|
|
//+--------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1993-1998
//
// File: ldrapeng.h
//
// Contents: App compat backend code
//
// History: 13-Oct-99 v-johnwh created
//
//---------------------------------------------------------------------------
#ifndef _SHIMENG_VEH_H_
#define _SHIMENG_VEH_H_
typedef struct _SETACTIVATEADDRESS {
RELATIVE_MODULE_ADDRESS rva; // relative address where this patch data is to be applied.
} SETACTIVATEADDRESS, *PSETACTIVATEADDRESS;
typedef struct _HOOKPATCHINFO {
DWORD dwHookAddress; // Address of a hooked function
PSETACTIVATEADDRESS pData; // Pointer to the real patch data
PVOID pThunkAddress; // Pointer to the call thunk
struct _HOOKPATCHINFO* pNextHook;
} HOOKPATCHINFO, *PHOOKPATCHINFO;
//
// Flags used in the shim HOOKAPIs to track chaining
//
#define HOOK_CHAIN_TOP 0x40000000
#define HOOK_CHAINED 0x80000000
#define HOOK_INDEX_MASK ~(HOOK_CHAINED | HOOK_CHAIN_TOP)
//
// x86 opcodes and sizes used in the thunk generation process
//
#define CLI_OR_STI_SIZE 1
#define CALL_REL_SIZE 5
#define JMP_SIZE 7
#define X86_ABSOLUTE_FAR_JUMP 0xEA
#define X86_REL_CALL_OPCODE 0xE8
#define X86_CALL_OPCODE 0xFF
#define X86_CALL_OPCODE2 0x15
#define REASON_APIHOOK 0xFA
#define REASON_PATCHHOOK 0xFB
//
// Flags used in maintaining state information about our module/DLL filtering
//
#define MODFILTER_INCLUDE 0x01
#define MODFILTER_EXCLUDE 0x02
#define MODFILTER_DLL 0x04
#define MODFILTER_GLOBAL 0x08
typedef struct _MODULEFILTER{ DWORD dwModuleStart; // Starting address of the module to filter
DWORD dwModuleEnd; // Ending address of the module to filter
DWORD dwCallerOffset; // Offset added to beginning of module to form the caller's address
DWORD dwCallerAddress; // Caller address to operate upon
DWORD dwFlags; // Flags which define what this filter does
WCHAR wszModuleName[96]; struct _MODULEFILTER *pNextFilter; // Used to iterate the module filter normally
struct _MODULEFILTER *pNextLBFilter; // Used to iterate the late bound DLLs
} MODULEFILTER, *PMODULEFILTER;
typedef struct _CHAININFO{ PVOID pAPI; PVOID pReturn; struct _CHAININFO *pNextChain;} CHAININFO, *PCHAININFO;
typedef struct _HOOKAPIINFO{ DWORD dwAPIHookAddress; // Address of a hooked function
PHOOKAPI pTopLevelAPIChain; // Top level hook address
PVOID pCallThunkAddress; WCHAR wszModuleName[32]; struct _HOOKAPIINFO *pNextHook; struct _HOOKAPIINFO *pPrevHook;} HOOKAPIINFO, *PHOOKAPIINFO;
#pragma pack(push, 1)
typedef struct _SHIMJMP{ BYTE PUSHAD; //pushad (60)
BYTE MOVEBPESP[2]; //mov ebp, esp (8b, ec)
BYTE MOVEAXDWVAL[5]; //mov eax, dwval (b8 dword val)
BYTE PUSHEAX; //push eax (50)
BYTE LEAEAXEBPPLUS20[3]; //lea eax, [ebp + 20] (8f 45 20)
BYTE PUSHEAX2; //push eax (50)
BYTE CALLROUTINE[6]; //call [address] (ff15 dword address)
BYTE MOVESPPLUS1CEAX[4]; //mov [esp+0x1c],eax (89 44 24 1c)
BYTE POPAD; //popad (61)
BYTE ADDESPPLUS4[3]; //add esp, 0x4 (83 c4 04)
BYTE JMPEAX[2]; //jmp eax (ff e0)
} SHIMJMP, *PSHIMJMP;
typedef struct _SHIMRET{ BYTE PUSHEAX; //push eax (50)
BYTE PUSHAD; //pushad (60)
BYTE CALLROUTINE[6]; //call [address] (ff15 dword address)
BYTE MOVESPPLUS20EAX[4]; //mov [esp+0x20],eax (89 44 24 20)
BYTE POPAD; //popad (61)
BYTE RET; //ret (c3)
} SHIMRET, *PSHIMRET;#pragma pack(pop)
typedef NTSTATUS (*PFNLDRLOADDLL)( IN PWSTR DllPath OPTIONAL, IN PULONG DllCharacteristics OPTIONAL, IN PUNICODE_STRING DllName, OUT PVOID *DllHandle );
typedef NTSTATUS (*PFNLDRUNLOADDLL) ( IN PVOID DllHandle );
typedef PVOID (*PFNRTLALLOCATEHEAP)( IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size );
typedef BOOLEAN (*PFNRTLFREEHEAP)( IN PVOID HeapHandle, IN ULONG Flags, IN PVOID BaseAddress );
NTSTATUSSevInitializeData( PAPP_COMPAT_SHIM_INFO *pShimData);
NTSTATUSSevExecutePatchPrimitive( PBYTE pPatch);
DWORDSevGetPatchAddress( PRELATIVE_MODULE_ADDRESS pRelAddress);
VOIDSevValidateGlobalFilter( VOID);
NTSTATUSSevFinishThunkInjection( DWORD dwAddress, PVOID pThunk, DWORD dwThunkSize, BYTE jReason);
NTSTATUSSevBuildFilterException( HSDB hSDB, TAGREF trInclude, PMODULEFILTER pModFilter, BOOL* pbLateBound);
NTSTATUSSevBuildExeFilter( HSDB hSDB, TAGREF trExe, DWORD dwDllCount);
PVOIDSevBuildInjectionCode( PVOID pAddress, PDWORD pdwThunkSize);
NTSTATUSSevAddShimFilterException( WCHAR* wszDLLPath, PMODULEFILTER pModFilter);
NTSTATUSSevChainAPIHook( DWORD dwHookEntryPoint, PVOID pThunk, PHOOKAPI pAPIHook);
PVOIDSevFilterCaller( PMODULEFILTER pFilterList, PVOID pFunctionAddress, PVOID pExceptionAddress, PVOID pStubAddress, PVOID pCallThunkAddress);
NTSTATUSSevPushCaller( PVOID pAPIAddress, PVOID pReturnAddress);
PVOIDSevPopCaller( VOID);
NTSTATUSStubLdrLoadDll( IN PWSTR DllPath OPTIONAL, IN PULONG DllCharacteristics OPTIONAL, IN PUNICODE_STRING DllName, OUT PVOID* DllHandle);
NTSTATUSStubLdrUnloadDll( IN PVOID DllHandle);
NTSTATUSSevFixupAvailableProcs( DWORD dwHookCount, PHOOKAPI* pHookArray, PDWORD pdwNumberHooksArray, PDWORD pdwUnhookedCount);
LONGSevExceptionHandler( struct _EXCEPTION_POINTERS *ExceptionInfo);
#endif // _SHIMENG_VEH_H_
|
