archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/base/ntos/mm/verifier.c

7512 lines
205 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) Microsoft Corporation. All rights reserved.
  5. Module Name:
  7. verifier.c
  9. Abstract:
  11. This module contains the routines to verify the system kernel, HAL and
  12. drivers.
  14. Author:
  16. Landy Wang (landyw) 3-Sep-1998
  18. Revision History:
  20. --*/
  21. #include "mi.h"
  23. #define THUNKED_API
  25. THUNKED_API
  26. PVOID
  27. VerifierAllocatePool (
  28. IN POOL_TYPE PoolType,
  29. IN SIZE_T NumberOfBytes
  30. );
  32. THUNKED_API
  33. PVOID
  34. VerifierAllocatePoolWithTag (
  35. IN POOL_TYPE PoolType,
  36. IN SIZE_T NumberOfBytes,
  37. IN ULONG Tag
  38. );
  40. THUNKED_API
  41. PVOID
  42. VerifierAllocatePoolWithQuotaTag (
  43. IN POOL_TYPE PoolType,
  44. IN SIZE_T NumberOfBytes,
  45. IN ULONG Tag
  46. );
  48. THUNKED_API
  49. PVOID
  50. VerifierAllocatePoolWithTagPriority (
  51. IN POOL_TYPE PoolType,
  52. IN SIZE_T NumberOfBytes,
  53. IN ULONG Tag,
  54. IN EX_POOL_PRIORITY Priority
  55. );
  57. PVOID
  58. VeAllocatePoolWithTagPriority (
  59. IN POOL_TYPE PoolType,
  60. IN SIZE_T NumberOfBytes,
  61. IN ULONG Tag,
  62. IN EX_POOL_PRIORITY Priority,
  63. IN PVOID CallingAddress
  64. );
  66. VOID
  67. VerifierFreePool (
  68. IN PVOID P
  69. );
  71. THUNKED_API
  72. VOID
  73. VerifierFreePoolWithTag (
  74. IN PVOID P,
  75. IN ULONG TagToFree
  76. );
  78. THUNKED_API
  79. LONG
  80. VerifierSetEvent (
  81. IN PRKEVENT Event,
  82. IN KPRIORITY Increment,
  83. IN BOOLEAN Wait
  84. );
  86. THUNKED_API
  87. KIRQL
  88. FASTCALL
  89. VerifierKfRaiseIrql (
  90. IN KIRQL NewIrql
  91. );
  93. THUNKED_API
  94. KIRQL
  95. VerifierKeRaiseIrqlToDpcLevel (
  96. VOID
  97. );
  99. THUNKED_API
  100. VOID
  101. FASTCALL
  102. VerifierKfLowerIrql (
  103. IN KIRQL NewIrql
  104. );
  106. THUNKED_API
  107. VOID
  108. VerifierKeRaiseIrql (
  109. IN KIRQL NewIrql,
  110. OUT PKIRQL OldIrql
  111. );
  113. THUNKED_API
  114. VOID
  115. VerifierKeLowerIrql (
  116. IN KIRQL NewIrql
  117. );
  119. THUNKED_API
  120. VOID
  121. VerifierKeAcquireSpinLock (
  122. IN PKSPIN_LOCK SpinLock,
  123. OUT PKIRQL OldIrql
  124. );
  126. THUNKED_API
  127. VOID
  128. VerifierKeReleaseSpinLock (
  129. IN PKSPIN_LOCK SpinLock,
  130. IN KIRQL NewIrql
  131. );
  133. THUNKED_API
  134. VOID
  135. #if defined(_X86_)
  136. FASTCALL
  137. #endif
  138. VerifierKeAcquireSpinLockAtDpcLevel (
  139. IN PKSPIN_LOCK SpinLock
  140. );
  142. THUNKED_API
  143. VOID
  144. #if defined(_X86_)
  145. FASTCALL
  146. #endif
  147. VerifierKeReleaseSpinLockFromDpcLevel (
  148. IN PKSPIN_LOCK SpinLock
  149. );
  151. THUNKED_API
  152. KIRQL
  153. FASTCALL
  154. VerifierKfAcquireSpinLock (
  155. IN PKSPIN_LOCK SpinLock
  156. );
  158. THUNKED_API
  159. VOID
  160. FASTCALL
  161. VerifierKfReleaseSpinLock (
  162. IN PKSPIN_LOCK SpinLock,
  163. IN KIRQL NewIrql
  164. );
  166. #if !defined(_X86_)
  167. THUNKED_API
  168. KIRQL
  169. VerifierKeAcquireSpinLockRaiseToDpc (
  170. IN PKSPIN_LOCK SpinLock
  171. );
  172. #endif
  175. THUNKED_API
  176. VOID
  177. VerifierKeInitializeTimerEx (
  178. IN PKTIMER Timer,
  179. IN TIMER_TYPE Type
  180. );
  182. THUNKED_API
  183. VOID
  184. VerifierKeInitializeTimer (
  185. IN PKTIMER Timer
  186. );
  188. THUNKED_API
  189. BOOLEAN
  190. FASTCALL
  191. VerifierExTryToAcquireFastMutex (
  192. IN PFAST_MUTEX FastMutex
  193. );
  195. THUNKED_API
  196. VOID
  197. FASTCALL
  198. VerifierExAcquireFastMutex (
  199. IN PFAST_MUTEX FastMutex
  200. );
  202. THUNKED_API
  203. VOID
  204. FASTCALL
  205. VerifierExReleaseFastMutex (
  206. IN PFAST_MUTEX FastMutex
  207. );
  209. THUNKED_API
  210. VOID
  211. FASTCALL
  212. VerifierExAcquireFastMutexUnsafe (
  213. IN PFAST_MUTEX FastMutex
  214. );
  216. THUNKED_API
  217. VOID
  218. FASTCALL
  219. VerifierExReleaseFastMutexUnsafe (
  220. IN PFAST_MUTEX FastMutex
  221. );
  223. THUNKED_API
  224. BOOLEAN
  225. VerifierExAcquireResourceExclusiveLite (
  226. IN PERESOURCE Resource,
  227. IN BOOLEAN Wait
  228. );
  230. THUNKED_API
  231. VOID
  232. FASTCALL
  233. VerifierExReleaseResourceLite (
  234. IN PERESOURCE Resource
  235. );
  237. THUNKED_API
  238. KIRQL
  239. FASTCALL
  240. VerifierKeAcquireQueuedSpinLock (
  241. IN KSPIN_LOCK_QUEUE_NUMBER Number
  242. );
  244. THUNKED_API
  245. VOID
  246. FASTCALL
  247. VerifierKeReleaseQueuedSpinLock (
  248. IN KSPIN_LOCK_QUEUE_NUMBER Number,
  249. IN KIRQL OldIrql
  250. );
  252. THUNKED_API
  253. BOOLEAN
  254. VerifierSynchronizeExecution (
  255. IN PKINTERRUPT Interrupt,
  256. IN PKSYNCHRONIZE_ROUTINE SynchronizeRoutine,
  257. IN PVOID SynchronizeContext
  258. );
  260. THUNKED_API
  261. VOID
  262. VerifierProbeAndLockPages (
  263. IN OUT PMDL MemoryDescriptorList,
  264. IN KPROCESSOR_MODE AccessMode,
  265. IN LOCK_OPERATION Operation
  266. );
  268. THUNKED_API
  269. VOID
  270. VerifierProbeAndLockProcessPages (
  271. IN OUT PMDL MemoryDescriptorList,
  272. IN PEPROCESS Process,
  273. IN KPROCESSOR_MODE AccessMode,
  274. IN LOCK_OPERATION Operation
  275. );
  277. THUNKED_API
  278. VOID
  279. VerifierProbeAndLockSelectedPages (
  280. IN OUT PMDL MemoryDescriptorList,
  281. IN PFILE_SEGMENT_ELEMENT SegmentArray,
  282. IN KPROCESSOR_MODE AccessMode,
  283. IN LOCK_OPERATION Operation
  284. );
  286. VOID
  287. VerifierUnlockPages (
  288. IN OUT PMDL MemoryDescriptorList
  289. );
  291. VOID
  292. VerifierUnmapLockedPages (
  293. IN PVOID BaseAddress,
  294. IN PMDL MemoryDescriptorList
  295. );
  297. VOID
  298. VerifierUnmapIoSpace (
  299. IN PVOID BaseAddress,
  300. IN SIZE_T NumberOfBytes
  301. );
  303. THUNKED_API
  304. PVOID
  305. VerifierMapIoSpace (
  306. IN PHYSICAL_ADDRESS PhysicalAddress,
  307. IN SIZE_T NumberOfBytes,
  308. IN MEMORY_CACHING_TYPE CacheType
  309. );
  311. THUNKED_API
  312. PVOID
  313. VerifierMapLockedPages (
  314. IN PMDL MemoryDescriptorList,
  315. IN KPROCESSOR_MODE AccessMode
  316. );
  318. THUNKED_API
  319. PVOID
  320. VerifierMapLockedPagesSpecifyCache (
  321. IN PMDL MemoryDescriptorList,
  322. IN KPROCESSOR_MODE AccessMode,
  323. IN MEMORY_CACHING_TYPE CacheType,
  324. IN PVOID RequestedAddress,
  325. IN ULONG BugCheckOnFailure,
  326. IN MM_PAGE_PRIORITY Priority
  327. );
  329. THUNKED_API
  330. NTSTATUS
  331. VerifierKeWaitForSingleObject (
  332. IN PVOID Object,
  333. IN KWAIT_REASON WaitReason,
  334. IN KPROCESSOR_MODE WaitMode,
  335. IN BOOLEAN Alertable,
  336. IN PLARGE_INTEGER Timeout OPTIONAL
  337. );
  339. THUNKED_API
  340. LONG
  341. VerifierKeReleaseMutex (
  342. IN PRKMUTEX Mutex,
  343. IN BOOLEAN Wait
  344. );
  346. THUNKED_API
  347. VOID
  348. VerifierKeInitializeMutex (
  349. IN PRKMUTEX Mutex,
  350. IN ULONG Level
  351. );
  353. THUNKED_API
  354. LONG
  355. VerifierKeReleaseMutant(
  356. IN PRKMUTANT Mutant,
  357. IN KPRIORITY Increment,
  358. IN BOOLEAN Abandoned,
  359. IN BOOLEAN Wait
  360. );
  362. THUNKED_API
  363. VOID
  364. VerifierKeInitializeMutant(
  365. IN PRKMUTANT Mutant,
  366. IN BOOLEAN InitialOwner
  367. );
  369. THUNKED_API
  370. VOID
  371. VerifierKeInitializeSpinLock (
  372. IN PKSPIN_LOCK SpinLock
  373. );
  375. VOID
  376. ViCheckMdlPages (
  377. IN PMDL MemoryDescriptorList,
  378. IN MEMORY_CACHING_TYPE CacheType
  379. );
  381. VOID
  382. ViFreeTrackedPool (
  383. IN PVOID VirtualAddress,
  384. IN SIZE_T ChargedBytes,
  385. IN LOGICAL CheckType,
  386. IN LOGICAL SpecialPool
  387. );
  389. VOID
  390. VerifierFreeTrackedPool (
  391. IN PVOID VirtualAddress,
  392. IN SIZE_T ChargedBytes,
  393. IN LOGICAL CheckType,
  394. IN LOGICAL SpecialPool
  395. );
  397. VOID
  398. ViPrintString (
  399. IN PUNICODE_STRING DriverName
  400. );
  402. LOGICAL
  403. ViInjectResourceFailure (
  404. VOID
  405. );
  407. VOID
  408. ViTrimAllSystemPagableMemory (
  409. ULONG TrimType
  410. );
  412. VOID
  413. ViInitializeEntry (
  414. IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
  415. IN LOGICAL FirstLoad
  416. );
  418. PVI_POOL_ENTRY
  419. ViGrowPoolAllocation (
  420. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  421. );
  423. VOID
  424. KfSanityCheckRaiseIrql (
  425. IN KIRQL NewIrql
  426. );
  428. VOID
  429. KfSanityCheckLowerIrql (
  430. IN KIRQL NewIrql
  431. );
  433. NTSTATUS
  434. VerifierReferenceObjectByHandle (
  435. IN HANDLE Handle,
  436. IN ACCESS_MASK DesiredAccess,
  437. IN POBJECT_TYPE ObjectType OPTIONAL,
  438. IN KPROCESSOR_MODE AccessMode,
  439. OUT PVOID *Object,
  440. OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
  441. );
  443. LONG_PTR
  444. FASTCALL
  445. VerifierReferenceObject (
  446. IN PVOID Object
  447. );
  449. LONG_PTR
  450. VerifierDereferenceObject (
  451. IN PVOID Object
  452. );
  455. VOID
  456. VerifierLeaveCriticalRegion (
  457. VOID
  458. );
  461. PEPROCESS
  462. ExGetBilledProcess (
  463. IN PPOOL_HEADER Entry
  464. );
  466. MM_DRIVER_VERIFIER_DATA MmVerifierData;
  468. //
  469. // Any flags which can be modified on the fly without rebooting are set here.
  470. //
  472. ULONG VerifierModifyableOptions;
  473. ULONG VerifierOptionChanges;
  475. LIST_ENTRY MiSuspectDriverList;
  477. //
  478. // Patch this to 1 on the first call to MmInitSystem to verify all drivers
  479. // regardless of registry settings.
  480. //
  481. // Patch this to 2 on the first call to MmInitSystem to verify the kernel
  482. // regardless of registry settings.
  483. //
  485. ULONG MiVerifyAllDrivers;
  487. WCHAR MiVerifyRandomDrivers;
  489. ULONG MiActiveVerifies;
  491. ULONG MiActiveVerifierThunks;
  493. ULONG MiNoPageOnRaiseIrql;
  495. ULONG MiVerifierStackProtectTime;
  497. LOGICAL VerifierSystemSufficientlyBooted;
  499. LARGE_INTEGER VerifierRequiredTimeSinceBoot = {(ULONG)(40 * 1000 * 1000 * 10), 1};
  501. LOGICAL VerifierIsTrackingPool = FALSE;
  503. #if defined(_IA64_)
  505. KSPIN_LOCK VerifierListLock;
  507. #define LOCK_VERIFIER(OLDIRQL) \
  508. ExAcquireSpinLock (&VerifierListLock, OLDIRQL);
  510. #define UNLOCK_VERIFIER(OLDIRQL) \
  511. ExReleaseSpinLock (&VerifierListLock, OLDIRQL);
  513. #else
  515. //
  516. // This is only done to avoid calling IRQL raise (directly or via spinlock
  517. // APIs) because the verifier itself doesn't need the checking and these
  518. // checks would fire a substantial number of times, reducing *kernel*
  519. // verifier effectiveness.
  520. //
  522. LONG VerifierListLock;
  524. #define LOCK_VERIFIER(OLDIRQL) \
  525. UNREFERENCED_PARAMETER (OldIrql); \
  526. _disable(); \
  527. do { \
  528. } while (InterlockedCompareExchange (&VerifierListLock, 1, 0));
  530. #define UNLOCK_VERIFIER(OLDIRQL) \
  531. UNREFERENCED_PARAMETER (OldIrql); \
  532. InterlockedAnd (&VerifierListLock, 0); \
  533. _enable();
  535. #endif
  537. PRTL_BITMAP VerifierLargePagedPoolMap;
  539. LIST_ENTRY MiVerifierDriverAddedThunkListHead;
  541. extern LOGICAL MmSpecialPoolCatchOverruns;
  543. LOGICAL KernelVerifier = FALSE;
  545. ULONG KernelVerifierTickPage = 0x1;
  547. ULONG MiVerifierThunksAdded;
  549. extern USHORT ExMinimumLookasideDepth;
  551. LOGICAL ViHideCacheConflicts = TRUE;
  553. PDRIVER_VERIFIER_THUNK_ROUTINE
  554. MiResolveVerifierExports (
  555. IN PLOADER_PARAMETER_BLOCK LoaderBlock,
  556. IN PCHAR PristineName
  557. );
  559. LOGICAL
  560. MiEnableVerifier (
  561. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  562. );
  564. LOGICAL
  565. MiReEnableVerifier (
  566. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  567. );
  569. VOID
  570. ViInsertVerifierEntry (
  571. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  572. );
  574. PVOID
  575. ViPostPoolAllocation (
  576. IN PVI_POOL_ENTRY PoolEntry,
  577. IN POOL_TYPE PoolType
  578. );
  580. PMI_VERIFIER_DRIVER_ENTRY
  581. ViLocateVerifierEntry (
  582. IN PVOID SystemAddress
  583. );
  585. VOID
  586. MiVerifierCheckThunks (
  587. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  588. );
  590. //
  591. // Track irqls functions
  592. //
  594. VOID
  595. ViTrackIrqlInitialize (
  596. VOID
  597. );
  599. VOID
  600. ViTrackIrqlLog (
  601. IN KIRQL CurrentIrql,
  602. IN KIRQL NewIrql
  603. );
  605. #if defined(_X86_) || defined(_AMD64_)
  607. //
  608. // Fault injection stack trace log.
  609. //
  611. VOID
  612. ViFaultTracesInitialize (
  613. VOID
  614. );
  616. VOID
  617. ViFaultTracesLog (
  618. VOID
  619. );
  621. #endif
  625. #ifdef ALLOC_PRAGMA
  626. #pragma alloc_text(INIT,MiInitializeDriverVerifierList)
  627. #pragma alloc_text(INIT,MiInitializeVerifyingComponents)
  628. #pragma alloc_text(INIT,ViTrackIrqlInitialize)
  629. #pragma alloc_text(INIT,MiResolveVerifierExports)
  630. #if defined(_X86_)
  631. #pragma alloc_text(INIT,MiEnableKernelVerifier)
  632. #pragma alloc_text(INIT,ViFaultTracesInitialize)
  633. #endif
  634. #pragma alloc_text(PAGE,MiApplyDriverVerifier)
  635. #pragma alloc_text(PAGE,MiEnableVerifier)
  636. #pragma alloc_text(INIT,MiReEnableVerifier)
  637. #pragma alloc_text(PAGE,ViPrintString)
  638. #pragma alloc_text(PAGE,MmGetVerifierInformation)
  639. #pragma alloc_text(PAGE,MmSetVerifierInformation)
  640. #pragma alloc_text(PAGE,MmAddVerifierThunks)
  641. #pragma alloc_text(PAGE,MmIsVerifierEnabled)
  642. #pragma alloc_text(PAGE,MiVerifierCheckThunks)
  643. #pragma alloc_text(PAGEVRFY,MiVerifyingDriverUnloading)
  645. #pragma alloc_text(PAGE,MmAddVerifierEntry)
  646. #pragma alloc_text(PAGE,MmRemoveVerifierEntry)
  647. #pragma alloc_text(INIT,MiReApplyVerifierToLoadedModules)
  648. #pragma alloc_text(PAGEVRFY,VerifierProbeAndLockPages)
  649. #pragma alloc_text(PAGEVRFY,VerifierProbeAndLockProcessPages)
  650. #pragma alloc_text(PAGEVRFY,VerifierProbeAndLockSelectedPages)
  651. #pragma alloc_text(PAGEVRFY,VerifierUnlockPages)
  652. #pragma alloc_text(PAGEVRFY,VerifierMapIoSpace)
  653. #pragma alloc_text(PAGEVRFY,VerifierMapLockedPages)
  654. #pragma alloc_text(PAGEVRFY,VerifierMapLockedPagesSpecifyCache)
  655. #pragma alloc_text(PAGEVRFY,VerifierUnmapLockedPages)
  656. #pragma alloc_text(PAGEVRFY,VerifierUnmapIoSpace)
  657. #pragma alloc_text(PAGEVRFY,VerifierAllocatePool)
  658. #pragma alloc_text(PAGEVRFY,VerifierAllocatePoolWithTag)
  659. #pragma alloc_text(PAGEVRFY,VerifierAllocatePoolWithTagPriority)
  660. #pragma alloc_text(PAGEVRFY,VerifierAllocatePoolWithQuotaTag)
  661. #pragma alloc_text(PAGEVRFY,VerifierFreePool)
  662. #pragma alloc_text(PAGEVRFY,VerifierFreePoolWithTag)
  663. #pragma alloc_text(PAGEVRFY,VerifierKeWaitForSingleObject)
  664. #pragma alloc_text(PAGEVRFY,VerifierKfRaiseIrql)
  665. #pragma alloc_text(PAGEVRFY,VerifierKeRaiseIrqlToDpcLevel)
  666. #pragma alloc_text(PAGEVRFY,VerifierKfLowerIrql)
  667. #pragma alloc_text(PAGEVRFY,VerifierKeRaiseIrql)
  668. #pragma alloc_text(PAGEVRFY,VerifierKeLowerIrql)
  669. #pragma alloc_text(PAGEVRFY,VerifierKeAcquireSpinLock)
  670. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseSpinLock)
  671. #pragma alloc_text(PAGEVRFY,VerifierKeAcquireSpinLockAtDpcLevel)
  672. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseSpinLockFromDpcLevel)
  673. #pragma alloc_text(PAGEVRFY,VerifierKfAcquireSpinLock)
  674. #pragma alloc_text(PAGEVRFY,VerifierKfReleaseSpinLock)
  675. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeTimer)
  676. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeTimerEx)
  677. #pragma alloc_text(PAGEVRFY,VerifierExTryToAcquireFastMutex)
  678. #pragma alloc_text(PAGEVRFY,VerifierExAcquireFastMutex)
  679. #pragma alloc_text(PAGEVRFY,VerifierExReleaseFastMutex)
  680. #pragma alloc_text(PAGEVRFY,VerifierExAcquireFastMutexUnsafe)
  681. #pragma alloc_text(PAGEVRFY,VerifierExReleaseFastMutexUnsafe)
  682. #pragma alloc_text(PAGEVRFY,VerifierExAcquireResourceExclusiveLite)
  683. #pragma alloc_text(PAGEVRFY,VerifierExReleaseResourceLite)
  684. #pragma alloc_text(PAGEVRFY,VerifierKeAcquireQueuedSpinLock)
  685. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseQueuedSpinLock)
  686. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseMutex)
  687. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeMutex)
  688. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseMutant)
  689. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeMutant)
  690. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeSpinLock)
  691. #pragma alloc_text(PAGEVRFY,VerifierSynchronizeExecution)
  692. #pragma alloc_text(PAGEVRFY,VerifierReferenceObjectByHandle)
  693. #pragma alloc_text(PAGEVRFY,VerifierReferenceObject)
  694. #pragma alloc_text(PAGEVRFY,VerifierDereferenceObject)
  695. #pragma alloc_text(PAGEVRFY,VerifierLeaveCriticalRegion)
  696. #pragma alloc_text(PAGEVRFY,VerifierSetEvent)
  697. #pragma alloc_text(PAGEVRFY,ViFreeTrackedPool)
  699. #pragma alloc_text(PAGEVRFY,VeAllocatePoolWithTagPriority)
  700. #pragma alloc_text(PAGEVRFY,ViCheckMdlPages)
  701. #pragma alloc_text(PAGEVRFY,ViInsertVerifierEntry)
  702. #pragma alloc_text(PAGEVRFY,ViLocateVerifierEntry)
  703. #pragma alloc_text(PAGEVRFY,ViPostPoolAllocation)
  704. #pragma alloc_text(PAGEVRFY,ViInjectResourceFailure)
  705. #pragma alloc_text(PAGEVRFY,ViTrimAllSystemPagableMemory)
  706. #pragma alloc_text(PAGEVRFY,ViInitializeEntry)
  707. #pragma alloc_text(PAGEVRFY,ViGrowPoolAllocation)
  708. #pragma alloc_text(PAGEVRFY,KfSanityCheckRaiseIrql)
  709. #pragma alloc_text(PAGEVRFY,KfSanityCheckLowerIrql)
  710. #pragma alloc_text(PAGEVRFY,ViTrackIrqlLog)
  712. #if defined(_X86_) || defined(_AMD64_)
  713. #pragma alloc_text(PAGEVRFY,ViFaultTracesLog)
  714. #endif
  716. #if !defined(_X86_)
  717. #pragma alloc_text(PAGEVRFY,VerifierKeAcquireSpinLockRaiseToDpc)
  718. #endif
  720. #endif
  722. typedef struct _VERIFIER_THUNKS {
  723. union {
  724. PCHAR PristineRoutineAsciiName;
  726. //
  727. // The actual pristine routine address is derived from exports
  728. //
  730. PDRIVER_VERIFIER_THUNK_ROUTINE PristineRoutine;
  731. };
  732. PDRIVER_VERIFIER_THUNK_ROUTINE NewRoutine;
  733. } VERIFIER_THUNKS, *PVERIFIER_THUNKS;
  735. extern const VERIFIER_THUNKS MiVerifierThunks[];
  736. extern const VERIFIER_THUNKS MiVerifierPoolThunks[];
  738. #if defined (_X86_)
  740. #define VI_KE_RAISE_IRQL 0
  741. #define VI_KE_LOWER_IRQL 1
  742. #define VI_KE_ACQUIRE_SPINLOCK 2
  743. #define VI_KE_RELEASE_SPINLOCK 3
  745. #define VI_KF_RAISE_IRQL 4
  746. #define VI_KE_RAISE_IRQL_TO_DPC_LEVEL 5
  747. #define VI_KF_LOWER_IRQL 6
  748. #define VI_KF_ACQUIRE_SPINLOCK 7
  750. #define VI_KF_RELEASE_SPINLOCK 8
  751. #define VI_EX_ACQUIRE_FAST_MUTEX 9
  752. #define VI_KE_ACQUIRE_QUEUED_SPINLOCK 10
  753. #define VI_KE_RELEASE_QUEUED_SPINLOCK 11
  755. #define VI_HALMAX 12
  757. PVOID MiKernelVerifierOriginalCalls[VI_HALMAX];
  759. #endif
  761. //
  762. // Track irql package declarations
  763. //
  765. #define VI_TRACK_IRQL_TRACE_LENGTH 5
  767. typedef struct _VI_TRACK_IRQL {
  769. PVOID Thread;
  770. KIRQL OldIrql;
  771. KIRQL NewIrql;
  772. UCHAR Processor;
  773. ULONG TickCount;
  774. PVOID StackTrace [VI_TRACK_IRQL_TRACE_LENGTH];
  776. } VI_TRACK_IRQL, *PVI_TRACK_IRQL;
  778. PVI_TRACK_IRQL ViTrackIrqlQueue;
  779. ULONG ViTrackIrqlIndex;
  780. ULONG ViTrackIrqlQueueLength = 128;
  782. VOID
  783. ViTrackIrqlInitialize (
  784. )
  785. {
  786. ULONG Length;
  787. ULONG Round;
  789. //
  790. // Round up length to a power of two and prepare
  791. // mask for the length.
  792. //
  794. Length = ViTrackIrqlQueueLength;
  796. if (Length > 0x10000) {
  797. Length = 0x10000;
  798. }
  800. for (Round = 0x10000; Round != 0; Round >>= 1) {
  802. if (Length == Round) {
  803. break;
  804. }
  805. else if ((Length & Round) == Round) {
  806. Length = (Round << 1);
  807. break;
  808. }
  809. }
  811. ViTrackIrqlQueueLength = Length;
  813. //
  814. // Note POOL_DRIVER_MASK must be set to stop the recursion loop
  815. // when using the kernel verifier.
  816. //
  818. ViTrackIrqlQueue = ExAllocatePoolWithTagPriority (
  819. NonPagedPool | POOL_DRIVER_MASK,
  820. ViTrackIrqlQueueLength * sizeof (VI_TRACK_IRQL),
  821. 'lqrI',
  822. HighPoolPriority);
  823. }
  825. VOID
  826. ViTrackIrqlLog (
  827. IN KIRQL CurrentIrql,
  828. IN KIRQL NewIrql
  829. )
  830. {
  831. PVI_TRACK_IRQL Information;
  832. LARGE_INTEGER TimeStamp;
  833. ULONG Index;
  834. ULONG Hash;
  836. ASSERT (ViTrackIrqlQueue != NULL);
  838. if (CurrentIrql > DISPATCH_LEVEL || NewIrql > DISPATCH_LEVEL) {
  839. return;
  840. }
  842. #if defined(_AMD64_)
  843. if ((GetCallersEflags () & EFLAGS_IF_MASK) == 0) {
  844. return;
  845. }
  846. #endif
  848. //
  849. // Get a slot to write into.
  850. //
  852. Index = InterlockedIncrement((PLONG)&ViTrackIrqlIndex);
  853. Index &= (ViTrackIrqlQueueLength - 1);
  855. //
  856. // Capture information.
  857. //
  859. Information = &(ViTrackIrqlQueue[Index]);
  861. Information->Thread = KeGetCurrentThread();
  862. Information->OldIrql = CurrentIrql;
  863. Information->NewIrql = NewIrql;
  864. Information->Processor = (UCHAR)(KeGetCurrentProcessorNumber());
  865. KeQueryTickCount(&TimeStamp);
  866. Information->TickCount = TimeStamp.LowPart;
  868. RtlCaptureStackBackTrace (2,
  869. VI_TRACK_IRQL_TRACE_LENGTH,
  870. Information->StackTrace,
  871. &Hash);
  872. }
  874. //
  875. // Detect the caller of the current function in an architecture
  876. // dependent way.
  877. //
  879. #define VI_DETECT_RETURN_ADDRESS(Caller) { \
  880. PVOID CallersCaller; \
  881. RtlGetCallersAddress(&Caller, &CallersCaller); \
  882. }
  884. //
  885. // Fault injection stack trace log.
  886. //
  888. #define VI_FAULT_TRACE_LENGTH 8
  890. typedef struct _VI_FAULT_TRACE {
  892. PVOID StackTrace [VI_FAULT_TRACE_LENGTH];
  894. } VI_FAULT_TRACE, *PVI_FAULT_TRACE;
  896. PVI_FAULT_TRACE ViFaultTraces;
  897. ULONG ViFaultTracesIndex;
  898. ULONG ViFaultTracesLength = 128;
  900. VOID
  901. ViFaultTracesInitialize (
  902. VOID
  903. )
  904. {
  905. //
  906. // Note POOL_DRIVER_MASK must be set to stop the recursion loop
  907. // when using the kernel verifier.
  908. //
  910. ViFaultTraces = ExAllocatePoolWithTagPriority (
  911. NonPagedPool | POOL_DRIVER_MASK,
  912. ViFaultTracesLength * sizeof (VI_FAULT_TRACE),
  913. 'ttlF',
  914. HighPoolPriority);
  915. }
  917. VOID
  918. ViFaultTracesLog (
  919. VOID
  920. )
  921. {
  922. PVI_FAULT_TRACE Information;
  923. ULONG Hash;
  924. ULONG Index;
  926. if (ViFaultTraces == NULL) {
  927. return;
  928. }
  930. //
  931. // Get slot to write into.
  932. //
  934. Index = InterlockedIncrement ((PLONG)&ViFaultTracesIndex);
  935. Index &= (ViFaultTracesLength - 1);
  937. //
  938. // Capture information. Even if we lose performance it is
  939. // worth zeroing the trace buffer to avoid confusing people
  940. // if old traces get merged with new ones. This zeroing
  941. // will happen only if we actually inject a failure.
  942. //
  944. Information = &(ViFaultTraces[Index]);
  946. RtlZeroMemory (Information, sizeof (VI_FAULT_TRACE));
  948. RtlCaptureStackBackTrace (2,
  949. VI_FAULT_TRACE_LENGTH,
  950. Information->StackTrace,
  951. &Hash);
  952. }
  954. //
  955. // Don't fail any requests in the first 7 or 8 minutes as we want to
  956. // give the system enough time to boot.
  957. //
  958. #define MI_CHECK_UPTIME() \
  959. if (VerifierSystemSufficientlyBooted == FALSE) { \
  960. LARGE_INTEGER _CurrentTime; \
  961. KeQuerySystemTime (&_CurrentTime); \
  962. if (_CurrentTime.QuadPart > KeBootTime.QuadPart + VerifierRequiredTimeSinceBoot.QuadPart) { \
  963. VerifierSystemSufficientlyBooted = TRUE; \
  964. } \
  965. }
  967. THUNKED_API
  968. VOID
  969. VerifierProbeAndLockPages (
  970. IN OUT PMDL MemoryDescriptorList,
  971. IN KPROCESSOR_MODE AccessMode,
  972. IN LOCK_OPERATION Operation
  973. )
  974. {
  975. KIRQL CurrentIrql;
  977. CurrentIrql = KeGetCurrentIrql();
  978. if (CurrentIrql > DISPATCH_LEVEL) {
  979. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  980. 0x70,
  981. CurrentIrql,
  982. (ULONG_PTR)MemoryDescriptorList,
  983. (ULONG_PTR)AccessMode);
  984. }
  986. if (ViInjectResourceFailure () == TRUE) {
  987. ExRaiseStatus (STATUS_WORKING_SET_QUOTA);
  988. }
  990. MmProbeAndLockPages (MemoryDescriptorList, AccessMode, Operation);
  991. }
  993. THUNKED_API
  994. VOID
  995. VerifierProbeAndLockProcessPages (
  996. IN OUT PMDL MemoryDescriptorList,
  997. IN PEPROCESS Process,
  998. IN KPROCESSOR_MODE AccessMode,
  999. IN LOCK_OPERATION Operation
  1000. )
  1001. {
  1002. KIRQL CurrentIrql;
  1004. CurrentIrql = KeGetCurrentIrql();
  1005. if (CurrentIrql > DISPATCH_LEVEL) {
  1006. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1007. 0x71,
  1008. CurrentIrql,
  1009. (ULONG_PTR)MemoryDescriptorList,
  1010. (ULONG_PTR)Process);
  1011. }
  1013. if (ViInjectResourceFailure () == TRUE) {
  1014. ExRaiseStatus (STATUS_WORKING_SET_QUOTA);
  1015. }
  1017. MmProbeAndLockProcessPages (MemoryDescriptorList,
  1018. Process,
  1019. AccessMode,
  1020. Operation);
  1021. }
  1023. THUNKED_API
  1024. VOID
  1025. VerifierProbeAndLockSelectedPages (
  1026. IN OUT PMDL MemoryDescriptorList,
  1027. IN PFILE_SEGMENT_ELEMENT SegmentArray,
  1028. IN KPROCESSOR_MODE AccessMode,
  1029. IN LOCK_OPERATION Operation
  1030. )
  1031. {
  1032. KIRQL CurrentIrql;
  1034. CurrentIrql = KeGetCurrentIrql();
  1035. if (CurrentIrql > APC_LEVEL) {
  1036. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1037. 0x72,
  1038. CurrentIrql,
  1039. (ULONG_PTR)MemoryDescriptorList,
  1040. (ULONG_PTR)AccessMode);
  1041. }
  1043. if (ViInjectResourceFailure () == TRUE) {
  1044. ExRaiseStatus (STATUS_WORKING_SET_QUOTA);
  1045. }
  1047. MmProbeAndLockSelectedPages (MemoryDescriptorList,
  1048. SegmentArray,
  1049. AccessMode,
  1050. Operation);
  1051. }
  1053. THUNKED_API
  1054. PVOID
  1055. VerifierMapIoSpace (
  1056. IN PHYSICAL_ADDRESS PhysicalAddress,
  1057. IN SIZE_T NumberOfBytes,
  1058. IN MEMORY_CACHING_TYPE CacheType
  1059. )
  1060. {
  1061. KIRQL OldIrql;
  1062. LOGICAL IsPfn;
  1063. PMMPFN Pfn1;
  1064. PFN_NUMBER NumberOfPages;
  1065. PFN_NUMBER PageFrameIndex;
  1066. PFN_NUMBER LastPageFrameIndex;
  1067. PMMIO_TRACKER Tracker2;
  1068. PLIST_ENTRY NextEntry;
  1069. MI_PFN_CACHE_ATTRIBUTE CacheAttribute;
  1070. MI_PFN_CACHE_ATTRIBUTE ExistingAttribute;
  1071. MEMORY_CACHING_TYPE ExistingCacheType;
  1073. OldIrql = KeGetCurrentIrql ();
  1075. if (OldIrql > DISPATCH_LEVEL) {
  1076. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1077. 0x73,
  1078. OldIrql,
  1079. (ULONG_PTR)PhysicalAddress.LowPart,
  1080. NumberOfBytes);
  1081. }
  1083. //
  1084. // See if the first frame is in the PFN database and if so, they all must
  1085. // be.
  1086. //
  1088. PageFrameIndex = (PFN_NUMBER)(PhysicalAddress.QuadPart >> PAGE_SHIFT);
  1090. NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES (PhysicalAddress.LowPart,
  1091. NumberOfBytes);
  1093. CacheAttribute = MI_TRANSLATE_CACHETYPE (CacheType, TRUE);
  1095. IsPfn = MI_IS_PFN (PageFrameIndex);
  1097. if (IsPfn == TRUE) {
  1099. Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
  1101. do {
  1103. //
  1104. // Each frame better be locked down already. Bugcheck if not.
  1105. //
  1107. if ((Pfn1->u3.e2.ReferenceCount != 0) ||
  1108. ((Pfn1->u3.e1.Rom == 1) && ((CacheType & 0xFF) == MmCached))) {
  1110. NOTHING;
  1111. }
  1112. else {
  1113. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1114. 0x83,
  1115. (ULONG_PTR)PhysicalAddress.LowPart,
  1116. NumberOfBytes,
  1117. (ULONG_PTR)MI_PFN_ELEMENT_TO_INDEX (Pfn1));
  1118. }
  1120. if (Pfn1->u3.e1.CacheAttribute == MiNotMapped) {
  1122. //
  1123. // This better be for a page allocated with
  1124. // MmAllocatePagesForMdl. Otherwise it might be a
  1125. // page on the freelist which could subsequently be
  1126. // given out with a different attribute !
  1127. //
  1129. if ((Pfn1->u4.PteFrame == MI_MAGIC_AWE_PTEFRAME) ||
  1130. #if defined (_MI_MORE_THAN_4GB_)
  1131. (Pfn1->u4.PteFrame == MI_MAGIC_4GB_RECLAIM) ||
  1132. #endif
  1133. (Pfn1->PteAddress == (PVOID) (ULONG_PTR)(X64K | 0x1))) {
  1135. NOTHING;
  1136. }
  1137. else {
  1138. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1139. 0x84,
  1140. (ULONG_PTR)PhysicalAddress.LowPart,
  1141. NumberOfBytes,
  1142. (ULONG_PTR)MI_PFN_ELEMENT_TO_INDEX (Pfn1));
  1143. }
  1144. }
  1145. Pfn1 += 1;
  1146. NumberOfPages -= 1;
  1147. } while (NumberOfPages != 0);
  1148. }
  1149. else {
  1151. ExAcquireSpinLock (&MmIoTrackerLock, &OldIrql);
  1153. //
  1154. // Scan I/O space mappings for duplicate or overlapping entries.
  1155. //
  1157. NextEntry = MmIoHeader.Flink;
  1158. while (NextEntry != &MmIoHeader) {
  1160. Tracker2 = (PMMIO_TRACKER) CONTAINING_RECORD (NextEntry,
  1161. MMIO_TRACKER,
  1162. ListEntry.Flink);
  1164. if ((PageFrameIndex < Tracker2->PageFrameIndex + Tracker2->NumberOfPages) &&
  1165. (PageFrameIndex + NumberOfPages > Tracker2->PageFrameIndex)) {
  1167. ExistingAttribute = Tracker2->CacheAttribute;
  1169. if (CacheAttribute != ExistingAttribute) {
  1171. DbgPrint ("MM: Iospace mapping overlap %p\n",
  1172. Tracker2);
  1174. DbgPrint ("Physical range 0x%p->%p first mapped %s at VA %p\n",
  1175. Tracker2->PageFrameIndex << PAGE_SHIFT,
  1176. (Tracker2->PageFrameIndex + Tracker2->NumberOfPages) << PAGE_SHIFT,
  1177. MiCacheStrings[ExistingAttribute],
  1178. Tracker2->BaseVa);
  1179. DbgPrint ("\tby call stack: %p %p %p %p\n",
  1180. Tracker2->StackTrace[0],
  1181. Tracker2->StackTrace[1],
  1182. Tracker2->StackTrace[2],
  1183. Tracker2->StackTrace[3]);
  1185. DbgPrint ("Physical range 0x%p->%p now being mapped %s\n",
  1186. PageFrameIndex << PAGE_SHIFT,
  1187. (PageFrameIndex + NumberOfPages) << PAGE_SHIFT,
  1188. MiCacheStrings[CacheAttribute]);
  1190. //
  1191. // Convert the existing internal cache attribute to an
  1192. // external cache type driver writers are familiar with.
  1193. //
  1195. ExistingCacheType = MmCached;
  1196. if (ExistingAttribute == MiNonCached) {
  1197. ExistingCacheType = MmNonCached;
  1198. }
  1199. else if (ExistingAttribute == MiWriteCombined) {
  1200. ExistingCacheType = MmWriteCombined;
  1201. }
  1203. if (ViHideCacheConflicts == TRUE) {
  1205. //
  1206. // People don't want to know about these corruptions.
  1207. //
  1209. break;
  1210. }
  1211. else {
  1212. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1213. 0x87,
  1214. Tracker2->PageFrameIndex,
  1215. Tracker2->NumberOfPages,
  1216. ExistingCacheType);
  1217. }
  1218. }
  1219. }
  1221. NextEntry = Tracker2->ListEntry.Flink;
  1222. }
  1224. ExReleaseSpinLock (&MmIoTrackerLock, OldIrql);
  1225. }
  1227. if (CacheAttribute != MiCached) {
  1229. //
  1230. // If a noncachable mapping is requested, none of the pages in the
  1231. // requested range can reside in a cached large page. Otherwise we
  1232. // would be creating an incoherent overlapping TB entry as the
  1233. // same physical page would be mapped by 2 different TB entries
  1234. // with different cache attributes.
  1235. //
  1237. NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES (PhysicalAddress.LowPart,
  1238. NumberOfBytes);
  1240. LastPageFrameIndex = PageFrameIndex + NumberOfPages;
  1242. LOCK_PFN2 (OldIrql);
  1244. do {
  1246. if (MI_PAGE_FRAME_INDEX_MUST_BE_CACHED (PageFrameIndex)) {
  1248. PageFrameIndex = (PFN_NUMBER)(PhysicalAddress.QuadPart >> PAGE_SHIFT);
  1249. NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES (PhysicalAddress.LowPart,
  1250. NumberOfBytes);
  1252. //
  1253. // Convert the existing internal cache attribute to an
  1254. // external cache type driver writers are familiar with.
  1255. // Note this must be done (instead of using the input
  1256. // parameter) because some (broken hardware) OEM platforms
  1257. // convert the input parameter via MI_TRANSLATE_CACHETYPE
  1258. // and we want to print the type really did conflict.
  1259. //
  1261. if (CacheAttribute == MiNonCached) {
  1262. CacheType = MmNonCached;
  1263. }
  1264. else {
  1265. ASSERT (CacheAttribute == MiWriteCombined);
  1266. CacheType = MmWriteCombined;
  1267. }
  1269. if (ViHideCacheConflicts == TRUE) {
  1271. //
  1272. // People don't want to know about these corruptions.
  1273. //
  1275. break;
  1276. }
  1277. else {
  1278. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1279. 0x88,
  1280. PageFrameIndex,
  1281. NumberOfPages,
  1282. CacheType);
  1283. }
  1284. }
  1286. PageFrameIndex += 1;
  1288. } while (PageFrameIndex < LastPageFrameIndex);
  1290. UNLOCK_PFN2 (OldIrql);
  1291. }
  1293. if (ViInjectResourceFailure () == TRUE) {
  1294. return NULL;
  1295. }
  1297. return MmMapIoSpace (PhysicalAddress, NumberOfBytes, CacheType);
  1298. }
  1300. VOID
  1301. ViCheckMdlPages (
  1302. IN PMDL MemoryDescriptorList,
  1303. IN MEMORY_CACHING_TYPE CacheType
  1304. )
  1305. {
  1306. KIRQL OldIrql;
  1307. PMMPFN Pfn1;
  1308. PFN_NUMBER NumberOfPages;
  1309. PPFN_NUMBER Page;
  1310. PPFN_NUMBER LastPage;
  1311. PVOID StartingVa;
  1312. MI_PFN_CACHE_ATTRIBUTE CacheAttribute;
  1313. LOGICAL IsPfn;
  1315. StartingVa = (PVOID)((PCHAR)MemoryDescriptorList->StartVa +
  1316. MemoryDescriptorList->ByteOffset);
  1318. Page = (PPFN_NUMBER)(MemoryDescriptorList + 1);
  1319. NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES (StartingVa,
  1320. MemoryDescriptorList->ByteCount);
  1321. LastPage = Page + NumberOfPages;
  1323. CacheAttribute = MI_TRANSLATE_CACHETYPE (CacheType, TRUE);
  1325. do {
  1327. if (*Page == MM_EMPTY_LIST) {
  1328. break;
  1329. }
  1331. IsPfn = MI_IS_PFN (*Page);
  1333. if (MemoryDescriptorList->MdlFlags & MDL_IO_SPACE) {
  1335. #if 0
  1336. //
  1337. // Drivers end up with HALCachedMemory pages here
  1338. // so this cannot be enabled.
  1339. //
  1341. if (IsPfn == TRUE) {
  1342. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1343. 0x8B,
  1344. (ULONG_PTR) MemoryDescriptorList,
  1345. (ULONG_PTR) Page,
  1346. *Page);
  1347. }
  1348. #endif
  1349. }
  1350. else {
  1352. if (IsPfn == FALSE) {
  1353. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1354. 0x89,
  1355. (ULONG_PTR) MemoryDescriptorList,
  1356. (ULONG_PTR) Page,
  1357. *Page);
  1358. }
  1360. Pfn1 = MI_PFN_ELEMENT (*Page);
  1362. //
  1363. // Each frame better be locked down already. Bugcheck if not.
  1364. //
  1366. if ((Pfn1->u3.e2.ReferenceCount != 0) ||
  1367. ((Pfn1->u3.e1.Rom == 1) && (CacheType == MmCached))) {
  1369. NOTHING;
  1370. }
  1371. else {
  1372. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1373. 0x85,
  1374. (ULONG_PTR)MemoryDescriptorList,
  1375. NumberOfPages,
  1376. (ULONG_PTR)MI_PFN_ELEMENT_TO_INDEX(Pfn1));
  1377. }
  1379. if (Pfn1->u3.e1.CacheAttribute == MiNotMapped) {
  1381. //
  1382. // This better be for a page allocated with
  1383. // MmAllocatePagesForMdl. Otherwise it might be a
  1384. // page on the freelist which could subsequently be
  1385. // given out with a different attribute !
  1386. //
  1388. if ((Pfn1->u4.PteFrame == MI_MAGIC_AWE_PTEFRAME) ||
  1389. #if defined (_MI_MORE_THAN_4GB_)
  1390. (Pfn1->u4.PteFrame == MI_MAGIC_4GB_RECLAIM) ||
  1391. #endif
  1392. (Pfn1->PteAddress == (PVOID) (ULONG_PTR)(X64K | 0x1))) {
  1394. NOTHING;
  1395. }
  1396. else {
  1397. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1398. 0x86,
  1399. (ULONG_PTR)MemoryDescriptorList,
  1400. NumberOfPages,
  1401. (ULONG_PTR)MI_PFN_ELEMENT_TO_INDEX(Pfn1));
  1402. }
  1403. }
  1404. }
  1406. if (CacheAttribute != MiCached) {
  1408. //
  1409. // If a noncachable mapping is requested, none of the pages in the
  1410. // requested range can reside in a cached large page. Otherwise we
  1411. // would be creating an incoherent overlapping TB entry as the
  1412. // same physical page would be mapped by 2 different TB entries
  1413. // with different cache attributes.
  1414. //
  1416. LOCK_PFN2 (OldIrql);
  1418. if (MI_PAGE_FRAME_INDEX_MUST_BE_CACHED (*Page)) {
  1420. //
  1421. // Convert the existing internal cache attribute to an
  1422. // external cache type driver writers are familiar with.
  1423. // Note this must be done (instead of using the input
  1424. // parameter) because some (broken hardware) OEM platforms
  1425. // convert the input parameter via MI_TRANSLATE_CACHETYPE
  1426. // and we want to print the type really did conflict.
  1427. //
  1429. if (CacheAttribute == MiNonCached) {
  1430. CacheType = MmNonCached;
  1431. }
  1432. else {
  1433. ASSERT (CacheAttribute == MiWriteCombined);
  1434. CacheType = MmWriteCombined;
  1435. }
  1437. if (ViHideCacheConflicts == TRUE) {
  1439. //
  1440. // People don't want to know about these corruptions.
  1441. //
  1443. UNLOCK_PFN2 (OldIrql);
  1444. break;
  1445. }
  1446. else {
  1447. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1448. 0x8A,
  1449. (ULONG_PTR) MemoryDescriptorList,
  1450. *Page,
  1451. CacheType);
  1452. }
  1453. }
  1455. UNLOCK_PFN2 (OldIrql);
  1456. }
  1458. Page += 1;
  1459. } while (Page < LastPage);
  1460. }
  1462. THUNKED_API
  1463. PVOID
  1464. VerifierMapLockedPages (
  1465. IN PMDL MemoryDescriptorList,
  1466. IN KPROCESSOR_MODE AccessMode
  1467. )
  1468. {
  1469. KIRQL CurrentIrql;
  1471. CurrentIrql = KeGetCurrentIrql();
  1473. if (AccessMode == KernelMode) {
  1474. if (CurrentIrql > DISPATCH_LEVEL) {
  1475. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1476. 0x74,
  1477. CurrentIrql,
  1478. (ULONG_PTR)MemoryDescriptorList,
  1479. (ULONG_PTR)AccessMode);
  1480. }
  1481. }
  1482. else {
  1483. if (CurrentIrql > APC_LEVEL) {
  1484. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1485. 0x75,
  1486. CurrentIrql,
  1487. (ULONG_PTR)MemoryDescriptorList,
  1488. (ULONG_PTR)AccessMode);
  1489. }
  1490. }
  1492. ViCheckMdlPages (MemoryDescriptorList, MmCached);
  1494. if ((MemoryDescriptorList->MdlFlags & MDL_MAPPING_CAN_FAIL) == 0) {
  1496. MI_CHECK_UPTIME ();
  1498. if (VerifierSystemSufficientlyBooted == TRUE) {
  1500. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1501. 0x81,
  1502. (ULONG_PTR) MemoryDescriptorList,
  1503. MemoryDescriptorList->MdlFlags,
  1504. 0);
  1505. }
  1506. }
  1508. return MmMapLockedPages (MemoryDescriptorList, AccessMode);
  1509. }
  1511. THUNKED_API
  1512. PVOID
  1513. VerifierMapLockedPagesSpecifyCache (
  1514. IN PMDL MemoryDescriptorList,
  1515. IN KPROCESSOR_MODE AccessMode,
  1516. IN MEMORY_CACHING_TYPE CacheType,
  1517. IN PVOID RequestedAddress,
  1518. IN ULONG BugCheckOnFailure,
  1519. IN MM_PAGE_PRIORITY Priority
  1520. )
  1521. {
  1522. KIRQL CurrentIrql;
  1524. CurrentIrql = KeGetCurrentIrql ();
  1525. if (AccessMode == KernelMode) {
  1526. if (CurrentIrql > DISPATCH_LEVEL) {
  1527. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1528. 0x76,
  1529. CurrentIrql,
  1530. (ULONG_PTR)MemoryDescriptorList,
  1531. (ULONG_PTR)AccessMode);
  1532. }
  1533. }
  1534. else {
  1535. if (CurrentIrql > APC_LEVEL) {
  1536. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1537. 0x77,
  1538. CurrentIrql,
  1539. (ULONG_PTR)MemoryDescriptorList,
  1540. (ULONG_PTR)AccessMode);
  1541. }
  1542. }
  1544. ViCheckMdlPages (MemoryDescriptorList, CacheType);
  1546. if ((MemoryDescriptorList->MdlFlags & MDL_MAPPING_CAN_FAIL) ||
  1547. (BugCheckOnFailure == 0)) {
  1549. if (ViInjectResourceFailure () == TRUE) {
  1550. return NULL;
  1551. }
  1552. }
  1553. else {
  1555. //
  1556. // All drivers must specify can fail or don't bugcheck.
  1557. //
  1559. MI_CHECK_UPTIME ();
  1561. if (VerifierSystemSufficientlyBooted == TRUE) {
  1563. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1564. 0x82,
  1565. (ULONG_PTR) MemoryDescriptorList,
  1566. MemoryDescriptorList->MdlFlags,
  1567. BugCheckOnFailure);
  1568. }
  1569. }
  1571. return MmMapLockedPagesSpecifyCache (MemoryDescriptorList,
  1572. AccessMode,
  1573. CacheType,
  1574. RequestedAddress,
  1575. BugCheckOnFailure,
  1576. Priority);
  1577. }
  1579. VOID
  1580. VerifierUnlockPages (
  1581. IN OUT PMDL MemoryDescriptorList
  1582. )
  1583. {
  1584. KIRQL CurrentIrql;
  1586. CurrentIrql = KeGetCurrentIrql();
  1587. if (CurrentIrql > DISPATCH_LEVEL) {
  1588. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1589. 0x78,
  1590. CurrentIrql,
  1591. (ULONG_PTR)MemoryDescriptorList,
  1592. 0);
  1593. }
  1595. if ((MemoryDescriptorList->MdlFlags & MDL_PAGES_LOCKED) == 0) {
  1597. //
  1598. // The caller is trying to unlock an MDL that was never locked down.
  1599. //
  1601. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1602. 0x7C,
  1603. (ULONG_PTR)MemoryDescriptorList,
  1604. (ULONG_PTR)MemoryDescriptorList->MdlFlags,
  1605. 0);
  1606. }
  1608. if (MemoryDescriptorList->MdlFlags & MDL_SOURCE_IS_NONPAGED_POOL) {
  1610. //
  1611. // Nonpaged pool should never be locked down.
  1612. //
  1614. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1615. 0x7D,
  1616. (ULONG_PTR)MemoryDescriptorList,
  1617. (ULONG_PTR)MemoryDescriptorList->MdlFlags,
  1618. 0);
  1619. }
  1621. MmUnlockPages (MemoryDescriptorList);
  1622. }
  1624. VOID
  1625. VerifierUnmapLockedPages (
  1626. IN PVOID BaseAddress,
  1627. IN PMDL MemoryDescriptorList
  1628. )
  1629. {
  1630. KIRQL CurrentIrql;
  1632. CurrentIrql = KeGetCurrentIrql();
  1634. if (BaseAddress > MM_HIGHEST_USER_ADDRESS) {
  1635. if (CurrentIrql > DISPATCH_LEVEL) {
  1636. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1637. 0x79,
  1638. CurrentIrql,
  1639. (ULONG_PTR)BaseAddress,
  1640. (ULONG_PTR)MemoryDescriptorList);
  1641. }
  1642. }
  1643. else {
  1644. if (CurrentIrql > APC_LEVEL) {
  1645. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1646. 0x7A,
  1647. CurrentIrql,
  1648. (ULONG_PTR)BaseAddress,
  1649. (ULONG_PTR)MemoryDescriptorList);
  1650. }
  1651. }
  1653. MmUnmapLockedPages (BaseAddress, MemoryDescriptorList);
  1654. }
  1656. VOID
  1657. VerifierUnmapIoSpace (
  1658. IN PVOID BaseAddress,
  1659. IN SIZE_T NumberOfBytes
  1660. )
  1661. {
  1662. KIRQL CurrentIrql;
  1664. CurrentIrql = KeGetCurrentIrql();
  1665. if (CurrentIrql > DISPATCH_LEVEL) {
  1666. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1667. 0x7B,
  1668. CurrentIrql,
  1669. (ULONG_PTR)BaseAddress,
  1670. (ULONG_PTR)NumberOfBytes);
  1671. }
  1673. MmUnmapIoSpace (BaseAddress, NumberOfBytes);
  1674. }
  1676. THUNKED_API
  1677. PVOID
  1678. VerifierAllocatePool (
  1679. IN POOL_TYPE PoolType,
  1680. IN SIZE_T NumberOfBytes
  1681. )
  1682. {
  1683. PVOID CallingAddress;
  1684. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1686. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1688. if (KernelVerifier == TRUE) {
  1690. Verifier = ViLocateVerifierEntry (CallingAddress);
  1692. if ((Verifier == NULL) ||
  1693. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1695. return ExAllocatePoolWithTag (PoolType | POOL_DRIVER_MASK,
  1696. NumberOfBytes,
  1697. 'enoN');
  1698. }
  1699. PoolType |= POOL_DRIVER_MASK;
  1700. }
  1702. MmVerifierData.AllocationsWithNoTag += 1;
  1704. return VeAllocatePoolWithTagPriority (PoolType,
  1705. NumberOfBytes,
  1706. 'parW',
  1707. HighPoolPriority,
  1708. CallingAddress);
  1709. }
  1711. THUNKED_API
  1712. PVOID
  1713. VerifierAllocatePoolWithTag (
  1714. IN POOL_TYPE PoolType,
  1715. IN SIZE_T NumberOfBytes,
  1716. IN ULONG Tag
  1717. )
  1718. {
  1719. PVOID CallingAddress;
  1720. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1722. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1724. if (KernelVerifier == TRUE) {
  1725. Verifier = ViLocateVerifierEntry (CallingAddress);
  1727. if ((Verifier == NULL) ||
  1728. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1730. return ExAllocatePoolWithTag (PoolType | POOL_DRIVER_MASK,
  1731. NumberOfBytes,
  1732. Tag);
  1733. }
  1734. PoolType |= POOL_DRIVER_MASK;
  1735. }
  1737. return VeAllocatePoolWithTagPriority (PoolType,
  1738. NumberOfBytes,
  1739. Tag,
  1740. HighPoolPriority,
  1741. CallingAddress);
  1742. }
  1744. THUNKED_API
  1745. PVOID
  1746. VerifierAllocatePoolWithQuota (
  1747. IN POOL_TYPE PoolType,
  1748. IN SIZE_T NumberOfBytes
  1749. )
  1750. {
  1751. PVOID Va;
  1752. LOGICAL RaiseOnQuotaFailure;
  1753. PVOID CallingAddress;
  1754. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1756. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1758. if (KernelVerifier == TRUE) {
  1759. Verifier = ViLocateVerifierEntry (CallingAddress);
  1761. if ((Verifier == NULL) ||
  1762. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1764. return ExAllocatePoolWithQuotaTag (PoolType | POOL_DRIVER_MASK,
  1765. NumberOfBytes,
  1766. 'enoN');
  1767. }
  1768. PoolType |= POOL_DRIVER_MASK;
  1769. }
  1771. MmVerifierData.AllocationsWithNoTag += 1;
  1773. if (PoolType & POOL_QUOTA_FAIL_INSTEAD_OF_RAISE) {
  1774. RaiseOnQuotaFailure = FALSE;
  1775. PoolType &= ~POOL_QUOTA_FAIL_INSTEAD_OF_RAISE;
  1776. }
  1777. else {
  1778. RaiseOnQuotaFailure = TRUE;
  1779. }
  1781. Va = VeAllocatePoolWithTagPriority (PoolType,
  1782. NumberOfBytes,
  1783. 'parW',
  1784. HighPoolPriority,
  1785. CallingAddress);
  1787. if (Va == NULL) {
  1788. if (RaiseOnQuotaFailure == TRUE) {
  1789. ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
  1790. }
  1791. }
  1793. return Va;
  1794. }
  1796. THUNKED_API
  1797. PVOID
  1798. VerifierAllocatePoolWithQuotaTag (
  1799. IN POOL_TYPE PoolType,
  1800. IN SIZE_T NumberOfBytes,
  1801. IN ULONG Tag
  1802. )
  1803. {
  1804. PVOID Va;
  1805. LOGICAL RaiseOnQuotaFailure;
  1806. PVOID CallingAddress;
  1807. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1809. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1811. if (KernelVerifier == TRUE) {
  1812. Verifier = ViLocateVerifierEntry (CallingAddress);
  1814. if ((Verifier == NULL) ||
  1815. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1817. return ExAllocatePoolWithQuotaTag (PoolType | POOL_DRIVER_MASK,
  1818. NumberOfBytes,
  1819. Tag);
  1820. }
  1821. PoolType |= POOL_DRIVER_MASK;
  1822. }
  1824. if (PoolType & POOL_QUOTA_FAIL_INSTEAD_OF_RAISE) {
  1825. RaiseOnQuotaFailure = FALSE;
  1826. PoolType &= ~POOL_QUOTA_FAIL_INSTEAD_OF_RAISE;
  1827. }
  1828. else {
  1829. RaiseOnQuotaFailure = TRUE;
  1830. }
  1832. Va = VeAllocatePoolWithTagPriority (PoolType,
  1833. NumberOfBytes,
  1834. Tag,
  1835. HighPoolPriority,
  1836. CallingAddress);
  1838. if (Va == NULL) {
  1839. if (RaiseOnQuotaFailure == TRUE) {
  1840. ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
  1841. }
  1842. }
  1844. return Va;
  1845. }
  1847. THUNKED_API
  1848. PVOID
  1849. VerifierAllocatePoolWithTagPriority(
  1850. IN POOL_TYPE PoolType,
  1851. IN SIZE_T NumberOfBytes,
  1852. IN ULONG Tag,
  1853. IN EX_POOL_PRIORITY Priority
  1854. )
  1856. /*++
  1858. Routine Description:
  1860. This thunked-in function:
  1862. - Performs sanity checks on the caller.
  1863. - Can optionally provide allocation failures to the caller.
  1864. - Attempts to provide the allocation from special pool.
  1865. - Tracks pool to ensure callers free everything they allocate.
  1867. --*/
  1869. {
  1870. PVOID CallingAddress;
  1871. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1873. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1875. if (KernelVerifier == TRUE) {
  1876. Verifier = ViLocateVerifierEntry (CallingAddress);
  1878. if ((Verifier == NULL) ||
  1879. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1881. return ExAllocatePoolWithTagPriority (PoolType | POOL_DRIVER_MASK,
  1882. NumberOfBytes,
  1883. Tag,
  1884. Priority);
  1885. }
  1886. PoolType |= POOL_DRIVER_MASK;
  1887. }
  1889. return VeAllocatePoolWithTagPriority (PoolType,
  1890. NumberOfBytes,
  1891. Tag,
  1892. Priority,
  1893. CallingAddress);
  1894. }
  1896. #if DBG
  1898. //
  1899. // Manually set this to inject failures in the inpage path for threads
  1900. // faulting on user (not kernel or session) space addresses only. You
  1901. // need to have the verifier enabled for the drivers of interest with
  1902. // fault injection disabled.
  1903. //
  1905. BOOLEAN ViInjectInPagePathOnly;
  1907. #endif
  1909. LOGICAL
  1910. ViInjectResourceFailure (
  1911. VOID
  1912. )
  1914. /*++
  1916. Routine Description:
  1918. This function determines whether a resource allocation should be
  1919. deliberately failed. This may be a pool allocation, MDL creation,
  1920. system PTE allocation, etc.
  1922. Arguments:
  1924. None.
  1926. Return Value:
  1928. TRUE if the allocation should be failed. FALSE otherwise.
  1930. Environment:
  1932. Kernel mode. DISPATCH_LEVEL or below.
  1934. --*/
  1936. {
  1937. ULONG TimeLow;
  1938. LARGE_INTEGER CurrentTime;
  1940. if ((MmVerifierData.Level & DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES) == 0) {
  1941. #if DBG
  1942. if ((ViInjectInPagePathOnly == TRUE) &&
  1943. (PsGetCurrentThread ()->NestedFaultCount != 0)) {
  1945. MmVerifierData.AllocationsFailedDeliberately += 1;
  1947. //
  1948. // Deliberately fail this request.
  1949. //
  1951. if (MiFaultRetryMask != 0xFFFFFFFF) {
  1952. MiFaultRetryMask = 0xFFFFFFFF;
  1953. MiUserFaultRetryMask = 0xFFFFFFFF;
  1954. }
  1956. #if defined(_X86_) || defined(_AMD64_)
  1957. ViFaultTracesLog ();
  1958. #endif
  1959. return TRUE;
  1960. }
  1961. #endif
  1962. return FALSE;
  1963. }
  1965. //
  1966. // Don't fail any requests in the first 7 or 8 minutes as we want to
  1967. // give the system enough time to boot.
  1968. //
  1970. MI_CHECK_UPTIME ();
  1972. if (VerifierSystemSufficientlyBooted == TRUE) {
  1974. KeQueryTickCount(&CurrentTime);
  1976. TimeLow = CurrentTime.LowPart;
  1978. if ((TimeLow & 0xF) == 0) {
  1980. MmVerifierData.AllocationsFailedDeliberately += 1;
  1982. //
  1983. // Deliberately fail this request.
  1984. //
  1986. if (MiFaultRetryMask != 0xFFFFFFFF) {
  1987. MiFaultRetryMask = 0xFFFFFFFF;
  1988. MiUserFaultRetryMask = 0xFFFFFFFF;
  1989. }
  1991. #if defined(_X86_) || defined(_AMD64_)
  1992. ViFaultTracesLog ();
  1993. #endif
  1995. return TRUE;
  1996. }
  1998. //
  1999. // Approximately every 5 minutes (on most systems), fail all of this
  2000. // components allocations for a 10 second burst. This more closely
  2001. // simulates (and exaggerates) the duration of the typical low resource
  2002. // scenario.
  2003. //
  2005. TimeLow &= 0x7FFF;
  2007. if (TimeLow < 0x400) {
  2009. MmVerifierData.BurstAllocationsFailedDeliberately += 1;
  2011. //
  2012. // Deliberately fail this request.
  2013. //
  2015. if (MiFaultRetryMask != 0xFFFFFFFF) {
  2016. MiFaultRetryMask = 0xFFFFFFFF;
  2017. MiUserFaultRetryMask = 0xFFFFFFFF;
  2018. }
  2020. #if defined(_X86_) || defined(_AMD64_)
  2021. ViFaultTracesLog ();
  2022. #endif
  2024. return TRUE;
  2025. }
  2026. }
  2028. return FALSE;
  2029. }
  2031. PVI_POOL_ENTRY
  2032. ViGrowPoolAllocation (
  2033. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  2034. )
  2036. /*++
  2038. Routine Description:
  2040. This function attempts to grows the verifier pool tracking tables and
  2041. return a free entry.
  2043. Arguments:
  2045. Verifier - Supplies the relevant verifier information structure.
  2047. Return Value:
  2049. A valid pool information pointer on success, FALSE on failure.
  2051. Environment:
  2053. Kernel mode. DISPATCH_LEVEL or below.
  2055. --*/
  2057. {
  2058. ULONG_PTR i;
  2059. PVI_POOL_ENTRY HashEntry;
  2061. //
  2062. // No entries were left, try to expand the list.
  2063. //
  2064. // Note POOL_DRIVER_MASK must be set to stop the recursion loop
  2065. // when using the kernel verifier.
  2066. //
  2068. HashEntry = ExAllocatePoolWithTagPriority (NonPagedPool | POOL_DRIVER_MASK,
  2069. PAGE_SIZE,
  2070. 'ppeV',
  2071. HighPoolPriority);
  2073. if (HashEntry == NULL) {
  2075. //
  2076. // Try one last time in case a thread has freed an entry while we
  2077. // tried to allocate pool.
  2078. //
  2080. return (PVI_POOL_ENTRY) InterlockedPopEntrySList (&Verifier->PoolTrackers);
  2081. }
  2083. KeZeroPages (HashEntry, PAGE_SIZE);
  2085. //
  2086. // Initialize the page header and then push it on to the page header list.
  2087. // This is so the debugger can easily walk the page headers to display all
  2088. // the current allocations.
  2089. //
  2091. HashEntry->PageHeader.VerifierEntry = Verifier;
  2092. HashEntry->PageHeader.Signature = VI_POOL_PAGE_HEADER_SIGNATURE;
  2094. InterlockedPushEntrySList (&Verifier->PoolPageHeaders,
  2095. (PSLIST_ENTRY) &HashEntry->PageHeader.NextPage);
  2097. //
  2098. // Push each free entry onto the free entry list.
  2099. //
  2101. #define VI_POOL_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(VI_POOL_ENTRY))
  2103. for (i = 0; i < VI_POOL_ENTRIES_PER_PAGE - 2; i += 1) {
  2105. HashEntry += 1;
  2106. HashEntry->InUse.NumberOfBytes = 0x1;
  2108. InterlockedPushEntrySList (&Verifier->PoolTrackers,
  2109. (PSLIST_ENTRY) HashEntry);
  2110. }
  2112. //
  2113. // Use the very last entry for our caller.
  2114. //
  2116. HashEntry += 1;
  2117. HashEntry->InUse.NumberOfBytes = 0x1;
  2119. return HashEntry;
  2120. }
  2122. PVOID
  2123. ViPostPoolAllocation (
  2124. IN PVI_POOL_ENTRY PoolEntry,
  2125. IN POOL_TYPE PoolType
  2126. )
  2128. /*++
  2130. Routine Description:
  2132. This function performs verifier book-keeping on the allocation.
  2134. Arguments:
  2136. PoolEntry - Supplies information about the pool entry being allocated.
  2137. Note the low bit is set if the allocation came from special
  2138. pool so strip it here.
  2140. PoolType - Supplies the type of pool being allocated.
  2142. Return Value:
  2144. The virtual address to give to the original caller.
  2146. Environment:
  2148. Kernel mode. DISPATCH_LEVEL or below.
  2150. --*/
  2152. {
  2153. PMI_VERIFIER_POOL_HEADER Header;
  2154. SIZE_T ChargedBytes;
  2155. SIZE_T TotalBytes;
  2156. ULONG TotalAllocations;
  2157. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  2158. PPOOL_HEADER PoolHeader;
  2159. PVOID VirtualAddress;
  2160. ULONG_PTR SpecialPooled;
  2162. VirtualAddress = PoolEntry->InUse.VirtualAddress;
  2164. SpecialPooled = (ULONG_PTR)VirtualAddress & 0x1;
  2166. Verifier = ((PVI_POOL_ENTRY)(PAGE_ALIGN (PoolEntry)))->PageHeader.VerifierEntry;
  2168. ASSERT (Verifier != NULL);
  2170. VerifierIsTrackingPool = TRUE;
  2172. ChargedBytes = EX_REAL_POOL_USAGE (PoolEntry->InUse.NumberOfBytes);
  2174. if (SpecialPooled) {
  2175. VirtualAddress = (PVOID)((ULONG_PTR)VirtualAddress & ~0x1);
  2176. PoolEntry->InUse.VirtualAddress = VirtualAddress;
  2177. ChargedBytes = PoolEntry->InUse.NumberOfBytes;
  2178. }
  2179. else if (PoolEntry->InUse.NumberOfBytes <= POOL_BUDDY_MAX) {
  2180. ChargedBytes -= POOL_OVERHEAD;
  2181. }
  2183. if (PoolEntry->InUse.NumberOfBytes > POOL_BUDDY_MAX) {
  2184. ASSERT (BYTE_OFFSET(VirtualAddress) == 0);
  2185. }
  2187. if (SpecialPooled) {
  2189. //
  2190. // Carefully adjust the special pool page to move the verifier tracking
  2191. // header to the front. This allows the allocation to remain butted
  2192. // against the end of the page so overruns can be detected immediately.
  2193. //
  2195. ChargedBytes -= sizeof (MI_VERIFIER_POOL_HEADER);
  2197. if (((ULONG_PTR)VirtualAddress & (PAGE_SIZE - 1))) {
  2198. PoolHeader = (PPOOL_HEADER)(PAGE_ALIGN (VirtualAddress));
  2199. Header = (PMI_VERIFIER_POOL_HEADER) (PoolHeader + 1);
  2201. VirtualAddress = (PVOID)(((LONG_PTR)(((PCHAR)PoolHeader + (PAGE_SIZE - ChargedBytes)))) & ~((LONG_PTR)POOL_OVERHEAD - 1));
  2202. }
  2203. else {
  2204. PoolHeader = (PPOOL_HEADER)((PCHAR)VirtualAddress + PAGE_SIZE - POOL_OVERHEAD);
  2205. Header = (PMI_VERIFIER_POOL_HEADER)((PCHAR)PoolHeader - sizeof (MI_VERIFIER_POOL_HEADER));
  2206. }
  2207. // ASSERT (PoolHeader->Ulong1 & MI_SPECIAL_POOL_VERIFIER);
  2208. PoolHeader->Ulong1 -= sizeof (MI_VERIFIER_POOL_HEADER);
  2209. PoolHeader->Ulong1 |= MI_SPECIAL_POOL_VERIFIER;
  2210. }
  2211. else if (PAGE_ALIGNED(VirtualAddress)) {
  2213. //
  2214. // Large page allocation.
  2215. //
  2217. Header = (PMI_VERIFIER_POOL_HEADER)((PCHAR)VirtualAddress +
  2218. ChargedBytes -
  2219. sizeof(MI_VERIFIER_POOL_HEADER));
  2220. }
  2221. else {
  2222. PoolHeader = (PPOOL_HEADER)((PCHAR)VirtualAddress - POOL_OVERHEAD);
  2224. #if !defined (_WIN64)
  2226. if (PoolType & POOL_QUOTA_MASK) {
  2228. //
  2229. // Note that when kernel verifying, the quota pointer in the pool
  2230. // block (for NT32) is not initialized until this routine returns
  2231. // to our caller.
  2232. //
  2234. //
  2235. // This allocation was charged quota and on NT32 ONLY, the
  2236. // quota pointer is extra space at the end of the pool
  2237. // allocation. Move our verifier header to just before the
  2238. // quota pointer. No worries about structure alignment on 4 byte
  2239. // boundaries on NT32 either.
  2240. //
  2242. Header = (PMI_VERIFIER_POOL_HEADER)((PCHAR)PoolHeader +
  2243. (PoolHeader->BlockSize << POOL_BLOCK_SHIFT) -
  2244. sizeof(PVOID) -
  2245. sizeof(MI_VERIFIER_POOL_HEADER));
  2246. }
  2247. else
  2248. #endif
  2250. Header = (PMI_VERIFIER_POOL_HEADER)((PCHAR)VirtualAddress +
  2251. ChargedBytes -
  2252. sizeof(MI_VERIFIER_POOL_HEADER));
  2253. }
  2255. ASSERT (((ULONG_PTR)Header & (sizeof(ULONG) - 1)) == 0);
  2257. //
  2258. // Override a few fields with their final values.
  2259. //
  2261. PoolEntry->InUse.VirtualAddress = VirtualAddress;
  2262. PoolEntry->InUse.NumberOfBytes = ChargedBytes;
  2264. if ((PoolType & BASE_POOL_TYPE_MASK) == PagedPool) {
  2266. //
  2267. // Update this driver's counters.
  2268. //
  2270. TotalBytes = InterlockedExchangeAddSizeT (&Verifier->PagedBytes,
  2271. ChargedBytes);
  2272. if (TotalBytes > Verifier->PeakPagedBytes) {
  2273. Verifier->PeakPagedBytes = TotalBytes;
  2274. }
  2276. TotalAllocations = (ULONG) InterlockedIncrement ((PLONG) &Verifier->CurrentPagedPoolAllocations);
  2277. if (TotalAllocations > Verifier->PeakPagedPoolAllocations) {
  2278. Verifier->PeakPagedPoolAllocations = TotalAllocations;
  2279. }
  2281. //
  2282. // Update systemwide counters.
  2283. //
  2285. TotalBytes = InterlockedExchangeAddSizeT (&MmVerifierData.PagedBytes,
  2286. ChargedBytes);
  2287. if (TotalBytes > MmVerifierData.PeakPagedBytes) {
  2288. MmVerifierData.PeakPagedBytes = TotalBytes;
  2289. }
  2291. TotalAllocations = (ULONG) InterlockedIncrement ((PLONG) &MmVerifierData.CurrentPagedPoolAllocations);
  2292. if (TotalAllocations > MmVerifierData.PeakPagedPoolAllocations) {
  2293. MmVerifierData.PeakPagedPoolAllocations = TotalAllocations;
  2294. }
  2295. }
  2296. else {
  2298. //
  2299. // Update this driver's counters.
  2300. //
  2302. TotalBytes = InterlockedExchangeAddSizeT (&Verifier->NonPagedBytes,
  2303. ChargedBytes);
  2305. if (TotalBytes > Verifier->PeakNonPagedBytes) {
  2306. Verifier->PeakNonPagedBytes = TotalBytes;
  2307. }
  2309. TotalAllocations = (ULONG) InterlockedIncrement ((PLONG) &Verifier->CurrentNonPagedPoolAllocations);
  2311. if (TotalAllocations > Verifier->PeakNonPagedPoolAllocations) {
  2312. Verifier->PeakNonPagedPoolAllocations = TotalAllocations;
  2313. }
  2315. //
  2316. // Update systemwide counters.
  2317. //
  2319. TotalBytes = InterlockedExchangeAddSizeT (&MmVerifierData.NonPagedBytes,
  2320. ChargedBytes);
  2322. if (TotalBytes > MmVerifierData.PeakNonPagedBytes) {
  2323. MmVerifierData.PeakNonPagedBytes = TotalBytes;
  2324. }
  2326. TotalAllocations = (ULONG) InterlockedIncrement ((PLONG) &MmVerifierData.CurrentNonPagedPoolAllocations);
  2327. if (TotalAllocations > MmVerifierData.PeakNonPagedPoolAllocations) {
  2328. MmVerifierData.PeakNonPagedPoolAllocations = TotalAllocations;
  2329. }
  2330. }
  2332. //
  2333. // Remember the header for paged pool is paged so this may fault.
  2334. //
  2336. Header->VerifierPoolEntry = PoolEntry;
  2338. return VirtualAddress;
  2339. }
  2341. PVOID
  2342. VeAllocatePoolWithTagPriority (
  2343. IN POOL_TYPE PoolType,
  2344. IN SIZE_T NumberOfBytes,
  2345. IN ULONG Tag,
  2346. IN EX_POOL_PRIORITY Priority,
  2347. IN PVOID CallingAddress
  2348. )
  2350. /*++
  2352. Routine Description:
  2354. This routine is called both from ex\pool.c and directly within this module.
  2356. - Performs sanity checks on the caller.
  2357. - Can optionally provide allocation failures to the caller.
  2358. - Attempts to provide the allocation from special pool.
  2359. - Tracks pool to ensure callers free everything they allocate.
  2361. --*/
  2363. {
  2364. PVOID VirtualAddress;
  2365. EX_POOL_PRIORITY AllocationPriority;
  2366. SIZE_T ChargedBytes;
  2367. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  2368. ULONG HeaderSize;
  2369. PVI_POOL_ENTRY PoolEntry;
  2370. LOGICAL SpecialPooled;
  2372. if (Tag == 0) {
  2373. KeBugCheckEx (BAD_POOL_CALLER,
  2374. 0x9B,
  2375. PoolType,
  2376. NumberOfBytes,
  2377. (ULONG_PTR) CallingAddress);
  2378. }
  2380. if (Tag == ' GIB') {
  2381. KeBugCheckEx (BAD_POOL_CALLER,
  2382. 0x9C,
  2383. PoolType,
  2384. NumberOfBytes,
  2385. (ULONG_PTR) CallingAddress);
  2386. }
  2388. ExAllocatePoolSanityChecks (PoolType, NumberOfBytes);
  2390. InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsAttempted);
  2392. if ((PoolType & MUST_SUCCEED_POOL_TYPE_MASK) == 0) {
  2394. if (ViInjectResourceFailure () == TRUE) {
  2396. //
  2397. // Caller requested an exception - throw it here.
  2398. //
  2400. if ((PoolType & POOL_RAISE_IF_ALLOCATION_FAILURE) != 0) {
  2401. ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
  2402. }
  2404. return NULL;
  2405. }
  2406. }
  2407. else {
  2408. MI_CHECK_UPTIME ();
  2410. if (VerifierSystemSufficientlyBooted == TRUE) {
  2412. KeBugCheckEx (BAD_POOL_CALLER,
  2413. 0x9A,
  2414. PoolType,
  2415. NumberOfBytes,
  2416. Tag);
  2417. }
  2418. }
  2420. ASSERT ((PoolType & POOL_VERIFIER_MASK) == 0);
  2422. AllocationPriority = Priority;
  2424. if (MmVerifierData.Level & DRIVER_VERIFIER_SPECIAL_POOLING) {
  2426. //
  2427. // Try for a special pool overrun allocation unless the caller has
  2428. // explicitly specified otherwise.
  2429. //
  2431. if ((AllocationPriority & (LowPoolPrioritySpecialPoolOverrun | LowPoolPrioritySpecialPoolUnderrun)) == 0) {
  2432. if (MmSpecialPoolCatchOverruns == TRUE) {
  2433. AllocationPriority |= LowPoolPrioritySpecialPoolOverrun;
  2434. }
  2435. else {
  2436. AllocationPriority |= LowPoolPrioritySpecialPoolUnderrun;
  2437. }
  2438. }
  2439. }
  2441. //
  2442. // Initializing Verifier is not needed for
  2443. // correctness but without it the compiler cannot compile this code
  2444. // W4 to check for use of uninitialized variables.
  2445. //
  2447. Verifier = NULL;
  2449. PoolEntry = NULL;
  2451. //
  2452. // Session pool is directly tracked by default already so it doesn't
  2453. // need verifier tracking.
  2454. //
  2456. if ((MmVerifierData.Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) &&
  2457. ((PoolType & SESSION_POOL_MASK) == 0)) {
  2459. HeaderSize = sizeof (MI_VERIFIER_POOL_HEADER);
  2461. ChargedBytes = MI_ROUND_TO_SIZE (NumberOfBytes, sizeof(ULONG)) + HeaderSize;
  2462. Verifier = ViLocateVerifierEntry (CallingAddress);
  2464. if ((Verifier == NULL) ||
  2465. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0) ||
  2466. (Verifier->Flags & VI_DISABLE_VERIFICATION)) {
  2468. //
  2469. // This can happen for many reasons including no framing (which
  2470. // can cause RtlGetCallersAddress to return the wrong address),
  2471. // etc.
  2472. //
  2474. MmVerifierData.UnTrackedPool += 1;
  2475. }
  2476. else if (ChargedBytes <= NumberOfBytes) {
  2478. //
  2479. // Don't let the verifier header transform a bad caller into a
  2480. // good caller. Fail via the fall through so an exception
  2481. // can be thrown if asked for, etc.
  2482. //
  2484. MmVerifierData.UnTrackedPool += 1;
  2485. }
  2486. else {
  2488. PoolEntry = (PVI_POOL_ENTRY) InterlockedPopEntrySList (&Verifier->PoolTrackers);
  2490. if (PoolEntry == NULL) {
  2491. PoolEntry = ViGrowPoolAllocation (Verifier);
  2492. }
  2494. if (PoolEntry != NULL) {
  2495. ASSERT (PoolEntry->InUse.NumberOfBytes & 0x1);
  2496. NumberOfBytes = ChargedBytes;
  2497. PoolType |= POOL_VERIFIER_MASK;
  2498. }
  2499. }
  2500. }
  2502. VirtualAddress = ExAllocatePoolWithTagPriority (PoolType,
  2503. NumberOfBytes,
  2504. Tag,
  2505. AllocationPriority);
  2507. if (VirtualAddress == NULL) {
  2508. MmVerifierData.AllocationsFailed += 1;
  2510. if (PoolEntry != NULL) {
  2512. //
  2513. // Release the hash table entry now as it's not needed.
  2514. //
  2516. ASSERT (PoolEntry->InUse.NumberOfBytes & 0x1);
  2517. InterlockedPushEntrySList (&Verifier->PoolTrackers,
  2518. (PSLIST_ENTRY) PoolEntry);
  2519. }
  2521. if ((PoolType & POOL_RAISE_IF_ALLOCATION_FAILURE) != 0) {
  2522. ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
  2523. }
  2524. return NULL;
  2525. }
  2527. SpecialPooled = FALSE;
  2528. InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceeded);
  2530. if (MmIsSpecialPoolAddress (VirtualAddress) == TRUE) {
  2531. SpecialPooled = TRUE;
  2532. InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceededSpecialPool);
  2533. }
  2534. else if (NumberOfBytes > POOL_BUDDY_MAX) {
  2536. //
  2537. // This isn't exactly true but it does give the user a way to see
  2538. // if this machine is large enough to support special pool 100%.
  2539. //
  2541. InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceededSpecialPool);
  2542. }
  2544. if (PoolEntry != NULL) {
  2545. PoolEntry->InUse.VirtualAddress = (PVOID)((ULONG_PTR)VirtualAddress | SpecialPooled);
  2546. PoolEntry->InUse.CallingAddress = CallingAddress;
  2547. PoolEntry->InUse.NumberOfBytes = NumberOfBytes;
  2548. PoolEntry->InUse.Tag = Tag;
  2549. ASSERT ((PoolType & POOL_VERIFIER_MASK) != 0);
  2551. VirtualAddress = ViPostPoolAllocation (PoolEntry, PoolType);
  2552. }
  2553. else {
  2554. ASSERT ((PoolType & POOL_VERIFIER_MASK) == 0);
  2555. }
  2557. return VirtualAddress;
  2558. }
  2560. VOID
  2561. ViFreeTrackedPool (
  2562. IN PVOID VirtualAddress,
  2563. IN SIZE_T ChargedBytes,
  2564. IN LOGICAL CheckType,
  2565. IN LOGICAL SpecialPool
  2566. )
  2568. /*++
  2570. Routine Description:
  2572. Called directly from the pool manager or the memory manager for verifier-
  2573. tracked allocations. The call to ExFreePool is already in progress.
  2575. Arguments:
  2577. VirtualAddress - Supplies the virtual address being freed.
  2579. ChargedBytes - Supplies the number of bytes charged to this allocation.
  2581. CheckType - Supplies PagedPool or NonPagedPool.
  2583. SpecialPool - Supplies TRUE if the allocation is from special pool.
  2585. Return Value:
  2587. None.
  2589. Environment:
  2591. Kernel mode, no locks or mutexes held on entry.
  2593. --*/
  2595. {
  2596. PPOOL_HEADER PoolHeader;
  2597. PMI_VERIFIER_POOL_HEADER Header;
  2598. PVI_POOL_ENTRY PoolEntry;
  2599. PFN_NUMBER PageFrameIndex;
  2600. PFN_NUMBER PageFrameIndex2;
  2601. PVI_POOL_PAGE_HEADER PageHeader;
  2602. PMMPTE PointerPte;
  2603. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  2605. ASSERT (KeGetCurrentIrql() <= DISPATCH_LEVEL);
  2607. ASSERT (VerifierIsTrackingPool == TRUE);
  2609. if (SpecialPool == TRUE) {
  2611. //
  2612. // Special pool allocation.
  2613. //
  2615. if (((ULONG_PTR)VirtualAddress & (PAGE_SIZE - 1))) {
  2616. PoolHeader = PAGE_ALIGN (VirtualAddress);
  2617. Header = (PMI_VERIFIER_POOL_HEADER)(PoolHeader + 1);
  2618. }
  2619. else {
  2620. PoolHeader = (PPOOL_HEADER)((PCHAR)PAGE_ALIGN (VirtualAddress) + PAGE_SIZE - POOL_OVERHEAD);
  2621. Header = (PMI_VERIFIER_POOL_HEADER)((PCHAR)PoolHeader - sizeof (MI_VERIFIER_POOL_HEADER));
  2622. }
  2623. }
  2624. else if (PAGE_ALIGNED(VirtualAddress)) {
  2626. //
  2627. // Large page allocation.
  2628. //
  2630. Header = (PMI_VERIFIER_POOL_HEADER) ((PCHAR)VirtualAddress +
  2631. ChargedBytes -
  2632. sizeof(MI_VERIFIER_POOL_HEADER));
  2633. }
  2634. else {
  2635. ChargedBytes -= POOL_OVERHEAD;
  2637. #if !defined (_WIN64)
  2639. PoolHeader = (PPOOL_HEADER)((PCHAR)VirtualAddress - POOL_OVERHEAD);
  2641. if (PoolHeader->PoolType & POOL_QUOTA_MASK) {
  2643. //
  2644. // This allocation was charged quota and on NT32 ONLY, the
  2645. // quota pointer is extra space at the end of the pool
  2646. // allocation. Move our verifier header to just before the
  2647. // quota pointer. No worries about structure alignment on 4 byte
  2648. // boundaries on NT32 either.
  2649. //
  2651. Header = (PMI_VERIFIER_POOL_HEADER)((PCHAR)PoolHeader +
  2652. (PoolHeader->BlockSize << POOL_BLOCK_SHIFT) -
  2653. sizeof(PVOID) -
  2654. sizeof(MI_VERIFIER_POOL_HEADER));
  2655. }
  2656. else
  2657. #endif
  2658. Header = (PMI_VERIFIER_POOL_HEADER) ((PCHAR)VirtualAddress +
  2659. ChargedBytes -
  2660. sizeof(MI_VERIFIER_POOL_HEADER));
  2661. }
  2663. PoolEntry = Header->VerifierPoolEntry;
  2665. //
  2666. // Check the pointer now so we can give a more friendly bugcheck
  2667. // rather than crashing below on a bad reference.
  2668. //
  2670. if ((((ULONG_PTR)PoolEntry & (sizeof(ULONG) - 1)) != 0) ||
  2671. (!MiIsAddressValid(PoolEntry, TRUE))) {
  2673. //
  2674. // The caller corrupted the saved verifier field.
  2675. //
  2677. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2678. 0x53,
  2679. (ULONG_PTR)VirtualAddress,
  2680. (ULONG_PTR)NULL,
  2681. (ULONG_PTR)PoolEntry);
  2682. }
  2684. PageHeader = (PVI_POOL_PAGE_HEADER) PAGE_ALIGN (PoolEntry);
  2686. if (PageHeader->Signature != VI_POOL_PAGE_HEADER_SIGNATURE) {
  2687. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2688. 0x53,
  2689. (ULONG_PTR)VirtualAddress,
  2690. (ULONG_PTR)PageHeader->Signature,
  2691. (ULONG_PTR)PoolEntry);
  2692. }
  2694. Verifier = (PMI_VERIFIER_DRIVER_ENTRY) PageHeader->VerifierEntry;
  2696. ASSERT (Verifier != NULL);
  2698. //
  2699. // Check the pointer now so we can give a more friendly bugcheck
  2700. // rather than crashing below on a bad reference.
  2701. //
  2703. if ((((ULONG_PTR)Verifier & (sizeof(ULONG) - 1)) != 0) ||
  2704. (!MiIsAddressValid(&Verifier->Signature, TRUE)) ||
  2705. (Verifier->Signature != MI_VERIFIER_ENTRY_SIGNATURE)) {
  2707. //
  2708. // The caller corrupted the saved verifier field.
  2709. //
  2711. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2712. 0x53,
  2713. (ULONG_PTR)VirtualAddress,
  2714. (ULONG_PTR)PoolEntry,
  2715. (ULONG_PTR)Verifier);
  2716. }
  2718. if (PoolEntry->InUse.VirtualAddress != VirtualAddress) {
  2720. PageFrameIndex = 0;
  2721. PageFrameIndex2 = 1;
  2723. if ((!MI_IS_PHYSICAL_ADDRESS(VirtualAddress)) &&
  2724. (MI_IS_PHYSICAL_ADDRESS(PoolEntry->InUse.VirtualAddress))) {
  2726. PointerPte = MiGetPteAddress(VirtualAddress);
  2727. if (PointerPte->u.Hard.Valid == 1) {
  2728. PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
  2730. PageFrameIndex2 = MI_CONVERT_PHYSICAL_TO_PFN (PoolEntry->InUse.VirtualAddress);
  2731. }
  2732. }
  2734. //
  2735. // Caller overran and corrupted the virtual address - the linked
  2736. // list cannot be counted on either.
  2737. //
  2739. if (PageFrameIndex != PageFrameIndex2) {
  2740. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2741. 0x52,
  2742. (ULONG_PTR)VirtualAddress,
  2743. (ULONG_PTR)PoolEntry->InUse.VirtualAddress,
  2744. ChargedBytes);
  2745. }
  2746. }
  2748. if (PoolEntry->InUse.NumberOfBytes != ChargedBytes) {
  2750. //
  2751. // Caller overran and corrupted the byte count - the linked
  2752. // list cannot be counted on either.
  2753. //
  2755. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2756. 0x51,
  2757. (ULONG_PTR)VirtualAddress,
  2758. (ULONG_PTR)PoolEntry,
  2759. ChargedBytes);
  2760. }
  2762. //
  2763. // Put this list entry into the freelist.
  2764. //
  2766. PoolEntry->InUse.NumberOfBytes |= 0x1;
  2767. InterlockedPushEntrySList (&Verifier->PoolTrackers,
  2768. (PSLIST_ENTRY) PoolEntry);
  2770. if ((CheckType & BASE_POOL_TYPE_MASK) == PagedPool) {
  2772. //
  2773. // Decrement this driver's counters.
  2774. //
  2776. InterlockedExchangeAddSizeT (&Verifier->PagedBytes, 0 - ChargedBytes);
  2777. InterlockedDecrement ((PLONG) &Verifier->CurrentPagedPoolAllocations);
  2779. //
  2780. // Decrement the systemwide counters.
  2781. //
  2783. InterlockedExchangeAddSizeT (&MmVerifierData.PagedBytes, 0 - ChargedBytes);
  2784. InterlockedDecrement ((PLONG) &MmVerifierData.CurrentPagedPoolAllocations);
  2785. }
  2786. else {
  2788. //
  2789. // Decrement this driver's counters.
  2790. //
  2792. InterlockedExchangeAddSizeT (&Verifier->NonPagedBytes, 0 - ChargedBytes);
  2793. InterlockedDecrement ((PLONG) &Verifier->CurrentNonPagedPoolAllocations);
  2795. //
  2796. // Decrement the systemwide counters.
  2797. //
  2799. InterlockedExchangeAddSizeT (&MmVerifierData.NonPagedBytes, 0 - ChargedBytes);
  2800. InterlockedDecrement ((PLONG) &MmVerifierData.CurrentNonPagedPoolAllocations);
  2801. }
  2802. }
  2804. VOID
  2805. VerifierFreeTrackedPool (
  2806. IN PVOID VirtualAddress,
  2807. IN SIZE_T ChargedBytes,
  2808. IN LOGICAL CheckType,
  2809. IN LOGICAL SpecialPool
  2810. )
  2812. /*++
  2814. Routine Description:
  2816. Called directly from the pool manager or the memory manager for verifier-
  2817. tracked allocations. The call to ExFreePool is already in progress.
  2819. Arguments:
  2821. VirtualAddress - Supplies the virtual address being freed.
  2823. ChargedBytes - Supplies the number of bytes charged to this allocation.
  2825. CheckType - Supplies PagedPool or NonPagedPool.
  2827. SpecialPool - Supplies TRUE if the allocation is from special pool.
  2829. Return Value:
  2831. None.
  2833. Environment:
  2835. Kernel mode, no locks or mutexes held on entry.
  2837. --*/
  2839. {
  2840. if (VerifierIsTrackingPool == FALSE) {
  2842. //
  2843. // The verifier is not enabled so the only way this routine is being
  2844. // called is because the pool header is mangled or the caller specified
  2845. // a bad address. Either way it's a bugcheck.
  2846. //
  2848. KeBugCheckEx (BAD_POOL_CALLER,
  2849. 0x99,
  2850. (ULONG_PTR)VirtualAddress,
  2851. 0,
  2852. 0);
  2853. }
  2855. ViFreeTrackedPool (VirtualAddress, ChargedBytes, CheckType, SpecialPool);
  2856. }
  2858. THUNKED_API
  2859. VOID
  2860. VerifierFreePool(
  2861. IN PVOID P
  2862. )
  2863. {
  2864. if (KernelVerifier == TRUE) {
  2865. ExFreePool (P);
  2866. return;
  2867. }
  2869. VerifierFreePoolWithTag (P, 0);
  2870. }
  2872. THUNKED_API
  2873. VOID
  2874. VerifierFreePoolWithTag(
  2875. IN PVOID P,
  2876. IN ULONG TagToFree
  2877. )
  2878. {
  2879. if (KernelVerifier == TRUE) {
  2880. ExFreePoolWithTag (P, TagToFree);
  2881. return;
  2882. }
  2884. ExFreePoolSanityChecks (P);
  2886. ExFreePoolWithTag (P, TagToFree);
  2887. }
  2889. THUNKED_API
  2890. LONG
  2891. VerifierSetEvent (
  2892. IN PRKEVENT Event,
  2893. IN KPRIORITY Increment,
  2894. IN BOOLEAN Wait
  2895. )
  2896. {
  2897. KIRQL CurrentIrql;
  2899. CurrentIrql = KeGetCurrentIrql();
  2900. if (CurrentIrql > DISPATCH_LEVEL) {
  2901. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2902. 0x80,
  2903. CurrentIrql,
  2904. (ULONG_PTR)Event,
  2905. (ULONG_PTR)0);
  2906. }
  2908. return KeSetEvent (Event, Increment, Wait);
  2909. }
  2911. THUNKED_API
  2912. BOOLEAN
  2913. VerifierExAcquireResourceExclusiveLite(
  2914. IN PERESOURCE Resource,
  2915. IN BOOLEAN Wait
  2916. )
  2917. {
  2918. KIRQL CurrentIrql;
  2920. //
  2921. // Check alignment of the Resource. It MUST be aligned because
  2922. // it contains a queued lock and the lower two bits of the address
  2923. // of the lock are used for status information.
  2924. //
  2926. if ((((ULONG_PTR)Resource) & (sizeof(ULONG_PTR) - 1)) != 0) {
  2927. KeBugCheckEx(DRIVER_VERIFIER_DETECTED_VIOLATION,
  2928. 0x3D,
  2929. 0,
  2930. 0,
  2931. (ULONG_PTR)Resource);
  2932. }
  2934. CurrentIrql = KeGetCurrentIrql ();
  2936. if ((CurrentIrql != APC_LEVEL) &&
  2937. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  2938. (KeGetCurrentThread()->CombinedApcDisable == 0)) {
  2940. if ((CurrentIrql == DISPATCH_LEVEL) && (Wait == FALSE)) {
  2941. NOTHING;
  2942. }
  2943. else {
  2944. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2945. 0x37,
  2946. CurrentIrql,
  2947. (ULONG_PTR)(KeGetCurrentThread()->CombinedApcDisable),
  2948. (ULONG_PTR)Resource);
  2949. }
  2950. }
  2952. return ExAcquireResourceExclusiveLite (Resource, Wait);
  2953. }
  2955. THUNKED_API
  2956. VOID
  2957. FASTCALL
  2958. VerifierExReleaseResourceLite(
  2959. IN PERESOURCE Resource
  2960. )
  2961. {
  2962. KIRQL CurrentIrql;
  2964. CurrentIrql = KeGetCurrentIrql ();
  2966. if ((CurrentIrql != APC_LEVEL) &&
  2967. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  2968. (KeGetCurrentThread()->CombinedApcDisable == 0)) {
  2970. if (CurrentIrql != DISPATCH_LEVEL) {
  2971. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2972. 0x38,
  2973. CurrentIrql,
  2974. (ULONG_PTR)(KeGetCurrentThread()->CombinedApcDisable),
  2975. (ULONG_PTR)Resource);
  2976. }
  2977. }
  2979. ExReleaseResourceLite (Resource);
  2980. }
  2982. int VerifierIrqlData[0x10];
  2984. VOID
  2985. KfSanityCheckRaiseIrql (
  2986. IN KIRQL NewIrql
  2987. )
  2988. {
  2989. KIRQL CurrentIrql;
  2991. //
  2992. // Check for the caller inadvertently lowering.
  2993. //
  2995. CurrentIrql = KeGetCurrentIrql ();
  2997. if (CurrentIrql == NewIrql) {
  2998. VerifierIrqlData[0] += 1;
  2999. if (CurrentIrql == APC_LEVEL) {
  3000. VerifierIrqlData[1] += 1;
  3001. }
  3002. else if (CurrentIrql == DISPATCH_LEVEL) {
  3003. VerifierIrqlData[2] += 1;
  3004. }
  3005. else {
  3006. VerifierIrqlData[3] += 1;
  3007. }
  3008. }
  3009. else {
  3010. VerifierIrqlData[4] += 1;
  3011. }
  3013. if (CurrentIrql > NewIrql) {
  3014. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3015. 0x30,
  3016. CurrentIrql,
  3017. NewIrql,
  3018. 0);
  3019. }
  3021. //
  3022. // Check for the caller using an uninitialized variable.
  3023. //
  3025. if (NewIrql > HIGH_LEVEL) {
  3026. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3027. 0x30,
  3028. CurrentIrql,
  3029. NewIrql,
  3030. 0);
  3031. }
  3033. if (ViTrackIrqlQueue != NULL) {
  3034. ViTrackIrqlLog (CurrentIrql, NewIrql);
  3035. }
  3036. }
  3038. VOID
  3039. KfSanityCheckLowerIrql (
  3040. IN KIRQL NewIrql
  3041. )
  3042. {
  3043. KIRQL CurrentIrql;
  3044. BOOLEAN Enable;
  3046. //
  3047. // Check for the caller inadvertently lowering.
  3048. //
  3050. CurrentIrql = KeGetCurrentIrql ();
  3052. if (CurrentIrql == NewIrql) {
  3053. VerifierIrqlData[8] += 1;
  3054. if (CurrentIrql == APC_LEVEL) {
  3055. VerifierIrqlData[9] += 1;
  3056. }
  3057. else if (CurrentIrql == DISPATCH_LEVEL) {
  3058. VerifierIrqlData[10] += 1;
  3059. }
  3060. else {
  3061. VerifierIrqlData[11] += 1;
  3062. }
  3063. }
  3064. else {
  3065. VerifierIrqlData[12] += 1;
  3066. }
  3068. if (CurrentIrql < NewIrql) {
  3069. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3070. 0x31,
  3071. CurrentIrql,
  3072. NewIrql,
  3073. 0);
  3074. }
  3076. //
  3077. // Check if we are lowering IRQL in a DPC routine.
  3078. // This is illegal as we might context swap.
  3079. //
  3081. if (CurrentIrql >= DISPATCH_LEVEL &&
  3082. NewIrql < DISPATCH_LEVEL &&
  3083. KeGetCurrentPrcb()->DpcRoutineActive) {
  3085. //
  3086. // Don't bugcheck if interrupts are disabled as this would be legal.
  3087. // This might miss some real bugs but it's going to be rare.
  3088. //
  3090. Enable = KeDisableInterrupts ();
  3091. KeEnableInterrupts (Enable);
  3093. if (Enable != 0) {
  3095. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3096. 0x31,
  3097. CurrentIrql,
  3098. NewIrql,
  3099. 1);
  3100. }
  3101. }
  3103. //
  3104. // Check for the caller using an uninitialized variable.
  3105. //
  3107. if (NewIrql > HIGH_LEVEL) {
  3108. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3109. 0x31,
  3110. CurrentIrql,
  3111. NewIrql,
  3112. 0);
  3113. }
  3115. if (ViTrackIrqlQueue != NULL) {
  3116. ViTrackIrqlLog (CurrentIrql, NewIrql);
  3117. }
  3118. }
  3120. #define VI_TRIM_KERNEL 0x00000001
  3121. #define VI_TRIM_USER 0x00000002
  3122. #define VI_TRIM_SESSION 0x00000004
  3123. #define VI_TRIM_PURGE 0x80000000
  3125. ULONG ViTrimSpaces = VI_TRIM_KERNEL;
  3127. VOID
  3128. ViTrimAllSystemPagableMemory (
  3129. ULONG TrimType
  3130. )
  3131. {
  3132. LOGICAL PurgeTransition;
  3133. LARGE_INTEGER CurrentTime;
  3134. LOGICAL PageOut;
  3136. PageOut = TRUE;
  3137. if (KernelVerifier == TRUE) {
  3138. KeQueryTickCount (&CurrentTime);
  3139. if ((CurrentTime.LowPart & KernelVerifierTickPage) != 0) {
  3140. PageOut = FALSE;
  3141. }
  3142. }
  3144. if ((PageOut == TRUE) && (MiNoPageOnRaiseIrql == 0)) {
  3145. MmVerifierData.TrimRequests += 1;
  3147. if (TrimType == 0) {
  3148. TrimType = ViTrimSpaces;
  3149. }
  3151. if (TrimType & VI_TRIM_PURGE) {
  3152. PurgeTransition = TRUE;
  3153. }
  3154. else {
  3155. PurgeTransition = FALSE;
  3156. }
  3158. if (TrimType & VI_TRIM_KERNEL) {
  3159. if (MiTrimAllSystemPagableMemory (MI_SYSTEM_GLOBAL,
  3160. PurgeTransition) == TRUE) {
  3161. MmVerifierData.Trims += 1;
  3162. }
  3163. }
  3165. if (TrimType & VI_TRIM_USER) {
  3166. if (MiTrimAllSystemPagableMemory (MI_USER_LOCAL,
  3167. PurgeTransition) == TRUE) {
  3168. MmVerifierData.UserTrims += 1;
  3169. }
  3170. }
  3172. if (TrimType & VI_TRIM_SESSION) {
  3173. if (MiTrimAllSystemPagableMemory (MI_SESSION_LOCAL,
  3174. PurgeTransition) == TRUE) {
  3175. MmVerifierData.SessionTrims += 1;
  3176. }
  3177. }
  3178. }
  3179. }
  3181. typedef
  3182. VOID
  3183. (*PKE_ACQUIRE_SPINLOCK) (
  3184. IN PKSPIN_LOCK SpinLock,
  3185. OUT PKIRQL OldIrql
  3186. );
  3188. THUNKED_API
  3189. VOID
  3190. VerifierKeAcquireSpinLock (
  3191. IN PKSPIN_LOCK SpinLock,
  3192. OUT PKIRQL OldIrql
  3193. )
  3194. {
  3195. KIRQL CurrentIrql;
  3197. #if defined (_X86_)
  3198. PKE_ACQUIRE_SPINLOCK HalRoutine;
  3199. #endif
  3201. CurrentIrql = KeGetCurrentIrql ();
  3203. KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
  3205. MmVerifierData.AcquireSpinLocks += 1;
  3207. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3208. if (CurrentIrql < DISPATCH_LEVEL) {
  3209. ViTrimAllSystemPagableMemory (0);
  3210. }
  3211. }
  3213. #if defined (_X86_)
  3214. HalRoutine = (PKE_ACQUIRE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_ACQUIRE_SPINLOCK];
  3216. if (HalRoutine) {
  3217. (*HalRoutine)(SpinLock, OldIrql);
  3219. VfDeadlockAcquireResource (SpinLock,
  3220. VfDeadlockSpinLock,
  3221. KeGetCurrentThread(),
  3222. FALSE,
  3223. _ReturnAddress());
  3224. return;
  3225. }
  3226. #endif
  3228. KeAcquireSpinLock (SpinLock, OldIrql);
  3230. VfDeadlockAcquireResource (SpinLock,
  3231. VfDeadlockSpinLock,
  3232. KeGetCurrentThread(),
  3233. FALSE,
  3234. _ReturnAddress());
  3235. }
  3237. typedef
  3238. VOID
  3239. (*PKE_RELEASE_SPINLOCK) (
  3240. IN PKSPIN_LOCK SpinLock,
  3241. IN KIRQL NewIrql
  3242. );
  3244. THUNKED_API
  3245. VOID
  3246. VerifierKeReleaseSpinLock (
  3247. IN PKSPIN_LOCK SpinLock,
  3248. IN KIRQL NewIrql
  3249. )
  3250. {
  3251. KIRQL CurrentIrql;
  3252. #if defined (_X86_)
  3253. PKE_RELEASE_SPINLOCK HalRoutine;
  3254. #endif
  3256. CurrentIrql = KeGetCurrentIrql ();
  3258. //
  3259. // Caller better still be at DISPATCH_LEVEL when releasing the spinlock
  3260. //
  3262. if (CurrentIrql < DISPATCH_LEVEL) {
  3263. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3264. 0x32,
  3265. CurrentIrql,
  3266. (ULONG_PTR)SpinLock,
  3267. 0);
  3268. }
  3270. KfSanityCheckLowerIrql (NewIrql);
  3272. #if defined (_X86_)
  3273. HalRoutine = (PKE_RELEASE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RELEASE_SPINLOCK];
  3275. if (HalRoutine) {
  3276. VfDeadlockReleaseResource(SpinLock,
  3277. VfDeadlockSpinLock,
  3278. KeGetCurrentThread(),
  3279. _ReturnAddress());
  3280. (*HalRoutine)(SpinLock, NewIrql);
  3282. return;
  3283. }
  3284. #endif
  3286. VfDeadlockReleaseResource(SpinLock,
  3287. VfDeadlockSpinLock,
  3288. KeGetCurrentThread(),
  3289. _ReturnAddress());
  3291. KeReleaseSpinLock (SpinLock, NewIrql);
  3292. }
  3294. //
  3295. // Verifier thunks for AcquireSpinLockAtDpcLevel and ReleaseSpinLockFromDpcLevel.
  3296. //
  3297. // On x86 the functions exported by the kernel that are used by the driver are:
  3298. // KefAcquire.../KefRelease.... On other platforms the functions used by drivers
  3299. // are KeAcquire.../KeRelease. Among other differences the x86 versions use the
  3300. // fastcall convention which requires additional precaution.
  3301. //
  3303. THUNKED_API
  3304. VOID
  3305. #if defined(_X86_)
  3306. FASTCALL
  3307. #endif
  3308. VerifierKeAcquireSpinLockAtDpcLevel (
  3309. IN PKSPIN_LOCK SpinLock
  3310. )
  3311. {
  3312. KIRQL CurrentIrql;
  3314. CurrentIrql = KeGetCurrentIrql ();
  3316. //
  3317. // Caller better be at or above DISPATCH_LEVEL.
  3318. //
  3320. if (CurrentIrql < DISPATCH_LEVEL) {
  3321. #if defined(_AMD64_)
  3322. if (GetCallersEflags () & EFLAGS_IF_MASK)
  3323. #endif
  3324. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3325. 0x40,
  3326. CurrentIrql,
  3327. (ULONG_PTR)SpinLock,
  3328. 0);
  3329. }
  3331. MmVerifierData.AcquireSpinLocks += 1;
  3333. KeAcquireSpinLockAtDpcLevel (SpinLock);
  3335. VfDeadlockAcquireResource(SpinLock,
  3336. VfDeadlockSpinLock,
  3337. KeGetCurrentThread(),
  3338. FALSE,
  3339. _ReturnAddress());
  3340. }
  3342. THUNKED_API
  3343. VOID
  3344. #if defined(_X86_)
  3345. FASTCALL
  3346. #endif
  3347. VerifierKeReleaseSpinLockFromDpcLevel (
  3348. IN PKSPIN_LOCK SpinLock
  3349. )
  3350. {
  3351. KIRQL CurrentIrql;
  3353. CurrentIrql = KeGetCurrentIrql ();
  3355. //
  3356. // Caller better be at or above DISPATCH_LEVEL.
  3357. //
  3359. if (CurrentIrql < DISPATCH_LEVEL) {
  3360. #if defined(_AMD64_)
  3361. if (GetCallersEflags () & EFLAGS_IF_MASK)
  3362. #endif
  3363. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3364. 0x41,
  3365. CurrentIrql,
  3366. (ULONG_PTR)SpinLock,
  3367. 0);
  3368. }
  3370. VfDeadlockReleaseResource(SpinLock,
  3371. VfDeadlockSpinLock,
  3372. KeGetCurrentThread(),
  3373. _ReturnAddress());
  3375. KeReleaseSpinLockFromDpcLevel (SpinLock);
  3376. }
  3378. #if !defined(_X86_)
  3380. THUNKED_API
  3381. KIRQL
  3382. VerifierKeAcquireSpinLockRaiseToDpc (
  3383. IN PKSPIN_LOCK SpinLock
  3384. )
  3385. {
  3386. KIRQL NewIrql = KeAcquireSpinLockRaiseToDpc (SpinLock);
  3388. VfDeadlockAcquireResource (SpinLock,
  3389. VfDeadlockSpinLock,
  3390. KeGetCurrentThread(),
  3391. FALSE,
  3392. _ReturnAddress());
  3394. return NewIrql;
  3395. }
  3398. #endif
  3403. #if defined (_X86_)
  3405. typedef
  3406. KIRQL
  3407. (FASTCALL *PKF_ACQUIRE_SPINLOCK) (
  3408. IN PKSPIN_LOCK SpinLock
  3409. );
  3411. THUNKED_API
  3412. KIRQL
  3413. FASTCALL
  3414. VerifierKfAcquireSpinLock (
  3415. IN PKSPIN_LOCK SpinLock
  3416. )
  3417. {
  3418. KIRQL CurrentIrql;
  3419. PKF_ACQUIRE_SPINLOCK HalRoutine;
  3421. CurrentIrql = KeGetCurrentIrql ();
  3423. KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
  3425. MmVerifierData.AcquireSpinLocks += 1;
  3427. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3428. if (CurrentIrql < DISPATCH_LEVEL) {
  3429. ViTrimAllSystemPagableMemory (0);
  3430. }
  3431. }
  3433. #if defined (_X86_)
  3434. HalRoutine = (PKF_ACQUIRE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_ACQUIRE_SPINLOCK];
  3436. if (HalRoutine) {
  3437. CurrentIrql = (*HalRoutine)(SpinLock);
  3439. VfDeadlockAcquireResource (SpinLock,
  3440. VfDeadlockSpinLock,
  3441. KeGetCurrentThread(),
  3442. FALSE,
  3443. _ReturnAddress());
  3445. return CurrentIrql;
  3446. }
  3447. #endif
  3449. CurrentIrql = KfAcquireSpinLock (SpinLock);
  3451. VfDeadlockAcquireResource (SpinLock,
  3452. VfDeadlockSpinLock,
  3453. KeGetCurrentThread(),
  3454. FALSE,
  3455. _ReturnAddress());
  3457. return CurrentIrql;
  3458. }
  3460. typedef
  3461. VOID
  3462. (FASTCALL *PKF_RELEASE_SPINLOCK) (
  3463. IN PKSPIN_LOCK SpinLock,
  3464. IN KIRQL NewIrql
  3465. );
  3467. THUNKED_API
  3468. VOID
  3469. FASTCALL
  3470. VerifierKfReleaseSpinLock (
  3471. IN PKSPIN_LOCK SpinLock,
  3472. IN KIRQL NewIrql
  3473. )
  3474. {
  3475. KIRQL CurrentIrql;
  3476. PKF_RELEASE_SPINLOCK HalRoutine;
  3478. CurrentIrql = KeGetCurrentIrql ();
  3480. //
  3481. // Caller better still be at DISPATCH_LEVEL when releasing the spinlock.
  3482. //
  3484. if (CurrentIrql < DISPATCH_LEVEL) {
  3485. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3486. 0x35,
  3487. CurrentIrql,
  3488. (ULONG_PTR)SpinLock,
  3489. NewIrql);
  3490. }
  3492. KfSanityCheckLowerIrql (NewIrql);
  3494. #if defined (_X86_)
  3495. HalRoutine = (PKF_RELEASE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_RELEASE_SPINLOCK];
  3497. if (HalRoutine) {
  3498. VfDeadlockReleaseResource(SpinLock,
  3499. VfDeadlockSpinLock,
  3500. KeGetCurrentThread(),
  3501. _ReturnAddress());
  3503. (*HalRoutine)(SpinLock, NewIrql);
  3504. return;
  3505. }
  3506. #endif
  3508. VfDeadlockReleaseResource(SpinLock,
  3509. VfDeadlockSpinLock,
  3510. KeGetCurrentThread(),
  3511. _ReturnAddress());
  3513. KfReleaseSpinLock (SpinLock, NewIrql);
  3514. }
  3517. #if !defined(NT_UP)
  3519. typedef
  3520. KIRQL
  3521. (FASTCALL *PKE_ACQUIRE_QUEUED_SPINLOCK) (
  3522. IN KSPIN_LOCK_QUEUE_NUMBER Number
  3523. );
  3525. THUNKED_API
  3526. KIRQL
  3527. FASTCALL
  3528. VerifierKeAcquireQueuedSpinLock (
  3529. IN KSPIN_LOCK_QUEUE_NUMBER Number
  3530. )
  3531. {
  3532. KIRQL CurrentIrql;
  3533. PKE_ACQUIRE_QUEUED_SPINLOCK HalRoutine;
  3535. CurrentIrql = KeGetCurrentIrql ();
  3537. KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
  3539. MmVerifierData.AcquireSpinLocks += 1;
  3541. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3542. if (CurrentIrql < DISPATCH_LEVEL) {
  3543. ViTrimAllSystemPagableMemory (0);
  3544. }
  3545. }
  3547. #if defined (_X86_)
  3548. HalRoutine = (PKE_ACQUIRE_QUEUED_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_ACQUIRE_QUEUED_SPINLOCK];
  3550. if (HalRoutine) {
  3551. return (*HalRoutine)(Number);
  3552. }
  3553. #endif
  3556. CurrentIrql = KeAcquireQueuedSpinLock (Number);
  3558. return CurrentIrql;
  3559. }
  3561. typedef
  3562. VOID
  3563. (FASTCALL *PKE_RELEASE_QUEUED_SPINLOCK) (
  3564. IN KSPIN_LOCK_QUEUE_NUMBER Number,
  3565. IN KIRQL OldIrql
  3566. );
  3568. THUNKED_API
  3569. VOID
  3570. FASTCALL
  3571. VerifierKeReleaseQueuedSpinLock (
  3572. IN KSPIN_LOCK_QUEUE_NUMBER Number,
  3573. IN KIRQL OldIrql
  3574. )
  3575. {
  3576. KIRQL CurrentIrql;
  3577. PKE_RELEASE_QUEUED_SPINLOCK HalRoutine;
  3579. CurrentIrql = KeGetCurrentIrql ();
  3581. if (KernelVerifier == TRUE) {
  3582. if (CurrentIrql < DISPATCH_LEVEL) {
  3583. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3584. 0x36,
  3585. CurrentIrql,
  3586. (ULONG_PTR)Number,
  3587. (ULONG_PTR)OldIrql);
  3588. }
  3589. }
  3591. KfSanityCheckLowerIrql (OldIrql);
  3593. #if defined (_X86_)
  3594. HalRoutine = (PKE_RELEASE_QUEUED_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RELEASE_QUEUED_SPINLOCK];
  3596. if (HalRoutine) {
  3597. (*HalRoutine)(Number, OldIrql);
  3598. return;
  3599. }
  3600. #endif
  3602. KeReleaseQueuedSpinLock (Number, OldIrql);
  3603. }
  3604. #endif // NT_UP
  3606. #endif // _X86_
  3608. #if defined(_X86_) || defined(_AMD64_)
  3610. typedef
  3611. KIRQL
  3612. (FASTCALL *PKF_RAISE_IRQL) (
  3613. IN KIRQL NewIrql
  3614. );
  3616. THUNKED_API
  3617. KIRQL
  3618. FASTCALL
  3619. VerifierKfRaiseIrql (
  3620. IN KIRQL NewIrql
  3621. )
  3622. {
  3623. #if defined (_X86_)
  3624. PKF_RAISE_IRQL HalRoutine;
  3625. #endif
  3626. KIRQL CurrentIrql;
  3628. CurrentIrql = KeGetCurrentIrql ();
  3630. KfSanityCheckRaiseIrql (NewIrql);
  3632. MmVerifierData.RaiseIrqls += 1;
  3634. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3635. if ((CurrentIrql < DISPATCH_LEVEL) && (NewIrql >= DISPATCH_LEVEL)) {
  3636. ViTrimAllSystemPagableMemory (0);
  3637. }
  3638. }
  3640. #if defined (_X86_)
  3641. HalRoutine = (PKF_RAISE_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_RAISE_IRQL];
  3642. if (HalRoutine) {
  3643. return (*HalRoutine)(NewIrql);
  3644. }
  3645. #endif
  3647. return KfRaiseIrql (NewIrql);
  3648. }
  3650. typedef
  3651. KIRQL
  3652. (FASTCALL *PKE_RAISE_IRQL_TO_DPC_LEVEL) (
  3653. VOID
  3654. );
  3656. THUNKED_API
  3657. KIRQL
  3658. VerifierKeRaiseIrqlToDpcLevel (
  3659. VOID
  3660. )
  3661. {
  3662. #if defined (_X86_)
  3663. PKE_RAISE_IRQL_TO_DPC_LEVEL HalRoutine;
  3664. #endif
  3665. KIRQL CurrentIrql;
  3667. CurrentIrql = KeGetCurrentIrql ();
  3669. KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
  3671. MmVerifierData.RaiseIrqls += 1;
  3673. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3674. if (CurrentIrql < DISPATCH_LEVEL) {
  3675. ViTrimAllSystemPagableMemory (0);
  3676. }
  3677. }
  3679. #if defined (_X86_)
  3680. HalRoutine = (PKE_RAISE_IRQL_TO_DPC_LEVEL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RAISE_IRQL_TO_DPC_LEVEL];
  3681. if (HalRoutine) {
  3682. return (*HalRoutine)();
  3683. }
  3684. #endif
  3686. return KeRaiseIrqlToDpcLevel ();
  3687. }
  3689. #endif // _X86_ || _AMD64_
  3691. #if defined(_X86_)
  3693. typedef
  3694. VOID
  3695. (FASTCALL *PKF_LOWER_IRQL) (
  3696. IN KIRQL NewIrql
  3697. );
  3699. THUNKED_API
  3700. VOID
  3701. FASTCALL
  3702. VerifierKfLowerIrql (
  3703. IN KIRQL NewIrql
  3704. )
  3705. {
  3706. PKF_LOWER_IRQL HalRoutine;
  3708. KfSanityCheckLowerIrql (NewIrql);
  3710. #if defined (_X86_)
  3711. HalRoutine = (PKF_LOWER_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_LOWER_IRQL];
  3712. if (HalRoutine) {
  3713. (*HalRoutine)(NewIrql);
  3714. return;
  3715. }
  3716. #endif
  3718. KfLowerIrql (NewIrql);
  3719. }
  3721. #endif
  3723. THUNKED_API
  3724. BOOLEAN
  3725. FASTCALL
  3726. VerifierExTryToAcquireFastMutex (
  3727. IN PFAST_MUTEX FastMutex
  3728. )
  3729. {
  3730. KIRQL CurrentIrql;
  3731. BOOLEAN Acquired;
  3733. CurrentIrql = KeGetCurrentIrql ();
  3735. //
  3736. // Caller better be at or below APC_LEVEL or have APCs blocked.
  3737. //
  3739. if (CurrentIrql > APC_LEVEL) {
  3740. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3741. 0x33,
  3742. CurrentIrql,
  3743. (ULONG_PTR)FastMutex,
  3744. 0);
  3745. }
  3747. Acquired = ExTryToAcquireFastMutex (FastMutex);
  3748. if (Acquired != FALSE) {
  3749. VfDeadlockAcquireResource (FastMutex,
  3750. VfDeadlockFastMutex,
  3751. KeGetCurrentThread(),
  3752. TRUE,
  3753. _ReturnAddress());
  3754. }
  3756. return Acquired;
  3758. }
  3760. typedef
  3761. VOID
  3762. (FASTCALL *PEX_ACQUIRE_FAST_MUTEX) (
  3763. IN PFAST_MUTEX FastMutex
  3764. );
  3766. THUNKED_API
  3767. VOID
  3768. FASTCALL
  3769. VerifierExAcquireFastMutex (
  3770. IN PFAST_MUTEX FastMutex
  3771. )
  3772. {
  3773. KIRQL CurrentIrql;
  3774. #if defined (_X86_)
  3775. PEX_ACQUIRE_FAST_MUTEX HalRoutine;
  3776. #endif
  3778. CurrentIrql = KeGetCurrentIrql ();
  3780. //
  3781. // Caller better be at or below APC_LEVEL or have APCs blocked.
  3782. //
  3784. if (CurrentIrql > APC_LEVEL) {
  3785. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3786. 0x33,
  3787. CurrentIrql,
  3788. (ULONG_PTR)FastMutex,
  3789. 0);
  3790. }
  3792. #if 0
  3794. //
  3795. // If the kernel verifier is active, then page relevant address spaces
  3796. // out when the system or session space working set mutex is acquired.
  3797. // Note this must be done regardless of the entry IRQL level because
  3798. // callers may have raised to APC_LEVEL and subsequently acquire the mutex.
  3799. //
  3801. //
  3802. // Commented all this out when the working mutex was converted from a
  3803. // fast mutex to a guarded mutex as there are no longer calls to thunk.
  3804. //
  3806. if ((KernelVerifier == TRUE) &&
  3807. (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING)) {
  3809. if (FastMutex == &MmSystemWsLock) {
  3810. ViTrimAllSystemPagableMemory (VI_TRIM_KERNEL);
  3811. }
  3812. else if (PsGetCurrentProcess()->Vm.Flags.SessionLeader == 0) {
  3813. if (MiIsAddressValid (MmSessionSpace, FALSE)) {
  3815. if (FastMutex == &MmSessionSpace->GlobalVirtualAddress->WsLock) {
  3816. ViTrimAllSystemPagableMemory (VI_TRIM_SESSION);
  3817. }
  3818. }
  3819. }
  3820. }
  3822. #endif
  3824. #if defined (_X86_)
  3825. HalRoutine = (PEX_ACQUIRE_FAST_MUTEX) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_EX_ACQUIRE_FAST_MUTEX];
  3826. if (HalRoutine) {
  3827. (*HalRoutine)(FastMutex);
  3828. }
  3829. else
  3830. #endif
  3832. ExAcquireFastMutex (FastMutex);
  3834. VfDeadlockAcquireResource (FastMutex,
  3835. VfDeadlockFastMutex,
  3836. KeGetCurrentThread(),
  3837. FALSE,
  3838. _ReturnAddress());
  3839. }
  3841. THUNKED_API
  3842. VOID
  3843. FASTCALL
  3844. VerifierExAcquireFastMutexUnsafe (
  3845. IN PFAST_MUTEX FastMutex
  3846. )
  3847. {
  3848. KIRQL CurrentIrql;
  3850. CurrentIrql = KeGetCurrentIrql ();
  3852. //
  3853. // Caller better be at APC_LEVEL or have APCs blocked.
  3854. //
  3856. if ((CurrentIrql != APC_LEVEL) &&
  3857. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  3858. (KeGetCurrentThread()->CombinedApcDisable == 0)) {
  3860. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3861. 0x39,
  3862. CurrentIrql,
  3863. (ULONG_PTR)(KeGetCurrentThread()->CombinedApcDisable),
  3864. (ULONG_PTR)FastMutex);
  3865. }
  3867. ExAcquireFastMutexUnsafe (FastMutex);
  3869. VfDeadlockAcquireResource(FastMutex,
  3870. VfDeadlockFastMutexUnsafe,
  3871. KeGetCurrentThread(),
  3872. FALSE,
  3873. _ReturnAddress());
  3874. }
  3876. THUNKED_API
  3877. VOID
  3878. FASTCALL
  3879. VerifierExReleaseFastMutex (
  3880. IN PFAST_MUTEX FastMutex
  3881. )
  3882. {
  3883. KIRQL CurrentIrql;
  3885. CurrentIrql = KeGetCurrentIrql ();
  3887. //
  3888. // Caller better be at APC_LEVEL or have APCs blocked.
  3889. //
  3891. if ((CurrentIrql != APC_LEVEL) &&
  3892. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  3893. (KeGetCurrentThread()->CombinedApcDisable == 0)) {
  3895. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3896. 0x34,
  3897. CurrentIrql,
  3898. (ULONG_PTR)(KeGetCurrentThread()->CombinedApcDisable),
  3899. (ULONG_PTR)FastMutex);
  3900. }
  3902. VfDeadlockReleaseResource(FastMutex,
  3903. VfDeadlockFastMutex,
  3904. KeGetCurrentThread(),
  3905. _ReturnAddress());
  3906. ExReleaseFastMutex (FastMutex);
  3907. }
  3909. THUNKED_API
  3910. VOID
  3911. FASTCALL
  3912. VerifierExReleaseFastMutexUnsafe (
  3913. IN PFAST_MUTEX FastMutex
  3914. )
  3915. {
  3916. KIRQL CurrentIrql;
  3918. CurrentIrql = KeGetCurrentIrql ();
  3920. //
  3921. // Caller better be at APC_LEVEL or have APCs blocked.
  3922. //
  3924. if ((CurrentIrql != APC_LEVEL) &&
  3925. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  3926. (KeGetCurrentThread()->CombinedApcDisable == 0)) {
  3928. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3929. 0x3A,
  3930. CurrentIrql,
  3931. (ULONG_PTR)(KeGetCurrentThread()->CombinedApcDisable),
  3932. (ULONG_PTR)FastMutex);
  3933. }
  3935. VfDeadlockReleaseResource(FastMutex,
  3936. VfDeadlockFastMutexUnsafe,
  3937. KeGetCurrentThread(),
  3938. _ReturnAddress());
  3939. ExReleaseFastMutexUnsafe (FastMutex);
  3941. }
  3943. typedef
  3944. VOID
  3945. (*PKE_RAISE_IRQL) (
  3946. IN KIRQL NewIrql,
  3947. OUT PKIRQL OldIrql
  3948. );
  3950. THUNKED_API
  3951. VOID
  3952. VerifierKeRaiseIrql (
  3953. IN KIRQL NewIrql,
  3954. OUT PKIRQL OldIrql
  3955. )
  3956. {
  3957. #if defined (_X86_)
  3958. PKE_RAISE_IRQL HalRoutine;
  3959. #endif
  3961. *OldIrql = KeGetCurrentIrql ();
  3963. KfSanityCheckRaiseIrql (NewIrql);
  3965. MmVerifierData.RaiseIrqls += 1;
  3967. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3968. if ((*OldIrql < DISPATCH_LEVEL) && (NewIrql >= DISPATCH_LEVEL)) {
  3969. ViTrimAllSystemPagableMemory (0);
  3970. }
  3971. }
  3973. #if defined (_X86_)
  3974. HalRoutine = (PKE_RAISE_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RAISE_IRQL];
  3975. if (HalRoutine) {
  3976. (*HalRoutine)(NewIrql, OldIrql);
  3977. return;
  3978. }
  3979. #endif
  3981. KeRaiseIrql (NewIrql, OldIrql);
  3982. }
  3984. typedef
  3985. VOID
  3986. (*PKE_LOWER_IRQL) (
  3987. IN KIRQL NewIrql
  3988. );
  3990. THUNKED_API
  3991. VOID
  3992. VerifierKeLowerIrql (
  3993. IN KIRQL NewIrql
  3994. )
  3995. {
  3996. #if defined (_X86_)
  3997. PKE_LOWER_IRQL HalRoutine;
  3998. #endif
  4000. KfSanityCheckLowerIrql (NewIrql);
  4002. #if defined (_X86_)
  4003. HalRoutine = (PKE_LOWER_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_LOWER_IRQL];
  4004. if (HalRoutine) {
  4005. (*HalRoutine)(NewIrql);
  4006. return;
  4007. }
  4008. #endif
  4010. KeLowerIrql (NewIrql);
  4011. }
  4013. THUNKED_API
  4014. BOOLEAN
  4015. VerifierSynchronizeExecution (
  4016. IN PKINTERRUPT Interrupt,
  4017. IN PKSYNCHRONIZE_ROUTINE SynchronizeRoutine,
  4018. IN PVOID SynchronizeContext
  4019. )
  4020. {
  4021. KIRQL OldIrql;
  4023. OldIrql = KeGetCurrentIrql ();
  4025. KfSanityCheckRaiseIrql (Interrupt->SynchronizeIrql);
  4027. MmVerifierData.SynchronizeExecutions += 1;
  4029. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  4030. if ((OldIrql < DISPATCH_LEVEL) && (Interrupt->SynchronizeIrql >= DISPATCH_LEVEL)) {
  4031. ViTrimAllSystemPagableMemory (0);
  4032. }
  4033. }
  4035. return KeSynchronizeExecution (Interrupt,
  4036. SynchronizeRoutine,
  4037. SynchronizeContext);
  4038. }
  4040. THUNKED_API
  4041. VOID
  4042. VerifierKeInitializeTimerEx (
  4043. IN PKTIMER Timer,
  4044. IN TIMER_TYPE Type
  4045. )
  4046. {
  4047. //
  4048. // Check the object being initialized isn't already an
  4049. // active timer. Make sure the timer table list is initialized.
  4050. //
  4052. if (KiTimerTableListHead[0].Flink != NULL) {
  4053. KeCheckForTimer(Timer, sizeof(KTIMER));
  4054. }
  4056. KeInitializeTimerEx (Timer, Type);
  4057. }
  4059. THUNKED_API
  4060. VOID
  4061. VerifierKeInitializeTimer (
  4062. IN PKTIMER Timer
  4063. )
  4064. {
  4065. VerifierKeInitializeTimerEx (Timer, NotificationTimer);
  4066. }
  4069. THUNKED_API
  4070. NTSTATUS
  4071. VerifierKeWaitForSingleObject (
  4072. IN PVOID Object,
  4073. IN KWAIT_REASON WaitReason,
  4074. IN KPROCESSOR_MODE WaitMode,
  4075. IN BOOLEAN Alertable,
  4076. IN PLARGE_INTEGER Timeout OPTIONAL
  4077. )
  4078. {
  4079. KIRQL WaitIrql;
  4080. PRKTHREAD Thread;
  4081. NTSTATUS Status;
  4082. BOOLEAN TryAcquire;
  4084. //
  4085. // Get the IRQL we will return from this function at.
  4086. //
  4088. Thread = KeGetCurrentThread ();
  4090. if (Thread->WaitNext == TRUE) {
  4092. //
  4093. // The real IRQL is stored in the thread if WaitNext is TRUE.
  4094. //
  4096. WaitIrql = Thread->WaitIrql;
  4097. }
  4098. else {
  4099. WaitIrql = KeGetCurrentIrql();
  4100. }
  4102. //
  4103. // Returning to code running above DISPATCH_LEVEL is never legal. Probes
  4104. // with timeout == 0 can only be done at DISPATCH_LEVEL or lower.
  4105. //
  4106. // Blocking (ie causing a context switch) in KeWaitForSingleObject
  4107. // at DPC level is also illegal, as the caller may be holding a spinlock.
  4108. //
  4110. if ((WaitIrql > DISPATCH_LEVEL) ||
  4111. ((WaitIrql == DISPATCH_LEVEL) &&
  4112. (! (ARGUMENT_PRESENT(Timeout) && (Timeout->QuadPart == 0))))) {
  4114. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  4115. 0x3B,
  4116. (ULONG_PTR)WaitIrql,
  4117. (ULONG_PTR)Object,
  4118. (ULONG_PTR)Timeout);
  4119. }
  4121. Status = KeWaitForSingleObject (Object,
  4122. WaitReason,
  4123. WaitMode,
  4124. Alertable,
  4125. Timeout);
  4127. //
  4128. // If we waited for a mutant then inform the deadlock verifier.
  4129. //
  4131. if (((PRKMUTANT) Object)->Header.Type == MutantObject) {
  4133. //
  4134. // Both STATUS_SUCCESS and STATUS_ABANDONED are successful
  4135. // values and we need to track an acquire() operation.
  4136. //
  4138. if ((Status == STATUS_SUCCESS) || (Status == STATUS_ABANDONED)) {
  4140. //
  4141. // If a TimeOut is present then this is equivalent with a
  4142. // try-acquire call and it cannot be involved in a deadlock.
  4143. //
  4145. if (ARGUMENT_PRESENT (Timeout)) {
  4146. TryAcquire = TRUE;
  4147. }
  4148. else {
  4149. TryAcquire = FALSE;
  4150. }
  4152. VfDeadlockAcquireResource (Object,
  4153. VfDeadlockMutex,
  4154. Thread,
  4155. TryAcquire,
  4156. _ReturnAddress ());
  4157. }
  4158. }
  4160. return Status;
  4161. }
  4163. THUNKED_API
  4164. LONG
  4165. VerifierKeReleaseMutex (
  4166. IN PRKMUTEX Mutex,
  4167. IN BOOLEAN Wait
  4168. )
  4169. {
  4170. VfDeadlockReleaseResource (Mutex,
  4171. VfDeadlockMutex,
  4172. KeGetCurrentThread (),
  4173. _ReturnAddress ());
  4175. return KeReleaseMutex (Mutex, Wait);
  4176. }
  4178. THUNKED_API
  4179. VOID
  4180. VerifierKeInitializeMutex (
  4181. IN PRKMUTEX Mutex,
  4182. IN ULONG Level
  4183. )
  4184. {
  4185. KeInitializeMutex (Mutex,Level);
  4187. VfDeadlockInitializeResource (Mutex,
  4188. VfDeadlockMutex,
  4189. _ReturnAddress (),
  4190. FALSE);
  4191. }
  4193. THUNKED_API
  4194. LONG
  4195. VerifierKeReleaseMutant (
  4196. IN PRKMUTANT Mutant,
  4197. IN KPRIORITY Increment,
  4198. IN BOOLEAN Abandoned,
  4199. IN BOOLEAN Wait
  4200. )
  4201. {
  4202. VI_DEADLOCK_RESOURCE_TYPE MutexType;
  4204. if (Abandoned) {
  4205. MutexType = VfDeadlockMutexAbandoned;
  4206. }
  4207. else {
  4208. MutexType = VfDeadlockMutex;
  4209. }
  4211. VfDeadlockReleaseResource (Mutant,
  4212. MutexType,
  4213. KeGetCurrentThread (),
  4214. _ReturnAddress());
  4216. return KeReleaseMutant (Mutant, Increment, Abandoned, Wait);
  4217. }
  4219. THUNKED_API
  4220. VOID
  4221. VerifierKeInitializeMutant (
  4222. IN PRKMUTANT Mutant,
  4223. IN BOOLEAN InitialOwner
  4224. )
  4225. {
  4226. KeInitializeMutant (Mutant, InitialOwner);
  4228. VfDeadlockInitializeResource (Mutant,
  4229. VfDeadlockMutex,
  4230. _ReturnAddress (),
  4231. FALSE);
  4233. if (InitialOwner) {
  4235. VfDeadlockAcquireResource (Mutant,
  4236. VfDeadlockMutex,
  4237. KeGetCurrentThread (),
  4238. FALSE,
  4239. _ReturnAddress ());
  4240. }
  4241. }
  4243. THUNKED_API
  4244. VOID
  4245. VerifierKeInitializeSpinLock (
  4246. IN PKSPIN_LOCK SpinLock
  4247. )
  4248. {
  4249. KeInitializeSpinLock (SpinLock);
  4251. VfDeadlockInitializeResource (SpinLock,
  4252. VfDeadlockSpinLock,
  4253. _ReturnAddress (),
  4254. FALSE);
  4256. }
  4258. NTSTATUS
  4259. VerifierReferenceObjectByHandle (
  4260. IN HANDLE Handle,
  4261. IN ACCESS_MASK DesiredAccess,
  4262. IN POBJECT_TYPE ObjectType OPTIONAL,
  4263. IN KPROCESSOR_MODE AccessMode,
  4264. OUT PVOID *Object,
  4265. OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
  4266. )
  4267. {
  4268. NTSTATUS Status;
  4270. Status = ObReferenceObjectByHandle (Handle,
  4271. DesiredAccess,
  4272. ObjectType,
  4273. AccessMode,
  4274. Object,
  4275. HandleInformation);
  4277. if ((Status == STATUS_INVALID_HANDLE) ||
  4278. (Status == STATUS_OBJECT_TYPE_MISMATCH)) {
  4280. if ((AccessMode == KernelMode) ||
  4281. (PsIsSystemThread (PsGetCurrentThread ()))) {
  4283. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  4284. 0x3C,
  4285. (ULONG_PTR) Handle,
  4286. (ULONG_PTR) ObjectType,
  4287. (ULONG_PTR) 0);
  4288. }
  4289. }
  4290. return Status;
  4291. }
  4293. LONG_PTR
  4294. FASTCALL
  4295. VerifierReferenceObject (
  4296. IN PVOID Object
  4297. )
  4298. {
  4299. LONG_PTR RetVal;
  4301. RetVal = ObReferenceObject (Object);
  4303. //
  4304. // See if they passed in an object with a zero reference
  4305. //
  4307. if (RetVal == 1) {
  4308. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  4309. 0x3F,
  4310. (ULONG_PTR) Object,
  4311. (ULONG_PTR) RetVal,
  4312. (ULONG_PTR) 0);
  4313. }
  4315. return RetVal;
  4316. }
  4318. LONG_PTR
  4319. VerifierDereferenceObject (
  4320. IN PVOID Object
  4321. )
  4322. {
  4323. LONG_PTR RetVal;
  4325. RetVal = ObDereferenceObject (Object);
  4327. //
  4328. // See if they passed in an object with a zero reference
  4329. //
  4331. if (RetVal + 1 == 0) {
  4332. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  4333. 0x3F,
  4334. (ULONG_PTR) Object,
  4335. (ULONG_PTR) RetVal,
  4336. (ULONG_PTR) 0);
  4337. }
  4339. return RetVal;
  4340. }
  4342. VOID
  4343. VerifierLeaveCriticalRegion (
  4344. VOID
  4345. )
  4346. {
  4347. PKTHREAD CurrentThread;
  4349. CurrentThread = KeGetCurrentThread ();
  4351. if ((CurrentThread->KernelApcDisable > 0) || (CurrentThread->KernelApcDisable == 0x8000)) {
  4352. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  4353. 0x3E,
  4354. (ULONG_PTR) 0,
  4355. (ULONG_PTR) 0,
  4356. (ULONG_PTR) 0);
  4357. }
  4359. KeLeaveCriticalRegionThread (CurrentThread);
  4360. }
  4363. VOID
  4364. ViInitializeEntry (
  4365. IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
  4366. IN LOGICAL FirstLoad
  4367. )
  4369. /*++
  4371. Routine Description:
  4373. Initialize various verifier fields as the driver is being (re)loaded now.
  4375. Arguments:
  4377. Verifier - Supplies the verifier entry to be initialized.
  4379. FirstLoad - Supplies TRUE if this is the first load of this driver.
  4381. Return Value:
  4383. None.
  4385. --*/
  4387. {
  4388. KIRQL OldIrql;
  4390. //
  4391. // Only the BaseName field is initialized on entry.
  4392. //
  4394. Verifier->CurrentPagedPoolAllocations = 0;
  4395. Verifier->CurrentNonPagedPoolAllocations = 0;
  4396. Verifier->PeakPagedPoolAllocations = 0;
  4397. Verifier->PeakNonPagedPoolAllocations = 0;
  4399. Verifier->PagedBytes = 0;
  4400. Verifier->NonPagedBytes = 0;
  4401. Verifier->PeakPagedBytes = 0;
  4402. Verifier->PeakNonPagedBytes = 0;
  4404. Verifier->Signature = MI_VERIFIER_ENTRY_SIGNATURE;
  4406. InitializeSListHead (&Verifier->PoolPageHeaders);
  4407. InitializeSListHead (&Verifier->PoolTrackers);
  4409. if (FirstLoad == TRUE) {
  4410. Verifier->Flags = 0;
  4411. Verifier->Loads = 0;
  4412. Verifier->Unloads = 0;
  4413. }
  4415. LOCK_VERIFIER (&OldIrql);
  4417. Verifier->StartAddress = NULL;
  4418. Verifier->EndAddress = NULL;
  4420. UNLOCK_VERIFIER (OldIrql);
  4421. }
  4423. VOID
  4424. MiInitializeDriverVerifierList (
  4425. VOID
  4426. )
  4428. /*++
  4430. Routine Description:
  4432. Parse the registry settings and set up the list of driver names that will
  4433. be put through the validation process.
  4435. It is important that this list be parsed early because the machine-specific
  4436. memory management initialization needs to know whether the verifier is
  4437. going to be enabled.
  4439. Arguments:
  4441. None.
  4443. Return Value:
  4445. None.
  4447. Environment:
  4449. Kernel mode, Phase 0 Initialization.
  4451. Pool does not exist yet.
  4453. The PsLoadedModuleList has not been set up yet AND the boot drivers
  4454. have NOT been relocated to their final resting places.
  4456. --*/
  4458. {
  4459. PWCHAR Start;
  4460. PWCHAR End;
  4461. PWCHAR Walk;
  4462. ULONG NameLength;
  4463. UNICODE_STRING KernelString;
  4464. UNICODE_STRING DriverBaseName;
  4466. InitializeListHead (&MiSuspectDriverList);
  4468. if (MmVerifyDriverLevel != (ULONG)-1) {
  4469. if (MmVerifyDriverLevel & DRIVER_VERIFIER_IO_CHECKING) {
  4470. if (MmVerifyDriverBufferLength == (ULONG)-1) {
  4471. MmVerifyDriverBufferLength = 0; // Mm will not page out verifier pages.
  4472. }
  4473. }
  4474. }
  4476. //
  4477. // The only way MiVerifyAllDrivers is nonzero here is if it was patched in
  4478. // the kernel debugger. If so, just verify everything.
  4479. //
  4481. if (MiVerifyAllDrivers == 1) {
  4482. MmVerifyDriverBufferLength = 0;
  4483. }
  4484. else if (MiVerifyAllDrivers == 2) {
  4485. MiVerifyAllDrivers = 1;
  4486. KernelVerifier = TRUE;
  4487. MmVerifyDriverBufferLength = 0;
  4488. }
  4489. else if (MmVerifyDriverBufferLength == (ULONG)-1) {
  4490. return;
  4491. }
  4493. #if defined(_IA64_)
  4494. KeInitializeSpinLock (&VerifierListLock);
  4495. #endif
  4497. //
  4498. // Initializing this listhead indicates to the rest of this module that
  4499. // the system was booted with verification of some sort configured.
  4500. //
  4502. InitializeListHead (&MiVerifierDriverAddedThunkListHead);
  4504. //
  4505. // Disable lookasides so pool corruption can be found easily.
  4506. //
  4508. ExMinimumLookasideDepth = 0;
  4510. //
  4511. // Disable large pages for driver images so pool corruption can be
  4512. // found easily.
  4513. //
  4515. MmLargePageDriverBufferLength = (ULONG)-1;
  4517. //
  4518. // If no default is specified, then special pool, pagable code/data
  4519. // flushing and pool leak detection are enabled.
  4520. //
  4522. if (MmVerifyDriverLevel == (ULONG)-1) {
  4523. MmVerifierData.Level = DRIVER_VERIFIER_SPECIAL_POOLING |
  4524. DRIVER_VERIFIER_FORCE_IRQL_CHECKING |
  4525. DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS;
  4526. }
  4527. else {
  4528. MmVerifierData.Level = MmVerifyDriverLevel;
  4529. }
  4531. VerifierModifyableOptions = (DRIVER_VERIFIER_SPECIAL_POOLING |
  4532. DRIVER_VERIFIER_FORCE_IRQL_CHECKING |
  4533. DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES);
  4535. //
  4536. // An initial parse of the driver list is needed here to see if it's the
  4537. // kernel as special machine-dependent initialization is needed to fully
  4538. // support kernel verification (ie: no use of large pages, etc).
  4539. //
  4541. if ((MiVerifyAllDrivers == 0) &&
  4542. (MiVerifyRandomDrivers == (WCHAR)0)) {
  4544. #define KERNEL_NAME L"ntoskrnl.exe"
  4546. KernelString.Buffer = (const PUSHORT) KERNEL_NAME;
  4547. KernelString.Length = sizeof (KERNEL_NAME) - sizeof (WCHAR);
  4548. KernelString.MaximumLength = sizeof KERNEL_NAME;
  4550. Start = MmVerifyDriverBuffer;
  4551. End = MmVerifyDriverBuffer + (MmVerifyDriverBufferLength - sizeof(WCHAR)) / sizeof(WCHAR);
  4553. while (Start < End) {
  4554. if (UNICODE_WHITESPACE(*Start)) {
  4555. Start += 1;
  4556. continue;
  4557. }
  4559. if (*Start == (WCHAR)'*') {
  4560. MiVerifyAllDrivers = 1;
  4561. break;
  4562. }
  4564. for (Walk = Start; Walk < End; Walk += 1) {
  4565. if (UNICODE_WHITESPACE(*Walk)) {
  4566. break;
  4567. }
  4568. }
  4570. //
  4571. // Got a string - see if it indicates the kernel.
  4572. //
  4574. NameLength = (ULONG)(Walk - Start + 1) * sizeof (WCHAR);
  4576. DriverBaseName.Buffer = Start;
  4577. DriverBaseName.Length = (USHORT)(NameLength - sizeof (UNICODE_NULL));
  4578. DriverBaseName.MaximumLength = (USHORT)NameLength;
  4580. if (RtlEqualUnicodeString (&KernelString,
  4581. &DriverBaseName,
  4582. TRUE)) {
  4584. KernelVerifier = TRUE;
  4586. break;
  4587. }
  4589. Start = Walk + 1;
  4590. }
  4591. }
  4593. if (KernelVerifier == TRUE) {
  4595. //
  4596. // AcquireAtDpc/ReleaseFromDpc calls made by the kernel are not
  4597. // intercepted which confuses the deadlock verifier. So disable
  4598. // deadlock verification if we are kernel verifying.
  4599. //
  4601. MmVerifyDriverLevel &= ~DRIVER_VERIFIER_DEADLOCK_DETECTION;
  4602. MmVerifierData.Level &= ~DRIVER_VERIFIER_DEADLOCK_DETECTION;
  4604. //
  4605. //
  4606. // All driver pool allocation calls must be intercepted so
  4607. // they are not mistaken for kernel pool allocations.
  4608. //
  4610. MiVerifyAllDrivers = 1;
  4611. ExSetPoolFlags (EX_KERNEL_VERIFIER_ENABLED);
  4612. }
  4614. return;
  4615. }
  4617. VOID
  4618. MiReApplyVerifierToLoadedModules (
  4619. IN PLIST_ENTRY ModuleListHead
  4620. )
  4622. /*++
  4624. Routine Description:
  4626. Walk the supplied module list and re-thunk any drivers that are being
  4627. verified. This allows the module to pick up any new thunks that have
  4628. been added.
  4630. Arguments:
  4632. ModuleListHead - Supplies a pointer to the head of a loaded module list.
  4634. Environment:
  4636. Kernel mode, Phase 0 Initialization only.
  4638. --*/
  4640. {
  4641. LOGICAL Skip;
  4642. PLIST_ENTRY Entry;
  4643. PKLDR_DATA_TABLE_ENTRY TableEntry;
  4644. UNICODE_STRING HalString;
  4645. UNICODE_STRING KernelString;
  4647. //
  4648. // If the thunk listhead is NULL then the verifier is not enabled so
  4649. // don't notify any components.
  4650. //
  4652. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  4653. return;
  4654. }
  4656. //
  4657. // Initialize unicode strings to use to bypass modules
  4658. // in the list. There's no reason to reapply verifier to
  4659. // the kernel or to the hal.
  4660. //
  4662. KernelString.Buffer = (const PUSHORT) KERNEL_NAME;
  4663. KernelString.Length = sizeof (KERNEL_NAME) - sizeof (WCHAR);
  4664. KernelString.MaximumLength = sizeof KERNEL_NAME;
  4666. #define HAL_NAME L"hal.dll"
  4668. HalString.Buffer = (const PUSHORT) HAL_NAME;
  4669. HalString.Length = sizeof (HAL_NAME) - sizeof (WCHAR);
  4670. HalString.MaximumLength = sizeof HAL_NAME;
  4672. //
  4673. // Walk the list and reapply verifier to all the modules except those
  4674. // selected for exclusion.
  4675. //
  4677. Entry = ModuleListHead->Flink;
  4678. while (Entry != ModuleListHead) {
  4680. TableEntry = CONTAINING_RECORD(Entry,
  4681. KLDR_DATA_TABLE_ENTRY,
  4682. InLoadOrderLinks);
  4684. Skip = TRUE;
  4686. if (RtlEqualUnicodeString (&KernelString,
  4687. &TableEntry->BaseDllName,
  4688. TRUE)) {
  4689. NOTHING;
  4690. }
  4691. else if (RtlEqualUnicodeString (&HalString,
  4692. &TableEntry->BaseDllName,
  4693. TRUE)) {
  4694. NOTHING;
  4695. }
  4696. else {
  4697. Skip = FALSE;
  4698. }
  4700. //
  4701. // Reapply verifier thunks to the image if it is already being
  4702. // verified and if it is not one of the modules we've decided to skip.
  4703. //
  4705. if ((Skip == FALSE) && (TableEntry->Flags & LDRP_IMAGE_VERIFYING)) {
  4706. #if DBG
  4707. PLIST_ENTRY NextEntry;
  4708. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  4710. //
  4711. // Find the entry for this driver in the suspect list. This is
  4712. // expected to succeed since we are re-applying thunks to a module
  4713. // that has already been verified at least once before.
  4714. //
  4716. NextEntry = MiSuspectDriverList.Flink;
  4717. while (NextEntry != &MiSuspectDriverList) {
  4719. Verifier = CONTAINING_RECORD(NextEntry,
  4720. MI_VERIFIER_DRIVER_ENTRY,
  4721. Links);
  4723. if (RtlEqualUnicodeString (&Verifier->BaseName,
  4724. &TableEntry->BaseDllName,
  4725. TRUE)) {
  4727. ASSERT(Verifier->StartAddress == TableEntry->DllBase);
  4728. ASSERT(Verifier->EndAddress ==
  4729. (PVOID)((ULONG_PTR)TableEntry->DllBase +
  4730. TableEntry->SizeOfImage));
  4731. break;
  4732. }
  4733. NextEntry = NextEntry->Flink;
  4734. }
  4736. //
  4737. // Sanity tests. We should always find this module in the suspect
  4738. // driver list because it is already being verified. And the
  4739. // start and end addresses should still match those of this
  4740. // module.
  4741. //
  4743. ASSERT(NextEntry != &MiSuspectDriverList);
  4744. #endif
  4745. MiReEnableVerifier (TableEntry);
  4746. }
  4748. Entry = Entry->Flink;
  4749. }
  4750. }
  4752. LOGICAL
  4753. MiInitializeVerifyingComponents (
  4754. IN PLOADER_PARAMETER_BLOCK LoaderBlock
  4755. )
  4757. /*++
  4759. Routine Description:
  4761. Walk the loaded module list and thunk any drivers that need/deserve it.
  4763. Arguments:
  4765. LoaderBlock - Supplies the loader block used by the system to boot.
  4767. Return Value:
  4769. TRUE if successful, FALSE if not.
  4771. Environment:
  4773. Kernel mode, Phase 0 Initialization.
  4775. Nonpaged pool exists but paged pool does not.
  4777. The PsLoadedModuleList has not been set up yet although the boot drivers
  4778. have been relocated to their final resting places.
  4780. --*/
  4782. {
  4783. ULONG i;
  4784. PWCHAR Start;
  4785. PWCHAR End;
  4786. PWCHAR Walk;
  4787. ULONG NameLength;
  4788. PLIST_ENTRY NextEntry;
  4789. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  4790. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  4791. PMI_VERIFIER_DRIVER_ENTRY KernelEntry;
  4792. PMI_VERIFIER_DRIVER_ENTRY HalEntry;
  4793. UNICODE_STRING HalString;
  4794. UNICODE_STRING KernelString;
  4795. PVERIFIER_THUNKS Thunk;
  4796. PDRIVER_VERIFIER_THUNK_ROUTINE PristineRoutine;
  4798. //
  4799. // If the thunk listhead is NULL then the verifier is not enabled so
  4800. // don't notify any components.
  4801. //
  4803. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  4804. return FALSE;
  4805. }
  4807. KernelEntry = NULL;
  4808. HalEntry = NULL;
  4810. KernelString.Buffer = (const PUSHORT) KERNEL_NAME;
  4811. KernelString.Length = sizeof (KERNEL_NAME) - sizeof (WCHAR);
  4812. KernelString.MaximumLength = sizeof KERNEL_NAME;
  4814. HalString.Buffer = (const PUSHORT) HAL_NAME;
  4815. HalString.Length = sizeof (HAL_NAME) - sizeof (WCHAR);
  4816. HalString.MaximumLength = sizeof HAL_NAME;
  4818. if (MmVerifyDriverBufferLength == 0) {
  4820. //
  4821. // Verifier was enabled in kd, handle specially...
  4822. //
  4824. ASSERT (MiVerifyAllDrivers == 1);
  4825. }
  4826. else if (MiVerifyRandomDrivers == (WCHAR)0) {
  4828. Start = MmVerifyDriverBuffer;
  4829. End = MmVerifyDriverBuffer + (MmVerifyDriverBufferLength - sizeof(WCHAR)) / sizeof(WCHAR);
  4831. while (Start < End) {
  4832. if (UNICODE_WHITESPACE(*Start)) {
  4833. Start += 1;
  4834. continue;
  4835. }
  4837. if (*Start == (WCHAR)'*') {
  4838. MiVerifyAllDrivers = 1;
  4839. break;
  4840. }
  4842. for (Walk = Start; Walk < End; Walk += 1) {
  4843. if (UNICODE_WHITESPACE(*Walk)) {
  4844. break;
  4845. }
  4846. }
  4848. //
  4849. // Got a string. Save it.
  4850. //
  4852. NameLength = (ULONG)(Walk - Start + 1) * sizeof (WCHAR);
  4854. Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
  4855. NonPagedPool,
  4856. sizeof (MI_VERIFIER_DRIVER_ENTRY) +
  4857. NameLength,
  4858. 'dLmM');
  4860. if (Verifier == NULL) {
  4861. break;
  4862. }
  4864. Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier +
  4865. sizeof (MI_VERIFIER_DRIVER_ENTRY));
  4866. Verifier->BaseName.Length = (USHORT)(NameLength - sizeof (UNICODE_NULL));
  4867. Verifier->BaseName.MaximumLength = (USHORT)NameLength;
  4869. RtlCopyMemory (Verifier->BaseName.Buffer,
  4870. Start,
  4871. NameLength - sizeof (UNICODE_NULL));
  4873. ViInitializeEntry (Verifier, TRUE);
  4875. Verifier->Flags |= VI_VERIFYING_DIRECTLY;
  4877. ViInsertVerifierEntry (Verifier);
  4879. if (RtlEqualUnicodeString (&KernelString,
  4880. &Verifier->BaseName,
  4881. TRUE)) {
  4883. //
  4884. // All driver pool allocation calls must be intercepted so
  4885. // they are not mistaken for kernel pool allocations.
  4886. //
  4888. ASSERT (MiVerifyAllDrivers == 1);
  4889. ASSERT (KernelVerifier == TRUE);
  4891. KernelEntry = Verifier;
  4893. }
  4894. else if (RtlEqualUnicodeString (&HalString,
  4895. &Verifier->BaseName,
  4896. TRUE)) {
  4898. HalEntry = Verifier;
  4899. }
  4901. Start = Walk + 1;
  4902. }
  4903. }
  4905. //
  4906. // Enable deadlock detection if the deadlock bit was set in the
  4907. // registry.
  4908. //
  4910. if (MmVerifierData.Level & DRIVER_VERIFIER_DEADLOCK_DETECTION) {
  4912. #if !defined(_AMD64_) || !defined(NT_UP)
  4914. //
  4915. // Because the AMD64 versions of KeAcquireSpinLockAtDpc
  4916. // and KeReleaseSpinlockFromDPc routines are written in
  4917. // C, the UP build where these functions are no-ops end up getting resolved
  4918. // by the linker into a single no-op routine. The verifier engine as
  4919. // a temporary workaround does not hook these routines. This can cause
  4920. // false positives in deadlock verifier if normal spinlock routines are
  4921. // paired with atdpc/fromdpc routines.
  4922. //
  4923. // Until this gets solved in the verifier engine code that redirects thunks
  4924. // we will disable deadlock verifier on these machines.
  4925. //
  4927. VfDeadlockDetectionInitialize (MiVerifyAllDrivers, KernelVerifier);
  4928. ExSetPoolFlags (EX_VERIFIER_DEADLOCK_DETECTION_ENABLED);
  4929. #endif
  4930. }
  4932. //
  4933. // Initialize i/o verifier.
  4934. //
  4936. IoVerifierInit (MmVerifierData.Level);
  4938. if (MiTriageAddDrivers (LoaderBlock) == TRUE) {
  4940. //
  4941. // Disable random driver verification if triage has picked driver(s).
  4942. //
  4944. MiVerifyRandomDrivers = (WCHAR)0;
  4945. }
  4947. Thunk = (PVERIFIER_THUNKS) &MiVerifierThunks[0];
  4949. while (Thunk->PristineRoutineAsciiName != NULL) {
  4950. PristineRoutine = MiResolveVerifierExports (LoaderBlock,
  4951. Thunk->PristineRoutineAsciiName);
  4952. ASSERT (PristineRoutine != NULL);
  4953. Thunk->PristineRoutine = PristineRoutine;
  4954. Thunk += 1;
  4955. }
  4957. Thunk = (PVERIFIER_THUNKS) &MiVerifierPoolThunks[0];
  4958. while (Thunk->PristineRoutineAsciiName != NULL) {
  4959. PristineRoutine = MiResolveVerifierExports (LoaderBlock,
  4960. Thunk->PristineRoutineAsciiName);
  4961. ASSERT (PristineRoutine != NULL);
  4962. Thunk->PristineRoutine = PristineRoutine;
  4963. Thunk += 1;
  4964. }
  4966. //
  4967. // Process the boot-loaded drivers now.
  4968. //
  4970. i = 0;
  4971. NextEntry = LoaderBlock->LoadOrderListHead.Flink;
  4973. for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) {
  4975. DataTableEntry = CONTAINING_RECORD(NextEntry,
  4976. KLDR_DATA_TABLE_ENTRY,
  4977. InLoadOrderLinks);
  4979. //
  4980. // Process the kernel and HAL specially.
  4981. //
  4983. if (i == 0) {
  4984. if ((KernelEntry != NULL) || (KernelVerifier)) {
  4985. MiApplyDriverVerifier (DataTableEntry, KernelEntry);
  4986. }
  4987. }
  4988. else if (i == 1) {
  4989. if ((HalEntry != NULL) || (MiVerifyAllDrivers == 1)) {
  4990. MiApplyDriverVerifier (DataTableEntry, HalEntry);
  4991. }
  4992. }
  4993. else {
  4994. MiApplyDriverVerifier (DataTableEntry, NULL);
  4995. }
  4996. i += 1;
  4997. }
  4999. //
  5000. // Initialize irql tracking package. The drivers that will be verified
  5001. // will have automatically tracked all their raise/lower irql operations.
  5002. //
  5004. ViTrackIrqlInitialize ();
  5006. #if defined(_X86_) || defined(_AMD64_)
  5008. //
  5009. // Initialize fault injection stack trace log package.
  5010. //
  5012. ViFaultTracesInitialize ();
  5014. #endif
  5016. return TRUE;
  5017. }
  5019. NTSTATUS
  5020. MmAddVerifierEntry (
  5021. IN PUNICODE_STRING ImageFileName
  5022. )
  5024. /*++
  5026. Routine Description:
  5028. This routine inserts a new verifier entry for the specified driver so that
  5029. when the driver is loaded it will automatically be verified.
  5031. Note that if the driver is already loaded, then no entry is added and
  5032. STATUS_IMAGE_ALREADY_LOADED is returned.
  5034. If the system was booted with an empty verifier list, then no entries can
  5035. be added now as the current system configuration will not support special
  5036. pool, etc.
  5038. Note also that no registry changes are made so any insertions made by this
  5039. routine are lost on reboot.
  5041. Arguments:
  5043. ImageFileName - Supplies the name of the desired driver.
  5045. Return Value:
  5047. Various NTSTATUS codes.
  5049. Environment:
  5051. Kernel mode, PASSIVE_LEVEL, arbitrary process context.
  5053. --*/
  5055. {
  5056. PKTHREAD CurrentThread;
  5057. PLIST_ENTRY NextEntry;
  5058. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  5059. PMI_VERIFIER_DRIVER_ENTRY VerifierEntry;
  5060. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  5062. ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL);
  5064. //
  5065. // If the system was not booted with verification on, then bail.
  5066. //
  5068. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  5069. return STATUS_NOT_SUPPORTED;
  5070. }
  5072. //
  5073. // First build up a verifier entry.
  5074. //
  5076. Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
  5077. NonPagedPool,
  5078. sizeof (MI_VERIFIER_DRIVER_ENTRY) +
  5079. ImageFileName->MaximumLength,
  5080. 'dLmM');
  5082. if (Verifier == NULL) {
  5083. return STATUS_INSUFFICIENT_RESOURCES;
  5084. }
  5086. Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier +
  5087. sizeof (MI_VERIFIER_DRIVER_ENTRY));
  5088. Verifier->BaseName.Length = ImageFileName->Length;
  5089. Verifier->BaseName.MaximumLength = ImageFileName->MaximumLength;
  5091. RtlCopyMemory (Verifier->BaseName.Buffer,
  5092. ImageFileName->Buffer,
  5093. ImageFileName->Length);
  5095. ViInitializeEntry (Verifier, TRUE);
  5097. Verifier->Flags |= VI_VERIFYING_DIRECTLY;
  5099. //
  5100. // Arbitrary process context so prevent suspend APCs now.
  5101. //
  5103. CurrentThread = KeGetCurrentThread ();
  5104. KeEnterCriticalRegionThread (CurrentThread);
  5106. //
  5107. // Acquire the load lock so the verifier list can be read.
  5108. // Then ensure that the specified driver is not already in the list.
  5109. //
  5111. KeWaitForSingleObject (&MmSystemLoadLock,
  5112. WrVirtualMemory,
  5113. KernelMode,
  5114. FALSE,
  5115. (PLARGE_INTEGER)NULL);
  5117. //
  5118. // Check to make sure the requested entry is not already present in
  5119. // the verifier list and that the driver is not currently loaded.
  5120. //
  5122. NextEntry = MiSuspectDriverList.Flink;
  5123. while (NextEntry != &MiSuspectDriverList) {
  5125. VerifierEntry = CONTAINING_RECORD(NextEntry,
  5126. MI_VERIFIER_DRIVER_ENTRY,
  5127. Links);
  5129. if (RtlEqualUnicodeString (&Verifier->BaseName,
  5130. &VerifierEntry->BaseName,
  5131. TRUE)) {
  5133. //
  5134. // The driver is already in the verifier list - just mark the
  5135. // entry as verification-enabled and free the temporary allocation.
  5136. //
  5138. if ((VerifierEntry->Loads > VerifierEntry->Unloads) &&
  5139. (VerifierEntry->Flags & VI_DISABLE_VERIFICATION)) {
  5141. //
  5142. // The driver is loaded and verification is disabled. Don't
  5143. // turn it on now because we don't want to mislead our caller.
  5144. //
  5146. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5147. KeLeaveCriticalRegionThread (CurrentThread);
  5148. ExFreePool (Verifier);
  5149. return STATUS_IMAGE_ALREADY_LOADED;
  5150. }
  5151. VerifierEntry->Flags &= ~VI_DISABLE_VERIFICATION;
  5152. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5153. KeLeaveCriticalRegionThread (CurrentThread);
  5154. ExFreePool (Verifier);
  5155. return STATUS_SUCCESS;
  5156. }
  5157. NextEntry = NextEntry->Flink;
  5158. }
  5160. //
  5161. // A new verifier entry will need to be added so check to
  5162. // make sure the specified driver is not already loaded.
  5163. //
  5165. ExAcquireResourceSharedLite (&PsLoadedModuleResource, TRUE);
  5167. NextEntry = PsLoadedModuleList.Flink;
  5168. while (NextEntry != &PsLoadedModuleList) {
  5170. DataTableEntry = CONTAINING_RECORD(NextEntry,
  5171. KLDR_DATA_TABLE_ENTRY,
  5172. InLoadOrderLinks);
  5174. if (RtlEqualUnicodeString (&Verifier->BaseName,
  5175. &DataTableEntry->BaseDllName,
  5176. TRUE)) {
  5178. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5179. ExReleaseResourceLite (&PsLoadedModuleResource);
  5180. KeLeaveCriticalRegionThread (CurrentThread);
  5181. ExFreePool (Verifier);
  5182. return STATUS_IMAGE_ALREADY_LOADED;
  5183. }
  5185. NextEntry = NextEntry->Flink;
  5186. }
  5188. //
  5189. // The entry is not already in the verifier list and the driver is not
  5190. // currently loaded. Proceed to insert it now.
  5191. //
  5193. ViInsertVerifierEntry (Verifier);
  5195. ExReleaseResourceLite (&PsLoadedModuleResource);
  5196. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5197. KeLeaveCriticalRegionThread (CurrentThread);
  5199. return STATUS_SUCCESS;
  5200. }
  5202. NTSTATUS
  5203. MmRemoveVerifierEntry (
  5204. IN PUNICODE_STRING ImageFileName
  5205. )
  5207. /*++
  5209. Routine Description:
  5211. This routine doesn't actually remove the verifier entry for the
  5212. specified driver as we don't want to lose any valuable information
  5213. already gathered on the driver if it was previously loaded.
  5214. Instead, this routine disables verification for this driver for future
  5215. loads.
  5217. Note that if the driver is already loaded, then the removal is not
  5218. performed and STATUS_IMAGE_ALREADY_LOADED is returned.
  5220. Note also that no registry changes are made so any removals made by this
  5221. routine are lost on reboot.
  5223. Arguments:
  5225. ImageFileName - Supplies the name of the desired driver.
  5227. Return Value:
  5229. Various NTSTATUS codes.
  5231. Environment:
  5233. Kernel mode, PASSIVE_LEVEL, arbitrary process context.
  5235. --*/
  5237. {
  5238. PKTHREAD CurrentThread;
  5239. PLIST_ENTRY NextEntry;
  5240. PMI_VERIFIER_DRIVER_ENTRY VerifierEntry;
  5242. ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL);
  5244. //
  5245. // If the system was not booted with verification on, then bail.
  5246. //
  5248. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  5249. return STATUS_NOT_SUPPORTED;
  5250. }
  5252. //
  5253. // Arbitrary process context so prevent suspend APCs now.
  5254. //
  5256. CurrentThread = KeGetCurrentThread ();
  5257. KeEnterCriticalRegionThread (CurrentThread);
  5259. //
  5260. // Acquire the load lock so the verifier list can be read.
  5261. // Then ensure that the specified driver is not already in the list.
  5262. //
  5264. KeWaitForSingleObject (&MmSystemLoadLock,
  5265. WrVirtualMemory,
  5266. KernelMode,
  5267. FALSE,
  5268. (PLARGE_INTEGER)NULL);
  5270. //
  5271. // Check to make sure the requested entry is not already present in
  5272. // the verifier list and that the driver is not currently loaded.
  5273. //
  5275. NextEntry = MiSuspectDriverList.Flink;
  5276. while (NextEntry != &MiSuspectDriverList) {
  5278. VerifierEntry = CONTAINING_RECORD(NextEntry,
  5279. MI_VERIFIER_DRIVER_ENTRY,
  5280. Links);
  5282. if (RtlEqualUnicodeString (ImageFileName,
  5283. &VerifierEntry->BaseName,
  5284. TRUE)) {
  5286. //
  5287. // The driver is already in the verifier list - just mark the
  5288. // entry as verification-enabled and free the temporary allocation.
  5289. // No need to check the loaded module list if the entry is already
  5290. // in the verifier list.
  5291. //
  5293. if ((VerifierEntry->Loads > VerifierEntry->Unloads) &&
  5294. ((VerifierEntry->Flags & VI_DISABLE_VERIFICATION) == 0)) {
  5296. //
  5297. // The driver is loaded and verification is enabled. Don't
  5298. // disable it now because we don't want to mislead our caller.
  5299. //
  5301. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5302. KeLeaveCriticalRegionThread (CurrentThread);
  5303. return STATUS_IMAGE_ALREADY_LOADED;
  5304. }
  5306. VerifierEntry->Flags |= VI_DISABLE_VERIFICATION;
  5307. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5308. KeLeaveCriticalRegionThread (CurrentThread);
  5309. return STATUS_SUCCESS;
  5310. }
  5311. NextEntry = NextEntry->Flink;
  5312. }
  5314. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5315. KeLeaveCriticalRegionThread (CurrentThread);
  5317. return STATUS_NOT_FOUND;
  5318. }
  5320. VOID
  5321. ViInsertVerifierEntry (
  5322. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  5323. )
  5325. /*++
  5327. Routine Description:
  5329. Nonpagable wrapper to insert a new verifier entry.
  5331. Note that the system load mutant or the verifier load spinlock is sufficient
  5332. for readers to access the list. This is because the insertion path
  5333. acquires both.
  5335. Lock synchronization is needed because pool allocators walk the
  5336. verifier list at DISPATCH_LEVEL.
  5338. Arguments:
  5340. Verifier - Supplies a caller-initialized entry for the driver.
  5342. Return Value:
  5344. None.
  5346. --*/
  5348. {
  5349. KIRQL OldIrql;
  5351. LOCK_VERIFIER (&OldIrql);
  5353. InsertTailList (&MiSuspectDriverList, &Verifier->Links);
  5355. UNLOCK_VERIFIER (OldIrql);
  5356. }
  5358. PMI_VERIFIER_DRIVER_ENTRY
  5359. ViLocateVerifierEntry (
  5360. IN PVOID SystemAddress
  5361. )
  5363. /*++
  5365. Routine Description:
  5367. Locate the Driver Verifier entry for the specified system address.
  5369. Arguments:
  5371. SystemAddress - Supplies a code or data address within a driver.
  5373. Return Value:
  5375. The Verifier entry corresponding to the driver or NULL.
  5377. Environment:
  5379. The caller may be at DISPATCH_LEVEL and does not hold the MmSystemLoadLock.
  5381. --*/
  5383. {
  5384. KIRQL OldIrql;
  5385. PLIST_ENTRY NextEntry;
  5386. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  5388. LOCK_VERIFIER (&OldIrql);
  5390. NextEntry = MiSuspectDriverList.Flink;
  5391. while (NextEntry != &MiSuspectDriverList) {
  5393. Verifier = CONTAINING_RECORD(NextEntry,
  5394. MI_VERIFIER_DRIVER_ENTRY,
  5395. Links);
  5397. if ((SystemAddress >= Verifier->StartAddress) &&
  5398. (SystemAddress < Verifier->EndAddress)) {
  5400. UNLOCK_VERIFIER (OldIrql);
  5401. return Verifier;
  5402. }
  5403. NextEntry = NextEntry->Flink;
  5404. }
  5406. UNLOCK_VERIFIER (OldIrql);
  5407. return NULL;
  5408. }
  5410. LOGICAL
  5411. MiApplyDriverVerifier (
  5412. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry,
  5413. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  5414. )
  5416. /*++
  5418. Routine Description:
  5420. This function is called as each module is loaded. If the module being
  5421. loaded is in the suspect list, thunk it here.
  5423. Arguments:
  5425. DataTableEntry - Supplies the data table entry for the module.
  5427. Verifier - Non-NULL if verification must be applied. FALSE indicates
  5428. that the driver name must match for verification to be applied.
  5430. Return Value:
  5432. TRUE if thunking was applied, FALSE if not.
  5434. Environment:
  5436. Kernel mode, Phase 0 Initialization and normal runtime.
  5437. Non paged pool exists in Phase0, but paged pool does not.
  5438. Post-Phase0 serialization is provided by the MmSystemLoadLock.
  5440. --*/
  5442. {
  5443. WCHAR FirstChar;
  5444. LOGICAL Found;
  5445. PLIST_ENTRY NextEntry;
  5446. ULONG VerifierFlags;
  5447. UNICODE_STRING KernelString;
  5449. if (Verifier != NULL) {
  5450. Found = TRUE;
  5451. }
  5452. else {
  5453. Found = FALSE;
  5454. NextEntry = MiSuspectDriverList.Flink;
  5455. while (NextEntry != &MiSuspectDriverList) {
  5457. Verifier = CONTAINING_RECORD(NextEntry,
  5458. MI_VERIFIER_DRIVER_ENTRY,
  5459. Links);
  5461. if (RtlEqualUnicodeString (&Verifier->BaseName,
  5462. &DataTableEntry->BaseDllName,
  5463. TRUE)) {
  5465. Found = TRUE;
  5466. ViInitializeEntry (Verifier, FALSE);
  5467. break;
  5468. }
  5469. NextEntry = NextEntry->Flink;
  5470. }
  5471. }
  5473. if (Found == FALSE) {
  5474. VerifierFlags = VI_VERIFYING_DIRECTLY;
  5475. if (MiVerifyAllDrivers != 0) {
  5476. if (KernelVerifier == TRUE) {
  5478. KernelString.Buffer = (const PUSHORT) KERNEL_NAME;
  5479. KernelString.Length = sizeof (KERNEL_NAME) - sizeof (WCHAR);
  5480. KernelString.MaximumLength = sizeof KERNEL_NAME;
  5482. if (!RtlEqualUnicodeString (&KernelString,
  5483. &DataTableEntry->BaseDllName,
  5484. TRUE)) {
  5486. VerifierFlags = VI_VERIFYING_INVERSELY;
  5487. }
  5488. }
  5489. Found = TRUE;
  5490. }
  5491. else if (MiVerifyRandomDrivers != (WCHAR)0) {
  5493. //
  5494. // Wildcard match drivers randomly.
  5495. //
  5497. FirstChar = RtlUpcaseUnicodeChar(DataTableEntry->BaseDllName.Buffer[0]);
  5499. if (MiVerifyRandomDrivers == FirstChar) {
  5500. Found = TRUE;
  5501. }
  5502. else if (MiVerifyRandomDrivers == (WCHAR)'X') {
  5503. if ((FirstChar >= (WCHAR)'0') && (FirstChar <= (WCHAR)'9')) {
  5504. Found = TRUE;
  5505. }
  5506. }
  5507. }
  5509. if (Found == FALSE) {
  5510. return FALSE;
  5511. }
  5513. Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
  5514. NonPagedPool,
  5515. sizeof (MI_VERIFIER_DRIVER_ENTRY) +
  5516. DataTableEntry->BaseDllName.MaximumLength,
  5517. 'dLmM');
  5519. if (Verifier == NULL) {
  5520. return FALSE;
  5521. }
  5523. Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier +
  5524. sizeof (MI_VERIFIER_DRIVER_ENTRY));
  5525. Verifier->BaseName.Length = DataTableEntry->BaseDllName.Length;
  5526. Verifier->BaseName.MaximumLength = DataTableEntry->BaseDllName.MaximumLength;
  5528. RtlCopyMemory (Verifier->BaseName.Buffer,
  5529. DataTableEntry->BaseDllName.Buffer,
  5530. DataTableEntry->BaseDllName.Length);
  5532. ViInitializeEntry (Verifier, TRUE);
  5534. Verifier->Flags = VerifierFlags;
  5536. ViInsertVerifierEntry (Verifier);
  5537. }
  5539. Verifier->StartAddress = DataTableEntry->DllBase;
  5540. Verifier->EndAddress = (PVOID)((ULONG_PTR)DataTableEntry->DllBase + DataTableEntry->SizeOfImage);
  5542. ASSERT (Found == TRUE);
  5544. if (Verifier->Flags & VI_DISABLE_VERIFICATION) {
  5546. //
  5547. // We've been instructed to not verify this driver. If kernel
  5548. // verification is enabled, then the driver must still be thunked
  5549. // for "inverse-verification". If kernel verification is disabled,
  5550. // nothing needs to be done here except load/unload counting.
  5551. //
  5553. if (KernelVerifier == TRUE) {
  5554. Found = MiEnableVerifier (DataTableEntry);
  5555. }
  5556. else {
  5557. Found = FALSE;
  5558. }
  5559. }
  5560. else {
  5561. Found = MiEnableVerifier (DataTableEntry);
  5562. }
  5564. if (Found == TRUE) {
  5566. if (Verifier->Flags & VI_VERIFYING_DIRECTLY &&
  5567. ((DataTableEntry->Flags & LDRP_IMAGE_VERIFYING) == 0)) {
  5568. ViPrintString (&DataTableEntry->BaseDllName);
  5569. }
  5571. MmVerifierData.Loads += 1;
  5572. Verifier->Loads += 1;
  5574. DataTableEntry->Flags |= LDRP_IMAGE_VERIFYING;
  5575. MiActiveVerifies += 1;
  5577. if (MiActiveVerifies == 1) {
  5579. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  5581. //
  5582. // Page out all thread stacks as soon as possible to
  5583. // catch drivers using local events that do usermode waits.
  5584. //
  5586. if (KernelVerifier == FALSE) {
  5587. MiVerifierStackProtectTime = KiStackProtectTime;
  5588. KiStackProtectTime = 0;
  5589. }
  5590. }
  5591. }
  5592. }
  5594. return Found;
  5595. }
  5597. PUNICODE_STRING ViBadDriver;
  5599. VOID
  5600. MiVerifyingDriverUnloading (
  5601. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  5602. )
  5604. /*++
  5606. Routine Description:
  5608. This function is called as a driver that was being verified is now being
  5609. unloaded.
  5611. Arguments:
  5613. DataTableEntry - Supplies the data table entry for the driver.
  5615. Return Value:
  5617. TRUE if thunking was applied, FALSE if not.
  5619. Environment:
  5621. Kernel mode, Phase 0 Initialization and normal runtime.
  5622. Non paged pool exists in Phase0, but paged pool does not.
  5623. Post-Phase0 serialization is provided by the MmSystemLoadLock.
  5625. --*/
  5627. {
  5628. PVOID FullPage;
  5629. KIRQL OldIrql;
  5630. PLIST_ENTRY NextEntry;
  5631. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  5633. NextEntry = MiSuspectDriverList.Flink;
  5635. while (NextEntry != &MiSuspectDriverList) {
  5637. Verifier = CONTAINING_RECORD (NextEntry,
  5638. MI_VERIFIER_DRIVER_ENTRY,
  5639. Links);
  5641. if (RtlEqualUnicodeString (&Verifier->BaseName,
  5642. &DataTableEntry->BaseDllName,
  5643. TRUE)) {
  5645. //
  5646. // Delete any static locks in the driver image.
  5647. //
  5649. VfDeadlockDeleteMemoryRange (DataTableEntry->DllBase,
  5650. (SIZE_T) DataTableEntry->SizeOfImage);
  5653. if (MmVerifierData.Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) {
  5655. //
  5656. // Better not be any pool left that wasn't freed.
  5657. //
  5659. if (Verifier->PagedBytes) {
  5661. #if DBG
  5662. DbgPrint ("Driver %wZ leaked %d paged pool allocations (0x%x bytes)\n",
  5663. &DataTableEntry->FullDllName,
  5664. Verifier->CurrentPagedPoolAllocations,
  5665. Verifier->PagedBytes);
  5666. #endif
  5668. //
  5669. // It would be nice to fault in the driver's paged pool
  5670. // allocations now to make debugging easier, but this
  5671. // cannot be easily done in a deadlock free manner.
  5672. //
  5673. // At least disable the paging of pool on IRQL raising
  5674. // in attempt to keep some of these allocations resident
  5675. // for debugging.
  5676. //
  5677. // No need to undo the increment as we're about to
  5678. // bugcheck anyway.
  5679. //
  5681. InterlockedIncrement ((PLONG)&MiNoPageOnRaiseIrql);
  5682. }
  5683. #if DBG
  5684. if (Verifier->NonPagedBytes) {
  5685. DbgPrint ("Driver %wZ leaked %d nonpaged pool allocations (0x%x bytes)\n",
  5686. &DataTableEntry->FullDllName,
  5687. Verifier->CurrentNonPagedPoolAllocations,
  5688. Verifier->NonPagedBytes);
  5689. }
  5690. #endif
  5692. if (Verifier->PagedBytes || Verifier->NonPagedBytes) {
  5694. ViBadDriver = &Verifier->BaseName;
  5696. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  5697. 0x60,
  5698. Verifier->PagedBytes,
  5699. Verifier->NonPagedBytes,
  5700. Verifier->CurrentPagedPoolAllocations +
  5701. Verifier->CurrentNonPagedPoolAllocations);
  5702. }
  5704. //
  5705. // Free all pages (if any) used to track the pool allocations.
  5706. //
  5708. do {
  5709. FullPage = InterlockedPopEntrySList (&Verifier->PoolPageHeaders);
  5711. if (FullPage != NULL) {
  5712. ExFreePool (FullPage);
  5713. }
  5714. } while (FullPage != NULL);
  5716. //
  5717. // Clear these fields so reuse of stale addresses don't trigger
  5718. // erroneous bucket fills.
  5719. //
  5721. LOCK_VERIFIER (&OldIrql);
  5722. Verifier->StartAddress = NULL;
  5723. Verifier->EndAddress = NULL;
  5724. UNLOCK_VERIFIER (OldIrql);
  5725. }
  5727. Verifier->Unloads += 1;
  5728. MmVerifierData.Unloads += 1;
  5729. MiActiveVerifies -= 1;
  5731. if (MiActiveVerifies == 0) {
  5733. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  5735. //
  5736. // Return to normal thread stack protection.
  5737. //
  5739. if (KernelVerifier == FALSE) {
  5740. KiStackProtectTime = MiVerifierStackProtectTime;
  5741. }
  5742. }
  5743. }
  5744. return;
  5745. }
  5746. NextEntry = NextEntry->Flink;
  5747. }
  5749. ASSERT (FALSE);
  5750. }
  5752. NTKERNELAPI
  5753. LOGICAL
  5754. MmIsDriverVerifying (
  5755. IN PDRIVER_OBJECT DriverObject
  5756. )
  5758. /*++
  5760. Routine Description:
  5762. This function informs the caller if the argument driver is being verified.
  5764. Arguments:
  5766. DriverObject - Supplies the driver object.
  5768. Return Value:
  5770. TRUE if this driver is being verified, FALSE if not.
  5772. Environment:
  5774. Kernel mode, any IRQL, any needed synchronization must be provided by the
  5775. caller.
  5777. --*/
  5779. {
  5780. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  5782. DataTableEntry = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
  5784. if (DataTableEntry == NULL) {
  5785. return FALSE;
  5786. }
  5788. if ((DataTableEntry->Flags & LDRP_IMAGE_VERIFYING) == 0) {
  5789. return FALSE;
  5790. }
  5792. return TRUE;
  5793. }
  5795. NTSTATUS
  5796. MmAddVerifierThunks (
  5797. IN PVOID ThunkBuffer,
  5798. IN ULONG ThunkBufferSize
  5799. )
  5801. /*++
  5803. Routine Description:
  5805. This routine adds another set of thunks to the verifier list.
  5807. Arguments:
  5809. ThunkBuffer - Supplies the buffer containing the thunk pairs.
  5811. ThunkBufferSize - Supplies the number of bytes in the thunk buffer.
  5813. Return Value:
  5815. Returns the status of the operation.
  5817. Environment:
  5819. Kernel mode. APC_LEVEL and below, arbitrary process context.
  5821. --*/
  5823. {
  5824. ULONG i;
  5825. PKTHREAD CurrentThread;
  5826. ULONG NumberOfThunkPairs;
  5827. PDRIVER_VERIFIER_THUNK_PAIRS ThunkPairs;
  5828. PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable;
  5829. PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
  5830. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  5831. PKLDR_DATA_TABLE_ENTRY DataTableEntry2;
  5832. PLIST_ENTRY NextEntry;
  5833. PVOID DriverStartAddress;
  5834. PVOID DriverEndAddress;
  5836. PAGED_CODE();
  5838. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  5839. return STATUS_NOT_SUPPORTED;
  5840. }
  5842. ThunkPairs = (PDRIVER_VERIFIER_THUNK_PAIRS)ThunkBuffer;
  5843. NumberOfThunkPairs = ThunkBufferSize / sizeof(DRIVER_VERIFIER_THUNK_PAIRS);
  5845. if (NumberOfThunkPairs == 0) {
  5846. return STATUS_INVALID_PARAMETER_1;
  5847. }
  5849. ThunkTableBase = (PDRIVER_SPECIFIED_VERIFIER_THUNKS) ExAllocatePoolWithTag (
  5850. PagedPool,
  5851. sizeof (DRIVER_SPECIFIED_VERIFIER_THUNKS) + NumberOfThunkPairs * sizeof (DRIVER_VERIFIER_THUNK_PAIRS),
  5852. 'tVmM');
  5854. if (ThunkTableBase == NULL) {
  5855. return STATUS_INSUFFICIENT_RESOURCES;
  5856. }
  5858. ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1);
  5860. RtlCopyMemory (ThunkTable,
  5861. ThunkPairs,
  5862. NumberOfThunkPairs * sizeof(DRIVER_VERIFIER_THUNK_PAIRS));
  5864. CurrentThread = KeGetCurrentThread ();
  5865. KeEnterCriticalRegionThread (CurrentThread);
  5867. KeWaitForSingleObject (&MmSystemLoadLock,
  5868. WrVirtualMemory,
  5869. KernelMode,
  5870. FALSE,
  5871. (PLARGE_INTEGER)NULL);
  5873. //
  5874. // Find and validate the image that contains the routines to be thunked.
  5875. //
  5877. DataTableEntry = MiLookupDataTableEntry ((PVOID)(ULONG_PTR)ThunkTable->PristineRoutine,
  5878. TRUE);
  5880. if (DataTableEntry == NULL) {
  5881. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5882. KeLeaveCriticalRegionThread (CurrentThread);
  5883. ExFreePool (ThunkTableBase);
  5884. return STATUS_INVALID_PARAMETER_2;
  5885. }
  5887. DriverStartAddress = (PVOID)(DataTableEntry->DllBase);
  5888. DriverEndAddress = (PVOID)((PCHAR)DataTableEntry->DllBase + DataTableEntry->SizeOfImage);
  5890. //
  5891. // Don't let drivers hook calls to kernel or HAL routines.
  5892. //
  5894. i = 0;
  5895. NextEntry = PsLoadedModuleList.Flink;
  5896. while (NextEntry != &PsLoadedModuleList) {
  5898. DataTableEntry2 = CONTAINING_RECORD(NextEntry,
  5899. KLDR_DATA_TABLE_ENTRY,
  5900. InLoadOrderLinks);
  5902. if (DataTableEntry == DataTableEntry2) {
  5903. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5904. KeLeaveCriticalRegionThread (CurrentThread);
  5905. ExFreePool (ThunkTableBase);
  5906. return STATUS_INVALID_PARAMETER_2;
  5907. }
  5909. NextEntry = NextEntry->Flink;
  5910. i += 1;
  5911. if (i >= 2) {
  5912. break;
  5913. }
  5914. }
  5916. for (i = 0; i < NumberOfThunkPairs; i += 1) {
  5918. //
  5919. // Ensure all the routines being thunked are in the same driver.
  5920. //
  5922. if (((ULONG_PTR)ThunkTable->PristineRoutine < (ULONG_PTR)DriverStartAddress) ||
  5923. ((ULONG_PTR)ThunkTable->PristineRoutine >= (ULONG_PTR)DriverEndAddress) ||
  5924. ((ULONG_PTR)ThunkTable->NewRoutine < (ULONG_PTR)DriverStartAddress) ||
  5925. ((ULONG_PTR)ThunkTable->NewRoutine >= (ULONG_PTR)DriverEndAddress)
  5926. ) {
  5928. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5929. KeLeaveCriticalRegionThread (CurrentThread);
  5930. ExFreePool (ThunkTableBase);
  5931. return STATUS_INVALID_PARAMETER_2;
  5932. }
  5933. ThunkTable += 1;
  5934. }
  5936. //
  5937. // Add the validated thunk table to the verifier's global list.
  5938. //
  5940. ThunkTableBase->DataTableEntry = DataTableEntry;
  5941. ThunkTableBase->NumberOfThunks = NumberOfThunkPairs;
  5942. MiActiveVerifierThunks += 1;
  5944. InsertTailList (&MiVerifierDriverAddedThunkListHead,
  5945. &ThunkTableBase->ListEntry);
  5947. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5948. KeLeaveCriticalRegionThread (CurrentThread);
  5950. //
  5951. // Indicate that new thunks have been added to the verifier list.
  5952. //
  5954. MiVerifierThunksAdded += 1;
  5956. return STATUS_SUCCESS;
  5957. }
  5959. VOID
  5960. MiVerifierCheckThunks (
  5961. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  5962. )
  5964. /*++
  5966. Routine Description:
  5968. This routine adds another set of thunks to the verifier list.
  5970. Arguments:
  5972. DataTableEntry - Supplies the data table entry for the driver.
  5974. Return Value:
  5976. None.
  5978. Environment:
  5980. Kernel mode. APC_LEVEL and below.
  5981. The system load lock must be held by the caller.
  5983. --*/
  5985. {
  5986. PLIST_ENTRY NextEntry;
  5987. PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
  5989. PAGED_CODE ();
  5991. //
  5992. // N.B. The DataTableEntry can move (see MiInitializeLoadedModuleList),
  5993. // but this only happens long before IoInitialize so this is safe.
  5994. //
  5996. NextEntry = MiVerifierDriverAddedThunkListHead.Flink;
  5997. while (NextEntry != &MiVerifierDriverAddedThunkListHead) {
  5999. ThunkTableBase = CONTAINING_RECORD(NextEntry,
  6000. DRIVER_SPECIFIED_VERIFIER_THUNKS,
  6001. ListEntry);
  6003. if (ThunkTableBase->DataTableEntry == DataTableEntry) {
  6004. RemoveEntryList (NextEntry);
  6005. NextEntry = NextEntry->Flink;
  6006. ExFreePool (ThunkTableBase);
  6007. MiActiveVerifierThunks -= 1;
  6009. //
  6010. // Keep looking as the driver may have made multiple calls.
  6011. //
  6013. continue;
  6014. }
  6016. NextEntry = NextEntry->Flink;
  6017. }
  6018. }
  6020. NTSTATUS
  6021. MmIsVerifierEnabled (
  6022. OUT PULONG VerifierFlags
  6023. )
  6025. /*++
  6027. Routine Description:
  6029. This routine is called by drivers to query whether the Driver Verifier
  6030. is enabled and to find out what the currently enabled options are.
  6032. Arguments:
  6034. VerifierFlags - Returns the current driver verifier flags. Note these
  6035. flags can change dynamically without rebooting.
  6037. Return Value:
  6039. Returns STATUS_SUCCESS if the verifier is enabled, or a failure code if not.
  6041. Environment:
  6043. Kernel mode, any level prior to Phase 1, PASSIVE_LEVEL after that.
  6045. --*/
  6047. {
  6048. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  6049. *VerifierFlags = 0;
  6050. return STATUS_NOT_SUPPORTED;
  6051. }
  6053. *VerifierFlags = MmVerifierData.Level;
  6054. return STATUS_SUCCESS;
  6055. }
  6057. #define ROUND_UP(VALUE,ROUND) ((ULONG)(((ULONG)VALUE + \
  6058. ((ULONG)ROUND - 1L)) & (~((ULONG)ROUND - 1L))))
  6060. NTSTATUS
  6061. MmGetVerifierInformation (
  6062. OUT PVOID SystemInformation,
  6063. IN ULONG SystemInformationLength,
  6064. OUT PULONG Length
  6065. )
  6067. /*++
  6069. Routine Description:
  6071. This routine returns information about drivers undergoing verification.
  6073. Arguments:
  6075. SystemInformation - Returns the driver verification information.
  6077. SystemInformationLength - Supplies the length of the SystemInformation
  6078. buffer.
  6080. Length - Returns the length of the driver verification file information
  6081. placed in the buffer.
  6083. Return Value:
  6085. Returns the status of the operation.
  6087. Environment:
  6089. The SystemInformation buffer is in user space and our caller has wrapped
  6090. a try-except around this entire routine. Capture any exceptions here and
  6091. release resources accordingly.
  6093. --*/
  6095. {
  6096. PKTHREAD CurrentThread;
  6097. PSYSTEM_VERIFIER_INFORMATION UserVerifyBuffer;
  6098. ULONG NextEntryOffset;
  6099. ULONG TotalSize;
  6100. NTSTATUS Status;
  6101. PLIST_ENTRY NextEntry;
  6102. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  6103. UNICODE_STRING UserBufferDriverName;
  6105. PAGED_CODE();
  6107. NextEntryOffset = 0;
  6108. TotalSize = 0;
  6110. *Length = 0;
  6111. UserVerifyBuffer = (PSYSTEM_VERIFIER_INFORMATION)SystemInformation;
  6113. //
  6114. // Capture the number of verifying drivers and the relevant data while
  6115. // synchronized. Then return it to our caller.
  6116. //
  6118. Status = STATUS_SUCCESS;
  6120. CurrentThread = KeGetCurrentThread ();
  6121. KeEnterCriticalRegionThread (CurrentThread);
  6123. KeWaitForSingleObject (&MmSystemLoadLock,
  6124. WrVirtualMemory,
  6125. KernelMode,
  6126. FALSE,
  6127. (PLARGE_INTEGER)NULL);
  6129. try {
  6131. NextEntry = MiSuspectDriverList.Flink;
  6132. while (NextEntry != &MiSuspectDriverList) {
  6134. Verifier = CONTAINING_RECORD(NextEntry,
  6135. MI_VERIFIER_DRIVER_ENTRY,
  6136. Links);
  6138. if (((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0) ||
  6139. (Verifier->Flags & VI_DISABLE_VERIFICATION)) {
  6141. NextEntry = NextEntry->Flink;
  6142. continue;
  6143. }
  6145. UserVerifyBuffer = (PSYSTEM_VERIFIER_INFORMATION)(
  6146. (PUCHAR)UserVerifyBuffer + NextEntryOffset);
  6147. NextEntryOffset = sizeof(SYSTEM_VERIFIER_INFORMATION);
  6148. TotalSize += sizeof(SYSTEM_VERIFIER_INFORMATION);
  6150. if (TotalSize > SystemInformationLength) {
  6151. ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH);
  6152. }
  6154. //
  6155. // This data is cumulative for all drivers.
  6156. //
  6158. UserVerifyBuffer->Level = MmVerifierData.Level;
  6159. UserVerifyBuffer->RaiseIrqls = MmVerifierData.RaiseIrqls;
  6160. UserVerifyBuffer->AcquireSpinLocks = MmVerifierData.AcquireSpinLocks;
  6162. UserVerifyBuffer->UnTrackedPool = MmVerifierData.UnTrackedPool;
  6163. UserVerifyBuffer->SynchronizeExecutions = MmVerifierData.SynchronizeExecutions;
  6165. UserVerifyBuffer->AllocationsAttempted = MmVerifierData.AllocationsAttempted;
  6166. UserVerifyBuffer->AllocationsSucceeded = MmVerifierData.AllocationsSucceeded;
  6167. UserVerifyBuffer->AllocationsSucceededSpecialPool = MmVerifierData.AllocationsSucceededSpecialPool;
  6168. UserVerifyBuffer->AllocationsWithNoTag = MmVerifierData.AllocationsWithNoTag;
  6170. UserVerifyBuffer->TrimRequests = MmVerifierData.TrimRequests;
  6171. UserVerifyBuffer->Trims = MmVerifierData.Trims;
  6172. UserVerifyBuffer->AllocationsFailed = MmVerifierData.AllocationsFailed;
  6173. UserVerifyBuffer->AllocationsFailedDeliberately = MmVerifierData.AllocationsFailedDeliberately;
  6175. //
  6176. // This data is kept on a per-driver basis.
  6177. //
  6179. UserVerifyBuffer->CurrentPagedPoolAllocations = Verifier->CurrentPagedPoolAllocations;
  6180. UserVerifyBuffer->CurrentNonPagedPoolAllocations = Verifier->CurrentNonPagedPoolAllocations;
  6181. UserVerifyBuffer->PeakPagedPoolAllocations = Verifier->PeakPagedPoolAllocations;
  6182. UserVerifyBuffer->PeakNonPagedPoolAllocations = Verifier->PeakNonPagedPoolAllocations;
  6184. UserVerifyBuffer->PagedPoolUsageInBytes = Verifier->PagedBytes;
  6185. UserVerifyBuffer->NonPagedPoolUsageInBytes = Verifier->NonPagedBytes;
  6186. UserVerifyBuffer->PeakPagedPoolUsageInBytes = Verifier->PeakPagedBytes;
  6187. UserVerifyBuffer->PeakNonPagedPoolUsageInBytes = Verifier->PeakNonPagedBytes;
  6189. UserVerifyBuffer->Loads = Verifier->Loads;
  6190. UserVerifyBuffer->Unloads = Verifier->Unloads;
  6192. //
  6193. // The DriverName portion of the UserVerifyBuffer must be saved
  6194. // locally to protect against a malicious thread changing the
  6195. // contents. This is because we will reference the contents
  6196. // ourselves when the actual string is copied out carefully below.
  6197. //
  6199. UserBufferDriverName.Length = Verifier->BaseName.Length;
  6200. UserBufferDriverName.MaximumLength = (USHORT)(Verifier->BaseName.Length + sizeof (WCHAR));
  6201. UserBufferDriverName.Buffer = (PWCHAR)(UserVerifyBuffer + 1);
  6203. UserVerifyBuffer->DriverName = UserBufferDriverName;
  6205. TotalSize += ROUND_UP (UserBufferDriverName.MaximumLength,
  6206. sizeof(PVOID));
  6207. NextEntryOffset += ROUND_UP (UserBufferDriverName.MaximumLength,
  6208. sizeof(PVOID));
  6210. if (TotalSize > SystemInformationLength) {
  6211. ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH);
  6212. }
  6214. //
  6215. // Carefully reference the UserVerifyBuffer here.
  6216. //
  6218. RtlCopyMemory(UserBufferDriverName.Buffer,
  6219. Verifier->BaseName.Buffer,
  6220. Verifier->BaseName.Length);
  6222. UserBufferDriverName.Buffer[
  6223. Verifier->BaseName.Length/sizeof(WCHAR)] = UNICODE_NULL;
  6224. UserVerifyBuffer->NextEntryOffset = NextEntryOffset;
  6226. NextEntry = NextEntry->Flink;
  6227. }
  6228. } except (EXCEPTION_EXECUTE_HANDLER) {
  6229. Status = GetExceptionCode();
  6230. }
  6232. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  6234. KeLeaveCriticalRegionThread (CurrentThread);
  6236. if (Status != STATUS_INFO_LENGTH_MISMATCH) {
  6237. UserVerifyBuffer->NextEntryOffset = 0;
  6238. *Length = TotalSize;
  6239. }
  6241. return Status;
  6242. }
  6244. NTSTATUS
  6245. MmSetVerifierInformation (
  6246. IN OUT PVOID SystemInformation,
  6247. IN ULONG SystemInformationLength
  6248. )
  6250. /*++
  6252. Routine Description:
  6254. This routine sets any driver verifier flags that can be done without
  6255. rebooting.
  6257. Arguments:
  6259. SystemInformation - Gets and returns the driver verification flags.
  6261. SystemInformationLength - Supplies the length of the SystemInformation
  6262. buffer.
  6264. Return Value:
  6266. Returns the status of the operation.
  6268. Environment:
  6270. The SystemInformation buffer is in user space and our caller has wrapped
  6271. a try-except around this entire routine. Capture any exceptions here and
  6272. release resources accordingly.
  6274. --*/
  6276. {
  6277. PKTHREAD CurrentThread;
  6278. ULONG UserFlags;
  6279. ULONG NewFlags;
  6280. ULONG NewFlagsOn;
  6281. ULONG NewFlagsOff;
  6282. NTSTATUS Status;
  6283. PULONG UserVerifyBuffer;
  6285. PAGED_CODE();
  6287. if (SystemInformationLength < sizeof (ULONG)) {
  6288. ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH);
  6289. }
  6291. UserVerifyBuffer = (PULONG)SystemInformation;
  6293. //
  6294. // Synchronize all changes to the flags here.
  6295. //
  6297. Status = STATUS_SUCCESS;
  6299. CurrentThread = KeGetCurrentThread ();
  6300. KeEnterCriticalRegionThread (CurrentThread);
  6302. KeWaitForSingleObject (&MmSystemLoadLock,
  6303. WrVirtualMemory,
  6304. KernelMode,
  6305. FALSE,
  6306. (PLARGE_INTEGER)NULL);
  6308. try {
  6310. UserFlags = *UserVerifyBuffer;
  6312. //
  6313. // Ensure nothing is being set or cleared that isn't supported.
  6314. //
  6315. //
  6317. NewFlagsOn = UserFlags & VerifierModifyableOptions;
  6319. NewFlags = MmVerifierData.Level | NewFlagsOn;
  6321. //
  6322. // Any bits set in NewFlagsOff must be zeroed in the NewFlags.
  6323. //
  6325. NewFlagsOff = ((~UserFlags) & VerifierModifyableOptions);
  6327. NewFlags &= ~NewFlagsOff;
  6329. if (NewFlags != MmVerifierData.Level) {
  6330. VerifierOptionChanges += 1;
  6331. MmVerifierData.Level = NewFlags;
  6332. *UserVerifyBuffer = NewFlags;
  6333. }
  6335. } except (EXCEPTION_EXECUTE_HANDLER) {
  6336. Status = GetExceptionCode();
  6337. }
  6339. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  6341. KeLeaveCriticalRegionThread (CurrentThread);
  6343. return Status;
  6344. }
  6346. typedef struct _VERIFIER_STRING_INFO {
  6347. ULONG BuildNumber;
  6348. ULONG DriverVerifierLevel;
  6349. ULONG Flags;
  6350. ULONG Check;
  6351. } VERIFIER_STRING_INFO, *PVERIFIER_STRING_INFO;
  6353. #ifdef ALLOC_DATA_PRAGMA
  6354. #pragma const_seg("PAGECONST")
  6355. #endif
  6357. static const WCHAR Printable[] = L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  6358. static const ULONG PrintableChars = sizeof (Printable) / sizeof (Printable[0]) - 1;
  6360. #ifdef ALLOC_DATA_PRAGMA
  6361. #pragma const_seg()
  6362. #endif
  6364. //
  6365. // Verifier string is now available via http://winweb/drivercheck
  6366. // This site won't give out the verifier string unless certain tests
  6367. // have been ran.
  6368. //
  6369. #define PRINT_VERIFIER_STRING 0
  6371. VOID
  6372. ViPrintString (
  6373. IN PUNICODE_STRING DriverName
  6374. )
  6376. /*++
  6378. Routine Description:
  6380. This routine does a really bad hash of build number, verifier level and
  6381. flags by using the driver name as a stream of bytes to XOR into the flags,
  6382. etc.
  6384. This is a Neill Clift special.
  6386. Arguments:
  6388. DriverName - Supplies the name of the driver.
  6390. Return Value:
  6392. None.
  6394. --*/
  6396. {
  6398. #if PRINT_VERIFIER_STRING
  6400. VERIFIER_STRING_INFO Bld;
  6401. PUCHAR BufPtr;
  6402. PWCHAR DriverPtr;
  6403. ULONG BufLen;
  6404. ULONG i;
  6405. ULONG j;
  6406. ULONG DriverChars;
  6407. ULONG MaxChars;
  6408. WCHAR OutBuf[sizeof (VERIFIER_STRING_INFO) * 2 + 1];
  6409. UNICODE_STRING OutBufU;
  6410. ULONG Rem;
  6411. ULONG LastRem;
  6412. LOGICAL Done;
  6414. Bld.BuildNumber = NtBuildNumber;
  6415. Bld.DriverVerifierLevel = MmVerifierData.Level;
  6417. //
  6418. // Unloads and other actions could be encoded in the Flags field here.
  6419. //
  6421. Bld.Flags = 0;
  6423. //
  6424. // Make the last ULONG a weird function of the others.
  6425. //
  6427. Bld.Check = ((Bld.Flags + 1) * Bld.BuildNumber * (Bld.DriverVerifierLevel + 1)) * 123456789;
  6429. BufPtr = (PUCHAR) &Bld;
  6430. BufLen = sizeof (Bld);
  6432. DriverChars = DriverName->Length / sizeof (DriverName->Buffer[0]);
  6433. DriverPtr = DriverName->Buffer;
  6434. MaxChars = DriverChars;
  6436. if (DriverChars < sizeof (VERIFIER_STRING_INFO)) {
  6437. MaxChars = sizeof (VERIFIER_STRING_INFO);
  6438. }
  6440. //
  6441. // Xor each character in the driver name into the buffer.
  6442. //
  6444. for (i = 0; i < MaxChars; i += 1) {
  6445. BufPtr[i % BufLen] ^= (UCHAR) RtlUpcaseUnicodeChar(DriverPtr[i % DriverChars]);
  6446. }
  6448. //
  6449. // Produce a base N decoding of the binary buffer using the printable
  6450. // characters defines. Treat the binary as a byte array and do the
  6451. // division for each, tracking the carry.
  6452. //
  6454. j = 0;
  6455. do {
  6456. Done = TRUE;
  6458. for (i = 0, LastRem = 0; i < sizeof (VERIFIER_STRING_INFO); i += 1) {
  6459. Rem = BufPtr[i] + 256 * LastRem;
  6460. BufPtr[i] = (UCHAR) (Rem / PrintableChars);
  6461. LastRem = Rem % PrintableChars;
  6462. if (BufPtr[i]) {
  6463. Done = FALSE;
  6464. }
  6465. }
  6466. OutBuf[j++] = Printable[LastRem];
  6468. if (j >= sizeof (OutBuf) / sizeof (OutBuf[0])) {
  6470. //
  6471. // The stack buffer isn't big enough.
  6472. //
  6474. return;
  6475. }
  6477. } while (Done == FALSE);
  6479. OutBuf[j] = L'\0';
  6481. OutBufU.Length = OutBufU.MaximumLength = (USHORT) (j * sizeof (WCHAR));
  6482. OutBufU.Buffer = OutBuf;
  6484. DbgPrint ("*******************************************************************************\n"
  6485. "*\n"
  6486. "* This is the string you add to your checkin description\n"
  6487. "* Driver Verifier: Enabled for %Z on Build %ld %wZ\n"
  6488. "*\n"
  6489. "*******************************************************************************\n",
  6490. DriverName, NtBuildNumber & 0xFFFFFFF, &OutBufU);
  6492. #else
  6494. DbgPrint ("*******************************************************************************\n"
  6495. "*\n"
  6496. "* Driver Verifier: Enabled for %Z on Build %ld\n"
  6497. "* Please see http://winweb/drivercheck to obtain a check-in string.\n"
  6498. "*\n"
  6499. "*******************************************************************************\n",
  6500. DriverName, NtBuildNumber & 0xFFFFFFF);
  6501. #endif
  6502. return;
  6503. }
  6505. //
  6506. // BEWARE: Various kernel macros are undefined here so we can pull in the
  6507. // real routines. This is needed because the real routines are exported for
  6508. // driver compatibility. This module has been carefully laid out so these
  6509. // macros are not referenced from this point down and references go to the
  6510. // real routines.
  6511. //
  6516. #undef KeRaiseIrql
  6517. #undef KeLowerIrql
  6518. #undef KeAcquireSpinLock
  6519. #undef KeReleaseSpinLock
  6520. #undef KeAcquireSpinLockAtDpcLevel
  6521. #undef KeReleaseSpinLockFromDpcLevel
  6522. #if 0
  6523. #undef ExAcquireResourceExclusive
  6524. #endif
  6526. #if !defined(_AMD64_)
  6528. VOID
  6529. KeRaiseIrql (
  6530. IN KIRQL NewIrql,
  6531. OUT PKIRQL OldIrql
  6532. );
  6534. #endif
  6536. VOID
  6537. KeLowerIrql (
  6538. IN KIRQL NewIrql
  6539. );
  6541. #if !defined(_AMD64_)
  6543. VOID
  6544. KeAcquireSpinLock (
  6545. IN PKSPIN_LOCK SpinLock,
  6546. OUT PKIRQL OldIrql
  6547. );
  6549. #endif
  6551. VOID
  6552. KeReleaseSpinLock (
  6553. IN PKSPIN_LOCK SpinLock,
  6554. IN KIRQL NewIrql
  6555. );
  6557. VOID
  6558. KeAcquireSpinLockAtDpcLevel (
  6559. IN PKSPIN_LOCK SpinLock
  6560. );
  6562. VOID
  6563. KeReleaseSpinLockFromDpcLevel (
  6564. IN PKSPIN_LOCK SpinLock
  6565. );
  6567. #if 0
  6568. BOOLEAN
  6569. ExAcquireResourceExclusive (
  6570. IN PERESOURCE Resource,
  6571. IN BOOLEAN Wait
  6572. );
  6573. #endif
  6575. #ifdef ALLOC_DATA_PRAGMA
  6576. #pragma const_seg("PAGECONST")
  6577. #endif
  6579. const VERIFIER_THUNKS MiVerifierThunks[] = {
  6581. "KeSetEvent",
  6582. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierSetEvent,
  6584. "ExAcquireFastMutexUnsafe",
  6585. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireFastMutexUnsafe,
  6587. "ExReleaseFastMutexUnsafe",
  6588. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExReleaseFastMutexUnsafe,
  6590. "ExAcquireResourceExclusiveLite",
  6591. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireResourceExclusiveLite,
  6593. "ExReleaseResourceLite",
  6594. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExReleaseResourceLite,
  6596. "MmProbeAndLockPages",
  6597. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierProbeAndLockPages,
  6599. #if 0
  6600. //
  6601. // Don't bother thunking this API as it appears no drivers use it.
  6602. //
  6603. "MmProbeAndLockSelectedPages",
  6604. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierProbeAndLockSelectedPages,
  6605. #endif
  6607. "MmProbeAndLockProcessPages",
  6608. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierProbeAndLockProcessPages,
  6610. "MmMapIoSpace",
  6611. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierMapIoSpace,
  6613. "MmMapLockedPages",
  6614. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierMapLockedPages,
  6616. "MmMapLockedPagesSpecifyCache",
  6617. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierMapLockedPagesSpecifyCache,
  6619. "MmUnlockPages",
  6620. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierUnlockPages,
  6622. "MmUnmapLockedPages",
  6623. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierUnmapLockedPages,
  6625. "MmUnmapIoSpace",
  6626. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierUnmapIoSpace,
  6628. "ExAcquireFastMutex",
  6629. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireFastMutex,
  6631. "ExTryToAcquireFastMutex",
  6632. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExTryToAcquireFastMutex,
  6634. "ExReleaseFastMutex",
  6635. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExReleaseFastMutex,
  6637. #if !defined(_AMD64_)
  6639. "KeRaiseIrql",
  6640. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrql,
  6642. #endif
  6644. "KeLowerIrql",
  6645. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeLowerIrql,
  6647. #if !defined(_AMD64_)
  6649. "KeAcquireSpinLock",
  6650. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLock,
  6652. #endif
  6654. "KeReleaseSpinLock",
  6655. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLock,
  6657. #if defined(_X86_)
  6658. "KefAcquireSpinLockAtDpcLevel",
  6659. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLockAtDpcLevel,
  6661. "KefReleaseSpinLockFromDpcLevel",
  6662. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLockFromDpcLevel,
  6663. #else
  6665. #if !defined(_AMD64_) || !defined(NT_UP)
  6667. //
  6668. // Because the AMD64 versions of these native Ke routines are written in
  6669. // C, the UP build where these functions are no-ops end up getting resolved
  6670. // by the linker into a single no-op routine. When we subsequently
  6671. // initialize the MiVerifierThunks array, we count on the target routine
  6672. // being unique - and therefore that thunking the driver import tables is
  6673. // done by comparing to the target routine address (INSTEAD OF THE NAME).
  6674. //
  6675. // So disable thunking these calls for now. Note this may need to be done
  6676. // for any other routines/platforms that can get optimized in this manner.
  6677. //
  6679. "KeAcquireSpinLockAtDpcLevel",
  6680. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLockAtDpcLevel,
  6682. "KeReleaseSpinLockFromDpcLevel",
  6683. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLockFromDpcLevel,
  6685. #endif
  6687. #endif
  6689. "KeSynchronizeExecution",
  6690. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierSynchronizeExecution,
  6692. "KeInitializeTimerEx",
  6693. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeInitializeTimerEx,
  6695. "KeInitializeTimer",
  6696. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeInitializeTimer,
  6698. "KeWaitForSingleObject",
  6699. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeWaitForSingleObject,
  6701. #if defined(_X86_) || defined(_AMD64_)
  6703. "KfRaiseIrql",
  6704. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfRaiseIrql,
  6706. "KeRaiseIrqlToDpcLevel",
  6707. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrqlToDpcLevel,
  6709. #endif
  6711. #if defined(_X86_)
  6713. "KfLowerIrql",
  6714. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfLowerIrql,
  6716. "KfAcquireSpinLock",
  6717. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfAcquireSpinLock,
  6719. "KfReleaseSpinLock",
  6720. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfReleaseSpinLock,
  6722. #endif
  6724. #if !defined(_X86_)
  6726. "KeAcquireSpinLockRaiseToDpc",
  6727. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLockRaiseToDpc,
  6729. #endif
  6731. "IoFreeIrp",
  6732. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovFreeIrp,
  6734. "IofCompleteRequest",
  6735. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovCompleteRequest,
  6737. "IoBuildDeviceIoControlRequest",
  6738. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovBuildDeviceIoControlRequest,
  6740. "IoBuildAsynchronousFsdRequest",
  6741. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovBuildAsynchronousFsdRequest,
  6743. "IoInitializeTimer",
  6744. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovInitializeTimer,
  6746. "KeQueryPerformanceCounter",
  6747. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfQueryPerformanceCounter,
  6749. "IoGetDmaAdapter",
  6750. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfGetDmaAdapter,
  6752. "HalAllocateCrashDumpRegisters",
  6753. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfAllocateCrashDumpRegisters,
  6755. "ObReferenceObjectByHandle",
  6756. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierReferenceObjectByHandle,
  6758. "KeReleaseMutex",
  6759. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeReleaseMutex,
  6761. "KeInitializeMutex",
  6762. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeInitializeMutex,
  6764. "KeReleaseMutant",
  6765. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeReleaseMutant,
  6767. "KeInitializeMutant",
  6768. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeInitializeMutant,
  6770. #if defined(_X86_) || defined(_IA64_)
  6771. "KeInitializeSpinLock",
  6772. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeInitializeSpinLock,
  6773. #endif
  6775. #if !defined(NO_LEGACY_DRIVERS)
  6776. "HalGetAdapter",
  6777. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfLegacyGetAdapter,
  6779. "IoMapTransfer",
  6780. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfMapTransfer,
  6782. "IoFlushAdapterBuffers",
  6783. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfFlushAdapterBuffers,
  6785. "HalAllocateCommonBuffer",
  6786. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfAllocateCommonBuffer,
  6788. "HalFreeCommonBuffer",
  6789. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfFreeCommonBuffer,
  6791. "IoAllocateAdapterChannel",
  6792. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfAllocateAdapterChannel,
  6794. "IoFreeAdapterChannel",
  6795. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfFreeAdapterChannel,
  6797. "IoFreeMapRegisters",
  6798. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfFreeMapRegisters,
  6799. #endif
  6801. "NtCreateFile",
  6802. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierNtCreateFile,
  6804. "NtWriteFile",
  6805. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierNtWriteFile,
  6807. "NtReadFile",
  6808. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierNtReadFile,
  6810. "KeLeaveCriticalRegion",
  6811. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierLeaveCriticalRegion,
  6813. "ObfReferenceObject",
  6814. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierReferenceObject,
  6816. "ObDereferenceObject",
  6817. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierDereferenceObject,
  6819. // Zw intefaces
  6821. DECLARE_ZW_VERIFIER_THUNK(ZwAccessCheckAndAuditAlarm),
  6822. DECLARE_ZW_VERIFIER_THUNK(ZwAddBootEntry),
  6823. DECLARE_ZW_VERIFIER_THUNK(ZwAddDriverEntry),
  6824. DECLARE_ZW_VERIFIER_THUNK(ZwAdjustPrivilegesToken),
  6825. DECLARE_ZW_VERIFIER_THUNK(ZwAlertThread),
  6826. DECLARE_ZW_VERIFIER_THUNK(ZwAllocateVirtualMemory),
  6827. DECLARE_ZW_VERIFIER_THUNK(ZwAssignProcessToJobObject),
  6828. DECLARE_ZW_VERIFIER_THUNK(ZwCancelIoFile),
  6829. DECLARE_ZW_VERIFIER_THUNK(ZwCancelTimer),
  6830. DECLARE_ZW_VERIFIER_THUNK(ZwClearEvent),
  6831. DECLARE_ZW_VERIFIER_THUNK(ZwClose),
  6832. DECLARE_ZW_VERIFIER_THUNK(ZwCloseObjectAuditAlarm),
  6833. DECLARE_ZW_VERIFIER_THUNK(ZwConnectPort),
  6834. DECLARE_ZW_VERIFIER_THUNK(ZwCreateDirectoryObject),
  6835. DECLARE_ZW_VERIFIER_THUNK(ZwCreateEvent),
  6836. DECLARE_ZW_VERIFIER_THUNK(ZwCreateFile),
  6837. DECLARE_ZW_VERIFIER_THUNK(ZwCreateJobObject),
  6838. DECLARE_ZW_VERIFIER_THUNK(ZwCreateKey),
  6839. DECLARE_ZW_VERIFIER_THUNK(ZwCreateSection),
  6840. DECLARE_ZW_VERIFIER_THUNK(ZwCreateSymbolicLinkObject),
  6841. DECLARE_ZW_VERIFIER_THUNK(ZwCreateTimer),
  6842. DECLARE_ZW_VERIFIER_THUNK(ZwDeleteBootEntry),
  6843. DECLARE_ZW_VERIFIER_THUNK(ZwDeleteDriverEntry),
  6844. DECLARE_ZW_VERIFIER_THUNK(ZwDeleteFile),
  6845. DECLARE_ZW_VERIFIER_THUNK(ZwDeleteKey),
  6846. DECLARE_ZW_VERIFIER_THUNK(ZwDeleteValueKey),
  6847. DECLARE_ZW_VERIFIER_THUNK(ZwDeviceIoControlFile),
  6848. DECLARE_ZW_VERIFIER_THUNK(ZwDisplayString),
  6849. DECLARE_ZW_VERIFIER_THUNK(ZwDuplicateObject),
  6850. DECLARE_ZW_VERIFIER_THUNK(ZwDuplicateToken),
  6851. DECLARE_ZW_VERIFIER_THUNK(ZwEnumerateBootEntries),
  6852. DECLARE_ZW_VERIFIER_THUNK(ZwEnumerateDriverEntries),
  6853. DECLARE_ZW_VERIFIER_THUNK(ZwEnumerateKey),
  6854. DECLARE_ZW_VERIFIER_THUNK(ZwEnumerateValueKey),
  6855. DECLARE_ZW_VERIFIER_THUNK(ZwFlushInstructionCache),
  6856. DECLARE_ZW_VERIFIER_THUNK(ZwFlushKey),
  6857. DECLARE_ZW_VERIFIER_THUNK(ZwFlushVirtualMemory),
  6858. DECLARE_ZW_VERIFIER_THUNK(ZwFreeVirtualMemory),
  6859. DECLARE_ZW_VERIFIER_THUNK(ZwFsControlFile),
  6860. DECLARE_ZW_VERIFIER_THUNK(ZwInitiatePowerAction),
  6861. DECLARE_ZW_VERIFIER_THUNK(ZwIsProcessInJob),
  6862. DECLARE_ZW_VERIFIER_THUNK(ZwLoadDriver),
  6863. DECLARE_ZW_VERIFIER_THUNK(ZwLoadKey),
  6864. DECLARE_ZW_VERIFIER_THUNK(ZwMakeTemporaryObject),
  6865. DECLARE_ZW_VERIFIER_THUNK(ZwMapViewOfSection),
  6866. DECLARE_ZW_VERIFIER_THUNK(ZwModifyBootEntry),
  6867. DECLARE_ZW_VERIFIER_THUNK(ZwModifyDriverEntry),
  6868. DECLARE_ZW_VERIFIER_THUNK(ZwNotifyChangeKey),
  6869. DECLARE_ZW_VERIFIER_THUNK(ZwOpenDirectoryObject),
  6870. DECLARE_ZW_VERIFIER_THUNK(ZwOpenEvent),
  6871. DECLARE_ZW_VERIFIER_THUNK(ZwOpenFile),
  6872. DECLARE_ZW_VERIFIER_THUNK(ZwOpenJobObject),
  6873. DECLARE_ZW_VERIFIER_THUNK(ZwOpenKey),
  6874. DECLARE_ZW_VERIFIER_THUNK(ZwOpenProcess),
  6875. DECLARE_ZW_VERIFIER_THUNK(ZwOpenProcessToken),
  6876. DECLARE_ZW_VERIFIER_THUNK(ZwOpenProcessTokenEx),
  6877. DECLARE_ZW_VERIFIER_THUNK(ZwOpenSection),
  6878. DECLARE_ZW_VERIFIER_THUNK(ZwOpenSymbolicLinkObject),
  6879. DECLARE_ZW_VERIFIER_THUNK(ZwOpenThread),
  6880. DECLARE_ZW_VERIFIER_THUNK(ZwOpenThreadToken),
  6881. DECLARE_ZW_VERIFIER_THUNK(ZwOpenThreadTokenEx),
  6882. DECLARE_ZW_VERIFIER_THUNK(ZwOpenTimer),
  6883. DECLARE_ZW_VERIFIER_THUNK(ZwPowerInformation),
  6884. DECLARE_ZW_VERIFIER_THUNK(ZwPulseEvent),
  6885. DECLARE_ZW_VERIFIER_THUNK(ZwQueryBootEntryOrder),
  6886. DECLARE_ZW_VERIFIER_THUNK(ZwQueryBootOptions),
  6887. DECLARE_ZW_VERIFIER_THUNK(ZwQueryDefaultLocale),
  6888. DECLARE_ZW_VERIFIER_THUNK(ZwQueryDefaultUILanguage),
  6889. DECLARE_ZW_VERIFIER_THUNK(ZwQueryDriverEntryOrder),
  6890. DECLARE_ZW_VERIFIER_THUNK(ZwQueryInstallUILanguage),
  6891. DECLARE_ZW_VERIFIER_THUNK(ZwQueryDirectoryFile),
  6892. DECLARE_ZW_VERIFIER_THUNK(ZwQueryDirectoryObject),
  6893. DECLARE_ZW_VERIFIER_THUNK(ZwQueryEaFile),
  6894. DECLARE_ZW_VERIFIER_THUNK(ZwQueryFullAttributesFile),
  6895. DECLARE_ZW_VERIFIER_THUNK(ZwQueryInformationFile),
  6896. DECLARE_ZW_VERIFIER_THUNK(ZwQueryInformationJobObject),
  6897. DECLARE_ZW_VERIFIER_THUNK(ZwQueryInformationProcess),
  6898. DECLARE_ZW_VERIFIER_THUNK(ZwQueryInformationThread),
  6899. DECLARE_ZW_VERIFIER_THUNK(ZwQueryInformationToken),
  6900. DECLARE_ZW_VERIFIER_THUNK(ZwQueryInformationToken),
  6901. DECLARE_ZW_VERIFIER_THUNK(ZwQueryKey),
  6902. DECLARE_ZW_VERIFIER_THUNK(ZwQueryObject),
  6903. DECLARE_ZW_VERIFIER_THUNK(ZwQuerySection),
  6904. DECLARE_ZW_VERIFIER_THUNK(ZwQuerySecurityObject),
  6905. DECLARE_ZW_VERIFIER_THUNK(ZwQuerySymbolicLinkObject),
  6906. DECLARE_ZW_VERIFIER_THUNK(ZwQuerySystemInformation),
  6907. DECLARE_ZW_VERIFIER_THUNK(ZwQueryValueKey),
  6908. DECLARE_ZW_VERIFIER_THUNK(ZwQueryVolumeInformationFile),
  6909. DECLARE_ZW_VERIFIER_THUNK(ZwReadFile),
  6910. DECLARE_ZW_VERIFIER_THUNK(ZwReplaceKey),
  6911. DECLARE_ZW_VERIFIER_THUNK(ZwRequestWaitReplyPort),
  6912. DECLARE_ZW_VERIFIER_THUNK(ZwResetEvent),
  6913. DECLARE_ZW_VERIFIER_THUNK(ZwRestoreKey),
  6914. DECLARE_ZW_VERIFIER_THUNK(ZwSaveKey),
  6915. DECLARE_ZW_VERIFIER_THUNK(ZwSaveKeyEx),
  6916. DECLARE_ZW_VERIFIER_THUNK(ZwSetBootEntryOrder),
  6917. DECLARE_ZW_VERIFIER_THUNK(ZwSetBootOptions),
  6918. DECLARE_ZW_VERIFIER_THUNK(ZwSetDefaultLocale),
  6919. DECLARE_ZW_VERIFIER_THUNK(ZwSetDefaultUILanguage),
  6920. DECLARE_ZW_VERIFIER_THUNK(ZwSetDriverEntryOrder),
  6921. DECLARE_ZW_VERIFIER_THUNK(ZwSetEaFile),
  6922. DECLARE_ZW_VERIFIER_THUNK(ZwSetEvent),
  6923. DECLARE_ZW_VERIFIER_THUNK(ZwSetInformationFile),
  6924. DECLARE_ZW_VERIFIER_THUNK(ZwSetInformationJobObject),
  6925. DECLARE_ZW_VERIFIER_THUNK(ZwSetInformationObject),
  6926. DECLARE_ZW_VERIFIER_THUNK(ZwSetInformationProcess),
  6927. DECLARE_ZW_VERIFIER_THUNK(ZwSetInformationThread),
  6928. DECLARE_ZW_VERIFIER_THUNK(ZwSetSecurityObject),
  6929. DECLARE_ZW_VERIFIER_THUNK(ZwSetSystemInformation),
  6930. DECLARE_ZW_VERIFIER_THUNK(ZwSetSystemTime),
  6931. DECLARE_ZW_VERIFIER_THUNK(ZwSetTimer),
  6932. DECLARE_ZW_VERIFIER_THUNK(ZwSetValueKey),
  6933. DECLARE_ZW_VERIFIER_THUNK(ZwSetVolumeInformationFile),
  6934. DECLARE_ZW_VERIFIER_THUNK(ZwTerminateJobObject),
  6935. DECLARE_ZW_VERIFIER_THUNK(ZwTerminateProcess),
  6936. DECLARE_ZW_VERIFIER_THUNK(ZwTranslateFilePath),
  6937. DECLARE_ZW_VERIFIER_THUNK(ZwUnloadDriver),
  6938. DECLARE_ZW_VERIFIER_THUNK(ZwUnloadKey),
  6939. DECLARE_ZW_VERIFIER_THUNK(ZwUnmapViewOfSection),
  6940. DECLARE_ZW_VERIFIER_THUNK(ZwWaitForMultipleObjects),
  6941. DECLARE_ZW_VERIFIER_THUNK(ZwWaitForSingleObject),
  6942. DECLARE_ZW_VERIFIER_THUNK(ZwWriteFile),
  6943. DECLARE_ZW_VERIFIER_THUNK(ZwYieldExecution),
  6945. NULL,
  6946. NULL,
  6947. };
  6949. const VERIFIER_THUNKS MiVerifierPoolThunks[] = {
  6951. "ExAllocatePool",
  6952. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePool,
  6954. "ExAllocatePoolWithQuota",
  6955. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithQuota,
  6957. "ExAllocatePoolWithQuotaTag",
  6958. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithQuotaTag,
  6960. "ExAllocatePoolWithTag",
  6961. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithTag,
  6963. "ExAllocatePoolWithTagPriority",
  6964. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithTagPriority,
  6966. "ExFreePool",
  6967. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierFreePool,
  6969. "ExFreePoolWithTag",
  6970. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierFreePoolWithTag,
  6972. NULL,
  6973. NULL,
  6974. };
  6976. #ifdef ALLOC_DATA_PRAGMA
  6977. #pragma const_seg()
  6978. #endif
  6980. PDRIVER_VERIFIER_THUNK_ROUTINE
  6981. MiResolveVerifierExports (
  6982. IN PLOADER_PARAMETER_BLOCK LoaderBlock,
  6983. IN PCHAR PristineName
  6984. )
  6986. /*++
  6988. Routine Description:
  6990. This function scans the kernel & HAL exports for the specified routine name.
  6992. Arguments:
  6994. DataTableEntry - Supplies the data table entry for the driver.
  6996. Return Value:
  6998. Non-NULL address of routine to thunk or NULL if the routine could not be
  6999. found.
  7001. Environment:
  7003. Kernel mode, Phase 0 Initialization only.
  7004. The PsLoadedModuleList has not been initialized yet.
  7005. Non paged pool exists in Phase0, but paged pool does not.
  7007. --*/
  7009. {
  7010. ULONG i;
  7011. PIMAGE_EXPORT_DIRECTORY ExportDirectory;
  7012. PULONG NameTableBase;
  7013. PUSHORT NameOrdinalTableBase;
  7014. PULONG Addr;
  7015. ULONG ExportSize;
  7016. ULONG Low;
  7017. ULONG Middle;
  7018. ULONG High;
  7019. PLIST_ENTRY NextEntry;
  7020. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  7021. USHORT OrdinalNumber;
  7022. LONG Result;
  7023. PCHAR DllBase;
  7025. i = 0;
  7026. NextEntry = LoaderBlock->LoadOrderListHead.Flink;
  7028. for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) {
  7030. DataTableEntry = CONTAINING_RECORD (NextEntry,
  7031. KLDR_DATA_TABLE_ENTRY,
  7032. InLoadOrderLinks);
  7034. //
  7035. // Process the kernel and HAL exports so the proper routine
  7036. // addresses can be generated now that relocations are complete.
  7037. //
  7039. DllBase = (PCHAR) DataTableEntry->DllBase;
  7041. ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData(
  7042. (PVOID) DllBase,
  7043. TRUE,
  7044. IMAGE_DIRECTORY_ENTRY_EXPORT,
  7045. &ExportSize);
  7047. if (ExportDirectory != NULL) {
  7049. //
  7050. // Lookup the import name in the name table using a binary search.
  7051. //
  7053. NameTableBase = (PULONG)(DllBase + (ULONG)ExportDirectory->AddressOfNames);
  7054. NameOrdinalTableBase = (PUSHORT)(DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
  7056. Low = 0;
  7057. Middle = 0;
  7058. High = ExportDirectory->NumberOfNames - 1;
  7060. while (High >= Low) {
  7062. //
  7063. // Compute the next probe index and compare the import name
  7064. // with the export name entry.
  7065. //
  7067. Middle = (Low + High) >> 1;
  7068. Result = strcmp (PristineName,
  7069. (PCHAR)DllBase + NameTableBase[Middle]);
  7071. if (Result < 0) {
  7072. High = Middle - 1;
  7074. } else if (Result > 0) {
  7075. Low = Middle + 1;
  7077. }
  7078. else {
  7079. break;
  7080. }
  7081. }
  7083. //
  7084. // If the high index is less than the low index, then a matching
  7085. // table entry was not found. Otherwise, get the ordinal number
  7086. // from the ordinal table.
  7087. //
  7089. if ((LONG)High >= (LONG)Low) {
  7090. OrdinalNumber = NameOrdinalTableBase[Middle];
  7092. //
  7093. // If OrdinalNumber is not within the Export Address Table,
  7094. // then DLL does not implement function. Otherwise we have
  7095. // the export that matches the specified argument routine name.
  7096. //
  7098. if ((ULONG)OrdinalNumber < ExportDirectory->NumberOfFunctions) {
  7100. Addr = (PULONG)(DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
  7101. return (PDRIVER_VERIFIER_THUNK_ROUTINE)(ULONG_PTR)(DllBase + Addr[OrdinalNumber]);
  7102. }
  7103. }
  7104. }
  7106. i += 1;
  7107. if (i == 2) {
  7108. break;
  7109. }
  7110. }
  7111. return NULL;
  7112. }
  7114. LOGICAL
  7115. MiEnableVerifier (
  7116. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  7117. )
  7119. /*++
  7121. Routine Description:
  7123. This function enables the verifier for the argument driver by thunking
  7124. relevant system APIs in the argument driver import table.
  7126. Arguments:
  7128. DataTableEntry - Supplies the data table entry for the driver.
  7130. Return Value:
  7132. TRUE if thunking was applied, FALSE if not.
  7134. Environment:
  7136. Kernel mode, Phase 0 Initialization and normal runtime.
  7137. Non paged pool exists in Phase0, but paged pool does not.
  7139. --*/
  7141. {
  7142. ULONG i;
  7143. ULONG j;
  7144. PULONG_PTR ImportThunk;
  7145. ULONG ImportSize;
  7146. VERIFIER_THUNKS const *VerifierThunk;
  7147. LOGICAL Found;
  7148. ULONG_PTR RealRoutine;
  7149. PLIST_ENTRY NextEntry;
  7150. PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable;
  7151. PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
  7153. ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
  7154. DataTableEntry->DllBase,
  7155. TRUE,
  7156. IMAGE_DIRECTORY_ENTRY_IAT,
  7157. &ImportSize);
  7159. if (ImportThunk == NULL) {
  7160. return FALSE;
  7161. }
  7163. ImportSize /= sizeof(PULONG_PTR);
  7165. for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
  7167. Found = FALSE;
  7169. if (KernelVerifier == FALSE) {
  7171. VerifierThunk = MiVerifierThunks;
  7173. while (VerifierThunk->PristineRoutineAsciiName != NULL) {
  7175. RealRoutine = (ULONG_PTR)VerifierThunk->PristineRoutine;
  7177. if (*ImportThunk == RealRoutine) {
  7178. *ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine);
  7179. Found = TRUE;
  7180. break;
  7181. }
  7182. VerifierThunk += 1;
  7183. }
  7184. }
  7186. if (Found == FALSE) {
  7187. VerifierThunk = MiVerifierPoolThunks;
  7189. while (VerifierThunk->PristineRoutineAsciiName != NULL) {
  7191. RealRoutine = (ULONG_PTR)VerifierThunk->PristineRoutine;
  7193. if (*ImportThunk == RealRoutine) {
  7194. *ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine);
  7195. Found = TRUE;
  7196. break;
  7197. }
  7198. VerifierThunk += 1;
  7199. }
  7200. }
  7202. if (Found == FALSE) {
  7204. NextEntry = MiVerifierDriverAddedThunkListHead.Flink;
  7205. while (NextEntry != &MiVerifierDriverAddedThunkListHead) {
  7207. ThunkTableBase = CONTAINING_RECORD(NextEntry,
  7208. DRIVER_SPECIFIED_VERIFIER_THUNKS,
  7209. ListEntry);
  7211. ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1);
  7213. for (j = 0; j < ThunkTableBase->NumberOfThunks; j += 1) {
  7215. if (*ImportThunk == (ULONG_PTR)ThunkTable->PristineRoutine) {
  7216. *ImportThunk = (ULONG_PTR)(ThunkTable->NewRoutine);
  7217. Found = TRUE;
  7218. break;
  7219. }
  7220. ThunkTable += 1;
  7221. }
  7223. if (Found == TRUE) {
  7224. break;
  7225. }
  7227. NextEntry = NextEntry->Flink;
  7228. }
  7229. }
  7230. }
  7231. return TRUE;
  7232. }
  7234. LOGICAL
  7235. MiReEnableVerifier (
  7236. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  7237. )
  7239. /*++
  7241. Routine Description:
  7243. This function thunks DLL-supplied APIs in the argument driver import table.
  7245. Arguments:
  7247. DataTableEntry - Supplies the data table entry for the driver.
  7249. Return Value:
  7251. TRUE if thunking was applied, FALSE if not.
  7253. Environment:
  7255. Kernel mode, Phase 0 Initialization only.
  7256. Non paged pool exists in Phase0, but paged pool does not.
  7258. --*/
  7260. {
  7261. ULONG i;
  7262. ULONG j;
  7263. PULONG_PTR ImportThunk;
  7264. ULONG ImportSize;
  7265. LOGICAL Found;
  7266. PLIST_ENTRY NextEntry;
  7267. PMMPTE PointerPte;
  7268. PULONG_PTR VirtualThunk;
  7269. PFN_NUMBER PageFrameIndex;
  7270. PFN_NUMBER VirtualPageFrameIndex;
  7271. PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable;
  7272. PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
  7273. ULONG Offset;
  7275. ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
  7276. DataTableEntry->DllBase,
  7277. TRUE,
  7278. IMAGE_DIRECTORY_ENTRY_IAT,
  7279. &ImportSize);
  7281. if (ImportThunk == NULL) {
  7282. return FALSE;
  7283. }
  7285. VirtualThunk = NULL;
  7286. ImportSize /= sizeof(PULONG_PTR);
  7288. //
  7289. // Initializing VirtualPageFrameIndex is not needed for correctness, but
  7290. // without it the compiler cannot compile this code W4 to check for use of
  7291. // uninitialized variables.
  7292. //
  7294. VirtualPageFrameIndex = 0;
  7296. for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
  7298. Found = FALSE;
  7300. NextEntry = MiVerifierDriverAddedThunkListHead.Flink;
  7301. while (NextEntry != &MiVerifierDriverAddedThunkListHead) {
  7303. ThunkTableBase = CONTAINING_RECORD(NextEntry,
  7304. DRIVER_SPECIFIED_VERIFIER_THUNKS,
  7305. ListEntry);
  7307. ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1);
  7309. for (j = 0; j < ThunkTableBase->NumberOfThunks; j += 1) {
  7311. if (*ImportThunk == (ULONG_PTR)ThunkTable->PristineRoutine) {
  7313. ASSERT (MI_IS_PHYSICAL_ADDRESS(ImportThunk) == 0);
  7314. PointerPte = MiGetPteAddress (ImportThunk);
  7315. ASSERT (PointerPte->u.Hard.Valid == 1);
  7316. PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
  7317. Offset = (ULONG) MiGetByteOffset(ImportThunk);
  7319. if ((VirtualThunk != NULL) &&
  7320. (VirtualPageFrameIndex == PageFrameIndex)) {
  7322. NOTHING;
  7323. }
  7324. else {
  7326. VirtualThunk = MiMapSinglePage (VirtualThunk,
  7327. PageFrameIndex,
  7328. MmCached,
  7329. HighPagePriority);
  7331. if (VirtualThunk == NULL) {
  7332. return FALSE;
  7333. }
  7334. VirtualPageFrameIndex = PageFrameIndex;
  7335. }
  7337. *(PULONG_PTR)((PUCHAR)VirtualThunk + Offset) =
  7338. (ULONG_PTR)(ThunkTable->NewRoutine);
  7340. Found = TRUE;
  7341. break;
  7342. }
  7343. ThunkTable += 1;
  7344. }
  7346. if (Found == TRUE) {
  7347. break;
  7348. }
  7350. NextEntry = NextEntry->Flink;
  7351. }
  7352. }
  7354. if (VirtualThunk != NULL) {
  7355. MiUnmapSinglePage (VirtualThunk);
  7356. }
  7358. return TRUE;
  7359. }
  7361. typedef struct _KERNEL_VERIFIER_THUNK_PAIRS {
  7362. PDRIVER_VERIFIER_THUNK_ROUTINE PristineRoutine;
  7363. PDRIVER_VERIFIER_THUNK_ROUTINE NewRoutine;
  7364. } KERNEL_VERIFIER_THUNK_PAIRS, *PKERNEL_VERIFIER_THUNK_PAIRS;
  7366. #if defined(_X86_)
  7368. #ifdef ALLOC_DATA_PRAGMA
  7369. #pragma const_seg("INITCONST")
  7370. #endif
  7372. const KERNEL_VERIFIER_THUNK_PAIRS MiKernelVerifierThunks[] = {
  7374. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeRaiseIrql,
  7375. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrql,
  7377. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeLowerIrql,
  7378. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeLowerIrql,
  7380. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeAcquireSpinLock,
  7381. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLock,
  7383. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeReleaseSpinLock,
  7384. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLock,
  7386. (PDRIVER_VERIFIER_THUNK_ROUTINE)KfRaiseIrql,
  7387. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfRaiseIrql,
  7389. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeRaiseIrqlToDpcLevel,
  7390. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrqlToDpcLevel,
  7392. (PDRIVER_VERIFIER_THUNK_ROUTINE)KfLowerIrql,
  7393. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfLowerIrql,
  7395. (PDRIVER_VERIFIER_THUNK_ROUTINE)KfAcquireSpinLock,
  7396. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfAcquireSpinLock,
  7398. (PDRIVER_VERIFIER_THUNK_ROUTINE)KfReleaseSpinLock,
  7399. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfReleaseSpinLock,
  7401. (PDRIVER_VERIFIER_THUNK_ROUTINE)ExAcquireFastMutex,
  7402. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireFastMutex,
  7404. #if !defined(NT_UP)
  7405. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeAcquireQueuedSpinLock,
  7406. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireQueuedSpinLock,
  7408. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeReleaseQueuedSpinLock,
  7409. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseQueuedSpinLock,
  7410. #endif
  7411. };
  7413. #ifdef ALLOC_DATA_PRAGMA
  7414. #pragma const_seg()
  7415. #endif
  7417. VOID
  7418. MiEnableKernelVerifier (
  7419. VOID
  7420. )
  7422. /*++
  7424. Routine Description:
  7426. This function enables the verifier for the kernel by thunking
  7427. relevant HAL APIs in the kernel's import table.
  7429. Arguments:
  7431. None.
  7433. Return Value:
  7435. None.
  7437. Environment:
  7439. Kernel mode, Phase 1 Initialization.
  7441. --*/
  7443. {
  7444. ULONG i;
  7445. PULONG_PTR ImportThunk;
  7446. ULONG ImportSize;
  7447. KERNEL_VERIFIER_THUNK_PAIRS const *VerifierThunk;
  7448. ULONG ThunkCount;
  7449. ULONG_PTR RealRoutine;
  7450. PULONG_PTR PointerRealRoutine;
  7452. if (KernelVerifier == FALSE) {
  7453. return;
  7454. }
  7456. ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
  7457. PsNtosImageBase,
  7458. TRUE,
  7459. IMAGE_DIRECTORY_ENTRY_IAT,
  7460. &ImportSize);
  7462. if (ImportThunk == NULL) {
  7463. return;
  7464. }
  7466. ImportSize /= sizeof(PULONG_PTR);
  7468. for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
  7470. VerifierThunk = MiKernelVerifierThunks;
  7472. for (ThunkCount = 0; ThunkCount < sizeof (MiKernelVerifierThunks) / sizeof (KERNEL_VERIFIER_THUNK_PAIRS); ThunkCount += 1) {
  7474. //
  7475. // Only the x86 has/needs this oddity - take the kernel address,
  7476. // knowing that it points at a 2 byte jmp opcode followed by
  7477. // a 4-byte indirect pointer to a destination address.
  7478. //
  7480. PointerRealRoutine = (PULONG_PTR)*((PULONG_PTR)((ULONG_PTR)VerifierThunk->PristineRoutine + 2));
  7481. RealRoutine = *PointerRealRoutine;
  7483. if (*ImportThunk == RealRoutine) {
  7485. //
  7486. // Order is important here.
  7487. //
  7489. if (MiKernelVerifierOriginalCalls[ThunkCount] == NULL) {
  7490. MiKernelVerifierOriginalCalls[ThunkCount] = (PVOID)RealRoutine;
  7491. }
  7493. *ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine);
  7495. break;
  7496. }
  7497. VerifierThunk += 1;
  7498. }
  7499. }
  7500. return;
  7501. }
  7502. #endif
  7504. //
  7505. // BEWARE: Various kernel macros were undefined above so we can pull in the
  7506. // real routines. This is needed because the real routines are exported for
  7507. // driver compatibility. This module has been carefully laid out so these
  7508. // macros are not referenced from that point to here and references go to the
  7509. // real routines.
  7510. //
  7511. // BE EXTREMELY CAREFUL IF YOU DECIDE TO ADD ROUTINES BELOW THIS POINT !
  7512. //