Try to discover LdrpInvertedFunctionTableSRWLock

capemon.c

@@ -506,6 +506,9 @@ extern void ignored_threads_init(void);
 extern CRITICAL_SECTION readfile_critsec, g_mutex, g_writing_log_buffer_mutex;
 BOOLEAN g_dll_main_complete;
 OSVERSIONINFOA g_osverinfo;
+int g_discover_LdrpInvertedFunctionTableSRWLock = 0;
+PSRWLOCK g_LdrpInvertedFunctionTableSRWLock = NULL;
+CRITICAL_SECTION g_discover_LdrpInvertedFunctionTableSRWLock_critsec;
 
 BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
 {
@@ -519,6 +522,8 @@ BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
 		DWORD pids[MAX_PROTECTED_PIDS];
 		unsigned int length = sizeof(pids);
 
+		InitializeCriticalSection(&g_discover_LdrpInvertedFunctionTableSRWLock_critsec);
+
 		/* we can sometimes be injected twice into a process, say if we queued up an APC that we timed out waiting to
 		   complete, and then did a successful createremotethread, so just do a cheap check for our hooks and fake that
 		   we loaded successfully
@@ -640,6 +645,26 @@ BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
 		}
 #endif
 
+		EnterCriticalSection(&g_discover_LdrpInvertedFunctionTableSRWLock_critsec);
+		if (!g_LdrpInvertedFunctionTableSRWLock) {
+			DebugOutput("Discovering LdrpInvertedFunctionTableSRWLock");
+
+			RUNTIME_FUNCTION rf;
+
+			memset(&rf, 0, sizeof(rf));
+			rf.BeginAddress = 0x100;
+			rf.EndAddress = 0x101;
+
+			g_discover_LdrpInvertedFunctionTableSRWLock = 1;
+			BOOL const res = RtlAddFunctionTable(&rf, 1, 0x100);
+
+			if (g_LdrpInvertedFunctionTableSRWLock)
+				DebugOutput("LdrpInvertedFunctionTableSRWLock discovered at 0x%p", g_LdrpInvertedFunctionTableSRWLock);
+			else
+				DebugOutput("no LdrpInvertedFunctionTableSRWLock discovered");
+		}
+		LeaveCriticalSection(&g_discover_LdrpInvertedFunctionTableSRWLock_critsec);
+
 		notify_successful_load();
 	}
 	else if(dwReason == DLL_PROCESS_DETACH) {

hook_special.c

@@ -39,6 +39,38 @@ static int bits_sent = 0;
 static int tasksched_sent = 0;
 static int interop_sent = 0;
 
+extern int g_discover_LdrpInvertedFunctionTableSRWLock;
+extern PSRWLOCK g_LdrpInvertedFunctionTableSRWLock;
+extern CRITICAL_SECTION g_discover_LdrpInvertedFunctionTableSRWLock_critsec;
+
+HOOKDEF(void, WINAPI, AcquireSRWLockExclusive,
+	__in PSRWLOCK SRWLock
+)
+{
+	EnterCriticalSection(&g_discover_LdrpInvertedFunctionTableSRWLock_critsec);
+	if (g_discover_LdrpInvertedFunctionTableSRWLock == 1) {
+		g_LdrpInvertedFunctionTableSRWLock = SRWLock;
+		g_discover_LdrpInvertedFunctionTableSRWLock = 0;
+	}
+	LeaveCriticalSection(&g_discover_LdrpInvertedFunctionTableSRWLock_critsec);
+
+	Old_AcquireSRWLockExclusive(SRWLock);
+}
+
+HOOKDEF(void, WINAPI, AcquireSRWLockShared,
+	__in PSRWLOCK SRWLock
+)
+{
+	EnterCriticalSection(&g_discover_LdrpInvertedFunctionTableSRWLock_critsec);
+	if (g_discover_LdrpInvertedFunctionTableSRWLock == 1) {
+		g_LdrpInvertedFunctionTableSRWLock = SRWLock;
+		g_discover_LdrpInvertedFunctionTableSRWLock = 0;
+	}
+	LeaveCriticalSection(&g_discover_LdrpInvertedFunctionTableSRWLock_critsec);
+
+	Old_AcquireSRWLockShared(SRWLock);
+}
+
 HOOKDEF_NOTAIL(WINAPI, LdrLoadDll,
 	__in_opt	PWCHAR PathToFile,
 	__in_opt	PULONG Flags,

hooking.c

@@ -252,13 +252,26 @@ static hook_info_t tmphookinfo;
 DWORD tmphookinfo_threadid;
 FILETIME ft;
 
+extern PSRWLOCK g_LdrpInvertedFunctionTableSRWLock;
+extern int g_discover_LdrpInvertedFunctionTableSRWLock;
+
 // returns 1 if we should call our hook, 0 if we should call the original function instead
 // on x86 this is actually: hook, esp, ebp
 // on x64 this is actually: hook, rsp, rip of hook (for unwind-based stack walking)
 int WINAPI enter_hook(hook_t *h, ULONG_PTR sp, ULONG_PTR ebp_or_rip)
 {
 	hook_info_t *hookinfo;
 
+	if (g_discover_LdrpInvertedFunctionTableSRWLock) {
+		if (h->new_func == &New_AcquireSRWLockShared || h->new_func == &New_AcquireSRWLockExclusive)
+			return 1;
+
+		return 0;
+	}
+
+	if (!g_LdrpInvertedFunctionTableSRWLock)
+		return 0;
+
 	if (h->fully_emulate)
 		return 1;
 

hooking_64.c

@@ -1073,6 +1073,9 @@ int hook_api(hook_t *h, int type)
 	return ret;
 }
 
+extern PSRWLOCK g_LdrpInvertedFunctionTableSRWLock;
+extern int g_discover_LdrpInvertedFunctionTableSRWLock;
+
 static unsigned int our_stackwalk(ULONG_PTR _rip, ULONG_PTR sp, PVOID *backtrace, unsigned int count)
 {
 	/* derived from http://www.nynaeve.net/Code/StackWalk64.cpp */
@@ -1084,6 +1087,9 @@ static unsigned int our_stackwalk(ULONG_PTR _rip, ULONG_PTR sp, PVOID *backtrace
 	ULONG_PTR establisherframe;
 	unsigned int frame;
 
+	if (!g_LdrpInvertedFunctionTableSRWLock || !TryAcquireSRWLockShared(g_LdrpInvertedFunctionTableSRWLock))
+		return 0;
+
 	__try
 	{
 		RtlCaptureContext(&ctx);

hooks.c

@@ -184,6 +184,9 @@ hook_t full_hooks[] = {
 	HOOK_NOTAIL_ALT(kernelbase, MoveFileWithProgressTransactedW, 6),
 	HOOK_NOTAIL_ALT(kernel32, MoveFileWithProgressTransactedW, 6),
 
+	HOOK(kernel32, AcquireSRWLockExclusive),
+	HOOK(kernel32, AcquireSRWLockShared),
+
 	// File Hooks
 	HOOK(ntdll, NtQueryAttributesFile),
 	HOOK(ntdll, NtQueryFullAttributesFile),

hooks.h

@@ -22,6 +22,14 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #include "ntapi.h"
 #include <tlhelp32.h>
 
+HOOKDEF(void, WINAPI, AcquireSRWLockExclusive,
+	__in PSRWLOCK SRWLock
+);
+
+HOOKDEF(void, WINAPI, AcquireSRWLockShared,
+	__in PSRWLOCK SRWLock
+);
+
 //
 // File Hooks
 //