Enigma: Set up NtProtectVirtualMemory immediately upon DLL load

Doing this in a separate thread has the possibility of failing, so I did this instead
praydog · Jan 22, 2024 · 2263953 · 2263953
1 parent 1ed9f31
commit 2263953
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/src/Main.cpp b/src/Main.cpp
@@ -7,6 +7,7 @@
 #include <utility/Module.hpp>
 #include <utility/Thread.hpp>
 
+#include "mods/IntegrityCheckBypass.hpp"
 #include "ExceptionHandler.hpp"
 #include "REFramework.hpp"
 
@@ -81,6 +82,8 @@ void startup_thread(HMODULE reframework_module) {
 
 BOOL APIENTRY DllMain(HANDLE handle, DWORD reason, LPVOID reserved) {
     if (reason == DLL_PROCESS_ATTACH) {
+        IntegrityCheckBypass::setup_pristine_syscall();
+
         CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)startup_thread, handle, 0, nullptr);
     }
 

diff --git a/src/mods/IntegrityCheckBypass.cpp b/src/mods/IntegrityCheckBypass.cpp
@@ -516,9 +516,13 @@ void IntegrityCheckBypass::remove_stack_destroyer() {
     spdlog::info("[IntegrityCheckBypass]: Patched stack destroyer!");
 }
 
-// hahahah i hate this
-void IntegrityCheckBypass::fix_virtual_protect() try {
-    spdlog::info("[IntegrityCheckBypass]: Fixing VirtualProtect...");
+void IntegrityCheckBypass::setup_pristine_syscall() {
+    if (s_pristine_protect_virtual_memory != nullptr) {
+        spdlog::info("[IntegrityCheckBypass]: NtProtectVirtualMemory already setup!");
+        return;
+    }
+
+    spdlog::info("[IntegrityCheckBypass]: Copying pristine NtProtectVirtualMemory...");
 
     auto nt_protect_virtual_memory = (NtProtectVirtualMemory_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtProtectVirtualMemory");
     if (nt_protect_virtual_memory == nullptr) {
@@ -536,6 +540,13 @@ void IntegrityCheckBypass::fix_virtual_protect() try {
     s_pristine_protect_virtual_memory = (decltype(s_pristine_protect_virtual_memory))VirtualAlloc(nullptr, 256, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
     memcpy(s_pristine_protect_virtual_memory, nt_protect_virtual_memory, 256);
     spdlog::info("[IntegrityCheckBypass]: Copied NtProtectVirtualMemory to 0x{:X}", (uintptr_t)s_pristine_protect_virtual_memory);
+}
+
+// hahahah i hate this
+void IntegrityCheckBypass::fix_virtual_protect() try {
+    spdlog::info("[IntegrityCheckBypass]: Fixing VirtualProtect...");
+
+    setup_pristine_syscall(); // Called earlier in DllMain
 
     // Now disassemble our pristine function and just remove anything that looks like its a displacement or memory reference with nops
     // im doing this because im too lazy to fix up the relocations

diff --git a/src/mods/IntegrityCheckBypass.hpp b/src/mods/IntegrityCheckBypass.hpp
@@ -21,6 +21,8 @@ class IntegrityCheckBypass : public Mod {
     static void immediate_patch_re8();
     static void immediate_patch_re4();
     static void remove_stack_destroyer();
+
+    static void setup_pristine_syscall();
     static void fix_virtual_protect();
 
 private: