Source code of Windows XP (NT5)
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
/*++
Copyright (c) 2000 Microsoft Corporation
Module Name:
KingsQuestMask.cpp
Abstract:
The app calls UnmapViewOfFile with a bogus address - an address that wasn't obtained from MapViewOfFile. We validate the address before calling UnmapViewOfFile.
History:
11/20/2000 maonis Created
--*/
#include "precomp.h"
typedef BOOL (WINAPI *_pfn_UnmapViewOfFile)(LPCVOID lpBaseAddress);
IMPLEMENT_SHIM_BEGIN(KingsQuestMask) #include "ShimHookMacro.h"
APIHOOK_ENUM_BEGIN APIHOOK_ENUM_ENTRY(MapViewOfFile) APIHOOK_ENUM_ENTRY(UnmapViewOfFile) APIHOOK_ENUM_END
// Link list of base addresses
struct MAPADDRESS { MAPADDRESS *next; LPCVOID pBaseAddress; }; MAPADDRESS *g_pBaseAddressList;
/*++
Function Description:
Add a base address to the linked list of addresses. Does not add if the address is NULL or a duplicate.
Arguments:
IN pBaseAddress - base address returned by MapViewOfFile.
Return Value:
None
History:
11/20/2000 maonis Created
--*/
VOID AddBaseAddress( IN LPCVOID pBaseAddress ) { if (pBaseAddress) { MAPADDRESS *pMapAddress = g_pBaseAddressList; while (pMapAddress) { if (pMapAddress->pBaseAddress == pBaseAddress) { return; } pMapAddress = pMapAddress->next; }
pMapAddress = (MAPADDRESS *) malloc(sizeof MAPADDRESS);
pMapAddress->pBaseAddress = pBaseAddress; pMapAddress->next = g_pBaseAddressList; g_pBaseAddressList = pMapAddress; } }
/*++
Function Description:
Remove a base address if it can be found in the linked list of addresses.
Arguments:
IN pBaseAddress - the base address to remove.
Return Value:
TRUE if the address is found. FALSE if the address is not found.
History:
11/20/2000 maonis Created
--*/
BOOL RemoveBaseAddress( IN LPCVOID pBaseAddress ) { MAPADDRESS *pMapAddress = g_pBaseAddressList; MAPADDRESS *last = NULL; while (pMapAddress) { if (pMapAddress->pBaseAddress == pBaseAddress) { if (last) { last->next = pMapAddress->next; } else { g_pBaseAddressList = pMapAddress->next; } free(pMapAddress);
return TRUE; } last = pMapAddress; pMapAddress = pMapAddress->next; }
return FALSE; }
/*++
Add the base address to our list. --*/
LPVOID APIHOOK(MapViewOfFile)( HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow, SIZE_T dwNumberOfBytesToMap ) { LPVOID pRet = ORIGINAL_API(MapViewOfFile)( hFileMappingObject, dwDesiredAccess, dwFileOffsetHigh, dwFileOffsetLow, dwNumberOfBytesToMap);
AddBaseAddress(pRet);
DPFN( eDbgLevelInfo, "MapViewOfFile: added base address = 0x%x\n", pRet);
return pRet; }
/*++
Remove the address from our list if it can be found; otherwise do nothing.
--*/
BOOL APIHOOK(UnmapViewOfFile)( LPCVOID lpBaseAddress ) { BOOL bRet;
if (RemoveBaseAddress(lpBaseAddress)) { bRet = ORIGINAL_API(UnmapViewOfFile)(lpBaseAddress); if (bRet) { DPFN( eDbgLevelInfo, "UnmapViewOfFile unmapped address 0x%x\n", lpBaseAddress); }
return bRet; } else { DPFN( eDbgLevelError,"UnmapViewOfFile was passed an invalid address 0x%x\n", lpBaseAddress); return FALSE; } }
/*++
Free the list.
--*/
BOOL NOTIFY_FUNCTION( DWORD fdwReason) { if (fdwReason == DLL_PROCESS_DETACH) { DWORD dwCount = 0; MAPADDRESS *pMapAddress = g_pBaseAddressList; while (pMapAddress) { g_pBaseAddressList = pMapAddress->next; ORIGINAL_API(UnmapViewOfFile)(pMapAddress->pBaseAddress); free(pMapAddress); pMapAddress = g_pBaseAddressList; dwCount++; } if (dwCount > 0) { DPFN( eDbgLevelInfo,"%d addresses not unmapped.", dwCount); } }
return TRUE; }
/*++
Register hooked functions
--*/
HOOK_BEGIN APIHOOK_ENTRY(KERNEL32.DLL, MapViewOfFile) APIHOOK_ENTRY(KERNEL32.DLL, UnmapViewOfFile) CALL_NOTIFY_FUNCTION HOOK_END
IMPLEMENT_SHIM_END
|