ReactOS 0.4.15-dev-7931-gfd331f1
Macros | Functions
vmhorizon.c File Reference
#include <windef.h>
#include <winbase.h>
#include <shimlib.h>
#include "ntndk.h"
#include <setup_shim.inl>
#include <implement_shim.inl>
Include dependency graph for vmhorizon.c:

Go to the source code of this file.

Macros

#define WIN32_NO_STATUS
 
#define OFFSET_1   0x21A6E
 
#define OFFSET_2   0x21B04
 
#define OFFSET_3   0x21C3C
 
#define SHIM_NS   VMHorizonSetup
 
#define SHIM_NUM_HOOKS   0
 
#define SHIM_NOTIFY_FN   SHIM_OBJ_NAME(Notify)
 

Functions

static BOOL Write (PBYTE Address, PBYTE Data, SIZE_T Size)
 
static void FixupDll (PLDR_DATA_TABLE_ENTRY LdrEntry)
 
static BOOLEAN PostfixUnicodeString (const UNICODE_STRING *String1, const UNICODE_STRING *String2)
 
BOOL WINAPI SHIM_OBJ_NAME() Notify (DWORD fdwReason, PVOID ptr)
 

Macro Definition Documentation

◆ OFFSET_1

#define OFFSET_1   0x21A6E

◆ OFFSET_2

#define OFFSET_2   0x21B04

◆ OFFSET_3

#define OFFSET_3   0x21C3C

◆ SHIM_NOTIFY_FN

#define SHIM_NOTIFY_FN   SHIM_OBJ_NAME(Notify)

Definition at line 114 of file vmhorizon.c.

◆ SHIM_NS

#define SHIM_NS   VMHorizonSetup

Definition at line 110 of file vmhorizon.c.

◆ SHIM_NUM_HOOKS

#define SHIM_NUM_HOOKS   0

Definition at line 113 of file vmhorizon.c.

◆ WIN32_NO_STATUS

#define WIN32_NO_STATUS

Definition at line 9 of file vmhorizon.c.

Function Documentation

◆ FixupDll()

static void FixupDll ( PLDR_DATA_TABLE_ENTRY  LdrEntry)
static

Definition at line 32 of file vmhorizon.c.

33{
34 static const UCHAR Match1[5] = { 0x0C, 0x8B, 0xFC, 0xF3, 0xA5 };
35 static const UCHAR Match2[5] = { 0x0C, 0x8B, 0xFC, 0xF3, 0xA5 };
36 static const UCHAR Match3[5] = { 0xB0, 0x8B, 0xFC, 0xF3, 0xA5 };
37 UCHAR Replacement1[5] = { 0x10, 0x89, 0x34, 0x24, 0x90 };
38 UCHAR Replacement2[5] = { 0x10, 0x89, 0x34, 0x24, 0x90 };
39 UCHAR Replacement3[5] = { 0xB4, 0x89, 0x34, 0x24, 0x90 };
40#define OFFSET_1 0x21A6E
41#define OFFSET_2 0x21B04
42#define OFFSET_3 0x21C3C
43
44
45 UCHAR Buffer[5];
46 PBYTE Base = LdrEntry->DllBase;
47 SIZE_T Bytes;
48
49 /*
50 00020E6E: 0C 8B FC F3 A5 --> 10 89 34 24 90 F11A6E - ef0000 = 21A6E
51 00020F04: 0C 8B FC F3 A5 --> 10 89 34 24 90 F11B04 - ef0000 = 21B04
52 00021C3C: B0 8B FC F3 A5 --> B4 89 34 24 90 F11C3C - ef0000 = 21C3C
53 */
54 do {
55 DbgPrint("Module %wZ Loaded at 0x%p, we should patch!\n", &LdrEntry->BaseDllName, LdrEntry->DllBase);
56 if (!NT_SUCCESS(NtReadVirtualMemory(NtCurrentProcess(), Base + OFFSET_1, Buffer, 5, &Bytes)) || Bytes != 5)
57 break;
58 if (memcmp(Buffer, Match1, sizeof(Match1)))
59 break;
60
61 if (!NT_SUCCESS(NtReadVirtualMemory(NtCurrentProcess(), Base + OFFSET_2, Buffer, 5, &Bytes)) || Bytes != 5)
62 break;
63 if (memcmp(Buffer, Match2, sizeof(Match2)))
64 break;
65
66 if (!NT_SUCCESS(NtReadVirtualMemory(NtCurrentProcess(), Base + OFFSET_3, Buffer, 5, &Bytes)) || Bytes != 5)
67 break;
68 if (memcmp(Buffer, Match3, sizeof(Match3)))
69 break;
70
71 DbgPrint("Module %wZ Loaded at 0x%p, OK to patch!\n", &LdrEntry->BaseDllName, LdrEntry->DllBase);
72 if (!Write(Base + OFFSET_1, Replacement1, sizeof(Replacement1)))
73 break;
74 if (!Write(Base + OFFSET_2, Replacement2, sizeof(Replacement2)))
75 break;
76 if (!Write(Base + OFFSET_3, Replacement3, sizeof(Replacement3)))
77 break;
78
79 NtFlushInstructionCache(NtCurrentProcess(), Base, 0x22000);
80
81 DbgPrint("Module %wZ Loaded at 0x%p, patched!\n", &LdrEntry->BaseDllName, LdrEntry->DllBase);
82 } while (0);
83}
memcmp
int memcmp(void *Buffer1, void *Buffer2, ACPI_SIZE Count)
Definition: utclib.c:112
Buffer
Definition: bufpool.h:45
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
DbgPrint
#define DbgPrint
Definition: hal.h:12
Bytes
_In_ UINT Bytes
Definition: mmcopy.h:9
Base
_In_opt_ ULONG Base
Definition: rtlfuncs.h:2439
NtCurrentProcess
#define NtCurrentProcess()
Definition: nt_native.h:1657
NtReadVirtualMemory
NTSTATUS NTAPI NtReadVirtualMemory(IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN SIZE_T NumberOfBytesToRead, OUT PSIZE_T NumberOfBytesRead OPTIONAL)
Definition: virtual.c:2816
NtFlushInstructionCache
NTSTATUS NTAPI NtFlushInstructionCache(_In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ SIZE_T FlushSize)
Definition: virtual.c:3044
PBYTE
BYTE * PBYTE
Definition: pedump.c:66
_LDR_DATA_TABLE_ENTRY::DllBase
PVOID DllBase
Definition: btrfs_drv.h:1880
_LDR_DATA_TABLE_ENTRY::BaseDllName
UNICODE_STRING BaseDllName
Definition: ldrtypes.h:145
SIZE_T
ULONG_PTR SIZE_T
Definition: typedefs.h:80
OFFSET_2
#define OFFSET_2
Write
static BOOL Write(PBYTE Address, PBYTE Data, SIZE_T Size)
Definition: vmhorizon.c:15
OFFSET_3
#define OFFSET_3
OFFSET_1
#define OFFSET_1
UCHAR
unsigned char UCHAR
Definition: xmlstorage.h:181

Referenced by Notify().

◆ Notify()

BOOL WINAPI SHIM_OBJ_NAME() Notify ( DWORD  fdwReason,
PVOID  ptr 
)

Definition at line 116 of file vmhorizon.c.

117{
118 if (fdwReason == SHIM_REASON_DLL_LOAD)
119 {
120 static const UNICODE_STRING DllPrefix = RTL_CONSTANT_STRING(L"msi");
121 static const UNICODE_STRING DllPostfix = RTL_CONSTANT_STRING(L".tmp");
122 PLDR_DATA_TABLE_ENTRY LdrEntry = ptr;
123
124 BOOLEAN Prefix = RtlPrefixUnicodeString(&DllPrefix, &LdrEntry->BaseDllName, TRUE);
125 BOOLEAN Postfix = PostfixUnicodeString(&DllPostfix, &LdrEntry->BaseDllName);
126 ULONG ExtraChars = (LdrEntry->BaseDllName.Length - DllPrefix.Length - DllPostfix.Length) / sizeof(WCHAR);
127
128 /* msiN[N].tmp */
129 if (Prefix && Postfix && ExtraChars <= 2)
130 {
131 PIMAGE_NT_HEADERS ImageNtHeader = RtlImageNtHeader(LdrEntry->DllBase);
132 if (ImageNtHeader && ImageNtHeader->OptionalHeader.CheckSum == 0x176241)
133 {
134 SHIM_MSG("Module %wZ is a match, applying fixups\n", &LdrEntry->BaseDllName);
135 FixupDll(LdrEntry);
136 }
137 }
138 }
139 return TRUE;
140}
BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185
ImageNtHeader
PIMAGE_NT_HEADERS WINAPI ImageNtHeader(_In_ PVOID)
TRUE
#define TRUE
Definition: types.h:120
RtlImageNtHeader
#define RtlImageNtHeader
Definition: compat.h:806
ptr
static PVOID ptr
Definition: dispmode.c:27
RtlPrefixUnicodeString
NTSYSAPI BOOLEAN NTAPI RtlPrefixUnicodeString(IN PUNICODE_STRING String1, IN PUNICODE_STRING String2, IN BOOLEAN CaseInSensitive)
L
#define L(x)
Definition: ntvdm.h:50
SHIM_REASON_DLL_LOAD
#define SHIM_REASON_DLL_LOAD
Definition: shimlib.h:47
SHIM_MSG
#define SHIM_MSG(fmt,...)
Definition: shimlib.h:75
_IMAGE_NT_HEADERS
Definition: ntddk_ex.h:181
_IMAGE_NT_HEADERS::OptionalHeader
IMAGE_OPTIONAL_HEADER32 OptionalHeader
Definition: ntddk_ex.h:184
_IMAGE_OPTIONAL_HEADER::CheckSum
DWORD CheckSum
Definition: ntddk_ex.h:169
_LDR_DATA_TABLE_ENTRY
Definition: btrfs_drv.h:1876
_UNICODE_STRING
Definition: env_spec_w32.h:368
_UNICODE_STRING::Length
USHORT Length
Definition: env_spec_w32.h:369
RTL_CONSTANT_STRING
#define RTL_CONSTANT_STRING(s)
Definition: tunneltest.c:14
ULONG
uint32_t ULONG
Definition: typedefs.h:59
PostfixUnicodeString
static BOOLEAN PostfixUnicodeString(const UNICODE_STRING *String1, const UNICODE_STRING *String2)
Definition: vmhorizon.c:85
FixupDll
static void FixupDll(PLDR_DATA_TABLE_ENTRY LdrEntry)
Definition: vmhorizon.c:32
Prefix
_In_ __drv_aliasesMem PSTRING Prefix
Definition: rtlfuncs.h:1630
WCHAR
__wchar_t WCHAR
Definition: xmlstorage.h:180

◆ PostfixUnicodeString()

static BOOLEAN PostfixUnicodeString ( const UNICODE_STRING String1,
const UNICODE_STRING String2 
)
static

Definition at line 85 of file vmhorizon.c.

86{
87 PWCHAR pc1;
88 PWCHAR pc2;
89 ULONG NumChars;
90
91 if (String2->Length < String1->Length)
92 return FALSE;
93
94 if (!String1->Buffer || !String2->Buffer)
95 return FALSE;
96
97 NumChars = String1->Length / sizeof(WCHAR);
98 pc1 = String1->Buffer;
99 pc2 = String2->Buffer + (String2->Length / sizeof(WCHAR)) - NumChars;
100
101 while (NumChars--)
102 {
103 if (RtlUpcaseUnicodeChar(*pc1++) != RtlUpcaseUnicodeChar(*pc2++))
104 return FALSE;
105 }
106
107 return TRUE;
108}
FALSE
#define FALSE
Definition: types.h:117
pc1
static const unsigned char pc1[56]
Definition: des.c:54
pc2
static const unsigned char pc2[48]
Definition: des.c:68
String2
_In_ const STRING * String2
Definition: rtlfuncs.h:2357
RtlUpcaseUnicodeChar
WCHAR NTAPI RtlUpcaseUnicodeChar(_In_ WCHAR Source)
Definition: nlsboot.c:176
_UNICODE_STRING::Buffer
PWSTR Buffer
Definition: env_spec_w32.h:371
PWCHAR
uint16_t * PWCHAR
Definition: typedefs.h:56

Referenced by Notify().

◆ Write()

static BOOL Write ( PBYTE  Address,
PBYTE  Data,
SIZE_T  Size 
)
static

Definition at line 15 of file vmhorizon.c.

16{
17 PVOID BaseAddress = Address;
18 SIZE_T RegionSize = Size;
19 ULONG OldProtection;
20 NTSTATUS Status = NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &RegionSize, PAGE_EXECUTE_READWRITE, &OldProtection);
21 if (NT_SUCCESS(Status))
22 {
23 SIZE_T Bytes;
24 Status = NtWriteVirtualMemory(NtCurrentProcess(), Address, Data, Size, &Bytes);
25 if (NT_SUCCESS(Status) && Bytes != Size)
26 Status = STATUS_MEMORY_NOT_ALLOCATED;
27 NtProtectVirtualMemory(NtCurrentProcess(), &BaseAddress, &RegionSize, OldProtection, &OldProtection);
28 }
29 return NT_SUCCESS(Status);
30}
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
Status
Status
Definition: gdiplustypes.h:25
BaseAddress
_In_ HANDLE _Outptr_result_bytebuffer_ ViewSize PVOID * BaseAddress
Definition: mmfuncs.h:404
RegionSize
__kernel_entry _Inout_ _Inout_ PSIZE_T RegionSize
Definition: mmfuncs.h:172
PAGE_EXECUTE_READWRITE
#define PAGE_EXECUTE_READWRITE
Definition: nt_native.h:1308
NtWriteVirtualMemory
NTSTATUS NTAPI NtWriteVirtualMemory(IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN SIZE_T NumberOfBytesToWrite, OUT PSIZE_T NumberOfBytesWritten OPTIONAL)
Definition: virtual.c:2930
NtProtectVirtualMemory
NTSTATUS NTAPI NtProtectVirtualMemory(IN HANDLE ProcessHandle, IN OUT PVOID *UnsafeBaseAddress, IN OUT SIZE_T *UnsafeNumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG UnsafeOldAccessProtection)
Definition: virtual.c:3111
STATUS_MEMORY_NOT_ALLOCATED
#define STATUS_MEMORY_NOT_ALLOCATED
Definition: ntstatus.h:396
Address
static WCHAR Address[46]
Definition: ping.c:68
Size
_Must_inspect_result_ _In_ WDFDEVICE _In_ PWDF_DEVICE_PROPERTY_DATA _In_ DEVPROPTYPE _In_ ULONG Size
Definition: wdfdevice.h:4533

Referenced by AccpOpenNamedObject(), DECLARE_INTERFACE_(), FileInformationCheck(), FixupDll(), LockBuffers(), LpcpCopyRequestData(), MempAllocatePTE(), MiIsAccessAllowed(), RxGetRegistryParameters(), WinLdrMapSpecialPages(), and WinLdrpMapApic().