|
|
/*++
Copyright (c) Microsoft Corporation. All rights reserved.
Module Name:
verifier.c
Abstract:
Application verifier debugger extension for both ntsd and kd.
Author:
Silviu Calinoiu (SilviuC) 4-Mar-2001
Environment:
User Mode.
--*/
#include "precomp.h"
#pragma hdrstop
//
// Page heap extension functions (defined in heappagx.c and heappagxXP.c).
// We need one for WinXP client and one for latest .NET server because the internal
// structures changed significantly and there are not separate debugger packages
// for each OS. We have this problem only for stuff implemented inside ntdll.dll
// since the dll is different between OSes. We do nto have this problem for
// verifier.dll because this one is refreshed whenever the application verifier
// package is installed.
//
VOIDPageHeapExtension( IN PCSTR lpArgumentString );
VOIDDebugPageHeapExtensionXP( IN PCSTR lpArgumentString );
//
// Local functions
//
ULONGVrfGetArguments ( PCHAR ArgsString, PCHAR Args[], ULONG NoOfArgs );
VOIDVrfHelp ( VOID );
BOOLEANVrfTraceInitialize ( );
ULONG64VrfTraceAddress ( ULONG TraceIndex );
VOIDVrfTraceDump ( ULONG TraceIndex );
LOGICALVrfVerifierGlobalFlagSet ( VOID );
VOIDVrfDumpSettings ( );
VOIDVrfDumpStopInformation ( VOID );
VOIDVrfFigureOutAddress ( ULONG64 Address );
VOIDVrfDumpGlobalCounters ( VOID );
VOIDVrfDumpBreakTriggers ( VOID );
VOIDVrfToggleBreakTrigger ( ULONG Index );
VOIDVrfDumpFaultInjectionSettings ( VOID );
VOIDVrfSetFaultInjectionParameters ( ULONG Index, ULONG Probability );
VOIDVrfSetFaultInjectionCallParameters ( ULONG Index, ULONG Call );
VOIDVrfDumpFaultInjectionTargetRanges ( VOID );
VOIDVrfAddFaultInjectionTargetRange ( ULONG64 Start, ULONG64 End );
VOIDVrfResetFaultInjectionTargetRanges ( VOID );
VOIDVrfDumpFaultInjectionExclusionRanges ( VOID );
VOIDVrfAddFaultInjectionExclusionRange ( ULONG64 Start, ULONG64 End );
VOIDVrfResetFaultInjectionExclusionRanges ( VOID );
VOIDVrfSetFaultInjectionExclusionPeriod ( ULONG64 TimeInMsecs );
VOIDVrfDumpFaultInjectionTraces ( ULONG Count );
VOIDVrfToggleFaultInjectionBreak ( ULONG Index );
VOIDVrfSetFaultInjectionDllTarget ( PCHAR DllName, LOGICAL Exclude );
VOIDVrfDumpExceptionLog ( ULONG MaxEntries );
VOIDVrfDumpThreadsInformation ( ULONG64 UserThreadId );
LOGICALVrfCheckSymbols ( PCHAR * DllName );
//
// Globals.
//
LOGICAL WinXpClient;
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////// Call tracker querying
/////////////////////////////////////////////////////////////////////
extern ULONG64 VrfThreadTrackerAddress;extern ULONG64 VrfHeapTrackerAddress;extern ULONG64 VrfVspaceTrackerAddress;
LOGICALVrfDetectTrackerAddresses ( VOID );
LOGICALVrfQueryCallTracker ( ULONG64 TrackerAddress, ULONG64 SearchAddress, ULONG64 LastEntries );
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////// !avrf entry point
/////////////////////////////////////////////////////////////////////
DECLARE_API( avrf )/*++
Routine Description:
Application verifier debugger extension.
Arguments:
args -
Return Value:
None
--*/{ PCHAR Args[16]; ULONG NoOfArgs, I; PCHAR DllName;
INIT_API();
if (g_TargetBuild <= 2600) { WinXpClient = TRUE; }
//
// Check out the symbols.
//
if (VrfCheckSymbols(&DllName) == FALSE) {
if (DllName) { dprintf ("Please fix the symbols for `%s'.\n", DllName); } return S_OK; }
//
// Parse arguments.
//
NoOfArgs = VrfGetArguments ((PCHAR)args, Args, 16);
//
// Check if help needed
//
if (NoOfArgs > 0 && strstr (Args[0], "?") != NULL) { VrfHelp (); goto Exit; }
if (NoOfArgs > 0 && _stricmp (Args[0], "-cnt") == 0) { VrfDumpGlobalCounters ();
goto Exit; } if (NoOfArgs > 0 && _stricmp (Args[0], "-brk") == 0) { if (NoOfArgs > 1) { ULONG64 Index; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[1], &Index, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an index.\n", Args[1]); goto Exit; }
VrfToggleBreakTrigger ((ULONG)Index); } else {
VrfDumpBreakTriggers (); }
goto Exit; } if (NoOfArgs > 0 && _stricmp (Args[0], "-flt") == 0) { if (NoOfArgs == 1) { VrfDumpFaultInjectionSettings (); } else if (NoOfArgs == 3){
if (_stricmp(Args[1], "stacks") == 0) {
ULONG64 Count; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[2], &Count, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to a number.\n", Args[2]); goto Exit; }
VrfDumpFaultInjectionTraces ((ULONG)Count); } else if (_stricmp(Args[1], "break") == 0) {
ULONG64 Count; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[2], &Count, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an index.\n", Args[2]); goto Exit; }
VrfToggleFaultInjectionBreak ((ULONG)Count); } else {
ULONG64 Index; ULONG64 Probability; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[1], &Index, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an index.\n", Args[1]); goto Exit; }
Result = GetExpressionEx (Args[2], &Probability, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to a probability.\n", Args[2]); goto Exit; }
VrfSetFaultInjectionParameters ((ULONG)Index, (ULONG)Probability); } }
goto Exit; } if (NoOfArgs > 0 && _stricmp (Args[0], "-trg") == 0) { if (NoOfArgs > 1) { if (_stricmp(Args[1], "all") == 0) { VrfResetFaultInjectionTargetRanges (); } else if (NoOfArgs == 3 && _stricmp(Args[1], "dll") == 0) { VrfSetFaultInjectionDllTarget (Args[2], FALSE); } else if (NoOfArgs > 2){
ULONG64 Start; ULONG64 End; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[1], &Start, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to a start address.\n", Args[1]); goto Exit; }
Result = GetExpressionEx (Args[2], &End, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an end address.\n", Args[2]); goto Exit; }
VrfAddFaultInjectionTargetRange (Start, End); } } else {
VrfDumpFaultInjectionTargetRanges (); }
goto Exit; } if (NoOfArgs > 0 && _stricmp (Args[0], "-skp") == 0) { if (NoOfArgs > 1) { if (_stricmp(Args[1], "all") == 0) { VrfResetFaultInjectionExclusionRanges (); } else if (NoOfArgs == 3 && _stricmp(Args[1], "dll") == 0) { VrfSetFaultInjectionDllTarget (Args[2], TRUE); } else if (NoOfArgs == 2) { ULONG64 Period; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[1], &Period, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to a number.\n", Args[1]); goto Exit; }
VrfSetFaultInjectionExclusionPeriod (Period); } else if (NoOfArgs > 2){
ULONG64 Start; ULONG64 End; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[1], &Start, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to a start address.\n", Args[1]); goto Exit; }
Result = GetExpressionEx (Args[2], &End, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an end address.\n", Args[2]); goto Exit; }
VrfAddFaultInjectionExclusionRange (Start, End); } } else {
VrfDumpFaultInjectionExclusionRanges (); }
goto Exit; } if (NoOfArgs > 0 && _stricmp (Args[0], "-ex") == 0) {
ULONG MaxEntries;
if (NoOfArgs > 1) {
MaxEntries = atoi (Args[1]); } else {
MaxEntries = (ULONG)-1; }
VrfDumpExceptionLog (MaxEntries); goto Exit; } if (NoOfArgs > 0 && _stricmp (Args[0], "-threads") == 0) {
ULONG64 ThreadId;
if (NoOfArgs > 1) {
BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[1], &ThreadId, &Remainder); } else {
ThreadId = 0; }
VrfDumpThreadsInformation (ThreadId); goto Exit; }
//
// The rest of the options need traces support.
//
if (VrfTraceInitialize() == FALSE) { goto DumpAndExit; }
if (NoOfArgs > 1 && _stricmp (Args[0], "-trace") == 0) { ULONG Index;
Index = (ULONG) GetExpression (Args[1]);
if (Index != 0) { VrfTraceDump (Index); } else { dprintf ("Invalid trace index: `%s' . \n", Args[1]); } goto Exit; } if (NoOfArgs > 1 && _stricmp (Args[0], "-a") == 0) {
ULONG64 Address; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[1], &Address, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an address.\n", Args[1]); goto Exit; }
dprintf ("Address %I64X ...\n\n", Address); VrfFigureOutAddress (Address);
goto Exit; } if (NoOfArgs > 1 && _stricmp (Args[0], "-vs") == 0) {
if (NoOfArgs > 2 && _stricmp (Args[1], "-a") == 0) {
ULONG64 Address; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[2], &Address, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an address.\n", Args[2]); goto Exit; }
VrfQueryCallTracker (VrfVspaceTrackerAddress, Address, 0); goto Exit; } else {
VrfQueryCallTracker (VrfVspaceTrackerAddress, 0, atoi(Args[1])); goto Exit; } } if (NoOfArgs > 1 && _stricmp (Args[0], "-hp") == 0) {
if (NoOfArgs > 2 && _stricmp (Args[1], "-a") == 0) {
ULONG64 Address; BOOL Result; PCSTR Remainder;
Result = GetExpressionEx (Args[2], &Address, &Remainder);
if (Result == FALSE) { dprintf ("\nFailed to convert `%s' to an address.\n", Args[2]); goto Exit; }
VrfQueryCallTracker (VrfHeapTrackerAddress, Address, 0); goto Exit; } else {
VrfQueryCallTracker (VrfHeapTrackerAddress, 0, atoi(Args[1])); goto Exit; } }
if (NoOfArgs > 0 && _stricmp (Args[0], "-trm") == 0) { VrfQueryCallTracker (VrfThreadTrackerAddress, 0, 32); goto Exit; } //
// If no option specified then we just print current settings.
//
DumpAndExit:
VrfDumpSettings ();
Exit:
EXIT_API(); return S_OK;}
VOIDVrfHelp ( VOID ){ dprintf ("Application verifier debugger extension \n" " \n" "!avrf displays current settings and stop \n" " data if a verifier stop happened. \n" // "!avrf -a ADDR figure out the nature of address ADDR. \n"
"!avrf -vs N dump last N entries from vspace log. \n" "!avrf -vs -a ADDR searches ADDR in the vspace log. \n" "!avrf -hp N dump last N entries from heap log. \n" "!avrf -hp -a ADDR searches ADDR in the heap log. \n" "!avrf -trm dump thread terminate/suspend log. \n" "!avrf -ex [N] dump exception log entries. \n" "!avrf -threads [TID] dump threads information. \n" "!avrf -trace INDEX dump stack trace with index INDEX. \n" "!avrf -cnt dump global counters. \n" "!avrf -brk [INDEX] dump or set/reset break triggers. \n" "!avrf -flt dump fault injection settings. \n" "!avrf -flt INDX PROB set fault probability for an event. \n" "!avrf -flt break INDX toggle break for a fault injection event.\n" "!avrf -flt stacks N dump the last N fault injection stacks. \n" "!avrf -trg dump fault injection target addresses. \n" "!avrf -trg START END add a new fault target range. \n" "!avrf -trg dll XXX add code in dll XXX as target range. \n" "!avrf -trg all deletes all fault target ranges. \n" "!avrf -skp dump fault injection exclusion addresses.\n" "!avrf -skp START END add a new fault exclusion range. \n" "!avrf -skp dll XXX add code in dll XXX as exclusion range. \n" "!avrf -skp all deletes all fault exclusion ranges. \n" "!avrf -skp TIME disable faults for TIME msecs. \n" " \n");}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////// Argument parsing routines
/////////////////////////////////////////////////////////////////////
PCHAR VrfGetArgument ( PCHAR Args, PCHAR * Next ){ PCHAR Start;
if (Args == NULL) { return NULL; }
while (*Args == ' ' || *Args == '\t') { Args += 1; }
if (*Args == '\0') { return NULL; }
Start = Args;
while (*Args != ' ' && *Args != '\t' && *Args != '\0') { Args += 1; }
if (*Args == '\0') { *Next = NULL; } else { *Args = '\0'; *Next = Args + 1; }
return Start;}
ULONGVrfGetArguments ( PCHAR ArgsString, PCHAR Args[], ULONG NoOfArgs ){ PCHAR Arg = ArgsString; PCHAR Next; ULONG Index; for (Index = 0; Index < NoOfArgs; Index += 1) {
Arg = VrfGetArgument (Arg, &Next);
if (Arg) { Args[Index] = Arg; } else { break; }
Arg = Next; }
return Index;}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////// Dump stack traces
/////////////////////////////////////////////////////////////////////
ULONG64 TraceDbArrayEnd;ULONG PvoidSize;
BOOLEANVrfTraceInitialize ( ){ ULONG64 TraceDatabaseAddress; ULONG64 TraceDatabase;
//
// Stack trace database address
//
TraceDatabaseAddress = GetExpression("ntdll!RtlpStackTraceDataBase"); if ( TraceDatabaseAddress == 0 ) { dprintf( "Unable to resolve ntdll!RtlpStackTraceDataBase symbolic name.\n"); return FALSE; }
if (!ReadPointer (TraceDatabaseAddress, &TraceDatabase ) != S_OK) { dprintf( "Cannot read pointer at ntdll!RtlpStackTraceDataBase\n" ); return FALSE; }
if (TraceDatabase == 0) { dprintf( "Stack traces not enabled (ntdll!RtlpStackTraceDataBase is null).\n" ); return FALSE; }
//
// Find the array of stack traces
//
if (InitTypeRead(TraceDatabase, ntdll!_STACK_TRACE_DATABASE)) { dprintf("Unable to read type ntdll!_STACK_TRACE_DATABASE @ %p\n", TraceDatabase); return FALSE; }
TraceDbArrayEnd = ReadField (EntryIndexArray);
PvoidSize = IsPtr64() ? 8 : 4;
return TRUE;}
ULONG64VrfTraceAddress ( ULONG TraceIndex ){ ULONG64 TracePointerAddress; ULONG64 TracePointer;
TracePointerAddress = TraceDbArrayEnd - TraceIndex * PvoidSize;
if (!ReadPointer (TracePointerAddress, &TracePointer) != S_OK) { dprintf ("Cannot read stack trace address @ %p\n", TracePointerAddress); return 0; }
return TracePointer;}
VOIDVrfTraceDump ( ULONG TraceIndex ){ ULONG64 TraceAddress; ULONG64 TraceArray; ULONG TraceDepth; ULONG Offset; ULONG Index; ULONG64 ReturnAddress; CHAR Symbol[ 1024 ]; ULONG64 Displacement;
//
// Get real address of the trace.
//
TraceAddress = VrfTraceAddress (TraceIndex);
if (TraceAddress == 0) { return; }
//
// Read the stack trace depth
//
if (InitTypeRead(TraceAddress, ntdll!_RTL_STACK_TRACE_ENTRY)) { dprintf("Unable to read type ntdll!_RTL_STACK_TRACE_ENTRY @ %p\n", TraceAddress); return; }
TraceDepth = (ULONG)ReadField (Depth);
//
// Limit the depth to 20 to protect ourselves from corrupted data
//
TraceDepth = __min (TraceDepth, 16);
//
// Get a pointer to the BackTrace array
//
GetFieldOffset ("ntdll!_RTL_STACK_TRACE_ENTRY", "BackTrace", &Offset); TraceArray = TraceAddress + Offset;
//
// Dump this stack trace. Skip first two entries.
//
TraceArray += 2 * PvoidSize;
for (Index = 2; Index < TraceDepth; Index += 1) {
if (!ReadPointer (TraceArray, &ReturnAddress) != S_OK) { dprintf ("Cannot read address @ %p\n", TraceArray); return; }
GetSymbol (ReturnAddress, Symbol, &Displacement);
dprintf ("\t%p: %s+0x%I64X\n", ReturnAddress, Symbol, Displacement );
TraceArray += PvoidSize; }}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////// Dump settings
/////////////////////////////////////////////////////////////////////
ULONG64 VrfPebAddress ( VOID ){ ULONG64 PebAddress; GetPebAddress (0, &PebAddress); // dprintf ("PEB @ %I64X \n", PebAddress);
return PebAddress;}
LOGICALVrfVerifierGlobalFlagSet ( VOID ){ ULONG64 FlagsAddress; ULONG Flags; ULONG BytesRead; ULONG I; ULONG64 GlobalFlags;
InitTypeRead (VrfPebAddress(), ntdll!_PEB); GlobalFlags = ReadField (NtGlobalFlag);
if ((GlobalFlags & FLG_APPLICATION_VERIFIER)) { return TRUE; } else { return FALSE; }}
VOIDVrfDumpSettings ( ){ ULONG64 FlagsAddress; ULONG Flags; ULONG BytesRead; ULONG I; ULONG64 GlobalFlags;
InitTypeRead (VrfPebAddress(), ntdll!_PEB); GlobalFlags = ReadField (NtGlobalFlag);
dprintf ("\nGlobal flags: %08I64X \n", GlobalFlags);
if ((GlobalFlags & FLG_APPLICATION_VERIFIER)) { dprintf ("Application verifier global flag is set. \n"); } if ((GlobalFlags & FLG_HEAP_PAGE_ALLOCS)) { dprintf ("Page heap global flag is set. \n"); } dprintf ("\n");
if ((GlobalFlags & FLG_APPLICATION_VERIFIER) == 0) { dprintf ("Application verifier is not enabled for this process. \n"); if ((GlobalFlags & FLG_HEAP_PAGE_ALLOCS)) {
dprintf ("Page heap has been enabled separately. \n"); } return; }
FlagsAddress = GetExpression("ntdll!AVrfpVerifierFlags");
if (FlagsAddress == 0) { dprintf( "Unable to resolve ntdll!AVrfpVerifierFlags symbolic name.\n"); return; }
if (ReadMemory (FlagsAddress, &Flags, sizeof Flags, &BytesRead) == FALSE) { dprintf ("Cannot read value @ %p (ntdll!AVrfpVerifierFlags) \n", FlagsAddress); return; }
dprintf ("Application verifier settings (%08X): \n\n", Flags);
if (WinXpClient) { //
// On XP client no heap checks actually means light page heap.
//
if (Flags & RTL_VRF_FLG_FULL_PAGE_HEAP) { dprintf (" - full page heap\n"); } else { dprintf (" - light page heap\n"); } } else {
//
// On .NET server no heap checks really means no heap checks.
//
if (Flags & RTL_VRF_FLG_FULL_PAGE_HEAP) { dprintf (" - full page heap\n"); } else if (Flags & RTL_VRF_FLG_FAST_FILL_HEAP) { dprintf (" - fast fill heap (a.k.a light page heap)\n"); } else { dprintf (" - no heap checking enabled!\n"); } } if (Flags & RTL_VRF_FLG_LOCK_CHECKS) { dprintf (" - lock checks (critical section verifier)\n"); } if (Flags & RTL_VRF_FLG_HANDLE_CHECKS) { dprintf (" - handle checks\n"); } if (Flags & RTL_VRF_FLG_STACK_CHECKS) { dprintf (" - stack checks (disable automatic stack extensions)\n"); } if (Flags & RTL_VRF_FLG_TLS_CHECKS) { dprintf (" - TLS checks (thread local storage APIs)\n"); } if (Flags & RTL_VRF_FLG_RPC_CHECKS) { dprintf (" - RPC checks (RPC verifier)\n"); } if (Flags & RTL_VRF_FLG_COM_CHECKS) { dprintf (" - COM checks (COM verifier)\n"); } if (Flags & RTL_VRF_FLG_DANGEROUS_APIS) { dprintf (" - bad APIs (e.g. TerminateThread)\n"); } if (Flags & RTL_VRF_FLG_RACE_CHECKS) { dprintf (" - random delays for wait operations\n"); } if (Flags & RTL_VRF_FLG_VIRTUAL_MEM_CHECKS) { dprintf (" - virtual memory operations checks\n"); } if (Flags & RTL_VRF_FLG_DEADLOCK_CHECKS) { dprintf (" - deadlock verifier\n"); }
dprintf ("\n");
//
// Call the appropriate page heap extension.
//
if (WinXpClient) { DebugPageHeapExtensionXP ("-p"); } else { PageHeapExtension ("-p"); }
dprintf ("\n"); //
// Dump verifier stop information if there is any.
//
VrfDumpStopInformation ();}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////// Stop data
/////////////////////////////////////////////////////////////////////
VOIDVrfDumpBriefStopDescription ( ULONG64 Code );
VOIDVrfDumpStopInformation ( VOID ){ ULONG64 CurrentStopAddress; ULONG64 CurrentStopData[5]; ULONG64 PreviousStopAddress; ULONG64 PreviousStopData[5]; ULONG I; ULONG UlongPtrSize;
UlongPtrSize = GetTypeSize ("ntdll!ULONG_PTR"); //
// Check if a verifier stop has been encountered.
//
CurrentStopAddress = GetExpression("verifier!AVrfpStopData"); if (CurrentStopAddress == 0) { dprintf( "Unable to resolve verifier!AVrfpStopData symbolic name.\n"); return; }
for (I = 0; I < 5; I += 1) {
if (!ReadPointer (CurrentStopAddress + I * UlongPtrSize, &(CurrentStopData[I])) != S_OK) { dprintf ("Cannot read value @ %p \n", CurrentStopAddress + I * UlongPtrSize); } }
//
// Read also previous stop data.
//
PreviousStopAddress = GetExpression("verifier!AVrfpPreviousStopData"); if (PreviousStopAddress == 0) { dprintf( "Unable to resolve verifier!AVrfpPreviousStopData symbolic name.\n"); return; }
for (I = 0; I < 5; I += 1) {
if (!ReadPointer (PreviousStopAddress + I * UlongPtrSize, &(PreviousStopData[I])) != S_OK) { dprintf ("Cannot read value @ %p \n", PreviousStopAddress + I * UlongPtrSize); } }
//
// Parse the values just read.
//
if (PreviousStopData[0] != 0) {
dprintf ("Previous stop %p : %p %p %p %p was continued! \n", PreviousStopData[0], PreviousStopData[1], PreviousStopData[2], PreviousStopData[3], PreviousStopData[4]);
dprintf ("\n "); VrfDumpBriefStopDescription (PreviousStopData[0]); dprintf ("\n"); }
if (CurrentStopData[0] == 0) {
dprintf ("No verifier stop active. \n\n");
dprintf ("Note. Sometimes bugs found by verifier manifest themselves \n" "as raised exceptions (access violations, stack overflows, invalid handles \n" "and it is not always necessary to have a verifier stop. \n"); } else {
dprintf ("Current stop %p : %p %p %p %p . \n", CurrentStopData[0], CurrentStopData[1], CurrentStopData[2], CurrentStopData[3], CurrentStopData[4]); dprintf ("\n "); VrfDumpBriefStopDescription (CurrentStopData[0]); dprintf ("\n"); }}
VOIDVrfDumpBriefStopDescription ( ULONG64 Code ){ switch (Code) { case APPLICATION_VERIFIER_UNKNOWN_ERROR: dprintf ("Unknown error. \n"); break; case APPLICATION_VERIFIER_ACCESS_VIOLATION: dprintf ("Access violation. \n"); break; case APPLICATION_VERIFIER_UNSYNCHRONIZED_ACCESS: dprintf ("Unsynchronized access. \n"); break; case APPLICATION_VERIFIER_EXTREME_SIZE_REQUEST: dprintf ("Extreme size request. \n"); break; case APPLICATION_VERIFIER_BAD_HEAP_HANDLE: dprintf ("Bad heap handle (not even handle of another heap). \n"); break; case APPLICATION_VERIFIER_SWITCHED_HEAP_HANDLE: dprintf ("Switched heap handle. \n"); break; case APPLICATION_VERIFIER_DOUBLE_FREE: dprintf ("Double free. \n"); break; case APPLICATION_VERIFIER_CORRUPTED_HEAP_BLOCK: dprintf ("Corrupted heap block. \n"); break; case APPLICATION_VERIFIER_DESTROY_PROCESS_HEAP: dprintf ("Attempt to destroy process heap. \n"); break; case APPLICATION_VERIFIER_UNEXPECTED_EXCEPTION: dprintf ("Unexpected exception inside page heap code. \n"); break; case APPLICATION_VERIFIER_STACK_OVERFLOW: dprintf ("Stack overflow. \n"); break; case APPLICATION_VERIFIER_INVALID_FREEMEM: dprintf ("Invalid free memory. \n"); break; case APPLICATION_VERIFIER_INVALID_ALLOCMEM: dprintf ("Invalid memory allocation. \n"); break; case APPLICATION_VERIFIER_INVALID_MAPVIEW: dprintf ("Invalid memory mapping. \n"); break; case APPLICATION_VERIFIER_TERMINATE_THREAD_CALL: dprintf ("TerminateThread() call. \n"); break; case APPLICATION_VERIFIER_INVALID_EXIT_PROCESS_CALL: dprintf ("ExitProcess() call while multiple threads still running. \n"); break;
case APPLICATION_VERIFIER_EXIT_THREAD_OWNS_LOCK: dprintf ("Threads owns lock in a context it should not. \n"); break; case APPLICATION_VERIFIER_LOCK_IN_UNLOADED_DLL: dprintf ("DLL unloaded contains a critical section that was not deleted. \n"); break; case APPLICATION_VERIFIER_LOCK_IN_FREED_HEAP: dprintf ("Block freed contains a critical section that was not deleted. \n"); break; case APPLICATION_VERIFIER_LOCK_IN_FREED_MEMORY: dprintf ("Virtual region freed contains a critical section that was not deleted. \n"); break; case APPLICATION_VERIFIER_LOCK_DOUBLE_INITIALIZE: dprintf ("Critical section initialized twice. \n"); break; case APPLICATION_VERIFIER_LOCK_CORRUPTED: dprintf ("Corrupted critical section. \n"); break; case APPLICATION_VERIFIER_LOCK_INVALID_OWNER: dprintf ("Critical section has invalid owner. \n"); break; case APPLICATION_VERIFIER_LOCK_INVALID_RECURSION_COUNT: dprintf ("Critical section has invalid recursion count. \n"); break; case APPLICATION_VERIFIER_LOCK_INVALID_LOCK_COUNT: dprintf ("Critical section has invalid lock count. \n"); break; case APPLICATION_VERIFIER_LOCK_OVER_RELEASED: dprintf ("Releasing a critical section that is not acquired. \n"); break; case APPLICATION_VERIFIER_LOCK_NOT_INITIALIZED: dprintf ("Using an uninitialized critical section. \n"); break; case APPLICATION_VERIFIER_LOCK_ALREADY_INITIALIZED: dprintf ("Initializing a critical section already initialized. \n"); break; case APPLICATION_VERIFIER_INVALID_HANDLE: dprintf ("Using an invalid handle (either closed or simply bad). \n"); break; case APPLICATION_VERIFIER_INVALID_TLS_VALUE: dprintf ("Using an invalid TLS value (not obtained from TlsAlloc()). \n"); break;
case APPLICATION_VERIFIER_INCORRECT_WAIT_CALL: dprintf ("Wait call with invalid parameters. \n"); break; case APPLICATION_VERIFIER_NULL_HANDLE: dprintf ("Using a null handle. \n"); break; case APPLICATION_VERIFIER_WAIT_IN_DLLMAIN: dprintf ("Wait operation in DllMain function. \n"); break; case APPLICATION_VERIFIER_COM_ERROR: dprintf ("COM related error. \n"); break; case APPLICATION_VERIFIER_COM_API_IN_DLLMAIN: dprintf ("COM error: APPLICATION_VERIFIER_COM_API_IN_DLLMAIN \n"); break; case APPLICATION_VERIFIER_COM_UNHANDLED_EXCEPTION: dprintf ("COM error: APPLICATION_VERIFIER_COM_UNHANDLED_EXCEPTION \n"); break; case APPLICATION_VERIFIER_COM_UNBALANCED_COINIT: dprintf ("COM error: APPLICATION_VERIFIER_COM_UNBALANCED_COINIT \n"); break; case APPLICATION_VERIFIER_COM_UNBALANCED_OLEINIT: dprintf ("COM error: APPLICATION_VERIFIER_COM_UNBALANCED_OLEINIT \n"); break; case APPLICATION_VERIFIER_COM_UNBALANCED_SWC: dprintf ("COM error: APPLICATION_VERIFIER_COM_UNBALANCED_SWC \n"); break; case APPLICATION_VERIFIER_COM_NULL_DACL: dprintf ("COM error: APPLICATION_VERIFIER_COM_NULL_DACL \n"); break; case APPLICATION_VERIFIER_COM_UNSAFE_IMPERSONATION: dprintf ("COM error: APPLICATION_VERIFIER_COM_UNSAFE_IMPERSONATION\n"); break; case APPLICATION_VERIFIER_COM_SMUGGLED_WRAPPER: dprintf ("COM error: APPLICATION_VERIFIER_COM_SMUGGLED_WRAPPER \n"); break; case APPLICATION_VERIFIER_COM_SMUGGLED_PROXY: dprintf ("COM error: APPLICATION_VERIFIER_COM_SMUGGLED_PROXY \n"); break; case APPLICATION_VERIFIER_COM_CF_SUCCESS_WITH_NULL: dprintf ("COM error: APPLICATION_VERIFIER_COM_CF_SUCCESS_WITH_NULL \n"); break; case APPLICATION_VERIFIER_COM_GCO_SUCCESS_WITH_NULL: dprintf ("COM error: APPLICATION_VERIFIER_COM_GCO_SUCCESS_WITH_NULL \n"); break; case APPLICATION_VERIFIER_COM_OBJECT_IN_FREED_MEMORY: dprintf ("COM error: APPLICATION_VERIFIER_COM_OBJECT_IN_FREED_MEMORY \n"); break; case APPLICATION_VERIFIER_COM_OBJECT_IN_UNLOADED_DLL: dprintf ("COM error: APPLICATION_VERIFIER_COM_OBJECT_IN_UNLOADED_DLL \n"); break; case APPLICATION_VERIFIER_COM_VTBL_IN_FREED_MEMORY: dprintf ("COM error: APPLICATION_VERIFIER_COM_VTBL_IN_FREED_MEMORY \n"); break; case APPLICATION_VERIFIER_COM_VTBL_IN_UNLOADED_DLL: dprintf ("COM error: APPLICATION_VERIFIER_COM_VTBL_IN_UNLOADED_DLL \n"); break; case APPLICATION_VERIFIER_COM_HOLDING_LOCKS_ON_CALL: dprintf ("COM error: APPLICATION_VERIFIER_COM_HOLDING_LOCKS_ON_CALL \n"); break; case APPLICATION_VERIFIER_RPC_ERROR: dprintf ("RPC related error. \n"); break; default: dprintf ("UNRECOGNIZED STOP CODE! \n"); break; }}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////// Nature of address
/////////////////////////////////////////////////////////////////////
//
// Definitions from \nt\base\ntos\rtl\heappagi.h
//
#define DPH_NORMAL_BLOCK_START_STAMP_ALLOCATED 0xABCDAAAA
#define DPH_NORMAL_BLOCK_END_STAMP_ALLOCATED 0xDCBAAAAA
#define DPH_PAGE_BLOCK_START_STAMP_ALLOCATED 0xABCDBBBB
#define DPH_PAGE_BLOCK_END_STAMP_ALLOCATED 0xDCBABBBB
#define DPH_NORMAL_BLOCK_SUFFIX 0xA0
#define DPH_PAGE_BLOCK_PREFIX 0xB0
#define DPH_PAGE_BLOCK_INFIX 0xC0
#define DPH_PAGE_BLOCK_SUFFIX 0xD0
#define DPH_NORMAL_BLOCK_INFIX 0xE0
#define DPH_FREE_BLOCK_INFIX 0xF0
VOIDVrfFigureOutAddress ( ULONG64 Address ){ ULONG64 Prefix; ULONG PrefixSize; ULONG64 StartStamp, EndStamp; ULONG64 Heap; CHAR Buffer[128];
PrefixSize = GetTypeSize ("NTDLL!_DPH_BLOCK_INFORMATION");
Prefix = Address - PrefixSize;
if (InitTypeRead (Prefix, NTDLL!_DPH_BLOCK_INFORMATION) == 0) {
StartStamp = ReadField (StartStamp); EndStamp = ReadField (EndStamp); Heap = ReadField (Heap);
if (EndStamp == DPH_NORMAL_BLOCK_END_STAMP_ALLOCATED) {
dprintf ("Address %I64X is the start of a block allocated in light heap %I64X .\n", Address, Heap); } else if (EndStamp == DPH_NORMAL_BLOCK_END_STAMP_ALLOCATED - 1) {
dprintf ("Address %I64X is the start of a block freed in light heap %I64X .\n" "The block is still in the delayed free cache.\n", Address, Heap); } else if (EndStamp == DPH_NORMAL_BLOCK_END_STAMP_ALLOCATED - 2) {
dprintf ("Address %I64X is the start of a block freed in light heap %I64X .\n" "The block was recycled, it is not in the delayed free cache anymore.\n", Address, Heap); } else {
sprintf (Buffer, "-p -a %I64X", Address);
dprintf ("Searching inside page heap structures ... \n");
//
// Call the appropriate page heap extension.
//
if (WinXpClient) { DebugPageHeapExtensionXP (Buffer); } else { PageHeapExtension (Buffer); } } }}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
ULONGReadULONG ( ULONG64 Address ){ ULONG Value; ULONG BytesRead;
if (ReadMemory (Address, &Value, sizeof Value, &BytesRead) == FALSE) { dprintf ("Cannot read value @ %p. \n", Address); return 0; } else {
return Value; }}
VOIDWriteULONG ( ULONG64 Address, ULONG Value ){ ULONG BytesWritten;
if (WriteMemory (Address, &Value, sizeof Value, &BytesWritten) == FALSE) { dprintf ("Cannot write value @ %p. \n", Address); }}
VOIDWritePVOID ( ULONG64 Address, ULONG64 Value ){ ULONG BytesWritten;
if (IsPtr64()) { if (WriteMemory (Address, &Value, 8, &BytesWritten) == FALSE) { dprintf ("Cannot write pointer @ %p. \n", Address); } } else {
if (WriteMemory (Address, &Value, 4, &BytesWritten) == FALSE) { dprintf ("Cannot write pointer @ %p. \n", Address); } }}
ULONG64ReadPVOID ( ULONG64 Address ){ ULONG BytesRead;
if (IsPtr64()) { ULONG64 Value;
if (ReadMemory (Address, &Value, sizeof Value, &BytesRead) == FALSE) { dprintf ("Cannot read pointer @ %p. \n", Address); return 0; } else {
return (ULONG64)Value; } } else {
ULONG Value;
if (ReadMemory (Address, &Value, sizeof Value, &BytesRead) == FALSE) { dprintf ("Cannot read pointer @ %p. \n", Address); return 0; } else {
return (ULONG64)Value; } }}
//
// Definitions from \nt\base\win32\verifier\support.h
//
#define CNT_WAIT_SINGLE_CALLS 0
#define CNT_WAIT_SINGLEEX_CALLS 1
#define CNT_WAIT_MULTIPLE_CALLS 2
#define CNT_WAIT_MULTIPLEEX_CALLS 3
#define CNT_WAIT_WITH_TIMEOUT_CALLS 4
#define CNT_WAIT_WITH_TIMEOUT_FAILS 5
#define CNT_CREATE_EVENT_CALLS 6
#define CNT_CREATE_EVENT_FAILS 7
#define CNT_HEAP_ALLOC_CALLS 8
#define CNT_HEAP_ALLOC_FAILS 9
#define CNT_CLOSE_NULL_HANDLE_CALLS 10
#define CNT_CLOSE_PSEUDO_HANDLE_CALLS 11
#define CNT_HEAPS_CREATED 12
#define CNT_HEAPS_DESTROYED 13
#define CNT_VIRTUAL_ALLOC_CALLS 14
#define CNT_VIRTUAL_ALLOC_FAILS 15
#define CNT_MAP_VIEW_CALLS 16
#define CNT_MAP_VIEW_FAILS 17
#define CNT_OLE_ALLOC_CALLS 18
#define CNT_OLE_ALLOC_FAILS 19
VOIDVrfDumpGlobalCounters ( VOID ){ ULONG64 Address; ULONG TypeSize; ULONG Value;
Address = GetExpression("verifier!AVrfpCounter"); TypeSize = sizeof (ULONG);
Value = ReadULONG (Address + TypeSize * CNT_WAIT_SINGLE_CALLS); dprintf ("WaitForSingleObject calls: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_WAIT_SINGLEEX_CALLS); dprintf ("WaitForSingleObjectEx calls: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_WAIT_MULTIPLE_CALLS); dprintf ("WaitForMultipleObjects calls %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_WAIT_MULTIPLEEX_CALLS); dprintf ("WaitForMultipleObjectsEx calls: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_WAIT_WITH_TIMEOUT_CALLS); dprintf ("Waits with timeout calls: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_WAIT_WITH_TIMEOUT_FAILS); dprintf ("Waits with timeout failed: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_CREATE_EVENT_CALLS); dprintf ("CreateEvent calls: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_CREATE_EVENT_FAILS); dprintf ("CreateEvent calls failed: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_HEAP_ALLOC_CALLS); dprintf ("Heap allocation calls: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_HEAP_ALLOC_FAILS); dprintf ("Heap allocations failed: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_CLOSE_NULL_HANDLE_CALLS); dprintf ("CloseHandle called with null handle: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_CLOSE_PSEUDO_HANDLE_CALLS); dprintf ("CloseHandle called with pseudo handle: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_HEAPS_CREATED); dprintf ("Heaps created: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_HEAPS_DESTROYED); dprintf ("Heaps destroyed: %X \n", Value); Value = ReadULONG (Address + TypeSize * CNT_VIRTUAL_ALLOC_CALLS); dprintf ("Virtual allocation calls: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_VIRTUAL_ALLOC_FAILS); dprintf ("Virtual allocations failed: %X \n", Value); Value = ReadULONG (Address + TypeSize * CNT_MAP_VIEW_CALLS); dprintf ("Map view calls: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_MAP_VIEW_FAILS); dprintf ("Map views failed: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_OLE_ALLOC_CALLS); dprintf ("OLE string allocation calls: %X \n", Value);
Value = ReadULONG (Address + TypeSize * CNT_OLE_ALLOC_FAILS); dprintf ("OLE string allocations failed: %X \n", Value);}
//
// Definitions from \nt\base\win32\verifier\support.h
//
#define BRK_CLOSE_NULL_HANDLE 0
#define BRK_CLOSE_PSEUDO_HANDLE 1
#define BRK_CREATE_EVENT_FAIL 2
#define BRK_HEAP_ALLOC_FAIL 3
#define BRK_WAIT_WITH_TIMEOUT_FAIL 4
#define BRK_VIRTUAL_ALLOC_FAIL 5
#define BRK_MAP_VIEW_FAIL 6
#define BRK_CREATE_FILE_FAIL 7
#define BRK_CREATE_KEY_FAIL 8
#define BRK_OLE_ALLOC_FAIL 9
#define BRK_MAXIMUM_INDEX 64
VOIDVrfDumpBreakTriggers ( VOID ){ ULONG64 Address; ULONG TypeSize; ULONG Value;
Address = GetExpression("verifier!AVrfpBreak"); TypeSize = sizeof (ULONG);
Value = ReadULONG (Address + TypeSize * BRK_CLOSE_NULL_HANDLE); dprintf ("%03X : Break for closing null handle: %X \n", BRK_CLOSE_NULL_HANDLE, Value);
Value = ReadULONG (Address + TypeSize * BRK_CLOSE_PSEUDO_HANDLE); dprintf ("%03X : Break for closing pseudo handle: %X \n", BRK_CLOSE_PSEUDO_HANDLE, Value);
Value = ReadULONG (Address + TypeSize * BRK_CREATE_EVENT_FAIL); dprintf ("%03X : Break for failing CreateEvent: %X \n", BRK_CREATE_EVENT_FAIL, Value);
Value = ReadULONG (Address + TypeSize * BRK_HEAP_ALLOC_FAIL); dprintf ("%03X : Break for failing heap allocation: %X \n", BRK_HEAP_ALLOC_FAIL, Value);
Value = ReadULONG (Address + TypeSize * BRK_WAIT_WITH_TIMEOUT_FAIL); dprintf ("%03X : Break for failing a wait with timeout: %X \n", BRK_WAIT_WITH_TIMEOUT_FAIL, Value); Value = ReadULONG (Address + TypeSize * BRK_VIRTUAL_ALLOC_FAIL); dprintf ("%03X : Break for failing virtual allocation: %X \n", BRK_VIRTUAL_ALLOC_FAIL, Value); Value = ReadULONG (Address + TypeSize * BRK_MAP_VIEW_FAIL); dprintf ("%03X : Break for failing map view operations: %X \n", BRK_MAP_VIEW_FAIL, Value); Value = ReadULONG (Address + TypeSize * BRK_CREATE_FILE_FAIL); dprintf ("%03X : Break for failing create/open file operations: %X \n", BRK_CREATE_FILE_FAIL, Value); Value = ReadULONG (Address + TypeSize * BRK_CREATE_KEY_FAIL); dprintf ("%03X : Break for failing registry create/open key operations: %X \n", BRK_CREATE_KEY_FAIL, Value); Value = ReadULONG (Address + TypeSize * BRK_OLE_ALLOC_FAIL); dprintf ("%03X : Break for failing OLE string allocations: %X \n", BRK_OLE_ALLOC_FAIL, Value);}
VOIDVrfToggleBreakTrigger ( ULONG Index ){ ULONG64 Address; ULONG TypeSize; ULONG Value;
if (Index > BRK_MAXIMUM_INDEX) { dprintf ("Index %X is out of range (0..%X) \n", Index, BRK_MAXIMUM_INDEX); return; }
Address = GetExpression("verifier!AVrfpBreak"); TypeSize = sizeof (ULONG);
Value = ReadULONG (Address + TypeSize * Index);
if (Value == 0) { WriteULONG (Address + TypeSize * Index, 1); dprintf ("Break trigger %X is now enabled.\n", Index); } else {
WriteULONG (Address + TypeSize * Index, 0); dprintf ("Break trigger %X is now disabled.\n", Index); }}
//
// Definitions from \nt\base\win32\verifier\faults.h
//
#define CLS_WAIT_APIS 0
#define CLS_HEAP_ALLOC_APIS 1
#define CLS_VIRTUAL_ALLOC_APIS 2
#define CLS_REGISTRY_APIS 3
#define CLS_FILE_APIS 4
#define CLS_EVENT_APIS 5
#define CLS_MAP_VIEW_APIS 6
#define CLS_OLE_ALLOC_APIS 7
#define CLS_MAXIMUM_INDEX 16
VOIDVrfDumpFaultInjectionSettings ( VOID ){ ULONG64 Address; ULONG64 BreakAddress; ULONG64 TrueAddress; ULONG64 FalseAddress; ULONG TypeSize; ULONG Value; ULONG BreakValue; ULONG SuccessValue; ULONG FailValue;
dprintf ("Fault injection settings: Probability (break, success/failed) \n" "==============================================\n");
Address = GetExpression("verifier!AVrfpFaultProbability"); BreakAddress = GetExpression("verifier!AVrfpFaultBreak"); TrueAddress = GetExpression("verifier!AVrfpFaultTrue"); FalseAddress = GetExpression("verifier!AVrfpFaultFalse"); TypeSize = sizeof (ULONG);
Value = ReadULONG (Address + TypeSize * CLS_WAIT_APIS); BreakValue = ReadULONG (BreakAddress + TypeSize * CLS_WAIT_APIS); SuccessValue = ReadULONG (FalseAddress + TypeSize * CLS_WAIT_APIS); FailValue = ReadULONG (TrueAddress + TypeSize * CLS_WAIT_APIS); dprintf ("%03X : Wait APIs: %02X (%X, %X / %X)\n", CLS_WAIT_APIS, Value, BreakValue, SuccessValue, FailValue);
Value = ReadULONG (Address + TypeSize * CLS_HEAP_ALLOC_APIS); BreakValue = ReadULONG (BreakAddress + TypeSize * CLS_HEAP_ALLOC_APIS); SuccessValue = ReadULONG (FalseAddress + TypeSize * CLS_HEAP_ALLOC_APIS); FailValue = ReadULONG (TrueAddress + TypeSize * CLS_HEAP_ALLOC_APIS); dprintf ("%03X : Heap allocations: %02X (%X, %X / %X)\n", CLS_HEAP_ALLOC_APIS, Value, BreakValue, SuccessValue, FailValue);
Value = ReadULONG (Address + TypeSize * CLS_VIRTUAL_ALLOC_APIS); BreakValue = ReadULONG (BreakAddress + TypeSize * CLS_VIRTUAL_ALLOC_APIS); SuccessValue = ReadULONG (FalseAddress + TypeSize * CLS_VIRTUAL_ALLOC_APIS); FailValue = ReadULONG (TrueAddress + TypeSize * CLS_VIRTUAL_ALLOC_APIS); dprintf ("%03X : Virtual space allocations: %02X (%X, %X / %X)\n", CLS_VIRTUAL_ALLOC_APIS, Value, BreakValue, SuccessValue, FailValue);
Value = ReadULONG (Address + TypeSize * CLS_REGISTRY_APIS); BreakValue = ReadULONG (BreakAddress + TypeSize * CLS_REGISTRY_APIS); SuccessValue = ReadULONG (FalseAddress + TypeSize * CLS_REGISTRY_APIS); FailValue = ReadULONG (TrueAddress + TypeSize * CLS_REGISTRY_APIS); dprintf ("%03X : Registry APIs: %02X (%X, %X / %X)\n", CLS_REGISTRY_APIS, Value, BreakValue, SuccessValue, FailValue);
Value = ReadULONG (Address + TypeSize * CLS_FILE_APIS); BreakValue = ReadULONG (BreakAddress + TypeSize * CLS_FILE_APIS); SuccessValue = ReadULONG (FalseAddress + TypeSize * CLS_FILE_APIS); FailValue = ReadULONG (TrueAddress + TypeSize * CLS_FILE_APIS); dprintf ("%03X : File APIs: %02X (%X, %X / %X)\n", CLS_FILE_APIS, Value, BreakValue, SuccessValue, FailValue);
Value = ReadULONG (Address + TypeSize * CLS_EVENT_APIS); BreakValue = ReadULONG (BreakAddress + TypeSize * CLS_EVENT_APIS); SuccessValue = ReadULONG (FalseAddress + TypeSize * CLS_EVENT_APIS); FailValue = ReadULONG (TrueAddress + TypeSize * CLS_EVENT_APIS); dprintf ("%03X : Event APIs: %02X (%X, %X / %X)\n", CLS_EVENT_APIS, Value, BreakValue, SuccessValue, FailValue);
Value = ReadULONG (Address + TypeSize * CLS_MAP_VIEW_APIS); BreakValue = ReadULONG (BreakAddress + TypeSize * CLS_MAP_VIEW_APIS); SuccessValue = ReadULONG (FalseAddress + TypeSize * CLS_MAP_VIEW_APIS); FailValue = ReadULONG (TrueAddress + TypeSize * CLS_MAP_VIEW_APIS); dprintf ("%03X : Map view operations: %02X (%X, %X / %X)\n", CLS_MAP_VIEW_APIS, Value, BreakValue, SuccessValue, FailValue);
Value = ReadULONG (Address + TypeSize * CLS_OLE_ALLOC_APIS); BreakValue = ReadULONG (BreakAddress + TypeSize * CLS_OLE_ALLOC_APIS); SuccessValue = ReadULONG (FalseAddress + TypeSize * CLS_OLE_ALLOC_APIS); FailValue = ReadULONG (TrueAddress + TypeSize * CLS_OLE_ALLOC_APIS); dprintf ("%03X : OLE string allocations: %02X (%X, %X / %X)\n", CLS_OLE_ALLOC_APIS, Value, BreakValue, SuccessValue, FailValue);}
VOIDVrfSetFaultInjectionParameters ( ULONG Index, ULONG Probability ){ ULONG64 Address; ULONG TypeSize; ULONG Value;
if (Index > CLS_MAXIMUM_INDEX) { dprintf ("Index %X is out of range (0..%X) \n", Index, CLS_MAXIMUM_INDEX); return; }
if (Probability > 100) { dprintf ("Probability %X is out of range (0..%X) \n", Probability, 100); return; }
Address = GetExpression("verifier!AVrfpFaultProbability"); TypeSize = sizeof (ULONG);
WriteULONG (Address + TypeSize * Index, Probability);
dprintf ("Probability for event %X is now set to %X.\n", Index, Probability);}
VOIDVrfToggleFaultInjectionBreak ( ULONG Index ){ ULONG64 Address; ULONG TypeSize; ULONG Value;
if (Index > CLS_MAXIMUM_INDEX) { dprintf ("Index %X is out of range (0..%X) \n", Index, CLS_MAXIMUM_INDEX); return; }
Address = GetExpression("verifier!AVrfpFaultBreak"); TypeSize = sizeof (ULONG);
Value = ReadULONG (Address + TypeSize * Index);
if (Value == 0) { WriteULONG (Address + TypeSize * Index, 1); dprintf ("Will break for fault injection event %X.\n", Index); } else {
WriteULONG (Address + TypeSize * Index, 0); dprintf ("Will not break for fault injection event %X.\n", Index); }}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
VOIDVrfDumpFaultInjectionTargetRanges ( VOID ){ ULONG64 StartAddress, EndAddress; ULONG64 HitsAddress; ULONG64 IndexAddress; ULONG TypeSize; ULONG64 Start, End; ULONG MaximumIndex; ULONG Index; ULONG RangeCount = 0; ULONG Hits;
dprintf ("Fault injection target ranges (START END HITS): \n" "============================================================\n");
IndexAddress = GetExpression("verifier!AVrfpFaultTargetMaximumIndex"); StartAddress = GetExpression("verifier!AVrfpFaultTargetStart"); EndAddress = GetExpression("verifier!AVrfpFaultTargetEnd"); HitsAddress = GetExpression("verifier!AVrfpFaultTargetHits"); TypeSize = IsPtr64() ? 8 : 4;
MaximumIndex = ReadULONG (IndexAddress);
for (Index = 0; Index < MaximumIndex; Index += 1) { ReadPointer (StartAddress + TypeSize * Index, &Start); ReadPointer (EndAddress + TypeSize * Index, &End);
Hits = ReadULONG (HitsAddress + sizeof(ULONG) * Index);
if (Start == 0 && End == 0) { continue; } dprintf ("%016I64X %016I64X %X\n", Start, End, Hits); RangeCount += 1; }
if (RangeCount == 0) { dprintf ("No fault injection target ranges are active. \n"); }}
VOIDVrfAddFaultInjectionTargetRange ( ULONG64 TargetStart, ULONG64 TargetEnd ){ ULONG64 StartAddress, EndAddress; ULONG64 HitsAddress; ULONG64 IndexAddress; ULONG TypeSize; ULONG64 Start, End; ULONG MaximumIndex; ULONG Index; ULONG Hits;
IndexAddress = GetExpression("verifier!AVrfpFaultTargetMaximumIndex"); StartAddress = GetExpression("verifier!AVrfpFaultTargetStart"); EndAddress = GetExpression("verifier!AVrfpFaultTargetEnd"); HitsAddress = GetExpression("verifier!AVrfpFaultTargetHits"); TypeSize = IsPtr64() ? 8 : 4;
MaximumIndex = ReadULONG (IndexAddress);
for (Index = 0; Index < MaximumIndex; Index += 1) { ReadPointer (StartAddress + TypeSize * Index, &Start); ReadPointer (EndAddress + TypeSize * Index, &End);
if (Start == 0) { break; } }
if (Index < MaximumIndex) { WritePVOID (StartAddress + TypeSize * Index, TargetStart); WritePVOID (EndAddress + TypeSize * Index, TargetEnd); WriteULONG (HitsAddress + sizeof(ULONG) * Index, 0);
dprintf ("Target range %I64X - %I64X activated. \n", TargetStart, TargetEnd); } else {
dprintf ("No more space for additional fault target range. \n"); }}
VOIDVrfResetFaultInjectionTargetRanges ( VOID ){ ULONG64 StartAddress, EndAddress; ULONG64 HitsAddress; ULONG64 IndexAddress; ULONG TypeSize; ULONG64 Start, End; ULONG MaximumIndex; ULONG Index; ULONG Hits;
IndexAddress = GetExpression("verifier!AVrfpFaultTargetMaximumIndex"); StartAddress = GetExpression("verifier!AVrfpFaultTargetStart"); EndAddress = GetExpression("verifier!AVrfpFaultTargetEnd"); HitsAddress = GetExpression("verifier!AVrfpFaultTargetHits"); TypeSize = IsPtr64() ? 8 : 4;
MaximumIndex = ReadULONG (IndexAddress);
for (Index = 0; Index < MaximumIndex; Index += 1) { WritePVOID (StartAddress + TypeSize * Index, 0); WriteULONG (HitsAddress + sizeof(ULONG) * Index, 0); if (Index == 0) { WritePVOID (EndAddress + TypeSize * Index, ~((ULONG64)0)); } else {
WritePVOID (EndAddress + TypeSize * Index, 0); } } dprintf ("Target ranges have been reset. \n");}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
VOIDVrfDumpFaultInjectionExclusionRanges ( VOID ){ ULONG64 StartAddress, EndAddress; ULONG64 HitsAddress; ULONG64 TimeAddress; ULONG64 IndexAddress; ULONG TypeSize; ULONG64 Start, End; ULONG MaximumIndex; ULONG Index; ULONG RangeCount = 0; ULONG Hits; ULONG TimeInMsecs;
dprintf ("Fault injection exclusion ranges (START END HITS): \n" "============================================================\n");
IndexAddress = GetExpression("verifier!AVrfpFaultExclusionMaximumIndex"); StartAddress = GetExpression("verifier!AVrfpFaultExclusionStart"); EndAddress = GetExpression("verifier!AVrfpFaultExclusionEnd"); HitsAddress = GetExpression("verifier!AVrfpFaultExclusionHits"); TimeAddress = GetExpression("verifier!AVrfpFaultPeriodTimeInMsecs"); TypeSize = IsPtr64() ? 8 : 4;
MaximumIndex = ReadULONG (IndexAddress); TimeInMsecs = ReadULONG (TimeAddress);
for (Index = 0; Index < MaximumIndex; Index += 1) { ReadPointer (StartAddress + TypeSize * Index, &Start); ReadPointer (EndAddress + TypeSize * Index, &End);
Hits = ReadULONG (HitsAddress + sizeof(ULONG) * Index);
if (Start == 0 && End == 0) { continue; } dprintf ("%016I64X %016I64X %X\n", Start, End, Hits); RangeCount += 1; }
if (RangeCount == 0) { dprintf ("No fault injection exclusion ranges are active. \n"); }
if (TimeInMsecs) { dprintf ("\nFault injection disabled for the next 0x%X msecs. \n", TimeInMsecs); }}
VOIDVrfAddFaultInjectionExclusionRange ( ULONG64 TargetStart, ULONG64 TargetEnd ){ ULONG64 StartAddress, EndAddress; ULONG64 HitsAddress; ULONG64 IndexAddress; ULONG TypeSize; ULONG64 Start, End; ULONG MaximumIndex; ULONG Index; ULONG Hits;
IndexAddress = GetExpression("verifier!AVrfpFaultExclusionMaximumIndex"); StartAddress = GetExpression("verifier!AVrfpFaultExclusionStart"); EndAddress = GetExpression("verifier!AVrfpFaultExclusionEnd"); HitsAddress = GetExpression("verifier!AVrfpFaultExclusionHits"); TypeSize = IsPtr64() ? 8 : 4;
MaximumIndex = ReadULONG (IndexAddress);
for (Index = 0; Index < MaximumIndex; Index += 1) { ReadPointer (StartAddress + TypeSize * Index, &Start); ReadPointer (EndAddress + TypeSize * Index, &End);
if (Start == 0) { break; } }
if (Index < MaximumIndex) { WritePVOID (StartAddress + TypeSize * Index, TargetStart); WritePVOID (EndAddress + TypeSize * Index, TargetEnd); WriteULONG (HitsAddress + sizeof(ULONG) * Index, 0);
dprintf ("Exclusion range %I64X - %I64X activated. \n", TargetStart, TargetEnd); } else {
dprintf ("No more space for additional fault exclusion range. \n"); }}
VOIDVrfResetFaultInjectionExclusionRanges ( VOID ){ ULONG64 StartAddress, EndAddress; ULONG64 TimeAddress; ULONG64 HitsAddress; ULONG64 IndexAddress; ULONG TypeSize; ULONG64 Start, End; ULONG MaximumIndex; ULONG Index; ULONG Hits;
IndexAddress = GetExpression("verifier!AVrfpFaultExclusionMaximumIndex"); StartAddress = GetExpression("verifier!AVrfpFaultExclusionStart"); EndAddress = GetExpression("verifier!AVrfpFaultExclusionEnd"); HitsAddress = GetExpression("verifier!AVrfpFaultExclusionHits"); TimeAddress = GetExpression("verifier!AVrfpFaultPeriodTimeInMsecs"); TypeSize = IsPtr64() ? 8 : 4;
MaximumIndex = ReadULONG (IndexAddress);
for (Index = 0; Index < MaximumIndex; Index += 1) { WritePVOID (StartAddress + TypeSize * Index, 0); WritePVOID (EndAddress + TypeSize * Index, 0); WriteULONG (HitsAddress + sizeof(ULONG) * Index, 0); } WriteULONG (TimeAddress, 0);
dprintf ("Exclusion ranges have been reset. \n");}
VOIDVrfSetFaultInjectionExclusionPeriod ( ULONG64 TimeInMsecs ){ ULONG64 TimeAddress; ULONG64 HitsAddress; ULONG64 IndexAddress; ULONG TypeSize; ULONG64 Start, End; ULONG MaximumIndex; ULONG Index; ULONG Hits;
TimeAddress = GetExpression("verifier!AVrfpFaultPeriodTimeInMsecs"); TypeSize = IsPtr64() ? 8 : 4;
WriteULONG (TimeAddress, (ULONG)TimeInMsecs);
dprintf ("Fault injection disabled for the next 0x%I64X msecs. \n", TimeInMsecs);}
VOIDVrfDumpFaultInjectionTraces ( ULONG Count ){ ULONG64 TraceAddress; ULONG64 IndexAddress; ULONG64 Address; ULONG Index; ULONG MaxIndex; ULONG TraceSize; ULONG TypeSize; ULONG I;
TraceAddress = GetExpression ("verifier!AVrfpFaultTrace");
Address = GetExpression ("verifier!AVrfpFaultTraceIndex"); Index = ReadULONG(Address);
Address = GetExpression ("verifier!AVrfpFaultNumberOfTraces"); MaxIndex = ReadULONG(Address);
Address = GetExpression ("verifier!AVrfpFaultTraceSize"); TraceSize = ReadULONG(Address);
TypeSize = IsPtr64() ? 8 : 4;
if (Count > MaxIndex) { Count = MaxIndex; }
//
// Bring Index within stack trace database limits.
//
Index = Index % MaxIndex;
while (Count > 0) {
dprintf ("- - - - - - - - - - - - - - - - - - - - - - - - - \n");
for (I = 0; I < TraceSize; I += 1) { CHAR SymbolName[ 1024 ]; ULONG64 Displacement; ULONG64 ReturnAddress;
ReadPointer (TraceAddress + TypeSize * TraceSize * Index + TypeSize * I, &ReturnAddress);
if (ReturnAddress == 0) { break; } GetSymbol (ReturnAddress, SymbolName, &Displacement);
dprintf (" %p %s+0x%p\n", ReturnAddress, SymbolName, Displacement); } Index = (Index - 1) % MaxIndex;
Count -= 1; }}
PWSTRReadUnicodeString ( ULONG64 Address, PWSTR Buffer, ULONG BufferSizeInBytes ){ ULONG BytesRead; ULONG Offset; LOGICAL Result;
InitTypeRead (Address, ntdll!_UNICODE_STRING); Result = ReadMemory (ReadField(Buffer), Buffer, BufferSizeInBytes, &BytesRead);
if (Result == FALSE) { dprintf ("Cannot read UNICODE string @ %p. \n", Address); return NULL; } else {
Buffer[BufferSizeInBytes - 1] = 0;
return Buffer; }}
CHAR DllNameInChars [256];WCHAR DllNameInWChars [256];
VOIDVrfSetFaultInjectionDllTarget ( PCHAR DllName, LOGICAL Exclude ){ ULONG64 PebAddress; ULONG64 LdrAddress; ULONG Offset; ULONG64 ListStart; ULONG64 ListEntry; ULONG NameOffset;
PebAddress = VrfPebAddress ();
InitTypeRead (PebAddress, ntdll!_PEB); LdrAddress = ReadField (Ldr);
InitTypeRead (LdrAddress, ntdll!_PEB_LDR_DATA); GetFieldOffset ("ntdll!_PEB_LDR_DATA", "InLoadOrderModuleList", &Offset);
ListStart = LdrAddress + Offset;
ReadPointer(ListStart, &ListEntry);
while (ListEntry != ListStart) { GetFieldOffset ("ntdll!_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks", &Offset);
LdrAddress = ListEntry - Offset;
GetFieldOffset ("ntdll!_LDR_DATA_TABLE_ENTRY", "BaseDllName", &NameOffset);
ReadUnicodeString (LdrAddress + NameOffset, DllNameInWChars, sizeof DllNameInWChars); //
// Convert from WCHAR* to CHAR* the dll name.
//
{ PCHAR Src; ULONG Ti;
Src = (PCHAR)DllNameInWChars; Ti = 0;
while (*Src) {
if (Ti > 254) { break; }
DllNameInChars[Ti] = *Src;
Src += sizeof(WCHAR); Ti += 1; }
DllNameInChars[Ti] = 0; } if (_stricmp (DllName, DllNameInChars) == 0) { InitTypeRead (LdrAddress, ntdll!_LDR_DATA_TABLE_ENTRY); if (Exclude) { VrfAddFaultInjectionExclusionRange (ReadField (DllBase), ReadField (DllBase) + ReadField (SizeOfImage)); } else {
VrfAddFaultInjectionTargetRange (ReadField (DllBase), ReadField (DllBase) + ReadField (SizeOfImage)); }
break; }
ReadPointer(ListEntry, &ListEntry); }}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
VOIDVrfDumpExceptionLog ( ULONG MaxEntries ){ ULONG64 TempAddress; ULONG64 ExceptionLogAddress; ULONG64 CurrentLogEntryAddress; ULONG64 Value; ULONG ExceptionLogEntriesNo; ULONG CurrentLogIndex; ULONG BytesRead; ULONG LogEntrySize; ULONG LogEntry; ULONG EntriedDumped = 0; //
// Read the start of the exception log database.
//
ExceptionLogAddress = GetExpression ("&verifier!AVrfpExceptionLog"); if (ExceptionLogAddress == 0 ) {
dprintf ("No exception information available (unable to resolve verifier!AVrfpExceptionLog)\n"); return; }
if (!ReadPointer (ExceptionLogAddress, &ExceptionLogAddress) != S_OK) {
dprintf ("No exception information available (cannot read pointer from address %p)\n", ExceptionLogAddress); return; }
//
// Read the number of entries in the exception log database.
//
TempAddress = GetExpression ("&verifier!AVrfpExceptionLogEntriesNo");
if (TempAddress == 0 ) {
dprintf ("No exception information available (unable to resolve verifier!AVrfpExceptionLogEntriesNo)\n"); return; }
ExceptionLogEntriesNo = ReadULONG(TempAddress);
if (ExceptionLogEntriesNo <= 1) { return; }
//
// Read the current index in the exception log database.
//
TempAddress = GetExpression ("&verifier!AVrfpExceptionLogCurrentIndex");
if (TempAddress == 0 ) {
dprintf ("No exception information available (unable to resolve verifier!AVrfpExceptionLogCurrentIndex)\n"); return; }
if (ReadMemory (TempAddress, &CurrentLogIndex, sizeof (CurrentLogIndex), &BytesRead) == FALSE) {
dprintf ("Error: cannot read value at %p\n", TempAddress); return; }
CurrentLogIndex = CurrentLogIndex % ExceptionLogEntriesNo;
//
// Read the AVRF_EXCEPTION_LOG_ENTRY type size.
//
LogEntrySize = GetTypeSize ("verifier!_AVRF_EXCEPTION_LOG_ENTRY");
if (LogEntrySize == 0) {
dprintf ("Error: cannot get verifier!_AVRF_EXCEPTION_LOG_ENTRY type size.\n"); return; }
//
// Parse all the log entries.
//
for (LogEntry = 0; LogEntry < ExceptionLogEntriesNo && LogEntry < MaxEntries; LogEntry += 1) {
if (CheckControlC()) {
break; }
CurrentLogEntryAddress = ExceptionLogAddress + CurrentLogIndex * LogEntrySize;
if (InitTypeRead(CurrentLogEntryAddress, verifier!_AVRF_EXCEPTION_LOG_ENTRY)) {
dprintf ("Error: cannot read log entry at %p\n", CurrentLogEntryAddress); } else {
Value = ReadField (ThreadId);
if (Value == 0) {
//
// This is the last entry in our log.
//
break; }
EntriedDumped += 1;
dprintf ("=================================\n");
dprintf ("Thread ID: %p\n", Value);
Value = ReadField (ExceptionCode); dprintf ("Exception code: %I64x\n", Value);
Value = ReadField (ExceptionAddress); dprintf ("Exception address: %p\n", Value);
Value = ReadField (ExceptionRecord); dprintf ("Exception record: %p\n", Value);
Value = ReadField (ContextRecord); dprintf ("Context record: %p\n", Value); }
if (CurrentLogIndex > 0) {
CurrentLogIndex -= 1; } else {
CurrentLogIndex = ExceptionLogEntriesNo - 1; } }
if (EntriedDumped == 0) {
dprintf ("No exception log entries available.\n"); } else {
dprintf ("\nDisplayed %u exception log entries.\n", EntriedDumped); }}
#define THREAD_TABLE_SIZE 61
VOIDVrfDumpThreadsInformation ( ULONG64 UserThreadId ){ ULONG64 CrtListHeadAddress; ULONG64 Flink; ULONG64 Displacement; ULONG64 ThreadId; ULONG64 ThreadParentId; ULONG64 ThreadParameter; ULONG64 ThreadStackSize; ULONG64 ThreadStartAddress; ULONG64 ThreadCreationFlags; ULONG64 TempAddress; ULONG CrtListIndex; ULONG PtrSize; ULONG DumpedThreads; ULONG ThreadTableLength; BOOL Continue; CHAR SeparatorString[] = "===================================================\n"; CHAR Symbol[ 1024 ];
PtrSize = IsPtr64() ? 8 : 4;
DumpedThreads = 0;
//
// Get the length of the thread list array.
//
TempAddress = GetExpression ("&verifier!AVrfpThreadTableEntriesNo");
if (TempAddress == 0 ) {
ThreadTableLength = THREAD_TABLE_SIZE; } else {
ThreadTableLength = ReadULONG(TempAddress);
if (ThreadTableLength <= 1) { return; } }
//
// Get the address of the thread list array.
//
CrtListHeadAddress = GetExpression ("&verifier!AVrfpThreadTable");
if (CrtListHeadAddress == 0 ) {
dprintf ("Unable read thread table (verifier!AVrfpThreadTable))\n"); return; }
for (CrtListIndex = 0; CrtListIndex < ThreadTableLength; CrtListIndex += 1, CrtListHeadAddress += 2 * PtrSize) {
if (CheckControlC()) {
break; }
//
// Read the first Flink from the list.
//
if (ReadPtr (CrtListHeadAddress, &Flink) != S_OK) {
dprintf ("Cannot read list head from %p\n", CrtListHeadAddress); continue; }
//
// Parse all the elements of this list.
//
Continue = TRUE;
while (Flink != CrtListHeadAddress) {
if (CheckControlC()) {
Continue = FALSE; break; }
if (InitTypeRead(Flink, verifier!_AVRF_THREAD_ENTRY)) {
dprintf ("Error: cannot read verifier thread structure from %p\n", Flink); break; }
ThreadId = ReadField (Id); if (UserThreadId == 0 || UserThreadId == ThreadId) {
ThreadStartAddress = ReadField (Function);
if (ThreadStartAddress != 0) {
GetSymbol (ThreadStartAddress, Symbol, &Displacement); ThreadParameter = ReadField (Parameter); ThreadParentId = ReadField (ParentThreadId); ThreadStackSize = ReadField (StackSize); ThreadCreationFlags = ReadField (CreationFlags); }
DumpedThreads += 1;
dprintf (SeparatorString); dprintf ("Thread ID = 0x%X\n", (ULONG)ThreadId); if (ThreadStartAddress == 0) {
dprintf ("Initial thread\n"); } else {
dprintf ("Parent thread ID = 0x%X\n", (ULONG)ThreadParentId); if (Displacement != 0) {
dprintf ("Start address = 0x%p: %s+0x%I64X\n", ThreadStartAddress, Symbol, Displacement); } else {
dprintf ("Start address = 0x%p: %s\n", ThreadStartAddress, Symbol); }
if (ThreadParameter != 0) {
dprintf ("Parameter = 0x%p\n", ThreadParameter); }
if (ThreadStackSize != 0) {
dprintf ("Stack size specified by parent = 0x%p\n", ThreadStackSize); }
if (ThreadCreationFlags != 0) {
dprintf ("CreateThread flags specified by parent = 0x%X\n", (ULONG)ThreadCreationFlags); } } }
//
// Go to the next thread.
//
if (ReadPtr (Flink, &Flink) != S_OK) {
dprintf ("Cannot read next list element address from %p\n", Flink); break; } }
if (Continue == FALSE) {
break; } }
dprintf (SeparatorString); dprintf ("Number of threads displayed: 0x%X\n", DumpedThreads);}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////// Call tracker querying
/////////////////////////////////////////////////////////////////////
//
// This codes are defined in \nt\base\win32\verifier\tracker.h
//
#define TRACK_HEAP_ALLOCATE 1
#define TRACK_HEAP_REALLOCATE 2
#define TRACK_HEAP_FREE 3
#define TRACK_VIRTUAL_ALLOCATE 4
#define TRACK_VIRTUAL_FREE 5
#define TRACK_VIRTUAL_PROTECT 6
#define TRACK_MAP_VIEW_OF_SECTION 7
#define TRACK_UNMAP_VIEW_OF_SECTION 8
#define TRACK_EXIT_PROCESS 9
#define TRACK_TERMINATE_THREAD 10
#define TRACK_SUSPEND_THREAD 11
ULONG64 VrfThreadTrackerAddress;ULONG64 VrfHeapTrackerAddress;ULONG64 VrfVspaceTrackerAddress;
LOGICALVrfDetectTrackerAddresses ( VOID ){ ULONG64 SymbolAddress;
SymbolAddress = GetExpression ("verifier!AVrfThreadTracker");
if (!ReadPointer (SymbolAddress, &VrfThreadTrackerAddress) != S_OK) { dprintf( "Error: cannot read pointer at verifier!AVrfThreadTracker \n" ); return FALSE; }
SymbolAddress = GetExpression ("verifier!AVrfHeapTracker");
if (!ReadPointer (SymbolAddress, &VrfHeapTrackerAddress) != S_OK) { dprintf( "Error: cannot read pointer at verifier!AVrfHeapTracker \n" ); return FALSE; }
SymbolAddress = GetExpression ("verifier!AVrfVspaceTracker");
if (!ReadPointer (SymbolAddress, &VrfVspaceTrackerAddress) != S_OK) { dprintf( "Error: cannot read pointer at verifier!AVrfVspaceTracker \n" ); return FALSE; }
return TRUE;}
LOGICALVrfCallTrackerHeapSearchFilter ( ULONG64 SearchAddress, PULONG64 Info ){ if (Info[4] == TRACK_HEAP_ALLOCATE) { if (Info[0] <= SearchAddress && SearchAddress < Info[0] + Info[1]) { return TRUE; } } else if (Info[4] == TRACK_HEAP_FREE) { if (Info[0] == SearchAddress) { return TRUE; } } else if (Info[4] == TRACK_HEAP_REALLOCATE) { if (Info[1] <= SearchAddress && SearchAddress < Info[1] + Info[2]) { return TRUE; }
if (Info[0] == SearchAddress) { return TRUE; } } return FALSE;}
LOGICALVrfCallTrackerVspaceSearchFilter ( ULONG64 SearchAddress, PULONG64 Info ){ if (Info[4] == TRACK_VIRTUAL_ALLOCATE || Info[4] == TRACK_MAP_VIEW_OF_SECTION ) { if (Info[0] <= SearchAddress && SearchAddress < Info[0] + Info[1]) { return TRUE; } } else { if (Info[0] == SearchAddress) { return TRUE; } } return FALSE;}
LOGICALVrfCallTrackerSearchFilter ( ULONG64 TrackerAddress, ULONG64 SearchAddress, PULONG64 Info ){ if (TrackerAddress == VrfThreadTrackerAddress) {
return FALSE; } else if (TrackerAddress == VrfHeapTrackerAddress) {
return VrfCallTrackerHeapSearchFilter (SearchAddress, Info); } else if (TrackerAddress == VrfVspaceTrackerAddress) {
return VrfCallTrackerVspaceSearchFilter (SearchAddress, Info); } else {
dprintf ("Error: unrecognized call tracker address %p \n", TrackerAddress); return FALSE; } return FALSE;}
PCHAR VrfCallTrackerEntryName ( ULONG64 Type ){ switch (Type) { case TRACK_HEAP_ALLOCATE: return "HeapAlloc"; case TRACK_HEAP_REALLOCATE: return "HeapReAlloc"; case TRACK_HEAP_FREE: return "HeapFree"; case TRACK_VIRTUAL_ALLOCATE: return "VirtualAlloc"; case TRACK_VIRTUAL_FREE: return "VirtualFree"; case TRACK_VIRTUAL_PROTECT: return "VirtualProtect"; case TRACK_MAP_VIEW_OF_SECTION: return "MapView"; case TRACK_UNMAP_VIEW_OF_SECTION: return "UnmapView"; case TRACK_EXIT_PROCESS: return "ExitProcess"; case TRACK_TERMINATE_THREAD: return "TerminateThread"; case TRACK_SUSPEND_THREAD: return "SuspendThread"; default: return "unknown!"; }}
LOGICALVrfQueryCallTracker ( ULONG64 TrackerAddress, ULONG64 SearchAddress, ULONG64 LastEntries ){ ULONG64 TrackerSize; ULONG64 TrackerIndex; ULONG EntriesOffset; ULONG Result; ULONG EntrySize; ULONG64 EntryAddress; ULONG64 Index; ULONG64 EntryInfo[5]; ULONG64 EntryTraceDepth; ULONG TraceOffset; LOGICAL FullTracker = FALSE; LOGICAL FoundEntry = FALSE; LOGICAL AtLeastOneEntry = FALSE; ULONG PvoidSize; ULONG64 ReturnAddress; ULONG I; CHAR Symbol [1024]; ULONG64 Displacement;
//
// Read all type sizes and field offsets required to traverse the call tracker.
//
if (InitTypeRead (TrackerAddress, verifier!_AVRF_TRACKER)) { dprintf("Error: failed to read type verifier!_AVRF_TRACKER @ %p\n", TrackerAddress); return FALSE; }
TrackerSize = ReadField (Size); TrackerIndex = ReadField (Index);
if (GetFieldOffset ("verifier!_AVRF_TRACKER", "Entry", &EntriesOffset) != S_OK) { dprintf("Error: failed to get offset of `Entry' in type verifier!_AVRF_TRACKER\n"); return FALSE; }
if (GetFieldOffset ("verifier!_AVRF_TRACKER_ENTRY", "Trace", &TraceOffset) != S_OK) { dprintf("Error: failed to get offset of `Trace' in type verifier!_AVRF_TRACKER_ENTRY\n"); return FALSE; }
EntrySize = GetTypeSize ("verifier!_AVRF_TRACKER_ENTRY");
if (EntrySize == 0) { dprintf("Error: failed to get size of type verifier!_AVRF_TRACKER_ENTRY\n"); return FALSE; }
PvoidSize = IsPtr64() ? 8 : 4; //
// Figure out how many valid entries are in the tracker.
//
if (TrackerIndex == 0) { dprintf ("The tracker has zero entries. \n"); return TRUE; }
if (SearchAddress != 0) { if (TrackerIndex < TrackerSize) { dprintf ("Searching call tracker @ %p with %I64u valid entries ... \n", TrackerAddress, TrackerIndex); } else { dprintf ("Searching call tracker @ %p with %I64u valid entries ... \n", TrackerAddress, TrackerSize);
FullTracker = TRUE; } } else {
if (TrackerIndex < TrackerSize) {
dprintf ("Dumping last %I64u entries from tracker @ %p with %I64u valid entries ... \n", LastEntries, TrackerAddress, TrackerIndex); } else { dprintf ("Dumping last %I64u entries from tracker @ %p with %I64u valid entries ... \n", LastEntries, TrackerAddress, TrackerSize);
FullTracker = TRUE; } }
//
// Compute last entry in the call tracker.
//
EntryAddress = TrackerAddress + EntriesOffset + EntrySize * TrackerIndex;
//
// Start a loop iterating in reverse all tracker entries from the
// most recent to the oldest one logged
//
for (Index = 0; Index < TrackerSize; Index += 1) { //
// Check for user interruption.
//
if (CheckControlC ()) { dprintf ("Search interrupted. \n"); break; }
//
// If we have already printed the last N entries stop.
//
if (SearchAddress == 0) { if (Index >= LastEntries) { break; } } //
// Read the current tracker entry.
//
if (InitTypeRead (EntryAddress, verifier!_AVRF_TRACKER_ENTRY)) { dprintf("Error: failed to read type verifier!_AVRF_TRACKER_ENTRY @ %p\n", EntryAddress); return FALSE; }
EntryInfo[0] = ReadField (Info[0]); EntryInfo[1] = ReadField (Info[1]); EntryInfo[2] = ReadField (Info[2]); EntryInfo[3] = ReadField (Info[3]); EntryInfo[4] = ReadField (Type); EntryTraceDepth = ReadField (TraceDepth);
FoundEntry = TRUE;
//
// If we are searching for an address and the current entry
// does not satisfy the search condition then move on.
//
if (SearchAddress != 0) { if (VrfCallTrackerSearchFilter(TrackerAddress, SearchAddress, EntryInfo) == FALSE) { FoundEntry = FALSE; } }
//
// Dump the tracker entry.
//
if (FoundEntry) { dprintf ("-------------------------------------------------------------- \n" "%s: %I64X %I64X %I64X %I64X \n\n", VrfCallTrackerEntryName (EntryInfo[4]), EntryInfo[0], EntryInfo[1], EntryInfo[2], EntryInfo[3]);
for (I = 0; I < EntryTraceDepth; I += 1) { ReturnAddress = 0; ReadPointer (EntryAddress + TraceOffset + I * PvoidSize, &ReturnAddress); GetSymbol (ReturnAddress, Symbol, &Displacement); dprintf ("\t%p: %s+0x%I64X\n", ReturnAddress, Symbol, Displacement ); }
AtLeastOneEntry = TRUE; }
//
// Move to the previous tracker entry.
//
if (FullTracker) { if (TrackerIndex > 0) { TrackerIndex -= 1; } else { TrackerIndex = TrackerSize - 1; } } else {
if (TrackerIndex == 1) { break; } else { TrackerIndex -= 1; } }
EntryAddress = TrackerAddress + EntriesOffset + EntrySize * TrackerIndex; }
//
// If we searched for an address and did not find any print a sorry message.
//
if (SearchAddress != 0 && AtLeastOneEntry == FALSE) { dprintf ("No entries found. \n"); }
return TRUE;}
/////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////// Symbol checking
/////////////////////////////////////////////////////////////////////
#define CHECK_NAME(Name, Dll) { \
if (GetExpression(Name) == 0) { \ dprintf ("Failed to resolve `%s' to an address. \n", Name); \ Result = FALSE; \ *DllName = Dll; \ goto Exit; \ } \ }
#define CHECK_TYPE(Name, Dll) { \
if (GetTypeSize(Name) == 0) { \ dprintf ("No type information found for `%s'. \n", Name); \ Result = FALSE; \ *DllName = Dll; \ goto Exit; \ } \ }
LOGICALVrfCheckSymbols ( PCHAR * DllName ){ LOGICAL Result = TRUE;
CHECK_TYPE ("ntdll!_PEB", "ntdll.dll");
if (VrfPebAddress() == 0) {
dprintf ("Failed to get the address of the PEB structure.\n"); *DllName = "ntdll.dll"; return FALSE; }
if (VrfVerifierGlobalFlagSet() == FALSE) {
dprintf ("Application verifier is not enabled for this process.\n" "Use appverif.exe tool to enable it. \n"); *DllName = NULL; return FALSE; }
//
// ntdll.dll variables
//
CHECK_NAME ("ntdll!RtlpStackTraceDataBase", "ntdll.dll"); CHECK_NAME ("ntdll!AVrfpVerifierFlags", "ntdll.dll");
//
// ntdll.dll types
//
CHECK_TYPE ("ntdll!_RTL_CRITICAL_SECTION", "ntdll.dll"); CHECK_TYPE ("ntdll!_RTL_CRITICAL_SECTION_DEBUG", "ntdll.dll"); CHECK_TYPE ("ntdll!_RTL_STACK_TRACE_ENTRY", "ntdll.dll"); CHECK_TYPE ("ntdll!_STACK_TRACE_DATABASE", "ntdll.dll"); CHECK_TYPE ("ntdll!_DPH_HEAP_ROOT", "ntdll.dll"); CHECK_TYPE ("ntdll!_DPH_HEAP_BLOCK", "ntdll.dll"); CHECK_TYPE ("ntdll!_DPH_BLOCK_INFORMATION", "ntdll.dll"); CHECK_TYPE ("ntdll!ULONG_PTR", "ntdll.dll"); CHECK_TYPE ("ntdll!_UNICODE_STRING", "ntdll.dll"); CHECK_TYPE ("ntdll!_PEB", "ntdll.dll"); CHECK_TYPE ("ntdll!_PEB_LDR_DATA", "ntdll.dll"); CHECK_TYPE ("ntdll!_LDR_DATA_TABLE_ENTRY", "ntdll.dll");
//
// verifier.dll types
//
CHECK_TYPE ("verifier!_AVRF_EXCEPTION_LOG_ENTRY", "verifier.dll"); CHECK_TYPE ("verifier!_AVRF_DEADLOCK_GLOBALS", "verifier.dll"); CHECK_TYPE ("verifier!_AVRF_DEADLOCK_RESOURCE", "verifier.dll"); CHECK_TYPE ("verifier!_AVRF_DEADLOCK_NODE", "verifier.dll"); CHECK_TYPE ("verifier!_AVRF_DEADLOCK_THREAD", "verifier.dll"); CHECK_TYPE ("verifier!_AVRF_THREAD_ENTRY", "verifier.dll"); CHECK_TYPE ("verifier!_AVRF_TRACKER", "verifier.dll"); CHECK_TYPE ("verifier!_AVRF_TRACKER_ENTRY", "verifier.dll");
//
// Cache some addresses we may need.
//
VrfDetectTrackerAddresses ();
Exit:
//
// On WinXP !avrf does not work with retail symbols because they do
// not have the type information required. This has been fixed in .NET using
// the ntdllsym/verifiersym solution.
//
if (Result == FALSE && WinXpClient == TRUE) { dprintf ("\nThis extension requires symbols with type information \n" "for ntdll.dll and verifier.dll. \n\n"); }
return Result;}
|
