28#define VERIFIER_DLL_FLAGS_RESOLVED 1
92 if (ReadAdvancedOptions)
137 PBYTE DllBase = LdrEntry->DllBase;
140 if (!ImportDescriptor)
150 SIZE_T UnprotectedSize = 0;
151 ULONG OldProtection = 0;
165 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
169 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
181 UnprotectedPtr =
Ptr;
182 UnprotectedSize =
Size;
192 DbgPrint(
"AVRF: Unable to unprotect IAT to modify thunks (status %08X).\n",
Status);
193 UnprotectedPtr =
NULL;
200 DbgPrint(
"AVRF: internal error: New thunk for %s is null.\n", ThunkDescriptor->
ThunkName);
205 DbgPrint(
"AVRF: Snapped (%wZ: %s) with (%wZ: %p).\n",
206 &LdrEntry->BaseDllName,
221 UnprotectedPtr =
Ptr;
222 UnprotectedSize =
Size;
231 DbgPrint(
"AVRF: Unable to reprotect IAT to modify thunks (status %08X).\n",
Status);
253 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
262 DbgPrint(
"AVRF: pid 0x%X: found dll descriptor for `%wZ' with verified exports\n",
264 &LdrEntry->BaseDllName);
266 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
277 DbgPrint(
"AVRF: (%wZ) %Z export found.\n", &LdrEntry->BaseDllName, &ThunkName);
282 DbgPrint(
"AVRF: warning: did not find `%Z' export in %wZ.\n", &ThunkName, &LdrEntry->BaseDllName);
317 ProviderDllLoadCallback =
Provider->ProviderDllLoadCallback;
318 if (ProviderDllLoadCallback)
320 ProviderDllLoadCallback(LdrEntry->BaseDllName.Buffer,
322 LdrEntry->SizeOfImage,
349 ProviderDllUnloadCallback =
Provider->ProviderDllUnloadCallback;
350 if (ProviderDllUnloadCallback)
352 ProviderDllUnloadCallback(LdrEntry->BaseDllName.Buffer,
354 LdrEntry->SizeOfImage,
379 ProviderHeapFreeCallback =
Provider->ProviderNtdllHeapFreeCallback;
380 if (ProviderHeapFreeCallback)
408 for (ListEntry = ListHead->
Flink; ListHead != ListEntry; ListEntry = ListEntry->
Flink)
445 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
455 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
458 DbgPrint(
"AVRF: chain: thunk: %s == %s ?\n", ThunkDescriptor->
ThunkName, ThunkName);
463 DbgPrint(
"AVRF: Found duplicate for (%ws: %s) in %wZ\n",
489 for (DllDescriptor =
Provider->ProviderDlls; DllDescriptor && DllDescriptor->
DllName; ++DllDescriptor)
491 for (ThunkDescriptor = DllDescriptor->
DllThunks; ThunkDescriptor && ThunkDescriptor->
ThunkName; ++ThunkDescriptor)
496 DbgPrint(
"AVRF: Checking %wZ for duplicate (%ws: %s)\n",
534 DbgPrint(
"AVRF: DebugPageHeapCreate(Flags=%x, Addr=%p, TotalSize=%u, CommitSize=%u, Lock=%p, Parameters=%p) = %p\n",
543 DbgPrint(
"AVRF: DebugPageHeapDestroy(HeapPtr=%p)\n", HeapPtr);
567 DbgPrint(
"AVRF: %wZ: failed to load provider `%wZ' (status %08X) from %wZ\n",
587 DbgPrint(
"AVRF: cannot find an entry point for provider %wZ\n", &
Provider->DllName);
624 DbgPrint(
"AVRF: provider %wZ did not initialize correctly\n", &
Provider->DllName);
655 DbgPrint(
"AVRF: provider %wZ did not initialize correctly\n", &
Provider->DllName);
685 DbgPrint(
"AVRF: %wZ: pid 0x%X: flags 0x%X: application verifier enabled\n",
738 DbgPrint(
"AVRF: %wZ: pid 0x%X: application verifier will be disabled due to an initialization error.\n",
740 NtCurrentPeb()->NtGlobalFlag &= ~FLG_APPLICATION_VERIFIER;
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
PIMAGE_NT_HEADERS WINAPI ImageNtHeader(_In_ PVOID)
#define NT_SUCCESS(StatCode)
#define DLL_PROCESS_ATTACH
#define RtlImageDirectoryEntryToData
#define RemoveEntryList(Entry)
#define InsertTailList(ListHead, Entry)
NTSTATUS RtlAppendUnicodeToString(IN PUNICODE_STRING Str1, IN PWSTR Str2)
#define InitializeListHead(ListHead)
#define FLG_HEAP_PAGE_ALLOCS
#define FLG_APPLICATION_VERIFIER
NTSYSAPI void WINAPI DbgBreakPoint(void)
#define EXCEPTION_EXECUTE_HANDLER
NTSTATUS NTAPI LdrQueryImageFileKeyOption(_In_ HANDLE KeyHandle, _In_ PCWSTR ValueName, _In_ ULONG Type, _Out_ PVOID Buffer, _In_ ULONG BufferSize, _Out_opt_ PULONG ReturnedLength)
NTSTATUS NTAPI DECLSPEC_HOTPATCH LdrLoadDll(_In_opt_ PWSTR SearchPath, _In_opt_ PULONG DllCharacteristics, _In_ PUNICODE_STRING DllName, _Out_ PVOID *BaseAddress)
NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)
#define NtCurrentProcess()
NTSYSAPI VOID NTAPI RtlInitAnsiString(PANSI_STRING DestinationString, PCSZ SourceString)
#define PAGE_EXECUTE_READWRITE
LIST_ENTRY AVrfpVerifierProvidersList
PLDR_DATA_TABLE_ENTRY LdrpImageEntry
NTSTATUS NTAPI LdrpInitializeApplicationVerifierPackage(HANDLE KeyHandle, PPEB Peb, BOOLEAN SystemWide, BOOLEAN ReadAdvancedOptions)
PVOID NTAPI RtlpPageHeapDestroy(HANDLE HeapPtr)
VOID NTAPI AVrfReadIFEO(HANDLE KeyHandle)
static PVOID AVrfpDebugPageHeapDestroy(HANDLE HeapPtr)
NTSTATUS NTAPI AVrfInitializeVerifier(VOID)
struct _VERIFIER_PROVIDER * PVERIFIER_PROVIDER
RTL_CRITICAL_SECTION AVrfpVerifierLock
VOID NTAPI AVrfInternalHeapFreeNotification(PVOID AllocationBase, SIZE_T AllocationSize)
SIZE_T AVrfpCountThunks(PIMAGE_THUNK_DATA Thunk)
#define VERIFIER_DLL_FLAGS_RESOLVED
static PVOID NTAPI AVrfpGetStackTraceAddress(ULONG Arg0)
VOID NTAPI AVrfpResnapInitialModules(VOID)
struct _VERIFIER_PROVIDER VERIFIER_PROVIDER
PVOID NTAPI AvrfpFindDuplicateThunk(PLIST_ENTRY EndEntry, PWCHAR DllName, PCHAR ThunkName)
BOOLEAN AVrfpIsVerifierProviderDll(PVOID BaseAddress)
WCHAR AVrfpVerifierDllsString[256]
VOID NTAPI AVrfDllUnloadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
static HANDLE NTAPI AVrfpDebugPageHeapCreate(ULONG Flags, PVOID Addr, SIZE_T TotalSize, SIZE_T CommitSize, PVOID Lock, PRTL_HEAP_PARAMETERS Parameters)
NTSTATUS NTAPI AVrfpLoadAndInitializeProvider(PVERIFIER_PROVIDER Provider)
VOID NTAPI AVrfDllLoadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
VOID NTAPI AVrfpChainDuplicateThunks(VOID)
VOID AVrfpSnapDllImports(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
VOID NTAPI AVrfPageHeapDllNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
HANDLE NTAPI RtlpPageHeapCreate(ULONG Flags, PVOID Addr, SIZE_T TotalSize, SIZE_T CommitSize, PVOID Lock, PRTL_HEAP_PARAMETERS Parameters)
VOID AvrfpResolveThunks(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
NTSTATUS NTAPI LdrpGetProcedureAddress(_In_ PVOID BaseAddress, _In_opt_ _When_(Ordinal==0, _Notnull_) PANSI_STRING Name, _In_opt_ _When_(Name==NULL, _In_range_(>, 0)) ULONG Ordinal, _Out_ PVOID *ProcedureAddress, _In_ BOOLEAN ExecuteInit)
BOOLEAN NTAPI LdrpCallInitRoutine(IN PDLL_INIT_ROUTINE EntryPoint, IN PVOID BaseAddress, IN ULONG Reason, IN PVOID Context)
PVOID NTAPI LdrpFetchAddressOfEntryPoint(PVOID ImageBase)
BOOLEAN RtlpPageHeapEnabled
#define DPH_FLAG_DLL_NOTIFY
PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA
NTSTATUS NTAPI NtProtectVirtualMemory(IN HANDLE ProcessHandle, IN OUT PVOID *UnsafeBaseAddress, IN OUT SIZE_T *UnsafeNumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG UnsafeOldAccessProtection)
#define STATUS_INVALID_PARAMETER_4
#define STATUS_PROCEDURE_NOT_FOUND
#define STATUS_DLL_INIT_FAILED
#define IMAGE_DIRECTORY_ENTRY_IMPORT
#define _SEH2_GetExceptionCode()
#define _SEH2_EXCEPT(...)
_Check_return_ _CRTIMP int __cdecl _wcsicmp(_In_z_ const wchar_t *_Str1, _In_z_ const wchar_t *_Str2)
union _IMAGE_THUNK_DATA32::@2218 u1
UNICODE_STRING BaseDllName
struct _LIST_ENTRY * Flink
PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks
RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback
PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls
RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback
RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback
#define CONTAINING_RECORD(address, type, field)
VOID(NTAPI * RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)(PVOID AllocationBase, SIZE_T AllocationSize)
#define RTL_VRF_DBG_SHOWFOUNDEXPORTS
#define RTL_VRF_DBG_SHOWCHAINING
#define RTL_VRF_DBG_LISTPROVIDERS
#define RTL_VRF_FLG_HANDLE_CHECKS
#define RTL_VRF_DBG_SHOWSNAPS
#define DLL_PROCESS_VERIFIER
#define RTL_VRF_DBG_SHOWCHAINING_DEBUG
#define RTL_VRF_DBG_SHOWVERIFIEDEXPORTS
VOID(NTAPI * RTL_VERIFIER_DLL_UNLOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
#define RTL_VRF_FLG_LOCK_CHECKS
#define RTL_VRF_FLG_FAST_FILL_HEAP
VOID(NTAPI * RTL_VERIFIER_DLL_LOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)