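/*
 * DLL_PROCESS_ATTACH handler for the trcapi tracing DLL.
 *
 * Sets up per-thread state, records our own module path, opens the syelog
 * channel, dumps the process image map, and finally attaches the detours.
 * Logging is held off (s_bLog == FALSE) until everything is in place so the
 * detoured functions used during setup do not recurse into the logger.
 *
 * Returns FALSE only when the TLS slots cannot be allocated, which fails
 * the DLL load; a detour-attach failure is logged as FATAL but the DLL
 * stays loaded (as before) so that the message actually reaches the log.
 */
BOOL ProcessAttach(HMODULE hDll)
{
    s_bLog = FALSE;

    // Per-thread slots for the call-indent level and the thread id.
    s_nTlsIndent = TlsAlloc();
    s_nTlsThread = TlsAlloc();
    if (s_nTlsIndent == TLS_OUT_OF_INDEXES || s_nTlsThread == TLS_OUT_OF_INDEXES) {
        // With an invalid index every later TlsSetValue/TlsGetValue fails
        // silently and the trace would be miscounted; refuse to load instead.
        // Release whichever slot did get allocated so a later TlsFree in the
        // detach path has nothing stale to double-free.
        if (s_nTlsIndent != TLS_OUT_OF_INDEXES) {
            TlsFree(s_nTlsIndent);
            s_nTlsIndent = TLS_OUT_OF_INDEXES;
        }
        if (s_nTlsThread != TLS_OUT_OF_INDEXES) {
            TlsFree(s_nTlsThread);
            s_nTlsThread = TLS_OUT_OF_INDEXES;
        }
        return FALSE;
    }
    ThreadAttach(hDll);

    s_hInst = hDll;
    // Our own path, wide and narrow. GetModuleFileNameW NUL-terminates even
    // when it truncates, and s_wzDllPath is presumably file-scope (so it is
    // zero-filled if the call fails), which keeps the narrow copy bounded.
    Real_GetModuleFileNameW(hDll, s_wzDllPath, ARRAYSIZE(s_wzDllPath));
    // _TRUNCATE: a path that grows past s_szDllPath after the wide->narrow
    // conversion must not trip the CRT invalid-parameter handler (which
    // sprintf_s does on overflow) while we are still inside DllMain.
    _snprintf_s(s_szDllPath, ARRAYSIZE(s_szDllPath), _TRUNCATE, "%ls", s_wzDllPath);

    SyelogOpen("trcapi" DETOURS_STRINGIFY(DETOURS_BITS), SYELOG_FACILITY_APPLICATION);
    ProcessEnumerate();

    LONG error = AttachDetours();
    if (error != NO_ERROR) {
        Syelog(SYELOG_SEVERITY_FATAL, "### Error attaching detours: %d\n", error);
    }

    s_bLog = TRUE;
    return TRUE;
}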
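/*
 * Log the on-disk path of one loaded image.
 *
 * hInst: module base to describe.
 * Returns TRUE after logging; FALSE when hInst does not resolve to PE
 * headers or GetModuleFileNameW cannot name it (nothing is logged then).
 */
BOOL InstanceEnumerate(HINSTANCE hInst)
{
    WCHAR wzDllName[MAX_PATH];

    PIMAGE_NT_HEADERS pinh = NtHeadersForInstance(hInst);
    if (pinh == NULL) {
        return FALSE;
    }
    if (!Real_GetModuleFileNameW(hInst, wzDllName, ARRAYOF(wzDllName))) {
        return FALSE;
    }

    // %p rather than %08lx: 'long' is 32 bits on Win64, so the old specifier
    // both truncated the handle and mismatched the vararg it consumed.
    Syelog(SYELOG_SEVERITY_INFORMATION, "### %p: %ls\n", hInst, wzDllName);
    return TRUE;
}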
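/*
 * DLL_PROCESS_ATTACH handler for the traceapi DLL.
 *
 * Allocates the per-thread slots, records the module handle and path, opens
 * the syelog channel, dumps the process image map and installs the
 * trampolines. Logging stays disabled (s_bLog == FALSE) until setup is done.
 *
 * Returns FALSE (failing the load) only when the TLS slots cannot be
 * allocated; otherwise TRUE.
 */
BOOL ProcessAttach(HMODULE hDll)
{
    s_bLog = FALSE;

    // Per-thread slots for the call-indent level and the thread id.
    s_nTlsIndent = TlsAlloc();
    s_nTlsThread = TlsAlloc();
    if (s_nTlsIndent == TLS_OUT_OF_INDEXES || s_nTlsThread == TLS_OUT_OF_INDEXES) {
        // An invalid index makes every later TlsSetValue/TlsGetValue fail
        // silently; better to refuse the load than to trace with broken
        // per-thread state. Give back whichever slot was obtained.
        if (s_nTlsIndent != TLS_OUT_OF_INDEXES) {
            TlsFree(s_nTlsIndent);
            s_nTlsIndent = TLS_OUT_OF_INDEXES;
        }
        if (s_nTlsThread != TLS_OUT_OF_INDEXES) {
            TlsFree(s_nTlsThread);
            s_nTlsThread = TLS_OUT_OF_INDEXES;
        }
        return FALSE;
    }
    ThreadAttach(hDll);

    s_hInst = hDll;
    // Record our own path; the result is not needed here, and s_wzDllPath is
    // presumably file-scope, so it stays an empty string if the call fails.
    Real_GetModuleFileNameW(hDll, s_wzDllPath, ARRAYOF(s_wzDllPath));

    SyelogOpen("traceapi", SYELOG_FACILITY_APPLICATION);
    ProcessEnumerate();
    TrampolineWith();

    s_bLog = TRUE;
    return TRUE;
}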
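/*
 * Detour for GetModuleFileNameW: log entry, forward to the trampoline, log
 * the result and the returned path, and return exactly what the real call
 * returned. __finally keeps the exit record even if the real call raises.
 *
 * a0: module handle; a1: caller's output buffer; a2: its size in WCHARs.
 */
DWORD WINAPI Mine_GetModuleFileNameW(HINSTANCE a0, LPWSTR a1, DWORD a2)
{
    _PrintEnter("GetModuleFileNameW(%p,%p,%x)\n", a0, a1, a2);

    DWORD rv = 0;
    __try {
        rv = Real_GetModuleFileNameW(a0, a1, a2);
    } __finally {
        // Only dereference the caller's buffer when the real call filled it.
        // On failure (rv == 0), with a NULL or zero-length buffer, or when we
        // are unwinding after an exception, a1 may hold nothing printable and
        // the old unconditional %ls read uninitialized or invalid memory.
        LPCWSTR wzPath = (rv != 0 && a1 != NULL && a2 != 0) ? a1 : L"";
        _PrintExit("GetModuleFileNameW(,%ls,) -> %x\n", wzPath, rv);
    }
    return rv;
}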
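/*
 * Dump the user-mode address space to the log, one line per allocation:
 * mapped images are printed with their path, everything else with its
 * state and (union of) protection flags. Ends with a peek at the
 * environment block. Always returns TRUE.
 */
BOOL ProcessEnumerate()
{
    Syelog(SYELOG_SEVERITY_INFORMATION,
           "######################################################### Binaries\n");

    // Walk upward from the lowest user-mode address. VirtualQuery fails once
    // pbNext runs past the end of user space (or wraps), which ends the loop.
    PBYTE pbNext;
    for (PBYTE pbRegion = (PBYTE)0x10000;; pbRegion = pbNext) {
        MEMORY_BASIC_INFORMATION mbi;
        ZeroMemory(&mbi, sizeof(mbi));
        if (VirtualQuery((PVOID)pbRegion, &mbi, sizeof(mbi)) == 0) {
            break;
        }
        pbNext = (PBYTE)mbi.BaseAddress + mbi.RegionSize;

        // Skip free regions, guard/no-cache pages and inaccessible memory:
        // none of them can be a readable image base.
        if (mbi.State == MEM_FREE) {
            continue;
        }
        if ((mbi.Protect & PAGE_GUARD) || (mbi.Protect & PAGE_NOCACHE)) {
            continue;
        }
        if (mbi.Protect == PAGE_NOACCESS) {
            continue;
        }

        // Fold the remaining regions of the same allocation into this entry
        // so one image (or heap) is reported as a single range.
        {
            MEMORY_BASIC_INFORMATION mbiStep;
            while (VirtualQuery((PVOID)pbNext, &mbiStep, sizeof(mbiStep)) > 0) {
                if ((PBYTE)mbiStep.AllocationBase != pbRegion) {
                    break;
                }
                pbNext = (PBYTE)mbiStep.BaseAddress + mbiStep.RegionSize;
                mbi.Protect |= mbiStep.Protect;
            }
        }

        // %p for the addresses: 'long' is 32 bits on Win64, so %08lx both
        // truncated the value and mismatched the vararg it consumed.
        WCHAR wzDllName[MAX_PATH];
        PIMAGE_NT_HEADERS pinh = NtHeadersForInstance((HINSTANCE)pbRegion);
        if (pinh &&
            Real_GetModuleFileNameW((HINSTANCE)pbRegion, wzDllName, ARRAYOF(wzDllName))) {
            Syelog(SYELOG_SEVERITY_INFORMATION, "### %p..%p: %ls\n",
                   pbRegion, pbNext, wzDllName);
        }
        else {
            Syelog(SYELOG_SEVERITY_INFORMATION, "### %p..%p: State=%04x, Protect=%08x\n",
                   pbRegion, pbNext, mbi.State, mbi.Protect);
        }
    }
    Syelog(SYELOG_SEVERITY_INFORMATION, "###\n");

    // Peek at the first two pointer-sized words of the environment block.
    // The block is a copy owned by us, so it is released once logged; this
    // assumes Real_GetEnvironmentStrings wraps the ANSI export (the
    // unsuffixed GetEnvironmentStrings) -- confirm against the trampoline
    // declaration if it is ever switched to the W variant.
    LPVOID lpvEnv = Real_GetEnvironmentStrings();
    if (lpvEnv != NULL) {
        Syelog(SYELOG_SEVERITY_INFORMATION, "### Env= %p [%p %p]\n",
               lpvEnv, ((PVOID*)lpvEnv)[0], ((PVOID*)lpvEnv)[1]);
        FreeEnvironmentStringsA((LPCH)lpvEnv);
    }
    else {
        Syelog(SYELOG_SEVERITY_INFORMATION, "### Env= (null)\n");
    }
    // The stray printf("%08x\n") that used to sit here read a missing
    // vararg (undefined behaviour) and wrote into the traced process's
    // stdout; everything goes through Syelog instead.
    return TRUE;
}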
/*
 * Pass-through detour for GetModuleFileNameW.
 *
 * Forwards the caller's arguments unchanged to the trampoline and hands
 * back its result; no logging and no inspection of the buffer.
 *
 * a0: module handle; a1: caller's output buffer; a2: its size in WCHARs.
 */
DWORD WINAPI Mine_GetModuleFileNameW(HMODULE a0, LPWSTR a1, DWORD a2)
{
    DWORD cchCopied = Real_GetModuleFileNameW(a0, a1, a2);
    return cchCopied;
}