DECLSPEC_NOINLINE
VOID
KiContinuePreviousModeUser (
IN PCONTEXT ContextRecord,
IN PKEXCEPTION_FRAME ExceptionFrame,
IN PKTRAP_FRAME TrapFrame
)
/*++
Routine Description:
This function is called to copy the specified context record when the
previous mode is user. Its only purpose is to save stack space in the
caller.
N.B. This routine assumes that the caller has protected access to the
specified context record.
Arguments:
ContextRecord - Supplies a pointer to a context record.
ExceptionFrame - Supplies a pointer to an exception frame.
TrapFrame - Supplies a pointer to a trap frame.
Return Value:
None.
--*/
{
CONTEXT ContextRecord2;
//
// Probe and copy the context record to a stack local context record.
//
ProbeForReadSmallStructure(ContextRecord, sizeof(CONTEXT), CONTEXT_ALIGN);
RtlCopyMemory(&ContextRecord2, ContextRecord, sizeof(CONTEXT));
//
// Move information from the context record to the exception and trap
// frames.
//
KeContextToKframes(TrapFrame,
ExceptionFrame,
&ContextRecord2,
ContextRecord2.ContextFlags,
UserMode);
return;
}
NTSTATUS
NtImpersonateThread(
__in HANDLE ServerThreadHandle,
__in HANDLE ClientThreadHandle,
__in PSECURITY_QUALITY_OF_SERVICE SecurityQos
)
/*++
Routine Description:
This routine is used to cause the server thread to impersonate the client
thread. The impersonation is done according to the specified quality
of service parameters.
Arguments:
ServerThreadHandle - Is a handle to the server thread (the impersonator, or
doing the impersonation). This handle must be open for
THREAD_IMPERSONATE access.
ClientThreadHandle - Is a handle to the Client thread (the impersonatee, or
one being impersonated). This handle must be open for
THREAD_DIRECT_IMPERSONATION access.
SecurityQos - A pointer to security quality of service information
indicating what form of impersonation is to be performed.
Return Value:
STATUS_SUCCESS - Indicates the call completed successfully.
--*/
{
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PETHREAD ClientThread, ServerThread;
SECURITY_QUALITY_OF_SERVICE CapturedQos;
SECURITY_CLIENT_CONTEXT ClientSecurityContext;
//
// Get previous processor mode and probe and capture arguments if necessary
//
PreviousMode = KeGetPreviousMode();
try {
if (PreviousMode != KernelMode) {
ProbeForReadSmallStructure (SecurityQos,
sizeof (SECURITY_QUALITY_OF_SERVICE),
sizeof (ULONG));
}
CapturedQos = *SecurityQos;
} except (ExSystemExceptionFilter ()) {
return GetExceptionCode ();
}
//
// Reference the client thread, checking for appropriate access.
//
Status = ObReferenceObjectByHandle (ClientThreadHandle, // Handle
THREAD_DIRECT_IMPERSONATION, // DesiredAccess
PsThreadType, // ObjectType
PreviousMode, // AccessMode
&ClientThread, // Object
NULL); // GrantedAccess
if (!NT_SUCCESS (Status)) {
return Status;
}
//
// Reference the client thread, checking for appropriate access.
//
Status = ObReferenceObjectByHandle (ServerThreadHandle, // Handle
THREAD_IMPERSONATE, // DesiredAccess
PsThreadType, // ObjectType
PreviousMode, // AccessMode
&ServerThread, // Object
NULL); // GrantedAccess
if (!NT_SUCCESS (Status)) {
ObDereferenceObject (ClientThread);
return Status;
}
//
// Get the client's security context
//
Status = SeCreateClientSecurity (ClientThread, // ClientThread
&CapturedQos, // SecurityQos
FALSE, // ServerIsRemote
&ClientSecurityContext); // ClientContext
if (!NT_SUCCESS (Status)) {
ObDereferenceObject (ServerThread);
ObDereferenceObject (ClientThread);
return Status;
}
//
// Impersonate the client
//
Status = SeImpersonateClientEx (&ClientSecurityContext, ServerThread);
SeDeleteClientSecurity (&ClientSecurityContext);
//
// Done.
//
ObDereferenceObject (ServerThread);
ObDereferenceObject (ClientThread);
return Status ;
}
NTSTATUS
ObpCaptureObjectCreateInformation (
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE ProbeMode,
IN KPROCESSOR_MODE CreatorMode,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN OUT PUNICODE_STRING CapturedObjectName,
IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,
IN LOGICAL UseLookaside
)
/*++
Routine Description:
This function captures the object creation information and stuff
it into the input variable ObjectCreateInfo
Arguments:
ObjectType - Specifies the type of object we expect to capture,
currently ignored.
ProbeMode - Specifies the processor mode for doing our parameter
probes
CreatorMode - Specifies the mode the object is being created for
ObjectAttributes - Supplies the object attributes we are trying
to capture
CapturedObjectName - Receives the name of the object being created
ObjectCreateInfo - Receives the create information for the object
like its root, attributes, and security information
UseLookaside - Specifies if we are to allocate the captured name
buffer from the lookaside list or from straight pool.
Return Value:
An appropriate status value
--*/
{
PUNICODE_STRING ObjectName;
PSECURITY_DESCRIPTOR SecurityDescriptor;
PSECURITY_QUALITY_OF_SERVICE SecurityQos;
NTSTATUS Status;
ULONG Size;
PAGED_CODE();
UNREFERENCED_PARAMETER (ObjectType);
//
// Capture the object attributes, the security quality of service, if
// specified, and object name, if specified.
//
Status = STATUS_SUCCESS;
RtlZeroMemory(ObjectCreateInfo, sizeof(OBJECT_CREATE_INFORMATION));
try {
if (ARGUMENT_PRESENT(ObjectAttributes)) {
//
// Probe the object attributes if necessary.
//
if (ProbeMode != KernelMode) {
ProbeForReadSmallStructure( ObjectAttributes,
sizeof(OBJECT_ATTRIBUTES),
sizeof(ULONG_PTR) );
}
if (ObjectAttributes->Length != sizeof(OBJECT_ATTRIBUTES) ||
(ObjectAttributes->Attributes & ~OBJ_ALL_VALID_ATTRIBUTES)) {
Status = STATUS_INVALID_PARAMETER;
goto failureExit;
}
//
// Capture the object attributes.
//
ObjectCreateInfo->RootDirectory = ObjectAttributes->RootDirectory;
ObjectCreateInfo->Attributes = ObjectAttributes->Attributes & OBJ_ALL_VALID_ATTRIBUTES;
//
// Remove privileged option if passed in from user mode
//
if (CreatorMode != KernelMode) {
ObjectCreateInfo->Attributes &= ~OBJ_KERNEL_HANDLE;
} else if (ObWatchHandles) {
if ((ObjectCreateInfo->Attributes&OBJ_KERNEL_HANDLE) == 0 &&
PsGetCurrentProcess() != PsInitialSystemProcess) {
DbgBreakPoint ();
}
}
ObjectName = ObjectAttributes->ObjectName;
SecurityDescriptor = ObjectAttributes->SecurityDescriptor;
SecurityQos = ObjectAttributes->SecurityQualityOfService;
if (ARGUMENT_PRESENT(SecurityDescriptor)) {
Status = SeCaptureSecurityDescriptor( SecurityDescriptor,
ProbeMode,
PagedPool,
TRUE,
&ObjectCreateInfo->SecurityDescriptor );
if (!NT_SUCCESS(Status)) {
KdPrint(( "OB: Failed to capture security descriptor at %08x - Status == %08x\n",
SecurityDescriptor,
Status) );
//
// The cleanup routine depends on this being NULL if it isn't
// allocated. SeCaptureSecurityDescriptor may modify this
// parameter even if it fails.
//
ObjectCreateInfo->SecurityDescriptor = NULL;
goto failureExit;
}
SeComputeQuotaInformationSize( ObjectCreateInfo->SecurityDescriptor,
&Size );
ObjectCreateInfo->SecurityDescriptorCharge = SeComputeSecurityQuota( Size );
ObjectCreateInfo->ProbeMode = ProbeMode;
}
if (ARGUMENT_PRESENT(SecurityQos)) {
if (ProbeMode != KernelMode) {
ProbeForReadSmallStructure( SecurityQos, sizeof(*SecurityQos), sizeof(ULONG));
}
ObjectCreateInfo->SecurityQualityOfService = *SecurityQos;
ObjectCreateInfo->SecurityQos = &ObjectCreateInfo->SecurityQualityOfService;
}
} else {
ObjectName = NULL;
}
} except (ExSystemExceptionFilter()) {
Status = GetExceptionCode();
goto failureExit;
}
//
// If an object name is specified, then capture the object name.
// Otherwise, initialize the object name descriptor and check for
// an incorrectly specified root directory.
//
if (ARGUMENT_PRESENT(ObjectName)) {
Status = ObpCaptureObjectName( ProbeMode,
ObjectName,
CapturedObjectName,
UseLookaside );
} else {
CapturedObjectName->Buffer = NULL;
CapturedObjectName->Length = 0;
CapturedObjectName->MaximumLength = 0;
if (ARGUMENT_PRESENT(ObjectCreateInfo->RootDirectory)) {
Status = STATUS_OBJECT_NAME_INVALID;
}
}
//
// If the completion status is not successful, and a security quality
// of service parameter was specified, then free the security quality
// of service memory.
//
failureExit:
if (!NT_SUCCESS(Status)) {
ObpReleaseObjectCreateInformation(ObjectCreateInfo);
}
return Status;
}
NTSTATUS
KiContinueEx (
IN PCONTEXT ContextRecord,
IN BOOLEAN TestAlert,
IN PKEXCEPTION_FRAME ExceptionFrame,
IN PKTRAP_FRAME TrapFrame
)
/*++
Routine Description:
This function is called to copy the specified context frame to the
specified exception and trap frames for the continue system service.
N.B. If the previous mode is user mode, alerts are being tested, a user
APC is available to execute, and the specified context record was
previously placed on the stack by the user APC initialization routine,
then bypass context record copy to the kernel frames and back again.
Arguments:
ContextRecord - Supplies a pointer to a context record.
TestAlert - Supplies a boolean value that determines whether a test alert
is to be performed.
ExceptionFrame - Supplies a pointer to an exception frame.
TrapFrame - Supplies a pointer to a trap frame.
Return Value:
STATUS_ACCESS_VIOLATION is returned if the context record is not readable
from user mode.
STATUS_DATATYPE_MISALIGNMENT is returned if the context record is not
properly aligned.
STATUS_SUCCESS + 1 is returned if the context frame is copied successfully
to the specified exception and trap frames.
STATUS_SUCCESS is returned if the context record copy was bypassed and
another user APC is ready to be delivered.
--*/
{
KIRQL OldIrql;
NTSTATUS Status;
PKTHREAD Thread;
ULONG64 UserStack;
//
// Synchronize with other context operations.
//
// If the current IRQL is less than APC_LEVEL, then raise IRQL to APC level.
//
OldIrql = KeGetCurrentIrql();
if (OldIrql < APC_LEVEL) {
KfRaiseIrql(APC_LEVEL);
}
//
// If the previous mode was not kernel mode, then attempt to bypass
// the copy of the context record. Otherwise, copy context to kernel
// frames directly.
//
Status = STATUS_SUCCESS + 1;
Thread = KeGetCurrentThread();
if (Thread->PreviousMode != KernelMode) {
try {
if (TestAlert != FALSE) {
ProbeForWriteSmallStructure(ContextRecord,
sizeof(CONTEXT),
CONTEXT_ALIGN);
KeTestAlertThread(UserMode);
UserStack = (ContextRecord->Rsp - sizeof(MACHINE_FRAME)) & ~STACK_ROUND;
if (((UserStack - sizeof(CONTEXT)) == (ULONG64)ContextRecord) &&
(Thread->ApcState.UserApcPending != FALSE)) {
//
// Save the context record and exception frame addresses
// in the trap frame and deliver the user APC bypassing
// the context copy.
//
TrapFrame->ContextRecord = (ULONG64)ContextRecord;
TrapFrame->ExceptionFrame = (ULONG64)ExceptionFrame;
KiDeliverApc(UserMode, NULL, TrapFrame);
Status = STATUS_SUCCESS;
leave;
}
} else {
ProbeForReadSmallStructure(ContextRecord,
sizeof(CONTEXT),
CONTEXT_ALIGN);
}
KiContinuePreviousModeUser(ContextRecord,
ExceptionFrame,
TrapFrame);
} except(EXCEPTION_EXECUTE_HANDLER) {
Status = GetExceptionCode();
}
} else {
NTSTATUS
NtReplyWaitReceivePortEx(
__in HANDLE PortHandle,
__out_opt PVOID *PortContext,
__in_opt PPORT_MESSAGE ReplyMessage,
__out PPORT_MESSAGE ReceiveMessage,
__in_opt PLARGE_INTEGER Timeout
)
/*++
Routine Description:
See NtReplyWaitReceivePort.
Arguments:
See NtReplyWaitReceivePort.
Timeout - Supplies an optional timeout value to use when waiting for a
receive.
Return Value:
See NtReplyWaitReceivePort.
--*/
{
PLPCP_PORT_OBJECT PortObject;
PLPCP_PORT_OBJECT ReceivePort;
PORT_MESSAGE CapturedReplyMessage;
KPROCESSOR_MODE PreviousMode;
KPROCESSOR_MODE WaitMode;
NTSTATUS Status;
PLPCP_MESSAGE Msg;
PETHREAD CurrentThread;
PETHREAD WakeupThread;
LARGE_INTEGER TimeoutValue ;
PLPCP_PORT_OBJECT ConnectionPort = NULL;
PAGED_CODE();
CurrentThread = PsGetCurrentThread();
TimeoutValue.QuadPart = 0 ;
//
// Get previous processor mode
//
PreviousMode = KeGetPreviousMode();
WaitMode = PreviousMode;
if (PreviousMode != KernelMode) {
try {
if (ARGUMENT_PRESENT( PortContext )) {
ProbeForWriteUlong( (PULONG)PortContext );
}
if (ARGUMENT_PRESENT( ReplyMessage)) {
ProbeForReadSmallStructure( ReplyMessage,
sizeof( *ReplyMessage ),
sizeof( ULONG ));
CapturedReplyMessage = *ReplyMessage;
}
if (ARGUMENT_PRESENT( Timeout )) {
TimeoutValue = ProbeAndReadLargeInteger( Timeout );
Timeout = &TimeoutValue ;
}
ProbeForWriteSmallStructure( ReceiveMessage,
sizeof( *ReceiveMessage ),
sizeof( ULONG ));
} except( EXCEPTION_EXECUTE_HANDLER ) {
return GetExceptionCode();
}
} else {
//
// Kernel mode threads call with wait mode of user so that their
// kernel // stacks are swappable. Main consumer of this is
// SepRmCommandThread
//
if ( IS_SYSTEM_THREAD(CurrentThread) ) {
NTSTATUS
NtAcceptConnectPort (
__out PHANDLE PortHandle,
__in_opt PVOID PortContext,
__in PPORT_MESSAGE ConnectionRequest,
__in BOOLEAN AcceptConnection,
__inout_opt PPORT_VIEW ServerView,
__out_opt PREMOTE_PORT_VIEW ClientView
)
/*++
Routine Description:
A server process can accept or reject a client connection request
using the NtAcceptConnectPort service.
The ConnectionRequest parameter must specify a connection request
returned by a previous call to the NtListenPort service. This
service will either complete the connection if the AcceptConnection
parameter is TRUE, or reject the connection request if the
AcceptConnection parameter is FALSE.
In either case, the contents of the data portion of the connection
request is the data to return to the caller of NtConnectPort.
If the connection request is accepted, then two communication port
objects will be created and connected together. One will be
inserted in the client process' handle table and returned to the
client via the PortHandle parameter it specified on the
NtConnectPort service. The other will be inserted in the server
process' handle table and returned via the PortHandle parameter
specified on the NtCompleteConnectPort service. In addition the
two communication ports (client and server) will be linked together.
If the connection request is accepted, and the ServerView parameter
was specified, then the section handle is examined. If it is valid,
then the portion of the section described by the SectionOffset and
ViewSize fields will be mapped into both the client and server
process address spaces. The address in server's address space will
be returned in the ViewBase field. The address in the client's
address space will be returned in the ViewRemoteBase field. The
actual offset and size used to map the section will be returned in
the SectionOffset and ViewSize fields.
Communication port objects are temporary objects that have no names
and cannot be inherited. When either the client or server process
calls the !f NtClose service for a communication port, the port will
be deleted since there can never be more than one outstanding handle
for each communication port. The port object type specific delete
procedure will then be invoked. This delete procedure will examine
the communication port, and if it is connected to another
communication port, it will queue an LPC_PORT_CLOSED datagram to
that port's message queue. This will allow both the client and
server processes to notice when a port becomes disconnected, either
because of an explicit call to NtClose or an implicit call due to
process termination. In addition, the delete procedure will scan
the message queue of the port being closed and for each message
still in the queue, it will return an ERROR_PORT_CLOSED status to
any thread that is waiting for a reply to the message.
Arguments:
PortHandle - A pointer to a variable that will receive the server
communication port object handle value.
PortContext - An uninterpreted pointer that is stored in the
server communication port. This pointer is returned whenever
a message is received for this port.
ConnectionRequest - A pointer to a structure that describes the
connection request being accepted or rejected:
The ConnectionRequest structure
ULONG Length - Specifies the size of this data structure in
bytes.
CLIENT_ID ClientId - Specifies a structure that contains the
client identifier (CLIENT_ID) of the thread that sent the
request.
The ClientId Structure
ULONG UniqueProcessId - A unique value for each process
in the system.
ULONG UniqueThreadId - A unique value for each thread in the
system.
ULONG MessageId - A unique value that identifies the connection
request being completed.
ULONG PortAttributes - This field has no meaning for this service.
ULONG ClientViewSize - This field has no meaning for this service.
AcceptConnection - Specifies a boolean value which indicates where
the connection request is being accepted or rejected. A value
of TRUE means that the connection request is accepted and a
server communication port handle will be created and connected
to the client's communication port handle. A value of FALSE
means that the connection request is not accepted.
ServerView - A pointer to a structure that specifies the section that
the server process will use to send messages back to the client
process connected to this port.
The ServerView Structure
ULONG Length - Specifies the size of this data structure in
bytes.
HANDLE SectionHandle - Specifies an open handle to a section
object.
ULONG SectionOffset - Specifies a field that will receive the
actual offset, in bytes, from the start of the section. The
initial value of this parameter specifies the byte offset
within the section that the client's view is based. The
value is rounded down to the next host page size boundary.
ULONG ViewSize - Specifies the size of the view, in bytes.
PVOID ViewBase - Specifies a field that will receive the base
address of the port memory in the server's address space.
PVOID ViewRemoteBase - Specifies a field that will receive
the base address of the server port's memory in the client's
address space. Used to generate pointers that are
meaningful to the client.
ClientView - An optional pointer to a structure that will receive
information about the client process' view in the server's
address space. The server process can use this information
to validate pointers it receives from the client process.
The ClientView Structure
ULONG Length - Specifies the size of this data structure in
bytes.
PVOID ViewBase - Specifies a field that will receive the base
address of the client port's memory in the server's address
space.
ULONG ViewSize - Specifies a field that will receive the
size, in bytes, of the client's view in the server's address
space. If this field is zero, then client has no view in
the server's address space.
Return Value:
NTSTATUS - An appropriate status value.
--*/
{
PLPCP_PORT_OBJECT ConnectionPort;
PLPCP_PORT_OBJECT ServerPort;
PLPCP_PORT_OBJECT ClientPort;
PVOID ClientSectionToMap;
HANDLE Handle;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
ULONG ConnectionInfoLength;
PLPCP_MESSAGE Msg;
PLPCP_CONNECTION_MESSAGE ConnectMsg;
PORT_MESSAGE CapturedReplyMessage;
PVOID SectionToMap;
LARGE_INTEGER SectionOffset;
SIZE_T ViewSize;
PEPROCESS ClientProcess;
PETHREAD ClientThread;
PORT_VIEW CapturedServerView;
PAGED_CODE();
//
// Get previous processor mode and probe output arguments if necessary.
//
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
try {
ProbeForWriteHandle( PortHandle );
ProbeForReadSmallStructure( ConnectionRequest,
sizeof( *ConnectionRequest ),
sizeof( ULONG ));
CapturedReplyMessage = *ConnectionRequest;
if (ARGUMENT_PRESENT( ServerView )) {
CapturedServerView = ProbeAndReadStructure( ServerView, PORT_VIEW );
if (CapturedServerView.Length != sizeof( *ServerView )) {
return STATUS_INVALID_PARAMETER;
}
ProbeForWriteSmallStructure( ServerView,
sizeof( *ServerView ),
sizeof( ULONG ));
}
if (ARGUMENT_PRESENT( ClientView )) {
if (ProbeAndReadUlong( &ClientView->Length ) != sizeof( *ClientView )) {
return STATUS_INVALID_PARAMETER;
}
ProbeForWriteSmallStructure( ClientView,
sizeof( *ClientView ),
sizeof( ULONG ));
}
} except( EXCEPTION_EXECUTE_HANDLER ) {
return GetExceptionCode();
}
} else {
NTSTATUS
NtImpersonateClientOfPort (
__in HANDLE PortHandle,
__in PPORT_MESSAGE Message
)
/*++
Routine Description:
This procedure is used by the server thread to temporarily acquire the
identifier set of a client thread.
This service establishes an impersonation token for the calling thread.
The impersonation token corresponds to the context provided by the port
client. The client must currently be waiting for a reply to the
specified message.
This service returns an error status code if the client thread is not
waiting for a reply to the message. The security quality of service
parameters specified by the client upon connection dictate what use the
server will have of the client's security context.
For complicated or extended impersonation needs, the server may open a
copy of the client's token (using NtOpenThreadToken()). This must be
done while impersonating the client.
Arguments:
PortHandle - Specifies the handle of the communication port that the
message was received from.
Message - Specifies an address of a message that was received from the
client that is to be impersonated. The ClientId field of the message
identifies the client thread that is to be impersonated. The client
thread must be waiting for a reply to the message in order to
impersonate the client.
Return Value:
NTSTATUS - Status code that indicates whether or not the operation was
successful.
--*/
{
PLPCP_PORT_OBJECT PortObject;
PLPCP_PORT_OBJECT ConnectedPort;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PETHREAD ClientThread;
CLIENT_ID CapturedClientId;
ULONG CapturedMessageId;
SECURITY_CLIENT_CONTEXT DynamicSecurity;
PAGED_CODE();
//
// Get previous processor mode and probe output arguments if necessary.
//
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
try {
ProbeForReadSmallStructure( Message, sizeof( PORT_MESSAGE ), sizeof( ULONG ));
CapturedClientId = Message->ClientId;
CapturedMessageId = Message->MessageId;
} except( EXCEPTION_EXECUTE_HANDLER ) {
return( GetExceptionCode() );
}
} else {
NTSTATUS
NtOpenProcess (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
/*++
Routine Description:
This function opens a handle to a process object with the specified
desired access.
The object is located either by name, or by locating a thread whose
Client ID matches the specified Client ID and then opening that thread's
process.
Arguments:
ProcessHandle - Supplies a pointer to a variable that will receive
the process object handle.
DesiredAccess - Supplies the desired types of access for the process
object.
ObjectAttributes - Supplies a pointer to an object attributes structure.
If the ObjectName field is specified, then ClientId must not be
specified.
ClientId - Supplies a pointer to a ClientId that if supplied
specifies the thread whose process is to be opened. If this
argument is specified, then ObjectName field of the ObjectAttributes
structure must not be specified.
Return Value:
NTSTATUS - Status of call
--*/
{
HANDLE Handle;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PEPROCESS Process;
PETHREAD Thread;
CLIENT_ID CapturedCid={0};
BOOLEAN ObjectNamePresent;
BOOLEAN ClientIdPresent;
ACCESS_STATE AccessState;
AUX_ACCESS_DATA AuxData;
ULONG Attributes;
PAGED_CODE();
//
// Make sure that only one of either ClientId or ObjectName is
// present.
//
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
//
// Since we need to look at the ObjectName field, probe
// ObjectAttributes and capture object name present indicator.
//
try {
ProbeForWriteHandle (ProcessHandle);
ProbeForReadSmallStructure (ObjectAttributes,
sizeof(OBJECT_ATTRIBUTES),
sizeof(ULONG));
ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, UserMode);
if (ARGUMENT_PRESENT (ClientId)) {
ProbeForReadSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG));
CapturedCid = *ClientId;
ClientIdPresent = TRUE;
} else {
ClientIdPresent = FALSE;
}
} except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
}
} else {
