|
|
/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
verifier.c
Abstract:
This module implements the core support for application verifier.
Author:
Silviu Calinoiu (SilviuC) 2-Feb-2001
Revision History:
--*/
#include "ntos.h"
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <heap.h>
#include "ldrp.h"
#define AVRF_FLG_EXPORT_DLL_LOADED 0x0001
ULONG AVrfpDebug = 0x0000;
#define AVRF_DBG_SHOW_SNAPS 0x0001
#define AVRF_DBG_SHOW_VERIFIED_EXPORTS 0x0002
#define AVRF_DBG_SHOW_DLLS_WITH_EXPORTS 0x0004
#define AVRF_DBG_SHOW_PROVIDER_LOADS 0x0008
#define AVRF_DBG_SHOW_CHAIN_ACTIVITY 0x0010
#define AVRF_DBG_SHOW_CHAIN_DETAILS 0x0020
BOOLEAN AVrfpEnabled;
//
// Default system-wide settings
//
#define RTL_VRF_FLG_SYSTEM_WIDE_SETTINGS \
( RTL_VRF_FLG_LOCK_CHECKS \ | RTL_VRF_FLG_HANDLE_CHECKS \ )
//
// Local vars
//
ULONG AVrfpVerifierFlags;WCHAR AVrfpVerifierDllsString [512];LIST_ENTRY AVrfpVerifierProvidersList;
RTL_CRITICAL_SECTION AVrfpVerifierLock;
#define VERIFIER_LOCK() RtlEnterCriticalSection(&AVrfpVerifierLock)
#define VERIFIER_UNLOCK() RtlLeaveCriticalSection(&AVrfpVerifierLock)
//
// Local types
//
typedef struct _AVRF_VERIFIER_DESCRIPTOR {
LIST_ENTRY List; UNICODE_STRING VerifierName; PVOID VerifierHandle; PVOID VerifierEntryPoint; PRTL_VERIFIER_DLL_DESCRIPTOR VerifierDlls; RTL_VERIFIER_DLL_LOAD_CALLBACK VerifierLoadHandler; RTL_VERIFIER_DLL_UNLOAD_CALLBACK VerifierUnloadHandler;
} AVRF_VERIFIER_DESCRIPTOR, *PAVRF_VERIFIER_DESCRIPTOR;
//
// Local functions
//
BOOLEANAVrfpSnapDllImports ( PLDR_DATA_TABLE_ENTRY LdrDataTableEntry );
BOOLEANAVrfpDetectVerifiedExports ( PRTL_VERIFIER_DLL_DESCRIPTOR Dll, PRTL_VERIFIER_THUNK_DESCRIPTOR Thunks );
BOOLEANAVrfpParseVerifierDllsString ( PWSTR Dlls );
VOIDAVrfpSnapAlreadyLoadedDlls ( );
VOIDAVrfpMoveProviderToEndOfInitializationList ( PWSTR ProviderName );
BOOLEANAVrfpLoadAndInitializeProvider ( PAVRF_VERIFIER_DESCRIPTOR Provider );
BOOLEANAVrfpIsVerifierProviderDll ( PVOID Handle );
VOIDAVrfpDumpProviderList ( );
PVOIDAVrfpFindClosestThunkDuplicate ( PAVRF_VERIFIER_DESCRIPTOR Verifier, PWCHAR DllName, PCHAR ThunkName );
VOIDAVrfpChainDuplicateVerificationLayers ( );
VOIDAVrfpDllLoadNotificationInternal ( PLDR_DATA_TABLE_ENTRY LoadedDllData );
PWSTRAVrfpGetProcessName ( );
BOOLEANAVrfpEnableVerifierOptions ( );
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////
VOIDAVrfInitializeVerifier ( BOOLEAN EnabledSystemWide, PUNICODE_STRING ImageName, ULONG Phase )/*++
Routine description:
This routine initializes the verifier package. Reads options from registry, loads verifier dlls, etc.
Parameters:
EnabledSystemWide - true if all processes are supposed to run with application verifier enabled. If this is the case we will scale down our memory-demanding checks so that we can boot.
ImageName - unicode name of the current process Phase - initialization happens in several stages. 0 - we read registry settings under image file execution options. in this phase the other two parameters have a meaning. 1 - we parse the verifier dlls and load them. Return value:
None. --*/{ BOOLEAN Result; PLIST_ENTRY Entry; PAVRF_VERIFIER_DESCRIPTOR Provider; NTSTATUS Status; BOOLEAN LoadSuccess;
switch (Phase) { case 0: // Phase 0
AVrfpVerifierFlags = RTL_VRF_FLG_SYSTEM_WIDE_SETTINGS; AVrfpVerifierDllsString[0] = L'\0';
//
// Attempt to read verifier registry settings even if verifier
// is enabled system wide. In the worst case no values are there
// and nothing will be read. If we have some options per process
// this will override system wide settings.
//
LdrQueryImageFileExecutionOptions (ImageName, L"VerifierFlags", REG_DWORD, &AVrfpVerifierFlags, sizeof(AVrfpVerifierFlags), NULL);
LdrQueryImageFileExecutionOptions (ImageName, L"VerifierDebug", REG_DWORD, &AVrfpDebug, sizeof(AVrfpDebug), NULL);
LdrQueryImageFileExecutionOptions (ImageName, L"VerifierDlls", REG_SZ, AVrfpVerifierDllsString, 512, NULL);
AVrfpEnableVerifierOptions ();
break;
case 1: // Phase 1
InitializeListHead (&AVrfpVerifierProvidersList); RtlInitializeCriticalSection (&AVrfpVerifierLock);
DbgPrint ("AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled\n", AVrfpGetProcessName(), HandleToUlong(NtCurrentTeb()->ClientId.UniqueProcess), AVrfpVerifierFlags);
Result = AVrfpParseVerifierDllsString (AVrfpVerifierDllsString);
if (Result == FALSE) { DbgPrint ("AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.\n", AVrfpGetProcessName(), HandleToUlong(NtCurrentTeb()->ClientId.UniqueProcess));
NtCurrentPeb()->NtGlobalFlag &= ~FLG_APPLICATION_VERIFIER; }
Entry = AVrfpVerifierProvidersList.Flink;
while (Entry != &AVrfpVerifierProvidersList) {
Provider = CONTAINING_RECORD (Entry, AVRF_VERIFIER_DESCRIPTOR, List);
//
// Load provider, probe it to make sure it is really a
// provider, call initialize routine with PROCESS_VERIFIER, etc.
//
LoadSuccess = AVrfpLoadAndInitializeProvider (Provider);
//
// Move to next provider
//
Entry = Provider->List.Flink;
//
// Get this provider out of the providers list if we
// encountered an error while loading
//
if (! LoadSuccess) {
RemoveEntryList (&(Provider->List));
RtlFreeHeap (RtlProcessHeap(), 0, Provider); } }
//
// Chain duplicate verification functions.
//
AVrfpChainDuplicateVerificationLayers ();
//
// Enable verifier. Resnap already loaded dlls.
// Now we will start processing dll load
// notifications coming from loader.
//
AVrfpEnabled = TRUE;
AVrfpSnapAlreadyLoadedDlls ();
if ((AVrfpDebug & AVRF_DBG_SHOW_PROVIDER_LOADS)) {
DbgPrint ("AVRF: -*- final list of providers -*- \n"); AVrfpDumpProviderList (); }
break;
default:
break; }}
BOOLEANAVrfpParseVerifierDllsString ( PWSTR Dlls ){ PWSTR Current; PWSTR Start; WCHAR Save; PAVRF_VERIFIER_DESCRIPTOR Entry;
//
// Create by default an entry for the standard provider "verifier.dll"
//
Entry = RtlAllocateHeap (RtlProcessHeap (), 0, sizeof *Entry);
if (Entry == NULL) { return FALSE; }
RtlZeroMemory (Entry, sizeof *Entry);
RtlInitUnicodeString (&(Entry->VerifierName), L"verifier.dll");
InsertTailList (&AVrfpVerifierProvidersList, &(Entry->List));
//
// Parse the string
//
Current = Dlls;
while (*Current != L'\0') { while (*Current == L' ' || *Current == L'\t') { Current += 1; }
Start = Current;
while (*Current && *Current != L' ' && *Current != L'\t') { Current += 1; }
if (Start == Current) { break; }
Save = *Current; *Current = L'\0';
//
// Check if standard provider was specified explicitely.
// In this case we ignore it because we already have it
// in the list.
//
if (_wcsicmp (Start, L"verifier.dll") != 0) { Entry = RtlAllocateHeap (RtlProcessHeap (), 0, sizeof *Entry);
if (Entry == NULL) { return FALSE; }
RtlZeroMemory (Entry, sizeof *Entry);
RtlInitUnicodeString (&(Entry->VerifierName), Start);
InsertTailList (&AVrfpVerifierProvidersList, &(Entry->List)); }
// *Current = Save;
Current += 1; }
return TRUE;}
VOIDAVrfpSnapAlreadyLoadedDlls ( ){ PPEB_LDR_DATA Ldr; PLIST_ENTRY Head; PLIST_ENTRY Next; PLDR_DATA_TABLE_ENTRY Entry;
Ldr = NtCurrentPeb()->Ldr; Head = &(Ldr->InLoadOrderModuleList); Next = Head->Flink;
while (Next != Head) {
Entry = CONTAINING_RECORD (Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Next = Next->Flink;
if (! AVrfpIsVerifierProviderDll (Entry->DllBase)) {
if ((AVrfpDebug & AVRF_DBG_SHOW_SNAPS)) { DbgPrint ("AVRF: resnapping %ws ... \n", Entry->BaseDllName.Buffer); }
AVrfpDllLoadNotificationInternal (Entry); } else {
if ((AVrfpDebug & AVRF_DBG_SHOW_SNAPS)) { DbgPrint ("AVRF: skipped resnapping provider %ws ... \n", Entry->BaseDllName.Buffer); } } }}
VOIDAVrfpMoveProviderToEndOfInitializationList ( PWSTR ProviderName ){ PPEB_LDR_DATA Ldr; PLIST_ENTRY Head; PLIST_ENTRY Next; PLDR_DATA_TABLE_ENTRY Entry; BOOLEAN Done = FALSE;
Ldr = NtCurrentPeb()->Ldr; Head = &(Ldr->InInitializationOrderModuleList); Next = Head->Flink;
while (Next != Head) {
Entry = CONTAINING_RECORD (Next, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks); if (_wcsicmp (Entry->BaseDllName.Buffer, ProviderName) == 0) {
RemoveEntryList (Next); InsertTailList (Head, Next); Done = TRUE; break; }
Next = Next->Flink; }
if (! Done) { DbgPrint ("AVRF: provider %ws was not found in the initialization list \n", ProviderName);
DbgBreakPoint (); }}
BOOLEANAVrfpLoadAndInitializeProvider ( PAVRF_VERIFIER_DESCRIPTOR Provider ){ PIMAGE_NT_HEADERS NtHeaders; BOOLEAN LoadError = FALSE; NTSTATUS Status; ULONG_PTR Descriptor; PRTL_VERIFIER_PROVIDER_DESCRIPTOR Dscr; BOOLEAN InitStatus; static WCHAR SystemDllPathBuffer[DOS_MAX_PATH_LENGTH]; UNICODE_STRING SystemDllPath;
if ((AVrfpDebug & AVRF_DBG_SHOW_SNAPS)) { DbgPrint ("AVRF: verifier dll `%ws' \n", Provider->VerifierName.Buffer); }
//
// Prepare the system search path (%windir%\system32).
// Verifier providers can be loaded only from this directory.
//
SystemDllPath.Buffer = SystemDllPathBuffer; SystemDllPath.Length = 0; SystemDllPath.MaximumLength = sizeof(SystemDllPathBuffer);
RtlAppendUnicodeToString (&SystemDllPath, USER_SHARED_DATA->NtSystemRoot); RtlAppendUnicodeToString (&SystemDllPath, L"\\System32\\");
//
// Load provider dll
//
Status = LdrLoadDll (SystemDllPath.Buffer, NULL, &(Provider->VerifierName), &(Provider->VerifierHandle));
if (! NT_SUCCESS(Status)) {
DbgPrint ("AVRF: %ws: failed to load provider `%ws' (status %08X) from %ws\n", AVrfpGetProcessName(), Provider->VerifierName.Buffer, Status, SystemDllPath.Buffer);
LoadError = TRUE; goto Error; } //
// Make sure we have a dll.
//
try { NtHeaders = RtlImageNtHeader (Provider->VerifierHandle);
if (! NtHeaders) {
LoadError = TRUE; goto Error; }
if ((NtHeaders->FileHeader.Characteristics & IMAGE_FILE_DLL) == 0) {
DbgPrint ("AVRF: provider %ws is not a DLL image \n", Provider->VerifierName.Buffer);
LoadError = TRUE; goto Error; } } except (EXCEPTION_EXECUTE_HANDLER) {
DbgPrint ("AVRF: exception raised while probing provider %ws \n", Provider->VerifierName.Buffer);
LoadError = TRUE; goto Error; }
//
// We loaded the provider successfully. We will move it to the end
// of the initialization list so that code from other system dlls
// on which the provider relies gets initialized first. For normal
// DLLs this is not an issue but a verifier provider gets loaded
// before any normal DLL no matter what dependencies has.
//
AVrfpMoveProviderToEndOfInitializationList (Provider->VerifierName.Buffer);
//
// Now call the initialization routine with the special
// PROCESS_VERIFIER reason.
//
Provider->VerifierEntryPoint = LdrpFetchAddressOfEntryPoint(Provider->VerifierHandle);
if (Provider->VerifierEntryPoint == NULL) {
DbgPrint ("AVRF: cannot find an entry point for provider %ws \n", Provider->VerifierName.Buffer); LoadError = TRUE; goto Error; } try {
Descriptor = 0;
InitStatus = LdrpCallInitRoutine ((PDLL_INIT_ROUTINE)(Provider->VerifierEntryPoint), Provider->VerifierHandle, DLL_PROCESS_VERIFIER, (PCONTEXT)(&Descriptor));
if (InitStatus && Descriptor) {
Dscr = (PRTL_VERIFIER_PROVIDER_DESCRIPTOR)Descriptor;
//
// Check if this is really a provider descriptor.
//
if (Dscr->Length != sizeof (*Dscr)) {
LoadError = TRUE;
DbgPrint ("AVRF: provider %ws passed an invalid descriptor @ %p \n", Provider->VerifierName.Buffer, Descriptor); } else {
if ((AVrfpDebug & AVRF_DBG_SHOW_PROVIDER_LOADS)) {
DbgPrint ("AVRF: initialized provider %ws (descriptor @ %p) \n", Provider->VerifierName.Buffer, Descriptor); }
Provider->VerifierDlls = Dscr->ProviderDlls; Provider->VerifierLoadHandler = Dscr->ProviderDllLoadCallback; Provider->VerifierUnloadHandler = Dscr->ProviderDllUnloadCallback;
//
// Fill out the provider descriptor structure with goodies.
//
Dscr->VerifierImage = AVrfpGetProcessName(); Dscr->VerifierFlags = AVrfpVerifierFlags; Dscr->VerifierDebug = AVrfpDebug; } } else {
LoadError = TRUE;
DbgPrint ("AVRF: provider %ws did not initialize correctly \n", Provider->VerifierName.Buffer); } } except (EXCEPTION_EXECUTE_HANDLER) {
DbgPrint ("AVRF: exception raised in provider %ws initialization routine \n", Provider->VerifierName.Buffer); LoadError = TRUE; goto Error; }
Error:
return !LoadError;}
BOOLEANAVrfpIsVerifierProviderDll ( PVOID Handle ){ PLIST_ENTRY Current; PAVRF_VERIFIER_DESCRIPTOR Entry;;
Current = AVrfpVerifierProvidersList.Flink;
while (Current != &AVrfpVerifierProvidersList) {
Entry = CONTAINING_RECORD (Current, AVRF_VERIFIER_DESCRIPTOR, List);
Current = Current->Flink;
if (Entry->VerifierHandle == Handle) { return TRUE; } }
return FALSE;}
VOIDAVrfpDumpProviderList ( ){ PLIST_ENTRY Current; PAVRF_VERIFIER_DESCRIPTOR Entry;
Current = AVrfpVerifierProvidersList.Flink;
while (Current != &AVrfpVerifierProvidersList) {
Entry = CONTAINING_RECORD (Current, AVRF_VERIFIER_DESCRIPTOR, List);
Current = Current->Flink;
DbgPrint ("AVRF: provider %ws \n", Entry->VerifierName.Buffer); }}
PVOIDAVrfpFindClosestThunkDuplicate ( PAVRF_VERIFIER_DESCRIPTOR Verifier, PWCHAR DllName, PCHAR ThunkName )/*++
Routine description:
This function searches the list of providers backwards (reverse load order) for a function that verifies original export ThunkName from DllName. This is necessary to implement chaining of verification layers.
Parameters:
Verifier - verifier provider descriptor for which we want to find duplicates. DllName - name of a dll containing a verified export ThunkName - name of the verified export Return value:
Address of a verification function for the same thunk. Null if none was found. --*/{ PLIST_ENTRY Current; PAVRF_VERIFIER_DESCRIPTOR Entry; PRTL_VERIFIER_DLL_DESCRIPTOR Dlls; PRTL_VERIFIER_THUNK_DESCRIPTOR Thunks; ULONG Di; ULONG Ti;
Current = Verifier->List.Blink;
while (Current != &AVrfpVerifierProvidersList) {
Entry = CONTAINING_RECORD (Current, AVRF_VERIFIER_DESCRIPTOR, List);
Current = Current->Blink;
//
// Search in this provider for the thunk.
//
if ((AVrfpDebug & AVRF_DBG_SHOW_CHAIN_DETAILS)) { DbgPrint ("AVRF: chain: searching in %ws\n", Entry->VerifierName.Buffer); } Dlls = Entry->VerifierDlls;
for (Di = 0; Dlls[Di].DllName; Di += 1) {
if ((AVrfpDebug & AVRF_DBG_SHOW_CHAIN_DETAILS)) { DbgPrint ("AVRF: chain: dll: %ws\n", Dlls[Di].DllName); } if (_wcsicmp(Dlls[Di].DllName, DllName) == 0) {
Thunks = Dlls[Di].DllThunks;
for (Ti = 0; Thunks[Ti].ThunkName; Ti += 1) {
if ((AVrfpDebug & AVRF_DBG_SHOW_CHAIN_DETAILS)) { DbgPrint ("AVRF: chain: thunk: %s == %s ?\n", Thunks[Ti].ThunkName, ThunkName); }
if (_stricmp(Thunks[Ti].ThunkName, ThunkName) == 0) { if ((AVrfpDebug & AVRF_DBG_SHOW_CHAIN_DETAILS)) {
DbgPrint ("AVRF: Found duplicate for (%ws: %s) in %ws\n", DllName, ThunkName, Dlls[Di].DllName); }
return Thunks[Ti].ThunkNewAddress; } } } } }
return NULL;}
VOIDAVrfpChainDuplicateVerificationLayers ( )/*++
Routine description:
This routines is called in the final stage of verifier initialization, after all provider dlls have been loaded, and makes a final sweep to detect providers that attempt to verify the same interface. This will be chained together so that they will be called in reverse load order (last declared will be first called). Parameters:
None. Return value:
None. --*/{ PLIST_ENTRY Current; PAVRF_VERIFIER_DESCRIPTOR Entry; PRTL_VERIFIER_DLL_DESCRIPTOR Dlls; PRTL_VERIFIER_THUNK_DESCRIPTOR Thunks; ULONG Di; ULONG Ti; PVOID Duplicate;
Current = AVrfpVerifierProvidersList.Flink;
while (Current != &AVrfpVerifierProvidersList) {
Entry = CONTAINING_RECORD (Current, AVRF_VERIFIER_DESCRIPTOR, List);
Current = Current->Flink;
//
// Search in this provider for duplicate thunks.
//
Dlls = Entry->VerifierDlls;
for (Di = 0; Dlls[Di].DllName; Di += 1) {
Thunks = Dlls[Di].DllThunks;
for (Ti = 0; Thunks[Ti].ThunkName; Ti += 1) {
if ((AVrfpDebug & AVRF_DBG_SHOW_CHAIN_DETAILS)) {
DbgPrint ("AVRF: Checking %ws for duplicate (%ws: %s) \n", Entry->VerifierName.Buffer, Dlls[Di].DllName, Thunks[Ti].ThunkName); }
Duplicate = AVrfpFindClosestThunkDuplicate (Entry, Dlls[Di].DllName, Thunks[Ti].ThunkName);
if (Duplicate) {
if ((AVrfpDebug & AVRF_DBG_SHOW_CHAIN_ACTIVITY)) {
DbgPrint ("AVRF: Chaining (%ws: %s) to %ws\n", Dlls[Di].DllName, Thunks[Ti].ThunkName, Entry->VerifierName.Buffer); } Thunks[Ti].ThunkOldAddress = Duplicate; } } } }}
VOIDAVrfDllLoadNotification ( PLDR_DATA_TABLE_ENTRY LoadedDllData )/*++
Routine description:
This routine is the DLL load hook of application verifier. It gets called whenever a dll got loaded in the process space and after its import descriptors have been walked.
Parameters:
LoadedDllData - LDR loader structure for the dll. Return value:
None. --*/{ ULONG Index; PLIST_ENTRY Current; PAVRF_VERIFIER_DESCRIPTOR Entry;
//
// Do nothing if application verifier is not enabled. The function
// should not even get called if the flag is not set but we
// double check just in case.
//
if ((NtCurrentPeb()->NtGlobalFlag & FLG_APPLICATION_VERIFIER) == 0) { return; } //
// Get verifier global lock.
//
VERIFIER_LOCK ();
//
// We skip verifier providers. Otherwise we get into infinite loops.
//
if (AVrfpIsVerifierProviderDll (LoadedDllData->DllBase)) {
VERIFIER_UNLOCK (); return; }
//
// Call internal function.
//
AVrfpDllLoadNotificationInternal (LoadedDllData);
//
// Iterate the verifier provider list and notify each one of the
// load event.
Current = AVrfpVerifierProvidersList.Flink;
while (Current != &AVrfpVerifierProvidersList) {
Entry = CONTAINING_RECORD (Current, AVRF_VERIFIER_DESCRIPTOR, List);
Current = Current->Flink;
if (Entry->VerifierLoadHandler) {
Entry->VerifierLoadHandler (LoadedDllData->BaseDllName.Buffer, LoadedDllData->DllBase, LoadedDllData->SizeOfImage, LoadedDllData); } } VERIFIER_UNLOCK ();}
VOIDAVrfpDllLoadNotificationInternal ( PLDR_DATA_TABLE_ENTRY LoadedDllData )/*++
Routine description:
This routine is the DLL load hook of application verifier. It gets called whenever a dll got loaded in the process space and after its import descriptors have been walked. It is also called internally in early stages of process initialization when we just loaded verifier providers and we need to resnap dlls already loaded (.exe, ntdll.dll (although on ntdll this will have zero effect because it does not import anything)).
Parameters:
LoadedDllData - LDR loader structure for the dll. Return value:
None. --*/{ ULONG Index; PLIST_ENTRY Current; PAVRF_VERIFIER_DESCRIPTOR Entry;;
//
// If verifier is disabled skip.
//
if (AVrfpEnabled == FALSE) { return; } //
// Iterate the verifier provider list and for each one determine
// if one of the dlls that has exports to be verified is loaded.
// If this is the case we need to look at its export table in order
// to find out real addresses for functions being redirected.
//
Current = AVrfpVerifierProvidersList.Flink;
while (Current != &AVrfpVerifierProvidersList) {
PRTL_VERIFIER_DLL_DESCRIPTOR Dlls; PRTL_VERIFIER_THUNK_DESCRIPTOR Thunks;
Entry = CONTAINING_RECORD (Current, AVRF_VERIFIER_DESCRIPTOR, List);
Current = Current->Flink;
Dlls = Entry->VerifierDlls;
for (Index = 0; Dlls[Index].DllName; Index += 1) {
if ((Dlls[Index].DllFlags & AVRF_FLG_EXPORT_DLL_LOADED) == 0) {
int CompareResult;
CompareResult = _wcsicmp (LoadedDllData->BaseDllName.Buffer, Dlls[Index].DllName);
if (CompareResult == 0) {
if ((AVrfpDebug & AVRF_DBG_SHOW_DLLS_WITH_EXPORTS)) { DbgPrint ("AVRF: pid 0x%X: found dll descriptor for `%ws' with verified exports \n", HandleToUlong(NtCurrentTeb()->ClientId.UniqueProcess), LoadedDllData->BaseDllName.Buffer); }
AVrfpDetectVerifiedExports (&(Dlls[Index]), Dlls[Index].DllThunks); } } } }
//
// Note. We do not have to snap other DLLs already loaded because they cannot
// possibly have a dependence on a verifier export just discovered in
// current DLL. If this had been the case, the DLL would have been loaded
// earlier (before the current one).
//
AVrfpSnapDllImports (LoadedDllData);}
VOIDAVrfDllUnloadNotification ( PLDR_DATA_TABLE_ENTRY DllData )/*++
Routine description:
This routine is the DLL unload hook of application verifier. It gets called whenever a dll gets unloaded from the process space. The hook is called after the DllMain routine of the DLL got called with PROCESS_DETACH therefore this is the right moment to check for leaks. The function will call DllUnload notification routines for all providers loaded into the process space.
Parameters:
LoadedDllData - LDR loader structure for the dll. Return value:
None. --*/{ ULONG Index; PLIST_ENTRY Current; PAVRF_VERIFIER_DESCRIPTOR Entry;;
//
// Do nothing if application verifier is not enabled. The function
// should not even get called if the flag is not set but we
// double check just in case.
//
if ((NtCurrentPeb()->NtGlobalFlag & FLG_APPLICATION_VERIFIER) == 0) { return; }
//
// If verifier is disabled skip.
//
if (AVrfpEnabled == FALSE) { return; } //
// Get verifier global lock.
//
VERIFIER_LOCK ();
//
// We should never get this call for a verifier provider DLL because
// these are never unloaded.
//
if (AVrfpIsVerifierProviderDll (DllData->DllBase)) {
DbgPrint ("AVrfDllUnloadNotification called for a provider (%p) \n", DllData); DbgBreakPoint (); VERIFIER_UNLOCK (); return; }
//
// Iterate the verifier provider list and notify each one of the
// unload event.
Current = AVrfpVerifierProvidersList.Flink;
while (Current != &AVrfpVerifierProvidersList) {
Entry = CONTAINING_RECORD (Current, AVRF_VERIFIER_DESCRIPTOR, List);
Current = Current->Flink;
if (Entry->VerifierUnloadHandler) {
Entry->VerifierUnloadHandler (DllData->BaseDllName.Buffer, DllData->DllBase, DllData->SizeOfImage, DllData); } } VERIFIER_UNLOCK ();}
BOOLEANAVrfpSnapDllImports ( PLDR_DATA_TABLE_ENTRY LdrDataTableEntry )/*++
Routine description:
This routine walks the already resolved import tables of a loaded dll and modifies the addresses of all functions that need to be verifier. The dll has just been loaded, imports resolved but dll main function has not been called. Parameters:
LdrDataTableEntry - loader descriptor for a loaded dll Return value:
True if we checked all imports of the dll and modified the ones that need to be verified. False if an error was encountered along the way. --*/{ PVOID IATBase; SIZE_T BigIATSize; ULONG LittleIATSize; PVOID *ProcAddresses; ULONG NumberOfProcAddresses; ULONG OldProtect; USHORT TagIndex; NTSTATUS st; ULONG Pi; // procedure index
ULONG Di; // dll index
ULONG Ti; // thunk index
PLIST_ENTRY Current; PAVRF_VERIFIER_DESCRIPTOR Entry; PRTL_VERIFIER_DLL_DESCRIPTOR Dlls; PRTL_VERIFIER_THUNK_DESCRIPTOR Thunks;
//
// Determine the location and size of the IAT. If found, scan the
// IAT address to see if any are pointing to functions that should be
// verified and replace those thunks.
//
IATBase = RtlImageDirectoryEntryToData (LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &LittleIATSize);
if (IATBase == NULL) { return FALSE; } BigIATSize = LittleIATSize;
//
// Make table read/write.
//
st = NtProtectVirtualMemory (NtCurrentProcess(), &IATBase, &BigIATSize, PAGE_READWRITE, &OldProtect);
if (!NT_SUCCESS (st)) {
DbgPrint( "AVRF: Unable to unprotect IAT to modify thunks (status %08X).\n", st); return FALSE; }
ProcAddresses = (PVOID *)IATBase; NumberOfProcAddresses = (ULONG)(BigIATSize / sizeof(PVOID));
for (Pi = 0; Pi < NumberOfProcAddresses; Pi += 1) { //
// If we find a null in the import table we skip over it.
//
if (*ProcAddresses == NULL) { ProcAddresses += 1; continue; }
Current = AVrfpVerifierProvidersList.Flink;
while (Current != &AVrfpVerifierProvidersList) {
Entry = CONTAINING_RECORD (Current, AVRF_VERIFIER_DESCRIPTOR, List);
Current = Current->Flink;
Dlls = Entry->VerifierDlls; for (Di = 0; Dlls[Di].DllName; Di += 1) {
Thunks = Dlls[Di].DllThunks;
for (Ti = 0; Thunks[Ti].ThunkName; Ti += 1) {
if (*ProcAddresses == Thunks[Ti].ThunkOldAddress) {
if (Thunks[Ti].ThunkNewAddress) {
*ProcAddresses = Thunks[Ti].ThunkNewAddress; } else {
DbgPrint ("AVRF:SilviuC: New thunk for %s is null. \n", Thunks[Ti].ThunkName); DbgBreakPoint (); }
if ((AVrfpDebug & AVRF_DBG_SHOW_SNAPS)) {
DbgPrint ("AVRF: Snapped (%ws: %s) with (%ws: %p). \n", LdrDataTableEntry->BaseDllName.Buffer, Thunks[Ti].ThunkName, Entry->VerifierName.Buffer, Thunks[Ti].ThunkNewAddress); } } } } }
ProcAddresses += 1; }
//
// Restore old protection for the table.
//
NtProtectVirtualMemory (NtCurrentProcess(), &IATBase, &BigIATSize, OldProtect, &OldProtect);
return TRUE;}
BOOLEANAVrfpDetectVerifiedExports ( PRTL_VERIFIER_DLL_DESCRIPTOR Dll, PRTL_VERIFIER_THUNK_DESCRIPTOR Thunks )/*++
Routine description:
This routine checks if `DllString' is the name of a dll that has exports that need to be verifier. If it does then we detect the addresses of all those exports. We need the addresses to detect what imports need to be modified by application verifier. Parameters:
DlString - name of a dll exporting verified interfaces. Thunks - array of thunk descriptors for our dll Return value:
True if verified exports have been detected. False if an error has been encountered. --*/{ UNICODE_STRING DllName; PLDR_DATA_TABLE_ENTRY DllData; PIMAGE_EXPORT_DIRECTORY Directory; ULONG Size; PCHAR NameAddress; PCHAR FunctionAddress; PCHAR Base; PCHAR IndexAddress; ULONG Index; ULONG RealIndex; BOOLEAN Result = FALSE; NTSTATUS Status; WCHAR StaticRedirectionBuffer[DOS_MAX_PATH_LENGTH]; UNICODE_STRING StaticRedirectionString; UNICODE_STRING DynamicRedirectionString; PUNICODE_STRING DllNameToUse; BOOLEAN Redirected = FALSE; ULONG Fi, Ti;
//
// "Fusion-ize" the dll name.
//
RtlInitUnicodeString (&DllName, Dll->DllName);
DynamicRedirectionString.Buffer = NULL;
StaticRedirectionString.Length = 0; StaticRedirectionString.MaximumLength = sizeof(StaticRedirectionBuffer); StaticRedirectionString.Buffer = StaticRedirectionBuffer;
DllNameToUse = &DllName;
Status = RtlDosApplyFileIsolationRedirection_Ustr( RTL_DOS_APPLY_FILE_REDIRECTION_USTR_FLAG_RESPECT_DOT_LOCAL, &DllName, &DefaultExtension, &StaticRedirectionString, &DynamicRedirectionString, &DllNameToUse, NULL, NULL, NULL);
if (NT_SUCCESS(Status)) { Redirected = TRUE; } else if (Status == STATUS_SXS_KEY_NOT_FOUND) { Status = STATUS_SUCCESS; }
//
// Get the loader descriptor for this dll.
//
if (NT_SUCCESS(Status)) {
Result = LdrpCheckForLoadedDll (NULL, DllNameToUse, TRUE, Redirected, &DllData);
if (DynamicRedirectionString.Buffer != NULL) RtlFreeUnicodeString(&DynamicRedirectionString); }
if (Result == FALSE) {
//
// We exit of we failed to fusionize name or did not find
// the dll among the loaded ones.
//
return FALSE; }
//
// Get the export directory for the dll.
//
Base = DllData->DllBase;
Directory = RtlImageDirectoryEntryToData (DllData->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &Size);
if (Directory == NULL) { return FALSE; }
//
// Iterate the exports for the dll and replace all those that
// need to be verified.
//
for (Ti = 0; Thunks[Ti].ThunkName; Ti += 1) { //
// If old thunk already filled (can happen due to chaining)
// then skip search for the original address.
//
if (Thunks[Ti].ThunkOldAddress) { continue; }
for (Fi = 0; Fi < Directory->NumberOfFunctions; Fi += 1) { NameAddress = Base + Directory->AddressOfNames; NameAddress = Base + ((ULONG *)NameAddress)[Fi];
IndexAddress = Base + Directory->AddressOfNameOrdinals; RealIndex = (ULONG)(((USHORT *)IndexAddress)[Fi]);
if (_stricmp (NameAddress, Thunks[Ti].ThunkName) == 0) {
FunctionAddress = Base + Directory->AddressOfFunctions; FunctionAddress = Base + ((ULONG *)FunctionAddress)[RealIndex];
Thunks[Ti].ThunkOldAddress = FunctionAddress;
if ((AVrfpDebug & AVRF_DBG_SHOW_VERIFIED_EXPORTS)) { DbgPrint ("AVRF: found verified export %s @ %p \n", NameAddress, FunctionAddress); } } } }
Dll->DllFlags |= AVRF_FLG_EXPORT_DLL_LOADED;
return TRUE;}
PWSTRAVrfpGetProcessName ( ){ PPEB_LDR_DATA Ldr; PLIST_ENTRY Head; PLIST_ENTRY Next; PLDR_DATA_TABLE_ENTRY Entry;
Ldr = NtCurrentPeb()->Ldr; Head = &(Ldr->InLoadOrderModuleList); Next = Head->Flink;
Entry = CONTAINING_RECORD (Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
return Entry->BaseDllName.Buffer;}
/////////////////////////////////////////////////////////////////////
///////////////////////////////////// Verifier options initialization
/////////////////////////////////////////////////////////////////////
BOOLEANAVrfpEnableHandleVerifier ( ){ PROCESS_HANDLE_TRACING_ENABLE HandleCheckEnable; NTSTATUS Status;
RtlZeroMemory (&HandleCheckEnable, sizeof HandleCheckEnable);
Status = NtSetInformationProcess (NtCurrentProcess(), ProcessHandleTracing, &HandleCheckEnable, sizeof HandleCheckEnable);
if (!NT_SUCCESS (Status)) {
DbgPrint ("AVRF: failed to enable handle checking (status %X) \n", Status);
return FALSE; }
return TRUE;}
BOOLEANAVrfpEnableStackVerifier ( ){ NtCurrentPeb()->NtGlobalFlag |= FLG_DISABLE_STACK_EXTENSION; return TRUE;}
BOOLEANAVrfpEnableLockVerifier ( ){ RtlpCriticalSectionVerifier = TRUE; return TRUE;}
BOOLEANAVrfpEnableHeapVerifier ( ){ extern ULONG RtlpDphGlobalFlags;
NtCurrentPeb()->NtGlobalFlag |= FLG_HEAP_PAGE_ALLOCS;
if (AVrfpVerifierFlags & RTL_VRF_FLG_FULL_PAGE_HEAP) { RtlpDphGlobalFlags |= PAGE_HEAP_ENABLE_PAGE_HEAP; } else {
//
// Nothing. Light heap is the default.
//
}
return TRUE;}
BOOLEANAVrfpEnableVerifierOptions ( ){ BOOLEAN Result; BOOLEAN Failures = FALSE;
//
// Heap verifier in some form is enabled always.
//
Result = AVrfpEnableHeapVerifier ();
if (Result == FALSE) { Failures = TRUE; }
//
// Handle checks
//
if (AVrfpVerifierFlags & RTL_VRF_FLG_HANDLE_CHECKS) {
Result = AVrfpEnableHandleVerifier ();
if (Result == FALSE) { Failures = TRUE; } }
//
// Stack overflow checks
//
if (AVrfpVerifierFlags & RTL_VRF_FLG_STACK_CHECKS) {
Result = AVrfpEnableStackVerifier ();
if (Result == FALSE) { Failures = TRUE; } }
//
// Lock checks
//
if (AVrfpVerifierFlags & RTL_VRF_FLG_LOCK_CHECKS) {
Result = AVrfpEnableLockVerifier ();
if (Result == FALSE) { Failures = TRUE; } }
return !Failures;}
/////////////////////////////////////////////////////////////////////
////////////////////////////////////////// Application verifier stops
/////////////////////////////////////////////////////////////////////
ULONG_PTR AVrfpPreviousStopData[5];ULONG_PTR AVrfpStopData[5];
VOIDRtlApplicationVerifierStop ( ULONG_PTR Code, PCHAR Message, ULONG_PTR Param1, PCHAR Description1, ULONG_PTR Param2, PCHAR Description2, ULONG_PTR Param3, PCHAR Description3, ULONG_PTR Param4, PCHAR Description4 ){ BOOLEAN DoNotBreak = FALSE;
if ((Code & APPLICATION_VERIFIER_NO_BREAK)) {
DoNotBreak = TRUE; Code &= ~APPLICATION_VERIFIER_NO_BREAK; } //
// Make it easy for a debugger to pick up the failure info.
//
RtlMoveMemory (AVrfpPreviousStopData, AVrfpStopData, sizeof AVrfpStopData);
AVrfpStopData[0] = Code; AVrfpStopData[1] = Param1; AVrfpStopData[2] = Param2; AVrfpStopData[3] = Param3; AVrfpStopData[4] = Param4;
//
// Internal warnings/errors will not cause a break if app verifier is on.
// SilviuC: should make sure we really need this.
//
if ((Code & APPLICATION_VERIFIER_INTERNAL_ERROR)) { if (! (NtCurrentPeb()->NtGlobalFlag & FLG_APPLICATION_VERIFIER)) {
DbgPrint ("\n\n===========================================================\n"); DbgPrint ("VERIFIER INTERNAL ERROR %p: pid 0x%X: %s \n" "\n\t%p : %s\n\t%p : %s\n\t%p : %s\n\t%p : %s\n", Code, HandleToUlong(NtCurrentTeb()->ClientId.UniqueProcess), Message, Param1, Description1, Param2, Description2, Param3, Description3, Param4, Description4); DbgPrint ("===========================================================\n\n"); DbgBreakPoint (); } } else if ((Code & APPLICATION_VERIFIER_INTERNAL_WARNING)) { if (! (NtCurrentPeb()->NtGlobalFlag & FLG_APPLICATION_VERIFIER)) { DbgPrint ("\n\n===========================================================\n"); DbgPrint ("VERIFIER INTERNAL WARNING %p: pid 0x%X: %s \n" "\n\t%p : %s\n\t%p : %s\n\t%p : %s\n\t%p : %s\n", Code, HandleToUlong(NtCurrentTeb()->ClientId.UniqueProcess), Message, Param1, Description1, Param2, Description2, Param3, Description3, Param4, Description4); DbgPrint ("===========================================================\n\n"); DbgBreakPoint (); } } else { DbgPrint ("\n\n===========================================================\n"); DbgPrint ("VERIFIER STOP %p: pid 0x%X: %s \n" "\n\t%p : %s\n\t%p : %s\n\t%p : %s\n\t%p : %s\n", Code, HandleToUlong(NtCurrentTeb()->ClientId.UniqueProcess), Message, Param1, Description1, Param2, Description2, Param3, Description3, Param4, Description4); DbgPrint ("===========================================================\n\n");
if (! DoNotBreak) { DbgBreakPoint (); } }}
/////////////////////////////////////////////////////////////////////
////////////////////////////////////////// Page heap target dll logic
/////////////////////////////////////////////////////////////////////
//
// ISSUE: SilviuC: pageheap per dll code should move into verifier.dll
//
BOOLEAN AVrfpDphKernel32Snapped;BOOLEAN AVrfpDphMsvcrtSnapped;
#define SNAP_ROUTINE_GLOBALALLOC 0
#define SNAP_ROUTINE_GLOBALREALLOC 1
#define SNAP_ROUTINE_GLOBALFREE 2
#define SNAP_ROUTINE_LOCALALLOC 3
#define SNAP_ROUTINE_LOCALREALLOC 4
#define SNAP_ROUTINE_LOCALFREE 5
#define SNAP_ROUTINE_HEAPALLOC 6
#define SNAP_ROUTINE_HEAPREALLOC 7
#define SNAP_ROUTINE_HEAPFREE 8
#define SNAP_ROUTINE_HEAPCREATE 9
#define SNAP_ROUTINE_MALLOC 10
#define SNAP_ROUTINE_CALLOC 11
#define SNAP_ROUTINE_REALLOC 12
#define SNAP_ROUTINE_FREE 13
#define SNAP_ROUTINE_NEW 14
#define SNAP_ROUTINE_DELETE 15
#define SNAP_ROUTINE_NEW_ARRAY 16
#define SNAP_ROUTINE_DELETE_ARRAY 17
#define SNAP_ROUTINE_MAX_INDEX 18
PVOID AVrfpDphSnapRoutines [SNAP_ROUTINE_MAX_INDEX];
typedef struct _DPH_SNAP_NAME {
PSTR Name; ULONG Index;
} DPH_SNAP_NAME, * PDPH_SNAP_NAME;
DPH_SNAP_NAMEAVrfpDphSnapNamesForKernel32 [] = {
{ "GlobalAlloc", 0 }, { "GlobalReAlloc", 1 }, { "GlobalFree", 2 }, { "LocalAlloc", 3 }, { "LocalReAlloc", 4 }, { "LocalFree", 5 }, { "HeapAlloc", 6 }, { "HeapReAlloc", 7 }, { "HeapFree", 8 }, { "HeapCreate", 9 }, { NULL, 0 }};
DPH_SNAP_NAMEAVrfpDphSnapNamesForMsvcrt [] = {
{ "malloc", 10}, { "calloc", 11}, { "realloc", 12}, { "free", 13}, { "??2@YAPAXI@Z", 14}, // operator new
{ "??3@YAXPAX@Z", 15}, // operator delete
{ "??_U@YAPAXI@Z", 16}, // operator new[]
{ "??_V@YAXPAX@Z", 17}, // operator delete[]
{ NULL, 0 }};
//
// Declarations for replacement functions
//
PVOIDAVrfpDphDllHeapAlloc ( IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size );
PVOIDAVrfpDphDllHeapReAlloc ( IN PVOID HeapHandle, IN ULONG Flags, IN PVOID Address, IN SIZE_T Size );
BOOLEANAVrfpDphDllHeapFree( IN PVOID HeapHandle, IN ULONG Flags, IN PVOID Address );
PVOIDAVrfpDphDllLocalAlloc ( IN ULONG Flags, IN SIZE_T Size );
PVOIDAVrfpDphDllLocalReAlloc ( IN PVOID Address, IN SIZE_T Size, IN ULONG Flags );
PVOIDAVrfpDphDllLocalFree( IN PVOID Address );
PVOIDAVrfpDphDllGlobalAlloc ( IN ULONG Flags, IN SIZE_T Size );
PVOIDAVrfpDphDllGlobalReAlloc ( IN PVOID Address, IN SIZE_T Size, IN ULONG Flags );
PVOIDAVrfpDphDllGlobalFree( IN PVOID Address );
PVOID __cdeclAVrfpDphDllmalloc ( IN SIZE_T Size );
PVOID __cdeclAVrfpDphDllcalloc ( IN SIZE_T Number, IN SIZE_T Size );
PVOID __cdeclAVrfpDphDllrealloc ( IN PVOID Address, IN SIZE_T Size );
VOID __cdeclAVrfpDphDllfree ( IN PVOID Address );
PVOID __cdeclAVrfpDphDllNew ( IN SIZE_T Size );
VOID __cdeclAVrfpDphDllDelete ( IN PVOID Address );
PVOID __cdeclAVrfpDphDllNewArray ( IN SIZE_T Size );
VOID __cdeclAVrfpDphDllDeleteArray ( IN PVOID Address );
//
// Replacement function for msvcrt HeapCreate used to intercept
// the CRT heap creation.
//
PVOIDAVrfpDphDllHeapCreate ( ULONG Options, SIZE_T InitialSize, SIZE_T MaximumSize );
//
// Address of heap created by msvcrt. This is needed
// by the replacements of malloc/free etc.
//
PVOID AVrfpDphMsvcrtHeap;
//
// Snap implementation
//
BOOLEANAVrfpDphDetectSnapRoutines ( PWSTR DllString, PDPH_SNAP_NAME SnapNames ){ PLDR_DATA_TABLE_ENTRY DllData; PIMAGE_EXPORT_DIRECTORY Directory; ULONG Size; PCHAR NameAddress; PCHAR FunctionAddress; PCHAR Base; PCHAR IndexAddress; ULONG Index; ULONG RealIndex; BOOLEAN Result = FALSE; UNICODE_STRING DllName; PDPH_SNAP_NAME CurrentSnapName; NTSTATUS Status; WCHAR StaticRedirectionBuffer[DOS_MAX_PATH_LENGTH]; UNICODE_STRING StaticRedirectionString; UNICODE_STRING DynamicRedirectionString; PUNICODE_STRING DllNameToUse; BOOLEAN Redirected = FALSE;
RtlInitUnicodeString ( &DllName, DllString);
DynamicRedirectionString.Buffer = NULL;
StaticRedirectionString.Length = 0; StaticRedirectionString.MaximumLength = sizeof(StaticRedirectionBuffer); StaticRedirectionString.Buffer = StaticRedirectionBuffer;
DllNameToUse = &DllName;
Status = RtlDosApplyFileIsolationRedirection_Ustr( RTL_DOS_APPLY_FILE_REDIRECTION_USTR_FLAG_RESPECT_DOT_LOCAL, &DllName, &DefaultExtension, &StaticRedirectionString, &DynamicRedirectionString, &DllNameToUse, NULL, NULL, NULL); if (NT_SUCCESS(Status)) { Redirected = TRUE; } else if (Status == STATUS_SXS_KEY_NOT_FOUND) { Status = STATUS_SUCCESS; }
if (NT_SUCCESS(Status)) { Result = LdrpCheckForLoadedDll ( NULL, DllNameToUse, TRUE, Redirected, &DllData);
if (DynamicRedirectionString.Buffer != NULL) RtlFreeUnicodeString(&DynamicRedirectionString); }
if (Result == FALSE) { return FALSE; }
Base = DllData->DllBase;
Directory = RtlImageDirectoryEntryToData ( DllData->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &Size );
if (Directory == NULL) { return FALSE; }
for (CurrentSnapName = SnapNames; CurrentSnapName->Name; CurrentSnapName += 1) {
for (Index = 0; Index < Directory->NumberOfFunctions; Index += 1) {
NameAddress = Base + Directory->AddressOfNames; NameAddress = Base + ((ULONG *)NameAddress)[Index];
IndexAddress = Base + Directory->AddressOfNameOrdinals; RealIndex = (ULONG)(((USHORT *)IndexAddress)[Index]);
if (_stricmp (NameAddress, CurrentSnapName->Name) == 0) {
FunctionAddress = Base + Directory->AddressOfFunctions; FunctionAddress = Base + ((ULONG *)FunctionAddress)[RealIndex];
AVrfpDphSnapRoutines[CurrentSnapName->Index] = FunctionAddress; DbgPrint ("Page heap: found %s @ address %p \n", NameAddress, FunctionAddress); } } }
return TRUE;}
BOOLEANAVrfpDphSnapImports ( PLDR_DATA_TABLE_ENTRY LdrDataTableEntry, BOOLEAN CallToDetectCrtHeap ){ PVOID IATBase; SIZE_T BigIATSize; ULONG LittleIATSize; PVOID *ProcAddresses; ULONG NumberOfProcAddresses; ULONG OldProtect; USHORT TagIndex; NTSTATUS st;
//
// Determine the location and size of the IAT. If found, scan the
// IAT address to see if any are pointing to alloc/free functions
// and replace those thunks.
//
IATBase = RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &LittleIATSize);
if (IATBase != NULL) {
BigIATSize = LittleIATSize;
st = NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &BigIATSize, PAGE_READWRITE, &OldProtect);
if (!NT_SUCCESS(st)) { DbgPrint( "LDR: Unable to unprotect IAT to enable per DLL page heap.\n" ); return FALSE; } else { ProcAddresses = (PVOID *)IATBase; NumberOfProcAddresses = (ULONG)(BigIATSize / sizeof(PVOID)); while (NumberOfProcAddresses--) {
//
// If we find a null in the import table we skip over it.
// Otherwise we will erroneously think it is a malloc() routine
// to be replaced. This can happen if msvcrt was not loaded yet
// and therefore the address of malloc() is also null.
//
if (*ProcAddresses == NULL) { ProcAddresses += 1; continue; }
if (CallToDetectCrtHeap) { if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_HEAPCREATE]) { *ProcAddresses = AVrfpDphDllHeapCreate; DbgPrint ("Snapped (%ws) HeapCreate ... \n", LdrDataTableEntry->BaseDllName.Buffer); } } else {
//
// ntdll imports
//
if (*ProcAddresses == RtlAllocateHeap) { *ProcAddresses = AVrfpDphDllHeapAlloc; DbgPrint ("Snapped (%ws) RtlAllocateHeap ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == RtlReAllocateHeap) { *ProcAddresses = AVrfpDphDllHeapReAlloc; DbgPrint ("Snapped (%ws) RtlReAllocateHeap ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == RtlFreeHeap) { *ProcAddresses = AVrfpDphDllHeapFree; DbgPrint ("Snapped (%ws) RtlFreeHeap ... \n", LdrDataTableEntry->BaseDllName.Buffer); }
//
// kernel32 imports
//
else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_HEAPALLOC]) { *ProcAddresses = AVrfpDphDllHeapAlloc; DbgPrint ("Snapped (%ws) HeapAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_HEAPREALLOC]) { *ProcAddresses = AVrfpDphDllHeapReAlloc; DbgPrint ("Snapped (%ws) HeapReAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_HEAPFREE]) { *ProcAddresses = AVrfpDphDllHeapFree; DbgPrint ("Snapped (%ws) HeapFree ... \n", LdrDataTableEntry->BaseDllName.Buffer); }
else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_LOCALALLOC]) { *ProcAddresses = AVrfpDphDllLocalAlloc; DbgPrint ("Snapped (%ws) LocalAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_LOCALREALLOC]) { *ProcAddresses = AVrfpDphDllLocalReAlloc; DbgPrint ("Snapped (%ws) LocalReAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_LOCALFREE]) { *ProcAddresses = AVrfpDphDllLocalFree; DbgPrint ("Snapped (%ws) LocalFree ... \n", LdrDataTableEntry->BaseDllName.Buffer); }
else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_GLOBALALLOC]) { *ProcAddresses = AVrfpDphDllGlobalAlloc; DbgPrint ("Snapped (%ws) GlobalAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_GLOBALREALLOC]) { *ProcAddresses = AVrfpDphDllGlobalReAlloc; DbgPrint ("Snapped (%ws) GlobalReAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_GLOBALFREE]) { *ProcAddresses = AVrfpDphDllGlobalFree; DbgPrint ("Snapped (%ws) GlobalFree ... \n", LdrDataTableEntry->BaseDllName.Buffer); }
//
// msvcrt imports
//
else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_MALLOC]) { *ProcAddresses = AVrfpDphDllmalloc; DbgPrint ("Snapped (%ws) malloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_REALLOC]) { *ProcAddresses = AVrfpDphDllrealloc; DbgPrint ("Snapped (%ws) realloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_CALLOC]) { *ProcAddresses = AVrfpDphDllcalloc; DbgPrint ("Snapped (%ws) calloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_FREE]) { *ProcAddresses = AVrfpDphDllfree; DbgPrint ("Snapped (%ws) free ... \n", LdrDataTableEntry->BaseDllName.Buffer); }
else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_NEW]) { *ProcAddresses = AVrfpDphDllNew; DbgPrint ("Snapped (%ws) operator new ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_DELETE]) { *ProcAddresses = AVrfpDphDllDelete; DbgPrint ("Snapped (%ws) operator delete ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_NEW_ARRAY]) { *ProcAddresses = AVrfpDphDllNewArray; DbgPrint ("Snapped (%ws) operator new[] ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == AVrfpDphSnapRoutines[SNAP_ROUTINE_DELETE_ARRAY]) { *ProcAddresses = AVrfpDphDllDeleteArray; DbgPrint ("Snapped (%ws) operator delete[] ... \n", LdrDataTableEntry->BaseDllName.Buffer); } }
ProcAddresses += 1; }
NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &BigIATSize, OldProtect, &OldProtect); } }
return TRUE;}
VOIDAVrfPageHeapDllNotification ( PLDR_DATA_TABLE_ENTRY LoadedDllData )/*++
Routine description:
This routine is the DLL load hook for page heap per dll. It gets called whenever a dll got loaded in the process space and after its import descriptors have been walked.
Parameters:
LoadedDllData - LDR loader structure for the dll. Return value:
None. --*/{ BOOLEAN Kernel32JustSnapped = FALSE; BOOLEAN MsvcrtJustSnapped = FALSE;
//
// If we do not have per dll page heap feature enabled
// we return immediately.
//
if (! (RtlpDphGlobalFlags & PAGE_HEAP_USE_DLL_NAMES)) { return; }
if (! AVrfpDphKernel32Snapped) {
Kernel32JustSnapped = AVrfpDphDetectSnapRoutines ( Kernel32String.Buffer, AVrfpDphSnapNamesForKernel32);
AVrfpDphKernel32Snapped = Kernel32JustSnapped; }
if (! AVrfpDphMsvcrtSnapped) {
MsvcrtJustSnapped = AVrfpDphDetectSnapRoutines ( L"msvcrt.dll", AVrfpDphSnapNamesForMsvcrt);
AVrfpDphMsvcrtSnapped = MsvcrtJustSnapped; }
//
// Snap everything already loaded if we just managed
// to detect snap routines.
//
if (Kernel32JustSnapped || MsvcrtJustSnapped) {
PWSTR Current; PWSTR End; WCHAR SavedChar; PLDR_DATA_TABLE_ENTRY DllData; BOOLEAN Result; UNICODE_STRING DllName; WCHAR StaticRedirectionBuffer[DOS_MAX_PATH_LENGTH]; UNICODE_STRING StaticRedirectionString; UNICODE_STRING DynamicRedirectionString; PUNICODE_STRING DllNameToUse; BOOLEAN Redirected = FALSE; NTSTATUS Status;
DynamicRedirectionString.Buffer = NULL;
StaticRedirectionString.Length = 0; StaticRedirectionString.MaximumLength = sizeof(StaticRedirectionBuffer); StaticRedirectionString.Buffer = StaticRedirectionBuffer;
Current = RtlpDphTargetDlls;
while (*Current) {
while (*Current == L' ') { Current += 1; }
End = Current;
while (*End && *End != L' ') { End += 1; }
if (*Current == L'\0') { break; }
SavedChar = *End; *End = L'\0';
RtlInitUnicodeString ( &DllName, Current);
DllNameToUse = &DllName;
Status = RtlDosApplyFileIsolationRedirection_Ustr( RTL_DOS_APPLY_FILE_REDIRECTION_USTR_FLAG_RESPECT_DOT_LOCAL, &DllName, &DefaultExtension, &StaticRedirectionString, &DynamicRedirectionString, &DllNameToUse, NULL, NULL, NULL); if (NT_SUCCESS(Status)) { Redirected = TRUE; } else if (Status == STATUS_SXS_KEY_NOT_FOUND) { Status = STATUS_SUCCESS; }
if (NT_SUCCESS(Status)) { Result = LdrpCheckForLoadedDll ( NULL, DllNameToUse, TRUE, Redirected, &DllData);
if (DynamicRedirectionString.Buffer != NULL) RtlFreeUnicodeString(&DynamicRedirectionString); }
if (Result) {
if (DllData->DllBase == LoadedDllData->DllBase) {#if DBG
DbgPrint ("Page heap: oversnapping %ws \n", DllData->BaseDllName);#endif
}
AVrfpDphSnapImports (DllData, FALSE); }
*End = SavedChar; Current = End; } }
//
// If we just loaded msvcrt.dll we need to redirect HeapCreate call
// in order to detect when the CRT heap gets created.
//
if (_wcsicmp (LoadedDllData->BaseDllName.Buffer, L"msvcrt.dll") == 0) {
AVrfpDphSnapImports (LoadedDllData, TRUE); }
//
// Call back into page heap manager to figure out if the
// currently loaded dll is a target for page heap.
//
if (RtlpDphIsDllTargeted (LoadedDllData->BaseDllName.Buffer)) {
AVrfpDphSnapImports (LoadedDllData, FALSE); }}
/////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////// Snap routines
/////////////////////////////////////////////////////////////////////
//
// A biased heap pointer signals to the page heap manager that
// this allocation needs to get into page heap (not normal heap).
// This needs to happen only for allocation function (not free, delete).
//
#define BIAS_POINTER(p) ((PVOID)((ULONG_PTR)(p) | 0x01))
PVOIDAVrfpDphDllHeapAlloc ( IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size ){ return RtlpDebugPageHeapAllocate ( BIAS_POINTER(HeapHandle), Flags, Size);}
PVOIDAVrfpDphDllHeapReAlloc ( IN PVOID HeapHandle, IN ULONG Flags, IN PVOID Address, IN SIZE_T Size ){ return RtlpDebugPageHeapReAllocate ( BIAS_POINTER(HeapHandle), Flags, Address, Size);}
BOOLEANAVrfpDphDllHeapFree( IN PVOID HeapHandle, IN ULONG Flags, IN PVOID Address ){ return RtlpDebugPageHeapFree ( HeapHandle, Flags, Address);}
//
// LocalAlloc, LocalReAlloc, LocalFree
// GlobalAlloc, GlobalReAlloc, GlobalFree
//
// The following macros are copied from sdk\inc\winbase.h
// There is very low probability that anybody will ever change
// these values for application compatibility reasons.
//
#define LMEM_MOVEABLE 0x0002
#define LMEM_ZEROINIT 0x0040
#if defined(_AMD64_) || defined(_IA64_)
#define BASE_HANDLE_MARK_BIT 0x08
#else
#define BASE_HANDLE_MARK_BIT 0x04
#endif
typedef PVOID(* FUN_LOCAL_ALLOC) ( IN ULONG Flags, IN SIZE_T Size );
typedef PVOID(* FUN_LOCAL_REALLOC) ( IN PVOID Address, IN SIZE_T Size, IN ULONG Flags );
typedef PVOID(* FUN_LOCAL_FREE)( IN PVOID Address );
typedef PVOID(* FUN_GLOBAL_ALLOC) ( IN ULONG Flags, IN SIZE_T Size );
typedef PVOID(* FUN_GLOBAL_REALLOC) ( IN PVOID Address, IN SIZE_T Size, IN ULONG Flags );
typedef PVOID(* FUN_GLOBAL_FREE)( IN PVOID Address );
PVOIDAVrfpDphDllLocalAlloc ( IN ULONG Flags, IN SIZE_T Size ){ PVOID Block; FUN_LOCAL_ALLOC Original;
if (!(Flags & LMEM_MOVEABLE)) {
Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(RtlProcessHeap()), 0, Size);
if (Block && (Flags & LMEM_ZEROINIT)) { RtlZeroMemory (Block, Size); }
return Block; } else {
Original = (FUN_LOCAL_ALLOC)(AVrfpDphSnapRoutines[SNAP_ROUTINE_LOCALALLOC]); return (* Original) (Flags, Size); }}
PVOIDAVrfpDphDllLocalReAlloc ( IN PVOID Address, IN SIZE_T Size, IN ULONG Flags ){ PVOID Block; FUN_LOCAL_REALLOC Original;
if (!(Flags & LMEM_MOVEABLE)) {
Block = RtlpDebugPageHeapReAllocate ( BIAS_POINTER(RtlProcessHeap()), 0, Address, Size);
return Block; } else {
Original = (FUN_LOCAL_REALLOC)(AVrfpDphSnapRoutines[SNAP_ROUTINE_LOCALREALLOC]); return (* Original) (Address, Size, Flags); }}
PVOIDAVrfpDphDllLocalFree( IN PVOID Address ){ BOOLEAN Result; FUN_LOCAL_FREE Original;
if ((ULONG_PTR)Address & BASE_HANDLE_MARK_BIT) {
Original = (FUN_LOCAL_FREE)(AVrfpDphSnapRoutines[SNAP_ROUTINE_LOCALFREE]); return (* Original) (Address); } else {
Result = RtlpDebugPageHeapFree ( RtlProcessHeap(), 0, Address);
if (Result) { return NULL; } else { return Address; } }}
PVOIDAVrfpDphDllGlobalAlloc ( IN ULONG Flags, IN SIZE_T Size ){ PVOID Block; FUN_GLOBAL_ALLOC Original;
if (!(Flags & LMEM_MOVEABLE)) {
Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(RtlProcessHeap()), 0, Size);
if (Block && (Flags & LMEM_ZEROINIT)) { RtlZeroMemory (Block, Size); }
return Block; } else {
Original = (FUN_GLOBAL_ALLOC)(AVrfpDphSnapRoutines[SNAP_ROUTINE_GLOBALALLOC]); return (* Original) (Flags, Size); }}
PVOIDAVrfpDphDllGlobalReAlloc ( IN PVOID Address, IN SIZE_T Size, IN ULONG Flags ){ PVOID Block; FUN_GLOBAL_REALLOC Original;
if (!(Flags & LMEM_MOVEABLE)) {
Block = RtlpDebugPageHeapReAllocate ( BIAS_POINTER(RtlProcessHeap()), 0, Address, Size);
return Block; } else {
Original = (FUN_GLOBAL_REALLOC)(AVrfpDphSnapRoutines[SNAP_ROUTINE_GLOBALREALLOC]); return (* Original) (Address, Size, Flags); }}
PVOIDAVrfpDphDllGlobalFree( IN PVOID Address ){ BOOLEAN Result; FUN_GLOBAL_FREE Original;
if ((ULONG_PTR)Address & BASE_HANDLE_MARK_BIT) {
Original = (FUN_GLOBAL_FREE)(AVrfpDphSnapRoutines[SNAP_ROUTINE_GLOBALFREE]); return (* Original) (Address); } else {
Result = RtlpDebugPageHeapFree ( RtlProcessHeap(), 0, Address);
if (Result) { return NULL; } else { return Address; } }}
//
// malloc, calloc, realloc, free
//
PVOID __cdeclAVrfpDphDllmalloc ( IN SIZE_T Size ){ PVOID Block;
ASSERT(AVrfpDphMsvcrtHeap != NULL);
Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(AVrfpDphMsvcrtHeap), 0, Size);
return Block;}
PVOID __cdeclAVrfpDphDllcalloc ( IN SIZE_T Number, IN SIZE_T Size ){ PVOID Block;
ASSERT(AVrfpDphMsvcrtHeap != NULL);
Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(AVrfpDphMsvcrtHeap), 0, Size * Number);
if (Block) { RtlZeroMemory (Block, Size * Number); }
return Block;}
PVOID __cdeclAVrfpDphDllrealloc ( IN PVOID Address, IN SIZE_T Size ){ PVOID Block;
ASSERT(AVrfpDphMsvcrtHeap != NULL);
if (Address == NULL) {
Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(AVrfpDphMsvcrtHeap), 0, Size); } else {
Block = RtlpDebugPageHeapReAllocate ( BIAS_POINTER(AVrfpDphMsvcrtHeap), 0, Address, Size); }
return Block;}
VOID __cdeclAVrfpDphDllfree ( IN PVOID Address ){ ASSERT(AVrfpDphMsvcrtHeap != NULL);
RtlpDebugPageHeapFree ( AVrfpDphMsvcrtHeap, 0, Address);}
//
// operator new, delete
// operator new[], delete[]
//
PVOID __cdeclAVrfpDphDllNew ( IN SIZE_T Size ){ PVOID Block;
ASSERT(AVrfpDphMsvcrtHeap != NULL);
Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(AVrfpDphMsvcrtHeap), 0, Size);
return Block;}
VOID __cdeclAVrfpDphDllDelete ( IN PVOID Address ){ ASSERT(AVrfpDphMsvcrtHeap != NULL);
RtlpDebugPageHeapFree ( AVrfpDphMsvcrtHeap, 0, Address);}
PVOID __cdeclAVrfpDphDllNewArray ( IN SIZE_T Size ){ ASSERT(AVrfpDphMsvcrtHeap != NULL);
return RtlpDebugPageHeapAllocate ( BIAS_POINTER(AVrfpDphMsvcrtHeap), 0, Size);}
VOID __cdeclAVrfpDphDllDeleteArray ( IN PVOID Address ){ ASSERT(AVrfpDphMsvcrtHeap != NULL);
RtlpDebugPageHeapFree ( AVrfpDphMsvcrtHeap, 0, Address);}
//
// HeapCreate
//
typedef PVOID(* FUN_HEAP_CREATE) ( ULONG Options, SIZE_T InitialSize, SIZE_T MaximumSize );
PVOIDAVrfpDphDllHeapCreate ( ULONG Options, SIZE_T InitialSize, SIZE_T MaximumSize ){ PVOID Heap; FUN_HEAP_CREATE Original;
Original = (FUN_HEAP_CREATE)(AVrfpDphSnapRoutines[SNAP_ROUTINE_HEAPCREATE]); Heap = (* Original) (Options, InitialSize, MaximumSize);
AVrfpDphMsvcrtHeap = Heap; DbgPrint ("Page heap: detected CRT heap @ %p \n", AVrfpDphMsvcrtHeap);
return Heap;}
|
