1 | /* $Id: nt_child_inject_standard_handles.c 3236 2018-10-28 14:15:41Z bird $ */
|
---|
2 | /** @file
|
---|
3 | * Injecting standard handles into a child process.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (c) 2004-2018 knut st. osmundsen <[email protected]>
|
---|
8 | *
|
---|
9 | * This file is part of kBuild.
|
---|
10 | *
|
---|
11 | * kBuild is free software; you can redistribute it and/or modify
|
---|
12 | * it under the terms of the GNU General Public License as published by
|
---|
13 | * the Free Software Foundation; either version 3 of the License, or
|
---|
14 | * (at your option) any later version.
|
---|
15 | *
|
---|
16 | * kBuild is distributed in the hope that it will be useful,
|
---|
17 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
---|
19 | * GNU General Public License for more details.
|
---|
20 | *
|
---|
21 | * You should have received a copy of the GNU General Public License
|
---|
22 | * along with kBuild. If not, see <http://www.gnu.org/licenses/>
|
---|
23 | *
|
---|
24 | */
|
---|
25 |
|
---|
26 |
|
---|
27 | /*********************************************************************************************************************************
|
---|
28 | * Header Files *
|
---|
29 | *********************************************************************************************************************************/
|
---|
30 | #include <Windows.h>
|
---|
31 | #include <Winternl.h>
|
---|
32 | #include <stdio.h>
|
---|
33 | #include <assert.h>
|
---|
34 | #include <k/kDefs.h>
|
---|
35 | #include "nt_child_inject_standard_handles.h"
|
---|
36 |
|
---|
37 | /**
|
---|
38 | * Wrapper around ReadProcessMemory in case WOW64 tricks are needed.
|
---|
39 | *
|
---|
40 | * @returns Success indicator.
|
---|
41 | * @param hProcess The target process.
|
---|
42 | * @param ullSrc The source address (in @a hProcess).
|
---|
43 | * @param pvDst The target address (this process).
|
---|
44 | * @param cbToRead How much to read.
|
---|
45 | * @param pcbRead Where to return how much was actually read.
|
---|
46 | */
|
---|
47 | static BOOL MyReadProcessMemory(HANDLE hProcess, ULONGLONG ullSrc, void *pvDst, SIZE_T cbToRead, SIZE_T *pcbRead)
|
---|
48 | {
|
---|
49 | #if K_ARCH_BITS != 64
|
---|
50 | if (ullSrc + cbToRead - 1 > ~(uintptr_t)0)
|
---|
51 | {
|
---|
52 | typedef NTSTATUS(NTAPI *PFN_NtWow64ReadVirtualMemory64)(HANDLE, ULONGLONG, PVOID, ULONGLONG, PULONGLONG);
|
---|
53 | static PFN_NtWow64ReadVirtualMemory64 volatile s_pfnNtWow64ReadVirtualMemory64= NULL;
|
---|
54 | static BOOL volatile s_fInitialized = FALSE;
|
---|
55 | PFN_NtWow64ReadVirtualMemory64 pfnNtWow64ReadVirtualMemory64 = s_pfnNtWow64ReadVirtualMemory64;
|
---|
56 | if (!pfnNtWow64ReadVirtualMemory64 && !s_fInitialized)
|
---|
57 | {
|
---|
58 | *(FARPROC *)&pfnNtWow64ReadVirtualMemory64 = GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtWow64ReadVirtualMemory64");
|
---|
59 | s_pfnNtWow64ReadVirtualMemory64 = pfnNtWow64ReadVirtualMemory64;
|
---|
60 | }
|
---|
61 | if (pfnNtWow64ReadVirtualMemory64)
|
---|
62 | {
|
---|
63 | struct
|
---|
64 | {
|
---|
65 | ULONGLONG volatile ullBefore;
|
---|
66 | ULONGLONG cbRead64;
|
---|
67 | ULONGLONG volatile ullAfter;
|
---|
68 | } Wtf = { ~(ULONGLONG)0, 0, ~(ULONGLONG)0 };
|
---|
69 | NTSTATUS rcNt = pfnNtWow64ReadVirtualMemory64(hProcess, ullSrc, pvDst, cbToRead, &Wtf.cbRead64);
|
---|
70 | *pcbRead = (SIZE_T)Wtf.cbRead64;
|
---|
71 | SetLastError(rcNt); /* lazy bird */
|
---|
72 | return NT_SUCCESS(rcNt);
|
---|
73 | }
|
---|
74 | }
|
---|
75 | #endif
|
---|
76 | return ReadProcessMemory(hProcess, (void *)(uintptr_t)ullSrc, pvDst, cbToRead, pcbRead);
|
---|
77 | }
|
---|
78 |
|
---|
79 |
|
---|
80 | /**
|
---|
81 | * Wrapper around WriteProcessMemory in case WOW64 tricks are needed.
|
---|
82 | *
|
---|
83 | * @returns Success indicator.
|
---|
84 | * @param hProcess The target process.
|
---|
85 | * @param ullDst The target address (in @a hProcess).
|
---|
86 | * @param pvSrc The source address (this process).
|
---|
87 | * @param cbToWrite How much to write.
|
---|
88 | * @param pcbWritten Where to return how much was actually written.
|
---|
89 | */
|
---|
90 | static BOOL MyWriteProcessMemory(HANDLE hProcess, ULONGLONG ullDst, void const *pvSrc, SIZE_T cbToWrite, SIZE_T *pcbWritten)
|
---|
91 | {
|
---|
92 | #if K_ARCH_BITS != 64
|
---|
93 | if (ullDst + cbToWrite - 1 > ~(uintptr_t)0)
|
---|
94 | {
|
---|
95 | typedef NTSTATUS (NTAPI *PFN_NtWow64WriteVirtualMemory64)(HANDLE, ULONGLONG, VOID const *, ULONGLONG, PULONGLONG);
|
---|
96 | static PFN_NtWow64WriteVirtualMemory64 volatile s_pfnNtWow64WriteVirtualMemory64= NULL;
|
---|
97 | static BOOL volatile s_fInitialized = FALSE;
|
---|
98 | PFN_NtWow64WriteVirtualMemory64 pfnNtWow64WriteVirtualMemory64 = s_pfnNtWow64WriteVirtualMemory64;
|
---|
99 | if (!pfnNtWow64WriteVirtualMemory64 && !s_fInitialized)
|
---|
100 | {
|
---|
101 | *(FARPROC *)&pfnNtWow64WriteVirtualMemory64 = GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtWow64WriteVirtualMemory64");
|
---|
102 | s_pfnNtWow64WriteVirtualMemory64 = pfnNtWow64WriteVirtualMemory64;
|
---|
103 | }
|
---|
104 | if (pfnNtWow64WriteVirtualMemory64)
|
---|
105 | {
|
---|
106 | struct
|
---|
107 | {
|
---|
108 | ULONGLONG volatile ullBefore;
|
---|
109 | ULONGLONG cbWritten64;
|
---|
110 | ULONGLONG volatile ullAfter;
|
---|
111 | } Wtf = { ~(ULONGLONG)0, 0, ~(ULONGLONG)0 };
|
---|
112 | NTSTATUS rcNt = pfnNtWow64WriteVirtualMemory64(hProcess, ullDst, pvSrc, cbToWrite, &Wtf.cbWritten64);
|
---|
113 | *pcbWritten = (SIZE_T)Wtf.cbWritten64;
|
---|
114 | SetLastError(rcNt); /* lazy bird */
|
---|
115 | return NT_SUCCESS(rcNt);
|
---|
116 | }
|
---|
117 | }
|
---|
118 | #endif
|
---|
119 | return WriteProcessMemory(hProcess, (void *)(uintptr_t)ullDst, pvSrc, cbToWrite, pcbWritten);
|
---|
120 | }
|
---|
121 |
|
---|
122 |
|
---|
123 | /**
|
---|
124 | * Injects standard handles into a child process (created suspended).
|
---|
125 | *
|
---|
126 | * @returns 0 on success. On failure a non-zero windows error or NT status,
|
---|
127 | * with details in @a pszErr.
|
---|
128 | * @param hProcess The child process (created suspended).
|
---|
129 | * @param pafReplace Selects which handles to actually replace (TRUE) and
|
---|
130 | * which to leave as-is (FALSE). The first entry is
|
---|
131 | * starndard input, second is standard output, and the
|
---|
132 | * final is standard error.
|
---|
133 | * @param pahHandles The handle in the current process to inject into the
|
---|
134 | * child process. This runs parallel to pafReplace. The
|
---|
135 | * values NULL and INVALID_HANDLE_VALUE will be written
|
---|
136 | * directly to the child without duplication.
|
---|
137 | * @param pszErr Pointer to error message buffer.
|
---|
138 | * @param cbErr Size of error message buffer.
|
---|
139 | */
|
---|
140 | int nt_child_inject_standard_handles(HANDLE hProcess, BOOL pafReplace[3], HANDLE pahHandles[3], char *pszErr, size_t cbErr)
|
---|
141 | {
|
---|
142 | typedef NTSTATUS (NTAPI *PFN_NtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
|
---|
143 | static PFN_NtQueryInformationProcess volatile s_pfnNtQueryInformationProcess = NULL;
|
---|
144 | PFN_NtQueryInformationProcess pfnNtQueryInformationProcess;
|
---|
145 | #if K_ARCH_BITS != 64
|
---|
146 | static PFN_NtQueryInformationProcess volatile s_pfnNtWow64QueryInformationProcess64 = NULL;
|
---|
147 | PFN_NtQueryInformationProcess pfnNtWow64QueryInformationProcess64;
|
---|
148 |
|
---|
149 | static BOOL s_fHostIs64Bit = K_ARCH_BITS == 64;
|
---|
150 | static BOOL volatile s_fCheckedHost = FALSE;
|
---|
151 | #endif
|
---|
152 |
|
---|
153 | static const unsigned s_offProcessParametersInPeb32 = 0x10;
|
---|
154 | static const unsigned s_offProcessParametersInPeb64 = 0x20;
|
---|
155 | static const unsigned s_offStandardInputInProcParams32 = 0x18;
|
---|
156 | static const unsigned s_offStandardInputInProcParams64 = 0x20;
|
---|
157 | static const char * const s_apszNames[3] = { "standard input", "standard output", "standard error" };
|
---|
158 |
|
---|
159 |
|
---|
160 | ULONG cbActual1 = 0;
|
---|
161 | union
|
---|
162 | {
|
---|
163 | PROCESS_BASIC_INFORMATION Natural;
|
---|
164 | struct
|
---|
165 | {
|
---|
166 | NTSTATUS ExitStatus;
|
---|
167 | ULONGLONG PebBaseAddress;
|
---|
168 | ULONGLONG AffinityMask;
|
---|
169 | ULONG BasePriority;
|
---|
170 | ULONGLONG UniqueProcessId;
|
---|
171 | ULONGLONG InheritedFromUniqueProcessId;
|
---|
172 | } Wow64;
|
---|
173 | } BasicInfo = { { 0, 0, } };
|
---|
174 | uintptr_t uBasicInfoPeb;
|
---|
175 | NTSTATUS rcNt;
|
---|
176 | ULONGLONG ullPeb32 = 0;
|
---|
177 | ULONGLONG ullPeb64 = 0;
|
---|
178 | ULONGLONG ullProcParams32 = 0;
|
---|
179 | ULONGLONG ullProcParams64 = 0;
|
---|
180 | DWORD au32Handles[3] = { 0, 0, 0 };
|
---|
181 | ULONGLONG au64Handles[3] = { 0, 0, 0 };
|
---|
182 | unsigned iFirstToInject;
|
---|
183 | unsigned cHandlesToInject;
|
---|
184 | unsigned i;
|
---|
185 |
|
---|
186 | /*
|
---|
187 | * Analyze the input to figure out exactly what we need to do.
|
---|
188 | */
|
---|
189 | iFirstToInject = 0;
|
---|
190 | while (iFirstToInject < 3 && !pafReplace[iFirstToInject])
|
---|
191 | iFirstToInject++;
|
---|
192 | if (iFirstToInject >= 3)
|
---|
193 | return 0;
|
---|
194 |
|
---|
195 | cHandlesToInject = 3 - iFirstToInject;
|
---|
196 | while ( cHandlesToInject > 1
|
---|
197 | && !pafReplace[iFirstToInject + cHandlesToInject - 1])
|
---|
198 | cHandlesToInject--;
|
---|
199 |
|
---|
200 | #if K_ARCH_BITS != 64
|
---|
201 | /*
|
---|
202 | * Determine host bit count first time through.
|
---|
203 | */
|
---|
204 | if (!s_fCheckedHost)
|
---|
205 | {
|
---|
206 | BOOL fAmIWow64 = FALSE;
|
---|
207 | if ( IsWow64Process(GetCurrentProcess(), &fAmIWow64)
|
---|
208 | && fAmIWow64)
|
---|
209 | s_fHostIs64Bit = TRUE;
|
---|
210 | else
|
---|
211 | s_fHostIs64Bit = FALSE;
|
---|
212 | s_fCheckedHost = TRUE;
|
---|
213 | }
|
---|
214 | #endif
|
---|
215 |
|
---|
216 | /*
|
---|
217 | * Resolve NT API first time through.
|
---|
218 | */
|
---|
219 | pfnNtQueryInformationProcess = s_pfnNtQueryInformationProcess;
|
---|
220 | #if K_ARCH_BITS != 64
|
---|
221 | pfnNtWow64QueryInformationProcess64 = s_pfnNtWow64QueryInformationProcess64;
|
---|
222 | #endif
|
---|
223 | if (!pfnNtQueryInformationProcess)
|
---|
224 | {
|
---|
225 | HMODULE hmodNtDll = GetModuleHandleA("NTDLL.DLL");
|
---|
226 | #if K_ARCH_BITS != 64
|
---|
227 | *(FARPROC *)&pfnNtWow64QueryInformationProcess64 = GetProcAddress(hmodNtDll, "NtWow64QueryInformationProcess64");
|
---|
228 | s_pfnNtWow64QueryInformationProcess64 = pfnNtWow64QueryInformationProcess64;
|
---|
229 | #endif
|
---|
230 | *(FARPROC *)&pfnNtQueryInformationProcess = GetProcAddress(hmodNtDll, "NtQueryInformationProcess");
|
---|
231 | if (!pfnNtQueryInformationProcess)
|
---|
232 | {
|
---|
233 | _snprintf(pszErr, cbErr, "The NtQueryInformationProcess API was not found in NTDLL");
|
---|
234 | return ERROR_PROC_NOT_FOUND;
|
---|
235 | }
|
---|
236 | s_pfnNtQueryInformationProcess = pfnNtQueryInformationProcess;
|
---|
237 | }
|
---|
238 |
|
---|
239 | /*
|
---|
240 | * Get the PEB address.
|
---|
241 | *
|
---|
242 | * If we're a WOW64 process, we must use NtWow64QueryInformationProcess64
|
---|
243 | * here or the PEB address will be set to zero for 64-bit children.
|
---|
244 | */
|
---|
245 | #if K_ARCH_BITS != 64
|
---|
246 | /** @todo On vista PEB can be above 4GB! */
|
---|
247 | if (s_fHostIs64Bit && pfnNtWow64QueryInformationProcess64)
|
---|
248 | {
|
---|
249 | rcNt = pfnNtWow64QueryInformationProcess64(hProcess, ProcessBasicInformation, &BasicInfo.Wow64,
|
---|
250 | sizeof(BasicInfo.Wow64), &cbActual1);
|
---|
251 | if (!NT_SUCCESS(rcNt))
|
---|
252 | {
|
---|
253 | _snprintf(pszErr, cbErr, "NtWow64QueryInformationProcess64 failed: %#x", rcNt);
|
---|
254 | return rcNt;
|
---|
255 | }
|
---|
256 | if ( BasicInfo.Wow64.PebBaseAddress < 0x1000
|
---|
257 | || BasicInfo.Wow64.PebBaseAddress > ~(uintptr_t)0x1000)
|
---|
258 | {
|
---|
259 | _snprintf(pszErr, cbErr, "NtWow64QueryInformationProcess64 returned bad PebBaseAddress: %#llx",
|
---|
260 | BasicInfo.Wow64.PebBaseAddress);
|
---|
261 | return ERROR_INVALID_ADDRESS;
|
---|
262 | }
|
---|
263 | uBasicInfoPeb = (uintptr_t)BasicInfo.Wow64.PebBaseAddress;
|
---|
264 | }
|
---|
265 | else
|
---|
266 | #endif
|
---|
267 | {
|
---|
268 | rcNt = pfnNtQueryInformationProcess(hProcess, ProcessBasicInformation, &BasicInfo.Natural,
|
---|
269 | sizeof(BasicInfo.Natural), &cbActual1);
|
---|
270 | if (!NT_SUCCESS(rcNt))
|
---|
271 | {
|
---|
272 | _snprintf(pszErr, cbErr, "NtQueryInformationProcess failed: %#x", rcNt);
|
---|
273 | return rcNt;
|
---|
274 | }
|
---|
275 | if ((uintptr_t)BasicInfo.Natural.PebBaseAddress < 0x1000)
|
---|
276 | {
|
---|
277 | _snprintf(pszErr, cbErr, "NtQueryInformationProcess returned bad PebBaseAddress: %#llx",
|
---|
278 | BasicInfo.Natural.PebBaseAddress);
|
---|
279 | return ERROR_INVALID_ADDRESS;
|
---|
280 | }
|
---|
281 | uBasicInfoPeb = (uintptr_t)BasicInfo.Natural.PebBaseAddress;
|
---|
282 | }
|
---|
283 |
|
---|
284 | /*
|
---|
285 | * Get the 32-bit PEB if it's a WOW64 process.
|
---|
286 | * This query should return 0 for non-WOW64 processes, but we quietly
|
---|
287 | * ignore failures and assume non-WOW64 child.
|
---|
288 | */
|
---|
289 | #if K_ARCH_BITS != 64
|
---|
290 | if (!s_fHostIs64Bit)
|
---|
291 | ullPeb32 = uBasicInfoPeb;
|
---|
292 | else
|
---|
293 | #endif
|
---|
294 | {
|
---|
295 | ULONG_PTR uPeb32Ptr = 0;
|
---|
296 | cbActual1 = 0;
|
---|
297 | rcNt = pfnNtQueryInformationProcess(hProcess, ProcessWow64Information, &uPeb32Ptr, sizeof(uPeb32Ptr), &cbActual1);
|
---|
298 | if (NT_SUCCESS(rcNt) && uPeb32Ptr != 0)
|
---|
299 | {
|
---|
300 | ullPeb32 = uPeb32Ptr;
|
---|
301 | ullPeb64 = uBasicInfoPeb;
|
---|
302 | #if K_ARCH_BITS != 64
|
---|
303 | assert(ullPeb64 != ullPeb32);
|
---|
304 | if (ullPeb64 == ullPeb32)
|
---|
305 | ullPeb64 = 0;
|
---|
306 | #endif
|
---|
307 | }
|
---|
308 | else
|
---|
309 | {
|
---|
310 | assert(NT_SUCCESS(rcNt));
|
---|
311 | ullPeb64 = uBasicInfoPeb;
|
---|
312 | }
|
---|
313 | }
|
---|
314 |
|
---|
315 | /*
|
---|
316 | * Read the process parameter pointers.
|
---|
317 | */
|
---|
318 | if (ullPeb32)
|
---|
319 | {
|
---|
320 | DWORD uProcParamPtr = 0;
|
---|
321 | SIZE_T cbRead = 0;
|
---|
322 | if ( MyReadProcessMemory(hProcess, ullPeb32 + s_offProcessParametersInPeb32,
|
---|
323 | &uProcParamPtr, sizeof(uProcParamPtr), &cbRead)
|
---|
324 | && cbRead == sizeof(uProcParamPtr))
|
---|
325 | ullProcParams32 = uProcParamPtr;
|
---|
326 | else
|
---|
327 | {
|
---|
328 | DWORD dwErr = GetLastError();
|
---|
329 | _snprintf(pszErr, cbErr, "Failed to read PEB32!ProcessParameter at %#llx: %u/%#x (%u read)",
|
---|
330 | ullPeb32 + s_offProcessParametersInPeb32, dwErr, dwErr, cbRead);
|
---|
331 | return dwErr ? dwErr : -1;
|
---|
332 | }
|
---|
333 | if (uProcParamPtr < 0x1000)
|
---|
334 | {
|
---|
335 | _snprintf(pszErr, cbErr, "Bad PEB32!ProcessParameter value: %#llx", ullProcParams32);
|
---|
336 | return ERROR_INVALID_ADDRESS;
|
---|
337 | }
|
---|
338 | }
|
---|
339 |
|
---|
340 | if (ullPeb64)
|
---|
341 | {
|
---|
342 | ULONGLONG uProcParamPtr = 0;
|
---|
343 | SIZE_T cbRead = 0;
|
---|
344 | if ( MyReadProcessMemory(hProcess, ullPeb64 + s_offProcessParametersInPeb64,
|
---|
345 | &uProcParamPtr, sizeof(uProcParamPtr), &cbRead)
|
---|
346 | && cbRead == sizeof(uProcParamPtr))
|
---|
347 | ullProcParams64 = uProcParamPtr;
|
---|
348 | else
|
---|
349 | {
|
---|
350 | DWORD dwErr = GetLastError();
|
---|
351 | _snprintf(pszErr, cbErr, "Failed to read PEB64!ProcessParameter at %p: %u/%#x (%u read)",
|
---|
352 | ullPeb64 + s_offProcessParametersInPeb64, dwErr, dwErr, cbRead);
|
---|
353 | return dwErr ? dwErr : -1;
|
---|
354 | }
|
---|
355 | if (uProcParamPtr < 0x1000)
|
---|
356 | {
|
---|
357 | _snprintf(pszErr, cbErr, "Bad PEB64!ProcessParameter value: %#llx", uProcParamPtr);
|
---|
358 | return ERROR_INVALID_ADDRESS;
|
---|
359 | }
|
---|
360 | }
|
---|
361 |
|
---|
362 | /*
|
---|
363 | * If we're replacing standard input and standard error but not standard
|
---|
364 | * output, we must read the standard output handle. We ASSUME that in
|
---|
365 | * WOW64 processes the two PEBs have the same value, saving a read.
|
---|
366 | */
|
---|
367 | if (iFirstToInject == 0 && cHandlesToInject == 3 && !pafReplace[1])
|
---|
368 | {
|
---|
369 | if (ullProcParams64)
|
---|
370 | {
|
---|
371 | SIZE_T cbRead = 0;
|
---|
372 | if ( MyReadProcessMemory(hProcess, ullProcParams64 + s_offStandardInputInProcParams64 + sizeof(au64Handles[0]),
|
---|
373 | &au64Handles[1], sizeof(au64Handles[1]), &cbRead)
|
---|
374 | && cbRead == sizeof(au64Handles[1]))
|
---|
375 | au32Handles[1] = (DWORD)au64Handles[1];
|
---|
376 | else
|
---|
377 | {
|
---|
378 | DWORD dwErr = GetLastError();
|
---|
379 | _snprintf(pszErr, cbErr, "Failed to read ProcessParameter64!StandardOutput at %#llx: %u/%#x (%u read)",
|
---|
380 | ullProcParams64 + s_offStandardInputInProcParams64 + sizeof(au64Handles[0]), dwErr, dwErr, cbRead);
|
---|
381 | return dwErr ? dwErr : -1;
|
---|
382 | }
|
---|
383 | }
|
---|
384 | else if (ullProcParams32)
|
---|
385 | {
|
---|
386 | SIZE_T cbRead = 0;
|
---|
387 | if ( !MyReadProcessMemory(hProcess, ullProcParams32 + s_offStandardInputInProcParams32 + sizeof(au32Handles[0]),
|
---|
388 | &au32Handles[1], sizeof(au32Handles[1]), &cbRead)
|
---|
389 | || cbRead != sizeof(au32Handles[1]))
|
---|
390 | {
|
---|
391 | DWORD dwErr = GetLastError();
|
---|
392 | _snprintf(pszErr, cbErr, "Failed to read ProcessParameter32!StandardOutput at %#llx: %u/%#x (%u read)",
|
---|
393 | ullProcParams32 + s_offStandardInputInProcParams32 + sizeof(au32Handles[0]), dwErr, dwErr, cbRead);
|
---|
394 | return dwErr ? dwErr : -1;
|
---|
395 | }
|
---|
396 | }
|
---|
397 | }
|
---|
398 |
|
---|
399 | /*
|
---|
400 | * Duplicate the handles into process, preparing the two handle arrays
|
---|
401 | * that we'll write to the guest afterwards.
|
---|
402 | */
|
---|
403 | for (i = iFirstToInject; i < 3; i++)
|
---|
404 | if (pafReplace[i])
|
---|
405 | {
|
---|
406 | HANDLE hInChild = pahHandles[i];
|
---|
407 | if ( hInChild == NULL
|
---|
408 | || hInChild == INVALID_HANDLE_VALUE
|
---|
409 | || DuplicateHandle(GetCurrentProcess(), pahHandles[i], hProcess, &hInChild,
|
---|
410 | 0 /*fDesiredAccess*/, TRUE /*fInheritable*/, DUPLICATE_SAME_ACCESS))
|
---|
411 | {
|
---|
412 | au32Handles[i] = (DWORD)(uintptr_t)hInChild;
|
---|
413 | au64Handles[i] = (uintptr_t)hInChild;
|
---|
414 | }
|
---|
415 | else
|
---|
416 | {
|
---|
417 | DWORD dwErr = GetLastError();
|
---|
418 | _snprintf(pszErr, cbErr, "Failed to duplicate handle %p into the child as %s: %u",
|
---|
419 | pahHandles[i], s_apszNames[i], dwErr);
|
---|
420 | return dwErr ? dwErr : -1;
|
---|
421 | }
|
---|
422 | }
|
---|
423 |
|
---|
424 | /*
|
---|
425 | * Write the handle arrays to the child.
|
---|
426 | *
|
---|
427 | * If we're a WOW64 we need to use NtWow64WriteVirtualMemory64 instead of
|
---|
428 | * WriteProcessMemory because the latter fails with ERROR_NOACCESS (998).
|
---|
429 | * So, we use a wrapper for doing the writing.
|
---|
430 | */
|
---|
431 | if (ullProcParams32)
|
---|
432 | {
|
---|
433 | ULONGLONG ullDst = ullProcParams32 + s_offStandardInputInProcParams32 + iFirstToInject * sizeof(au32Handles[0]);
|
---|
434 | SIZE_T cbToWrite = cHandlesToInject * sizeof(au32Handles[0]);
|
---|
435 | SIZE_T cbWritten = 0;
|
---|
436 | if ( !MyWriteProcessMemory(hProcess, ullDst, &au32Handles[iFirstToInject], cbToWrite, &cbWritten)
|
---|
437 | || cbWritten != cbToWrite)
|
---|
438 | {
|
---|
439 | DWORD dwErr = GetLastError();
|
---|
440 | _snprintf(pszErr, cbErr, "Failed to write handles to ProcessParameter32 (%#llx LB %u): %u/%#x (%u written)",
|
---|
441 | ullDst, cbToWrite, dwErr, dwErr, cbWritten);
|
---|
442 | return dwErr ? dwErr : ERROR_MORE_DATA;
|
---|
443 | }
|
---|
444 | }
|
---|
445 |
|
---|
446 | if (ullProcParams64)
|
---|
447 | {
|
---|
448 | ULONGLONG ullDst = ullProcParams64 + s_offStandardInputInProcParams64 + iFirstToInject * sizeof(au64Handles[0]);
|
---|
449 | SIZE_T cbToWrite = cHandlesToInject * sizeof(au64Handles[0]);
|
---|
450 | SIZE_T cbWritten = 0;
|
---|
451 | if ( !MyWriteProcessMemory(hProcess, ullDst, &au64Handles[iFirstToInject], cbToWrite, &cbWritten)
|
---|
452 | || cbWritten != cbToWrite)
|
---|
453 | {
|
---|
454 | DWORD dwErr = GetLastError();
|
---|
455 | _snprintf(pszErr, cbErr, "Failed to write handles to ProcessParameter64 (%#llx LB %u): %u/%#x (%u written)",
|
---|
456 | ullDst, cbToWrite, dwErr, dwErr, cbWritten);
|
---|
457 | return dwErr ? dwErr : ERROR_MORE_DATA;
|
---|
458 | }
|
---|
459 | }
|
---|
460 |
|
---|
461 | /* Done successfully! */
|
---|
462 | return 0;
|
---|
463 | }
|
---|
464 |
|
---|