/build/win32/crashinject.cpp

http://github.com/zpao/v8monkey · C++ · 128 lines · 62 code · 10 blank · 56 comment · 14 complexity · 1bff0f3faf1a9b85468e8c019514d568 MD5 · raw file

  1. /* ***** BEGIN LICENSE BLOCK *****
  2. * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3. *
  4. * The contents of this file are subject to the Mozilla Public License Version
  5. * 1.1 (the "License"); you may not use this file except in compliance with
  6. * the License. You may obtain a copy of the License at
  7. * http://www.mozilla.org/MPL/
  8. *
  9. * Software distributed under the License is distributed on an "AS IS" basis,
  10. * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
  11. * for the specific language governing rights and limitations under the
  12. * License.
  13. *
  14. * The Original Code is Crash Injection Utility
  15. *
  16. * The Initial Developer of the Original Code is
  17. * The Mozilla Foundation.
  18. * Portions created by the Initial Developer are Copyright (C) 2009
  19. * the Initial Developer. All Rights Reserved.
  20. *
  21. * Contributor(s):
  22. * Ted Mielczarek <ted.mielczarek@gmail.com>
  23. *
  24. * Alternatively, the contents of this file may be used under the terms of
  25. * either the GNU General Public License Version 2 or later (the "GPL"), or
  26. * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  27. * in which case the provisions of the GPL or the LGPL are applicable instead
  28. * of those above. If you wish to allow use of your version of this file only
  29. * under the terms of either the GPL or the LGPL, and not to allow others to
  30. * use your version of this file under the terms of the MPL, indicate your
  31. * decision by deleting the provisions above and replace them with the notice
  32. * and other provisions required by the GPL or the LGPL. If you do not delete
  33. * the provisions above, a recipient may use your version of this file under
  34. * the terms of any one of the MPL, the GPL or the LGPL.
  35. *
  36. * ***** END LICENSE BLOCK ***** */
  37. /*
  38. * Given a PID, this program attempts to inject a DLL into the process
  39. * with that PID. The DLL it attempts to inject, "crashinjectdll.dll",
  40. * must exist alongside this exe. The DLL will then crash the process.
  41. */
  42. #include <stdio.h>
  43. #include <stdlib.h>
  44. #include <string.h>
  45. #include <windows.h>
  46. int main(int argc, char** argv)
  47. {
  48. if (argc != 2) {
  49. fprintf(stderr, "Usage: crashinject <PID>\n");
  50. return 1;
  51. }
  52. int pid = atoi(argv[1]);
  53. if (pid <= 0) {
  54. fprintf(stderr, "Usage: crashinject <PID>\n");
  55. return 1;
  56. }
  57. // find our DLL to inject
  58. wchar_t filename[_MAX_PATH];
  59. if (GetModuleFileNameW(NULL, filename, sizeof(filename) / sizeof(wchar_t)) == 0)
  60. return 1;
  61. wchar_t* slash = wcsrchr(filename, L'\\');
  62. if (slash == NULL)
  63. return 1;
  64. slash++;
  65. wcscpy(slash, L"crashinjectdll.dll");
  66. // now find our target process
  67. HANDLE targetProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION,
  68. FALSE,
  69. pid);
  70. if (targetProc == NULL) {
  71. fprintf(stderr, "Error %d opening target process\n", GetLastError());
  72. return 1;
  73. }
  74. /*
  75. * This is sort of insane, but we're implementing a technique described here:
  76. * http://www.codeproject.com/KB/threads/winspy.aspx#section_2
  77. *
  78. * The gist is to use CreateRemoteThread to create a thread in the other
  79. * process, but cheat and make the thread function kernel32!LoadLibrary,
  80. * so that the only remote data we have to pass to the other process
  81. * is the path to the library we want to load. The library we're loading
  82. * will then do its dirty work inside the other process.
  83. */
  84. HMODULE hKernel32 = GetModuleHandleW(L"Kernel32");
  85. // allocate some memory to hold the path in the remote process
  86. void* pLibRemote = VirtualAllocEx(targetProc, NULL, sizeof(filename),
  87. MEM_COMMIT, PAGE_READWRITE);
  88. if (pLibRemote == NULL) {
  89. fprintf(stderr, "Error %d in VirtualAllocEx\n", GetLastError());
  90. CloseHandle(targetProc);
  91. return 1;
  92. }
  93. if (!WriteProcessMemory(targetProc, pLibRemote, (void*)filename,
  94. sizeof(filename), NULL)) {
  95. fprintf(stderr, "Error %d in WriteProcessMemory\n", GetLastError());
  96. VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
  97. CloseHandle(targetProc);
  98. return 1;
  99. }
  100. // Now create a thread in the target process that will load our DLL
  101. HANDLE hThread = CreateRemoteThread(
  102. targetProc, NULL, 0,
  103. (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,
  104. "LoadLibraryW"),
  105. pLibRemote, 0, NULL);
  106. if (hThread == NULL) {
  107. fprintf(stderr, "Error %d in CreateRemoteThread\n", GetLastError());
  108. VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
  109. CloseHandle(targetProc);
  110. return 1;
  111. }
  112. WaitForSingleObject(hThread, INFINITE);
  113. // Cleanup, not that it's going to matter at this point
  114. CloseHandle(hThread);
  115. VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
  116. CloseHandle(targetProc);
  117. return 0;
  118. }