#include "stdafx.h"
#include "childrun.h"
#include <climits>
#include <cstdio>
#include <cstring>
#ifdef _WIN32
#include <ndk/ntndk.h>
#pragma comment(lib, "ntdll.lib")
// Filled in by the parent's childrun() through WriteProcessMemory:
//   g_xblock  -> the child's copy of the caller's `mem` buffer
//   g_xblock2 -> the hook records placed right after it (walked by childrun_runhooks)
void * g_xblock = 0, *g_xblock2=0;
// Function pointer the parent's childrun() writes into the child; where the child
// invokes it is outside this file.
int (*g_xmain)(void*) = 0;
// Serialized hook records accumulated by childrun_addhook_i in the parent and copied
// into the child by childrun().
static string g_hooks;
// Load address of this module; childrun() uses it to translate the addresses of the
// globals above into the child's image (the child is this same executable).
extern "C" IMAGE_DOS_HEADER __ImageBase;
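// Appends one hook record to g_hooks. Record layout, as consumed by childrun_runhooks()
// in the child:
//   u32           padlen   payload length rounded up to a multiple of 8
//   void*-sized   f        hook function (relocated into the child's image by childrun)
//   byte[padlen]  payload  `str`, zero-padded to padlen
// childrun_runhooks() stops at the first record whose length word is 0, so an empty
// payload still gets an 8-byte zero record; otherwise every hook added after it
// would be silently skipped.
// Returns false (and appends nothing) for a null f, a null str with a non-zero
// length, or a length whose padded size does not fit the u32 length word.
bool childrun_addhook_i(void(*f)(const char*, size_t), const char* str, size_t slen)
{
    if (!f) return false;
    if (slen > 0 && !str) return false;
    // The length is stored as a u32; refuse what would be truncated by the cast below.
    if (slen > UINT_MAX - 7) return false;
    unsigned int exlen = (unsigned int)slen;
    unsigned int padlen = (exlen + 7) & ~7u;
    if (padlen == 0) padlen = 8;
    const uint64_t zero = 0;  // padding source: padlen - exlen is at most 8 bytes
    string rec;
    rec.reserve(sizeof(padlen) + sizeof(void*) + padlen);
    rec.append((const char*)&padlen, sizeof(padlen));
    rec.append((const char*)&f, sizeof(void*));
    if (exlen) rec.append(str, exlen);
    rec.append((const char*)&zero, padlen - exlen);
    g_hooks += rec;
    return true;
}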
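// Runs, in the child, every hook record the parent's childrun() copied to g_xblock2.
// Each record is a u32 padded length, a void*-sized function pointer and the padded
// payload; a zero length word terminates the list. The hook receives the payload
// pointer and its padded length. Does nothing when g_xblock2 was never set.
void childrun_runhooks()
{
    const char *cur = (const char*)g_xblock2;
    if (!cur) return;
    for (;;)
    {
        // Records are only 4-byte aligned (4 + sizeof(void*) + 8k), so read the
        // fields with memcpy rather than through casted pointers.
        unsigned int len = 0;
        memcpy(&len, cur, sizeof(len));
        if (len == 0) break;
        cur += sizeof(len);
        void (*hook)(const char*, size_t) = 0;
        memcpy(&hook, cur, sizeof(void*));  // writer stores exactly sizeof(void*) bytes
        cur += sizeof(void*);
        if (hook) hook(cur, len);
        cur += len;
    }
}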
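// Address, inside the child's image, of the global that lives at `local` in this
// image. The child is this same executable, so only the load base differs.
static char *childrun_remote(const void *local, PVOID childBase)
{
    return (char*)childBase + ((const char*)local - (const char*)&__ImageBase);
}

// Re-launches this executable as a hidden, suspended child, copies `mem` (len bytes)
// followed by the registered hook records into it, and patches the child's g_xmain,
// g_xblock and g_xblock2 so the child can find them when it resumes.
// Returns the child's process id, or -1 on any failure (the suspended child is
// terminated so no half-initialised process is left behind).
int childrun(int (*f)(void*), void * mem, int len)
{
    if (!f || len < 0) return -1;
    wchar_t thisname[260];
    DWORD nlen = GetModuleFileName(0, thisname, _countof(thisname));
    if (nlen == 0 || nlen >= _countof(thisname)) return -1;  // failed or truncated path
    STARTUPINFO sinfo = {sizeof(sinfo)};
    PROCESS_INFORMATION pinfo = {0};
    sinfo.dwFlags = STARTF_USESHOWWINDOW;
    sinfo.wShowWindow = SW_HIDE;
    // CreateProcessW may modify the command line buffer, so pass a writable copy.
    wstring cmdline(GetCommandLineW());
    // bInheritHandles is TRUE: every inheritable handle of this process is also
    // open in the child.
    BOOL b = CreateProcess(thisname, &cmdline[0], 0, 0, TRUE, CREATE_SUSPENDED|CREATE_NEW_CONSOLE, 0, 0, &sinfo, &pinfo);
    if (!b) return -1;
    bool ok = false;
    ULONG rlen = 0;
    SIZE_T rlen1 = 0;
    PVOID ImageBase = 0;
    PROCESS_BASIC_INFORMATION pbi;
    // The child's load base is read from its PEB; it differs from ours under ASLR.
    if (ZwQueryInformationProcess(pinfo.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &rlen) == 0 &&
        ReadProcessMemory(pinfo.hProcess, (char*)pbi.PebBaseAddress + offsetof(_PEB, ImageBaseAddress), &ImageBase, sizeof(ImageBase), &rlen1))
    {
        string hooks = g_hooks;
        unsigned int zero = 0;
        hooks.append((const char*)&zero, sizeof(zero));  // list terminator for childrun_runhooks
        SIZE_T total = (SIZE_T)len + hooks.length();
        char *pmem = (char*)VirtualAllocEx(pinfo.hProcess, 0, total, MEM_COMMIT, PAGE_READWRITE);
        if (pmem)
        {
            char *pmem2 = pmem + len;
            // Every write is checked: a failed one would leave the child with
            // dangling g_xblock/g_xblock2 values.
            ok = (len == 0 || WriteProcessMemory(pinfo.hProcess, pmem, mem, (SIZE_T)len, 0))
              && WriteProcessMemory(pinfo.hProcess, pmem2, hooks.data(), hooks.length(), 0)
              && WriteProcessMemory(pinfo.hProcess, childrun_remote(&g_xmain, ImageBase), &f, sizeof(f), 0)
              && WriteProcessMemory(pinfo.hProcess, childrun_remote(&g_xblock, ImageBase), &pmem, sizeof(pmem), 0)
              && WriteProcessMemory(pinfo.hProcess, childrun_remote(&g_xblock2, ImageBase), &pmem2, sizeof(pmem2), 0);
        }
    }
    if (ok && ResumeThread(pinfo.hThread) == (DWORD)-1) ok = false;
    int result = -1;
    if (ok) result = (int)pinfo.dwProcessId;
    else TerminateProcess(pinfo.hProcess, 1);
    CloseHandle(pinfo.hProcess);
    CloseHandle(pinfo.hThread);
    return result;
}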
#else
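// Detaches the child's standard streams by pointing fds 0, 1 and 2 at /dev/null.
// If /dev/null cannot be opened the streams are left as they are instead of
// handing an invalid descriptor to dup2().
static void close_io()
{
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd < 0) return;
    dup2(nullfd, 0);
    dup2(nullfd, 1);
    dup2(nullfd, 2);
    // open() may itself have returned 0..2 if one of them was closed; only release
    // the descriptor when it is a separate one.
    if (nullfd > 2) close(nullfd);
}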
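// Runs f(mem) in a forked child with its standard streams detached.
// `len` is unused on POSIX: the child is a copy of this address space, so `mem`
// is reachable as-is. Returns the child's pid, or -1 when f is null or fork()
// failed (errno is then set by fork).
int childrun(int (*f)(void*), void * mem, int len)
{
    (void)len;
    if (!f) return -1;
    // Flush pending stdio output before forking; otherwise both processes inherit
    // the same unflushed buffer and the data is written twice.
    fflush(NULL);
    pid_t pid = fork();
    if (pid == 0)
    {
        close_io();
        // NOTE(review): exit() also runs atexit handlers inherited from the parent
        // inside the child; _exit() would avoid that -- confirm whether f relies
        // on exit-time flushing before changing it.
        exit(f(mem));
    }
    return pid;
}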
#endif