| blob | ab11935a25da31db5410c069878649b4eb4b7fde |
1 /*
2 Module : HookImportFunction.cpp
3 Purpose: Defines the implementation for code to hook a call to any imported Win32 SDK
4 Created: PJN / 23-10-1999
5 History: PJN / 01-01-2001 1. Now includes copyright message in the source code and documentation.
6 2. Fixed an access violation in where I was getting the name of the import
7 function but not checking for failure.
8 3. Fixed a compiler error where I was incorrectly casting to a PDWORD instead
9 of a DWORD
10 PJN / 20-04-2002 1. Fixed a potential infinite loop in HookImportFunctionByName. Thanks to
11 David Defoort for spotting this problem.
13 Copyright (c) 1996 - 2002 by PJ Naughter. (Web: www.naughter.com, Email: pjna@naughter.com)
15 All rights reserved.
17 Copyright / Usage Details:
19 You are allowed to include the source code in any product (commercial, shareware, freeware or otherwise)
20 when your product is released in binary form. You are allowed to modify the source code in any way you want
21 except you cannot modify the copyright details at the top of each module. If you want to distribute source
22 code with your application, then you are only allowed to distribute versions released by the author. This is
23 to maintain a single distribution point for the source code.
25 */
28 ////////////////// Includes ////////////////////////////////////
30 #include <windows.h>
33 #define ASSERT(e)
34 #define VERIFY(e) e
35 #define TRACE0(s) OutputDebugString(s)
36 #define _T(s) s
38 ////////////////// Defines / Locals ////////////////////////////
40 #ifdef _DEBUG
41 #define new DEBUG_NEW
42 #undef THIS_FILE
44 #endif
46 #define MakePtr(cast, ptr, AddValue) (cast)((DWORD)(ptr)+(DWORD)(AddValue))
52 ////////////////// Implementation //////////////////////////////
56 {
57 // Double check the parameters.
62 #ifdef _DEBUG
68 //Check each function name in the hook array.
70 {
74 //If the proc is not NULL, then it is checked.
77 }
78 #endif
80 //Do the parameter validation for real.
81 if (uiCount == 0 || szImportMod == NULL || IsBadReadPtr(paHookArray, sizeof(HOOKFUNCDESC)* uiCount))
82 {
86 }
89 {
93 }
96 {
100 }
102 //Is this a system DLL, which Windows95 will not let you patch
103 //since it is above the 2GB line?
105 {
106 #ifdef _DEBUG
107 CString sMsg;
108 sMsg.Format(_T("Could not hook module %x because we are on Win9x and it is in shared memory\n"), hModule);
110 #endif
113 }
115 //TODO TODO
116 // Should each item in the hook array be checked in release builds?
121 //Get the specific import descriptor.
128 {
132 }
134 //Set all the values in paOrigFuncs to NULL.
138 //Get the original thunk information for this DLL. I cannot use
139 // the thunk information stored in the pImportDesc->FirstThunk
140 // because the that is the array that the loader
141 // has already bashed to fix up all the imports.
142 // This pointer gives us acess to the function names.
143 PIMAGE_THUNK_DATA pOrigThunk = MakePtr(PIMAGE_THUNK_DATA, hModule, pImportDesc->OriginalFirstThunk);
145 //Get the array pointed to by the pImportDesc->FirstThunk.
146 // This is where I will do the actual bash.
149 //Loop through and look for the one that matches the name.
151 // Increment both tables.
153 {
154 //Only look at those that are imported by name, not ordinal.
158 //Look get the name of this imported function.
159 PIMAGE_IMPORT_BY_NAME pByName = MakePtr(PIMAGE_IMPORT_BY_NAME, hModule, pOrigThunk->u1.AddressOfData);
162 {
165 }
167 //If the name starts with NULL, then just skip to next.
171 //Determines if we do the hook.
174 //TODO {
175 // Might want to consider bsearch here.
176 //TODO }
177 //See if the particular function name is in the import
178 // list. It might be good to consider requiring the
179 // paHookArray to be in sorted order so bsearch could be
180 // used so the lookup will be faster. However, the size of
181 // uiCount coming into this function should be rather small
182 // but it is called for each function imported by szImportMod.
184 {
187 {
188 //If the proc is NULL, kick out, otherwise
189 // go ahead and hook it.
193 }
194 }
199 // I found it. Now I need to change the protection to
200 // writable before I do the blast. Note that I am now
201 // blasting into the real thunk area!
202 MEMORY_BASIC_INFORMATION mbi_thunk;
204 VERIFY(VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, PAGE_READWRITE, &mbi_thunk.Protect));
206 // Get fast/simple pointer
209 {
212 }
214 {
218 }
219 //Save the original address if requested.
221 {
223 {
227 }
229 {
231 {
233 {
237 }
238 }
240 }
241 }
242 //Do the actual hook.
245 //Increment the total number hooked.
249 //Change the protection back to what it was before I blasted.
250 DWORD dwOldProtect;
251 VERIFY(VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, &dwOldProtect));
252 }
253 //All OK, JumpMaster!
256 }
259 {
260 //Always check parameters.
264 {
268 }
270 //Get the Dos header.
273 // Is this the MZ header?
274 if (IsBadReadPtr(pDOSHeader, sizeof(IMAGE_DOS_HEADER)) || (pDOSHeader->e_magic != IMAGE_DOS_SIGNATURE))
275 {
276 #ifdef _DEBUG
277 CString sMsg;
280 #endif
283 }
285 // Get the PE header.
288 //Is this a real PE image?
289 if (IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) || (pNTHeader->Signature != IMAGE_NT_SIGNATURE))
290 {
294 }
296 //If there is no imports section, leave now.
300 // Get the pointer to the imports section.
301 PIMAGE_IMPORT_DESCRIPTOR pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, pDOSHeader, pNTHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
303 //Loop through the import module descriptors looking for the module whose name matches szImportMod.
305 {
310 //Look at the next one.
311 pImportDesc++;
312 }
314 //If the name is NULL, then the module is not imported.
318 //All OK, Jumpmaster!
320 }
323 {
324 OSVERSIONINFO stOSVI;
331 {
334 }
336 //Check the version and call the appropriate thing.
338 }