|
|
/*++
Copyright (c) 1990 Microsoft Corporation
Module Name:
stat.c
Abstract:
Pentium stat driver.
Author:
Ken Reneris
Environment:
Notes:
Revision History:
--*/
#include "stdarg.h"
#include "stdio.h"
#define _NTDDK_
#include "ntos.h" // *** USES INTERNAL DEFINES ***
#include "..\..\pstat.h"
#include "stat.h"
#include "zwapi.h"
�
typedefVOID(*pHalProfileInterrupt) ( KPROFILE_SOURCE ProfileSource );
//
// Global data (not in device extension)
//
//
// stats
//
PACCUMULATORS StatProcessorAccumulators[MAXIMUM_PROCESSORS];ACCUMULATORS StatGlobalAccumulators [MAXIMUM_PROCESSORS];PKPCR KiProcessorControlRegister [MAXIMUM_PROCESSORS];
//
// hooked thunks
//
ULONG KeUpdateSystemTimeThunk;ULONG KeUpdateRunTimeThunk;pHalProfileInterrupt HaldStartProfileInterrupt;pHalProfileInterrupt HaldStopProfileInterrupt;pHalQuerySystemInformation HaldQuerySystemInformation;pHalSetSystemInformation HaldSetSystemInformation;
//
// hardware control
//
ULONG NoCESR;ULONG MsrCESR;ULONG MsrCount;#define MsrTSC 0x10
#define NoCount 2
ULONG CESR[MAX_EVENTS];ULONG EventID[MAX_EVENTS];
FAST_MUTEX HookLock;ULONG StatMaxThunkCounter;LIST_ENTRY HookedThunkList;LIST_ENTRY LazyFreeList;
ULONG LazyFreeCountdown;KTIMER LazyFreeTimer;KDPC LazyFreeDpc;WORK_QUEUE_ITEM LazyFreePoolWorkItem;
extern COUNTED_EVENTS P5Events[];extern COUNTED_EVENTS P6Events[];ULONG MaxEvent;PCOUNTED_EVENTS Events;
ULONG ProcType;#define GENERIC_X86 0
#define INTEL_P5 1
#define INTEL_P6 2
//
// Profile support
//
#define PROFILE_SOURCE_BASE 0x1000
typedef struct { ULONG CESR; KPROFILE_SOURCE Source; ULONGLONG InitialCount;} PROFILE_EVENT, *PPROFILE_EVENT;
BOOLEAN DisableRDPMC;BOOLEAN ProfileSupported;PPROFILE_EVENT ProfileEvents, CurrentProfileEvent;
ULONGLONG FASTCALL RDMSR(ULONG);VOID WRMSR(ULONG, ULONGLONG);VOID StatSystemTimeHook(VOID);VOID StatRunTimeHook(VOID);VOID SystemTimeHook(VOID);VOID RunTimeHook(VOID);PKPCR CurrentPcr(VOID);ULONG GetCR4(VOID);VOID SetCR4(ULONG);
NTSTATUSDriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath );
NTSTATUSStatDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp );
NTSTATUSStatQueryEvents ( ULONG Index, PEVENTID Buffer, ULONG Length );
NTSTATUSStatQueryEventsInfo ( PEVENTS_INFO Buffer, ULONG Length );
NTSTATUSStatHookGenericThunk ( IN PHOOKTHUNK Buffer );
VOIDStatRemoveGenericHook ( IN PULONG pTracerId);
NTSTATUSStatOpen( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp );
NTSTATUSStatClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp );
BOOLEANStatHookTimer (VOID);
VOID StatReadStats (PULONG Buffer);VOID StatSetCESR (PSETEVENT);ULONG StatGetP5CESR (PSETEVENT);ULONG StatGetP6CESR (PSETEVENT, BOOLEAN);VOID RemoveAllHookedThunks (VOID);VOID FASTCALL TimerHook (ULONG p);VOID FASTCALL TimerHook (ULONG p);VOID SetMaxThunkCounter (VOID);VOID RemoveAllHookedThunks (VOID);VOID LazyFreePoolDPC (PKDPC, PVOID, PVOID, PVOID);VOID LazyFreePool (PVOID);
VOIDStatEnableRDPMC( );
PPROFILE_EVENTStatProfileEvent ( KPROFILE_SOURCE Source );
VOIDStatStartProfileInterrupt ( KPROFILE_SOURCE Source );
VOIDStatStopProfileInterrupt ( KPROFILE_SOURCE Source );
NTSTATUSFASTCALLStatProfileInterrupt ( IN PKTRAP_FRAME TrapFrame );
NTSTATUSStatQuerySystemInformation( IN HAL_QUERY_INFORMATION_CLASS InformationClass, IN ULONG BufferSize, OUT PVOID Buffer, OUT PULONG ReturnedLength );
NTSTATUSStatSetSystemInformation( IN HAL_SET_INFORMATION_CLASS InformationClass, IN ULONG BufferSize, IN PVOID Buffer );
VOIDCreateHook ( IN PVOID HookCode, IN PVOID HookAddress, IN ULONG HitCounters, IN ULONG HookType);
NTSTATUSopenfile ( IN PHANDLE FileHandle, IN PUCHAR BasePath, IN PUCHAR Name);
VOIDreadfile ( HANDLE handle, ULONG offset, ULONG len, PVOID buffer);
ULONGImportThunkAddress ( IN PUCHAR SourceModule, IN ULONG_PTR ImageBase, IN PUCHAR ImportModule, IN PUCHAR ThunkName, IN PVOID ModuleList );
ULONGImportThunkAddressModule ( IN PRTL_PROCESS_MODULE_INFORMATION SourceModule, IN PUCHAR ImportModule, IN PUCHAR ThunkName );
ULONGImportThunkAddressProcessFile( IN ULONG_PTR ImageBase, IN HANDLE FileHandle, IN PUCHAR ImportModule, IN PUCHAR ThunkName );
ULONG_PTRLookupImageBase ( IN PUCHAR SourceModule, IN PVOID ModuleList );
ULONGConvertImportAddress ( IN ULONG ImageRelativeAddress, IN ULONG PoolAddress, IN PIMAGE_SECTION_HEADER SectionHeader );
#if 0
PRTL_PROCESS_MODULE_INFORMATIONGetModuleInformationFuzzy( IN PUCHAR StartsWith, IN PUCHAR EndsWith, IN PRTL_PROCESS_MODULES Modules );#endif
VOIDFASTCALLNakedCallToKeProfileInterruptWithSource( IN PKTRAP_FRAME TrapFrame, IN KPROFILE_SOURCE Source );
PVOIDGetLoadedModuleList( VOID );
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT,DriverEntry)
#pragma alloc_text(INIT,StatHookTimer)
#pragma alloc_text(PAGE,StatDeviceControl)
#pragma alloc_text(PAGE,StatOpen)
#pragma alloc_text(PAGE,StatClose)
#pragma alloc_text(PAGE,StatReadStats)
#pragma alloc_text(PAGE,StatSetCESR)
#pragma alloc_text(PAGE,StatGetP5CESR)
#pragma alloc_text(PAGE,StatGetP6CESR)
#pragma alloc_text(PAGE,StatDeviceControl)
#pragma alloc_text(PAGE,StatQueryEvents)
#pragma alloc_text(PAGE,ImportThunkAddress)
#pragma alloc_text(PAGE,ImportThunkAddressModule)
#pragma alloc_text(PAGE,ImportThunkAddressProcessFile)
#pragma alloc_text(PAGE,StatHookGenericThunk)
#pragma alloc_text(PAGE,StatRemoveGenericHook)
#pragma alloc_text(PAGE,SetMaxThunkCounter)
#pragma alloc_text(PAGE,LazyFreePool)
#pragma alloc_text(PAGE,StatQuerySystemInformation)
#pragma alloc_text(PAGE,StatSetSystemInformation)
#pragma alloc_text(PAGE,openfile)
#pragma alloc_text(PAGE,readfile)
#pragma alloc_text(PAGE,LookupImageBase)
#pragma alloc_text(PAGE,ConvertImportAddress)
#pragma alloc_text(PAGE,StatEnableRDPMC)
#pragma alloc_text(PAGE,GetLoadedModuleList)
#endif
�VOIDStatEnableRDPMC(){ ULONG Cr4; PKPRCB Prcb;
Prcb = CurrentPcr()->Prcb; if (strcmp(Prcb->VendorString, "GenuineIntel") == 0) {
//
// Profiling only supported on family 6 or above.
//
if (Prcb->CpuType < 6) { DisableRDPMC = TRUE; return; }
//
// Check for busted parts. Anything below stepping 6,1,9
// is subject to errata 26 which says RDPMC cannot be used
// with SMM. As we have know way of knowing if SMM is in
// use (but it probably is), we must disable on those chips.
//
if ((Prcb->CpuType == 6) && (Prcb->CpuStep < 0x0109)) { DisableRDPMC = TRUE; return; }
//
// This processor is believed to be able to handle RDPMC
// from user mode. Enable it by setting CR4.PCE (bit 8).
//
Cr4 = GetCR4();
Cr4 |= 0x100;
SetCR4(Cr4); }}�NTSTATUSDriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
/*++
Routine Description:
This routine initializes the stat driver.
Arguments:
DriverObject - Pointer to driver object created by system.
RegistryPath - Pointer to the Unicode name of the registry path for this driver.
Return Value:
The function value is the final status from the initialization operation.
--*/
{ UNICODE_STRING unicodeString; PDEVICE_OBJECT deviceObject; NTSTATUS status; ULONG i;
KdPrint(( "STAT: DriverEntry()\n" ));
//
// Create non-exclusive device object for beep device.
//
RtlInitUnicodeString(&unicodeString, L"\\Device\\PStat");
status = IoCreateDevice( DriverObject, 0, &unicodeString, FILE_DEVICE_UNKNOWN, // DeviceType
0, FALSE, &deviceObject );
if (status != STATUS_SUCCESS) { KdPrint(( "Stat - DriverEntry: unable to create device object: %X\n", status )); return(status); }
deviceObject->Flags |= DO_BUFFERED_IO;
//
// Set up the device driver entry points.
//
DriverObject->MajorFunction[IRP_MJ_CREATE] = StatOpen; DriverObject->MajorFunction[IRP_MJ_CLOSE] = StatClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = StatDeviceControl;
//
// Initialize globals
//
for (i = 0; i < MAXIMUM_PROCESSORS; i++) { StatProcessorAccumulators[i] = &StatGlobalAccumulators[i]; } ExInitializeFastMutex (&HookLock); KeInitializeDpc (&LazyFreeDpc, LazyFreePoolDPC, 0); ExInitializeWorkItem (&LazyFreePoolWorkItem, LazyFreePool, NULL) KeInitializeTimer (&LazyFreeTimer);
if (strcmp (CurrentPcr()->Prcb->VendorString, "GenuineIntel") == 0) { switch (CurrentPcr()->Prcb->CpuType) { case 5: NoCESR = 1; MsrCESR = 0x11; MsrCount = 0x12; Events = P5Events; ProcType = INTEL_P5; ProfileSupported = FALSE; DisableRDPMC = TRUE; break;
case 6: NoCESR = 2; MsrCESR = 0x186; MsrCount = 0xc1; Events = P6Events; ProcType = INTEL_P6; ProfileSupported = TRUE; DisableRDPMC = FALSE; break;
} }
if (Events) { while (Events[MaxEvent].Description) { MaxEvent += 1; } }
if (ProfileSupported) { i = (ULONG) StatProfileInterrupt; status = HalSetSystemInformation ( HalProfileSourceInterruptHandler, sizeof (i), &i );
if (!NT_SUCCESS(status)) { // hal did not support hooking the performance interrupt
ProfileSupported = FALSE; } }
if (ProfileSupported) { //
// Allocate ProfileEvents
//
ProfileEvents = ExAllocatePool (NonPagedPool, sizeof (PROFILE_EVENT) * MaxEvent);
if (!ProfileEvents) {
ProfileSupported = FALSE;
} else {
RtlZeroMemory (ProfileEvents, sizeof (PROFILE_EVENT) * MaxEvent);
} }
if (!StatHookTimer()) { IoDeleteDevice(DriverObject->DeviceObject); return STATUS_UNSUCCESSFUL; }
InitializeListHead (&HookedThunkList); InitializeListHead (&LazyFreeList);
return(STATUS_SUCCESS);}�NTSTATUSStatDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
/*++
Routine Description:
This routine is the dispatch routine for device control requests.
Arguments:
DeviceObject - Pointer to class device object.
Irp - Pointer to the request packet.
Return Value:
Status is returned.
--*/
{ PIO_STACK_LOCATION irpSp; NTSTATUS status; ULONG BufferLength; PULONG Buffer;
//
// Get a pointer to the current parameters for this request. The
// information is contained in the current stack location.
//
irpSp = IoGetCurrentIrpStackLocation(Irp);
//
// Case on the device control subfunction that is being performed by the
// requestor.
//
status = STATUS_SUCCESS; try {
Buffer = (PULONG) irpSp->Parameters.DeviceIoControl.Type3InputBuffer; BufferLength = irpSp->Parameters.DeviceIoControl.InputBufferLength;
switch (irpSp->Parameters.DeviceIoControl.IoControlCode) {
case PSTAT_READ_STATS: //
// read stats
//
StatReadStats (Buffer); break;
case PSTAT_SET_CESR: //
// Set MSRs to collect stats
//
StatSetCESR ((PSETEVENT) Buffer); break;
case PSTAT_HOOK_THUNK: //
// Hook an import entry point
//
status = StatHookGenericThunk ((PHOOKTHUNK) Buffer); break;
case PSTAT_REMOVE_HOOK: //
// Remove a hook from an entry point
//
StatRemoveGenericHook (Buffer); break;
case PSTAT_QUERY_EVENTS: //
// Query possible stats which can be collected
//
status = StatQueryEvents (*Buffer, (PEVENTID) Buffer, BufferLength); break;
case PSTAT_QUERY_EVENTS_INFO: //
// Query events info
//
status = StatQueryEventsInfo( (PEVENTS_INFO) Buffer, BufferLength ); break;
default: status = STATUS_INVALID_PARAMETER; break; }
} except(EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); }
//
// Request is done...
//
IoCompleteRequest(Irp, IO_NO_INCREMENT); return(status);}�NTSTATUSStatOpen( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ){ PAGED_CODE();
//
// Complete the request and return status.
//
Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IoCompleteRequest(Irp, IO_NO_INCREMENT); return(STATUS_SUCCESS);}
�NTSTATUSStatClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ){ PAGED_CODE();
//
// Complete the request and return status.
//
RemoveAllHookedThunks ();
Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IoCompleteRequest(Irp, IO_NO_INCREMENT); return(STATUS_SUCCESS);}
#if 0
VOIDStatUnload ( IN PDRIVER_OBJECT DriverObject )
{ PDEVICE_OBJECT deviceObject;
PAGED_CODE();
RemoveAllHookedThunks (); KeCancelTimer (&LazyFreeTimer); LazyFreePool (NULL);
//
// Restore hooked addresses
//
*((PULONG) HalThunkForKeUpdateSystemTime) = KeUpdateSystemTimeThunk; if (HalThunkForKeUpdateRunTime) { *((PULONG) HalThunkForKeUpdateRunTime) = KeUpdateRunTimeThunk; }
//
// Delete the device object.
//
IoDeleteDevice(DriverObject->DeviceObject); return;}#endif
�
VOIDStatReadStats (PULONG Buffer){ PACCUMULATORS Accum; ULONG i, r1; pPSTATS Inf; PKPCR Pcr;
PAGED_CODE();
Buffer[0] = sizeof (PSTATS); Inf = (pPSTATS)(Buffer + 1);
for (i = 0; i < MAXIMUM_PROCESSORS; i++, Inf++) { Pcr = KiProcessorControlRegister[i]; if (Pcr == NULL) { continue; }
Accum = StatProcessorAccumulators[i];
do { r1 = Accum->CountStart; Inf->TSC = Accum->TSC;
for (i=0; i < MAX_EVENTS; i++) { Inf->Counters[i] = Accum->Counters[i]; Inf->EventId[i] = EventID[i]; }
Inf->SpinLockAcquires = Pcr->KernelReserved[0]; Inf->SpinLockCollisions = Pcr->KernelReserved[1]; Inf->SpinLockSpins = Pcr->KernelReserved[2]; Inf->Irqls = Pcr->KernelReserved[3];
} while (r1 != Accum->CountEnd);
RtlMoveMemory (Inf->ThunkCounters, (CONST VOID *)(Accum->ThunkCounters), StatMaxThunkCounter * sizeof (ULONG));
}}
NTSTATUSStatQueryEvents ( ULONG Index, PEVENTID Buffer, ULONG Length ){ ULONG i;
if (Index >= MaxEvent) { return STATUS_NO_MORE_ENTRIES; }
i = sizeof (EVENTID) + strlen(Events[Index].Token) + 1 + strlen(Events[Index].Description) + 1;
if (Length < i) { return STATUS_BUFFER_TOO_SMALL; }
memset (Buffer, 0, i); Buffer->EventId = Events[Index].Encoding; Buffer->DescriptionOffset = strlen (Events[Index].Token) + 1; Buffer->SuggestedIntervalBase = Events[Index].SuggestedIntervalBase; strcpy (Buffer->Buffer, Events[Index].Token); strcpy (Buffer->Buffer + Buffer->DescriptionOffset, Events[Index].Description);
if (ProfileSupported) { Buffer->ProfileSource = PROFILE_SOURCE_BASE + Index; }
return STATUS_SUCCESS;}
NTSTATUSStatQueryEventsInfo ( PEVENTS_INFO Buffer, ULONG Length ){ size_t maxLenToken, maxLenOfficialToken; size_t maxLenDescription, maxLenOfficialDescription;
PAGED_CODE();
if ( Length < sizeof(*Buffer) ) { return STATUS_INVALID_PARAMETER; } maxLenToken = maxLenOfficialToken = 0; maxLenDescription = maxLenOfficialDescription = 0; if ( MaxEvent ) { ULONG i; size_t len; for ( i = 0; i < MaxEvent; i++ ) { len = ( Events[i].Token ) ? strlen( Events[i].Token ) : 0; if ( len > maxLenToken ) { maxLenToken = len; } len = ( Events[i].OfficialToken ) ? strlen( Events[i].OfficialToken ) : 0; if ( len > maxLenToken ) { maxLenOfficialToken = len; } len = ( Events[i].Description ) ? strlen( Events[i].Description ) : 0; if ( len > maxLenDescription ) { maxLenDescription = len; } len = ( Events[i].OfficialDescription ) ? strlen( Events[i].OfficialDescription ) : 0; if ( len > maxLenOfficialDescription ) { maxLenOfficialDescription = len; } } }
Buffer->Events = MaxEvent; Buffer->TokenMaxLength = maxLenToken; Buffer->DescriptionMaxLength = maxLenDescription; Buffer->OfficialTokenMaxLength = maxLenOfficialToken; Buffer->OfficialDescriptionMaxLength = maxLenOfficialDescription;
return STATUS_SUCCESS;
} // StatQueryEventsInfo()
ULONGStatGetP5CESR ( PSETEVENT NewEvent ){ ULONG NewCESR;
if (!NewEvent->Active) { return 0; }
NewCESR = NewEvent->EventId & 0x3f; NewCESR |= NewEvent->UserMode ? 0x80 : 0; NewCESR |= NewEvent->KernelMode ? 0x40 : 0; return NewCESR;}
ULONGStatGetP6CESR ( PSETEVENT NewEvent, BOOLEAN Profile ){ ULONG NewCESR;
NewCESR = NewEvent->EventId & 0xffff; NewCESR |= NewEvent->Active ? (1 << 22) : 0; NewCESR |= NewEvent->UserMode ? (1 << 16) : 0; NewCESR |= NewEvent->KernelMode ? (1 << 17) : 0; NewCESR |= NewEvent->EdgeDetect ? (1 << 18) : 0; NewCESR |= Profile ? (1 << 20) : 0; return NewCESR;}
VOIDStatSetCESR ( PSETEVENT NewEvent ){ ULONG i, j, NoProc; ULONG NewCESR[MAX_EVENTS];
PAGED_CODE();
switch (ProcType) { case INTEL_P5: NewCESR[0] = StatGetP5CESR(NewEvent+0); NewCESR[0] |= StatGetP5CESR(NewEvent+1) << 16; break;
case INTEL_P6: NewCESR[0] = StatGetP6CESR(NewEvent+0, FALSE); NewCESR[1] = StatGetP6CESR(NewEvent+1, FALSE); break; }
//
// Check if CESR changed
//
for (i=0; i < NoCESR; i++) { if (NewCESR[i] != CESR[i]) { break; } }
if (i == NoCESR) { // no change, all done
return; }
//
// Set new events
//
for (i=0; i < MAX_EVENTS; i++) { EventID[i] = NewEvent[i].EventId; }
//
// Set new CESR values
//
for (i=0; i < NoCESR; i++) { CESR[i] = NewCESR[i]; }
//
// Clear each processors Pcr pointer so they will reset.
// Also count how many processors there are.
//
for (i = 0, NoProc = 0; i < MAXIMUM_PROCESSORS; i++) { if (KiProcessorControlRegister[i]) { KiProcessorControlRegister[i] = NULL; NoProc++; } }
//
// wait for each processor to get the new Pcr value
//
do { //Sleep (0); // yield
j = 0; for (i = 0; i < MAXIMUM_PROCESSORS; i++) { if (KiProcessorControlRegister[i]) { j++; } } } while (j < NoProc);}
VOIDFASTCALLStatTimerHook ( IN ULONG processor){ PACCUMULATORS Total; ULONG i;
if (KiProcessorControlRegister[processor] == NULL) { for (i=0; i < NoCESR; i++) { WRMSR (MsrCESR+i, 0); // clear old CESR
}
for (i=0; i < NoCESR; i++) { WRMSR (MsrCESR+i, CESR[i]); // write new CESR
}
KiProcessorControlRegister[processor] = CurrentPcr();
//
// Enable RDPMC from Rings 1, 2 and 3.
//
StatEnableRDPMC(); }
Total = StatProcessorAccumulators[ processor ]; Total->CountStart += 1;
for (i=0; i < NoCount; i++) { Total->Counters[i] = RDMSR(MsrCount+i); }
Total->TSC = RDMSR(MsrTSC); Total->CountEnd += 1;}
VOIDFASTCALLTimerHook ( IN ULONG processor){
// for compatibility
//
if (KiProcessorControlRegister[processor] == NULL) { KiProcessorControlRegister[processor] = CurrentPcr(); }}
PVOIDGetLoadedModuleList( VOID ){ NTSTATUS Status; ULONG BufferSize; ULONG NeededSize; ULONG ModuleNumber; PRTL_PROCESS_MODULES Modules; PRTL_PROCESS_MODULE_INFORMATION Module;
//
// 64K should be plenty,... if it isn't we'll come around again.
//
BufferSize = 64000;
while (TRUE) { Modules = ExAllocatePool (PagedPool, BufferSize); if (!Modules) { return NULL; }
//
// Get system loaded module list.
//
Status = ZwQuerySystemInformation ( SystemModuleInformation, Modules, BufferSize, &NeededSize );
if (NeededSize > BufferSize) {
//
// Buffer not big enough, try again.
//
ExFreePool(Modules); BufferSize = NeededSize; continue; }
if (!NT_SUCCESS(Status)) {
//
// Not good, give up.
//
ExFreePool(Modules); return NULL; }
//
// All is good.
//
break; }
return Modules;}
#if 0
PRTL_PROCESS_MODULE_INFORMATIONGetModuleInformationFuzzy( IN PUCHAR StartsWith, IN PUCHAR EndsWith, IN PRTL_PROCESS_MODULES Modules )
/*++
Routine Description:
Run Down the loaded module list looking for a module whos name begins with StartWith and ends with EndsWith. (What's in the middle doesn't matter). This is useful for finding the kernel and the hal which are of the form nt*.exe for the kernel hal*.dll for the hal.
Arguments:
StartsWith Beginning string match. EndsWith Ending string match. ModuleList List of loaded modules.
Returns:
Pointer to the loaded module information for the matching module or null if no match is found.
--*/
{ ULONG StartLength = 0; ULONG EndLength = 0; ULONG ModulesRemaining; PRTL_PROCESS_MODULE_INFORMATION Module; PUCHAR FileName; ULONG FileNameLength;
if (StartsWith) { StartLength = strlen(StartsWith); }
if (EndsWith) { EndLength = strlen(EndsWith); }
if ((!StartsWith) && (!EndsWith)) {
//
// In theory we could claim this matches anything,.. in reality
// the caller doesn't know what they're doing.
//
return NULL; }
for (ModulesRemaining = Modules->NumberOfModules, Module = Modules->Modules; ModulesRemaining; ModulesRemaining--, Module++) {
FileName = Module->FullPathName + Module->OffsetToFileName;
//
// Check start.
//
if (StartLength) { if (_strnicmp(FileName, StartsWith, StartLength) != 0) {
//
// No match.
//
continue; } }
FileNameLength = strlen(FileName);
if (FileNameLength < (StartLength + EndLength)) {
//
// FileName is too short to contain both strings.
//
continue; }
if (!EndLength) {
//
// Not checking the end but the start matches, success.
//
return Module; }
//
// Check end.
//
if (_stricmp(FileName + FileNameLength - EndLength, EndsWith) == 0) {
//
// Tail matches!
//
return Module; } }
//
// No match found.
//
return NULL;}#endif
BOOLEANStatHookTimer (VOID){ PULONG Address; ULONG HalThunkForKeUpdateSystemTime; ULONG HalThunkForKeUpdateRunTime; ULONG HalThunkForStartProfileInterrupt; ULONG HalThunkForStopProfileInterrupt; PRTL_PROCESS_MODULES ModuleList; PRTL_PROCESS_MODULE_INFORMATION Kernel; PRTL_PROCESS_MODULE_INFORMATION Hal;
ModuleList = GetLoadedModuleList(); if (!ModuleList) {
//
// No loaded module list, we aren't going to make much
// progress, give up.
//
return FALSE; }
#if 0
Kernel = GetModuleInformationFuzzy("nt", ".exe", ModuleList); Hal = GetModuleInformationFuzzy("hal", ".dll", ModuleList);
if ((!Kernel) || (!Hal)) { ExFreePool(ModuleList); return FALSE; }
#endif
//
// The kernel is always the first entry on the loaded module
// list, the hal is always the second. If this ever changes
// we'll need to come up with another approach.
//
if (ModuleList->NumberOfModules < 2) {
//
// Something's very wrong with this module list.
//
return 0; }
Kernel = ModuleList->Modules; Hal = Kernel + 1;
HalThunkForKeUpdateSystemTime = ImportThunkAddressModule( Hal, "ntoskrnl.exe", "KeUpdateSystemTime" );
//
// KeUpdateRunTime is not always available.
//
HalThunkForKeUpdateRunTime = ImportThunkAddressModule( Hal, "ntoskrnl.exe", "KeUpdateRunTime" );
HalThunkForStartProfileInterrupt = ImportThunkAddressModule( Kernel, "hal.dll", "HalStartProfileInterrupt" );
HalThunkForStopProfileInterrupt = ImportThunkAddressModule( Kernel, "hal.dll", "HalStopProfileInterrupt" );
ExFreePool(ModuleList);
if (!HalThunkForKeUpdateSystemTime || !HalThunkForStartProfileInterrupt || !HalThunkForStopProfileInterrupt) {
//
// Imports not found.
//
return FALSE; }
//
// Patch in timer hooks, Read current values
//
KeUpdateSystemTimeThunk = *((PULONG) HalThunkForKeUpdateSystemTime);
if (HalThunkForKeUpdateRunTime) { KeUpdateRunTimeThunk = *((PULONG) HalThunkForKeUpdateRunTime); }
HaldStartProfileInterrupt = (pHalProfileInterrupt) *((PULONG) HalThunkForStartProfileInterrupt); HaldStopProfileInterrupt = (pHalProfileInterrupt) *((PULONG) HalThunkForStopProfileInterrupt); HaldQuerySystemInformation = HalQuerySystemInformation; HaldSetSystemInformation = HalSetSystemInformation;
//
// Set Stat hook functions
//
switch (ProcType) { case INTEL_P6: case INTEL_P5: Address = (PULONG) HalThunkForKeUpdateSystemTime; *Address = (ULONG) StatSystemTimeHook;
if (HalThunkForKeUpdateRunTime) { Address = (PULONG) HalThunkForKeUpdateRunTime; *Address = (ULONG)StatRunTimeHook; }
if (ProfileSupported) { Address = (PULONG) HalThunkForStartProfileInterrupt; *Address = (ULONG) StatStartProfileInterrupt;
Address = (PULONG) HalThunkForStopProfileInterrupt; *Address = (ULONG) StatStopProfileInterrupt;
HalQuerySystemInformation = StatQuerySystemInformation; HalSetSystemInformation = StatSetSystemInformation; } break;
default: Address = (PULONG) HalThunkForKeUpdateSystemTime; KdPrint(( "Stat - DriverEntry(5): %X\n", Address )); *Address = (ULONG)SystemTimeHook;
if (HalThunkForKeUpdateRunTime) { Address = (PULONG) HalThunkForKeUpdateRunTime; KdPrint(( "Stat - DriverEntry(6): %X\n", Address ));
*Address = (ULONG)RunTimeHook; } break; }
return TRUE;
}
PPROFILE_EVENTStatProfileEvent( KPROFILE_SOURCE Source ){ ULONG Index;
Index = (ULONG) Source;
if (Index < PROFILE_SOURCE_BASE) { return NULL; }
Index -= PROFILE_SOURCE_BASE; if (Index > MaxEvent) { return NULL; }
return ProfileEvents + Index;}
VOIDStatStartProfileInterrupt ( KPROFILE_SOURCE Source ){ ULONG i; PPROFILE_EVENT ProfileEvent;
//
// If this isn't a profile source we're supporting, pass it on
//
ProfileEvent = StatProfileEvent(Source); if (!ProfileEvent) { HaldStartProfileInterrupt (Source); return; }
if (CurrentPcr()->Number == 0) {
if (!ProfileEvent->Source) { return ; }
CurrentProfileEvent = ProfileEvent; }
//
// Set the CESR
//
WRMSR (MsrCESR, ProfileEvent->CESR);
//
// Prime the interval counter
//
WRMSR (MsrCount, ProfileEvent->InitialCount);}
VOIDStatStopProfileInterrupt ( KPROFILE_SOURCE Source ){ ULONG i; PPROFILE_EVENT ProfileEvent;
//
// If this isn't a profile source we're supporting, pass it on
//
ProfileEvent = StatProfileEvent(Source); if (!ProfileEvent) { HaldStopProfileInterrupt (Source); return ; }
if (CurrentPcr()->Number == 0) {
if (ProfileEvent == CurrentProfileEvent) { //
// Stop calling the kernel
//
CurrentProfileEvent = NULL; }
}}
// The naked call does not work anymore because the call parameters are not saved
// (probably due to change in compiler behaviour)
//_declspec(naked)
VOIDFASTCALLNakedCallToKeProfileInterruptWithSource( IN PKTRAP_FRAME TrapFrame, IN KPROFILE_SOURCE Source ){/*
_asm { push ebp ; Save these as KeProfileInterrupt nukes them push ebx push esi push edi }*/ KeProfileInterruptWithSource (TrapFrame, Source);/*
_asm { pop edi pop esi pop ebx pop ebp ret }*/}
NTSTATUSFASTCALLStatProfileInterrupt ( IN PKTRAP_FRAME TrapFrame ){ ULONG i; ULONG current; PPROFILE_EVENT ProfileEvent;
ProfileEvent = CurrentProfileEvent; if (ProfileEvent) { current = (ULONG) RDMSR(MsrCount);
//
// Did this event fire?
//
if (current < ProfileEvent->InitialCount) {
//
// Notify kernel
//
NakedCallToKeProfileInterruptWithSource( TrapFrame, ProfileEvent->Source );
//
// Reset trigger counter
//
WRMSR (MsrCount, ProfileEvent->InitialCount);
}
}
return STATUS_SUCCESS;}
NTSTATUSStatQuerySystemInformation ( IN HAL_QUERY_INFORMATION_CLASS InformationClass, IN ULONG BufferSize, OUT PVOID Buffer, OUT PULONG ReturnedLength ){ PHAL_PROFILE_SOURCE_INFORMATION ProfileSource; ULONG i; PPROFILE_EVENT ProfileEvent;
if (InformationClass == HalProfileSourceInformation) { ProfileSource = (PHAL_PROFILE_SOURCE_INFORMATION) Buffer; *ReturnedLength = sizeof (HAL_PROFILE_SOURCE_INFORMATION);
if (BufferSize < sizeof (HAL_PROFILE_SOURCE_INFORMATION)) { return STATUS_BUFFER_TOO_SMALL; }
ProfileEvent = StatProfileEvent(ProfileSource->Source); if (ProfileEvent) { ProfileSource->Interval = 0 - (ULONG) ProfileEvent->InitialCount; ProfileSource->Supported = TRUE; return STATUS_SUCCESS; } }
//
// Not our QuerySystemInformation request, pass it on
//
return HaldQuerySystemInformation (InformationClass, BufferSize, Buffer, ReturnedLength);}
NTSTATUSStatSetSystemInformation( IN HAL_SET_INFORMATION_CLASS InformationClass, IN ULONG BufferSize, IN PVOID Buffer ){ PHAL_PROFILE_SOURCE_INTERVAL ProfileInterval; SETEVENT SetEvent; PPROFILE_EVENT ProfileEvent;
if (InformationClass == HalProfileSourceInterval) { ProfileInterval = (PHAL_PROFILE_SOURCE_INTERVAL) Buffer; if (BufferSize < sizeof (HAL_PROFILE_SOURCE_INTERVAL)) { return STATUS_BUFFER_TOO_SMALL; }
ProfileEvent = StatProfileEvent(ProfileInterval->Source); if (ProfileEvent) {
ProfileEvent->Source = ProfileInterval->Source; ProfileEvent->InitialCount = 0; ProfileEvent->InitialCount -= (ULONGLONG) ProfileInterval->Interval;
SetEvent.EventId = Events[ProfileEvent->Source - PROFILE_SOURCE_BASE].Encoding; SetEvent.Active = TRUE; SetEvent.UserMode = TRUE; SetEvent.KernelMode = TRUE;
switch (ProcType) { case INTEL_P6: ProfileEvent->CESR = StatGetP6CESR (&SetEvent, TRUE); break; }
return STATUS_SUCCESS; } }
//
// Not our SetSystemInforamtion request, pass it on
//
return HaldSetSystemInformation (InformationClass, BufferSize, Buffer);}
NTSTATUSStatHookGenericThunk ( IN PHOOKTHUNK ThunkToHook){ ULONG HookAddress; ULONG i, TracerId; UCHAR sourcename[50]; ULONG HitCounterOffset; PLIST_ENTRY Link; PHOOKEDTHUNK HookRecord; UCHAR IdInUse[MAX_THUNK_COUNTERS];
PAGED_CODE();
i = strlen (ThunkToHook->SourceModule); if (i >= 50) { return STATUS_UNSUCCESSFUL; } strcpy (sourcename, ThunkToHook->SourceModule);
HookAddress = ImportThunkAddress ( sourcename, ThunkToHook->ImageBase, ThunkToHook->TargetModule, ThunkToHook->Function, NULL );
if (!HookAddress) { return STATUS_UNSUCCESSFUL; }
//
// Hook this thunk
//
//
// If counting bucket is not known (also tracerid), then allocate one
//
TracerId = ThunkToHook->TracerId;
ExAcquireFastMutex (&HookLock); if (TracerId == 0) { RtlZeroMemory (IdInUse, MAX_THUNK_COUNTERS);
for (Link = HookedThunkList.Flink; Link != &HookedThunkList; Link = Link->Flink) {
HookRecord = CONTAINING_RECORD (Link, HOOKEDTHUNK, HookList); IdInUse[HookRecord->TracerId-1] = 1; }
while (IdInUse[TracerId]) { if (++TracerId >= MAX_THUNK_COUNTERS) { goto Abort; } }
TracerId += 1; }
if (TracerId >= MAX_THUNK_COUNTERS) { goto Abort; }
if (TracerId > StatMaxThunkCounter) { StatMaxThunkCounter = TracerId; }
HookRecord = ExAllocatePool (NonPagedPool, sizeof (HOOKEDTHUNK)); if (!HookRecord) { goto Abort; }
HitCounterOffset = ((ULONG) &StatGlobalAccumulators[0].ThunkCounters[TracerId-1] - (ULONG) StatGlobalAccumulators);
HookRecord->HookAddress = HookAddress; HookRecord->OriginalDispatch = *((PULONG) HookAddress); HookRecord->TracerId = TracerId; InsertHeadList (&HookedThunkList, &HookRecord->HookList);
CreateHook (HookRecord->HookCode, (PVOID)HookAddress, HitCounterOffset, 0); SetMaxThunkCounter ();
ExReleaseFastMutex (&HookLock); ThunkToHook->TracerId = TracerId; return STATUS_SUCCESS;
Abort: ExReleaseFastMutex (&HookLock); return STATUS_UNSUCCESSFUL;}
VOIDStatRemoveGenericHook ( IN PULONG pTracerId){ PLIST_ENTRY Link, NextLink, Temp, NextTemp; PHOOKEDTHUNK HookRecord, AltRecord; ULONG HitCounterOffset; LIST_ENTRY DisabledHooks; ULONG TracerId; PULONG HookAddress;
PAGED_CODE();
//
// Run list of hooks undo-ing any hook which matches this tracerid.
// Note: that hooks are undone in the reverse order for which they
// were applied.
//
TracerId = *pTracerId; InitializeListHead (&DisabledHooks);
ExAcquireFastMutex (&HookLock); Link = HookedThunkList.Flink; while (Link != &HookedThunkList) { NextLink = Link->Flink; HookRecord = CONTAINING_RECORD (Link, HOOKEDTHUNK, HookList);
if (HookRecord->TracerId == TracerId) {
//
// Found a hook with a matching ID
// Scan for any hooks which need to be temporaly removed
// in order to get this hook removed
//
HookAddress = (PULONG) HookRecord->HookAddress; Temp = HookedThunkList.Flink; while (Temp != Link) { NextTemp = Temp->Flink; AltRecord = CONTAINING_RECORD (Temp, HOOKEDTHUNK, HookList); if (AltRecord->HookAddress == HookRecord->HookAddress) { RemoveEntryList(&AltRecord->HookList); *HookAddress = AltRecord->OriginalDispatch; InsertTailList (&DisabledHooks, &AltRecord->HookList); }
Temp = NextTemp; }
//
// Remove this hook
//
RemoveEntryList(&HookRecord->HookList); HookAddress = (PULONG) HookRecord->HookAddress; *HookAddress = HookRecord->OriginalDispatch; InsertTailList (&LazyFreeList, &HookRecord->HookList); }
Link = NextLink; }
//
// Re-hook any hooks which were disabled for the remove operation
//
while (DisabledHooks.Flink != &DisabledHooks) {
HookRecord = CONTAINING_RECORD (DisabledHooks.Flink, HOOKEDTHUNK, HookList);
AltRecord = ExAllocatePool (NonPagedPool, sizeof (HOOKEDTHUNK)); if (!AltRecord) { goto OutOfMemory; } RemoveEntryList(&HookRecord->HookList);
HookAddress = (PULONG) HookRecord->HookAddress; AltRecord->HookAddress = HookRecord->HookAddress; AltRecord->OriginalDispatch = *HookAddress; AltRecord->TracerId = HookRecord->TracerId; InsertHeadList (&HookedThunkList, &AltRecord->HookList);
HitCounterOffset = (ULONG) &StatGlobalAccumulators[0].ThunkCounters[AltRecord->TracerId-1] - (ULONG) StatGlobalAccumulators;
CreateHook (AltRecord->HookCode, (PVOID)HookAddress, HitCounterOffset, 0);
InsertTailList (&LazyFreeList, &HookRecord->HookList); } SetMaxThunkCounter(); ExReleaseFastMutex (&HookLock); return ;
OutOfMemory: while (DisabledHooks.Flink != &DisabledHooks) { HookRecord = CONTAINING_RECORD (DisabledHooks.Flink, HOOKEDTHUNK, HookList); RemoveEntryList(&HookRecord->HookList); InsertTailList (&LazyFreeList, &HookRecord->HookList); } ExReleaseFastMutex (&HookLock); RemoveAllHookedThunks (); return ;}
VOID RemoveAllHookedThunks (){ PHOOKEDTHUNK HookRecord; PULONG HookAddress;
PAGED_CODE();
ExAcquireFastMutex (&HookLock); while (!IsListEmpty(&HookedThunkList)) { HookRecord = CONTAINING_RECORD (HookedThunkList.Flink, HOOKEDTHUNK, HookList); RemoveEntryList(&HookRecord->HookList); HookAddress = (PULONG) HookRecord->HookAddress; *HookAddress = HookRecord->OriginalDispatch;
InsertTailList (&LazyFreeList, &HookRecord->HookList); } SetMaxThunkCounter(); ExReleaseFastMutex (&HookLock);}
VOID SetMaxThunkCounter (){ LARGE_INTEGER duetime; PLIST_ENTRY Link; PHOOKEDTHUNK HookRecord; ULONG Max;
PAGED_CODE();
Max = 0; for (Link = HookedThunkList.Flink; Link != &HookedThunkList; Link = Link->Flink) {
HookRecord = CONTAINING_RECORD (Link, HOOKEDTHUNK, HookList); if (HookRecord->TracerId > Max) { Max = HookRecord->TracerId; } }
StatMaxThunkCounter = Max; LazyFreeCountdown = 2; duetime.QuadPart = -10000000; KeSetTimer (&LazyFreeTimer, duetime, &LazyFreeDpc);}
VOID LazyFreePoolDPC (PKDPC dpc, PVOID a, PVOID b, PVOID c){ ExQueueWorkItem (&LazyFreePoolWorkItem, DelayedWorkQueue);}
VOID LazyFreePool (PVOID conext){ PHOOKEDTHUNK HookRecord; LARGE_INTEGER duetime;
PAGED_CODE();
ExAcquireFastMutex (&HookLock); if (--LazyFreeCountdown == 0) { while (!IsListEmpty(&LazyFreeList)) { HookRecord = CONTAINING_RECORD (LazyFreeList.Flink, HOOKEDTHUNK, HookList); RemoveEntryList(&HookRecord->HookList); RtlFillMemory(HookRecord, sizeof(HOOKEDTHUNK), 0xCC); ExFreePool (HookRecord) ; } } else { duetime.QuadPart = -10000000; KeSetTimer (&LazyFreeTimer, duetime, &LazyFreeDpc); } ExReleaseFastMutex (&HookLock);}
#define IMPKERNELADDRESS(a) ((ULONG)a + ImageBase)
#define IMPIMAGEADDRESS(a) ConvertImportAddress((ULONG)a, (ULONG)Pool, &SectionHeader)
#define INITIAL_POOLSIZE 0x7000
ULONGImportThunkAddressProcessFile( IN ULONG_PTR ImageBase, IN HANDLE FileHandle, IN PUCHAR ImportModule, IN PUCHAR ThunkName ){ ULONG i, j; ULONG Dir; PVOID Pool; ULONG PoolSize; IMAGE_DOS_HEADER DosImageHeader; IMAGE_NT_HEADERS NtImageHeader; PIMAGE_NT_HEADERS LoadedNtHeader; PIMAGE_IMPORT_BY_NAME pImportNameData; PIMAGE_SECTION_HEADER pSectionHeader; IMAGE_SECTION_HEADER SectionHeader; PIMAGE_IMPORT_DESCRIPTOR ImpDescriptor; PULONG pThunkAddr, pThunkData;
PAGED_CODE();
try {
//
// Find module in loaded module list
//
PoolSize = INITIAL_POOLSIZE; Pool = ExAllocatePool (PagedPool, PoolSize); if (!Pool) { return 0; }
try {
//
// Read in source image's headers
//
readfile ( FileHandle, 0, sizeof (DosImageHeader), (PVOID) &DosImageHeader );
if (DosImageHeader.e_magic != IMAGE_DOS_SIGNATURE) { return 0; }
readfile ( FileHandle, DosImageHeader.e_lfanew, sizeof (NtImageHeader), (PVOID) &NtImageHeader );
if (NtImageHeader.Signature != IMAGE_NT_SIGNATURE) { return 0; }
if (!ImageBase) { ImageBase = NtImageHeader.OptionalHeader.ImageBase; }
//
// Check in read in copy header against loaded image
//
LoadedNtHeader = (PIMAGE_NT_HEADERS) ((ULONG) ImageBase + DosImageHeader.e_lfanew);
if (LoadedNtHeader->Signature != IMAGE_NT_SIGNATURE || LoadedNtHeader->FileHeader.TimeDateStamp != NtImageHeader.FileHeader.TimeDateStamp) { return 0; }
//
// read in complete sections headers from image
//
i = NtImageHeader.FileHeader.NumberOfSections * sizeof (IMAGE_SECTION_HEADER);
j = ((ULONG) IMAGE_FIRST_SECTION (&NtImageHeader)) - ((ULONG) &NtImageHeader) + DosImageHeader.e_lfanew;
if (i > PoolSize) { ExFreePool(Pool); PoolSize = i; Pool = ExAllocatePool(PagedPool, PoolSize); if (!Pool) { return 0; } }
readfile ( FileHandle, j, // file offset
i, // length
Pool );
//
// Find section with import directory
//
Dir = NtImageHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; i = 0; pSectionHeader = Pool; for (; ;) { if (i >= NtImageHeader.FileHeader.NumberOfSections) { return 0; } if (pSectionHeader->VirtualAddress <= Dir && pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData > Dir) {
break; } i += 1; pSectionHeader += 1; }
//
// read in complete import section from image
//
Dir -= pSectionHeader->VirtualAddress; pSectionHeader->VirtualAddress += Dir; pSectionHeader->PointerToRawData += Dir; pSectionHeader->SizeOfRawData -= Dir; SectionHeader = *pSectionHeader;
if (SectionHeader.SizeOfRawData > PoolSize) { ExFreePool (Pool); PoolSize = SectionHeader.SizeOfRawData; Pool = ExAllocatePool (PagedPool, PoolSize); if (!Pool) { return 0; } }
readfile ( FileHandle, SectionHeader.PointerToRawData, SectionHeader.SizeOfRawData, Pool );
//
// Find imports from specified module
//
ImpDescriptor = (PIMAGE_IMPORT_DESCRIPTOR) Pool; while (ImpDescriptor->Characteristics) { if (_stricmp((PUCHAR)IMPIMAGEADDRESS((ULONG)(ImpDescriptor->Name)), ImportModule) == 0) { break; } ImpDescriptor += 1; }
//
// Find thunk for imported ThunkName
//
pThunkData = (PULONG) IMPIMAGEADDRESS (ImpDescriptor->OriginalFirstThunk); pThunkAddr = (PULONG) IMPKERNELADDRESS (ImpDescriptor->FirstThunk); for (; ;) { if (*pThunkData == 0L) { // end of table
break; } pImportNameData = (PIMAGE_IMPORT_BY_NAME) IMPIMAGEADDRESS (*pThunkData);
if (_stricmp(pImportNameData->Name, ThunkName) == 0) {
//
// Success, return this address.
//
return (ULONG)pThunkAddr; }
// check next thunk
pThunkData += 1; pThunkAddr += 1; } } except(EXCEPTION_EXECUTE_HANDLER) { return 0; } } finally {
//
// Clean up
//
if (Pool) { ExFreePool (Pool); } } return 0;}
ULONGImportThunkAddress ( IN PUCHAR SourceModule, IN ULONG_PTR ImageBase, IN PUCHAR ImportModule, IN PUCHAR ThunkName, IN PVOID ModuleList ){ NTSTATUS Status; HANDLE FileHandle; ULONG ImportAddress;
PAGED_CODE();
Status = openfile (&FileHandle, "\\SystemRoot\\", SourceModule); if (!NT_SUCCESS(Status)) { Status = openfile (&FileHandle, "\\SystemRoot\\System32\\", SourceModule); } if (!NT_SUCCESS(Status)) { Status = openfile (&FileHandle, "\\SystemRoot\\System32\\Drivers\\", SourceModule); } if (!NT_SUCCESS(Status)) { return 0; }
if (!ImageBase) { ImageBase = LookupImageBase (SourceModule, ModuleList); }
ImportAddress = ImportThunkAddressProcessFile(ImageBase, FileHandle, ImportModule, ThunkName); NtClose (FileHandle); return ImportAddress;}
ULONGImportThunkAddressModule ( IN PRTL_PROCESS_MODULE_INFORMATION SourceModule, IN PUCHAR ImportModule, IN PUCHAR ThunkName ){ NTSTATUS Status; HANDLE FileHandle; ULONG ImportAddress; PUCHAR SubPath;
PAGED_CODE();
//
// Strip the system root from the file path so we can use
// the \SystemRoot object as the head of the path.
//
SubPath = strchr(SourceModule->FullPathName + 1, '\\'); if (!SubPath) {
//
// If we got here we don't know what we're doing,
// bail out.
//
return 0; }
Status = openfile (&FileHandle, "\\SystemRoot", SubPath); if (!NT_SUCCESS(Status)) { return 0; }
ImportAddress = ImportThunkAddressProcessFile( (ULONG_PTR)SourceModule->ImageBase, FileHandle, ImportModule, ThunkName);
NtClose(FileHandle); return ImportAddress;}
ULONG_PTRLookupImageBase ( IN PUCHAR SourceModule, IN PVOID ModuleList ){ NTSTATUS status; ULONG BufferSize; ULONG junk, ModuleNumber; ULONG_PTR ImageBase; PRTL_PROCESS_MODULES Modules; PRTL_PROCESS_MODULE_INFORMATION Module;
ImageBase = 0;
if (ModuleList) { Modules = ModuleList; } else { BufferSize = 64000; Modules = ExAllocatePool (PagedPool, BufferSize); if (!Modules) { return 0; }
//
// Locate system drivers.
//
status = ZwQuerySystemInformation ( SystemModuleInformation, Modules, BufferSize, &junk ); if (!NT_SUCCESS(status)) { ExFreePool(Modules); return 0; } }
Module = &Modules->Modules[ 0 ]; for (ModuleNumber = 0; ModuleNumber < Modules->NumberOfModules; ModuleNumber++,Module++) { if (_stricmp(Module->FullPathName + Module->OffsetToFileName, SourceModule) == 0) { ImageBase = (ULONG_PTR)Module->ImageBase; break; } }
if (!ModuleList) { ExFreePool (Modules); } return ImageBase;}
NTSTATUSopenfile ( IN PHANDLE FileHandle, IN PUCHAR BasePath, IN PUCHAR Name){ ANSI_STRING AscBasePath, AscName; UNICODE_STRING UniPathName, UniName; NTSTATUS status; OBJECT_ATTRIBUTES ObjA; IO_STATUS_BLOCK IOSB; UCHAR StringBuf[500];
//
// Build name
//
UniPathName.Buffer = (PWCHAR)StringBuf; UniPathName.Length = 0; UniPathName.MaximumLength = sizeof( StringBuf );
RtlInitString(&AscBasePath, BasePath); status = RtlAnsiStringToUnicodeString( &UniPathName, &AscBasePath, FALSE ); if (!NT_SUCCESS(status)) { return status; } RtlInitString(&AscName, Name); status = RtlAnsiStringToUnicodeString( &UniName, &AscName, TRUE ); if (!NT_SUCCESS(status)) { return status; }
status = RtlAppendUnicodeStringToString (&UniPathName, &UniName); if (!NT_SUCCESS(status)) { return status; }
InitializeObjectAttributes( &ObjA, &UniPathName, OBJ_CASE_INSENSITIVE, 0, 0 );
//
// open file
//
status = ZwOpenFile ( FileHandle, // return handle
SYNCHRONIZE | FILE_READ_DATA, // desired access
&ObjA, // Object
&IOSB, // io status block
FILE_SHARE_READ | FILE_SHARE_WRITE, // share access
FILE_SYNCHRONOUS_IO_ALERT // open options
);
RtlFreeUnicodeString (&UniName); return status;}
VOIDreadfile ( HANDLE handle, ULONG offset, ULONG len, PVOID buffer ){ NTSTATUS status; IO_STATUS_BLOCK iosb; LARGE_INTEGER foffset;
foffset = RtlConvertUlongToLargeInteger(offset);
status = ZwReadFile ( handle, NULL, // event
NULL, // apc routine
NULL, // apc context
&iosb, buffer, len, &foffset, NULL );
if (!NT_SUCCESS(status)) { ExRaiseStatus (1); }}
ULONGConvertImportAddress ( IN ULONG ImageRelativeAddress, IN ULONG PoolAddress, IN PIMAGE_SECTION_HEADER SectionHeader){ ULONG EffectiveAddress;
EffectiveAddress = PoolAddress + ImageRelativeAddress - SectionHeader->VirtualAddress;
if (EffectiveAddress < PoolAddress || EffectiveAddress > PoolAddress + SectionHeader->SizeOfRawData) {
ExRaiseStatus (1); }
return EffectiveAddress;}
|
