- /*
- * Locate and open NTDLL to determine ImageBase
- * and LdrStartup
- */
- GetSystemDirectory(
- TmpNameBuffer,
- sizeof TmpNameBuffer
- );
- wcscat(
- TmpNameBuffer,
- L"\\ntdll.dll"
- );
- RtlInitUnicodeString(
- & DllPathname,
- TmpNameBuffer
- );
- InitializeObjectAttributes(
- & FileObjectAttributes,
- & DllPathname,
- 0,
- NULL,
- NULL
- );
- DPRINT("Opening NTDLL\n");
- Status = ZwOpenFile(
- & FileHandle,
- FILE_ALL_ACCESS,
- & FileObjectAttributes,
- NULL,
- 0,
- 0
- );
- if (!NT_SUCCESS(Status))
- {
- DPRINT("NTDLL open failed ");
- DbgPrintErrorMessage(Status);
-
- return Status;
- }
- Status = ZwReadFile(
- FileHandle,
- 0,
- 0,
- 0,
- 0,
- BlockBuffer,
- sizeof BlockBuffer,
- 0,
- 0
- );
- if (!NT_SUCCESS(Status))
- {
- DPRINT("NTDLL header read failed ");
- DbgPrintErrorMessage(Status);
- ZwClose(FileHandle);
-
- return Status;
- }
- /*
- * FIXME: this will fail if the NT headers are
- * more than 1024 bytes from start.
- */
- DosHeader = (PIMAGE_DOS_HEADER) BlockBuffer;
- NTHeaders = (PIMAGE_NT_HEADERS) (BlockBuffer + DosHeader->e_lfanew);
- if (
- (DosHeader->e_magic != IMAGE_DOS_MAGIC)
- || (DosHeader->e_lfanew == 0L)
- || (*(PULONG) NTHeaders != IMAGE_PE_MAGIC)
- )
- {
- DPRINT("NTDLL format invalid\n");
- ZwClose(FileHandle);
-
- return STATUS_UNSUCCESSFUL;
- }
- ImageBase = NTHeaders->OptionalHeader.ImageBase;
- ImageSize = NTHeaders->OptionalHeader.SizeOfImage;
- /*
- * FIXME: retrieve the offset of LdrStartup from NTDLL
- */
- DPRINT("ImageBase %x\n",ImageBase);
- LdrStartupAddr =
- ImageBase
- + NTHeaders->OptionalHeader.AddressOfEntryPoint;
- /*
- * Create a section for NTDLL
- */
- Status = ZwCreateSection(
- & NTDllSectionHandle,
- SECTION_ALL_ACCESS,
- NULL,
- NULL,
- PAGE_READWRITE,
- MEM_COMMIT,
- FileHandle
- );
- if (!NT_SUCCESS(Status))
- {
- DPRINT("NTDLL create section failed ");
- DbgPrintErrorMessage(Status);
- ZwClose(FileHandle);
-
- return Status;
- }
- /*
- * Map the NTDLL into the process
- */
- InitialViewSize =
- DosHeader->e_lfanew
- + sizeof (IMAGE_NT_HEADERS)
- + ( sizeof (IMAGE_SECTION_HEADER)
- * NTHeaders->FileHeader.NumberOfSections
- );
- Status = ZwMapViewOfSection(
- NTDllSectionHandle,
- ProcessHandle,
- (PVOID *) & ImageBase,
- 0,
- InitialViewSize,
- NULL,
- & InitialViewSize,
- 0,
- MEM_COMMIT,
- PAGE_READWRITE
- );
- if (!NT_SUCCESS(Status))
- {
- DPRINT("NTDLL map view of secion failed ");
- DbgPrintErrorMessage(Status);
-
- /* FIXME: destroy the section here */
-
- ZwClose(FileHandle);
-
- return Status;
- }
- for ( i = 0;
- (i < NTHeaders->FileHeader.NumberOfSections);
- i++
- )
- {
- PIMAGE_SECTION_HEADER Sections;
- LARGE_INTEGER Offset;
- ULONG Base;
+ /*
+ * Locate and open NTDLL to determine ImageBase
+ * and LdrStartup
+ */
+ GetSystemDirectory(TmpNameBuffer, sizeof TmpNameBuffer);
+ wcscat(TmpNameBuffer, L"\\ntdll.dll");
+ RtlInitUnicodeString(&DllPathname, TmpNameBuffer);
+ InitializeObjectAttributes(&FileObjectAttributes,
+ &DllPathname,
+ 0,
+ NULL,
+ NULL);
+ DPRINT("Opening NTDLL\n");
+ Status = ZwOpenFile(&FileHandle,
+ FILE_ALL_ACCESS,
+ &FileObjectAttributes,
+ NULL,
+ 0,
+ 0);
+ if (!NT_SUCCESS(Status))
+ {
+ DbgPrint("NTDLL open failed ");
+ DbgPrintErrorMessage(Status);
+ return Status;
+ }
+ Status = ZwReadFile(FileHandle,
+ 0,
+ 0,
+ 0,
+ 0,
+ BlockBuffer,
+ sizeof BlockBuffer,
+ 0,
+ 0);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT("NTDLL header read failed ");
+ DbgPrintErrorMessage(Status);
+ ZwClose(FileHandle);
+ return Status;
+ }
+
+ /*
+ * FIXME: this will fail if the NT headers are
+ * more than 1024 bytes from start.
+ */
+ DosHeader = (PIMAGE_DOS_HEADER) BlockBuffer;
+ NTHeaders = (PIMAGE_NT_HEADERS) (BlockBuffer + DosHeader->e_lfanew);
+ if ((DosHeader->e_magic != IMAGE_DOS_MAGIC)
+ || (DosHeader->e_lfanew == 0L)
+ || (*(PULONG) NTHeaders != IMAGE_PE_MAGIC))
+ {
+ DPRINT("NTDLL format invalid\n");
+ ZwClose(FileHandle);
+ return STATUS_UNSUCCESSFUL;
+ }
+ ImageBase = NTHeaders->OptionalHeader.ImageBase;
+ ImageSize = NTHeaders->OptionalHeader.SizeOfImage;
+ /*
+ * FIXME: retrieve the offset of LdrStartup from NTDLL
+ */
+ DPRINT("ImageBase %x\n",ImageBase);
+ LdrStartupAddr = ImageBase + NTHeaders->OptionalHeader.AddressOfEntryPoint;
+ /*
+ * Create a section for NTDLL
+ */
+ Status = ZwCreateSection(&NTDllSectionHandle,
+ SECTION_ALL_ACCESS,
+ NULL,
+ NULL,
+ PAGE_READWRITE,
+ MEM_COMMIT,
+ FileHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT("NTDLL create section failed ");
+ DbgPrintErrorMessage(Status);
+ ZwClose(FileHandle);
+
+ return Status;
+ }
+
+ /*
+ * Map the NTDLL into the process
+ */
+ InitialViewSize = DosHeader->e_lfanew
+ + sizeof (IMAGE_NT_HEADERS)
+ + ( sizeof (IMAGE_SECTION_HEADER)
+ * NTHeaders->FileHeader.NumberOfSections
+ );
+ Status = ZwMapViewOfSection(NTDllSectionHandle,
+ ProcessHandle,
+ (PVOID *) & ImageBase,
+ 0,
+ InitialViewSize,
+ NULL,
+ &InitialViewSize,
+ 0,
+ MEM_COMMIT,
+ PAGE_READWRITE);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT("NTDLL map view of secion failed ");
+ DbgPrintErrorMessage(Status);
+
+ /* FIXME: destroy the section here */