, trampoline_full_size, &out_bytes) \|\| out_bytes != trampoline_full_size) {`
	`180`	`+ if (!WriteProcessMemory(hProcess, patch_space, stub_buffer_trampoline, trampoline_full_size, &out_bytes) \|\| out_bytes != trampoline_full_size) {`
`179`	`181`	`return false;`
`180`	`182`	`}`
`181`		`- if (!VirtualProtectEx(hProcess, (LPVOID)patch_space, stub_size, PAGE_EXECUTE_READ, &oldProtect)) {`
	`183`	`+ if (!VirtualProtectEx(hProcess, patch_space, stub_size, PAGE_EXECUTE_READ, &oldProtect)) {`
`182`	`184`	`return false;`
`183`	`185`	`}`
	`186`	`+ FlushInstructionCache(hProcess, stub_ptr, stub_size);`
`184`	`187`	`return true;`
`185`	`188`	`#endif`
`186`	`189`	`}`