source: zzuf/trunk/src/libzzuf/lib-win32.c @ 4834

Last change on this file since 4834 was 4834, checked in by wisk, 8 years ago

add new hook for windows (CreateFileMapping?(A|W), MapViewOfFile?, ReadFileEx?), re-enable option -U, start to port network on windows

File size: 9.8 KB
Line 
1/*
2 *  zzuf - general purpose fuzzer
3 *  Copyright (c) 2006-2010 Sam Hocevar <sam@hocevar.net>
4 *                All Rights Reserved
5 *
6 *  This program is free software. It comes without any warranty, to
7 *  the extent permitted by applicable law. You can redistribute it
8 *  and/or modify it under the terms of the Do What The Fuck You Want
9 *  To Public License, Version 2, as published by Sam Hocevar. See
10 *  http://sam.zoy.org/wtfpl/COPYING for more details.
11 */
12
13/*
14 *  load-win32.c: loaded Win32 functions
15 */
16
17#include "config.h"
18
19#if defined HAVE_STDINT_H
20#   include <stdint.h>
21#elif defined HAVE_INTTYPES_H
22#   include <inttypes.h>
23#endif
24
25#include <stdio.h>
26
27#if defined HAVE_WINDOWS_H
28#   include <windows.h>
29#endif
30#if defined HAVE_IO_H
31#   include <io.h>
32#endif
33
34#include "common.h"
35#include "libzzuf.h"
36#include "lib-load.h"
37#include "debug.h"
38#include "fuzz.h"
39#include "fd.h"
40
41/* Kernel functions that we divert */
42#if defined HAVE_CREATEFILEA
43static HANDLE (__stdcall *ORIG(CreateFileA))(LPCSTR, DWORD, DWORD,
44                                             LPSECURITY_ATTRIBUTES,
45                                             DWORD, DWORD, HANDLE);
46#endif
47#if defined HAVE_CREATEFILEW
48static HANDLE (__stdcall *ORIG(CreateFileW))(LPCWSTR, DWORD, DWORD,
49                                             LPSECURITY_ATTRIBUTES,
50                                             DWORD, DWORD, HANDLE);
51#endif
52#if defined HAVE_REOPENFILE
53static HANDLE (__stdcall *ORIG(ReOpenFile))(HANDLE, DWORD,
54                                            DWORD, DWORD);
55#endif
56#if defined HAVE_READFILE
57static BOOL (__stdcall *ORIG(ReadFile))(HANDLE, LPVOID, DWORD, LPDWORD,
58                                        LPOVERLAPPED);
59#endif
60#if defined HAVE_READFILEEX
61static BOOL (__stdcall *ORIG(ReadFileEx))(HANDLE, LPVOID, DWORD, LPDWORD,
62    LPOVERLAPPED, LPOVERLAPPED_COMPLETION_ROUTINE);
63#endif
64#if defined HAVE_CREATEFILEMAPPINGA
65static HANDLE (__stdcall *ORIG(CreateFileMappingA))(HANDLE, LPSECURITY_ATTRIBUTES,
66                                                   DWORD, DWORD, DWORD, LPCSTR);
67#endif
68#if defined HAVE_CREATEFILEMAPPINGW
69static HANDLE (__stdcall *ORIG(CreateFileMappingW))(HANDLE, LPSECURITY_ATTRIBUTES,
70                                                   DWORD, DWORD, DWORD, LPCWSTR);
71#endif
72#ifdef HAVE_MAPVIEWOFFILE
73static LPVOID (__stdcall *ORIG(MapViewOfFile))(HANDLE, DWORD, DWORD, DWORD, SIZE_T);
74#endif
75#if defined HAVE_CLOSEHANDLE
76static BOOL (__stdcall *ORIG(CloseHandle))(HANDLE);
77#endif
78
79/*
80 * CreateFileA, CreateFileW
81 */
82
83#if defined HAVE_CREATEFILEA
84HANDLE __stdcall NEW(CreateFileA)(LPCSTR lpFileName, DWORD dwDesiredAccess,
85           DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
86           DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
87           HANDLE hTemplateFile)
88{
89    HANDLE ret;
90
91    ret = ORIG(CreateFileA)(lpFileName, dwDesiredAccess, dwShareMode,
92                            lpSecurityAttributes, dwCreationDisposition,
93                            dwFlagsAndAttributes, hTemplateFile);
94    debug("CreateFileA(\"%s\", 0x%x, 0x%x, {...}, 0x%x, 0x%x, {...}) = %#08x",
95          lpFileName, dwDesiredAccess, dwShareMode, dwCreationDisposition,
96          dwFlagsAndAttributes, (int)ret);
97
98    if(!_zz_ready || _zz_islocked(-1)) return ret;
99    if (ret != INVALID_HANDLE_VALUE && dwCreationDisposition == OPEN_EXISTING && _zz_mustwatch(lpFileName))
100    {
101        _zz_register(ret);
102    }
103
104    return ret;
105}
106#endif
107
108#if defined HAVE_CREATEFILEW
109HANDLE __stdcall NEW(CreateFileW)(LPCWSTR lpFileName, DWORD dwDesiredAccess,
110           DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
111           DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
112           HANDLE hTemplateFile)
113{
114    HANDLE ret;
115    ret = ORIG(CreateFileW)(lpFileName, dwDesiredAccess, dwShareMode,
116                            lpSecurityAttributes, dwCreationDisposition,
117                            dwFlagsAndAttributes, hTemplateFile);
118    debug("CreateFileW(\"%S\", 0x%x, 0x%x, {...}, 0x%x, 0x%x, {...}) = %#08x",
119          lpFileName, dwDesiredAccess, dwShareMode, dwCreationDisposition,
120          dwFlagsAndAttributes, (int)ret);
121
122    if(!_zz_ready || _zz_islocked(-1)) return ret;
123    if (ret != INVALID_HANDLE_VALUE && dwCreationDisposition == OPEN_EXISTING && _zz_mustwatchw(lpFileName))
124    {
125        debug("handle %#08x is registered", ret);
126        _zz_register(ret);
127    }
128
129
130    return ret;
131}
132#endif
133
134#if defined HAVE_REOPENFILE
135HANDLE __stdcall NEW(ReOpenFile)(HANDLE hOriginalFile, DWORD dwDesiredAccess,
136                                 DWORD dwShareMode, DWORD dwFlags)
137{
138    HANDLE ret;
139    ret = ORIG(ReOpenFile)(hOriginalFile, dwDesiredAccess,
140                           dwShareMode, dwFlags);
141    debug("ReOpenFile(%#08x, 0x%x, 0x%x, 0x%x) = %#08x", (int)hOriginalFile,
142          dwDesiredAccess, dwShareMode, dwFlags, (int)ret);
143    return ret;
144}
145#endif
146
147/*
148 * ReadFile
149 */
150
151#if defined HAVE_READFILE
152BOOL __stdcall NEW(ReadFile)(HANDLE hFile, LPVOID lpBuffer,
153           DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead,
154           LPOVERLAPPED lpOverlapped)
155{
156    BOOL ret;
157    ret = ORIG(ReadFile)(hFile, lpBuffer, nNumberOfBytesToRead,
158                          lpNumberOfBytesRead, lpOverlapped);
159    debug("ReadFile(%#08x, %p, %#08x, %#08x, %p) = %s",
160        hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped, (ret ? "TRUE" : "FALSE"));
161
162    if (!_zz_ready || !_zz_iswatched(hFile) /*|| !_zz_hostwatched(hFile)*/ || _zz_islocked(hFile) || !_zz_isactive(hFile))
163        return ret;
164
165    if (ret)
166    {
167        DWORD bytes_read = lpNumberOfBytesRead ? *lpNumberOfBytesRead : nNumberOfBytesToRead;
168        debug("fuzzing file %#08x\n", hFile);
169        _zz_fuzz(hFile, lpBuffer, bytes_read);
170        _zz_addpos(hFile, bytes_read);
171    }
172    return ret;
173}
174#endif
175
176#if defined HAVE_READFILEEX
177BOOL __stdcall NEW(ReadFileEx)(HANDLE hFile, LPVOID lpBuffer,
178    DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead,
179    LPOVERLAPPED lpOverlapped, LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine)
180{
181    BOOL ret;
182
183    ret = ORIG(ReadFileEx)(hFile, lpBuffer, nNumberOfBytesToRead,
184        lpNumberOfBytesRead, lpOverlapped, lpCompletionRoutine);
185
186    debug("ReadFileEx(%#08x, %p, %#08x, %p, %p, %p) = %s",
187        hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped, lpCompletionRoutine, (ret ? "TRUE" : "FALSE"));
188
189    if (!_zz_ready || !_zz_iswatched(hFile) /*|| !_zz_hostwatched(hFile)*/ || _zz_islocked(hFile) || !_zz_isactive(hFile))
190        return ret;
191
192    if (ret)
193    {
194        DWORD bytes_read = lpNumberOfBytesRead ? *lpNumberOfBytesRead : nNumberOfBytesToRead;
195        debug("fuzzing file %#08x\n", hFile);
196        _zz_fuzz(hFile, lpBuffer, bytes_read);
197        _zz_addpos(hFile, bytes_read);
198    }
199    return ret;
200}
201#endif
202
203#if defined HAVE_CREATEFILEMAPPINGA
204HANDLE __stdcall NEW(CreateFileMappingA)(HANDLE hFile, LPSECURITY_ATTRIBUTES lpAttributes,
205            DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow,
206            LPCSTR lpName)
207{
208    HANDLE ret;
209    ret = ORIG(CreateFileMappingA)(hFile, lpAttributes,
210        flProtect, dwMaximumSizeHigh, dwMaximumSizeLow,
211        lpName);
212
213    debug("CreateFileMappingA(%#08x, %#08x, %#08x, %#08x, %#08x, %s) = %#08x",
214        hFile, lpAttributes, flProtect, dwMaximumSizeHigh, dwMaximumSizeLow, lpName, ret);
215
216    if (ret == NULL) return ret;
217
218    if (!_zz_ready || !_zz_iswatched(hFile) /*|| !_zz_hostwatched(hFile)*/ || _zz_islocked(hFile) || !_zz_isactive(hFile) || _zz_islocked(-1))
219        return ret;
220
221    debug("handle %#08x is registered", ret);
222    _zz_register(ret);
223
224    return ret;
225}
226#endif
227
228#if defined HAVE_CREATEFILEMAPPINGW
229HANDLE __stdcall NEW(CreateFileMappingW)(HANDLE hFile, LPSECURITY_ATTRIBUTES lpAttributes,
230            DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow,
231            LPCWSTR lpName)
232{
233    HANDLE ret;
234    ret = ORIG(CreateFileMappingW)(hFile, lpAttributes,
235        flProtect, dwMaximumSizeHigh, dwMaximumSizeLow,
236        lpName);
237
238    debug("CreateFileMappingW(%#08x, %#08x, %#08x, %#08x, %#08x, %S) = %#08x",
239        hFile, lpAttributes, flProtect, dwMaximumSizeHigh, dwMaximumSizeLow, lpName, ret);
240
241    if (ret == NULL) return ret;
242
243    if (!_zz_ready || !_zz_iswatched(hFile) /*|| !_zz_hostwatched(hFile)*/ || _zz_islocked(hFile) || !_zz_isactive(hFile) || _zz_islocked(-1))
244        return ret;
245
246    debug("handle %#08x is registered", ret);
247    _zz_register(ret);
248
249    return ret;
250}
251#endif
252
253#ifdef HAVE_MAPVIEWOFFILE
254LPVOID __stdcall NEW(MapViewOfFile)(HANDLE hFileMappingObject, DWORD dwDesiredAccess,
255    DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow,
256    SIZE_T dwNumberOfBytesToMap)
257{
258    LPVOID ret;
259    ret = ORIG(MapViewOfFile)(hFileMappingObject, dwDesiredAccess,
260        dwFileOffsetHigh, dwFileOffsetLow,
261        dwNumberOfBytesToMap);
262
263    debug("MapViewOfFile(%#08x, %#08x, %#08x, %#08x, %#08x) = %p",
264        hFileMappingObject, dwDesiredAccess, dwFileOffsetHigh, dwFileOffsetLow, dwNumberOfBytesToMap, ret);
265
266    return ret;
267}
268#endif
269
270/*
271 * CloseHandle
272 */
273
274#if defined HAVE_CLOSEHANDLE
275BOOL __stdcall NEW(CloseHandle)(HANDLE hObject)
276{
277    BOOL ret;
278
279    /* TODO: Check if fuzzed application tries to close our debug channel */
280
281    ret = ORIG(CloseHandle)(hObject);
282    debug("CloseHandle(%#08x) = %s", (int)hObject, (ret ? "TRUE" : "FALSE"));
283    if (!_zz_ready || !_zz_iswatched(hObject) || _zz_islocked(hObject))
284        return ret;
285    _zz_unregister(hObject);
286    return ret;
287}
288#endif
289
290/* Win32 function table */
291#if defined HAVE_WINDOWS_H
292#   define DIVERT(x) { "kernel32.dll", #x, \
293                      (void **)&x##_orig, (void *)x##_new }
294#   define DIVERT_END { NULL, NULL, NULL, NULL }
295
296zzuf_table_t table_win32[] =
297{
298    DIVERT(CloseHandle),
299    DIVERT(CreateFileA),
300    DIVERT(CreateFileW),
301    DIVERT(CreateFileMappingA),
302    DIVERT(CreateFileMappingW),
303    DIVERT(MapViewOfFile),
304    DIVERT(ReadFile),
305    DIVERT(ReadFileEx),
306    DIVERT_END
307};
308#endif
309
Note: See TracBrowser for help on using the repository browser.