fix: Make Monika more resilient to updates

Some updates do not increment the raw build number, yet still shift the
`.data` segment of `ntoskrnl.exe`.

Monika now tries to extract the whole `ProductVersion` resource of
`ntoskrnl.exe`, then matches this string to known offsets.

Should this method turn out to be wrong, `PicoSppLocateProviderRoutines`
does another sanity check of the `Size` field to avoid corrupting
critical neighboring data.

Fixes #1.

Author: trungnt2910

lxmonika/lxmonika.vcxproj

@@ -123,6 +123,7 @@
     <ClInclude Include="pico.h" />
     <ClInclude Include="picosupport.h" />
     <ClInclude Include="PoolAllocator.h" />
+    <ClInclude Include="winresource.h" />
   </ItemGroup>
   <ItemGroup>
     <None Include="README.md" />

lxmonika/module.cpp

@@ -2,7 +2,9 @@
 
 #include "pe.h"
 #include "os.h"
+#include "winresource.h"
 
+#include "Logger.h"
 #include "PoolAllocator.h"
 
 extern "C"
@@ -178,3 +180,121 @@ MdlpGetProcAddress(
 
     return STATUS_NOT_FOUND;
 }
+
+NTSTATUS
+MdlpGetProductVersion(
+    _In_ HANDLE hModule,
+    _Out_ PCWSTR* pPProductVersion
+)
+{
+    if (hModule == NULL || pPProductVersion == NULL)
+    {
+        return STATUS_INVALID_PARAMETER;
+    }
+
+    PCHAR pStart = (PCHAR)hModule;
+
+    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pStart;
+    PIMAGE_NT_HEADERS pPeHeader = (PIMAGE_NT_HEADERS)(pStart + pDosHeader->e_lfanew);
+
+    PIMAGE_RESOURCE_DIRECTORY pResourceDirectory = (PIMAGE_RESOURCE_DIRECTORY)(pStart +
+        pPeHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress);
+
+    // For calculating offsets.
+    PCHAR pRsrcSectionStart = (PCHAR)pResourceDirectory;
+
+    // The entries come right after the directory.
+    PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntryList = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)
+        (pResourceDirectory + 1);
+
+    SIZE_T uTotalEntries = pResourceDirectory->NumberOfIdEntries
+        + pResourceDirectory->NumberOfNamedEntries;
+
+    WORD pResourcePath[] =
+    {
+        (WORD)(ULONG_PTR)RT_VERSION,
+        // This param must be 1
+        // https://learn.microsoft.com/en-us/windows/win32/menurc/versioninfo-resource
+        1
+    };
+
+    const auto GoDownPath = [&](PIMAGE_RESOURCE_DIRECTORY_ENTRY pEntry)
+    {
+        pResourceDirectory = (PIMAGE_RESOURCE_DIRECTORY)
+            (pRsrcSectionStart + pEntry->OffsetToDirectory);
+
+        pEntryList = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)(pResourceDirectory + 1);
+        uTotalEntries = pResourceDirectory->NumberOfIdEntries
+            + pResourceDirectory->NumberOfNamedEntries;
+    };
+
+    for (SIZE_T i = 0; i < ARRAYSIZE(pResourcePath); ++i)
+    {
+        for (SIZE_T j = 0; j < uTotalEntries; ++j)
+        {
+            if (!pEntryList[j].NameIsString
+                && pEntryList[j].Id == pResourcePath[i]
+                && pEntryList[j].DataIsDirectory)
+            {
+                // Go down to the tree on this path.
+                GoDownPath(&pEntryList[j]);
+
+                Logger::LogTrace("Found level ", i + 1, " directory with ", uTotalEntries,
+                    " entries.");
+
+                goto found;
+            }
+        }
+
+        Logger::LogError("Cannot find level ", i + 1, " directory with ID ", pResourcePath[i]);
+        return STATUS_RESOURCE_TYPE_NOT_FOUND;
+
+    found:
+        continue;
+    }
+
+    // Take the first directory type entry. Should be a leaf of the VS_VERSIONINFO data type.
+    // https://learn.microsoft.com/en-us/windows/win32/menurc/vs-versioninfo
+    for (SIZE_T i = 0; i < uTotalEntries; ++i)
+    {
+        if (!pEntryList[i].DataIsDirectory)
+        {
+            PIMAGE_RESOURCE_DATA_ENTRY pDataEntry = (PIMAGE_RESOURCE_DATA_ENTRY)
+                (pRsrcSectionStart + pEntryList[i].OffsetToData);
+
+            SIZE_T uVersionInfoLength = pDataEntry->Size;
+            PCHAR pVersionInfoStart = pStart + pDataEntry->OffsetToData;
+
+            PCHAR pProductVersion = pVersionInfoStart;
+
+            // TODO: Implement actual resource string tree parsing.
+            const WCHAR pPattern[] = L"ProductVersion";
+            while (pProductVersion + sizeof(pPattern)
+                   <= pVersionInfoStart + uVersionInfoLength)
+            {
+                if (wcsncmp((PCWSTR)pProductVersion, pPattern, sizeof(pPattern)) != 0)
+                {
+                    ++pProductVersion;
+                    continue;
+                }
+
+                goto found_product_version;
+            }
+
+            Logger::LogError("Cannot find product version");
+            return STATUS_NOT_FOUND;
+
+        found_product_version:
+            // Align up a 32-bit boundary.
+            PWCHAR pProductVersionValue = (PWCHAR)ALIGN_UP_BY(
+                pProductVersion + sizeof(pPattern), 4);
+
+            *pPProductVersion = pProductVersionValue;
+            return STATUS_SUCCESS;
+        }
+    }
+
+    // No languages available?
+    Logger::LogError("Cannot find leaf");
+    return STATUS_RESOURCE_LANG_NOT_FOUND;
+}

lxmonika/module.h

@@ -43,6 +43,12 @@ NTSTATUS
         _Out_ PVOID* pProc
     );
 
+NTSTATUS
+    MdlpGetProductVersion(
+        _In_ HANDLE hModule,
+        _Out_ PCWSTR* pPProductVersion
+    );
+
 #ifdef __cplusplus
 }
 #endif

lxmonika/monika.cpp

@@ -68,6 +68,8 @@ MapInitialize()
 
     memcpy(&MaOriginalProviderRoutines, pProviderRoutines, sizeof(MaOriginalProviderRoutines));
 
+    Logger::LogTrace("Backed up original provider routines.");
+
     // All known versions of the struct contains valid pointers
     // for these members, so this should be safe.
     pProviderRoutines->DispatchSystemCall = MapSystemCallDispatch;
@@ -77,6 +79,8 @@ MapInitialize()
     pProviderRoutines->TerminateProcess = MapTerminateProcess;
     pProviderRoutines->WalkUserStack = MapWalkUserStack;
 
+    Logger::LogTrace("Successfully patched provider routines.");
+
     return STATUS_SUCCESS;
 }
 
@@ -94,6 +98,7 @@ MapCleanup()
 //
 // Pico handlers
 //
+
 extern "C"
 VOID
 MapSystemCallDispatch(

lxmonika/picosupport.cpp

@@ -43,36 +43,67 @@ PicoSppLocateProviderRoutines(
         return status;
     }
 
-    RTL_OSVERSIONINFOW osVersionInfo;
-    osVersionInfo.dwOSVersionInfoSize = sizeof(osVersionInfo);
-
-    status = RtlGetVersion(&osVersionInfo);
+    PCWSTR pVersionInfoStringUnicode;
+    MdlpGetProductVersion(hdlNtKernel, (PCWSTR*)&pVersionInfoStringUnicode);
 
     if (NT_SUCCESS(status))
     {
-        Logger::LogTrace("Detected Windows NT build ", osVersionInfo.dwBuildNumber);
+        CHAR pVersionInfoStringAnsi[32];
+        for (SIZE_T i = 0; i < ARRAYSIZE(pVersionInfoStringAnsi); ++i)
+        {
+            if (pVersionInfoStringUnicode[i] == L'\0')
+            {
+                pVersionInfoStringAnsi[i] = '\0';
+                break;
+            }
+            pVersionInfoStringAnsi[i] = (CHAR)pVersionInfoStringUnicode[i];
+        }
+
+        Logger::LogTrace("Detected Windows NT version ", pVersionInfoStringAnsi);
 
         PVOID pTarget = NULL;
 
-        switch (osVersionInfo.dwBuildNumber)
-        {
 #ifdef AMD64
-            // Windows 11 23H2
-            case 22621:
-                pTarget = (PCHAR)hdlNtKernel + 0xC37D00;
-            break;
-#endif
-            // TODO: Support more builds.
-            default:
-                Logger::LogWarning("Windows NT build ",
-                    osVersionInfo.dwBuildNumber, " is not supported.");
+        if (strncmp(pVersionInfoStringAnsi, "10.0.22621.2715",
+            sizeof(pVersionInfoStringAnsi)) == 0)
+        {
+            pTarget = (PCHAR)hdlNtKernel + 0xC37CA0;
         }
+#endif
 
         if (pTarget != NULL)
         {
             Logger::LogTrace("PspPicoProviderRoutines found at ", pTarget);
-            *pPpr = PspPicoProviderRoutines = (PPS_PICO_PROVIDER_ROUTINES)pTarget;
-            return STATUS_SUCCESS;
+            PPS_PICO_PROVIDER_ROUTINES pMaybeTheRightRoutines =
+                (PPS_PICO_PROVIDER_ROUTINES)pTarget;
+
+            // Do a size check first. This reduces the chance of wrong version handling code
+            // bootlooping Windows.
+            //
+            // It might be a good idea to check for the pointers in Lxss as well, however, this
+            // would defeat the purpose of using known offsets: To support situations where
+            // other drivers have patched the routines beforehand.
+            //
+            // ExitThread is chosen because it is the member right after DispatchSystemCall.
+            // DispatchSystemCall is absolutely necessary for any Pico provider to function.
+
+            if (pMaybeTheRightRoutines->Size <
+                FIELD_OFFSET(PS_PICO_PROVIDER_ROUTINES, ExitThread)
+                || pMaybeTheRightRoutines->Size > sizeof(PS_PICO_PROVIDER_ROUTINES) * 16)
+            {
+                Logger::LogWarning("Disregarding known offset due to size being suspicious: ",
+                    pMaybeTheRightRoutines->Size);
+            }
+            else
+            {
+                *pPpr = PspPicoProviderRoutines = pMaybeTheRightRoutines;
+                return STATUS_SUCCESS;
+            }
+        }
+        else
+        {
+            Logger::LogWarning("Windows NT version ", pVersionInfoStringAnsi,
+                " is not supported.");
         }
     }
 

lxmonika/winresource.h

@@ -0,0 +1,66 @@
+#pragma once
+
+#include <ntdef.h>
+#include <intsafe.h>
+
+// winresource.h
+//
+// Support definitions for handling Win32 resources.
+//
+// Based on WinUser.h
+
+#define IS_INTRESOURCE(_r) ((((ULONG_PTR)(_r)) >> 16) == 0)
+#define MAKEINTRESOURCEA(i) ((LPSTR)((ULONG_PTR)((WORD)(i))))
+#define MAKEINTRESOURCEW(i) ((LPWSTR)((ULONG_PTR)((WORD)(i))))
+#ifdef UNICODE
+#define MAKEINTRESOURCE  MAKEINTRESOURCEW
+#else
+#define MAKEINTRESOURCE  MAKEINTRESOURCEA
+#endif // !UNICODE
+
+/*
+ * Predefined Resource Types
+ */
+#define RT_CURSOR           MAKEINTRESOURCE(1)
+#define RT_BITMAP           MAKEINTRESOURCE(2)
+#define RT_ICON             MAKEINTRESOURCE(3)
+#define RT_MENU             MAKEINTRESOURCE(4)
+#define RT_DIALOG           MAKEINTRESOURCE(5)
+#define RT_STRING           MAKEINTRESOURCE(6)
+#define RT_FONTDIR          MAKEINTRESOURCE(7)
+#define RT_FONT             MAKEINTRESOURCE(8)
+#define RT_ACCELERATOR      MAKEINTRESOURCE(9)
+#define RT_RCDATA           MAKEINTRESOURCE(10)
+#define RT_MESSAGETABLE     MAKEINTRESOURCE(11)
+
+#define DIFFERENCE     11
+#define RT_GROUP_CURSOR MAKEINTRESOURCE((ULONG_PTR)(RT_CURSOR) + DIFFERENCE)
+#define RT_GROUP_ICON   MAKEINTRESOURCE((ULONG_PTR)(RT_ICON) + DIFFERENCE)
+#define RT_VERSION      MAKEINTRESOURCE(16)
+#define RT_DLGINCLUDE   MAKEINTRESOURCE(17)
+#if(WINVER >= 0x0400)
+#define RT_PLUGPLAY     MAKEINTRESOURCE(19)
+#define RT_VXD          MAKEINTRESOURCE(20)
+#define RT_ANICURSOR    MAKEINTRESOURCE(21)
+#define RT_ANIICON      MAKEINTRESOURCE(22)
+#endif /* WINVER >= 0x0400 */
+#define RT_HTML         MAKEINTRESOURCE(23)
+#ifdef RC_INVOKED
+#define RT_MANIFEST                        24
+#define CREATEPROCESS_MANIFEST_RESOURCE_ID  1
+#define ISOLATIONAWARE_MANIFEST_RESOURCE_ID 2
+#define ISOLATIONAWARE_NOSTATICIMPORT_MANIFEST_RESOURCE_ID 3
+#define ISOLATIONPOLICY_MANIFEST_RESOURCE_ID 4
+#define ISOLATIONPOLICY_BROWSER_MANIFEST_RESOURCE_ID 5
+#define MINIMUM_RESERVED_MANIFEST_RESOURCE_ID 1   /* inclusive */
+#define MAXIMUM_RESERVED_MANIFEST_RESOURCE_ID 16  /* inclusive */
+#else  /* RC_INVOKED */
+#define RT_MANIFEST                        MAKEINTRESOURCE(24)
+#define CREATEPROCESS_MANIFEST_RESOURCE_ID MAKEINTRESOURCE( 1)
+#define ISOLATIONAWARE_MANIFEST_RESOURCE_ID MAKEINTRESOURCE(2)
+#define ISOLATIONAWARE_NOSTATICIMPORT_MANIFEST_RESOURCE_ID MAKEINTRESOURCE(3)
+#define ISOLATIONPOLICY_MANIFEST_RESOURCE_ID MAKEINTRESOURCE(4)
+#define ISOLATIONPOLICY_BROWSER_MANIFEST_RESOURCE_ID MAKEINTRESOURCE(5)
+#define MINIMUM_RESERVED_MANIFEST_RESOURCE_ID MAKEINTRESOURCE( 1 /*inclusive*/)
+#define MAXIMUM_RESERVED_MANIFEST_RESOURCE_ID MAKEINTRESOURCE(16 /*inclusive*/)
+#endif /* RC_INVOKED */