Changeset 4111 for zzuf/trunk


Timestamp:
Dec 9, 2009, 1:28:28 AM (11 years ago)
Author:
Sam Hocevar
Message:

Try to work around the Vista ASLR feature by retrieving the executable's
base address once it is loaded in memory.

File:
1 edited

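--- a/zzuf/trunk/src/zzuf.c
+++ b/zzuf/trunk/src/zzuf.c
@@ -45,4 +45,6 @@
 #if defined HAVE_WINDOWS_H
 #   include <windows.h>
+#   include <imagehlp.h>
+#   include <tlhelp32.h>
 #endif
 #if defined HAVE_IO_H
@@ -122,5 +124,6 @@
 #if defined HAVE_WINDOWS_H
 static int dll_inject(void *, void *);
-static void *get_entry(char const *);
+static intptr_t get_base_address(DWORD);
+static intptr_t get_entry_point_offset(char const *);
 #endif
 static void finfo(FILE *, struct opts *, uint32_t);
@@ -1089,9 +1092,4 @@
     pid = GetCurrentProcess();
 
-    /* Get entry point */
-    epaddr = get_entry(opts->newargv[0]);
-    if(!epaddr)
-        return -1;
-
     memset(&sinfo, 0, sizeof(sinfo));
     sinfo.cb = sizeof(sinfo);
@@ -1106,4 +1104,10 @@
                         CREATE_SUSPENDED, NULL, NULL, &sinfo, &pinfo);
     if(!ret)
+        return -1;
+
+    /* Get the child process's entry point address */
+    epaddr = (void *)(get_base_address(pinfo.dwProcessId)
+                       + get_entry_point_offset(opts->newargv[0]));
+    if(!epaddr)
         return -1;
 
@@ -1198,9 +1202,33 @@
 }
 
-static void *get_entry(char const *name)
+/* Find the process's base address once it is loaded in memory (the header
+ * information is unreliable because of Vista's ASLR). */
+static intptr_t get_base_address(DWORD pid)
+{
+    MODULEENTRY32 entry;
+    intptr_t ret = 0;
+    void *list;
+    int k;
+
+    list = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
+    entry.dwSize = sizeof(entry);
+    for(k = Module32First(list, &entry); k; k = Module32Next(list, &entry))
+    {
+        /* FIXME: how do we select the correct module? */
+        ret = (intptr_t)entry.modBaseAddr;
+    }
+    CloseHandle(list);
+
+    return ret;
+}
+
+/* Find the process's entry point address offset. The information is in
+ * the file's PE header. */
+static intptr_t get_entry_point_offset(char const *name)
 {
     PIMAGE_DOS_HEADER dos;
     PIMAGE_NT_HEADERS nt;
-    void *file, *map, *base, *ret = NULL;
+    intptr_t ret = 0;
+    void *file, *map, *base;
 
     file = CreateFile(name, GENERIC_READ, FILE_SHARE_READ,
@@ -1232,6 +1260,5 @@
       && nt->OptionalHeader.Magic == 0x10b /* IMAGE_NT_OPTIONAL_HDR32_MAGIC */)
     {
-        ret = (void *)(uintptr_t)(nt->OptionalHeader.ImageBase +
-                                  nt->OptionalHeader.AddressOfEntryPoint);
+        ret = (intptr_t)nt->OptionalHeader.AddressOfEntryPoint;
     }
 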
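Review bot: The `if(!epaddr)` test that follows the new `epaddr = (void *)(get_base_address(pinfo.dwProcessId) + get_entry_point_offset(opts->newargv[0]))` cannot detect a failed lookup, because both helpers report failure as 0 and a zero base added to a non-zero entry offset (or the reverse) still produces a non-zero pointer that the injection then writes to. Assign the two results to separate locals and reject either being 0 before adding them, as below; the enclosing function starts and ends outside this hunk, so the two extra `intptr_t` locals must be declared at its top. In get_base_address the handle returned by CreateToolhelp32Snapshot is handed to Module32First without being compared against INVALID_HANDLE_VALUE, and the loop keeps the base of whichever module is enumerated last, which the FIXME already flags; presumably the entry whose module path matches the executable (or, conventionally, the first entry for the process) is the intended one, and a failed snapshot should return 0 rather than iterate on an invalid handle.
```c
    /* Get the child process's entry point address. Each helper reports
     * failure as 0, so check the two values separately, not their sum. */
    base = get_base_address(pinfo.dwProcessId);
    epoff = get_entry_point_offset(opts->newargv[0]);
    if(!base || !epoff)
        return -1;
    epaddr = (void *)(base + epoff);
    /* … unchanged: resume of the suspended child … */
```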