archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/protocols/msv_sspi/test/injection/injecter/injecter.cxx

709 lines
16 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2001 Microsoft Corporation
  5. Module Name:
  7. injecter.cxx
  9. Abstract:
  11. Injecter
  13. Author:
  15. Larry Zhu (LZhu) December 1, 2001 Created
  17. Environment:
  19. User Mode
  21. Revision History:
  23. --*/
  25. #include "precomp.hxx"
  26. #pragma hdrstop
  28. #include "injecter.hxx"
  30. DWORD
  31. AdjustDebugPriv(
  32. VOID
  33. )
  34. {
  35. HANDLE hToken = NULL;
  36. DWORD dwErr = 0;
  37. TOKEN_PRIVILEGES newPrivs = {0};
  39. if (!OpenProcessToken(
  40. GetCurrentProcess(),
  41. TOKEN_ADJUST_PRIVILEGES,
  42. &hToken))
  43. {
  44. dwErr = GetLastError();
  45. goto Cleanup;
  46. }
  48. if (!LookupPrivilegeValue(
  49. NULL,
  50. SE_DEBUG_NAME,
  51. &newPrivs.Privileges[0].Luid
  52. ))
  53. {
  54. dwErr = GetLastError();
  55. goto Cleanup;
  56. }
  58. newPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  59. newPrivs.PrivilegeCount = 1;
  61. if (!AdjustTokenPrivileges(
  62. hToken,
  63. FALSE,
  64. &newPrivs,
  65. 0,
  66. NULL,
  67. NULL
  68. ))
  69. {
  70. dwErr = GetLastError();
  71. goto Cleanup;
  72. }
  74. Cleanup:
  76. if (hToken)
  77. {
  78. CloseHandle(hToken);
  79. }
  81. return dwErr;
  82. }
  84. static DWORD
  85. WorkerFunc(
  86. IN REMOTE_INFO* pInfo
  87. )
  88. {
  89. HINSTANCE hDll = NULL;
  90. PFuncRunIt_t pFuncRunit = NULL;
  91. DWORD dwErr = -1;
  93. hDll = pInfo->pFuncLoadLibrary(pInfo->szDllName);
  95. if (hDll != NULL)
  96. {
  97. pFuncRunit = (PFuncRunIt_t) pInfo->pFuncGetProcAddress(
  98. hDll,
  99. pInfo->szProcName
  100. );
  102. if (pFuncRunit != NULL)
  103. {
  104. dwErr = pFuncRunit(
  105. pInfo->cbParameters,
  106. pInfo->Parameters
  107. );
  108. }
  109. else
  110. {
  111. dwErr = -3;
  112. }
  114. //
  115. // ERROR_NO_MORE_USER_HANDLES unload repeatedly
  116. // ERROR_SERVER_HAS_OPEN_HANDLES no unload at all
  117. // others unload once
  118. //
  120. if (ERROR_SERVER_HAS_OPEN_HANDLES != dwErr)
  121. {
  122. pInfo->pFuncFreeLibrary(hDll);
  124. //
  125. // unload abandoned dll
  126. //
  128. if (ERROR_NO_MORE_USER_HANDLES == dwErr)
  129. {
  130. while (pInfo->pFuncFreeLibrary(hDll))
  131. {
  132. // repeat FreeLibrary unit it fails
  133. }
  134. }
  135. }
  136. }
  137. else
  138. {
  139. dwErr = -2;
  140. }
  142. return dwErr;
  143. }
  145. static VOID
  146. MarkerFunc(
  147. VOID
  148. )
  149. {
  150. // empty
  151. }
  153. DWORD
  154. InjectDllToProcess(
  155. IN HANDLE hProc,
  156. IN PCSTR pszDllFileName,
  157. IN ULONG cbParameters,
  158. IN VOID* pvParameters
  159. )
  160. {
  161. DWORD dwErr = ERROR_SUCCESS;
  163. VOID* pRemoteAlloc = NULL;
  164. HANDLE hRemoteThread = NULL;
  165. HINSTANCE hKernel32 = NULL;
  166. HINSTANCE hDll = NULL;
  167. REMOTE_INFO* pRemInfo = NULL;
  168. ULONG cbRemInfo = 0;
  170. ULONG ulFuncSize = 0;
  171. ULONG ulBytesToAlloc = 0;
  172. CHAR szDllPath[MAX_PATH] = {0};
  173. SIZE_T dwBytesWritten = 0;
  174. DWORD dwIgnored;
  175. ULONG cbPadding = sizeof(ULONG);
  177. cbRemInfo = sizeof(REMOTE_INFO) + cbParameters | sizeof(VOID*); // add a safe zone
  178. pRemInfo = (REMOTE_INFO*) new CHAR [cbRemInfo];
  180. if (!pRemInfo)
  181. {
  182. dwErr = ERROR_OUTOFMEMORY;
  183. }
  185. RtlZeroMemory(pRemInfo, cbRemInfo);
  186. pRemInfo->cbParameters = cbParameters;
  188. hKernel32 = LoadLibraryA("Kernel32");
  189. if (!hKernel32)
  190. {
  191. dwErr = GetLastError();
  192. goto Cleanup;
  193. }
  195. pRemInfo->pFuncLoadLibrary = (PFuncLoadLib_t) GetProcAddress(hKernel32, "LoadLibraryA");
  196. if (!pRemInfo->pFuncLoadLibrary)
  197. {
  198. dwErr = GetLastError();
  199. goto Cleanup;
  200. }
  202. pRemInfo->pFuncGetProcAddress = (PFuncGetProcAddr_t) GetProcAddress(hKernel32, "GetProcAddress");
  203. if (!pRemInfo->pFuncGetProcAddress)
  204. {
  205. dwErr = GetLastError();
  206. goto Cleanup;
  207. }
  209. pRemInfo->pFuncFreeLibrary = (PFuncFreeLib_t) GetProcAddress(hKernel32, "FreeLibrary");
  210. if (!pRemInfo->pFuncFreeLibrary)
  211. {
  212. dwErr = GetLastError();
  213. goto Cleanup;
  214. }
  216. if (0 == GetModuleFileNameA(NULL, szDllPath, sizeof (szDllPath)))
  217. {
  218. dwErr = GetLastError();
  219. goto Cleanup;
  220. }
  222. strcpy(strrchr (szDllPath, '\\') + 1, pszDllFileName);
  223. strncpy(pRemInfo->szDllName, szDllPath, sizeof(pRemInfo->szDllName));
  225. strncpy(pRemInfo->szProcName, REMOTE_DLL_ENTRY, sizeof(pRemInfo->szProcName));
  227. pRemInfo->cbParameters = cbParameters;
  228. memcpy(&pRemInfo->Parameters, pvParameters, pRemInfo->cbParameters);
  230. ulFuncSize = (ULONG) ((ULONG_PTR) MarkerFunc - (ULONG_PTR) WorkerFunc);
  231. cbPadding = sizeof(void*) - ulFuncSize % sizeof(void*);
  232. ulBytesToAlloc = ulFuncSize + cbPadding + cbRemInfo;
  234. DebugPrintf(SSPI_LOG, "InjectDllToProcess dllname %s, ulBytesToAlloc %#x, cbRemInfo %#x\n",
  235. pszDllFileName, ulBytesToAlloc, cbRemInfo);
  236. DebugPrintf(SSPI_LOG, "pInfo->pFuncLoadLibrary %p\n", pRemInfo->pFuncLoadLibrary);
  237. DebugPrintf(SSPI_LOG, "pInfo->pFuncGetProcAddress %p\n", pRemInfo->pFuncGetProcAddress);
  238. DebugPrintf(SSPI_LOG, "pInfo->pFuncFreeLibrary %p\n", pRemInfo->pFuncFreeLibrary);
  240. DebugPrintf(SSPI_LOG, "pInfo->szDllName %s\n", pRemInfo->szDllName);
  242. DebugPrintf(SSPI_LOG, "pInfo->szProcName %s\n", pRemInfo->szProcName);
  244. DebugPrintf(SSPI_LOG, "pInfo->cbParameters %#x, pInfo->Parameters %p\n",
  245. pRemInfo->cbParameters, pRemInfo->Parameters);
  246. DebugPrintHex(SSPI_LOG, "Parameters", pRemInfo->cbParameters, pRemInfo->Parameters);
  248. pRemoteAlloc = VirtualAllocEx(
  249. hProc,
  250. NULL,
  251. ulBytesToAlloc,
  252. MEM_COMMIT,
  253. PAGE_READWRITE
  254. );
  255. if (pRemoteAlloc == NULL)
  256. {
  257. dwErr = GetLastError();
  258. goto Cleanup;
  259. }
  261. if (!WriteProcessMemory(
  262. hProc,
  263. pRemoteAlloc,
  264. (PVOID) WorkerFunc,
  265. ulFuncSize + cbPadding,
  266. &dwBytesWritten
  267. ))
  268. {
  269. dwErr = GetLastError();
  270. goto Cleanup;
  271. }
  273. if (!WriteProcessMemory(
  274. hProc,
  275. ((UCHAR*) pRemoteAlloc) + ulFuncSize + cbPadding,
  276. pRemInfo,
  277. cbRemInfo,
  278. &dwBytesWritten
  279. ))
  280. {
  281. dwErr = GetLastError();
  282. goto Cleanup;
  283. }
  285. DebugPrintf(SSPI_LOG,
  286. "InjectDllToProcess pRemoteAlloc %p, pRemInfo %p\n",
  287. pRemoteAlloc, ((UCHAR*) pRemoteAlloc) + ulFuncSize + cbPadding);
  289. hRemoteThread = CreateRemoteThread(
  290. hProc,
  291. NULL,
  292. 0,
  293. (PTHREAD_START_ROUTINE) pRemoteAlloc, // start address
  294. ((UCHAR*) pRemoteAlloc) + ulFuncSize + cbPadding, // parameter
  295. 0, // creation flags
  296. &dwIgnored
  297. );
  298. if (!hRemoteThread)
  299. {
  300. dwErr = GetLastError();
  301. goto Cleanup;
  302. }
  304. //
  305. // run Init()
  306. //
  308. dwErr = WaitForSingleObject(hRemoteThread, INFINITE);
  310. if (dwErr != ERROR_SUCCESS)
  311. {
  312. DebugPrintf(SSPI_ERROR, "WaitForSingleObject failed with %#x\n", dwErr);
  313. dwErr = GetLastError();
  314. }
  316. Cleanup:
  318. if (hKernel32)
  319. {
  320. FreeLibrary(hKernel32);
  321. }
  322. if (hRemoteThread)
  323. {
  324. CloseHandle(hRemoteThread);
  325. }
  327. if (pRemoteAlloc)
  328. {
  329. VirtualFreeEx(hProc, pRemoteAlloc, 0, MEM_RELEASE);
  330. }
  332. if (pRemInfo)
  333. {
  334. delete [] pRemInfo;
  335. }
  337. return dwErr;
  338. }
  340. DWORD
  341. FindPid(
  342. IN PCSTR pszImageFileName
  343. )
  344. {
  345. NTSTATUS Status ;
  347. PSYSTEM_PROCESS_INFORMATION pSystemInfo = NULL;
  348. PSYSTEM_PROCESS_INFORMATION pWalk = NULL;
  349. ANSI_STRING AnsiProcessName = {0};
  350. UNICODE_STRING ProcessName = {0};
  351. DWORD ulPid = 0;
  353. DebugPrintf(SSPI_LOG, "FindPid looking for %s\n", pszImageFileName);
  355. pSystemInfo = new SYSTEM_PROCESS_INFORMATION[1024];
  357. if ( !pSystemInfo )
  358. {
  359. DebugPrintf(SSPI_ERROR, "FindPid out of memory\n");
  360. return ERROR_SUCCESS;
  361. }
  363. Status = NtQuerySystemInformation(
  364. SystemProcessInformation,
  365. pSystemInfo,
  366. sizeof( SYSTEM_PROCESS_INFORMATION ) * 1024,
  367. NULL
  368. );
  370. if ( !NT_SUCCESS( Status ) )
  371. {
  372. DebugPrintf(SSPI_ERROR, "NtQuerySystemInformation failed with %#x\n", Status);
  373. return ERROR_SUCCESS;
  374. }
  376. RtlInitAnsiString(&AnsiProcessName, pszImageFileName);
  377. Status = RtlAnsiStringToUnicodeString(&ProcessName, &AnsiProcessName, TRUE);
  379. if ( !NT_SUCCESS( Status ) )
  380. {
  381. DebugPrintf(SSPI_ERROR, "RtlAnsiStringToUnicodeString failed with %#x\n", Status);
  382. return ERROR_SUCCESS;
  383. }
  385. pWalk = pSystemInfo ;
  387. while ( RtlCompareUnicodeString( &pWalk->ImageName, &ProcessName, TRUE ) != 0 )
  388. {
  389. if ( pWalk->NextEntryOffset == 0 )
  390. {
  391. pWalk = NULL ;
  392. break;
  393. }
  395. pWalk = (PSYSTEM_PROCESS_INFORMATION) ((PUCHAR) pWalk + pWalk->NextEntryOffset );
  396. }
  398. if ( !pWalk )
  399. {
  400. delete [] pSystemInfo;
  401. return ERROR_SUCCESS;
  402. }
  404. ulPid = PtrToUlong( pWalk->UniqueProcessId );
  406. delete [] pSystemInfo;
  408. return ulPid;
  409. }
  411. void
  412. DisplayUsage(
  413. IN PCSTR pszApp,
  414. IN OPTIONAL PCSTR pszArgs
  415. )
  416. {
  417. DebugPrintf(SSPI_ERROR, "\n\nUsage: %s <injectee.dll> [-p<PID>|-n<process name>] %s\n\n\n", pszApp, pszArgs ? pszArgs : "");
  418. }
  420. DWORD
  421. Init(
  422. IN PCSTR pszFileName,
  423. IN ULONG argc,
  424. IN PCSTR* argv,
  425. IN PCSTR pszDllName,
  426. IN PCSTR pszRunItProcName,
  427. IN PCSTR pszInitProcName,
  428. OUT ULONG* pcbParameters,
  429. OUT VOID** ppvParameters
  430. )
  431. {
  432. DWORD dwErr = ERROR_SUCCESS;
  434. HINSTANCE hDll = NULL;
  435. PFuncRunIt_t pFuncRunIt = NULL;
  436. PFuncInit_t pFuncInit = NULL;
  438. BOOLEAN bUseDefaulInitHandler = FALSE;
  440. hDll = LoadLibraryA(pszDllName);
  441. if (!hDll)
  442. {
  443. dwErr = GetLastError();
  444. goto Cleanup;
  445. }
  446. pFuncRunIt = (PFuncRunIt_t) GetProcAddress(hDll, pszRunItProcName);
  447. if (!pFuncRunIt)
  448. {
  449. dwErr = GetLastError();
  450. goto Cleanup;
  451. }
  452. pFuncInit = (PFuncInit_t) GetProcAddress(hDll, pszInitProcName);
  453. if (!pFuncInit)
  454. {
  455. dwErr = GetLastError();
  456. DebugPrintf(SSPI_WARN, "Init failed to locate %s %#x\n", REMOTE_DLL_INIT, dwErr);
  457. if (dwErr == ERROR_PROC_NOT_FOUND)
  458. {
  459. bUseDefaulInitHandler = TRUE;
  460. }
  461. else
  462. {
  463. goto Cleanup;
  464. }
  465. }
  466. else
  467. {
  468. dwErr = pFuncInit(
  469. argc,
  470. argv,
  471. pcbParameters,
  472. ppvParameters
  473. );
  474. if (dwErr == ERROR_CONTINUE)
  475. {
  476. bUseDefaulInitHandler = TRUE;
  477. }
  478. else if (dwErr == ERROR_INVALID_PARAMETER)
  479. {
  480. DisplayUsage(pszFileName, (PSTR) (*ppvParameters));
  481. goto Cleanup;
  482. }
  483. else if (dwErr != ERROR_SUCCESS)
  484. {
  485. DebugPrintf(SSPI_ERROR, "Init faield with %#x\n", dwErr);
  486. goto Cleanup;
  487. }
  488. }
  490. if (bUseDefaulInitHandler)
  491. {
  492. dwErr = InitDefaultHandler(argc, argv, pcbParameters, ppvParameters);
  493. }
  494. else
  495. {
  496. dwErr = ERROR_SUCCESS;
  497. }
  499. Cleanup:
  501. if (hDll)
  502. {
  503. FreeLibrary(hDll);
  504. }
  506. return dwErr;
  507. }
  509. int
  510. InitDefaultHandler(
  511. IN ULONG argc,
  512. IN PCSTR* argv,
  513. OUT ULONG* pcbParameters,
  514. OUT VOID** ppvParameters
  515. )
  516. {
  517. DWORD dwErr = ERROR_SUCCESS;
  519. CHAR Parameters[REMOTE_PACKET_SIZE] = {0};
  520. ULONG cbBuffer = sizeof(Parameters);
  521. VOID* pvParameters = NULL;
  522. ULONG cbParameters = 0;
  524. DebugPrintf(SSPI_LOG, "InitDefaultHandler is used\n");
  526. *pcbParameters = 0;
  527. *ppvParameters = NULL;
  529. for (ULONG i = 0; i < (ULONG) argc; i++)
  530. {
  531. cbBuffer -= _snprintf(Parameters + sizeof(Parameters) - cbBuffer, cbBuffer, "%s", argv[i]);
  532. cbBuffer--; // add a null
  533. }
  535. cbBuffer--; // the last null of multi-sz string
  537. cbParameters = sizeof(Parameters) - cbBuffer;
  539. pvParameters = new CHAR[cbParameters];
  541. if (pvParameters)
  542. {
  543. memcpy(pvParameters, Parameters, cbParameters);
  545. *ppvParameters = pvParameters;
  546. pvParameters = NULL;
  548. *pcbParameters = cbParameters;
  549. }
  550. else
  551. {
  552. dwErr = ERROR_OUTOFMEMORY;
  553. goto Cleanup;
  554. }
  556. Cleanup:
  558. if (pvParameters)
  559. {
  560. delete [] pvParameters;
  561. }
  563. return dwErr;
  564. }
  566. int __cdecl
  567. main(
  568. IN int argc,
  569. IN CHAR* argv[]
  570. )
  571. {
  572. DWORD dwErr = ERROR_SUCCESS;
  574. DWORD dwIgnored;
  575. HANDLE hLsassProc = NULL;
  576. HANDLE hReceiveThread = NULL;
  578. ULONG ulPid = 0;
  579. VOID* pvParameters = NULL;
  580. ULONG cbParamerter = 0;
  582. ULONG ulStart = 2;
  583. PSTR pszProcess = "lsass.exe";
  585. if (argc >= 3)
  586. {
  587. if ((argv[2][0] == '-') || (argv[2][0] == '/'))
  588. {
  589. if (argv[2][1] == 'n')
  590. {
  591. ulStart++;
  592. pszProcess = argv[2] + 2 * sizeof(char);
  593. }
  594. else if (argv[2][1] == 'p')
  595. {
  596. ulStart++;
  597. ulPid = strtol(argv[2] + 2 * sizeof(char), NULL, 0);
  598. }
  599. }
  600. }
  602. #if 0
  603. /* allow the user to override settings with command line switches */
  604. for (i = 1; i < argc; i++)
  605. {
  606. if ((*argv[i] == '-') || (*argv[i] == '/'))
  607. {
  608. switch (tolower(*(argv[i]+1)))
  609. {
  610. case 'd':
  611. fEncode = 0;
  612. break;
  613. case 'e':
  614. fEncode = 1;
  615. break;
  616. case 'i':
  617. fFixedStyle = 0;
  618. break;
  619. case 'f':
  620. pszFileName = argv[i] + 2;
  621. break;
  622. case 'h':
  623. case '?':
  624. default:
  625. Usage(argv[0]);
  626. }
  627. }
  628. else
  629. Usage(argv[0]);
  630. }
  631. #endif 0
  633. if ((argc >= 2) && (ulPid == 0))
  634. {
  635. ulPid = FindPid(pszProcess);
  636. }
  638. if (!ulPid)
  639. {
  640. DisplayUsage(argv[0], NULL);
  641. DebugPrintf(SSPI_ERROR, "%s failed: pszProcess is \"%s\", ulPid is %#x\n", argv[0], pszProcess, ulPid);
  642. goto Cleanup;
  643. }
  645. DebugPrintf(SSPI_LOG, "%s is injecting %s with pid %#x(%d)\n", argv[0], pszProcess, ulPid, ulPid);
  647. dwErr = Init(argv[0],
  648. argc - ulStart,
  649. (PCSTR*) reinterpret_cast<PSTR*>(argv + ulStart),
  650. argv[1],
  651. REMOTE_DLL_ENTRY,
  652. REMOTE_DLL_INIT,
  653. &cbParamerter,
  654. &pvParameters);
  655. if (dwErr != ERROR_SUCCESS)
  656. {
  657. DebugPrintf(SSPI_ERROR, "Init failed with error %#x\n", dwErr);
  658. goto Cleanup;
  659. }
  661. dwErr = AdjustDebugPriv();
  663. if (dwErr != ERROR_SUCCESS)
  664. {
  665. DebugPrintf(SSPI_ERROR, "EnableDebugPriv failed with error %#x\n", dwErr);
  666. goto Cleanup;
  667. }
  669. hLsassProc = OpenProcess(MAXIMUM_ALLOWED, FALSE, ulPid);
  671. if (!hLsassProc)
  672. {
  673. DebugPrintf(SSPI_ERROR, "OpenProcess pid %#x failed with last error %#x\n", ulPid, GetLastError());
  674. goto Cleanup;
  675. }
  677. dwErr = InjectDllToProcess(
  678. hLsassProc,
  679. argv[1],
  680. cbParamerter,
  681. pvParameters
  682. );
  683. if (dwErr != ERROR_SUCCESS)
  684. {
  685. DebugPrintf(SSPI_ERROR, "InjectDllToProcess failed with status %#x, dwErr %#x\n", dwErr);
  686. goto Cleanup;
  687. }
  689. Cleanup:
  691. if (pvParameters)
  692. {
  693. delete [] pvParameters;
  694. }
  696. if (hLsassProc)
  697. {
  698. CloseHandle(hLsassProc);
  699. }
  701. if (hReceiveThread)
  702. {
  703. CloseHandle(hReceiveThread);
  704. }
  706. return ERROR_SUCCESS;
  707. }