Leaked source code of windows server 2003
/*++

Copyright (c) 2000-2002 Microsoft Corporation

Module Name:

    Shrinker.cpp

Abstract:

    Fix Shrinker library problem. This library patches some ntdll and kernel32
    opcodes in an unreliable way.

    First, it searches for the matching opcode within 32 bytes of the hooked
    function (the function address is retrieved from GetProcAddress and the
    opcode bytes are read via ReadProcessMemory).

    If it finds the opcode, it replaces it with its own opcode to redirect the
    call into its own routine.

    Unfortunately, the opcode in Whistler has changed, so the result is
    unpredictable: either unexpected behavior from replacing the wrong opcode,
    or the app terminates itself because the matching opcode can't be found.

    We fixed this by providing an exact matching opcode.

    Addition: Shrinker also checks ExitProcess for exact opcodes; these have
    recently changed and no longer match its hard-coded values. We now provide
    matching opcodes for ExitProcess also.

Notes:

    Hooking ntdll!LdrAccessResource to emulate Win2K's version of it.
    Hooking Kernel32!ExitProcess to emulate Win2K's version of it.

History:

    11/17/2000 andyseti  Created
    04/30/2001 mnikkel   Added ExitProcess
    05/01/2001 mnikkel   Corrected calls to ldraccessresource and exitprocess
    02/20/2002 mnikkel   Corrected exitprocess parameter to remove w4 warning

--*/

#include "precomp.h"
#include <nt.h>

IMPLEMENT_SHIM_BEGIN(Shrinker)
#include "ShimHookMacro.h"

APIHOOK_ENUM_BEGIN
    APIHOOK_ENUM_ENTRY(LdrAccessResource)
    APIHOOK_ENUM_ENTRY(ExitProcess)
APIHOOK_ENUM_END

__declspec(naked)
NTSTATUS
APIHOOK(LdrAccessResource)(
    IN PVOID /*DllHandle*/,
    IN const IMAGE_RESOURCE_DATA_ENTRY* /*ResourceDataEntry*/,
    OUT PVOID * /*Address*/ OPTIONAL,
    OUT PULONG /*Size*/ OPTIONAL)
{
    _asm {
        // Shrinker needs this opcode signature (found in Win2K), but the
        // actual LdrAccessResource no longer has it. The four pushes re-push
        // the caller's four arguments in order: each push lowers esp by 4,
        // so [esp+0x10] walks from the 4th argument down to the 1st.
        push [esp+0x10]
        push [esp+0x10]
        push [esp+0x10]
        push [esp+0x10]
        call dword ptr [LdrAccessResource]
        ret 0x10            // on exit, pop the caller's 16 bytes of arguments.
    }
}

__declspec(naked)
VOID
APIHOOK(ExitProcess)(
    UINT /*uExitCode*/
    )
{
    _asm {
        // Shrinker looks for these exact opcodes at the start of ExitProcess
        // (Win2K's SEH-style prologue), but the routine has changed.
        push ebp
        mov ebp,esp
        push 0xFFFFFFFF
        push 0x77e8f3b0
        // Forward uExitCode: after push ebp / mov ebp,esp the first argument
        // is at [ebp+8] ([ebp+4] is the return address).
        push [ebp+8]
        call dword ptr [ExitProcess]
        pop ebp
        ret 4
    }
}

/*++

    Register hooked functions

--*/

HOOK_BEGIN
    APIHOOK_ENTRY(NTDLL.DLL, LdrAccessResource)
    APIHOOK_ENTRY(KERNEL32.DLL, ExitProcess)
HOOK_END

IMPLEMENT_SHIM_END
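To make the header comment's point concrete, here is an added example in C (not part of the leaked source) that models the exact-opcode scan Shrinker performs over a 32-byte window and shows why the hook's re-created prologue satisfies it while a changed prologue does not. Every byte sequence below is constructed, and the encoding of push -1 as 6A FF is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Shrinker reads the first bytes of a function (GetProcAddress +
 * ReadProcessMemory) and looks for an exact opcode sequence within
 * 32 bytes. This models that scan. */
#define SCAN_WINDOW 32

/* Offset of the first exact match lying entirely inside the window,
 * or -1 when there is none (the case the shim exists to avoid). */
int find_opcode_signature(const uint8_t *func, size_t func_len,
                          const uint8_t *sig, size_t sig_len)
{
    size_t limit = func_len < SCAN_WINDOW ? func_len : SCAN_WINDOW;
    if (sig_len == 0 || sig_len > limit)
        return -1;
    for (size_t off = 0; off + sig_len <= limit; off++) {
        if (memcmp(func + off, sig, sig_len) == 0)
            return (int)off;
    }
    return -1;
}

/* Constructed bytes for the Win2K-style prologue the ExitProcess hook
 * re-creates: push ebp / mov ebp,esp / push -1 / push 0x77e8f3b0.
 * Assumes the assembler emits the short form 6A FF for push -1. */
const uint8_t kExpectedPrologue[] = {
    0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x68, 0xB0, 0xF3, 0xE8, 0x77 };

/* Constructed stand-in for a newer build whose prologue differs
 * (push ebp / mov ebp,esp / sub esp,0x10 / push ebx / ...). */
const uint8_t kChangedPrologue[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56, 0x57, 0xE8, 0, 0, 0, 0 };

/* Constructed stand-in for the shimmed entry point: the expected bytes
 * first, then a call through to the real routine (address elided). */
const uint8_t kShimmedEntry[] = {
    0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x68, 0xB0, 0xF3, 0xE8, 0x77,
    0xFF, 0x15, 0, 0, 0, 0 };

/* 1 if a Shrinker-style scan of this entry point would succeed. */
int shrinker_would_find(const uint8_t *entry, size_t entry_len)
{
    return find_opcode_signature(entry, entry_len, kExpectedPrologue,
                                 sizeof kExpectedPrologue) >= 0;
}
```

A signature that starts inside the window but runs past its end is also reported as missing, which is the second way a hard-coded scan can fail.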