From: André Hentschel <nerv@dawncrow.de>
Subject: [2/3] ntdll: Alter security cookie on WIN64 (try 2)
Message-Id: <558082B1.5000404@dawncrow.de>
Date: Tue, 16 Jun 2015 22:10:25 +0200

This time ARM64-only
I had trouble with that patch for x86_64 when testing EmEditor...
Still it is the only way to get an app on arm64 to start...

---
 dlls/ntdll/virtual.c | 22 ++++++++++++++++++++++
 include/winnt.h      | 23 +++++++++++++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
index 72309f6..b1ce169 100644
--- a/dlls/ntdll/virtual.c
+++ b/dlls/ntdll/virtual.c
@@ -1053,6 +1053,25 @@ static NTSTATUS stat_mapping_file( struct file_view *view, struct stat *st )
     return status;
 }
 
+static void set_security_cookie(const char *base, const IMAGE_NT_HEADERS *nt)
+{
+#ifdef __aarch64__
+    if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
+    {
+        const IMAGE_NT_HEADERS64 *nt64 = (const IMAGE_NT_HEADERS64 *)nt;
+        DWORD addr;
+
+        if(IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG < nt64->OptionalHeader.NumberOfRvaAndSizes &&
+           (addr = nt64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress))
+        {
+            IMAGE_LOAD_CONFIG_DIRECTORY64 *loadcfg = (IMAGE_LOAD_CONFIG_DIRECTORY64 *)(base + addr);
+            ULONGLONG *cookie = (ULONGLONG *)loadcfg->SecurityCookie;
+
+            *cookie = 0x5ec0617fc0041eb9;
+        }
+    }
+#endif
+}
 
 /***********************************************************************
  *           map_image
@@ -1307,6 +1326,9 @@ static NTSTATUS map_image( HANDLE hmapping, int fd, char *base, SIZE_T total_siz
                  sec->Characteristics, sec->Name );
     }
 
+    /* adjust security cookie */
+    set_security_cookie(ptr, nt);
+
  done:
     view->mapping = dup_mapping;
     view->map_protect = map_vprot;
diff --git a/include/winnt.h b/include/winnt.h
index 08e7f48..53f5ab1 100644
--- a/include/winnt.h
+++ b/include/winnt.h
@@ -3643,6 +3643,29 @@ typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY {
   DWORD SEHandlerCount;
 } IMAGE_LOAD_CONFIG_DIRECTORY, *PIMAGE_LOAD_CONFIG_DIRECTORY;
 
+typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY64 {
+  DWORD     Size;
+  DWORD     TimeDateStamp;
+  WORD      MajorVersion;
+  WORD      MinorVersion;
+  DWORD     GlobalFlagsClear;
+  DWORD     GlobalFlagsSet;
+  DWORD     CriticalSectionDefaultTimeout;
+  ULONGLONG DeCommitFreeBlockThreshold;
+  ULONGLONG DeCommitTotalFreeThreshold;
+  ULONGLONG LockPrefixTable;
+  ULONGLONG MaximumAllocationSize;
+  ULONGLONG VirtualMemoryThreshold;
+  ULONGLONG ProcessAffinityMask;
+  DWORD     ProcessHeapFlags;
+  WORD      CSDVersion;
+  WORD      Reserved1;
+  ULONGLONG EditList;
+  ULONGLONG SecurityCookie;
+  ULONGLONG SEHandlerTable;
+  ULONGLONG SEHandlerCount;
+} IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
+
 typedef struct _IMAGE_FUNCTION_ENTRY {
   DWORD StartingAddress;
   DWORD EndingAddress;

-- 
1.9.1