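/*************************************************************************
 *
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * Copyright 2000, 2010 Oracle and/or its affiliates.
 *
 * OpenOffice.org - a multi-platform office productivity suite
 *
 * This file is part of OpenOffice.org.
 *
 * OpenOffice.org is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License version 3
 * only, as published by the Free Software Foundation.
 *
 * OpenOffice.org is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License version 3 for more details
 * (a copy is included in the LICENSE file that accompanied this code).
 *
 * You should have received a copy of the GNU Lesser General Public License
 * version 3 along with OpenOffice.org. If not, see
 * <http://www.openoffice.org/license.html>
 * for a copy of the LGPLv3 License.
 *
 ************************************************************************/

#include "macros.h"
#include "win95sys.h"
#include <tlhelp32.h>

/*
 * Resolve an export and, when the returned address points at a
 * "push imm32" stub (first byte 0x68), return the pushed immediate
 * instead of the stub address.
 *
 * Returns NULL when GetProcAddress fails.
 *
 * NOTE(review): only the first opcode byte is inspected, so any export whose
 * real code begins with "push imm32" would be misread as a stub. The
 * disassembly below shows the stub as "push imm32 / jmp rel32"; confirm
 * whether checking for 0xE9 at offset 5 as well is safe on all targeted
 * systems before tightening this.
 * NOTE(review): the DWORD read assumes 32-bit pointers.
 */
static FARPROC WINAPI GetRealProcAddress( HMODULE hModule, LPCSTR lpProcName )
{
    FARPROC lpfn = GetProcAddress( hModule, lpProcName );

    if ( lpfn )
    {
        if ( 0x68 == *(LPBYTE)lpfn )
        {
            /*
            82C9F460 68 36 49 F8 BF       push        0BFF84936h
            82C9F465 E9 41 62 2F 3D       jmp         BFF956AB
            */

            /* The operand of the push is the address of the real routine. */
            lpfn = (FARPROC)*(LPDWORD)((LPBYTE)lpfn + 1);

            /*
            BFF956AB 9C                   pushfd
            BFF956AC FC                   cld
            BFF956AD 50                   push        eax
            BFF956AE 53                   push        ebx
            BFF956AF 52                   push        edx
            BFF956B0 64 8B 15 20 00 00 00 mov         edx,dword ptr fs:[20h]
            BFF956B7 0B D2                or          edx,edx
            BFF956B9 74 09                je          BFF956C4
            BFF956BB 8B 42 04             mov         eax,dword ptr [edx+4]
            BFF956BE 0B C0                or          eax,eax
            BFF956C0 74 07                je          BFF956C9
            BFF956C2 EB 42                jmp         BFF95706
            BFF956C4 5A                   pop         edx
            BFF956C5 5B                   pop         ebx
            BFF956C6 58                   pop         eax
            BFF956C7 9D                   popfd
            BFF956C8 C3                   ret
            */
        }
    }

    return lpfn;
}


typedef DWORD (WINAPI OBFUSCATE)( DWORD dwPTID );
typedef OBFUSCATE *LPOBFUSCATE;

/*
 * Call the kernel-internal routine that GetCurrentThreadId itself calls
 * (see the disassembly below) on dwPTID and return its result.
 *
 * Per the disassembly that routine XORs its argument with a value held in
 * KERNEL32, which is why GetProcessId_WINDOWS uses it in both directions
 * (id -> object pointer and object pointer -> id).
 *
 * The routine is located once by reading the rel32 displacement of the
 * "call" inside GetCurrentThreadId and is cached in a function-local static.
 * Returns 0 when the routine cannot be located.
 *
 * NOTE(review): the cache is written without synchronisation; concurrent
 * first calls would both resolve the same address - confirm that is
 * acceptable for the callers.
 */
static DWORD WINAPI Obfuscate( DWORD dwPTID )
{
    static LPOBFUSCATE lpfnObfuscate = NULL;

    if ( !lpfnObfuscate )
    {
        LPBYTE lpCode = (LPBYTE)GetRealProcAddress( GetModuleHandleA("KERNEL32"), "GetCurrentThreadId" );

        /*
        GetCurrentThreadId:
        lpCode + 00 BFF84936 A1 DC 9C FC BF       mov         eax,[BFFC9CDC] ; This is the real thread id
        lpcode + 05 BFF8493B FF 30                push        dword ptr [eax]
        lpCode + 07 BFF8493D E8 17 C5 FF FF       call        BFF80E59       ; call Obfuscate function
        lpcode + 0C BFF84942 C3                   ret
        */

        /*
         * Only trust the displacement when the byte in front of it really is
         * the "call rel32" opcode. If GetCurrentThreadId has a different
         * layout (another system build, a patched or hooked export), the
         * four bytes at +8 are not a displacement and the computed pointer
         * would send execution to an arbitrary address.
         */
        if ( lpCode && 0xE8 == lpCode[0x07] )
        {
            DWORD dwOffset = *(LPDWORD)(lpCode + 0x08);

            /* rel32 is relative to the instruction following the call (+0x0C). */
            lpfnObfuscate = (LPOBFUSCATE)(lpCode + 0x0C + dwOffset);
            /*
            Obfuscate:
            BFF80E59 A1 CC 98 FC BF       mov         eax,[BFFC98CC]
            BFF80E5E 85 C0                test        eax,eax
            BFF80E60 75 04                jne         BFF80E66
            BFF80E62 33 C0                xor         eax,eax
            BFF80E64 EB 04                jmp         BFF80E6A
            BFF80E66 33 44 24 04          xor         eax,dword ptr [esp+4]
            BFF80E6A C2 04 00             ret         4
            */
        }
    }

    return lpfnObfuscate ? lpfnObfuscate( dwPTID ) : 0;
}


/*
 * GetProcessId replacement selected by ResolveThunk_GetProcessId when
 * GetVersion() reports the high bit set.
 *
 * Maps hProcess to a process id by walking the current process' handle
 * table through the process database pointer obtained from Obfuscate().
 *
 * Returns the process id, or 0 with the last error set to
 * ERROR_INVALID_HANDLE when the handle cannot be resolved to a process
 * object.
 */
EXTERN_C DWORD WINAPI GetProcessId_WINDOWS( HANDLE hProcess )
{
    /* The pseudo handle for the current process needs no table lookup. */
    if ( GetCurrentProcess() == hProcess )
        return GetCurrentProcessId();

    DWORD dwProcessId = 0;
    PPROCESS_DATABASE pPDB = (PPROCESS_DATABASE)Obfuscate( GetCurrentProcessId() );

    /*
     * Check the object type tag and the table pointer before dereferencing:
     * pPDB is an address derived from undocumented internals, not a value
     * handed out by a documented API.
     */
    if ( pPDB && K32OBJ_PROCESS == pPDB->Type && pPDB->pHandleTable )
    {
        /* The handle value is the table index shifted left by two bits. */
        DWORD dwHandleNumber = (DWORD)hProcess >> 2;

        /* Reject handles with the low two bits set and out-of-range indices. */
        if ( 0 == ((DWORD)hProcess & 0x03) && dwHandleNumber < pPDB->pHandleTable->cEntries )
        {
            if (
                pPDB->pHandleTable->array[dwHandleNumber].pObject &&
                K32OBJ_PROCESS == pPDB->pHandleTable->array[dwHandleNumber].pObject->Type
                )
                dwProcessId = Obfuscate( (DWORD)pPDB->pHandleTable->array[dwHandleNumber].pObject );
        }
    }

    /*
     * Report the error only when no id was found; setting it on the success
     * path as well would leave a misleading last-error value behind.
     */
    if ( 0 == dwProcessId )
        SetLastError( ERROR_INVALID_HANDLE );

    return dwProcessId;
}


/*
 * Fallback used when the library named to ResolveThunk_GetProcessId does not
 * export the requested function: always fails with
 * ERROR_CALL_NOT_IMPLEMENTED and returns 0. hProcess is not used.
 */
EXTERN_C DWORD WINAPI GetProcessId_NT( HANDLE hProcess )
{
    SetLastError( ERROR_CALL_NOT_IMPLEMENTED );
    return 0;
}


/*
 * Choose the implementation behind the GetProcessId thunk and store it in
 * *lppfn.
 *
 * GetVersion() has its high bit set on the Windows 95/98/Me family, so a
 * negative value selects GetProcessId_WINDOWS. Otherwise the export
 * lpFuncName of lpLibFileName is used, falling back to GetProcessId_NT when
 * the library or the export is not available.
 *
 * NOTE(review): LoadLibraryA resolves a name without a path through the DLL
 * search order. The thunk below names kernel32; how DEFINE_CUSTOM_THUNK
 * turns that into lpLibFileName is not visible here - confirm the name
 * always refers to a system library that is already loaded.
 */
EXTERN_C void WINAPI ResolveThunk_GetProcessId( FARPROC *lppfn, LPCSTR lpLibFileName, LPCSTR lpFuncName )
{
    if ( (LONG)GetVersion() < 0 )
        *lppfn = (FARPROC)GetProcessId_WINDOWS;
    else
    {
        /* Do not hand a NULL module to GetProcAddress when the load fails. */
        HMODULE hLib = LoadLibraryA( lpLibFileName );
        FARPROC lpfnResult = hLib ? GetProcAddress( hLib, lpFuncName ) : NULL;

        if ( !lpfnResult )
            lpfnResult = (FARPROC)GetProcessId_NT;

        *lppfn = lpfnResult;
    }
}


DEFINE_CUSTOM_THUNK( kernel32, GetProcessId, DWORD, WINAPI, GetProcessId, ( HANDLE hProcess ) );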