PageRenderTime 32ms CodeModel.GetById 13ms app.highlight 14ms RepoModel.GetById 1ms app.codeStats 1ms

/build/win32/crashinject.cpp

http://github.com/zpao/v8monkey
C++ | 128 lines | 62 code | 10 blank | 56 comment | 14 complexity | 1bff0f3faf1a9b85468e8c019514d568 MD5 | raw file 
  1/* ***** BEGIN LICENSE BLOCK *****
  2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3 *
  4 * The contents of this file are subject to the Mozilla Public License Version
  5 * 1.1 (the "License"); you may not use this file except in compliance with
  6 * the License. You may obtain a copy of the License at
  7 * http://www.mozilla.org/MPL/
  8 *
  9 * Software distributed under the License is distributed on an "AS IS" basis,
 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 11 * for the specific language governing rights and limitations under the
 12 * License.
 13 *
 14 * The Original Code is Crash Injection Utility
 15 *
 16 * The Initial Developer of the Original Code is
 17 * The Mozilla Foundation.
 18 * Portions created by the Initial Developer are Copyright (C) 2009
 19 * the Initial Developer. All Rights Reserved.
 20 *
 21 * Contributor(s):
 22 *   Ted Mielczarek <ted.mielczarek@gmail.com>
 23 *
 24 * Alternatively, the contents of this file may be used under the terms of
 25 * either the GNU General Public License Version 2 or later (the "GPL"), or
 26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 27 * in which case the provisions of the GPL or the LGPL are applicable instead
 28 * of those above. If you wish to allow use of your version of this file only
 29 * under the terms of either the GPL or the LGPL, and not to allow others to
 30 * use your version of this file under the terms of the MPL, indicate your
 31 * decision by deleting the provisions above and replace them with the notice
 32 * and other provisions required by the GPL or the LGPL. If you do not delete
 33 * the provisions above, a recipient may use your version of this file under
 34 * the terms of any one of the MPL, the GPL or the LGPL.
 35 *
 36 * ***** END LICENSE BLOCK ***** */
 37
 38/*
 39 * Given a PID, this program attempts to inject a DLL into the process
 40 * with that PID. The DLL it attempts to inject, "crashinjectdll.dll",
 41 * must exist alongside this exe. The DLL will then crash the process.
 42 */
 43#include <stdio.h>
 44#include <stdlib.h>
 45#include <string.h>
 46#include <windows.h>
 47
 48int main(int argc, char** argv)
 49{
 50  if (argc != 2) {
 51    fprintf(stderr, "Usage: crashinject <PID>\n");
 52    return 1;
 53  }
 54
 55  int pid = atoi(argv[1]);
 56  if (pid <= 0) {
 57    fprintf(stderr, "Usage: crashinject <PID>\n");
 58    return 1;
 59  }
 60
 61  // find our DLL to inject
 62  wchar_t filename[_MAX_PATH];
 63  if (GetModuleFileNameW(NULL, filename, sizeof(filename) / sizeof(wchar_t)) == 0)
 64    return 1;
 65
 66  wchar_t* slash = wcsrchr(filename, L'\\');
 67  if (slash == NULL)
 68    return 1;
 69
 70  slash++;
 71  wcscpy(slash, L"crashinjectdll.dll");
 72
 73  // now find our target process
 74  HANDLE targetProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION,
 75                                  FALSE,
 76                                  pid);
 77  if (targetProc == NULL) {
 78    fprintf(stderr, "Error %d opening target process\n", GetLastError());
 79    return 1;
 80  }
 81
 82  /*
 83   * This is sort of insane, but we're implementing a technique described here:
 84   * http://www.codeproject.com/KB/threads/winspy.aspx#section_2
 85   *
 86   * The gist is to use CreateRemoteThread to create a thread in the other
 87   * process, but cheat and make the thread function kernel32!LoadLibrary,
 88   * so that the only remote data we have to pass to the other process
 89   * is the path to the library we want to load. The library we're loading
 90   * will then do its dirty work inside the other process.
 91   */
 92  HMODULE hKernel32 = GetModuleHandleW(L"Kernel32");
 93  // allocate some memory to hold the path in the remote process
 94  void*   pLibRemote = VirtualAllocEx(targetProc, NULL, sizeof(filename),
 95                                      MEM_COMMIT, PAGE_READWRITE);
 96  if (pLibRemote == NULL) {
 97    fprintf(stderr, "Error %d in VirtualAllocEx\n", GetLastError());
 98    CloseHandle(targetProc);
 99    return 1;
100  }
101
102  if (!WriteProcessMemory(targetProc, pLibRemote, (void*)filename,
103                          sizeof(filename), NULL)) {
104    fprintf(stderr, "Error %d in WriteProcessMemory\n", GetLastError());
105    VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
106    CloseHandle(targetProc);
107    return 1;
108  }
109  // Now create a thread in the target process that will load our DLL
110  HANDLE hThread = CreateRemoteThread(
111                     targetProc, NULL, 0,
112                     (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,
113                                                            "LoadLibraryW"),
114                     pLibRemote, 0, NULL);
115  if (hThread == NULL) {
116    fprintf(stderr, "Error %d in CreateRemoteThread\n", GetLastError());
117    VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
118    CloseHandle(targetProc);
119    return 1;
120  }
121  WaitForSingleObject(hThread, INFINITE);
122  // Cleanup, not that it's going to matter at this point
123  CloseHandle(hThread);
124  VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
125  CloseHandle(targetProc);
126
127  return 0;
128}