archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/base/win32/verifier/sample.c

352 lines
6.2 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1989 Microsoft Corporation
  5. Module Name:
  7. sample.c
  9. Abstract:
  11. This module implements a sample application verifier provider
  12. that hooks malloc/free from kernel32.dll and CloseHandle and
  13. CreateEvent from kernel32.dll
  15. Author:
  17. Silviu Calinoiu (SilviuC) 2-Feb-2001
  19. Revision History:
  21. --*/
  23. #include "pch.h"
  25. #include <stdio.h>
  26. #include <stdlib.h>
  28. //
  29. // Thunk replacements (should go into a header)
  30. //
  32. //WINBASEAPI
  33. HANDLE
  34. WINAPI
  35. AVrfpCreateEventW(
  36. IN LPSECURITY_ATTRIBUTES lpEventAttributes,
  37. IN BOOL bManualReset,
  38. IN BOOL bInitialState,
  39. IN LPCWSTR lpName
  40. );
  42. //WINBASEAPI
  43. BOOL
  44. WINAPI
  45. AVrfpCloseHandle(
  46. IN OUT HANDLE hObject
  47. );
  49. PVOID __cdecl
  50. AVrfp_malloc (
  51. IN SIZE_T Size
  52. );
  54. PVOID __cdecl
  55. AVrfp_realloc (
  56. IN PVOID Address,
  57. IN SIZE_T Size
  58. );
  60. VOID __cdecl
  61. AVrfp_free (
  62. IN PVOID Address
  63. );
  65. //
  66. // Callbacks
  67. //
  69. VOID
  70. AVrfpDllLoadCallback (
  71. PWSTR DllName,
  72. PVOID DllBase,
  73. SIZE_T DllSize,
  74. PVOID Reserved
  75. );
  77. VOID
  78. AVrfpDllUnloadCallback (
  79. PWSTR DllName,
  80. PVOID DllBase,
  81. SIZE_T DllSize,
  82. PVOID Reserved
  83. );
  86. //
  87. // kernel32.dll thunks
  88. //
  90. #define AVRF_INDEX_KERNEL32_CREATEEVENT 0
  91. #define AVRF_INDEX_KERNEL32_CLOSEHANDLE 1
  93. RTL_VERIFIER_THUNK_DESCRIPTOR AVrfpKernel32Thunks [] =
  94. {
  95. {"CreateEventW",
  96. NULL,
  97. AVrfpCreateEventW},
  99. {"CloseHandle",
  100. NULL,
  101. AVrfpCloseHandle},
  103. {NULL, NULL, NULL}
  104. };
  106. //
  107. // msvcrt.dll thunks
  108. //
  110. #define AVRF_INDEX_MSVCRT_MALLOC 0
  111. #define AVRF_INDEX_MSVCRT_FREE 1
  113. RTL_VERIFIER_THUNK_DESCRIPTOR AVrfpMsvcrtThunks [] =
  114. {
  115. {"malloc",
  116. NULL,
  117. AVrfp_malloc},
  119. {"free",
  120. NULL,
  121. AVrfp_free},
  123. {NULL, NULL, NULL}
  124. };
  127. //
  128. // dll's providing thunks that will be verified.
  129. //
  131. RTL_VERIFIER_DLL_DESCRIPTOR AVrfpExportDlls [] =
  132. {
  133. {L"kernel32.dll",
  134. 0,
  135. NULL,
  136. AVrfpKernel32Thunks},
  138. {L"msvcrt.dll",
  139. 0,
  140. NULL,
  141. AVrfpMsvcrtThunks},
  143. {NULL, 0, NULL, NULL}
  144. };
  147. RTL_VERIFIER_PROVIDER_DESCRIPTOR AVrfpProvider =
  148. {
  149. sizeof (RTL_VERIFIER_PROVIDER_DESCRIPTOR),
  150. AVrfpExportDlls,
  151. AVrfpDllLoadCallback,
  152. AVrfpDllUnloadCallback,
  153. NULL, // image name (filled by verifier engine)
  154. 0, // verifier flags (filled by verifier engine)
  155. 0, // debug flags (filled by verifier engine)
  156. };
  158. BOOL
  159. WINAPI
  160. DllMain(
  161. HINSTANCE hinstDLL,
  162. DWORD fdwReason,
  163. LPVOID lpvReserved
  164. )
  165. {
  166. switch (fdwReason) {
  168. case DLL_PROCESS_VERIFIER:
  170. DbgPrint ("AVRF: sample verifier provider descriptor @ %p\n",
  171. &AVrfpProvider);
  173. *((PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)lpvReserved) = &AVrfpProvider;
  174. break;
  176. case DLL_PROCESS_ATTACH:
  178. DbgPrint ("AVRF: sample verifier provider initialized \n");
  180. #if 1
  181. malloc (1000);
  183. {
  184. FILE * File;
  186. File = fopen ("_xxx_", "wt");
  188. if (File) {
  190. fputs ("This works.\n", File);
  191. fclose (File);
  192. }
  193. }
  194. #endif
  196. break;
  198. default:
  200. break;
  201. }
  203. return TRUE;
  204. }
  207. PRTL_VERIFIER_THUNK_DESCRIPTOR
  208. AVrfpGetThunkDescriptor (
  209. PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks,
  210. ULONG Index)
  211. {
  212. PRTL_VERIFIER_THUNK_DESCRIPTOR Thunk = NULL;
  214. Thunk = &(DllThunks[Index]);
  216. if (Thunk->ThunkOldAddress == NULL) {
  218. //
  219. // We shuld always have the original thunk address.
  220. // This gets filed by the verifier support in the NT loader.
  221. //
  223. DbgPrint ("AVRF: no original thunk for %s @ %p \n",
  224. Thunk->ThunkName,
  225. Thunk);
  227. DbgBreakPoint ();
  228. }
  230. return Thunk;
  231. }
  234. #define AVRFP_GET_ORIGINAL_EXPORT(DllThunks, Index) \
  235. (FUNCTION_TYPE)(AVrfpGetThunkDescriptor(DllThunks, Index)->ThunkOldAddress)
  238. //
  239. // Callbacks
  240. //
  242. VOID
  243. AVrfpDllLoadCallback (
  244. PWSTR DllName,
  245. PVOID DllBase,
  246. SIZE_T DllSize,
  247. PVOID Reserved
  248. )
  249. {
  250. DbgPrint (" --- loading %ws \n", DllName);
  251. }
  253. VOID
  254. AVrfpDllUnloadCallback (
  255. PWSTR DllName,
  256. PVOID DllBase,
  257. SIZE_T DllSize,
  258. PVOID Reserved
  259. )
  260. {
  261. DbgPrint (" --- unloading %ws \n", DllName);
  262. }
  264. /////////////////////////////////////////////////////////////////////
  265. ///////////////////////////////////////// msvcrt.dll verified exports
  266. /////////////////////////////////////////////////////////////////////
  268. //WINBASEAPI
  269. HANDLE
  270. WINAPI
  271. AVrfpCreateEventW(
  272. IN LPSECURITY_ATTRIBUTES lpEventAttributes,
  273. IN BOOL bManualReset,
  274. IN BOOL bInitialState,
  275. IN LPCWSTR lpName
  276. )
  277. {
  278. typedef HANDLE (WINAPI * FUNCTION_TYPE) (LPSECURITY_ATTRIBUTES, BOOL, BOOL, LPCWSTR);
  279. FUNCTION_TYPE Function;
  281. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
  282. AVRF_INDEX_KERNEL32_CREATEEVENT);
  284. return (* Function)(lpEventAttributes,
  285. bManualReset,
  286. bInitialState,
  287. lpName);
  288. }
  290. //WINBASEAPI
  291. BOOL
  292. WINAPI
  293. AVrfpCloseHandle(
  294. IN OUT HANDLE hObject
  295. )
  296. {
  297. typedef BOOL (WINAPI * FUNCTION_TYPE) (HANDLE);
  298. FUNCTION_TYPE Function;
  300. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
  301. AVRF_INDEX_KERNEL32_CLOSEHANDLE);
  303. if (hObject == NULL) {
  304. DbgPrint ("AVRF: sample: Closing a null handle !!! \n");
  305. }
  307. return (* Function)(hObject);
  308. }
  310. /////////////////////////////////////////////////////////////////////
  311. ///////////////////////////////////////// msvcrt.dll verified exports
  312. /////////////////////////////////////////////////////////////////////
  314. PVOID __cdecl
  315. AVrfp_malloc (
  316. IN SIZE_T Size
  317. )
  318. {
  319. typedef PVOID (__cdecl * FUNCTION_TYPE) (SIZE_T);
  320. FUNCTION_TYPE Function;
  322. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpMsvcrtThunks,
  323. AVRF_INDEX_MSVCRT_MALLOC);
  325. return (* Function)(Size);
  326. }
  328. VOID __cdecl
  329. AVrfp_free (
  330. IN PVOID Address
  331. )
  332. {
  333. typedef VOID (__cdecl * FUNCTION_TYPE) (PVOID);
  334. FUNCTION_TYPE Function;
  336. Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpMsvcrtThunks,
  337. AVRF_INDEX_MSVCRT_FREE);
  339. (* Function)(Address);
  340. }