CXTPSkinManagerModuleList::CXTPSkinManagerModuleList(DWORD dwProcessId) { m_pEnumerator = NULL; if (GetSharedData().m_hPsapiDll) { m_pEnumerator = new CPsapiModuleEnumerator(dwProcessId, GetSharedData().m_hPsapiDll); } else if (GetSharedData().m_bExists) { m_pEnumerator = new CToolHelpModuleEnumerator(dwProcessId); } ASSERT(m_pEnumerator); }
HRESULT CDuiWinDwmWrapper::DefWindowProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam, LRESULT *plResult) { CSharedData& sData = GetSharedData(); if (sData.m_hDwmDll != NULL && sData.m_ptrWrappers[duiWrapperDwmDefWindowProc] == NULL) { sData.m_ptrWrappers[duiWrapperDwmDefWindowProc] = ::GetProcAddress( sData.m_hDwmDll, duiWrapperProcDwmDefWindowProc); } DUIPFNDwmDefWindowProc ptr = (DUIPFNDwmDefWindowProc)sData.m_ptrWrappers[duiWrapperDwmDefWindowProc]; if (ptr) { return (*ptr)(hWnd, msg, wParam, lParam, plResult); } return E_FAIL; }
VOID ResetTrampoline() { PSHARED_DISP_DATA disp = GetSharedData(); if (disp->Signature != SHARED_SIGNATURE) { KdPrint (("ngvid:" __FUNCTION__ ": Damaged shared block %X signature %X should be %X\n", disp, disp->Signature, SHARED_SIGNATURE)); return; } ASSERT (disp->Trampoline); TrampolineIsr = (PTRAMPOLINE) disp->Trampoline; KdPrint(("Resetting trampoline at %X\n", TrampolineIsr)); KIRQL Irql; KeRaiseIrql (HIGH_LEVEL, &Irql); /* USHORT XorEaxEaxOpcode; // 33C0 XOR EAX, EAX UCHAR IncEaxOpcode; // 40 INC EAX UCHAR MovOpcode[4]; // 8B4C2418 MOV ECX, DWORD PTR SS:[ESP+18] UCHAR Mov2Opcode[3]; // C60101 MOV BYTE PTR [ECX], 1 UCHAR RetOpcode[3]; // C21C00 RETN 1C */ TrampolineIsr->e2.XorEaxEaxOpcode = 0xC033; TrampolineIsr->e2.IncEaxOpcode = 0x40; TrampolineIsr->e2.MovOpcode[0] = 0x8B; TrampolineIsr->e2.MovOpcode[1] = 0x4C; TrampolineIsr->e2.MovOpcode[2] = 0x24; TrampolineIsr->e2.MovOpcode[3] = 0x18; TrampolineIsr->e2.Mov2Opcode[0] = 0xC6; TrampolineIsr->e2.Mov2Opcode[1] = 0x01; TrampolineIsr->e2.Mov2Opcode[2] = 0x01; TrampolineIsr->e2.RetOpcode[0] = 0xC2; TrampolineIsr->e2.RetOpcode[1] = 0x1C; TrampolineIsr->e2.RetOpcode[2] = 0x00; KeLowerIrql (Irql); }
BOOL CDuiWinDwmWrapper::IsCompositionEnabled() { CSharedData& sData = GetSharedData(); if (sData.m_hDwmDll != NULL && sData.m_ptrWrappers[duiWrapperDwmIsCompositionEnabled] == NULL) { sData.m_ptrWrappers[duiWrapperDwmIsCompositionEnabled] = ::GetProcAddress( sData.m_hDwmDll, duiWrapperProcDwmIsCompositionEnabled); } DUIPFNDwmIsCompositionEnabled ptr = (DUIPFNDwmIsCompositionEnabled)sData.m_ptrWrappers[duiWrapperDwmIsCompositionEnabled]; if (ptr) { BOOL bEnabled = FALSE; LRESULT lResult = (*ptr)(&bEnabled); if (FAILED(lResult)) return FALSE; return bEnabled; } return FALSE; }
VOID CreateTrampoline() { PSHARED_DISP_DATA disp = GetSharedData(); if (disp->Signature != SHARED_SIGNATURE) { KdPrint (("ngvid:" __FUNCTION__ ": Damaged shared block %X signature %X should be %X\n", disp, disp->Signature, SHARED_SIGNATURE)); return; } if (disp->Trampoline) { KdPrint(("Trampoline already exists at %X\n", disp->Trampoline)); TrampolineIsr = (PTRAMPOLINE) disp->Trampoline; } else { TrampolineIsr = (PTRAMPOLINE) ExAllocatePool (NonPagedPool, sizeof(TRAMPOLINE)); KdPrint(("Trampoline allocated at %X\n", TrampolineIsr)); } KIRQL Irql; KeRaiseIrql (HIGH_LEVEL, &Irql); TrampolineIsr->e1.PushOpcode = 0x68; TrampolineIsr->e1.Address = IsrHookRoutine; TrampolineIsr->e1.RetOpcode = 0xC3; KeLowerIrql (Irql); KdPrint(("Trampoline created\n", TrampolineIsr)); if (disp->Trampoline == NULL) { I8042HookKeyboard ((PI8042_KEYBOARD_ISR) TrampolineIsr); disp->Trampoline = TrampolineIsr; } }
HRESULT CDuiWinDwmWrapper::ExtendFrameIntoClientArea(HWND hWnd, int cxLeftWidth, int cyTopHeight, int cxRightWidth, int cyBottomHeight) { CSharedData& sData = GetSharedData(); if (sData.m_hDwmDll != NULL && sData.m_ptrWrappers[duiWrapperDwmExtendFrameIntoClientArea] == NULL) { sData.m_ptrWrappers[duiWrapperDwmExtendFrameIntoClientArea] = ::GetProcAddress( sData.m_hDwmDll, duiWrapperProcDwmExtendFrameIntoClientArea); } DUIPFNDwmExtendFrameIntoClientArea ptr = (DUIPFNDwmExtendFrameIntoClientArea)sData.m_ptrWrappers[duiWrapperDwmExtendFrameIntoClientArea]; if (ptr) { DUI_DWM_MARGINS margins; margins.cxLeftWidth = cxLeftWidth; margins.cyTopHeight = cyTopHeight; margins.cxRightWidth = cxRightWidth; margins.cyBottomHeight = cyBottomHeight; return (*ptr)(hWnd, &margins); } return E_FAIL; }
// // Driver entry point // NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING ) { DriverObject->DriverUnload = DriverUnload; KdPrint(("[~] DriverEntry()\n")); PsGetVersion (&MajorVersion, &MinorVersion, 0, 0); if (MajorVersion >= 6) { KdPrint(("Windows Vista and later are not supported yet\n")); return STATUS_NOT_SUPPORTED; } if (MajorVersion < 5 || MinorVersion == 0) { KdPrint(("Windows NT and 2000 are not supported\n")); return STATUS_NOT_SUPPORTED; } ASSERT (MajorVersion == 5); ASSERT (MinorVersion >= 1 && MinorVersion <= 2); if (MinorVersion == 1) { KdPrint(("Running on Windows XP\n")); } else { KdPrint(("Running on Windows 2003 Server\n")); } if (KeNumberProcessors > 1) { KdPrint(("Loading on multiprocessor system (NumberProcessors %d)\n", KeNumberProcessors)); } else { KdPrint(("Loading on uniprocessor system\n")); } KdPrint (("First hello from nt\n")); if(!NT_SUCCESS(W32FindAndSwapIAT ())) { KdPrint(("could not swap import\n")); return STATUS_INVALID_FILE_FOR_SECTION; } // import something from W32k EngPrint ("Second hello from win32k\n"); HANDLE hCsrProcess; NTSTATUS Status; Status = ObOpenObjectByPointer ( CsrProcess, OBJ_KERNEL_HANDLE, NULL, PROCESS_ALL_ACCESS, *PsProcessType, KernelMode, &hCsrProcess ); if (!NT_SUCCESS(Status)) { KdPrint(("ObOpenObjectByPointer failed with status %X\n", Status)); W32ReleaseCall(); return Status; } KdPrint(("csr opened, handle %X\n", hCsrProcess)); // // EngLoadImage uses KeAttachProcess/KeDetachProcess to attach to csrss process // KeDetachProcess detaches to thread's original process, but our thread's // original process is System! (because we are running in the context of system // worker thread that loads a driver). // ( // | fucken windows programmers could not call KeStackAttachProcess // | instead of KeAttachProcess :( // ) // So we have to run our function in the context of csrss.exe // HANDLE ThreadHandle; CLIENT_ID ClientId; OBJECT_ATTRIBUTES Oa; InitializeObjectAttributes (&Oa, NULL, OBJ_KERNEL_HANDLE, 0, 0); Status = PsCreateSystemThread ( &ThreadHandle, THREAD_ALL_ACCESS, &Oa, hCsrProcess, &ClientId, REINITIALIZE_ADAPTER, NULL ); if (!NT_SUCCESS(Status)) { KdPrint(("PsCreateSystemThread failed with status %X\n", Status)); ZwClose (hCsrProcess); W32ReleaseCall(); return Status; } KdPrint(("thread created, handle %X\n", ThreadHandle)); PETHREAD Thread; Status = ObReferenceObjectByHandle( ThreadHandle, THREAD_ALL_ACCESS, *PsThreadType, KernelMode, (PVOID*) &Thread, NULL ); if (!NT_SUCCESS(Status)) { KdPrint(("ObReferenceObjectByHandle failed with status %X\n", Status)); // cannot unload because thread is running KeBugCheck (0); } KdPrint(("thread referenced to %X\n", Thread)); KeWaitForSingleObject (Thread, Executive, KernelMode, FALSE, NULL); KdPrint(("Thread terminated\n")); ZwClose (hCsrProcess); ObDereferenceObject (Thread); ZwClose (ThreadHandle); KdPrint(("success\n", hCsrProcess)); if (!pDrvCopyBits) { KdPrint(("Could not find DrvCopyBits\n")); W32ReleaseCall(); return STATUS_UNSUCCESSFUL; } // // Query keyboard LEDs // if(!NT_SUCCESS(KbdWinQueryLeds())) { W32ReleaseCall(); return STATUS_UNSUCCESSFUL; } PSHARED_DISP_DATA disp = GetSharedData(); if (!disp) { EngPrint ("ngvid: could not get shared data\n"); W32ReleaseCall(); return STATUS_UNSUCCESSFUL; } if (disp->Signature != SHARED_SIGNATURE) { EngPrint ("ngvid: Damaged shared block %X signature %X should be %X\n", disp, disp->Signature, SHARED_SIGNATURE); //__asm int 3 W32ReleaseCall(); return STATUS_UNSUCCESSFUL; } KdPrint (("Got shared %X Sign %X Surf %X\n", disp, disp->Signature, disp->pPrimarySurf)); #if 0 // // Temporarily hook DrvCopyBits // pDrvCopyBits = disp->pDrvCopyBits; #endif if (!disp->pPrimarySurf) { KdPrint(("DrvCopyBits %X\n", pDrvCopyBits)); KeInitializeEvent (&SynchEvent, SynchronizationEvent, FALSE); if (SpliceFunctionStart (pDrvCopyBits, NewDrvCopyBits, SplicingBuffer, sizeof(SplicingBuffer), BackupBuffer, &BackupWritten, FALSE)) { KdPrint(("SpliceFunctionStart FAILED!!!\n")); W32ReleaseCall(); return STATUS_UNSUCCESSFUL; } KdPrint(("Now you have to move mouse pointer across the display ...\n")); KeWaitForSingleObject (&SynchEvent, Executive, KernelMode, FALSE, NULL); UnspliceFunctionStart (pDrvCopyBits, BackupBuffer, FALSE); KdPrint(("Wait succeeded, so got primary surf %X\n", pPrimarySurf)); disp->pPrimarySurf = pPrimarySurf; } else { KdPrint(("Already have primary surface\n")); pPrimarySurf = disp->pPrimarySurf; } // Hook kbd & mouse #if KBD_HOOK_ISR OldKbd = GetIOAPICIntVector (1); *(PVOID*)&OldISR = IoHookInterrupt ( (UCHAR)OldKbd, InterruptService); #else CreateTrampoline(); //I8042HookKeyboard ((PI8042_KEYBOARD_ISR) IsrHookRoutine); #endif MouseInitialize (StateChangeCallbackRoutine); KdPrint(("Keyboard & mouse hooked\n")); // Initialize reset DPC KeInitializeDpc (&HotkeyResetStateDpc, HotkeyResetStateDeferredRoutine, NULL); // // Perform multiprocessor initialization // DbgHalInitializeMP (); /// Worker(); /// W32ReleaseCall(); DbgInitialize (); KdPrint(("[+] Driver initialization successful\n")); return STATUS_SUCCESS; }
BOOL AFX_CDECL CXTPSkinManagerModuleList::IsEnumeratorExists() { return GetSharedData().m_bExists; }