mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
314 lines
8.1 KiB
314 lines
8.1 KiB
#include <windows.h>
|
|
#include <stdlib.h>
|
|
#include <psapi.h>
|
|
#include <tlhelp32.h>
|
|
#include <imagehlp.h>
|
|
#include <stdio.h>
|
|
#include "shimdb.h"
|
|
#include "shim2.h"
|
|
#include "hooks.h"
|
|
#include "dump.h"
|
|
#include "view.h"
|
|
#include "filter.h"
|
|
#include "except.h"
|
|
#include "profiler.h"
|
|
|
|
//
|
|
// API hook externs
|
|
//
|
|
extern BOOL g_bIsWin9X;
|
|
extern HANDLE g_hSnapshot;
|
|
extern HANDLE g_hValidationSnapshot;
|
|
extern LONG g_nShimDllCount;
|
|
extern LONG g_nHookedModuleCount;
|
|
extern HMODULE g_hHookedModules[MAX_MODULES];
|
|
extern HMODULE g_hShimDlls[MAX_MODULES];
|
|
extern PHOOKAPI g_rgpHookAPIs[MAX_MODULES];
|
|
extern LONG g_rgnHookAPICount[MAX_MODULES];
|
|
|
|
//
|
|
// Global array of hooked functions
|
|
//
|
|
HOOKAPI g_rgBaseHookAPIs[SHIM_BASE_APIHOOK_COUNT];
|
|
|
|
PVOID StubGetProcAddress(
|
|
HMODULE hMod,
|
|
char* pszProc)
|
|
{
|
|
char szModName[MAX_PATH];
|
|
char* pszShortName;
|
|
UINT ind;
|
|
DWORD dwSize;
|
|
PVOID pfn;
|
|
LONG i,j;
|
|
PHOOKAPI pTopHookAPI = NULL;
|
|
|
|
PFNGETPROCADDRESS pfnOld;
|
|
pfnOld = g_rgBaseHookAPIs[ hookGetProcAddress ].pfnOld;
|
|
|
|
if( pfn = (*pfnOld)(hMod, pszProc) )
|
|
{
|
|
for (i = 0; i < g_nShimDllCount; i++)
|
|
{
|
|
for (j = 0; j < g_rgnHookAPICount[i]; j++)
|
|
{
|
|
if( g_rgpHookAPIs[i][j].pfnOld == pfn)
|
|
{
|
|
pTopHookAPI = ConstructChain( pfn, &dwSize );
|
|
//maybe use the include exclude function here as well
|
|
return pTopHookAPI->pfnNew;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return pfn;
|
|
} // StubGetProcAddress
|
|
|
|
HMODULE StubLoadLibraryA(
|
|
LPCSTR pszModule)
|
|
{
|
|
HMODULE hMod;
|
|
PFNLOADLIBRARYA pfnOld;
|
|
PIMAGE_NT_HEADERS pHeaders;
|
|
|
|
pfnOld = g_rgBaseHookAPIs[ hookLoadLibraryA ].pfnOld;
|
|
hMod = (*pfnOld)(pszModule);
|
|
|
|
if (hMod != NULL) {
|
|
RefreshFilterList();
|
|
|
|
Shim2PatchNewModules();
|
|
|
|
//
|
|
// Rescan DLLs and add updated base information
|
|
//
|
|
WriteImportDLLTableInfo();
|
|
}
|
|
|
|
return hMod;
|
|
} // StubLoadLibraryA
|
|
|
|
HMODULE StubLoadLibraryW(
|
|
WCHAR* pwszModule)
|
|
{
|
|
HMODULE hMod;
|
|
CHAR szModuleName[MAX_PATH];
|
|
PIMAGE_NT_HEADERS pHeaders;
|
|
INT nResult;
|
|
|
|
PFNLOADLIBRARYW pfnOld;
|
|
pfnOld = g_rgBaseHookAPIs[ hookLoadLibraryW ].pfnOld;
|
|
|
|
hMod = (*pfnOld)(pwszModule);
|
|
|
|
if (hMod != NULL) {
|
|
RefreshFilterList();
|
|
|
|
Shim2PatchNewModules();
|
|
|
|
|
|
//
|
|
// Rescan DLLs and add updated base information
|
|
//
|
|
WriteImportDLLTableInfo();
|
|
}
|
|
|
|
return hMod;
|
|
} // StubLoadLibraryW
|
|
|
|
HMODULE StubLoadLibraryExA(
|
|
LPCSTR pszModule,
|
|
HANDLE hFile,
|
|
DWORD dwFlags)
|
|
{
|
|
HMODULE hMod;
|
|
PFNLOADLIBRARYEXA pfnOld;
|
|
PIMAGE_NT_HEADERS pHeaders;
|
|
|
|
pfnOld = g_rgBaseHookAPIs[ hookLoadLibraryExA ].pfnOld;
|
|
hMod = (*pfnOld)(pszModule, hFile, dwFlags);
|
|
|
|
if (hMod != NULL) {
|
|
RefreshFilterList();
|
|
|
|
Shim2PatchNewModules();
|
|
|
|
//
|
|
// Rescan DLLs and add updated base information
|
|
//
|
|
WriteImportDLLTableInfo();
|
|
}
|
|
|
|
return hMod;
|
|
} // StubLoadLibraryExA
|
|
|
|
HMODULE StubLoadLibraryExW(
|
|
WCHAR* pwszModule,
|
|
HANDLE hFile,
|
|
DWORD dwFlags)
|
|
{
|
|
HMODULE hMod;
|
|
PIMAGE_NT_HEADERS pHeaders;
|
|
INT nResult;
|
|
|
|
PFNLOADLIBRARYEXW pfnOld;
|
|
pfnOld = g_rgBaseHookAPIs[ hookLoadLibraryExW ].pfnOld;
|
|
|
|
hMod = (*pfnOld)(pwszModule, hFile, dwFlags);
|
|
|
|
if (hMod != NULL) {
|
|
RefreshFilterList();
|
|
|
|
Shim2PatchNewModules();
|
|
|
|
//
|
|
// Rescan DLLs and add updated base information
|
|
//
|
|
WriteImportDLLTableInfo();
|
|
}
|
|
|
|
return hMod;
|
|
} // StubLoadLibraryExW
|
|
|
|
BOOL StubFreeLibrary(
|
|
HMODULE hLibModule // handle to loaded library module
|
|
)
|
|
{
|
|
BOOL bRet, bFound;
|
|
PFNFREELIBRARY pfnOld;
|
|
MODULEENTRY32 ModuleEntry32;
|
|
long i, j;
|
|
|
|
pfnOld = (PFNFREELIBRARY) g_rgBaseHookAPIs[ hookFreeLibrary ].pfnOld;
|
|
|
|
bRet = (*pfnOld)(hLibModule);
|
|
|
|
g_hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, 0 );
|
|
|
|
ModuleEntry32.dwSize = sizeof( ModuleEntry32 );
|
|
for( i = 0; i < g_nHookedModuleCount; i++ )
|
|
{
|
|
bFound = FALSE;
|
|
bRet = Module32First( g_hSnapshot, &ModuleEntry32 );
|
|
|
|
while( bRet )
|
|
{
|
|
if( g_hHookedModules[i] == ModuleEntry32.hModule )
|
|
{
|
|
bFound = TRUE;
|
|
break;
|
|
}
|
|
bRet = Module32Next( g_hSnapshot, &ModuleEntry32 );
|
|
}
|
|
|
|
if( ! bFound )
|
|
{
|
|
// Take out of list
|
|
for( j = i; j < g_nHookedModuleCount - 1; j++ )
|
|
g_hHookedModules[j] = g_hHookedModules[j+1];
|
|
|
|
g_hHookedModules[j] = NULL;
|
|
g_nHookedModuleCount--;
|
|
}
|
|
}
|
|
|
|
if( g_hSnapshot )
|
|
{
|
|
CloseHandle( g_hSnapshot );
|
|
g_hSnapshot = NULL;
|
|
}
|
|
|
|
return bRet;
|
|
}
|
|
|
|
VOID StubExitProcess(UINT uExitCode)
|
|
{
|
|
PFNEXITPROCESS pfnOld;
|
|
|
|
//
|
|
// Process is terminating - flush ourselves
|
|
//
|
|
FlushForTermination();
|
|
|
|
pfnOld = g_rgBaseHookAPIs[ hookExitProcess ].pfnOld;
|
|
(*pfnOld)(uExitCode);
|
|
} // StubExitProcess
|
|
|
|
HANDLE StubCreateThread(
|
|
LPSECURITY_ATTRIBUTES lpThreadAttributes,
|
|
DWORD dwStackSize,
|
|
LPTHREAD_START_ROUTINE lpStartAddress,
|
|
LPVOID lpParameter,
|
|
DWORD dwCreationFlags,
|
|
LPDWORD lpThreadId)
|
|
{
|
|
PFNCREATETHREAD pfnOld;
|
|
PVIEWCHAIN pvTemp;
|
|
|
|
pfnOld = g_rgBaseHookAPIs[ hookCreateThread ].pfnOld;
|
|
|
|
//
|
|
// Add a mapping breakpoint for the thread entrypoint
|
|
//
|
|
pvTemp = AddViewToMonitor((DWORD)lpStartAddress,
|
|
ThreadStart);
|
|
|
|
return (*pfnOld)(lpThreadAttributes,
|
|
dwStackSize,
|
|
lpStartAddress,
|
|
lpParameter,
|
|
dwCreationFlags,
|
|
lpThreadId);
|
|
} // StubCreateThread
|
|
|
|
VOID
|
|
InitializeBaseHooks(HINSTANCE hInstance)
|
|
{
|
|
g_hSnapshot = NULL;
|
|
g_hValidationSnapshot = NULL;
|
|
|
|
g_nShimDllCount = 0;
|
|
g_nHookedModuleCount = 0;
|
|
ZeroMemory( g_hHookedModules, sizeof( g_hHookedModules ) );
|
|
ZeroMemory( g_hShimDlls, sizeof( g_hShimDlls ) );
|
|
ZeroMemory( g_rgpHookAPIs, sizeof( g_rgpHookAPIs ) );
|
|
ZeroMemory( g_rgnHookAPICount, sizeof( g_rgnHookAPICount ) );
|
|
ZeroMemory( g_rgBaseHookAPIs, sizeof( g_rgBaseHookAPIs ) );
|
|
|
|
g_rgBaseHookAPIs[ hookGetProcAddress ].pszModule = "kernel32.dll";
|
|
g_rgBaseHookAPIs[ hookGetProcAddress ].pszFunctionName = "GetProcAddress";
|
|
g_rgBaseHookAPIs[ hookGetProcAddress ].pfnNew = (PVOID)StubGetProcAddress;
|
|
|
|
g_rgBaseHookAPIs[ hookLoadLibraryA ].pszModule = "kernel32.dll";
|
|
g_rgBaseHookAPIs[ hookLoadLibraryA ].pszFunctionName = "LoadLibraryA";
|
|
g_rgBaseHookAPIs[ hookLoadLibraryA ].pfnNew = (PVOID)StubLoadLibraryA;
|
|
|
|
g_rgBaseHookAPIs[ hookLoadLibraryW ].pszModule = "kernel32.dll";
|
|
g_rgBaseHookAPIs[ hookLoadLibraryW ].pszFunctionName = "LoadLibraryW";
|
|
g_rgBaseHookAPIs[ hookLoadLibraryW ].pfnNew = (PVOID)StubLoadLibraryW;
|
|
|
|
g_rgBaseHookAPIs[ hookLoadLibraryExA ].pszModule = "kernel32.dll";
|
|
g_rgBaseHookAPIs[ hookLoadLibraryExA ].pszFunctionName = "LoadLibraryExA";
|
|
g_rgBaseHookAPIs[ hookLoadLibraryExA ].pfnNew = (PVOID)StubLoadLibraryExA;
|
|
|
|
g_rgBaseHookAPIs[ hookLoadLibraryExW ].pszModule = "kernel32.dll";
|
|
g_rgBaseHookAPIs[ hookLoadLibraryExW ].pszFunctionName = "LoadLibraryExW";
|
|
g_rgBaseHookAPIs[ hookLoadLibraryExW ].pfnNew = (PVOID)StubLoadLibraryExW;
|
|
|
|
g_rgBaseHookAPIs[ hookFreeLibrary ].pszModule = "kernel32.dll";
|
|
g_rgBaseHookAPIs[ hookFreeLibrary ].pszFunctionName = "FreeLibrary";
|
|
g_rgBaseHookAPIs[ hookFreeLibrary ].pfnNew = (PVOID)StubFreeLibrary;
|
|
|
|
g_rgBaseHookAPIs[ hookExitProcess ].pszModule = "kernel32.dll";
|
|
g_rgBaseHookAPIs[ hookExitProcess ].pszFunctionName = "ExitProcess";
|
|
g_rgBaseHookAPIs[ hookExitProcess ].pfnNew = (PVOID)StubExitProcess;
|
|
|
|
g_rgBaseHookAPIs[ hookCreateThread ].pszModule = "kernel32.dll";
|
|
g_rgBaseHookAPIs[ hookCreateThread ].pszFunctionName = "CreateThread";
|
|
g_rgBaseHookAPIs[ hookCreateThread ].pfnNew = (PVOID)StubCreateThread;
|
|
|
|
AddHookAPIs(hInstance, g_rgBaseHookAPIs, SHIM_BASE_APIHOOK_COUNT, NULL);
|
|
|
|
Shim2PatchNewModules();
|
|
}
|