archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/windows/appcompat/shims/specific/money2002.cpp

531 lines
14 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2002 Microsoft Corporation
  5. Module Name:
  7. Money2002.cpp
  9. Abstract:
  11. Retry passwords at 128-bit encryption if 40-bit fails. Most code from Money
  12. team.
  14. We have to patch the API directly since it is called from within it's own
  15. DLL, i.e. it doesn't go through the import table.
  17. The function we're patching is cdecl and is referenced by it's ordinal
  18. because the name is mangled.
  20. Notes:
  22. This is an app specific shim.
  24. History:
  26. 07/11/2002 linstev Created
  28. --*/
  30. #include "precomp.h"
  32. IMPLEMENT_SHIM_BEGIN(Money2002)
  33. #include "ShimHookMacro.h"
  34. #include <wincrypt.h>
  36. APIHOOK_ENUM_BEGIN
  37. APIHOOK_ENUM_ENTRY(LoadLibraryA)
  38. APIHOOK_ENUM_ENTRY(FreeLibrary)
  39. APIHOOK_ENUM_END
  41. #define Assert(a)
  43. void *crtmalloc(size_t size)
  44. {
  45. HMODULE hMod = GetModuleHandleW(L"msvcrt.dll");
  47. if (hMod) {
  49. typedef void * (__cdecl *_pfn_malloc)(size_t size);
  51. _pfn_malloc pfnmalloc = (_pfn_malloc) GetProcAddress(hMod, "malloc");
  52. if (pfnmalloc) {
  53. return pfnmalloc(size);
  54. }
  55. }
  57. return malloc(size);
  58. }
  60. void crtfree(void *memblock)
  61. {
  62. HMODULE hMod = GetModuleHandleW(L"msvcrt.dll");
  64. if (hMod) {
  66. _pfn_free pfnfree = (_pfn_free) GetProcAddress(hMod, "free");
  67. if (pfnfree) {
  68. pfnfree(memblock);
  69. return;
  70. }
  71. }
  73. free(memblock);
  74. }
  76. //
  77. // This section from the Money team
  78. //
  80. #define MAXLEN (100)
  81. #define ENCRYPT_BLOCK_SIZE (8)
  82. #define ENCRYPT_ALGORITHM CALG_RC2
  83. #define KEY_LENGTH (128)
  84. #define KEY_LENGTH40 (40)
  86. #define LgidMain(lcid) PRIMARYLANGID(LANGIDFROMLCID(lcid))
  87. #define LgidSub(lcid) SUBLANGID(LANGIDFROMLCID(lcid))
  89. // this function is only used for conversion
  90. BOOL FFrenchLCID()
  91. {
  92. LCID lcidSys=::GetSystemDefaultLCID();
  93. if (LgidMain(lcidSys)==LANG_FRENCH && LgidSub(lcidSys)==SUBLANG_FRENCH)
  94. return TRUE;
  95. else
  96. return FALSE;
  97. }
  99. // the smallest buffer size is 8
  100. #define BLOCKSIZE 8
  102. // process a block, either encrypt it or decrypt it
  103. // this function is only used for conversion
  104. void ProcessBlock(BOOL fEncrypt, BYTE * buffer)
  105. {
  106. BYTE mask[BLOCKSIZE]; // mask array
  107. BYTE temp[BLOCKSIZE]; // temporary array
  108. int rgnScramble[BLOCKSIZE]; // scramble array
  109. int i;
  111. // initialized scramble array
  112. for (i=0; i<BLOCKSIZE; i++)
  113. rgnScramble[i] = i;
  115. // generate mask and scramble indice
  116. for (i=0; i<BLOCKSIZE; i++)
  117. mask[i] = (BYTE)rand();
  119. for (i=0; i<4*BLOCKSIZE; i++)
  120. {
  121. int temp;
  122. int ind = rand() % BLOCKSIZE;
  123. temp = rgnScramble[i%BLOCKSIZE];
  124. rgnScramble[i%BLOCKSIZE] = rgnScramble[ind];
  125. rgnScramble[ind] = temp;
  126. }
  128. if (fEncrypt)
  129. {
  130. // xor encryption
  131. for (i=0; i<BLOCKSIZE; i++)
  132. mask[i] ^= buffer[i];
  134. // scramble the data
  135. for (i=0; i<BLOCKSIZE; i++)
  136. buffer[rgnScramble[i]] = mask[i];
  137. }
  138. else
  139. {
  140. // descramble the data
  141. for (i=0; i<BLOCKSIZE; i++)
  142. temp[i] = buffer[rgnScramble[i]];
  144. // xor decryption
  145. for (i=0; i<BLOCKSIZE; i++)
  146. buffer[i] = (BYTE) (temp[i] ^ mask[i]);
  147. }
  148. }
  151. // this function is only used for conversion
  152. BYTE * DecryptFrench(const BYTE * pbEncryptedBlob, DWORD cbEncryptedBlob, DWORD * pcbDecryptedBlob, LPCSTR szPassword)
  153. {
  154. BYTE buffer[BLOCKSIZE];
  155. int i;
  156. unsigned int seed = 0;
  157. unsigned int seedAdd = 0;
  158. BYTE * pb;
  159. BYTE * pbResult = NULL;
  160. unsigned int cBlocks;
  161. unsigned int cbResult = 0;
  162. unsigned int iBlocks;
  164. // make sure blob is at least 1 block long
  165. // and it's an integral number of blocks
  166. Assert(cbEncryptedBlob >= BLOCKSIZE);
  167. Assert(cbEncryptedBlob % BLOCKSIZE == 0);
  168. *pcbDecryptedBlob = 0;
  169. if (cbEncryptedBlob < BLOCKSIZE || cbEncryptedBlob % BLOCKSIZE != 0)
  170. return NULL;
  172. // calculate initial seed
  173. while (*szPassword)
  174. seed += *szPassword++;
  175. srand(seed);
  177. // retrieve the first block
  178. for (i=0; i<BLOCKSIZE; i++)
  179. buffer[i] = *pbEncryptedBlob++;
  180. ProcessBlock(FALSE, buffer);
  182. // find out the byte count and addon seed
  183. cbResult = *pcbDecryptedBlob = *((DWORD*)buffer);
  184. seedAdd = *(((DWORD*)buffer) + 1);
  186. // find out how many blocks we need
  187. cBlocks = 1 + (*pcbDecryptedBlob-1)/BLOCKSIZE;
  189. // make sure we have the right number of blocks
  190. Assert(cBlocks + 1 == cbEncryptedBlob / BLOCKSIZE);
  191. if (cBlocks + 1 == cbEncryptedBlob / BLOCKSIZE)
  192. {
  193. // allocate output memory
  194. pbResult = (BYTE*)crtmalloc(*pcbDecryptedBlob);
  195. if (pbResult)
  196. {
  197. // re-seed
  198. srand(seed + seedAdd);
  199. pb = pbResult;
  201. // process all blocks of data
  202. for (iBlocks=0; iBlocks<cBlocks; iBlocks++)
  203. {
  204. for (i=0; i<BLOCKSIZE; i++)
  205. buffer[i] = *pbEncryptedBlob++;
  206. ProcessBlock(FALSE, buffer);
  207. for (i=0; i<BLOCKSIZE && cbResult>0; i++, cbResult--)
  208. *pb++ = buffer[i];
  209. }
  210. }
  211. }
  213. if (!pbResult)
  214. *pcbDecryptedBlob = 0;
  215. return pbResult;
  216. }
  220. HCRYPTKEY CreateSessionKey(HCRYPTPROV hCryptProv, LPCSTR szPassword, BOOL fConvert, BOOL f40bit)
  221. {
  222. HCRYPTHASH hHash = 0;
  223. HCRYPTKEY hKey = 0;
  224. DWORD dwEffectiveKeyLen;
  225. DWORD dwPadding = PKCS5_PADDING;
  226. DWORD dwMode = CRYPT_MODE_CBC;
  228. if (f40bit)
  229. dwEffectiveKeyLen=KEY_LENGTH40;
  230. else
  231. dwEffectiveKeyLen= KEY_LENGTH;
  232. //--------------------------------------------------------------------
  233. // The file will be encrypted with a session key derived from a
  234. // password.
  235. // The session key will be recreated when the file is decrypted.
  237. //--------------------------------------------------------------------
  238. // Create a hash object.
  240. if (!CryptCreateHash(
  241. hCryptProv,
  242. CALG_MD5,
  243. 0,
  244. 0,
  245. &hHash))
  246. {
  247. goto CLEANUP;
  248. }
  250. //--------------------------------------------------------------------
  251. // Hash the password.
  253. if (!CryptHashData(
  254. hHash,
  255. (BYTE *)szPassword,
  256. strlen(szPassword)*sizeof(CHAR),
  257. 0))
  258. {
  259. goto CLEANUP;
  260. }
  261. //--------------------------------------------------------------------
  262. // Derive a session key from the hash object.
  264. if (!CryptDeriveKey(
  265. hCryptProv,
  266. ENCRYPT_ALGORITHM,
  267. hHash,
  268. (fConvert ? 0 : (KEY_LENGTH << 16) | CRYPT_EXPORTABLE),
  269. &hKey))
  270. {
  271. goto CLEANUP;
  272. }
  274. // set effective key length explicitly
  275. if (!CryptSetKeyParam(
  276. hKey,
  277. KP_EFFECTIVE_KEYLEN,
  278. (BYTE*)&dwEffectiveKeyLen,
  279. 0))
  280. {
  281. if(hKey)
  282. CryptDestroyKey(hKey);
  283. hKey = 0;
  284. goto CLEANUP;
  285. }
  287. if (!fConvert && !f40bit)
  288. {
  289. // set padding explicitly
  290. if (!CryptSetKeyParam(
  291. hKey,
  292. KP_PADDING,
  293. (BYTE*)&dwPadding,
  294. 0))
  295. {
  296. if(hKey)
  297. CryptDestroyKey(hKey);
  298. hKey = 0;
  299. goto CLEANUP;
  300. }
  302. // set mode explicitly
  303. if (!CryptSetKeyParam(
  304. hKey,
  305. KP_MODE,
  306. (BYTE*)&dwMode,
  307. 0))
  308. {
  309. if(hKey)
  310. CryptDestroyKey(hKey);
  311. hKey = 0;
  312. goto CLEANUP;
  313. }
  314. }
  317. //--------------------------------------------------------------------
  318. // Destroy the hash object.
  320. CLEANUP:
  322. if (hHash)
  323. CryptDestroyHash(hHash);
  325. return hKey;
  326. }
  329. BYTE * DecryptWorker(const BYTE * pbEncryptedBlob, DWORD cbEncryptedBlob, DWORD * pcbDecryptedBlob, LPCSTR szPassword, BOOL fConvert, BOOL f40bit, BOOL* pfRet)
  330. {
  331. HCRYPTPROV hCryptProv = NULL; // CSP handle
  332. HCRYPTKEY hKey = 0;
  333. DWORD cbDecryptedMessage = 0;
  334. BYTE* pbDecryptedMessage = NULL;
  335. DWORD dwBlockLen;
  336. DWORD dwBufferLen;
  338. Assert(pfRet);
  339. *pfRet=TRUE;
  340. //--------------------------------------------------------------------
  341. // Begin processing.
  343. Assert(pcbDecryptedBlob);
  345. *pcbDecryptedBlob = 0;
  347. if (!pbEncryptedBlob || cbEncryptedBlob == 0)
  348. return NULL;
  350. if (FFrenchLCID() && fConvert)
  351. return DecryptFrench(pbEncryptedBlob, cbEncryptedBlob, pcbDecryptedBlob, szPassword);
  353. //--------------------------------------------------------------------
  354. // Get a handle to a cryptographic provider.
  356. if (!CryptAcquireContext(
  357. &hCryptProv, // Address for handle to be returned.
  358. NULL, // Container
  359. (fConvert ? NULL : MS_ENHANCED_PROV), // Use the default provider.
  360. PROV_RSA_FULL, // Need to both encrypt and sign.
  361. CRYPT_VERIFYCONTEXT)) // flags.
  362. {
  363. Assert(FALSE);
  364. goto CLEANUP;
  365. }
  367. //--------------------------------------------------------------------
  368. // Create the session key.
  369. hKey = CreateSessionKey(hCryptProv, szPassword, fConvert, f40bit);
  370. if (!hKey)
  371. {
  372. goto CLEANUP;
  373. }
  375. dwBlockLen = cbEncryptedBlob;
  376. dwBufferLen = dwBlockLen;
  378. //--------------------------------------------------------------------
  379. // Allocate memory.
  380. pbDecryptedMessage = (BYTE *)crtmalloc(dwBufferLen);
  381. if (!pbDecryptedMessage)
  382. {
  383. // Out of memory
  384. goto CLEANUP;
  385. }
  387. memcpy(pbDecryptedMessage, pbEncryptedBlob, cbEncryptedBlob);
  388. cbDecryptedMessage = cbEncryptedBlob;
  390. //--------------------------------------------------------------------
  391. // Decrypt data.
  392. if (!CryptDecrypt(
  393. hKey,
  394. 0,
  395. TRUE,
  396. 0,
  397. pbDecryptedMessage,
  398. &cbDecryptedMessage))
  399. {
  400. crtfree(pbDecryptedMessage);
  401. pbDecryptedMessage = NULL;
  402. cbDecryptedMessage = 0;
  403. *pfRet=FALSE;
  404. goto CLEANUP;
  405. }
  407. //--------------------------------------------------------------------
  408. // Clean up memory.
  409. CLEANUP:
  411. if(hKey)
  412. CryptDestroyKey(hKey);
  414. if (hCryptProv)
  415. {
  416. CryptReleaseContext(hCryptProv,0);
  417. // The CSP has been released.
  418. }
  420. *pcbDecryptedBlob = cbDecryptedMessage;
  422. return pbDecryptedMessage;
  423. }
  425. BYTE * __cdecl Decrypt(const BYTE * pbEncryptedBlob, DWORD cbEncryptedBlob, DWORD * pcbDecryptedBlob, LPCSTR szEncryptionPassword, BOOL fConvert)
  426. {
  427. BYTE* pbDecryptedMessage;
  428. BOOL fRet;
  429. // try 128 bit first, if we fail, try 40 bit again.
  430. pbDecryptedMessage = DecryptWorker(pbEncryptedBlob, cbEncryptedBlob, pcbDecryptedBlob, szEncryptionPassword, fConvert, FALSE, &fRet);
  431. if (!fRet)
  432. {
  433. if (pbDecryptedMessage)
  434. crtfree(pbDecryptedMessage);
  435. pbDecryptedMessage = DecryptWorker(pbEncryptedBlob, cbEncryptedBlob, pcbDecryptedBlob, szEncryptionPassword, fConvert, TRUE, &fRet);
  436. }
  437. return pbDecryptedMessage;
  438. }
  440. //
  441. // End section from Money team
  442. //
  444. /*++
  446. Patch the Decrypt entry point.
  448. --*/
  450. CRITICAL_SECTION g_csPatch;
  451. DWORD g_dwDecrypt = (DWORD_PTR)&Decrypt;
  453. HINSTANCE
  454. APIHOOK(LoadLibraryA)(
  455. LPCSTR lpLibFileName
  456. )
  457. {
  458. HMODULE hMod = ORIGINAL_API(LoadLibraryA)(lpLibFileName);
  460. //
  461. // Wrap the patch in a critical section so we know the library won't be
  462. // freed underneath us
  463. //
  465. EnterCriticalSection(&g_csPatch);
  467. HMODULE hMoney = GetModuleHandleW(L"mnyutil.dll");
  468. if (hMoney) {
  469. // Patch the dll with a jump to our function
  471. LPBYTE lpProc = (LPBYTE) GetProcAddress(hMoney, (LPCSTR)290);
  473. if (lpProc) {
  474. __try {
  475. DWORD dwOldProtect;
  476. if (VirtualProtect((PVOID)lpProc, 5, PAGE_READWRITE, &dwOldProtect)) {
  477. *(WORD *)lpProc = 0x25ff; lpProc += 2;
  478. *(DWORD *)lpProc = (DWORD_PTR)&g_dwDecrypt;
  479. }
  480. } __except(1) {
  481. LOGN(eDbgLevelError, "[LoadLibraryA] Exception while patching entry point");
  482. }
  483. }
  484. }
  486. LeaveCriticalSection(&g_csPatch);
  488. return hMod;
  489. }
  491. BOOL
  492. APIHOOK(FreeLibrary)(
  493. HMODULE hModule
  494. )
  495. {
  496. EnterCriticalSection(&g_csPatch);
  497. BOOL bRet = ORIGINAL_API(FreeLibrary)(hModule);
  498. LeaveCriticalSection(&g_csPatch);
  500. return bRet;
  501. }
  503. /*++
  505. Register hooked functions
  507. --*/
  509. BOOL
  510. NOTIFY_FUNCTION(
  511. DWORD fdwReason
  512. )
  513. {
  514. if (fdwReason == DLL_PROCESS_ATTACH) {
  515. if (!InitializeCriticalSectionAndSpinCount(&g_csPatch, 0x80000000)) {
  516. LOGN(eDbgLevelError, "[NotifyFn] Failed to initialize critical section");
  517. return FALSE;
  518. }
  519. }
  521. return TRUE;
  522. }
  524. HOOK_BEGIN
  525. CALL_NOTIFY_FUNCTION
  526. APIHOOK_ENTRY(KERNEL32.DLL, LoadLibraryA)
  527. APIHOOK_ENTRY(KERNEL32.DLL, FreeLibrary)
  528. HOOK_END
  530. IMPLEMENT_SHIM_END