archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
 
 
 
 
 
 
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/sdktools/debuggers/minidump/prov_w9x.cpp

1038 lines
23 KiB
Raw Blame History

/*++
Copyright (c) 1999-2002 Microsoft Corporation
Algorithm:
Unfortunately, implementing OpenThread cannot be done in a simple
manner. What follows is a very system dependent hack. If the structure
of the TDB or the implementation of OpenProcess change very much, this
function will break.
To have any idea of what we are doing here, you should be familiar with
Win9x internals. If you are not familiar with the Win9x source, consult
the book "Windows 95 System Programming SECRETS" by Matt Pietrek. Things
are not exactly the same for Win98 -- but pretty close.
OpenThread is a very simple function. If we were compiled withing the
Win9x source code base, the code would be simple:
OpenThread:
pObj = TidToTDB (dwThreadId);
return AllocHandle (GetCurrentPdb(), pObj, Flags);
Since we are not, the challenge is implementing the functions TidToTDB()
and AllocHandle().
Our approach is as follows:
1) We reverse-engineer TidToTDB since it is simple. TidToTDB is just
the thread-id xor'd with the Win9x Obfuscator.
2) We search through the code of OpenProcess until we find the address
of AllocHandle. We use this to allocate new handles in the
process's handle database.
3) OpenThread is then implemented in terms of the above primitives.
Author:
Matthew D Hendel (math) 01-Sept-1999
--*/
#include "pch.cpp"
//
// Win9x support is x86-only.
//
#ifdef _X86_
typedef struct _MATCH_BUFFER {
ULONG Offset;
BYTE Byte;
} MATCH_BUFFER, *PMATCH_BUFFER;
typedef struct _OS_INFORMATION {
PMATCH_BUFFER MatchBuffer;
ULONG AllocHandleOffset;
} OS_INFORMATION, POS_INFORMATION;
/*++
Operating System:
Win95
Description:
This is the disasm of the OpenProcess routine on Win95. We attempt to
match this routine and pull out the value for AllocHandle from the code
for this routine. In this case, AllocHande is called by the third call in
this function.
The instructions marked by '*' are those we use for matching.
OpenProcess:
* BFF9404C: FF 74 24 0C push dword ptr [esp+0Ch]
* BFF94050: E8 2D 87 FE FF call BFF7C782
BFF94055: 85 C0 test eax,eax
BFF94057: 75 04 jne BFF9405D
BFF94059: 33 C0 xor eax,eax
BFF9405B: EB 56 jmp BFF940B3
BFF9405D: 83 38 05 cmp dword ptr [eax],5
BFF94060: 74 0E je BFF94070
BFF94062: 6A 57 push 57h
* BFF94064: E8 BC 68 FE FF call BFF7A925
BFF94069: B9 FF FF FF FF mov ecx,0FFFFFFFFh
BFF9406E: EB 33 jmp BFF940A3
BFF94070: B9 00 00 00 00 mov ecx,0
BFF94075: 8B 54 24 04 mov edx,dword ptr [esp+4]
BFF94079: 83 7C 24 08 01 cmp dword ptr [esp+8],1
BFF9407E: 83 D1 FF adc ecx,0FFFFFFFFh
BFF94081: 81 E2 BF FF 1F 00 and edx,1FFFBFh
BFF94087: 81 E1 00 00 00 80 and ecx,80000000h
BFF9408D: 0B CA or ecx,edx
BFF9408F: 8B 15 7C C2 FB BF mov edx,dword ptr ds:[BFFBC27Ch]
BFF94095: 80 C9 40 or cl,40h
BFF94098: 51 push ecx
BFF94099: 50 push eax
BFF9409A: FF 32 push dword ptr [edx]
* BFF9409C: E8 6E 76 FE FF call BFF7B70F
BFF940A1: 8B C8 mov ecx,eax
BFF940A3: 8D 41 01 lea eax,[ecx+1]
BFF940A6: 83 F8 01 cmp eax,1
BFF940A9: B8 00 00 00 00 mov eax,0
BFF940AE: 83 D0 FF adc eax,0FFFFFFFFh
BFF940B1: 23 C1 and eax,ecx
BFF940B3: C2 0C 00 ret 0Ch
--*/
MATCH_BUFFER Win95AllocHandleMatch [] = {
//
// ret 0x0C at offset 103
//
{ 103, 0xC2 },
{ 104, 0x0C },
{ 105, 0x00 },
//
// push dword ptr [exp 0x0C] at offset 0
//
{ 0, 0xFF },
{ 1, 0x74 },
{ 2, 0x24 },
{ 3, 0x0C },
//
// call at offset 4
//
{ 4, 0xE8 },
//
// call at offset 24
//
{ 24, 0xE8 },
//
// call at offset 80
//
{ 80, 0xE8 },
//
// End of match list.
//
{ -1, -1 }
};
/*++
Operating system:
Win98
Description:
See comments above regarding OpenProcess.
OpenProcess:
* BFF95C4D: FF 74 24 0C push dword ptr [esp+0Ch]
* BFF95C51: E8 C9 8E FE FF call BFF7EB1F
BFF95C56: 85 C0 test eax,eax
BFF95C58: 75 04 jne BFF95C5E
BFF95C5A: 33 C0 xor eax,eax
BFF95C5C: EB 53 jmp BFF95CB1
BFF95C5E: 80 38 06 cmp byte ptr [eax],6
BFF95C61: 74 0E je BFF95C71
BFF95C63: 6A 57 push 57h
* BFF95C65: E8 27 6D FE FF call BFF7C991
BFF95C6A: B9 FF FF FF FF mov ecx,0FFFFFFFFh
BFF95C6F: EB 30 jmp BFF95CA1
BFF95C71: B9 00 00 00 00 mov ecx,0
BFF95C76: 8B 54 24 04 mov edx,dword ptr [esp+4]
BFF95C7A: 83 7C 24 08 01 cmp dword ptr [esp+8],1
BFF95C7F: 83 D1 FF adc ecx,0FFFFFFFFh
BFF95C82: 81 E2 FF 0F 1F 00 and edx,1F0FFFh
BFF95C88: 81 E1 00 00 00 80 and ecx,80000000h
BFF95C8E: 0B CA or ecx,edx
BFF95C90: 8B 15 DC 9C FC BF mov edx,dword ptr ds:[BFFC9CDCh]
BFF95C96: 51 push ecx
BFF95C97: 50 push eax
BFF95C98: FF 32 push dword ptr [edx]
* BFF95C9A: E8 5A 7E FE FF call BFF7DAF9
BFF95C9F: 8B C8 mov ecx,eax
BFF95CA1: 8D 41 01 lea eax,[ecx+1]
BFF95CA4: 83 F8 01 cmp eax,1
BFF95CA7: B8 00 00 00 00 mov eax,0
BFF95CAC: 83 D0 FF adc eax,0FFFFFFFFh
BFF95CAF: 23 C1 and eax,ecx
* BFF95CB1: C2 0C 00 ret 0Ch
--*/
MATCH_BUFFER Win98AllocHandleMatch [] = {
//
// ret 0x0C at offset 100
//
{ 100, 0xC2 },
{ 101, 0x0C },
{ 102, 0x00 },
//
// push dword ptr [exp 0x0C] at offset 0
//
{ 0, 0xFF },
{ 1, 0x74 },
{ 2, 0x24 },
{ 3, 0x0C },
//
// call at offset 4
//
{ 4, 0xE8 },
//
// call at offset 24
//
{ 24, 0xE8 },
//
// call at offset 77
//
{ 77, 0xE8 },
//
// End of match list.
//
{ -1, -1 }
};
OS_INFORMATION SupportedSystems [] =
{
{ Win95AllocHandleMatch, 81 },
{ Win98AllocHandleMatch, 78 }
};
typedef
HANDLE
(__stdcall * ALLOC_HANDLE_ROUTINE) (
PVOID Pdb,
PVOID Obj,
DWORD Flags
);
//
// Global variables
//
ALLOC_HANDLE_ROUTINE WinpAllocHandle = NULL;
DWORD WinpObfuscator = 0;
#pragma warning (disable:4035)
//
// OffsetTib is NOT dependent on the OS. The compiler uses this value.
//
#define OffsetTib 0x18
_inline
PVOID
WinpGetCurrentTib(
)
{
__asm mov eax, fs:[OffsetTib]
}
#pragma warning (default:4035)
BOOL
WinpGetAllocHandleFromStream(
IN PBYTE Buffer,
IN PVOID BaseOfBuffer,
IN PMATCH_BUFFER MatchBuffer,
IN ULONG Offset,
IN ULONG * Val
)
/*++
Routine Description:
Find the address of the AllocHandle routine. This is done by searching
through the code of the OpenProcess routine, looking for the third
call instruction in that function. The third call calls AllocHandle().
Arguments:
Buffer - Buffer of instructions to search through.
BaseOfBuffer - The base address of the buffer.
MatchBuffer - The match buffer to compare against.
Offset - The offset of call destination.
Val - A buffer to return the value of AllocHandle.
Return Values:
TRUE - Success.
FALSE - Failure.
--*/
{
UINT i;
for (i = 0; MatchBuffer [i].Offset != -1; i++) {
if (Buffer [MatchBuffer[i].Offset] != MatchBuffer[i].Byte) {
return FALSE;
}
}
//
// This assumes that the call instruction is a near, relative call (E8).
// If this is not the case, the calculation below is incorrect.
//
// The calculation gives us the destination relative to the next
// instruction after the call.
//
*Val = (ULONG) BaseOfBuffer + Offset + *(PLONG) &Buffer [Offset] + 4;
return TRUE;
}
ULONG
WinGetModuleSize(
PVOID Base
)
/*++
Routine Description:
Get the SizeOfImage field given the base address of a module.
Return Values:
SizeOfImage field of the specified module on success.
NULL on failure.
--*/
{
ULONG Size;
PIMAGE_NT_HEADERS NtHeaders;
NtHeaders = GenImageNtHeader ( Base, NULL );
if ( NtHeaders ) {
Size = NtHeaders->OptionalHeader.SizeOfImage;
} else {
Size = 0;
}
return Size;
}
BOOL
WinpInitAllocHandle (
)
/*++
Routine Description:
Initialize the global variable WxAllocHandle to the value of the Win9x
internal routine, AllocHandle.
Arguments:
None
Return Values:
TRUE - If we were able to successfully obtain a pointer to AllocHandle.
FALSE - Otherwise.
Comments:
The client of this routine should verify that this handle is correct by
calling WxCheckOpenThread() before blindly assuming the pointer is
correct.
--*/
{
ULONG i;
BOOL Succ;
PVOID OpenProcessPtr;
ULONG Kernel32Base;
ULONG Kernel32Size;
ULONG AllocHandle;
BYTE Buffer [ 200 ];
if ( WinpAllocHandle ) {
return TRUE;
}
Kernel32Base = (ULONG) GetModuleHandle ( "kernel32.dll" );
ASSERT ( Kernel32Base );
if (!Kernel32Base)
{
return FALSE;
}
Kernel32Size = WinGetModuleSize ( (PVOID) Kernel32Base );
ASSERT ( Kernel32Size != 0 );
OpenProcessPtr = GetProcAddress (
(HINSTANCE) Kernel32Base,
"OpenProcess"
);
if (!OpenProcessPtr)
{
return FALSE;
}
//
// Win9x thunks out functions when a debugger is present. To work around
// this we undo the thunk when it looks like its been thunked.
//
if ( (ULONG) OpenProcessPtr < Kernel32Base ||
(ULONG) OpenProcessPtr > Kernel32Base + Kernel32Size ) {
OpenProcessPtr = (PVOID) *(PULONG)( (PBYTE)OpenProcessPtr + 1 );
}
if ( (ULONG) OpenProcessPtr < Kernel32Base ||
(ULONG) OpenProcessPtr > Kernel32Base + Kernel32Size ) {
return FALSE;
}
CopyMemory (Buffer, OpenProcessPtr, sizeof (Buffer));
//
// Check the buffer
//
for ( i = 0; i < ARRAY_COUNT (SupportedSystems); i++) {
Succ = WinpGetAllocHandleFromStream (
Buffer,
OpenProcessPtr,
SupportedSystems[i].MatchBuffer,
SupportedSystems[i].AllocHandleOffset,
&AllocHandle
);
if ( Succ ) {
//
// Verify WinpAllocHandle within range of Kernel32.
//
if (AllocHandle > Kernel32Base &&
AllocHandle < Kernel32Base + Kernel32Size) {
WinpAllocHandle = (ALLOC_HANDLE_ROUTINE) AllocHandle;
break;
}
}
}
if ( !Succ ) {
WinpAllocHandle = NULL;
}
return Succ;
}
//
// This value is basically FIELD_OFFSET (TDB, Tib). It is dependent on the
// specific version of the OS (95, 98).
//
#define WIN95_TDB_OFFSET (0x10)
#define WIN98_TDB_OFFSET (0x08)
DWORD
WinpGetObfuscator(
IN BOOL Win95
)
/*++
Routine Description:
Get the Obfuscator DWORD.
Arguments:
None.
Return Values:
The Obfuscator or 0 on failure.
Comments:
This routine depends on internal structures from the Win9x sources. If
another major revision of windows changes many of these structures, this
function may break.
--*/
{
ULONG Tib;
ULONG Type;
ULONG Major;
if (WinpObfuscator != 0) {
return WinpObfuscator;
}
Tib = (DWORD)WinpGetCurrentTib ();
if ( Win95 ) {
WinpObfuscator = (GetCurrentThreadId () ^ (Tib - WIN95_TDB_OFFSET));
} else {
//
// If a windows-based system that is not 95 or 98 comes along,
// we should make sure the WINxx_TDB_OFFSET is correct.
//
WinpObfuscator = (GetCurrentThreadId () ^ (Tib - WIN98_TDB_OFFSET));
}
return WinpObfuscator;
}
LPVOID
WinpTidToTDB(
IN BOOL Win95,
IN DWORD ThreadId
)
{
return (PVOID) (ThreadId ^ WinpGetObfuscator (Win95));
}
LPVOID
WinpGetCurrentPdb(
IN BOOL Win95
)
{
return (LPVOID) (GetCurrentProcessId () ^ WinpGetObfuscator (Win95));
}
HANDLE
WinpOpenThreadInternal(
BOOL Win95,
DWORD dwAccess,
BOOL bInheritHandle,
DWORD ThreadId
)
{
HANDLE hThread;
PVOID ThreadObj;
ASSERT (WinpAllocHandle);
//
// Convert the ThreadId to a Thread Object
//
ThreadObj = WinpTidToTDB (Win95, ThreadId);
if (ThreadObj == NULL) {
return NULL;
}
//
// NB: we do not check that the handle really is a thread handle.
// The type varies from version to version of the OS, so it is not
// correct to check it.
//
__try {
hThread = WinpAllocHandle (
WinpGetCurrentPdb (Win95),
ThreadObj,
dwAccess
);
}
__except (EXCEPTION_EXECUTE_HANDLER) {
hThread = NULL;
}
if (hThread == (HANDLE) (-1)) {
hThread = NULL;
}
return hThread;
}
#if _MSC_FULL_VER >= 13008827
#pragma warning(push)
#pragma warning(disable:4715) // Not all control paths return (due to infinite loop)
#endif
DWORD
WINAPI
WinpCheckThread(
PVOID unused
)
{
for (;;) {
}
return 0;
}
#if _MSC_FULL_VER >= 13008827
#pragma warning(pop)
#endif
BOOL
WinpCheckOpenThread(
IN BOOL Win95
)
/*++
Routine Description:
Check that WxOpenThread actually works.
Return Values:
TRUE - If WxOpenThread works properly.
FALSE - Otherwise.
--*/
{
BOOL Succ;
HANDLE hThread1;
HANDLE hThread2;
DWORD ThreadId;
CONTEXT Context1;
CONTEXT Context2;
LONG SuspendCount;
SuspendCount = 0;
hThread1 = NULL;
hThread2 = NULL;
hThread1 = CreateThread (NULL,
0,
WinpCheckThread,
0,
0,
&ThreadId
);
if ( hThread1 == NULL ) {
return FALSE;
}
hThread2 = WinpOpenThreadInternal (
Win95,
THREAD_ALL_ACCESS,
FALSE,
ThreadId
);
if ( hThread2 == NULL ) {
Succ = FALSE;
goto Exit;
}
Succ = TRUE;
__try {
//
// First we check that we can suspend the thread. If that is
// successful, then get the context using the read thread
// handle and the newly opened thread handle and check that
// they are the same.
//
SuspendCount = SuspendThread ( hThread2 );
if ( SuspendCount == -1 ) {
Succ = FALSE;
__leave;
}
Context1.ContextFlags = CONTEXT_FULL;
Succ = GetThreadContext ( hThread2, &Context1 );
if ( !Succ ) {
__leave;
}
Context2.ContextFlags = CONTEXT_FULL;
Succ = GetThreadContext ( hThread1, &Context2 );
if ( !Succ ) {
__leave;
}
if ( Context1.Eip != Context2.Eip ) {
Succ = FALSE;
__leave;
}
}
__except ( EXCEPTION_EXECUTE_HANDLER ) {
Succ = FALSE;
}
Exit:
if ( SuspendCount > 0 ) {
ResumeThread ( hThread2 );
}
TerminateThread ( hThread1, 0xDEAD );
if ( hThread1 ) {
::CloseHandle ( hThread1 );
}
if ( hThread2 ) {
::CloseHandle ( hThread2 );
}
return Succ;
}
BOOL
WinInitialize(
IN BOOL Win95
)
{
if ( WinpAllocHandle == NULL ) {
if (!WinpInitAllocHandle ()) {
SetLastError (ERROR_NOT_SUPPORTED);
return FALSE;
}
if (!WinpCheckOpenThread (Win95)) {
SetLastError (ERROR_NOT_SUPPORTED);
return FALSE;
}
}
return TRUE;
}
VOID
WinFree(
)
{
WinpAllocHandle = NULL;
WinpObfuscator = 0;
}
HANDLE
WINAPI
WinOpenThread(
BOOL Win95,
DWORD dwAccess,
BOOL bInheritHandle,
DWORD ThreadId
)
/*++
Routine Description:
Obtain a thread handle from a thread id on Win9x platform.x
Arguments:
dwAccess - Thread access requested.
bInheritHandle - ALWAYS IGNORED.
ThreadId - The identifier of the thread for which a handle is to
be returned.
Return Values:
A handle to the open thread on success or NULL on failure.
--*/
{
HANDLE Handle;
//
// It is necessary to call WinInitialize() before calling this function.
// If this was not called, return failure.
//
if ( WinpAllocHandle == NULL ) {
SetLastError ( ERROR_DLL_INIT_FAILED );
return FALSE;
}
Handle = WinpOpenThreadInternal (
Win95,
dwAccess,
bInheritHandle,
ThreadId
);
return Handle;
}
//----------------------------------------------------------------------------
//
// Win9xWin32LiveSystemProvider.
//
//----------------------------------------------------------------------------
class Win9xWin32LiveSystemProvider : public Win32LiveSystemProvider
{
public:
Win9xWin32LiveSystemProvider(ULONG BuildNumber);
~Win9xWin32LiveSystemProvider(void);
virtual void Release(void);
virtual HRESULT OpenThread(IN ULONG DesiredAccess,
IN BOOL InheritHandle,
IN ULONG ThreadId,
OUT PHANDLE Handle);
virtual HRESULT GetTeb(IN HANDLE Thread,
OUT PULONG64 Offset,
OUT PULONG Size);
virtual HRESULT GetThreadInfo(IN HANDLE Process,
IN HANDLE Thread,
OUT PULONG64 Teb,
OUT PULONG SizeOfTeb,
OUT PULONG64 StackBase,
OUT PULONG64 StackLimit,
OUT PULONG64 StoreBase,
OUT PULONG64 StoreLimit);
virtual HRESULT GetPeb(IN HANDLE Process,
OUT PULONG64 Offset,
OUT PULONG Size);
protected:
BOOL m_WinInit;
};
Win9xWin32LiveSystemProvider::Win9xWin32LiveSystemProvider(ULONG BuildNumber)
: Win32LiveSystemProvider(VER_PLATFORM_WIN32_WINDOWS, BuildNumber)
{
m_WinInit = FALSE;
}
Win9xWin32LiveSystemProvider::~Win9xWin32LiveSystemProvider(void)
{
if (m_WinInit) {
WinFree();
}
}
void
Win9xWin32LiveSystemProvider::Release(void)
{
delete this;
}
HRESULT
Win9xWin32LiveSystemProvider::OpenThread(IN ULONG DesiredAccess,
IN BOOL InheritHandle,
IN ULONG ThreadId,
OUT PHANDLE Handle)
{
BOOL Win95;
if (m_OpenThread) {
// OS supports regular Win32 OpenThread, so try it.
*Handle = m_OpenThread(DesiredAccess, InheritHandle, ThreadId);
if (*Handle) {
return S_OK;
}
}
Win95 = m_BuildNumber < 1998;
if (!m_WinInit) {
m_WinInit = WinInitialize(Win95);
if (!m_WinInit) {
return E_FAIL;
}
}
*Handle = WinOpenThread(Win95, DesiredAccess, InheritHandle, ThreadId);
return *Handle ? S_OK : E_FAIL;
}
HRESULT
Win9xWin32LiveSystemProvider::GetTeb(IN HANDLE Thread,
OUT PULONG64 Offset,
OUT PULONG Size)
{
BOOL Succ;
ULONG Addr;
LDT_ENTRY Ldt;
CONTEXT Context;
Context.ContextFlags = CONTEXT_SEGMENTS;
Succ = ::GetThreadContext (Thread, &Context);
if ( !Succ ) {
return WIN32_LAST_STATUS();
}
Succ = GetThreadSelectorEntry (Thread,
Context.SegFs,
&Ldt);
if ( !Succ ) {
return WIN32_LAST_STATUS();
}
Addr = (Ldt.HighWord.Bytes.BaseHi << 24) |
(Ldt.HighWord.Bytes.BaseMid << 16) |
(Ldt.BaseLow);
*Offset = (LONG_PTR)Addr;
*Size = sizeof(NT_TIB);
return S_OK;
}
HRESULT
Win9xWin32LiveSystemProvider::GetThreadInfo(IN HANDLE Process,
IN HANDLE Thread,
OUT PULONG64 Teb,
OUT PULONG SizeOfTeb,
OUT PULONG64 StackBase,
OUT PULONG64 StackLimit,
OUT PULONG64 StoreBase,
OUT PULONG64 StoreLimit)
{
HRESULT Status;
if ((Status = GetTeb(Thread, Teb, SizeOfTeb)) != S_OK) {
return Status;
}
return TibGetThreadInfo(Process, *Teb,
StackBase, StackLimit,
StoreBase, StoreLimit);
}
HRESULT
Win9xWin32LiveSystemProvider::GetPeb(IN HANDLE Process,
OUT PULONG64 Offset,
OUT PULONG Size)
{
// Win9x doesn't have a PEB.
*Offset = 0;
*Size = 0;
return S_OK;
}
Win32LiveSystemProvider*
NewWin9xWin32LiveSystemProvider(ULONG BuildNumber)
{
// Win9x keeps the build number in the low 16 bits.
return new Win9xWin32LiveSystemProvider(BuildNumber & 0xffff);
}
#else // #ifdef _X86_
Win32LiveSystemProvider*
NewWin9xWin32LiveSystemProvider(ULONG BuildNumber)
{
return NULL;
}
#endif // #ifdef _X86_