da/d00/ntdll_2ldr_2verifier_8c_source.html

 /*
  * PROJECT:     ReactOS NT User Mode Library
  * LICENSE:     GPL-2.0+ (https://spdx.org/licenses/GPL-2.0+)
  * PURPOSE:     Verifier support routines
  * COPYRIGHT:   Copyright 2011 Aleksey Bragin (aleksey@reactos.org)
  *              Copyright 2018 Mark Jansen (mark.jansen@reactos.org)
  */


 #include <ntdll.h>
 #include <reactos/verifier.h>

 #define NDEBUG
 #include <debug.h>

 extern PLDR_DATA_TABLE_ENTRY LdrpImageEntry;
 ULONG AVrfpVerifierFlags = 0;
 WCHAR AVrfpVerifierDllsString[256] = { 0 };
 ULONG AVrfpDebug = 0;
 BOOL AVrfpInitialized = FALSE;
 RTL_CRITICAL_SECTION AVrfpVerifierLock;
 LIST_ENTRY AVrfpVerifierProvidersList;

 #define VERIFIER_DLL_FLAGS_RESOLVED  1


 typedef struct _VERIFIER_PROVIDER
 {
     LIST_ENTRY ListEntry;
     UNICODE_STRING DllName;
     PVOID BaseAddress;
     PVOID EntryPoint;

     // Provider data
     PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;
     RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
     RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;
     RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;
 } VERIFIER_PROVIDER, *PVERIFIER_PROVIDER;


 VOID
 NTAPI
 AVrfReadIFEO(HANDLE KeyHandle)
 {
     NTSTATUS Status;

     Status = LdrQueryImageFileKeyOption(KeyHandle,
                                         L"VerifierDlls",
                                         REG_SZ,
                                         AVrfpVerifierDllsString,
                                         sizeof(AVrfpVerifierDllsString) - sizeof(WCHAR),
                                         NULL);

     if (!NT_SUCCESS(Status))
         AVrfpVerifierDllsString[0] = UNICODE_NULL;

     Status = LdrQueryImageFileKeyOption(KeyHandle,
                                         L"VerifierFlags",
                                         REG_DWORD,
                                         &AVrfpVerifierFlags,
                                         sizeof(AVrfpVerifierFlags),
                                         NULL);
     if (!NT_SUCCESS(Status))
         AVrfpVerifierFlags = RTL_VRF_FLG_HANDLE_CHECKS | RTL_VRF_FLG_FAST_FILL_HEAP | RTL_VRF_FLG_LOCK_CHECKS;

     Status = LdrQueryImageFileKeyOption(KeyHandle,
                                         L"VerifierDebug",
                                         REG_DWORD,
                                         &AVrfpDebug,
                                         sizeof(AVrfpDebug),
                                         NULL);
     if (!NT_SUCCESS(Status))
         AVrfpDebug = 0;
 }


 NTSTATUS
 NTAPI
 LdrpInitializeApplicationVerifierPackage(HANDLE KeyHandle, PPEB Peb, BOOLEAN SystemWide, BOOLEAN ReadAdvancedOptions)
 {
     /* If global flags request DPH, perform some additional actions */
     if (Peb->NtGlobalFlag & FLG_HEAP_PAGE_ALLOCS)
     {
         // TODO: Read advanced DPH flags from the registry if requested
         if (ReadAdvancedOptions)
         {
             UNIMPLEMENTED;
         }

         /* Enable page heap */
         RtlpPageHeapEnabled = TRUE;
     }

     AVrfReadIFEO(KeyHandle);

     return STATUS_SUCCESS;
 }

 BOOLEAN
 AVrfpIsVerifierProviderDll(PVOID BaseAddress)
 {
     PLIST_ENTRY Entry;
     PVERIFIER_PROVIDER Provider;

     for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
     {
         Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);

         if (BaseAddress == Provider->BaseAddress)
             return TRUE;
     }

     return FALSE;
 }

 SIZE_T
 AVrfpCountThunks(PIMAGE_THUNK_DATA Thunk)
 {
     SIZE_T Count = 0;
     while (Thunk[Count].u1.Function)
         Count++;
     return Count;
 }

 VOID
 AVrfpSnapDllImports(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 {
     ULONG Size;
     PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor;
     PBYTE DllBase = LdrEntry->DllBase;

     ImportDescriptor = RtlImageDirectoryEntryToData(DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size);
     if (!ImportDescriptor)
     {
         //SHIMENG_INFO("Skipping module 0x%p \"%wZ\" due to no iat found\n", LdrEntry->DllBase, &LdrEntry->BaseDllName);
         return;
     }

     for (; ImportDescriptor->Name && ImportDescriptor->OriginalFirstThunk; ImportDescriptor++)
     {
         PIMAGE_THUNK_DATA FirstThunk;
         PVOID UnprotectedPtr = NULL;
         SIZE_T UnprotectedSize = 0;
         ULONG OldProtection = 0;
         FirstThunk = (PIMAGE_THUNK_DATA)(DllBase + ImportDescriptor->FirstThunk);

         /* Walk all imports */
         for (;FirstThunk->u1.Function; FirstThunk++)
         {
             PLIST_ENTRY Entry;
             PVERIFIER_PROVIDER Provider;

             for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
             {
                 PRTL_VERIFIER_DLL_DESCRIPTOR DllDescriptor;

                 Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
                 for (DllDescriptor = Provider->ProviderDlls; DllDescriptor && DllDescriptor->DllName; ++DllDescriptor)
                 {
                     PRTL_VERIFIER_THUNK_DESCRIPTOR ThunkDescriptor;

                     for (ThunkDescriptor = DllDescriptor->DllThunks; ThunkDescriptor && ThunkDescriptor->ThunkName; ++ThunkDescriptor)
                     {
                         /* Just compare function addresses, the loader will have handled forwarders and ordinals for us */
                         if ((PVOID)FirstThunk->u1.Function != ThunkDescriptor->ThunkOldAddress)
                             continue;

                         if (!UnprotectedPtr)
                         {
                             PVOID Ptr = &FirstThunk->u1.Function;
                             SIZE_T Size = sizeof(FirstThunk->u1.Function) * AVrfpCountThunks(FirstThunk);
                             NTSTATUS Status;

                             UnprotectedPtr = Ptr;
                             UnprotectedSize = Size;

                             Status = NtProtectVirtualMemory(NtCurrentProcess(),
                                                             &Ptr,
                                                             &Size,
                                                             PAGE_EXECUTE_READWRITE,
                                                             &OldProtection);

                             if (!NT_SUCCESS(Status))
                             {
                                 DbgPrint("AVRF: Unable to unprotect IAT to modify thunks (status %08X).\n", Status);
                                 UnprotectedPtr = NULL;
                                 continue;
                             }
                         }

                         if (ThunkDescriptor->ThunkNewAddress == NULL)
                         {
                             DbgPrint("AVRF: internal error: New thunk for %s is null.\n", ThunkDescriptor->ThunkName);
                             continue;
                         }
                         FirstThunk->u1.Function = (SIZE_T)ThunkDescriptor->ThunkNewAddress;
                         if (AVrfpDebug & RTL_VRF_DBG_SHOWSNAPS)
                             DbgPrint("AVRF: Snapped (%wZ: %s) with (%wZ: %p).\n",
                                         &LdrEntry->BaseDllName,
                                         ThunkDescriptor->ThunkName,
                                         &Provider->DllName,
                                         ThunkDescriptor->ThunkNewAddress);
                     }
                 }
             }
         }

         if (UnprotectedPtr)
         {
             PVOID Ptr = UnprotectedPtr;
             SIZE_T Size = UnprotectedSize;
             NTSTATUS Status;

             UnprotectedPtr = Ptr;
             UnprotectedSize = Size;

             Status = NtProtectVirtualMemory(NtCurrentProcess(),
                                             &Ptr,
                                             &Size,
                                             OldProtection,
                                             &OldProtection);
             if (!NT_SUCCESS(Status))
             {
                 DbgPrint("AVRF: Unable to reprotect IAT to modify thunks (status %08X).\n", Status);
             }
         }
     }
 }


 VOID
 AvrfpResolveThunks(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 {
     PLIST_ENTRY Entry;
     PVERIFIER_PROVIDER Provider;

     if (!AVrfpInitialized)
         return;

     for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
     {
         PRTL_VERIFIER_DLL_DESCRIPTOR DllDescriptor;

         Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);

         for (DllDescriptor = Provider->ProviderDlls; DllDescriptor && DllDescriptor->DllName; ++DllDescriptor)
         {
             PRTL_VERIFIER_THUNK_DESCRIPTOR ThunkDescriptor;

             if ((DllDescriptor->DllFlags & VERIFIER_DLL_FLAGS_RESOLVED) ||
                 _wcsicmp(DllDescriptor->DllName, LdrEntry->BaseDllName.Buffer))
                 continue;

             if (AVrfpDebug & RTL_VRF_DBG_SHOWVERIFIEDEXPORTS)
                 DbgPrint("AVRF: pid 0x%X: found dll descriptor for `%wZ' with verified exports\n",
                             NtCurrentTeb()->ClientId.UniqueProcess,
                             &LdrEntry->BaseDllName);

             for (ThunkDescriptor = DllDescriptor->DllThunks; ThunkDescriptor && ThunkDescriptor->ThunkName; ++ThunkDescriptor)
             {
                 if (!ThunkDescriptor->ThunkOldAddress)
                 {
                     ANSI_STRING ThunkName;

                     RtlInitAnsiString(&ThunkName, ThunkDescriptor->ThunkName);
                     /* We cannot call the public api, because that would run init routines! */
                     if (NT_SUCCESS(LdrpGetProcedureAddress(LdrEntry->DllBase, &ThunkName, 0, &ThunkDescriptor->ThunkOldAddress, FALSE)))
                     {
                         if (AVrfpDebug & RTL_VRF_DBG_SHOWFOUNDEXPORTS)
                             DbgPrint("AVRF: (%wZ) %Z export found.\n", &LdrEntry->BaseDllName, &ThunkName);
                     }
                     else
                     {
                         if (AVrfpDebug & RTL_VRF_DBG_SHOWFOUNDEXPORTS)
                             DbgPrint("AVRF: warning: did not find `%Z' export in %wZ.\n", &ThunkName, &LdrEntry->BaseDllName);
                     }
                 }
             }

             DllDescriptor->DllFlags |= VERIFIER_DLL_FLAGS_RESOLVED;
         }
     }

     AVrfpSnapDllImports(LdrEntry);
 }


 VOID
 NTAPI
 AVrfDllLoadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 {
     PLIST_ENTRY Entry;

     if (!(NtCurrentPeb()->NtGlobalFlag & FLG_APPLICATION_VERIFIER))
         return;

     RtlEnterCriticalSection(&AVrfpVerifierLock);
     if (!AVrfpIsVerifierProviderDll(LdrEntry->DllBase))
     {
         AvrfpResolveThunks(LdrEntry);

         for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
         {
             PVERIFIER_PROVIDER Provider;
             RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;

             Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);

             ProviderDllLoadCallback = Provider->ProviderDllLoadCallback;
             if (ProviderDllLoadCallback)
             {
                 ProviderDllLoadCallback(LdrEntry->BaseDllName.Buffer,
                                         LdrEntry->DllBase,
                                         LdrEntry->SizeOfImage,
                                         LdrEntry);
             }
         }
     }
     RtlLeaveCriticalSection(&AVrfpVerifierLock);
 }

 VOID
 NTAPI
 AVrfDllUnloadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 {
     PLIST_ENTRY Entry;

     if (!(NtCurrentPeb()->NtGlobalFlag & FLG_APPLICATION_VERIFIER))
         return;

     RtlEnterCriticalSection(&AVrfpVerifierLock);
     if (!AVrfpIsVerifierProviderDll(LdrEntry->DllBase))
     {
         for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
         {
             PVERIFIER_PROVIDER Provider;
             RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;

             Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);

             ProviderDllUnloadCallback = Provider->ProviderDllUnloadCallback;
             if (ProviderDllUnloadCallback)
             {
                 ProviderDllUnloadCallback(LdrEntry->BaseDllName.Buffer,
                                           LdrEntry->DllBase,
                                           LdrEntry->SizeOfImage,
                                           LdrEntry);
             }
         }
     }
     RtlLeaveCriticalSection(&AVrfpVerifierLock);
 }


 VOID
 NTAPI
 AVrfPageHeapDllNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
 {
     /* Check if page heap dll notification is turned on */
     if (!(RtlpDphGlobalFlags & DPH_FLAG_DLL_NOTIFY))
         return;

     /* We don't support this flag currently */
     UNIMPLEMENTED;
 }


 VOID
 NTAPI
 AVrfpResnapInitialModules(VOID)
 {
     PLIST_ENTRY ListHead, ListEntry;

     ListHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
     for (ListEntry = ListHead->Flink; ListHead != ListEntry; ListEntry = ListEntry->Flink)
     {
         PLDR_DATA_TABLE_ENTRY LdrEntry;

         LdrEntry = CONTAINING_RECORD(ListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

         if (AVrfpIsVerifierProviderDll(LdrEntry->DllBase))
         {
             if (AVrfpDebug & RTL_VRF_DBG_SHOWSNAPS)
                 DbgPrint("AVRF: skipped resnapping provider %wZ ...\n", &LdrEntry->BaseDllName);
         }
         else
         {
             if (AVrfpDebug & RTL_VRF_DBG_SHOWSNAPS)
                 DbgPrint("AVRF: resnapping %wZ ...\n", &LdrEntry->BaseDllName);

             AvrfpResolveThunks(LdrEntry);
         }
     }
 }

 PVOID
 NTAPI
 AvrfpFindDuplicateThunk(PLIST_ENTRY EndEntry, PWCHAR DllName, PCHAR ThunkName)
 {
     PLIST_ENTRY Entry;

     for (Entry = AVrfpVerifierProvidersList.Flink; Entry != EndEntry; Entry = Entry->Flink)
     {
         PVERIFIER_PROVIDER Provider;
         PRTL_VERIFIER_DLL_DESCRIPTOR DllDescriptor;

         Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);

         if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
             DbgPrint("AVRF: chain: searching in %wZ\n", &Provider->DllName);

         for (DllDescriptor = Provider->ProviderDlls; DllDescriptor && DllDescriptor->DllName; ++DllDescriptor)
         {
             PRTL_VERIFIER_THUNK_DESCRIPTOR ThunkDescriptor;

             if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
                 DbgPrint("AVRF: chain: dll: %ws\n", DllDescriptor->DllName);

             if (_wcsicmp(DllDescriptor->DllName, DllName))
                 continue;

             for (ThunkDescriptor = DllDescriptor->DllThunks; ThunkDescriptor && ThunkDescriptor->ThunkName; ++ThunkDescriptor)
             {
                 if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
                     DbgPrint("AVRF: chain: thunk: %s == %s ?\n", ThunkDescriptor->ThunkName, ThunkName);

                 if (!_stricmp(ThunkDescriptor->ThunkName, ThunkName))
                 {
                     if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
                         DbgPrint("AVRF: Found duplicate for (%ws: %s) in %wZ\n",
                                     DllDescriptor->DllName, ThunkDescriptor->ThunkName, &Provider->DllName);

                     return ThunkDescriptor->ThunkNewAddress;
                 }
             }
         }
     }
     return NULL;
 }


 VOID
 NTAPI
 AVrfpChainDuplicateThunks(VOID)
 {
     PLIST_ENTRY Entry;
     PVERIFIER_PROVIDER Provider;

     for (Entry = AVrfpVerifierProvidersList.Flink; Entry != &AVrfpVerifierProvidersList; Entry = Entry->Flink)
     {
         PRTL_VERIFIER_DLL_DESCRIPTOR DllDescriptor;
         PRTL_VERIFIER_THUNK_DESCRIPTOR ThunkDescriptor;

         Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);

         for (DllDescriptor = Provider->ProviderDlls; DllDescriptor && DllDescriptor->DllName; ++DllDescriptor)
         {
             for (ThunkDescriptor = DllDescriptor->DllThunks; ThunkDescriptor && ThunkDescriptor->ThunkName; ++ThunkDescriptor)
             {
                 PVOID Ptr;

                 if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING_DEBUG)
                     DbgPrint("AVRF: Checking %wZ for duplicate (%ws: %s)\n",
                              &Provider->DllName, DllDescriptor->DllName, ThunkDescriptor->ThunkName);

                 Ptr = AvrfpFindDuplicateThunk(Entry, DllDescriptor->DllName, ThunkDescriptor->ThunkName);
                 if (Ptr)
                 {
                     if (AVrfpDebug & RTL_VRF_DBG_SHOWCHAINING)
                         DbgPrint("AVRF: Chaining (%ws: %s) to %wZ\n", DllDescriptor->DllName, ThunkDescriptor->ThunkName, &Provider->DllName);

                     ThunkDescriptor->ThunkOldAddress = Ptr;
                 }
             }
         }
     }
 }

 NTSTATUS
 NTAPI
 AVrfpLoadAndInitializeProvider(PVERIFIER_PROVIDER Provider)
 {
     WCHAR StringBuffer[MAX_PATH + 11];
     UNICODE_STRING DllPath;
     PRTL_VERIFIER_PROVIDER_DESCRIPTOR Descriptor;
     PIMAGE_NT_HEADERS ImageNtHeader;
     NTSTATUS Status;

     RtlInitEmptyUnicodeString(&DllPath, StringBuffer, sizeof(StringBuffer));
     RtlAppendUnicodeToString(&DllPath, SharedUserData->NtSystemRoot);
     RtlAppendUnicodeToString(&DllPath, L"\\System32\\");

     if (AVrfpDebug & RTL_VRF_DBG_SHOWSNAPS)
         DbgPrint("AVRF: verifier dll `%wZ'\n", &Provider->DllName);

     Status = LdrLoadDll(DllPath.Buffer, NULL, &Provider->DllName, &Provider->BaseAddress);
     if (!NT_SUCCESS(Status))
     {
         DbgPrint("AVRF: %wZ: failed to load provider `%wZ' (status %08X) from %wZ\n",
                  &LdrpImageEntry->BaseDllName,
                  &Provider->DllName,
                  Status,
                  &DllPath);
         return Status;
     }

     /* Prevent someone funny from specifying his own application as provider */
     ImageNtHeader = RtlImageNtHeader(Provider->BaseAddress);
     if (!ImageNtHeader ||
         !(ImageNtHeader->FileHeader.Characteristics & IMAGE_FILE_DLL))
     {
         DbgPrint("AVRF: provider %wZ is not a DLL image\n", &Provider->DllName);
         return STATUS_DLL_INIT_FAILED;
     }

     Provider->EntryPoint = LdrpFetchAddressOfEntryPoint(Provider->BaseAddress);
     if (!Provider->EntryPoint)
     {
         DbgPrint("AVRF: cannot find an entry point for provider %wZ\n", &Provider->DllName);
         return STATUS_PROCEDURE_NOT_FOUND;
     }

     _SEH2_TRY
     {
         if (LdrpCallInitRoutine(Provider->EntryPoint,
                                 Provider->BaseAddress,
                                 DLL_PROCESS_VERIFIER,
                                 &Descriptor))
         {
             if (Descriptor && Descriptor->Length == sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR))
             {
                 /* Copy the data */
                 Provider->ProviderDlls = Descriptor->ProviderDlls;
                 Provider->ProviderDllLoadCallback = Descriptor->ProviderDllLoadCallback;
                 Provider->ProviderDllUnloadCallback = Descriptor->ProviderDllUnloadCallback;
                 Provider->ProviderNtdllHeapFreeCallback = Descriptor->ProviderNtdllHeapFreeCallback;

                 /* Update some info for the provider */
                 Descriptor->VerifierImage = LdrpImageEntry->BaseDllName.Buffer;
                 Descriptor->VerifierFlags = AVrfpVerifierFlags;
                 Descriptor->VerifierDebug = AVrfpDebug;

                 /* We don't have these yet */
                 DPRINT1("AVRF: RtlpGetStackTraceAddress MISSING\n");
                 DPRINT1("AVRF: RtlpDebugPageHeapCreate MISSING\n");
                 DPRINT1("AVRF: RtlpDebugPageHeapDestroy MISSING\n");
                 Descriptor->RtlpGetStackTraceAddress = NULL;
                 Descriptor->RtlpDebugPageHeapCreate = NULL;
                 Descriptor->RtlpDebugPageHeapDestroy = NULL;
                 Status = STATUS_SUCCESS;
             }
             else
             {
                 DbgPrint("AVRF: provider %wZ passed an invalid descriptor @ %p\n", &Provider->DllName, Descriptor);
                 Status = STATUS_INVALID_PARAMETER_4;
             }
         }
         else
         {
             DbgPrint("AVRF: provider %wZ did not initialize correctly\n", &Provider->DllName);
             Status = STATUS_DLL_INIT_FAILED;
         }
     }
     _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
     {
         Status = _SEH2_GetExceptionCode();
     }
     _SEH2_END;

     if (!NT_SUCCESS(Status))
         return Status;


     if (AVrfpDebug & RTL_VRF_DBG_LISTPROVIDERS)
         DbgPrint("AVRF: initialized provider %wZ (descriptor @ %p)\n", &Provider->DllName, Descriptor);

     /* Done loading providers, allow dll notifications */
     AVrfpInitialized = TRUE;

     AVrfpChainDuplicateThunks();
     AVrfpResnapInitialModules();

     /* Manually call with DLL_PROCESS_ATTACH, since the process is not done initializing */
     _SEH2_TRY
     {
         if (!LdrpCallInitRoutine(Provider->EntryPoint,
                                  Provider->BaseAddress,
                                  DLL_PROCESS_ATTACH,
                                  NULL))
         {
             DbgPrint("AVRF: provider %wZ did not initialize correctly\n", &Provider->DllName);
             Status = STATUS_DLL_INIT_FAILED;
         }

     }
     _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
     {
         Status = _SEH2_GetExceptionCode();
     }
     _SEH2_END;

     return Status;
 }


 NTSTATUS
 NTAPI
 AVrfInitializeVerifier(VOID)
 {
     NTSTATUS Status;
     PVERIFIER_PROVIDER Provider;
     PLIST_ENTRY Entry;
     WCHAR* Ptr, *Next;

     Status = RtlInitializeCriticalSection(&AVrfpVerifierLock);
     InitializeListHead(&AVrfpVerifierProvidersList);

     if (!NT_SUCCESS(Status))
         return Status;

     DbgPrint("AVRF: %wZ: pid 0x%X: flags 0x%X: application verifier enabled\n",
              &LdrpImageEntry->BaseDllName, NtCurrentTeb()->ClientId.UniqueProcess, AVrfpVerifierFlags);

     Provider = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(VERIFIER_PROVIDER));
     if (!Provider)
         return STATUS_NO_MEMORY;

     RtlInitUnicodeString(&Provider->DllName, L"verifier.dll");
     InsertTailList(&AVrfpVerifierProvidersList, &Provider->ListEntry);

     Next = AVrfpVerifierDllsString;

     do
     {
         while (*Next == L' ' || *Next == L'\t')
             Next++;

         Ptr = Next;

         while (*Next != ' ' && *Next != '\t' && *Next)
             Next++;

         if (*Next)
             *(Next++) = '\0';
         else
             Next = NULL;

         if (*Ptr)
         {
             Provider = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(VERIFIER_PROVIDER));
             if (!Provider)
                 return STATUS_NO_MEMORY;
             RtlInitUnicodeString(&Provider->DllName, Ptr);
             InsertTailList(&AVrfpVerifierProvidersList, &Provider->ListEntry);
         }
     } while (Next);

     Entry = AVrfpVerifierProvidersList.Flink;
     while (Entry != &AVrfpVerifierProvidersList)
     {
         Provider = CONTAINING_RECORD(Entry, VERIFIER_PROVIDER, ListEntry);
         Entry = Entry->Flink;

         Status = AVrfpLoadAndInitializeProvider(Provider);
         if (!NT_SUCCESS(Status))
         {
             RemoveEntryList(&Provider->ListEntry);
             RtlFreeHeap(RtlGetProcessHeap(), 0, Provider);
         }
     }

     if (!NT_SUCCESS(Status))
     {
         DbgPrint("AVRF: %wZ: pid 0x%X: application verifier will be disabled due to an initialization error.\n",
                  &LdrpImageEntry->BaseDllName, NtCurrentTeb()->ClientId.UniqueProcess);
         NtCurrentPeb()->NtGlobalFlag &= ~FLG_APPLICATION_VERIFIER;
     }

     return Status;
 }

PCHAR
signed char * PCHAR
Definition: retypes.h:7

AVrfPageHeapDllNotification
VOID NTAPI AVrfPageHeapDllNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
Definition: verifier.c:361

_VERIFIER_PROVIDER::ListEntry
LIST_ENTRY ListEntry
Definition: verifier.c:29

_RTL_VERIFIER_DLL_DESCRIPTOR::DllThunks
PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks
Definition: verifier.h:20

_VERIFIER_PROVIDER::ProviderNtdllHeapFreeCallback
RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback
Definition: verifier.c:38

IN
#define IN
Definition: typedefs.h:39

LdrQueryImageFileKeyOption
NTSTATUS NTAPI LdrQueryImageFileKeyOption(IN HANDLE KeyHandle, IN PCWSTR ValueName, IN ULONG Type, OUT PVOID Buffer, IN ULONG BufferSize, OUT PULONG ReturnedLength OPTIONAL)
Definition: ldrinit.c:184

_VERIFIER_PROVIDER::ProviderDllUnloadCallback
RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback
Definition: verifier.c:37

RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK
VOID(NTAPI * RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)(PVOID AllocationBase, SIZE_T AllocationSize)
Definition: verifier.h:8

Peb
PPEB Peb
Definition: dllmain.c:27

AVrfpVerifierLock
RTL_CRITICAL_SECTION AVrfpVerifierLock
Definition: verifier.c:21

Descriptor
_Must_inspect_result_ _In_ WDFIORESLIST _In_ PIO_RESOURCE_DESCRIPTOR Descriptor
Definition: wdfresource.h:339

DbgPrint
#define DbgPrint
Definition: hal.h:12

Entry
struct _Entry Entry
Definition: kefuncs.h:627

PVERIFIER_PROVIDER
struct _VERIFIER_PROVIDER * PVERIFIER_PROVIDER

KeyHandle
_Must_inspect_result_ _Out_ PNDIS_STATUS _In_ NDIS_HANDLE _In_ ULONG _Out_ PNDIS_STRING _Out_ PNDIS_HANDLE KeyHandle
Definition: ndis.h:4711

TRUE
#define TRUE
Definition: types.h:120

RTL_VRF_DBG_SHOWVERIFIEDEXPORTS
#define RTL_VRF_DBG_SHOWVERIFIEDEXPORTS
Definition: verifier.h:71

RTL_VERIFIER_DLL_LOAD_CALLBACK
VOID(NTAPI * RTL_VERIFIER_DLL_LOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
Definition: verifier.h:6

Ptr
_Must_inspect_result_ _In_ PFSRTL_PER_STREAM_CONTEXT Ptr
Definition: fsrtlfuncs.h:898

RTL_VRF_DBG_SHOWSNAPS
#define RTL_VRF_DBG_SHOWSNAPS
Definition: verifier.h:69

AVrfDllUnloadNotification
VOID NTAPI AVrfDllUnloadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
Definition: verifier.c:328

NtProtectVirtualMemory
NTSTATUS NTAPI NtProtectVirtualMemory(IN HANDLE ProcessHandle, IN OUT PVOID *UnsafeBaseAddress, IN OUT SIZE_T *UnsafeNumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG UnsafeOldAccessProtection)
Definition: virtual.c:3100

NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26

RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606

AVrfpIsVerifierProviderDll
BOOLEAN AVrfpIsVerifierProviderDll(PVOID BaseAddress)
Definition: verifier.c:103

AVrfpSnapDllImports
VOID AVrfpSnapDllImports(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
Definition: verifier.c:129

RtlEnterCriticalSection
NTSYSAPI NTSTATUS NTAPI RtlEnterCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)

Size
IN PVOID IN PVOID IN USHORT IN USHORT Size
Definition: pci.h:361

DLL_PROCESS_ATTACH
#define DLL_PROCESS_ATTACH
Definition: compat.h:131

PWCHAR
uint16_t * PWCHAR
Definition: typedefs.h:56

u1
GLdouble u1
Definition: glext.h:8308

DLL_PROCESS_VERIFIER
#define DLL_PROCESS_VERIFIER
Definition: verifier.h:4

_VERIFIER_PROVIDER::ProviderDllLoadCallback
RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback
Definition: verifier.c:36

InsertTailList
#define InsertTailList(ListHead, Entry)
Definition: env_spec_w32.h:1003

if
if(dx==0 &&dy==0)
Definition: linetemp.h:174

RTL_VRF_FLG_FAST_FILL_HEAP
#define RTL_VRF_FLG_FAST_FILL_HEAP
Definition: verifier.h:60

_CLIENT_ID::UniqueProcess
HANDLE UniqueProcess
Definition: compat.h:684

_VERIFIER_PROVIDER::ProviderDlls
PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls
Definition: verifier.c:35

AVrfpDebug
ULONG AVrfpDebug
Definition: verifier.c:19

_stricmp
#define _stricmp
Definition: cat.c:22

_RTL_VERIFIER_THUNK_DESCRIPTOR
Definition: verifier.h:10

RtlpPageHeapEnabled
BOOLEAN RtlpPageHeapEnabled
Definition: heappage.c:106

IMAGE_FILE_DLL
#define IMAGE_FILE_DLL
Definition: pedump.c:169

_SEH2_TRY
_SEH2_TRY
Definition: create.c:4226

RTL_VERIFIER_DLL_UNLOAD_CALLBACK
VOID(NTAPI * RTL_VERIFIER_DLL_UNLOAD_CALLBACK)(PWSTR DllName, PVOID DllBase, SIZE_T DllSize, PVOID Reserved)
Definition: verifier.h:7

_RTL_VERIFIER_DLL_DESCRIPTOR
Definition: verifier.h:16

RtlInitAnsiString
NTSYSAPI VOID NTAPI RtlInitAnsiString(PANSI_STRING DestinationString, PCSZ SourceString)

RemoveEntryList
FORCEINLINE BOOLEAN RemoveEntryList(_In_ PLIST_ENTRY Entry)
Definition: rtlfuncs.h:105

_LDR_DATA_TABLE_ENTRY::DllBase
PVOID DllBase
Definition: btrfs_drv.h:1926

_PEB::NtGlobalFlag
ULONG NtGlobalFlag
Definition: ntddk_ex.h:270

_IMAGE_IMPORT_DESCRIPTOR::Name
ULONG Name
Definition: ntimage.h:579

AVrfpVerifierProvidersList
LIST_ENTRY AVrfpVerifierProvidersList
Definition: verifier.c:22

AVrfpChainDuplicateThunks
VOID NTAPI AVrfpChainDuplicateThunks(VOID)
Definition: verifier.c:448

NTAPI
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117

FALSE
#define FALSE
Definition: types.h:117

UNICODE_NULL
#define UNICODE_NULL

_RTL_VERIFIER_THUNK_DESCRIPTOR::ThunkName
PCHAR ThunkName
Definition: verifier.h:11

BOOL
unsigned int BOOL
Definition: ntddk_ex.h:94

RtlLeaveCriticalSection
NTSYSAPI NTSTATUS NTAPI RtlLeaveCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)

_UNICODE_STRING::Buffer
PWSTR Buffer
Definition: env_spec_w32.h:371

_ANSI_STRING
Definition: env_spec_w32.h:375

_IMAGE_NT_HEADERS
Definition: ntddk_ex.h:181

_RTL_VERIFIER_PROVIDER_DESCRIPTOR
Definition: verifier.h:23

BOOLEAN
unsigned char BOOLEAN
Definition: ProcessorBind.h:185

RtlpDphGlobalFlags
ULONG RtlpDphGlobalFlags
Definition: heappage.c:107

LdrpFetchAddressOfEntryPoint
PVOID NTAPI LdrpFetchAddressOfEntryPoint(PVOID ImageBase)

LdrpInitializeApplicationVerifierPackage
NTSTATUS NTAPI LdrpInitializeApplicationVerifierPackage(HANDLE KeyHandle, PPEB Peb, BOOLEAN SystemWide, BOOLEAN ReadAdvancedOptions)
Definition: verifier.c:82

FLG_APPLICATION_VERIFIER
#define FLG_APPLICATION_VERIFIER
Definition: pstypes.h:64

AVrfpVerifierFlags
ULONG AVrfpVerifierFlags
Definition: verifier.c:17

_RTL_VERIFIER_THUNK_DESCRIPTOR::ThunkOldAddress
PVOID ThunkOldAddress
Definition: verifier.h:12

_VERIFIER_PROVIDER
Definition: verifier.c:27

_IMAGE_NT_HEADERS::FileHeader
IMAGE_FILE_HEADER FileHeader
Definition: ntddk_ex.h:183

CONTAINING_RECORD
PFLT_MESSAGE_WAITER_QUEUE CONTAINING_RECORD(Csq, DEVICE_EXTENSION, IrpQueue)) -> WaiterQ.mLock) _IRQL_raises_(DISPATCH_LEVEL) VOID NTAPI FltpAcquireMessageWaiterLock(_In_ PIO_CSQ Csq, _Out_ PKIRQL Irql)
Definition: Messaging.c:560

AVrfDllLoadNotification
VOID NTAPI AVrfDllLoadNotification(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
Definition: verifier.c:294

NtCurrentProcess
#define NtCurrentProcess()
Definition: nt_native.h:1657

RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588

_IMAGE_FILE_HEADER::Characteristics
WORD Characteristics
Definition: ntddk_ex.h:128

Status
Status
Definition: gdiplustypes.h:24

_IMAGE_IMPORT_DESCRIPTOR::OriginalFirstThunk
ULONG OriginalFirstThunk
Definition: ntimage.h:575

RtlAppendUnicodeToString
NTSTATUS RtlAppendUnicodeToString(IN PUNICODE_STRING Str1, IN PWSTR Str2)
Definition: string_lib.cpp:62

_LIST_ENTRY::Flink
struct _LIST_ENTRY * Flink
Definition: typedefs.h:121

_RTL_VERIFIER_DLL_DESCRIPTOR::DllFlags
DWORD DllFlags
Definition: verifier.h:18

Count
int Count
Definition: noreturn.cpp:7

BaseAddress
_In_ HANDLE _Outptr_result_bytebuffer_ ViewSize PVOID * BaseAddress
Definition: mmfuncs.h:404

Provider
Definition: provider.h:9

ClientId
_Out_ PCLIENT_ID ClientId
Definition: kefuncs.h:1163

WCHAR
__wchar_t WCHAR
Definition: xmlstorage.h:180

RtlInitializeCriticalSection
NTSYSAPI NTSTATUS NTAPI RtlInitializeCriticalSection(_In_ PRTL_CRITICAL_SECTION CriticalSection)

NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32

_RTL_VERIFIER_DLL_DESCRIPTOR::DllName
PWCHAR DllName
Definition: verifier.h:17

EXCEPTION_EXECUTE_HANDLER
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85

_IMAGE_THUNK_DATA32::Function
ULONG Function
Definition: ntimage.h:513

FLG_HEAP_PAGE_ALLOCS
#define FLG_HEAP_PAGE_ALLOCS
Definition: pstypes.h:84

MAX_PATH
#define MAX_PATH
Definition: compat.h:34

RTL_VRF_DBG_LISTPROVIDERS
#define RTL_VRF_DBG_LISTPROVIDERS
Definition: verifier.h:72

LdrpGetProcedureAddress
NTSTATUS NTAPI LdrpGetProcedureAddress(IN PVOID BaseAddress, IN PANSI_STRING Name, IN ULONG Ordinal, OUT PVOID *ProcedureAddress, IN BOOLEAN ExecuteInit)
Definition: ldrutils.c:2252

AvrfpResolveThunks
VOID AvrfpResolveThunks(IN PLDR_DATA_TABLE_ENTRY LdrEntry)
Definition: verifier.c:235

verifier.h

RTL_VRF_FLG_HANDLE_CHECKS
#define RTL_VRF_FLG_HANDLE_CHECKS
Definition: verifier.h:47

AVrfpInitialized
BOOL AVrfpInitialized
Definition: verifier.c:20

_RTL_CRITICAL_SECTION
Definition: rtltypes.h:1427

VERIFIER_DLL_FLAGS_RESOLVED
#define VERIFIER_DLL_FLAGS_RESOLVED
Definition: verifier.c:24

SharedUserData
#define SharedUserData

AvrfpFindDuplicateThunk
PVOID NTAPI AvrfpFindDuplicateThunk(PLIST_ENTRY EndEntry, PWCHAR DllName, PCHAR ThunkName)
Definition: verifier.c:402

L
static const WCHAR L[]
Definition: oid.c:1250

RtlImageDirectoryEntryToData
#define RtlImageDirectoryEntryToData
Definition: compat.h:668

_LDR_DATA_TABLE_ENTRY
Definition: btrfs_drv.h:1922

LdrLoadDll
NTSTATUS NTAPI DECLSPEC_HOTPATCH LdrLoadDll(IN PWSTR SearchPath OPTIONAL, IN PULONG DllCharacteristics OPTIONAL, IN PUNICODE_STRING DllName, OUT PVOID *BaseAddress)
Definition: ldrapi.c:310

_LIST_ENTRY
Definition: typedefs.h:119

_RTL_VERIFIER_THUNK_DESCRIPTOR::ThunkNewAddress
PVOID ThunkNewAddress
Definition: verifier.h:13

_IMAGE_IMPORT_DESCRIPTOR::FirstThunk
ULONG FirstThunk
Definition: ntimage.h:580

AVrfpVerifierDllsString
WCHAR AVrfpVerifierDllsString[256]
Definition: verifier.c:18

SIZE_T
ULONG_PTR SIZE_T
Definition: typedefs.h:80

STATUS_DLL_INIT_FAILED
#define STATUS_DLL_INIT_FAILED
Definition: ntstatus.h:558

_UNICODE_STRING
Definition: env_spec_w32.h:368

_SEH2_END
_SEH2_END
Definition: create.c:4400

_PEB
Definition: btrfs_drv.h:1953

NtCurrentTeb
FORCEINLINE struct _TEB * NtCurrentTeb(VOID)
Definition: psfuncs.h:420

_IMAGE_THUNK_DATA32::u1
union _IMAGE_THUNK_DATA32::@2078 u1

NtCurrentPeb
#define NtCurrentPeb()
Definition: FLS.c:22

_VERIFIER_PROVIDER::DllName
UNICODE_STRING DllName
Definition: verifier.c:30

DllPath
static const char const char * DllPath
Definition: image.c:34

InitializeListHead
#define InitializeListHead(ListHead)
Definition: env_spec_w32.h:944

STATUS_NO_MEMORY
#define STATUS_NO_MEMORY
Definition: ntstatus.h:260

AVrfpLoadAndInitializeProvider
NTSTATUS NTAPI AVrfpLoadAndInitializeProvider(PVERIFIER_PROVIDER Provider)
Definition: verifier.c:485

_LDR_DATA_TABLE_ENTRY::BaseDllName
UNICODE_STRING BaseDllName
Definition: ldrtypes.h:145

NULL
#define NULL
Definition: types.h:112

STATUS_PROCEDURE_NOT_FOUND
#define STATUS_PROCEDURE_NOT_FOUND
Definition: ntstatus.h:358

HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:134

_IMAGE_THUNK_DATA32
Definition: ntimage.h:510

DPH_FLAG_DLL_NOTIFY
#define DPH_FLAG_DLL_NOTIFY
Definition: ntdllp.h:24

DPRINT1
#define DPRINT1
Definition: precomp.h:8

RtlImageNtHeader
#define RtlImageNtHeader
Definition: compat.h:665

IMAGE_DIRECTORY_ENTRY_IMPORT
#define IMAGE_DIRECTORY_ENTRY_IMPORT
Definition: pedump.c:260

LdrpImageEntry
PLDR_DATA_TABLE_ENTRY LdrpImageEntry
Definition: ldrinit.c:39

RTL_VRF_DBG_SHOWFOUNDEXPORTS
#define RTL_VRF_DBG_SHOWFOUNDEXPORTS
Definition: verifier.h:70

AVrfReadIFEO
VOID NTAPI AVrfReadIFEO(HANDLE KeyHandle)
Definition: verifier.c:46

ULONG
unsigned int ULONG
Definition: retypes.h:1

RTL_VRF_FLG_LOCK_CHECKS
#define RTL_VRF_FLG_LOCK_CHECKS
Definition: verifier.h:64

RtlInitUnicodeString
NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString)

UNIMPLEMENTED
#define UNIMPLEMENTED
Definition: debug.h:115

ImageNtHeader
PIMAGE_NT_HEADERS WINAPI ImageNtHeader(_In_ PVOID)

RTL_VRF_DBG_SHOWCHAINING
#define RTL_VRF_DBG_SHOWCHAINING
Definition: verifier.h:73

_SEH2_EXCEPT
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40

PAGE_EXECUTE_READWRITE
#define PAGE_EXECUTE_READWRITE
Definition: nt_native.h:1308

AVrfpResnapInitialModules
VOID NTAPI AVrfpResnapInitialModules(VOID)
Definition: verifier.c:374

VERIFIER_PROVIDER
struct _VERIFIER_PROVIDER VERIFIER_PROVIDER

STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65

_SEH2_GetExceptionCode
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165

void
Definition: nsiface.idl:2306

STATUS_INVALID_PARAMETER_4
#define STATUS_INVALID_PARAMETER_4
Definition: ntstatus.h:478

NtGlobalFlag
ULONG NtGlobalFlag
Definition: init.c:52

REG_DWORD
#define REG_DWORD
Definition: sdbapi.c:596

AVrfInitializeVerifier
NTSTATUS NTAPI AVrfInitializeVerifier(VOID)
Definition: verifier.c:612

StringBuffer
WCHAR StringBuffer[156]
Definition: ldrinit.c:41

_IMAGE_IMPORT_DESCRIPTOR
Definition: ntimage.h:572

PBYTE
BYTE * PBYTE
Definition: pedump.c:66

Entry
base of all file and directory entries
Definition: entries.h:82

_wcsicmp
_Check_return_ _CRTIMP int __cdecl _wcsicmp(_In_z_ const wchar_t *_Str1, _In_z_ const wchar_t *_Str2)

RTL_VRF_DBG_SHOWCHAINING_DEBUG
#define RTL_VRF_DBG_SHOWCHAINING_DEBUG
Definition: verifier.h:74

_VERIFIER_PROVIDER::BaseAddress
PVOID BaseAddress
Definition: verifier.c:31

AVrfpCountThunks
SIZE_T AVrfpCountThunks(PIMAGE_THUNK_DATA Thunk)
Definition: verifier.c:120

PIMAGE_THUNK_DATA
PIMAGE_THUNK_DATA32 PIMAGE_THUNK_DATA
Definition: ntimage.h:566

_VERIFIER_PROVIDER::EntryPoint
PVOID EntryPoint
Definition: verifier.c:32

LdrpCallInitRoutine
BOOLEAN NTAPI LdrpCallInitRoutine(IN PDLL_INIT_ROUTINE EntryPoint, IN PVOID BaseAddress, IN ULONG Reason, IN PVOID Context)
Definition: ldrutils.c:100

REG_SZ
#define REG_SZ
Definition: layer.c:22