mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7767 lines
229 KiB
7767 lines
229 KiB
/*++
|
|
|
|
Copyright (c) 1991 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
sysload.c
|
|
|
|
Abstract:
|
|
|
|
This module contains the code to load DLLs into the system portion of
|
|
the address space and calls the DLL at its initialization entry point.
|
|
|
|
Author:
|
|
|
|
Lou Perazzoli 21-May-1991
|
|
Landy Wang 02-June-1997
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
#include "mi.h"
|
|
|
|
KMUTANT MmSystemLoadLock;
|
|
|
|
ULONG MmTotalSystemDriverPages;
|
|
|
|
ULONG MmDriverCommit;
|
|
|
|
ULONG MiFirstDriverLoadEver = 0;
|
|
|
|
//
|
|
// This key is set to TRUE to make more memory below 16mb available for drivers.
|
|
// It can be cleared via the registry.
|
|
//
|
|
|
|
LOGICAL MmMakeLowMemory = TRUE;
|
|
|
|
//
|
|
// Enabled via the registry to identify drivers which unload without releasing
|
|
// resources or still have active timers, etc.
|
|
//
|
|
|
|
PUNLOADED_DRIVERS MmUnloadedDrivers;
|
|
|
|
ULONG MmLastUnloadedDriver;
|
|
ULONG MiTotalUnloads;
|
|
ULONG MiUnloadsSkipped;
|
|
|
|
//
|
|
// This can be set by the registry.
|
|
//
|
|
|
|
ULONG MmEnforceWriteProtection = 1;
|
|
|
|
//
|
|
// Referenced by ke\bugcheck.c.
|
|
//
|
|
|
|
PVOID ExPoolCodeStart;
|
|
PVOID ExPoolCodeEnd;
|
|
PVOID MmPoolCodeStart;
|
|
PVOID MmPoolCodeEnd;
|
|
PVOID MmPteCodeStart;
|
|
PVOID MmPteCodeEnd;
|
|
|
|
extern LONG MiSessionLeaderExists;
|
|
|
|
ULONG
|
|
CacheImageSymbols (
|
|
IN PVOID ImageBase
|
|
);
|
|
|
|
NTSTATUS
|
|
MiResolveImageReferences (
|
|
PVOID ImageBase,
|
|
IN PUNICODE_STRING ImageFileDirectory,
|
|
IN PUNICODE_STRING NamePrefix OPTIONAL,
|
|
OUT PCHAR *MissingProcedureName,
|
|
OUT PWSTR *MissingDriverName,
|
|
OUT PLOAD_IMPORTS *LoadedImports
|
|
);
|
|
|
|
NTSTATUS
|
|
MiSnapThunk (
|
|
IN PVOID DllBase,
|
|
IN PVOID ImageBase,
|
|
IN PIMAGE_THUNK_DATA NameThunk,
|
|
OUT PIMAGE_THUNK_DATA AddrThunk,
|
|
IN PIMAGE_EXPORT_DIRECTORY ExportDirectory,
|
|
IN ULONG ExportSize,
|
|
IN LOGICAL SnapForwarder,
|
|
OUT PCHAR *MissingProcedureName
|
|
);
|
|
|
|
NTSTATUS
|
|
MiLoadImageSection (
|
|
IN PSECTION SectionPointer,
|
|
OUT PVOID *ImageBase,
|
|
IN PUNICODE_STRING ImageFileName,
|
|
IN ULONG LoadInSessionSpace
|
|
);
|
|
|
|
VOID
|
|
MiEnablePagingOfDriver (
|
|
IN PVOID ImageHandle
|
|
);
|
|
|
|
VOID
|
|
MiSetPagingOfDriver (
|
|
IN PMMPTE PointerPte,
|
|
IN PMMPTE LastPte,
|
|
IN LOGICAL SessionSpace
|
|
);
|
|
|
|
PVOID
|
|
MiLookupImageSectionByName (
|
|
IN PVOID Base,
|
|
IN LOGICAL MappedAsImage,
|
|
IN PCHAR SectionName,
|
|
OUT PULONG SectionSize
|
|
);
|
|
|
|
VOID
|
|
MiClearImports (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
);
|
|
|
|
NTSTATUS
|
|
MiBuildImportsForBootDrivers (
|
|
VOID
|
|
);
|
|
|
|
NTSTATUS
|
|
MmCheckSystemImage (
|
|
IN HANDLE ImageFileHandle,
|
|
IN LOGICAL PurgeSection
|
|
);
|
|
|
|
LONG
|
|
MiMapCacheExceptionFilter (
|
|
OUT PNTSTATUS Status,
|
|
IN PEXCEPTION_POINTERS ExceptionPointer
|
|
);
|
|
|
|
ULONG
|
|
MiSetProtectionOnTransitionPte (
|
|
IN PMMPTE PointerPte,
|
|
IN ULONG ProtectionMask
|
|
);
|
|
|
|
NTSTATUS
|
|
MiDereferenceImports (
|
|
IN PLOAD_IMPORTS ImportList
|
|
);
|
|
|
|
LOGICAL
|
|
MiCallDllUnloadAndUnloadDll (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
);
|
|
|
|
PVOID
|
|
MiLocateExportName (
|
|
IN PVOID DllBase,
|
|
IN PCHAR FunctionName
|
|
);
|
|
|
|
VOID
|
|
MiRememberUnloadedDriver (
|
|
IN PUNICODE_STRING DriverName,
|
|
IN PVOID Address,
|
|
IN ULONG Length
|
|
);
|
|
|
|
VOID
|
|
MiWriteProtectSystemImage (
|
|
IN PVOID DllBase
|
|
);
|
|
|
|
VOID
|
|
MiLocateKernelSections (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
);
|
|
|
|
VOID
|
|
MiUpdateThunks (
|
|
IN PLOADER_PARAMETER_BLOCK LoaderBlock,
|
|
IN PVOID OldAddress,
|
|
IN PVOID NewAddress,
|
|
IN ULONG NumberOfBytes
|
|
);
|
|
|
|
PVOID
|
|
MiFindExportedRoutineByName (
|
|
IN PVOID DllBase,
|
|
IN PANSI_STRING AnsiImageRoutineName
|
|
);
|
|
|
|
#if 0
|
|
VOID
|
|
MiLockDriverPdata (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
);
|
|
#endif
|
|
|
|
VOID
|
|
MiSetSystemCodeProtection (
|
|
IN PMMPTE FirstPte,
|
|
IN PMMPTE LastPte
|
|
);
|
|
|
|
LOGICAL
|
|
MiChargeResidentAvailable (
|
|
IN PFN_NUMBER NumberOfPages,
|
|
IN ULONG Id
|
|
);
|
|
|
|
VOID
|
|
MiReturnResidentAvailable (
|
|
IN PFN_NUMBER NumberOfPages,
|
|
IN ULONG Id
|
|
);
|
|
|
|
#ifdef ALLOC_PRAGMA
|
|
#pragma alloc_text(PAGE,MmCheckSystemImage)
|
|
#pragma alloc_text(PAGE,MmLoadSystemImage)
|
|
#pragma alloc_text(PAGE,MiResolveImageReferences)
|
|
#pragma alloc_text(PAGE,MiSnapThunk)
|
|
#pragma alloc_text(PAGE,MiEnablePagingOfDriver)
|
|
#pragma alloc_text(PAGE,MmPageEntireDriver)
|
|
#pragma alloc_text(PAGE,MiSetImageProtect)
|
|
#pragma alloc_text(PAGE,MiDereferenceImports)
|
|
#pragma alloc_text(PAGE,MiCallDllUnloadAndUnloadDll)
|
|
#pragma alloc_text(PAGE,MiLocateExportName)
|
|
#pragma alloc_text(PAGE,MiClearImports)
|
|
#pragma alloc_text(PAGE,MiWriteProtectSystemImage)
|
|
#pragma alloc_text(PAGE,MmGetSystemRoutineAddress)
|
|
#pragma alloc_text(PAGE,MiFindExportedRoutineByName)
|
|
#pragma alloc_text(PAGE,MmCallDllInitialize)
|
|
#pragma alloc_text(PAGE,MmFreeDriverInitialization)
|
|
#pragma alloc_text(PAGE,MmResetDriverPaging)
|
|
#pragma alloc_text(PAGE,MmUnloadSystemImage)
|
|
#pragma alloc_text(PAGE,MiLoadImageSection)
|
|
#pragma alloc_text(PAGE,MiRememberUnloadedDriver)
|
|
#pragma alloc_text(INIT,MiBuildImportsForBootDrivers)
|
|
#pragma alloc_text(INIT,MiReloadBootLoadedDrivers)
|
|
#pragma alloc_text(INIT,MiUpdateThunks)
|
|
#pragma alloc_text(INIT,MiInitializeLoadedModuleList)
|
|
#pragma alloc_text(INIT,MiLocateKernelSections)
|
|
#if 0
|
|
#pragma alloc_text(PAGEKD,MiLockDriverPdata)
|
|
#endif
|
|
|
|
#if !defined(NT_UP)
|
|
#pragma alloc_text(PAGE,MmVerifyImageIsOkForMpUse)
|
|
#endif
|
|
|
|
#endif
|
|
|
|
CHAR MiPteStr[] = "\0";
|
|
|
|
VOID
|
|
MiProcessLoaderEntry (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry,
|
|
IN LOGICAL Insert
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function is a nonpaged wrapper which acquires the PsLoadedModuleList
|
|
lock to insert a new entry.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the loaded module list entry to insert/remove.
|
|
|
|
Insert - Supplies TRUE if the entry should be inserted, FALSE if the entry
|
|
should be removed.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode. Normal APCs disabled (critical region held).
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
|
|
ExAcquireResourceExclusiveLite (&PsLoadedModuleResource, TRUE);
|
|
ExAcquireSpinLock (&PsLoadedModuleSpinLock, &OldIrql);
|
|
|
|
if (Insert == TRUE) {
|
|
InsertTailList (&PsLoadedModuleList, &DataTableEntry->InLoadOrderLinks);
|
|
|
|
#if defined(_AMD64_) // || defined(_IA64_)
|
|
|
|
RtlInsertInvertedFunctionTable (&PsInvertedFunctionTable,
|
|
DataTableEntry->DllBase,
|
|
DataTableEntry->SizeOfImage);
|
|
|
|
#endif
|
|
|
|
}
|
|
else {
|
|
|
|
#if defined(_AMD64_) // || defined(_IA64_)
|
|
|
|
RtlRemoveInvertedFunctionTable (&PsInvertedFunctionTable,
|
|
DataTableEntry->DllBase);
|
|
|
|
#endif
|
|
|
|
RemoveEntryList (&DataTableEntry->InLoadOrderLinks);
|
|
}
|
|
|
|
ExReleaseSpinLock (&PsLoadedModuleSpinLock, OldIrql);
|
|
ExReleaseResourceLite (&PsLoadedModuleResource);
|
|
}
|
|
|
|
NTSTATUS
|
|
MmLoadSystemImage (
|
|
IN PUNICODE_STRING ImageFileName,
|
|
IN PUNICODE_STRING NamePrefix OPTIONAL,
|
|
IN PUNICODE_STRING LoadedBaseName OPTIONAL,
|
|
IN ULONG LoadFlags,
|
|
OUT PVOID *ImageHandle,
|
|
OUT PVOID *ImageBaseAddress
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine reads the image pages from the specified section into
|
|
the system and returns the address of the DLL's header.
|
|
|
|
At successful completion, the Section is referenced so it remains
|
|
until the system image is unloaded.
|
|
|
|
Arguments:
|
|
|
|
ImageFileName - Supplies the full path name (including the image name)
|
|
of the image to load.
|
|
|
|
NamePrefix - If present, supplies the prefix to use with the image name on
|
|
load operations. This is used to load the same image multiple
|
|
times, by using different prefixes.
|
|
|
|
LoadedBaseName - If present, supplies the base name to use on the
|
|
loaded image instead of the base name found on the
|
|
image name.
|
|
|
|
LoadFlags - Supplies a combination of bit flags as follows:
|
|
|
|
MM_LOAD_IMAGE_IN_SESSION :
|
|
- Supplies whether to load this image in session space.
|
|
Each session gets a different copy of this driver with
|
|
pages shared as much as possible via copy on write.
|
|
|
|
MM_LOAD_IMAGE_AND_LOCKDOWN :
|
|
- Supplies TRUE if the image pages should be made
|
|
nonpagable.
|
|
|
|
ImageHandle - Returns an opaque pointer to the referenced section object
|
|
of the image that was loaded.
|
|
|
|
ImageBaseAddress - Returns the image base within the system.
|
|
|
|
Return Value:
|
|
|
|
Status of the load operation.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, APC_LEVEL or below, arbitrary process context.
|
|
|
|
--*/
|
|
|
|
{
|
|
SIZE_T DataTableEntrySize;
|
|
PWSTR BaseDllNameBuffer;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
KLDR_DATA_TABLE_ENTRY TempDataTableEntry;
|
|
NTSTATUS Status;
|
|
PSECTION SectionPointer;
|
|
PIMAGE_NT_HEADERS NtHeaders;
|
|
UNICODE_STRING PrefixedImageName;
|
|
UNICODE_STRING BaseName;
|
|
UNICODE_STRING BaseDirectory;
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
HANDLE FileHandle;
|
|
HANDLE SectionHandle;
|
|
IO_STATUS_BLOCK IoStatus;
|
|
PCHAR NameBuffer;
|
|
PLIST_ENTRY NextEntry;
|
|
ULONG NumberOfPtes;
|
|
PCHAR MissingProcedureName;
|
|
PWSTR MissingDriverName;
|
|
PWSTR PrintableMissingDriverName;
|
|
PLOAD_IMPORTS LoadedImports;
|
|
PMMSESSION Session;
|
|
LOGICAL AlreadyOpen;
|
|
LOGICAL IssueUnloadOnFailure;
|
|
ULONG SectionAccess;
|
|
PKTHREAD CurrentThread;
|
|
|
|
PAGED_CODE();
|
|
|
|
LoadedImports = (PLOAD_IMPORTS)NO_IMPORTS_USED;
|
|
SectionPointer = (PVOID)-1;
|
|
FileHandle = (HANDLE)0;
|
|
MissingProcedureName = NULL;
|
|
MissingDriverName = NULL;
|
|
IssueUnloadOnFailure = FALSE;
|
|
MiFirstDriverLoadEver |= 0x1;
|
|
|
|
NameBuffer = ExAllocatePoolWithTag (NonPagedPool,
|
|
MAXIMUM_FILENAME_LENGTH,
|
|
'nLmM');
|
|
|
|
if (NameBuffer == NULL) {
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
//
|
|
// Initializing these is not needed for correctness, but
|
|
// without it the compiler cannot compile this code W4 to check
|
|
// for use of uninitialized variables.
|
|
//
|
|
|
|
NumberOfPtes = (ULONG)-1;
|
|
DataTableEntry = NULL;
|
|
|
|
if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) {
|
|
|
|
ASSERT (NamePrefix == NULL);
|
|
ASSERT (LoadedBaseName == NULL);
|
|
|
|
if ((PsGetCurrentProcess()->Flags & PS_PROCESS_FLAGS_IN_SESSION) == 0) {
|
|
ExFreePool (NameBuffer);
|
|
return STATUS_NO_MEMORY;
|
|
}
|
|
|
|
ASSERT (MmIsAddressValid (MmSessionSpace) == TRUE);
|
|
|
|
Session = &MmSessionSpace->Session;
|
|
}
|
|
else {
|
|
Session = &MmSession;
|
|
}
|
|
|
|
//
|
|
// Get name roots.
|
|
//
|
|
|
|
if (ImageFileName->Buffer[0] == OBJ_NAME_PATH_SEPARATOR) {
|
|
PWCHAR p;
|
|
ULONG l;
|
|
|
|
p = &ImageFileName->Buffer[ImageFileName->Length>>1];
|
|
while (*(p-1) != OBJ_NAME_PATH_SEPARATOR) {
|
|
p--;
|
|
}
|
|
l = (ULONG)(&ImageFileName->Buffer[ImageFileName->Length>>1] - p);
|
|
l *= sizeof(WCHAR);
|
|
BaseName.Length = (USHORT)l;
|
|
BaseName.Buffer = p;
|
|
}
|
|
else {
|
|
BaseName.Length = ImageFileName->Length;
|
|
BaseName.Buffer = ImageFileName->Buffer;
|
|
}
|
|
|
|
BaseName.MaximumLength = BaseName.Length;
|
|
BaseDirectory = *ImageFileName;
|
|
BaseDirectory.Length = (USHORT)(BaseDirectory.Length - BaseName.Length);
|
|
BaseDirectory.MaximumLength = BaseDirectory.Length;
|
|
PrefixedImageName = *ImageFileName;
|
|
|
|
//
|
|
// If there's a name prefix, add it to the PrefixedImageName.
|
|
//
|
|
|
|
if (NamePrefix) {
|
|
PrefixedImageName.MaximumLength = (USHORT)(BaseDirectory.Length + NamePrefix->Length + BaseName.Length);
|
|
|
|
PrefixedImageName.Buffer = ExAllocatePoolWithTag (
|
|
NonPagedPool,
|
|
PrefixedImageName.MaximumLength,
|
|
'dLmM');
|
|
|
|
if (!PrefixedImageName.Buffer) {
|
|
ExFreePool (NameBuffer);
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
PrefixedImageName.Length = 0;
|
|
RtlAppendUnicodeStringToString(&PrefixedImageName, &BaseDirectory);
|
|
RtlAppendUnicodeStringToString(&PrefixedImageName, NamePrefix);
|
|
RtlAppendUnicodeStringToString(&PrefixedImageName, &BaseName);
|
|
|
|
//
|
|
// Alter the basename to match.
|
|
//
|
|
|
|
BaseName.Buffer = PrefixedImageName.Buffer + BaseDirectory.Length / sizeof(WCHAR);
|
|
BaseName.Length = (USHORT)(BaseName.Length + NamePrefix->Length);
|
|
BaseName.MaximumLength = (USHORT)(BaseName.MaximumLength + NamePrefix->Length);
|
|
}
|
|
|
|
//
|
|
// If there's a loaded base name, use it instead of the base name.
|
|
//
|
|
|
|
if (LoadedBaseName) {
|
|
BaseName = *LoadedBaseName;
|
|
}
|
|
|
|
#if DBG
|
|
if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) {
|
|
DbgPrint ("MM:SYSLDR Loading %wZ (%wZ) %s\n",
|
|
&PrefixedImageName,
|
|
&BaseName,
|
|
(LoadFlags & MM_LOAD_IMAGE_IN_SESSION) ? "in session space" : " ");
|
|
}
|
|
#endif
|
|
|
|
AlreadyOpen = FALSE;
|
|
|
|
//
|
|
// Arbitrary process context so prevent suspend APCs now.
|
|
//
|
|
|
|
CurrentThread = KeGetCurrentThread ();
|
|
KeEnterCriticalRegionThread (CurrentThread);
|
|
|
|
KeWaitForSingleObject (&MmSystemLoadLock,
|
|
WrVirtualMemory,
|
|
KernelMode,
|
|
FALSE,
|
|
(PLARGE_INTEGER)NULL);
|
|
|
|
//
|
|
// Check to see if this name already exists in the loader database.
|
|
//
|
|
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
while (NextEntry != &PsLoadedModuleList) {
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
if (RtlEqualUnicodeString (&PrefixedImageName,
|
|
&DataTableEntry->FullDllName,
|
|
TRUE)) {
|
|
|
|
if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) {
|
|
|
|
if (MI_IS_SESSION_ADDRESS (DataTableEntry->DllBase) == FALSE) {
|
|
|
|
//
|
|
// The caller is trying to load a driver in session space
|
|
// that has already been loaded in system space. This is
|
|
// not allowed.
|
|
//
|
|
|
|
Status = STATUS_CONFLICTING_ADDRESSES;
|
|
goto return2;
|
|
}
|
|
|
|
AlreadyOpen = TRUE;
|
|
|
|
//
|
|
// The LoadCount should generally not be 0 here, but it is
|
|
// possible in the case where an attempt has been made to
|
|
// unload a DLL on last dereference, but the DLL refused to
|
|
// unload.
|
|
//
|
|
|
|
DataTableEntry->LoadCount += 1;
|
|
SectionPointer = DataTableEntry->SectionPointer;
|
|
break;
|
|
}
|
|
else {
|
|
if (MI_IS_SESSION_ADDRESS (DataTableEntry->DllBase) == TRUE) {
|
|
|
|
//
|
|
// The caller is trying to load a driver in systemwide space
|
|
// that has already been loaded in session space. This is
|
|
// not allowed.
|
|
//
|
|
|
|
Status = STATUS_CONFLICTING_ADDRESSES;
|
|
goto return2;
|
|
}
|
|
}
|
|
|
|
*ImageHandle = DataTableEntry;
|
|
*ImageBaseAddress = DataTableEntry->DllBase;
|
|
Status = STATUS_IMAGE_ALREADY_LOADED;
|
|
goto return2;
|
|
}
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
ASSERT (AlreadyOpen == TRUE || NextEntry == &PsLoadedModuleList);
|
|
|
|
if (AlreadyOpen == FALSE) {
|
|
|
|
//
|
|
// Check and see if a user wants to replace this binary
|
|
// via a transfer through the kernel debugger. If this
|
|
// fails just continue on with the existing file.
|
|
//
|
|
if (KdDebuggerEnabled && KdDebuggerNotPresent == FALSE) {
|
|
Status = KdPullRemoteFile(ImageFileName,
|
|
FILE_ATTRIBUTE_NORMAL,
|
|
FILE_OVERWRITE_IF,
|
|
FILE_SYNCHRONOUS_IO_NONALERT);
|
|
if (NT_SUCCESS(Status)) {
|
|
DbgPrint("MmLoadSystemImage: Pulled %wZ from kd\n",
|
|
ImageFileName);
|
|
}
|
|
}
|
|
|
|
DataTableEntry = NULL;
|
|
|
|
//
|
|
// Attempt to open the driver image itself. If this fails, then the
|
|
// driver image cannot be located, so nothing else matters.
|
|
//
|
|
|
|
InitializeObjectAttributes (&ObjectAttributes,
|
|
ImageFileName,
|
|
(OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE),
|
|
NULL,
|
|
NULL);
|
|
|
|
Status = ZwOpenFile (&FileHandle,
|
|
FILE_EXECUTE,
|
|
&ObjectAttributes,
|
|
&IoStatus,
|
|
FILE_SHARE_READ | FILE_SHARE_DELETE,
|
|
0);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
|
|
#if DBG
|
|
if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) {
|
|
DbgPrint ("MiLoadImageSection: cannot open %wZ\n",
|
|
ImageFileName);
|
|
}
|
|
#endif
|
|
//
|
|
// Don't raise hard error status for file not found.
|
|
//
|
|
|
|
goto return2;
|
|
}
|
|
|
|
Status = MmCheckSystemImage(FileHandle, FALSE);
|
|
|
|
if ((Status == STATUS_IMAGE_CHECKSUM_MISMATCH) ||
|
|
(Status == STATUS_IMAGE_MP_UP_MISMATCH) ||
|
|
(Status == STATUS_INVALID_IMAGE_PROTECT)) {
|
|
|
|
goto return1;
|
|
}
|
|
|
|
//
|
|
// Now attempt to create an image section for the file. If this fails,
|
|
// then the driver file is not an image. Session space drivers are
|
|
// shared text with copy on write data, so don't allow writes here.
|
|
//
|
|
|
|
if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) {
|
|
SectionAccess = SECTION_MAP_READ | SECTION_MAP_EXECUTE;
|
|
}
|
|
else {
|
|
SectionAccess = SECTION_ALL_ACCESS;
|
|
}
|
|
|
|
InitializeObjectAttributes (&ObjectAttributes,
|
|
NULL,
|
|
(OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE),
|
|
NULL,
|
|
NULL);
|
|
|
|
Status = ZwCreateSection (&SectionHandle,
|
|
SectionAccess,
|
|
&ObjectAttributes,
|
|
(PLARGE_INTEGER) NULL,
|
|
PAGE_EXECUTE,
|
|
SEC_IMAGE,
|
|
FileHandle);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
goto return1;
|
|
}
|
|
|
|
//
|
|
// Now reference the section handle. If this fails something is
|
|
// very wrong because we are in a privileged process.
|
|
//
|
|
// N.B. ObRef sets SectionPointer to NULL on failure so it must be
|
|
// reset to -1 in this case.
|
|
//
|
|
|
|
Status = ObReferenceObjectByHandle (SectionHandle,
|
|
SECTION_MAP_EXECUTE,
|
|
MmSectionObjectType,
|
|
KernelMode,
|
|
(PVOID *) &SectionPointer,
|
|
(POBJECT_HANDLE_INFORMATION) NULL );
|
|
|
|
ZwClose (SectionHandle);
|
|
if (!NT_SUCCESS (Status)) {
|
|
SectionPointer = (PVOID)-1; // undo ObRef setting.
|
|
goto return1;
|
|
}
|
|
|
|
if (SectionPointer->Segment->ControlArea->NumberOfSubsections == 1) {
|
|
if (((LoadFlags & MM_LOAD_IMAGE_IN_SESSION) == 0) &&
|
|
(SectionPointer->Segment->BasedAddress != (PVOID)Session->SystemSpaceViewStart)) {
|
|
|
|
PSECTION SectionPointer2;
|
|
|
|
//
|
|
// The driver was linked with subsection alignment such that
|
|
// it is mapped with one subsection. Since the CreateSection
|
|
// above guarantees that the driver image is indeed a
|
|
// satisfactory executable, map it directly now to reuse the
|
|
// cache from the MmCheckSystemImage call above.
|
|
//
|
|
|
|
Status = ZwCreateSection (&SectionHandle,
|
|
SectionAccess,
|
|
(POBJECT_ATTRIBUTES) NULL,
|
|
(PLARGE_INTEGER) NULL,
|
|
PAGE_EXECUTE,
|
|
SEC_COMMIT,
|
|
FileHandle );
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
Status = ObReferenceObjectByHandle (
|
|
SectionHandle,
|
|
SECTION_MAP_EXECUTE,
|
|
MmSectionObjectType,
|
|
KernelMode,
|
|
(PVOID *) &SectionPointer2,
|
|
(POBJECT_HANDLE_INFORMATION) NULL );
|
|
|
|
ZwClose (SectionHandle);
|
|
|
|
if (NT_SUCCESS (Status)) {
|
|
|
|
//
|
|
// The number of PTEs won't match if the image is
|
|
// stripped and the debug directory crosses the last
|
|
// sector boundary of the file. We could still use the
|
|
// new section, but these cases are under 2% of all the
|
|
// drivers loaded so don't bother.
|
|
//
|
|
|
|
if (SectionPointer->Segment->TotalNumberOfPtes == SectionPointer2->Segment->TotalNumberOfPtes) {
|
|
ObDereferenceObject (SectionPointer);
|
|
SectionPointer = SectionPointer2;
|
|
}
|
|
else {
|
|
ObDereferenceObject (SectionPointer2);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
//
|
|
// Load the driver from the filesystem and pick a virtual address for it.
|
|
// For Hydra, this means also allocating session virtual space, and
|
|
// after mapping a view of the image, either copying or sharing the
|
|
// driver's code and data in the session virtual space.
|
|
//
|
|
// If it is a share map because the image was loaded at its based address,
|
|
// the disk image will remain busy.
|
|
//
|
|
|
|
Status = MiLoadImageSection (SectionPointer,
|
|
ImageBaseAddress,
|
|
ImageFileName,
|
|
LoadFlags & MM_LOAD_IMAGE_IN_SESSION);
|
|
|
|
NumberOfPtes = SectionPointer->Segment->TotalNumberOfPtes;
|
|
|
|
if (Status == STATUS_ALREADY_COMMITTED) {
|
|
|
|
//
|
|
// This is a driver that was relocated that is being loaded into
|
|
// the same session space twice. Don't increment the overall load
|
|
// count - just the image count in the session which has already been
|
|
// done.
|
|
//
|
|
|
|
ASSERT (AlreadyOpen == TRUE);
|
|
ASSERT (LoadFlags & MM_LOAD_IMAGE_IN_SESSION);
|
|
ASSERT (DataTableEntry != NULL);
|
|
ASSERT (DataTableEntry->LoadCount > 1);
|
|
|
|
*ImageHandle = DataTableEntry;
|
|
*ImageBaseAddress = DataTableEntry->DllBase;
|
|
|
|
DataTableEntry->LoadCount -= 1;
|
|
Status = STATUS_SUCCESS;
|
|
goto return1;
|
|
}
|
|
|
|
if ((MiFirstDriverLoadEver & 0x2) == 0) {
|
|
|
|
NTSTATUS PagingPathStatus;
|
|
|
|
//
|
|
// Check with all of the drivers along the path to win32k.sys to
|
|
// ensure that they are willing to follow the rules required
|
|
// of them and to give them a chance to lock down code and data
|
|
// that needs to be locked. If any of the drivers along the path
|
|
// refuses to participate, fail the win32k.sys load.
|
|
//
|
|
// It is assumed that all drivers live on the same physical drive, so
|
|
// when the very first driver is loaded, this check can be made.
|
|
// This eliminates the need to check for things like relocated win32ks,
|
|
// Terminal Server systems, etc.
|
|
//
|
|
|
|
//
|
|
// In WinPE removable media boot case don't do this since user might
|
|
// be running WinPE in RAM and would like to swap out the boot media.
|
|
//
|
|
if (InitWinPEModeType & INIT_WINPEMODE_REMOVABLE_MEDIA) {
|
|
PagingPathStatus = STATUS_SUCCESS;
|
|
} else {
|
|
PagingPathStatus = PpPagePathAssign(SectionPointer->Segment->ControlArea->FilePointer);
|
|
}
|
|
|
|
if (!NT_SUCCESS(PagingPathStatus)) {
|
|
|
|
KdPrint (("PpPagePathAssign FAILED for win32k.sys: %x\n",
|
|
PagingPathStatus));
|
|
|
|
//
|
|
// Failing the insertion of win32k.sys' device in the
|
|
// pagefile path is commented out until the storage drivers have
|
|
// been modified to correctly handle this request. If this is
|
|
// added later, add code here to release relevant resources for
|
|
// the error path.
|
|
//
|
|
}
|
|
|
|
MiFirstDriverLoadEver |= 0x2;
|
|
}
|
|
|
|
//
|
|
// Normal drivers are dereferenced here and their images can then be
|
|
// overwritten. This is ok because we've already read the whole thing
|
|
// into memory and from here until reboot (or unload), we back them
|
|
// with the pagefile.
|
|
//
|
|
// win32k.sys and session space drivers are the exception - these images
|
|
// are inpaged from the filesystem and we need to keep our reference to
|
|
// the file so that it doesn't get overwritten.
|
|
//
|
|
|
|
if ((LoadFlags & MM_LOAD_IMAGE_IN_SESSION) == 0) {
|
|
ObDereferenceObject (SectionPointer);
|
|
SectionPointer = (PVOID)-1;
|
|
}
|
|
|
|
//
|
|
// The module LoadCount will be 1 here if the module was just loaded.
|
|
// The LoadCount will be >1 if it was attached to by a session (as opposed
|
|
// to just loaded).
|
|
//
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
if (AlreadyOpen == TRUE) {
|
|
|
|
//
|
|
// We're failing and we were just attaching to an already loaded
|
|
// driver. We don't want to go through the forced unload path
|
|
// because we've already deleted the address space. Simply
|
|
// decrement our reference and null the DataTableEntry
|
|
// so we don't go through the forced unload path.
|
|
//
|
|
|
|
ASSERT (DataTableEntry != NULL);
|
|
DataTableEntry->LoadCount -= 1;
|
|
DataTableEntry = NULL;
|
|
}
|
|
goto return1;
|
|
}
|
|
|
|
//
|
|
// Error recovery from this point out for sessions works as follows:
|
|
//
|
|
// For sessions, we may or may not have a DataTableEntry at this point.
|
|
// If we do, it's because we're attaching to a driver that has already
|
|
// been loaded - and the DataTableEntry->LoadCount has been bumped - so
|
|
// the error recovery from here on out is to just call
|
|
// MmUnloadSystemImage with the DataTableEntry.
|
|
//
|
|
// If this is the first load of a given driver into a session space, we
|
|
// have no DataTableEntry at this point. The view has already been mapped
|
|
// and committed and the group/session addresses reserved for this DLL.
|
|
// The error recovery path handles all this because
|
|
// MmUnloadSystemImage will zero the relevant fields in the
|
|
// LDR_DATA_TABLE_ENTRY so that MmUnloadSystemImage will work properly.
|
|
//
|
|
|
|
IssueUnloadOnFailure = TRUE;
|
|
|
|
if (((LoadFlags & MM_LOAD_IMAGE_IN_SESSION) == 0) ||
|
|
(*ImageBaseAddress != SectionPointer->Segment->BasedAddress)) {
|
|
|
|
#if DBG
|
|
|
|
//
|
|
// Warn users about session images that cannot be shared
|
|
// because they were linked at a bad address.
|
|
//
|
|
|
|
if ((LoadFlags & MM_LOAD_IMAGE_IN_SESSION) &&
|
|
(MmSessionSpace->SessionId != 0)) {
|
|
|
|
DbgPrint ("MM: Session %d image %wZ is linked at a nonsharable address (%p)\n",
|
|
MmSessionSpace->SessionId,
|
|
ImageFileName,
|
|
SectionPointer->Segment->BasedAddress);
|
|
DbgPrint ("MM: Image %wZ has been moved to address (%p) by the system so it can run,\n",
|
|
ImageFileName,
|
|
*ImageBaseAddress);
|
|
DbgPrint (" but this needs to be fixed in the image for sharing to occur.\n");
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// Apply the fixups to the section.
|
|
//
|
|
|
|
try {
|
|
Status = LdrRelocateImage (*ImageBaseAddress,
|
|
"SYSLDR",
|
|
STATUS_SUCCESS,
|
|
STATUS_CONFLICTING_ADDRESSES,
|
|
STATUS_INVALID_IMAGE_FORMAT);
|
|
|
|
} except (EXCEPTION_EXECUTE_HANDLER) {
|
|
Status = GetExceptionCode();
|
|
KdPrint(("MM:sysload - LdrRelocateImage failed status %lx\n",
|
|
Status));
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
|
|
//
|
|
// Unload the system image and dereference the section.
|
|
//
|
|
|
|
goto return1;
|
|
}
|
|
}
|
|
|
|
if (AlreadyOpen == FALSE) {
|
|
|
|
ULONG DebugInfoSize;
|
|
PIMAGE_DATA_DIRECTORY DataDirectory;
|
|
PIMAGE_DEBUG_DIRECTORY DebugDir;
|
|
PNON_PAGED_DEBUG_INFO ssHeader;
|
|
UCHAR i;
|
|
|
|
DebugInfoSize = 0;
|
|
DataDirectory = NULL;
|
|
DebugDir = NULL;
|
|
|
|
NtHeaders = RtlImageNtHeader(*ImageBaseAddress);
|
|
|
|
//
|
|
// Create a loader table entry for this driver before resolving the
|
|
// references so that any circular references can resolve properly.
|
|
//
|
|
|
|
if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) {
|
|
|
|
DebugInfoSize = sizeof (NON_PAGED_DEBUG_INFO);
|
|
|
|
if (IMAGE_DIRECTORY_ENTRY_DEBUG <
|
|
NtHeaders->OptionalHeader.NumberOfRvaAndSizes) {
|
|
|
|
DataDirectory = &NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG];
|
|
|
|
if (DataDirectory->VirtualAddress &&
|
|
DataDirectory->Size &&
|
|
(DataDirectory->VirtualAddress + DataDirectory->Size) <
|
|
NtHeaders->OptionalHeader.SizeOfImage) {
|
|
|
|
DebugDir = (PIMAGE_DEBUG_DIRECTORY)
|
|
((PUCHAR)(*ImageBaseAddress) +
|
|
DataDirectory->VirtualAddress);
|
|
|
|
DebugInfoSize += DataDirectory->Size;
|
|
|
|
for (i = 0;
|
|
i < DataDirectory->Size/sizeof(IMAGE_DEBUG_DIRECTORY);
|
|
i += 1) {
|
|
|
|
if ((DebugDir+i)->PointerToRawData &&
|
|
(DebugDir+i)->PointerToRawData <
|
|
NtHeaders->OptionalHeader.SizeOfImage &&
|
|
((DebugDir+i)->PointerToRawData +
|
|
(DebugDir+i)->SizeOfData) <
|
|
NtHeaders->OptionalHeader.SizeOfImage) {
|
|
|
|
DebugInfoSize += (DebugDir+i)->SizeOfData;
|
|
}
|
|
}
|
|
}
|
|
|
|
DebugInfoSize = MI_ROUND_TO_SIZE(DebugInfoSize, sizeof(ULONG));
|
|
}
|
|
}
|
|
|
|
DataTableEntrySize = sizeof (KLDR_DATA_TABLE_ENTRY) +
|
|
DebugInfoSize +
|
|
BaseName.Length + sizeof(UNICODE_NULL);
|
|
|
|
DataTableEntry = ExAllocatePoolWithTag (NonPagedPool,
|
|
DataTableEntrySize,
|
|
'dLmM');
|
|
|
|
if (DataTableEntry == NULL) {
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto return1;
|
|
}
|
|
|
|
//
|
|
// Initialize the flags and load count.
|
|
//
|
|
|
|
DataTableEntry->Flags = LDRP_LOAD_IN_PROGRESS;
|
|
DataTableEntry->LoadCount = 1;
|
|
DataTableEntry->LoadedImports = (PVOID)LoadedImports;
|
|
|
|
if ((NtHeaders->OptionalHeader.MajorOperatingSystemVersion >= 5) &&
|
|
(NtHeaders->OptionalHeader.MajorImageVersion >= 5)) {
|
|
DataTableEntry->Flags |= LDRP_ENTRY_NATIVE;
|
|
}
|
|
|
|
ssHeader = (PNON_PAGED_DEBUG_INFO) ((ULONG_PTR)DataTableEntry +
|
|
sizeof (KLDR_DATA_TABLE_ENTRY));
|
|
|
|
BaseDllNameBuffer = (PWSTR) ((ULONG_PTR)ssHeader + DebugInfoSize);
|
|
|
|
//
|
|
// If loading a session space image, store away some debug data.
|
|
//
|
|
|
|
DataTableEntry->NonPagedDebugInfo = NULL;
|
|
|
|
if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) {
|
|
|
|
DataTableEntry->NonPagedDebugInfo = ssHeader;
|
|
DataTableEntry->Flags |= LDRP_NON_PAGED_DEBUG_INFO;
|
|
|
|
ssHeader->Signature = NON_PAGED_DEBUG_SIGNATURE;
|
|
ssHeader->Flags = 1;
|
|
ssHeader->Size = DebugInfoSize;
|
|
ssHeader->Machine = NtHeaders->FileHeader.Machine;
|
|
ssHeader->Characteristics = NtHeaders->FileHeader.Characteristics;
|
|
ssHeader->TimeDateStamp = NtHeaders->FileHeader.TimeDateStamp;
|
|
ssHeader->CheckSum = NtHeaders->OptionalHeader.CheckSum;
|
|
ssHeader->SizeOfImage = NtHeaders->OptionalHeader.SizeOfImage;
|
|
ssHeader->ImageBase = (ULONG_PTR) *ImageBaseAddress;
|
|
|
|
if (DebugDir)
|
|
{
|
|
RtlCopyMemory(ssHeader + 1,
|
|
DebugDir,
|
|
DataDirectory->Size);
|
|
|
|
DebugInfoSize = DataDirectory->Size;
|
|
|
|
for (i = 0;
|
|
i < DataDirectory->Size/sizeof(IMAGE_DEBUG_DIRECTORY);
|
|
i += 1) {
|
|
|
|
if ((DebugDir + i)->PointerToRawData &&
|
|
(DebugDir+i)->PointerToRawData <
|
|
NtHeaders->OptionalHeader.SizeOfImage &&
|
|
((DebugDir+i)->PointerToRawData +
|
|
(DebugDir+i)->SizeOfData) <
|
|
NtHeaders->OptionalHeader.SizeOfImage) {
|
|
|
|
RtlCopyMemory((PUCHAR)(ssHeader + 1) +
|
|
DebugInfoSize,
|
|
(PUCHAR)(*ImageBaseAddress) +
|
|
(DebugDir + i)->PointerToRawData,
|
|
(DebugDir + i)->SizeOfData);
|
|
|
|
//
|
|
// Reset the offset in the debug directory to point to
|
|
//
|
|
|
|
(((PIMAGE_DEBUG_DIRECTORY)(ssHeader + 1)) + i)->
|
|
PointerToRawData = DebugInfoSize;
|
|
|
|
DebugInfoSize += (DebugDir+i)->SizeOfData;
|
|
}
|
|
else
|
|
{
|
|
(((PIMAGE_DEBUG_DIRECTORY)(ssHeader + 1)) + i)->
|
|
PointerToRawData = 0;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Initialize the address of the DLL image file header and the entry
|
|
// point address.
|
|
//
|
|
|
|
DataTableEntry->DllBase = *ImageBaseAddress;
|
|
DataTableEntry->EntryPoint =
|
|
((PCHAR)*ImageBaseAddress + NtHeaders->OptionalHeader.AddressOfEntryPoint);
|
|
DataTableEntry->SizeOfImage = NumberOfPtes << PAGE_SHIFT;
|
|
DataTableEntry->CheckSum = NtHeaders->OptionalHeader.CheckSum;
|
|
DataTableEntry->SectionPointer = (PVOID)SectionPointer;
|
|
|
|
//
|
|
// Store the DLL name.
|
|
//
|
|
|
|
DataTableEntry->BaseDllName.Buffer = BaseDllNameBuffer;
|
|
|
|
DataTableEntry->BaseDllName.Length = BaseName.Length;
|
|
DataTableEntry->BaseDllName.MaximumLength = BaseName.Length;
|
|
RtlCopyMemory (DataTableEntry->BaseDllName.Buffer,
|
|
BaseName.Buffer,
|
|
BaseName.Length );
|
|
DataTableEntry->BaseDllName.Buffer[BaseName.Length/sizeof(WCHAR)] = UNICODE_NULL;
|
|
|
|
DataTableEntry->FullDllName.Buffer = ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION,
|
|
PrefixedImageName.Length + sizeof(UNICODE_NULL),
|
|
'TDmM');
|
|
|
|
if (DataTableEntry->FullDllName.Buffer == NULL) {
|
|
|
|
//
|
|
// Pool could not be allocated, just set the length to 0.
|
|
//
|
|
|
|
DataTableEntry->FullDllName.Length = 0;
|
|
DataTableEntry->FullDllName.MaximumLength = 0;
|
|
}
|
|
else {
|
|
DataTableEntry->FullDllName.Length = PrefixedImageName.Length;
|
|
DataTableEntry->FullDllName.MaximumLength = PrefixedImageName.Length;
|
|
RtlCopyMemory (DataTableEntry->FullDllName.Buffer,
|
|
PrefixedImageName.Buffer,
|
|
PrefixedImageName.Length);
|
|
DataTableEntry->FullDllName.Buffer[PrefixedImageName.Length/sizeof(WCHAR)] = UNICODE_NULL;
|
|
}
|
|
|
|
//
|
|
// Acquire the loaded module list resource and insert this entry
|
|
// into the list.
|
|
//
|
|
|
|
MiProcessLoaderEntry (DataTableEntry, TRUE);
|
|
}
|
|
|
|
MissingProcedureName = NameBuffer;
|
|
|
|
try {
|
|
|
|
//
|
|
// Resolving the image references results in other DLLs being
|
|
// loaded if they are referenced by the module that was just loaded.
|
|
// An example is when an OEM printer or FAX driver links with
|
|
// other general libraries. This is not a problem for session space
|
|
// because the general libraries do not have the global data issues
|
|
// that win32k.sys and the video drivers do. So we just call the
|
|
// standard kernel reference resolver and any referenced libraries
|
|
// get loaded into system global space. Code in the routine
|
|
// restricts which libraries can be referenced by a driver.
|
|
//
|
|
|
|
Status = MiResolveImageReferences (*ImageBaseAddress,
|
|
&BaseDirectory,
|
|
NamePrefix,
|
|
&MissingProcedureName,
|
|
&MissingDriverName,
|
|
&LoadedImports);
|
|
|
|
} except (EXCEPTION_EXECUTE_HANDLER) {
|
|
Status = GetExceptionCode ();
|
|
KdPrint(("MM:sysload - ResolveImageReferences failed status %x\n",
|
|
Status));
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
#if DBG
|
|
if (Status == STATUS_OBJECT_NAME_NOT_FOUND) {
|
|
ASSERT (MissingProcedureName == NULL);
|
|
}
|
|
|
|
if ((Status == STATUS_DRIVER_ORDINAL_NOT_FOUND) ||
|
|
(Status == STATUS_OBJECT_NAME_NOT_FOUND) ||
|
|
(Status == STATUS_DRIVER_ENTRYPOINT_NOT_FOUND)) {
|
|
|
|
if ((ULONG_PTR)MissingProcedureName & ~((ULONG_PTR) (X64K-1))) {
|
|
//
|
|
// If not an ordinal, print string
|
|
//
|
|
DbgPrint("MissingProcedureName %s\n", MissingProcedureName);
|
|
}
|
|
else {
|
|
DbgPrint("MissingProcedureName 0x%p\n", MissingProcedureName);
|
|
}
|
|
}
|
|
|
|
if (MissingDriverName != NULL) {
|
|
PrintableMissingDriverName = (PWSTR)((ULONG_PTR)MissingDriverName & ~0x1);
|
|
DbgPrint("MissingDriverName %ws\n", PrintableMissingDriverName);
|
|
}
|
|
#endif
|
|
if (AlreadyOpen == FALSE) {
|
|
MiProcessLoaderEntry (DataTableEntry, FALSE);
|
|
if (DataTableEntry->FullDllName.Buffer != NULL) {
|
|
ExFreePool (DataTableEntry->FullDllName.Buffer);
|
|
}
|
|
ExFreePool (DataTableEntry);
|
|
DataTableEntry = NULL;
|
|
}
|
|
goto return1;
|
|
}
|
|
|
|
if (AlreadyOpen == FALSE) {
|
|
|
|
PERFINFO_IMAGE_LOAD(DataTableEntry);
|
|
|
|
//
|
|
// Reinitialize the flags and update the loaded imports.
|
|
//
|
|
|
|
DataTableEntry->Flags |= LDRP_SYSTEM_MAPPED | LDRP_ENTRY_PROCESSED;
|
|
DataTableEntry->Flags &= ~LDRP_LOAD_IN_PROGRESS;
|
|
DataTableEntry->LoadedImports = LoadedImports;
|
|
|
|
MiApplyDriverVerifier (DataTableEntry, NULL);
|
|
|
|
MiWriteProtectSystemImage (DataTableEntry->DllBase);
|
|
|
|
if (PsImageNotifyEnabled) {
|
|
IMAGE_INFO ImageInfo;
|
|
|
|
ImageInfo.Properties = 0;
|
|
ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT;
|
|
ImageInfo.SystemModeImage = TRUE;
|
|
ImageInfo.ImageSize = DataTableEntry->SizeOfImage;
|
|
ImageInfo.ImageBase = *ImageBaseAddress;
|
|
ImageInfo.ImageSelector = 0;
|
|
ImageInfo.ImageSectionNumber = 0;
|
|
|
|
PsCallImageNotifyRoutines(ImageFileName, (HANDLE)NULL, &ImageInfo);
|
|
}
|
|
|
|
if (CacheImageSymbols (*ImageBaseAddress)) {
|
|
|
|
//
|
|
// TEMP TEMP TEMP rip out when debugger converted
|
|
//
|
|
|
|
ANSI_STRING AnsiName;
|
|
UNICODE_STRING UnicodeName;
|
|
|
|
//
|
|
// \SystemRoot is 11 characters in length
|
|
//
|
|
if (PrefixedImageName.Length > (11 * sizeof (WCHAR )) &&
|
|
!_wcsnicmp (PrefixedImageName.Buffer, (const PUSHORT)L"\\SystemRoot", 11)) {
|
|
UnicodeName = PrefixedImageName;
|
|
UnicodeName.Buffer += 11;
|
|
UnicodeName.Length -= (11 * sizeof (WCHAR));
|
|
sprintf (NameBuffer, "%ws%wZ", &SharedUserData->NtSystemRoot[2], &UnicodeName);
|
|
}
|
|
else {
|
|
sprintf (NameBuffer, "%wZ", &BaseName);
|
|
}
|
|
RtlInitString (&AnsiName, NameBuffer);
|
|
DbgLoadImageSymbols (&AnsiName,
|
|
*ImageBaseAddress,
|
|
(ULONG_PTR) -1);
|
|
|
|
DataTableEntry->Flags |= LDRP_DEBUG_SYMBOLS_LOADED;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Flush the instruction cache on all systems in the configuration.
|
|
//
|
|
|
|
KeSweepIcache (TRUE);
|
|
*ImageHandle = DataTableEntry;
|
|
Status = STATUS_SUCCESS;
|
|
|
|
if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) {
|
|
MI_LOG_SESSION_DATA_START (DataTableEntry);
|
|
MmPageEntireDriver (DataTableEntry->EntryPoint);
|
|
}
|
|
else if ((SectionPointer == (PVOID)-1) &&
|
|
((LoadFlags & MM_LOAD_IMAGE_AND_LOCKDOWN) == 0)) {
|
|
|
|
MiEnablePagingOfDriver (DataTableEntry);
|
|
}
|
|
|
|
return1:
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
|
|
if ((AlreadyOpen == FALSE) && (SectionPointer != (PVOID)-1)) {
|
|
|
|
//
|
|
// This is needed for failed win32k.sys loads or any session's
|
|
// load of the first instance of a driver.
|
|
//
|
|
|
|
ObDereferenceObject (SectionPointer);
|
|
}
|
|
|
|
if (IssueUnloadOnFailure == TRUE) {
|
|
|
|
if (DataTableEntry == NULL) {
|
|
RtlZeroMemory (&TempDataTableEntry, sizeof(KLDR_DATA_TABLE_ENTRY));
|
|
|
|
DataTableEntry = &TempDataTableEntry;
|
|
|
|
DataTableEntry->DllBase = *ImageBaseAddress;
|
|
DataTableEntry->SizeOfImage = NumberOfPtes << PAGE_SHIFT;
|
|
DataTableEntry->LoadCount = 1;
|
|
DataTableEntry->LoadedImports = LoadedImports;
|
|
}
|
|
#if DBG
|
|
else {
|
|
|
|
//
|
|
// If DataTableEntry is NULL, then we are unloading before one
|
|
// got created. Once a LDR_DATA_TABLE_ENTRY is created, the
|
|
// load cannot fail, so if exists here, at least one other
|
|
// session contains this image as well.
|
|
//
|
|
|
|
ASSERT (DataTableEntry->LoadCount > 1);
|
|
}
|
|
#endif
|
|
|
|
MmUnloadSystemImage ((PVOID)DataTableEntry);
|
|
}
|
|
}
|
|
|
|
if (FileHandle) {
|
|
ZwClose (FileHandle);
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
|
|
UNICODE_STRING ErrorStrings[4];
|
|
ULONG UniqueErrorValue;
|
|
ULONG StringSize;
|
|
ULONG StringCount;
|
|
ANSI_STRING AnsiString;
|
|
UNICODE_STRING ProcedureName;
|
|
UNICODE_STRING DriverName;
|
|
ULONG i;
|
|
PWCHAR temp;
|
|
PWCHAR ptr;
|
|
ULONG PacketSize;
|
|
SIZE_T length;
|
|
PIO_ERROR_LOG_PACKET ErrLog;
|
|
|
|
//
|
|
// The driver could not be loaded - log an event with the details.
|
|
//
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
StringSize = 0;
|
|
|
|
*(&ErrorStrings[0]) = *ImageFileName;
|
|
StringSize += (ImageFileName->Length + sizeof(UNICODE_NULL));
|
|
StringCount = 1;
|
|
|
|
UniqueErrorValue = 0;
|
|
RtlInitUnicodeString (&ProcedureName, NULL);
|
|
|
|
PrintableMissingDriverName = (PWSTR)((ULONG_PTR)MissingDriverName & ~0x1);
|
|
if ((Status == STATUS_DRIVER_ORDINAL_NOT_FOUND) ||
|
|
(Status == STATUS_DRIVER_ENTRYPOINT_NOT_FOUND) ||
|
|
(Status == STATUS_OBJECT_NAME_NOT_FOUND) ||
|
|
(Status == STATUS_PROCEDURE_NOT_FOUND)) {
|
|
|
|
ErrorStrings[1].Buffer = L"cannot find";
|
|
length = wcslen(ErrorStrings[1].Buffer) * sizeof(WCHAR);
|
|
ErrorStrings[1].Length = (USHORT) length;
|
|
StringSize += (ULONG)(length + sizeof (UNICODE_NULL));
|
|
StringCount += 1;
|
|
|
|
RtlInitUnicodeString (&DriverName, PrintableMissingDriverName);
|
|
|
|
StringSize += (DriverName.Length + sizeof(UNICODE_NULL));
|
|
StringCount += 1;
|
|
*(&ErrorStrings[2]) = *(&DriverName);
|
|
|
|
if ((ULONG_PTR)MissingProcedureName & ~((ULONG_PTR) (X64K-1))) {
|
|
|
|
//
|
|
// If not an ordinal, pass as a Unicode string
|
|
//
|
|
|
|
RtlInitAnsiString (&AnsiString, MissingProcedureName);
|
|
RtlAnsiStringToUnicodeString (&ProcedureName, &AnsiString, TRUE);
|
|
StringSize += (ProcedureName.Length + sizeof(UNICODE_NULL));
|
|
StringCount += 1;
|
|
*(&ErrorStrings[3]) = *(&ProcedureName);
|
|
}
|
|
else {
|
|
|
|
//
|
|
// Just pass ordinal values as is in the UniqueErrorValue.
|
|
//
|
|
|
|
UniqueErrorValue = PtrToUlong (MissingProcedureName);
|
|
}
|
|
}
|
|
else {
|
|
UniqueErrorValue = (ULONG) Status;
|
|
Status = STATUS_DRIVER_UNABLE_TO_LOAD;
|
|
|
|
ErrorStrings[1].Buffer = L"failed to load";
|
|
length = wcslen(ErrorStrings[1].Buffer) * sizeof(WCHAR);
|
|
ErrorStrings[1].Length = (USHORT) length;
|
|
StringSize += (ULONG)(length + sizeof (UNICODE_NULL));
|
|
StringCount += 1;
|
|
}
|
|
|
|
PacketSize = sizeof (IO_ERROR_LOG_PACKET) + StringSize;
|
|
|
|
//
|
|
// Enforce I/O manager interface (ie: UCHAR) size restrictions.
|
|
//
|
|
|
|
if (PacketSize < MAXUCHAR) {
|
|
|
|
ErrLog = IoAllocateGenericErrorLogEntry ((UCHAR)PacketSize);
|
|
|
|
if (ErrLog != NULL) {
|
|
|
|
//
|
|
// Fill it in and write it out as a single string.
|
|
//
|
|
|
|
ErrLog->ErrorCode = STATUS_LOG_HARD_ERROR;
|
|
ErrLog->FinalStatus = Status;
|
|
ErrLog->UniqueErrorValue = UniqueErrorValue;
|
|
|
|
ErrLog->StringOffset = (USHORT) sizeof (IO_ERROR_LOG_PACKET);
|
|
|
|
temp = (PWCHAR) ((PUCHAR) ErrLog + ErrLog->StringOffset);
|
|
|
|
for (i = 0; i < StringCount; i += 1) {
|
|
|
|
ptr = ErrorStrings[i].Buffer;
|
|
|
|
RtlCopyMemory (temp, ptr, ErrorStrings[i].Length);
|
|
temp += (ErrorStrings[i].Length / sizeof (WCHAR));
|
|
|
|
*temp = L' ';
|
|
temp += 1;
|
|
}
|
|
|
|
*(temp - 1) = UNICODE_NULL;
|
|
ErrLog->NumberOfStrings = 1;
|
|
|
|
IoWriteErrorLogEntry (ErrLog);
|
|
}
|
|
}
|
|
|
|
//
|
|
// The only way this pointer has the low bit set is if we are expected
|
|
// to free the pool containing the name. Typically the name points at
|
|
// a loaded module list entry and so no one has to free it and in this
|
|
// case the low bit will NOT be set. If the module could not be found
|
|
// and was therefore not loaded, then we left a piece of pool around
|
|
// containing the name since there is no loaded module entry already -
|
|
// this must be released now.
|
|
//
|
|
|
|
if ((ULONG_PTR)MissingDriverName & 0x1) {
|
|
ExFreePool (PrintableMissingDriverName);
|
|
}
|
|
|
|
if (ProcedureName.Buffer != NULL) {
|
|
RtlFreeUnicodeString (&ProcedureName);
|
|
}
|
|
ExFreePool (NameBuffer);
|
|
return Status;
|
|
}
|
|
|
|
return2:
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
if (NamePrefix) {
|
|
ExFreePool (PrefixedImageName.Buffer);
|
|
}
|
|
|
|
ExFreePool (NameBuffer);
|
|
|
|
return Status;
|
|
}
|
|
|
|
VOID
|
|
MiReturnFailedSessionPages (
|
|
IN PMMPTE PointerPte,
|
|
IN PMMPTE LastPte,
|
|
IN PFN_NUMBER NumberOfPages
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine is a nonpaged wrapper which undoes session image loads
|
|
that failed midway through reading in the pages.
|
|
|
|
Arguments:
|
|
|
|
PointerPte - Supplies the starting PTE for the range to unload.
|
|
|
|
LastPte - Supplies the ending PTE for the range to unload.
|
|
|
|
NumberOfPages - Supplies the number of resident available pages that
|
|
were charged and now need to be returned.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
PMMPFN Pfn1;
|
|
PFN_NUMBER PageFrameIndex;
|
|
|
|
LOCK_PFN (OldIrql);
|
|
|
|
while (PointerPte <= LastPte) {
|
|
if (PointerPte->u.Hard.Valid == 1) {
|
|
|
|
//
|
|
// Delete the page.
|
|
//
|
|
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
|
|
|
|
//
|
|
// Set the pointer to PTE as empty so the page
|
|
// is deleted when the reference count goes to zero.
|
|
//
|
|
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
MiDecrementShareAndValidCount (Pfn1->u4.PteFrame);
|
|
MI_SET_PFN_DELETED (Pfn1);
|
|
MiDecrementShareCountOnly (PageFrameIndex);
|
|
|
|
MI_WRITE_INVALID_PTE (PointerPte, ZeroPte);
|
|
}
|
|
PointerPte += 1;
|
|
}
|
|
|
|
MmResidentAvailablePages += NumberOfPages;
|
|
MM_BUMP_COUNTER(17, NumberOfPages);
|
|
|
|
UNLOCK_PFN (OldIrql);
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
MiLoadImageSection (
|
|
IN PSECTION SectionPointer,
|
|
OUT PVOID *ImageBaseAddress,
|
|
IN PUNICODE_STRING ImageFileName,
|
|
IN ULONG LoadInSessionSpace
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine loads the specified image into the kernel part of the
|
|
address space.
|
|
|
|
Arguments:
|
|
|
|
SectionPointer - Supplies the section object for the image.
|
|
|
|
ImageBaseAddress - Returns the address that the image header is at.
|
|
|
|
ImageFileName - Supplies the full path name (including the image name)
|
|
of the image to load.
|
|
|
|
LoadInSessionSpace - Supplies nonzero to load this image in session space.
|
|
Each session gets a different copy of this driver with
|
|
pages shared as much as possible via copy on write.
|
|
|
|
Supplies zero if this image should be loaded in global
|
|
space.
|
|
|
|
Return Value:
|
|
|
|
Status of the operation.
|
|
|
|
--*/
|
|
|
|
{
|
|
KAPC_STATE ApcState;
|
|
PFN_NUMBER PagesRequired;
|
|
PFN_NUMBER ActualPagesUsed;
|
|
PVOID OpaqueSession;
|
|
PMMPTE ProtoPte;
|
|
PMMPTE FirstPte;
|
|
PMMPTE LastPte;
|
|
PMMPTE PointerPte;
|
|
PEPROCESS Process;
|
|
PEPROCESS TargetProcess;
|
|
ULONG NumberOfPtes;
|
|
MMPTE PteContents;
|
|
MMPTE TempPte;
|
|
PFN_NUMBER PageFrameIndex;
|
|
PVOID UserVa;
|
|
PVOID SystemVa;
|
|
NTSTATUS Status;
|
|
NTSTATUS ExceptionStatus;
|
|
PVOID Base;
|
|
ULONG_PTR ViewSize;
|
|
LARGE_INTEGER SectionOffset;
|
|
LOGICAL LoadSymbols;
|
|
PVOID BaseAddress;
|
|
PFN_NUMBER CommittedPages;
|
|
SIZE_T SectionSize;
|
|
LOGICAL AlreadyLoaded;
|
|
PCONTROL_AREA ControlArea;
|
|
PSUBSECTION Subsection;
|
|
|
|
PAGED_CODE();
|
|
|
|
NumberOfPtes = SectionPointer->Segment->TotalNumberOfPtes;
|
|
|
|
if (LoadInSessionSpace != 0) {
|
|
|
|
SectionSize = (ULONG_PTR)NumberOfPtes * PAGE_SIZE;
|
|
|
|
//
|
|
// Allocate a unique systemwide session space virtual address for
|
|
// the driver.
|
|
//
|
|
|
|
Status = MiSessionWideReserveImageAddress (ImageFileName,
|
|
SectionPointer,
|
|
PAGE_SIZE,
|
|
&BaseAddress,
|
|
&AlreadyLoaded);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
return Status;
|
|
}
|
|
|
|
//
|
|
// This is a request to load an existing driver. This can
|
|
// occur with printer drivers for example.
|
|
//
|
|
|
|
if (AlreadyLoaded == TRUE) {
|
|
*ImageBaseAddress = BaseAddress;
|
|
return STATUS_ALREADY_COMMITTED;
|
|
}
|
|
|
|
#if DBG
|
|
if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) {
|
|
DbgPrint ("MM: MiLoadImageSection: Image %wZ, BasedAddress 0x%p, Allocated Session BaseAddress 0x%p\n",
|
|
ImageFileName,
|
|
SectionPointer->Segment->BasedAddress,
|
|
BaseAddress);
|
|
}
|
|
#endif
|
|
|
|
if (BaseAddress == SectionPointer->Segment->BasedAddress) {
|
|
|
|
//
|
|
// We were able to load the image at its based address, so
|
|
// map its image segments as backed directly by the file image.
|
|
// All pristine pages of the image will be shared across all
|
|
// sessions, with each page treated as copy-on-write on first write.
|
|
//
|
|
// NOTE: This makes the file image "busy", a different behavior
|
|
// as normal kernel drivers are backed by the paging file only.
|
|
//
|
|
// Map the image into session space.
|
|
//
|
|
|
|
Status = MiShareSessionImage (SectionPointer, &SectionSize);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
MiRemoveImageSessionWide (BaseAddress);
|
|
return Status;
|
|
}
|
|
|
|
ASSERT (BaseAddress == SectionPointer->Segment->BasedAddress);
|
|
|
|
*ImageBaseAddress = BaseAddress;
|
|
|
|
//
|
|
// Indicate that this section has been loaded into the system.
|
|
//
|
|
|
|
SectionPointer->Segment->SystemImageBase = BaseAddress;
|
|
|
|
#if DBG
|
|
if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) {
|
|
DbgPrint ("MM: MiLoadImageSection: Mapped image %wZ at requested session address 0x%p\n",
|
|
ImageFileName,
|
|
BaseAddress);
|
|
}
|
|
#endif
|
|
|
|
return Status;
|
|
}
|
|
|
|
//
|
|
// The image could not be loaded at its based address. It must be
|
|
// copied to its new address using private page file backed pages.
|
|
// Our caller will relocate the internal references and then bind the
|
|
// image. Allocate the pages and page tables for the image now.
|
|
//
|
|
|
|
Status = MiSessionCommitImagePages (BaseAddress, SectionSize);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
#if DBG
|
|
if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) {
|
|
DbgPrint ("MM: MiLoadImageSection: Error 0x%x Allocating session space %p Bytes\n", Status, SectionSize);
|
|
}
|
|
#endif
|
|
MiRemoveImageSessionWide (BaseAddress);
|
|
return Status;
|
|
}
|
|
SystemVa = BaseAddress;
|
|
|
|
//
|
|
// Initializing these is not needed for correctness, but
|
|
// without it the compiler cannot compile this code W4 to check
|
|
// for use of uninitialized variables.
|
|
//
|
|
|
|
PagesRequired = 0;
|
|
ActualPagesUsed = 0;
|
|
PointerPte = NULL;
|
|
FirstPte = NULL;
|
|
}
|
|
else {
|
|
|
|
//
|
|
// Initializing SectionSize and BaseAddress is not needed for
|
|
// correctness, but without it the compiler cannot compile this
|
|
// code W4 to check for use of uninitialized variables.
|
|
//
|
|
|
|
SectionSize = 0;
|
|
BaseAddress = NULL;
|
|
|
|
//
|
|
// Calculate the number of pages required to load this image.
|
|
//
|
|
// Start out by charging for everything and subtract out any gap
|
|
// pages after the image loads successfully.
|
|
//
|
|
|
|
PagesRequired = NumberOfPtes;
|
|
ActualPagesUsed = 0;
|
|
|
|
//
|
|
// See if ample pages exist to load this image.
|
|
//
|
|
|
|
if (MiChargeResidentAvailable (PagesRequired, 14) == FALSE) {
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
//
|
|
// Reserve the necessary system address space.
|
|
//
|
|
|
|
FirstPte = MiReserveSystemPtes (NumberOfPtes, SystemPteSpace);
|
|
|
|
if (FirstPte == NULL) {
|
|
MiReturnResidentAvailable (PagesRequired, 15);
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
PointerPte = FirstPte;
|
|
SystemVa = MiGetVirtualAddressMappedByPte (PointerPte);
|
|
|
|
if (MiChargeCommitment (PagesRequired, NULL) == FALSE) {
|
|
MiReturnResidentAvailable (PagesRequired, 15);
|
|
MiReleaseSystemPtes (FirstPte, NumberOfPtes, SystemPteSpace);
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
MM_TRACK_COMMIT (MM_DBG_COMMIT_DRIVER_PAGES, PagesRequired);
|
|
|
|
InterlockedExchangeAdd ((PLONG)&MmDriverCommit, (LONG) PagesRequired);
|
|
}
|
|
|
|
//
|
|
// Map a view into the user portion of the address space.
|
|
//
|
|
|
|
Process = PsGetCurrentProcess();
|
|
|
|
//
|
|
// Since callees are not always in the context of the system process,
|
|
// attach here when necessary to guarantee the driver load occurs in a
|
|
// known safe address space to prevent security holes.
|
|
//
|
|
|
|
OpaqueSession = NULL;
|
|
|
|
if ((Process->Peb != NULL) &&
|
|
(Process->Vm.Flags.SessionLeader == 0) &&
|
|
(MiSessionLeaderExists == 2)) {
|
|
|
|
OpaqueSession = MiAttachToSecureProcessInSession (&ApcState);
|
|
|
|
if (OpaqueSession == NULL) {
|
|
|
|
if (LoadInSessionSpace != 0) {
|
|
CommittedPages = MiDeleteSystemPagableVm (
|
|
MiGetPteAddress (BaseAddress),
|
|
BYTES_TO_PAGES (SectionSize),
|
|
ZeroKernelPte,
|
|
TRUE,
|
|
NULL);
|
|
|
|
InterlockedExchangeAddSizeT (&MmSessionSpace->CommittedPages,
|
|
0 - CommittedPages);
|
|
|
|
MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGELOAD_FAILED1,
|
|
(ULONG)CommittedPages);
|
|
|
|
//
|
|
// Return the commitment we took out on the pagefile when
|
|
// the page was allocated. This is needed for collided images
|
|
// since all the pages get committed regardless of writability.
|
|
//
|
|
|
|
MiRemoveImageSessionWide (BaseAddress);
|
|
}
|
|
else {
|
|
MiReturnResidentAvailable (PagesRequired, 15);
|
|
MiReleaseSystemPtes (FirstPte, NumberOfPtes, SystemPteSpace);
|
|
MiReturnCommitment (PagesRequired);
|
|
}
|
|
|
|
return STATUS_PROCESS_IS_TERMINATING;
|
|
}
|
|
|
|
//
|
|
// We are now attached to a secure process in the current session.
|
|
//
|
|
}
|
|
|
|
ZERO_LARGE (SectionOffset);
|
|
Base = NULL;
|
|
ViewSize = 0;
|
|
|
|
if (NtGlobalFlag & FLG_ENABLE_KDEBUG_SYMBOL_LOAD) {
|
|
LoadSymbols = TRUE;
|
|
NtGlobalFlag &= ~FLG_ENABLE_KDEBUG_SYMBOL_LOAD;
|
|
}
|
|
else {
|
|
LoadSymbols = FALSE;
|
|
}
|
|
|
|
TargetProcess = PsGetCurrentProcess ();
|
|
|
|
Status = MmMapViewOfSection (SectionPointer,
|
|
TargetProcess,
|
|
&Base,
|
|
0,
|
|
0,
|
|
&SectionOffset,
|
|
&ViewSize,
|
|
ViewUnmap,
|
|
0,
|
|
PAGE_EXECUTE);
|
|
|
|
if (LoadSymbols) {
|
|
NtGlobalFlag |= FLG_ENABLE_KDEBUG_SYMBOL_LOAD;
|
|
}
|
|
|
|
if (Status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) {
|
|
Status = STATUS_INVALID_IMAGE_FORMAT;
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
|
|
if (OpaqueSession != NULL) {
|
|
MiDetachFromSecureProcessInSession (OpaqueSession, &ApcState);
|
|
}
|
|
|
|
if (LoadInSessionSpace != 0) {
|
|
|
|
#if DBG
|
|
if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) {
|
|
DbgPrint ("MiLoadImageSection: Error 0x%x in session space mapping via MmMapViewOfSection\n", Status);
|
|
}
|
|
#endif
|
|
|
|
CommittedPages = MiDeleteSystemPagableVm (
|
|
MiGetPteAddress (BaseAddress),
|
|
BYTES_TO_PAGES (SectionSize),
|
|
ZeroKernelPte,
|
|
TRUE,
|
|
NULL);
|
|
|
|
InterlockedExchangeAddSizeT (&MmSessionSpace->CommittedPages,
|
|
0 - CommittedPages);
|
|
|
|
MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGELOAD_FAILED1,
|
|
(ULONG)CommittedPages);
|
|
|
|
//
|
|
// Return the commitment we took out on the pagefile when
|
|
// the page was allocated. This is needed for collided images
|
|
// since all the pages get committed regardless of writability.
|
|
//
|
|
|
|
MiRemoveImageSessionWide (BaseAddress);
|
|
}
|
|
else {
|
|
MiReturnResidentAvailable (PagesRequired, 16);
|
|
MiReleaseSystemPtes (FirstPte, NumberOfPtes, SystemPteSpace);
|
|
MiReturnCommitment (PagesRequired);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
//
|
|
// Allocate a physical page(s) and copy the image data.
|
|
// Note Hydra has already allocated the physical pages and just does
|
|
// data copying here.
|
|
//
|
|
|
|
ControlArea = SectionPointer->Segment->ControlArea;
|
|
if ((ControlArea->u.Flags.GlobalOnlyPerSession == 0) &&
|
|
(ControlArea->u.Flags.Rom == 0)) {
|
|
Subsection = (PSUBSECTION)(ControlArea + 1);
|
|
}
|
|
else {
|
|
Subsection = (PSUBSECTION)((PLARGE_CONTROL_AREA)ControlArea + 1);
|
|
}
|
|
ASSERT (Subsection->SubsectionBase != NULL);
|
|
ProtoPte = Subsection->SubsectionBase;
|
|
|
|
*ImageBaseAddress = SystemVa;
|
|
|
|
UserVa = Base;
|
|
TempPte = ValidKernelPte;
|
|
TempPte.u.Long |= MM_PTE_EXECUTE;
|
|
|
|
LastPte = ProtoPte + NumberOfPtes;
|
|
|
|
ExceptionStatus = STATUS_SUCCESS;
|
|
|
|
while (ProtoPte < LastPte) {
|
|
PteContents = *ProtoPte;
|
|
if ((PteContents.u.Hard.Valid == 1) ||
|
|
(PteContents.u.Soft.Protection != MM_NOACCESS)) {
|
|
|
|
if (LoadInSessionSpace == 0) {
|
|
ActualPagesUsed += 1;
|
|
|
|
PageFrameIndex = MiAllocatePfn (PointerPte, MM_EXECUTE);
|
|
|
|
TempPte.u.Hard.PageFrameNumber = PageFrameIndex;
|
|
MI_WRITE_VALID_PTE (PointerPte, TempPte);
|
|
|
|
ASSERT (MI_PFN_ELEMENT (PageFrameIndex)->u1.WsIndex == 0);
|
|
}
|
|
|
|
try {
|
|
|
|
RtlCopyMemory (SystemVa, UserVa, PAGE_SIZE);
|
|
|
|
} except (MiMapCacheExceptionFilter (&ExceptionStatus,
|
|
GetExceptionInformation())) {
|
|
|
|
//
|
|
// An exception occurred, unmap the view and
|
|
// return the error to the caller.
|
|
//
|
|
|
|
#if DBG
|
|
DbgPrint("MiLoadImageSection: Exception 0x%x copying driver SystemVa 0x%p, UserVa 0x%p\n",ExceptionStatus,SystemVa,UserVa);
|
|
#endif
|
|
|
|
if (LoadInSessionSpace != 0) {
|
|
CommittedPages = MiDeleteSystemPagableVm (
|
|
MiGetPteAddress (BaseAddress),
|
|
BYTES_TO_PAGES (SectionSize),
|
|
ZeroKernelPte,
|
|
TRUE,
|
|
NULL);
|
|
|
|
InterlockedExchangeAddSizeT (&MmSessionSpace->CommittedPages,
|
|
0 - CommittedPages);
|
|
|
|
MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGELOAD_FAILED2,
|
|
(ULONG)CommittedPages);
|
|
|
|
//
|
|
// Return the commitment we took out on the pagefile when
|
|
// the page was allocated. This is needed for collided
|
|
// images since all the pages get committed regardless
|
|
// of writability.
|
|
//
|
|
|
|
MiReturnCommitment (CommittedPages);
|
|
MM_TRACK_COMMIT (MM_DBG_COMMIT_RETURN_SESSION_DRIVER_LOAD_FAILURE1, CommittedPages);
|
|
}
|
|
else {
|
|
MiReturnFailedSessionPages (FirstPte, PointerPte, PagesRequired);
|
|
MiReleaseSystemPtes (FirstPte,
|
|
NumberOfPtes,
|
|
SystemPteSpace);
|
|
MiReturnCommitment (PagesRequired);
|
|
}
|
|
|
|
Status = MiUnmapViewOfSection (TargetProcess, Base, FALSE);
|
|
|
|
ASSERT (NT_SUCCESS (Status));
|
|
|
|
//
|
|
// Purge the section as we want these pages on the freelist
|
|
// instead of at the tail of standby, as we're completely
|
|
// done with the section. This is because other valuable
|
|
// standby pages end up getting reused (especially during
|
|
// bootup) when the section pages are the ones that really
|
|
// will never be referenced again.
|
|
//
|
|
// Note this isn't done for session images as they're
|
|
// inpaged directly from the filesystem via the section.
|
|
//
|
|
|
|
if (LoadInSessionSpace == 0) {
|
|
MmPurgeSection (ControlArea->FilePointer->SectionObjectPointer,
|
|
NULL,
|
|
0,
|
|
FALSE);
|
|
}
|
|
|
|
if (OpaqueSession != NULL) {
|
|
MiDetachFromSecureProcessInSession (OpaqueSession,
|
|
&ApcState);
|
|
}
|
|
|
|
if (LoadInSessionSpace != 0) {
|
|
MiRemoveImageSessionWide (BaseAddress);
|
|
}
|
|
|
|
return ExceptionStatus;
|
|
}
|
|
|
|
}
|
|
else {
|
|
|
|
//
|
|
// The PTE is no access - if this driver is being loaded in session
|
|
// space we already preloaded the page so free it now. The
|
|
// commitment is returned when the whole image is unmapped.
|
|
//
|
|
|
|
if (LoadInSessionSpace != 0) {
|
|
CommittedPages = MiDeleteSystemPagableVm (
|
|
MiGetPteAddress (SystemVa),
|
|
1,
|
|
ZeroKernelPte,
|
|
TRUE,
|
|
NULL);
|
|
|
|
MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGELOAD_NOACCESS,
|
|
1);
|
|
}
|
|
else {
|
|
MI_WRITE_INVALID_PTE (PointerPte, ZeroKernelPte);
|
|
}
|
|
}
|
|
|
|
ProtoPte += 1;
|
|
if (LoadInSessionSpace == 0) {
|
|
PointerPte += 1;
|
|
}
|
|
SystemVa = ((PCHAR)SystemVa + PAGE_SIZE);
|
|
UserVa = ((PCHAR)UserVa + PAGE_SIZE);
|
|
}
|
|
|
|
Status = MiUnmapViewOfSection (TargetProcess, Base, FALSE);
|
|
ASSERT (NT_SUCCESS (Status));
|
|
|
|
//
|
|
// Purge the section as we want these pages on the freelist instead of
|
|
// at the tail of standby, as we're completely done with the section.
|
|
// This is because other valuable standby pages end up getting reused
|
|
// (especially during bootup) when the section pages are the ones that
|
|
// really will never be referenced again.
|
|
//
|
|
// Note this isn't done for session images as they're inpaged directly
|
|
// from the filesystem via the section.
|
|
//
|
|
|
|
if (LoadInSessionSpace == 0) {
|
|
MmPurgeSection (ControlArea->FilePointer->SectionObjectPointer,
|
|
NULL,
|
|
0,
|
|
FALSE);
|
|
}
|
|
|
|
if (OpaqueSession != NULL) {
|
|
MiDetachFromSecureProcessInSession (OpaqueSession, &ApcState);
|
|
}
|
|
|
|
//
|
|
// Indicate that this section has been loaded into the system.
|
|
//
|
|
|
|
SectionPointer->Segment->SystemImageBase = *ImageBaseAddress;
|
|
|
|
if (LoadInSessionSpace == 0) {
|
|
|
|
//
|
|
// Return any excess resident available and commit.
|
|
//
|
|
|
|
if (PagesRequired != ActualPagesUsed) {
|
|
ASSERT (PagesRequired > ActualPagesUsed);
|
|
PagesRequired -= ActualPagesUsed;
|
|
|
|
MiReturnResidentAvailable (PagesRequired, 13);
|
|
MiReturnCommitment (PagesRequired);
|
|
}
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
VOID
|
|
MmFreeDriverInitialization (
|
|
IN PVOID ImageHandle
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine removes the pages that relocate and debug information from
|
|
the address space of the driver.
|
|
|
|
NOTE: This routine looks at the last sections defined in the image
|
|
header and if that section is marked as DISCARDABLE in the
|
|
characteristics, it is removed from the image. This means
|
|
that all discardable sections at the end of the driver are
|
|
deleted.
|
|
|
|
Arguments:
|
|
|
|
SectionObject - Supplies the section object for the image.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PMMPTE PointerPte;
|
|
PMMPTE LastPte;
|
|
PFN_NUMBER NumberOfPtes;
|
|
PVOID Base;
|
|
ULONG i;
|
|
PIMAGE_NT_HEADERS NtHeaders;
|
|
PIMAGE_SECTION_HEADER NtSection;
|
|
PIMAGE_SECTION_HEADER FoundSection;
|
|
PFN_NUMBER PagesDeleted;
|
|
|
|
DataTableEntry = (PKLDR_DATA_TABLE_ENTRY)ImageHandle;
|
|
Base = DataTableEntry->DllBase;
|
|
|
|
ASSERT (MI_IS_SESSION_ADDRESS (Base) == FALSE);
|
|
|
|
NumberOfPtes = DataTableEntry->SizeOfImage >> PAGE_SHIFT;
|
|
LastPte = MiGetPteAddress (Base) + NumberOfPtes;
|
|
|
|
NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(Base);
|
|
|
|
NtSection = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders +
|
|
sizeof(ULONG) +
|
|
sizeof(IMAGE_FILE_HEADER) +
|
|
NtHeaders->FileHeader.SizeOfOptionalHeader
|
|
);
|
|
|
|
NtSection += NtHeaders->FileHeader.NumberOfSections;
|
|
|
|
FoundSection = NULL;
|
|
for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i += 1) {
|
|
NtSection -= 1;
|
|
if ((NtSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) != 0) {
|
|
FoundSection = NtSection;
|
|
}
|
|
else {
|
|
|
|
//
|
|
// There was a non discardable section between the this
|
|
// section and the last non discardable section, don't
|
|
// discard this section and don't look any more.
|
|
//
|
|
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (FoundSection != NULL) {
|
|
|
|
PointerPte = MiGetPteAddress ((PVOID)(ROUND_TO_PAGES (
|
|
(PCHAR)Base + FoundSection->VirtualAddress)));
|
|
NumberOfPtes = (PFN_NUMBER)(LastPte - PointerPte);
|
|
|
|
PagesDeleted = MiDeleteSystemPagableVm (PointerPte,
|
|
NumberOfPtes,
|
|
ZeroKernelPte,
|
|
FALSE,
|
|
NULL);
|
|
|
|
MiReturnResidentAvailable (PagesDeleted, 18);
|
|
|
|
MiReturnCommitment (PagesDeleted);
|
|
MM_TRACK_COMMIT (MM_DBG_COMMIT_RETURN_DRIVER_INIT_CODE, PagesDeleted);
|
|
|
|
InterlockedExchangeAdd ((PLONG)&MmDriverCommit,
|
|
(LONG) (0 - PagesDeleted));
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
LOGICAL
|
|
MiChargeResidentAvailable (
|
|
IN PFN_NUMBER NumberOfPages,
|
|
IN ULONG Id
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine is a nonpaged wrapper to charge resident available pages.
|
|
|
|
Arguments:
|
|
|
|
NumberOfPages - Supplies the number of pages to charge.
|
|
|
|
Id - Supplies a tracking ID for debugging purposes.
|
|
|
|
Return Value:
|
|
|
|
TRUE if the pages were charged, FALSE if not.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
|
|
LOCK_PFN (OldIrql);
|
|
|
|
if (MI_NONPAGABLE_MEMORY_AVAILABLE() <= (SPFN_NUMBER)NumberOfPages) {
|
|
UNLOCK_PFN (OldIrql);
|
|
return FALSE;
|
|
}
|
|
|
|
MmResidentAvailablePages -= NumberOfPages;
|
|
MM_BUMP_COUNTER(Id, NumberOfPages);
|
|
|
|
UNLOCK_PFN (OldIrql);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
VOID
|
|
MiReturnResidentAvailable (
|
|
IN PFN_NUMBER NumberOfPages,
|
|
IN ULONG Id
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine is a nonpaged wrapper to return resident available pages.
|
|
|
|
Arguments:
|
|
|
|
NumberOfPages - Supplies the number of pages to return.
|
|
|
|
Id - Supplies a tracking ID for debugging purposes.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
|
|
LOCK_PFN (OldIrql);
|
|
MmResidentAvailablePages += NumberOfPages;
|
|
MM_BUMP_COUNTER(Id, NumberOfPages);
|
|
UNLOCK_PFN (OldIrql);
|
|
}
|
|
|
|
VOID
|
|
MiEnablePagingOfDriver (
|
|
IN PVOID ImageHandle
|
|
)
|
|
|
|
{
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PMMPTE LastPte;
|
|
PMMPTE PointerPte;
|
|
PVOID Base;
|
|
ULONG i;
|
|
PIMAGE_NT_HEADERS NtHeaders;
|
|
PIMAGE_SECTION_HEADER FoundSection;
|
|
PIMAGE_OPTIONAL_HEADER OptionalHeader;
|
|
|
|
//
|
|
// Don't page kernel mode code if customer does not want it paged.
|
|
//
|
|
|
|
if (MmDisablePagingExecutive & MM_SYSTEM_CODE_LOCKED_DOWN) {
|
|
return;
|
|
}
|
|
|
|
//
|
|
// If the driver has pagable code, make it paged.
|
|
//
|
|
|
|
DataTableEntry = (PKLDR_DATA_TABLE_ENTRY)ImageHandle;
|
|
Base = DataTableEntry->DllBase;
|
|
|
|
NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(Base);
|
|
|
|
OptionalHeader = (PIMAGE_OPTIONAL_HEADER)((PCHAR)NtHeaders +
|
|
#if defined (_WIN64)
|
|
FIELD_OFFSET (IMAGE_NT_HEADERS64, OptionalHeader));
|
|
#else
|
|
FIELD_OFFSET (IMAGE_NT_HEADERS32, OptionalHeader));
|
|
#endif
|
|
|
|
FoundSection = IMAGE_FIRST_SECTION (NtHeaders);
|
|
|
|
i = NtHeaders->FileHeader.NumberOfSections;
|
|
|
|
PointerPte = NULL;
|
|
|
|
//
|
|
// Initializing LastPte is not needed for correctness, but without it
|
|
// the compiler cannot compile this code W4 to check for use of
|
|
// uninitialized variables.
|
|
//
|
|
|
|
LastPte = NULL;
|
|
|
|
while (i > 0) {
|
|
#if DBG
|
|
if ((*(PULONG)FoundSection->Name == 'tini') ||
|
|
(*(PULONG)FoundSection->Name == 'egap')) {
|
|
DbgPrint("driver %wZ has lower case sections (init or pagexxx)\n",
|
|
&DataTableEntry->FullDllName);
|
|
}
|
|
#endif //DBG
|
|
|
|
//
|
|
// Mark as pagable any section which starts with the
|
|
// first 4 characters PAGE or .eda (for the .edata section).
|
|
//
|
|
|
|
if ((*(PULONG)FoundSection->Name == 'EGAP') ||
|
|
(*(PULONG)FoundSection->Name == 'ade.')) {
|
|
|
|
//
|
|
// This section is pagable, save away the start and end.
|
|
//
|
|
|
|
if (PointerPte == NULL) {
|
|
|
|
//
|
|
// Previous section was NOT pagable, get the start address.
|
|
//
|
|
|
|
PointerPte = MiGetPteAddress ((PVOID)(ROUND_TO_PAGES (
|
|
(PCHAR)Base + FoundSection->VirtualAddress)));
|
|
}
|
|
LastPte = MiGetPteAddress ((PCHAR)Base +
|
|
FoundSection->VirtualAddress +
|
|
(OptionalHeader->SectionAlignment - 1) +
|
|
FoundSection->SizeOfRawData - PAGE_SIZE);
|
|
|
|
}
|
|
else {
|
|
|
|
//
|
|
// This section is not pagable, if the previous section was
|
|
// pagable, enable it.
|
|
//
|
|
|
|
if (PointerPte != NULL) {
|
|
MiSetPagingOfDriver (PointerPte, LastPte, FALSE);
|
|
PointerPte = NULL;
|
|
}
|
|
}
|
|
i -= 1;
|
|
FoundSection += 1;
|
|
}
|
|
if (PointerPte != NULL) {
|
|
MiSetPagingOfDriver (PointerPte, LastPte, FALSE);
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
MiSetPagingOfDriver (
|
|
IN PMMPTE PointerPte,
|
|
IN PMMPTE LastPte,
|
|
IN LOGICAL SessionSpace
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine marks the specified range of PTEs as pagable.
|
|
|
|
Arguments:
|
|
|
|
PointerPte - Supplies the starting PTE.
|
|
|
|
LastPte - Supplies the ending PTE.
|
|
|
|
SessionSpace - Supplies TRUE if this mapping is in session space,
|
|
FALSE if not.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel Mode, IRQL of APC_LEVEL or below.
|
|
|
|
This routine could be made PAGELK but it is a high frequency routine
|
|
so it is actually better to keep it nonpaged to avoid bringing in the
|
|
entire PAGELK section.
|
|
|
|
--*/
|
|
|
|
{
|
|
PVOID Base;
|
|
PFN_NUMBER PageCount;
|
|
PFN_NUMBER PageFrameIndex;
|
|
PMMPFN Pfn;
|
|
MMPTE TempPte;
|
|
MMPTE PreviousPte;
|
|
KIRQL OldIrql1;
|
|
KIRQL OldIrql;
|
|
|
|
PAGED_CODE ();
|
|
|
|
ASSERT ((SessionSpace == FALSE) ||
|
|
(MmIsAddressValid(MmSessionSpace) == TRUE));
|
|
|
|
if (MI_IS_PHYSICAL_ADDRESS(MiGetVirtualAddressMappedByPte(PointerPte))) {
|
|
|
|
//
|
|
// No need to lock physical addresses.
|
|
//
|
|
|
|
return;
|
|
}
|
|
|
|
PageCount = 0;
|
|
|
|
if (SessionSpace == TRUE) {
|
|
LOCK_SESSION_SPACE_WS (OldIrql1, PsGetCurrentThread ());
|
|
}
|
|
else {
|
|
LOCK_SYSTEM_WS (OldIrql1, PsGetCurrentThread ());
|
|
}
|
|
|
|
LOCK_PFN (OldIrql);
|
|
|
|
Base = MiGetVirtualAddressMappedByPte (PointerPte);
|
|
|
|
while (PointerPte <= LastPte) {
|
|
|
|
//
|
|
// Check to make sure this PTE has not already been
|
|
// made pagable (or deleted). It is pagable if it
|
|
// is not valid, or if the PFN database wsindex element
|
|
// is non zero.
|
|
//
|
|
|
|
if (PointerPte->u.Hard.Valid == 1) {
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
|
|
Pfn = MI_PFN_ELEMENT (PageFrameIndex);
|
|
ASSERT (Pfn->u2.ShareCount == 1);
|
|
|
|
if (Pfn->u1.WsIndex == 0) {
|
|
|
|
//
|
|
// Original PTE may need to be set for drivers loaded
|
|
// via ntldr.
|
|
//
|
|
|
|
if (Pfn->OriginalPte.u.Long == 0) {
|
|
Pfn->OriginalPte.u.Long = MM_KERNEL_DEMAND_ZERO_PTE;
|
|
Pfn->OriginalPte.u.Soft.Protection |= MM_EXECUTE;
|
|
}
|
|
|
|
TempPte = *PointerPte;
|
|
|
|
MI_MAKE_VALID_PTE_TRANSITION (TempPte,
|
|
Pfn->OriginalPte.u.Soft.Protection);
|
|
|
|
PreviousPte.u.Flush = KeFlushSingleTb (Base,
|
|
TRUE,
|
|
TRUE,
|
|
(PHARDWARE_PTE)PointerPte,
|
|
TempPte.u.Flush);
|
|
|
|
MI_CAPTURE_DIRTY_BIT_TO_PFN (&PreviousPte, Pfn);
|
|
|
|
//
|
|
// Flush the translation buffer and decrement the number of valid
|
|
// PTEs within the containing page table page. Note that for a
|
|
// private page, the page table page is still needed because the
|
|
// page is in transition.
|
|
//
|
|
|
|
MiDecrementShareCount (PageFrameIndex);
|
|
MmResidentAvailablePages += 1;
|
|
MM_BUMP_COUNTER(19, 1);
|
|
MmTotalSystemDriverPages += 1;
|
|
PageCount += 1;
|
|
}
|
|
else {
|
|
//
|
|
// This page is already pagable and has a WSLE entry.
|
|
// Ignore it here and let the trimmer take it if memory
|
|
// comes under pressure.
|
|
//
|
|
}
|
|
}
|
|
Base = (PVOID)((PCHAR)Base + PAGE_SIZE);
|
|
PointerPte += 1;
|
|
}
|
|
|
|
if (SessionSpace == TRUE) {
|
|
|
|
//
|
|
// Session space has no ASN - flush the entire TB.
|
|
//
|
|
|
|
MI_FLUSH_ENTIRE_SESSION_TB (TRUE, TRUE);
|
|
}
|
|
|
|
UNLOCK_PFN (OldIrql);
|
|
|
|
if (SessionSpace == TRUE) {
|
|
|
|
//
|
|
// These pages are no longer locked down.
|
|
//
|
|
|
|
MM_BUMP_SESS_COUNTER (MM_DBG_SESSION_NP_PAGE_DRIVER, (ULONG)PageCount);
|
|
MmSessionSpace->NonPagablePages -= PageCount;
|
|
MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_DRIVER_PAGES_UNLOCKED, (ULONG)PageCount);
|
|
|
|
UNLOCK_SESSION_SPACE_WS (OldIrql1);
|
|
}
|
|
else {
|
|
UNLOCK_SYSTEM_WS (OldIrql1);
|
|
}
|
|
}
|
|
|
|
|
|
PVOID
|
|
MmPageEntireDriver (
|
|
IN PVOID AddressWithinSection
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine allows a driver to page out all of its code and
|
|
data regardless of the attributes of the various image sections.
|
|
|
|
Note, this routine can be called multiple times with no
|
|
intervening calls to MmResetDriverPaging.
|
|
|
|
Arguments:
|
|
|
|
AddressWithinSection - Supplies an address within the driver, e.g.
|
|
DriverEntry.
|
|
|
|
Return Value:
|
|
|
|
Base address of driver.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, APC_LEVEL or below.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PMMPTE FirstPte;
|
|
PMMPTE LastPte;
|
|
PVOID BaseAddress;
|
|
PSECTION SectionPointer;
|
|
LOGICAL SessionSpace;
|
|
|
|
PAGED_CODE();
|
|
|
|
DataTableEntry = MiLookupDataTableEntry (AddressWithinSection, FALSE);
|
|
|
|
if (DataTableEntry == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// Don't page kernel mode code if disabled via registry.
|
|
//
|
|
|
|
if (MmDisablePagingExecutive & MM_SYSTEM_CODE_LOCKED_DOWN) {
|
|
BaseAddress = DataTableEntry->DllBase;
|
|
goto success;
|
|
}
|
|
|
|
SectionPointer = (PSECTION)DataTableEntry->SectionPointer;
|
|
|
|
SessionSpace = MI_IS_SESSION_IMAGE_ADDRESS (AddressWithinSection);
|
|
|
|
if ((SectionPointer != NULL) && (SectionPointer != (PVOID)-1)) {
|
|
|
|
//
|
|
// Driver is mapped as an image (ie: win32k), this is always pagable.
|
|
// For session space, an image that has been loaded at its desired
|
|
// address is also always pagable. If there was an address collision,
|
|
// then we fall through because we have to explicitly page it.
|
|
//
|
|
|
|
if (SessionSpace == TRUE) {
|
|
if (SectionPointer->Segment &&
|
|
SectionPointer->Segment->BasedAddress == SectionPointer->Segment->SystemImageBase) {
|
|
BaseAddress = DataTableEntry->DllBase;
|
|
goto success;
|
|
}
|
|
}
|
|
else {
|
|
BaseAddress = DataTableEntry->DllBase;
|
|
goto success;
|
|
}
|
|
}
|
|
|
|
BaseAddress = DataTableEntry->DllBase;
|
|
FirstPte = MiGetPteAddress (BaseAddress);
|
|
LastPte = (FirstPte - 1) + (DataTableEntry->SizeOfImage >> PAGE_SHIFT);
|
|
|
|
MiSetPagingOfDriver (FirstPte, LastPte, SessionSpace);
|
|
|
|
success:
|
|
|
|
#if 0
|
|
|
|
//
|
|
// .rdata and .pdata must be made resident for the kernel debugger to
|
|
// display stack frames properly. This means these sections must not
|
|
// only be marked nonpagable, but for drivers like win32k.sys (and
|
|
// session space drivers that are not relocated) that are paged in and
|
|
// out directly from the filesystem, these pages must be made explicitly
|
|
// resident now.
|
|
//
|
|
// If the debugger can be pitched, then there is no need to lock down
|
|
// these subsections as no one will be debugging this system anyway.
|
|
//
|
|
|
|
if (KdPitchDebugger == 0) {
|
|
MiLockDriverPdata (DataTableEntry);
|
|
}
|
|
|
|
#endif
|
|
|
|
return BaseAddress;
|
|
}
|
|
|
|
|
|
VOID
|
|
MmResetDriverPaging (
|
|
IN PVOID AddressWithinSection
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routines resets the driver paging to what the image specified.
|
|
Hence image sections such as the IAT, .text, .data will be locked
|
|
down in memory.
|
|
|
|
Note, there is no requirement that MmPageEntireDriver was called.
|
|
|
|
Arguments:
|
|
|
|
AddressWithinSection - Supplies an address within the driver, e.g.
|
|
DriverEntry.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, APC_LEVEL or below.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PMMPTE LastPte;
|
|
PMMPTE PointerPte;
|
|
PVOID Base;
|
|
ULONG i;
|
|
PIMAGE_NT_HEADERS NtHeaders;
|
|
PIMAGE_SECTION_HEADER FoundSection;
|
|
|
|
PAGED_CODE();
|
|
|
|
//
|
|
// Don't page kernel mode code if disabled via registry.
|
|
//
|
|
|
|
if (MmDisablePagingExecutive & MM_SYSTEM_CODE_LOCKED_DOWN) {
|
|
return;
|
|
}
|
|
|
|
if (MI_IS_PHYSICAL_ADDRESS(AddressWithinSection)) {
|
|
return;
|
|
}
|
|
|
|
//
|
|
// If the driver has pagable code, make it paged.
|
|
//
|
|
|
|
DataTableEntry = MiLookupDataTableEntry (AddressWithinSection, FALSE);
|
|
|
|
if ((DataTableEntry->SectionPointer != NULL) &&
|
|
(DataTableEntry->SectionPointer != (PVOID)-1)) {
|
|
|
|
//
|
|
// Driver is mapped by image hence already paged.
|
|
//
|
|
|
|
return;
|
|
}
|
|
|
|
Base = DataTableEntry->DllBase;
|
|
|
|
NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(Base);
|
|
|
|
FoundSection = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders +
|
|
sizeof(ULONG) +
|
|
sizeof(IMAGE_FILE_HEADER) +
|
|
NtHeaders->FileHeader.SizeOfOptionalHeader
|
|
);
|
|
|
|
i = NtHeaders->FileHeader.NumberOfSections;
|
|
PointerPte = NULL;
|
|
|
|
while (i > 0) {
|
|
#if DBG
|
|
if ((*(PULONG)FoundSection->Name == 'tini') ||
|
|
(*(PULONG)FoundSection->Name == 'egap')) {
|
|
DbgPrint("driver %wZ has lower case sections (init or pagexxx)\n",
|
|
&DataTableEntry->FullDllName);
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// Don't lock down code for sections marked as discardable or
|
|
// sections marked with the first 4 characters PAGE or .eda
|
|
// (for the .edata section) or INIT.
|
|
//
|
|
|
|
if (((FoundSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) != 0) ||
|
|
(*(PULONG)FoundSection->Name == 'EGAP') ||
|
|
(*(PULONG)FoundSection->Name == 'ade.') ||
|
|
(*(PULONG)FoundSection->Name == 'TINI')) {
|
|
|
|
NOTHING;
|
|
|
|
}
|
|
else {
|
|
|
|
//
|
|
// This section is nonpagable.
|
|
//
|
|
|
|
PointerPte = MiGetPteAddress (
|
|
(PCHAR)Base + FoundSection->VirtualAddress);
|
|
LastPte = MiGetPteAddress ((PCHAR)Base +
|
|
FoundSection->VirtualAddress +
|
|
(FoundSection->SizeOfRawData - 1));
|
|
ASSERT (PointerPte <= LastPte);
|
|
|
|
MiLockCode (PointerPte, LastPte, MM_LOCK_BY_NONPAGE);
|
|
}
|
|
i -= 1;
|
|
FoundSection += 1;
|
|
}
|
|
return;
|
|
}
|
|
|
|
#if 0
|
|
|
|
VOID
|
|
MiLockDriverPdata (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routines locks down the .pdata & .rdata subsections within the driver.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the argument module's data table entry.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, APC_LEVEL or below.
|
|
|
|
--*/
|
|
|
|
{
|
|
PSECTION SectionPointer;
|
|
LOGICAL SessionSpace;
|
|
PMMPTE LastPte;
|
|
PMMPTE PointerPte;
|
|
PVOID Base;
|
|
ULONG i;
|
|
PIMAGE_NT_HEADERS NtHeaders;
|
|
PIMAGE_SECTION_HEADER FoundSection;
|
|
PETHREAD Thread;
|
|
|
|
PAGED_CODE();
|
|
|
|
//
|
|
// If the debugger can be pitched, then there is no need to lock down
|
|
// these subsections as no one will be debugging this system anyway.
|
|
//
|
|
|
|
ASSERT (KdPitchDebugger == 0);
|
|
|
|
if (MI_IS_PHYSICAL_ADDRESS(DataTableEntry->DllBase)) {
|
|
return;
|
|
}
|
|
|
|
SectionPointer = (PSECTION)DataTableEntry->SectionPointer;
|
|
|
|
//
|
|
// Drivers backed by the paging file require no handling as the .pdata
|
|
// .rdata sections are not paged by default and have already been inpaged.
|
|
//
|
|
|
|
if ((SectionPointer == NULL) || (SectionPointer == (PVOID)-1)) {
|
|
return;
|
|
}
|
|
|
|
//
|
|
// The driver is mapped as an image (ie: win32k) which is always pagable.
|
|
// In fact, it may not even be resident right now because in addition
|
|
// to being always pagable, it is backed directly by the filesystem,
|
|
// not the pagefile. So it must be inpaged now.
|
|
//
|
|
|
|
SessionSpace = MI_IS_SESSION_IMAGE_ADDRESS (DataTableEntry->DllBase);
|
|
|
|
Base = DataTableEntry->DllBase;
|
|
|
|
NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(Base);
|
|
|
|
FoundSection = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders +
|
|
sizeof(ULONG) +
|
|
sizeof(IMAGE_FILE_HEADER) +
|
|
NtHeaders->FileHeader.SizeOfOptionalHeader);
|
|
|
|
i = NtHeaders->FileHeader.NumberOfSections;
|
|
PointerPte = NULL;
|
|
Thread = PsGetCurrentThread ();
|
|
|
|
for ( ; i > 0; i -= 1, FoundSection += 1) {
|
|
|
|
//
|
|
// Don't lock down discardable sections.
|
|
//
|
|
|
|
if ((FoundSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) != 0) {
|
|
NOTHING;
|
|
}
|
|
|
|
//
|
|
// Inpage and lock down subsections marked as .pdata & .rdata.
|
|
//
|
|
|
|
if (((*(PULONG)FoundSection->Name == 'adp.') &&
|
|
(FoundSection->Name[4] == 't') &&
|
|
(FoundSection->Name[5] == 'a')) ||
|
|
|
|
((*(PULONG)FoundSection->Name == 'adr.') &&
|
|
(FoundSection->Name[4] == 't') &&
|
|
(FoundSection->Name[5] == 'a'))) {
|
|
|
|
PointerPte = MiGetPteAddress (
|
|
(PCHAR)Base + FoundSection->VirtualAddress);
|
|
LastPte = MiGetPteAddress ((PCHAR)Base +
|
|
FoundSection->VirtualAddress +
|
|
(FoundSection->SizeOfRawData - 1));
|
|
ASSERT (PointerPte <= LastPte);
|
|
}
|
|
}
|
|
return;
|
|
}
|
|
#endif
|
|
|
|
|
|
VOID
|
|
MiClearImports(
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Free up the import list and clear the pointer. This stops the
|
|
recursion performed in MiDereferenceImports().
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - provided for the driver.
|
|
|
|
Return Value:
|
|
|
|
Status of the import list construction operation.
|
|
|
|
--*/
|
|
|
|
{
|
|
PAGED_CODE();
|
|
|
|
if (DataTableEntry->LoadedImports == (PVOID)LOADED_AT_BOOT) {
|
|
return;
|
|
}
|
|
|
|
if (DataTableEntry->LoadedImports == (PVOID)NO_IMPORTS_USED) {
|
|
NOTHING;
|
|
}
|
|
else if (SINGLE_ENTRY(DataTableEntry->LoadedImports)) {
|
|
NOTHING;
|
|
}
|
|
else {
|
|
//
|
|
// free the memory
|
|
//
|
|
ExFreePool ((PVOID)DataTableEntry->LoadedImports);
|
|
}
|
|
|
|
//
|
|
// stop the recursion
|
|
//
|
|
DataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT;
|
|
}
|
|
|
|
VOID
|
|
MiRememberUnloadedDriver (
|
|
IN PUNICODE_STRING DriverName,
|
|
IN PVOID Address,
|
|
IN ULONG Length
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine saves information about unloaded drivers so that ones that
|
|
forget to delete lookaside lists or queues can be caught.
|
|
|
|
Arguments:
|
|
|
|
DriverName - Supplies a Unicode string containing the driver's name.
|
|
|
|
Address - Supplies the address the driver was loaded at.
|
|
|
|
Length - Supplies the number of bytes the driver load spanned.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
PUNLOADED_DRIVERS Entry;
|
|
ULONG NumberOfBytes;
|
|
|
|
if (DriverName->Length == 0) {
|
|
|
|
//
|
|
// This is an aborted load and the driver name hasn't been filled
|
|
// in yet. No need to save it.
|
|
//
|
|
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Serialization is provided by the caller, so just update the list now.
|
|
// Note the allocations are nonpaged so they can be searched at bugcheck
|
|
// time.
|
|
//
|
|
|
|
if (MmUnloadedDrivers == NULL) {
|
|
NumberOfBytes = MI_UNLOADED_DRIVERS * sizeof (UNLOADED_DRIVERS);
|
|
|
|
MmUnloadedDrivers = (PUNLOADED_DRIVERS)ExAllocatePoolWithTag (NonPagedPool,
|
|
NumberOfBytes,
|
|
'TDmM');
|
|
if (MmUnloadedDrivers == NULL) {
|
|
return;
|
|
}
|
|
RtlZeroMemory (MmUnloadedDrivers, NumberOfBytes);
|
|
MmLastUnloadedDriver = 0;
|
|
}
|
|
else if (MmLastUnloadedDriver >= MI_UNLOADED_DRIVERS) {
|
|
MmLastUnloadedDriver = 0;
|
|
}
|
|
|
|
Entry = &MmUnloadedDrivers[MmLastUnloadedDriver];
|
|
|
|
//
|
|
// Free the old entry as we recycle into the new.
|
|
//
|
|
|
|
RtlFreeUnicodeString (&Entry->Name);
|
|
|
|
Entry->Name.Buffer = ExAllocatePoolWithTag (NonPagedPool,
|
|
DriverName->Length,
|
|
'TDmM');
|
|
|
|
if (Entry->Name.Buffer == NULL) {
|
|
Entry->Name.MaximumLength = 0;
|
|
Entry->Name.Length = 0;
|
|
MiUnloadsSkipped += 1;
|
|
return;
|
|
}
|
|
|
|
RtlCopyMemory(Entry->Name.Buffer, DriverName->Buffer, DriverName->Length);
|
|
Entry->Name.Length = DriverName->Length;
|
|
Entry->Name.MaximumLength = DriverName->MaximumLength;
|
|
|
|
Entry->StartAddress = Address;
|
|
Entry->EndAddress = (PVOID)((PCHAR)Address + Length);
|
|
|
|
KeQuerySystemTime (&Entry->CurrentTime);
|
|
|
|
MiTotalUnloads += 1;
|
|
MmLastUnloadedDriver += 1;
|
|
}
|
|
|
|
PUNICODE_STRING
|
|
MmLocateUnloadedDriver (
|
|
IN PVOID VirtualAddress
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine attempts to find the specified virtual address in the
|
|
unloaded driver list.
|
|
|
|
Arguments:
|
|
|
|
VirtualAddress - Supplies a virtual address that might be within a driver
|
|
that has already unloaded.
|
|
|
|
Return Value:
|
|
|
|
A pointer to a Unicode string containing the unloaded driver's name.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, bugcheck time.
|
|
|
|
--*/
|
|
|
|
{
|
|
PUNLOADED_DRIVERS Entry;
|
|
ULONG i;
|
|
ULONG Index;
|
|
|
|
//
|
|
// No serialization is needed because we've crashed.
|
|
//
|
|
|
|
if (MmUnloadedDrivers == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
Index = MmLastUnloadedDriver - 1;
|
|
|
|
for (i = 0; i < MI_UNLOADED_DRIVERS; i += 1) {
|
|
if (Index >= MI_UNLOADED_DRIVERS) {
|
|
Index = MI_UNLOADED_DRIVERS - 1;
|
|
}
|
|
Entry = &MmUnloadedDrivers[Index];
|
|
if (Entry->Name.Buffer != NULL) {
|
|
if ((VirtualAddress >= Entry->StartAddress) &&
|
|
(VirtualAddress < Entry->EndAddress)) {
|
|
return &Entry->Name;
|
|
}
|
|
}
|
|
Index -= 1;
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
MmUnloadSystemImage (
|
|
IN PVOID ImageHandle
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine unloads a previously loaded system image and returns
|
|
the allocated resources.
|
|
|
|
Arguments:
|
|
|
|
ImageHandle - Supplies a pointer to the section object of the
|
|
image to unload.
|
|
|
|
Return Value:
|
|
|
|
Various NTSTATUS codes.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, APC_LEVEL or below, arbitrary process context.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PMMPTE LastPte;
|
|
PFN_NUMBER PagesRequired;
|
|
PFN_NUMBER ResidentPages;
|
|
PMMPTE PointerPte;
|
|
PFN_NUMBER NumberOfPtes;
|
|
PVOID BasedAddress;
|
|
SIZE_T NumberOfBytes;
|
|
LOGICAL MustFree;
|
|
SIZE_T CommittedPages;
|
|
LOGICAL ViewDeleted;
|
|
PIMAGE_ENTRY_IN_SESSION DriverImage;
|
|
NTSTATUS Status;
|
|
PSECTION SectionPointer;
|
|
PKTHREAD CurrentThread;
|
|
|
|
//
|
|
// Arbitrary process context so prevent suspend APCs now.
|
|
//
|
|
|
|
CurrentThread = KeGetCurrentThread ();
|
|
KeEnterCriticalRegionThread (CurrentThread);
|
|
|
|
KeWaitForSingleObject (&MmSystemLoadLock,
|
|
WrVirtualMemory,
|
|
KernelMode,
|
|
FALSE,
|
|
(PLARGE_INTEGER)NULL);
|
|
|
|
ViewDeleted = FALSE;
|
|
DataTableEntry = (PKLDR_DATA_TABLE_ENTRY)ImageHandle;
|
|
BasedAddress = DataTableEntry->DllBase;
|
|
|
|
#if DBGXX
|
|
//
|
|
// MiUnloadSystemImageByForce violates this check so remove it for now.
|
|
//
|
|
|
|
if (PsLoadedModuleList.Flink) {
|
|
LOGICAL Found;
|
|
PLIST_ENTRY NextEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry2;
|
|
|
|
Found = FALSE;
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
while (NextEntry != &PsLoadedModuleList) {
|
|
|
|
DataTableEntry2 = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
if (DataTableEntry == DataTableEntry2) {
|
|
Found = TRUE;
|
|
break;
|
|
}
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
ASSERT (Found == TRUE);
|
|
}
|
|
#endif
|
|
|
|
#if DBG_SYSLOAD
|
|
if (DataTableEntry->SectionPointer == NULL) {
|
|
DbgPrint ("MM: Called to unload boot driver %wZ\n",
|
|
&DataTableEntry->FullDllName);
|
|
}
|
|
else {
|
|
DbgPrint ("MM: Called to unload non-boot driver %wZ\n",
|
|
&DataTableEntry->FullDllName);
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// Any driver loaded at boot that did not have its import list
|
|
// and LoadCount reconstructed cannot be unloaded because we don't
|
|
// know how many other drivers may be linked to it.
|
|
//
|
|
|
|
if (DataTableEntry->LoadedImports == (PVOID)LOADED_AT_BOOT) {
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
ASSERT (DataTableEntry->LoadCount != 0);
|
|
|
|
if (MI_IS_SESSION_IMAGE_ADDRESS (BasedAddress)) {
|
|
|
|
//
|
|
// A printer driver may be referenced multiple times for the
|
|
// same session space. Only unload the last reference.
|
|
//
|
|
|
|
DriverImage = MiSessionLookupImage (BasedAddress);
|
|
|
|
ASSERT (DriverImage);
|
|
|
|
ASSERT (DriverImage->ImageCountInThisSession);
|
|
|
|
if (DriverImage->ImageCountInThisSession > 1) {
|
|
|
|
DriverImage->ImageCountInThisSession -= 1;
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
//
|
|
// The reference count for this image has dropped to zero in this
|
|
// session, so we can delete this session's view of the image.
|
|
//
|
|
|
|
Status = MiSessionWideGetImageSize (BasedAddress,
|
|
&NumberOfBytes,
|
|
&CommittedPages);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
|
|
KeBugCheckEx (MEMORY_MANAGEMENT,
|
|
0x41286,
|
|
(ULONG_PTR)MmSessionSpace->SessionId,
|
|
(ULONG_PTR)BasedAddress,
|
|
0);
|
|
}
|
|
|
|
//
|
|
// Free the session space taken up by the image, unmapping it from
|
|
// the current VA space - note this does not remove page table pages
|
|
// from the session PageTables[]. Each data page is only freed
|
|
// if there are no other references to it (ie: from any other
|
|
// sessions).
|
|
//
|
|
|
|
PointerPte = MiGetPteAddress (BasedAddress);
|
|
LastPte = MiGetPteAddress ((PVOID)((ULONG_PTR)BasedAddress + NumberOfBytes));
|
|
|
|
PagesRequired = MiDeleteSystemPagableVm (PointerPte,
|
|
(PFN_NUMBER)(LastPte - PointerPte),
|
|
ZeroKernelPte,
|
|
TRUE,
|
|
&ResidentPages);
|
|
|
|
//
|
|
// Note resident available is returned here without waiting for load
|
|
// count to reach zero because it is charged each time a session space
|
|
// driver locks down its code or data regardless of whether it is really
|
|
// the same copy-on-write backing page(s) that some other session has
|
|
// already locked down.
|
|
//
|
|
|
|
MiReturnResidentAvailable (ResidentPages, 22);
|
|
|
|
if ((MmDisablePagingExecutive & MM_SYSTEM_CODE_LOCKED_DOWN) == 0) {
|
|
|
|
SectionPointer = (PSECTION)DataTableEntry->SectionPointer;
|
|
|
|
if ((SectionPointer == NULL) ||
|
|
(SectionPointer == (PVOID)-1) ||
|
|
(SectionPointer->Segment == NULL) ||
|
|
(SectionPointer->Segment->BasedAddress != SectionPointer->Segment->SystemImageBase)) {
|
|
|
|
MmTotalSystemDriverPages -= (ULONG)(PagesRequired - ResidentPages);
|
|
}
|
|
}
|
|
|
|
InterlockedExchangeAddSizeT (&MmSessionSpace->CommittedPages,
|
|
0 - CommittedPages);
|
|
|
|
MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGE_UNLOAD,
|
|
(ULONG)CommittedPages);
|
|
|
|
ViewDeleted = TRUE;
|
|
|
|
//
|
|
// Return the commitment we took out on the pagefile when the
|
|
// image was allocated.
|
|
//
|
|
|
|
MiReturnCommitment (CommittedPages);
|
|
MM_TRACK_COMMIT (MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD, CommittedPages);
|
|
|
|
//
|
|
// Tell the session space image handler that we are releasing
|
|
// our claim to the image.
|
|
//
|
|
|
|
Status = MiRemoveImageSessionWide (BasedAddress);
|
|
|
|
ASSERT (NT_SUCCESS (Status));
|
|
}
|
|
|
|
ASSERT (DataTableEntry->LoadCount != 0);
|
|
|
|
DataTableEntry->LoadCount -= 1;
|
|
|
|
if (DataTableEntry->LoadCount != 0) {
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
#if DBG
|
|
if (MI_IS_SESSION_IMAGE_ADDRESS (BasedAddress)) {
|
|
ASSERT (MiSessionLookupImage (BasedAddress) == NULL);
|
|
}
|
|
#endif
|
|
|
|
if (MmSnapUnloads) {
|
|
#if 0
|
|
PVOID StillQueued;
|
|
|
|
StillQueued = KeCheckForTimer (DataTableEntry->DllBase,
|
|
DataTableEntry->SizeOfImage);
|
|
|
|
if (StillQueued != NULL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x18,
|
|
(ULONG_PTR)StillQueued,
|
|
(ULONG_PTR)-1,
|
|
(ULONG_PTR)DataTableEntry->DllBase);
|
|
}
|
|
|
|
StillQueued = ExpCheckForResource (DataTableEntry->DllBase,
|
|
DataTableEntry->SizeOfImage);
|
|
|
|
if (StillQueued != NULL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x19,
|
|
(ULONG_PTR)StillQueued,
|
|
(ULONG_PTR)-1,
|
|
(ULONG_PTR)DataTableEntry->DllBase);
|
|
}
|
|
#endif
|
|
}
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_DEADLOCK_DETECTION) {
|
|
VerifierDeadlockFreePool (DataTableEntry->DllBase, DataTableEntry->SizeOfImage);
|
|
}
|
|
|
|
if (DataTableEntry->Flags & LDRP_IMAGE_VERIFYING) {
|
|
MiVerifyingDriverUnloading (DataTableEntry);
|
|
}
|
|
|
|
if (MiActiveVerifierThunks != 0) {
|
|
MiVerifierCheckThunks (DataTableEntry);
|
|
}
|
|
|
|
//
|
|
// Unload symbols from debugger.
|
|
//
|
|
|
|
if (DataTableEntry->Flags & LDRP_DEBUG_SYMBOLS_LOADED) {
|
|
|
|
//
|
|
// TEMP TEMP TEMP rip out when debugger converted
|
|
//
|
|
|
|
ANSI_STRING AnsiName;
|
|
|
|
Status = RtlUnicodeStringToAnsiString (&AnsiName,
|
|
&DataTableEntry->BaseDllName,
|
|
TRUE);
|
|
|
|
if (NT_SUCCESS (Status)) {
|
|
DbgUnLoadImageSymbols (&AnsiName,
|
|
BasedAddress,
|
|
(ULONG)-1);
|
|
RtlFreeAnsiString (&AnsiName);
|
|
}
|
|
}
|
|
|
|
//
|
|
// No unload can happen till after Mm has finished Phase 1 initialization.
|
|
// Therefore, large pages are already in effect (if this platform supports
|
|
// it).
|
|
//
|
|
|
|
if (ViewDeleted == FALSE) {
|
|
|
|
NumberOfPtes = DataTableEntry->SizeOfImage >> PAGE_SHIFT;
|
|
|
|
if (MmSnapUnloads) {
|
|
MiRememberUnloadedDriver (&DataTableEntry->BaseDllName,
|
|
BasedAddress,
|
|
(ULONG)(NumberOfPtes << PAGE_SHIFT));
|
|
}
|
|
|
|
if (DataTableEntry->Flags & LDRP_SYSTEM_MAPPED) {
|
|
|
|
PointerPte = MiGetPteAddress (BasedAddress);
|
|
|
|
PagesRequired = MiDeleteSystemPagableVm (PointerPte,
|
|
NumberOfPtes,
|
|
ZeroKernelPte,
|
|
FALSE,
|
|
&ResidentPages);
|
|
|
|
MmTotalSystemDriverPages -= (ULONG)(PagesRequired - ResidentPages);
|
|
|
|
//
|
|
// Note that drivers loaded at boot that have not been relocated
|
|
// have no system PTEs or commit charged.
|
|
//
|
|
|
|
MiReleaseSystemPtes (PointerPte,
|
|
(ULONG)NumberOfPtes,
|
|
SystemPteSpace);
|
|
|
|
MiReturnResidentAvailable (ResidentPages, 21);
|
|
|
|
//
|
|
// Only return commitment for drivers that weren't loaded by the
|
|
// boot loader.
|
|
//
|
|
|
|
if (DataTableEntry->SectionPointer != NULL) {
|
|
MiReturnCommitment (PagesRequired);
|
|
MM_TRACK_COMMIT (MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD1, PagesRequired);
|
|
InterlockedExchangeAdd ((PLONG)&MmDriverCommit,
|
|
(LONG) (0 - PagesRequired));
|
|
}
|
|
}
|
|
else {
|
|
|
|
//
|
|
// This must be a boot driver that was not relocated into
|
|
// system PTEs. If large or super pages are enabled, the
|
|
// image pages must be freed without referencing the
|
|
// non-existent page table pages. If large/super pages are
|
|
// not enabled, note that system PTEs were not used to map the
|
|
// image and thus, cannot be freed.
|
|
|
|
//
|
|
// This is further complicated by the fact that the INIT and/or
|
|
// discardable portions of these images may have already been freed.
|
|
//
|
|
}
|
|
}
|
|
|
|
//
|
|
// Search the loaded module list for the data table entry that describes
|
|
// the DLL that was just unloaded. It is possible an entry is not in the
|
|
// list if a failure occurred at a point in loading the DLL just before
|
|
// the data table entry was generated.
|
|
//
|
|
|
|
if (DataTableEntry->InLoadOrderLinks.Flink != NULL) {
|
|
MiProcessLoaderEntry (DataTableEntry, FALSE);
|
|
MustFree = TRUE;
|
|
}
|
|
else {
|
|
MustFree = FALSE;
|
|
}
|
|
|
|
//
|
|
// Handle unloading of any dependent DLLs that we loaded automatically
|
|
// for this image.
|
|
//
|
|
|
|
MiDereferenceImports ((PLOAD_IMPORTS)DataTableEntry->LoadedImports);
|
|
|
|
MiClearImports (DataTableEntry);
|
|
|
|
//
|
|
// Free this loader entry.
|
|
//
|
|
|
|
if (MustFree == TRUE) {
|
|
|
|
if (DataTableEntry->FullDllName.Buffer != NULL) {
|
|
ExFreePool (DataTableEntry->FullDllName.Buffer);
|
|
}
|
|
|
|
//
|
|
// Dereference the section object if there is one.
|
|
// There should only be one for win32k.sys and Hydra session images.
|
|
//
|
|
|
|
if ((DataTableEntry->SectionPointer != NULL) &&
|
|
(DataTableEntry->SectionPointer != (PVOID)-1)) {
|
|
|
|
ObDereferenceObject (DataTableEntry->SectionPointer);
|
|
}
|
|
|
|
ExFreePool((PVOID)DataTableEntry);
|
|
}
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
PERFINFO_IMAGE_UNLOAD(BasedAddress);
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
MiBuildImportsForBootDrivers(
|
|
VOID
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Construct an import list chain for boot-loaded drivers.
|
|
If this cannot be done for an entry, its chain is set to LOADED_AT_BOOT.
|
|
|
|
If a chain can be successfully built, then this driver's DLLs
|
|
will be automatically unloaded if this driver goes away (provided
|
|
no other driver is also using them). Otherwise, on driver unload,
|
|
its dependent DLLs would have to be explicitly unloaded.
|
|
|
|
Note that the incoming LoadCount values are not correct and thus, they
|
|
are reinitialized here.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
Various NTSTATUS codes.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PLIST_ENTRY NextEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry2;
|
|
PLIST_ENTRY NextEntry2;
|
|
ULONG i;
|
|
ULONG j;
|
|
ULONG ImageCount;
|
|
PVOID *ImageReferences;
|
|
PVOID LastImageReference;
|
|
PULONG_PTR ImportThunk;
|
|
ULONG_PTR BaseAddress;
|
|
ULONG_PTR LastAddress;
|
|
ULONG ImportSize;
|
|
ULONG ImportListSize;
|
|
PLOAD_IMPORTS ImportList;
|
|
LOGICAL UndoEverything;
|
|
PKLDR_DATA_TABLE_ENTRY KernelDataTableEntry;
|
|
PKLDR_DATA_TABLE_ENTRY HalDataTableEntry;
|
|
UNICODE_STRING KernelString;
|
|
UNICODE_STRING HalString;
|
|
|
|
PAGED_CODE();
|
|
|
|
ImageCount = 0;
|
|
|
|
KernelDataTableEntry = NULL;
|
|
HalDataTableEntry = NULL;
|
|
|
|
RtlInitUnicodeString (&KernelString, (const PUSHORT)L"ntoskrnl.exe");
|
|
RtlInitUnicodeString (&HalString, (const PUSHORT)L"hal.dll");
|
|
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
while (NextEntry != &PsLoadedModuleList) {
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
if (RtlEqualUnicodeString (&KernelString,
|
|
&DataTableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
KernelDataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
}
|
|
else if (RtlEqualUnicodeString (&HalString,
|
|
&DataTableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
HalDataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
}
|
|
|
|
//
|
|
// Initialize these properly so error recovery is simplified.
|
|
//
|
|
|
|
if (DataTableEntry->Flags & LDRP_DRIVER_DEPENDENT_DLL) {
|
|
if ((DataTableEntry == HalDataTableEntry) || (DataTableEntry == KernelDataTableEntry)) {
|
|
DataTableEntry->LoadCount = 1;
|
|
}
|
|
else {
|
|
DataTableEntry->LoadCount = 0;
|
|
}
|
|
}
|
|
else {
|
|
DataTableEntry->LoadCount = 1;
|
|
}
|
|
|
|
DataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT;
|
|
|
|
ImageCount += 1;
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
if (KernelDataTableEntry == NULL || HalDataTableEntry == NULL) {
|
|
return STATUS_NOT_FOUND;
|
|
}
|
|
|
|
ImageReferences = (PVOID *) ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION,
|
|
ImageCount * sizeof (PVOID),
|
|
'TDmM');
|
|
|
|
if (ImageReferences == NULL) {
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
UndoEverything = FALSE;
|
|
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
|
|
for ( ; NextEntry != &PsLoadedModuleList; NextEntry = NextEntry->Flink) {
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
|
|
DataTableEntry->DllBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_IAT,
|
|
&ImportSize);
|
|
|
|
if (ImportThunk == NULL) {
|
|
DataTableEntry->LoadedImports = NO_IMPORTS_USED;
|
|
continue;
|
|
}
|
|
|
|
RtlZeroMemory (ImageReferences, ImageCount * sizeof (PVOID));
|
|
|
|
ImportSize /= sizeof(PULONG_PTR);
|
|
|
|
BaseAddress = 0;
|
|
|
|
//
|
|
// Initializing these locals is not needed for correctness, but
|
|
// without it the compiler cannot compile this code W4 to check
|
|
// for use of uninitialized variables.
|
|
//
|
|
|
|
j = 0;
|
|
LastAddress = 0;
|
|
|
|
for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
|
|
|
|
//
|
|
// Check the hint first.
|
|
//
|
|
|
|
if (BaseAddress != 0) {
|
|
if (*ImportThunk >= BaseAddress && *ImportThunk < LastAddress) {
|
|
ASSERT (ImageReferences[j]);
|
|
continue;
|
|
}
|
|
}
|
|
|
|
j = 0;
|
|
NextEntry2 = PsLoadedModuleList.Flink;
|
|
|
|
while (NextEntry2 != &PsLoadedModuleList) {
|
|
|
|
DataTableEntry2 = CONTAINING_RECORD(NextEntry2,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
BaseAddress = (ULONG_PTR) DataTableEntry2->DllBase;
|
|
LastAddress = BaseAddress + DataTableEntry2->SizeOfImage;
|
|
|
|
if (*ImportThunk >= BaseAddress && *ImportThunk < LastAddress) {
|
|
ImageReferences[j] = DataTableEntry2;
|
|
break;
|
|
}
|
|
|
|
NextEntry2 = NextEntry2->Flink;
|
|
j += 1;
|
|
}
|
|
|
|
if (*ImportThunk < BaseAddress || *ImportThunk >= LastAddress) {
|
|
if (*ImportThunk) {
|
|
#if DBG
|
|
DbgPrint ("MM: broken import linkage %p %p %p\n",
|
|
DataTableEntry,
|
|
ImportThunk,
|
|
*ImportThunk);
|
|
DbgBreakPoint ();
|
|
#endif
|
|
UndoEverything = TRUE;
|
|
goto finished;
|
|
}
|
|
|
|
BaseAddress = 0;
|
|
}
|
|
}
|
|
|
|
ImportSize = 0;
|
|
|
|
//
|
|
// Initializing LastImageReference is not needed for correctness, but
|
|
// without it the compiler cannot compile this code W4 to check
|
|
// for use of uninitialized variables.
|
|
//
|
|
|
|
LastImageReference = NULL;
|
|
|
|
for (i = 0; i < ImageCount; i += 1) {
|
|
|
|
if ((ImageReferences[i] != NULL) &&
|
|
(ImageReferences[i] != KernelDataTableEntry) &&
|
|
(ImageReferences[i] != HalDataTableEntry)) {
|
|
|
|
LastImageReference = ImageReferences[i];
|
|
ImportSize += 1;
|
|
}
|
|
}
|
|
|
|
if (ImportSize == 0) {
|
|
DataTableEntry->LoadedImports = NO_IMPORTS_USED;
|
|
}
|
|
else if (ImportSize == 1) {
|
|
#if DBG_SYSLOAD
|
|
DbgPrint("driver %wZ imports %wZ\n",
|
|
&DataTableEntry->FullDllName,
|
|
&((PKLDR_DATA_TABLE_ENTRY)LastImageReference)->FullDllName);
|
|
#endif
|
|
|
|
DataTableEntry->LoadedImports = POINTER_TO_SINGLE_ENTRY (LastImageReference);
|
|
((PKLDR_DATA_TABLE_ENTRY)LastImageReference)->LoadCount += 1;
|
|
}
|
|
else {
|
|
#if DBG_SYSLOAD
|
|
DbgPrint("driver %wZ imports many\n", &DataTableEntry->FullDllName);
|
|
#endif
|
|
|
|
ImportListSize = ImportSize * sizeof(PVOID) + sizeof(SIZE_T);
|
|
|
|
ImportList = (PLOAD_IMPORTS) ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION,
|
|
ImportListSize,
|
|
'TDmM');
|
|
|
|
if (ImportList == NULL) {
|
|
UndoEverything = TRUE;
|
|
break;
|
|
}
|
|
|
|
ImportList->Count = ImportSize;
|
|
|
|
j = 0;
|
|
for (i = 0; i < ImageCount; i += 1) {
|
|
|
|
if ((ImageReferences[i] != NULL) &&
|
|
(ImageReferences[i] != KernelDataTableEntry) &&
|
|
(ImageReferences[i] != HalDataTableEntry)) {
|
|
|
|
#if DBG_SYSLOAD
|
|
DbgPrint("driver %wZ imports %wZ\n",
|
|
&DataTableEntry->FullDllName,
|
|
&((PKLDR_DATA_TABLE_ENTRY)ImageReferences[i])->FullDllName);
|
|
#endif
|
|
|
|
ImportList->Entry[j] = ImageReferences[i];
|
|
((PKLDR_DATA_TABLE_ENTRY)ImageReferences[i])->LoadCount += 1;
|
|
j += 1;
|
|
}
|
|
}
|
|
|
|
ASSERT (j == ImportSize);
|
|
|
|
DataTableEntry->LoadedImports = ImportList;
|
|
}
|
|
#if DBG_SYSLOAD
|
|
DbgPrint("\n");
|
|
#endif
|
|
}
|
|
|
|
finished:
|
|
|
|
ExFreePool ((PVOID)ImageReferences);
|
|
|
|
//
|
|
// The kernel and HAL are never unloaded.
|
|
//
|
|
|
|
if ((KernelDataTableEntry->LoadedImports != NO_IMPORTS_USED) &&
|
|
(!POINTER_TO_SINGLE_ENTRY(KernelDataTableEntry->LoadedImports))) {
|
|
ExFreePool ((PVOID)KernelDataTableEntry->LoadedImports);
|
|
}
|
|
|
|
if ((HalDataTableEntry->LoadedImports != NO_IMPORTS_USED) &&
|
|
(!POINTER_TO_SINGLE_ENTRY(HalDataTableEntry->LoadedImports))) {
|
|
ExFreePool ((PVOID)HalDataTableEntry->LoadedImports);
|
|
}
|
|
|
|
KernelDataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT;
|
|
HalDataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT;
|
|
|
|
if (UndoEverything == TRUE) {
|
|
|
|
#if DBG_SYSLOAD
|
|
DbgPrint("driver %wZ import rebuild failed\n",
|
|
&DataTableEntry->FullDllName);
|
|
DbgBreakPoint();
|
|
#endif
|
|
|
|
//
|
|
// An error occurred and this is an all or nothing operation so
|
|
// roll everything back.
|
|
//
|
|
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
while (NextEntry != &PsLoadedModuleList) {
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
ImportList = DataTableEntry->LoadedImports;
|
|
if (ImportList == LOADED_AT_BOOT || ImportList == NO_IMPORTS_USED ||
|
|
SINGLE_ENTRY(ImportList)) {
|
|
NOTHING;
|
|
}
|
|
else {
|
|
ExFreePool (ImportList);
|
|
}
|
|
|
|
DataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT;
|
|
DataTableEntry->LoadCount = 1;
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
LOGICAL
|
|
MiCallDllUnloadAndUnloadDll(
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
All the references from other drivers to this DLL have been cleared.
|
|
The only remaining issue is that this DLL must support being unloaded.
|
|
This means having no outstanding DPCs, allocated pool, etc.
|
|
|
|
If the DLL has an unload routine that returns SUCCESS, then we clean
|
|
it up and free up its memory now.
|
|
|
|
Note this routine is NEVER called for drivers - only for DLLs that were
|
|
loaded due to import references from various drivers.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - provided for the DLL.
|
|
|
|
Return Value:
|
|
|
|
TRUE if the DLL was successfully unloaded, FALSE if not.
|
|
|
|
--*/
|
|
|
|
{
|
|
PMM_DLL_UNLOAD Func;
|
|
NTSTATUS Status;
|
|
LOGICAL Unloaded;
|
|
|
|
PAGED_CODE();
|
|
|
|
Unloaded = FALSE;
|
|
|
|
Func = (PMM_DLL_UNLOAD) (ULONG_PTR) MiLocateExportName (DataTableEntry->DllBase, "DllUnload");
|
|
|
|
if (Func) {
|
|
|
|
//
|
|
// The unload function was found in the DLL so unload it now.
|
|
//
|
|
|
|
Status = Func();
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
//
|
|
// Set up the reference count so the import DLL looks like a regular
|
|
// driver image is being unloaded.
|
|
//
|
|
|
|
ASSERT (DataTableEntry->LoadCount == 0);
|
|
DataTableEntry->LoadCount = 1;
|
|
|
|
MmUnloadSystemImage ((PVOID)DataTableEntry);
|
|
Unloaded = TRUE;
|
|
}
|
|
}
|
|
|
|
return Unloaded;
|
|
}
|
|
|
|
|
|
PVOID
|
|
MiLocateExportName (
|
|
IN PVOID DllBase,
|
|
IN PCHAR FunctionName
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function is invoked to locate a function name in an export directory.
|
|
|
|
Arguments:
|
|
|
|
DllBase - Supplies the image base.
|
|
|
|
FunctionName - Supplies the the name to be located.
|
|
|
|
Return Value:
|
|
|
|
The address of the located function or NULL.
|
|
|
|
--*/
|
|
|
|
{
|
|
PVOID Func;
|
|
PULONG NameTableBase;
|
|
PUSHORT NameOrdinalTableBase;
|
|
PIMAGE_EXPORT_DIRECTORY ExportDirectory;
|
|
PULONG Addr;
|
|
ULONG ExportSize;
|
|
ULONG Low;
|
|
ULONG Middle;
|
|
ULONG High;
|
|
LONG Result;
|
|
USHORT OrdinalNumber;
|
|
|
|
PAGED_CODE();
|
|
|
|
Func = NULL;
|
|
|
|
//
|
|
// Locate the DLL's export directory.
|
|
//
|
|
|
|
ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData(
|
|
DllBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_EXPORT,
|
|
&ExportSize
|
|
);
|
|
if (ExportDirectory) {
|
|
|
|
NameTableBase = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNames);
|
|
NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
|
|
|
|
//
|
|
// Look in the export name table for the specified function name.
|
|
//
|
|
|
|
Low = 0;
|
|
High = ExportDirectory->NumberOfNames - 1;
|
|
|
|
//
|
|
// Initializing Middle is not needed for correctness, but without it
|
|
// the compiler cannot compile this code W4 to check for use of
|
|
// uninitialized variables.
|
|
//
|
|
|
|
Middle = 0;
|
|
|
|
while (High >= Low && (LONG)High >= 0) {
|
|
|
|
//
|
|
// Compute the next probe index and compare the export name entry
|
|
// with the specified function name.
|
|
//
|
|
|
|
Middle = (Low + High) >> 1;
|
|
Result = strcmp(FunctionName,
|
|
(PCHAR)((PCHAR)DllBase + NameTableBase[Middle]));
|
|
|
|
if (Result < 0) {
|
|
High = Middle - 1;
|
|
}
|
|
else if (Result > 0) {
|
|
Low = Middle + 1;
|
|
}
|
|
else {
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// If the high index is less than the low index, then a matching table
|
|
// entry was not found. Otherwise, get the ordinal number from the
|
|
// ordinal table and location the function address.
|
|
//
|
|
|
|
if ((LONG)High >= (LONG)Low) {
|
|
|
|
OrdinalNumber = NameOrdinalTableBase[Middle];
|
|
Addr = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
|
|
Func = (PVOID)((ULONG_PTR)DllBase + Addr[OrdinalNumber]);
|
|
|
|
//
|
|
// If the function address is w/in range of the export directory,
|
|
// then the function is forwarded, which is not allowed, so ignore
|
|
// it.
|
|
//
|
|
|
|
if ((ULONG_PTR)Func > (ULONG_PTR)ExportDirectory &&
|
|
(ULONG_PTR)Func < ((ULONG_PTR)ExportDirectory + ExportSize)) {
|
|
Func = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
return Func;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
MiDereferenceImports (
|
|
IN PLOAD_IMPORTS ImportList
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Decrement the reference count on each DLL specified in the image import
|
|
list. If any DLL's reference count reaches zero, then free the DLL.
|
|
|
|
No locks may be held on entry as MmUnloadSystemImage may be called.
|
|
|
|
The parameter list is freed here as well.
|
|
|
|
Arguments:
|
|
|
|
ImportList - Supplies the list of DLLs to dereference.
|
|
|
|
Return Value:
|
|
|
|
Status of the dereference operation.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG i;
|
|
LOGICAL Unloaded;
|
|
PVOID SavedImports;
|
|
LOAD_IMPORTS SingleTableEntry;
|
|
PKLDR_DATA_TABLE_ENTRY ImportTableEntry;
|
|
|
|
PAGED_CODE();
|
|
|
|
if (ImportList == LOADED_AT_BOOT || ImportList == NO_IMPORTS_USED) {
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
if (SINGLE_ENTRY(ImportList)) {
|
|
SingleTableEntry.Count = 1;
|
|
SingleTableEntry.Entry[0] = SINGLE_ENTRY_TO_POINTER(ImportList);
|
|
ImportList = &SingleTableEntry;
|
|
}
|
|
|
|
for (i = 0; i < ImportList->Count && ImportList->Entry[i]; i += 1) {
|
|
ImportTableEntry = ImportList->Entry[i];
|
|
|
|
if (ImportTableEntry->LoadedImports == (PVOID)LOADED_AT_BOOT) {
|
|
|
|
//
|
|
// Skip this one - it was loaded by ntldr.
|
|
//
|
|
|
|
continue;
|
|
}
|
|
|
|
#if DBG
|
|
{
|
|
ULONG ImageCount;
|
|
PLIST_ENTRY NextEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
|
|
//
|
|
// Assert that the first 2 entries are never dereferenced as
|
|
// unloading the kernel or HAL would be fatal.
|
|
//
|
|
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
|
|
ImageCount = 0;
|
|
while (NextEntry != &PsLoadedModuleList && ImageCount < 2) {
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
ASSERT (ImportTableEntry != DataTableEntry);
|
|
ASSERT (DataTableEntry->LoadCount == 1);
|
|
NextEntry = NextEntry->Flink;
|
|
ImageCount += 1;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
ASSERT (ImportTableEntry->LoadCount >= 1);
|
|
|
|
ImportTableEntry->LoadCount -= 1;
|
|
|
|
if (ImportTableEntry->LoadCount == 0) {
|
|
|
|
//
|
|
// Unload this dependent DLL - we only do this to non-referenced
|
|
// non-boot-loaded drivers. Stop the import list recursion prior
|
|
// to unloading - we know we're done at this point.
|
|
//
|
|
// Note we can continue on afterwards without restarting
|
|
// regardless of which locks get released and reacquired
|
|
// because this chain is private.
|
|
//
|
|
|
|
SavedImports = ImportTableEntry->LoadedImports;
|
|
|
|
ImportTableEntry->LoadedImports = (PVOID)NO_IMPORTS_USED;
|
|
|
|
Unloaded = MiCallDllUnloadAndUnloadDll ((PVOID)ImportTableEntry);
|
|
|
|
if (Unloaded == TRUE) {
|
|
|
|
//
|
|
// This DLL was unloaded so recurse through its imports and
|
|
// attempt to unload all of those too.
|
|
//
|
|
|
|
MiDereferenceImports ((PLOAD_IMPORTS)SavedImports);
|
|
|
|
if ((SavedImports != (PVOID)LOADED_AT_BOOT) &&
|
|
(SavedImports != (PVOID)NO_IMPORTS_USED) &&
|
|
(!SINGLE_ENTRY(SavedImports))) {
|
|
|
|
ExFreePool (SavedImports);
|
|
}
|
|
}
|
|
else {
|
|
ImportTableEntry->LoadedImports = SavedImports;
|
|
}
|
|
}
|
|
}
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
MiResolveImageReferences (
|
|
PVOID ImageBase,
|
|
IN PUNICODE_STRING ImageFileDirectory,
|
|
IN PUNICODE_STRING NamePrefix OPTIONAL,
|
|
OUT PCHAR *MissingProcedureName,
|
|
OUT PWSTR *MissingDriverName,
|
|
OUT PLOAD_IMPORTS *LoadedImports
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine resolves the references from the newly loaded driver
|
|
to the kernel, HAL and other drivers.
|
|
|
|
Arguments:
|
|
|
|
ImageBase - Supplies the address of which the image header resides.
|
|
|
|
ImageFileDirectory - Supplies the directory to load referenced DLLs.
|
|
|
|
Return Value:
|
|
|
|
Status of the image reference resolution.
|
|
|
|
--*/
|
|
|
|
{
|
|
PCHAR MissingProcedureStorageArea;
|
|
PVOID ImportBase;
|
|
ULONG ImportSize;
|
|
ULONG ImportListSize;
|
|
ULONG Count;
|
|
ULONG i;
|
|
PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor;
|
|
PIMAGE_IMPORT_DESCRIPTOR Imp;
|
|
NTSTATUS st;
|
|
ULONG ExportSize;
|
|
PIMAGE_EXPORT_DIRECTORY ExportDirectory;
|
|
PIMAGE_THUNK_DATA NameThunk;
|
|
PIMAGE_THUNK_DATA AddrThunk;
|
|
PSZ ImportName;
|
|
PLIST_ENTRY NextEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PKLDR_DATA_TABLE_ENTRY SingleEntry;
|
|
ANSI_STRING AnsiString;
|
|
UNICODE_STRING ImportName_U;
|
|
UNICODE_STRING ImportDescriptorName_U;
|
|
UNICODE_STRING DllToLoad;
|
|
UNICODE_STRING DllToLoad2;
|
|
PVOID Section;
|
|
PVOID BaseAddress;
|
|
LOGICAL PrefixedNameAllocated;
|
|
LOGICAL ReferenceImport;
|
|
ULONG LinkWin32k = 0;
|
|
ULONG LinkNonWin32k = 0;
|
|
PLOAD_IMPORTS ImportList;
|
|
PLOAD_IMPORTS CompactedImportList;
|
|
LOGICAL Loaded;
|
|
UNICODE_STRING DriverDirectory;
|
|
|
|
PAGED_CODE();
|
|
|
|
*LoadedImports = NO_IMPORTS_USED;
|
|
|
|
MissingProcedureStorageArea = *MissingProcedureName;
|
|
|
|
ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData(
|
|
ImageBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_IMPORT,
|
|
&ImportSize);
|
|
|
|
if (ImportDescriptor == NULL) {
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
// Count the number of imports so we can allocate enough room to
|
|
// store them all chained off this module's LDR_DATA_TABLE_ENTRY.
|
|
//
|
|
|
|
Count = 0;
|
|
for (Imp = ImportDescriptor; Imp->Name && Imp->OriginalFirstThunk; Imp += 1) {
|
|
Count += 1;
|
|
}
|
|
|
|
if (Count != 0) {
|
|
ImportListSize = Count * sizeof(PVOID) + sizeof(SIZE_T);
|
|
|
|
ImportList = (PLOAD_IMPORTS) ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION,
|
|
ImportListSize,
|
|
'TDmM');
|
|
|
|
//
|
|
// Zero it so we can recover gracefully if we fail in the middle.
|
|
// If the allocation failed, just don't build the import list.
|
|
//
|
|
|
|
if (ImportList != NULL) {
|
|
RtlZeroMemory (ImportList, ImportListSize);
|
|
ImportList->Count = Count;
|
|
}
|
|
}
|
|
else {
|
|
ImportList = NULL;
|
|
}
|
|
|
|
Count = 0;
|
|
while (ImportDescriptor->Name && ImportDescriptor->OriginalFirstThunk) {
|
|
|
|
ImportName = (PSZ)((PCHAR)ImageBase + ImportDescriptor->Name);
|
|
|
|
//
|
|
// A driver can link with win32k.sys if and only if it is a GDI
|
|
// driver.
|
|
// Also display drivers can only link to win32k.sys (and lego ...).
|
|
//
|
|
// So if we get a driver that links to win32k.sys and has more
|
|
// than one set of imports, we will fail to load it.
|
|
//
|
|
|
|
LinkWin32k = LinkWin32k |
|
|
(!_strnicmp(ImportName, "win32k", sizeof("win32k") - 1));
|
|
|
|
//
|
|
// We don't want to count coverage, win32k and irt (lego) since
|
|
// display drivers CAN link against these.
|
|
//
|
|
|
|
LinkNonWin32k = LinkNonWin32k |
|
|
((_strnicmp(ImportName, "win32k", sizeof("win32k") - 1)) &&
|
|
(_strnicmp(ImportName, "dxapi", sizeof("dxapi") - 1)) &&
|
|
(_strnicmp(ImportName, "coverage", sizeof("coverage") - 1)) &&
|
|
(_strnicmp(ImportName, "irt", sizeof("irt") - 1)));
|
|
|
|
|
|
if (LinkNonWin32k && LinkWin32k) {
|
|
MiDereferenceImports (ImportList);
|
|
if (ImportList) {
|
|
ExFreePool (ImportList);
|
|
}
|
|
return (STATUS_PROCEDURE_NOT_FOUND);
|
|
}
|
|
|
|
if ((!_strnicmp(ImportName, "ntdll", sizeof("ntdll") - 1)) ||
|
|
(!_strnicmp(ImportName, "winsrv", sizeof("winsrv") - 1)) ||
|
|
(!_strnicmp(ImportName, "advapi32", sizeof("advapi32") - 1)) ||
|
|
(!_strnicmp(ImportName, "kernel32", sizeof("kernel32") - 1)) ||
|
|
(!_strnicmp(ImportName, "user32", sizeof("user32") - 1)) ||
|
|
(!_strnicmp(ImportName, "gdi32", sizeof("gdi32") - 1)) ) {
|
|
|
|
MiDereferenceImports (ImportList);
|
|
|
|
if (ImportList) {
|
|
ExFreePool (ImportList);
|
|
}
|
|
return (STATUS_PROCEDURE_NOT_FOUND);
|
|
}
|
|
|
|
if ((!_strnicmp(ImportName, "ntoskrnl", sizeof("ntoskrnl") - 1)) ||
|
|
(!_strnicmp(ImportName, "win32k", sizeof("win32k") - 1)) ||
|
|
(!_strnicmp(ImportName, "hal", sizeof("hal") - 1))) {
|
|
|
|
//
|
|
// These imports don't get refcounted because we don't
|
|
// ever want to unload them.
|
|
//
|
|
|
|
ReferenceImport = FALSE;
|
|
}
|
|
else {
|
|
ReferenceImport = TRUE;
|
|
}
|
|
|
|
RtlInitAnsiString (&AnsiString, ImportName);
|
|
st = RtlAnsiStringToUnicodeString (&ImportName_U, &AnsiString, TRUE);
|
|
|
|
if (!NT_SUCCESS(st)) {
|
|
MiDereferenceImports (ImportList);
|
|
if (ImportList != NULL) {
|
|
ExFreePool (ImportList);
|
|
}
|
|
return st;
|
|
}
|
|
|
|
if (NamePrefix &&
|
|
(_strnicmp(ImportName, "ntoskrnl", sizeof("ntoskrnl") - 1) &&
|
|
_strnicmp(ImportName, "hal", sizeof("hal") - 1))) {
|
|
|
|
ImportDescriptorName_U.MaximumLength = (USHORT)(ImportName_U.Length + NamePrefix->Length);
|
|
ImportDescriptorName_U.Buffer = ExAllocatePoolWithTag (NonPagedPool,
|
|
ImportDescriptorName_U.MaximumLength,
|
|
'TDmM');
|
|
if (!ImportDescriptorName_U.Buffer) {
|
|
RtlFreeUnicodeString (&ImportName_U);
|
|
MiDereferenceImports (ImportList);
|
|
if (ImportList != NULL) {
|
|
ExFreePool (ImportList);
|
|
}
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
ImportDescriptorName_U.Length = 0;
|
|
RtlAppendUnicodeStringToString(&ImportDescriptorName_U, NamePrefix);
|
|
RtlAppendUnicodeStringToString(&ImportDescriptorName_U, &ImportName_U);
|
|
PrefixedNameAllocated = TRUE;
|
|
}
|
|
else {
|
|
ImportDescriptorName_U = ImportName_U;
|
|
PrefixedNameAllocated = FALSE;
|
|
}
|
|
|
|
Loaded = FALSE;
|
|
|
|
ReCheck:
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
ImportBase = NULL;
|
|
|
|
//
|
|
// Initializing DataTableEntry is not needed for correctness
|
|
// but without it the compiler cannot compile this code
|
|
// W4 to check for use of uninitialized variables.
|
|
//
|
|
|
|
DataTableEntry = NULL;
|
|
|
|
while (NextEntry != &PsLoadedModuleList) {
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
if (RtlEqualUnicodeString (&ImportDescriptorName_U,
|
|
&DataTableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
ImportBase = DataTableEntry->DllBase;
|
|
|
|
//
|
|
// Only bump the LoadCount if this thread did not initiate
|
|
// the load below. If this thread initiated the load, then
|
|
// the LoadCount has already been bumped as part of the
|
|
// load - we only want to increment it here if we are
|
|
// "attaching" to a previously loaded DLL.
|
|
//
|
|
|
|
if ((Loaded == FALSE) && (ReferenceImport == TRUE)) {
|
|
|
|
//
|
|
// Only increment the load count on the import if it is not
|
|
// circular (ie: the import is not from the original
|
|
// caller).
|
|
//
|
|
|
|
if ((DataTableEntry->Flags & LDRP_LOAD_IN_PROGRESS) == 0) {
|
|
DataTableEntry->LoadCount += 1;
|
|
}
|
|
}
|
|
|
|
break;
|
|
}
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
if (ImportBase == NULL) {
|
|
|
|
//
|
|
// The DLL name was not located, attempt to load this dll.
|
|
//
|
|
|
|
DllToLoad.MaximumLength = (USHORT)(ImportName_U.Length +
|
|
ImageFileDirectory->Length +
|
|
sizeof(WCHAR));
|
|
|
|
DllToLoad.Buffer = ExAllocatePoolWithTag (NonPagedPool,
|
|
DllToLoad.MaximumLength,
|
|
'TDmM');
|
|
|
|
if (DllToLoad.Buffer) {
|
|
DllToLoad.Length = ImageFileDirectory->Length;
|
|
RtlCopyMemory (DllToLoad.Buffer,
|
|
ImageFileDirectory->Buffer,
|
|
ImageFileDirectory->Length);
|
|
|
|
RtlAppendStringToString ((PSTRING)&DllToLoad,
|
|
(PSTRING)&ImportName_U);
|
|
|
|
//
|
|
// Add NULL termination in case the load fails so the name
|
|
// can be returned as the PWSTR MissingDriverName.
|
|
//
|
|
|
|
DllToLoad.Buffer[(DllToLoad.MaximumLength - 1) / sizeof (WCHAR)] =
|
|
UNICODE_NULL;
|
|
|
|
st = MmLoadSystemImage (&DllToLoad,
|
|
NamePrefix,
|
|
NULL,
|
|
FALSE,
|
|
&Section,
|
|
&BaseAddress);
|
|
|
|
if (NT_SUCCESS(st)) {
|
|
|
|
//
|
|
// No need to keep the temporary name buffer around now
|
|
// that there is a loaded module list entry for this DLL.
|
|
//
|
|
|
|
ExFreePool (DllToLoad.Buffer);
|
|
}
|
|
else {
|
|
|
|
if ((st == STATUS_OBJECT_NAME_NOT_FOUND) &&
|
|
(NamePrefix == NULL) &&
|
|
(MI_IS_SESSION_ADDRESS (ImageBase))) {
|
|
|
|
#define DRIVERS_SUBDIR_NAME L"drivers\\"
|
|
|
|
DriverDirectory.Buffer = (const PUSHORT) DRIVERS_SUBDIR_NAME;
|
|
DriverDirectory.Length = sizeof (DRIVERS_SUBDIR_NAME) - sizeof (WCHAR);
|
|
DriverDirectory.MaximumLength = sizeof DRIVERS_SUBDIR_NAME;
|
|
|
|
//
|
|
// The DLL file was not located, attempt to load it
|
|
// from the drivers subdirectory. This makes it
|
|
// possible for drivers like win32k.sys to link to
|
|
// drivers that reside in the drivers subdirectory
|
|
// (like dxapi.sys).
|
|
//
|
|
|
|
DllToLoad2.MaximumLength = (USHORT)(ImportName_U.Length +
|
|
DriverDirectory.Length +
|
|
ImageFileDirectory->Length +
|
|
sizeof(WCHAR));
|
|
|
|
DllToLoad2.Buffer = ExAllocatePoolWithTag (NonPagedPool,
|
|
DllToLoad2.MaximumLength,
|
|
'TDmM');
|
|
|
|
if (DllToLoad2.Buffer) {
|
|
DllToLoad2.Length = ImageFileDirectory->Length;
|
|
RtlCopyMemory (DllToLoad2.Buffer,
|
|
ImageFileDirectory->Buffer,
|
|
ImageFileDirectory->Length);
|
|
|
|
RtlAppendStringToString ((PSTRING)&DllToLoad2,
|
|
(PSTRING)&DriverDirectory);
|
|
|
|
RtlAppendStringToString ((PSTRING)&DllToLoad2,
|
|
(PSTRING)&ImportName_U);
|
|
|
|
//
|
|
// Add NULL termination in case the load fails
|
|
// so the name can be returned as the PWSTR
|
|
// MissingDriverName.
|
|
//
|
|
|
|
DllToLoad2.Buffer[(DllToLoad2.MaximumLength - 1) / sizeof (WCHAR)] =
|
|
UNICODE_NULL;
|
|
|
|
st = MmLoadSystemImage (&DllToLoad2,
|
|
NULL,
|
|
NULL,
|
|
FALSE,
|
|
&Section,
|
|
&BaseAddress);
|
|
|
|
ExFreePool (DllToLoad.Buffer);
|
|
|
|
DllToLoad.Buffer = DllToLoad2.Buffer;
|
|
DllToLoad.Length = DllToLoad2.Length;
|
|
DllToLoad.MaximumLength = DllToLoad2.MaximumLength;
|
|
|
|
if (NT_SUCCESS(st)) {
|
|
ExFreePool (DllToLoad.Buffer);
|
|
goto LoadFinished;
|
|
}
|
|
}
|
|
else {
|
|
Section = NULL;
|
|
BaseAddress = NULL;
|
|
st = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto LoadFinished;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Return the temporary name buffer to our caller so
|
|
// the name of the DLL that failed to load can be displayed.
|
|
// Set the low bit of the pointer so our caller knows to
|
|
// free this buffer when he's done displaying it (as opposed
|
|
// to loaded module list entries which should not be freed).
|
|
//
|
|
|
|
*MissingDriverName = DllToLoad.Buffer;
|
|
*(PULONG)MissingDriverName |= 0x1;
|
|
|
|
//
|
|
// Set this to NULL so the hard error prints properly.
|
|
//
|
|
|
|
*MissingProcedureName = NULL;
|
|
}
|
|
}
|
|
else {
|
|
|
|
//
|
|
// Initializing Section and BaseAddress is not needed for
|
|
// correctness but without it the compiler cannot compile
|
|
// this code W4 to check for use of uninitialized variables.
|
|
//
|
|
|
|
Section = NULL;
|
|
BaseAddress = NULL;
|
|
st = STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
LoadFinished:
|
|
|
|
//
|
|
// Call any needed DLL initialization now.
|
|
//
|
|
|
|
if (NT_SUCCESS(st)) {
|
|
#if DBG
|
|
PLIST_ENTRY Entry;
|
|
#endif
|
|
PKLDR_DATA_TABLE_ENTRY TableEntry;
|
|
|
|
Loaded = TRUE;
|
|
|
|
TableEntry = (PKLDR_DATA_TABLE_ENTRY) Section;
|
|
ASSERT (BaseAddress == TableEntry->DllBase);
|
|
|
|
#if DBG
|
|
//
|
|
// Lookup the dll's table entry in the loaded module list.
|
|
// This is expected to always succeed.
|
|
//
|
|
|
|
Entry = PsLoadedModuleList.Blink;
|
|
while (Entry != &PsLoadedModuleList) {
|
|
TableEntry = CONTAINING_RECORD (Entry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
if (BaseAddress == TableEntry->DllBase) {
|
|
ASSERT (TableEntry == (PKLDR_DATA_TABLE_ENTRY) Section);
|
|
break;
|
|
}
|
|
ASSERT (TableEntry != (PKLDR_DATA_TABLE_ENTRY) Section);
|
|
Entry = Entry->Blink;
|
|
}
|
|
|
|
ASSERT (Entry != &PsLoadedModuleList);
|
|
#endif
|
|
|
|
//
|
|
// Call the dll's initialization routine if it has
|
|
// one. This routine will reapply verifier thunks to
|
|
// any modules that link to this one if necessary.
|
|
//
|
|
|
|
st = MmCallDllInitialize (TableEntry, &PsLoadedModuleList);
|
|
|
|
//
|
|
// If the module could not be properly initialized,
|
|
// unload it.
|
|
//
|
|
|
|
if (!NT_SUCCESS(st)) {
|
|
MmUnloadSystemImage ((PVOID)TableEntry);
|
|
Loaded = FALSE;
|
|
}
|
|
}
|
|
|
|
if (!NT_SUCCESS(st)) {
|
|
|
|
RtlFreeUnicodeString (&ImportName_U);
|
|
if (PrefixedNameAllocated == TRUE) {
|
|
ExFreePool (ImportDescriptorName_U.Buffer);
|
|
}
|
|
MiDereferenceImports (ImportList);
|
|
if (ImportList != NULL) {
|
|
ExFreePool (ImportList);
|
|
}
|
|
return st;
|
|
}
|
|
|
|
goto ReCheck;
|
|
}
|
|
|
|
if ((ReferenceImport == TRUE) && (ImportList)) {
|
|
|
|
//
|
|
// Only add the image providing satisfying our imports to the
|
|
// import list if the reference is not circular (ie: the import
|
|
// is not from the original caller).
|
|
//
|
|
|
|
if ((DataTableEntry->Flags & LDRP_LOAD_IN_PROGRESS) == 0) {
|
|
ImportList->Entry[Count] = DataTableEntry;
|
|
Count += 1;
|
|
}
|
|
}
|
|
|
|
RtlFreeUnicodeString (&ImportName_U);
|
|
if (PrefixedNameAllocated) {
|
|
ExFreePool (ImportDescriptorName_U.Buffer);
|
|
}
|
|
|
|
*MissingDriverName = DataTableEntry->BaseDllName.Buffer;
|
|
|
|
ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData(
|
|
ImportBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_EXPORT,
|
|
&ExportSize
|
|
);
|
|
|
|
if (!ExportDirectory) {
|
|
MiDereferenceImports (ImportList);
|
|
if (ImportList) {
|
|
ExFreePool (ImportList);
|
|
}
|
|
return STATUS_DRIVER_ENTRYPOINT_NOT_FOUND;
|
|
}
|
|
|
|
//
|
|
// Walk through the IAT and snap all the thunks.
|
|
//
|
|
|
|
if (ImportDescriptor->OriginalFirstThunk) {
|
|
|
|
NameThunk = (PIMAGE_THUNK_DATA)((PCHAR)ImageBase + (ULONG)ImportDescriptor->OriginalFirstThunk);
|
|
AddrThunk = (PIMAGE_THUNK_DATA)((PCHAR)ImageBase + (ULONG)ImportDescriptor->FirstThunk);
|
|
|
|
while (NameThunk->u1.AddressOfData) {
|
|
|
|
st = MiSnapThunk (ImportBase,
|
|
ImageBase,
|
|
NameThunk++,
|
|
AddrThunk++,
|
|
ExportDirectory,
|
|
ExportSize,
|
|
FALSE,
|
|
MissingProcedureName);
|
|
|
|
if (!NT_SUCCESS(st) ) {
|
|
MiDereferenceImports (ImportList);
|
|
if (ImportList) {
|
|
ExFreePool (ImportList);
|
|
}
|
|
return st;
|
|
}
|
|
*MissingProcedureName = MissingProcedureStorageArea;
|
|
}
|
|
}
|
|
|
|
ImportDescriptor += 1;
|
|
}
|
|
|
|
//
|
|
// All the imports are successfully loaded so establish and compact
|
|
// the import unload list.
|
|
//
|
|
|
|
if (ImportList) {
|
|
|
|
//
|
|
// Blank entries occur for things like the kernel, HAL & win32k.sys
|
|
// that we never want to unload. Especially for things like
|
|
// win32k.sys where the reference count can really hit 0.
|
|
//
|
|
|
|
//
|
|
// Initializing SingleEntry is not needed for correctness
|
|
// but without it the compiler cannot compile this code
|
|
// W4 to check for use of uninitialized variables.
|
|
//
|
|
|
|
SingleEntry = NULL;
|
|
|
|
Count = 0;
|
|
for (i = 0; i < ImportList->Count; i += 1) {
|
|
if (ImportList->Entry[i]) {
|
|
SingleEntry = POINTER_TO_SINGLE_ENTRY(ImportList->Entry[i]);
|
|
Count += 1;
|
|
}
|
|
}
|
|
|
|
if (Count == 0) {
|
|
|
|
ExFreePool(ImportList);
|
|
ImportList = NO_IMPORTS_USED;
|
|
}
|
|
else if (Count == 1) {
|
|
ExFreePool(ImportList);
|
|
ImportList = (PLOAD_IMPORTS)SingleEntry;
|
|
}
|
|
else if (Count != ImportList->Count) {
|
|
|
|
ImportListSize = Count * sizeof(PVOID) + sizeof(SIZE_T);
|
|
|
|
CompactedImportList = (PLOAD_IMPORTS)
|
|
ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION,
|
|
ImportListSize,
|
|
'TDmM');
|
|
if (CompactedImportList) {
|
|
CompactedImportList->Count = Count;
|
|
|
|
Count = 0;
|
|
for (i = 0; i < ImportList->Count; i += 1) {
|
|
if (ImportList->Entry[i]) {
|
|
CompactedImportList->Entry[Count] = ImportList->Entry[i];
|
|
Count += 1;
|
|
}
|
|
}
|
|
|
|
ExFreePool(ImportList);
|
|
ImportList = CompactedImportList;
|
|
}
|
|
}
|
|
|
|
*LoadedImports = ImportList;
|
|
}
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
MiSnapThunk(
|
|
IN PVOID DllBase,
|
|
IN PVOID ImageBase,
|
|
IN PIMAGE_THUNK_DATA NameThunk,
|
|
OUT PIMAGE_THUNK_DATA AddrThunk,
|
|
IN PIMAGE_EXPORT_DIRECTORY ExportDirectory,
|
|
IN ULONG ExportSize,
|
|
IN LOGICAL SnapForwarder,
|
|
OUT PCHAR *MissingProcedureName
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function snaps a thunk using the specified Export Section data.
|
|
If the section data does not support the thunk, then the thunk is
|
|
partially snapped (Dll field is still non-null, but snap address is
|
|
set).
|
|
|
|
Arguments:
|
|
|
|
DllBase - Base of DLL being snapped to.
|
|
|
|
ImageBase - Base of image that contains the thunks to snap.
|
|
|
|
Thunk - On input, supplies the thunk to snap. When successfully
|
|
snapped, the function field is set to point to the address in
|
|
the DLL, and the DLL field is set to NULL.
|
|
|
|
ExportDirectory - Supplies the Export Section data from a DLL.
|
|
|
|
SnapForwarder - Supplies TRUE if the snap is for a forwarder, and therefore
|
|
Address of Data is already setup.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS or STATUS_DRIVER_ENTRYPOINT_NOT_FOUND or
|
|
STATUS_DRIVER_ORDINAL_NOT_FOUND
|
|
|
|
--*/
|
|
|
|
{
|
|
BOOLEAN Ordinal;
|
|
USHORT OrdinalNumber;
|
|
PULONG NameTableBase;
|
|
PUSHORT NameOrdinalTableBase;
|
|
PULONG Addr;
|
|
USHORT HintIndex;
|
|
ULONG High;
|
|
ULONG Low;
|
|
ULONG Middle;
|
|
LONG Result;
|
|
NTSTATUS Status;
|
|
PCHAR MissingProcedureName2;
|
|
CHAR NameBuffer[ MAXIMUM_FILENAME_LENGTH ];
|
|
|
|
PAGED_CODE();
|
|
|
|
//
|
|
// Determine if snap is by name, or by ordinal
|
|
//
|
|
|
|
Ordinal = (BOOLEAN)IMAGE_SNAP_BY_ORDINAL(NameThunk->u1.Ordinal);
|
|
|
|
if (Ordinal && !SnapForwarder) {
|
|
|
|
OrdinalNumber = (USHORT)(IMAGE_ORDINAL(NameThunk->u1.Ordinal) -
|
|
ExportDirectory->Base);
|
|
|
|
*MissingProcedureName = (PCHAR)(ULONG_PTR)OrdinalNumber;
|
|
|
|
}
|
|
else {
|
|
|
|
//
|
|
// Change AddressOfData from an RVA to a VA.
|
|
//
|
|
|
|
if (!SnapForwarder) {
|
|
NameThunk->u1.AddressOfData = (ULONG_PTR)ImageBase + NameThunk->u1.AddressOfData;
|
|
}
|
|
|
|
strncpy (*MissingProcedureName,
|
|
(const PCHAR)&((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Name[0],
|
|
MAXIMUM_FILENAME_LENGTH - 1);
|
|
|
|
//
|
|
// Lookup Name in NameTable
|
|
//
|
|
|
|
NameTableBase = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNames);
|
|
NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
|
|
|
|
//
|
|
// Before dropping into binary search, see if
|
|
// the hint index results in a successful
|
|
// match. If the hint index is zero, then
|
|
// drop into binary search.
|
|
//
|
|
|
|
HintIndex = ((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Hint;
|
|
if ((ULONG)HintIndex < ExportDirectory->NumberOfNames &&
|
|
!strcmp((PSZ)((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Name,
|
|
(PSZ)((PCHAR)DllBase + NameTableBase[HintIndex]))) {
|
|
OrdinalNumber = NameOrdinalTableBase[HintIndex];
|
|
|
|
}
|
|
else {
|
|
|
|
//
|
|
// Lookup the import name in the name table using a binary search.
|
|
//
|
|
|
|
Low = 0;
|
|
High = ExportDirectory->NumberOfNames - 1;
|
|
|
|
//
|
|
// Initializing Middle is not needed for correctness, but without it
|
|
// the compiler cannot compile this code W4 to check for use of
|
|
// uninitialized variables.
|
|
//
|
|
|
|
Middle = 0;
|
|
|
|
while (High >= Low) {
|
|
|
|
//
|
|
// Compute the next probe index and compare the import name
|
|
// with the export name entry.
|
|
//
|
|
|
|
Middle = (Low + High) >> 1;
|
|
Result = strcmp((const PCHAR)&((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Name[0],
|
|
(PCHAR)((PCHAR)DllBase + NameTableBase[Middle]));
|
|
|
|
if (Result < 0) {
|
|
High = Middle - 1;
|
|
|
|
} else if (Result > 0) {
|
|
Low = Middle + 1;
|
|
|
|
}
|
|
else {
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// If the high index is less than the low index, then a matching
|
|
// table entry was not found. Otherwise, get the ordinal number
|
|
// from the ordinal table.
|
|
//
|
|
|
|
if ((LONG)High < (LONG)Low) {
|
|
return STATUS_DRIVER_ENTRYPOINT_NOT_FOUND;
|
|
}
|
|
else {
|
|
OrdinalNumber = NameOrdinalTableBase[Middle];
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// If OrdinalNumber is not within the Export Address Table,
|
|
// then DLL does not implement function. Snap to LDRP_BAD_DLL.
|
|
//
|
|
|
|
if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions) {
|
|
Status = STATUS_DRIVER_ORDINAL_NOT_FOUND;
|
|
|
|
}
|
|
else {
|
|
|
|
MissingProcedureName2 = NameBuffer;
|
|
|
|
Addr = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
|
|
*(PULONG_PTR)&AddrThunk->u1.Function = (ULONG_PTR)DllBase + Addr[OrdinalNumber];
|
|
|
|
// AddrThunk s/b used from here on.
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
if (((ULONG_PTR)AddrThunk->u1.Function > (ULONG_PTR)ExportDirectory) &&
|
|
((ULONG_PTR)AddrThunk->u1.Function < ((ULONG_PTR)ExportDirectory + ExportSize)) ) {
|
|
|
|
UNICODE_STRING UnicodeString;
|
|
ANSI_STRING ForwardDllName;
|
|
|
|
PLIST_ENTRY NextEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
ULONG LocalExportSize;
|
|
PIMAGE_EXPORT_DIRECTORY LocalExportDirectory;
|
|
|
|
Status = STATUS_DRIVER_ENTRYPOINT_NOT_FOUND;
|
|
|
|
//
|
|
// Include the dot in the length so we can do prefix later on.
|
|
//
|
|
|
|
ForwardDllName.Buffer = (PCHAR)AddrThunk->u1.Function;
|
|
ForwardDllName.Length = (USHORT)(strchr(ForwardDllName.Buffer, '.') -
|
|
ForwardDllName.Buffer + 1);
|
|
ForwardDllName.MaximumLength = ForwardDllName.Length;
|
|
|
|
if (NT_SUCCESS(RtlAnsiStringToUnicodeString(&UnicodeString,
|
|
&ForwardDllName,
|
|
TRUE))) {
|
|
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
|
|
while (NextEntry != &PsLoadedModuleList) {
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
//
|
|
// We have to do a case INSENSITIVE comparison for
|
|
// forwarder because the linker just took what is in the
|
|
// def file, as opposed to looking in the exporting
|
|
// image for the name.
|
|
// we also use the prefix function to ignore the .exe or
|
|
// .sys or .dll at the end.
|
|
//
|
|
|
|
if (RtlPrefixString((PSTRING)&UnicodeString,
|
|
(PSTRING)&DataTableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
LocalExportDirectory = (PIMAGE_EXPORT_DIRECTORY)
|
|
RtlImageDirectoryEntryToData(DataTableEntry->DllBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_EXPORT,
|
|
&LocalExportSize);
|
|
|
|
if (LocalExportDirectory != NULL) {
|
|
|
|
IMAGE_THUNK_DATA thunkData;
|
|
PIMAGE_IMPORT_BY_NAME addressOfData;
|
|
SIZE_T length;
|
|
|
|
//
|
|
// One extra byte for NULL termination.
|
|
//
|
|
|
|
length = strlen(ForwardDllName.Buffer +
|
|
ForwardDllName.Length) + 1;
|
|
|
|
addressOfData = (PIMAGE_IMPORT_BY_NAME)
|
|
ExAllocatePoolWithTag (PagedPool,
|
|
length +
|
|
sizeof(IMAGE_IMPORT_BY_NAME),
|
|
' mM');
|
|
|
|
if (addressOfData) {
|
|
|
|
RtlCopyMemory(&(addressOfData->Name[0]),
|
|
ForwardDllName.Buffer +
|
|
ForwardDllName.Length,
|
|
length);
|
|
|
|
addressOfData->Hint = 0;
|
|
|
|
*(PULONG_PTR)&thunkData.u1.AddressOfData =
|
|
(ULONG_PTR)addressOfData;
|
|
|
|
Status = MiSnapThunk(DataTableEntry->DllBase,
|
|
ImageBase,
|
|
&thunkData,
|
|
&thunkData,
|
|
LocalExportDirectory,
|
|
LocalExportSize,
|
|
TRUE,
|
|
&MissingProcedureName2);
|
|
|
|
ExFreePool(addressOfData);
|
|
|
|
AddrThunk->u1 = thunkData.u1;
|
|
}
|
|
}
|
|
|
|
break;
|
|
}
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
RtlFreeUnicodeString(&UnicodeString);
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
return Status;
|
|
}
|
|
#if 0
|
|
PVOID
|
|
MiLookupImageSectionByName (
|
|
IN PVOID Base,
|
|
IN LOGICAL MappedAsImage,
|
|
IN PCHAR SectionName,
|
|
OUT PULONG SectionSize
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function locates a Directory Entry within the image header
|
|
and returns either the virtual address or seek address of the
|
|
data the Directory describes.
|
|
|
|
Arguments:
|
|
|
|
Base - Supplies the base of the image or data file.
|
|
|
|
MappedAsImage - FALSE if the file is mapped as a data file.
|
|
- TRUE if the file is mapped as an image.
|
|
|
|
SectionName - Supplies the name of the section to lookup.
|
|
|
|
SectionSize - Return the size of the section.
|
|
|
|
Return Value:
|
|
|
|
NULL - The file does not contain data for the specified section.
|
|
|
|
NON-NULL - Returns the address where the section is mapped in memory.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG i, j, Match;
|
|
PIMAGE_NT_HEADERS NtHeaders;
|
|
PIMAGE_SECTION_HEADER NtSection;
|
|
|
|
NtHeaders = RtlImageNtHeader(Base);
|
|
NtSection = IMAGE_FIRST_SECTION (NtHeaders);
|
|
for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i++) {
|
|
Match = TRUE;
|
|
for (j = 0; j < IMAGE_SIZEOF_SHORT_NAME; j++) {
|
|
if (SectionName[j] != NtSection->Name[j]) {
|
|
Match = FALSE;
|
|
break;
|
|
}
|
|
if (SectionName[j] == '\0') {
|
|
break;
|
|
}
|
|
}
|
|
if (Match) {
|
|
break;
|
|
}
|
|
NtSection += 1;
|
|
}
|
|
if (Match) {
|
|
*SectionSize = NtSection->SizeOfRawData;
|
|
if (MappedAsImage) {
|
|
return (((PCHAR)Base + NtSection->VirtualAddress));
|
|
}
|
|
else {
|
|
return (((PCHAR)Base + NtSection->PointerToRawData));
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
#endif //0
|
|
|
|
|
|
NTSTATUS
|
|
MmCheckSystemImage (
|
|
IN HANDLE ImageFileHandle,
|
|
IN LOGICAL PurgeSection
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function ensures the checksum for a system image is correct
|
|
and matches the data in the image.
|
|
|
|
Arguments:
|
|
|
|
ImageFileHandle - Supplies the file handle of the image.
|
|
|
|
PurgeSection - Supplies TRUE if the data section mapping the image should
|
|
be purged prior to returning. Note that the first page
|
|
could be used to speed up subsequent image section creation,
|
|
but generally the cost of useless data pages sitting in
|
|
transition is costly. Better to put the pages immediately
|
|
on the free list to preserve the transition cache for more
|
|
useful pages.
|
|
|
|
Return Value:
|
|
|
|
Status value.
|
|
|
|
--*/
|
|
|
|
{
|
|
NTSTATUS Status;
|
|
NTSTATUS Status2;
|
|
HANDLE Section;
|
|
PVOID ViewBase;
|
|
SIZE_T ViewSize;
|
|
IO_STATUS_BLOCK IoStatusBlock;
|
|
PIMAGE_FILE_HEADER FileHeader;
|
|
PIMAGE_NT_HEADERS NtHeaders;
|
|
FILE_STANDARD_INFORMATION StandardInfo;
|
|
PSECTION SectionPointer;
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
KAPC_STATE ApcState;
|
|
|
|
PAGED_CODE();
|
|
|
|
InitializeObjectAttributes (&ObjectAttributes,
|
|
NULL,
|
|
(OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE),
|
|
NULL,
|
|
NULL);
|
|
|
|
Status = ZwCreateSection (&Section,
|
|
SECTION_MAP_EXECUTE,
|
|
&ObjectAttributes,
|
|
NULL,
|
|
PAGE_EXECUTE,
|
|
SEC_COMMIT,
|
|
ImageFileHandle);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
return Status;
|
|
}
|
|
|
|
ViewBase = NULL;
|
|
ViewSize = 0;
|
|
|
|
//
|
|
// Since callees are not always in the context of the system process,
|
|
// attach here when necessary to guarantee the driver load occurs in a
|
|
// known safe address space to prevent security holes.
|
|
//
|
|
|
|
KeStackAttachProcess (&PsInitialSystemProcess->Pcb, &ApcState);
|
|
|
|
Status = ZwMapViewOfSection (Section,
|
|
NtCurrentProcess(),
|
|
(PVOID *)&ViewBase,
|
|
0L,
|
|
0L,
|
|
NULL,
|
|
&ViewSize,
|
|
ViewShare,
|
|
0L,
|
|
PAGE_EXECUTE);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
KeUnstackDetachProcess (&ApcState);
|
|
ZwClose(Section);
|
|
return Status;
|
|
}
|
|
|
|
//
|
|
// Now the image is mapped as a data file... Calculate its size and then
|
|
// check its checksum.
|
|
//
|
|
|
|
Status = ZwQueryInformationFile (ImageFileHandle,
|
|
&IoStatusBlock,
|
|
&StandardInfo,
|
|
sizeof(StandardInfo),
|
|
FileStandardInformation);
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
try {
|
|
|
|
if (!LdrVerifyMappedImageMatchesChecksum (ViewBase, StandardInfo.EndOfFile.LowPart)) {
|
|
Status = STATUS_IMAGE_CHECKSUM_MISMATCH;
|
|
goto out;
|
|
}
|
|
|
|
NtHeaders = RtlImageNtHeader (ViewBase);
|
|
|
|
if (NtHeaders == NULL) {
|
|
Status = STATUS_IMAGE_CHECKSUM_MISMATCH;
|
|
goto out;
|
|
}
|
|
|
|
FileHeader = &NtHeaders->FileHeader;
|
|
|
|
//
|
|
// Detect configurations inadvertently trying to load 32-bit
|
|
// drivers on NT64 or mismatched platform architectures, etc.
|
|
//
|
|
|
|
if ((FileHeader->Machine != IMAGE_FILE_MACHINE_NATIVE) ||
|
|
(NtHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)) {
|
|
Status = STATUS_INVALID_IMAGE_PROTECT;
|
|
goto out;
|
|
}
|
|
|
|
#if !defined(NT_UP)
|
|
if (!MmVerifyImageIsOkForMpUse (ViewBase)) {
|
|
Status = STATUS_IMAGE_MP_UP_MISMATCH;
|
|
goto out;
|
|
}
|
|
#endif
|
|
} except (EXCEPTION_EXECUTE_HANDLER) {
|
|
Status = STATUS_IMAGE_CHECKSUM_MISMATCH;
|
|
}
|
|
}
|
|
|
|
out:
|
|
|
|
ZwUnmapViewOfSection (NtCurrentProcess(), ViewBase);
|
|
|
|
KeUnstackDetachProcess (&ApcState);
|
|
|
|
if (PurgeSection == TRUE) {
|
|
|
|
Status2 = ObReferenceObjectByHandle (Section,
|
|
SECTION_MAP_EXECUTE,
|
|
MmSectionObjectType,
|
|
KernelMode,
|
|
(PVOID *) &SectionPointer,
|
|
(POBJECT_HANDLE_INFORMATION) NULL);
|
|
|
|
if (NT_SUCCESS (Status2)) {
|
|
|
|
MmPurgeSection (SectionPointer->Segment->ControlArea->FilePointer->SectionObjectPointer,
|
|
NULL,
|
|
0,
|
|
FALSE);
|
|
ObDereferenceObject (SectionPointer);
|
|
}
|
|
}
|
|
|
|
ZwClose (Section);
|
|
return Status;
|
|
}
|
|
|
|
#if !defined(NT_UP)
|
|
BOOLEAN
|
|
MmVerifyImageIsOkForMpUse(
|
|
IN PVOID BaseAddress
|
|
)
|
|
{
|
|
PIMAGE_NT_HEADERS NtHeaders;
|
|
|
|
PAGED_CODE();
|
|
|
|
NtHeaders = RtlImageNtHeader(BaseAddress);
|
|
if (NtHeaders != NULL) {
|
|
if ((KeNumberProcessors > 1) &&
|
|
(NtHeaders->FileHeader.Characteristics & IMAGE_FILE_UP_SYSTEM_ONLY)) {
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
#endif
|
|
|
|
|
|
PFN_NUMBER
|
|
MiDeleteSystemPagableVm (
|
|
IN PMMPTE PointerPte,
|
|
IN PFN_NUMBER NumberOfPtes,
|
|
IN MMPTE NewPteValue,
|
|
IN LOGICAL SessionAllocation,
|
|
OUT PPFN_NUMBER ResidentPages
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function deletes pagable system address space (paged pool
|
|
or driver pagable sections).
|
|
|
|
Arguments:
|
|
|
|
PointerPte - Supplies the start of the PTE range to delete.
|
|
|
|
NumberOfPtes - Supplies the number of PTEs in the range.
|
|
|
|
NewPteValue - Supplies the new value for the PTE.
|
|
|
|
SessionAllocation - Supplies TRUE if this is a range in session space. If
|
|
TRUE is specified, it is assumed that the caller has
|
|
already attached to the relevant session.
|
|
|
|
If FALSE is supplied, then it is assumed that the range
|
|
is in the systemwide global space instead.
|
|
|
|
ResidentPages - If not NULL, the number of resident pages freed is
|
|
returned here.
|
|
|
|
Return Value:
|
|
|
|
Returns the number of pages actually freed.
|
|
|
|
--*/
|
|
|
|
{
|
|
PVOID VirtualAddress;
|
|
PFN_NUMBER PageFrameIndex;
|
|
MMPTE PteContents;
|
|
PMMPFN Pfn1;
|
|
PMMPFN Pfn2;
|
|
PFN_NUMBER ValidPages;
|
|
PFN_NUMBER PagesRequired;
|
|
MMPTE NewContents;
|
|
WSLE_NUMBER WsIndex;
|
|
KIRQL OldIrql;
|
|
KIRQL OldIrqlWs;
|
|
MMPTE_FLUSH_LIST PteFlushList;
|
|
MMPTE JunkPte;
|
|
MMWSLENTRY Locked;
|
|
PFN_NUMBER PageTableFrameIndex;
|
|
PETHREAD CurrentThread;
|
|
LOGICAL WsHeld;
|
|
|
|
ASSERT (KeGetCurrentIrql() <= APC_LEVEL);
|
|
|
|
ValidPages = 0;
|
|
PagesRequired = 0;
|
|
PteFlushList.Count = 0;
|
|
WsHeld = FALSE;
|
|
OldIrqlWs = PASSIVE_LEVEL;
|
|
NewContents = NewPteValue;
|
|
CurrentThread = PsGetCurrentThread ();
|
|
|
|
while (NumberOfPtes != 0) {
|
|
PteContents = *PointerPte;
|
|
|
|
if (PteContents.u.Long != ZeroKernelPte.u.Long) {
|
|
|
|
if (PteContents.u.Hard.Valid == 1) {
|
|
|
|
//
|
|
// Once the working set mutex is acquired, it is deliberately
|
|
// held until all the pages have been freed. This is because
|
|
// when paged pool is running low on large servers, we need the
|
|
// segment dereference thread to be able to free large amounts
|
|
// quickly. Typically this thread will free 64k chunks and we
|
|
// don't want to have to contend for the mutex 16 times to do
|
|
// this as there may be thousands of other threads also trying
|
|
// for it.
|
|
//
|
|
|
|
if (WsHeld == FALSE) {
|
|
WsHeld = TRUE;
|
|
if (SessionAllocation == TRUE) {
|
|
LOCK_SESSION_SPACE_WS (OldIrqlWs, CurrentThread);
|
|
}
|
|
else {
|
|
LOCK_SYSTEM_WS (OldIrqlWs, CurrentThread);
|
|
}
|
|
}
|
|
|
|
PteContents = *(volatile MMPTE *)PointerPte;
|
|
if (PteContents.u.Hard.Valid == 0) {
|
|
continue;
|
|
}
|
|
|
|
//
|
|
// Delete the page.
|
|
//
|
|
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (&PteContents);
|
|
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
|
|
//
|
|
// Check to see if this is a pagable page in which
|
|
// case it needs to be removed from the working set list.
|
|
//
|
|
|
|
WsIndex = Pfn1->u1.WsIndex;
|
|
if (WsIndex == 0) {
|
|
ValidPages += 1;
|
|
if (SessionAllocation == TRUE) {
|
|
MM_BUMP_SESS_COUNTER (MM_DBG_SESSION_NP_DELVA, 1);
|
|
MmSessionSpace->NonPagablePages -= 1;
|
|
}
|
|
}
|
|
else {
|
|
if (SessionAllocation == FALSE) {
|
|
MiRemoveWsle (WsIndex, MmSystemCacheWorkingSetList);
|
|
MiReleaseWsle (WsIndex, &MmSystemCacheWs);
|
|
}
|
|
else {
|
|
VirtualAddress = MiGetVirtualAddressMappedByPte (PointerPte);
|
|
WsIndex = MiLocateWsle (VirtualAddress,
|
|
MmSessionSpace->Vm.VmWorkingSetList,
|
|
WsIndex);
|
|
|
|
ASSERT (WsIndex != WSLE_NULL_INDEX);
|
|
|
|
//
|
|
// Check to see if this entry is locked in
|
|
// the working set or locked in memory.
|
|
//
|
|
|
|
Locked = MmSessionSpace->Wsle[WsIndex].u1.e1;
|
|
|
|
MiRemoveWsle (WsIndex, MmSessionSpace->Vm.VmWorkingSetList);
|
|
|
|
MiReleaseWsle (WsIndex, &MmSessionSpace->Vm);
|
|
|
|
if (Locked.LockedInWs == 1 || Locked.LockedInMemory == 1) {
|
|
|
|
//
|
|
// This entry is locked.
|
|
//
|
|
|
|
MM_BUMP_SESS_COUNTER (MM_DBG_SESSION_NP_DELVA, 1);
|
|
MmSessionSpace->NonPagablePages -= 1;
|
|
ValidPages += 1;
|
|
|
|
ASSERT (WsIndex < MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic);
|
|
MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic -= 1;
|
|
|
|
if (WsIndex != MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic) {
|
|
WSLE_NUMBER Entry;
|
|
PVOID SwapVa;
|
|
|
|
Entry = MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic;
|
|
ASSERT (MmSessionSpace->Wsle[Entry].u1.e1.Valid);
|
|
SwapVa = MmSessionSpace->Wsle[Entry].u1.VirtualAddress;
|
|
SwapVa = PAGE_ALIGN (SwapVa);
|
|
|
|
MiSwapWslEntries (Entry,
|
|
WsIndex,
|
|
&MmSessionSpace->Vm);
|
|
}
|
|
}
|
|
else {
|
|
ASSERT (WsIndex >= MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic);
|
|
}
|
|
}
|
|
}
|
|
|
|
LOCK_PFN (OldIrql);
|
|
#if DBG0
|
|
if ((Pfn1->u3.e2.ReferenceCount > 1) &&
|
|
(Pfn1->u3.e1.WriteInProgress == 0)) {
|
|
DbgPrint ("MM:SYSLOAD - deleting pool locked for I/O PTE %p, pfn %p, share=%x, refcount=%x, wsindex=%x\n",
|
|
PointerPte,
|
|
PageFrameIndex,
|
|
Pfn1->u2.ShareCount,
|
|
Pfn1->u3.e2.ReferenceCount,
|
|
Pfn1->u1.WsIndex);
|
|
//
|
|
// This case is valid only if the page being deleted
|
|
// contained a lookaside free list entry that wasn't mapped
|
|
// and multiple threads faulted on it and waited together.
|
|
// Some of the faulted threads are still on the ready
|
|
// list but haven't run yet, and so still have references
|
|
// to this page that they picked up during the fault.
|
|
// But this current thread has already allocated the
|
|
// lookaside entry and is now freeing the entire page.
|
|
//
|
|
// BUT - if it is NOT the above case, we really should
|
|
// trap here. However, we don't have a good way to
|
|
// distinguish between the two cases. Note
|
|
// that this complication was inserted when we went to
|
|
// cmpxchg8 because using locks would prevent anyone from
|
|
// accessing the lookaside freelist flinks like this.
|
|
//
|
|
// So, the ASSERT below comes out, but we leave the print
|
|
// above in (with more data added) for the case where it's
|
|
// not a lookaside contender with the reference count, but
|
|
// is instead a truly bad reference that needs to be
|
|
// debugged. The system should crash shortly thereafter
|
|
// and we'll at least have the above print to help us out.
|
|
//
|
|
// ASSERT (Pfn1->u3.e2.ReferenceCount == 1);
|
|
}
|
|
#endif //DBG
|
|
//
|
|
// Check if this is a prototype PTE.
|
|
//
|
|
if (Pfn1->u3.e1.PrototypePte == 1) {
|
|
|
|
PMMPTE PointerPde;
|
|
|
|
ASSERT (SessionAllocation == TRUE);
|
|
|
|
//
|
|
// Capture the state of the modified bit for this
|
|
// PTE.
|
|
//
|
|
|
|
MI_CAPTURE_DIRTY_BIT_TO_PFN (PointerPte, Pfn1);
|
|
|
|
//
|
|
// Decrement the share and valid counts of the page table
|
|
// page which maps this PTE.
|
|
//
|
|
|
|
PointerPde = MiGetPteAddress (PointerPte);
|
|
if (PointerPde->u.Hard.Valid == 0) {
|
|
#if (_MI_PAGING_LEVELS < 3)
|
|
if (!NT_SUCCESS(MiCheckPdeForPagedPool (PointerPte))) {
|
|
#endif
|
|
KeBugCheckEx (MEMORY_MANAGEMENT,
|
|
0x61940,
|
|
(ULONG_PTR)PointerPte,
|
|
(ULONG_PTR)PointerPde->u.Long,
|
|
(ULONG_PTR)MiGetVirtualAddressMappedByPte(PointerPte));
|
|
#if (_MI_PAGING_LEVELS < 3)
|
|
}
|
|
#endif
|
|
}
|
|
|
|
PageTableFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPde);
|
|
Pfn2 = MI_PFN_ELEMENT (PageTableFrameIndex);
|
|
MiDecrementShareCountInline (Pfn2, PageTableFrameIndex);
|
|
|
|
//
|
|
// Decrement the share count for the physical page.
|
|
//
|
|
|
|
MiDecrementShareCount (PageFrameIndex);
|
|
|
|
//
|
|
// No need to worry about fork prototype PTEs
|
|
// for kernel addresses.
|
|
//
|
|
|
|
ASSERT (PointerPte > MiHighestUserPte);
|
|
|
|
}
|
|
else {
|
|
PageTableFrameIndex = Pfn1->u4.PteFrame;
|
|
Pfn2 = MI_PFN_ELEMENT (PageTableFrameIndex);
|
|
MiDecrementShareCountInline (Pfn2, PageTableFrameIndex);
|
|
|
|
MI_SET_PFN_DELETED (Pfn1);
|
|
MiDecrementShareCountOnly (PageFrameIndex);
|
|
}
|
|
|
|
MI_WRITE_INVALID_PTE (PointerPte, NewContents);
|
|
UNLOCK_PFN (OldIrql);
|
|
|
|
//
|
|
// Flush the TB for this page.
|
|
//
|
|
|
|
if (PteFlushList.Count != MM_MAXIMUM_FLUSH_COUNT) {
|
|
|
|
//
|
|
// We cannot rewrite the PTE later without creating a race
|
|
// condition. So point the FlushPte at a harmless
|
|
// location so MiFlushPteList does the right thing.
|
|
//
|
|
|
|
PteFlushList.FlushPte[PteFlushList.Count] =
|
|
(PMMPTE)&JunkPte;
|
|
|
|
PteFlushList.FlushVa[PteFlushList.Count] =
|
|
MiGetVirtualAddressMappedByPte (PointerPte);
|
|
PteFlushList.Count += 1;
|
|
}
|
|
|
|
} else if (PteContents.u.Soft.Prototype) {
|
|
|
|
ASSERT (SessionAllocation == TRUE);
|
|
|
|
//
|
|
// No need to worry about fork prototype PTEs
|
|
// for kernel addresses.
|
|
//
|
|
|
|
ASSERT (PointerPte >= MiHighestUserPte);
|
|
|
|
MI_WRITE_INVALID_PTE (PointerPte, NewContents);
|
|
|
|
//
|
|
// We currently commit for all prototype kernel mappings since
|
|
// we could copy-on-write.
|
|
//
|
|
|
|
} else if (PteContents.u.Soft.Transition == 1) {
|
|
|
|
LOCK_PFN (OldIrql);
|
|
|
|
PteContents = *(volatile MMPTE *)PointerPte;
|
|
|
|
if (PteContents.u.Soft.Transition == 0) {
|
|
UNLOCK_PFN (OldIrql);
|
|
continue;
|
|
}
|
|
|
|
//
|
|
// Transition, release page.
|
|
//
|
|
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_TRANSITION_PTE (&PteContents);
|
|
|
|
//
|
|
// Set the pointer to PTE as empty so the page
|
|
// is deleted when the reference count goes to zero.
|
|
//
|
|
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
|
|
MI_SET_PFN_DELETED (Pfn1);
|
|
|
|
PageTableFrameIndex = Pfn1->u4.PteFrame;
|
|
Pfn2 = MI_PFN_ELEMENT (PageTableFrameIndex);
|
|
MiDecrementShareCountInline (Pfn2, PageTableFrameIndex);
|
|
|
|
//
|
|
// Check the reference count for the page, if the reference
|
|
// count is zero, move the page to the free list, if the
|
|
// reference count is not zero, ignore this page. When the
|
|
// reference count goes to zero, it will be placed on the
|
|
// free list.
|
|
//
|
|
|
|
if (Pfn1->u3.e2.ReferenceCount == 0) {
|
|
MiUnlinkPageFromList (Pfn1);
|
|
MiReleasePageFileSpace (Pfn1->OriginalPte);
|
|
MiInsertPageInFreeList (PageFrameIndex);
|
|
}
|
|
#if 0
|
|
//
|
|
// This assert is not valid since pool may now be the deferred
|
|
// MmUnlockPages queue in which case the reference count
|
|
// will be nonzero with no write in progress pending.
|
|
//
|
|
|
|
if ((Pfn1->u3.e2.ReferenceCount > 1) &&
|
|
(Pfn1->u3.e1.WriteInProgress == 0)) {
|
|
DbgPrint ("MM:SYSLOAD - deleting pool locked for I/O %p\n",
|
|
PageFrameIndex);
|
|
DbgBreakPoint();
|
|
}
|
|
#endif //DBG
|
|
|
|
MI_WRITE_INVALID_PTE (PointerPte, NewContents);
|
|
UNLOCK_PFN (OldIrql);
|
|
}
|
|
else {
|
|
|
|
//
|
|
// Demand zero, release page file space.
|
|
//
|
|
if (PteContents.u.Soft.PageFileHigh != 0) {
|
|
LOCK_PFN (OldIrql);
|
|
MiReleasePageFileSpace (PteContents);
|
|
UNLOCK_PFN (OldIrql);
|
|
}
|
|
|
|
MI_WRITE_INVALID_PTE (PointerPte, NewContents);
|
|
}
|
|
|
|
PagesRequired += 1;
|
|
}
|
|
|
|
NumberOfPtes -= 1;
|
|
PointerPte += 1;
|
|
}
|
|
|
|
if (WsHeld == TRUE) {
|
|
if (SessionAllocation == TRUE) {
|
|
UNLOCK_SESSION_SPACE_WS (OldIrqlWs);
|
|
}
|
|
else {
|
|
UNLOCK_SYSTEM_WS (OldIrqlWs);
|
|
}
|
|
}
|
|
|
|
//
|
|
// There is the thorny case where one of the pages we just deleted could
|
|
// get faulted back in when we released the PFN lock above within the loop.
|
|
// The only time when this can happen is if a thread faulted during an
|
|
// interlocked pool allocation for an address that we've just deleted.
|
|
//
|
|
// If this thread sees the NewContents in the PTE, it will treat it as
|
|
// demand zero, and incorrectly allocate a page, PTE and WSL. It will
|
|
// reference it once and realize it needs to reread the lookaside listhead
|
|
// and restart the operation. But this page would live on in paged pool
|
|
// as modified (but unused) until the paged pool allocator chose to give
|
|
// out its virtual address again.
|
|
//
|
|
// The code below rewrites the PTEs which is really bad if another thread
|
|
// gets a zero page between our first setting of the PTEs above and our
|
|
// second setting below - because we'll reset the PTE to demand zero, but
|
|
// we'll still have a WSL entry that's valid, and we spiral from there.
|
|
//
|
|
// We really should remove the writing of the PTE below since we've already
|
|
// done it above. But for now, we're leaving it in - it's harmless because
|
|
// we've chosen to fix this problem by checking for this case when we
|
|
// materialize demand zero pages. Note that we have to fix this problem
|
|
// by checking in the demand zero path because a thread could be coming into
|
|
// that path any time before or after we flush the PTE list and any fixes
|
|
// here could only address the before case, not the after.
|
|
//
|
|
|
|
if (SessionAllocation == TRUE) {
|
|
|
|
//
|
|
// Session space has no ASN - flush the entire TB.
|
|
//
|
|
|
|
MI_FLUSH_ENTIRE_SESSION_TB (TRUE, TRUE);
|
|
}
|
|
|
|
MiFlushPteList (&PteFlushList, TRUE, NewContents);
|
|
|
|
if (ARGUMENT_PRESENT(ResidentPages)) {
|
|
*ResidentPages = ValidPages;
|
|
}
|
|
|
|
return PagesRequired;
|
|
}
|
|
|
|
VOID
|
|
MiSetImageProtect (
|
|
IN PSEGMENT Segment,
|
|
IN ULONG Protection
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function sets the protection of all prototype PTEs to the specified
|
|
protection.
|
|
|
|
Arguments:
|
|
|
|
Segment - Supplies a pointer to the segment to protect.
|
|
|
|
Protection - Supplies the protection value to set.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
PMMPTE PointerPte;
|
|
PMMPTE StartPte;
|
|
PMMPTE LastPte;
|
|
MMPTE PteContents;
|
|
PSUBSECTION Subsection;
|
|
|
|
//
|
|
// Set the subsection protections.
|
|
//
|
|
|
|
ASSERT (Segment->ControlArea->u.Flags.GlobalOnlyPerSession == 0);
|
|
|
|
if ((Segment->ControlArea->u.Flags.GlobalOnlyPerSession == 0) &&
|
|
(Segment->ControlArea->u.Flags.Rom == 0)) {
|
|
Subsection = (PSUBSECTION)(Segment->ControlArea + 1);
|
|
}
|
|
else {
|
|
Subsection = (PSUBSECTION)((PLARGE_CONTROL_AREA)(Segment->ControlArea) + 1);
|
|
}
|
|
|
|
if ((Protection & MM_PROTECTION_WRITE_MASK) == 0) {
|
|
Subsection->u.SubsectionFlags.Protection = Protection;
|
|
Subsection->u.SubsectionFlags.ReadOnly = 1;
|
|
}
|
|
|
|
StartPte = Subsection->SubsectionBase;
|
|
|
|
PointerPte = StartPte;
|
|
LastPte = PointerPte + Segment->NonExtendedPtes;
|
|
|
|
MmLockPagedPool (PointerPte, (LastPte - PointerPte) * sizeof (MMPTE));
|
|
|
|
do {
|
|
PteContents = *PointerPte;
|
|
ASSERT (PteContents.u.Hard.Valid == 0);
|
|
if (PteContents.u.Long != ZeroPte.u.Long) {
|
|
if ((PteContents.u.Soft.Prototype == 0) &&
|
|
(PteContents.u.Soft.Transition == 1)) {
|
|
if (MiSetProtectionOnTransitionPte (PointerPte, Protection)) {
|
|
continue;
|
|
}
|
|
}
|
|
else {
|
|
PointerPte->u.Soft.Protection = Protection;
|
|
}
|
|
}
|
|
PointerPte += 1;
|
|
} while (PointerPte < LastPte);
|
|
|
|
MmUnlockPagedPool (StartPte, (LastPte - StartPte) * sizeof (MMPTE));
|
|
|
|
return;
|
|
}
|
|
|
|
|
|
VOID
|
|
MiSetSystemCodeProtection (
|
|
IN PMMPTE FirstPte,
|
|
IN PMMPTE LastPte
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function sets the protection of system code to read only.
|
|
Note this is different from protecting section-backed code like win32k.
|
|
|
|
Arguments:
|
|
|
|
FirstPte - Supplies the starting PTE.
|
|
|
|
LastPte - Supplies the ending PTE.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel Mode, IRQL of APC_LEVEL or below.
|
|
|
|
This routine could be made PAGELK but it is a high frequency routine
|
|
so it is actually better to keep it nonpaged to avoid bringing in the
|
|
entire PAGELK section.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
MMPTE PteContents;
|
|
MMPTE TempPte;
|
|
MMPTE PreviousPte;
|
|
PMMPTE PointerPte;
|
|
PMMPTE PointerPde;
|
|
PMMPTE PointerProtoPte;
|
|
ULONG ProtectionMask;
|
|
PMMPFN Pfn1;
|
|
PMMPFN ProtoPfn;
|
|
LOGICAL SessionAddress;
|
|
|
|
#if defined(_X86_)
|
|
ASSERT (MI_IS_PHYSICAL_ADDRESS(MiGetVirtualAddressMappedByPte(FirstPte)) == 0);
|
|
#endif
|
|
|
|
SessionAddress = FALSE;
|
|
|
|
if (MI_IS_SESSION_ADDRESS(MiGetVirtualAddressMappedByPte(FirstPte))) {
|
|
SessionAddress = TRUE;
|
|
}
|
|
|
|
ProtectionMask = MM_EXECUTE_READ;
|
|
|
|
//
|
|
// Make these PTEs read only.
|
|
//
|
|
// Note that the write bit may already be off (in the valid PTE) if the
|
|
// page has already been inpaged from the paging file and has not since
|
|
// been dirtied.
|
|
//
|
|
|
|
PointerPte = FirstPte;
|
|
|
|
LOCK_PFN (OldIrql);
|
|
|
|
while (PointerPte <= LastPte) {
|
|
|
|
PteContents = *PointerPte;
|
|
|
|
if ((PteContents.u.Long == 0) || (!*MiPteStr)) {
|
|
PointerPte += 1;
|
|
continue;
|
|
}
|
|
|
|
if (PteContents.u.Hard.Valid == 1) {
|
|
|
|
Pfn1 = MI_PFN_ELEMENT (PteContents.u.Hard.PageFrameNumber);
|
|
Pfn1->OriginalPte.u.Soft.Protection = ProtectionMask;
|
|
|
|
//
|
|
// Note the dirty and write bits get turned off here.
|
|
// Any existing pagefile addresses for clean pages are preserved.
|
|
//
|
|
|
|
if (MI_IS_PTE_DIRTY(PteContents)) {
|
|
MI_CAPTURE_DIRTY_BIT_TO_PFN (&PteContents, Pfn1);
|
|
}
|
|
|
|
MI_MAKE_VALID_PTE (TempPte,
|
|
PteContents.u.Hard.PageFrameNumber,
|
|
Pfn1->OriginalPte.u.Soft.Protection,
|
|
PointerPte);
|
|
|
|
if (SessionAddress == TRUE) {
|
|
|
|
//
|
|
// Session space has no ASN - flush the entire TB.
|
|
//
|
|
|
|
MI_FLUSH_SINGLE_SESSION_TB (MiGetVirtualAddressMappedByPte (PointerPte),
|
|
TRUE,
|
|
TRUE,
|
|
(PHARDWARE_PTE)PointerPte,
|
|
TempPte.u.Flush,
|
|
PreviousPte);
|
|
}
|
|
else {
|
|
KeFlushSingleTb (MiGetVirtualAddressMappedByPte (PointerPte),
|
|
TRUE,
|
|
TRUE,
|
|
(PHARDWARE_PTE)PointerPte,
|
|
TempPte.u.Flush);
|
|
}
|
|
}
|
|
else if (PteContents.u.Soft.Prototype == 1) {
|
|
|
|
if (SessionAddress == TRUE) {
|
|
PointerPte->u.Proto.ReadOnly = 1;
|
|
}
|
|
else {
|
|
PointerProtoPte = MiPteToProto(PointerPte);
|
|
|
|
ASSERT (!MI_IS_PHYSICAL_ADDRESS(PointerProtoPte));
|
|
PointerPde = MiGetPteAddress (PointerProtoPte);
|
|
if (PointerPde->u.Hard.Valid == 0) {
|
|
MiMakeSystemAddressValidPfn (PointerProtoPte);
|
|
|
|
//
|
|
// The world may change if we had to wait.
|
|
//
|
|
|
|
PteContents = *PointerPte;
|
|
if ((PteContents.u.Hard.Valid == 1) ||
|
|
(PteContents.u.Soft.Prototype == 0)) {
|
|
continue;
|
|
}
|
|
}
|
|
|
|
ProtoPfn = MI_PFN_ELEMENT (PointerPde->u.Hard.PageFrameNumber);
|
|
MI_ADD_LOCKED_PAGE_CHARGE(ProtoPfn, 12);
|
|
ProtoPfn->u3.e2.ReferenceCount += 1;
|
|
ASSERT (ProtoPfn->u3.e2.ReferenceCount > 1);
|
|
|
|
PteContents = *PointerProtoPte;
|
|
|
|
if (PteContents.u.Long != ZeroPte.u.Long) {
|
|
|
|
ASSERT (PteContents.u.Hard.Valid == 0);
|
|
|
|
PointerProtoPte->u.Soft.Protection = ProtectionMask;
|
|
|
|
if ((PteContents.u.Soft.Prototype == 0) &&
|
|
(PteContents.u.Soft.Transition == 1)) {
|
|
Pfn1 = MI_PFN_ELEMENT (PteContents.u.Trans.PageFrameNumber);
|
|
Pfn1->OriginalPte.u.Soft.Protection = ProtectionMask;
|
|
}
|
|
}
|
|
|
|
ASSERT (ProtoPfn->u3.e2.ReferenceCount > 1);
|
|
MI_REMOVE_LOCKED_PAGE_CHARGE_AND_DECREF(ProtoPfn, 13);
|
|
}
|
|
}
|
|
else if (PteContents.u.Soft.Transition == 1) {
|
|
|
|
Pfn1 = MI_PFN_ELEMENT (PteContents.u.Trans.PageFrameNumber);
|
|
Pfn1->OriginalPte.u.Soft.Protection = ProtectionMask;
|
|
PointerPte->u.Soft.Protection = ProtectionMask;
|
|
|
|
}
|
|
else {
|
|
|
|
//
|
|
// Must be page file space or demand zero.
|
|
//
|
|
|
|
PointerPte->u.Soft.Protection = ProtectionMask;
|
|
}
|
|
PointerPte += 1;
|
|
}
|
|
|
|
UNLOCK_PFN (OldIrql);
|
|
}
|
|
|
|
|
|
VOID
|
|
MiWriteProtectSystemImage (
|
|
IN PVOID DllBase
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function sets the protection of a system component to read only.
|
|
|
|
Arguments:
|
|
|
|
DllBase - Supplies the base address of the system component.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG SectionProtection;
|
|
ULONG NumberOfSubsections;
|
|
ULONG SectionVirtualSize;
|
|
ULONG ImageAlignment;
|
|
ULONG OffsetToSectionTable;
|
|
ULONG NumberOfPtes;
|
|
ULONG_PTR VirtualAddress;
|
|
PVOID LastVirtualAddress;
|
|
PMMPTE PointerPte;
|
|
PMMPTE FirstPte;
|
|
PMMPTE LastPte;
|
|
PMMPTE LastImagePte;
|
|
PMMPTE WritablePte;
|
|
PIMAGE_NT_HEADERS NtHeader;
|
|
PIMAGE_FILE_HEADER FileHeader;
|
|
PIMAGE_SECTION_HEADER SectionTableEntry;
|
|
|
|
PAGED_CODE();
|
|
|
|
if (MI_IS_PHYSICAL_ADDRESS(DllBase)) {
|
|
return;
|
|
}
|
|
|
|
NtHeader = RtlImageNtHeader (DllBase);
|
|
|
|
ASSERT (NtHeader);
|
|
|
|
ImageAlignment = NtHeader->OptionalHeader.SectionAlignment;
|
|
|
|
//
|
|
// All session drivers must be one way or the other - no mixing is allowed
|
|
// within multiple copy-on-write drivers.
|
|
//
|
|
|
|
if (MI_IS_SESSION_ADDRESS(DllBase) == 0) {
|
|
|
|
//
|
|
// Images prior to NT5 were not protected from stepping all over
|
|
// their (and others) code and readonly data. Here we somewhat
|
|
// preserve that behavior, but don't allow them to step on anyone else.
|
|
//
|
|
|
|
if (NtHeader->OptionalHeader.MajorOperatingSystemVersion < 5) {
|
|
return;
|
|
}
|
|
|
|
if (NtHeader->OptionalHeader.MajorImageVersion < 5) {
|
|
return;
|
|
}
|
|
}
|
|
|
|
NumberOfPtes = BYTES_TO_PAGES (NtHeader->OptionalHeader.SizeOfImage);
|
|
|
|
FileHeader = &NtHeader->FileHeader;
|
|
|
|
NumberOfSubsections = FileHeader->NumberOfSections;
|
|
|
|
ASSERT (NumberOfSubsections != 0);
|
|
|
|
OffsetToSectionTable = sizeof(ULONG) +
|
|
sizeof(IMAGE_FILE_HEADER) +
|
|
FileHeader->SizeOfOptionalHeader;
|
|
|
|
SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeader +
|
|
OffsetToSectionTable);
|
|
|
|
//
|
|
// Verify the image contains subsections ordered by increasing virtual
|
|
// address and that there are no overlaps.
|
|
//
|
|
|
|
FirstPte = NULL;
|
|
LastVirtualAddress = DllBase;
|
|
|
|
for ( ; NumberOfSubsections > 0; NumberOfSubsections -= 1, SectionTableEntry += 1) {
|
|
|
|
if (SectionTableEntry->Misc.VirtualSize == 0) {
|
|
SectionVirtualSize = SectionTableEntry->SizeOfRawData;
|
|
}
|
|
else {
|
|
SectionVirtualSize = SectionTableEntry->Misc.VirtualSize;
|
|
}
|
|
|
|
VirtualAddress = (ULONG_PTR)DllBase + SectionTableEntry->VirtualAddress;
|
|
if ((PVOID)VirtualAddress <= LastVirtualAddress) {
|
|
|
|
//
|
|
// Subsections are not in an increasing virtual address ordering.
|
|
// No protection is provided for such a poorly linked image.
|
|
//
|
|
|
|
KdPrint (("MM:sysload - Image at %p is badly linked\n", DllBase));
|
|
return;
|
|
}
|
|
LastVirtualAddress = (PVOID)((PCHAR)VirtualAddress + SectionVirtualSize - 1);
|
|
}
|
|
|
|
NumberOfSubsections = FileHeader->NumberOfSections;
|
|
ASSERT (NumberOfSubsections != 0);
|
|
|
|
SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeader +
|
|
OffsetToSectionTable);
|
|
|
|
LastVirtualAddress = NULL;
|
|
|
|
//
|
|
// Set writable PTE here so the image headers are excluded. This is
|
|
// needed so that locking down of sections can continue to edit the
|
|
// image headers for counts.
|
|
//
|
|
|
|
WritablePte = MiGetPteAddress ((PVOID)((ULONG_PTR)(SectionTableEntry + NumberOfSubsections) - 1));
|
|
LastImagePte = MiGetPteAddress(DllBase) + NumberOfPtes;
|
|
|
|
for ( ; NumberOfSubsections > 0; NumberOfSubsections -= 1, SectionTableEntry += 1) {
|
|
|
|
if (SectionTableEntry->Misc.VirtualSize == 0) {
|
|
SectionVirtualSize = SectionTableEntry->SizeOfRawData;
|
|
}
|
|
else {
|
|
SectionVirtualSize = SectionTableEntry->Misc.VirtualSize;
|
|
}
|
|
|
|
VirtualAddress = (ULONG_PTR)DllBase + SectionTableEntry->VirtualAddress;
|
|
|
|
PointerPte = MiGetPteAddress ((PVOID)VirtualAddress);
|
|
|
|
if (PointerPte >= LastImagePte) {
|
|
|
|
//
|
|
// Skip relocation subsections (which aren't given VA space).
|
|
//
|
|
|
|
break;
|
|
}
|
|
|
|
SectionProtection = (SectionTableEntry->Characteristics & (IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE));
|
|
|
|
if (SectionProtection & IMAGE_SCN_MEM_WRITE) {
|
|
|
|
//
|
|
// This is a writable subsection, skip it. Make sure if it's
|
|
// sharing a PTE (and update the linker so this doesn't happen
|
|
// for the kernel at least) that the last PTE isn't made
|
|
// read only.
|
|
//
|
|
|
|
WritablePte = MiGetPteAddress ((PVOID)(VirtualAddress + SectionVirtualSize - 1));
|
|
|
|
if (LastVirtualAddress != NULL) {
|
|
LastPte = (PVOID) MiGetPteAddress (LastVirtualAddress);
|
|
|
|
if (LastPte == PointerPte) {
|
|
LastPte -= 1;
|
|
}
|
|
|
|
if (FirstPte <= LastPte) {
|
|
|
|
ASSERT (PointerPte < LastImagePte);
|
|
|
|
if (LastPte >= LastImagePte) {
|
|
LastPte = LastImagePte - 1;
|
|
}
|
|
|
|
MiSetSystemCodeProtection (FirstPte, LastPte);
|
|
}
|
|
|
|
LastVirtualAddress = NULL;
|
|
}
|
|
continue;
|
|
}
|
|
|
|
if (LastVirtualAddress == NULL) {
|
|
|
|
//
|
|
// There is no previous subsection or the previous
|
|
// subsection was writable. Thus the current starting PTE
|
|
// could be mapping both a readonly and a readwrite
|
|
// subsection if the image alignment is less than PAGE_SIZE.
|
|
// These cases (in either order) are handled here.
|
|
//
|
|
|
|
if (PointerPte == WritablePte) {
|
|
LastPte = MiGetPteAddress ((PVOID)(VirtualAddress + SectionVirtualSize - 1));
|
|
if (PointerPte == LastPte) {
|
|
|
|
//
|
|
// Nothing can be protected in this subsection
|
|
// due to the image alignment specified for the executable.
|
|
//
|
|
|
|
continue;
|
|
}
|
|
PointerPte += 1;
|
|
}
|
|
FirstPte = PointerPte;
|
|
}
|
|
|
|
LastVirtualAddress = (PVOID)((PCHAR)VirtualAddress + SectionVirtualSize - 1);
|
|
}
|
|
|
|
if (LastVirtualAddress != NULL) {
|
|
LastPte = (PVOID) MiGetPteAddress (LastVirtualAddress);
|
|
|
|
if ((FirstPte <= LastPte) && (FirstPte < LastImagePte)) {
|
|
|
|
if (LastPte >= LastImagePte) {
|
|
LastPte = LastImagePte - 1;
|
|
}
|
|
|
|
MiSetSystemCodeProtection (FirstPte, LastPte);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
MiUpdateThunks (
|
|
IN PLOADER_PARAMETER_BLOCK LoaderBlock,
|
|
IN PVOID OldAddress,
|
|
IN PVOID NewAddress,
|
|
IN ULONG NumberOfBytes
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function updates the IATs of all the loaded modules in the system
|
|
to handle a newly relocated image.
|
|
|
|
Arguments:
|
|
|
|
LoaderBlock - Supplies a pointer to the system loader block.
|
|
|
|
OldAddress - Supplies the old address of the DLL which was just relocated.
|
|
|
|
NewAddress - Supplies the new address of the DLL which was just relocated.
|
|
|
|
NumberOfBytes - Supplies the number of bytes spanned by the DLL.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
PULONG_PTR ImportThunk;
|
|
ULONG_PTR OldAddressHigh;
|
|
ULONG_PTR AddressDifference;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PLIST_ENTRY NextEntry;
|
|
ULONG_PTR i;
|
|
ULONG ImportSize;
|
|
|
|
//
|
|
// Note this routine must not call any modules outside the kernel.
|
|
// This is because that module may itself be the one being relocated right
|
|
// now.
|
|
//
|
|
|
|
OldAddressHigh = (ULONG_PTR)((PCHAR)OldAddress + NumberOfBytes - 1);
|
|
AddressDifference = (ULONG_PTR)NewAddress - (ULONG_PTR)OldAddress;
|
|
|
|
NextEntry = LoaderBlock->LoadOrderListHead.Flink;
|
|
|
|
for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) {
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
|
|
DataTableEntry->DllBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_IAT,
|
|
&ImportSize);
|
|
|
|
if (ImportThunk == NULL) {
|
|
continue;
|
|
}
|
|
|
|
ImportSize /= sizeof(PULONG_PTR);
|
|
|
|
for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
|
|
if (*ImportThunk >= (ULONG_PTR)OldAddress && *ImportThunk <= OldAddressHigh) {
|
|
*ImportThunk += AddressDifference;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
MiReloadBootLoadedDrivers (
|
|
IN PLOADER_PARAMETER_BLOCK LoaderBlock
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
The kernel, HAL and boot drivers are relocated by the loader.
|
|
All the boot drivers are then relocated again here.
|
|
|
|
This function relocates osloader-loaded images into system PTEs. This
|
|
gives these images the benefits that all other drivers already enjoy,
|
|
including :
|
|
|
|
1. Paging of the drivers (this is more than 500K today).
|
|
2. Write-protection of their text sections.
|
|
3. Automatic unload of drivers on last dereference.
|
|
|
|
Note care must be taken when processing HIGHADJ relocations more than once.
|
|
|
|
Arguments:
|
|
|
|
LoaderBlock - Supplies a pointer to the system loader block.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization.
|
|
|
|
--*/
|
|
|
|
{
|
|
LOGICAL HasRelocations;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PLIST_ENTRY NextEntry;
|
|
PIMAGE_FILE_HEADER FileHeader;
|
|
PIMAGE_NT_HEADERS NtHeader;
|
|
PIMAGE_DATA_DIRECTORY DataDirectory;
|
|
ULONG_PTR i;
|
|
ULONG NumberOfPtes;
|
|
ULONG NumberOfLoaderPtes;
|
|
PMMPTE PointerPte;
|
|
PMMPTE LastPte;
|
|
PMMPTE LoaderPte;
|
|
MMPTE PteContents;
|
|
MMPTE TempPte;
|
|
PVOID LoaderImageAddress;
|
|
PVOID NewImageAddress;
|
|
NTSTATUS Status;
|
|
PFN_NUMBER PageFrameIndex;
|
|
PFN_NUMBER PteFramePage;
|
|
PMMPTE PteFramePointer;
|
|
PMMPFN Pfn1;
|
|
PMMPFN Pfn2;
|
|
KIRQL OldIrql;
|
|
PCHAR RelocatedVa;
|
|
PCHAR NonRelocatedVa;
|
|
LOGICAL StopMoving;
|
|
|
|
#if !defined (_X86_)
|
|
|
|
//
|
|
// Only try to preserve low memory on x86 machines.
|
|
//
|
|
|
|
MmMakeLowMemory = FALSE;
|
|
#endif
|
|
StopMoving = FALSE;
|
|
|
|
i = 0;
|
|
NextEntry = LoaderBlock->LoadOrderListHead.Flink;
|
|
|
|
for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) {
|
|
|
|
//
|
|
// Skip the kernel and the HAL. Note their relocation sections will
|
|
// be automatically reclaimed.
|
|
//
|
|
|
|
i += 1;
|
|
if (i <= 2) {
|
|
continue;
|
|
}
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
NtHeader = RtlImageNtHeader (DataTableEntry->DllBase);
|
|
|
|
//
|
|
// Ensure that the relocation section exists and that the loader
|
|
// hasn't freed it already.
|
|
//
|
|
|
|
if (NtHeader == NULL) {
|
|
continue;
|
|
}
|
|
|
|
FileHeader = &NtHeader->FileHeader;
|
|
|
|
if (FileHeader->Characteristics & IMAGE_FILE_RELOCS_STRIPPED) {
|
|
continue;
|
|
}
|
|
|
|
if (IMAGE_DIRECTORY_ENTRY_BASERELOC >= NtHeader->OptionalHeader.NumberOfRvaAndSizes) {
|
|
continue;
|
|
}
|
|
|
|
DataDirectory = &NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
|
|
|
|
if (DataDirectory->VirtualAddress == 0) {
|
|
HasRelocations = FALSE;
|
|
}
|
|
else {
|
|
|
|
if (DataDirectory->VirtualAddress + DataDirectory->Size > DataTableEntry->SizeOfImage) {
|
|
|
|
//
|
|
// The relocation section has already been freed, the user must
|
|
// be using an old loader that didn't save the relocations.
|
|
//
|
|
|
|
continue;
|
|
}
|
|
HasRelocations = TRUE;
|
|
}
|
|
|
|
LoaderImageAddress = DataTableEntry->DllBase;
|
|
LoaderPte = MiGetPteAddress(DataTableEntry->DllBase);
|
|
NumberOfLoaderPtes = (ULONG)((ROUND_TO_PAGES(DataTableEntry->SizeOfImage)) >> PAGE_SHIFT);
|
|
|
|
LOCK_PFN (OldIrql);
|
|
|
|
PointerPte = LoaderPte;
|
|
LastPte = PointerPte + NumberOfLoaderPtes;
|
|
|
|
while (PointerPte < LastPte) {
|
|
ASSERT (PointerPte->u.Hard.Valid == 1);
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
|
|
//
|
|
// Mark the page as modified so boot drivers that call
|
|
// MmPageEntireDriver don't lose their unmodified data !
|
|
//
|
|
|
|
MI_SET_MODIFIED (Pfn1, 1, 0x14);
|
|
|
|
PointerPte += 1;
|
|
}
|
|
|
|
UNLOCK_PFN (OldIrql);
|
|
|
|
//
|
|
// Extra PTEs are allocated here to map the relocation section at the
|
|
// new address so the image can be relocated.
|
|
//
|
|
|
|
NumberOfPtes = NumberOfLoaderPtes;
|
|
|
|
PointerPte = MiReserveSystemPtes (NumberOfPtes, SystemPteSpace);
|
|
|
|
if (PointerPte == NULL) {
|
|
continue;
|
|
}
|
|
|
|
LastPte = PointerPte + NumberOfPtes;
|
|
|
|
NewImageAddress = MiGetVirtualAddressMappedByPte (PointerPte);
|
|
|
|
#if DBG_SYSLOAD
|
|
DbgPrint ("Relocating %wZ from %p to %p, %x bytes\n",
|
|
&DataTableEntry->FullDllName,
|
|
DataTableEntry->DllBase,
|
|
NewImageAddress,
|
|
DataTableEntry->SizeOfImage
|
|
);
|
|
#endif
|
|
|
|
//
|
|
// This assert is important because the assumption is made that PTEs
|
|
// (not superpages) are mapping these drivers.
|
|
//
|
|
|
|
ASSERT (InitializationPhase == 0);
|
|
|
|
//
|
|
// If the system is configured to make low memory available for ISA
|
|
// type drivers, then copy the boot loaded drivers now. Otherwise
|
|
// only PTE adjustment is done. Presumably some day when ISA goes
|
|
// away this code can be removed.
|
|
//
|
|
|
|
RelocatedVa = NewImageAddress;
|
|
NonRelocatedVa = (PCHAR) DataTableEntry->DllBase;
|
|
|
|
while (PointerPte < LastPte) {
|
|
|
|
PteContents = *LoaderPte;
|
|
ASSERT (PteContents.u.Hard.Valid == 1);
|
|
|
|
if (MmMakeLowMemory == TRUE) {
|
|
#if DBG
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (LoaderPte);
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
ASSERT (Pfn1->u1.WsIndex == 0);
|
|
#endif
|
|
LOCK_PFN (OldIrql);
|
|
MiEnsureAvailablePageOrWait (NULL, NULL);
|
|
PageFrameIndex = MiRemoveAnyPage(
|
|
MI_GET_PAGE_COLOR_FROM_PTE (PointerPte));
|
|
|
|
if (PageFrameIndex < (16*1024*1024)/PAGE_SIZE) {
|
|
|
|
//
|
|
// If the frames cannot be replaced with high pages
|
|
// then stop copying.
|
|
//
|
|
|
|
#if defined (_MI_MORE_THAN_4GB_)
|
|
if (MiNoLowMemory == 0)
|
|
#endif
|
|
StopMoving = TRUE;
|
|
}
|
|
|
|
MI_MAKE_VALID_PTE (TempPte,
|
|
PageFrameIndex,
|
|
MM_EXECUTE_READWRITE,
|
|
PointerPte);
|
|
|
|
MI_SET_PTE_DIRTY (TempPte);
|
|
MI_SET_ACCESSED_IN_PTE (&TempPte, 1);
|
|
MI_WRITE_VALID_PTE (PointerPte, TempPte);
|
|
|
|
MiInitializePfn (PageFrameIndex, PointerPte, 1);
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
|
|
MI_SET_MODIFIED (Pfn1, 1, 0x15);
|
|
|
|
//
|
|
// Initialize the WsIndex just like the original page had it.
|
|
//
|
|
|
|
Pfn1->u1.WsIndex = 0;
|
|
|
|
UNLOCK_PFN (OldIrql);
|
|
RtlCopyMemory (RelocatedVa, NonRelocatedVa, PAGE_SIZE);
|
|
RelocatedVa += PAGE_SIZE;
|
|
NonRelocatedVa += PAGE_SIZE;
|
|
}
|
|
else {
|
|
MI_MAKE_VALID_PTE (TempPte,
|
|
PteContents.u.Hard.PageFrameNumber,
|
|
MM_EXECUTE_READWRITE,
|
|
PointerPte);
|
|
MI_SET_PTE_DIRTY (TempPte);
|
|
|
|
MI_WRITE_VALID_PTE (PointerPte, TempPte);
|
|
}
|
|
|
|
PointerPte += 1;
|
|
LoaderPte += 1;
|
|
}
|
|
PointerPte -= NumberOfPtes;
|
|
|
|
ASSERT (*(PULONG)NewImageAddress == *(PULONG)LoaderImageAddress);
|
|
|
|
//
|
|
// Image is now mapped at the new address. Relocate it (again).
|
|
//
|
|
|
|
NtHeader->OptionalHeader.ImageBase = (ULONG_PTR)LoaderImageAddress;
|
|
if (MmMakeLowMemory == TRUE) {
|
|
PIMAGE_NT_HEADERS NtHeader2;
|
|
|
|
NtHeader2 = (PIMAGE_NT_HEADERS)((PCHAR)NtHeader + (RelocatedVa - NonRelocatedVa));
|
|
NtHeader2->OptionalHeader.ImageBase = (ULONG_PTR)LoaderImageAddress;
|
|
}
|
|
|
|
if (HasRelocations == TRUE) {
|
|
Status = (NTSTATUS)LdrRelocateImage(NewImageAddress,
|
|
(CONST PCHAR)"SYSLDR",
|
|
(ULONG)STATUS_SUCCESS,
|
|
(ULONG)STATUS_CONFLICTING_ADDRESSES,
|
|
(ULONG)STATUS_INVALID_IMAGE_FORMAT
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status)) {
|
|
|
|
if (MmMakeLowMemory == TRUE) {
|
|
while (PointerPte < LastPte) {
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
MiDecrementShareAndValidCount (Pfn1->u4.PteFrame);
|
|
MI_SET_PFN_DELETED (Pfn1);
|
|
MiDecrementShareCountOnly (PageFrameIndex);
|
|
PointerPte += 1;
|
|
}
|
|
PointerPte -= NumberOfPtes;
|
|
}
|
|
|
|
MiReleaseSystemPtes (PointerPte, NumberOfPtes, SystemPteSpace);
|
|
|
|
if (StopMoving == TRUE) {
|
|
MmMakeLowMemory = FALSE;
|
|
}
|
|
|
|
continue;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Update the IATs for all other loaded modules that reference this one.
|
|
//
|
|
|
|
NonRelocatedVa = (PCHAR) DataTableEntry->DllBase;
|
|
DataTableEntry->DllBase = NewImageAddress;
|
|
|
|
MiUpdateThunks (LoaderBlock,
|
|
LoaderImageAddress,
|
|
NewImageAddress,
|
|
DataTableEntry->SizeOfImage);
|
|
|
|
|
|
//
|
|
// Update the loaded module list entry.
|
|
//
|
|
|
|
DataTableEntry->Flags |= LDRP_SYSTEM_MAPPED;
|
|
DataTableEntry->DllBase = NewImageAddress;
|
|
DataTableEntry->EntryPoint =
|
|
(PVOID)((PCHAR)NewImageAddress + NtHeader->OptionalHeader.AddressOfEntryPoint);
|
|
DataTableEntry->SizeOfImage = NumberOfPtes << PAGE_SHIFT;
|
|
|
|
//
|
|
// Update the PFNs of the image to support trimming.
|
|
// Note that the loader addresses are freed now so no references
|
|
// to it are permitted after this point.
|
|
//
|
|
|
|
LoaderPte = MiGetPteAddress (NonRelocatedVa);
|
|
|
|
LOCK_PFN (OldIrql);
|
|
|
|
while (PointerPte < LastPte) {
|
|
ASSERT (PointerPte->u.Hard.Valid == 1);
|
|
|
|
if (MmMakeLowMemory == TRUE) {
|
|
ASSERT (LoaderPte->u.Hard.Valid == 1);
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (LoaderPte);
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
|
|
//
|
|
// Decrement the share count on the original page table
|
|
// page so it can be freed.
|
|
//
|
|
|
|
MiDecrementShareAndValidCount (Pfn1->u4.PteFrame);
|
|
|
|
MI_SET_PFN_DELETED (Pfn1);
|
|
MiDecrementShareCountOnly (PageFrameIndex);
|
|
LoaderPte += 1;
|
|
}
|
|
else {
|
|
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
|
|
//
|
|
// Decrement the share count on the original page table
|
|
// page so it can be freed.
|
|
//
|
|
|
|
MiDecrementShareAndValidCount (Pfn1->u4.PteFrame);
|
|
*Pfn1->PteAddress = ZeroPte;
|
|
|
|
//
|
|
// Chain the PFN entry to its new page table.
|
|
//
|
|
|
|
PteFramePointer = MiGetPteAddress(PointerPte);
|
|
PteFramePage = MI_GET_PAGE_FRAME_FROM_PTE (PteFramePointer);
|
|
|
|
Pfn1->u4.PteFrame = PteFramePage;
|
|
Pfn1->PteAddress = PointerPte;
|
|
|
|
//
|
|
// Increment the share count for the page table page that now
|
|
// contains the PTE that was copied.
|
|
//
|
|
|
|
Pfn2 = MI_PFN_ELEMENT (PteFramePage);
|
|
Pfn2->u2.ShareCount += 1;
|
|
}
|
|
|
|
PointerPte += 1;
|
|
}
|
|
|
|
UNLOCK_PFN (OldIrql);
|
|
|
|
//
|
|
// The physical pages mapping the relocation section are freed
|
|
// later with the rest of the initialization code spanned by the
|
|
// DataTableEntry->SizeOfImage.
|
|
//
|
|
|
|
if (StopMoving == TRUE) {
|
|
MmMakeLowMemory = FALSE;
|
|
}
|
|
}
|
|
}
|
|
|
|
#if defined (_X86_)
|
|
PMMPTE MiKernelResourceStartPte;
|
|
PMMPTE MiKernelResourceEndPte;
|
|
#endif
|
|
|
|
VOID
|
|
MiLocateKernelSections (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function locates the resource section in the kernel so it can be
|
|
made readwrite if we bugcheck later, as the bugcheck code will write
|
|
into it.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the kernel's data table entry.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization.
|
|
|
|
--*/
|
|
|
|
{
|
|
PVOID CurrentBase;
|
|
PIMAGE_NT_HEADERS NtHeader;
|
|
PIMAGE_SECTION_HEADER SectionTableEntry;
|
|
LONG i;
|
|
PMMPTE PointerPte;
|
|
PVOID SectionBaseAddress;
|
|
|
|
CurrentBase = (PVOID)DataTableEntry->DllBase;
|
|
|
|
NtHeader = RtlImageNtHeader(CurrentBase);
|
|
|
|
SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeader +
|
|
sizeof(ULONG) +
|
|
sizeof(IMAGE_FILE_HEADER) +
|
|
NtHeader->FileHeader.SizeOfOptionalHeader);
|
|
|
|
//
|
|
// From the image header, locate the section named '.rsrc'.
|
|
//
|
|
|
|
i = NtHeader->FileHeader.NumberOfSections;
|
|
|
|
PointerPte = NULL;
|
|
|
|
while (i > 0) {
|
|
|
|
SectionBaseAddress = SECTION_BASE_ADDRESS(SectionTableEntry);
|
|
|
|
#if defined (_X86_)
|
|
if (*(PULONG)SectionTableEntry->Name == 'rsr.') {
|
|
|
|
MiKernelResourceStartPte = MiGetPteAddress ((ULONG_PTR)CurrentBase +
|
|
SectionTableEntry->VirtualAddress);
|
|
|
|
MiKernelResourceEndPte = MiGetPteAddress (ROUND_TO_PAGES((ULONG_PTR)CurrentBase +
|
|
SectionTableEntry->VirtualAddress +
|
|
SectionTableEntry->SizeOfRawData));
|
|
break;
|
|
}
|
|
#endif
|
|
if (*(PULONG)SectionTableEntry->Name == 'LOOP') {
|
|
if (*(PULONG)&SectionTableEntry->Name[4] == 'EDOC') {
|
|
ExPoolCodeStart = (PVOID)((ULONG_PTR)CurrentBase +
|
|
SectionTableEntry->VirtualAddress);
|
|
ExPoolCodeEnd = (PVOID)((ULONG_PTR)CurrentBase +
|
|
SectionTableEntry->VirtualAddress +
|
|
SectionTableEntry->SizeOfRawData);
|
|
}
|
|
else if (*(PUSHORT)&SectionTableEntry->Name[4] == 'IM') {
|
|
MmPoolCodeStart = (PVOID)((ULONG_PTR)CurrentBase +
|
|
SectionTableEntry->VirtualAddress);
|
|
MmPoolCodeEnd = (PVOID)((ULONG_PTR)CurrentBase +
|
|
SectionTableEntry->VirtualAddress +
|
|
SectionTableEntry->SizeOfRawData);
|
|
}
|
|
}
|
|
else if ((*(PULONG)SectionTableEntry->Name == 'YSIM') &&
|
|
(*(PULONG)&SectionTableEntry->Name[4] == 'ETPS')) {
|
|
MmPteCodeStart = (PVOID)((ULONG_PTR)CurrentBase +
|
|
SectionTableEntry->VirtualAddress);
|
|
MmPteCodeEnd = (PVOID)((ULONG_PTR)CurrentBase +
|
|
SectionTableEntry->VirtualAddress +
|
|
SectionTableEntry->SizeOfRawData);
|
|
}
|
|
|
|
i -= 1;
|
|
SectionTableEntry += 1;
|
|
}
|
|
}
|
|
|
|
VOID
|
|
MmMakeKernelResourceSectionWritable (
|
|
VOID
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function makes the kernel's resource section readwrite so the bugcheck
|
|
code can write into it.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode. Any IRQL.
|
|
|
|
--*/
|
|
|
|
{
|
|
#if defined (_X86_)
|
|
MMPTE TempPte;
|
|
MMPTE PteContents;
|
|
PMMPTE PointerPte;
|
|
|
|
if (MiKernelResourceStartPte == NULL) {
|
|
return;
|
|
}
|
|
|
|
PointerPte = MiKernelResourceStartPte;
|
|
|
|
if (MI_IS_PHYSICAL_ADDRESS (MiGetVirtualAddressMappedByPte (PointerPte))) {
|
|
|
|
//
|
|
// Mapped physically, doesn't need to be made readwrite.
|
|
//
|
|
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Since the entry state and IRQL are unknown, just go through the
|
|
// PTEs without a lock and make them all readwrite.
|
|
//
|
|
|
|
do {
|
|
PteContents = *PointerPte;
|
|
#if defined(NT_UP)
|
|
if (PteContents.u.Hard.Write == 0)
|
|
#else
|
|
if (PteContents.u.Hard.Writable == 0)
|
|
#endif
|
|
{
|
|
MI_MAKE_VALID_PTE (TempPte,
|
|
PteContents.u.Hard.PageFrameNumber,
|
|
MM_READWRITE,
|
|
PointerPte);
|
|
#if !defined(NT_UP)
|
|
TempPte.u.Hard.Writable = 1;
|
|
#endif
|
|
MI_WRITE_VALID_PTE_NEW_PROTECTION (PointerPte, TempPte);
|
|
}
|
|
PointerPte += 1;
|
|
} while (PointerPte < MiKernelResourceEndPte);
|
|
|
|
//
|
|
// Don't do this more than once.
|
|
//
|
|
|
|
MiKernelResourceStartPte = NULL;
|
|
|
|
//
|
|
// Only flush this processor as the state of the others is unknown.
|
|
//
|
|
|
|
KeFlushCurrentTb ();
|
|
#endif
|
|
}
|
|
|
|
#ifdef i386
|
|
PVOID PsNtosImageBase = (PVOID)0x80100000;
|
|
#else
|
|
PVOID PsNtosImageBase;
|
|
#endif
|
|
|
|
#if DBG
|
|
PVOID PsNtosImageEnd;
|
|
#endif
|
|
|
|
#if defined(_AMD64_) // || defined(_IA64_)
|
|
|
|
INVERTED_FUNCTION_TABLE PsInvertedFunctionTable = {
|
|
0, MAXIMUM_INVERTED_FUNCTION_TABLE_SIZE, FALSE};
|
|
|
|
#endif
|
|
|
|
LIST_ENTRY PsLoadedModuleList;
|
|
ERESOURCE PsLoadedModuleResource;
|
|
|
|
LOGICAL
|
|
MiInitializeLoadedModuleList (
|
|
IN PLOADER_PARAMETER_BLOCK LoaderBlock
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function initializes the loaded module list based on the LoaderBlock.
|
|
|
|
Arguments:
|
|
|
|
LoaderBlock - Supplies a pointer to the system loader block.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization.
|
|
|
|
--*/
|
|
|
|
{
|
|
SIZE_T DataTableEntrySize;
|
|
PLIST_ENTRY NextEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry1;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry2;
|
|
|
|
//
|
|
// Initialize the loaded module list executive resource and spin lock.
|
|
//
|
|
|
|
ExInitializeResourceLite (&PsLoadedModuleResource);
|
|
KeInitializeSpinLock (&PsLoadedModuleSpinLock);
|
|
|
|
InitializeListHead (&PsLoadedModuleList);
|
|
|
|
//
|
|
// Scan the loaded module list and allocate and initialize a data table
|
|
// entry for each module. The data table entry is inserted in the loaded
|
|
// module list and the initialization order list in the order specified
|
|
// in the loader parameter block. The data table entry is inserted in the
|
|
// memory order list in memory order.
|
|
//
|
|
|
|
NextEntry = LoaderBlock->LoadOrderListHead.Flink;
|
|
DataTableEntry2 = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
PsNtosImageBase = DataTableEntry2->DllBase;
|
|
|
|
#if DBG
|
|
PsNtosImageEnd = (PVOID) ((ULONG_PTR) DataTableEntry2->DllBase + DataTableEntry2->SizeOfImage);
|
|
#endif
|
|
|
|
MiLocateKernelSections (DataTableEntry2);
|
|
|
|
while (NextEntry != &LoaderBlock->LoadOrderListHead) {
|
|
|
|
DataTableEntry2 = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
//
|
|
// Allocate a data table entry.
|
|
//
|
|
|
|
DataTableEntrySize = sizeof (KLDR_DATA_TABLE_ENTRY) +
|
|
DataTableEntry2->BaseDllName.MaximumLength + sizeof(UNICODE_NULL);
|
|
|
|
DataTableEntry1 = ExAllocatePoolWithTag (NonPagedPool,
|
|
DataTableEntrySize,
|
|
'dLmM');
|
|
|
|
if (DataTableEntry1 == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
ASSERT (sizeof(KLDR_DATA_TABLE_ENTRY) == sizeof(LDR_DATA_TABLE_ENTRY));
|
|
|
|
//
|
|
// Copy the data table entry.
|
|
//
|
|
|
|
*DataTableEntry1 = *DataTableEntry2;
|
|
|
|
//
|
|
// Clear fields we may use later so they don't inherit irrelevant
|
|
// loader values.
|
|
//
|
|
|
|
((PKLDR_DATA_TABLE_ENTRY)DataTableEntry1)->NonPagedDebugInfo = NULL;
|
|
|
|
DataTableEntry1->FullDllName.Buffer = ExAllocatePoolWithTag (PagedPool,
|
|
DataTableEntry2->FullDllName.MaximumLength + sizeof(UNICODE_NULL),
|
|
'TDmM');
|
|
|
|
if (DataTableEntry1->FullDllName.Buffer == NULL) {
|
|
ExFreePool (DataTableEntry1);
|
|
return FALSE;
|
|
}
|
|
|
|
DataTableEntry1->BaseDllName.Buffer = (PWSTR)((ULONG_PTR)DataTableEntry1 + sizeof (KLDR_DATA_TABLE_ENTRY));
|
|
|
|
//
|
|
// Copy the strings.
|
|
//
|
|
|
|
RtlCopyMemory (DataTableEntry1->FullDllName.Buffer,
|
|
DataTableEntry2->FullDllName.Buffer,
|
|
DataTableEntry1->FullDllName.MaximumLength);
|
|
|
|
RtlCopyMemory (DataTableEntry1->BaseDllName.Buffer,
|
|
DataTableEntry2->BaseDllName.Buffer,
|
|
DataTableEntry1->BaseDllName.MaximumLength);
|
|
|
|
DataTableEntry1->BaseDllName.Buffer[DataTableEntry1->BaseDllName.Length/sizeof(WCHAR)] = UNICODE_NULL;
|
|
|
|
//
|
|
// Insert the data table entry in the load order list in the order
|
|
// they are specified.
|
|
//
|
|
|
|
InsertTailList(&PsLoadedModuleList,
|
|
&DataTableEntry1->InLoadOrderLinks);
|
|
|
|
#if defined(_AMD64_) // || defined(_IA64_)
|
|
|
|
RtlInsertInvertedFunctionTable (&PsInvertedFunctionTable,
|
|
DataTableEntry1->DllBase,
|
|
DataTableEntry1->SizeOfImage);
|
|
|
|
#endif
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
MiBuildImportsForBootDrivers ();
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
NTSTATUS
|
|
MmCallDllInitialize (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry,
|
|
IN PLIST_ENTRY ModuleListHead
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function calls the DLL's initialize routine.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the kernel's data table entry.
|
|
|
|
Return Value:
|
|
|
|
Various NTSTATUS error codes.
|
|
|
|
Environment:
|
|
|
|
Kernel mode.
|
|
|
|
--*/
|
|
|
|
{
|
|
NTSTATUS st;
|
|
PWCHAR Dot;
|
|
PMM_DLL_INITIALIZE Func;
|
|
UNICODE_STRING RegistryPath;
|
|
UNICODE_STRING ImportName;
|
|
ULONG ThunksAdded;
|
|
|
|
Func = (PMM_DLL_INITIALIZE)(ULONG_PTR)MiLocateExportName (DataTableEntry->DllBase, "DllInitialize");
|
|
|
|
if (!Func) {
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
ImportName.MaximumLength = DataTableEntry->BaseDllName.Length;
|
|
ImportName.Buffer = ExAllocatePoolWithTag (NonPagedPool,
|
|
ImportName.MaximumLength,
|
|
'TDmM');
|
|
|
|
if (ImportName.Buffer == NULL) {
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
ImportName.Length = DataTableEntry->BaseDllName.Length;
|
|
RtlCopyMemory (ImportName.Buffer,
|
|
DataTableEntry->BaseDllName.Buffer,
|
|
ImportName.Length);
|
|
|
|
RegistryPath.MaximumLength = (USHORT)(CmRegistryMachineSystemCurrentControlSetServices.Length +
|
|
ImportName.Length +
|
|
2*sizeof(WCHAR));
|
|
|
|
RegistryPath.Buffer = ExAllocatePoolWithTag (NonPagedPool,
|
|
RegistryPath.MaximumLength,
|
|
'TDmM');
|
|
|
|
if (RegistryPath.Buffer == NULL) {
|
|
ExFreePool (ImportName.Buffer);
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
RegistryPath.Length = CmRegistryMachineSystemCurrentControlSetServices.Length;
|
|
RtlCopyMemory (RegistryPath.Buffer,
|
|
CmRegistryMachineSystemCurrentControlSetServices.Buffer,
|
|
CmRegistryMachineSystemCurrentControlSetServices.Length);
|
|
|
|
RtlAppendUnicodeToString (&RegistryPath, (const PUSHORT)L"\\");
|
|
Dot = wcschr (ImportName.Buffer, L'.');
|
|
if (Dot) {
|
|
ImportName.Length = (USHORT)((Dot - ImportName.Buffer) * sizeof(WCHAR));
|
|
}
|
|
|
|
RtlAppendUnicodeStringToString (&RegistryPath, &ImportName);
|
|
ExFreePool (ImportName.Buffer);
|
|
|
|
//
|
|
// Save the number of verifier thunks currently added so we know
|
|
// if this activation adds any. To extend the thunk list, the module
|
|
// performs an NtSetSystemInformation call which calls back to the
|
|
// verifier's MmAddVerifierThunks, which increments MiVerifierThunksAdded.
|
|
//
|
|
|
|
ThunksAdded = MiVerifierThunksAdded;
|
|
|
|
//
|
|
// Invoke the DLL's initialization routine.
|
|
//
|
|
|
|
st = Func (&RegistryPath);
|
|
|
|
ExFreePool (RegistryPath.Buffer);
|
|
|
|
//
|
|
// If the module's initialization routine succeeded, and if it extended
|
|
// the verifier thunk list, and this is boot time, reapply the verifier
|
|
// to the loaded modules.
|
|
//
|
|
// Note that boot time is the special case because after boot time, Mm
|
|
// loads all the DLLs itself and a DLL initialize is thus guaranteed to
|
|
// complete and add its thunks before the importing driver load finishes.
|
|
// Since the importing driver is only thunked after its load finishes,
|
|
// ordering implicitly guarantees that all DLL-registered thunks are
|
|
// properly factored in to the importing driver.
|
|
//
|
|
// Boot time is special because the loader (not the Mm) already loaded
|
|
// the DLLs *AND* the importing drivers so we have to look over our
|
|
// shoulder and make it all right after the fact.
|
|
//
|
|
|
|
if ((NT_SUCCESS(st)) &&
|
|
(MiFirstDriverLoadEver == 0) &&
|
|
(MiVerifierThunksAdded != ThunksAdded)) {
|
|
|
|
MiReApplyVerifierToLoadedModules (ModuleListHead);
|
|
}
|
|
|
|
return st;
|
|
}
|
|
|
|
NTKERNELAPI
|
|
PVOID
|
|
MmGetSystemRoutineAddress (
|
|
IN PUNICODE_STRING SystemRoutineName
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function returns the address of the argument function pointer if
|
|
it is in the kernel or HAL, NULL if it is not.
|
|
|
|
Arguments:
|
|
|
|
SystemRoutineName - Supplies the name of the desired routine.
|
|
|
|
Return Value:
|
|
|
|
Non-NULL function pointer if successful. NULL if not.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, PASSIVE_LEVEL, arbitrary process context.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKTHREAD CurrentThread;
|
|
NTSTATUS Status;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
ANSI_STRING AnsiString;
|
|
PLIST_ENTRY NextEntry;
|
|
UNICODE_STRING KernelString;
|
|
UNICODE_STRING HalString;
|
|
PVOID FunctionAddress;
|
|
LOGICAL Found;
|
|
ULONG EntriesChecked;
|
|
|
|
ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL);
|
|
|
|
EntriesChecked = 0;
|
|
FunctionAddress = NULL;
|
|
|
|
RtlInitUnicodeString (&KernelString, (const PUSHORT)L"ntoskrnl.exe");
|
|
RtlInitUnicodeString (&HalString, (const PUSHORT)L"hal.dll");
|
|
|
|
do {
|
|
Status = RtlUnicodeStringToAnsiString (&AnsiString,
|
|
SystemRoutineName,
|
|
TRUE);
|
|
|
|
if (NT_SUCCESS (Status)) {
|
|
break;
|
|
}
|
|
|
|
KeDelayExecutionThread (KernelMode, FALSE, (PLARGE_INTEGER)&MmShortTime);
|
|
|
|
} while (TRUE);
|
|
|
|
//
|
|
// Arbitrary process context so prevent suspend APCs now.
|
|
//
|
|
|
|
CurrentThread = KeGetCurrentThread ();
|
|
KeEnterCriticalRegionThread (CurrentThread);
|
|
ExAcquireResourceSharedLite (&PsLoadedModuleResource, TRUE);
|
|
|
|
//
|
|
// Check only the kernel and the HAL for exports.
|
|
//
|
|
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
while (NextEntry != &PsLoadedModuleList) {
|
|
|
|
Found = FALSE;
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
if (RtlEqualUnicodeString (&KernelString,
|
|
&DataTableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
Found = TRUE;
|
|
EntriesChecked += 1;
|
|
|
|
}
|
|
else if (RtlEqualUnicodeString (&HalString,
|
|
&DataTableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
Found = TRUE;
|
|
EntriesChecked += 1;
|
|
}
|
|
|
|
if (Found == TRUE) {
|
|
|
|
FunctionAddress = MiFindExportedRoutineByName (DataTableEntry->DllBase,
|
|
&AnsiString);
|
|
|
|
if (FunctionAddress != NULL) {
|
|
break;
|
|
}
|
|
|
|
if (EntriesChecked == 2) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
ExReleaseResourceLite (&PsLoadedModuleResource);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
RtlFreeAnsiString (&AnsiString);
|
|
|
|
return FunctionAddress;
|
|
}
|
|
|
|
PVOID
|
|
MiFindExportedRoutineByName (
|
|
IN PVOID DllBase,
|
|
IN PANSI_STRING AnsiImageRoutineName
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function searches the argument module looking for the requested
|
|
exported function name.
|
|
|
|
Arguments:
|
|
|
|
DllBase - Supplies the base address of the requested module.
|
|
|
|
AnsiImageRoutineName - Supplies the ANSI routine name being searched for.
|
|
|
|
Return Value:
|
|
|
|
The virtual address of the requested routine or NULL if not found.
|
|
|
|
--*/
|
|
|
|
{
|
|
USHORT OrdinalNumber;
|
|
PULONG NameTableBase;
|
|
PUSHORT NameOrdinalTableBase;
|
|
PULONG Addr;
|
|
ULONG High;
|
|
ULONG Low;
|
|
ULONG Middle;
|
|
LONG Result;
|
|
ULONG ExportSize;
|
|
PVOID FunctionAddress;
|
|
PIMAGE_EXPORT_DIRECTORY ExportDirectory;
|
|
|
|
PAGED_CODE();
|
|
|
|
ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData(
|
|
DllBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_EXPORT,
|
|
&ExportSize
|
|
);
|
|
|
|
if (ExportDirectory == NULL) {
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// Initialize the pointer to the array of RVA-based ansi export strings.
|
|
//
|
|
|
|
NameTableBase = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNames);
|
|
|
|
//
|
|
// Initialize the pointer to the array of USHORT ordinal numbers.
|
|
//
|
|
|
|
NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
|
|
|
|
//
|
|
// Lookup the desired name in the name table using a binary search.
|
|
//
|
|
|
|
Low = 0;
|
|
High = ExportDirectory->NumberOfNames - 1;
|
|
|
|
//
|
|
// Initializing Middle is not needed for correctness, but without it
|
|
// the compiler cannot compile this code W4 to check for use of
|
|
// uninitialized variables.
|
|
//
|
|
|
|
Middle = 0;
|
|
|
|
while (High >= Low) {
|
|
|
|
//
|
|
// Compute the next probe index and compare the import name
|
|
// with the export name entry.
|
|
//
|
|
|
|
Middle = (Low + High) >> 1;
|
|
|
|
Result = strcmp (AnsiImageRoutineName->Buffer,
|
|
(PCHAR)DllBase + NameTableBase[Middle]);
|
|
|
|
if (Result < 0) {
|
|
High = Middle - 1;
|
|
}
|
|
else if (Result > 0) {
|
|
Low = Middle + 1;
|
|
}
|
|
else {
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// If the high index is less than the low index, then a matching
|
|
// table entry was not found. Otherwise, get the ordinal number
|
|
// from the ordinal table.
|
|
//
|
|
|
|
if ((LONG)High < (LONG)Low) {
|
|
return NULL;
|
|
}
|
|
|
|
OrdinalNumber = NameOrdinalTableBase[Middle];
|
|
|
|
//
|
|
// If the OrdinalNumber is not within the Export Address Table,
|
|
// then this image does not implement the function. Return not found.
|
|
//
|
|
|
|
if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions) {
|
|
return NULL;
|
|
}
|
|
|
|
//
|
|
// Index into the array of RVA export addresses by ordinal number.
|
|
//
|
|
|
|
Addr = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
|
|
|
|
FunctionAddress = (PVOID)((PCHAR)DllBase + Addr[OrdinalNumber]);
|
|
|
|
//
|
|
// Forwarders are not used by the kernel and HAL to each other.
|
|
//
|
|
|
|
ASSERT ((FunctionAddress <= (PVOID)ExportDirectory) ||
|
|
(FunctionAddress >= (PVOID)((PCHAR)ExportDirectory + ExportSize)));
|
|
|
|
return FunctionAddress;
|
|
}
|
|
|
|
#if _MI_DEBUG_RONLY
|
|
|
|
PMMPTE MiSessionDataStartPte;
|
|
PMMPTE MiSessionDataEndPte;
|
|
|
|
VOID
|
|
MiAssertNotSessionData (
|
|
IN PMMPTE PointerPte
|
|
)
|
|
{
|
|
if (MI_IS_SESSION_IMAGE_PTE (PointerPte)) {
|
|
if ((PointerPte >= MiSessionDataStartPte) &&
|
|
(PointerPte <= MiSessionDataEndPte)) {
|
|
KeBugCheckEx (MEMORY_MANAGEMENT,
|
|
0x41287,
|
|
(ULONG_PTR) PointerPte,
|
|
0,
|
|
0);
|
|
}
|
|
}
|
|
}
|
|
|
|
VOID
|
|
MiLogSessionDataStart (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
)
|
|
{
|
|
LONG i;
|
|
PVOID CurrentBase;
|
|
PIMAGE_NT_HEADERS NtHeader;
|
|
PIMAGE_SECTION_HEADER SectionTableEntry;
|
|
PVOID DataStart;
|
|
PVOID DataEnd;
|
|
|
|
if (MiSessionDataStartPte != NULL) {
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Crack the image header to mark the data.
|
|
//
|
|
|
|
CurrentBase = (PVOID)DataTableEntry->DllBase;
|
|
|
|
NtHeader = RtlImageNtHeader(CurrentBase);
|
|
|
|
SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeader +
|
|
sizeof(ULONG) +
|
|
sizeof(IMAGE_FILE_HEADER) +
|
|
NtHeader->FileHeader.SizeOfOptionalHeader);
|
|
|
|
i = NtHeader->FileHeader.NumberOfSections;
|
|
|
|
while (i > 0) {
|
|
|
|
//
|
|
// Save the start and end of the data section.
|
|
//
|
|
|
|
if ((*(PULONG)SectionTableEntry->Name == 0x7461642e) &&
|
|
(*(PULONG)&SectionTableEntry->Name[4] == 0x61)) {
|
|
|
|
DataStart = (PVOID)((PCHAR)CurrentBase + SectionTableEntry->VirtualAddress);
|
|
DataEnd = (PVOID)((PCHAR)DataStart + SectionTableEntry->SizeOfRawData - 1);
|
|
|
|
MiSessionDataStartPte = MiGetPteAddress (DataStart);
|
|
MiSessionDataEndPte = MiGetPteAddress (DataEnd);
|
|
break;
|
|
}
|
|
i -= 1;
|
|
SectionTableEntry += 1;
|
|
}
|
|
}
|
|
#endif
|