Windows2003-3790/windows/appcompat/shims/layer/shrinker.cpp

109 lines
2.9 KiB
C++
Raw Permalink Normal View History

2001-01-01 00:00:00 +01:00
/*++
Copyright (c) 2000-2002 Microsoft Corporation
Module Name:
Shrinker.cpp
Abstract:
Fix Shrinker library problem. This library is hacking some ntdll and kernel32 opcode
with unreliable way to do it.
First, they try to search the matching opcode within 32 bytes from the hacked
function (the function address retrieved from GetProcAddress and the opcode bytes
retrieved via ReadProcessMemory).
If they found it, then they replaced it with their opcode to redirect the call
into their own routine.
Unfortunately, opcode in Whistler has changed. So, the result will be unpredictable.
They could be ended up with unexpected behavior from misreplacement of opcode
or the app decided to terminated itself since the matching opcode can't be found.
We fixed this by providing an exact matching opcode.
Addition: Shrinker also checks against ExitProcess for exact opcodes, these
values have recently changed and no longer match against their hard coded
values. We now provide matching opcodes for ExitProcess also.
Notes:
Hooking ntdll!LdrAccessResource to emulate Win2K's version of it.
Hooking Kernel32!ExitProcess to emulate Win2K's version of it.
History:
11/17/2000 andyseti Created
04/30/2001 mnikkel Added ExitProcess
05/01/2001 mnikkel Corrected calls to ldraccessresource and exitprocess
02/20/2002 mnikkel Corrected exitprocess parameter to remove w4 warning
--*/
#include "precomp.h"
#include <nt.h>
IMPLEMENT_SHIM_BEGIN(Shrinker)
#include "ShimHookMacro.h"
APIHOOK_ENUM_BEGIN
APIHOOK_ENUM_ENTRY(LdrAccessResource)
APIHOOK_ENUM_ENTRY(ExitProcess)
APIHOOK_ENUM_END
__declspec(naked)
NTSTATUS
APIHOOK(LdrAccessResource)(
IN PVOID /*DllHandle*/,
IN const IMAGE_RESOURCE_DATA_ENTRY* /*ResourceDataEntry*/,
OUT PVOID * /*Address*/ OPTIONAL,
OUT PULONG /*Size*/ OPTIONAL)
{
_asm {
push [esp+0x10] // shrinker lib needs these opcode signature (found in Win2K), -
push [esp+0x10] // but the actual LdrAccessResource doesn't have them
push [esp+0x10]
push [esp+0x10]
call dword ptr [LdrAccessResource]
ret 0x10 // when exit, pop 16 bytes from stack.
}
}
__declspec(naked)
VOID
APIHOOK(ExitProcess)(
UINT /*uExitCode*/
)
{
_asm {
push ebp // shrinker is looking for these exact op codes in
mov ebp,esp // ExitProcess, but the routine has changed.
push 0xFFFFFFFF
push 0x77e8f3b0
push [ebp+4]
call dword ptr [ExitProcess]
pop ebp
ret 4
}
}
/*++
Register hooked functions
--*/
HOOK_BEGIN
APIHOOK_ENTRY(NTDLL.DLL, LdrAccessResource)
APIHOOK_ENTRY(KERNEL32.DLL, ExitProcess)
HOOK_END
IMPLEMENT_SHIM_END