Back to index

enigmail  1.4.3
crashinject.cpp
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is Crash Injection Utility
00015  *
00016  * The Initial Developer of the Original Code is
00017  * The Mozilla Foundation.
00018  * Portions created by the Initial Developer are Copyright (C) 2009
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *   Ted Mielczarek <ted.mielczarek@gmail.com>
00023  *
00024  * Alternatively, the contents of this file may be used under the terms of
00025  * either the GNU General Public License Version 2 or later (the "GPL"), or
00026  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00027  * in which case the provisions of the GPL or the LGPL are applicable instead
00028  * of those above. If you wish to allow use of your version of this file only
00029  * under the terms of either the GPL or the LGPL, and not to allow others to
00030  * use your version of this file under the terms of the MPL, indicate your
00031  * decision by deleting the provisions above and replace them with the notice
00032  * and other provisions required by the GPL or the LGPL. If you do not delete
00033  * the provisions above, a recipient may use your version of this file under
00034  * the terms of any one of the MPL, the GPL or the LGPL.
00035  *
00036  * ***** END LICENSE BLOCK ***** */
00037 
00038 /*
00039  * Given a PID, this program attempts to inject a DLL into the process
00040  * with that PID. The DLL it attempts to inject, "crashinjectdll.dll",
00041  * must exist alongside this exe. The DLL will then crash the process.
00042  */
00043 #include <stdio.h>
00044 #include <stdlib.h>
00045 #include <string.h>
00046 #include <windows.h>
00047 
00048 int main(int argc, char** argv)
00049 {
00050   if (argc != 2) {
00051     fprintf(stderr, "Usage: crashinject <PID>\n");
00052     return 1;
00053   }
00054 
00055   int pid = atoi(argv[1]);
00056   if (pid <= 0) {
00057     fprintf(stderr, "Usage: crashinject <PID>\n");
00058     return 1;
00059   }
00060 
00061   // find our DLL to inject
00062   wchar_t filename[_MAX_PATH];
00063   if (GetModuleFileNameW(NULL, filename, sizeof(filename) / sizeof(wchar_t)) == 0)
00064     return 1;
00065 
00066   wchar_t* slash = wcsrchr(filename, L'\\');
00067   if (slash == NULL)
00068     return 1;
00069 
00070   slash++;
00071   wcscpy(slash, L"crashinjectdll.dll");
00072 
00073   // now find our target process
00074   HANDLE targetProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION,
00075                                   FALSE,
00076                                   pid);
00077   if (targetProc == NULL) {
00078     fprintf(stderr, "Error %d opening target process\n", GetLastError());
00079     return 1;
00080   }
00081 
00082   /*
00083    * This is sort of insane, but we're implementing a technique described here:
00084    * http://www.codeproject.com/KB/threads/winspy.aspx#section_2
00085    *
00086    * The gist is to use CreateRemoteThread to create a thread in the other
00087    * process, but cheat and make the thread function kernel32!LoadLibrary,
00088    * so that the only remote data we have to pass to the other process
00089    * is the path to the library we want to load. The library we're loading
00090    * will then do its dirty work inside the other process.
00091    */
00092   HMODULE hKernel32 = GetModuleHandleW(L"Kernel32");
00093   // allocate some memory to hold the path in the remote process
00094   void*   pLibRemote = VirtualAllocEx(targetProc, NULL, sizeof(filename),
00095                                       MEM_COMMIT, PAGE_READWRITE);
00096   if (pLibRemote == NULL) {
00097     fprintf(stderr, "Error %d in VirtualAllocEx\n", GetLastError());
00098     CloseHandle(targetProc);
00099     return 1;
00100   }
00101 
00102   if (!WriteProcessMemory(targetProc, pLibRemote, (void*)filename,
00103                           sizeof(filename), NULL)) {
00104     fprintf(stderr, "Error %d in WriteProcessMemory\n", GetLastError());
00105     VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
00106     CloseHandle(targetProc);
00107     return 1;
00108   }
00109   // Now create a thread in the target process that will load our DLL
00110   HANDLE hThread = CreateRemoteThread(
00111                      targetProc, NULL, 0,
00112                      (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,
00113                                                             "LoadLibraryW"),
00114                      pLibRemote, 0, NULL);
00115   if (hThread == NULL) {
00116     fprintf(stderr, "Error %d in CreateRemoteThread\n", GetLastError());
00117     VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
00118     CloseHandle(targetProc);
00119     return 1;
00120   }
00121   WaitForSingleObject(hThread, INFINITE);
00122   // Cleanup, not that it's going to matter at this point
00123   CloseHandle(hThread);
00124   VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
00125   CloseHandle(targetProc);
00126 
00127   return 0;
00128 }