//
// file local helper functions.
//
NTSTATUS
InitScratchpad(
IN PUSB_FDO_CONTEXT fdoContext)
{
NTSTATUS status;
KeInitializeEvent(&fdoContext->ScratchPad.CompletionEvent, NotificationEvent, FALSE);
fdoContext->ScratchPad.Buffer = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, XVU1);
if (!fdoContext->ScratchPad.Buffer)
{
status = STATUS_NO_MEMORY;
TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE,
__FUNCTION__": Device %p ExAllocatePoolWithTag failed\n",
fdoContext->WdfDevice);
return status;
}
RtlZeroMemory(fdoContext->ScratchPad.Buffer, PAGE_SIZE);
fdoContext->ScratchPad.Mdl = IoAllocateMdl(fdoContext->ScratchPad.Buffer,
PAGE_SIZE,
FALSE,
FALSE,
NULL);
if (!fdoContext->ScratchPad.Mdl)
{
status = STATUS_NO_MEMORY;
TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE,
__FUNCTION__": device %p IoAllocateMdl failed\n",
fdoContext->WdfDevice);
return status;
}
MmBuildMdlForNonPagedPool(fdoContext->ScratchPad.Mdl);
return STATUS_SUCCESS;
}
sint _init_evt_priv(struct evt_priv *pevtpriv)
{
sint res=_SUCCESS;
_func_enter_;
#ifdef CONFIG_EVENT_THREAD_MODE
_init_sema(&(pevtpriv->evt_notify), 0);
_init_sema(&(pevtpriv->terminate_evtthread_sema), 0);
#endif
#ifdef CONFIG_H2CLBK
_init_sema(&(pevtpriv->lbkevt_done), 0);
pevtpriv->lbkevt_limit = 0;
pevtpriv->lbkevt_num = 0;
pevtpriv->cmdevt_parm = NULL;
#endif
//allocate DMA-able/Non-Page memory for cmd_buf and rsp_buf
pevtpriv->event_seq = 0;
pevtpriv->evt_allocated_buf = _malloc(MAX_EVTSZ + 4);
if (pevtpriv->evt_allocated_buf == NULL){
res= _FAIL;
goto exit;
}
pevtpriv->evt_buf = pevtpriv->evt_allocated_buf + 4 - ((unsigned int)(pevtpriv->evt_allocated_buf) & 3);
pevtpriv->evt_done_cnt = 0;
#ifdef CONFIG_SDIO_HCI
pevtpriv->allocated_c2h_mem = _malloc(C2H_MEM_SZ +4);
if (pevtpriv->allocated_c2h_mem == NULL){
res= _FAIL;
goto exit;
}
pevtpriv->c2h_mem = pevtpriv->allocated_c2h_mem + 4\
- ( (u32)(pevtpriv->allocated_c2h_mem) & 3);
#ifdef PLATFORM_OS_XP
pevtpriv->pc2h_mdl= IoAllocateMdl((u8 *)pevtpriv->c2h_mem, C2H_MEM_SZ , FALSE, FALSE, NULL);
if(pevtpriv->pc2h_mdl == NULL){
res= _FAIL;
goto exit;
}
MmBuildMdlForNonPagedPool(pevtpriv->pc2h_mdl);
#endif
#endif
exit:
#ifdef CONFIG_RECV_BH
_init_queue(&(pevtpriv->evt_queue));
#endif
_func_exit_;
return res;
}
PMDL
Ext2CreateMdl (
IN PVOID Buffer,
IN BOOLEAN bPaged,
IN ULONG Length,
IN LOCK_OPERATION Operation
)
{
NTSTATUS Status;
PMDL Mdl = NULL;
ASSERT (Buffer != NULL);
Mdl = IoAllocateMdl (Buffer, Length, FALSE, FALSE, NULL);
if (Mdl == NULL) {
Status = STATUS_INSUFFICIENT_RESOURCES;
} else {
__try {
if (bPaged) {
MmProbeAndLockPages(Mdl, KernelMode, Operation);
} else {
MmBuildMdlForNonPagedPool (Mdl);
}
Status = STATUS_SUCCESS;
} __except (EXCEPTION_EXECUTE_HANDLER) {
IoFreeMdl (Mdl);
Mdl = NULL;
DbgBreak();
Status = STATUS_INVALID_USER_BUFFER;
}
}
return Mdl;
}
NTSTATUS createcomplete(PDEVICE_OBJECT dev, PIRP irp, PVOID context)
{
UNREFERENCED_PARAMETER(dev);
UNREFERENCED_PARAMETER(irp);
UNREFERENCED_PARAMETER(context);
DbgPrint("enter createcomplete\n");
PIO_STACK_LOCATION sa = IoGetCurrentIrpStackLocation(irp);
PCONTEXTI info = context;
DbgPrint("1\n");
TDI_ADDRESS_INFO *tai = ExAllocatePool(NonPagedPool, sizeof(TDI_ADDRESS_INFO));
DbgPrint("2\n");
PMDL mdl = IoAllocateMdl(tai, sizeof(TDI_ADDRESS_INFO), FALSE, FALSE, info->query_irp);
MmBuildMdlForNonPagedPool(mdl);
info->mdl = mdl;
DbgPrint("3\n");
IoCopyCurrentIrpStackLocationToNext(irp);
TdiBuildQueryInformation(info->query_irp, info->realdev, sa->FileObject, querycom, info, TDI_QUERY_ADDRESS_INFO, mdl);
DbgPrint("4\n");
if (irp->PendingReturned)
{
IoMarkIrpPending(irp);
DbgPrint("pending\n");
}
IoCallDriver(info->realdev, info->query_irp);
DbgPrint("6\n");
IoFreeMdl(info->mdl);
ExFreePool(context);
return STATUS_SUCCESS;
}
NTSTATUS ChangeServiceTableMemoryFlags()
{
// Map the memory into our domain and change the permissions on the memory page by using a MDL
g_MappedSystemCallTableMDL = IoAllocateMdl( KeServiceDescriptorTable.ServiceTableBase, // starting virtual address
KeServiceDescriptorTable.NumberOfServices*4, // size of buffer
FALSE, // not associated with an IRP
FALSE, // charge quota, should be FALSE
NULL // IRP * should be NULL
);
if(!g_MappedSystemCallTableMDL)
{
DbgPrint("MDL could not be allocated...");
return STATUS_UNSUCCESSFUL;
}
else
{
DbgPrint("The MDL is at 0x%x\n", g_MappedSystemCallTableMDL);
}
// MmBuildMdlForNonPagedPool fills in the corresponding physical page array
// of a given MDL for a buffer in nonpaged system space (pool).
MmBuildMdlForNonPagedPool(g_MappedSystemCallTableMDL);
// MDL's are supposed to be opaque, but this is the only way we know of getting to these flags...
g_MappedSystemCallTableMDL->MdlFlags = g_MappedSystemCallTableMDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
// finish off the mapping...
g_MappedSystemCallTable = MmMapLockedPages(g_MappedSystemCallTableMDL, KernelMode);
return STATUS_SUCCESS;
}
NTSTATUS
NTAPI
USBPORT_ValidateTransferParametersURB(IN PURB Urb)
{
struct _URB_CONTROL_TRANSFER *UrbRequest;
PMDL Mdl;
DPRINT_URB("USBPORT_ValidateTransferParametersURB: Urb - %p\n", Urb);
UrbRequest = &Urb->UrbControlTransfer;
if (UrbRequest->TransferBuffer == NULL &&
UrbRequest->TransferBufferMDL == NULL &&
UrbRequest->TransferBufferLength > 0)
{
DPRINT1("USBPORT_ValidateTransferParametersURB: Not valid parameter\n");
USBPORT_DumpingURB(Urb);
return STATUS_INVALID_PARAMETER;
}
if ((UrbRequest->TransferBuffer != NULL) &&
(UrbRequest->TransferBufferMDL != NULL) &&
UrbRequest->TransferBufferLength == 0)
{
DPRINT1("USBPORT_ValidateTransferParametersURB: Not valid parameter\n");
USBPORT_DumpingURB(Urb);
return STATUS_INVALID_PARAMETER;
}
if (UrbRequest->TransferBuffer != NULL &&
UrbRequest->TransferBufferMDL == NULL &&
UrbRequest->TransferBufferLength != 0)
{
DPRINT_URB("USBPORT_ValidateTransferParametersURB: TransferBuffer - %p, TransferBufferLength - %x\n",
UrbRequest->TransferBuffer,
UrbRequest->TransferBufferLength);
Mdl = IoAllocateMdl(UrbRequest->TransferBuffer,
UrbRequest->TransferBufferLength,
FALSE,
FALSE,
NULL);
if (!Mdl)
{
DPRINT1("USBPORT_ValidateTransferParametersURB: Not allocated Mdl\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
MmBuildMdlForNonPagedPool(Mdl);
UrbRequest->TransferBufferMDL = Mdl;
Urb->UrbHeader.UsbdFlags |= USBD_FLAG_ALLOCATED_MDL;
DPRINT_URB("USBPORT_ValidateTransferParametersURB: Mdl - %p\n", Mdl);
}
return STATUS_SUCCESS;
}
//------------------------------------------------------------------------------
tOplkError drv_mapPdoMem(UINT8** ppKernelMem_p, UINT8** ppUserMem_p,
size_t* pMemSize_p)
{
tOplkError ret;
// Get PDO memory
ret = pdokcal_getPdoMemRegion((UINT8**)&pdoMemInfo_l.pKernelVa,
&pdoMemInfo_l.memSize);
if (ret != kErrorOk || pdoMemInfo_l.pKernelVa == NULL)
return kErrorNoResource;
if (*pMemSize_p > pdoMemInfo_l.memSize)
{
DEBUG_LVL_ERROR_TRACE("%s() Higher Memory requested (Kernel-%d User-%d) !\n",
__func__, pdoMemInfo_l.memSize, *pMemSize_p);
*pMemSize_p = 0;
return kErrorNoResource;
}
// Allocate new MDL pointing to PDO memory
pdoMemInfo_l.pMdl = IoAllocateMdl(pdoMemInfo_l.pKernelVa, pdoMemInfo_l.memSize, FALSE, FALSE,
NULL);
if (pdoMemInfo_l.pMdl == NULL)
{
DEBUG_LVL_ERROR_TRACE("%s() Error allocating MDL !\n", __func__);
return kErrorNoResource;
}
// Update the MDL with physical addresses
MmBuildMdlForNonPagedPool(pdoMemInfo_l.pMdl);
// Map the memory in user space and get the address
pdoMemInfo_l.pUserVa = MmMapLockedPagesSpecifyCache(pdoMemInfo_l.pMdl, // MDL
UserMode, // Mode
MmCached, // Caching
NULL, // Address
FALSE, // Bug-check?
NormalPagePriority); // Priority
if (pdoMemInfo_l.pUserVa == NULL)
{
MmUnmapLockedPages(pdoMemInfo_l.pUserVa, pdoMemInfo_l.pMdl);
IoFreeMdl(pdoMemInfo_l.pMdl);
DEBUG_LVL_ERROR_TRACE("%s() Error mapping MDL !\n", __func__);
return kErrorNoResource;
}
*ppKernelMem_p = pdoMemInfo_l.pKernelVa;
*ppUserMem_p = pdoMemInfo_l.pUserVa;
*pMemSize_p = pdoMemInfo_l.memSize;
TRACE("Mapped memory info U:%p K:%p size %x", pdoMemInfo_l.pUserVa,
(UINT8*)pdoMemInfo_l.pKernelVa,
pdoMemInfo_l.memSize);
return kErrorOk;
}
//-----------------------------------------------------------------------------
// MAIN
//-----------------------------------------------------------------------------
NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object,
PUNICODE_STRING registry_path)
{
NTSTATUS ret;
if (!driver_object)
{
DbgPrint("\n!!! ERROR: invalid driver_object in DriverEntry()\n");
return STATUS_UNSUCCESSFUL;
}
driver_object->DriverUnload = OnUnload;
DbgPrint("---------------- Driver Loaded\n");
// routine allocates a memory descriptor list (MDL)
mdl_sys_call = IoAllocateMdl(KeServiceDescriptorTable.ServiceTableBase,
KeServiceDescriptorTable.NumberOfServices * 4,
FALSE, FALSE, NULL);
if (!mdl_sys_call )
{
DbgPrint("\n!!! ERROR: invalid mdl in DriverEntry()\n");
return STATUS_UNSUCCESSFUL;
}
MmBuildMdlForNonPagedPool(mdl_sys_call);
mdl_sys_call->MdlFlags = mdl_sys_call->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
// map the physical pages
syscall_tbl = MmMapLockedPagesSpecifyCache(mdl_sys_call, KernelMode,
MmNonCached, NULL, FALSE,
HighPagePriority);
if (!syscall_tbl)
{
DbgPrint("\n!!! ERROR: invalid mapped syscall table in DriverEntry()\n");
return STATUS_UNSUCCESSFUL;
}
hook_syscalls();
debug("register our callback for when our target proc is loaded:\n %ws\n\n",
target_file_loc);
#if BREAK_POINT
// register a callback func that is invoked when our target proc is loaded
ret = PsSetLoadImageNotifyRoutine(add_one_time_bp);
#endif
#if DATA_MINING
ret = PsSetLoadImageNotifyRoutine(add_hooks_for_data_mining);
#endif
if (ret != STATUS_SUCCESS)
DbgPrint("\n!!! ERROR: PsSetLoadImageNotifyRoutine()\n\n");
return STATUS_SUCCESS;
}
NTSTATUS
AsyncReadWriteSec(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP ParentIrp,
IN ULONG ulStartSec,
IN ULONG ulSectors,
IN PVOID pBuffer,
IN UCHAR MajorFunction
)
{
PMDL MDL;
KEVENT event;
PIRP Irp;
ULONG ulBytes;
LARGE_INTEGER Start;
IO_STATUS_BLOCK ioStatus;
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION NextIrpStack;
PDEVICE_EXTENSION deviceExtension = DeviceObject->DeviceExtension;
ulBytes = ulSectors * SECTOR_SIZE;
Start.QuadPart = ((LONGLONG)ulStartSec)*SECTOR_SIZE;
Irp = IoAllocateIrp(LOBYTE(LOWORD(deviceExtension->TargetDeviceObject->StackSize+1)),FALSE);
//Irp = IoBuildSynchronousFsdRequest( MajorFunction,
// deviceExtension->TargetDeviceObject,
// pBuffer,ulBytes,
// &Start,&event,
// &ioStatus );
ASSERT(Irp);
if (!Irp)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
MDL = IoAllocateMdl(pBuffer,ulBytes,FALSE,FALSE,Irp);
if (!MDL)
return STATUS_INSUFFICIENT_RESOURCES;
MmBuildMdlForNonPagedPool(MDL);
IoSetNextIrpStackLocation(Irp);
NextIrpStack = IoGetNextIrpStackLocation(Irp);
NextIrpStack->DeviceObject = deviceExtension->TargetDeviceObject;
NextIrpStack->MajorFunction = MajorFunction;
NextIrpStack->MinorFunction = 0;
NextIrpStack->Parameters.Read.Length = ulBytes;
NextIrpStack->Parameters.Read.Key = 0;
NextIrpStack->Parameters.Read.ByteOffset.QuadPart = Start.QuadPart;
RtlCopyMemory(&(NextIrpStack->Parameters.Write),&(NextIrpStack->Parameters.Read),sizeof(NextIrpStack->Parameters.Read));
IoSetCompletionRoutine(Irp,AsyncCompletion,ParentIrp,TRUE,TRUE,TRUE);
status = IoCallDriver(deviceExtension->TargetDeviceObject,Irp);
return status;
} // end SyncReadWriteSec()
int dump_hook_init(PDRIVER_OBJECT drv_obj)
{
PLDR_DATA_TABLE_ENTRY table;
PHYSICAL_ADDRESS high_addr;
PLIST_ENTRY entry;
NTSTATUS status;
int resl = 0;
ExInitializeFastMutex(&dump_sync);
ExAcquireFastMutex(&dump_sync);
/* find PsLoadedModuleListHead */
entry = ((PLIST_ENTRY)(drv_obj->DriverSection))->Flink;
while (entry != drv_obj->DriverSection)
{
table = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
entry = entry->Flink;
if ( (table->BaseDllName.Length == 0x18) &&
(p32(table->BaseDllName.Buffer)[0] == 0x0074006E) )
{
ps_loaded_mod_list = pv(table->InLoadOrderLinks.Blink);
break;
}
}
ExReleaseFastMutex(&dump_sync);
do
{
if (ps_loaded_mod_list == NULL) break;
status = PsSetLoadImageNotifyRoutine(load_img_routine);
if (NT_SUCCESS(status) == FALSE) break;
high_addr.HighPart = 0;
high_addr.LowPart = 0xFFFFFFFF;
dump_mem = MmAllocateContiguousMemory(DUMP_MEM_SIZE, high_addr);
if (dump_mem == NULL) break;
dump_mdl = IoAllocateMdl(dump_mem, DUMP_MEM_SIZE, FALSE, FALSE, NULL);
if (dump_mdl == NULL) break;
MmBuildMdlForNonPagedPool(dump_mdl);
memset(dump_mem, 0, DUMP_MEM_SIZE);
resl = 1;
} while (0);
if (resl == 0) {
if (dump_mdl != NULL) IoFreeMdl(dump_mdl);
if (dump_mem != NULL) MmFreeContiguousMemory(dump_mem);
}
return resl;
}
NTSTATUS DumpKernelMemory(PVOID DstAddr, PVOID SrcAddr, ULONG Size)
{
PMDL pSrcMdl, pDstMdl;
PUCHAR pAddress, pDstAddress;
NTSTATUS st = STATUS_UNSUCCESSFUL;
ULONG r;
// Создаем MDL для буфера-источника
pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL);
if (pSrcMdl)
{
// Построение MDL
MmBuildMdlForNonPagedPool(pSrcMdl);
// Получение адреса из MDL
pAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority);
zDbgPrint("pAddress = %x", pAddress);
if (pAddress != NULL)
{
pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL);
zDbgPrint("pDstMdl = %x", pDstMdl);
if (pDstMdl != NULL)
{
__try
{
MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess);
pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority);
zDbgPrint("pDstAddress = %x", pDstAddress);
if (pDstAddress != NULL)
{
memset(pDstAddress, 0, Size);
zDbgPrint("Copy block");
for (r = 1; r < Size; r++)
{
if (MmIsAddressValid(pAddress))
*pDstAddress = *pAddress;
else
*pDstAddress = 0;
pAddress++;
pDstAddress++;
}
st = STATUS_SUCCESS;
}
MmUnlockPages(pDstMdl);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
zDbgPrint("Copy block exception");
}
IoFreeMdl(pDstMdl);
}
}
BOOLEAN AllocateSharedMemory(PSHARED_MEMORY lpSharedMemory, POOL_TYPE PoolType, ULONG dwSizeRegion)
{
if (!_MmIsAddressValid(lpSharedMemory))
return FALSE;
if (!dwSizeRegion)
return FALSE;
memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY));
#ifndef __MISC_USE_KHEAP
lpSharedMemory->m_lpKernelMemory = ExAllocatePool(PoolType, dwSizeRegion);
#else
lpSharedMemory->m_lpKernelMemory = (CHAR*) _AllocatePoolFromKHeap(hKHeapMiscDefault, dwSizeRegion);
#endif //!__MISC_USE_KHEAP
if (!lpSharedMemory->m_lpKernelMemory)
return FALSE;
lpSharedMemory->m_Mdl = IoAllocateMdl(lpSharedMemory->m_lpKernelMemory, dwSizeRegion, FALSE, FALSE, NULL);
if (!lpSharedMemory->m_Mdl)
{
#ifndef __MISC_USE_KHEAP
ExFreePool(lpSharedMemory->m_lpKernelMemory);
#else
FreePoolToKHeap(hKHeapMiscDefault, lpSharedMemory->m_lpKernelMemory);
#endif //!__MISC_USE_KHEAP
memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY));
return FALSE;
}
MmBuildMdlForNonPagedPool(lpSharedMemory->m_Mdl);
lpSharedMemory->m_lpUserPage = MmMapLockedPages(lpSharedMemory->m_Mdl, UserMode);
lpSharedMemory->m_lpUserMemory = (PVOID) (((ULONG)PAGE_ALIGN(lpSharedMemory->m_lpUserPage))+MmGetMdlByteOffset(lpSharedMemory->m_Mdl));
if (!_MmIsAddressValid(lpSharedMemory->m_lpUserMemory))
{
MmUnmapLockedPages(lpSharedMemory->m_lpUserPage, lpSharedMemory->m_Mdl);
IoFreeMdl(lpSharedMemory->m_Mdl);
#ifndef __MISC_USE_KHEAP
ExFreePool(lpSharedMemory->m_lpKernelMemory);
#else
FreePoolToKHeap(hKHeapMiscDefault, lpSharedMemory->m_lpKernelMemory);
#endif //!__MISC_USE_KHEAP
memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY));
return FALSE;
}
lpSharedMemory->m_dwSizeRegion = dwSizeRegion;
return TRUE;
}
void __ConsPacket(OUT PPACKET_BASE pPacket)
{
PVOID Va;
PMDL pMdl;
Va = ExAllocatePoolWithTag(
NonPagedPool,
MDL_BUFFER_SIZE,
(ULONG)'TTWH');
RtlZeroMemory(Va, MDL_BUFFER_SIZE);
pMdl = IoAllocateMdl(Va, MDL_BUFFER_SIZE, FALSE, FALSE, NULL);
MmBuildMdlForNonPagedPool(pMdl);
pPacket->pMdl = pMdl;
}
NTSTATUS SafeCopyMemory(PVOID SrcAddr, PVOID DstAddr, ULONG Size)
{
PMDL pSrcMdl, pDstMdl;
PUCHAR pSrcAddress, pDstAddress;
NTSTATUS st = STATUS_UNSUCCESSFUL;
ULONG r;
BOOL bInit = FALSE;
pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL);
if (MmIsAddressValidEx(pSrcMdl))
{
MmBuildMdlForNonPagedPool(pSrcMdl);
pSrcAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority);
if (MmIsAddressValidEx(pSrcAddress))
{
pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL);
if (MmIsAddressValidEx(pDstMdl))
{
__try
{
MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess);
pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority);
if (MmIsAddressValidEx(pDstAddress))
{
RtlZeroMemory(pDstAddress,Size);
RtlCopyMemory(pDstAddress, pSrcAddress, Size);
st = STATUS_SUCCESS;
}
MmUnlockPages(pDstMdl);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
if (pDstMdl) MmUnlockPages(pDstMdl);
if (pDstMdl) IoFreeMdl(pDstMdl);
if (pSrcMdl) IoFreeMdl(pSrcMdl);
return GetExceptionCode();
}
IoFreeMdl(pDstMdl);
}
}
IoFreeMdl(pSrcMdl);
}
return st;
}
//----------------------------------------------------------------------
//
// RegmonMapServiceTable
//
// If we are running on Whistler then we have
// to double map the system service table to get around the
// fact that the system service table is write-protected on systems
// with > 128MB memory. Since there's no harm in always double mapping,
// we always do it, regardless of whether or not we are on Whistler.
//
//----------------------------------------------------------------------
PVOID *
RegmonMapServiceTable(
SERVICE_HOOK_DESCRIPTOR **HookDescriptors
)
{
//
// Allocate an array to store original function addresses in. This
// makes us play well with other hookers.
//
*HookDescriptors = (SERVICE_HOOK_DESCRIPTOR *) ExAllocatePool( NonPagedPool,
KeServiceDescriptorTable->Limit * sizeof(SERVICE_HOOK_DESCRIPTOR));
if( !*HookDescriptors ) {
return NULL;
}
memset( *HookDescriptors, 0,
KeServiceDescriptorTable->Limit * sizeof(SERVICE_HOOK_DESCRIPTOR));
//
// Build an MDL that describes the system service table function
// pointers array.
//
KdPrint(("Reglib: KeServiceDescriptorTable: %I64x Pointers: %I64x Limit: %d\n",
KeServiceDescriptorTable, KeServiceDescriptorTable->ServicePointers,
KeServiceDescriptorTable->Limit ));
KeServiceTableMdl = MmCreateMdl( NULL, KeServiceDescriptorTable->ServicePointers,
KeServiceDescriptorTable->Limit * sizeof(PVOID));
if( !KeServiceTableMdl ) {
return NULL;
}
//
// Fill in the physical pages and then double-map the description. Note
// that MmMapLockedPages is obsolete as of Win2K and has been replaced
// with MmMapLockedPagesSpecifyCache. However, we use the same driver
// on all NT platforms, so we use it anyway.
//
MmBuildMdlForNonPagedPool( KeServiceTableMdl );
KeServiceTableMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
#if defined(_M_IA64)
return MmMapLockedPagesSpecifyCache( KeServiceTableMdl, KernelMode,
MmCached, NULL, FALSE, NormalPagePriority );
#else
return MmMapLockedPages( KeServiceTableMdl, KernelMode );
#endif
}
NTSTATUS initMDL()
{
// map memory into our domain
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase,
KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
// change MDL permissions
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
MDLinit = TRUE;
return STATUS_SUCCESS;
}
// Does memcpy safely even if Destination is a read only region.
_Use_decl_annotations_ EXTERN_C NTSTATUS UtilForceMemCpy(void *Destination,
const void *Source,
SIZE_T Length) {
auto mdl = std::experimental::make_unique_resource(
IoAllocateMdl(Destination, static_cast<ULONG>(Length), FALSE, FALSE,
nullptr),
&IoFreeMdl);
if (!mdl) {
return STATUS_INSUFFICIENT_RESOURCES;
}
MmBuildMdlForNonPagedPool(mdl.get());
#pragma warning(push)
#pragma warning(disable : 28145)
//
// Following MmMapLockedPagesSpecifyCache() call causes bug check in case
// you are using Driver Verifier. The reason is explained as follows:
//
// A driver must not try to create more than one system-address-space
// mapping for an MDL. Additionally, because an MDL that is built by the
// MmBuildMdlForNonPagedPool routine is already mapped to the system
// address space, a driver must not try to map this MDL into the system
// address space again by using the MmMapLockedPagesSpecifyCache routine.
// -- MSDN
//
// This flag modification hacks Driver Verifier's check and prevent leading
// bug check.
//
mdl.get()->MdlFlags &= ~MDL_SOURCE_IS_NONPAGED_POOL;
mdl.get()->MdlFlags |= MDL_PAGES_LOCKED;
#pragma warning(pop)
auto writableDest = MmMapLockedPagesSpecifyCache(
mdl.get(), KernelMode, MmCached, nullptr, FALSE, NormalPagePriority);
if (!writableDest) {
return STATUS_INSUFFICIENT_RESOURCES;
}
memcpy(writableDest, Source, Length);
MmUnmapLockedPages(writableDest, mdl.get());
return STATUS_SUCCESS;
}
/**
* 设置钩子函数
*
*/
NTSTATUS sstHook_OpenProcess()
{
if(m_MDL == NULL)
{
m_MDL = MmCreateMdl(NULL,KeServiceDescriptorTable->ServiceTableBase,KeServiceDescriptorTable->NumberOfService*4);
if(!m_MDL)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(m_MDL);
m_MDL->MdlFlags = m_MDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
m_Mapped = (PVOID *)MmMapLockedPages(m_MDL, KernelMode);
HOOK_SYSCALL(ZwOpenProcess,MyNtOpenProcess,pOriNtOpenProcess);
g_openProcessId = (ULONG)SYSTEMSERVICE(ZwOpenProcess);
return STATUS_SUCCESS;
}
UpdateService(SYSCALL_INDEX(ZwOpenProcess),(PVOID)MyNtOpenProcess);
return STATUS_SUCCESS;
}
DECLHIDDEN(int) rtR0MemObjNativeAllocPage(PPRTR0MEMOBJINTERNAL ppMem, size_t cb, bool fExecutable)
{
AssertMsgReturn(cb <= _1G, ("%#x\n", cb), VERR_OUT_OF_RANGE); /* for safe size_t -> ULONG */
/*
* Try allocate the memory and create an MDL for them so
* we can query the physical addresses and do mappings later
* without running into out-of-memory conditions and similar problems.
*/
int rc = VERR_NO_PAGE_MEMORY;
void *pv = ExAllocatePoolWithTag(NonPagedPool, cb, IPRT_NT_POOL_TAG);
if (pv)
{
PMDL pMdl = IoAllocateMdl(pv, (ULONG)cb, FALSE, FALSE, NULL);
if (pMdl)
{
MmBuildMdlForNonPagedPool(pMdl);
#ifdef RT_ARCH_AMD64
MmProtectMdlSystemAddress(pMdl, PAGE_EXECUTE_READWRITE);
#endif
/*
* Create the IPRT memory object.
*/
PRTR0MEMOBJNT pMemNt = (PRTR0MEMOBJNT)rtR0MemObjNew(sizeof(*pMemNt), RTR0MEMOBJTYPE_PAGE, pv, cb);
if (pMemNt)
{
pMemNt->cMdls = 1;
pMemNt->apMdls[0] = pMdl;
*ppMem = &pMemNt->Core;
return VINF_SUCCESS;
}
rc = VERR_NO_MEMORY;
IoFreeMdl(pMdl);
}
ExFreePool(pv);
}
return rc;
}
//----------------------------------------------------------------------
//
// RegmonMapMem
//
// Double maps memory for writing.
//
//----------------------------------------------------------------------
PVOID
RegmonMapMem(
PVOID Pointer,
ULONG Length,
PMDL *MapMdl
)
{
*MapMdl = MmCreateMdl( NULL, Pointer, Length );
if( !(*MapMdl)) {
return NULL;
}
MmBuildMdlForNonPagedPool( *MapMdl );
(*MapMdl)->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
#if defined(_M_IA64)
return MmMapLockedPagesSpecifyCache( *MapMdl, KernelMode,
MmCached, NULL, FALSE, NormalPagePriority );
#else
return MmMapLockedPages( *MapMdl, KernelMode );
#endif
}
//------------------------------------------------------------------------------------
NTSTATUS UnProtectSSDT(PVOID **MappedSystemCallTable)
{
PMDL g_pmdlSystemCall ;
g_pmdlSystemCall = IoAllocateMdl(KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4 , FALSE , FALSE ,NULL);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
// Change the flags of the MDL
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
*MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
IoFreeMdl(g_pmdlSystemCall);
return STATUS_SUCCESS;
}
co_rc_t co_os_userspace_map(void *address, unsigned int pages, void **user_address_out, void **handle_out)
{
void *user_address;
unsigned long memory_size = ((unsigned long)pages) << CO_ARCH_PAGE_SHIFT;
PMDL mdl;
mdl = IoAllocateMdl(address, memory_size, FALSE, FALSE, NULL);
if (!mdl)
return CO_RC(ERROR);
MmBuildMdlForNonPagedPool(mdl);
user_address = MmMapLockedPagesSpecifyCache(mdl, UserMode, MmCached, NULL, FALSE, HighPagePriority);
if (!user_address) {
IoFreeMdl(mdl);
return CO_RC(ERROR);
}
*handle_out = (void *)mdl;
*user_address_out = PAGE_ALIGN(user_address) + MmGetMdlByteOffset(mdl);
return CO_RC(OK);
}
static
FORCEINLINE
NTSTATUS
xTdiAllocateInternalMdl(
__in PVOID Buffer,
__in ULONG BufferLen,
__out PMDL* Mdl)
{
PMDL localMdl;
ASSERT(NULL != Mdl);
localMdl = IoAllocateMdl(
Buffer,
BufferLen,
FALSE,
FALSE,
NULL);
if (NULL == localMdl)
{
NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES;
xTdiTrace(XTDI_GENERAL, TRACE_LEVEL_ERROR,
"xTdiAllocateInternalMdl failed to allocate MDL, status=%x\n",
status);
return status;
}
MmBuildMdlForNonPagedPool(localMdl);
xTdiTrace(XTDI_GENERAL, TRACE_LEVEL_VERBOSE,
"Allocated Buffer=%p, Length=0x%X, Mdl=%p\n",
Buffer, BufferLen, localMdl);
*Mdl = localMdl;
return STATUS_SUCCESS;
}
NTSTATUS
senddata(PWSK_SOCKET sock, PVOID data, ULONG datal)
{
WSK_BUF wskbuf;
NTSTATUS status;
KEVENT event;
PIRP irp;
irp = IoAllocateIrp(1, FALSE);
if(!irp){
return STATUS_INSUFFICIENT_RESOURCES;
}
KeInitializeEvent(&event, NotificationEvent, FALSE);
IoSetCompletionRoutine(irp, senddatacomplete, &event, TRUE, TRUE, TRUE);
wskbuf.Mdl = IoAllocateMdl(data, datal, FALSE, FALSE, NULL);
if(!wskbuf.Mdl){
DbgPrint("Failed to allocate MDL!\n");
return STATUS_MORE_PROCESSING_REQUIRED;
}
MmBuildMdlForNonPagedPool(wskbuf.Mdl);
wskbuf.Offset = 0;
wskbuf.Length = datal;
status = ((PWSK_PROVIDER_CONNECTION_DISPATCH)(sock->Dispatch))->WskSend(sock, &wskbuf, 0, irp);
if(status == STATUS_PENDING){
KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
status = irp->IoStatus.Status;
}
IoFreeIrp(irp);
return status;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath)
{
DriverObject->DriverUnload = OnUnload;
DbgPrint("Driver cargado");
ZwOpenProcessIni =(TypZwOpenProc)(SYSTEMSERVICE(ZwOpenProcess));
//Creamos la MDL para deshabilitar la protección de memoria
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
DbgPrint("Hookeando...");
HOOK_SYSCALL( ZwOpenProcess, NewZwOpenProcess, ZwOpenProcessIni );
return STATUS_SUCCESS;
}
NTSTATUS
LpxTdiSendDataGram(
IN PFILE_OBJECT AddressFileObject,
PLPX_ADDRESS LpxRemoteAddress,
IN PUCHAR SendBuffer,
IN ULONG SendLength,
IN ULONG Flags,
OUT PLONG Result
)
{
KEVENT event;
PDEVICE_OBJECT deviceObject;
PIRP irp;
IO_STATUS_BLOCK ioStatusBlock;
NTSTATUS ntStatus;
PMDL mdl;
TDI_CONNECTION_INFORMATION SendDatagramInfo;
UCHAR AddrBuffer[256];
PTRANSPORT_ADDRESS RemoteAddress = (PTRANSPORT_ADDRESS)AddrBuffer;
UNREFERENCED_PARAMETER(Flags);
LtDebugPrint (3, ("LpxTdiSendDataGram: Entered\n"));
//
// Make Event.
//
KeInitializeEvent(&event, NotificationEvent, FALSE);
deviceObject = IoGetRelatedDeviceObject(AddressFileObject);
//
// Make IRP.
//
irp = TdiBuildInternalDeviceControlIrp(
TDI_SEND_DATAGRAM,
deviceObject,
AddressFileObject,
&event,
&ioStatusBlock
);
if(irp == NULL) {
LtDebugPrint(1, ("[LpxTdi]LpxTdiSendDataGram: Can't Build IRP.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// Make MDL.
//
mdl = IoAllocateMdl(
SendBuffer,
SendLength,
FALSE,
FALSE,
irp
);
if(mdl == NULL) {
LtDebugPrint(1, ("[LpxTdi]LpxTdiSendDataGram: Can't Allocate MDL.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
MmBuildMdlForNonPagedPool(mdl);
mdl->Next = NULL;
// MmProbeAndLockPages(
// mdl,
// KernelMode,
// IoReadAccess
// );
RemoteAddress->TAAddressCount = 1;
RemoteAddress->Address[0].AddressType = TDI_ADDRESS_TYPE_LPX;
RemoteAddress->Address[0].AddressLength = TDI_ADDRESS_LENGTH_LPX;
RtlCopyMemory(RemoteAddress->Address[0].Address, LpxRemoteAddress, sizeof(LPX_ADDRESS));
SendDatagramInfo.UserDataLength = 0;
SendDatagramInfo.UserData = NULL;
SendDatagramInfo.OptionsLength = 0;
SendDatagramInfo.Options = NULL;
SendDatagramInfo.RemoteAddressLength = TPADDR_LPX_LENGTH;
SendDatagramInfo.RemoteAddress = RemoteAddress;
TdiBuildSendDatagram(
irp,
deviceObject,
AddressFileObject,
LpxTdiSendCompletionRoutine,
NULL,
mdl,
SendLength,
&SendDatagramInfo
);
ntStatus = LpxTdiIoCallDriver(
deviceObject,
irp,
&ioStatusBlock,
&event,
NULL
);
if(!NT_SUCCESS(ntStatus)) {
LtDebugPrint(1, ("[LpxTdi]LpxTdiSendDataGram: Failed.\n"));
*Result = -1;
return ntStatus;
}
*Result = ioStatusBlock.Information;
return ntStatus;
}
NTSTATUS
LpxTdiRecvWithCompletionEvent_TimeOut(
IN PFILE_OBJECT ConnectionFileObject,
IN PTDI_RECEIVE_CONTEXT TdiReceiveContext,
OUT PUCHAR RecvBuffer,
IN ULONG RecvLength,
IN ULONG Flags,
IN PLARGE_INTEGER TimeOut
)
{
PDEVICE_OBJECT deviceObject;
PIRP irp;
NTSTATUS ntStatus;
PMDL mdl;
ASSERT(ConnectionFileObject);
LtDebugPrint (3, ("LpxTdiRecvWithCompletionEvent: Entered\n"));
if((RecvBuffer == NULL) || (RecvLength == 0))
{
LtDebugPrint(1, ("[LpxTdi]TdiReceive: Rcv buffer == NULL or RcvLen == 0.\n"));
return STATUS_NOT_IMPLEMENTED;
}
deviceObject = IoGetRelatedDeviceObject(ConnectionFileObject);
//
// Make IRP.
//
irp = TdiBuildInternalDeviceControlIrp(
TDI_RECEIVE,
deviceObject,
connectionFileObject,
NULL,
NULL
);
if(irp == NULL)
{
LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Build IRP.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
mdl = IoAllocateMdl(
RecvBuffer,
RecvLength,
FALSE,
FALSE,
irp
);
if(mdl == NULL)
{
LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Allocate MDL.\n"));
IoFreeIrp(irp);
return STATUS_INSUFFICIENT_RESOURCES;
}
mdl->Next = NULL;
MmBuildMdlForNonPagedPool(mdl);
TdiBuildReceive(
irp,
deviceObject,
ConnectionFileObject,
LpxTdiRecvWithCompletionEventCompletionRoutine,
TdiReceiveContext,
mdl,
Flags,
RecvLength
);
if(TimeOut)
SET_IRP_EXPTIME(irp, CurrentTime().QuadPart + TimeOut->QuadPart);
else
SET_IRP_EXPTIME(irp, 0);
ntStatus = IoCallDriver(
deviceObject,
irp
);
if(!NT_SUCCESS(ntStatus))
{
TdiReceiveContext->Irp = NULL;
LtDebugPrint(1, ("[LpxTdi]LpxTdiRecv: Failed.\n"));
return ntStatus;
}
TdiReceiveContext->Irp = irp;
return ntStatus;
}
NTSTATUS
LpxTdiRecv_TimeOut(
IN PFILE_OBJECT ConnectionFileObject,
OUT PUCHAR RecvBuffer,
IN ULONG RecvLength,
IN ULONG Flags,
IN PLONG Result,
IN PLARGE_INTEGER TimeOut
)
{
KEVENT event;
PDEVICE_OBJECT deviceObject;
PIRP irp;
IO_STATUS_BLOCK ioStatusBlock;
NTSTATUS ntStatus;
PMDL mdl;
if((RecvBuffer == NULL) || (RecvLength == 0))
{
LtDebugPrint(1, ("[LpxTdi]TdiReceive: Rcv buffer == NULL or RcvLen == 0.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
LtDebugPrint (3, ("LpxTdiRecv: Entered\n"));
//
// Make Event.
//
KeInitializeEvent(&event, NotificationEvent, FALSE);
deviceObject = IoGetRelatedDeviceObject(ConnectionFileObject);
//
// Make IRP.
//
irp = TdiBuildInternalDeviceControlIrp(
TDI_RECEIVE,
deviceObject,
connectionFileObject,
&event,
&ioStatusBlock
);
if(irp == NULL) {
LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Build IRP.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
/*
try {
//
// Make MDL.
//
*/
mdl = IoAllocateMdl(
RecvBuffer,
RecvLength,
FALSE,
FALSE,
irp
);
if(mdl == NULL) {
LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Allocate MDL.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
mdl->Next = NULL;
MmBuildMdlForNonPagedPool(mdl);
/*
MmProbeAndLockPages(
mdl,
KernelMode,
IoWriteAccess
);
} except (EXCEPTION_EXECUTE_HANDLER) {
LtDebugPrint(1, ("[LpxTdi]TdiReceive: Can't Convert Non-Paged Memory MDL.\n"));
if(mdl){
IoFreeMdl(mdl);
//IoFreeIrp(irp);
}
return STATUS_INSUFFICIENT_RESOURCES;
}
*/
TdiBuildReceive(
irp,
deviceObject,
ConnectionFileObject,
LpxTdiRcvCompletionRoutine,
NULL,
mdl,
Flags,
RecvLength
);
ntStatus = LpxTdiIoCallDriver(
deviceObject,
irp,
&ioStatusBlock,
&event,
TimeOut
);
if(!NT_SUCCESS(ntStatus)) {
LtDebugPrint(1, ("[LpxTdi]LpxTdiRecv: Failed.\n"));
*Result = -1;
return ntStatus;
}
*Result = ioStatusBlock.Information;
return ntStatus;
}
NTSTATUS
LpxTdiSendEx(
IN PFILE_OBJECT ConnectionFileObject,
IN PUCHAR SendBuffer,
IN ULONG SendLength,
IN ULONG Flags,
IN PKEVENT CompEvent,
IN PLARGE_INTEGER TimeOut,
IN OUT PVOID CompletionContext,
OUT PIO_STATUS_BLOCK IoStatusBlock
)
{
PDEVICE_OBJECT deviceObject;
PIRP irp;
NTSTATUS ntStatus;
PMDL mdl;
LtDebugPrint (3, ("[LPXTDI]LpxTdiSendEx: Entered\n"));
deviceObject = IoGetRelatedDeviceObject(ConnectionFileObject);
//
// Make IRP.
//
irp = TdiBuildInternalDeviceControlIrp(
TDI_SEND,
deviceObject,
ConnectionFileObject,
CompEvent,
IoStatusBlock
);
if(irp == NULL) {
LtDebugPrint(1, ("[LpxTdi]LpxTdiSendEx: Can't Build IRP.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
mdl = IoAllocateMdl(
SendBuffer,
SendLength,
FALSE,
FALSE,
irp
);
if(mdl == NULL) {
LtDebugPrint(1, ("[LpxTdi]LpxTdiSendEx: Can't Allocate MDL.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
mdl->Next = NULL;
MmBuildMdlForNonPagedPool(mdl);
if(CompletionContext) {
TdiBuildSend(
irp,
deviceObject,
ConnectionFileObject,
LpxTdiSendCompletionRoutine,
CompletionContext,
mdl,
Flags,
SendLength
);
} else {
TdiBuildSend(
irp,
deviceObject,
ConnectionFileObject,
NULL,
NULL,
mdl,
Flags,
SendLength
);
}
ntStatus = LpxTdiIoCallDriver(
deviceObject,
irp,
IoStatusBlock,
CompEvent,
TimeOut
);
if(!NT_SUCCESS(ntStatus)) {
LtDebugPrint(1, ("[LpxTdi]LpxTdiSendEx: Failed.\n"));
}
return ntStatus;
}
NTSTATUS
LpxTdiSend_TimeOut(
IN PFILE_OBJECT ConnectionFileObject,
IN PUCHAR SendBuffer,
IN ULONG SendLength,
IN ULONG Flags,
OUT PLONG Result,
IN PLARGE_INTEGER TimeOut
)
{
KEVENT event;
PDEVICE_OBJECT deviceObject;
PIRP irp;
IO_STATUS_BLOCK ioStatusBlock;
NTSTATUS ntStatus;
PMDL mdl;
LtDebugPrint (3, ("LpxTdiSend: Entered\n"));
//
// Send bytes is restricted below 64 KBytes.
// Removed.
// Now NDAS service will control request data size.
// Write size will be controlled by retransmits
// SendLength = SendLength > LPXTDI_BYTEPERPACKET?LPXTDI_BYTEPERPACKET:SendLength;
//
// Make Event.
//
KeInitializeEvent(&event, NotificationEvent, FALSE);
deviceObject = IoGetRelatedDeviceObject(ConnectionFileObject);
//
// Make IRP.
//
irp = TdiBuildInternalDeviceControlIrp(
TDI_SEND,
deviceObject,
ConnectionFileObject,
&event,
&ioStatusBlock
);
if(irp == NULL) {
LtDebugPrint(1, ("[LpxTdi]TdiSend: Can't Build IRP.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
/*
try {
//
// Make MDL.
//
*/
mdl = IoAllocateMdl(
SendBuffer,
SendLength,
FALSE,
FALSE,
irp
);
if(mdl == NULL) {
LtDebugPrint(1, ("[LpxTdi]TdiSend: Can't Allocate MDL.\n"));
return STATUS_INSUFFICIENT_RESOURCES;
}
mdl->Next = NULL;
MmBuildMdlForNonPagedPool(mdl);
/*
MmProbeAndLockPages(
mdl,
KernelMode,
IoReadAccess
);
} except (EXCEPTION_EXECUTE_HANDLER) {
LtDebugPrint(1, ("[LpxTdi]TdiSend: Can't Convert Non-Paged Memory MDL.\n"));
if(mdl){
IoFreeMdl(mdl);
}
return STATUS_INSUFFICIENT_RESOURCES;
}
if(!MmIsNonPagedSystemAddressValid(MmGetMdlVirtualAddress(mdl)))
{
if(mdl){
IoFreeMdl(mdl);
};
return STATUS_INSUFFICIENT_RESOURCES;
}
*/
TdiBuildSend(
irp,
deviceObject,
ConnectionFileObject,
LpxTdiSendCompletionRoutine,
NULL,
mdl,
Flags,
SendLength
);
ntStatus = LpxTdiIoCallDriver(
deviceObject,
irp,
&ioStatusBlock,
&event,
TimeOut
);
if(!NT_SUCCESS(ntStatus)) {
LtDebugPrint(1, ("[LpxTdi]LpxTdiSend: Failed.\n"));
*Result = -1;
return ntStatus;
}
*Result = ioStatusBlock.Information;
return ntStatus;
}
