aux_klib.c File Reference

#include <ntifs.h>
#include <ntintsafe.h>
#include <ndk/ntndk.h>
#include <pseh/pseh2.h>
#include <aux_klib.h>

Include dependency graph for aux_klib.c:

Go to the source code of this file.

Macros
#define	TAG_AUXK   'AuxK'

Typedefs
typedef NTSTATUS(NTAPI *	PFN_RTLQUERYMODULEINFORMATION) (PULONG, ULONG, PVOID)

Functions
NTSTATUS NTAPI	AuxKlibInitialize (VOID)
NTSTATUS NTAPI	AuxKlibQueryModuleInformation (_In_ PULONG InformationLength, _In_ ULONG SizePerModule, _Inout_ PAUX_MODULE_EXTENDED_INFO ModuleInfo)
NTSTATUS	AuxKlibGetBugCheckData (_Inout_ PKBUGCHECK_DATA BugCheckData)
PIMAGE_EXPORT_DIRECTORY	AuxKlibGetImageExportDirectory (_In_ PVOID ImageBase)
	_IRQL_requires_max_ (PASSIVE_LEVEL)
	Queries information details about a security descriptor.

Variables
PFN_RTLQUERYMODULEINFORMATION	pfnRtlQueryModuleInformation
LONG	gKlibInitialized = 0

Macro Definition Documentation

TAG_AUXK

#define TAG_AUXK   'AuxK'

Definition at line 15 of file aux_klib.c.

Typedef Documentation

PFN_RTLQUERYMODULEINFORMATION

typedef NTSTATUS(NTAPI * PFN_RTLQUERYMODULEINFORMATION) (PULONG, ULONG, PVOID)

Definition at line 17 of file aux_klib.c.

Function Documentation

_IRQL_requires_max_()

_IRQL_requires_max_

(

PASSIVE_LEVEL

)

Queries information details about a security descriptor.

Computes the quota size of a security descriptor.

Assigns a security descriptor for a new object.

An extended function that assigns a security descriptor for a new object.

Frees a security descriptor.

An extended function that sets new information data to a security descriptor.

Modifies some information data about a security descriptor.

Parameters

[in]	SecurityInformation	Security information details to be queried from a security descriptor.
[out]	SecurityDescriptor	The returned security descriptor with security information data.
[in,out]	Length	The returned length of a security descriptor.
[in,out]	ObjectsSecurityDescriptor	The returned object security descriptor.

Returns

Returns STATUS_SUCCESS if the operations have been completed successfully and that the specific information about the security descriptor has been queried. STATUS_BUFFER_TOO_SMALL is returned if the buffer size is too small to contain the queried info about the security descriptor.

Parameters

[in]	Object	If specified, the function will use this arbitrary object that points to an object security descriptor.
[in]	SecurityInformation	Security information details to be set.
[in]	SecurityDescriptor	A security descriptor where its info is to be changed.
[in,out]	ObjectsSecurityDescriptor	The returned pointer to security descriptor objects.
[in]	PoolType	Pool type for the new security descriptor to allocate.
[in]	GenericMapping	The generic mapping of access rights masks.

Returns

See SeSetSecurityDescriptorInfoEx.

Parameters

[in]	Object	If specified, the function will use this arbitrary object that points to an object security descriptor.
[in]	SecurityInformation	Security information details to be set.
[in]	SecurityDescriptor	A security descriptor where its info is to be changed.
[in,out]	ObjectsSecurityDescriptor	The returned pointer to security descriptor objects.
[in]	AutoInheritFlags	Flags bitmask inheritation, influencing how the security descriptor can be inherited and if it can be in the first place.
[in]	PoolType	Pool type for the new security descriptor to allocate.
[in]	GenericMapping	The generic mapping of access rights masks.

Returns

Returns STATUS_SUCCESS if the operations have been completed without problems and that new info has been set to the security descriptor. STATUS_NO_SECURITY_ON_OBJECT is returned if the object does not have a security descriptor. STATUS_INSUFFICIENT_RESOURCES is returned if memory pool allocation for the new security descriptor with new info set has failed.

Parameters

[in]

SecurityDescriptor

A security descriptor to be freed from memory.

Returns

Returns STATUS_SUCCESS.

Parameters

[in]	_ParentDescriptor	A security descriptor of the parent object that is being created.
[in]	_ExplicitDescriptor	An explicit security descriptor that is applied to a new object.
[out]	NewDescriptor	The new allocated security descriptor.
[in]	ObjectType	The type of the new object.
[in]	IsDirectoryObject	Set this to TRUE if the newly created object is a directory object, otherwise set this to FALSE.
[in]	AutoInheritFlags	Automatic inheritance flags that influence how access control entries within ACLs from security descriptors are inherited.
[in]	SubjectContext	Security subject context of the new object.
[in]	GenericMapping	Generic mapping of access mask rights.
[in]	PoolType	This parameter is unused.

Returns

Returns STATUS_SUCCESS if the operations have been completed successfully and that the security descriptor has been assigned to the new object. STATUS_NO_TOKEN is returned if the caller hasn't supplied a valid argument to a security subject context. STATUS_INVALID_OWNER is returned if the caller hasn't supplied a parent descriptor that belongs to the main user (owner). STATUS_INVALID_PRIMARY_GROUP is returned by the same reason as with the previous NTSTATUS code. The two NTSTATUS codes are returned if the calling thread stated that the owner and/or group is defaulted to the parent descriptor (SEF_DEFAULT_OWNER_FROM_PARENT and/or SEF_DEFAULT_GROUP_FROM_PARENT respectively). STATUS_INSUFFICIENT_RESOURCES is returned if memory pool allocation for the descriptor buffer has failed. A failure NTSTATUS is returned otherwise.

Parameters

[in]	ParentDescriptor	A security descriptor of the parent object that is being created.
[in]	ExplicitDescriptor	An explicit security descriptor that is applied to a new object.
[out]	NewDescriptor	The new allocated security descriptor.
[in]	IsDirectoryObject	Set this to TRUE if the newly created object is a directory object, otherwise set this to FALSE.
[in]	SubjectContext	Security subject context of the new object.
[in]	GenericMapping	Generic mapping of access mask rights.
[in]	PoolType	This parameter is unused.

Returns

See SeAssignSecurityEx.

Parameters

[in]	SecurityDescriptor	A security descriptor.
[out]	QuotaInfoSize	The returned quota size of the given security descriptor to the caller. The function may return 0 to this parameter if the descriptor doesn't have a group or a discretionary access control list (DACL) even.

Returns

Returns STATUS_SUCCESS if the quota size of a security descriptor has been computed successfully. STATUS_UNKNOWN_REVISION is returned if the security descriptor has an invalid revision.

Definition at line 203 of file aux_klib.c.

{
    return STATUS_NOT_IMPLEMENTED;
}

AuxKlibGetBugCheckData()

NTSTATUS AuxKlibGetBugCheckData

(

_Inout_ PKBUGCHECK_DATA

BugCheckData

)

Definition at line 178 of file aux_klib.c.

{
    if (BugCheckData->BugCheckDataSize != sizeof(*BugCheckData))
    {
        return STATUS_INFO_LENGTH_MISMATCH;
    }
 
    BugCheckData->BugCheckCode = KiBugCheckData[0];
    BugCheckData->Parameter1 = KiBugCheckData[1];
    BugCheckData->Parameter2 = KiBugCheckData[2];
    BugCheckData->Parameter3 = KiBugCheckData[3];
    BugCheckData->Parameter4 = KiBugCheckData[4];
 
    return STATUS_SUCCESS;
}

Referenced by FxpBugCheckCallbackFilter().

AuxKlibGetImageExportDirectory()

PIMAGE_EXPORT_DIRECTORY AuxKlibGetImageExportDirectory

(

_In_ PVOID

ImageBase

)

Definition at line 196 of file aux_klib.c.

{
    ULONG size;
    return RtlImageDirectoryEntryToData(ImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &size);
}

AuxKlibInitialize()

NTSTATUS NTAPI AuxKlibInitialize

(

VOID

)

Definition at line 26 of file aux_klib.c.

{
    RTL_OSVERSIONINFOW osVersion;
    UNICODE_STRING strRtlQueryModuleInformation = RTL_CONSTANT_STRING(L"RtlQueryModuleInformation");
 
    PAGED_CODE();
 
    if (!gKlibInitialized)
    {
        RtlGetVersion(&osVersion);
        if (osVersion.dwMajorVersion >= 5)
        {
            pfnRtlQueryModuleInformation = MmGetSystemRoutineAddress(&strRtlQueryModuleInformation);
            InterlockedExchange(&gKlibInitialized, 1);
        }
        else
        {
            return STATUS_NOT_SUPPORTED;
        }
    }
 
    return STATUS_SUCCESS;
}

Referenced by DllInitialize(), and FxpGetImageBase().

AuxKlibQueryModuleInformation()

NTSTATUS NTAPI AuxKlibQueryModuleInformation	(	_In_ PULONG	InformationLength,
		_In_ ULONG	SizePerModule,
		_Inout_ PAUX_MODULE_EXTENDED_INFO	ModuleInfo
	)

Definition at line 53 of file aux_klib.c.

{
    NTSTATUS status;
 
    PAGED_CODE();
 
    if (gKlibInitialized != 1)
    {
        return STATUS_UNSUCCESSFUL;
    }
 
    // if we have the function exported from the kernel, use it
    if (pfnRtlQueryModuleInformation != NULL)
    {
        return pfnRtlQueryModuleInformation(InformationLength, SizePerModule, ModuleInfo);
    }
 
    if (SizePerModule != sizeof(AUX_MODULE_BASIC_INFO) &&
        SizePerModule != sizeof(AUX_MODULE_EXTENDED_INFO))
    {
        return STATUS_INVALID_PARAMETER_2;
    }
 
    if ((ULONG_PTR)ModuleInfo & (TYPE_ALIGNMENT(AUX_MODULE_EXTENDED_INFO) - 1))
    {
        return STATUS_INVALID_PARAMETER_3;
    }
 
    // first call the function with a place for only 1 module
    RTL_PROCESS_MODULES processModulesMinimal;
    PRTL_PROCESS_MODULES processModules = &processModulesMinimal;
    ULONG sysInfoLength = sizeof(processModulesMinimal);
    ULONG resultLength;
 
    // loop until we have a large-enough buffer for all modules
    do
    {
        status = ZwQuerySystemInformation(SystemModuleInformation,
                                          processModules,
                                          sysInfoLength,
                                          &resultLength);
 
        if (status == STATUS_INFO_LENGTH_MISMATCH)
        {
            // free the old buffer if it's not the first one
            if (processModules != &processModulesMinimal)
            {
                ExFreePoolWithTag(processModules, TAG_AUXK);
            }
 
            _SEH2_TRY
            {
                // allocate the new one
                processModules = ExAllocatePoolWithQuotaTag(PagedPool, resultLength, TAG_AUXK);
            }
            _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
            {
                _SEH2_YIELD(return _SEH2_GetExceptionCode());
            }
            _SEH2_END;
 
            if (!processModules)
            {
                return STATUS_INSUFFICIENT_RESOURCES;
            }
            sysInfoLength = resultLength;
        }
 
    } while (status == STATUS_INFO_LENGTH_MISMATCH);
 
    if (!NT_SUCCESS(status))
    {
        goto Cleanup;
    }
 
    ULONG modulesSize;
    status = RtlULongMult(SizePerModule, processModules->NumberOfModules, &modulesSize);
    if (!NT_SUCCESS(status))
    {
        goto Cleanup;
    }
 
    if (ModuleInfo == NULL)
    {
        ASSERT(status == STATUS_SUCCESS);
        *InformationLength = modulesSize;
        goto Cleanup;
    }
 
    if (*InformationLength < modulesSize)
    {
        status = STATUS_BUFFER_TOO_SMALL;
        *InformationLength = modulesSize;
        goto Cleanup;
    }
 
    // copy the information to the input array
    for (UINT32 i = 0; i < processModules->NumberOfModules; i++)
    {
        ModuleInfo[i].BasicInfo.ImageBase = processModules->Modules[i].ImageBase;
 
        if (SizePerModule == sizeof(AUX_MODULE_EXTENDED_INFO))
        {
            ModuleInfo[i].ImageSize = processModules->Modules[i].ImageSize;
            ModuleInfo[i].FileNameOffset = processModules->Modules[i].OffsetToFileName;
            RtlCopyMemory(&ModuleInfo[i].FullPathName,
                          processModules->Modules[i].FullPathName,
                          sizeof(processModules->Modules[i].FullPathName));
        }
    }
 
Cleanup:
    // don't accidentally free the stack buffer
    if (processModules != NULL && processModules != &processModulesMinimal)
    {
        ExFreePoolWithTag(processModules, TAG_AUXK);
    }
 
    return status;
}

Referenced by FxpGetImageBase(), and GetImageInfo().

Variable Documentation

gKlibInitialized

LONG gKlibInitialized = 0

Definition at line 20 of file aux_klib.c.

Referenced by AuxKlibInitialize(), and AuxKlibQueryModuleInformation().

pfnRtlQueryModuleInformation

PFN_RTLQUERYMODULEINFORMATION pfnRtlQueryModuleInformation

Definition at line 19 of file aux_klib.c.

Referenced by AuxKlibInitialize(), and AuxKlibQueryModuleInformation().