From 55ab75cc2a99301b0b3c81c459a2a4fc2a8e4500 Mon Sep 17 00:00:00 2001
From: Air14
Date: Thu, 16 Feb 2023 18:50:22 +0100
Subject: [PATCH] Fixed probing ReturnLength in HookedNtQueryInformationProcess and HookedNtQueryInformationThread
---
 HyperHideDrv/HookedFunctions.cpp | 37 ++++++++++++++------------------
 1 file changed, 16 insertions(+), 21 deletions(-)
diff --git a/HyperHideDrv/HookedFunctions.cpp b/HyperHideDrv/HookedFunctions.cpp
index 14f6e93..e517fa8 100644
--- a/HyperHideDrv/HookedFunctions.cpp
+++ b/HyperHideDrv/HookedFunctions.cpp
@@ -39,19 +39,17 @@ NTSTATUS NTAPI HookedNtQueryInformationProcess(
 ProcessInformationClass == ProcessHandleTracing)
 )
 {
- if (ProcessInformationLength != 0)
+ __try
 {
- __try
- {
+ if (ProcessInformationLength != 0)
 ProbeForRead(ProcessInformation, ProcessInformationLength, 4);
- if (ReturnLength != 0)
- ProbeForWrite(ReturnLength, 4, 1);
- }
- __except (EXCEPTION_EXECUTE_HANDLER)
- {
- return GetExceptionCode();
- }
+ if (ReturnLength != 0)
+ ProbeForWrite(ReturnLength, 4, 1);
+ }
+ __except (EXCEPTION_EXECUTE_HANDLER)
+ {
+ return GetExceptionCode();
 }
 if (ProcessInformationClass == ProcessDebugObjectHandle)
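Review bot: The context line `ProbeForRead(ProcessInformation, ProcessInformationLength, 4);` inside the new `__try` probes a buffer that these query classes fill in, so it should be the write probe: `ProbeForWrite(ProcessInformation, ProcessInformationLength, 4);`. ProbeForRead checks only address range and alignment, so a read-only user buffer passes here and the fault is deferred to the first store into ProcessInformation, which lies outside this hunk; if that store is not inside its own `__try`, the exception would be unhandled in kernel mode. The HookedNtQueryInformationThread hunk has the same line with `ThreadInformation`. Separately, `ProbeForWrite(ReturnLength, 4, 1)` reads more clearly as `ProbeForWrite(ReturnLength, sizeof(ULONG), 1)`.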
@@ -1001,21 +999,18 @@ NTSTATUS NTAPI HookedNtQueryInformationThread(HANDLE ThreadHandle, THREADINFOCLA
 ExGetPreviousMode() == UserMode && (ThreadInformationClass == ThreadHideFromDebugger || ThreadInformationClass == ThreadBreakOnTermination || ThreadInformationClass == ThreadWow64Context))
 {
- if (ThreadInformationLength != 0)
+ __try
 {
 const auto alignment = ThreadInformationLength < 4 ? 1 : 4;
-
- __try
- {
+ if(ThreadInformationLength != 0)
 ProbeForRead(ThreadInformation, ThreadInformationLength, alignment);
- if(ReturnLength != 0)
- ProbeForWrite(ReturnLength, 4, 1);
- }
- __except (EXCEPTION_EXECUTE_HANDLER)
- {
- return GetExceptionCode();
- }
+ if(ReturnLength != 0)
+ ProbeForWrite(ReturnLength, 4, 1);
+ }
+ __except (EXCEPTION_EXECUTE_HANDLER)
+ {
+ return GetExceptionCode();
 }
 if (ThreadInformationClass == ThreadHideFromDebugger)
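Review bot: A zero `ThreadInformationLength` still skips the probe in `if(ThreadInformationLength != 0)`, so `ThreadInformation` is never validated on that path. The class branches that follow (`if (ThreadInformationClass == ThreadHideFromDebugger)` onward, outside this hunk) therefore have to reject a length that does not match the class before they touch the buffer. If they do not already, each branch should start with a check such as `if (ThreadInformationLength != sizeof(BOOLEAN)) return STATUS_INFO_LENGTH_MISMATCH;`, using the size that class expects. The same holds for `ProcessInformationLength` in the HookedNtQueryInformationProcess hunk. A comment on the probe block, e.g. `// zero-length buffers are not probed; each class branch validates the length itself`, would make that dependency explicit.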