CreateFile() diversion proof of concept.

configure.ac

@@ -54,6 +54,7 @@ AC_CHECK_FUNCS(__getdelim __srefill __filbuf __srget __uflow)
 AC_CHECK_FUNCS(open64 lseek64 mmap64 fopen64 freopen64 ftello64 fseeko64 fsetpos64)
 AC_CHECK_FUNCS(__open64 __lseek64 __fopen64 __freopen64 __ftello64 __fseeko64 __fsetpos64)
 AC_CHECK_FUNCS(__fgets_chk __fgets_unlocked_chk __fread_chk __fread_unlocked_chk __read_chk __recv_chk __recvfrom_chk)
+AC_CHECK_FUNCS(CreateFile)
 
 AC_CHECK_TYPES(sighandler_t, [], [],
   [#define _GNU_SOURCE

msvc/config.h

@@ -25,6 +25,7 @@
 /* #undef HAVE_ARPA_INET_H */
 #define HAVE_BIND 1
 #define HAVE_CONNECT 1
+#define HAVE_CREATEFILE 1
 /* #undef HAVE_DLFCN_H */
 #define HAVE_DUP 1
 #define HAVE_DUP2 1

msvc/libzzuf.vcxproj

@@ -126,6 +126,7 @@
     <ClCompile Include="..\src\libzzuf\lib-mem.c" />
     <ClCompile Include="..\src\libzzuf\lib-signal.c" />
     <ClCompile Include="..\src\libzzuf\lib-stream.c" />
+    <ClCompile Include="..\src\libzzuf\lib-win32.c" />
     <ClCompile Include="..\src\libzzuf\libzzuf.c" />
     <ClCompile Include="..\src\libzzuf\network.c" />
     <ClCompile Include="..\src\libzzuf\sys.c" />

src/libzzuf/lib-load.h

@@ -53,7 +53,7 @@ zzuf_table_t;
 #   define DIVERT(x) { "kernel32.dll", #x, &x##_orig, x##_new }
 #   define DIVERT_END { NULL, NULL, NULL, NULL }
 
-extern zzuf_table_t table_stream[];
+extern zzuf_table_t table_stream[],
+                    table_win32[];
 
 #endif
-

src/libzzuf/lib-win32.c

@@ -0,0 +1,59 @@
+/*
+ *  zzuf - general purpose fuzzer
+ *  Copyright (c) 2006-2010 Sam Hocevar <sam@hocevar.net>
+ *                All Rights Reserved
+ *
+ *  This program is free software. It comes without any warranty, to
+ *  the extent permitted by applicable law. You can redistribute it
+ *  and/or modify it under the terms of the Do What The Fuck You Want
+ *  To Public License, Version 2, as published by Sam Hocevar. See
+ *  http://sam.zoy.org/wtfpl/COPYING for more details.
+ */
+
+/*
+ *  load-win32.c: loaded Win32 functions
+ */
+
+#include "config.h"
+
+#if defined HAVE_WINDOWS_H
+#   include <windows.h>
+#endif
+
+#include <stdio.h>
+
+#include "common.h"
+#include "libzzuf.h"
+#include "lib-load.h"
+#include "debug.h"
+#include "fuzz.h"
+#include "fd.h"
+
+/* Kernel functions that we divert */
+#if defined HAVE_CREATEFILE
+static HANDLE (*ORIG(CreateFileA))(LPCTSTR lpFileName, DWORD dwDesiredAccess,
+           DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+           DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
+           HANDLE hTemplateFile);
+#endif
+
+HANDLE NEW(CreateFileA)(LPCTSTR lpFileName, DWORD dwDesiredAccess,
+           DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes,
+           DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes,
+           HANDLE hTemplateFile)
+{
+    fprintf(stderr, "CreateFileA diverted!\n");
+    return ORIG(CreateFileA)(lpFileName, dwDesiredAccess, dwShareMode,
+                             lpSecurityAttributes, dwCreationDisposition,
+                             dwFlagsAndAttributes, hTemplateFile);
+}
+
+/* Win32 function table */
+zzuf_table_t table_win32[] =
+{
+#if defined HAVE_CREATEFILE
+    DIVERT(CreateFileA),
+#endif
+    DIVERT_END
+};
+

src/libzzuf/sys.c

@@ -93,10 +93,12 @@ static void insert_funcs(void *module)
 {
     static zzuf_table_t *list[] =
     {
-        table_stream
+        table_stream,
+        table_win32,
     };
 
     zzuf_table_t *diversion;
+    void *lib;
     unsigned long dummy;
     import_t import;
     thunk_t thunk;
@@ -108,34 +110,43 @@ static void insert_funcs(void *module)
     if(!import)
         return;
 
-    for (k = 0; k < sizeof(list) / sizeof(*list); k++)
+    for (k = 0, diversion = NULL; k < sizeof(list) / sizeof(*list); )
     {
-        for (diversion = list[k]; diversion->lib; diversion++)
-        {
-            void *lib = GetModuleHandleA(diversion->lib);
-            *diversion->old = (void *)GetProcAddress(lib, diversion->name);
+        if (!diversion)
+            diversion = list[k];
 
-            for(j = 0; import[j].Name; j++)
+        if (!diversion->lib)
+        {
+            k++;
+            diversion = NULL;
+            continue;
+        }
+
+        lib = GetModuleHandleA(diversion->lib);
+        *diversion->old = (void *)GetProcAddress(lib, diversion->name);
+
+        for(j = 0; import[j].Name; j++)
+        {
+            char *name = (char *)module + import[j].Name;
+            if(lstrcmpiA(name, diversion->lib) != 0)
+                continue;
+
+            thunk = (thunk_t)((char *)module + import->FirstThunk);
+            for(i = 0; thunk[i].u1.Function; i++)
             {
-                char *name = (char *)module + import[j].Name;
-                if(lstrcmpiA(name, diversion->lib) != 0)
+                void **func = (void **)&thunk[i].u1.Function;
+                if(*func != *diversion->old)
                     continue;
 
-                thunk = (thunk_t)((char *)module + import->FirstThunk);
-                for(i = 0; thunk[i].u1.Function; i++)
-                {
-                    void **func = (void **)&thunk[i].u1.Function;
-                    if(*func != *diversion->old)
-                        continue;
-
-                    /* FIXME: The StarCraft 2 hack uses two methods for function
-                     * diversion. See HookSsdt() and HookHotPatch(). */
-                    VirtualProtect(func, sizeof(func), PAGE_EXECUTE_READWRITE, &dummy);
-                    WriteProcessMemory(GetCurrentProcess(), func, &diversion->new,
-                                       sizeof(diversion->new), NULL);
-                }
+                /* FIXME: The StarCraft 2 hack uses two methods for function
+                    * diversion. See HookSsdt() and HookHotPatch(). */
+                VirtualProtect(func, sizeof(func), PAGE_EXECUTE_READWRITE, &dummy);
+                WriteProcessMemory(GetCurrentProcess(), func, &diversion->new,
+                                    sizeof(diversion->new), NULL);
             }
         }
+
+        diversion++;
     }
 }
 #endif