Bug 1:

Problem:

find_module_by_hash used a conditional SEH block around ExAcquireResourceSharedLite at PASSIVE_LEVEL.
Even though in my test case it executes at PASSIVE_LEVEL, the function occasionally triggered a FAST_ERESOURCE_PRECONDITION_VIOLATION or ATTEMPT_TO_WRITE_READONLY_MEMORY

Cause:

the function which has __try/__except block could have catched an internal exception and left the resource not acquired, later the resource was acceded regardless (resource_acquired boolean was defined and set but never was checked).

Solution:

• Fully restricted the routine at IRQL = PASSIVE_LEVEL as most of operations done implies paged memory access and syncs.
• Completely remove the conditional and SEH wrapper around resource acquisition.

Tested versions:

• Windows 10 22H2 (19045.3757)
• Windows 11 25H2 (26200.6584)

Bug 2:

on integrity.h:

constexpr uint32_t IMAGE_SCN_MEM_EXECUTE = 0x20000000;

Problem

IMAGE_SCN_MEM_EXECUTE is a macro defined in ntimage.h, attempting to define a constant/variable with the same name will make expression look like this after preprocessing

constexpr uint32_t 0x20000000 = 0x20000000;

which causes a compile time error.

Cause

Including ntimage.h in the working project

Solution

Wrapped the constant definition in a preprocessor guard