#ifndef HOTPATCH_H
#define HOTPATCH_H
#include <winternl.h>
//Alignment of all structures (unless stated explicitly on the structure)
//must be 8 on x86 and 16 on the other architectures
////////////////////////////////////////////////////////////
// Relocation kinds applied to the hotpatch image when it is not loaded at
// OrigHotpBaseAddress (see HOTPATCH_HEADER). From the names, VA* are absolute
// addresses and PC* are PC-relative, in 32- or 64-bit width — confirm against
// the consumer.
typedef enum _HOTPATCH_FIXUP_TYPE {
    HOTP_Fixup_None = 0,
    HOTP_Fixup_VA32 = 1,
    HOTP_Fixup_PC32 = 2,
    HOTP_Fixup_VA64 = 3,
    HOTP_Fixup_PC64 = 4 //? (marked uncertain by the original author)
} HOTPATCH_FIXUP_TYPE;

//sizeof(HOTPATCH_FIXUP_ENTRY) must be 2
// One fixup: 12 bits of RVA offset plus a 4-bit HOTPATCH_FIXUP_TYPE, packed
// into a single WORD. Presumably RvaOffset supplies the low 12 bits of the
// target RVA and HOTPATCH_FIXUP_REGION.RvaHi the upper 20 (12 + 20 = 32).
typedef struct _HOTPATCH_FIXUP_ENTRY {
    WORD RvaOffset : 12;
    WORD /*HOTPATCH_FIXUP_TYPE*/ FixupType : 4;
} HOTPATCH_FIXUP_ENTRY, *PHOTPATCH_FIXUP_ENTRY;

// A run of fixups sharing the same RvaHi. Count is the number of WORD-sized
// entries that follow the 4-byte header; keeping it even keeps every region
// 4-byte aligned, which is why the array is declared as a pair.
// NOTE(review): RvaHi/Count are read from the image on disk; whoever walks
// these regions must check that Count entries lie inside the .hotp1 section
// before dereferencing them — nothing in this header enforces that.
typedef struct _HOTPATCH_FIXUP_REGION {
    unsigned int RvaHi : 20;
    unsigned int Count : 12;
    WORD /*HOTPATCH_FIXUP_ENTRY*/ Fixup[2]; //count always even
} HOTPATCH_FIXUP_REGION, *PHOTPATCH_FIXUP_REGION;
////////////////////////////////////////////////////////////
// Bit flags for HOTPATCH_VALIDATION.OptionFlags.
typedef enum _HOTPATCH_VALIDATION_OPTIONS {
    HOTP_Valid_Hook_Target = 1 //skip (original author's note; exact effect not shown here)
} HOTPATCH_VALIDATION_OPTIONS;

// One pre-patch byte comparison. Going by the field names, ByteCount bytes
// at SourceRva (hotpatch image) are expected to equal the bytes at TargetRva
// (target module); the patch should be refused when they differ. Which image
// each RVA is relative to is not established by this file — confirm.
typedef struct _HOTPATCH_VALIDATION {
    DWORD SourceRva;
    DWORD TargetRva;
    WORD ByteCount;
    WORD /*HOTPATCH_VALIDATION_OPTIONS*/ OptionFlags;
} HOTPATCH_VALIDATION, *PHOTPATCH_VALIDATION;
////////////////////////////////////////////////////////////
// Kind of code hook written at HookRva. The values are grouped by
// architecture as the names suggest: 0..4 x86, 16 a 64-bit absolute address,
// 32..33 IA-64, 48..49 AMD64. "not yet implemented" notes are the original
// author's.
typedef enum _HOTPATCH_HOOK_TYPE {
    HOTP_Hook_None = 0,
    HOTP_Hook_VA32 = 1,
    HOTP_Hook_X86_JMP = 2,
    HOTP_Hook_PCREL32 = 3, //not yet implemented
    HOTP_Hook_X86_JMP2B = 4,
    HOTP_Hook_VA64 = 16,
    HOTP_Hook_IA64_BRL = 32,
    HOTP_Hook_IA64_BR = 33, //not yet implemented
    HOTP_Hook_AMD64_IND = 48,
    HOTP_Hook_AMD64_CNT = 49
} HOTPATCH_HOOK_TYPE;

// One hook record in the array at HOTPATCH_HEADER.HookArrayRva. Per the
// names, HookRva is the location in the target module, HotpRva the
// replacement code in the hotpatch image, and ValidationRva the
// HOTPATCH_VALIDATION record guarding this hook; how "no validation" is
// encoded is not shown in this file.
typedef struct _HOTPATCH_HOOK {
    WORD /*HOTPATCH_HOOK_TYPE*/ HookType;
    WORD HookOptions; //0..5 - size of available space (original author's note)
    DWORD HookRva;
    DWORD HotpRva;
    DWORD ValidationRva;
} HOTPATCH_HOOK, *PHOTPATCH_HOOK;
////////////////////////////////////////////////////////////
// How the target module is identified before a patch is accepted; selects
// which arm of HOTPATCH_HEADER.TargetModuleIdValue is meaningful.
// "not yet supported" notes are the original author's.
typedef enum _HOTPATCH_MODULE_ID_METHOD {
    HOTP_ID_None = 0,
    HOTP_ID_PeHeaderHash1 = 1, //not yet supported
    HOTP_ID_PeHeaderHash2 = 2,
    HOTP_ID_PeChecksum = 3,
    HOTP_ID_PeDebugSignature = 16 //not yet supported
} HOTPATCH_MODULE_ID_METHOD;

// Values of HOTPATCH_DEBUG_SIGNATURE.Signature distinguishing a hot patch
// from a cold patch.
#define DEBUG_SIGNATURE_HOTPATCH 0xD201
#define DEBUG_SIGNATURE_COLDPATCH 0xD202

// 4-byte signature record; HotpatchVersion presumably mirrors
// HOTPATCH_HEADER.Version — confirm.
typedef struct _HOTPATCH_DEBUG_SIGNATURE {
    WORD HotpatchVersion;
    WORD Signature;
} HOTPATCH_DEBUG_SIGNATURE, *PHOTPATCH_DEBUG_SIGNATURE;

// Identification data; which of the two quadwords is consulted presumably
// follows HOTPATCH_MODULE_ID_METHOD (hash vs. checksum) — confirm.
typedef struct _HOTPATCH_DEBUG_DATA {
    ULONGLONG PEHashData;
    ULONGLONG ChecksumData;
} HOTPATCH_DEBUG_DATA, *PHOTPATCH_DEBUG_DATA;
////////////////////////////////////////////////////////////
// Name of the PE section that carries the hotpatch header, as a string and
// as the same 8 bytes packed little-endian into one 64-bit integer so the
// section name can be matched with a single compare.
// NOTE(review): HOTP_SECTION_NAMELL decodes to ".hotp1" followed by TWO
// spaces (bytes 2E 68 6F 74 70 31 20 20); the string literal as rendered
// here shows only one trailing space. Confirm the literal is 8 characters
// long so the two forms agree.
#define HOTP_SECTION_NAME ".hotp1 "
#define HOTP_SECTION_NAMELL 0x20203170746F682ELL
// 80 is what sizeof(HOTPATCH_HEADER) works out to under the 8-byte
// alignment stated at the top of this file (56 bytes of fixed fields plus
// a 24-byte union) — a section smaller than this cannot hold a header.
#define HOTP_SECTION_MIN_SIZE 80
#define HOTP_SIGNATURE 0x31544F48 //'HOT1' (little-endian byte order)
#define HOTP_VERSION_1 0x00010000

// Header at the start of the .hotp1 section. The *Rva fields are offsets
// (presumably relative to the hotpatch image base) of the fixup-region,
// validation and hook arrays whose lengths are the matching *Count fields;
// the two Orig*BaseAddress fields record the link-time bases used to
// compute the fixups.
// NOTE(review): this header is read straight from an image on disk. A
// consumer must check Signature and Version, and that each
// Rva + Count * sizeof(element) range lies inside the section, before
// dereferencing anything — this file defines the layout only.
typedef struct _HOTPATCH_HEADER {
    DWORD Signature;
    DWORD Version;
    DWORD FixupRgnCount;
    DWORD FixupRgnRva;
    DWORD ValidationCount;
    DWORD ValidationArrayRva;
    DWORD HookCount;
    DWORD HookArrayRva;
    ULONGLONG OrigHotpBaseAddress;
    ULONGLONG OrigTargetBaseAddress;
    DWORD TargetNameRva;
    DWORD ModuleIdMethod;
    // Interpreted according to ModuleIdMethod (HOTPATCH_MODULE_ID_METHOD).
    union {
        ULONGLONG Quad;
        GUID Guid;
        struct {
            GUID Guid;
            DWORD Age;
        } PdbSig;
        BYTE Hash128[16];
        BYTE Hash160[20];
    } TargetModuleIdValue;
} HOTPATCH_HEADER, *PHOTPATCH_HEADER;
////////////////////////////////////////////////////////////
// Information class used with Nt/ZwSetSystemInformation for hotpatch
// operations; the accompanying buffer is a SYSTEM_HOTPATCH_CODE_INFORMATION.
#define SystemHotpatchInformation 0x45

// The values below are OR-ed into SYSTEM_HOTPATCH_CODE_INFORMATION.Flags.
// The high bits select the operation and therefore which arm of the union
// is valid (named in each comment); the low bits carry the command/result.

//coldpatch sub-functions
#define HOTP_RENAME_FILES 0x10000000 //RenameInfo //pre-Vista
#define HOTP_UPDATE_SYSDLL 0x40000000 //no info required
#define HOTP_UPDATE_KNOWNDLL 0x08000000 //AtomicSwap

//hotpatch sub-functions
#define HOTP_USE_MODULE 0x20000000 //KernelInfo or InjectionInfo when calling Nt/ZwSetSystemInformation
//UserModeInfo when calling LdrHotPatchRoutine
#define HOTP_INJECT_THREAD 0x01000000 //InjectionInfo, HOTP_USE_MODULE must be set //Vista
#define HOTP_KERNEL_MODULE 0x80000000 //KernelInfo, HOTP_USE_MODULE must be set
//if none of the three flags above is set, CodeInfo is evaluated and applied directly

//hotpatch commands/states
//HOTP_PATCH_APPLY and HOTP_PATCH_STATUS share bit 0 with opposite polarity;
//which reading applies depends on whether HOTP_USE_MODULE is set.
#define HOTP_PATCH_APPLY 0x00000001 //command for KernelInfo or UserModeInfo (HOTP_USE_MODULE is set)
//0 - remove, 1 - apply the patch
#define HOTP_PATCH_STATUS 0x00000001 //command for CodeInfo: 0 - apply, 1 - remove the patch
//status for CodeInfo: after CodeInfo ^ before CodeInfo ? success : failure
#define HOTP_PATCH_FAILURE 0x00800000 //intermediate flag
// One code replacement carried in SYSTEM_HOTPATCH_CODE_INFORMATION.CodeInfo.
// Per the names, TargetAddress is the location to patch, MappedAddress a
// view of the hotpatch image, and the *Offset/*Size pairs locate the new
// code, the original bytes and the validation bytes — presumably as offsets
// into the surrounding information buffer. Confirm against the consumer.
// NOTE(review): these offsets and sizes arrive from the caller of the system
// service and must be bounds-checked against InfoSize before use.
typedef struct _HOTPATCH_HOOK_DESCRIPTOR {
    ULONG_PTR TargetAddress;
    LPVOID MappedAddress;
    DWORD CodeOffset;
    DWORD CodeSize;
    DWORD OrigCodeOffset;
    DWORD ValidationOffset;
    DWORD ValidationSize;
} HOTPATCH_HOOK_DESCRIPTOR, *PHOTPATCH_HOOK_DESCRIPTOR;
//typedef struct _IO_STATUS_BLOCK {
// union {
// LONG Status;
// PVOID Pointer;
// };
// ULONG_PTR Information;
//} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
// Rename request referenced (as PVOID) from the RenameInfo arm below.
// FileName is variable length; the [1] declaration is the usual pre-C99
// stand-in for a flexible array member and FileNameLength presumably gives
// its length in bytes, as is conventional for this structure — confirm.
// NOTE(review): the same tag/typedef names exist in the driver-kit headers;
// including both in one translation unit would be a redefinition.
typedef struct _FILE_RENAME_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE RootDirectory;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
// Buffer exchanged through SystemHotpatchInformation (and, per the comments
// above, LdrHotPatchRoutine). Flags is a combination of the HOTP_* values
// and determines which arm of the anonymous union is in use. InfoSize is
// presumably the total size of the buffer including any variable-length
// tail (descriptor array, names) and the *Offset members are presumably
// relative to the start of this structure — confirm against the consumer.
// NOTE(review): everything in here is supplied by the caller of the system
// service. A consumer must check InfoSize against sizeof this structure and
// keep DescriptorsCount, every NameOffset/NameLegth pair and every
// HOTPATCH_HOOK_DESCRIPTOR offset/size inside InfoSize before touching the
// data. The misspelled members (NameLegth, TargetNameLegth) are left as-is
// because callers reference them by name.
typedef struct _SYSTEM_HOTPATCH_CODE_INFORMATION {
    DWORD Flags;
    DWORD InfoSize;
    union {
        // No HOTP_USE_MODULE/HOTP_KERNEL_MODULE/HOTP_INJECT_THREAD flag:
        // the patch is given as explicit code descriptors.
        struct {
            DWORD DescriptorsCount;
            HOTPATCH_HOOK_DESCRIPTOR CodeDescriptors[1]; // DescriptorsCount entries; [1] is the pre-C99 flexible-array idiom
        } CodeInfo;
        // HOTP_KERNEL_MODULE: name of the patch module (offset/length pair).
        struct {
            WORD NameOffset;
            WORD NameLegth;
        } KernelInfo;
        // HOTP_USE_MODULE via LdrHotPatchRoutine: patch and target names.
        struct {
            WORD NameOffset;
            WORD NameLegth;
            WORD TargetNameOffset;
            WORD TargetNameLegth;
            BOOLEAN PatchingFinished;
        } UserModeInfo;
        // HOTP_INJECT_THREAD: as UserModeInfo plus the process to inject into
        // and the result reported back.
        struct {
            WORD NameOffset;
            WORD NameLegth;
            WORD TargetNameOffset;
            WORD TargetNameLegth;
            BOOLEAN PatchingFinished;
            DWORD ReturnCode;
            HANDLE TargetProcess;
        } InjectionInfo;
        // HOTP_RENAME_FILES: two file renames (see FILE_RENAME_INFORMATION).
        struct {
            HANDLE FileHandle1;
            PIO_STATUS_BLOCK IoStatusBlock1;
            PVOID /*PFILE_RENAME_INFORMATION*/ RenameInformation1;
            DWORD RenameInformationLength1;
            HANDLE FileHandle2;
            PIO_STATUS_BLOCK IoStatusBlock2;
            PVOID /*PFILE_RENAME_INFORMATION*/ RenameInformation2;
            DWORD RenameInformationLength2;
        } RenameInfo;
        // HOTP_UPDATE_KNOWNDLL: swap two objects under one parent directory.
        struct {
            HANDLE ParentDirectory;
            HANDLE ObjectHandle1;
            HANDLE ObjectHandle2;
        } AtomicSwap;
    };
} SYSTEM_HOTPATCH_CODE_INFORMATION, *PSYSTEM_HOTPATCH_CODE_INFORMATION;
#define PATCHFLAG_COLDPATCH_VALID 0x00010000
#include <Winternl.h>
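// Per-patch bookkeeping record, presumably maintained by the loader (the
// RTL_ prefix and the LDR_DATA_TABLE_ENTRY members point at ntdll). The
// trailing //N comments are the original author's byte offsets; they only
// add up for a 32-bit (x86) layout, where LIST_ENTRY is 8 bytes and every
// pointer is 4 — they do not hold on 64-bit.
typedef struct _RTL_PATCH_HEADER {
    LIST_ENTRY PatchList;
    HMODULE PatchImageBase; //8
    struct _RTL_PATCH_HEADER * NextPatch; //12
    ULONG PatchFlags; // presumably PATCHFLAG_* bits (PATCHFLAG_COLDPATCH_VALID above)
    LONG PatchRefCount;
    PHOTPATCH_HEADER HotpatchHeader;
    UNICODE_STRING TargetDllName; //28
    HMODULE TargetDllBase; //36
    PLDR_DATA_TABLE_ENTRY TargetLdrDataTableEntry; //40
    PLDR_DATA_TABLE_ENTRY PatchLdrDataTableEntry; //44
    PSYSTEM_HOTPATCH_CODE_INFORMATION CodeInfo; //48
} RTL_PATCH_HEADER, *PRTL_PATCH_HEADER;

// Closes the include guard opened at the top of the file. The guard name is
// kept as a comment: a bare token after #endif is non-conforming and draws
// "extra tokens at end of #endif directive" from GCC/Clang and C4067 from MSVC.
#endif /* HOTPATCH_H */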