2020-09-30 16:53:55 +02:00

578 lines
18 KiB
C

////////////////////////////////////////////////////////////////////////////////////
//
// File: shim2.c
//
// History: May-99 clupu Created.
// Aug-99 v-johnwh Various bug fixes.
// 23-Nov-99 markder Support for multiple shim DLLs, chaining
// of hooks, DLL loads/unloads. General clean-up.
// Jan-00 markder Windows 9x support added.
// Mar-00 a-batjar Changed to support whistler format on w2k
// May-00 v-johnwh Modified to work in the profiler
// Desc: Contains all code to facilitate hooking of APIs by replacing entries
// in the import tables of loaded modules.
//
////////////////////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <stdlib.h>
#include <psapi.h>
#include <tlhelp32.h>
#include <imagehlp.h>
#include <stdio.h>
#include "shimdb.h"
#include "shim2.h"
#define HAF_RESOLVED 0x0001
#define HAF_BOTTOM_OF_CHAIN 0x0002
typedef PHOOKAPI (*PFNNEWGETHOOKAPIS)(DWORD dwGetProcAddress, DWORD dwLoadLibraryA, DWORD dwFreeLibrary, DWORD* pdwHookAPICount);
typedef LPSTR (*PFNGETCOMMANDLINEA)(VOID);
typedef LPWSTR (*PFNGETCOMMANDLINEW)(VOID);
typedef PVOID (*PFNGETPROCADDRESS)(HMODULE hMod, char* pszProc);
typedef HINSTANCE (*PFNLOADLIBRARYA)(LPCSTR lpLibFileName);
typedef HINSTANCE (*PFNLOADLIBRARYW)(LPCWSTR lpLibFileName);
typedef HINSTANCE (*PFNLOADLIBRARYEXA)(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
typedef HINSTANCE (*PFNLOADLIBRARYEXW)(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
typedef BOOL (*PFNFREELIBRARY)(HMODULE hLibModule);
// Global Variables
// Disable build warnings due to Print macro in free builds
#pragma warning( disable : 4002 )
#define MAX_MODULES 512
#define SHIM_GETHOOKAPIS "GetHookAPIs"
////////////////////////////////////////////////////////////////////////////////////
// API hook count & indices
////////////////////////////////////////////////////////////////////////////////////
enum
{
hookGetProcAddress,
hookLoadLibraryA,
hookLoadLibraryW,
hookLoadLibraryExA,
hookLoadLibraryExW,
hookFreeLibrary,
hookGetCommandLineA,
hookGetCommandLineW
};
////////////////////////////////////////////////////////////////////////////////////
// Global variables
////////////////////////////////////////////////////////////////////////////////////
// This array contains information used by the shim mechanism to describe
// what API to hook with a particular stub function.
LONG g_nShimDllCount;
HMODULE g_hShimDlls[MAX_MODULES];
PHOOKAPI g_rgpHookAPIs[MAX_MODULES];
LONG g_rgnHookAPICount[MAX_MODULES];
LPTSTR g_rgnHookDllList[MAX_MODULES];
HMODULE g_hHookedModules[MAX_MODULES];
LONG g_nHookedModuleCount;
extern BOOL g_bIsWin9X;
HANDLE g_hSnapshot = NULL;
HANDLE g_hValidationSnapshot = NULL;
////////////////////////////////////////////////////////////////////////////////////
//
// Func: ValidateAddress
//
// Params: pfnOld Original API function pointer to validate.
//
// Return: Potentially massaged pfnOld.
//
// Desc: Win9x thunks system API entry points for some reason. The
// shim mechanism has to work around this to get to the
// 'real' pointer so that it can make valid comparisons.
//
PVOID ValidateAddress( PVOID pfnOld )
{
MODULEENTRY32 ModuleEntry32;
BOOL bRet;
long i, j;
// Make sure the address isn't a shim thunk
for( i = g_nShimDllCount - 1; i >= 0; i-- )
{
for( j = 0; j < g_rgnHookAPICount[i]; j++ )
{
if( g_rgpHookAPIs[i][j].pfnOld == pfnOld )
{
if( pfnOld == g_rgpHookAPIs[i][j].pfnNew )
return pfnOld;
}
}
}
ModuleEntry32.dwSize = sizeof( ModuleEntry32 );
bRet = Module32First( g_hValidationSnapshot, &ModuleEntry32 );
while( bRet )
{
if( pfnOld >= (PVOID) ModuleEntry32.modBaseAddr &&
pfnOld <= (PVOID) ( ModuleEntry32.modBaseAddr + ModuleEntry32.modBaseSize ) )
{
return pfnOld;
}
bRet = Module32Next( g_hValidationSnapshot, &ModuleEntry32 );
}
// Hack for Win9x
return *(PVOID *)( ((PBYTE)pfnOld)+1);
}
////////////////////////////////////////////////////////////////////////////////////
//
// Func: ConstructChain
//
// Params: pfnOld Original API function pointer to resolve.
//
// Return: Top-of-chain PHOOKAPI structure.
//
// Desc: Scans HookAPI arrays for pfnOld and either constructs the
// chain or returns the top-of-chain PHOOKAPI if the chain
// already exists.
//
PHOOKAPI ConstructChain( PVOID pfnOld ,DWORD* DllListIndex)
{
LONG i, j;
PHOOKAPI pTopHookAPI;
PHOOKAPI pBottomHookAPI;
pTopHookAPI = NULL;
pBottomHookAPI = NULL;
*DllListIndex=0;
// Scan all HOOKAPI entries for corresponding function pointer
for( i = g_nShimDllCount - 1; i >= 0; i-- )
{
for( j = 0; j < g_rgnHookAPICount[i]; j++ )
{
if( g_rgpHookAPIs[i][j].pfnOld == pfnOld )
{
if( pTopHookAPI )
{
// Already hooked! Chain them together.
pBottomHookAPI->pfnOld = g_rgpHookAPIs[i][j].pfnNew;
pBottomHookAPI = &( g_rgpHookAPIs[i][j] );
pBottomHookAPI->pNextHook = pTopHookAPI;
pBottomHookAPI->dwFlags = HAF_RESOLVED;
}
else
{
if( g_rgpHookAPIs[i][j].pNextHook )
{
// Chaining has already been constructed.
pTopHookAPI = (PHOOKAPI) g_rgpHookAPIs[i][j].pNextHook;
*DllListIndex=i;
return pTopHookAPI;
}
// Not hooked yet. Set to top of chain.
pTopHookAPI = &( g_rgpHookAPIs[i][j] );
pTopHookAPI->pNextHook = pTopHookAPI;
pTopHookAPI->dwFlags = HAF_RESOLVED;
pBottomHookAPI = pTopHookAPI;
}
break;
}
}
}
if( pBottomHookAPI )
{
pBottomHookAPI->dwFlags = HAF_BOTTOM_OF_CHAIN;
}
*DllListIndex=i;
return pTopHookAPI;
} // ConstructChain
////////////////////////////////////////////////////////////////////////////////////
//
// Func: HookImports
//
// Params: dwBaseAddress Base address of module image to hook.
//
// szModName Name of module (for debug purposes only).
//
// Desc: This function is the workhorse of the shim: It scans the import
// table of a module (specified by dwBaseAddress) looking for
// function pointers that require hooking (according to HOOKAPI
// entries in g_rgpHookAPIs). It then overwrites hooked function
// pointers with the first stub function in the chain.
//
VOID HookImports(
DWORD dwBaseAddress,
LPTSTR szModName )
{
BOOL bAnyHooked = FALSE;
PIMAGE_DOS_HEADER pIDH = (PIMAGE_DOS_HEADER) dwBaseAddress;
PIMAGE_NT_HEADERS pINTH;
PIMAGE_IMPORT_DESCRIPTOR pIID;
PIMAGE_NT_HEADERS NtHeaders;
DWORD dwTemp;
DWORD dwImportTableOffset;
PHOOKAPI pTopHookAPI;
DWORD dwOldProtect;
LONG i, j;
PVOID pfnOld;
// Get the import table
pINTH = (PIMAGE_NT_HEADERS)(dwBaseAddress + pIDH->e_lfanew);
dwImportTableOffset = pINTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
if( dwImportTableOffset == 0 )
return;
pIID = (PIMAGE_IMPORT_DESCRIPTOR)(dwBaseAddress + dwImportTableOffset);
// Loop through the import table and search for the APIs that we want to patch
while( TRUE )
{
LPTSTR pszModule;
PIMAGE_THUNK_DATA pITDA;
// Return if no first thunk
if (pIID->FirstThunk == 0) // (terminating condition)
break;
pszModule = (LPTSTR) ( dwBaseAddress + pIID->Name );
// If we're not interested in this module jump to the next.
bAnyHooked = FALSE;
for( i = 0; i < g_nShimDllCount; i++ )
{
for( j = 0; j < g_rgnHookAPICount[i]; j++ )
{
if( lstrcmpi( g_rgpHookAPIs[i][j].pszModule, pszModule ) == 0 )
{
bAnyHooked = TRUE;
goto ScanDone;
}
}
}
ScanDone:
if( !bAnyHooked )
{
pIID++;
continue;
}
// We have APIs to hook for this module!
pITDA = (PIMAGE_THUNK_DATA)( dwBaseAddress + (DWORD)pIID->FirstThunk );
while( TRUE )
{
DWORD DllListIndex = 0;
pfnOld = (PVOID) pITDA->u1.Function;
// Done with all the imports from this module?
if( pITDA->u1.Ordinal == 0 ) // (terminating condition)
break;
if( g_bIsWin9X )
pfnOld = ValidateAddress( pfnOld );
pTopHookAPI = ConstructChain( (PVOID) pfnOld,&DllListIndex );
if( ! pTopHookAPI )
{
pITDA++;
continue;
}
/*
* Check if we want to patch this API for this particular loaded module
*/
if (NULL != g_rgnHookDllList[DllListIndex])
{
LPTSTR pszMod = g_rgnHookDllList[DllListIndex];
BOOL b = FALSE; //gets set to true if the list is an exclude list
while (*pszMod != 0) {
if (lstrcmpi(pszMod, szModName) == 0)
break;
if(lstrcmpi(pszMod,TEXT("%")) == 0)
b=TRUE;
if(b && lstrcmpi(pszMod,TEXT("*")) == 0)
{
//this means it is exclude all and we already checked include list
//skip this api
break;
}
pszMod = pszMod + lstrlen(pszMod) + 1;
}
if(b && *pszMod != 0)
{
pITDA++;
continue;
}
if (!b && *pszMod == 0)
{
pITDA++;
continue;
}
}
// Make the code page writable and overwrite new function pointer in import table
if ( VirtualProtect( &pITDA->u1.Function,
sizeof(DWORD),
PAGE_READWRITE,
&dwOldProtect) )
{
pITDA->u1.Function = (ULONG) pTopHookAPI->pfnNew;
VirtualProtect( &pITDA->u1.Function,
sizeof(DWORD),
dwOldProtect,
&dwTemp );
}
pITDA++;
}
pIID++;
}
} // HookImports
////////////////////////////////////////////////////////////////////////////////////
//
// Func: ResolveAPIs
//
// Desc: Each time a module is loaded, the pfnOld members of each HOOKAPI
// structure in g_rgpHookAPIs are resolved (by calling GetProcAddress).
//
VOID ResolveAPIs()
{
LONG i, j;
PVOID pfnOld = NULL;
PIMAGE_NT_HEADERS NtHeaders;
for (i = 0; i < g_nShimDllCount; i++)
{
for (j = 0; j < g_rgnHookAPICount[i]; j++ )
{
HMODULE hMod;
// We only care about HOOKAPIs at the bottom of a chain.
if( ( g_rgpHookAPIs[i][j].dwFlags & HAF_RESOLVED ) &&
! ( g_rgpHookAPIs[i][j].dwFlags & HAF_BOTTOM_OF_CHAIN ) )
continue;
if( ( hMod = GetModuleHandle(g_rgpHookAPIs[i][j].pszModule) ) != NULL)
{
pfnOld = GetProcAddress( hMod, g_rgpHookAPIs[i][j].pszFunctionName );
if( pfnOld == NULL )
{
// This is an ERROR. The hook DLL asked to patch a function
// that doesn't exist !!!
}
else
{
if( g_bIsWin9X )
pfnOld = ValidateAddress( pfnOld );
g_rgpHookAPIs[i][j].pfnOld = pfnOld;
}
}
}
}
} // ResolveAPIs
////////////////////////////////////////////////////////////////////////////////////
//
// Func: PatchNewModules
//
// Desc: This function is called at initialization and then each time a module
// is loaded. It enumerates all loaded processes and calls HookImports
// to overwrite appropriate function pointers.
//
void __stdcall Shim2PatchNewModules( VOID )
{
DWORD i;
LONG j;
BOOL bRet;
HMODULE hMod;
MODULEENTRY32 ModuleEntry32;
// Enumerate all the loaded modules and hook their import tables
g_hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, 0 );
g_hValidationSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, 0 );
if( g_hSnapshot == NULL )
{
return;
}
// Resolve old APIs for loaded modules
ResolveAPIs();
ModuleEntry32.dwSize = sizeof( ModuleEntry32 );
bRet = Module32First( g_hSnapshot, &ModuleEntry32 );
while( bRet )
{
hMod = ModuleEntry32.hModule;
if( hMod >= (HMODULE) 0x80000000 )
{
bRet = Module32Next( g_hSnapshot, &ModuleEntry32 );
continue;
}
// we need to make sure we are not trying to shim ourselves
for (j = 0; j < g_nShimDllCount; j++ )
{
if( hMod == g_hShimDlls[j] )
{
hMod = NULL;
break;
}
}
for (j = 0; j < g_nHookedModuleCount; j++ )
{
if( hMod == g_hHookedModules[ j ] )
{
hMod = NULL;
break;
}
}
if( hMod )
{
HookImports( (DWORD) hMod, ModuleEntry32.szModule );
g_hHookedModules[ g_nHookedModuleCount++ ] = hMod;
}
bRet = Module32Next( g_hSnapshot, &ModuleEntry32 );
}
if( g_hSnapshot )
{
CloseHandle( g_hSnapshot );
g_hSnapshot = NULL;
}
if( g_hValidationSnapshot )
{
CloseHandle( g_hValidationSnapshot );
g_hValidationSnapshot = NULL;
}
} //PatchNewModules
////////////////////////////////////////////////////////////////////////////////////
//
// Func: AddHookAPIs
//
// Params: hShimDll Handle of new shim DLL.
//
// pHookAPIs Pointer to new HOOKAPI array.
//
// dwCount Number of entries in pHookAPIs.
//
// Desc: Stores away the pointer returned by a shim DLL's GetHookAPIs
// function in our global arrays.
//
void AddHookAPIs( HMODULE hShimDll, PHOOKAPI pHookAPIs, DWORD dwCount,LPTSTR szIncExclDllList)
{
DWORD i;
for( i = 0; i < dwCount; i++ )
{
pHookAPIs[i].dwFlags = 0;
pHookAPIs[i].pNextHook = NULL;
}
g_rgpHookAPIs[ g_nShimDllCount ] = pHookAPIs;
g_rgnHookAPICount[ g_nShimDllCount ] = dwCount;
g_hShimDlls[ g_nShimDllCount ] = hShimDll;
g_rgnHookDllList[g_nShimDllCount ] = szIncExclDllList;
g_nShimDllCount++;
} // AddHookAPIs
////////////////////////////////////////////////////////////////////////////////////
//
// Func: _LoadPatchDll
//
// Params: pwszPatchDll Name of shim DLL to be loaded.
//
// Return: TRUE if successful, FALSE if not.
//
// Desc: Loads a shim DLL and retrieves the hooking information via GetHookAPIs.
//
BOOL _LoadPatchDll(
LPWSTR szPatchDll,LPSTR szCmdLine,LPSTR szIncExclDllList)
{
PHOOKAPI pHookAPIs = NULL;
DWORD dwHookAPICount = 0;
HMODULE hModHookDll;
PFNGETHOOKAPIS pfnGetHookAPIs;
hModHookDll = LoadLibraryW(szPatchDll);
if (hModHookDll == NULL)
{
return FALSE;
}
pfnGetHookAPIs = (PFNGETHOOKAPIS) GetProcAddress( hModHookDll, SHIM_GETHOOKAPIS );
if( pfnGetHookAPIs == NULL )
{
FreeLibrary( hModHookDll );
return FALSE;
}
pHookAPIs = (*pfnGetHookAPIs)(szCmdLine, Shim2PatchNewModules, &dwHookAPICount );
if( dwHookAPICount == 0 || pHookAPIs == NULL )
{
FreeLibrary( hModHookDll );
return FALSE;
}
AddHookAPIs( hModHookDll, pHookAPIs, dwHookAPICount,szIncExclDllList);
return TRUE;
} // _LoadPatchDll
// Re-enable build warnings.
#pragma warning( default : 4002 )