mirror of
https://github.com/UzixLS/KernelEx.git
synced 2025-07-19 07:21:20 +03:00
import KernelEx-4.0-Final2
This commit is contained in:
UzixLS
@ -37,8 +37,8 @@ char system_path[MAX_PATH];
|
||||
int system_path_len;
|
||||
|
||||
static PLONG jtab;
|
||||
static LONG old_jtab[4];
|
||||
|
||||
static LONG old_jtab[JTAB_SIZE];
|
||||
static HKEY known_dlls_key;
|
||||
|
||||
|
||||
/** Get API configuration for selected module.
|
||||
@ -101,6 +101,7 @@ static bool get_config(MODREF* moduleMR, config_params& cp)
|
||||
if (ppdbParent && !(ppdbParent->Flags & (fTerminated | fTerminating |
|
||||
fNearlyTerminating | fDosProcess | fWin16Process)))
|
||||
{
|
||||
pmteModTable = *ppmteModTable;
|
||||
IMTE_KEX* parent = (IMTE_KEX*) pmteModTable[ppdbParent->pExeMODREF->mteIndex];
|
||||
conf = parent->config;
|
||||
flags = parent->flags;
|
||||
@ -128,7 +129,7 @@ static bool get_config(MODREF* moduleMR, config_params& cp)
|
||||
DBGASSERT(conf != NULL);
|
||||
cp.apiconf = conf;
|
||||
#ifdef _DEBUG
|
||||
cp.log_apis = (flags & LDR_LOG_APIS) != 0;
|
||||
cp.log_apis = (process->flags & LDR_LOG_APIS) != 0;
|
||||
#endif
|
||||
return true;
|
||||
}
|
||||
@ -234,7 +235,7 @@ static PROC resolve_nonshared_addr(DWORD addr, MODREF* caller, PMODREF** refmod)
|
||||
}
|
||||
|
||||
DBGPRINTF(("Implicit load: replacing tree %s => %s [PID=%08x]\n",
|
||||
pmteModTable[caller->ImplicitImports[*refmod - buffer].pMR->mteIndex]
|
||||
(*ppmteModTable)[caller->ImplicitImports[*refmod - buffer].pMR->mteIndex]
|
||||
->pszModName, apilib->apilib_name,
|
||||
GetCurrentProcessId()));
|
||||
|
||||
@ -261,6 +262,7 @@ static PROC resolve_nonshared_addr(DWORD addr, MODREF* caller, PMODREF** refmod)
|
||||
}
|
||||
}
|
||||
|
||||
pmteModTable = *ppmteModTable;
|
||||
IMTE_KEX* imte = (IMTE_KEX*) pmteModTable[mr->mteIndex];
|
||||
|
||||
img_base = imte->pNTHdr->OptionalHeader.ImageBase;
|
||||
@ -462,7 +464,9 @@ DWORD encode_address(DWORD addr, const ApiLibrary* apilib)
|
||||
//STD apilib
|
||||
if (index == 0)
|
||||
{
|
||||
if (addr < 0xc0000000)
|
||||
//normal address (shared or nonshared library)
|
||||
//or ordinal number for export forwarding
|
||||
if (addr < 0xc0000000 || addr >= 0xffff0000)
|
||||
return addr;
|
||||
|
||||
//extremely rare scenario: driver hijacked apis so the address is now
|
||||
@ -526,6 +530,15 @@ PROC WINAPI ExportFromOrdinal(IMTE_KEX* target, MODREF* caller, PMODREF** refmod
|
||||
target->pNTHdr, caller, refmod);
|
||||
else
|
||||
ret = OriExportFromOrdinal(target->pNTHdr, ordinal);
|
||||
#ifdef _DEBUG
|
||||
if (ret && cp.log_apis)
|
||||
{
|
||||
IMTE_KEX* icaller = (IMTE_KEX*)((*ppmteModTable)[caller->mteIndex]);
|
||||
if (DWORD(ret) < target->pNTHdr->OptionalHeader.ImageBase
|
||||
+ target->pNTHdr->OptionalHeader.BaseOfData)
|
||||
ret = create_log_stub(icaller->pszModName, target->pszModName, ordinal, ret);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
else
|
||||
ret = OriExportFromOrdinal(target->pNTHdr, ordinal);
|
||||
@ -568,7 +581,9 @@ PROC WINAPI ExportFromName(IMTE_KEX* target, MODREF* caller, PMODREF** refmod, W
|
||||
if (ret && cp.log_apis)
|
||||
{
|
||||
IMTE_KEX* icaller = (IMTE_KEX*)((*ppmteModTable)[caller->mteIndex]);
|
||||
ret = create_log_stub(icaller->pszModName, target->pszModName, name, ret);
|
||||
if (DWORD(ret) < target->pNTHdr->OptionalHeader.ImageBase
|
||||
+ target->pNTHdr->OptionalHeader.BaseOfData)
|
||||
ret = create_log_stub(icaller->pszModName, target->pszModName, name, ret);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
@ -585,6 +600,50 @@ PROC WINAPI ExportFromName(IMTE_KEX* target, MODREF* caller, PMODREF** refmod, W
|
||||
return ret;
|
||||
}
|
||||
|
||||
bool are_extensions_enabled()
|
||||
{
|
||||
config_params cp;
|
||||
MODREF* exe = (*pppdbCur)->pExeMODREF;
|
||||
return get_config(exe, cp);
|
||||
}
|
||||
|
||||
typedef BOOL (__stdcall *IsKnownDLL_t)(char*, const char*);
|
||||
|
||||
static BOOL WINAPI IsKnownKexDLL(char* name, const char* ext)
|
||||
{
|
||||
LONG res;
|
||||
DWORD type;
|
||||
char path[MAX_PATH];
|
||||
DWORD size = sizeof(path);
|
||||
|
||||
if (ext && strcmp(ext, "DLL") != 0)
|
||||
return FALSE;
|
||||
|
||||
if (are_extensions_enabled())
|
||||
{
|
||||
//workaround windows bug
|
||||
int pos = strlen(name) - 4;
|
||||
if (pos > 0 && name[pos] == '.')
|
||||
name[pos] = '\0';
|
||||
|
||||
res = RegQueryValueEx(known_dlls_key, name, NULL, &type, (BYTE*) path, &size);
|
||||
}
|
||||
else
|
||||
res = ERROR_INVALID_FUNCTION;
|
||||
|
||||
if (res == ERROR_SUCCESS && type == REG_SZ)
|
||||
{
|
||||
memcpy(name, (const char*) kernelex_dir, kernelex_dir.length());
|
||||
memcpy(name + kernelex_dir.length(), path, size);
|
||||
return TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
IsKnownDLL_t IsKnownDLL = (IsKnownDLL_t) old_jtab[JTAB_KNO_DLL];
|
||||
return IsKnownDLL(name, NULL);
|
||||
}
|
||||
}
|
||||
|
||||
PROC WINAPI iGetProcAddress(HMODULE hModule, LPCSTR lpProcName)
|
||||
{
|
||||
IMAGE_DOS_HEADER* dos_hdr;
|
||||
@ -708,6 +767,7 @@ int resolver_init()
|
||||
jtab = (PLONG) dseg->jtab;
|
||||
|
||||
system_path_len = GetSystemDirectory(system_path, sizeof(system_path));
|
||||
RegOpenKey(HKEY_LOCAL_MACHINE, "Software\\KernelEx\\KnownDLLs", &known_dlls_key);
|
||||
|
||||
SettingsDB::instance.flush_all();
|
||||
|
||||
@ -716,6 +776,8 @@ int resolver_init()
|
||||
|
||||
void resolver_uninit()
|
||||
{
|
||||
DBGPRINTF(("resolver_uninit()\n"));
|
||||
RegCloseKey(known_dlls_key);
|
||||
SettingsDB::instance.clear();
|
||||
reset_imtes();
|
||||
}
|
||||
@ -723,17 +785,16 @@ void resolver_uninit()
|
||||
void resolver_hook()
|
||||
{
|
||||
DBGPRINTF(("resolver_hook()\n"));
|
||||
old_jtab[0] = InterlockedExchange(jtab + JTAB_EFO_DYN, (LONG) ExportFromOrdinalDynamic_thunk);
|
||||
old_jtab[1] = InterlockedExchange(jtab + JTAB_EFO_STA, (LONG) ExportFromOrdinalStatic_thunk);
|
||||
old_jtab[2] = InterlockedExchange(jtab + JTAB_EFN_DYN, (LONG) ExportFromNameDynamic_thunk);
|
||||
old_jtab[3] = InterlockedExchange(jtab + JTAB_EFN_STA, (LONG) ExportFromNameStatic_thunk);
|
||||
old_jtab[JTAB_EFO_DYN] = InterlockedExchange(jtab + JTAB_EFO_DYN, (LONG) ExportFromOrdinalDynamic_thunk);
|
||||
old_jtab[JTAB_EFO_STA] = InterlockedExchange(jtab + JTAB_EFO_STA, (LONG) ExportFromOrdinalStatic_thunk);
|
||||
old_jtab[JTAB_EFN_DYN] = InterlockedExchange(jtab + JTAB_EFN_DYN, (LONG) ExportFromNameDynamic_thunk);
|
||||
old_jtab[JTAB_EFN_STA] = InterlockedExchange(jtab + JTAB_EFN_STA, (LONG) ExportFromNameStatic_thunk);
|
||||
old_jtab[JTAB_KNO_DLL] = InterlockedExchange(jtab + JTAB_KNO_DLL, (LONG) IsKnownKexDLL);
|
||||
}
|
||||
|
||||
void resolver_unhook()
|
||||
{
|
||||
DBGPRINTF(("resolver_unhook()\n"));
|
||||
InterlockedExchange(jtab + JTAB_EFO_DYN, old_jtab[0]);
|
||||
InterlockedExchange(jtab + JTAB_EFO_STA, old_jtab[1]);
|
||||
InterlockedExchange(jtab + JTAB_EFN_DYN, old_jtab[2]);
|
||||
InterlockedExchange(jtab + JTAB_EFN_STA, old_jtab[3]);
|
||||
for (int i = 0 ; i < JTAB_SIZE ; i++)
|
||||
InterlockedExchange(jtab + i, old_jtab[i]);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user