/*
 * (C) 2003 XDA Developers  itsme@xs4all.nl
 *
 * $Header$
 */
// web: http://www.xs4all.nl/~itsme/projects/xda/rilhook.html
//
// this loads the extendril.dll into device.exe's memory space.
//
// the trick to load a dll into another process's space is from peter.
//
// Overview of the listing (reviewer summary):
//   pfnInjectDll      - the stub whose machine code is copied into the target
//   pfnInjectDllEnd   - end marker used to measure the stub's size
//   InjectDLL         - allocates in the target, copies the stub, runs it via PerformCallBack4
//   GetProcessHandle  - finds a process by executable name through a Toolhelp snapshot
//   WinMain           - entry point; hard-codes the target name and the DLL path
//
// NOTE(review): everything here runs with SetKMode(TRUE) and SetProcPermissions(0xFFFFFFFF),
// i.e. with kernel mode and write access to every process. Any mistake in the copy or the
// remote call corrupts device.exe, and the sequence "snapshot -> OpenProcess -> remote alloc ->
// memcpy -> cross-process callback" is the classic injection pattern that host monitoring
// looks for. Nothing in this file validates that the DLL at the hard-coded path is the
// expected one before loading it into the target.

#define WIN32_LEAN_AND_MEAN
#define WINCEOEM

// Windows Header Files (usual undoc'd includes)
// NOTE(review): the header names of the angle-bracket includes below were lost when this
// listing was extracted; restore them from the original source before building.
#include
#include
//struct BLENDFUNCTION { int x; };  // needed by winddi in wce5
//#include
#include
#include
#include
#include
#include
#include
#include "debug.h"

// Setup to call right into APISET
// These macros bind to the SH_WIN32 API set by ordinal (8, 9, 131) instead of going through
// an import table, so the copied stub carries no import fixups that would have to be
// patched in the target's address space (presumably the reason for the detour - confirm
// against the Windows CE coredll docs).
// NOTE(review): identifiers beginning with a double underscore are reserved for the
// implementation in C and C++; these names should be renamed if the file is touched again.
// __FreeLibraryW and __GetModuleHandleW are declared but never used in this file;
// __FreeLibraryW's (HMODULE, LPCTSTR) signature mirrors __LoadLibraryW's exactly and looks
// copy-pasted - verify the real prototype before anyone uses it.
#define WIN32_CALL(type, api, args) IMPLICIT_DECL(type, SH_WIN32, W32_ ## api, args)
#define __LoadLibraryW PRIV_IMPLICIT_DECL(HMODULE, SH_WIN32, 8, (LPCTSTR))
#define __FreeLibraryW PRIV_IMPLICIT_DECL(HMODULE, SH_WIN32, 9, (LPCTSTR))
#define __GetModuleHandleW PRIV_IMPLICIT_DECL(HMODULE, SH_WIN32, 131, (LPCTSTR))

// ------------- handling insertion of dll --------------------------

// Stub that runs inside the target process: loads szDll via the API-set trap and
// reports whether a module handle came back.
//
// The bytes between pfnInjectDll and pfnInjectDllEnd are copied verbatim into the target
// by InjectDLL (see the memcpy there), so this function must:
//   - stay self-contained (no calls that need relocations or the local import table),
//   - be laid out in the binary immediately before pfnInjectDllEnd.
// The second point depends on the compiler/linker keeping definition order and not
// inlining or reordering these two functions; if that assumption breaks, InjectDLL copies
// the wrong bytes and the target executes garbage. There is no check for it anywhere.
//
// szDll: pointer that must already be readable from the target's context (InjectDLL maps it
//        with MapPtrUnsecure before the call).
// Returns: non-zero when __LoadLibraryW returned something other than NULL/INVALID_HANDLE_VALUE.
DWORD CALLBACK pfnInjectDll(LPCWSTR szDll)
{
    HMODULE hMod= __LoadLibraryW(szDll);
    return hMod!=NULL && hMod!=INVALID_HANDLE_VALUE;
}
// End marker: only its address is used, to compute the size of pfnInjectDll.
void pfnInjectDllEnd(){};

// Copies the pfnInjectDll stub into process dwProcessId and executes it there with szDll
// as its argument.
//
// dwProcessId: id of the target process (WinMain passes the HANDLE from GetProcessHandle
//              cast to DWORD; on this platform the handle value is evidently usable as the
//              id, since OpenProcess is called on it again here - confirm).
// szDll:       path of the DLL the stub should load; the pointer is mapped with
//              MapPtrUnsecure so the target can read it.
// Returns:     false on every path. bRes is initialised to false and is only ever assigned
//              false again in the PerformCallBack4 error branch, so a successful injection
//              is also reported as false - TODO: set bRes = true on success (WinMain ignores
//              the result today, so nothing currently depends on it).
//
// Side effects: the calling thread is switched to kernel mode and given permissions to all
// processes for the duration of the call. Both are restored at the end of the success path,
// but NOT on the LocalAllocInProcess failure path, which returns while kernel mode and the
// 0xFFFFFFFF permission mask are still in effect.
bool InjectDLL(DWORD dwProcessId, LPCWSTR szDll)
{
    debug("injectdll(%08lx %ls)\n", dwProcessId, szDll);
    bool bRes = false;
    HPROCESS hpTarget = OpenProcess(NULL, FALSE, dwProcessId);
    if(hpTarget==NULL || hpTarget==INVALID_HANDLE_VALUE) {
        error("OpenProcess");
        return false;
    }
    debug(" openprocess: %08lx\n", hpTarget);

    // Get perms
    // SetKMode(TRUE) puts the thread in kernel mode; SetProcPermissions(0xFFFFFFFF) grants
    // access to every process slot. The previous values are kept for restoration below.
    BOOL bMode = SetKMode(TRUE);
    DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);
    debug(" km=%08lx perm=%08lx\n", bMode, dwPerm);

    // Alloc space in remote process for injection code
    // Size is the distance between the two function addresses (see pfnInjectDll's comment
    // on the layout assumption this makes).
    HLOCAL hMem = LocalAllocInProcess(LMEM_FIXED, (DWORD)pfnInjectDllEnd - (DWORD)pfnInjectDll, hpTarget);
    if (hMem==NULL || hMem==INVALID_HANDLE_VALUE) {
        error("LocalAllocInProcess");
        CloseHandle(hpTarget);
        // NOTE(review): returns without SetProcPermissions(dwPerm) / SetKMode(bMode);
        // the elevated state leaks to whatever the caller does next.
        return false;
    }
    debug(" LocalAllocInProcess : %08lx\n", hMem);
    // Direct write into the target's allocation - only possible because of the permission
    // change above.
    memcpy((LPVOID)hMem, (LPVOID)pfnInjectDll, (DWORD)pfnInjectDllEnd - (DWORD)pfnInjectDll);

    CALLBACKINFO cbi;
    cbi.hProc = hpTarget;
    cbi.pfn = (FARPROC)hMem;
    // Map the local string so it is addressable once the thread runs in the target's context.
    cbi.pvArg0 = (LPVOID)MapPtrUnsecure((LPVOID)szDll, GetCurrentProcess());
    debug(" MapPtrUnsecure : %08lx\n", cbi.pvArg0);

    // PerformCallBack4 is used for calling code in other processes, takes the calling thread
    // activates the target process, and runs the thread under the context of that process
    // NOTE(review): only the callback's own status is checked here; the stub's DWORD result
    // (whether the load actually succeeded) is not looked at separately - confirm whether
    // PerformCallBack4 returns it.
    if (!PerformCallBack4(&cbi)) {
        error("PerformCallBack4");
        bRes= false;
    }
    debug(" callback done\n");

    // Cleanup; the return values of these calls are not checked.
    LocalFreeInProcess(hMem, hpTarget);
    CloseHandle(hpTarget);
    SetProcPermissions(dwPerm);
    SetKMode(bMode);
    return bRes;
}

// Looks up a running process by executable name (case-insensitive, wcsicmp) using a
// Toolhelp snapshot and opens it.
//
// wszProcessName: executable name to match against PROCESSENTRY32::szExeFile.
// Returns: an open process handle for the first matching process that OpenProcess could
//          open; INVALID_HANDLE_VALUE when nothing matched. Note the value can also be NULL:
//          if OpenProcess returns NULL for a matching entry and no later entry matches,
//          that NULL is what gets returned. Callers must test for both (WinMain does).
//          Ownership of the handle passes to the caller; WinMain never closes it.
//
// NOTE(review): the snapshot handle hTH is passed to Process32First and
// CloseToolhelp32Snapshot without checking whether CreateToolhelp32Snapshot failed
// (INVALID_HANDLE_VALUE); a guard before Process32First would avoid relying on those
// functions tolerating a bad handle. pe is only partially initialised (dwSize) before use,
// which is the documented Toolhelp convention.
HANDLE GetProcessHandle(WCHAR *wszProcessName)
{
    HANDLE hTH= CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS|TH32CS_SNAPNOHEAPS, 0);
    PROCESSENTRY32 pe;
    pe.dwSize= sizeof(PROCESSENTRY32);
    HANDLE hProc= INVALID_HANDLE_VALUE;
    if (Process32First(hTH, &pe)) {
        do {
            if (wcsicmp(wszProcessName, pe.szExeFile)==0) {
                hProc= OpenProcess(0, 0, pe.th32ProcessID);
                if (hProc != INVALID_HANDLE_VALUE && hProc!=NULL)
                    break;
            }
        } while (Process32Next(hTH, &pe));
    }
    CloseToolhelp32Snapshot(hTH);
    return hProc;
}

// Entry point: finds device.exe and injects \Windows\extendril.dll into it.
//
// The target name and DLL path are hard-coded; lpCmdLine and the other parameters are
// unused. The handle returned by GetProcessHandle is passed to InjectDLL cast to DWORD
// as the process id and is never closed. InjectDLL's result is ignored, so the process
// exits 0 whether or not the injection worked (1 only when no device.exe was found);
// the loadril.log debug output is the only record of what happened.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nCmdShow)
{
    DebugSetLogfile("loadril.log");
    HANDLE hProc= GetProcessHandle(L"device.exe");
    if(hProc==NULL || hProc==INVALID_HANDLE_VALUE) {
        debug("could not find process\n");
        return 1;
    }
    InjectDLL((DWORD)hProc, L"\\Windows\\extendril.dll");
    return 0;
}