//+--------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1993-1998
//
// File: ldrapeng.h
//
// Contents: App compat backend code
//
// History: 13-Oct-99 v-johnwh created
//
//---------------------------------------------------------------------------

#ifndef _SHIMENG_VEH_H_
#define _SHIMENG_VEH_H_
//
// Location of one patch application site.  Only the module-relative address
// is stored; it is presumably resolved to a flat 32-bit address with
// SevGetPatchAddress (which takes a PRELATIVE_MODULE_ADDRESS) — confirm in
// the .c.
//
typedef struct _SETACTIVATEADDRESS {
    RELATIVE_MODULE_ADDRESS rva;    // relative address where this patch data is to be applied.
} SETACTIVATEADDRESS, *PSETACTIVATEADDRESS;
//
// One entry in the singly linked list of patch hooks.  The hooked address is
// held as a DWORD, so this layout (like the thunk structs further down) is
// 32-bit x86 only.
//
typedef struct _HOOKPATCHINFO {
    DWORD               dwHookAddress;  // Address of a hooked function
    PSETACTIVATEADDRESS pData;          // Pointer to the real patch data
    PVOID               pThunkAddress;  // Pointer to the call thunk
    struct _HOOKPATCHINFO* pNextHook;   // next entry (presumably NULL-terminated list)
} HOOKPATCHINFO, *PHOOKPATCHINFO;
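//
// Flags used in the shim HOOKAPIs to track chaining
//
// The two high bits of the value are flag bits; HOOK_INDEX_MASK keeps the
// remaining low 30 bits (presumably an index — confirm against
// SevChainAPIHook in the .c).  HOOK_CHAINED (0x80000000) does not fit in an
// int, so it is an unsigned int constant and any expression mixing it with
// a signed value is evaluated as unsigned.
//
#define HOOK_CHAIN_TOP  0x40000000
#define HOOK_CHAINED    0x80000000
// Fully parenthesized so the mask is safe as an operand in any expression;
// the original expansion was an unparenthesized ~(...).
#define HOOK_INDEX_MASK (~(HOOK_CHAINED | HOOK_CHAIN_TOP))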
//
// x86 opcodes and sizes used in the thunk generation process
//
// Sizes are in bytes and are fixed by the x86 encodings of the instructions
// named below; the thunk builder is assumed to emit exactly these lengths at
// a hook site (confirm in SevBuildInjectionCode / SevFinishThunkInjection).
// All of this is 32-bit x86 specific.
//
#define CLI_OR_STI_SIZE          1      // cli (FA) / sti (FB): one opcode byte
#define CALL_REL_SIZE            5      // E8 + 4-byte relative displacement
#define JMP_SIZE                 7      // EA + 4-byte offset + 2-byte selector

#define X86_ABSOLUTE_FAR_JUMP    0xEA   // jmp ptr16:32 (absolute far jump)
#define X86_REL_CALL_OPCODE      0xE8   // call rel32
#define X86_CALL_OPCODE          0xFF   // first byte of call [mem32] ...
#define X86_CALL_OPCODE2         0x15   // ... FF 15 disp32 (6 bytes, cf. SHIMJMP.CALLROUTINE)
#define REASON_APIHOOK           0xFA   // API hook (also the cli opcode byte)
#define REASON_PATCHHOOK         0xFB   // patch hook (also the sti opcode byte)
//
// Flags used in maintaining state information about our module/DLL filtering
//
// Bit flags combined in MODULEFILTER.dwFlags.  The meaning of each bit is
// inferred from its name only — confirm against SevBuildFilterException /
// SevFilterCaller in the .c.
//
#define MODFILTER_INCLUDE        0x01   // filter includes matching callers
#define MODFILTER_EXCLUDE        0x02   // filter excludes matching callers
#define MODFILTER_DLL            0x04   // filter describes a DLL module
#define MODFILTER_GLOBAL         0x08   // filter is global (cf. SevValidateGlobalFilter)
//
// Describes one module (an address range) whose calls into a hooked API are
// to be included or excluded.  Entries are threaded twice: pNextFilter walks
// the whole list, pNextLBFilter walks only the late-bound DLLs.  Addresses
// are DWORD, i.e. 32-bit x86 only.
//
typedef struct _MODULEFILTER
{
    DWORD dwModuleStart;    // Starting address of the module to filter
    DWORD dwModuleEnd;      // Ending address of the module to filter
    DWORD dwCallerOffset;   // Offset added to beginning of module to form the caller's address
    DWORD dwCallerAddress;  // Caller address to operate upon
    DWORD dwFlags;          // Flags which define what this filter does (MODFILTER_* bits)
    WCHAR wszModuleName[96];    // fixed 96-WCHAR buffer: every copy into it must be bounded
    struct _MODULEFILTER *pNextFilter;    // Used to iterate the module filter normally
    struct _MODULEFILTER *pNextLBFilter;  // Used to iterate the late bound DLLs
} MODULEFILTER, *PMODULEFILTER;
//
// One frame of the per-call chain: which API was entered and where control
// should go back to afterwards.  Pairing with SevPushCaller (pAPIAddress,
// pReturnAddress) / SevPopCaller and with the SHIMRET thunk is inferred from
// the parameter names — confirm in the .c.
//
typedef struct _CHAININFO
{
    PVOID pAPI;                     // address of the hooked API
    PVOID pReturn;                  // return address saved for that call
    struct _CHAININFO *pNextChain;  // next (outer) frame
} CHAININFO, *PCHAININFO;
//
// One hooked API: where the hook was applied, the top of its HOOKAPI chain,
// the call thunk that redirects into the shim, and the module the API came
// from.  Entries form a doubly linked list (pNextHook / pPrevHook).
//
typedef struct _HOOKAPIINFO
{
    DWORD    dwAPIHookAddress;   // Address of a hooked function
    PHOOKAPI pTopLevelAPIChain;  // Top level hook address
    PVOID    pCallThunkAddress;  // call thunk for this API (cf. SHIMJMP)
    WCHAR    wszModuleName[32];  // fixed 32-WCHAR buffer: every copy into it must be bounded
    struct _HOOKAPIINFO *pNextHook;  // next entry in the list
    struct _HOOKAPIINFO *pPrevHook;  // previous entry in the list
} HOOKAPIINFO, *PHOOKAPIINFO;
#pragma pack(push, 1)
//
// Byte image of the call thunk for a hooked API.  It sits under the
// #pragma pack(push, 1) above so the fields form one contiguous x86
// instruction stream; read top to bottom it is:
//
//      pushad                  save all eight registers (32 bytes)
//      mov  ebp, esp           ebp -> the saved-register frame
//      mov  eax, dwval         32-bit constant patched in by the builder
//      push eax
//      lea  eax, [ebp + 0x20]  address of the dword just above the frame
//      push eax                (presumably the return address pushed by the
//                               call into this thunk — confirm in the .c)
//      call [address]          absolute 32-bit address patched in
//      mov  [esp + 0x1c], eax  store the result into the saved-eax slot
//      popad                   ... so eax now holds the routine's result
//      add  esp, 4             discard the dword whose address was passed
//      jmp  eax                continue wherever the routine said
//
// NOTE(review): the [esp+0x1c] store hits the saved-eax slot only if the
// callee has already popped its two arguments (stdcall); with a cdecl callee
// it would overwrite the saved-edx slot instead.  Verify the convention of
// the routine patched into CALLROUTINE.
// NOTE(review): the original comment on LEAEAXEBPPLUS20 gave the bytes as
// "8f 45 20"; lea r32, m is opcode 8D (8F /0 is pop r/m32), so check the
// bytes the thunk builder actually writes.
//
typedef struct _SHIMJMP
{
    BYTE PUSHAD;               //pushad (60)
    BYTE MOVEBPESP[2];         //mov ebp, esp (8b, ec)
    BYTE MOVEAXDWVAL[5];       //mov eax, dwval (b8 dword val)
    BYTE PUSHEAX;              //push eax (50)
    BYTE LEAEAXEBPPLUS20[3];   //lea eax, [ebp + 20] (8d 45 20 — see note above)
    BYTE PUSHEAX2;             //push eax (50)
    BYTE CALLROUTINE[6];       //call [address] (ff15 dword address)
    BYTE MOVESPPLUS1CEAX[4];   //mov [esp+0x1c],eax (89 44 24 1c)
    BYTE POPAD;                //popad (61)
    BYTE ADDESPPLUS4[3];       //add esp, 0x4 (83 c4 04)
    BYTE JMPEAX[2];            //jmp eax (ff e0)
} SHIMJMP, *PSHIMJMP;
//
// Byte image of the return thunk (packed, see #pragma pack above):
//
//      push eax                reserve a dword above the frame (keeps eax)
//      pushad
//      call [address]          no arguments pushed by the thunk; result in eax
//      mov  [esp + 0x20], eax  overwrite the reserved dword with the result
//      popad                   restores the original eax
//      ret                     pops that dword -> jumps to the result
//
// Net effect: every register is preserved and execution resumes at the
// address the routine returned — presumably the caller's real return
// address recovered via SevPopCaller (confirm in the .c).  The 0x20 offset
// assumes the callee leaves esp where pushad left it.
//
typedef struct _SHIMRET
{
    BYTE PUSHEAX;              //push eax (50)
    BYTE PUSHAD;               //pushad (60)
    BYTE CALLROUTINE[6];       //call [address] (ff15 dword address)
    BYTE MOVESPPLUS20EAX[4];   //mov [esp+0x20],eax (89 44 24 20)
    BYTE POPAD;                //popad (61)
    BYTE RET;                  //ret (c3)
} SHIMRET, *PSHIMRET;
#pragma pack(pop)
//
// Pointer to a routine with the LdrLoadDll signature.  StubLdrLoadDll in
// this header has the same parameter list, so presumably the original entry
// point is saved through this type while the stub is installed in its place
// — confirm in the .c.
//
typedef NTSTATUS (*PFNLDRLOADDLL)(
    IN PWSTR DllPath OPTIONAL,              // search path; may be NULL
    IN PULONG DllCharacteristics OPTIONAL,  // may be NULL
    IN PUNICODE_STRING DllName,
    OUT PVOID *DllHandle                    // receives the module handle
    );
//
// Pointer to a routine with the LdrUnloadDll signature; StubLdrUnloadDll
// below mirrors it (same role as PFNLDRLOADDLL / StubLdrLoadDll, presumably).
//
typedef NTSTATUS (*PFNLDRUNLOADDLL) (
    IN PVOID DllHandle                      // handle returned by the load routine
    );
//
// Pointer to a routine with the RtlAllocateHeap signature.  Returns the
// allocation or NULL; callers are expected to check the result.
//
typedef PVOID (*PFNRTLALLOCATEHEAP)(
    IN PVOID HeapHandle,
    IN ULONG Flags,
    IN SIZE_T Size
    );
//
// Pointer to a routine with the RtlFreeHeap signature; BaseAddress must be a
// block previously returned by the matching allocate routine on HeapHandle.
//
typedef BOOLEAN (*PFNRTLFREEHEAP)(
    IN PVOID HeapHandle,
    IN ULONG Flags,
    IN PVOID BaseAddress
    );
//
// Engine entry points.  Everything below is a declaration only; the
// semantics noted here are inferred from names and parameter lists and
// should be confirmed against the implementation.  Addresses are 32-bit
// (DWORD / PVOID on x86).
//

// Initialise the engine's shim data; *pShimData receives the block.
NTSTATUS
SevInitializeData(
    PAPP_COMPAT_SHIM_INFO *pShimData);

// Apply one patch primitive; pPatch points at its byte encoding.  The
// implementation must validate the encoding before acting on it.
NTSTATUS
SevExecutePatchPrimitive(
    PBYTE pPatch);

// Resolve a module-relative address to a flat 32-bit address.
DWORD
SevGetPatchAddress(
    PRELATIVE_MODULE_ADDRESS pRelAddress);

// Validate the global module filter (cf. MODFILTER_GLOBAL); no inputs, no result.
VOID
SevValidateGlobalFilter(
    VOID);

// Complete installation of the dwThunkSize-byte thunk pThunk at dwAddress.
// jReason is REASON_APIHOOK or REASON_PATCHHOOK.  Presumably this writes
// into executable code, so the page-protection change and its failure
// must be handled by the implementation.
NTSTATUS
SevFinishThunkInjection(
    DWORD dwAddress,
    PVOID pThunk,
    DWORD dwThunkSize,
    BYTE jReason);

// Fill in pModFilter from the shim database hSDB for tag trInclude;
// *pbLateBound is set when the module is not yet loaded (late bound).
NTSTATUS
SevBuildFilterException(
    HSDB hSDB,
    TAGREF trInclude,
    PMODULEFILTER pModFilter,
    BOOL* pbLateBound);

// Build the filter list for the EXE tag trExe covering dwDllCount DLLs.
NTSTATUS
SevBuildExeFilter(
    HSDB hSDB,
    TAGREF trExe,
    DWORD dwDllCount);

// Generate the injection code for a hook at pAddress; returns the thunk and
// stores its size in *pdwThunkSize (needed for SevFinishThunkInjection).
PVOID
SevBuildInjectionCode(
    PVOID pAddress,
    PDWORD pdwThunkSize);

// Add a filter exception for the DLL at wszDLLPath to pModFilter.  Note
// MODULEFILTER.wszModuleName holds only 96 WCHARs — the copy must be bounded.
NTSTATUS
SevAddShimFilterException(
    WCHAR* wszDLLPath,
    PMODULEFILTER pModFilter);

// Chain pAPIHook onto the hook at dwHookEntryPoint via pThunk; the
// HOOK_CHAINED / HOOK_CHAIN_TOP bookkeeping presumably lives here.
NTSTATUS
SevChainAPIHook(
    DWORD dwHookEntryPoint,
    PVOID pThunk,
    PHOOKAPI pAPIHook);

// Using pFilterList, decide whether the caller of pFunctionAddress (the
// fault being at pExceptionAddress) should continue at the shim stub
// (pStubAddress) or at the call thunk (pCallThunkAddress); returns the
// address to continue at.
PVOID
SevFilterCaller(
    PMODULEFILTER pFilterList,
    PVOID pFunctionAddress,
    PVOID pExceptionAddress,
    PVOID pStubAddress,
    PVOID pCallThunkAddress);

// Push / pop one CHAININFO frame (API address + the caller's return
// address).  SevPopCaller returns the saved return address; cf. SHIMRET.
NTSTATUS
SevPushCaller(
    PVOID pAPIAddress,
    PVOID pReturnAddress);

PVOID
SevPopCaller(
    VOID);

// Replacements with exactly the LdrLoadDll / LdrUnloadDll parameter lists
// (PFNLDRLOADDLL / PFNLDRUNLOADDLL above), presumably installed in their
// place so late-bound DLLs can be filtered as they are loaded.
NTSTATUS
StubLdrLoadDll(
    IN PWSTR DllPath OPTIONAL,
    IN PULONG DllCharacteristics OPTIONAL,
    IN PUNICODE_STRING DllName,
    OUT PVOID* DllHandle);

NTSTATUS
StubLdrUnloadDll(
    IN PVOID DllHandle);

// Fix up the dwHookCount entries of pHookArray whose targets are now
// available; per-entry counts come from pdwNumberHooksArray and
// *pdwUnhookedCount receives how many remain unhooked.
NTSTATUS
SevFixupAvailableProcs(
    DWORD dwHookCount,
    PHOOKAPI* pHookArray,
    PDWORD pdwNumberHooksArray,
    PDWORD pdwUnhookedCount);

// Vectored exception handler (PVECTORED_EXCEPTION_HANDLER signature):
// presumably services the faults raised at hook sites (cf. REASON_*) and
// returns EXCEPTION_CONTINUE_EXECUTION or EXCEPTION_CONTINUE_SEARCH.  It
// runs on any thread in the middle of arbitrary code, so it must be
// reentrancy-safe and must check the exception code before treating the
// fault as one of its own.
LONG
SevExceptionHandler(
    struct _EXCEPTION_POINTERS *ExceptionInfo);
#endif // _SHIMENG_VEH_H_