archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/windows/appcompat/shims/specific/safedisc.cpp

199 lines
5.2 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 2001 Microsoft Corporation
  5. Module Name:
  7. SafeDisc.cpp
  9. Abstract:
  11. Some versions of SafeDisc try to validate kernel32 by checking if certain
  12. APIs fall within a particular area in the PE image. Our BBT process moves
  13. everything around and therefore breaks their checks.
  15. This shim can be used to fix this problems by effectively moving the entry
  16. point of the APIs they test to a jump table located in a 'valid' location.
  18. The valid location itself is an API that isn't used, but does happen to lie
  19. before the export directory.
  21. Notes:
  23. This is an app specific shim.
  25. History:
  27. 06/15/2001 linstev Created
  29. --*/
  31. #include "precomp.h"
  33. IMPLEMENT_SHIM_BEGIN(SafeDisc)
  35. #include "ShimHookMacro.h"
  37. APIHOOK_ENUM_BEGIN
  38. APIHOOK_ENUM_END
  40. #pragma pack(1)
  42. //
  43. // Random API used as a placeholder for a jump table. It's offset must be less
  44. // than the export directory. Also, since it's overwritten with a jump table,
  45. // it should not be an API that is used.
  46. //
  47. CHAR *g_szRandomAPI = "CreateMailslotA";
  49. struct HOOK {
  50. CHAR *szName;
  51. FARPROC lpAddress;
  52. };
  53. HOOK g_aHooks[] = {
  54. { "ReadProcessMemory" , 0 },
  55. { "WriteProcessMemory" , 0 },
  56. { "VirtualProtect" , 0 },
  57. { "CreateProcessA" , 0 },
  58. { "CreateProcessW" , 0 },
  59. { "GetStartupInfoA" , 0 },
  60. { "GetStartupInfoW" , 0 },
  61. { "GetSystemTime" , 0 },
  62. { "GetSystemTimeAsFileTime" , 0 },
  63. { "TerminateProcess" , 0 },
  64. { "Sleep" , 0 }
  65. };
  66. DWORD g_dwHookCount = sizeof(g_aHooks) / sizeof(HOOK);
  68. BOOL Patch()
  69. {
  70. //
  71. // Get the kernel32 image base
  72. //
  73. HMODULE hKernel = GetModuleHandleW(L"kernel32");
  74. if (!hKernel) {
  75. goto Fail;
  76. }
  78. //
  79. // Get the address of the semi-random API where we'll put our jump table
  80. //
  81. FARPROC lpRandomAPI = GetProcAddress(hKernel, g_szRandomAPI);
  83. //
  84. // Get the export directory
  85. //
  86. PIMAGE_DOS_HEADER pIDH = (PIMAGE_DOS_HEADER) hKernel;
  87. PIMAGE_NT_HEADERS pINTH = (PIMAGE_NT_HEADERS)((LPBYTE) hKernel + pIDH->e_lfanew);
  88. DWORD dwExportOffset = pINTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
  89. PIMAGE_EXPORT_DIRECTORY lpExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((DWORD_PTR)hKernel + dwExportOffset);
  91. //
  92. // Write out the jump table
  93. //
  94. LPBYTE lpCurrAPI = (LPBYTE) lpRandomAPI;
  95. for (UINT i=0; i<g_dwHookCount; i++) {
  96. //
  97. // Loop through each API and create a jump table entry for it
  98. //
  99. DWORD dwAPIOffset;
  101. g_aHooks[i].lpAddress = GetProcAddress(hKernel, g_aHooks[i].szName);
  102. dwAPIOffset = (DWORD)((DWORD_PTR) g_aHooks[i].lpAddress - (DWORD_PTR) hKernel);
  104. //
  105. // This API will cause problems for SafeDisc if it's after the export directory
  106. //
  107. if (dwAPIOffset > dwExportOffset) {
  108. //
  109. // Each jump table entry has the form: jmp dword ptr [address]
  110. //
  111. struct PATCH {
  112. WORD wJump;
  113. DWORD dwAddress;
  114. };
  115. PATCH patch = { 0x25FF, (DWORD_PTR)&g_aHooks[i].lpAddress };
  116. DWORD dwOldProtect;
  118. DPF("SafeDisc", eDbgLevelWarning, "API %s is being redirected", g_aHooks[i].szName);
  120. //
  121. // Write the jump table entry
  122. //
  123. if (!VirtualProtect(lpCurrAPI, sizeof(PATCH), PAGE_READWRITE, &dwOldProtect)) {
  124. goto Fail;
  125. }
  127. MoveMemory(lpCurrAPI, &patch, sizeof(PATCH));
  129. if (!VirtualProtect(lpCurrAPI, sizeof(PATCH), dwOldProtect, &dwOldProtect)) {
  130. goto Fail;
  131. }
  133. //
  134. // Now patch the export directory
  135. //
  136. LPDWORD lpExportList = (LPDWORD)((DWORD_PTR) hKernel + lpExportDirectory->AddressOfFunctions);
  137. for (UINT j=0; j<lpExportDirectory->NumberOfFunctions; j++) {
  138. if (*lpExportList == dwAPIOffset) {
  139. //
  140. // We've found the offset in the export directory, so patch it with the
  141. // new address
  142. //
  143. DWORD dwNewAPIOffset = (DWORD)((DWORD_PTR) lpCurrAPI - (DWORD_PTR) hKernel);
  145. if (!VirtualProtect(lpExportList, sizeof(DWORD), PAGE_READWRITE, &dwOldProtect)) {
  146. goto Fail;
  147. }
  149. MoveMemory(lpExportList, &dwNewAPIOffset, sizeof(DWORD));
  151. if (!VirtualProtect(lpExportList, sizeof(DWORD), dwOldProtect, &dwOldProtect)) {
  152. goto Fail;
  153. }
  154. break;
  155. }
  156. lpExportList++;
  157. }
  159. lpCurrAPI += sizeof(PATCH);
  160. }
  161. }
  164. return TRUE;
  166. Fail:
  168. return FALSE;
  169. }
  171. /*++
  173. Register hooked functions
  175. --*/
  177. BOOL
  178. NOTIFY_FUNCTION(
  179. DWORD fdwReason)
  180. {
  181. if (fdwReason == DLL_PROCESS_ATTACH) {
  182. CHAR *lpCommandLine = COMMAND_LINE;
  184. if (lpCommandLine && (*lpCommandLine != '\0')) {
  185. g_szRandomAPI = lpCommandLine;
  186. }
  188. Patch();
  189. }
  191. return TRUE;
  192. }
  194. HOOK_BEGIN
  195. CALL_NOTIFY_FUNCTION
  196. HOOK_END
  198. IMPLEMENT_SHIM_END