archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/windows/appcompat/shims/specific/safedisc.cpp

203 lines
5.5 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2001 Microsoft Corporation
  5. Module Name:
  7. SafeDisc.cpp
  9. Abstract:
  11. Some versions of SafeDisc try to validate kernel32 by checking if certain
  12. APIs fall within a particular area in the PE image. Our BBT process moves
  13. everything around and therefore breaks their checks.
  15. This shim can be used to fix this problems by effectively moving the entry
  16. point of the APIs they test to a jump table located in a 'valid' location.
  18. The valid location itself is an API that isn't used, but does happen to lie
  19. before the export directory.
  21. Notes:
  23. This is an app specific shim.
  25. History:
  27. 06/15/2001 linstev Created
  29. --*/
  31. #include "precomp.h"
  33. IMPLEMENT_SHIM_BEGIN(SafeDisc)
  35. #include "ShimHookMacro.h"
  37. APIHOOK_ENUM_BEGIN
  38. APIHOOK_ENUM_END
  40. #pragma pack(1)
  42. //
  43. // Random API used as a placeholder for a jump table. It's offset must be less
  44. // than the export directory. Also, since it's overwritten with a jump table,
  45. // it should not be an API that is used.
  46. //
  47. CHAR *g_szRandomAPI = "CreateMailslotA";
  49. struct HOOK {
  50. CHAR *szName;
  51. FARPROC lpAddress;
  52. };
  53. HOOK g_aHooks[] = {
  54. { "ReadProcessMemory" , 0 },
  55. { "WriteProcessMemory" , 0 },
  56. { "VirtualProtect" , 0 },
  57. { "CreateProcessA" , 0 },
  58. { "CreateProcessW" , 0 },
  59. { "GetStartupInfoA" , 0 },
  60. { "GetStartupInfoW" , 0 },
  61. { "GetSystemTime" , 0 },
  62. { "GetSystemTimeAsFileTime" , 0 },
  63. { "TerminateProcess" , 0 },
  64. { "Sleep" , 0 }
  65. };
  66. DWORD g_dwHookCount = sizeof(g_aHooks) / sizeof(HOOK);
  68. BOOL Patch()
  69. {
  70. //
  71. // Get the kernel32 image base
  72. //
  73. HMODULE hKernel = GetModuleHandleW(L"kernel32");
  74. if (!hKernel) {
  75. goto Fail;
  76. }
  78. //
  79. // Get the address of the semi-random API where we'll put our jump table
  80. //
  81. FARPROC lpRandomAPI = GetProcAddress(hKernel, g_szRandomAPI);
  82. if (lpRandomAPI == NULL)
  83. {
  84. goto Fail;
  85. }
  87. //
  88. // Get the export directory
  89. //
  90. PIMAGE_DOS_HEADER pIDH = (PIMAGE_DOS_HEADER) hKernel;
  91. PIMAGE_NT_HEADERS pINTH = (PIMAGE_NT_HEADERS)((LPBYTE) hKernel + pIDH->e_lfanew);
  92. DWORD dwExportOffset = pINTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
  93. PIMAGE_EXPORT_DIRECTORY lpExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD_PTR)hKernel + dwExportOffset);
  95. //
  96. // Write out the jump table
  97. //
  98. LPBYTE lpCurrAPI = (LPBYTE) lpRandomAPI;
  99. for (UINT i=0; i<g_dwHookCount; i++) {
  100. //
  101. // Loop through each API and create a jump table entry for it
  102. //
  103. DWORD dwAPIOffset;
  105. g_aHooks[i].lpAddress = GetProcAddress(hKernel, g_aHooks[i].szName);
  106. dwAPIOffset = (DWORD)((DWORD_PTR) g_aHooks[i].lpAddress - (DWORD_PTR) hKernel);
  108. //
  109. // This API will cause problems for SafeDisc if it's after the export directory
  110. //
  111. if (dwAPIOffset > dwExportOffset) {
  112. //
  113. // Each jump table entry has the form: jmp dword ptr [address]
  114. //
  115. struct PATCH {
  116. WORD wJump;
  117. DWORD dwAddress;
  118. };
  119. PATCH patch = { 0x25FF, (DWORD_PTR)&g_aHooks[i].lpAddress };
  120. DWORD dwOldProtect;
  122. DPF("SafeDisc", eDbgLevelWarning, "API %s is being redirected", g_aHooks[i].szName);
  124. //
  125. // Write the jump table entry
  126. //
  127. if (!VirtualProtect(lpCurrAPI, sizeof(PATCH), PAGE_READWRITE, &dwOldProtect)) {
  128. goto Fail;
  129. }
  131. MoveMemory(lpCurrAPI, &patch, sizeof(PATCH));
  133. if (!VirtualProtect(lpCurrAPI, sizeof(PATCH), dwOldProtect, &dwOldProtect)) {
  134. goto Fail;
  135. }
  137. //
  138. // Now patch the export directory
  139. //
  140. LPDWORD lpExportList = (LPDWORD)((DWORD_PTR) hKernel + lpExportDirectory->AddressOfFunctions);
  141. for (UINT j=0; j<lpExportDirectory->NumberOfFunctions; j++) {
  142. if (*lpExportList == dwAPIOffset) {
  143. //
  144. // We've found the offset in the export directory, so patch it with the
  145. // new address
  146. //
  147. DWORD dwNewAPIOffset = (DWORD)((DWORD_PTR) lpCurrAPI - (DWORD_PTR) hKernel);
  149. if (!VirtualProtect(lpExportList, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect)) {
  150. goto Fail;
  151. }
  153. MoveMemory(lpExportList, &dwNewAPIOffset, sizeof(DWORD));
  155. if (!VirtualProtect(lpExportList, sizeof(DWORD), dwOldProtect, &dwOldProtect)) {
  156. goto Fail;
  157. }
  158. break;
  159. }
  160. lpExportList++;
  161. }
  163. lpCurrAPI += sizeof(PATCH);
  164. }
  165. }
  168. return TRUE;
  170. Fail:
  172. return FALSE;
  173. }
  175. /*++
  177. Register hooked functions
  179. --*/
  181. BOOL
  182. NOTIFY_FUNCTION(
  183. DWORD fdwReason)
  184. {
  185. if (fdwReason == DLL_PROCESS_ATTACH) {
  186. CHAR *lpCommandLine = COMMAND_LINE;
  188. if (lpCommandLine && (*lpCommandLine != '\0')) {
  189. g_szRandomAPI = lpCommandLine;
  190. }
  192. Patch();
  193. }
  195. return TRUE;
  196. }
  198. HOOK_BEGIN
  199. CALL_NOTIFY_FUNCTION
  200. HOOK_END
  202. IMPLEMENT_SHIM_END