Blame src/process/ntapi_tt_create_remote_runtime_data.c

dd89bb
/********************************************************/
dd89bb
/*  ntapi: Native API core library                      */
4256e2
/*  Copyright (C) 2013--2016  Z. Gilboa                 */
dd89bb
/*  Released under GPLv2 and GPLv3; see COPYING.NTAPI.  */
dd89bb
/********************************************************/
dd89bb
dd89bb
#include <psxtypes/psxtypes.h>
dd89bb
#include <ntapi/nt_memory.h>
dd89bb
#include <ntapi/nt_process.h>
dd89bb
#include <ntapi/ntapi.h>
dd89bb
#include "ntapi_impl.h"
dd89bb
dd89bb
typedef struct _nt_process_basic_information nt_pbi;
dd89bb
dd89bb
int32_t __stdcall __ntapi_tt_create_remote_runtime_data(
dd89bb
	__in		void *			hprocess,
dd89bb
	__in_out	nt_runtime_data_block *	rtblock)
dd89bb
{
dd89bb
	int32_t			status;
dd89bb
dd89bb
	size_t			bytes_written;
dd89bb
	nt_pbi			rpbi;
dd89bb
	nt_process_parameters *	rprocess_params;
dd89bb
	nt_unicode_string	rcmd_line;
dd89bb
	uint32_t		runtime_arg_hash;
dd89bb
	nt_runtime_data *	rtdata;
dd89bb
	void *			srv_ready;
dd89bb
7f8d50
	#if (__SIZEOF_POINTER__ == 4)
dd89bb
	wchar16_t		runtime_arg[8] = {
dd89bb
		'i','n','t','e','g','r','a','l'};
7f8d50
	#elif (__SIZEOF_POINTER__ == 8)
dd89bb
	wchar16_t		runtime_arg[16] = {
dd89bb
		'i','n','t','e','g','r','a','l',
dd89bb
		'-','r','u','n','t','i','m','e'};
dd89bb
	#endif
dd89bb
dd89bb
	/* validation */
dd89bb
	if (!hprocess)
dd89bb
		return NT_STATUS_INVALID_PARAMETER_1;
dd89bb
	else if (!rtblock)
dd89bb
		return NT_STATUS_INVALID_PARAMETER_2;
dd89bb
	else if (!rtblock->addr)
dd89bb
		return NT_STATUS_INVALID_PARAMETER_2;
dd89bb
	else if (!rtblock->size)
dd89bb
		return NT_STATUS_INVALID_PARAMETER_2;
dd89bb
dd89bb
	runtime_arg_hash = __ntapi->tt_buffer_crc32(
dd89bb
		0,
dd89bb
		(char *)runtime_arg,
dd89bb
		sizeof(runtime_arg));
dd89bb
dd89bb
	/* obtain process information */
3e41b3
	if ((status = __ntapi->zw_query_information_process(
3e41b3
			hprocess,
3e41b3
			NT_PROCESS_BASIC_INFORMATION,
3e41b3
			(void *)&rpbi,
3e41b3
			sizeof(nt_process_basic_information),
3e41b3
			0)))
dd89bb
		return status;
dd89bb
3e41b3
	if ((status = __ntapi->zw_read_virtual_memory(
3e41b3
			hprocess,
3e41b3
			pe_va_from_rva(
3e41b3
				rpbi.peb_base_address,
3e41b3
				(uintptr_t)&(((nt_peb *)0)->process_params)),
3e41b3
			(char *)&rprocess_params,
3e41b3
			sizeof(uintptr_t),
3e41b3
			&bytes_written)))
dd89bb
		return status;
dd89bb
3e41b3
	if ((status = __ntapi->zw_read_virtual_memory(
3e41b3
			hprocess,
3e41b3
			&rprocess_params->command_line,
3e41b3
			(char *)&rcmd_line,
3e41b3
			sizeof(nt_unicode_string),
3e41b3
			&bytes_written)))
dd89bb
		return status;
dd89bb
dd89bb
	if (rcmd_line.buffer == 0)
dd89bb
		return NT_STATUS_BUFFER_TOO_SMALL;
dd89bb
3e41b3
	if (rcmd_line.strlen < sizeof(runtime_arg) + 4*sizeof(wchar16_t))
3e41b3
		return NT_STATUS_INVALID_USER_BUFFER;
dd89bb
3e41b3
	if ((status = __ntapi->zw_read_virtual_memory(
3e41b3
			hprocess,
3e41b3
			pe_va_from_rva(
3e41b3
				rcmd_line.buffer,
3e41b3
				rcmd_line.strlen - sizeof(runtime_arg)),
3e41b3
			(char *)&runtime_arg,
3e41b3
			sizeof(runtime_arg),
3e41b3
			&bytes_written)))
dd89bb
		return status;
dd89bb
dd89bb
	/* verify remote process compatibility */
dd89bb
	runtime_arg_hash ^= __ntapi->tt_buffer_crc32(
3e41b3
		0,(char *)runtime_arg,
dd89bb
		sizeof(runtime_arg));
dd89bb
dd89bb
	if (runtime_arg_hash)
dd89bb
		return NT_STATUS_INVALID_SIGNATURE;
dd89bb
dd89bb
	/* remote block */
dd89bb
	rtblock->remote_size = rtblock->size;
dd89bb
3e41b3
	if ((status = __ntapi->zw_allocate_virtual_memory(
3e41b3
			hprocess,
3e41b3
			&rtblock->remote_addr,
3e41b3
			0,
3e41b3
			&rtblock->remote_size,
3e41b3
			NT_MEM_RESERVE | NT_MEM_COMMIT,
3e41b3
			NT_PAGE_READWRITE)))
dd89bb
		return status;
dd89bb
dd89bb
	/* session handles */
3e41b3
	rtdata    = 0;
3e41b3
	srv_ready = 0;
3e41b3
dd89bb
	if (rtblock->flags & NT_RUNTIME_DATA_DUPLICATE_SESSION_HANDLES) {
3e41b3
		rtdata    = (nt_runtime_data *)rtblock->addr;
dd89bb
		srv_ready = rtdata->srv_ready;
dd89bb
3e41b3
		if ((status = __ntapi->zw_duplicate_object(
3e41b3
				NT_CURRENT_PROCESS_HANDLE,
3e41b3
				srv_ready,
3e41b3
				hprocess,
3e41b3
				&rtdata->srv_ready,
3e41b3
				0,0,
3e41b3
				NT_DUPLICATE_SAME_ATTRIBUTES
3e41b3
				|NT_DUPLICATE_SAME_ACCESS)))
3e41b3
			return status;
3e41b3
	}
dd89bb
dd89bb
	/* copy local block to remote process */
dd89bb
	status = __ntapi->zw_write_virtual_memory(
dd89bb
		hprocess,
dd89bb
		rtblock->remote_addr,
dd89bb
		(char *)rtblock->addr,
dd89bb
		rtblock->size,
dd89bb
		&bytes_written);
dd89bb
dd89bb
	/* restore rtdata */
3e41b3
	if (rtdata)
dd89bb
		rtdata->srv_ready = srv_ready;
dd89bb
3e41b3
	/* verify above remote write */
3e41b3
	if (status)
dd89bb
		return status;
dd89bb
dd89bb
	/* runtime_arg */
dd89bb
	__ntapi->tt_uintptr_to_hex_utf16(
dd89bb
		(uintptr_t)rtblock->remote_addr,
dd89bb
		runtime_arg);
dd89bb
dd89bb
	/* update remote runtime arg */
dd89bb
	status = __ntapi->zw_write_virtual_memory(
dd89bb
		hprocess,
dd89bb
		pe_va_from_rva(
dd89bb
			rcmd_line.buffer,
dd89bb
			rcmd_line.strlen - sizeof(runtime_arg)),
dd89bb
		(char *)&runtime_arg,
dd89bb
		sizeof(runtime_arg),
dd89bb
		&bytes_written);
dd89bb
dd89bb
	if (status)
dd89bb
		__ntapi->zw_free_virtual_memory(
dd89bb
			hprocess,
dd89bb
			&rtblock->remote_addr,
dd89bb
			&rtblock->remote_size,
dd89bb
			NT_MEM_RELEASE);
dd89bb
dd89bb
	return status;
dd89bb
}