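/*
 * Copy a module's BaseDllName into a freshly allocated, NUL-terminated
 * narrow string. Each UTF-16 code unit is narrowed with a plain (char) cast,
 * so any non-Latin name is mangled; callers only use the result for display,
 * which is why the lossy conversion is acceptable here.
 *
 * Returns a calloc'd buffer owned by the caller, or NULL on allocation failure.
 */
static char *narrow_base_dll_name(const LDR_MODULE *mod)
{
    /* UNICODE_STRING.Length is a byte count, not a character count */
    size_t nchars = mod->BaseDllName.Length / sizeof(wchar_t);
    char *name = calloc(1, nchars + 1);
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < nchars; i++)
        name[i] = (char)mod->BaseDllName.Buffer[i];
    return name;
}

/*
 * Map an address to the base name of the loaded module containing it.
 *
 * On success returns a heap-allocated (calloc) string with the module's base
 * DLL name, stores the address's offset from the module base in *offset, and
 * transfers ownership of the string to the caller (free() it). Returns NULL,
 * leaving *offset untouched, when the address falls inside no loaded module
 * or when allocation fails.
 *
 * Our own DLL is matched first against g_our_dll_base/g_our_dll_size and
 * reported under a fixed name instead of going through the loader list.
 */
char *convert_address_to_dll_name_and_offset(ULONG_PTR addr, unsigned int *offset)
{
    static const char our_dll_name[] = "cuckoomon.dll";
    PEB *peb = (PEB *)get_peb();
    LDR_MODULE *mod;

    if (addr >= g_our_dll_base && addr < (g_our_dll_base + g_our_dll_size)) {
        /* sizeof includes the terminating NUL, so a single copy suffices */
        char *buf = calloc(1, sizeof our_dll_name);
        if (buf == NULL)
            return NULL;
        memcpy(buf, our_dll_name, sizeof our_dll_name);
        *offset = (unsigned int)(addr - g_our_dll_base);
        return buf;
    }

    /* Walk the in-load-order module list; the walk stops at the first entry
     * whose BaseAddress is NULL (presumably the list head once the circular
     * list wraps around -- confirm against the PEB_LDR_DATA layout). */
    for (mod = (LDR_MODULE *)peb->LoaderData->InLoadOrderModuleList.Flink;
         mod->BaseAddress != NULL;
         mod = (LDR_MODULE *)mod->InLoadOrderModuleList.Flink) {
        ULONG_PTR base = (ULONG_PTR)mod->BaseAddress;
        if (addr < base || addr >= (base + mod->SizeOfImage))
            continue;

        char *buf = narrow_base_dll_name(mod);
        if (buf == NULL)
            return NULL;
        *offset = (unsigned int)(addr - base);
        return buf;
    }
    return NULL;
}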
/*
 * Redirected RtlFreeOemString.
 *
 * Strings whose buffer lives in DynamoRIO's own address space were allocated
 * by the private heap, so they are released through redirect_RtlFreeHeap on
 * the current process heap and the descriptor is zeroed. Anything else is
 * handed to the real RtlFreeOemString untouched.
 */
void WINAPI redirect_RtlFreeOemString(OEM_STRING *string)
{
    byte *buffer = (byte *)string->Buffer;

    if (!is_dynamo_address((app_pc)buffer)) {
        RtlFreeOemString(string);
        return;
    }

    PEB *peb = get_peb(NT_CURRENT_PROCESS);
    redirect_RtlFreeHeap(peb->ProcessHeap, 0, buffer);
    /* clear Length/MaximumLength/Buffer so a stale pointer is never reused */
    memset(string, 0, sizeof(*string));
}
/*
 * Redirected GetProcessHeap.
 *
 * With CLIENT_INTERFACE the private PEB's heap is returned so that private
 * libraries allocate from the private heap; otherwise the application PEB's
 * ProcessHeap is returned.
 */
HANDLE WINAPI redirect_GetProcessHeap(VOID)
{
    PEB *peb;
#ifdef CLIENT_INTERFACE
    /* XXX: perhaps all of these redirection routines should be ifdef
     * CLIENT_INTERFACE. The loader itself is not, for use w/ hotpatching,
     * etc. */
    peb = get_private_peb();
#else
    peb = get_peb(NT_CURRENT_PROCESS);
#endif
    return peb->ProcessHeap;
}
/*
 * Register the address range of every loaded module with add_dll_range(),
 * except the main executable image (first in-load-order entry) and the DLL
 * whose base is base_of_dll_of_interest.
 */
void add_all_dlls_to_dll_ranges(void)
{
    PEB *peb = (PEB *)get_peb();
    LDR_MODULE *entry = (LDR_MODULE *)peb->LoaderData->InLoadOrderModuleList.Flink;

    /* The first entry is the base image; nothing to do on an empty list. */
    if (entry->BaseAddress == NULL)
        return;
    entry = (LDR_MODULE *)entry->InLoadOrderModuleList.Flink;

    /* A NULL BaseAddress terminates the walk (list head reached). */
    while (entry->BaseAddress != NULL) {
        ULONG_PTR base = (ULONG_PTR)entry->BaseAddress;
        if (base != base_of_dll_of_interest)
            add_dll_range(base, base + entry->SizeOfImage);
        entry = (LDR_MODULE *)entry->InLoadOrderModuleList.Flink;
    }
}
/*
 * Decide whether a heap API call on `heap` must be served by DynamoRIO's
 * private heap rather than passed through to ntdll.
 *
 * True for the process default heap (private and/or application PEB) and for
 * any heap handle that lies inside DynamoRIO's own address space, i.e. one
 * whose creation was intercepted. With CLIENT_INTERFACE, the privlib_privheap
 * option switches the redirection off entirely.
 */
bool redirect_heap_call(HANDLE heap)
{
    ASSERT(!dynamo_initialized || dynamo_exited || standalone_library ||
           get_thread_private_dcontext() == NULL /*thread exiting*/ ||
           !os_using_app_state(get_thread_private_dcontext()));
#ifdef CLIENT_INTERFACE
    if (!INTERNAL_OPTION(privlib_privheap))
        return false;
    /* Check the private PEB first: it should match the current one, but
     * handle the case where the PEBs were never swapped. */
    if (heap == get_private_peb()->ProcessHeap)
        return true;
#endif
    if (heap == get_peb(NT_CURRENT_PROCESS)->ProcessHeap)
        return true;
    /* a heap we created ourselves lives in our own address space */
    return is_dynamo_address((byte *)heap);
}
/*
 * Unlink the loader entry for `module_handle` from the PEB's module lists
 * and wipe the entry. Only the first entry whose BaseAddress matches is
 * affected; if no entry matches, the PEB is left unchanged.
 */
void hide_module_from_peb(HMODULE module_handle)
{
    PEB *peb = (PEB *)get_peb();
    LDR_MODULE *entry = (LDR_MODULE *)peb->LoaderData->InLoadOrderModuleList.Flink;

    /* A NULL BaseAddress terminates the walk (list head reached). */
    while (entry->BaseAddress != NULL) {
        if (entry->BaseAddress != module_handle) {
            entry = (LDR_MODULE *)entry->InLoadOrderModuleList.Flink;
            continue;
        }

        CUT_LIST(entry->InLoadOrderModuleList);
        CUT_LIST(entry->InInitializationOrderModuleList);
        CUT_LIST(entry->InMemoryOrderModuleList);
        /* TODO: verify that HashTableEntry is really used as a linked list
         * in the same way as InLoadOrderModuleList etc. */
        CUT_LIST(entry->HashTableEntry);

        /* unlinked entries are zeroed so nothing stale remains readable */
        memset(entry, 0, sizeof(*entry));
        return;
    }
}