Beispiel #1
0
void win32k_entry_point( void *lParam){

	unsigned int len = INI();
	char * data = INI();
	//..
	PMY_STRUCT my_struct = (PMY_STRUCT)lParam;

	/*fake function to simulate data transfer from user to kernel in Windows*/
	__get_user(data, &my_struct->lpData); // fetch of another value, but didn't cause disturbance

	if(data != NULL){

		__get_user(len, &my_struct->cbData);// first fetch

		unsigned int cbCapture = sizeof(MY_STRUCT) + len;

		char* my_allocation = UserAllocPoolWithQuota(cbCapture, TAG_SMS_CAPTURE);

		if (my_allocation != NULL){
			//..
			__get_user(len, &my_struct->cbData);         //second fetch

			RtlCopyMemory(my_allocation, data, len);    //use
		}

	}

	//...

}
Beispiel #2
0
BOOL xxxRegisterUserHungAppHandlers(
    PFNW32ET pfnW32EndTask,
    HANDLE   hEventWowExec)
{
    BOOL   bRetVal;
    PPROCESSINFO    ppi;
    PWOWPROCESSINFO pwpi;

    //
    //  Allocate the per wow process info stuff
    //  ensuring the memory is Zero init.
    //
    pwpi = (PWOWPROCESSINFO) UserAllocPoolWithQuota(sizeof(WOWPROCESSINFO), TAG_WOW);
    if (!pwpi)
        return FALSE;
    RtlZeroMemory(pwpi, sizeof(*pwpi));

    //
    // Reference the WowExec event for kernel access
    //
    bRetVal = NT_SUCCESS(ObReferenceObjectByHandle(
                 hEventWowExec,
                 EVENT_ALL_ACCESS,
                 NULL,
                 UserMode,
                 &pwpi->pEventWowExec,
                 NULL
                 ));

    //
    //  if sucess then intialize the pwpi, ppi structs
    //  else free allocated memory
    //
    if (bRetVal) {
        pwpi->hEventWowExecClient = hEventWowExec;
        pwpi->lpfnWowExitTask = (DWORD)pfnW32EndTask;
        ppi = PpiCurrent();
        ppi->pwpi = pwpi;

        // add to the list, order doesn't matter
        pwpi->pwpiNext = gpwpiFirstWow;
        gpwpiFirstWow  = pwpi;

        }
    else {
        UserFreePool(pwpi);
        }

   return bRetVal;
}
Beispiel #3
0
/***************************************************************************\
* xxxMessageEvent
*
* Description:  Called when a hooked DDE message is sent or posted.  flags
*   specifies the applicable MF_ flag.  This is called in the server side
*   context of the sender or poster which may or may not be a DDEML process.
*   pdmhd contains DDE data extracted and copied from the client side.
*
* History:
* 12-1-91   sanfords    Created.
\***************************************************************************/
VOID xxxMessageEvent(
PWND pwndTo,
UINT message,
WPARAM wParam,
LPARAM lParam,
DWORD flag,
PDDEML_MSG_HOOK_DATA pdmhd)
{
    PEVENT_PACKET pep;
    PWND pwndFrom;
    TL tlpep;
    PTHREADINFO pti;

    CheckCritIn();

    pep = (PEVENT_PACKET)UserAllocPoolWithQuota(sizeof(EVENT_PACKET) -
            sizeof(DWORD) + sizeof(MONMSGSTRUCT), TAG_DDE8);
    if (pep == NULL) {
        return;
    }
    pep->EventType = flag;
    pep->fSense = TRUE;
    pep->cbEventData = sizeof(MONMSGSTRUCT);
#define pmsgs ((MONMSGSTRUCT *)&pep->Data)
    pmsgs->cb = sizeof(MONMSGSTRUCT);
    pmsgs->hwndTo = PtoH(pwndTo);
    pmsgs->dwTime = NtGetTickCount();

    pwndFrom = RevalidateHwnd((HWND)wParam);
    if (pwndFrom != NULL) {
        pmsgs->hTask = GETPTI(pwndFrom)->pEThread->Cid.UniqueThread;
    } else {
        pmsgs->hTask = 0;
    }

    pmsgs->wMsg = message;
    pmsgs->wParam = wParam;
    pmsgs->lParam = lParam;
    if (pdmhd != NULL) {
        pmsgs->dmhd = *pdmhd;
    }
#undef pmsgs
    pti = PtiCurrent();
    ThreadLockPool(pti, pep, &tlpep);
    xxxCsEvent(pep, sizeof(MONMSGSTRUCT));
    ThreadUnlockAndFreePool(pti, &tlpep);
}
Beispiel #4
0
/***************************************************************************\
* MNAllocPopup
*
\***************************************************************************/
PPOPUPMENU MNAllocPopup(BOOL fForceAlloc)
{
    PPOPUPMENU ppm;

    if (!fForceAlloc && !gfPopupInUse) {
        gfPopupInUse = TRUE;

        ppm = &gpopupMenu;
    } else {
        ppm = (PPOPUPMENU)UserAllocPoolWithQuota(sizeof(POPUPMENU), TAG_POPUPMENU);
    }

    if (ppm) {
        RtlZeroMemory(ppm, sizeof(POPUPMENU));
    }

    return (ppm);
}
Beispiel #5
0
/***************************************************************************\
* MNAllocMenuState
*
* Allocates and initializes a pMenuState
*
* 5-21-96 GerardoB      Created
\***************************************************************************/
PMENUSTATE MNAllocMenuState(PTHREADINFO ptiCurrent, PTHREADINFO ptiNotify, PPOPUPMENU ppopupmenuRoot)
{
    PMENUSTATE pMenuState;

    UserAssert(PtiCurrent() == ptiCurrent);
    UserAssert(ptiCurrent->rpdesk == ptiNotify->rpdesk);

    /*
     * If gpMenuState is already taken, allocate one.
     */
    if (gfMenuStateInUse) {
        pMenuState = (PMENUSTATE)UserAllocPoolWithQuota(sizeof(MENUSTATE), TAG_MENUSTATE);
        if (pMenuState == NULL) {
            return NULL;
        }
    } else {
        gfMenuStateInUse = TRUE;
        pMenuState = &gpMenuState;
    }

    /*
     * This is used by IsSomeOneInMenuMode and for debugging purposes
     */
    guMenuStateCount++;

    /*
     * Initialize pMenuState.
     */
    RtlZeroMemory(pMenuState, sizeof(*pMenuState));
    pMenuState->pGlobalPopupMenu = ppopupmenuRoot;
    pMenuState->ptiMenuStateOwner = ptiCurrent;
    UserAssert(ptiCurrent->pMenuState == NULL);
    ptiCurrent->pMenuState = pMenuState;
    if (ptiNotify != ptiCurrent) {
        UserAssert(ptiNotify->pMenuState == NULL);
        ptiNotify->pMenuState = pMenuState;
    }


    return pMenuState;

}
Beispiel #6
0
/***************************************************************************\
* xxxCsEvent
*
* Description:
*   Handles broadcasting of all types of DDEML events.
*
* History:
* 11-1-91   sanfords    Created.
* 10-28-97  FritzS    added cbEventData as a passed-in parameter.  This was
                      done because the EVENT_PACKET may be client-side and
                      we capture the count to keep a hostile app from changing
                      the size after data probing.
\***************************************************************************/
DWORD xxxCsEvent(
PEVENT_PACKET pep, WORD cbEventData)
{
    PSVR_INSTANCE_INFO psiiT;
    PEVENT_PACKET pep2;
    HWND *ahwndEvent = NULL;
    PWND pwnd;
    int cHwndAllocated, i, cTargets;
    TL tlpwnd;
    TL tlpep2;
    TL tlahwndEvent;
    ULONG cbEventPacket;
    PTHREADINFO pti = PtiCurrent();

    CheckCritIn();

    /*
     * Copy pep info to a server side stable area
     */
    cbEventPacket = cbEventData + sizeof(EVENT_PACKET) - sizeof(DWORD);
    pep2 = (PEVENT_PACKET)UserAllocPoolWithQuota(cbEventPacket, TAG_DDE5);
    if (pep2 == NULL) {
        return DMLERR_MEMORY_ERROR;
    }
    try {
        RtlCopyMemory((LPSTR)pep2, (LPSTR)pep, cbEventPacket);
    } except (W32ExceptionHandler(FALSE, RIP_WARNING)) {
        UserFreePool(pep2);
        return DMLERR_INVALIDPARAMETER;
    }

    pep2->cbEventData = cbEventData;
    cTargets = 0;
    cHwndAllocated = 0;

    for (psiiT = psiiList; psiiT != NULL; psiiT =  psiiT->next) {
        //
        // Don't bother with event windows for instances who's flags
        // indicate they're not interrested in the event.
        //
        if (((psiiT->afCmd & pep2->EventType) && !pep2->fSense) ||
                (!(psiiT->afCmd & pep2->EventType) && pep2->fSense)) {
            continue;
        }

        if (cTargets >= cHwndAllocated) {
            if (ahwndEvent == NULL) {
                cHwndAllocated = 8;
                ahwndEvent = (HWND *)UserAllocPoolWithQuota(
                        sizeof(HWND) * cHwndAllocated,
                        TAG_DDE6);
            } else {
                DWORD dwSize = cHwndAllocated * sizeof(HWND);
                HWND *ahwndEventT = ahwndEvent;

                cHwndAllocated += 8;
                ahwndEvent = (HWND *)UserReAllocPoolWithQuota(ahwndEvent, dwSize,
                        sizeof(HWND) * cHwndAllocated, TAG_DDE7);
                if (ahwndEvent == NULL) {
                    UserFreePool(ahwndEventT);
                }
            }
            if (ahwndEvent == NULL) {
                UserFreePool(pep2);
                return DMLERR_MEMORY_ERROR;
            }
        }
        ahwndEvent[cTargets++] = PtoH(psiiT->spwndEvent);
    }

    ThreadLockPool(pti, pep2, &tlpep2);
    if (ahwndEvent != NULL) {
        ThreadLockPool(pti, ahwndEvent, &tlahwndEvent);
        for (i = 0; i < cTargets; i++) {
            /*
             * We need to change contexts for the callback
             */
            pwnd = ValidateHwnd(ahwndEvent[i]);
            if (pwnd != NULL) {
                ThreadLockAlwaysWithPti(pti, pwnd, &tlpwnd);
                xxxSendMessage(pwnd, WM_DDEMLEVENT, 0, (LPARAM)pep2);
                ThreadUnlock(&tlpwnd);
            }
        }
        ThreadUnlockAndFreePool(pti, &tlahwndEvent);
    }
    ThreadUnlockAndFreePool(pti, &tlpep2);

    return DMLERR_NO_ERROR;
}
Beispiel #7
0
BOOL xxxSnapWindow(
    PWND pwnd)
{
    PTHREADINFO    ptiCurrent;
    RECT           rc;
    HDC            hdcScr = NULL;
    HDC            hdcMem = NULL;
    BOOL           fRet;
    HBITMAP        hbmOld;
    HBITMAP        hbm;
    HANDLE         hPal;
    LPLOGPALETTE   lppal;
    int            palsize;
    int            iFixedPaletteEntries;
    BOOL           fSuccess;
    PWND           pwndT;
    TL             tlpwndT;
    PWINDOWSTATION pwinsta;
    TL             tlpwinsta;

    CheckLock(pwnd);
    UserAssert(pwnd);

    ptiCurrent = PtiCurrent();

    /*
     * If this is a thread of winlogon, don't do the snapshot.
     */
    if (GetCurrentProcessId() == gpidLogon)
        return FALSE;

    /*
     * Get the affected windowstation
     */
    if (!NT_SUCCESS(ReferenceWindowStation(
            PsGetCurrentThread(),
            NULL,
            WINSTA_READSCREEN,
            &pwinsta,
            TRUE)) ||
            pwinsta->dwWSF_Flags & WSF_NOIO) {
        return FALSE;
    }

    /*
     * If the window is on another windowstation, do nothing
     */
    if (pwnd->head.rpdesk->rpwinstaParent != pwinsta)
        return FALSE;

    /*
     * Get the parent of any child windows.
     */
    while ((pwnd != NULL) && TestWF(pwnd, WFCHILD)) {
        pwnd = pwnd->spwndParent;
    }

    /*
     * Lock the windowstation before we leave the critical section
     */
    ThreadLockWinSta(ptiCurrent, pwinsta, &tlpwinsta);

    /*
     * Open the clipboard and empty it.
     *
     * pwndDesktop is made the owner of the clipboard, instead of the
     * currently active window; -- SANKAR -- 20th July, 1989 --
     */
    pwndT = ptiCurrent->rpdesk->pDeskInfo->spwnd;
    ThreadLockWithPti(ptiCurrent, pwndT, &tlpwndT);
    fSuccess = xxxOpenClipboard(pwndT, NULL);
    ThreadUnlock(&tlpwndT);

    if (!fSuccess) {
        ThreadUnlockWinSta(ptiCurrent, &tlpwinsta);
        return FALSE;
    }

    xxxEmptyClipboard(pwinsta);

    /*
     * Use the whole window.
     */
    CopyRect(&rc, &pwnd->rcWindow);

    /*
     * Only snap what is on the screen.
     */
    if (!IntersectRect(&rc, &rc, &gpDispInfo->rcScreen)) {
        fRet = FALSE;
        goto SnapExit;
    }

    rc.right -= rc.left;
    rc.bottom -= rc.top;

    /*
     * Figure out how far offset from window origin visible part is
     */
    if (pwnd != PWNDDESKTOP(pwnd)) {
        rc.left -= pwnd->rcWindow.left;
        rc.top -= pwnd->rcWindow.top;
    }

    /*
     * Get the entire window's DC.
     */
    hdcScr = _GetWindowDC(pwnd);
    if (!hdcScr)
        goto MemoryError;

    /*
     * Create the memory DC.
     */
    hdcMem = GreCreateCompatibleDC(hdcScr);
    if (!hdcMem)
        goto MemoryError;

    /*
     * Create the destination bitmap.  If it fails, then attempt
     * to create a monochrome bitmap.
     * Did we have enough memory?
     */

    if (SYSMET(SAMEDISPLAYFORMAT)) {
        hbm = GreCreateCompatibleBitmap(hdcScr, rc.right, rc.bottom);
    } else {
        hbm = GreCreateBitmap(rc.right, rc.bottom, 1, gpDispInfo->BitCountMax, NULL);
    }

    if (!hbm) {
        hbm = GreCreateBitmap(rc.right, rc.bottom, 1, 1, NULL);
        if (!hbm)
            goto MemoryError;
    }

    /*
     * Select the bitmap into the memory DC.
     */
    hbmOld = GreSelectBitmap(hdcMem, hbm);

    /*
     * Snap!!!
     * Check the return value because the process taking the snapshot
     * may not have access to read the screen.
     */
    fRet = GreBitBlt(hdcMem, 0, 0, rc.right, rc.bottom, hdcScr, rc.left, rc.top, SRCCOPY | CAPTUREBLT, 0);

    /*
     * Restore the old bitmap into the memory DC.
     */
    GreSelectBitmap(hdcMem, hbmOld);

    /*
     * If the blt failed, leave now.
     */
    if (!fRet)
        goto SnapExit;

    _SetClipboardData(CF_BITMAP, hbm, FALSE, TRUE);

    /*
     * If this is a palette device, let's throw the current system palette
     * into the clipboard also.  Useful if the user just snapped a window
     * containing palette colors...
     */
    if (TEST_PUSIF(PUSIF_PALETTEDISPLAY)) {

        int i;
        int iPalSize;

        palsize = GreGetDeviceCaps(hdcScr, SIZEPALETTE);

        /*
         * Determine the number of system colors.
         */
        if (GreGetSystemPaletteUse(hdcScr) == SYSPAL_STATIC)
            iFixedPaletteEntries = GreGetDeviceCaps(hdcScr, NUMRESERVED);
        else
            iFixedPaletteEntries = 2;

        lppal = (LPLOGPALETTE)UserAllocPoolWithQuota(
                (LONG)(sizeof(LOGPALETTE) + sizeof(PALETTEENTRY) * palsize),
                TAG_CLIPBOARD);

        if (lppal != NULL) {
            lppal->palVersion = 0x300;
            lppal->palNumEntries = (WORD)palsize;

            if (GreGetSystemPaletteEntries(hdcScr,
                                           0,
                                           palsize,
                                           lppal->palPalEntry)) {

                iPalSize = palsize - iFixedPaletteEntries / 2;

                for (i = iFixedPaletteEntries / 2; i < iPalSize; i++) {

                    /*
                     * Any non system palette enteries need to have the NOCOLLAPSE
                     * flag set otherwise bitmaps containing different palette
                     * indices but same colors get messed up.
                     */
                    lppal->palPalEntry[i].peFlags = PC_NOCOLLAPSE;
                }

                if (hPal = GreCreatePalette(lppal))
                    _SetClipboardData(CF_PALETTE, hPal, FALSE, TRUE);
            }

            UserFreePool(lppal);
        }
    }
    PlayEventSound(USER_SOUND_SNAPSHOT);

    fRet = TRUE;

SnapExit:

    /*
     * Release the window/client DC.
     */
     if (hdcScr) {
         _ReleaseDC(hdcScr);
     }

    xxxCloseClipboard(pwinsta);
    Unlock(&pwinsta->spwndClipOwner);

    /*
     * Delete the memory DC.
     */
    if (hdcMem) {
        GreDeleteDC(hdcMem);
    }

    ThreadUnlockWinSta(ptiCurrent, &tlpwinsta);

    return fRet;

MemoryError:
    /*
     * Display an error message box.
     */
    ClientNoMemoryPopup();
    fRet = FALSE;
    goto SnapExit;
}