1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/win/iat_patch_function.h"
6
7 #include "base/logging.h"
8 #include "base/win/pe_image.h"
9
10 namespace base {
11 namespace win {
12
13 namespace {
14
15 struct InterceptFunctionInformation {
16 bool finished_operation;
17 const char* imported_from_module;
18 const char* function_name;
19 void* new_function;
20 void** old_function;
21 IMAGE_THUNK_DATA** iat_thunk;
22 DWORD return_code;
23 };
24
GetIATFunction(IMAGE_THUNK_DATA * iat_thunk)25 void* GetIATFunction(IMAGE_THUNK_DATA* iat_thunk) {
26 if (NULL == iat_thunk) {
27 NOTREACHED();
28 return NULL;
29 }
30
31 // Works around the 64 bit portability warning:
32 // The Function member inside IMAGE_THUNK_DATA is really a pointer
33 // to the IAT function. IMAGE_THUNK_DATA correctly maps to IMAGE_THUNK_DATA32
34 // or IMAGE_THUNK_DATA64 for correct pointer size.
35 union FunctionThunk {
36 IMAGE_THUNK_DATA thunk;
37 void* pointer;
38 } iat_function;
39
40 iat_function.thunk = *iat_thunk;
41 return iat_function.pointer;
42 }
43 // Change the page protection (of code pages) to writable and copy
44 // the data at the specified location
45 //
46 // Arguments:
47 // old_code Target location to copy
48 // new_code Source
49 // length Number of bytes to copy
50 //
51 // Returns: Windows error code (winerror.h). NO_ERROR if successful
ModifyCode(void * old_code,void * new_code,int length)52 DWORD ModifyCode(void* old_code, void* new_code, int length) {
53 if ((NULL == old_code) || (NULL == new_code) || (0 == length)) {
54 NOTREACHED();
55 return ERROR_INVALID_PARAMETER;
56 }
57
58 // Change the page protection so that we can write.
59 DWORD error = NO_ERROR;
60 DWORD old_page_protection = 0;
61 if (VirtualProtect(old_code,
62 length,
63 PAGE_READWRITE,
64 &old_page_protection)) {
65
66 // Write the data.
67 CopyMemory(old_code, new_code, length);
68
69 // Restore the old page protection.
70 error = ERROR_SUCCESS;
71 VirtualProtect(old_code,
72 length,
73 old_page_protection,
74 &old_page_protection);
75 } else {
76 error = GetLastError();
77 NOTREACHED();
78 }
79
80 return error;
81 }
82
InterceptEnumCallback(const base::win::PEImage & image,const char * module,DWORD ordinal,const char * name,DWORD hint,IMAGE_THUNK_DATA * iat,void * cookie)83 bool InterceptEnumCallback(const base::win::PEImage& image, const char* module,
84 DWORD ordinal, const char* name, DWORD hint,
85 IMAGE_THUNK_DATA* iat, void* cookie) {
86 InterceptFunctionInformation* intercept_information =
87 reinterpret_cast<InterceptFunctionInformation*>(cookie);
88
89 if (NULL == intercept_information) {
90 NOTREACHED();
91 return false;
92 }
93
94 DCHECK(module);
95
96 if ((0 == lstrcmpiA(module, intercept_information->imported_from_module)) &&
97 (NULL != name) &&
98 (0 == lstrcmpiA(name, intercept_information->function_name))) {
99 // Save the old pointer.
100 if (NULL != intercept_information->old_function) {
101 *(intercept_information->old_function) = GetIATFunction(iat);
102 }
103
104 if (NULL != intercept_information->iat_thunk) {
105 *(intercept_information->iat_thunk) = iat;
106 }
107
108 // portability check
109 COMPILE_ASSERT(sizeof(iat->u1.Function) ==
110 sizeof(intercept_information->new_function), unknown_IAT_thunk_format);
111
112 // Patch the function.
113 intercept_information->return_code =
114 ModifyCode(&(iat->u1.Function),
115 &(intercept_information->new_function),
116 sizeof(intercept_information->new_function));
117
118 // Terminate further enumeration.
119 intercept_information->finished_operation = true;
120 return false;
121 }
122
123 return true;
124 }
125
126 // Helper to intercept a function in an import table of a specific
127 // module.
128 //
129 // Arguments:
130 // module_handle Module to be intercepted
131 // imported_from_module Module that exports the symbol
132 // function_name Name of the API to be intercepted
133 // new_function Interceptor function
134 // old_function Receives the original function pointer
135 // iat_thunk Receives pointer to IAT_THUNK_DATA
136 // for the API from the import table.
137 //
138 // Returns: Returns NO_ERROR on success or Windows error code
139 // as defined in winerror.h
InterceptImportedFunction(HMODULE module_handle,const char * imported_from_module,const char * function_name,void * new_function,void ** old_function,IMAGE_THUNK_DATA ** iat_thunk)140 DWORD InterceptImportedFunction(HMODULE module_handle,
141 const char* imported_from_module,
142 const char* function_name, void* new_function,
143 void** old_function,
144 IMAGE_THUNK_DATA** iat_thunk) {
145 if ((NULL == module_handle) || (NULL == imported_from_module) ||
146 (NULL == function_name) || (NULL == new_function)) {
147 NOTREACHED();
148 return ERROR_INVALID_PARAMETER;
149 }
150
151 base::win::PEImage target_image(module_handle);
152 if (!target_image.VerifyMagic()) {
153 NOTREACHED();
154 return ERROR_INVALID_PARAMETER;
155 }
156
157 InterceptFunctionInformation intercept_information = {
158 false,
159 imported_from_module,
160 function_name,
161 new_function,
162 old_function,
163 iat_thunk,
164 ERROR_GEN_FAILURE};
165
166 // First go through the IAT. If we don't find the import we are looking
167 // for in IAT, search delay import table.
168 target_image.EnumAllImports(InterceptEnumCallback, &intercept_information);
169 if (!intercept_information.finished_operation) {
170 target_image.EnumAllDelayImports(InterceptEnumCallback,
171 &intercept_information);
172 }
173
174 return intercept_information.return_code;
175 }
176
177 // Restore intercepted IAT entry with the original function.
178 //
179 // Arguments:
180 // intercept_function Interceptor function
181 // original_function Receives the original function pointer
182 //
183 // Returns: Returns NO_ERROR on success or Windows error code
184 // as defined in winerror.h
RestoreImportedFunction(void * intercept_function,void * original_function,IMAGE_THUNK_DATA * iat_thunk)185 DWORD RestoreImportedFunction(void* intercept_function,
186 void* original_function,
187 IMAGE_THUNK_DATA* iat_thunk) {
188 if ((NULL == intercept_function) || (NULL == original_function) ||
189 (NULL == iat_thunk)) {
190 NOTREACHED();
191 return ERROR_INVALID_PARAMETER;
192 }
193
194 if (GetIATFunction(iat_thunk) != intercept_function) {
195 // Check if someone else has intercepted on top of us.
196 // We cannot unpatch in this case, just raise a red flag.
197 NOTREACHED();
198 return ERROR_INVALID_FUNCTION;
199 }
200
201 return ModifyCode(&(iat_thunk->u1.Function),
202 &original_function,
203 sizeof(original_function));
204 }
205
206 } // namespace
207
IATPatchFunction()208 IATPatchFunction::IATPatchFunction()
209 : module_handle_(NULL),
210 original_function_(NULL),
211 iat_thunk_(NULL),
212 intercept_function_(NULL) {
213 }
214
~IATPatchFunction()215 IATPatchFunction::~IATPatchFunction() {
216 if (NULL != intercept_function_) {
217 DWORD error = Unpatch();
218 DCHECK_EQ(static_cast<DWORD>(NO_ERROR), error);
219 }
220 }
221
Patch(const wchar_t * module,const char * imported_from_module,const char * function_name,void * new_function)222 DWORD IATPatchFunction::Patch(const wchar_t* module,
223 const char* imported_from_module,
224 const char* function_name,
225 void* new_function) {
226 DCHECK_EQ(static_cast<void*>(NULL), original_function_);
227 DCHECK_EQ(static_cast<IMAGE_THUNK_DATA*>(NULL), iat_thunk_);
228 DCHECK_EQ(static_cast<void*>(NULL), intercept_function_);
229
230 HMODULE module_handle = LoadLibraryW(module);
231
232 if (module_handle == NULL) {
233 NOTREACHED();
234 return GetLastError();
235 }
236
237 DWORD error = InterceptImportedFunction(module_handle,
238 imported_from_module,
239 function_name,
240 new_function,
241 &original_function_,
242 &iat_thunk_);
243
244 if (NO_ERROR == error) {
245 DCHECK_NE(original_function_, intercept_function_);
246 module_handle_ = module_handle;
247 intercept_function_ = new_function;
248 } else {
249 FreeLibrary(module_handle);
250 }
251
252 return error;
253 }
254
Unpatch()255 DWORD IATPatchFunction::Unpatch() {
256 DWORD error = RestoreImportedFunction(intercept_function_,
257 original_function_,
258 iat_thunk_);
259 DCHECK_EQ(static_cast<DWORD>(NO_ERROR), error);
260
261 // Hands off the intercept if we fail to unpatch.
262 // If IATPatchFunction::Unpatch fails during RestoreImportedFunction
263 // it means that we cannot safely unpatch the import address table
264 // patch. In this case its better to be hands off the intercept as
265 // trying to unpatch again in the destructor of IATPatchFunction is
266 // not going to be any safer
267 if (module_handle_)
268 FreeLibrary(module_handle_);
269 module_handle_ = NULL;
270 intercept_function_ = NULL;
271 original_function_ = NULL;
272 iat_thunk_ = NULL;
273
274 return error;
275 }
276
277 } // namespace win
278 } // namespace base
279