various cosmetic changes to please the code analyzer

EDRSandblast/Utils/KernelMemoryPrimitives.c

@@ -65,5 +65,6 @@ WriteKernelMemoryType(DWORD);
 WriteKernelMemoryType(DWORD64);
 
 BOOL TestReadPrimitive() {
-    return ReadKernelMemoryWORD(0) == *(WORD*)"MZ";
+    WORD startWord = ReadKernelMemoryWORD(0);
+    return ((startWord & 0xFF) == 'M') && ((startWord >> 8) == 'Z');
 }

EDRSandblast/Utils/PEParser.c

@@ -155,19 +155,19 @@ VOID PE_rebasePE(PE* pe, LPVOID newBaseAddress)
     assert(pe->relocations != NULL);
     PVOID oldBaseAddress = pe->baseAddress;
     pe->baseAddress = newBaseAddress;
+    intptr_t relativeOffset = ((intptr_t)newBaseAddress) - ((intptr_t)oldBaseAddress);
     for (DWORD i = 0; i < pe->nbRelocations; i++) {
         switch (pe->relocations[i].Type) {
         case IMAGE_REL_BASED_ABSOLUTE:
             break;
         case IMAGE_REL_BASED_HIGHLOW:
             relocDwAddress = (DWORD*)PE_RVA_to_Addr(pe, pe->relocations[i].RVA);
-            intptr_t relativeOffset = ((intptr_t)newBaseAddress) - ((intptr_t)oldBaseAddress);
             assert(relativeOffset <= MAXDWORD);
             *relocDwAddress += (DWORD)relativeOffset;
             break;
         case IMAGE_REL_BASED_DIR64:
             relocQwAddress = (QWORD*)PE_RVA_to_Addr(pe, pe->relocations[i].RVA);
-            *relocQwAddress += ((intptr_t)newBaseAddress) - ((intptr_t)oldBaseAddress);
+            *relocQwAddress += (QWORD)relativeOffset;
             break;
         default:
             printf_or_not("Unsupported relocation : 0x%x\nExiting...\n", pe->relocations[i].Type);

EDRSandblast/Utils/PdbParser.c

@@ -32,24 +32,30 @@ typedef struct PdbInfoStreamHeader_t {
 
 PVOID extractGuidFromPdb(LPWSTR filepath) {
 	GUID* guid = NULL;
+	HANDLE hMapping = NULL;
+	PBYTE filemap = NULL;
+	DWORD* StreamDirectory = NULL;
+	DWORD** StreamBlocks = NULL;
+	DWORD NumStreams = 0;
+
     HANDLE hFile = CreateFileW(filepath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 	if (hFile == INVALID_HANDLE_VALUE) {
 		return NULL;
 	}
-    HANDLE hMapping = CreateFileMappingW(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
+    hMapping = CreateFileMappingW(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
 	if (hMapping == NULL) {
-		goto clean_file;
+		goto clean;
 	}
-    PBYTE filemap = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
+    filemap = MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0);
 	if (filemap == NULL) {
-		goto clean_mapping;
+		goto clean;
 	}
 	SuperBlock* superblock = (SuperBlock*)filemap;
 	DWORD blockSize = superblock->BlockSize;
 	DWORD* StreamDirectoryBlockMap = (DWORD*)(filemap + (ULONG_PTR)superblock->BlockMapAddr * blockSize);
-	DWORD* StreamDirectory = calloc(superblock->NumDirectoryBytes, 1);
+	StreamDirectory = calloc(superblock->NumDirectoryBytes, 1);
 	if (StreamDirectory == NULL) {
-		goto clean_viewoffile;
+		goto clean;
 	}
 	DWORD StreamDirectoryBlockIndex = 0;
 	DWORD StreamDirectoryRemainingSize = superblock->NumDirectoryBytes;
@@ -62,18 +68,19 @@ PVOID extractGuidFromPdb(LPWSTR filepath) {
 		StreamDirectoryBlockIndex++;
 		StreamDirectoryRemainingSize -= SizeToCopy;
 	}
-	DWORD NumStreams = StreamDirectory[0];
+	NumStreams = StreamDirectory[0];
 	if (NumStreams < 2) {
-		goto clean_StreamDirectory;
+		NumStreams = 0;
+		goto clean;
 	}
-	DWORD** StreamBlocks = calloc(NumStreams, sizeof(DWORD*));
+	StreamBlocks = calloc(NumStreams, sizeof(DWORD*));
 	if (StreamBlocks == NULL) {
-		goto clean_StreamDirectory;
+		goto clean;
 	}
 	DWORD* StreamBlocksFlat = &StreamDirectory[1 + NumStreams];
 	DWORD i = 0;
 	if ((1 + NumStreams) >= superblock->NumDirectoryBytes / 4) {
-		goto clean_StreamBlocks;
+		goto clean;
 	}
 	for (DWORD stream_i = 0; stream_i < NumStreams; stream_i++) {
 		DWORD StreamSize = StreamDirectory[1 + stream_i];
@@ -81,7 +88,7 @@ PVOID extractGuidFromPdb(LPWSTR filepath) {
 		while (StreamBlockCount * blockSize < StreamSize) {
 			PVOID tmp = realloc(StreamBlocks[stream_i], ((SIZE_T)StreamBlockCount + 1) * sizeof(DWORD));
 			if (tmp == NULL) {
-				goto clean_StreamBlocks;
+				goto clean;
 			}
 			StreamBlocks[stream_i] = tmp;
 			StreamBlocks[stream_i][StreamBlockCount] = StreamBlocksFlat[i];
@@ -91,27 +98,37 @@ PVOID extractGuidFromPdb(LPWSTR filepath) {
 	}
 	DWORD PdbInfoStreamSize = StreamDirectory[1 + 1];
 	if (PdbInfoStreamSize == 0) {
-		goto clean_StreamBlocks;
+		goto clean;
 	}
 	PdbInfoStreamHeader* PdbInfoStream = (PdbInfoStreamHeader*)(filemap + (ULONG_PTR)StreamBlocks[1][0] * blockSize);
 	guid = calloc(1, sizeof(GUID));
 	if (guid == NULL) {
-		goto clean_StreamBlocks;
+		goto clean;
 	}
 	memcpy(guid, &PdbInfoStream->UniqueId, sizeof(GUID));
-clean_StreamBlocks:
-	for (DWORD stream_i = 0; stream_i < NumStreams; stream_i++) {
-		free(StreamBlocks[stream_i]);
+clean:
+	if (StreamBlocks) {
+		for (DWORD stream_i = 0; stream_i < NumStreams; stream_i++) {
+#pragma warning(disable : 6001) //compiler analysis is wrong for some reason (or maybe I am)
+			if (StreamBlocks[stream_i]) {
+#pragma warning(default: 6001)
+				free(StreamBlocks[stream_i]);
+			}
+		}
+		free(StreamBlocks);
+	}
+	if (StreamDirectory) {
+		free(StreamDirectory);
+	}
+	if (filemap) {
+		UnmapViewOfFile(filemap);
+	}
+	if (hMapping != NULL) {
+		CloseHandle(hMapping);
+	}
+	if (hFile != INVALID_HANDLE_VALUE) {
+		CloseHandle(hFile);
 	}
-	free(StreamBlocks);
-clean_StreamDirectory:
-	free(StreamDirectory);
-clean_viewoffile:
-	UnmapViewOfFile(filemap);
-clean_mapping:
-	CloseHandle(hMapping);
-clean_file:
-	CloseHandle(hFile);
 	return guid;
 }
 

EDRSandblast/Utils/ProcessDump.c

@@ -55,8 +55,8 @@ DWORD WINAPI dumpProcess(LPTSTR processName, TCHAR* outputDumpFile) {
     // Retrieve information about the first process,
     // and exit if unsuccessful
     if (!Process32First(hProcessSnap, &pe32)) {
-        _tprintf_or_not(TEXT("[!] %s dump failed: obtained invalid process handle\n"), processName); // show cause of failure
-        CloseHandle(hProcessSnap);          // clean the snapshot object
+        _tprintf_or_not(TEXT("[!] %s dump failed: obtained invalid process handle\n"), processName);
+        CloseHandle(hProcessSnap);
         return 1;
     }
 
@@ -64,7 +64,13 @@ DWORD WINAPI dumpProcess(LPTSTR processName, TCHAR* outputDumpFile) {
     //PE* dbghelpPe = PE_create(hDbghelp, TRUE);
     //_MiniDumpWriteDump MiniDumpWriteDumpFunc = (_MiniDumpWriteDump) PE_functionAddr(dbghelpPe, "MiniDumpWriteDump");
 
-    _MiniDumpWriteDump MiniDumpWriteDumpFunc = (_MiniDumpWriteDump) GetProcAddress(LoadLibrary(TEXT("dbghelp.dll")), "MiniDumpWriteDump");
+    HANDLE hDbghelp = LoadLibrary(TEXT("dbghelp.dll"));
+    if (hDbghelp == NULL) {
+        _tprintf_or_not(TEXT("[!] %s dump failed: could not load dbghelp.dll\n"), processName);
+        CloseHandle(hProcessSnap);
+        return 1;
+    }
+    _MiniDumpWriteDump MiniDumpWriteDumpFunc = (_MiniDumpWriteDump) GetProcAddress(hDbghelp, "MiniDumpWriteDump");
 
     // Now walk the snapshot of processes, and look for the specified process.
     do {

EDRSandblast/Utils/SW2_Syscalls.c

@@ -56,7 +56,7 @@ BOOL SW2_PopulateSyscallList(void)
     PSW2_SYSCALL_ENTRY Entries = SW2_SyscallList.Entries;
     for (DWORD nameOrdinal = 0; nameOrdinal < ntdll->exportedNamesLength; nameOrdinal++) {
         LPCSTR functionName = PE_RVA_to_Addr(ntdll, ntdll->exportedNames[nameOrdinal]);
-        if (*(WORD*)functionName == *((WORD*)"Zw")) {
+        if ((functionName[0] == 'Z') && (functionName[1] == 'w')) {
             Entries[i].Hash = SW2_HashSyscall(functionName);
             Entries[i].RVA = PE_functionRVA(ntdll, functionName);
             i++;