Added support for debug helper injection into x64 UWP apps

WheretIB · Jun 1, 2020 · 5078d75 · 5078d75
1 parent ad63065
commit 5078d75
Show file tree

Hide file tree

Showing 2 changed files with 86 additions and 4 deletions.
diff --git a/LuaDebugAttacher_x64/main.cpp b/LuaDebugAttacher_x64/main.cpp
@@ -1,16 +1,94 @@
 #include <stdlib.h>
 #include <stdio.h>
 
+#include <AclAPI.h>
+#include <Sddl.h>
 #include <Windows.h>
 
 #pragma warning(disable: 4996)
 
-// processId loadLibraryAddress dllNameAddress
+int AdjustAccessControlListForUwp(char *dllPath)
+{
+	// Get current Access Control List
+	PACL currentAcl = 0;
+	PSECURITY_DESCRIPTOR securityDescriptor = 0;
+
+	if(unsigned errorCode = GetNamedSecurityInfoA(dllPath, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, &currentAcl, 0, &securityDescriptor))
+	{
+		OutputDebugStringA("Call to 'GetNamedSecurityInfoA' failed\n");
+
+		char* msgBuf = nullptr;
+		FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, errorCode, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (char*)&msgBuf, 0, NULL);
+		OutputDebugStringA(msgBuf);
+
+		return 11;
+	}
+
+	// sid for all application packages
+	PSID sid;
+
+	if(ConvertStringSidToSidA("S-1-15-2-1", &sid) == 0)
+	{
+		OutputDebugStringA("Call to 'ConvertStringSidToSidA' failed\n");
+
+		char* msgBuf = nullptr;
+		FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (char*)&msgBuf, 0, NULL);
+		OutputDebugStringA(msgBuf);
+
+		return 12;
+	}
+
+	EXPLICIT_ACCESS_A access = { 0 };
+
+	access.grfAccessPermissions = GENERIC_READ | GENERIC_EXECUTE;
+	access.grfAccessMode = SET_ACCESS;
+	access.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
+	access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
+	access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+	access.Trustee.ptstrName = (LPSTR)sid;
+
+	// Set new access entry in the Access Control List
+	PACL updatedAcl = 0;
+
+	if(unsigned errorCode = SetEntriesInAclA(1, &access, currentAcl, &updatedAcl))
+	{
+		OutputDebugStringA("Call to 'SetEntriesInAclA' failed\n");
+
+		char* msgBuf = nullptr;
+		FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (char*)&msgBuf, 0, NULL);
+		OutputDebugStringA(msgBuf);
+
+		return 13;
+	}
+
+	// Set new Access Control List
+	if(unsigned errorCode = SetNamedSecurityInfoA((LPSTR)dllPath, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, updatedAcl, 0))
+	{
+		OutputDebugStringA("Call to 'SetNamedSecurityInfoA' failed\n");
+
+		char* msgBuf = nullptr;
+		FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (char*)&msgBuf, 0, NULL);
+		OutputDebugStringA(msgBuf);
+
+		return 14;
+	}
+
+	if(securityDescriptor)
+		LocalFree((HLOCAL)securityDescriptor);
+
+	if(updatedAcl)
+		LocalFree((HLOCAL)updatedAcl);
+
+	return 0;
+}
+
+// processId loadLibraryAddress dllNameAddress dllPath
 int main(int argc, char** argv)
 {
 	unsigned processId = strtoul(argv[1], nullptr, 10);
 	uintptr_t loadLibraryAddress = _strtoui64(argv[2], nullptr, 10);
 	uintptr_t dllNameAddress = _strtoui64(argv[3], nullptr, 10);
+	char *dllPath = argv[4];
 
 	char buf[256];
 	sprintf(buf, "Attacher %s %s %s\n", argv[1], argv[2], argv[3]);
@@ -20,7 +98,7 @@ int main(int argc, char** argv)
 
 	if(process == nullptr)
 	{
-		OutputDebugStringA("Failed to CreateRemoteThread\n");
+		OutputDebugStringA("Call to 'OpenProcess' failed\n");
 
 		char* msgBuf = nullptr;
 		FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (char*)&msgBuf, 0, NULL);
@@ -29,11 +107,13 @@ int main(int argc, char** argv)
 		return 1;
 	}
 
+	AdjustAccessControlListForUwp(dllPath);
+
 	auto thread = CreateRemoteThread(process, nullptr, 0, (DWORD(__stdcall*)(LPVOID))loadLibraryAddress, (void*)dllNameAddress, 0, nullptr);
 
 	if(thread == nullptr)
 	{
-		OutputDebugStringA("Failed to CreateRemoteThread\n");
+		OutputDebugStringA("Call to 'CreateRemoteThread' failed\n");
 
 		char* msgBuf = nullptr;
 		FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (char*)&msgBuf, 0, NULL);

diff --git a/LuaDkmDebuggerComponent/LocalComponent.cs b/LuaDkmDebuggerComponent/LocalComponent.cs
@@ -1898,7 +1898,7 @@ void IDkmModuleInstanceLoadNotification.OnModuleInstanceLoad(DkmModuleInstance m
                             return;
                         }
 
-                        var processStartInfo = new ProcessStartInfo(exePathName, $"{process.LivePart.Id} {processData.loadLibraryAddress} {dllNameAddress}")
+                        var processStartInfo = new ProcessStartInfo(exePathName, $"{process.LivePart.Id} {processData.loadLibraryAddress} {dllNameAddress} \"{dllPathName}\"")
                         {
                             CreateNoWindow = true,
                             RedirectStandardError = true,
@@ -1907,6 +1907,8 @@ void IDkmModuleInstanceLoadNotification.OnModuleInstanceLoad(DkmModuleInstance m
                             UseShellExecute = false
                         };
 
+                        log.Debug($"Launching '{exePathName}' with '{processStartInfo.Arguments}'");
+
                         try
                         {
                             var attachProcess = Process.Start(processStartInfo);