You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
410 lines
11 KiB
410 lines
11 KiB
//************************************************************************
|
|
//
|
|
// dpmfntd.c : Dynamic Patch Module for NTDLL API family
|
|
//
|
|
// History:
|
|
// 26-jan-02 cmjones created it.
|
|
//
|
|
//************************************************************************
|
|
#ifdef DBG
|
|
unsigned long dwLogLevel = 0;
|
|
#endif
|
|
|
|
#include <nt.h>
|
|
#include <ntrtl.h>
|
|
#include <nturtl.h>
|
|
#include <windows.h>
|
|
#include "dpmtbls.h"
|
|
#include "dpmdbg.h" // include handy debug print macros
|
|
#include "shimdb.h"
|
|
|
|
BOOL DllInitProc(HMODULE hModule, DWORD Reason, PCONTEXT pContext);
|
|
PFAMILY_TABLE DpmInitFamTable(PFAMILY_TABLE,
|
|
HMODULE,
|
|
PVOID,
|
|
PVOID,
|
|
LPWSTR,
|
|
PDPMMODULESETS);
|
|
void DpmDestroyFamTable(PFAMILY_TABLE pgDpmFamTbl, PFAMILY_TABLE pFT);
|
|
|
|
|
|
#define GROW_HEAP_AS_NEEDED 0
|
|
HANDLE hHeap = NULL;
|
|
|
|
DWORD dwTlsIndex;
|
|
char szShimEngDll[] = "\\ShimEng.dll";
|
|
|
|
BOOL DllInitProc(HMODULE hModule, DWORD Reason, PCONTEXT pContext)
|
|
{
|
|
BOOL bRet = TRUE;
|
|
|
|
UNREFERENCED_PARAMETER(hModule);
|
|
UNREFERENCED_PARAMETER(pContext);
|
|
|
|
switch(Reason) {
|
|
|
|
case DLL_PROCESS_ATTACH:
|
|
|
|
if((hHeap = HeapCreate(0, 4096, GROW_HEAP_AS_NEEDED)) == NULL) {
|
|
DPMDBGPRN("NTVDM::DpmfNtd:Can't initialize heap!\n");
|
|
bRet = FALSE;
|
|
}
|
|
|
|
dwTlsIndex = TlsAlloc();
|
|
if(dwTlsIndex == TLS_OUT_OF_INDEXES) {
|
|
DPMDBGPRN("NTVDM::DpmfNtd:Can't initialize TLS!\n");
|
|
bRet = FALSE;
|
|
}
|
|
|
|
break;
|
|
|
|
case DLL_PROCESS_DETACH:
|
|
if(hHeap) {
|
|
HeapDestroy(hHeap);
|
|
}
|
|
TlsFree(dwTlsIndex);
|
|
break;
|
|
}
|
|
|
|
return bRet;
|
|
}
|
|
|
|
|
|
|
|
|
|
PFAMILY_TABLE DpmInitFamTable(PFAMILY_TABLE pgDpmFamTbl,
|
|
HMODULE hMod,
|
|
PVOID hSdb,
|
|
PVOID pSdbQuery,
|
|
LPWSTR pwszAppFilePath,
|
|
PDPMMODULESETS pModSet)
|
|
{
|
|
int i, numApis, len;
|
|
PVOID lpdpmfn;
|
|
PFAMILY_TABLE pFT = NULL;
|
|
PVOID *pFN = NULL;
|
|
PVOID *pShimTbl = NULL;
|
|
PAPIDESC pApiDesc = NULL;
|
|
VDMTABLE VdmTbl;
|
|
char szShimEng[MAX_PATH];
|
|
HMODULE hModShimEng = NULL;
|
|
LPFNSE_SHIMNTVDM lpShimNtvdm;
|
|
|
|
DPMDBGPRN("NTVDM::DpmfNtd:Initialziing File I/O API tables\n");
|
|
|
|
|
|
// Get hooked API count from global table
|
|
numApis = pgDpmFamTbl->numHookedAPIs;
|
|
|
|
// Allocate a new family table
|
|
pFT = (PFAMILY_TABLE)HeapAlloc(hHeap,
|
|
HEAP_ZERO_MEMORY,
|
|
sizeof(FAMILY_TABLE));
|
|
if(!pFT) {
|
|
DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:malloc 1 failed\n");
|
|
goto ErrorExit;
|
|
}
|
|
|
|
// Allocate the shim dispatch table for this family in this task
|
|
pShimTbl = (PVOID *)HeapAlloc(hHeap,
|
|
HEAP_ZERO_MEMORY,
|
|
numApis * sizeof(PVOID));
|
|
if(!pShimTbl) {
|
|
DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:malloc 2 failed\n");
|
|
goto ErrorExit;
|
|
}
|
|
pFT->pDpmShmTbls = pShimTbl;
|
|
|
|
// Allocate an array of ptrs to hooked API's
|
|
pFN = (PVOID *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, numApis * sizeof(PVOID));
|
|
|
|
if(!pFN) {
|
|
DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:malloc 3 failed\n");
|
|
goto ErrorExit;
|
|
}
|
|
pFT->pfn = pFN;
|
|
|
|
pFT->numHookedAPIs = numApis;
|
|
pFT->hMod = hMod;
|
|
|
|
// Allocate a temp array of APIDESC structs to help attach shims
|
|
pApiDesc = (PAPIDESC)HeapAlloc(hHeap,
|
|
HEAP_ZERO_MEMORY,
|
|
numApis * sizeof(APIDESC));
|
|
if(!pApiDesc) {
|
|
DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:malloc 4 failed\n");
|
|
goto ErrorExit;
|
|
}
|
|
VdmTbl.nApiCount = numApis;
|
|
VdmTbl.ppfnOrig = pShimTbl;
|
|
VdmTbl.pApiDesc = pApiDesc;
|
|
|
|
// Fill in the family table with ptrs to the patch functions in this DLL.
|
|
for(i = 0; i < numApis; i++) {
|
|
|
|
// must start with 1 since EXPORT ordinals can't be == 0
|
|
lpdpmfn = (PVOID)GetProcAddress(hMod, (LPCSTR)MAKELONG(i+1, 0));
|
|
if(!lpdpmfn) {
|
|
DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:Unable to get proc address\n");
|
|
goto ErrorExit;
|
|
}
|
|
|
|
// save ptr to the real API in the shim table until it gets shimmed
|
|
pShimTbl[i] = pgDpmFamTbl->pfn[i];
|
|
|
|
// relate the corresponding module and API name to the API function ptr
|
|
pApiDesc[i].pszModule = (char *)pModSet->ApiModuleName;
|
|
pApiDesc[i].pszApi = (char *)pModSet->ApiNames[i];
|
|
|
|
// save ptr to the patch function
|
|
pFN[i] = lpdpmfn;
|
|
|
|
}
|
|
|
|
// Only do this if we need to attach the shim engine.
|
|
GetSystemDirectory(szShimEng, MAX_PATH);
|
|
strcat(szShimEng, szShimEngDll);
|
|
hModShimEng = LoadLibrary(szShimEng);
|
|
pFT->hModShimEng = hModShimEng;
|
|
|
|
if(NULL == hModShimEng) {
|
|
DPMDBGPRN("NTVDM::dpmfntd:DpmInit:ShimEng load failed\n");
|
|
goto ErrorExit;
|
|
}
|
|
|
|
lpShimNtvdm = (LPFNSE_SHIMNTVDM)GetProcAddress(hModShimEng, "SE_ShimNTVDM");
|
|
|
|
if(!lpShimNtvdm) {
|
|
DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:GetProcAddress failed\n");
|
|
goto ErrorExit;
|
|
}
|
|
|
|
// Patch the shim dispatch table with the shim function ptrs
|
|
// If this fails we will stick with ptrs to the original API's
|
|
(lpShimNtvdm)(pwszAppFilePath, hSdb, pSdbQuery, &VdmTbl);
|
|
|
|
// Do this if you want dispatch directly to the shim functions
|
|
// for(i = 0; i < numApis; i++) {
|
|
// pFN[i] = pShimTbl[i];
|
|
// }
|
|
// HeapFree(hHeap, 0, pShimTbl);
|
|
// pFT->pDpmShmTbls = NULL;
|
|
|
|
if(!TlsSetValue(dwTlsIndex, pFT)) {
|
|
DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:TLS set failed\n");
|
|
goto ErrorExit;
|
|
}
|
|
|
|
if(pApiDesc) {
|
|
HeapFree(hHeap, 0, pApiDesc);
|
|
}
|
|
|
|
DPMDBGPRN1(" DpmfNtd:Returning File I/o API tables: %#lx\n",pFT);
|
|
return(pFT);
|
|
|
|
ErrorExit:
|
|
DPMDBGPRN(" DpmfNtd:Init failed: Returning NULL\n");
|
|
DpmDestroyFamTable(pgDpmFamTbl, pFT);
|
|
|
|
if(pApiDesc) {
|
|
HeapFree(hHeap, 0, pApiDesc);
|
|
}
|
|
return(NULL);
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void DpmDestroyFamTable(PFAMILY_TABLE pgDpmFamTbl, PFAMILY_TABLE pFT)
|
|
{
|
|
PVDM_TIB pVdmTib;
|
|
PVOID *pShimTbl;
|
|
LPFNSE_REMOVENTVDM lpfnSE_RemoveNtvdmTask = NULL;
|
|
|
|
DPMDBGPRN("NTVDM::DpmfNtd:Destroying NTDLL API tables for task\n");
|
|
|
|
// if this task is using the global table for this family, nothing to do
|
|
if(!pFT || pFT == pgDpmFamTbl)
|
|
return;
|
|
|
|
pShimTbl = pFT->pDpmShmTbls;
|
|
|
|
if(pShimTbl) {
|
|
HeapFree(hHeap, 0, pShimTbl);
|
|
}
|
|
|
|
if(pFT->pfn) {
|
|
HeapFree(hHeap, 0, pFT->pfn);
|
|
}
|
|
|
|
// See if the shim engine is attached & detach it
|
|
if(pFT->hModShimEng) {
|
|
|
|
lpfnSE_RemoveNtvdmTask =
|
|
(LPFNSE_REMOVENTVDM)GetProcAddress(pFT->hModShimEng,
|
|
"SE_RemoveNTVDMTask");
|
|
|
|
if(lpfnSE_RemoveNtvdmTask) {
|
|
(lpfnSE_RemoveNtvdmTask)(NtCurrentTeb()->ClientId.UniqueThread);
|
|
}
|
|
FreeLibrary(pFT->hModShimEng);
|
|
}
|
|
|
|
HeapFree(hHeap, 0, pFT);
|
|
}
|
|
|
|
|
|
|
|
|
|
// ^^^^^^^^^^ All the above should be in every DPM module. ^^^^^^^^^^^^
|
|
|
|
|
|
|
|
// vvvvvvvvvv Define module specific stuff below. vvvvvvvvvvvv
|
|
|
|
|
|
|
|
DWORD dpmNtOpenFile(PHANDLE FileHandle,
|
|
ACCESS_MASK DesiredAccess,
|
|
POBJECT_ATTRIBUTES ObjectAttributes,
|
|
PIO_STATUS_BLOCK IoStatusBlock,
|
|
ULONG ShareAccess,
|
|
ULONG OpenOptions)
|
|
{
|
|
PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
|
|
DWORD ret = 0;
|
|
|
|
DPMDBGPRN("NtOpenFile: ");
|
|
|
|
ret = SHM_NtOpenFile(FileHandle,
|
|
DesiredAccess,
|
|
ObjectAttributes,
|
|
IoStatusBlock,
|
|
ShareAccess,
|
|
OpenOptions);
|
|
|
|
DPMDBGPRN1(" -> %#lx\n", ret);
|
|
|
|
return(ret);
|
|
}
|
|
|
|
|
|
|
|
|
|
DWORD dpmNtQueryDirectoryFile(HANDLE FileHandle,
|
|
HANDLE Event OPTIONAL,
|
|
PIO_APC_ROUTINE ApcRoutine OPTIONAL,
|
|
PVOID ApcContext OPTIONAL,
|
|
PIO_STATUS_BLOCK IoStatusBlock,
|
|
PVOID FileInformation,
|
|
ULONG Length,
|
|
FILE_INFORMATION_CLASS FileInformationClass,
|
|
BOOLEAN ReturnSingleEntry,
|
|
PUNICODE_STRING FileName OPTIONAL,
|
|
BOOLEAN RestartScan)
|
|
{
|
|
PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
|
|
DWORD ret = 0;
|
|
|
|
DPMDBGPRN("NtQueryDirectoryFile: ");
|
|
|
|
ret = SHM_NtQueryDirectoryFile(FileHandle,
|
|
Event,
|
|
ApcRoutine,
|
|
ApcContext,
|
|
IoStatusBlock,
|
|
FileInformation,
|
|
Length,
|
|
FileInformationClass,
|
|
ReturnSingleEntry,
|
|
FileName,
|
|
RestartScan);
|
|
|
|
DPMDBGPRN1(" -> %#lx\n", ret);
|
|
|
|
return(ret);
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
DWORD dpmRtlGetFullPathName_U(PCWSTR lpFileName,
|
|
ULONG nBufferLength,
|
|
PWSTR lpBuffer,
|
|
PWSTR *lpFilePart)
|
|
{
|
|
PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
|
|
DWORD ret = 0;
|
|
|
|
DPMDBGPRN("RtlGetFullPathName_U: ");
|
|
|
|
ret = SHM_RtlGetFullPathName_U(lpFileName,
|
|
nBufferLength,
|
|
lpBuffer,
|
|
lpFilePart);
|
|
|
|
DPMDBGPRN1(" -> %#lx\n", ret);
|
|
|
|
return(ret);
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DWORD dpmRtlGetCurrentDirectory_U(ULONG nBufferLength, PWSTR lpBuffer)
|
|
{
|
|
PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
|
|
DWORD ret = 0;
|
|
|
|
DPMDBGPRN("RtlGetCurrentDirectory_U: ");
|
|
|
|
ret = SHM_RtlGetCurrentDirectory_U(nBufferLength, lpBuffer);
|
|
|
|
DPMDBGPRN1(" -> %#lx\n", ret);
|
|
|
|
return(ret);
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
NTSTATUS dpmRtlSetCurrentDirectory_U(PUNICODE_STRING PathName)
|
|
{
|
|
PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
|
|
NTSTATUS ret = 0;
|
|
|
|
DPMDBGPRN("RtlSetCurrentDirectory_U: ");
|
|
|
|
ret = SHM_RtlSetCurrentDirectory_U(PathName);
|
|
|
|
DPMDBGPRN1(" -> %#lx\n", ret);
|
|
|
|
return(ret);
|
|
}
|
|
|
|
|
|
|
|
DWORD dpmNtVdmControl(VDMSERVICECLASS vdmClass, PVOID pInfo)
|
|
{
|
|
PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
|
|
NTSTATUS ret = 0;
|
|
|
|
DPMDBGPRN("NtVdmControl: ");
|
|
|
|
ret = SHM_NtVdmControl(vdmClass, pInfo);
|
|
|
|
DPMDBGPRN1(" -> %#lx\n", ret);
|
|
|
|
return(ret);
|
|
}
|
|
|
|
|