archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/sdktools/perfmtr/poolfind.cpp

619 lines
20 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2002 Microsoft Corporation
  5. Module Name:
  7. poolfind.cpp
  9. Abstract:
  11. This module contains the code to find the tags in a driver binary
  13. Author:
  15. Andrew Edwards (andred) Oct-2001
  17. Revision History:
  19. Swetha Narayanaswamy (swethan) 19-Mar-2002
  21. --*/
  22. #if !defined (_WIN64)
  23. #pragma warning(disable: 4514)
  25. #include "windows.h"
  26. #include "msdis.h"
  28. #include <stdlib.h>
  29. #include <stdio.h>
  30. #include <tchar.h>
  31. #include <delayimp.h>
  33. #define TAGSIZE 5
  34. #define DRIVERDIR "\\drivers\\"
  35. #define DRIVERFILEEXT "*.sys"
  36. #define MAXPATH 1024
  38. int __cdecl main(int argc, char** argv);
  39. void ParseImageFile(PTCHAR szImage);
  43. CHAR localTagFile[MAXPATH] = "localtag.txt";
  44. int cSystemDirectory = 0;
  46. //Used to form list of tags used by the same driver
  47. typedef struct _TAGLIST{
  48. TCHAR Tag[TAGSIZE];
  49. struct _TAGLIST *next;
  50. } TAGLIST, *PTAGLIST;
  53. BOOL
  54. GetTagFromCall (
  55. const BYTE *pbCall, // pointer to call instruction
  56. PTCHAR ptchTag, //out param: pointer to tag
  57. DIS *pDis,
  58. int tagLocation) //location of tag in the parameter list
  60. /*++
  62. Routine Description:
  64. This function disassembles the memory allocation function call.
  65. It finds the third push and determines the tag and
  66. places it in the ptchTag return parameter
  68. Return Value:
  70. FALSE: If unable to find tag
  71. TRUE: Otherwise
  73. --*/
  75. {
  76. // try to backup 3 pushes:
  77. // FF /6 + modrm etc
  78. // 50-5F
  79. // 6A <8imm>
  80. // 68 <32imm>
  82. int cbMax = 200;
  84. const BYTE *pb = pbCall;
  86. const BYTE *pTag = NULL;
  88. if ((ptchTag == NULL) || (pbCall == NULL) || (pDis == NULL)) return FALSE;
  90. _tcscpy(ptchTag,"");
  92. while (cbMax--)
  93. {
  94. pb--;
  96. if (pb[0] == 0x68)
  97. {
  98. // disassemble forward
  99. const BYTE *pbInst = pb;
  100. size_t cb = 1;
  101. int cPush = 0;
  103. while (cb && pbInst < pbCall)
  104. {
  105. cb = pDis->CbDisassemble( (DWORD)pbInst,
  106. pbInst, pbCall - pbInst);
  108. if ( (pbInst[0] == 0xFF) &&
  109. ((pbInst[1] & 0x38) == 0x30))
  110. {
  111. // this looks like a push <r/m>
  112. cPush++;
  113. }
  114. else if ((pbInst[0] & 0xF0) == 0x50)
  115. {
  116. // this looks like a push <reg>
  117. cPush++;
  118. }
  119. else if (pbInst[0] == 0x6A)
  120. {
  121. // this looks like a push <byte>
  122. cPush++;
  123. }
  124. else if (pbInst[0] == 0x68)
  125. {
  126. // this looks like a push <dword>
  127. cPush++;
  128. }
  129. pbInst += cb;
  130. }
  132. if (cPush == tagLocation && pbInst == pbCall)
  133. {
  134. _sntprintf(ptchTag,5,"%c%c%c%c",
  135. pb[1],pb[2],pb[3],( 0x7f &pb[4]));
  136. return TRUE;
  137. }
  138. }
  139. }
  140. return FALSE;
  141. }
  143. BOOL
  144. FindTags(
  145. const BYTE *pb,
  146. DWORD addr,
  147. PTAGLIST tagList, // out param: List of tags to append the new tags to
  148. DIS *pDis,
  149. int tagLocation) // tag location
  151. /*++
  153. Routine Description:
  155. This function reads the bytes in the instruction and looks for
  156. indirect/direct calls. The tag is appended to the tagList parameter
  158. Return Value:
  160. FALSE: If there is an exception or lack of memory
  161. TRUE: Otherwise
  163. --*/
  165. {
  167. TCHAR tag[TAGSIZE];
  168. BOOL done = FALSE;
  169. PTAGLIST tempTagNode=NULL, prevTagNode=NULL, newTagNode=NULL;
  171. if ((pb==NULL) || (tagList == NULL) || (pDis == NULL)) return FALSE;
  173. // Get the raw bytes and size of the image
  174. try
  175. {
  176. for(;;)
  177. {
  178. done = FALSE;
  180. if (pb[0] == 0xFF && pb[1] == 0x15)
  181. {
  182. // Indirect call
  183. pb += 2;
  184. if (*(DWORD *)pb == (DWORD)addr)
  185. {
  186. // Found a call
  187. if ((GetTagFromCall(pb-2,tag,pDis, tagLocation)) == FALSE)
  188. {
  189. pb++;
  190. continue;
  191. }
  192. tempTagNode = prevTagNode = tagList;
  194. while (tempTagNode != NULL)
  195. {
  196. if ((_tcscmp(tempTagNode->Tag,"")) == 0)
  197. {
  198. // Insert here
  199. _tcsncpy(tempTagNode->Tag, tag, TAGSIZE);
  200. done = TRUE;
  201. break;
  202. }
  203. else if (!(memcmp(tempTagNode->Tag,tag,TAGSIZE)))
  204. {
  205. //Tag already exists in list
  206. done = TRUE;
  207. break;
  208. }
  209. prevTagNode = tempTagNode;
  210. tempTagNode = tempTagNode->next;
  211. }
  213. if (!done )
  214. {
  215. newTagNode = (PTAGLIST)malloc(sizeof(TAGLIST));
  216. if (!newTagNode)
  217. {
  218. printf("Poolmon: Insufficient memory: %d\n", GetLastError());
  219. return FALSE;
  220. }
  222. //There is at least one node allocated so prevTagNode
  223. //will never be NULL
  224. prevTagNode->next = newTagNode;
  225. // Insert here
  226. _tcsncpy(newTagNode->Tag, tag, TAGSIZE);
  228. newTagNode->next = NULL;
  229. }
  230. }
  231. }
  233. pb++;
  234. }
  236. }
  237. catch (...)
  238. {
  239. return FALSE;
  240. }
  241. return TRUE;
  242. }
  244. unsigned RvaToPtr(unsigned rva, IMAGE_NT_HEADERS *pNtHeader)
  245. {
  246. int iSect = 0;
  247. for (PIMAGE_SECTION_HEADER pSect = IMAGE_FIRST_SECTION(pNtHeader); iSect < pNtHeader->FileHeader.NumberOfSections; pSect++, iSect++)
  248. {
  249. if (rva >= pSect->VirtualAddress &&
  250. rva < pSect->VirtualAddress + pSect->SizeOfRawData)
  251. {
  252. rva -= pSect->VirtualAddress;
  253. rva += pSect->PointerToRawData;
  254. return rva;
  255. }
  256. }
  258. //error case
  259. return 0;
  260. }
  262. void
  263. ParseImageFile(
  264. PTCHAR szImage, PTAGLIST tagList) // Image file name
  265. /*++
  267. Routine Description:
  269. This function opens the binary driver image file, reads it and looks for
  270. a memory allocation call
  272. Return Value:
  274. None
  275. --*/
  277. {
  278. DIS *pDis = NULL;
  281. if ((tagList == NULL) || (szImage == NULL) ) return;
  283. // read szImage into memory
  284. FILE *pf = NULL;
  285. pf = _tfopen(szImage, "rb");
  286. if (!pf) return;
  288. if ((fseek(pf, 0, SEEK_END )) != 0) goto exitParseImageFile;
  290. size_t cbMax = 0;
  291. cbMax = ftell(pf);
  292. if (cbMax == -1) goto exitParseImageFile;
  294. if ((fseek(pf, 0, SEEK_SET )) != 0) goto exitParseImageFile;
  296. BYTE *pbImage = NULL;
  297. pbImage = new BYTE[cbMax];
  298. if (!pbImage) goto exitParseImageFile;
  300. if ((fread( pbImage, cbMax, 1, pf )) <= 0) goto exitParseImageFile;
  302. // find the import table
  303. IMAGE_DOS_HEADER *phdr = (IMAGE_DOS_HEADER *)pbImage;
  305. if (phdr->e_magic != IMAGE_DOS_SIGNATURE)
  306. {
  307. _tprintf("Poolmon: Bad image file %s\n", szImage);
  308. goto exitParseImageFile;
  309. }
  311. if (cbMax < offsetof(IMAGE_DOS_HEADER, e_lfanew) +
  312. sizeof(phdr->e_lfanew) ||phdr->e_lfanew == 0)
  313. {
  314. _tprintf("Poolmon: Bad image file %s\n", szImage);
  315. goto exitParseImageFile;
  316. }
  318. IMAGE_NT_HEADERS *pNtHeader =
  319. (IMAGE_NT_HEADERS *) (pbImage + phdr->e_lfanew);
  320. if (pNtHeader == NULL) goto exitParseImageFile;
  322. if (pNtHeader->Signature != IMAGE_NT_SIGNATURE ||
  323. pNtHeader->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
  324. {
  325. _tprintf("Poolmon: Bad image file %s\n", szImage);
  326. goto exitParseImageFile;
  327. }
  329. // Find import tables
  330. IMAGE_DATA_DIRECTORY *pImports =
  331. (IMAGE_DATA_DIRECTORY *)&pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
  333. if (pImports == NULL) goto exitParseImageFile;
  335. unsigned rva = pImports->VirtualAddress;
  336. // need to adjust from rva to pointer accounting for section alignment
  337. rva = RvaToPtr(rva, pNtHeader);
  338. if (0 == rva) {
  339. goto exitParseImageFile;
  340. }
  342. IMAGE_IMPORT_DESCRIPTOR *pImportDescr =
  343. (IMAGE_IMPORT_DESCRIPTOR *) (pbImage+rva);
  345. if (NULL == pImportDescr)
  346. {
  347. goto exitParseImageFile;
  348. }
  350. //msdis130.dll depends on msvcr70.dll and msvcp70.dll
  351. //Try a loadlibrary on these 2 libraries, and then proceed to delayload msdis130.dll
  353. #pragma prefast(suppress:321, "user guide:Programmers developing on the .NET server can ignore this warning by filtering it out.")
  354. if ((!LoadLibrary("MSVCR70.DLL")) || (!LoadLibrary("MSVCP70.DLL")))
  355. {
  356. printf("Unable to load msvcr70.dll/msvcp70.dll, cannot create local tag file\n");
  357. if (pf) fclose(pf);
  358. if (pbImage) delete[](pbImage);
  359. exit(-1);
  360. }
  362. try {
  363. pDis = DIS::PdisNew( DIS::distX86 );
  364. }
  365. catch (...) {
  366. printf("Poolmon: Unable to load msdis130.dll, cannot create local tag file\n");
  367. if (pf) fclose(pf);
  368. if (pbImage) delete[](pbImage);
  369. exit(-1);
  370. }
  372. if (pDis == NULL)
  373. {
  374. goto exitParseImageFile;
  375. }
  377. // Find the import for ExAllocatePoolWithTag
  379. for (;pImportDescr->Name &&pImportDescr->FirstThunk;pImportDescr++)
  380. {
  382. if (0 == (rva = RvaToPtr(pImportDescr->FirstThunk, pNtHeader))) {
  383. goto exitParseImageFile;
  384. }
  385. IMAGE_THUNK_DATA32 *pIAT = (IMAGE_THUNK_DATA32 *) (pbImage + rva);
  386. if (pIAT == NULL) goto exitParseImageFile;
  388. IMAGE_THUNK_DATA32 *addrIAT =
  389. (IMAGE_THUNK_DATA32 *) (pNtHeader->OptionalHeader.ImageBase + pImportDescr->FirstThunk);
  390. if (addrIAT == NULL) goto exitParseImageFile;
  392. if (0 == (rva = RvaToPtr(pImportDescr->Characteristics, pNtHeader))) {
  393. goto exitParseImageFile;
  394. }
  395. IMAGE_THUNK_DATA32 *pINT= (IMAGE_THUNK_DATA32 *) (pbImage + rva);
  396. if (pINT == NULL) goto exitParseImageFile;
  398. for (;pIAT->u1.Ordinal;)
  399. {
  400. if (IMAGE_SNAP_BY_ORDINAL32(pINT->u1.Ordinal))
  401. {
  402. // by ordinal?
  403. }
  404. else
  405. {
  406. if (0 == (rva = RvaToPtr((int)pINT->u1.AddressOfData, pNtHeader))) {
  407. goto exitParseImageFile;
  408. }
  409. IMAGE_IMPORT_BY_NAME* pIIN = (IMAGE_IMPORT_BY_NAME*) (pbImage + rva);
  410. if (NULL == pIIN) goto exitParseImageFile;
  412. char *name = (char*)pIIN->Name;
  414. if (0 == strcmp( name, "ExAllocatePoolWithTag" ))
  415. {
  416. FindTags(pbImage, (DWORD)addrIAT,tagList, pDis,3);
  417. }
  418. else if (0 == strcmp( name, "ExAllocatePoolWithQuotaTag" ))
  419. {
  420. FindTags(pbImage, (DWORD)addrIAT,tagList,pDis,3);
  421. }
  422. else if (0 == strcmp( name, "ExAllocatePoolWithTagPriority" ))
  423. {
  424. FindTags(pbImage, (DWORD)addrIAT,tagList,pDis,3);
  425. }
  426. //wrapper functions
  427. else if(0 == strcmp(name, "NdisAllocateMemoryWithTag"))
  428. {
  429. FindTags(pbImage, (DWORD)addrIAT,tagList,pDis,3);
  430. }
  431. else if(0 == strcmp(name,"VideoPortAllocatePool"))
  432. {
  433. FindTags(pbImage, (DWORD)addrIAT,tagList,pDis,4);
  434. }
  436. }
  438. addrIAT++;
  439. pIAT++;
  440. pINT++;
  441. }
  442. }
  446. exitParseImageFile:
  447. if (pf) fclose(pf);
  448. if (pbImage) delete[](pbImage);
  449. }
  451. extern "C" BOOL MakeLocalTagFile()
  452. /*++
  454. Routine Description:
  456. This function finds files one by one in the system drivers directory and call ParseImageFile on the image
  458. Return Value:
  460. None
  461. --*/
  462. {
  463. WIN32_FIND_DATA FileData;
  464. HANDLE hSearch=0;
  465. BOOL fFinished = FALSE;
  466. TCHAR sysdir[1024];
  467. PTCHAR filename=NULL;
  468. TCHAR imageName[MAXPATH] = "";
  469. PTAGLIST tagList = NULL;
  470. BOOL ret = TRUE;
  471. FILE *fpLocalTagFile = NULL;
  473. cSystemDirectory = GetSystemDirectory(sysdir, 0);
  474. if(!cSystemDirectory)
  475. {
  476. printf("Poolmon: Unable to get system directory: %d\n", GetLastError());
  477. ret = FALSE;
  478. goto freeall;
  479. }
  481. filename = (PTCHAR)malloc(cSystemDirectory +
  482. (_tcslen(DRIVERDIR) + _tcslen(DRIVERFILEEXT) + 1) * sizeof(TCHAR));
  484. if(!filename)
  485. {
  486. ret = FALSE;
  487. goto freeall;
  488. }
  490. GetSystemDirectory(filename, cSystemDirectory + 1);
  491. _tcscat(filename, DRIVERDIR);
  492. _tcscat(filename, DRIVERFILEEXT);
  494. // Search for .sys files
  495. hSearch = FindFirstFile(filename, &FileData);
  496. if (hSearch == INVALID_HANDLE_VALUE)
  497. {
  498. printf("Poolmon: No .sys files found\n");
  499. ret = FALSE;
  500. goto freeall;
  501. }
  503. _tcsncpy(imageName, filename,MAXPATH);
  504. imageName[MAXPATH-1] = '\0';
  507. tagList = (PTAGLIST)malloc(sizeof(TAGLIST));
  508. if (!tagList)
  509. {
  510. ret = FALSE;
  511. goto freeall;
  512. }
  513. _tcscpy(tagList->Tag,"");
  514. tagList->next = NULL;
  516. int cImagePath = cSystemDirectory+ _tcslen(DRIVERDIR) -1;
  518. while (!fFinished)
  519. {
  520. // Do all the initializations for the next round
  521. // Remove the previous name
  522. imageName[cImagePath] = '\0';
  524. // Initialize existing tagList
  525. PTAGLIST tempTagNode = tagList;
  526. while (tempTagNode != NULL)
  527. {
  528. _tcscpy(tempTagNode->Tag,"");
  529. tempTagNode = tempTagNode->next;
  530. }
  532. try
  533. {
  534. _tcsncat(imageName, FileData.cFileName,MAXPATH-cImagePath);
  535. ParseImageFile(imageName,tagList);
  537. //Remove .sys from szImage
  538. imageName[_tcslen(imageName) - 4] = '\0';
  539. }
  540. catch(...)
  541. {
  542. _tprintf("Poolmon: Could not read tags from %s\n", imageName);
  543. }
  545. if (!fpLocalTagFile)
  546. {
  547. printf("Poolmon: Creating %s in current directory......\n", localTagFile);
  548. fpLocalTagFile = fopen(localTagFile, "w");
  549. if (!fpLocalTagFile)
  550. {
  551. ret = FALSE;
  552. goto freeall;
  553. }
  554. }
  556. tempTagNode = tagList;
  557. while (tempTagNode != NULL)
  558. {
  559. if ((_tcscmp(tempTagNode->Tag,"")))
  560. {
  561. _ftprintf(fpLocalTagFile, "%s - %s\n",
  562. tempTagNode->Tag,imageName + cSystemDirectory + _tcslen(DRIVERDIR) -1);
  564. tempTagNode = tempTagNode->next;
  565. }
  566. else break;
  567. }
  569. if (!FindNextFile(hSearch, &FileData))
  570. {
  571. if (GetLastError() == ERROR_NO_MORE_FILES)
  572. {
  573. fFinished = TRUE;
  574. }
  575. else
  576. {
  577. printf("Poolmon: Cannot find next .sys file\n");
  578. }
  579. }
  580. }
  583. freeall:
  584. // Close the search handle.
  585. if (hSearch)
  586. {
  587. if (!FindClose(hSearch)) {
  588. printf("Poolmon: Unable to close search handle: %d\n", GetLastError());
  589. }
  590. }
  592. if (filename) free(filename);
  593. if (fpLocalTagFile) fclose(fpLocalTagFile);
  594. //Free tagList memory
  595. PTAGLIST tempTagNode = tagList,prevTagNode = tagList;
  596. while (tempTagNode != NULL)
  597. {
  598. tempTagNode = tempTagNode->next;
  599. free(prevTagNode);
  600. prevTagNode = tempTagNode;
  601. }
  603. return ret;
  605. }
  607. FARPROC
  608. WINAPI
  609. PoolmonDLoadErrorHandler (
  610. UINT unReason,
  611. PDelayLoadInfo pDelayInfo
  612. )
  613. {
  614. printf("Poolmon: Unable to load required dlls, cannot create local tag file\n");
  615. exit(-1);
  616. }
  618. PfnDliHook __pfnDliFailureHook2 = PoolmonDLoadErrorHandler;
  619. #endif