Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

352 lines
6.2 KiB

/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
sample.c
Abstract:
This module implements a sample application verifier provider
that hooks malloc/free from kernel32.dll and CloseHandle and
CreateEvent from kernel32.dll
Author:
Silviu Calinoiu (SilviuC) 2-Feb-2001
Revision History:
--*/
#include "pch.h"
#include <stdio.h>
#include <stdlib.h>
//
// Thunk replacements (should go into a header)
//
//WINBASEAPI
HANDLE
WINAPI
AVrfpCreateEventW(
IN LPSECURITY_ATTRIBUTES lpEventAttributes,
IN BOOL bManualReset,
IN BOOL bInitialState,
IN LPCWSTR lpName
);
//WINBASEAPI
BOOL
WINAPI
AVrfpCloseHandle(
IN OUT HANDLE hObject
);
PVOID __cdecl
AVrfp_malloc (
IN SIZE_T Size
);
PVOID __cdecl
AVrfp_realloc (
IN PVOID Address,
IN SIZE_T Size
);
VOID __cdecl
AVrfp_free (
IN PVOID Address
);
//
// Callbacks
//
VOID
AVrfpDllLoadCallback (
PWSTR DllName,
PVOID DllBase,
SIZE_T DllSize,
PVOID Reserved
);
VOID
AVrfpDllUnloadCallback (
PWSTR DllName,
PVOID DllBase,
SIZE_T DllSize,
PVOID Reserved
);
//
// kernel32.dll thunks
//
#define AVRF_INDEX_KERNEL32_CREATEEVENT 0
#define AVRF_INDEX_KERNEL32_CLOSEHANDLE 1
RTL_VERIFIER_THUNK_DESCRIPTOR AVrfpKernel32Thunks [] =
{
{"CreateEventW",
NULL,
AVrfpCreateEventW},
{"CloseHandle",
NULL,
AVrfpCloseHandle},
{NULL, NULL, NULL}
};
//
// msvcrt.dll thunks
//
#define AVRF_INDEX_MSVCRT_MALLOC 0
#define AVRF_INDEX_MSVCRT_FREE 1
RTL_VERIFIER_THUNK_DESCRIPTOR AVrfpMsvcrtThunks [] =
{
{"malloc",
NULL,
AVrfp_malloc},
{"free",
NULL,
AVrfp_free},
{NULL, NULL, NULL}
};
//
// dll's providing thunks that will be verified.
//
RTL_VERIFIER_DLL_DESCRIPTOR AVrfpExportDlls [] =
{
{L"kernel32.dll",
0,
NULL,
AVrfpKernel32Thunks},
{L"msvcrt.dll",
0,
NULL,
AVrfpMsvcrtThunks},
{NULL, 0, NULL, NULL}
};
RTL_VERIFIER_PROVIDER_DESCRIPTOR AVrfpProvider =
{
sizeof (RTL_VERIFIER_PROVIDER_DESCRIPTOR),
AVrfpExportDlls,
AVrfpDllLoadCallback,
AVrfpDllUnloadCallback,
NULL, // image name (filled by verifier engine)
0, // verifier flags (filled by verifier engine)
0, // debug flags (filled by verifier engine)
};
BOOL
WINAPI
DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved
)
{
switch (fdwReason) {
case DLL_PROCESS_VERIFIER:
DbgPrint ("AVRF: sample verifier provider descriptor @ %p\n",
&AVrfpProvider);
*((PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)lpvReserved) = &AVrfpProvider;
break;
case DLL_PROCESS_ATTACH:
DbgPrint ("AVRF: sample verifier provider initialized \n");
#if 1
malloc (1000);
{
FILE * File;
File = fopen ("_xxx_", "wt");
if (File) {
fputs ("This works.\n", File);
fclose (File);
}
}
#endif
break;
default:
break;
}
return TRUE;
}
PRTL_VERIFIER_THUNK_DESCRIPTOR
AVrfpGetThunkDescriptor (
PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks,
ULONG Index)
{
PRTL_VERIFIER_THUNK_DESCRIPTOR Thunk = NULL;
Thunk = &(DllThunks[Index]);
if (Thunk->ThunkOldAddress == NULL) {
//
// We shuld always have the original thunk address.
// This gets filed by the verifier support in the NT loader.
//
DbgPrint ("AVRF: no original thunk for %s @ %p \n",
Thunk->ThunkName,
Thunk);
DbgBreakPoint ();
}
return Thunk;
}
#define AVRFP_GET_ORIGINAL_EXPORT(DllThunks, Index) \
(FUNCTION_TYPE)(AVrfpGetThunkDescriptor(DllThunks, Index)->ThunkOldAddress)
//
// Callbacks
//
VOID
AVrfpDllLoadCallback (
PWSTR DllName,
PVOID DllBase,
SIZE_T DllSize,
PVOID Reserved
)
{
DbgPrint (" --- loading %ws \n", DllName);
}
VOID
AVrfpDllUnloadCallback (
PWSTR DllName,
PVOID DllBase,
SIZE_T DllSize,
PVOID Reserved
)
{
DbgPrint (" --- unloading %ws \n", DllName);
}
/////////////////////////////////////////////////////////////////////
///////////////////////////////////////// msvcrt.dll verified exports
/////////////////////////////////////////////////////////////////////
//WINBASEAPI
HANDLE
WINAPI
AVrfpCreateEventW(
IN LPSECURITY_ATTRIBUTES lpEventAttributes,
IN BOOL bManualReset,
IN BOOL bInitialState,
IN LPCWSTR lpName
)
{
typedef HANDLE (WINAPI * FUNCTION_TYPE) (LPSECURITY_ATTRIBUTES, BOOL, BOOL, LPCWSTR);
FUNCTION_TYPE Function;
Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
AVRF_INDEX_KERNEL32_CREATEEVENT);
return (* Function)(lpEventAttributes,
bManualReset,
bInitialState,
lpName);
}
//WINBASEAPI
BOOL
WINAPI
AVrfpCloseHandle(
IN OUT HANDLE hObject
)
{
typedef BOOL (WINAPI * FUNCTION_TYPE) (HANDLE);
FUNCTION_TYPE Function;
Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpKernel32Thunks,
AVRF_INDEX_KERNEL32_CLOSEHANDLE);
if (hObject == NULL) {
DbgPrint ("AVRF: sample: Closing a null handle !!! \n");
}
return (* Function)(hObject);
}
/////////////////////////////////////////////////////////////////////
///////////////////////////////////////// msvcrt.dll verified exports
/////////////////////////////////////////////////////////////////////
PVOID __cdecl
AVrfp_malloc (
IN SIZE_T Size
)
{
typedef PVOID (__cdecl * FUNCTION_TYPE) (SIZE_T);
FUNCTION_TYPE Function;
Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpMsvcrtThunks,
AVRF_INDEX_MSVCRT_MALLOC);
return (* Function)(Size);
}
VOID __cdecl
AVrfp_free (
IN PVOID Address
)
{
typedef VOID (__cdecl * FUNCTION_TYPE) (PVOID);
FUNCTION_TYPE Function;
Function = AVRFP_GET_ORIGINAL_EXPORT (AVrfpMsvcrtThunks,
AVRF_INDEX_MSVCRT_FREE);
(* Function)(Address);
}