archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/com/svcdlls/trksvcs/dltadmin/procact.cxx

439 lines
14 KiB
Raw Normal View History

Add source files
4 years ago
  2. #include <pch.cxx>
  3. #pragma hdrstop
  5. #include <ole2.h>
  6. #include "trkwks.hxx"
  7. #include "dltadmin.hxx"
  11. typedef HINSTANCE (WINAPI *PFNLoadLibrary)(LPCTSTR);
  12. typedef HMODULE (WINAPI *PFNGetModuleHandle)(LPCTSTR);
  13. typedef BOOL (WINAPI *PFNFreeLibrary)(HINSTANCE);
  14. typedef LONG (WINAPI *PFNGetLastError)();
  15. typedef VOID (WINAPI *PFNDebugBreak)();
  16. typedef VOID (WINAPI *PFNOutputDebugStringW)( LPCTSTR );
  17. typedef BOOL (WINAPI *PFNCreateProcessW)(
  18. IN LPCWSTR lpApplicationName,
  19. IN LPWSTR lpCommandLine,
  20. IN LPSECURITY_ATTRIBUTES lpProcessAttributes,
  21. IN LPSECURITY_ATTRIBUTES lpThreadAttributes,
  22. IN BOOL bInheritHandles,
  23. IN DWORD dwCreationFlags,
  24. IN LPVOID lpEnvironment,
  25. IN LPCWSTR lpCurrentDirectory,
  26. IN LPSTARTUPINFOW lpStartupInfo,
  27. OUT LPPROCESS_INFORMATION lpProcessInformation
  28. );
  30. typedef struct
  31. {
  32. EProcessAction eAction;
  33. PFNGetModuleHandle pfnGetModuleHandleW;
  34. PFNFreeLibrary pfnFreeLibrary;
  35. PFNLoadLibrary pfnLoadLibraryW;
  36. PFNGetLastError pfnGetLastError;
  37. PFNDebugBreak pfnDebugBreak;
  38. PFNOutputDebugStringW pfnOutputDebugStringW;
  39. PFNCreateProcessW pfnCreateProcessW;
  40. WCHAR wsz[ 4*MAX_PATH + 1 ];
  41. WCHAR wszMessage[ 2*MAX_PATH + 1 ];
  42. } THREADFNSTRUCT;
  45. extern "C"
  46. {
  48. // Turn off stack-probing.
  49. #pragma check_stack (off)
  51. // Also turn off optimizations, to ensure that the compiler doesn't
  52. // consolidate any of this code with that from another function.
  53. #pragma optimize( "", off )
  55. static void BeforeThreadFunc (void)
  56. {
  57. // Prevent optimizations
  58. int i = rand();
  59. }
  61. static DWORD WINAPI
  62. RemoteThreadFunc( THREADFNSTRUCT *pStruct )
  63. {
  64. pStruct->pfnOutputDebugStringW( pStruct->wszMessage );
  66. if( FREE_LIBRARY == pStruct->eAction )
  67. {
  68. HINSTANCE hinst = NULL;
  70. hinst = pStruct->pfnGetModuleHandleW( pStruct->wsz );
  71. if( NULL == hinst )
  72. return( pStruct->pfnGetLastError() );
  74. if( !pStruct->pfnFreeLibrary( hinst ))
  75. return( pStruct->pfnGetLastError() );
  76. else
  77. return( ERROR_SUCCESS );
  79. }
  80. else if( LOAD_LIBRARY == pStruct->eAction )
  81. {
  82. if( NULL == pStruct->pfnLoadLibraryW( pStruct->wsz ))
  83. return( pStruct->pfnGetLastError() );
  84. else
  85. return( ERROR_SUCCESS );
  86. }
  87. else if( DEBUG_BREAK == pStruct->eAction )
  88. {
  89. pStruct->pfnDebugBreak();
  90. return( ERROR_SUCCESS );
  91. }
  92. else if( CREATE_PROCESS == pStruct->eAction )
  93. {
  94. if( !pStruct->pfnCreateProcessW( NULL, pStruct->wsz,
  95. NULL, NULL,
  96. FALSE, NORMAL_PRIORITY_CLASS,
  97. NULL, NULL, NULL, NULL ))
  98. {
  99. return GetLastError();
  100. }
  101. else
  102. return ERROR_SUCCESS;
  103. }
  104. else
  105. {
  106. pStruct->pfnOutputDebugStringW( L"Invalid action to RemoteThreadFunc" );
  107. return ERROR_INVALID_PARAMETER;
  108. }
  110. }
  112. static void AfterThreadFunc (void)
  113. {
  114. // Prevent optimziations
  115. int i = 2 * rand();
  116. }
  118. #pragma optimize ("", on ) // Restore to default
  119. #pragma check_stack // Restore to default
  120. }
  122. BOOL
  123. RemoteProcessAction( HANDLE hProcess,
  124. EProcessAction eAction,
  125. const WCHAR *pwsz )
  126. {
  127. int cbCodeSize = 0;
  128. const DWORD cbMemSize = cbCodeSize + sizeof(THREADFNSTRUCT) + 3;
  129. DWORD *pdwCodeRemote = NULL;
  130. THREADFNSTRUCT ThreadFnStruct;
  131. THREADFNSTRUCT *pRemoteThreadFnStruct = NULL;
  132. HANDLE hThread = NULL;
  133. DWORD dwThreadID = 0;
  134. BOOL fSuccess = FALSE;
  136. __try {
  138. // Determine the size of RemoteThreadFunc. Assume the functions
  139. // either in order or in reverse order.
  141. if( (LPBYTE) AfterThreadFunc > (LPBYTE) RemoteThreadFunc )
  142. cbCodeSize = (int)( (LPBYTE) AfterThreadFunc - (LPBYTE) RemoteThreadFunc );
  143. else if( (LPBYTE) BeforeThreadFunc > (LPBYTE) RemoteThreadFunc )
  144. cbCodeSize = (int)( (LPBYTE) BeforeThreadFunc - (LPBYTE) RemoteThreadFunc );
  145. else
  146. {
  147. printf( "Can't determine size of code to inject (%p, %p, %p)\n",
  148. BeforeThreadFunc, AfterThreadFunc, RemoteThreadFunc );
  149. __leave;
  150. }
  153. // Allocate memory in the remote process's address space large
  154. // enough to hold our RemoteThreadFunc function and a THREADFNSTRUCT structure.
  156. pdwCodeRemote = (DWORD*) VirtualAllocEx( hProcess, NULL, cbMemSize,
  157. MEM_COMMIT, PAGE_EXECUTE_READWRITE );
  159. if( NULL == pdwCodeRemote )
  160. {
  161. printf( "VirtualAllocEx failed: %d\n", GetLastError() );
  162. __leave;
  163. }
  166. // Write a copy of RemoteThreadFunc to the remote process.
  167. if( !WriteProcessMemory( hProcess, pdwCodeRemote,
  168. (LPVOID) RemoteThreadFunc,
  169. cbCodeSize, NULL ))
  170. {
  171. printf( "WriteProcessMemory failed: %d\n", GetLastError() );
  172. __leave;
  173. }
  176. // Write a copy of ThreadFnStruct to the remote process
  177. // (the structure MUST start on an even 32-bit bourdary).
  179. pRemoteThreadFnStruct = reinterpret_cast<THREADFNSTRUCT *>
  180. ( (BYTE*)pdwCodeRemote + ((cbCodeSize + 4) & ~3) );
  183. memset( &ThreadFnStruct, 0, sizeof(ThreadFnStruct) );
  184. ThreadFnStruct.eAction = eAction;
  186. //wcscpy( ThreadFnStruct.wszMessage, L"*** Remote thread from dltadmin.exe ***\n" );
  189. if( LOAD_LIBRARY == eAction )
  190. {
  191. wcscpy( ThreadFnStruct.wsz, pwsz );
  192. wsprintf( ThreadFnStruct.wszMessage,
  193. L"Received request from dltadmin to load \"%s\"\n",
  194. pwsz );
  196. ThreadFnStruct.pfnLoadLibraryW = (PFNLoadLibrary)
  197. GetProcAddress( GetModuleHandle( L"kernel32.dll" ),
  198. "LoadLibraryW" );
  199. if( NULL == ThreadFnStruct.pfnLoadLibraryW )
  200. {
  201. printf( "Couldn't load LoadLibraryW (%d)\n", GetLastError() );
  202. __leave;
  203. }
  204. }
  205. else if( FREE_LIBRARY == eAction )
  206. {
  207. wcscpy( ThreadFnStruct.wsz, pwsz );
  208. wsprintf( ThreadFnStruct.wszMessage,
  209. L"Received request from dltadmin to free \"%s\"\n",
  210. pwsz );
  211. ThreadFnStruct.pfnFreeLibrary = (PFNFreeLibrary)
  212. GetProcAddress( GetModuleHandleA("kernel32.dll"),
  213. "FreeLibrary" );
  214. if( NULL == ThreadFnStruct.pfnFreeLibrary )
  215. {
  216. printf( "Couldn't load FreeLibrary (%d)\n", GetLastError() );
  217. __leave;
  218. }
  220. ThreadFnStruct.pfnGetModuleHandleW = (PFNGetModuleHandle)
  221. GetProcAddress( GetModuleHandle(L"kernel32.dll"),
  222. "GetModuleHandleW" );
  223. if( NULL == ThreadFnStruct.pfnFreeLibrary )
  224. {
  225. printf( "Couldn't load FreeLibrary (%d)\n", GetLastError() );
  226. __leave;
  227. }
  228. }
  229. else if( CREATE_PROCESS == eAction )
  230. {
  231. wcscpy( ThreadFnStruct.wsz, pwsz );
  232. wsprintf( ThreadFnStruct.wszMessage,
  233. L"Received request from dltadmin to create \"%s\"\n",
  234. pwsz );
  235. ThreadFnStruct.pfnCreateProcessW = (PFNCreateProcessW)
  236. GetProcAddress( GetModuleHandleA("kernel32.dll"),
  237. "CreateProcessW" );
  238. if( NULL == ThreadFnStruct.pfnCreateProcessW )
  239. {
  240. printf( "Couldn't load CreateProcess (%d)\n", GetLastError() );
  241. __leave;
  242. }
  244. }
  245. else // DEBUG_BREAK
  246. {
  247. wsprintf( ThreadFnStruct.wszMessage,
  248. L"Received request from dltadmin to DebugBreak\n" );
  249. ThreadFnStruct.pfnDebugBreak = (PFNDebugBreak)
  250. GetProcAddress( GetModuleHandleA("kernel32.dll"),
  251. "DebugBreak" );
  252. if( NULL == ThreadFnStruct.pfnDebugBreak )
  253. {
  254. printf( "Couldn't load DebugBreak (%d)\n", GetLastError() );
  255. __leave;
  256. }
  258. }
  260. ThreadFnStruct.pfnGetLastError = (PFNGetLastError)
  261. GetProcAddress( GetModuleHandle( L"kernel32.dll" ),
  262. "GetLastError" );
  263. if( NULL == ThreadFnStruct.pfnGetLastError )
  264. {
  265. printf( "Couldn't load GetLastError (%d)\n", GetLastError() );
  266. __leave;
  267. }
  269. ThreadFnStruct.pfnOutputDebugStringW = (PFNOutputDebugStringW)
  270. GetProcAddress( GetModuleHandle( L"kernel32.dll" ),
  271. "OutputDebugStringW" );
  272. if( NULL == ThreadFnStruct.pfnOutputDebugStringW )
  273. {
  274. printf( "Couldn't load OutputDebugStringW (%d)\n", GetLastError() );
  275. __leave;
  276. }
  278. // Write the struct into the remote thread's memory block.
  280. if( !WriteProcessMemory( hProcess, pRemoteThreadFnStruct,
  281. &ThreadFnStruct, sizeof(THREADFNSTRUCT), NULL ))
  282. {
  283. printf( "Couldn't write ThreadFnStruct to remote thread: %d\n", GetLastError() );
  284. __leave;
  285. }
  288. hThread = CreateRemoteThread( hProcess, NULL, 0,
  289. (LPTHREAD_START_ROUTINE) pdwCodeRemote,
  290. pRemoteThreadFnStruct, 0, &dwThreadID );
  291. if( NULL == hThread )
  292. {
  293. printf( "Couldn't create remote thread: %d\n", GetLastError() );
  294. __leave;
  295. }
  297. DWORD dwWait = WaitForSingleObject( hThread, INFINITE );
  298. if( WAIT_OBJECT_0 != dwWait )
  299. printf( "Wait failed: %d, %d\n", dwWait, GetLastError() );
  301. } // __try
  302. __finally
  303. {
  305. if( NULL != hThread )
  306. {
  307. DWORD dwError;
  309. if( !AbnormalTermination() )
  310. {
  311. if( !GetExitCodeThread( hThread, &dwError ))
  312. printf( "Couldn't get remote thread exit code: %d\n", GetLastError() );
  313. else if( ERROR_MOD_NOT_FOUND == dwError )
  314. {
  315. if( LOAD_LIBRARY == eAction )
  316. wprintf( L"DLL \"%s\" not found\n", pwsz );
  317. else if( FREE_LIBRARY == eAction )
  318. wprintf( L"DLL \"%s\" not already loaded\n", pwsz );
  319. }
  320. else if( ERROR_SUCCESS != dwError )
  321. printf( "Failed: 0x%x\n", dwError );
  322. else
  323. fSuccess = TRUE;
  324. }
  326. CloseHandle(hThread);
  327. }
  329. if( NULL != pdwCodeRemote )
  330. {
  331. if( !VirtualFreeEx( hProcess, pdwCodeRemote, 0, MEM_RELEASE ))
  332. printf( "Couldn't free remote memory: 0x%x\n", GetLastError() );
  333. }
  335. } // __finally
  337. if( fSuccess )
  338. printf( "Succeeded\n" );
  339. return( fSuccess );
  341. }
  345. BOOL
  346. DltAdminProcessAction( EProcessAction eAction, ULONG cArgs, TCHAR * const rgptszArgs[], ULONG *pcEaten )
  347. {
  348. BOOL fSuccess = FALSE;
  350. *pcEaten = 0;
  352. if( 0 == cArgs
  353. ||
  354. 1 <= cArgs && IsHelpArgument(rgptszArgs[0]) )
  355. {
  356. *pcEaten = 1;
  358. if( LOAD_LIBRARY == eAction )
  359. {
  360. printf( "\nOption LoadLib\n"
  361. " Purpose: Load a dll into a process with LoadLibrary\n"
  362. " Usage: -LoadLib -p <process ID> <library name>\n"
  363. " E.g.: -LoadLib -p 182 shell32.dll\n" );
  364. }
  365. else if( FREE_LIBRARY == eAction )
  366. {
  367. printf( "\nOption FreeLib\n"
  368. " Purpose: Unload a dll from a process with FreeLibrary\n"
  369. " Usage: -FreeLib -p <process ID> <library name>\n"
  370. " E.g.: -FreeLib -p 182 shell32.dll\n" );
  371. }
  372. else
  373. {
  374. printf( "\nOption DebugBreak\n"
  375. " Purpose: Execute DebugBreak within a process\n"
  376. " Usage: -DebugBreak -p <process ID>\n"
  377. " E.g.: -DebugBreak -p 182\n" );
  378. }
  379. return( TRUE );
  380. }
  382. ULONG iArgs = 0;
  384. if( 2 > cArgs
  385. ||
  386. TEXT('-') != rgptszArgs[0][0]
  387. &&
  388. TEXT('/') != rgptszArgs[0][0]
  389. ||
  390. TEXT('P') != rgptszArgs[0][1]
  391. &&
  392. TEXT('p') != rgptszArgs[0][1] )
  394. {
  395. printf( "Argument error. Use -? for usage info.\n" );
  396. return( FALSE );
  397. }
  399. HANDLE hProcess = NULL;
  400. __try
  401. {
  402. DWORD dwProcessID = 0;
  404. _stscanf( rgptszArgs[1], TEXT("%d"), &dwProcessID );
  405. if( 0 == dwProcessID )
  406. {
  407. printf( "Failed to open system process\n" );
  408. __leave;
  409. }
  411. EnablePrivilege(SE_DEBUG_NAME);
  412. hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwProcessID );
  413. if( NULL == hProcess )
  414. {
  415. printf( "Failed to open process %d (%lu)\n", dwProcessID, GetLastError() );
  416. __leave;
  417. }
  419. if( RemoteProcessAction( hProcess, eAction,
  420. DEBUG_BREAK == eAction ? NULL : rgptszArgs[2] ))
  421. fSuccess = TRUE;
  423. if( DEBUG_BREAK == eAction )
  424. *pcEaten = 2;
  425. else
  426. *pcEaten = 3;
  428. }
  429. __finally
  430. {
  431. if( NULL != hProcess )
  432. CloseHandle( hProcess );
  433. }
  435. return( fSuccess );
  436. }