Enable the SE_DEBUG_NAME privilege
BeneficialCode committed Jan 3, 2025
1 parent aaf1060 commit 11fd323
Showing 5 changed files with 54 additions and 16 deletions.
15 changes: 9 additions & 6 deletions PdbParser/SymbolHandler.cpp
Expand Up @@ -71,10 +71,8 @@ SymbolHandler::~SymbolHandler() {
::CloseHandle(m_hProcess);
}

ULONG64 SymbolHandler::LoadSymbolsForModule(PCSTR moduleName,DWORD64 baseAddress,DWORD dllSize) {
_address = SymLoadModule64(m_hProcess, nullptr, moduleName, moduleName, baseAddress, dllSize);
if (_address == 0)
_address = SymLoadModuleEx(m_hProcess, nullptr, moduleName, nullptr, baseAddress, dllSize, nullptr, 0);
ULONG64 SymbolHandler::LoadSymbolsForModule(PCSTR imageName, PCSTR moduleName, DWORD64 baseAddress,DWORD dllSize) {
_address = SymLoadModuleEx(m_hProcess, nullptr, imageName, nullptr, baseAddress, dllSize, nullptr, 0);
return _address;
}

Expand Down Expand Up @@ -152,7 +150,7 @@ DWORD64 SymbolHandler::LoadKernelModule(DWORD64 address) {
fullpath.Replace("\\SystemRoot\\", "%SystemRoot%\\");
if (fullpath.Mid(1, 2) == "??")
fullpath = fullpath.Mid(4);
return LoadSymbolsForModule(fullpath, (DWORD64)module.ImageBase);
return LoadSymbolsForModule(fullpath, nullptr, (DWORD64)module.ImageBase);
}
}

Expand Down Expand Up @@ -245,7 +243,12 @@ IMAGEHLP_MODULE SymbolHandler::GetModuleInfo(DWORD64 address) {
ULONG_PTR SymbolHandler::GetSymbolAddressFromName(PCSTR name) {
auto symbol = std::make_unique<ImagehlpSymbol>();
auto info = symbol->GetSymbolInfo();
::SymGetSymFromName(m_hProcess, name, info);
BOOL success = ::SymGetSymFromName64(m_hProcess, name, info);
if (!success) {
DWORD error = ::GetLastError();
std::string value = to_string(error);
OutputDebugStringA(value.c_str());
}
return info->Address;
}

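Review bot: In GetSymbolAddressFromName, when SymGetSymFromName64 fails the function logs the error code but still falls through to `return info->Address;`, so the caller receives whatever the ImagehlpSymbol buffer held rather than a defined failure value; the callers in SymbolHelper test for 0, which only works if that buffer is guaranteed zeroed (not visible here). Returning explicitly on failure pins the contract and gives the debug line some context: `if (!success) { OutputDebugStringA(("SymGetSymFromName64 failed: " + std::to_string(::GetLastError())).c_str()); return 0; }`. The bare `to_string(error)` relies on an unqualified lookup that only resolves with a using-directive in scope; `std::to_string` is the safer spelling. In the first hunk the new `moduleName` parameter of LoadSymbolsForModule is never read — SymLoadModuleEx still receives nullptr for its ModuleName argument — so either forward it or drop it from the signature in SymbolHandler.h.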
2 changes: 1 addition & 1 deletion PdbParser/SymbolHandler.h
Expand Up @@ -187,7 +187,7 @@ class SymbolHandler final{
~SymbolHandler();

HANDLE GetHandle() const;
ULONG64 LoadSymbolsForModule(PCSTR moduleName, DWORD64 baseAddress = 0, DWORD dllSize = 0);
ULONG64 LoadSymbolsForModule(PCSTR imageName,PCSTR moduleName, DWORD64 baseAddress = 0, DWORD dllSize = 0);

ULONG_PTR GetSymbolAddressFromName(PCSTR name);

32 changes: 23 additions & 9 deletions WinArk/SymbolHelper.cpp
Expand Up @@ -44,12 +44,17 @@ void SymbolHelper::Init() {
_win32kPdb = pdbFile;
_win32kModule = std::string(pdbName, 0, pdbName.find("."));

std::string moduleName = std::string(pdbName, 0, pdbName.find("."));


#ifdef _WIN64
_win32kBase = (DWORD64)win32kBase;
#else
_win32kBase = (DWORD32)win32kBase;
#endif

_win32k.LoadSymbolsForModule(_win32kPdb.c_str(), moduleName.c_str(), _win32kBase, _win32kSize);

void* kernelBase = Helpers::GetKernelBase();
size = Helpers::GetKernelImageSize();

Expand All @@ -66,6 +71,8 @@ void SymbolHelper::Init() {
#else
_kernelBase = (DWORD)kernelBase;
#endif
moduleName = std::string(pdbName, 0, pdbName.find("."));
_kernel.LoadSymbolsForModule(_kernelPdb.c_str(), moduleName.c_str(), _kernelBase, _kernelSize);

void* flgmgrBase = Helpers::GetKernelModuleBase("fltmgr.sys");
size = Helpers::GetKernelModuleImageSize("fltmgr.sys");
Expand All @@ -82,6 +89,8 @@ void SymbolHelper::Init() {
#else
_fltmgrBase = (DWORD)flgmgrBase;
#endif
moduleName = std::string(pdbName, 0, pdbName.find("."));
_fltmgr.LoadSymbolsForModule(_fltmgrPdb.c_str(), moduleName.c_str(), _fltmgrBase, _fltmgrSize);

void* ciBase = Helpers::GetKernelModuleBase("ci.dll");
size = Helpers::GetKernelModuleImageSize("ci.dll");
Expand All @@ -98,13 +107,8 @@ void SymbolHelper::Init() {
#else
_ciBase = (DWORD)ciBase;
#endif

_win32k.LoadSymbolsForModule(_win32kPdb.c_str(), _win32kBase, _win32kSize);
_kernel.LoadSymbolsForModule(_kernelPdb.c_str(), _kernelBase, _kernelSize);
_fltmgr.LoadSymbolsForModule(_fltmgrPdb.c_str(), _fltmgrBase, _fltmgrSize);
_ci.LoadSymbolsForModule(_ciPdb.c_str(), _ciBase, _ciSize);


moduleName = std::string(pdbName, 0, pdbName.find("."));
_ci.LoadSymbolsForModule(_ciPdb.c_str(), moduleName.c_str(), _ciBase, _ciSize);
}

std::unique_ptr<SymbolInfo> SymbolHelper::GetSymbolFromAddress(DWORD64 address, PDWORD64 offset) {
Expand All @@ -118,13 +122,23 @@ std::unique_ptr<SymbolInfo> SymbolHelper::GetSymbolFromAddress(DWORD64 address,
// https://blog.csdn.net/xiaoxinjiang/article/details/7013488
ULONG64 SymbolHelper::GetKernelSymbolAddressFromName(PCSTR name) {
std::string symbolName = _kernelModule + "!" + name;
return _kernel.GetSymbolAddressFromName(symbolName.c_str());
ULONG64 addr = _kernel.GetSymbolAddressFromName(symbolName.c_str());
if (addr == 0) {
OutputDebugStringA(symbolName.c_str());
abort();
}
return addr;
}

ULONG64 SymbolHelper::GetWin32kSymbolAddressFromName(PCSTR name) {
// https://stackoverflow.com/questions/4867159/how-do-you-use-symloadmoduleex-to-load-a-pdb-file
std::string symbolName = _win32kModule + "!" + name;
return _win32k.GetSymbolAddressFromName(symbolName.c_str());
ULONG64 addr = _win32k.GetSymbolAddressFromName(symbolName.c_str());
if (addr == 0) {
OutputDebugStringA(symbolName.c_str());
abort();
}
return addr;
}

DWORD SymbolHelper::GetKernelStructMemberOffset(std::string name, std::string memberName) {
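Review bot: GetKernelSymbolAddressFromName and GetWin32kSymbolAddressFromName now call `abort()` when a symbol resolves to 0, so a single name missing from the loaded PDB, whatever the cause, terminates the whole process with nothing but a debug-output line to explain it. Reporting the failure to the caller instead — an exception carrying `symbolName`, or keeping the previous `return 0` contract that these very functions already check — preserves the diagnostic and lets the UI surface it rather than crashing a tool that is typically run to inspect a live system. In Init, `moduleName` in the first hunk is built from the same expression as `_win32kModule` two lines above, and the later reassignments appear to duplicate `_kernelModule` (used in GetKernelSymbolAddressFromName); passing the members' `.c_str()` would remove the repeated substring computation, and the stacked blank lines after the first assignment can go. Whether the module name passed here has any effect depends on LoadSymbolsForModule in SymbolHandler.cpp, which in this commit does not forward it to SymLoadModuleEx.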
20 changes: 20 additions & 0 deletions WinArk/WinArk.cpp
Expand Up @@ -99,6 +99,24 @@ bool RemoveNotifyIcon() {
return Shell_NotifyIcon(NIM_DELETE, &notifyIcon);
}

bool EnableDebugPrivilege() {
HANDLE hToken;
if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
return false;

TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!::LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
return false;

auto success = ::AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), nullptr, nullptr);
auto error = ::GetLastError();
::CloseHandle(hToken);

return success && error == ERROR_SUCCESS;
}

int Run(LPTSTR lpstrCmdLine = nullptr, int nCmdShow = SW_SHOWDEFAULT) {
CMessageLoop theLoop;
_Module.AddMessageLoop(&theLoop);
Expand Down Expand Up @@ -237,6 +255,8 @@ int WINAPI _tWinMain(HINSTANCE hInstance, HINSTANCE /*hPrevInstance*/, LPTSTR lp

SecurityHelper::EnablePrivilege(SE_SYSTEM_ENVIRONMENT_NAME, true);

EnableDebugPrivilege();

if (CheckInstall(lpstrCmdLine))
return 0;

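Review bot: EnableDebugPrivilege leaks `hToken` on the LookupPrivilegeValue failure path — the handle from OpenProcessToken is returned past without CloseHandle. Since the LUID lookup does not need the token, the cleanest fix is to move the `TOKEN_PRIVILEGES tp;` setup and the `LookupPrivilegeValue` check above `OpenProcessToken`; alternatively add `::CloseHandle(hToken);` before that `return false;`. In _tWinMain the result of `EnableDebugPrivilege();` is discarded, so a run without the privilege continues silently and only fails later in the code that depends on SeDebugPrivilege; at minimum log the failure, and consider whether the SecurityHelper::EnablePrivilege call on the line above (whose body is not visible here) already does the same token adjustment and could simply take SE_DEBUG_NAME instead of a second implementation. The success test is correct but subtle enough to deserve a comment such as `// AdjustTokenPrivileges can return TRUE with ERROR_NOT_ALL_ASSIGNED; read GetLastError before CloseHandle`.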
1 change: 1 addition & 0 deletions WinArk/WinArk.vcxproj
Expand Up @@ -47,6 +47,7 @@
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>false</WholeProgramOptimization>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
