Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

239 lines
6.3 KiB

#include <windows.h>
#include "inject.h"
#include "profiler.h"
BOOL g_bIsWin9X = FALSE;
CHAR g_fnFinalizeInjection[MAX_PATH];
HINSTANCE g_hProfileDLL = 0;
HANDLE
InjectDLL(DWORD dwEntryPoint,
HANDLE hProcess,
LPSTR pszDLLName)
{
CHAR szTempPath[MAX_PATH];
HMODULE hKernel32;
BOOL bResult = FALSE;
INJECTIONSTUB injStub;
DWORD dwLoadLibrary;
DWORD dwGetProcAddress;
DWORD dwBytesWritten;
DWORD dwBytesRead;
DWORD dwOldProtect;
DWORD dwOldProtect2;
PBYTE pSharedMem = 0;
HANDLE hFileMap = 0;
hKernel32 = GetModuleHandle("KERNEL32.DLL");
dwLoadLibrary = (DWORD)GetProcAddress(hKernel32,
"LoadLibraryA");
if (0 == dwLoadLibrary) {
bResult = FALSE;
goto handleerror;
}
dwGetProcAddress = (DWORD)GetProcAddress(hKernel32,
"GetProcAddress");
if (0 == dwGetProcAddress) {
bResult = FALSE;
goto handleerror;
}
//
// Initialize the asm for the stub
//
injStub.pCode[0] = 0x90; // int 3 or nop
injStub.pCode[1] = 0x60; // pushad
injStub.pCode[2] = 0x8d; // lea eax, [xxxxxxxx]
injStub.pCode[3] = 0x05;
*(DWORD *)(&(injStub.pCode[4])) = dwEntryPoint + (DWORD)&(injStub.szDLLName) - (DWORD)&injStub;
injStub.pCode[8] = 0x50; // push eax
injStub.pCode[9] = 0xff; // call dword ptr [xxxxxxxx] - LoadLibraryA
injStub.pCode[10] = 0x15;
*(DWORD *)(&(injStub.pCode[11])) = dwEntryPoint + 50;
injStub.pCode[15] = 0x50; // push eax
injStub.pCode[16] = 0x5b; // pop ebx
injStub.pCode[17] = 0x8d; // lea eax, [xxxxxxxx]
injStub.pCode[18] = 0x05;
*(DWORD *)(&(injStub.pCode[19])) = dwEntryPoint + (DWORD)&(injStub.szEntryPoint) - (DWORD)&injStub;
injStub.pCode[23] = 0x50; // push eax // module base
injStub.pCode[24] = 0x53; // push ebx // function name
injStub.pCode[25] = 0xff; // call dword ptr [xxxxxxxx] - GetProcAddress
injStub.pCode[26] = 0x15;
*(DWORD *)(&(injStub.pCode[27])) = dwEntryPoint + 54;
injStub.pCode[31] = 0xff;
injStub.pCode[32] = 0xd0;
*(DWORD *)(&(injStub.pCode[50])) = dwLoadLibrary;
*(DWORD *)(&(injStub.pCode[54])) = dwGetProcAddress;
//
// Create the file mapping object from the paging file
//
hFileMap = CreateFileMapping(INVALID_HANDLE_VALUE,
NULL,
PAGE_READWRITE,
0,
sizeof(INJECTIONSTUB),
"ProfilerSharedMem");
if (0 == hFileMap) {
bResult = FALSE;
goto handleerror;
}
pSharedMem = (PBYTE)MapViewOfFile(hFileMap,
FILE_MAP_ALL_ACCESS,
0,
0,
sizeof(INJECTIONSTUB));
if (0 == pSharedMem) {
bResult = FALSE;
goto handleerror;
}
//
// Initialize injection stub
//
strcpy(injStub.szDLLName, pszDLLName);
strcpy(injStub.szEntryPoint, DEFAULT_ENTRY_POINT);
bResult = ReadProcessMemory(hProcess,
(LPVOID)dwEntryPoint,
(PVOID)pSharedMem,
sizeof(INJECTIONSTUB),
&dwBytesRead);
if (FALSE == bResult) {
bResult = FALSE;
goto handleerror;
}
//
// Write the stub code into the entry point
//
bResult = WriteProcessMemory(hProcess,
(LPVOID)dwEntryPoint,
(PVOID)&injStub,
sizeof(INJECTIONSTUB),
&dwBytesWritten);
if (FALSE == bResult) {
bResult = FALSE;
goto handleerror;
}
handleerror:
return hFileMap;
}
VOID
RestoreImageFromInjection(VOID)
{
PIMAGE_NT_HEADERS pHeaders = 0;
BOOL bResult;
BOOL bError = FALSE;
PVOID pBase = 0;
DWORD dwEntryPoint;
DWORD dwBytesRead;
DWORD dwBytesWritten;
PINJECTIONSTUB pInjStub;
HANDLE hFileMap = 0;
PBYTE pSharedMem = 0;
OSVERSIONINFO verInfo;
//
// Get the entry point from the headers
//
pBase = (PVOID)GetModuleHandle(0);
if (0 == pBase) {
bError = TRUE;
goto handleerror;
}
//
// Dig out the PE information
//
pHeaders = ImageNtHeader2(pBase);
if (0 == pHeaders) {
bError = TRUE;
goto handleerror;
}
dwEntryPoint = pHeaders->OptionalHeader.ImageBase + pHeaders->OptionalHeader.AddressOfEntryPoint;
pInjStub = (PINJECTIONSTUB)dwEntryPoint;
//
// Open the memory mapped file and get the bits
//
hFileMap = OpenFileMapping(FILE_MAP_ALL_ACCESS,
FALSE,
"ProfilerSharedMem");
if (0 == hFileMap) {
bError = TRUE;
goto handleerror;
}
pSharedMem = (PBYTE)MapViewOfFile(hFileMap,
FILE_MAP_ALL_ACCESS,
0,
0,
0);
if (0 == pSharedMem) {
bError = TRUE;
goto handleerror;
}
//
// Replace the bits
//
bResult = WriteProcessMemory(GetCurrentProcess(),
(PVOID)dwEntryPoint,
(PVOID)pSharedMem,
sizeof(INJECTIONSTUB),
&dwBytesWritten);
if (FALSE == bResult) {
bError = TRUE;
goto handleerror;
}
//
// Set the OS information
//
ZeroMemory(&verInfo, sizeof(OSVERSIONINFO));
verInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
bResult = GetVersionExA(&verInfo);
if (FALSE == bResult) {
bError = TRUE;
goto handleerror;
}
if (VER_PLATFORM_WIN32_NT == verInfo.dwPlatformId) {
g_bIsWin9X = FALSE;
}
else if (VER_PLATFORM_WIN32_WINDOWS == verInfo.dwPlatformId) {
g_bIsWin9X = TRUE;
}
else {
//
// Unsupported platform
//
ExitProcess(-1);
}
//
// Finish profiler initializations
//
bResult = InitializeProfiler();
if (FALSE == bResult) {
bError = TRUE;
goto handleerror;
}
handleerror:
if (TRUE == bError) {
ExitProcess(-1);
}
return;
}