Add protection to injection info list and kernel APC queue #19
wants to merge 4 commits into
base: master
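--- a/src/injlib/injlib.c
+++ b/src/injlib/injlib.c
@@ -212,6 +212,12 @@ InjpInjectApcKernelRoutine(
 _Inout_ PVOID* SystemArgument2
 );
 
+VOID
+NTAPI
+InjpInjectApcRundownRoutine(
+_In_ PKAPC Apc
+);
+
 //
 // reparse.c
 //
@@ -381,6 +387,9 @@ UCHAR InjpThunkARM64[] = { //
 //////////////////////////////////////////////////////////////////////////
 
 LIST_ENTRY InjInfoListHead;
+FAST_MUTEX InjInfoMutex;
+
+EX_RUNDOWN_REF ApcRundownProtection;
 
 INJ_METHOD InjMethod;
 
@@ -581,11 +590,25 @@ InjpQueueApc(
 PsGetCurrentThread(), // Thread
 OriginalApcEnvironment, // Environment
 &InjpInjectApcKernelRoutine, // KernelRoutine
-NULL, // RundownRoutine
+&InjpInjectApcRundownRoutine, // RundownRoutine
 NormalRoutine, // NormalRoutine
 ApcMode, // ApcMode
 NormalContext); // NormalContext
 
+
+//
+// Acquire rundown protection before inserting new
+// KernelMode APC and release it after injecting
+//
+
+if (ApcMode == KernelMode) {
+BOOLEAN acquired = ExAcquireRundownProtection(&ApcRundownProtection);
+if (!acquired) {
+ExFreePoolWithTag(Apc, INJ_MEMORY_TAG);
+return STATUS_UNSUCCESSFUL;
+}
+}
+
 BOOLEAN Inserted = KeInsertQueueApc(Apc, // Apc
 SystemArgument1, // SystemArgument1
 SystemArgument2, // SystemArgument2
@@ -594,6 +617,11 @@ InjpQueueApc(
 if (!Inserted)
 {
 ExFreePoolWithTag(Apc, INJ_MEMORY_TAG);
+
+if (ApcMode == KernelMode) {
+ExReleaseRundownProtection(&ApcRundownProtection);
+}
+
 return STATUS_UNSUCCESSFUL;
 }
 
@@ -615,6 +643,15 @@ InjpInjectApcNormalRoutine(
 InjInject(InjectionInfo);
 }
 
+VOID
+NTAPI
+InjpInjectApcRundownRoutine(
+_In_ PKAPC Apc
+) {
+ExFreePoolWithTag(Apc, INJ_MEMORY_TAG);
+ExReleaseRundownProtection(&ApcRundownProtection);
+}
+
 VOID
 NTAPI
 InjpInjectApcKernelRoutine(
@@ -879,6 +916,13 @@ InjInitialize(
 //
 
 InitializeListHead(&InjInfoListHead);
+ExInitializeFastMutex(&InjInfoMutex);
+
+//
+// Initialize APC rundown protection
+//
+
+ExInitializeRundownProtection(&ApcRundownProtection);
 
 ULONG Flags = RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE
 | RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING;
@@ -959,6 +1003,7 @@ InjDestroy(
 //
 // Release memory of all injection-info entries.
 //
+ExAcquireFastMutex(&InjInfoMutex);
 
 PLIST_ENTRY NextEntry = InjInfoListHead.Flink;
 
@@ -980,6 +1025,14 @@ InjDestroy(
 {
 RtlFreeUnicodeString(&InjDllPath[Architecture]);
 }
+
+ExReleaseFastMutex(&InjInfoMutex);
+
+//
+// Prevent unloading while there are APCs in the queue
+//
+
+ExWaitForRundownProtectionRelease(&ApcRundownProtection);
 }
 
 NTSTATUS
@@ -991,6 +1044,8 @@ InjCreateInjectionInfo(
 {
 PINJ_INJECTION_INFO CapturedInjectionInfo;
 
+ExAcquireFastMutex(&InjInfoMutex);
+
 if (InjectionInfo && *InjectionInfo)
 {
 CapturedInjectionInfo = *InjectionInfo;
@@ -1003,6 +1058,7 @@ InjCreateInjectionInfo(
 
 if (!CapturedInjectionInfo)
 {
+ExReleaseFastMutex(&InjInfoMutex);
 return STATUS_INSUFFICIENT_RESOURCES;
 }
 
@@ -1020,6 +1076,8 @@ InjCreateInjectionInfo(
 
 InsertTailList(&InjInfoListHead, &CapturedInjectionInfo->ListEntry);
 
+
+ExReleaseFastMutex(&InjInfoMutex);
 return STATUS_SUCCESS;
 }
 
@@ -1059,6 +1117,8 @@ InjFindInjectionInfo(
 _In_ HANDLE ProcessId
 )
 {
+ExAcquireFastMutex(&InjInfoMutex);
+
 PLIST_ENTRY NextEntry = InjInfoListHead.Flink;
 
 while (NextEntry != &InjInfoListHead)
@@ -1069,12 +1129,15 @@ InjFindInjectionInfo(
 
 if (InjectionInfo->ProcessId == ProcessId)
 {
+ExReleaseFastMutex(&InjInfoMutex);
 return InjectionInfo;
 }
 
 NextEntry = NextEntry->Flink;
 }
 
+
+ExReleaseFastMutex(&InjInfoMutex);
 return NULL;
 }
 
@@ -1255,6 +1318,7 @@ InjInject(
 #endif
 
 ZwClose(SectionHandle);
+ExReleaseRundownProtection(&ApcRundownProtection);
 
 if (NT_SUCCESS(Status) && InjectionInfo->ForceUserApc)
 {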