FIX watermark on insider versions without debug symbol requirement. Add RVA resolution, binary scans, and task install. #25
Open
jcnnik wants to merge 2 commits intomachineonamission:masterfrom
Open
Conversation
Introduce multi-tier RVA resolution and automation features. - Added scan_dll.rs: helpers to read/parse on-disk shell32.dll, section/RVA conversions, pattern save/load, and multi-pattern scanning. - Added structural_scan.rs: structural GDI-call heuristic to locate CDesktopWatermark::s_DesktopBuildPaint without PDBs (IAT lookup, indirect-call discovery, arg checks, .pdata/prologue fallback). - Added scheduled_task.rs: install/remove Windows scheduled task via PowerShell to re-run the inject command at logon. - Expanded cache_pdb.rs: implement fallback chain (cached .rva, symbol server via try_fetch, multi-pattern binary scan using patterns.bin, structural scan, and panic with manual recovery instructions); save patterns.bin and manage cached .rva files; added seed_rva to accept manual patch-rva. - Updated fetch_pdb.rs: try_fetch returns Option<Vec<u8>> and treats 404 as "PDB not yet available" while panicking on other network errors. - Updated explorer_modinfo.rs: added verify_rva that reads live explorer.exe memory to verify bytes (uses ReadProcessMemory). - Updated main.rs & help.txt: register new subcommands (patch-rva, install-task, remove-task), wire seed+inject flow for patch-rva, and document new commands in help text. Overall this change improves robustness when PDBs are missing by enabling cached RVAs, binary-pattern scanning, structural heuristics, manual seeding, and automated re-patching across logons.
There was a problem hiding this comment.
Pull request overview
This PR improves the tool’s ability to locate and patch CDesktopWatermark::s_DesktopBuildPaint even when Microsoft PDBs aren’t available, by adding on-disk DLL scanning heuristics, a multi-tier RVA resolution/caching pipeline, and optional scheduled-task automation to re-apply the patch at logon.
Changes:
- Added PE/section helpers plus single-/multi-pattern executable-section scanning and patterns.bin persistence.
- Implemented a structural scan (GDI IAT + call-site heuristics) and integrated it into the RVA fallback chain alongside cache + symbol-server fetching.
- Added new CLI subcommands (
patch-rva,install-task,remove-task) and scheduled task installation/removal via PowerShell.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| src/structural_scan.rs | Adds a no-PDB structural heuristic to locate the target function via import/call-site analysis. |
| src/scheduled_task.rs | Adds PowerShell-based scheduled task install/remove to auto-run inject at logon. |
| src/scan_dll.rs | Adds on-disk shell32.dll parsing helpers, RVA↔file-offset conversion, and pattern scanning + patterns.bin save/load. |
| src/main.rs | Wires new subcommands (patch-rva, install-task, remove-task) into the CLI. |
| src/fetch_pdb.rs | Updates symbol fetching to treat 404 as “not yet available” and return Option. |
| src/explorer_modinfo.rs | Adds live-process RVA verification via ReadProcessMemory. |
| src/cache_pdb.rs | Reworks RVA resolution into a fallback chain (cache → symbol server → pattern scan → structural scan). |
| help.txt | Documents new commands and updates inject command description. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+53
to
+60
| let anchor = scan_dll::read_at_rva(&dll_bytes, rva, 8).unwrap_or_default(); | ||
| let verified = unsafe { verify_rva(rva, &anchor) }; | ||
| if verified { | ||
| println!("Structural scan: verified RVA {rva:#x}. Caching..."); | ||
| save_rva_and_patterns(&dir, &guid, rva); | ||
| return rva; | ||
| } | ||
| eprintln!("Structural scan returned {rva:#x} but live-process verification failed."); |
Comment on lines
+27
to
+28
| let file = fs::read(rva_path).unwrap(); | ||
| return u32::from_be_bytes(file.try_into().unwrap()); |
Comment on lines
+9
to
+17
| pub fn try_fetch(url: String) -> Option<Vec<u8>> { | ||
| let resp = match ureq::get(url.as_str()).call() { | ||
| Ok(r) => r, | ||
| Err(ureq::Error::Status(404, _)) => { | ||
| println!("Symbol server returned 404 — PDB not yet available."); | ||
| return None; | ||
| } | ||
| Err(e) => panic!("Failed to fetch PDB: {e}"), | ||
| }; |
Comment on lines
+59
to
+69
| let e_lfanew = u32::from_le_bytes(dll[0x3C..0x40].try_into().ok()?) as usize; | ||
| let opt_hdr = e_lfanew + 24; | ||
| if opt_hdr + 2 > dll.len() { return None; } | ||
|
|
||
| // Require PE32+ (Magic = 0x020B) | ||
| let magic = u16::from_le_bytes(dll[opt_hdr..opt_hdr + 2].try_into().ok()?); | ||
| if magic != 0x020B { return None; } | ||
|
|
||
| // DataDirectory[1] (Import Directory) is at optional-header offset 120 | ||
| let import_dir_rva = | ||
| u32::from_le_bytes(dll[opt_hdr + 120..opt_hdr + 124].try_into().ok()?); |
Comment on lines
+112
to
+118
| if val & 0x8000_0000_0000_0000 == 0 { | ||
| // import by name: val is RVA to IMAGE_IMPORT_BY_NAME | ||
| let ibn_file = rva_to_file_offset(dll, val as u32)? as usize + 2; // skip Hint | ||
| if let Some(nul) = dll[ibn_file..].iter().position(|&b| b == 0) { | ||
| if let Ok(n) = std::str::from_utf8(&dll[ibn_file..ibn_file + nul]) { | ||
| if n == name { return Some(idx); } | ||
| } |
Comment on lines
+14
to
+33
| let e_lfanew = u32::from_le_bytes(dll[0x3C..0x40].try_into().unwrap()) as usize; | ||
| let num_sections = | ||
| u16::from_le_bytes(dll[e_lfanew + 6..e_lfanew + 8].try_into().unwrap()) as usize; | ||
| let opt_hdr_size = | ||
| u16::from_le_bytes(dll[e_lfanew + 20..e_lfanew + 22].try_into().unwrap()) as usize; | ||
| // PE sig (4) + COFF header (20) + optional header | ||
| let sec_base = e_lfanew + 24 + opt_hdr_size; | ||
|
|
||
| (0..num_sections) | ||
| .map(|i| { | ||
| let b = sec_base + i * 40; | ||
| Section { | ||
| virtual_size: u32::from_le_bytes(dll[b + 8..b + 12].try_into().unwrap()), | ||
| virtual_address: u32::from_le_bytes(dll[b + 12..b + 16].try_into().unwrap()), | ||
| raw_size: u32::from_le_bytes(dll[b + 16..b + 20].try_into().unwrap()), | ||
| ptr_to_raw: u32::from_le_bytes(dll[b + 20..b + 24].try_into().unwrap()), | ||
| characteristics: u32::from_le_bytes(dll[b + 36..b + 40].try_into().unwrap()), | ||
| } | ||
| }) | ||
| .collect() |
Comment on lines
+52
to
+55
| fn patch_rva(hex: &str) { | ||
| let rva = u32::from_str_radix(hex.trim_start_matches("0x").trim_start_matches("0X"), 16) | ||
| .unwrap_or_else(|_| panic!("invalid hex RVA: {hex}")); | ||
| println!("RVA is {rva:#x}"); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Introduce multi-tier RVA resolution and automation features.
Overall this change improves robustness when PDBs are missing by enabling cached RVAs, binary-pattern scanning, structural heuristics, manual seeding, and automated re-patching across logons.
Fix for #21