peloader.h File Reference

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions
BOOLEAN	PeLdrLoadImage (IN PCHAR FileName, IN TYPE_OF_MEMORY MemoryType, OUT PVOID *ImageBasePA)
BOOLEAN	PeLdrAllocateDataTableEntry (IN OUT PLIST_ENTRY ModuleListHead, IN PCCH BaseDllName, IN PCCH FullDllName, IN PVOID BasePA, OUT PLDR_DATA_TABLE_ENTRY *NewEntry)
BOOLEAN	PeLdrScanImportDescriptorTable (IN OUT PLIST_ENTRY ModuleListHead, IN PCCH DirectoryPath, IN PLDR_DATA_TABLE_ENTRY ScanDTE)
BOOLEAN	PeLdrCheckForLoadedDll (IN OUT PLIST_ENTRY ModuleListHead, IN PCH DllName, OUT PLDR_DATA_TABLE_ENTRY *LoadedEntry)

Function Documentation

PeLdrAllocateDataTableEntry()

BOOLEAN PeLdrAllocateDataTableEntry	(	IN OUT PLIST_ENTRY	ModuleListHead,
		IN PCCH	BaseDllName,
		IN PCCH	FullDllName,
		IN PVOID	BasePA,
		OUT PLDR_DATA_TABLE_ENTRY *	NewEntry
	)

Definition at line 585 of file peloader.c.

{
    PVOID BaseVA = PaToVa(BasePA);
    PWSTR BaseDllNameBuffer, Buffer;
    PLDR_DATA_TABLE_ENTRY DataTableEntry;
    PIMAGE_NT_HEADERS NtHeaders;
    USHORT Length;

    TRACE("PeLdrAllocateDataTableEntry(, '%s', '%s', %p)\n",
          BaseDllName, FullDllName, BasePA);

    /* Allocate memory for a data table entry, zero-initialize it */
    DataTableEntry = (PLDR_DATA_TABLE_ENTRY)FrLdrHeapAlloc(sizeof(LDR_DATA_TABLE_ENTRY),
                                                           TAG_WLDR_DTE);
    if (DataTableEntry == NULL)
        return FALSE;

    /* Get NT headers from the image */
    NtHeaders = RtlImageNtHeader(BasePA);

    /* Initialize corresponding fields of DTE based on NT headers value */
    RtlZeroMemory(DataTableEntry, sizeof(LDR_DATA_TABLE_ENTRY));
    DataTableEntry->DllBase = BaseVA;
    DataTableEntry->SizeOfImage = NtHeaders->OptionalHeader.SizeOfImage;
    DataTableEntry->EntryPoint = RVA(BaseVA, NtHeaders->OptionalHeader.AddressOfEntryPoint);
    DataTableEntry->SectionPointer = 0;
    DataTableEntry->CheckSum = NtHeaders->OptionalHeader.CheckSum;

    /* Initialize BaseDllName field (UNICODE_STRING) from the Ansi BaseDllName
       by simple conversion - copying each character */
    Length = (USHORT)(strlen(BaseDllName) * sizeof(WCHAR));
    Buffer = (PWSTR)FrLdrHeapAlloc(Length, TAG_WLDR_NAME);
    if (Buffer == NULL)
    {
        FrLdrHeapFree(DataTableEntry, TAG_WLDR_DTE);
        return FALSE;
    }

    /* Save Buffer, in case of later failure */
    BaseDllNameBuffer = Buffer;

    DataTableEntry->BaseDllName.Length = Length;
    DataTableEntry->BaseDllName.MaximumLength = Length;
    DataTableEntry->BaseDllName.Buffer = PaToVa(Buffer);

    RtlZeroMemory(Buffer, Length);
    Length /= sizeof(WCHAR);
    while (Length--)
    {
        *Buffer++ = *BaseDllName++;
    }

    /* Initialize FullDllName field (UNICODE_STRING) from the Ansi FullDllName
       using the same method */
    Length = (USHORT)(strlen(FullDllName) * sizeof(WCHAR));
    Buffer = (PWSTR)FrLdrHeapAlloc(Length, TAG_WLDR_NAME);
    if (Buffer == NULL)
    {
        FrLdrHeapFree(BaseDllNameBuffer, TAG_WLDR_NAME);
        FrLdrHeapFree(DataTableEntry, TAG_WLDR_DTE);
        return FALSE;
    }

    DataTableEntry->FullDllName.Length = Length;
    DataTableEntry->FullDllName.MaximumLength = Length;
    DataTableEntry->FullDllName.Buffer = PaToVa(Buffer);

    RtlZeroMemory(Buffer, Length);
    Length /= sizeof(WCHAR);
    while (Length--)
    {
        *Buffer++ = *FullDllName++;
    }

    /* Initialize what's left - LoadCount which is 1, and set Flags so that
       we know this entry is processed */
    DataTableEntry->Flags = LDRP_ENTRY_PROCESSED;
    DataTableEntry->LoadCount = 1;

    /* Honour the FORCE_INTEGRITY flag */
    if (NtHeaders->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)
    {
        /*
         * On Vista and above, the LDRP_IMAGE_INTEGRITY_FORCED flag must be set
         * if IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY is set in the image header.
         * This is done after the image has been loaded and the digital signature
         * check has passed successfully. (We do not do it yet!)
         *
         * Several OS functionality depend on the presence of this flag.
         * For example, when using Object-Manager callbacks the latter will call
         * MmVerifyCallbackFunction() to verify whether the flag is present.
         * If not callbacks will not work.
         * (See Windows Internals Part 1, 6th edition, p. 176.)
         */
        DataTableEntry->Flags |= LDRP_IMAGE_INTEGRITY_FORCED;
    }

    /* Insert this DTE to a list in the LPB */
    InsertTailList(ModuleListHead, &DataTableEntry->InLoadOrderLinks);
    TRACE("Inserting DTE %p, name='%.*S' DllBase=%p\n", DataTableEntry,
          DataTableEntry->BaseDllName.Length / sizeof(WCHAR),
          VaToPa(DataTableEntry->BaseDllName.Buffer),
          DataTableEntry->DllBase);

    /* Save pointer to a newly allocated and initialized entry */
    *NewEntry = DataTableEntry;

    /* Return success */
    return TRUE;
}

Referenced by LoadBootDeviceDriver(), LoadModule(), PeLdrpLoadAndScanReferencedDll(), and WinLdrLoadDeviceDriver().

PeLdrCheckForLoadedDll()

BOOLEAN PeLdrCheckForLoadedDll	(	IN OUT PLIST_ENTRY	ModuleListHead,
		IN PCH	DllName,
		OUT PLDR_DATA_TABLE_ENTRY *	LoadedEntry
	)

Definition at line 465 of file peloader.c.

{
    PLDR_DATA_TABLE_ENTRY DataTableEntry;
    LIST_ENTRY *ModuleEntry;

    TRACE("PeLdrCheckForLoadedDll: DllName %s\n", DllName);

    /* Just go through each entry in the LoadOrderList and compare loaded module's
       name with a given name */
    ModuleEntry = ModuleListHead->Flink;
    while (ModuleEntry != ModuleListHead)
    {
        /* Get pointer to the current DTE */
        DataTableEntry = CONTAINING_RECORD(ModuleEntry,
            LDR_DATA_TABLE_ENTRY,
            InLoadOrderLinks);

        TRACE("PeLdrCheckForLoadedDll: DTE %p, EP %p, base %p name '%.*ws'\n",
              DataTableEntry, DataTableEntry->EntryPoint, DataTableEntry->DllBase,
              DataTableEntry->BaseDllName.Length / 2, VaToPa(DataTableEntry->BaseDllName.Buffer));

        /* Compare names */
        if (PeLdrpCompareDllName(DllName, &DataTableEntry->BaseDllName))
        {
            /* Yes, found it, report pointer to the loaded module's DTE
               to the caller and increase load count for it */
            *LoadedEntry = DataTableEntry;
            DataTableEntry->LoadCount++;
            TRACE("PeLdrCheckForLoadedDll: LoadedEntry %X\n", DataTableEntry);
            return TRUE;
        }

        /* Go to the next entry */
        ModuleEntry = ModuleEntry->Flink;
    }

    /* Nothing found */
    return FALSE;
}

Referenced by PeLdrpBindImportName(), PeLdrScanImportDescriptorTable(), and WinLdrLoadDeviceDriver().

PeLdrLoadImage()

BOOLEAN PeLdrLoadImage	(	IN PCHAR	FileName,
		IN TYPE_OF_MEMORY	MemoryType,
		OUT PVOID *	ImageBasePA
	)

Definition at line 709 of file peloader.c.

{
    ULONG FileId;
    PVOID PhysicalBase;
    PVOID VirtualBase = NULL;
    UCHAR HeadersBuffer[SECTOR_SIZE * 2];
    PIMAGE_NT_HEADERS NtHeaders;
    PIMAGE_SECTION_HEADER SectionHeader;
    ULONG VirtualSize, SizeOfRawData, NumberOfSections;
    ARC_STATUS Status;
    LARGE_INTEGER Position;
    ULONG i, BytesRead;

    TRACE("PeLdrLoadImage(%s, %ld, *)\n", FileName, MemoryType);

    /* Open the image file */
    Status = ArcOpen((PSTR)FileName, OpenReadOnly, &FileId);
    if (Status != ESUCCESS)
    {
        WARN("ArcOpen(FileName: '%s') failed. Status: %u\n", FileName, Status);
        return FALSE;
    }

    /* Load the first 2 sectors of the image so we can read the PE header */
    Status = ArcRead(FileId, HeadersBuffer, SECTOR_SIZE * 2, &BytesRead);
    if (Status != ESUCCESS)
    {
        ERR("ArcRead(File: '%s') failed. Status: %u\n", FileName, Status);
        UiMessageBox("Error reading from file.");
        ArcClose(FileId);
        return FALSE;
    }

    /* Now read the MZ header to get the offset to the PE Header */
    NtHeaders = RtlImageNtHeader(HeadersBuffer);
    if (!NtHeaders)
    {
        ERR("No NT header found in \"%s\"\n", FileName);
        UiMessageBox("Error: No NT header found.");
        ArcClose(FileId);
        return FALSE;
    }

    /* Ensure this is executable image */
    if (((NtHeaders->FileHeader.Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE) == 0))
    {
        ERR("Not an executable image \"%s\"\n", FileName);
        UiMessageBox("Not an executable image.");
        ArcClose(FileId);
        return FALSE;
    }

    /* Store number of sections to read and a pointer to the first section */
    NumberOfSections = NtHeaders->FileHeader.NumberOfSections;
    SectionHeader = IMAGE_FIRST_SECTION(NtHeaders);

    /* Try to allocate this memory, if fails - allocate somewhere else */
    PhysicalBase = MmAllocateMemoryAtAddress(NtHeaders->OptionalHeader.SizeOfImage,
                       (PVOID)((ULONG)NtHeaders->OptionalHeader.ImageBase & (KSEG0_BASE - 1)),
                       MemoryType);

    if (PhysicalBase == NULL)
    {
        /* It's ok, we don't panic - let's allocate again at any other "low" place */
        PhysicalBase = MmAllocateMemoryWithType(NtHeaders->OptionalHeader.SizeOfImage, MemoryType);

        if (PhysicalBase == NULL)
        {
            ERR("Failed to alloc %lu bytes for image %s\n", NtHeaders->OptionalHeader.SizeOfImage, FileName);
            UiMessageBox("Failed to alloc pages for image.");
            ArcClose(FileId);
            return FALSE;
        }
    }

    /* This is the real image base - in form of a virtual address */
    VirtualBase = PaToVa(PhysicalBase);

    TRACE("Base PA: 0x%X, VA: 0x%X\n", PhysicalBase, VirtualBase);

    /* Copy headers from already read data */
    RtlCopyMemory(PhysicalBase, HeadersBuffer, min(NtHeaders->OptionalHeader.SizeOfHeaders, sizeof(HeadersBuffer)));
    /* If headers are quite big, request next bytes from file */
    if (NtHeaders->OptionalHeader.SizeOfHeaders > sizeof(HeadersBuffer))
    {
        Status = ArcRead(FileId, (PUCHAR)PhysicalBase + sizeof(HeadersBuffer), NtHeaders->OptionalHeader.SizeOfHeaders - sizeof(HeadersBuffer), &BytesRead);
        if (Status != ESUCCESS)
        {
            ERR("ArcRead(File: '%s') failed. Status: %u\n", FileName, Status);
            UiMessageBox("Error reading headers.");
            ArcClose(FileId);
            return FALSE;
        }
    }

    /*
     * On Vista and above, a digital signature check is performed when the image
     * has the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag set in its header.
     * (We of course do not perform this check yet!)
     */

    /* Reload the NT Header */
    NtHeaders = RtlImageNtHeader(PhysicalBase);

    /* Load the first section */
    SectionHeader = IMAGE_FIRST_SECTION(NtHeaders);

    /* Fill output parameters */
    *ImageBasePA = PhysicalBase;

    /* Walk through each section and read it (check/fix any possible
       bad situations, if they arise) */
    for (i = 0; i < NumberOfSections; i++)
    {
        VirtualSize = SectionHeader->Misc.VirtualSize;
        SizeOfRawData = SectionHeader->SizeOfRawData;

        /* Handle a case when VirtualSize equals 0 */
        if (VirtualSize == 0)
            VirtualSize = SizeOfRawData;

        /* If PointerToRawData is 0, then force its size to be also 0 */
        if (SectionHeader->PointerToRawData == 0)
        {
            SizeOfRawData = 0;
        }
        else
        {
            /* Cut the loaded size to the VirtualSize extents */
            if (SizeOfRawData > VirtualSize)
                SizeOfRawData = VirtualSize;
        }

        /* Actually read the section (if its size is not 0) */
        if (SizeOfRawData != 0)
        {
            /* Seek to the correct position */
            Position.QuadPart = SectionHeader->PointerToRawData;
            Status = ArcSeek(FileId, &Position, SeekAbsolute);

            TRACE("SH->VA: 0x%X\n", SectionHeader->VirtualAddress);

            /* Read this section from the file, size = SizeOfRawData */
            Status = ArcRead(FileId, (PUCHAR)PhysicalBase + SectionHeader->VirtualAddress, SizeOfRawData, &BytesRead);
            if (Status != ESUCCESS)
            {
                ERR("PeLdrLoadImage(): Error reading section from file!\n");
                break;
            }
        }

        /* Size of data is less than the virtual size - fill up the remainder with zeroes */
        if (SizeOfRawData < VirtualSize)
        {
            TRACE("PeLdrLoadImage(): SORD %d < VS %d\n", SizeOfRawData, VirtualSize);
            RtlZeroMemory((PVOID)(SectionHeader->VirtualAddress + (ULONG_PTR)PhysicalBase + SizeOfRawData), VirtualSize - SizeOfRawData);
        }

        SectionHeader++;
    }

    /* We are done with the file - close it */
    ArcClose(FileId);

    /* If loading failed - return right now */
    if (Status != ESUCCESS)
        return FALSE;

    /* Relocate the image, if it needs it */
    if (NtHeaders->OptionalHeader.ImageBase != (ULONG_PTR)VirtualBase)
    {
        WARN("Relocating %p -> %p\n", NtHeaders->OptionalHeader.ImageBase, VirtualBase);
        return (BOOLEAN)LdrRelocateImageWithBias(PhysicalBase,
                                                 (ULONG_PTR)VirtualBase - (ULONG_PTR)PhysicalBase,
                                                 "FreeLdr",
                                                 TRUE,
                                                 TRUE, /* in case of conflict still return success */
                                                 FALSE);
    }

    TRACE("PeLdrLoadImage() done, PA = %p\n", *ImageBasePA);
    return TRUE;
}

Referenced by LoadBootDeviceDriver(), LoadModule(), PeLdrpLoadAndScanReferencedDll(), and WinLdrLoadDeviceDriver().

PeLdrScanImportDescriptorTable()

BOOLEAN PeLdrScanImportDescriptorTable	(	IN OUT PLIST_ENTRY	ModuleListHead,
		IN PCCH	DirectoryPath,
		IN PLDR_DATA_TABLE_ENTRY	ScanDTE
	)

Definition at line 509 of file peloader.c.

{
    PLDR_DATA_TABLE_ENTRY DataTableEntry;
    PIMAGE_IMPORT_DESCRIPTOR ImportTable;
    ULONG ImportTableSize;
    PCH ImportName;
    BOOLEAN Success;

    /* Get a pointer to the import table of this image */
    ImportTable = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData(VaToPa(ScanDTE->DllBase),
        TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ImportTableSize);

#if DBG
    {
        UNICODE_STRING BaseName;
        BaseName.Buffer = VaToPa(ScanDTE->BaseDllName.Buffer);
        BaseName.MaximumLength = ScanDTE->BaseDllName.MaximumLength;
        BaseName.Length = ScanDTE->BaseDllName.Length;
        TRACE("PeLdrScanImportDescriptorTable(): %wZ ImportTable = 0x%X\n",
              &BaseName, ImportTable);
    }
#endif

    /* If image doesn't have any import directory - just return success */
    if (ImportTable == NULL)
        return TRUE;

    /* Loop through all entries */
    for (;(ImportTable->Name != 0) && (ImportTable->FirstThunk != 0);ImportTable++)
    {
        /* Get pointer to the name */
        ImportName = (PCH)VaToPa(RVA(ScanDTE->DllBase, ImportTable->Name));
        TRACE("PeLdrScanImportDescriptorTable(): Looking at %s\n", ImportName);

        /* In case we get a reference to ourselves - just skip it */
        if (PeLdrpCompareDllName(ImportName, &ScanDTE->BaseDllName))
            continue;

        /* Load the DLL if it is not already loaded */
        if (!PeLdrCheckForLoadedDll(ModuleListHead, ImportName, &DataTableEntry))
        {
            Success = PeLdrpLoadAndScanReferencedDll(ModuleListHead,
                                                     DirectoryPath,
                                                     ImportName,
                                                     &ScanDTE->InLoadOrderLinks,
                                                     &DataTableEntry);
            if (!Success)
            {
                ERR("PeLdrpLoadAndScanReferencedDll() failed\n");
                return Success;
            }
        }

        /* Scan its import address table */
        Success = PeLdrpScanImportAddressTable(ModuleListHead,
                                               DataTableEntry->DllBase,
                                               ScanDTE->DllBase,
                                               (PIMAGE_THUNK_DATA)RVA(ScanDTE->DllBase, ImportTable->FirstThunk),
                                               DirectoryPath,
                                               &ScanDTE->InLoadOrderLinks);

        if (!Success)
        {
            ERR("PeLdrpScanImportAddressTable() failed: ImportName = '%s', DirectoryPath = '%s'\n",
                ImportName, DirectoryPath);
            return Success;
        }
    }

    return TRUE;
}

Referenced by LoadBootDeviceDriver(), LoadWindowsCore(), PeLdrpLoadAndScanReferencedDll(), and WinLdrLoadDeviceDriver().