runtime / ntapi

Clone
Source Code
GIT

Blame src/process/ntapi_tt_create_remote_runtime_data.c

main
  1.   1718cb032cd21e98c9432380979cee8140cc7eaa
  2.   src
  3.   process
  4.   ntapi_tt_create_remote_runtime_data.c
Blob History Raw
dd89bb 
/********************************************************/
dd89bb 
/*  ntapi: Native API core library                      */
dde53a 
/*  Copyright (C) 2013--2017  Z. Gilboa                 */
dd89bb 
/*  Released under GPLv2 and GPLv3; see COPYING.NTAPI.  */
dd89bb 
/********************************************************/
dd89bb
dd89bb 
#include <psxtypes/psxtypes.h>
dd89bb 
#include <ntapi/nt_memory.h>
dd89bb 
#include <ntapi/nt_process.h>
dd89bb 
#include <ntapi/ntapi.h>
dd89bb 
#include "ntapi_impl.h"
dd89bb
dd89bb 
typedef struct _nt_process_basic_information nt_pbi;
dd89bb
dd89bb 
int32_t __stdcall __ntapi_tt_create_remote_runtime_data(
dd89bb 
	__in		void *			hprocess,
dd89bb 
	__in_out	nt_runtime_data_block *	rtblock)
dd89bb 
{
dd89bb 
	int32_t			status;
dd89bb
dd89bb 
	size_t			bytes_written;
dd89bb 
	nt_pbi			rpbi;
dd89bb 
	nt_process_parameters *	rprocess_params;
dd89bb 
	nt_unicode_string	rcmd_line;
dd89bb 
	uint32_t		runtime_arg_hash;
dd89bb 
	nt_runtime_data *	rtdata;
6336c4 
	void *			hserver;
dd89bb
7f8d50 
	#if (__SIZEOF_POINTER__ == 4)
dd89bb 
	wchar16_t		runtime_arg[8] = {
dd89bb 
		'i','n','t','e','g','r','a','l'};
7f8d50 
	#elif (__SIZEOF_POINTER__ == 8)
dd89bb 
	wchar16_t		runtime_arg[16] = {
dd89bb 
		'i','n','t','e','g','r','a','l',
dd89bb 
		'-','r','u','n','t','i','m','e'};
dd89bb 
	#endif
dd89bb
dd89bb 
	/* validation */
dd89bb 
	if (!hprocess)
dd89bb 
		return NT_STATUS_INVALID_PARAMETER_1;
dd89bb 
	else if (!rtblock)
dd89bb 
		return NT_STATUS_INVALID_PARAMETER_2;
dd89bb 
	else if (!rtblock->addr)
dd89bb 
		return NT_STATUS_INVALID_PARAMETER_2;
dd89bb 
	else if (!rtblock->size)
dd89bb 
		return NT_STATUS_INVALID_PARAMETER_2;
dd89bb
dd89bb 
	runtime_arg_hash = __ntapi->tt_buffer_crc32(
dd89bb 
		0,
dd89bb 
		(char *)runtime_arg,
dd89bb 
		sizeof(runtime_arg));
dd89bb
dd89bb 
	/* obtain process information */
3e41b3 
	if ((status = __ntapi->zw_query_information_process(
3e41b3 
			hprocess,
3e41b3 
			NT_PROCESS_BASIC_INFORMATION,
3e41b3 
			(void *)&rpbi,
3e41b3 
			sizeof(nt_process_basic_information),
3e41b3 
			0)))
dd89bb 
		return status;
dd89bb
3e41b3 
	if ((status = __ntapi->zw_read_virtual_memory(
3e41b3 
			hprocess,
3e41b3 
			pe_va_from_rva(
3e41b3 
				rpbi.peb_base_address,
3e41b3 
				(uintptr_t)&(((nt_peb *)0)->process_params)),
3e41b3 
			(char *)&rprocess_params,
3e41b3 
			sizeof(uintptr_t),
3e41b3 
			&bytes_written)))
dd89bb 
		return status;
dd89bb
3e41b3 
	if ((status = __ntapi->zw_read_virtual_memory(
3e41b3 
			hprocess,
3e41b3 
			&rprocess_params->command_line,
3e41b3 
			(char *)&rcmd_line,
3e41b3 
			sizeof(nt_unicode_string),
3e41b3 
			&bytes_written)))
dd89bb 
		return status;
dd89bb
dd89bb 
	if (rcmd_line.buffer == 0)
dd89bb 
		return NT_STATUS_BUFFER_TOO_SMALL;
dd89bb
3e41b3 
	if (rcmd_line.strlen < sizeof(runtime_arg) + 4*sizeof(wchar16_t))
3e41b3 
		return NT_STATUS_INVALID_USER_BUFFER;
dd89bb
3e41b3 
	if ((status = __ntapi->zw_read_virtual_memory(
3e41b3 
			hprocess,
3e41b3 
			pe_va_from_rva(
3e41b3 
				rcmd_line.buffer,
3e41b3 
				rcmd_line.strlen - sizeof(runtime_arg)),
3e41b3 
			(char *)&runtime_arg,
3e41b3 
			sizeof(runtime_arg),
3e41b3 
			&bytes_written)))
dd89bb 
		return status;
dd89bb
dd89bb 
	/* verify remote process compatibility */
dd89bb 
	runtime_arg_hash ^= __ntapi->tt_buffer_crc32(
3e41b3 
		0,(char *)runtime_arg,
dd89bb 
		sizeof(runtime_arg));
dd89bb
dd89bb 
	if (runtime_arg_hash)
dd89bb 
		return NT_STATUS_INVALID_SIGNATURE;
dd89bb
dd89bb 
	/* remote block */
dd89bb 
	rtblock->remote_size = rtblock->size;
dd89bb
3e41b3 
	if ((status = __ntapi->zw_allocate_virtual_memory(
3e41b3 
			hprocess,
3e41b3 
			&rtblock->remote_addr,
3e41b3 
			0,
3e41b3 
			&rtblock->remote_size,
3e41b3 
			NT_MEM_RESERVE | NT_MEM_COMMIT,
3e41b3 
			NT_PAGE_READWRITE)))
dd89bb 
		return status;
dd89bb
dd89bb 
	/* session handles */
3e41b3 
	rtdata    = 0;
6336c4 
	hserver   = 0;
3e41b3
dd89bb 
	if (rtblock->flags & NT_RUNTIME_DATA_DUPLICATE_SESSION_HANDLES) {
3e41b3 
		rtdata    = (nt_runtime_data *)rtblock->addr;
6336c4 
		hserver = rtdata->hserver;
dd89bb
3e41b3 
		if ((status = __ntapi->zw_duplicate_object(
3e41b3 
				NT_CURRENT_PROCESS_HANDLE,
6336c4 
				hserver,
3e41b3 
				hprocess,
6336c4 
				&rtdata->hserver,
3e41b3 
				0,0,
3e41b3 
				NT_DUPLICATE_SAME_ATTRIBUTES
3e41b3 
				|NT_DUPLICATE_SAME_ACCESS)))
3e41b3 
			return status;
3e41b3 
	}
dd89bb
dd89bb 
	/* copy local block to remote process */
dd89bb 
	status = __ntapi->zw_write_virtual_memory(
dd89bb 
		hprocess,
dd89bb 
		rtblock->remote_addr,
dd89bb 
		(char *)rtblock->addr,
dd89bb 
		rtblock->size,
dd89bb 
		&bytes_written);
dd89bb
dd89bb 
	/* restore rtdata */
3e41b3 
	if (rtdata)
6336c4 
		rtdata->hserver = hserver;
dd89bb
3e41b3 
	/* verify above remote write */
3e41b3 
	if (status)
dd89bb 
		return status;
dd89bb
dd89bb 
	/* runtime_arg */
dd89bb 
	__ntapi->tt_uintptr_to_hex_utf16(
dd89bb 
		(uintptr_t)rtblock->remote_addr,
dd89bb 
		runtime_arg);
dd89bb
dd89bb 
	/* update remote runtime arg */
dd89bb 
	status = __ntapi->zw_write_virtual_memory(
dd89bb 
		hprocess,
dd89bb 
		pe_va_from_rva(
dd89bb 
			rcmd_line.buffer,
dd89bb 
			rcmd_line.strlen - sizeof(runtime_arg)),
dd89bb 
		(char *)&runtime_arg,
dd89bb 
		sizeof(runtime_arg),
dd89bb 
		&bytes_written);
dd89bb
dd89bb 
	if (status)
dd89bb 
		__ntapi->zw_free_virtual_memory(
dd89bb 
			hprocess,
dd89bb 
			&rtblock->remote_addr,
dd89bb 
			&rtblock->remote_size,
dd89bb 
			NT_MEM_RELEASE);
dd89bb
dd89bb 
	return status;
dd89bb 
}

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation | About

© Red Hat, Inc. and others.