24 #define VERIFIER_DLL_FLAGS_RESOLVED 1 88 if (ReadAdvancedOptions)
/* Excerpt, not a complete listing: each leading number is the line number in
 * the original file, and the lines between them are missing from this page.
 * These fragments deal with replacing import (IAT) thunks of a loaded module
 * with provider-supplied ones; the log text at 188 and 227 shows the IAT page
 * protection being lifted before the write and put back afterwards. */
133 PBYTE DllBase = LdrEntry->DllBase;
136 if (!ImportDescriptor)
146 SIZE_T UnprotectedSize = 0;
147 ULONG OldProtection = 0;
/* Outer loop: every DLL descriptor the provider published. Iteration stops at
 * a NULL array pointer or at the first entry whose DllName is NULL. */
161 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
/* Inner loop: every thunk descriptor of that DLL, terminated the same way by
 * a NULL ThunkName. */
165 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
/* Record which region is currently tracked as unprotected.
 * NOTE(review): PAGE_EXECUTE_READWRITE is among the symbols this file
 * references; if that is the protection requested for the IAT, the page is
 * writable and executable at once while thunks are patched -- confirm whether
 * a non-executable writable protection would do. */
177 UnprotectedPtr =
Ptr;
178 UnprotectedSize =
Size;
/* Failure to lift the protection is logged with the NTSTATUS and the tracked
 * pointer is cleared.
 * NOTE(review): whether the thunk write is skipped after this failure is not
 * visible in the excerpt -- confirm. */
188 DbgPrint(
"AVRF: Unable to unprotect IAT to modify thunks (status %08X).\n",
Status);
189 UnprotectedPtr =
NULL;
/* A descriptor without a replacement address is reported as an internal
 * error. */
196 DbgPrint(
"AVRF: internal error: New thunk for %s is null.\n", ThunkDescriptor->
ThunkName);
/* Trace line for each replaced import; %wZ expects a PUNICODE_STRING. */
201 DbgPrint(
"AVRF: Snapped (%wZ: %s) with (%wZ: %p).\n",
202 &LdrEntry->BaseDllName,
/* Second place where the tracked region is updated; the condition around it
 * is not part of the excerpt. */
217 UnprotectedPtr =
Ptr;
218 UnprotectedSize =
Size;
/* NOTE(review): this is the reprotect failure path, yet the message still ends
 * in "to modify thunks" like the one at 188 -- looks copy-pasted. The excerpt
 * also does not show whether the region is left writable when restoring the
 * protection fails -- confirm. */
227 DbgPrint(
"AVRF: Unable to reprotect IAT to modify thunks (status %08X).\n",
Status);
/* Excerpt (original lines 249-278, gaps omitted): for a loaded module, look
 * through the provider's DLL descriptors and report which of the described
 * thunk names exist as exports of that module. */
249 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
/* Logged when a descriptor applies to the module in LdrEntry; the comparison
 * that decides this is not part of the excerpt. */
258 DbgPrint(
"AVRF: pid 0x%X: found dll descriptor for `%wZ' with verified exports\n",
260 &LdrEntry->BaseDllName);
/* Each thunk descriptor of the matched DLL, up to the NULL ThunkName entry. */
262 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
/* ThunkName is passed by address with %Z, i.e. as a counted ANSI string;
 * presumably it was built from ThunkDescriptor->ThunkName -- confirm. */
273 DbgPrint(
"AVRF: (%wZ) %Z export found.\n", &LdrEntry->BaseDllName, &ThunkName);
/* A missing export is only a warning here; what happens to that thunk
 * afterwards is not visible in the excerpt. */
278 DbgPrint(
"AVRF: warning: did not find `%Z' export in %wZ.\n", &ThunkName, &LdrEntry->BaseDllName);
/* Excerpt (original lines 313-350, gaps omitted): forward DLL load and unload
 * events to the provider. Both callbacks are optional and are only invoked
 * when the provider set them. */
313 ProviderDllLoadCallback =
Provider->ProviderDllLoadCallback;
314 if (ProviderDllLoadCallback)
/* NOTE(review): BaseDllName.Buffer is handed to the callback as a plain
 * PWSTR. A UNICODE_STRING is length-counted and not required to be
 * NUL-terminated, so the callee may read past the name unless the loader
 * always terminates it -- confirm. */
316 ProviderDllLoadCallback(LdrEntry->BaseDllName.Buffer,
318 LdrEntry->SizeOfImage,
345 ProviderDllUnloadCallback =
Provider->ProviderDllUnloadCallback;
346 if (ProviderDllUnloadCallback)
/* Same PWSTR termination caveat as for the load callback. */
348 ProviderDllUnloadCallback(LdrEntry->BaseDllName.Buffer,
350 LdrEntry->SizeOfImage,
/* Excerpt (original lines 379-467, gaps omitted): walking the provider list
 * and detecting thunks that more than one provider describes. */
/* Circular doubly linked list walk: start at the first entry and stop when
 * the iterator is back at the list head. */
379 for (ListEntry = ListHead->
Flink; ListHead != ListEntry; ListEntry = ListEntry->
Flink)
/* Search one provider's descriptors for a given DLL name / thunk name pair. */
416 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
426 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
/* Debug trace of the two names being compared; the comparison itself is not
 * part of the excerpt. */
429 DbgPrint(
"AVRF: chain: thunk: %s == %s ?\n", ThunkDescriptor->
ThunkName, ThunkName);
/* %ws prints a NUL-terminated wide string, %s a narrow one, %wZ a
 * PUNICODE_STRING; the argument list is cut off in this excerpt. */
434 DbgPrint(
"AVRF: Found duplicate for (%ws: %s) in %wZ\n",
/* For every thunk of every descriptor of a provider, look for an earlier
 * definition of the same thunk (presumably via the search above -- confirm). */
460 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
462 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
467 DbgPrint(
"AVRF: Checking %wZ for duplicate (%ws: %s)\n",
/* Excerpt (original lines 503-678, gaps omitted): loading a provider DLL,
 * running its entry point, and the start-up path that enables the verifier. */
/* Load failure: logs the process image name, the provider name, the NTSTATUS
 * and the path used, judging by the format string; the arguments are cut off.
 * NOTE(review): the provider DLL runs inside the verified process, so where
 * its name and load path come from matters; this excerpt shows neither the
 * source of the name nor any restriction on the directory -- confirm. */
503 DbgPrint(
"AVRF: %wZ: failed to load provider `%wZ' (status %08X) from %wZ\n",
/* A provider image without an entry point is rejected with a message. */
523 DbgPrint(
"AVRF: cannot find an entry point for provider %wZ\n", &
Provider->DllName);
/* Three helpers are reported as MISSING on consecutive source lines.
 * NOTE(review): this reads like functionality a provider may expect that this
 * build does not supply -- confirm what the provider receives instead. */
548 DPRINT1(
"AVRF: RtlpGetStackTraceAddress MISSING\n");
549 DPRINT1(
"AVRF: RtlpDebugPageHeapCreate MISSING\n");
550 DPRINT1(
"AVRF: RtlpDebugPageHeapDestroy MISSING\n");
/* NOTE(review): the messages at 564 and 595 are identical, so a log line does
 * not tell which of the two checks failed. */
564 DbgPrint(
"AVRF: provider %wZ did not initialize correctly\n", &
Provider->DllName);
595 DbgPrint(
"AVRF: provider %wZ did not initialize correctly\n", &
Provider->DllName);
625 DbgPrint(
"AVRF: %wZ: pid 0x%X: flags 0x%X: application verifier enabled\n",
/* Skip leading blanks and tabs. A terminating NUL matches neither literal, so
 * the loop also stops there. */
639 while (*Next ==
L' ' || *Next ==
L'\t')
/* Advance to the next blank, tab or NUL, i.e. to the end of the current
 * token. This loop uses narrow character literals where the one above uses
 * wide ones; the values compare equal, the spelling is just inconsistent.
 * Presumably this splits a list of provider DLL names -- confirm. */
644 while (*Next !=
' ' && *Next !=
'\t' && *Next)
/* Start-up failure is reported and, per the message, the verifier is turned
 * off for the process rather than the process being stopped. */
678 DbgPrint(
"AVRF: %wZ: pid 0x%X: application verifier will be disabled due to an initialization error.\n",
VOID NTAPI AVrfPageHeapDllNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks
RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback
NTSTATUS NTAPI LdrQueryImageFileKeyOption(IN HANDLE KeyHandle, IN PCWSTR ValueName, IN ULONG Type, OUT PVOID Buffer, IN ULONG BufferSize, OUT PULONG ReturnedLength OPTIONAL)
RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback
VOID(NTAPI * RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)(PVOID AllocationBase, SIZE_T AllocationSize)
RTL_CRITICAL_SECTION AVrfpVerifierLock
_Must_inspect_result_ _In_ WDFIORESLIST _In_ PIO_RESOURCE_DESCRIPTOR Descriptor
struct _VERIFIER_PROVIDER * PVERIFIER_PROVIDER
_Must_inspect_result_ _Out_ PNDIS_STATUS _In_ NDIS_HANDLE _In_ ULONG _Out_ PNDIS_STRING _Out_ PNDIS_HANDLE KeyHandle
#define RTL_VRF_DBG_SHOWVERIFIEDEXPORTS
VOID(NTAPI * RTL_VERIFIER_DLL_LOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
_Must_inspect_result_ _In_ PFSRTL_PER_STREAM_CONTEXT Ptr
#define RTL_VRF_DBG_SHOWSNAPS
VOID NTAPI AVrfDllUnloadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
NTSTATUS NTAPI NtProtectVirtualMemory(IN HANDLE ProcessHandle, IN OUT PVOID *UnsafeBaseAddress, IN OUT SIZE_T *UnsafeNumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG UnsafeOldAccessProtection)
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
BOOLEAN AVrfpIsVerifierProviderDll(PVOID BaseAddress)
VOID AVrfpSnapDllImports(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
IN PVOID IN PVOID IN USHORT IN USHORT Size
#define DLL_PROCESS_ATTACH
#define DLL_PROCESS_VERIFIER
RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback
#define InsertTailList(ListHead, Entry)
#define RTL_VRF_FLG_FAST_FILL_HEAP
PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls
BOOLEAN RtlpPageHeapEnabled
VOID(NTAPI * RTL_VERIFIER_DLL_UNLOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
NTSYSAPI VOID NTAPI RtlInitAnsiString(PANSI_STRING DestinationString, PCSZ SourceString)
FORCEINLINE BOOLEAN RemoveEntryList(_In_ PLIST_ENTRY Entry)
LIST_ENTRY AVrfpVerifierProvidersList
VOID NTAPI AVrfpChainDuplicateThunks(VOID)
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
PVOID NTAPI LdrpFetchAddressOfEntryPoint(PVOID ImageBase)
NTSTATUS NTAPI LdrpInitializeApplicationVerifierPackage(HANDLE KeyHandle, PPEB Peb, BOOLEAN SystemWide, BOOLEAN ReadAdvancedOptions)
#define FLG_APPLICATION_VERIFIER
PFLT_MESSAGE_WAITER_QUEUE CONTAINING_RECORD(Csq, DEVICE_EXTENSION, IrpQueue)) -> WaiterQ.mLock) _IRQL_raises_(DISPATCH_LEVEL) VOID NTAPI FltpAcquireMessageWaiterLock(_In_ PIO_CSQ Csq, _Out_ PKIRQL Irql)
VOID NTAPI AVrfDllLoadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
#define NtCurrentProcess()
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
NTSTATUS RtlAppendUnicodeToString(IN PUNICODE_STRING Str1, IN PWSTR Str2)
struct _LIST_ENTRY * Flink
_In_ HANDLE _Outptr_result_bytebuffer_ ViewSize PVOID * BaseAddress
union _IMAGE_THUNK_DATA32::@2092 u1
_Out_ PCLIENT_ID ClientId
NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
#define NT_SUCCESS(StatCode)
#define EXCEPTION_EXECUTE_HANDLER
#define FLG_HEAP_PAGE_ALLOCS
#define RTL_VRF_DBG_LISTPROVIDERS
NTSTATUS NTAPI LdrpGetProcedureAddress(IN PVOID BaseAddress, IN PANSI_STRING Name, IN ULONG Ordinal, OUT PVOID *ProcedureAddress, IN BOOLEAN ExecuteInit)
VOID AvrfpResolveThunks(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
#define RTL_VRF_FLG_HANDLE_CHECKS
#define VERIFIER_DLL_FLAGS_RESOLVED
PVOID NTAPI AvrfpFindDuplicateThunk(PLIST_ENTRY EndEntry, PWCHAR DllName, PCHAR ThunkName)
#define RtlImageDirectoryEntryToData
NTSTATUS NTAPI DECLSPEC_HOTPATCH LdrLoadDll(IN PWSTR SearchPath OPTIONAL, IN PULONG DllCharacteristics OPTIONAL, IN PUNICODE_STRING DllName, OUT PVOID *BaseAddress)
WCHAR AVrfpVerifierDllsString[256]
#define STATUS_DLL_INIT_FAILED
FORCEINLINE struct _TEB * NtCurrentTeb(VOID)
static const char const char * DllPath
#define InitializeListHead(ListHead)
NTSTATUS NTAPI AVrfpLoadAndInitializeProvider(PVERIFIER_PROVIDER Provider)
UNICODE_STRING BaseDllName
#define STATUS_PROCEDURE_NOT_FOUND
#define DPH_FLAG_DLL_NOTIFY
#define IMAGE_DIRECTORY_ENTRY_IMPORT
PLDR_DATA_TABLE_ENTRY LdrpImageEntry
#define RTL_VRF_DBG_SHOWFOUNDEXPORTS
VOID NTAPI AVrfReadIFEO(HANDLE KeyHandle)
#define RTL_VRF_FLG_LOCK_CHECKS
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
PIMAGE_NT_HEADERS WINAPI ImageNtHeader(_In_ PVOID)
#define RTL_VRF_DBG_SHOWCHAINING
#define _SEH2_EXCEPT(...)
#define PAGE_EXECUTE_READWRITE
VOID NTAPI AVrfpResnapInitialModules(VOID)
struct _VERIFIER_PROVIDER VERIFIER_PROVIDER
#define _SEH2_GetExceptionCode()
#define STATUS_INVALID_PARAMETER_4
NTSTATUS NTAPI AVrfInitializeVerifier(VOID)
base of all file and directory entries
_Check_return_ _CRTIMP int __cdecl _wcsicmp(_In_z_ const wchar_t *_Str1, _In_z_ const wchar_t *_Str2)
#define RTL_VRF_DBG_SHOWCHAINING_DEBUG
SIZE_T AVrfpCountThunks(PIMAGE_THUNK_DATA Thunk)
PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA
BOOLEAN NTAPI LdrpCallInitRoutine(IN PDLL_INIT_ROUTINE EntryPoint, IN PVOID BaseAddress, IN ULONG Reason, IN PVOID Context)