/*
* @implemented
*/
BOOL
APIENTRY
NtUserGetIconSize(
HANDLE hCurIcon,
UINT istepIfAniCur,
PLONG plcx, // &size.cx
PLONG plcy) // &size.cy
{
PCURICON_OBJECT CurIcon;
NTSTATUS Status = STATUS_SUCCESS;
BOOL bRet = FALSE;
TRACE("Enter NtUserGetIconSize\n");
UserEnterExclusive();
if (!(CurIcon = UserGetCurIconObject(hCurIcon)))
{
goto cleanup;
}
if(CurIcon->CURSORF_flags & CURSORF_ACON)
{
/* Use first frame for animated cursors */
PACON AniCurIcon = (PACON)CurIcon;
CurIcon = AniCurIcon->aspcur[0];
UserDereferenceObject(AniCurIcon);
UserReferenceObject(CurIcon);
}
_SEH2_TRY
{
ProbeForWrite(plcx, sizeof(LONG), 1);
*plcx = CurIcon->cx;
ProbeForWrite(plcy, sizeof(LONG), 1);
*plcy = CurIcon->cy;
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END
if (NT_SUCCESS(Status))
bRet = TRUE;
else
SetLastNtError(Status); // Maybe not, test this
UserDereferenceObject(CurIcon);
cleanup:
TRACE("Leave NtUserGetIconSize, ret=%i\n", bRet);
UserLeave();
return bRet;
}
/*
* NtUserGetKeyboardLayoutName
*
* Returns KLID of current thread keyboard layout
*/
BOOL
APIENTRY
NtUserGetKeyboardLayoutName(
LPWSTR pwszName)
{
BOOL bRet = FALSE;
PKL pKl;
PTHREADINFO pti;
UserEnterShared();
pti = PsGetCurrentThreadWin32Thread();
pKl = pti->KeyboardLayout;
if (!pKl)
goto cleanup;
_SEH2_TRY
{
ProbeForWrite(pwszName, KL_NAMELENGTH*sizeof(WCHAR), 1);
wcscpy(pwszName, pKl->spkf->awchKF);
bRet = TRUE;
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
SetLastNtError(_SEH2_GetExceptionCode());
}
_SEH2_END;
cleanup:
UserLeave();
return bRet;
}
/**
* Opens a process.
*
* \param ProcessHandle A variable which receives the process handle.
* \param DesiredAccess The desired access to the process.
* \param ClientId The identifier of a process or thread. If \a UniqueThread
* is present, the process of the identified thread will be opened. If
* \a UniqueProcess is present, the identified process will be opened.
* \param AccessMode The mode in which to perform access checks.
*/
NTSTATUS KpiOpenProcess(
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in PCLIENT_ID ClientId,
__in KPROCESSOR_MODE AccessMode
)
{
NTSTATUS status;
CLIENT_ID clientId;
PEPROCESS process;
PETHREAD thread;
HANDLE processHandle;
PAGED_CODE();
if (AccessMode != KernelMode)
{
__try
{
ProbeForWrite(ProcessHandle, sizeof(HANDLE), sizeof(HANDLE));
ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG));
clientId = *ClientId;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return GetExceptionCode();
}
}
NTSTATUS BDKitTerminateProcessByClearMemroy(__in PEPROCESS EProcess)
{
NTSTATUS nsStatus = STATUS_UNSUCCESSFUL;
ULONG_PTR MemIndex = 0;
KAPC_STATE kApcState = {0x00};
do
{
_KeStackAttachProcess ((PKPROCESS)EProcess, &kApcState);
{
for ( MemIndex = LOWEST_USER_MEM_ADDRESS;
MemIndex < HIGHEST_USER_MEM_ADDRESS - 1;
MemIndex += PAGE_SIZE
)
{
__try
{
ProbeForWrite ((PVOID)MemIndex, PAGE_SIZE, 4L);
RtlFillMemory ((PVOID)MemIndex, PAGE_SIZE, 0x00);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
break;
}
}
}
_KeUnstackDetachProcess ((PKPROCESS)EProcess, &kApcState);
nsStatus = STATUS_SUCCESS;
} while (FALSE);
return nsStatus;
}
BOOL
APIENTRY
NtGdiSetBrushOrg(
_In_ HDC hdc,
_In_ INT x,
_In_ INT y,
_Out_opt_ LPPOINT pptOut)
{
PDC pdc;
/* Lock the DC */
pdc = DC_LockDc(hdc);
if (pdc == NULL)
{
EngSetLastError(ERROR_INVALID_HANDLE);
return FALSE;
}
/* Check if the old origin was requested */
if (pptOut != NULL)
{
/* Enter SEH for buffer transfer */
_SEH2_TRY
{
/* Probe and copy the old origin */
ProbeForWrite(pptOut, sizeof(POINT), 1);
*pptOut = pdc->pdcattr->ptlBrushOrigin;
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
DC_UnlockDc(pdc);
_SEH2_YIELD(return FALSE);
}
_SEH2_END;
}
/*++
* @name NtQuerySecurityObject
* @implemented NT4
*
* The NtQuerySecurityObject routine <FILLMEIN>
*
* @param Handle
* <FILLMEIN>
*
* @param SecurityInformation
* <FILLMEIN>
*
* @param SecurityDescriptor
* <FILLMEIN>
*
* @param Length
* <FILLMEIN>
*
* @param ResultLength
* <FILLMEIN>
*
* @return STATUS_SUCCESS or appropriate error value.
*
* @remarks None.
*
*--*/
NTSTATUS
NTAPI
NtQuerySecurityObject(IN HANDLE Handle,
IN SECURITY_INFORMATION SecurityInformation,
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ULONG Length,
OUT PULONG ResultLength)
{
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
PVOID Object;
POBJECT_HEADER Header;
POBJECT_TYPE Type;
ACCESS_MASK DesiredAccess;
NTSTATUS Status;
PAGED_CODE();
/* Check if we came from user mode */
if (PreviousMode != KernelMode)
{
/* Enter SEH */
_SEH2_TRY
{
/* Probe the SD and the length pointer */
ProbeForWrite(SecurityDescriptor, Length, sizeof(ULONG));
ProbeForWriteUlong(ResultLength);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
/* Return the exception code */
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
}
INT APIENTRY
NtGdiGetAppClipBox(HDC hDC, PRECTL rc)
{
INT Ret;
NTSTATUS Status = STATUS_SUCCESS;
RECTL Saferect;
Ret = GdiGetClipBox(hDC, &Saferect);
_SEH2_TRY
{
ProbeForWrite(rc,
sizeof(RECT),
1);
*rc = Saferect;
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
if(!NT_SUCCESS(Status))
{
SetLastNtError(Status);
return ERROR;
}
return Ret;
}
/*
* @implemented
*/
NTSTATUS NTAPI
NtAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId)
{
LUID NewLuid;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PAGED_CODE();
PreviousMode = ExGetPreviousMode();
if(PreviousMode != KernelMode)
{
_SEH2_TRY
{
ProbeForWrite(LocallyUniqueId,
sizeof(LUID),
sizeof(ULONG));
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
}
INT
APIENTRY
NtGdiGetAppClipBox(
_In_ HDC hdc,
_Out_ LPRECT prc)
{
RECT rect;
INT iComplexity;
/* Call the internal function */
iComplexity = GdiGetClipBox(hdc, &rect);
if (iComplexity != ERROR)
{
_SEH2_TRY
{
ProbeForWrite(prc, sizeof(RECT), 1);
*prc = rect;
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
iComplexity = ERROR;
}
_SEH2_END
}
NTSTATUS APIENTRY
NtUserCreateLocalMemHandle(
HANDLE hMem,
PVOID pData,
DWORD cbData,
DWORD *pcbData)
{
PCLIPBOARDDATA pMemObj;
NTSTATUS Status = STATUS_SUCCESS;
UserEnterShared();
/* Get Clipboard data object */
pMemObj = (PCLIPBOARDDATA)UserGetObject(gHandleTable, hMem, TYPE_CLIPDATA);
if (!pMemObj)
{
Status = STATUS_INVALID_HANDLE;
goto cleanup;
}
/* Don't overrun */
if (cbData > pMemObj->cbData)
cbData = pMemObj->cbData;
/* Copy data to usermode */
_SEH2_TRY
{
if (pcbData)
{
ProbeForWrite(pcbData, sizeof(*pcbData), 1);
*pcbData = pMemObj->cbData;
}
ProbeForWrite(pData, cbData, 1);
memcpy(pData, pMemObj->Data, cbData);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
cleanup:
UserLeave();
return Status;
}
ULONG
APIENTRY
NtUserCopyAcceleratorTable(
HACCEL hAccel,
LPACCEL Entries,
ULONG EntriesCount)
{
PACCELERATOR_TABLE Accel;
ULONG Ret;
DECLARE_RETURN(int);
TRACE("Enter NtUserCopyAcceleratorTable\n");
UserEnterShared();
Accel = UserGetAccelObject(hAccel);
if (!Accel)
{
RETURN(0);
}
/* If Entries is NULL return table size */
if (!Entries)
{
RETURN(Accel->Count);
}
/* Don't overrun */
if (Accel->Count < EntriesCount)
EntriesCount = Accel->Count;
Ret = 0;
_SEH2_TRY
{
ProbeForWrite(Entries, EntriesCount*sizeof(Entries[0]), 4);
for (Ret = 0; Ret < EntriesCount; Ret++)
{
Entries[Ret].fVirt = Accel->Table[Ret].fVirt;
Entries[Ret].key = Accel->Table[Ret].key;
Entries[Ret].cmd = Accel->Table[Ret].cmd;
}
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
SetLastNtError(_SEH2_GetExceptionCode());
Ret = 0;
}
_SEH2_END;
RETURN(Ret);
CLEANUP:
TRACE("Leave NtUserCopyAcceleratorTable, ret=%i\n", _ret_);
UserLeave();
END_CLEANUP;
}
//枚举进程
//InputBuffer[0] == 是否显示Deleting进程
//OutputBuffer ObjectIdTable缓冲
NTSTATUS
DispatchProcessEnum(PVOID InputBuffer, ULONG InputLength,
PVOID OutputBuffer, ULONG OutputLength,
PULONG Information)
{
BOOLEAN showDeleting;
NTSTATUS status;
PObjectIdTable objIdTable;
*Information = 0;
//首先验证用户参数
if(InputBuffer == NULL ||
InputLength != sizeof(BOOLEAN) ||
OutputBuffer == NULL ||
OutputLength != sizeof(ObjectIdTable))
{
KdPrint(("DispatchProcessEnum Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)",
InputLength, sizeof(BOOLEAN), OutputLength, sizeof(ObjectIdTable)));
return STATUS_INVALID_PARAMETER;
}
status = STATUS_SUCCESS;
try{
ProbeForRead(InputBuffer, InputLength, 1);
showDeleting = *(BOOLEAN*)InputBuffer;
}except(EXCEPTION_CONTINUE_EXECUTION){
KdPrint(("DispatchProcessEnum ACCESS_VIOLATION read.\n"));
status = STATUS_ACCESS_VIOLATION;
}
if(!NT_SUCCESS(status))
return status;
//枚举进程信息
objIdTable = ProcessEnum(showDeleting);
if(!objIdTable)
{
status = STATUS_UNSUCCESSFUL;
return status;
}
//拷贝到用户控件
try{
ProbeForWrite(OutputBuffer, OutputLength, 1);
RtlCopyMemory(OutputBuffer, objIdTable, OutputLength);
status = STATUS_SUCCESS;
}except(EXCEPTION_CONTINUE_EXECUTION){
KdPrint(("DispatchProcessEnum ACCESS_VIOLATION write.\n"));
status = STATUS_ACCESS_VIOLATION;
}
ExFreePool(objIdTable);
if(NT_SUCCESS(status))
*Information = OutputLength;
return status;
}
NTSTATUS
NTAPI
NtQueryInformationPort(
IN HANDLE PortHandle OPTIONAL,
IN PORT_INFORMATION_CLASS PortInformationClass,
OUT PVOID PortInformation,
IN ULONG Length,
OUT PULONG ReturnLength OPTIONAL
)
{
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PLPCP_PORT_OBJECT PortObject;
PAGED_CODE();
//
// Get previous processor mode and probe output argument if necessary.
//
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
try {
ProbeForWrite( PortInformation,
Length,
sizeof( ULONG )
);
if (ARGUMENT_PRESENT( ReturnLength )) {
ProbeForWriteUlong( ReturnLength );
}
}
except( EXCEPTION_EXECUTE_HANDLER ) {
return( GetExceptionCode() );
}
}
if (ARGUMENT_PRESENT( PortHandle )) {
Status = ObReferenceObjectByHandle( PortHandle,
GENERIC_READ,
LpcPortObjectType,
PreviousMode,
&PortObject,
NULL
);
if (!NT_SUCCESS( Status )) {
return( Status );
}
ObDereferenceObject( PortObject );
return STATUS_SUCCESS;
}
else {
return STATUS_INVALID_INFO_CLASS;
}
}
/*
* @implemented
*/
NTSTATUS
NTAPI
NtRequestWaitReplyPort(IN HANDLE PortHandle,
IN PPORT_MESSAGE LpcRequest,
IN OUT PPORT_MESSAGE LpcReply)
{
PORT_MESSAGE LocalLpcRequest;
ULONG NumberOfDataEntries;
PLPCP_PORT_OBJECT Port, QueuePort, ReplyPort, ConnectionPort = NULL;
KPROCESSOR_MODE PreviousMode = KeGetPreviousMode();
NTSTATUS Status;
PLPCP_MESSAGE Message;
PETHREAD Thread = PsGetCurrentThread();
BOOLEAN Callback;
PKSEMAPHORE Semaphore;
ULONG MessageType;
PLPCP_DATA_INFO DataInfo;
PAGED_CODE();
LPCTRACE(LPC_SEND_DEBUG,
"Handle: %p. Messages: %p/%p. Type: %lx\n",
PortHandle,
LpcRequest,
LpcReply,
LpcpGetMessageType(LpcRequest));
/* Check if the thread is dying */
if (Thread->LpcExitThreadCalled) return STATUS_THREAD_IS_TERMINATING;
/* Check for user mode access */
if (PreviousMode != KernelMode)
{
_SEH2_TRY
{
/* Probe the full request message and copy the base structure */
ProbeForRead(LpcRequest, sizeof(*LpcRequest), sizeof(ULONG));
ProbeForRead(LpcRequest, LpcRequest->u1.s1.TotalLength, sizeof(ULONG));
LocalLpcRequest = *LpcRequest;
/* Probe the reply message for write */
ProbeForWrite(LpcReply, sizeof(*LpcReply), sizeof(ULONG));
/* Make sure the data entries in the request message are valid */
Status = LpcpVerifyMessageDataInfo(LpcRequest, &NumberOfDataEntries);
if (!NT_SUCCESS(Status))
{
DPRINT1("LpcpVerifyMessageDataInfo failed\n");
return Status;
}
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
DPRINT1("Got exception\n");
return _SEH2_GetExceptionCode();
}
_SEH2_END;
}
BOOL
APIENTRY
NtGdiGetDeviceGammaRamp(HDC hDC,
LPVOID Ramp)
{
BOOL Ret;
PDC dc;
NTSTATUS Status = STATUS_SUCCESS;
PGAMMARAMP SafeRamp;
if (!Ramp) return FALSE;
dc = DC_LockDc(hDC);
if (!dc)
{
EngSetLastError(ERROR_INVALID_HANDLE);
return FALSE;
}
SafeRamp = ExAllocatePoolWithTag(PagedPool, sizeof(GAMMARAMP), GDITAG_ICM);
if (!SafeRamp)
{
DC_UnlockDc(dc);
EngSetLastError(STATUS_NO_MEMORY);
return FALSE;
}
Ret = IntGetDeviceGammaRamp((HDEV)dc->ppdev, SafeRamp);
if (!Ret) return Ret;
_SEH2_TRY
{
ProbeForWrite( Ramp,
sizeof(PVOID),
1);
RtlCopyMemory( Ramp,
SafeRamp,
sizeof(GAMMARAMP));
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
DC_UnlockDc(dc);
ExFreePoolWithTag(SafeRamp, GDITAG_ICM);
if (!NT_SUCCESS(Status))
{
SetLastNtError(Status);
return FALSE;
}
return Ret;
}
/*
* NtUserGetKeyboardLayoutList
*
* Returns list of loaded keyboard layouts in system
*/
UINT
APIENTRY
NtUserGetKeyboardLayoutList(
ULONG nBuff,
HKL *pHklBuff)
{
UINT uRet = 0;
PKL pKl;
if (!pHklBuff)
nBuff = 0;
UserEnterShared();
if (!gspklBaseLayout)
{
UserLeave();
return 0;
}
pKl = gspklBaseLayout;
if (nBuff == 0)
{
do
{
uRet++;
pKl = pKl->pklNext;
} while (pKl != gspklBaseLayout);
}
else
{
_SEH2_TRY
{
ProbeForWrite(pHklBuff, nBuff*sizeof(HKL), 4);
while (uRet < nBuff)
{
pHklBuff[uRet] = pKl->hkl;
uRet++;
pKl = pKl->pklNext;
if (pKl == gspklBaseLayout)
break;
}
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
SetLastNtError(_SEH2_GetExceptionCode());
uRet = 0;
}
_SEH2_END;
}
UserLeave();
return uRet;
}
/*
* @implemented
*/
BOOL
APIENTRY
NtUserGetCursorInfo(
PCURSORINFO pci)
{
CURSORINFO SafeCi;
PSYSTEM_CURSORINFO CurInfo;
NTSTATUS Status = STATUS_SUCCESS;
PCURICON_OBJECT CurIcon;
BOOL Ret = FALSE;
DECLARE_RETURN(BOOL);
TRACE("Enter NtUserGetCursorInfo\n");
UserEnterExclusive();
CurInfo = IntGetSysCursorInfo();
CurIcon = (PCURICON_OBJECT)CurInfo->CurrentCursorObject;
SafeCi.cbSize = sizeof(CURSORINFO);
SafeCi.flags = ((CurIcon && CurInfo->ShowingCursor >= 0) ? CURSOR_SHOWING : 0);
SafeCi.hCursor = (CurIcon ? CurIcon->head.h : NULL);
SafeCi.ptScreenPos = gpsi->ptCursor;
_SEH2_TRY
{
if (pci->cbSize == sizeof(CURSORINFO))
{
ProbeForWrite(pci, sizeof(CURSORINFO), 1);
RtlCopyMemory(pci, &SafeCi, sizeof(CURSORINFO));
Ret = TRUE;
}
else
{
EngSetLastError(ERROR_INVALID_PARAMETER);
}
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
if (!NT_SUCCESS(Status))
{
SetLastNtError(Status);
}
RETURN(Ret);
CLEANUP:
TRACE("Leave NtUserGetCursorInfo, ret=%i\n",_ret_);
UserLeave();
END_CLEANUP;
}
HDC
APIENTRY
NtGdiOpenDCW(
PUNICODE_STRING pustrDevice,
DEVMODEW *pdmInit,
PUNICODE_STRING pustrLogAddr,
ULONG iType,
BOOL bDisplay,
HANDLE hspool,
VOID *pDriverInfo2,
VOID *pUMdhpdev)
{
UNICODE_STRING ustrDevice;
WCHAR awcDevice[CCHDEVICENAME];
DEVMODEW dmInit;
PVOID dhpdev;
HDC hdc;
/* Only if a devicename is given, we need any data */
if (pustrDevice)
{
/* Initialize destination string */
RtlInitEmptyUnicodeString(&ustrDevice, awcDevice, sizeof(awcDevice));
_SEH2_TRY
{
/* Probe the UNICODE_STRING and the buffer */
ProbeForRead(pustrDevice, sizeof(UNICODE_STRING), 1);
ProbeForRead(pustrDevice->Buffer, pustrDevice->Length, 1);
/* Copy the string */
RtlCopyUnicodeString(&ustrDevice, pustrDevice);
if (pdmInit)
{
/* FIXME: could be larger */
ProbeForRead(pdmInit, sizeof(DEVMODEW), 1);
RtlCopyMemory(&dmInit, pdmInit, sizeof(DEVMODEW));
}
if (pUMdhpdev)
{
ProbeForWrite(pUMdhpdev, sizeof(HANDLE), 1);
}
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
SetLastNtError(_SEH2_GetExceptionCode());
_SEH2_YIELD(return NULL);
}
_SEH2_END
}
else
{
//获取进程的模块信息
//InputBuffer[0] == PEPROCESS指针
//InputBuffer[1] == LdrData指针
//OutputBuffer ModuleInfo缓冲
NTSTATUS
DispatchQueryProcessModuleInfo(PVOID InputBuffer, ULONG InputLength,
PVOID OutputBuffer, ULONG OutputLength,
PULONG Information)
{
NTSTATUS status;
PEPROCESS process;
PVOID ldrData;
PModuleInfo modInfo;
*Information = 0;
if(InputBuffer == NULL ||
InputLength != sizeof(PEPROCESS) + sizeof(PVOID)||
OutputBuffer == NULL ||
OutputLength != sizeof(ModuleInfo))
{
KdPrint(("DispatchQueryProcessModuleInfo Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)",
InputLength, sizeof(PEPROCESS) + sizeof(PVOID), OutputLength, sizeof(ModuleInfo)));
return STATUS_INVALID_PARAMETER;
}
try{
ProbeForRead(InputBuffer, InputLength, 1);
process = *(PEPROCESS*)InputBuffer;
ldrData = *(PVOID*)((ULONG)InputBuffer + 4);
status = STATUS_SUCCESS;
}except(EXCEPTION_CONTINUE_EXECUTION){
status = STATUS_ACCESS_VIOLATION;
}
if(!NT_SUCCESS(status))
{
KdPrint(("DispatchQueryProcessModuleInfo ACCESS_VIOLATION read.\n"));
return status;
}
modInfo = QueryModuleInfo(process, ldrData);
if(modInfo == NULL)
return STATUS_UNSUCCESSFUL;
try{
ProbeForWrite(OutputBuffer, OutputLength, 1);
RtlCopyMemory(OutputBuffer, modInfo, OutputLength);
status = STATUS_SUCCESS;
}except(EXCEPTION_CONTINUE_EXECUTION){
KdPrint(("DispatchQueryProcessModuleInfo ACCESS_VIOLATION write.\n"));
status = STATUS_ACCESS_VIOLATION;
}
if(NT_SUCCESS(status))
*Information = OutputLength;
ExFreePool(modInfo);
return status;
}
//获取线程信息
//InputBuffer[0] == PETHREAD指针
//OutputBuffer threadInfo缓冲
NTSTATUS
DispatchQueryThreadInfo(PVOID InputBuffer, ULONG InputLength,
PVOID OutputBuffer, ULONG OutputLength,
PULONG Information)
{
NTSTATUS status;
PETHREAD thread;
PThreadInfo threadInfo;
*Information = 0;
if(InputBuffer == NULL ||
InputLength != sizeof(PETHREAD) ||
OutputBuffer == NULL ||
OutputLength != sizeof(ThreadInfo))
{
KdPrint(("DispatchQueryThreadInfo Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)",
InputLength, sizeof(PETHREAD), OutputLength, sizeof(ThreadInfo)));
return STATUS_INVALID_PARAMETER;
}
try{
ProbeForRead(InputBuffer, InputLength, 1);
thread = *(PETHREAD*)(InputBuffer);
status = STATUS_SUCCESS;
}except(EXCEPTION_CONTINUE_EXECUTION){
status = STATUS_ACCESS_VIOLATION;
}
if(!NT_SUCCESS(status))
{
KdPrint(("DispatchQueryThreadInfo ACCESS_VIOLATION read.\n"));
return status;
}
threadInfo = QueryThreadInfo(thread);
if(threadInfo == NULL)
return STATUS_UNSUCCESSFUL;
try{
ProbeForWrite(OutputBuffer, OutputLength, 1);
RtlCopyMemory(OutputBuffer, threadInfo, OutputLength);
status = STATUS_SUCCESS;
}except(EXCEPTION_CONTINUE_EXECUTION){
KdPrint(("DispatchQueryThreadInfo ACCESS_VIOLATION write.\n"));
status = STATUS_ACCESS_VIOLATION;
}
if(NT_SUCCESS(status))
*Information = OutputLength;
ExFreePool(threadInfo);
return status;
}
//枚举进程
//InputBuffer[0] == 是否显示EPROCESS指针
//OutputBuffer ObjectIdTable缓冲
NTSTATUS
DispatchThreadEnum(PVOID InputBuffer, ULONG InputLength,
PVOID OutputBuffer, ULONG OutputLength,
PULONG Information)
{
PEPROCESS process;
NTSTATUS status;
PObjectIdTable objIdTable;
*Information = 0;
if(InputBuffer == NULL ||
InputLength != sizeof(PEPROCESS) ||
OutputBuffer == NULL ||
OutputLength != sizeof(ObjectIdTable))
{
KdPrint(("DispatchThreadEnum Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)",
InputLength, sizeof(PEPROCESS), OutputLength, sizeof(ObjectIdTable)));
return STATUS_INVALID_PARAMETER;
}
try{
ProbeForRead(InputBuffer, InputLength, 1);
process = *(PEPROCESS*)InputBuffer;
status = STATUS_SUCCESS;
}except(EXCEPTION_CONTINUE_EXECUTION){
KdPrint(("DispatchThreadEnum ACCESS_VIOLATION read.\n"));
status = STATUS_ACCESS_VIOLATION;
}
if(!NT_SUCCESS(status))
return status;
//枚举线程
objIdTable = ThreadEnum(process);
if(!objIdTable)
return STATUS_UNSUCCESSFUL;
try{
ProbeForWrite(OutputBuffer, OutputLength, 1);
RtlCopyMemory(OutputBuffer, objIdTable, OutputLength);
status = STATUS_SUCCESS;
}except(EXCEPTION_CONTINUE_EXECUTION){
KdPrint(("DispatchThreadEnum ACCESS_VIOLATION write.\n"));
status = STATUS_ACCESS_VIOLATION;
}
ExFreePool(objIdTable);
if(NT_SUCCESS(status))
*Information = OutputLength;
return status;
}
//获取进程的模块列表
//InputBuffer[0] == PEPROCESS指针
//OutputBuffer ProcessModuleList缓冲
NTSTATUS
DispatchQueryProcessModuleList(PVOID InputBuffer, ULONG InputLength,
PVOID OutputBuffer, ULONG OutputLength,
PULONG Information)
{
NTSTATUS status;
PEPROCESS process;
PProcessModuleList processModList;
*Information = 0;
if(InputBuffer == NULL ||
InputLength != sizeof(PEPROCESS) ||
OutputBuffer == NULL ||
OutputLength != sizeof(ProcessModuleList))
{
KdPrint(("DispatchQueryProcessModuleList Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)",
InputLength, sizeof(PEPROCESS), OutputLength, sizeof(ProcessModuleList)));
return STATUS_INVALID_PARAMETER;
}
try{
ProbeForRead(InputBuffer, InputLength, 1);
process = *(PEPROCESS*)InputBuffer;
status = STATUS_SUCCESS;
}except(EXCEPTION_CONTINUE_EXECUTION){
status = STATUS_ACCESS_VIOLATION;
}
if(!NT_SUCCESS(status))
{
KdPrint(("DispatchQueryProcessModuleList ACCESS_VIOLATION read.\n"));
return status;
}
processModList = QueryProcessModuleList(process);
if(processModList == NULL)
return STATUS_UNSUCCESSFUL;
try{
ProbeForWrite(OutputBuffer, OutputLength, 1);
RtlCopyMemory(OutputBuffer, processModList, OutputLength);
status = STATUS_SUCCESS;
}except(EXCEPTION_CONTINUE_EXECUTION){
KdPrint(("DispatchQueryProcessModuleList ACCESS_VIOLATION write.\n"));
status = STATUS_ACCESS_VIOLATION;
}
if(NT_SUCCESS(status))
*Information = OutputLength;
ExFreePool(processModList);
return status;
}
ULONG
APIENTRY
NtUserGetAtomName(
_In_ ATOM atom,
_Inout_ PUNICODE_STRING pustrName)
{
WCHAR awcBuffer[256];
ULONG cjLength;
/* Retrieve the atom name into a local buffer (max length is 255 chars) */
cjLength = IntGetAtomName((RTL_ATOM)atom, awcBuffer, sizeof(awcBuffer));
if (cjLength != 0)
{
_SEH2_TRY
{
/* Probe the unicode string and the buffer */
ProbeForRead(pustrName, sizeof(*pustrName), 1);
ProbeForWrite(pustrName->Buffer, pustrName->MaximumLength, 1);
/* Check if we have enough space to write the NULL termination */
if (pustrName->MaximumLength >= sizeof(UNICODE_NULL))
{
/* Limit the length to the buffer size */
cjLength = min(pustrName->MaximumLength - sizeof(UNICODE_NULL),
cjLength);
/* Copy the string and NULL terminate it */
RtlCopyMemory(pustrName->Buffer, awcBuffer, cjLength);
pustrName->Buffer[cjLength / sizeof(WCHAR)] = L'\0';
}
else
{
cjLength = 0;
}
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
/* On exception, set last error and fail */
SetLastNtError(_SEH2_GetExceptionCode());
cjLength = 0;
}
_SEH2_END
}
NTSTATUS KpiGetFeatures(
__out PULONG Features,
__in KPROCESSOR_MODE AccessMode
)
{
PAGED_CODE();
if (AccessMode != KernelMode)
{
__try
{
ProbeForWrite(Features, sizeof(ULONG), sizeof(ULONG));
*Features = KphFeatures;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return GetExceptionCode();
}
}
BOOLEAN
AcpiOsWritable(
void *Memory,
ACPI_SIZE Length)
{
BOOLEAN Ret = FALSE;
_SEH2_TRY
{
ProbeForWrite(Memory, Length, sizeof(UCHAR));
Ret = TRUE;
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
Ret = FALSE;
}
_SEH2_END;
return Ret;
}
INT APIENTRY
NtUserGetClipboardFormatName(UINT fmt, LPWSTR lpszFormatName, INT cchMaxCount)
{
INT iRet = 0;
UserEnterShared();
/* If the format is built-in we fail */
if (fmt < 0xc000)
{
/* Registetrated formats are >= 0xc000 */
goto cleanup;
}
if (cchMaxCount < 1 || !lpszFormatName)
{
EngSetLastError(ERROR_INVALID_PARAMETER);
goto cleanup;
}
_SEH2_TRY
{
ProbeForWrite(lpszFormatName, cchMaxCount * sizeof(WCHAR), 1);
iRet = IntGetAtomName((RTL_ATOM)fmt,
lpszFormatName,
cchMaxCount * sizeof(WCHAR));
iRet /= sizeof(WCHAR);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
SetLastNtError(_SEH2_GetExceptionCode());
}
_SEH2_END;
cleanup:
UserLeave();
return iRet;
}
BOOL
APIENTRY
NtGdiGetDeviceCapsAll(
IN HDC hDC,
OUT PDEVCAPS pDevCaps)
{
PDC pdc;
DEVCAPS devcaps;
BOOL bResult = TRUE;
/* Lock the given DC */
pdc = DC_LockDc(hDC);
if (!pdc)
{
EngSetLastError(ERROR_INVALID_HANDLE);
return FALSE;
}
/* Get the data */
PDEVOBJ_vGetDeviceCaps(pdc->ppdev, &devcaps);
/* Unlock the DC */
DC_UnlockDc(pdc);
/* Copy data to caller */
_SEH2_TRY
{
ProbeForWrite(pDevCaps, sizeof(DEVCAPS), 1);
RtlCopyMemory(pDevCaps, &devcaps, sizeof(DEVCAPS));
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
SetLastNtError(_SEH2_GetExceptionCode());
bResult = FALSE;
}
_SEH2_END;
return bResult;
}
//
// Queries and user-suplyed buffer from the IRP.
// Performs read\write check if needed.
//
static NTSTATUS ProbeAndGetIrpUserBuffer(PIRP Irp, PVOID* pUserBuffer, ULONG Length, BOOL bWrite)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
PVOID UserBuffer;
if (!Irp->MdlAddress)
{
UserBuffer = Irp->UserBuffer;
if (Irp->RequestorMode != KernelMode)
{
__try
{
if (bWrite)
ProbeForWrite(UserBuffer, Length, sizeof(UCHAR));
else
ProbeForRead(UserBuffer, Length, sizeof(UCHAR));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
ntStatus = GetExceptionCode();
}
} // if (Irp->RequestorMode != KernelMode)
static BOOLEAN _OnDriverNameWatchEnum(PWCHAR String, PVOID Data, PVOID Context)
{
SIZE_T len = 0;
SIZE_T requiredLength = 0;
PDRIVER_NAME_WATCH_RECORD rec = (PDRIVER_NAME_WATCH_RECORD)Data;
PDRIVER_NAME_WATCH_ENUM_CONTEXT ctx = (PDRIVER_NAME_WATCH_ENUM_CONTEXT)Context;
DEBUG_ENTER_FUNCTION("String=\"%S\"; Data=0x%p; Context=0x%p", String, Data, Context);
if (NT_SUCCESS(ctx->Status)) {
len = wcslen(String)*sizeof(WCHAR);
requiredLength = sizeof(DRIVER_NAME_WATCH_ENTRY) + len;
if (ctx->RemainingLength >= requiredLength) {
if (ctx->AccessMode == UserMode) {
__try {
ProbeForWrite(ctx->CurrentEntry, requiredLength, 1);
ctx->CurrentEntry->MonitorSettings = rec->MonitorSettings;
ctx->CurrentEntry->NameLength = (ULONG)len;
memcpy(ctx->CurrentEntry + 1, String, len);
} __except (EXCEPTION_EXECUTE_HANDLER) {
ctx->Status = GetExceptionCode();
}
} else {
NTSTATUS
NTAPI
NpTransceive(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PLIST_ENTRY List)
{
PIO_STACK_LOCATION IoStack;
PVOID InBuffer, OutBuffer;
ULONG InLength, OutLength, BytesWritten;
NODE_TYPE_CODE NodeTypeCode;
PNP_CCB Ccb;
ULONG NamedPipeEnd;
PNP_NONPAGED_CCB NonPagedCcb;
PNP_DATA_QUEUE ReadQueue, WriteQueue;
PNP_EVENT_BUFFER EventBuffer;
NTSTATUS Status;
PIRP NewIrp;
PAGED_CODE();
IoStack = IoGetCurrentIrpStackLocation(Irp);
InLength = IoStack->Parameters.FileSystemControl.InputBufferLength;
InBuffer = IoStack->Parameters.FileSystemControl.Type3InputBuffer;
OutLength = IoStack->Parameters.FileSystemControl.OutputBufferLength;
OutBuffer = Irp->UserBuffer;
if (Irp->RequestorMode == UserMode)
{
_SEH2_TRY
{
ProbeForRead(InBuffer, InLength, sizeof(CHAR));
ProbeForWrite(OutBuffer, OutLength, sizeof(CHAR));
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
}
