Updated to V4.6

Author: Broihon

GH Injector Library/Error.h

@@ -148,6 +148,7 @@
 #define SR_NTCTE_ERR_SHELLCODE_SETUP_FAIL	0x1010000B	//shellcode					: - 					: argument passed to the shellcode is 0
 #define SR_NTCTE_ERR_RPM_FAIL				0x1010000C	//ReadProcessMemory			: win32 error			: reading the results of the shellcode failed
 #define SR_NTCTE_ERR_CANT_FIND_THREAD		0x1010000D	//internal error			: -						: ProcessInfo class failed to resolve information about the new thread
+#define SR_NTCTE_ERR_NTQIT_FAIL				0x1010000E	//NtQueryInformationThread	: NTSTATUS				: failed to get THREAD_BASIC_INFORMATION
 
 
 ///////////////

GH Injector Library/FakeVEH WOW64.cpp

@@ -51,8 +51,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,5,0,0
- PRODUCTVERSION 4,5,0,0
+ FILEVERSION 4,6,0,0
+ PRODUCTVERSION 4,6,0,0
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -69,10 +69,10 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "Guided Hacking"
             VALUE "FileDescription", "Injection library of the GH Injector"
-            VALUE "FileVersion", "4.5.0.0"
+            VALUE "FileVersion", "4.6.0.0"
             VALUE "LegalCopyright", "Broihon (C) 1987 - 2035"
             VALUE "ProductName", "GH Injection Library"
-            VALUE "ProductVersion", "4.5.0.0"
+            VALUE "ProductVersion", "4.6.0.0"
         END
     END
     BLOCK "VarFileInfo"

GH Injector Library/FakeVEH.cpp

@@ -22,7 +22,7 @@
     <VCProjectVersion>15.0</VCProjectVersion>
     <ProjectGuid>{AC732425-E265-40FF-842F-C59CECE9A96C}</ProjectGuid>
     <RootNamespace>GHInjectorLibrary</RootNamespace>
-    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+    <WindowsTargetPlatformVersion>10.0.20348.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">

GH Injector Library/GH Injector Library.aps

@@ -331,20 +331,22 @@ DWORD __declspec(code_seg(".inj_sec$1")) __stdcall InjectionShell(INJECTION_DATA
 				return INJ_ERR_LDRP_PREPROCESS_FAILED;
 			}
 
-			ULONG_PTR unknown = 0;
+			NTSTATUS nt_out = 0;
 
 			if (pData->OSBuildNumber >= g_Win11_21H2) //Win11 prototype has an additional argument
 			{
 				auto _LdrpLoadDllInternal = ReCa<f_LdrpLoadDllInternal_WIN11>(f->LdrpLoadDllInternal);
-				pData->LastError = _LdrpLoadDllInternal(&pData->ModuleFileNameBundle.String, ctx, ctx_flags, 4, nullptr, nullptr, ReCa<LDR_DATA_TABLE_ENTRY_WIN11 **>(&entry_out), &unknown, 0);
+				_LdrpLoadDllInternal(&pData->ModuleFileNameBundle.String, ctx, ctx_flags, 4, nullptr, nullptr, ReCa<LDR_DATA_TABLE_ENTRY_WIN11 **>(&entry_out), &nt_out, 0);
 			}
 			else
 			{
-				pData->LastError = f->LdrpLoadDllInternal(&pData->ModuleFileNameBundle.String, ctx, ctx_flags, 4, nullptr, nullptr, ReCa<LDR_DATA_TABLE_ENTRY_WIN10 **>(&entry_out), &unknown);
+				f->LdrpLoadDllInternal(&pData->ModuleFileNameBundle.String, ctx, ctx_flags, 4, nullptr, nullptr, ReCa<LDR_DATA_TABLE_ENTRY_WIN10 **>(&entry_out), &nt_out);
 			}
 
-			if (NT_FAIL(pData->LastError))
+			if (NT_FAIL(nt_out))
 			{
+				pData->LastError = (DWORD)nt_out;
+
 				return INJ_ERR_LDRPLDLLINTERNAL_FAILED;
 			}
 		}

GH Injector Library/GH Injector Library.rc

@@ -447,7 +447,7 @@ __forceinline NTSTATUS LoadModule(MANUAL_MAPPING_DATA * pData, MANUAL_MAPPING_FU
 			DeleteObject(f, pModPathW);
 			DeleteObject(f, ModNameW->szBuffer);
 			DeleteObject(f, ModNameW);
-
+			
 			return ntRet;
 		}
 
@@ -470,16 +470,14 @@ __forceinline NTSTATUS LoadModule(MANUAL_MAPPING_DATA * pData, MANUAL_MAPPING_FU
 			ctx->OriginalFullDllName = ModNameW->szBuffer;
 		}
 
-		ULONG_PTR unknown3 = 0;
-
 		if (pData->OSBuildNumber >= g_Win11_21H2)
 		{
 			auto _LdrpLoadDllInternal = ReCa<f_LdrpLoadDllInternal_WIN11>(f->LdrpLoadDllInternal);
-			ntRet = _LdrpLoadDllInternal(&pModPathW->String, ctx, ctx_flags, 4, nullptr, nullptr, ReCa<LDR_DATA_TABLE_ENTRY_WIN11 **>(&entry_out), &unknown3, 0);
+			_LdrpLoadDllInternal(&pModPathW->String, ctx, ctx_flags, 4, nullptr, nullptr, ReCa<LDR_DATA_TABLE_ENTRY_WIN11 **>(&entry_out), &ntRet, 0);
 		}
 		else
 		{
-			ntRet = f->LdrpLoadDllInternal(&pModPathW->String, ctx, ctx_flags, 4, nullptr, nullptr, ReCa<LDR_DATA_TABLE_ENTRY_WIN10 **>(&entry_out), &unknown3);
+			f->LdrpLoadDllInternal(&pModPathW->String, ctx, ctx_flags, 4, nullptr, nullptr, ReCa<LDR_DATA_TABLE_ENTRY_WIN10 **>(&entry_out), &ntRet);
 		}
 
 		DeleteObject(f, ctx);
@@ -817,6 +815,7 @@ DWORD __declspec(code_seg(".mmap_sec$1")) __stdcall ManualMapping_Shell(MANUAL_M
 			veh_shell_data->ImgBase		= ReCa<ULONG_PTR>(pBase);
 			veh_shell_data->ImgSize		= pOptionalHeader->SizeOfImage;
 			veh_shell_data->OSVersion	= pData->OSVersion;
+
 			veh_shell_data->_LdrpInvertedFunctionTable	= f->LdrpInvertedFunctionTable;
 			veh_shell_data->_LdrProtectMrdata			= f->LdrProtectMrdata;
 
@@ -945,6 +944,18 @@ DWORD __declspec(code_seg(".mmap_sec$1")) __stdcall ManualMapping_Shell(MANUAL_M
 
 			if (NT_FAIL(ntRet))
 			{
+				if (ntRet == STATUS_APISET_NOT_HOSTED)
+				{
+					++pImportDescr;
+
+					if (pImportDescr >= ReCa<IMAGE_IMPORT_DESCRIPTOR *>(pBase + pImportDir->VirtualAddress + pImportDir->Size))
+					{
+						break;
+					}
+
+					continue;
+				}
+
 				//unable to load required library
 				ErrorBreak = true;
 				break;
@@ -1046,12 +1057,23 @@ DWORD __declspec(code_seg(".mmap_sec$1")) __stdcall ManualMapping_Shell(MANUAL_M
 		while (pDelayImportDescr && pDelayImportDescr->DllNameRVA)
 		{
 			char * szMod = ReCa<char *>(pBase + pDelayImportDescr->DllNameRVA);
-			
 			HINSTANCE hDll = NULL;
 			ntRet = LoadModule(pData, f, szMod, &hDll, &delay_imports);
 
 			if (NT_FAIL(ntRet))
 			{
+				if (ntRet == STATUS_APISET_NOT_HOSTED)
+				{
+					++pDelayImportDescr;
+
+					if (pDelayImportDescr >= ReCa<IMAGE_DELAYLOAD_DESCRIPTOR *>(pBase + pDelayImportDir->VirtualAddress + pDelayImportDir->Size))
+					{
+						break;
+					}
+
+					continue;
+				}
+
 				ErrorBreak = true;
 				break;
 			}
@@ -1217,9 +1239,9 @@ DWORD __declspec(code_seg(".mmap_sec$1")) __stdcall ManualMapping_Shell(MANUAL_M
 		bool partial = true;
 
 #ifdef _WIN64
-		if (veh_shell_fixed)
+		if (veh_shell_fixed) //really needed for x64?
 		{
-			//register VEH shell to fill handler list
+			//register VEH shell to fill SEH handler list
 			pData->hVEH = f->RtlAddVectoredExceptionHandler(0, ReCa<PVECTORED_EXCEPTION_HANDLER>(pVEHShell));
 		}
 #endif

GH Injector Library/GH Injector Library.vcxproj

@@ -30,6 +30,7 @@
 #define STATUS_UNSUCCESSFUL			0xC0000001
 #define STATUS_NOT_IMPLEMENTED		0xC0000002
 #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
+#define STATUS_APISET_NOT_HOSTED	0xC0000481
 
 #define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
 

GH Injector Library/Injection Generic.cpp

@@ -160,7 +160,7 @@ using f_LdrpLoadDll = NTSTATUS (__fastcall *)
 	LDR_DATA_TABLE_ENTRY		**	ldr_out
 );
 
-using f_LdrpLoadDllInternal = NTSTATUS (__fastcall *)
+using f_LdrpLoadDllInternal = VOID (__fastcall *)
 (
 	UNICODE_STRING				*	dll_path, 
 	LDRP_PATH_SEARCH_CONTEXT	*	search_path,
@@ -169,10 +169,10 @@ using f_LdrpLoadDllInternal = NTSTATUS (__fastcall *)
 	LDR_DATA_TABLE_ENTRY_WIN10	*	Unknown1,	//set to nullptr
 	LDR_DATA_TABLE_ENTRY_WIN10	*	Unknown2,	//set to nullptr
 	LDR_DATA_TABLE_ENTRY_WIN10	**	ldr_out,
-	ULONG_PTR					*	Unknown3	//set to pointer to nullptr
+	NTSTATUS					*	ntRet
 );
 
-using f_LdrpLoadDllInternal_WIN11 = NTSTATUS (__fastcall *)
+using f_LdrpLoadDllInternal_WIN11 = VOID (__fastcall *)
 (
 	UNICODE_STRING				*	dll_path, 
 	LDRP_PATH_SEARCH_CONTEXT	*	search_path,
@@ -181,7 +181,7 @@ using f_LdrpLoadDllInternal_WIN11 = NTSTATUS (__fastcall *)
 	LDR_DATA_TABLE_ENTRY_WIN11	*	Unknown1,	//set to nullptr
 	LDR_DATA_TABLE_ENTRY_WIN11	*	Unknown2,	//set to nullptr
 	LDR_DATA_TABLE_ENTRY_WIN11	**	ldr_out,
-	ULONG_PTR					*	Unknown3,	//set to pointer to nullptr
+	NTSTATUS					*	ntRet,
 	ULONG							Unknown4	//set to 0
 );
 
@@ -476,9 +476,9 @@ using f_LdrpTlsList					= LIST_ENTRY *;
 using f_RtlpUnhandledExceptionFilter	= ULONG_PTR *; //encrypted with RtlEncodePointer, points to kernel32.UnhandledExceptionFilter
 
 //kernel32.dll:
-using f_UnhandledExceptionFilter		= ULONG_PTR *; //PTOP_LEVEL_EXCEPTION_FILTER 
+using f_UnhandledExceptionFilter		= ULONG_PTR *; //PTOP_LEVEL_EXCEPTION_FILTER
 using f_SingleHandler					= ULONG_PTR *; //encrypted with RtlEncodePointer, points to kernel32.DefaultHandler
-using f_DefaultHandler					= ULONG_PTR *; //PTOP_LEVEL_EXCEPTION_FILTER 
+using f_DefaultHandler					= ULONG_PTR *; //PTOP_LEVEL_EXCEPTION_FILTER
 
 #pragma endregion
 

GH Injector Library/Manual Mapping.cpp

@@ -55,7 +55,8 @@ DWORD SR_NtCreateThreadEx(HANDLE hTargetProc, f_Routine pRoutine, void * pArg, D
 
 	if (Flags & INJ_CTF_SKIP_THREAD_ATTACH)
 	{
-		ntFlags |= THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH;
+		ntFlags |= THREAD_CREATE_FLAGS_CREATE_SUSPENDED;
+		//ntFlags |= THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH;
 	}
 
 	if (Flags & INJ_CTF_FAKE_TEB_CLIENT_ID)
@@ -297,7 +298,61 @@ DWORD SR_NtCreateThreadEx(HANDLE hTargetProc, f_Routine pRoutine, void * pArg, D
 		}
 
 		LOG(2, "Thread redirected\n");
+	}
+
+	if (Flags & INJ_CTF_SKIP_THREAD_ATTACH)
+	{
+		THREAD_BASIC_INFORMATION tbi{ 0 };
+		ntRet = NATIVE::NtQueryInformationThread(hThread, THREADINFOCLASS::ThreadBasicInformation, &tbi, sizeof(tbi), nullptr);
+		if (NT_FAIL(ntRet) || !tbi.TebBaseAddress)
+		{
+			INIT_ERROR_DATA(error_data, ntRet);
+
+			LOG(2, "NtQueryInformationThread failed: %08X\n", error_data.AdvErrorCode);
+
+			TerminateThread(hThread, 0);
+			CloseHandle(hThread);
 
+			VirtualFreeEx(hTargetProc, pMem, 0, MEM_RELEASE);
+
+			return SR_NTCTE_ERR_NTQIT_FAIL;
+		}
+
+		WORD same_teb_flags = 0;
+		if (!ReadProcessMemory(hTargetProc, ReCa<BYTE *>(tbi.TebBaseAddress) + TEB_SameTebFlags, &same_teb_flags, sizeof(same_teb_flags), nullptr))
+		{
+			INIT_ERROR_DATA(error_data, GetLastError());
+
+			LOG(2, "ReadProcessMemory failed: %08X\n", error_data.AdvErrorCode);
+
+			TerminateThread(hThread, 0);
+			CloseHandle(hThread);
+
+			VirtualFreeEx(hTargetProc, pMem, 0, MEM_RELEASE);
+
+			return SR_NTCTE_ERR_RPM_FAIL;
+		}
+
+		same_teb_flags |= TEB_SAMETEB_FLAGS_SkipAttach;
+		if (!WriteProcessMemory(hTargetProc, ReCa<BYTE *>(tbi.TebBaseAddress) + TEB_SameTebFlags, &same_teb_flags, sizeof(same_teb_flags), nullptr))
+		{
+			INIT_ERROR_DATA(error_data, GetLastError());
+
+			LOG(2, "WriteProcessMemory failed: %08X\n", error_data.AdvErrorCode);
+
+			TerminateThread(hThread, 0);
+			CloseHandle(hThread);
+
+			VirtualFreeEx(hTargetProc, pMem, 0, MEM_RELEASE);
+
+			return SR_NTCTE_ERR_WPM_FAIL;
+		}
+
+		LOG(2, "Fixed TEB flags\n");
+	}
+
+	if (ntFlags & THREAD_CREATE_FLAGS_CREATE_SUSPENDED)
+	{
 		if (ResumeThread(hThread) == (DWORD)-1)
 		{
 			INIT_ERROR_DATA(error_data, GetLastError());

GH Injector Library/NT Defs.h

@@ -19,7 +19,8 @@
 
 #define TEB_WowTebOffset_64 0x180C //Win10+ only
 
-#define TEB_SAMETEB_FLAGS_LoaderWorker 0x2000
+#define TEB_SAMETEB_FLAGS_SkipAttach	0x0008
+#define TEB_SAMETEB_FLAGS_LoaderWorker	0x2000
 
 #ifdef _WIN64
 #define TEB_SameTebFlags TEB_SameTebFlags_64

GH Injector Library/NT Funcs.h

@@ -55,6 +55,7 @@ ALIGN struct SR_REMOTE_DATA_VEH
 	ALIGN f_LdrProtectMrdata	pLdrProtectMrdata	= nullptr;
 	ALIGN LIST_ENTRY	*		pListHead			= nullptr;
 	ALIGN LIST_ENTRY	*		pFakeEntry			= nullptr;
+	ALIGN bool					bRemoveVEHBit		= false;
 };
 
 #define PTR_64_ARR 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -63,8 +64,8 @@ ALIGN struct SR_REMOTE_DATA_VEH
 #define SR_REMOTE_DATA_BUFFER_64 PTR_64_ARR PTR_64_ARR PTR_64_ARR PTR_64_ARR PTR_64_ARR PTR_64_ARR
 #define SR_REMOTE_DATA_BUFFER_86 PTR_86_ARR PTR_86_ARR PTR_86_ARR PTR_86_ARR PTR_86_ARR PTR_86_ARR
 
-#define SR_REMOTE_DATA_BUFFER_VEH_64 SR_REMOTE_DATA_BUFFER_64 PTR_64_ARR PTR_64_ARR PTR_64_ARR
-#define SR_REMOTE_DATA_BUFFER_VEH_86 SR_REMOTE_DATA_BUFFER_86 PTR_86_ARR PTR_86_ARR PTR_86_ARR
+#define SR_REMOTE_DATA_BUFFER_VEH_64 SR_REMOTE_DATA_BUFFER_64 PTR_64_ARR PTR_64_ARR PTR_64_ARR PTR_64_ARR
+#define SR_REMOTE_DATA_BUFFER_VEH_86 SR_REMOTE_DATA_BUFFER_86 PTR_86_ARR PTR_86_ARR PTR_86_ARR PTR_86_ARR
 
 #ifdef _WIN64
 	#define SR_REMOTE_DATA_BUFFER SR_REMOTE_DATA_BUFFER_64
@@ -125,6 +126,7 @@ ALIGN_86 struct SR_REMOTE_DATA_VEH_WOW64
 	ALIGN_86 DWORD pLdrProtectMrdata	= 0;
 	ALIGN_86 DWORD pListHead			= 0;
 	ALIGN_86 DWORD pFakeEntry			= 0;
+	ALIGN_86 DWORD bRemoveVEHBit		= 0;
 };
 
 #define SR_REMOTE_DATA_BUFFER_WOW64 SR_REMOTE_DATA_BUFFER_86

GH Injector Library/NtCreateThreadEx.cpp

@@ -6,11 +6,11 @@
 
 #define GH_INJ_MOD_NAME64W L"GH Injector - x64.dll"
 #define GH_INJ_MOD_NAME86W L"GH Injector - x86.dll"
-#define GH_INJ_VERSIONW L"4.5"
+#define GH_INJ_VERSIONW L"4.6"
 
 #define GH_INJ_MOD_NAME64A "GH Injector - x64.dll"
 #define GH_INJ_MOD_NAME86A "GH Injector - x86.dll"
-#define GH_INJ_VERSIONA "4.5"
+#define GH_INJ_VERSIONA "4.6"
 
 #ifdef _WIN64
 #define GH_INJ_MOD_NAMEW GH_INJ_MOD_NAME64W