PEPROCESS DKOM_SearchProcessByPID(IN long pid)
{
PEPROCESS foundProc;
/* ANOTHER WAY TO FIND PEPROCESS VIA PID
if (PsLookupProcessByProcessId ((PVOID)pid, &foundProc) == STATUS_SUCCESS) {
DbgPrint("PID %ld found for '%s'", pid, (char*)((char*)foundProc + EPROCESS_OFFSET_IMAGENAME));
return (foundProc);
}
*/
PEPROCESS saveProc;
PEPROCESS currProc;
PLIST_ENTRY list;
long* tmp = NULL;
saveProc = IoGetCurrentProcess();
currProc = saveProc;
do {
tmp = ((unsigned char*)currProc + EPROCESS_OFFSET_PID);
//DbgPrint("[%s] %ld (0x%X) == %ld (0x%X)", (char*)currProc + EPROCESS_OFFSET_IMAGENAME, pid, pid, *tmp, *tmp);
if (pid == (*tmp)) {
DbgPrint("Process %ld found '%s'", pid, ((unsigned char*)currProc + EPROCESS_OFFSET_IMAGENAME));
return (currProc);
}
list = (PLIST_ENTRY)((unsigned char*)currProc + EPROCESS_OFFSET_ELIST);
currProc = (PEPROCESS)list->Flink;
currProc = (PEPROCESS)((unsigned char*)currProc - EPROCESS_OFFSET_ELIST);
} while (saveProc != currProc);
return (0);
}
PEPROCESS GetEprocess(PUCHAR szProcessName)
{
PEPROCESS pBaseEprocess = NULL;
PEPROCESS pCurrentEprocess = NULL;
PLIST_ENTRY pCurrentList = NULL;
pCurrentEprocess = (PEPROCESS)IoGetCurrentProcess();
pBaseEprocess = pCurrentEprocess;
do
{
//DbgPrint("\nProcess : %s", ((PUCHAR)pCurrentEprocess+0x174));
pCurrentList = (PLIST_ENTRY)((PUCHAR)pCurrentEprocess + off_EPROCESS_ActiveProcessLink);
if (pCurrentList->Flink == NULL)
return NULL;
pCurrentEprocess = (PEPROCESS)((PUCHAR)pCurrentList->Flink - off_EPROCESS_ActiveProcessLink);
if (pBaseEprocess == pCurrentEprocess)
return NULL;
} while (strcmp(szProcessName, (PUCHAR)pCurrentEprocess + off_EPROCESS_ProcessName));
return pCurrentEprocess;
}
NTSTATUS dc_create_close_irp(PDEVICE_OBJECT dev_obj, PIRP irp)
{
PIO_STACK_LOCATION irp_sp = IoGetCurrentIrpStackLocation(irp);
NTSTATUS status = STATUS_SUCCESS;
PEPROCESS process;
PACCESS_TOKEN token;
/* get requestor process */
process = IoGetRequestorProcess(irp);
if (process == NULL) process = IoGetCurrentProcess();
if (irp_sp->MajorFunction == IRP_MJ_CREATE)
{
/* check process token */
if ( (token = PsReferencePrimaryToken(process)) == NULL || SeTokenIsAdmin(token) == FALSE ) {
status = STATUS_ACCESS_DENIED;
}
if (token != NULL) PsDereferencePrimaryToken(token);
}
if (irp_sp->MajorFunction == IRP_MJ_CLOSE)
{
/* unlock all memory locked by this process */
mm_unlock_user_memory(NULL, process);
/* syncronize all encryptions */
dc_sync_all_encs();
}
return dc_complete_irp(irp, status, 0);
}
NTSTATUS VBoxMRxCreateSrvCall(PMRX_SRV_CALL pSrvCall, PMRX_SRVCALL_CALLBACK_CONTEXT pCallbackContext)
{
PMRX_SRVCALLDOWN_STRUCTURE SrvCalldownStructure = (PMRX_SRVCALLDOWN_STRUCTURE)(pCallbackContext->SrvCalldownStructure);
RT_NOREF(pSrvCall);
Log(("VBOXSF: MRxCreateSrvCall: %p.\n", pSrvCall));
if (IoGetCurrentProcess() == RxGetRDBSSProcess())
{
Log(("VBOXSF: MRxCreateSrvCall: Called in context of RDBSS process\n"));
vbsfExecuteCreateSrvCall(pCallbackContext);
}
else
{
NTSTATUS Status;
Log(("VBOXSF: MRxCreateSrvCall: Dispatching to worker thread\n"));
Status = RxDispatchToWorkerThread(VBoxMRxDeviceObject, DelayedWorkQueue,
(PWORKER_THREAD_ROUTINE)vbsfExecuteCreateSrvCall,
pCallbackContext);
if (Status == STATUS_SUCCESS)
Log(("VBOXSF: MRxCreateSrvCall: queued\n"));
else
{
pCallbackContext->Status = Status;
SrvCalldownStructure->CallBack(pCallbackContext);
}
}
/* RDBSS expect this. */
return STATUS_PENDING;
}
VOID
BowserUninitializeTraceLog()
{
BOOLEAN ProcessAttached = FALSE;
PAGED_CODE();
ExDeleteResource(&BrowserTraceLock);
if (BrowserTraceLogHandle != NULL) {
if (IoGetCurrentProcess() != BowserFspProcess) {
KeAttachProcess(BowserFspProcess);
ProcessAttached = TRUE;
}
ZwClose(BrowserTraceLogHandle);
if (ProcessAttached) {
KeDetachProcess();
}
}
BrowserTraceLogHandle = NULL;
}
NTSTATUS
BowserDebugCall(
IN PLMDR_REQUEST_PACKET InputBuffer,
IN ULONG InputBufferLength
)
{
NTSTATUS Status;
PAGED_CODE();
ASSERT (IoGetCurrentProcess() == BowserFspProcess);
if (InputBufferLength < sizeof(LMDR_REQUEST_PACKET)) {
return STATUS_BUFFER_TOO_SMALL;
}
if (InputBuffer->Version != LMDR_REQUEST_PACKET_VERSION) {
return (Status = STATUS_INVALID_PARAMETER);
}
if (InputBuffer->Parameters.Debug.OpenLog && InputBuffer->Parameters.Debug.CloseLog) {
return (Status = STATUS_INVALID_PARAMETER);
}
if (InputBuffer->Parameters.Debug.OpenLog) {
Status = BowserOpenTraceLogFile(InputBuffer->Parameters.Debug.TraceFileName);
return Status;
} else if (InputBuffer->Parameters.Debug.CloseLog) {
Status = ZwClose(BrowserTraceLogHandle);
if (NT_SUCCESS(Status)) {
BrowserTraceLogHandle = NULL;
}
return Status;
} else if (InputBuffer->Parameters.Debug.TruncateLog) {
FILE_END_OF_FILE_INFORMATION EndOfFileInformation;
IO_STATUS_BLOCK IoStatus;
if (BrowserTraceLogHandle == NULL) {
return STATUS_INVALID_HANDLE;
}
EndOfFileInformation.EndOfFile.HighPart = 0;
EndOfFileInformation.EndOfFile.LowPart = 0;
Status = NtSetInformationFile(BrowserTraceLogHandle,
&IoStatus,
&EndOfFileInformation,
sizeof(EndOfFileInformation),
FileEndOfFileInformation);
return Status;
} else {
BowserDebugTraceLevel = InputBuffer->Parameters.Debug.DebugTraceBits;
KdPrint(("Setting Browser Debug Trace Bits to %lx\n", BowserDebugTraceLevel));
}
return STATUS_SUCCESS;
}
BOOLEAN IsTbsServiceProcess()
{
char* ProcessName;
PAGED_CODE();
ProcessName = (char*)IoGetCurrentProcess();
ProcessName += ProcessNameOffset;
if( strncmp(ProcessName,"svchost.exe",11) == 0)
{
return TRUE;
}
return FALSE;
}
/// <summary>
/// This routine is called by the operating system
/// when a process or thread handle operation occurs.
/// </summary>
OB_PREOP_CALLBACK_STATUS HspObPreCallback(
_In_ PVOID RegistrationContext,
_Inout_ POB_PRE_OPERATION_INFORMATION OperationInformation)
{
PEPROCESS process;
ACCESS_MASK processAccessBitsToClear;
ACCESS_MASK threadAccessBitsToClear;
UNREFERENCED_PARAMETER(RegistrationContext);
// ObRegisterCallbacks doesn't allow changing access of kernel handles.
if (OperationInformation->KernelHandle)
return OB_PREOP_SUCCESS;
// Get target process.
if (OperationInformation->ObjectType == *PsProcessType)
process = OperationInformation->Object;
else if (OperationInformation->ObjectType == *PsThreadType)
process = IoThreadToProcess(OperationInformation->Object);
else
return OB_PREOP_SUCCESS; // Shouldn't ever happen.
// Allow process to open itself.
if (process == IoGetCurrentProcess())
return OB_PREOP_SUCCESS;
if (HsIsProcessProtected(process, &processAccessBitsToClear, &threadAccessBitsToClear))
{
ACCESS_MASK accessBitsToClear;
if (OperationInformation->ObjectType == *PsProcessType)
accessBitsToClear = processAccessBitsToClear;
else
accessBitsToClear = threadAccessBitsToClear;
// Remove access flags.
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
{
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~accessBitsToClear;
}
else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
{
OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~accessBitsToClear;
}
}
return OB_PREOP_SUCCESS;
}
ULONG GetProcessNameOffset()
{
ULONG Offset = 0;
char* Eprocess;
PAGED_CODE();
Eprocess = (char*)IoGetCurrentProcess();
while(Offset < 0x3000)
{
if(strncmp(Eprocess+Offset,"System",6) == 0)
break;
Offset++;
}
return Offset < 0x3000 ? Offset : 0;
}
VOID APCInjectRoutine(PKAPC pkaApc, PKNORMAL_ROUTINE*, PVOID*, PVOID*, PVOID*)
{
WI_INJECT wiiItem;
ExFreePool(pkaApc);
wiiItem.pktThread = KeGetCurrentThread();
wiiItem.pepProcess = IoGetCurrentProcess();
wiiItem.hProcessID = PsGetCurrentProcessId();
KeInitializeEvent(&wiiItem.keEvent, NotificationEvent, FALSE);
ExInitializeWorkItem(&wiiItem.qiItem, InjectorWorkItem, &wiiItem);
ExQueueWorkItem(&wiiItem.qiItem, DelayedWorkQueue);
//was KernelMode not work do UserMode and work
KeWaitForSingleObject(&wiiItem.keEvent, Executive, UserMode, TRUE, 0);
return;
}
PEPROCESS DKOM_SearchProcessByName(IN char* procName, IN int lenName)
{
PEPROCESS saveProc;
PEPROCESS currProc;
PLIST_ENTRY list;
saveProc = IoGetCurrentProcess();
currProc = saveProc;
do {
if (strncmp(procName, ((unsigned char*)currProc + EPROCESS_OFFSET_IMAGENAME), lenName) == 0) {
DbgPrint("Process %.*s found with uPID:%ld", lenName, procName, *((unsigned char*)currProc + EPROCESS_OFFSET_PID));
return (currProc);
}
list = (PLIST_ENTRY)((unsigned char*)currProc + EPROCESS_OFFSET_ELIST);
currProc = (PEPROCESS)list->Flink;
currProc = (PEPROCESS)((unsigned char*)currProc - EPROCESS_OFFSET_ELIST);
} while (saveProc != currProc);
return (0);
}
NTSTATUS
DriverEntry (
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for the AFD device driver.
Arguments:
DriverObject - Pointer to driver object created by the system.
Return Value:
The function value is the final status from the initialization operation.
--*/
{
NTSTATUS status;
UNICODE_STRING deviceName;
CLONG i;
BOOLEAN success;
PAGED_CODE( );
//
// Create the device object. (IoCreateDevice zeroes the memory
// occupied by the object.)
//
// !!! Apply an ACL to the device object.
//
RtlInitUnicodeString( &deviceName, AFD_DEVICE_NAME );
status = IoCreateDevice(
DriverObject, // DriverObject
0, // DeviceExtension
&deviceName, // DeviceName
FILE_DEVICE_NAMED_PIPE, // DeviceType
0, // DeviceCharacteristics
FALSE, // Exclusive
&AfdDeviceObject // DeviceObject
);
if ( !NT_SUCCESS(status) ) {
KdPrint(( "AFD DriverEntry: unable to create device object: %X\n", status ));
return status;
}
//
// Create the security descriptor used for raw socket access checks.
//
status = AfdCreateRawSecurityDescriptor();
if (!NT_SUCCESS(status)) {
IoDeleteDevice(AfdDeviceObject);
return status;
}
AfdDeviceObject->Flags |= DO_DIRECT_IO;
//
// Initialize the driver object for this file system driver.
//
for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
DriverObject->MajorFunction[i] = AfdDispatch;
}
DriverObject->FastIoDispatch = &AfdFastIoDispatch;
DriverObject->DriverUnload = NULL;
//
// Initialize global data.
//
success = AfdInitializeData( );
if ( !success ) {
IoDeleteDevice(AfdDeviceObject);
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// Initialize group ID manager.
//
success = AfdInitializeGroup();
if ( !success ) {
IoDeleteDevice(AfdDeviceObject);
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// Read registry information.
//
AfdReadRegistry( );
#if DBG
if( AfdEnableUnload ) {
KdPrint(( "AFD: DriverUnload enabled\n" ));
DriverObject->DriverUnload = AfdUnload;
}
#endif
//
// Initialize the lookaside lists.
//
AfdLookasideLists = AFD_ALLOCATE_POOL(
NonPagedPool,
sizeof(*AfdLookasideLists),
AFD_LOOKASIDE_LISTS_POOL_TAG
);
if( AfdLookasideLists == NULL ) {
IoDeleteDevice(AfdDeviceObject);
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// Initialize the work queue item lookaside list.
//
ExInitializeNPagedLookasideList(
&AfdLookasideLists->WorkQueueList,
#if DBG
AfdAllocateWorkItemPool,
AfdFreeWorkItemPool,
#else
NULL,
NULL,
#endif
NonPagedPoolMustSucceed,
sizeof( AFD_WORK_ITEM ),
AFD_WORK_ITEM_POOL_TAG,
12
);
//
// Initialize the AFD buffer lookaside lists. These must be
// initialized *after* the registry data has been read.
//
ExInitializeNPagedLookasideList(
&AfdLookasideLists->LargeBufferList,
AfdAllocateBuffer,
#if DBG
AfdFreeBufferPool,
#else
NULL,
#endif
0,
AfdLargeBufferSize,
AFD_DATA_BUFFER_POOL_TAG,
(USHORT)AfdLargeBufferListDepth
);
ExInitializeNPagedLookasideList(
&AfdLookasideLists->MediumBufferList,
AfdAllocateBuffer,
#if DBG
AfdFreeBufferPool,
#else
NULL,
#endif
0,
AfdMediumBufferSize,
AFD_DATA_BUFFER_POOL_TAG,
(USHORT)AfdMediumBufferListDepth
);
ExInitializeNPagedLookasideList(
&AfdLookasideLists->SmallBufferList,
AfdAllocateBuffer,
#if DBG
AfdFreeBufferPool,
#else
NULL,
#endif
0,
AfdSmallBufferSize,
AFD_DATA_BUFFER_POOL_TAG,
(USHORT)AfdSmallBufferListDepth
);
//
// Initialize our device object.
//
AfdDeviceObject->StackSize = AfdIrpStackSize;
//
// Remember a pointer to the system process. We'll use this pointer
// for KeAttachProcess() calls so that we can open handles in the
// context of the system process.
//
AfdSystemProcess = (PKPROCESS)IoGetCurrentProcess();
//
// Tell MM that it can page all of AFD it is desires. We will reset
// to normal paging of AFD code as soon as an AFD endpoint is
// opened.
//
AfdLoaded = FALSE;
MmPageEntireDriver( DriverEntry );
return (status);
} // DriverEntry
BOOLEAN
NTAPI
InitializeDeviceData(IN PDEVICE_OBJECT DeviceObject)
{
PSAC_DEVICE_EXTENSION DeviceExtension = DeviceObject->DeviceExtension;
BOOLEAN EnableData;
ULONG PriorityValue;
NTSTATUS Status;
LARGE_INTEGER DueTime;
PWCHAR Message;
PAGED_CODE();
SAC_DBG(SAC_DBG_ENTRY_EXIT, "Entering.\n");
/* If we already did this, bail out */
if (DeviceExtension->Initialized) goto SuccessExit;
/* Setup the DO flags */
DeviceObject->Flags |= DO_DIRECT_IO;
DeviceObject->StackSize = 16;
/* Setup the device extension */
DeviceExtension->DeviceObject = DeviceObject;
DeviceExtension->PriorityBoost = IO_SERIAL_INCREMENT;
DeviceExtension->PriorityFail = 0;
DeviceExtension->RundownInProgress = 0;
/* Initialize locks, events, timers, DPCs, etc... */
KeInitializeTimer(&DeviceExtension->Timer);
KeInitializeDpc(&DeviceExtension->Dpc, TimerDpcRoutine, DeviceExtension);
KeInitializeSpinLock(&DeviceExtension->Lock);
KeInitializeEvent(&DeviceExtension->Event, SynchronizationEvent, FALSE);
InitializeListHead(&DeviceExtension->List);
/* Attempt to enable HDL support */
EnableData = TRUE;
Status = HeadlessDispatch(HeadlessCmdEnableTerminal,
&EnableData,
sizeof(EnableData),
NULL,
0);
if (!NT_SUCCESS(Status))
{
/* Bail out if we couldn't even get this far */
SAC_DBG(SAC_DBG_ENTRY_EXIT, "Exiting (1) with status FALSE\n");
return FALSE;
}
/* Remember which process we started in */
DeviceExtension->Process = IoGetCurrentProcess();
/* Protect the device against non-admins */
Status = CreateDeviceSecurityDescriptor(&DeviceExtension->DeviceObject);
if (!NT_SUCCESS(Status))
{
/* Write down why we failed */
SAC_DBG(SAC_DBG_ENTRY_EXIT, "Exiting (2) with status FALSE\n");
/* Disable the HDL terminal on failure */
EnableData = FALSE;
Status = HeadlessDispatch(HeadlessCmdEnableTerminal,
&EnableData,
sizeof(EnableData),
NULL,
NULL);
if (!NT_SUCCESS(Status)) SAC_DBG(SAC_DBG_INIT, "Failed dispatch\n");
/* Bail out */
return FALSE;
}
/* Create the worker thread */
Status = PsCreateSystemThread(&DeviceExtension->WorkerThreadHandle,
THREAD_ALL_ACCESS,
NULL,
NULL,
NULL,
WorkerThreadStartUp,
DeviceExtension);
if (!NT_SUCCESS(Status))
{
/* Write down why we failed */
SAC_DBG(SAC_DBG_ENTRY_EXIT, "Exiting (3) with status FALSE\n");
/* Disable the HDL terminal on failure */
EnableData = FALSE;
Status = HeadlessDispatch(HeadlessCmdEnableTerminal,
&EnableData,
sizeof(EnableData),
NULL,
NULL);
if (!NT_SUCCESS(Status)) SAC_DBG(SAC_DBG_INIT, "Failed dispatch\n");
/* Bail out */
return FALSE;
}
/* Set the priority of our thread to highest */
PriorityValue = HIGH_PRIORITY;
Status = NtSetInformationThread(DeviceExtension->WorkerThreadHandle,
ThreadPriority,
&PriorityValue,
sizeof(PriorityValue));
if (!NT_SUCCESS(Status))
{
/* For debugging, write down why we failed */
SAC_DBG(SAC_DBG_ENTRY_EXIT, "Exiting (6) with status FALSE\n");
DeviceExtension->PriorityFail = TRUE;
/* Initialize rundown and wait for the thread to do it */
KeInitializeEvent(&DeviceExtension->RundownEvent, SynchronizationEvent, FALSE);
KeSetEvent(&DeviceExtension->Event, DeviceExtension->PriorityBoost, FALSE);
Status = KeWaitForSingleObject(&DeviceExtension->RundownEvent,
Executive,
KernelMode,
FALSE,
NULL);
ASSERT(Status == STATUS_SUCCESS);
/* Disable the HDL terminal on failure */
EnableData = FALSE;
Status = HeadlessDispatch(HeadlessCmdEnableTerminal,
&EnableData,
sizeof(EnableData),
NULL,
0);
if (!NT_SUCCESS(Status)) SAC_DBG(SAC_DBG_INIT, "Failed dispatch\n");
/* Bail out */
return FALSE;
}
/* The first "packet" is the machine information in XML... */
Status = TranslateMachineInformationXML(&Message, NULL);
if (NT_SUCCESS(Status))
{
/* Go ahead and send it */
UTF8EncodeAndSend(L"<?xml version=\"1.0\"?>\r\n");
UTF8EncodeAndSend(Message);
/* Free the temporary buffer */
SacFreePool(Message);
}
/* Finally, initialize the I/O Manager */
Status = ConMgrInitialize();
if (!NT_SUCCESS(Status)) return FALSE;
/* Set the timer. Once this is done, the device is initialized */
DueTime.QuadPart = -4000;
KeSetTimerEx(&DeviceExtension->Timer, DueTime, 4, &DeviceExtension->Dpc);
DeviceExtension->Initialized = TRUE;
SuccessExit:
/* Success path -- everything worked */
SAC_DBG(SAC_DBG_ENTRY_EXIT, "Exiting with status TRUE\n");
return TRUE;
}
NTSTATUS VBoxMRxCreateSrvCall (PMRX_SRV_CALL pSrvCall, PMRX_SRVCALL_CALLBACK_CONTEXT pCallbackContext)
/*++
Routine Description:
This routine patches the RDBSS created srv call instance with the information required
by the mini redirector.
Arguments:
RxContext - Supplies the context of the original create/ioctl
CallBackContext - the call back context in RDBSS for continuation.
Return Value:
RXSTATUS - The return status for the operation
--*/
{
NTSTATUS Status;
PMRX_SRVCALLDOWN_STRUCTURE SrvCalldownStructure = (PMRX_SRVCALLDOWN_STRUCTURE)(pCallbackContext->SrvCalldownStructure);
Assert(pSrvCall);
Assert(NodeType(pSrvCall) == RDBSS_NTC_SRVCALL);
Log(("VBOXSF: VBoxMRxCreateSrvCall: Called %p.\n", pSrvCall));
//
// If this request was made on behalf of the RDBSS, do ExecuteCreatSrvCall
// immediately. If the request was made from somewhere else, create a work item
// and place it on a queue for a worker thread to process later. This distinction
// is made to simplify transport handle management.
//
if (IoGetCurrentProcess() == RxGetRDBSSProcess())
{
Log(("VBOXSF: VBoxMRxCreateSrvCall: Called in context of RDBSS process\n"));
//
// Peform the processing immediately because RDBSS is the initiator of this
// request
//
ExecuteCreateSrvCall(pCallbackContext);
}
else
{
Log(("VBOXSF: VBoxMRxCreateSrvCall: Dispatching to worker thread\n"));
//
// Dispatch the request to a worker thread because the redirected drive
// buffering sub-system (RDBSS) was not the initiator
//
Status = RxDispatchToWorkerThread(VBoxMRxDeviceObject, DelayedWorkQueue, (PWORKER_THREAD_ROUTINE)ExecuteCreateSrvCall, /* explicit cast for first parameter type */
pCallbackContext);
if (Status == STATUS_SUCCESS)
{
Log(("VBOXSF: VBoxMRxCreateSrvCall: queued!\n"));
}
else
{
pCallbackContext->Status = Status;
SrvCalldownStructure->CallBack(pCallbackContext);
}
}
//
// The wrapper expects PENDING.
//
return STATUS_PENDING;
}
//*************************************************************************
// HandleInDebuggerFault()
//
//*************************************************************************
ULONG HandleInDebuggerFault(FRAME* ptr,ULONG address)
{
PEPROCESS tsk;
ENTER_FUNC();
DPRINT((0,"HandleInDebuggerFault(): ###### page fault @ %.8X while inside debugger, eip: %x\n",address, ptr->eip));
// fault in this page fault handler
if(bInPageFaultHandler)
{
DPRINT((0,"HandleInDebuggerFault(): ###### page fault @ %.8X while in page fault handler\n",address));
DPRINT((0,"!!! machine is halted !!!\n"));
__asm__ __volatile__ ("hlt");
LEAVE_FUNC();
return 0;
}
bInPageFaultHandler = TRUE;
// when we come here from DebuggerShell() we live on a different stack
// so the current task is different as well
tsk = IoGetCurrentProcess();
DPRINT((0,"%.8X (%.4X:%.8X %.8X %s %s %s task=%.8X )\n",
address,
ptr->cs,
ptr->eip,
ptr->eflags,
(ptr->error_code&1)?"PLP":"NP",
(ptr->error_code&2)?"WRITE":"READ",
(ptr->error_code&4)?"USER-MODE":"KERNEL-MODE",
(ULONG)tsk));
if(!bInPrintk)
{
DPRINT((0,"HandleInDebuggerFault(): unexpected pagefault in command handler!\n",address));
}
else
{
DPRINT((0,"HandleInDebuggerFault(): unexpected pagefault in command handler while in PrintkCallback()!\n",address));
}
if(tsk)
{
PULONG pPGD;
PULONG pPTE;
pPGD = ADDR_TO_PDE(address);
DPRINT((0,"PGD for %.8X @ %.8X = %.8X\n",address,(ULONG)pPGD,(ULONG)(*pPGD) ));
if(pPGD && (*pPGD)&_PAGE_PRESENT)
{
// not large page
if(!((*pPGD)&_PAGE_4M))
{
pPTE = ADDR_TO_PTE(address);
if(pPTE)
{
DPRINT((0,"PTE for %.8X @ %.8X = %.8X\n",address,(ULONG)pPTE,(ULONG)(*pPTE) ));
}
}
}
}
IntelStackWalk(ptr->eip,CurrentEBP,ulRealStackPtr);
DPRINT((0,"!!! machine is halted !!!\n"));
__asm__ __volatile__ ("hlt");
LEAVE_FUNC();
return 2;
}
//*************************************************************************
// HandlePageFault()
//
// returns:
// 0 = let the system handle it
// 1 = call DebuggerShell()
// 2 = FATAL error inside debugger
//*************************************************************************
ULONG HandlePageFault(FRAME* ptr)
{
PVOID address;
PEPROCESS tsk, tsk1;
PMADDRESS_SPACE vma;
PLIST_ENTRY current_entry;
MEMORY_AREA* current;
ULONG value;
PKTHREAD CurrentThread;
PETHREAD CurrentEThread;
// get linear address of page fault
__asm__ __volatile__("movl %%cr2,%0"
:"=r" (address));
DPRINT((0,"\nPageFault: bInDebShell: %d, error: %d, addr: %x\n", bInDebuggerShell, ptr->error_code, address));
// there's something terribly wrong if we get a fault in our command handler
if(bInDebuggerShell)
{
DPRINT((0,"return handleindebuggerfault\n"));
return HandleInDebuggerFault(ptr,(ULONG)address);
}
ASSERT(IsAddressValid((ULONG)ptr));
// remember error code so we can push it back on the stack
error_code = ptr->error_code;
//ei Check IRQL here!!!
/*
if(in_interrupt())
{
Print(OUTPUT_WINDOW,"pICE: system is currently processing an interrupt!\n");
return 1;
}
*/
// current process
tsk = IoGetCurrentProcess();
DPRINT((0,"tsk: %x\t", tsk));
if( !tsk || !(IsAddressValid((ULONG)tsk))){
DPRINT((0,"tsk address not valid: tsk: %x\n", tsk));
return 0;
}
// lookup VMA for this address
if( (ULONG)address > KERNEL_BASE )
vma = my_init_mm; // use kernel mem area for kernel addresses
else vma = &(tsk->AddressSpace); // otherwise, use user memory area
if( !vma ){
DPRINT((0,"vma not valid: vma: %x\n", vma));
return 0;
}
current_entry = vma->MAreaListHead.Flink;
ASSERT(current_entry);
DPRINT((0,"vma: %x, current_entry: %x, kernel arena: %x\n", vma, current_entry, my_init_mm));
while(current_entry != &vma->MAreaListHead)
{
ASSERT(current_entry);
ASSERT(IsAddressValid((ULONG)current_entry));
current = CONTAINING_RECORD(current_entry,
MEMORY_AREA,
Entry);
if( (address >= current->BaseAddress) && (address <= current->BaseAddress + current->Length ))
{
DPRINT((0,"address: %x %x - %x Attrib: %x, Type: %x\n", address, current->BaseAddress, current->BaseAddress + current->Length, current->Attributes, current->Type));
//page not present
if( !(error_code & 1) ){
//check it is in pageable area
if( current->Type == MEMORY_AREA_SECTION_VIEW ||
current->Type == MEMORY_AREA_VIRTUAL_MEMORY ||
current->Type == MEMORY_AREA_PAGED_POOL ||
current->Type == MEMORY_AREA_SHARED_DATA
){
//ei too much output Print(OUTPUT_WINDOW,"pICE: VMA Pageable Section.\n");
//ei DPRINT((0,"return 0 1\n"));
return 0; //let the system handle this
}
Print(OUTPUT_WINDOW,"pICE: VMA Page not present in non-pageable Section!\n");
//ei DPRINT((0,"Type: currenttype: %x return 1 2\n", current->Type));
return 0;
}
else{ //access violation
if( error_code & 4 )
{ //user mode
if( (ULONG)address >= KERNEL_BASE )
{
Print(OUTPUT_WINDOW,"pICE: User mode program trying to access kernel memory!\n");
//DPRINT((0,"return 0 3\n"));
return 1;
}
//DPRINT((0,"return 0 4\n"));
return 0;
}
/*
if(error_code & 2)
{
//on write
if(!(current->Attributes & PAGE_READONLY))
{
Print(OUTPUT_WINDOW,"pICE: virtual memory arena is not writeable!\n");
return 1;
}
}
// READ ACCESS
else
{
// test EXT bit in error code
if (error_code & 1)
{
Print(OUTPUT_WINDOW,"pICE: page-level protection fault!\n");
return 1;
}
//
*/
/*
if (!(current->Attributes & PAGE_EXECUTE_READ))
{
Print(OUTPUT_WINDOW,"pICE: VMA is not readable!\n");
return 1;
}
*/
// let the system handle it
//DPRINT((0,"return 0 5\n"));
return 0;
}
}
current_entry = current_entry->Flink;
}
Print(OUTPUT_WINDOW,"pICE: no virtual memory arena at this address!\n");
DPRINT((0,"return 0 6\n"));
return 1;
// let the system handle it
// return 0;
}
NTSTATUS
ForceDelete(
wchar_t *path
)
{
HANDLE fileHandle;
NTSTATUS result;
IO_STATUS_BLOCK ioBlock;
DEVICE_OBJECT *device_object;
void* object = NULL;
OBJECT_ATTRIBUTES fileObject;
wchar_t deviceName[14];
UNICODE_STRING uDeviceName;
UNICODE_STRING uPath;
EPROCESS *eproc = IoGetCurrentProcess();
//switch context to UserMode
KeAttachProcess(eproc);
//initialize file to delete variable
g_fileToDelete = path;
g_fileToDelete += 6; //take from \??\C:\example only \example
//e.g "\??\C:\"
memset(deviceName,0,sizeof(deviceName));
wcsncpy(deviceName,path,7);
uDeviceName.Buffer = deviceName;
uDeviceName.Length = 14;
//file path to unicode string
RtlInitUnicodeString(&uPath,path);
InitializeObjectAttributes(&fileObject,
&uDeviceName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
result = ZwOpenFile(&fileHandle,
SYNCHRONIZE,
&fileObject,
&ioBlock,
FILE_SHARE_READ,
FILE_SYNCHRONOUS_IO_NONALERT|FILE_DIRECTORY_FILE);
if(result != STATUS_SUCCESS)
{
DbgPrint("Some problems with open file ;[");
goto _end;
}
if ( !ObReferenceObjectByHandle(fileHandle, 0, 0, 0, &object, 0) )
{
device_object = IoGetBaseFileSystemDeviceObject(object);
ObfDereferenceObject(object);
}
ZwClose(fileHandle);
InitializeObjectAttributes(&fileObject,
&uPath,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
result = IoCreateFileSpecifyDeviceObjectHint(
&fileHandle,
SYNCHRONIZE | FILE_WRITE_ATTRIBUTES | FILE_READ_ATTRIBUTES | FILE_READ_DATA, //0x100181
&fileObject,
&ioBlock,
0,
0,
FILE_SHARE_READ | FILE_SHARE_WRITE |FILE_SHARE_DELETE, //FILE_SHARE_VALID_FLAGS,
FILE_OPEN,
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,//0x60,
0,
0,
CreateFileTypeNone,
0,
IO_IGNORE_SHARE_ACCESS_CHECK,
device_object);
if(result != STATUS_SUCCESS)
{
DbgPrint("error in IoCreateFileSpecifyDeviceObjectHint");
goto _end;
}
result = ObReferenceObjectByHandle(fileHandle, 0, 0, 0, &object, 0);
if(result != STATUS_SUCCESS)
{
DbgPrint("error in ObReferenceObjectByHandle");
ZwClose(fileHandle);
goto _end;
}
/*
METHOD 1
*/
((FILE_OBJECT*)object)->SectionObjectPointer->ImageSectionObject = 0;
((FILE_OBJECT*)object)->DeleteAccess = 1;
result = ZwDeleteFile(&fileObject);
if(result != STATUS_SUCCESS)
{
DbgPrint("\n[+]error in ZwDeleteFile");
}
ObDereferenceObject(object);
ZwClose(fileHandle);
result = ZwDeleteFile(&fileObject);
if(result != STATUS_SUCCESS)
{
DbgPrint("\n[+]error in ZwDeleteFile");
/*
METHOD 2
*/
r0_fileToDelete(path);
/*
METHOD 3
If simple solutions did not help, try this one.
*/
hook_it(device_object)
}
VOID
BowserTrace(
PCHAR FormatString,
...
)
#define LAST_NAMED_ARGUMENT FormatString
{
CHAR OutputString[1024];
IO_STATUS_BLOCK IoStatus;
BOOLEAN ProcessAttached = FALSE;
va_list ParmPtr; // Pointer to stack parms.
NTSTATUS Status;
PAGED_CODE();
if (IoGetCurrentProcess() != BowserFspProcess) {
KeAttachProcess(BowserFspProcess);
ProcessAttached = TRUE;
}
if (BrowserTraceLogHandle == NULL) {
if (!NT_SUCCESS(BowserOpenTraceLogFile(L"\\SystemRoot\\Bowser.Log"))) {
BrowserTraceLogHandle = (HANDLE)0xffffffff;
if (ProcessAttached) {
KeDetachProcess();
}
return;
}
} else if (BrowserTraceLogHandle == (HANDLE)0xffffffff) {
if (ProcessAttached) {
KeDetachProcess();
}
return;
}
ExAcquireResourceExclusive(&BrowserTraceLock, TRUE);
if (BrowserTraceLogHandle == NULL) {
ExReleaseResource(&BrowserTraceLock);
if (ProcessAttached) {
KeDetachProcess();
}
return;
}
try {
LARGE_INTEGER EndOfFile;
EndOfFile.HighPart = 0xffffffff;
EndOfFile.LowPart = FILE_WRITE_TO_END_OF_FILE;
if (LastCharacter == '\n') {
LARGE_INTEGER SystemTime;
TIME_FIELDS TimeFields;
KeQuerySystemTime(&SystemTime);
ExSystemTimeToLocalTime(&SystemTime, &SystemTime);
RtlTimeToTimeFields(&SystemTime, &TimeFields);
//
// The last character written was a newline character. We should
// timestamp this record in the file.
//
/****
sprintf(OutputString, "%2.2d/%2.2d/%4.4d %2.2d:%2.2d:%2.2d.%3.3d: ", TimeFields.Month,
TimeFields.Day,
TimeFields.Year,
TimeFields.Hour,
TimeFields.Minute,
TimeFields.Second,
TimeFields.Milliseconds);
****/
if (!NT_SUCCESS(Status = ZwWriteFile(BrowserTraceLogHandle, NULL, NULL, NULL, &IoStatus, OutputString, strlen(OutputString), &EndOfFile, NULL))) {
KdPrint(("Error writing time to Browser log file: %lX\n", Status));
return;
}
if (!NT_SUCCESS(IoStatus.Status)) {
KdPrint(("Error writing time to Browser log file: %lX\n", IoStatus.Status));
return;
}
if (IoStatus.Information != strlen(OutputString)) {
KdPrint(("Error writing time to Browser log file: %lX\n", IoStatus.Status));
return;
}
}
va_start(ParmPtr, LAST_NAMED_ARGUMENT);
//
// Format the parameters to the string.
//
vsprintf(OutputString, FormatString, ParmPtr);
if (!NT_SUCCESS(Status = ZwWriteFile(BrowserTraceLogHandle, NULL, NULL, NULL, &IoStatus, OutputString, strlen(OutputString), &EndOfFile, NULL))) {
KdPrint(("Error writing string to Browser log file: %ld\n", Status));
return;
}
if (!NT_SUCCESS(IoStatus.Status)) {
KdPrint(("Error writing string to Browser log file: %lX\n", IoStatus.Status));
return;
}
if (IoStatus.Information != strlen(OutputString)) {
KdPrint(("Error writing string to Browser log file: %ld\n", IoStatus.Status));
return;
}
//
// Remember the last character output to the log.
//
LastCharacter = OutputString[strlen(OutputString)-1];
} finally {
ExReleaseResource(&BrowserTraceLock);
if (ProcessAttached) {
KeDetachProcess();
}
}
}