//
// Retrieves the 'negotiate' AuthPackage from the LSA. In this case, Kerberos
// For more information on auth packages see this msdn page:
// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/msv1_0_lm20_logon.asp
//
HRESULT RetrieveNegotiateAuthPackage(ULONG * pulAuthPackage)
{
HRESULT hr;
HANDLE hLsa;
NTSTATUS status = LsaConnectUntrusted(&hLsa);
if (SUCCEEDED(HRESULT_FROM_NT(status)))
{
ULONG ulAuthPackage;
LSA_STRING lsaszKerberosName;
LsaInitString(&lsaszKerberosName, NEGOSSP_NAME);
status = LsaLookupAuthenticationPackage(hLsa, &lsaszKerberosName, &ulAuthPackage);
if (SUCCEEDED(HRESULT_FROM_NT(status)))
{
*pulAuthPackage = ulAuthPackage;
hr = S_OK;
}
else
{
hr = HRESULT_FROM_NT(status);
}
LsaDeregisterLogonProcess(hLsa);
}
else
{
hr= HRESULT_FROM_NT(status);
}
return hr;
}
HRESULT GetNTObjectSymbolicLinkTarget(LPCWSTR path, LPCWSTR entryName, PUNICODE_STRING LinkTarget)
{
HANDLE handle;
WCHAR buffer[MAX_PATH];
LPWSTR pend = buffer;
StringCbCopyExW(buffer, sizeof(buffer), path, &pend, NULL, 0);
if (pend[-1] != '\\')
{
*pend++ = '\\';
*pend = 0;
}
StringCbCatW(buffer, sizeof(buffer), entryName);
DbgPrint("GetNTObjectSymbolicLinkTarget %d\n", buffer);
LinkTarget->Length = 0;
DWORD err = NtOpenObject(SYMBOLICLINK_OBJECT, &handle, SYMBOLIC_LINK_QUERY, buffer);
if (!NT_SUCCESS(err))
return HRESULT_FROM_NT(err);
err = NtQuerySymbolicLinkObject(handle, LinkTarget, NULL);
if (!NT_SUCCESS(err))
return HRESULT_FROM_NT(err);
NtClose(handle);
return S_OK;
}
HRESULT ReadRegistryValue(HKEY root, PCWSTR path, PCWSTR valueName, PVOID * valueData, PDWORD valueLength)
{
HKEY hkey;
DWORD res;
if (root)
{
res = RegOpenKeyExW(root, *path == '\\' ? path + 1 : path, 0, STANDARD_RIGHTS_READ | KEY_QUERY_VALUE, &hkey);
}
else
{
res = NtOpenObject(KEY_OBJECT, (PHANDLE) &hkey, STANDARD_RIGHTS_READ | KEY_QUERY_VALUE, path);
}
if (!NT_SUCCESS(res))
{
ERR("RegOpenKeyExW failed for path %S with status=%x\n", path, res);
return HRESULT_FROM_NT(res);
}
res = RegQueryValueExW(hkey, valueName, NULL, NULL, NULL, valueLength);
if (!NT_SUCCESS(res))
{
ERR("RegQueryValueExW failed for path %S with status=%x\n", path, res);
return HRESULT_FROM_NT(res);
}
if (*valueLength > 0)
{
PBYTE data = (PBYTE) CoTaskMemAlloc(*valueLength);
*valueData = data;
res = RegQueryValueExW(hkey, valueName, NULL, NULL, data, valueLength);
if (!NT_SUCCESS(res))
{
CoTaskMemFree(data);
*valueData = NULL;
RegCloseKey(hkey);
ERR("RegOpenKeyExW failed for path %S with status=%x\n", path, res);
return HRESULT_FROM_NT(res);
}
}
else
{
*valueData = NULL;
}
RegCloseKey(hkey);
return S_OK;
}
/*----------------------------------------------------------------------
*
* Methods.
*
*/
static HRESULT JpfsvsStartKernelTraceSession(
__in PJPFSV_TRACE_SESSION This,
__in UINT BufferCount,
__in UINT BufferSize,
__in PJPFSV_EVENT_PROESSOR EventProcessor
)
{
PJPFSVP_KM_TRACE_SESSION Session;
NTSTATUS Status;
UNREFERENCED_PARAMETER( EventProcessor );
Session = ( PJPFSVP_KM_TRACE_SESSION ) This;
if ( Session->TraceActive )
{
return E_UNEXPECTED;
}
Status = JpkfbtInitializeTracing(
Session->KfbtSession,
Session->TracingType,
BufferCount,
BufferSize,
Session->LogFilePath );
if ( NT_SUCCESS( Status ) )
{
Session->TraceActive = TRUE;
return S_OK;
}
else
{
return HRESULT_FROM_NT( Status );
}
}
std::string msgDebugEngineComResult(HRESULT hr)
{
switch (hr) {
case S_OK:
return std::string("S_OK");
case S_FALSE:
return std::string("S_FALSE");
case E_FAIL:
break;
case E_INVALIDARG:
return std::string("E_INVALIDARG");
case E_NOINTERFACE:
return std::string("E_NOINTERFACE");
case E_OUTOFMEMORY:
return std::string("E_OUTOFMEMORY");
case E_UNEXPECTED:
return std::string("E_UNEXPECTED");
case E_NOTIMPL:
return std::string("E_NOTIMPL");
}
if (hr == HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED))
return std::string("ERROR_ACCESS_DENIED");;
if (hr == HRESULT_FROM_NT(STATUS_CONTROL_C_EXIT))
return std::string("STATUS_CONTROL_C_EXIT");
return std::string("E_FAIL ") + winErrorMessage(HRESULT_CODE(hr));
}
/*----------------------------------------------------------------------
*
* Test Kernel.
*
*/
static VOID TestAttachDetachKernel()
{
HRESULT Hr;
JPFSV_HANDLE KernelCtx;
JPFSV_TRACING_TYPE TracingType;
ULONG TypesTested= 0;
for ( TracingType = JpfsvTracingTypeDefault;
TracingType <= JpfsvTracingTypeMax;
TracingType++ )
{
Hr = JpfsvLoadContext( JPFSV_KERNEL, NULL, &KernelCtx );
if ( Hr == JPFSV_E_UNSUP_ON_WOW64 )
{
CFIX_INCONCLUSIVE( L"Not supported on WOW64" );
return;
}
TEST_OK( Hr );
TEST( JPFSV_E_NO_TRACESESSION == JpfsvDetachContext( KernelCtx, TRUE ) );
DeleteFile( L"__kern.log" );
if ( TracingType != JpfsvTracingTypeWmk )
{
TEST( E_INVALIDARG == JpfsvAttachContext( KernelCtx, TracingType, NULL ) );
Hr = JpfsvAttachContext( KernelCtx, TracingType, L"__kern.log" );
}
else
{
TEST( E_INVALIDARG == JpfsvAttachContext( KernelCtx, TracingType, L"__kern.log" ) );
Hr = JpfsvAttachContext( KernelCtx, TracingType, NULL );
}
if ( Hr == JPFSV_E_UNSUPPORTED_TRACING_TYPE ||
Hr == HRESULT_FROM_NT( 0xC0049300L ) ) // STATUS_KFBT_KERNEL_NOT_SUPPORTED
{
continue;
}
TEST_OK( Hr );
TEST( S_FALSE == JpfsvAttachContext( KernelCtx, TracingType, NULL ) );
TEST_OK( DetachContextSafe( KernelCtx ) );
TEST( JPFSV_E_NO_TRACESESSION == JpfsvDetachContext( KernelCtx, TRUE ) );
TEST_OK( JpfsvUnloadContext( KernelCtx ) );
TypesTested++;
}
if ( TypesTested == 0 )
{
CFIX_INCONCLUSIVE( L"No TracingTypes supported" );
}
}
//*****************************************************************************
// Convert a string to UNICODE into the caller's buffer.
//*****************************************************************************
HRESULT StgPoolReadOnly::GetStringW( // Return code.
ULONG iOffset, // Offset of string in pool.
LPWSTR szOut, // Output buffer for string.
int cchBuffer) // Size of output buffer.
{
LPCSTR pString; // The string in UTF8.
int iChars;
pString = GetString(iOffset);
iChars = ::WszMultiByteToWideChar(CP_UTF8, 0, pString, -1, szOut, cchBuffer);
if (iChars == 0)
return (BadError(HRESULT_FROM_NT(GetLastError())));
return (S_OK);
}
// ReportResult is completely optional. Its purpose is to allow a credential to customize the string
// and the icon displayed in the case of a logon failure. For example, we have chosen to
// customize the error shown in the case of bad username/password and in the case of the account
// being disabled.
HRESULT CardUnlockCredential::ReportResult(
NTSTATUS ntsStatus,
NTSTATUS ntsSubstatus,
PWSTR* ppwszOptionalStatusText,
CREDENTIAL_PROVIDER_STATUS_ICON* pcpsiOptionalStatusIcon
)
{
*ppwszOptionalStatusText = NULL;
*pcpsiOptionalStatusIcon = CPSI_NONE;
DWORD dwStatusInfo = (DWORD)-1;
// Look for a match on status and substatus.
for (DWORD i = 0; i < ARRAYSIZE(s_rgLogonStatusInfo); i++)
{
if (s_rgLogonStatusInfo[i].ntsStatus == ntsStatus && s_rgLogonStatusInfo[i].ntsSubstatus == ntsSubstatus)
{
dwStatusInfo = i;
break;
}
}
if ((DWORD)-1 != dwStatusInfo)
{
if (SUCCEEDED(SHStrDupW(s_rgLogonStatusInfo[dwStatusInfo].pwzMessage, ppwszOptionalStatusText)))
{
*pcpsiOptionalStatusIcon = s_rgLogonStatusInfo[dwStatusInfo].cpsi;
}
}
// If we failed the logon, try to erase the password field.
if (!SUCCEEDED(HRESULT_FROM_NT(ntsStatus)))
{
if (_pCredProvCredentialEvents)
{
_pCredProvCredentialEvents->SetFieldString(this, SFI_PASSWORD, L"");
}
// clear credentials
SetUserData(L"", L"");
// disconnect listener if login failed
if (_rfidListener)
_rfidListener->Disconnect();
}
// Since NULL is a valid value for *ppwszOptionalStatusText and *pcpsiOptionalStatusIcon
// this function can't fail.
return S_OK;
}
ULONG64 searchMemory(unsigned char * byteBuffer, unsigned long length){
ULONG64 addressHit = 0;
HRESULT memSearch = S_OK;
if((memSearch = g_ExtData->SearchVirtual((ULONG64)0, (ULONG64)-1, byteBuffer,
length, 1, &addressHit)) != S_OK){
#if 0
if(memSearch == HRESULT_FROM_NT(STATUS_NO_MORE_ENTRIES)){
dprintf("[J] byte sequence not found in virtual memory\n");
}
else{
dprintf("[J] byte search failed for another reason\n");
}
#endif
return (0);
}
if (!(addressHit >= disassemblyBuffer && addressHit <= (disassemblyBuffer+0x1000)))
return (addressHit);
return (0);
}
static HRESULT JpfsvsStopKernelTraceSession(
__in PJPFSV_TRACE_SESSION This,
__in BOOL Wait
)
{
PJPFSVP_KM_TRACE_SESSION Session;
NTSTATUS Status;
Session = ( PJPFSVP_KM_TRACE_SESSION ) This;
UNREFERENCED_PARAMETER( Wait );
Status = JpkfbtShutdownTracing( Session->KfbtSession );
if ( NT_SUCCESS( Status ) )
{
Session->TraceActive = FALSE;
return S_OK;
}
else
{
return HRESULT_FROM_NT( Status );
}
}
static VOID TestTraceKernel()
{
ULONG BufferCount;
ULONG BufferSize;
PROC_SET Set;
DWORD_PTR FailedProc;
UINT Tracepoints, Count;
UINT EnumCount;
JPFSV_TRACEPOINT Tracepnt;
HRESULT Hr;
JPFSV_HANDLE KernelCtx;
JPFSV_TRACING_TYPE TracingType;
ULONG TypesTested = 0;
TEST_OK( CdiagCreateSession( NULL, NULL, &DiagSession ) );
for ( TracingType = JpfsvTracingTypeDefault;
TracingType <= JpfsvTracingTypeMax;
TracingType++ )
{
UINT Index;
BOOL Instrumentable;
WCHAR LogFile[ MAX_PATH ];
UINT PaddingSize;
TEST_OK( StringCchPrintf(
LogFile, _countof( LogFile ), L"__kern%d.log", TracingType ) );
//
// Start a trace.
//
KernelCtx = NULL;
Hr = JpfsvLoadContext( JPFSV_KERNEL, NULL, &KernelCtx );
if ( Hr == JPFSV_E_UNSUP_ON_WOW64 )
{
CFIX_INCONCLUSIVE( L"Not supported on WOW64" );
return;
}
TEST_OK( Hr );
TEST( JPFSV_E_NO_TRACESESSION ==
JpfsvGetTracepointContext( KernelCtx, 0xF00, &Tracepnt ) );
DeleteFile( LogFile );
if ( TracingType != JpfsvTracingTypeWmk )
{
TEST( E_INVALIDARG == JpfsvAttachContext( KernelCtx, TracingType, NULL ) );
Hr = JpfsvAttachContext( KernelCtx, TracingType, LogFile );
}
else
{
TEST( E_INVALIDARG == JpfsvAttachContext( KernelCtx, TracingType, LogFile ) );
Hr = JpfsvAttachContext( KernelCtx, TracingType, NULL );
}
if ( Hr == JPFSV_E_UNSUPPORTED_TRACING_TYPE ||
Hr == HRESULT_FROM_NT( 0xC0049300L ) ) // STATUS_KFBT_KERNEL_NOT_SUPPORTED
{
continue;
}
TEST_OK( Hr );
if ( TracingType == JpfsvTracingTypeWmk )
{
BufferCount = 0;
BufferSize = 0;
}
else
{
BufferCount = 5;
BufferSize = 1024;
}
//
// Instrument some procedures.
//
Set.Count = 0;
Set.ContextHandle = KernelCtx;
Set.Process = JpfsvGetProcessHandleContext( KernelCtx );
TEST( Set.Process );
//
// Not all patchable...
//
TEST( SymEnumSymbols(
Set.Process,
0,
L"tcpip!*",
AddProcedureSymCallback,
&Set ) );
TEST_OK( JpfsvStartTraceContext(
KernelCtx,
BufferCount,
BufferSize,
DiagSession ) );
TEST( E_UNEXPECTED == JpfsvStartTraceContext(
KernelCtx,
BufferCount,
BufferSize,
DiagSession ) );
TEST( Set.Count > 0 );
TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Count ) );
TEST( 0 == Count );
TEST_STATUS( ( ULONG ) HRESULT_FROM_NT( STATUS_FBT_PROC_NOT_PATCHABLE ),
JpfsvSetTracePointsContext(
KernelCtx,
JpfsvAddTracepoint,
Set.Count,
Set.Procedures,
&FailedProc ) );
//
// Instrumentable...
//
Set.Count = 0;
Set.ContextHandle = KernelCtx;
Set.Process = JpfsvGetProcessHandleContext( KernelCtx );
TEST( SymEnumSymbols(
Set.Process,
0,
IsVistaOrLater()
? L"tcpip!IPReg*"
: L"tcpip!IPRc*",
AddProcedureSymCallback,
&Set ) );
TEST( Set.Count > 0 );
for ( Index = 0; Index < Set.Count; Index++ )
{
TEST_OK( JpfsvCheckProcedureInstrumentability(
KernelCtx,
Set.Procedures[ Index ],
&Instrumentable,
&PaddingSize ) );
TEST( Instrumentable );
TEST( PaddingSize == 5 );
}
//
// Not instrumentable...
//
Set.Count = 0;
Set.ContextHandle = KernelCtx;
Set.Process = JpfsvGetProcessHandleContext( KernelCtx );
TEST( SymEnumSymbols(
Set.Process,
0,
IsVistaOrLater()
? L"tcpip!__report_gsfailure"
: L"tcpip!_wcsicmp",
AddProcedureSymCallback,
&Set ) );
TEST( Set.Count > 0 );
TEST_OK( JpfsvCheckProcedureInstrumentability(
KernelCtx,
Set.Procedures[ 0 ],
&Instrumentable,
&PaddingSize ) );
TEST( ! Instrumentable );
TEST( PaddingSize == 0 );
//
// All patchable...
//
Set.Count = 0;
Set.ContextHandle = KernelCtx;
Set.Process = JpfsvGetProcessHandleContext( KernelCtx );
TEST( Set.Process );
TEST( SymEnumSymbols(
Set.Process,
0,
IsVistaOrLater()
? L"tcpip!IPReg*"
: L"tcpip!IPRc*",
AddProcedureSymCallback,
&Set ) );
TEST( Set.Count >= 3 );
TEST_OK( JpfsvSetTracePointsContext(
KernelCtx,
JpfsvAddTracepoint,
Set.Count,
Set.Procedures,
&FailedProc ) );
// again - should be a noop.
TEST_OK( JpfsvSetTracePointsContext(
KernelCtx,
JpfsvAddTracepoint,
Set.Count,
Set.Procedures,
&FailedProc ) );
TEST( FailedProc == 0 );
TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Tracepoints ) );
TEST( Tracepoints > Set.Count / 2 ); // Duplicate-cleaned!
TEST( Tracepoints <= Set.Count );
TEST_OK( JpfsvGetTracepointContext( KernelCtx, Set.Procedures[ 0 ], &Tracepnt ) );
TEST( Tracepnt.Procedure == Set.Procedures[ 0 ] );
TEST( wcslen( Tracepnt.SymbolName ) );
TEST( wcslen( Tracepnt.ModuleName ) );
TEST( JPFSV_E_TRACEPOINT_NOT_FOUND == JpfsvGetTracepointContext( KernelCtx, 0xBA2, &Tracepnt ) );
//
// Count enum callbacks.
//
EnumCount = 0;
TEST_OK( JpfsvEnumTracePointsContext(
KernelCtx,
CountTracepointsCallback,
&EnumCount ) );
TEST( EnumCount == Tracepoints );
//
// Stop while tracing active -> implicitly revoke all tracepoints.
//
TEST_OK( JpfsvStopTraceContext( KernelCtx, TRUE ) );
TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Count ) );
TEST( 0 == Count );
//
// Trace again.
//
DeleteFile( LogFile );
TEST_OK( JpfsvStartTraceContext(
KernelCtx,
BufferCount,
BufferSize,
DiagSession ) );
TEST_OK( JpfsvSetTracePointsContext(
KernelCtx,
JpfsvAddTracepoint,
Set.Count,
Set.Procedures,
&FailedProc ) );
TEST( FailedProc == 0 );
TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Count ) );
TEST( Tracepoints == Count );
//
// Clean shutdown.
//
TEST_OK( JpfsvSetTracePointsContext(
KernelCtx,
JpfsvRemoveTracepoint,
Set.Count,
Set.Procedures,
&FailedProc ) );
TEST( FailedProc == 0 );
TEST_OK( JpfsvCountTracePointsContext( KernelCtx, &Count ) );
TEST( 0 == Count );
TEST_OK( JpfsvStopTraceContext( KernelCtx, TRUE ) );
TEST_OK( DetachContextSafe( KernelCtx ) );
TEST_OK( JpfsvUnloadContext( KernelCtx ) );
TypesTested++;
}
TEST_OK( CdiagDereferenceSession( DiagSession ) );
if ( TypesTested == 0 )
{
CFIX_INCONCLUSIVE( L"No TracingTypes supported" );
}
}
