ReactOS 0.4.16-dev-983-g23ad936
Classes | Macros | Typedefs | Functions | Variables
verifier.c File Reference
#include <ntdll.h>
#include <reactos/verifier.h>
#include <debug.h>
Include dependency graph for verifier.c:

Go to the source code of this file.

Classes

struct  _VERIFIER_PROVIDER
 

Macros

#define NDEBUG
 
#define VERIFIER_DLL_FLAGS_RESOLVED   1
 

Typedefs

typedef struct _VERIFIER_PROVIDER VERIFIER_PROVIDER
 
typedef struct _VERIFIER_PROVIDERPVERIFIER_PROVIDER
 

Functions

HANDLE NTAPI RtlpPageHeapCreate (ULONG Flags, PVOID Addr, SIZE_T TotalSize, SIZE_T CommitSize, PVOID Lock, PRTL_HEAP_PARAMETERS Parameters)
 
PVOID NTAPI RtlpPageHeapDestroy (HANDLE HeapPtr)
 
VOID NTAPI AVrfReadIFEO (HANDLE KeyHandle)
 
NTSTATUS NTAPI LdrpInitializeApplicationVerifierPackage (HANDLE KeyHandle, PPEB Peb, BOOLEAN SystemWide, BOOLEAN ReadAdvancedOptions)
 
BOOLEAN AVrfpIsVerifierProviderDll (PVOID BaseAddress)
 
SIZE_T AVrfpCountThunks (PIMAGE_THUNK_DATA Thunk)
 
VOID AVrfpSnapDllImports (IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 
VOID AvrfpResolveThunks (IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 
VOID NTAPI AVrfDllLoadNotification (IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 
VOID NTAPI AVrfDllUnloadNotification (IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 
VOID NTAPI AVrfInternalHeapFreeNotification (PVOID AllocationBase, SIZE_T AllocationSize)
 
VOID NTAPI AVrfPageHeapDllNotification (IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 
VOID NTAPI AVrfpResnapInitialModules (VOID)
 
PVOID NTAPI AvrfpFindDuplicateThunk (PLIST_ENTRY EndEntry, PWCHAR DllName, PCHAR ThunkName)
 
VOID NTAPI AVrfpChainDuplicateThunks (VOID)
 
static PVOID NTAPI AVrfpGetStackTraceAddress (ULONG Arg0)
 
static HANDLE NTAPI AVrfpDebugPageHeapCreate (ULONG Flags, PVOID Addr, SIZE_T TotalSize, SIZE_T CommitSize, PVOID Lock, PRTL_HEAP_PARAMETERS Parameters)
 
static PVOID AVrfpDebugPageHeapDestroy (HANDLE HeapPtr)
 
NTSTATUS NTAPI AVrfpLoadAndInitializeProvider (PVERIFIER_PROVIDER Provider)
 
NTSTATUS NTAPI AVrfInitializeVerifier (VOID)
 

Variables

PLDR_DATA_TABLE_ENTRY LdrpImageEntry
 
ULONG AVrfpVerifierFlags = 0
 
WCHAR AVrfpVerifierDllsString [256] = { 0 }
 
ULONG AVrfpDebug = 0
 
BOOL AVrfpInitialized = FALSE
 
RTL_CRITICAL_SECTION AVrfpVerifierLock
 
LIST_ENTRY AVrfpVerifierProvidersList
 

Macro Definition Documentation

◆ NDEBUG

#define NDEBUG

Definition at line 13 of file verifier.c.

◆ VERIFIER_DLL_FLAGS_RESOLVED

#define VERIFIER_DLL_FLAGS_RESOLVED   1

Definition at line 28 of file verifier.c.

Typedef Documentation

◆ PVERIFIER_PROVIDER

typedef struct _VERIFIER_PROVIDER * PVERIFIER_PROVIDER

◆ VERIFIER_PROVIDER

typedef struct _VERIFIER_PROVIDER VERIFIER_PROVIDER

Function Documentation

◆ AVrfDllLoadNotification()

VOID NTAPI AVrfDllLoadNotification ( IN PLDR_DATA_TABLE_ENTRY  LdrEntry)

Definition at line 298 of file verifier.c.

299{
300 PLIST_ENTRY Entry;
301
302 if (!(NtCurrentPeb()->NtGlobalFlag & FLG_APPLICATION_VERIFIER))
303 return;
304
305 RtlEnterCriticalSection(&AVrfpVerifierLock);
306 if (!AVrfpIsVerifierProviderDll(LdrEntry->DllBase))
307 {
308 AvrfpResolveThunks(LdrEntry);
309
310 for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
311 {
312 PVERIFIER_PROVIDER Provider;
313 RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
314
315 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
316
317 ProviderDllLoadCallback = Provider->ProviderDllLoadCallback;
318 if (ProviderDllLoadCallback)
319 {
320 ProviderDllLoadCallback(LdrEntry->BaseDllName.Buffer,
321 LdrEntry->DllBase,
322 LdrEntry->SizeOfImage,
323 LdrEntry);
324 }
325 }
326 }
327 RtlLeaveCriticalSection(&AVrfpVerifierLock);
328}
NtCurrentPeb
#define NtCurrentPeb()
Definition: FLS.c:22
FLG_APPLICATION_VERIFIER
#define FLG_APPLICATION_VERIFIER
Definition: pstypes.h:64
RtlEnterCriticalSection
NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
RtlLeaveCriticalSection
NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
AVrfpVerifierProvidersList
LIST_ENTRY AVrfpVerifierProvidersList
Definition: verifier.c:26
AVrfpVerifierLock
RTL_CRITICAL_SECTION AVrfpVerifierLock
Definition: verifier.c:25
AVrfpIsVerifierProviderDll
BOOLEAN AVrfpIsVerifierProviderDll(PVOID BaseAddress)
Definition: verifier.c:107
AvrfpResolveThunks
VOID AvrfpResolveThunks(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
Definition: verifier.c:239
NtGlobalFlag
ULONG NtGlobalFlag
Definition: init.c:54
Entry
base of all file and directory entries
Definition: entries.h:83
_LIST_ENTRY
Definition: typedefs.h:120
_LIST_ENTRY::Flink
struct _LIST_ENTRY * Flink
Definition: typedefs.h:121
_VERIFIER_PROVIDER
Definition: verifier.c:32
CONTAINING_RECORD
#define CONTAINING_RECORD(address, type, field)
Definition: typedefs.h:260
RTL_VERIFIER_DLL_LOAD_CALLBACK
VOID(NTAPI * RTL_VERIFIER_DLL_LOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
Definition: verifier.h:6

Referenced by LdrpWalkImportDescriptor().

◆ AVrfDllUnloadNotification()

VOID NTAPI AVrfDllUnloadNotification ( IN PLDR_DATA_TABLE_ENTRY  LdrEntry)

Definition at line 332 of file verifier.c.

333{
334 PLIST_ENTRY Entry;
335
336 if (!(NtCurrentPeb()->NtGlobalFlag & FLG_APPLICATION_VERIFIER) || !AVrfpInitialized)
337 return;
338
339 RtlEnterCriticalSection(&AVrfpVerifierLock);
340 if (!AVrfpIsVerifierProviderDll(LdrEntry->DllBase))
341 {
342 for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
343 {
344 PVERIFIER_PROVIDER Provider;
345 RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;
346
347 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
348
349 ProviderDllUnloadCallback = Provider->ProviderDllUnloadCallback;
350 if (ProviderDllUnloadCallback)
351 {
352 ProviderDllUnloadCallback(LdrEntry->BaseDllName.Buffer,
353 LdrEntry->DllBase,
354 LdrEntry->SizeOfImage,
355 LdrEntry);
356 }
357 }
358 }
359 RtlLeaveCriticalSection(&AVrfpVerifierLock);
360}
AVrfpInitialized
BOOL AVrfpInitialized
Definition: verifier.c:24
RTL_VERIFIER_DLL_UNLOAD_CALLBACK
VOID(NTAPI * RTL_VERIFIER_DLL_UNLOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
Definition: verifier.h:7

Referenced by LdrUnloadDll().

◆ AVrfInitializeVerifier()

NTSTATUS NTAPI AVrfInitializeVerifier ( VOID  )

Definition at line 672 of file verifier.c.

673{
674 NTSTATUS Status;
675 PVERIFIER_PROVIDER Provider;
676 PLIST_ENTRY Entry;
677 WCHAR* Ptr, *Next;
678
679 Status = RtlInitializeCriticalSection(&AVrfpVerifierLock);
680 InitializeListHead(&AVrfpVerifierProvidersList);
681
682 if (!NT_SUCCESS(Status))
683 return Status;
684
685 DbgPrint("AVRF: %wZ: pid 0x%X: flags 0x%X: application verifier enabled\n",
686 &LdrpImageEntry->BaseDllName, NtCurrentTeb()->ClientId.UniqueProcess, AVrfpVerifierFlags);
687
688 Provider = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(VERIFIER_PROVIDER));
689 if (!Provider)
690 return STATUS_NO_MEMORY;
691
692 RtlInitUnicodeString(&Provider->DllName, L"verifier.dll");
693 InsertTailList(&AVrfpVerifierProvidersList, &Provider->ListEntry);
694
695 Next = AVrfpVerifierDllsString;
696
697 do
698 {
699 while (*Next == L' ' || *Next == L'\t')
700 Next++;
701
702 Ptr = Next;
703
704 while (*Next != ' ' && *Next != '\t' && *Next)
705 Next++;
706
707 if (*Next)
708 *(Next++) = '\0';
709 else
710 Next = NULL;
711
712 if (*Ptr)
713 {
714 Provider = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(VERIFIER_PROVIDER));
715 if (!Provider)
716 return STATUS_NO_MEMORY;
717 RtlInitUnicodeString(&Provider->DllName, Ptr);
718 InsertTailList(&AVrfpVerifierProvidersList, &Provider->ListEntry);
719 }
720 } while (Next);
721
722 Entry = AVrfpVerifierProvidersList.Flink;
723 while (Entry != &AVrfpVerifierProvidersList)
724 {
725 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
726 Entry = Entry->Flink;
727
728 Status = AVrfpLoadAndInitializeProvider(Provider);
729 if (!NT_SUCCESS(Status))
730 {
731 RemoveEntryList(&Provider->ListEntry);
732 RtlFreeHeap(RtlGetProcessHeap(), 0, Provider);
733 }
734 }
735
736 if (!NT_SUCCESS(Status))
737 {
738 DbgPrint("AVRF: %wZ: pid 0x%X: application verifier will be disabled due to an initialization error.\n",
739 &LdrpImageEntry->BaseDllName, NtCurrentTeb()->ClientId.UniqueProcess);
740 NtCurrentPeb()->NtGlobalFlag &= ~FLG_APPLICATION_VERIFIER;
741 }
742
743 return Status;
744}
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:616
RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:634
STATUS_NO_MEMORY
#define STATUS_NO_MEMORY
Definition: d3dkmdt.h:51
NULL
#define NULL
Definition: types.h:112
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
RemoveEntryList
#define RemoveEntryList(Entry)
Definition: env_spec_w32.h:986
InsertTailList
#define InsertTailList(ListHead, Entry)
Definition: env_spec_w32.h:1003
InitializeListHead
#define InitializeListHead(ListHead)
Definition: env_spec_w32.h:944
Ptr
_Must_inspect_result_ _In_ PFSRTL_PER_STREAM_CONTEXT Ptr
Definition: fsrtlfuncs.h:898
Status
Status
Definition: gdiplustypes.h:25
DbgPrint
#define DbgPrint
Definition: hal.h:12
NtCurrentTeb
#define NtCurrentTeb
Definition: iphlpapi_private.h:4
RtlInitializeCriticalSection
NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
RtlInitUnicodeString
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
AVrfpVerifierFlags
ULONG AVrfpVerifierFlags
Definition: verifier.c:21
LdrpImageEntry
PLDR_DATA_TABLE_ENTRY LdrpImageEntry
Definition: ldrinit.c:39
AVrfpVerifierDllsString
WCHAR AVrfpVerifierDllsString[256]
Definition: verifier.c:22
AVrfpLoadAndInitializeProvider
NTSTATUS NTAPI AVrfpLoadAndInitializeProvider(PVERIFIER_PROVIDER Provider)
Definition: verifier.c:549
L
#define L(x)
Definition: ntvdm.h:50
Next
STDMETHOD() Next(THIS_ ULONG celt, IAssociationElement *pElement, ULONG *pceltFetched) PURE
_CLIENT_ID::UniqueProcess
HANDLE UniqueProcess
Definition: compat.h:825
_LDR_DATA_TABLE_ENTRY::BaseDllName
UNICODE_STRING BaseDllName
Definition: ldrtypes.h:149
ClientId
_Out_ PCLIENT_ID ClientId
Definition: kefuncs.h:1151
WCHAR
__wchar_t WCHAR
Definition: xmlstorage.h:180

Referenced by LdrpInitializeProcess().

◆ AVrfInternalHeapFreeNotification()

VOID NTAPI AVrfInternalHeapFreeNotification ( PVOID  AllocationBase,
SIZE_T  AllocationSize 
)

Definition at line 364 of file verifier.c.

365{
366 PLIST_ENTRY Entry;
367
368 if (!(NtCurrentPeb()->NtGlobalFlag & FLG_APPLICATION_VERIFIER) || !AVrfpInitialized)
369 return;
370
371 RtlEnterCriticalSection(&AVrfpVerifierLock);
372 for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
373 {
374 PVERIFIER_PROVIDER Provider;
375 RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderHeapFreeCallback;
376
377 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
378
379 ProviderHeapFreeCallback = Provider->ProviderNtdllHeapFreeCallback;
380 if (ProviderHeapFreeCallback)
381 {
382 ProviderHeapFreeCallback(AllocationBase, AllocationSize);
383 }
384 }
385 RtlLeaveCriticalSection(&AVrfpVerifierLock);
386}
AllocationSize
IN PFCB IN PFILE_OBJECT FileObject IN ULONG AllocationSize
Definition: fatprocs.h:323
RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK
VOID(NTAPI * RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)(PVOID AllocationBase, SIZE_T AllocationSize)
Definition: verifier.h:8

◆ AVrfPageHeapDllNotification()

VOID NTAPI AVrfPageHeapDllNotification ( IN PLDR_DATA_TABLE_ENTRY  LdrEntry)

Definition at line 390 of file verifier.c.

391{
392 /* Check if page heap dll notification is turned on */
393 if (!(RtlpDphGlobalFlags & DPH_FLAG_DLL_NOTIFY))
394 return;
395
396 /* We don't support this flag currently */
397 UNIMPLEMENTED;
398}
UNIMPLEMENTED
#define UNIMPLEMENTED
Definition: ntoskrnl.c:15
RtlpDphGlobalFlags
ULONG RtlpDphGlobalFlags
Definition: heappage.c:108
DPH_FLAG_DLL_NOTIFY
#define DPH_FLAG_DLL_NOTIFY
Definition: ntdllp.h:24

Referenced by LdrpWalkImportDescriptor().

◆ AVrfpChainDuplicateThunks()

VOID NTAPI AVrfpChainDuplicateThunks ( VOID  )

Definition at line 477 of file verifier.c.

478{
479 PLIST_ENTRY Entry;
480 PVERIFIER_PROVIDER Provider;
481
482 for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
483 {
484 PRTL_VERIFIER_DLL_DESCRIPTOR DllDescriptor;
485 PRTL_VERIFIER_THUNK_DESCRIPTOR ThunkDescriptor;
486
487 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
488
489 for (DllDescriptor = Provider->ProviderDlls; DllDescriptor && DllDescriptor->DllName; ++DllDescriptor)
490 {
491 for (ThunkDescriptor = DllDescriptor->DllThunks; ThunkDescriptor && ThunkDescriptor->ThunkName; ++ThunkDescriptor)
492 {
493 PVOID Ptr;
494
495 if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
496 DbgPrint("AVRF: Checking %wZ for duplicate (%ws: %s)\n",
497 &Provider->DllName, DllDescriptor->DllName, ThunkDescriptor->ThunkName);
498
499 Ptr = AvrfpFindDuplicateThunk(Entry, DllDescriptor->DllName, ThunkDescriptor->ThunkName);
500 if (Ptr)
501 {
502 if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING)
503 DbgPrint("AVRF: Chaining (%ws: %s) to %wZ\n", DllDescriptor->DllName, ThunkDescriptor->ThunkName, &Provider->DllName);
504
505 ThunkDescriptor->ThunkOldAddress = Ptr;
506 }
507 }
508 }
509 }
510}
AVrfpDebug
ULONG AVrfpDebug
Definition: verifier.c:23
AvrfpFindDuplicateThunk
PVOID NTAPI AvrfpFindDuplicateThunk(PLIST_ENTRY EndEntry, PWCHAR DllName, PCHAR ThunkName)
Definition: verifier.c:431
_RTL_VERIFIER_DLL_DESCRIPTOR
Definition: verifier.h:16
_RTL_VERIFIER_DLL_DESCRIPTOR::DllName
PWCHAR DllName
Definition: verifier.h:17
_RTL_VERIFIER_DLL_DESCRIPTOR::DllThunks
PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks
Definition: verifier.h:20
_RTL_VERIFIER_THUNK_DESCRIPTOR
Definition: verifier.h:10
_RTL_VERIFIER_THUNK_DESCRIPTOR::ThunkName
PCHAR ThunkName
Definition: verifier.h:11
_RTL_VERIFIER_THUNK_DESCRIPTOR::ThunkOldAddress
PVOID ThunkOldAddress
Definition: verifier.h:12
RTL_VRF_DBG_SHOWCHAINING
#define RTL_VRF_DBG_SHOWCHAINING
Definition: verifier.h:73
RTL_VRF_DBG_SHOWCHAINING_DEBUG
#define RTL_VRF_DBG_SHOWCHAINING_DEBUG
Definition: verifier.h:74

Referenced by AVrfpLoadAndInitializeProvider().

◆ AVrfpCountThunks()

SIZE_T AVrfpCountThunks ( PIMAGE_THUNK_DATA  Thunk)

Definition at line 124 of file verifier.c.

125{
126 SIZE_T Count = 0;
127 while (Thunk[Count].u1.Function)
128 Count++;
129 return Count;
130}
u1
GLdouble u1
Definition: glext.h:8308
Count
int Count
Definition: noreturn.cpp:7
SIZE_T
ULONG_PTR SIZE_T
Definition: typedefs.h:80

Referenced by AVrfpSnapDllImports().

◆ AVrfpDebugPageHeapCreate()

static HANDLE NTAPI AVrfpDebugPageHeapCreate ( ULONG  Flags,
PVOID  Addr,
SIZE_T  TotalSize,
SIZE_T  CommitSize,
PVOID  Lock,
PRTL_HEAP_PARAMETERS  Parameters 
)
static

Definition at line 525 of file verifier.c.

531{
532 HANDLE hHeap;
533 hHeap = RtlpPageHeapCreate(Flags, Addr, TotalSize, CommitSize, Lock, Parameters);
534 DbgPrint("AVRF: DebugPageHeapCreate(Flags=%x, Addr=%p, TotalSize=%u, CommitSize=%u, Lock=%p, Parameters=%p) = %p\n",
535 Flags, Addr, TotalSize, CommitSize, Lock, Parameters, hHeap);
536 return hHeap;
537}
CommitSize
_In_ HANDLE _Outptr_result_bytebuffer_ ViewSize PVOID _In_ ULONG_PTR _In_ SIZE_T CommitSize
Definition: mmfuncs.h:406
RtlpPageHeapCreate
HANDLE NTAPI RtlpPageHeapCreate(ULONG Flags, PVOID Addr, SIZE_T TotalSize, SIZE_T CommitSize, PVOID Lock, PRTL_HEAP_PARAMETERS Parameters)
Definition: heappage.c:1537
Parameters
_Must_inspect_result_ _In_ WDFQUEUE _In_opt_ WDFREQUEST _In_opt_ WDFFILEOBJECT _Inout_opt_ PWDF_REQUEST_PARAMETERS Parameters
Definition: wdfio.h:869
Lock
_Must_inspect_result_ _In_opt_ PWDF_OBJECT_ATTRIBUTES _Out_ WDFWAITLOCK * Lock
Definition: wdfsync.h:127
Flags
_Must_inspect_result_ _In_ ULONG Flags
Definition: wsk.h:170

Referenced by AVrfpLoadAndInitializeProvider().

◆ AVrfpDebugPageHeapDestroy()

static PVOID AVrfpDebugPageHeapDestroy ( HANDLE  HeapPtr)
static

Definition at line 541 of file verifier.c.

542{
543 DbgPrint("AVRF: DebugPageHeapDestroy(HeapPtr=%p)\n", HeapPtr);
544 return RtlpPageHeapDestroy(HeapPtr);
545}
RtlpPageHeapDestroy
PVOID NTAPI RtlpPageHeapDestroy(HANDLE HeapPtr)
Definition: heappage.c:1678

Referenced by AVrfpLoadAndInitializeProvider().

◆ AvrfpFindDuplicateThunk()

PVOID NTAPI AvrfpFindDuplicateThunk ( PLIST_ENTRY  EndEntry,
PWCHAR  DllName,
PCHAR  ThunkName 
)

Definition at line 431 of file verifier.c.

432{
433 PLIST_ENTRY Entry;
434
435 for (Entry = AVrfpVerifierProvidersList.Flink; Entry != EndEntry; Entry = Entry->Flink)
436 {
437 PVERIFIER_PROVIDER Provider;
438 PRTL_VERIFIER_DLL_DESCRIPTOR DllDescriptor;
439
440 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
441
442 if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
443 DbgPrint("AVRF: chain: searching in %wZ\n", &Provider->DllName);
444
445 for (DllDescriptor = Provider->ProviderDlls; DllDescriptor && DllDescriptor->DllName; ++DllDescriptor)
446 {
447 PRTL_VERIFIER_THUNK_DESCRIPTOR ThunkDescriptor;
448
449 if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
450 DbgPrint("AVRF: chain: dll: %ws\n", DllDescriptor->DllName);
451
452 if (_wcsicmp(DllDescriptor->DllName, DllName))
453 continue;
454
455 for (ThunkDescriptor = DllDescriptor->DllThunks; ThunkDescriptor && ThunkDescriptor->ThunkName; ++ThunkDescriptor)
456 {
457 if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
458 DbgPrint("AVRF: chain: thunk: %s == %s ?\n", ThunkDescriptor->ThunkName, ThunkName);
459
460 if (!_stricmp(ThunkDescriptor->ThunkName, ThunkName))
461 {
462 if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
463 DbgPrint("AVRF: Found duplicate for (%ws: %s) in %wZ\n",
464 DllDescriptor->DllName, ThunkDescriptor->ThunkName, &Provider->DllName);
465
466 return ThunkDescriptor->ThunkNewAddress;
467 }
468 }
469 }
470 }
471 return NULL;
472}
_stricmp
#define _stricmp
Definition: cat.c:22
_wcsicmp
_Check_return_ _CRTIMP int __cdecl _wcsicmp(_In_z_ const wchar_t *_Str1, _In_z_ const wchar_t *_Str2)
_RTL_VERIFIER_THUNK_DESCRIPTOR::ThunkNewAddress
PVOID ThunkNewAddress
Definition: verifier.h:13

Referenced by AVrfpChainDuplicateThunks().

◆ AVrfpGetStackTraceAddress()

static PVOID NTAPI AVrfpGetStackTraceAddress ( ULONG  Arg0)
static

Definition at line 515 of file verifier.c.

516{
517 UNIMPLEMENTED;
518 DbgBreakPoint();
519 return NULL;
520}
DbgBreakPoint
NTSYSAPI void WINAPI DbgBreakPoint(void)

Referenced by AVrfpLoadAndInitializeProvider().

◆ AVrfpIsVerifierProviderDll()

BOOLEAN AVrfpIsVerifierProviderDll ( PVOID  BaseAddress)

Definition at line 107 of file verifier.c.

108{
109 PLIST_ENTRY Entry;
110 PVERIFIER_PROVIDER Provider;
111
112 for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
113 {
114 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
115
116 if (BaseAddress == Provider->BaseAddress)
117 return TRUE;
118 }
119
120 return FALSE;
121}
TRUE
#define TRUE
Definition: types.h:120
FALSE
#define FALSE
Definition: types.h:117
BaseAddress
_In_ HANDLE _Outptr_result_bytebuffer_ ViewSize PVOID * BaseAddress
Definition: mmfuncs.h:404

Referenced by AVrfDllLoadNotification(), AVrfDllUnloadNotification(), and AVrfpResnapInitialModules().

◆ AVrfpLoadAndInitializeProvider()

NTSTATUS NTAPI AVrfpLoadAndInitializeProvider ( PVERIFIER_PROVIDER  Provider)

Definition at line 549 of file verifier.c.

550{
551 WCHAR StringBuffer[MAX_PATH + 11];
552 UNICODE_STRING DllPath;
553 PRTL_VERIFIER_PROVIDER_DESCRIPTOR Descriptor = NULL;
554 PIMAGE_NT_HEADERS ImageNtHeader;
555 NTSTATUS Status;
556
557 RtlInitEmptyUnicodeString(&DllPath, StringBuffer, sizeof(StringBuffer));
558 RtlAppendUnicodeToString(&DllPath, SharedUserData->NtSystemRoot);
559 RtlAppendUnicodeToString(&DllPath, L"\\System32\\");
560
561 if (AVrfpDebug & RTL_VRF_DBG_SHOWSNAPS)
562 DbgPrint("AVRF: verifier dll `%wZ'\n", &Provider->DllName);
563
564 Status = LdrLoadDll(DllPath.Buffer, NULL, &Provider->DllName, &Provider->BaseAddress);
565 if (!NT_SUCCESS(Status))
566 {
567 DbgPrint("AVRF: %wZ: failed to load provider `%wZ' (status %08X) from %wZ\n",
568 &LdrpImageEntry->BaseDllName,
569 &Provider->DllName,
570 Status,
571 &DllPath);
572 return Status;
573 }
574
575 /* Prevent someone funny from specifying his own application as provider */
576 ImageNtHeader = RtlImageNtHeader(Provider->BaseAddress);
577 if (!ImageNtHeader ||
578 !(ImageNtHeader->FileHeader.Characteristics & IMAGE_FILE_DLL))
579 {
580 DbgPrint("AVRF: provider %wZ is not a DLL image\n", &Provider->DllName);
581 return STATUS_DLL_INIT_FAILED;
582 }
583
584 Provider->EntryPoint = LdrpFetchAddressOfEntryPoint(Provider->BaseAddress);
585 if (!Provider->EntryPoint)
586 {
587 DbgPrint("AVRF: cannot find an entry point for provider %wZ\n", &Provider->DllName);
588 return STATUS_PROCEDURE_NOT_FOUND;
589 }
590
591 _SEH2_TRY
592 {
593 if (LdrpCallInitRoutine(Provider->EntryPoint,
594 Provider->BaseAddress,
595 DLL_PROCESS_VERIFIER,
596 &Descriptor))
597 {
598 if (Descriptor && Descriptor->Length == sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR))
599 {
600 /* Copy the data */
601 Provider->ProviderDlls = Descriptor->ProviderDlls;
602 Provider->ProviderDllLoadCallback = Descriptor->ProviderDllLoadCallback;
603 Provider->ProviderDllUnloadCallback = Descriptor->ProviderDllUnloadCallback;
604 Provider->ProviderNtdllHeapFreeCallback = Descriptor->ProviderNtdllHeapFreeCallback;
605
606 /* Update some info for the provider */
607 Descriptor->VerifierImage = LdrpImageEntry->BaseDllName.Buffer;
608 Descriptor->VerifierFlags = AVrfpVerifierFlags;
609 Descriptor->VerifierDebug = AVrfpDebug;
610
611 Descriptor->RtlpGetStackTraceAddress = AVrfpGetStackTraceAddress;
612 Descriptor->RtlpDebugPageHeapCreate = AVrfpDebugPageHeapCreate;
613 Descriptor->RtlpDebugPageHeapDestroy = AVrfpDebugPageHeapDestroy;
614 Status = STATUS_SUCCESS;
615 }
616 else
617 {
618 DbgPrint("AVRF: provider %wZ passed an invalid descriptor @ %p\n", &Provider->DllName, Descriptor);
619 Status = STATUS_INVALID_PARAMETER_4;
620 }
621 }
622 else
623 {
624 DbgPrint("AVRF: provider %wZ did not initialize correctly\n", &Provider->DllName);
625 Status = STATUS_DLL_INIT_FAILED;
626 }
627 }
628 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
629 {
630 Status = _SEH2_GetExceptionCode();
631 }
632 _SEH2_END;
633
634 if (!NT_SUCCESS(Status))
635 return Status;
636
637
638 if (AVrfpDebug & RTL_VRF_DBG_LISTPROVIDERS)
639 DbgPrint("AVRF: initialized provider %wZ (descriptor @ %p)\n", &Provider->DllName, Descriptor);
640
641 /* Done loading providers, allow dll notifications */
642 AVrfpInitialized = TRUE;
643
644 AVrfpChainDuplicateThunks();
645 AVrfpResnapInitialModules();
646
647 /* Manually call with DLL_PROCESS_ATTACH, since the process is not done initializing */
648 _SEH2_TRY
649 {
650 if (!LdrpCallInitRoutine(Provider->EntryPoint,
651 Provider->BaseAddress,
652 DLL_PROCESS_ATTACH,
653 NULL))
654 {
655 DbgPrint("AVRF: provider %wZ did not initialize correctly\n", &Provider->DllName);
656 Status = STATUS_DLL_INIT_FAILED;
657 }
658
659 }
660 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
661 {
662 Status = _SEH2_GetExceptionCode();
663 }
664 _SEH2_END;
665
666 return Status;
667}
ImageNtHeader
PIMAGE_NT_HEADERS WINAPI ImageNtHeader(_In_ PVOID)
DLL_PROCESS_ATTACH
#define DLL_PROCESS_ATTACH
Definition: compat.h:131
RtlImageNtHeader
#define RtlImageNtHeader
Definition: compat.h:806
MAX_PATH
#define MAX_PATH
Definition: compat.h:34
RtlAppendUnicodeToString
NTSTATUS RtlAppendUnicodeToString(IN PUNICODE_STRING Str1, IN PWSTR Str2)
Definition: string_lib.cpp:62
EXCEPTION_EXECUTE_HANDLER
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:90
StringBuffer
WCHAR StringBuffer[156]
Definition: ldrinit.c:41
LdrLoadDll
NTSTATUS NTAPI DECLSPEC_HOTPATCH LdrLoadDll(_In_opt_ PWSTR SearchPath, _In_opt_ PULONG DllCharacteristics, _In_ PUNICODE_STRING DllName, _Out_ PVOID *BaseAddress)
Definition: ldrapi.c:312
DllPath
static const char const char * DllPath
Definition: image.c:34
AVrfpDebugPageHeapDestroy
static PVOID AVrfpDebugPageHeapDestroy(HANDLE HeapPtr)
Definition: verifier.c:541
AVrfpGetStackTraceAddress
static PVOID NTAPI AVrfpGetStackTraceAddress(ULONG Arg0)
Definition: verifier.c:515
AVrfpResnapInitialModules
VOID NTAPI AVrfpResnapInitialModules(VOID)
Definition: verifier.c:403
AVrfpDebugPageHeapCreate
static HANDLE NTAPI AVrfpDebugPageHeapCreate(ULONG Flags, PVOID Addr, SIZE_T TotalSize, SIZE_T CommitSize, PVOID Lock, PRTL_HEAP_PARAMETERS Parameters)
Definition: verifier.c:525
AVrfpChainDuplicateThunks
VOID NTAPI AVrfpChainDuplicateThunks(VOID)
Definition: verifier.c:477
LdrpCallInitRoutine
BOOLEAN NTAPI LdrpCallInitRoutine(IN PDLL_INIT_ROUTINE EntryPoint, IN PVOID BaseAddress, IN ULONG Reason, IN PVOID Context)
Definition: ldrutils.c:100
LdrpFetchAddressOfEntryPoint
PVOID NTAPI LdrpFetchAddressOfEntryPoint(PVOID ImageBase)
STATUS_INVALID_PARAMETER_4
#define STATUS_INVALID_PARAMETER_4
Definition: ntstatus.h:478
STATUS_PROCEDURE_NOT_FOUND
#define STATUS_PROCEDURE_NOT_FOUND
Definition: ntstatus.h:358
STATUS_DLL_INIT_FAILED
#define STATUS_DLL_INIT_FAILED
Definition: ntstatus.h:558
IMAGE_FILE_DLL
#define IMAGE_FILE_DLL
Definition: pedump.c:169
_SEH2_GetExceptionCode
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:181
_SEH2_EXCEPT
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:82
_SEH2_END
#define _SEH2_END
Definition: pseh2_64.h:171
_SEH2_TRY
#define _SEH2_TRY
Definition: pseh2_64.h:71
SharedUserData
#define SharedUserData
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65
_IMAGE_FILE_HEADER::Characteristics
WORD Characteristics
Definition: ntddk_ex.h:128
_IMAGE_NT_HEADERS
Definition: ntddk_ex.h:181
_IMAGE_NT_HEADERS::FileHeader
IMAGE_FILE_HEADER FileHeader
Definition: ntddk_ex.h:183
_RTL_VERIFIER_PROVIDER_DESCRIPTOR
Definition: verifier.h:23
_UNICODE_STRING
Definition: env_spec_w32.h:368
_UNICODE_STRING::Buffer
PWSTR Buffer
Definition: env_spec_w32.h:371
RTL_VRF_DBG_LISTPROVIDERS
#define RTL_VRF_DBG_LISTPROVIDERS
Definition: verifier.h:72
RTL_VRF_DBG_SHOWSNAPS
#define RTL_VRF_DBG_SHOWSNAPS
Definition: verifier.h:69
DLL_PROCESS_VERIFIER
#define DLL_PROCESS_VERIFIER
Definition: verifier.h:4
Descriptor
_Must_inspect_result_ _In_ WDFIORESLIST _In_ PIO_RESOURCE_DESCRIPTOR Descriptor
Definition: wdfresource.h:342

Referenced by AVrfInitializeVerifier().

◆ AVrfpResnapInitialModules()

VOID NTAPI AVrfpResnapInitialModules ( VOID  )

Definition at line 403 of file verifier.c.

404{
405 PLIST_ENTRY ListHead, ListEntry;
406
407 ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
408 for (ListEntry = ListHead->Flink; ListHead != ListEntry; ListEntry = ListEntry->Flink)
409 {
410 PLDR_DATA_TABLE_ENTRY LdrEntry;
411
412 LdrEntry = CONTAINING_RECORD(ListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
413
414 if (AVrfpIsVerifierProviderDll(LdrEntry->DllBase))
415 {
416 if (AVrfpDebug & RTL_VRF_DBG_SHOWSNAPS)
417 DbgPrint("AVRF: skipped resnapping provider %wZ ...\n", &LdrEntry->BaseDllName);
418 }
419 else
420 {
421 if (AVrfpDebug & RTL_VRF_DBG_SHOWSNAPS)
422 DbgPrint("AVRF: resnapping %wZ ...\n", &LdrEntry->BaseDllName);
423
424 AvrfpResolveThunks(LdrEntry);
425 }
426 }
427}
_LDR_DATA_TABLE_ENTRY
Definition: btrfs_drv.h:1876
_LDR_DATA_TABLE_ENTRY::DllBase
PVOID DllBase
Definition: btrfs_drv.h:1880

Referenced by AVrfpLoadAndInitializeProvider().

◆ AvrfpResolveThunks()

VOID AvrfpResolveThunks ( IN PLDR_DATA_TABLE_ENTRY  LdrEntry)

Definition at line 239 of file verifier.c.

240{
241 PLIST_ENTRY Entry;
242 PVERIFIER_PROVIDER Provider;
243
244 if (!AVrfpInitialized)
245 return;
246
247 for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
248 {
249 PRTL_VERIFIER_DLL_DESCRIPTOR DllDescriptor;
250
251 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
252
253 for (DllDescriptor = Provider->ProviderDlls; DllDescriptor && DllDescriptor->DllName; ++DllDescriptor)
254 {
255 PRTL_VERIFIER_THUNK_DESCRIPTOR ThunkDescriptor;
256
257 if ((DllDescriptor->DllFlags & VERIFIER_DLL_FLAGS_RESOLVED) ||
258 _wcsicmp(DllDescriptor->DllName, LdrEntry->BaseDllName.Buffer))
259 continue;
260
261 if (AVrfpDebug & RTL_VRF_DBG_SHOWVERIFIEDEXPORTS)
262 DbgPrint("AVRF: pid 0x%X: found dll descriptor for `%wZ' with verified exports\n",
263 NtCurrentTeb()->ClientId.UniqueProcess,
264 &LdrEntry->BaseDllName);
265
266 for (ThunkDescriptor = DllDescriptor->DllThunks; ThunkDescriptor && ThunkDescriptor->ThunkName; ++ThunkDescriptor)
267 {
268 if (!ThunkDescriptor->ThunkOldAddress)
269 {
270 ANSI_STRING ThunkName;
271
272 RtlInitAnsiString(&ThunkName, ThunkDescriptor->ThunkName);
273 /* We cannot call the public api, because that would run init routines! */
274 if (NT_SUCCESS(LdrpGetProcedureAddress(LdrEntry->DllBase, &ThunkName, 0, &ThunkDescriptor->ThunkOldAddress, FALSE)))
275 {
276 if (AVrfpDebug & RTL_VRF_DBG_SHOWFOUNDEXPORTS)
277 DbgPrint("AVRF: (%wZ) %Z export found.\n", &LdrEntry->BaseDllName, &ThunkName);
278 }
279 else
280 {
281 if (AVrfpDebug & RTL_VRF_DBG_SHOWFOUNDEXPORTS)
282 DbgPrint("AVRF: warning: did not find `%Z' export in %wZ.\n", &ThunkName, &LdrEntry->BaseDllName);
283 }
284 }
285 }
286
287 DllDescriptor->DllFlags |= VERIFIER_DLL_FLAGS_RESOLVED;
288 }
289 }
290
291 AVrfpSnapDllImports(LdrEntry);
292}
RtlInitAnsiString
NTSYSAPI VOID NTAPI RtlInitAnsiString(PANSI_STRING DestinationString, PCSZ SourceString)
VERIFIER_DLL_FLAGS_RESOLVED
#define VERIFIER_DLL_FLAGS_RESOLVED
Definition: verifier.c:28
AVrfpSnapDllImports
VOID AVrfpSnapDllImports(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
Definition: verifier.c:133
LdrpGetProcedureAddress
NTSTATUS NTAPI LdrpGetProcedureAddress(_In_ PVOID BaseAddress, _In_opt_ _When_(Ordinal==0, _Notnull_) PANSI_STRING Name, _In_opt_ _When_(Name==NULL, _In_range_(>, 0)) ULONG Ordinal, _Out_ PVOID *ProcedureAddress, _In_ BOOLEAN ExecuteInit)
Definition: ldrutils.c:2231
_ANSI_STRING
Definition: env_spec_w32.h:375
_RTL_VERIFIER_DLL_DESCRIPTOR::DllFlags
DWORD DllFlags
Definition: verifier.h:18
RTL_VRF_DBG_SHOWFOUNDEXPORTS
#define RTL_VRF_DBG_SHOWFOUNDEXPORTS
Definition: verifier.h:70
RTL_VRF_DBG_SHOWVERIFIEDEXPORTS
#define RTL_VRF_DBG_SHOWVERIFIEDEXPORTS
Definition: verifier.h:71

Referenced by AVrfDllLoadNotification(), and AVrfpResnapInitialModules().

◆ AVrfpSnapDllImports()

VOID AVrfpSnapDllImports ( IN PLDR_DATA_TABLE_ENTRY  LdrEntry)

Definition at line 133 of file verifier.c.

134{
135 ULONG Size;
136 PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor;
137 PBYTE DllBase = LdrEntry->DllBase;
138
139 ImportDescriptor = RtlImageDirectoryEntryToData(DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size);
140 if (!ImportDescriptor)
141 {
142 //SHIMENG_INFO("Skipping module 0x%p \"%wZ\" due to no iat found\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
143 return;
144 }
145
146 for (; ImportDescriptor->Name && ImportDescriptor->OriginalFirstThunk; ImportDescriptor++)
147 {
148 PIMAGE_THUNK_DATA FirstThunk;
149 PVOID UnprotectedPtr = NULL;
150 SIZE_T UnprotectedSize = 0;
151 ULONG OldProtection = 0;
152 FirstThunk = (PIMAGE_THUNK_DATA)(DllBase + ImportDescriptor->FirstThunk);
153
154 /* Walk all imports */
155 for (;FirstThunk->u1.Function; FirstThunk++)
156 {
157 PLIST_ENTRY Entry;
158 PVERIFIER_PROVIDER Provider;
159
160 for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
161 {
162 PRTL_VERIFIER_DLL_DESCRIPTOR DllDescriptor;
163
164 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
165 for (DllDescriptor = Provider->ProviderDlls; DllDescriptor && DllDescriptor->DllName; ++DllDescriptor)
166 {
167 PRTL_VERIFIER_THUNK_DESCRIPTOR ThunkDescriptor;
168
169 for (ThunkDescriptor = DllDescriptor->DllThunks; ThunkDescriptor && ThunkDescriptor->ThunkName; ++ThunkDescriptor)
170 {
171 /* Just compare function addresses, the loader will have handled forwarders and ordinals for us */
172 if ((PVOID)FirstThunk->u1.Function != ThunkDescriptor->ThunkOldAddress)
173 continue;
174
175 if (!UnprotectedPtr)
176 {
177 PVOID Ptr = &FirstThunk->u1.Function;
178 SIZE_T Size = sizeof(FirstThunk->u1.Function) * AVrfpCountThunks(FirstThunk);
179 NTSTATUS Status;
180
181 UnprotectedPtr = Ptr;
182 UnprotectedSize = Size;
183
184 Status = NtProtectVirtualMemory(NtCurrentProcess(),
185 &Ptr,
186 &Size,
187 PAGE_EXECUTE_READWRITE,
188 &OldProtection);
189
190 if (!NT_SUCCESS(Status))
191 {
192 DbgPrint("AVRF: Unable to unprotect IAT to modify thunks (status %08X).\n", Status);
193 UnprotectedPtr = NULL;
194 continue;
195 }
196 }
197
198 if (ThunkDescriptor->ThunkNewAddress == NULL)
199 {
200 DbgPrint("AVRF: internal error: New thunk for %s is null.\n", ThunkDescriptor->ThunkName);
201 continue;
202 }
203 FirstThunk->u1.Function = (SIZE_T)ThunkDescriptor->ThunkNewAddress;
204 if (AVrfpDebug & RTL_VRF_DBG_SHOWSNAPS)
205 DbgPrint("AVRF: Snapped (%wZ: %s) with (%wZ: %p).\n",
206 &LdrEntry->BaseDllName,
207 ThunkDescriptor->ThunkName,
208 &Provider->DllName,
209 ThunkDescriptor->ThunkNewAddress);
210 }
211 }
212 }
213 }
214
215 if (UnprotectedPtr)
216 {
217 PVOID Ptr = UnprotectedPtr;
218 SIZE_T Size = UnprotectedSize;
219 NTSTATUS Status;
220
221 UnprotectedPtr = Ptr;
222 UnprotectedSize = Size;
223
224 Status = NtProtectVirtualMemory(NtCurrentProcess(),
225 &Ptr,
226 &Size,
227 OldProtection,
228 &OldProtection);
229 if (!NT_SUCCESS(Status))
230 {
231 DbgPrint("AVRF: Unable to reprotect IAT to modify thunks (status %08X).\n", Status);
232 }
233 }
234 }
235}
RtlImageDirectoryEntryToData
#define RtlImageDirectoryEntryToData
Definition: compat.h:809
if
if(dx< 0)
Definition: linetemp.h:194
NtCurrentProcess
#define NtCurrentProcess()
Definition: nt_native.h:1657
PAGE_EXECUTE_READWRITE
#define PAGE_EXECUTE_READWRITE
Definition: nt_native.h:1308
AVrfpCountThunks
SIZE_T AVrfpCountThunks(PIMAGE_THUNK_DATA Thunk)
Definition: verifier.c:124
PIMAGE_THUNK_DATA
PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA
Definition: ntimage.h:566
NtProtectVirtualMemory
NTSTATUS NTAPI NtProtectVirtualMemory(IN HANDLE ProcessHandle, IN OUT PVOID *UnsafeBaseAddress, IN OUT SIZE_T *UnsafeNumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG UnsafeOldAccessProtection)
Definition: virtual.c:3111
IMAGE_DIRECTORY_ENTRY_IMPORT
#define IMAGE_DIRECTORY_ENTRY_IMPORT
Definition: pedump.c:260
PBYTE
BYTE * PBYTE
Definition: pedump.c:66
_IMAGE_IMPORT_DESCRIPTOR
Definition: ntimage.h:572
_IMAGE_IMPORT_DESCRIPTOR::FirstThunk
ULONG FirstThunk
Definition: ntimage.h:580
_IMAGE_IMPORT_DESCRIPTOR::Name
ULONG Name
Definition: ntimage.h:579
_IMAGE_IMPORT_DESCRIPTOR::OriginalFirstThunk
ULONG OriginalFirstThunk
Definition: ntimage.h:575
_IMAGE_THUNK_DATA32
Definition: ntimage.h:510
_IMAGE_THUNK_DATA32::Function
ULONG Function
Definition: ntimage.h:513
_IMAGE_THUNK_DATA32::u1
union _IMAGE_THUNK_DATA32::@2218 u1
ULONG
uint32_t ULONG
Definition: typedefs.h:59
Size
_Must_inspect_result_ _In_ WDFDEVICE _In_ PWDF_DEVICE_PROPERTY_DATA _In_ DEVPROPTYPE _In_ ULONG Size
Definition: wdfdevice.h:4533

Referenced by AvrfpResolveThunks().

◆ AVrfReadIFEO()

VOID NTAPI AVrfReadIFEO ( HANDLE  KeyHandle)

Definition at line 50 of file verifier.c.

51{
52 NTSTATUS Status;
53
54 Status = LdrQueryImageFileKeyOption(KeyHandle,
55 L"VerifierDlls",
56 REG_SZ,
57 AVrfpVerifierDllsString,
58 sizeof(AVrfpVerifierDllsString) - sizeof(WCHAR),
59 NULL);
60
61 if (!NT_SUCCESS(Status))
62 AVrfpVerifierDllsString[0] = UNICODE_NULL;
63
64 Status = LdrQueryImageFileKeyOption(KeyHandle,
65 L"VerifierFlags",
66 REG_DWORD,
67 &AVrfpVerifierFlags,
68 sizeof(AVrfpVerifierFlags),
69 NULL);
70 if (!NT_SUCCESS(Status))
71 AVrfpVerifierFlags = RTL_VRF_FLG_HANDLE_CHECKS | RTL_VRF_FLG_FAST_FILL_HEAP | RTL_VRF_FLG_LOCK_CHECKS;
72
73 Status = LdrQueryImageFileKeyOption(KeyHandle,
74 L"VerifierDebug",
75 REG_DWORD,
76 &AVrfpDebug,
77 sizeof(AVrfpDebug),
78 NULL);
79 if (!NT_SUCCESS(Status))
80 AVrfpDebug = 0;
81}
REG_SZ
#define REG_SZ
Definition: layer.c:22
LdrQueryImageFileKeyOption
NTSTATUS NTAPI LdrQueryImageFileKeyOption(_In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _In_ ULONG Type, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ReturnedLength)
Definition: ldrinit.c:184
KeyHandle
_Must_inspect_result_ _Out_ PNDIS_STATUS _In_ NDIS_HANDLE _In_ ULONG _Out_ PNDIS_STRING _Out_ PNDIS_HANDLE KeyHandle
Definition: ndis.h:4715
UNICODE_NULL
#define UNICODE_NULL
REG_DWORD
#define REG_DWORD
Definition: sdbapi.c:596
RTL_VRF_FLG_HANDLE_CHECKS
#define RTL_VRF_FLG_HANDLE_CHECKS
Definition: verifier.h:47
RTL_VRF_FLG_LOCK_CHECKS
#define RTL_VRF_FLG_LOCK_CHECKS
Definition: verifier.h:64
RTL_VRF_FLG_FAST_FILL_HEAP
#define RTL_VRF_FLG_FAST_FILL_HEAP
Definition: verifier.h:60

Referenced by LdrpInitializeApplicationVerifierPackage().

◆ LdrpInitializeApplicationVerifierPackage()

NTSTATUS NTAPI LdrpInitializeApplicationVerifierPackage ( HANDLE  KeyHandle,
PPEB  Peb,
BOOLEAN  SystemWide,
BOOLEAN  ReadAdvancedOptions 
)

Definition at line 86 of file verifier.c.

87{
88 /* If global flags request DPH, perform some additional actions */
89 if (Peb->NtGlobalFlag & FLG_HEAP_PAGE_ALLOCS)
90 {
91 // TODO: Read advanced DPH flags from the registry if requested
92 if (ReadAdvancedOptions)
93 {
94 UNIMPLEMENTED;
95 }
96
97 /* Enable page heap */
98 RtlpPageHeapEnabled = TRUE;
99 }
100
101 AVrfReadIFEO(KeyHandle);
102
103 return STATUS_SUCCESS;
104}
Peb
PPEB Peb
Definition: dllmain.c:27
FLG_HEAP_PAGE_ALLOCS
#define FLG_HEAP_PAGE_ALLOCS
Definition: pstypes.h:84
AVrfReadIFEO
VOID NTAPI AVrfReadIFEO(HANDLE KeyHandle)
Definition: verifier.c:50
RtlpPageHeapEnabled
BOOLEAN RtlpPageHeapEnabled
Definition: heappage.c:107
_PEB::NtGlobalFlag
ULONG NtGlobalFlag
Definition: ntddk_ex.h:270

◆ RtlpPageHeapCreate()

HANDLE NTAPI RtlpPageHeapCreate ( ULONG  Flags,
PVOID  Addr,
SIZE_T  TotalSize,
SIZE_T  CommitSize,
PVOID  Lock,
PRTL_HEAP_PARAMETERS  Parameters 
)

Definition at line 1537 of file heappage.c.

1543{
1544 PVOID Base = NULL;
1545 PHEAP HeapPtr;
1546 PDPH_HEAP_ROOT DphRoot;
1547 PDPH_HEAP_BLOCK DphNode;
1548 ULONG MemSize;
1549 NTSTATUS Status;
1550 LARGE_INTEGER PerfCounter;
1551
1552 /* Check for a DPH bypass flag */
1553 if ((ULONG_PTR)Parameters == -1) return NULL;
1554
1555 /* Make sure no user-allocated stuff was provided */
1556 if (Addr || Lock) return NULL;
1557
1558 /* Allocate minimum amount of virtual memory */
1559 MemSize = DPH_RESERVE_SIZE;
1560 Status = RtlpDphAllocateVm(&Base, MemSize, MEM_COMMIT, PAGE_NOACCESS);
1561 if (!NT_SUCCESS(Status))
1562 {
1563 ASSERT(FALSE);
1564 return NULL;
1565 }
1566
1567 /* Set protection */
1568 Status = RtlpDphProtectVm(Base, 2*PAGE_SIZE + DPH_POOL_SIZE, PAGE_READWRITE);
1569 if (!NT_SUCCESS(Status))
1570 {
1571 //RtlpDphFreeVm(Base, 0, 0, 0);
1572 ASSERT(FALSE);
1573 return NULL;
1574 }
1575
1576 /* Start preparing the 1st page. Fill it with the default filler */
1577 RtlFillMemoryUlong(Base, PAGE_SIZE, DPH_FILL);
1578
1579 /* Set flags in the "HEAP" structure */
1580 HeapPtr = (PHEAP)Base;
1581 HeapPtr->Flags = Flags | HEAP_FLAG_PAGE_ALLOCS;
1582 HeapPtr->ForceFlags = Flags | HEAP_FLAG_PAGE_ALLOCS;
1583
1584 /* Set 1st page to read only now */
1585 Status = RtlpDphProtectVm(Base, PAGE_SIZE, PAGE_READONLY);
1586 if (!NT_SUCCESS(Status))
1587 {
1588 ASSERT(FALSE);
1589 return NULL;
1590 }
1591
1592 /* 2nd page is the real DPH root block */
1593 DphRoot = (PDPH_HEAP_ROOT)((PCHAR)Base + PAGE_SIZE);
1594
1595 /* Initialize the DPH root */
1596 DphRoot->Signature = DPH_SIGNATURE;
1597 DphRoot->HeapFlags = Flags;
1598 DphRoot->HeapCritSect = (PHEAP_LOCK)((PCHAR)DphRoot + DPH_POOL_SIZE);
1599 DphRoot->ExtraFlags = RtlpDphGlobalFlags;
1600
1601 ZwQueryPerformanceCounter(&PerfCounter, NULL);
1602 DphRoot->Seed = PerfCounter.LowPart;
1603
1604 RtlInitializeHeapLock(&DphRoot->HeapCritSect);
1605 InitializeListHead(&DphRoot->AvailableAllocationHead);
1606
1607 /* Create a normal heap for this paged heap */
1608 DphRoot->NormalHeap = RtlCreateHeap(Flags, NULL, TotalSize, CommitSize, NULL, (PRTL_HEAP_PARAMETERS)-1);
1609 if (!DphRoot->NormalHeap)
1610 {
1611 ASSERT(FALSE);
1612 return NULL;
1613 }
1614
1615 /* 3rd page: a pool for DPH allocations */
1616 RtlpDphAddNewPool(DphRoot, NULL, DphRoot + 1, DPH_POOL_SIZE - sizeof(DPH_HEAP_ROOT), FALSE);
1617
1618 /* Allocate internal heap blocks. For the root */
1619 DphNode = RtlpDphAllocateNode(DphRoot);
1620 ASSERT(DphNode != NULL);
1621 DphNode->pVirtualBlock = (PUCHAR)DphRoot;
1622 DphNode->nVirtualBlockSize = DPH_POOL_SIZE;
1623 RtlpDphPlaceOnPoolList(DphRoot, DphNode);
1624
1625 /* For the memory we allocated as a whole */
1626 DphNode = RtlpDphAllocateNode(DphRoot);
1627 ASSERT(DphNode != NULL);
1628 DphNode->pVirtualBlock = Base;
1629 DphNode->nVirtualBlockSize = MemSize;
1630 RtlpDphPlaceOnVirtualList(DphRoot, DphNode);
1631
1632 /* For the remaining part */
1633 DphNode = RtlpDphAllocateNode(DphRoot);
1634 ASSERT(DphNode != NULL);
1635 DphNode->pVirtualBlock = (PUCHAR)Base + 2*PAGE_SIZE + DPH_POOL_SIZE;
1636 DphNode->nVirtualBlockSize = MemSize - (2*PAGE_SIZE + DPH_POOL_SIZE);
1637 RtlpDphCoalesceNodeIntoAvailable(DphRoot, DphNode);
1638
1639 //DphRoot->CreateStackTrace = RtlpDphLogStackTrace(1);
1640
1641 /* Initialize AVL-based busy nodes table */
1642 RtlInitializeGenericTableAvl(&DphRoot->BusyNodesTable,
1643 RtlpDphCompareNodeForTable,
1644 RtlpDphAllocateNodeForTable,
1645 RtlpDphFreeNodeForTable,
1646 NULL);
1647
1648 /* Initialize per-process startup info */
1649 if (!RtlpDphPageHeapListInitialized) RtlpDphProcessStartupInitialization();
1650
1651 /* Acquire the heap list lock */
1652 RtlEnterHeapLock(RtlpDphPageHeapListLock, TRUE);
1653
1654 /* Insert this heap to the tail of the global list */
1655 InsertTailList(&RtlpDphPageHeapList, &DphRoot->NextHeap);
1656
1657 /* Note we increased the size of the list */
1658 RtlpDphPageHeapListLength++;
1659
1660 /* Release the heap list lock */
1661 RtlLeaveHeapLock(RtlpDphPageHeapListLock);
1662
1663 if (RtlpDphDebugOptions & DPH_DEBUG_VERBOSE)
1664 {
1665 DPRINT1("Page heap: process 0x%p created heap @ %p (%p, flags 0x%X)\n",
1666 NtCurrentTeb()->ClientId.UniqueProcess, (PUCHAR)DphRoot - PAGE_SIZE,
1667 DphRoot->NormalHeap, DphRoot->ExtraFlags);
1668 }
1669
1670 /* Perform internal validation if required */
1671 if (RtlpDphDebugOptions & DPH_DEBUG_INTERNAL_VALIDATE)
1672 RtlpDphInternalValidatePageHeap(DphRoot, NULL, 0);
1673
1674 return (PUCHAR)DphRoot - PAGE_SIZE;
1675}
RtlInitializeGenericTableAvl
VOID NTAPI RtlInitializeGenericTableAvl(IN OUT PRTL_AVL_TABLE Table, IN PRTL_AVL_COMPARE_ROUTINE CompareRoutine, IN PRTL_AVL_ALLOCATE_ROUTINE AllocateRoutine, IN PRTL_AVL_FREE_ROUTINE FreeRoutine, IN PVOID TableContext)
Definition: avltable.c:26
DPRINT1
#define DPRINT1
Definition: precomp.h:8
PHEAP
struct _HEAP * PHEAP
RtlInitializeHeapLock
NTSTATUS NTAPI RtlInitializeHeapLock(IN OUT PHEAP_LOCK *Lock)
Definition: libsupp.c:128
RtlEnterHeapLock
NTSTATUS NTAPI RtlEnterHeapLock(IN OUT PHEAP_LOCK Lock, IN BOOLEAN Exclusive)
Definition: libsupp.c:110
RtlLeaveHeapLock
NTSTATUS NTAPI RtlLeaveHeapLock(IN OUT PHEAP_LOCK Lock)
Definition: libsupp.c:135
PAGE_READONLY
#define PAGE_READONLY
Definition: compat.h:138
PAGE_SIZE
#define PAGE_SIZE
Definition: env_spec_w32.h:49
RtlpDphPlaceOnPoolList
VOID NTAPI RtlpDphPlaceOnPoolList(PDPH_HEAP_ROOT DphRoot, PDPH_HEAP_BLOCK Node)
Definition: heappage.c:515
RtlpDphPageHeapListLock
PHEAP_LOCK RtlpDphPageHeapListLock
Definition: heappage.c:116
RtlpDphGlobalFlags
ULONG RtlpDphGlobalFlags
Definition: heappage.c:108
RtlpDphPageHeapList
LIST_ENTRY RtlpDphPageHeapList
Definition: heappage.c:113
RtlpDphFreeNodeForTable
VOID NTAPI RtlpDphFreeNodeForTable(IN PRTL_AVL_TABLE Table, IN PVOID Buffer)
Definition: heappage.c:1227
RtlpDphProtectVm
NTSTATUS NTAPI RtlpDphProtectVm(PVOID Base, SIZE_T Size, ULONG Protection)
Definition: heappage.c:421
RtlpDphPageHeapListInitialized
BOOLEAN RtlpDphPageHeapListInitialized
Definition: heappage.c:114
RtlpDphAllocateNode
PDPH_HEAP_BLOCK NTAPI RtlpDphAllocateNode(PDPH_HEAP_ROOT DphRoot)
Definition: heappage.c:1018
DPH_RESERVE_SIZE
#define DPH_RESERVE_SIZE
Definition: heappage.c:134
RtlpDphInternalValidatePageHeap
VOID NTAPI RtlpDphInternalValidatePageHeap(PDPH_HEAP_ROOT DphRoot, PVOID Address, ULONG Value)
Definition: heappage.c:1318
RtlpDphAddNewPool
VOID NTAPI RtlpDphAddNewPool(PDPH_HEAP_ROOT DphRoot, PDPH_HEAP_BLOCK NodeBlock, PVOID Virtual, SIZE_T Size, BOOLEAN PlaceOnPool)
Definition: heappage.c:829
RtlpDphCoalesceNodeIntoAvailable
VOID NTAPI RtlpDphCoalesceNodeIntoAvailable(PDPH_HEAP_ROOT DphRoot, PDPH_HEAP_BLOCK Node)
Definition: heappage.c:684
DPH_FILL
#define DPH_FILL
Definition: heappage.c:155
RtlpDphPageHeapListLength
ULONG RtlpDphPageHeapListLength
Definition: heappage.c:117
RtlpDphAllocateNodeForTable
PVOID NTAPI RtlpDphAllocateNodeForTable(IN PRTL_AVL_TABLE Table, IN CLONG ByteSize)
Definition: heappage.c:1206
DPH_DEBUG_INTERNAL_VALIDATE
#define DPH_DEBUG_INTERNAL_VALIDATE
Definition: heappage.c:147
RtlpDphProcessStartupInitialization
NTSTATUS NTAPI RtlpDphProcessStartupInitialization(VOID)
Definition: heappage.c:1496
DPH_DEBUG_VERBOSE
#define DPH_DEBUG_VERBOSE
Definition: heappage.c:148
PDPH_HEAP_ROOT
struct _DPH_HEAP_ROOT * PDPH_HEAP_ROOT
RtlpDphCompareNodeForTable
RTL_GENERIC_COMPARE_RESULTS NTAPI RtlpDphCompareNodeForTable(IN PRTL_AVL_TABLE Table, IN PVOID FirstStruct, IN PVOID SecondStruct)
Definition: heappage.c:1187
DPH_POOL_SIZE
#define DPH_POOL_SIZE
Definition: heappage.c:135
DPH_SIGNATURE
#define DPH_SIGNATURE
Definition: heappage.c:176
RtlpDphDebugOptions
ULONG RtlpDphDebugOptions
Definition: heappage.c:185
RtlpDphAllocateVm
NTSTATUS NTAPI RtlpDphAllocateVm(PVOID *Base, SIZE_T Size, ULONG Type, ULONG Protection)
Definition: heappage.c:346
RtlpDphPlaceOnVirtualList
VOID NTAPI RtlpDphPlaceOnVirtualList(PDPH_HEAP_ROOT DphRoot, PDPH_HEAP_BLOCK Node)
Definition: heappage.c:535
RtlFillMemoryUlong
#define RtlFillMemoryUlong(dst, len, val)
Definition: mkhive.h:55
ASSERT
#define ASSERT(a)
Definition: mode.c:44
ZwQueryPerformanceCounter
NTSYSAPI NTSTATUS NTAPI ZwQueryPerformanceCounter(_Out_ PLARGE_INTEGER Counter, _Out_opt_ PLARGE_INTEGER Frequency)
Base
_In_opt_ ULONG Base
Definition: rtlfuncs.h:2478
PHEAP_LOCK
struct _HEAP_LOCK * PHEAP_LOCK
HEAP_FLAG_PAGE_ALLOCS
#define HEAP_FLAG_PAGE_ALLOCS
Definition: rtltypes.h:160
PAGE_READWRITE
#define PAGE_READWRITE
Definition: nt_native.h:1304
RtlCreateHeap
NTSYSAPI PVOID NTAPI RtlCreateHeap(IN ULONG Flags, IN PVOID HeapBase OPTIONAL, IN ULONG ReserveSize OPTIONAL, IN ULONG CommitSize OPTIONAL, IN PVOID Lock OPTIONAL, IN PRTL_HEAP_PARAMETERS Parameters OPTIONAL)
MEM_COMMIT
#define MEM_COMMIT
Definition: nt_native.h:1313
PAGE_NOACCESS
#define PAGE_NOACCESS
Definition: nt_native.h:1302
_DPH_HEAP_BLOCK
Definition: heappage.c:42
_DPH_HEAP_BLOCK::pVirtualBlock
PUCHAR pVirtualBlock
Definition: heappage.c:50
_DPH_HEAP_BLOCK::nVirtualBlockSize
SIZE_T nVirtualBlockSize
Definition: heappage.c:51
_DPH_HEAP_ROOT
Definition: heappage.c:63
_DPH_HEAP_ROOT::HeapCritSect
PHEAP_LOCK HeapCritSect
Definition: heappage.c:66
_DPH_HEAP_ROOT::Seed
ULONG Seed
Definition: heappage.c:99
_DPH_HEAP_ROOT::NextHeap
LIST_ENTRY NextHeap
Definition: heappage.c:97
_DPH_HEAP_ROOT::AvailableAllocationHead
LIST_ENTRY AvailableAllocationHead
Definition: heappage.c:84
_DPH_HEAP_ROOT::ExtraFlags
ULONG ExtraFlags
Definition: heappage.c:98
_DPH_HEAP_ROOT::Signature
ULONG Signature
Definition: heappage.c:64
_DPH_HEAP_ROOT::HeapFlags
ULONG HeapFlags
Definition: heappage.c:65
_DPH_HEAP_ROOT::NormalHeap
PVOID NormalHeap
Definition: heappage.c:100
_DPH_HEAP_ROOT::BusyNodesTable
RTL_AVL_TABLE BusyNodesTable
Definition: heappage.c:74
_HEAP
Definition: heap.c:52
_HEAP::Flags
ULONG Flags
Definition: heap.h:226
_HEAP::ForceFlags
ULONG ForceFlags
Definition: heap.h:227
_RTL_HEAP_PARAMETERS
Definition: nt_native.h:1666
ULONG_PTR
uint32_t ULONG_PTR
Definition: typedefs.h:65
PUCHAR
unsigned char * PUCHAR
Definition: typedefs.h:53
PCHAR
char * PCHAR
Definition: typedefs.h:51
_LARGE_INTEGER
Definition: typedefs.h:103
_LARGE_INTEGER::LowPart
ULONG LowPart
Definition: typedefs.h:106

Referenced by AVrfpDebugPageHeapCreate(), and RtlCreateHeap().

◆ RtlpPageHeapDestroy()

PVOID NTAPI RtlpPageHeapDestroy ( HANDLE  HeapPtr)

Definition at line 1678 of file heappage.c.

1679{
1680 PDPH_HEAP_ROOT DphRoot;
1681 PVOID Ptr;
1682 PDPH_HEAP_BLOCK Node, Next;
1683 PHEAP NormalHeap;
1684 ULONG Value;
1685
1686 /* Check if it's not a process heap */
1687 if (HeapPtr == RtlGetProcessHeap())
1688 {
1689 VERIFIER_STOP(APPLICATION_VERIFIER_DESTROY_PROCESS_HEAP,
1690 "attempt to destroy process heap",
1691 HeapPtr, "Heap handle",
1692 0, "",
1693 0, "",
1694 0, "");
1695 return NULL;
1696 }
1697
1698 /* Get pointer to the heap root */
1699 DphRoot = RtlpDphPointerFromHandle(HeapPtr);
1700 if (!DphRoot) return NULL;
1701
1702 RtlpDphPreProcessing(DphRoot, DphRoot->HeapFlags);
1703
1704 /* Get the pointer to the normal heap */
1705 NormalHeap = DphRoot->NormalHeap;
1706
1707 /* Free the delayed-free blocks */
1708 RtlpDphFreeDelayedBlocksFromHeap(DphRoot, NormalHeap);
1709
1710 /* Go through the busy blocks */
1711 Ptr = RtlEnumerateGenericTableAvl(&DphRoot->BusyNodesTable, TRUE);
1712
1713 while (Ptr)
1714 {
1715 Node = CONTAINING_RECORD(Ptr, DPH_HEAP_BLOCK, pUserAllocation);
1716 if (!(DphRoot->ExtraFlags & DPH_EXTRA_CHECK_UNDERRUN))
1717 {
1718 if (!RtlpDphIsPageHeapBlock(DphRoot, Node->pUserAllocation, &Value, TRUE))
1719 {
1720 RtlpDphReportCorruptedBlock(DphRoot, 3, Node->pUserAllocation, Value);
1721 }
1722 }
1723
1724 AVrfInternalHeapFreeNotification(Node->pUserAllocation, Node->nUserRequestedSize);
1725
1726 /* Go to the next node */
1727 Ptr = RtlEnumerateGenericTableAvl(&DphRoot->BusyNodesTable, FALSE);
1728 }
1729
1730 /* Acquire the global heap list lock */
1731 RtlEnterHeapLock(RtlpDphPageHeapListLock, TRUE);
1732
1733 /* Remove the entry and decrement the global counter */
1734 RemoveEntryList(&DphRoot->NextHeap);
1735 RtlpDphPageHeapListLength--;
1736
1737 /* Release the global heap list lock */
1738 RtlLeaveHeapLock(RtlpDphPageHeapListLock);
1739
1740 /* Leave and delete this heap's critical section */
1741 RtlLeaveHeapLock(DphRoot->HeapCritSect);
1742 RtlDeleteHeapLock(DphRoot->HeapCritSect);
1743
1744 /* Now go through all virtual list nodes and release the VM */
1745 Node = DphRoot->pVirtualStorageListHead;
1746 while (Node)
1747 {
1748 Next = Node->pNextAlloc;
1749 /* Release the memory without checking result */
1750 RtlpDphFreeVm(Node->pVirtualBlock, 0, MEM_RELEASE);
1751 Node = Next;
1752 }
1753
1754 /* Destroy the normal heap */
1755 RtlDestroyHeap(NormalHeap);
1756
1757 /* Report success */
1758 if (RtlpDphDebugOptions & DPH_DEBUG_VERBOSE)
1759 DPRINT1("Page heap: process 0x%p destroyed heap @ %p (%p)\n",
1760 NtCurrentTeb()->ClientId.UniqueProcess, HeapPtr, NormalHeap);
1761
1762 return NULL;
1763}
RtlDeleteHeapLock
NTSTATUS NTAPI RtlDeleteHeapLock(IN OUT PHEAP_LOCK Lock)
Definition: libsupp.c:103
Node
union node Node
Definition: types.h:1255
RtlpDphFreeVm
NTSTATUS NTAPI RtlpDphFreeVm(PVOID Base, SIZE_T Size, ULONG Type)
Definition: heappage.c:385
RtlpDphPreProcessing
VOID NTAPI RtlpDphPreProcessing(PDPH_HEAP_ROOT DphRoot, ULONG Flags)
Definition: heappage.c:301
AVrfInternalHeapFreeNotification
VOID NTAPI AVrfInternalHeapFreeNotification(PVOID AllocationBase, SIZE_T AllocationSize)
Definition: verifier.c:364
DPH_EXTRA_CHECK_UNDERRUN
#define DPH_EXTRA_CHECK_UNDERRUN
Definition: heappage.c:152
RtlpDphPointerFromHandle
PVOID NTAPI RtlpDphPointerFromHandle(PVOID Handle)
Definition: heappage.c:227
RtlpDphIsPageHeapBlock
BOOLEAN NTAPI RtlpDphIsPageHeapBlock(PDPH_HEAP_ROOT DphRoot, PVOID Block, PULONG ValidationInformation, BOOLEAN CheckFillers)
Definition: heappage.c:1421
RtlpDphFreeDelayedBlocksFromHeap
VOID NTAPI RtlpDphFreeDelayedBlocksFromHeap(PDPH_HEAP_ROOT DphRoot, PHEAP NormalHeap)
Definition: heappage.c:1258
RtlpDphReportCorruptedBlock
VOID NTAPI RtlpDphReportCorruptedBlock(_In_ PDPH_HEAP_ROOT DphRoot, _In_ ULONG Reserved, _In_ PVOID Block, _In_ ULONG ValidationInfo)
Definition: heappage.c:1330
RtlDestroyHeap
NTSYSAPI PVOID NTAPI RtlDestroyHeap(IN PVOID HeapHandle)
MEM_RELEASE
#define MEM_RELEASE
Definition: nt_native.h:1316
_DPH_HEAP_ROOT::pVirtualStorageListHead
PDPH_HEAP_BLOCK pVirtualStorageListHead
Definition: heappage.c:69
node
Definition: dlist.c:348
VERIFIER_STOP
#define VERIFIER_STOP(Code, Msg, Val1, Desc1, Val2, Desc2, Val3, Desc3, Val4, Desc4)
Definition: verifier.h:171
APPLICATION_VERIFIER_DESTROY_PROCESS_HEAP
#define APPLICATION_VERIFIER_DESTROY_PROCESS_HEAP
Definition: verifier.h:102
Value
_Must_inspect_result_ _In_ WDFKEY _In_ PCUNICODE_STRING _Out_opt_ PUSHORT _Inout_opt_ PUNICODE_STRING Value
Definition: wdfregistry.h:413
RtlEnumerateGenericTableAvl
_Must_inspect_result_ NTSYSAPI PVOID NTAPI RtlEnumerateGenericTableAvl(_In_ PRTL_AVL_TABLE Table, _In_ BOOLEAN Restart)

Referenced by AVrfpDebugPageHeapDestroy(), and RtlDestroyHeap().

Variable Documentation

◆ AVrfpDebug

ULONG AVrfpDebug = 0

Definition at line 23 of file verifier.c.

Referenced by AVrfpChainDuplicateThunks(), AvrfpFindDuplicateThunk(), AVrfpLoadAndInitializeProvider(), AVrfpResnapInitialModules(), AvrfpResolveThunks(), AVrfpSnapDllImports(), and AVrfReadIFEO().

◆ AVrfpInitialized

BOOL AVrfpInitialized = FALSE

Definition at line 24 of file verifier.c.

Referenced by AVrfDllUnloadNotification(), AVrfInternalHeapFreeNotification(), AVrfpLoadAndInitializeProvider(), and AvrfpResolveThunks().

◆ AVrfpVerifierDllsString

WCHAR AVrfpVerifierDllsString[256] = { 0 }

Definition at line 22 of file verifier.c.

Referenced by AVrfInitializeVerifier(), and AVrfReadIFEO().

◆ AVrfpVerifierFlags

ULONG AVrfpVerifierFlags = 0

Definition at line 21 of file verifier.c.

Referenced by AVrfInitializeVerifier(), AVrfpLoadAndInitializeProvider(), and AVrfReadIFEO().

◆ AVrfpVerifierLock

RTL_CRITICAL_SECTION AVrfpVerifierLock

Definition at line 25 of file verifier.c.

Referenced by AVrfDllLoadNotification(), AVrfDllUnloadNotification(), AVrfInitializeVerifier(), and AVrfInternalHeapFreeNotification().

◆ AVrfpVerifierProvidersList

LIST_ENTRY AVrfpVerifierProvidersList

Definition at line 26 of file verifier.c.

Referenced by AVrfDllLoadNotification(), AVrfDllUnloadNotification(), AVrfInitializeVerifier(), AVrfInternalHeapFreeNotification(), AVrfpChainDuplicateThunks(), AvrfpFindDuplicateThunk(), AVrfpIsVerifierProviderDll(), AvrfpResolveThunks(), and AVrfpSnapDllImports().

◆ LdrpImageEntry

PLDR_DATA_TABLE_ENTRY LdrpImageEntry
extern

Definition at line 39 of file ldrinit.c.

Referenced by AVrfInitializeVerifier(), AVrfpLoadAndInitializeProvider(), LdrpInitializeProcess(), LdrpInitializeThread(), LdrpRunInitializeRoutines(), LdrShutdownProcess(), and LdrShutdownThread().