archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/base/ntdll/hotpatch.c

485 lines
11 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*
  3. Copyright (c) 2001 Microsoft Corporation
  5. File name:
  7. hotpatch.c
  9. Author:
  11. Adrian Marinescu (adrmarin) Nov 14 2001
  13. */
  15. #include <ntos.h>
  16. #include <nt.h>
  17. #include <ntrtl.h>
  18. #include <nturtl.h>
  19. #include "ldrp.h"
  21. #include "hotpatch.h"
  23. ULONG LdrpHotpatchCount = 0;
  24. LIST_ENTRY LdrpHotPatchList;
  26. NTSTATUS
  27. LdrpSetupHotpatch (
  28. IN PRTL_PATCH_HEADER RtlPatchData
  29. )
  31. /*++
  33. Routine Description:
  35. This utility routine is used to:
  36. - find the targed module (the patch apply to)
  37. - search for an existing identical patch, and create a new one if not
  38. existent
  39. - Prepare the fixup code
  41. N.B. It assumes that the loader lock is held.
  43. Arguments:
  45. DllPatchHandle - The handle of the patch image
  47. Patch - The pointer to the patch header
  49. PatchFlags - The flags for the patch being applied.
  51. Return Value:
  53. NTSTATUS
  55. --*/
  57. {
  58. PLIST_ENTRY Next;
  59. NTSTATUS Status;
  61. //
  62. // walk the table entry list to find the dll
  63. //
  65. Next = PebLdr.InLoadOrderModuleList.Flink;
  67. for ( ; Next != &PebLdr.InLoadOrderModuleList; Next = Next->Flink) {
  69. PPATCH_LDR_DATA_TABLE_ENTRY Entry;
  71. Entry = CONTAINING_RECORD (Next, PATCH_LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
  73. //
  74. // when we unload, the memory order links flink field is nulled.
  75. // this is used to skip the entry pending list removal.
  76. //
  78. if ( !Entry->InMemoryOrderLinks.Flink ) {
  79. continue;
  80. }
  82. if (RtlpIsSameImage(RtlPatchData, Entry)) {
  84. break;
  85. }
  86. }
  88. if (RtlPatchData->TargetDllBase == NULL) {
  90. return STATUS_DLL_NOT_FOUND;
  91. }
  93. //
  94. // Create the new structure rtl patch structure here
  95. // This requires some relocation info to be processed,
  96. // so we need to allow write access to the patch dll
  97. //
  99. Status = LdrpSetProtection (RtlPatchData->PatchLdrDataTableEntry->DllBase, FALSE);
  101. if (!NT_SUCCESS(Status)) {
  103. return Status;
  104. }
  106. Status = RtlInitializeHotPatch (RtlPatchData, 0);
  108. //
  109. // Restore the protection to RO
  110. //
  112. LdrpSetProtection (RtlPatchData->PatchLdrDataTableEntry->DllBase, TRUE);
  114. return Status;
  115. }
  117. NTSTATUS
  118. LdrpApplyHotPatch(
  119. IN PRTL_PATCH_HEADER RtlPatchData,
  120. IN ULONG PatchFlags
  121. )
  123. /*++
  125. Routine Description:
  127. The function applies the changes to the target code.
  129. Arguments:
  131. RtlPatchData - Supplies the patch information
  133. PatchFlags - Supplies the patch flags
  135. Return Value:
  137. NTSTATUS
  139. --*/
  141. {
  142. NTSTATUS Status;
  144. //
  145. // Check whether we change the status or not.
  146. //
  148. if (((PatchFlags ^ RtlPatchData->CodeInfo->Flags) & FLG_HOTPATCH_ACTIVE) == 0) {
  150. return STATUS_NOT_SUPPORTED;
  151. }
  153. //
  154. // Unprotect the target binary pages
  155. //
  157. Status = LdrpSetProtection (RtlPatchData->TargetDllBase, FALSE);
  159. if (!NT_SUCCESS(Status)) {
  161. return Status;
  162. }
  164. //
  165. // Make the system call to modify the code from a DPC routine
  166. //
  168. Status = NtSetSystemInformation ( SystemHotpatchInformation,
  169. RtlPatchData->CodeInfo,
  170. RtlPatchData->CodeInfo->InfoSize);
  172. if (NT_SUCCESS(Status)) {
  174. //
  175. // Update the flags to contain the new state
  176. //
  178. RtlPatchData->CodeInfo->Flags ^= FLG_HOTPATCH_ACTIVE;
  179. }
  181. LdrpSetProtection (RtlPatchData->TargetDllBase, TRUE);
  183. return Status;
  184. }
  186. LONG
  187. LdrHotPatchRoutine (
  188. PVOID PatchInfo
  189. )
  191. /*++
  193. Routine Description:
  195. This is the worker routine that an external program can use for
  196. thread injection.
  198. Arguments:
  200. Patch - The pointer to the patch header. The application which calls
  201. this routine should never free or unmap this structure, as the current
  202. process can start using the code located inside this blob.
  204. Return Value:
  206. NTSTATUS
  208. --*/
  210. {
  211. NTSTATUS Status;
  212. PHOTPATCH_HEADER Patch;
  213. ULONG PatchFlags;
  214. PVOID DllHandle = NULL;
  215. LOGICAL FirstLoad;
  216. UNICODE_STRING PatchImageName, TargetImageName;
  217. PSYSTEM_HOTPATCH_CODE_INFORMATION RemoteInfo;
  218. PLIST_ENTRY Next;
  219. PLDR_DATA_TABLE_ENTRY PatchLdrTableEntry;
  220. PRTL_PATCH_HEADER RtlPatchData;
  221. BOOLEAN LoaderLockAcquired = FALSE;
  223. FirstLoad = FALSE;
  224. Status = STATUS_SUCCESS;
  226. __try {
  228. RemoteInfo = (PSYSTEM_HOTPATCH_CODE_INFORMATION)PatchInfo;
  230. if (!(RemoteInfo->Flags & FLG_HOTPATCH_NAME_INFO)) {
  232. Status = STATUS_INVALID_PARAMETER;
  233. leave;
  234. }
  236. PatchImageName.Buffer = (PWCHAR)((PUCHAR)RemoteInfo + RemoteInfo->UserModeInfo.NameOffset);
  237. PatchImageName.Length = (USHORT)RemoteInfo->UserModeInfo.NameLength;
  238. PatchImageName.MaximumLength = PatchImageName.Length;
  240. TargetImageName.Buffer = (PWCHAR)((PUCHAR)RemoteInfo + RemoteInfo->UserModeInfo.TargetNameOffset);
  241. TargetImageName.Length = (USHORT)RemoteInfo->UserModeInfo.TargetNameLength;
  242. TargetImageName.MaximumLength = TargetImageName.Length;
  244. PatchFlags = RemoteInfo->Flags;
  246. RtlEnterCriticalSection (&LdrpLoaderLock);
  247. LoaderLockAcquired = TRUE;
  249. if (TargetImageName.Length) {
  251. Status = STATUS_DLL_NOT_FOUND;
  253. Next = PebLdr.InLoadOrderModuleList.Flink;
  255. for ( ; Next != &PebLdr.InLoadOrderModuleList; Next = Next->Flink) {
  257. PLDR_DATA_TABLE_ENTRY Entry;
  259. Entry = CONTAINING_RECORD (Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
  261. //
  262. // when we unload, the memory order links flink field is nulled.
  263. // this is used to skip the entry pending list removal.
  264. //
  266. if ( !Entry->InMemoryOrderLinks.Flink ) {
  267. continue;
  268. }
  270. if (RtlEqualUnicodeString (&TargetImageName, &Entry->BaseDllName, TRUE)) {
  272. Status = STATUS_SUCCESS;
  273. break;
  274. }
  275. }
  277. if (!NT_SUCCESS(Status)) {
  279. leave;
  280. }
  281. }
  283. //
  284. // Load the module in memory. If this is not the first time
  285. // we apply the patch, the load will reference the LoadCount for
  286. // the existing module.
  287. //
  289. if (LdrpHotpatchCount == 0) {
  291. InitializeListHead (&LdrpHotPatchList);
  292. }
  294. Status = LdrLoadDll (NULL, NULL, &PatchImageName, &DllHandle );
  296. if (!NT_SUCCESS(Status)) {
  298. leave;
  299. }
  301. //
  302. // Search the loader table entry for the patch data
  303. //
  305. PatchLdrTableEntry = NULL;
  306. Next = PebLdr.InLoadOrderModuleList.Flink;
  308. for ( ; Next != &PebLdr.InLoadOrderModuleList; Next = Next->Flink) {
  310. PLDR_DATA_TABLE_ENTRY Entry;
  312. Entry = CONTAINING_RECORD (Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
  314. //
  315. // when we unload, the memory order links flink field is nulled.
  316. // this is used to skip the entry pending list removal.
  317. //
  319. if ( !Entry->InMemoryOrderLinks.Flink ) {
  320. continue;
  321. }
  323. if (DllHandle == Entry->DllBase) {
  325. PatchLdrTableEntry = Entry;
  326. break;
  327. }
  328. }
  330. if (PatchLdrTableEntry == NULL) {
  332. Status = STATUS_UNSUCCESSFUL;
  333. leave;
  334. }
  336. Patch = RtlGetHotpatchHeader(DllHandle);
  338. if (Patch == NULL) {
  340. Status = STATUS_INVALID_IMAGE_FORMAT;
  341. leave;
  342. }
  344. RtlPatchData = RtlFindRtlPatchHeader(&LdrpHotPatchList, PatchLdrTableEntry);
  346. if (RtlPatchData == NULL) {
  348. Status = RtlCreateHotPatch(&RtlPatchData, Patch, PatchLdrTableEntry, PatchFlags);
  350. if (!NT_SUCCESS(Status)) {
  352. leave;
  353. }
  355. Status = LdrpSetupHotpatch(RtlPatchData);
  357. if (!NT_SUCCESS(Status)) {
  359. RtlFreeHotPatchData(RtlPatchData);
  360. leave;
  361. }
  363. FirstLoad = TRUE;
  365. } else {
  367. //
  368. // Existing hotpatch case.
  369. // Rebuild the hook information, if the hotpatch was not active
  370. //
  372. if ((RtlPatchData->CodeInfo->Flags & FLG_HOTPATCH_ACTIVE) == 0) {
  374. Status = RtlReadHookInformation( RtlPatchData );
  376. if (!NT_SUCCESS(Status)) {
  378. leave;
  379. }
  380. }
  381. }
  383. Status = LdrpApplyHotPatch (RtlPatchData, PatchFlags);
  385. if (FirstLoad) {
  387. if (NT_SUCCESS(Status)) {
  389. //
  390. // We succesfully applied the patch. Add it to the Patch list
  391. //
  393. RtlPatchData->NextPatch = (PRTL_PATCH_HEADER)RtlPatchData->TargetLdrDataTableEntry->PatchInformation;
  394. RtlPatchData->TargetLdrDataTableEntry->PatchInformation = RtlPatchData;
  396. InsertTailList (&LdrpHotPatchList, &RtlPatchData->PatchList);
  397. LdrpHotpatchCount += 1;
  399. } else {
  401. RtlFreeHotPatchData(RtlPatchData);
  402. FirstLoad = FALSE; // force unload the module
  404. leave;
  405. }
  406. }
  408. } __finally {
  410. if (LoaderLockAcquired) {
  412. RtlLeaveCriticalSection (&LdrpLoaderLock);
  413. }
  415. //
  416. // Unload the patch dll. LdrpPerformHotPatch added a reference to the LoadCount
  417. // if succesfully installed.
  418. //
  420. if ((!FirstLoad) && (DllHandle != NULL)) {
  422. LdrUnloadDll (DllHandle);
  423. }
  424. }
  426. RtlExitUserThread(Status);
  428. // return Status;
  429. }
  431. NTSTATUS
  432. LdrpRundownHotpatchList (
  433. PRTL_PATCH_HEADER PatchHead
  434. )
  436. /*++
  438. Routine Description:
  440. This function cleans up the hotpatch data when the target dll is unloaded.
  441. The function assumes the loader lock is not held.
  443. Arguments:
  445. PatchHead - The head of the patch list
  447. Return Value:
  449. Returns the appropriate status
  451. --*/
  453. {
  454. while (PatchHead) {
  456. //
  457. // Remove the patch data from the list
  458. //
  460. PRTL_PATCH_HEADER CrtPatch = PatchHead;
  461. PatchHead = PatchHead->NextPatch;
  463. RtlEnterCriticalSection (&LdrpLoaderLock);
  466. RemoveEntryList (&CrtPatch->PatchList);
  467. LdrpHotpatchCount -= 1;
  469. RtlLeaveCriticalSection (&LdrpLoaderLock);
  471. //
  472. // Unload all instances for that dll.
  473. //
  475. if (CrtPatch->PatchImageBase) {
  477. LdrUnloadDll (CrtPatch->PatchImageBase);
  478. }
  480. RtlFreeHotPatchData (CrtPatch);
  481. }
  483. return STATUS_SUCCESS;
  484. }