build/win32/crashinject.cpp

   1 /* ***** BEGIN LICENSE BLOCK *****
   2  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
   3  *
   4  * The contents of this file are subject to the Mozilla Public License Version
   5  * 1.1 (the "License"); you may not use this file except in compliance with
   6  * the License. You may obtain a copy of the License at
   7  * http://www.mozilla.org/MPL/
   8  *
   9  * Software distributed under the License is distributed on an "AS IS" basis,
  10  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11  * for the specific language governing rights and limitations under the
  12  * License.
  13  *
  14  * The Original Code is Crash Injection Utility
  15  *
  16  * The Initial Developer of the Original Code is
  17  * The Mozilla Foundation.
  18  * Portions created by the Initial Developer are Copyright (C) 2009
  19  * the Initial Developer. All Rights Reserved.
  20  *
  21  * Contributor(s):
  22  *   Ted Mielczarek <ted.mielczarek@gmail.com>
  23  *
  24  * Alternatively, the contents of this file may be used under the terms of
  25  * either the GNU General Public License Version 2 or later (the "GPL"), or
  26  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  27  * in which case the provisions of the GPL or the LGPL are applicable instead
  28  * of those above. If you wish to allow use of your version of this file only
  29  * under the terms of either the GPL or the LGPL, and not to allow others to
  30  * use your version of this file under the terms of the MPL, indicate your
  31  * decision by deleting the provisions above and replace them with the notice
  32  * and other provisions required by the GPL or the LGPL. If you do not delete
  33  * the provisions above, a recipient may use your version of this file under
  34  * the terms of any one of the MPL, the GPL or the LGPL.
  35  *
  36  * ***** END LICENSE BLOCK ***** */
  37
  38 /*
  39  * Given a PID, this program attempts to inject a DLL into the process
  40  * with that PID. The DLL it attempts to inject, "crashinjectdll.dll",
  41  * must exist alongside this exe. The DLL will then crash the process.
  42  */
  43 #include <stdio.h>
  44 #include <stdlib.h>
  45 #include <string.h>
  46 #include <windows.h>
  47
  48 int main(int argc, char** argv)
  49 {
  50   if (argc != 2) {
  51     fprintf(stderr, "Usage: crashinject <PID>\n");
  52     return 1;
  53   }
  54
  55   int pid = atoi(argv[1]);
  56   if (pid <= 0) {
  57     fprintf(stderr, "Usage: crashinject <PID>\n");
  58     return 1;
  59   }
  60
  61   // find our DLL to inject
  62   wchar_t filename[_MAX_PATH];
  63   if (GetModuleFileNameW(NULL, filename, sizeof(filename) / sizeof(wchar_t)) == 0)
  64     return 1;
  65
  66   wchar_t* slash = wcsrchr(filename, L'\\');
  67   if (slash == NULL)
  68     return 1;
  69
  70   slash++;
  71   wcscpy(slash, L"crashinjectdll.dll");
  72
  73   // now find our target process
  74   HANDLE targetProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD,
  75                                   FALSE,
  76                                   pid);
  77   if (targetProc == NULL) {
  78     fprintf(stderr, "Error %d opening target process\n", GetLastError());
  79     return 1;
  80   }
  81
  82   /*
  83    * This is sort of insane, but we're implementing a technique described here:
  84    * http://www.codeproject.com/KB/threads/winspy.aspx#section_2
  85    *
  86    * The gist is to use CreateRemoteThread to create a thread in the other
  87    * process, but cheat and make the thread function kernel32!LoadLibrary,
  88    * so that the only remote data we have to pass to the other process
  89    * is the path to the library we want to load. The library we're loading
  90    * will then do its dirty work inside the other process.
  91    */
  92   HMODULE hKernel32 = GetModuleHandleW(L"Kernel32");
  93   // allocate some memory to hold the path in the remote process
  94   void*   pLibRemote = VirtualAllocEx(targetProc, NULL, sizeof(filename),
  95                                       MEM_COMMIT, PAGE_READWRITE);
  96   if (pLibRemote == NULL) {
  97     fprintf(stderr, "Error %d in VirtualAllocEx\n", GetLastError());
  98     CloseHandle(targetProc);
  99     return 1;
 100   }
 101
 102   if (!WriteProcessMemory(targetProc, pLibRemote, (void*)filename,
 103                           sizeof(filename), NULL)) {
 104     fprintf(stderr, "Error %d in WriteProcessMemory\n", GetLastError());
 105     VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
 106     CloseHandle(targetProc);
 107     return 1;
 108   }
 109   // Now create a thread in the target process that will load our DLL
 110   HANDLE hThread = CreateRemoteThread(
 111                      targetProc, NULL, 0,
 112                      (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,
 113                                                             "LoadLibraryW"),
 114                      pLibRemote, 0, NULL);
 115   if (hThread == NULL) {
 116     fprintf(stderr, "Error %d in CreateRemoteThread\n", GetLastError());
 117     VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
 118     CloseHandle(targetProc);
 119     return 1;
 120   }
 121   WaitForSingleObject(hThread, INFINITE);
 122   // Cleanup, not that it's going to matter at this point
 123   CloseHandle(hThread);
 124   VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
 125   CloseHandle(targetProc);
 126
 127   return 0;
 128 }