void win32k_entry_point( void *lParam){
unsigned int len = INI();
char * data = INI();
//..
PMY_STRUCT my_struct = (PMY_STRUCT)lParam;
/*fake function to simulate data transfer from user to kernel in Windows*/
__get_user(data, &my_struct->lpData); // fetch of another value, but didn't cause disturbance
if(data != NULL){
__get_user(len, &my_struct->cbData);// first fetch
unsigned int cbCapture = sizeof(MY_STRUCT) + len;
char* my_allocation = UserAllocPoolWithQuota(cbCapture, TAG_SMS_CAPTURE);
if (my_allocation != NULL){
//..
__get_user(len, &my_struct->cbData); //second fetch
RtlCopyMemory(my_allocation, data, len); //use
}
}
//...
}
BOOL xxxRegisterUserHungAppHandlers(
PFNW32ET pfnW32EndTask,
HANDLE hEventWowExec)
{
BOOL bRetVal;
PPROCESSINFO ppi;
PWOWPROCESSINFO pwpi;
//
// Allocate the per wow process info stuff
// ensuring the memory is Zero init.
//
pwpi = (PWOWPROCESSINFO) UserAllocPoolWithQuota(sizeof(WOWPROCESSINFO), TAG_WOW);
if (!pwpi)
return FALSE;
RtlZeroMemory(pwpi, sizeof(*pwpi));
//
// Reference the WowExec event for kernel access
//
bRetVal = NT_SUCCESS(ObReferenceObjectByHandle(
hEventWowExec,
EVENT_ALL_ACCESS,
NULL,
UserMode,
&pwpi->pEventWowExec,
NULL
));
//
// if sucess then intialize the pwpi, ppi structs
// else free allocated memory
//
if (bRetVal) {
pwpi->hEventWowExecClient = hEventWowExec;
pwpi->lpfnWowExitTask = (DWORD)pfnW32EndTask;
ppi = PpiCurrent();
ppi->pwpi = pwpi;
// add to the list, order doesn't matter
pwpi->pwpiNext = gpwpiFirstWow;
gpwpiFirstWow = pwpi;
}
else {
UserFreePool(pwpi);
}
return bRetVal;
}
/***************************************************************************\
* xxxMessageEvent
*
* Description: Called when a hooked DDE message is sent or posted. flags
* specifies the applicable MF_ flag. This is called in the server side
* context of the sender or poster which may or may not be a DDEML process.
* pdmhd contains DDE data extracted and copied from the client side.
*
* History:
* 12-1-91 sanfords Created.
\***************************************************************************/
VOID xxxMessageEvent(
PWND pwndTo,
UINT message,
WPARAM wParam,
LPARAM lParam,
DWORD flag,
PDDEML_MSG_HOOK_DATA pdmhd)
{
PEVENT_PACKET pep;
PWND pwndFrom;
TL tlpep;
PTHREADINFO pti;
CheckCritIn();
pep = (PEVENT_PACKET)UserAllocPoolWithQuota(sizeof(EVENT_PACKET) -
sizeof(DWORD) + sizeof(MONMSGSTRUCT), TAG_DDE8);
if (pep == NULL) {
return;
}
pep->EventType = flag;
pep->fSense = TRUE;
pep->cbEventData = sizeof(MONMSGSTRUCT);
#define pmsgs ((MONMSGSTRUCT *)&pep->Data)
pmsgs->cb = sizeof(MONMSGSTRUCT);
pmsgs->hwndTo = PtoH(pwndTo);
pmsgs->dwTime = NtGetTickCount();
pwndFrom = RevalidateHwnd((HWND)wParam);
if (pwndFrom != NULL) {
pmsgs->hTask = GETPTI(pwndFrom)->pEThread->Cid.UniqueThread;
} else {
pmsgs->hTask = 0;
}
pmsgs->wMsg = message;
pmsgs->wParam = wParam;
pmsgs->lParam = lParam;
if (pdmhd != NULL) {
pmsgs->dmhd = *pdmhd;
}
#undef pmsgs
pti = PtiCurrent();
ThreadLockPool(pti, pep, &tlpep);
xxxCsEvent(pep, sizeof(MONMSGSTRUCT));
ThreadUnlockAndFreePool(pti, &tlpep);
}
/***************************************************************************\
* MNAllocPopup
*
\***************************************************************************/
PPOPUPMENU MNAllocPopup(BOOL fForceAlloc)
{
PPOPUPMENU ppm;
if (!fForceAlloc && !gfPopupInUse) {
gfPopupInUse = TRUE;
ppm = &gpopupMenu;
} else {
ppm = (PPOPUPMENU)UserAllocPoolWithQuota(sizeof(POPUPMENU), TAG_POPUPMENU);
}
if (ppm) {
RtlZeroMemory(ppm, sizeof(POPUPMENU));
}
return (ppm);
}
/***************************************************************************\
* MNAllocMenuState
*
* Allocates and initializes a pMenuState
*
* 5-21-96 GerardoB Created
\***************************************************************************/
PMENUSTATE MNAllocMenuState(PTHREADINFO ptiCurrent, PTHREADINFO ptiNotify, PPOPUPMENU ppopupmenuRoot)
{
PMENUSTATE pMenuState;
UserAssert(PtiCurrent() == ptiCurrent);
UserAssert(ptiCurrent->rpdesk == ptiNotify->rpdesk);
/*
* If gpMenuState is already taken, allocate one.
*/
if (gfMenuStateInUse) {
pMenuState = (PMENUSTATE)UserAllocPoolWithQuota(sizeof(MENUSTATE), TAG_MENUSTATE);
if (pMenuState == NULL) {
return NULL;
}
} else {
gfMenuStateInUse = TRUE;
pMenuState = &gpMenuState;
}
/*
* This is used by IsSomeOneInMenuMode and for debugging purposes
*/
guMenuStateCount++;
/*
* Initialize pMenuState.
*/
RtlZeroMemory(pMenuState, sizeof(*pMenuState));
pMenuState->pGlobalPopupMenu = ppopupmenuRoot;
pMenuState->ptiMenuStateOwner = ptiCurrent;
UserAssert(ptiCurrent->pMenuState == NULL);
ptiCurrent->pMenuState = pMenuState;
if (ptiNotify != ptiCurrent) {
UserAssert(ptiNotify->pMenuState == NULL);
ptiNotify->pMenuState = pMenuState;
}
return pMenuState;
}
/***************************************************************************\
* xxxCsEvent
*
* Description:
* Handles broadcasting of all types of DDEML events.
*
* History:
* 11-1-91 sanfords Created.
* 10-28-97 FritzS added cbEventData as a passed-in parameter. This was
done because the EVENT_PACKET may be client-side and
we capture the count to keep a hostile app from changing
the size after data probing.
\***************************************************************************/
DWORD xxxCsEvent(
PEVENT_PACKET pep, WORD cbEventData)
{
PSVR_INSTANCE_INFO psiiT;
PEVENT_PACKET pep2;
HWND *ahwndEvent = NULL;
PWND pwnd;
int cHwndAllocated, i, cTargets;
TL tlpwnd;
TL tlpep2;
TL tlahwndEvent;
ULONG cbEventPacket;
PTHREADINFO pti = PtiCurrent();
CheckCritIn();
/*
* Copy pep info to a server side stable area
*/
cbEventPacket = cbEventData + sizeof(EVENT_PACKET) - sizeof(DWORD);
pep2 = (PEVENT_PACKET)UserAllocPoolWithQuota(cbEventPacket, TAG_DDE5);
if (pep2 == NULL) {
return DMLERR_MEMORY_ERROR;
}
try {
RtlCopyMemory((LPSTR)pep2, (LPSTR)pep, cbEventPacket);
} except (W32ExceptionHandler(FALSE, RIP_WARNING)) {
UserFreePool(pep2);
return DMLERR_INVALIDPARAMETER;
}
pep2->cbEventData = cbEventData;
cTargets = 0;
cHwndAllocated = 0;
for (psiiT = psiiList; psiiT != NULL; psiiT = psiiT->next) {
//
// Don't bother with event windows for instances who's flags
// indicate they're not interrested in the event.
//
if (((psiiT->afCmd & pep2->EventType) && !pep2->fSense) ||
(!(psiiT->afCmd & pep2->EventType) && pep2->fSense)) {
continue;
}
if (cTargets >= cHwndAllocated) {
if (ahwndEvent == NULL) {
cHwndAllocated = 8;
ahwndEvent = (HWND *)UserAllocPoolWithQuota(
sizeof(HWND) * cHwndAllocated,
TAG_DDE6);
} else {
DWORD dwSize = cHwndAllocated * sizeof(HWND);
HWND *ahwndEventT = ahwndEvent;
cHwndAllocated += 8;
ahwndEvent = (HWND *)UserReAllocPoolWithQuota(ahwndEvent, dwSize,
sizeof(HWND) * cHwndAllocated, TAG_DDE7);
if (ahwndEvent == NULL) {
UserFreePool(ahwndEventT);
}
}
if (ahwndEvent == NULL) {
UserFreePool(pep2);
return DMLERR_MEMORY_ERROR;
}
}
ahwndEvent[cTargets++] = PtoH(psiiT->spwndEvent);
}
ThreadLockPool(pti, pep2, &tlpep2);
if (ahwndEvent != NULL) {
ThreadLockPool(pti, ahwndEvent, &tlahwndEvent);
for (i = 0; i < cTargets; i++) {
/*
* We need to change contexts for the callback
*/
pwnd = ValidateHwnd(ahwndEvent[i]);
if (pwnd != NULL) {
ThreadLockAlwaysWithPti(pti, pwnd, &tlpwnd);
xxxSendMessage(pwnd, WM_DDEMLEVENT, 0, (LPARAM)pep2);
ThreadUnlock(&tlpwnd);
}
}
ThreadUnlockAndFreePool(pti, &tlahwndEvent);
}
ThreadUnlockAndFreePool(pti, &tlpep2);
return DMLERR_NO_ERROR;
}
BOOL xxxSnapWindow(
PWND pwnd)
{
PTHREADINFO ptiCurrent;
RECT rc;
HDC hdcScr = NULL;
HDC hdcMem = NULL;
BOOL fRet;
HBITMAP hbmOld;
HBITMAP hbm;
HANDLE hPal;
LPLOGPALETTE lppal;
int palsize;
int iFixedPaletteEntries;
BOOL fSuccess;
PWND pwndT;
TL tlpwndT;
PWINDOWSTATION pwinsta;
TL tlpwinsta;
CheckLock(pwnd);
UserAssert(pwnd);
ptiCurrent = PtiCurrent();
/*
* If this is a thread of winlogon, don't do the snapshot.
*/
if (GetCurrentProcessId() == gpidLogon)
return FALSE;
/*
* Get the affected windowstation
*/
if (!NT_SUCCESS(ReferenceWindowStation(
PsGetCurrentThread(),
NULL,
WINSTA_READSCREEN,
&pwinsta,
TRUE)) ||
pwinsta->dwWSF_Flags & WSF_NOIO) {
return FALSE;
}
/*
* If the window is on another windowstation, do nothing
*/
if (pwnd->head.rpdesk->rpwinstaParent != pwinsta)
return FALSE;
/*
* Get the parent of any child windows.
*/
while ((pwnd != NULL) && TestWF(pwnd, WFCHILD)) {
pwnd = pwnd->spwndParent;
}
/*
* Lock the windowstation before we leave the critical section
*/
ThreadLockWinSta(ptiCurrent, pwinsta, &tlpwinsta);
/*
* Open the clipboard and empty it.
*
* pwndDesktop is made the owner of the clipboard, instead of the
* currently active window; -- SANKAR -- 20th July, 1989 --
*/
pwndT = ptiCurrent->rpdesk->pDeskInfo->spwnd;
ThreadLockWithPti(ptiCurrent, pwndT, &tlpwndT);
fSuccess = xxxOpenClipboard(pwndT, NULL);
ThreadUnlock(&tlpwndT);
if (!fSuccess) {
ThreadUnlockWinSta(ptiCurrent, &tlpwinsta);
return FALSE;
}
xxxEmptyClipboard(pwinsta);
/*
* Use the whole window.
*/
CopyRect(&rc, &pwnd->rcWindow);
/*
* Only snap what is on the screen.
*/
if (!IntersectRect(&rc, &rc, &gpDispInfo->rcScreen)) {
fRet = FALSE;
goto SnapExit;
}
rc.right -= rc.left;
rc.bottom -= rc.top;
/*
* Figure out how far offset from window origin visible part is
*/
if (pwnd != PWNDDESKTOP(pwnd)) {
rc.left -= pwnd->rcWindow.left;
rc.top -= pwnd->rcWindow.top;
}
/*
* Get the entire window's DC.
*/
hdcScr = _GetWindowDC(pwnd);
if (!hdcScr)
goto MemoryError;
/*
* Create the memory DC.
*/
hdcMem = GreCreateCompatibleDC(hdcScr);
if (!hdcMem)
goto MemoryError;
/*
* Create the destination bitmap. If it fails, then attempt
* to create a monochrome bitmap.
* Did we have enough memory?
*/
if (SYSMET(SAMEDISPLAYFORMAT)) {
hbm = GreCreateCompatibleBitmap(hdcScr, rc.right, rc.bottom);
} else {
hbm = GreCreateBitmap(rc.right, rc.bottom, 1, gpDispInfo->BitCountMax, NULL);
}
if (!hbm) {
hbm = GreCreateBitmap(rc.right, rc.bottom, 1, 1, NULL);
if (!hbm)
goto MemoryError;
}
/*
* Select the bitmap into the memory DC.
*/
hbmOld = GreSelectBitmap(hdcMem, hbm);
/*
* Snap!!!
* Check the return value because the process taking the snapshot
* may not have access to read the screen.
*/
fRet = GreBitBlt(hdcMem, 0, 0, rc.right, rc.bottom, hdcScr, rc.left, rc.top, SRCCOPY | CAPTUREBLT, 0);
/*
* Restore the old bitmap into the memory DC.
*/
GreSelectBitmap(hdcMem, hbmOld);
/*
* If the blt failed, leave now.
*/
if (!fRet)
goto SnapExit;
_SetClipboardData(CF_BITMAP, hbm, FALSE, TRUE);
/*
* If this is a palette device, let's throw the current system palette
* into the clipboard also. Useful if the user just snapped a window
* containing palette colors...
*/
if (TEST_PUSIF(PUSIF_PALETTEDISPLAY)) {
int i;
int iPalSize;
palsize = GreGetDeviceCaps(hdcScr, SIZEPALETTE);
/*
* Determine the number of system colors.
*/
if (GreGetSystemPaletteUse(hdcScr) == SYSPAL_STATIC)
iFixedPaletteEntries = GreGetDeviceCaps(hdcScr, NUMRESERVED);
else
iFixedPaletteEntries = 2;
lppal = (LPLOGPALETTE)UserAllocPoolWithQuota(
(LONG)(sizeof(LOGPALETTE) + sizeof(PALETTEENTRY) * palsize),
TAG_CLIPBOARD);
if (lppal != NULL) {
lppal->palVersion = 0x300;
lppal->palNumEntries = (WORD)palsize;
if (GreGetSystemPaletteEntries(hdcScr,
0,
palsize,
lppal->palPalEntry)) {
iPalSize = palsize - iFixedPaletteEntries / 2;
for (i = iFixedPaletteEntries / 2; i < iPalSize; i++) {
/*
* Any non system palette enteries need to have the NOCOLLAPSE
* flag set otherwise bitmaps containing different palette
* indices but same colors get messed up.
*/
lppal->palPalEntry[i].peFlags = PC_NOCOLLAPSE;
}
if (hPal = GreCreatePalette(lppal))
_SetClipboardData(CF_PALETTE, hPal, FALSE, TRUE);
}
UserFreePool(lppal);
}
}
PlayEventSound(USER_SOUND_SNAPSHOT);
fRet = TRUE;
SnapExit:
/*
* Release the window/client DC.
*/
if (hdcScr) {
_ReleaseDC(hdcScr);
}
xxxCloseClipboard(pwinsta);
Unlock(&pwinsta->spwndClipOwner);
/*
* Delete the memory DC.
*/
if (hdcMem) {
GreDeleteDC(hdcMem);
}
ThreadUnlockWinSta(ptiCurrent, &tlpwinsta);
return fRet;
MemoryError:
/*
* Display an error message box.
*/
ClientNoMemoryPopup();
fRet = FALSE;
goto SnapExit;
}