//////////////////////////////////////////////////////////////////////////////
//
// Module: detours.lib
// File: creatwth.cpp
// Author: Galen C. Hunt
//
// CreateProcessWithDll. Version 1.2. (Build 35)
//
// Copyright 1995-1999, Microsoft Corporation
//
// http://www.research.microsoft.com/sn/detours
//
#include <stdio.h>
#include <windows.h>
#include "detours.h"
/////////////////////////////////////////////////////////////// Injected Code.
//
#pragma check_stack(off)
#pragma pack(push, 8)
// Signature of the LoadLibrary entry the remote thread calls. The same
// PWCHAR-typed pointer carries an ANSI path when the caller resolves
// LoadLibraryA and a UTF-16 path when it resolves LoadLibraryW.
typedef HINSTANCE (WINAPI *PROCLOADLIBRARY)(PWCHAR);

// Argument block for the remote copy of ThreadFunc. InjectLibrary writes it
// into the target process right after the copied code, so it holds only a
// function address and an inline path buffer.
typedef struct {
    PROCLOADLIBRARY fnLoadLibrary;   // LoadLibraryA or LoadLibraryW, resolved locally
    WCHAR wzLibFile[MAX_PATH];       // DLL path bytes, ANSI or UTF-16 to match fnLoadLibrary
} INJLIBINFO, *PINJLIBINFO;
// Calls to the stack-checking routine must be disabled.
// Body of the remote thread. InjectLibrary copies this function byte-for-byte
// into the target process, so it must not reference anything outside its own
// argument (the pragma above disables the stack-probe call for that reason).
static DWORD WINAPI ThreadFunc(PINJLIBINFO pInjLibInfo) {
    // There must be less than a page-worth of local
    // variables used in this function.
    HINSTANCE hinstLib;
    // Call LoadLibrary(A/W) to load the DLL.
    hinstLib = pInjLibInfo->fnLoadLibrary(pInjLibInfo->wzLibFile);
    // The module handle becomes the thread's exit code. DWORD is 32 bits, so
    // on a 64-bit target this cast truncates the handle.
    return((DWORD) hinstLib);
}
// This function marks the memory address after ThreadFunc.
// ThreadFuncCodeSizeInBytes = (PBYTE) AfterThreadFunc - (PBYTE) ThreadFunc.
// Deliberately empty. InjectLibrary uses this function's address as the end
// of ThreadFunc, which assumes the toolchain keeps the two adjacent and in
// source order; do not move or inline either of them.
static void AfterThreadFunc (void) {
}
#pragma pack(pop)
#pragma check_stack
////////////////////////////////////////////////////////////// Injection Code.
//
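// Copies ThreadFunc and an INJLIBINFO block into hProcess and runs the copy
// on a new thread so that the target process loads the named DLL.
//
//   hProcess      - handle with memory-write and thread-creation access.
//   pfLoadLibrary - address of LoadLibraryA/W resolved by the caller; the
//                   remote copy of ThreadFunc calls through it.
//   pbData        - DLL path bytes (ANSI or UTF-16 to match pfLoadLibrary),
//                   terminator included.
//   cbData        - byte count of pbData; must fit INJLIBINFO::wzLibFile.
//
// Returns TRUE when the remote thread ran to completion and returned a
// non-zero module handle; FALSE otherwise, with the last error set by the
// failing Win32 call (or ERROR_INVALID_PARAMETER for bad arguments). The
// memory allocated in the target is intentionally left in place: the remote
// thread's code lives there.
static BOOL InjectLibrary(HANDLE hProcess,
                          PROCLOADLIBRARY pfLoadLibrary,
                          PBYTE pbData,
                          DWORD cbData)
{
    BOOL fSucceeded = FALSE;
    INJLIBINFO InjLibInfo;
    PBYTE pbCodeRemote = NULL;            // remote copy of ThreadFunc
    PINJLIBINFO pInjLibInfoRemote = NULL; // remote copy of InjLibInfo
    DWORD dwNumBytesXferred = 0;
    DWORD dwThreadId = 0;
    DWORD dwExitCode = 0;
    HANDLE hThread = NULL;

    // Size of ThreadFunc: the bytes between it and the marker function that
    // follows it in this translation unit.
    const DWORD cbCodeSize = (DWORD)((LPBYTE) AfterThreadFunc - (LPBYTE) ThreadFunc);
    // InjLibInfo is placed right after the code, rounded up to a 4-byte boundary.
    const DWORD cbInfoOffset = (cbCodeSize + 3) & ~(DWORD)3;
    const DWORD cbMemSize = cbInfoOffset + sizeof(InjLibInfo);

    // The path is copied into a fixed MAX_PATH WCHAR buffer; a longer path
    // would overrun InjLibInfo on this function's stack.
    if (pbData == NULL || pfLoadLibrary == NULL ||
        cbData > sizeof(InjLibInfo.wzLibFile)) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    ZeroMemory(&InjLibInfo, sizeof(InjLibInfo));
    InjLibInfo.fnLoadLibrary = pfLoadLibrary;
    CopyMemory(InjLibInfo.wzLibFile, pbData, cbData);

    // One block in the target holds both the code and its argument. The
    // protection is requested at allocation, so no separate VirtualProtectEx
    // pass is needed.
    pbCodeRemote = (PBYTE)VirtualAllocEx(hProcess, NULL, cbMemSize,
                                         MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (pbCodeRemote == NULL) {
        goto finish;
    }

    // A short write would leave a truncated ThreadFunc, so the transferred
    // count is checked as well as the call's success.
    if (!WriteProcessMemory(hProcess, pbCodeRemote, (LPVOID) ThreadFunc,
                            cbCodeSize, &dwNumBytesXferred) ||
        dwNumBytesXferred != cbCodeSize) {
        goto finish;
    }

    // Byte offset, not DWORD offset: pbCodeRemote is a PBYTE so the rounded
    // offset lands the structure inside the block allocated above.
    pInjLibInfoRemote = (PINJLIBINFO)(pbCodeRemote + cbInfoOffset);
    if (!WriteProcessMemory(hProcess, pInjLibInfoRemote, &InjLibInfo,
                            sizeof(InjLibInfo), &dwNumBytesXferred) ||
        dwNumBytesXferred != sizeof(InjLibInfo)) {
        goto finish;
    }

    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE) pbCodeRemote,
                                 pInjLibInfoRemote, 0, &dwThreadId);
    if (hThread == NULL) {
        goto finish;
    }

    // ThreadFunc returns the module handle from LoadLibrary as its exit
    // code; zero means the DLL did not load even though the thread ran.
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0 ||
        !GetExitCodeThread(hThread, &dwExitCode) ||
        dwExitCode == 0) {
        goto finish;
    }
    fSucceeded = TRUE;

finish:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    return fSucceeded;
}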
//////////////////////////////////////////////////////////////////////////////
//
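// Loads lpDllName (ANSI path) into an already-running process.
//
// A NULL lpDllName is a no-op that returns TRUE, matching
// CreateProcessWithDllA. Returns FALSE when LoadLibraryA cannot be resolved
// or when InjectLibrary fails; GetLastError holds the cause.
BOOL WINAPI ContinueProcessWithDllA(HANDLE hProcess, LPCSTR lpDllName)
{
    if (lpDllName == NULL) {
        return TRUE;
    }

    // The remote thread calls through this local address, which only works
    // while Kernel32 is mapped at the same base in the target process.
    HINSTANCE hKrnl = GetModuleHandleA("Kernel32");
    PROCLOADLIBRARY pfLoadLibrary = (hKrnl != NULL)
        ? (PROCLOADLIBRARY)GetProcAddress(hKrnl, "LoadLibraryA")
        : NULL;
    if (pfLoadLibrary == NULL) {
        // Without a valid entry point the remote thread would start at NULL
        // and crash the target process.
        return FALSE;
    }

    // Byte count includes the terminating NUL.
    return InjectLibrary(hProcess, pfLoadLibrary,
                         (PBYTE)lpDllName, (DWORD)(strlen(lpDllName) + 1));
}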
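// Loads lpDllName (UTF-16 path) into an already-running process.
//
// A NULL lpDllName is a no-op that returns TRUE, matching
// CreateProcessWithDllW. Returns FALSE when LoadLibraryW cannot be resolved
// or when InjectLibrary fails; GetLastError holds the cause.
BOOL WINAPI ContinueProcessWithDllW(HANDLE hProcess, LPCWSTR lpDllName)
{
    if (lpDllName == NULL) {
        return TRUE;
    }

    // The remote thread calls through this local address, which only works
    // while Kernel32 is mapped at the same base in the target process.
    HINSTANCE hKrnl = GetModuleHandleW(L"Kernel32");
    PROCLOADLIBRARY pfLoadLibrary = (hKrnl != NULL)
        ? (PROCLOADLIBRARY)GetProcAddress(hKrnl, "LoadLibraryW")
        : NULL;
    if (pfLoadLibrary == NULL) {
        // Without a valid entry point the remote thread would start at NULL
        // and crash the target process.
        return FALSE;
    }

    // Byte count: characters plus the terminator, each sizeof(WCHAR) wide.
    return InjectLibrary(hProcess, pfLoadLibrary, (PBYTE)lpDllName,
                         (DWORD)((wcslen(lpDllName) + 1) * sizeof(WCHAR)));
}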
//////////////////////////////////////////////////////////////////////////////
//
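// CreateProcessA wrapper that loads lpDllName into the child before any of
// the child's own code runs.
//
// Parameters mirror CreateProcessA; lpDllName may be NULL (no injection) and
// pfCreateProcessA may be NULL (use CreateProcessA). The child is created
// suspended, injected, then resumed unless the caller itself requested
// CREATE_SUSPENDED. On injection failure the suspended child is terminated,
// its handles are closed, and FALSE is returned with the injection error
// preserved in GetLastError. When lpProcessInformation is NULL the process
// and thread handles are closed here, since nobody else can release them.
BOOL WINAPI CreateProcessWithDllA(LPCSTR lpApplicationName,
                                  LPSTR lpCommandLine,
                                  LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                  LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                  BOOL bInheritHandles,
                                  DWORD dwCreationFlags,
                                  LPVOID lpEnvironment,
                                  LPCSTR lpCurrentDirectory,
                                  LPSTARTUPINFOA lpStartupInfo,
                                  LPPROCESS_INFORMATION lpProcessInformation,
                                  LPCSTR lpDllName,
                                  PCREATE_PROCESS_ROUTINEA pfCreateProcessA)
{
    // Always start suspended so the DLL is in place before the child runs.
    DWORD dwMyCreationFlags = (dwCreationFlags | CREATE_SUSPENDED);
    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));

    if (pfCreateProcessA == NULL) {
        pfCreateProcessA = CreateProcessA;
    }
    if (!pfCreateProcessA(lpApplicationName,
                          lpCommandLine,
                          lpProcessAttributes,
                          lpThreadAttributes,
                          bInheritHandles,
                          dwMyCreationFlags,
                          lpEnvironment,
                          lpCurrentDirectory,
                          lpStartupInfo,
                          &pi)) {
        return FALSE;
    }

    // ContinueProcessWithDllA resolves LoadLibraryA and performs the
    // injection; a NULL lpDllName is a no-op there.
    if (!ContinueProcessWithDllA(pi.hProcess, lpDllName)) {
        // Do not leave a half-initialized, suspended child behind. The
        // cleanup calls would clobber the error code, so save it first.
        DWORD dwError = GetLastError();
        TerminateProcess(pi.hProcess, ~0u);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        SetLastError(dwError);
        return FALSE;
    }

    if (lpProcessInformation) {
        CopyMemory(lpProcessInformation, &pi, sizeof(pi));
    }

    // Honor the caller's own CREATE_SUSPENDED request.
    if (!(dwCreationFlags & CREATE_SUSPENDED)) {
        ResumeThread(pi.hThread);
    }

    if (lpProcessInformation == NULL) {
        // The caller cannot receive the handles, so release them here.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    return TRUE;
}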
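// CreateProcessW wrapper that loads lpDllName into the child before any of
// the child's own code runs.
//
// Parameters mirror CreateProcessW; lpDllName may be NULL (no injection) and
// pfCreateProcessW may be NULL (use CreateProcessW). The child is created
// suspended, injected, then resumed unless the caller itself requested
// CREATE_SUSPENDED. On injection failure the suspended child is terminated,
// its handles are closed, and FALSE is returned with the injection error
// preserved in GetLastError. When lpProcessInformation is NULL the process
// and thread handles are closed here, since nobody else can release them.
BOOL WINAPI CreateProcessWithDllW(LPCWSTR lpApplicationName,
                                  LPWSTR lpCommandLine,
                                  LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                  LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                  BOOL bInheritHandles,
                                  DWORD dwCreationFlags,
                                  LPVOID lpEnvironment,
                                  LPCWSTR lpCurrentDirectory,
                                  LPSTARTUPINFOW lpStartupInfo,
                                  LPPROCESS_INFORMATION lpProcessInformation,
                                  LPCWSTR lpDllName,
                                  PCREATE_PROCESS_ROUTINEW pfCreateProcessW)
{
    // Always start suspended so the DLL is in place before the child runs.
    DWORD dwMyCreationFlags = (dwCreationFlags | CREATE_SUSPENDED);
    PROCESS_INFORMATION pi;
    ZeroMemory(&pi, sizeof(pi));

    if (pfCreateProcessW == NULL) {
        pfCreateProcessW = CreateProcessW;
    }
    if (!pfCreateProcessW(lpApplicationName,
                          lpCommandLine,
                          lpProcessAttributes,
                          lpThreadAttributes,
                          bInheritHandles,
                          dwMyCreationFlags,
                          lpEnvironment,
                          lpCurrentDirectory,
                          lpStartupInfo,
                          &pi)) {
        return FALSE;
    }

    // ContinueProcessWithDllW resolves LoadLibraryW and performs the
    // injection; a NULL lpDllName is a no-op there.
    if (!ContinueProcessWithDllW(pi.hProcess, lpDllName)) {
        // Do not leave a half-initialized, suspended child behind. The
        // cleanup calls would clobber the error code, so save it first.
        DWORD dwError = GetLastError();
        TerminateProcess(pi.hProcess, ~0u);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        SetLastError(dwError);
        return FALSE;
    }

    if (lpProcessInformation) {
        CopyMemory(lpProcessInformation, &pi, sizeof(pi));
    }

    // Honor the caller's own CREATE_SUSPENDED request.
    if (!(dwCreationFlags & CREATE_SUSPENDED)) {
        ResumeThread(pi.hThread);
    }

    if (lpProcessInformation == NULL) {
        // The caller cannot receive the handles, so release them here.
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    return TRUE;
}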
//
///////////////////////////////////////////////////////////////// End of File.