various cosmetic changes to please the code analyzer

This commit is contained in:
Maxime Meignan
2022-09-23 17:50:52 +02:00
parent 09dc67bc65
commit 15c3b706f1
10 changed files with 84 additions and 48 deletions
@@ -166,6 +166,10 @@ NTSTATUS EnumEDRServices(fwBlockingRulesList* sFWEntries) {
_tprintf_or_not(TEXT("[!] Could not enumerate EDR services (EnumServicesStatusEx failed: 0x%08lx)\n"), dwError);
goto cleanup;
}
if (dwByteCount * sizeof(BYTE) < lpServicesCount * sizeof(ENUM_SERVICE_STATUS_PROCESS)) {
_putts(TEXT("[!] Could not enumerate EDR services (problem in allocation)"));
goto cleanup;
}
for (DWORD dwIndex = 0; dwIndex < lpServicesCount; dwIndex++) {
dwByteCount = 0;
+6 -3
@@ -65,7 +65,7 @@ SYSCALL* GetSyscallTable(PDWORD syscallTableSize) {
// Store all Zw* function as a syscall
for (DWORD nameOrdinal = 0; nameOrdinal < ntdll_mem->exportedNamesLength; nameOrdinal++) {
LPCSTR functionName = PE_RVA_to_Addr(ntdll_mem, ntdll_mem->exportedNames[nameOrdinal]);
if (*(WORD*)functionName == *((WORD*)"Zw")) {
if (functionName[0]=='Z' && functionName[1] == 'w') {
if (g_nbSyscalls == g_nbSyscallsMax) {
g_nbSyscallsMax *= 2;
PVOID tmp = realloc(g_syscalls, g_nbSyscallsMax * sizeof(SYSCALL));
@@ -91,7 +91,9 @@ SYSCALL* GetSyscallTable(PDWORD syscallTableSize) {
// Deduce the syscall numbers from order in table
for (DWORD j = 0; j < g_nbSyscalls; j++) {
#pragma warning(disable : 6386) //compiler analysis is wrong for some reason (or maybe I am)
g_syscalls[j].Number = j;
#pragma warning(disable : 6386)
}
// Sort the function back in alphabetical order
qsort(g_syscalls, g_nbSyscalls, sizeof(SYSCALL), CmpSyscallsByName);
@@ -138,8 +140,9 @@ DWORD GetSyscallNumberFromExportOrdering(LPCSTR ntFunctionName) {
if (zwFunctionName == NULL) {
return INVALID_SYSCALL_NUMBER;
}
*(WORD*)zwFunctionName = *(WORD*)"Zw";
zwFunctionName[0] = 'Z';
zwFunctionName[1] = 'w';
DWORD down = 0;
DWORD up = syscallTableSize;
while (up - down > 1) {
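Review bot: The second `#pragma warning(disable : 6386)` after `g_syscalls[j].Number = j;` (hunk at -91) repeats the disable instead of restoring the warning, so C6386 (write overrun) stays suppressed for the rest of the translation unit, including the `qsort` call and everything below it. If the intent is to silence it only for that one store, bracket the loop with `#pragma warning(push)` / `#pragma warning(disable : 6386)` before it and `#pragma warning(pop)` after it. The accompanying comment should also say why the analyzer's complaint is believed wrong: the realloc in the hunk at -65 grows the table to `g_nbSyscallsMax` entries whenever `g_nbSyscalls == g_nbSyscallsMax`, so the index `j < g_nbSyscalls` cannot exceed the allocation, e.g. `// C6386 false positive: g_syscalls always holds g_nbSyscallsMax >= g_nbSyscalls entries (see growth above)`. A file-wide suppression of a buffer-overrun warning defeats the check rather than satisfying it. The body of GetSyscallTable continues outside these hunks.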
+10 -7
@@ -186,10 +186,12 @@ PVOID searchTrampolineInExecutableMemory(PVOID pattern, size_t patternSize, PVOI
return NULL;
}
VOID unhook(HOOK* hook, UNHOOK_METHOD unhook_method) {
/*
* Returns TRUE iff the hook has been successfully removed
*/
BOOL _Check_return_ unhook(_In_ HOOK* hook, UNHOOK_METHOD unhook_method) {
if (unhook_method == UNHOOK_NONE) {
return;
return FALSE;
}
const WCHAR* ntdlolFileName = L".\\ntdlol.txt";
@@ -241,12 +243,12 @@ VOID unhook(HOOK* hook, UNHOOK_METHOD unhook_method) {
unmonitoredNtProtectVirtualMemory = (pNtProtectVirtualMemory)CreateSyscallStubWithVirtuallAlloc("NtProtectVirtualMemory");
if (unmonitoredNtProtectVirtualMemory == NULL) {
printf_or_not("Something wrong happened with CreateSyscallStubWithVirtuallAlloc, aborting...\n");
exit(EXIT_FAILURE);
return FALSE;
}
break;
default:
printf_or_not("Unhook method does not exist, exiting...\n");
exit(EXIT_FAILURE);
return FALSE;
break;
}
@@ -263,7 +265,7 @@ VOID unhook(HOOK* hook, UNHOOK_METHOD unhook_method) {
);
if (!NT_SUCCESS(status)) {
debugf("unmonitoredNtProtectVirtualMemory 1 failed with status 0x%08x\n", status);
exit(1);
return FALSE;
}
for (size_t i = 0; i < patch.size; i++) {
@@ -279,7 +281,7 @@ VOID unhook(HOOK* hook, UNHOOK_METHOD unhook_method) {
);
if (!NT_SUCCESS(status)) {
debugf("unmonitoredNtProtectVirtualMemory 2 failed with status 0x%08x\n", status);
exit(1);
return FALSE;
}
switch (unhook_method) {
@@ -291,6 +293,7 @@ VOID unhook(HOOK* hook, UNHOOK_METHOD unhook_method) {
break;
}
return TRUE;
}
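Review bot: In the hunk at -279, replacing `exit(1)` with `return FALSE` after the second `unmonitoredNtProtectVirtualMemory` failure lets the process continue with the target page left in the protection set by the first call, since the patch loop `for (size_t i = 0; i < patch.size; i++)` has already written into it by then; the old code terminated instead, so this is a behaviour change the commit title ("cosmetic") does not advertise. The new `_Check_return_` annotation only helps if every caller actually tests the result, and none of the callers are in this section, so they are worth confirming. The header comment added above the new signature should state the partial-failure contract, e.g. `* Returns TRUE iff the hook has been successfully removed. A FALSE return after the patch was written means the page protection may not have been restored; callers should treat it as fatal.`. The `break;` left after `return FALSE;` in the `default:` arm (hunk at -241) is now unreachable and is the kind of thing the analyzer will flag next. The body of unhook spans several hunks here and parts of it lie outside them.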