|
|
/*++
Copyright (c) 2000 Microsoft Corporation
Module Name:
Win2000VersionLie.cpp
Abstract:
This DLL hooks GetVersion and GetVersionEx so that they return Windows 2000 version credentials.
Notes:
This is a general purpose shim.
History:
03/13/2000 clupu Created 10/26/2000 Vadimb Merged WowProcessHistory functionality, new environment-handling cases
--*/
#include "precomp.h"
// This module has been given an official blessing to use the str routines.
#include "LegalStr.h"
IMPLEMENT_SHIM_BEGIN(Win2kPropagateLayer)#include "ShimHookMacro.h"
#include "Win2kPropagateLayer.h"
#include "stdio.h"
APIHOOK_ENUM_BEGIN APIHOOK_ENUM_ENTRY(CreateProcessA) APIHOOK_ENUM_ENTRY(CreateProcessW) APIHOOK_ENUM_ENTRY(UserRegisterWowHandlers)APIHOOK_ENUM_END
#define LI_WIN95 0x00000001
#define LI_NT4 0x00000002
#define LI_WIN98 0x00000004
#define LS_MAGIC 0x07036745
typedef struct tagLayerStorageHeader { DWORD dwItemCount; // number of items in the file
DWORD dwMagic; // magic to identify the file
SYSTEMTIME timeLast; // time of last access
} LayerStorageHeader, *PLayerStorageHeader;
typedef struct tagLayeredItem { WCHAR szItemName[MAX_PATH]; DWORD dwFlags;
} LayeredItem, *PLayeredItem;
#define APPCOMPAT_KEY L"System\\CurrentControlSet\\Control\\Session Manager\\AppCompatibility"
WCHAR g_szLayerStorage[MAX_PATH] = L"";
CHAR g_szCompatLayerVar[] = "__COMPAT_LAYER";CHAR g_szProcessHistoryVar[] = "__PROCESS_HISTORY";CHAR g_szShimFileLogVar[] = "SHIM_FILE_LOG";
WCHAR g_wszCompatLayerVar[] = L"__COMPAT_LAYER";WCHAR g_wszProcessHistroyVar[] = L"__PROCESS_HISTORY";//
// This variable receives current process' compat layer
//
WCHAR* g_pwszCompatLayer = NULL;WCHAR* g_pwszProcessHistory = NULL;
//
// Unicode equivalent of the above
//
UNICODE_STRING g_ustrProcessHistoryVar = RTL_CONSTANT_STRING(L"__PROCESS_HISTORY");UNICODE_STRING g_ustrCompatLayerVar = RTL_CONSTANT_STRING(L"__COMPAT_LAYER");
//
// Global flags
//
BOOL g_bIsNTVDM = FALSE;BOOL g_bIsExplorer = FALSE;
INT g_argc = 0;CHAR** g_argv = NULL;
//
// is this a separate wow ?
//
BOOL* g_pSeparateWow = NULL;
voidInitLayerStorage( BOOL bDelete ){ GetSystemWindowsDirectoryW(g_szLayerStorage, MAX_PATH);
if (g_szLayerStorage[lstrlenW(g_szLayerStorage) - 1] == L'\\') { g_szLayerStorage[lstrlenW(g_szLayerStorage) - 1] = 0; }
lstrcatW(g_szLayerStorage, L"\\AppPatch\\LayerStorage.dat");
if (bDelete) { DeleteFileW(g_szLayerStorage); }}
voidReadLayeredStorage( LPWSTR pszItem, LPDWORD lpdwFlags ){ HANDLE hFile = INVALID_HANDLE_VALUE; HANDLE hFileMapping = NULL; DWORD dwFileSize; PBYTE pData = NULL; PLayerStorageHeader pHeader = NULL; PLayeredItem pItems; PLayeredItem pCrtItem = NULL; int nLeft, nRight, nMid, nItem;
LOGN( eDbgLevelInfo, "[ReadLayeredStorage] for \"%S\"", pszItem);
//
// Make sure we don't corrupt the layer storage.
//
if (lstrlenW(pszItem) + 1 > MAX_PATH) { pszItem[MAX_PATH - 1] = 0; }
hFile = CreateFileW(g_szLayerStorage, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) { LOGN( eDbgLevelInfo, "[ReadLayeredStorage] the layer storage doesn't exist."); *lpdwFlags = 0; return; }
//
// The file already exists. Create a file mapping that will allow
// for querying the item.
//
dwFileSize = GetFileSize(hFile, NULL);
hFileMapping = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, dwFileSize, NULL);
if (hFileMapping == NULL) { LOGN( eDbgLevelError, "[ReadLayeredStorage] CreateFileMapping failed 0x%X", GetLastError()); goto done; }
pData = (PBYTE)MapViewOfFile(hFileMapping, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
if (pData == NULL) { LOGN( eDbgLevelError, "[ReadLayeredStorage] MapViewOfFile failed 0x%X", GetLastError()); goto done; }
pHeader = (PLayerStorageHeader)pData;
pItems = (PLayeredItem)(pData + sizeof(LayerStorageHeader));
//
// Make sure it's our file.
//
if (dwFileSize < sizeof(LayerStorageHeader) || pHeader->dwMagic != LS_MAGIC) { LOGN( eDbgLevelError, "[ReadLayeredStorage] invalid file magic 0x%X", pHeader->dwMagic); goto done; }
//
// First search for the item. The array is sorted so we do binary search.
//
nItem = -1, nLeft = 0, nRight = (int)pHeader->dwItemCount - 1;
while (nLeft <= nRight) {
int nVal;
nMid = (nLeft + nRight) / 2;
pCrtItem = pItems + nMid;
nVal = _wcsnicmp(pszItem, pCrtItem->szItemName, lstrlenW(pCrtItem->szItemName));
if (nVal == 0) { nItem = nMid; break; } else if (nVal < 0) { nRight = nMid - 1; } else { nLeft = nMid + 1; } }
if (nItem == -1) { LOGN( eDbgLevelInfo, "[ReadLayeredStorage] the item was not found in the file.");
*lpdwFlags = 0; } else { //
// The item is in the file.
//
LOGN( eDbgLevelInfo, "[ReadLayeredStorage] the item is in the file.");
*lpdwFlags = pCrtItem->dwFlags; }
done:
if (pData != NULL) { UnmapViewOfFile(pData); }
if (hFileMapping != NULL) { CloseHandle(hFileMapping); }
if (hFile != INVALID_HANDLE_VALUE) { CloseHandle(hFile); }}
BOOLGetFileNameFromCmdLine( LPWSTR lpFileName, DWORD dwFileNameSize, LPCWSTR lpCmdLine ){ LPWSTR pTemp = lpFileName; LPCWSTR pSrc = lpCmdLine; DWORD dwQuote = 0; LPCWSTR pStart; BOOL bQuote = FALSE; BOOL bInitialQuote = FALSE; BOOL bDone = FALSE; DWORD dwLength; // length of the result, in chars
pSrc += wcsspn(pSrc, L" \t"); if (*pSrc == L'\"') { ++pSrc; bQuote = TRUE; bInitialQuote = TRUE; }
pStart = pSrc; // note -- we're past the quote
// we end when: 1) we start we the quote -- we end with the quote or
// we did not start with the quote -- we encounter space then
while (*pSrc && !bDone) { switch(*pSrc) { case L'\"': bQuote = !bQuote; break; case L' ': bDone = !bQuote; // out of quotes? this is the end
break; } if (!bDone) { ++pSrc; } }
if (pSrc > pStart && bInitialQuote && *(pSrc-1) == L'\"') { --pSrc; }
//
// now that we ended the run, copy
//
dwLength = (DWORD)(pSrc - pStart);
if (dwFileNameSize < (dwLength + 1)) { // too big
LOGN( eDbgLevelError, "[GetFileNameFromCmdLine] filename is too long\"%S\".\n", lpCmdLine); return FALSE; }
RtlCopyMemory(lpFileName, pStart, dwLength * sizeof(WCHAR)); lpFileName[dwLength] = L'\0'; return TRUE;
} BOOLAddSupport( LPCWSTR lpCommandLine, LPVOID* ppEnvironment, LPDWORD lpdwCreationFlags ){ WCHAR szKey[MAX_PATH]; WCHAR szFullPath[MAX_PATH] = L"\""; WCHAR szExeName[128]; HKEY hkey; DWORD type; DWORD cbData = 0; BOOL bBraket = FALSE; LPVOID pEnvironmentNew = *ppEnvironment; DWORD dwCreationFlags = *lpdwCreationFlags; BOOL bUserEnvironment = (*ppEnvironment != NULL); NTSTATUS Status; LPCWSTR pszEnd; LPCWSTR pszStart = lpCommandLine;
//
// Need to look in lpCommandLine for the first token
//
LPCWSTR psz = lpCommandLine;
while (*psz == L' ' || *psz == L'\t') { psz++; }
if (*psz == L'\"') { pszStart = psz + 1; } else { pszStart = psz; }
while (*psz != 0) { if (*psz == L'\"') { bBraket = !bBraket; } else if (*psz == L' ' && !bBraket) { break; }
psz++; }
pszEnd = psz;
//
// Now walk back to get the caracters.
//
psz--;
if (*psz == L'\"') { psz--; pszEnd--; }
memcpy(szFullPath + 1, pszStart, (pszEnd - pszStart) * sizeof(WCHAR)); szFullPath[pszEnd - pszStart + 1] = L'\"'; szFullPath[pszEnd - pszStart + 2] = 0;
pszStart = lpCommandLine;
pszEnd = psz + 1;
while (psz >= lpCommandLine) { if (*psz == L'\\') { pszStart = psz + 1; break; } psz--; }
memcpy(szExeName, pszStart, (pszEnd - pszStart) * sizeof(WCHAR)); szExeName[pszEnd - pszStart] = 0;
if (g_bIsExplorer) { DWORD dwFlags = 0, id = 0; LPVOID pEnvironmentNew = NULL;
ReadLayeredStorage(szFullPath, &dwFlags);
if (dwFlags != LI_WIN95 && dwFlags != LI_NT4 && dwFlags != LI_WIN98) { //
// no layer support
//
LOGN( eDbgLevelInfo, "[AddSupport] No Layer specified for \"%S\".", lpCommandLine);
return TRUE; }
// we are using layer -- clone the environment
Status = ShimCloneEnvironment(&pEnvironmentNew, *ppEnvironment, !!(dwCreationFlags & CREATE_UNICODE_ENVIRONMENT)); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[AddSupport] Failed to Clone the environment. Status = 0x%x", Status); return FALSE; }
if (LI_WIN95 == dwFlags) { Status = ShimSetEnvironmentVar(&pEnvironmentNew, g_wszCompatLayerVar, L"Win95");
LOGN( eDbgLevelInfo, "[AddSupport] Env var \"Win95\" added.");
} else if (LI_WIN98 == dwFlags) { Status = ShimSetEnvironmentVar(&pEnvironmentNew, g_wszCompatLayerVar, L"Win98");
LOGN( eDbgLevelInfo, "[AddSupport] Env var \"Win98\" added.");
} else if (LI_NT4 == dwFlags) { Status = ShimSetEnvironmentVar(&pEnvironmentNew, g_wszCompatLayerVar, L"NT4SP5");
LOGN( eDbgLevelInfo, "[AddSupport] Env var \"NT4SP5\" added.");
}
if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[AddSupport] Failed to set the environment variable. Status = 0x%x", Status); ShimFreeEnvironment(pEnvironmentNew); return FALSE; }
//
// We have succeeded, set the output values.
//
*ppEnvironment = pEnvironmentNew; *lpdwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
} else { //
// not explorer - set the environment variable up
// compat_layer will be inherited by the child process if bUserEnvironment is FALSE
//
if (bUserEnvironment) {
//
// Clone the environment and add the layer variable to the new env.
//
Status = ShimCloneEnvironment(&pEnvironmentNew, *ppEnvironment, !!(dwCreationFlags & CREATE_UNICODE_ENVIRONMENT)); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[AddSupport] Failed to clone the environment. Status = 0x%x", Status); return FALSE; }
Status = ShimSetEnvironmentVar(&pEnvironmentNew, g_wszCompatLayerVar, g_pwszCompatLayer);
if (!NT_SUCCESS(Status)) { ShimFreeEnvironment(pEnvironmentNew); LOGN( eDbgLevelError, "[AddSupport] Failed to set compat layer variable. Status = 0x%x", Status); return FALSE; }
LOGN( eDbgLevelInfo, "[AddSupport] Env var \"%S\" added.", g_pwszCompatLayer);
*ppEnvironment = pEnvironmentNew; *lpdwCreationFlags |= CREATE_UNICODE_ENVIRONMENT; } }
//
// Build the registry key.
//
swprintf(szKey, L"%s\\%s", APPCOMPAT_KEY, szExeName);
if (RegCreateKeyW(HKEY_LOCAL_MACHINE, szKey, &hkey) != ERROR_SUCCESS) { LOGN( eDbgLevelError, "Failed to open/create the appcompat key \"%s\"", szKey); } else { if (RegQueryValueExA(hkey, "DllPatch-x", NULL, &type, NULL, &cbData) != ERROR_SUCCESS) {
BYTE data[16] = {0x0c, 0, 0, 0, 0, 0, 0, 0, 0x06, 0, 0, 0, 0, 0, 0, 0};
//
// The value doesn't exist. Create it.
//
RegSetValueExA(hkey, "y", NULL, REG_BINARY, data, sizeof(data));
data[0] = 0;
RegSetValueExA(hkey, "DllPatch-y", NULL, REG_SZ, data, 2); } }
RegCloseKey(hkey);
//
// Finally, set a separate vdm flag
// if we are here, it means that we are running under the layer
// and the next exe is going to be shimmed.
//
*lpdwCreationFlags &= ~CREATE_SHARED_WOW_VDM; *lpdwCreationFlags |= CREATE_SEPARATE_WOW_VDM;
return TRUE;}
LPVOIDShimCreateWowEnvironment_U( LPVOID lpEnvironment, // pointer to the existing environment
DWORD* lpdwFlags, // process creation flags
BOOL bNewEnvironment // when set, forces us to clone environment ptr
){ WOWENVDATA WowEnvData = { 0 }; LPVOID lpEnvRet = lpEnvironment; LPVOID lpEnvCurrent = NULL; NTSTATUS Status = STATUS_SUCCESS; DWORD dwFlags = *lpdwFlags; UNICODE_STRING ustrProcessHistory = { 0 }; ANSI_STRING strProcessHistory = { 0 }; DWORD dwProcessHistoryLength = 0; UNICODE_STRING ustrCompatLayer = { 0 }; ANSI_STRING strCompatLayer = { 0 };
if (!ShimRetrieveVariablesEx(&WowEnvData)) { //
// If no data, we have failed. Return the current data.
//
goto Fail; }
if (bNewEnvironment) { Status = ShimCloneEnvironment(&lpEnvCurrent, lpEnvironment, !!(dwFlags & CREATE_UNICODE_ENVIRONMENT)); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[ShimCreateWowEnvironment_U] Failed to clone the environment. Status = 0x%x", Status); goto Fail; } } else { lpEnvCurrent = lpEnvironment; }
//
// Now we are ready to set the environment in place.
//
//
// Nuke the existing process history first. We don't care for the return result.
//
RtlSetEnvironmentVariable(&lpEnvCurrent, &g_ustrProcessHistoryVar, NULL);
if (WowEnvData.pszProcessHistory != NULL || WowEnvData.pszCurrentProcessHistory != NULL) {
//
// Convert the process history which consists of 2 strings.
//
// The length is the existing process history length + 1 (for ';') +
// new process history length + 1 (for '\0')
//
dwProcessHistoryLength = ((WowEnvData.pszProcessHistory == NULL) ? 0 : (strlen(WowEnvData.pszProcessHistory) + 1)) + ((WowEnvData.pszCurrentProcessHistory == NULL) ? 0 : strlen(WowEnvData.pszCurrentProcessHistory)) + 1;
//
// Allocate process history buffer and convert it, allocating resulting unicode string.
//
strProcessHistory.Buffer = (PCHAR)ShimMalloc(dwProcessHistoryLength);
if (strProcessHistory.Buffer == NULL) { LOGN( eDbgLevelError, "[ShimCreateWowEnvironment_U] failed to allocate %d bytes for process history.", dwProcessHistoryLength); Status = STATUS_NO_MEMORY; goto Fail; }
strProcessHistory.MaximumLength = (USHORT)dwProcessHistoryLength;
if (WowEnvData.pszProcessHistory != NULL) { strcpy(strProcessHistory.Buffer, WowEnvData.pszProcessHistory); strProcessHistory.Length = strlen(WowEnvData.pszProcessHistory); } else { strProcessHistory.Length = 0; }
if (WowEnvData.pszCurrentProcessHistory != NULL) {
//
// Append ';' if the string was not empty.
//
if (strProcessHistory.Length) { Status = RtlAppendAsciizToString(&strProcessHistory, ";"); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[ShimCreateWowEnvironment_U] failed to append ';' to the process history. Status = 0x%x", Status); goto Fail; } }
Status = RtlAppendAsciizToString(&strProcessHistory, WowEnvData.pszCurrentProcessHistory); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[ShimCreateWowEnvironment_U] failed to build the process history. Status = 0x%x", Status); goto Fail; }
}
//
// Convert the process history.
//
Status = RtlAnsiStringToUnicodeString(&ustrProcessHistory, &strProcessHistory, TRUE); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[ShimCreateWowEnvironment_U] failed to convert process history to UNICODE. Status = 0x%x", Status); goto Fail; }
//
// Now we can set the process history.
//
Status = RtlSetEnvironmentVariable(&lpEnvCurrent, &g_ustrProcessHistoryVar, &ustrProcessHistory); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[ShimCreateWowEnvironment_U] failed to set the process history. Status = 0x%x", Status); goto Fail; } }
//
// Now we pass along any compat layer that we might have.
//
if (g_pwszCompatLayer != NULL) {
//
// Pass along this thing, we have been started under layer.
//
LOGN( eDbgLevelInfo, "[ShimCreateWowEnvironment_U] Propagating CompatLayer from the ntvdm environment __COMPAT_LAYER=\"%S\"", g_pwszCompatLayer);
RtlInitUnicodeString(&ustrCompatLayer, g_pwszCompatLayer);
Status = RtlSetEnvironmentVariable(&lpEnvCurrent, &g_ustrCompatLayerVar, &ustrCompatLayer);
if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[ShimCreateWowEnvironment_U] Failed to set compatlayer environment variable. Status = 0x%x", Status); goto Fail; }
} else if (WowEnvData.pszCompatLayerVal != NULL) {
LOGN( eDbgLevelInfo, "[ShimCreateWowEnvironment_U] Propagating CompatLayer from the parent WOW app \"%s\"", WowEnvData.pszCompatLayer);
RtlInitString(&strCompatLayer, WowEnvData.pszCompatLayerVal);
Status = RtlAnsiStringToUnicodeString(&ustrCompatLayer, &strCompatLayer, TRUE); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[ShimCreateWowEnvironment_U] Failed to convert compatlayer to UNICODE. Status = 0x%x", Status); goto Fail; }
Status = RtlSetEnvironmentVariable(&lpEnvCurrent, &g_ustrCompatLayerVar, &ustrCompatLayer);
RtlFreeUnicodeString(&ustrCompatLayer);
if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[ShimCreateWowEnvironment_U] Failed to set compatlayer environment variable. Status = 0x%x", Status); goto Fail; } }
//
// We have been successful. The return environment is UNICODE now.
//
lpEnvRet = (LPVOID)lpEnvCurrent; *lpdwFlags = dwFlags | CREATE_UNICODE_ENVIRONMENT; Status = STATUS_SUCCESS;
Fail:
if (!NT_SUCCESS(Status) && lpEnvCurrent != NULL && bNewEnvironment) { //
// This points to the cloned environment ALWAYS.
//
RtlDestroyEnvironment(lpEnvCurrent); }
RtlFreeUnicodeString(&ustrProcessHistory);
if (strProcessHistory.Buffer != NULL) { ShimFree(strProcessHistory.Buffer); }
//
// This call is only necessary when using ShimRetrieveVariables.
// It is not needed when using ShimRetrieveVariablesEx.
//
// ShimFreeWOWEnvData(&WowEnvData);
//
return lpEnvRet;}
ULONGWin2kPropagateLayerExceptionHandler( PEXCEPTION_POINTERS pexi, char* szFile, DWORD dwLine ){ LOGN( eDbgLevelError, "[Win2kPropagateLayerExceptionHandler] %#x in module \"%s\", line %d," " at address %#p. flags:%#x. !exr %#p !cxr %#p", pexi->ExceptionRecord->ExceptionCode, szFile, dwLine, CONTEXT_TO_PROGRAM_COUNTER(pexi->ContextRecord), pexi->ExceptionRecord->ExceptionFlags, pexi->ExceptionRecord, pexi->ContextRecord);
#if DBG
DbgBreakPoint();#endif // DBG
return EXCEPTION_EXECUTE_HANDLER;}
/*++
Stub functions that are intercepted from WOW initialization code (through APIHook_UserRegisterWowHandlers) --*/
NSWOWUSERP::PFNINITTASK g_pfnInitTask;NSWOWUSERP::PFNWOWCLEANUP g_pfnWowCleanup;
BOOL WINAPIStubInitTask( UINT dwExpWinVer, DWORD dwAppCompatFlags, LPCSTR lpszModName, LPCSTR lpszBaseFileName, DWORD hTaskWow, DWORD dwHotkey, DWORD idTask, DWORD dwX, DWORD dwY, DWORD dwXSize, DWORD dwYSize ){ BOOL bReturn; bReturn = g_pfnInitTask(dwExpWinVer, dwAppCompatFlags, lpszModName, lpszBaseFileName, hTaskWow, dwHotkey, idTask, dwX, dwY, dwXSize, dwYSize); if (bReturn) { CheckAndShimNTVDM((WORD)hTaskWow); UpdateWowTaskList((WORD)hTaskWow); }
return bReturn;}
BOOL WINAPIStubWowCleanup( HANDLE hInstance, DWORD hTaskWow ){ BOOL bReturn;
bReturn = g_pfnWowCleanup(hInstance, hTaskWow);
if (bReturn) { CleanupWowTaskList((WORD)hTaskWow); }
return bReturn;}
/*++
APIHook_UserRegisterWowHandlers
Trap InitTask and WowCleanup functions and replace them with stubs
--*/
ULONG_PTRAPIHOOK(UserRegisterWowHandlers)( NSWOWUSERP::APFNWOWHANDLERSIN apfnWowIn, NSWOWUSERP::APFNWOWHANDLERSOUT apfnWowOut ){ ULONG_PTR ulRet;
ulRet = ORIGINAL_API(UserRegisterWowHandlers)(apfnWowIn, apfnWowOut);
g_pfnInitTask = apfnWowOut->pfnInitTask; apfnWowOut->pfnInitTask = StubInitTask;
g_pfnWowCleanup = apfnWowOut->pfnWOWCleanup; apfnWowOut->pfnWOWCleanup = StubWowCleanup;
return ulRet;}
BOOL CheckWOWExe( LPCWSTR lpApplicationName, LPVOID lpEnvironment, LPDWORD lpdwCreationFlags ){ BOOL bSuccess; BOOL bReturn = FALSE; NTSTATUS Status; LPVOID pEnvironmentNew = lpEnvironment; SDBQUERYRESULT QueryResult; DWORD dwBinaryType = 0; HSDB hSDB = NULL; DWORD dwExes; WCHAR wszAppName[MAX_PATH];
bSuccess = GetFileNameFromCmdLine(wszAppName, CHARCOUNT(wszAppName), lpApplicationName); if (!bSuccess) { return FALSE; } bSuccess = GetBinaryTypeW(wszAppName, &dwBinaryType); if (!bSuccess || dwBinaryType != SCS_WOW_BINARY) { LOGN( eDbgLevelInfo, "[CheckWowExe] can't get binary type\n"); return FALSE; }
//
// for these binaries we shall perform the good deed of running the detection
//
hSDB = SdbInitDatabase(0, NULL); if (hSDB == NULL) { LOGN( eDbgLevelError, "[CheckWowExe] Failed to init the database."); return FALSE; } if (lpEnvironment != NULL && !(*lpdwCreationFlags & CREATE_UNICODE_ENVIRONMENT)) { // non-null unicode env?
Status = ShimCloneEnvironment(&pEnvironmentNew, lpEnvironment, FALSE); if (!NT_SUCCESS(Status)) { LOGN( eDbgLevelError, "[ShimCloneEnvironment] failed with status 0x%lx\n", Status); goto cleanup; } }
//
// all parameters below have to be unicode
//
dwExes = SdbGetMatchingExe(hSDB, wszAppName, NULL, (LPCWSTR)pEnvironmentNew, 0, &QueryResult); bSuccess = (QueryResult.atrExes [0] != TAGREF_NULL || QueryResult.atrLayers[0] != TAGREF_NULL);
//
// if we have been successful -- layers apply to this thing
//
if (!bSuccess) { goto cleanup; }
//
// set the separate ntvdm flag and be on our way out
//
*lpdwCreationFlags &= ~CREATE_SHARED_WOW_VDM; *lpdwCreationFlags |= CREATE_SEPARATE_WOW_VDM; bReturn = TRUE; cleanup:
if (pEnvironmentNew != lpEnvironment) { ShimFreeEnvironment(pEnvironmentNew); }
if (hSDB) { SdbReleaseDatabase(hSDB); }
return bReturn;}
BOOLAPIHOOK(CreateProcessA)( LPCSTR lpApplicationName, LPSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ){ BOOL bRet; LPVOID lpEnvironmentNew = lpEnvironment; DWORD dwCreationFlagsOriginal = dwCreationFlags; LPSTR pszApp = NULL;
LOGN( eDbgLevelError, "[CreateProcessA] called for:");
LOGN( eDbgLevelError, "[CreateProcessA] lpApplicationName : \"%s\"", (lpApplicationName == NULL ? "null": lpApplicationName));
LOGN( eDbgLevelError, "[CreateProcessA] lpCommandLine : \"%s\"", (lpCommandLine == NULL ? "null": lpCommandLine));
if (lpApplicationName != NULL) { pszApp = (LPSTR)lpApplicationName; } else if (lpCommandLine != NULL) { pszApp = lpCommandLine; } else { LOGN( eDbgLevelError, "[CreateProcessA] called with NULL params."); }
__try {
WCHAR wszApp[MAX_PATH];
if (pszApp != NULL) { MultiByteToWideChar(CP_ACP, 0, pszApp, -1, wszApp, MAX_PATH);
AddSupport(wszApp, &lpEnvironmentNew, &dwCreationFlags); }
if (g_bIsNTVDM) {
//
// if the environment stayed the same as it was passed in -- clone it to propagate process history
// if it was modified in AddSupport -- use it
//
lpEnvironmentNew = ShimCreateWowEnvironment_U(lpEnvironmentNew, &dwCreationFlags, lpEnvironmentNew == lpEnvironment); }
if (pszApp != NULL && !(dwCreationFlags & CREATE_SEPARATE_WOW_VDM)) { // since the separate vdm flag is not set -- we need to determine whether we have
// any kind of fixes to care about.
CheckWOWExe(wszApp, lpEnvironmentNew, &dwCreationFlags); }
} __except(WOWPROCESSHISTORYEXCEPTIONFILTER) {
//
// cleanup the mess, if we have allocated the environment, free it now
//
if (lpEnvironmentNew != lpEnvironment) {
ShimFreeEnvironment(lpEnvironmentNew);
lpEnvironmentNew = lpEnvironment; } }
bRet = ORIGINAL_API(CreateProcessA)(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironmentNew, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
if (lpEnvironmentNew != lpEnvironment) { //
// The function below does not need a __try/__except wrapper, it has it internally
//
ShimFreeEnvironment(lpEnvironmentNew); }
return bRet;}
BOOLAPIHOOK(CreateProcessW)( LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation ){ LPWSTR pszApp = NULL; BOOL bRet; LPVOID lpEnvironmentNew = lpEnvironment;
LOGN( eDbgLevelInfo, "[CreateProcessW] called for:");
LOGN( eDbgLevelInfo, "[CreateProcessW] lpApplicationName : \"%S\"", (lpApplicationName == NULL ? L"null": lpApplicationName));
LOGN( eDbgLevelInfo, "[CreateProcessW] lpCommandLine : \"%S\"", (lpCommandLine == NULL ? L"null": lpCommandLine));
if (lpApplicationName != NULL) { pszApp = (LPWSTR)lpApplicationName; } else if (lpCommandLine != NULL) { pszApp = lpCommandLine; } else { LOGN( eDbgLevelError, "[CreateProcessW] called with NULL params."); }
__try {
if (pszApp != NULL) {
AddSupport(pszApp, &lpEnvironmentNew, &dwCreationFlags); }
if (g_bIsNTVDM) {
lpEnvironmentNew = ShimCreateWowEnvironment_U(lpEnvironmentNew, &dwCreationFlags, lpEnvironment == lpEnvironmentNew); }
//
// typically we need to find out whether the current app is ntvdm
//
if (!(dwCreationFlags & CREATE_SEPARATE_WOW_VDM)) { // since the separate vdm flag is not set -- we need to determine whether we have
// any kind of fixes to care about.
CheckWOWExe(pszApp, lpEnvironmentNew, &dwCreationFlags); } } __except(WOWPROCESSHISTORYEXCEPTIONFILTER) {
if (lpEnvironmentNew != lpEnvironment) {
ShimFreeEnvironment(lpEnvironmentNew);
lpEnvironmentNew = lpEnvironment; // reset the pointer
} }
bRet = ORIGINAL_API(CreateProcessW)(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironmentNew, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
if (lpEnvironmentNew != lpEnvironment) {
ShimFreeEnvironment(lpEnvironmentNew);
}
return bRet;}
BOOLGetVariableFromEnvironment( LPCWSTR pwszVariableName, LPWSTR* ppwszVariableValue ){ DWORD dwLength; DWORD dwLen; BOOL bSuccess = FALSE; LPWSTR pwszVariableValue = *ppwszVariableValue;
dwLength = GetEnvironmentVariableW(pwszVariableName, NULL, 0);
if (dwLength == 0) { LOGN( eDbgLevelInfo, "[GetCompatLayerFromEnvironment] Not under the compatibility layer."); *ppwszVariableValue = NULL; return FALSE; }
if (pwszVariableValue != NULL) { LOGN( eDbgLevelError, "[GetCompatLayerFromEnvironment] called twice!"); ShimFree(pwszVariableValue); pwszVariableValue = NULL; }
pwszVariableValue = (WCHAR*)ShimMalloc(dwLength * sizeof(WCHAR));
if (pwszVariableValue == NULL) { LOGN( eDbgLevelError, "[GetCompatLayerFromEnvironment] Failed to allocate %d bytes for Compat Layer.", dwLength * sizeof(WCHAR)); goto out; }
*pwszVariableValue = L'\0';
dwLen = GetEnvironmentVariableW(pwszVariableName, pwszVariableValue, dwLength);
bSuccess = (dwLen != 0 && dwLen < dwLength);
if (!bSuccess) { LOGN( eDbgLevelError, "[GetCompatLayerFromEnvironment] Failed to get compat layer variable."); ShimFree(pwszVariableValue); pwszVariableValue = NULL; } out:
*ppwszVariableValue = pwszVariableValue;
return bSuccess;}
BOOL GetCompatLayerFromEnvironment( VOID ){ return GetVariableFromEnvironment(g_wszCompatLayerVar, &g_pwszCompatLayer);}
BOOL GetSeparateWowPtr( VOID ){
HMODULE hMod = GetModuleHandle(NULL); g_pSeparateWow = (BOOL*)GetProcAddress(hMod, "fSeparateWow"); if (g_pSeparateWow == NULL) { LOGN( eDbgLevelError, "[GetSeparateWowPtr] Failed 0x%lx\n", GetLastError()); return FALSE; }
return TRUE;}
VOIDParseCommandLine( LPCSTR commandLine ){ int i; char* pArg;
g_argc = 0; g_argv = NULL;
g_bIsNTVDM = FALSE; g_bIsExplorer = FALSE;
g_argv = _CommandLineToArgvA(commandLine, &g_argc);
if (0 == g_argc || NULL == g_argv) { return; // nothing to do
}
for (i = 0; i < g_argc; ++i) { pArg = g_argv[i];
if (!_strcmpi(pArg, "ntvdm")) { LOGN( eDbgLevelInfo, "[ParseCommandLine] Running NTVDM."); g_bIsNTVDM = TRUE;
} else if (!_strcmpi(pArg, "explorer")) { LOGN( eDbgLevelInfo, "[ParseCommandLine] Running Explorer."); g_bIsExplorer = TRUE;
} else { LOGN( eDbgLevelError, "[ParseCommandLine] Unrecognized argument: \"%s\"", pArg); } }
if (g_bIsNTVDM && g_bIsExplorer) { LOGN( eDbgLevelError, "[ParseCommandLine] Conflicting arguments! Neither will be applied."); g_bIsNTVDM = FALSE; g_bIsExplorer = FALSE; }}
BOOLNOTIFY_FUNCTION( DWORD fdwReason ){ OSVERSIONINFO osvi; BOOL bHook = FALSE; DWORD dwCompatLayerLength; DWORD dwLen;
if (fdwReason != DLL_PROCESS_ATTACH) { return TRUE; }
osvi.dwOSVersionInfoSize = sizeof(osvi);
GetVersionEx(&osvi);
if (osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0) {
ParseCommandLine(COMMAND_LINE);
InitLayerStorage(FALSE);
CleanupRegistryForCurrentExe();
if (g_bIsNTVDM) {
bHook = TRUE;
//
// Retrieve the compat layer variable that we have been started with (just in case)
//
GetCompatLayerFromEnvironment();
GetSeparateWowPtr(); // retrieve ptr to a sep flag
} else if (g_bIsExplorer) {
//
// Cleanup compat layer variable
//
SetEnvironmentVariableW(g_wszCompatLayerVar, NULL); bHook = TRUE;
} else { //
// Neither explorer nor ntvdm. Get the compat layer.
//
bHook = GetCompatLayerFromEnvironment(); if (!bHook) { LOGN( eDbgLevelInfo, "[NOTIFY_FUNCTION] Not under the compatibility layer."); } } }
if (bHook) { APIHOOK_ENTRY(KERNEL32.DLL, CreateProcessA) APIHOOK_ENTRY(KERNEL32.DLL, CreateProcessW) APIHOOK_ENTRY(USER32.DLL, UserRegisterWowHandlers) }
return TRUE;}
HOOK_BEGIN
CALL_NOTIFY_FUNCTION
HOOK_END
IMPLEMENT_SHIM_END
|
