CXTPSkinManagerModuleList::CXTPSkinManagerModuleList(DWORD dwProcessId)
{
m_pEnumerator = NULL;
if (GetSharedData().m_hPsapiDll)
{
m_pEnumerator = new CPsapiModuleEnumerator(dwProcessId, GetSharedData().m_hPsapiDll);
}
else if (GetSharedData().m_bExists)
{
m_pEnumerator = new CToolHelpModuleEnumerator(dwProcessId);
}
ASSERT(m_pEnumerator);
}
HRESULT CDuiWinDwmWrapper::DefWindowProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, LRESULT *plResult)
{
CSharedData& sData = GetSharedData();
if (sData.m_hDwmDll != NULL && sData.m_ptrWrappers[duiWrapperDwmDefWindowProc] == NULL)
{
sData.m_ptrWrappers[duiWrapperDwmDefWindowProc] = ::GetProcAddress(
sData.m_hDwmDll, duiWrapperProcDwmDefWindowProc);
}
DUIPFNDwmDefWindowProc ptr = (DUIPFNDwmDefWindowProc)sData.m_ptrWrappers[duiWrapperDwmDefWindowProc];
if (ptr)
{
return (*ptr)(hWnd, msg, wParam, lParam, plResult);
}
return E_FAIL;
}
VOID ResetTrampoline()
{
PSHARED_DISP_DATA disp = GetSharedData();
if (disp->Signature != SHARED_SIGNATURE)
{
KdPrint (("ngvid:" __FUNCTION__ ": Damaged shared block %X signature %X should be %X\n",
disp, disp->Signature, SHARED_SIGNATURE));
return;
}
ASSERT (disp->Trampoline);
TrampolineIsr = (PTRAMPOLINE) disp->Trampoline;
KdPrint(("Resetting trampoline at %X\n", TrampolineIsr));
KIRQL Irql;
KeRaiseIrql (HIGH_LEVEL, &Irql);
/*
USHORT XorEaxEaxOpcode; // 33C0 XOR EAX, EAX
UCHAR IncEaxOpcode; // 40 INC EAX
UCHAR MovOpcode[4]; // 8B4C2418 MOV ECX, DWORD PTR SS:[ESP+18]
UCHAR Mov2Opcode[3]; // C60101 MOV BYTE PTR [ECX], 1
UCHAR RetOpcode[3]; // C21C00 RETN 1C
*/
TrampolineIsr->e2.XorEaxEaxOpcode = 0xC033;
TrampolineIsr->e2.IncEaxOpcode = 0x40;
TrampolineIsr->e2.MovOpcode[0] = 0x8B;
TrampolineIsr->e2.MovOpcode[1] = 0x4C;
TrampolineIsr->e2.MovOpcode[2] = 0x24;
TrampolineIsr->e2.MovOpcode[3] = 0x18;
TrampolineIsr->e2.Mov2Opcode[0] = 0xC6;
TrampolineIsr->e2.Mov2Opcode[1] = 0x01;
TrampolineIsr->e2.Mov2Opcode[2] = 0x01;
TrampolineIsr->e2.RetOpcode[0] = 0xC2;
TrampolineIsr->e2.RetOpcode[1] = 0x1C;
TrampolineIsr->e2.RetOpcode[2] = 0x00;
KeLowerIrql (Irql);
}
BOOL CDuiWinDwmWrapper::IsCompositionEnabled()
{
CSharedData& sData = GetSharedData();
if (sData.m_hDwmDll != NULL && sData.m_ptrWrappers[duiWrapperDwmIsCompositionEnabled] == NULL)
{
sData.m_ptrWrappers[duiWrapperDwmIsCompositionEnabled] = ::GetProcAddress(
sData.m_hDwmDll, duiWrapperProcDwmIsCompositionEnabled);
}
DUIPFNDwmIsCompositionEnabled ptr = (DUIPFNDwmIsCompositionEnabled)sData.m_ptrWrappers[duiWrapperDwmIsCompositionEnabled];
if (ptr)
{
BOOL bEnabled = FALSE;
LRESULT lResult = (*ptr)(&bEnabled);
if (FAILED(lResult))
return FALSE;
return bEnabled;
}
return FALSE;
}
VOID CreateTrampoline()
{
PSHARED_DISP_DATA disp = GetSharedData();
if (disp->Signature != SHARED_SIGNATURE)
{
KdPrint (("ngvid:" __FUNCTION__ ": Damaged shared block %X signature %X should be %X\n",
disp, disp->Signature, SHARED_SIGNATURE));
return;
}
if (disp->Trampoline)
{
KdPrint(("Trampoline already exists at %X\n", disp->Trampoline));
TrampolineIsr = (PTRAMPOLINE) disp->Trampoline;
}
else
{
TrampolineIsr = (PTRAMPOLINE) ExAllocatePool (NonPagedPool, sizeof(TRAMPOLINE));
KdPrint(("Trampoline allocated at %X\n", TrampolineIsr));
}
KIRQL Irql;
KeRaiseIrql (HIGH_LEVEL, &Irql);
TrampolineIsr->e1.PushOpcode = 0x68;
TrampolineIsr->e1.Address = IsrHookRoutine;
TrampolineIsr->e1.RetOpcode = 0xC3;
KeLowerIrql (Irql);
KdPrint(("Trampoline created\n", TrampolineIsr));
if (disp->Trampoline == NULL)
{
I8042HookKeyboard ((PI8042_KEYBOARD_ISR) TrampolineIsr);
disp->Trampoline = TrampolineIsr;
}
}
HRESULT CDuiWinDwmWrapper::ExtendFrameIntoClientArea(HWND hWnd, int cxLeftWidth, int cyTopHeight, int cxRightWidth, int cyBottomHeight)
{
CSharedData& sData = GetSharedData();
if (sData.m_hDwmDll != NULL && sData.m_ptrWrappers[duiWrapperDwmExtendFrameIntoClientArea] == NULL)
{
sData.m_ptrWrappers[duiWrapperDwmExtendFrameIntoClientArea] = ::GetProcAddress(
sData.m_hDwmDll, duiWrapperProcDwmExtendFrameIntoClientArea);
}
DUIPFNDwmExtendFrameIntoClientArea ptr = (DUIPFNDwmExtendFrameIntoClientArea)sData.m_ptrWrappers[duiWrapperDwmExtendFrameIntoClientArea];
if (ptr)
{
DUI_DWM_MARGINS margins;
margins.cxLeftWidth = cxLeftWidth;
margins.cyTopHeight = cyTopHeight;
margins.cxRightWidth = cxRightWidth;
margins.cyBottomHeight = cyBottomHeight;
return (*ptr)(hWnd, &margins);
}
return E_FAIL;
}
//
// Driver entry point
//
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING )
{
DriverObject->DriverUnload = DriverUnload;
KdPrint(("[~] DriverEntry()\n"));
PsGetVersion (&MajorVersion, &MinorVersion, 0, 0);
if (MajorVersion >= 6)
{
KdPrint(("Windows Vista and later are not supported yet\n"));
return STATUS_NOT_SUPPORTED;
}
if (MajorVersion < 5 || MinorVersion == 0)
{
KdPrint(("Windows NT and 2000 are not supported\n"));
return STATUS_NOT_SUPPORTED;
}
ASSERT (MajorVersion == 5);
ASSERT (MinorVersion >= 1 && MinorVersion <= 2);
if (MinorVersion == 1)
{
KdPrint(("Running on Windows XP\n"));
}
else
{
KdPrint(("Running on Windows 2003 Server\n"));
}
if (KeNumberProcessors > 1)
{
KdPrint(("Loading on multiprocessor system (NumberProcessors %d)\n", KeNumberProcessors));
}
else
{
KdPrint(("Loading on uniprocessor system\n"));
}
KdPrint (("First hello from nt\n"));
if(!NT_SUCCESS(W32FindAndSwapIAT ()))
{
KdPrint(("could not swap import\n"));
return STATUS_INVALID_FILE_FOR_SECTION;
}
// import something from W32k
EngPrint ("Second hello from win32k\n");
HANDLE hCsrProcess;
NTSTATUS Status;
Status = ObOpenObjectByPointer (
CsrProcess,
OBJ_KERNEL_HANDLE,
NULL,
PROCESS_ALL_ACCESS,
*PsProcessType,
KernelMode,
&hCsrProcess
);
if (!NT_SUCCESS(Status))
{
KdPrint(("ObOpenObjectByPointer failed with status %X\n", Status));
W32ReleaseCall();
return Status;
}
KdPrint(("csr opened, handle %X\n", hCsrProcess));
//
// EngLoadImage uses KeAttachProcess/KeDetachProcess to attach to csrss process
// KeDetachProcess detaches to thread's original process, but our thread's
// original process is System! (because we are running in the context of system
// worker thread that loads a driver).
// (
// | fucken windows programmers could not call KeStackAttachProcess
// | instead of KeAttachProcess :(
// )
// So we have to run our function in the context of csrss.exe
//
HANDLE ThreadHandle;
CLIENT_ID ClientId;
OBJECT_ATTRIBUTES Oa;
InitializeObjectAttributes (&Oa, NULL, OBJ_KERNEL_HANDLE, 0, 0);
Status = PsCreateSystemThread (
&ThreadHandle,
THREAD_ALL_ACCESS,
&Oa,
hCsrProcess,
&ClientId,
REINITIALIZE_ADAPTER,
NULL
);
if (!NT_SUCCESS(Status))
{
KdPrint(("PsCreateSystemThread failed with status %X\n", Status));
ZwClose (hCsrProcess);
W32ReleaseCall();
return Status;
}
KdPrint(("thread created, handle %X\n", ThreadHandle));
PETHREAD Thread;
Status = ObReferenceObjectByHandle(
ThreadHandle,
THREAD_ALL_ACCESS,
*PsThreadType,
KernelMode,
(PVOID*) &Thread,
NULL
);
if (!NT_SUCCESS(Status))
{
KdPrint(("ObReferenceObjectByHandle failed with status %X\n", Status));
// cannot unload because thread is running
KeBugCheck (0);
}
KdPrint(("thread referenced to %X\n", Thread));
KeWaitForSingleObject (Thread, Executive, KernelMode, FALSE, NULL);
KdPrint(("Thread terminated\n"));
ZwClose (hCsrProcess);
ObDereferenceObject (Thread);
ZwClose (ThreadHandle);
KdPrint(("success\n", hCsrProcess));
if (!pDrvCopyBits)
{
KdPrint(("Could not find DrvCopyBits\n"));
W32ReleaseCall();
return STATUS_UNSUCCESSFUL;
}
//
// Query keyboard LEDs
//
if(!NT_SUCCESS(KbdWinQueryLeds()))
{
W32ReleaseCall();
return STATUS_UNSUCCESSFUL;
}
PSHARED_DISP_DATA disp = GetSharedData();
if (!disp)
{
EngPrint ("ngvid: could not get shared data\n");
W32ReleaseCall();
return STATUS_UNSUCCESSFUL;
}
if (disp->Signature != SHARED_SIGNATURE)
{
EngPrint ("ngvid: Damaged shared block %X signature %X should be %X\n",
disp, disp->Signature, SHARED_SIGNATURE);
//__asm int 3
W32ReleaseCall();
return STATUS_UNSUCCESSFUL;
}
KdPrint (("Got shared %X Sign %X Surf %X\n", disp, disp->Signature, disp->pPrimarySurf));
#if 0
//
// Temporarily hook DrvCopyBits
//
pDrvCopyBits = disp->pDrvCopyBits;
#endif
if (!disp->pPrimarySurf)
{
KdPrint(("DrvCopyBits %X\n", pDrvCopyBits));
KeInitializeEvent (&SynchEvent, SynchronizationEvent, FALSE);
if (SpliceFunctionStart (pDrvCopyBits, NewDrvCopyBits, SplicingBuffer, sizeof(SplicingBuffer), BackupBuffer, &BackupWritten, FALSE))
{
KdPrint(("SpliceFunctionStart FAILED!!!\n"));
W32ReleaseCall();
return STATUS_UNSUCCESSFUL;
}
KdPrint(("Now you have to move mouse pointer across the display ...\n"));
KeWaitForSingleObject (&SynchEvent, Executive, KernelMode, FALSE, NULL);
UnspliceFunctionStart (pDrvCopyBits, BackupBuffer, FALSE);
KdPrint(("Wait succeeded, so got primary surf %X\n", pPrimarySurf));
disp->pPrimarySurf = pPrimarySurf;
}
else
{
KdPrint(("Already have primary surface\n"));
pPrimarySurf = disp->pPrimarySurf;
}
// Hook kbd & mouse
#if KBD_HOOK_ISR
OldKbd = GetIOAPICIntVector (1);
*(PVOID*)&OldISR = IoHookInterrupt ( (UCHAR)OldKbd, InterruptService);
#else
CreateTrampoline();
//I8042HookKeyboard ((PI8042_KEYBOARD_ISR) IsrHookRoutine);
#endif
MouseInitialize (StateChangeCallbackRoutine);
KdPrint(("Keyboard & mouse hooked\n"));
// Initialize reset DPC
KeInitializeDpc (&HotkeyResetStateDpc, HotkeyResetStateDeferredRoutine, NULL);
//
// Perform multiprocessor initialization
//
DbgHalInitializeMP ();
///
Worker();
///
W32ReleaseCall();
DbgInitialize ();
KdPrint(("[+] Driver initialization successful\n"));
return STATUS_SUCCESS;
}
BOOL AFX_CDECL CXTPSkinManagerModuleList::IsEnumeratorExists()
{
return GetSharedData().m_bExists;
}
