Lenheart
/
DNF_DLL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
DNF_DLL/test/Detours/tests/test_module_api.cpp

732 lines
21 KiB
C++
Raw Normal View History

1211
2022-09-06 00:08:26 +08:00
//////////////////////////////////////////////////////////////////////////////
//
// Unit Tests for Detours Module API (test_module_api.cpp of unittests.exe)
//
// Microsoft Research Detours Package
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
#include "catch.hpp"
#include "windows.h"
#define DETOURS_INTERNAL
#include "detours.h"
#include "corruptor.h"
#include "payload.h"
#include "process_helpers.h"
// Expose the image base of the current module for test assertions.
//
extern "C" IMAGE_DOS_HEADER __ImageBase;
// Expose default module entry point for test assertions.
//
extern "C" int mainCRTStartup();
// Dummy function pointer used for tests.
//
void NoopFunction() { }
TEST_CASE("DetourLoadImageHlp", "[module]")
{
SECTION("Passing own function, results in own HMODULE")
{
auto info = DetourLoadImageHlp();
REQUIRE( info != nullptr );
REQUIRE( info->hDbgHelp != NULL);
REQUIRE( info->pfImagehlpApiVersionEx != nullptr );
REQUIRE( info->pfSymInitialize != nullptr );
REQUIRE( info->pfSymSetOptions != nullptr );
REQUIRE( info->pfSymGetOptions != nullptr );
REQUIRE( info->pfSymLoadModule64 != nullptr );
REQUIRE( info->pfSymGetModuleInfo64 != nullptr );
REQUIRE( info->pfSymFromName != nullptr );
}
}
TEST_CASE("DetourFindFunction", "[module]")
{
SECTION("Passing nullptr for all parameters, results in nullptr")
{
SetLastError(NO_ERROR);
auto func = DetourFindFunction(nullptr, nullptr);
REQUIRE( GetLastError() == ERROR_INVALID_PARAMETER );
REQUIRE( func == nullptr );
}
SECTION("Passing nullptr for function, results in nullptr")
{
SetLastError(NO_ERROR);
auto func = DetourFindFunction("ntdll.dll", nullptr);
REQUIRE( GetLastError() == ERROR_INVALID_PARAMETER );
REQUIRE( func == nullptr );
}
SECTION("Passing nullptr for module, results in nullptr")
{
SetLastError(NO_ERROR);
auto func = DetourFindFunction(nullptr, "FunctionThatDoesntExist");
REQUIRE( GetLastError() == ERROR_INVALID_PARAMETER );
REQUIRE( func == nullptr );
}
SECTION("Finding ntdll export is successful")
{
SetLastError(NO_ERROR);
auto func = DetourFindFunction("ntdll.dll", "NtDeviceIoControlFile");
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( func != nullptr );
}
}
TEST_CASE("DetourGetContainingModule", "[module]")
{
SECTION("Passing nullptr, results in nullptr")
{
SetLastError(NO_ERROR);
auto mod = DetourGetContainingModule(nullptr);
REQUIRE( GetLastError() == ERROR_BAD_EXE_FORMAT );
REQUIRE( mod == nullptr );
}
SECTION("Passing GetCommandLineW, results in kernel32 HMODULE")
{
SetLastError(ERROR_INVALID_HANDLE);
auto mod = DetourGetContainingModule(GetCommandLineW);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( mod == LoadLibraryW(L"kernel32.dll") );
}
SECTION("Passing own function, results in own HMODULE")
{
SetLastError(ERROR_INVALID_HANDLE);
auto mod = DetourGetContainingModule(NoopFunction);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( mod == reinterpret_cast<HMODULE>(&__ImageBase) );
}
}
TEST_CASE("DetourGetEntyPoint", "[module]")
{
SECTION("Passing nullptr, results in CRT entrypoint")
{
SetLastError(ERROR_INVALID_HANDLE);
auto entry = DetourGetEntryPoint(nullptr);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( entry == mainCRTStartup );
}
SECTION("Passing nullptr, equals executing image")
{
REQUIRE( DetourGetEntryPoint(nullptr) ==
DetourGetEntryPoint(reinterpret_cast<HMODULE>(&__ImageBase)) );
}
SECTION("Passing ImageBase, results in CRT main")
{
SetLastError(ERROR_INVALID_HANDLE);
auto entry = DetourGetEntryPoint(reinterpret_cast<HMODULE>(&__ImageBase));
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( entry == mainCRTStartup );
}
SECTION("Corrupt image DOS header magic, results in bad exe format error")
{
ImageCorruptor corruptor(&__ImageBase);
corruptor.ModifyDosMagic(0xDEAD);
SetLastError(NO_ERROR);
auto entry = DetourGetEntryPoint(reinterpret_cast<HMODULE>(&__ImageBase));
REQUIRE( GetLastError() == ERROR_BAD_EXE_FORMAT );
REQUIRE( entry == nullptr );
}
SECTION("Corrupt image NT header signature, results in invalid signature error")
{
ImageCorruptor corruptor(&__ImageBase);
corruptor.ModifyNtSignature(0xDEADBEEF);
SetLastError(NO_ERROR);
auto entry = DetourGetEntryPoint(reinterpret_cast<HMODULE>(&__ImageBase));
REQUIRE( GetLastError() == ERROR_INVALID_EXE_SIGNATURE );
REQUIRE( entry == nullptr );
}
}
TEST_CASE("DetourGetModuleSize", "[module]")
{
SECTION("Passing nullptr, results in current module size")
{
SetLastError(ERROR_INVALID_HANDLE);
auto size = DetourGetModuleSize(nullptr);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( size > 0 );
}
SECTION("Passing stack, results in error")
{
SetLastError(NO_ERROR);
int value;
auto size = DetourGetModuleSize(reinterpret_cast<HMODULE>(&value));
REQUIRE( GetLastError() == ERROR_BAD_EXE_FORMAT);
REQUIRE( size == 0 );
}
SECTION("Passing nullptr, equals executing image")
{
REQUIRE( DetourGetModuleSize(nullptr) ==
DetourGetModuleSize(reinterpret_cast<HMODULE>(&__ImageBase)) );
}
SECTION("Corrupt image DOS header magic, results in bad exe format error")
{
ImageCorruptor corruptor(&__ImageBase);
corruptor.ModifyDosMagic(0xDEAD);
SetLastError(NO_ERROR);
auto size = DetourGetModuleSize(reinterpret_cast<HMODULE>(&__ImageBase));
REQUIRE( GetLastError() == ERROR_BAD_EXE_FORMAT );
REQUIRE( size == 0 );
}
SECTION("Corrupt image NT header signature, results in invalid signature error")
{
ImageCorruptor corruptor(&__ImageBase);
corruptor.ModifyNtSignature(0xDEADBEEF);
SetLastError(NO_ERROR);
auto size = DetourGetModuleSize(reinterpret_cast<HMODULE>(&__ImageBase));
REQUIRE( GetLastError() == ERROR_INVALID_EXE_SIGNATURE );
REQUIRE( size == 0 );
}
}
TEST_CASE("DetourEnumerateModules", "[module]")
{
SECTION("Passing nullptr, results in current module being returned")
{
SetLastError(ERROR_INVALID_HANDLE);
auto mod = DetourEnumerateModules(nullptr);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( mod == reinterpret_cast<HMODULE>(&__ImageBase) );
}
SECTION("Passing stack, results in module")
{
SetLastError(NO_ERROR);
int value;
auto mod = DetourEnumerateModules(reinterpret_cast<HMODULE>(&value));
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( mod != NULL );
}
}
// Export test function, only used for test assertions.
//
__declspec(dllexport) void TestFunctionExport() { }
// Context object passed to DetourEnumerateExport(..)
//
struct EnumerateExportsTestContext
{
// Number of exports
//
int ExportCount { 0 };
// If the 'TestFunctionExport' export exists in the module.
//
bool ExportFound { false };
};
// Callback for each modue enumerated with DetourEnumerateExport(..)
//
BOOL CALLBACK ExportCallback(
_In_opt_ PVOID pContext,
_In_ ULONG nOrdinal,
_In_opt_ LPCSTR pszSymbol,
_In_opt_ PVOID pbTarget)
{
(void)pContext;
(void)pbTarget;
(void)nOrdinal;
EnumerateExportsTestContext* context =
reinterpret_cast<EnumerateExportsTestContext*>(pContext);
context->ExportCount++;
context->ExportFound |= Catch::contains(pszSymbol, "TestFunctionExport");
return TRUE;
}
TEST_CASE("DetourEnumerateExports", "[module]")
{
SECTION("Passing nullptr all, results in failure.")
{
SetLastError(NO_ERROR);
auto success = DetourEnumerateExports(nullptr, nullptr, nullptr);
REQUIRE( GetLastError() == ERROR_INVALID_PARAMETER );
REQUIRE_FALSE( success );
}
SECTION("Passing nullptr for just the module, resolves export in current modulee.")
{
SetLastError(ERROR_INVALID_HANDLE);
EnumerateExportsTestContext context {};
auto success = DetourEnumerateExports(nullptr, &context, ExportCallback);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( success );
REQUIRE( context.ExportCount == 1 );
REQUIRE( context.ExportFound );
}
SECTION("Passing current module, resolves export correctly.")
{
SetLastError(ERROR_INVALID_HANDLE);
EnumerateExportsTestContext context {};
auto mod = reinterpret_cast<HMODULE>(&__ImageBase);
auto success = DetourEnumerateExports(mod, &context, ExportCallback);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( success );
REQUIRE( context.ExportCount == 1 );
REQUIRE( context.ExportFound );
}
SECTION("Passing stack, results in error")
{
SetLastError(NO_ERROR);
int value;
auto mod = reinterpret_cast<HMODULE>(&value);
EnumerateExportsTestContext context {};
auto success = DetourEnumerateExports(mod, &context, ExportCallback);
REQUIRE( GetLastError() == ERROR_BAD_EXE_FORMAT);
REQUIRE_FALSE( success );
}
SECTION("Corrupt image DOS header magic, results in bad exe format error")
{
ImageCorruptor corruptor(&__ImageBase);
corruptor.ModifyDosMagic(0xDEAD);
SetLastError(NO_ERROR);
EnumerateExportsTestContext context {};
auto mod = reinterpret_cast<HMODULE>(&__ImageBase);
auto success = DetourEnumerateExports(mod, &context, ExportCallback);
REQUIRE( GetLastError() == ERROR_BAD_EXE_FORMAT );
REQUIRE_FALSE( success );
}
SECTION("Corrupt image NT header signature, results in invalid signature error")
{
ImageCorruptor corruptor(&__ImageBase);
corruptor.ModifyNtSignature(0xDEADBEEF);
SetLastError(NO_ERROR);
EnumerateExportsTestContext context {};
auto mod = reinterpret_cast<HMODULE>(&__ImageBase);
auto success = DetourEnumerateExports(mod, &context, ExportCallback);
REQUIRE( GetLastError() == ERROR_INVALID_EXE_SIGNATURE );
REQUIRE_FALSE( success );
}
}
// Context object passed to DetourEnumerateimportsExport(..)
//
struct EnumerateImportsTestContext
{
// Number of imports
//
int ImportCount { 0 };
// If the 'TestFunctionExport' export exists in the module.
//
bool ImportModuleFound { false };
// Number of imports
//
int ImportFuncCount { 0 };
// If the 'TestFunctionExport' export exists in the module.
//
bool ImportFuncFound { false };
};
// Callback for each module enumerated with DetourEnumerateImports(..)
//
BOOL WINAPI ImportFileCallback(PVOID pContext, HMODULE, PCSTR pszFile)
{
EnumerateImportsTestContext* context =
reinterpret_cast<EnumerateImportsTestContext*>(pContext);
context->ImportCount++;
context->ImportModuleFound |= Catch::contains(pszFile, "ntdll");
return TRUE;
}
// Callback for each function enumerated with DetourEnumerateImports(..)
//
BOOL WINAPI ImportFuncCallback(_In_opt_ PVOID pContext,
_In_ DWORD nOrdinal,
_In_opt_ LPCSTR pszFunc,
_In_opt_ PVOID pvFunc)
{
UNREFERENCED_PARAMETER(nOrdinal);
UNREFERENCED_PARAMETER(pszFunc);
UNREFERENCED_PARAMETER(pvFunc);
EnumerateImportsTestContext* context =
reinterpret_cast<EnumerateImportsTestContext*>(pContext);
context->ImportFuncCount++;
return TRUE;
}
TEST_CASE("DetourEnumerateImports", "[module]")
{
SECTION("Passing nullptr all, results in invalid parameter.")
{
SetLastError(NO_ERROR);
auto success = DetourEnumerateImports(nullptr, nullptr, nullptr, nullptr);
REQUIRE( GetLastError() == ERROR_INVALID_PARAMETER );
REQUIRE_FALSE( success );
}
SECTION("Passing nullptr for module callback, results in invalid parameter.")
{
SetLastError(NO_ERROR);
EnumerateImportsTestContext context {};
auto success = DetourEnumerateImports(nullptr, &context, ImportFileCallback, nullptr);
REQUIRE( GetLastError() == ERROR_INVALID_PARAMETER );
REQUIRE_FALSE( success );
REQUIRE( context.ImportCount == 0 );
REQUIRE_FALSE( context.ImportModuleFound );
}
SECTION("Passing nullptr for function callback, resolves in invalid parameter.")
{
SetLastError(ERROR_INVALID_HANDLE);
EnumerateImportsTestContext context {};
auto success = DetourEnumerateImports(nullptr, &context, nullptr, ImportFuncCallback);
REQUIRE( GetLastError() == ERROR_INVALID_PARAMETER );
REQUIRE_FALSE( success );
REQUIRE( context.ImportFuncCount == 0 );
REQUIRE_FALSE( context.ImportFuncFound );
}
}
TEST_CASE("DetourGetSizeOfPayloads", "[module]")
{
SECTION("Passing nullptr for module, is successful.")
{
SetLastError(ERROR_INVALID_HANDLE);
auto size = DetourGetSizeOfPayloads(nullptr);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( size == sizeof(CPrivateStuff) );
}
SECTION("Passing nullptr is the same as current module.")
{
SetLastError(ERROR_INVALID_HANDLE);
auto mod = reinterpret_cast<HMODULE>(&__ImageBase);
auto nullSize = DetourGetSizeOfPayloads(nullptr);
auto modSize = DetourGetSizeOfPayloads(mod);
REQUIRE( modSize == nullSize );
}
SECTION("Passing a module with no payload, results in exe marked invalid.")
{
auto mod = GetModuleHandleW(L"ntdll.dll");
SetLastError(NO_ERROR);
auto size = DetourGetSizeOfPayloads(mod);
REQUIRE( GetLastError() == ERROR_EXE_MARKED_INVALID );
REQUIRE( size == 0 );
}
SECTION("Passing stack, results in error")
{
SetLastError(NO_ERROR);
int value;
auto mod = reinterpret_cast<HMODULE>(&value);
auto size = DetourGetSizeOfPayloads(mod);
REQUIRE( GetLastError() == ERROR_BAD_EXE_FORMAT );
REQUIRE( size == 0 );
}
SECTION("Corrupt image DOS header magic, results in bad exe format error")
{
ImageCorruptor corruptor(&__ImageBase);
corruptor.ModifyDosMagic(0xDEAD);
SetLastError(NO_ERROR);
auto mod = reinterpret_cast<HMODULE>(&__ImageBase);
auto size = DetourGetSizeOfPayloads(mod);
REQUIRE( GetLastError() == ERROR_BAD_EXE_FORMAT );
REQUIRE( size == 0 );
}
SECTION("Corrupt image NT header signature, results in invalid signature error")
{
ImageCorruptor corruptor(&__ImageBase);
corruptor.ModifyNtSignature(0xDEADBEEF);
SetLastError(NO_ERROR);
auto mod = reinterpret_cast<HMODULE>(&__ImageBase);
auto size = DetourGetSizeOfPayloads(mod);
REQUIRE( GetLastError() == ERROR_INVALID_EXE_SIGNATURE );
REQUIRE( size == 0 );
}
}
TEST_CASE("DetourFindPayload", "[module]")
{
SECTION("Passing empty guid, fails.")
{
SetLastError(NO_ERROR);
HMODULE module {};
GUID guid {};
DWORD data {};
auto payload = DetourFindPayload(module, guid, &data);
REQUIRE( payload == nullptr );
REQUIRE( data == 0 );
REQUIRE( GetLastError() == ERROR_INVALID_HANDLE );
}
SECTION("Passing nullptr for module with correct GUID, is successful.")
{
SetLastError(ERROR_INVALID_HANDLE);
HMODULE module {};
DWORD data {};
auto payload = DetourFindPayload(module, TEST_PAYLOAD_GUID, &data);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( payload != nullptr );
REQUIRE( data == TEST_PAYLOAD_SIZE );
char* szPayloadMessage = reinterpret_cast<char*>(payload);
REQUIRE_THAT( szPayloadMessage, Catch::Matchers::Contains("123") );
}
}
TEST_CASE("DetourFindPayloadEx", "[module]")
{
SECTION("Passing empty guid, fails.")
{
SetLastError(NO_ERROR);
GUID guid {};
DWORD data {};
auto payload = DetourFindPayloadEx(guid, &data);
REQUIRE( payload == nullptr );
REQUIRE( data == 0 );
// This returns different values on different versions of windows.
//
REQUIRE( (GetLastError() == ERROR_MOD_NOT_FOUND || GetLastError() == ERROR_INVALID_HANDLE) );
}
SECTION("Finding module with correct GUID, is successful.")
{
SetLastError(ERROR_INVALID_HANDLE);
DWORD data {};
auto payload = DetourFindPayloadEx(TEST_PAYLOAD_GUID, &data);
REQUIRE( GetLastError() == NO_ERROR );
REQUIRE( payload != nullptr );
REQUIRE( data == TEST_PAYLOAD_SIZE );
char* szPayloadMessage = reinterpret_cast<char*>(payload);
REQUIRE_THAT( szPayloadMessage, Catch::Matchers::Contains("123") );
}
}
TEST_CASE("DetourCopyPayloadToProcessEx", "[module]")
{
// {44FA1CE0-1DA5-4AFC-946E-F96890C38673}
static constexpr GUID guid = { 0x44fa1ce0, 0x1da5, 0x4afc, { 0x94, 0x6e, 0xf9, 0x68, 0x90, 0xc3, 0x86, 0x73 } };
static constexpr std::uint32_t data = 0xDEADBEEF;
SECTION("Passing NULL process handle, results in error")
{
const auto ptr = DetourCopyPayloadToProcessEx(NULL, guid, &data, sizeof(data));
REQUIRE(GetLastError() == ERROR_INVALID_HANDLE);
REQUIRE(ptr == nullptr);
}
SECTION("Writing to own process, results in valid pointer")
{
const auto ptr = reinterpret_cast<std::uint32_t*>(DetourCopyPayloadToProcessEx(GetCurrentProcess(), guid, &data, sizeof(data)));
REQUIRE(GetLastError() == NO_ERROR);
REQUIRE(*ptr == data);
}
SECTION("Writing to different process, can be read with ReadProcessMemory")
{
// create a suspended copy of ourself to do things with.
TerminateOnScopeExit process{};
REQUIRE(SUCCEEDED(CreateSuspendedCopy(process)));
const auto ptr = DetourCopyPayloadToProcessEx(process.information.hProcess, guid, &data, sizeof(data));
REQUIRE(GetLastError() == NO_ERROR);
REQUIRE(ptr != nullptr);
std::uint32_t retrieved_data{};
REQUIRE(ReadProcessMemory(process.information.hProcess, ptr, &retrieved_data, sizeof(retrieved_data), nullptr));
REQUIRE(retrieved_data == data);
}
}
TEST_CASE("DetourFindRemotePayload", "[module]")
{
SECTION("Passing NULL process handle, results in error")
{
const auto ptr = DetourFindRemotePayload(NULL, TEST_PAYLOAD_GUID, nullptr);
REQUIRE(GetLastError() == ERROR_INVALID_HANDLE);
REQUIRE(ptr == nullptr);
}
SECTION("Finding null GUID from own process, results in error")
{
const GUID guid{};
const auto ptr = DetourFindRemotePayload(GetCurrentProcess(), guid, nullptr);
REQUIRE(GetLastError() == ERROR_MOD_NOT_FOUND);
REQUIRE(ptr == nullptr);
}
SECTION("Finding null GUID from different process, results in error")
{
// create a suspended copy of ourself to do things with.
TerminateOnScopeExit process{};
REQUIRE(SUCCEEDED(CreateSuspendedCopy(process)));
const GUID guid{};
const auto ptr = DetourFindRemotePayload(process.information.hProcess, guid, nullptr);
REQUIRE(GetLastError() == ERROR_MOD_NOT_FOUND);
REQUIRE(ptr == nullptr);
}
SECTION("Finding valid GUID from own process, results in valid pointer")
{
DWORD size = 0;
const auto ptr = reinterpret_cast<std::uint32_t*>(DetourFindRemotePayload(GetCurrentProcess(), TEST_PAYLOAD_GUID, &size));
REQUIRE(GetLastError() == NO_ERROR);
REQUIRE(ptr != nullptr);
REQUIRE(size == TEST_PAYLOAD_SIZE);
char* szPayloadMessage = reinterpret_cast<char*>(ptr);
REQUIRE_THAT(szPayloadMessage, Catch::Matchers::Contains("123"));
}
SECTION("Finding valid GUID from different process, can be read with ReadProcessMemory")
{
// create a suspended copy of ourself to do things with.
TerminateOnScopeExit process{};
REQUIRE(SUCCEEDED(CreateSuspendedCopy(process)));
DWORD size = 0;
const auto ptr = DetourFindRemotePayload(process.information.hProcess, TEST_PAYLOAD_GUID, &size);
REQUIRE(GetLastError() == NO_ERROR);
REQUIRE(ptr != nullptr);
REQUIRE(size == TEST_PAYLOAD_SIZE);
SIZE_T bytesRead = 0;
char szPayloadMessage[TEST_PAYLOAD_SIZE];
REQUIRE(ReadProcessMemory(process.information.hProcess, ptr, &szPayloadMessage, TEST_PAYLOAD_SIZE, &bytesRead));
REQUIRE(bytesRead == TEST_PAYLOAD_SIZE);
REQUIRE_THAT(szPayloadMessage, Catch::Matchers::Contains("123"));
}
}
TEST_CASE("DetourRestoreAfterWith", "[module]")
{
// TODO: Needs to be written.
}
TEST_CASE("DetourRestoreAfterWithEx", "[module]")
{
// TODO: Needs to be written.
}