BOOLEAN
NTAPI
KdpStub(IN PKTRAP_FRAME TrapFrame,
IN PKEXCEPTION_FRAME ExceptionFrame,
IN PEXCEPTION_RECORD ExceptionRecord,
IN PCONTEXT ContextRecord,
IN KPROCESSOR_MODE PreviousMode,
IN BOOLEAN SecondChanceException)
{
ULONG_PTR ExceptionCommand = ExceptionRecord->ExceptionInformation[0];
/* Check if this was a breakpoint due to DbgPrint or Load/UnloadSymbols */
if ((ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT) &&
(ExceptionRecord->NumberParameters > 0) &&
((ExceptionCommand == BREAKPOINT_LOAD_SYMBOLS) ||
(ExceptionCommand == BREAKPOINT_UNLOAD_SYMBOLS) ||
(ExceptionCommand == BREAKPOINT_COMMAND_STRING) ||
(ExceptionCommand == BREAKPOINT_PRINT)))
{
/* This we can handle: simply bump the Program Counter */
KeSetContextPc(ContextRecord,
KeGetContextPc(ContextRecord) + KD_BREAKPOINT_SIZE);
return TRUE;
}
else if (KdPitchDebugger)
{
/* There's no debugger, fail. */
return FALSE;
}
else if ((KdAutoEnableOnEvent) &&
(KdPreviouslyEnabled) &&
!(KdDebuggerEnabled) &&
(NT_SUCCESS(KdEnableDebugger())) &&
(KdDebuggerEnabled))
{
/* Debugging was Auto-Enabled. We can now send this to KD. */
return KdpTrap(TrapFrame,
ExceptionFrame,
ExceptionRecord,
ContextRecord,
PreviousMode,
SecondChanceException);
}
else
{
/* FIXME: All we can do in this case is trace this exception */
return FALSE;
}
}
NTSTATUS
NTAPI
PspCreateThread(OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
IN PEPROCESS TargetProcess,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended,
IN PKSTART_ROUTINE StartRoutine OPTIONAL,
IN PVOID StartContext OPTIONAL)
{
HANDLE hThread;
PEPROCESS Process;
PETHREAD Thread;
PTEB TebBase = NULL;
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
NTSTATUS Status, AccessStatus;
HANDLE_TABLE_ENTRY CidEntry;
ACCESS_STATE LocalAccessState;
PACCESS_STATE AccessState = &LocalAccessState;
AUX_ACCESS_DATA AuxData;
BOOLEAN Result, SdAllocated;
PSECURITY_DESCRIPTOR SecurityDescriptor;
SECURITY_SUBJECT_CONTEXT SubjectContext;
PAGED_CODE();
PSTRACE(PS_THREAD_DEBUG,
"ThreadContext: %p TargetProcess: %p ProcessHandle: %p\n",
ThreadContext, TargetProcess, ProcessHandle);
/* If we were called from PsCreateSystemThread, then we're kernel mode */
if (StartRoutine) PreviousMode = KernelMode;
/* Reference the Process by handle or pointer, depending on what we got */
if (ProcessHandle)
{
/* Normal thread or System Thread */
Status = ObReferenceObjectByHandle(ProcessHandle,
PROCESS_CREATE_THREAD,
PsProcessType,
PreviousMode,
(PVOID*)&Process,
NULL);
PSREFTRACE(Process);
}
else
{
/* System thread inside System Process, or Normal Thread with a bug */
if (StartRoutine)
{
/* Reference the Process by Pointer */
ObReferenceObject(TargetProcess);
Process = TargetProcess;
Status = STATUS_SUCCESS;
}
else
{
/* Fake ObReference returning this */
Status = STATUS_INVALID_HANDLE;
}
}
/* Check for success */
if (!NT_SUCCESS(Status)) return Status;
/* Also make sure that User-Mode isn't trying to create a system thread */
if ((PreviousMode != KernelMode) && (Process == PsInitialSystemProcess))
{
/* Fail */
ObDereferenceObject(Process);
return STATUS_INVALID_HANDLE;
}
/* Create Thread Object */
Status = ObCreateObject(PreviousMode,
PsThreadType,
ObjectAttributes,
PreviousMode,
NULL,
sizeof(ETHREAD),
0,
0,
(PVOID*)&Thread);
if (!NT_SUCCESS(Status))
{
/* We failed; dereference the process and exit */
ObDereferenceObject(Process);
return Status;
}
/* Zero the Object entirely */
RtlZeroMemory(Thread, sizeof(ETHREAD));
/* Initialize rundown protection */
ExInitializeRundownProtection(&Thread->RundownProtect);
/* Initialize exit code */
Thread->ExitStatus = STATUS_PENDING;
/* Set the Process CID */
Thread->ThreadsProcess = Process;
Thread->Cid.UniqueProcess = Process->UniqueProcessId;
/* Create Cid Handle */
CidEntry.Object = Thread;
CidEntry.GrantedAccess = 0;
Thread->Cid.UniqueThread = ExCreateHandle(PspCidTable, &CidEntry);
if (!Thread->Cid.UniqueThread)
{
/* We couldn't create the CID, dereference the thread and fail */
ObDereferenceObject(Thread);
return STATUS_INSUFFICIENT_RESOURCES;
}
/* Save the read cluster size */
Thread->ReadClusterSize = MmReadClusterSize;
/* Initialize the LPC Reply Semaphore */
KeInitializeSemaphore(&Thread->LpcReplySemaphore, 0, 1);
/* Initialize the list heads and locks */
InitializeListHead(&Thread->LpcReplyChain);
InitializeListHead(&Thread->IrpList);
InitializeListHead(&Thread->PostBlockList);
InitializeListHead(&Thread->ActiveTimerListHead);
KeInitializeSpinLock(&Thread->ActiveTimerListLock);
/* Acquire rundown protection */
if (!ExAcquireRundownProtection (&Process->RundownProtect))
{
/* Fail */
ObDereferenceObject(Thread);
return STATUS_PROCESS_IS_TERMINATING;
}
/* Now let the kernel initialize the context */
if (ThreadContext)
{
/* User-mode Thread, create Teb */
Status = MmCreateTeb(Process, &Thread->Cid, InitialTeb, &TebBase);
if (!NT_SUCCESS(Status))
{
/* Failed to create the TEB. Release rundown and dereference */
ExReleaseRundownProtection(&Process->RundownProtect);
ObDereferenceObject(Thread);
return Status;
}
/* Set the Start Addresses from the untrusted ThreadContext */
_SEH2_TRY
{
Thread->StartAddress = (PVOID)KeGetContextPc(ThreadContext);
Thread->Win32StartAddress = (PVOID)KeGetContextReturnRegister(ThreadContext);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
/* Let the kernel intialize the Thread */
if (NT_SUCCESS(Status))
{
Status = KeInitThread(&Thread->Tcb,
NULL,
PspUserThreadStartup,
NULL,
Thread->StartAddress,
ThreadContext,
TebBase,
&Process->Pcb);
}
}
else
{
BOOLEAN
NTAPI
KdpEnterDebuggerException(IN PKTRAP_FRAME TrapFrame,
IN PKEXCEPTION_FRAME ExceptionFrame,
IN PEXCEPTION_RECORD ExceptionRecord,
IN PCONTEXT Context,
IN KPROCESSOR_MODE PreviousMode,
IN BOOLEAN SecondChance)
{
KD_CONTINUE_TYPE Return = kdHandleException;
ULONG ExceptionCommand = ExceptionRecord->ExceptionInformation[0];
/* Check if this was a breakpoint due to DbgPrint or Load/UnloadSymbols */
if ((ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT) &&
(ExceptionRecord->NumberParameters > 0) &&
((ExceptionCommand == BREAKPOINT_LOAD_SYMBOLS) ||
(ExceptionCommand == BREAKPOINT_UNLOAD_SYMBOLS) ||
(ExceptionCommand == BREAKPOINT_COMMAND_STRING) ||
(ExceptionCommand == BREAKPOINT_PRINT) ||
(ExceptionCommand == BREAKPOINT_PROMPT)))
{
/* Check if this is a debug print */
if (ExceptionCommand == BREAKPOINT_PRINT)
{
/* Print the string */
KdpServiceDispatcher(BREAKPOINT_PRINT,
(PVOID)ExceptionRecord->ExceptionInformation[1],
ExceptionRecord->ExceptionInformation[2]);
/* Return success */
KeSetContextReturnRegister(Context, STATUS_SUCCESS);
}
#ifdef KDBG
else if (ExceptionCommand == BREAKPOINT_LOAD_SYMBOLS)
{
PLDR_DATA_TABLE_ENTRY LdrEntry;
/* Load symbols. Currently implemented only for KDBG! */
if(KdbpSymFindModule(((PKD_SYMBOLS_INFO)ExceptionRecord->ExceptionInformation[2])->BaseOfDll, NULL, -1, &LdrEntry))
KdbSymProcessSymbols(LdrEntry);
}
else if (ExceptionCommand == BREAKPOINT_PROMPT)
{
ULONG ReturnValue;
LPSTR OutString;
USHORT OutStringLength;
/* Get the response string and length */
OutString = (LPSTR)Context->Ebx;
OutStringLength = (USHORT)Context->Edi;
/* Call KDBG */
ReturnValue = KdpPrompt((LPSTR)ExceptionRecord->
ExceptionInformation[1],
(USHORT)ExceptionRecord->
ExceptionInformation[2],
OutString,
OutStringLength);
/* Return the number of characters that we received */
Context->Eax = ReturnValue;
}
#endif
/* This we can handle: simply bump the Program Counter */
KeSetContextPc(Context, KeGetContextPc(Context) + KD_BREAKPOINT_SIZE);
return TRUE;
}
#ifdef KDBG
/* Check if this is an assertion failure */
if (ExceptionRecord->ExceptionCode == STATUS_ASSERTION_FAILURE)
{
/* Bump EIP to the instruction following the int 2C */
Context->Eip += 2;
}
#endif
/* Get out of here if the Debugger isn't connected */
if (KdDebuggerNotPresent) return FALSE;
#ifdef KDBG
/* Call KDBG if available */
Return = KdbEnterDebuggerException(ExceptionRecord,
PreviousMode,
Context,
TrapFrame,
!SecondChance);
#else /* not KDBG */
if (WrapperInitRoutine)
{
/* Call GDB */
Return = WrapperTable.KdpExceptionRoutine(ExceptionRecord,
Context,
TrapFrame);
}
#endif /* not KDBG */
/* Debugger didn't handle it, please handle! */
if (Return == kdHandleException) return FALSE;
/* Debugger handled it */
return TRUE;
}
BOOLEAN
NTAPI
KdpTrap(IN PKTRAP_FRAME TrapFrame,
IN PKEXCEPTION_FRAME ExceptionFrame,
IN PEXCEPTION_RECORD ExceptionRecord,
IN PCONTEXT ContextRecord,
IN KPROCESSOR_MODE PreviousMode,
IN BOOLEAN SecondChanceException)
{
BOOLEAN Unload = FALSE;
ULONG_PTR ProgramCounter;
BOOLEAN Handled;
NTSTATUS ReturnStatus;
USHORT ReturnLength;
/*
* Check if we got a STATUS_BREAKPOINT with a SubID for Print, Prompt or
* Load/Unload symbols. Make sure it isn't a software breakpoints as those
* are handled by KdpReport.
*/
if ((ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT) &&
(ExceptionRecord->ExceptionInformation[0] != BREAKPOINT_BREAK))
{
/* Save Program Counter */
ProgramCounter = KeGetContextPc(ContextRecord);
/* Check what kind of operation was requested from us */
switch (ExceptionRecord->ExceptionInformation[0])
{
/* DbgPrint */
case BREAKPOINT_PRINT:
/* Call the worker routine */
ReturnStatus = KdpPrint((ULONG)KdpGetParameterThree(ContextRecord),
(ULONG)KdpGetParameterFour(ContextRecord),
(LPSTR)ExceptionRecord->
ExceptionInformation[1],
(USHORT)ExceptionRecord->
ExceptionInformation[2],
PreviousMode,
TrapFrame,
ExceptionFrame,
&Handled);
/* Update the return value for the caller */
KeSetContextReturnRegister(ContextRecord, ReturnStatus);
break;
/* DbgPrompt */
case BREAKPOINT_PROMPT:
/* Call the worker routine */
ReturnLength = KdpPrompt((LPSTR)ExceptionRecord->
ExceptionInformation[1],
(USHORT)ExceptionRecord->
ExceptionInformation[2],
(LPSTR)KdpGetParameterThree(ContextRecord),
(USHORT)KdpGetParameterFour(ContextRecord),
PreviousMode,
TrapFrame,
ExceptionFrame);
Handled = TRUE;
/* Update the return value for the caller */
KeSetContextReturnRegister(ContextRecord, ReturnLength);
break;
/* DbgUnLoadImageSymbols */
case BREAKPOINT_UNLOAD_SYMBOLS:
/* Drop into the load case below, with the unload parameter */
Unload = TRUE;
/* DbgLoadImageSymbols */
case BREAKPOINT_LOAD_SYMBOLS:
/* Call the worker routine */
KdpSymbol((PSTRING)ExceptionRecord->
ExceptionInformation[1],
(PKD_SYMBOLS_INFO)ExceptionRecord->
ExceptionInformation[2],
Unload,
PreviousMode,
ContextRecord,
TrapFrame,
ExceptionFrame);
Handled = TRUE;
break;
/* DbgCommandString */
case BREAKPOINT_COMMAND_STRING:
/* Call the worker routine */
KdpCommandString((PSTRING)ExceptionRecord->
ExceptionInformation[1],
(PSTRING)ExceptionRecord->
ExceptionInformation[2],
PreviousMode,
ContextRecord,
TrapFrame,
ExceptionFrame);
Handled = TRUE;
break;
/* Anything else, do nothing */
default:
/* Invalid debug service! Don't handle this! */
Handled = FALSE;
break;
}
/*
* If the PC was not updated, we'll increment it ourselves so execution
* continues past the breakpoint.
*/
if (ProgramCounter == KeGetContextPc(ContextRecord))
{
/* Update it */
KeSetContextPc(ContextRecord,
ProgramCounter + KD_BREAKPOINT_SIZE);
}
}
else
{
/* Call the worker routine */
Handled = KdpReport(TrapFrame,
ExceptionFrame,
ExceptionRecord,
ContextRecord,
PreviousMode,
SecondChanceException);
}
/* Return TRUE or FALSE to caller */
return Handled;
}
NTSTATUS
NTAPI
PspCreateThread(OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
IN PEPROCESS TargetProcess,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended,
IN PKSTART_ROUTINE StartRoutine OPTIONAL,
IN PVOID StartContext OPTIONAL)
{
HANDLE hThread;
PEPROCESS Process;
PETHREAD Thread;
PTEB TebBase = NULL;
KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
NTSTATUS Status, AccessStatus;
HANDLE_TABLE_ENTRY CidEntry;
ACCESS_STATE LocalAccessState;
PACCESS_STATE AccessState = &LocalAccessState;
AUX_ACCESS_DATA AuxData;
BOOLEAN Result, SdAllocated;
PSECURITY_DESCRIPTOR SecurityDescriptor;
SECURITY_SUBJECT_CONTEXT SubjectContext;
PAGED_CODE();
PSTRACE(PS_THREAD_DEBUG,
"ThreadContext: %p TargetProcess: %p ProcessHandle: %p\n",
ThreadContext, TargetProcess, ProcessHandle);
/* If we were called from PsCreateSystemThread, then we're kernel mode */
if (StartRoutine) PreviousMode = KernelMode;
/* Reference the Process by handle or pointer, depending on what we got */
if (ProcessHandle)
{
/* Normal thread or System Thread */
Status = ObReferenceObjectByHandle(ProcessHandle,
PROCESS_CREATE_THREAD,
PsProcessType,
PreviousMode,
(PVOID*)&Process,
NULL);
PSREFTRACE(Process);
}
else
{
/* System thread inside System Process, or Normal Thread with a bug */
if (StartRoutine)
{
/* Reference the Process by Pointer */
ObReferenceObject(TargetProcess);
Process = TargetProcess;
Status = STATUS_SUCCESS;
}
else
{
/* Fake ObReference returning this */
Status = STATUS_INVALID_HANDLE;
}
}
/* Check for success */
if (!NT_SUCCESS(Status)) return Status;
/* Also make sure that User-Mode isn't trying to create a system thread */
if ((PreviousMode != KernelMode) && (Process == PsInitialSystemProcess))
{
/* Fail */
ObDereferenceObject(Process);
return STATUS_INVALID_HANDLE;
}
/* Create Thread Object */
Status = ObCreateObject(PreviousMode,
PsThreadType,
ObjectAttributes,
PreviousMode,
NULL,
sizeof(ETHREAD),
0,
0,
(PVOID*)&Thread);
if (!NT_SUCCESS(Status))
{
/* We failed; dereference the process and exit */
ObDereferenceObject(Process);
return Status;
}
/* Zero the Object entirely */
RtlZeroMemory(Thread, sizeof(ETHREAD));
/* Initialize rundown protection */
ExInitializeRundownProtection(&Thread->RundownProtect);
/* Initialize exit code */
Thread->ExitStatus = STATUS_PENDING;
/* Set the Process CID */
Thread->ThreadsProcess = Process;
Thread->Cid.UniqueProcess = Process->UniqueProcessId;
/* Create Cid Handle */
CidEntry.Object = Thread;
CidEntry.GrantedAccess = 0;
Thread->Cid.UniqueThread = ExCreateHandle(PspCidTable, &CidEntry);
if (!Thread->Cid.UniqueThread)
{
/* We couldn't create the CID, dereference the thread and fail */
ObDereferenceObject(Thread);
return STATUS_INSUFFICIENT_RESOURCES;
}
/* Save the read cluster size */
Thread->ReadClusterSize = MmReadClusterSize;
/* Initialize the LPC Reply Semaphore */
KeInitializeSemaphore(&Thread->LpcReplySemaphore, 0, 1);
/* Initialize the list heads and locks */
InitializeListHead(&Thread->LpcReplyChain);
InitializeListHead(&Thread->IrpList);
InitializeListHead(&Thread->PostBlockList);
InitializeListHead(&Thread->ActiveTimerListHead);
KeInitializeSpinLock(&Thread->ActiveTimerListLock);
/* Acquire rundown protection */
if (!ExAcquireRundownProtection (&Process->RundownProtect))
{
/* Fail */
ObDereferenceObject(Thread);
return STATUS_PROCESS_IS_TERMINATING;
}
/* Now let the kernel initialize the context */
if (ThreadContext)
{
/* User-mode Thread, create Teb */
Status = MmCreateTeb(Process, &Thread->Cid, InitialTeb, &TebBase);
if (!NT_SUCCESS(Status))
{
/* Failed to create the TEB. Release rundown and dereference */
ExReleaseRundownProtection(&Process->RundownProtect);
ObDereferenceObject(Thread);
return Status;
}
/* Set the Start Addresses */
Thread->StartAddress = (PVOID)KeGetContextPc(ThreadContext);
Thread->Win32StartAddress = (PVOID)KeGetContextReturnRegister(ThreadContext);
/* Let the kernel intialize the Thread */
Status = KeInitThread(&Thread->Tcb,
NULL,
PspUserThreadStartup,
NULL,
Thread->StartAddress,
ThreadContext,
TebBase,
&Process->Pcb);
}
else
{
/* System Thread */
Thread->StartAddress = StartRoutine;
PspSetCrossThreadFlag(Thread, CT_SYSTEM_THREAD_BIT);
/* Let the kernel intialize the Thread */
Status = KeInitThread(&Thread->Tcb,
NULL,
PspSystemThreadStartup,
StartRoutine,
StartContext,
NULL,
NULL,
&Process->Pcb);
}
/* Check if we failed */
if (!NT_SUCCESS(Status))
{
/* Delete the TEB if we had done */
if (TebBase) MmDeleteTeb(Process, TebBase);
/* Release rundown and dereference */
ExReleaseRundownProtection(&Process->RundownProtect);
ObDereferenceObject(Thread);
return Status;
}
/* Lock the process */
KeEnterCriticalRegion();
ExAcquirePushLockExclusive(&Process->ProcessLock);
/* Make sure the proces didn't just die on us */
if (Process->ProcessDelete) goto Quickie;
/* Check if the thread was ours, terminated and it was user mode */
if ((Thread->Terminated) &&
(ThreadContext) &&
(Thread->ThreadsProcess == Process))
{
/* Cleanup, we don't want to start it up and context switch */
goto Quickie;
}
/*
* Insert the Thread into the Process's Thread List
* Note, this is the ETHREAD Thread List. It is removed in
* ps/kill.c!PspExitThread.
*/
InsertTailList(&Process->ThreadListHead, &Thread->ThreadListEntry);
Process->ActiveThreads++;
/* Start the thread */
KeStartThread(&Thread->Tcb);
/* Release the process lock */
ExReleasePushLockExclusive(&Process->ProcessLock);
KeLeaveCriticalRegion();
/* Release rundown */
ExReleaseRundownProtection(&Process->RundownProtect);
/* Notify WMI */
//WmiTraceProcess(Process, TRUE);
//WmiTraceThread(Thread, InitialTeb, TRUE);
/* Notify Thread Creation */
PspRunCreateThreadNotifyRoutines(Thread, TRUE);
/* Reference ourselves as a keep-alive */
ObReferenceObjectEx(Thread, 2);
/* Suspend the Thread if we have to */
if (CreateSuspended) KeSuspendThread(&Thread->Tcb);
/* Check if we were already terminated */
if (Thread->Terminated) KeForceResumeThread(&Thread->Tcb);
/* Create an access state */
Status = SeCreateAccessStateEx(NULL,
ThreadContext ?
PsGetCurrentProcess() : Process,
&LocalAccessState,
&AuxData,
DesiredAccess,
&PsThreadType->TypeInfo.GenericMapping);
if (!NT_SUCCESS(Status))
{
/* Access state failed, thread is dead */
PspSetCrossThreadFlag(Thread, CT_DEAD_THREAD_BIT);
/* If we were suspended, wake it up */
if (CreateSuspended) KeResumeThread(&Thread->Tcb);
/* Dispatch thread */
KeReadyThread(&Thread->Tcb);
/* Dereference completely to kill it */
ObDereferenceObjectEx(Thread, 2);
return Status;
}
/* Insert the Thread into the Object Manager */
Status = ObInsertObject(Thread,
AccessState,
DesiredAccess,
0,
NULL,
&hThread);
/* Delete the access state if we had one */
if (AccessState) SeDeleteAccessState(AccessState);
/* Check for success */
if (NT_SUCCESS(Status))
{
/* Wrap in SEH to protect against bad user-mode pointers */
_SEH2_TRY
{
/* Return Cid and Handle */
if (ClientId) *ClientId = Thread->Cid;
*ThreadHandle = hThread;
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
/* Thread insertion failed, thread is dead */
PspSetCrossThreadFlag(Thread, CT_DEAD_THREAD_BIT);
/* If we were suspended, wake it up */
if (CreateSuspended) KeResumeThread(&Thread->Tcb);
/* Dispatch thread */
KeReadyThread(&Thread->Tcb);
/* Dereference it, leaving only the keep-alive */
ObDereferenceObject(Thread);
/* Close its handle, killing it */
ObCloseHandle(ThreadHandle, PreviousMode);
/* Return the exception code */
_SEH2_YIELD(return _SEH2_GetExceptionCode());
}
_SEH2_END;
}
else
{
