Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

143 lines
2.8 KiB

/*++
Copyright (c) 2000 Microsoft Corporation
Module Name:
SysAdmiral.cpp
Abstract:
Application's service control routine does not properly restore the stack
when returning.
History:
10/22/2001 robkenny Created
--*/
#include "precomp.h"
IMPLEMENT_SHIM_BEGIN(SysAdmiral)
#include "ShimHookMacro.h"
APIHOOK_ENUM_BEGIN
APIHOOK_ENUM_ENTRY(StartServiceCtrlDispatcherA)
APIHOOK_ENUM_END
typedef BOOL (* _pfn_StartServiceCtrlDispatcherA)(CONST LPSERVICE_TABLE_ENTRYA lpServiceTable);
/*++
0x12345678 is replaced with the original service control routine's address
--*/
__declspec(naked)
void
Stub()
{
__asm
{
// save the current stack pointer in ESI
push esi
mov esi, esp
mov eax, 0x12345678
// push the arguments to the routine
push [esi+0xc]
push [esi+0x8]
// call the routine
call eax
// Restore the stack to its value before the routine.
mov esp, esi
pop esi
ret 0x8
}
}
#define Stub_OrigApi_Offset 0x4
#define STUB_SIZE 0x20
/*++
Create an in-memory routine to save and restore the stack.
This is used rather than a subroutine because we cannot pass any parameters
to the routine and it needs to know the address of the original service
routine. A subroutine would have to use a global pointer to the service
routine, limiting this shim to handling only a *single* service routine.
--*/
LPSERVICE_MAIN_FUNCTIONA
BuildStackSaver(LPSERVICE_MAIN_FUNCTIONA lpServiceProc)
{
// Create the stub
LPBYTE pStub = (LPBYTE) VirtualAlloc(
0,
STUB_SIZE,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if (!pStub)
{
DPFN( eDbgLevelError, "Could not allocate memory for stub");
return NULL;
}
// Copy the template code into the memory.
MoveMemory(pStub, Stub, STUB_SIZE);
// Replace the place holding function pointer
DWORD_PTR * origApi = (DWORD_PTR *)(pStub + Stub_OrigApi_Offset);
*origApi = (DWORD_PTR)lpServiceProc;
return (LPSERVICE_MAIN_FUNCTIONA)pStub;
}
/*++
Application's service routine does not properly restore the stack when returning.
--*/
BOOL
APIHOOK(StartServiceCtrlDispatcherA)(
CONST LPSERVICE_TABLE_ENTRYA lpServiceTable // service table
)
{
SERVICE_TABLE_ENTRYA myServiceTable = *lpServiceTable;
//
// Create our in-memory stack restoring functiono
//
myServiceTable.lpServiceProc = BuildStackSaver(lpServiceTable->lpServiceProc);
if (myServiceTable.lpServiceProc)
{
return ORIGINAL_API(StartServiceCtrlDispatcherA)(&myServiceTable);
}
else
{
return FALSE;
}
}
/*++
Register hooked functions
--*/
HOOK_BEGIN
APIHOOK_ENTRY(ADVAPI32.DLL, StartServiceCtrlDispatcherA)
HOOK_END
IMPLEMENT_SHIM_END