|
|
#include "precomp.h"
#include <winsvc.h>
#include <tchar.h>
#include <persistcfg.h>
#include <winntsec.h>
#include "cntserv.h"
#include "winmgmt.h"
#include "sched.h"
#include "resync2.h"
#include <malloc.h>
//***********************************************************************
//
// Defines
//
//***********************************************************************
#define CORE_PROVIDER_UNLOAD_TIMEOUT ( 30 * 1000 )
//***********************************************************************
//
// Globals
//
//***********************************************************************
HINSTANCE g_hInstance;
//***********************************************************************
//
// Dll Entry points and export points
//
//***********************************************************************
BOOL APIENTRY DllMain( HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ){ switch(ul_reason_for_call){ case DLL_PROCESS_ATTACH: g_hInstance = hModule; DisableThreadLibraryCalls(hModule); break; case DLL_PROCESS_DETACH: break; } return TRUE;};
//
//
// InitialBreak
//
///////////////////////////////////////////////////////////
BOOLInitialBreak(){ HKEY hKey; LONG lRet; BOOL bRet = FALSE;
lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, HOME_REG_PATH, 0, KEY_READ, &hKey); if (ERROR_SUCCESS == lRet) { DWORD dwType; DWORD dwVal; DWORD dwSize = sizeof(DWORD); lRet = RegQueryValueEx(hKey, INITIAL_BREAK, NULL, &dwType, (BYTE *)&dwVal, &dwSize); if (ERROR_SUCCESS == lRet && dwType == REG_DWORD && dwVal) { bRet = TRUE; } RegCloseKey(hKey); } return bRet;}
//
// the global structure
//
struct _PROG_RESOURCES g_ProgRes;
void_PROG_RESOURCES::Init(){
m_hExclusive = NULL; m_hTerminateEvent = NULL; m_bOleInitialized = NULL;
m_pLoginFactory = NULL; m_pBackupFactory = NULL; m_dwLoginClsFacReg = 0; m_dwBackupClsFacReg = 0;
g_fSetup = FALSE; g_fDoResync = TRUE; hMainMutex = NULL; bShuttingDownWinMgmt = FALSE; gbCoreLoaded = FALSE;
ServiceStatus = SERVICE_STOPPED;
ghCoreCanUnload = NULL; ghProviderCanUnload = NULL; ghCoreUnloaded = NULL; ghCoreLoaded = NULL; ghNeedRegistration = NULL; ghRegistrationDone = NULL; ghMofDirChange = NULL; ghLoadCtrEvent = NULL; ghUnloadCtrEvent = NULL; ghHoldOffNewClients = NULL;
szHotMofDirectory = NULL; pWbemVssWriter = NULL; bWbemVssWriterSubscribed = false;};
BOOL _PROG_RESOURCES::Phase1Build(){ hMainMutex = CreateMutex(NULL, FALSE, NULL);
g_fSetup = CheckSetupSwitch();
if ( g_fSetup ) { SetNoShellADAPSwitch(); }
// Look in the registry to decide if we will launch a resync perf or not
g_fDoResync = CheckNoResyncSwitch();
//
// set this to have the Console Control Handler notification
//
SetProcessShutdownParameters(0x400,0);
//
// set to some defined value parames that might be outstanding if someone killed us
//
RegSetDWORD(HKEY_LOCAL_MACHINE,HOME_REG_PATH,DO_THROTTLE,1); return hMainMutex?TRUE:FALSE;};
BOOL _PROG_RESOURCES::Phase2Build(HANDLE hTerminateEvt){ ghCoreCanUnload = CreateEvent(NULL,FALSE,FALSE, TEXT("WINMGMT_COREDLL_CANSHUTDOWN"));
ghProviderCanUnload = CreateEvent(NULL,FALSE,FALSE, TEXT("WINMGMT_PROVIDER_CANSHUTDOWN")); SetEventDacl(ghProviderCanUnload,EVENT_ALL_ACCESS);
ghCoreUnloaded = CreateEvent(NULL,FALSE,FALSE, TEXT("WINMGMT_COREDLL_UNLOADED"));
ghCoreLoaded = CreateEvent(NULL,FALSE,FALSE, TEXT("WINMGMT_COREDLL_LOADED"));
m_hTerminateEvent = CreateEvent(NULL,TRUE,FALSE, TEXT("WINMGMT_MARSHALLING_SERVER_TERMINATE")); if(m_hTerminateEvent == NULL) { TRACE((LOG_WINMGMT,"\nWINMGMT terminating because CreateEvent, last error = 0x%x\n", GetLastError())); return FALSE; }
DWORD dwRet; m_hExclusive = CreateMutex( NULL, FALSE, TEXT("WINMGMT_MARSHALLING_SERVER")); if(m_hExclusive) dwRet = WaitForSingleObject(m_hExclusive, 0); if(m_hExclusive == NULL || dwRet != WAIT_OBJECT_0) { if(m_hExclusive) CloseHandle(m_hExclusive); m_hExclusive = NULL; TRACE((LOG_WINMGMT,"\nWINMGMT terminating an existing copy was detected")); return FALSE; }
ghNeedRegistration = CreateEvent(NULL,TRUE,FALSE, __TEXT("WINMGMT_NEED_REGISTRATION")); SetObjectAccess2(ghNeedRegistration); ghRegistrationDone = CreateEvent(NULL,TRUE,FALSE, __TEXT("WINMGMT_REGISTRATION_DONE")); SetObjectAccess2(ghRegistrationDone);
ghHoldOffNewClients = CreateMutex(NULL, FALSE, __TEXT("WINMGMT_KEEP_NEW_CLIENTS_AT_BAY")); if(ghHoldOffNewClients == NULL) ghHoldOffNewClients = OpenMutex(SYNCHRONIZE, FALSE, __TEXT("WINMGMT_KEEP_NEW_CLIENTS_AT_BAY"));
if(ghNeedRegistration == NULL || ghRegistrationDone == NULL || ghHoldOffNewClients == NULL) { TRACE((LOG_WINMGMT,"\nWINMGMT couldnt create the sync objects")); return FALSE; } if (!m_Monitor.Init()) { return FALSE; }
// don't create a writer if during setup
if (!g_fSetup) { pWbemVssWriter = new CWbemVssWriter; if (!pWbemVssWriter) { TRACE((LOG_WINMGMT,"\nWINMGMT could not create the VssWriter")); return FALSE; } }
return TRUE;}
BOOL_PROG_RESOURCES::RegisterLogin(){ HRESULT sc; DWORD dwFlags = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER;
g_ProgRes.m_pLoginFactory = new CForwardFactory(CLSID_InProcWbemLevel1Login); g_ProgRes.m_pLoginFactory->AddRef(); sc = CoRegisterClassObject(CLSID_WbemLevel1Login, g_ProgRes.m_pLoginFactory, dwFlags, REGCLS_MULTIPLEUSE, &g_ProgRes.m_dwLoginClsFacReg); if(sc != S_OK) { TRACE((LOG_WINMGMT,"\nFailed to register the " "CLSID_WbemLevel1Login class factory, " "sc = 0x%x", sc)); return FALSE; } else { DEBUGTRACE((LOG_WINMGMT, "\nRegistered class factory with flags: 0x%X\n", dwFlags)); return TRUE; }}
BOOL_PROG_RESOURCES::RevokeLogin(){ if(m_pLoginFactory) { CoRevokeClassObject(m_dwLoginClsFacReg); m_dwLoginClsFacReg = 0; m_pLoginFactory->Release(); m_pLoginFactory = NULL; } return TRUE;}
BOOL_PROG_RESOURCES::RegisterBackup(){ HRESULT sc; DWORD dwFlags = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER;
g_ProgRes.m_pBackupFactory = new CForwardFactory(CLSID_WbemBackupRestore); g_ProgRes.m_pBackupFactory->AddRef();
sc = CoRegisterClassObject(CLSID_WbemBackupRestore, g_ProgRes.m_pBackupFactory, dwFlags, REGCLS_MULTIPLEUSE, &g_ProgRes.m_dwBackupClsFacReg); if(sc != S_OK) { TRACE((LOG_WINMGMT,"\nFailed to register the " "Backup/recovery class factory, " "sc = 0x%x", sc)); return FALSE; } else { return TRUE; }}
BOOL_PROG_RESOURCES::RevokeBackup(){ if(m_pBackupFactory) { CoRevokeClassObject(m_dwBackupClsFacReg); m_dwBackupClsFacReg = 0; m_pBackupFactory->Release(); m_pBackupFactory = NULL; } return TRUE;}
_PROG_RESOURCES::Phase1Delete(BOOL bIsSystemShutdown){
if (!bIsSystemShutdown) { if(ghCoreCanUnload) { CloseHandle(ghCoreCanUnload); ghCoreCanUnload = NULL; }; if(ghProviderCanUnload) { CloseHandle(ghProviderCanUnload); ghProviderCanUnload = NULL; } if(ghCoreUnloaded) { CloseHandle(ghCoreUnloaded); ghCoreUnloaded = NULL; } if(ghCoreLoaded) { CloseHandle(ghCoreLoaded); ghCoreLoaded = NULL; }
if(ghNeedRegistration) { CloseHandle(ghNeedRegistration); ghNeedRegistration = NULL; } if(ghRegistrationDone) { CloseHandle(ghRegistrationDone); ghRegistrationDone = NULL; } if(ghMofDirChange) { CloseHandle(ghMofDirChange); ghMofDirChange = NULL; } }
if (m_Monitor.IsRegistred()) { m_Monitor.Unregister(bIsSystemShutdown); } if (!bIsSystemShutdown) { m_Monitor.Uninit();
if(ghHoldOffNewClients) { CloseHandle(ghHoldOffNewClients); ghHoldOffNewClients = NULL; }
if(m_hTerminateEvent) { CloseHandle(m_hTerminateEvent); m_hTerminateEvent = NULL; } if(m_hExclusive) { ReleaseMutex(m_hExclusive); CloseHandle(m_hExclusive); m_hExclusive = NULL; }
if(szHotMofDirectory) { delete [] szHotMofDirectory; szHotMofDirectory = NULL; }
}
// shut down and delete our writer for volume snapshot backup
if (pWbemVssWriter && !bIsSystemShutdown) { if (bWbemVssWriterSubscribed) { HRESULT hRes = pWbemVssWriter->Unsubscribe(); if (SUCCEEDED(hRes)) { bWbemVssWriterSubscribed = false; } else { TRACE((LOG_WINMGMT,"\nWINMGMT Could not unsubscribe the VssWriter")); } }
delete pWbemVssWriter; pWbemVssWriter = NULL; }
return TRUE;}
_PROG_RESOURCES::Phase2Delete(BOOL bIsSystemShutdown){
if (!bIsSystemShutdown) { if(m_pLoginFactory) { CoRevokeClassObject(m_dwLoginClsFacReg); m_pLoginFactory->Release(); m_pLoginFactory = NULL; m_dwLoginClsFacReg = 0; } if(m_pBackupFactory) { CoRevokeClassObject(m_dwBackupClsFacReg); m_pBackupFactory->Release(); m_pBackupFactory = NULL; m_dwBackupClsFacReg = 0; }
if(m_bOleInitialized) { CoUninitialize(); m_bOleInitialized = FALSE; }
}
return TRUE;}
BOOL_PROG_RESOURCES::Phase3Delete(){ if (hMainMutex) { CloseHandle(hMainMutex); hMainMutex = NULL; } return TRUE;}
//
//
// ShutDownCore
//
//
/////////////////////////////////////////////////////////////////
bool ShutDownCore(BOOL bProcessShutdown,BOOL bIsSystemShutDown){ SCODE sc = WBEM_E_FAILED; HMODULE hCoreModule = LoadLibrary(__TEXT("wbemcore.dll")); if(hCoreModule) { pfnShutDown pfn = (pfnShutDown)GetProcAddress(hCoreModule, "Shutdown"); if(pfn) { sc = (pfn)(bProcessShutdown,bIsSystemShutDown); DEBUGTRACE((LOG_WINMGMT, "core is being shut down by WinMgmt.exe, it returned 0x%x",sc)); }
FreeLibrary(hCoreModule); } return sc == S_OK;}
//
//
// void Cleanup
//
//
// Release any currently loaded transports and close Ole etc.
//
//
///////////////////////////////////////////////////////////////////
void Cleanup(BOOL bIsSystemShutDown){ //DBG_PRINTFA((pBuff,"Cleanup called\n"));
if (!bIsSystemShutDown) { DEBUGTRACE((LOG_WINMGMT,"\nStarting cleanup, ID = %x", GetCurrentProcessId())); CoFreeUnusedLibrariesEx ( CORE_PROVIDER_UNLOAD_TIMEOUT , 0 ) ; CoFreeUnusedLibrariesEx ( CORE_PROVIDER_UNLOAD_TIMEOUT , 0 ) ; }
g_ProgRes.Phase1Delete(bIsSystemShutDown);
// If the core is still loaded, call its shutdown function
ShutDownCore(TRUE,bIsSystemShutDown);
g_ProgRes.Phase2Delete(bIsSystemShutDown);
if (!bIsSystemShutDown) { DEBUGTRACE((LOG_WINMGMT,"\nEnding cleanup")); } return;}
//
//
// BOOL Initialize
//
//
///////////////////////////////////////////////////////////////
BOOL Initialize(HANDLE hTerminateEvt){ // Set the error mode. This is used to provent the system from putting up dialog boxs to
// open files
UINT errormode = SetErrorMode(0); errormode |= SEM_NOOPENFILEERRORBOX|SEM_FAILCRITICALERRORS; SetErrorMode(errormode);
int iCnt; TCHAR tcName[MAX_PATH+1]; DEBUGTRACE((LOG_WINMGMT,"\nStarting Initialize, ID = %x", GetCurrentProcessId()));
if(!InitHotMofStuff(&g_ProgRes)) return FALSE;
if (!g_ProgRes.Phase2Build(hTerminateEvt)) return FALSE;
// Initialize Ole
SCODE sc;
sc = CoInitializeEx(NULL,COINIT_MULTITHREADED);
if(FAILED(sc)) { TRACE((LOG_WINMGMT,"\nWINMGMT Could not initialize Ole\n")); return FALSE; } else { g_ProgRes.m_bOleInitialized = TRUE; }
//
// Call the initialize function in core
//
HMODULE hCoreModule = GetModuleHandle(_T("wbemcore.dll")); if(hCoreModule) { HRESULT (STDAPICALLTYPE *pfn)(DWORD); pfn = (long (__stdcall *)(DWORD))GetProcAddress(hCoreModule, "Reinitialize"); if(pfn) { sc = (*pfn)(0); DEBUGTRACE((LOG_WINMGMT, "core is being resumed: it returned 0x%x",sc)); } else { DEBUGTRACE((LOG_WINMGMT, "failed to re-initialize core")); return FALSE; } }
g_ProgRes.RegisterLogin(); g_ProgRes.RegisterBackup();
g_ProgRes.ServiceStatus = SERVICE_RUNNING; // Get the registry key which is the root for all the transports.
// ==============================================================
HKEY hKey;
long lRet = RegOpenKey(HKEY_LOCAL_MACHINE, TEXT("Software\\Microsoft\\WBEM\\CIMOM\\TRANSPORTS"), &hKey); if(lRet != ERROR_SUCCESS) { DEBUGTRACE((LOG_WINMGMT,"\nRegOpenKey returned 0x%x while trying to open the transports node. Using default transports!",lRet)); } else {/*
// Loop through each transport subkey.
// ===================================
for(iCnt = 0;ERROR_SUCCESS == RegEnumKey(hKey,iCnt,tcName,MAX_PATH+1); iCnt++) { HKEY hSubKey; lRet = RegOpenKey(hKey,tcName,&hSubKey); if(lRet != ERROR_SUCCESS) continue; DWORD bytecount = sizeof(DWORD); DWORD dwType;
// If the Enabled value isnt 1, then the transport is disabled
// and is ignored.
// ===========================================================
char cTemp[20]; bytecount=20; lRet = RegQueryValueEx(hSubKey, TEXT("Enabled"), NULL, &dwType, (LPBYTE) cTemp, &bytecount); if(lRet != ERROR_SUCCESS || dwType != REG_SZ || cTemp[0] != '1') { RegCloseKey(hSubKey); continue; }
// Read the CLSID string and convert it into an CLSID structure.
// =============================================================
TCHAR szCLSID[50]; bytecount = sizeof(szCLSID); lRet = RegQueryValueEx(hSubKey, TEXT("CLSID"), NULL, &dwType, (LPBYTE) &szCLSID, &bytecount);
RegCloseKey(hSubKey); if(lRet != ERROR_SUCCESS) { continue; }
CLSID clsid;
sc = CLSIDFromString( szCLSID, &clsid); if(sc != S_OK) { continue; }
// Load up the transport object and then initialize it.
// ====================================================
IWbemTransport * pTransport = NULL; sc = CoCreateInstance(clsid, 0, CLSCTX_INPROC_SERVER, IID_IWbemTransport, (LPVOID *) &pTransport); if(sc != S_OK || pTransport == NULL) { continue; }
sc = pTransport->Initialize(); if(sc != S_OK) pTransport->Release(); else g_ProgRes.m_TransportArray.Add(pTransport); // add it to the list
}*/ RegCloseKey(hKey); };
// initialize our writer for volume snapshot backup
// this must be after CoInitializeEx and after wbem is initialized
// (this pointer will be NULL during setup)
if (g_ProgRes.pWbemVssWriter) { HRESULT hRes = g_ProgRes.pWbemVssWriter->Initialize(); if (SUCCEEDED(hRes)) { hRes = g_ProgRes.pWbemVssWriter->Subscribe(); if (SUCCEEDED(hRes)) { g_ProgRes.bWbemVssWriterSubscribed = true; } else { TRACE((LOG_WINMGMT,"\nWINMGMT Could not subscribe the VssWriter")); } } else { TRACE((LOG_WINMGMT,"\nWINMGMT Could not initialize the VssWriter")); } }
DEBUGTRACE((LOG_WINMGMT,"\nInitialize complete"));
// TO BE REPLACED WITH PROPER CODING --- FORCE CORE
// ================================================
return TRUE;}
//
//
// WaitingFunction
//
// DESCRIPTION:
//
// Here is where we wait for messages and events during WinMgmt execution.
// We return from here when the program/service is being stopped.
//
//////////////////////////////////////////////////////////////////
void WaitingFunction(HANDLE hTerminate){
CSched sched;
DEBUGTRACE((LOG_WINMGMT,"\nInside the waiting function"));
HANDLE hEvents[] = {hTerminate, g_ProgRes.ghCoreCanUnload, g_ProgRes.ghCoreUnloaded, g_ProgRes.ghCoreLoaded, g_ProgRes.ghNeedRegistration, g_ProgRes.ghProviderCanUnload, g_ProgRes.ghMofDirChange // important, must be last entry!!!!
}; int iNumEvents = sizeof(hEvents) / sizeof(HANDLE); DWORD dwFlags; SCODE sc; CPersistentConfig per; per.TidyUp();
sched.SetWorkItem(PossibleStartCore, 60000);
//Load any MOFs in the MOF directory if needed...
LoadMofsInDirectory(g_ProgRes.szHotMofDirectory);
// resync the perf counters if
// we haven't turned this off for debugging AND
// we are not running during setup
if(GLOB_IsResyncAllowed()) { ResyncPerf(RESYNC_TYPE_INITIAL); GLOB_GetMonitor()->Register(); } while(TRUE) { DWORD dwDelay = sched.GetWaitPeriod(); DWORD dwObj = WaitForMultipleObjects(iNumEvents, hEvents, FALSE, dwDelay); switch (dwObj) { case 0: // bail out for terminate event
{ if (SERVICE_SHUTDOWN != g_ProgRes.ServiceStatus) { DEBUGTRACE((LOG_WINMGMT,"\nGot a termination event")); } { CInMutex im(g_ProgRes.hMainMutex); g_ProgRes.bShuttingDownWinMgmt = TRUE; } // call cleanup outside of a Mutex
Cleanup((g_ProgRes.ServiceStatus == SERVICE_SHUTDOWN)?TRUE:FALSE); } return; case 1: // core can unload
DEBUGTRACE((LOG_WINMGMT,"\nGot a core can unload event")); sched.SetWorkItem(FirstCoreShutdown, 30000); // 30 seconds until next unloac;
break; case 2: // core went away
DEBUGTRACE((LOG_WINMGMT,"\nGot a core unloaded event")); g_ProgRes.gbCoreLoaded = FALSE; break;
case 3: // core loaded
DEBUGTRACE((LOG_WINMGMT,"\nGot a core loaded event")); g_ProgRes.gbCoreLoaded = TRUE; break;
case 4: // Need Registration
DEBUGTRACE((LOG_WINMGMT,"\nGot a NeedRegistration event"));
if (g_ProgRes.ServiceStatus == SERVICE_RUNNING) { g_ProgRes.RevokeLogin(); g_ProgRes.RegisterLogin(); } SetEvent(g_ProgRes.ghRegistrationDone); ResetEvent(g_ProgRes.ghNeedRegistration); break; case 5: // provider can unload
{ DEBUGTRACE((LOG_WINMGMT,"\nGot a provider can unload event")); CoFreeUnusedLibrariesEx ( CORE_PROVIDER_UNLOAD_TIMEOUT , 0 ) ; //
// HACKHACK: Call it again to make sure that components that
// were released by unloading the first one can be unloaded
//
CoFreeUnusedLibrariesEx ( CORE_PROVIDER_UNLOAD_TIMEOUT , 0 ) ; sched.SetWorkItem(FinalCoreShutdown, CORE_PROVIDER_UNLOAD_TIMEOUT); // 11 minutes until next unloac;
} break;
case 6: // change in the hot mof directory
{ DEBUGTRACE((LOG_WINMGMT,"\nGot change in the hot mof directory")); LoadMofsInDirectory(g_ProgRes.szHotMofDirectory);
//Continue to monitor changes
if (!FindNextChangeNotification(g_ProgRes.ghMofDirChange)) { iNumEvents--; } } break; case WAIT_TIMEOUT:
DEBUGTRACE((LOG_WINMGMT,"\nGot a TIMEOUT work item")); if(sched.IsWorkItemDue(FirstCoreShutdown)) {
// All the clients have left the core and a decent time interval has passed. Set the
// WINMGMT_CORE_CAN_BACKUP event. When the core is done, it will set the WINMGMT_CORE_BACKUP_DONE
// event which will start the final unloading.
DEBUGTRACE((LOG_WINMGMT,"\nGot a FirstCoreShutdown work item")); sched.ClearWorkItem(FirstCoreShutdown); CoFreeUnusedLibrariesEx ( CORE_PROVIDER_UNLOAD_TIMEOUT , 0 ) ; CoFreeUnusedLibrariesEx ( CORE_PROVIDER_UNLOAD_TIMEOUT , 0 ) ; } if(sched.IsWorkItemDue(FinalCoreShutdown)) { CInMutex im(g_ProgRes.hMainMutex); DEBUGTRACE((LOG_WINMGMT,"\nGot a FinalCoreShutdown work item")); CoFreeUnusedLibrariesEx ( CORE_PROVIDER_UNLOAD_TIMEOUT , 0 ) ; //
// HACKHACK: Call it again to make sure that components that
// were released by unloading the first one can be unloaded
CoFreeUnusedLibrariesEx ( CORE_PROVIDER_UNLOAD_TIMEOUT , 0 ) ; sched.ClearWorkItem(FinalCoreShutdown); } if(sched.IsWorkItemDue(PossibleStartCore)) { sched.StartCoreIfEssNeeded(); sched.ClearWorkItem(PossibleStartCore); }
break; }
}
}
//***************************************************************************
//
// MyService::MyService
//
// DESCRIPTION:
//
// Constructor.
//
//***************************************************************************
MyService::MyService(DWORD CtrlAccepted):CNtService(CtrlAccepted){ m_hStopEvent = CreateEvent(NULL,TRUE,FALSE,NULL); if(m_hStopEvent == NULL) { DEBUGTRACE((LOG_WINMGMT,"\nMyService could not initialize")); }}
//***************************************************************************
//
// MyService::~MyService
//
// DESCRIPTION:
//
// Destructor.
//
//***************************************************************************
MyService::~MyService(){ if(m_hStopEvent) CloseHandle(m_hStopEvent);}
//***************************************************************************
//
// DWORD MyService::WorkerThread
//
// DESCRIPTION:
//
// Where the service runs. In this case, the service just waits for
// the terminate event to be set.
//
// RETURN VALUE:
//
// 0
//***************************************************************************
DWORD MyService::WorkerThread(){ DEBUGTRACE((LOG_WINMGMT,"\nStarting service worker thread")); if(!::Initialize(m_hStopEvent)) return 0; WaitingFunction(m_hStopEvent);
if (SERVICE_SHUTDOWN != g_ProgRes.ServiceStatus ) { DEBUGTRACE((LOG_WINMGMT,"\nStopping service worker thread")); } return 0;}
//
//
// VOID MyService::Log
//
///////////////////////////////////////////////////////////////////
VOID MyService::Log( IN LPCSTR lpszMsg){ TRACE((LOG_WINMGMT,lpszMsg));}
//
//
// the stop function
//
//////////////////////////////////////////////////////////////////
VOID MyService::Stop(BOOL bSystemShutDownCalled){ g_ProgRes.ServiceStatus = (bSystemShutDownCalled)?SERVICE_SHUTDOWN:SERVICE_STOPPED; SetEvent(m_hStopEvent);};
//
// MyService::Pause
//
////////////////////////////////////////////////////////////////////
HRESULT WbemPauseService(){ HRESULT hr = WBEM_S_NO_ERROR; g_ProgRes.ServiceStatus = SERVICE_PAUSED; g_ProgRes.RevokeLogin(); GLOB_GetMonitor()->Unregister(FALSE);
SCODE sc = WBEM_E_FAILED; HMODULE hCoreModule = LoadLibraryEx(__TEXT("wbemcore.dll"),NULL,0); if(hCoreModule) { pfnShutDown pfn = (pfnShutDown)GetProcAddress(hCoreModule, "Shutdown"); if(pfn) { sc = pfn(FALSE,FALSE); DEBUGTRACE((LOG_WINMGMT, "core is being shut down by WinMgmt.exe, it returned 0x%x",sc)); } else hr = WBEM_E_CRITICAL_ERROR;
FreeLibrary(hCoreModule); } else hr = WBEM_E_CRITICAL_ERROR;
return hr;}VOID MyService::Pause(){ WbemPauseService();}
//
// MyService::Continue
//
////////////////////////////////////////////////////////////////////
HRESULT WbemContinueService(){ HRESULT hr = WBEM_S_NO_ERROR; // HRESULT APIENTRY Reinitialize(DWORD dwReserved);
SCODE sc = WBEM_E_FAILED; HMODULE hCoreModule = LoadLibraryEx(__TEXT("wbemcore.dll"),NULL,0); if(hCoreModule) { HRESULT (STDAPICALLTYPE *pfn)(DWORD); pfn = (long (__stdcall *)(DWORD))GetProcAddress(hCoreModule, "Reinitialize"); if(pfn) { sc = (*pfn)(0); DEBUGTRACE((LOG_WINMGMT, "core is being resumed: it returned 0x%x",sc)); } else hr = WBEM_E_CRITICAL_ERROR;
FreeLibrary(hCoreModule); } else hr = WBEM_E_CRITICAL_ERROR;
g_ProgRes.RegisterLogin(); GLOB_GetMonitor()->Register(); g_ProgRes.ServiceStatus = SERVICE_RUNNING; return hr;}
VOID MyService::Continue(){ WbemContinueService();}
//
//
// this function will be executed before
// the final SetServiceStatus(SERVICE_STOPPED)
//
//////////////////////////////////////////////////////////
VOID MyService::FinalCleanup(){ g_ProgRes.Phase3Delete();
RegSetDWORD(HKEY_LOCAL_MACHINE, HOME_REG_PATH, _T("ProcessID"), 0); }
//
// TO be removed before RTM
// publish process ID in the registry
//
////////////////////////////////////////////////////
DWORD RegSetDWORD(HKEY hKey, TCHAR * pName, TCHAR * pValue, DWORD dwValue){ HKEY hKey2; LONG lRet;
lRet = RegOpenKeyEx(hKey, pName, 0, KEY_WRITE, &hKey2); if (ERROR_SUCCESS == lRet) { DWORD dwType = REG_DWORD; DWORD dwSize = sizeof(DWORD); lRet = RegSetValueEx(hKey2, pValue, NULL, dwType, (BYTE *)&dwValue, dwSize); RegCloseKey(hKey2); } return lRet;
}
DWORD RegGetDWORD(HKEY hKey, TCHAR * pName, TCHAR * pValue, DWORD * pdwValue){ HKEY hKey2; LONG lRet;
if (0 == pdwValue) return ERROR_INVALID_PARAMETER;
lRet = RegOpenKeyEx(hKey, pName, 0, KEY_READ, &hKey2); if (ERROR_SUCCESS == lRet) { DWORD dwSize = sizeof(DWORD); DWORD dwType =0; lRet = RegQueryValueEx(hKey2, pValue, NULL, &dwType, (BYTE *)pdwValue, &dwSize); RegCloseKey(hKey2); } return lRet;
} //
//
// Interceptor
//
//
///////////////////////////////////////////////////////////
#ifdef INSTRUMENTED_BUILD
#ifdef _X86_
#include <malloc.h>
struct HEAP_ENTRY { WORD Size; WORD PrevSize; BYTE SegmentIndex; BYTE Flags; BYTE UnusedBytes; BYTE SmallTagIndex;};
#define HEAP_SLOW_FLAGS 0x7d030f60
// only the "header"
typedef struct _HEAP { HEAP_ENTRY Entry; ULONG Signature; ULONG Flags; ULONG ForceFlags;} HEAP;
BOOL g_FaultHeapEnabled = FALSE;BOOL g_FaultFileEnabled = FALSE;ULONG g_Seed;ULONG g_Factor = 100000;ULONG g_Percent = 0x20;//ULONG g_RowOfFailures = 10;
//LONG g_NumFailInARow = 0;
//LONG g_NumFailedAllocation = 0;
BOOL g_bDisableBreak = FALSE;LONG g_nSuccConn = 0;
#define SIZE_JUMP_ADR 5
#define SIZE_SAVED_INSTR 12
void_declspec(naked) Prolog__ReadFile(){ _asm { // this is the space for the "saved istructions"
nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; // this is the place for the JMP
nop ; nop ; nop ; nop ; nop ; nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
}}
BOOL _I_ReadFile( HANDLE hFile, // handle to file
LPVOID lpBuffer, // data buffer
DWORD nNumberOfBytesToRead, // number of bytes to read
LPDWORD lpNumberOfBytesRead, // number of bytes read
LPOVERLAPPED lpOverlapped // offset
){ DWORD * pDw = (DWORD *)_alloca(sizeof(DWORD)); BOOL bRet;
LONG Ret = RtlRandomEx(&g_Seed); if (g_FaultFileEnabled && (Ret%g_Factor < g_Percent)) { if (lpNumberOfBytesRead) *lpNumberOfBytesRead = 0; return FALSE; } _asm{ push lpOverlapped; push lpNumberOfBytesRead; push nNumberOfBytesToRead; push lpBuffer; push hFile; call Prolog__ReadFile; mov bRet,eax }
return bRet;}
void_declspec(naked) Prolog__WriteFile(){ _asm { // this is the space for the "saved istructions"
nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; // this is the place for the JMP
nop ; nop ; nop ; nop ; nop ; nop ; // dist
nop ; // dist
nop ; // dist
}}
BOOL _I_WriteFile( HANDLE hFile, // handle to file
LPCVOID lpBuffer, // data buffer
DWORD nNumberOfBytesToWrite, // number of bytes to write
LPDWORD lpNumberOfBytesWritten, // number of bytes written
LPOVERLAPPED lpOverlapped // overlapped buffer
){
DWORD * pDw = (DWORD *)_alloca(sizeof(DWORD)); BOOL bRet;
LONG Ret = RtlRandomEx(&g_Seed); if (g_FaultFileEnabled && (Ret%g_Factor < g_Percent)) { if (lpNumberOfBytesWritten) *lpNumberOfBytesWritten = 0; return FALSE; } _asm{ push lpOverlapped; push lpNumberOfBytesWritten; push nNumberOfBytesToWrite; push lpBuffer; push hFile; call Prolog__WriteFile; mov bRet,eax }
return bRet;}
void_declspec(naked) Prolog__CreateEvent(){ _asm { // this is the space for the "saved istructions"
nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; // this is the place for the JMP
nop ; nop ; nop ; nop ; nop ; nop ; // dist
nop ; // dist
}}
HANDLE _I_CreateEvent( LPSECURITY_ATTRIBUTES lpEventAttributes, // SD
BOOL bManualReset, // reset type
BOOL bInitialState, // initial state
LPCWSTR lpName // object name
){ DWORD * pDw = (DWORD *)_alloca(sizeof(DWORD)); HANDLE hHandle;
LONG Ret = RtlRandomEx(&g_Seed); if (g_FaultFileEnabled && (Ret%g_Factor < g_Percent)) { return NULL; }
_asm{ push lpName; push bInitialState; push bManualReset; push lpEventAttributes call Prolog__CreateEvent; mov hHandle,eax } return hHandle;}
void_declspec(naked) Prolog__RtlFreeHeap(){ _asm { // this is the space for the "saved istructions"
nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; // this is the place for the JMP
nop ; nop ; nop ; nop ; nop ; }}
#define SPACE_STACK_ALLOC (4*sizeof(ULONG_PTR))
DWORD _I_RtlFreeHeap(VOID * pHeap,DWORD Flags,VOID * pBlock){ ULONG * pLong = (ULONG *)_alloca(sizeof(DWORD)); Flags |= (((HEAP *)pHeap)->Flags) | (((HEAP *)pHeap)->ForceFlags); DWORD dwRet;
if (pBlock && !(HEAP_SLOW_FLAGS & Flags)) { HEAP_ENTRY * pEntry = (HEAP_ENTRY *)pBlock-1;
DWORD RealSize = pEntry->Size * sizeof(HEAP_ENTRY); DWORD Size = RealSize - pEntry->UnusedBytes;
ULONG_PTR * pL = (ULONG_PTR *)pBlock;
if (0 == (pEntry->Flags & 0x01) ||0xf0f0f0f0 == pL[1] ) { if (!g_bDisableBreak) DebugBreak(); }
DWORD CanMemset = RealSize-sizeof(HEAP_ENTRY); memset(pBlock,0xF0,(CanMemset > SPACE_STACK_ALLOC)?CanMemset-SPACE_STACK_ALLOC:CanMemset); if (pEntry->Size >=4) { RtlCaptureStackBackTrace (1, (4 == pEntry->Size)?4:6, (PVOID *)(pEntry+2), pLong); }
}
_asm { push pBlock ; push Flags ; push pHeap ; call Prolog__RtlFreeHeap ; mov dwRet,eax ; }
return dwRet;}
void_declspec(naked) Prolog__RtlAllocateHeap(){ _asm { // this is the space for the "saved istructions"
nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; // this is the place for the JMP
nop ; nop ; nop ; nop ; nop ; nop ; // to make this distinct
}}
VOID * _I_RtlAllocateHeap(VOID * pHeap,DWORD Flags,DWORD Size){ ULONG * pLong = (ULONG *)_alloca(sizeof(DWORD)); Flags |= (((HEAP *)pHeap)->Flags) | (((HEAP *)pHeap)->ForceFlags); VOID * pRet; DWORD NewSize = (Size < (3*sizeof(HEAP_ENTRY)))?(3*sizeof(HEAP_ENTRY)+SPACE_STACK_ALLOC):(Size+SPACE_STACK_ALLOC);
/*
if (g_FaultHeapEnabled && g_NumFailInARow) { InterlockedDecrement(&g_NumFailInARow); goto here; }*/ LONG Ret = RtlRandomEx(&g_Seed); if (g_FaultHeapEnabled && (Ret%g_Factor < g_Percent)) {// g_NumFailInARow = g_RowOfFailures;
//here:
// InterlockedIncrement(&g_NumFailedAllocation);
return NULL; }
_asm { push NewSize ; push Flags ; push pHeap ; call Prolog__RtlAllocateHeap ; mov pRet,eax ; }
if (pRet && !(HEAP_SLOW_FLAGS & Flags) ) {
if (NewSize <= 0xffff) NewSize = sizeof(HEAP_ENTRY)*((HEAP_ENTRY *)pRet-1)->Size; if (!(HEAP_ZERO_MEMORY & Flags)) { memset(pRet,0xc0,NewSize-sizeof(HEAP_ENTRY)); }
RtlCaptureStackBackTrace(1, 4, (PVOID *)((BYTE *)pRet+(NewSize-SPACE_STACK_ALLOC-sizeof(HEAP_ENTRY))), pLong); }
return pRet; }
void_declspec(naked) Prolog__RtlReAllocateHeap(){ _asm { // this is the space for the "saved istructions"
nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; // this is the place for the JMP
nop ; nop ; nop ; nop ; nop ; nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
}}
VOID *_I_RtlReAllocateHeap( HANDLE pHeap, // handle to heap block
DWORD Flags, // heap reallocation options
LPVOID lpMem, // pointer to memory to reallocate
SIZE_T Size // number of bytes to reallocate
){ ULONG * pLong = (ULONG *)_alloca(sizeof(DWORD)); Flags |= (((HEAP *)pHeap)->Flags) | (((HEAP *)pHeap)->ForceFlags); VOID * pRet;
DWORD NewSize = (Size < (3*sizeof(HEAP_ENTRY)))?(3*sizeof(HEAP_ENTRY)+SPACE_STACK_ALLOC):(Size+SPACE_STACK_ALLOC); _asm { push NewSize ; push lpMem ; push Flags ; push pHeap ; call Prolog__RtlReAllocateHeap ; mov pRet,eax ; }
if (pRet && !(HEAP_SLOW_FLAGS & Flags) ) {
if (NewSize <= 0xffff) NewSize = sizeof(HEAP_ENTRY)*((HEAP_ENTRY *)pRet-1)->Size; RtlCaptureStackBackTrace(1, 4, (PVOID *)((BYTE *)pRet+(NewSize-SPACE_STACK_ALLOC-sizeof(HEAP_ENTRY))), pLong); }
return pRet;}
void_declspec(naked) Prolog__RtlValidateHeap(){ _asm { // this is the space for the "saved istructions"
nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; // this is the place for the JMP
nop ; nop ; nop ; nop ; nop ; nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
}}
BOOL_I_RtlValidateHeap( HANDLE pHeap, // handle to heap block
DWORD dwFlags, // heap reallocation options
LPVOID lpMem // pointer to memory to validate
){ ULONG * pLong = (ULONG *)_alloca(sizeof(DWORD)); BOOL bRet;
g_bDisableBreak = TRUE; _asm { push lpMem ; push dwFlags ; push pHeap ; call Prolog__RtlValidateHeap ; mov bRet,eax ; }
g_bDisableBreak = FALSE;
return bRet;}
#if 0
#define MAX_REMEMBER (1024)
struct CSCCTrace{ VOID * p1; VOID * p2; DWORD Tid; ULONG_PTR Trace[5];} g_CSCCTrace[MAX_REMEMBER];
LONG g_CSCCIndex = -1;
void_declspec(naked) Prolog__CoSwitchCallContext(){ _asm { // this is the space for the "saved istructions"
nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; nop ; // this is the place for the JMP
nop ; nop ; nop ; nop ; nop ; nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
nop ; // dist
}}
HRESULT WINAPI_I_CoSwitchCallContext(IUnknown * pNew, IUnknown ** ppOld){ ULONG * pLong = (ULONG * )_alloca(sizeof(ULONG ));
long nIndex = InterlockedIncrement(&g_CSCCIndex); nIndex %= MAX_REMEMBER; CSCCTrace * pTrace = &g_CSCCTrace[nIndex]; pTrace->p1 = pNew; if (ppOld) pTrace->p2 = *ppOld; else pTrace->p2 = 0; pTrace->Tid =GetCurrentThreadId();
RtlCaptureStackBackTrace (1,5,(PVOID *)pTrace->Trace,pLong); HRESULT hRes; _asm { push ppOld; push pNew; call Prolog__CoSwitchCallContext; mov hRes,eax; }; return hRes;}#endif
void intercept2(WCHAR * Module, LPSTR Function, VOID * NewRoutine, VOID * pPrologStorage, DWORD Size) { FARPROC OldRoutine = GetProcAddress(GetModuleHandleW(Module),Function);
if (OldRoutine) { MEMORY_BASIC_INFORMATION MemBI; DWORD dwOldProtect; BOOL bRet, bRet2; DWORD dwRet;
dwRet = VirtualQuery(OldRoutine,&MemBI,sizeof(MemBI));
bRet = VirtualProtect(MemBI.BaseAddress, MemBI.RegionSize, PAGE_EXECUTE_WRITECOPY, &dwOldProtect);
dwRet = VirtualQuery(pPrologStorage,&MemBI,sizeof(MemBI));
bRet2 = VirtualProtect(MemBI.BaseAddress, MemBI.RegionSize, PAGE_EXECUTE_WRITECOPY, &dwOldProtect);
if (bRet && bRet2) { VOID * pToJump = (VOID *)NewRoutine; BYTE Arr[SIZE_JUMP_ADR] = { 0xe9 }; LONG * pOffset = (LONG *)&Arr[1]; * pOffset = (LONG)NewRoutine - (LONG)OldRoutine - SIZE_JUMP_ADR ; // save the old code
memcpy(pPrologStorage,OldRoutine,Size); // put the new code
memset(OldRoutine,0x90,Size); memcpy(OldRoutine,Arr,SIZE_JUMP_ADR); // adjust the prolog to continue
* pOffset = (LONG)OldRoutine + Size - (LONG)pPrologStorage - SIZE_SAVED_INSTR - SIZE_JUMP_ADR; // magic for nops
memcpy((BYTE *)pPrologStorage+SIZE_SAVED_INSTR,Arr,SIZE_JUMP_ADR); } } else { OutputDebugStringA("GetProcAddress FAIL\n"); }}
void unintercept(WCHAR * Module, LPSTR Function, VOID * pPrologStorage, DWORD Size){ FARPROC OldRoutine = GetProcAddress(GetModuleHandleW(Module),Function);
if (OldRoutine) { memcpy((void *)OldRoutine,pPrologStorage,Size); }
}
#endif /*_X86_*/
#ifndef STATUS_POSSIBLE_DEADLOCK
#define STATUS_POSSIBLE_DEADLOCK (0xC0000194L)
#endif
class CSetVectoredHandler{private:// static ULONG_PTR Base;
// static ULONG_PTR Limit;
PVOID pVectorHandler; enum ExceptionTypes { StatusAccessViolation, CXXException, StatusNoMemory, OtherExceptions, LastException }; static LONG ExceptionCounters[LastException];/*
BOOL GetDllLimits(WCHAR * pDllName) { UNICODE_STRING DllName; RtlInitUnicodeString(&DllName,pDllName); PEB_LDR_DATA * pLdr = NtCurrentPeb()->Ldr; LIST_ENTRY * pHeadEntry = &pLdr->InLoadOrderModuleList; LIST_ENTRY * pEntry = pLdr->InLoadOrderModuleList.Flink; BOOL bFound = FALSE; while (pHeadEntry != pEntry) { LDR_DATA_TABLE_ENTRY * pData = CONTAINING_RECORD(pEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (0 == _wcsicmp(DllName.Buffer,pData->BaseDllName.Buffer)) { //OutputDebugStringA("found\n");
Base = (ULONG_PTR)pData->DllBase; Limit = Base + (ULONG_PTR)pData->SizeOfImage; bFound = TRUE; break; } pEntry = pEntry->Flink; } return bFound; }*/ public: CSetVectoredHandler() { pVectorHandler = NULL; //if (GetDllLimits(L"fastprox.dll"))
//{
pVectorHandler = AddVectoredExceptionHandler(TRUE,CSetVectoredHandler::VectoredHandler); //}
}; ~CSetVectoredHandler() { if (pVectorHandler) RemoveVectoredExceptionHandler(pVectorHandler); }; static LONG WINAPI VectoredHandler(PEXCEPTION_POINTERS ExceptionInfo) { PEXCEPTION_RECORD pExr = ExceptionInfo->ExceptionRecord; PCONTEXT pCxr = ExceptionInfo->ContextRecord; switch (pExr->ExceptionCode) { case STATUS_PRIVILEGED_INSTRUCTION: case STATUS_INVALID_HANDLE: case STATUS_STACK_OVERFLOW: case STATUS_POSSIBLE_DEADLOCK: case STATUS_ACCESS_VIOLATION: InterlockedIncrement(&ExceptionCounters[(LONG)StatusAccessViolation]); DebugBreak(); break; case 0xe06d7363: InterlockedIncrement(&ExceptionCounters[(LONG)CXXException]); break; case STATUS_NO_MEMORY: InterlockedIncrement(&ExceptionCounters[(LONG)StatusNoMemory]); break; default: InterlockedIncrement(&ExceptionCounters[(LONG)OtherExceptions]); break; } return EXCEPTION_CONTINUE_SEARCH; }} g_C;
LONG CSetVectoredHandler::ExceptionCounters[CSetVectoredHandler::LastException];
#endif
//
//
// ServiceMain
//
///////////////////////////////////////////////////////////
VOID WINAPI ServiceMain(DWORD dwNumServicesArgs, LPWSTR *lpServiceArgVectors){
#ifdef INSTRUMENTED_BUILD
#ifdef _X86_
intercept2(L"ntdll.dll","RtlFreeHeap",_I_RtlFreeHeap,Prolog__RtlFreeHeap,5); intercept2(L"ntdll.dll","RtlAllocateHeap",_I_RtlAllocateHeap,Prolog__RtlAllocateHeap,5); intercept2(L"ntdll.dll","RtlReAllocateHeap",_I_RtlReAllocateHeap,Prolog__RtlReAllocateHeap,5); intercept2(L"ntdll.dll","RtlValidateHeap",_I_RtlValidateHeap,Prolog__RtlValidateHeap,7); intercept2(L"kernel32.dll","CreateEventW",_I_CreateEvent,Prolog__CreateEvent,6); intercept2(L"kernel32.dll","WriteFile",_I_WriteFile,Prolog__WriteFile,7); intercept2(L"kernel32.dll","ReadFile",_I_ReadFile,Prolog__ReadFile,7); g_nSuccConn = 0;#endif /*_X86_*/
#endif
RegSetDWORD(HKEY_LOCAL_MACHINE, HOME_REG_PATH, _T("ProcessID"), GetCurrentProcessId());
if (InitialBreak()) { DebugBreak(); }
g_ProgRes.Init(); g_ProgRes.Phase1Build();
MyService ThisService(SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN|SERVICE_ACCEPT_PAUSE_CONTINUE); ThisService.Run(SERVICE_NAME, dwNumServicesArgs, lpServiceArgVectors, (void *)&ThisService);
#ifdef INSTRUMENTED_BUILD
#ifdef _X86_
unintercept(L"ntdll.dll","RtlFreeHeap",Prolog__RtlFreeHeap,5); unintercept(L"ntdll.dll","RtlAllocateHeap",Prolog__RtlAllocateHeap,5); unintercept(L"ntdll.dll","RtlReAllocateHeap",Prolog__RtlReAllocateHeap,5); unintercept(L"ntdll.dll","RtlValidateHeap",Prolog__RtlValidateHeap,7); unintercept(L"kernel32.dll","CreateEventW",Prolog__CreateEvent,6); unintercept(L"kernel32.dll","WriteFile",Prolog__WriteFile,7); unintercept(L"kernel32.dll","ReadFile",Prolog__ReadFile,7); #endif /*_X86_*/
#endif
}
|
