un-hardcode the API number for ClientLoadLibrary, and re-enable DLL i…

…njection protection on Vista. this might break everything on Vista and Windows 7 but hopefully it works on both.
TASEmulators · Jul 26, 2011 · 92bc804 · 92bc804
1 parent 21bfe98
commit 92bc804
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 25 deletions.
diff --git a/src/wintasee/hooks/modulehooks.cpp b/src/wintasee/hooks/modulehooks.cpp
@@ -234,6 +234,9 @@ static BOOL WideStringContains(LPWSTR lpFileName, const char* match)
 	return (BOOL)strstr(name, match);
 }
 
+bool watchForCLLApiNum = false;
+int cllApiNum = -1;
+
 //void debugsplatmem(DWORD address, const char* name);
 
 HOOKFUNC NTSTATUS NTAPI MyLdrLoadDll(PWCHAR PathToFile, ULONG Flags, PUNICODE_STRING ModuleFileName, PHANDLE ModuleHandle)
@@ -259,6 +262,7 @@ HOOKFUNC NTSTATUS NTAPI MyLdrLoadDll(PWCHAR PathToFile, ULONG Flags, PUNICODE_ST
 		if(curtls.callingClientLoadLibrary || curtls.treatDLLLoadsAsClient)
 		{
 			curtls.callingClientLoadLibrary = FALSE; // see MyKiUserCallbackDispatcher
+			watchForCLLApiNum = false; // if we were watching for the apiNum, it must have worked
 			if(!ShouldLoadUserDll(ModuleFileName->Buffer))
 			{
 				//debuglog(LCF_MODULE, "DENIED loading DLL: %S\n", ModuleFileName->Buffer);
@@ -432,24 +436,22 @@ HOOKFUNC NTSTATUS NTAPI MyLdrLoadDll(PWCHAR PathToFile, ULONG Flags, PUNICODE_ST
 
 HOOKFUNC VOID NTAPI MyKiUserCallbackDispatcher(ULONG ApiNumber, PVOID InputBuffer, ULONG InputLength)
 {
-//	debugprintf(__FUNCTION__ "(ApiNumber=%d) called.\n",ApiNumber);
+	//debugprintf(__FUNCTION__ "(ApiNumber=%d) called.\n",ApiNumber);
+
+	// maybe should instead scan the stack in MyLdrLoadDll for something we put on the stack in MyKiUserCallbackDispatcher? but I couldn't get it to work...
 //	char test [8] = {0,0x42,0x42,0x42,0x42,0x42,0x42,0x42,};
 //	debugprintf(test);
 
-	// FIXME: hardcoded OS-version-specific numbers suck.
-	// maybe should scan the stack in MyLdrLoadDll for KiUserCallbackDispatcher.
-	if(ApiNumber != 66 // the index of user32!__ClientLoadLibrary in the KernelCallbackTable on Windows XP 32-bit
-	&& ApiNumber != 65 // the index of user32!__ClientLoadLibrary in the KernelCallbackTable on Windows 7 in Wow64
-	)
-	{
-		KiUserCallbackDispatcher(ApiNumber, InputBuffer, InputLength);
-	}
-	else
-	{
+	if(watchForCLLApiNum)
+		cllApiNum = ApiNumber;
+
+	if(ApiNumber == cllApiNum)
 		tls.callingClientLoadLibrary = TRUE;
-		KiUserCallbackDispatcher(ApiNumber, InputBuffer, InputLength);
-		// code placed here won't run, so we reset tls.callingClientLoadLibrary in MyLdrLoadDll
-	}
+
+	KiUserCallbackDispatcher(ApiNumber, InputBuffer, InputLength);
+	// at least on Windows XP, code placed here won't run,
+	// because KiUserCallbackDispatcher returns directly to the kernel mode code that called us.
+	// so, so we have to reset tls.callingClientLoadLibrary elsewhere (in MyLdrLoadDll)
 }
 
 // TODO it's just for debugging but this is kind of wrong (chooseriid, riidToName)

diff --git a/src/wintasee/wintasee.cpp b/src/wintasee/wintasee.cpp
@@ -1530,6 +1530,13 @@ void HookCOMInterface(REFIID riid, LPVOID* ppvOut, bool uncheckedFastNew)
 
 //typedef UINT (WINAPI *SetCPGlobalType)(UINT acp);
 
+OSVERSIONINFO osvi = {sizeof(OSVERSIONINFO)};
+// warning: we can't trust these too much (version lies from compatibility mode shims are common)
+bool IsWindowsXP()    { return osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1; }
+bool IsWindowsVista() { return osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 0; }
+bool IsWindows7()     { return osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1; }
+
+
 DWORD WINAPI PostDllMain(LPVOID lpParam)
 {
 	dllInitializationDone = true;
@@ -1538,8 +1545,16 @@ DWORD WINAPI PostDllMain(LPVOID lpParam)
 	detTimer.OnSystemTimerRecalibrated();
 
 	ThreadLocalStuff& curtls = tls;
-	curtls.callerisuntrusted++;
-	//curtls.treatDLLLoadsAsClient++;
+	curtls.callerisuntrusted++; // avoid advancing timer here
+
+	// see MyKiUserCallbackDispatcher... to avoid hardcoding OS-specific constants, we take the chance to measure one of them here.
+	extern bool watchForCLLApiNum;
+	extern int cllApiNum;
+	watchForCLLApiNum = true; // a few functions like GetSystemMetrics and LoadKeyboardLayout are very likely to call ClientLoadLibrary
+	curtls.treatDLLLoadsAsClient++;
+	GetSystemMetrics(42);
+	curtls.treatDLLLoadsAsClient--; // disable here because we'd prefer LoadKeyboardLayout to actually succeed.  
+	curtls.callingClientLoadLibrary = FALSE;
 
 	// moved from DllMain since it was causing a loader lock problem
 	//LoadKeyboardLayoutA(keyboardLayoutName, KLF_ACTIVATE | KLF_REORDER | KLF_SETFORPROCESS);
@@ -1553,17 +1568,33 @@ DWORD WINAPI PostDllMain(LPVOID lpParam)
 			(DWORD&)g_hklOverride |= ((DWORD)g_hklOverride << 16);
 	}
 	debugprintf("keyboardLayout = %s, hkl = %08X -> %08X", keyboardLayoutName, loadLayoutRv, g_hklOverride);
+	curtls.callingClientLoadLibrary = FALSE;
 
 	if(tasflags.appLocale)
 	{
 		SetThreadLocale(tasflags.appLocale);
 		SetThreadUILanguage(tasflags.appLocale);
 	}
 
-	//curtls.treatDLLLoadsAsClient--;
+	if(watchForCLLApiNum || cllApiNum == -1)
+	{
+		// didn't find it, somehow
+		watchForCLLApiNum = false;
+		cllApiNum = -1;
+		GetVersionEx(&osvi);
+		cllApiNum = (IsWindows7() ? 65 : 66);
+		debugprintf("using ClientLoadLibrary ApiNumber = %d. OS = %d.%d\n", cllApiNum, osvi.dwMajorVersion, osvi.dwMinorVersion);
+	}
+	else
+	{
+		GetVersionEx(&osvi);
+		debugprintf("found ClientLoadLibrary ApiNumber = %d. OS = %d.%d\n", cllApiNum, osvi.dwMajorVersion, osvi.dwMinorVersion);
+	}
+	curtls.callingClientLoadLibrary = FALSE;
+
 	curtls.callerisuntrusted--;
 
-	tls.isFirstThread = true;
+	curtls.isFirstThread = true;
 
 	cmdprintf("POSTDLLMAINDONE: 0");
 

diff --git a/src/wintaser/wintaser.cpp b/src/wintaser/wintaser.cpp
@@ -257,7 +257,7 @@ bool InjectDLLIntoIDT(DWORD dwInjectProcessID, HANDLE hInjectProcess, HANDLE hIn
 
 
 OSVERSIONINFO osvi = {sizeof(OSVERSIONINFO)};
-
+// warning: we can't trust these too much (version lies from compatibility mode shims are common)
 bool IsWindowsXP()    { return osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1; }
 bool IsWindowsVista() { return osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 0; }
 bool IsWindows7()     { return osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1; }
@@ -8012,12 +8012,12 @@ int APIENTRY _tWinMain(HINSTANCE hInstance,
 	NormalizePath(thisprocessPath, thisprocessPath);
 
 	GetVersionEx(&osvi);
-	if(!IsWindowsXP() && !IsWindows7())
-	{
-		// HACK: disable a feature on systems not supported by the current implementation of MyKiUserCallbackDispatcher
-		allowLoadInstalledDlls = true;
-		allowLoadUxtheme = true;
-	}
+	//if(!IsWindowsXP() && !IsWindows7())
+	//{
+	//	// HACK: disable a feature on systems not supported by the current implementation of MyKiUserCallbackDispatcher
+	//	allowLoadInstalledDlls = true;
+	//	allowLoadUxtheme = true;
+	//}
 
 	InitRamSearch();