archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/base/ntos/mm/verifier.c

7079 lines
182 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1989 Microsoft Corporation
  5. Module Name:
  7. verifier.c
  9. Abstract:
  11. This module contains the routines to verify the system kernel, HAL and
  12. drivers.
  14. Author:
  16. Landy Wang (landyw) 3-Sep-1998
  18. Revision History:
  20. --*/
  21. #include "mi.h"
  23. #define THUNKED_API
  25. THUNKED_API
  26. PVOID
  27. VerifierAllocatePool (
  28. IN POOL_TYPE PoolType,
  29. IN SIZE_T NumberOfBytes
  30. );
  32. THUNKED_API
  33. PVOID
  34. VerifierAllocatePoolWithTag (
  35. IN POOL_TYPE PoolType,
  36. IN SIZE_T NumberOfBytes,
  37. IN ULONG Tag
  38. );
  40. THUNKED_API
  41. PVOID
  42. VerifierAllocatePoolWithQuotaTag (
  43. IN POOL_TYPE PoolType,
  44. IN SIZE_T NumberOfBytes,
  45. IN ULONG Tag
  46. );
  48. THUNKED_API
  49. PVOID
  50. VerifierAllocatePoolWithTagPriority (
  51. IN POOL_TYPE PoolType,
  52. IN SIZE_T NumberOfBytes,
  53. IN ULONG Tag,
  54. IN EX_POOL_PRIORITY Priority
  55. );
  57. PVOID
  58. VeAllocatePoolWithTagPriority (
  59. IN POOL_TYPE PoolType,
  60. IN SIZE_T NumberOfBytes,
  61. IN ULONG Tag,
  62. IN EX_POOL_PRIORITY Priority,
  63. IN PVOID CallingAddress
  64. );
  66. VOID
  67. VerifierFreePool (
  68. IN PVOID P
  69. );
  71. THUNKED_API
  72. VOID
  73. VerifierFreePoolWithTag (
  74. IN PVOID P,
  75. IN ULONG TagToFree
  76. );
  78. THUNKED_API
  79. LONG
  80. VerifierSetEvent (
  81. IN PRKEVENT Event,
  82. IN KPRIORITY Increment,
  83. IN BOOLEAN Wait
  84. );
  86. THUNKED_API
  87. KIRQL
  88. FASTCALL
  89. VerifierKfRaiseIrql (
  90. IN KIRQL NewIrql
  91. );
  93. THUNKED_API
  94. KIRQL
  95. VerifierKeRaiseIrqlToDpcLevel (
  96. VOID
  97. );
  99. THUNKED_API
  100. VOID
  101. FASTCALL
  102. VerifierKfLowerIrql (
  103. IN KIRQL NewIrql
  104. );
  106. THUNKED_API
  107. VOID
  108. VerifierKeRaiseIrql (
  109. IN KIRQL NewIrql,
  110. OUT PKIRQL OldIrql
  111. );
  113. THUNKED_API
  114. VOID
  115. VerifierKeLowerIrql (
  116. IN KIRQL NewIrql
  117. );
  119. THUNKED_API
  120. VOID
  121. VerifierKeAcquireSpinLock (
  122. IN PKSPIN_LOCK SpinLock,
  123. OUT PKIRQL OldIrql
  124. );
  126. THUNKED_API
  127. VOID
  128. VerifierKeReleaseSpinLock (
  129. IN PKSPIN_LOCK SpinLock,
  130. IN KIRQL NewIrql
  131. );
  133. THUNKED_API
  134. VOID
  135. #if defined(_X86_)
  136. FASTCALL
  137. #endif
  138. VerifierKeAcquireSpinLockAtDpcLevel (
  139. IN PKSPIN_LOCK SpinLock
  140. );
  142. THUNKED_API
  143. VOID
  144. #if defined(_X86_)
  145. FASTCALL
  146. #endif
  147. VerifierKeReleaseSpinLockFromDpcLevel (
  148. IN PKSPIN_LOCK SpinLock
  149. );
  151. THUNKED_API
  152. KIRQL
  153. FASTCALL
  154. VerifierKfAcquireSpinLock (
  155. IN PKSPIN_LOCK SpinLock
  156. );
  158. THUNKED_API
  159. VOID
  160. FASTCALL
  161. VerifierKfReleaseSpinLock (
  162. IN PKSPIN_LOCK SpinLock,
  163. IN KIRQL NewIrql
  164. );
  166. #if !defined(_X86_)
  167. THUNKED_API
  168. KIRQL
  169. VerifierKeAcquireSpinLockRaiseToDpc (
  170. IN PKSPIN_LOCK SpinLock
  171. );
  172. #endif
  175. THUNKED_API
  176. VOID
  177. VerifierKeInitializeTimerEx (
  178. IN PKTIMER Timer,
  179. IN TIMER_TYPE Type
  180. );
  182. THUNKED_API
  183. VOID
  184. VerifierKeInitializeTimer (
  185. IN PKTIMER Timer
  186. );
  188. THUNKED_API
  189. BOOLEAN
  190. FASTCALL
  191. VerifierExTryToAcquireFastMutex (
  192. IN PFAST_MUTEX FastMutex
  193. );
  195. THUNKED_API
  196. VOID
  197. FASTCALL
  198. VerifierExAcquireFastMutex (
  199. IN PFAST_MUTEX FastMutex
  200. );
  202. THUNKED_API
  203. VOID
  204. FASTCALL
  205. VerifierExReleaseFastMutex (
  206. IN PFAST_MUTEX FastMutex
  207. );
  209. THUNKED_API
  210. VOID
  211. FASTCALL
  212. VerifierExAcquireFastMutexUnsafe (
  213. IN PFAST_MUTEX FastMutex
  214. );
  216. THUNKED_API
  217. VOID
  218. FASTCALL
  219. VerifierExReleaseFastMutexUnsafe (
  220. IN PFAST_MUTEX FastMutex
  221. );
  223. THUNKED_API
  224. BOOLEAN
  225. VerifierExAcquireResourceExclusiveLite (
  226. IN PERESOURCE Resource,
  227. IN BOOLEAN Wait
  228. );
  230. THUNKED_API
  231. VOID
  232. FASTCALL
  233. VerifierExReleaseResourceLite (
  234. IN PERESOURCE Resource
  235. );
  237. THUNKED_API
  238. KIRQL
  239. FASTCALL
  240. VerifierKeAcquireQueuedSpinLock (
  241. IN KSPIN_LOCK_QUEUE_NUMBER Number
  242. );
  244. THUNKED_API
  245. VOID
  246. FASTCALL
  247. VerifierKeReleaseQueuedSpinLock (
  248. IN KSPIN_LOCK_QUEUE_NUMBER Number,
  249. IN KIRQL OldIrql
  250. );
  252. THUNKED_API
  253. BOOLEAN
  254. VerifierSynchronizeExecution (
  255. IN PKINTERRUPT Interrupt,
  256. IN PKSYNCHRONIZE_ROUTINE SynchronizeRoutine,
  257. IN PVOID SynchronizeContext
  258. );
  260. THUNKED_API
  261. VOID
  262. VerifierProbeAndLockPages (
  263. IN OUT PMDL MemoryDescriptorList,
  264. IN KPROCESSOR_MODE AccessMode,
  265. IN LOCK_OPERATION Operation
  266. );
  268. THUNKED_API
  269. VOID
  270. VerifierProbeAndLockProcessPages (
  271. IN OUT PMDL MemoryDescriptorList,
  272. IN PEPROCESS Process,
  273. IN KPROCESSOR_MODE AccessMode,
  274. IN LOCK_OPERATION Operation
  275. );
  277. THUNKED_API
  278. VOID
  279. VerifierProbeAndLockSelectedPages (
  280. IN OUT PMDL MemoryDescriptorList,
  281. IN PFILE_SEGMENT_ELEMENT SegmentArray,
  282. IN KPROCESSOR_MODE AccessMode,
  283. IN LOCK_OPERATION Operation
  284. );
  286. VOID
  287. VerifierUnlockPages (
  288. IN OUT PMDL MemoryDescriptorList
  289. );
  291. VOID
  292. VerifierUnmapLockedPages (
  293. IN PVOID BaseAddress,
  294. IN PMDL MemoryDescriptorList
  295. );
  297. VOID
  298. VerifierUnmapIoSpace (
  299. IN PVOID BaseAddress,
  300. IN SIZE_T NumberOfBytes
  301. );
  303. THUNKED_API
  304. PVOID
  305. VerifierMapIoSpace (
  306. IN PHYSICAL_ADDRESS PhysicalAddress,
  307. IN SIZE_T NumberOfBytes,
  308. IN MEMORY_CACHING_TYPE CacheType
  309. );
  311. THUNKED_API
  312. PVOID
  313. VerifierMapLockedPages (
  314. IN PMDL MemoryDescriptorList,
  315. IN KPROCESSOR_MODE AccessMode
  316. );
  318. THUNKED_API
  319. PVOID
  320. VerifierMapLockedPagesSpecifyCache (
  321. IN PMDL MemoryDescriptorList,
  322. IN KPROCESSOR_MODE AccessMode,
  323. IN MEMORY_CACHING_TYPE CacheType,
  324. IN PVOID RequestedAddress,
  325. IN ULONG BugCheckOnFailure,
  326. IN MM_PAGE_PRIORITY Priority
  327. );
  329. THUNKED_API
  330. NTSTATUS
  331. VerifierKeWaitForSingleObject (
  332. IN PVOID Object,
  333. IN KWAIT_REASON WaitReason,
  334. IN KPROCESSOR_MODE WaitMode,
  335. IN BOOLEAN Alertable,
  336. IN PLARGE_INTEGER Timeout OPTIONAL
  337. );
  339. THUNKED_API
  340. LONG
  341. VerifierKeReleaseMutex (
  342. IN PRKMUTEX Mutex,
  343. IN BOOLEAN Wait
  344. );
  346. THUNKED_API
  347. VOID
  348. VerifierKeInitializeMutex (
  349. IN PRKMUTEX Mutex,
  350. IN ULONG Level
  351. );
  353. THUNKED_API
  354. LONG
  355. VerifierKeReleaseMutant(
  356. IN PRKMUTANT Mutant,
  357. IN KPRIORITY Increment,
  358. IN BOOLEAN Abandoned,
  359. IN BOOLEAN Wait
  360. );
  362. THUNKED_API
  363. VOID
  364. VerifierKeInitializeMutant(
  365. IN PRKMUTANT Mutant,
  366. IN BOOLEAN InitialOwner
  367. );
  369. THUNKED_API
  370. VOID
  371. VerifierKeInitializeSpinLock (
  372. IN PKSPIN_LOCK SpinLock
  373. );
  375. VOID
  376. ViCheckMdlPages (
  377. IN PMDL MemoryDescriptorList,
  378. IN MEMORY_CACHING_TYPE CacheType
  379. );
  381. VOID
  382. ViFreeTrackedPool (
  383. IN PVOID VirtualAddress,
  384. IN SIZE_T ChargedBytes,
  385. IN LOGICAL CheckType,
  386. IN LOGICAL SpecialPool
  387. );
  389. VOID
  390. VerifierFreeTrackedPool (
  391. IN PVOID VirtualAddress,
  392. IN SIZE_T ChargedBytes,
  393. IN LOGICAL CheckType,
  394. IN LOGICAL SpecialPool
  395. );
  397. VOID
  398. ViPrintString (
  399. IN PUNICODE_STRING DriverName
  400. );
  402. LOGICAL
  403. ViInjectResourceFailure (
  404. VOID
  405. );
  407. VOID
  408. ViTrimAllSystemPagableMemory (
  409. VOID
  410. );
  412. VOID
  413. ViInitializeEntry (
  414. IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
  415. IN LOGICAL FirstLoad
  416. );
  418. LOGICAL
  419. ViReservePoolAllocation (
  420. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  421. );
  423. ULONG_PTR
  424. ViInsertPoolAllocation (
  425. IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
  426. IN PVOID VirtualAddress,
  427. IN PVOID CallingAddress,
  428. IN SIZE_T NumberOfBytes,
  429. IN ULONG Tag
  430. );
  432. VOID
  433. ViCancelPoolAllocation (
  434. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  435. );
  437. VOID
  438. ViReleasePoolAllocation (
  439. IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
  440. IN PVOID VirtualAddress,
  441. IN ULONG_PTR ListIndex,
  442. IN SIZE_T ChargedBytes
  443. );
  445. VOID
  446. KfSanityCheckRaiseIrql (
  447. IN KIRQL NewIrql
  448. );
  450. VOID
  451. KfSanityCheckLowerIrql (
  452. IN KIRQL NewIrql
  453. );
  455. NTSTATUS
  456. VerifierReferenceObjectByHandle (
  457. IN HANDLE Handle,
  458. IN ACCESS_MASK DesiredAccess,
  459. IN POBJECT_TYPE ObjectType OPTIONAL,
  460. IN KPROCESSOR_MODE AccessMode,
  461. OUT PVOID *Object,
  462. OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
  463. );
  465. MM_DRIVER_VERIFIER_DATA MmVerifierData;
  467. //
  468. // Any flags which can be modified on the fly without rebooting are set here.
  469. //
  471. ULONG VerifierModifyableOptions;
  472. ULONG VerifierOptionChanges;
  474. LIST_ENTRY MiSuspectDriverList;
  476. LOGICAL MiVerifyAllDrivers;
  478. WCHAR MiVerifyRandomDrivers;
  480. ULONG MiActiveVerifies;
  482. ULONG MiActiveVerifierThunks;
  484. ULONG MiNoPageOnRaiseIrql;
  486. ULONG MiVerifierStackProtectTime;
  488. LOGICAL MmDontVerifyRandomDrivers = TRUE;
  490. LOGICAL VerifierSystemSufficientlyBooted;
  492. LARGE_INTEGER VerifierRequiredTimeSinceBoot = {(ULONG)(40 * 1000 * 1000 * 10), 1};
  494. LOGICAL VerifierIsTrackingPool = FALSE;
  496. KSPIN_LOCK VerifierListLock;
  498. KSPIN_LOCK VerifierPoolLock;
  500. FAST_MUTEX VerifierPoolMutex;
  502. PRTL_BITMAP VerifierLargePagedPoolMap;
  504. LIST_ENTRY MiVerifierDriverAddedThunkListHead;
  506. extern LOGICAL MmSpecialPoolCatchOverruns;
  508. LOGICAL KernelVerifier = FALSE;
  510. ULONG KernelVerifierTickPage = 0x7;
  512. ULONG MiVerifierThunksAdded;
  514. PDRIVER_VERIFIER_THUNK_ROUTINE
  515. MiResolveVerifierExports (
  516. IN PLOADER_PARAMETER_BLOCK LoaderBlock,
  517. IN PCHAR PristineName
  518. );
  520. LOGICAL
  521. MiEnableVerifier (
  522. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  523. );
  525. LOGICAL
  526. MiReEnableVerifier (
  527. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  528. );
  530. VOID
  531. ViInsertVerifierEntry (
  532. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  533. );
  535. PVOID
  536. ViPostPoolAllocation (
  537. IN PVOID VirtualAddress,
  538. IN SIZE_T NumberOfBytes,
  539. IN POOL_TYPE PoolType,
  540. IN ULONG Tag,
  541. IN PVOID CallingAddress
  542. );
  544. PMI_VERIFIER_DRIVER_ENTRY
  545. ViLocateVerifierEntry (
  546. IN PVOID SystemAddress
  547. );
  549. VOID
  550. MiVerifierCheckThunks (
  551. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  552. );
  554. //
  555. // Track irqls functions
  556. //
  558. VOID
  559. ViTrackIrqlInitialize (
  560. );
  562. VOID
  563. ViTrackIrqlLog (
  564. IN KIRQL CurrentIrql,
  565. IN KIRQL NewIrql
  566. );
  568. //
  569. // Fault injection stack trace log
  570. //
  572. #if defined(_X86_)
  574. VOID
  575. ViFaultTracesInitialize (
  576. );
  578. VOID
  579. ViFaultTracesLog (
  580. );
  582. #endif
  586. #ifdef ALLOC_PRAGMA
  587. #pragma alloc_text(INIT,MiInitializeDriverVerifierList)
  588. #pragma alloc_text(INIT,MiInitializeVerifyingComponents)
  589. #pragma alloc_text(INIT,ViTrackIrqlInitialize)
  590. #pragma alloc_text(INIT,MiResolveVerifierExports)
  591. #if defined(_X86_)
  592. #pragma alloc_text(INIT,MiEnableKernelVerifier)
  593. #pragma alloc_text(INIT,ViFaultTracesInitialize)
  594. #endif
  595. #pragma alloc_text(PAGE,MiApplyDriverVerifier)
  596. #pragma alloc_text(PAGE,MiEnableVerifier)
  597. #pragma alloc_text(INIT,MiReEnableVerifier)
  598. #pragma alloc_text(PAGE,ViPrintString)
  599. #pragma alloc_text(PAGE,MmGetVerifierInformation)
  600. #pragma alloc_text(PAGE,MmSetVerifierInformation)
  601. #pragma alloc_text(PAGE,MmAddVerifierThunks)
  602. #pragma alloc_text(PAGE,MmIsVerifierEnabled)
  603. #pragma alloc_text(PAGE,MiVerifierCheckThunks)
  604. #pragma alloc_text(PAGEVRFY,MiVerifyingDriverUnloading)
  606. #pragma alloc_text(PAGE,MmAddVerifierEntry)
  607. #pragma alloc_text(PAGE,MmRemoveVerifierEntry)
  608. #pragma alloc_text(INIT,MiReApplyVerifierToLoadedModules)
  609. #pragma alloc_text(PAGEVRFY,VerifierProbeAndLockPages)
  610. #pragma alloc_text(PAGEVRFY,VerifierProbeAndLockProcessPages)
  611. #pragma alloc_text(PAGEVRFY,VerifierProbeAndLockSelectedPages)
  612. #pragma alloc_text(PAGEVRFY,VerifierUnlockPages)
  613. #pragma alloc_text(PAGEVRFY,VerifierMapIoSpace)
  614. #pragma alloc_text(PAGEVRFY,VerifierMapLockedPages)
  615. #pragma alloc_text(PAGEVRFY,VerifierMapLockedPagesSpecifyCache)
  616. #pragma alloc_text(PAGEVRFY,VerifierUnmapLockedPages)
  617. #pragma alloc_text(PAGEVRFY,VerifierUnmapIoSpace)
  618. #pragma alloc_text(PAGEVRFY,VerifierAllocatePool)
  619. #pragma alloc_text(PAGEVRFY,VerifierAllocatePoolWithTag)
  620. #pragma alloc_text(PAGEVRFY,VerifierAllocatePoolWithTagPriority)
  621. #pragma alloc_text(PAGEVRFY,VerifierAllocatePoolWithQuotaTag)
  622. #pragma alloc_text(PAGEVRFY,VerifierFreePool)
  623. #pragma alloc_text(PAGEVRFY,VerifierFreePoolWithTag)
  624. #pragma alloc_text(PAGEVRFY,VerifierKeWaitForSingleObject)
  625. #pragma alloc_text(PAGEVRFY,VerifierKfRaiseIrql)
  626. #pragma alloc_text(PAGEVRFY,VerifierKeRaiseIrqlToDpcLevel)
  627. #pragma alloc_text(PAGEVRFY,VerifierKfLowerIrql)
  628. #pragma alloc_text(PAGEVRFY,VerifierKeRaiseIrql)
  629. #pragma alloc_text(PAGEVRFY,VerifierKeLowerIrql)
  630. #pragma alloc_text(PAGEVRFY,VerifierKeAcquireSpinLock)
  631. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseSpinLock)
  632. #pragma alloc_text(PAGEVRFY,VerifierKeAcquireSpinLockAtDpcLevel)
  633. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseSpinLockFromDpcLevel)
  634. #pragma alloc_text(PAGEVRFY,VerifierKfAcquireSpinLock)
  635. #pragma alloc_text(PAGEVRFY,VerifierKfReleaseSpinLock)
  636. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeTimer)
  637. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeTimerEx)
  638. #pragma alloc_text(PAGEVRFY,VerifierExTryToAcquireFastMutex)
  639. #pragma alloc_text(PAGEVRFY,VerifierExAcquireFastMutex)
  640. #pragma alloc_text(PAGEVRFY,VerifierExReleaseFastMutex)
  641. #pragma alloc_text(PAGEVRFY,VerifierExAcquireFastMutexUnsafe)
  642. #pragma alloc_text(PAGEVRFY,VerifierExReleaseFastMutexUnsafe)
  643. #pragma alloc_text(PAGEVRFY,VerifierExAcquireResourceExclusiveLite)
  644. #pragma alloc_text(PAGEVRFY,VerifierExReleaseResourceLite)
  645. #pragma alloc_text(PAGEVRFY,VerifierKeAcquireQueuedSpinLock)
  646. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseQueuedSpinLock)
  647. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseMutex)
  648. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeMutex)
  649. #pragma alloc_text(PAGEVRFY,VerifierKeReleaseMutant)
  650. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeMutant)
  651. #pragma alloc_text(PAGEVRFY,VerifierKeInitializeSpinLock)
  652. #pragma alloc_text(PAGEVRFY,VerifierSynchronizeExecution)
  653. #pragma alloc_text(PAGEVRFY,VerifierReferenceObjectByHandle)
  654. #pragma alloc_text(PAGEVRFY,VerifierSetEvent)
  656. #pragma alloc_text(PAGEVRFY,ViFreeTrackedPool)
  658. #pragma alloc_text(PAGEVRFY,VeAllocatePoolWithTagPriority)
  659. #pragma alloc_text(PAGEVRFY,ViCheckMdlPages)
  660. #pragma alloc_text(PAGEVRFY,ViInsertVerifierEntry)
  661. #pragma alloc_text(PAGEVRFY,ViLocateVerifierEntry)
  662. #pragma alloc_text(PAGEVRFY,ViPostPoolAllocation)
  663. #pragma alloc_text(PAGEVRFY,ViInjectResourceFailure)
  664. #pragma alloc_text(PAGEVRFY,ViTrimAllSystemPagableMemory)
  665. #pragma alloc_text(PAGEVRFY,ViInitializeEntry)
  666. #pragma alloc_text(PAGEVRFY,ViReservePoolAllocation)
  667. #pragma alloc_text(PAGEVRFY,ViInsertPoolAllocation)
  668. #pragma alloc_text(PAGEVRFY,ViCancelPoolAllocation)
  669. #pragma alloc_text(PAGEVRFY,ViReleasePoolAllocation)
  670. #pragma alloc_text(PAGEVRFY,KfSanityCheckRaiseIrql)
  671. #pragma alloc_text(PAGEVRFY,KfSanityCheckLowerIrql)
  672. #pragma alloc_text(PAGEVRFY,ViTrackIrqlLog)
  674. #if defined(_X86_)
  675. #pragma alloc_text(PAGEVRFY,ViFaultTracesLog)
  676. #endif
  678. #if !defined(_X86_)
  679. #pragma alloc_text(PAGEVRFY,VerifierKeAcquireSpinLockRaiseToDpc)
  680. #endif
  682. #endif
  684. typedef struct _VERIFIER_THUNKS {
  685. union {
  686. PCHAR PristineRoutineAsciiName;
  688. //
  689. // The actual pristine routine address is derived from exports
  690. //
  692. PDRIVER_VERIFIER_THUNK_ROUTINE PristineRoutine;
  693. };
  694. PDRIVER_VERIFIER_THUNK_ROUTINE NewRoutine;
  695. } VERIFIER_THUNKS, *PVERIFIER_THUNKS;
  697. extern const VERIFIER_THUNKS MiVerifierThunks[];
  698. extern const VERIFIER_THUNKS MiVerifierPoolThunks[];
  700. #if defined (_X86_)
  702. #define VI_KE_RAISE_IRQL 0
  703. #define VI_KE_LOWER_IRQL 1
  704. #define VI_KE_ACQUIRE_SPINLOCK 2
  705. #define VI_KE_RELEASE_SPINLOCK 3
  706. #define VI_KF_RAISE_IRQL 4
  707. #define VI_KE_RAISE_IRQL_TO_DPC_LEVEL 5
  708. #define VI_KF_LOWER_IRQL 6
  709. #define VI_KF_ACQUIRE_SPINLOCK 7
  710. #define VI_KF_RELEASE_SPINLOCK 8
  711. #define VI_KE_ACQUIRE_QUEUED_SPINLOCK 9
  712. #define VI_KE_RELEASE_QUEUED_SPINLOCK 10
  714. #define VI_HALMAX 11
  716. PVOID MiKernelVerifierOriginalCalls[VI_HALMAX];
  718. #endif
  720. //
  721. // Track irql package declarations
  722. //
  724. #define VI_TRACK_IRQL_TRACE_LENGTH 5
  726. typedef struct _VI_TRACK_IRQL {
  728. PVOID Thread;
  729. KIRQL OldIrql;
  730. KIRQL NewIrql;
  731. UCHAR Processor;
  732. ULONG TickCount;
  733. PVOID StackTrace [VI_TRACK_IRQL_TRACE_LENGTH];
  735. } VI_TRACK_IRQL, *PVI_TRACK_IRQL;
  737. PVI_TRACK_IRQL ViTrackIrqlQueue;
  738. ULONG ViTrackIrqlIndex;
  739. ULONG ViTrackIrqlQueueLength = 128;
  741. VOID
  742. ViTrackIrqlInitialize (
  743. )
  744. {
  745. ULONG Length;
  746. ULONG Round;
  748. //
  749. // Round up length to a power of two and prepare
  750. // mask for the length.
  751. //
  753. Length = ViTrackIrqlQueueLength;
  755. if (Length > 0x10000) {
  756. Length = 0x10000;
  757. }
  759. for (Round = 0x10000; Round != 0; Round >>= 1) {
  761. if (Length == Round) {
  762. break;
  763. }
  764. else if ((Length & Round) == Round) {
  765. Length = (Round << 1);
  766. break;
  767. }
  768. }
  770. ViTrackIrqlQueueLength = Length;
  772. //
  773. // Note POOL_DRIVER_MASK must be set to stop the recursion loop
  774. // when using the kernel verifier.
  775. //
  777. ViTrackIrqlQueue = ExAllocatePoolWithTagPriority (
  778. NonPagedPool | POOL_DRIVER_MASK,
  779. ViTrackIrqlQueueLength * sizeof (VI_TRACK_IRQL),
  780. 'lqrI',
  781. HighPoolPriority);
  782. }
  784. VOID
  785. ViTrackIrqlLog (
  786. IN KIRQL CurrentIrql,
  787. IN KIRQL NewIrql
  788. )
  789. {
  790. PVI_TRACK_IRQL Information;
  791. LARGE_INTEGER TimeStamp;
  792. ULONG Index;
  793. ULONG Hash;
  795. ASSERT (ViTrackIrqlQueue != NULL);
  797. if (CurrentIrql > DISPATCH_LEVEL || NewIrql > DISPATCH_LEVEL) {
  798. return;
  799. }
  801. //
  802. // Get a slot to write into.
  803. //
  805. Index = InterlockedIncrement((PLONG)&ViTrackIrqlIndex);
  806. Index &= (ViTrackIrqlQueueLength - 1);
  808. //
  809. // Capture information.
  810. //
  812. Information = &(ViTrackIrqlQueue[Index]);
  814. Information->Thread = KeGetCurrentThread();
  815. Information->OldIrql = CurrentIrql;
  816. Information->NewIrql = NewIrql;
  817. Information->Processor = (UCHAR)(KeGetCurrentProcessorNumber());
  818. KeQueryTickCount(&TimeStamp);
  819. Information->TickCount = TimeStamp.LowPart;
  821. RtlCaptureStackBackTrace (2,
  822. VI_TRACK_IRQL_TRACE_LENGTH,
  823. Information->StackTrace,
  824. &Hash);
  825. }
  827. //
  828. // Detect the caller of the current function in an architecture
  829. // dependent way.
  830. //
  832. #define VI_DETECT_RETURN_ADDRESS(Caller) { \
  833. PVOID CallersCaller; \
  834. RtlGetCallersAddress(&Caller, &CallersCaller); \
  835. }
  837. //
  838. // Fault injection stack trace log.
  839. //
  841. #define VI_FAULT_TRACE_LENGTH 8
  843. typedef struct _VI_FAULT_TRACE {
  845. PVOID StackTrace [VI_FAULT_TRACE_LENGTH];
  847. } VI_FAULT_TRACE, *PVI_FAULT_TRACE;
  849. PVI_FAULT_TRACE ViFaultTraces;
  850. ULONG ViFaultTracesIndex;
  851. ULONG ViFaultTracesLength = 128;
  853. VOID
  854. ViFaultTracesInitialize (
  855. VOID
  856. )
  857. {
  858. //
  859. // Note POOL_DRIVER_MASK must be set to stop the recursion loop
  860. // when using the kernel verifier.
  861. //
  863. ViFaultTraces = ExAllocatePoolWithTagPriority (
  864. NonPagedPool | POOL_DRIVER_MASK,
  865. ViFaultTracesLength * sizeof (VI_FAULT_TRACE),
  866. 'ttlF',
  867. HighPoolPriority);
  868. }
  870. VOID
  871. ViFaultTracesLog (
  872. VOID
  873. )
  874. {
  875. PVI_FAULT_TRACE Information;
  876. ULONG Hash;
  877. ULONG Index;
  879. //
  880. // Sanity check
  881. //
  883. if (ViFaultTraces == NULL) {
  884. return;
  885. }
  887. //
  888. // Get slot to write into.
  889. //
  891. Index = InterlockedIncrement ((PLONG)&ViFaultTracesIndex);
  892. Index &= (ViFaultTracesLength - 1);
  894. //
  895. // Capture information. Even if we lose performance it is
  896. // worth zeroing the trace buffer to avoid confusing people
  897. // if old traces get merged with new ones. This zeroing
  898. // will happen only if we actually inject a failure.
  899. //
  901. Information = &(ViFaultTraces[Index]);
  903. RtlZeroMemory (Information, sizeof (VI_FAULT_TRACE));
  905. RtlCaptureStackBackTrace (2,
  906. VI_FAULT_TRACE_LENGTH,
  907. Information->StackTrace,
  908. &Hash);
  909. }
  911. //
  912. // Don't fail any requests in the first 7 or 8 minutes as we want to
  913. // give the system enough time to boot.
  914. //
  915. #define MI_CHECK_UPTIME() \
  916. if (VerifierSystemSufficientlyBooted == FALSE) { \
  917. LARGE_INTEGER _CurrentTime; \
  918. KeQuerySystemTime (&_CurrentTime); \
  919. if (_CurrentTime.QuadPart > KeBootTime.QuadPart + VerifierRequiredTimeSinceBoot.QuadPart) { \
  920. VerifierSystemSufficientlyBooted = TRUE; \
  921. } \
  922. }
  924. THUNKED_API
  925. VOID
  926. VerifierProbeAndLockPages (
  927. IN OUT PMDL MemoryDescriptorList,
  928. IN KPROCESSOR_MODE AccessMode,
  929. IN LOCK_OPERATION Operation
  930. )
  931. {
  932. ULONG i;
  933. KIRQL CurrentIrql;
  934. PPFN_NUMBER Page;
  935. PVOID StartingVa;
  936. LOGICAL ValidPfn;
  937. PFN_NUMBER NumberOfPages;
  938. PEPROCESS CurrentProcess;
  939. PLIST_ENTRY NextEntry;
  940. PPFN_NUMBER LastPage;
  941. PMI_PHYSICAL_VIEW PhysicalView;
  943. CurrentIrql = KeGetCurrentIrql();
  944. if (CurrentIrql > DISPATCH_LEVEL) {
  945. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  946. 0x70,
  947. CurrentIrql,
  948. (ULONG_PTR)MemoryDescriptorList,
  949. (ULONG_PTR)AccessMode);
  950. }
  952. if (ViInjectResourceFailure () == TRUE) {
  953. ExRaiseStatus (STATUS_WORKING_SET_QUOTA);
  954. }
  956. MmProbeAndLockPages (MemoryDescriptorList, AccessMode, Operation);
  958. //
  959. // Every page that has been probed and locked must have a PFN with the
  960. // exception of physical section mappings.
  961. //
  963. Page = (PPFN_NUMBER)(MemoryDescriptorList + 1);
  964. StartingVa = (PVOID)((PCHAR)MemoryDescriptorList->StartVa +
  965. MemoryDescriptorList->ByteOffset);
  967. NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES(StartingVa,
  968. MemoryDescriptorList->ByteCount);
  970. LastPage = Page + NumberOfPages;
  972. ASSERT (NumberOfPages != 0);
  974. LOCK_PFN2 (CurrentIrql);
  976. do {
  978. if (*Page == MM_EMPTY_LIST) {
  980. //
  981. // There are no more locked pages.
  982. //
  984. break;
  985. }
  987. ValidPfn = FALSE;
  988. for (i = 0; i < MmPhysicalMemoryBlock->NumberOfRuns; i += 1) {
  989. if ((*Page >= MmPhysicalMemoryBlock->Run[i].BasePage) &&
  990. (*Page <= MmPhysicalMemoryBlock->Run[i].BasePage +
  991. MmPhysicalMemoryBlock->Run[i].PageCount)) {
  993. //
  994. // A valid PFN exists for this page, march to the next one.
  995. //
  997. ValidPfn = TRUE;
  998. break;
  999. }
  1000. }
  1002. if (ValidPfn == FALSE) {
  1004. CurrentProcess = PsGetCurrentProcess ();
  1006. //
  1007. // Check for a transfer to/from a physical VAD - these are
  1008. // allowed to have no backing PFNs.
  1009. //
  1011. if ((StartingVa <= MM_HIGHEST_USER_ADDRESS) &&
  1012. (CurrentProcess->Flags & PS_PROCESS_FLAGS_HAS_PHYSICAL_VAD)) {
  1014. //
  1015. // This process has a physical VAD which maps directly to RAM
  1016. // not necessarily present in the PFN database. See if the
  1017. // MDL request intersects this physical VAD.
  1018. //
  1020. NextEntry = CurrentProcess->PhysicalVadList.Flink;
  1021. while (NextEntry != &CurrentProcess->PhysicalVadList) {
  1023. PhysicalView = CONTAINING_RECORD(NextEntry,
  1024. MI_PHYSICAL_VIEW,
  1025. ListEntry);
  1027. if ((PhysicalView->Vad->u.VadFlags.PhysicalMapping == 1) &&
  1028. (StartingVa >= (PVOID)PhysicalView->StartVa) &&
  1029. (StartingVa <= (PVOID)PhysicalView->EndVa)) {
  1031. ValidPfn = TRUE;
  1032. break;
  1033. }
  1034. NextEntry = NextEntry->Flink;
  1035. }
  1036. }
  1038. if (ValidPfn == FALSE) {
  1040. //
  1041. // The MDL being probed has no backing PFNs and it was not
  1042. // a user physical VAD. This means that PFN entries had their
  1043. // reference counts bumped, but since they don't exist, random
  1044. // physical pages just got what are going to usually look
  1045. // like single bit errors. This is bad.
  1046. //
  1048. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1049. 0x6F,
  1050. (ULONG_PTR)MemoryDescriptorList,
  1051. (ULONG_PTR)(*Page),
  1052. (ULONG_PTR)MmHighestPhysicalPage);
  1053. }
  1054. break;
  1055. }
  1057. Page += 1;
  1058. } while (Page < LastPage);
  1060. UNLOCK_PFN2 (CurrentIrql);
  1061. }
  1063. THUNKED_API
  1064. VOID
  1065. VerifierProbeAndLockProcessPages (
  1066. IN OUT PMDL MemoryDescriptorList,
  1067. IN PEPROCESS Process,
  1068. IN KPROCESSOR_MODE AccessMode,
  1069. IN LOCK_OPERATION Operation
  1070. )
  1071. {
  1072. KIRQL CurrentIrql;
  1074. CurrentIrql = KeGetCurrentIrql();
  1075. if (CurrentIrql > DISPATCH_LEVEL) {
  1076. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1077. 0x71,
  1078. CurrentIrql,
  1079. (ULONG_PTR)MemoryDescriptorList,
  1080. (ULONG_PTR)Process);
  1081. }
  1083. if (ViInjectResourceFailure () == TRUE) {
  1084. ExRaiseStatus (STATUS_WORKING_SET_QUOTA);
  1085. }
  1087. MmProbeAndLockProcessPages (MemoryDescriptorList,
  1088. Process,
  1089. AccessMode,
  1090. Operation);
  1091. }
  1093. THUNKED_API
  1094. VOID
  1095. VerifierProbeAndLockSelectedPages (
  1096. IN OUT PMDL MemoryDescriptorList,
  1097. IN PFILE_SEGMENT_ELEMENT SegmentArray,
  1098. IN KPROCESSOR_MODE AccessMode,
  1099. IN LOCK_OPERATION Operation
  1100. )
  1101. {
  1102. KIRQL CurrentIrql;
  1104. CurrentIrql = KeGetCurrentIrql();
  1105. if (CurrentIrql > APC_LEVEL) {
  1106. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1107. 0x72,
  1108. CurrentIrql,
  1109. (ULONG_PTR)MemoryDescriptorList,
  1110. (ULONG_PTR)AccessMode);
  1111. }
  1113. if (ViInjectResourceFailure () == TRUE) {
  1114. ExRaiseStatus (STATUS_WORKING_SET_QUOTA);
  1115. }
  1117. MmProbeAndLockSelectedPages (MemoryDescriptorList,
  1118. SegmentArray,
  1119. AccessMode,
  1120. Operation);
  1121. }
  1123. THUNKED_API
  1124. PVOID
  1125. VerifierMapIoSpace (
  1126. IN PHYSICAL_ADDRESS PhysicalAddress,
  1127. IN SIZE_T NumberOfBytes,
  1128. IN MEMORY_CACHING_TYPE CacheType
  1129. )
  1130. {
  1131. KIRQL CurrentIrql;
  1132. ULONG Hint;
  1133. PMMPFN Pfn1;
  1134. PFN_NUMBER NumberOfPages;
  1135. PFN_NUMBER PageFrameIndex;
  1137. CurrentIrql = KeGetCurrentIrql ();
  1138. if (CurrentIrql > DISPATCH_LEVEL) {
  1139. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1140. 0x73,
  1141. CurrentIrql,
  1142. (ULONG_PTR)PhysicalAddress.LowPart,
  1143. NumberOfBytes);
  1144. }
  1146. //
  1147. // See if the first frame is in the PFN database and if so, they all must
  1148. // be.
  1149. //
  1151. Hint = 0;
  1152. PageFrameIndex = (PFN_NUMBER)(PhysicalAddress.QuadPart >> PAGE_SHIFT);
  1154. if (MiIsPhysicalMemoryAddress (PageFrameIndex, &Hint, TRUE) == TRUE) {
  1156. Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
  1158. NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES (PhysicalAddress.LowPart,
  1159. NumberOfBytes);
  1161. do {
  1163. //
  1164. // Each frame better be locked down already. Bugcheck if not.
  1165. //
  1167. if ((Pfn1->u3.e2.ReferenceCount != 0) ||
  1168. ((Pfn1->u3.e1.Rom == 1) && ((CacheType & 0xFF) == MmCached))) {
  1170. NOTHING;
  1171. }
  1172. else {
  1173. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1174. 0x83,
  1175. (ULONG_PTR)PhysicalAddress.LowPart,
  1176. NumberOfBytes,
  1177. (ULONG_PTR)(Pfn1 - MmPfnDatabase));
  1178. }
  1180. if (Pfn1->u3.e1.CacheAttribute == MiNotMapped) {
  1182. //
  1183. // This better be for a page allocated with
  1184. // MmAllocatePagesForMdl. Otherwise it might be a
  1185. // page on the freelist which could subsequently be
  1186. // given out with a different attribute !
  1187. //
  1189. if ((Pfn1->u4.PteFrame == MI_MAGIC_AWE_PTEFRAME) ||
  1190. #if defined (_MI_MORE_THAN_4GB_)
  1191. (Pfn1->u4.PteFrame == MI_MAGIC_4GB_RECLAIM) ||
  1192. #endif
  1193. (Pfn1->PteAddress == (PVOID) (ULONG_PTR)(X64K | 0x1))) {
  1195. NOTHING;
  1196. }
  1197. else {
  1198. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1199. 0x84,
  1200. (ULONG_PTR)PhysicalAddress.LowPart,
  1201. NumberOfBytes,
  1202. (ULONG_PTR)(Pfn1 - MmPfnDatabase));
  1203. }
  1204. }
  1205. Pfn1 += 1;
  1206. NumberOfPages -= 1;
  1207. } while (NumberOfPages != 0);
  1208. }
  1210. if (ViInjectResourceFailure () == TRUE) {
  1211. return NULL;
  1212. }
  1214. return MmMapIoSpace (PhysicalAddress, NumberOfBytes, CacheType);
  1215. }
  1217. VOID
  1218. ViCheckMdlPages (
  1219. IN PMDL MemoryDescriptorList,
  1220. IN MEMORY_CACHING_TYPE CacheType
  1221. )
  1222. {
  1223. PMMPFN Pfn1;
  1224. PFN_NUMBER NumberOfPages;
  1225. PPFN_NUMBER Page;
  1226. PPFN_NUMBER LastPage;
  1227. PVOID StartingVa;
  1229. ASSERT ((MemoryDescriptorList->MdlFlags & MDL_IO_SPACE) == 0);
  1231. StartingVa = (PVOID)((PCHAR)MemoryDescriptorList->StartVa +
  1232. MemoryDescriptorList->ByteOffset);
  1234. Page = (PPFN_NUMBER)(MemoryDescriptorList + 1);
  1235. NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES (StartingVa,
  1236. MemoryDescriptorList->ByteCount);
  1237. LastPage = Page + NumberOfPages;
  1239. do {
  1241. if (*Page == MM_EMPTY_LIST) {
  1242. break;
  1243. }
  1245. Pfn1 = MI_PFN_ELEMENT (*Page);
  1247. //
  1248. // Each frame better be locked down already. Bugcheck if not.
  1249. //
  1251. if ((Pfn1->u3.e2.ReferenceCount != 0) ||
  1252. ((Pfn1->u3.e1.Rom == 1) && (CacheType == MmCached))) {
  1254. NOTHING;
  1255. }
  1256. else {
  1257. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1258. 0x85,
  1259. (ULONG_PTR)MemoryDescriptorList,
  1260. NumberOfPages,
  1261. (ULONG_PTR)(Pfn1 - MmPfnDatabase));
  1262. }
  1264. if (Pfn1->u3.e1.CacheAttribute == MiNotMapped) {
  1266. //
  1267. // This better be for a page allocated with
  1268. // MmAllocatePagesForMdl. Otherwise it might be a
  1269. // page on the freelist which could subsequently be
  1270. // given out with a different attribute !
  1271. //
  1273. if ((Pfn1->u4.PteFrame == MI_MAGIC_AWE_PTEFRAME) ||
  1274. #if defined (_MI_MORE_THAN_4GB_)
  1275. (Pfn1->u4.PteFrame == MI_MAGIC_4GB_RECLAIM) ||
  1276. #endif
  1277. (Pfn1->PteAddress == (PVOID) (ULONG_PTR)(X64K | 0x1))) {
  1279. NOTHING;
  1280. }
  1281. else {
  1282. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1283. 0x86,
  1284. (ULONG_PTR)MemoryDescriptorList,
  1285. NumberOfPages,
  1286. (ULONG_PTR)(Pfn1 - MmPfnDatabase));
  1287. }
  1288. }
  1290. Page += 1;
  1291. } while (Page < LastPage);
  1292. }
  1294. THUNKED_API
  1295. PVOID
  1296. VerifierMapLockedPages (
  1297. IN PMDL MemoryDescriptorList,
  1298. IN KPROCESSOR_MODE AccessMode
  1299. )
  1300. {
  1301. KIRQL CurrentIrql;
  1303. CurrentIrql = KeGetCurrentIrql();
  1305. if (AccessMode == KernelMode) {
  1306. if (CurrentIrql > DISPATCH_LEVEL) {
  1307. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1308. 0x74,
  1309. CurrentIrql,
  1310. (ULONG_PTR)MemoryDescriptorList,
  1311. (ULONG_PTR)AccessMode);
  1312. }
  1313. }
  1314. else {
  1315. if (CurrentIrql > APC_LEVEL) {
  1316. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1317. 0x75,
  1318. CurrentIrql,
  1319. (ULONG_PTR)MemoryDescriptorList,
  1320. (ULONG_PTR)AccessMode);
  1321. }
  1322. }
  1324. if ((MemoryDescriptorList->MdlFlags & MDL_IO_SPACE) == 0) {
  1325. ViCheckMdlPages (MemoryDescriptorList, MmCached);
  1326. }
  1328. if ((MemoryDescriptorList->MdlFlags & MDL_MAPPING_CAN_FAIL) == 0) {
  1330. MI_CHECK_UPTIME ();
  1332. if (VerifierSystemSufficientlyBooted == TRUE) {
  1334. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1335. 0x81,
  1336. (ULONG_PTR) MemoryDescriptorList,
  1337. MemoryDescriptorList->MdlFlags,
  1338. 0);
  1339. }
  1340. }
  1342. return MmMapLockedPages (MemoryDescriptorList, AccessMode);
  1343. }
  1345. THUNKED_API
  1346. PVOID
  1347. VerifierMapLockedPagesSpecifyCache (
  1348. IN PMDL MemoryDescriptorList,
  1349. IN KPROCESSOR_MODE AccessMode,
  1350. IN MEMORY_CACHING_TYPE CacheType,
  1351. IN PVOID RequestedAddress,
  1352. IN ULONG BugCheckOnFailure,
  1353. IN MM_PAGE_PRIORITY Priority
  1354. )
  1355. {
  1356. KIRQL CurrentIrql;
  1358. CurrentIrql = KeGetCurrentIrql ();
  1359. if (AccessMode == KernelMode) {
  1360. if (CurrentIrql > DISPATCH_LEVEL) {
  1361. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1362. 0x76,
  1363. CurrentIrql,
  1364. (ULONG_PTR)MemoryDescriptorList,
  1365. (ULONG_PTR)AccessMode);
  1366. }
  1367. }
  1368. else {
  1369. if (CurrentIrql > APC_LEVEL) {
  1370. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1371. 0x77,
  1372. CurrentIrql,
  1373. (ULONG_PTR)MemoryDescriptorList,
  1374. (ULONG_PTR)AccessMode);
  1375. }
  1376. }
  1378. if ((MemoryDescriptorList->MdlFlags & MDL_IO_SPACE) == 0) {
  1379. ViCheckMdlPages (MemoryDescriptorList, CacheType);
  1380. }
  1382. if ((MemoryDescriptorList->MdlFlags & MDL_MAPPING_CAN_FAIL) ||
  1383. (BugCheckOnFailure == 0)) {
  1385. if (ViInjectResourceFailure () == TRUE) {
  1386. return NULL;
  1387. }
  1388. }
  1389. else {
  1391. //
  1392. // All drivers must specify can fail or don't bugcheck.
  1393. //
  1395. MI_CHECK_UPTIME ();
  1397. if (VerifierSystemSufficientlyBooted == TRUE) {
  1399. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1400. 0x82,
  1401. (ULONG_PTR) MemoryDescriptorList,
  1402. MemoryDescriptorList->MdlFlags,
  1403. BugCheckOnFailure);
  1404. }
  1405. }
  1407. return MmMapLockedPagesSpecifyCache (MemoryDescriptorList,
  1408. AccessMode,
  1409. CacheType,
  1410. RequestedAddress,
  1411. BugCheckOnFailure,
  1412. Priority);
  1413. }
  1415. VOID
  1416. VerifierUnlockPages (
  1417. IN OUT PMDL MemoryDescriptorList
  1418. )
  1419. {
  1420. KIRQL CurrentIrql;
  1422. CurrentIrql = KeGetCurrentIrql();
  1423. if (CurrentIrql > DISPATCH_LEVEL) {
  1424. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1425. 0x78,
  1426. CurrentIrql,
  1427. (ULONG_PTR)MemoryDescriptorList,
  1428. 0);
  1429. }
  1431. if ((MemoryDescriptorList->MdlFlags & MDL_PAGES_LOCKED) == 0) {
  1433. //
  1434. // The caller is trying to unlock an MDL that was never locked down.
  1435. //
  1437. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1438. 0x7C,
  1439. (ULONG_PTR)MemoryDescriptorList,
  1440. (ULONG_PTR)MemoryDescriptorList->MdlFlags,
  1441. 0);
  1442. }
  1444. if (MemoryDescriptorList->MdlFlags & MDL_SOURCE_IS_NONPAGED_POOL) {
  1446. //
  1447. // Nonpaged pool should never be locked down.
  1448. //
  1450. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1451. 0x7D,
  1452. (ULONG_PTR)MemoryDescriptorList,
  1453. (ULONG_PTR)MemoryDescriptorList->MdlFlags,
  1454. 0);
  1455. }
  1457. MmUnlockPages (MemoryDescriptorList);
  1458. }
  1460. VOID
  1461. VerifierUnmapLockedPages (
  1462. IN PVOID BaseAddress,
  1463. IN PMDL MemoryDescriptorList
  1464. )
  1465. {
  1466. KIRQL CurrentIrql;
  1468. CurrentIrql = KeGetCurrentIrql();
  1470. if (BaseAddress > MM_HIGHEST_USER_ADDRESS) {
  1471. if (CurrentIrql > DISPATCH_LEVEL) {
  1472. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1473. 0x79,
  1474. CurrentIrql,
  1475. (ULONG_PTR)BaseAddress,
  1476. (ULONG_PTR)MemoryDescriptorList);
  1477. }
  1478. }
  1479. else {
  1480. if (CurrentIrql > APC_LEVEL) {
  1481. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1482. 0x7A,
  1483. CurrentIrql,
  1484. (ULONG_PTR)BaseAddress,
  1485. (ULONG_PTR)MemoryDescriptorList);
  1486. }
  1487. }
  1489. MmUnmapLockedPages (BaseAddress, MemoryDescriptorList);
  1490. }
  1492. VOID
  1493. VerifierUnmapIoSpace (
  1494. IN PVOID BaseAddress,
  1495. IN SIZE_T NumberOfBytes
  1496. )
  1497. {
  1498. KIRQL CurrentIrql;
  1500. CurrentIrql = KeGetCurrentIrql();
  1501. if (CurrentIrql > DISPATCH_LEVEL) {
  1502. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  1503. 0x7B,
  1504. CurrentIrql,
  1505. (ULONG_PTR)BaseAddress,
  1506. (ULONG_PTR)NumberOfBytes);
  1507. }
  1509. MmUnmapIoSpace (BaseAddress, NumberOfBytes);
  1510. }
  1512. THUNKED_API
  1513. PVOID
  1514. VerifierAllocatePool (
  1515. IN POOL_TYPE PoolType,
  1516. IN SIZE_T NumberOfBytes
  1517. )
  1518. {
  1519. PVOID CallingAddress;
  1520. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1522. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1524. if (KernelVerifier == TRUE) {
  1526. Verifier = ViLocateVerifierEntry (CallingAddress);
  1528. if ((Verifier == NULL) ||
  1529. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1531. return ExAllocatePool (PoolType | POOL_DRIVER_MASK, NumberOfBytes);
  1532. }
  1533. PoolType |= POOL_DRIVER_MASK;
  1534. }
  1536. MmVerifierData.AllocationsWithNoTag += 1;
  1538. return VeAllocatePoolWithTagPriority (PoolType,
  1539. NumberOfBytes,
  1540. 'parW',
  1541. HighPoolPriority,
  1542. CallingAddress);
  1543. }
  1545. THUNKED_API
  1546. PVOID
  1547. VerifierAllocatePoolWithTag (
  1548. IN POOL_TYPE PoolType,
  1549. IN SIZE_T NumberOfBytes,
  1550. IN ULONG Tag
  1551. )
  1552. {
  1553. PVOID CallingAddress;
  1554. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1556. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1558. if (KernelVerifier == TRUE) {
  1559. Verifier = ViLocateVerifierEntry (CallingAddress);
  1561. if ((Verifier == NULL) ||
  1562. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1564. return ExAllocatePoolWithTag (PoolType | POOL_DRIVER_MASK,
  1565. NumberOfBytes,
  1566. Tag);
  1567. }
  1568. PoolType |= POOL_DRIVER_MASK;
  1569. }
  1571. return VeAllocatePoolWithTagPriority (PoolType,
  1572. NumberOfBytes,
  1573. Tag,
  1574. HighPoolPriority,
  1575. CallingAddress);
  1576. }
  1578. THUNKED_API
  1579. PVOID
  1580. VerifierAllocatePoolWithQuota(
  1581. IN POOL_TYPE PoolType,
  1582. IN SIZE_T NumberOfBytes
  1583. )
  1584. {
  1585. PVOID Va;
  1586. LOGICAL RaiseOnQuotaFailure;
  1587. PVOID CallingAddress;
  1588. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1590. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1592. if (KernelVerifier == TRUE) {
  1593. Verifier = ViLocateVerifierEntry (CallingAddress);
  1595. if ((Verifier == NULL) ||
  1596. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1598. return ExAllocatePoolWithQuota (PoolType | POOL_DRIVER_MASK,
  1599. NumberOfBytes);
  1600. }
  1601. PoolType |= POOL_DRIVER_MASK;
  1602. }
  1604. MmVerifierData.AllocationsWithNoTag += 1;
  1606. if (PoolType & POOL_QUOTA_FAIL_INSTEAD_OF_RAISE) {
  1607. RaiseOnQuotaFailure = FALSE;
  1608. PoolType &= ~POOL_QUOTA_FAIL_INSTEAD_OF_RAISE;
  1609. }
  1610. else {
  1611. RaiseOnQuotaFailure = TRUE;
  1612. }
  1614. Va = VeAllocatePoolWithTagPriority (PoolType,
  1615. NumberOfBytes,
  1616. 'parW',
  1617. HighPoolPriority,
  1618. CallingAddress);
  1620. if (Va == NULL) {
  1621. if (RaiseOnQuotaFailure == TRUE) {
  1622. ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
  1623. }
  1624. }
  1626. return Va;
  1627. }
  1629. THUNKED_API
  1630. PVOID
  1631. VerifierAllocatePoolWithQuotaTag(
  1632. IN POOL_TYPE PoolType,
  1633. IN SIZE_T NumberOfBytes,
  1634. IN ULONG Tag
  1635. )
  1636. {
  1637. PVOID Va;
  1638. LOGICAL RaiseOnQuotaFailure;
  1639. PVOID CallingAddress;
  1640. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1642. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1644. if (KernelVerifier == TRUE) {
  1645. Verifier = ViLocateVerifierEntry (CallingAddress);
  1647. if ((Verifier == NULL) ||
  1648. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1650. return ExAllocatePoolWithQuotaTag (PoolType | POOL_DRIVER_MASK,
  1651. NumberOfBytes,
  1652. Tag);
  1653. }
  1654. PoolType |= POOL_DRIVER_MASK;
  1655. }
  1657. if (PoolType & POOL_QUOTA_FAIL_INSTEAD_OF_RAISE) {
  1658. RaiseOnQuotaFailure = FALSE;
  1659. PoolType &= ~POOL_QUOTA_FAIL_INSTEAD_OF_RAISE;
  1660. }
  1661. else {
  1662. RaiseOnQuotaFailure = TRUE;
  1663. }
  1665. Va = VeAllocatePoolWithTagPriority (PoolType,
  1666. NumberOfBytes,
  1667. Tag,
  1668. HighPoolPriority,
  1669. CallingAddress);
  1671. if (Va == NULL) {
  1672. if (RaiseOnQuotaFailure == TRUE) {
  1673. ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
  1674. }
  1675. }
  1677. return Va;
  1678. }
  1680. THUNKED_API
  1681. PVOID
  1682. VerifierAllocatePoolWithTagPriority(
  1683. IN POOL_TYPE PoolType,
  1684. IN SIZE_T NumberOfBytes,
  1685. IN ULONG Tag,
  1686. IN EX_POOL_PRIORITY Priority
  1687. )
  1689. /*++
  1691. Routine Description:
  1693. This thunked-in function:
  1695. - Performs sanity checks on the caller.
  1696. - Can optionally provide allocation failures to the caller.
  1697. - Attempts to provide the allocation from special pool.
  1698. - Tracks pool to ensure callers free everything they allocate.
  1700. --*/
  1702. {
  1703. PVOID CallingAddress;
  1704. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  1706. VI_DETECT_RETURN_ADDRESS (CallingAddress);
  1708. if (KernelVerifier == TRUE) {
  1709. Verifier = ViLocateVerifierEntry (CallingAddress);
  1711. if ((Verifier == NULL) ||
  1712. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
  1714. return ExAllocatePoolWithTagPriority (PoolType | POOL_DRIVER_MASK,
  1715. NumberOfBytes,
  1716. Tag,
  1717. Priority);
  1718. }
  1719. PoolType |= POOL_DRIVER_MASK;
  1720. }
  1722. return VeAllocatePoolWithTagPriority (PoolType,
  1723. NumberOfBytes,
  1724. Tag,
  1725. Priority,
  1726. CallingAddress);
  1727. }
  1729. LOGICAL
  1730. ViInjectResourceFailure (
  1731. VOID
  1732. )
  1734. /*++
  1736. Routine Description:
  1738. This function determines whether a resource allocation should be
  1739. deliberately failed. This may be a pool allocation, MDL creation,
  1740. system PTE allocation, etc.
  1742. Arguments:
  1744. None.
  1746. Return Value:
  1748. TRUE if the allocation should be failed. FALSE otherwise.
  1750. Environment:
  1752. Kernel mode. DISPATCH_LEVEL or below.
  1754. --*/
  1756. {
  1757. ULONG TimeLow;
  1758. LARGE_INTEGER CurrentTime;
  1760. if ((MmVerifierData.Level & DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES) == 0) {
  1761. return FALSE;
  1762. }
  1764. //
  1765. // Don't fail any requests in the first 7 or 8 minutes as we want to
  1766. // give the system enough time to boot.
  1767. //
  1769. MI_CHECK_UPTIME ();
  1771. if (VerifierSystemSufficientlyBooted == TRUE) {
  1773. KeQueryTickCount(&CurrentTime);
  1775. TimeLow = CurrentTime.LowPart;
  1777. if ((TimeLow & 0xF) == 0) {
  1779. MmVerifierData.AllocationsFailedDeliberately += 1;
  1781. //
  1782. // Deliberately fail this request.
  1783. //
  1785. if (MiFaultRetryMask != 0xFFFFFFFF) {
  1786. MiFaultRetryMask = 0xFFFFFFFF;
  1787. MiUserFaultRetryMask = 0xFFFFFFFF;
  1788. }
  1790. #if defined(_X86_)
  1791. ViFaultTracesLog ();
  1792. #endif
  1794. return TRUE;
  1795. }
  1797. //
  1798. // Approximately every 5 minutes (on most systems), fail all of this
  1799. // components allocations for a 10 second burst. This more closely
  1800. // simulates (and exaggerates) the duration of the typical low resource
  1801. // scenario.
  1802. //
  1804. TimeLow &= 0x7FFF;
  1806. if (TimeLow < 0x400) {
  1808. MmVerifierData.BurstAllocationsFailedDeliberately += 1;
  1810. //
  1811. // Deliberately fail this request.
  1812. //
  1814. if (MiFaultRetryMask != 0xFFFFFFFF) {
  1815. MiFaultRetryMask = 0xFFFFFFFF;
  1816. MiUserFaultRetryMask = 0xFFFFFFFF;
  1817. }
  1819. #if defined(_X86_)
  1820. ViFaultTracesLog ();
  1821. #endif
  1823. return TRUE;
  1824. }
  1825. }
  1827. return FALSE;
  1828. }
  1830. LOGICAL
  1831. ViReservePoolAllocation (
  1832. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  1833. )
  1834. {
  1835. ULONG_PTR OldSize;
  1836. ULONG_PTR NewSize;
  1837. ULONG_PTR NewHashOffset;
  1838. ULONG_PTR Increment;
  1839. ULONG_PTR Entries;
  1840. ULONG_PTR i;
  1841. KIRQL OldIrql;
  1842. PVOID NewHashTable;
  1843. PVI_POOL_ENTRY HashEntry;
  1844. PVI_POOL_ENTRY OldHashTable;
  1846. ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
  1848. while (Verifier->PoolHashSize <= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved) {
  1850. //
  1851. // More space is needed. Try for it now.
  1852. //
  1854. #define VI_POOL_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(VI_POOL_ENTRY))
  1856. OldSize = Verifier->PoolHashSize * sizeof(VI_POOL_ENTRY);
  1858. if (Verifier->PoolHashSize >= VI_POOL_ENTRIES_PER_PAGE) {
  1859. Increment = PAGE_SIZE;
  1860. }
  1861. else {
  1862. Increment = 16 * sizeof (VI_POOL_ENTRY);
  1863. }
  1865. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  1867. NewSize = OldSize + Increment;
  1869. if (NewSize < OldSize) {
  1870. return FALSE;
  1871. }
  1873. //
  1874. // Note POOL_DRIVER_MASK must be set to stop the recursion loop
  1875. // when using the kernel verifier.
  1876. //
  1878. NewHashTable = ExAllocatePoolWithTagPriority (NonPagedPool | POOL_DRIVER_MASK,
  1879. NewSize,
  1880. 'ppeV',
  1881. HighPoolPriority);
  1883. ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
  1885. OldSize = Verifier->PoolHashSize * sizeof(VI_POOL_ENTRY);
  1887. if (NewHashTable == NULL) {
  1888. if (Verifier->PoolHashSize <= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved) {
  1889. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  1890. return FALSE;
  1891. }
  1893. //
  1894. // Another thread got here before us and space is available.
  1895. //
  1897. break;
  1898. }
  1900. if (NewSize != OldSize + Increment) {
  1902. //
  1903. // Another thread got here before us.
  1904. //
  1906. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  1907. ExFreePool (NewHashTable);
  1908. ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
  1909. }
  1910. else {
  1912. //
  1913. // Rebuild the list into the new table.
  1914. //
  1916. OldHashTable = Verifier->PoolHash;
  1917. if (OldHashTable != NULL) {
  1918. RtlCopyMemory (NewHashTable, OldHashTable, OldSize);
  1919. }
  1921. //
  1922. // Construct the freelist chaining it through any existing
  1923. // list (any free entries must be already reserved).
  1924. //
  1926. HashEntry = (PVI_POOL_ENTRY) ((PCHAR)NewHashTable + OldSize);
  1927. Entries = Increment / sizeof (VI_POOL_ENTRY);
  1928. NewHashOffset = HashEntry - (PVI_POOL_ENTRY)NewHashTable;
  1930. //
  1931. // If list compaction becomes important then chaining it on the
  1932. // end here will need to be revisited.
  1933. //
  1935. for (i = 0; i < Entries; i += 1) {
  1936. HashEntry->FreeListNext = NewHashOffset + i + 1;
  1937. HashEntry += 1;
  1938. }
  1939. HashEntry -= 1;
  1940. HashEntry->FreeListNext = Verifier->PoolHashFree;
  1941. Verifier->PoolHashFree = NewHashOffset;
  1942. Verifier->PoolHash = NewHashTable;
  1943. Verifier->PoolHashSize += Entries;
  1945. //
  1946. // Free the old table.
  1947. //
  1949. if (OldHashTable != NULL) {
  1950. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  1951. ExFreePool (OldHashTable);
  1952. ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
  1953. }
  1954. }
  1955. }
  1957. Verifier->PoolHashReserved += 1;
  1959. ASSERT (Verifier->PoolHashSize >= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved);
  1961. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  1963. return TRUE;
  1964. }
  1966. ULONG_PTR
  1967. ViInsertPoolAllocation (
  1968. IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
  1969. IN PVOID VirtualAddress,
  1970. IN PVOID CallingAddress,
  1971. IN SIZE_T NumberOfBytes,
  1972. IN ULONG Tag
  1973. )
  1975. /*++
  1977. Routine Description:
  1979. This function inserts the specified virtual address into the verifier
  1980. list for this driver.
  1982. Arguments:
  1984. Verifier - Supplies the verifier entry to update.
  1986. VirtualAddress - Supplies the virtual address to insert.
  1988. CallingAddress - Supplies the caller's address.
  1990. NumberOfBytes - Supplies the number of bytes to allocate.
  1992. Tag - Supplies the tag for the pool being allocated.
  1994. Return Value:
  1996. The list index this virtual address was inserted at.
  1998. Environment:
  2000. Kernel mode, DISPATCH_LEVEL. The Verifier->VerifierPoolLock must be held.
  2002. --*/
  2004. {
  2005. ULONG_PTR Index;
  2006. PVI_POOL_ENTRY HashEntry;
  2008. ASSERT (KeGetCurrentIrql() == DISPATCH_LEVEL);
  2010. //
  2011. // The list entry must be reserved in advance.
  2012. //
  2014. ASSERT (Verifier->PoolHashReserved != 0);
  2016. ASSERT (Verifier->PoolHashSize >= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved);
  2018. //
  2019. // Use the next free list entry.
  2020. //
  2022. Index = Verifier->PoolHashFree;
  2023. ASSERT (Index != VI_POOL_FREELIST_END);
  2025. HashEntry = Verifier->PoolHash + Index;
  2027. Verifier->PoolHashFree = HashEntry->FreeListNext;
  2029. Verifier->PoolHashReserved -= 1;
  2031. #if defined (_X86_)
  2032. //
  2033. // MiUseMaximumSystemSpace denotes an x86 mode where kernel pointers don't
  2034. // necessarily have the high bit set.
  2035. //
  2036. ASSERT (((HashEntry->FreeListNext & MINLONG_PTR) == 0) ||
  2037. (HashEntry->FreeListNext == VI_POOL_FREELIST_END) ||
  2038. (MiUseMaximumSystemSpace != 0));
  2039. #else
  2040. ASSERT (((HashEntry->FreeListNext & MINLONG_PTR) == 0) ||
  2041. (HashEntry->FreeListNext == VI_POOL_FREELIST_END));
  2042. #endif
  2044. HashEntry->InUse.VirtualAddress = VirtualAddress;
  2045. HashEntry->InUse.CallingAddress = CallingAddress;
  2046. HashEntry->InUse.NumberOfBytes = NumberOfBytes;
  2047. HashEntry->InUse.Tag = Tag;
  2049. #if defined (_X86_)
  2050. //
  2051. // MiUseMaximumSystemSpace denotes an x86 mode where kernel pointers don't
  2052. // necessarily have the high bit set.
  2053. //
  2054. ASSERT (((HashEntry->FreeListNext & MINLONG_PTR) != 0) ||
  2055. (MiUseMaximumSystemSpace != 0));
  2056. #else
  2057. ASSERT ((HashEntry->FreeListNext & MINLONG_PTR) != 0);
  2058. #endif
  2060. return Index;
  2061. }
  2063. VOID
  2064. ViReleasePoolAllocation (
  2065. IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
  2066. IN PVOID VirtualAddress,
  2067. IN ULONG_PTR ListIndex,
  2068. IN SIZE_T ChargedBytes
  2069. )
  2071. /*++
  2073. Routine Description:
  2075. This function removes the specified virtual address from the verifier
  2076. list for this driver.
  2078. Arguments:
  2080. Verifier - Supplies the verifier entry to update.
  2082. VirtualAddress - Supplies the virtual address to release.
  2084. ListIndex - Supplies the verifier pool hash index for the address being
  2085. released.
  2087. ChargedBytes - Supplies the bytes charged for this allocation.
  2089. Return Value:
  2091. None.
  2093. Environment:
  2095. Kernel mode, DISPATCH_LEVEL. The Verifier->VerifierPoolLock must be held.
  2097. --*/
  2099. {
  2100. PFN_NUMBER PageFrameIndex;
  2101. PFN_NUMBER PageFrameIndex2;
  2102. PVI_POOL_ENTRY HashEntry;
  2103. PMMPTE PointerPte;
  2105. ASSERT (KeGetCurrentIrql() == DISPATCH_LEVEL);
  2107. if (Verifier->PoolHash == NULL) {
  2108. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2109. 0x59,
  2110. (ULONG_PTR)VirtualAddress,
  2111. ListIndex,
  2112. (ULONG_PTR)Verifier);
  2113. }
  2115. //
  2116. // Ensure that the list pointer has not been overrun and still
  2117. // points at something decent.
  2118. //
  2120. HashEntry = Verifier->PoolHash + ListIndex;
  2122. if (ListIndex >= Verifier->PoolHashSize) {
  2123. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2124. 0x54,
  2125. (ULONG_PTR)VirtualAddress,
  2126. Verifier->PoolHashSize,
  2127. ListIndex);
  2128. }
  2130. if (HashEntry->InUse.VirtualAddress != VirtualAddress) {
  2132. PageFrameIndex = 0;
  2133. PageFrameIndex2 = 1;
  2135. if ((!MI_IS_PHYSICAL_ADDRESS(VirtualAddress)) &&
  2136. (MI_IS_PHYSICAL_ADDRESS(HashEntry->InUse.VirtualAddress))) {
  2138. PointerPte = MiGetPteAddress(VirtualAddress);
  2139. if (PointerPte->u.Hard.Valid == 1) {
  2140. PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
  2142. PageFrameIndex2 = MI_CONVERT_PHYSICAL_TO_PFN (HashEntry->InUse.VirtualAddress);
  2143. }
  2144. }
  2146. //
  2147. // Caller overran and corrupted the virtual address - the linked
  2148. // list cannot be counted on either.
  2149. //
  2151. if (PageFrameIndex != PageFrameIndex2) {
  2152. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2153. 0x52,
  2154. (ULONG_PTR)VirtualAddress,
  2155. (ULONG_PTR)HashEntry->InUse.VirtualAddress,
  2156. ChargedBytes);
  2157. }
  2158. }
  2160. if (HashEntry->InUse.NumberOfBytes != ChargedBytes) {
  2162. //
  2163. // Caller overran and corrupted the byte count - the linked
  2164. // list cannot be counted on either.
  2165. //
  2167. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2168. 0x51,
  2169. (ULONG_PTR)VirtualAddress,
  2170. (ULONG_PTR)HashEntry,
  2171. ChargedBytes);
  2172. }
  2174. //
  2175. // Put this list entry into the freelist.
  2176. //
  2178. HashEntry->FreeListNext = Verifier->PoolHashFree;
  2179. Verifier->PoolHashFree = HashEntry - Verifier->PoolHash;
  2180. }
  2182. VOID
  2183. ViCancelPoolAllocation (
  2184. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  2185. )
  2187. /*++
  2189. Routine Description:
  2191. This function removes a reservation from the verifier list for this driver.
  2192. All reservations must be made in advance. This routine is used when an
  2193. earlier reservation is not going to be used (ie: the actual pool
  2194. allocation failed so no reservation will be needed after all).
  2196. Arguments:
  2198. Verifier - Supplies the verifier entry to update.
  2200. Return Value:
  2202. None.
  2204. Environment:
  2206. Kernel mode, DISPATCH_LEVEL or below, no verifier mutexes held.
  2208. --*/
  2210. {
  2211. KIRQL OldIrql;
  2213. ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
  2215. //
  2216. // The hash entry reserved earlier is not going to be used after all.
  2217. //
  2219. ASSERT (Verifier->PoolHashReserved != 0);
  2221. ASSERT (Verifier->PoolHashSize >= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved);
  2223. ASSERT (Verifier->PoolHashFree != VI_POOL_FREELIST_END);
  2225. Verifier->PoolHashReserved -= 1;
  2227. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  2228. }
  2230. PVOID
  2231. ViPostPoolAllocation (
  2232. IN PVOID VirtualAddress,
  2233. IN SIZE_T NumberOfBytes,
  2234. IN POOL_TYPE PoolType,
  2235. IN ULONG Tag,
  2236. IN PVOID CallingAddress
  2237. )
  2239. /*++
  2241. Routine Description:
  2243. This function performs verifier book-keeping on the allocation attempt.
  2245. Arguments:
  2247. VirtualAddress - Supplies the virtual address that should be allocated.
  2249. NumberOfBytes - Supplies the number of bytes to allocate.
  2251. PoolType - Supplies the type of pool being allocated.
  2253. Tag - Supplies the tag for the pool being allocated.
  2255. CallingAddress - Supplies the caller's address.
  2257. Return Value:
  2259. The virtual address the caller should use.
  2261. Environment:
  2263. Kernel mode. DISPATCH_LEVEL or below.
  2265. --*/
  2267. {
  2268. KIRQL OldIrql;
  2269. PMI_VERIFIER_POOL_HEADER Header;
  2270. SIZE_T ChargedBytes;
  2271. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  2272. ULONG_PTR InsertedIndex;
  2273. LOGICAL SpecialPoolAllocation;
  2274. PPOOL_HEADER PoolHeader;
  2276. InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceeded);
  2277. ChargedBytes = EX_REAL_POOL_USAGE(NumberOfBytes);
  2278. SpecialPoolAllocation = FALSE;
  2280. if (MmIsSpecialPoolAddress (VirtualAddress) == TRUE) {
  2281. ChargedBytes = NumberOfBytes;
  2282. InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceededSpecialPool);
  2283. SpecialPoolAllocation = TRUE;
  2284. }
  2285. else if (NumberOfBytes <= POOL_BUDDY_MAX) {
  2286. ChargedBytes -= POOL_OVERHEAD;
  2287. }
  2288. else {
  2290. //
  2291. // This isn't exactly true but it does give the user a way to see
  2292. // if this machine is large enough to support special pool 100%.
  2293. //
  2295. InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceededSpecialPool);
  2296. }
  2298. if ((PoolType & POOL_VERIFIER_MASK) == 0) {
  2299. return VirtualAddress;
  2300. }
  2302. if (NumberOfBytes > POOL_BUDDY_MAX) {
  2303. ASSERT (BYTE_OFFSET(VirtualAddress) == 0);
  2304. }
  2306. Verifier = ViLocateVerifierEntry (CallingAddress);
  2307. ASSERT (Verifier != NULL);
  2308. VerifierIsTrackingPool = TRUE;
  2310. if (SpecialPoolAllocation == TRUE) {
  2312. //
  2313. // Carefully adjust the special pool page to move the verifier tracking
  2314. // header to the front. This allows the allocation to remain butted
  2315. // against the end of the page so overruns can be detected immediately.
  2316. //
  2318. if (((ULONG_PTR)VirtualAddress & (PAGE_SIZE - 1))) {
  2319. PoolHeader = (PPOOL_HEADER)(PAGE_ALIGN (VirtualAddress));
  2320. Header = (PMI_VERIFIER_POOL_HEADER) (PoolHeader + 1);
  2321. VirtualAddress = (PVOID) ((PCHAR)VirtualAddress + sizeof (MI_VERIFIER_POOL_HEADER));
  2322. }
  2323. else {
  2324. PoolHeader = (PPOOL_HEADER)((PCHAR)PAGE_ALIGN (VirtualAddress) + PAGE_SIZE - POOL_OVERHEAD);
  2325. Header = (PMI_VERIFIER_POOL_HEADER) (PoolHeader - 1);
  2326. }
  2327. // ASSERT (PoolHeader->Ulong1 & MI_SPECIAL_POOL_VERIFIER);
  2328. PoolHeader->Ulong1 -= sizeof (MI_VERIFIER_POOL_HEADER);
  2329. ChargedBytes -= sizeof (MI_VERIFIER_POOL_HEADER);
  2330. PoolHeader->Ulong1 |= MI_SPECIAL_POOL_VERIFIER;
  2331. }
  2332. else {
  2333. Header = (PMI_VERIFIER_POOL_HEADER)((PCHAR)VirtualAddress +
  2334. ChargedBytes -
  2335. sizeof(MI_VERIFIER_POOL_HEADER));
  2336. }
  2338. ASSERT (((ULONG_PTR)Header & (sizeof(ULONG) - 1)) == 0);
  2341. Header->Verifier = Verifier;
  2343. //
  2344. // Enqueue the entry and update per-driver counters.
  2345. // Note that paged pool allocations must be chained using nonpaged
  2346. // pool to prevent deadlocks.
  2347. //
  2349. ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
  2351. InsertedIndex = ViInsertPoolAllocation (Verifier,
  2352. VirtualAddress,
  2353. CallingAddress,
  2354. ChargedBytes,
  2355. Tag);
  2357. if ((PoolType & BASE_POOL_TYPE_MASK) == PagedPool) {
  2359. Verifier->PagedBytes += ChargedBytes;
  2360. if (Verifier->PagedBytes > Verifier->PeakPagedBytes) {
  2361. Verifier->PeakPagedBytes = Verifier->PagedBytes;
  2362. }
  2364. Verifier->CurrentPagedPoolAllocations += 1;
  2365. if (Verifier->CurrentPagedPoolAllocations > Verifier->PeakPagedPoolAllocations) {
  2366. Verifier->PeakPagedPoolAllocations = Verifier->CurrentPagedPoolAllocations;
  2367. }
  2368. }
  2369. else {
  2370. Verifier->NonPagedBytes += ChargedBytes;
  2371. if (Verifier->NonPagedBytes > Verifier->PeakNonPagedBytes) {
  2372. Verifier->PeakNonPagedBytes = Verifier->NonPagedBytes;
  2373. }
  2375. Verifier->CurrentNonPagedPoolAllocations += 1;
  2376. if (Verifier->CurrentNonPagedPoolAllocations > Verifier->PeakNonPagedPoolAllocations) {
  2377. Verifier->PeakNonPagedPoolAllocations = Verifier->CurrentNonPagedPoolAllocations;
  2378. }
  2379. }
  2381. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  2383. //
  2384. // Since the header for paged pool is paged, don't initialize it until the
  2385. // spinlock above is released.
  2386. //
  2388. Header->ListIndex = InsertedIndex;
  2390. //
  2391. // Update systemwide counters.
  2392. //
  2394. if ((PoolType & BASE_POOL_TYPE_MASK) == PagedPool) {
  2395. ExAcquireFastMutex (&VerifierPoolMutex);
  2397. MmVerifierData.PagedBytes += ChargedBytes;
  2398. if (MmVerifierData.PagedBytes > MmVerifierData.PeakPagedBytes) {
  2399. MmVerifierData.PeakPagedBytes = MmVerifierData.PagedBytes;
  2400. }
  2402. MmVerifierData.CurrentPagedPoolAllocations += 1;
  2403. if (MmVerifierData.CurrentPagedPoolAllocations > MmVerifierData.PeakPagedPoolAllocations) {
  2404. MmVerifierData.PeakPagedPoolAllocations = MmVerifierData.CurrentPagedPoolAllocations;
  2405. }
  2407. ExReleaseFastMutex (&VerifierPoolMutex);
  2408. }
  2409. else {
  2410. ExAcquireSpinLock (&VerifierPoolLock, &OldIrql);
  2412. MmVerifierData.NonPagedBytes += ChargedBytes;
  2413. if (MmVerifierData.NonPagedBytes > MmVerifierData.PeakNonPagedBytes) {
  2414. MmVerifierData.PeakNonPagedBytes = MmVerifierData.NonPagedBytes;
  2415. }
  2417. MmVerifierData.CurrentNonPagedPoolAllocations += 1;
  2418. if (MmVerifierData.CurrentNonPagedPoolAllocations > MmVerifierData.PeakNonPagedPoolAllocations) {
  2419. MmVerifierData.PeakNonPagedPoolAllocations = MmVerifierData.CurrentNonPagedPoolAllocations;
  2420. }
  2422. ExReleaseSpinLock (&VerifierPoolLock, OldIrql);
  2423. }
  2425. return VirtualAddress;
  2426. }
  2428. PVOID
  2429. VeAllocatePoolWithTagPriority (
  2430. IN POOL_TYPE PoolType,
  2431. IN SIZE_T NumberOfBytes,
  2432. IN ULONG Tag,
  2433. IN EX_POOL_PRIORITY Priority,
  2434. IN PVOID CallingAddress
  2435. )
  2437. /*++
  2439. Routine Description:
  2441. This routine is called both from ex\pool.c and directly within this module.
  2443. - Performs sanity checks on the caller.
  2444. - Can optionally provide allocation failures to the caller.
  2445. - Attempts to provide the allocation from special pool.
  2446. - Tracks pool to ensure callers free everything they allocate.
  2448. --*/
  2450. {
  2451. PVOID VirtualAddress;
  2452. EX_POOL_PRIORITY AllocationPriority;
  2453. SIZE_T ChargedBytes;
  2454. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  2455. LOGICAL ReservedHash;
  2456. ULONG HeaderSize;
  2458. ExAllocatePoolSanityChecks (PoolType, NumberOfBytes);
  2460. InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsAttempted);
  2462. if ((PoolType & MUST_SUCCEED_POOL_TYPE_MASK) == 0) {
  2464. if (ViInjectResourceFailure () == TRUE) {
  2466. //
  2467. // Caller requested an exception - throw it here.
  2468. //
  2470. if ((PoolType & POOL_RAISE_IF_ALLOCATION_FAILURE) != 0) {
  2471. ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
  2472. }
  2474. return NULL;
  2475. }
  2476. }
  2477. else {
  2478. MI_CHECK_UPTIME ();
  2480. if (VerifierSystemSufficientlyBooted == TRUE) {
  2482. KeBugCheckEx (BAD_POOL_CALLER,
  2483. 0x9A,
  2484. PoolType,
  2485. NumberOfBytes,
  2486. Tag);
  2487. }
  2488. }
  2490. ASSERT ((PoolType & POOL_VERIFIER_MASK) == 0);
  2492. //
  2493. // Initializing Verifier is not needed for
  2494. // correctness but without it the compiler cannot compile this code
  2495. // W4 to check for use of uninitialized variables.
  2496. //
  2498. Verifier = NULL;
  2500. AllocationPriority = Priority;
  2502. if (MmVerifierData.Level & DRIVER_VERIFIER_SPECIAL_POOLING) {
  2504. //
  2505. // Try for a special pool overrun allocation unless the caller has
  2506. // explicitly specified otherwise.
  2507. //
  2509. if ((AllocationPriority & (LowPoolPrioritySpecialPoolOverrun | LowPoolPrioritySpecialPoolUnderrun)) == 0) {
  2510. if (MmSpecialPoolCatchOverruns == TRUE) {
  2511. AllocationPriority |= LowPoolPrioritySpecialPoolOverrun;
  2512. }
  2513. else {
  2514. AllocationPriority |= LowPoolPrioritySpecialPoolUnderrun;
  2515. }
  2516. }
  2517. }
  2519. ReservedHash = FALSE;
  2520. if (MmVerifierData.Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) {
  2522. if (PoolType & SESSION_POOL_MASK) {
  2524. //
  2525. // Session pool is directly tracked by default already.
  2526. //
  2528. NOTHING;
  2529. }
  2530. else {
  2531. HeaderSize = sizeof(MI_VERIFIER_POOL_HEADER);
  2533. ChargedBytes = MI_ROUND_TO_SIZE (NumberOfBytes, sizeof(ULONG)) + HeaderSize;
  2534. Verifier = ViLocateVerifierEntry (CallingAddress);
  2536. if ((Verifier == NULL) ||
  2537. ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0) ||
  2538. (Verifier->Flags & VI_DISABLE_VERIFICATION)) {
  2540. //
  2541. // This can happen for many reasons including no framing (which
  2542. // can cause RtlGetCallersAddress to return the wrong address),
  2543. // etc.
  2544. //
  2546. MmVerifierData.UnTrackedPool += 1;
  2547. }
  2548. else if (ChargedBytes <= NumberOfBytes) {
  2550. //
  2551. // Don't let the verifier header transform a bad caller into a
  2552. // good caller. Fail via the fall through so an exception
  2553. // can be thrown if asked for, etc.
  2554. //
  2556. MmVerifierData.UnTrackedPool += 1;
  2557. }
  2558. else if (((PoolType & MUST_SUCCEED_POOL_TYPE_MASK) == 0) ||
  2559. (ChargedBytes <= PAGE_SIZE)) {
  2561. //
  2562. // Any pool allocation that is allowed to fail or where the
  2563. // total number of charged bytes fits in a page (nonpaged-
  2564. // must-succeed requires this) is suitable for tracking.
  2565. // Just ensure that the hash list has space for it.
  2566. //
  2568. if (ViReservePoolAllocation (Verifier) == TRUE) {
  2569. ReservedHash = TRUE;
  2570. NumberOfBytes = ChargedBytes;
  2571. PoolType |= POOL_VERIFIER_MASK;
  2572. }
  2573. }
  2574. else {
  2575. ASSERT ((PoolType & BASE_POOL_TYPE_MASK) == NonPagedPool);
  2576. MmVerifierData.UnTrackedPool += 1;
  2577. }
  2578. }
  2579. }
  2581. VirtualAddress = ExAllocatePoolWithTagPriority (PoolType,
  2582. NumberOfBytes,
  2583. Tag,
  2584. AllocationPriority);
  2586. if (VirtualAddress == NULL) {
  2587. MmVerifierData.AllocationsFailed += 1;
  2589. if (ReservedHash == TRUE) {
  2591. //
  2592. // Release the hash table entry now as it's not needed.
  2593. //
  2595. ViCancelPoolAllocation (Verifier);
  2596. }
  2598. if ((PoolType & POOL_RAISE_IF_ALLOCATION_FAILURE) != 0) {
  2599. ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
  2600. }
  2601. return NULL;
  2602. }
  2604. VirtualAddress = ViPostPoolAllocation (VirtualAddress,
  2605. NumberOfBytes,
  2606. PoolType,
  2607. Tag,
  2608. CallingAddress);
  2612. return VirtualAddress;
  2613. }
  2615. VOID
  2616. ViFreeTrackedPool (
  2617. IN PVOID VirtualAddress,
  2618. IN SIZE_T ChargedBytes,
  2619. IN LOGICAL CheckType,
  2620. IN LOGICAL SpecialPool
  2621. )
  2623. /*++
  2625. Routine Description:
  2627. Called directly from the pool manager or the memory manager for verifier-
  2628. tracked allocations. The call to ExFreePool is already in progress.
  2630. Arguments:
  2632. VirtualAddress - Supplies the virtual address being freed.
  2634. ChargedBytes - Supplies the number of bytes charged to this allocation.
  2636. CheckType - Supplies PagedPool or NonPagedPool.
  2638. SpecialPool - Supplies TRUE if the allocation is from special pool.
  2640. Return Value:
  2642. None.
  2644. Environment:
  2646. Kernel mode.
  2648. N.B.
  2650. Callers freeing small pool allocations hold no locks or mutexes on entry.
  2652. Callers freeing special pool hold no locks or mutexes on entry.
  2654. Callers freeing pool of PAGE_SIZE or larger hold the nonpaged pool spinlock
  2655. or the PagedPool mutex (depending on allocation type) on entry.
  2657. --*/
  2659. {
  2660. KIRQL OldIrql;
  2661. ULONG_PTR Index;
  2662. PPOOL_HEADER PoolHeader;
  2663. PMI_VERIFIER_POOL_HEADER Header;
  2664. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  2666. ASSERT (VerifierIsTrackingPool == TRUE);
  2668. if (SpecialPool == TRUE) {
  2670. //
  2671. // Special pool allocation.
  2672. //
  2674. if (((ULONG_PTR)VirtualAddress & (PAGE_SIZE - 1))) {
  2675. PoolHeader = PAGE_ALIGN (VirtualAddress);
  2676. Header = (PMI_VERIFIER_POOL_HEADER)(PoolHeader + 1);
  2677. }
  2678. else {
  2679. PoolHeader = (PPOOL_HEADER)((PCHAR)PAGE_ALIGN (VirtualAddress) + PAGE_SIZE - POOL_OVERHEAD);
  2680. Header = (PMI_VERIFIER_POOL_HEADER)(PoolHeader - 1);
  2681. }
  2682. }
  2683. else if (PAGE_ALIGNED(VirtualAddress)) {
  2685. //
  2686. // Large page allocation.
  2687. //
  2689. Header = (PMI_VERIFIER_POOL_HEADER) ((PCHAR)VirtualAddress +
  2690. ChargedBytes -
  2691. sizeof(MI_VERIFIER_POOL_HEADER));
  2692. }
  2693. else {
  2694. ChargedBytes -= POOL_OVERHEAD;
  2695. Header = (PMI_VERIFIER_POOL_HEADER) ((PCHAR)VirtualAddress +
  2696. ChargedBytes -
  2697. sizeof(MI_VERIFIER_POOL_HEADER));
  2698. }
  2700. Verifier = Header->Verifier;
  2702. //
  2703. // Check the pointer now so we can give a more friendly bugcheck
  2704. // rather than crashing below on a bad reference.
  2705. //
  2707. if ((((ULONG_PTR)Verifier & (sizeof(ULONG) - 1)) != 0) ||
  2708. (!MmIsAddressValid(&Verifier->Signature)) ||
  2709. (Verifier->Signature != MI_VERIFIER_ENTRY_SIGNATURE)) {
  2711. //
  2712. // The caller corrupted the saved verifier field.
  2713. //
  2715. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2716. 0x53,
  2717. (ULONG_PTR)VirtualAddress,
  2718. (ULONG_PTR)Header,
  2719. (ULONG_PTR)Verifier);
  2720. }
  2722. Index = Header->ListIndex;
  2724. ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
  2726. ViReleasePoolAllocation (Verifier,
  2727. VirtualAddress,
  2728. Index,
  2729. ChargedBytes);
  2731. if (CheckType == PagedPool) {
  2732. Verifier->PagedBytes -= ChargedBytes;
  2733. Verifier->CurrentPagedPoolAllocations -= 1;
  2735. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  2737. ExAcquireFastMutex (&VerifierPoolMutex);
  2738. MmVerifierData.PagedBytes -= ChargedBytes;
  2739. MmVerifierData.CurrentPagedPoolAllocations -= 1;
  2740. ExReleaseFastMutex (&VerifierPoolMutex);
  2741. }
  2742. else {
  2743. Verifier->NonPagedBytes -= ChargedBytes;
  2744. Verifier->CurrentNonPagedPoolAllocations -= 1;
  2745. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  2747. ExAcquireSpinLock (&VerifierPoolLock, &OldIrql);
  2748. MmVerifierData.NonPagedBytes -= ChargedBytes;
  2749. MmVerifierData.CurrentNonPagedPoolAllocations -= 1;
  2750. ExReleaseSpinLock (&VerifierPoolLock, OldIrql);
  2751. }
  2752. }
  2754. VOID
  2755. VerifierFreeTrackedPool (
  2756. IN PVOID VirtualAddress,
  2757. IN SIZE_T ChargedBytes,
  2758. IN LOGICAL CheckType,
  2759. IN LOGICAL SpecialPool
  2760. )
  2762. /*++
  2764. Routine Description:
  2766. Called directly from the pool manager or the memory manager for verifier-
  2767. tracked allocations. The call to ExFreePool is already in progress.
  2769. Arguments:
  2771. VirtualAddress - Supplies the virtual address being freed.
  2773. ChargedBytes - Supplies the number of bytes charged to this allocation.
  2775. CheckType - Supplies PagedPool or NonPagedPool.
  2777. SpecialPool - Supplies TRUE if the allocation is from special pool.
  2779. Return Value:
  2781. None.
  2783. Environment:
  2785. Kernel mode.
  2787. N.B.
  2789. Callers freeing small pool allocations hold no locks or mutexes on entry.
  2791. Callers freeing special pool hold no locks or mutexes on entry.
  2793. Callers freeing pool of PAGE_SIZE or larger hold the nonpaged pool spinlock
  2794. or the PagedPool mutex (depending on allocation type) on entry.
  2796. --*/
  2798. {
  2799. if (VerifierIsTrackingPool == FALSE) {
  2801. //
  2802. // The verifier is not enabled so the only way this routine is being
  2803. // called is because the pool header is mangled or the caller specified
  2804. // a bad address. Either way it's a bugcheck.
  2805. //
  2807. KeBugCheckEx (BAD_POOL_CALLER,
  2808. 0x99,
  2809. (ULONG_PTR)VirtualAddress,
  2810. 0,
  2811. 0);
  2812. }
  2814. ViFreeTrackedPool (VirtualAddress, ChargedBytes, CheckType, SpecialPool);
  2815. }
  2817. THUNKED_API
  2818. VOID
  2819. VerifierFreePool(
  2820. IN PVOID P
  2821. )
  2822. {
  2823. if (KernelVerifier == TRUE) {
  2824. ExFreePool (P);
  2825. return;
  2826. }
  2828. VerifierFreePoolWithTag (P, 0);
  2829. }
  2831. THUNKED_API
  2832. VOID
  2833. VerifierFreePoolWithTag(
  2834. IN PVOID P,
  2835. IN ULONG TagToFree
  2836. )
  2837. {
  2838. if (KernelVerifier == TRUE) {
  2839. ExFreePoolWithTag (P, TagToFree);
  2840. return;
  2841. }
  2843. ExFreePoolSanityChecks (P);
  2845. ExFreePoolWithTag (P, TagToFree);
  2846. }
  2848. THUNKED_API
  2849. LONG
  2850. VerifierSetEvent (
  2851. IN PRKEVENT Event,
  2852. IN KPRIORITY Increment,
  2853. IN BOOLEAN Wait
  2854. )
  2855. {
  2856. KIRQL CurrentIrql;
  2858. CurrentIrql = KeGetCurrentIrql();
  2859. if (CurrentIrql > DISPATCH_LEVEL) {
  2860. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2861. 0x80,
  2862. CurrentIrql,
  2863. (ULONG_PTR)Event,
  2864. (ULONG_PTR)0);
  2865. }
  2867. return KeSetEvent (Event, Increment, Wait);
  2868. }
  2870. THUNKED_API
  2871. BOOLEAN
  2872. VerifierExAcquireResourceExclusiveLite(
  2873. IN PERESOURCE Resource,
  2874. IN BOOLEAN Wait
  2875. )
  2876. {
  2877. KIRQL CurrentIrql;
  2879. CurrentIrql = KeGetCurrentIrql ();
  2881. if ((CurrentIrql != APC_LEVEL) &&
  2882. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  2883. (KeGetCurrentThread()->KernelApcDisable == 0)) {
  2885. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2886. 0x37,
  2887. CurrentIrql,
  2888. (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
  2889. (ULONG_PTR)Resource);
  2890. }
  2892. return ExAcquireResourceExclusiveLite (Resource, Wait);
  2893. }
  2895. THUNKED_API
  2896. VOID
  2897. FASTCALL
  2898. VerifierExReleaseResourceLite(
  2899. IN PERESOURCE Resource
  2900. )
  2901. {
  2902. KIRQL CurrentIrql;
  2904. CurrentIrql = KeGetCurrentIrql ();
  2906. if ((CurrentIrql != APC_LEVEL) &&
  2907. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  2908. (KeGetCurrentThread()->KernelApcDisable == 0)) {
  2910. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2911. 0x38,
  2912. CurrentIrql,
  2913. (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
  2914. (ULONG_PTR)Resource);
  2915. }
  2917. ExReleaseResourceLite (Resource);
  2918. }
  2920. int VerifierIrqlData[0x10];
  2922. VOID
  2923. KfSanityCheckRaiseIrql (
  2924. IN KIRQL NewIrql
  2925. )
  2926. {
  2927. KIRQL CurrentIrql;
  2929. //
  2930. // Check for the caller inadvertently lowering.
  2931. //
  2933. CurrentIrql = KeGetCurrentIrql ();
  2935. if (CurrentIrql == NewIrql) {
  2936. VerifierIrqlData[0] += 1;
  2937. if (CurrentIrql == APC_LEVEL) {
  2938. VerifierIrqlData[1] += 1;
  2939. }
  2940. else if (CurrentIrql == DISPATCH_LEVEL) {
  2941. VerifierIrqlData[2] += 1;
  2942. }
  2943. else {
  2944. VerifierIrqlData[3] += 1;
  2945. }
  2946. }
  2947. else {
  2948. VerifierIrqlData[4] += 1;
  2949. }
  2951. if (CurrentIrql > NewIrql) {
  2952. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2953. 0x30,
  2954. CurrentIrql,
  2955. NewIrql,
  2956. 0);
  2957. }
  2959. //
  2960. // Check for the caller using an uninitialized variable.
  2961. //
  2963. if (NewIrql > HIGH_LEVEL) {
  2964. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  2965. 0x30,
  2966. CurrentIrql,
  2967. NewIrql,
  2968. 0);
  2969. }
  2971. if (ViTrackIrqlQueue != NULL) {
  2972. ViTrackIrqlLog (CurrentIrql, NewIrql);
  2973. }
  2974. }
  2976. VOID
  2977. KfSanityCheckLowerIrql (
  2978. IN KIRQL NewIrql
  2979. )
  2980. {
  2981. KIRQL CurrentIrql;
  2983. //
  2984. // Check for the caller inadvertently lowering.
  2985. //
  2987. CurrentIrql = KeGetCurrentIrql ();
  2989. if (CurrentIrql == NewIrql) {
  2990. VerifierIrqlData[8] += 1;
  2991. if (CurrentIrql == APC_LEVEL) {
  2992. VerifierIrqlData[9] += 1;
  2993. }
  2994. else if (CurrentIrql == DISPATCH_LEVEL) {
  2995. VerifierIrqlData[10] += 1;
  2996. }
  2997. else {
  2998. VerifierIrqlData[11] += 1;
  2999. }
  3000. }
  3001. else {
  3002. VerifierIrqlData[12] += 1;
  3003. }
  3005. if (CurrentIrql < NewIrql) {
  3006. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3007. 0x31,
  3008. CurrentIrql,
  3009. NewIrql,
  3010. 0);
  3011. }
  3013. //
  3014. // Check for the caller using an uninitialized variable.
  3015. //
  3017. if (NewIrql > HIGH_LEVEL) {
  3018. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3019. 0x31,
  3020. CurrentIrql,
  3021. NewIrql,
  3022. 0);
  3023. }
  3025. if (ViTrackIrqlQueue != NULL) {
  3026. ViTrackIrqlLog (CurrentIrql, NewIrql);
  3027. }
  3028. }
  3030. #define VI_TRIM_KERNEL 0x00000001
  3031. #define VI_TRIM_USER 0x00000002
  3032. #define VI_TRIM_SESSION 0x00000004
  3033. #define VI_TRIM_PURGE 0x80000000
  3035. ULONG ViTrimSpaces = VI_TRIM_KERNEL;
  3037. VOID
  3038. ViTrimAllSystemPagableMemory (
  3039. VOID
  3040. )
  3041. {
  3042. LOGICAL PurgeTransition;
  3043. LARGE_INTEGER CurrentTime;
  3044. LOGICAL PageOut;
  3046. PageOut = TRUE;
  3047. if (KernelVerifier == TRUE) {
  3048. KeQueryTickCount(&CurrentTime);
  3049. if ((CurrentTime.LowPart & KernelVerifierTickPage) != 0) {
  3050. PageOut = FALSE;
  3051. }
  3052. }
  3054. if ((PageOut == TRUE) && (MiNoPageOnRaiseIrql == 0)) {
  3055. MmVerifierData.TrimRequests += 1;
  3057. if (ViTrimSpaces & VI_TRIM_PURGE) {
  3058. PurgeTransition = TRUE;
  3059. }
  3060. else {
  3061. PurgeTransition = FALSE;
  3062. }
  3064. if (ViTrimSpaces & VI_TRIM_KERNEL) {
  3065. if (MmTrimAllSystemPagableMemory (PurgeTransition) == TRUE) {
  3066. MmVerifierData.Trims += 1;
  3067. }
  3068. }
  3070. if (ViTrimSpaces & VI_TRIM_USER) {
  3071. if (MmTrimProcessMemory (PurgeTransition) == TRUE) {
  3072. MmVerifierData.UserTrims += 1;
  3073. }
  3074. }
  3076. if (ViTrimSpaces & VI_TRIM_SESSION) {
  3077. if (MmTrimSessionMemory (PurgeTransition) == TRUE) {
  3078. MmVerifierData.SessionTrims += 1;
  3079. }
  3080. }
  3081. }
  3082. }
  3084. typedef
  3085. VOID
  3086. (*PKE_ACQUIRE_SPINLOCK) (
  3087. IN PKSPIN_LOCK SpinLock,
  3088. OUT PKIRQL OldIrql
  3089. );
  3091. THUNKED_API
  3092. VOID
  3093. VerifierKeAcquireSpinLock (
  3094. IN PKSPIN_LOCK SpinLock,
  3095. OUT PKIRQL OldIrql
  3096. )
  3097. {
  3098. KIRQL CurrentIrql;
  3100. #if defined (_X86_)
  3101. PKE_ACQUIRE_SPINLOCK HalRoutine;
  3102. #endif
  3104. CurrentIrql = KeGetCurrentIrql ();
  3106. KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
  3108. MmVerifierData.AcquireSpinLocks += 1;
  3110. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3111. if (CurrentIrql < DISPATCH_LEVEL) {
  3112. ViTrimAllSystemPagableMemory ();
  3113. }
  3114. }
  3116. #if defined (_X86_)
  3117. HalRoutine = (PKE_ACQUIRE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_ACQUIRE_SPINLOCK];
  3119. if (HalRoutine) {
  3120. (*HalRoutine)(SpinLock, OldIrql);
  3122. VfDeadlockAcquireResource(SpinLock,
  3123. VfDeadlockSpinLock,
  3124. KeGetCurrentThread(),
  3125. FALSE,
  3126. _ReturnAddress());
  3127. return;
  3128. }
  3129. #endif
  3131. KeAcquireSpinLock (SpinLock, OldIrql);
  3133. VfDeadlockAcquireResource(SpinLock,
  3134. VfDeadlockSpinLock,
  3135. KeGetCurrentThread(),
  3136. FALSE,
  3137. _ReturnAddress());
  3138. }
  3140. typedef
  3141. VOID
  3142. (*PKE_RELEASE_SPINLOCK) (
  3143. IN PKSPIN_LOCK SpinLock,
  3144. IN KIRQL NewIrql
  3145. );
  3147. THUNKED_API
  3148. VOID
  3149. VerifierKeReleaseSpinLock (
  3150. IN PKSPIN_LOCK SpinLock,
  3151. IN KIRQL NewIrql
  3152. )
  3153. {
  3154. KIRQL CurrentIrql;
  3155. #if defined (_X86_)
  3156. PKE_RELEASE_SPINLOCK HalRoutine;
  3157. #endif
  3159. CurrentIrql = KeGetCurrentIrql ();
  3161. //
  3162. // Caller better still be at DISPATCH_LEVEL when releasing the spinlock
  3163. //
  3165. if (CurrentIrql < DISPATCH_LEVEL) {
  3166. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3167. 0x32,
  3168. CurrentIrql,
  3169. (ULONG_PTR)SpinLock,
  3170. 0);
  3171. }
  3173. KfSanityCheckLowerIrql (NewIrql);
  3175. #if defined (_X86_)
  3176. HalRoutine = (PKE_RELEASE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RELEASE_SPINLOCK];
  3178. if (HalRoutine) {
  3179. VfDeadlockReleaseResource(SpinLock,
  3180. VfDeadlockSpinLock,
  3181. KeGetCurrentThread(),
  3182. _ReturnAddress());
  3183. (*HalRoutine)(SpinLock, NewIrql);
  3185. return;
  3186. }
  3187. #endif
  3189. VfDeadlockReleaseResource(SpinLock,
  3190. VfDeadlockSpinLock,
  3191. KeGetCurrentThread(),
  3192. _ReturnAddress());
  3194. KeReleaseSpinLock (SpinLock, NewIrql);
  3195. }
  3197. //
  3198. // Verifier thunks for AcquireSpinLockAtDpcLevel and ReleaseSpinLockFromDpcLevel.
  3199. //
  3200. // On x86 the functions exported by the kernel that are used by the driver are:
  3201. // KefAcquire.../KefRelease.... On other platforms the functions used by drivers
  3202. // are KeAcquire.../KeRelease. Among other differences the x86 versions use the
  3203. // fastcall convention which requires additional precaution.
  3204. //
  3206. THUNKED_API
  3207. VOID
  3208. #if defined(_X86_)
  3209. FASTCALL
  3210. #endif
  3211. VerifierKeAcquireSpinLockAtDpcLevel (
  3212. IN PKSPIN_LOCK SpinLock
  3213. )
  3214. {
  3215. KIRQL CurrentIrql;
  3217. CurrentIrql = KeGetCurrentIrql ();
  3219. //
  3220. // Caller better be at or above DISPATCH_LEVEL.
  3221. //
  3223. if (CurrentIrql < DISPATCH_LEVEL) {
  3224. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3225. 0x40,
  3226. CurrentIrql,
  3227. (ULONG_PTR)SpinLock,
  3228. 0);
  3229. }
  3231. MmVerifierData.AcquireSpinLocks += 1;
  3233. KeAcquireSpinLockAtDpcLevel (SpinLock);
  3235. VfDeadlockAcquireResource(SpinLock,
  3236. VfDeadlockSpinLock,
  3237. KeGetCurrentThread(),
  3238. FALSE,
  3239. _ReturnAddress());
  3240. }
  3242. THUNKED_API
  3243. VOID
  3244. #if defined(_X86_)
  3245. FASTCALL
  3246. #endif
  3247. VerifierKeReleaseSpinLockFromDpcLevel (
  3248. IN PKSPIN_LOCK SpinLock
  3249. )
  3250. {
  3251. KIRQL CurrentIrql;
  3253. CurrentIrql = KeGetCurrentIrql ();
  3255. //
  3256. // Caller better be at DISPATCH_LEVEL.
  3257. //
  3259. if (CurrentIrql < DISPATCH_LEVEL) {
  3260. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3261. 0x41,
  3262. CurrentIrql,
  3263. (ULONG_PTR)SpinLock,
  3264. 0);
  3265. }
  3267. VfDeadlockReleaseResource(SpinLock,
  3268. VfDeadlockSpinLock,
  3269. KeGetCurrentThread(),
  3270. _ReturnAddress());
  3272. KeReleaseSpinLockFromDpcLevel (SpinLock);
  3273. }
  3275. #if !defined(_X86_)
  3277. THUNKED_API
  3278. KIRQL
  3279. VerifierKeAcquireSpinLockRaiseToDpc (
  3280. IN PKSPIN_LOCK SpinLock
  3281. )
  3282. {
  3283. KIRQL NewIrql = KeAcquireSpinLockRaiseToDpc (SpinLock);
  3285. VfDeadlockAcquireResource (SpinLock,
  3286. VfDeadlockSpinLock,
  3287. KeGetCurrentThread(),
  3288. FALSE,
  3289. _ReturnAddress());
  3291. return NewIrql;
  3292. }
  3295. #endif
  3300. #if defined (_X86_)
  3302. typedef
  3303. KIRQL
  3304. (FASTCALL *PKF_ACQUIRE_SPINLOCK) (
  3305. IN PKSPIN_LOCK SpinLock
  3306. );
  3308. THUNKED_API
  3309. KIRQL
  3310. FASTCALL
  3311. VerifierKfAcquireSpinLock (
  3312. IN PKSPIN_LOCK SpinLock
  3313. )
  3314. {
  3315. KIRQL CurrentIrql;
  3316. PKF_ACQUIRE_SPINLOCK HalRoutine;
  3318. CurrentIrql = KeGetCurrentIrql ();
  3320. KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
  3322. MmVerifierData.AcquireSpinLocks += 1;
  3324. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3325. if (CurrentIrql < DISPATCH_LEVEL) {
  3326. ViTrimAllSystemPagableMemory ();
  3327. }
  3328. }
  3330. #if defined (_X86_)
  3331. HalRoutine = (PKF_ACQUIRE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_ACQUIRE_SPINLOCK];
  3333. if (HalRoutine) {
  3334. CurrentIrql = (*HalRoutine)(SpinLock);
  3336. VfDeadlockAcquireResource(SpinLock,
  3337. VfDeadlockSpinLock,
  3338. KeGetCurrentThread(),
  3339. FALSE,
  3340. _ReturnAddress());
  3342. return CurrentIrql;
  3343. }
  3344. #endif
  3346. CurrentIrql = KfAcquireSpinLock (SpinLock);
  3348. VfDeadlockAcquireResource(SpinLock,
  3349. VfDeadlockSpinLock,
  3350. KeGetCurrentThread(),
  3351. FALSE,
  3352. _ReturnAddress());
  3354. return CurrentIrql;
  3355. }
  3357. typedef
  3358. VOID
  3359. (FASTCALL *PKF_RELEASE_SPINLOCK) (
  3360. IN PKSPIN_LOCK SpinLock,
  3361. IN KIRQL NewIrql
  3362. );
  3364. THUNKED_API
  3365. VOID
  3366. FASTCALL
  3367. VerifierKfReleaseSpinLock (
  3368. IN PKSPIN_LOCK SpinLock,
  3369. IN KIRQL NewIrql
  3370. )
  3371. {
  3372. KIRQL CurrentIrql;
  3373. PKF_RELEASE_SPINLOCK HalRoutine;
  3375. CurrentIrql = KeGetCurrentIrql ();
  3377. //
  3378. // Caller better still be at DISPATCH_LEVEL when releasing the spinlock.
  3379. //
  3381. if (CurrentIrql < DISPATCH_LEVEL) {
  3382. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3383. 0x35,
  3384. CurrentIrql,
  3385. (ULONG_PTR)SpinLock,
  3386. NewIrql);
  3387. }
  3389. KfSanityCheckLowerIrql (NewIrql);
  3391. #if defined (_X86_)
  3392. HalRoutine = (PKF_RELEASE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_RELEASE_SPINLOCK];
  3394. if (HalRoutine) {
  3395. VfDeadlockReleaseResource(SpinLock,
  3396. VfDeadlockSpinLock,
  3397. KeGetCurrentThread(),
  3398. _ReturnAddress());
  3400. (*HalRoutine)(SpinLock, NewIrql);
  3401. return;
  3402. }
  3403. #endif
  3405. VfDeadlockReleaseResource(SpinLock,
  3406. VfDeadlockSpinLock,
  3407. KeGetCurrentThread(),
  3408. _ReturnAddress());
  3410. KfReleaseSpinLock (SpinLock, NewIrql);
  3411. }
  3414. #if !defined(NT_UP)
  3416. typedef
  3417. KIRQL
  3418. (FASTCALL *PKE_ACQUIRE_QUEUED_SPINLOCK) (
  3419. IN KSPIN_LOCK_QUEUE_NUMBER Number
  3420. );
  3422. THUNKED_API
  3423. KIRQL
  3424. FASTCALL
  3425. VerifierKeAcquireQueuedSpinLock (
  3426. IN KSPIN_LOCK_QUEUE_NUMBER Number
  3427. )
  3428. {
  3429. KIRQL CurrentIrql;
  3430. PKE_ACQUIRE_QUEUED_SPINLOCK HalRoutine;
  3432. CurrentIrql = KeGetCurrentIrql ();
  3434. KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
  3436. MmVerifierData.AcquireSpinLocks += 1;
  3438. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3439. if (CurrentIrql < DISPATCH_LEVEL) {
  3440. ViTrimAllSystemPagableMemory ();
  3441. }
  3442. }
  3444. #if defined (_X86_)
  3445. HalRoutine = (PKE_ACQUIRE_QUEUED_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_ACQUIRE_QUEUED_SPINLOCK];
  3447. if (HalRoutine) {
  3448. return (*HalRoutine)(Number);
  3449. }
  3450. #endif
  3453. CurrentIrql = KeAcquireQueuedSpinLock (Number);
  3455. return CurrentIrql;
  3456. }
  3458. typedef
  3459. VOID
  3460. (FASTCALL *PKE_RELEASE_QUEUED_SPINLOCK) (
  3461. IN KSPIN_LOCK_QUEUE_NUMBER Number,
  3462. IN KIRQL OldIrql
  3463. );
  3465. THUNKED_API
  3466. VOID
  3467. FASTCALL
  3468. VerifierKeReleaseQueuedSpinLock (
  3469. IN KSPIN_LOCK_QUEUE_NUMBER Number,
  3470. IN KIRQL OldIrql
  3471. )
  3472. {
  3473. KIRQL CurrentIrql;
  3474. PKE_RELEASE_QUEUED_SPINLOCK HalRoutine;
  3476. CurrentIrql = KeGetCurrentIrql ();
  3478. if (KernelVerifier == TRUE) {
  3479. if (CurrentIrql < DISPATCH_LEVEL) {
  3480. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3481. 0x36,
  3482. CurrentIrql,
  3483. (ULONG_PTR)Number,
  3484. (ULONG_PTR)OldIrql);
  3485. }
  3486. }
  3488. KfSanityCheckLowerIrql (OldIrql);
  3490. #if defined (_X86_)
  3491. HalRoutine = (PKE_RELEASE_QUEUED_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RELEASE_QUEUED_SPINLOCK];
  3493. if (HalRoutine) {
  3494. (*HalRoutine)(Number, OldIrql);
  3495. return;
  3496. }
  3497. #endif
  3499. KeReleaseQueuedSpinLock (Number, OldIrql);
  3500. }
  3501. #endif // NT_UP
  3503. #endif // _X86_
  3505. #if defined(_X86_) || defined(_AMD64_)
  3507. typedef
  3508. KIRQL
  3509. (FASTCALL *PKF_RAISE_IRQL) (
  3510. IN KIRQL NewIrql
  3511. );
  3513. THUNKED_API
  3514. KIRQL
  3515. FASTCALL
  3516. VerifierKfRaiseIrql (
  3517. IN KIRQL NewIrql
  3518. )
  3519. {
  3520. #if defined (_X86_)
  3521. PKF_RAISE_IRQL HalRoutine;
  3522. #endif
  3523. KIRQL CurrentIrql;
  3525. CurrentIrql = KeGetCurrentIrql ();
  3527. KfSanityCheckRaiseIrql (NewIrql);
  3529. MmVerifierData.RaiseIrqls += 1;
  3531. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3532. if ((CurrentIrql < DISPATCH_LEVEL) && (NewIrql >= DISPATCH_LEVEL)) {
  3533. ViTrimAllSystemPagableMemory ();
  3534. }
  3535. }
  3537. #if defined (_X86_)
  3538. HalRoutine = (PKF_RAISE_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_RAISE_IRQL];
  3539. if (HalRoutine) {
  3540. return (*HalRoutine)(NewIrql);
  3541. }
  3542. #endif
  3544. return KfRaiseIrql (NewIrql);
  3545. }
  3547. typedef
  3548. KIRQL
  3549. (FASTCALL *PKE_RAISE_IRQL_TO_DPC_LEVEL) (
  3550. VOID
  3551. );
  3553. THUNKED_API
  3554. KIRQL
  3555. VerifierKeRaiseIrqlToDpcLevel (
  3556. VOID
  3557. )
  3558. {
  3559. #if defined (_X86_)
  3560. PKE_RAISE_IRQL_TO_DPC_LEVEL HalRoutine;
  3561. #endif
  3562. KIRQL CurrentIrql;
  3564. CurrentIrql = KeGetCurrentIrql ();
  3566. KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
  3568. MmVerifierData.RaiseIrqls += 1;
  3570. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3571. if (CurrentIrql < DISPATCH_LEVEL) {
  3572. ViTrimAllSystemPagableMemory ();
  3573. }
  3574. }
  3576. #if defined (_X86_)
  3577. HalRoutine = (PKE_RAISE_IRQL_TO_DPC_LEVEL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RAISE_IRQL_TO_DPC_LEVEL];
  3578. if (HalRoutine) {
  3579. return (*HalRoutine)();
  3580. }
  3581. #endif
  3583. return KeRaiseIrqlToDpcLevel ();
  3584. }
  3586. #endif // _X86_ || _AMD64_
  3588. #if defined(_X86_)
  3590. typedef
  3591. VOID
  3592. (FASTCALL *PKF_LOWER_IRQL) (
  3593. IN KIRQL NewIrql
  3594. );
  3596. THUNKED_API
  3597. VOID
  3598. FASTCALL
  3599. VerifierKfLowerIrql (
  3600. IN KIRQL NewIrql
  3601. )
  3602. {
  3603. PKF_LOWER_IRQL HalRoutine;
  3605. KfSanityCheckLowerIrql (NewIrql);
  3607. #if defined (_X86_)
  3608. HalRoutine = (PKF_LOWER_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_LOWER_IRQL];
  3609. if (HalRoutine) {
  3610. (*HalRoutine)(NewIrql);
  3611. return;
  3612. }
  3613. #endif
  3615. KfLowerIrql (NewIrql);
  3616. }
  3618. #endif
  3620. THUNKED_API
  3621. BOOLEAN
  3622. FASTCALL
  3623. VerifierExTryToAcquireFastMutex (
  3624. IN PFAST_MUTEX FastMutex
  3625. )
  3626. {
  3627. KIRQL CurrentIrql;
  3628. BOOLEAN Acquired;
  3630. CurrentIrql = KeGetCurrentIrql ();
  3632. //
  3633. // Caller better be at or below APC_LEVEL or have APCs blocked.
  3634. //
  3636. if (CurrentIrql > APC_LEVEL) {
  3637. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3638. 0x33,
  3639. CurrentIrql,
  3640. (ULONG_PTR)FastMutex,
  3641. 0);
  3642. }
  3644. Acquired = ExTryToAcquireFastMutex (FastMutex);
  3645. if (Acquired != FALSE) {
  3646. VfDeadlockAcquireResource(FastMutex,
  3647. VfDeadlockFastMutex,
  3648. KeGetCurrentThread(),
  3649. TRUE,
  3650. _ReturnAddress());
  3651. }
  3653. return Acquired;
  3655. }
  3657. THUNKED_API
  3658. VOID
  3659. FASTCALL
  3660. VerifierExAcquireFastMutex (
  3661. IN PFAST_MUTEX FastMutex
  3662. )
  3663. {
  3664. KIRQL CurrentIrql;
  3666. CurrentIrql = KeGetCurrentIrql ();
  3668. //
  3669. // Caller better be at or below APC_LEVEL or have APCs blocked.
  3670. //
  3672. if (CurrentIrql > APC_LEVEL) {
  3673. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3674. 0x33,
  3675. CurrentIrql,
  3676. (ULONG_PTR)FastMutex,
  3677. 0);
  3678. }
  3680. ExAcquireFastMutex (FastMutex);
  3682. VfDeadlockAcquireResource(FastMutex,
  3683. VfDeadlockFastMutex,
  3684. KeGetCurrentThread(),
  3685. FALSE,
  3686. _ReturnAddress());
  3687. }
  3689. THUNKED_API
  3690. VOID
  3691. FASTCALL
  3692. VerifierExAcquireFastMutexUnsafe (
  3693. IN PFAST_MUTEX FastMutex
  3694. )
  3695. {
  3696. KIRQL CurrentIrql;
  3698. CurrentIrql = KeGetCurrentIrql ();
  3700. //
  3701. // Caller better be at APC_LEVEL or have APCs blocked.
  3702. //
  3704. if ((CurrentIrql != APC_LEVEL) &&
  3705. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  3706. (KeGetCurrentThread()->KernelApcDisable == 0)) {
  3708. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3709. 0x39,
  3710. CurrentIrql,
  3711. (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
  3712. (ULONG_PTR)FastMutex);
  3713. }
  3714. ExAcquireFastMutexUnsafe (FastMutex);
  3716. VfDeadlockAcquireResource(FastMutex,
  3717. VfDeadlockFastMutexUnsafe,
  3718. KeGetCurrentThread(),
  3719. FALSE,
  3720. _ReturnAddress());
  3721. }
  3723. THUNKED_API
  3724. VOID
  3725. FASTCALL
  3726. VerifierExReleaseFastMutex (
  3727. IN PFAST_MUTEX FastMutex
  3728. )
  3729. {
  3730. KIRQL CurrentIrql;
  3732. CurrentIrql = KeGetCurrentIrql ();
  3734. //
  3735. // Caller better be at APC_LEVEL or have APCs blocked.
  3736. //
  3738. if ((CurrentIrql != APC_LEVEL) &&
  3739. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  3740. (KeGetCurrentThread()->KernelApcDisable == 0)) {
  3742. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3743. 0x34,
  3744. CurrentIrql,
  3745. (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
  3746. (ULONG_PTR)FastMutex);
  3747. }
  3749. VfDeadlockReleaseResource(FastMutex,
  3750. VfDeadlockFastMutex,
  3751. KeGetCurrentThread(),
  3752. _ReturnAddress());
  3753. ExReleaseFastMutex (FastMutex);
  3754. }
  3756. THUNKED_API
  3757. VOID
  3758. FASTCALL
  3759. VerifierExReleaseFastMutexUnsafe (
  3760. IN PFAST_MUTEX FastMutex
  3761. )
  3762. {
  3763. KIRQL CurrentIrql;
  3765. CurrentIrql = KeGetCurrentIrql ();
  3767. //
  3768. // Caller better be at APC_LEVEL or have APCs blocked.
  3769. //
  3771. if ((CurrentIrql != APC_LEVEL) &&
  3772. (!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
  3773. (KeGetCurrentThread()->KernelApcDisable == 0)) {
  3775. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3776. 0x3A,
  3777. CurrentIrql,
  3778. (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
  3779. (ULONG_PTR)FastMutex);
  3780. }
  3782. VfDeadlockReleaseResource(FastMutex,
  3783. VfDeadlockFastMutexUnsafe,
  3784. KeGetCurrentThread(),
  3785. _ReturnAddress());
  3786. ExReleaseFastMutexUnsafe (FastMutex);
  3788. }
  3790. typedef
  3791. VOID
  3792. (*PKE_RAISE_IRQL) (
  3793. IN KIRQL NewIrql,
  3794. OUT PKIRQL OldIrql
  3795. );
  3797. THUNKED_API
  3798. VOID
  3799. VerifierKeRaiseIrql (
  3800. IN KIRQL NewIrql,
  3801. OUT PKIRQL OldIrql
  3802. )
  3803. {
  3804. #if defined (_X86_)
  3805. PKE_RAISE_IRQL HalRoutine;
  3806. #endif
  3808. *OldIrql = KeGetCurrentIrql ();
  3810. KfSanityCheckRaiseIrql (NewIrql);
  3812. MmVerifierData.RaiseIrqls += 1;
  3814. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3815. if ((*OldIrql < DISPATCH_LEVEL) && (NewIrql >= DISPATCH_LEVEL)) {
  3816. ViTrimAllSystemPagableMemory ();
  3817. }
  3818. }
  3820. #if defined (_X86_)
  3821. HalRoutine = (PKE_RAISE_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RAISE_IRQL];
  3822. if (HalRoutine) {
  3823. (*HalRoutine)(NewIrql, OldIrql);
  3824. return;
  3825. }
  3826. #endif
  3828. KeRaiseIrql (NewIrql, OldIrql);
  3829. }
  3831. typedef
  3832. VOID
  3833. (*PKE_LOWER_IRQL) (
  3834. IN KIRQL NewIrql
  3835. );
  3837. THUNKED_API
  3838. VOID
  3839. VerifierKeLowerIrql (
  3840. IN KIRQL NewIrql
  3841. )
  3842. {
  3843. #if defined (_X86_)
  3844. PKE_LOWER_IRQL HalRoutine;
  3845. #endif
  3847. KfSanityCheckLowerIrql (NewIrql);
  3849. #if defined (_X86_)
  3850. HalRoutine = (PKE_LOWER_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_LOWER_IRQL];
  3851. if (HalRoutine) {
  3852. (*HalRoutine)(NewIrql);
  3853. return;
  3854. }
  3855. #endif
  3857. KeLowerIrql (NewIrql);
  3858. }
  3860. THUNKED_API
  3861. BOOLEAN
  3862. VerifierSynchronizeExecution (
  3863. IN PKINTERRUPT Interrupt,
  3864. IN PKSYNCHRONIZE_ROUTINE SynchronizeRoutine,
  3865. IN PVOID SynchronizeContext
  3866. )
  3867. {
  3868. KIRQL OldIrql;
  3870. OldIrql = KeGetCurrentIrql ();
  3872. KfSanityCheckRaiseIrql (Interrupt->SynchronizeIrql);
  3874. MmVerifierData.SynchronizeExecutions += 1;
  3876. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  3877. if ((OldIrql < DISPATCH_LEVEL) && (Interrupt->SynchronizeIrql >= DISPATCH_LEVEL)) {
  3878. ViTrimAllSystemPagableMemory ();
  3879. }
  3880. }
  3882. return KeSynchronizeExecution (Interrupt,
  3883. SynchronizeRoutine,
  3884. SynchronizeContext);
  3885. }
  3887. THUNKED_API
  3888. VOID
  3889. VerifierKeInitializeTimerEx(
  3890. IN PKTIMER Timer,
  3891. IN TIMER_TYPE Type
  3892. )
  3893. {
  3894. //
  3895. // Check the object being initialized isn't already an
  3896. // active timer. Make sure the timer table list is initialized.
  3897. //
  3899. if (KiTimerTableListHead[0].Flink != NULL) {
  3900. KeCheckForTimer(Timer, sizeof(KTIMER));
  3901. }
  3903. KeInitializeTimerEx(Timer, Type);
  3904. }
  3906. THUNKED_API
  3907. VOID
  3908. VerifierKeInitializeTimer(
  3909. IN PKTIMER Timer
  3910. )
  3911. {
  3912. VerifierKeInitializeTimerEx(Timer, NotificationTimer);
  3913. }
  3916. THUNKED_API
  3917. NTSTATUS
  3918. VerifierKeWaitForSingleObject (
  3919. IN PVOID Object,
  3920. IN KWAIT_REASON WaitReason,
  3921. IN KPROCESSOR_MODE WaitMode,
  3922. IN BOOLEAN Alertable,
  3923. IN PLARGE_INTEGER Timeout OPTIONAL
  3924. )
  3925. {
  3926. KIRQL CurrentIrql;
  3927. PRKTHREAD Thread;
  3928. NTSTATUS Status;
  3929. BOOLEAN TryAcquire;
  3931. if (! ((ARGUMENT_PRESENT(Timeout)) && (Timeout->QuadPart == 0))) {
  3933. CurrentIrql = KeGetCurrentIrql ();
  3935. if (CurrentIrql >= DISPATCH_LEVEL) {
  3937. Thread = KeGetCurrentThread();
  3939. //
  3940. // Skip situations where KeWait is called at DPC level
  3941. // to optimize dispatcher database lock handling.
  3942. //
  3944. if (Thread->WaitNext == FALSE) {
  3946. //
  3947. // Cannot call KeWait at DPC level.
  3948. //
  3950. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  3951. 0x3B,
  3952. (ULONG_PTR)CurrentIrql,
  3953. (ULONG_PTR)Object,
  3954. (ULONG_PTR)Timeout);
  3955. }
  3956. }
  3957. }
  3960. Status = KeWaitForSingleObject (Object,
  3961. WaitReason,
  3962. WaitMode,
  3963. Alertable,
  3964. Timeout);
  3966. if ((STATUS_SUCCESS == Status) &&
  3967. (((PRKMUTANT) Object)->Header.Type == MutantObject)) {
  3969. if (ARGUMENT_PRESENT(Timeout)) {
  3970. TryAcquire = TRUE;
  3971. }
  3972. else {
  3973. TryAcquire = FALSE;
  3974. }
  3976. VfDeadlockAcquireResource (Object,
  3977. VfDeadlockMutex,
  3978. KeGetCurrentThread (),
  3979. TryAcquire,
  3980. _ReturnAddress ());
  3981. }
  3983. return Status;
  3985. }
  3987. THUNKED_API
  3988. LONG
  3989. VerifierKeReleaseMutex(
  3990. IN PRKMUTEX Mutex,
  3991. IN BOOLEAN Wait
  3992. )
  3993. {
  3994. VfDeadlockReleaseResource(Mutex,
  3995. VfDeadlockMutex,
  3996. KeGetCurrentThread(),
  3997. _ReturnAddress());
  3999. return KeReleaseMutex(Mutex, Wait);
  4000. }
  4002. THUNKED_API
  4003. VOID
  4004. VerifierKeInitializeMutex(
  4005. IN PRKMUTEX Mutex,
  4006. IN ULONG Level
  4007. )
  4008. {
  4009. KeInitializeMutex (Mutex,Level);
  4010. VfDeadlockInitializeResource (Mutex, VfDeadlockMutex, _ReturnAddress(), FALSE);
  4011. }
  4013. THUNKED_API
  4014. LONG
  4015. VerifierKeReleaseMutant(
  4016. IN PRKMUTANT Mutant,
  4017. IN KPRIORITY Increment,
  4018. IN BOOLEAN Abandoned,
  4019. IN BOOLEAN Wait
  4020. )
  4021. {
  4022. VfDeadlockReleaseResource(Mutant,
  4023. VfDeadlockMutex,
  4024. KeGetCurrentThread(),
  4025. _ReturnAddress());
  4027. return KeReleaseMutant(Mutant, Increment, Abandoned, Wait);
  4028. }
  4030. THUNKED_API
  4031. VOID
  4032. VerifierKeInitializeMutant(
  4033. IN PRKMUTANT Mutant,
  4034. IN BOOLEAN InitialOwner
  4035. )
  4036. {
  4037. KeInitializeMutant (Mutant, InitialOwner);
  4038. VfDeadlockInitializeResource (Mutant, VfDeadlockMutex, _ReturnAddress(), FALSE);
  4040. if (InitialOwner) {
  4042. VfDeadlockAcquireResource (Mutant,
  4043. VfDeadlockMutex,
  4044. KeGetCurrentThread(),
  4045. FALSE,
  4046. _ReturnAddress());
  4047. }
  4048. }
  4050. THUNKED_API
  4051. VOID
  4052. VerifierKeInitializeSpinLock(
  4053. IN PKSPIN_LOCK SpinLock
  4054. )
  4055. {
  4056. KeInitializeSpinLock (SpinLock);
  4057. VfDeadlockInitializeResource (SpinLock, VfDeadlockSpinLock, _ReturnAddress(), FALSE);
  4059. }
  4061. NTSTATUS
  4062. VerifierReferenceObjectByHandle (
  4063. IN HANDLE Handle,
  4064. IN ACCESS_MASK DesiredAccess,
  4065. IN POBJECT_TYPE ObjectType OPTIONAL,
  4066. IN KPROCESSOR_MODE AccessMode,
  4067. OUT PVOID *Object,
  4068. OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
  4069. )
  4070. {
  4071. NTSTATUS Status;
  4073. Status = ObReferenceObjectByHandle (Handle,
  4074. DesiredAccess,
  4075. ObjectType,
  4076. AccessMode,
  4077. Object,
  4078. HandleInformation);
  4079. if (AccessMode == KernelMode || PsIsSystemThread (PsGetCurrentThread ())) {
  4080. if (Status == STATUS_INVALID_HANDLE || Status == STATUS_OBJECT_TYPE_MISMATCH) {
  4081. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  4082. 0x3C,
  4083. (ULONG_PTR)Handle,
  4084. (ULONG_PTR)ObjectType,
  4085. (ULONG_PTR)0);
  4086. }
  4087. }
  4088. return Status;
  4089. }
  4092. VOID
  4093. ViInitializeEntry (
  4094. IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
  4095. IN LOGICAL FirstLoad
  4096. )
  4098. /*++
  4100. Routine Description:
  4102. Initialize various verifier fields as the driver is being (re)loaded now.
  4104. Arguments:
  4106. Verifier - Supplies the verifier entry to be initialized.
  4108. FirstLoad - Supplies TRUE if this is the first load of this driver.
  4110. Return Value:
  4112. None.
  4114. --*/
  4116. {
  4117. KIRQL OldIrql;
  4119. //
  4120. // Only the BaseName field is initialized on entry.
  4121. //
  4123. KeInitializeSpinLock (&Verifier->VerifierPoolLock);
  4125. Verifier->CurrentPagedPoolAllocations = 0;
  4126. Verifier->CurrentNonPagedPoolAllocations = 0;
  4127. Verifier->PeakPagedPoolAllocations = 0;
  4128. Verifier->PeakNonPagedPoolAllocations = 0;
  4130. Verifier->PagedBytes = 0;
  4131. Verifier->NonPagedBytes = 0;
  4132. Verifier->PeakPagedBytes = 0;
  4133. Verifier->PeakNonPagedBytes = 0;
  4135. Verifier->PoolHash = NULL;
  4136. Verifier->PoolHashSize = 0;
  4137. Verifier->PoolHashFree = VI_POOL_FREELIST_END;
  4138. Verifier->PoolHashReserved = 0;
  4140. Verifier->Signature = MI_VERIFIER_ENTRY_SIGNATURE;
  4142. if (FirstLoad == TRUE) {
  4143. Verifier->Flags = 0;
  4144. Verifier->Loads = 0;
  4145. Verifier->Unloads = 0;
  4146. }
  4148. ExAcquireSpinLock (&VerifierListLock, &OldIrql);
  4149. Verifier->StartAddress = NULL;
  4150. Verifier->EndAddress = NULL;
  4151. ExReleaseSpinLock (&VerifierListLock, OldIrql);
  4152. }
  4154. #define UNICODE_TAB 0x0009
  4155. #define UNICODE_LF 0x000A
  4156. #define UNICODE_CR 0x000D
  4157. #define UNICODE_SPACE 0x0020
  4158. #define UNICODE_CJK_SPACE 0x3000
  4160. #define UNICODE_WHITESPACE(_ch) (((_ch) == UNICODE_TAB) || \
  4161. ((_ch) == UNICODE_LF) || \
  4162. ((_ch) == UNICODE_CR) || \
  4163. ((_ch) == UNICODE_SPACE) || \
  4164. ((_ch) == UNICODE_CJK_SPACE) || \
  4165. ((_ch) == UNICODE_NULL))
  4167. LOGICAL
  4168. MiInitializeDriverVerifierList (
  4169. IN PLOADER_PARAMETER_BLOCK LoaderBlock
  4170. )
  4172. /*++
  4174. Routine Description:
  4176. Parse the registry settings and set up the list of driver names that will
  4177. be put through the validation process.
  4179. It is important that this list be parsed early because the machine-specific
  4180. memory management initialization needs to know whether the verifier is
  4181. going to be enabled.
  4183. Arguments:
  4185. LoaderBlock - Supplies the loader block used by the system to boot.
  4187. Return Value:
  4189. TRUE if successful, FALSE if not.
  4191. Environment:
  4193. Kernel mode, Phase 0 Initialization.
  4195. Nonpaged (but not paged) pool exists.
  4197. The PsLoadedModuleList has not been set up yet AND the boot drivers
  4198. have NOT been relocated to their final resting places.
  4200. --*/
  4202. {
  4203. PWCHAR Start;
  4204. PWCHAR End;
  4205. PWCHAR Walk;
  4206. ULONG NameLength;
  4207. LARGE_INTEGER CurrentTime;
  4208. UNICODE_STRING KernelString;
  4209. UNICODE_STRING DriverBaseName;
  4211. UNREFERENCED_PARAMETER (LoaderBlock);
  4213. InitializeListHead (&MiSuspectDriverList);
  4215. if (MmVerifyDriverLevel != (ULONG)-1) {
  4216. if (MmVerifyDriverLevel & DRIVER_VERIFIER_IO_CHECKING) {
  4217. if (MmVerifyDriverBufferLength == (ULONG)-1) {
  4218. MmVerifyDriverBufferLength = 0; // Mm will not page out verifier pages.
  4219. }
  4220. }
  4221. }
  4223. if (MmVerifyDriverBufferLength == (ULONG)-1) {
  4225. if (MmDontVerifyRandomDrivers == TRUE) {
  4226. return FALSE;
  4227. }
  4229. MmVerifyDriverBufferLength = 0;
  4231. CurrentTime = KeQueryPerformanceCounter (NULL);
  4232. CurrentTime.LowPart = (CurrentTime.LowPart % 26);
  4234. MiVerifyRandomDrivers = (WCHAR)('A' + (WCHAR)CurrentTime.LowPart);
  4236. if ((MiVerifyRandomDrivers == (WCHAR)'H') ||
  4237. (MiVerifyRandomDrivers == (WCHAR)'J') ||
  4238. (MiVerifyRandomDrivers == (WCHAR)'X') ||
  4239. (MiVerifyRandomDrivers == (WCHAR)'Y') ||
  4240. (MiVerifyRandomDrivers == (WCHAR)'Z')) {
  4241. MiVerifyRandomDrivers = (WCHAR)'X';
  4242. }
  4243. }
  4245. KeInitializeSpinLock (&VerifierListLock);
  4247. KeInitializeSpinLock (&VerifierPoolLock);
  4248. ExInitializeFastMutex (&VerifierPoolMutex);
  4250. //
  4251. // Initializing this listhead indicates to the rest of this module that
  4252. // the system was booted with verification of some sort configured.
  4253. //
  4255. InitializeListHead (&MiVerifierDriverAddedThunkListHead);
  4257. //
  4258. // If no default is specified, then special pool, pagable code/data
  4259. // flushing and pool leak detection are enabled.
  4260. //
  4262. if (MmVerifyDriverLevel == (ULONG)-1) {
  4263. MmVerifierData.Level = DRIVER_VERIFIER_SPECIAL_POOLING |
  4264. DRIVER_VERIFIER_FORCE_IRQL_CHECKING |
  4265. DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS;
  4266. }
  4267. else {
  4268. MmVerifierData.Level = MmVerifyDriverLevel;
  4269. }
  4271. VerifierModifyableOptions = (DRIVER_VERIFIER_SPECIAL_POOLING |
  4272. DRIVER_VERIFIER_FORCE_IRQL_CHECKING |
  4273. DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES);
  4275. //
  4276. // An initial parse of the driver list is needed here to see if it's the
  4277. // kernel as special machine-dependent initialization is needed to fully
  4278. // support kernel verification (ie: no use of large pages, etc).
  4279. //
  4281. if (MiVerifyRandomDrivers == (WCHAR)0) {
  4283. RtlInitUnicodeString (&KernelString, (PUSHORT)L"ntoskrnl.exe");
  4285. Start = MmVerifyDriverBuffer;
  4286. End = MmVerifyDriverBuffer + (MmVerifyDriverBufferLength - sizeof(WCHAR)) / sizeof(WCHAR);
  4288. while (Start < End) {
  4289. if (UNICODE_WHITESPACE(*Start)) {
  4290. Start += 1;
  4291. continue;
  4292. }
  4294. if (*Start == (WCHAR)'*') {
  4295. MiVerifyAllDrivers = TRUE;
  4296. break;
  4297. }
  4299. for (Walk = Start; Walk < End; Walk += 1) {
  4300. if (UNICODE_WHITESPACE(*Walk)) {
  4301. break;
  4302. }
  4303. }
  4305. //
  4306. // Got a string - see if it indicates the kernel.
  4307. //
  4309. NameLength = (ULONG)(Walk - Start + 1) * sizeof (WCHAR);
  4311. DriverBaseName.Buffer = Start;
  4312. DriverBaseName.Length = (USHORT)(NameLength - sizeof (UNICODE_NULL));
  4313. DriverBaseName.MaximumLength = (USHORT)NameLength;
  4315. if (RtlEqualUnicodeString (&KernelString,
  4316. &DriverBaseName,
  4317. TRUE)) {
  4319. //
  4320. // AcquireAtDpc/ReleaseFromDpc calls made by the kernel are not
  4321. // intercepted which confuses the deadlock verifier. So disable
  4322. // deadlock verification if we are kernel verifying.
  4323. //
  4325. MmVerifyDriverLevel &= ~DRIVER_VERIFIER_DEADLOCK_DETECTION;
  4326. MmVerifierData.Level &= ~DRIVER_VERIFIER_DEADLOCK_DETECTION;
  4328. //
  4329. //
  4330. // All driver pool allocation calls must be intercepted so
  4331. // they are not mistaken for kernel pool allocations.
  4332. //
  4334. MiVerifyAllDrivers = TRUE;
  4335. KernelVerifier = TRUE;
  4336. ExSetPoolFlags (EX_KERNEL_VERIFIER_ENABLED);
  4337. break;
  4338. }
  4340. Start = Walk + 1;
  4341. }
  4342. }
  4344. return TRUE;
  4345. }
  4347. VOID
  4348. MiReApplyVerifierToLoadedModules(
  4349. IN PLIST_ENTRY ModuleListHead
  4350. )
  4352. /*++
  4354. Routine Description:
  4356. Walk the supplied module list and re-thunk any drivers that are being
  4357. verified. This allows the module to pick up any new thunks that have
  4358. been added.
  4360. Arguments:
  4362. ModuleListHead - Supplies a pointer to the head of a loaded module list.
  4364. Environment:
  4366. Kernel mode, Phase 0 Initialization only.
  4368. --*/
  4370. {
  4371. LOGICAL Skip;
  4372. PLIST_ENTRY Entry;
  4373. PKLDR_DATA_TABLE_ENTRY TableEntry;
  4374. UNICODE_STRING HalString;
  4375. UNICODE_STRING KernelString;
  4377. //
  4378. // If the thunk listhead is NULL then the verifier is not enabled so
  4379. // don't notify any components.
  4380. //
  4382. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  4383. return;
  4384. }
  4386. //
  4387. // Initialize unicode strings to use to bypass modules
  4388. // in the list. There's no reason to reapply verifier to
  4389. // the kernel or to the hal.
  4390. //
  4392. RtlInitUnicodeString (&KernelString, (PUSHORT)L"ntoskrnl.exe");
  4393. RtlInitUnicodeString (&HalString, (PUSHORT)L"hal.dll");
  4395. //
  4396. // Walk the list and reapply verifier to all the modules except those
  4397. // selected for exclusion.
  4398. //
  4400. Entry = ModuleListHead->Flink;
  4401. while (Entry != ModuleListHead) {
  4403. TableEntry = CONTAINING_RECORD(Entry,
  4404. KLDR_DATA_TABLE_ENTRY,
  4405. InLoadOrderLinks);
  4407. Skip = TRUE;
  4409. if (RtlEqualUnicodeString (&KernelString,
  4410. &TableEntry->BaseDllName,
  4411. TRUE)) {
  4412. NOTHING;
  4413. }
  4414. else if (RtlEqualUnicodeString (&HalString,
  4415. &TableEntry->BaseDllName,
  4416. TRUE)) {
  4417. NOTHING;
  4418. }
  4419. else {
  4420. Skip = FALSE;
  4421. }
  4423. //
  4424. // Reapply verifier thunks to the image if it is already being
  4425. // verified and if it is not one of the modules we've decided to skip.
  4426. //
  4428. if ((Skip == FALSE) && (TableEntry->Flags & LDRP_IMAGE_VERIFYING)) {
  4429. #if DBG
  4430. PLIST_ENTRY NextEntry;
  4431. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  4433. //
  4434. // Initializing Verifier is not needed for correctness, but
  4435. // without it the compiler cannot compile this code W4 to check
  4436. // for use of uninitialized variables.
  4437. //
  4439. Verifier = NULL;
  4441. //
  4442. // Find the entry for this driver in the suspect list. This is
  4443. // expected to succeed since we are re-applying thunks to a module
  4444. // that has already been verified at least once before.
  4445. //
  4447. NextEntry = MiSuspectDriverList.Flink;
  4448. while (NextEntry != &MiSuspectDriverList) {
  4450. Verifier = CONTAINING_RECORD(NextEntry,
  4451. MI_VERIFIER_DRIVER_ENTRY,
  4452. Links);
  4454. if (RtlEqualUnicodeString (&Verifier->BaseName,
  4455. &TableEntry->BaseDllName,
  4456. TRUE)) {
  4458. break;
  4459. }
  4460. NextEntry = NextEntry->Flink;
  4461. }
  4463. ASSERT (NextEntry != &MiSuspectDriverList);
  4465. //
  4466. // Sanity tests. We should always find this module in the suspect
  4467. // driver list because it is already being verified. And the
  4468. // start and end addresses should still match those of the this
  4469. // module.
  4470. //
  4472. ASSERT(NextEntry != &MiSuspectDriverList);
  4473. ASSERT(Verifier->StartAddress == TableEntry->DllBase);
  4474. ASSERT(Verifier->EndAddress ==
  4475. (PVOID)((ULONG_PTR)TableEntry->DllBase +
  4476. TableEntry->SizeOfImage));
  4477. #endif
  4478. MiReEnableVerifier (TableEntry);
  4479. }
  4481. Entry = Entry->Flink;
  4482. }
  4483. }
  4485. LOGICAL
  4486. MiInitializeVerifyingComponents (
  4487. IN PLOADER_PARAMETER_BLOCK LoaderBlock
  4488. )
  4490. /*++
  4492. Routine Description:
  4494. Walk the loaded module list and thunk any drivers that need/deserve it.
  4496. Arguments:
  4498. LoaderBlock - Supplies the loader block used by the system to boot.
  4500. Return Value:
  4502. TRUE if successful, FALSE if not.
  4504. Environment:
  4506. Kernel mode, Phase 0 Initialization.
  4508. Both nonpaged and paged pool exist.
  4510. The PsLoadedModuleList has not been set up yet although the boot drivers
  4511. have been relocated to their final resting places.
  4513. --*/
  4515. {
  4516. ULONG i;
  4517. PWCHAR Start;
  4518. PWCHAR End;
  4519. PWCHAR Walk;
  4520. ULONG NameLength;
  4521. PLIST_ENTRY NextEntry;
  4522. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  4523. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  4524. PMI_VERIFIER_DRIVER_ENTRY KernelEntry;
  4525. PMI_VERIFIER_DRIVER_ENTRY HalEntry;
  4526. UNICODE_STRING HalString;
  4527. UNICODE_STRING KernelString;
  4528. PVERIFIER_THUNKS Thunk;
  4529. PDRIVER_VERIFIER_THUNK_ROUTINE PristineRoutine;
  4531. //
  4532. // If the thunk listhead is NULL then the verifier is not enabled so
  4533. // don't notify any components.
  4534. //
  4536. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  4537. return FALSE;
  4538. }
  4540. KernelEntry = NULL;
  4541. HalEntry = NULL;
  4543. if (MiVerifyRandomDrivers == (WCHAR)0) {
  4545. RtlInitUnicodeString (&KernelString, (PUSHORT)L"ntoskrnl.exe");
  4546. RtlInitUnicodeString (&HalString, (PUSHORT)L"hal.dll");
  4548. Start = MmVerifyDriverBuffer;
  4549. End = MmVerifyDriverBuffer + (MmVerifyDriverBufferLength - sizeof(WCHAR)) / sizeof(WCHAR);
  4551. while (Start < End) {
  4552. if (UNICODE_WHITESPACE(*Start)) {
  4553. Start += 1;
  4554. continue;
  4555. }
  4557. if (*Start == (WCHAR)'*') {
  4558. MiVerifyAllDrivers = TRUE;
  4559. break;
  4560. }
  4562. for (Walk = Start; Walk < End; Walk += 1) {
  4563. if (UNICODE_WHITESPACE(*Walk)) {
  4564. break;
  4565. }
  4566. }
  4568. //
  4569. // Got a string. Save it.
  4570. //
  4572. NameLength = (ULONG)(Walk - Start + 1) * sizeof (WCHAR);
  4574. Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
  4575. NonPagedPool,
  4576. sizeof (MI_VERIFIER_DRIVER_ENTRY) +
  4577. NameLength,
  4578. 'dLmM');
  4580. if (Verifier == NULL) {
  4581. break;
  4582. }
  4584. Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier +
  4585. sizeof (MI_VERIFIER_DRIVER_ENTRY));
  4586. Verifier->BaseName.Length = (USHORT)(NameLength - sizeof (UNICODE_NULL));
  4587. Verifier->BaseName.MaximumLength = (USHORT)NameLength;
  4589. RtlCopyMemory (Verifier->BaseName.Buffer,
  4590. Start,
  4591. NameLength - sizeof (UNICODE_NULL));
  4593. ViInitializeEntry (Verifier, TRUE);
  4595. Verifier->Flags |= VI_VERIFYING_DIRECTLY;
  4597. ViInsertVerifierEntry (Verifier);
  4599. if (RtlEqualUnicodeString (&KernelString,
  4600. &Verifier->BaseName,
  4601. TRUE)) {
  4603. //
  4604. // All driver pool allocation calls must be intercepted so
  4605. // they are not mistaken for kernel pool allocations.
  4606. //
  4608. ASSERT (MiVerifyAllDrivers == TRUE);
  4609. ASSERT (KernelVerifier == TRUE);
  4611. KernelEntry = Verifier;
  4613. }
  4614. else if (RtlEqualUnicodeString (&HalString,
  4615. &Verifier->BaseName,
  4616. TRUE)) {
  4618. HalEntry = Verifier;
  4619. }
  4621. Start = Walk + 1;
  4622. }
  4623. }
  4625. //
  4626. // Enable deadlock detection if the deadlock bit was set in the
  4627. // registry.
  4628. //
  4630. if (MmVerifierData.Level & DRIVER_VERIFIER_DEADLOCK_DETECTION) {
  4631. VfDeadlockDetectionInitialize (MiVerifyAllDrivers, KernelVerifier);
  4632. ExSetPoolFlags (EX_VERIFIER_DEADLOCK_DETECTION_ENABLED);
  4633. }
  4635. //
  4636. // Initialize i/o verifier.
  4637. //
  4639. IoVerifierInit (MmVerifierData.Level);
  4641. if (MiTriageAddDrivers (LoaderBlock) == TRUE) {
  4643. //
  4644. // Disable random driver verification if triage has picked driver(s).
  4645. //
  4647. MiVerifyRandomDrivers = (WCHAR)0;
  4648. }
  4650. Thunk = (PVERIFIER_THUNKS) &MiVerifierThunks[0];
  4652. while (Thunk->PristineRoutineAsciiName != NULL) {
  4653. PristineRoutine = MiResolveVerifierExports (LoaderBlock,
  4654. Thunk->PristineRoutineAsciiName);
  4655. ASSERT (PristineRoutine != NULL);
  4656. Thunk->PristineRoutine = PristineRoutine;
  4657. Thunk += 1;
  4658. }
  4660. Thunk = (PVERIFIER_THUNKS) &MiVerifierPoolThunks[0];
  4661. while (Thunk->PristineRoutineAsciiName != NULL) {
  4662. PristineRoutine = MiResolveVerifierExports (LoaderBlock,
  4663. Thunk->PristineRoutineAsciiName);
  4664. ASSERT (PristineRoutine != NULL);
  4665. Thunk->PristineRoutine = PristineRoutine;
  4666. Thunk += 1;
  4667. }
  4669. //
  4670. // Process the boot-loaded drivers now.
  4671. //
  4673. i = 0;
  4674. NextEntry = LoaderBlock->LoadOrderListHead.Flink;
  4676. for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) {
  4678. DataTableEntry = CONTAINING_RECORD(NextEntry,
  4679. KLDR_DATA_TABLE_ENTRY,
  4680. InLoadOrderLinks);
  4682. //
  4683. // Process the kernel and HAL specially.
  4684. //
  4686. if (i == 0) {
  4687. if (KernelEntry != NULL) {
  4688. MiApplyDriverVerifier (DataTableEntry, KernelEntry);
  4689. }
  4690. }
  4691. else if (i == 1) {
  4692. if (HalEntry != NULL) {
  4693. MiApplyDriverVerifier (DataTableEntry, HalEntry);
  4694. }
  4695. }
  4696. else {
  4697. MiApplyDriverVerifier (DataTableEntry, NULL);
  4698. }
  4699. i += 1;
  4700. }
  4702. //
  4703. // Initialize irql tracking package. The drivers that will be verified
  4704. // will have automatically tracked all their raise/lower irql operations.
  4705. //
  4707. ViTrackIrqlInitialize ();
  4709. //
  4710. // Initialize fault injection stack trace log package.
  4711. //
  4713. #if defined(_X86_)
  4714. ViFaultTracesInitialize ();
  4715. #endif
  4717. return TRUE;
  4718. }
  4720. NTSTATUS
  4721. MmAddVerifierEntry (
  4722. IN PUNICODE_STRING ImageFileName
  4723. )
  4725. /*++
  4727. Routine Description:
  4729. This routine inserts a new verifier entry for the specified driver so that
  4730. when the driver is loaded it will automatically be verified.
  4732. Note that if the driver is already loaded, then no entry is added and
  4733. STATUS_IMAGE_ALREADY_LOADED is returned.
  4735. If the system was booted with an empty verifier list, then no entries can
  4736. be added now as the current system configuration will not support special
  4737. pool, etc.
  4739. Note also that no registry changes are made so any insertions made by this
  4740. routine are lost on reboot.
  4742. Arguments:
  4744. ImageFileName - Supplies the name of the desired driver.
  4746. Return Value:
  4748. Various NTSTATUS codes.
  4750. Environment:
  4752. Kernel mode, PASSIVE_LEVEL, arbitrary process context.
  4754. --*/
  4756. {
  4757. PKTHREAD CurrentThread;
  4758. PLIST_ENTRY NextEntry;
  4759. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  4760. PMI_VERIFIER_DRIVER_ENTRY VerifierEntry;
  4761. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  4763. ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL);
  4765. //
  4766. // If the system was not booted with verification on, then bail.
  4767. //
  4769. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  4770. return STATUS_NOT_SUPPORTED;
  4771. }
  4773. //
  4774. // First build up a verifier entry.
  4775. //
  4777. Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
  4778. NonPagedPool,
  4779. sizeof (MI_VERIFIER_DRIVER_ENTRY) +
  4780. ImageFileName->MaximumLength,
  4781. 'dLmM');
  4783. if (Verifier == NULL) {
  4784. return STATUS_INSUFFICIENT_RESOURCES;
  4785. }
  4787. Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier +
  4788. sizeof (MI_VERIFIER_DRIVER_ENTRY));
  4789. Verifier->BaseName.Length = ImageFileName->Length;
  4790. Verifier->BaseName.MaximumLength = ImageFileName->MaximumLength;
  4792. RtlCopyMemory (Verifier->BaseName.Buffer,
  4793. ImageFileName->Buffer,
  4794. ImageFileName->Length);
  4796. ViInitializeEntry (Verifier, TRUE);
  4798. Verifier->Flags |= VI_VERIFYING_DIRECTLY;
  4800. //
  4801. // Arbitrary process context so prevent suspend APCs now.
  4802. //
  4804. CurrentThread = KeGetCurrentThread ();
  4805. KeEnterCriticalRegionThread (CurrentThread);
  4807. //
  4808. // Acquire the load lock so the verifier list can be read.
  4809. // Then ensure that the specified driver is not already in the list.
  4810. //
  4812. KeWaitForSingleObject (&MmSystemLoadLock,
  4813. WrVirtualMemory,
  4814. KernelMode,
  4815. FALSE,
  4816. (PLARGE_INTEGER)NULL);
  4818. //
  4819. // Check to make sure the requested entry is not already present in
  4820. // the verifier list and that the driver is not currently loaded.
  4821. //
  4823. NextEntry = MiSuspectDriverList.Flink;
  4824. while (NextEntry != &MiSuspectDriverList) {
  4826. VerifierEntry = CONTAINING_RECORD(NextEntry,
  4827. MI_VERIFIER_DRIVER_ENTRY,
  4828. Links);
  4830. if (RtlEqualUnicodeString (&Verifier->BaseName,
  4831. &VerifierEntry->BaseName,
  4832. TRUE)) {
  4834. //
  4835. // The driver is already in the verifier list - just mark the
  4836. // entry as verification-enabled and free the temporary allocation.
  4837. //
  4839. if ((VerifierEntry->Loads > VerifierEntry->Unloads) &&
  4840. (VerifierEntry->Flags & VI_DISABLE_VERIFICATION)) {
  4842. //
  4843. // The driver is loaded and verification is disabled. Don't
  4844. // turn it on now because we don't want to mislead our caller.
  4845. //
  4847. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  4848. KeLeaveCriticalRegionThread (CurrentThread);
  4849. ExFreePool (Verifier);
  4850. return STATUS_IMAGE_ALREADY_LOADED;
  4851. }
  4852. VerifierEntry->Flags &= ~VI_DISABLE_VERIFICATION;
  4853. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  4854. KeLeaveCriticalRegionThread (CurrentThread);
  4855. ExFreePool (Verifier);
  4856. return STATUS_SUCCESS;
  4857. }
  4858. NextEntry = NextEntry->Flink;
  4859. }
  4861. //
  4862. // A new verifier entry will need to be added so check to
  4863. // make sure the specified driver is not already loaded.
  4864. //
  4866. ExAcquireResourceSharedLite (&PsLoadedModuleResource, TRUE);
  4868. NextEntry = PsLoadedModuleList.Flink;
  4869. while (NextEntry != &PsLoadedModuleList) {
  4871. DataTableEntry = CONTAINING_RECORD(NextEntry,
  4872. KLDR_DATA_TABLE_ENTRY,
  4873. InLoadOrderLinks);
  4875. if (RtlEqualUnicodeString (&Verifier->BaseName,
  4876. &DataTableEntry->BaseDllName,
  4877. TRUE)) {
  4879. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  4880. ExReleaseResourceLite (&PsLoadedModuleResource);
  4881. KeLeaveCriticalRegionThread (CurrentThread);
  4882. ExFreePool (Verifier);
  4883. return STATUS_IMAGE_ALREADY_LOADED;
  4884. }
  4886. NextEntry = NextEntry->Flink;
  4887. }
  4889. //
  4890. // The entry is not already in the verifier list and the driver is not
  4891. // currently loaded. Proceed to insert it now.
  4892. //
  4894. ViInsertVerifierEntry (Verifier);
  4896. ExReleaseResourceLite (&PsLoadedModuleResource);
  4897. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  4898. KeLeaveCriticalRegionThread (CurrentThread);
  4900. return STATUS_SUCCESS;
  4901. }
  4903. NTSTATUS
  4904. MmRemoveVerifierEntry (
  4905. IN PUNICODE_STRING ImageFileName
  4906. )
  4908. /*++
  4910. Routine Description:
  4912. This routine doesn't actually remove the verifier entry for the
  4913. specified driver as we don't want to lose any valuable information
  4914. already gathered on the driver if it was previously loaded.
  4915. Instead, this routine disables verification for this driver for future
  4916. loads.
  4918. Note that if the driver is already loaded, then the removal is not
  4919. performed and STATUS_IMAGE_ALREADY_LOADED is returned.
  4921. Note also that no registry changes are made so any removals made by this
  4922. routine are lost on reboot.
  4924. Arguments:
  4926. ImageFileName - Supplies the name of the desired driver.
  4928. Return Value:
  4930. Various NTSTATUS codes.
  4932. Environment:
  4934. Kernel mode, PASSIVE_LEVEL, arbitrary process context.
  4936. --*/
  4938. {
  4939. PKTHREAD CurrentThread;
  4940. PLIST_ENTRY NextEntry;
  4941. PMI_VERIFIER_DRIVER_ENTRY VerifierEntry;
  4943. ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL);
  4945. //
  4946. // If the system was not booted with verification on, then bail.
  4947. //
  4949. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  4950. return STATUS_NOT_SUPPORTED;
  4951. }
  4953. //
  4954. // Arbitrary process context so prevent suspend APCs now.
  4955. //
  4957. CurrentThread = KeGetCurrentThread ();
  4958. KeEnterCriticalRegionThread (CurrentThread);
  4960. //
  4961. // Acquire the load lock so the verifier list can be read.
  4962. // Then ensure that the specified driver is not already in the list.
  4963. //
  4965. KeWaitForSingleObject (&MmSystemLoadLock,
  4966. WrVirtualMemory,
  4967. KernelMode,
  4968. FALSE,
  4969. (PLARGE_INTEGER)NULL);
  4971. //
  4972. // Check to make sure the requested entry is not already present in
  4973. // the verifier list and that the driver is not currently loaded.
  4974. //
  4976. NextEntry = MiSuspectDriverList.Flink;
  4977. while (NextEntry != &MiSuspectDriverList) {
  4979. VerifierEntry = CONTAINING_RECORD(NextEntry,
  4980. MI_VERIFIER_DRIVER_ENTRY,
  4981. Links);
  4983. if (RtlEqualUnicodeString (ImageFileName,
  4984. &VerifierEntry->BaseName,
  4985. TRUE)) {
  4987. //
  4988. // The driver is already in the verifier list - just mark the
  4989. // entry as verification-enabled and free the temporary allocation.
  4990. // No need to check the loaded module list if the entry is already
  4991. // in the verifier list.
  4992. //
  4994. if ((VerifierEntry->Loads > VerifierEntry->Unloads) &&
  4995. ((VerifierEntry->Flags & VI_DISABLE_VERIFICATION) == 0)) {
  4997. //
  4998. // The driver is loaded and verification is enabled. Don't
  4999. // disable it now because we don't want to mislead our caller.
  5000. //
  5002. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5003. KeLeaveCriticalRegionThread (CurrentThread);
  5004. return STATUS_IMAGE_ALREADY_LOADED;
  5005. }
  5007. VerifierEntry->Flags |= VI_DISABLE_VERIFICATION;
  5008. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5009. KeLeaveCriticalRegionThread (CurrentThread);
  5010. return STATUS_SUCCESS;
  5011. }
  5012. NextEntry = NextEntry->Flink;
  5013. }
  5015. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5016. KeLeaveCriticalRegionThread (CurrentThread);
  5018. return STATUS_NOT_FOUND;
  5019. }
  5021. VOID
  5022. ViInsertVerifierEntry (
  5023. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  5024. )
  5026. /*++
  5028. Routine Description:
  5030. Nonpagable wrapper to insert a new verifier entry.
  5032. Note that the system load mutant or the verifier load spinlock is sufficient
  5033. for readers to access the list. This is because the insertion path
  5034. acquires both.
  5036. Lock synchronization is needed because pool allocators walk the
  5037. verifier list at DISPATCH_LEVEL.
  5039. Arguments:
  5041. Verifier - Supplies a caller-initialized entry for the driver.
  5043. Return Value:
  5045. None.
  5047. --*/
  5049. {
  5050. KIRQL OldIrql;
  5052. ExAcquireSpinLock (&VerifierListLock, &OldIrql);
  5053. InsertTailList (&MiSuspectDriverList, &Verifier->Links);
  5054. ExReleaseSpinLock (&VerifierListLock, OldIrql);
  5055. }
  5057. PMI_VERIFIER_DRIVER_ENTRY
  5058. ViLocateVerifierEntry (
  5059. IN PVOID SystemAddress
  5060. )
  5062. /*++
  5064. Routine Description:
  5066. Locate the Driver Verifier entry for the specified system address.
  5068. Arguments:
  5070. SystemAddress - Supplies a code or data address within a driver.
  5072. Return Value:
  5074. The Verifier entry corresponding to the driver or NULL.
  5076. Environment:
  5078. The caller may be at DISPATCH_LEVEL and does not hold the MmSystemLoadLock.
  5080. --*/
  5082. {
  5083. KIRQL OldIrql;
  5084. PLIST_ENTRY NextEntry;
  5085. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  5087. ExAcquireSpinLock (&VerifierListLock, &OldIrql);
  5089. NextEntry = MiSuspectDriverList.Flink;
  5090. while (NextEntry != &MiSuspectDriverList) {
  5092. Verifier = CONTAINING_RECORD(NextEntry,
  5093. MI_VERIFIER_DRIVER_ENTRY,
  5094. Links);
  5096. if ((SystemAddress >= Verifier->StartAddress) &&
  5097. (SystemAddress < Verifier->EndAddress)) {
  5099. ExReleaseSpinLock (&VerifierListLock, OldIrql);
  5100. return Verifier;
  5101. }
  5102. NextEntry = NextEntry->Flink;
  5103. }
  5105. ExReleaseSpinLock (&VerifierListLock, OldIrql);
  5106. return NULL;
  5107. }
  5109. LOGICAL
  5110. MiApplyDriverVerifier (
  5111. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry,
  5112. IN PMI_VERIFIER_DRIVER_ENTRY Verifier
  5113. )
  5115. /*++
  5117. Routine Description:
  5119. This function is called as each module is loaded. If the module being
  5120. loaded is in the suspect list, thunk it here.
  5122. Arguments:
  5124. DataTableEntry - Supplies the data table entry for the module.
  5126. Verifier - Non-NULL if verification must be applied. FALSE indicates
  5127. that the driver name must match for verification to be
  5128. applied.
  5130. Return Value:
  5132. TRUE if thunking was applied, FALSE if not.
  5134. Environment:
  5136. Kernel mode, Phase 0 Initialization and normal runtime.
  5137. Non paged pool exists in Phase0, but paged pool does not.
  5138. Post-Phase0 serialization is provided by the MmSystemLoadLock.
  5140. --*/
  5142. {
  5143. WCHAR FirstChar;
  5144. LOGICAL Found;
  5145. PLIST_ENTRY NextEntry;
  5146. ULONG VerifierFlags;
  5148. if (Verifier != NULL) {
  5149. Found = TRUE;
  5150. }
  5151. else {
  5152. Found = FALSE;
  5153. NextEntry = MiSuspectDriverList.Flink;
  5154. while (NextEntry != &MiSuspectDriverList) {
  5156. Verifier = CONTAINING_RECORD(NextEntry,
  5157. MI_VERIFIER_DRIVER_ENTRY,
  5158. Links);
  5160. if (RtlEqualUnicodeString (&Verifier->BaseName,
  5161. &DataTableEntry->BaseDllName,
  5162. TRUE)) {
  5164. Found = TRUE;
  5165. ViInitializeEntry (Verifier, FALSE);
  5166. break;
  5167. }
  5168. NextEntry = NextEntry->Flink;
  5169. }
  5170. }
  5172. if (Found == FALSE) {
  5173. VerifierFlags = VI_VERIFYING_DIRECTLY;
  5174. if (MiVerifyAllDrivers == TRUE) {
  5175. if (KernelVerifier == TRUE) {
  5176. VerifierFlags = VI_VERIFYING_INVERSELY;
  5177. }
  5178. Found = TRUE;
  5179. }
  5180. else if (MiVerifyRandomDrivers != (WCHAR)0) {
  5182. //
  5183. // Wildcard match drivers randomly.
  5184. //
  5186. FirstChar = RtlUpcaseUnicodeChar(DataTableEntry->BaseDllName.Buffer[0]);
  5188. if (MiVerifyRandomDrivers == FirstChar) {
  5189. Found = TRUE;
  5190. }
  5191. else if (MiVerifyRandomDrivers == (WCHAR)'X') {
  5192. if ((FirstChar >= (WCHAR)'0') && (FirstChar <= (WCHAR)'9')) {
  5193. Found = TRUE;
  5194. }
  5195. }
  5196. }
  5198. if (Found == FALSE) {
  5199. return FALSE;
  5200. }
  5202. Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
  5203. NonPagedPool,
  5204. sizeof (MI_VERIFIER_DRIVER_ENTRY) +
  5205. DataTableEntry->BaseDllName.MaximumLength,
  5206. 'dLmM');
  5208. if (Verifier == NULL) {
  5209. return FALSE;
  5210. }
  5212. Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier +
  5213. sizeof (MI_VERIFIER_DRIVER_ENTRY));
  5214. Verifier->BaseName.Length = DataTableEntry->BaseDllName.Length;
  5215. Verifier->BaseName.MaximumLength = DataTableEntry->BaseDllName.MaximumLength;
  5217. RtlCopyMemory (Verifier->BaseName.Buffer,
  5218. DataTableEntry->BaseDllName.Buffer,
  5219. DataTableEntry->BaseDllName.Length);
  5221. ViInitializeEntry (Verifier, TRUE);
  5223. Verifier->Flags = VerifierFlags;
  5225. ViInsertVerifierEntry (Verifier);
  5226. }
  5228. Verifier->StartAddress = DataTableEntry->DllBase;
  5229. Verifier->EndAddress = (PVOID)((ULONG_PTR)DataTableEntry->DllBase + DataTableEntry->SizeOfImage);
  5231. ASSERT (Found == TRUE);
  5233. if (Verifier->Flags & VI_DISABLE_VERIFICATION) {
  5235. //
  5236. // We've been instructed to not verify this driver. If kernel
  5237. // verification is enabled, then the driver must still be thunked
  5238. // for "inverse-verification". If kernel verification is disabled,
  5239. // nothing needs to be done here except load/unload counting.
  5240. //
  5242. if (KernelVerifier == TRUE) {
  5243. Found = MiEnableVerifier (DataTableEntry);
  5244. }
  5245. else {
  5246. Found = FALSE;
  5247. }
  5248. }
  5249. else {
  5250. Found = MiEnableVerifier (DataTableEntry);
  5251. }
  5253. if (Found == TRUE) {
  5255. if (Verifier->Flags & VI_VERIFYING_DIRECTLY &&
  5256. ((DataTableEntry->Flags & LDRP_IMAGE_VERIFYING) == 0)) {
  5257. ViPrintString (&DataTableEntry->BaseDllName);
  5258. }
  5260. MmVerifierData.Loads += 1;
  5261. Verifier->Loads += 1;
  5263. DataTableEntry->Flags |= LDRP_IMAGE_VERIFYING;
  5264. MiActiveVerifies += 1;
  5266. if (MiActiveVerifies == 1) {
  5268. #ifndef NO_POOL_CHECKS
  5270. //
  5271. // If a loaded driver(s) is undergoing validation, the default
  5272. // special pool randomizer is disabled as the precious virtual
  5273. // address space and physical memory is being put to specific
  5274. // use.
  5275. //
  5277. MiEnableRandomSpecialPool (FALSE);
  5278. #endif
  5279. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  5281. //
  5282. // Page out all thread stacks as soon as possible to
  5283. // catch drivers using local events that do usermode waits.
  5284. //
  5286. if (KernelVerifier == FALSE) {
  5287. MiVerifierStackProtectTime = KiStackProtectTime;
  5288. KiStackProtectTime = 0;
  5289. }
  5290. }
  5291. }
  5292. }
  5294. return Found;
  5295. }
  5297. PUNICODE_STRING ViBadDriver;
  5299. VOID
  5300. MiVerifyingDriverUnloading (
  5301. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  5302. )
  5304. /*++
  5306. Routine Description:
  5308. This function is called as a driver that was being verified is now being
  5309. unloaded.
  5311. Arguments:
  5313. DataTableEntry - Supplies the data table entry for the driver.
  5315. Return Value:
  5317. TRUE if thunking was applied, FALSE if not.
  5319. Environment:
  5321. Kernel mode, Phase 0 Initialization and normal runtime.
  5322. Non paged pool exists in Phase0, but paged pool does not.
  5323. Post-Phase0 serialization is provided by the MmSystemLoadLock.
  5325. --*/
  5327. {
  5328. KIRQL OldIrql;
  5329. PLIST_ENTRY NextEntry;
  5330. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  5331. PVI_POOL_ENTRY OldHashTable;
  5333. //
  5334. // Initializing Verifier is not needed for correctness, but without it
  5335. // the compiler cannot compile this code W4 to check for use of
  5336. // uninitialized variables.
  5337. //
  5339. Verifier = NULL;
  5341. NextEntry = MiSuspectDriverList.Flink;
  5342. while (NextEntry != &MiSuspectDriverList) {
  5344. Verifier = CONTAINING_RECORD(NextEntry,
  5345. MI_VERIFIER_DRIVER_ENTRY,
  5346. Links);
  5348. if (RtlEqualUnicodeString (&Verifier->BaseName,
  5349. &DataTableEntry->BaseDllName,
  5350. TRUE)) {
  5352. break;
  5353. }
  5354. NextEntry = NextEntry->Flink;
  5355. }
  5357. ASSERT (NextEntry != &MiSuspectDriverList);
  5359. //
  5360. // Delete any static locks in the driver image.
  5361. //
  5362. // silviuc: might be able to get rid of this call if we get a
  5363. // hook in MmSystemImageUnload.
  5364. //
  5366. VfDeadlockDeleteMemoryRange(DataTableEntry->DllBase,
  5367. (SIZE_T) DataTableEntry->SizeOfImage);
  5370. if (MmVerifierData.Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) {
  5372. //
  5373. // Better not be any pool left that wasn't freed.
  5374. //
  5376. if (Verifier->PagedBytes) {
  5378. #if DBG
  5379. DbgPrint ("Driver %wZ leaked %d paged pool allocations (0x%x bytes)\n",
  5380. &DataTableEntry->FullDllName,
  5381. Verifier->CurrentPagedPoolAllocations,
  5382. Verifier->PagedBytes);
  5383. #endif
  5385. //
  5386. // It would be nice to fault in the driver's paged pool allocations
  5387. // now to make debugging easier, but this cannot be easily done
  5388. // in a deadlock free manner.
  5389. //
  5390. // At least disable the paging of pool on IRQL raising in attempt
  5391. // to keep some of these allocations resident for debugging.
  5392. // No need to undo the increment as we're about to bugcheck anyway.
  5393. //
  5395. InterlockedIncrement ((PLONG)&MiNoPageOnRaiseIrql);
  5396. }
  5397. #if DBG
  5398. if (Verifier->NonPagedBytes) {
  5399. DbgPrint ("Driver %wZ leaked %d nonpaged pool allocations (0x%x bytes)\n",
  5400. &DataTableEntry->FullDllName,
  5401. Verifier->CurrentNonPagedPoolAllocations,
  5402. Verifier->NonPagedBytes);
  5403. }
  5404. #endif
  5406. if (Verifier->PagedBytes || Verifier->NonPagedBytes) {
  5407. #if 0
  5408. DbgBreakPoint ();
  5409. InterlockedDecrement (&MiNoPageOnRaiseIrql);
  5410. #else
  5411. //
  5412. // Snap this so the build/BVT lab can easily triage the culprit.
  5413. //
  5415. ViBadDriver = &Verifier->BaseName;
  5417. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  5418. 0x60,
  5419. Verifier->PagedBytes,
  5420. Verifier->NonPagedBytes,
  5421. Verifier->CurrentPagedPoolAllocations +
  5422. Verifier->CurrentNonPagedPoolAllocations);
  5423. #endif
  5424. }
  5426. ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
  5428. if (Verifier->PoolHashReserved != 0) {
  5429. KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
  5430. 0x61,
  5431. Verifier->PagedBytes,
  5432. Verifier->NonPagedBytes,
  5433. Verifier->CurrentPagedPoolAllocations +
  5434. Verifier->CurrentNonPagedPoolAllocations);
  5435. }
  5437. OldHashTable = Verifier->PoolHash;
  5438. if (OldHashTable != NULL) {
  5439. Verifier->PoolHashSize = 0;
  5440. Verifier->PoolHashFree = VI_POOL_FREELIST_END;
  5441. Verifier->PoolHash = NULL;
  5442. }
  5443. else {
  5444. ASSERT (Verifier->PoolHashSize == 0);
  5445. ASSERT (Verifier->PoolHashFree == VI_POOL_FREELIST_END);
  5446. }
  5448. ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
  5450. if (OldHashTable != NULL) {
  5451. ExFreePool (OldHashTable);
  5452. }
  5454. //
  5455. // Clear these fields so reuse of stale addresses don't trigger
  5456. // erroneous bucket fills.
  5457. //
  5459. ExAcquireSpinLock (&VerifierListLock, &OldIrql);
  5460. Verifier->StartAddress = NULL;
  5461. Verifier->EndAddress = NULL;
  5462. ExReleaseSpinLock (&VerifierListLock, OldIrql);
  5463. }
  5465. Verifier->Unloads += 1;
  5466. MmVerifierData.Unloads += 1;
  5467. MiActiveVerifies -= 1;
  5469. if (MiActiveVerifies == 0) {
  5471. if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
  5473. //
  5474. // Return to normal thread stack protection.
  5475. //
  5477. if (KernelVerifier == FALSE) {
  5478. KiStackProtectTime = MiVerifierStackProtectTime;
  5479. }
  5480. }
  5482. #ifndef NO_POOL_CHECKS
  5483. MiEnableRandomSpecialPool (TRUE);
  5484. #endif
  5485. }
  5486. }
  5488. NTKERNELAPI
  5489. LOGICAL
  5490. MmIsDriverVerifying (
  5491. IN PDRIVER_OBJECT DriverObject
  5492. )
  5494. /*++
  5496. Routine Description:
  5498. This function informs the caller if the argument driver is being verified.
  5500. Arguments:
  5502. DriverObject - Supplies the driver object.
  5504. Return Value:
  5506. TRUE if this driver is being verified, FALSE if not.
  5508. Environment:
  5510. Kernel mode, any IRQL, any needed synchronization must be provided by the
  5511. caller.
  5513. --*/
  5515. {
  5516. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  5518. DataTableEntry = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
  5520. if (DataTableEntry == NULL) {
  5521. return FALSE;
  5522. }
  5524. if ((DataTableEntry->Flags & LDRP_IMAGE_VERIFYING) == 0) {
  5525. return FALSE;
  5526. }
  5528. return TRUE;
  5529. }
  5531. NTSTATUS
  5532. MmAddVerifierThunks (
  5533. IN PVOID ThunkBuffer,
  5534. IN ULONG ThunkBufferSize
  5535. )
  5537. /*++
  5539. Routine Description:
  5541. This routine adds another set of thunks to the verifier list.
  5543. Arguments:
  5545. ThunkBuffer - Supplies the buffer containing the thunk pairs.
  5547. ThunkBufferSize - Supplies the number of bytes in the thunk buffer.
  5549. Return Value:
  5551. Returns the status of the operation.
  5553. Environment:
  5555. Kernel mode. APC_LEVEL and below, arbitrary process context.
  5557. --*/
  5559. {
  5560. ULONG i;
  5561. PKTHREAD CurrentThread;
  5562. ULONG NumberOfThunkPairs;
  5563. PDRIVER_VERIFIER_THUNK_PAIRS ThunkPairs;
  5564. PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable;
  5565. PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
  5566. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  5567. PKLDR_DATA_TABLE_ENTRY DataTableEntry2;
  5568. PLIST_ENTRY NextEntry;
  5569. PVOID DriverStartAddress;
  5570. PVOID DriverEndAddress;
  5572. PAGED_CODE();
  5574. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  5575. return STATUS_NOT_SUPPORTED;
  5576. }
  5578. ThunkPairs = (PDRIVER_VERIFIER_THUNK_PAIRS)ThunkBuffer;
  5579. NumberOfThunkPairs = ThunkBufferSize / sizeof(DRIVER_VERIFIER_THUNK_PAIRS);
  5581. if (NumberOfThunkPairs == 0) {
  5582. return STATUS_INVALID_PARAMETER_1;
  5583. }
  5585. ThunkTableBase = (PDRIVER_SPECIFIED_VERIFIER_THUNKS) ExAllocatePoolWithTag (
  5586. PagedPool,
  5587. sizeof (DRIVER_SPECIFIED_VERIFIER_THUNKS) + NumberOfThunkPairs * sizeof (DRIVER_VERIFIER_THUNK_PAIRS),
  5588. 'tVmM');
  5590. if (ThunkTableBase == NULL) {
  5591. return STATUS_INSUFFICIENT_RESOURCES;
  5592. }
  5594. ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1);
  5596. RtlCopyMemory (ThunkTable,
  5597. ThunkPairs,
  5598. NumberOfThunkPairs * sizeof(DRIVER_VERIFIER_THUNK_PAIRS));
  5600. CurrentThread = KeGetCurrentThread ();
  5601. KeEnterCriticalRegionThread (CurrentThread);
  5603. KeWaitForSingleObject (&MmSystemLoadLock,
  5604. WrVirtualMemory,
  5605. KernelMode,
  5606. FALSE,
  5607. (PLARGE_INTEGER)NULL);
  5609. //
  5610. // Find and validate the image that contains the routines to be thunked.
  5611. //
  5613. DataTableEntry = MiLookupDataTableEntry ((PVOID)(ULONG_PTR)ThunkTable->PristineRoutine,
  5614. TRUE);
  5616. if (DataTableEntry == NULL) {
  5617. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5618. KeLeaveCriticalRegionThread (CurrentThread);
  5619. ExFreePool (ThunkTableBase);
  5620. return STATUS_INVALID_PARAMETER_2;
  5621. }
  5623. DriverStartAddress = (PVOID)(DataTableEntry->DllBase);
  5624. DriverEndAddress = (PVOID)((PCHAR)DataTableEntry->DllBase + DataTableEntry->SizeOfImage);
  5626. //
  5627. // Don't let drivers hook calls to kernel or HAL routines.
  5628. //
  5630. i = 0;
  5631. NextEntry = PsLoadedModuleList.Flink;
  5632. while (NextEntry != &PsLoadedModuleList) {
  5634. DataTableEntry2 = CONTAINING_RECORD(NextEntry,
  5635. KLDR_DATA_TABLE_ENTRY,
  5636. InLoadOrderLinks);
  5638. if (DataTableEntry == DataTableEntry2) {
  5639. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5640. KeLeaveCriticalRegionThread (CurrentThread);
  5641. ExFreePool (ThunkTableBase);
  5642. return STATUS_INVALID_PARAMETER_2;
  5643. }
  5645. NextEntry = NextEntry->Flink;
  5646. i += 1;
  5647. if (i >= 2) {
  5648. break;
  5649. }
  5650. }
  5652. for (i = 0; i < NumberOfThunkPairs; i += 1) {
  5654. //
  5655. // Ensure all the routines being thunked are in the same driver.
  5656. //
  5658. if (((ULONG_PTR)ThunkTable->PristineRoutine < (ULONG_PTR)DriverStartAddress) ||
  5659. ((ULONG_PTR)ThunkTable->PristineRoutine >= (ULONG_PTR)DriverEndAddress) ||
  5660. ((ULONG_PTR)ThunkTable->NewRoutine < (ULONG_PTR)DriverStartAddress) ||
  5661. ((ULONG_PTR)ThunkTable->NewRoutine >= (ULONG_PTR)DriverEndAddress)
  5662. ) {
  5664. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5665. KeLeaveCriticalRegionThread (CurrentThread);
  5666. ExFreePool (ThunkTableBase);
  5667. return STATUS_INVALID_PARAMETER_2;
  5668. }
  5669. ThunkTable += 1;
  5670. }
  5672. //
  5673. // Add the validated thunk table to the verifier's global list.
  5674. //
  5676. ThunkTableBase->DataTableEntry = DataTableEntry;
  5677. ThunkTableBase->NumberOfThunks = NumberOfThunkPairs;
  5678. MiActiveVerifierThunks += 1;
  5680. InsertTailList (&MiVerifierDriverAddedThunkListHead,
  5681. &ThunkTableBase->ListEntry);
  5683. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5684. KeLeaveCriticalRegionThread (CurrentThread);
  5686. //
  5687. // Indicate that new thunks have been added to the verifier list.
  5688. //
  5690. MiVerifierThunksAdded += 1;
  5692. return STATUS_SUCCESS;
  5693. }
  5695. VOID
  5696. MiVerifierCheckThunks (
  5697. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  5698. )
  5700. /*++
  5702. Routine Description:
  5704. This routine adds another set of thunks to the verifier list.
  5706. Arguments:
  5708. DataTableEntry - Supplies the data table entry for the driver.
  5710. Return Value:
  5712. None.
  5714. Environment:
  5716. Kernel mode. APC_LEVEL and below.
  5717. The system load lock must be held by the caller.
  5719. --*/
  5721. {
  5722. PLIST_ENTRY NextEntry;
  5723. PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
  5725. PAGED_CODE ();
  5727. //
  5728. // N.B. The DataTableEntry can move (see MiInitializeLoadedModuleList),
  5729. // but this only happens long before IoInitialize so this is safe.
  5730. //
  5732. NextEntry = MiVerifierDriverAddedThunkListHead.Flink;
  5733. while (NextEntry != &MiVerifierDriverAddedThunkListHead) {
  5735. ThunkTableBase = CONTAINING_RECORD(NextEntry,
  5736. DRIVER_SPECIFIED_VERIFIER_THUNKS,
  5737. ListEntry);
  5739. if (ThunkTableBase->DataTableEntry == DataTableEntry) {
  5740. RemoveEntryList (NextEntry);
  5741. NextEntry = NextEntry->Flink;
  5742. ExFreePool (ThunkTableBase);
  5743. MiActiveVerifierThunks -= 1;
  5745. //
  5746. // Keep looking as the driver may have made multiple calls.
  5747. //
  5749. continue;
  5750. }
  5752. NextEntry = NextEntry->Flink;
  5753. }
  5754. }
  5756. NTSTATUS
  5757. MmIsVerifierEnabled (
  5758. OUT PULONG VerifierFlags
  5759. )
  5761. /*++
  5763. Routine Description:
  5765. This routine is called by drivers to query whether the Driver Verifier
  5766. is enabled and to find out what the currently enabled options are.
  5768. Arguments:
  5770. VerifierFlags - Returns the current driver verifier flags. Note these
  5771. flags can change dynamically without rebooting.
  5773. Return Value:
  5775. Returns STATUS_SUCCESS if the verifier is enabled, or a failure code if not.
  5777. Environment:
  5779. Kernel mode, PASSIVE_LEVEL.
  5781. --*/
  5783. {
  5784. if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
  5785. *VerifierFlags = 0;
  5786. return STATUS_NOT_SUPPORTED;
  5787. }
  5789. *VerifierFlags = MmVerifierData.Level;
  5790. return STATUS_SUCCESS;
  5791. }
  5793. #define ROUND_UP(VALUE,ROUND) ((ULONG)(((ULONG)VALUE + \
  5794. ((ULONG)ROUND - 1L)) & (~((ULONG)ROUND - 1L))))
  5796. NTSTATUS
  5797. MmGetVerifierInformation (
  5798. OUT PVOID SystemInformation,
  5799. IN ULONG SystemInformationLength,
  5800. OUT PULONG Length
  5801. )
  5803. /*++
  5805. Routine Description:
  5807. This routine returns information about drivers undergoing verification.
  5809. Arguments:
  5811. SystemInformation - Returns the driver verification information.
  5813. SystemInformationLength - Supplies the length of the SystemInformation
  5814. buffer.
  5816. Length - Returns the length of the driver verification file information
  5817. placed in the buffer.
  5819. Return Value:
  5821. Returns the status of the operation.
  5823. Environment:
  5825. The SystemInformation buffer is in user space and our caller has wrapped
  5826. a try-except around this entire routine. Capture any exceptions here and
  5827. release resources accordingly.
  5829. --*/
  5831. {
  5832. PKTHREAD CurrentThread;
  5833. PSYSTEM_VERIFIER_INFORMATION UserVerifyBuffer;
  5834. ULONG NextEntryOffset;
  5835. ULONG TotalSize;
  5836. NTSTATUS Status;
  5837. PLIST_ENTRY NextEntry;
  5838. PMI_VERIFIER_DRIVER_ENTRY Verifier;
  5839. UNICODE_STRING UserBufferDriverName;
  5841. PAGED_CODE();
  5843. NextEntryOffset = 0;
  5844. TotalSize = 0;
  5846. *Length = 0;
  5847. UserVerifyBuffer = (PSYSTEM_VERIFIER_INFORMATION)SystemInformation;
  5849. //
  5850. // Capture the number of verifying drivers and the relevant data while
  5851. // synchronized. Then return it to our caller.
  5852. //
  5854. Status = STATUS_SUCCESS;
  5856. CurrentThread = KeGetCurrentThread ();
  5857. KeEnterCriticalRegionThread (CurrentThread);
  5859. KeWaitForSingleObject (&MmSystemLoadLock,
  5860. WrVirtualMemory,
  5861. KernelMode,
  5862. FALSE,
  5863. (PLARGE_INTEGER)NULL);
  5865. try {
  5867. NextEntry = MiSuspectDriverList.Flink;
  5868. while (NextEntry != &MiSuspectDriverList) {
  5870. Verifier = CONTAINING_RECORD(NextEntry,
  5871. MI_VERIFIER_DRIVER_ENTRY,
  5872. Links);
  5874. if (((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0) ||
  5875. (Verifier->Flags & VI_DISABLE_VERIFICATION)) {
  5877. NextEntry = NextEntry->Flink;
  5878. continue;
  5879. }
  5881. UserVerifyBuffer = (PSYSTEM_VERIFIER_INFORMATION)(
  5882. (PUCHAR)UserVerifyBuffer + NextEntryOffset);
  5883. NextEntryOffset = sizeof(SYSTEM_VERIFIER_INFORMATION);
  5884. TotalSize += sizeof(SYSTEM_VERIFIER_INFORMATION);
  5886. if (TotalSize > SystemInformationLength) {
  5887. ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH);
  5888. }
  5890. //
  5891. // This data is cumulative for all drivers.
  5892. //
  5894. UserVerifyBuffer->Level = MmVerifierData.Level;
  5895. UserVerifyBuffer->RaiseIrqls = MmVerifierData.RaiseIrqls;
  5896. UserVerifyBuffer->AcquireSpinLocks = MmVerifierData.AcquireSpinLocks;
  5898. UserVerifyBuffer->UnTrackedPool = MmVerifierData.UnTrackedPool;
  5899. UserVerifyBuffer->SynchronizeExecutions = MmVerifierData.SynchronizeExecutions;
  5901. UserVerifyBuffer->AllocationsAttempted = MmVerifierData.AllocationsAttempted;
  5902. UserVerifyBuffer->AllocationsSucceeded = MmVerifierData.AllocationsSucceeded;
  5903. UserVerifyBuffer->AllocationsSucceededSpecialPool = MmVerifierData.AllocationsSucceededSpecialPool;
  5904. UserVerifyBuffer->AllocationsWithNoTag = MmVerifierData.AllocationsWithNoTag;
  5906. UserVerifyBuffer->TrimRequests = MmVerifierData.TrimRequests;
  5907. UserVerifyBuffer->Trims = MmVerifierData.Trims;
  5908. UserVerifyBuffer->AllocationsFailed = MmVerifierData.AllocationsFailed;
  5909. UserVerifyBuffer->AllocationsFailedDeliberately = MmVerifierData.AllocationsFailedDeliberately;
  5911. //
  5912. // This data is kept on a per-driver basis.
  5913. //
  5915. UserVerifyBuffer->CurrentPagedPoolAllocations = Verifier->CurrentPagedPoolAllocations;
  5916. UserVerifyBuffer->CurrentNonPagedPoolAllocations = Verifier->CurrentNonPagedPoolAllocations;
  5917. UserVerifyBuffer->PeakPagedPoolAllocations = Verifier->PeakPagedPoolAllocations;
  5918. UserVerifyBuffer->PeakNonPagedPoolAllocations = Verifier->PeakNonPagedPoolAllocations;
  5920. UserVerifyBuffer->PagedPoolUsageInBytes = Verifier->PagedBytes;
  5921. UserVerifyBuffer->NonPagedPoolUsageInBytes = Verifier->NonPagedBytes;
  5922. UserVerifyBuffer->PeakPagedPoolUsageInBytes = Verifier->PeakPagedBytes;
  5923. UserVerifyBuffer->PeakNonPagedPoolUsageInBytes = Verifier->PeakNonPagedBytes;
  5925. UserVerifyBuffer->Loads = Verifier->Loads;
  5926. UserVerifyBuffer->Unloads = Verifier->Unloads;
  5928. //
  5929. // The DriverName portion of the UserVerifyBuffer must be saved
  5930. // locally to protect against a malicious thread changing the
  5931. // contents. This is because we will reference the contents
  5932. // ourselves when the actual string is copied out carefully below.
  5933. //
  5935. UserBufferDriverName.Length = Verifier->BaseName.Length;
  5936. UserBufferDriverName.MaximumLength = (USHORT)(Verifier->BaseName.Length + sizeof (WCHAR));
  5937. UserBufferDriverName.Buffer = (PWCHAR)(UserVerifyBuffer + 1);
  5939. UserVerifyBuffer->DriverName = UserBufferDriverName;
  5941. TotalSize += ROUND_UP (UserBufferDriverName.MaximumLength,
  5942. sizeof(PVOID));
  5943. NextEntryOffset += ROUND_UP (UserBufferDriverName.MaximumLength,
  5944. sizeof(PVOID));
  5946. if (TotalSize > SystemInformationLength) {
  5947. ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH);
  5948. }
  5950. //
  5951. // Carefully reference the UserVerifyBuffer here.
  5952. //
  5954. RtlCopyMemory(UserBufferDriverName.Buffer,
  5955. Verifier->BaseName.Buffer,
  5956. Verifier->BaseName.Length);
  5958. UserBufferDriverName.Buffer[
  5959. Verifier->BaseName.Length/sizeof(WCHAR)] = UNICODE_NULL;
  5960. UserVerifyBuffer->NextEntryOffset = NextEntryOffset;
  5962. NextEntry = NextEntry->Flink;
  5963. }
  5964. } except (EXCEPTION_EXECUTE_HANDLER) {
  5965. Status = GetExceptionCode();
  5966. }
  5968. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  5970. KeLeaveCriticalRegionThread (CurrentThread);
  5972. if (Status != STATUS_INFO_LENGTH_MISMATCH) {
  5973. UserVerifyBuffer->NextEntryOffset = 0;
  5974. *Length = TotalSize;
  5975. }
  5977. return Status;
  5978. }
  5980. NTSTATUS
  5981. MmSetVerifierInformation (
  5982. IN OUT PVOID SystemInformation,
  5983. IN ULONG SystemInformationLength
  5984. )
  5986. /*++
  5988. Routine Description:
  5990. This routine sets any driver verifier flags that can be done without
  5991. rebooting.
  5993. Arguments:
  5995. SystemInformation - Gets and returns the driver verification flags.
  5997. SystemInformationLength - Supplies the length of the SystemInformation
  5998. buffer.
  6000. Return Value:
  6002. Returns the status of the operation.
  6004. Environment:
  6006. The SystemInformation buffer is in user space and our caller has wrapped
  6007. a try-except around this entire routine. Capture any exceptions here and
  6008. release resources accordingly.
  6010. --*/
  6012. {
  6013. PKTHREAD CurrentThread;
  6014. ULONG UserFlags;
  6015. ULONG NewFlags;
  6016. ULONG NewFlagsOn;
  6017. ULONG NewFlagsOff;
  6018. NTSTATUS Status;
  6019. PULONG UserVerifyBuffer;
  6021. PAGED_CODE();
  6023. if (SystemInformationLength < sizeof (ULONG)) {
  6024. ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH);
  6025. }
  6027. UserVerifyBuffer = (PULONG)SystemInformation;
  6029. //
  6030. // Synchronize all changes to the flags here.
  6031. //
  6033. Status = STATUS_SUCCESS;
  6035. CurrentThread = KeGetCurrentThread ();
  6036. KeEnterCriticalRegionThread (CurrentThread);
  6038. KeWaitForSingleObject (&MmSystemLoadLock,
  6039. WrVirtualMemory,
  6040. KernelMode,
  6041. FALSE,
  6042. (PLARGE_INTEGER)NULL);
  6044. try {
  6046. UserFlags = *UserVerifyBuffer;
  6048. //
  6049. // Ensure nothing is being set or cleared that isn't supported.
  6050. //
  6051. //
  6053. NewFlagsOn = UserFlags & VerifierModifyableOptions;
  6055. NewFlags = MmVerifierData.Level | NewFlagsOn;
  6057. //
  6058. // Any bits set in NewFlagsOff must be zeroed in the NewFlags.
  6059. //
  6061. NewFlagsOff = ((~UserFlags) & VerifierModifyableOptions);
  6063. NewFlags &= ~NewFlagsOff;
  6065. if (NewFlags != MmVerifierData.Level) {
  6066. VerifierOptionChanges += 1;
  6067. MmVerifierData.Level = NewFlags;
  6068. *UserVerifyBuffer = NewFlags;
  6069. }
  6071. } except (EXCEPTION_EXECUTE_HANDLER) {
  6072. Status = GetExceptionCode();
  6073. }
  6075. KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
  6077. KeLeaveCriticalRegionThread (CurrentThread);
  6079. return Status;
  6080. }
  6082. typedef struct _VERIFIER_STRING_INFO {
  6083. ULONG BuildNumber;
  6084. ULONG DriverVerifierLevel;
  6085. ULONG Flags;
  6086. ULONG Check;
  6087. } VERIFIER_STRING_INFO, *PVERIFIER_STRING_INFO;
  6089. #ifdef ALLOC_DATA_PRAGMA
  6090. #pragma const_seg("PAGECONST")
  6091. #endif
  6093. static const WCHAR Printable[] = L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  6094. static const ULONG PrintableChars = sizeof (Printable) / sizeof (Printable[0]) - 1;
  6096. #ifdef ALLOC_DATA_PRAGMA
  6097. #pragma const_seg()
  6098. #endif
  6100. VOID
  6101. ViPrintString (
  6102. IN PUNICODE_STRING DriverName
  6103. )
  6105. /*++
  6107. Routine Description:
  6109. This routine does a really bad hash of build number, verifier level and
  6110. flags by using the driver name as a stream of bytes to XOR into the flags,
  6111. etc.
  6113. This is a Neill Clift special.
  6115. Arguments:
  6117. DriverName - Supplies the name of the driver.
  6119. Return Value:
  6121. None.
  6123. --*/
  6125. {
  6126. VERIFIER_STRING_INFO Bld;
  6127. PUCHAR BufPtr;
  6128. PWCHAR DriverPtr;
  6129. ULONG BufLen;
  6130. ULONG i;
  6131. ULONG j;
  6132. ULONG DriverChars;
  6133. ULONG MaxChars;
  6134. WCHAR OutBuf[sizeof (VERIFIER_STRING_INFO) * 2 + 1];
  6135. UNICODE_STRING OutBufU;
  6136. ULONG Rem;
  6137. ULONG LastRem;
  6138. LOGICAL Done;
  6140. Bld.BuildNumber = NtBuildNumber;
  6141. Bld.DriverVerifierLevel = MmVerifierData.Level;
  6143. //
  6144. // Unloads and other actions could be encoded in the Flags field here.
  6145. //
  6147. Bld.Flags = 0;
  6149. //
  6150. // Make the last ULONG a weird function of the others.
  6151. //
  6153. Bld.Check = ((Bld.Flags + 1) * Bld.BuildNumber * (Bld.DriverVerifierLevel + 1)) * 123456789;
  6155. BufPtr = (PUCHAR) &Bld;
  6156. BufLen = sizeof (Bld);
  6158. DriverChars = DriverName->Length / sizeof (DriverName->Buffer[0]);
  6159. DriverPtr = DriverName->Buffer;
  6160. MaxChars = DriverChars;
  6162. if (DriverChars < sizeof (VERIFIER_STRING_INFO)) {
  6163. MaxChars = sizeof (VERIFIER_STRING_INFO);
  6164. }
  6166. //
  6167. // Xor each character in the driver name into the buffer.
  6168. //
  6170. for (i = 0; i < MaxChars; i += 1) {
  6171. BufPtr[i % BufLen] ^= (UCHAR) RtlUpcaseUnicodeChar(DriverPtr[i % DriverChars]);
  6172. }
  6174. //
  6175. // Produce a base N decoding of the binary buffer using the printable
  6176. // characters defines. Treat the binary as a byte array and do the
  6177. // division for each, tracking the carry.
  6178. //
  6180. j = 0;
  6181. do {
  6182. Done = TRUE;
  6184. for (i = 0, LastRem = 0; i < sizeof (VERIFIER_STRING_INFO); i += 1) {
  6185. Rem = BufPtr[i] + 256 * LastRem;
  6186. BufPtr[i] = (UCHAR) (Rem / PrintableChars);
  6187. LastRem = Rem % PrintableChars;
  6188. if (BufPtr[i]) {
  6189. Done = FALSE;
  6190. }
  6191. }
  6192. OutBuf[j++] = Printable[LastRem];
  6194. if (j >= sizeof (OutBuf) / sizeof (OutBuf[0])) {
  6196. //
  6197. // The stack buffer isn't big enough.
  6198. //
  6200. return;
  6201. }
  6203. } while (Done == FALSE);
  6205. OutBuf[j] = L'\0';
  6207. OutBufU.Length = OutBufU.MaximumLength = (USHORT) (j * sizeof (WCHAR));
  6208. OutBufU.Buffer = OutBuf;
  6210. DbgPrint ("*******************************************************************************\n"
  6211. "*\n"
  6212. "* This is the string you add to your checkin description\n"
  6213. "* Driver Verifier: Enabled for %Z on Build %ld %wZ\n"
  6214. "*\n"
  6215. "*******************************************************************************\n",
  6216. DriverName, NtBuildNumber & 0xFFFFFFF, &OutBufU);
  6218. return;
  6219. }
  6221. //
  6222. // BEWARE: Various kernel macros are undefined here so we can pull in the
  6223. // real routines. This is needed because the real routines are exported for
  6224. // driver compatibility. This module has been carefully laid out so these
  6225. // macros are not referenced from this point down and references go to the
  6226. // real routines.
  6227. //
  6232. #undef KeRaiseIrql
  6233. #undef KeLowerIrql
  6234. #undef KeAcquireSpinLock
  6235. #undef KeReleaseSpinLock
  6236. #undef KeAcquireSpinLockAtDpcLevel
  6237. #undef KeReleaseSpinLockFromDpcLevel
  6238. #if 0
  6239. #undef ExAcquireResourceExclusive
  6240. #endif
  6242. #if !defined(_AMD64_)
  6244. VOID
  6245. KeRaiseIrql (
  6246. IN KIRQL NewIrql,
  6247. OUT PKIRQL OldIrql
  6248. );
  6250. #endif
  6252. VOID
  6253. KeLowerIrql (
  6254. IN KIRQL NewIrql
  6255. );
  6257. #if !defined(_AMD64_)
  6259. VOID
  6260. KeAcquireSpinLock (
  6261. IN PKSPIN_LOCK SpinLock,
  6262. OUT PKIRQL OldIrql
  6263. );
  6265. #endif
  6267. VOID
  6268. KeReleaseSpinLock (
  6269. IN PKSPIN_LOCK SpinLock,
  6270. IN KIRQL NewIrql
  6271. );
  6273. VOID
  6274. KeAcquireSpinLockAtDpcLevel (
  6275. IN PKSPIN_LOCK SpinLock
  6276. );
  6278. VOID
  6279. KeReleaseSpinLockFromDpcLevel (
  6280. IN PKSPIN_LOCK SpinLock
  6281. );
  6283. #if 0
  6284. BOOLEAN
  6285. ExAcquireResourceExclusive (
  6286. IN PERESOURCE Resource,
  6287. IN BOOLEAN Wait
  6288. );
  6289. #endif
  6291. #ifdef ALLOC_DATA_PRAGMA
  6292. #pragma const_seg("PAGECONST")
  6293. #endif
  6295. const VERIFIER_THUNKS MiVerifierThunks[] = {
  6297. "KeSetEvent",
  6298. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierSetEvent,
  6300. "ExAcquireFastMutexUnsafe",
  6301. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireFastMutexUnsafe,
  6303. "ExReleaseFastMutexUnsafe",
  6304. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExReleaseFastMutexUnsafe,
  6306. "ExAcquireResourceExclusiveLite",
  6307. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireResourceExclusiveLite,
  6309. "ExReleaseResourceLite",
  6310. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExReleaseResourceLite,
  6312. "MmProbeAndLockPages",
  6313. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierProbeAndLockPages,
  6315. #if 0
  6316. //
  6317. // Don't bother thunking this API as it appears no drivers use it.
  6318. //
  6319. "MmProbeAndLockSelectedPages",
  6320. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierProbeAndLockSelectedPages,
  6321. #endif
  6323. "MmProbeAndLockProcessPages",
  6324. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierProbeAndLockProcessPages,
  6326. "MmMapIoSpace",
  6327. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierMapIoSpace,
  6329. "MmMapLockedPages",
  6330. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierMapLockedPages,
  6332. "MmMapLockedPagesSpecifyCache",
  6333. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierMapLockedPagesSpecifyCache,
  6335. "MmUnlockPages",
  6336. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierUnlockPages,
  6338. "MmUnmapLockedPages",
  6339. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierUnmapLockedPages,
  6341. "MmUnmapIoSpace",
  6342. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierUnmapIoSpace,
  6344. "ExAcquireFastMutex",
  6345. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireFastMutex,
  6347. "ExTryToAcquireFastMutex",
  6348. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExTryToAcquireFastMutex,
  6350. "ExReleaseFastMutex",
  6351. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExReleaseFastMutex,
  6353. #if !defined(_AMD64_)
  6355. "KeRaiseIrql",
  6356. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrql,
  6358. #endif
  6360. "KeLowerIrql",
  6361. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeLowerIrql,
  6363. #if !defined(_AMD64_)
  6365. "KeAcquireSpinLock",
  6366. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLock,
  6368. #endif
  6370. "KeReleaseSpinLock",
  6371. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLock,
  6373. #if defined(_X86_)
  6374. "KefAcquireSpinLockAtDpcLevel",
  6375. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLockAtDpcLevel,
  6377. "KefReleaseSpinLockFromDpcLevel",
  6378. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLockFromDpcLevel,
  6379. #else
  6380. "KeAcquireSpinLockAtDpcLevel",
  6381. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLockAtDpcLevel,
  6383. "KeReleaseSpinLockFromDpcLevel",
  6384. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLockFromDpcLevel,
  6385. #endif
  6387. "KeSynchronizeExecution",
  6388. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierSynchronizeExecution,
  6390. "KeInitializeTimerEx",
  6391. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeInitializeTimerEx,
  6393. "KeInitializeTimer",
  6394. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeInitializeTimer,
  6396. "KeWaitForSingleObject",
  6397. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeWaitForSingleObject,
  6399. #if defined(_X86_) || defined(_AMD64_)
  6401. "KfRaiseIrql",
  6402. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfRaiseIrql,
  6404. "KeRaiseIrqlToDpcLevel",
  6405. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrqlToDpcLevel,
  6407. #endif
  6409. #if defined(_X86_)
  6411. "KfLowerIrql",
  6412. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfLowerIrql,
  6414. "KfAcquireSpinLock",
  6415. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfAcquireSpinLock,
  6417. "KfReleaseSpinLock",
  6418. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfReleaseSpinLock,
  6420. #endif
  6422. #if !defined(_X86_)
  6424. "KeAcquireSpinLockRaiseToDpc",
  6425. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLockRaiseToDpc,
  6427. #endif
  6429. "IoFreeIrp",
  6430. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovFreeIrp,
  6432. "IofCallDriver",
  6433. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovCallDriver,
  6435. "IofCompleteRequest",
  6436. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovCompleteRequest,
  6438. "IoBuildDeviceIoControlRequest",
  6439. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovBuildDeviceIoControlRequest,
  6441. "IoBuildAsynchronousFsdRequest",
  6442. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovBuildAsynchronousFsdRequest,
  6444. "IoInitializeTimer",
  6445. (PDRIVER_VERIFIER_THUNK_ROUTINE)IovInitializeTimer,
  6447. "KeQueryPerformanceCounter",
  6448. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfQueryPerformanceCounter,
  6450. "IoGetDmaAdapter",
  6451. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfGetDmaAdapter,
  6453. "HalAllocateCrashDumpRegisters",
  6454. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfAllocateCrashDumpRegisters,
  6456. "ObReferenceObjectByHandle",
  6457. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierReferenceObjectByHandle,
  6459. "KeReleaseMutex",
  6460. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeReleaseMutex,
  6462. "KeInitializeMutex",
  6463. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeInitializeMutex,
  6465. "KeReleaseMutant",
  6466. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeReleaseMutant,
  6468. "KeInitializeMutant",
  6469. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeInitializeMutant,
  6471. "KeInitializeSpinLock",
  6472. (PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeInitializeSpinLock,
  6474. #if !defined(NO_LEGACY_DRIVERS)
  6475. "HalGetAdapter",
  6476. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfLegacyGetAdapter,
  6478. "IoMapTransfer",
  6479. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfMapTransfer,
  6481. "IoFlushAdapterBuffers",
  6482. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfFlushAdapterBuffers,
  6484. "HalAllocateCommonBuffer",
  6485. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfAllocateCommonBuffer,
  6487. "HalFreeCommonBuffer",
  6488. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfFreeCommonBuffer,
  6490. "IoAllocateAdapterChannel",
  6491. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfAllocateAdapterChannel,
  6493. "IoFreeAdapterChannel",
  6494. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfFreeAdapterChannel,
  6496. "IoFreeMapRegisters",
  6497. (PDRIVER_VERIFIER_THUNK_ROUTINE)VfFreeMapRegisters,
  6498. #endif
  6500. "NtCreateFile",
  6501. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierNtCreateFile,
  6503. "NtWriteFile",
  6504. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierNtWriteFile,
  6506. "NtReadFile",
  6507. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierNtReadFile,
  6509. NULL,
  6510. NULL,
  6511. };
  6513. const VERIFIER_THUNKS MiVerifierPoolThunks[] = {
  6515. "ExAllocatePool",
  6516. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePool,
  6518. "ExAllocatePoolWithQuota",
  6519. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithQuota,
  6521. "ExAllocatePoolWithQuotaTag",
  6522. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithQuotaTag,
  6524. "ExAllocatePoolWithTag",
  6525. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithTag,
  6527. "ExAllocatePoolWithTagPriority",
  6528. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithTagPriority,
  6530. "ExFreePool",
  6531. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierFreePool,
  6533. "ExFreePoolWithTag",
  6534. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierFreePoolWithTag,
  6536. NULL,
  6537. NULL,
  6538. };
  6540. #ifdef ALLOC_DATA_PRAGMA
  6541. #pragma data_seg()
  6542. #endif
  6544. PDRIVER_VERIFIER_THUNK_ROUTINE
  6545. MiResolveVerifierExports (
  6546. IN PLOADER_PARAMETER_BLOCK LoaderBlock,
  6547. IN PCHAR PristineName
  6548. )
  6550. /*++
  6552. Routine Description:
  6554. This function scans the kernel & HAL exports for the specified routine name.
  6556. Arguments:
  6558. DataTableEntry - Supplies the data table entry for the driver.
  6560. Return Value:
  6562. Non-NULL address of routine to thunk or NULL if the routine could not be
  6563. found.
  6565. Environment:
  6567. Kernel mode, Phase 0 Initialization only.
  6568. The PsLoadedModuleList has not been initialized yet.
  6569. Non paged pool exists in Phase0, but paged pool does not.
  6571. --*/
  6573. {
  6574. ULONG i;
  6575. PIMAGE_EXPORT_DIRECTORY ExportDirectory;
  6576. PULONG NameTableBase;
  6577. PUSHORT NameOrdinalTableBase;
  6578. PULONG Addr;
  6579. ULONG ExportSize;
  6580. ULONG Low;
  6581. ULONG Middle;
  6582. ULONG High;
  6583. PLIST_ENTRY NextEntry;
  6584. PKLDR_DATA_TABLE_ENTRY DataTableEntry;
  6585. USHORT OrdinalNumber;
  6586. LONG Result;
  6587. PCHAR DllBase;
  6589. i = 0;
  6590. NextEntry = LoaderBlock->LoadOrderListHead.Flink;
  6592. for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) {
  6594. DataTableEntry = CONTAINING_RECORD (NextEntry,
  6595. KLDR_DATA_TABLE_ENTRY,
  6596. InLoadOrderLinks);
  6598. //
  6599. // Process the kernel and HAL exports so the proper routine
  6600. // addresses can be generated now that relocations are complete.
  6601. //
  6603. DllBase = (PCHAR) DataTableEntry->DllBase;
  6605. ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData(
  6606. (PVOID) DllBase,
  6607. TRUE,
  6608. IMAGE_DIRECTORY_ENTRY_EXPORT,
  6609. &ExportSize);
  6611. if (ExportDirectory != NULL) {
  6613. //
  6614. // Lookup the import name in the name table using a binary search.
  6615. //
  6617. NameTableBase = (PULONG)(DllBase + (ULONG)ExportDirectory->AddressOfNames);
  6618. NameOrdinalTableBase = (PUSHORT)(DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
  6620. Low = 0;
  6621. High = ExportDirectory->NumberOfNames - 1;
  6623. //
  6624. // Initializing Middle is not needed for correctness, but without it
  6625. // the compiler cannot compile this code W4 to check for use of
  6626. // uninitialized variables.
  6627. //
  6629. Middle = 0;
  6631. while (High >= Low) {
  6633. //
  6634. // Compute the next probe index and compare the import name
  6635. // with the export name entry.
  6636. //
  6638. Middle = (Low + High) >> 1;
  6639. Result = strcmp (PristineName,
  6640. (PCHAR)DllBase + NameTableBase[Middle]);
  6642. if (Result < 0) {
  6643. High = Middle - 1;
  6645. } else if (Result > 0) {
  6646. Low = Middle + 1;
  6648. }
  6649. else {
  6650. break;
  6651. }
  6652. }
  6654. //
  6655. // If the high index is less than the low index, then a matching
  6656. // table entry was not found. Otherwise, get the ordinal number
  6657. // from the ordinal table.
  6658. //
  6660. if ((LONG)High >= (LONG)Low) {
  6661. OrdinalNumber = NameOrdinalTableBase[Middle];
  6663. //
  6664. // If OrdinalNumber is not within the Export Address Table,
  6665. // then DLL does not implement function. Otherwise we have
  6666. // the export that matches the specified argument routine name.
  6667. //
  6669. if ((ULONG)OrdinalNumber < ExportDirectory->NumberOfFunctions) {
  6671. Addr = (PULONG)(DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
  6672. return (PDRIVER_VERIFIER_THUNK_ROUTINE)(ULONG_PTR)(DllBase + Addr[OrdinalNumber]);
  6673. }
  6674. }
  6675. }
  6677. i += 1;
  6678. if (i == 2) {
  6679. break;
  6680. }
  6681. }
  6682. return NULL;
  6683. }
  6685. LOGICAL
  6686. MiEnableVerifier (
  6687. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  6688. )
  6690. /*++
  6692. Routine Description:
  6694. This function enables the verifier for the argument driver by thunking
  6695. relevant system APIs in the argument driver import table.
  6697. Arguments:
  6699. DataTableEntry - Supplies the data table entry for the driver.
  6701. Return Value:
  6703. TRUE if thunking was applied, FALSE if not.
  6705. Environment:
  6707. Kernel mode, Phase 0 Initialization and normal runtime.
  6708. Non paged pool exists in Phase0, but paged pool does not.
  6710. --*/
  6712. {
  6713. ULONG i;
  6714. ULONG j;
  6715. PULONG_PTR ImportThunk;
  6716. ULONG ImportSize;
  6717. VERIFIER_THUNKS const *VerifierThunk;
  6718. LOGICAL Found;
  6719. ULONG_PTR RealRoutine;
  6720. PLIST_ENTRY NextEntry;
  6721. PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable;
  6722. PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
  6724. ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
  6725. DataTableEntry->DllBase,
  6726. TRUE,
  6727. IMAGE_DIRECTORY_ENTRY_IAT,
  6728. &ImportSize);
  6730. if (ImportThunk == NULL) {
  6731. return FALSE;
  6732. }
  6734. ImportSize /= sizeof(PULONG_PTR);
  6736. for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
  6738. Found = FALSE;
  6740. if (KernelVerifier == FALSE) {
  6741. VerifierThunk = MiVerifierThunks;
  6743. while (VerifierThunk->PristineRoutineAsciiName != NULL) {
  6745. RealRoutine = (ULONG_PTR)VerifierThunk->PristineRoutine;
  6747. if (*ImportThunk == RealRoutine) {
  6748. *ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine);
  6749. Found = TRUE;
  6750. break;
  6751. }
  6752. VerifierThunk += 1;
  6753. }
  6754. }
  6756. if (Found == FALSE) {
  6757. VerifierThunk = MiVerifierPoolThunks;
  6759. while (VerifierThunk->PristineRoutineAsciiName != NULL) {
  6761. RealRoutine = (ULONG_PTR)VerifierThunk->PristineRoutine;
  6763. if (*ImportThunk == RealRoutine) {
  6764. *ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine);
  6765. Found = TRUE;
  6766. break;
  6767. }
  6768. VerifierThunk += 1;
  6769. }
  6770. }
  6772. if (Found == FALSE) {
  6774. NextEntry = MiVerifierDriverAddedThunkListHead.Flink;
  6775. while (NextEntry != &MiVerifierDriverAddedThunkListHead) {
  6777. ThunkTableBase = CONTAINING_RECORD(NextEntry,
  6778. DRIVER_SPECIFIED_VERIFIER_THUNKS,
  6779. ListEntry);
  6781. ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1);
  6783. for (j = 0; j < ThunkTableBase->NumberOfThunks; j += 1) {
  6785. if (*ImportThunk == (ULONG_PTR)ThunkTable->PristineRoutine) {
  6786. *ImportThunk = (ULONG_PTR)(ThunkTable->NewRoutine);
  6787. Found = TRUE;
  6788. break;
  6789. }
  6790. ThunkTable += 1;
  6791. }
  6793. if (Found == TRUE) {
  6794. break;
  6795. }
  6797. NextEntry = NextEntry->Flink;
  6798. }
  6799. }
  6800. }
  6801. return TRUE;
  6802. }
  6804. LOGICAL
  6805. MiReEnableVerifier (
  6806. IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
  6807. )
  6809. /*++
  6811. Routine Description:
  6813. This function thunks DLL-supplied APIs in the argument driver import table.
  6815. Arguments:
  6817. DataTableEntry - Supplies the data table entry for the driver.
  6819. Return Value:
  6821. TRUE if thunking was applied, FALSE if not.
  6823. Environment:
  6825. Kernel mode, Phase 0 Initialization only.
  6826. Non paged pool exists in Phase0, but paged pool does not.
  6828. --*/
  6830. {
  6831. ULONG i;
  6832. ULONG j;
  6833. PULONG_PTR ImportThunk;
  6834. ULONG ImportSize;
  6835. LOGICAL Found;
  6836. PLIST_ENTRY NextEntry;
  6837. PMMPTE PointerPte;
  6838. PULONG_PTR VirtualThunk;
  6839. PFN_NUMBER PageFrameIndex;
  6840. PFN_NUMBER VirtualPageFrameIndex;
  6841. PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable;
  6842. PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
  6843. ULONG Offset;
  6845. ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
  6846. DataTableEntry->DllBase,
  6847. TRUE,
  6848. IMAGE_DIRECTORY_ENTRY_IAT,
  6849. &ImportSize);
  6851. if (ImportThunk == NULL) {
  6852. return FALSE;
  6853. }
  6855. VirtualThunk = NULL;
  6856. ImportSize /= sizeof(PULONG_PTR);
  6858. //
  6859. // Initializing VirtualPageFrameIndex is not needed for correctness, but
  6860. // without it the compiler cannot compile this code W4 to check for use of
  6861. // uninitialized variables.
  6862. //
  6864. VirtualPageFrameIndex = 0;
  6866. for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
  6868. Found = FALSE;
  6870. NextEntry = MiVerifierDriverAddedThunkListHead.Flink;
  6871. while (NextEntry != &MiVerifierDriverAddedThunkListHead) {
  6873. ThunkTableBase = CONTAINING_RECORD(NextEntry,
  6874. DRIVER_SPECIFIED_VERIFIER_THUNKS,
  6875. ListEntry);
  6877. ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1);
  6879. for (j = 0; j < ThunkTableBase->NumberOfThunks; j += 1) {
  6881. if (*ImportThunk == (ULONG_PTR)ThunkTable->PristineRoutine) {
  6883. ASSERT (MI_IS_PHYSICAL_ADDRESS(ImportThunk) == 0);
  6884. PointerPte = MiGetPteAddress (ImportThunk);
  6885. ASSERT (PointerPte->u.Hard.Valid == 1);
  6886. PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
  6887. Offset = (ULONG) MiGetByteOffset(ImportThunk);
  6889. if ((VirtualThunk != NULL) &&
  6890. (VirtualPageFrameIndex == PageFrameIndex)) {
  6892. NOTHING;
  6893. }
  6894. else {
  6896. VirtualThunk = MiMapSinglePage (VirtualThunk,
  6897. PageFrameIndex,
  6898. MmCached,
  6899. HighPagePriority);
  6901. if (VirtualThunk == NULL) {
  6902. return FALSE;
  6903. }
  6904. VirtualPageFrameIndex = PageFrameIndex;
  6905. }
  6907. *(PULONG_PTR)((PUCHAR)VirtualThunk + Offset) =
  6908. (ULONG_PTR)(ThunkTable->NewRoutine);
  6910. Found = TRUE;
  6911. break;
  6912. }
  6913. ThunkTable += 1;
  6914. }
  6916. if (Found == TRUE) {
  6917. break;
  6918. }
  6920. NextEntry = NextEntry->Flink;
  6921. }
  6922. }
  6924. if (VirtualThunk != NULL) {
  6925. MiUnmapSinglePage (VirtualThunk);
  6926. }
  6928. return TRUE;
  6929. }
  6931. typedef struct _KERNEL_VERIFIER_THUNK_PAIRS {
  6932. PDRIVER_VERIFIER_THUNK_ROUTINE PristineRoutine;
  6933. PDRIVER_VERIFIER_THUNK_ROUTINE NewRoutine;
  6934. } KERNEL_VERIFIER_THUNK_PAIRS, *PKERNEL_VERIFIER_THUNK_PAIRS;
  6936. #if defined(_X86_)
  6938. #ifdef ALLOC_DATA_PRAGMA
  6939. #pragma const_seg("INITCONST")
  6940. #endif
  6942. const KERNEL_VERIFIER_THUNK_PAIRS MiKernelVerifierThunks[] = {
  6944. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeRaiseIrql,
  6945. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrql,
  6947. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeLowerIrql,
  6948. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeLowerIrql,
  6950. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeAcquireSpinLock,
  6951. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLock,
  6953. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeReleaseSpinLock,
  6954. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLock,
  6956. (PDRIVER_VERIFIER_THUNK_ROUTINE)KfRaiseIrql,
  6957. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfRaiseIrql,
  6959. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeRaiseIrqlToDpcLevel,
  6960. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrqlToDpcLevel,
  6962. (PDRIVER_VERIFIER_THUNK_ROUTINE)KfLowerIrql,
  6963. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfLowerIrql,
  6965. (PDRIVER_VERIFIER_THUNK_ROUTINE)KfAcquireSpinLock,
  6966. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfAcquireSpinLock,
  6968. (PDRIVER_VERIFIER_THUNK_ROUTINE)KfReleaseSpinLock,
  6969. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfReleaseSpinLock,
  6971. #if !defined(NT_UP)
  6972. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeAcquireQueuedSpinLock,
  6973. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireQueuedSpinLock,
  6975. (PDRIVER_VERIFIER_THUNK_ROUTINE)KeReleaseQueuedSpinLock,
  6976. (PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseQueuedSpinLock,
  6977. #endif
  6978. };
  6980. #ifdef ALLOC_DATA_PRAGMA
  6981. #pragma data_seg()
  6982. #endif
  6984. VOID
  6985. MiEnableKernelVerifier (
  6986. VOID
  6987. )
  6989. /*++
  6991. Routine Description:
  6993. This function enables the verifier for the kernel by thunking
  6994. relevant HAL APIs in the kernel's import table.
  6996. Arguments:
  6998. None.
  7000. Return Value:
  7002. None.
  7004. Environment:
  7006. Kernel mode, Phase 1 Initialization.
  7008. --*/
  7010. {
  7011. ULONG i;
  7012. PULONG_PTR ImportThunk;
  7013. ULONG ImportSize;
  7014. KERNEL_VERIFIER_THUNK_PAIRS const *VerifierThunk;
  7015. ULONG ThunkCount;
  7016. ULONG_PTR RealRoutine;
  7017. PULONG_PTR PointerRealRoutine;
  7019. if (KernelVerifier == FALSE) {
  7020. return;
  7021. }
  7023. ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
  7024. PsNtosImageBase,
  7025. TRUE,
  7026. IMAGE_DIRECTORY_ENTRY_IAT,
  7027. &ImportSize);
  7029. if (ImportThunk == NULL) {
  7030. return;
  7031. }
  7033. ImportSize /= sizeof(PULONG_PTR);
  7035. for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
  7037. VerifierThunk = MiKernelVerifierThunks;
  7039. for (ThunkCount = 0; ThunkCount < sizeof (MiKernelVerifierThunks) / sizeof (KERNEL_VERIFIER_THUNK_PAIRS); ThunkCount += 1) {
  7041. //
  7042. // Only the x86 has/needs this oddity - take the kernel address,
  7043. // knowing that it points at a 2 byte jmp opcode followed by
  7044. // a 4-byte indirect pointer to a destination address.
  7045. //
  7047. PointerRealRoutine = (PULONG_PTR)*((PULONG_PTR)((ULONG_PTR)VerifierThunk->PristineRoutine + 2));
  7048. RealRoutine = *PointerRealRoutine;
  7050. if (*ImportThunk == RealRoutine) {
  7052. //
  7053. // Order is important here.
  7054. //
  7056. if (MiKernelVerifierOriginalCalls[ThunkCount] == NULL) {
  7057. MiKernelVerifierOriginalCalls[ThunkCount] = (PVOID)RealRoutine;
  7058. }
  7060. *ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine);
  7062. break;
  7063. }
  7064. VerifierThunk += 1;
  7065. }
  7066. }
  7067. return;
  7068. }
  7069. #endif
  7071. //
  7072. // BEWARE: Various kernel macros were undefined above so we can pull in the
  7073. // real routines. This is needed because the real routines are exported for
  7074. // driver compatibility. This module has been carefully laid out so these
  7075. // macros are not referenced from that point to here and references go to the
  7076. // real routines.
  7077. //
  7078. // BE EXTREMELY CAREFUL IF YOU DECIDE TO ADD ROUTINES BELOW THIS POINT !
  7079. //