89{
93#if DBG
95#endif
98 PSID CapturedServerSid;
99 ULONG ConnectionInfoLength = 0;
103 ULONG PortMessageLength;
109
111
112
114 {
115
117 {
118
120
121
124
125
126
127
128
129 if (ClientView)
130 {
132 CapturedClientView = *(
volatile PORT_VIEW*)ClientView;
133
134
135 if (CapturedClientView.
Length !=
sizeof(CapturedClientView))
136 {
137
139 }
140 }
141
142
143 if (ServerView)
144 {
146
147
149 {
150
152 }
153 }
154
155 if (MaxMessageLength)
157
158
159 if (ConnectionInformationLength)
160 {
162 ConnectionInfoLength = *(
volatile ULONG*)ConnectionInformationLength;
163 }
164
165
166 if (ConnectionInformation)
168
169 CapturedServerSid = ServerSid;
170 if (ServerSid)
171 {
172
177 &CapturedServerSid);
179 {
180 DPRINT1(
"Failed to capture ServerSid!\n");
182 }
183 }
184 }
186 {
187
189 }
191 }
192 else
193 {
194 CapturedQos = *SecurityQos;
195
196
197
198
199
200 if (ClientView)
201 {
202
203 if (ClientView->Length != sizeof(*ClientView))
204 {
205
207 }
208 CapturedClientView = *ClientView;
209 }
210
211
212 if (ServerView)
213 {
214
215 if (ServerView->
Length !=
sizeof(*ServerView))
216 {
217
219 }
220 }
221
222
223 if (ConnectionInformationLength)
224 ConnectionInfoLength = *ConnectionInformationLength;
225
226 CapturedServerSid = ServerSid;
227 }
228
229#if DBG
230
231
232
234
236 "Name: %wZ. SecurityQos: %p. Views: %p/%p. Sid: %p\n",
237 &CapturedPortName,
238 SecurityQos,
239 ClientView,
240 ServerView,
241 ServerSid);
242#endif
243
244
246 0,
254 {
255#if DBG
256 DPRINT1(
"Failed to reference port '%wZ': 0x%lx\n", &CapturedPortName,
Status);
258#endif
259
260 if (CapturedServerSid != ServerSid)
262
264 }
265
266
268 {
269#if DBG
270 DPRINT1(
"Port '%wZ' is not a connection port (Flags: 0x%lx)\n", &CapturedPortName,
Port->
Flags);
272#endif
273
274
276
277 if (CapturedServerSid != ServerSid)
279
281 }
282
283
284 if (ServerSid)
285 {
286
287 if (
Port->ServerProcess)
288 {
289
293
294
296 {
297
299 {
300
301#if DBG
302 DPRINT1(
"Port '%wZ': server SID mismatch\n", &CapturedPortName);
303#endif
305 }
306
307
309 }
310 }
311 else
312 {
313
314#if DBG
315 DPRINT1(
"Port '%wZ': server SID mismatch\n", &CapturedPortName);
316#endif
318 }
319
320
321 if (CapturedServerSid != ServerSid)
323 }
324
325#if DBG
327#endif
328
329
331 {
332
335 }
336
337
344 0,
345 0,
348 {
349
353 }
354
355
356
357
358
366
367
369 {
370
372 }
373 else
374 {
375
377 &CapturedQos,
381 {
382
386 }
387 }
388
389
392 {
393
397 }
398
399
400 if (ClientView)
401 {
402
408 (
PVOID*)&SectionToMap,
411 {
412
413 DPRINT1(
"Failed to reference port section handle: 0x%lx\n",
Status);
416 }
417
418
420
421
425 0,
426 0,
430 0,
432
433
435
436
438 {
439
444 }
445
446
448
449
452 }
453 else
454 {
455
457 }
458
459
460 if (ConnectionInfoLength >
Port->MaxConnectionInfoLength)
461 {
462
463 ConnectionInfoLength =
Port->MaxConnectionInfoLength;
464 }
465
466
469 {
470
471 DPRINT1(
"LpcpAllocateFromPortZone failed\n");
475 }
476
477
480
481
482 if (ClientView)
483 {
484
486
487
489 &CapturedClientView,
490 sizeof(CapturedClientView));
492 }
493 else
494 {
495
496 Message->Request.ClientViewSize = 0;
498 }
499
500
503
504
505 Message->Request.u1.s1.DataLength = (
CSHORT)ConnectionInfoLength +
508 Message->Request.u1.s1.DataLength;
510
511
512 if (ConnectionInformation)
513 {
515 {
516
518 ConnectionInformation,
519 ConnectionInfoLength);
520 }
522 {
523 DPRINT1(
"Exception 0x%lx when copying connection info to user mode\n",
525
526
527
528
530
531
534
535
537 }
539 }
540
541
543
544
546
547
549 {
550
552 }
553 else
554 {
555
557
558
562
563
567
568
571
572
574 }
575
576
578
579
581
582
584 {
586 "Messages: %p/%p. Ports: %p/%p. Status: %lx\n",
588 ConnectMessage,
592
593
596
597
600
601
603 }
604
605
607
608
610 {
611
613 {
614
620 }
621
622 goto Failure;
623 }
624
625
627 {
628
629 if ((
Message->Request.u1.s1.DataLength -
631 {
632
633 ConnectionInfoLength =
Message->Request.u1.s1.DataLength -
635 }
636
637
638 if (ConnectionInformation)
639 {
641 {
642
643 if (ConnectionInformationLength)
644 *ConnectionInformationLength = ConnectionInfoLength;
645
646
648 ConnectMessage + 1,
649 ConnectionInfoLength);
650 }
652 {
653
656 }
658 }
659
660
662 {
663
664 PortMessageLength =
Port->MaxMessageLength;
665
666
670 0,
674 {
676 "Handle: %p. Length: %lx\n",
678 PortMessageLength);
679
681 {
682
684
685
686 if (MaxMessageLength)
687 *MaxMessageLength = PortMessageLength;
688
689
690 if (ClientView)
691 {
692
695 sizeof(*ClientView));
696 }
697
698
699 if (ServerView)
700 {
701
704 sizeof(*ServerView));
705 }
706 }
708 {
709
712 }
714 }
715 }
716 else
717 {
718
720
721
723
724
727 {
728
730 }
731 else
732 {
733
735 }
736
737
739
740
742 }
743
744
746 }
747 else
748 {
749
751 goto Failure;
752 }
753
755
756
758
759Failure:
760
762
763
767
768
770}
#define NT_SUCCESS(StatCode)
#define InsertTailList(ListHead, Entry)
#define PsGetCurrentThread()
#define KeWaitForSingleObject(pEvt, foo, a, b, c)
#define KeSetEvent(pEvt, foo, foo2)
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
VOID NTAPI ProbeForWrite(IN PVOID Address, IN SIZE_T Length, IN ULONG Alignment)
_Outptr_ PFLT_PORT * ClientPort
_In_opt_ PFILE_OBJECT _In_opt_ PETHREAD Thread
#define EXCEPTION_EXECUTE_HANDLER
#define KeLeaveCriticalRegion()
#define KeEnterCriticalRegion()
VOID NTAPI LpcpFreeToPortZone(IN PLPCP_MESSAGE Message, IN ULONG LockFlags)
POBJECT_TYPE LpcPortObjectType
#define LPCTRACE(x, fmt,...)
NTSTATUS NTAPI LpcpInitializePortQueue(IN PLPCP_PORT_OBJECT Port)
#define LPC_CONNECT_DEBUG
#define LpcpConnectWait(s, w)
#define LpcpCompleteWait(s)
static __inline PLPCP_MESSAGE LpcpAllocateFromPortZone(VOID)
#define LPCP_SECURITY_DYNAMIC
#define LPCP_CONNECTION_PORT
#define LPCP_NAME_DELETED
#define LPCP_WAITABLE_PORT
#define LPCP_PORT_TYPE_MASK
struct _LPCP_MESSAGE LPCP_MESSAGE
struct _LPCP_CONNECTION_MESSAGE LPCP_CONNECTION_MESSAGE
#define ExFreePoolWithTag(_P, _T)
NTKERNELAPI NTSTATUS NTAPI SeCreateClientSecurity(IN PETHREAD Thread, IN PSECURITY_QUALITY_OF_SERVICE QualityOfService, IN BOOLEAN RemoteClient, OUT PSECURITY_CLIENT_CONTEXT ClientContext)
#define PsDereferencePrimaryToken(T)
#define LPC_CONNECTION_REQUEST
#define KeGetPreviousMode()
_In_ HANDLE _Outptr_result_bytebuffer_ ViewSize PVOID _In_ ULONG_PTR _In_ SIZE_T _Inout_opt_ PLARGE_INTEGER SectionOffset
NTSYSAPI BOOLEAN NTAPI RtlEqualSid(_In_ PSID Sid1, _In_ PSID Sid2)
#define SECTION_MAP_WRITE
_In_ ULONG _In_ ULONG _In_ ULONG Length
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
PVOID NTAPI LpcpFreeConMsg(IN OUT PLPCP_MESSAGE *Message, IN OUT PLPCP_CONNECTION_MESSAGE *ConnectMessage, IN PETHREAD CurrentThread)
PACCESS_TOKEN NTAPI PsReferencePrimaryToken(PEPROCESS Process)
#define STATUS_INVALID_PORT_HANDLE
#define STATUS_PORT_CONNECTION_REFUSED
#define STATUS_SERVER_SID_MISMATCH
NTSTATUS NTAPI ObCloseHandle(IN HANDLE Handle, IN KPROCESSOR_MODE AccessMode)
NTSTATUS NTAPI ObInsertObject(IN PVOID Object, IN PACCESS_STATE AccessState OPTIONAL, IN ACCESS_MASK DesiredAccess, IN ULONG ObjectPointerBias, OUT PVOID *NewObject OPTIONAL, OUT PHANDLE Handle)
NTSTATUS NTAPI ObCreateObject(IN KPROCESSOR_MODE ProbeMode OPTIONAL, IN POBJECT_TYPE Type, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext OPTIONAL, IN ULONG ObjectSize, IN ULONG PagedPoolCharge OPTIONAL, IN ULONG NonPagedPoolCharge OPTIONAL, OUT PVOID *Object)
NTSTATUS NTAPI ObReferenceObjectByName(IN PUNICODE_STRING ObjectPath, IN ULONG Attributes, IN PACCESS_STATE PassedAccessState, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN OUT PVOID ParseContext, OUT PVOID *ObjectPtr)
NTSTATUS NTAPI ObReferenceObjectByHandle(IN HANDLE Handle, IN ACCESS_MASK DesiredAccess, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, OUT PVOID *Object, OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
#define _SEH2_GetExceptionCode()
#define _SEH2_EXCEPT(...)
#define _SEH2_YIELD(__stmt)
static __inline NTSTATUS ProbeAndCaptureUnicodeString(OUT PUNICODE_STRING Dest, IN KPROCESSOR_MODE CurrentMode, IN const UNICODE_STRING *UnsafeSrc)
static __inline VOID ReleaseCapturedUnicodeString(IN PUNICODE_STRING CapturedString, IN KPROCESSOR_MODE CurrentMode)
#define ProbeForWriteHandle(Ptr)
#define ProbeForWriteUlong(Ptr)
NTSTATUS NTAPI MmMapViewOfSection(IN PVOID SectionObject, IN PEPROCESS Process, IN OUT PVOID *BaseAddress, IN ULONG_PTR ZeroBits, IN SIZE_T CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PSIZE_T ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect)
POBJECT_TYPE MmSectionObjectType
LONG NTAPI KeReadStateSemaphore(IN PKSEMAPHORE Semaphore)
PLPCP_PORT_OBJECT ClientPort
REMOTE_PORT_VIEW ServerView
SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode
NTSTATUS NTAPI SeQueryInformationToken(_In_ PACCESS_TOKEN AccessToken, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Outptr_result_buffer_(_Inexpressible_(token-dependent)) PVOID *TokenInformation)
Queries information details about the given token for the caller. The difference between NtQueryInformationToken and this routine ... (description truncated)
#define RtlCopyMemory(Destination, Source, Length)
#define RtlZeroMemory(Destination, Length)
#define STATUS_INVALID_PARAMETER
#define STATUS_OBJECT_NAME_NOT_FOUND
#define ObDereferenceObject
#define ObReferenceObject
#define PsGetCurrentProcess
_In_ KPROCESSOR_MODE PreviousMode
#define SECURITY_DYNAMIC_TRACKING