[MEMORY] Restore Detours' system reserved range on NT5

KNSoft · Jul 27, 2024 · 9058b94 · 9058b94
1 parent b0e90d1
commit 9058b94
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 13 deletions.
diff --git a/...iki/Avoid Occupying System Reserved Region When Allocating Trampoline/README.md b/...iki/Avoid Occupying System Reserved Region When Allocating Trampoline/README.md
@@ -44,7 +44,7 @@ ASLR only reserves a range of 640MB in size for 32-bit systems, which can be dir
 
 `Ntdll.dll` is randomly loaded by ASLR to a memory address lower in the reserved range, and when the subsequent DLL layout bottoms out, it will wrap to the top of the reserved range and continue to be arranged, in which case the "1GB range after `Ntdll.dll`" is 2 discontinuous regions.
 
-[SlimDetours](https://github.com/KNSoft/KNSoft.SlimDetours)' implementation details and circumvention range are different from the above PR, furthermore, it no longer considers the obsolete NT5, and calls `NtQuerySystemInformation` to obtain a more accurate user address space range than hardcoded to help constrain the location of trampolines, see [KNSoft.SlimDetours/Source/SlimDetours/Memory.c at main · KNSoft/KNSoft.SlimDetours](../../../Source/SlimDetours/Memory.c).
+[SlimDetours](https://github.com/KNSoft/KNSoft.SlimDetours)' implementation details and circumvention range are different from the above PR, furthermore, NT5 and NT6+ are considered separately, and calls `NtQuerySystemInformation` to obtain a more accurate user address space range than hardcoded to help constrain the location of trampolines, see [KNSoft.SlimDetours/Source/SlimDetours/Memory.c at main · KNSoft/KNSoft.SlimDetours](../../../Source/SlimDetours/Memory.c).
 
 <br>
 <hr>

diff --git a/...oid Occupying System Reserved Region When Allocating Trampoline/README.zh-CN.md b/...oid Occupying System Reserved Region When Allocating Trampoline/README.zh-CN.md
@@ -44,7 +44,7 @@ static PVOID    s_pSystemRegionUpperBound   = (PVOID)(ULONG_PTR)0x80000000;
 
 `Ntdll.dll`被ASLR随机加载到保留范围内较低的内存地址，后续DLL随后排布触底时，将切换到保留范围顶部继续排布，在这个情况下“`Ntdll.dll`之后的1GB范围”便是2块不连续的区域。
 
-[SlimDetours](https://github.com/KNSoft/KNSoft.SlimDetours)的具体实现与规避范围均有别于上述PR，更进一步的，不再为已过时的NT5做考虑，并调用`NtQuerySystemInformation`获得比硬编码更确切的用户地址空间范围，协助约束Trampoline的选址，参考[KNSoft.SlimDetours/Source/SlimDetours/Memory.c于main · KNSoft/KNSoft.SlimDetours](../../../Source/SlimDetours/Memory.c)。
+[SlimDetours](https://github.com/KNSoft/KNSoft.SlimDetours)的具体实现与规避范围均有别于上述PR，更进一步的，为NT5与NT6+分别考虑，并调用`NtQuerySystemInformation`获得比硬编码更确切的用户地址空间范围，协助约束Trampoline的选址，参考[KNSoft.SlimDetours/Source/SlimDetours/Memory.c于main · KNSoft/KNSoft.SlimDetours](../../../Source/SlimDetours/Memory.c)。
 
 <br>
 <hr>

diff --git a/Source/SlimDetours/Memory.c b/Source/SlimDetours/Memory.c
@@ -69,20 +69,28 @@ detour_memory_init(VOID)
 
     /* Initialize memory management information */
     NtQuerySystemInformation(SystemBasicInformation, &g_sbi, sizeof(g_sbi), NULL);
+    if (NtCurrentPeb()->OSMajorVersion >= 6)
+    {
 #if defined(_WIN64)
-    PLDR_DATA_TABLE_ENTRY NtdllLdrEntry;
-
-    NtdllLdrEntry = CONTAINING_RECORD(NtCurrentPeb()->Ldr->InInitializationOrderModuleList.Flink,
-                                      LDR_DATA_TABLE_ENTRY,
-                                      InInitializationOrderModuleList);
-    s_ulSystemRegionLowUpperBound = (ULONG_PTR)NtdllLdrEntry->DllBase + NtdllLdrEntry->SizeOfImage - 1;
-    s_ulSystemRegionLowLowerBound = s_ulSystemRegionLowUpperBound - _1GB + 1;
-    if (s_ulSystemRegionLowLowerBound < SYSTEM_RESERVED_REGION_LOWEST)
+        PLDR_DATA_TABLE_ENTRY NtdllLdrEntry;
+
+        NtdllLdrEntry = CONTAINING_RECORD(NtCurrentPeb()->Ldr->InInitializationOrderModuleList.Flink,
+                                          LDR_DATA_TABLE_ENTRY,
+                                          InInitializationOrderModuleList);
+        s_ulSystemRegionLowUpperBound = (ULONG_PTR)NtdllLdrEntry->DllBase + NtdllLdrEntry->SizeOfImage - 1;
+        s_ulSystemRegionLowLowerBound = s_ulSystemRegionLowUpperBound - _1GB + 1;
+        if (s_ulSystemRegionLowLowerBound < SYSTEM_RESERVED_REGION_LOWEST)
+        {
+            s_ulSystemRegionHighLowerBound = s_ulSystemRegionLowLowerBound + SYSTEM_RESERVED_REGION_SIZE;
+            s_ulSystemRegionLowLowerBound = SYSTEM_RESERVED_REGION_LOWEST;
+        }
+#endif
+    } else
     {
-        s_ulSystemRegionHighLowerBound = s_ulSystemRegionLowLowerBound + SYSTEM_RESERVED_REGION_SIZE;
-        s_ulSystemRegionLowLowerBound = SYSTEM_RESERVED_REGION_LOWEST;
+        /* TODO: What if NT5 x64? Let's keep the original Detours behavior. */
+        s_ulSystemRegionLowUpperBound = 0x80000000;
+        s_ulSystemRegionLowLowerBound = 0x70000000;
     }
-#endif
 
     /* Initialize private heap */
     hHeap = RtlCreateHeap(HEAP_NO_SERIALIZE | HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);