Injlib

1. InjInitialize

```cpp
NTSTATUS
NTAPI
InjInitialize(
  _In_ PDRIVER_OBJECT DriverObject,
  _In_ PUNICODE_STRING RegistryPath,
  _In_ PINJ_SETTINGS Settings
  )
{
  NTSTATUS Status;

  //
  // Initialize injection info linked list.
  //

  InitializeListHead(&InjInfoListHead);

  ULONG Flags = RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE |
                RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING;

  for (ULONG Architecture = 0; Architecture < InjArchitectureMax; Architecture += 1)
  {
    Status = RtlDuplicateUnicodeString(Flags,
                                       &Settings->DllPath[Architecture],
                                       &InjDllPath[Architecture]);

    if (!NT_SUCCESS(Status))
    {
      goto Error;
    }
  }

  //
  // Check if we're running on Windows 7.
  //

  RTL_OSVERSIONINFOW VersionInformation = { 0 };
  VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation);
  RtlGetVersion(&VersionInformation);

  if (VersionInformation.dwMajorVersion == 6 &&
      VersionInformation.dwMinorVersion == 1)
  {
    InjDbgPrint("[injlib]: Current system is Windows 7\n");
    InjIsWindows7 = TRUE;
  }

  //
  // Default setting of the injection of Wow64 processes.
  //

#if defined(INJ_CONFIG_SUPPORTS_WOW64)
  InjMethod = Settings->Method;

# if !defined(_M_AMD64)
  //
  // Thunkless method is available on x64.
  //

  if (InjMethod == InjMethodThunkless)
  {
    InjMethod = InjMethodThunk;
  }
# endif
#else
  InjMethod = InjMethodThunk;
#endif

  InjDbgPrint("[injlib]: InjMethod: '%s'\n",
              InjMethod == InjMethodThunk           ? "InjMethodThunk" :
              InjMethod == InjMethodThunkless       ? "InjMethodThunkLess" :
              InjMethod == InjMethodWow64LogReparse ? "InjMethodWow64LogReparse" :
                                                      "UNKNOWN");

  if (InjMethod == InjMethodWow64LogReparse)
  {
    Status = SimRepInitialize(DriverObject, RegistryPath);
  }

  return Status;

Error:
  InjDestroy();
  return Status;
}
```

2. InitializeListHead, RtlDuplicateUnicodeString

1. InitializeListHead initializes InjInfoListHead.
2. The DllPath entries of Settings are duplicated into InjDllPath; Settings->DllPath already holds the DLL path that was initialized in InjCreateSettings.
```cpp
InitializeListHead(&InjInfoListHead);

ULONG Flags = RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE |
              RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING;

for (ULONG Architecture = 0; Architecture < InjArchitectureMax; Architecture += 1)
{
  Status = RtlDuplicateUnicodeString(Flags,
                                     &Settings->DllPath[Architecture],
                                     &InjDllPath[Architecture]);

  if (!NT_SUCCESS(Status))
  {
    goto Error;
  }
}
```

2.1 RtlDuplicateUnicodeString (undocumented)

```cpp
NTSTATUS
RtlDuplicateUnicodeString(
  int Flags,                     // RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (1) and/or
                                 // RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (2)
  const UNICODE_STRING* source,  // string to copy
  UNICODE_STRING* destination    // receives a newly allocated copy
  );
```
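The following is an added example, not code from this page or from injlib: a user-mode C model of RtlDuplicateUnicodeString that follows the semantics of the open-source Wine/ReactOS implementations, run through the same per-architecture loop as InjInitialize above. It shows why both flags are used: with ALLOCATE_NULL_STRING every InjDllPath slot, even one with no DLL configured, ends up with a real buffer that can be freed uniformly at teardown, and NULL_TERMINATE reserves the extra WCHAR for the terminator. The Windows types, status values and the sample path are stand-ins constructed inside the block.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* User-mode stand-ins for the Windows types and constants involved (values assumed). */
typedef uint16_t WCHAR;
typedef int32_t NTSTATUS;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define STATUS_NO_MEMORY         ((NTSTATUS)0xC0000017)
#define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE       1
#define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING 2
/* Model of RtlDuplicateUnicodeString: only the two defined flag bits are accepted; an empty source
 * yields a NULL Buffer unless ALLOCATE_NULL_STRING asks for a real allocation; NULL_TERMINATE
 * reserves one extra WCHAR beyond Length for the terminator. */
NTSTATUS ModelDuplicateUnicodeString(int Flags, const UNICODE_STRING *Source, UNICODE_STRING *Destination)
{
    if ((Flags & ~3) != 0 || Source->Length > Source->MaximumLength)
        return STATUS_INVALID_PARAMETER;
    if (Source->Length == 0 && !(Flags & RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING)) {
        Destination->Length = Destination->MaximumLength = 0; Destination->Buffer = NULL;
        return STATUS_SUCCESS;
    }
    size_t Bytes = Source->Length + ((Flags & RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE) ? sizeof(WCHAR) : 0);
    WCHAR *Buffer = malloc(Bytes ? Bytes : 1); /* malloc(0) may legally return NULL */
    if (Buffer == NULL) return STATUS_NO_MEMORY;
    if (Source->Length != 0) memcpy(Buffer, Source->Buffer, Source->Length);
    if (Flags & RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE)
        Buffer[Source->Length / sizeof(WCHAR)] = 0;
    Destination->Length = Source->Length;
    Destination->MaximumLength = (uint16_t)Bytes;
    Destination->Buffer = Buffer;
    return STATUS_SUCCESS;
}
/* Constructed inputs: slot 0 holds a DLL path, slot 1 has no DLL configured. */
static WCHAR SamplePath[] = { 'C', ':', '\\', 'x', '.', 'd', 'l', 'l' };
UNICODE_STRING Scratch, InjDllPath[2]; /* InjDllPath: the library-owned copies, as in InjInitialize */
/* The per-architecture copy loop of InjInitialize with its two flags. Returns how many
 * slots received a non-NULL (hence uniformly freeable) Buffer, or -1 on failure. */
int DuplicateArchitectureSlots(void)
{
    const UNICODE_STRING Settings[2] = { { sizeof(SamplePath), sizeof(SamplePath), SamplePath }, { 0, 0, NULL } };
    int Allocated = 0, Flags = RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE | RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING;
    for (int Architecture = 0; Architecture < 2; Architecture++) {
        if (ModelDuplicateUnicodeString(Flags, &Settings[Architecture], &InjDllPath[Architecture]) != STATUS_SUCCESS) return -1;
        Allocated += (InjDllPath[Architecture].Buffer != NULL);
    }
    return Allocated;
}
```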

3. RtlGetVersion through the return

RtlGetVersion retrieves the version information of the running Windows. If it is Windows 7, the Windows 7 flag (InjIsWindows7) is set, and the Settings->Method value is used here. On AMD64 (x64) the Thunkless method is used, so SimRepInitialize is not called.
Windows running on ARM (embedded) appears to be handled differently.
```cpp
RTL_OSVERSIONINFOW VersionInformation = { 0 };
VersionInformation.dwOSVersionInfoSize = sizeof(VersionInformation);
RtlGetVersion(&VersionInformation);

if (VersionInformation.dwMajorVersion == 6 &&
    VersionInformation.dwMinorVersion == 1)
{
  InjDbgPrint("[injlib]: Current system is Windows 7\n");
  InjIsWindows7 = TRUE;
}

//
// Default setting of the injection of Wow64 processes.
//

#if defined(INJ_CONFIG_SUPPORTS_WOW64)
InjMethod = Settings->Method;

# if !defined(_M_AMD64)
//
// Thunkless method is available on x64.
//

if (InjMethod == InjMethodThunkless)
{
  InjMethod = InjMethodThunk;
}
# endif
#else
InjMethod = InjMethodThunk;
#endif

InjDbgPrint("[injlib]: InjMethod: '%s'\n",
            InjMethod == InjMethodThunk           ? "InjMethodThunk" :
            InjMethod == InjMethodThunkless       ? "InjMethodThunkLess" :
            InjMethod == InjMethodWow64LogReparse ? "InjMethodWow64LogReparse" :
                                                    "UNKNOWN");

if (InjMethod == InjMethodWow64LogReparse)
{
  Status = SimRepInitialize(DriverObject, RegistryPath);
}

return Status;

Error:
InjDestroy();
return Status;
}
```