From: André Hentschel
Subject: [2/3] ntdll: Alter security cookie on WIN64 (try 2)
Message-Id: <558082B1.5000404@dawncrow.de>
Date: Tue, 16 Jun 2015 22:10:25 +0200
This time ARM64-only I had trouble with that patch for x86_64 when testing EmEditor... Still it is the only way to get an app on arm64 to start...
---
 dlls/ntdll/virtual.c | 22 ++++++++++++++++++++++
 include/winnt.h | 23 +++++++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/dlls/ntdll/virtual.c b/dlls/ntdll/virtual.c
index 72309f6..b1ce169 100644
--- a/dlls/ntdll/virtual.c
+++ b/dlls/ntdll/virtual.c
@@ -1053,6 +1053,25 @@ static NTSTATUS stat_mapping_file( struct file_view *view, struct stat *st )
 return status;
 }
+static void set_security_cookie(const char *base, const IMAGE_NT_HEADERS *nt)
+{
+#ifdef __aarch64__
+ if (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
+ {
+ const IMAGE_NT_HEADERS64 *nt64 = (const IMAGE_NT_HEADERS64 *)nt;
+ DWORD addr;
+
+ if(IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG < nt64->OptionalHeader.NumberOfRvaAndSizes &&
+ (addr = nt64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress))
+ {
+ IMAGE_LOAD_CONFIG_DIRECTORY64 *loadcfg = (IMAGE_LOAD_CONFIG_DIRECTORY64 *)(base + addr);
+ ULONGLONG *cookie = (ULONGLONG *)loadcfg->SecurityCookie;
+
+ *cookie = 0x5ec0617fc0041eb9;
+ }
+ }
+#endif
+}
 /***********************************************************************
 * map_image
@@ -1307,6 +1326,9 @@ static NTSTATUS map_image( HANDLE hmapping, int fd, char *base, SIZE_T total_siz
 sec->Characteristics, sec->Name );
 }
+ /* adjust security cookie */
+ set_security_cookie(ptr, nt);
+
 done:
 view->mapping = dup_mapping;
 view->map_protect = map_vprot;
diff --git a/include/winnt.h b/include/winnt.h
index 08e7f48..53f5ab1 100644
--- a/include/winnt.h
+++ b/include/winnt.h
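Review bot: The value written through `*cookie` in set_security_cookie is a fixed constant, so every process mapped by this loader gets the same /GS cookie and the stack-protector check it feeds becomes predictable; the loader should derive a per-process value (system time and the mapping address are both available here) and, as the Windows loader does, only replace a cookie that still holds the CRT's compile-time default. The pointer `(ULONGLONG *)loadcfg->SecurityCookie` is taken straight from image data with no check that the load-config directory or the cookie address lies inside `[base, base + SizeOfImage)` or that `loadcfg->Size` covers the SecurityCookie field, so a truncated or malformed PE turns this into a wild write during mapping. SecurityCookie is an absolute virtual address, not an RVA: unless relocations have already been applied when map_image reaches this call (not visible in the hunk), it needs rebasing against `nt64->OptionalHeader.ImageBase`. Taking `base` as `const char *` while writing into the image is also misleading; the rewrite below drops the const, validates before dereferencing and marks the CRT default value as a placeholder to fill in.
```c
static void set_security_cookie(char *base, const IMAGE_NT_HEADERS *nt)
{
#ifdef __aarch64__
    const IMAGE_NT_HEADERS64 *nt64 = (const IMAGE_NT_HEADERS64 *)nt;
    const IMAGE_LOAD_CONFIG_DIRECTORY64 *loadcfg;
    ULONGLONG rva, *cookie;
    LARGE_INTEGER now;
    DWORD addr;

    if (nt->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC) return;
    if (IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG >= nt64->OptionalHeader.NumberOfRvaAndSizes) return;
    addr = nt64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress;
    /* the directory header and the fields up to SecurityCookie must lie inside the mapped image */
    if (!addr || addr > nt64->OptionalHeader.SizeOfImage - sizeof(loadcfg->Size)) return;
    loadcfg = (const IMAGE_LOAD_CONFIG_DIRECTORY64 *)(base + addr);
    if (loadcfg->Size < FIELD_OFFSET(IMAGE_LOAD_CONFIG_DIRECTORY64, SEHandlerTable) ||
        loadcfg->Size > nt64->OptionalHeader.SizeOfImage - addr) return;
    if (!loadcfg->SecurityCookie) return;

    /* SecurityCookie is a VA; rebase it here if relocations have not been applied yet (confirm against map_image) */
    rva = loadcfg->SecurityCookie - nt64->OptionalHeader.ImageBase;
    if (rva > nt64->OptionalHeader.SizeOfImage - sizeof(*cookie)) return;
    cookie = (ULONGLONG *)(base + rva);

    /* like the Windows loader, leave a cookie alone unless it still holds the CRT's compile-time default */
    if (*cookie != DEFAULT_SECURITY_COOKIE_64 /* placeholder: the CRT's 64-bit default cookie value */) return;

    /* per-process value: mix the clock with the (possibly randomised) mapping address; never leave zero or the default */
    NtQuerySystemTime( &now );
    *cookie = now.QuadPart ^ ((ULONGLONG)(ULONG_PTR)cookie << 16);
    if (!*cookie || *cookie == DEFAULT_SECURITY_COOKIE_64) (*cookie)++;
#endif
}
```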
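Review bot: The comment `/* adjust security cookie */` added in map_image says what the call does but not why it exists, and the commit message is currently the only record that arm64 images do not start without it; put that reason in the code, e.g. `/* arm64 images fail to start unless the loader initialises the /GS cookie named in the load config (see set_security_cookie) */`. The enclosing function map_image begins and ends outside the hunk, so it cannot be confirmed from here whether `ptr` is the final mapped address or whether relocations have already been performed at this point. If they have not, the call should move after relocation, since the cookie location is stored in the image as an absolute virtual address.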
@@ -3643,6 +3643,29 @@ typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY {
 DWORD SEHandlerCount;
 } IMAGE_LOAD_CONFIG_DIRECTORY, *PIMAGE_LOAD_CONFIG_DIRECTORY;
+typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY64 {
+ DWORD Size;
+ DWORD TimeDateStamp;
+ WORD MajorVersion;
+ WORD MinorVersion;
+ DWORD GlobalFlagsClear;
+ DWORD GlobalFlagsSet;
+ DWORD CriticalSectionDefaultTimeout;
+ ULONGLONG DeCommitFreeBlockThreshold;
+ ULONGLONG DeCommitTotalFreeThreshold;
+ ULONGLONG LockPrefixTable;
+ ULONGLONG MaximumAllocationSize;
+ ULONGLONG VirtualMemoryThreshold;
+ ULONGLONG ProcessAffinityMask;
+ DWORD ProcessHeapFlags;
+ WORD CSDVersion;
+ WORD Reserved1;
+ ULONGLONG EditList;
+ ULONGLONG SecurityCookie;
+ ULONGLONG SEHandlerTable;
+ ULONGLONG SEHandlerCount;
+} IMAGE_LOAD_CONFIG_DIRECTORY64, *PIMAGE_LOAD_CONFIG_DIRECTORY64;
+
 typedef struct _IMAGE_FUNCTION_ENTRY {
 DWORD StartingAddress;
 DWORD EndingAddress;
-- 
1.9.1
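Review bot: The new struct is introduced only under the suffixed name IMAGE_LOAD_CONFIG_DIRECTORY64 while the existing 32-bit layout keeps the unsuffixed IMAGE_LOAD_CONFIG_DIRECTORY, which diverges from the SDK convention this header follows for IMAGE_NT_HEADERS (the virtual.c hunk already casts to IMAGE_NT_HEADERS64): there the unsuffixed name resolves to the 32- or 64-bit variant under `_WIN64`. Consider adding an `IMAGE_LOAD_CONFIG_DIRECTORY32` name for the existing layout and selecting the unsuffixed alias with a `#ifdef _WIN64` block, so 64-bit code can use IMAGE_LOAD_CONFIG_DIRECTORY directly instead of hard-coding the 64 variant. The field types as written place SecurityCookie at offset 88 with natural alignment, which matches the PE32+ load-config layout, so no packing pragma is needed; a short comment recording that, `/* PE32+ layout: SecurityCookie at offset 0x58, natural alignment */`, would spare the next reader the arithmetic.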