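/*
 * FirstSoundSentry - one-shot resolver for the SoundSentry callback.
 *
 * Looks up the "_UserSoundSentry" export of an already-mapped winsrv
 * (LdrGetDllHandle only returns a handle, it does not load the DLL),
 * installs it - or the FailSoundSentry fallback when winsrv or the
 * export is unavailable - as the _UserSoundSentry callback used by all
 * later calls, and then invokes that callback once.
 *
 * Returns whatever the resolved callback returns.
 */
BOOL
NTAPI
FirstSoundSentry(VOID)
{
    UNICODE_STRING DllString = RTL_CONSTANT_STRING(L"winsrv");
    STRING FuncString = RTL_CONSTANT_STRING("_UserSoundSentry");
    HANDLE DllHandle;
    NTSTATUS Status;
    PUSER_SOUND_SENTRY NewSoundSentry = FailSoundSentry;
    PUSER_SOUND_SENTRY Resolved = NULL;

    /* Only look at a winsrv that is already mapped in this process */
    Status = LdrGetDllHandle(NULL, NULL, &DllString, &DllHandle);
    if (NT_SUCCESS(Status))
    {
        /* Resolve into a temporary: a failed lookup must not be able to
         * leave a partially written or stale pointer in NewSoundSentry,
         * whatever the loader does with its out-parameter on error */
        Status = LdrGetProcedureAddress(DllHandle,
                                        &FuncString,
                                        0,
                                        (PVOID*)&Resolved);
        if (NT_SUCCESS(Status) && Resolved != NULL)
        {
            NewSoundSentry = Resolved;
        }
    }

    /* Install the result as the callback for future calls, then run it */
    _UserSoundSentry = NewSoundSentry;
    return _UserSoundSentry();
}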
/*
 * CsrConnectToUser - resolves (once) and calls user32's ClientThreadSetup
 * so that the calling thread is connected to the USER side.
 *
 * The ClientThreadSetup pointer is cached in a function-static on the
 * first successful lookup and reused afterwards. Returns NULL when the
 * setup routine reports failure or raises an exception.
 *
 * NOTE(review): this listing stops after the failure branch; the rest of
 * the function (where Teb/Thread are used and the non-NULL result is
 * produced) is not visible here.
 */
PCSR_THREAD
CsrConnectToUser( VOID )
{
    static BOOLEAN (*ClientThreadSetupRoutine)(VOID) = NULL;
    NTSTATUS Status;
    ANSI_STRING DllName;
    UNICODE_STRING DllName_U;
    STRING ProcedureName;
    HANDLE UserClientModuleHandle;
    PTEB Teb;
    PCSR_THREAD Thread;
    BOOLEAN fConnected;

    if (ClientThreadSetupRoutine == NULL) {
        /* "user32" -> UNICODE_STRING; TRUE makes the converter allocate the
         * buffer, which is released with RtlFreeUnicodeString below */
        RtlInitAnsiString(&DllName, "user32");
        Status = RtlAnsiStringToUnicodeString(&DllName_U, &DllName, TRUE);
        ASSERT(NT_SUCCESS(Status));
        /* Handle lookup only - user32 is not loaded by this call */
        Status = LdrGetDllHandle(
                    UNICODE_NULL,
                    NULL,
                    &DllName_U,
                    (PVOID *)&UserClientModuleHandle
                    );
        RtlFreeUnicodeString(&DllName_U);
        if ( NT_SUCCESS(Status) ) {
            RtlInitString(&ProcedureName,"ClientThreadSetup");
            /* Only an ASSERT guards this lookup; if the export is missing
             * (or user32 was not mapped at all) the routine pointer stays
             * NULL and the call below relies on the exception handler */
            Status = LdrGetProcedureAddress(
                        UserClientModuleHandle,
                        &ProcedureName,
                        0L,
                        (PVOID *)&ClientThreadSetupRoutine
                        );
            ASSERT(NT_SUCCESS(Status));
        }
    }
    /* A NULL or faulting setup routine becomes a failed connect rather
     * than taking the process down */
    try {
        fConnected = ClientThreadSetupRoutine();
    } except (EXCEPTION_EXECUTE_HANDLER) {
        fConnected = FALSE;
    }
    if (!fConnected) {
        IF_DEBUG {
            DbgPrint("CSRSS: CsrConnectToUser failed\n");
        }
        return NULL;
    }
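/*
 * HookDirectInput8 - installs the inline hook on dinput8!DirectInput8Create.
 *
 * ModuleBase  - optional; receives the dinput8.dll base once the hook is in.
 * Context     - published through DInput8CallbackContext for
 *               HookDirectInput8Create to consult.
 *
 * Returns the LdrGetDllHandle status when dinput8.dll is not mapped,
 * STATUS_UNSUCCESSFUL when the export cannot be resolved, otherwise the
 * status reported by Nt_PatchMemory (assumed to be an NTSTATUS).
 * *ModuleBase is written only when the patch was applied successfully.
 */
NTSTATUS HookDirectInput8(PVOID *ModuleBase, PDHOOK_HOOK_INFO Context)
{
    PVOID DInput8ModuleBase;
    NTSTATUS Status;
    UNICODE_STRING DllName;
    HRESULT (WINAPI *DirectInput8Create)(HINSTANCE, DWORD, REFIID, PVOID*, LPUNKNOWN);

    /* Only hook a dinput8.dll that is already loaded; do not load it here */
    RTL_CONST_STRING(DllName, L"dinput8.dll");
    Status = LdrGetDllHandle(NULL, 0, &DllName, &DInput8ModuleBase);
    if (!NT_SUCCESS(Status))
        return Status;

    /* Resolve by export name; the resolver yields an untyped address, so
       the function pointer is written through a PVOID lvalue */
    *(PVOID *)&DirectInput8Create = Nt_GetProcAddress(DInput8ModuleBase, "DirectInput8Create");
    if (DirectInput8Create == NULL)
        return STATUS_UNSUCCESSFUL;

    MEMORY_FUNCTION_PATCH f[] =
    {
        INLINE_HOOK_JUMP(DirectInput8Create, HookDirectInput8Create, StubDirectInput8Create),
    };

    /* Publish the context before the hook can fire so that
       HookDirectInput8Create never observes a stale value; if patching
       fails below, the hook is simply never reached */
    DInput8CallbackContext = Context;

    Status = Nt_PatchMemory(NULL, 0, f, countof(f), NULL);
    if (!NT_SUCCESS(Status))
        return Status;

    /* Hook is live: hand the module base back to the caller */
    if (ModuleBase != NULL)
        *ModuleBase = DInput8ModuleBase;

    return Status;
}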
// my getmodulehandlea, uses only ntdll functions LPVOID engine_NtGetModuleHandleA(LPSTR lpModuleName) { STRING asModuleName; UNICODE_STRING usModuleName; HANDLE hModule; asModuleName.Buffer=(PCHAR)lpModuleName; asModuleName.Length=strlen(lpModuleName); asModuleName.MaximumLength=asModuleName.Length; if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&usModuleName,&asModuleName,TRUE))) return NULL; if (!NT_SUCCESS(LdrGetDllHandle(NULL,NULL,&usModuleName,&hModule))) { RtlFreeUnicodeString(&usModuleName); return NULL; } RtlFreeUnicodeString(&usModuleName); return hModule; }
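NTSTATUS
CsrClientConnectToServer(
    IN PWSTR ObjectDirectory,
    IN ULONG ServerDllIndex,
    IN PCSR_CALLBACK_INFO CallbackInformation OPTIONAL,
    IN PVOID ConnectionInformation,
    IN OUT PULONG ConnectionInformationLength OPTIONAL,
    OUT PBOOLEAN CalledFromServer OPTIONAL
    )

/*++

Routine Description:

    This function is called by the client side DLL to connect with its
    server side DLL.

Arguments:

    ObjectDirectory - Points to a null terminate string that is the same as
        the value of the ObjectDirectory= argument passed to the CSRSS
        program.

    ServerDllIndex - Index of the server DLL that is being connected to.
        It should match one of the ServerDll= arguments passed to the CSRSS
        program.

    CallbackInformation - An optional pointer to a structure that contains
        a pointer to the client callback function dispatch table.

    ConnectionInformation - An optional pointer to uninterpreted data.
        This data is intended for clients to pass package, version and
        protocol identification information to the server to allow the
        server to determine if it can satisfy the client before accepting
        the connection.  Upon return to the client, the
        ConnectionInformation data block contains any information passed
        back from the server DLL by its call to the CsrCompleteConnection
        call.  The output data overwrites the input data.

    ConnectionInformationLength - Pointer to the length of the
        ConnectionInformation data block.  The output value is the length
        of the data stored in the ConnectionInformation data block by the
        server's call to the NtCompleteConnectPort service.  This parameter
        is OPTIONAL only if the ConnectionInformation parameter is NULL,
        otherwise it is required.

    CalledFromServer - On output, TRUE if the dll has been called from a
        server process.

Return Value:

    Status value.

--*/

{
    NTSTATUS Status;
    CSR_API_MSG m;
    PCSR_CLIENTCONNECT_MSG a = &m.u.ClientConnect;
    PCSR_CAPTURE_HEADER CaptureBuffer;
    HANDLE CsrServerModuleHandle;
    STRING ProcedureName;
    ANSI_STRING DllName;
    UNICODE_STRING DllName_U;
    PIMAGE_NT_HEADERS NtHeaders;

    //
    // A connection block without a usable (non-zero) length cannot be
    // marshalled to the server.
    //
    if (ARGUMENT_PRESENT( ConnectionInformation ) &&
        (!ARGUMENT_PRESENT( ConnectionInformationLength ) ||
         *ConnectionInformationLength == 0
        )
       ) {
        return( STATUS_INVALID_PARAMETER );
    }

    if (!CsrInitOnceDone) {
        Status = CsrOneTimeInitialize();
        if (!NT_SUCCESS( Status )) {
            return( Status );
        }
    }

    if (ARGUMENT_PRESENT( CallbackInformation )) {
        //
        // ServerDllIndex is trusted to be a valid slot of CsrLoadedClientDll;
        // the table bound is not checked here.
        //
        CsrLoadedClientDll[ ServerDllIndex ] = RtlAllocateHeap( CsrHeap,
                                                                MAKE_TAG( CSR_TAG ),
                                                                sizeof(CSR_CALLBACK_INFO)
                                                              );
        if (CsrLoadedClientDll[ ServerDllIndex ] == NULL) {
            return( STATUS_NO_MEMORY );
        }
        CsrLoadedClientDll[ ServerDllIndex ]->ApiNumberBase =
            CallbackInformation->ApiNumberBase;
        CsrLoadedClientDll[ ServerDllIndex ]->MaxApiNumber =
            CallbackInformation->MaxApiNumber;
        CsrLoadedClientDll[ ServerDllIndex ]->CallbackDispatchTable =
            CallbackInformation->CallbackDispatchTable;
    }

    //
    // if we are being called by a server process, skip lpc port initialization
    // and call to server connect routine and just initialize heap. the
    // dll initialization routine will do any necessary initialization. this
    // stuff only needs to be done for the first connect.
    //
    if ( CsrServerProcess == TRUE ) {
        //
        // CalledFromServer is OPTIONAL; honour that on this path as the
        // other return paths do.
        //
        if (ARGUMENT_PRESENT(CalledFromServer)) {
            *CalledFromServer = CsrServerProcess;
        }
        return STATUS_SUCCESS;
    }

    //
    // If the image is an NT Native image, we are running in the
    // context of the server.
    //
    NtHeaders = RtlImageNtHeader(NtCurrentPeb()->ImageBaseAddress);
    CsrServerProcess =
        (NtHeaders->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_NATIVE) ? TRUE : FALSE;

    if ( CsrServerProcess ) {
        extern PVOID NtDllBase;

        RtlInitAnsiString( &DllName, "csrsrv" );
        Status = RtlAnsiStringToUnicodeString(&DllName_U, &DllName, TRUE);
        ASSERT(NT_SUCCESS(Status));

        LdrDisableThreadCalloutsForDll(NtDllBase);

        Status = LdrGetDllHandle(
                    UNICODE_NULL,
                    NULL,
                    &DllName_U,
                    (PVOID *)&CsrServerModuleHandle
                    );
        RtlFreeUnicodeString(&DllName_U);
        //
        // Without csrsrv the module handle is indeterminate; do not hand it
        // to LdrGetProcedureAddress.
        //
        if (!NT_SUCCESS( Status )) {
            return( Status );
        }

        CsrServerProcess = TRUE;

        RtlInitString(&ProcedureName,"CsrCallServerFromServer");
        Status = LdrGetProcedureAddress(
                    CsrServerModuleHandle,
                    &ProcedureName,
                    0L,
                    (PVOID *)&CsrServerApiRoutine
                    );
        ASSERT(NT_SUCCESS(Status));

        RtlInitString(&ProcedureName, "CsrLocateThreadInProcess");
        Status = LdrGetProcedureAddress(
                    CsrServerModuleHandle,
                    &ProcedureName,
                    0L,
                    (PVOID *)&CsrpLocateThreadInProcess
                    );
        ASSERT(NT_SUCCESS(Status));

        ASSERT (CsrPortHeap==NULL);
        CsrPortHeap = RtlProcessHeap();
        CsrPortBaseTag = RtlCreateTagHeap( CsrPortHeap,
                                           0,
                                           L"CSRPORT!",
                                           L"CAPTURE\0"
                                         );

        if (ARGUMENT_PRESENT(CalledFromServer)) {
            *CalledFromServer = CsrServerProcess;
        }
        return STATUS_SUCCESS;
    }

    if ( ARGUMENT_PRESENT(ConnectionInformation) ) {
        CsrServerProcess = FALSE;

        //
        // The LPC port is opened lazily on the first connect.
        //
        if (CsrPortHandle == NULL) {
            Status = CsrpConnectToServer( ObjectDirectory );
            if (!NT_SUCCESS( Status )) {
                return( Status );
            }
        }

        a->ServerDllIndex = ServerDllIndex;
        a->ConnectionInformationLength = *ConnectionInformationLength;

        //
        // Copy the caller's block into a capture buffer the server can read.
        // ConnectionInformation is present in this branch and its length was
        // validated non-zero above, so no second presence test is needed.
        //
        CaptureBuffer = CsrAllocateCaptureBuffer( 1,
                                                  0,
                                                  a->ConnectionInformationLength
                                                );
        if (CaptureBuffer == NULL) {
            return( STATUS_NO_MEMORY );
        }
        CsrAllocateMessagePointer( CaptureBuffer,
                                   a->ConnectionInformationLength,
                                   (PVOID *)&a->ConnectionInformation
                                 );
        RtlMoveMemory( a->ConnectionInformation,
                       ConnectionInformation,
                       a->ConnectionInformationLength
                     );
        *ConnectionInformationLength = a->ConnectionInformationLength;

        Status = CsrClientCallServer( &m,
                                      CaptureBuffer,
                                      CSR_MAKE_API_NUMBER( CSRSRV_SERVERDLL_INDEX,
                                                           CsrpClientConnect
                                                         ),
                                      sizeof( *a )
                                    );

        //
        // Copy the reply back with the caller's own length (set before the
        // call), not a length taken from the reply message, so the server
        // side cannot cause a write past the caller's buffer.  The reply's
        // length field is not consulted here.
        //
        RtlMoveMemory( ConnectionInformation,
                       a->ConnectionInformation,
                       *ConnectionInformationLength
                     );
        CsrFreeCaptureBuffer( CaptureBuffer );
    } else {
        Status = STATUS_SUCCESS;
    }

    if (ARGUMENT_PRESENT(CalledFromServer)) {
        *CalledFromServer = CsrServerProcess;
    }

    return( Status );
}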