2 * Copyright 2015-2017 Mark Jansen
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 #define WIN32_NO_STATUS
24 /* Make sure we don't include apphelp logging */
25 #define APPHELP_NOSDBPAPI
30 typedef FARPROC(WINAPI
* GETPROCADDRESSPROC
)(HINSTANCE
, LPCSTR
);
33 FARPROC WINAPI
StubGetProcAddress(HINSTANCE hModule
, LPCSTR lpProcName
);
34 BOOL WINAPI
SE_IsShimDll(PVOID BaseAddress
);
37 extern HMODULE g_hInstance
;
38 ULONG g_ShimEngDebugLevel
= 0xffffffff;
39 BOOL g_bComPlusImage
= FALSE
;
40 BOOL g_bShimDuringInit
= FALSE
;
41 BOOL g_bInternalHooksUsed
= FALSE
;
42 static ARRAY g_pShimInfo
; /* SHIMMODULE */
43 static ARRAY g_pHookArray
; /* HOOKMODULEINFO */
45 HOOKAPIEX g_IntHookEx
[] =
48 "kernel32.dll", /* LibraryName */
49 "GetProcAddress", /* FunctionName */
50 StubGetProcAddress
, /* ReplacementFunction*/
51 NULL
, /* OriginalFunction */
52 { NULL
}, /* ModuleLink */
53 { NULL
} /* ApiLink */
60 static BOOL
ARRAY_EnsureSize(PARRAY Array
, DWORD ItemSize
, DWORD GrowWith
)
65 if (Array
->MaxSize
> Array
->Size
)
68 Count
= Array
->Size
+ GrowWith
;
69 pNewData
= SeiAlloc(Count
* ItemSize
);
73 SHIMENG_FAIL("Failed to allocate %d bytes\n", Count
* ItemSize
);
76 Array
->MaxSize
= Count
;
80 memcpy(pNewData
, Array
->Data
, Array
->Size
* ItemSize
);
83 Array
->Data
= pNewData
;
90 VOID
SeiInitDebugSupport(VOID
)
92 static const UNICODE_STRING DebugKey
= RTL_CONSTANT_STRING(L
"SHIMENG_DEBUG_LEVEL");
93 UNICODE_STRING DebugValue
;
98 RtlInitEmptyUnicodeString(&DebugValue
, Buffer
, sizeof(Buffer
));
100 Status
= RtlQueryEnvironmentVariable_U(NULL
, &DebugKey
, &DebugValue
);
102 if (NT_SUCCESS(Status
))
104 if (!NT_SUCCESS(RtlUnicodeStringToInteger(&DebugValue
, 10, &NewLevel
)))
107 g_ShimEngDebugLevel
= NewLevel
;
112 * Outputs diagnostic info.
114 * @param [in] Level The level to log this message with, choose any of [SHIM_ERR,
115 * SHIM_WARN, SHIM_INFO].
116 * @param [in] FunctionName The function this log should be attributed to.
117 * @param [in] Format The format string.
118 * @param ... Variable arguments providing additional information.
120 * @return Success: TRUE Failure: FALSE.
122 BOOL WINAPIV
SeiDbgPrint(SEI_LOG_LEVEL Level
, PCSTR Function
, PCSTR Format
, ...)
125 char* Current
= Buffer
;
126 const char* LevelStr
;
127 size_t Length
= sizeof(Buffer
);
131 if (g_ShimEngDebugLevel
== 0xffffffff)
132 SeiInitDebugSupport();
134 if (Level
> g_ShimEngDebugLevel
)
157 hr
= StringCchPrintfExA(Current
, Length
, &Current
, &Length
, STRSAFE_NULL_ON_FAILURE
, "[%s] [%s] ", LevelStr
, Function
);
159 hr
= StringCchPrintfExA(Current
, Length
, &Current
, &Length
, STRSAFE_NULL_ON_FAILURE
, "[%s] ", LevelStr
);
164 va_start(ArgList
, Format
);
165 hr
= StringCchVPrintfExA(Current
, Length
, &Current
, &Length
, STRSAFE_NULL_ON_FAILURE
, Format
, ArgList
);
170 DbgPrint("%s", Buffer
);
175 PVOID
SeiGetModuleFromAddress(PVOID addr
)
177 PVOID hModule
= NULL
;
178 RtlPcToFileHeader(addr
, &hModule
);
184 /* TODO: Guard against recursive calling / calling init multiple times! */
185 VOID
NotifyShims(DWORD dwReason
, PVOID Info
)
190 Data
= g_pShimInfo
.Data
;
191 for (n
= 0; n
< g_pShimInfo
.Size
; ++n
)
193 if (!Data
[n
].pNotifyShims
)
196 Data
[n
].pNotifyShims(dwReason
, Info
);
202 VOID
SeiCheckComPlusImage(PVOID BaseAddress
)
204 ULONG ComSectionSize
;
205 g_bComPlusImage
= RtlImageDirectoryEntryToData(BaseAddress
, TRUE
, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
, &ComSectionSize
) != NULL
;
207 SHIMENG_INFO("COM+ executable %s\n", g_bComPlusImage
? "TRUE" : "FALSE");
211 PSHIMMODULE
SeiGetShimInfo(PVOID BaseAddress
)
216 Data
= g_pShimInfo
.Data
;
217 for (n
= 0; n
< g_pShimInfo
.Size
; ++n
)
219 if (Data
[n
].BaseAddress
== BaseAddress
)
225 PSHIMMODULE
SeiCreateShimInfo(PCWSTR DllName
, PVOID BaseAddress
)
227 static const ANSI_STRING GetHookAPIs
= RTL_CONSTANT_STRING("GetHookAPIs");
228 static const ANSI_STRING NotifyShims
= RTL_CONSTANT_STRING("NotifyShims");
230 PVOID pGetHookAPIs
, pNotifyShims
;
232 if (!NT_SUCCESS(LdrGetProcedureAddress(BaseAddress
, (PANSI_STRING
)&GetHookAPIs
, 0, &pGetHookAPIs
)) ||
233 !NT_SUCCESS(LdrGetProcedureAddress(BaseAddress
, (PANSI_STRING
)&NotifyShims
, 0, &pNotifyShims
)))
235 SHIMENG_WARN("Failed to resolve entry points for %S\n", DllName
);
239 if (!ARRAY_EnsureSize(&g_pShimInfo
, sizeof(SHIMMODULE
), 5))
242 Data
= g_pShimInfo
.Data
;
243 Data
+= g_pShimInfo
.Size
;
246 RtlCreateUnicodeString(&Data
->Name
, DllName
);
247 Data
->BaseAddress
= BaseAddress
;
249 Data
->pGetHookAPIs
= pGetHookAPIs
;
250 Data
->pNotifyShims
= pNotifyShims
;
252 Data
->HookApis
.Data
= NULL
;
253 Data
->HookApis
.Size
= 0;
254 Data
->HookApis
.MaxSize
= 0;
259 VOID
SeiAppendHookInfo(PSHIMMODULE pShimInfo
, PHOOKAPIEX pHookApi
, DWORD dwHookCount
)
261 PHOOKAPIPOINTERS Data
;
262 if (!ARRAY_EnsureSize(&pShimInfo
->HookApis
, sizeof(HOOKAPIPOINTERS
), 5))
265 Data
= pShimInfo
->HookApis
.Data
;
266 Data
+= pShimInfo
->HookApis
.Size
;
268 Data
->pHookApi
= pHookApi
;
269 Data
->dwHookCount
= dwHookCount
;
270 pShimInfo
->HookApis
.Size
++;
273 PHOOKMODULEINFO
SeiFindHookModuleInfo(PUNICODE_STRING ModuleName
, PVOID BaseAddress
)
276 PHOOKMODULEINFO Data
= g_pHookArray
.Data
;
278 for (n
= 0; n
< g_pHookArray
.Size
; ++n
)
280 if (BaseAddress
&& BaseAddress
== Data
[n
].BaseAddress
)
283 if (!BaseAddress
&& RtlEqualUnicodeString(ModuleName
, &Data
[n
].Name
, TRUE
))
290 PHOOKMODULEINFO
SeiFindHookModuleInfoForImportDescriptor(PBYTE DllBase
, PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor
)
292 UNICODE_STRING DllName
;
296 if (!RtlCreateUnicodeStringFromAsciiz(&DllName
, (PCSZ
)(DllBase
+ ImportDescriptor
->Name
)))
298 SHIMENG_FAIL("Unable to convert dll name to unicode\n");
302 Success
= LdrGetDllHandle(NULL
, NULL
, &DllName
, &DllHandle
);
303 RtlFreeUnicodeString(&DllName
);
305 if (!NT_SUCCESS(Success
))
307 SHIMENG_FAIL("Unable to get module handle for %wZ\n", &DllName
);
311 return SeiFindHookModuleInfo(NULL
, DllHandle
);
314 static LPCWSTR
SeiGetStringPtr(PDB pdb
, TAGID tag
, TAG type
)
316 TAGID tagEntry
= SdbFindFirstTag(pdb
, tag
, type
);
317 if (tagEntry
== TAGID_NULL
)
320 return SdbGetStringTagPtr(pdb
, tagEntry
);
323 static DWORD
SeiGetDWORD(PDB pdb
, TAGID tag
, TAG type
)
325 TAGID tagEntry
= SdbFindFirstTag(pdb
, tag
, type
);
326 if (tagEntry
== TAGID_NULL
)
329 return SdbReadDWORDTag(pdb
, tagEntry
, TAGID_NULL
);
334 VOID
SeiAddShim(TAGREF trShimRef
, PARRAY pShimRef
)
337 if (!ARRAY_EnsureSize(pShimRef
, sizeof(TAGREF
), 10))
340 Data
= pShimRef
->Data
;
341 Data
[pShimRef
->Size
] = trShimRef
;
345 VOID
SeiBuildShimRefArray(HSDB hsdb
, SDBQUERYRESULT
* pQuery
, PARRAY pShimRef
)
349 for (n
= 0; n
< pQuery
->dwExeCount
; ++n
)
353 if (SdbTagRefToTagID(hsdb
, pQuery
->atrExes
[n
], &pdb
, &tag
))
355 LPCWSTR ExeName
= SeiGetStringPtr(pdb
, tag
, TAG_NAME
);
356 TAGID ShimRef
= SdbFindFirstTag(pdb
, tag
, TAG_SHIM_REF
);
359 SeiDbgPrint(SEI_MSG
, NULL
, "ShimInfo(Exe(%S))\n", ExeName
);
361 while (ShimRef
!= TAGID_NULL
)
364 if (SdbTagIDToTagRef(hsdb
, pdb
, ShimRef
, &trShimRef
))
365 SeiAddShim(trShimRef
, pShimRef
);
368 ShimRef
= SdbFindNextTag(pdb
, tag
, ShimRef
);
371 /* Handle FLAG_REF */
376 for (n
= 0; n
< pQuery
->dwLayerCount
; ++n
)
380 if (SdbTagRefToTagID(hsdb
, pQuery
->atrLayers
[n
], &pdb
, &tag
))
382 LPCWSTR LayerName
= SeiGetStringPtr(pdb
, tag
, TAG_NAME
);
383 TAGID ShimRef
= SdbFindFirstTag(pdb
, tag
, TAG_SHIM_REF
);
385 SeiDbgPrint(SEI_MSG
, NULL
, "ShimInfo(Layer(%S))\n", LayerName
);
387 while (ShimRef
!= TAGID_NULL
)
390 if (SdbTagIDToTagRef(hsdb
, pdb
, ShimRef
, &trShimRef
))
391 SeiAddShim(trShimRef
, pShimRef
);
393 ShimRef
= SdbFindNextTag(pdb
, tag
, ShimRef
);
396 /* Handle FLAG_REF */
402 VOID
SeiAddHooks(PHOOKAPIEX hooks
, DWORD dwHookCount
)
405 UNICODE_STRING UnicodeModName
;
408 RtlInitEmptyUnicodeString(&UnicodeModName
, Buf
, sizeof(Buf
));
410 for (n
= 0; n
< dwHookCount
; ++n
)
412 ANSI_STRING AnsiString
;
414 PHOOKAPIEX hook
= hooks
+ n
;
415 PHOOKMODULEINFO HookModuleInfo
;
416 PSINGLE_LIST_ENTRY Entry
;
418 RtlInitAnsiString(&AnsiString
, hook
->LibraryName
);
419 if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&UnicodeModName
, &AnsiString
, FALSE
)))
421 SHIMENG_FAIL("Unable to convert %s to Unicode\n", hook
->LibraryName
);
425 RtlInitAnsiString(&AnsiString
, hook
->FunctionName
);
426 if (NT_SUCCESS(LdrGetDllHandle(NULL
, 0, &UnicodeModName
, &DllHandle
)))
431 if (!NT_SUCCESS(LdrGetProcedureAddress(DllHandle
, &AnsiString
, 0, &ProcAddress
)))
433 SHIMENG_FAIL("Unable to retrieve %s!%s\n", hook
->LibraryName
, hook
->FunctionName
);
437 HookModuleInfo
= SeiFindHookModuleInfo(NULL
, DllHandle
);
438 hook
->OriginalFunction
= ProcAddress
;
442 HookModuleInfo
= SeiFindHookModuleInfo(&UnicodeModName
, NULL
);
448 if (!ARRAY_EnsureSize(&g_pHookArray
, sizeof(HOOKMODULEINFO
), 5))
451 HookModuleInfo
= g_pHookArray
.Data
;
452 HookModuleInfo
+= g_pHookArray
.Size
;
455 HookModuleInfo
->BaseAddress
= DllHandle
;
456 RtlCreateUnicodeString(&HookModuleInfo
->Name
, UnicodeModName
.Buffer
);
459 Entry
= &HookModuleInfo
->ModuleLink
;
461 while (Entry
&& Entry
->Next
)
463 PHOOKAPIEX HookApi
= CONTAINING_RECORD(Entry
->Next
, HOOKAPIEX
, ModuleLink
);
465 int CmpResult
= strcmp(hook
->FunctionName
, HookApi
->FunctionName
);
468 /* Multiple hooks on one function? --> use ApiLink */
469 SHIMENG_FAIL("Multiple hooks on one API is not yet supported!\n");
472 else if (CmpResult
< 0)
474 /* Break out of the loop to have the entry inserted 'in place' */
480 /* If Entry is not NULL, the item is not inserted yet, so link it at the end. */
483 hook
->ModuleLink
.Next
= Entry
->Next
;
484 Entry
->Next
= &hook
->ModuleLink
;
490 FARPROC WINAPI
StubGetProcAddress(HINSTANCE hModule
, LPCSTR lpProcName
)
492 char szOrdProcName
[10] = "";
493 LPCSTR lpPrintName
= lpProcName
;
494 PVOID Addr
= _ReturnAddress();
495 PHOOKMODULEINFO HookModuleInfo
;
496 FARPROC proc
= ((GETPROCADDRESSPROC
)g_IntHookEx
[0].OriginalFunction
)(hModule
, lpProcName
);
498 if (!HIWORD(lpProcName
))
500 sprintf(szOrdProcName
, "#%lu", (DWORD
)lpProcName
);
501 lpPrintName
= szOrdProcName
;
504 Addr
= SeiGetModuleFromAddress(Addr
);
505 if (SE_IsShimDll(Addr
))
507 SHIMENG_MSG("Not touching GetProcAddress for shim dll (%p!%s)", hModule
, lpPrintName
);
511 SHIMENG_MSG("(GetProcAddress(%p!%s) => %p\n", hModule
, lpProcName
, lpPrintName
);
513 HookModuleInfo
= SeiFindHookModuleInfo(NULL
, hModule
);
515 /* FIXME: Ordinal not yet supported */
516 if (HookModuleInfo
&& HIWORD(lpProcName
))
518 PSINGLE_LIST_ENTRY Entry
;
520 Entry
= HookModuleInfo
->ModuleLink
.Next
;
524 PHOOKAPIEX HookApi
= CONTAINING_RECORD(Entry
, HOOKAPIEX
, ModuleLink
);
526 int CmpResult
= strcmp(lpProcName
, HookApi
->FunctionName
);
529 SHIMENG_MSG("Redirecting %p to %p\n", proc
, HookApi
->ReplacementFunction
);
530 proc
= HookApi
->ReplacementFunction
;
533 else if (CmpResult
< 0)
535 SHIMENG_MSG("Not found %s\n", lpProcName
);
536 /* We are not going to find it anymore.. */
547 VOID
SeiResolveAPIs(VOID
)
552 Data
= g_pShimInfo
.Data
;
554 /* Enumerate all Shim modules */
555 for (mod
= 0; mod
< g_pShimInfo
.Size
; ++mod
)
557 PHOOKAPIPOINTERS pShims
= Data
[mod
].HookApis
.Data
;
558 DWORD dwShimCount
= Data
[mod
].HookApis
.Size
;
560 /* Enumerate all Shims */
561 for (n
= 0; n
< dwShimCount
; ++n
)
563 PHOOKAPIEX hooks
= pShims
[n
].pHookApi
;
564 DWORD dwHookCount
= pShims
[n
].dwHookCount
;
566 SeiAddHooks(hooks
, dwHookCount
);
571 VOID
SeiAddInternalHooks(DWORD dwNumHooks
)
575 g_bInternalHooksUsed
= FALSE
;
579 SeiAddHooks(g_IntHookEx
, _countof(g_IntHookEx
));
580 g_bInternalHooksUsed
= TRUE
;
583 VOID
SeiPatchNewImport(PIMAGE_THUNK_DATA FirstThunk
, PHOOKAPIEX HookApi
, PLDR_DATA_TABLE_ENTRY LdrEntry
)
585 ULONG OldProtection
= 0;
590 SHIMENG_INFO("Hooking API \"%s!%s\" for DLL \"%wZ\"\n", HookApi
->LibraryName
, HookApi
->FunctionName
, &LdrEntry
->BaseDllName
);
592 Ptr
= &FirstThunk
->u1
.Function
;
593 Size
= sizeof(FirstThunk
->u1
.Function
);
594 Status
= NtProtectVirtualMemory(NtCurrentProcess(), &Ptr
, &Size
, PAGE_EXECUTE_READWRITE
, &OldProtection
);
596 if (!NT_SUCCESS(Status
))
598 SHIMENG_FAIL("Unable to unprotect 0x%p\n", &FirstThunk
->u1
.Function
);
602 SHIMENG_INFO("changing 0x%p to 0x%p\n", FirstThunk
->u1
.Function
, HookApi
->ReplacementFunction
);
604 FirstThunk
->u1
.Function
= (ULONGLONG
)HookApi
->ReplacementFunction
;
606 FirstThunk
->u1
.Function
= (DWORD
)HookApi
->ReplacementFunction
;
609 Size
= sizeof(FirstThunk
->u1
.Function
);
610 Status
= NtProtectVirtualMemory(NtCurrentProcess(), &Ptr
, &Size
, OldProtection
, &OldProtection
);
612 if (!NT_SUCCESS(Status
))
614 SHIMENG_WARN("Unable to reprotect 0x%p\n", &FirstThunk
->u1
.Function
);
618 /* Level(INFO) [SeiPrintExcludeInfo] Module "kernel32.dll" excluded for shim VistaRTMVersionLie, API "NTDLL.DLL!RtlGetVersion", because it is in System32/WinSXS. */
620 VOID
SeiHookImports(PLDR_DATA_TABLE_ENTRY LdrEntry
)
623 PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor
;
624 PBYTE DllBase
= LdrEntry
->DllBase
;
626 if (SE_IsShimDll(DllBase
) || g_hInstance
== LdrEntry
->DllBase
)
628 SHIMENG_INFO("Skipping shim module 0x%p \"%wZ\"\n", LdrEntry
->DllBase
, &LdrEntry
->BaseDllName
);
632 ImportDescriptor
= RtlImageDirectoryEntryToData(DllBase
, TRUE
, IMAGE_DIRECTORY_ENTRY_IMPORT
, &Size
);
633 if (!ImportDescriptor
)
635 SHIMENG_INFO("Skipping module 0x%p \"%wZ\" due to no iat found\n", LdrEntry
->DllBase
, &LdrEntry
->BaseDllName
);
639 SHIMENG_INFO("Hooking module 0x%p \"%wZ\"\n", LdrEntry
->DllBase
, &LdrEntry
->BaseDllName
);
641 for ( ;ImportDescriptor
->Name
&& ImportDescriptor
->OriginalFirstThunk
; ImportDescriptor
++)
643 PHOOKMODULEINFO HookModuleInfo
;
645 /* Do we have hooks for this module? */
646 HookModuleInfo
= SeiFindHookModuleInfoForImportDescriptor(DllBase
, ImportDescriptor
);
650 PIMAGE_THUNK_DATA OriginalThunk
, FirstThunk
;
651 PSINGLE_LIST_ENTRY Entry
;
653 Entry
= HookModuleInfo
->ModuleLink
.Next
;
658 OriginalThunk
= (PIMAGE_THUNK_DATA
)(DllBase
+ ImportDescriptor
->OriginalFirstThunk
);
659 FirstThunk
= (PIMAGE_THUNK_DATA
)(DllBase
+ ImportDescriptor
->FirstThunk
);
661 for (;OriginalThunk
->u1
.AddressOfData
&& FirstThunk
->u1
.Function
&& Entry
; OriginalThunk
++, FirstThunk
++)
663 PHOOKAPIEX HookApi
= CONTAINING_RECORD(Entry
, HOOKAPIEX
, ModuleLink
);
665 if (!IMAGE_SNAP_BY_ORDINAL32(OriginalThunk
->u1
.AddressOfData
))
667 PIMAGE_IMPORT_BY_NAME ImportName
;
669 ImportName
= (PIMAGE_IMPORT_BY_NAME
)(DllBase
+ OriginalThunk
->u1
.AddressOfData
);
670 if (!strcmp((PCSTR
)ImportName
->Name
, HookApi
->FunctionName
))
672 SeiPatchNewImport(FirstThunk
, HookApi
, LdrEntry
);
674 /* Sadly, iat does not have to be sorted, and can even contain duplicate entries. */
680 SHIMENG_FAIL("Ordinals not yet supported\n");
689 /* One entry not found. */
690 PHOOKAPIEX HookApi
= CONTAINING_RECORD(Entry
, HOOKAPIEX
, ModuleLink
);
692 SHIMENG_INFO("Entry \"%s!%s\" not found for \"%wZ\"\n", HookApi
->LibraryName
, HookApi
->FunctionName
, &LdrEntry
->BaseDllName
);
694 SHIMENG_INFO("Entry \"%s!%s\" found %d times for \"%wZ\"\n", HookApi
->LibraryName
, HookApi
->FunctionName
, dwFound
, &LdrEntry
->BaseDllName
);
705 VOID
PatchNewModules(PPEB Peb
)
707 PLIST_ENTRY ListHead
, ListEntry
;
708 PLDR_DATA_TABLE_ENTRY LdrEntry
;
710 ListHead
= &NtCurrentPeb()->Ldr
->InLoadOrderModuleList
;
711 ListEntry
= ListHead
->Flink
;
713 while (ListHead
!= ListEntry
)
715 LdrEntry
= CONTAINING_RECORD(ListEntry
, LDR_DATA_TABLE_ENTRY
, InLoadOrderLinks
);
716 SeiHookImports(LdrEntry
);
718 ListEntry
= ListEntry
->Flink
;
724 Level(INFO) Using USER apphack flags 0x2080000
727 VOID
SeiInit(PUNICODE_STRING ProcessImage
, HSDB hsdb
, SDBQUERYRESULT
* pQuery
)
732 DWORD dwTotalHooks
= 0;
734 PPEB Peb
= NtCurrentPeb();
737 ShimRef
.Size
= ShimRef
.MaxSize
= 0;
739 SeiCheckComPlusImage(Peb
->ImageBaseAddress
);
742 if (pQuery->trApphelp)
743 SeiDisplayAppHelp(?pQuery->trApphelp?);
746 SeiDbgPrint(SEI_MSG
, NULL
, "ShimInfo(ExePath(%wZ))\n", ProcessImage
);
747 SeiBuildShimRefArray(hsdb
, pQuery
, &ShimRef
);
748 SeiDbgPrint(SEI_MSG
, NULL
, "ShimInfo(Complete)\n");
750 SHIMENG_INFO("Got %d shims\n", ShimRef
.Size
);
752 SeiBuildGlobalInclExclList()
757 for (n
= 0; n
< ShimRef
.Size
; ++n
)
761 if (SdbTagRefToTagID(hsdb
, Data
[n
], &pdb
, &ShimRef
))
763 LPCWSTR ShimName
, DllName
;
765 WCHAR FullNameBuffer
[MAX_PATH
];
766 UNICODE_STRING UnicodeDllName
;
768 PSHIMMODULE pShimInfo
= NULL
;
769 const char* szCommandLine
= "";
773 ShimName
= SeiGetStringPtr(pdb
, ShimRef
, TAG_NAME
);
776 SHIMENG_FAIL("Failed to retrieve the name for 0x%x\n", Data
[n
]);
780 ShimTag
= SeiGetDWORD(pdb
, ShimRef
, TAG_SHIM_TAGID
);
783 SHIMENG_FAIL("Failed to resolve %S to a shim\n", ShimName
);
787 if (!SdbGetAppPatchDir(NULL
, FullNameBuffer
, _countof(FullNameBuffer
)))
789 SHIMENG_WARN("Failed to get the AppPatch dir\n");
793 DllName
= SeiGetStringPtr(pdb
, ShimTag
, TAG_DLLFILE
);
794 if (DllName
== NULL
||
795 !SUCCEEDED(StringCchCatW(FullNameBuffer
, _countof(FullNameBuffer
), L
"\\")) ||
796 !SUCCEEDED(StringCchCatW(FullNameBuffer
, _countof(FullNameBuffer
), DllName
)))
798 SHIMENG_WARN("Failed to build a full path for %S\n", ShimName
);
803 SeiGetShimCommandLine();
804 [SeiInit] COMMAND_LINE VirtualRegistry(WINNT;VistaRTMLie) from AcLayers.DLL
807 RtlInitUnicodeString(&UnicodeDllName
, FullNameBuffer
);
808 if (NT_SUCCESS(LdrGetDllHandle(NULL
, NULL
, &UnicodeDllName
, &BaseAddress
)))
810 pShimInfo
= SeiGetShimInfo(BaseAddress
);
812 else if (!NT_SUCCESS(LdrLoadDll(NULL
, NULL
, &UnicodeDllName
, &BaseAddress
)))
814 SHIMENG_WARN("Failed to load %wZ for %S\n", &UnicodeDllName
, ShimName
);
819 pShimInfo
= SeiCreateShimInfo(DllName
, BaseAddress
);
822 SHIMENG_FAIL("Failed to allocate ShimInfo for %S\n", DllName
);
827 SHIMENG_INFO("Shim DLL 0x%p \"%wZ\" loaded\n", BaseAddress
, &UnicodeDllName
);
828 SHIMENG_INFO("Using SHIM \"%S!%S\"\n", DllName
, ShimName
);
831 pHookApi
= pShimInfo
->pGetHookAPIs(szCommandLine
, ShimName
, &dwHookCount
);
832 SHIMENG_INFO("GetHookAPIs returns %d hooks for DLL \"%wZ\" SHIM \"%S\"\n", dwHookCount
, &UnicodeDllName
, ShimName
);
834 SeiAppendHookInfo(pShimInfo
, pHookApi
, dwHookCount
);
836 dwTotalHooks
+= dwHookCount
;
837 /*SeiBuildInclExclList*/
841 SeiAddInternalHooks(dwTotalHooks
);
843 PatchNewModules(Peb
);
848 BOOL
SeiGetShimData(PUNICODE_STRING ProcessImage
, PVOID pShimData
, HSDB
* pHsdb
, SDBQUERYRESULT
* pQuery
)
850 static const UNICODE_STRING ForbiddenShimmingApps
[] = {
851 RTL_CONSTANT_STRING(L
"ntsd.exe"),
852 RTL_CONSTANT_STRING(L
"windbg.exe"),
854 RTL_CONSTANT_STRING(L
"slsvc.exe"),
857 static const UNICODE_STRING BackSlash
= RTL_CONSTANT_STRING(L
"\\");
858 static const UNICODE_STRING ForwdSlash
= RTL_CONSTANT_STRING(L
"/");
859 UNICODE_STRING ProcessName
;
860 USHORT Back
, Forward
;
864 if (!NT_SUCCESS(RtlFindCharInUnicodeString(RTL_FIND_CHAR_IN_UNICODE_STRING_START_AT_END
, ProcessImage
, &BackSlash
, &Back
)))
867 if (!NT_SUCCESS(RtlFindCharInUnicodeString(RTL_FIND_CHAR_IN_UNICODE_STRING_START_AT_END
, ProcessImage
, &ForwdSlash
, &Forward
)))
874 Back
+= sizeof(WCHAR
);
876 ProcessName
.Buffer
= ProcessImage
->Buffer
+ Back
/ sizeof(WCHAR
);
877 ProcessName
.Length
= ProcessImage
->Length
- Back
;
878 ProcessName
.MaximumLength
= ProcessImage
->MaximumLength
- Back
;
880 for (n
= 0; n
< _countof(ForbiddenShimmingApps
); ++n
)
882 if (RtlEqualUnicodeString(&ProcessName
, ForbiddenShimmingApps
+ n
, TRUE
))
884 SHIMENG_MSG("Not shimming %wZ\n", ForbiddenShimmingApps
+ n
);
889 /* We should probably load all db's here, but since we do not support that yet... */
890 hsdb
= SdbInitDatabase(HID_DOS_PATHS
| SDB_DATABASE_MAIN_SHIM
, NULL
);
893 if (SdbUnpackAppCompatData(hsdb
, ProcessImage
->Buffer
, pShimData
, pQuery
))
898 SdbReleaseDatabase(hsdb
);
905 VOID NTAPI
SE_InstallBeforeInit(PUNICODE_STRING ProcessImage
, PVOID pShimData
)
908 SDBQUERYRESULT QueryResult
= { { 0 } };
909 SHIMENG_MSG("(%wZ, %p)\n", ProcessImage
, pShimData
);
911 if (!SeiGetShimData(ProcessImage
, pShimData
, &hsdb
, &QueryResult
))
913 SHIMENG_FAIL("Failed to get shim data\n");
917 g_bShimDuringInit
= TRUE
;
918 SeiInit(ProcessImage
, hsdb
, &QueryResult
);
919 g_bShimDuringInit
= FALSE
;
921 SdbReleaseDatabase(hsdb
);
924 VOID NTAPI
SE_InstallAfterInit(PUNICODE_STRING ProcessImage
, PVOID pShimData
)
926 NotifyShims(SHIM_NOTIFY_ATTACH
, NULL
);
929 VOID NTAPI
SE_ProcessDying(VOID
)
932 NotifyShims(SHIM_NOTIFY_DETACH
, NULL
);
935 VOID WINAPI
SE_DllLoaded(PLDR_DATA_TABLE_ENTRY LdrEntry
)
937 SHIMENG_INFO("%sINIT. loading DLL \"%wZ\"\n", g_bShimDuringInit
? "" : "AFTER ", &LdrEntry
->BaseDllName
);
938 NotifyShims(SHIM_REASON_DLL_LOAD
, LdrEntry
);
941 VOID WINAPI
SE_DllUnloaded(PLDR_DATA_TABLE_ENTRY LdrEntry
)
943 SHIMENG_MSG("(%p)\n", LdrEntry
);
944 NotifyShims(SHIM_REASON_DLL_UNLOAD
, LdrEntry
);
947 BOOL WINAPI
SE_IsShimDll(PVOID BaseAddress
)
949 SHIMENG_MSG("(%p)\n", BaseAddress
);
951 return SeiGetShimInfo(BaseAddress
) != NULL
;