mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
394 lines
6.6 KiB
394 lines
6.6 KiB
#include <ntddk.h>
|
|
|
|
#include "tdriver.h"
|
|
#include "bugcheck.h"
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
////////////////////////////////////////////////// Bugcheck functions
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
VOID
|
|
BgChkForceCustomBugcheck (
|
|
PVOID NotUsed
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function breaks into debugger and waits for the user to set the
|
|
value for bugcheck data. Then it will bugcheck using the specified code
|
|
and data. It is useful to test the mini triage feature.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode.
|
|
|
|
--*/
|
|
{
|
|
ULONG BugcheckData [5];
|
|
|
|
DbgPrint ("Buggy: `ed %p' to enter the bugcheck code and data \n", BugcheckData );
|
|
DbgBreakPoint();
|
|
|
|
KeBugCheckEx (
|
|
BugcheckData [ 0 ],
|
|
BugcheckData [ 1 ],
|
|
BugcheckData [ 2 ],
|
|
BugcheckData [ 3 ],
|
|
BugcheckData [ 4 ] );
|
|
}
|
|
|
|
|
|
VOID BgChkProcessHasLockedPages (
|
|
PVOID NotUsed
|
|
)
|
|
{
|
|
PMDL Mdl;
|
|
PVOID Address;
|
|
|
|
DbgPrint ("Buggy: ProcessHasLockedPages \n");
|
|
|
|
Mdl = IoAllocateMdl(
|
|
|
|
(PVOID)0x10000, // adress
|
|
0x1000, // size
|
|
FALSE, // not secondary buffer
|
|
FALSE, // do not charge quota
|
|
NULL); // no irp
|
|
|
|
if (Mdl != NULL) {
|
|
DbgPrint ("Buggy: mdl created \n");
|
|
}
|
|
#if 0
|
|
try {
|
|
|
|
MmProbeAndLockPages (
|
|
Mdl,
|
|
KernelMode,
|
|
IoReadAccess);
|
|
|
|
DbgPrint ("Buggy: locked pages \n");
|
|
}
|
|
except (EXCEPTION_EXECUTE_HANDLER) {
|
|
|
|
DbgPrint ("Buggy: exception raised while locking \n");
|
|
}
|
|
#endif
|
|
}
|
|
|
|
|
|
VOID BgChkNoMoreSystemPtes (
|
|
PVOID NotUsed
|
|
)
|
|
{
|
|
DWORDLONG Index;
|
|
PHYSICAL_ADDRESS Address;
|
|
ULONG Count = 0;
|
|
char Buffer [1024];
|
|
|
|
DbgPrint ("Buggy: NoMoresystemPtes\n");
|
|
|
|
for (Index = 0; Index < (DWORDLONG)0x80000000 * 4; Index += 0x10000) {
|
|
Address.QuadPart = (DWORDLONG)Index;
|
|
if (MmMapIoSpace (Address, 0x10000, FALSE)) {
|
|
Count += 0x10000;
|
|
}
|
|
}
|
|
|
|
DbgPrint ("Finished eating system PTEs %08X ... \n", Count);
|
|
}
|
|
|
|
|
|
VOID BgChkBadPoolHeader (
|
|
PVOID NotUsed
|
|
)
|
|
{
|
|
PULONG Block;
|
|
|
|
DbgPrint ("Buggy: BadPoolHeader\n");
|
|
|
|
Block = (PULONG) ExAllocatePoolWithTag (
|
|
NonPagedPool,
|
|
128,
|
|
TD_POOL_TAG);
|
|
|
|
//
|
|
// Trash 4 bytes in the block header.
|
|
//
|
|
|
|
*(Block - 1) = 0xBADBAD01;
|
|
|
|
//
|
|
// This free operation should bugcheck.
|
|
//
|
|
|
|
ExFreePool (Block);
|
|
}
|
|
|
|
|
|
VOID BgChkDriverCorruptedSystemPtes (
|
|
PVOID NotUsed
|
|
)
|
|
{
|
|
PVOID Block;
|
|
|
|
DbgPrint ("Buggy: DriverCorruptedSystemPtes\n");
|
|
|
|
Block = (PULONG) ExAllocatePoolWithTag (
|
|
NonPagedPool,
|
|
0x2000,
|
|
TD_POOL_TAG);
|
|
|
|
MmUnmapIoSpace (Block, 0x2000);
|
|
|
|
}
|
|
|
|
|
|
VOID BgChkDriverCorruptedExPool (
|
|
PVOID NotUsed
|
|
)
|
|
{
|
|
PULONG Block;
|
|
|
|
DbgPrint ("Buggy: DriverCorruptedExPool\n");
|
|
|
|
Block = (PULONG) ExAllocatePoolWithTag (
|
|
NonPagedPool,
|
|
128,
|
|
TD_POOL_TAG);
|
|
|
|
//
|
|
// Trash 8 bytes in the block header.
|
|
//
|
|
|
|
*(Block - 2) = 0xBADBAD01;
|
|
*(Block - 1) = 0xBADBAD01;
|
|
|
|
//
|
|
// This free operation should bugcheck.
|
|
//
|
|
|
|
ExFreePool (Block);
|
|
}
|
|
|
|
|
|
VOID BgChkDriverCorruptedMmPool (
|
|
PVOID NotUsed
|
|
)
|
|
{
|
|
DbgPrint ("Buggy: DriverCorruptedMmPool\n");
|
|
|
|
ExFreePool (NULL);
|
|
}
|
|
|
|
|
|
VOID BgChkIrqlNotLessOrEqual (
|
|
PVOID NotUsed
|
|
)
|
|
{
|
|
KIRQL irql;
|
|
VOID *pPagedData;
|
|
|
|
DbgPrint ("Buggy: IrqlNotLessOrEqual\n");
|
|
|
|
pPagedData = ExAllocatePoolWithTag(
|
|
PagedPool,
|
|
16,
|
|
TD_POOL_TAG);
|
|
|
|
if( pPagedData == NULL )
|
|
{
|
|
DbgPrint( "Cannot allocate 16 bytes of paged pool\n" );
|
|
return;
|
|
}
|
|
|
|
KeRaiseIrql( DISPATCH_LEVEL, &irql );
|
|
|
|
*((ULONG*)pPagedData) = 16;
|
|
|
|
KeLowerIrql( irql );
|
|
}
|
|
|
|
|
|
VOID BgChkPageFaultBeyondEndOfAllocation (
|
|
PVOID NotUsed
|
|
)
|
|
{
|
|
PVOID *pHalfPage;
|
|
PVOID *pLastUlongToWrite;
|
|
ULONG *pCrtULONG;
|
|
|
|
DbgPrint ("Buggy: PageFaultBeyondEndOfAllocation\n");
|
|
|
|
//
|
|
// allocate half a page
|
|
//
|
|
|
|
pHalfPage = ExAllocatePoolWithTag(
|
|
NonPagedPool,
|
|
PAGE_SIZE >> 1,
|
|
TD_POOL_TAG);
|
|
|
|
if( pHalfPage == NULL )
|
|
{
|
|
DbgPrint ("Buggy: cannot allocate half page of NP pool\n");
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// touch a page more
|
|
//
|
|
|
|
pCrtULONG = (ULONG*)pHalfPage;
|
|
|
|
while( (ULONG_PTR)pCrtULONG < (ULONG_PTR)pHalfPage + (PAGE_SIZE >> 1) + 2 * PAGE_SIZE )
|
|
{
|
|
*pCrtULONG = PtrToUlong( pCrtULONG );
|
|
pCrtULONG ++;
|
|
}
|
|
|
|
ExFreePool( pHalfPage );
|
|
}
|
|
}
|
|
|
|
|
|
VOID BgChkDriverVerifierDetectedViolation (
|
|
PVOID NotUsed
|
|
)
|
|
{
|
|
PVOID *pHalfPage;
|
|
PVOID *pLastUlongToWrite;
|
|
ULONG *pCrtULONG;
|
|
|
|
DbgPrint ("Buggy: DriverVerifierDetectedViolation\n");
|
|
|
|
//
|
|
// allocate half a page
|
|
//
|
|
|
|
pHalfPage = ExAllocatePoolWithTag(
|
|
NonPagedPool,
|
|
PAGE_SIZE >> 1,
|
|
TD_POOL_TAG);
|
|
|
|
if( pHalfPage == NULL )
|
|
{
|
|
DbgPrint ("Buggy: cannot allocate half page of NP pool\n");
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// touch 1 ULONG more
|
|
//
|
|
|
|
pCrtULONG = (ULONG*)pHalfPage;
|
|
|
|
while( (ULONG_PTR)pCrtULONG < (ULONG_PTR)pHalfPage + (PAGE_SIZE >> 1) + sizeof( ULONG) )
|
|
{
|
|
*pCrtULONG = PtrToUlong( pCrtULONG );
|
|
pCrtULONG ++;
|
|
}
|
|
|
|
//
|
|
// free -> BC
|
|
//
|
|
|
|
ExFreePool( pHalfPage );
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
BgChkCorruptSystemPtes(
|
|
PVOID NotUsed
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function corrupts system PTEs area on purpose. This is
|
|
done so that we can test if the crache is mini triaged correctly.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode.
|
|
|
|
--*/
|
|
|
|
{
|
|
PULONG puCrtAdress = (PULONG)LongToPtr(0xC0300000);
|
|
ULONG uCrtValue;
|
|
int nCrtStep;
|
|
|
|
#define NUM_ULONGS_TO_CORRUPT 0x100
|
|
#define FIRST_ULONG_VALUE 0xABCDDCBA
|
|
#define NUM_ULONGS_SKIP_EACH_STEP 16
|
|
|
|
|
|
uCrtValue = FIRST_ULONG_VALUE;
|
|
|
|
for( nCrtStep = 0; nCrtStep < NUM_ULONGS_TO_CORRUPT; nCrtStep++ )
|
|
{
|
|
*puCrtAdress = uCrtValue;
|
|
|
|
puCrtAdress += NUM_ULONGS_SKIP_EACH_STEP;
|
|
|
|
uCrtValue++;
|
|
}
|
|
}
|
|
|
|
|
|
VOID
|
|
BgChkHangCurrentProcessor (
|
|
PVOID NotUsed
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine will hang the current processor.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
Environment:
|
|
|
|
Kernel mode.
|
|
|
|
--*/
|
|
{
|
|
KIRQL PreviousIrql;
|
|
|
|
KeRaiseIrql( DISPATCH_LEVEL, &PreviousIrql );
|
|
|
|
while ( TRUE ) {
|
|
//
|
|
// this will hang the current processor
|
|
//
|
|
}
|
|
}
|
|
|
|
|
|
|