#include "windowstool.h"\r
#include <tchar.h>\r
#include <tlhelp32.h>\r
+#include <process.h>\r
\r
#pragma runtime_checks( "", off )\r
static DWORD WINAPI invokeFunc(InjectInfo *info)\r
\r
HANDLE hProcess = info->pOpenProcess(PROCESS_QUERY_INFORMATION, FALSE, info->pid_);\r
if (hProcess == NULL) {\r
- result = 1;\r
+ result = YAMY_ERROR_ON_OPEN_YAMY_PROCESS;\r
goto exit;\r
}\r
\r
ret = pOpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_DUPLICATE , &hToken);\r
if (ret == FALSE) {\r
- result = 2;\r
+ result = YAMY_ERROR_ON_OPEN_YAMY_TOKEN;\r
goto exit;\r
}\r
\r
ret = pImpersonateLoggedOnUser(hToken);\r
if (ret == FALSE) {\r
- result = 3;\r
+ result = YAMY_ERROR_ON_IMPERSONATE;\r
goto exit;\r
}\r
\r
\r
ret = pRevertToSelf();\r
if (ret == FALSE) {\r
- result = 4;\r
+ result = YAMY_ERROR_ON_REVERT_TO_SELF;\r
goto exit;\r
}\r
\r
HANDLE hToken = NULL;\r
\r
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {\r
- ret = 5;\r
+ ret = YAMY_ERROR_ON_OPEN_CURRENT_PROCESS;\r
goto exit;\r
}\r
\r
LUID luid;\r
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {\r
- ret = 6;\r
+ ret = YAMY_ERROR_ON_LOOKUP_PRIVILEGE;\r
goto exit;\r
}\r
\r
tk_priv.Privileges[0].Luid = luid;\r
\r
if (!AdjustTokenPrivileges(hToken, FALSE, &tk_priv, 0, NULL, NULL)) {\r
- ret = 7;\r
+ ret = YAMY_ERROR_ON_ADJUST_PRIVILEGE;\r
goto exit;\r
}\r
\r
wi.m_remoteInfo = NULL;\r
wi.m_hThread = NULL;\r
\r
- DWORD invokeFuncAddr = (DWORD)invokeFunc;\r
- DWORD afterFuncAddr = (DWORD)afterFunc;\r
- DWORD memSize = afterFuncAddr - invokeFuncAddr;\r
+ ULONG_PTR invokeFuncAddr = (ULONG_PTR)invokeFunc;\r
+ ULONG_PTR afterFuncAddr = (ULONG_PTR)afterFunc;\r
+ SIZE_T memSize = afterFuncAddr - invokeFuncAddr;\r
\r
if ((wi.m_hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)) == NULL) {\r
- ret = 8;\r
+ ret = YAMY_ERROR_ON_OPEN_WINLOGON_PROCESS;\r
goto exit;\r
}\r
\r
wi.m_remoteMem = VirtualAllocEx(wi.m_hProcess, NULL, memSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r
if (wi.m_remoteMem == NULL) {\r
- ret = 9;\r
+ ret = YAMY_ERROR_ON_VIRTUALALLOCEX;\r
err = GetLastError();\r
goto exit;\r
}\r
\r
wFlag = WriteProcessMemory(wi.m_hProcess, wi.m_remoteMem, (char*)invokeFunc, memSize, (SIZE_T*)0);\r
if (wFlag == FALSE) {\r
- ret = 10;\r
+ ret = YAMY_ERROR_ON_WRITEPROCESSMEMORY;\r
goto exit;\r
}\r
\r
wi.m_remoteInfo = VirtualAllocEx(wi.m_hProcess, NULL, sizeof(m_info), MEM_COMMIT, PAGE_READWRITE);\r
if (wi.m_remoteInfo == NULL) {\r
- ret = 11;\r
+ ret = YAMY_ERROR_ON_VIRTUALALLOCEX;\r
err = GetLastError();\r
goto exit;\r
}\r
\r
wFlag = WriteProcessMemory(wi.m_hProcess, wi.m_remoteInfo, (char*)&m_info, sizeof(m_info), (SIZE_T*)0);\r
if (wFlag == FALSE) {\r
- ret = 12;\r
+ ret = YAMY_ERROR_ON_WRITEPROCESSMEMORY;\r
goto exit;\r
}\r
\r
-#if 0\r
- TCHAR buf[1024];\r
-\r
- _stprintf_s(buf, sizeof(buf)/sizeof(buf[0]),\r
- _T("execute UpdatePerUserSystemParameters(), inject code to winlogon.exe?\r\n")\r
- _T("invokeFunc=0x%p\r\n")\r
- _T("afterFunc=0x%p\r\n")\r
- _T("afterFunc - invokeFunc=%d\r\n")\r
- _T("remoteMem=0x%p\r\n")\r
- _T("remoteInfo=0x%p(size: %d)\r\n"),\r
- invokeFunc, afterFunc, memSize, m_remoteMem, m_remoteInfo, sizeof(m_info));\r
- if (MessageBox((HWND)NULL, buf, _T("upusp"), MB_OKCANCEL | MB_ICONSTOP) == IDCANCEL) {\r
- (m_info.pUpdate)(0, 1);\r
- goto exit;\r
- }\r
-#endif\r
-\r
wi.m_hThread = CreateRemoteThread(wi.m_hProcess, NULL, 0, \r
(LPTHREAD_START_ROUTINE)wi.m_remoteMem, wi.m_remoteInfo, 0, NULL);\r
if (wi.m_hThread == NULL) {\r
- ret = 13;\r
+ ret = YAMY_ERROR_ON_CREATEREMOTETHREAD;\r
goto exit;\r
}\r
\r
if (WaitForSingleObject(wi.m_hThread, 5000) == WAIT_TIMEOUT) {\r
- ret = 14;\r
+ ret = YAMY_ERROR_TIMEOUT_INJECTION;\r
m_wlTrash.push_back(wi);\r
goto dirty_exit;\r
}\r
SystemParametersInfo(SPI_GETMINIMIZEDMETRICS, sizeof(mm), &mm, 0);\r
\r
result = injectThread(m_winlogonPid);\r
- if (result == 14) {\r
+ if (result == YAMY_ERROR_TIMEOUT_INJECTION) {\r
// retry once\r
result = injectThread(m_winlogonPid);\r
- if (result == 0) {\r
- result = 22;\r
+ if (result == YAMY_SUCCESS) {\r
+ result = YAMY_ERROR_RETRY_INJECTION_SUCCESS;\r
}\r
}\r
\r
if (ret) {\r
origMap = reinterpret_cast<ScancodeMap*>(malloc(origSize));\r
if (origMap == NULL) {\r
- result = 16;\r
+ result = YAMY_ERROR_NO_MEMORY;\r
goto exit;\r
}\r
\r
ret = m_pReg->read(_T("Scancode Map"), reinterpret_cast<BYTE*>(origMap), &origSize, NULL, 0);\r
if (ret == false) {\r
- result = 17;\r
+ result = YAMY_ERROR_ON_READ_SCANCODE_MAP;\r
goto exit;\r
}\r
\r
fixSize = origSize;\r
fixMap = reinterpret_cast<ScancodeMap*>(malloc(origSize + s_fixEntryNum * sizeof(s_fixEntry[0])));\r
if (fixMap == NULL) {\r
- result = 18;\r
+ result = YAMY_ERROR_NO_MEMORY;\r
goto exit;\r
}\r
\r
fixSize = sizeof(ScancodeMap);\r
fixMap = reinterpret_cast<ScancodeMap*>(malloc(sizeof(ScancodeMap) + s_fixEntryNum * sizeof(s_fixEntry[0])));\r
if (fixMap == NULL) {\r
- result = 19;\r
+ result = YAMY_ERROR_NO_MEMORY;\r
goto exit;\r
}\r
\r
\r
ret = m_pReg->write(_T("Scancode Map"), reinterpret_cast<BYTE*>(fixMap), fixSize);\r
if (ret == false) {\r
- result = 20;\r
+ result = YAMY_ERROR_ON_WRITE_SCANCODE_MAP;\r
goto exit;\r
}\r
\r
ret = m_pReg->remove(_T("Scancode Map"));\r
}\r
if (ret == false) {\r
- result = 21;\r
+ result = YAMY_ERROR_ON_WRITE_SCANCODE_MAP;\r
goto exit;\r
}\r
\r
return update();\r
}\r
\r
+int FixScancodeMap::escape(bool i_escape)\r
+{\r
+ if (i_escape) {\r
+ SetEvent(m_hFixEvent);\r
+ } else {\r
+ SetEvent(m_hRestoreEvent);\r
+ }\r
+ return 0;\r
+}\r
+\r
+unsigned int WINAPI FixScancodeMap::threadLoop(void *i_this)\r
+{\r
+ int err;\r
+ DWORD ret;\r
+ FixScancodeMap *This = reinterpret_cast<FixScancodeMap*>(i_this);\r
+ HANDLE handles[] = {This->m_hFixEvent, This->m_hRestoreEvent, This->m_hQuitEvent};\r
+ while ((ret = MsgWaitForMultipleObjects(NUMBER_OF(handles), &handles[0],\r
+ FALSE, INFINITE, QS_POSTMESSAGE)) != WAIT_FAILED) {\r
+ switch (ret) {\r
+ case WAIT_OBJECT_0: // m_hFixEvent\r
+ ResetEvent(This->m_hFixEvent);\r
+ err = This->fix();\r
+ PostMessage(This->m_hwnd, This->m_messageOnFail, err, 1);\r
+ break;\r
+ case WAIT_OBJECT_0 + 1: // m_hRestoreEvent\r
+ ResetEvent(This->m_hRestoreEvent);\r
+ err = This->restore();\r
+ PostMessage(This->m_hwnd, This->m_messageOnFail, err, 0);\r
+ break;\r
+ case WAIT_OBJECT_0 + 2: // m_hQuiteEvent\r
+ ResetEvent(This->m_hQuitEvent);\r
+ // through below\r
+ default:\r
+ return 0;\r
+ break;\r
+ }\r
+ }\r
+ return 1;\r
+}\r
+\r
+int FixScancodeMap::init(HWND i_hwnd, UINT i_messageOnFail)\r
+{\r
+ m_hwnd = i_hwnd;\r
+ m_messageOnFail = i_messageOnFail;\r
+ return 0;\r
+}\r
+\r
FixScancodeMap::FixScancodeMap() :\r
+ m_hwnd(NULL),\r
+ m_messageOnFail(WM_NULL),\r
m_errorOnConstruct(0),\r
m_winlogonPid(0),\r
m_regHKCU(HKEY_CURRENT_USER, _T("Keyboard Layout")),\r
memcpy(&m_info.revertToSelf_, "RevertToSelf", sizeof(m_info.revertToSelf_));\r
memcpy(&m_info.openProcessToken_, "OpenProcessToken", sizeof(m_info.openProcessToken_));\r
\r
+ m_hFixEvent = CreateEvent(NULL, TRUE, FALSE, NULL);\r
+ ASSERT(m_hFixEvent);\r
+ m_hRestoreEvent = CreateEvent(NULL, TRUE, FALSE, NULL);\r
+ ASSERT(m_hRestoreEvent);\r
+ m_hQuitEvent = CreateEvent(NULL, TRUE, FALSE, NULL);\r
+ ASSERT(m_hQuitEvent);\r
+\r
+ m_hThread = (HANDLE)_beginthreadex(NULL, 0, threadLoop, this, 0, &m_threadId);\r
+\r
hMod = GetModuleHandle(_T("user32.dll"));\r
if (hMod != NULL) {\r
m_info.pUpdate4 = (FpUpdatePerUserSystemParameters4)GetProcAddress(hMod, "UpdatePerUserSystemParameters");\r
}\r
\r
if ((m_winlogonPid = getWinLogonPid()) == 0) {\r
- m_errorOnConstruct = 15;\r
+ m_errorOnConstruct = YAMY_ERROR_ON_GET_WINLOGON_PID;\r
goto exit;\r
}\r
\r
\r
FixScancodeMap::~FixScancodeMap()\r
{\r
+ SetEvent(m_hQuitEvent);\r
+ WaitForSingleObject(m_hThread, INFINITE);\r
}\r