Rebase user dll VAs from host to remote.

InjectorCLI/CliMain.cpp

@@ -58,7 +58,6 @@ int wmain(int argc, wchar_t* argv[])
     g_log.SetLogCb(scl::Logger::Info, LogCallback);
     g_log.SetLogCb(scl::Logger::Error, LogCallback);
 
-    ReadNtApiInformation(&g_hdd);
     SetDebugPrivileges();
     //ChangeBadWindowText();
     g_settings.Load(g_scyllaHideIniPath.c_str());
@@ -102,6 +101,7 @@ int wmain(int argc, wchar_t* argv[])
 
     if (targetPid && dllPath)
     {
+        ReadNtApiInformation(&g_hdd, targetPid);
         wprintf(L"\nPID\t: %d 0x%X\nDLL Path: %s\n\n", targetPid, targetPid, dllPath);
         if (!startInjection(targetPid, dllPath))
             result = 1; // failure

PluginGeneric/Injector.cpp

@@ -26,7 +26,7 @@ BYTE* RemoteBreakinPatch;
 BYTE OllyRemoteBreakInReplacement[8];
 HANDLE hDebuggee;
 
-void ReadNtApiInformation(HOOK_DLL_DATA *hdd)
+void ReadNtApiInformation(HOOK_DLL_DATA *hdd, DWORD targetPid)
 {
     scl::User32Loader user32Loader;
     if (!user32Loader.FindSyscalls({
@@ -37,7 +37,7 @@ void ReadNtApiInformation(HOOK_DLL_DATA *hdd)
         "NtUserGetForegroundWindow",
         "NtUserGetClassName",
         "NtUserInternalGetWindowText",
-        "NtUserGetThreadState" }))
+        "NtUserGetThreadState" }, targetPid))
     {
         g_log.LogError(L"Failed to find user32.dll/win32u.dll syscalls!");
         return;

PluginGeneric/Injector.h

@@ -27,7 +27,7 @@ typedef struct _PROCESS_SUSPEND_INFO
     PTHREAD_SUSPEND_INFO ThreadSuspendInfo; // THREAD_SUSPEND_INFO[NumThreads]
 } PROCESS_SUSPEND_INFO, *PPROCESS_SUSPEND_INFO;
 
-void ReadNtApiInformation(HOOK_DLL_DATA *hdd);
+void ReadNtApiInformation(HOOK_DLL_DATA *hdd, DWORD ProcessId);
 
 void InstallAntiAttachHook();
 void startInjectionProcess(HANDLE hProcess, HOOK_DLL_DATA *hdd, BYTE * dllMemory, bool newProcess);

Scylla/User32Loader.cpp

@@ -2,6 +2,7 @@
 #include "Win32kSyscalls.h"
 #include "Scylla/OsInfo.h"
 #include "Scylla/Logger.h"
+#include "InjectorCLI/DynamicMapping.h"
 
 extern scl::Logger g_log;
 
@@ -21,7 +22,7 @@ scl::User32Loader::~User32Loader()
 }
 
 // Finds the requested user32/win32u syscalls by name for later retrieval with GetUserSyscallVa
-bool scl::User32Loader::FindSyscalls(const std::vector<std::string>& syscallNames)
+bool scl::User32Loader::FindSyscalls(const std::vector<std::string>& syscallNames, DWORD targetPid)
 {
 	if (Win32kUserDll == nullptr) // Failed to load user32.dll or win32u.dll
 		return false;
@@ -30,10 +31,15 @@ bool scl::User32Loader::FindSyscalls(const std::vector<std::string>& syscallName
 
 	if (OsBuildNumber >= 14393)
 	{
+
+        HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION, 0, targetPid);
+        HMODULE remoteBase = GetModuleBaseRemote(hProcess, L"win32u.dll");
+        CloseHandle(hProcess);
+
 		// On >= 10.0.14393.0 we can simply get the VAs from win32u.dll
 		for (const auto& syscallName : syscallNames)
 		{
-			const ULONG_PTR syscallAddress = (ULONG_PTR)GetProcAddress((HMODULE)Win32kUserDll, syscallName.c_str());
+			const ULONG_PTR syscallAddress = (ULONG_PTR)GetProcAddress((HMODULE)Win32kUserDll, syscallName.c_str()) - (ULONG_PTR)Win32kUserDll + (ULONG_PTR)remoteBase;
 			if (syscallAddress == 0)
 				return false;
 			FunctionNamesAndVas[syscallName] = syscallAddress;
@@ -51,11 +57,15 @@ bool scl::User32Loader::FindSyscalls(const std::vector<std::string>& syscallName
 		functionNamesAndSyscallNums[syscallName] = (ULONG_PTR)syscallNum;
 	}
 
+    HANDLE hProcess = OpenProcess(PROCESS_SUSPEND_RESUME | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION, 0, targetPid);
+    HMODULE remoteBase = GetModuleBaseRemote(hProcess, L"user32.dll");
+    CloseHandle(hProcess);
+
 	// Find the VAs of the functions we want
 	for (const auto& function : functionNamesAndSyscallNums)
 	{
 		const std::string syscallName = function.first;
-		const ULONG_PTR syscallAddress = FindSyscallByIndex((ULONG)function.second);
+		const ULONG_PTR syscallAddress = FindSyscallByIndex((ULONG)function.second) - (ULONG_PTR)Win32kUserDll + (ULONG_PTR)remoteBase;
 		if (syscallAddress != 0)
 		{
 			FunctionNamesAndVas[syscallName] = syscallAddress;
@@ -69,7 +79,7 @@ bool scl::User32Loader::FindSyscalls(const std::vector<std::string>& syscallName
 	}
 
 	// Sanity check the NtUserBlockInput VA as this is an exported syscall
-	const ULONG_PTR BlockInputVa = (ULONG_PTR)GetProcAddress((HMODULE)Win32kUserDll, "BlockInput");
+	const ULONG_PTR BlockInputVa = (ULONG_PTR)GetProcAddress((HMODULE)Win32kUserDll, "BlockInput") - (ULONG_PTR)Win32kUserDll + (ULONG_PTR)remoteBase;
 	if (BlockInputVa == 0)
 		return false;
 	const bool check = GetUserSyscallVa("NtUserBlockInput") == BlockInputVa;

Scylla/User32Loader.h

@@ -13,7 +13,7 @@ namespace scl
 		User32Loader();
 		~User32Loader();
 
-		bool FindSyscalls(const std::vector<std::string>& syscallNames);
+		bool FindSyscalls(const std::vector<std::string>& syscallNames, DWORD targetPid);
 
 		ULONG_PTR GetUserSyscallVa(const std::string& functionName) const { return FunctionNamesAndVas.at(functionName); }
 		LONG GetUserSyscallIndex(const std::string& functionName) const;

ScyllaHideGenericPlugin/ScyllaHideGenericPlugin.cpp

@@ -111,7 +111,7 @@ DLL_EXPORT void ScyllaHideDebugLoop(const DEBUG_EVENT* DebugEvent)
         {
             if (!status.bHooked)
             {
-                ReadNtApiInformation(&g_hdd);
+                ReadNtApiInformation(&g_hdd, status.ProcessId);
 
                 status.bHooked = true;
                 startInjection(status.ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), true);

ScyllaHideOlly1Plugin/ScyllaHideOlly1Plugin.cpp

@@ -487,7 +487,7 @@ extern "C" void DLL_EXPORT _ODBG_Pluginmainloop(DEBUG_EVENT *debugevent)
         {
             if (!bHooked)
             {
-                ReadNtApiInformation(&g_hdd);
+                ReadNtApiInformation(&g_hdd,ProcessId);
 
                 bHooked = true;
                 startInjection(ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), true);

ScyllaHideOlly2Plugin/ScyllaHideOlly2Plugin.cpp

@@ -397,7 +397,7 @@ extc void ODBG2_Pluginmainloop(DEBUG_EVENT *debugevent)
         {
             if (!bHooked)
             {
-                ReadNtApiInformation(&g_hdd);
+                ReadNtApiInformation(&g_hdd,ProcessId);
 
                 bHooked = true;
                 startInjection(ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), true);

ScyllaHideTEPlugin/ScyllaHideTEPlugin.cpp

@@ -85,7 +85,7 @@ extern "C" DLL_EXPORT void TitanDebuggingCallBack(LPDEBUG_EVENT debugEvent, int
             {
                 if (!bHooked)
                 {
-                    ReadNtApiInformation(&g_hdd);
+                    ReadNtApiInformation(&g_hdd, ProcessId);
 
                     bHooked = true;
                     startInjection(ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), true);

ScyllaHideX64DBGPlugin/ScyllaHideX64DBGPlugin.cpp

@@ -167,7 +167,7 @@ static void cbDebugloop(CBTYPE cbType, void* callbackInfo)
             //In newest x64dbg version the auto break on attach was removed so ScyllaHide would never inject.
             if (!bHooked)
             {
-                ReadNtApiInformation(&g_hdd);
+                ReadNtApiInformation(&g_hdd, ProcessId);
 
                 bHooked = true;
                 startInjection(ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), true);
@@ -192,7 +192,7 @@ static void cbDebugloop(CBTYPE cbType, void* callbackInfo)
         {
             if (!bHooked)
             {
-                ReadNtApiInformation(&g_hdd);
+                ReadNtApiInformation(&g_hdd, ProcessId);
 
                 bHooked = true;
                 startInjection(ProcessId, &g_hdd, g_scyllaHideDllPath.c_str(), true);