/*
 * NtOpenObject
 *
 * Opens an existing named kernel object of the given type through the
 * matching NtOpen* native routine and stores the handle in *phandle.
 *
 * type    - which object type to open; selects the native call
 * phandle - receives the opened handle on success
 * access  - requested ACCESS_MASK. For every type except FILE_OBJECT,
 *           STANDARD_RIGHTS_READ is OR'ed in before the call; files get the
 *           caller's mask unmodified.
 * path    - NT object-manager path of the object (looked up case-insensitively)
 *
 * Returns the NTSTATUS of the native call. NOTE(review): for an unknown type
 * the return value is ERROR_INVALID_FUNCTION, a Win32 error code (1) rather
 * than an NTSTATUS; NT_SUCCESS(1) is true, so a caller that only tests
 * NT_SUCCESS() on the result would treat that case as a successful open.
 * Behavior is kept as in the original.
 */
static DWORD NtOpenObject(OBJECT_TYPE type, PHANDLE phandle, DWORD access, LPCWSTR path)
{
    UNICODE_STRING objectName;
    OBJECT_ATTRIBUTES objectAttributes;
    IO_STATUS_BLOCK ioStatus;

    RtlInitUnicodeString(&objectName, path);

    /* 0x40 is OBJ_CASE_INSENSITIVE; no root directory, no security descriptor, no QoS. */
    objectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    objectAttributes.RootDirectory = NULL;
    objectAttributes.ObjectName = &objectName;
    objectAttributes.Attributes = 0x40;
    objectAttributes.SecurityDescriptor = NULL;
    objectAttributes.SecurityQualityOfService = NULL;

    /* Files are the one type opened with exactly the mask the caller asked for. */
    if (type == FILE_OBJECT)
        return NtOpenFile(phandle, access, &objectAttributes, &ioStatus,
                          FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 0);

    access |= STANDARD_RIGHTS_READ;

    switch (type) {
    case DIRECTORY_OBJECT:
        return NtOpenDirectoryObject(phandle, access, &objectAttributes);
    case SYMBOLICLINK_OBJECT:
        return NtOpenSymbolicLinkObject(phandle, access, &objectAttributes);
    case MUTANT_OBJECT:
        return NtOpenMutant(phandle, access, &objectAttributes);
    case SECTION_OBJECT:
        return NtOpenSection(phandle, access, &objectAttributes);
    case EVENT_OBJECT:
        return NtOpenEvent(phandle, access, &objectAttributes);
    case SEMAPHORE_OBJECT:
        return NtOpenSemaphore(phandle, access, &objectAttributes);
    case TIMER_OBJECT:
        return NtOpenTimer(phandle, access, &objectAttributes);
    case KEY_OBJECT:
        return NtOpenKey(phandle, access, &objectAttributes);
    case EVENTPAIR_OBJECT:
        return NtOpenEventPair(phandle, access, &objectAttributes);
    case IOCOMPLETION_OBJECT:
        return NtOpenIoCompletion(phandle, access, &objectAttributes);
    default:
        /* Win32 error code, see the note in the header comment. */
        return ERROR_INVALID_FUNCTION;
    }
}
/*
 * OnNtCreateSectionClick
 *
 * Dialog handler that either creates (nIDCtrl == IDC_NTCREATE_SECTION) or
 * opens (any other control id) a section object from the values held in the
 * dialog, then shows the NTSTATUS and resulting handle in the dialog.
 *
 * A section handle that is already open is closed first via OnNtCloseClick.
 * When the dialog's section name is non-empty it is used as a
 * case-insensitive object name; otherwise NULL object attributes are passed
 * (an unnamed section for create; NtOpenSection cannot succeed without a
 * name). A valid dialog file handle becomes the backing file for
 * NtCreateSection.
 *
 * Returns FALSE only when SaveDialog1 fails to read the dialog; TRUE
 * otherwise, including when the native call itself fails (that status is
 * reported through SetResultInfo).
 */
static int OnNtCreateSectionClick(HWND hDlg, UINT nIDCtrl)
{
    TFileTestData * pData = GetDialogData(hDlg);
    OBJECT_ATTRIBUTES objAttr;
    UNICODE_STRING sectionName;
    POBJECT_ATTRIBUTES pObjAttr = NULL;
    HANDLE backingFile = NULL;
    NTSTATUS status;

    // Drop a previously opened section before creating/opening another one
    if(IsHandleValid(pData->hSection))
        OnNtCloseClick(hDlg);

    // Pull the control values into pData
    if(SaveDialog1(hDlg) != ERROR_SUCCESS)
        return FALSE;

    // Named section: build object attributes around the dialog's name
    if(pData->szSectionName[0] != 0)
    {
        RtlInitUnicodeString(&sectionName, pData->szSectionName);
        InitializeObjectAttributes(&objAttr, &sectionName, OBJ_CASE_INSENSITIVE, NULL, NULL);
        pObjAttr = &objAttr;
    }

    // Backing file, if the dialog has one open
    if(IsHandleValid(pData->hFile))
        backingFile = pData->hFile;

    if(nIDCtrl == IDC_NTCREATE_SECTION)
    {
        status = NtCreateSection(&pData->hSection,
                                 pData->dwSectDesiredAccess,
                                 pObjAttr,
                                 &pData->MaximumSize,
                                 pData->dwSectPageProtection,
                                 pData->dwSectAllocAttributes,
                                 backingFile);
    }
    else
    {
        status = NtOpenSection(&pData->hSection,
                               pData->dwSectDesiredAccess,
                               pObjAttr);
    }

    // Report status and handle back to the dialog
    SetResultInfo(hDlg, status, pData->hSection);
    UpdateDialog(hDlg, pData);
    return TRUE;
}
/* FIXME: Convert to the new macros */
/*
 * OpenFileMappingW
 *
 * Opens a named section object in the caller's BaseNamedObjects directory.
 *
 * dwDesiredAccess is a FILE_MAP_* mask. A request of exactly FILE_MAP_COPY
 * becomes SECTION_MAP_READ; a set FILE_MAP_EXECUTE bit is rewritten to
 * SECTION_MAP_EXECUTE. Every other bit is passed to NtOpenSection unchanged.
 * bInheritHandle puts OBJ_INHERIT on the returned handle.
 *
 * Returns the section handle, or NULL with the last error set:
 * ERROR_INVALID_PARAMETER for a NULL name, otherwise the NTSTATUS mapped by
 * BaseSetLastNTError.
 */
HANDLE
NTAPI
OpenFileMappingW(IN DWORD dwDesiredAccess,
                 IN BOOL bInheritHandle,
                 IN LPCWSTR lpName)
{
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING unicodeName;
    HANDLE sectionHandle;
    NTSTATUS status;
    ULONG attributes = 0;

    /* A name is mandatory */
    if (lpName == NULL)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }

    if (bInheritHandle)
        attributes = OBJ_INHERIT;

    /* Look the name up relative to BaseNamedObjects */
    RtlInitUnicodeString(&unicodeName, lpName);
    InitializeObjectAttributes(&objectAttributes,
                               &unicodeName,
                               attributes,
                               BaseGetNamedObjectDirectory(),
                               NULL);

    /* Translate the Win32 FILE_MAP_* bits that differ from SECTION_* */
    if (dwDesiredAccess == FILE_MAP_COPY)
    {
        dwDesiredAccess = SECTION_MAP_READ;
    }
    else if (dwDesiredAccess & FILE_MAP_EXECUTE)
    {
        dwDesiredAccess = (dwDesiredAccess & ~FILE_MAP_EXECUTE) | SECTION_MAP_EXECUTE;
    }

    status = NtOpenSection(&sectionHandle, dwDesiredAccess, &objectAttributes);
    if (!NT_SUCCESS(status))
    {
        BaseSetLastNTError(status);
        return NULL;
    }

    return sectionHandle;
}
/***********************************************************************
 *             OpenFileMappingW   (KERNEL32.@)
 *
 * See OpenFileMappingA.
 *
 * Opens the section called 'name' in the BaseNamedObjects directory.
 * FILE_MAP_COPY on its own is mapped to SECTION_MAP_READ, and SECTION_QUERY
 * is always added to the requested mask. On Win9x (high bit of GetVersion
 * set) a read+write open is attempted first; that platform performs no
 * access checks, and the branch is never taken on NT.
 *
 * Returns the section handle, or 0 with the last error set from the NT
 * status (ERROR_INVALID_PARAMETER for a NULL name).
 */
HANDLE WINAPI OpenFileMappingW( DWORD access, BOOL inherit, LPCWSTR name)
{
    UNICODE_STRING section_name;
    OBJECT_ATTRIBUTES attr;
    NTSTATUS status;
    HANDLE handle = 0;

    if (!name)
    {
        SetLastError( ERROR_INVALID_PARAMETER );
        return 0;
    }

    RtlInitUnicodeString( &section_name, name );
    attr.Length                   = sizeof(attr);
    attr.RootDirectory            = get_BaseNamedObjects_handle();
    attr.ObjectName               = &section_name;
    attr.Attributes               = inherit ? OBJ_INHERIT : 0;
    attr.SecurityDescriptor       = NULL;
    attr.SecurityQualityOfService = NULL;

    if (access == FILE_MAP_COPY) access = SECTION_MAP_READ;
    /* callers inspect the section afterwards, so always ask for query rights */
    access |= SECTION_QUERY;

    if (GetVersion() & 0x80000000)
    {
        /* win9x doesn't do access checks, so try with full access first */
        status = NtOpenSection( &handle, access | SECTION_MAP_READ | SECTION_MAP_WRITE, &attr );
        if (!status) return handle;
    }

    status = NtOpenSection( &handle, access, &attr );
    if (status)
    {
        SetLastError( RtlNtStatusToDosError(status) );
        handle = 0;
    }
    return handle;
}
/*
 * OpenFileMappingW
 *
 * Opens the named section object lpName relative to the process's
 * BaseNamedObjects directory. An access of exactly FILE_MAP_COPY is opened
 * as FILE_MAP_READ; any other mask is passed through to NtOpenSection.
 * bInheritHandle sets OBJ_INHERIT on the handle.
 *
 * Returns the section handle, or NULL after BaseSetLastNTError has recorded
 * the failure (STATUS_INVALID_PARAMETER for a NULL name).
 */
HANDLE
APIENTRY
OpenFileMappingW(
    DWORD dwDesiredAccess,
    BOOL bInheritHandle,
    LPCWSTR lpName
    )
{
    UNICODE_STRING sectionName;
    OBJECT_ATTRIBUTES objectAttributes;
    HANDLE sectionHandle;
    NTSTATUS status;

    if ( lpName == NULL ) {
        BaseSetLastNTError(STATUS_INVALID_PARAMETER);
        return NULL;
    }

    //
    // FILE_MAP_COPY alone is opened with read access only.
    //
    if ( dwDesiredAccess == FILE_MAP_COPY ) {
        dwDesiredAccess = FILE_MAP_READ;
    }

    RtlInitUnicodeString(&sectionName, lpName);
    InitializeObjectAttributes(
        &objectAttributes,
        &sectionName,
        bInheritHandle ? OBJ_INHERIT : 0,
        BaseGetNamedObjectDirectory(),
        NULL
        );

    status = NtOpenSection( &sectionHandle, dwDesiredAccess, &objectAttributes );
    if ( NT_SUCCESS(status) ) {
        return sectionHandle;
    }

    BaseSetLastNTError(status);
    return NULL;
}
// OpensPhysicalMemory // This function opens the physical memory device. It // uses the native API since // HANDLE OpenPhysicalMemory() { NTSTATUS status; HANDLE physmem; UNICODE_STRING physmemString; OBJECT_ATTRIBUTES attributes; WCHAR physmemName[] = L"\\device\\physicalmemory"; RtlInitUnicodeString( &physmemString, physmemName ); InitializeObjectAttributes( &attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL ); status = NtOpenSection( &physmem, SECTION_MAP_READ, &attributes ); if( !NT_SUCCESS( status )) { // PrintError( "Could not open \\device\\physicalmemory", status ); return NULL; } return physmem; }
/*
* propOpenCurrentObject
*
* Purpose:
*
* Opens the object currently shown in the properties dialog, choosing the
* open routine by Context->TypeIndex. On success *phObject receives the
* handle. For native opens the last-error value is set from the NTSTATUS
* via RtlNtStatusToDosError; for window stations and desktops it is
* whatever the Win32 open left.
*
* Context       - object descriptor; TypeIndex, lpObjectName and
*                 lpCurrentObjectPath must all be set
* phObject      - receives the opened handle on success
* DesiredAccess - ACCESS_MASK to request. 0 is replaced with 1, which for
*                 every type handled here is the low type-specific "query"
*                 right (DIRECTORY_QUERY, MUTANT_QUERY_STATE, SECTION_QUERY,
*                 ... as annotated on each call below)
*
* Returns TRUE when the open succeeded and produced a non-NULL handle,
* FALSE otherwise. Port types and TYPE_UNKNOWN are rejected with
* ERROR_UNSUPPORTED_TYPE; a type with no case in the switch fails with
* STATUS_UNSUCCESSFUL mapped to a Win32 error.
*
*/
BOOL propOpenCurrentObject(
    _In_ PROP_OBJECT_INFO *Context,
    _Inout_ PHANDLE phObject,
    _In_ ACCESS_MASK DesiredAccess
    )
{
    BOOL bResult;
    HANDLE hObject, hDirectory;
    NTSTATUS status;
    UNICODE_STRING ustr;
    OBJECT_ATTRIBUTES obja;
    IO_STATUS_BLOCK iost;

    bResult = FALSE;
    if (Context == NULL) {
        return bResult;
    }

    //type could not be determined, nothing to open
    if (Context->TypeIndex == TYPE_UNKNOWN) {
        SetLastError(ERROR_UNSUPPORTED_TYPE);
        return bResult;
    }
    if (phObject == NULL) {
        SetLastError(ERROR_OBJECT_NOT_FOUND);
        return bResult;
    }
    if (Context->lpObjectName == NULL) {
        SetLastError(ERROR_OBJECT_NOT_FOUND);
        return bResult;
    }
    if (Context->lpCurrentObjectPath == NULL) {
        SetLastError(ERROR_OBJECT_NOT_FOUND);
        return bResult;
    }

    //port objects are not supported
    if (
        (Context->TypeIndex == TYPE_PORT) ||
        (Context->TypeIndex == TYPE_FLTCOMM_PORT) ||
        (Context->TypeIndex == TYPE_FLTCONN_PORT) ||
        (Context->TypeIndex == TYPE_WAITABLEPORT)
        )
    {
        SetLastError(ERROR_UNSUPPORTED_TYPE);
        return bResult;
    }

    hDirectory = NULL;

    //1 is the lowest type-specific right, i.e. the query right, for all types below
    if (DesiredAccess == 0) {
        DesiredAccess = 1;
    }

    //handle directory type
    if (Context->TypeIndex == TYPE_DIRECTORY) {

        //the root directory has no parent: open it with hDirectory = NULL
        //(_strcmpi is given a wide literal, so presumably it is the project's
        //wide-char compare rather than the CRT one -- confirm)
        if (_strcmpi(Context->lpObjectName, L"\\") != 0) {

            //otherwise open the directory that holds this object
            hDirectory = supOpenDirectoryForObject(Context->lpObjectName, Context->lpCurrentObjectPath);
            if (hDirectory == NULL) {
                SetLastError(ERROR_OBJECT_NOT_FOUND);
                return bResult;
            }
        }

        //open the object relative to its parent directory
        RtlSecureZeroMemory(&ustr, sizeof(ustr));
        RtlInitUnicodeString(&ustr, Context->lpObjectName);
        InitializeObjectAttributes(&obja, &ustr, OBJ_CASE_INSENSITIVE, hDirectory, NULL);
        hObject = NULL;
        status = NtOpenDirectoryObject(&hObject, DesiredAccess, &obja); //DIRECTORY_QUERY for query
        SetLastError(RtlNtStatusToDosError(status));
        bResult = ((NT_SUCCESS(status)) && (hObject != NULL));
        if (bResult && phObject) {
            *phObject = hObject;
        }

        //close the parent directory handle if one was opened
        if (hDirectory != NULL) {
            NtClose(hDirectory);
        }
        return bResult;
    }

    //handle window station type (Win32 user object; last error comes from the Win32 call)
    if (Context->TypeIndex == TYPE_WINSTATION) {
        hObject = OpenWindowStation(Context->lpObjectName, FALSE, DesiredAccess); //WINSTA_READATTRIBUTES for query
        bResult = (hObject != NULL);
        if (bResult && phObject) {
            *phObject = hObject;
        }
        return bResult;
    }

    //handle desktop type (Win32 user object; last error comes from the Win32 call)
    if (Context->TypeIndex == TYPE_DESKTOP) {
        hObject = OpenDesktop(Context->lpObjectName, 0, FALSE, DesiredAccess); //DESKTOP_READOBJECTS for query
        bResult = (hObject != NULL);
        if (bResult && phObject) {
            *phObject = hObject;
        }
        return bResult;
    }

    //every remaining type is opened relative to the directory that contains it
    hDirectory = supOpenDirectoryForObject(Context->lpObjectName, Context->lpCurrentObjectPath);
    if (hDirectory == NULL) {
        SetLastError(ERROR_OBJECT_NOT_FOUND);
        return bResult;
    }

    RtlSecureZeroMemory(&ustr, sizeof(ustr));
    RtlInitUnicodeString(&ustr, Context->lpObjectName);
    InitializeObjectAttributes(&obja, &ustr, OBJ_CASE_INSENSITIVE, hDirectory, NULL);

    //a type without a case below keeps STATUS_UNSUCCESSFUL and fails
    status = STATUS_UNSUCCESSFUL;
    hObject = NULL;

    //handle supported objects
    switch (Context->TypeIndex) {

    case TYPE_DEVICE: //FILE_OBJECT
        //device objects are opened as files with FILE_OPEN (never created)
        status = NtCreateFile(&hObject, DesiredAccess, &obja, &iost, NULL, 0,
            FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, 0, NULL, 0);//generic access rights
        break;

    case TYPE_MUTANT:
        status = NtOpenMutant(&hObject, DesiredAccess, &obja); //MUTANT_QUERY_STATE for query
        break;

    case TYPE_KEY:
        status = NtOpenKey(&hObject, DesiredAccess, &obja); //KEY_QUERY_VALUE for query
        break;

    case TYPE_SEMAPHORE:
        status = NtOpenSemaphore(&hObject, DesiredAccess, &obja); //SEMAPHORE_QUERY_STATE for query
        break;

    case TYPE_TIMER:
        status = NtOpenTimer(&hObject, DesiredAccess, &obja); //TIMER_QUERY_STATE for query
        break;

    case TYPE_EVENT:
        status = NtOpenEvent(&hObject, DesiredAccess, &obja); //EVENT_QUERY_STATE for query
        break;

    case TYPE_EVENTPAIR:
        status = NtOpenEventPair(&hObject, DesiredAccess, &obja); //generic access
        break;

    case TYPE_SYMLINK:
        status = NtOpenSymbolicLinkObject(&hObject, DesiredAccess, &obja); //SYMBOLIC_LINK_QUERY for query
        break;

    case TYPE_IOCOMPLETION:
        status = NtOpenIoCompletion(&hObject, DesiredAccess, &obja); //IO_COMPLETION_QUERY_STATE for query
        break;

    case TYPE_SECTION:
        status = NtOpenSection(&hObject, DesiredAccess, &obja); //SECTION_QUERY for query
        break;

    case TYPE_JOB:
        status = NtOpenJobObject(&hObject, DesiredAccess, &obja); //JOB_OBJECT_QUERY for query
        break;

    }

    //record the status, then release the parent directory regardless of outcome
    SetLastError(RtlNtStatusToDosError(status));
    NtClose(hDirectory);
    bResult = ((NT_SUCCESS(status)) && (hObject != NULL));
    if (bResult && phObject) {
        *phObject = hObject;
    }
    return bResult;
}
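/*
 * DisableProt
 *
 * Rewrites the DACL of the \Device\PhysicalMemory section object so that the
 * calling user (the "CURRENT_USER" trustee name understood by
 * SetEntriesInAcl) is granted SECTION_ALL_ACCESS. Presumably this is done so
 * that a later NtOpenSection with map rights from the same user succeeds.
 *
 * Security notes:
 *  - The object is opened with WRITE_DAC | READ_CONTROL only; the caller must
 *    already be permitted to change the DACL (owner or administrator).
 *    Nothing in this function elevates.
 *  - OBJ_KERNEL_HANDLE is passed from user mode. NOTE(review): confirm it has
 *    any effect here; it is kept only because the original passed it.
 *  - The modified DACL lives on the in-memory object, so it presumably
 *    persists until reboot -- confirm, and revert it when no longer needed.
 *
 * mode - unused (the original comments mention 1 = current, 2 = user)
 *
 * Returns 0 in all cases; progress and failures are printed to stdout.
 *
 * Fixes relative to the original: Section is initialized, so the cleanup
 * path no longer reads an uninitialized handle when NtOpenSection fails;
 * the DACL returned by SetEntriesInAcl is released; the SetSecurityInfo
 * failure message names the right API.
 */
PVOID DisableProt(BOOL mode)
{
    HANDLE Section = NULL;
    DWORD Res;
    NTSTATUS ntS;
    PACL OldDacl = NULL, NewDacl = NULL;
    PSECURITY_DESCRIPTOR SecDesc = NULL;
    EXPLICIT_ACCESS Access;
    OBJECT_ATTRIBUTES ObAttributes;
    INIT_UNICODE(ObName, L"\\Device\\PhysicalMemory");

    //mode 1 = current
    //mode 2 = user
    (void)mode;

    memset(&Access, 0, sizeof(EXPLICIT_ACCESS));
    InitializeObjectAttributes(&ObAttributes, &ObName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    // open \Device\PhysicalMemory with just the rights needed to rewrite its DACL
    ntS = NtOpenSection(&Section, WRITE_DAC | READ_CONTROL, &ObAttributes);
    if (ntS != STATUS_SUCCESS)
    {
        printf("error: NtOpenSection (code: %x)\n", (unsigned)ntS);
        goto cleanup;
    }

    // retrieve a copy of the security descriptor; OldDacl points inside SecDesc
    Res = GetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, &OldDacl, NULL, &SecDesc);
    if (Res != ERROR_SUCCESS)
    {
        printf("error: GetSecurityInfo (code: %lu)\n", Res);
        goto cleanup;
    }

    Access.grfAccessPermissions = SECTION_ALL_ACCESS; // :P
    Access.grfAccessMode = GRANT_ACCESS;
    Access.grfInheritance = NO_INHERITANCE;
    Access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    // change these fields to grant access to a group or another user
    Access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    Access.Trustee.TrusteeType = TRUSTEE_IS_USER;
    Access.Trustee.ptstrName = "CURRENT_USER";

    // create the new ACL = old ACL + the grant above
    Res = SetEntriesInAcl(1, &Access, OldDacl, &NewDacl);
    if (Res != ERROR_SUCCESS)
    {
        printf("error: SetEntriesInAcl (code: %lu)\n", Res);
        goto cleanup;
    }

    // update the object's DACL
    Res = SetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, NewDacl, NULL);
    if (Res != ERROR_SUCCESS)
    {
        printf("error: SetSecurityInfo (code: %lu)\n", Res);
        goto cleanup;
    }

    printf("\\Device\\PhysicalMemory chmoded\n");

cleanup:
    // NewDacl is handed out by SetEntriesInAcl and, like SecDesc, is released with LocalFree
    if (NewDacl) LocalFree(NewDacl);
    if (SecDesc) LocalFree(SecDesc);
    if (Section) NtClose(Section);
    return(0);
}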
/*
 * WepOpenServerObjects
 *
 * Lazily opens the objects shared with the hook server: the shared section
 * (then mapped read/write for sizeof(WE_HOOK_SHARED_DATA) bytes into
 * WeServerSharedData), the mutant that guards it, and the event. Each step
 * runs only while its global is still NULL, so repeated calls are cheap.
 *
 * Returns TRUE once all of them are available. If the section open fails,
 * FALSE is returned immediately (nothing was opened); any later failure
 * calls WepCloseServerObjects() before returning FALSE.
 *
 * NOTE(review): every open asks for *_ALL_ACCESS. The view below only needs
 * SECTION_MAP_READ | SECTION_MAP_WRITE, and the mutant/event presumably need
 * only synchronize/modify rights; a narrower request would keep this client
 * working under a tighter DACL on the server's objects. Behavior unchanged.
 */
BOOLEAN WepOpenServerObjects(
    VOID
    )
{
    WCHAR nameBuffer[256];
    UNICODE_STRING objectName;
    OBJECT_ATTRIBUTES objectAttributes;
    NTSTATUS status;

    // Shared section
    if (!WeServerSharedSection)
    {
        WeFormatLocalObjectName(WE_SERVER_SHARED_SECTION_NAME, nameBuffer, &objectName);
        InitializeObjectAttributes(&objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL);

        status = NtOpenSection(&WeServerSharedSection, SECTION_ALL_ACCESS, &objectAttributes);
        if (!NT_SUCCESS(status))
            return FALSE;
    }

    // Read/write view of the shared data structure
    if (!WeServerSharedData)
    {
        PVOID viewBase = NULL;
        SIZE_T viewSize = sizeof(WE_HOOK_SHARED_DATA);

        status = NtMapViewOfSection(
            WeServerSharedSection,
            NtCurrentProcess(),
            &viewBase,
            0,
            0,
            NULL,
            &viewSize,
            ViewShare,
            0,
            PAGE_READWRITE
            );
        if (!NT_SUCCESS(status))
        {
            WepCloseServerObjects();
            return FALSE;
        }

        WeServerSharedData = viewBase;
    }

    // Mutant protecting the shared section
    if (!WeServerSharedSectionLock)
    {
        WeFormatLocalObjectName(WE_SERVER_SHARED_SECTION_LOCK_NAME, nameBuffer, &objectName);
        InitializeObjectAttributes(&objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL);

        status = NtOpenMutant(&WeServerSharedSectionLock, MUTANT_ALL_ACCESS, &objectAttributes);
        if (!NT_SUCCESS(status))
        {
            WepCloseServerObjects();
            return FALSE;
        }
    }

    // Event used with the shared section
    if (!WeServerSharedSectionEvent)
    {
        WeFormatLocalObjectName(WE_SERVER_SHARED_SECTION_EVENT_NAME, nameBuffer, &objectName);
        InitializeObjectAttributes(&objectAttributes, &objectName, OBJ_CASE_INSENSITIVE, NULL, NULL);

        status = NtOpenEvent(&WeServerSharedSectionEvent, EVENT_ALL_ACCESS, &objectAttributes);
        if (!NT_SUCCESS(status))
        {
            WepCloseServerObjects();
            return FALSE;
        }
    }

    return TRUE;
}
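/*
 * devmem_open
 *
 * Open handler for the /dev/mem family (major DEVMEM_MAJOR); the minor is
 * taken from ip->name[1]. Only DEVMEM_MINOR and DEVPORT_MINOR are
 * implemented, both backed by the \Device\PhysicalMemory section, which is
 * opened with SECTION_MAP_READ for O_RDONLY and SECTION_MAP_READ |
 * SECTION_MAP_WRITE for O_WRONLY / O_RDWR.
 *
 * The handle is opened with OBJ_INHERIT, so child processes inherit it.
 * NOTE(review): presumably deliberate for this process model, but it hands
 * physical-memory access to every child -- confirm that is intended.
 *
 * The per-minor device block (Pdevmem_t) is shared: an existing block gets
 * its use count bumped; otherwise a new block is allocated, zeroed and filled
 * with the address range for the minor (physical-memory size from
 * NtQuerySystemInformation for DEVMEM_MINOR, 64K for DEVPORT_MINOR).
 *
 * pdevtab, extra - unused
 * fpd            - receives devno (the block number) and extra64 = 0
 * ip             - path whose name[1] holds the minor number
 * oflags         - open(2) flags; only the O_ACCMODE bits are used
 *
 * Returns the section handle, or 0 with errno set: ENODEV for an unsupported
 * platform or minor, EINVAL when the O_ACCMODE bits are none of
 * O_RDONLY/O_WRONLY/O_RDWR, whatever block_alloc left when it fails, or the
 * mapped NT status when a native call fails.
 *
 * Fixes relative to the original: the access mask is derived (and an invalid
 * mode rejected) before any shared state is touched -- previously an access
 * mode outside the three handled values left `am` uninitialized and still
 * reached NtOpenSection; a negative minor (name[1] may be a plain char) is
 * rejected before it is used as an index into blocks[].
 *
 * NOTE(review): on the native-failure path the device block that was just
 * allocated or referenced is neither released nor decremented; left as in
 * the original since block ownership is handled elsewhere.
 */
static HANDLE devmem_open(Devtab_t *pdevtab, Pfd_t *fpd, Path_t *ip, int oflags, HANDLE *extra)
{
	HANDLE hp = 0;
	int blkno, minor = ip->name[1];
	unsigned short *blocks = devtab_ptr(Share->chardev_index, DEVMEM_MAJOR);
	NTSTATUS r;
	UNICODE_STRING ucstr;
	OBJECT_ATTRIBUTES attr;
	SYSTEM_BASIC_INFORMATION sbi;
	Pdevmem_t *pdm;
	ACCESS_MASK am;

	if(Share->Platform != VER_PLATFORM_WIN32_NT)
	{
		logerr(0, "/dev/mem not supported on non NT systems");
		goto enodev;
	}
	if(!devmem_api())
	{
		logerr(0, "failed to get ntdll.dll API functions");
		goto enodev;
	}
	/* name[1] may be a signed char: a negative minor would index blocks[] out of range */
	if(minor < 0 || minor > DEVALLKMEM_MINOR)
	{
		logerr(0, "illegal minor device number");
		goto enodev;
	}
	if(minor > DEVPORT_MINOR)
	{
		logerr(0, "minor device not implemented yet");
		goto enodev;
	}

	/*
	 * Resolve the section access mask first so that an invalid mode fails
	 * without allocating or referencing a device block.
	 */
	switch(oflags & O_ACCMODE)
	{
	case O_RDONLY:
		am = SECTION_MAP_READ;
		break;
	case O_WRONLY:
	case O_RDWR:
		am = SECTION_MAP_READ | SECTION_MAP_WRITE;
		break;
	default:
		logerr(0, "invalid access mode for /dev/mem");
		errno = EINVAL;
		return 0;
	}

	if(blkno = blocks[minor])
	{
		/* device already in use, increase device usage counter */
		pdm = (Pdevmem_t*)dev_ptr(blkno);
		InterlockedIncrement(&pdm->count);
	}
	else
	{
		/* allocate new device block, fill in info */
		if((blkno = block_alloc(BLK_PDEV)) == 0)
			return(0);
		pdm = (Pdevmem_t*)dev_ptr(blkno);
		ZeroMemory((void *)pdm, BLOCK_SIZE-1);
		pdm->major = DEVMEM_MAJOR;
		pdm->minor = minor;
		blocks[minor] = blkno;

		/* get physical memory size */
		r = NtQuerySystemInformation(SystemBasicInformation, &sbi, sizeof(sbi), 0);
		if(!NT_SUCCESS(r))
		{
			logerr(0, "NtQuerySystemInformation failed");
			goto nterr;
		}
		switch(minor)
		{
		case DEVMEM_MINOR:
			pdm->min_addr = 0; // sbi.LowestPhysicalPage * sbi.PhysicalPageSize;
			pdm->max_addr = sbi.HighestPhysicalPage * sbi.PhysicalPageSize;
			break;
		case DEVPORT_MINOR:
			pdm->min_addr = 0;
			pdm->max_addr = 0x10000;
			break;
		default:
			pdm->min_addr = pdm->max_addr = 0;
			break;
		}
	}
	fpd->devno = blkno;
	fpd->extra64 = 0;

	/* OBJ_INHERIT: the physical-memory handle is passed on to child processes */
	RtlInitUnicodeString(&ucstr, L"\\Device\\PhysicalMemory");
	InitializeObjectAttributes(&attr, &ucstr, OBJ_CASE_INSENSITIVE | OBJ_INHERIT, 0, 0);
	r = NtOpenSection(&hp, am, &attr);
	if(!NT_SUCCESS(r))
	{
		logerr(0, "NtOpenSection failed");
		goto nterr;
	}
	return hp;

nterr:
	errno = unix_err(RtlNtStatusToDosError(r));
	return 0;
enodev:
	errno = ENODEV;
	return 0;
}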
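/**
 * Reads the AppDomain list of a .NET 4 process through its legacy private
 * IPC block.
 *
 * The per-process section named by GeneratePrivateNameV4 is opened for
 * SECTION_MAP_READ, mapped read-only in full (viewSize 0 = whole section),
 * and its AppDomainBlock member is handed to EnumerateAppDomainIpcBlock or
 * EnumerateAppDomainIpcBlockWow64, selected by \a Wow64 (which also selects
 * the 32-bit layout of the control block).
 *
 * The section is created by the target process, so its contents are
 * untrusted. Before the header is touched the mapping must be at least as
 * large as the control block structure, and the header must carry
 * IPC_FLAG_INITIALIZED and a Version no newer than
 * VER_LEGACYPRIVATE_IPC_BLOCK. (The size check is new; the original read the
 * header from a mapping of unverified size.)
 *
 * \param Wow64 TRUE when the target is a 32-bit process.
 * \param ProcessHandle Handle to the target, passed to the enumerator.
 * \param ProcessId PID of the target; used only to build the section name.
 *
 * \return The list produced by the enumerator, or NULL when the section
 * cannot be opened or mapped or fails validation. The view and the section
 * handle are always released before returning.
 */
PPH_LIST QueryDotNetAppDomainsForPid_V4(
    _In_ BOOLEAN Wow64,
    _In_ HANDLE ProcessHandle,
    _In_ HANDLE ProcessId
    )
{
    HANDLE legacyPrivateBlockHandle = NULL;
    PVOID ipcControlBlockTable = NULL;
    LARGE_INTEGER sectionOffset = { 0 };
    SIZE_T viewSize = 0;
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING sectionNameUs;
    PPH_LIST appDomainsList = NULL;

    if (!PhStringRefToUnicodeString(&GeneratePrivateNameV4(ProcessId)->sr, &sectionNameUs))
        goto CleanupExit;

    InitializeObjectAttributes(
        &objectAttributes,
        &sectionNameUs,
        OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
        );

    if (!NT_SUCCESS(NtOpenSection(
        &legacyPrivateBlockHandle,
        SECTION_MAP_READ,
        &objectAttributes
        )))
    {
        goto CleanupExit;
    }

    // viewSize == 0 maps the whole section; on return it holds the mapped size.
    if (!NT_SUCCESS(NtMapViewOfSection(
        legacyPrivateBlockHandle,
        NtCurrentProcess(),
        &ipcControlBlockTable,
        0,
        viewSize,
        &sectionOffset,
        &viewSize,
        ViewShare,
        0,
        PAGE_READONLY
        )))
    {
        goto CleanupExit;
    }

    if (Wow64)
    {
        LegacyPrivateIPCControlBlock_Wow64* legacyPrivateBlock;
        AppDomainEnumerationIPCBlock_Wow64* appDomainEnumBlock;

        // The target controls the section size; never read a header the view cannot hold.
        if (viewSize < sizeof(LegacyPrivateIPCControlBlock_Wow64))
            goto CleanupExit;

        legacyPrivateBlock = (LegacyPrivateIPCControlBlock_Wow64*)ipcControlBlockTable;
        appDomainEnumBlock = &legacyPrivateBlock->AppDomainBlock;

        // Check the IPCControlBlock is initialized.
        if ((legacyPrivateBlock->FullIPCHeader.Header.Flags & IPC_FLAG_INITIALIZED) != IPC_FLAG_INITIALIZED)
        {
            goto CleanupExit;
        }

        // Check the IPCControlBlock version is valid.
        if (legacyPrivateBlock->FullIPCHeader.Header.Version > VER_LEGACYPRIVATE_IPC_BLOCK)
        {
            goto CleanupExit;
        }

        appDomainsList = EnumerateAppDomainIpcBlockWow64(
            ProcessHandle,
            appDomainEnumBlock
            );
    }
    else
    {
        LegacyPrivateIPCControlBlock* legacyPrivateBlock;
        AppDomainEnumerationIPCBlock* appDomainEnumBlock;

        // The target controls the section size; never read a header the view cannot hold.
        if (viewSize < sizeof(LegacyPrivateIPCControlBlock))
            goto CleanupExit;

        legacyPrivateBlock = (LegacyPrivateIPCControlBlock*)ipcControlBlockTable;
        appDomainEnumBlock = &legacyPrivateBlock->AppDomainBlock;

        // Check the IPCControlBlock is initialized.
        if ((legacyPrivateBlock->FullIPCHeader.Header.Flags & IPC_FLAG_INITIALIZED) != IPC_FLAG_INITIALIZED)
        {
            goto CleanupExit;
        }

        // Check the IPCControlBlock version is valid.
        if (legacyPrivateBlock->FullIPCHeader.Header.Version > VER_LEGACYPRIVATE_IPC_BLOCK)
        {
            goto CleanupExit;
        }

        appDomainsList = EnumerateAppDomainIpcBlock(
            ProcessHandle,
            appDomainEnumBlock
            );
    }

CleanupExit:

    if (ipcControlBlockTable)
    {
        NtUnmapViewOfSection(NtCurrentProcess(), ipcControlBlockTable);
    }

    if (legacyPrivateBlockHandle)
    {
        NtClose(legacyPrivateBlockHandle);
    }

    return appDomainsList;
}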
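/**
 * Opens and maps the public (SxS) IPC control block of a .NET 4 process.
 *
 * The block lives in a section inside a private namespace. The namespace is
 * located through a boundary descriptor built from the PID-derived name plus
 * the Everyone SID and, for an AppContainer ("immersive") target, the
 * target's AppContainer SID read from its token. The section
 * (CorSxSVistaPublicIPCBlock) is opened for SECTION_MAP_READ and mapped
 * read-only in full (viewSize 0).
 *
 * \param IsImmersive TRUE when the target runs in an AppContainer; only
 * honoured when WINDOWS_HAS_IMMERSIVE is set.
 * \param ProcessHandle Handle to the target; needed only to read its token
 * for the AppContainer SID. A failed NtOpenProcessToken is tolerated (the
 * plain boundary is tried); a failed token query after a successful open
 * aborts.
 * \param ProcessId PID of the target; used to build the boundary name.
 * \param BlockTableHandle Receives the section handle on success, NULL on
 * failure. The caller owns it.
 * \param BlockTableAddress Receives the mapped view on success, NULL on
 * failure. The caller owns it and must validate its contents: the section is
 * created by the target process and is untrusted input.
 *
 * \return TRUE on success, FALSE otherwise. Token, SID, namespace and
 * boundary descriptor are released on every path.
 *
 * NOTE(review): the namespace is opened with MAXIMUM_ALLOWED; it is only
 * used as the root for one section open, so a narrower mask may suffice.
 * Left unchanged.
 *
 * Fix relative to the original listing: the mis-encoded "&sect" sequences
 * (`&sectionNameUs`, `&sectionObjectAttributes`, `&sectionOffset`) are
 * restored.
 */
BOOLEAN OpenDotNetPublicControlBlock_V4(
    _In_ BOOLEAN IsImmersive,
    _In_ HANDLE ProcessHandle,
    _In_ HANDLE ProcessId,
    _Out_ HANDLE* BlockTableHandle,
    _Out_ PVOID* BlockTableAddress
    )
{
    BOOLEAN result = FALSE;
    PVOID boundaryDescriptorHandle = NULL;
    HANDLE privateNamespaceHandle = NULL;
    HANDLE blockTableHandle = NULL;
    HANDLE tokenHandle = NULL;
    PSID everyoneSIDHandle = NULL;
    PVOID blockTableAddress = NULL;
    LARGE_INTEGER sectionOffset = { 0 };
    SIZE_T viewSize = 0;
    UNICODE_STRING prefixNameUs;
    UNICODE_STRING sectionNameUs;
    UNICODE_STRING boundaryNameUs;
    OBJECT_ATTRIBUTES namespaceObjectAttributes;
    OBJECT_ATTRIBUTES sectionObjectAttributes;
    PTOKEN_APPCONTAINER_INFORMATION appContainerInfo = NULL;
    SID_IDENTIFIER_AUTHORITY SIDWorldAuth = SECURITY_WORLD_SID_AUTHORITY;

    // Boundary descriptor: PID-derived name plus the Everyone SID.
    if (!PhStringRefToUnicodeString(&GenerateBoundaryDescriptorName(ProcessId)->sr, &boundaryNameUs))
        goto CleanupExit;

    if (!(boundaryDescriptorHandle = RtlCreateBoundaryDescriptor(&boundaryNameUs, 0)))
        goto CleanupExit;

    if (!NT_SUCCESS(RtlAllocateAndInitializeSid(&SIDWorldAuth, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyoneSIDHandle)))
        goto CleanupExit;

    if (!NT_SUCCESS(RtlAddSIDToBoundaryDescriptor(&boundaryDescriptorHandle, everyoneSIDHandle)))
        goto CleanupExit;

    // AppContainer targets: the boundary also carries the target's package SID.
    if (WINDOWS_HAS_IMMERSIVE && IsImmersive)
    {
        if (NT_SUCCESS(NtOpenProcessToken(&tokenHandle, TOKEN_QUERY, ProcessHandle)))
        {
            ULONG returnLength = 0;

            // Size query: anything but STATUS_BUFFER_TOO_SMALL means the SID cannot be read.
            if (NtQueryInformationToken(
                tokenHandle,
                TokenAppContainerSid,
                NULL,
                0,
                &returnLength
                ) != STATUS_BUFFER_TOO_SMALL)
            {
                goto CleanupExit;
            }

            appContainerInfo = PhAllocate(returnLength);

            if (!NT_SUCCESS(NtQueryInformationToken(
                tokenHandle,
                TokenAppContainerSid,
                appContainerInfo,
                returnLength,
                &returnLength
                )))
            {
                goto CleanupExit;
            }

            if (!NT_SUCCESS(RtlAddSIDToBoundaryDescriptor(&boundaryDescriptorHandle, appContainerInfo->TokenAppContainer)))
                goto CleanupExit;
        }
    }

    RtlInitUnicodeString(&prefixNameUs, CorSxSReaderPrivateNamespacePrefix);
    InitializeObjectAttributes(
        &namespaceObjectAttributes,
        &prefixNameUs,
        OBJ_CASE_INSENSITIVE,
        boundaryDescriptorHandle,
        NULL
        );

    if (!NT_SUCCESS(NtOpenPrivateNamespace(
        &privateNamespaceHandle,
        MAXIMUM_ALLOWED,
        &namespaceObjectAttributes,
        boundaryDescriptorHandle
        )))
    {
        goto CleanupExit;
    }

    // The section is opened relative to the private namespace.
    RtlInitUnicodeString(&sectionNameUs, CorSxSVistaPublicIPCBlock);
    InitializeObjectAttributes(
        &sectionObjectAttributes,
        &sectionNameUs,
        OBJ_CASE_INSENSITIVE,
        privateNamespaceHandle,
        NULL
        );

    if (!NT_SUCCESS(NtOpenSection(
        &blockTableHandle,
        SECTION_MAP_READ,
        &sectionObjectAttributes
        )))
    {
        goto CleanupExit;
    }

    // viewSize 0: map the whole section, read-only.
    if (!NT_SUCCESS(NtMapViewOfSection(
        blockTableHandle,
        NtCurrentProcess(),
        &blockTableAddress,
        0,
        viewSize,
        &sectionOffset,
        &viewSize,
        ViewShare,
        0,
        PAGE_READONLY
        )))
    {
        goto CleanupExit;
    }

    *BlockTableHandle = blockTableHandle;
    *BlockTableAddress = blockTableAddress;
    result = TRUE;

CleanupExit:

    if (!result)
    {
        if (blockTableHandle)
        {
            NtClose(blockTableHandle);
        }

        if (blockTableAddress)
        {
            NtUnmapViewOfSection(NtCurrentProcess(), blockTableAddress);
        }

        *BlockTableHandle = NULL;
        *BlockTableAddress = NULL;
    }

    if (tokenHandle)
    {
        NtClose(tokenHandle);
    }

    if (appContainerInfo)
    {
        PhFree(appContainerInfo);
    }

    if (privateNamespaceHandle)
    {
        NtClose(privateNamespaceHandle);
    }

    if (everyoneSIDHandle)
    {
        RtlFreeSid(everyoneSIDHandle);
    }

    if (boundaryDescriptorHandle)
    {
        RtlDeleteBoundaryDescriptor(boundaryDescriptorHandle);
    }

    return result;
}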
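/**
 * Opens and maps the legacy public IPC control block of a .NET 2 process.
 *
 * The section named by GenerateLegacyPublicName is opened for
 * SECTION_MAP_READ (case-insensitive, no root directory) and mapped
 * read-only in full (viewSize 0).
 *
 * \param ProcessId PID of the target; used to build the section name.
 * \param BlockTableHandle Receives the section handle on success, NULL on
 * failure. The caller owns it.
 * \param BlockTableAddress Receives the mapped view on success, NULL on
 * failure. The caller owns it and must validate its contents: the section is
 * created by the target process and is untrusted input.
 *
 * \return TRUE on success, FALSE otherwise.
 *
 * Fixes relative to the original listing: the mis-encoded "&sect" sequences
 * (`&sectionNameUs`, `&sectionOffset`) are restored, and both output
 * parameters are set to NULL on every failure path, matching
 * OpenDotNetPublicControlBlock_V4.
 */
BOOLEAN OpenDotNetPublicControlBlock_V2(
    _In_ HANDLE ProcessId,
    _Out_ HANDLE* BlockTableHandle,
    _Out_ PVOID* BlockTableAddress
    )
{
    HANDLE blockTableHandle = NULL;
    PVOID blockTableAddress = NULL;
    UNICODE_STRING sectionNameUs;
    OBJECT_ATTRIBUTES objectAttributes;
    LARGE_INTEGER sectionOffset = { 0 };
    SIZE_T viewSize = 0;

    // Outputs are well-defined on failure, as in the _V4 variant.
    *BlockTableHandle = NULL;
    *BlockTableAddress = NULL;

    if (!PhStringRefToUnicodeString(&GenerateLegacyPublicName(ProcessId)->sr, &sectionNameUs))
        return FALSE;

    InitializeObjectAttributes(
        &objectAttributes,
        &sectionNameUs,
        OBJ_CASE_INSENSITIVE,
        NULL,
        NULL
        );

    if (!NT_SUCCESS(NtOpenSection(
        &blockTableHandle,
        SECTION_MAP_READ,
        &objectAttributes
        )))
    {
        return FALSE;
    }

    // viewSize 0: map the whole section, read-only.
    if (NT_SUCCESS(NtMapViewOfSection(
        blockTableHandle,
        NtCurrentProcess(),
        &blockTableAddress,
        0,
        viewSize,
        &sectionOffset,
        &viewSize,
        ViewShare,
        0,
        PAGE_READONLY
        )))
    {
        *BlockTableHandle = blockTableHandle;
        *BlockTableAddress = blockTableAddress;
        return TRUE;
    }

    if (blockTableHandle)
        NtClose(blockTableHandle);

    if (blockTableAddress)
        NtUnmapViewOfSection(NtCurrentProcess(), blockTableAddress);

    return FALSE;
}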
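/**
 * Reads the AppDomain list of a .NET 2 process through its legacy private
 * IPC block.
 *
 * The section named by GeneratePrivateName is opened for SECTION_MAP_READ
 * (attributes 0, i.e. a case-sensitive lookup -- unlike the _V4 variant,
 * which uses OBJ_CASE_INSENSITIVE; presumably this matches how the runtime
 * names it, so it is left unchanged), mapped read-only in full (viewSize 0),
 * and the AppDomain entry located by GetLegacyBlockTableEntry is handed to
 * EnumerateAppDomainIpcBlock or EnumerateAppDomainIpcBlockWow64, selected by
 * \a Wow64 (which also selects the 32-bit layout of the control block).
 *
 * The section is created by the target process, so its contents are
 * untrusted. Before the header is touched the mapping must be at least as
 * large as the control block structure (new check), and the header Version
 * must be no newer than VER_LEGACYPRIVATE_IPC_BLOCK. .NET 2.0 does not set
 * IPC_FLAG_INITIALIZED, so that flag is not checked here.
 *
 * \param Wow64 TRUE when the target is a 32-bit process.
 * \param ProcessHandle Handle to the target, passed to the enumerator.
 * \param ProcessId PID of the target; used only to build the section name.
 *
 * \return The list produced by the enumerator, or NULL when the section
 * cannot be opened or mapped or fails validation. The view and the section
 * handle are released in the __finally block on every path.
 *
 * Fix relative to the original listing: the mis-encoded "&sect" sequences
 * (`&sectionNameUs`, `&sectionOffset`) are restored.
 */
PPH_LIST QueryDotNetAppDomainsForPid_V2(
    _In_ BOOLEAN Wow64,
    _In_ HANDLE ProcessHandle,
    _In_ HANDLE ProcessId
    )
{
    LARGE_INTEGER sectionOffset = { 0 };
    SIZE_T viewSize = 0;
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING sectionNameUs;
    HANDLE legacyPrivateBlockHandle = NULL;
    PVOID ipcControlBlockTable = NULL;
    PPH_LIST appDomainsList = NULL;

    __try
    {
        if (!PhStringRefToUnicodeString(&GeneratePrivateName(ProcessId)->sr, &sectionNameUs))
            __leave;

        InitializeObjectAttributes(
            &objectAttributes,
            &sectionNameUs,
            0,
            NULL,
            NULL
            );

        if (!NT_SUCCESS(NtOpenSection(
            &legacyPrivateBlockHandle,
            SECTION_MAP_READ,
            &objectAttributes
            )))
        {
            __leave;
        }

        // viewSize == 0 maps the whole section; on return it holds the mapped size.
        if (!NT_SUCCESS(NtMapViewOfSection(
            legacyPrivateBlockHandle,
            NtCurrentProcess(),
            &ipcControlBlockTable,
            0,
            viewSize,
            &sectionOffset,
            &viewSize,
            ViewShare,
            0,
            PAGE_READONLY
            )))
        {
            __leave;
        }

        if (Wow64)
        {
            LegacyPrivateIPCControlBlock_Wow64* legacyPrivateBlock;
            AppDomainEnumerationIPCBlock_Wow64* appDomainEnumBlock;

            // The target controls the section size; never read a header the view cannot hold.
            if (viewSize < sizeof(LegacyPrivateIPCControlBlock_Wow64))
                __leave;

            legacyPrivateBlock = (LegacyPrivateIPCControlBlock_Wow64*)ipcControlBlockTable;

            // NOTE: .NET 2.0 processes do not have the IPC_FLAG_INITIALIZED flag.

            // Check the IPCControlBlock version is valid.
            if (legacyPrivateBlock->FullIPCHeader.Header.Version > VER_LEGACYPRIVATE_IPC_BLOCK)
            {
                __leave;
            }

            appDomainEnumBlock = GetLegacyBlockTableEntry(
                Wow64,
                ipcControlBlockTable,
                eLegacyPrivateIPC_AppDomain
                );

            appDomainsList = EnumerateAppDomainIpcBlockWow64(
                ProcessHandle,
                appDomainEnumBlock
                );
        }
        else
        {
            LegacyPrivateIPCControlBlock* legacyPrivateBlock;
            AppDomainEnumerationIPCBlock* appDomainEnumBlock;

            // The target controls the section size; never read a header the view cannot hold.
            if (viewSize < sizeof(LegacyPrivateIPCControlBlock))
                __leave;

            legacyPrivateBlock = (LegacyPrivateIPCControlBlock*)ipcControlBlockTable;

            // NOTE: .NET 2.0 processes do not have the IPC_FLAG_INITIALIZED flag.

            // Check the IPCControlBlock version is valid.
            if (legacyPrivateBlock->FullIPCHeader.Header.Version > VER_LEGACYPRIVATE_IPC_BLOCK)
            {
                __leave;
            }

            appDomainEnumBlock = GetLegacyBlockTableEntry(
                Wow64,
                ipcControlBlockTable,
                eLegacyPrivateIPC_AppDomain
                );

            appDomainsList = EnumerateAppDomainIpcBlock(
                ProcessHandle,
                appDomainEnumBlock
                );
        }
    }
    __finally
    {
        if (ipcControlBlockTable)
        {
            NtUnmapViewOfSection(NtCurrentProcess(), ipcControlBlockTable);
        }

        if (legacyPrivateBlockHandle)
        {
            NtClose(legacyPrivateBlockHandle);
        }
    }

    return appDomainsList;
}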
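//
// Memory-management test driver.
//
// Exercises NtAllocateVirtualMemory / NtFreeVirtualMemory /
// NtProtectVirtualMemory / NtQueryVirtualMemory and section mapping
// (NtCreateSection / NtOpenSection / NtMapViewOfSection) against the
// current process.  Every check reports through DbgPrint with a
// "FAILED TEST n" marker; checks the author treated as fatal terminate
// the process with the failing NTSTATUS.  The program always ends with
// ExitProcess(0), so the exit code does not summarise the results - the
// debugger output does.
//
// Changes relative to the original listing (behaviour of the kernel
// calls is untouched):
//   - failure messages now print the status / pointer / size that the
//     failing call actually used (several printed stale p1/Size1/status),
//   - "%lC" in the 3a.1 message was a wide-char specifier applied to an
//     NTSTATUS and is now "%X" like every other message,
//   - the TEST 4 check is inside the block that sets its status,
//   - fatal exits in the MEM_DOS_LIM tests pass the failing status
//     instead of STATUS_SUCCESS,
//   - duplicated test numbers 42 / 44 / 46 are disambiguated,
//   - handle locals are NULL-initialised so a failed open never feeds an
//     indeterminate handle value into the next call,
//   - "(PUCHAR)p1 += n" (cast as lvalue, compiler extension) is written
//     portably, and the comma-operator assignment is split.
//
int _CRTAPI1 main(void) {
    LONG i, j;
    PULONG p4, p3, p2, p1, oldp1, vp1;
    ULONG Size1, Size2, Size3;
    NTSTATUS status, alstatus;
    HANDLE CurrentProcessHandle;
    HANDLE GiantSection = NULL;
    HANDLE Section4 = NULL;
    MEMORY_BASIC_INFORMATION MemInfo;
    ULONG OldProtect;
    STRING Name3;
    HANDLE Section1 = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    OBJECT_ATTRIBUTES Object1Attributes;
    ULONG ViewSize;
    LARGE_INTEGER Offset;
    LARGE_INTEGER SectionSize;
    UNICODE_STRING Unicode;

    CurrentProcessHandle = NtCurrentProcess();

    DbgPrint(" Memory Management Tests - AllocVm, FreeVm, ProtectVm, QueryVm\n");

    //
    // TEST 1..3: reserve+commit a fixed-address region and verify that
    // QueryVm describes it exactly (size, base, protection, type, state).
    //
    p1 = (PULONG)0x20020000;
    Size1 = 0xbc0000;

    alstatus = NtAllocateVirtualMemory (CurrentProcessHandle,
                                        (PVOID *)&p1,
                                        0,
                                        &Size1,
                                        MEM_RESERVE | MEM_COMMIT,
                                        PAGE_READWRITE);

    if (!NT_SUCCESS(alstatus)) {
        DbgPrint("failed first created vm status %X start %lx size %lx\n",
                 alstatus, (ULONG)p1, Size1);
        DbgPrint("******** FAILED TEST 1 **************\n");
    }

    status = NtQueryVirtualMemory (CurrentProcessHandle,
                                   p1,
                                   MemoryBasicInformation,
                                   &MemInfo,
                                   sizeof (MEMORY_BASIC_INFORMATION),
                                   NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 2 **************\n");
        DbgPrint("FAILURE query vm status %X address %lx Base %lx size %lx\n",
                 status, p1, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    if ((MemInfo.RegionSize != Size1) ||
        (MemInfo.BaseAddress != p1) ||
        (MemInfo.Protect != PAGE_READWRITE) ||
        (MemInfo.Type != MEM_PRIVATE) ||
        (MemInfo.State != MEM_COMMIT)) {

        DbgPrint("******** FAILED TEST 3 **************\n");
        DbgPrint("FAILURE query vm status %X address %lx Base %lx size %lx\n",
                 status, p1, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    //
    // TEST 3a.*: top-down allocation, partial decommit and MEM_RELEASE
    // splits inside one region.  Failures here are fatal.
    //
    p2 = (PULONG)NULL;
    Size2 = 0x100000;

    alstatus = NtAllocateVirtualMemory (CurrentProcessHandle,
                                        (PVOID *)&p2,
                                        3,
                                        &Size2,
                                        MEM_TOP_DOWN | MEM_RESERVE | MEM_COMMIT,
                                        PAGE_READWRITE);

    if (!NT_SUCCESS(alstatus)) {
        // Report the call that failed (p2/Size2), not the earlier p1 region.
        DbgPrint("failed first created vm status %X start %lx size %lx\n",
                 alstatus, (ULONG)p2, Size2);
        DbgPrint("******** FAILED TEST 3a.1 **************\n");
        NtTerminateProcess(NtCurrentProcess(), alstatus);
    }

    //
    // Touch every other page.
    //
    vp1 = p2 + 3000;
    while (vp1 < (PULONG)((PCHAR)p2 + Size2)) {
        *vp1 = 938;
        vp1 += 3000;
    }

    //
    // Decommit pages.  The call is made on p2 itself; vp1 is assigned
    // here in the original but not used by this call.
    //
    Size3 = Size2 - 5044;
    vp1 = p2 + 3000;

    status = NtFreeVirtualMemory (CurrentProcessHandle,
                                  (PVOID *)&p2,
                                  &Size3,
                                  MEM_DECOMMIT);

    if (!(NT_SUCCESS(status))) {
        DbgPrint(" free vm failed - status %lx\n", status);
        DbgPrint("******** FAILED TEST 3a.4 **************\n");
        NtTerminateProcess(NtCurrentProcess(), status);
    }

    //
    // Split the memory block using MEM_RELEASE.
    //
    vp1 = p2 + 5000;
    Size3 = Size2 - 50000;

    status = NtFreeVirtualMemory (CurrentProcessHandle,
                                  (PVOID *)&vp1,
                                  &Size3,
                                  MEM_RELEASE);

    if (!(NT_SUCCESS(status))) {
        DbgPrint(" free vm failed - status %lx\n", status);
        DbgPrint("******** FAILED TEST 3a.b **************\n");
        NtTerminateProcess(NtCurrentProcess(), status);
    }

    vp1 = p2 + 3000;
    Size3 = 41;

    status = NtFreeVirtualMemory (CurrentProcessHandle,
                                  (PVOID *)&vp1,
                                  &Size3,
                                  MEM_RELEASE);

    if (!(NT_SUCCESS(status))) {
        DbgPrint(" free vm failed - status %lx\n", status);
        DbgPrint("******** FAILED TEST 3a.5 **************\n");
        NtTerminateProcess(NtCurrentProcess(), status);
    }

    //
    // free every page, ignore the status.
    // NtFreeVirtualMemory rounds vp1/Size3 in place, so later iterations
    // run with a page-rounded Size3; that is the original behaviour.
    //
    vp1 = p2;
    Size3 = 30;
    while (vp1 < (PULONG)((PCHAR)p2 + Size2)) {
        status = NtFreeVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&vp1,
                                      &Size3,
                                      MEM_RELEASE);
        vp1 += 128;
    }

    //
    // TEST 3.1..3.3: a 64k top-down allocation with 3 zero bits is
    // expected to land at 0x1fff0000.
    //
    p2 = (PULONG)NULL;
    Size2 = 0x10000;

    status = NtAllocateVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p2,
                                      3,
                                      &Size2,
                                      MEM_TOP_DOWN | MEM_RESERVE | MEM_COMMIT,
                                      PAGE_READWRITE);

    if (!NT_SUCCESS(status)) {
        DbgPrint("failed first created vm status %X start %lx size %lx\n",
                 status, (ULONG)p2, Size2);
        DbgPrint("******** FAILED TEST 3.1 **************\n");
    } else {
        if (p2 != (PVOID)0x1fff0000) {
            DbgPrint("******** FAILED TEST 3.2 **************\n");
            DbgPrint("p2 = %lx\n", p2);
        }

        status = NtFreeVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p2,
                                      &Size2,
                                      MEM_RELEASE);

        if (!(NT_SUCCESS(status))) {
            DbgPrint(" free vm failed - status %lx\n", status);
            DbgPrint("******** FAILED TEST 3.3 **************\n");
            NtTerminateProcess(NtCurrentProcess(), status);
        }
    }

    //
    // TEST 4: release the fixed-address region from TEST 1.
    // NOTE(review): alstatus was overwritten by the 3a.1 allocation (which
    // terminates on failure), so this guard is always true here; the
    // check is kept inside the block so it never reads a stale status.
    //
    if (NT_SUCCESS(alstatus)) {
        status = NtFreeVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p1,
                                      &Size1,
                                      MEM_RELEASE);

        if (!(NT_SUCCESS(status))) {
            DbgPrint(" free vm failed - status %lx\n", status);
            DbgPrint("******** FAILED TEST 4 **************\n");
            NtTerminateProcess(NtCurrentProcess(), status);
        }
    }

    //
    // TEST 5..7: reserve 16 pages with PAGE_GUARD in the allocation
    // protection; a reserved region must report Protect == 0.
    //
    p1 = (PULONG)NULL;
    Size1 = 16 * 4096;

    status = NtAllocateVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p1,
                                      0,
                                      &Size1,
                                      MEM_RESERVE,
                                      PAGE_READWRITE | PAGE_GUARD);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 5 **************\n");
        DbgPrint("created vm status %X start %lx size %lx\n",
                 status, (ULONG)p1, Size1);
    }

    status = NtQueryVirtualMemory (CurrentProcessHandle,
                                   p1,
                                   MemoryBasicInformation,
                                   &MemInfo,
                                   sizeof (MEMORY_BASIC_INFORMATION),
                                   NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 6 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, p1, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx alloc_protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.AllocationProtect,
                 MemInfo.Type);
    }

    if ((MemInfo.RegionSize != Size1) ||
        (MemInfo.BaseAddress != p1) ||
        (MemInfo.AllocationProtect != (PAGE_READWRITE | PAGE_GUARD)) ||
        (MemInfo.Protect != 0) ||
        (MemInfo.Type != MEM_PRIVATE) ||
        (MemInfo.State != MEM_RESERVE)) {

        DbgPrint("******** FAILED TEST 7 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, p1, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx alloc_protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.AllocationProtect,
                 MemInfo.Type);
    }

    //
    // TEST 8..12: commit the last 8k of the reserved region and verify
    // that the reserved prefix (56k) and the committed tail are reported
    // as separate regions sharing one AllocationBase.
    //
    Size2 = 8192;
    oldp1 = p1;
    p1 = p1 + 14336; // 64k -8k /4

    status = NtAllocateVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p1,
                                      0,
                                      &Size2,
                                      MEM_COMMIT,
                                      PAGE_EXECUTE_READWRITE);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 8 **************\n");
        DbgPrint("created vm status %X start %lx size %lx\n",
                 status, (ULONG)p1, Size2);
    }

    status = NtQueryVirtualMemory (CurrentProcessHandle,
                                   oldp1,
                                   MemoryBasicInformation,
                                   &MemInfo,
                                   sizeof (MEMORY_BASIC_INFORMATION),
                                   NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 9 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, oldp1, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    if ((MemInfo.RegionSize != 56*1024) ||
        (MemInfo.BaseAddress != oldp1) ||
        (MemInfo.AllocationProtect != (PAGE_READWRITE | PAGE_GUARD)) ||
        (MemInfo.Protect != 0) ||
        (MemInfo.Type != MEM_PRIVATE) ||
        (MemInfo.State != MEM_RESERVE)) {

        DbgPrint("******** FAILED TEST 10 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, oldp1, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx alloc_protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.AllocationProtect,
                 MemInfo.Type);
    }

    status = NtQueryVirtualMemory (CurrentProcessHandle,
                                   p1,
                                   MemoryBasicInformation,
                                   &MemInfo,
                                   sizeof (MEMORY_BASIC_INFORMATION),
                                   NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 11 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, p1, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    if ((MemInfo.RegionSize != Size2) ||
        (MemInfo.BaseAddress != p1) ||
        (MemInfo.Protect != PAGE_EXECUTE_READWRITE) ||
        (MemInfo.Type != MEM_PRIVATE) ||
        (MemInfo.State != MEM_COMMIT) ||
        (MemInfo.AllocationBase != oldp1)) {

        DbgPrint("******** FAILED TEST 12 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, p1, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    //
    // TEST 13..17: ProtectVm round trips.  PAGE_NOACCESS | PAGE_NOCACHE is
    // an invalid combination and must be rejected with
    // STATUS_INVALID_PAGE_PROTECTION.
    //
    Size1 = Size2;

    status = NtProtectVirtualMemory (CurrentProcessHandle,
                                     (PVOID *)&p1,
                                     &Size1,
                                     PAGE_READONLY | PAGE_NOCACHE,
                                     &OldProtect);

    if ((!NT_SUCCESS(status)) || (OldProtect != PAGE_EXECUTE_READWRITE)) {
        DbgPrint("******** FAILED TEST 13 **************\n");
        DbgPrint("protected VM status %X, base %lx, size %lx, old protect %lx\n",
                 status, p1, Size1, OldProtect);
    }

    status = NtQueryVirtualMemory (CurrentProcessHandle,
                                   p1,
                                   MemoryBasicInformation,
                                   &MemInfo,
                                   sizeof (MEMORY_BASIC_INFORMATION),
                                   NULL);

    if ((!NT_SUCCESS(status)) ||
        MemInfo.Protect != (PAGE_NOCACHE | PAGE_READONLY)) {
        DbgPrint("******** FAILED TEST 14 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, p1, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    // The page must still be readable under PAGE_READONLY | PAGE_NOCACHE.
    i = *p1;

    status = NtProtectVirtualMemory (CurrentProcessHandle,
                                     (PVOID *)&p1,
                                     &Size1,
                                     PAGE_NOACCESS | PAGE_NOCACHE,
                                     &OldProtect);

    if (status != STATUS_INVALID_PAGE_PROTECTION) {
        DbgPrint("******** FAILED TEST 15 **************\n");
        DbgPrint("protected VM status %X, base %lx, size %lx, old protect %lx\n",
                 status, p1, Size1, OldProtect);
    }

    status = NtProtectVirtualMemory (CurrentProcessHandle,
                                     (PVOID *)&p1,
                                     &Size1,
                                     PAGE_READONLY,
                                     &OldProtect);

    if ((!NT_SUCCESS(status)) ||
        (OldProtect != (PAGE_NOCACHE | PAGE_READONLY))) {
        DbgPrint("******** FAILED TEST 16 **************\n");
        DbgPrint("protected VM status %X, base %lx, size %lx, old protect %lx\n",
                 status, p1, Size1, OldProtect);
    }

    status = NtProtectVirtualMemory (CurrentProcessHandle,
                                     (PVOID *)&p1,
                                     &Size1,
                                     PAGE_READWRITE,
                                     &OldProtect);

    if ((!NT_SUCCESS(status)) || (OldProtect != (PAGE_READONLY))) {
        DbgPrint("******** FAILED TEST 17 **************\n");
        DbgPrint("protected VM status %X, base %lx, size %lx, old protect %lx\n",
                 status, p1, Size1, OldProtect);
    }

    //
    // TEST 18..19: eleven commits of growing size; the 4-page one is
    // released again (with an unrounded 12000-byte size) mid-loop.
    //
    for (i = 1; i < 12; i++) {
        p2 = (PULONG)NULL;
        Size2 = i * 4096;

        status = NtAllocateVirtualMemory (CurrentProcessHandle,
                                          (PVOID *)&p2,
                                          0,
                                          &Size2,
                                          MEM_COMMIT,
                                          PAGE_READWRITE);

        if (!NT_SUCCESS(status)) {
            DbgPrint("******** FAILED TEST 18 **************\n");
            DbgPrint("created vm status %X start %lx size %lx\n",
                     status, (ULONG)p2, Size2);
        }

        if (i == 4) {
            p3 = p2;
        }

        if (i == 8) {
            Size3 = 12000;
            status = NtFreeVirtualMemory (CurrentProcessHandle,
                                          (PVOID *)&p3,
                                          &Size3,
                                          MEM_RELEASE);

            if (!NT_SUCCESS(status)) {
                DbgPrint("******** FAILED TEST 19 **************\n");
                DbgPrint("free vm status %X start %lx size %lx\n",
                         status, (ULONG)p3, Size3);
            }
        }
    }

    //
    // TEST 20..23: query around the committed tail, then a MEM_RELEASE
    // that straddles two allocations must fail with
    // STATUS_UNABLE_TO_FREE_VM while a single-page release succeeds.
    //
    p3 = p1 + 8 * 1024;

    status = NtQueryVirtualMemory (CurrentProcessHandle,
                                   p3,
                                   MemoryBasicInformation,
                                   &MemInfo,
                                   sizeof (MEMORY_BASIC_INFORMATION),
                                   NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 20 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, p3, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    p3 = p1 - 8 * 1024;

    status = NtQueryVirtualMemory (CurrentProcessHandle,
                                   p3,
                                   MemoryBasicInformation,
                                   &MemInfo,
                                   sizeof (MEMORY_BASIC_INFORMATION),
                                   NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 21 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, p3, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    Size3 = 16 * 4096;

    status = NtFreeVirtualMemory (CurrentProcessHandle,
                                  (PVOID *)&p3,
                                  &Size3,
                                  MEM_RELEASE);

    if (status != STATUS_UNABLE_TO_FREE_VM) {
        DbgPrint("******** FAILED TEST 22 **************\n");
        DbgPrint("free vm status %X start %lx size %lx\n",
                 status, (ULONG)p3, Size3);
    }

    Size3 = 1 * 4096;

    status = NtFreeVirtualMemory (CurrentProcessHandle,
                                  (PVOID *)&p3,
                                  &Size3,
                                  MEM_RELEASE);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 23 **************\n");
        DbgPrint("free vm status %X start %lx size %lx\n",
                 status, (ULONG)p3, Size3);
    }

    //
    // TEST 24..25: fill a 300-page region with self-referencing values
    // (every 1027th ULONG holds its own address) and re-read it several
    // times to catch lost writes.
    //
    p3 = (PULONG)NULL;
    Size3 = 300 * 4096;

    status = NtAllocateVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p3,
                                      0,
                                      &Size3,
                                      MEM_COMMIT,
                                      PAGE_READWRITE);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 24 **************\n");
        DbgPrint("created vm status %X start %lx size %lx\n",
                 status, (ULONG)p3, Size3);
    }

    p1 = p3;
    p2 = ((PULONG)((PUCHAR)p3 + Size3));
    p4 = p1;
    j = 0;

    while (p3 < p2) {
        j += 1;
        if (j % 8 == 0) {
            // p4 trails p3 by 8 cells; re-read a cell written earlier and
            // plant one extra value in the slot after it.
            if (*p4 != (ULONG)p4) {
                DbgPrint("bad value in xcell %lx value is %lx\n", p4, *p4);
            }
            p4 += 1;
            *p4 = (ULONG)p4;
            p4 = p4 + 1026;
        }
        *p3 = (ULONG)p3;
        p3 += 1027;
    }

    DbgPrint("checking values\n");

    status = NtQueryVirtualMemory (CurrentProcessHandle,
                                   p3,
                                   MemoryBasicInformation,
                                   &MemInfo,
                                   sizeof (MEMORY_BASIC_INFORMATION),
                                   NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 25 **************\n");
        DbgPrint("query vm status %X address %lx Base %lx size %lx\n",
                 status, p3, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    p3 = p1;
    while (p3 < p2) {
        if (*p3 != (ULONG)p3) {
            DbgPrint("bad value in 1cell %lx value is %lx\n", p3, *p3);
        }
        p3 += 1027;
    }

    p3 = p1;
    while (p3 < p2) {
        if (*p3 != (ULONG)p3) {
            DbgPrint("bad value in 2cell %lx value is %lx\n", p3, *p3);
        }
        p3 += 1027;
    }

    p3 = p1;
    while (p3 < p2) {
        if (*p3 != (ULONG)p3) {
            DbgPrint("bad value in 3cell %lx value is %lx\n", p3, *p3);
        }
        p3 += 1027;
    }

    p3 = p1;
    while (p3 < p2) {
        if (*p3 != (ULONG)p3) {
            DbgPrint("bad value in 4cell %lx value is %lx\n", p3, *p3);
        }
        p3 += 1027;
    }

    p3 = p1;
    while (p3 < p2) {
        if (*p3 != (ULONG)p3) {
            DbgPrint("bad value in 5cell %lx value is %lx\n", p3, *p3);
        }
        p3 += 1027;
    }

    p3 = p1;
    while (p3 < p2) {
        if (*p3 != (ULONG)p3) {
            DbgPrint("bad value in cell %lx value is %lx\n", p3, *p3);
        }
        p3 += 1027;
    }

    //
    // Check physical frame mapping.
    //
    // TEST 26..27: open \Device\PhysicalMemory for read/write and map a
    // view at an unaligned physical offset.  Write access to this section
    // is a privileged operation; the test is expected to run with rights
    // that allow it, and a failure here is reported, not fatal.
    //
    RtlInitAnsiString (&Name3, "\\Device\\PhysicalMemory");

    status = RtlAnsiStringToUnicodeString(&Unicode, &Name3, TRUE);
    if (!NT_SUCCESS(status)) {
        printf("string conversion failed status %lx\n", status);
        ExitProcess (status);
    }

    InitializeObjectAttributes( &ObjectAttributes,
                                &Unicode,
                                OBJ_CASE_INSENSITIVE,
                                NULL,
                                NULL );

    status = NtOpenSection ( &Section1,
                             SECTION_MAP_READ | SECTION_MAP_WRITE,
                             &ObjectAttributes );

    RtlFreeUnicodeString(&Unicode);

    if (status != 0) {
        DbgPrint("******** FAILED TEST 26 **************\n");
        DbgPrint("open physical section failed %lx\n", status);
    }

    // Section1 stays NULL when the open failed, so the map below fails
    // on the handle instead of on an indeterminate value.
    p1 = NULL;
    Offset.LowPart = 0x810ff033;
    Offset.HighPart = 0;
    ViewSize = 300*4096;

    status = NtMapViewOfSection (Section1,
                                 NtCurrentProcess(),
                                 (PVOID *)&p1,
                                 0,
                                 ViewSize,
                                 &Offset,
                                 &ViewSize,
                                 ViewUnmap,
                                 0,
                                 PAGE_READWRITE );

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 27 **************\n");
        DbgPrint ("map physical section %X offset = %lx, base %lx\n",
                  status, Offset.LowPart, p1);
    }

    //
    // TEST 28..30: 8MB commit, decommit of the interior, then re-commit
    // of a smaller interior as execute-read-write.  Both commits are
    // followed by RtlZeroMemory over the region, so a failed commit is
    // fatal here instead of faulting inside RtlZeroMemory.
    //
    p1 = NULL;
    Size1 = 8 * 1024 * 1024;

    alstatus = NtAllocateVirtualMemory (CurrentProcessHandle,
                                        (PVOID *)&p1,
                                        0,
                                        &Size1,
                                        MEM_RESERVE | MEM_COMMIT,
                                        PAGE_READWRITE);

    if (!NT_SUCCESS(alstatus)) {
        DbgPrint("failed first created vm status %X start %lx size %lx\n",
                 alstatus, (ULONG)p1, Size1);
        DbgPrint("******** FAILED TEST 28 **************\n");
        NtTerminateProcess(NtCurrentProcess(), alstatus);
    }

    RtlZeroMemory (p1, Size1);

    Size1 -= 20000;
    p1 = (PULONG)((PUCHAR)p1 + 5000);

    status = NtFreeVirtualMemory (CurrentProcessHandle,
                                  (PVOID *)&p1,
                                  &Size1,
                                  MEM_DECOMMIT);

    if (!(NT_SUCCESS(status))) {
        DbgPrint(" free vm failed - status %lx\n", status);
        DbgPrint("******** FAILED TEST 29 **************\n");
        NtTerminateProcess(NtCurrentProcess(), status);
    }

    Size1 -= 20000;
    p1 = (PULONG)((PUCHAR)p1 + 5000);

    alstatus = NtAllocateVirtualMemory (CurrentProcessHandle,
                                        (PVOID *)&p1,
                                        0,
                                        &Size1,
                                        MEM_COMMIT,
                                        PAGE_EXECUTE_READWRITE);

    if (!NT_SUCCESS(alstatus)) {
        DbgPrint("failed first created vm status %X start %lx size %lx\n",
                 alstatus, (ULONG)p1, Size1);
        DbgPrint("******** FAILED TEST 30 **************\n");
        NtTerminateProcess(NtCurrentProcess(), alstatus);
    }

    RtlZeroMemory (p1, Size1);

    //
    // TEST 31..32: a committed PAGE_GUARD page must raise
    // STATUS_GUARD_PAGE_VIOLATION on first touch.
    //
    Size1 = 28 * 4096;
    p1 = NULL;

    status = NtAllocateVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p1,
                                      0,
                                      &Size1,
                                      MEM_COMMIT,
                                      PAGE_READWRITE | PAGE_GUARD);

    if (!NT_SUCCESS(status)) {
        DbgPrint("failed first created vm status %X start %lx size %lx\n",
                 status, (ULONG)p1, Size1);
        DbgPrint("******** FAILED TEST 31 **************\n");
    }

    try {

        //
        // attempt to write the guard page.
        //
        *p1 = 973;
        DbgPrint("************ FAILURE TEST 31.3 guard page exception did not occur\n");

    } except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
        if (status != STATUS_GUARD_PAGE_VIOLATION) {
            DbgPrint("******** FAILED TEST 32 ******\n");
        }
    }

    //
    // TEST 33: a 200MB commit may legitimately fail on commit limit or
    // pagefile quota; any other failure is reported.
    //
    p2 = NULL;
    Size2 = 200*1024*1024; //200MB

    status = NtAllocateVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p2,
                                      0,
                                      &Size2,
                                      MEM_COMMIT,
                                      PAGE_READWRITE);

    if (NT_SUCCESS(status)) {
        status = NtFreeVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p2,
                                      &Size2,
                                      MEM_RELEASE);
    } else {
        if ((status != STATUS_COMMITMENT_LIMIT) &&
            (status != STATUS_PAGEFILE_QUOTA_EXCEEDED)) {
            DbgPrint("******** FAILED TEST 33 ************** %lx\n", status);
        }
    }

    //
    // Create a giant section (2gb)
    //
    InitializeObjectAttributes( &Object1Attributes,
                                NULL,
                                0,
                                NULL,
                                NULL );

    SectionSize.LowPart = 0x7f000000;
    SectionSize.HighPart = 0;

    status = NtCreateSection (&GiantSection,
                              SECTION_MAP_READ | SECTION_MAP_WRITE,
                              &Object1Attributes,
                              &SectionSize,
                              PAGE_READWRITE,
                              SEC_RESERVE,
                              NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("failed create big section status %X\n", status);
        DbgPrint("******** FAILED TEST 41 **************\n");
    }

    //
    // Attempt to map the section (this should fail).
    //
    p1 = NULL;
    ViewSize = 0;

    status = NtMapViewOfSection (GiantSection,
                                 CurrentProcessHandle,
                                 (PVOID *)&p1,
                                 0L,
                                 0,
                                 0,
                                 &ViewSize,
                                 ViewUnmap,
                                 0,
                                 PAGE_READWRITE );

    if (status != STATUS_NO_MEMORY) {
        DbgPrint("failed map big section status %X\n", status);
        DbgPrint("******** FAILED TEST 42 **************\n");
    }

#ifdef i386

    //
    // Test MEM_DOS_LIM support.
    //
    // Two views of one committed section are mapped at fixed, overlapping
    // addresses; a write through one view must be visible through the
    // other, and a commit into the gap below the second view must fail.
    //
    InitializeObjectAttributes( &Object1Attributes,
                                NULL,
                                OBJ_CASE_INSENSITIVE,
                                NULL,
                                NULL );

    SectionSize.LowPart = 1575757;
    SectionSize.HighPart = 0;

    status = NtCreateSection (&Section4,
                              SECTION_MAP_READ | SECTION_MAP_WRITE,
                              &Object1Attributes,
                              &SectionSize,
                              PAGE_READWRITE,
                              SEC_COMMIT,
                              NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 42.1 **************\n");
        DbgPrint("t1 create section status %X section handle %lx\n",
                 status, (ULONG)Section4);
    }

    p3 = (PVOID)0x9001000;
    ViewSize = 8000;

    status = NtMapViewOfSection (Section4,
                                 CurrentProcessHandle,
                                 (PVOID *)&p3,
                                 0L,
                                 0,
                                 0,
                                 &ViewSize,
                                 ViewUnmap,
                                 MEM_DOS_LIM,
                                 PAGE_READWRITE );

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 43 **************\n");
        DbgPrint("t1 map section status %X base %lx size %lx\n",
                 status, (ULONG)p3, ViewSize);
        NtTerminateProcess(NtCurrentProcess(), status);
    }

    p2 = (PVOID)0x9003000;
    ViewSize = 8000;

    status = NtMapViewOfSection (Section4,
                                 CurrentProcessHandle,
                                 (PVOID *)&p2,
                                 0L,
                                 0,
                                 0,
                                 &ViewSize,
                                 ViewUnmap,
                                 MEM_DOS_LIM,
                                 PAGE_READWRITE );

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 44 **************\n");
        DbgPrint("t1 map section status %X base %lx size %lx\n",
                 status, (ULONG)p2, ViewSize);
        NtTerminateProcess(NtCurrentProcess(), status);
    }

    status = NtQueryVirtualMemory (CurrentProcessHandle,
                                   p3,
                                   MemoryBasicInformation,
                                   &MemInfo,
                                   sizeof (MEMORY_BASIC_INFORMATION),
                                   NULL);

    if (!NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 44.1 **************\n");
        DbgPrint("FAILURE query vm status %X address %lx Base %lx size %lx\n",
                 status, p3, MemInfo.BaseAddress, MemInfo.RegionSize);
        DbgPrint(" state %lx protect %lx type %lx\n",
                 MemInfo.State, MemInfo.Protect, MemInfo.Type);
    }

    *p3 = 98;

    if (*p3 != *p2) {
        DbgPrint("******** FAILED TEST 45 **************\n");
    }

    Size2 = 8;
    p1 = (PVOID)((ULONG)p2 - 0x3000);

    status = NtAllocateVirtualMemory (CurrentProcessHandle,
                                      (PVOID *)&p1,
                                      0,
                                      &Size2,
                                      MEM_COMMIT,
                                      PAGE_EXECUTE_READWRITE);

    if (NT_SUCCESS(status)) {
        DbgPrint("******** FAILED TEST 46.1 **************\n");
        DbgPrint("created vm status %X start %lx size %lx\n",
                 status, (ULONG)p1, Size2);
    }

#endif

    DbgPrint(" End of Memory Management Tests - CreateSection, MapView\n");

    //
    // TEST 46: reserve until the address space is exhausted; the final
    // failure must be STATUS_NO_MEMORY.
    //
    DbgPrint("creating too much virtual address space\n");

    i = 0;

    do {
        p2 = NULL;
        Size2 = 8*1024*1024 + 9938;
        i += 1;

        status = NtAllocateVirtualMemory (CurrentProcessHandle,
                                          (PVOID *)&p2,
                                          0,
                                          &Size2,
                                          MEM_RESERVE,
                                          PAGE_READWRITE);

    } while (NT_SUCCESS (status));

    if (status != STATUS_NO_MEMORY) {
        DbgPrint("******** FAILED TEST 46 **************\n");
    }

    DbgPrint("created vm done (successfully) status %X, number of allocs %ld\n",
             status, i);

    DbgPrint(" End of Memory Management Tests - AllocVm, FreeVm, ProtectVm, QueryVm\n");

    {
        ULONG size, Size;
        PVOID BaseAddress;
        NTSTATUS Status;

        Size = 50*1024;
        size = Size - 1;
        BaseAddress = (PVOID)1;

        // we pass an address of 1, so mm will round it down to 0. if we
        // passed 0, it looks like a not present argument
        // N.B. We have to make two separate calls to allocatevm, because
        // we want a specific virtual address. If we don't first reserve
        // the address, the mm fails the commit call.
        // NOTE(review): this reserves the page at virtual address 0; newer
        // kernels may refuse allocations in the lowest part of the address
        // space, in which case both calls below report failure.

        Status = NtAllocateVirtualMemory( NtCurrentProcess(),
                                          &BaseAddress,
                                          0L,
                                          &size,
                                          MEM_RESERVE,
                                          PAGE_READWRITE );

        if (!NT_SUCCESS(Status)) {
            DbgPrint("NtReserveVirtualMemory failed !!!! Status = %lx\n", Status);
        }

        size = Size - 1;
        BaseAddress = (PVOID)1;

        Status = NtAllocateVirtualMemory( NtCurrentProcess(),
                                          &BaseAddress,
                                          0L,
                                          &size,
                                          MEM_COMMIT,
                                          PAGE_READWRITE );

        if (!NT_SUCCESS(Status)) {
            DbgPrint("NtCommitVirtualMemory failed !!!! Status = %lx\n", Status);
        }
    }

    ExitProcess (0);
    return 0;
}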
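/*
 * supQuerySectionFileInfo
 *
 * Purpose:
 *
 * Query section object type File + Image description from version info block
 *
 * Parameters:
 *
 *   hRootDirectory - optional directory the section name is relative to
 *                    (NULL means ObjectName is a full object path)
 *   ObjectName     - counted section name; Buffer need not be NUL-terminated,
 *                    Length (bytes) is the authoritative size
 *   Buffer         - receives the FileDescription string
 *   ccBuffer       - size of Buffer in WCHARs
 *
 * Return:
 *
 *   TRUE when a FileDescription was copied to Buffer, FALSE otherwise
 *   (bad arguments, not an image-backed section, no version resource).
 *
 * The section is opened with SECTION_QUERY only; the image file itself is
 * located by joining the decoded KnownDlls directory for the section's
 * machine type with the section name, and the version resource is read
 * from that file.
 *
 */
BOOL supQuerySectionFileInfo(
    _In_opt_ HANDLE hRootDirectory,
    _In_ PUNICODE_STRING ObjectName,
    _Inout_ LPWSTR Buffer,
    _In_ DWORD ccBuffer //size of buffer in chars
)
{
    HANDLE hSection = NULL;
    PVOID vinfo = NULL;
    LPWSTR pcValue, lpszFileName = NULL, lpszKnownDlls = NULL;
    LPTRANSLATE lpTranslate;
    SIZE_T cLength = 0, cchKnownDlls, cchName;
    NTSTATUS status;
    DWORD dwHandle = 0, dwSize, dwInfoSize;
    BOOL bResult = FALSE;
    OBJECT_ATTRIBUTES Obja;
    SECTION_BASIC_INFORMATION sbi;
    SECTION_IMAGE_INFORMATION sii;
    WCHAR szQueryBlock[MAX_PATH];

    if ((ObjectName == NULL) ||
        (ObjectName->Buffer == NULL) ||
        (Buffer == NULL) ||
        (ccBuffer == 0))
    {
        return bResult;
    }

    // single-pass loop so every failure path can 'break' to the cleanup
    do {
        //oleaut32.dll does not have FileDescription

        // open section with query access (least privilege needed here)
        InitializeObjectAttributes(&Obja, ObjectName, OBJ_CASE_INSENSITIVE, hRootDirectory, NULL);
        status = NtOpenSection(&hSection, SECTION_QUERY, &Obja);
        if (!NT_SUCCESS(status))
            break;

        // query section flags
        RtlSecureZeroMemory(&sbi, sizeof(sbi));
        status = NtQuerySection(hSection, SectionBasicInformation, (PVOID)&sbi, sizeof(sbi), &cLength);
        if (!NT_SUCCESS(status))
            break;

        // check if section is SEC_IMAGE | SEC_FILE
        if (!((sbi.AllocationAttributes & SEC_IMAGE) && (sbi.AllocationAttributes & SEC_FILE)))
            break;

        // check image machine type
        RtlSecureZeroMemory(&sii, sizeof(sii));
        status = NtQuerySection(hSection, SectionImageInformation, (PVOID)&sii, sizeof(sii), &cLength);
        if (!NT_SUCCESS(status))
            break;

        // select proper decoded KnownDlls path
        if (sii.Machine == IMAGE_FILE_MACHINE_I386) {
            lpszKnownDlls = g_lpKnownDlls32;
        }
        else if (sii.Machine == IMAGE_FILE_MACHINE_AMD64) {
            lpszKnownDlls = g_lpKnownDlls64;
        }

        // paranoid: fall back to the system directory for other machine
        // types; a failed or truncated lookup is treated as failure rather
        // than silently building a path with an empty directory
        if (lpszKnownDlls == NULL) {
            RtlSecureZeroMemory(szQueryBlock, sizeof(szQueryBlock));
            dwSize = GetSystemDirectory(szQueryBlock, MAX_PATH);
            if ((dwSize == 0) || (dwSize >= MAX_PATH))
                break;
            lpszKnownDlls = szQueryBlock;
        }

        // allocate memory buffer to store full filename
        // KnownDlls + \\ + Object->Name + \0
        // ObjectName->Buffer is a counted string: size it from Length,
        // never from a terminator that may not be there
        cchKnownDlls = _strlen(lpszKnownDlls);
        cchName = ObjectName->Length / sizeof(WCHAR);
        cLength = (cchKnownDlls + 1 + cchName + 1) * sizeof(WCHAR);
        lpszFileName = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cLength);
        if (lpszFileName == NULL)
            break;

        // construct target filepath; HEAP_ZERO_MEMORY supplies the terminator
        _strcpy(lpszFileName, lpszKnownDlls);
        lpszFileName[cchKnownDlls] = L'\\';
        RtlCopyMemory(&lpszFileName[cchKnownDlls + 1], ObjectName->Buffer, cchName * sizeof(WCHAR));

        // query size of version info
        dwSize = GetFileVersionInfoSize(lpszFileName, &dwHandle);
        if (dwSize == 0)
            break;

        // allocate memory for version_info structure
        vinfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSize);
        if (vinfo == NULL)
            break;

        // query it from file
        if (!GetFileVersionInfo(lpszFileName, 0, dwSize, vinfo))
            break;

        // query codepage and language id info; lpTranslate[0] is read below,
        // so require at least one full translation entry
        if (!VerQueryValue(vinfo, VERSION_TRANSLATION, &lpTranslate, (PUINT)&dwInfoSize))
            break;

        if (dwInfoSize < sizeof(*lpTranslate))
            break;

        // query filedescription from file with given codepage & language id
        // (szQueryBlock is reused here; lpszFileName was already built from it
        // in the fallback case, so the overwrite is harmless)
        RtlSecureZeroMemory(szQueryBlock, sizeof(szQueryBlock));
        wsprintf(szQueryBlock, VERSION_DESCRIPTION, lpTranslate[0].wLanguage, lpTranslate[0].wCodePage);

        // finally query pointer to version_info filedescription block data
        pcValue = NULL;
        dwInfoSize = 0;
        bResult = VerQueryValue(vinfo, szQueryBlock, &pcValue, (PUINT)&dwInfoSize);
        if (bResult) {
            _strncpy(Buffer, ccBuffer, pcValue, dwInfoSize);
        }

    } while (FALSE);

    if (hSection)
        NtClose(hSection);
    if (vinfo)
        HeapFree(GetProcessHeap(), 0, vinfo);
    if (lpszFileName)
        HeapFree(GetProcessHeap(), 0, lpszFileName);

    return bResult;
}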