archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/sdktools/profiler/profiler.c

520 lines
12 KiB
Raw Normal View History

Add source files
4 years ago
  1. #include <windows.h>
  2. #include <string.h>
  3. #include <stdio.h>
  4. #include <tlhelp32.h>
  5. #include "profiler.h"
  6. #include "inject.h"
  7. #include "view.h"
  8. #include "except.h"
  9. #include "thread.h"
  10. #include "dump.h"
  11. #include "shimdb.h"
  12. #include "shim2.h"
  13. #include "hooks.h"
  14. #include "memory.h"
  15. #include "filter.h"
  16. #include "clevel.h"
  17. #include "cap.h"
  19. extern CHAR g_fnFinalizeInjection[MAX_PATH];
  20. extern HINSTANCE g_hProfileDLL;
  21. extern FIXUPRETURN g_fnFixupReturn[1];
  22. extern DWORD g_dwCallArray[2];
  23. extern CAPFILTER g_execFilter;
  25. int
  26. WINAPI
  27. WinMain(
  28. HINSTANCE hInst,
  29. HINSTANCE hInstPrev,
  30. LPSTR lpszCmd,
  31. int swShow)
  32. {
  33. HANDLE hFile = 0;
  34. BOOL bResult = FALSE;
  35. STARTUPINFO sInfo;
  36. PCHAR pszToken;
  37. PCHAR pszEnd;
  38. PROCESS_INFORMATION pInfo;
  39. DWORD dwEntry = 0;
  40. OSVERSIONINFO verInfo;
  41. BOOL bIsWin9X = FALSE;
  42. HANDLE hDevice = INVALID_HANDLE_VALUE;
  44. //
  45. // Get the OS information
  46. //
  47. ZeroMemory(&verInfo, sizeof(OSVERSIONINFO));
  49. verInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
  50. bResult = GetVersionExA(&verInfo);
  51. if (FALSE == bResult) {
  52. return -1;
  53. }
  55. if (VER_PLATFORM_WIN32_NT == verInfo.dwPlatformId) {
  56. bIsWin9X = FALSE;
  57. }
  58. else if (VER_PLATFORM_WIN32_WINDOWS == verInfo.dwPlatformId) {
  59. bIsWin9X = TRUE;
  60. }
  62. //
  63. // Initialize my working heap
  64. //
  65. bResult = InitializeHeap();
  66. if (FALSE == bResult) {
  67. return -1;
  68. }
  70. //
  71. // Parse the command line
  72. //
  73. pszToken = strstr(lpszCmd, "\"");
  74. if (pszToken) {
  75. pszToken++;
  77. pszEnd = strstr(pszToken, "\"");
  78. *pszEnd = '\0';
  79. }
  81. if (0 == pszToken) {
  82. pszToken = strstr(lpszCmd, " ");
  83. if (0 == pszToken) {
  84. pszToken = strstr(lpszCmd, "\t");
  85. if (0 == pszToken) {
  86. pszToken = lpszCmd;
  87. }
  88. }
  89. }
  91. //
  92. // Initialize our process information struct
  93. //
  94. ZeroMemory(&sInfo, sizeof(STARTUPINFO));
  95. ZeroMemory(&pInfo, sizeof(PROCESS_INFORMATION));
  96. sInfo.cb = sizeof(STARTUPINFO);
  98. dwEntry = GetExeEntryPoint(pszToken);
  99. if (0 == dwEntry) {
  100. return -1;
  101. }
  103. //
  104. // Get our exe ready for DLL injection
  105. //
  106. bResult = CreateProcessA(0,
  107. pszToken,
  108. 0,
  109. 0,
  110. FALSE,
  111. CREATE_SUSPENDED,
  112. 0,
  113. 0, //should make this a setable param sooner rather than later
  114. &sInfo,
  115. &pInfo);
  116. if (FALSE == bResult) {
  117. return -1;
  118. }
  120. //
  121. // If we're 9x - bring in the VxD
  122. //
  123. if (TRUE == bIsWin9X) {
  124. hDevice = AttachToEXVectorVXD();
  125. if (INVALID_HANDLE_VALUE == hDevice) {
  126. return -1;
  127. }
  128. }
  130. //
  131. // Inject our dll into the target
  132. //
  133. hFile = InjectDLL(dwEntry,
  134. pInfo.hProcess,
  135. NAME_OF_DLL_TO_INJECT);
  136. if (0 == hFile) {
  137. return -1;
  138. }
  140. //
  141. // Turn the process loose
  142. //
  143. bResult = ResumeThread(pInfo.hThread);
  144. if (FALSE == bResult) {
  145. return -1;
  146. }
  148. //
  149. // Wait for target termination
  150. //
  151. WaitForSingleObject(pInfo.hThread,
  152. INFINITE);
  154. //
  155. // If we're 9x - close our handle to the vxd (this will unload the vxd from memory)
  156. //
  157. if (TRUE == bIsWin9X) {
  158. if (INVALID_HANDLE_VALUE != hDevice) {
  159. DetachFromEXVectorVXD(hDevice);
  160. }
  161. }
  163. return 0;
  164. }
  166. DWORD
  167. GetExeEntryPoint(LPSTR pszExePath)
  168. {
  169. PIMAGE_NT_HEADERS pHeaders;
  170. BOOL bResult;
  171. PCHAR pEXEBits = 0;
  172. DWORD dwEntry = 0;
  173. DWORD dwNumberBytesRead;
  174. HANDLE hFile = INVALID_HANDLE_VALUE;
  176. pEXEBits = (PCHAR)AllocMem(4096 * 1); //allocate a page for reading the PE entry point
  177. if (0 == pEXEBits) {
  178. return dwEntry;
  179. }
  181. hFile = CreateFileA(pszExePath,
  182. GENERIC_READ,
  183. FILE_SHARE_READ,
  184. 0,
  185. OPEN_EXISTING,
  186. FILE_ATTRIBUTE_NORMAL,
  187. 0);
  188. if (INVALID_HANDLE_VALUE == hFile) {
  189. goto handleerror;
  190. }
  192. bResult = ReadFile(hFile,
  193. pEXEBits,
  194. 4096, //read one page
  195. &dwNumberBytesRead,
  196. 0);
  197. if (FALSE == bResult) {
  198. goto handleerror;
  199. }
  201. //
  202. // Dig out the PE information
  203. //
  204. pHeaders = ImageNtHeader2((PVOID)pEXEBits);
  205. if (0 == pHeaders) {
  206. goto handleerror;
  207. }
  209. dwEntry = pHeaders->OptionalHeader.ImageBase + pHeaders->OptionalHeader.AddressOfEntryPoint;
  211. handleerror:
  213. if (pEXEBits) {
  214. FreeMem(pEXEBits);
  215. }
  217. if (INVALID_HANDLE_VALUE != hFile) {
  218. CloseHandle(hFile);
  219. }
  221. return dwEntry;
  222. }
  224. PIMAGE_NT_HEADERS
  225. ImageNtHeader2 (PVOID Base)
  226. {
  227. PIMAGE_NT_HEADERS NtHeaders = NULL;
  229. if (Base != NULL && Base != (PVOID)-1) {
  230. if (((PIMAGE_DOS_HEADER)Base)->e_magic == IMAGE_DOS_SIGNATURE) {
  231. NtHeaders = (PIMAGE_NT_HEADERS)((PCHAR)Base + ((PIMAGE_DOS_HEADER)Base)->e_lfanew);
  233. if (NtHeaders->Signature != IMAGE_NT_SIGNATURE) {
  234. NtHeaders = NULL;
  235. }
  236. }
  237. }
  239. return NtHeaders;
  240. }
  242. BOOL
  243. WINAPI
  244. DllMain (
  245. HINSTANCE hinstDLL,
  246. DWORD fdwReason,
  247. LPVOID lpvReserved)
  248. {
  249. PIMAGE_NT_HEADERS pHeaders;
  250. PVOID pBase = 0;
  251. DWORD dwEntryPoint;
  252. BOOL bResult = FALSE;
  254. //
  255. // Return true for everything coming through here
  256. //
  257. if (DLL_PROCESS_ATTACH == fdwReason) {
  258. //
  259. // Initialize my working heap
  260. //
  261. bResult = InitializeHeap();
  262. if (FALSE == bResult) {
  263. return FALSE;
  264. }
  266. //
  267. // Initialize the asm for the fixup return
  268. //
  270. //
  271. // Get the entry point from the headers
  272. //
  273. pBase = (PVOID)GetModuleHandle(0);
  274. if (0 == pBase) {
  275. return FALSE;
  276. }
  278. //
  279. // Dig out the PE information
  280. //
  281. pHeaders = ImageNtHeader2(pBase);
  282. if (0 == pHeaders) {
  283. return FALSE;
  284. }
  286. dwEntryPoint = pHeaders->OptionalHeader.ImageBase + pHeaders->OptionalHeader.AddressOfEntryPoint;
  288. //
  289. // Initialize stub asm for cleanup
  290. //
  291. g_fnFinalizeInjection[0] = 0x90; // int 3
  292. g_fnFinalizeInjection[1] = 0xff; // call dword ptr [xxxxxxxx] - RestoreImageFromInjection
  293. g_fnFinalizeInjection[2] = 0x15;
  294. *(DWORD *)(&(g_fnFinalizeInjection[3])) = (DWORD)g_fnFinalizeInjection + 50;
  295. g_fnFinalizeInjection[7] = 0x83;
  296. g_fnFinalizeInjection[8] = 0xc4;
  297. g_fnFinalizeInjection[9] = 0x04;
  298. g_fnFinalizeInjection[10] = 0x61;
  299. g_fnFinalizeInjection[11] = 0xa1;
  300. *(DWORD *)(&(g_fnFinalizeInjection[12])) = (DWORD)g_fnFinalizeInjection + 54;
  301. g_fnFinalizeInjection[16] = 0xff;
  302. g_fnFinalizeInjection[17] = 0xe0;
  304. *(DWORD *)(&(g_fnFinalizeInjection[50])) = (DWORD)RestoreImageFromInjection;
  305. *(DWORD *)(&(g_fnFinalizeInjection[54])) = dwEntryPoint;
  307. //
  308. // Initialize the call return code
  309. //
  310. g_dwCallArray[0] = (DWORD)PopCaller;
  311. g_dwCallArray[1] = (DWORD)g_fnFixupReturn;
  313. g_fnFixupReturn->PUSHAD = 0x60; //pushad (60)
  314. g_fnFixupReturn->PUSHFD = 0x9c; //pushfd (9c)
  315. g_fnFixupReturn->PUSHDWORDESPPLUS24[0] = 0xff; //push dword ptr [esp+24] (ff 74 24 24)
  316. g_fnFixupReturn->PUSHDWORDESPPLUS24[1] = 0x74;
  317. g_fnFixupReturn->PUSHDWORDESPPLUS24[2] = 0x24;
  318. g_fnFixupReturn->PUSHDWORDESPPLUS24[3] = 0x24;
  319. g_fnFixupReturn->CALLROUTINE[0] = 0xff; //call [address] (ff15 dword address)
  320. g_fnFixupReturn->CALLROUTINE[1] = 0x15;
  321. *(DWORD *)(&(g_fnFixupReturn->CALLROUTINE[2])) = (DWORD)&(g_dwCallArray[0]);
  322. g_fnFixupReturn->MOVESPPLUS24EAX[0] = 0x89; //mov [esp+0x24],eax (89 44 24 24)
  323. g_fnFixupReturn->MOVESPPLUS24EAX[1] = 0x44;
  324. g_fnFixupReturn->MOVESPPLUS24EAX[2] = 0x24;
  325. g_fnFixupReturn->MOVESPPLUS24EAX[3] = 0x24;
  326. g_fnFixupReturn->POPFD = 0x9d; //popfd (9d)
  327. g_fnFixupReturn->POPAD = 0x61; //popad (61)
  328. g_fnFixupReturn->RET = 0xc3; //ret (c3)
  330. //
  331. // Store the DLL base address
  332. //
  333. g_hProfileDLL = hinstDLL;
  334. }
  336. return TRUE;
  337. }
  339. BOOL
  340. InitializeProfiler(VOID)
  341. {
  342. BOOL bResult = TRUE;
  343. PIMAGE_NT_HEADERS pHeaders;
  344. PVOID pBase = 0;
  345. DWORD dwEntryPoint;
  346. PVIEWCHAIN pvTemp;
  348. //
  349. // Get the entry point from the headers
  350. //
  351. pBase = (PVOID)GetModuleHandle(0);
  352. if (0 == pBase) {
  353. return FALSE;
  354. }
  356. //
  357. // Dig out the PE information
  358. //
  359. pHeaders = ImageNtHeader2(pBase);
  360. if (0 == pHeaders) {
  361. return FALSE;
  362. }
  364. dwEntryPoint = pHeaders->OptionalHeader.ImageBase + pHeaders->OptionalHeader.AddressOfEntryPoint;
  366. //
  367. // Tag the entry point so it'll start profiling with the initial view
  368. //
  369. bResult = InitializeViewData();
  370. if (FALSE == bResult) {
  371. //
  372. // Something unexpected happened
  373. //
  374. ExitProcess(-1);
  375. }
  377. //
  378. // Initialize execution filter data
  379. //
  380. ZeroMemory(&g_execFilter, sizeof(CAPFILTER));
  382. //
  383. // Initialize thread context data
  384. //
  385. InitializeThreadData();
  387. //
  388. // Get the debug logging setup
  389. //
  390. bResult = InitializeDumpData();
  391. if (FALSE == bResult) {
  392. //
  393. // Something unexpected happened
  394. //
  395. ExitProcess(-1);
  396. }
  398. //
  399. // Initialize the module filtering
  400. //
  401. bResult = InitializeFilterList();
  402. if (FALSE == bResult) {
  403. //
  404. // Something unexpected happened
  405. //
  406. ExitProcess(-1);
  407. }
  409. //
  410. // Set up exception trap mechanism
  411. //
  412. bResult = HookUnchainableExceptionFilter();
  413. if (FALSE == bResult) {
  414. //
  415. // Something unexpected happened while chaining exception filter
  416. //
  417. ExitProcess(-1);
  418. }
  420. //
  421. // Fixup the module list now that everything is restored
  422. //
  423. //
  424. InitializeBaseHooks(g_hProfileDLL);
  426. //
  427. // Write out import table base info
  428. //
  429. bResult = WriteImportDLLTableInfo();
  430. if (FALSE == bResult) {
  431. ExitProcess(-1);
  432. }
  434. //
  435. // Add our entrypoint to the view monitor
  436. //
  437. pvTemp = AddViewToMonitor(dwEntryPoint,
  438. ThreadStart);
  439. if (0 == pvTemp) {
  440. ExitProcess(-1);
  441. }
  443. //
  444. // We're done
  445. //
  446. return TRUE;
  447. }
  449. BOOL
  450. WriteImportDLLTableInfo(VOID)
  451. {
  452. HANDLE hSnapshot = INVALID_HANDLE_VALUE;
  453. MODULEENTRY32 ModuleEntry32;
  454. BOOL bResult;
  456. hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,
  457. 0);
  458. if (INVALID_HANDLE_VALUE == hSnapshot) {
  459. return FALSE;
  460. }
  462. //
  463. // Walk the DLL imports
  464. //
  465. ModuleEntry32.dwSize = sizeof(ModuleEntry32);
  467. bResult = Module32First(hSnapshot,
  468. &ModuleEntry32);
  469. if (FALSE == bResult) {
  470. return bResult;
  471. }
  473. while(bResult) {
  474. //
  475. // Dump the module information to disk
  476. //
  478. if ((DWORD)(ModuleEntry32.modBaseAddr) != (DWORD)g_hProfileDLL) {
  479. bResult = WriteDllInfo(ModuleEntry32.szModule,
  480. (DWORD)(ModuleEntry32.modBaseAddr),
  481. (DWORD)(ModuleEntry32.modBaseSize));
  482. if (FALSE == bResult) {
  483. CloseHandle(hSnapshot);
  485. return FALSE;
  486. }
  487. }
  489. bResult = Module32Next(hSnapshot,
  490. &ModuleEntry32);
  491. }
  493. if (INVALID_HANDLE_VALUE != hSnapshot) {
  494. CloseHandle(hSnapshot);
  495. }
  497. return TRUE;
  498. }
  500. HANDLE
  501. AttachToEXVectorVXD(VOID)
  502. {
  503. HANDLE hFile;
  505. hFile = CreateFileA(NAME_OF_EXCEPTION_VXD,
  506. 0,
  507. 0,
  508. 0,
  509. 0,
  510. FILE_FLAG_DELETE_ON_CLOSE,
  511. 0);
  513. return hFile;
  514. }
  516. VOID
  517. DetachFromEXVectorVXD(HANDLE hDevice)
  518. {
  519. CloseHandle(hDevice);
  520. }