/* * PROJECT: ReactOS Application compatibility module * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later) * PURPOSE: Shim engine core * COPYRIGHT: Copyright 2015-2019 Mark Jansen (mark.jansen@reactos.org) */ #define WIN32_NO_STATUS #include "ntndk.h" #define IN_APPHELP #include "shimlib.h" #include /* Make sure we don't include apphelp logging */ #define APPHELP_NOSDBPAPI #include "apphelp.h" #include "shimeng.h" FARPROC WINAPI StubGetProcAddress(HINSTANCE hModule, LPCSTR lpProcName); BOOL WINAPI SE_IsShimDll(PVOID BaseAddress); static const UNICODE_STRING Ntdll = RTL_CONSTANT_STRING(L"ntdll.dll"); static const UNICODE_STRING Kernel32 = RTL_CONSTANT_STRING(L"kernel32.dll"); static const UNICODE_STRING Verifier = RTL_CONSTANT_STRING(L"verifier.dll"); extern HMODULE g_hInstance; static UNICODE_STRING g_WindowsDirectory; static UNICODE_STRING g_System32Directory; static UNICODE_STRING g_SxsDirectory; static UNICODE_STRING g_LoadingShimDll; ULONG g_ShimEngDebugLevel = 0xffffffff; BOOL g_bComPlusImage = FALSE; BOOL g_bShimDuringInit = FALSE; BOOL g_bInternalHooksUsed = FALSE; static ARRAY g_pShimInfo; /* PSHIMMODULE */ static ARRAY g_pHookArray; /* HOOKMODULEINFO */ static ARRAY g_InExclude; /* INEXCLUDE */ typedef FARPROC(WINAPI* GETPROCADDRESSPROC)(HINSTANCE, LPCSTR); /* If we have setup a hook for a function, we should also redirect GetProcAddress for this function */ HOOKAPIEX g_IntHookEx[] = { { "kernel32.dll", /* LibraryName */ "GetProcAddress", /* FunctionName */ StubGetProcAddress, /* ReplacementFunction*/ NULL, /* OriginalFunction */ NULL, /* pShimInfo */ NULL /* ApiLink */ }, }; static inline BOOL ARRAY_InitWorker(PARRAY Array, DWORD ItemSize) { Array->Data__ = NULL; Array->Size__ = Array->MaxSize__ = 0; Array->ItemSize__ = ItemSize; return TRUE; } static inline BOOL ARRAY_EnsureSize(PARRAY Array, DWORD ItemSize, DWORD GrowWith) { PVOID pNewData; DWORD Count; ASSERT(Array); ASSERT(ItemSize == Array->ItemSize__); if (Array->MaxSize__ > Array->Size__) return TRUE; Count = Array->Size__ + GrowWith; pNewData = SeiAlloc(Count * ItemSize); if (!pNewData) { SHIMENG_FAIL("Failed to allocate %d bytes\n", Count * ItemSize); return FALSE; } Array->MaxSize__ = Count; if (Array->Data__) { memcpy(pNewData, Array->Data__, Array->Size__ * ItemSize); SeiFree(Array->Data__); } Array->Data__ = pNewData; return TRUE; } static inline PVOID ARRAY_AppendWorker(PARRAY Array, DWORD ItemSize, DWORD GrowWith) { PBYTE pData; if (!ARRAY_EnsureSize(Array, ItemSize, GrowWith)) return NULL; pData = Array->Data__; pData += (Array->Size__ * ItemSize); Array->Size__++; return pData; } static inline PVOID ARRAY_AtWorker(PARRAY Array, DWORD ItemSize, DWORD n) { PBYTE pData; ASSERT(Array); ASSERT(ItemSize == Array->ItemSize__); ASSERT(n < Array->Size__); pData = Array->Data__; return pData + (n * ItemSize); } #define ARRAY_Init(Array, TypeOfArray) ARRAY_InitWorker((Array), sizeof(TypeOfArray)) #define ARRAY_Append(Array, TypeOfArray) (TypeOfArray*)ARRAY_AppendWorker((Array), sizeof(TypeOfArray), 5) #define ARRAY_At(Array, TypeOfArray, at) (TypeOfArray*)ARRAY_AtWorker((Array), sizeof(TypeOfArray), at) #define ARRAY_Size(Array) (Array)->Size__ VOID SeiInitDebugSupport(VOID) { static const UNICODE_STRING DebugKey = RTL_CONSTANT_STRING(L"SHIMENG_DEBUG_LEVEL"); UNICODE_STRING DebugValue; NTSTATUS Status; ULONG NewLevel = SEI_MSG; /* Show some basic info in the logs, unless configured different */ WCHAR Buffer[40]; RtlInitEmptyUnicodeString(&DebugValue, Buffer, sizeof(Buffer)); Status = RtlQueryEnvironmentVariable_U(NULL, &DebugKey, &DebugValue); if (NT_SUCCESS(Status)) { if (!NT_SUCCESS(RtlUnicodeStringToInteger(&DebugValue, 10, &NewLevel))) NewLevel = 0; } g_ShimEngDebugLevel = NewLevel; } /** * Outputs diagnostic info. * * @param [in] Level The level to log this message with, choose any of [SHIM_ERR, * SHIM_WARN, SHIM_INFO]. * @param [in] FunctionName The function this log should be attributed to. * @param [in] Format The format string. * @param ... Variable arguments providing additional information. * * @return Success: TRUE Failure: FALSE. */ BOOL WINAPIV SeiDbgPrint(SEI_LOG_LEVEL Level, PCSTR Function, PCSTR Format, ...) { char Buffer[512]; char* Current = Buffer; const char* LevelStr; size_t Length = sizeof(Buffer); va_list ArgList; HRESULT hr; if (g_ShimEngDebugLevel == 0xffffffff) SeiInitDebugSupport(); if (Level > g_ShimEngDebugLevel) return FALSE; switch (Level) { case SEI_MSG: LevelStr = "MSG "; break; case SEI_FAIL: LevelStr = "FAIL"; break; case SEI_WARN: LevelStr = "WARN"; break; case SEI_INFO: LevelStr = "INFO"; break; default: LevelStr = "USER"; break; } if (Function) hr = StringCchPrintfExA(Current, Length, &Current, &Length, STRSAFE_NULL_ON_FAILURE, "[%s] [%s] ", LevelStr, Function); else hr = StringCchPrintfExA(Current, Length, &Current, &Length, STRSAFE_NULL_ON_FAILURE, "[%s] ", LevelStr); if (!SUCCEEDED(hr)) return FALSE; va_start(ArgList, Format); hr = StringCchVPrintfExA(Current, Length, &Current, &Length, STRSAFE_NULL_ON_FAILURE, Format, ArgList); va_end(ArgList); if (!SUCCEEDED(hr)) return FALSE; DbgPrint("%s", Buffer); return TRUE; } static BOOL SeiIsOrdinalName(LPCSTR lpProcName) { return (ULONG_PTR)lpProcName <= MAXUSHORT; } LPCSTR SeiPrintFunctionName(LPCSTR lpProcName, char szOrdProcFmt[10]) { if (SeiIsOrdinalName(lpProcName)) { StringCchPrintfA(szOrdProcFmt, 10, "#%Iu", (ULONG_PTR)lpProcName); return szOrdProcFmt; } return lpProcName; } int SeiCompareFunctionName(LPCSTR lpProcName1, LPCSTR lpProcName2) { BOOL Ord1 = SeiIsOrdinalName(lpProcName1); BOOL Ord2 = SeiIsOrdinalName(lpProcName2); /* One is an ordinal, the other not */ if (Ord1 != Ord2) return 1; /* Compare ordinals */ if (Ord1) return (ULONG_PTR)lpProcName1 != (ULONG_PTR)lpProcName2; /* Compare names */ return strcmp(lpProcName1, lpProcName2); } PVOID SeiGetModuleFromAddress(PVOID addr) { PVOID hModule = NULL; RtlPcToFileHeader(addr, &hModule); return hModule; } /* TODO: Guard against recursive calling / calling init multiple times! */ VOID NotifyShims(DWORD dwReason, PVOID Info) { DWORD n; for (n = 0; n < ARRAY_Size(&g_pShimInfo); ++n) { PSHIMMODULE pShimModule = *ARRAY_At(&g_pShimInfo, PSHIMMODULE, n); if (!pShimModule->pNotifyShims) continue; pShimModule->pNotifyShims(dwReason, Info); } } VOID SeiCheckComPlusImage(PVOID BaseAddress) { ULONG ComSectionSize; g_bComPlusImage = RtlImageDirectoryEntryToData(BaseAddress, TRUE, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, &ComSectionSize) != NULL; SHIMENG_INFO("COM+ executable %s\n", g_bComPlusImage ? "TRUE" : "FALSE"); } PSHIMMODULE SeiGetShimModuleInfo(PVOID BaseAddress) { DWORD n; for (n = 0; n < ARRAY_Size(&g_pShimInfo); ++n) { PSHIMMODULE pShimModule = *ARRAY_At(&g_pShimInfo, PSHIMMODULE, n); if (pShimModule->BaseAddress == BaseAddress) return pShimModule; } return NULL; } PSHIMMODULE SeiCreateShimModuleInfo(PCWSTR DllName, PVOID BaseAddress) { static const ANSI_STRING GetHookAPIs = RTL_CONSTANT_STRING("GetHookAPIs"); static const ANSI_STRING NotifyShims = RTL_CONSTANT_STRING("NotifyShims"); PSHIMMODULE* pData, Data; PVOID pGetHookAPIs, pNotifyShims; if (!NT_SUCCESS(LdrGetProcedureAddress(BaseAddress, (PANSI_STRING)&GetHookAPIs, 0, &pGetHookAPIs)) || !NT_SUCCESS(LdrGetProcedureAddress(BaseAddress, (PANSI_STRING)&NotifyShims, 0, &pNotifyShims))) { SHIMENG_WARN("Failed to resolve entry points for %S\n", DllName); return NULL; } pData = ARRAY_Append(&g_pShimInfo, PSHIMMODULE); if (!pData) return NULL; *pData = SeiAlloc(sizeof(SHIMMODULE)); Data = *pData; RtlCreateUnicodeString(&Data->Name, DllName); Data->BaseAddress = BaseAddress; Data->pGetHookAPIs = pGetHookAPIs; Data->pNotifyShims = pNotifyShims; ARRAY_Init(&Data->EnabledShims, PSHIMINFO); return Data; } PSHIMINFO SeiAppendHookInfo(PSHIMMODULE pShimModuleInfo, PHOOKAPIEX pHookApi, DWORD dwHookCount, PCWSTR ShimName) { PSHIMINFO* pData, Data; pData = ARRAY_Append(&pShimModuleInfo->EnabledShims, PSHIMINFO); if (!pData) return NULL; *pData = SeiAlloc(sizeof(SHIMINFO)); Data = *pData; if (!Data) return NULL; Data->ShimName = SdbpStrDup(ShimName); if (!Data->ShimName) return NULL; Data->pHookApi = pHookApi; Data->dwHookCount = dwHookCount; Data->pShimModule = pShimModuleInfo; ARRAY_Init(&Data->InExclude, INEXCLUDE); return Data; } PHOOKMODULEINFO SeiFindHookModuleInfo(PUNICODE_STRING ModuleName, PVOID BaseAddress) { DWORD n; if (ModuleName == NULL && BaseAddress == NULL) { BaseAddress = NtCurrentPeb()->ImageBaseAddress; } for (n = 0; n < ARRAY_Size(&g_pHookArray); ++n) { PHOOKMODULEINFO pModuleInfo = ARRAY_At(&g_pHookArray, HOOKMODULEINFO, n); if (BaseAddress && BaseAddress == pModuleInfo->BaseAddress) return pModuleInfo; if (!BaseAddress && RtlEqualUnicodeString(ModuleName, &pModuleInfo->Name, TRUE)) return pModuleInfo; } return NULL; } PHOOKMODULEINFO SeiFindHookModuleInfoForImportDescriptor(PBYTE DllBase, PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor) { UNICODE_STRING DllName; PVOID DllHandle; NTSTATUS Success; if (!RtlCreateUnicodeStringFromAsciiz(&DllName, (PCSZ)(DllBase + ImportDescriptor->Name))) { SHIMENG_FAIL("Unable to convert dll name to unicode\n"); return NULL; } Success = LdrGetDllHandle(NULL, NULL, &DllName, &DllHandle); if (!NT_SUCCESS(Success)) { SHIMENG_FAIL("Unable to get module handle for %wZ (%p)\n", &DllName, DllBase); RtlFreeUnicodeString(&DllName); return NULL; } RtlFreeUnicodeString(&DllName); return SeiFindHookModuleInfo(NULL, DllHandle); } static LPCWSTR SeiGetStringPtr(PDB pdb, TAGID tag, TAG type) { TAGID tagEntry = SdbFindFirstTag(pdb, tag, type); if (tagEntry == TAGID_NULL) return NULL; return SdbGetStringTagPtr(pdb, tagEntry); } static DWORD SeiGetDWORD(PDB pdb, TAGID tag, TAG type) { TAGID tagEntry = SdbFindFirstTag(pdb, tag, type); if (tagEntry == TAGID_NULL) return 0; return SdbReadDWORDTag(pdb, tagEntry, 0); } static QWORD SeiGetQWORD(PDB pdb, TAGID tag, TAG type) { TAGID tagEntry = SdbFindFirstTag(pdb, tag, type); if (tagEntry == TAGID_NULL) return 0; return SdbReadQWORDTag(pdb, tagEntry, 0); } static VOID SeiAddShim(TAGREF trShimRef, PARRAY pShimRef) { TAGREF* Data; Data = ARRAY_Append(pShimRef, TAGREF); if (!Data) return; *Data = trShimRef; } static VOID SeiAddFlag(PDB pdb, TAGID tiFlagRef, PFLAGINFO pFlagInfo) { ULARGE_INTEGER Flag; /* Resolve the FLAG_REF to the real FLAG node */ TAGID FlagTag = SeiGetDWORD(pdb, tiFlagRef, TAG_FLAG_TAGID); if (FlagTag == TAGID_NULL) return; pFlagInfo->AppCompatFlags.QuadPart |= SeiGetQWORD(pdb, FlagTag, TAG_FLAG_MASK_KERNEL); pFlagInfo->AppCompatFlagsUser.QuadPart |= SeiGetQWORD(pdb, FlagTag, TAG_FLAG_MASK_USER); Flag.QuadPart = SeiGetQWORD(pdb, FlagTag, TAG_FLAG_PROCESSPARAM); pFlagInfo->ProcessParameters_Flags |= Flag.LowPart; } /* Propagate layers to child processes */ static VOID SeiSetLayerEnvVar(LPCWSTR wszLayer) { NTSTATUS Status; UNICODE_STRING VarName = RTL_CONSTANT_STRING(L"__COMPAT_LAYER"); UNICODE_STRING Value; RtlInitUnicodeString(&Value, wszLayer); Status = RtlSetEnvironmentVariable(NULL, &VarName, &Value); if (NT_SUCCESS(Status)) SHIMENG_INFO("%wZ=%wZ\n", &VarName, &Value); else SHIMENG_FAIL("Failed to set %wZ: 0x%x\n", &VarName, Status); } #define MAX_LAYER_LENGTH 256 /* Translate all Exe and Layer entries to Shims, and propagate all layers */ static VOID SeiBuildShimRefArray(HSDB hsdb, SDBQUERYRESULT* pQuery, PARRAY pShimRef, PFLAGINFO pFlagInfo) { WCHAR wszLayerEnvVar[MAX_LAYER_LENGTH] = { 0 }; DWORD n; for (n = 0; n < pQuery->dwExeCount; ++n) { PDB pdb; TAGID tag; if (SdbTagRefToTagID(hsdb, pQuery->atrExes[n], &pdb, &tag)) { LPCWSTR ExeName = SeiGetStringPtr(pdb, tag, TAG_NAME); TAGID ShimRef = SdbFindFirstTag(pdb, tag, TAG_SHIM_REF); TAGID FlagRef = SdbFindFirstTag(pdb, tag, TAG_FLAG_REF); if (ExeName) SeiDbgPrint(SEI_MSG, NULL, "ShimInfo(Exe(%S))\n", ExeName); while (ShimRef != TAGID_NULL) { TAGREF trShimRef; if (SdbTagIDToTagRef(hsdb, pdb, ShimRef, &trShimRef)) SeiAddShim(trShimRef, pShimRef); ShimRef = SdbFindNextTag(pdb, tag, ShimRef); } while (FlagRef != TAGID_NULL) { SeiAddFlag(pdb, FlagRef, pFlagInfo); FlagRef = SdbFindNextTag(pdb, tag, FlagRef); } } } for (n = 0; n < pQuery->dwLayerCount; ++n) { PDB pdb; TAGID tag; if (SdbTagRefToTagID(hsdb, pQuery->atrLayers[n], &pdb, &tag)) { LPCWSTR LayerName = SeiGetStringPtr(pdb, tag, TAG_NAME); TAGID ShimRef = SdbFindFirstTag(pdb, tag, TAG_SHIM_REF); TAGID FlagRef = SdbFindFirstTag(pdb, tag, TAG_FLAG_REF); if (LayerName) { HRESULT hr; SeiDbgPrint(SEI_MSG, NULL, "ShimInfo(Layer(%S))\n", LayerName); if (wszLayerEnvVar[0]) StringCchCatW(wszLayerEnvVar, ARRAYSIZE(wszLayerEnvVar), L" "); hr = StringCchCatW(wszLayerEnvVar, ARRAYSIZE(wszLayerEnvVar), LayerName); if (!SUCCEEDED(hr)) { SHIMENG_FAIL("Unable to append %S\n", LayerName); } } while (ShimRef != TAGID_NULL) { TAGREF trShimRef; if (SdbTagIDToTagRef(hsdb, pdb, ShimRef, &trShimRef)) SeiAddShim(trShimRef, pShimRef); ShimRef = SdbFindNextTag(pdb, tag, ShimRef); } while (FlagRef != TAGID_NULL) { SeiAddFlag(pdb, FlagRef, pFlagInfo); FlagRef = SdbFindNextTag(pdb, tag, FlagRef); } } } if (wszLayerEnvVar[0]) SeiSetLayerEnvVar(wszLayerEnvVar); } /* Given the hooks from one shim, find the relevant modules and store the combination of module + hook */ VOID SeiAddHooks(PHOOKAPIEX hooks, DWORD dwHookCount, PSHIMINFO pShim) { DWORD n, j; UNICODE_STRING UnicodeModName; WCHAR Buf[512]; RtlInitEmptyUnicodeString(&UnicodeModName, Buf, sizeof(Buf)); for (n = 0; n < dwHookCount; ++n) { ANSI_STRING AnsiString; PVOID DllHandle; PHOOKAPIEX hook = hooks + n; PHOOKAPIEX* pHookApi; PHOOKMODULEINFO HookModuleInfo; RtlInitAnsiString(&AnsiString, hook->LibraryName); if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&UnicodeModName, &AnsiString, FALSE))) { SHIMENG_FAIL("Unable to convert %s to Unicode\n", hook->LibraryName); continue; } if (NT_SUCCESS(LdrGetDllHandle(NULL, 0, &UnicodeModName, &DllHandle))) { HookModuleInfo = SeiFindHookModuleInfo(NULL, DllHandle); } else { HookModuleInfo = SeiFindHookModuleInfo(&UnicodeModName, NULL); DllHandle = NULL; } if (!HookModuleInfo) { HookModuleInfo = ARRAY_Append(&g_pHookArray, HOOKMODULEINFO); if (!HookModuleInfo) continue; HookModuleInfo->BaseAddress = DllHandle; ARRAY_Init(&HookModuleInfo->HookApis, PHOOKAPIEX); RtlCreateUnicodeString(&HookModuleInfo->Name, UnicodeModName.Buffer); } hook->pShimInfo = pShim; for (j = 0; j < ARRAY_Size(&HookModuleInfo->HookApis); ++j) { PHOOKAPIEX HookApi = *ARRAY_At(&HookModuleInfo->HookApis, PHOOKAPIEX, j); int CmpResult = SeiCompareFunctionName(hook->FunctionName, HookApi->FunctionName); if (CmpResult == 0) { while (HookApi->ApiLink) { HookApi = HookApi->ApiLink; } HookApi->ApiLink = hook; hook = NULL; break; } } /* No place found yet, append it */ if (hook) { pHookApi = ARRAY_Append(&HookModuleInfo->HookApis, PHOOKAPIEX); if (pHookApi) *pHookApi = hook; } } } /* Check if we should fake the return from GetProcAddress (because we also redirected the iat for this module) */ FARPROC WINAPI StubGetProcAddress(HINSTANCE hModule, LPCSTR lpProcName) { PVOID Addr = _ReturnAddress(); PHOOKMODULEINFO HookModuleInfo; FARPROC proc = ((GETPROCADDRESSPROC)g_IntHookEx[0].OriginalFunction)(hModule, lpProcName); char szOrdProcFmt[10]; Addr = SeiGetModuleFromAddress(Addr); if (SE_IsShimDll(Addr)) { SHIMENG_MSG("Not touching GetProcAddress for shim dll (%p!%s)", hModule, SeiPrintFunctionName(lpProcName, szOrdProcFmt)); return proc; } SHIMENG_INFO("(GetProcAddress(%p!%s) => %p\n", hModule, SeiPrintFunctionName(lpProcName, szOrdProcFmt), proc); HookModuleInfo = SeiFindHookModuleInfo(NULL, hModule); if (HookModuleInfo) { DWORD n; for (n = 0; n < ARRAY_Size(&HookModuleInfo->HookApis); ++n) { PHOOKAPIEX HookApi = *ARRAY_At(&HookModuleInfo->HookApis, PHOOKAPIEX, n); int CmpResult = SeiCompareFunctionName(lpProcName, HookApi->FunctionName); if (CmpResult == 0) { SHIMENG_MSG("Redirecting %p to %p\n", proc, HookApi->ReplacementFunction); proc = HookApi->ReplacementFunction; break; } } } return proc; } VOID SeiResolveAPI(PHOOKMODULEINFO HookModuleInfo) { DWORD n; ANSI_STRING AnsiString; ASSERT(HookModuleInfo->BaseAddress != NULL); for (n = 0; n < ARRAY_Size(&HookModuleInfo->HookApis); ++n) { NTSTATUS Status; PVOID ProcAddress; PHOOKAPIEX HookApi = *ARRAY_At(&HookModuleInfo->HookApis, PHOOKAPIEX, n); if (!SeiIsOrdinalName(HookApi->FunctionName)) { RtlInitAnsiString(&AnsiString, HookApi->FunctionName); Status = LdrGetProcedureAddress(HookModuleInfo->BaseAddress, &AnsiString, 0, &ProcAddress); } else { Status = LdrGetProcedureAddress(HookModuleInfo->BaseAddress, NULL, (ULONG_PTR)HookApi->FunctionName, &ProcAddress); } if (!NT_SUCCESS(Status)) { char szOrdProcFmt[10]; LPCSTR lpFunctionName = SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt); SHIMENG_FAIL("Unable to retrieve %s!%s\n", HookApi->LibraryName, lpFunctionName); continue; } HookApi->OriginalFunction = ProcAddress; if (HookApi->ApiLink) { SHIMENG_MSG("TODO: Figure out how to handle conflicting In/Exports with ApiLink!\n"); } while (HookApi->ApiLink) { HookApi->ApiLink->OriginalFunction = HookApi->OriginalFunction; HookApi->OriginalFunction = HookApi->ApiLink->ReplacementFunction; HookApi = HookApi->ApiLink; } } } /* Walk all shim modules / enabled shims, and add their hooks */ VOID SeiResolveAPIs(VOID) { DWORD n; for (n = 0; n < ARRAY_Size(&g_pHookArray); ++n) { PHOOKMODULEINFO pModuleInfo = ARRAY_At(&g_pHookArray, HOOKMODULEINFO, n); /* Is this module loaded? */ if (pModuleInfo->BaseAddress) { SeiResolveAPI(pModuleInfo); } } } VOID SeiCombineHookInfo(VOID) { DWORD mod, n; /* Enumerate all Shim modules */ for (mod = 0; mod < ARRAY_Size(&g_pShimInfo); ++mod) { PSHIMMODULE pShimModule = *ARRAY_At(&g_pShimInfo, PSHIMMODULE, mod); DWORD dwShimCount = ARRAY_Size(&pShimModule->EnabledShims); /* Enumerate all Shims */ for (n = 0; n < dwShimCount; ++n) { PSHIMINFO pShim = *ARRAY_At(&pShimModule->EnabledShims, PSHIMINFO, n); PHOOKAPIEX hooks = pShim->pHookApi; DWORD dwHookCount = pShim->dwHookCount; SeiAddHooks(hooks, dwHookCount, pShim); } } } /* If we hooked something, we should also redirect GetProcAddress */ VOID SeiAddInternalHooks(DWORD dwNumHooks) { if (dwNumHooks == 0) { g_bInternalHooksUsed = FALSE; return; } SeiAddHooks(g_IntHookEx, ARRAYSIZE(g_IntHookEx), NULL); g_bInternalHooksUsed = TRUE; } /* Patch one function in the iat */ VOID SeiPatchNewImport(PIMAGE_THUNK_DATA FirstThunk, PHOOKAPIEX HookApi, PLDR_DATA_TABLE_ENTRY LdrEntry) { ULONG OldProtection = 0; PVOID Ptr; SIZE_T Size; NTSTATUS Status; char szOrdProcFmt[10]; SHIMENG_INFO("Hooking API \"%s!%s\" for DLL \"%wZ\"\n", HookApi->LibraryName, SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt), &LdrEntry->BaseDllName); Ptr = &FirstThunk->u1.Function; Size = sizeof(FirstThunk->u1.Function); Status = NtProtectVirtualMemory(NtCurrentProcess(), &Ptr, &Size, PAGE_EXECUTE_READWRITE, &OldProtection); if (!NT_SUCCESS(Status)) { SHIMENG_FAIL("Unable to unprotect 0x%p\n", &FirstThunk->u1.Function); return; } SHIMENG_INFO("changing 0x%p to 0x%p\n", FirstThunk->u1.Function, HookApi->ReplacementFunction); FirstThunk->u1.Function = (ULONG_PTR)HookApi->ReplacementFunction; Size = sizeof(FirstThunk->u1.Function); Status = NtProtectVirtualMemory(NtCurrentProcess(), &Ptr, &Size, OldProtection, &OldProtection); if (!NT_SUCCESS(Status)) { SHIMENG_WARN("Unable to reprotect 0x%p\n", &FirstThunk->u1.Function); } } PINEXCLUDE SeiFindInExclude(PARRAY InExclude, PCUNICODE_STRING DllName) { DWORD n; for (n = 0; n < ARRAY_Size(InExclude); ++n) { PINEXCLUDE InEx = ARRAY_At(InExclude, INEXCLUDE, n); if (RtlEqualUnicodeString(&InEx->Module, DllName, TRUE)) return InEx; } return NULL; } BOOL SeiIsExcluded(PLDR_DATA_TABLE_ENTRY LdrEntry, PHOOKAPIEX HookApi) { PSHIMINFO pShimInfo = HookApi->pShimInfo; PINEXCLUDE InExclude; BOOL IsExcluded = FALSE; char szOrdProcFmt[10]; if (!pShimInfo) { /* Internal hook, do not exclude it */ return FALSE; } /* By default, everything from System32 or WinSxs is excluded */ if (RtlPrefixUnicodeString(&g_System32Directory, &LdrEntry->FullDllName, TRUE) || RtlPrefixUnicodeString(&g_SxsDirectory, &LdrEntry->FullDllName, TRUE)) IsExcluded = TRUE; InExclude = SeiFindInExclude(&pShimInfo->InExclude, &LdrEntry->BaseDllName); if (InExclude) { /* If it is on the 'exclude' list, bail out */ if (!InExclude->Include) { SHIMENG_INFO("Module '%wZ' excluded for shim %S, API '%s!%s', because it on in the exclude list.\n", &LdrEntry->BaseDllName, pShimInfo->ShimName, HookApi->LibraryName, SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt)); return TRUE; } /* If it is on the 'include' list, override System32 / Winsxs check. */ if (IsExcluded) { SHIMENG_INFO("Module '%wZ' included for shim %S, API '%s!%s', because it is on the include list.\n", &LdrEntry->BaseDllName, pShimInfo->ShimName, HookApi->LibraryName, SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt)); } IsExcluded = FALSE; } if (IsExcluded) { SHIMENG_INFO("Module '%wZ' excluded for shim %S, API '%s!%s', because it is in System32/WinSXS.\n", &LdrEntry->BaseDllName, pShimInfo->ShimName, HookApi->LibraryName, SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt)); } return IsExcluded; } VOID SeiAppendInExclude(PARRAY dest, PCWSTR ModuleName, BOOL IsInclude) { PINEXCLUDE InExclude; UNICODE_STRING ModuleNameU; RtlInitUnicodeString(&ModuleNameU, ModuleName); InExclude = SeiFindInExclude(dest, &ModuleNameU); if (InExclude) { InExclude->Include = IsInclude; return; } InExclude = ARRAY_Append(dest, INEXCLUDE); if (InExclude) { PCWSTR ModuleNameCopy = SdbpStrDup(ModuleName); RtlInitUnicodeString(&InExclude->Module, ModuleNameCopy); InExclude->Include = IsInclude; } } /* Read the INEXCLUD tags from a given parent tag FIXME: Some observed tags: '*' with include '$' with include, followed by '*' without include Include list logging, referring to: (MODE: EA) */ VOID SeiReadInExclude(PDB pdb, TAGID parent, PARRAY dest) { TAGID InExcludeTag; InExcludeTag = SdbFindFirstTag(pdb, parent, TAG_INEXCLUD); while (InExcludeTag != TAGID_NULL) { PCWSTR ModuleName; TAGID ModuleTag = SdbFindFirstTag(pdb, InExcludeTag, TAG_MODULE); TAGID IncludeTag = SdbFindFirstTag(pdb, InExcludeTag, TAG_INCLUDE); ModuleName = SdbGetStringTagPtr(pdb, ModuleTag); if (ModuleName) { SeiAppendInExclude(dest, ModuleName, IncludeTag != TAGID_NULL); } else { SHIMENG_WARN("INEXCLUDE without Module: 0x%x\n", InExcludeTag); } InExcludeTag = SdbFindNextTag(pdb, parent, InExcludeTag); } } VOID SeiBuildGlobalInclExclList(HSDB hsdb) { PDB pdb; TAGREF tr = TAGREF_ROOT; TAGID root, db, library; if (!SdbTagRefToTagID(hsdb, tr, &pdb, &root)) { SHIMENG_WARN("Unable to resolve database root\n"); return; } db = SdbFindFirstTag(pdb, root, TAG_DATABASE); if (db == TAGID_NULL) { SHIMENG_WARN("Unable to resolve database\n"); return; } library = SdbFindFirstTag(pdb, db, TAG_LIBRARY); if (library == TAGID_NULL) { SHIMENG_WARN("Unable to resolve library\n"); return; } SeiReadInExclude(pdb, library, &g_InExclude); } VOID SeiBuildInclExclList(PDB pdb, TAGID ShimTag, PSHIMINFO pShimInfo) { DWORD n; /* First duplicate the global in/excludes */ for (n = 0; n < ARRAY_Size(&g_InExclude); ++n) { PINEXCLUDE InEx = ARRAY_At(&g_InExclude, INEXCLUDE, n); SeiAppendInExclude(&pShimInfo->InExclude, InEx->Module.Buffer, InEx->Include); } /* Now read this shim's in/excludes (possibly overriding the global ones) */ SeiReadInExclude(pdb, ShimTag, &pShimInfo->InExclude); } /* Given one loaded module, redirect (hook) all functions from the iat that are registered by shims */ VOID SeiHookImports(PLDR_DATA_TABLE_ENTRY LdrEntry) { ULONG Size; PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor; PBYTE DllBase = LdrEntry->DllBase; if (SE_IsShimDll(DllBase) || g_hInstance == LdrEntry->DllBase || RtlEqualUnicodeString(&g_LoadingShimDll, &LdrEntry->BaseDllName, TRUE)) { SHIMENG_INFO("Skipping shim module 0x%p \"%wZ\"\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); return; } if (LdrEntry->Flags & LDRP_COMPAT_DATABASE_PROCESSED) { SHIMENG_INFO("Skipping module 0x%p \"%wZ\" because it was already processed\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); return; } ImportDescriptor = RtlImageDirectoryEntryToData(DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size); if (!ImportDescriptor) { SHIMENG_INFO("Skipping module 0x%p \"%wZ\" due to no iat found\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); return; } SHIMENG_INFO("Hooking module 0x%p \"%wZ\"\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); for ( ;ImportDescriptor->Name && ImportDescriptor->OriginalFirstThunk; ImportDescriptor++) { PHOOKMODULEINFO HookModuleInfo; /* Do we have hooks for this module? */ HookModuleInfo = SeiFindHookModuleInfoForImportDescriptor(DllBase, ImportDescriptor); if (HookModuleInfo) { PIMAGE_THUNK_DATA OriginalThunk, FirstThunk; DWORD n; for (n = 0; n < ARRAY_Size(&HookModuleInfo->HookApis); ++n) { DWORD dwFound = 0; PHOOKAPIEX HookApi = *ARRAY_At(&HookModuleInfo->HookApis, PHOOKAPIEX, n); /* Check if this module should be excluded from being hooked (system32/winsxs, global or shim exclude) */ if (SeiIsExcluded(LdrEntry, HookApi)) { continue; } OriginalThunk = (PIMAGE_THUNK_DATA)(DllBase + ImportDescriptor->OriginalFirstThunk); FirstThunk = (PIMAGE_THUNK_DATA)(DllBase + ImportDescriptor->FirstThunk); /* Walk all imports */ for (;OriginalThunk->u1.AddressOfData && FirstThunk->u1.Function; OriginalThunk++, FirstThunk++) { if (!IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Function)) { if (!SeiIsOrdinalName(HookApi->FunctionName)) { PIMAGE_IMPORT_BY_NAME ImportName; ImportName = (PIMAGE_IMPORT_BY_NAME)(DllBase + OriginalThunk->u1.Function); if (!strcmp((PCSTR)ImportName->Name, HookApi->FunctionName)) { SeiPatchNewImport(FirstThunk, HookApi, LdrEntry); /* Sadly, iat does not have to be sorted, and can even contain duplicate entries. */ dwFound++; } } } else { if (SeiIsOrdinalName(HookApi->FunctionName)) { if ((PCSTR)IMAGE_ORDINAL(OriginalThunk->u1.Function) == HookApi->FunctionName) { SeiPatchNewImport(FirstThunk, HookApi, LdrEntry); dwFound++; } } } } if (dwFound != 1) { char szOrdProcFmt[10]; LPCSTR FuncName = SeiPrintFunctionName(HookApi->FunctionName, szOrdProcFmt); /* One entry not found. */ if (!dwFound) SHIMENG_INFO("Entry \"%s!%s\" not found for \"%wZ\"\n", HookApi->LibraryName, FuncName, &LdrEntry->BaseDllName); else SHIMENG_INFO("Entry \"%s!%s\" found %d times for \"%wZ\"\n", HookApi->LibraryName, FuncName, dwFound, &LdrEntry->BaseDllName); } } } } /* Mark this module as processed. */ LdrEntry->Flags |= LDRP_COMPAT_DATABASE_PROCESSED; } VOID PatchNewModules(PPEB Peb) { PLIST_ENTRY ListHead, ListEntry; PLDR_DATA_TABLE_ENTRY LdrEntry; ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; ListEntry = ListHead->Flink; while (ListHead != ListEntry) { LdrEntry = CONTAINING_RECORD(ListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); SeiHookImports(LdrEntry); ListEntry = ListEntry->Flink; } } VOID SeiInitPaths(VOID) { #define SYSTEM32 L"\\system32" #define WINSXS L"\\winsxs" PWSTR WindowsDirectory = SdbpStrDup(SharedUserData->NtSystemRoot); RtlInitUnicodeString(&g_WindowsDirectory, WindowsDirectory); g_System32Directory.MaximumLength = g_WindowsDirectory.Length + SdbpStrsize(SYSTEM32); g_System32Directory.Buffer = SdbpAlloc(g_System32Directory.MaximumLength); RtlCopyUnicodeString(&g_System32Directory, &g_WindowsDirectory); RtlAppendUnicodeToString(&g_System32Directory, SYSTEM32); g_SxsDirectory.MaximumLength = g_WindowsDirectory.Length + SdbpStrsize(WINSXS); g_SxsDirectory.Buffer = SdbpAlloc(g_SxsDirectory.MaximumLength); RtlCopyUnicodeString(&g_SxsDirectory, &g_WindowsDirectory); RtlAppendUnicodeToString(&g_SxsDirectory, WINSXS); #undef SYSTEM32 #undef WINSXS } VOID SeiSetEntryProcessed(PPEB Peb) { PLIST_ENTRY ListHead, Entry; PLDR_DATA_TABLE_ENTRY LdrEntry; ListHead = &NtCurrentPeb()->Ldr->InInitializationOrderModuleList; Entry = ListHead->Flink; while (Entry != ListHead) { LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks); Entry = Entry->Flink; if (RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Ntdll, TRUE) || RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Kernel32, TRUE) || RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Verifier, TRUE) || RtlEqualUnicodeString(&LdrEntry->BaseDllName, &g_LoadingShimDll, TRUE) || SE_IsShimDll(LdrEntry->DllBase) || (LdrEntry->Flags & LDRP_ENTRY_PROCESSED)) { SHIMENG_WARN("Don't mess with 0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); } else { SHIMENG_WARN("Touching 0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); LdrEntry->Flags |= (LDRP_ENTRY_PROCESSED | LDRP_SHIMENG_SUPPRESSED_ENTRY); } } ListHead = &NtCurrentPeb()->Ldr->InMemoryOrderModuleList; Entry = ListHead->Flink; SHIMENG_INFO("In memory:\n"); while (Entry != ListHead) { LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks); Entry = Entry->Flink; SHIMENG_INFO(" 0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); } ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; Entry = ListHead->Flink; SHIMENG_INFO("In load:\n"); while (Entry != ListHead) { LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Entry = Entry->Flink; SHIMENG_INFO(" 0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); } } VOID SeiResetEntryProcessed(PPEB Peb) { PLIST_ENTRY ListHead, Entry; PLDR_DATA_TABLE_ENTRY LdrEntry; ListHead = &NtCurrentPeb()->Ldr->InInitializationOrderModuleList; Entry = ListHead->Flink; while (Entry != ListHead) { LdrEntry = CONTAINING_RECORD(Entry, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks); Entry = Entry->Flink; if (SE_IsShimDll(LdrEntry->DllBase) || g_hInstance == LdrEntry->DllBase || RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Ntdll, TRUE) || RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Kernel32, TRUE) || RtlEqualUnicodeString(&LdrEntry->BaseDllName, &Verifier, TRUE) || !(LdrEntry->Flags & LDRP_SHIMENG_SUPPRESSED_ENTRY)) { SHIMENG_WARN("Don't mess with 0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); } else { SHIMENG_WARN("Resetting 0x%p '%wZ'\n", LdrEntry->DllBase, &LdrEntry->BaseDllName); LdrEntry->Flags &= ~(LDRP_ENTRY_PROCESSED | LDRP_SHIMENG_SUPPRESSED_ENTRY); } } } VOID SeiInit(LPCWSTR ProcessImage, HSDB hsdb, SDBQUERYRESULT* pQuery, BOOLEAN ProcessInit) { DWORD n; ARRAY ShimRefArray; DWORD dwTotalHooks = 0; FLAGINFO ShimFlags; PPEB Peb = NtCurrentPeb(); /* We should only be called once! */ ASSERT(g_pShimInfo.ItemSize__ == 0); ARRAY_Init(&ShimRefArray, TAGREF); ARRAY_Init(&g_pShimInfo, PSHIMMODULE); ARRAY_Init(&g_pHookArray, HOOKMODULEINFO); ARRAY_Init(&g_InExclude, INEXCLUDE); RtlZeroMemory(&ShimFlags, sizeof(ShimFlags)); SeiInitPaths(); SeiCheckComPlusImage(Peb->ImageBaseAddress); if (ProcessInit) { /* Mark all modules loaded until now as 'LDRP_ENTRY_PROCESSED' so that their entrypoint is not called while we are loading shims */ SeiSetEntryProcessed(Peb); } /* TODO: if (pQuery->trApphelp) SeiDisplayAppHelp(?pQuery->trApphelp?); */ SeiDbgPrint(SEI_MSG, NULL, "ShimInfo(ExePath(%S))\n", ProcessImage); SeiBuildShimRefArray(hsdb, pQuery, &ShimRefArray, &ShimFlags); if (ShimFlags.AppCompatFlags.QuadPart) { SeiDbgPrint(SEI_MSG, NULL, "Using KERNEL apphack flags 0x%I64x\n", ShimFlags.AppCompatFlags.QuadPart); Peb->AppCompatFlags.QuadPart |= ShimFlags.AppCompatFlags.QuadPart; } if (ShimFlags.AppCompatFlagsUser.QuadPart) { SeiDbgPrint(SEI_MSG, NULL, "Using USER apphack flags 0x%I64x\n", ShimFlags.AppCompatFlagsUser.QuadPart); Peb->AppCompatFlagsUser.QuadPart |= ShimFlags.AppCompatFlagsUser.QuadPart; } if (ShimFlags.ProcessParameters_Flags) { SeiDbgPrint(SEI_MSG, NULL, "Using ProcessParameters flags 0x%x\n", ShimFlags.ProcessParameters_Flags); Peb->ProcessParameters->Flags |= ShimFlags.ProcessParameters_Flags; } SeiDbgPrint(SEI_MSG, NULL, "ShimInfo(Complete)\n"); SHIMENG_INFO("Got %d shims\n", ARRAY_Size(&ShimRefArray)); SeiBuildGlobalInclExclList(hsdb); /* Walk all shims referenced (in layers + exes), and load their modules */ for (n = 0; n < ARRAY_Size(&ShimRefArray); ++n) { PDB pdb; TAGID ShimRef; TAGREF tr = *ARRAY_At(&ShimRefArray, TAGREF, n); if (SdbTagRefToTagID(hsdb, tr, &pdb, &ShimRef)) { LPCWSTR ShimName, DllName, CommandLine = NULL; TAGID ShimTag; WCHAR FullNameBuffer[MAX_PATH]; UNICODE_STRING UnicodeDllName; PVOID BaseAddress; PSHIMMODULE pShimModuleInfo = NULL; ANSI_STRING AnsiCommandLine = RTL_CONSTANT_STRING(""); PSHIMINFO pShimInfo = NULL; PHOOKAPIEX pHookApi; DWORD dwHookCount; ShimName = SeiGetStringPtr(pdb, ShimRef, TAG_NAME); if (!ShimName) { SHIMENG_FAIL("Failed to retrieve the name for 0x%x\n", tr); continue; } CommandLine = SeiGetStringPtr(pdb, ShimRef, TAG_COMMAND_LINE); if (CommandLine && *CommandLine) { RtlInitUnicodeString(&UnicodeDllName, CommandLine); if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&AnsiCommandLine, &UnicodeDllName, TRUE))) { SHIMENG_INFO("COMMAND LINE %s for %S", AnsiCommandLine.Buffer, ShimName); } else { AnsiCommandLine.Buffer = ""; CommandLine = NULL; } } ShimTag = SeiGetDWORD(pdb, ShimRef, TAG_SHIM_TAGID); if (!ShimTag) { SHIMENG_FAIL("Failed to resolve %S to a shim\n", ShimName); continue; } if (!SUCCEEDED(SdbGetAppPatchDir(NULL, FullNameBuffer, ARRAYSIZE(FullNameBuffer)))) { SHIMENG_WARN("Failed to get the AppPatch dir\n"); continue; } DllName = SeiGetStringPtr(pdb, ShimTag, TAG_DLLFILE); if (DllName == NULL || !SUCCEEDED(StringCchCatW(FullNameBuffer, ARRAYSIZE(FullNameBuffer), L"\\")) || !SUCCEEDED(StringCchCatW(FullNameBuffer, ARRAYSIZE(FullNameBuffer), DllName))) { SHIMENG_WARN("Failed to build a full path for %S\n", ShimName); continue; } RtlInitUnicodeString(&g_LoadingShimDll, DllName); RtlInitUnicodeString(&UnicodeDllName, FullNameBuffer); if (NT_SUCCESS(LdrGetDllHandle(NULL, NULL, &UnicodeDllName, &BaseAddress))) { /* This shim dll was already loaded, let's find it */ pShimModuleInfo = SeiGetShimModuleInfo(BaseAddress); } else if (!NT_SUCCESS(LdrLoadDll(NULL, NULL, &UnicodeDllName, &BaseAddress))) { SHIMENG_WARN("Failed to load %wZ for %S\n", &UnicodeDllName, ShimName); continue; } RtlInitUnicodeString(&g_LoadingShimDll, NULL); /* No shim module found (or we just loaded it) */ if (!pShimModuleInfo) { pShimModuleInfo = SeiCreateShimModuleInfo(DllName, BaseAddress); if (!pShimModuleInfo) { SHIMENG_FAIL("Failed to allocate ShimInfo for %S\n", DllName); continue; } } SHIMENG_INFO("Shim DLL 0x%p \"%wZ\" loaded\n", BaseAddress, &UnicodeDllName); SHIMENG_INFO("Using SHIM \"%S!%S\"\n", DllName, ShimName); /* Ask this shim what hooks it needs (and pass along the commandline) */ dwHookCount = 0; pHookApi = pShimModuleInfo->pGetHookAPIs(AnsiCommandLine.Buffer, ShimName, &dwHookCount); SHIMENG_INFO("GetHookAPIs returns %d hooks for DLL \"%wZ\" SHIM \"%S\"\n", dwHookCount, &UnicodeDllName, ShimName); if (dwHookCount && pHookApi) pShimInfo = SeiAppendHookInfo(pShimModuleInfo, pHookApi, dwHookCount, ShimName); else dwHookCount = 0; /* If this shim has hooks, create the include / exclude lists */ if (pShimInfo) SeiBuildInclExclList(pdb, ShimTag, pShimInfo); if (CommandLine && *CommandLine) RtlFreeAnsiString(&AnsiCommandLine); dwTotalHooks += dwHookCount; } } SeiAddInternalHooks(dwTotalHooks); SeiCombineHookInfo(); SeiResolveAPIs(); PatchNewModules(Peb); if (ProcessInit) { /* Remove the 'LDRP_ENTRY_PROCESSED' flag from entries we modified, so that the loader can continue to process them */ SeiResetEntryProcessed(Peb); } } /* Load the database + unpack the shim data (if this process is allowed) */ BOOL SeiGetShimData(PUNICODE_STRING ProcessImage, PVOID pShimData, HSDB* pHsdb, SDBQUERYRESULT* pQuery) { static const UNICODE_STRING ForbiddenShimmingApps[] = { RTL_CONSTANT_STRING(L"ntsd.exe"), RTL_CONSTANT_STRING(L"windbg.exe"), #if WINVER >= 0x600 RTL_CONSTANT_STRING(L"slsvc.exe"), #endif }; static const UNICODE_STRING PathDividerFind = RTL_CONSTANT_STRING(L"\\/"); UNICODE_STRING ProcessName; USHORT PathDivider; HSDB hsdb; DWORD n; if (!NT_SUCCESS(RtlFindCharInUnicodeString(RTL_FIND_CHAR_IN_UNICODE_STRING_START_AT_END, ProcessImage, &PathDividerFind, &PathDivider))) PathDivider = 0; if (PathDivider) PathDivider += sizeof(WCHAR); ProcessName.Buffer = ProcessImage->Buffer + PathDivider / sizeof(WCHAR); ProcessName.Length = ProcessImage->Length - PathDivider; ProcessName.MaximumLength = ProcessImage->MaximumLength - PathDivider; for (n = 0; n < ARRAYSIZE(ForbiddenShimmingApps); ++n) { if (RtlEqualUnicodeString(&ProcessName, ForbiddenShimmingApps + n, TRUE)) { SHIMENG_MSG("Not shimming %wZ\n", ForbiddenShimmingApps + n); return FALSE; } } /* We should probably load all db's here, but since we do not support that yet... */ hsdb = SdbInitDatabase(HID_DOS_PATHS | SDB_DATABASE_MAIN_SHIM, NULL); if (hsdb) { if (SdbUnpackAppCompatData(hsdb, ProcessImage->Buffer, pShimData, pQuery)) { *pHsdb = hsdb; return TRUE; } SdbReleaseDatabase(hsdb); } return FALSE; } VOID NTAPI SE_InstallBeforeInit(PUNICODE_STRING ProcessImage, PVOID pShimData) { HSDB hsdb = NULL; SDBQUERYRESULT QueryResult = { { 0 } }; SHIMENG_INFO("(%wZ, %p)\n", ProcessImage, pShimData); if (!SeiGetShimData(ProcessImage, pShimData, &hsdb, &QueryResult)) { SHIMENG_FAIL("Failed to get shim data\n"); return; } g_bShimDuringInit = TRUE; SeiInit(ProcessImage->Buffer, hsdb, &QueryResult, TRUE); g_bShimDuringInit = FALSE; SdbReleaseDatabase(hsdb); } VOID NTAPI SE_InstallAfterInit(PUNICODE_STRING ProcessImage, PVOID pShimData) { NotifyShims(SHIM_NOTIFY_ATTACH, NULL); } VOID NTAPI SE_ProcessDying(VOID) { SHIMENG_MSG("()\n"); NotifyShims(SHIM_NOTIFY_DETACH, NULL); } VOID WINAPI SE_DllLoaded(PLDR_DATA_TABLE_ENTRY LdrEntry) { PHOOKMODULEINFO HookModuleInfo; SHIMENG_INFO("%sINIT. loading DLL \"%wZ\"\n", g_bShimDuringInit ? "" : "AFTER ", &LdrEntry->BaseDllName); HookModuleInfo = SeiFindHookModuleInfo(&LdrEntry->BaseDllName, NULL); if (HookModuleInfo) { ASSERT(HookModuleInfo->BaseAddress == NULL); HookModuleInfo->BaseAddress = LdrEntry->DllBase; SeiResolveAPI(HookModuleInfo); } SeiHookImports(LdrEntry); NotifyShims(SHIM_REASON_DLL_LOAD, LdrEntry); } VOID WINAPI SE_DllUnloaded(PLDR_DATA_TABLE_ENTRY LdrEntry) { SHIMENG_INFO("(%p)\n", LdrEntry); /* Should we unhook here? */ NotifyShims(SHIM_REASON_DLL_UNLOAD, LdrEntry); } BOOL WINAPI SE_IsShimDll(PVOID BaseAddress) { SHIMENG_INFO("(%p)\n", BaseAddress); return SeiGetShimModuleInfo(BaseAddress) != NULL; } /* 'Private' ntdll function */ BOOLEAN NTAPI LdrInitShimEngineDynamic(IN PVOID BaseAddress); BOOL WINAPI SE_DynamicShim(LPCWSTR ProcessImage, HSDB hsdb, PVOID pQueryResult, LPCSTR Module, LPDWORD lpdwDynamicToken) { g_bShimDuringInit = TRUE; SeiInit(ProcessImage, hsdb, pQueryResult, FALSE); g_bShimDuringInit = FALSE; LdrInitShimEngineDynamic(g_hInstance); return TRUE; }