📄 dllmain.c
字号:
Request.Data.AllocConsoleRequest.CtrlDispatcher = ConsoleControlDispatcher;
Status = CsrClientCallServer(&Request,
NULL,
CsrRequest,
sizeof(CSR_API_MESSAGE));
if(!NT_SUCCESS(Status) || !NT_SUCCESS(Status = Request.Status))
{
DPRINT1("CSR Failed to give us a console\n");
/* We're lying here, so at least the process can load... */
return TRUE;
}
/* We got the handles, let's set them */
if ((Parameters->ConsoleHandle = Request.Data.AllocConsoleRequest.Console))
{
/* If we already had some, don't use the new ones */
if (!Parameters->StandardInput)
{
Parameters->StandardInput = Request.Data.AllocConsoleRequest.InputHandle;
}
if (!Parameters->StandardOutput)
{
Parameters->StandardOutput = Request.Data.AllocConsoleRequest.OutputHandle;
}
if (!Parameters->StandardError)
{
Parameters->StandardError = Request.Data.AllocConsoleRequest.OutputHandle;
}
}
DPRINT("Console setup: %lx, %lx, %lx, %lx\n",
Parameters->ConsoleHandle,
Parameters->StandardInput,
Parameters->StandardOutput,
Parameters->StandardError);
return TRUE;
}
BOOL
STDCALL
DllMain(HANDLE hDll,
DWORD dwReason,
LPVOID lpReserved)
{
NTSTATUS Status;
BOOLEAN IsServer;
ULONG Dummy;
ULONG DummySize = sizeof(Dummy);
WCHAR SessionDir[256];
DPRINT("DllMain(hInst %lx, dwReason %lu)\n",
hDll, dwReason);
Basep8BitStringToUnicodeString = RtlAnsiStringToUnicodeString;
/* Cache the PEB and Session ID */
Peb = NtCurrentPeb();
SessionId = Peb->SessionId;
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
/* OK, yes, this is really retarded but it works for now */
InWindows = NtCurrentPeb()->BeingDebugged;
/*
* CreateProcess will run in the real kernel32 and it will write
* its own BaseProcessStartThunk EIP in the CONTEXT that ZwContinue
* will get. We'll be first called by Ldr while initializing, and we'll
* be wrapped in 3 layers of SEH, followed by two frames, finally
* followed by our CONTEXT on the stack. We'll modify the EIP in it
* to match the correct one (our own) and then everything works.
* Tested on XP and 2K3, probably doesn't work in 2K.
*/
if (InWindows)
{
/*
* Due to yet another bug in how Windows handles .local, LDR will
* actually end up loading us twice. The second time will be the
* "official" load, at a totally different address. It will be,
* it will be at -that- address that all the APIs will be called.
* However, that address is dynamic while this one will be static,
* so we'll do initilization with this one. Plus, at this one,
* we know exactly that we're within 3 SEH layers.
*/
if (hDll == (HANDLE)0x7c800000)
{
PULONG Eip;
Eip = (PULONG)*(PULONG)*(PULONG)NtCurrentTeb()->Tib.ExceptionList +
0x9 +
FIELD_OFFSET(CONTEXT, Eip) / sizeof(ULONG);
*Eip = (ULONG)BaseProcessStartThunk;
}
}
/* Don't bother us for each thread */
LdrDisableThreadCalloutsForDll((PVOID)hDll);
/* Setup the right Object Directory path */
if (!SessionId)
{
/* Use the raw path */
wcscpy(SessionDir, WIN_OBJ_DIR);
}
else
{
/* Use the session path */
swprintf(SessionDir,
L"%ws\\%ld%ws",
SESSION_DIR,
SessionId,
WIN_OBJ_DIR);
}
/* Connect to the base server */
DPRINT("Connecting to CSR...\n");
Status = CsrClientConnectToServer(SessionDir,
InWindows ? 1 : 0,
&Dummy,
&DummySize,
&IsServer);
if (!NT_SUCCESS(Status))
{
DPRINT1("Failed to connect to CSR (Status %lx)\n", Status);
ZwTerminateProcess(NtCurrentProcess(), Status);
return FALSE;
}
/* Check if we are running a CSR Server */
if (!IsServer)
{
/* Set the termination port for the thread */
DPRINT("Creating new thread for CSR\n");
CsrNewThread();
}
hProcessHeap = RtlGetProcessHeap();
RtlInitializeHandleTable(0xFFFF,
sizeof(BASE_HEAP_HANDLE_ENTRY),
&BaseHeapHandleTable);
hCurrentModule = hDll;
DPRINT("Heap: %p\n", hProcessHeap);
/*
* Initialize WindowsDirectory and SystemDirectory
*/
DPRINT("NtSystemRoot: %S\n", SharedUserData->NtSystemRoot);
RtlCreateUnicodeString (&WindowsDirectory, SharedUserData->NtSystemRoot);
SystemDirectory.MaximumLength = WindowsDirectory.MaximumLength + 18;
SystemDirectory.Length = WindowsDirectory.Length + 18;
SystemDirectory.Buffer = RtlAllocateHeap(hProcessHeap,
0,
SystemDirectory.MaximumLength);
if(SystemDirectory.Buffer == NULL)
{
return FALSE;
}
wcscpy(SystemDirectory.Buffer, WindowsDirectory.Buffer);
wcscat(SystemDirectory.Buffer, L"\\System32");
/* Open object base directory */
Status = OpenBaseDirectory(&hBaseDir);
if (!NT_SUCCESS(Status))
{
DPRINT1("Failed to open object base directory (Status %lx)\n", Status);
return FALSE;
}
/* Initialize the DLL critical section */
RtlInitializeCriticalSection(&DllLock);
/* Initialize the National Language Support routines */
if (!NlsInit())
{
DPRINT1("NLS Init failed\n");
return FALSE;
}
/* Initialize Console Support */
if (!BasepInitConsole())
{
DPRINT1("Failure to set up console\n");
return FALSE;
}
/* Cache static system information */
Status = ZwQuerySystemInformation(SystemBasicInformation,
&BaseCachedSysInfo,
sizeof(BaseCachedSysInfo),
NULL);
if (!NT_SUCCESS(Status))
{
DPRINT1("Failure to get system information\n");
return FALSE;
}
/* Insert more dll attach stuff here! */
DllInitialized = TRUE;
DPRINT("Initialization complete\n");
break;
case DLL_PROCESS_DETACH:
DPRINT("DLL_PROCESS_DETACH\n");
if (DllInitialized == TRUE)
{
/* Insert more dll detach stuff here! */
NlsUninit();
/* Delete DLL critical section */
if (ConsoleInitialized == TRUE)
{
RtlDeleteCriticalSection (&ConsoleLock);
}
RtlDeleteCriticalSection (&DllLock);
/* Close object base directory */
NtClose(hBaseDir);
RtlFreeUnicodeString (&SystemDirectory);
RtlFreeUnicodeString (&WindowsDirectory);
}
break;
default:
break;
}
return TRUE;
}
/* EOF */
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -