bug fixes

src/BlackBone/ManualMap/MExcept.h

@@ -57,6 +57,11 @@ class MExcept
     /// <returns>Status code</returns>
     BLACKBONE_API NTSTATUS RemoveVEH( bool partial );
 
+    /// <summary>
+    /// Reset data
+    /// </summary>
+    BLACKBONE_API  inline void reset() { _pModTable.Free(); }
+
 private:
     MExcept( const MExcept& ) = delete;
     MExcept& operator =(const MExcept&) = delete;

src/BlackBone/ManualMap/MMap.cpp

@@ -115,7 +115,9 @@ const ModuleData* MMap::MapImageInternal(
     auto mod = FindOrMapModule( path, buffer, size, asImage, flags );
     if (mod == nullptr)
     {
+        NTSTATUS tmp = LastNtStatus();
         Cleanup();
+        LastNtStatus( tmp );
         return nullptr;
     }
 
@@ -246,6 +248,7 @@ const ModuleData* MMap::FindOrMapModule(
     status = buffer ? pImage->peImage.Load( buffer, size, !asImage ) : pImage->peImage.Load( path, flags & NoSxS ? true : false );
     if (!NT_SUCCESS( status ))
     {
+        LastNtStatus( status );
         BLACBONE_TRACE( L"ManualMap: Failed to load image '%ls'/0x%p. Status 0x%X", path.c_str(), buffer, status );
         pImage->peImage.Release();
         return nullptr;
@@ -1214,7 +1217,8 @@ NTSTATUS MMap::AllocateInHighMem( MemBlock& imageMem, size_t size )
 /// <returns></returns>
 void MMap::Cleanup()
 {
-    _pAContext.Reset();
+    reset();
+    MExcept::reset();
     _process.remote().reset();
 }
 

src/BlackBone/Misc/DynImport.h

@@ -40,7 +40,7 @@ class DynImport
     /// <param name="...args">Function args</param>
     /// <returns>Function result or STATUS_ORDINAL_NOT_FOUND if import not found</returns>
     template<typename T, typename... Args>
-    inline static NTSTATUS safeNativeCall( const std::string& name, Args... args )
+    inline static NTSTATUS safeNativeCall( const std::string& name, Args&&... args )
     {
         auto pfn = DynImport::get<T>( name );
         return pfn ? pfn( std::forward<Args>( args )... ) : STATUS_ORDINAL_NOT_FOUND;
@@ -54,10 +54,10 @@ class DynImport
     /// <param name="...args">Function args</param>
     /// <returns>Function result or 0 if import not found</returns>
     template<typename T, typename... Args>
-    inline static auto safeCall( const std::string& name, Args... args ) -> typename std::result_of<T(Args...)>::type
+    inline static auto safeCall( const std::string& name, Args&&... args ) -> typename std::result_of<T(Args...)>::type
     {
         auto pfn = DynImport::get<T>( name );
-        return pfn ? pfn( std::forward<Args>( args )... ) : (std::result_of<T( Args... )>::type )(0);
+        return pfn ? pfn( std::forward<Args>( args )... ) : (std::result_of<T( Args... )>::type)(0);
     }
 
     /// <summary>

src/BlackBone/PE/PEImage.cpp

@@ -98,10 +98,20 @@ NTSTATUS PEImage::Load( void* pData, size_t size, bool plainData /*= true */ )
     return PrepareACTX();
 }
 
+/// <summary>
+/// Reload closed image
+/// </summary>
+/// <returns>Status code</returns>
+NTSTATUS PEImage::Reload()
+{
+    return Load( _imagePath );
+}
+
 /// <summary>
 /// Release mapping, if any
 /// </summary>
-void PEImage::Release()
+/// <param name="temporary">Preserve file paths for file reopening</param>
+void PEImage::Release( bool temporary /*= false*/ )
 {
     if (_hctx != INVALID_HANDLE_VALUE)
     {
@@ -131,13 +141,16 @@ void PEImage::Release()
     _pImageHdr32 = nullptr;
     _pImageHdr64 = nullptr;
 
-    _imagePath.clear();
+    if(!temporary)
+    {
+        _imagePath.clear();
 
-    // Ensure temporary file is deleted
-    if (_noFile)
-        DeleteFileW( _manifestPath.c_str() );
+        // Ensure temporary file is deleted
+        if (_noFile)
+            DeleteFileW( _manifestPath.c_str() );
 
-    _manifestPath.clear();
+        _manifestPath.clear();
+    }
 }
 
 /// <summary>

src/BlackBone/PE/PEImage.h

@@ -104,10 +104,17 @@ class PEImage
     /// <returns>Status code</returns>
     BLACKBONE_API NTSTATUS Load( void* pData, size_t size, bool plainData = true );
 
+    /// <summary>
+    /// Reload closed image
+    /// </summary>
+    /// <returns>Status code</returns>
+    BLACKBONE_API NTSTATUS Reload();
+
     /// <summary>
     /// Release mapping, if any
     /// </summary>
-    BLACKBONE_API void Release();
+    /// <param name="temporary">Preserve file paths for file reopening</param>
+    BLACKBONE_API void Release( bool temporary = false );
 
     /// <summary>
     /// Parses PE image

src/BlackBone/Process/ProcessModules.cpp

@@ -383,38 +383,32 @@ const ModuleData* ProcessModules::Inject( const std::wstring& path, NTSTATUS* pS
     UNICODE_STRING ustr = { 0 };
     auto modName = _memory.Allocate( 0x1000, PAGE_READWRITE );
 
-    ustr.Buffer = reinterpret_cast<PWSTR>(modName.ptr<size_t>() + sizeof(ustr));
-    ustr.Length = static_cast<USHORT>(path.size() * sizeof(wchar_t));
+    ustr.Buffer = reinterpret_cast<PWSTR>(modName.ptr<intptr_t>() + sizeof( ustr ));
+    ustr.Length = static_cast<USHORT>(path.size() * sizeof( wchar_t ));
     ustr.MaximumLength = ustr.Length;
 
     modName.Write( 0, ustr );
-    modName.Write( sizeof(ustr), path.size() * sizeof(wchar_t), path.c_str() );
+    modName.Write( sizeof( ustr ), path.size() * sizeof( wchar_t ), path.c_str() );
 
     // Image and process have same processor architecture
     bool sameArch = (img.mType() == mt_mod64 && _core.isWow64() == false) || (img.mType() == mt_mod32 && _core.isWow64() == true);
     auto pLoadLibrary = GetExport( GetModule( L"kernel32.dll", LdrList, img.mType() ), "LoadLibraryW" ).procAddress;
 
-    // Try to use LoadLibrary if possible
-    if (pLoadLibrary != 0 && sameArch)
-    {
-        _proc.remote().ExecDirect( pLoadLibrary, modName.ptr() + sizeof( ustr ) );
-    }
     // Can't generate code through WOW64 barrier
-    else if ((barrier.type != wow_32_64 && img.mType() == mt_mod64) ||
-              (barrier.type == wow_32_32 || barrier.type == wow_64_64) )
+    if ((barrier.type != wow_32_64 && img.mType() == mt_mod64) || (barrier.type == wow_32_32 || barrier.type == wow_64_64))
     {
         auto pLdrLoadDll = GetExport( GetModule( L"ntdll.dll", Sections, img.mType() ), "LdrLoadDll" ).procAddress;
         if (pLdrLoadDll == 0)
         {
             if (pStatus)
-                *pStatus = STATUS_NOT_FOUND;
+                *pStatus = STATUS_ORDINAL_NOT_FOUND;
 
             return nullptr;
         }
 
         // Patch LdrFindOrMapDll to enable kernel32.dll loading
         #ifdef USE64
-        if (!_ldrPatched && IsWindows7OrGreater( ) && !IsWindows8OrGreater( ))
+        if (!_ldrPatched && IsWindows7OrGreater() && !IsWindows8OrGreater())
         {
             uint8_t patch[] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
             auto patchBase = _proc.nativeLdr().LdrKernel32PatchAddress();
@@ -431,21 +425,21 @@ const ModuleData* ProcessModules::Inject( const std::wstring& path, NTSTATUS* pS
         }
         #endif
 
-        a.GenCall( (size_t)pLdrLoadDll, { 0, 0, modName.ptr<size_t>(), modName.ptr<size_t>() + 0x800 } );
+        a.GenCall( (intptr_t)pLdrLoadDll, { 0, 0, modName.ptr<intptr_t>(), modName.ptr<intptr_t>() + 0x800 } );
         a->ret();
 
         status = _proc.remote().ExecInNewThread( a->make(), a->getCodeSize(), res );
         if (NT_SUCCESS( status ))
             status = static_cast<NTSTATUS>(res);
     }
+    // Try to use LoadLibrary if possible
+    else if (pLoadLibrary != 0 && sameArch)
+        status = _proc.remote().ExecDirect( pLoadLibrary, modName.ptr() + sizeof( ustr ) );
 
     if (pStatus)
         *pStatus = status;
 
-    if (res == STATUS_SUCCESS)
-        return GetModule( path, LdrList, img.mType() );
-    else
-        return nullptr;
+    return (res == STATUS_SUCCESS) ? GetModule( path, LdrList, img.mType() ) : nullptr;
 }
 
 /// <summary>

src/BlackBone/Process/RPC/RemoteExec.cpp

@@ -418,7 +418,7 @@ NTSTATUS RemoteExec::CreateAPCEvent( DWORD threadID )
 
         wchar_t* szStringSecurityDis = L"S:(ML;;NW;;;LW)D:(A;;GA;;;S-1-15-2-1)(A;;GA;;;WD)";
         PSECURITY_DESCRIPTOR pDescriptor = nullptr;
-        BOOL res = ConvertStringSecurityDescriptorToSecurityDescriptorW( szStringSecurityDis, SDDL_REVISION_1, &pDescriptor, NULL );
+        ConvertStringSecurityDescriptorToSecurityDescriptorW( szStringSecurityDis, SDDL_REVISION_1, &pDescriptor, NULL );
 
         // Prepare Arguments
         ustr.Length = static_cast<USHORT>(wcslen( pEventName ) * sizeof(wchar_t));
@@ -433,7 +433,7 @@ NTSTATUS RemoteExec::CreateAPCEvent( DWORD threadID )
         if (pOpenEvent == 0)
             return false;
 
-        status = SAFE_NATIVE_CALL( NtCreateEvent, &_hWaitEvent, EVENT_ALL_ACCESS, &obAttr, 0, 0 );
+        status = SAFE_NATIVE_CALL( NtCreateEvent, &_hWaitEvent, EVENT_ALL_ACCESS, &obAttr, 0, static_cast<BOOLEAN>(FALSE) );
         if(pDescriptor)
             LocalFree( pDescriptor );
 

src/BlackBone/Process/Threads/Thread.cpp

@@ -38,7 +38,7 @@ Thread::~Thread()
 /// </summary>
 /// <param name="pteb">Process TEB</param>
 /// <returns>TEB pointer</returns>
-blackbone::ptr_t Thread::teb( _TEB32* pteb /*= nullptr */ ) const
+blackbone::ptr_t Thread::teb( _TEB32* pteb ) const
 {
     return _core->native()->getTEB( _handle, pteb );
 }
@@ -48,7 +48,7 @@ blackbone::ptr_t Thread::teb( _TEB32* pteb /*= nullptr */ ) const
 /// </summary>
 /// <param name="pteb">Process TEB</param>
 /// <returns>TEB pointer</returns>
-blackbone::ptr_t Thread::teb( _TEB64* pteb /*= nullptr */ ) const
+blackbone::ptr_t Thread::teb( _TEB64* pteb ) const
 {
     return _core->native()->getTEB( _handle, pteb );
 }

src/BlackBone/Process/Threads/Thread.h

@@ -119,14 +119,14 @@ class Thread
     /// </summary>
     /// <param name="pteb">Process TEB</param>
     /// <returns>TEB pointer</returns>
-    BLACKBONE_API ptr_t teb( _TEB32* pteb = nullptr ) const;
+    BLACKBONE_API ptr_t teb( _TEB32* pteb ) const;
 
     /// <summary>
     /// Get Native TEB
     /// </summary>
     /// <param name="pteb">Process TEB</param>
     /// <returns>TEB pointer</returns>
-    BLACKBONE_API ptr_t teb( _TEB64* pteb = nullptr ) const;
+    BLACKBONE_API ptr_t teb( _TEB64* pteb ) const;
 
     /// <summary>
     /// Get TEB