archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/sdktools/profiler/inject.c

239 lines
6.5 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. #include <windows.h>
  2. #include "inject.h"
  3. #include "profiler.h"
  5. BOOL g_bIsWin9X = FALSE;
  6. CHAR g_fnFinalizeInjection[MAX_PATH];
  7. HINSTANCE g_hProfileDLL = 0;
  9. HANDLE
  10. InjectDLL(DWORD dwEntryPoint,
  11. HANDLE hProcess,
  12. LPSTR pszDLLName)
  13. {
  14. CHAR szTempPath[MAX_PATH];
  15. HMODULE hKernel32;
  16. BOOL bResult = FALSE;
  17. INJECTIONSTUB injStub;
  18. DWORD dwLoadLibrary;
  19. DWORD dwGetProcAddress;
  20. DWORD dwBytesWritten;
  21. DWORD dwBytesRead;
  22. DWORD dwOldProtect;
  23. DWORD dwOldProtect2;
  24. PBYTE pSharedMem = 0;
  25. HANDLE hFileMap = 0;
  27. hKernel32 = GetModuleHandle("KERNEL32.DLL");
  28. dwLoadLibrary = (DWORD)GetProcAddress(hKernel32,
  29. "LoadLibraryA");
  30. if (0 == dwLoadLibrary) {
  31. bResult = FALSE;
  32. goto handleerror;
  33. }
  35. dwGetProcAddress = (DWORD)GetProcAddress(hKernel32,
  36. "GetProcAddress");
  37. if (0 == dwGetProcAddress) {
  38. bResult = FALSE;
  39. goto handleerror;
  40. }
  42. //
  43. // Initialize the asm for the stub
  44. //
  45. injStub.pCode[0] = 0x90; // int 3 or nop
  46. injStub.pCode[1] = 0x60; // pushad
  47. injStub.pCode[2] = 0x8d; // lea eax, [xxxxxxxx]
  48. injStub.pCode[3] = 0x05;
  49. *(DWORD *)(&(injStub.pCode[4])) = dwEntryPoint + (DWORD)&(injStub.szDLLName) - (DWORD)&injStub;
  50. injStub.pCode[8] = 0x50; // push eax
  51. injStub.pCode[9] = 0xff; // call dword ptr [xxxxxxxx] - LoadLibraryA
  52. injStub.pCode[10] = 0x15;
  53. *(DWORD *)(&(injStub.pCode[11])) = dwEntryPoint + 50;
  54. injStub.pCode[15] = 0x50; // push eax
  55. injStub.pCode[16] = 0x5b; // pop ebx
  56. injStub.pCode[17] = 0x8d; // lea eax, [xxxxxxxx]
  57. injStub.pCode[18] = 0x05;
  58. *(DWORD *)(&(injStub.pCode[19])) = dwEntryPoint + (DWORD)&(injStub.szEntryPoint) - (DWORD)&injStub;
  59. injStub.pCode[23] = 0x50; // push eax // module base
  60. injStub.pCode[24] = 0x53; // push ebx // function name
  61. injStub.pCode[25] = 0xff; // call dword ptr [xxxxxxxx] - GetProcAddress
  62. injStub.pCode[26] = 0x15;
  63. *(DWORD *)(&(injStub.pCode[27])) = dwEntryPoint + 54;
  64. injStub.pCode[31] = 0xff;
  65. injStub.pCode[32] = 0xd0;
  66. *(DWORD *)(&(injStub.pCode[50])) = dwLoadLibrary;
  67. *(DWORD *)(&(injStub.pCode[54])) = dwGetProcAddress;
  69. //
  70. // Create the file mapping object from the paging file
  71. //
  72. hFileMap = CreateFileMapping(INVALID_HANDLE_VALUE,
  73. NULL,
  74. PAGE_READWRITE,
  75. 0,
  76. sizeof(INJECTIONSTUB),
  77. "ProfilerSharedMem");
  78. if (0 == hFileMap) {
  79. bResult = FALSE;
  80. goto handleerror;
  81. }
  83. pSharedMem = (PBYTE)MapViewOfFile(hFileMap,
  84. FILE_MAP_ALL_ACCESS,
  85. 0,
  86. 0,
  87. sizeof(INJECTIONSTUB));
  88. if (0 == pSharedMem) {
  89. bResult = FALSE;
  90. goto handleerror;
  91. }
  93. //
  94. // Initialize injection stub
  95. //
  96. strcpy(injStub.szDLLName, pszDLLName);
  97. strcpy(injStub.szEntryPoint, DEFAULT_ENTRY_POINT);
  99. bResult = ReadProcessMemory(hProcess,
  100. (LPVOID)dwEntryPoint,
  101. (PVOID)pSharedMem,
  102. sizeof(INJECTIONSTUB),
  103. &dwBytesRead);
  104. if (FALSE == bResult) {
  105. bResult = FALSE;
  106. goto handleerror;
  107. }
  109. //
  110. // Write the stub code into the entry point
  111. //
  112. bResult = WriteProcessMemory(hProcess,
  113. (LPVOID)dwEntryPoint,
  114. (PVOID)&injStub,
  115. sizeof(INJECTIONSTUB),
  116. &dwBytesWritten);
  117. if (FALSE == bResult) {
  118. bResult = FALSE;
  119. goto handleerror;
  120. }
  122. handleerror:
  124. return hFileMap;
  125. }
  127. VOID
  128. RestoreImageFromInjection(VOID)
  129. {
  130. PIMAGE_NT_HEADERS pHeaders = 0;
  131. BOOL bResult;
  132. BOOL bError = FALSE;
  133. PVOID pBase = 0;
  134. DWORD dwEntryPoint;
  135. DWORD dwBytesRead;
  136. DWORD dwBytesWritten;
  137. PINJECTIONSTUB pInjStub;
  138. HANDLE hFileMap = 0;
  139. PBYTE pSharedMem = 0;
  140. OSVERSIONINFO verInfo;
  142. //
  143. // Get the entry point from the headers
  144. //
  145. pBase = (PVOID)GetModuleHandle(0);
  146. if (0 == pBase) {
  147. bError = TRUE;
  148. goto handleerror;
  149. }
  151. //
  152. // Dig out the PE information
  153. //
  154. pHeaders = ImageNtHeader2(pBase);
  155. if (0 == pHeaders) {
  156. bError = TRUE;
  157. goto handleerror;
  158. }
  160. dwEntryPoint = pHeaders->OptionalHeader.ImageBase + pHeaders->OptionalHeader.AddressOfEntryPoint;
  161. pInjStub = (PINJECTIONSTUB)dwEntryPoint;
  163. //
  164. // Open the memory mapped file and get the bits
  165. //
  166. hFileMap = OpenFileMapping(FILE_MAP_ALL_ACCESS,
  167. FALSE,
  168. "ProfilerSharedMem");
  170. if (0 == hFileMap) {
  171. bError = TRUE;
  172. goto handleerror;
  173. }
  175. pSharedMem = (PBYTE)MapViewOfFile(hFileMap,
  176. FILE_MAP_ALL_ACCESS,
  177. 0,
  178. 0,
  179. 0);
  180. if (0 == pSharedMem) {
  181. bError = TRUE;
  182. goto handleerror;
  183. }
  185. //
  186. // Replace the bits
  187. //
  188. bResult = WriteProcessMemory(GetCurrentProcess(),
  189. (PVOID)dwEntryPoint,
  190. (PVOID)pSharedMem,
  191. sizeof(INJECTIONSTUB),
  192. &dwBytesWritten);
  193. if (FALSE == bResult) {
  194. bError = TRUE;
  195. goto handleerror;
  196. }
  198. //
  199. // Set the OS information
  200. //
  201. ZeroMemory(&verInfo, sizeof(OSVERSIONINFO));
  203. verInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
  204. bResult = GetVersionExA(&verInfo);
  205. if (FALSE == bResult) {
  206. bError = TRUE;
  207. goto handleerror;
  208. }
  210. if (VER_PLATFORM_WIN32_NT == verInfo.dwPlatformId) {
  211. g_bIsWin9X = FALSE;
  212. }
  213. else if (VER_PLATFORM_WIN32_WINDOWS == verInfo.dwPlatformId) {
  214. g_bIsWin9X = TRUE;
  215. }
  216. else {
  217. //
  218. // Unsupported platform
  219. //
  220. ExitProcess(-1);
  221. }
  223. //
  224. // Finish profiler initializations
  225. //
  226. bResult = InitializeProfiler();
  227. if (FALSE == bResult) {
  228. bError = TRUE;
  229. goto handleerror;
  230. }
  232. handleerror:
  234. if (TRUE == bError) {
  235. ExitProcess(-1);
  236. }
  238. return;
  239. }