125 lines
3.3 KiB
C++
125 lines
3.3 KiB
C++
|
/*++
|
||
|
|
|
||
|
|
Copyright (c) 2000-2002 Microsoft Corporation
|
||
|
|
|
||
|
|
Module Name:
|
||
|
|
|
||
|
|
SierraCartRacing.cpp
|
||
|
|
|
||
|
|
Abstract:
|
||
|
|
|
||
|
|
Sierra Cart Racing passes a bad pointer to InitializeSecurityDescriptor which overwrites
|
||
|
|
part of the SECURITY_ATTRIBUTES structure and some other stack memory.
|
||
|
|
|
||
|
|
The original version of this shim would fail the call to InitializeSecurityDescriptor,
|
||
|
|
and force a NULL security descriptor to CreateSemaphoreA. To reduce the security risk,
|
||
|
|
the shim was modified to only pass a NULL security descriptor to CreateSemaphoreA if
|
||
|
|
it detects that the LPSECURITY_ATTRIBUTES was overwritten by InitializeSecurityDescriptor,
|
||
|
|
and restores the memory overwritten by InitializeSecurityDescriptor.
|
||
|
|
|
||
|
|
Notes:
|
||
|
|
|
||
|
|
This is an app specific shim.
|
||
|
|
|
||
|
|
History:
|
||
|
|
|
||
|
|
11/03/1999 linstev Created
|
||
|
|
03/15/2002 robkenny Re-created to pass security muster.
|
||
|
|
|
||
|
|
--*/
|
||
|
|
|
||
|
|
#include "precomp.h"
|
||
|
|
|
||
|
|
IMPLEMENT_SHIM_BEGIN(SierraCartRacing)
|
||
|
|
#include "ShimHookMacro.h"
|
||
|
|
|
||
|
|
APIHOOK_ENUM_BEGIN
|
||
|
|
APIHOOK_ENUM_ENTRY(CreateSemaphoreA)
|
||
|
|
APIHOOK_ENUM_ENTRY(InitializeSecurityDescriptor)
|
||
|
|
APIHOOK_ENUM_END
|
||
|
|
|
||
|
|
BOOL g_BLastSecurityDescriptorSet = FALSE;
|
||
|
|
SECURITY_DESCRIPTOR g_LastSecurityDescriptor;
|
||
|
|
|
||
|
|
/*++
|
||
|
|
|
||
|
|
Use the default security descriptor.
|
||
|
|
|
||
|
|
--*/
|
||
|
|
|
||
|
|
HANDLE
|
||
|
|
APIHOOK(CreateSemaphoreA)(
|
||
|
|
LPSECURITY_ATTRIBUTES lpSemaphoreAttributes,
|
||
|
|
LONG lInitialCount,
|
||
|
|
LONG lMaximumCount,
|
||
|
|
LPCSTR lpName
|
||
|
|
)
|
||
|
|
{
|
||
|
|
if (lpSemaphoreAttributes && g_BLastSecurityDescriptorSet)
|
||
|
|
{
|
||
|
|
// Initialize a security descriptor
|
||
|
|
SECURITY_DESCRIPTOR securityDescriptor;
|
||
|
|
InitializeSecurityDescriptor(&securityDescriptor, SECURITY_DESCRIPTOR_REVISION);
|
||
|
|
|
||
|
|
// Check to see if them memory starting at lpSemaphoreAttributes->lpSecurityDescriptor
|
||
|
|
// contains the same memory as a security descriptor.
|
||
|
|
int compareResult = memcmp(&securityDescriptor,
|
||
|
|
&lpSemaphoreAttributes->lpSecurityDescriptor,
|
||
|
|
sizeof(securityDescriptor));
|
||
|
|
if (compareResult == 0)
|
||
|
|
{
|
||
|
|
// Restore the overwritten memory
|
||
|
|
memcpy(&lpSemaphoreAttributes->lpSecurityDescriptor, &g_LastSecurityDescriptor, sizeof(g_LastSecurityDescriptor));
|
||
|
|
|
||
|
|
// lpSemaphoreAttributes is bogus
|
||
|
|
lpSemaphoreAttributes = NULL;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
return ORIGINAL_API(CreateSemaphoreA)(
|
||
|
|
lpSemaphoreAttributes,
|
||
|
|
lInitialCount,
|
||
|
|
lMaximumCount,
|
||
|
|
lpName);
|
||
|
|
}
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
/*++
|
||
|
|
|
||
|
|
Returns false for InitializeSecurityDescriptor. i.e. do nothing so we don't
|
||
|
|
touch the stack.
|
||
|
|
|
||
|
|
--*/
|
||
|
|
|
||
|
|
BOOL
|
||
|
|
APIHOOK(InitializeSecurityDescriptor)(
|
||
|
|
PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
||
|
|
DWORD dwRevision
|
||
|
|
)
|
||
|
|
{
|
||
|
|
// Save the memory that will be overwritten.
|
||
|
|
if (pSecurityDescriptor)
|
||
|
|
{
|
||
|
|
g_BLastSecurityDescriptorSet = TRUE;
|
||
|
|
memcpy(&g_LastSecurityDescriptor, pSecurityDescriptor, sizeof(g_LastSecurityDescriptor));
|
||
|
|
}
|
||
|
|
return ORIGINAL_API(InitializeSecurityDescriptor)(pSecurityDescriptor, dwRevision);
|
||
|
|
}
|
||
|
|
|
||
|
|
/*++
|
||
|
|
|
||
|
|
Register hooked functions
|
||
|
|
|
||
|
|
--*/
|
||
|
|
|
||
|
|
HOOK_BEGIN
|
||
|
|
|
||
|
|
APIHOOK_ENTRY(KERNEL32.DLL, CreateSemaphoreA)
|
||
|
|
APIHOOK_ENTRY(ADVAPI32.DLL, InitializeSecurityDescriptor)
|
||
|
|
|
||
|
|
HOOK_END
|
||
|
|
|
||
|
|
IMPLEMENT_SHIM_END
|
||
|
|
|