Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

169 lines
3.7 KiB

  1. /*++
  2. Copyright (c) 2000 Microsoft Corporation
  3. Module Name:
  4. Force21.cpp
  5. Abstract:
  6. Force21 contains an invalid check code that looks like the following:
  7. mov ebx,A
  8. mov edi,B
  9. mov eax,C
  10. sub edi,eax
  11. cmp edi,ebx
  12. jle @@Loc
  13. mov edi,ebx
  14. @@Loc:
  15. In a particular case: B=-1 and C<0x80000000 this jump will be incorrectly
  16. taken. The reason this works on Win9x is that C>0x80000000 because it's a
  17. memory mapped file. On NT, no user mode address can be >2GB.
  18. This shim patches the app with a 'cli' instruction so that it can perform
  19. some logic when the exception gets hit. This is admittedly slow.
  20. Note we didn't use the in memory patching facility of the shim because we
  21. still needed logic. It didn't make sense to split the shim from the patch.
  22. History:
  23. 04/10/2000 linstev Created
  24. --*/
  25. #include "precomp.h"
  26. IMPLEMENT_SHIM_BEGIN(Force21)
  27. #include "ShimHookMacro.h"
  28. APIHOOK_ENUM_BEGIN
  29. APIHOOK_ENUM_END
  30. /*++
  31. In memory patch the executable with a cli instruction. This patch works
  32. for both the release version and a patch.
  33. --*/
  34. VOID
  35. Force21_ExecutePatch()
  36. {
  37. BYTE bPatchMatch[] = {
  38. 0x2b, 0xf8, 0x3b, 0xfb, 0x7c,
  39. 0x02, 0x8b, 0xfb, 0x85, 0xff };
  40. LPBYTE pPatchAddress[] = {
  41. (LPBYTE)0x5aa1f3, // the shipping version
  42. (LPBYTE)0x5ac4a0 }; // with patch 1 applied
  43. BYTE bPatch = 0xFA; // cli - to cause an exception
  44. //
  45. // Run through the patches and see which one matches
  46. //
  47. for (UINT j=0; j<sizeof(pPatchAddress)/sizeof(LPBYTE); j++)
  48. {
  49. LPBYTE pb = pPatchAddress[j];
  50. // Make sure it's an OK address.
  51. if (!IsBadReadPtr(pb, sizeof(bPatchMatch)))
  52. {
  53. // Check the bytes match
  54. for (UINT i=0; i < sizeof(bPatchMatch); i++)
  55. {
  56. if (*pb != bPatchMatch[i])
  57. {
  58. break;
  59. }
  60. pb++;
  61. }
  62. // In memory patch
  63. if (i == sizeof(bPatchMatch))
  64. {
  65. DWORD dwOldProtect;
  66. if (VirtualProtect(
  67. (PVOID)pPatchAddress[j],
  68. 1,
  69. PAGE_READWRITE,
  70. &dwOldProtect))
  71. {
  72. *pPatchAddress[j] = bPatch;
  73. LOGN(
  74. eDbgLevelError,
  75. "Successfully patched\n");
  76. return;
  77. }
  78. }
  79. }
  80. }
  81. }
  82. /*++
  83. Handle the cli in such a way that the correct logic is performed.
  84. --*/
  85. LONG
  86. Force21_ExceptionFilter(
  87. struct _EXCEPTION_POINTERS *ExceptionInfo
  88. )
  89. {
  90. CONTEXT *lpContext = ExceptionInfo->ContextRecord;
  91. if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_PRIV_INSTRUCTION)
  92. {
  93. // Looks like we've hit our cli instruction
  94. if ((LONG)lpContext->Edi < 0) // Boundary condition, EDI<0
  95. {
  96. // Jump past the invalid check
  97. lpContext->Eip = lpContext->Eip + 6;
  98. }
  99. else
  100. {
  101. // Replace the 'sub edi,eax' and continue
  102. lpContext->Edi = lpContext->Edi - lpContext->Eax;
  103. lpContext->Eip = lpContext->Eip + 2;
  104. }
  105. return EXCEPTION_CONTINUE_EXECUTION;
  106. }
  107. return EXCEPTION_CONTINUE_SEARCH;
  108. }
  109. /*++
  110. Register hooked functions
  111. --*/
  112. BOOL
  113. NOTIFY_FUNCTION(
  114. DWORD fdwReason)
  115. {
  116. if (fdwReason == DLL_PROCESS_ATTACH)
  117. {
  118. Force21_ExecutePatch();
  119. SetUnhandledExceptionFilter(Force21_ExceptionFilter);
  120. }
  121. return TRUE;
  122. }
  123. HOOK_BEGIN
  124. CALL_NOTIFY_FUNCTION
  125. HOOK_END
  126. IMPLEMENT_SHIM_END