//+--------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1993-1998
//
// File: ldrapeng.h
//
// Contents: App compat backend code
//
// History: 13-Oct-99 v-johnwh created
//
//---------------------------------------------------------------------------
#ifndef _SHIMENG_VEH_H_
#define _SHIMENG_VEH_H_
typedef struct _SETACTIVATEADDRESS {
    // Patch-data header. The target is expressed as a module-relative
    // address (RELATIVE_MODULE_ADDRESS is declared elsewhere); judging by its
    // signature, SevGetPatchAddress() below turns it into an absolute
    // 32-bit address -- confirm in the implementation.
    RELATIVE_MODULE_ADDRESS rva; // relative address where this patch data is to be applied.
} SETACTIVATEADDRESS, *PSETACTIVATEADDRESS;
typedef struct _HOOKPATCHINFO {
    // Per-hook record for a patch-style hook (compare HOOKAPIINFO for API
    // hooks); records are singly linked through pNextHook.
    DWORD dwHookAddress; // Address of a hooked function (DWORD: this header is 32-bit x86 only)
    PSETACTIVATEADDRESS pData; // Pointer to the real patch data
    PVOID pThunkAddress; // Pointer to the call thunk
    struct _HOOKPATCHINFO* pNextHook; // next record in the list
} HOOKPATCHINFO, *PHOOKPATCHINFO;
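//
// Flags used in the shim HOOKAPIs to track chaining
//
// The two high bits of a hook index word are flag bits; the remaining
// bits carry the index itself. HOOK_INDEX_MASK is fully parenthesised so
// it expands safely in any expression context (macro hygiene, CERT PRE01-C);
// its value is unchanged.
//
#define HOOK_CHAIN_TOP 0x40000000 // flag bit: hook sits at the top of its chain
#define HOOK_CHAINED 0x80000000 // flag bit: hook has been chained
#define HOOK_INDEX_MASK (~(HOOK_CHAINED | HOOK_CHAIN_TOP)) // clears both flag bits, leaving the index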
//
// x86 opcodes and sizes used in the thunk generation process
//
// 32-bit x86 instruction encodings and lengths that the thunk builder
// writes into the target process; the header is x86-only.
//
// NOTE(review): REASON_APIHOOK / REASON_PATCHHOOK (0xFA / 0xFB) coincide with
// the CLI / STI opcodes, and CLI_OR_STI_SIZE is defined alongside them.
// Together with the jReason parameter of SevFinishThunkInjection() and the
// SevExceptionHandler() prototype this suggests the planted byte itself is a
// privileged instruction whose fault is caught by the exception handler and
// dispatched on the reason byte -- confirm in the implementation.
//
#define CLI_OR_STI_SIZE 1 // CLI / STI are single-byte instructions
#define CALL_REL_SIZE 5 // CALL rel32: 1 opcode byte + 4-byte displacement
#define JMP_SIZE 7 // JMP ptr16:32: 1 opcode byte + 4-byte offset + 2-byte selector
#define X86_ABSOLUTE_FAR_JUMP 0xEA // JMP ptr16:32 (absolute far jump)
#define X86_REL_CALL_OPCODE 0xE8 // CALL rel32 (relative near call)
#define X86_CALL_OPCODE 0xFF // first byte of CALL r/m32 ...
#define X86_CALL_OPCODE2 0x15 // ... ModRM /2 with disp32: CALL [abs32], 6 bytes in total (see SHIMJMP.CALLROUTINE)
#define REASON_APIHOOK 0xFA // jReason value for an API hook (also the CLI opcode)
#define REASON_PATCHHOOK 0xFB // jReason value for a patch hook (also the STI opcode)
//
// Flags used in maintaining state information about our module/DLL filtering
//
// Bit flags for MODULEFILTER.dwFlags (declared below). The bits are
// distinct and may be combined; the meanings noted are taken from the names.
//
#define MODFILTER_INCLUDE 0x01 // entry includes the module
#define MODFILTER_EXCLUDE 0x02 // entry excludes the module
#define MODFILTER_DLL 0x04 // entry describes a DLL
#define MODFILTER_GLOBAL 0x08 // entry applies globally (see SevValidateGlobalFilter)
typedef struct _MODULEFILTER
{
    // One entry of the module/DLL filter list (flags: MODFILTER_*). Entries
    // sit on two independent singly linked lists: pNextFilter for the normal
    // walk and pNextLBFilter for late-bound DLLs. Addresses are DWORDs, i.e.
    // this layout is 32-bit x86 only.
    DWORD dwModuleStart; // Starting address of the module to filter
    DWORD dwModuleEnd; // Ending address of the module to filter
    DWORD dwCallerOffset; // Offset added to beginning of module to form the caller's address
    DWORD dwCallerAddress; // Caller address to operate upon
    DWORD dwFlags; // Flags which define what this filter does (MODFILTER_*)
    WCHAR wszModuleName[96]; // module name; capacity is 96 WCHARs, not bytes -- every write must be bounded to that and NUL-terminated
    struct _MODULEFILTER *pNextFilter; // Used to iterate the module filter normally
    struct _MODULEFILTER *pNextLBFilter; // Used to iterate the late bound DLLs
} MODULEFILTER, *PMODULEFILTER;
typedef struct _CHAININFO
{
    // Node of the caller chain. The field names match the parameters of
    // SevPushCaller(pAPIAddress, pReturnAddress) and the PVOID result of
    // SevPopCaller() declared below, so this is presumably the record those
    // routines push and pop -- confirm in the implementation.
    PVOID pAPI; // address of the hooked API this record belongs to
    PVOID pReturn; // return address recorded for the call
    struct _CHAININFO *pNextChain; // next (older) node in the chain
} CHAININFO, *PCHAININFO;
typedef struct _HOOKAPIINFO
{
    // Per-hook record for an API hook (compare HOOKPATCHINFO for patch
    // hooks); records are doubly linked via pNextHook / pPrevHook.
    DWORD dwAPIHookAddress; // Address of a hooked function (DWORD: 32-bit x86 only)
    PHOOKAPI pTopLevelAPIChain; // Top level hook address (HOOKAPI is declared elsewhere; see SevChainAPIHook)
    PVOID pCallThunkAddress; // call thunk for this hook (SevFilterCaller takes a parameter of the same name)
    WCHAR wszModuleName[32]; // module name; capacity is 32 WCHARs, not bytes -- every write must be bounded to that and NUL-terminated
    struct _HOOKAPIINFO *pNextHook; // next record
    struct _HOOKAPIINFO *pPrevHook; // previous record
} HOOKAPIINFO, *PHOOKAPIINFO;
#pragma pack(push, 1)
typedef struct _SHIMJMP
{
    // Byte-exact image of the x86 entry thunk the engine emits. It is
    // wrapped in #pragma pack(push, 1), so the fields are consecutive
    // instruction bytes in execution order and sizeof(SHIMJMP) == 29. The
    // bracketed values are the encodings the emitter is expected to store.
    //
    // As encoded: pushad saves the eight GPRs (32 bytes; the saved EAX is
    // at [esp+0x1c]); ebp captures that frame; a 32-bit immediate and the
    // address ebp+0x20 (first dword above the saved registers) are pushed
    // as two arguments; an absolute indirect call enters a routine; its EAX
    // result is stored into the saved-EAX slot so popad hands it back in
    // EAX; one dword is then dropped from the entry stack and jmp eax leaves.
    // NOTE(review): "mov [esp+0x1c],eax" only hits the saved-EAX slot if the
    // callee removed its own two arguments (stdcall). Which routine is called
    // and what the immediate means is decided by the emitter -- confirm there.
    BYTE PUSHAD; //pushad (60)
    BYTE MOVEBPESP[2]; //mov ebp, esp (8b, ec)
    BYTE MOVEAXDWVAL[5]; //mov eax, dwval (b8 dword val)
    BYTE PUSHEAX; //push eax (50)
    BYTE LEAEAXEBPPLUS20[3]; //lea eax, [ebp + 20] (8d 45 20) -- LEA r32,m is 8d; the 8f written here originally is the POP r/m32 group, not LEA
    BYTE PUSHEAX2; //push eax (50)
    BYTE CALLROUTINE[6]; //call [address] (ff15 dword address)
    BYTE MOVESPPLUS1CEAX[4]; //mov [esp+0x1c],eax (89 44 24 1c)
    BYTE POPAD; //popad (61)
    BYTE ADDESPPLUS4[3]; //add esp, 0x4 (83 c4 04)
    BYTE JMPEAX[2]; //jmp eax (ff e0)
} SHIMJMP, *PSHIMJMP;
typedef struct _SHIMRET
{
    // Byte-exact image of the x86 return thunk (packed by the surrounding
    // #pragma pack(push, 1); sizeof(SHIMRET) == 14).
    //
    // As encoded: push eax reserves one dword, pushad saves the eight GPRs
    // below it, an absolute indirect call enters a routine with no pushed
    // arguments, and its EAX result is stored at [esp+0x20] -- exactly the
    // dword reserved by the first push. popad restores the registers and
    // ret then pops that dword as the return address, so the called routine
    // chooses where execution continues.
    // NOTE(review): the routine is presumably SevPopCaller() (declared
    // below: no parameters, returns PVOID) -- confirm against the emitter.
    BYTE PUSHEAX; //push eax (50)
    BYTE PUSHAD; //pushad (60)
    BYTE CALLROUTINE[6]; //call [address] (ff15 dword address)
    BYTE MOVESPPLUS20EAX[4]; //mov [esp+0x20],eax (89 44 24 20)
    BYTE POPAD; //popad (61)
    BYTE RET; //ret (c3)
} SHIMRET, *PSHIMRET;
#pragma pack(pop)
// Function-pointer types whose signatures match the ntdll exports
// LdrLoadDll, LdrUnloadDll, RtlAllocateHeap and RtlFreeHeap. How the engine
// obtains the pointers (import table or runtime lookup) is not visible in
// this header; StubLdrLoadDll / StubLdrUnloadDll below share the Ldr*
// signatures and are presumably installed in their place.
typedef NTSTATUS (*PFNLDRLOADDLL)(
    IN PWSTR DllPath OPTIONAL, // optional search path
    IN PULONG DllCharacteristics OPTIONAL, // optional load characteristics
    IN PUNICODE_STRING DllName, // name of the DLL to load
    OUT PVOID *DllHandle // receives the module handle
    );
typedef NTSTATUS (*PFNLDRUNLOADDLL) (
    IN PVOID DllHandle // handle previously returned by the load call
    );
typedef PVOID (*PFNRTLALLOCATEHEAP)(
    IN PVOID HeapHandle,
    IN ULONG Flags,
    IN SIZE_T Size // byte count requested; the caller owns the returned block
    );
typedef BOOLEAN (*PFNRTLFREEHEAP)(
    IN PVOID HeapHandle,
    IN ULONG Flags,
    IN PVOID BaseAddress // block previously returned by the allocate call
    );
//
// Shim engine backend entry points. The prototypes fix names and types
// only; the one-line notes are inferred from the identifiers and parameter
// names and should be checked against the implementation file.
//
NTSTATUS
SevInitializeData(
    PAPP_COMPAT_SHIM_INFO *pShimData); // engine initialisation; the shim info block is passed by pointer-to-pointer
NTSTATUS
SevExecutePatchPrimitive(
    PBYTE pPatch); // applies one patch primitive read from a raw byte stream; length and target-range checks must live in the implementation
DWORD
SevGetPatchAddress(
    PRELATIVE_MODULE_ADDRESS pRelAddress); // module-relative address -> absolute address (DWORD return: 32-bit x86 only)
VOID
SevValidateGlobalFilter(
    VOID); // validates the MODFILTER_GLOBAL filter state; no result is returned
NTSTATUS
SevFinishThunkInjection(
    DWORD dwAddress,
    PVOID pThunk,
    DWORD dwThunkSize,
    BYTE jReason); // completes installing the dwThunkSize-byte thunk for dwAddress; jReason is REASON_APIHOOK or REASON_PATCHHOOK
NTSTATUS
SevBuildFilterException(
    HSDB hSDB,
    TAGREF trInclude,
    PMODULEFILTER pModFilter,
    BOOL* pbLateBound); // fills a MODULEFILTER from an SDB include tag; *pbLateBound reports a late-bound DLL (the pNextLBFilter list)
NTSTATUS
SevBuildExeFilter(
    HSDB hSDB,
    TAGREF trExe,
    DWORD dwDllCount); // builds the filter set for an EXE entry of the SDB
PVOID
SevBuildInjectionCode(
    PVOID pAddress,
    PDWORD pdwThunkSize); // builds the thunk code for pAddress, returning its size via *pdwThunkSize; ownership of the returned memory is not stated here
NTSTATUS
SevAddShimFilterException(
    WCHAR* wszDLLPath,
    PMODULEFILTER pModFilter); // adds a filter exception for the DLL at wszDLLPath; if the name is stored in wszModuleName[96] the copy must be bounded
NTSTATUS
SevChainAPIHook(
    DWORD dwHookEntryPoint,
    PVOID pThunk,
    PHOOKAPI pAPIHook); // links pAPIHook into the chain for dwHookEntryPoint (see HOOK_CHAIN_TOP / HOOK_CHAINED)
PVOID
SevFilterCaller(
    PMODULEFILTER pFilterList,
    PVOID pFunctionAddress,
    PVOID pExceptionAddress,
    PVOID pStubAddress,
    PVOID pCallThunkAddress); // consults pFilterList for the faulting address and returns the address execution should continue at (function, stub or call thunk)
NTSTATUS
SevPushCaller(
    PVOID pAPIAddress,
    PVOID pReturnAddress); // pushes an (API, return address) record onto the caller chain (see CHAININFO)
PVOID
SevPopCaller(
    VOID); // pops the most recent caller record and returns its address (presumably pReturn)
NTSTATUS
StubLdrLoadDll(
    IN PWSTR DllPath OPTIONAL,
    IN PULONG DllCharacteristics OPTIONAL,
    IN PUNICODE_STRING DllName,
    OUT PVOID* DllHandle); // replacement for LdrLoadDll; same signature as PFNLDRLOADDLL
NTSTATUS
StubLdrUnloadDll(
    IN PVOID DllHandle); // replacement for LdrUnloadDll; same signature as PFNLDRUNLOADDLL
NTSTATUS
SevFixupAvailableProcs(
    DWORD dwHookCount,
    PHOOKAPI* pHookArray,
    PDWORD pdwNumberHooksArray,
    PDWORD pdwUnhookedCount); // resolves the hook arrays; per-array hook counts and the still-unhooked count are written back
LONG
SevExceptionHandler(
    struct _EXCEPTION_POINTERS *ExceptionInfo); // vectored exception handler (LONG / _EXCEPTION_POINTERS match the VEH signature); presumably receives the faults raised by the planted hook bytes
#endif // _SHIMENG_VEH_H_