/*++ Copyright (c) 1990 Microsoft Corporation Module Name: stat.c Abstract: Pentium stat driver. Author: Ken Reneris Environment: Notes: Revision History: --*/ #include "stdarg.h" #include "stdio.h" #define _NTDDK_ #include "ntos.h" // *** USES INTERNAL DEFINES *** #include "..\..\pstat.h" #include "stat.h" #include "zwapi.h" typedef VOID (*pHalProfileInterrupt) ( KPROFILE_SOURCE ProfileSource ); // // Global data (not in device extension) // // // stats // PACCUMULATORS StatProcessorAccumulators[MAXIMUM_PROCESSORS]; ACCUMULATORS StatGlobalAccumulators [MAXIMUM_PROCESSORS]; PKPCR KiProcessorControlRegister [MAXIMUM_PROCESSORS]; // // hooked thunks // ULONG KeUpdateSystemTimeThunk; ULONG KeUpdateRunTimeThunk; pHalProfileInterrupt HaldStartProfileInterrupt; pHalProfileInterrupt HaldStopProfileInterrupt; pHalQuerySystemInformation HaldQuerySystemInformation; pHalSetSystemInformation HaldSetSystemInformation; // // hardware control // ULONG NoCESR; ULONG MsrCESR; ULONG MsrCount; #define MsrTSC 0x10 #define NoCount 2 ULONG CESR[MAX_EVENTS]; ULONG EventID[MAX_EVENTS]; FAST_MUTEX HookLock; ULONG StatMaxThunkCounter; LIST_ENTRY HookedThunkList; LIST_ENTRY LazyFreeList; ULONG LazyFreeCountdown; KTIMER LazyFreeTimer; KDPC LazyFreeDpc; WORK_QUEUE_ITEM LazyFreePoolWorkItem; extern COUNTED_EVENTS P5Events[]; extern COUNTED_EVENTS P6Events[]; ULONG MaxEvent; PCOUNTED_EVENTS Events; ULONG ProcType; #define GENERIC_X86 0 #define INTEL_P5 1 #define INTEL_P6 2 // // Profile support // #define PROFILE_SOURCE_BASE 0x1000 typedef struct { ULONG CESR; KPROFILE_SOURCE Source; ULONGLONG InitialCount; } PROFILE_EVENT, *PPROFILE_EVENT; BOOLEAN DisableRDPMC; BOOLEAN ProfileSupported; PPROFILE_EVENT ProfileEvents, CurrentProfileEvent; ULONGLONG FASTCALL RDMSR(ULONG); VOID WRMSR(ULONG, ULONGLONG); VOID StatSystemTimeHook(VOID); VOID StatRunTimeHook(VOID); VOID SystemTimeHook(VOID); VOID RunTimeHook(VOID); PKPCR CurrentPcr(VOID); ULONG GetCR4(VOID); VOID SetCR4(ULONG); NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ); NTSTATUS StatDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); NTSTATUS StatQueryEvents ( ULONG Index, PEVENTID Buffer, ULONG Length ); NTSTATUS StatQueryEventsInfo ( PEVENTS_INFO Buffer, ULONG Length ); NTSTATUS StatHookGenericThunk ( IN PHOOKTHUNK Buffer ); VOID StatRemoveGenericHook ( IN PULONG pTracerId ); NTSTATUS StatOpen( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); NTSTATUS StatClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); BOOLEAN StatHookTimer (VOID); VOID StatReadStats (PULONG Buffer); VOID StatSetCESR (PSETEVENT); ULONG StatGetP5CESR (PSETEVENT); ULONG StatGetP6CESR (PSETEVENT, BOOLEAN); VOID RemoveAllHookedThunks (VOID); VOID FASTCALL TimerHook (ULONG p); VOID FASTCALL TimerHook (ULONG p); VOID SetMaxThunkCounter (VOID); VOID RemoveAllHookedThunks (VOID); VOID LazyFreePoolDPC (PKDPC, PVOID, PVOID, PVOID); VOID LazyFreePool (PVOID); VOID StatEnableRDPMC( ); PPROFILE_EVENT StatProfileEvent ( KPROFILE_SOURCE Source ); VOID StatStartProfileInterrupt ( KPROFILE_SOURCE Source ); VOID StatStopProfileInterrupt ( KPROFILE_SOURCE Source ); NTSTATUS FASTCALL StatProfileInterrupt ( IN PKTRAP_FRAME TrapFrame ); NTSTATUS StatQuerySystemInformation( IN HAL_QUERY_INFORMATION_CLASS InformationClass, IN ULONG BufferSize, OUT PVOID Buffer, OUT PULONG ReturnedLength ); NTSTATUS StatSetSystemInformation( IN HAL_SET_INFORMATION_CLASS InformationClass, IN ULONG BufferSize, IN PVOID Buffer ); VOID CreateHook ( IN PVOID HookCode, IN PVOID HookAddress, IN ULONG HitCounters, IN ULONG HookType ); NTSTATUS openfile ( IN PHANDLE FileHandle, IN PUCHAR BasePath, IN PUCHAR Name ); VOID readfile ( HANDLE handle, ULONG offset, ULONG len, PVOID buffer ); ULONG ImportThunkAddress ( IN PUCHAR SourceModule, IN ULONG_PTR ImageBase, IN PUCHAR ImportModule, IN PUCHAR ThunkName, IN PVOID ModuleList ); ULONG ImportThunkAddressModule ( IN PRTL_PROCESS_MODULE_INFORMATION SourceModule, IN PUCHAR ImportModule, IN PUCHAR ThunkName ); ULONG ImportThunkAddressProcessFile( IN ULONG_PTR ImageBase, IN HANDLE FileHandle, IN PUCHAR ImportModule, IN PUCHAR ThunkName ); ULONG_PTR LookupImageBase ( IN PUCHAR SourceModule, IN PVOID ModuleList ); ULONG ConvertImportAddress ( IN ULONG ImageRelativeAddress, IN ULONG PoolAddress, IN PIMAGE_SECTION_HEADER SectionHeader ); #if 0 PRTL_PROCESS_MODULE_INFORMATION GetModuleInformationFuzzy( IN PUCHAR StartsWith, IN PUCHAR EndsWith, IN PRTL_PROCESS_MODULES Modules ); #endif VOID FASTCALL NakedCallToKeProfileInterruptWithSource( IN PKTRAP_FRAME TrapFrame, IN KPROFILE_SOURCE Source ); PVOID GetLoadedModuleList( VOID ); #ifdef ALLOC_PRAGMA #pragma alloc_text(INIT,DriverEntry) #pragma alloc_text(INIT,StatHookTimer) #pragma alloc_text(PAGE,StatDeviceControl) #pragma alloc_text(PAGE,StatOpen) #pragma alloc_text(PAGE,StatClose) #pragma alloc_text(PAGE,StatReadStats) #pragma alloc_text(PAGE,StatSetCESR) #pragma alloc_text(PAGE,StatGetP5CESR) #pragma alloc_text(PAGE,StatGetP6CESR) #pragma alloc_text(PAGE,StatDeviceControl) #pragma alloc_text(PAGE,StatQueryEvents) #pragma alloc_text(PAGE,ImportThunkAddress) #pragma alloc_text(PAGE,ImportThunkAddressModule) #pragma alloc_text(PAGE,ImportThunkAddressProcessFile) #pragma alloc_text(PAGE,StatHookGenericThunk) #pragma alloc_text(PAGE,StatRemoveGenericHook) #pragma alloc_text(PAGE,SetMaxThunkCounter) #pragma alloc_text(PAGE,LazyFreePool) #pragma alloc_text(PAGE,StatQuerySystemInformation) #pragma alloc_text(PAGE,StatSetSystemInformation) #pragma alloc_text(PAGE,openfile) #pragma alloc_text(PAGE,readfile) #pragma alloc_text(PAGE,LookupImageBase) #pragma alloc_text(PAGE,ConvertImportAddress) #pragma alloc_text(PAGE,StatEnableRDPMC) #pragma alloc_text(PAGE,GetLoadedModuleList) #endif VOID StatEnableRDPMC() { ULONG Cr4; PKPRCB Prcb; Prcb = CurrentPcr()->Prcb; if (strcmp(Prcb->VendorString, "GenuineIntel") == 0) { // // Profiling only supported on family 6 or above. // if (Prcb->CpuType < 6) { DisableRDPMC = TRUE; return; } // // Check for busted parts. Anything below stepping 6,1,9 // is subject to errata 26 which says RDPMC cannot be used // with SMM. As we have know way of knowing if SMM is in // use (but it probably is), we must disable on those chips. // if ((Prcb->CpuType == 6) && (Prcb->CpuStep < 0x0109)) { DisableRDPMC = TRUE; return; } // // This processor is believed to be able to handle RDPMC // from user mode. Enable it by setting CR4.PCE (bit 8). // Cr4 = GetCR4(); Cr4 |= 0x100; SetCR4(Cr4); } } NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) /*++ Routine Description: This routine initializes the stat driver. Arguments: DriverObject - Pointer to driver object created by system. RegistryPath - Pointer to the Unicode name of the registry path for this driver. Return Value: The function value is the final status from the initialization operation. --*/ { UNICODE_STRING unicodeString; PDEVICE_OBJECT deviceObject; NTSTATUS status; ULONG i; KdPrint(( "STAT: DriverEntry()\n" )); // // Create non-exclusive device object for beep device. // RtlInitUnicodeString(&unicodeString, L"\\Device\\PStat"); status = IoCreateDevice( DriverObject, 0, &unicodeString, FILE_DEVICE_UNKNOWN, // DeviceType 0, FALSE, &deviceObject ); if (status != STATUS_SUCCESS) { KdPrint(( "Stat - DriverEntry: unable to create device object: %X\n", status )); return(status); } deviceObject->Flags |= DO_BUFFERED_IO; // // Set up the device driver entry points. // DriverObject->MajorFunction[IRP_MJ_CREATE] = StatOpen; DriverObject->MajorFunction[IRP_MJ_CLOSE] = StatClose; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = StatDeviceControl; // // Initialize globals // for (i = 0; i < MAXIMUM_PROCESSORS; i++) { StatProcessorAccumulators[i] = &StatGlobalAccumulators[i]; } ExInitializeFastMutex (&HookLock); KeInitializeDpc (&LazyFreeDpc, LazyFreePoolDPC, 0); ExInitializeWorkItem (&LazyFreePoolWorkItem, LazyFreePool, NULL) KeInitializeTimer (&LazyFreeTimer); if (strcmp (CurrentPcr()->Prcb->VendorString, "GenuineIntel") == 0) { switch (CurrentPcr()->Prcb->CpuType) { case 5: NoCESR = 1; MsrCESR = 0x11; MsrCount = 0x12; Events = P5Events; ProcType = INTEL_P5; ProfileSupported = FALSE; DisableRDPMC = TRUE; break; case 6: NoCESR = 2; MsrCESR = 0x186; MsrCount = 0xc1; Events = P6Events; ProcType = INTEL_P6; ProfileSupported = TRUE; DisableRDPMC = FALSE; break; } } if (Events) { while (Events[MaxEvent].Description) { MaxEvent += 1; } } if (ProfileSupported) { i = (ULONG) StatProfileInterrupt; status = HalSetSystemInformation ( HalProfileSourceInterruptHandler, sizeof (i), &i ); if (!NT_SUCCESS(status)) { // hal did not support hooking the performance interrupt ProfileSupported = FALSE; } } if (ProfileSupported) { // // Allocate ProfileEvents // ProfileEvents = ExAllocatePool (NonPagedPool, sizeof (PROFILE_EVENT) * MaxEvent); if (!ProfileEvents) { ProfileSupported = FALSE; } else { RtlZeroMemory (ProfileEvents, sizeof (PROFILE_EVENT) * MaxEvent); } } if (!StatHookTimer()) { IoDeleteDevice(DriverObject->DeviceObject); return STATUS_UNSUCCESSFUL; } InitializeListHead (&HookedThunkList); InitializeListHead (&LazyFreeList); return(STATUS_SUCCESS); } NTSTATUS StatDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) /*++ Routine Description: This routine is the dispatch routine for device control requests. Arguments: DeviceObject - Pointer to class device object. Irp - Pointer to the request packet. Return Value: Status is returned. --*/ { PIO_STACK_LOCATION irpSp; NTSTATUS status; ULONG BufferLength; PULONG Buffer; // // Get a pointer to the current parameters for this request. The // information is contained in the current stack location. // irpSp = IoGetCurrentIrpStackLocation(Irp); // // Case on the device control subfunction that is being performed by the // requestor. // status = STATUS_SUCCESS; try { Buffer = (PULONG) irpSp->Parameters.DeviceIoControl.Type3InputBuffer; BufferLength = irpSp->Parameters.DeviceIoControl.InputBufferLength; switch (irpSp->Parameters.DeviceIoControl.IoControlCode) { case PSTAT_READ_STATS: // // read stats // StatReadStats (Buffer); break; case PSTAT_SET_CESR: // // Set MSRs to collect stats // StatSetCESR ((PSETEVENT) Buffer); break; case PSTAT_HOOK_THUNK: // // Hook an import entry point // status = StatHookGenericThunk ((PHOOKTHUNK) Buffer); break; case PSTAT_REMOVE_HOOK: // // Remove a hook from an entry point // StatRemoveGenericHook (Buffer); break; case PSTAT_QUERY_EVENTS: // // Query possible stats which can be collected // status = StatQueryEvents (*Buffer, (PEVENTID) Buffer, BufferLength); break; case PSTAT_QUERY_EVENTS_INFO: // // Query events info // status = StatQueryEventsInfo( (PEVENTS_INFO) Buffer, BufferLength ); break; default: status = STATUS_INVALID_PARAMETER; break; } } except(EXCEPTION_EXECUTE_HANDLER) { status = GetExceptionCode(); } // // Request is done... // IoCompleteRequest(Irp, IO_NO_INCREMENT); return(status); } NTSTATUS StatOpen( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { PAGED_CODE(); // // Complete the request and return status. // Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IoCompleteRequest(Irp, IO_NO_INCREMENT); return(STATUS_SUCCESS); } NTSTATUS StatClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { PAGED_CODE(); // // Complete the request and return status. // RemoveAllHookedThunks (); Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IoCompleteRequest(Irp, IO_NO_INCREMENT); return(STATUS_SUCCESS); } #if 0 VOID StatUnload ( IN PDRIVER_OBJECT DriverObject ) { PDEVICE_OBJECT deviceObject; PAGED_CODE(); RemoveAllHookedThunks (); KeCancelTimer (&LazyFreeTimer); LazyFreePool (NULL); // // Restore hooked addresses // *((PULONG) HalThunkForKeUpdateSystemTime) = KeUpdateSystemTimeThunk; if (HalThunkForKeUpdateRunTime) { *((PULONG) HalThunkForKeUpdateRunTime) = KeUpdateRunTimeThunk; } // // Delete the device object. // IoDeleteDevice(DriverObject->DeviceObject); return; } #endif VOID StatReadStats (PULONG Buffer) { PACCUMULATORS Accum; ULONG i, r1; pPSTATS Inf; PKPCR Pcr; PAGED_CODE(); Buffer[0] = sizeof (PSTATS); Inf = (pPSTATS)(Buffer + 1); for (i = 0; i < MAXIMUM_PROCESSORS; i++, Inf++) { Pcr = KiProcessorControlRegister[i]; if (Pcr == NULL) { continue; } Accum = StatProcessorAccumulators[i]; do { r1 = Accum->CountStart; Inf->TSC = Accum->TSC; for (i=0; i < MAX_EVENTS; i++) { Inf->Counters[i] = Accum->Counters[i]; Inf->EventId[i] = EventID[i]; } Inf->SpinLockAcquires = Pcr->KernelReserved[0]; Inf->SpinLockCollisions = Pcr->KernelReserved[1]; Inf->SpinLockSpins = Pcr->KernelReserved[2]; Inf->Irqls = Pcr->KernelReserved[3]; } while (r1 != Accum->CountEnd); RtlMoveMemory (Inf->ThunkCounters, (CONST VOID *)(Accum->ThunkCounters), StatMaxThunkCounter * sizeof (ULONG)); } } NTSTATUS StatQueryEvents ( ULONG Index, PEVENTID Buffer, ULONG Length ) { ULONG i; if (Index >= MaxEvent) { return STATUS_NO_MORE_ENTRIES; } i = sizeof (EVENTID) + strlen(Events[Index].Token) + 1 + strlen(Events[Index].Description) + 1; if (Length < i) { return STATUS_BUFFER_TOO_SMALL; } memset (Buffer, 0, i); Buffer->EventId = Events[Index].Encoding; Buffer->DescriptionOffset = strlen (Events[Index].Token) + 1; Buffer->SuggestedIntervalBase = Events[Index].SuggestedIntervalBase; strcpy (Buffer->Buffer, Events[Index].Token); strcpy (Buffer->Buffer + Buffer->DescriptionOffset, Events[Index].Description); if (ProfileSupported) { Buffer->ProfileSource = PROFILE_SOURCE_BASE + Index; } return STATUS_SUCCESS; } NTSTATUS StatQueryEventsInfo ( PEVENTS_INFO Buffer, ULONG Length ) { size_t maxLenToken, maxLenOfficialToken; size_t maxLenDescription, maxLenOfficialDescription; PAGED_CODE(); if ( Length < sizeof(*Buffer) ) { return STATUS_INVALID_PARAMETER; } maxLenToken = maxLenOfficialToken = 0; maxLenDescription = maxLenOfficialDescription = 0; if ( MaxEvent ) { ULONG i; size_t len; for ( i = 0; i < MaxEvent; i++ ) { len = ( Events[i].Token ) ? strlen( Events[i].Token ) : 0; if ( len > maxLenToken ) { maxLenToken = len; } len = ( Events[i].OfficialToken ) ? strlen( Events[i].OfficialToken ) : 0; if ( len > maxLenToken ) { maxLenOfficialToken = len; } len = ( Events[i].Description ) ? strlen( Events[i].Description ) : 0; if ( len > maxLenDescription ) { maxLenDescription = len; } len = ( Events[i].OfficialDescription ) ? strlen( Events[i].OfficialDescription ) : 0; if ( len > maxLenOfficialDescription ) { maxLenOfficialDescription = len; } } } Buffer->Events = MaxEvent; Buffer->TokenMaxLength = maxLenToken; Buffer->DescriptionMaxLength = maxLenDescription; Buffer->OfficialTokenMaxLength = maxLenOfficialToken; Buffer->OfficialDescriptionMaxLength = maxLenOfficialDescription; return STATUS_SUCCESS; } // StatQueryEventsInfo() ULONG StatGetP5CESR ( PSETEVENT NewEvent ) { ULONG NewCESR; if (!NewEvent->Active) { return 0; } NewCESR = NewEvent->EventId & 0x3f; NewCESR |= NewEvent->UserMode ? 0x80 : 0; NewCESR |= NewEvent->KernelMode ? 0x40 : 0; return NewCESR; } ULONG StatGetP6CESR ( PSETEVENT NewEvent, BOOLEAN Profile ) { ULONG NewCESR; NewCESR = NewEvent->EventId & 0xffff; NewCESR |= NewEvent->Active ? (1 << 22) : 0; NewCESR |= NewEvent->UserMode ? (1 << 16) : 0; NewCESR |= NewEvent->KernelMode ? (1 << 17) : 0; NewCESR |= NewEvent->EdgeDetect ? (1 << 18) : 0; NewCESR |= Profile ? (1 << 20) : 0; return NewCESR; } VOID StatSetCESR ( PSETEVENT NewEvent ) { ULONG i, j, NoProc; ULONG NewCESR[MAX_EVENTS]; PAGED_CODE(); switch (ProcType) { case INTEL_P5: NewCESR[0] = StatGetP5CESR(NewEvent+0); NewCESR[0] |= StatGetP5CESR(NewEvent+1) << 16; break; case INTEL_P6: NewCESR[0] = StatGetP6CESR(NewEvent+0, FALSE); NewCESR[1] = StatGetP6CESR(NewEvent+1, FALSE); break; } // // Check if CESR changed // for (i=0; i < NoCESR; i++) { if (NewCESR[i] != CESR[i]) { break; } } if (i == NoCESR) { // no change, all done return; } // // Set new events // for (i=0; i < MAX_EVENTS; i++) { EventID[i] = NewEvent[i].EventId; } // // Set new CESR values // for (i=0; i < NoCESR; i++) { CESR[i] = NewCESR[i]; } // // Clear each processors Pcr pointer so they will reset. // Also count how many processors there are. // for (i = 0, NoProc = 0; i < MAXIMUM_PROCESSORS; i++) { if (KiProcessorControlRegister[i]) { KiProcessorControlRegister[i] = NULL; NoProc++; } } // // wait for each processor to get the new Pcr value // do { //Sleep (0); // yield j = 0; for (i = 0; i < MAXIMUM_PROCESSORS; i++) { if (KiProcessorControlRegister[i]) { j++; } } } while (j < NoProc); } VOID FASTCALL StatTimerHook ( IN ULONG processor ) { PACCUMULATORS Total; ULONG i; if (KiProcessorControlRegister[processor] == NULL) { for (i=0; i < NoCESR; i++) { WRMSR (MsrCESR+i, 0); // clear old CESR } for (i=0; i < NoCESR; i++) { WRMSR (MsrCESR+i, CESR[i]); // write new CESR } KiProcessorControlRegister[processor] = CurrentPcr(); // // Enable RDPMC from Rings 1, 2 and 3. // StatEnableRDPMC(); } Total = StatProcessorAccumulators[ processor ]; Total->CountStart += 1; for (i=0; i < NoCount; i++) { Total->Counters[i] = RDMSR(MsrCount+i); } Total->TSC = RDMSR(MsrTSC); Total->CountEnd += 1; } VOID FASTCALL TimerHook ( IN ULONG processor ) { // for compatibility // if (KiProcessorControlRegister[processor] == NULL) { KiProcessorControlRegister[processor] = CurrentPcr(); } } PVOID GetLoadedModuleList( VOID ) { NTSTATUS Status; ULONG BufferSize; ULONG NeededSize; ULONG ModuleNumber; PRTL_PROCESS_MODULES Modules; PRTL_PROCESS_MODULE_INFORMATION Module; // // 64K should be plenty,... if it isn't we'll come around again. // BufferSize = 64000; while (TRUE) { Modules = ExAllocatePool (PagedPool, BufferSize); if (!Modules) { return NULL; } // // Get system loaded module list. // Status = ZwQuerySystemInformation ( SystemModuleInformation, Modules, BufferSize, &NeededSize ); if (NeededSize > BufferSize) { // // Buffer not big enough, try again. // ExFreePool(Modules); BufferSize = NeededSize; continue; } if (!NT_SUCCESS(Status)) { // // Not good, give up. // ExFreePool(Modules); return NULL; } // // All is good. // break; } return Modules; } #if 0 PRTL_PROCESS_MODULE_INFORMATION GetModuleInformationFuzzy( IN PUCHAR StartsWith, IN PUCHAR EndsWith, IN PRTL_PROCESS_MODULES Modules ) /*++ Routine Description: Run Down the loaded module list looking for a module whos name begins with StartWith and ends with EndsWith. (What's in the middle doesn't matter). This is useful for finding the kernel and the hal which are of the form nt*.exe for the kernel hal*.dll for the hal. Arguments: StartsWith Beginning string match. EndsWith Ending string match. ModuleList List of loaded modules. Returns: Pointer to the loaded module information for the matching module or null if no match is found. --*/ { ULONG StartLength = 0; ULONG EndLength = 0; ULONG ModulesRemaining; PRTL_PROCESS_MODULE_INFORMATION Module; PUCHAR FileName; ULONG FileNameLength; if (StartsWith) { StartLength = strlen(StartsWith); } if (EndsWith) { EndLength = strlen(EndsWith); } if ((!StartsWith) && (!EndsWith)) { // // In theory we could claim this matches anything,.. in reality // the caller doesn't know what they're doing. // return NULL; } for (ModulesRemaining = Modules->NumberOfModules, Module = Modules->Modules; ModulesRemaining; ModulesRemaining--, Module++) { FileName = Module->FullPathName + Module->OffsetToFileName; // // Check start. // if (StartLength) { if (_strnicmp(FileName, StartsWith, StartLength) != 0) { // // No match. // continue; } } FileNameLength = strlen(FileName); if (FileNameLength < (StartLength + EndLength)) { // // FileName is too short to contain both strings. // continue; } if (!EndLength) { // // Not checking the end but the start matches, success. // return Module; } // // Check end. // if (_stricmp(FileName + FileNameLength - EndLength, EndsWith) == 0) { // // Tail matches! // return Module; } } // // No match found. // return NULL; } #endif BOOLEAN StatHookTimer (VOID) { PULONG Address; ULONG HalThunkForKeUpdateSystemTime; ULONG HalThunkForKeUpdateRunTime; ULONG HalThunkForStartProfileInterrupt; ULONG HalThunkForStopProfileInterrupt; PRTL_PROCESS_MODULES ModuleList; PRTL_PROCESS_MODULE_INFORMATION Kernel; PRTL_PROCESS_MODULE_INFORMATION Hal; ModuleList = GetLoadedModuleList(); if (!ModuleList) { // // No loaded module list, we aren't going to make much // progress, give up. // return FALSE; } #if 0 Kernel = GetModuleInformationFuzzy("nt", ".exe", ModuleList); Hal = GetModuleInformationFuzzy("hal", ".dll", ModuleList); if ((!Kernel) || (!Hal)) { ExFreePool(ModuleList); return FALSE; } #endif // // The kernel is always the first entry on the loaded module // list, the hal is always the second. If this ever changes // we'll need to come up with another approach. // if (ModuleList->NumberOfModules < 2) { // // Something's very wrong with this module list. // return 0; } Kernel = ModuleList->Modules; Hal = Kernel + 1; HalThunkForKeUpdateSystemTime = ImportThunkAddressModule( Hal, "ntoskrnl.exe", "KeUpdateSystemTime" ); // // KeUpdateRunTime is not always available. // HalThunkForKeUpdateRunTime = ImportThunkAddressModule( Hal, "ntoskrnl.exe", "KeUpdateRunTime" ); HalThunkForStartProfileInterrupt = ImportThunkAddressModule( Kernel, "hal.dll", "HalStartProfileInterrupt" ); HalThunkForStopProfileInterrupt = ImportThunkAddressModule( Kernel, "hal.dll", "HalStopProfileInterrupt" ); ExFreePool(ModuleList); if (!HalThunkForKeUpdateSystemTime || !HalThunkForStartProfileInterrupt || !HalThunkForStopProfileInterrupt) { // // Imports not found. // return FALSE; } // // Patch in timer hooks, Read current values // KeUpdateSystemTimeThunk = *((PULONG) HalThunkForKeUpdateSystemTime); if (HalThunkForKeUpdateRunTime) { KeUpdateRunTimeThunk = *((PULONG) HalThunkForKeUpdateRunTime); } HaldStartProfileInterrupt = (pHalProfileInterrupt) *((PULONG) HalThunkForStartProfileInterrupt); HaldStopProfileInterrupt = (pHalProfileInterrupt) *((PULONG) HalThunkForStopProfileInterrupt); HaldQuerySystemInformation = HalQuerySystemInformation; HaldSetSystemInformation = HalSetSystemInformation; // // Set Stat hook functions // switch (ProcType) { case INTEL_P6: case INTEL_P5: Address = (PULONG) HalThunkForKeUpdateSystemTime; *Address = (ULONG) StatSystemTimeHook; if (HalThunkForKeUpdateRunTime) { Address = (PULONG) HalThunkForKeUpdateRunTime; *Address = (ULONG)StatRunTimeHook; } if (ProfileSupported) { Address = (PULONG) HalThunkForStartProfileInterrupt; *Address = (ULONG) StatStartProfileInterrupt; Address = (PULONG) HalThunkForStopProfileInterrupt; *Address = (ULONG) StatStopProfileInterrupt; HalQuerySystemInformation = StatQuerySystemInformation; HalSetSystemInformation = StatSetSystemInformation; } break; default: Address = (PULONG) HalThunkForKeUpdateSystemTime; KdPrint(( "Stat - DriverEntry(5): %X\n", Address )); *Address = (ULONG)SystemTimeHook; if (HalThunkForKeUpdateRunTime) { Address = (PULONG) HalThunkForKeUpdateRunTime; KdPrint(( "Stat - DriverEntry(6): %X\n", Address )); *Address = (ULONG)RunTimeHook; } break; } return TRUE; } PPROFILE_EVENT StatProfileEvent( KPROFILE_SOURCE Source ) { ULONG Index; Index = (ULONG) Source; if (Index < PROFILE_SOURCE_BASE) { return NULL; } Index -= PROFILE_SOURCE_BASE; if (Index > MaxEvent) { return NULL; } return ProfileEvents + Index; } VOID StatStartProfileInterrupt ( KPROFILE_SOURCE Source ) { ULONG i; PPROFILE_EVENT ProfileEvent; // // If this isn't a profile source we're supporting, pass it on // ProfileEvent = StatProfileEvent(Source); if (!ProfileEvent) { HaldStartProfileInterrupt (Source); return; } if (CurrentPcr()->Number == 0) { if (!ProfileEvent->Source) { return ; } CurrentProfileEvent = ProfileEvent; } // // Set the CESR // WRMSR (MsrCESR, ProfileEvent->CESR); // // Prime the interval counter // WRMSR (MsrCount, ProfileEvent->InitialCount); } VOID StatStopProfileInterrupt ( KPROFILE_SOURCE Source ) { ULONG i; PPROFILE_EVENT ProfileEvent; // // If this isn't a profile source we're supporting, pass it on // ProfileEvent = StatProfileEvent(Source); if (!ProfileEvent) { HaldStopProfileInterrupt (Source); return ; } if (CurrentPcr()->Number == 0) { if (ProfileEvent == CurrentProfileEvent) { // // Stop calling the kernel // CurrentProfileEvent = NULL; } } } // The naked call does not work anymore because the call parameters are not saved // (probably due to change in compiler behaviour) //_declspec(naked) VOID FASTCALL NakedCallToKeProfileInterruptWithSource( IN PKTRAP_FRAME TrapFrame, IN KPROFILE_SOURCE Source ) { /* _asm { push ebp ; Save these as KeProfileInterrupt nukes them push ebx push esi push edi } */ KeProfileInterruptWithSource (TrapFrame, Source); /* _asm { pop edi pop esi pop ebx pop ebp ret } */ } NTSTATUS FASTCALL StatProfileInterrupt ( IN PKTRAP_FRAME TrapFrame ) { ULONG i; ULONG current; PPROFILE_EVENT ProfileEvent; ProfileEvent = CurrentProfileEvent; if (ProfileEvent) { current = (ULONG) RDMSR(MsrCount); // // Did this event fire? // if (current < ProfileEvent->InitialCount) { // // Notify kernel // NakedCallToKeProfileInterruptWithSource( TrapFrame, ProfileEvent->Source ); // // Reset trigger counter // WRMSR (MsrCount, ProfileEvent->InitialCount); } } return STATUS_SUCCESS; } NTSTATUS StatQuerySystemInformation ( IN HAL_QUERY_INFORMATION_CLASS InformationClass, IN ULONG BufferSize, OUT PVOID Buffer, OUT PULONG ReturnedLength ) { PHAL_PROFILE_SOURCE_INFORMATION ProfileSource; ULONG i; PPROFILE_EVENT ProfileEvent; if (InformationClass == HalProfileSourceInformation) { ProfileSource = (PHAL_PROFILE_SOURCE_INFORMATION) Buffer; *ReturnedLength = sizeof (HAL_PROFILE_SOURCE_INFORMATION); if (BufferSize < sizeof (HAL_PROFILE_SOURCE_INFORMATION)) { return STATUS_BUFFER_TOO_SMALL; } ProfileEvent = StatProfileEvent(ProfileSource->Source); if (ProfileEvent) { ProfileSource->Interval = 0 - (ULONG) ProfileEvent->InitialCount; ProfileSource->Supported = TRUE; return STATUS_SUCCESS; } } // // Not our QuerySystemInformation request, pass it on // return HaldQuerySystemInformation (InformationClass, BufferSize, Buffer, ReturnedLength); } NTSTATUS StatSetSystemInformation( IN HAL_SET_INFORMATION_CLASS InformationClass, IN ULONG BufferSize, IN PVOID Buffer ) { PHAL_PROFILE_SOURCE_INTERVAL ProfileInterval; SETEVENT SetEvent; PPROFILE_EVENT ProfileEvent; if (InformationClass == HalProfileSourceInterval) { ProfileInterval = (PHAL_PROFILE_SOURCE_INTERVAL) Buffer; if (BufferSize < sizeof (HAL_PROFILE_SOURCE_INTERVAL)) { return STATUS_BUFFER_TOO_SMALL; } ProfileEvent = StatProfileEvent(ProfileInterval->Source); if (ProfileEvent) { ProfileEvent->Source = ProfileInterval->Source; ProfileEvent->InitialCount = 0; ProfileEvent->InitialCount -= (ULONGLONG) ProfileInterval->Interval; SetEvent.EventId = Events[ProfileEvent->Source - PROFILE_SOURCE_BASE].Encoding; SetEvent.Active = TRUE; SetEvent.UserMode = TRUE; SetEvent.KernelMode = TRUE; switch (ProcType) { case INTEL_P6: ProfileEvent->CESR = StatGetP6CESR (&SetEvent, TRUE); break; } return STATUS_SUCCESS; } } // // Not our SetSystemInforamtion request, pass it on // return HaldSetSystemInformation (InformationClass, BufferSize, Buffer); } NTSTATUS StatHookGenericThunk ( IN PHOOKTHUNK ThunkToHook ) { ULONG HookAddress; ULONG i, TracerId; UCHAR sourcename[50]; ULONG HitCounterOffset; PLIST_ENTRY Link; PHOOKEDTHUNK HookRecord; UCHAR IdInUse[MAX_THUNK_COUNTERS]; PAGED_CODE(); i = strlen (ThunkToHook->SourceModule); if (i >= 50) { return STATUS_UNSUCCESSFUL; } strcpy (sourcename, ThunkToHook->SourceModule); HookAddress = ImportThunkAddress ( sourcename, ThunkToHook->ImageBase, ThunkToHook->TargetModule, ThunkToHook->Function, NULL ); if (!HookAddress) { return STATUS_UNSUCCESSFUL; } // // Hook this thunk // // // If counting bucket is not known (also tracerid), then allocate one // TracerId = ThunkToHook->TracerId; ExAcquireFastMutex (&HookLock); if (TracerId == 0) { RtlZeroMemory (IdInUse, MAX_THUNK_COUNTERS); for (Link = HookedThunkList.Flink; Link != &HookedThunkList; Link = Link->Flink) { HookRecord = CONTAINING_RECORD (Link, HOOKEDTHUNK, HookList); IdInUse[HookRecord->TracerId-1] = 1; } while (IdInUse[TracerId]) { if (++TracerId >= MAX_THUNK_COUNTERS) { goto Abort; } } TracerId += 1; } if (TracerId >= MAX_THUNK_COUNTERS) { goto Abort; } if (TracerId > StatMaxThunkCounter) { StatMaxThunkCounter = TracerId; } HookRecord = ExAllocatePool (NonPagedPool, sizeof (HOOKEDTHUNK)); if (!HookRecord) { goto Abort; } HitCounterOffset = ((ULONG) &StatGlobalAccumulators[0].ThunkCounters[TracerId-1] - (ULONG) StatGlobalAccumulators); HookRecord->HookAddress = HookAddress; HookRecord->OriginalDispatch = *((PULONG) HookAddress); HookRecord->TracerId = TracerId; InsertHeadList (&HookedThunkList, &HookRecord->HookList); CreateHook (HookRecord->HookCode, (PVOID)HookAddress, HitCounterOffset, 0); SetMaxThunkCounter (); ExReleaseFastMutex (&HookLock); ThunkToHook->TracerId = TracerId; return STATUS_SUCCESS; Abort: ExReleaseFastMutex (&HookLock); return STATUS_UNSUCCESSFUL; } VOID StatRemoveGenericHook ( IN PULONG pTracerId ) { PLIST_ENTRY Link, NextLink, Temp, NextTemp; PHOOKEDTHUNK HookRecord, AltRecord; ULONG HitCounterOffset; LIST_ENTRY DisabledHooks; ULONG TracerId; PULONG HookAddress; PAGED_CODE(); // // Run list of hooks undo-ing any hook which matches this tracerid. // Note: that hooks are undone in the reverse order for which they // were applied. // TracerId = *pTracerId; InitializeListHead (&DisabledHooks); ExAcquireFastMutex (&HookLock); Link = HookedThunkList.Flink; while (Link != &HookedThunkList) { NextLink = Link->Flink; HookRecord = CONTAINING_RECORD (Link, HOOKEDTHUNK, HookList); if (HookRecord->TracerId == TracerId) { // // Found a hook with a matching ID // Scan for any hooks which need to be temporaly removed // in order to get this hook removed // HookAddress = (PULONG) HookRecord->HookAddress; Temp = HookedThunkList.Flink; while (Temp != Link) { NextTemp = Temp->Flink; AltRecord = CONTAINING_RECORD (Temp, HOOKEDTHUNK, HookList); if (AltRecord->HookAddress == HookRecord->HookAddress) { RemoveEntryList(&AltRecord->HookList); *HookAddress = AltRecord->OriginalDispatch; InsertTailList (&DisabledHooks, &AltRecord->HookList); } Temp = NextTemp; } // // Remove this hook // RemoveEntryList(&HookRecord->HookList); HookAddress = (PULONG) HookRecord->HookAddress; *HookAddress = HookRecord->OriginalDispatch; InsertTailList (&LazyFreeList, &HookRecord->HookList); } Link = NextLink; } // // Re-hook any hooks which were disabled for the remove operation // while (DisabledHooks.Flink != &DisabledHooks) { HookRecord = CONTAINING_RECORD (DisabledHooks.Flink, HOOKEDTHUNK, HookList); AltRecord = ExAllocatePool (NonPagedPool, sizeof (HOOKEDTHUNK)); if (!AltRecord) { goto OutOfMemory; } RemoveEntryList(&HookRecord->HookList); HookAddress = (PULONG) HookRecord->HookAddress; AltRecord->HookAddress = HookRecord->HookAddress; AltRecord->OriginalDispatch = *HookAddress; AltRecord->TracerId = HookRecord->TracerId; InsertHeadList (&HookedThunkList, &AltRecord->HookList); HitCounterOffset = (ULONG) &StatGlobalAccumulators[0].ThunkCounters[AltRecord->TracerId-1] - (ULONG) StatGlobalAccumulators; CreateHook (AltRecord->HookCode, (PVOID)HookAddress, HitCounterOffset, 0); InsertTailList (&LazyFreeList, &HookRecord->HookList); } SetMaxThunkCounter(); ExReleaseFastMutex (&HookLock); return ; OutOfMemory: while (DisabledHooks.Flink != &DisabledHooks) { HookRecord = CONTAINING_RECORD (DisabledHooks.Flink, HOOKEDTHUNK, HookList); RemoveEntryList(&HookRecord->HookList); InsertTailList (&LazyFreeList, &HookRecord->HookList); } ExReleaseFastMutex (&HookLock); RemoveAllHookedThunks (); return ; } VOID RemoveAllHookedThunks () { PHOOKEDTHUNK HookRecord; PULONG HookAddress; PAGED_CODE(); ExAcquireFastMutex (&HookLock); while (!IsListEmpty(&HookedThunkList)) { HookRecord = CONTAINING_RECORD (HookedThunkList.Flink, HOOKEDTHUNK, HookList); RemoveEntryList(&HookRecord->HookList); HookAddress = (PULONG) HookRecord->HookAddress; *HookAddress = HookRecord->OriginalDispatch; InsertTailList (&LazyFreeList, &HookRecord->HookList); } SetMaxThunkCounter(); ExReleaseFastMutex (&HookLock); } VOID SetMaxThunkCounter () { LARGE_INTEGER duetime; PLIST_ENTRY Link; PHOOKEDTHUNK HookRecord; ULONG Max; PAGED_CODE(); Max = 0; for (Link = HookedThunkList.Flink; Link != &HookedThunkList; Link = Link->Flink) { HookRecord = CONTAINING_RECORD (Link, HOOKEDTHUNK, HookList); if (HookRecord->TracerId > Max) { Max = HookRecord->TracerId; } } StatMaxThunkCounter = Max; LazyFreeCountdown = 2; duetime.QuadPart = -10000000; KeSetTimer (&LazyFreeTimer, duetime, &LazyFreeDpc); } VOID LazyFreePoolDPC (PKDPC dpc, PVOID a, PVOID b, PVOID c) { ExQueueWorkItem (&LazyFreePoolWorkItem, DelayedWorkQueue); } VOID LazyFreePool (PVOID conext) { PHOOKEDTHUNK HookRecord; LARGE_INTEGER duetime; PAGED_CODE(); ExAcquireFastMutex (&HookLock); if (--LazyFreeCountdown == 0) { while (!IsListEmpty(&LazyFreeList)) { HookRecord = CONTAINING_RECORD (LazyFreeList.Flink, HOOKEDTHUNK, HookList); RemoveEntryList(&HookRecord->HookList); RtlFillMemory(HookRecord, sizeof(HOOKEDTHUNK), 0xCC); ExFreePool (HookRecord) ; } } else { duetime.QuadPart = -10000000; KeSetTimer (&LazyFreeTimer, duetime, &LazyFreeDpc); } ExReleaseFastMutex (&HookLock); } #define IMPKERNELADDRESS(a) ((ULONG)a + ImageBase) #define IMPIMAGEADDRESS(a) ConvertImportAddress((ULONG)a, (ULONG)Pool, &SectionHeader) #define INITIAL_POOLSIZE 0x7000 ULONG ImportThunkAddressProcessFile( IN ULONG_PTR ImageBase, IN HANDLE FileHandle, IN PUCHAR ImportModule, IN PUCHAR ThunkName ) { ULONG i, j; ULONG Dir; PVOID Pool; ULONG PoolSize; IMAGE_DOS_HEADER DosImageHeader; IMAGE_NT_HEADERS NtImageHeader; PIMAGE_NT_HEADERS LoadedNtHeader; PIMAGE_IMPORT_BY_NAME pImportNameData; PIMAGE_SECTION_HEADER pSectionHeader; IMAGE_SECTION_HEADER SectionHeader; PIMAGE_IMPORT_DESCRIPTOR ImpDescriptor; PULONG pThunkAddr, pThunkData; PAGED_CODE(); try { // // Find module in loaded module list // PoolSize = INITIAL_POOLSIZE; Pool = ExAllocatePool (PagedPool, PoolSize); if (!Pool) { return 0; } try { // // Read in source image's headers // readfile ( FileHandle, 0, sizeof (DosImageHeader), (PVOID) &DosImageHeader ); if (DosImageHeader.e_magic != IMAGE_DOS_SIGNATURE) { return 0; } readfile ( FileHandle, DosImageHeader.e_lfanew, sizeof (NtImageHeader), (PVOID) &NtImageHeader ); if (NtImageHeader.Signature != IMAGE_NT_SIGNATURE) { return 0; } if (!ImageBase) { ImageBase = NtImageHeader.OptionalHeader.ImageBase; } // // Check in read in copy header against loaded image // LoadedNtHeader = (PIMAGE_NT_HEADERS) ((ULONG) ImageBase + DosImageHeader.e_lfanew); if (LoadedNtHeader->Signature != IMAGE_NT_SIGNATURE || LoadedNtHeader->FileHeader.TimeDateStamp != NtImageHeader.FileHeader.TimeDateStamp) { return 0; } // // read in complete sections headers from image // i = NtImageHeader.FileHeader.NumberOfSections * sizeof (IMAGE_SECTION_HEADER); j = ((ULONG) IMAGE_FIRST_SECTION (&NtImageHeader)) - ((ULONG) &NtImageHeader) + DosImageHeader.e_lfanew; if (i > PoolSize) { ExFreePool(Pool); PoolSize = i; Pool = ExAllocatePool(PagedPool, PoolSize); if (!Pool) { return 0; } } readfile ( FileHandle, j, // file offset i, // length Pool ); // // Find section with import directory // Dir = NtImageHeader.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; i = 0; pSectionHeader = Pool; for (; ;) { if (i >= NtImageHeader.FileHeader.NumberOfSections) { return 0; } if (pSectionHeader->VirtualAddress <= Dir && pSectionHeader->VirtualAddress + pSectionHeader->SizeOfRawData > Dir) { break; } i += 1; pSectionHeader += 1; } // // read in complete import section from image // Dir -= pSectionHeader->VirtualAddress; pSectionHeader->VirtualAddress += Dir; pSectionHeader->PointerToRawData += Dir; pSectionHeader->SizeOfRawData -= Dir; SectionHeader = *pSectionHeader; if (SectionHeader.SizeOfRawData > PoolSize) { ExFreePool (Pool); PoolSize = SectionHeader.SizeOfRawData; Pool = ExAllocatePool (PagedPool, PoolSize); if (!Pool) { return 0; } } readfile ( FileHandle, SectionHeader.PointerToRawData, SectionHeader.SizeOfRawData, Pool ); // // Find imports from specified module // ImpDescriptor = (PIMAGE_IMPORT_DESCRIPTOR) Pool; while (ImpDescriptor->Characteristics) { if (_stricmp((PUCHAR)IMPIMAGEADDRESS((ULONG)(ImpDescriptor->Name)), ImportModule) == 0) { break; } ImpDescriptor += 1; } // // Find thunk for imported ThunkName // pThunkData = (PULONG) IMPIMAGEADDRESS (ImpDescriptor->OriginalFirstThunk); pThunkAddr = (PULONG) IMPKERNELADDRESS (ImpDescriptor->FirstThunk); for (; ;) { if (*pThunkData == 0L) { // end of table break; } pImportNameData = (PIMAGE_IMPORT_BY_NAME) IMPIMAGEADDRESS (*pThunkData); if (_stricmp(pImportNameData->Name, ThunkName) == 0) { // // Success, return this address. // return (ULONG)pThunkAddr; } // check next thunk pThunkData += 1; pThunkAddr += 1; } } except(EXCEPTION_EXECUTE_HANDLER) { return 0; } } finally { // // Clean up // if (Pool) { ExFreePool (Pool); } } return 0; } ULONG ImportThunkAddress ( IN PUCHAR SourceModule, IN ULONG_PTR ImageBase, IN PUCHAR ImportModule, IN PUCHAR ThunkName, IN PVOID ModuleList ) { NTSTATUS Status; HANDLE FileHandle; ULONG ImportAddress; PAGED_CODE(); Status = openfile (&FileHandle, "\\SystemRoot\\", SourceModule); if (!NT_SUCCESS(Status)) { Status = openfile (&FileHandle, "\\SystemRoot\\System32\\", SourceModule); } if (!NT_SUCCESS(Status)) { Status = openfile (&FileHandle, "\\SystemRoot\\System32\\Drivers\\", SourceModule); } if (!NT_SUCCESS(Status)) { return 0; } if (!ImageBase) { ImageBase = LookupImageBase (SourceModule, ModuleList); } ImportAddress = ImportThunkAddressProcessFile(ImageBase, FileHandle, ImportModule, ThunkName); NtClose (FileHandle); return ImportAddress; } ULONG ImportThunkAddressModule ( IN PRTL_PROCESS_MODULE_INFORMATION SourceModule, IN PUCHAR ImportModule, IN PUCHAR ThunkName ) { NTSTATUS Status; HANDLE FileHandle; ULONG ImportAddress; PUCHAR SubPath; PAGED_CODE(); // // Strip the system root from the file path so we can use // the \SystemRoot object as the head of the path. // SubPath = strchr(SourceModule->FullPathName + 1, '\\'); if (!SubPath) { // // If we got here we don't know what we're doing, // bail out. // return 0; } Status = openfile (&FileHandle, "\\SystemRoot", SubPath); if (!NT_SUCCESS(Status)) { return 0; } ImportAddress = ImportThunkAddressProcessFile( (ULONG_PTR)SourceModule->ImageBase, FileHandle, ImportModule, ThunkName); NtClose(FileHandle); return ImportAddress; } ULONG_PTR LookupImageBase ( IN PUCHAR SourceModule, IN PVOID ModuleList ) { NTSTATUS status; ULONG BufferSize; ULONG junk, ModuleNumber; ULONG_PTR ImageBase; PRTL_PROCESS_MODULES Modules; PRTL_PROCESS_MODULE_INFORMATION Module; ImageBase = 0; if (ModuleList) { Modules = ModuleList; } else { BufferSize = 64000; Modules = ExAllocatePool (PagedPool, BufferSize); if (!Modules) { return 0; } // // Locate system drivers. // status = ZwQuerySystemInformation ( SystemModuleInformation, Modules, BufferSize, &junk ); if (!NT_SUCCESS(status)) { ExFreePool(Modules); return 0; } } Module = &Modules->Modules[ 0 ]; for (ModuleNumber = 0; ModuleNumber < Modules->NumberOfModules; ModuleNumber++,Module++) { if (_stricmp(Module->FullPathName + Module->OffsetToFileName, SourceModule) == 0) { ImageBase = (ULONG_PTR)Module->ImageBase; break; } } if (!ModuleList) { ExFreePool (Modules); } return ImageBase; } NTSTATUS openfile ( IN PHANDLE FileHandle, IN PUCHAR BasePath, IN PUCHAR Name ) { ANSI_STRING AscBasePath, AscName; UNICODE_STRING UniPathName, UniName; NTSTATUS status; OBJECT_ATTRIBUTES ObjA; IO_STATUS_BLOCK IOSB; UCHAR StringBuf[500]; // // Build name // UniPathName.Buffer = (PWCHAR)StringBuf; UniPathName.Length = 0; UniPathName.MaximumLength = sizeof( StringBuf ); RtlInitString(&AscBasePath, BasePath); status = RtlAnsiStringToUnicodeString( &UniPathName, &AscBasePath, FALSE ); if (!NT_SUCCESS(status)) { return status; } RtlInitString(&AscName, Name); status = RtlAnsiStringToUnicodeString( &UniName, &AscName, TRUE ); if (!NT_SUCCESS(status)) { return status; } status = RtlAppendUnicodeStringToString (&UniPathName, &UniName); if (!NT_SUCCESS(status)) { return status; } InitializeObjectAttributes( &ObjA, &UniPathName, OBJ_CASE_INSENSITIVE, 0, 0 ); // // open file // status = ZwOpenFile ( FileHandle, // return handle SYNCHRONIZE | FILE_READ_DATA, // desired access &ObjA, // Object &IOSB, // io status block FILE_SHARE_READ | FILE_SHARE_WRITE, // share access FILE_SYNCHRONOUS_IO_ALERT // open options ); RtlFreeUnicodeString (&UniName); return status; } VOID readfile ( HANDLE handle, ULONG offset, ULONG len, PVOID buffer ) { NTSTATUS status; IO_STATUS_BLOCK iosb; LARGE_INTEGER foffset; foffset = RtlConvertUlongToLargeInteger(offset); status = ZwReadFile ( handle, NULL, // event NULL, // apc routine NULL, // apc context &iosb, buffer, len, &foffset, NULL ); if (!NT_SUCCESS(status)) { ExRaiseStatus (1); } } ULONG ConvertImportAddress ( IN ULONG ImageRelativeAddress, IN ULONG PoolAddress, IN PIMAGE_SECTION_HEADER SectionHeader ) { ULONG EffectiveAddress; EffectiveAddress = PoolAddress + ImageRelativeAddress - SectionHeader->VirtualAddress; if (EffectiveAddress < PoolAddress || EffectiveAddress > PoolAddress + SectionHeader->SizeOfRawData) { ExRaiseStatus (1); } return EffectiveAddress; }