mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7079 lines
182 KiB
7079 lines
182 KiB
/*++
|
|
|
|
Copyright (c) 1989 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
verifier.c
|
|
|
|
Abstract:
|
|
|
|
This module contains the routines to verify the system kernel, HAL and
|
|
drivers.
|
|
|
|
Author:
|
|
|
|
Landy Wang (landyw) 3-Sep-1998
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
#include "mi.h"
|
|
|
|
#define THUNKED_API
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierAllocatePool (
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes
|
|
);
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierAllocatePoolWithTag (
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag
|
|
);
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierAllocatePoolWithQuotaTag (
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag
|
|
);
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierAllocatePoolWithTagPriority (
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag,
|
|
IN EX_POOL_PRIORITY Priority
|
|
);
|
|
|
|
PVOID
|
|
VeAllocatePoolWithTagPriority (
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag,
|
|
IN EX_POOL_PRIORITY Priority,
|
|
IN PVOID CallingAddress
|
|
);
|
|
|
|
VOID
|
|
VerifierFreePool (
|
|
IN PVOID P
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierFreePoolWithTag (
|
|
IN PVOID P,
|
|
IN ULONG TagToFree
|
|
);
|
|
|
|
THUNKED_API
|
|
LONG
|
|
VerifierSetEvent (
|
|
IN PRKEVENT Event,
|
|
IN KPRIORITY Increment,
|
|
IN BOOLEAN Wait
|
|
);
|
|
|
|
THUNKED_API
|
|
KIRQL
|
|
FASTCALL
|
|
VerifierKfRaiseIrql (
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
KIRQL
|
|
VerifierKeRaiseIrqlToDpcLevel (
|
|
VOID
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierKfLowerIrql (
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeRaiseIrql (
|
|
IN KIRQL NewIrql,
|
|
OUT PKIRQL OldIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeLowerIrql (
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeAcquireSpinLock (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
OUT PKIRQL OldIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeReleaseSpinLock (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
#if defined(_X86_)
|
|
FASTCALL
|
|
#endif
|
|
VerifierKeAcquireSpinLockAtDpcLevel (
|
|
IN PKSPIN_LOCK SpinLock
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
#if defined(_X86_)
|
|
FASTCALL
|
|
#endif
|
|
VerifierKeReleaseSpinLockFromDpcLevel (
|
|
IN PKSPIN_LOCK SpinLock
|
|
);
|
|
|
|
THUNKED_API
|
|
KIRQL
|
|
FASTCALL
|
|
VerifierKfAcquireSpinLock (
|
|
IN PKSPIN_LOCK SpinLock
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierKfReleaseSpinLock (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
#if !defined(_X86_)
|
|
THUNKED_API
|
|
KIRQL
|
|
VerifierKeAcquireSpinLockRaiseToDpc (
|
|
IN PKSPIN_LOCK SpinLock
|
|
);
|
|
#endif
|
|
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeTimerEx (
|
|
IN PKTIMER Timer,
|
|
IN TIMER_TYPE Type
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeTimer (
|
|
IN PKTIMER Timer
|
|
);
|
|
|
|
THUNKED_API
|
|
BOOLEAN
|
|
FASTCALL
|
|
VerifierExTryToAcquireFastMutex (
|
|
IN PFAST_MUTEX FastMutex
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExAcquireFastMutex (
|
|
IN PFAST_MUTEX FastMutex
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExReleaseFastMutex (
|
|
IN PFAST_MUTEX FastMutex
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExAcquireFastMutexUnsafe (
|
|
IN PFAST_MUTEX FastMutex
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExReleaseFastMutexUnsafe (
|
|
IN PFAST_MUTEX FastMutex
|
|
);
|
|
|
|
THUNKED_API
|
|
BOOLEAN
|
|
VerifierExAcquireResourceExclusiveLite (
|
|
IN PERESOURCE Resource,
|
|
IN BOOLEAN Wait
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExReleaseResourceLite (
|
|
IN PERESOURCE Resource
|
|
);
|
|
|
|
THUNKED_API
|
|
KIRQL
|
|
FASTCALL
|
|
VerifierKeAcquireQueuedSpinLock (
|
|
IN KSPIN_LOCK_QUEUE_NUMBER Number
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierKeReleaseQueuedSpinLock (
|
|
IN KSPIN_LOCK_QUEUE_NUMBER Number,
|
|
IN KIRQL OldIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
BOOLEAN
|
|
VerifierSynchronizeExecution (
|
|
IN PKINTERRUPT Interrupt,
|
|
IN PKSYNCHRONIZE_ROUTINE SynchronizeRoutine,
|
|
IN PVOID SynchronizeContext
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierProbeAndLockPages (
|
|
IN OUT PMDL MemoryDescriptorList,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN LOCK_OPERATION Operation
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierProbeAndLockProcessPages (
|
|
IN OUT PMDL MemoryDescriptorList,
|
|
IN PEPROCESS Process,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN LOCK_OPERATION Operation
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierProbeAndLockSelectedPages (
|
|
IN OUT PMDL MemoryDescriptorList,
|
|
IN PFILE_SEGMENT_ELEMENT SegmentArray,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN LOCK_OPERATION Operation
|
|
);
|
|
|
|
VOID
|
|
VerifierUnlockPages (
|
|
IN OUT PMDL MemoryDescriptorList
|
|
);
|
|
|
|
VOID
|
|
VerifierUnmapLockedPages (
|
|
IN PVOID BaseAddress,
|
|
IN PMDL MemoryDescriptorList
|
|
);
|
|
|
|
VOID
|
|
VerifierUnmapIoSpace (
|
|
IN PVOID BaseAddress,
|
|
IN SIZE_T NumberOfBytes
|
|
);
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierMapIoSpace (
|
|
IN PHYSICAL_ADDRESS PhysicalAddress,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN MEMORY_CACHING_TYPE CacheType
|
|
);
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierMapLockedPages (
|
|
IN PMDL MemoryDescriptorList,
|
|
IN KPROCESSOR_MODE AccessMode
|
|
);
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierMapLockedPagesSpecifyCache (
|
|
IN PMDL MemoryDescriptorList,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN MEMORY_CACHING_TYPE CacheType,
|
|
IN PVOID RequestedAddress,
|
|
IN ULONG BugCheckOnFailure,
|
|
IN MM_PAGE_PRIORITY Priority
|
|
);
|
|
|
|
THUNKED_API
|
|
NTSTATUS
|
|
VerifierKeWaitForSingleObject (
|
|
IN PVOID Object,
|
|
IN KWAIT_REASON WaitReason,
|
|
IN KPROCESSOR_MODE WaitMode,
|
|
IN BOOLEAN Alertable,
|
|
IN PLARGE_INTEGER Timeout OPTIONAL
|
|
);
|
|
|
|
THUNKED_API
|
|
LONG
|
|
VerifierKeReleaseMutex (
|
|
IN PRKMUTEX Mutex,
|
|
IN BOOLEAN Wait
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeMutex (
|
|
IN PRKMUTEX Mutex,
|
|
IN ULONG Level
|
|
);
|
|
|
|
THUNKED_API
|
|
LONG
|
|
VerifierKeReleaseMutant(
|
|
IN PRKMUTANT Mutant,
|
|
IN KPRIORITY Increment,
|
|
IN BOOLEAN Abandoned,
|
|
IN BOOLEAN Wait
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeMutant(
|
|
IN PRKMUTANT Mutant,
|
|
IN BOOLEAN InitialOwner
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeSpinLock (
|
|
IN PKSPIN_LOCK SpinLock
|
|
);
|
|
|
|
VOID
|
|
ViCheckMdlPages (
|
|
IN PMDL MemoryDescriptorList,
|
|
IN MEMORY_CACHING_TYPE CacheType
|
|
);
|
|
|
|
VOID
|
|
ViFreeTrackedPool (
|
|
IN PVOID VirtualAddress,
|
|
IN SIZE_T ChargedBytes,
|
|
IN LOGICAL CheckType,
|
|
IN LOGICAL SpecialPool
|
|
);
|
|
|
|
VOID
|
|
VerifierFreeTrackedPool (
|
|
IN PVOID VirtualAddress,
|
|
IN SIZE_T ChargedBytes,
|
|
IN LOGICAL CheckType,
|
|
IN LOGICAL SpecialPool
|
|
);
|
|
|
|
VOID
|
|
ViPrintString (
|
|
IN PUNICODE_STRING DriverName
|
|
);
|
|
|
|
LOGICAL
|
|
ViInjectResourceFailure (
|
|
VOID
|
|
);
|
|
|
|
VOID
|
|
ViTrimAllSystemPagableMemory (
|
|
VOID
|
|
);
|
|
|
|
VOID
|
|
ViInitializeEntry (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
|
|
IN LOGICAL FirstLoad
|
|
);
|
|
|
|
LOGICAL
|
|
ViReservePoolAllocation (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier
|
|
);
|
|
|
|
ULONG_PTR
|
|
ViInsertPoolAllocation (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
|
|
IN PVOID VirtualAddress,
|
|
IN PVOID CallingAddress,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag
|
|
);
|
|
|
|
VOID
|
|
ViCancelPoolAllocation (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier
|
|
);
|
|
|
|
VOID
|
|
ViReleasePoolAllocation (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
|
|
IN PVOID VirtualAddress,
|
|
IN ULONG_PTR ListIndex,
|
|
IN SIZE_T ChargedBytes
|
|
);
|
|
|
|
VOID
|
|
KfSanityCheckRaiseIrql (
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
VOID
|
|
KfSanityCheckLowerIrql (
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
NTSTATUS
|
|
VerifierReferenceObjectByHandle (
|
|
IN HANDLE Handle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_TYPE ObjectType OPTIONAL,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
OUT PVOID *Object,
|
|
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
|
|
);
|
|
|
|
MM_DRIVER_VERIFIER_DATA MmVerifierData;
|
|
|
|
//
|
|
// Any flags which can be modified on the fly without rebooting are set here.
|
|
//
|
|
|
|
ULONG VerifierModifyableOptions;
|
|
ULONG VerifierOptionChanges;
|
|
|
|
LIST_ENTRY MiSuspectDriverList;
|
|
|
|
LOGICAL MiVerifyAllDrivers;
|
|
|
|
WCHAR MiVerifyRandomDrivers;
|
|
|
|
ULONG MiActiveVerifies;
|
|
|
|
ULONG MiActiveVerifierThunks;
|
|
|
|
ULONG MiNoPageOnRaiseIrql;
|
|
|
|
ULONG MiVerifierStackProtectTime;
|
|
|
|
LOGICAL MmDontVerifyRandomDrivers = TRUE;
|
|
|
|
LOGICAL VerifierSystemSufficientlyBooted;
|
|
|
|
LARGE_INTEGER VerifierRequiredTimeSinceBoot = {(ULONG)(40 * 1000 * 1000 * 10), 1};
|
|
|
|
LOGICAL VerifierIsTrackingPool = FALSE;
|
|
|
|
KSPIN_LOCK VerifierListLock;
|
|
|
|
KSPIN_LOCK VerifierPoolLock;
|
|
|
|
FAST_MUTEX VerifierPoolMutex;
|
|
|
|
PRTL_BITMAP VerifierLargePagedPoolMap;
|
|
|
|
LIST_ENTRY MiVerifierDriverAddedThunkListHead;
|
|
|
|
extern LOGICAL MmSpecialPoolCatchOverruns;
|
|
|
|
LOGICAL KernelVerifier = FALSE;
|
|
|
|
ULONG KernelVerifierTickPage = 0x7;
|
|
|
|
ULONG MiVerifierThunksAdded;
|
|
|
|
PDRIVER_VERIFIER_THUNK_ROUTINE
|
|
MiResolveVerifierExports (
|
|
IN PLOADER_PARAMETER_BLOCK LoaderBlock,
|
|
IN PCHAR PristineName
|
|
);
|
|
|
|
LOGICAL
|
|
MiEnableVerifier (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
);
|
|
|
|
LOGICAL
|
|
MiReEnableVerifier (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
);
|
|
|
|
VOID
|
|
ViInsertVerifierEntry (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier
|
|
);
|
|
|
|
PVOID
|
|
ViPostPoolAllocation (
|
|
IN PVOID VirtualAddress,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG Tag,
|
|
IN PVOID CallingAddress
|
|
);
|
|
|
|
PMI_VERIFIER_DRIVER_ENTRY
|
|
ViLocateVerifierEntry (
|
|
IN PVOID SystemAddress
|
|
);
|
|
|
|
VOID
|
|
MiVerifierCheckThunks (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
);
|
|
|
|
//
|
|
// Track irqls functions
|
|
//
|
|
|
|
VOID
|
|
ViTrackIrqlInitialize (
|
|
);
|
|
|
|
VOID
|
|
ViTrackIrqlLog (
|
|
IN KIRQL CurrentIrql,
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
//
|
|
// Fault injection stack trace log
|
|
//
|
|
|
|
#if defined(_X86_)
|
|
|
|
VOID
|
|
ViFaultTracesInitialize (
|
|
);
|
|
|
|
VOID
|
|
ViFaultTracesLog (
|
|
);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef ALLOC_PRAGMA
|
|
#pragma alloc_text(INIT,MiInitializeDriverVerifierList)
|
|
#pragma alloc_text(INIT,MiInitializeVerifyingComponents)
|
|
#pragma alloc_text(INIT,ViTrackIrqlInitialize)
|
|
#pragma alloc_text(INIT,MiResolveVerifierExports)
|
|
#if defined(_X86_)
|
|
#pragma alloc_text(INIT,MiEnableKernelVerifier)
|
|
#pragma alloc_text(INIT,ViFaultTracesInitialize)
|
|
#endif
|
|
#pragma alloc_text(PAGE,MiApplyDriverVerifier)
|
|
#pragma alloc_text(PAGE,MiEnableVerifier)
|
|
#pragma alloc_text(INIT,MiReEnableVerifier)
|
|
#pragma alloc_text(PAGE,ViPrintString)
|
|
#pragma alloc_text(PAGE,MmGetVerifierInformation)
|
|
#pragma alloc_text(PAGE,MmSetVerifierInformation)
|
|
#pragma alloc_text(PAGE,MmAddVerifierThunks)
|
|
#pragma alloc_text(PAGE,MmIsVerifierEnabled)
|
|
#pragma alloc_text(PAGE,MiVerifierCheckThunks)
|
|
#pragma alloc_text(PAGEVRFY,MiVerifyingDriverUnloading)
|
|
|
|
#pragma alloc_text(PAGE,MmAddVerifierEntry)
|
|
#pragma alloc_text(PAGE,MmRemoveVerifierEntry)
|
|
#pragma alloc_text(INIT,MiReApplyVerifierToLoadedModules)
|
|
#pragma alloc_text(PAGEVRFY,VerifierProbeAndLockPages)
|
|
#pragma alloc_text(PAGEVRFY,VerifierProbeAndLockProcessPages)
|
|
#pragma alloc_text(PAGEVRFY,VerifierProbeAndLockSelectedPages)
|
|
#pragma alloc_text(PAGEVRFY,VerifierUnlockPages)
|
|
#pragma alloc_text(PAGEVRFY,VerifierMapIoSpace)
|
|
#pragma alloc_text(PAGEVRFY,VerifierMapLockedPages)
|
|
#pragma alloc_text(PAGEVRFY,VerifierMapLockedPagesSpecifyCache)
|
|
#pragma alloc_text(PAGEVRFY,VerifierUnmapLockedPages)
|
|
#pragma alloc_text(PAGEVRFY,VerifierUnmapIoSpace)
|
|
#pragma alloc_text(PAGEVRFY,VerifierAllocatePool)
|
|
#pragma alloc_text(PAGEVRFY,VerifierAllocatePoolWithTag)
|
|
#pragma alloc_text(PAGEVRFY,VerifierAllocatePoolWithTagPriority)
|
|
#pragma alloc_text(PAGEVRFY,VerifierAllocatePoolWithQuotaTag)
|
|
#pragma alloc_text(PAGEVRFY,VerifierFreePool)
|
|
#pragma alloc_text(PAGEVRFY,VerifierFreePoolWithTag)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeWaitForSingleObject)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKfRaiseIrql)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeRaiseIrqlToDpcLevel)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKfLowerIrql)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeRaiseIrql)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeLowerIrql)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeAcquireSpinLock)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeReleaseSpinLock)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeAcquireSpinLockAtDpcLevel)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeReleaseSpinLockFromDpcLevel)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKfAcquireSpinLock)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKfReleaseSpinLock)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeInitializeTimer)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeInitializeTimerEx)
|
|
#pragma alloc_text(PAGEVRFY,VerifierExTryToAcquireFastMutex)
|
|
#pragma alloc_text(PAGEVRFY,VerifierExAcquireFastMutex)
|
|
#pragma alloc_text(PAGEVRFY,VerifierExReleaseFastMutex)
|
|
#pragma alloc_text(PAGEVRFY,VerifierExAcquireFastMutexUnsafe)
|
|
#pragma alloc_text(PAGEVRFY,VerifierExReleaseFastMutexUnsafe)
|
|
#pragma alloc_text(PAGEVRFY,VerifierExAcquireResourceExclusiveLite)
|
|
#pragma alloc_text(PAGEVRFY,VerifierExReleaseResourceLite)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeAcquireQueuedSpinLock)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeReleaseQueuedSpinLock)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeReleaseMutex)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeInitializeMutex)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeReleaseMutant)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeInitializeMutant)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeInitializeSpinLock)
|
|
#pragma alloc_text(PAGEVRFY,VerifierSynchronizeExecution)
|
|
#pragma alloc_text(PAGEVRFY,VerifierReferenceObjectByHandle)
|
|
#pragma alloc_text(PAGEVRFY,VerifierSetEvent)
|
|
|
|
#pragma alloc_text(PAGEVRFY,ViFreeTrackedPool)
|
|
|
|
#pragma alloc_text(PAGEVRFY,VeAllocatePoolWithTagPriority)
|
|
#pragma alloc_text(PAGEVRFY,ViCheckMdlPages)
|
|
#pragma alloc_text(PAGEVRFY,ViInsertVerifierEntry)
|
|
#pragma alloc_text(PAGEVRFY,ViLocateVerifierEntry)
|
|
#pragma alloc_text(PAGEVRFY,ViPostPoolAllocation)
|
|
#pragma alloc_text(PAGEVRFY,ViInjectResourceFailure)
|
|
#pragma alloc_text(PAGEVRFY,ViTrimAllSystemPagableMemory)
|
|
#pragma alloc_text(PAGEVRFY,ViInitializeEntry)
|
|
#pragma alloc_text(PAGEVRFY,ViReservePoolAllocation)
|
|
#pragma alloc_text(PAGEVRFY,ViInsertPoolAllocation)
|
|
#pragma alloc_text(PAGEVRFY,ViCancelPoolAllocation)
|
|
#pragma alloc_text(PAGEVRFY,ViReleasePoolAllocation)
|
|
#pragma alloc_text(PAGEVRFY,KfSanityCheckRaiseIrql)
|
|
#pragma alloc_text(PAGEVRFY,KfSanityCheckLowerIrql)
|
|
#pragma alloc_text(PAGEVRFY,ViTrackIrqlLog)
|
|
|
|
#if defined(_X86_)
|
|
#pragma alloc_text(PAGEVRFY,ViFaultTracesLog)
|
|
#endif
|
|
|
|
#if !defined(_X86_)
|
|
#pragma alloc_text(PAGEVRFY,VerifierKeAcquireSpinLockRaiseToDpc)
|
|
#endif
|
|
|
|
#endif
|
|
|
|
typedef struct _VERIFIER_THUNKS {
|
|
union {
|
|
PCHAR PristineRoutineAsciiName;
|
|
|
|
//
|
|
// The actual pristine routine address is derived from exports
|
|
//
|
|
|
|
PDRIVER_VERIFIER_THUNK_ROUTINE PristineRoutine;
|
|
};
|
|
PDRIVER_VERIFIER_THUNK_ROUTINE NewRoutine;
|
|
} VERIFIER_THUNKS, *PVERIFIER_THUNKS;
|
|
|
|
extern const VERIFIER_THUNKS MiVerifierThunks[];
|
|
extern const VERIFIER_THUNKS MiVerifierPoolThunks[];
|
|
|
|
#if defined (_X86_)
|
|
|
|
#define VI_KE_RAISE_IRQL 0
|
|
#define VI_KE_LOWER_IRQL 1
|
|
#define VI_KE_ACQUIRE_SPINLOCK 2
|
|
#define VI_KE_RELEASE_SPINLOCK 3
|
|
#define VI_KF_RAISE_IRQL 4
|
|
#define VI_KE_RAISE_IRQL_TO_DPC_LEVEL 5
|
|
#define VI_KF_LOWER_IRQL 6
|
|
#define VI_KF_ACQUIRE_SPINLOCK 7
|
|
#define VI_KF_RELEASE_SPINLOCK 8
|
|
#define VI_KE_ACQUIRE_QUEUED_SPINLOCK 9
|
|
#define VI_KE_RELEASE_QUEUED_SPINLOCK 10
|
|
|
|
#define VI_HALMAX 11
|
|
|
|
PVOID MiKernelVerifierOriginalCalls[VI_HALMAX];
|
|
|
|
#endif
|
|
|
|
//
|
|
// Track irql package declarations
|
|
//
|
|
|
|
#define VI_TRACK_IRQL_TRACE_LENGTH 5
|
|
|
|
typedef struct _VI_TRACK_IRQL {
|
|
|
|
PVOID Thread;
|
|
KIRQL OldIrql;
|
|
KIRQL NewIrql;
|
|
UCHAR Processor;
|
|
ULONG TickCount;
|
|
PVOID StackTrace [VI_TRACK_IRQL_TRACE_LENGTH];
|
|
|
|
} VI_TRACK_IRQL, *PVI_TRACK_IRQL;
|
|
|
|
PVI_TRACK_IRQL ViTrackIrqlQueue;
|
|
ULONG ViTrackIrqlIndex;
|
|
ULONG ViTrackIrqlQueueLength = 128;
|
|
|
|
VOID
|
|
ViTrackIrqlInitialize (
|
|
)
|
|
{
|
|
ULONG Length;
|
|
ULONG Round;
|
|
|
|
//
|
|
// Round up length to a power of two and prepare
|
|
// mask for the length.
|
|
//
|
|
|
|
Length = ViTrackIrqlQueueLength;
|
|
|
|
if (Length > 0x10000) {
|
|
Length = 0x10000;
|
|
}
|
|
|
|
for (Round = 0x10000; Round != 0; Round >>= 1) {
|
|
|
|
if (Length == Round) {
|
|
break;
|
|
}
|
|
else if ((Length & Round) == Round) {
|
|
Length = (Round << 1);
|
|
break;
|
|
}
|
|
}
|
|
|
|
ViTrackIrqlQueueLength = Length;
|
|
|
|
//
|
|
// Note POOL_DRIVER_MASK must be set to stop the recursion loop
|
|
// when using the kernel verifier.
|
|
//
|
|
|
|
ViTrackIrqlQueue = ExAllocatePoolWithTagPriority (
|
|
NonPagedPool | POOL_DRIVER_MASK,
|
|
ViTrackIrqlQueueLength * sizeof (VI_TRACK_IRQL),
|
|
'lqrI',
|
|
HighPoolPriority);
|
|
}
|
|
|
|
VOID
|
|
ViTrackIrqlLog (
|
|
IN KIRQL CurrentIrql,
|
|
IN KIRQL NewIrql
|
|
)
|
|
{
|
|
PVI_TRACK_IRQL Information;
|
|
LARGE_INTEGER TimeStamp;
|
|
ULONG Index;
|
|
ULONG Hash;
|
|
|
|
ASSERT (ViTrackIrqlQueue != NULL);
|
|
|
|
if (CurrentIrql > DISPATCH_LEVEL || NewIrql > DISPATCH_LEVEL) {
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Get a slot to write into.
|
|
//
|
|
|
|
Index = InterlockedIncrement((PLONG)&ViTrackIrqlIndex);
|
|
Index &= (ViTrackIrqlQueueLength - 1);
|
|
|
|
//
|
|
// Capture information.
|
|
//
|
|
|
|
Information = &(ViTrackIrqlQueue[Index]);
|
|
|
|
Information->Thread = KeGetCurrentThread();
|
|
Information->OldIrql = CurrentIrql;
|
|
Information->NewIrql = NewIrql;
|
|
Information->Processor = (UCHAR)(KeGetCurrentProcessorNumber());
|
|
KeQueryTickCount(&TimeStamp);
|
|
Information->TickCount = TimeStamp.LowPart;
|
|
|
|
RtlCaptureStackBackTrace (2,
|
|
VI_TRACK_IRQL_TRACE_LENGTH,
|
|
Information->StackTrace,
|
|
&Hash);
|
|
}
|
|
|
|
//
|
|
// Detect the caller of the current function in an architecture
|
|
// dependent way.
|
|
//
|
|
|
|
#define VI_DETECT_RETURN_ADDRESS(Caller) { \
|
|
PVOID CallersCaller; \
|
|
RtlGetCallersAddress(&Caller, &CallersCaller); \
|
|
}
|
|
|
|
//
|
|
// Fault injection stack trace log.
|
|
//
|
|
|
|
#define VI_FAULT_TRACE_LENGTH 8
|
|
|
|
typedef struct _VI_FAULT_TRACE {
|
|
|
|
PVOID StackTrace [VI_FAULT_TRACE_LENGTH];
|
|
|
|
} VI_FAULT_TRACE, *PVI_FAULT_TRACE;
|
|
|
|
PVI_FAULT_TRACE ViFaultTraces;
|
|
ULONG ViFaultTracesIndex;
|
|
ULONG ViFaultTracesLength = 128;
|
|
|
|
VOID
|
|
ViFaultTracesInitialize (
|
|
VOID
|
|
)
|
|
{
|
|
//
|
|
// Note POOL_DRIVER_MASK must be set to stop the recursion loop
|
|
// when using the kernel verifier.
|
|
//
|
|
|
|
ViFaultTraces = ExAllocatePoolWithTagPriority (
|
|
NonPagedPool | POOL_DRIVER_MASK,
|
|
ViFaultTracesLength * sizeof (VI_FAULT_TRACE),
|
|
'ttlF',
|
|
HighPoolPriority);
|
|
}
|
|
|
|
VOID
|
|
ViFaultTracesLog (
|
|
VOID
|
|
)
|
|
{
|
|
PVI_FAULT_TRACE Information;
|
|
ULONG Hash;
|
|
ULONG Index;
|
|
|
|
//
|
|
// Sanity check
|
|
//
|
|
|
|
if (ViFaultTraces == NULL) {
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Get slot to write into.
|
|
//
|
|
|
|
Index = InterlockedIncrement ((PLONG)&ViFaultTracesIndex);
|
|
Index &= (ViFaultTracesLength - 1);
|
|
|
|
//
|
|
// Capture information. Even if we lose performance it is
|
|
// worth zeroing the trace buffer to avoid confusing people
|
|
// if old traces get merged with new ones. This zeroing
|
|
// will happen only if we actually inject a failure.
|
|
//
|
|
|
|
Information = &(ViFaultTraces[Index]);
|
|
|
|
RtlZeroMemory (Information, sizeof (VI_FAULT_TRACE));
|
|
|
|
RtlCaptureStackBackTrace (2,
|
|
VI_FAULT_TRACE_LENGTH,
|
|
Information->StackTrace,
|
|
&Hash);
|
|
}
|
|
|
|
//
|
|
// Don't fail any requests in the first 7 or 8 minutes as we want to
|
|
// give the system enough time to boot.
|
|
//
|
|
#define MI_CHECK_UPTIME() \
|
|
if (VerifierSystemSufficientlyBooted == FALSE) { \
|
|
LARGE_INTEGER _CurrentTime; \
|
|
KeQuerySystemTime (&_CurrentTime); \
|
|
if (_CurrentTime.QuadPart > KeBootTime.QuadPart + VerifierRequiredTimeSinceBoot.QuadPart) { \
|
|
VerifierSystemSufficientlyBooted = TRUE; \
|
|
} \
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierProbeAndLockPages (
|
|
IN OUT PMDL MemoryDescriptorList,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN LOCK_OPERATION Operation
|
|
)
|
|
{
|
|
ULONG i;
|
|
KIRQL CurrentIrql;
|
|
PPFN_NUMBER Page;
|
|
PVOID StartingVa;
|
|
LOGICAL ValidPfn;
|
|
PFN_NUMBER NumberOfPages;
|
|
PEPROCESS CurrentProcess;
|
|
PLIST_ENTRY NextEntry;
|
|
PPFN_NUMBER LastPage;
|
|
PMI_PHYSICAL_VIEW PhysicalView;
|
|
|
|
CurrentIrql = KeGetCurrentIrql();
|
|
if (CurrentIrql > DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x70,
|
|
CurrentIrql,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)AccessMode);
|
|
}
|
|
|
|
if (ViInjectResourceFailure () == TRUE) {
|
|
ExRaiseStatus (STATUS_WORKING_SET_QUOTA);
|
|
}
|
|
|
|
MmProbeAndLockPages (MemoryDescriptorList, AccessMode, Operation);
|
|
|
|
//
|
|
// Every page that has been probed and locked must have a PFN with the
|
|
// exception of physical section mappings.
|
|
//
|
|
|
|
Page = (PPFN_NUMBER)(MemoryDescriptorList + 1);
|
|
StartingVa = (PVOID)((PCHAR)MemoryDescriptorList->StartVa +
|
|
MemoryDescriptorList->ByteOffset);
|
|
|
|
NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES(StartingVa,
|
|
MemoryDescriptorList->ByteCount);
|
|
|
|
LastPage = Page + NumberOfPages;
|
|
|
|
ASSERT (NumberOfPages != 0);
|
|
|
|
LOCK_PFN2 (CurrentIrql);
|
|
|
|
do {
|
|
|
|
if (*Page == MM_EMPTY_LIST) {
|
|
|
|
//
|
|
// There are no more locked pages.
|
|
//
|
|
|
|
break;
|
|
}
|
|
|
|
ValidPfn = FALSE;
|
|
for (i = 0; i < MmPhysicalMemoryBlock->NumberOfRuns; i += 1) {
|
|
if ((*Page >= MmPhysicalMemoryBlock->Run[i].BasePage) &&
|
|
(*Page <= MmPhysicalMemoryBlock->Run[i].BasePage +
|
|
MmPhysicalMemoryBlock->Run[i].PageCount)) {
|
|
|
|
//
|
|
// A valid PFN exists for this page, march to the next one.
|
|
//
|
|
|
|
ValidPfn = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (ValidPfn == FALSE) {
|
|
|
|
CurrentProcess = PsGetCurrentProcess ();
|
|
|
|
//
|
|
// Check for a transfer to/from a physical VAD - these are
|
|
// allowed to have no backing PFNs.
|
|
//
|
|
|
|
if ((StartingVa <= MM_HIGHEST_USER_ADDRESS) &&
|
|
(CurrentProcess->Flags & PS_PROCESS_FLAGS_HAS_PHYSICAL_VAD)) {
|
|
|
|
//
|
|
// This process has a physical VAD which maps directly to RAM
|
|
// not necessarily present in the PFN database. See if the
|
|
// MDL request intersects this physical VAD.
|
|
//
|
|
|
|
NextEntry = CurrentProcess->PhysicalVadList.Flink;
|
|
while (NextEntry != &CurrentProcess->PhysicalVadList) {
|
|
|
|
PhysicalView = CONTAINING_RECORD(NextEntry,
|
|
MI_PHYSICAL_VIEW,
|
|
ListEntry);
|
|
|
|
if ((PhysicalView->Vad->u.VadFlags.PhysicalMapping == 1) &&
|
|
(StartingVa >= (PVOID)PhysicalView->StartVa) &&
|
|
(StartingVa <= (PVOID)PhysicalView->EndVa)) {
|
|
|
|
ValidPfn = TRUE;
|
|
break;
|
|
}
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
}
|
|
|
|
if (ValidPfn == FALSE) {
|
|
|
|
//
|
|
// The MDL being probed has no backing PFNs and it was not
|
|
// a user physical VAD. This means that PFN entries had their
|
|
// reference counts bumped, but since they don't exist, random
|
|
// physical pages just got what are going to usually look
|
|
// like single bit errors. This is bad.
|
|
//
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x6F,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)(*Page),
|
|
(ULONG_PTR)MmHighestPhysicalPage);
|
|
}
|
|
break;
|
|
}
|
|
|
|
Page += 1;
|
|
} while (Page < LastPage);
|
|
|
|
UNLOCK_PFN2 (CurrentIrql);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierProbeAndLockProcessPages (
|
|
IN OUT PMDL MemoryDescriptorList,
|
|
IN PEPROCESS Process,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN LOCK_OPERATION Operation
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql();
|
|
if (CurrentIrql > DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x71,
|
|
CurrentIrql,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)Process);
|
|
}
|
|
|
|
if (ViInjectResourceFailure () == TRUE) {
|
|
ExRaiseStatus (STATUS_WORKING_SET_QUOTA);
|
|
}
|
|
|
|
MmProbeAndLockProcessPages (MemoryDescriptorList,
|
|
Process,
|
|
AccessMode,
|
|
Operation);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierProbeAndLockSelectedPages (
|
|
IN OUT PMDL MemoryDescriptorList,
|
|
IN PFILE_SEGMENT_ELEMENT SegmentArray,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN LOCK_OPERATION Operation
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql();
|
|
if (CurrentIrql > APC_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x72,
|
|
CurrentIrql,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)AccessMode);
|
|
}
|
|
|
|
if (ViInjectResourceFailure () == TRUE) {
|
|
ExRaiseStatus (STATUS_WORKING_SET_QUOTA);
|
|
}
|
|
|
|
MmProbeAndLockSelectedPages (MemoryDescriptorList,
|
|
SegmentArray,
|
|
AccessMode,
|
|
Operation);
|
|
}
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierMapIoSpace (
|
|
IN PHYSICAL_ADDRESS PhysicalAddress,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN MEMORY_CACHING_TYPE CacheType
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
ULONG Hint;
|
|
PMMPFN Pfn1;
|
|
PFN_NUMBER NumberOfPages;
|
|
PFN_NUMBER PageFrameIndex;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
if (CurrentIrql > DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x73,
|
|
CurrentIrql,
|
|
(ULONG_PTR)PhysicalAddress.LowPart,
|
|
NumberOfBytes);
|
|
}
|
|
|
|
//
|
|
// See if the first frame is in the PFN database and if so, they all must
|
|
// be.
|
|
//
|
|
|
|
Hint = 0;
|
|
PageFrameIndex = (PFN_NUMBER)(PhysicalAddress.QuadPart >> PAGE_SHIFT);
|
|
|
|
if (MiIsPhysicalMemoryAddress (PageFrameIndex, &Hint, TRUE) == TRUE) {
|
|
|
|
Pfn1 = MI_PFN_ELEMENT (PageFrameIndex);
|
|
|
|
NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES (PhysicalAddress.LowPart,
|
|
NumberOfBytes);
|
|
|
|
do {
|
|
|
|
//
|
|
// Each frame better be locked down already. Bugcheck if not.
|
|
//
|
|
|
|
if ((Pfn1->u3.e2.ReferenceCount != 0) ||
|
|
((Pfn1->u3.e1.Rom == 1) && ((CacheType & 0xFF) == MmCached))) {
|
|
|
|
NOTHING;
|
|
}
|
|
else {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x83,
|
|
(ULONG_PTR)PhysicalAddress.LowPart,
|
|
NumberOfBytes,
|
|
(ULONG_PTR)(Pfn1 - MmPfnDatabase));
|
|
}
|
|
|
|
if (Pfn1->u3.e1.CacheAttribute == MiNotMapped) {
|
|
|
|
//
|
|
// This better be for a page allocated with
|
|
// MmAllocatePagesForMdl. Otherwise it might be a
|
|
// page on the freelist which could subsequently be
|
|
// given out with a different attribute !
|
|
//
|
|
|
|
if ((Pfn1->u4.PteFrame == MI_MAGIC_AWE_PTEFRAME) ||
|
|
#if defined (_MI_MORE_THAN_4GB_)
|
|
(Pfn1->u4.PteFrame == MI_MAGIC_4GB_RECLAIM) ||
|
|
#endif
|
|
(Pfn1->PteAddress == (PVOID) (ULONG_PTR)(X64K | 0x1))) {
|
|
|
|
NOTHING;
|
|
}
|
|
else {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x84,
|
|
(ULONG_PTR)PhysicalAddress.LowPart,
|
|
NumberOfBytes,
|
|
(ULONG_PTR)(Pfn1 - MmPfnDatabase));
|
|
}
|
|
}
|
|
Pfn1 += 1;
|
|
NumberOfPages -= 1;
|
|
} while (NumberOfPages != 0);
|
|
}
|
|
|
|
if (ViInjectResourceFailure () == TRUE) {
|
|
return NULL;
|
|
}
|
|
|
|
return MmMapIoSpace (PhysicalAddress, NumberOfBytes, CacheType);
|
|
}
|
|
|
|
VOID
|
|
ViCheckMdlPages (
|
|
IN PMDL MemoryDescriptorList,
|
|
IN MEMORY_CACHING_TYPE CacheType
|
|
)
|
|
{
|
|
PMMPFN Pfn1;
|
|
PFN_NUMBER NumberOfPages;
|
|
PPFN_NUMBER Page;
|
|
PPFN_NUMBER LastPage;
|
|
PVOID StartingVa;
|
|
|
|
ASSERT ((MemoryDescriptorList->MdlFlags & MDL_IO_SPACE) == 0);
|
|
|
|
StartingVa = (PVOID)((PCHAR)MemoryDescriptorList->StartVa +
|
|
MemoryDescriptorList->ByteOffset);
|
|
|
|
Page = (PPFN_NUMBER)(MemoryDescriptorList + 1);
|
|
NumberOfPages = ADDRESS_AND_SIZE_TO_SPAN_PAGES (StartingVa,
|
|
MemoryDescriptorList->ByteCount);
|
|
LastPage = Page + NumberOfPages;
|
|
|
|
do {
|
|
|
|
if (*Page == MM_EMPTY_LIST) {
|
|
break;
|
|
}
|
|
|
|
Pfn1 = MI_PFN_ELEMENT (*Page);
|
|
|
|
//
|
|
// Each frame better be locked down already. Bugcheck if not.
|
|
//
|
|
|
|
if ((Pfn1->u3.e2.ReferenceCount != 0) ||
|
|
((Pfn1->u3.e1.Rom == 1) && (CacheType == MmCached))) {
|
|
|
|
NOTHING;
|
|
}
|
|
else {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x85,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
NumberOfPages,
|
|
(ULONG_PTR)(Pfn1 - MmPfnDatabase));
|
|
}
|
|
|
|
if (Pfn1->u3.e1.CacheAttribute == MiNotMapped) {
|
|
|
|
//
|
|
// This better be for a page allocated with
|
|
// MmAllocatePagesForMdl. Otherwise it might be a
|
|
// page on the freelist which could subsequently be
|
|
// given out with a different attribute !
|
|
//
|
|
|
|
if ((Pfn1->u4.PteFrame == MI_MAGIC_AWE_PTEFRAME) ||
|
|
#if defined (_MI_MORE_THAN_4GB_)
|
|
(Pfn1->u4.PteFrame == MI_MAGIC_4GB_RECLAIM) ||
|
|
#endif
|
|
(Pfn1->PteAddress == (PVOID) (ULONG_PTR)(X64K | 0x1))) {
|
|
|
|
NOTHING;
|
|
}
|
|
else {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x86,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
NumberOfPages,
|
|
(ULONG_PTR)(Pfn1 - MmPfnDatabase));
|
|
}
|
|
}
|
|
|
|
Page += 1;
|
|
} while (Page < LastPage);
|
|
}
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierMapLockedPages (
|
|
IN PMDL MemoryDescriptorList,
|
|
IN KPROCESSOR_MODE AccessMode
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql();
|
|
|
|
if (AccessMode == KernelMode) {
|
|
if (CurrentIrql > DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x74,
|
|
CurrentIrql,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)AccessMode);
|
|
}
|
|
}
|
|
else {
|
|
if (CurrentIrql > APC_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x75,
|
|
CurrentIrql,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)AccessMode);
|
|
}
|
|
}
|
|
|
|
if ((MemoryDescriptorList->MdlFlags & MDL_IO_SPACE) == 0) {
|
|
ViCheckMdlPages (MemoryDescriptorList, MmCached);
|
|
}
|
|
|
|
if ((MemoryDescriptorList->MdlFlags & MDL_MAPPING_CAN_FAIL) == 0) {
|
|
|
|
MI_CHECK_UPTIME ();
|
|
|
|
if (VerifierSystemSufficientlyBooted == TRUE) {
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x81,
|
|
(ULONG_PTR) MemoryDescriptorList,
|
|
MemoryDescriptorList->MdlFlags,
|
|
0);
|
|
}
|
|
}
|
|
|
|
return MmMapLockedPages (MemoryDescriptorList, AccessMode);
|
|
}
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierMapLockedPagesSpecifyCache (
|
|
IN PMDL MemoryDescriptorList,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
IN MEMORY_CACHING_TYPE CacheType,
|
|
IN PVOID RequestedAddress,
|
|
IN ULONG BugCheckOnFailure,
|
|
IN MM_PAGE_PRIORITY Priority
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
if (AccessMode == KernelMode) {
|
|
if (CurrentIrql > DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x76,
|
|
CurrentIrql,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)AccessMode);
|
|
}
|
|
}
|
|
else {
|
|
if (CurrentIrql > APC_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x77,
|
|
CurrentIrql,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)AccessMode);
|
|
}
|
|
}
|
|
|
|
if ((MemoryDescriptorList->MdlFlags & MDL_IO_SPACE) == 0) {
|
|
ViCheckMdlPages (MemoryDescriptorList, CacheType);
|
|
}
|
|
|
|
if ((MemoryDescriptorList->MdlFlags & MDL_MAPPING_CAN_FAIL) ||
|
|
(BugCheckOnFailure == 0)) {
|
|
|
|
if (ViInjectResourceFailure () == TRUE) {
|
|
return NULL;
|
|
}
|
|
}
|
|
else {
|
|
|
|
//
|
|
// All drivers must specify can fail or don't bugcheck.
|
|
//
|
|
|
|
MI_CHECK_UPTIME ();
|
|
|
|
if (VerifierSystemSufficientlyBooted == TRUE) {
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x82,
|
|
(ULONG_PTR) MemoryDescriptorList,
|
|
MemoryDescriptorList->MdlFlags,
|
|
BugCheckOnFailure);
|
|
}
|
|
}
|
|
|
|
return MmMapLockedPagesSpecifyCache (MemoryDescriptorList,
|
|
AccessMode,
|
|
CacheType,
|
|
RequestedAddress,
|
|
BugCheckOnFailure,
|
|
Priority);
|
|
}
|
|
|
|
VOID
|
|
VerifierUnlockPages (
|
|
IN OUT PMDL MemoryDescriptorList
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql();
|
|
if (CurrentIrql > DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x78,
|
|
CurrentIrql,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
0);
|
|
}
|
|
|
|
if ((MemoryDescriptorList->MdlFlags & MDL_PAGES_LOCKED) == 0) {
|
|
|
|
//
|
|
// The caller is trying to unlock an MDL that was never locked down.
|
|
//
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x7C,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)MemoryDescriptorList->MdlFlags,
|
|
0);
|
|
}
|
|
|
|
if (MemoryDescriptorList->MdlFlags & MDL_SOURCE_IS_NONPAGED_POOL) {
|
|
|
|
//
|
|
// Nonpaged pool should never be locked down.
|
|
//
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x7D,
|
|
(ULONG_PTR)MemoryDescriptorList,
|
|
(ULONG_PTR)MemoryDescriptorList->MdlFlags,
|
|
0);
|
|
}
|
|
|
|
MmUnlockPages (MemoryDescriptorList);
|
|
}
|
|
|
|
VOID
|
|
VerifierUnmapLockedPages (
|
|
IN PVOID BaseAddress,
|
|
IN PMDL MemoryDescriptorList
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql();
|
|
|
|
if (BaseAddress > MM_HIGHEST_USER_ADDRESS) {
|
|
if (CurrentIrql > DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x79,
|
|
CurrentIrql,
|
|
(ULONG_PTR)BaseAddress,
|
|
(ULONG_PTR)MemoryDescriptorList);
|
|
}
|
|
}
|
|
else {
|
|
if (CurrentIrql > APC_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x7A,
|
|
CurrentIrql,
|
|
(ULONG_PTR)BaseAddress,
|
|
(ULONG_PTR)MemoryDescriptorList);
|
|
}
|
|
}
|
|
|
|
MmUnmapLockedPages (BaseAddress, MemoryDescriptorList);
|
|
}
|
|
|
|
VOID
|
|
VerifierUnmapIoSpace (
|
|
IN PVOID BaseAddress,
|
|
IN SIZE_T NumberOfBytes
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql();
|
|
if (CurrentIrql > DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x7B,
|
|
CurrentIrql,
|
|
(ULONG_PTR)BaseAddress,
|
|
(ULONG_PTR)NumberOfBytes);
|
|
}
|
|
|
|
MmUnmapIoSpace (BaseAddress, NumberOfBytes);
|
|
}
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierAllocatePool (
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes
|
|
)
|
|
{
|
|
PVOID CallingAddress;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
|
|
VI_DETECT_RETURN_ADDRESS (CallingAddress);
|
|
|
|
if (KernelVerifier == TRUE) {
|
|
|
|
Verifier = ViLocateVerifierEntry (CallingAddress);
|
|
|
|
if ((Verifier == NULL) ||
|
|
((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
|
|
|
|
return ExAllocatePool (PoolType | POOL_DRIVER_MASK, NumberOfBytes);
|
|
}
|
|
PoolType |= POOL_DRIVER_MASK;
|
|
}
|
|
|
|
MmVerifierData.AllocationsWithNoTag += 1;
|
|
|
|
return VeAllocatePoolWithTagPriority (PoolType,
|
|
NumberOfBytes,
|
|
'parW',
|
|
HighPoolPriority,
|
|
CallingAddress);
|
|
}
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierAllocatePoolWithTag (
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag
|
|
)
|
|
{
|
|
PVOID CallingAddress;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
|
|
VI_DETECT_RETURN_ADDRESS (CallingAddress);
|
|
|
|
if (KernelVerifier == TRUE) {
|
|
Verifier = ViLocateVerifierEntry (CallingAddress);
|
|
|
|
if ((Verifier == NULL) ||
|
|
((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
|
|
|
|
return ExAllocatePoolWithTag (PoolType | POOL_DRIVER_MASK,
|
|
NumberOfBytes,
|
|
Tag);
|
|
}
|
|
PoolType |= POOL_DRIVER_MASK;
|
|
}
|
|
|
|
return VeAllocatePoolWithTagPriority (PoolType,
|
|
NumberOfBytes,
|
|
Tag,
|
|
HighPoolPriority,
|
|
CallingAddress);
|
|
}
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierAllocatePoolWithQuota(
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes
|
|
)
|
|
{
|
|
PVOID Va;
|
|
LOGICAL RaiseOnQuotaFailure;
|
|
PVOID CallingAddress;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
|
|
VI_DETECT_RETURN_ADDRESS (CallingAddress);
|
|
|
|
if (KernelVerifier == TRUE) {
|
|
Verifier = ViLocateVerifierEntry (CallingAddress);
|
|
|
|
if ((Verifier == NULL) ||
|
|
((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
|
|
|
|
return ExAllocatePoolWithQuota (PoolType | POOL_DRIVER_MASK,
|
|
NumberOfBytes);
|
|
}
|
|
PoolType |= POOL_DRIVER_MASK;
|
|
}
|
|
|
|
MmVerifierData.AllocationsWithNoTag += 1;
|
|
|
|
if (PoolType & POOL_QUOTA_FAIL_INSTEAD_OF_RAISE) {
|
|
RaiseOnQuotaFailure = FALSE;
|
|
PoolType &= ~POOL_QUOTA_FAIL_INSTEAD_OF_RAISE;
|
|
}
|
|
else {
|
|
RaiseOnQuotaFailure = TRUE;
|
|
}
|
|
|
|
Va = VeAllocatePoolWithTagPriority (PoolType,
|
|
NumberOfBytes,
|
|
'parW',
|
|
HighPoolPriority,
|
|
CallingAddress);
|
|
|
|
if (Va == NULL) {
|
|
if (RaiseOnQuotaFailure == TRUE) {
|
|
ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
|
|
}
|
|
}
|
|
|
|
return Va;
|
|
}
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierAllocatePoolWithQuotaTag(
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag
|
|
)
|
|
{
|
|
PVOID Va;
|
|
LOGICAL RaiseOnQuotaFailure;
|
|
PVOID CallingAddress;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
|
|
VI_DETECT_RETURN_ADDRESS (CallingAddress);
|
|
|
|
if (KernelVerifier == TRUE) {
|
|
Verifier = ViLocateVerifierEntry (CallingAddress);
|
|
|
|
if ((Verifier == NULL) ||
|
|
((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
|
|
|
|
return ExAllocatePoolWithQuotaTag (PoolType | POOL_DRIVER_MASK,
|
|
NumberOfBytes,
|
|
Tag);
|
|
}
|
|
PoolType |= POOL_DRIVER_MASK;
|
|
}
|
|
|
|
if (PoolType & POOL_QUOTA_FAIL_INSTEAD_OF_RAISE) {
|
|
RaiseOnQuotaFailure = FALSE;
|
|
PoolType &= ~POOL_QUOTA_FAIL_INSTEAD_OF_RAISE;
|
|
}
|
|
else {
|
|
RaiseOnQuotaFailure = TRUE;
|
|
}
|
|
|
|
Va = VeAllocatePoolWithTagPriority (PoolType,
|
|
NumberOfBytes,
|
|
Tag,
|
|
HighPoolPriority,
|
|
CallingAddress);
|
|
|
|
if (Va == NULL) {
|
|
if (RaiseOnQuotaFailure == TRUE) {
|
|
ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
|
|
}
|
|
}
|
|
|
|
return Va;
|
|
}
|
|
|
|
THUNKED_API
|
|
PVOID
|
|
VerifierAllocatePoolWithTagPriority(
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag,
|
|
IN EX_POOL_PRIORITY Priority
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This thunked-in function:
|
|
|
|
- Performs sanity checks on the caller.
|
|
- Can optionally provide allocation failures to the caller.
|
|
- Attempts to provide the allocation from special pool.
|
|
- Tracks pool to ensure callers free everything they allocate.
|
|
|
|
--*/
|
|
|
|
{
|
|
PVOID CallingAddress;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
|
|
VI_DETECT_RETURN_ADDRESS (CallingAddress);
|
|
|
|
if (KernelVerifier == TRUE) {
|
|
Verifier = ViLocateVerifierEntry (CallingAddress);
|
|
|
|
if ((Verifier == NULL) ||
|
|
((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) {
|
|
|
|
return ExAllocatePoolWithTagPriority (PoolType | POOL_DRIVER_MASK,
|
|
NumberOfBytes,
|
|
Tag,
|
|
Priority);
|
|
}
|
|
PoolType |= POOL_DRIVER_MASK;
|
|
}
|
|
|
|
return VeAllocatePoolWithTagPriority (PoolType,
|
|
NumberOfBytes,
|
|
Tag,
|
|
Priority,
|
|
CallingAddress);
|
|
}
|
|
|
|
LOGICAL
|
|
ViInjectResourceFailure (
|
|
VOID
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function determines whether a resource allocation should be
|
|
deliberately failed. This may be a pool allocation, MDL creation,
|
|
system PTE allocation, etc.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
TRUE if the allocation should be failed. FALSE otherwise.
|
|
|
|
Environment:
|
|
|
|
Kernel mode. DISPATCH_LEVEL or below.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG TimeLow;
|
|
LARGE_INTEGER CurrentTime;
|
|
|
|
if ((MmVerifierData.Level & DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES) == 0) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Don't fail any requests in the first 7 or 8 minutes as we want to
|
|
// give the system enough time to boot.
|
|
//
|
|
|
|
MI_CHECK_UPTIME ();
|
|
|
|
if (VerifierSystemSufficientlyBooted == TRUE) {
|
|
|
|
KeQueryTickCount(&CurrentTime);
|
|
|
|
TimeLow = CurrentTime.LowPart;
|
|
|
|
if ((TimeLow & 0xF) == 0) {
|
|
|
|
MmVerifierData.AllocationsFailedDeliberately += 1;
|
|
|
|
//
|
|
// Deliberately fail this request.
|
|
//
|
|
|
|
if (MiFaultRetryMask != 0xFFFFFFFF) {
|
|
MiFaultRetryMask = 0xFFFFFFFF;
|
|
MiUserFaultRetryMask = 0xFFFFFFFF;
|
|
}
|
|
|
|
#if defined(_X86_)
|
|
ViFaultTracesLog ();
|
|
#endif
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
//
|
|
// Approximately every 5 minutes (on most systems), fail all of this
|
|
// components allocations for a 10 second burst. This more closely
|
|
// simulates (and exaggerates) the duration of the typical low resource
|
|
// scenario.
|
|
//
|
|
|
|
TimeLow &= 0x7FFF;
|
|
|
|
if (TimeLow < 0x400) {
|
|
|
|
MmVerifierData.BurstAllocationsFailedDeliberately += 1;
|
|
|
|
//
|
|
// Deliberately fail this request.
|
|
//
|
|
|
|
if (MiFaultRetryMask != 0xFFFFFFFF) {
|
|
MiFaultRetryMask = 0xFFFFFFFF;
|
|
MiUserFaultRetryMask = 0xFFFFFFFF;
|
|
}
|
|
|
|
#if defined(_X86_)
|
|
ViFaultTracesLog ();
|
|
#endif
|
|
|
|
return TRUE;
|
|
}
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
LOGICAL
|
|
ViReservePoolAllocation (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier
|
|
)
|
|
{
|
|
ULONG_PTR OldSize;
|
|
ULONG_PTR NewSize;
|
|
ULONG_PTR NewHashOffset;
|
|
ULONG_PTR Increment;
|
|
ULONG_PTR Entries;
|
|
ULONG_PTR i;
|
|
KIRQL OldIrql;
|
|
PVOID NewHashTable;
|
|
PVI_POOL_ENTRY HashEntry;
|
|
PVI_POOL_ENTRY OldHashTable;
|
|
|
|
ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
|
|
|
|
while (Verifier->PoolHashSize <= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved) {
|
|
|
|
//
|
|
// More space is needed. Try for it now.
|
|
//
|
|
|
|
#define VI_POOL_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(VI_POOL_ENTRY))
|
|
|
|
OldSize = Verifier->PoolHashSize * sizeof(VI_POOL_ENTRY);
|
|
|
|
if (Verifier->PoolHashSize >= VI_POOL_ENTRIES_PER_PAGE) {
|
|
Increment = PAGE_SIZE;
|
|
}
|
|
else {
|
|
Increment = 16 * sizeof (VI_POOL_ENTRY);
|
|
}
|
|
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
|
|
NewSize = OldSize + Increment;
|
|
|
|
if (NewSize < OldSize) {
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Note POOL_DRIVER_MASK must be set to stop the recursion loop
|
|
// when using the kernel verifier.
|
|
//
|
|
|
|
NewHashTable = ExAllocatePoolWithTagPriority (NonPagedPool | POOL_DRIVER_MASK,
|
|
NewSize,
|
|
'ppeV',
|
|
HighPoolPriority);
|
|
|
|
ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
|
|
|
|
OldSize = Verifier->PoolHashSize * sizeof(VI_POOL_ENTRY);
|
|
|
|
if (NewHashTable == NULL) {
|
|
if (Verifier->PoolHashSize <= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved) {
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Another thread got here before us and space is available.
|
|
//
|
|
|
|
break;
|
|
}
|
|
|
|
if (NewSize != OldSize + Increment) {
|
|
|
|
//
|
|
// Another thread got here before us.
|
|
//
|
|
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
ExFreePool (NewHashTable);
|
|
ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
|
|
}
|
|
else {
|
|
|
|
//
|
|
// Rebuild the list into the new table.
|
|
//
|
|
|
|
OldHashTable = Verifier->PoolHash;
|
|
if (OldHashTable != NULL) {
|
|
RtlCopyMemory (NewHashTable, OldHashTable, OldSize);
|
|
}
|
|
|
|
//
|
|
// Construct the freelist chaining it through any existing
|
|
// list (any free entries must be already reserved).
|
|
//
|
|
|
|
HashEntry = (PVI_POOL_ENTRY) ((PCHAR)NewHashTable + OldSize);
|
|
Entries = Increment / sizeof (VI_POOL_ENTRY);
|
|
NewHashOffset = HashEntry - (PVI_POOL_ENTRY)NewHashTable;
|
|
|
|
//
|
|
// If list compaction becomes important then chaining it on the
|
|
// end here will need to be revisited.
|
|
//
|
|
|
|
for (i = 0; i < Entries; i += 1) {
|
|
HashEntry->FreeListNext = NewHashOffset + i + 1;
|
|
HashEntry += 1;
|
|
}
|
|
HashEntry -= 1;
|
|
HashEntry->FreeListNext = Verifier->PoolHashFree;
|
|
Verifier->PoolHashFree = NewHashOffset;
|
|
Verifier->PoolHash = NewHashTable;
|
|
Verifier->PoolHashSize += Entries;
|
|
|
|
//
|
|
// Free the old table.
|
|
//
|
|
|
|
if (OldHashTable != NULL) {
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
ExFreePool (OldHashTable);
|
|
ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
|
|
}
|
|
}
|
|
}
|
|
|
|
Verifier->PoolHashReserved += 1;
|
|
|
|
ASSERT (Verifier->PoolHashSize >= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved);
|
|
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
ULONG_PTR
|
|
ViInsertPoolAllocation (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
|
|
IN PVOID VirtualAddress,
|
|
IN PVOID CallingAddress,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function inserts the specified virtual address into the verifier
|
|
list for this driver.
|
|
|
|
Arguments:
|
|
|
|
Verifier - Supplies the verifier entry to update.
|
|
|
|
VirtualAddress - Supplies the virtual address to insert.
|
|
|
|
CallingAddress - Supplies the caller's address.
|
|
|
|
NumberOfBytes - Supplies the number of bytes to allocate.
|
|
|
|
Tag - Supplies the tag for the pool being allocated.
|
|
|
|
Return Value:
|
|
|
|
The list index this virtual address was inserted at.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, DISPATCH_LEVEL. The Verifier->VerifierPoolLock must be held.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG_PTR Index;
|
|
PVI_POOL_ENTRY HashEntry;
|
|
|
|
ASSERT (KeGetCurrentIrql() == DISPATCH_LEVEL);
|
|
|
|
//
|
|
// The list entry must be reserved in advance.
|
|
//
|
|
|
|
ASSERT (Verifier->PoolHashReserved != 0);
|
|
|
|
ASSERT (Verifier->PoolHashSize >= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved);
|
|
|
|
//
|
|
// Use the next free list entry.
|
|
//
|
|
|
|
Index = Verifier->PoolHashFree;
|
|
ASSERT (Index != VI_POOL_FREELIST_END);
|
|
|
|
HashEntry = Verifier->PoolHash + Index;
|
|
|
|
Verifier->PoolHashFree = HashEntry->FreeListNext;
|
|
|
|
Verifier->PoolHashReserved -= 1;
|
|
|
|
#if defined (_X86_)
|
|
//
|
|
// MiUseMaximumSystemSpace denotes an x86 mode where kernel pointers don't
|
|
// necessarily have the high bit set.
|
|
//
|
|
ASSERT (((HashEntry->FreeListNext & MINLONG_PTR) == 0) ||
|
|
(HashEntry->FreeListNext == VI_POOL_FREELIST_END) ||
|
|
(MiUseMaximumSystemSpace != 0));
|
|
#else
|
|
ASSERT (((HashEntry->FreeListNext & MINLONG_PTR) == 0) ||
|
|
(HashEntry->FreeListNext == VI_POOL_FREELIST_END));
|
|
#endif
|
|
|
|
HashEntry->InUse.VirtualAddress = VirtualAddress;
|
|
HashEntry->InUse.CallingAddress = CallingAddress;
|
|
HashEntry->InUse.NumberOfBytes = NumberOfBytes;
|
|
HashEntry->InUse.Tag = Tag;
|
|
|
|
#if defined (_X86_)
|
|
//
|
|
// MiUseMaximumSystemSpace denotes an x86 mode where kernel pointers don't
|
|
// necessarily have the high bit set.
|
|
//
|
|
ASSERT (((HashEntry->FreeListNext & MINLONG_PTR) != 0) ||
|
|
(MiUseMaximumSystemSpace != 0));
|
|
#else
|
|
ASSERT ((HashEntry->FreeListNext & MINLONG_PTR) != 0);
|
|
#endif
|
|
|
|
return Index;
|
|
}
|
|
|
|
VOID
|
|
ViReleasePoolAllocation (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
|
|
IN PVOID VirtualAddress,
|
|
IN ULONG_PTR ListIndex,
|
|
IN SIZE_T ChargedBytes
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function removes the specified virtual address from the verifier
|
|
list for this driver.
|
|
|
|
Arguments:
|
|
|
|
Verifier - Supplies the verifier entry to update.
|
|
|
|
VirtualAddress - Supplies the virtual address to release.
|
|
|
|
ListIndex - Supplies the verifier pool hash index for the address being
|
|
released.
|
|
|
|
ChargedBytes - Supplies the bytes charged for this allocation.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, DISPATCH_LEVEL. The Verifier->VerifierPoolLock must be held.
|
|
|
|
--*/
|
|
|
|
{
|
|
PFN_NUMBER PageFrameIndex;
|
|
PFN_NUMBER PageFrameIndex2;
|
|
PVI_POOL_ENTRY HashEntry;
|
|
PMMPTE PointerPte;
|
|
|
|
ASSERT (KeGetCurrentIrql() == DISPATCH_LEVEL);
|
|
|
|
if (Verifier->PoolHash == NULL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x59,
|
|
(ULONG_PTR)VirtualAddress,
|
|
ListIndex,
|
|
(ULONG_PTR)Verifier);
|
|
}
|
|
|
|
//
|
|
// Ensure that the list pointer has not been overrun and still
|
|
// points at something decent.
|
|
//
|
|
|
|
HashEntry = Verifier->PoolHash + ListIndex;
|
|
|
|
if (ListIndex >= Verifier->PoolHashSize) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x54,
|
|
(ULONG_PTR)VirtualAddress,
|
|
Verifier->PoolHashSize,
|
|
ListIndex);
|
|
}
|
|
|
|
if (HashEntry->InUse.VirtualAddress != VirtualAddress) {
|
|
|
|
PageFrameIndex = 0;
|
|
PageFrameIndex2 = 1;
|
|
|
|
if ((!MI_IS_PHYSICAL_ADDRESS(VirtualAddress)) &&
|
|
(MI_IS_PHYSICAL_ADDRESS(HashEntry->InUse.VirtualAddress))) {
|
|
|
|
PointerPte = MiGetPteAddress(VirtualAddress);
|
|
if (PointerPte->u.Hard.Valid == 1) {
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
|
|
|
|
PageFrameIndex2 = MI_CONVERT_PHYSICAL_TO_PFN (HashEntry->InUse.VirtualAddress);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Caller overran and corrupted the virtual address - the linked
|
|
// list cannot be counted on either.
|
|
//
|
|
|
|
if (PageFrameIndex != PageFrameIndex2) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x52,
|
|
(ULONG_PTR)VirtualAddress,
|
|
(ULONG_PTR)HashEntry->InUse.VirtualAddress,
|
|
ChargedBytes);
|
|
}
|
|
}
|
|
|
|
if (HashEntry->InUse.NumberOfBytes != ChargedBytes) {
|
|
|
|
//
|
|
// Caller overran and corrupted the byte count - the linked
|
|
// list cannot be counted on either.
|
|
//
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x51,
|
|
(ULONG_PTR)VirtualAddress,
|
|
(ULONG_PTR)HashEntry,
|
|
ChargedBytes);
|
|
}
|
|
|
|
//
|
|
// Put this list entry into the freelist.
|
|
//
|
|
|
|
HashEntry->FreeListNext = Verifier->PoolHashFree;
|
|
Verifier->PoolHashFree = HashEntry - Verifier->PoolHash;
|
|
}
|
|
|
|
VOID
|
|
ViCancelPoolAllocation (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function removes a reservation from the verifier list for this driver.
|
|
All reservations must be made in advance. This routine is used when an
|
|
earlier reservation is not going to be used (ie: the actual pool
|
|
allocation failed so no reservation will be needed after all).
|
|
|
|
Arguments:
|
|
|
|
Verifier - Supplies the verifier entry to update.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, DISPATCH_LEVEL or below, no verifier mutexes held.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
|
|
ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
|
|
|
|
//
|
|
// The hash entry reserved earlier is not going to be used after all.
|
|
//
|
|
|
|
ASSERT (Verifier->PoolHashReserved != 0);
|
|
|
|
ASSERT (Verifier->PoolHashSize >= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved);
|
|
|
|
ASSERT (Verifier->PoolHashFree != VI_POOL_FREELIST_END);
|
|
|
|
Verifier->PoolHashReserved -= 1;
|
|
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
}
|
|
|
|
PVOID
|
|
ViPostPoolAllocation (
|
|
IN PVOID VirtualAddress,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN POOL_TYPE PoolType,
|
|
IN ULONG Tag,
|
|
IN PVOID CallingAddress
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function performs verifier book-keeping on the allocation attempt.
|
|
|
|
Arguments:
|
|
|
|
VirtualAddress - Supplies the virtual address that should be allocated.
|
|
|
|
NumberOfBytes - Supplies the number of bytes to allocate.
|
|
|
|
PoolType - Supplies the type of pool being allocated.
|
|
|
|
Tag - Supplies the tag for the pool being allocated.
|
|
|
|
CallingAddress - Supplies the caller's address.
|
|
|
|
Return Value:
|
|
|
|
The virtual address the caller should use.
|
|
|
|
Environment:
|
|
|
|
Kernel mode. DISPATCH_LEVEL or below.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
PMI_VERIFIER_POOL_HEADER Header;
|
|
SIZE_T ChargedBytes;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
ULONG_PTR InsertedIndex;
|
|
LOGICAL SpecialPoolAllocation;
|
|
PPOOL_HEADER PoolHeader;
|
|
|
|
InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceeded);
|
|
ChargedBytes = EX_REAL_POOL_USAGE(NumberOfBytes);
|
|
SpecialPoolAllocation = FALSE;
|
|
|
|
if (MmIsSpecialPoolAddress (VirtualAddress) == TRUE) {
|
|
ChargedBytes = NumberOfBytes;
|
|
InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceededSpecialPool);
|
|
SpecialPoolAllocation = TRUE;
|
|
}
|
|
else if (NumberOfBytes <= POOL_BUDDY_MAX) {
|
|
ChargedBytes -= POOL_OVERHEAD;
|
|
}
|
|
else {
|
|
|
|
//
|
|
// This isn't exactly true but it does give the user a way to see
|
|
// if this machine is large enough to support special pool 100%.
|
|
//
|
|
|
|
InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceededSpecialPool);
|
|
}
|
|
|
|
if ((PoolType & POOL_VERIFIER_MASK) == 0) {
|
|
return VirtualAddress;
|
|
}
|
|
|
|
if (NumberOfBytes > POOL_BUDDY_MAX) {
|
|
ASSERT (BYTE_OFFSET(VirtualAddress) == 0);
|
|
}
|
|
|
|
Verifier = ViLocateVerifierEntry (CallingAddress);
|
|
ASSERT (Verifier != NULL);
|
|
VerifierIsTrackingPool = TRUE;
|
|
|
|
if (SpecialPoolAllocation == TRUE) {
|
|
|
|
//
|
|
// Carefully adjust the special pool page to move the verifier tracking
|
|
// header to the front. This allows the allocation to remain butted
|
|
// against the end of the page so overruns can be detected immediately.
|
|
//
|
|
|
|
if (((ULONG_PTR)VirtualAddress & (PAGE_SIZE - 1))) {
|
|
PoolHeader = (PPOOL_HEADER)(PAGE_ALIGN (VirtualAddress));
|
|
Header = (PMI_VERIFIER_POOL_HEADER) (PoolHeader + 1);
|
|
VirtualAddress = (PVOID) ((PCHAR)VirtualAddress + sizeof (MI_VERIFIER_POOL_HEADER));
|
|
}
|
|
else {
|
|
PoolHeader = (PPOOL_HEADER)((PCHAR)PAGE_ALIGN (VirtualAddress) + PAGE_SIZE - POOL_OVERHEAD);
|
|
Header = (PMI_VERIFIER_POOL_HEADER) (PoolHeader - 1);
|
|
}
|
|
// ASSERT (PoolHeader->Ulong1 & MI_SPECIAL_POOL_VERIFIER);
|
|
PoolHeader->Ulong1 -= sizeof (MI_VERIFIER_POOL_HEADER);
|
|
ChargedBytes -= sizeof (MI_VERIFIER_POOL_HEADER);
|
|
PoolHeader->Ulong1 |= MI_SPECIAL_POOL_VERIFIER;
|
|
}
|
|
else {
|
|
Header = (PMI_VERIFIER_POOL_HEADER)((PCHAR)VirtualAddress +
|
|
ChargedBytes -
|
|
sizeof(MI_VERIFIER_POOL_HEADER));
|
|
}
|
|
|
|
ASSERT (((ULONG_PTR)Header & (sizeof(ULONG) - 1)) == 0);
|
|
|
|
|
|
Header->Verifier = Verifier;
|
|
|
|
//
|
|
// Enqueue the entry and update per-driver counters.
|
|
// Note that paged pool allocations must be chained using nonpaged
|
|
// pool to prevent deadlocks.
|
|
//
|
|
|
|
ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
|
|
|
|
InsertedIndex = ViInsertPoolAllocation (Verifier,
|
|
VirtualAddress,
|
|
CallingAddress,
|
|
ChargedBytes,
|
|
Tag);
|
|
|
|
if ((PoolType & BASE_POOL_TYPE_MASK) == PagedPool) {
|
|
|
|
Verifier->PagedBytes += ChargedBytes;
|
|
if (Verifier->PagedBytes > Verifier->PeakPagedBytes) {
|
|
Verifier->PeakPagedBytes = Verifier->PagedBytes;
|
|
}
|
|
|
|
Verifier->CurrentPagedPoolAllocations += 1;
|
|
if (Verifier->CurrentPagedPoolAllocations > Verifier->PeakPagedPoolAllocations) {
|
|
Verifier->PeakPagedPoolAllocations = Verifier->CurrentPagedPoolAllocations;
|
|
}
|
|
}
|
|
else {
|
|
Verifier->NonPagedBytes += ChargedBytes;
|
|
if (Verifier->NonPagedBytes > Verifier->PeakNonPagedBytes) {
|
|
Verifier->PeakNonPagedBytes = Verifier->NonPagedBytes;
|
|
}
|
|
|
|
Verifier->CurrentNonPagedPoolAllocations += 1;
|
|
if (Verifier->CurrentNonPagedPoolAllocations > Verifier->PeakNonPagedPoolAllocations) {
|
|
Verifier->PeakNonPagedPoolAllocations = Verifier->CurrentNonPagedPoolAllocations;
|
|
}
|
|
}
|
|
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
|
|
//
|
|
// Since the header for paged pool is paged, don't initialize it until the
|
|
// spinlock above is released.
|
|
//
|
|
|
|
Header->ListIndex = InsertedIndex;
|
|
|
|
//
|
|
// Update systemwide counters.
|
|
//
|
|
|
|
if ((PoolType & BASE_POOL_TYPE_MASK) == PagedPool) {
|
|
ExAcquireFastMutex (&VerifierPoolMutex);
|
|
|
|
MmVerifierData.PagedBytes += ChargedBytes;
|
|
if (MmVerifierData.PagedBytes > MmVerifierData.PeakPagedBytes) {
|
|
MmVerifierData.PeakPagedBytes = MmVerifierData.PagedBytes;
|
|
}
|
|
|
|
MmVerifierData.CurrentPagedPoolAllocations += 1;
|
|
if (MmVerifierData.CurrentPagedPoolAllocations > MmVerifierData.PeakPagedPoolAllocations) {
|
|
MmVerifierData.PeakPagedPoolAllocations = MmVerifierData.CurrentPagedPoolAllocations;
|
|
}
|
|
|
|
ExReleaseFastMutex (&VerifierPoolMutex);
|
|
}
|
|
else {
|
|
ExAcquireSpinLock (&VerifierPoolLock, &OldIrql);
|
|
|
|
MmVerifierData.NonPagedBytes += ChargedBytes;
|
|
if (MmVerifierData.NonPagedBytes > MmVerifierData.PeakNonPagedBytes) {
|
|
MmVerifierData.PeakNonPagedBytes = MmVerifierData.NonPagedBytes;
|
|
}
|
|
|
|
MmVerifierData.CurrentNonPagedPoolAllocations += 1;
|
|
if (MmVerifierData.CurrentNonPagedPoolAllocations > MmVerifierData.PeakNonPagedPoolAllocations) {
|
|
MmVerifierData.PeakNonPagedPoolAllocations = MmVerifierData.CurrentNonPagedPoolAllocations;
|
|
}
|
|
|
|
ExReleaseSpinLock (&VerifierPoolLock, OldIrql);
|
|
}
|
|
|
|
return VirtualAddress;
|
|
}
|
|
|
|
PVOID
|
|
VeAllocatePoolWithTagPriority (
|
|
IN POOL_TYPE PoolType,
|
|
IN SIZE_T NumberOfBytes,
|
|
IN ULONG Tag,
|
|
IN EX_POOL_PRIORITY Priority,
|
|
IN PVOID CallingAddress
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine is called both from ex\pool.c and directly within this module.
|
|
|
|
- Performs sanity checks on the caller.
|
|
- Can optionally provide allocation failures to the caller.
|
|
- Attempts to provide the allocation from special pool.
|
|
- Tracks pool to ensure callers free everything they allocate.
|
|
|
|
--*/
|
|
|
|
{
|
|
PVOID VirtualAddress;
|
|
EX_POOL_PRIORITY AllocationPriority;
|
|
SIZE_T ChargedBytes;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
LOGICAL ReservedHash;
|
|
ULONG HeaderSize;
|
|
|
|
ExAllocatePoolSanityChecks (PoolType, NumberOfBytes);
|
|
|
|
InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsAttempted);
|
|
|
|
if ((PoolType & MUST_SUCCEED_POOL_TYPE_MASK) == 0) {
|
|
|
|
if (ViInjectResourceFailure () == TRUE) {
|
|
|
|
//
|
|
// Caller requested an exception - throw it here.
|
|
//
|
|
|
|
if ((PoolType & POOL_RAISE_IF_ALLOCATION_FAILURE) != 0) {
|
|
ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
}
|
|
else {
|
|
MI_CHECK_UPTIME ();
|
|
|
|
if (VerifierSystemSufficientlyBooted == TRUE) {
|
|
|
|
KeBugCheckEx (BAD_POOL_CALLER,
|
|
0x9A,
|
|
PoolType,
|
|
NumberOfBytes,
|
|
Tag);
|
|
}
|
|
}
|
|
|
|
ASSERT ((PoolType & POOL_VERIFIER_MASK) == 0);
|
|
|
|
//
|
|
// Initializing Verifier is not needed for
|
|
// correctness but without it the compiler cannot compile this code
|
|
// W4 to check for use of uninitialized variables.
|
|
//
|
|
|
|
Verifier = NULL;
|
|
|
|
AllocationPriority = Priority;
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_SPECIAL_POOLING) {
|
|
|
|
//
|
|
// Try for a special pool overrun allocation unless the caller has
|
|
// explicitly specified otherwise.
|
|
//
|
|
|
|
if ((AllocationPriority & (LowPoolPrioritySpecialPoolOverrun | LowPoolPrioritySpecialPoolUnderrun)) == 0) {
|
|
if (MmSpecialPoolCatchOverruns == TRUE) {
|
|
AllocationPriority |= LowPoolPrioritySpecialPoolOverrun;
|
|
}
|
|
else {
|
|
AllocationPriority |= LowPoolPrioritySpecialPoolUnderrun;
|
|
}
|
|
}
|
|
}
|
|
|
|
ReservedHash = FALSE;
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) {
|
|
|
|
if (PoolType & SESSION_POOL_MASK) {
|
|
|
|
//
|
|
// Session pool is directly tracked by default already.
|
|
//
|
|
|
|
NOTHING;
|
|
}
|
|
else {
|
|
HeaderSize = sizeof(MI_VERIFIER_POOL_HEADER);
|
|
|
|
ChargedBytes = MI_ROUND_TO_SIZE (NumberOfBytes, sizeof(ULONG)) + HeaderSize;
|
|
Verifier = ViLocateVerifierEntry (CallingAddress);
|
|
|
|
if ((Verifier == NULL) ||
|
|
((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0) ||
|
|
(Verifier->Flags & VI_DISABLE_VERIFICATION)) {
|
|
|
|
//
|
|
// This can happen for many reasons including no framing (which
|
|
// can cause RtlGetCallersAddress to return the wrong address),
|
|
// etc.
|
|
//
|
|
|
|
MmVerifierData.UnTrackedPool += 1;
|
|
}
|
|
else if (ChargedBytes <= NumberOfBytes) {
|
|
|
|
//
|
|
// Don't let the verifier header transform a bad caller into a
|
|
// good caller. Fail via the fall through so an exception
|
|
// can be thrown if asked for, etc.
|
|
//
|
|
|
|
MmVerifierData.UnTrackedPool += 1;
|
|
}
|
|
else if (((PoolType & MUST_SUCCEED_POOL_TYPE_MASK) == 0) ||
|
|
(ChargedBytes <= PAGE_SIZE)) {
|
|
|
|
//
|
|
// Any pool allocation that is allowed to fail or where the
|
|
// total number of charged bytes fits in a page (nonpaged-
|
|
// must-succeed requires this) is suitable for tracking.
|
|
// Just ensure that the hash list has space for it.
|
|
//
|
|
|
|
if (ViReservePoolAllocation (Verifier) == TRUE) {
|
|
ReservedHash = TRUE;
|
|
NumberOfBytes = ChargedBytes;
|
|
PoolType |= POOL_VERIFIER_MASK;
|
|
}
|
|
}
|
|
else {
|
|
ASSERT ((PoolType & BASE_POOL_TYPE_MASK) == NonPagedPool);
|
|
MmVerifierData.UnTrackedPool += 1;
|
|
}
|
|
}
|
|
}
|
|
|
|
VirtualAddress = ExAllocatePoolWithTagPriority (PoolType,
|
|
NumberOfBytes,
|
|
Tag,
|
|
AllocationPriority);
|
|
|
|
if (VirtualAddress == NULL) {
|
|
MmVerifierData.AllocationsFailed += 1;
|
|
|
|
if (ReservedHash == TRUE) {
|
|
|
|
//
|
|
// Release the hash table entry now as it's not needed.
|
|
//
|
|
|
|
ViCancelPoolAllocation (Verifier);
|
|
}
|
|
|
|
if ((PoolType & POOL_RAISE_IF_ALLOCATION_FAILURE) != 0) {
|
|
ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES);
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
VirtualAddress = ViPostPoolAllocation (VirtualAddress,
|
|
NumberOfBytes,
|
|
PoolType,
|
|
Tag,
|
|
CallingAddress);
|
|
|
|
|
|
|
|
return VirtualAddress;
|
|
}
|
|
|
|
VOID
|
|
ViFreeTrackedPool (
|
|
IN PVOID VirtualAddress,
|
|
IN SIZE_T ChargedBytes,
|
|
IN LOGICAL CheckType,
|
|
IN LOGICAL SpecialPool
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Called directly from the pool manager or the memory manager for verifier-
|
|
tracked allocations. The call to ExFreePool is already in progress.
|
|
|
|
Arguments:
|
|
|
|
VirtualAddress - Supplies the virtual address being freed.
|
|
|
|
ChargedBytes - Supplies the number of bytes charged to this allocation.
|
|
|
|
CheckType - Supplies PagedPool or NonPagedPool.
|
|
|
|
SpecialPool - Supplies TRUE if the allocation is from special pool.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode.
|
|
|
|
N.B.
|
|
|
|
Callers freeing small pool allocations hold no locks or mutexes on entry.
|
|
|
|
Callers freeing special pool hold no locks or mutexes on entry.
|
|
|
|
Callers freeing pool of PAGE_SIZE or larger hold the nonpaged pool spinlock
|
|
or the PagedPool mutex (depending on allocation type) on entry.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
ULONG_PTR Index;
|
|
PPOOL_HEADER PoolHeader;
|
|
PMI_VERIFIER_POOL_HEADER Header;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
|
|
ASSERT (VerifierIsTrackingPool == TRUE);
|
|
|
|
if (SpecialPool == TRUE) {
|
|
|
|
//
|
|
// Special pool allocation.
|
|
//
|
|
|
|
if (((ULONG_PTR)VirtualAddress & (PAGE_SIZE - 1))) {
|
|
PoolHeader = PAGE_ALIGN (VirtualAddress);
|
|
Header = (PMI_VERIFIER_POOL_HEADER)(PoolHeader + 1);
|
|
}
|
|
else {
|
|
PoolHeader = (PPOOL_HEADER)((PCHAR)PAGE_ALIGN (VirtualAddress) + PAGE_SIZE - POOL_OVERHEAD);
|
|
Header = (PMI_VERIFIER_POOL_HEADER)(PoolHeader - 1);
|
|
}
|
|
}
|
|
else if (PAGE_ALIGNED(VirtualAddress)) {
|
|
|
|
//
|
|
// Large page allocation.
|
|
//
|
|
|
|
Header = (PMI_VERIFIER_POOL_HEADER) ((PCHAR)VirtualAddress +
|
|
ChargedBytes -
|
|
sizeof(MI_VERIFIER_POOL_HEADER));
|
|
}
|
|
else {
|
|
ChargedBytes -= POOL_OVERHEAD;
|
|
Header = (PMI_VERIFIER_POOL_HEADER) ((PCHAR)VirtualAddress +
|
|
ChargedBytes -
|
|
sizeof(MI_VERIFIER_POOL_HEADER));
|
|
}
|
|
|
|
Verifier = Header->Verifier;
|
|
|
|
//
|
|
// Check the pointer now so we can give a more friendly bugcheck
|
|
// rather than crashing below on a bad reference.
|
|
//
|
|
|
|
if ((((ULONG_PTR)Verifier & (sizeof(ULONG) - 1)) != 0) ||
|
|
(!MmIsAddressValid(&Verifier->Signature)) ||
|
|
(Verifier->Signature != MI_VERIFIER_ENTRY_SIGNATURE)) {
|
|
|
|
//
|
|
// The caller corrupted the saved verifier field.
|
|
//
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x53,
|
|
(ULONG_PTR)VirtualAddress,
|
|
(ULONG_PTR)Header,
|
|
(ULONG_PTR)Verifier);
|
|
}
|
|
|
|
Index = Header->ListIndex;
|
|
|
|
ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
|
|
|
|
ViReleasePoolAllocation (Verifier,
|
|
VirtualAddress,
|
|
Index,
|
|
ChargedBytes);
|
|
|
|
if (CheckType == PagedPool) {
|
|
Verifier->PagedBytes -= ChargedBytes;
|
|
Verifier->CurrentPagedPoolAllocations -= 1;
|
|
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
|
|
ExAcquireFastMutex (&VerifierPoolMutex);
|
|
MmVerifierData.PagedBytes -= ChargedBytes;
|
|
MmVerifierData.CurrentPagedPoolAllocations -= 1;
|
|
ExReleaseFastMutex (&VerifierPoolMutex);
|
|
}
|
|
else {
|
|
Verifier->NonPagedBytes -= ChargedBytes;
|
|
Verifier->CurrentNonPagedPoolAllocations -= 1;
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
|
|
ExAcquireSpinLock (&VerifierPoolLock, &OldIrql);
|
|
MmVerifierData.NonPagedBytes -= ChargedBytes;
|
|
MmVerifierData.CurrentNonPagedPoolAllocations -= 1;
|
|
ExReleaseSpinLock (&VerifierPoolLock, OldIrql);
|
|
}
|
|
}
|
|
|
|
VOID
|
|
VerifierFreeTrackedPool (
|
|
IN PVOID VirtualAddress,
|
|
IN SIZE_T ChargedBytes,
|
|
IN LOGICAL CheckType,
|
|
IN LOGICAL SpecialPool
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Called directly from the pool manager or the memory manager for verifier-
|
|
tracked allocations. The call to ExFreePool is already in progress.
|
|
|
|
Arguments:
|
|
|
|
VirtualAddress - Supplies the virtual address being freed.
|
|
|
|
ChargedBytes - Supplies the number of bytes charged to this allocation.
|
|
|
|
CheckType - Supplies PagedPool or NonPagedPool.
|
|
|
|
SpecialPool - Supplies TRUE if the allocation is from special pool.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode.
|
|
|
|
N.B.
|
|
|
|
Callers freeing small pool allocations hold no locks or mutexes on entry.
|
|
|
|
Callers freeing special pool hold no locks or mutexes on entry.
|
|
|
|
Callers freeing pool of PAGE_SIZE or larger hold the nonpaged pool spinlock
|
|
or the PagedPool mutex (depending on allocation type) on entry.
|
|
|
|
--*/
|
|
|
|
{
|
|
if (VerifierIsTrackingPool == FALSE) {
|
|
|
|
//
|
|
// The verifier is not enabled so the only way this routine is being
|
|
// called is because the pool header is mangled or the caller specified
|
|
// a bad address. Either way it's a bugcheck.
|
|
//
|
|
|
|
KeBugCheckEx (BAD_POOL_CALLER,
|
|
0x99,
|
|
(ULONG_PTR)VirtualAddress,
|
|
0,
|
|
0);
|
|
}
|
|
|
|
ViFreeTrackedPool (VirtualAddress, ChargedBytes, CheckType, SpecialPool);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierFreePool(
|
|
IN PVOID P
|
|
)
|
|
{
|
|
if (KernelVerifier == TRUE) {
|
|
ExFreePool (P);
|
|
return;
|
|
}
|
|
|
|
VerifierFreePoolWithTag (P, 0);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierFreePoolWithTag(
|
|
IN PVOID P,
|
|
IN ULONG TagToFree
|
|
)
|
|
{
|
|
if (KernelVerifier == TRUE) {
|
|
ExFreePoolWithTag (P, TagToFree);
|
|
return;
|
|
}
|
|
|
|
ExFreePoolSanityChecks (P);
|
|
|
|
ExFreePoolWithTag (P, TagToFree);
|
|
}
|
|
|
|
THUNKED_API
|
|
LONG
|
|
VerifierSetEvent (
|
|
IN PRKEVENT Event,
|
|
IN KPRIORITY Increment,
|
|
IN BOOLEAN Wait
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql();
|
|
if (CurrentIrql > DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x80,
|
|
CurrentIrql,
|
|
(ULONG_PTR)Event,
|
|
(ULONG_PTR)0);
|
|
}
|
|
|
|
return KeSetEvent (Event, Increment, Wait);
|
|
}
|
|
|
|
THUNKED_API
|
|
BOOLEAN
|
|
VerifierExAcquireResourceExclusiveLite(
|
|
IN PERESOURCE Resource,
|
|
IN BOOLEAN Wait
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
if ((CurrentIrql != APC_LEVEL) &&
|
|
(!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
|
|
(KeGetCurrentThread()->KernelApcDisable == 0)) {
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x37,
|
|
CurrentIrql,
|
|
(ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
|
|
(ULONG_PTR)Resource);
|
|
}
|
|
|
|
return ExAcquireResourceExclusiveLite (Resource, Wait);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExReleaseResourceLite(
|
|
IN PERESOURCE Resource
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
if ((CurrentIrql != APC_LEVEL) &&
|
|
(!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
|
|
(KeGetCurrentThread()->KernelApcDisable == 0)) {
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x38,
|
|
CurrentIrql,
|
|
(ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
|
|
(ULONG_PTR)Resource);
|
|
}
|
|
|
|
ExReleaseResourceLite (Resource);
|
|
}
|
|
|
|
int VerifierIrqlData[0x10];
|
|
|
|
VOID
|
|
KfSanityCheckRaiseIrql (
|
|
IN KIRQL NewIrql
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
//
|
|
// Check for the caller inadvertently lowering.
|
|
//
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
if (CurrentIrql == NewIrql) {
|
|
VerifierIrqlData[0] += 1;
|
|
if (CurrentIrql == APC_LEVEL) {
|
|
VerifierIrqlData[1] += 1;
|
|
}
|
|
else if (CurrentIrql == DISPATCH_LEVEL) {
|
|
VerifierIrqlData[2] += 1;
|
|
}
|
|
else {
|
|
VerifierIrqlData[3] += 1;
|
|
}
|
|
}
|
|
else {
|
|
VerifierIrqlData[4] += 1;
|
|
}
|
|
|
|
if (CurrentIrql > NewIrql) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x30,
|
|
CurrentIrql,
|
|
NewIrql,
|
|
0);
|
|
}
|
|
|
|
//
|
|
// Check for the caller using an uninitialized variable.
|
|
//
|
|
|
|
if (NewIrql > HIGH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x30,
|
|
CurrentIrql,
|
|
NewIrql,
|
|
0);
|
|
}
|
|
|
|
if (ViTrackIrqlQueue != NULL) {
|
|
ViTrackIrqlLog (CurrentIrql, NewIrql);
|
|
}
|
|
}
|
|
|
|
VOID
|
|
KfSanityCheckLowerIrql (
|
|
IN KIRQL NewIrql
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
//
|
|
// Check for the caller inadvertently lowering.
|
|
//
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
if (CurrentIrql == NewIrql) {
|
|
VerifierIrqlData[8] += 1;
|
|
if (CurrentIrql == APC_LEVEL) {
|
|
VerifierIrqlData[9] += 1;
|
|
}
|
|
else if (CurrentIrql == DISPATCH_LEVEL) {
|
|
VerifierIrqlData[10] += 1;
|
|
}
|
|
else {
|
|
VerifierIrqlData[11] += 1;
|
|
}
|
|
}
|
|
else {
|
|
VerifierIrqlData[12] += 1;
|
|
}
|
|
|
|
if (CurrentIrql < NewIrql) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x31,
|
|
CurrentIrql,
|
|
NewIrql,
|
|
0);
|
|
}
|
|
|
|
//
|
|
// Check for the caller using an uninitialized variable.
|
|
//
|
|
|
|
if (NewIrql > HIGH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x31,
|
|
CurrentIrql,
|
|
NewIrql,
|
|
0);
|
|
}
|
|
|
|
if (ViTrackIrqlQueue != NULL) {
|
|
ViTrackIrqlLog (CurrentIrql, NewIrql);
|
|
}
|
|
}
|
|
|
|
#define VI_TRIM_KERNEL 0x00000001
|
|
#define VI_TRIM_USER 0x00000002
|
|
#define VI_TRIM_SESSION 0x00000004
|
|
#define VI_TRIM_PURGE 0x80000000
|
|
|
|
ULONG ViTrimSpaces = VI_TRIM_KERNEL;
|
|
|
|
VOID
|
|
ViTrimAllSystemPagableMemory (
|
|
VOID
|
|
)
|
|
{
|
|
LOGICAL PurgeTransition;
|
|
LARGE_INTEGER CurrentTime;
|
|
LOGICAL PageOut;
|
|
|
|
PageOut = TRUE;
|
|
if (KernelVerifier == TRUE) {
|
|
KeQueryTickCount(&CurrentTime);
|
|
if ((CurrentTime.LowPart & KernelVerifierTickPage) != 0) {
|
|
PageOut = FALSE;
|
|
}
|
|
}
|
|
|
|
if ((PageOut == TRUE) && (MiNoPageOnRaiseIrql == 0)) {
|
|
MmVerifierData.TrimRequests += 1;
|
|
|
|
if (ViTrimSpaces & VI_TRIM_PURGE) {
|
|
PurgeTransition = TRUE;
|
|
}
|
|
else {
|
|
PurgeTransition = FALSE;
|
|
}
|
|
|
|
if (ViTrimSpaces & VI_TRIM_KERNEL) {
|
|
if (MmTrimAllSystemPagableMemory (PurgeTransition) == TRUE) {
|
|
MmVerifierData.Trims += 1;
|
|
}
|
|
}
|
|
|
|
if (ViTrimSpaces & VI_TRIM_USER) {
|
|
if (MmTrimProcessMemory (PurgeTransition) == TRUE) {
|
|
MmVerifierData.UserTrims += 1;
|
|
}
|
|
}
|
|
|
|
if (ViTrimSpaces & VI_TRIM_SESSION) {
|
|
if (MmTrimSessionMemory (PurgeTransition) == TRUE) {
|
|
MmVerifierData.SessionTrims += 1;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
typedef
|
|
VOID
|
|
(*PKE_ACQUIRE_SPINLOCK) (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
OUT PKIRQL OldIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeAcquireSpinLock (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
OUT PKIRQL OldIrql
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
#if defined (_X86_)
|
|
PKE_ACQUIRE_SPINLOCK HalRoutine;
|
|
#endif
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
|
|
|
|
MmVerifierData.AcquireSpinLocks += 1;
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
if (CurrentIrql < DISPATCH_LEVEL) {
|
|
ViTrimAllSystemPagableMemory ();
|
|
}
|
|
}
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKE_ACQUIRE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_ACQUIRE_SPINLOCK];
|
|
|
|
if (HalRoutine) {
|
|
(*HalRoutine)(SpinLock, OldIrql);
|
|
|
|
VfDeadlockAcquireResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
FALSE,
|
|
_ReturnAddress());
|
|
return;
|
|
}
|
|
#endif
|
|
|
|
KeAcquireSpinLock (SpinLock, OldIrql);
|
|
|
|
VfDeadlockAcquireResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
FALSE,
|
|
_ReturnAddress());
|
|
}
|
|
|
|
typedef
|
|
VOID
|
|
(*PKE_RELEASE_SPINLOCK) (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeReleaseSpinLock (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
IN KIRQL NewIrql
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
#if defined (_X86_)
|
|
PKE_RELEASE_SPINLOCK HalRoutine;
|
|
#endif
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
//
|
|
// Caller better still be at DISPATCH_LEVEL when releasing the spinlock
|
|
//
|
|
|
|
if (CurrentIrql < DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x32,
|
|
CurrentIrql,
|
|
(ULONG_PTR)SpinLock,
|
|
0);
|
|
}
|
|
|
|
KfSanityCheckLowerIrql (NewIrql);
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKE_RELEASE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RELEASE_SPINLOCK];
|
|
|
|
if (HalRoutine) {
|
|
VfDeadlockReleaseResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
_ReturnAddress());
|
|
(*HalRoutine)(SpinLock, NewIrql);
|
|
|
|
return;
|
|
}
|
|
#endif
|
|
|
|
VfDeadlockReleaseResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
_ReturnAddress());
|
|
|
|
KeReleaseSpinLock (SpinLock, NewIrql);
|
|
}
|
|
|
|
//
|
|
// Verifier thunks for AcquireSpinLockAtDpcLevel and ReleaseSpinLockFromDpcLevel.
|
|
//
|
|
// On x86 the functions exported by the kernel that are used by the driver are:
|
|
// KefAcquire.../KefRelease.... On other platforms the functions used by drivers
|
|
// are KeAcquire.../KeRelease. Among other differences the x86 versions use the
|
|
// fastcall convention which requires additional precaution.
|
|
//
|
|
|
|
THUNKED_API
|
|
VOID
|
|
#if defined(_X86_)
|
|
FASTCALL
|
|
#endif
|
|
VerifierKeAcquireSpinLockAtDpcLevel (
|
|
IN PKSPIN_LOCK SpinLock
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
//
|
|
// Caller better be at or above DISPATCH_LEVEL.
|
|
//
|
|
|
|
if (CurrentIrql < DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x40,
|
|
CurrentIrql,
|
|
(ULONG_PTR)SpinLock,
|
|
0);
|
|
}
|
|
|
|
MmVerifierData.AcquireSpinLocks += 1;
|
|
|
|
KeAcquireSpinLockAtDpcLevel (SpinLock);
|
|
|
|
VfDeadlockAcquireResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
FALSE,
|
|
_ReturnAddress());
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
#if defined(_X86_)
|
|
FASTCALL
|
|
#endif
|
|
VerifierKeReleaseSpinLockFromDpcLevel (
|
|
IN PKSPIN_LOCK SpinLock
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
//
|
|
// Caller better be at DISPATCH_LEVEL.
|
|
//
|
|
|
|
if (CurrentIrql < DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x41,
|
|
CurrentIrql,
|
|
(ULONG_PTR)SpinLock,
|
|
0);
|
|
}
|
|
|
|
VfDeadlockReleaseResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
_ReturnAddress());
|
|
|
|
KeReleaseSpinLockFromDpcLevel (SpinLock);
|
|
}
|
|
|
|
#if !defined(_X86_)
|
|
|
|
THUNKED_API
|
|
KIRQL
|
|
VerifierKeAcquireSpinLockRaiseToDpc (
|
|
IN PKSPIN_LOCK SpinLock
|
|
)
|
|
{
|
|
KIRQL NewIrql = KeAcquireSpinLockRaiseToDpc (SpinLock);
|
|
|
|
VfDeadlockAcquireResource (SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
FALSE,
|
|
_ReturnAddress());
|
|
|
|
return NewIrql;
|
|
}
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#if defined (_X86_)
|
|
|
|
typedef
|
|
KIRQL
|
|
(FASTCALL *PKF_ACQUIRE_SPINLOCK) (
|
|
IN PKSPIN_LOCK SpinLock
|
|
);
|
|
|
|
THUNKED_API
|
|
KIRQL
|
|
FASTCALL
|
|
VerifierKfAcquireSpinLock (
|
|
IN PKSPIN_LOCK SpinLock
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
PKF_ACQUIRE_SPINLOCK HalRoutine;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
|
|
|
|
MmVerifierData.AcquireSpinLocks += 1;
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
if (CurrentIrql < DISPATCH_LEVEL) {
|
|
ViTrimAllSystemPagableMemory ();
|
|
}
|
|
}
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKF_ACQUIRE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_ACQUIRE_SPINLOCK];
|
|
|
|
if (HalRoutine) {
|
|
CurrentIrql = (*HalRoutine)(SpinLock);
|
|
|
|
VfDeadlockAcquireResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
FALSE,
|
|
_ReturnAddress());
|
|
|
|
return CurrentIrql;
|
|
}
|
|
#endif
|
|
|
|
CurrentIrql = KfAcquireSpinLock (SpinLock);
|
|
|
|
VfDeadlockAcquireResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
FALSE,
|
|
_ReturnAddress());
|
|
|
|
return CurrentIrql;
|
|
}
|
|
|
|
typedef
|
|
VOID
|
|
(FASTCALL *PKF_RELEASE_SPINLOCK) (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierKfReleaseSpinLock (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
IN KIRQL NewIrql
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
PKF_RELEASE_SPINLOCK HalRoutine;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
//
|
|
// Caller better still be at DISPATCH_LEVEL when releasing the spinlock.
|
|
//
|
|
|
|
if (CurrentIrql < DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x35,
|
|
CurrentIrql,
|
|
(ULONG_PTR)SpinLock,
|
|
NewIrql);
|
|
}
|
|
|
|
KfSanityCheckLowerIrql (NewIrql);
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKF_RELEASE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_RELEASE_SPINLOCK];
|
|
|
|
if (HalRoutine) {
|
|
VfDeadlockReleaseResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
_ReturnAddress());
|
|
|
|
(*HalRoutine)(SpinLock, NewIrql);
|
|
return;
|
|
}
|
|
#endif
|
|
|
|
VfDeadlockReleaseResource(SpinLock,
|
|
VfDeadlockSpinLock,
|
|
KeGetCurrentThread(),
|
|
_ReturnAddress());
|
|
|
|
KfReleaseSpinLock (SpinLock, NewIrql);
|
|
}
|
|
|
|
|
|
#if !defined(NT_UP)
|
|
|
|
typedef
|
|
KIRQL
|
|
(FASTCALL *PKE_ACQUIRE_QUEUED_SPINLOCK) (
|
|
IN KSPIN_LOCK_QUEUE_NUMBER Number
|
|
);
|
|
|
|
THUNKED_API
|
|
KIRQL
|
|
FASTCALL
|
|
VerifierKeAcquireQueuedSpinLock (
|
|
IN KSPIN_LOCK_QUEUE_NUMBER Number
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
PKE_ACQUIRE_QUEUED_SPINLOCK HalRoutine;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
|
|
|
|
MmVerifierData.AcquireSpinLocks += 1;
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
if (CurrentIrql < DISPATCH_LEVEL) {
|
|
ViTrimAllSystemPagableMemory ();
|
|
}
|
|
}
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKE_ACQUIRE_QUEUED_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_ACQUIRE_QUEUED_SPINLOCK];
|
|
|
|
if (HalRoutine) {
|
|
return (*HalRoutine)(Number);
|
|
}
|
|
#endif
|
|
|
|
|
|
CurrentIrql = KeAcquireQueuedSpinLock (Number);
|
|
|
|
return CurrentIrql;
|
|
}
|
|
|
|
typedef
|
|
VOID
|
|
(FASTCALL *PKE_RELEASE_QUEUED_SPINLOCK) (
|
|
IN KSPIN_LOCK_QUEUE_NUMBER Number,
|
|
IN KIRQL OldIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierKeReleaseQueuedSpinLock (
|
|
IN KSPIN_LOCK_QUEUE_NUMBER Number,
|
|
IN KIRQL OldIrql
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
PKE_RELEASE_QUEUED_SPINLOCK HalRoutine;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
if (KernelVerifier == TRUE) {
|
|
if (CurrentIrql < DISPATCH_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x36,
|
|
CurrentIrql,
|
|
(ULONG_PTR)Number,
|
|
(ULONG_PTR)OldIrql);
|
|
}
|
|
}
|
|
|
|
KfSanityCheckLowerIrql (OldIrql);
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKE_RELEASE_QUEUED_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RELEASE_QUEUED_SPINLOCK];
|
|
|
|
if (HalRoutine) {
|
|
(*HalRoutine)(Number, OldIrql);
|
|
return;
|
|
}
|
|
#endif
|
|
|
|
KeReleaseQueuedSpinLock (Number, OldIrql);
|
|
}
|
|
#endif // NT_UP
|
|
|
|
#endif // _X86_
|
|
|
|
#if defined(_X86_) || defined(_AMD64_)
|
|
|
|
typedef
|
|
KIRQL
|
|
(FASTCALL *PKF_RAISE_IRQL) (
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
KIRQL
|
|
FASTCALL
|
|
VerifierKfRaiseIrql (
|
|
IN KIRQL NewIrql
|
|
)
|
|
{
|
|
#if defined (_X86_)
|
|
PKF_RAISE_IRQL HalRoutine;
|
|
#endif
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
KfSanityCheckRaiseIrql (NewIrql);
|
|
|
|
MmVerifierData.RaiseIrqls += 1;
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
if ((CurrentIrql < DISPATCH_LEVEL) && (NewIrql >= DISPATCH_LEVEL)) {
|
|
ViTrimAllSystemPagableMemory ();
|
|
}
|
|
}
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKF_RAISE_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_RAISE_IRQL];
|
|
if (HalRoutine) {
|
|
return (*HalRoutine)(NewIrql);
|
|
}
|
|
#endif
|
|
|
|
return KfRaiseIrql (NewIrql);
|
|
}
|
|
|
|
typedef
|
|
KIRQL
|
|
(FASTCALL *PKE_RAISE_IRQL_TO_DPC_LEVEL) (
|
|
VOID
|
|
);
|
|
|
|
THUNKED_API
|
|
KIRQL
|
|
VerifierKeRaiseIrqlToDpcLevel (
|
|
VOID
|
|
)
|
|
{
|
|
#if defined (_X86_)
|
|
PKE_RAISE_IRQL_TO_DPC_LEVEL HalRoutine;
|
|
#endif
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
KfSanityCheckRaiseIrql (DISPATCH_LEVEL);
|
|
|
|
MmVerifierData.RaiseIrqls += 1;
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
if (CurrentIrql < DISPATCH_LEVEL) {
|
|
ViTrimAllSystemPagableMemory ();
|
|
}
|
|
}
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKE_RAISE_IRQL_TO_DPC_LEVEL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RAISE_IRQL_TO_DPC_LEVEL];
|
|
if (HalRoutine) {
|
|
return (*HalRoutine)();
|
|
}
|
|
#endif
|
|
|
|
return KeRaiseIrqlToDpcLevel ();
|
|
}
|
|
|
|
#endif // _X86_ || _AMD64_
|
|
|
|
#if defined(_X86_)
|
|
|
|
typedef
|
|
VOID
|
|
(FASTCALL *PKF_LOWER_IRQL) (
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierKfLowerIrql (
|
|
IN KIRQL NewIrql
|
|
)
|
|
{
|
|
PKF_LOWER_IRQL HalRoutine;
|
|
|
|
KfSanityCheckLowerIrql (NewIrql);
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKF_LOWER_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KF_LOWER_IRQL];
|
|
if (HalRoutine) {
|
|
(*HalRoutine)(NewIrql);
|
|
return;
|
|
}
|
|
#endif
|
|
|
|
KfLowerIrql (NewIrql);
|
|
}
|
|
|
|
#endif
|
|
|
|
THUNKED_API
|
|
BOOLEAN
|
|
FASTCALL
|
|
VerifierExTryToAcquireFastMutex (
|
|
IN PFAST_MUTEX FastMutex
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
BOOLEAN Acquired;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
//
|
|
// Caller better be at or below APC_LEVEL or have APCs blocked.
|
|
//
|
|
|
|
if (CurrentIrql > APC_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x33,
|
|
CurrentIrql,
|
|
(ULONG_PTR)FastMutex,
|
|
0);
|
|
}
|
|
|
|
Acquired = ExTryToAcquireFastMutex (FastMutex);
|
|
if (Acquired != FALSE) {
|
|
VfDeadlockAcquireResource(FastMutex,
|
|
VfDeadlockFastMutex,
|
|
KeGetCurrentThread(),
|
|
TRUE,
|
|
_ReturnAddress());
|
|
}
|
|
|
|
return Acquired;
|
|
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExAcquireFastMutex (
|
|
IN PFAST_MUTEX FastMutex
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
//
|
|
// Caller better be at or below APC_LEVEL or have APCs blocked.
|
|
//
|
|
|
|
if (CurrentIrql > APC_LEVEL) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x33,
|
|
CurrentIrql,
|
|
(ULONG_PTR)FastMutex,
|
|
0);
|
|
}
|
|
|
|
ExAcquireFastMutex (FastMutex);
|
|
|
|
VfDeadlockAcquireResource(FastMutex,
|
|
VfDeadlockFastMutex,
|
|
KeGetCurrentThread(),
|
|
FALSE,
|
|
_ReturnAddress());
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExAcquireFastMutexUnsafe (
|
|
IN PFAST_MUTEX FastMutex
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
//
|
|
// Caller better be at APC_LEVEL or have APCs blocked.
|
|
//
|
|
|
|
if ((CurrentIrql != APC_LEVEL) &&
|
|
(!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
|
|
(KeGetCurrentThread()->KernelApcDisable == 0)) {
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x39,
|
|
CurrentIrql,
|
|
(ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
|
|
(ULONG_PTR)FastMutex);
|
|
}
|
|
ExAcquireFastMutexUnsafe (FastMutex);
|
|
|
|
VfDeadlockAcquireResource(FastMutex,
|
|
VfDeadlockFastMutexUnsafe,
|
|
KeGetCurrentThread(),
|
|
FALSE,
|
|
_ReturnAddress());
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExReleaseFastMutex (
|
|
IN PFAST_MUTEX FastMutex
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
//
|
|
// Caller better be at APC_LEVEL or have APCs blocked.
|
|
//
|
|
|
|
if ((CurrentIrql != APC_LEVEL) &&
|
|
(!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
|
|
(KeGetCurrentThread()->KernelApcDisable == 0)) {
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x34,
|
|
CurrentIrql,
|
|
(ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
|
|
(ULONG_PTR)FastMutex);
|
|
}
|
|
|
|
VfDeadlockReleaseResource(FastMutex,
|
|
VfDeadlockFastMutex,
|
|
KeGetCurrentThread(),
|
|
_ReturnAddress());
|
|
ExReleaseFastMutex (FastMutex);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
FASTCALL
|
|
VerifierExReleaseFastMutexUnsafe (
|
|
IN PFAST_MUTEX FastMutex
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
//
|
|
// Caller better be at APC_LEVEL or have APCs blocked.
|
|
//
|
|
|
|
if ((CurrentIrql != APC_LEVEL) &&
|
|
(!IS_SYSTEM_THREAD(PsGetCurrentThread())) &&
|
|
(KeGetCurrentThread()->KernelApcDisable == 0)) {
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x3A,
|
|
CurrentIrql,
|
|
(ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable),
|
|
(ULONG_PTR)FastMutex);
|
|
}
|
|
|
|
VfDeadlockReleaseResource(FastMutex,
|
|
VfDeadlockFastMutexUnsafe,
|
|
KeGetCurrentThread(),
|
|
_ReturnAddress());
|
|
ExReleaseFastMutexUnsafe (FastMutex);
|
|
|
|
}
|
|
|
|
typedef
|
|
VOID
|
|
(*PKE_RAISE_IRQL) (
|
|
IN KIRQL NewIrql,
|
|
OUT PKIRQL OldIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeRaiseIrql (
|
|
IN KIRQL NewIrql,
|
|
OUT PKIRQL OldIrql
|
|
)
|
|
{
|
|
#if defined (_X86_)
|
|
PKE_RAISE_IRQL HalRoutine;
|
|
#endif
|
|
|
|
*OldIrql = KeGetCurrentIrql ();
|
|
|
|
KfSanityCheckRaiseIrql (NewIrql);
|
|
|
|
MmVerifierData.RaiseIrqls += 1;
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
if ((*OldIrql < DISPATCH_LEVEL) && (NewIrql >= DISPATCH_LEVEL)) {
|
|
ViTrimAllSystemPagableMemory ();
|
|
}
|
|
}
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKE_RAISE_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RAISE_IRQL];
|
|
if (HalRoutine) {
|
|
(*HalRoutine)(NewIrql, OldIrql);
|
|
return;
|
|
}
|
|
#endif
|
|
|
|
KeRaiseIrql (NewIrql, OldIrql);
|
|
}
|
|
|
|
typedef
|
|
VOID
|
|
(*PKE_LOWER_IRQL) (
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeLowerIrql (
|
|
IN KIRQL NewIrql
|
|
)
|
|
{
|
|
#if defined (_X86_)
|
|
PKE_LOWER_IRQL HalRoutine;
|
|
#endif
|
|
|
|
KfSanityCheckLowerIrql (NewIrql);
|
|
|
|
#if defined (_X86_)
|
|
HalRoutine = (PKE_LOWER_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_LOWER_IRQL];
|
|
if (HalRoutine) {
|
|
(*HalRoutine)(NewIrql);
|
|
return;
|
|
}
|
|
#endif
|
|
|
|
KeLowerIrql (NewIrql);
|
|
}
|
|
|
|
THUNKED_API
|
|
BOOLEAN
|
|
VerifierSynchronizeExecution (
|
|
IN PKINTERRUPT Interrupt,
|
|
IN PKSYNCHRONIZE_ROUTINE SynchronizeRoutine,
|
|
IN PVOID SynchronizeContext
|
|
)
|
|
{
|
|
KIRQL OldIrql;
|
|
|
|
OldIrql = KeGetCurrentIrql ();
|
|
|
|
KfSanityCheckRaiseIrql (Interrupt->SynchronizeIrql);
|
|
|
|
MmVerifierData.SynchronizeExecutions += 1;
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
if ((OldIrql < DISPATCH_LEVEL) && (Interrupt->SynchronizeIrql >= DISPATCH_LEVEL)) {
|
|
ViTrimAllSystemPagableMemory ();
|
|
}
|
|
}
|
|
|
|
return KeSynchronizeExecution (Interrupt,
|
|
SynchronizeRoutine,
|
|
SynchronizeContext);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeTimerEx(
|
|
IN PKTIMER Timer,
|
|
IN TIMER_TYPE Type
|
|
)
|
|
{
|
|
//
|
|
// Check the object being initialized isn't already an
|
|
// active timer. Make sure the timer table list is initialized.
|
|
//
|
|
|
|
if (KiTimerTableListHead[0].Flink != NULL) {
|
|
KeCheckForTimer(Timer, sizeof(KTIMER));
|
|
}
|
|
|
|
KeInitializeTimerEx(Timer, Type);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeTimer(
|
|
IN PKTIMER Timer
|
|
)
|
|
{
|
|
VerifierKeInitializeTimerEx(Timer, NotificationTimer);
|
|
}
|
|
|
|
|
|
THUNKED_API
|
|
NTSTATUS
|
|
VerifierKeWaitForSingleObject (
|
|
IN PVOID Object,
|
|
IN KWAIT_REASON WaitReason,
|
|
IN KPROCESSOR_MODE WaitMode,
|
|
IN BOOLEAN Alertable,
|
|
IN PLARGE_INTEGER Timeout OPTIONAL
|
|
)
|
|
{
|
|
KIRQL CurrentIrql;
|
|
PRKTHREAD Thread;
|
|
NTSTATUS Status;
|
|
BOOLEAN TryAcquire;
|
|
|
|
if (! ((ARGUMENT_PRESENT(Timeout)) && (Timeout->QuadPart == 0))) {
|
|
|
|
CurrentIrql = KeGetCurrentIrql ();
|
|
|
|
if (CurrentIrql >= DISPATCH_LEVEL) {
|
|
|
|
Thread = KeGetCurrentThread();
|
|
|
|
//
|
|
// Skip situations where KeWait is called at DPC level
|
|
// to optimize dispatcher database lock handling.
|
|
//
|
|
|
|
if (Thread->WaitNext == FALSE) {
|
|
|
|
//
|
|
// Cannot call KeWait at DPC level.
|
|
//
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x3B,
|
|
(ULONG_PTR)CurrentIrql,
|
|
(ULONG_PTR)Object,
|
|
(ULONG_PTR)Timeout);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
Status = KeWaitForSingleObject (Object,
|
|
WaitReason,
|
|
WaitMode,
|
|
Alertable,
|
|
Timeout);
|
|
|
|
if ((STATUS_SUCCESS == Status) &&
|
|
(((PRKMUTANT) Object)->Header.Type == MutantObject)) {
|
|
|
|
if (ARGUMENT_PRESENT(Timeout)) {
|
|
TryAcquire = TRUE;
|
|
}
|
|
else {
|
|
TryAcquire = FALSE;
|
|
}
|
|
|
|
VfDeadlockAcquireResource (Object,
|
|
VfDeadlockMutex,
|
|
KeGetCurrentThread (),
|
|
TryAcquire,
|
|
_ReturnAddress ());
|
|
}
|
|
|
|
return Status;
|
|
|
|
}
|
|
|
|
THUNKED_API
|
|
LONG
|
|
VerifierKeReleaseMutex(
|
|
IN PRKMUTEX Mutex,
|
|
IN BOOLEAN Wait
|
|
)
|
|
{
|
|
VfDeadlockReleaseResource(Mutex,
|
|
VfDeadlockMutex,
|
|
KeGetCurrentThread(),
|
|
_ReturnAddress());
|
|
|
|
return KeReleaseMutex(Mutex, Wait);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeMutex(
|
|
IN PRKMUTEX Mutex,
|
|
IN ULONG Level
|
|
)
|
|
{
|
|
KeInitializeMutex (Mutex,Level);
|
|
VfDeadlockInitializeResource (Mutex, VfDeadlockMutex, _ReturnAddress(), FALSE);
|
|
}
|
|
|
|
THUNKED_API
|
|
LONG
|
|
VerifierKeReleaseMutant(
|
|
IN PRKMUTANT Mutant,
|
|
IN KPRIORITY Increment,
|
|
IN BOOLEAN Abandoned,
|
|
IN BOOLEAN Wait
|
|
)
|
|
{
|
|
VfDeadlockReleaseResource(Mutant,
|
|
VfDeadlockMutex,
|
|
KeGetCurrentThread(),
|
|
_ReturnAddress());
|
|
|
|
return KeReleaseMutant(Mutant, Increment, Abandoned, Wait);
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeMutant(
|
|
IN PRKMUTANT Mutant,
|
|
IN BOOLEAN InitialOwner
|
|
)
|
|
{
|
|
KeInitializeMutant (Mutant, InitialOwner);
|
|
VfDeadlockInitializeResource (Mutant, VfDeadlockMutex, _ReturnAddress(), FALSE);
|
|
|
|
if (InitialOwner) {
|
|
|
|
VfDeadlockAcquireResource (Mutant,
|
|
VfDeadlockMutex,
|
|
KeGetCurrentThread(),
|
|
FALSE,
|
|
_ReturnAddress());
|
|
}
|
|
}
|
|
|
|
THUNKED_API
|
|
VOID
|
|
VerifierKeInitializeSpinLock(
|
|
IN PKSPIN_LOCK SpinLock
|
|
)
|
|
{
|
|
KeInitializeSpinLock (SpinLock);
|
|
VfDeadlockInitializeResource (SpinLock, VfDeadlockSpinLock, _ReturnAddress(), FALSE);
|
|
|
|
}
|
|
|
|
NTSTATUS
|
|
VerifierReferenceObjectByHandle (
|
|
IN HANDLE Handle,
|
|
IN ACCESS_MASK DesiredAccess,
|
|
IN POBJECT_TYPE ObjectType OPTIONAL,
|
|
IN KPROCESSOR_MODE AccessMode,
|
|
OUT PVOID *Object,
|
|
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
Status = ObReferenceObjectByHandle (Handle,
|
|
DesiredAccess,
|
|
ObjectType,
|
|
AccessMode,
|
|
Object,
|
|
HandleInformation);
|
|
if (AccessMode == KernelMode || PsIsSystemThread (PsGetCurrentThread ())) {
|
|
if (Status == STATUS_INVALID_HANDLE || Status == STATUS_OBJECT_TYPE_MISMATCH) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x3C,
|
|
(ULONG_PTR)Handle,
|
|
(ULONG_PTR)ObjectType,
|
|
(ULONG_PTR)0);
|
|
}
|
|
}
|
|
return Status;
|
|
}
|
|
|
|
|
|
VOID
|
|
ViInitializeEntry (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier,
|
|
IN LOGICAL FirstLoad
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Initialize various verifier fields as the driver is being (re)loaded now.
|
|
|
|
Arguments:
|
|
|
|
Verifier - Supplies the verifier entry to be initialized.
|
|
|
|
FirstLoad - Supplies TRUE if this is the first load of this driver.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
|
|
//
|
|
// Only the BaseName field is initialized on entry.
|
|
//
|
|
|
|
KeInitializeSpinLock (&Verifier->VerifierPoolLock);
|
|
|
|
Verifier->CurrentPagedPoolAllocations = 0;
|
|
Verifier->CurrentNonPagedPoolAllocations = 0;
|
|
Verifier->PeakPagedPoolAllocations = 0;
|
|
Verifier->PeakNonPagedPoolAllocations = 0;
|
|
|
|
Verifier->PagedBytes = 0;
|
|
Verifier->NonPagedBytes = 0;
|
|
Verifier->PeakPagedBytes = 0;
|
|
Verifier->PeakNonPagedBytes = 0;
|
|
|
|
Verifier->PoolHash = NULL;
|
|
Verifier->PoolHashSize = 0;
|
|
Verifier->PoolHashFree = VI_POOL_FREELIST_END;
|
|
Verifier->PoolHashReserved = 0;
|
|
|
|
Verifier->Signature = MI_VERIFIER_ENTRY_SIGNATURE;
|
|
|
|
if (FirstLoad == TRUE) {
|
|
Verifier->Flags = 0;
|
|
Verifier->Loads = 0;
|
|
Verifier->Unloads = 0;
|
|
}
|
|
|
|
ExAcquireSpinLock (&VerifierListLock, &OldIrql);
|
|
Verifier->StartAddress = NULL;
|
|
Verifier->EndAddress = NULL;
|
|
ExReleaseSpinLock (&VerifierListLock, OldIrql);
|
|
}
|
|
|
|
#define UNICODE_TAB 0x0009
|
|
#define UNICODE_LF 0x000A
|
|
#define UNICODE_CR 0x000D
|
|
#define UNICODE_SPACE 0x0020
|
|
#define UNICODE_CJK_SPACE 0x3000
|
|
|
|
#define UNICODE_WHITESPACE(_ch) (((_ch) == UNICODE_TAB) || \
|
|
((_ch) == UNICODE_LF) || \
|
|
((_ch) == UNICODE_CR) || \
|
|
((_ch) == UNICODE_SPACE) || \
|
|
((_ch) == UNICODE_CJK_SPACE) || \
|
|
((_ch) == UNICODE_NULL))
|
|
|
|
LOGICAL
|
|
MiInitializeDriverVerifierList (
|
|
IN PLOADER_PARAMETER_BLOCK LoaderBlock
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Parse the registry settings and set up the list of driver names that will
|
|
be put through the validation process.
|
|
|
|
It is important that this list be parsed early because the machine-specific
|
|
memory management initialization needs to know whether the verifier is
|
|
going to be enabled.
|
|
|
|
Arguments:
|
|
|
|
LoaderBlock - Supplies the loader block used by the system to boot.
|
|
|
|
Return Value:
|
|
|
|
TRUE if successful, FALSE if not.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization.
|
|
|
|
Nonpaged (but not paged) pool exists.
|
|
|
|
The PsLoadedModuleList has not been set up yet AND the boot drivers
|
|
have NOT been relocated to their final resting places.
|
|
|
|
--*/
|
|
|
|
{
|
|
PWCHAR Start;
|
|
PWCHAR End;
|
|
PWCHAR Walk;
|
|
ULONG NameLength;
|
|
LARGE_INTEGER CurrentTime;
|
|
UNICODE_STRING KernelString;
|
|
UNICODE_STRING DriverBaseName;
|
|
|
|
UNREFERENCED_PARAMETER (LoaderBlock);
|
|
|
|
InitializeListHead (&MiSuspectDriverList);
|
|
|
|
if (MmVerifyDriverLevel != (ULONG)-1) {
|
|
if (MmVerifyDriverLevel & DRIVER_VERIFIER_IO_CHECKING) {
|
|
if (MmVerifyDriverBufferLength == (ULONG)-1) {
|
|
MmVerifyDriverBufferLength = 0; // Mm will not page out verifier pages.
|
|
}
|
|
}
|
|
}
|
|
|
|
if (MmVerifyDriverBufferLength == (ULONG)-1) {
|
|
|
|
if (MmDontVerifyRandomDrivers == TRUE) {
|
|
return FALSE;
|
|
}
|
|
|
|
MmVerifyDriverBufferLength = 0;
|
|
|
|
CurrentTime = KeQueryPerformanceCounter (NULL);
|
|
CurrentTime.LowPart = (CurrentTime.LowPart % 26);
|
|
|
|
MiVerifyRandomDrivers = (WCHAR)('A' + (WCHAR)CurrentTime.LowPart);
|
|
|
|
if ((MiVerifyRandomDrivers == (WCHAR)'H') ||
|
|
(MiVerifyRandomDrivers == (WCHAR)'J') ||
|
|
(MiVerifyRandomDrivers == (WCHAR)'X') ||
|
|
(MiVerifyRandomDrivers == (WCHAR)'Y') ||
|
|
(MiVerifyRandomDrivers == (WCHAR)'Z')) {
|
|
MiVerifyRandomDrivers = (WCHAR)'X';
|
|
}
|
|
}
|
|
|
|
KeInitializeSpinLock (&VerifierListLock);
|
|
|
|
KeInitializeSpinLock (&VerifierPoolLock);
|
|
ExInitializeFastMutex (&VerifierPoolMutex);
|
|
|
|
//
|
|
// Initializing this listhead indicates to the rest of this module that
|
|
// the system was booted with verification of some sort configured.
|
|
//
|
|
|
|
InitializeListHead (&MiVerifierDriverAddedThunkListHead);
|
|
|
|
//
|
|
// If no default is specified, then special pool, pagable code/data
|
|
// flushing and pool leak detection are enabled.
|
|
//
|
|
|
|
if (MmVerifyDriverLevel == (ULONG)-1) {
|
|
MmVerifierData.Level = DRIVER_VERIFIER_SPECIAL_POOLING |
|
|
DRIVER_VERIFIER_FORCE_IRQL_CHECKING |
|
|
DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS;
|
|
}
|
|
else {
|
|
MmVerifierData.Level = MmVerifyDriverLevel;
|
|
}
|
|
|
|
VerifierModifyableOptions = (DRIVER_VERIFIER_SPECIAL_POOLING |
|
|
DRIVER_VERIFIER_FORCE_IRQL_CHECKING |
|
|
DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES);
|
|
|
|
//
|
|
// An initial parse of the driver list is needed here to see if it's the
|
|
// kernel as special machine-dependent initialization is needed to fully
|
|
// support kernel verification (ie: no use of large pages, etc).
|
|
//
|
|
|
|
if (MiVerifyRandomDrivers == (WCHAR)0) {
|
|
|
|
RtlInitUnicodeString (&KernelString, (PUSHORT)L"ntoskrnl.exe");
|
|
|
|
Start = MmVerifyDriverBuffer;
|
|
End = MmVerifyDriverBuffer + (MmVerifyDriverBufferLength - sizeof(WCHAR)) / sizeof(WCHAR);
|
|
|
|
while (Start < End) {
|
|
if (UNICODE_WHITESPACE(*Start)) {
|
|
Start += 1;
|
|
continue;
|
|
}
|
|
|
|
if (*Start == (WCHAR)'*') {
|
|
MiVerifyAllDrivers = TRUE;
|
|
break;
|
|
}
|
|
|
|
for (Walk = Start; Walk < End; Walk += 1) {
|
|
if (UNICODE_WHITESPACE(*Walk)) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Got a string - see if it indicates the kernel.
|
|
//
|
|
|
|
NameLength = (ULONG)(Walk - Start + 1) * sizeof (WCHAR);
|
|
|
|
DriverBaseName.Buffer = Start;
|
|
DriverBaseName.Length = (USHORT)(NameLength - sizeof (UNICODE_NULL));
|
|
DriverBaseName.MaximumLength = (USHORT)NameLength;
|
|
|
|
if (RtlEqualUnicodeString (&KernelString,
|
|
&DriverBaseName,
|
|
TRUE)) {
|
|
|
|
//
|
|
// AcquireAtDpc/ReleaseFromDpc calls made by the kernel are not
|
|
// intercepted which confuses the deadlock verifier. So disable
|
|
// deadlock verification if we are kernel verifying.
|
|
//
|
|
|
|
MmVerifyDriverLevel &= ~DRIVER_VERIFIER_DEADLOCK_DETECTION;
|
|
MmVerifierData.Level &= ~DRIVER_VERIFIER_DEADLOCK_DETECTION;
|
|
|
|
//
|
|
//
|
|
// All driver pool allocation calls must be intercepted so
|
|
// they are not mistaken for kernel pool allocations.
|
|
//
|
|
|
|
MiVerifyAllDrivers = TRUE;
|
|
KernelVerifier = TRUE;
|
|
ExSetPoolFlags (EX_KERNEL_VERIFIER_ENABLED);
|
|
break;
|
|
}
|
|
|
|
Start = Walk + 1;
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
VOID
|
|
MiReApplyVerifierToLoadedModules(
|
|
IN PLIST_ENTRY ModuleListHead
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Walk the supplied module list and re-thunk any drivers that are being
|
|
verified. This allows the module to pick up any new thunks that have
|
|
been added.
|
|
|
|
Arguments:
|
|
|
|
ModuleListHead - Supplies a pointer to the head of a loaded module list.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization only.
|
|
|
|
--*/
|
|
|
|
{
|
|
LOGICAL Skip;
|
|
PLIST_ENTRY Entry;
|
|
PKLDR_DATA_TABLE_ENTRY TableEntry;
|
|
UNICODE_STRING HalString;
|
|
UNICODE_STRING KernelString;
|
|
|
|
//
|
|
// If the thunk listhead is NULL then the verifier is not enabled so
|
|
// don't notify any components.
|
|
//
|
|
|
|
if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Initialize unicode strings to use to bypass modules
|
|
// in the list. There's no reason to reapply verifier to
|
|
// the kernel or to the hal.
|
|
//
|
|
|
|
RtlInitUnicodeString (&KernelString, (PUSHORT)L"ntoskrnl.exe");
|
|
RtlInitUnicodeString (&HalString, (PUSHORT)L"hal.dll");
|
|
|
|
//
|
|
// Walk the list and reapply verifier to all the modules except those
|
|
// selected for exclusion.
|
|
//
|
|
|
|
Entry = ModuleListHead->Flink;
|
|
while (Entry != ModuleListHead) {
|
|
|
|
TableEntry = CONTAINING_RECORD(Entry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
Skip = TRUE;
|
|
|
|
if (RtlEqualUnicodeString (&KernelString,
|
|
&TableEntry->BaseDllName,
|
|
TRUE)) {
|
|
NOTHING;
|
|
}
|
|
else if (RtlEqualUnicodeString (&HalString,
|
|
&TableEntry->BaseDllName,
|
|
TRUE)) {
|
|
NOTHING;
|
|
}
|
|
else {
|
|
Skip = FALSE;
|
|
}
|
|
|
|
//
|
|
// Reapply verifier thunks to the image if it is already being
|
|
// verified and if it is not one of the modules we've decided to skip.
|
|
//
|
|
|
|
if ((Skip == FALSE) && (TableEntry->Flags & LDRP_IMAGE_VERIFYING)) {
|
|
#if DBG
|
|
PLIST_ENTRY NextEntry;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
|
|
//
|
|
// Initializing Verifier is not needed for correctness, but
|
|
// without it the compiler cannot compile this code W4 to check
|
|
// for use of uninitialized variables.
|
|
//
|
|
|
|
Verifier = NULL;
|
|
|
|
//
|
|
// Find the entry for this driver in the suspect list. This is
|
|
// expected to succeed since we are re-applying thunks to a module
|
|
// that has already been verified at least once before.
|
|
//
|
|
|
|
NextEntry = MiSuspectDriverList.Flink;
|
|
while (NextEntry != &MiSuspectDriverList) {
|
|
|
|
Verifier = CONTAINING_RECORD(NextEntry,
|
|
MI_VERIFIER_DRIVER_ENTRY,
|
|
Links);
|
|
|
|
if (RtlEqualUnicodeString (&Verifier->BaseName,
|
|
&TableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
break;
|
|
}
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
ASSERT (NextEntry != &MiSuspectDriverList);
|
|
|
|
//
|
|
// Sanity tests. We should always find this module in the suspect
|
|
// driver list because it is already being verified. And the
|
|
// start and end addresses should still match those of the this
|
|
// module.
|
|
//
|
|
|
|
ASSERT(NextEntry != &MiSuspectDriverList);
|
|
ASSERT(Verifier->StartAddress == TableEntry->DllBase);
|
|
ASSERT(Verifier->EndAddress ==
|
|
(PVOID)((ULONG_PTR)TableEntry->DllBase +
|
|
TableEntry->SizeOfImage));
|
|
#endif
|
|
MiReEnableVerifier (TableEntry);
|
|
}
|
|
|
|
Entry = Entry->Flink;
|
|
}
|
|
}
|
|
|
|
LOGICAL
|
|
MiInitializeVerifyingComponents (
|
|
IN PLOADER_PARAMETER_BLOCK LoaderBlock
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Walk the loaded module list and thunk any drivers that need/deserve it.
|
|
|
|
Arguments:
|
|
|
|
LoaderBlock - Supplies the loader block used by the system to boot.
|
|
|
|
Return Value:
|
|
|
|
TRUE if successful, FALSE if not.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization.
|
|
|
|
Both nonpaged and paged pool exist.
|
|
|
|
The PsLoadedModuleList has not been set up yet although the boot drivers
|
|
have been relocated to their final resting places.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG i;
|
|
PWCHAR Start;
|
|
PWCHAR End;
|
|
PWCHAR Walk;
|
|
ULONG NameLength;
|
|
PLIST_ENTRY NextEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
PMI_VERIFIER_DRIVER_ENTRY KernelEntry;
|
|
PMI_VERIFIER_DRIVER_ENTRY HalEntry;
|
|
UNICODE_STRING HalString;
|
|
UNICODE_STRING KernelString;
|
|
PVERIFIER_THUNKS Thunk;
|
|
PDRIVER_VERIFIER_THUNK_ROUTINE PristineRoutine;
|
|
|
|
//
|
|
// If the thunk listhead is NULL then the verifier is not enabled so
|
|
// don't notify any components.
|
|
//
|
|
|
|
if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
KernelEntry = NULL;
|
|
HalEntry = NULL;
|
|
|
|
if (MiVerifyRandomDrivers == (WCHAR)0) {
|
|
|
|
RtlInitUnicodeString (&KernelString, (PUSHORT)L"ntoskrnl.exe");
|
|
RtlInitUnicodeString (&HalString, (PUSHORT)L"hal.dll");
|
|
|
|
Start = MmVerifyDriverBuffer;
|
|
End = MmVerifyDriverBuffer + (MmVerifyDriverBufferLength - sizeof(WCHAR)) / sizeof(WCHAR);
|
|
|
|
while (Start < End) {
|
|
if (UNICODE_WHITESPACE(*Start)) {
|
|
Start += 1;
|
|
continue;
|
|
}
|
|
|
|
if (*Start == (WCHAR)'*') {
|
|
MiVerifyAllDrivers = TRUE;
|
|
break;
|
|
}
|
|
|
|
for (Walk = Start; Walk < End; Walk += 1) {
|
|
if (UNICODE_WHITESPACE(*Walk)) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Got a string. Save it.
|
|
//
|
|
|
|
NameLength = (ULONG)(Walk - Start + 1) * sizeof (WCHAR);
|
|
|
|
Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
|
|
NonPagedPool,
|
|
sizeof (MI_VERIFIER_DRIVER_ENTRY) +
|
|
NameLength,
|
|
'dLmM');
|
|
|
|
if (Verifier == NULL) {
|
|
break;
|
|
}
|
|
|
|
Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier +
|
|
sizeof (MI_VERIFIER_DRIVER_ENTRY));
|
|
Verifier->BaseName.Length = (USHORT)(NameLength - sizeof (UNICODE_NULL));
|
|
Verifier->BaseName.MaximumLength = (USHORT)NameLength;
|
|
|
|
RtlCopyMemory (Verifier->BaseName.Buffer,
|
|
Start,
|
|
NameLength - sizeof (UNICODE_NULL));
|
|
|
|
ViInitializeEntry (Verifier, TRUE);
|
|
|
|
Verifier->Flags |= VI_VERIFYING_DIRECTLY;
|
|
|
|
ViInsertVerifierEntry (Verifier);
|
|
|
|
if (RtlEqualUnicodeString (&KernelString,
|
|
&Verifier->BaseName,
|
|
TRUE)) {
|
|
|
|
//
|
|
// All driver pool allocation calls must be intercepted so
|
|
// they are not mistaken for kernel pool allocations.
|
|
//
|
|
|
|
ASSERT (MiVerifyAllDrivers == TRUE);
|
|
ASSERT (KernelVerifier == TRUE);
|
|
|
|
KernelEntry = Verifier;
|
|
|
|
}
|
|
else if (RtlEqualUnicodeString (&HalString,
|
|
&Verifier->BaseName,
|
|
TRUE)) {
|
|
|
|
HalEntry = Verifier;
|
|
}
|
|
|
|
Start = Walk + 1;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Enable deadlock detection if the deadlock bit was set in the
|
|
// registry.
|
|
//
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_DEADLOCK_DETECTION) {
|
|
VfDeadlockDetectionInitialize (MiVerifyAllDrivers, KernelVerifier);
|
|
ExSetPoolFlags (EX_VERIFIER_DEADLOCK_DETECTION_ENABLED);
|
|
}
|
|
|
|
//
|
|
// Initialize i/o verifier.
|
|
//
|
|
|
|
IoVerifierInit (MmVerifierData.Level);
|
|
|
|
if (MiTriageAddDrivers (LoaderBlock) == TRUE) {
|
|
|
|
//
|
|
// Disable random driver verification if triage has picked driver(s).
|
|
//
|
|
|
|
MiVerifyRandomDrivers = (WCHAR)0;
|
|
}
|
|
|
|
Thunk = (PVERIFIER_THUNKS) &MiVerifierThunks[0];
|
|
|
|
while (Thunk->PristineRoutineAsciiName != NULL) {
|
|
PristineRoutine = MiResolveVerifierExports (LoaderBlock,
|
|
Thunk->PristineRoutineAsciiName);
|
|
ASSERT (PristineRoutine != NULL);
|
|
Thunk->PristineRoutine = PristineRoutine;
|
|
Thunk += 1;
|
|
}
|
|
|
|
Thunk = (PVERIFIER_THUNKS) &MiVerifierPoolThunks[0];
|
|
while (Thunk->PristineRoutineAsciiName != NULL) {
|
|
PristineRoutine = MiResolveVerifierExports (LoaderBlock,
|
|
Thunk->PristineRoutineAsciiName);
|
|
ASSERT (PristineRoutine != NULL);
|
|
Thunk->PristineRoutine = PristineRoutine;
|
|
Thunk += 1;
|
|
}
|
|
|
|
//
|
|
// Process the boot-loaded drivers now.
|
|
//
|
|
|
|
i = 0;
|
|
NextEntry = LoaderBlock->LoadOrderListHead.Flink;
|
|
|
|
for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) {
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
//
|
|
// Process the kernel and HAL specially.
|
|
//
|
|
|
|
if (i == 0) {
|
|
if (KernelEntry != NULL) {
|
|
MiApplyDriverVerifier (DataTableEntry, KernelEntry);
|
|
}
|
|
}
|
|
else if (i == 1) {
|
|
if (HalEntry != NULL) {
|
|
MiApplyDriverVerifier (DataTableEntry, HalEntry);
|
|
}
|
|
}
|
|
else {
|
|
MiApplyDriverVerifier (DataTableEntry, NULL);
|
|
}
|
|
i += 1;
|
|
}
|
|
|
|
//
|
|
// Initialize irql tracking package. The drivers that will be verified
|
|
// will have automatically tracked all their raise/lower irql operations.
|
|
//
|
|
|
|
ViTrackIrqlInitialize ();
|
|
|
|
//
|
|
// Initialize fault injection stack trace log package.
|
|
//
|
|
|
|
#if defined(_X86_)
|
|
ViFaultTracesInitialize ();
|
|
#endif
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
NTSTATUS
|
|
MmAddVerifierEntry (
|
|
IN PUNICODE_STRING ImageFileName
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine inserts a new verifier entry for the specified driver so that
|
|
when the driver is loaded it will automatically be verified.
|
|
|
|
Note that if the driver is already loaded, then no entry is added and
|
|
STATUS_IMAGE_ALREADY_LOADED is returned.
|
|
|
|
If the system was booted with an empty verifier list, then no entries can
|
|
be added now as the current system configuration will not support special
|
|
pool, etc.
|
|
|
|
Note also that no registry changes are made so any insertions made by this
|
|
routine are lost on reboot.
|
|
|
|
Arguments:
|
|
|
|
ImageFileName - Supplies the name of the desired driver.
|
|
|
|
Return Value:
|
|
|
|
Various NTSTATUS codes.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, PASSIVE_LEVEL, arbitrary process context.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKTHREAD CurrentThread;
|
|
PLIST_ENTRY NextEntry;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
PMI_VERIFIER_DRIVER_ENTRY VerifierEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
|
|
ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL);
|
|
|
|
//
|
|
// If the system was not booted with verification on, then bail.
|
|
//
|
|
|
|
if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
|
|
return STATUS_NOT_SUPPORTED;
|
|
}
|
|
|
|
//
|
|
// First build up a verifier entry.
|
|
//
|
|
|
|
Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
|
|
NonPagedPool,
|
|
sizeof (MI_VERIFIER_DRIVER_ENTRY) +
|
|
ImageFileName->MaximumLength,
|
|
'dLmM');
|
|
|
|
if (Verifier == NULL) {
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier +
|
|
sizeof (MI_VERIFIER_DRIVER_ENTRY));
|
|
Verifier->BaseName.Length = ImageFileName->Length;
|
|
Verifier->BaseName.MaximumLength = ImageFileName->MaximumLength;
|
|
|
|
RtlCopyMemory (Verifier->BaseName.Buffer,
|
|
ImageFileName->Buffer,
|
|
ImageFileName->Length);
|
|
|
|
ViInitializeEntry (Verifier, TRUE);
|
|
|
|
Verifier->Flags |= VI_VERIFYING_DIRECTLY;
|
|
|
|
//
|
|
// Arbitrary process context so prevent suspend APCs now.
|
|
//
|
|
|
|
CurrentThread = KeGetCurrentThread ();
|
|
KeEnterCriticalRegionThread (CurrentThread);
|
|
|
|
//
|
|
// Acquire the load lock so the verifier list can be read.
|
|
// Then ensure that the specified driver is not already in the list.
|
|
//
|
|
|
|
KeWaitForSingleObject (&MmSystemLoadLock,
|
|
WrVirtualMemory,
|
|
KernelMode,
|
|
FALSE,
|
|
(PLARGE_INTEGER)NULL);
|
|
|
|
//
|
|
// Check to make sure the requested entry is not already present in
|
|
// the verifier list and that the driver is not currently loaded.
|
|
//
|
|
|
|
NextEntry = MiSuspectDriverList.Flink;
|
|
while (NextEntry != &MiSuspectDriverList) {
|
|
|
|
VerifierEntry = CONTAINING_RECORD(NextEntry,
|
|
MI_VERIFIER_DRIVER_ENTRY,
|
|
Links);
|
|
|
|
if (RtlEqualUnicodeString (&Verifier->BaseName,
|
|
&VerifierEntry->BaseName,
|
|
TRUE)) {
|
|
|
|
//
|
|
// The driver is already in the verifier list - just mark the
|
|
// entry as verification-enabled and free the temporary allocation.
|
|
//
|
|
|
|
if ((VerifierEntry->Loads > VerifierEntry->Unloads) &&
|
|
(VerifierEntry->Flags & VI_DISABLE_VERIFICATION)) {
|
|
|
|
//
|
|
// The driver is loaded and verification is disabled. Don't
|
|
// turn it on now because we don't want to mislead our caller.
|
|
//
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
ExFreePool (Verifier);
|
|
return STATUS_IMAGE_ALREADY_LOADED;
|
|
}
|
|
VerifierEntry->Flags &= ~VI_DISABLE_VERIFICATION;
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
ExFreePool (Verifier);
|
|
return STATUS_SUCCESS;
|
|
}
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
//
|
|
// A new verifier entry will need to be added so check to
|
|
// make sure the specified driver is not already loaded.
|
|
//
|
|
|
|
ExAcquireResourceSharedLite (&PsLoadedModuleResource, TRUE);
|
|
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
while (NextEntry != &PsLoadedModuleList) {
|
|
|
|
DataTableEntry = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
if (RtlEqualUnicodeString (&Verifier->BaseName,
|
|
&DataTableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
ExReleaseResourceLite (&PsLoadedModuleResource);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
ExFreePool (Verifier);
|
|
return STATUS_IMAGE_ALREADY_LOADED;
|
|
}
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
//
|
|
// The entry is not already in the verifier list and the driver is not
|
|
// currently loaded. Proceed to insert it now.
|
|
//
|
|
|
|
ViInsertVerifierEntry (Verifier);
|
|
|
|
ExReleaseResourceLite (&PsLoadedModuleResource);
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
NTSTATUS
|
|
MmRemoveVerifierEntry (
|
|
IN PUNICODE_STRING ImageFileName
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine doesn't actually remove the verifier entry for the
|
|
specified driver as we don't want to lose any valuable information
|
|
already gathered on the driver if it was previously loaded.
|
|
Instead, this routine disables verification for this driver for future
|
|
loads.
|
|
|
|
Note that if the driver is already loaded, then the removal is not
|
|
performed and STATUS_IMAGE_ALREADY_LOADED is returned.
|
|
|
|
Note also that no registry changes are made so any removals made by this
|
|
routine are lost on reboot.
|
|
|
|
Arguments:
|
|
|
|
ImageFileName - Supplies the name of the desired driver.
|
|
|
|
Return Value:
|
|
|
|
Various NTSTATUS codes.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, PASSIVE_LEVEL, arbitrary process context.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKTHREAD CurrentThread;
|
|
PLIST_ENTRY NextEntry;
|
|
PMI_VERIFIER_DRIVER_ENTRY VerifierEntry;
|
|
|
|
ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL);
|
|
|
|
//
|
|
// If the system was not booted with verification on, then bail.
|
|
//
|
|
|
|
if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
|
|
return STATUS_NOT_SUPPORTED;
|
|
}
|
|
|
|
//
|
|
// Arbitrary process context so prevent suspend APCs now.
|
|
//
|
|
|
|
CurrentThread = KeGetCurrentThread ();
|
|
KeEnterCriticalRegionThread (CurrentThread);
|
|
|
|
//
|
|
// Acquire the load lock so the verifier list can be read.
|
|
// Then ensure that the specified driver is not already in the list.
|
|
//
|
|
|
|
KeWaitForSingleObject (&MmSystemLoadLock,
|
|
WrVirtualMemory,
|
|
KernelMode,
|
|
FALSE,
|
|
(PLARGE_INTEGER)NULL);
|
|
|
|
//
|
|
// Check to make sure the requested entry is not already present in
|
|
// the verifier list and that the driver is not currently loaded.
|
|
//
|
|
|
|
NextEntry = MiSuspectDriverList.Flink;
|
|
while (NextEntry != &MiSuspectDriverList) {
|
|
|
|
VerifierEntry = CONTAINING_RECORD(NextEntry,
|
|
MI_VERIFIER_DRIVER_ENTRY,
|
|
Links);
|
|
|
|
if (RtlEqualUnicodeString (ImageFileName,
|
|
&VerifierEntry->BaseName,
|
|
TRUE)) {
|
|
|
|
//
|
|
// The driver is already in the verifier list - just mark the
|
|
// entry as verification-enabled and free the temporary allocation.
|
|
// No need to check the loaded module list if the entry is already
|
|
// in the verifier list.
|
|
//
|
|
|
|
if ((VerifierEntry->Loads > VerifierEntry->Unloads) &&
|
|
((VerifierEntry->Flags & VI_DISABLE_VERIFICATION) == 0)) {
|
|
|
|
//
|
|
// The driver is loaded and verification is enabled. Don't
|
|
// disable it now because we don't want to mislead our caller.
|
|
//
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
return STATUS_IMAGE_ALREADY_LOADED;
|
|
}
|
|
|
|
VerifierEntry->Flags |= VI_DISABLE_VERIFICATION;
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
return STATUS_SUCCESS;
|
|
}
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
return STATUS_NOT_FOUND;
|
|
}
|
|
|
|
VOID
|
|
ViInsertVerifierEntry (
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Nonpagable wrapper to insert a new verifier entry.
|
|
|
|
Note that the system load mutant or the verifier load spinlock is sufficient
|
|
for readers to access the list. This is because the insertion path
|
|
acquires both.
|
|
|
|
Lock synchronization is needed because pool allocators walk the
|
|
verifier list at DISPATCH_LEVEL.
|
|
|
|
Arguments:
|
|
|
|
Verifier - Supplies a caller-initialized entry for the driver.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
|
|
ExAcquireSpinLock (&VerifierListLock, &OldIrql);
|
|
InsertTailList (&MiSuspectDriverList, &Verifier->Links);
|
|
ExReleaseSpinLock (&VerifierListLock, OldIrql);
|
|
}
|
|
|
|
PMI_VERIFIER_DRIVER_ENTRY
|
|
ViLocateVerifierEntry (
|
|
IN PVOID SystemAddress
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Locate the Driver Verifier entry for the specified system address.
|
|
|
|
Arguments:
|
|
|
|
SystemAddress - Supplies a code or data address within a driver.
|
|
|
|
Return Value:
|
|
|
|
The Verifier entry corresponding to the driver or NULL.
|
|
|
|
Environment:
|
|
|
|
The caller may be at DISPATCH_LEVEL and does not hold the MmSystemLoadLock.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
PLIST_ENTRY NextEntry;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
|
|
ExAcquireSpinLock (&VerifierListLock, &OldIrql);
|
|
|
|
NextEntry = MiSuspectDriverList.Flink;
|
|
while (NextEntry != &MiSuspectDriverList) {
|
|
|
|
Verifier = CONTAINING_RECORD(NextEntry,
|
|
MI_VERIFIER_DRIVER_ENTRY,
|
|
Links);
|
|
|
|
if ((SystemAddress >= Verifier->StartAddress) &&
|
|
(SystemAddress < Verifier->EndAddress)) {
|
|
|
|
ExReleaseSpinLock (&VerifierListLock, OldIrql);
|
|
return Verifier;
|
|
}
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
ExReleaseSpinLock (&VerifierListLock, OldIrql);
|
|
return NULL;
|
|
}
|
|
|
|
LOGICAL
|
|
MiApplyDriverVerifier (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry,
|
|
IN PMI_VERIFIER_DRIVER_ENTRY Verifier
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function is called as each module is loaded. If the module being
|
|
loaded is in the suspect list, thunk it here.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the data table entry for the module.
|
|
|
|
Verifier - Non-NULL if verification must be applied. FALSE indicates
|
|
that the driver name must match for verification to be
|
|
applied.
|
|
|
|
Return Value:
|
|
|
|
TRUE if thunking was applied, FALSE if not.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization and normal runtime.
|
|
Non paged pool exists in Phase0, but paged pool does not.
|
|
Post-Phase0 serialization is provided by the MmSystemLoadLock.
|
|
|
|
--*/
|
|
|
|
{
|
|
WCHAR FirstChar;
|
|
LOGICAL Found;
|
|
PLIST_ENTRY NextEntry;
|
|
ULONG VerifierFlags;
|
|
|
|
if (Verifier != NULL) {
|
|
Found = TRUE;
|
|
}
|
|
else {
|
|
Found = FALSE;
|
|
NextEntry = MiSuspectDriverList.Flink;
|
|
while (NextEntry != &MiSuspectDriverList) {
|
|
|
|
Verifier = CONTAINING_RECORD(NextEntry,
|
|
MI_VERIFIER_DRIVER_ENTRY,
|
|
Links);
|
|
|
|
if (RtlEqualUnicodeString (&Verifier->BaseName,
|
|
&DataTableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
Found = TRUE;
|
|
ViInitializeEntry (Verifier, FALSE);
|
|
break;
|
|
}
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
}
|
|
|
|
if (Found == FALSE) {
|
|
VerifierFlags = VI_VERIFYING_DIRECTLY;
|
|
if (MiVerifyAllDrivers == TRUE) {
|
|
if (KernelVerifier == TRUE) {
|
|
VerifierFlags = VI_VERIFYING_INVERSELY;
|
|
}
|
|
Found = TRUE;
|
|
}
|
|
else if (MiVerifyRandomDrivers != (WCHAR)0) {
|
|
|
|
//
|
|
// Wildcard match drivers randomly.
|
|
//
|
|
|
|
FirstChar = RtlUpcaseUnicodeChar(DataTableEntry->BaseDllName.Buffer[0]);
|
|
|
|
if (MiVerifyRandomDrivers == FirstChar) {
|
|
Found = TRUE;
|
|
}
|
|
else if (MiVerifyRandomDrivers == (WCHAR)'X') {
|
|
if ((FirstChar >= (WCHAR)'0') && (FirstChar <= (WCHAR)'9')) {
|
|
Found = TRUE;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (Found == FALSE) {
|
|
return FALSE;
|
|
}
|
|
|
|
Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag (
|
|
NonPagedPool,
|
|
sizeof (MI_VERIFIER_DRIVER_ENTRY) +
|
|
DataTableEntry->BaseDllName.MaximumLength,
|
|
'dLmM');
|
|
|
|
if (Verifier == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier +
|
|
sizeof (MI_VERIFIER_DRIVER_ENTRY));
|
|
Verifier->BaseName.Length = DataTableEntry->BaseDllName.Length;
|
|
Verifier->BaseName.MaximumLength = DataTableEntry->BaseDllName.MaximumLength;
|
|
|
|
RtlCopyMemory (Verifier->BaseName.Buffer,
|
|
DataTableEntry->BaseDllName.Buffer,
|
|
DataTableEntry->BaseDllName.Length);
|
|
|
|
ViInitializeEntry (Verifier, TRUE);
|
|
|
|
Verifier->Flags = VerifierFlags;
|
|
|
|
ViInsertVerifierEntry (Verifier);
|
|
}
|
|
|
|
Verifier->StartAddress = DataTableEntry->DllBase;
|
|
Verifier->EndAddress = (PVOID)((ULONG_PTR)DataTableEntry->DllBase + DataTableEntry->SizeOfImage);
|
|
|
|
ASSERT (Found == TRUE);
|
|
|
|
if (Verifier->Flags & VI_DISABLE_VERIFICATION) {
|
|
|
|
//
|
|
// We've been instructed to not verify this driver. If kernel
|
|
// verification is enabled, then the driver must still be thunked
|
|
// for "inverse-verification". If kernel verification is disabled,
|
|
// nothing needs to be done here except load/unload counting.
|
|
//
|
|
|
|
if (KernelVerifier == TRUE) {
|
|
Found = MiEnableVerifier (DataTableEntry);
|
|
}
|
|
else {
|
|
Found = FALSE;
|
|
}
|
|
}
|
|
else {
|
|
Found = MiEnableVerifier (DataTableEntry);
|
|
}
|
|
|
|
if (Found == TRUE) {
|
|
|
|
if (Verifier->Flags & VI_VERIFYING_DIRECTLY &&
|
|
((DataTableEntry->Flags & LDRP_IMAGE_VERIFYING) == 0)) {
|
|
ViPrintString (&DataTableEntry->BaseDllName);
|
|
}
|
|
|
|
MmVerifierData.Loads += 1;
|
|
Verifier->Loads += 1;
|
|
|
|
DataTableEntry->Flags |= LDRP_IMAGE_VERIFYING;
|
|
MiActiveVerifies += 1;
|
|
|
|
if (MiActiveVerifies == 1) {
|
|
|
|
#ifndef NO_POOL_CHECKS
|
|
|
|
//
|
|
// If a loaded driver(s) is undergoing validation, the default
|
|
// special pool randomizer is disabled as the precious virtual
|
|
// address space and physical memory is being put to specific
|
|
// use.
|
|
//
|
|
|
|
MiEnableRandomSpecialPool (FALSE);
|
|
#endif
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
|
|
//
|
|
// Page out all thread stacks as soon as possible to
|
|
// catch drivers using local events that do usermode waits.
|
|
//
|
|
|
|
if (KernelVerifier == FALSE) {
|
|
MiVerifierStackProtectTime = KiStackProtectTime;
|
|
KiStackProtectTime = 0;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return Found;
|
|
}
|
|
|
|
PUNICODE_STRING ViBadDriver;
|
|
|
|
VOID
|
|
MiVerifyingDriverUnloading (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function is called as a driver that was being verified is now being
|
|
unloaded.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the data table entry for the driver.
|
|
|
|
Return Value:
|
|
|
|
TRUE if thunking was applied, FALSE if not.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization and normal runtime.
|
|
Non paged pool exists in Phase0, but paged pool does not.
|
|
Post-Phase0 serialization is provided by the MmSystemLoadLock.
|
|
|
|
--*/
|
|
|
|
{
|
|
KIRQL OldIrql;
|
|
PLIST_ENTRY NextEntry;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
PVI_POOL_ENTRY OldHashTable;
|
|
|
|
//
|
|
// Initializing Verifier is not needed for correctness, but without it
|
|
// the compiler cannot compile this code W4 to check for use of
|
|
// uninitialized variables.
|
|
//
|
|
|
|
Verifier = NULL;
|
|
|
|
NextEntry = MiSuspectDriverList.Flink;
|
|
while (NextEntry != &MiSuspectDriverList) {
|
|
|
|
Verifier = CONTAINING_RECORD(NextEntry,
|
|
MI_VERIFIER_DRIVER_ENTRY,
|
|
Links);
|
|
|
|
if (RtlEqualUnicodeString (&Verifier->BaseName,
|
|
&DataTableEntry->BaseDllName,
|
|
TRUE)) {
|
|
|
|
break;
|
|
}
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
|
|
ASSERT (NextEntry != &MiSuspectDriverList);
|
|
|
|
//
|
|
// Delete any static locks in the driver image.
|
|
//
|
|
// silviuc: might be able to get rid of this call if we get a
|
|
// hook in MmSystemImageUnload.
|
|
//
|
|
|
|
VfDeadlockDeleteMemoryRange(DataTableEntry->DllBase,
|
|
(SIZE_T) DataTableEntry->SizeOfImage);
|
|
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) {
|
|
|
|
//
|
|
// Better not be any pool left that wasn't freed.
|
|
//
|
|
|
|
if (Verifier->PagedBytes) {
|
|
|
|
#if DBG
|
|
DbgPrint ("Driver %wZ leaked %d paged pool allocations (0x%x bytes)\n",
|
|
&DataTableEntry->FullDllName,
|
|
Verifier->CurrentPagedPoolAllocations,
|
|
Verifier->PagedBytes);
|
|
#endif
|
|
|
|
//
|
|
// It would be nice to fault in the driver's paged pool allocations
|
|
// now to make debugging easier, but this cannot be easily done
|
|
// in a deadlock free manner.
|
|
//
|
|
// At least disable the paging of pool on IRQL raising in attempt
|
|
// to keep some of these allocations resident for debugging.
|
|
// No need to undo the increment as we're about to bugcheck anyway.
|
|
//
|
|
|
|
InterlockedIncrement ((PLONG)&MiNoPageOnRaiseIrql);
|
|
}
|
|
#if DBG
|
|
if (Verifier->NonPagedBytes) {
|
|
DbgPrint ("Driver %wZ leaked %d nonpaged pool allocations (0x%x bytes)\n",
|
|
&DataTableEntry->FullDllName,
|
|
Verifier->CurrentNonPagedPoolAllocations,
|
|
Verifier->NonPagedBytes);
|
|
}
|
|
#endif
|
|
|
|
if (Verifier->PagedBytes || Verifier->NonPagedBytes) {
|
|
#if 0
|
|
DbgBreakPoint ();
|
|
InterlockedDecrement (&MiNoPageOnRaiseIrql);
|
|
#else
|
|
//
|
|
// Snap this so the build/BVT lab can easily triage the culprit.
|
|
//
|
|
|
|
ViBadDriver = &Verifier->BaseName;
|
|
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x60,
|
|
Verifier->PagedBytes,
|
|
Verifier->NonPagedBytes,
|
|
Verifier->CurrentPagedPoolAllocations +
|
|
Verifier->CurrentNonPagedPoolAllocations);
|
|
#endif
|
|
}
|
|
|
|
ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql);
|
|
|
|
if (Verifier->PoolHashReserved != 0) {
|
|
KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION,
|
|
0x61,
|
|
Verifier->PagedBytes,
|
|
Verifier->NonPagedBytes,
|
|
Verifier->CurrentPagedPoolAllocations +
|
|
Verifier->CurrentNonPagedPoolAllocations);
|
|
}
|
|
|
|
OldHashTable = Verifier->PoolHash;
|
|
if (OldHashTable != NULL) {
|
|
Verifier->PoolHashSize = 0;
|
|
Verifier->PoolHashFree = VI_POOL_FREELIST_END;
|
|
Verifier->PoolHash = NULL;
|
|
}
|
|
else {
|
|
ASSERT (Verifier->PoolHashSize == 0);
|
|
ASSERT (Verifier->PoolHashFree == VI_POOL_FREELIST_END);
|
|
}
|
|
|
|
ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql);
|
|
|
|
if (OldHashTable != NULL) {
|
|
ExFreePool (OldHashTable);
|
|
}
|
|
|
|
//
|
|
// Clear these fields so reuse of stale addresses don't trigger
|
|
// erroneous bucket fills.
|
|
//
|
|
|
|
ExAcquireSpinLock (&VerifierListLock, &OldIrql);
|
|
Verifier->StartAddress = NULL;
|
|
Verifier->EndAddress = NULL;
|
|
ExReleaseSpinLock (&VerifierListLock, OldIrql);
|
|
}
|
|
|
|
Verifier->Unloads += 1;
|
|
MmVerifierData.Unloads += 1;
|
|
MiActiveVerifies -= 1;
|
|
|
|
if (MiActiveVerifies == 0) {
|
|
|
|
if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) {
|
|
|
|
//
|
|
// Return to normal thread stack protection.
|
|
//
|
|
|
|
if (KernelVerifier == FALSE) {
|
|
KiStackProtectTime = MiVerifierStackProtectTime;
|
|
}
|
|
}
|
|
|
|
#ifndef NO_POOL_CHECKS
|
|
MiEnableRandomSpecialPool (TRUE);
|
|
#endif
|
|
}
|
|
}
|
|
|
|
NTKERNELAPI
|
|
LOGICAL
|
|
MmIsDriverVerifying (
|
|
IN PDRIVER_OBJECT DriverObject
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function informs the caller if the argument driver is being verified.
|
|
|
|
Arguments:
|
|
|
|
DriverObject - Supplies the driver object.
|
|
|
|
Return Value:
|
|
|
|
TRUE if this driver is being verified, FALSE if not.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, any IRQL, any needed synchronization must be provided by the
|
|
caller.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
|
|
DataTableEntry = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
|
|
|
|
if (DataTableEntry == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
if ((DataTableEntry->Flags & LDRP_IMAGE_VERIFYING) == 0) {
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
NTSTATUS
|
|
MmAddVerifierThunks (
|
|
IN PVOID ThunkBuffer,
|
|
IN ULONG ThunkBufferSize
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine adds another set of thunks to the verifier list.
|
|
|
|
Arguments:
|
|
|
|
ThunkBuffer - Supplies the buffer containing the thunk pairs.
|
|
|
|
ThunkBufferSize - Supplies the number of bytes in the thunk buffer.
|
|
|
|
Return Value:
|
|
|
|
Returns the status of the operation.
|
|
|
|
Environment:
|
|
|
|
Kernel mode. APC_LEVEL and below, arbitrary process context.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG i;
|
|
PKTHREAD CurrentThread;
|
|
ULONG NumberOfThunkPairs;
|
|
PDRIVER_VERIFIER_THUNK_PAIRS ThunkPairs;
|
|
PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable;
|
|
PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry2;
|
|
PLIST_ENTRY NextEntry;
|
|
PVOID DriverStartAddress;
|
|
PVOID DriverEndAddress;
|
|
|
|
PAGED_CODE();
|
|
|
|
if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
|
|
return STATUS_NOT_SUPPORTED;
|
|
}
|
|
|
|
ThunkPairs = (PDRIVER_VERIFIER_THUNK_PAIRS)ThunkBuffer;
|
|
NumberOfThunkPairs = ThunkBufferSize / sizeof(DRIVER_VERIFIER_THUNK_PAIRS);
|
|
|
|
if (NumberOfThunkPairs == 0) {
|
|
return STATUS_INVALID_PARAMETER_1;
|
|
}
|
|
|
|
ThunkTableBase = (PDRIVER_SPECIFIED_VERIFIER_THUNKS) ExAllocatePoolWithTag (
|
|
PagedPool,
|
|
sizeof (DRIVER_SPECIFIED_VERIFIER_THUNKS) + NumberOfThunkPairs * sizeof (DRIVER_VERIFIER_THUNK_PAIRS),
|
|
'tVmM');
|
|
|
|
if (ThunkTableBase == NULL) {
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1);
|
|
|
|
RtlCopyMemory (ThunkTable,
|
|
ThunkPairs,
|
|
NumberOfThunkPairs * sizeof(DRIVER_VERIFIER_THUNK_PAIRS));
|
|
|
|
CurrentThread = KeGetCurrentThread ();
|
|
KeEnterCriticalRegionThread (CurrentThread);
|
|
|
|
KeWaitForSingleObject (&MmSystemLoadLock,
|
|
WrVirtualMemory,
|
|
KernelMode,
|
|
FALSE,
|
|
(PLARGE_INTEGER)NULL);
|
|
|
|
//
|
|
// Find and validate the image that contains the routines to be thunked.
|
|
//
|
|
|
|
DataTableEntry = MiLookupDataTableEntry ((PVOID)(ULONG_PTR)ThunkTable->PristineRoutine,
|
|
TRUE);
|
|
|
|
if (DataTableEntry == NULL) {
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
ExFreePool (ThunkTableBase);
|
|
return STATUS_INVALID_PARAMETER_2;
|
|
}
|
|
|
|
DriverStartAddress = (PVOID)(DataTableEntry->DllBase);
|
|
DriverEndAddress = (PVOID)((PCHAR)DataTableEntry->DllBase + DataTableEntry->SizeOfImage);
|
|
|
|
//
|
|
// Don't let drivers hook calls to kernel or HAL routines.
|
|
//
|
|
|
|
i = 0;
|
|
NextEntry = PsLoadedModuleList.Flink;
|
|
while (NextEntry != &PsLoadedModuleList) {
|
|
|
|
DataTableEntry2 = CONTAINING_RECORD(NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
if (DataTableEntry == DataTableEntry2) {
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
ExFreePool (ThunkTableBase);
|
|
return STATUS_INVALID_PARAMETER_2;
|
|
}
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
i += 1;
|
|
if (i >= 2) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
for (i = 0; i < NumberOfThunkPairs; i += 1) {
|
|
|
|
//
|
|
// Ensure all the routines being thunked are in the same driver.
|
|
//
|
|
|
|
if (((ULONG_PTR)ThunkTable->PristineRoutine < (ULONG_PTR)DriverStartAddress) ||
|
|
((ULONG_PTR)ThunkTable->PristineRoutine >= (ULONG_PTR)DriverEndAddress) ||
|
|
((ULONG_PTR)ThunkTable->NewRoutine < (ULONG_PTR)DriverStartAddress) ||
|
|
((ULONG_PTR)ThunkTable->NewRoutine >= (ULONG_PTR)DriverEndAddress)
|
|
) {
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
ExFreePool (ThunkTableBase);
|
|
return STATUS_INVALID_PARAMETER_2;
|
|
}
|
|
ThunkTable += 1;
|
|
}
|
|
|
|
//
|
|
// Add the validated thunk table to the verifier's global list.
|
|
//
|
|
|
|
ThunkTableBase->DataTableEntry = DataTableEntry;
|
|
ThunkTableBase->NumberOfThunks = NumberOfThunkPairs;
|
|
MiActiveVerifierThunks += 1;
|
|
|
|
InsertTailList (&MiVerifierDriverAddedThunkListHead,
|
|
&ThunkTableBase->ListEntry);
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
//
|
|
// Indicate that new thunks have been added to the verifier list.
|
|
//
|
|
|
|
MiVerifierThunksAdded += 1;
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
VOID
|
|
MiVerifierCheckThunks (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine adds another set of thunks to the verifier list.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the data table entry for the driver.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode. APC_LEVEL and below.
|
|
The system load lock must be held by the caller.
|
|
|
|
--*/
|
|
|
|
{
|
|
PLIST_ENTRY NextEntry;
|
|
PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
|
|
|
|
PAGED_CODE ();
|
|
|
|
//
|
|
// N.B. The DataTableEntry can move (see MiInitializeLoadedModuleList),
|
|
// but this only happens long before IoInitialize so this is safe.
|
|
//
|
|
|
|
NextEntry = MiVerifierDriverAddedThunkListHead.Flink;
|
|
while (NextEntry != &MiVerifierDriverAddedThunkListHead) {
|
|
|
|
ThunkTableBase = CONTAINING_RECORD(NextEntry,
|
|
DRIVER_SPECIFIED_VERIFIER_THUNKS,
|
|
ListEntry);
|
|
|
|
if (ThunkTableBase->DataTableEntry == DataTableEntry) {
|
|
RemoveEntryList (NextEntry);
|
|
NextEntry = NextEntry->Flink;
|
|
ExFreePool (ThunkTableBase);
|
|
MiActiveVerifierThunks -= 1;
|
|
|
|
//
|
|
// Keep looking as the driver may have made multiple calls.
|
|
//
|
|
|
|
continue;
|
|
}
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
}
|
|
|
|
NTSTATUS
|
|
MmIsVerifierEnabled (
|
|
OUT PULONG VerifierFlags
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine is called by drivers to query whether the Driver Verifier
|
|
is enabled and to find out what the currently enabled options are.
|
|
|
|
Arguments:
|
|
|
|
VerifierFlags - Returns the current driver verifier flags. Note these
|
|
flags can change dynamically without rebooting.
|
|
|
|
Return Value:
|
|
|
|
Returns STATUS_SUCCESS if the verifier is enabled, or a failure code if not.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, PASSIVE_LEVEL.
|
|
|
|
--*/
|
|
|
|
{
|
|
if (MiVerifierDriverAddedThunkListHead.Flink == NULL) {
|
|
*VerifierFlags = 0;
|
|
return STATUS_NOT_SUPPORTED;
|
|
}
|
|
|
|
*VerifierFlags = MmVerifierData.Level;
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
#define ROUND_UP(VALUE,ROUND) ((ULONG)(((ULONG)VALUE + \
|
|
((ULONG)ROUND - 1L)) & (~((ULONG)ROUND - 1L))))
|
|
|
|
NTSTATUS
|
|
MmGetVerifierInformation (
|
|
OUT PVOID SystemInformation,
|
|
IN ULONG SystemInformationLength,
|
|
OUT PULONG Length
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine returns information about drivers undergoing verification.
|
|
|
|
Arguments:
|
|
|
|
SystemInformation - Returns the driver verification information.
|
|
|
|
SystemInformationLength - Supplies the length of the SystemInformation
|
|
buffer.
|
|
|
|
Length - Returns the length of the driver verification file information
|
|
placed in the buffer.
|
|
|
|
Return Value:
|
|
|
|
Returns the status of the operation.
|
|
|
|
Environment:
|
|
|
|
The SystemInformation buffer is in user space and our caller has wrapped
|
|
a try-except around this entire routine. Capture any exceptions here and
|
|
release resources accordingly.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKTHREAD CurrentThread;
|
|
PSYSTEM_VERIFIER_INFORMATION UserVerifyBuffer;
|
|
ULONG NextEntryOffset;
|
|
ULONG TotalSize;
|
|
NTSTATUS Status;
|
|
PLIST_ENTRY NextEntry;
|
|
PMI_VERIFIER_DRIVER_ENTRY Verifier;
|
|
UNICODE_STRING UserBufferDriverName;
|
|
|
|
PAGED_CODE();
|
|
|
|
NextEntryOffset = 0;
|
|
TotalSize = 0;
|
|
|
|
*Length = 0;
|
|
UserVerifyBuffer = (PSYSTEM_VERIFIER_INFORMATION)SystemInformation;
|
|
|
|
//
|
|
// Capture the number of verifying drivers and the relevant data while
|
|
// synchronized. Then return it to our caller.
|
|
//
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
CurrentThread = KeGetCurrentThread ();
|
|
KeEnterCriticalRegionThread (CurrentThread);
|
|
|
|
KeWaitForSingleObject (&MmSystemLoadLock,
|
|
WrVirtualMemory,
|
|
KernelMode,
|
|
FALSE,
|
|
(PLARGE_INTEGER)NULL);
|
|
|
|
try {
|
|
|
|
NextEntry = MiSuspectDriverList.Flink;
|
|
while (NextEntry != &MiSuspectDriverList) {
|
|
|
|
Verifier = CONTAINING_RECORD(NextEntry,
|
|
MI_VERIFIER_DRIVER_ENTRY,
|
|
Links);
|
|
|
|
if (((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0) ||
|
|
(Verifier->Flags & VI_DISABLE_VERIFICATION)) {
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
continue;
|
|
}
|
|
|
|
UserVerifyBuffer = (PSYSTEM_VERIFIER_INFORMATION)(
|
|
(PUCHAR)UserVerifyBuffer + NextEntryOffset);
|
|
NextEntryOffset = sizeof(SYSTEM_VERIFIER_INFORMATION);
|
|
TotalSize += sizeof(SYSTEM_VERIFIER_INFORMATION);
|
|
|
|
if (TotalSize > SystemInformationLength) {
|
|
ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH);
|
|
}
|
|
|
|
//
|
|
// This data is cumulative for all drivers.
|
|
//
|
|
|
|
UserVerifyBuffer->Level = MmVerifierData.Level;
|
|
UserVerifyBuffer->RaiseIrqls = MmVerifierData.RaiseIrqls;
|
|
UserVerifyBuffer->AcquireSpinLocks = MmVerifierData.AcquireSpinLocks;
|
|
|
|
UserVerifyBuffer->UnTrackedPool = MmVerifierData.UnTrackedPool;
|
|
UserVerifyBuffer->SynchronizeExecutions = MmVerifierData.SynchronizeExecutions;
|
|
|
|
UserVerifyBuffer->AllocationsAttempted = MmVerifierData.AllocationsAttempted;
|
|
UserVerifyBuffer->AllocationsSucceeded = MmVerifierData.AllocationsSucceeded;
|
|
UserVerifyBuffer->AllocationsSucceededSpecialPool = MmVerifierData.AllocationsSucceededSpecialPool;
|
|
UserVerifyBuffer->AllocationsWithNoTag = MmVerifierData.AllocationsWithNoTag;
|
|
|
|
UserVerifyBuffer->TrimRequests = MmVerifierData.TrimRequests;
|
|
UserVerifyBuffer->Trims = MmVerifierData.Trims;
|
|
UserVerifyBuffer->AllocationsFailed = MmVerifierData.AllocationsFailed;
|
|
UserVerifyBuffer->AllocationsFailedDeliberately = MmVerifierData.AllocationsFailedDeliberately;
|
|
|
|
//
|
|
// This data is kept on a per-driver basis.
|
|
//
|
|
|
|
UserVerifyBuffer->CurrentPagedPoolAllocations = Verifier->CurrentPagedPoolAllocations;
|
|
UserVerifyBuffer->CurrentNonPagedPoolAllocations = Verifier->CurrentNonPagedPoolAllocations;
|
|
UserVerifyBuffer->PeakPagedPoolAllocations = Verifier->PeakPagedPoolAllocations;
|
|
UserVerifyBuffer->PeakNonPagedPoolAllocations = Verifier->PeakNonPagedPoolAllocations;
|
|
|
|
UserVerifyBuffer->PagedPoolUsageInBytes = Verifier->PagedBytes;
|
|
UserVerifyBuffer->NonPagedPoolUsageInBytes = Verifier->NonPagedBytes;
|
|
UserVerifyBuffer->PeakPagedPoolUsageInBytes = Verifier->PeakPagedBytes;
|
|
UserVerifyBuffer->PeakNonPagedPoolUsageInBytes = Verifier->PeakNonPagedBytes;
|
|
|
|
UserVerifyBuffer->Loads = Verifier->Loads;
|
|
UserVerifyBuffer->Unloads = Verifier->Unloads;
|
|
|
|
//
|
|
// The DriverName portion of the UserVerifyBuffer must be saved
|
|
// locally to protect against a malicious thread changing the
|
|
// contents. This is because we will reference the contents
|
|
// ourselves when the actual string is copied out carefully below.
|
|
//
|
|
|
|
UserBufferDriverName.Length = Verifier->BaseName.Length;
|
|
UserBufferDriverName.MaximumLength = (USHORT)(Verifier->BaseName.Length + sizeof (WCHAR));
|
|
UserBufferDriverName.Buffer = (PWCHAR)(UserVerifyBuffer + 1);
|
|
|
|
UserVerifyBuffer->DriverName = UserBufferDriverName;
|
|
|
|
TotalSize += ROUND_UP (UserBufferDriverName.MaximumLength,
|
|
sizeof(PVOID));
|
|
NextEntryOffset += ROUND_UP (UserBufferDriverName.MaximumLength,
|
|
sizeof(PVOID));
|
|
|
|
if (TotalSize > SystemInformationLength) {
|
|
ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH);
|
|
}
|
|
|
|
//
|
|
// Carefully reference the UserVerifyBuffer here.
|
|
//
|
|
|
|
RtlCopyMemory(UserBufferDriverName.Buffer,
|
|
Verifier->BaseName.Buffer,
|
|
Verifier->BaseName.Length);
|
|
|
|
UserBufferDriverName.Buffer[
|
|
Verifier->BaseName.Length/sizeof(WCHAR)] = UNICODE_NULL;
|
|
UserVerifyBuffer->NextEntryOffset = NextEntryOffset;
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
} except (EXCEPTION_EXECUTE_HANDLER) {
|
|
Status = GetExceptionCode();
|
|
}
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
if (Status != STATUS_INFO_LENGTH_MISMATCH) {
|
|
UserVerifyBuffer->NextEntryOffset = 0;
|
|
*Length = TotalSize;
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
NTSTATUS
|
|
MmSetVerifierInformation (
|
|
IN OUT PVOID SystemInformation,
|
|
IN ULONG SystemInformationLength
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine sets any driver verifier flags that can be done without
|
|
rebooting.
|
|
|
|
Arguments:
|
|
|
|
SystemInformation - Gets and returns the driver verification flags.
|
|
|
|
SystemInformationLength - Supplies the length of the SystemInformation
|
|
buffer.
|
|
|
|
Return Value:
|
|
|
|
Returns the status of the operation.
|
|
|
|
Environment:
|
|
|
|
The SystemInformation buffer is in user space and our caller has wrapped
|
|
a try-except around this entire routine. Capture any exceptions here and
|
|
release resources accordingly.
|
|
|
|
--*/
|
|
|
|
{
|
|
PKTHREAD CurrentThread;
|
|
ULONG UserFlags;
|
|
ULONG NewFlags;
|
|
ULONG NewFlagsOn;
|
|
ULONG NewFlagsOff;
|
|
NTSTATUS Status;
|
|
PULONG UserVerifyBuffer;
|
|
|
|
PAGED_CODE();
|
|
|
|
if (SystemInformationLength < sizeof (ULONG)) {
|
|
ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH);
|
|
}
|
|
|
|
UserVerifyBuffer = (PULONG)SystemInformation;
|
|
|
|
//
|
|
// Synchronize all changes to the flags here.
|
|
//
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
CurrentThread = KeGetCurrentThread ();
|
|
KeEnterCriticalRegionThread (CurrentThread);
|
|
|
|
KeWaitForSingleObject (&MmSystemLoadLock,
|
|
WrVirtualMemory,
|
|
KernelMode,
|
|
FALSE,
|
|
(PLARGE_INTEGER)NULL);
|
|
|
|
try {
|
|
|
|
UserFlags = *UserVerifyBuffer;
|
|
|
|
//
|
|
// Ensure nothing is being set or cleared that isn't supported.
|
|
//
|
|
//
|
|
|
|
NewFlagsOn = UserFlags & VerifierModifyableOptions;
|
|
|
|
NewFlags = MmVerifierData.Level | NewFlagsOn;
|
|
|
|
//
|
|
// Any bits set in NewFlagsOff must be zeroed in the NewFlags.
|
|
//
|
|
|
|
NewFlagsOff = ((~UserFlags) & VerifierModifyableOptions);
|
|
|
|
NewFlags &= ~NewFlagsOff;
|
|
|
|
if (NewFlags != MmVerifierData.Level) {
|
|
VerifierOptionChanges += 1;
|
|
MmVerifierData.Level = NewFlags;
|
|
*UserVerifyBuffer = NewFlags;
|
|
}
|
|
|
|
} except (EXCEPTION_EXECUTE_HANDLER) {
|
|
Status = GetExceptionCode();
|
|
}
|
|
|
|
KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE);
|
|
|
|
KeLeaveCriticalRegionThread (CurrentThread);
|
|
|
|
return Status;
|
|
}
|
|
|
|
typedef struct _VERIFIER_STRING_INFO {
|
|
ULONG BuildNumber;
|
|
ULONG DriverVerifierLevel;
|
|
ULONG Flags;
|
|
ULONG Check;
|
|
} VERIFIER_STRING_INFO, *PVERIFIER_STRING_INFO;
|
|
|
|
#ifdef ALLOC_DATA_PRAGMA
|
|
#pragma const_seg("PAGECONST")
|
|
#endif
|
|
|
|
static const WCHAR Printable[] = L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
|
|
static const ULONG PrintableChars = sizeof (Printable) / sizeof (Printable[0]) - 1;
|
|
|
|
#ifdef ALLOC_DATA_PRAGMA
|
|
#pragma const_seg()
|
|
#endif
|
|
|
|
VOID
|
|
ViPrintString (
|
|
IN PUNICODE_STRING DriverName
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine does a really bad hash of build number, verifier level and
|
|
flags by using the driver name as a stream of bytes to XOR into the flags,
|
|
etc.
|
|
|
|
This is a Neill Clift special.
|
|
|
|
Arguments:
|
|
|
|
DriverName - Supplies the name of the driver.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
VERIFIER_STRING_INFO Bld;
|
|
PUCHAR BufPtr;
|
|
PWCHAR DriverPtr;
|
|
ULONG BufLen;
|
|
ULONG i;
|
|
ULONG j;
|
|
ULONG DriverChars;
|
|
ULONG MaxChars;
|
|
WCHAR OutBuf[sizeof (VERIFIER_STRING_INFO) * 2 + 1];
|
|
UNICODE_STRING OutBufU;
|
|
ULONG Rem;
|
|
ULONG LastRem;
|
|
LOGICAL Done;
|
|
|
|
Bld.BuildNumber = NtBuildNumber;
|
|
Bld.DriverVerifierLevel = MmVerifierData.Level;
|
|
|
|
//
|
|
// Unloads and other actions could be encoded in the Flags field here.
|
|
//
|
|
|
|
Bld.Flags = 0;
|
|
|
|
//
|
|
// Make the last ULONG a weird function of the others.
|
|
//
|
|
|
|
Bld.Check = ((Bld.Flags + 1) * Bld.BuildNumber * (Bld.DriverVerifierLevel + 1)) * 123456789;
|
|
|
|
BufPtr = (PUCHAR) &Bld;
|
|
BufLen = sizeof (Bld);
|
|
|
|
DriverChars = DriverName->Length / sizeof (DriverName->Buffer[0]);
|
|
DriverPtr = DriverName->Buffer;
|
|
MaxChars = DriverChars;
|
|
|
|
if (DriverChars < sizeof (VERIFIER_STRING_INFO)) {
|
|
MaxChars = sizeof (VERIFIER_STRING_INFO);
|
|
}
|
|
|
|
//
|
|
// Xor each character in the driver name into the buffer.
|
|
//
|
|
|
|
for (i = 0; i < MaxChars; i += 1) {
|
|
BufPtr[i % BufLen] ^= (UCHAR) RtlUpcaseUnicodeChar(DriverPtr[i % DriverChars]);
|
|
}
|
|
|
|
//
|
|
// Produce a base N decoding of the binary buffer using the printable
|
|
// characters defines. Treat the binary as a byte array and do the
|
|
// division for each, tracking the carry.
|
|
//
|
|
|
|
j = 0;
|
|
do {
|
|
Done = TRUE;
|
|
|
|
for (i = 0, LastRem = 0; i < sizeof (VERIFIER_STRING_INFO); i += 1) {
|
|
Rem = BufPtr[i] + 256 * LastRem;
|
|
BufPtr[i] = (UCHAR) (Rem / PrintableChars);
|
|
LastRem = Rem % PrintableChars;
|
|
if (BufPtr[i]) {
|
|
Done = FALSE;
|
|
}
|
|
}
|
|
OutBuf[j++] = Printable[LastRem];
|
|
|
|
if (j >= sizeof (OutBuf) / sizeof (OutBuf[0])) {
|
|
|
|
//
|
|
// The stack buffer isn't big enough.
|
|
//
|
|
|
|
return;
|
|
}
|
|
|
|
} while (Done == FALSE);
|
|
|
|
OutBuf[j] = L'\0';
|
|
|
|
OutBufU.Length = OutBufU.MaximumLength = (USHORT) (j * sizeof (WCHAR));
|
|
OutBufU.Buffer = OutBuf;
|
|
|
|
DbgPrint ("*******************************************************************************\n"
|
|
"*\n"
|
|
"* This is the string you add to your checkin description\n"
|
|
"* Driver Verifier: Enabled for %Z on Build %ld %wZ\n"
|
|
"*\n"
|
|
"*******************************************************************************\n",
|
|
DriverName, NtBuildNumber & 0xFFFFFFF, &OutBufU);
|
|
|
|
return;
|
|
}
|
|
|
|
//
|
|
// BEWARE: Various kernel macros are undefined here so we can pull in the
|
|
// real routines. This is needed because the real routines are exported for
|
|
// driver compatibility. This module has been carefully laid out so these
|
|
// macros are not referenced from this point down and references go to the
|
|
// real routines.
|
|
//
|
|
|
|
|
|
|
|
|
|
#undef KeRaiseIrql
|
|
#undef KeLowerIrql
|
|
#undef KeAcquireSpinLock
|
|
#undef KeReleaseSpinLock
|
|
#undef KeAcquireSpinLockAtDpcLevel
|
|
#undef KeReleaseSpinLockFromDpcLevel
|
|
#if 0
|
|
#undef ExAcquireResourceExclusive
|
|
#endif
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
VOID
|
|
KeRaiseIrql (
|
|
IN KIRQL NewIrql,
|
|
OUT PKIRQL OldIrql
|
|
);
|
|
|
|
#endif
|
|
|
|
VOID
|
|
KeLowerIrql (
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
VOID
|
|
KeAcquireSpinLock (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
OUT PKIRQL OldIrql
|
|
);
|
|
|
|
#endif
|
|
|
|
VOID
|
|
KeReleaseSpinLock (
|
|
IN PKSPIN_LOCK SpinLock,
|
|
IN KIRQL NewIrql
|
|
);
|
|
|
|
VOID
|
|
KeAcquireSpinLockAtDpcLevel (
|
|
IN PKSPIN_LOCK SpinLock
|
|
);
|
|
|
|
VOID
|
|
KeReleaseSpinLockFromDpcLevel (
|
|
IN PKSPIN_LOCK SpinLock
|
|
);
|
|
|
|
#if 0
|
|
BOOLEAN
|
|
ExAcquireResourceExclusive (
|
|
IN PERESOURCE Resource,
|
|
IN BOOLEAN Wait
|
|
);
|
|
#endif
|
|
|
|
#ifdef ALLOC_DATA_PRAGMA
|
|
#pragma const_seg("PAGECONST")
|
|
#endif
|
|
|
|
const VERIFIER_THUNKS MiVerifierThunks[] = {
|
|
|
|
"KeSetEvent",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierSetEvent,
|
|
|
|
"ExAcquireFastMutexUnsafe",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireFastMutexUnsafe,
|
|
|
|
"ExReleaseFastMutexUnsafe",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExReleaseFastMutexUnsafe,
|
|
|
|
"ExAcquireResourceExclusiveLite",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireResourceExclusiveLite,
|
|
|
|
"ExReleaseResourceLite",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExReleaseResourceLite,
|
|
|
|
"MmProbeAndLockPages",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierProbeAndLockPages,
|
|
|
|
#if 0
|
|
//
|
|
// Don't bother thunking this API as it appears no drivers use it.
|
|
//
|
|
"MmProbeAndLockSelectedPages",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierProbeAndLockSelectedPages,
|
|
#endif
|
|
|
|
"MmProbeAndLockProcessPages",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierProbeAndLockProcessPages,
|
|
|
|
"MmMapIoSpace",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierMapIoSpace,
|
|
|
|
"MmMapLockedPages",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierMapLockedPages,
|
|
|
|
"MmMapLockedPagesSpecifyCache",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierMapLockedPagesSpecifyCache,
|
|
|
|
"MmUnlockPages",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierUnlockPages,
|
|
|
|
"MmUnmapLockedPages",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierUnmapLockedPages,
|
|
|
|
"MmUnmapIoSpace",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierUnmapIoSpace,
|
|
|
|
"ExAcquireFastMutex",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExAcquireFastMutex,
|
|
|
|
"ExTryToAcquireFastMutex",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExTryToAcquireFastMutex,
|
|
|
|
"ExReleaseFastMutex",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierExReleaseFastMutex,
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
"KeRaiseIrql",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrql,
|
|
|
|
#endif
|
|
|
|
"KeLowerIrql",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeLowerIrql,
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
"KeAcquireSpinLock",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLock,
|
|
|
|
#endif
|
|
|
|
"KeReleaseSpinLock",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLock,
|
|
|
|
#if defined(_X86_)
|
|
"KefAcquireSpinLockAtDpcLevel",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLockAtDpcLevel,
|
|
|
|
"KefReleaseSpinLockFromDpcLevel",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLockFromDpcLevel,
|
|
#else
|
|
"KeAcquireSpinLockAtDpcLevel",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLockAtDpcLevel,
|
|
|
|
"KeReleaseSpinLockFromDpcLevel",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLockFromDpcLevel,
|
|
#endif
|
|
|
|
"KeSynchronizeExecution",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierSynchronizeExecution,
|
|
|
|
"KeInitializeTimerEx",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeInitializeTimerEx,
|
|
|
|
"KeInitializeTimer",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeInitializeTimer,
|
|
|
|
"KeWaitForSingleObject",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeWaitForSingleObject,
|
|
|
|
#if defined(_X86_) || defined(_AMD64_)
|
|
|
|
"KfRaiseIrql",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfRaiseIrql,
|
|
|
|
"KeRaiseIrqlToDpcLevel",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrqlToDpcLevel,
|
|
|
|
#endif
|
|
|
|
#if defined(_X86_)
|
|
|
|
"KfLowerIrql",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfLowerIrql,
|
|
|
|
"KfAcquireSpinLock",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfAcquireSpinLock,
|
|
|
|
"KfReleaseSpinLock",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfReleaseSpinLock,
|
|
|
|
#endif
|
|
|
|
#if !defined(_X86_)
|
|
|
|
"KeAcquireSpinLockRaiseToDpc",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLockRaiseToDpc,
|
|
|
|
#endif
|
|
|
|
"IoFreeIrp",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)IovFreeIrp,
|
|
|
|
"IofCallDriver",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)IovCallDriver,
|
|
|
|
"IofCompleteRequest",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)IovCompleteRequest,
|
|
|
|
"IoBuildDeviceIoControlRequest",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)IovBuildDeviceIoControlRequest,
|
|
|
|
"IoBuildAsynchronousFsdRequest",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)IovBuildAsynchronousFsdRequest,
|
|
|
|
"IoInitializeTimer",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)IovInitializeTimer,
|
|
|
|
"KeQueryPerformanceCounter",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfQueryPerformanceCounter,
|
|
|
|
"IoGetDmaAdapter",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfGetDmaAdapter,
|
|
|
|
"HalAllocateCrashDumpRegisters",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfAllocateCrashDumpRegisters,
|
|
|
|
"ObReferenceObjectByHandle",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierReferenceObjectByHandle,
|
|
|
|
"KeReleaseMutex",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeReleaseMutex,
|
|
|
|
"KeInitializeMutex",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeInitializeMutex,
|
|
|
|
"KeReleaseMutant",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeReleaseMutant,
|
|
|
|
"KeInitializeMutant",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeInitializeMutant,
|
|
|
|
"KeInitializeSpinLock",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE) VerifierKeInitializeSpinLock,
|
|
|
|
#if !defined(NO_LEGACY_DRIVERS)
|
|
"HalGetAdapter",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfLegacyGetAdapter,
|
|
|
|
"IoMapTransfer",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfMapTransfer,
|
|
|
|
"IoFlushAdapterBuffers",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfFlushAdapterBuffers,
|
|
|
|
"HalAllocateCommonBuffer",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfAllocateCommonBuffer,
|
|
|
|
"HalFreeCommonBuffer",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfFreeCommonBuffer,
|
|
|
|
"IoAllocateAdapterChannel",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfAllocateAdapterChannel,
|
|
|
|
"IoFreeAdapterChannel",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfFreeAdapterChannel,
|
|
|
|
"IoFreeMapRegisters",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VfFreeMapRegisters,
|
|
#endif
|
|
|
|
"NtCreateFile",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierNtCreateFile,
|
|
|
|
"NtWriteFile",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierNtWriteFile,
|
|
|
|
"NtReadFile",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierNtReadFile,
|
|
|
|
NULL,
|
|
NULL,
|
|
};
|
|
|
|
const VERIFIER_THUNKS MiVerifierPoolThunks[] = {
|
|
|
|
"ExAllocatePool",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePool,
|
|
|
|
"ExAllocatePoolWithQuota",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithQuota,
|
|
|
|
"ExAllocatePoolWithQuotaTag",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithQuotaTag,
|
|
|
|
"ExAllocatePoolWithTag",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithTag,
|
|
|
|
"ExAllocatePoolWithTagPriority",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierAllocatePoolWithTagPriority,
|
|
|
|
"ExFreePool",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierFreePool,
|
|
|
|
"ExFreePoolWithTag",
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierFreePoolWithTag,
|
|
|
|
NULL,
|
|
NULL,
|
|
};
|
|
|
|
#ifdef ALLOC_DATA_PRAGMA
|
|
#pragma data_seg()
|
|
#endif
|
|
|
|
PDRIVER_VERIFIER_THUNK_ROUTINE
|
|
MiResolveVerifierExports (
|
|
IN PLOADER_PARAMETER_BLOCK LoaderBlock,
|
|
IN PCHAR PristineName
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function scans the kernel & HAL exports for the specified routine name.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the data table entry for the driver.
|
|
|
|
Return Value:
|
|
|
|
Non-NULL address of routine to thunk or NULL if the routine could not be
|
|
found.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization only.
|
|
The PsLoadedModuleList has not been initialized yet.
|
|
Non paged pool exists in Phase0, but paged pool does not.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG i;
|
|
PIMAGE_EXPORT_DIRECTORY ExportDirectory;
|
|
PULONG NameTableBase;
|
|
PUSHORT NameOrdinalTableBase;
|
|
PULONG Addr;
|
|
ULONG ExportSize;
|
|
ULONG Low;
|
|
ULONG Middle;
|
|
ULONG High;
|
|
PLIST_ENTRY NextEntry;
|
|
PKLDR_DATA_TABLE_ENTRY DataTableEntry;
|
|
USHORT OrdinalNumber;
|
|
LONG Result;
|
|
PCHAR DllBase;
|
|
|
|
i = 0;
|
|
NextEntry = LoaderBlock->LoadOrderListHead.Flink;
|
|
|
|
for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) {
|
|
|
|
DataTableEntry = CONTAINING_RECORD (NextEntry,
|
|
KLDR_DATA_TABLE_ENTRY,
|
|
InLoadOrderLinks);
|
|
|
|
//
|
|
// Process the kernel and HAL exports so the proper routine
|
|
// addresses can be generated now that relocations are complete.
|
|
//
|
|
|
|
DllBase = (PCHAR) DataTableEntry->DllBase;
|
|
|
|
ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData(
|
|
(PVOID) DllBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_EXPORT,
|
|
&ExportSize);
|
|
|
|
if (ExportDirectory != NULL) {
|
|
|
|
//
|
|
// Lookup the import name in the name table using a binary search.
|
|
//
|
|
|
|
NameTableBase = (PULONG)(DllBase + (ULONG)ExportDirectory->AddressOfNames);
|
|
NameOrdinalTableBase = (PUSHORT)(DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
|
|
|
|
Low = 0;
|
|
High = ExportDirectory->NumberOfNames - 1;
|
|
|
|
//
|
|
// Initializing Middle is not needed for correctness, but without it
|
|
// the compiler cannot compile this code W4 to check for use of
|
|
// uninitialized variables.
|
|
//
|
|
|
|
Middle = 0;
|
|
|
|
while (High >= Low) {
|
|
|
|
//
|
|
// Compute the next probe index and compare the import name
|
|
// with the export name entry.
|
|
//
|
|
|
|
Middle = (Low + High) >> 1;
|
|
Result = strcmp (PristineName,
|
|
(PCHAR)DllBase + NameTableBase[Middle]);
|
|
|
|
if (Result < 0) {
|
|
High = Middle - 1;
|
|
|
|
} else if (Result > 0) {
|
|
Low = Middle + 1;
|
|
|
|
}
|
|
else {
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// If the high index is less than the low index, then a matching
|
|
// table entry was not found. Otherwise, get the ordinal number
|
|
// from the ordinal table.
|
|
//
|
|
|
|
if ((LONG)High >= (LONG)Low) {
|
|
OrdinalNumber = NameOrdinalTableBase[Middle];
|
|
|
|
//
|
|
// If OrdinalNumber is not within the Export Address Table,
|
|
// then DLL does not implement function. Otherwise we have
|
|
// the export that matches the specified argument routine name.
|
|
//
|
|
|
|
if ((ULONG)OrdinalNumber < ExportDirectory->NumberOfFunctions) {
|
|
|
|
Addr = (PULONG)(DllBase + (ULONG)ExportDirectory->AddressOfFunctions);
|
|
return (PDRIVER_VERIFIER_THUNK_ROUTINE)(ULONG_PTR)(DllBase + Addr[OrdinalNumber]);
|
|
}
|
|
}
|
|
}
|
|
|
|
i += 1;
|
|
if (i == 2) {
|
|
break;
|
|
}
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
LOGICAL
|
|
MiEnableVerifier (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function enables the verifier for the argument driver by thunking
|
|
relevant system APIs in the argument driver import table.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the data table entry for the driver.
|
|
|
|
Return Value:
|
|
|
|
TRUE if thunking was applied, FALSE if not.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization and normal runtime.
|
|
Non paged pool exists in Phase0, but paged pool does not.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG i;
|
|
ULONG j;
|
|
PULONG_PTR ImportThunk;
|
|
ULONG ImportSize;
|
|
VERIFIER_THUNKS const *VerifierThunk;
|
|
LOGICAL Found;
|
|
ULONG_PTR RealRoutine;
|
|
PLIST_ENTRY NextEntry;
|
|
PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable;
|
|
PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
|
|
|
|
ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
|
|
DataTableEntry->DllBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_IAT,
|
|
&ImportSize);
|
|
|
|
if (ImportThunk == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
ImportSize /= sizeof(PULONG_PTR);
|
|
|
|
for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
|
|
|
|
Found = FALSE;
|
|
|
|
if (KernelVerifier == FALSE) {
|
|
VerifierThunk = MiVerifierThunks;
|
|
|
|
while (VerifierThunk->PristineRoutineAsciiName != NULL) {
|
|
|
|
RealRoutine = (ULONG_PTR)VerifierThunk->PristineRoutine;
|
|
|
|
if (*ImportThunk == RealRoutine) {
|
|
*ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine);
|
|
Found = TRUE;
|
|
break;
|
|
}
|
|
VerifierThunk += 1;
|
|
}
|
|
}
|
|
|
|
if (Found == FALSE) {
|
|
VerifierThunk = MiVerifierPoolThunks;
|
|
|
|
while (VerifierThunk->PristineRoutineAsciiName != NULL) {
|
|
|
|
RealRoutine = (ULONG_PTR)VerifierThunk->PristineRoutine;
|
|
|
|
if (*ImportThunk == RealRoutine) {
|
|
*ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine);
|
|
Found = TRUE;
|
|
break;
|
|
}
|
|
VerifierThunk += 1;
|
|
}
|
|
}
|
|
|
|
if (Found == FALSE) {
|
|
|
|
NextEntry = MiVerifierDriverAddedThunkListHead.Flink;
|
|
while (NextEntry != &MiVerifierDriverAddedThunkListHead) {
|
|
|
|
ThunkTableBase = CONTAINING_RECORD(NextEntry,
|
|
DRIVER_SPECIFIED_VERIFIER_THUNKS,
|
|
ListEntry);
|
|
|
|
ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1);
|
|
|
|
for (j = 0; j < ThunkTableBase->NumberOfThunks; j += 1) {
|
|
|
|
if (*ImportThunk == (ULONG_PTR)ThunkTable->PristineRoutine) {
|
|
*ImportThunk = (ULONG_PTR)(ThunkTable->NewRoutine);
|
|
Found = TRUE;
|
|
break;
|
|
}
|
|
ThunkTable += 1;
|
|
}
|
|
|
|
if (Found == TRUE) {
|
|
break;
|
|
}
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
}
|
|
}
|
|
return TRUE;
|
|
}
|
|
|
|
LOGICAL
|
|
MiReEnableVerifier (
|
|
IN PKLDR_DATA_TABLE_ENTRY DataTableEntry
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function thunks DLL-supplied APIs in the argument driver import table.
|
|
|
|
Arguments:
|
|
|
|
DataTableEntry - Supplies the data table entry for the driver.
|
|
|
|
Return Value:
|
|
|
|
TRUE if thunking was applied, FALSE if not.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 0 Initialization only.
|
|
Non paged pool exists in Phase0, but paged pool does not.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG i;
|
|
ULONG j;
|
|
PULONG_PTR ImportThunk;
|
|
ULONG ImportSize;
|
|
LOGICAL Found;
|
|
PLIST_ENTRY NextEntry;
|
|
PMMPTE PointerPte;
|
|
PULONG_PTR VirtualThunk;
|
|
PFN_NUMBER PageFrameIndex;
|
|
PFN_NUMBER VirtualPageFrameIndex;
|
|
PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable;
|
|
PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase;
|
|
ULONG Offset;
|
|
|
|
ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
|
|
DataTableEntry->DllBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_IAT,
|
|
&ImportSize);
|
|
|
|
if (ImportThunk == NULL) {
|
|
return FALSE;
|
|
}
|
|
|
|
VirtualThunk = NULL;
|
|
ImportSize /= sizeof(PULONG_PTR);
|
|
|
|
//
|
|
// Initializing VirtualPageFrameIndex is not needed for correctness, but
|
|
// without it the compiler cannot compile this code W4 to check for use of
|
|
// uninitialized variables.
|
|
//
|
|
|
|
VirtualPageFrameIndex = 0;
|
|
|
|
for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
|
|
|
|
Found = FALSE;
|
|
|
|
NextEntry = MiVerifierDriverAddedThunkListHead.Flink;
|
|
while (NextEntry != &MiVerifierDriverAddedThunkListHead) {
|
|
|
|
ThunkTableBase = CONTAINING_RECORD(NextEntry,
|
|
DRIVER_SPECIFIED_VERIFIER_THUNKS,
|
|
ListEntry);
|
|
|
|
ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1);
|
|
|
|
for (j = 0; j < ThunkTableBase->NumberOfThunks; j += 1) {
|
|
|
|
if (*ImportThunk == (ULONG_PTR)ThunkTable->PristineRoutine) {
|
|
|
|
ASSERT (MI_IS_PHYSICAL_ADDRESS(ImportThunk) == 0);
|
|
PointerPte = MiGetPteAddress (ImportThunk);
|
|
ASSERT (PointerPte->u.Hard.Valid == 1);
|
|
PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte);
|
|
Offset = (ULONG) MiGetByteOffset(ImportThunk);
|
|
|
|
if ((VirtualThunk != NULL) &&
|
|
(VirtualPageFrameIndex == PageFrameIndex)) {
|
|
|
|
NOTHING;
|
|
}
|
|
else {
|
|
|
|
VirtualThunk = MiMapSinglePage (VirtualThunk,
|
|
PageFrameIndex,
|
|
MmCached,
|
|
HighPagePriority);
|
|
|
|
if (VirtualThunk == NULL) {
|
|
return FALSE;
|
|
}
|
|
VirtualPageFrameIndex = PageFrameIndex;
|
|
}
|
|
|
|
*(PULONG_PTR)((PUCHAR)VirtualThunk + Offset) =
|
|
(ULONG_PTR)(ThunkTable->NewRoutine);
|
|
|
|
Found = TRUE;
|
|
break;
|
|
}
|
|
ThunkTable += 1;
|
|
}
|
|
|
|
if (Found == TRUE) {
|
|
break;
|
|
}
|
|
|
|
NextEntry = NextEntry->Flink;
|
|
}
|
|
}
|
|
|
|
if (VirtualThunk != NULL) {
|
|
MiUnmapSinglePage (VirtualThunk);
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
typedef struct _KERNEL_VERIFIER_THUNK_PAIRS {
|
|
PDRIVER_VERIFIER_THUNK_ROUTINE PristineRoutine;
|
|
PDRIVER_VERIFIER_THUNK_ROUTINE NewRoutine;
|
|
} KERNEL_VERIFIER_THUNK_PAIRS, *PKERNEL_VERIFIER_THUNK_PAIRS;
|
|
|
|
#if defined(_X86_)
|
|
|
|
#ifdef ALLOC_DATA_PRAGMA
|
|
#pragma const_seg("INITCONST")
|
|
#endif
|
|
|
|
const KERNEL_VERIFIER_THUNK_PAIRS MiKernelVerifierThunks[] = {
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KeRaiseIrql,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrql,
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KeLowerIrql,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeLowerIrql,
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KeAcquireSpinLock,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireSpinLock,
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KeReleaseSpinLock,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseSpinLock,
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KfRaiseIrql,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfRaiseIrql,
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KeRaiseIrqlToDpcLevel,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeRaiseIrqlToDpcLevel,
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KfLowerIrql,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfLowerIrql,
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KfAcquireSpinLock,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfAcquireSpinLock,
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KfReleaseSpinLock,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKfReleaseSpinLock,
|
|
|
|
#if !defined(NT_UP)
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KeAcquireQueuedSpinLock,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeAcquireQueuedSpinLock,
|
|
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)KeReleaseQueuedSpinLock,
|
|
(PDRIVER_VERIFIER_THUNK_ROUTINE)VerifierKeReleaseQueuedSpinLock,
|
|
#endif
|
|
};
|
|
|
|
#ifdef ALLOC_DATA_PRAGMA
|
|
#pragma data_seg()
|
|
#endif
|
|
|
|
VOID
|
|
MiEnableKernelVerifier (
|
|
VOID
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function enables the verifier for the kernel by thunking
|
|
relevant HAL APIs in the kernel's import table.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode, Phase 1 Initialization.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG i;
|
|
PULONG_PTR ImportThunk;
|
|
ULONG ImportSize;
|
|
KERNEL_VERIFIER_THUNK_PAIRS const *VerifierThunk;
|
|
ULONG ThunkCount;
|
|
ULONG_PTR RealRoutine;
|
|
PULONG_PTR PointerRealRoutine;
|
|
|
|
if (KernelVerifier == FALSE) {
|
|
return;
|
|
}
|
|
|
|
ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData(
|
|
PsNtosImageBase,
|
|
TRUE,
|
|
IMAGE_DIRECTORY_ENTRY_IAT,
|
|
&ImportSize);
|
|
|
|
if (ImportThunk == NULL) {
|
|
return;
|
|
}
|
|
|
|
ImportSize /= sizeof(PULONG_PTR);
|
|
|
|
for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) {
|
|
|
|
VerifierThunk = MiKernelVerifierThunks;
|
|
|
|
for (ThunkCount = 0; ThunkCount < sizeof (MiKernelVerifierThunks) / sizeof (KERNEL_VERIFIER_THUNK_PAIRS); ThunkCount += 1) {
|
|
|
|
//
|
|
// Only the x86 has/needs this oddity - take the kernel address,
|
|
// knowing that it points at a 2 byte jmp opcode followed by
|
|
// a 4-byte indirect pointer to a destination address.
|
|
//
|
|
|
|
PointerRealRoutine = (PULONG_PTR)*((PULONG_PTR)((ULONG_PTR)VerifierThunk->PristineRoutine + 2));
|
|
RealRoutine = *PointerRealRoutine;
|
|
|
|
if (*ImportThunk == RealRoutine) {
|
|
|
|
//
|
|
// Order is important here.
|
|
//
|
|
|
|
if (MiKernelVerifierOriginalCalls[ThunkCount] == NULL) {
|
|
MiKernelVerifierOriginalCalls[ThunkCount] = (PVOID)RealRoutine;
|
|
}
|
|
|
|
*ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine);
|
|
|
|
break;
|
|
}
|
|
VerifierThunk += 1;
|
|
}
|
|
}
|
|
return;
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// BEWARE: Various kernel macros were undefined above so we can pull in the
|
|
// real routines. This is needed because the real routines are exported for
|
|
// driver compatibility. This module has been carefully laid out so these
|
|
// macros are not referenced from that point to here and references go to the
|
|
// real routines.
|
|
//
|
|
// BE EXTREMELY CAREFUL IF YOU DECIDE TO ADD ROUTINES BELOW THIS POINT !
|
|
//
|