Windows-Server-2003/sdktools/profiler/inject.c

#include <windows.h>
#include "inject.h"
#include "profiler.h"

BOOL g_bIsWin9X = FALSE;
CHAR g_fnFinalizeInjection[MAX_PATH];
HINSTANCE g_hProfileDLL = 0;

HANDLE
InjectDLL(DWORD dwEntryPoint,
          HANDLE hProcess,
          LPSTR  pszDLLName)
{
    CHAR szTempPath[MAX_PATH];
    HMODULE hKernel32;
    BOOL bResult = FALSE;
    INJECTIONSTUB injStub;
    DWORD dwLoadLibrary;
    DWORD dwGetProcAddress;
    DWORD dwBytesWritten;
    DWORD dwBytesRead;
    DWORD dwOldProtect;
    DWORD dwOldProtect2;
    PBYTE pSharedMem = 0;
    HANDLE hFileMap = 0;

    hKernel32 =  GetModuleHandle("KERNEL32.DLL");
    dwLoadLibrary = (DWORD)GetProcAddress(hKernel32,
                                          "LoadLibraryA");
    if (0 == dwLoadLibrary) {
       bResult = FALSE;
       goto handleerror;
    }

    dwGetProcAddress = (DWORD)GetProcAddress(hKernel32,
                                             "GetProcAddress");
    if (0 == dwGetProcAddress) {
       bResult = FALSE;
       goto handleerror;
    }

    //
    // Initialize the asm for the stub
    //
    injStub.pCode[0] = 0x90;  // int 3 or nop
    injStub.pCode[1] = 0x60;  // pushad
    injStub.pCode[2] = 0x8d;  // lea eax, [xxxxxxxx]
    injStub.pCode[3] = 0x05;
    *(DWORD *)(&(injStub.pCode[4])) = dwEntryPoint + (DWORD)&(injStub.szDLLName) - (DWORD)&injStub;
    injStub.pCode[8] = 0x50;  // push eax
    injStub.pCode[9] = 0xff;  // call dword ptr [xxxxxxxx] - LoadLibraryA
    injStub.pCode[10] = 0x15;
    *(DWORD *)(&(injStub.pCode[11])) = dwEntryPoint + 50;
    injStub.pCode[15] = 0x50; // push eax
    injStub.pCode[16] = 0x5b; // pop ebx
    injStub.pCode[17] = 0x8d; // lea eax, [xxxxxxxx]
    injStub.pCode[18] = 0x05;
    *(DWORD *)(&(injStub.pCode[19])) = dwEntryPoint + (DWORD)&(injStub.szEntryPoint) - (DWORD)&injStub;
    injStub.pCode[23] = 0x50; // push eax  // module base
    injStub.pCode[24] = 0x53; // push ebx  // function name
    injStub.pCode[25] = 0xff; // call dword ptr [xxxxxxxx] - GetProcAddress
    injStub.pCode[26] = 0x15;
    *(DWORD *)(&(injStub.pCode[27])) = dwEntryPoint + 54;
    injStub.pCode[31] = 0xff;
    injStub.pCode[32] = 0xd0;
    *(DWORD *)(&(injStub.pCode[50])) = dwLoadLibrary;
    *(DWORD *)(&(injStub.pCode[54])) = dwGetProcAddress;

    //
    // Create the file mapping object from the paging file
    //
    hFileMap = CreateFileMapping(INVALID_HANDLE_VALUE,
                                 NULL,
                                 PAGE_READWRITE,
                                 0,
                                 sizeof(INJECTIONSTUB),
                                 "ProfilerSharedMem");
    if (0 == hFileMap) {
       bResult = FALSE;
       goto handleerror;
    }

    pSharedMem = (PBYTE)MapViewOfFile(hFileMap,
                                      FILE_MAP_ALL_ACCESS,
                                      0,
                                      0,
                                      sizeof(INJECTIONSTUB));
    if (0 == pSharedMem) {
       bResult = FALSE;
       goto handleerror;
    }

    //
    // Initialize injection stub
    //
    strcpy(injStub.szDLLName, pszDLLName);
    strcpy(injStub.szEntryPoint, DEFAULT_ENTRY_POINT);

    bResult = ReadProcessMemory(hProcess,
 	                       (LPVOID)dwEntryPoint,
 			       (PVOID)pSharedMem,
			       sizeof(INJECTIONSTUB),
			       &dwBytesRead);	                  
    if (FALSE == bResult) {
       bResult = FALSE;
       goto handleerror;
    }  

    //
    // Write the stub code into the entry point
    //
    bResult = WriteProcessMemory(hProcess,
 	                        (LPVOID)dwEntryPoint,
 				(PVOID)&injStub,
				sizeof(INJECTIONSTUB),
 				&dwBytesWritten);	                  
    if (FALSE == bResult) {
       bResult = FALSE;
       goto handleerror;
    }

handleerror:

    return hFileMap;
}

VOID
RestoreImageFromInjection(VOID)
{
    PIMAGE_NT_HEADERS pHeaders = 0;
    BOOL bResult;
    BOOL bError = FALSE;
    PVOID pBase = 0;
    DWORD dwEntryPoint;
    DWORD dwBytesRead;
    DWORD dwBytesWritten;
    PINJECTIONSTUB pInjStub;
    HANDLE hFileMap = 0;
    PBYTE pSharedMem = 0;
    OSVERSIONINFO verInfo;

    //
    // Get the entry point from the headers
    //
    pBase = (PVOID)GetModuleHandle(0);
    if (0 == pBase) {
       bError = TRUE;
       goto handleerror;
    }

    //
    // Dig out the PE information
    //
    pHeaders = ImageNtHeader2(pBase);
    if (0 == pHeaders) {
       bError = TRUE;
       goto handleerror;
    }

    dwEntryPoint = pHeaders->OptionalHeader.ImageBase + pHeaders->OptionalHeader.AddressOfEntryPoint;
    pInjStub = (PINJECTIONSTUB)dwEntryPoint;

    //
    // Open the memory mapped file and get the bits
    //
    hFileMap = OpenFileMapping(FILE_MAP_ALL_ACCESS,
                               FALSE,
                               "ProfilerSharedMem");

    if (0 == hFileMap) {
       bError = TRUE;
       goto handleerror;
    }

    pSharedMem = (PBYTE)MapViewOfFile(hFileMap,
                                      FILE_MAP_ALL_ACCESS,
                                      0,
                                      0,
                                      0);
    if (0 == pSharedMem) {
       bError = TRUE;
       goto handleerror;
    }

    //
    // Replace the bits
    //
    bResult = WriteProcessMemory(GetCurrentProcess(),
                                 (PVOID)dwEntryPoint,
                                 (PVOID)pSharedMem,
                                 sizeof(INJECTIONSTUB),
                                 &dwBytesWritten);
    if (FALSE == bResult) {
       bError = TRUE;
       goto handleerror;
    }

    //
    // Set the OS information
    //
    ZeroMemory(&verInfo, sizeof(OSVERSIONINFO));
    
    verInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    bResult = GetVersionExA(&verInfo);
    if (FALSE == bResult) {
       bError = TRUE;
       goto handleerror;
    }

    if (VER_PLATFORM_WIN32_NT == verInfo.dwPlatformId) {
       g_bIsWin9X = FALSE;
    }
    else if (VER_PLATFORM_WIN32_WINDOWS == verInfo.dwPlatformId) {
       g_bIsWin9X = TRUE;
    }
    else {
       //
       // Unsupported platform
       //
       ExitProcess(-1);
    }

    //
    // Finish profiler initializations
    //
    bResult = InitializeProfiler();
    if (FALSE == bResult) {
       bError = TRUE;
       goto handleerror;
    }
    
handleerror:

    if (TRUE == bError) {
       ExitProcess(-1);
    }

    return;
}
Initiall commit 2024-08-04 01:28:15 +02:00			`#include <windows.h>`
			`#include "inject.h"`
			`#include "profiler.h"`

			`BOOL g_bIsWin9X = FALSE;`
			`CHAR g_fnFinalizeInjection[MAX_PATH];`
			`HINSTANCE g_hProfileDLL = 0;`

			`HANDLE`
			`InjectDLL(DWORD dwEntryPoint,`
			`HANDLE hProcess,`
			`LPSTR pszDLLName)`
			`{`
			`CHAR szTempPath[MAX_PATH];`
			`HMODULE hKernel32;`
			`BOOL bResult = FALSE;`
			`INJECTIONSTUB injStub;`
			`DWORD dwLoadLibrary;`
			`DWORD dwGetProcAddress;`
			`DWORD dwBytesWritten;`
			`DWORD dwBytesRead;`
			`DWORD dwOldProtect;`
			`DWORD dwOldProtect2;`
			`PBYTE pSharedMem = 0;`
			`HANDLE hFileMap = 0;`

			`hKernel32 = GetModuleHandle("KERNEL32.DLL");`
			`dwLoadLibrary = (DWORD)GetProcAddress(hKernel32,`
			`"LoadLibraryA");`
			`if (0 == dwLoadLibrary) {`
			`bResult = FALSE;`
			`goto handleerror;`
			`}`

			`dwGetProcAddress = (DWORD)GetProcAddress(hKernel32,`
			`"GetProcAddress");`
			`if (0 == dwGetProcAddress) {`
			`bResult = FALSE;`
			`goto handleerror;`
			`}`

			`//`
			`// Initialize the asm for the stub`
			`//`
			`injStub.pCode[0] = 0x90; // int 3 or nop`
			`injStub.pCode[1] = 0x60; // pushad`
			`injStub.pCode[2] = 0x8d; // lea eax, [xxxxxxxx]`
			`injStub.pCode[3] = 0x05;`
			`(DWORD )(&(injStub.pCode[4])) = dwEntryPoint + (DWORD)&(injStub.szDLLName) - (DWORD)&injStub;`
			`injStub.pCode[8] = 0x50; // push eax`
			`injStub.pCode[9] = 0xff; // call dword ptr [xxxxxxxx] - LoadLibraryA`
			`injStub.pCode[10] = 0x15;`
			`(DWORD )(&(injStub.pCode[11])) = dwEntryPoint + 50;`
			`injStub.pCode[15] = 0x50; // push eax`
			`injStub.pCode[16] = 0x5b; // pop ebx`
			`injStub.pCode[17] = 0x8d; // lea eax, [xxxxxxxx]`
			`injStub.pCode[18] = 0x05;`
			`(DWORD )(&(injStub.pCode[19])) = dwEntryPoint + (DWORD)&(injStub.szEntryPoint) - (DWORD)&injStub;`
			`injStub.pCode[23] = 0x50; // push eax // module base`
			`injStub.pCode[24] = 0x53; // push ebx // function name`
			`injStub.pCode[25] = 0xff; // call dword ptr [xxxxxxxx] - GetProcAddress`
			`injStub.pCode[26] = 0x15;`
			`(DWORD )(&(injStub.pCode[27])) = dwEntryPoint + 54;`
			`injStub.pCode[31] = 0xff;`
			`injStub.pCode[32] = 0xd0;`
			`(DWORD )(&(injStub.pCode[50])) = dwLoadLibrary;`
			`(DWORD )(&(injStub.pCode[54])) = dwGetProcAddress;`

			`//`
			`// Create the file mapping object from the paging file`
			`//`
			`hFileMap = CreateFileMapping(INVALID_HANDLE_VALUE,`
			`NULL,`
			`PAGE_READWRITE,`
			`0,`
			`sizeof(INJECTIONSTUB),`
			`"ProfilerSharedMem");`
			`if (0 == hFileMap) {`
			`bResult = FALSE;`
			`goto handleerror;`
			`}`

			`pSharedMem = (PBYTE)MapViewOfFile(hFileMap,`
			`FILE_MAP_ALL_ACCESS,`
			`0,`
			`0,`
			`sizeof(INJECTIONSTUB));`
			`if (0 == pSharedMem) {`
			`bResult = FALSE;`
			`goto handleerror;`
			`}`

			`//`
			`// Initialize injection stub`
			`//`
			`strcpy(injStub.szDLLName, pszDLLName);`
			`strcpy(injStub.szEntryPoint, DEFAULT_ENTRY_POINT);`

			`bResult = ReadProcessMemory(hProcess,`
			`(LPVOID)dwEntryPoint,`
			`(PVOID)pSharedMem,`
			`sizeof(INJECTIONSTUB),`
			`&dwBytesRead);`
			`if (FALSE == bResult) {`
			`bResult = FALSE;`
			`goto handleerror;`
			`}`

			`//`
			`// Write the stub code into the entry point`
			`//`
			`bResult = WriteProcessMemory(hProcess,`
			`(LPVOID)dwEntryPoint,`
			`(PVOID)&injStub,`
			`sizeof(INJECTIONSTUB),`
			`&dwBytesWritten);`
			`if (FALSE == bResult) {`
			`bResult = FALSE;`
			`goto handleerror;`
			`}`

			`handleerror:`

			`return hFileMap;`
			`}`

			`VOID`
			`RestoreImageFromInjection(VOID)`
			`{`
			`PIMAGE_NT_HEADERS pHeaders = 0;`
			`BOOL bResult;`
			`BOOL bError = FALSE;`
			`PVOID pBase = 0;`
			`DWORD dwEntryPoint;`
			`DWORD dwBytesRead;`
			`DWORD dwBytesWritten;`
			`PINJECTIONSTUB pInjStub;`
			`HANDLE hFileMap = 0;`
			`PBYTE pSharedMem = 0;`
			`OSVERSIONINFO verInfo;`

			`//`
			`// Get the entry point from the headers`
			`//`
			`pBase = (PVOID)GetModuleHandle(0);`
			`if (0 == pBase) {`
			`bError = TRUE;`
			`goto handleerror;`
			`}`

			`//`
			`// Dig out the PE information`
			`//`
			`pHeaders = ImageNtHeader2(pBase);`
			`if (0 == pHeaders) {`
			`bError = TRUE;`
			`goto handleerror;`
			`}`

			`dwEntryPoint = pHeaders->OptionalHeader.ImageBase + pHeaders->OptionalHeader.AddressOfEntryPoint;`
			`pInjStub = (PINJECTIONSTUB)dwEntryPoint;`

			`//`
			`// Open the memory mapped file and get the bits`
			`//`
			`hFileMap = OpenFileMapping(FILE_MAP_ALL_ACCESS,`
			`FALSE,`
			`"ProfilerSharedMem");`

			`if (0 == hFileMap) {`
			`bError = TRUE;`
			`goto handleerror;`
			`}`

			`pSharedMem = (PBYTE)MapViewOfFile(hFileMap,`
			`FILE_MAP_ALL_ACCESS,`
			`0,`
			`0,`
			`0);`
			`if (0 == pSharedMem) {`
			`bError = TRUE;`
			`goto handleerror;`
			`}`

			`//`
			`// Replace the bits`
			`//`
			`bResult = WriteProcessMemory(GetCurrentProcess(),`
			`(PVOID)dwEntryPoint,`
			`(PVOID)pSharedMem,`
			`sizeof(INJECTIONSTUB),`
			`&dwBytesWritten);`
			`if (FALSE == bResult) {`
			`bError = TRUE;`
			`goto handleerror;`
			`}`

			`//`
			`// Set the OS information`
			`//`
			`ZeroMemory(&verInfo, sizeof(OSVERSIONINFO));`

			`verInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);`
			`bResult = GetVersionExA(&verInfo);`
			`if (FALSE == bResult) {`
			`bError = TRUE;`
			`goto handleerror;`
			`}`

			`if (VER_PLATFORM_WIN32_NT == verInfo.dwPlatformId) {`
			`g_bIsWin9X = FALSE;`
			`}`
			`else if (VER_PLATFORM_WIN32_WINDOWS == verInfo.dwPlatformId) {`
			`g_bIsWin9X = TRUE;`
			`}`
			`else {`
			`//`
			`// Unsupported platform`
			`//`
			`ExitProcess(-1);`
			`}`

			`//`
			`// Finish profiler initializations`
			`//`
			`bResult = InitializeProfiler();`
			`if (FALSE == bResult) {`
			`bError = TRUE;`
			`goto handleerror;`
			`}`

			`handleerror:`

			`if (TRUE == bError) {`
			`ExitProcess(-1);`
			`}`

			`return;`
			`}`