archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/base/wow64/regremap/w64shim.c

567 lines
18 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2002- Microsoft Corporation
  5. Module Name:
  7. w64shim.c
  9. Abstract:
  11. This module implement Handle redirection for registry redirection.
  13. Author:
  15. ATM Shafiqul Khalid (askhalid) 12-March-2002
  17. Revision History:
  19. --*/
  21. #include <nt.h>
  22. #include <ntrtl.h>
  23. #include <nturtl.h>
  24. #include <windows.h>
  25. #include <stdio.h>
  26. #include <ntregapi.h>
  28. #include "psapi.h"
  30. #define _WOW64REFLECTOR_
  32. #include "regremap.h"
  33. #include "wow64reg.h"
  34. #include "wow64reg\reflectr.h"
  37. #ifdef _WOW64DLLAPI_
  38. #include "wow64.h"
  39. #else
  40. #define ERRORLOG 1 //this one is completely dummy
  41. #define LOGPRINT(x)
  42. #define WOWASSERT(p)
  43. #endif //_WOW64DLLAPI_
  46. //HANDLE hIsDel = INVALID_HANDLE_VALUE;
  48. HANDLE h_IsDel;
  50. BOOL
  51. InitWow64Shim ( )
  52. /*++
  54. Routine Description:
  56. Initialize Shim engine for wow64.
  58. Arguments:
  60. None.
  62. Return Value:
  64. TRUE if the function succeed.
  65. FALSE otherwise.
  67. <TBD> this might allocate more memory and free up later.
  68. --*/
  69. {
  71. PPEB Peb = NtCurrentPeb ();
  72. PUNICODE_STRING Name = &Peb->ProcessParameters->ImagePathName;
  73. if ((Name->Length > 22) && (_wcsnicmp ( Name->Buffer + (Name->Length/2)-11, L"\\_isdel.exe",11) == 0)) {
  74. //
  75. // Image is _isdel.exe
  77. OBJECT_ATTRIBUTES ObjectAttributes;
  78. NTSTATUS Status;
  79. IO_STATUS_BLOCK statusBlock;
  80. UNICODE_STRING FileNameU;
  82. //
  83. // Open the file
  84. //
  85. if (!RtlDosPathNameToNtPathName_U(Name->Buffer,
  86. &FileNameU,
  87. NULL,
  88. NULL)) {
  89. // probably out-of-memory
  90. return FALSE;
  91. }
  93. InitializeObjectAttributes(&ObjectAttributes,
  94. &FileNameU,
  95. OBJ_CASE_INSENSITIVE,
  96. NULL,
  97. NULL);
  99. Status = NtOpenFile(&h_IsDel,
  100. FILE_READ_DATA,
  101. &ObjectAttributes,
  102. &statusBlock,
  103. 0, //FILE_SHARE_READ, //don't share
  104. 0);
  105. //
  106. // Nothing much we can do if the operation fails, its a plain hack.
  107. //
  109. RtlFreeHeap(RtlProcessHeap(), 0, FileNameU.Buffer);
  110. }
  111. return TRUE;
  112. }
  114. BOOL
  115. CloseWow64Shim ()
  116. {
  117. //
  118. // close all the resources allocated during shim Init.
  119. //
  120. if ( h_IsDel != INVALID_HANDLE_VALUE ) {
  121. NtClose (h_IsDel);
  122. h_IsDel = INVALID_HANDLE_VALUE;
  123. }
  124. return TRUE;
  125. }
  127. #ifdef DBG
  129. NTSTATUS
  130. LogDriverAccess (
  131. IN POBJECT_ATTRIBUTES ObjectAttributes
  132. )
  133. /*++
  135. Routine Description:
  137. If the application if trying to access driver [.sys] file, this API will dump a warning
  138. message in the debugger. In the long run this routine might call some API to include
  139. appropriate message to the event log so that administrator can diagnose this instance.
  140. In general creating 32bit driver files (mostly installation) on IA64 doesn't make any
  141. sense at all and admin might need to know what are those files and which apps are touhing
  142. them.
  145. Arguments:
  147. ObjectAttributes - object application is trying to access.
  149. Return Value:
  151. None.
  153. --*/
  154. {
  155. WCHAR DriverNameBuff[MAX_PATH];
  156. WCHAR ImageNameBuff[MAX_PATH];
  157. DWORD CopyLength;
  159. //
  160. // Those definition will move in a header file while logging event.
  161. //
  162. #define WOW64_DRIVER_EXT_NAME L".sys"
  163. #define WOW64_DRIVER_EXT_NAME_LENGTH (sizeof (WOW64_DRIVER_EXT_NAME)/sizeof(WCHAR) - 1 )
  165. try {
  166. if ( ( ObjectAttributes->ObjectName->Length > ( WOW64_DRIVER_EXT_NAME_LENGTH << 1 ))
  167. && !_wcsnicmp ( ObjectAttributes->ObjectName->Buffer - WOW64_DRIVER_EXT_NAME_LENGTH + (ObjectAttributes->ObjectName->Length>>1), WOW64_DRIVER_EXT_NAME, WOW64_DRIVER_EXT_NAME_LENGTH)) {
  169. PPEB Peb = NtCurrentPeb ();
  170. PUNICODE_STRING ImageName;
  171. RTL_UNICODE_STRING_BUFFER DosNameStrBuf;
  172. UNICODE_STRING NtNameStr;
  174. if (Peb->ProcessParameters == NULL)
  175. return STATUS_SUCCESS;
  177. ImageName = &Peb->ProcessParameters->ImagePathName;
  178. RtlInitUnicodeStringBuffer(&DosNameStrBuf, 0, 0);
  180. CopyLength = min (ObjectAttributes->ObjectName->Length, sizeof (DriverNameBuff) - sizeof (UNICODE_NULL)); //skip \??\ ==>8 byte
  181. RtlCopyMemory (DriverNameBuff, (PBYTE)ObjectAttributes->ObjectName->Buffer + ObjectAttributes->ObjectName->Length - CopyLength, CopyLength);
  182. DriverNameBuff[CopyLength>>1] = UNICODE_NULL; //make sure NULL terminated
  184. RtlInitUnicodeString(&NtNameStr, DriverNameBuff);
  185. if ( NT_SUCCESS(RtlAssignUnicodeStringBuffer(&DosNameStrBuf, &NtNameStr)) &&
  186. NT_SUCCESS(RtlNtPathNameToDosPathName(0, &DosNameStrBuf, NULL, NULL))) {
  188. DosNameStrBuf.String.Buffer[DosNameStrBuf.String.Length>>1] = UNICODE_NULL; // make sure NULL terminated is case it has been formatted.
  190. //
  191. // Extract Image name
  192. //
  193. ImageNameBuff[0] = UNICODE_NULL;
  194. if (ImageName->Length >0) {
  195. ASSERT (ImageName->Buffer != NULL);
  197. CopyLength = min (ImageName->Length, sizeof (ImageNameBuff) - sizeof (UNICODE_NULL));
  198. RtlCopyMemory (ImageNameBuff, (PBYTE)ImageName->Buffer + ImageName->Length - CopyLength, CopyLength);
  199. ImageNameBuff[CopyLength>>1] = UNICODE_NULL; //make sure NULL terminated
  200. }
  202. LOGPRINT((ERRORLOG,"Wow64-driver access warning: [%S] is a 32bit application trying to create/access 32bit driver [%S]\n", ImageNameBuff, DosNameStrBuf.String.Buffer));
  203. //
  204. // BUGBUG: deny access to write files.
  205. // Check file creation flag and also \drivers string.
  206. //
  207. return STATUS_ACCESS_DENIED;
  208. }
  209. RtlFreeUnicodeStringBuffer(&DosNameStrBuf);
  210. }
  211. } except( EXCEPTION_EXECUTE_HANDLER){
  213. return STATUS_SUCCESS;
  214. }
  215. return STATUS_SUCCESS;
  216. }
  217. #endif
  219. BOOL
  220. CheckAndThunkFileName (
  221. IN OUT POBJECT_ATTRIBUTES ObjectAttributes,
  222. IN OUT PULONG pShareAccess,
  223. IN ULONG DesiredAccess,
  224. IN ULONG Option,
  225. IN ULONG DespositionFlag,
  226. IN ULONG CallFlag //0 for NtOpenFile and 1- for NtCreateFile
  227. )
  228. {
  229. NTSTATUS Ret;
  230. PUNICODE_STRING Name = ObjectAttributes->ObjectName;
  231. PUNICODE_STRING NewName = NULL;
  233. //
  234. // Check if any install shield stuff
  235. // Following code should be active in the process that does deal with 16bit process.
  236. // Need to initialize some flag possibly NtVdm64
  237. //
  240. try {
  242. //
  243. // filter access for scripbuilder that pass
  244. // (ShareAccess= 0, DesAcc = 0x80100080, Options 0x60, Desposition = 1) that need to be failed
  245. // and (7, 0x100100, 204020, 0) and (7, 10080, 204040, 0) that doesn't need redirection
  246. //
  248. if (*pShareAccess == 0x7)
  249. return FALSE; //shared delete don't need any redirection
  250. //
  251. //
  252. //
  253. if (CallFlag == 0) // Don't redirect OpenCall for the time being this was a hack for Scriptbuilder
  254. return FALSE;
  256. if ((Name->Length > 22) && (_wcsnicmp ( Name->Buffer + (Name->Length/2)-11, L"\\_isdel.exe",11) == 0)) {
  257. // Check if the name is \_isdel.exe
  260. PPEB Peb = NtCurrentPeb ();
  261. PUNICODE_STRING ImageName = &Peb->ProcessParameters->ImagePathName;
  262. if (
  263. (ImageName->Length > 36) && //check if its scriptbuilder
  264. (_wcsnicmp ( ImageName->Buffer + (ImageName->Length/2)-18, L"\\scriptbuilder.exe",18) == 0)
  265. ) {
  269. //
  270. // The memory allocation contains a terminating NULL character, but the
  271. // Unicode string's Length does not.
  272. //
  274. SIZE_T SystemRootLength = wcslen(USER_SHARED_DATA->NtSystemRoot);
  275. SIZE_T NameLength = sizeof(L"\\??\\")-sizeof(WCHAR) +
  276. SystemRootLength*sizeof(WCHAR) +
  277. sizeof(L'\\') +
  278. sizeof(WOW64_SYSTEM_DIRECTORY_U)-sizeof(WCHAR) +
  279. sizeof(L"\\InstallShield\\_isdel.exe");
  281. NewName = Wow64AllocateTemp(sizeof(UNICODE_STRING)+NameLength);
  282. NewName->Length = (USHORT)NameLength-sizeof(WCHAR);
  283. NewName->MaximumLength = NewName->Length;
  284. NewName->Buffer = (PWSTR)(NewName+1);
  285. wcscpy(NewName->Buffer, L"\\??\\");
  286. wcscpy(&NewName->Buffer[4], USER_SHARED_DATA->NtSystemRoot);
  287. NewName->Buffer[4+SystemRootLength] = '\\';
  288. wcscpy(&NewName->Buffer[4+SystemRootLength+1], WOW64_SYSTEM_DIRECTORY_U);
  289. wcscpy(&NewName->Buffer[4+SystemRootLength+1+(sizeof(WOW64_SYSTEM_DIRECTORY_U)-sizeof (UNICODE_NULL))/sizeof(WCHAR)], L"\\InstallShield\\_isdel.exe");
  290. ObjectAttributes->ObjectName = NewName;
  291. ObjectAttributes->RootDirectory = NULL;
  293. //
  294. // DbgPrint ("\nPatched _isDel.exe Flag %x, %x, %x, %x, %x", *pShareAccess, DesiredAccess, Option, DespositionFlag, CallFlag);
  295. //
  297. if ( pShareAccess != NULL )
  298. *pShareAccess = 0;
  299. }
  301. } //if check _isdel
  302. } except( NULL, EXCEPTION_EXECUTE_HANDLER){
  304. return FALSE;
  305. }
  307. return TRUE;
  308. }
  310. NTSTATUS
  311. Wow64NtCreateFile(
  312. OUT PHANDLE FileHandle,
  313. IN ACCESS_MASK DesiredAccess,
  314. IN POBJECT_ATTRIBUTES ObjectAttributes,
  315. OUT PIO_STATUS_BLOCK IoStatusBlock,
  316. IN PLARGE_INTEGER AllocationSize OPTIONAL,
  317. IN ULONG FileAttributes,
  318. IN ULONG ShareAccess,
  319. IN ULONG CreateDisposition,
  320. IN ULONG CreateOptions,
  321. IN PVOID EaBuffer OPTIONAL,
  322. IN ULONG EaLength
  323. )
  325. /*++
  327. Routine Description:
  329. This service opens or creates a file, or opens a device. It is used to
  330. establish a file handle to the open device/file that can then be used
  331. in subsequent operations to perform I/O operations on. For purposes of
  332. readability, files and devices are treated as "files" throughout the
  333. majority of this module and the system service portion of the I/O system.
  334. The only time a distinction is made is when it is important to determine
  335. which is really being accessed. Then a distinction is also made in the
  336. comments.
  338. Arguments:
  340. FileHandle - A pointer to a variable to receive the handle to the open file.
  342. DesiredAccess - Supplies the types of access that the caller would like to
  343. the file.
  345. ObjectAttributes - Supplies the attributes to be used for file object (name,
  346. SECURITY_DESCRIPTOR, etc.)
  348. IoStatusBlock - Specifies the address of the caller's I/O status block.
  350. AllocationSize - Initial size that should be allocated to the file. This
  351. parameter only has an affect if the file is created. Further, if
  352. not specified, then it is taken to mean zero.
  354. FileAttributes - Specifies the attributes that should be set on the file,
  355. if it is created.
  357. ShareAccess - Supplies the types of share access that the caller would like
  358. to the file.
  360. CreateDisposition - Supplies the method for handling the create/open.
  362. CreateOptions - Caller options for how to perform the create/open.
  364. EaBuffer - Optionally specifies a set of EAs to be applied to the file if
  365. it is created.
  367. EaLength - Supplies the length of the EaBuffer.
  369. Return Value:
  371. The function value is the final status of the create/open operation.
  373. --*/
  375. {
  376. NTSTATUS Ret;
  378. #ifdef DBG
  379. Ret = LogDriverAccess ( ObjectAttributes);
  380. if (!NT_SUCCESS (Ret))
  381. return Ret;
  382. #endif
  384. if ( CreateDisposition == FILE_OPEN ){
  386. CheckAndThunkFileName (
  387. ObjectAttributes,
  388. &ShareAccess,
  389. DesiredAccess,
  390. CreateOptions,
  391. CreateDisposition,
  392. 1
  393. );
  394. }
  397. Ret = NtCreateFile(
  398. FileHandle,
  399. DesiredAccess,
  400. ObjectAttributes,
  401. IoStatusBlock,
  402. AllocationSize,
  403. FileAttributes,
  404. ShareAccess,
  405. CreateDisposition,
  406. CreateOptions,
  407. EaBuffer,
  408. EaLength
  409. );
  411. return Ret;
  412. }
  414. NTSTATUS
  415. Wow64NtOpenFile(
  416. OUT PHANDLE FileHandle,
  417. IN ACCESS_MASK DesiredAccess,
  418. IN POBJECT_ATTRIBUTES ObjectAttributes,
  419. OUT PIO_STATUS_BLOCK IoStatusBlock,
  420. IN ULONG ShareAccess,
  421. IN ULONG OpenOptions
  422. )
  423. {
  425. NTSTATUS Ret;
  427. CheckAndThunkFileName (
  428. ObjectAttributes,
  429. &ShareAccess,
  430. DesiredAccess,
  431. OpenOptions,
  432. 0,
  433. 0
  434. );
  436. Ret = NtOpenFile(
  437. FileHandle,
  438. DesiredAccess,
  439. ObjectAttributes,
  440. IoStatusBlock,
  441. ShareAccess,
  442. OpenOptions
  443. );
  445. return Ret;
  446. }
  448. /****************************************************************************/
  450. #define TOTAL_GUARD_REGION_RESERVE 0x3000 //64K memory
  451. #define SIGNATURE_SIZE 0x1000 //a small window in the reserved region to put signature
  453. DWORD dwCount=0;
  454. DWORD dwCountMax=0x5000;
  456. NTSTATUS
  457. Wow64DbgNtAllocateVirtualMemory (
  458. IN HANDLE ProcessHandle,
  459. IN OUT PVOID *BaseAddress,
  460. IN ULONG_PTR ZeroBits,
  461. IN OUT PSIZE_T RegionSize,
  462. IN ULONG AllocationType,
  463. IN ULONG Protect
  464. )
  465. {
  466. NTSTATUS St;
  467. NTSTATUS St1;
  469. PVOID Base1=NULL;
  470. SIZE_T RegionSizeExtra = 0;
  472. if ((dwCount++ > dwCountMax) && (*BaseAddress == NULL) && (MEM_RESERVE & AllocationType) && (*RegionSize = 0x10000 )) {
  473. *RegionSize +=TOTAL_GUARD_REGION_RESERVE;
  474. RegionSizeExtra = TOTAL_GUARD_REGION_RESERVE;
  475. //DbgPrint ("Guard page %x %x A:%x P:%x\n", *BaseAddress, *RegionSize, AllocationType, Protect);
  476. }
  478. St = NtAllocateVirtualMemory (
  479. ProcessHandle,
  480. BaseAddress,
  481. ZeroBits,
  482. RegionSize,
  483. AllocationType,
  484. Protect
  485. );
  487. if (NT_SUCCESS (St) && RegionSizeExtra ) {
  488. //
  489. // Commit some pages and return memory in the middle
  490. //
  491. SIZE_T R1 = SIGNATURE_SIZE;
  492. PWCHAR Name;
  494. Base1 = *BaseAddress;
  495. *BaseAddress = (PVOID)((ULONGLONG)(*BaseAddress)+RegionSizeExtra);
  496. *RegionSize -=TOTAL_GUARD_REGION_RESERVE;
  497. St1 = NtAllocateVirtualMemory (
  498. ProcessHandle,
  499. &Base1,
  500. ZeroBits,
  501. &R1,
  502. MEM_COMMIT,
  503. PAGE_READWRITE
  504. );
  506. //
  507. // Write the signature
  508. //
  510. if (NT_SUCCESS (St1)) {
  511. Name = (PWCHAR)(Base1);
  512. wcscpy (Name, L"ATM Shafiqul Khalid");
  513. }
  515. } //if extra region is to be committed.
  517. return St;
  518. }
  520. NTSTATUS
  521. Wow64DbgNtFreeVirtualMemory(
  522. IN HANDLE ProcessHandle,
  523. IN OUT PVOID *BaseAddress,
  524. IN OUT PSIZE_T RegionSize,
  525. IN ULONG FreeType
  526. )
  527. {
  528. NTSTATUS st;
  529. PVOID Base1;
  530. PWCHAR Name = (PWCHAR)(((ULONGLONG)*BaseAddress)-TOTAL_GUARD_REGION_RESERVE);
  531. MEMORY_BASIC_INFORMATION MemoryInformation;
  533. if ((dwCount > dwCountMax) && (MEM_RELEASE & FreeType)) {
  535. try {
  537. st = NtQueryVirtualMemory(ProcessHandle,
  538. Name,
  539. MemoryBasicInformation,
  540. &MemoryInformation,
  541. sizeof(MEMORY_BASIC_INFORMATION),
  542. NULL);
  544. if (NT_SUCCESS(st) && MemoryInformation.State == MEM_COMMIT)
  545. if (wcsncmp (Name, L"ATM Shafiqul Khalid", 20 )==0) {
  546. *RegionSize += TOTAL_GUARD_REGION_RESERVE;
  547. *BaseAddress = (PVOID)((ULONGLONG)(*BaseAddress)-TOTAL_GUARD_REGION_RESERVE);
  551. //DbgPrint ("#########Freeing Guarded Memory#########");
  552. }
  554. } except( NULL, EXCEPTION_EXECUTE_HANDLER){
  555. ;
  556. }
  558. }
  560. st = NtFreeVirtualMemory(
  561. ProcessHandle,
  562. BaseAddress,
  563. RegionSize,
  564. FreeType
  565. );
  566. return st;
  568. }