NTSTATUS
PsLookupProcessByProcessId(
    __in HANDLE ProcessId,
    __deref_out PEPROCESS *Process
    )

/*++

Routine Description:

    Translates a process id into a referenced EPROCESS pointer by looking
    the id up in PspCidTable.

Arguments:

    ProcessId - Process id to look up.

    Process - Receives the referenced process pointer on success. It is
        not written on any failure path, so callers must test the
        returned status before using it.

Return Value:

    STATUS_SUCCESS - The id named a process and a reference was taken on
        it. The caller is responsible for dropping that reference
        (ObDereferenceObject).

    STATUS_INVALID_PARAMETER - There is no entry for the id, the entry is
        not a process object, its GrantedAccess is zero, or the object
        could not be referenced.

--*/

{
    PETHREAD Self;
    PHANDLE_TABLE_ENTRY Entry;
    PEPROCESS Candidate;
    NTSTATUS Status = STATUS_INVALID_PARAMETER;

    PAGED_CODE();

    //
    //  Stay inside a critical region for as long as the CID table entry
    //  is locked.
    //

    Self = PsGetCurrentThread ();
    KeEnterCriticalRegionThread (&Self->Tcb);

    //
    //  A non-NULL result is a locked entry; it is unlocked below.
    //

    Entry = ExMapHandleToPointer(PspCidTable, ProcessId);

    if (Entry != NULL) {

        Candidate = (PEPROCESS)Entry->Object;

        //
        //  PspCidTable is also indexed by thread ids (see
        //  PsLookupThreadByThreadId), so the object type is checked
        //  before the pointer is treated as a process. The checks run
        //  left to right and the reference is only attempted once the
        //  first two have passed.
        //
        //  NOTE(review): a zero GrantedAccess presumably marks an object
        //  that is not fully set up yet -- confirm.
        //  NOTE(review): ObReferenceObjectSafe presumably fails when the
        //  object is already being torn down -- confirm.
        //

        if (Candidate->Pcb.Header.Type == ProcessObject &&
            Candidate->GrantedAccess != 0 &&
            ObReferenceObjectSafe(Candidate)) {

            *Process = Candidate;
            Status = STATUS_SUCCESS;
        }

        ExUnlockHandleTableEntry(PspCidTable, Entry);
    }

    KeLeaveCriticalRegionThread (&Self->Tcb);

    return Status;
}
PRTL_ATOM_TABLE_ENTRY
RtlpAtomMapAtomToHandleEntry(
    IN PRTL_ATOM_TABLE AtomTable,
    IN ULONG HandleIndex
    )

/*++

Routine Description:

    Maps a handle index to the atom table entry stored in the atom
    table's executive handle table.

Arguments:

    AtomTable - Atom table whose ExHandleTable is searched.

    HandleIndex - Index placed in the Index field of an otherwise zeroed
        EXHANDLE.

Return Value:

    The Object pointer stored in the handle table entry, or NULL when the
    index does not map to an entry.

    No reference is taken, and the handle table entry is unlocked before
    returning, so nothing in this routine keeps the returned entry alive.
    NOTE(review): presumably the caller holds the atom table lock across
    the lookup and the use of the result -- confirm against callers.

--*/

{
    EXHANDLE ExHandle;
    PHANDLE_TABLE_ENTRY ExHandleEntry;
    PRTL_ATOM_TABLE_ENTRY AtomEntry;

    //
    //  Zero the whole handle value first so that Index is the only field
    //  carrying data.
    //

    ExHandle.GenericHandleOverlay = 0;
    ExHandle.Index = HandleIndex;

    ExHandleEntry = ExMapHandleToPointer( AtomTable->ExHandleTable,
                                          ExHandle.GenericHandleOverlay );

    if (ExHandleEntry == NULL) {
        return NULL;
    }

    //
    //  Copy the pointer out while the entry is still locked, then unlock.
    //

    AtomEntry = ExHandleEntry->Object;

    ExUnlockHandleTableEntry( AtomTable->ExHandleTable, ExHandleEntry );

    return AtomEntry;
}
NTSTATUS
PsLookupProcessThreadByCid(
    __in PCLIENT_ID Cid,
    __deref_opt_out PEPROCESS *Process,
    __deref_out PETHREAD *Thread
    )

/*++

Routine Description:

    Translates a client id into a referenced thread pointer and,
    optionally, a referenced pointer to the thread's process.

Arguments:

    Cid - Client id of the thread. UniqueThread is used for the table
        lookup; UniqueProcess must match the process id recorded in the
        thread that is found.

    Process - If present, receives a referenced pointer to the thread's
        process.

    Thread - Receives a referenced pointer to the thread.

    Neither output is written on failure, so callers must test the
    returned status before using them.

Return Value:

    STATUS_SUCCESS - The thread was found and validated. The caller is
        responsible for dropping the thread reference and, if Process
        was supplied, the process reference.

    STATUS_INVALID_CID - There is no entry for Cid->UniqueThread, the
        object could not be referenced, it is not a thread, it belongs
        to a different process than Cid->UniqueProcess, or its
        GrantedAccess is zero.

--*/

{
    PETHREAD Self;
    PHANDLE_TABLE_ENTRY Entry;
    PETHREAD Raw;
    PETHREAD Found;
    PEPROCESS Owner;

    PAGED_CODE();

    Found = NULL;

    //
    //  Stay inside a critical region for as long as the CID table entry
    //  is locked.
    //

    Self = PsGetCurrentThread ();
    KeEnterCriticalRegionThread (&Self->Tcb);

    Entry = ExMapHandleToPointer(PspCidTable, Cid->UniqueThread);

    if (Entry != NULL) {

        //
        //  Only a reference is taken under the entry lock. The object has
        //  not been type checked yet; that happens below on the
        //  referenced pointer.
        //

        Raw = (PETHREAD)Entry->Object;

        if (ObReferenceObjectSafe (Raw)) {
            Found = Raw;
        }

        ExUnlockHandleTableEntry(PspCidTable, Entry);
    }

    KeLeaveCriticalRegionThread (&Self->Tcb);

    if (Found == NULL) {
        return STATUS_INVALID_CID;
    }

    //
    //  The entry could be a thread or a process. The type is tested
    //  first, so the thread-only fields are not read unless the object
    //  really is a thread. A mismatch gives back the reference taken
    //  above.
    //

    if (Found->Tcb.Header.Type != ThreadObject ||
        Found->Cid.UniqueProcess != Cid->UniqueProcess ||
        Found->GrantedAccess == 0) {

        ObDereferenceObject (Found);
        return STATUS_INVALID_CID;
    }

    *Thread = Found;

    if (ARGUMENT_PRESENT (Process)) {

        Owner = THREAD_TO_PROCESS (Found);
        *Process = Owner;

        //
        //  The thread holds a reference to its process, so a plain
        //  reference is enough here.
        //

        ObReferenceObject (Owner);
    }

    return STATUS_SUCCESS;
}
NTSTATUS
PsLookupThreadByThreadId(
    __in HANDLE ThreadId,
    __deref_out PETHREAD *Thread
    )

/*++

Routine Description:

    Translates a thread id into a referenced ETHREAD pointer by looking
    the id up in PspCidTable.

Arguments:

    ThreadId - Thread id to look up.

    Thread - Receives the referenced thread pointer on success. It is not
        written on any failure path, so callers must test the returned
        status before using it.

Return Value:

    STATUS_SUCCESS - The id named a thread and a reference was taken on
        it. The caller is responsible for dropping that reference
        (ObDereferenceObject).

    STATUS_INVALID_PARAMETER - There is no entry for the id, the entry is
        not a thread object, its GrantedAccess is zero, or the object
        could not be referenced.

--*/

{
    PETHREAD Self;
    PHANDLE_TABLE_ENTRY Entry;
    PETHREAD Candidate;
    NTSTATUS Status = STATUS_INVALID_PARAMETER;

    PAGED_CODE();

    //
    //  Stay inside a critical region for as long as the CID table entry
    //  is locked.
    //

    Self = PsGetCurrentThread ();
    KeEnterCriticalRegionThread (&Self->Tcb);

    //
    //  A non-NULL result is a locked entry; it is unlocked below.
    //

    Entry = ExMapHandleToPointer(PspCidTable, ThreadId);

    if (Entry != NULL) {

        Candidate = (PETHREAD)Entry->Object;

        //
        //  PspCidTable is also indexed by process ids (see
        //  PsLookupProcessByProcessId), so the object type is checked
        //  before the pointer is treated as a thread. The checks run
        //  left to right and the reference is only attempted once the
        //  first two have passed.
        //
        //  NOTE(review): a zero GrantedAccess presumably marks an object
        //  that is not fully set up yet -- confirm.
        //

        if (Candidate->Tcb.Header.Type == ThreadObject &&
            Candidate->GrantedAccess &&
            ObReferenceObjectSafe(Candidate)) {

            *Thread = Candidate;
            Status = STATUS_SUCCESS;
        }

        ExUnlockHandleTableEntry(PspCidTable, Entry);
    }

    KeLeaveCriticalRegionThread (&Self->Tcb);

    return Status;
}
NTSTATUS
NtClose (
    IN HANDLE Handle
    )

/*++

Routine Description:

    This function is used to close access to the specified handle.

    The handle is looked up in the kernel handle table or in the table
    returned by ObpGetObjectTable, depending on IsKernelHandle. The
    object type's OkayToCloseProcedure (if any) and the handle's
    OBJ_PROTECT_CLOSE attribute can each refuse the close. Otherwise the
    handle is destroyed, a close audit is generated if requested, and
    the handle count and object reference held by the handle are
    released.

Arguments:

    Handle - Supplies the handle being closed

Return Value:

    STATUS_SUCCESS - The handle was closed.

    STATUS_HANDLE_NOT_CLOSABLE - The type's OkayToCloseProcedure refused
        the close, or the handle is protected from close.

    STATUS_INVALID_HANDLE - The handle did not map to a table entry.

    For user-mode callers, when FLG_ENABLE_CLOSE_EXCEPTIONS is set or the
    process has a debug port, the two failure cases go through
    KeRaiseUserException and its return value is returned instead.

--*/

{
    PHANDLE_TABLE ObjectTable;
    PHANDLE_TABLE_ENTRY ObjectTableEntry;
    PVOID Object;
    ULONG CapturedGrantedAccess;
    ULONG CapturedAttributes;
    POBJECT_HEADER ObjectHeader;
    POBJECT_TYPE ObjectType;
    NTSTATUS Status;
    BOOLEAN AttachedToProcess = FALSE;
    KAPC_STATE ApcState;

    //
    //  Protect ourselves from being interrupted while we hold a handle table
    //  entry lock. The matching KeLeaveCriticalRegion is in the finally
    //  clause, which every "leave" below passes through.
    //

    KeEnterCriticalRegion();

    try {

#if DBG
        KIRQL SaveIrql;
#endif // DBG

        ObpValidateIrql( "NtClose" );

        //
        //  NOTE(review): SaveIrql only exists under DBG, so the
        //  Begin/End call-out pair is presumably a checked-build check
        //  only. The protected-close exits further down leave without
        //  calling ObpEndTypeSpecificCallOut -- confirm that is intended.
        //

        ObpBeginTypeSpecificCallOut( SaveIrql );

#if DBG

        //
        //  On checked builds, check that if the Kernel handle bit is set, then
        //  we're coming from Kernel mode. We should probably fail the call if
        //  bit set && !Kmode
        //
        //  NOTE(review): this is an assertion only, so free builds have no
        //  equivalent check at this point. The choice of handle table
        //  below is made by IsKernelHandle, which is given the previous
        //  mode; presumably it returns TRUE only for kernel-mode callers,
        //  which is what keeps user-mode callers out of
        //  ObpKernelHandleTable -- confirm against its definition.
        //

        if ((Handle != NtCurrentThread()) && (Handle != NtCurrentProcess())) {

            ASSERT((Handle < 0 ) ? (KeGetPreviousMode() == KernelMode) : TRUE);
        }
#endif

        //
        //  For the current process we will grab its handle/object table and
        //  translate the handle to its corresponding table entry.  If the
        //  call is successful it also locks down the handle table entry.
        //  But first check for a kernel handle and attach and use that
        //  table if so.
        //

        if (IsKernelHandle( Handle, KeGetPreviousMode() )) {

            Handle = DecodeKernelHandle( Handle );

            ObjectTable = ObpKernelHandleTable;

            //
            //  Go to the system process if we have to. AttachedToProcess
            //  records that every exit path must detach again.
            //

            if (PsGetCurrentProcess() != PsInitialSystemProcess) {

                KeStackAttachProcess (&PsInitialSystemProcess->Pcb, &ApcState);
                AttachedToProcess = TRUE;
            }

        } else {

            ObjectTable = ObpGetObjectTable();
        }

        ObjectTableEntry = ExMapHandleToPointer( ObjectTable,
                                                 Handle );

        //
        //  Check that the specified handle is legitimate otherwise we can
        //  assume the caller just passed in some bogus handle value
        //

        if (ObjectTableEntry != NULL) {

            //
            //  From the object table entry we can grab a pointer to the object
            //  header, get its type and its body. The stored pointer has
            //  the OBJ_HANDLE_ATTRIBUTES bits masked off before it is used
            //  as an address.
            //

            ObjectHeader = (POBJECT_HEADER)(((ULONG_PTR)(ObjectTableEntry->Object)) & ~OBJ_HANDLE_ATTRIBUTES);
            ObjectType = ObjectHeader->Type;

            Object = &ObjectHeader->Body;

            //
            //  If the object type specifies an okay to close procedure then we
            //  need to invoke that callback.  If the callback doesn't want us to
            //  close the handle then unlock the object table entry and return
            //  the error to our caller. The callback runs while the entry
            //  is still locked.
            //

            if (ObjectType->TypeInfo.OkayToCloseProcedure != NULL) {

                if (!(*ObjectType->TypeInfo.OkayToCloseProcedure)( PsGetCurrentProcess(), Object, Handle )) {

                    ObpEndTypeSpecificCallOut( SaveIrql, "NtClose", ObjectType, Object );

                    ExUnlockHandleTableEntry( ObjectTable, ObjectTableEntry );

                    //
                    //  If we are attached to the system process then return
                    //  back to our caller
                    //

                    if (AttachedToProcess) {

                        KeUnstackDetachProcess(&ApcState);
                        AttachedToProcess = FALSE;
                    }

                    Status = STATUS_HANDLE_NOT_CLOSABLE;
                    leave;
                }
            }

            //
            //  Capture the attribute bits while the entry is locked; they
            //  are consulted again for auditing after the handle has been
            //  destroyed.
            //

            CapturedAttributes = ObjectTableEntry->ObAttributes;

            //
            //  If the previous mode was user and the handle is protected from
            //  being closed, then we'll either raise or return an error depending
            //  on the global flags and debugger port situation. In both
            //  cases the entry is unlocked first and the handle stays open.
            //

            if ((CapturedAttributes & OBJ_PROTECT_CLOSE) != 0) {

                if (KeGetPreviousMode() != KernelMode) {

                    ExUnlockHandleTableEntry( ObjectTable, ObjectTableEntry );

                    if ((NtGlobalFlag & FLG_ENABLE_CLOSE_EXCEPTIONS) ||
                        (PsGetCurrentProcess()->DebugPort != NULL)) {

                        //
                        //  If we are attached to the system process then return
                        //  back to our caller. This happens before the
                        //  exception is raised.
                        //

                        if (AttachedToProcess) {

                            KeUnstackDetachProcess(&ApcState);
                            AttachedToProcess = FALSE;
                        }

                        Status = KeRaiseUserException(STATUS_HANDLE_NOT_CLOSABLE);
                        leave;

                    } else {

                        //
                        //  If we are attached to the system process then return
                        //  back to our caller
                        //

                        if (AttachedToProcess) {

                            KeUnstackDetachProcess(&ApcState);
                            AttachedToProcess = FALSE;
                        }

                        Status = STATUS_HANDLE_NOT_CLOSABLE;
                        leave;
                    }

                } else {

                    //
                    //  Kernel-mode caller. The close is refused only when
                    //  the thread is not terminating and the process has a
                    //  PEB; otherwise control falls through and the
                    //  protected handle is closed below.
                    //

                    if ((!PsIsThreadTerminating(PsGetCurrentThread())) &&
                        (PsGetCurrentProcess()->Peb != NULL)) {

                        ExUnlockHandleTableEntry( ObjectTable, ObjectTableEntry );

#if DBG

                        //
                        //  bugcheck here on checked builds if kernel mode code is
                        //  closing a protected handle and process is not exiting.
                        //  Ignore if no PEB as this occurs if process is killed
                        //  before really starting.
                        //

                        KeBugCheckEx(INVALID_KERNEL_HANDLE, (ULONG_PTR)Handle, 0, 0, 0);

#else

                        //
                        //  If we are attached to the system process then return
                        //  back to our caller
                        //

                        if (AttachedToProcess) {

                            KeUnstackDetachProcess(&ApcState);
                            AttachedToProcess = FALSE;
                        }

                        Status = STATUS_HANDLE_NOT_CLOSABLE;
                        leave;

#endif // DBG

                    }
                }
            }

            //
            //  Get the granted access for the handle. It is read from the
            //  entry before the handle is destroyed and passed to
            //  ObpDecrementHandleCount afterwards.
            //

#if defined(_X86_) && !FPO

            if (NtGlobalFlag & FLG_KERNEL_STACK_TRACE_DB) {

                CapturedGrantedAccess = ObpTranslateGrantedAccessIndex( ObjectTableEntry->GrantedAccessIndex );

            } else {

                CapturedGrantedAccess = ObjectTableEntry->GrantedAccess;
            }

#else

            CapturedGrantedAccess = ObjectTableEntry->GrantedAccess;

#endif // _X86_ && !FPO

            //
            //  Now remove the handle from the handle table. The entry is
            //  not touched again after this call; only the captured
            //  values and the object pointers are used.
            //

            ExDestroyHandle( ObjectTable,
                             Handle,
                             ObjectTableEntry );

            //
            //  perform any auditing required
            //

            //
            //  Extract the value of the GenerateOnClose bit stored
            //  after object open auditing is performed.  This value
            //  was stored by a call to ObSetGenerateOnClosed. The audit
            //  is generated only when auditing is also enabled globally
            //  (SepAdtAuditingEnabled).
            //

            if (CapturedAttributes & OBJ_AUDIT_OBJECT_CLOSE) {

                if ( SepAdtAuditingEnabled ) {

                    SeCloseObjectAuditAlarm( Object,
                                             (HANDLE)((ULONG_PTR)Handle & ~OBJ_HANDLE_TAGBITS),  // Mask off the tagbits defined for OB objects.
                                             TRUE );
                }
            }

            //
            //  Since we took the handle away we need to decrement the objects
            //  handle count, and remove a reference
            //

            ObpDecrementHandleCount( PsGetCurrentProcess(),
                                     ObjectHeader,
                                     ObjectHeader->Type,
                                     CapturedGrantedAccess );

            ObDereferenceObject( Object );

            ObpEndTypeSpecificCallOut( SaveIrql, "NtClose", ObjectType, Object );

            //
            //  If we are attached to the system process then return
            //  back to our caller
            //

            if (AttachedToProcess) {

                KeUnstackDetachProcess(&ApcState);
                AttachedToProcess = FALSE;
            }

            //
            //  And return to our caller
            //

            Status = STATUS_SUCCESS;
            leave;

        } else {

            //
            //  At this point the input handle did not translate to a valid
            //  object table entry
            //

            ObpEndTypeSpecificCallOut( SaveIrql, "NtClose", ObpTypeObjectType, Handle );

            //
            //  If we are attached to the system process then return
            //  back to our caller
            //

            if (AttachedToProcess) {

                KeUnstackDetachProcess(&ApcState);
                AttachedToProcess = FALSE;
            }

            //
            //  Now if the handle is not null and it does not represent the
            //  current thread or process then if we're user mode we either raise
            //  or return an error. A NULL handle and the two pseudo handle
            //  values skip this block and simply get STATUS_INVALID_HANDLE.
            //

            if ((Handle != NULL) &&
                (Handle != NtCurrentThread()) &&
                (Handle != NtCurrentProcess())) {

                if (KeGetPreviousMode() != KernelMode) {

                    if ((NtGlobalFlag & FLG_ENABLE_CLOSE_EXCEPTIONS) ||
                        (PsGetCurrentProcess()->DebugPort != NULL)) {

                        Status = KeRaiseUserException(STATUS_INVALID_HANDLE);
                        leave;

                    } else {

                        Status = STATUS_INVALID_HANDLE;
                        leave;
                    }

                } else {

                    //
                    //  bugcheck here if kernel debugger is enabled and if kernel mode code is
                    //  closing a bogus handle and process is not exiting.  Ignore
                    //  if no PEB as this occurs if process is killed before
                    //  really starting. Without a kernel debugger the call
                    //  falls through to STATUS_INVALID_HANDLE.
                    //

                    if (( !PsIsThreadTerminating(PsGetCurrentThread())) &&
                        (PsGetCurrentProcess()->Peb != NULL)) {

                        if (KdDebuggerEnabled) {

                            KeBugCheckEx(INVALID_KERNEL_HANDLE, (ULONG_PTR)Handle, 1, 0, 0);
                        }
                    }
                }
            }

            Status = STATUS_INVALID_HANDLE;
            leave;
        }

    } finally {

        KeLeaveCriticalRegion();
    }

    return Status;
}