mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
291 lines
6.1 KiB
291 lines
6.1 KiB
#include "precomp.h"
|
|
#include <tlhelp32.h>
|
|
|
|
#ifndef MYASSERT
|
|
#define MYASSERT(x)
|
|
#endif
|
|
|
|
|
|
typedef HANDLE (WINAPI * CREATETOOLHELP32SNAPSHOT)(DWORD Flags, DWORD ProcessId);
|
|
typedef BOOL (WINAPI * MODULE32FIRST)(HANDLE Snapshot, LPMODULEENTRY32 lpme);
|
|
typedef BOOL (WINAPI * MODULE32NEXT)(HANDLE Snapshot, LPMODULEENTRY32 lpme);
|
|
|
|
|
|
BOOL
|
|
pIsLegalPage (
|
|
IN DWORD Protect
|
|
)
|
|
{
|
|
//
|
|
// Page must be actually in memory to protect it, and it
|
|
// cannot be any type of write-copy.
|
|
//
|
|
|
|
if ((Protect & PAGE_GUARD) ||
|
|
(Protect == PAGE_NOACCESS) ||
|
|
(Protect == PAGE_WRITECOPY) ||
|
|
(Protect == PAGE_EXECUTE_WRITECOPY)
|
|
) {
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
BOOL
|
|
pIsKnownSection (
|
|
IN const IMAGE_SECTION_HEADER *Section,
|
|
IN const IMAGE_NT_HEADERS *NtHeaders
|
|
)
|
|
{
|
|
//
|
|
// Return TRUE if section is code or code data
|
|
//
|
|
|
|
if (Section->Characteristics & (IMAGE_SCN_MEM_EXECUTE|
|
|
IMAGE_SCN_MEM_DISCARDABLE|
|
|
IMAGE_SCN_MEM_WRITE|
|
|
IMAGE_SCN_MEM_READ)
|
|
) {
|
|
return TRUE;
|
|
}
|
|
|
|
//
|
|
// Return TRUE if section is resources
|
|
//
|
|
|
|
if (NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress ==
|
|
Section->VirtualAddress
|
|
) {
|
|
return TRUE;
|
|
}
|
|
|
|
//
|
|
// Unknown section
|
|
//
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
VOID
|
|
pPutRegionInSwapFile (
|
|
IN PVOID Address,
|
|
IN DWORD Size
|
|
)
|
|
{
|
|
MEMORY_BASIC_INFORMATION mbi;
|
|
DWORD PageSize;
|
|
PVOID EndPtr;
|
|
PVOID RegionEnd;
|
|
DWORD d;
|
|
DWORD OldPermissions;
|
|
volatile DWORD *v;
|
|
SYSTEM_INFO si;
|
|
|
|
//
|
|
// Get system virtual page size
|
|
//
|
|
|
|
GetSystemInfo(&si);
|
|
PageSize = si.dwPageSize;
|
|
|
|
//
|
|
// Compute the pointer to the end of the region
|
|
//
|
|
|
|
EndPtr = (PBYTE) Address + Size;
|
|
|
|
//
|
|
// For each page in the region, mark it as e/r/w, modify it, and restore the permissions
|
|
//
|
|
|
|
while (Address < EndPtr) {
|
|
|
|
d = VirtualQuery (Address, &mbi, sizeof(mbi));
|
|
|
|
if (d == sizeof(mbi)) {
|
|
|
|
//
|
|
// We assume the module wasn't loaded with one of the following
|
|
// conditions (which break as a result of VirtualProtect)
|
|
//
|
|
|
|
RegionEnd = (PBYTE) mbi.BaseAddress + mbi.RegionSize;
|
|
|
|
if (RegionEnd > EndPtr) {
|
|
RegionEnd = EndPtr;
|
|
}
|
|
|
|
if (mbi.State == MEM_COMMIT && pIsLegalPage (mbi.Protect)) {
|
|
|
|
//
|
|
// Switch to e/r/w
|
|
//
|
|
|
|
if (VirtualProtect (
|
|
mbi.BaseAddress,
|
|
(PBYTE) RegionEnd - (PBYTE) mbi.BaseAddress,
|
|
PAGE_EXECUTE_READWRITE,
|
|
&OldPermissions
|
|
)) {
|
|
|
|
//
|
|
// Touch every page in the region.
|
|
//
|
|
|
|
for (Address = mbi.BaseAddress; Address < RegionEnd ; Address = (PBYTE) Address + PageSize) {
|
|
v = Address;
|
|
*v = *v;
|
|
}
|
|
|
|
//
|
|
// Switch back
|
|
//
|
|
|
|
VirtualProtect (
|
|
mbi.BaseAddress,
|
|
(PBYTE) RegionEnd - (PBYTE) mbi.BaseAddress,
|
|
OldPermissions,
|
|
&d
|
|
);
|
|
}
|
|
}
|
|
|
|
Address = RegionEnd;
|
|
|
|
} else {
|
|
MYASSERT (FALSE);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
pProtectModule (
|
|
HANDLE Module
|
|
)
|
|
{
|
|
TCHAR Path[MAX_PATH];
|
|
BOOL IsNetDrive;
|
|
const IMAGE_DOS_HEADER *DosHeader;
|
|
const IMAGE_NT_HEADERS *NtHeaders;
|
|
const IMAGE_SECTION_HEADER *SectHeader;
|
|
UINT u;
|
|
|
|
|
|
IsNetDrive = FALSE;
|
|
|
|
//
|
|
// Get module info
|
|
//
|
|
|
|
if( GetModuleFileName (Module, Path, MAX_PATH) ){
|
|
|
|
//
|
|
// Determine if the module is running on the net
|
|
//
|
|
|
|
|
|
if (Path[0] == TEXT('\\')) {
|
|
IsNetDrive = TRUE;
|
|
} else if (GetDriveType (Path) == DRIVE_REMOTE) {
|
|
IsNetDrive = TRUE;
|
|
}
|
|
|
|
}
|
|
|
|
|
|
if (!IsNetDrive) {
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Enumerate all sections in the PE header
|
|
//
|
|
|
|
DosHeader = (const IMAGE_DOS_HEADER *) Module;
|
|
NtHeaders = (const IMAGE_NT_HEADERS *) ((PBYTE) Module + DosHeader->e_lfanew);
|
|
|
|
for (u = 0 ; u < NtHeaders->FileHeader.NumberOfSections ; u++) {
|
|
SectHeader = IMAGE_FIRST_SECTION (NtHeaders) + u;
|
|
|
|
if (pIsKnownSection (SectHeader, NtHeaders)) {
|
|
pPutRegionInSwapFile (
|
|
(PBYTE) Module + SectHeader->VirtualAddress,
|
|
SectHeader->Misc.VirtualSize
|
|
);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
ProtectAllModules (
|
|
VOID
|
|
)
|
|
{
|
|
HANDLE Library;
|
|
HANDLE Snapshot;
|
|
MODULEENTRY32 me32;
|
|
CREATETOOLHELP32SNAPSHOT fnCreateToolhelp32Snapshot;
|
|
MODULE32FIRST fnModule32First;
|
|
MODULE32NEXT fnModule32Next;
|
|
|
|
//
|
|
// Load toohelp dynamically (for NT 4, NT 3.51 compatibility)
|
|
//
|
|
|
|
Library = LoadLibrary (TEXT("toolhelp.dll"));
|
|
if (!Library) {
|
|
return;
|
|
}
|
|
|
|
(FARPROC) fnCreateToolhelp32Snapshot = GetProcAddress (Library, "CreateToolhelp32Snapshot");
|
|
(FARPROC) fnModule32First = GetProcAddress (Library, "Module32First");
|
|
(FARPROC) fnModule32Next = GetProcAddress (Library, "Module32Next");
|
|
|
|
if (!fnCreateToolhelp32Snapshot || !fnModule32First || !fnModule32Next) {
|
|
FreeLibrary (Library);
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Protect each loaded module
|
|
//
|
|
|
|
Snapshot = fnCreateToolhelp32Snapshot (TH32CS_SNAPMODULE, 0);
|
|
MYASSERT (Snapshot != INVALID_HANDLE_VALUE);
|
|
|
|
if (Snapshot == INVALID_HANDLE_VALUE) {
|
|
return;
|
|
}
|
|
|
|
me32.dwSize = sizeof (me32);
|
|
if (fnModule32First (Snapshot, &me32)) {
|
|
do {
|
|
pProtectModule (me32.hModule);
|
|
} while (fnModule32Next (Snapshot, &me32));
|
|
}
|
|
|
|
//
|
|
// Done
|
|
//
|
|
|
|
CloseHandle (Snapshot);
|
|
|
|
FreeLibrary (Library);
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|