24#define VERIFIER_DLL_FLAGS_RESOLVED 1
88 if (ReadAdvancedOptions)
133 PBYTE DllBase = LdrEntry->DllBase;
136 if (!ImportDescriptor)
146 SIZE_T UnprotectedSize = 0;
147 ULONG OldProtection = 0;
161 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
165 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
177 UnprotectedPtr =
Ptr;
178 UnprotectedSize =
Size;
188 DbgPrint(
"AVRF: Unable to unprotect IAT to modify thunks (status %08X).\n",
Status);
189 UnprotectedPtr =
NULL;
196 DbgPrint(
"AVRF: internal error: New thunk for %s is null.\n", ThunkDescriptor->
ThunkName);
201 DbgPrint(
"AVRF: Snapped (%wZ: %s) with (%wZ: %p).\n",
202 &LdrEntry->BaseDllName,
217 UnprotectedPtr =
Ptr;
218 UnprotectedSize =
Size;
227 DbgPrint(
"AVRF: Unable to reprotect IAT to modify thunks (status %08X).\n",
Status);
249 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
258 DbgPrint(
"AVRF: pid 0x%X: found dll descriptor for `%wZ' with verified exports\n",
260 &LdrEntry->BaseDllName);
262 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
273 DbgPrint(
"AVRF: (%wZ) %Z export found.\n", &LdrEntry->BaseDllName, &ThunkName);
278 DbgPrint(
"AVRF: warning: did not find `%Z' export in %wZ.\n", &ThunkName, &LdrEntry->BaseDllName);
313 ProviderDllLoadCallback =
Provider->ProviderDllLoadCallback;
314 if (ProviderDllLoadCallback)
316 ProviderDllLoadCallback(LdrEntry->BaseDllName.Buffer,
318 LdrEntry->SizeOfImage,
345 ProviderDllUnloadCallback =
Provider->ProviderDllUnloadCallback;
346 if (ProviderDllUnloadCallback)
348 ProviderDllUnloadCallback(LdrEntry->BaseDllName.Buffer,
350 LdrEntry->SizeOfImage,
379 for (ListEntry = ListHead->
Flink; ListHead != ListEntry; ListEntry = ListEntry->
Flink)
416 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
426 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
429 DbgPrint(
"AVRF: chain: thunk: %s == %s ?\n", ThunkDescriptor->
ThunkName, ThunkName);
434 DbgPrint(
"AVRF: Found duplicate for (%ws: %s) in %wZ\n",
460 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
462 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
467 DbgPrint(
"AVRF: Checking %wZ for duplicate (%ws: %s)\n",
503 DbgPrint(
"AVRF: %wZ: failed to load provider `%wZ' (status %08X) from %wZ\n",
523 DbgPrint(
"AVRF: cannot find an entry point for provider %wZ\n", &
Provider->DllName);
548 DPRINT1(
"AVRF: RtlpGetStackTraceAddress MISSING\n");
549 DPRINT1(
"AVRF: RtlpDebugPageHeapCreate MISSING\n");
550 DPRINT1(
"AVRF: RtlpDebugPageHeapDestroy MISSING\n");
564 DbgPrint(
"AVRF: provider %wZ did not initialize correctly\n", &
Provider->DllName);
595 DbgPrint(
"AVRF: provider %wZ did not initialize correctly\n", &
Provider->DllName);
625 DbgPrint(
"AVRF: %wZ: pid 0x%X: flags 0x%X: application verifier enabled\n",
639 while (*Next ==
L' ' || *Next ==
L'\t')
644 while (*Next !=
' ' && *Next !=
'\t' && *Next)
678 DbgPrint(
"AVRF: %wZ: pid 0x%X: application verifier will be disabled due to an initialization error.\n",
680 NtCurrentPeb()->NtGlobalFlag &= ~FLG_APPLICATION_VERIFIER;
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
PIMAGE_NT_HEADERS WINAPI ImageNtHeader(_In_ PVOID)
#define NT_SUCCESS(StatCode)
#define DLL_PROCESS_ATTACH
#define RtlImageDirectoryEntryToData
#define RemoveEntryList(Entry)
#define InsertTailList(ListHead, Entry)
NTSTATUS RtlAppendUnicodeToString(IN PUNICODE_STRING Str1, IN PWSTR Str2)
#define InitializeListHead(ListHead)
_Must_inspect_result_ _In_ PFSRTL_PER_STREAM_CONTEXT Ptr
#define FLG_HEAP_PAGE_ALLOCS
#define FLG_APPLICATION_VERIFIER
#define EXCEPTION_EXECUTE_HANDLER
NTSTATUS NTAPI DECLSPEC_HOTPATCH LdrLoadDll(_In_opt_ PWSTR SearchPath, _In_opt_ PULONG DllCharacteristics, _In_ PUNICODE_STRING DllName, _Out_ PVOID *BaseAddress)
NTSTATUS NTAPI LdrQueryImageFileKeyOption(_In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _In_ ULONG Type, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ReturnedLength)
static const char const char * DllPath
_Must_inspect_result_ _Out_ PNDIS_STATUS _In_ NDIS_HANDLE _In_ ULONG _Out_ PNDIS_STRING _Out_ PNDIS_HANDLE KeyHandle
_In_ HANDLE _Outptr_result_bytebuffer_ ViewSize PVOID * BaseAddress
NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
#define NtCurrentProcess()
NTSYSAPI VOID NTAPI RtlInitAnsiString(PANSI_STRING DestinationString, PCSZ SourceString)
#define PAGE_EXECUTE_READWRITE
LIST_ENTRY AVrfpVerifierProvidersList
PLDR_DATA_TABLE_ENTRY LdrpImageEntry
NTSTATUS NTAPI LdrpInitializeApplicationVerifierPackage(HANDLE KeyHandle, PPEB Peb, BOOLEAN SystemWide, BOOLEAN ReadAdvancedOptions)
VOID NTAPI AVrfReadIFEO(HANDLE KeyHandle)
NTSTATUS NTAPI AVrfInitializeVerifier(VOID)
struct _VERIFIER_PROVIDER * PVERIFIER_PROVIDER
RTL_CRITICAL_SECTION AVrfpVerifierLock
SIZE_T AVrfpCountThunks(PIMAGE_THUNK_DATA Thunk)
#define VERIFIER_DLL_FLAGS_RESOLVED
VOID NTAPI AVrfpResnapInitialModules(VOID)
struct _VERIFIER_PROVIDER VERIFIER_PROVIDER
PVOID NTAPI AvrfpFindDuplicateThunk(PLIST_ENTRY EndEntry, PWCHAR DllName, PCHAR ThunkName)
BOOLEAN AVrfpIsVerifierProviderDll(PVOID BaseAddress)
WCHAR AVrfpVerifierDllsString[256]
VOID NTAPI AVrfDllUnloadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
NTSTATUS NTAPI AVrfpLoadAndInitializeProvider(PVERIFIER_PROVIDER Provider)
VOID NTAPI AVrfDllLoadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
VOID NTAPI AVrfpChainDuplicateThunks(VOID)
VOID AVrfpSnapDllImports(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
VOID NTAPI AVrfPageHeapDllNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
VOID AvrfpResolveThunks(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
NTSTATUS NTAPI LdrpGetProcedureAddress(_In_ PVOID BaseAddress, _In_opt_ _When_(Ordinal==0, _Notnull_) PANSI_STRING Name, _In_opt_ _When_(Name==NULL, _In_range_(>, 0)) ULONG Ordinal, _Out_ PVOID *ProcedureAddress, _In_ BOOLEAN ExecuteInit)
BOOLEAN NTAPI LdrpCallInitRoutine(IN PDLL_INIT_ROUTINE EntryPoint, IN PVOID BaseAddress, IN ULONG Reason, IN PVOID Context)
PVOID NTAPI LdrpFetchAddressOfEntryPoint(PVOID ImageBase)
BOOLEAN RtlpPageHeapEnabled
#define DPH_FLAG_DLL_NOTIFY
PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA
NTSTATUS NTAPI NtProtectVirtualMemory(IN HANDLE ProcessHandle, IN OUT PVOID *UnsafeBaseAddress, IN OUT SIZE_T *UnsafeNumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG UnsafeOldAccessProtection)
#define STATUS_INVALID_PARAMETER_4
#define STATUS_PROCEDURE_NOT_FOUND
#define STATUS_DLL_INIT_FAILED
#define IMAGE_DIRECTORY_ENTRY_IMPORT
#define _SEH2_GetExceptionCode()
#define _SEH2_EXCEPT(...)
_Check_return_ _CRTIMP int __cdecl _wcsicmp(_In_z_ const wchar_t *_Str1, _In_z_ const wchar_t *_Str2)
base of all file and directory entries
union _IMAGE_THUNK_DATA32::@2143 u1
UNICODE_STRING BaseDllName
struct _LIST_ENTRY * Flink
PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks
RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback
PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls
RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback
RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback
#define CONTAINING_RECORD(address, type, field)
VOID(NTAPI * RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)(PVOID AllocationBase, SIZE_T AllocationSize)
#define RTL_VRF_DBG_SHOWFOUNDEXPORTS
#define RTL_VRF_DBG_SHOWCHAINING
#define RTL_VRF_DBG_LISTPROVIDERS
#define RTL_VRF_FLG_HANDLE_CHECKS
#define RTL_VRF_DBG_SHOWSNAPS
#define DLL_PROCESS_VERIFIER
#define RTL_VRF_DBG_SHOWCHAINING_DEBUG
#define RTL_VRF_DBG_SHOWVERIFIEDEXPORTS
VOID(NTAPI * RTL_VERIFIER_DLL_UNLOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
#define RTL_VRF_FLG_LOCK_CHECKS
#define RTL_VRF_FLG_FAST_FILL_HEAP
VOID(NTAPI * RTL_VERIFIER_DLL_LOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
_Must_inspect_result_ _In_ WDFDEVICE _In_ PWDF_DEVICE_PROPERTY_DATA _In_ DEVPROPTYPE _In_ ULONG Size
_Must_inspect_result_ _In_ WDFIORESLIST _In_ PIO_RESOURCE_DESCRIPTOR Descriptor
_Out_ PCLIENT_ID ClientId