1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/build/win32/crashinject.cpp Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,96 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +/*
1.9 + * Given a PID, this program attempts to inject a DLL into the process
1.10 + * with that PID. The DLL it attempts to inject, "crashinjectdll.dll",
1.11 + * must exist alongside this exe. The DLL will then crash the process.
1.12 + */
1.13 +#include <stdio.h>
1.14 +#include <stdlib.h>
1.15 +#include <string.h>
1.16 +#include <windows.h>
1.17 +
1.18 +int main(int argc, char** argv)
1.19 +{
1.20 + if (argc != 2) {
1.21 + fprintf(stderr, "Usage: crashinject <PID>\n");
1.22 + return 1;
1.23 + }
1.24 +
1.25 + int pid = atoi(argv[1]);
1.26 + if (pid <= 0) {
1.27 + fprintf(stderr, "Usage: crashinject <PID>\n");
1.28 + return 1;
1.29 + }
1.30 +
1.31 + // find our DLL to inject
1.32 + wchar_t filename[_MAX_PATH];
1.33 + if (GetModuleFileNameW(nullptr, filename,
1.34 + sizeof(filename) / sizeof(wchar_t)) == 0)
1.35 + return 1;
1.36 +
1.37 + wchar_t* slash = wcsrchr(filename, L'\\');
1.38 + if (slash == nullptr)
1.39 + return 1;
1.40 +
1.41 + slash++;
1.42 + wcscpy(slash, L"crashinjectdll.dll");
1.43 +
1.44 + // now find our target process
1.45 + HANDLE targetProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION,
1.46 + FALSE,
1.47 + pid);
1.48 + if (targetProc == nullptr) {
1.49 + fprintf(stderr, "Error %d opening target process\n", GetLastError());
1.50 + return 1;
1.51 + }
1.52 +
1.53 + /*
1.54 + * This is sort of insane, but we're implementing a technique described here:
1.55 + * http://www.codeproject.com/KB/threads/winspy.aspx#section_2
1.56 + *
1.57 + * The gist is to use CreateRemoteThread to create a thread in the other
1.58 + * process, but cheat and make the thread function kernel32!LoadLibrary,
1.59 + * so that the only remote data we have to pass to the other process
1.60 + * is the path to the library we want to load. The library we're loading
1.61 + * will then do its dirty work inside the other process.
1.62 + */
1.63 + HMODULE hKernel32 = GetModuleHandleW(L"Kernel32");
1.64 + // allocate some memory to hold the path in the remote process
1.65 + void* pLibRemote = VirtualAllocEx(targetProc, nullptr, sizeof(filename),
1.66 + MEM_COMMIT, PAGE_READWRITE);
1.67 + if (pLibRemote == nullptr) {
1.68 + fprintf(stderr, "Error %d in VirtualAllocEx\n", GetLastError());
1.69 + CloseHandle(targetProc);
1.70 + return 1;
1.71 + }
1.72 +
1.73 + if (!WriteProcessMemory(targetProc, pLibRemote, (void*)filename,
1.74 + sizeof(filename), nullptr)) {
1.75 + fprintf(stderr, "Error %d in WriteProcessMemory\n", GetLastError());
1.76 + VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
1.77 + CloseHandle(targetProc);
1.78 + return 1;
1.79 + }
1.80 + // Now create a thread in the target process that will load our DLL
1.81 + HANDLE hThread = CreateRemoteThread(
1.82 + targetProc, nullptr, 0,
1.83 + (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,
1.84 + "LoadLibraryW"),
1.85 + pLibRemote, 0, nullptr);
1.86 + if (hThread == nullptr) {
1.87 + fprintf(stderr, "Error %d in CreateRemoteThread\n", GetLastError());
1.88 + VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
1.89 + CloseHandle(targetProc);
1.90 + return 1;
1.91 + }
1.92 + WaitForSingleObject(hThread, INFINITE);
1.93 + // Cleanup, not that it's going to matter at this point
1.94 + CloseHandle(hThread);
1.95 + VirtualFreeEx(targetProc, pLibRemote, sizeof(filename), MEM_RELEASE);
1.96 + CloseHandle(targetProc);
1.97 +
1.98 + return 0;
1.99 +}
