toolkit/crashreporter/LoadLibraryRemote.cpp
author Kai Engert <kaie@kuix.de>
Wed, 11 Mar 2015 20:13:42 +0100
changeset 257596 758a094c8b7e66c67cd2998b30d0f2d89c4d74e4
parent 235915 ac44aef9c4d46927c98ce9edd4126a1242efe1fb
child 416428 6a629adbb62a299d7208373d1c6f375149d2afdb
permissions -rw-r--r--
Bug 1137470, landing NSS_3_18_RC0 minus bug 1132496, r=nss-confcall, a=lsblakk

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef __GNUC__
// disable warnings about pointer <-> DWORD conversions
#pragma warning( disable : 4311 4312 )
#endif

#ifdef _WIN64
#define POINTER_TYPE ULONGLONG
#else
#define POINTER_TYPE DWORD
#endif

#include <windows.h>
#include <winnt.h>
#include <stdlib.h>
#ifdef DEBUG_OUTPUT
#include <stdio.h>
#endif

#include "nsWindowsHelpers.h"

typedef const unsigned char* FileView;

template<>
class nsAutoRefTraits<FileView>
{
public:
  typedef FileView RawRef;
  static FileView Void()
  {
    return nullptr;
  }

  static void Release(RawRef aView)
  {
    if (nullptr != aView)
      UnmapViewOfFile(aView);
  }
};

#ifndef IMAGE_SIZEOF_BASE_RELOCATION
// Vista SDKs no longer define IMAGE_SIZEOF_BASE_RELOCATION!?
#define IMAGE_SIZEOF_BASE_RELOCATION (sizeof(IMAGE_BASE_RELOCATION))
#endif

#include "LoadLibraryRemote.h"

typedef struct {
  PIMAGE_NT_HEADERS headers;
  unsigned char *localCodeBase;
  unsigned char *remoteCodeBase;
  HMODULE *modules;
  int numModules;
} MEMORYMODULE, *PMEMORYMODULE;

typedef BOOL (WINAPI *DllEntryProc)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);

#define GET_HEADER_DICTIONARY(module, idx)  &(module)->headers->OptionalHeader.DataDirectory[idx]

#ifdef DEBUG_OUTPUT
static void
OutputLastError(const char *msg)
{
  char* tmp;
  char *tmpmsg;
  FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                 nullptr, GetLastError(),
                 MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                 (LPSTR) &tmp, 0, nullptr);
  tmpmsg = (char *)LocalAlloc(LPTR, strlen(msg) + strlen(tmp) + 3);
  sprintf(tmpmsg, "%s: %s", msg, tmp);
  OutputDebugStringA(tmpmsg);
  LocalFree(tmpmsg);
  LocalFree(tmp);
}
#endif

static void
CopySections(const unsigned char *data, PIMAGE_NT_HEADERS old_headers, PMEMORYMODULE module)
{
  int i;
  unsigned char *codeBase = module->localCodeBase;
  unsigned char *dest;
  PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(module->headers);
  for (i=0; i<module->headers->FileHeader.NumberOfSections; i++, section++) {
    dest = codeBase + section->VirtualAddress;
    memset(dest, 0, section->Misc.VirtualSize);
    if (section->SizeOfRawData) {
      memcpy(dest, data + section->PointerToRawData, section->SizeOfRawData);
    }
    //     section->Misc.PhysicalAddress = (POINTER_TYPE) module->remoteCodeBase + section->VirtualAddress;
  }
}

static bool
CopyRegion(HANDLE hRemoteProcess, void* remoteAddress, void* localAddress, DWORD size, DWORD protect)
{
  if (size > 0) {
    // Copy the data from local->remote and set the memory protection
    if (!VirtualAllocEx(hRemoteProcess, remoteAddress, size, MEM_COMMIT, PAGE_READWRITE))
      return false;

    if (!WriteProcessMemory(hRemoteProcess,
                            remoteAddress,
                            localAddress,
                            size,
                            nullptr)) {
#ifdef DEBUG_OUTPUT
      OutputLastError("Error writing remote memory.\n");
#endif
      return false;
    }

    DWORD oldProtect;
    if (VirtualProtectEx(hRemoteProcess, remoteAddress, size, protect, &oldProtect) == 0) {
#ifdef DEBUG_OUTPUT
      OutputLastError("Error protecting memory page");
#endif
      return false;
    }
  }
  return true;
}
// Protection flags for memory pages (Executable, Readable, Writeable)
static int ProtectionFlags[2][2][2] = {
  {
    // not executable
    {PAGE_NOACCESS, PAGE_WRITECOPY},
    {PAGE_READONLY, PAGE_READWRITE},
  }, {
    // executable
    {PAGE_EXECUTE, PAGE_EXECUTE_WRITECOPY},
    {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE},
  },
};

static bool
FinalizeSections(PMEMORYMODULE module, HANDLE hRemoteProcess)
{
#ifdef DEBUG_OUTPUT
  fprintf(stderr, "Finalizing sections: local base %p, remote base %p\n",
          module->localCodeBase, module->remoteCodeBase);
#endif

  int i;
  int numSections = module->headers->FileHeader.NumberOfSections;

  if (numSections < 1)
    return false;

  PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(module->headers);

  // Copy any data before the first section (i.e. the image header)
  if (!CopyRegion(hRemoteProcess, module->remoteCodeBase, module->localCodeBase, section->VirtualAddress, PAGE_READONLY))
    return false;

  // loop through all sections and change access flags
  for (i=0; i<numSections; i++, section++) {
    DWORD protect, size;
    int executable = (section->Characteristics & IMAGE_SCN_MEM_EXECUTE) != 0;
    int readable =   (section->Characteristics & IMAGE_SCN_MEM_READ) != 0;
    int writeable =  (section->Characteristics & IMAGE_SCN_MEM_WRITE) != 0;

    // determine protection flags based on characteristics
    protect = ProtectionFlags[executable][readable][writeable];
    if (section->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) {
      protect |= PAGE_NOCACHE;
    }

    void* remoteAddress = module->remoteCodeBase + section->VirtualAddress;
    void* localAddress = module->localCodeBase + section->VirtualAddress;

    // determine size of region
    size = section->Misc.VirtualSize;
#ifdef DEBUG_OUTPUT
      fprintf(stderr, "Copying section %s to %p, size %x, executable %i readable %i writeable %i\n",
              section->Name, remoteAddress, size, executable, readable, writeable);
#endif
    if (!CopyRegion(hRemoteProcess, remoteAddress, localAddress, size, protect))
      return false;
  }
  return true;
}

static void
PerformBaseRelocation(PMEMORYMODULE module, SIZE_T delta)
{
  DWORD i;
  unsigned char *codeBase = module->localCodeBase;

  PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY(module, IMAGE_DIRECTORY_ENTRY_BASERELOC);
  if (directory->Size > 0) {
    PIMAGE_BASE_RELOCATION relocation = (PIMAGE_BASE_RELOCATION) (codeBase + directory->VirtualAddress);
    for (; relocation->VirtualAddress > 0; ) {
      unsigned char *dest = codeBase + relocation->VirtualAddress;
      unsigned short *relInfo = (unsigned short *)((unsigned char *)relocation + IMAGE_SIZEOF_BASE_RELOCATION);
      for (i=0; i<((relocation->SizeOfBlock-IMAGE_SIZEOF_BASE_RELOCATION) / 2); i++, relInfo++) {
        DWORD *patchAddrHL;
#ifdef _WIN64
        ULONGLONG *patchAddr64;
#endif
        int type, offset;

        // the upper 4 bits define the type of relocation
        type = *relInfo >> 12;
        // the lower 12 bits define the offset
        offset = *relInfo & 0xfff;
        
        switch (type)
        {
        case IMAGE_REL_BASED_ABSOLUTE:
          // skip relocation
          break;

        case IMAGE_REL_BASED_HIGHLOW:
          // change complete 32 bit address
          patchAddrHL = (DWORD *) (dest + offset);
          *patchAddrHL += delta;
          break;
        
#ifdef _WIN64
        case IMAGE_REL_BASED_DIR64:
          patchAddr64 = (ULONGLONG *) (dest + offset);
          *patchAddr64 += delta;
          break;
#endif

        default:
          //printf("Unknown relocation: %d\n", type);
          break;
        }
      }

      // advance to next relocation block
      relocation = (PIMAGE_BASE_RELOCATION) (((char *) relocation) + relocation->SizeOfBlock);
    }
  }
}

static int
BuildImportTable(PMEMORYMODULE module)
{
  int result=1;
  unsigned char *codeBase = module->localCodeBase;

  PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY(module, IMAGE_DIRECTORY_ENTRY_IMPORT);
  if (directory->Size > 0) {
    PIMAGE_IMPORT_DESCRIPTOR importDesc = (PIMAGE_IMPORT_DESCRIPTOR) (codeBase + directory->VirtualAddress);
    PIMAGE_IMPORT_DESCRIPTOR importEnd = (PIMAGE_IMPORT_DESCRIPTOR) (codeBase + directory->VirtualAddress + directory->Size);

    for (; importDesc < importEnd && importDesc->Name; importDesc++) {
      POINTER_TYPE *thunkRef;
      FARPROC *funcRef;
      HMODULE handle = GetModuleHandleA((LPCSTR) (codeBase + importDesc->Name));
      if (handle == nullptr) {
#if DEBUG_OUTPUT
        OutputLastError("Can't load library");
#endif
        result = 0;
        break;
      }

      module->modules = (HMODULE *)realloc(module->modules, (module->numModules+1)*(sizeof(HMODULE)));
      if (module->modules == nullptr) {
        result = 0;
        break;
      }

      module->modules[module->numModules++] = handle;
      if (importDesc->OriginalFirstThunk) {
        thunkRef = (POINTER_TYPE *) (codeBase + importDesc->OriginalFirstThunk);
        funcRef = (FARPROC *) (codeBase + importDesc->FirstThunk);
      } else {
        // no hint table
        thunkRef = (POINTER_TYPE *) (codeBase + importDesc->FirstThunk);
        funcRef = (FARPROC *) (codeBase + importDesc->FirstThunk);
      }
      for (; *thunkRef; thunkRef++, funcRef++) {
        if (IMAGE_SNAP_BY_ORDINAL(*thunkRef)) {
          *funcRef = (FARPROC)GetProcAddress(handle, (LPCSTR)IMAGE_ORDINAL(*thunkRef));
        } else {
          PIMAGE_IMPORT_BY_NAME thunkData = (PIMAGE_IMPORT_BY_NAME) (codeBase + (*thunkRef));
          *funcRef = (FARPROC)GetProcAddress(handle, (LPCSTR)&thunkData->Name);
        }
        if (*funcRef == 0) {
          result = 0;
          break;
        }
      }

      if (!result) {
        break;
      }
    }
  }

  return result;
}

static void* MemoryGetProcAddress(PMEMORYMODULE module, const char *name);

void* LoadRemoteLibraryAndGetAddress(HANDLE hRemoteProcess,
                                     const WCHAR* library,
                                     const char* symbol)
{
  // Map the DLL into memory
  nsAutoHandle hLibrary(
    CreateFile(library, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING,
               FILE_ATTRIBUTE_NORMAL, nullptr));
  if (INVALID_HANDLE_VALUE == hLibrary) {
#if DEBUG_OUTPUT
    OutputLastError("Couldn't CreateFile the library.\n");
#endif
    return nullptr;
  }

  nsAutoHandle hMapping(
    CreateFileMapping(hLibrary, nullptr, PAGE_READONLY, 0, 0, nullptr));
  if (!hMapping) {
#if DEBUG_OUTPUT
    OutputLastError("Couldn't CreateFileMapping.\n");
#endif
    return nullptr;
  }

  nsAutoRef<FileView> data(
    (const unsigned char*) MapViewOfFile(hMapping, FILE_MAP_READ, 0, 0, 0));
  if (!data) {
#if DEBUG_OUTPUT
    OutputLastError("Couldn't MapViewOfFile.\n");
#endif
    return nullptr;
  }

  SIZE_T locationDelta;

  PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)data.get();
  if (dos_header->e_magic != IMAGE_DOS_SIGNATURE) {
#if DEBUG_OUTPUT
    OutputDebugStringA("Not a valid executable file.\n");
#endif
    return nullptr;
  }

  PIMAGE_NT_HEADERS old_header = (PIMAGE_NT_HEADERS)(data + dos_header->e_lfanew);
  if (old_header->Signature != IMAGE_NT_SIGNATURE) {
#if DEBUG_OUTPUT
    OutputDebugStringA("No PE header found.\n");
#endif
    return nullptr;
  }

  // reserve memory for image of library in this process and the target process
  unsigned char* localCode = (unsigned char*) VirtualAlloc(nullptr,
    old_header->OptionalHeader.SizeOfImage,
    MEM_RESERVE | MEM_COMMIT,
    PAGE_READWRITE);
  if (!localCode) {
#if DEBUG_OUTPUT
    OutputLastError("Can't reserve local memory.");
#endif
  }

  unsigned char* remoteCode = (unsigned char*) VirtualAllocEx(hRemoteProcess, nullptr,
    old_header->OptionalHeader.SizeOfImage,
    MEM_RESERVE,
    PAGE_EXECUTE_READ);
  if (!remoteCode) {
#if DEBUG_OUTPUT
    OutputLastError("Can't reserve remote memory.");
#endif
  }

  MEMORYMODULE result;
  result.localCodeBase = localCode;
  result.remoteCodeBase = remoteCode;
  result.numModules = 0;
  result.modules = nullptr;

  // copy PE header to code
  memcpy(localCode, dos_header, dos_header->e_lfanew + old_header->OptionalHeader.SizeOfHeaders);
  result.headers = reinterpret_cast<PIMAGE_NT_HEADERS>(localCode + dos_header->e_lfanew);

  // update position
  result.headers->OptionalHeader.ImageBase = (POINTER_TYPE)remoteCode;

  // copy sections from DLL file block to new memory location
  CopySections(data, old_header, &result);

  // adjust base address of imported data
  locationDelta = (SIZE_T)(remoteCode - old_header->OptionalHeader.ImageBase);
  if (locationDelta != 0) {
    PerformBaseRelocation(&result, locationDelta);
  }

  // load required dlls and adjust function table of imports
  if (!BuildImportTable(&result)) {
    return nullptr;
  }

  // mark memory pages depending on section headers and release
  // sections that are marked as "discardable"
  if (!FinalizeSections(&result, hRemoteProcess)) {
    return nullptr;
  }

  return MemoryGetProcAddress(&result, symbol);
}

static void* MemoryGetProcAddress(PMEMORYMODULE module, const char *name)
{
  unsigned char *localCodeBase = module->localCodeBase;
  int idx=-1;
  DWORD i, *nameRef;
  WORD *ordinal;
  PIMAGE_EXPORT_DIRECTORY exports;
  PIMAGE_DATA_DIRECTORY directory = GET_HEADER_DICTIONARY(module, IMAGE_DIRECTORY_ENTRY_EXPORT);
  if (directory->Size == 0) {
    // no export table found
    return nullptr;
  }

  exports = (PIMAGE_EXPORT_DIRECTORY) (localCodeBase + directory->VirtualAddress);
  if (exports->NumberOfNames == 0 || exports->NumberOfFunctions == 0) {
    // DLL doesn't export anything
    return nullptr;
  }

  // search function name in list of exported names
  nameRef = (DWORD *) (localCodeBase + exports->AddressOfNames);
  ordinal = (WORD *) (localCodeBase + exports->AddressOfNameOrdinals);
  for (i=0; i<exports->NumberOfNames; i++, nameRef++, ordinal++) {
    if (stricmp(name, (const char *) (localCodeBase + (*nameRef))) == 0) {
      idx = *ordinal;
      break;
    }
  }

  if (idx == -1) {
    // exported symbol not found
    return nullptr;
  }

  if ((DWORD)idx > exports->NumberOfFunctions) {
    // name <-> ordinal number don't match
    return nullptr;
  }

  // AddressOfFunctions contains the RVAs to the "real" functions
  return module->remoteCodeBase + (*(DWORD *) (localCodeBase + exports->AddressOfFunctions + (idx*4)));
}