shimeng.c File Reference

#include "ntndk.h"
#include "shimlib.h"
#include <strsafe.h>
#include "apphelp.h"
#include "shimeng.h"

Include dependency graph for shimeng.c:

Go to the source code of this file.

Macros
#define	WIN32_NO_STATUS
#define	IN_APPHELP
#define	APPHELP_NOSDBPAPI
#define	ARRAY_Init(Array, TypeOfArray)   ARRAY_InitWorker((Array), sizeof(TypeOfArray))
#define	ARRAY_Append(Array, TypeOfArray)   (TypeOfArray*)ARRAY_AppendWorker((Array), sizeof(TypeOfArray), 5)
#define	ARRAY_At(Array, TypeOfArray, at)   (TypeOfArray*)ARRAY_AtWorker((Array), sizeof(TypeOfArray), at)
#define	ARRAY_Size(Array)   (Array)->Size__
#define	MAX_LAYER_LENGTH   256
#define	SYSTEM32   L"\\system32"
#define	WINSXS   L"\\winsxs"

Typedefs
typedef FARPROC(WINAPI *	GETPROCADDRESSPROC) (HINSTANCE, LPCSTR)

Functions
FARPROC WINAPI	StubGetProcAddress (HINSTANCE hModule, LPCSTR lpProcName)
BOOL WINAPI	SE_IsShimDll (PVOID BaseAddress)
static BOOL	ARRAY_InitWorker (PARRAY Array, DWORD ItemSize)
static BOOL	ARRAY_EnsureSize (PARRAY Array, DWORD ItemSize, DWORD GrowWith)
static PVOID	ARRAY_AppendWorker (PARRAY Array, DWORD ItemSize, DWORD GrowWith)
static PVOID	ARRAY_AtWorker (PARRAY Array, DWORD ItemSize, DWORD n)
VOID	SeiInitDebugSupport (VOID)
BOOL WINAPIV	SeiDbgPrint (SEI_LOG_LEVEL Level, PCSTR Function, PCSTR Format,...)
static BOOL	SeiIsOrdinalName (LPCSTR lpProcName)
LPCSTR	SeiPrintFunctionName (LPCSTR lpProcName, char szOrdProcFmt[10])
int	SeiCompareFunctionName (LPCSTR lpProcName1, LPCSTR lpProcName2)
PVOID	SeiGetModuleFromAddress (PVOID addr)
VOID	NotifyShims (DWORD dwReason, PVOID Info)
VOID	SeiCheckComPlusImage (PVOID BaseAddress)
PSHIMMODULE	SeiGetShimModuleInfo (PVOID BaseAddress)
PSHIMMODULE	SeiCreateShimModuleInfo (PCWSTR DllName, PVOID BaseAddress)
PSHIMINFO	SeiAppendHookInfo (PSHIMMODULE pShimModuleInfo, PHOOKAPIEX pHookApi, DWORD dwHookCount, PCWSTR ShimName)
PHOOKMODULEINFO	SeiFindHookModuleInfo (PUNICODE_STRING ModuleName, PVOID BaseAddress)
PHOOKMODULEINFO	SeiFindHookModuleInfoForImportDescriptor (PBYTE DllBase, PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor)
static LPCWSTR	SeiGetStringPtr (PDB pdb, TAGID tag, TAG type)
static DWORD	SeiGetDWORD (PDB pdb, TAGID tag, TAG type)
static QWORD	SeiGetQWORD (PDB pdb, TAGID tag, TAG type)
static VOID	SeiAddShim (TAGREF trShimRef, PARRAY pShimRef)
static VOID	SeiAddFlag (PDB pdb, TAGID tiFlagRef, PFLAGINFO pFlagInfo)
static VOID	SeiSetLayerEnvVar (LPCWSTR wszLayer)
static VOID	SeiBuildShimRefArray (HSDB hsdb, SDBQUERYRESULT *pQuery, PARRAY pShimRef, PFLAGINFO pFlagInfo)
VOID	SeiAddHooks (PHOOKAPIEX hooks, DWORD dwHookCount, PSHIMINFO pShim)
VOID	SeiResolveAPI (PHOOKMODULEINFO HookModuleInfo)
VOID	SeiResolveAPIs (VOID)
VOID	SeiCombineHookInfo (VOID)
VOID	SeiAddInternalHooks (DWORD dwNumHooks)
VOID	SeiPatchNewImport (PIMAGE_THUNK_DATA FirstThunk, PHOOKAPIEX HookApi, PLDR_DATA_TABLE_ENTRY LdrEntry)
PINEXCLUDE	SeiFindInExclude (PARRAY InExclude, PCUNICODE_STRING DllName)
BOOL	SeiIsExcluded (PLDR_DATA_TABLE_ENTRY LdrEntry, PHOOKAPIEX HookApi)
VOID	SeiAppendInExclude (PARRAY dest, PCWSTR ModuleName, BOOL IsInclude)
VOID	SeiReadInExclude (PDB pdb, TAGID parent, PARRAY dest)
VOID	SeiBuildGlobalInclExclList (HSDB hsdb)
VOID	SeiBuildInclExclList (PDB pdb, TAGID ShimTag, PSHIMINFO pShimInfo)
VOID	SeiHookImports (PLDR_DATA_TABLE_ENTRY LdrEntry)
VOID	PatchNewModules (PPEB Peb)
VOID	SeiInitPaths (VOID)
VOID	SeiSetEntryProcessed (PPEB Peb)
VOID	SeiResetEntryProcessed (PPEB Peb)
VOID	SeiInit (PUNICODE_STRING ProcessImage, HSDB hsdb, SDBQUERYRESULT *pQuery)
BOOL	SeiGetShimData (PUNICODE_STRING ProcessImage, PVOID pShimData, HSDB *pHsdb, SDBQUERYRESULT *pQuery)
VOID NTAPI	SE_InstallBeforeInit (PUNICODE_STRING ProcessImage, PVOID pShimData)
VOID NTAPI	SE_InstallAfterInit (PUNICODE_STRING ProcessImage, PVOID pShimData)
VOID NTAPI	SE_ProcessDying (VOID)
VOID WINAPI	SE_DllLoaded (PLDR_DATA_TABLE_ENTRY LdrEntry)
VOID WINAPI	SE_DllUnloaded (PLDR_DATA_TABLE_ENTRY LdrEntry)

Variables
static const UNICODE_STRING	Ntdll = RTL_CONSTANT_STRING(L"ntdll.dll")
static const UNICODE_STRING	Kernel32 = RTL_CONSTANT_STRING(L"kernel32.dll")
static const UNICODE_STRING	Verifier = RTL_CONSTANT_STRING(L"verifier.dll")
HMODULE	g_hInstance
static UNICODE_STRING	g_WindowsDirectory
static UNICODE_STRING	g_System32Directory
static UNICODE_STRING	g_SxsDirectory
static UNICODE_STRING	g_LoadingShimDll
ULONG	g_ShimEngDebugLevel = 0xffffffff
BOOL	g_bComPlusImage = FALSE
BOOL	g_bShimDuringInit = FALSE
BOOL	g_bInternalHooksUsed = FALSE
static ARRAY	g_pShimInfo
static ARRAY	g_pHookArray
static ARRAY	g_InExclude
HOOKAPIEX	g_IntHookEx []

Macro Definition Documentation

APPHELP_NOSDBPAPI

#define APPHELP_NOSDBPAPI

Definition at line 14 of file shimeng.c.

ARRAY_Append

#define ARRAY_Append	(		Array,
			TypeOfArray
	)		(TypeOfArray*)ARRAY_AppendWorker((Array), sizeof(TypeOfArray), 5)

Definition at line 122 of file shimeng.c.

ARRAY_At

#define ARRAY_At	(		Array,
			TypeOfArray,
			at
	)		(TypeOfArray*)ARRAY_AtWorker((Array), sizeof(TypeOfArray), at)

Definition at line 123 of file shimeng.c.

ARRAY_Init

#define ARRAY_Init	(		Array,
			TypeOfArray
	)		ARRAY_InitWorker((Array), sizeof(TypeOfArray))

Definition at line 121 of file shimeng.c.

ARRAY_Size

#define ARRAY_Size

(

Array

)

(Array)->Size__

Definition at line 124 of file shimeng.c.

IN_APPHELP

#define IN_APPHELP

Definition at line 10 of file shimeng.c.

MAX_LAYER_LENGTH

#define MAX_LAYER_LENGTH   256

Definition at line 470 of file shimeng.c.

SYSTEM32

#define SYSTEM32   L"\\system32"

WIN32_NO_STATUS

#define WIN32_NO_STATUS

Definition at line 8 of file shimeng.c.

WINSXS

#define WINSXS   L"\\winsxs"

Typedef Documentation

GETPROCADDRESSPROC

typedef FARPROC(WINAPI* GETPROCADDRESSPROC) (HINSTANCE, LPCSTR)

Definition at line 40 of file shimeng.c.

Function Documentation

ARRAY_AppendWorker()

static PVOID ARRAY_AppendWorker ( PARRAY  Array, DWORD  ItemSize, DWORD  GrowWith  )

inlinestatic

Definition at line 94 of file shimeng.c.

{
    PBYTE pData;

    if (!ARRAY_EnsureSize(Array, ItemSize, GrowWith))
        return NULL;

    pData = Array->Data__;
    pData += (Array->Size__ * ItemSize);
    Array->Size__++;

    return pData;
}

ARRAY_AtWorker()

static PVOID ARRAY_AtWorker ( PARRAY  Array, DWORD  ItemSize, DWORD  n  )

inlinestatic

Definition at line 108 of file shimeng.c.

{
    PBYTE pData;

    ASSERT(Array);
    ASSERT(ItemSize == Array->ItemSize__);
    ASSERT(n < Array->Size__);

    pData = Array->Data__;
    return pData + (n * ItemSize);
}

ARRAY_EnsureSize()

static BOOL ARRAY_EnsureSize ( PARRAY  Array, DWORD  ItemSize, DWORD  GrowWith  )

inlinestatic

Definition at line 63 of file shimeng.c.

{
    PVOID pNewData;
    DWORD Count;

    ASSERT(Array);
    ASSERT(ItemSize == Array->ItemSize__);

    if (Array->MaxSize__ > Array->Size__)
        return TRUE;

    Count = Array->Size__ + GrowWith;
    pNewData = SeiAlloc(Count * ItemSize);

    if (!pNewData)
    {
        SHIMENG_FAIL("Failed to allocate %d bytes\n", Count * ItemSize);
        return FALSE;
    }
    Array->MaxSize__ = Count;

    if (Array->Data__)
    {
        memcpy(pNewData, Array->Data__, Array->Size__ * ItemSize);
        SeiFree(Array->Data__);
    }
    Array->Data__ = pNewData;

    return TRUE;
}

Referenced by ARRAY_AppendWorker().

ARRAY_InitWorker()

static BOOL ARRAY_InitWorker ( PARRAY  Array, DWORD  ItemSize  )

inlinestatic

Definition at line 54 of file shimeng.c.

{
    Array->Data__ = NULL;
    Array->Size__ = Array->MaxSize__ = 0;
    Array->ItemSize__ = ItemSize;

    return TRUE;
}

NotifyShims()

VOID NotifyShims	(	DWORD	dwReason,
		PVOID	Info
	)

Definition at line 254 of file shimeng.c.

{
    DWORD n;

    for (n = 0; n < ARRAY_Size(&g_pShimInfo); ++n)
    {
        PSHIMMODULE pShimModule = *ARRAY_At(&g_pShimInfo, PSHIMMODULE, n);
        if (!pShimModule->pNotifyShims)
            continue;

        pShimModule->pNotifyShims(dwReason, Info);
    }
}

Referenced by SE_DllLoaded(), SE_DllUnloaded(), SE_InstallAfterInit(), SE_ProcessDying(), and SeiCreateShimModuleInfo().

PatchNewModules()

VOID PatchNewModules

(

PPEB

Peb

)

Definition at line 1058 of file shimeng.c.

{
    PLIST_ENTRY ListHead, ListEntry;
    PLDR_DATA_TABLE_ENTRY LdrEntry;

    ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
    ListEntry = ListHead->Flink;

    while (ListHead != ListEntry)
    {
        LdrEntry = CONTAINING_RECORD(ListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        SeiHookImports(LdrEntry);

        ListEntry = ListEntry->Flink;
    }
}

Referenced by SeiInit().

SE_DllLoaded()

VOID WINAPI SE_DllLoaded

(

PLDR_DATA_TABLE_ENTRY

LdrEntry

)

Definition at line 1433 of file shimeng.c.

{
    PHOOKMODULEINFO HookModuleInfo;
    SHIMENG_INFO("%sINIT. loading DLL \"%wZ\"\n", g_bShimDuringInit ? "" : "AFTER ", &LdrEntry->BaseDllName);

    HookModuleInfo = SeiFindHookModuleInfo(&LdrEntry->BaseDllName, NULL);
    if (HookModuleInfo)
    {
        ASSERT(HookModuleInfo->BaseAddress == NULL);
        HookModuleInfo->BaseAddress = LdrEntry->DllBase;
        SeiResolveAPI(HookModuleInfo);
    }

    SeiHookImports(LdrEntry);

    NotifyShims(SHIM_REASON_DLL_LOAD, LdrEntry);
}

Referenced by LdrpGetShimEngineInterface(), and LdrpLoadDll().

SE_DllUnloaded()

VOID WINAPI SE_DllUnloaded

(

PLDR_DATA_TABLE_ENTRY

LdrEntry

)

Definition at line 1451 of file shimeng.c.

{
    SHIMENG_INFO("(%p)\n", LdrEntry);

    /* Should we unhook here? */

    NotifyShims(SHIM_REASON_DLL_UNLOAD, LdrEntry);
}

Referenced by LdrpGetShimEngineInterface(), and LdrUnloadDll().

SE_InstallAfterInit()

VOID NTAPI SE_InstallAfterInit	(	PUNICODE_STRING	ProcessImage,
		PVOID	pShimData
	)

Definition at line 1422 of file shimeng.c.

{
    NotifyShims(SHIM_NOTIFY_ATTACH, NULL);
}

Referenced by LdrpGetShimEngineInterface(), and LdrpInitializeProcess().

SE_InstallBeforeInit()

VOID NTAPI SE_InstallBeforeInit	(	PUNICODE_STRING	ProcessImage,
		PVOID	pShimData
	)

Definition at line 1403 of file shimeng.c.

{
    HSDB hsdb = NULL;
    SDBQUERYRESULT QueryResult = { { 0 } };
    SHIMENG_INFO("(%wZ, %p)\n", ProcessImage, pShimData);

    if (!SeiGetShimData(ProcessImage, pShimData, &hsdb, &QueryResult))
    {
        SHIMENG_FAIL("Failed to get shim data\n");
        return;
    }

    g_bShimDuringInit = TRUE;
    SeiInit(ProcessImage, hsdb, &QueryResult);
    g_bShimDuringInit = FALSE;

    SdbReleaseDatabase(hsdb);
}

Referenced by LdrpGetShimEngineInterface(), and LdrpLoadShimEngine().

SE_IsShimDll()

BOOL WINAPI SE_IsShimDll

(

PVOID

BaseAddress

)

Definition at line 1460 of file shimeng.c.

{
    SHIMENG_INFO("(%p)\n", BaseAddress);

    return SeiGetShimModuleInfo(BaseAddress) != NULL;
}

Referenced by SeiHookImports(), SeiResetEntryProcessed(), SeiSetEntryProcessed(), and StubGetProcAddress().

SE_ProcessDying()

VOID NTAPI SE_ProcessDying

(

VOID

)

Definition at line 1427 of file shimeng.c.

{
    SHIMENG_MSG("()\n");
    NotifyShims(SHIM_NOTIFY_DETACH, NULL);
}

Referenced by LdrpGetShimEngineInterface(), and LdrShutdownProcess().

SeiAddFlag()

static VOID SeiAddFlag ( PDB  pdb, TAGID  tiFlagRef, PFLAGINFO  pFlagInfo  )

static

Definition at line 438 of file shimeng.c.

{
    ULARGE_INTEGER Flag;

    /* Resolve the FLAG_REF to the real FLAG node */
    TAGID FlagTag = SeiGetDWORD(pdb, tiFlagRef, TAG_FLAG_TAGID);

    if (FlagTag == TAGID_NULL)
        return;

    pFlagInfo->AppCompatFlags.QuadPart |= SeiGetQWORD(pdb, FlagTag, TAG_FLAG_MASK_KERNEL);
    pFlagInfo->AppCompatFlagsUser.QuadPart |= SeiGetQWORD(pdb, FlagTag, TAG_FLAG_MASK_USER);
    Flag.QuadPart = SeiGetQWORD(pdb, FlagTag, TAG_FLAG_PROCESSPARAM);
    pFlagInfo->ProcessParameters_Flags |= Flag.LowPart;
}

Referenced by SeiBuildShimRefArray().

SeiAddHooks()

VOID SeiAddHooks	(	PHOOKAPIEX	hooks,
		DWORD	dwHookCount,
		PSHIMINFO	pShim
	)

Definition at line 555 of file shimeng.c.

{
    DWORD n, j;
    UNICODE_STRING UnicodeModName;
    WCHAR Buf[512];

    RtlInitEmptyUnicodeString(&UnicodeModName, Buf, sizeof(Buf));

    for (n = 0; n < dwHookCount; ++n)
    {
        ANSI_STRING AnsiString;
        PVOID DllHandle;
        PHOOKAPIEX hook = hooks + n;
        PHOOKAPIEX* pHookApi;
        PHOOKMODULEINFO HookModuleInfo;

        RtlInitAnsiString(&AnsiString, hook->LibraryName);
        if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&UnicodeModName, &AnsiString, FALSE)))
        {
            SHIMENG_FAIL("Unable to convert %s to Unicode\n", hook->LibraryName);
            continue;
        }

        if (NT_SUCCESS(LdrGetDllHandle(NULL, 0, &UnicodeModName, &DllHandle)))
        {
            HookModuleInfo = SeiFindHookModuleInfo(NULL, DllHandle);
        }
        else
        {
            HookModuleInfo = SeiFindHookModuleInfo(&UnicodeModName, NULL);
            DllHandle = NULL;
        }

        if (!HookModuleInfo)
        {
            HookModuleInfo = ARRAY_Append(&g_pHookArray, HOOKMODULEINFO);
            if (!HookModuleInfo)
                continue;

            HookModuleInfo->BaseAddress = DllHandle;
            ARRAY_Init(&HookModuleInfo->HookApis, PHOOKAPIEX);
            RtlCreateUnicodeString(&HookModuleInfo->Name, UnicodeModName.Buffer);
        }

        hook->pShimInfo = pShim;

        for (j = 0; j < ARRAY_Size(&HookModuleInfo->HookApis); ++j)
        {
            PHOOKAPIEX HookApi = *ARRAY_At(&HookModuleInfo->HookApis, PHOOKAPIEX, j);
            int CmpResult = SeiCompareFunctionName(hook->FunctionName, HookApi->FunctionName);
            if (CmpResult == 0)
            {
                while (HookApi->ApiLink)
                {
                    HookApi = HookApi->ApiLink;
                }
                HookApi->ApiLink = hook;
                hook = NULL;
                break;
            }
        }
        /* No place found yet, append it */
        if (hook)
        {
            pHookApi = ARRAY_Append(&HookModuleInfo->HookApis, PHOOKAPIEX);
            if (pHookApi)
                *pHookApi = hook;
        }
    }
}

Referenced by SeiAddInternalHooks(), and SeiCombineHookInfo().

SeiAddInternalHooks()

VOID SeiAddInternalHooks

(

DWORD

dwNumHooks

)

Definition at line 750 of file shimeng.c.

{
    if (dwNumHooks == 0)
    {
        g_bInternalHooksUsed = FALSE;
        return;
    }

    SeiAddHooks(g_IntHookEx, ARRAYSIZE(g_IntHookEx), NULL);
    g_bInternalHooksUsed = TRUE;
}

Referenced by SeiInit().

SeiAddShim()

static VOID SeiAddShim ( TAGREF  trShimRef, PARRAY  pShimRef  )

static

Definition at line 427 of file shimeng.c.

{
    TAGREF* Data;

    Data = ARRAY_Append(pShimRef, TAGREF);
    if (!Data)
        return;

    *Data = trShimRef;
}

Referenced by SeiBuildShimRefArray().

SeiAppendHookInfo()

PSHIMINFO SeiAppendHookInfo	(	PSHIMMODULE	pShimModuleInfo,
		PHOOKAPIEX	pHookApi,
		DWORD	dwHookCount,
		PCWSTR	ShimName
	)

Definition at line 326 of file shimeng.c.

{
    PSHIMINFO* pData, Data;

    pData = ARRAY_Append(&pShimModuleInfo->EnabledShims, PSHIMINFO);
    if (!pData)
        return NULL;

    *pData = SeiAlloc(sizeof(SHIMINFO));
    Data = *pData;

    if (!Data)
        return NULL;

    Data->ShimName = SdbpStrDup(ShimName);
    if (!Data->ShimName)
        return NULL;

    Data->pHookApi = pHookApi;
    Data->dwHookCount = dwHookCount;
    Data->pShimModule = pShimModuleInfo;
    ARRAY_Init(&Data->InExclude, INEXCLUDE);
    return Data;
}

Referenced by SeiInit().

SeiAppendInExclude()

VOID SeiAppendInExclude	(	PARRAY	dest,
		PCWSTR	ModuleName,
		BOOL	IsInclude
	)

Definition at line 859 of file shimeng.c.

{
    PINEXCLUDE InExclude;
    UNICODE_STRING ModuleNameU;
    RtlInitUnicodeString(&ModuleNameU, ModuleName);

    InExclude = SeiFindInExclude(dest, &ModuleNameU);
    if (InExclude)
    {
        InExclude->Include = IsInclude;
        return;
    }

    InExclude = ARRAY_Append(dest, INEXCLUDE);
    if (InExclude)
    {
        PCWSTR ModuleNameCopy = SdbpStrDup(ModuleName);
        RtlInitUnicodeString(&InExclude->Module, ModuleNameCopy);
        InExclude->Include = IsInclude;
    }
}

Referenced by SeiBuildInclExclList(), and SeiReadInExclude().

SeiBuildGlobalInclExclList()

VOID SeiBuildGlobalInclExclList

(

HSDB

hsdb

)

Definition at line 908 of file shimeng.c.

{
    PDB pdb;
    TAGREF tr = TAGREF_ROOT;
    TAGID root, db, library;

    if (!SdbTagRefToTagID(hsdb, tr, &pdb, &root))
    {
        SHIMENG_WARN("Unable to resolve database root\n");
        return;
    }
    db = SdbFindFirstTag(pdb, root, TAG_DATABASE);
    if (db == TAGID_NULL)
    {
        SHIMENG_WARN("Unable to resolve database\n");
        return;
    }
    library = SdbFindFirstTag(pdb, db, TAG_LIBRARY);
    if (library == TAGID_NULL)
    {
        SHIMENG_WARN("Unable to resolve library\n");
        return;
    }

    SeiReadInExclude(pdb, library, &g_InExclude);
}

Referenced by SeiInit().

SeiBuildInclExclList()

VOID SeiBuildInclExclList	(	PDB	pdb,
		TAGID	ShimTag,
		PSHIMINFO	pShimInfo
	)

Definition at line 935 of file shimeng.c.

{
    DWORD n;

    /* First duplicate the global in/excludes */
    for (n = 0; n < ARRAY_Size(&g_InExclude); ++n)
    {
        PINEXCLUDE InEx = ARRAY_At(&g_InExclude, INEXCLUDE, n);
        SeiAppendInExclude(&pShimInfo->InExclude, InEx->Module.Buffer, InEx->Include);
    }

    /* Now read this shim's in/excludes (possibly overriding the global ones) */
    SeiReadInExclude(pdb, ShimTag, &pShimInfo->InExclude);
}

Referenced by SeiInit().

SeiBuildShimRefArray()

static VOID SeiBuildShimRefArray ( HSDB  hsdb, SDBQUERYRESULT *  pQuery, PARRAY  pShimRef, PFLAGINFO  pFlagInfo  )

static

Definition at line 473 of file shimeng.c.

{
    WCHAR wszLayerEnvVar[MAX_LAYER_LENGTH] = { 0 };
    DWORD n;

    for (n = 0; n < pQuery->dwExeCount; ++n)
    {
        PDB pdb;
        TAGID tag;
        if (SdbTagRefToTagID(hsdb, pQuery->atrExes[n], &pdb, &tag))
        {
            LPCWSTR ExeName = SeiGetStringPtr(pdb, tag, TAG_NAME);
            TAGID ShimRef = SdbFindFirstTag(pdb, tag, TAG_SHIM_REF);
            TAGID FlagRef = SdbFindFirstTag(pdb, tag, TAG_FLAG_REF);

            if (ExeName)
                SeiDbgPrint(SEI_MSG, NULL, "ShimInfo(Exe(%S))\n", ExeName);

            while (ShimRef != TAGID_NULL)
            {
                TAGREF trShimRef;
                if (SdbTagIDToTagRef(hsdb, pdb, ShimRef, &trShimRef))
                    SeiAddShim(trShimRef, pShimRef);

                ShimRef = SdbFindNextTag(pdb, tag, ShimRef);
            }

            while (FlagRef != TAGID_NULL)
            {
                SeiAddFlag(pdb, FlagRef, pFlagInfo);

                FlagRef = SdbFindNextTag(pdb, tag, FlagRef);
            }
        }
    }


    for (n = 0; n < pQuery->dwLayerCount; ++n)
    {
        PDB pdb;
        TAGID tag;
        if (SdbTagRefToTagID(hsdb, pQuery->atrLayers[n], &pdb, &tag))
        {
            LPCWSTR LayerName = SeiGetStringPtr(pdb, tag, TAG_NAME);
            TAGID ShimRef = SdbFindFirstTag(pdb, tag, TAG_SHIM_REF);
            TAGID FlagRef = SdbFindFirstTag(pdb, tag, TAG_FLAG_REF);

            if (LayerName)
            {
                HRESULT hr;
                SeiDbgPrint(SEI_MSG, NULL, "ShimInfo(Layer(%S))\n", LayerName);
                if (wszLayerEnvVar[0])
                    StringCchCatW(wszLayerEnvVar, ARRAYSIZE(wszLayerEnvVar), L" ");
                hr = StringCchCatW(wszLayerEnvVar, ARRAYSIZE(wszLayerEnvVar), LayerName);
                if (!SUCCEEDED(hr))
                {
                    SHIMENG_FAIL("Unable to append %S\n", LayerName);
                }
            }

            while (ShimRef != TAGID_NULL)
            {
                TAGREF trShimRef;
                if (SdbTagIDToTagRef(hsdb, pdb, ShimRef, &trShimRef))
                    SeiAddShim(trShimRef, pShimRef);

                ShimRef = SdbFindNextTag(pdb, tag, ShimRef);
            }

            while (FlagRef != TAGID_NULL)
            {
                SeiAddFlag(pdb, FlagRef, pFlagInfo);

                FlagRef = SdbFindNextTag(pdb, tag, FlagRef);
            }
        }
    }
    if (wszLayerEnvVar[0])
        SeiSetLayerEnvVar(wszLayerEnvVar);
}

Referenced by SeiInit().

SeiCheckComPlusImage()

VOID SeiCheckComPlusImage

(

PVOID

BaseAddress

)

Definition at line 270 of file shimeng.c.

{
    ULONG ComSectionSize;
    g_bComPlusImage = RtlImageDirectoryEntryToData(BaseAddress, TRUE, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &ComSectionSize) != NULL;

    SHIMENG_INFO("COM+ executable %s\n", g_bComPlusImage ? "TRUE" : "FALSE");
}

Referenced by SeiInit().

SeiCombineHookInfo()

VOID SeiCombineHookInfo

(

VOID

)

Definition at line 726 of file shimeng.c.

{
    DWORD mod, n;

    /* Enumerate all Shim modules */
    for (mod = 0; mod < ARRAY_Size(&g_pShimInfo); ++mod)
    {
        PSHIMMODULE pShimModule = *ARRAY_At(&g_pShimInfo, PSHIMMODULE, mod);
        DWORD dwShimCount = ARRAY_Size(&pShimModule->EnabledShims);

        /* Enumerate all Shims */
        for (n = 0; n < dwShimCount; ++n)
        {
            PSHIMINFO pShim = *ARRAY_At(&pShimModule->EnabledShims, PSHIMINFO, n);

            PHOOKAPIEX hooks = pShim->pHookApi;
            DWORD dwHookCount = pShim->dwHookCount;

            SeiAddHooks(hooks, dwHookCount, pShim);
        }
    }
}

Referenced by SeiInit().

SeiCompareFunctionName()

int SeiCompareFunctionName	(	LPCSTR	lpProcName1,
		LPCSTR	lpProcName2
	)

Definition at line 227 of file shimeng.c.

{
    BOOL Ord1 = SeiIsOrdinalName(lpProcName1);
    BOOL Ord2 = SeiIsOrdinalName(lpProcName2);

    /* One is an ordinal, the other not */
    if (Ord1 != Ord2)
        return 1;

    /* Compare ordinals */
    if (Ord1)
        return (ULONG_PTR)lpProcName1 != (ULONG_PTR)lpProcName2;

    /* Compare names */
    return strcmp(lpProcName1, lpProcName2);
}

Referenced by SeiAddHooks(), and StubGetProcAddress().

SeiCreateShimModuleInfo()

PSHIMMODULE SeiCreateShimModuleInfo	(	PCWSTR	DllName,
		PVOID	BaseAddress
	)

Definition at line 293 of file shimeng.c.

{
    static const ANSI_STRING GetHookAPIs = RTL_CONSTANT_STRING("GetHookAPIs");
    static const ANSI_STRING NotifyShims = RTL_CONSTANT_STRING("NotifyShims");
    PSHIMMODULE* pData, Data;
    PVOID pGetHookAPIs, pNotifyShims;

    if (!NT_SUCCESS(LdrGetProcedureAddress(BaseAddress, (PANSI_STRING)&GetHookAPIs, 0, &pGetHookAPIs)) ||
        !NT_SUCCESS(LdrGetProcedureAddress(BaseAddress, (PANSI_STRING)&NotifyShims, 0, &pNotifyShims)))
    {
        SHIMENG_WARN("Failed to resolve entry points for %S\n", DllName);
        return NULL;
    }

    pData = ARRAY_Append(&g_pShimInfo, PSHIMMODULE);
    if (!pData)
        return NULL;

    *pData = SeiAlloc(sizeof(SHIMMODULE));

    Data = *pData;

    RtlCreateUnicodeString(&Data->Name, DllName);
    Data->BaseAddress = BaseAddress;

    Data->pGetHookAPIs = pGetHookAPIs;
    Data->pNotifyShims = pNotifyShims;

    ARRAY_Init(&Data->EnabledShims, PSHIMINFO);

    return Data;
}

Referenced by SeiInit().

SeiDbgPrint()

BOOL WINAPIV SeiDbgPrint	(	SEI_LOG_LEVEL	Level,
		PCSTR	Function,
		PCSTR	Format,
			...
	)

Outputs diagnostic info.

Parameters

[in]	Level	The level to log this message with, choose any of [SHIM_ERR, SHIM_WARN, SHIM_INFO].
[in]	FunctionName	The function this log should be attributed to.
[in]	Format	The format string.
	...	Variable arguments providing additional information.

Returns

Success: TRUE Failure: FALSE.

Definition at line 159 of file shimeng.c.

{
    char Buffer[512];
    char* Current = Buffer;
    const char* LevelStr;
    size_t Length = sizeof(Buffer);
    va_list ArgList;
    HRESULT hr;

    if (g_ShimEngDebugLevel == 0xffffffff)
        SeiInitDebugSupport();

    if (Level > g_ShimEngDebugLevel)
        return FALSE;

    switch (Level)
    {
    case SEI_MSG:
        LevelStr = "MSG ";
        break;
    case SEI_FAIL:
        LevelStr = "FAIL";
        break;
    case SEI_WARN:
        LevelStr = "WARN";
        break;
    case SEI_INFO:
        LevelStr = "INFO";
        break;
    default:
        LevelStr = "USER";
        break;
    }

    if (Function)
        hr = StringCchPrintfExA(Current, Length, &Current, &Length, STRSAFE_NULL_ON_FAILURE, "[%s] [%s] ", LevelStr, Function);
    else
        hr = StringCchPrintfExA(Current, Length, &Current, &Length, STRSAFE_NULL_ON_FAILURE, "[%s] ", LevelStr);

    if (!SUCCEEDED(hr))
        return FALSE;

    va_start(ArgList, Format);
    hr = StringCchVPrintfExA(Current, Length, &Current, &Length, STRSAFE_NULL_ON_FAILURE, Format, ArgList);
    va_end(ArgList);
    if (!SUCCEEDED(hr))
        return FALSE;

    DbgPrint("%s", Buffer);
    return TRUE;
}

Referenced by SeiBuildShimRefArray(), and SeiInit().

SeiFindHookModuleInfo()

PHOOKMODULEINFO SeiFindHookModuleInfo	(	PUNICODE_STRING	ModuleName,
		PVOID	BaseAddress
	)

Definition at line 351 of file shimeng.c.

{
    DWORD n;

    if (ModuleName == NULL && BaseAddress == NULL)
    {
        BaseAddress = NtCurrentPeb()->ImageBaseAddress;
    }

    for (n = 0; n < ARRAY_Size(&g_pHookArray); ++n)
    {
        PHOOKMODULEINFO pModuleInfo = ARRAY_At(&g_pHookArray, HOOKMODULEINFO, n);

        if (BaseAddress && BaseAddress == pModuleInfo->BaseAddress)
            return pModuleInfo;

        if (!BaseAddress && RtlEqualUnicodeString(ModuleName, &pModuleInfo->Name, TRUE))
            return pModuleInfo;
    }

    return NULL;
}

Referenced by SE_DllLoaded(), SeiAddHooks(), SeiFindHookModuleInfoForImportDescriptor(), and StubGetProcAddress().

SeiFindHookModuleInfoForImportDescriptor()

PHOOKMODULEINFO SeiFindHookModuleInfoForImportDescriptor	(	PBYTE	DllBase,
		PIMAGE_IMPORT_DESCRIPTOR	ImportDescriptor
	)

Definition at line 374 of file shimeng.c.

{
    UNICODE_STRING DllName;
    PVOID DllHandle;
    NTSTATUS Success;

    if (!RtlCreateUnicodeStringFromAsciiz(&DllName, (PCSZ)(DllBase + ImportDescriptor->Name)))
    {
        SHIMENG_FAIL("Unable to convert dll name to unicode\n");
        return NULL;
    }

    Success = LdrGetDllHandle(NULL, NULL, &DllName, &DllHandle);

    if (!NT_SUCCESS(Success))
    {
        SHIMENG_FAIL("Unable to get module handle for %wZ (%p)\n", &DllName, DllBase);
        RtlFreeUnicodeString(&DllName);

        return NULL;
    }
    RtlFreeUnicodeString(&DllName);

    return SeiFindHookModuleInfo(NULL, DllHandle);
}

Referenced by SeiHookImports().

SeiFindInExclude()

PINEXCLUDE SeiFindInExclude	(	PARRAY	InExclude,
		PCUNICODE_STRING	DllName
	)

Definition at line 796 of file shimeng.c.

{
    DWORD n;

    for (n = 0; n < ARRAY_Size(InExclude); ++n)
    {
        PINEXCLUDE InEx = ARRAY_At(InExclude, INEXCLUDE, n);

        if (RtlEqualUnicodeString(&InEx->Module, DllName, TRUE))
            return InEx;
    }

    return NULL;
}

Referenced by SeiAppendInExclude(), and SeiIsExcluded().

SeiGetDWORD()

static DWORD SeiGetDWORD ( PDB  pdb, TAGID  tag, TAG  type  )

static

Definition at line 409 of file shimeng.c.

{
    TAGID tagEntry = SdbFindFirstTag(pdb, tag, type);
    if (tagEntry == TAGID_NULL)
        return 0;

    return SdbReadDWORDTag(pdb, tagEntry, 0);
}

Referenced by SeiAddFlag(), and SeiInit().

SeiGetModuleFromAddress()

PVOID SeiGetModuleFromAddress

(

PVOID

addr

)

Definition at line 245 of file shimeng.c.

{
    PVOID hModule = NULL;
    RtlPcToFileHeader(addr, &hModule);
    return hModule;
}

Referenced by StubGetProcAddress().

SeiGetQWORD()

static QWORD SeiGetQWORD ( PDB  pdb, TAGID  tag, TAG  type  )

static

Definition at line 418 of file shimeng.c.

{
    TAGID tagEntry = SdbFindFirstTag(pdb, tag, type);
    if (tagEntry == TAGID_NULL)
        return 0;

    return SdbReadQWORDTag(pdb, tagEntry, 0);
}

Referenced by SeiAddFlag().

SeiGetShimData()

BOOL SeiGetShimData	(	PUNICODE_STRING	ProcessImage,
		PVOID	pShimData,
		HSDB *	pHsdb,
		SDBQUERYRESULT *	pQuery
	)

Definition at line 1353 of file shimeng.c.

{
    static const UNICODE_STRING ForbiddenShimmingApps[] = {
        RTL_CONSTANT_STRING(L"ntsd.exe"),
        RTL_CONSTANT_STRING(L"windbg.exe"),
#if WINVER >= 0x600
        RTL_CONSTANT_STRING(L"slsvc.exe"),
#endif
    };
    static const UNICODE_STRING PathDividerFind = RTL_CONSTANT_STRING(L"\\/");
    UNICODE_STRING ProcessName;
    USHORT PathDivider;
    HSDB hsdb;
    DWORD n;

    if (!NT_SUCCESS(RtlFindCharInUnicodeString(RTL_FIND_CHAR_IN_UNICODE_STRING_START_AT_END, ProcessImage, &PathDividerFind, &PathDivider)))
        PathDivider = 0;

    if (PathDivider)
        PathDivider += sizeof(WCHAR);

    ProcessName.Buffer = ProcessImage->Buffer + PathDivider / sizeof(WCHAR);
    ProcessName.Length = ProcessImage->Length - PathDivider;
    ProcessName.MaximumLength = ProcessImage->MaximumLength - PathDivider;

    for (n = 0; n < ARRAYSIZE(ForbiddenShimmingApps); ++n)
    {
        if (RtlEqualUnicodeString(&ProcessName, ForbiddenShimmingApps + n, TRUE))
        {
            SHIMENG_MSG("Not shimming %wZ\n", ForbiddenShimmingApps + n);
            return FALSE;
        }
    }

    /* We should probably load all db's here, but since we do not support that yet... */
    hsdb = SdbInitDatabase(HID_DOS_PATHS | SDB_DATABASE_MAIN_SHIM, NULL);
    if (hsdb)
    {
        if (SdbUnpackAppCompatData(hsdb, ProcessImage->Buffer, pShimData, pQuery))
        {
            *pHsdb = hsdb;
            return TRUE;
        }
        SdbReleaseDatabase(hsdb);
    }
    return FALSE;
}

Referenced by SE_InstallBeforeInit().

SeiGetShimModuleInfo()

PSHIMMODULE SeiGetShimModuleInfo

(

PVOID

BaseAddress

)

Definition at line 279 of file shimeng.c.

{
    DWORD n;

    for (n = 0; n < ARRAY_Size(&g_pShimInfo); ++n)
    {
        PSHIMMODULE pShimModule = *ARRAY_At(&g_pShimInfo, PSHIMMODULE, n);

        if (pShimModule->BaseAddress == BaseAddress)
            return pShimModule;
    }
    return NULL;
}

Referenced by SE_IsShimDll(), and SeiInit().

SeiGetStringPtr()

static LPCWSTR SeiGetStringPtr ( PDB  pdb, TAGID  tag, TAG  type  )

static

Definition at line 400 of file shimeng.c.

{
    TAGID tagEntry = SdbFindFirstTag(pdb, tag, type);
    if (tagEntry == TAGID_NULL)
        return NULL;

    return SdbGetStringTagPtr(pdb, tagEntry);
}

Referenced by SeiBuildShimRefArray(), and SeiInit().

SeiHookImports()

VOID SeiHookImports

(

PLDR_DATA_TABLE_ENTRY

LdrEntry

)

Definition at line 951 of file shimeng.c.

{
    ULONG Size;
    PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor;
    PBYTE DllBase = LdrEntry->DllBase;

    if (SE_IsShimDll(DllBase) ||
        g_hInstance == LdrEntry->DllBase ||
        RtlEqualUnicodeString(&g_LoadingShimDll, &LdrEntry->BaseDllName, TRUE))
    {
        SHIMENG_INFO("Skipping shim module 0x%p \"%wZ\"\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
        return;
    }

    if (LdrEntry->Flags & LDRP_COMPAT_DATABASE_PROCESSED)
    {
        SHIMENG_INFO("Skipping module 0x%p \"%wZ\" because it was already processed\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
        return;
    }

    ImportDescriptor = RtlImageDirectoryEntryToData(DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size);
    if (!ImportDescriptor)
    {
        SHIMENG_INFO("Skipping module 0x%p \"%wZ\" due to no iat found\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
        return;
    }

    SHIMENG_INFO("Hooking module 0x%p \"%wZ\"\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);

    for ( ;ImportDescriptor->Name && ImportDescriptor->OriginalFirstThunk; ImportDescriptor++)
    {
        PHOOKMODULEINFO HookModuleInfo;

        /* Do we have hooks for this module? */
        HookModuleInfo = SeiFindHookModuleInfoForImportDescriptor(DllBase, ImportDescriptor);

        if (HookModuleInfo)
        {
            PIMAGE_THUNK_DATA OriginalThunk, FirstThunk;
            DWORD n;

            for (n = 0; n < ARRAY_Size(&HookModuleInfo->HookApis); ++n)
            {
                DWORD dwFound = 0;
                PHOOKAPIEX HookApi = *ARRAY_At(&HookModuleInfo->HookApis, PHOOKAPIEX, n);

                /* Check if this module should be excluded from being hooked (system32/winsxs, global or shim exclude) */
                if (SeiIsExcluded(LdrEntry, HookApi))
                {
                    continue;
                }

                OriginalThunk = (PIMAGE_THUNK_DATA)(DllBase + ImportDescriptor->OriginalFirstThunk);
                FirstThunk = (PIMAGE_THUNK_DATA)(DllBase + ImportDescriptor->FirstThunk);

                /* Walk all imports */
                for (;OriginalThunk->u1.AddressOfData && FirstThunk->u1.Function; OriginalThunk++, FirstThunk++)
                {
                    if (!IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Function))
                    {
                        if (!SeiIsOrdinalName(HookApi->FunctionName))
                        {
                            PIMAGE_IMPORT_BY_NAME ImportName;

                            ImportName = (PIMAGE_IMPORT_BY_NAME)(DllBase + OriginalThunk->u1.Function);
                            if (!strcmp((PCSTR)ImportName->Name, HookApi->FunctionName))
                            {
                                SeiPatchNewImport(FirstThunk, HookApi, LdrEntry);

                                /* Sadly, iat does not have to be sorted, and can even contain duplicate entries. */
                                dwFound++;
                            }
                        }
                    }
                    else
                    {
                        if (SeiIsOrdinalName(HookApi->FunctionName))
                        {
                            if ((PCSTR)IMAGE_ORDINAL(OriginalThunk->u1.Function) == HookApi->FunctionName)
                            {
                                SeiPatchNewImport(FirstThunk, HookApi, LdrEntry);
                                dwFound++;
                            }
                        }
                    }
                }

                if (dwFound != 1)
                {
                    char szOrdProcFmt[10];
                    LPCSTR FuncName = SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt);

                    /* One entry not found. */
                    if (!dwFound)
                        SHIMENG_INFO("Entry \"%s!%s\" not found for \"%wZ\"\n", HookApi->LibraryName, FuncName, &LdrEntry->BaseDllName);
                    else
                        SHIMENG_INFO("Entry \"%s!%s\" found %d times for \"%wZ\"\n", HookApi->LibraryName, FuncName, dwFound, &LdrEntry->BaseDllName);
                }
            }
        }
    }

    /* Mark this module as processed. */
    LdrEntry->Flags |= LDRP_COMPAT_DATABASE_PROCESSED;
}

Referenced by PatchNewModules(), and SE_DllLoaded().

SeiInit()

VOID SeiInit	(	PUNICODE_STRING	ProcessImage,
		HSDB	hsdb,
		SDBQUERYRESULT *	pQuery
	)

Definition at line 1178 of file shimeng.c.

{
    DWORD n;
    ARRAY ShimRefArray;
    DWORD dwTotalHooks = 0;
    FLAGINFO ShimFlags;

    PPEB Peb = NtCurrentPeb();

    /* We should only be called once! */
    ASSERT(g_pShimInfo.ItemSize__ == 0);

    ARRAY_Init(&ShimRefArray, TAGREF);
    ARRAY_Init(&g_pShimInfo, PSHIMMODULE);
    ARRAY_Init(&g_pHookArray, HOOKMODULEINFO);
    ARRAY_Init(&g_InExclude, INEXCLUDE);
    RtlZeroMemory(&ShimFlags, sizeof(ShimFlags));

    SeiInitPaths();

    SeiCheckComPlusImage(Peb->ImageBaseAddress);

    /* Mark all modules loaded until now as 'LDRP_ENTRY_PROCESSED' so that their entrypoint is not called while we are loading shims */
    SeiSetEntryProcessed(Peb);

    /* TODO:
    if (pQuery->trApphelp)
        SeiDisplayAppHelp(?pQuery->trApphelp?);
    */

    SeiDbgPrint(SEI_MSG, NULL, "ShimInfo(ExePath(%wZ))\n", ProcessImage);
    SeiBuildShimRefArray(hsdb, pQuery, &ShimRefArray, &ShimFlags);
    if (ShimFlags.AppCompatFlags.QuadPart)
    {
        SeiDbgPrint(SEI_MSG, NULL, "Using KERNEL apphack flags 0x%I64x\n", ShimFlags.AppCompatFlags.QuadPart);
        Peb->AppCompatFlags.QuadPart |= ShimFlags.AppCompatFlags.QuadPart;
    }
    if (ShimFlags.AppCompatFlagsUser.QuadPart)
    {
        SeiDbgPrint(SEI_MSG, NULL, "Using USER apphack flags 0x%I64x\n", ShimFlags.AppCompatFlagsUser.QuadPart);
        Peb->AppCompatFlagsUser.QuadPart |= ShimFlags.AppCompatFlagsUser.QuadPart;
    }
    if (ShimFlags.ProcessParameters_Flags)
    {
        SeiDbgPrint(SEI_MSG, NULL, "Using ProcessParameters flags 0x%x\n", ShimFlags.ProcessParameters_Flags);
        Peb->ProcessParameters->Flags |= ShimFlags.ProcessParameters_Flags;
    }
    SeiDbgPrint(SEI_MSG, NULL, "ShimInfo(Complete)\n");

    SHIMENG_INFO("Got %d shims\n", ARRAY_Size(&ShimRefArray));
    SeiBuildGlobalInclExclList(hsdb);

    /* Walk all shims referenced (in layers + exes), and load their modules */
    for (n = 0; n < ARRAY_Size(&ShimRefArray); ++n)
    {
        PDB pdb;
        TAGID ShimRef;

        TAGREF tr = *ARRAY_At(&ShimRefArray, TAGREF, n);

        if (SdbTagRefToTagID(hsdb, tr, &pdb, &ShimRef))
        {
            LPCWSTR ShimName, DllName, CommandLine = NULL;
            TAGID ShimTag;
            WCHAR FullNameBuffer[MAX_PATH];
            UNICODE_STRING UnicodeDllName;
            PVOID BaseAddress;
            PSHIMMODULE pShimModuleInfo = NULL;
            ANSI_STRING AnsiCommandLine = RTL_CONSTANT_STRING("");
            PSHIMINFO pShimInfo = NULL;
            PHOOKAPIEX pHookApi;
            DWORD dwHookCount;

            ShimName = SeiGetStringPtr(pdb, ShimRef, TAG_NAME);
            if (!ShimName)
            {
                SHIMENG_FAIL("Failed to retrieve the name for 0x%x\n", tr);
                continue;
            }

            CommandLine = SeiGetStringPtr(pdb, ShimRef, TAG_COMMAND_LINE);
            if (CommandLine && *CommandLine)
            {
                RtlInitUnicodeString(&UnicodeDllName, CommandLine);
                if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&AnsiCommandLine, &UnicodeDllName, TRUE)))
                {
                    SHIMENG_INFO("COMMAND LINE %s for %S", AnsiCommandLine.Buffer, ShimName);
                }
                else
                {
                    AnsiCommandLine.Buffer = "";
                    CommandLine = NULL;
                }
            }

            ShimTag = SeiGetDWORD(pdb, ShimRef, TAG_SHIM_TAGID);
            if (!ShimTag)
            {
                SHIMENG_FAIL("Failed to resolve %S to a shim\n", ShimName);
                continue;
            }

            if (!SUCCEEDED(SdbGetAppPatchDir(NULL, FullNameBuffer, ARRAYSIZE(FullNameBuffer))))
            {
                SHIMENG_WARN("Failed to get the AppPatch dir\n");
                continue;
            }

            DllName = SeiGetStringPtr(pdb, ShimTag, TAG_DLLFILE);
            if (DllName == NULL ||
                !SUCCEEDED(StringCchCatW(FullNameBuffer, ARRAYSIZE(FullNameBuffer), L"\\")) ||
                !SUCCEEDED(StringCchCatW(FullNameBuffer, ARRAYSIZE(FullNameBuffer), DllName)))
            {
                SHIMENG_WARN("Failed to build a full path for %S\n", ShimName);
                continue;
            }

            RtlInitUnicodeString(&g_LoadingShimDll, DllName);
            RtlInitUnicodeString(&UnicodeDllName, FullNameBuffer);
            if (NT_SUCCESS(LdrGetDllHandle(NULL, NULL, &UnicodeDllName, &BaseAddress)))
            {
                /* This shim dll was already loaded, let's find it */
                pShimModuleInfo = SeiGetShimModuleInfo(BaseAddress);
            }
            else if (!NT_SUCCESS(LdrLoadDll(NULL, NULL, &UnicodeDllName, &BaseAddress)))
            {
                SHIMENG_WARN("Failed to load %wZ for %S\n", &UnicodeDllName, ShimName);
                continue;
            }
            RtlInitUnicodeString(&g_LoadingShimDll, NULL);
            /* No shim module found (or we just loaded it) */
            if (!pShimModuleInfo)
            {
                pShimModuleInfo = SeiCreateShimModuleInfo(DllName, BaseAddress);
                if (!pShimModuleInfo)
                {
                    SHIMENG_FAIL("Failed to allocate ShimInfo for %S\n", DllName);
                    continue;
                }
            }

            SHIMENG_INFO("Shim DLL 0x%p \"%wZ\" loaded\n", BaseAddress, &UnicodeDllName);
            SHIMENG_INFO("Using SHIM \"%S!%S\"\n", DllName, ShimName);

            /* Ask this shim what hooks it needs (and pass along the commandline) */
            dwHookCount = 0;
            pHookApi = pShimModuleInfo->pGetHookAPIs(AnsiCommandLine.Buffer, ShimName, &dwHookCount);
            SHIMENG_INFO("GetHookAPIs returns %d hooks for DLL \"%wZ\" SHIM \"%S\"\n", dwHookCount, &UnicodeDllName, ShimName);
            if (dwHookCount && pHookApi)
                pShimInfo = SeiAppendHookInfo(pShimModuleInfo, pHookApi, dwHookCount, ShimName);
            else
                dwHookCount = 0;

            /* If this shim has hooks, create the include / exclude lists */
            if (pShimInfo)
                SeiBuildInclExclList(pdb, ShimTag, pShimInfo);

            if (CommandLine && *CommandLine)
                RtlFreeAnsiString(&AnsiCommandLine);

            dwTotalHooks += dwHookCount;
        }
    }

    SeiAddInternalHooks(dwTotalHooks);
    SeiCombineHookInfo();
    SeiResolveAPIs();
    PatchNewModules(Peb);

    /* Remove the 'LDRP_ENTRY_PROCESSED' flag from entries we modified, so that the loader can continue to process them */
    SeiResetEntryProcessed(Peb);
}

Referenced by SE_InstallBeforeInit().

SeiInitDebugSupport()

VOID SeiInitDebugSupport

(

VOID

)

Definition at line 127 of file shimeng.c.

{
    static const UNICODE_STRING DebugKey = RTL_CONSTANT_STRING(L"SHIMENG_DEBUG_LEVEL");
    UNICODE_STRING DebugValue;
    NTSTATUS Status;
    ULONG NewLevel = SEI_MSG;   /* Show some basic info in the logs, unless configured different */
    WCHAR Buffer[40];

    RtlInitEmptyUnicodeString(&DebugValue, Buffer, sizeof(Buffer));

    Status = RtlQueryEnvironmentVariable_U(NULL, &DebugKey, &DebugValue);

    if (NT_SUCCESS(Status))
    {
        if (!NT_SUCCESS(RtlUnicodeStringToInteger(&DebugValue, 10, &NewLevel)))
            NewLevel = 0;
    }
    g_ShimEngDebugLevel = NewLevel;
}

Referenced by SeiDbgPrint().

SeiInitPaths()

VOID SeiInitPaths

(

VOID

)

Definition at line 1076 of file shimeng.c.

{
#define SYSTEM32  L"\\system32"
#define WINSXS  L"\\winsxs"

    PWSTR WindowsDirectory = SdbpStrDup(SharedUserData->NtSystemRoot);
    RtlInitUnicodeString(&g_WindowsDirectory, WindowsDirectory);

    g_System32Directory.MaximumLength = g_WindowsDirectory.Length + SdbpStrsize(SYSTEM32);
    g_System32Directory.Buffer = SdbpAlloc(g_System32Directory.MaximumLength);
    RtlCopyUnicodeString(&g_System32Directory, &g_WindowsDirectory);
    RtlAppendUnicodeToString(&g_System32Directory, SYSTEM32);

    g_SxsDirectory.MaximumLength = g_WindowsDirectory.Length + SdbpStrsize(WINSXS);
    g_SxsDirectory.Buffer = SdbpAlloc(g_SxsDirectory.MaximumLength);
    RtlCopyUnicodeString(&g_SxsDirectory, &g_WindowsDirectory);
    RtlAppendUnicodeToString(&g_SxsDirectory, WINSXS);

#undef SYSTEM32
#undef WINSXS
}

Referenced by SeiInit().

SeiIsExcluded()

BOOL SeiIsExcluded	(	PLDR_DATA_TABLE_ENTRY	LdrEntry,
		PHOOKAPIEX	HookApi
	)

Definition at line 811 of file shimeng.c.

{
    PSHIMINFO pShimInfo = HookApi->pShimInfo;
    PINEXCLUDE InExclude;
    BOOL IsExcluded = FALSE;
    char szOrdProcFmt[10];

    if (!pShimInfo)
    {
        /* Internal hook, do not exclude it */
        return FALSE;
    }

    /* By default, everything from System32 or WinSxs is excluded */
    if (RtlPrefixUnicodeString(&g_System32Directory, &LdrEntry->FullDllName, TRUE) ||
        RtlPrefixUnicodeString(&g_SxsDirectory, &LdrEntry->FullDllName, TRUE))
        IsExcluded = TRUE;

    InExclude = SeiFindInExclude(&pShimInfo->InExclude, &LdrEntry->BaseDllName);
    if (InExclude)
    {
        /* If it is on the 'exclude' list, bail out */
        if (!InExclude->Include)
        {
            SHIMENG_INFO("Module '%wZ' excluded for shim %S, API '%s!%s', because it on in the exclude list.\n",
                         &LdrEntry->BaseDllName, pShimInfo->ShimName, HookApi->LibraryName, SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt));

            return TRUE;
        }
        /* If it is on the 'include' list, override System32 / Winsxs check. */
        if (IsExcluded)
        {
            SHIMENG_INFO("Module '%wZ' included for shim %S, API '%s!%s', because it is on the include list.\n",
                         &LdrEntry->BaseDllName, pShimInfo->ShimName, HookApi->LibraryName, SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt));

        }
        IsExcluded = FALSE;
    }

    if (IsExcluded)
    {
        SHIMENG_INFO("Module '%wZ' excluded for shim %S, API '%s!%s', because it is in System32/WinSXS.\n",
                     &LdrEntry->BaseDllName, pShimInfo->ShimName, HookApi->LibraryName, SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt));
    }

    return IsExcluded;
}

Referenced by SeiHookImports().

SeiIsOrdinalName()

static BOOL SeiIsOrdinalName ( LPCSTR  lpProcName )

static

Definition at line 212 of file shimeng.c.

{
    return (ULONG_PTR)lpProcName <= MAXUSHORT;
}

Referenced by SeiCompareFunctionName(), SeiHookImports(), SeiPrintFunctionName(), and SeiResolveAPI().

SeiPatchNewImport()

VOID SeiPatchNewImport	(	PIMAGE_THUNK_DATA	FirstThunk,
		PHOOKAPIEX	HookApi,
		PLDR_DATA_TABLE_ENTRY	LdrEntry
	)

Definition at line 763 of file shimeng.c.

{
    ULONG OldProtection = 0;
    PVOID Ptr;
    SIZE_T Size;
    NTSTATUS Status;
    char szOrdProcFmt[10];

    SHIMENG_INFO("Hooking API \"%s!%s\" for DLL \"%wZ\"\n", HookApi->LibraryName, SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt), &LdrEntry->BaseDllName);

    Ptr = &FirstThunk->u1.Function;
    Size = sizeof(FirstThunk->u1.Function);
    Status = NtProtectVirtualMemory(NtCurrentProcess(), &Ptr, &Size, PAGE_EXECUTE_READWRITE, &OldProtection);

    if (!NT_SUCCESS(Status))
    {
        SHIMENG_FAIL("Unable to unprotect 0x%p\n", &FirstThunk->u1.Function);
        return;
    }

    SHIMENG_INFO("changing 0x%p to 0x%p\n", FirstThunk->u1.Function, HookApi->ReplacementFunction);
    FirstThunk->u1.Function = (ULONG_PTR)HookApi->ReplacementFunction;

    Size = sizeof(FirstThunk->u1.Function);
    Status = NtProtectVirtualMemory(NtCurrentProcess(), &Ptr, &Size, OldProtection, &OldProtection);

    if (!NT_SUCCESS(Status))
    {
        SHIMENG_WARN("Unable to reprotect 0x%p\n", &FirstThunk->u1.Function);
    }
}

Referenced by SeiHookImports().

SeiPrintFunctionName()

LPCSTR SeiPrintFunctionName	(	LPCSTR	lpProcName,
		char	szOrdProcFmt[10]
	)

Definition at line 217 of file shimeng.c.

{
    if (SeiIsOrdinalName(lpProcName))
    {
        StringCchPrintfA(szOrdProcFmt, 10, "#%Iu", (ULONG_PTR)lpProcName);
        return szOrdProcFmt;
    }
    return lpProcName;
}

Referenced by SeiHookImports(), SeiIsExcluded(), SeiPatchNewImport(), SeiResolveAPI(), and StubGetProcAddress().

SeiReadInExclude()

VOID SeiReadInExclude	(	PDB	pdb,
		TAGID	parent,
		PARRAY	dest
	)

Definition at line 882 of file shimeng.c.

{
    TAGID InExcludeTag;

    InExcludeTag = SdbFindFirstTag(pdb, parent, TAG_INEXCLUD);

    while (InExcludeTag != TAGID_NULL)
    {
        PCWSTR ModuleName;
        TAGID ModuleTag = SdbFindFirstTag(pdb, InExcludeTag, TAG_MODULE);
        TAGID IncludeTag = SdbFindFirstTag(pdb, InExcludeTag, TAG_INCLUDE);

        ModuleName = SdbGetStringTagPtr(pdb, ModuleTag);
        if (ModuleName)
        {
            SeiAppendInExclude(dest, ModuleName, IncludeTag != TAGID_NULL);
        }
        else
        {
            SHIMENG_WARN("INEXCLUDE without Module: 0x%x\n", InExcludeTag);
        }

        InExcludeTag = SdbFindNextTag(pdb, parent, InExcludeTag);
    }
}

Referenced by SeiBuildGlobalInclExclList(), and SeiBuildInclExclList().

SeiResetEntryProcessed()

VOID SeiResetEntryProcessed

(

PPEB

Peb

)

Definition at line 1149 of file shimeng.c.

{
    PLIST_ENTRY ListHead, Entry;
    PLDR_DATA_TABLE_ENTRY LdrEntry;

    ListHead = &NtCurrentPeb()->Ldr->InInitializationOrderModuleList;
    Entry = ListHead->Flink;
    while (Entry != ListHead)
    {
        LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks);
        Entry = Entry->Flink;

        if (SE_IsShimDll(LdrEntry->DllBase) ||
            g_hInstance == LdrEntry->DllBase ||
            RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Ntdll, TRUE) ||
            RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Kernel32, TRUE) ||
            RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Verifier, TRUE) ||
            !(LdrEntry->Flags & LDRP_SHIMENG_SUPPRESSED_ENTRY))
        {
            SHIMENG_WARN("Don't mess with 0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
        }
        else
        {
            SHIMENG_WARN("Resetting       0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
            LdrEntry->Flags &= ~(LDRP_ENTRY_PROCESSED | LDRP_SHIMENG_SUPPRESSED_ENTRY);
        }
    }
}

Referenced by SeiInit().

SeiResolveAPI()

VOID SeiResolveAPI

(

PHOOKMODULEINFO

HookModuleInfo

)

Definition at line 664 of file shimeng.c.

{
    DWORD n;
    ANSI_STRING AnsiString;

    ASSERT(HookModuleInfo->BaseAddress != NULL);

    for (n = 0; n < ARRAY_Size(&HookModuleInfo->HookApis); ++n)
    {
        NTSTATUS Status;
        PVOID ProcAddress;
        PHOOKAPIEX HookApi = *ARRAY_At(&HookModuleInfo->HookApis, PHOOKAPIEX, n);

        if (!SeiIsOrdinalName(HookApi->FunctionName))
        {
            RtlInitAnsiString(&AnsiString, HookApi->FunctionName);
            Status = LdrGetProcedureAddress(HookModuleInfo->BaseAddress, &AnsiString, 0, &ProcAddress);
        }
        else
        {
            Status = LdrGetProcedureAddress(HookModuleInfo->BaseAddress, NULL, (ULONG_PTR)HookApi->FunctionName, &ProcAddress);
        }

        if (!NT_SUCCESS(Status))
        {
            char szOrdProcFmt[10];
            LPCSTR lpFunctionName = SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt);
            SHIMENG_FAIL("Unable to retrieve %s!%s\n", HookApi->LibraryName, lpFunctionName);
            continue;
        }

        HookApi->OriginalFunction = ProcAddress;
        if (HookApi->ApiLink)
        {
            SHIMENG_MSG("TODO: Figure out how to handle conflicting In/Exports with ApiLink!\n");
        }
        while (HookApi->ApiLink)
        {
            HookApi->ApiLink->OriginalFunction = HookApi->OriginalFunction;
            HookApi->OriginalFunction = HookApi->ApiLink->ReplacementFunction;
            HookApi = HookApi->ApiLink;
        }
    }
}

Referenced by SE_DllLoaded(), and SeiResolveAPIs().

SeiResolveAPIs()

VOID SeiResolveAPIs

(

VOID

)

Definition at line 710 of file shimeng.c.

{
    DWORD n;

    for (n = 0; n < ARRAY_Size(&g_pHookArray); ++n)
    {
        PHOOKMODULEINFO pModuleInfo = ARRAY_At(&g_pHookArray, HOOKMODULEINFO, n);

        /* Is this module loaded? */
        if (pModuleInfo->BaseAddress)
        {
            SeiResolveAPI(pModuleInfo);
        }
    }
}

Referenced by SeiInit().

SeiSetEntryProcessed()

VOID SeiSetEntryProcessed

(

PPEB

Peb

)

Definition at line 1098 of file shimeng.c.

{
    PLIST_ENTRY ListHead, Entry;
    PLDR_DATA_TABLE_ENTRY LdrEntry;

    ListHead = &NtCurrentPeb()->Ldr->InInitializationOrderModuleList;
    Entry = ListHead->Flink;
    while (Entry != ListHead)
    {
        LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks);
        Entry = Entry->Flink;

        if (RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Ntdll, TRUE) ||
            RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Kernel32, TRUE) ||
            RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Verifier, TRUE) ||
            RtlEqualUnicodeString(&LdrEntry->BaseDllName, &g_LoadingShimDll, TRUE) ||
            SE_IsShimDll(LdrEntry->DllBase) ||
            (LdrEntry->Flags & LDRP_ENTRY_PROCESSED))
        {
            SHIMENG_WARN("Don't mess with 0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
        }
        else
        {
            SHIMENG_WARN("Touching        0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
            LdrEntry->Flags |= (LDRP_ENTRY_PROCESSED | LDRP_SHIMENG_SUPPRESSED_ENTRY);
        }
    }

    ListHead = &NtCurrentPeb()->Ldr->InMemoryOrderModuleList;
    Entry = ListHead->Flink;
    SHIMENG_INFO("In memory:\n");
    while (Entry != ListHead)
    {
        LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        Entry = Entry->Flink;

        SHIMENG_INFO("    0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
    }

    ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
    Entry = ListHead->Flink;
    SHIMENG_INFO("In load:\n");
    while (Entry != ListHead)
    {
        LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        Entry = Entry->Flink;

        SHIMENG_INFO("    0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
    }
}

Referenced by SeiInit().

SeiSetLayerEnvVar()

static VOID SeiSetLayerEnvVar ( LPCWSTR  wszLayer )

static

Definition at line 455 of file shimeng.c.

{
    NTSTATUS Status;
    UNICODE_STRING VarName = RTL_CONSTANT_STRING(L"__COMPAT_LAYER");
    UNICODE_STRING Value;

    RtlInitUnicodeString(&Value, wszLayer);

    Status = RtlSetEnvironmentVariable(NULL, &VarName, &Value);
    if (NT_SUCCESS(Status))
        SHIMENG_INFO("%wZ=%wZ\n", &VarName, &Value);
    else
        SHIMENG_FAIL("Failed to set %wZ: 0x%x\n", &VarName, Status);
}

Referenced by SeiBuildShimRefArray().

StubGetProcAddress()

FARPROC WINAPI StubGetProcAddress	(	HINSTANCE	hModule,
		LPCSTR	lpProcName
	)

Definition at line 627 of file shimeng.c.

{
    PVOID Addr = _ReturnAddress();
    PHOOKMODULEINFO HookModuleInfo;
    FARPROC proc = ((GETPROCADDRESSPROC)g_IntHookEx[0].OriginalFunction)(hModule, lpProcName);
    char szOrdProcFmt[10];

    Addr = SeiGetModuleFromAddress(Addr);
    if (SE_IsShimDll(Addr))
    {
        SHIMENG_MSG("Not touching GetProcAddress for shim dll (%p!%s)", hModule, SeiPrintFunctionName(lpProcName, szOrdProcFmt));
        return proc;
    }

    SHIMENG_INFO("(GetProcAddress(%p!%s) => %p\n", hModule, SeiPrintFunctionName(lpProcName, szOrdProcFmt), proc);

    HookModuleInfo = SeiFindHookModuleInfo(NULL, hModule);

    if (HookModuleInfo)
    {
        DWORD n;
        for (n = 0; n < ARRAY_Size(&HookModuleInfo->HookApis); ++n)
        {
            PHOOKAPIEX HookApi = *ARRAY_At(&HookModuleInfo->HookApis, PHOOKAPIEX, n);
            int CmpResult = SeiCompareFunctionName(lpProcName, HookApi->FunctionName);
            if (CmpResult == 0)
            {
                SHIMENG_MSG("Redirecting %p to %p\n", proc, HookApi->ReplacementFunction);
                proc = HookApi->ReplacementFunction;
                break;
            }
        }
    }

    return proc;
}

Variable Documentation

g_bComPlusImage

BOOL g_bComPlusImage = FALSE

Definition at line 33 of file shimeng.c.

Referenced by SeiCheckComPlusImage().

g_bInternalHooksUsed

BOOL g_bInternalHooksUsed = FALSE

Definition at line 35 of file shimeng.c.

Referenced by SeiAddInternalHooks().

g_bShimDuringInit

BOOL g_bShimDuringInit = FALSE

Definition at line 34 of file shimeng.c.

Referenced by SE_DllLoaded(), and SE_InstallBeforeInit().

g_hInstance

HMODULE g_hInstance

Definition at line 18 of file MainWindow.cpp.

Referenced by SeiHookImports(), and SeiResetEntryProcessed().

g_InExclude

ARRAY g_InExclude

static

Definition at line 38 of file shimeng.c.

Referenced by SeiBuildGlobalInclExclList(), SeiBuildInclExclList(), and SeiInit().

g_IntHookEx

HOOKAPIEX g_IntHookEx[]

Initial value:

=
{
    {
        "kernel32.dll",     
        "GetProcAddress",   
        StubGetProcAddress, 
        NULL,               
        NULL,               
        NULL                
    },
}

Definition at line 42 of file shimeng.c.

Referenced by SeiAddInternalHooks(), and StubGetProcAddress().

g_LoadingShimDll

UNICODE_STRING g_LoadingShimDll

static

Definition at line 31 of file shimeng.c.

Referenced by SeiHookImports(), SeiInit(), and SeiSetEntryProcessed().

g_pHookArray

ARRAY g_pHookArray

static

Definition at line 37 of file shimeng.c.

Referenced by SeiAddHooks(), SeiFindHookModuleInfo(), SeiInit(), and SeiResolveAPIs().

g_pShimInfo

ARRAY g_pShimInfo

static

Definition at line 36 of file shimeng.c.

Referenced by NotifyShims(), SeiCombineHookInfo(), SeiCreateShimModuleInfo(), SeiGetShimModuleInfo(), and SeiInit().

g_ShimEngDebugLevel

ULONG g_ShimEngDebugLevel = 0xffffffff

Definition at line 32 of file shimeng.c.

Referenced by SeiDbgPrint(), and SeiInitDebugSupport().

g_SxsDirectory

UNICODE_STRING g_SxsDirectory

static

Definition at line 30 of file shimeng.c.

Referenced by SeiInitPaths(), and SeiIsExcluded().

g_System32Directory

UNICODE_STRING g_System32Directory

static

Definition at line 29 of file shimeng.c.

Referenced by SeiInitPaths(), and SeiIsExcluded().

g_WindowsDirectory

UNICODE_STRING g_WindowsDirectory

static

Definition at line 28 of file shimeng.c.

Referenced by SeiInitPaths().

Kernel32

const UNICODE_STRING Kernel32 = RTL_CONSTANT_STRING(L"kernel32.dll")

static

Definition at line 24 of file shimeng.c.

Referenced by SeiResetEntryProcessed(), and SeiSetEntryProcessed().

Ntdll

const UNICODE_STRING Ntdll = RTL_CONSTANT_STRING(L"ntdll.dll")

static

Definition at line 23 of file shimeng.c.

Referenced by SeiResetEntryProcessed(), and SeiSetEntryProcessed().

Verifier

const UNICODE_STRING Verifier = RTL_CONSTANT_STRING(L"verifier.dll")

static

Definition at line 25 of file shimeng.c.

Referenced by SeiResetEntryProcessed(), and SeiSetEntryProcessed().