/*
* TsmiHandleMemWrite
*
* Purpose:
*
* Patch vbox dll in memory.
*
* Warning: potential BSOD-generator due to nonstandard way of loading, take care with patch offsets.
*
*/
NTSTATUS TsmiHandleMemWrite(
_In_ PVOID SrcAddress,
_In_ PVOID DestAddress,
_In_ ULONG Size
)
{
PMDL mdl;
NTSTATUS status = STATUS_SUCCESS;
PAGED_CODE();
mdl = IoAllocateMdl(DestAddress, Size, FALSE, FALSE, NULL);
if (mdl == NULL) {
return STATUS_INSUFFICIENT_RESOURCES;
}
if (DestAddress >= MmSystemRangeStart)
if (!MmIsAddressValid(DestAddress)) {
return STATUS_ACCESS_VIOLATION;
}
MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
DestAddress = MmGetSystemAddressForMdlSafe(mdl, HighPagePriority);
if (DestAddress != NULL) {
status = MmProtectMdlSystemAddress(mdl, PAGE_EXECUTE_READWRITE);
__movsb((PUCHAR)DestAddress, (const UCHAR *)SrcAddress, Size);
MmUnmapLockedPages(DestAddress, mdl);
MmUnlockPages(mdl);
}
else {
status = STATUS_ACCESS_VIOLATION;
}
IoFreeMdl(mdl);
return status;
}
NTSTATUS DumpKernelMemory(PVOID DstAddr, PVOID SrcAddr, ULONG Size)
{
PMDL pSrcMdl, pDstMdl;
PUCHAR pAddress, pDstAddress;
NTSTATUS st = STATUS_UNSUCCESSFUL;
ULONG r;
// Создаем MDL для буфера-источника
pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL);
if (pSrcMdl)
{
// Построение MDL
MmBuildMdlForNonPagedPool(pSrcMdl);
// Получение адреса из MDL
pAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority);
zDbgPrint("pAddress = %x", pAddress);
if (pAddress != NULL)
{
pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL);
zDbgPrint("pDstMdl = %x", pDstMdl);
if (pDstMdl != NULL)
{
__try
{
MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess);
pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority);
zDbgPrint("pDstAddress = %x", pDstAddress);
if (pDstAddress != NULL)
{
memset(pDstAddress, 0, Size);
zDbgPrint("Copy block");
for (r = 1; r < Size; r++)
{
if (MmIsAddressValid(pAddress))
*pDstAddress = *pAddress;
else
*pDstAddress = 0;
pAddress++;
pDstAddress++;
}
st = STATUS_SUCCESS;
}
MmUnlockPages(pDstMdl);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
zDbgPrint("Copy block exception");
}
IoFreeMdl(pDstMdl);
}
}
PMDL
Ext2CreateMdl (
IN PVOID Buffer,
IN BOOLEAN bPaged,
IN ULONG Length,
IN LOCK_OPERATION Operation
)
{
NTSTATUS Status;
PMDL Mdl = NULL;
ASSERT (Buffer != NULL);
Mdl = IoAllocateMdl (Buffer, Length, FALSE, FALSE, NULL);
if (Mdl == NULL) {
Status = STATUS_INSUFFICIENT_RESOURCES;
} else {
__try {
if (bPaged) {
MmProbeAndLockPages(Mdl, KernelMode, Operation);
} else {
MmBuildMdlForNonPagedPool (Mdl);
}
Status = STATUS_SUCCESS;
} __except (EXCEPTION_EXECUTE_HANDLER) {
IoFreeMdl (Mdl);
Mdl = NULL;
DbgBreak();
Status = STATUS_INVALID_USER_BUFFER;
}
}
return Mdl;
}
NTSTATUS
Ext2LockUserBuffer (IN PIRP Irp,
IN ULONG Length,
IN LOCK_OPERATION Operation)
{
NTSTATUS Status;
ASSERT(Irp != NULL);
if (Irp->MdlAddress != NULL) {
return STATUS_SUCCESS;
}
IoAllocateMdl(Irp->UserBuffer, Length, FALSE, FALSE, Irp);
if (Irp->MdlAddress == NULL) {
return STATUS_INSUFFICIENT_RESOURCES;
}
__try {
MmProbeAndLockPages(Irp->MdlAddress, Irp->RequestorMode, Operation);
Status = STATUS_SUCCESS;
} __except (EXCEPTION_EXECUTE_HANDLER) {
DbgBreak();
IoFreeMdl(Irp->MdlAddress);
Irp->MdlAddress = NULL;
Status = STATUS_INVALID_USER_BUFFER;
}
return Status;
}
NTSTATUS
TdiQueryAddress(
PFILE_OBJECT AddressObject,
PTDI_ADDRESS_INFO AddressInfo,
PULONG pInfoLength
)
{
NTSTATUS ntStatus;
PIRP Irp;
PMDL Mdl;
PDEVICE_OBJECT DeviceObject = IoGetRelatedDeviceObject(AddressObject);
IO_STATUS_BLOCK IoStatus;
if (!(Irp = TdiBuildInternalDeviceControlIrp(TDI_QUERY_INFORMATION, DeviceObject, FileObject, NULL, &IoStatus)))
return STATUS_INSUFFICIENT_RESOURCES;
if (!(Mdl = IoAllocateMdl(AddressInfo, *pInfoLength, FALSE, FALSE, Irp)))
{
IoFreeIrp(Irp);
return STATUS_INSUFFICIENT_RESOURCES;
}
MmProbeAndLockPages(Mdl, KernelMode, IoModifyAccess);
TdiBuildQueryInformation(Irp, DeviceObject, AddressObject, NULL, NULL, TDI_QUERY_ADDRESS_INFO, Mdl);
ntStatus = IoCallDriver(DeviceObject, Irp);
return(ntStatus == STATUS_SUCCESS ? IoStatus.Status : ntStatus);
}
NTSTATUS createcomplete(PDEVICE_OBJECT dev, PIRP irp, PVOID context)
{
UNREFERENCED_PARAMETER(dev);
UNREFERENCED_PARAMETER(irp);
UNREFERENCED_PARAMETER(context);
DbgPrint("enter createcomplete\n");
PIO_STACK_LOCATION sa = IoGetCurrentIrpStackLocation(irp);
PCONTEXTI info = context;
DbgPrint("1\n");
TDI_ADDRESS_INFO *tai = ExAllocatePool(NonPagedPool, sizeof(TDI_ADDRESS_INFO));
DbgPrint("2\n");
PMDL mdl = IoAllocateMdl(tai, sizeof(TDI_ADDRESS_INFO), FALSE, FALSE, info->query_irp);
MmBuildMdlForNonPagedPool(mdl);
info->mdl = mdl;
DbgPrint("3\n");
IoCopyCurrentIrpStackLocationToNext(irp);
TdiBuildQueryInformation(info->query_irp, info->realdev, sa->FileObject, querycom, info, TDI_QUERY_ADDRESS_INFO, mdl);
DbgPrint("4\n");
if (irp->PendingReturned)
{
IoMarkIrpPending(irp);
DbgPrint("pending\n");
}
IoCallDriver(info->realdev, info->query_irp);
DbgPrint("6\n");
IoFreeMdl(info->mdl);
ExFreePool(context);
return STATUS_SUCCESS;
}
//
// file local helper functions.
//
NTSTATUS
InitScratchpad(
IN PUSB_FDO_CONTEXT fdoContext)
{
NTSTATUS status;
KeInitializeEvent(&fdoContext->ScratchPad.CompletionEvent, NotificationEvent, FALSE);
fdoContext->ScratchPad.Buffer = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, XVU1);
if (!fdoContext->ScratchPad.Buffer)
{
status = STATUS_NO_MEMORY;
TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE,
__FUNCTION__": Device %p ExAllocatePoolWithTag failed\n",
fdoContext->WdfDevice);
return status;
}
RtlZeroMemory(fdoContext->ScratchPad.Buffer, PAGE_SIZE);
fdoContext->ScratchPad.Mdl = IoAllocateMdl(fdoContext->ScratchPad.Buffer,
PAGE_SIZE,
FALSE,
FALSE,
NULL);
if (!fdoContext->ScratchPad.Mdl)
{
status = STATUS_NO_MEMORY;
TraceEvents(TRACE_LEVEL_ERROR, TRACE_DEVICE,
__FUNCTION__": device %p IoAllocateMdl failed\n",
fdoContext->WdfDevice);
return status;
}
MmBuildMdlForNonPagedPool(fdoContext->ScratchPad.Mdl);
return STATUS_SUCCESS;
}
sint _init_evt_priv(struct evt_priv *pevtpriv)
{
sint res=_SUCCESS;
_func_enter_;
#ifdef CONFIG_EVENT_THREAD_MODE
_init_sema(&(pevtpriv->evt_notify), 0);
_init_sema(&(pevtpriv->terminate_evtthread_sema), 0);
#endif
#ifdef CONFIG_H2CLBK
_init_sema(&(pevtpriv->lbkevt_done), 0);
pevtpriv->lbkevt_limit = 0;
pevtpriv->lbkevt_num = 0;
pevtpriv->cmdevt_parm = NULL;
#endif
//allocate DMA-able/Non-Page memory for cmd_buf and rsp_buf
pevtpriv->event_seq = 0;
pevtpriv->evt_allocated_buf = _malloc(MAX_EVTSZ + 4);
if (pevtpriv->evt_allocated_buf == NULL){
res= _FAIL;
goto exit;
}
pevtpriv->evt_buf = pevtpriv->evt_allocated_buf + 4 - ((unsigned int)(pevtpriv->evt_allocated_buf) & 3);
pevtpriv->evt_done_cnt = 0;
#ifdef CONFIG_SDIO_HCI
pevtpriv->allocated_c2h_mem = _malloc(C2H_MEM_SZ +4);
if (pevtpriv->allocated_c2h_mem == NULL){
res= _FAIL;
goto exit;
}
pevtpriv->c2h_mem = pevtpriv->allocated_c2h_mem + 4\
- ( (u32)(pevtpriv->allocated_c2h_mem) & 3);
#ifdef PLATFORM_OS_XP
pevtpriv->pc2h_mdl= IoAllocateMdl((u8 *)pevtpriv->c2h_mem, C2H_MEM_SZ , FALSE, FALSE, NULL);
if(pevtpriv->pc2h_mdl == NULL){
res= _FAIL;
goto exit;
}
MmBuildMdlForNonPagedPool(pevtpriv->pc2h_mdl);
#endif
#endif
exit:
#ifdef CONFIG_RECV_BH
_init_queue(&(pevtpriv->evt_queue));
#endif
_func_exit_;
return res;
}
NTSTATUS ChangeServiceTableMemoryFlags()
{
// Map the memory into our domain and change the permissions on the memory page by using a MDL
g_MappedSystemCallTableMDL = IoAllocateMdl( KeServiceDescriptorTable.ServiceTableBase, // starting virtual address
KeServiceDescriptorTable.NumberOfServices*4, // size of buffer
FALSE, // not associated with an IRP
FALSE, // charge quota, should be FALSE
NULL // IRP * should be NULL
);
if(!g_MappedSystemCallTableMDL)
{
DbgPrint("MDL could not be allocated...");
return STATUS_UNSUCCESSFUL;
}
else
{
DbgPrint("The MDL is at 0x%x\n", g_MappedSystemCallTableMDL);
}
// MmBuildMdlForNonPagedPool fills in the corresponding physical page array
// of a given MDL for a buffer in nonpaged system space (pool).
MmBuildMdlForNonPagedPool(g_MappedSystemCallTableMDL);
// MDL's are supposed to be opaque, but this is the only way we know of getting to these flags...
g_MappedSystemCallTableMDL->MdlFlags = g_MappedSystemCallTableMDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
// finish off the mapping...
g_MappedSystemCallTable = MmMapLockedPages(g_MappedSystemCallTableMDL, KernelMode);
return STATUS_SUCCESS;
}
NTSTATUS tdi_recv_stream(PFILE_OBJECT connectionFileObject, char *buf, int len, ULONG flags)
{
PDEVICE_OBJECT devObj;
KEVENT event;
PIRP irp;
PMDL mdl;
IO_STATUS_BLOCK iosb;
NTSTATUS status;
devObj = IoGetRelatedDeviceObject(connectionFileObject);
KeInitializeEvent(&event, NotificationEvent, FALSE);
irp = TdiBuildInternalDeviceControlIrp(TDI_RECEIVE, devObj, connectionFileObject, &event, &iosb);
if (irp == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
if (len)
{
mdl = IoAllocateMdl((void*) buf, len, FALSE, FALSE, NULL);
if (mdl == NULL)
{
IoFreeIrp(irp);
return STATUS_INSUFFICIENT_RESOURCES;
}
__try
{
MmProbeAndLockPages(mdl, KernelMode, IoWriteAccess);
status = STATUS_SUCCESS;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl(mdl);
IoFreeIrp(irp);
status = STATUS_INVALID_USER_BUFFER;
}
if (!NT_SUCCESS(status))
{
return status;
}
}
TdiBuildReceive(irp, devObj, connectionFileObject, NULL, NULL, len ? mdl : 0, flags, len);
status = IoCallDriver(devObj, irp);
if (status == STATUS_PENDING)
{
KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
status = iosb.Status;
}
return NT_SUCCESS(status) ? iosb.Information : status;
}
NTSTATUS
InitWskBuffer(
__in PVOID Buffer,
__in ULONG BufferSize,
__out PWSK_BUF WskBuffer
)
{
NTSTATUS Status = STATUS_SUCCESS;
ASSERT(Buffer);
ASSERT(BufferSize);
ASSERT(WskBuffer);
WskBuffer->Offset = 0;
WskBuffer->Length = BufferSize;
WskBuffer->Mdl = IoAllocateMdl(Buffer, BufferSize, FALSE, FALSE, NULL);
if (!WskBuffer->Mdl) {
return STATUS_INSUFFICIENT_RESOURCES;
}
try {
MmProbeAndLockPages(WskBuffer->Mdl, KernelMode, IoWriteAccess);
} except(EXCEPTION_EXECUTE_HANDLER) {
if (WskBuffer->Mdl != NULL) {
IoFreeMdl(WskBuffer->Mdl);
}
WDRBD_ERROR("MmProbeAndLockPages failed. exception code=0x%x\n", GetExceptionCode());
return STATUS_INSUFFICIENT_RESOURCES;
}
return Status;
}
static
PVOID
MapAndLockUserBuffer(
_In_ _Out_ PIRP Irp,
_In_ ULONG BufferLength)
{
PMDL Mdl;
if (Irp->MdlAddress == NULL)
{
Mdl = IoAllocateMdl(Irp->UserBuffer, BufferLength, FALSE, FALSE, Irp);
if (Mdl == NULL)
{
return NULL;
}
_SEH2_TRY
{
MmProbeAndLockPages(Mdl, Irp->RequestorMode, IoWriteAccess);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl(Mdl);
Irp->MdlAddress = NULL;
_SEH2_YIELD(return NULL);
}
_SEH2_END;
}
int hax_pin_user_pages(uint64 start_uva, uint64 size, hax_memdesc_user *memdesc)
{
PMDL pmdl = NULL;
if (!memdesc) {
hax_error("%s: memdesc == NULL\n", __func__);
return -EINVAL;
}
// TODO: Check whether [start_uva, start_uva + size) is a valid UVA range
pmdl = IoAllocateMdl((PVOID)start_uva, size, FALSE, FALSE, NULL);
if (!pmdl) {
hax_error("Failed to allocate MDL for va: 0x%llx, size: 0x%llx.\n",
start_uva, size);
return -EFAULT;
}
try {
MmProbeAndLockPages(pmdl, UserMode, IoWriteAccess);
} except (EXCEPTION_EXECUTE_HANDLER) {
hax_error("Failed to probe pages for guest's memory! va: 0x%llx\n",
start_uva);
IoFreeMdl(pmdl);
return -ENOMEM;
}
memdesc->pmdl = pmdl;
return 0;
}
NTSTATUS SafeCopyMemory(PVOID SrcAddr, PVOID DstAddr, ULONG Size)
{
PMDL pSrcMdl, pDstMdl;
PUCHAR pSrcAddress, pDstAddress;
NTSTATUS st = STATUS_UNSUCCESSFUL;
ULONG r;
BOOL bInit = FALSE;
pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL);
if (MmIsAddressValidEx(pSrcMdl))
{
MmBuildMdlForNonPagedPool(pSrcMdl);
pSrcAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority);
if (MmIsAddressValidEx(pSrcAddress))
{
pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL);
if (MmIsAddressValidEx(pDstMdl))
{
__try
{
MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess);
pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority);
if (MmIsAddressValidEx(pDstAddress))
{
RtlZeroMemory(pDstAddress,Size);
RtlCopyMemory(pDstAddress, pSrcAddress, Size);
st = STATUS_SUCCESS;
}
MmUnlockPages(pDstMdl);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
if (pDstMdl) MmUnlockPages(pDstMdl);
if (pDstMdl) IoFreeMdl(pDstMdl);
if (pSrcMdl) IoFreeMdl(pSrcMdl);
return GetExceptionCode();
}
IoFreeMdl(pDstMdl);
}
}
IoFreeMdl(pSrcMdl);
}
return st;
}
NTSTATUS
NTAPI
USBPORT_ValidateTransferParametersURB(IN PURB Urb)
{
struct _URB_CONTROL_TRANSFER *UrbRequest;
PMDL Mdl;
DPRINT_URB("USBPORT_ValidateTransferParametersURB: Urb - %p\n", Urb);
UrbRequest = &Urb->UrbControlTransfer;
if (UrbRequest->TransferBuffer == NULL &&
UrbRequest->TransferBufferMDL == NULL &&
UrbRequest->TransferBufferLength > 0)
{
DPRINT1("USBPORT_ValidateTransferParametersURB: Not valid parameter\n");
USBPORT_DumpingURB(Urb);
return STATUS_INVALID_PARAMETER;
}
if ((UrbRequest->TransferBuffer != NULL) &&
(UrbRequest->TransferBufferMDL != NULL) &&
UrbRequest->TransferBufferLength == 0)
{
DPRINT1("USBPORT_ValidateTransferParametersURB: Not valid parameter\n");
USBPORT_DumpingURB(Urb);
return STATUS_INVALID_PARAMETER;
}
if (UrbRequest->TransferBuffer != NULL &&
UrbRequest->TransferBufferMDL == NULL &&
UrbRequest->TransferBufferLength != 0)
{
DPRINT_URB("USBPORT_ValidateTransferParametersURB: TransferBuffer - %p, TransferBufferLength - %x\n",
UrbRequest->TransferBuffer,
UrbRequest->TransferBufferLength);
Mdl = IoAllocateMdl(UrbRequest->TransferBuffer,
UrbRequest->TransferBufferLength,
FALSE,
FALSE,
NULL);
if (!Mdl)
{
DPRINT1("USBPORT_ValidateTransferParametersURB: Not allocated Mdl\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
MmBuildMdlForNonPagedPool(Mdl);
UrbRequest->TransferBufferMDL = Mdl;
Urb->UrbHeader.UsbdFlags |= USBD_FLAG_ALLOCATED_MDL;
DPRINT_URB("USBPORT_ValidateTransferParametersURB: Mdl - %p\n", Mdl);
}
return STATUS_SUCCESS;
}
//------------------------------------------------------------------------------
tOplkError drv_mapPdoMem(UINT8** ppKernelMem_p, UINT8** ppUserMem_p,
size_t* pMemSize_p)
{
tOplkError ret;
// Get PDO memory
ret = pdokcal_getPdoMemRegion((UINT8**)&pdoMemInfo_l.pKernelVa,
&pdoMemInfo_l.memSize);
if (ret != kErrorOk || pdoMemInfo_l.pKernelVa == NULL)
return kErrorNoResource;
if (*pMemSize_p > pdoMemInfo_l.memSize)
{
DEBUG_LVL_ERROR_TRACE("%s() Higher Memory requested (Kernel-%d User-%d) !\n",
__func__, pdoMemInfo_l.memSize, *pMemSize_p);
*pMemSize_p = 0;
return kErrorNoResource;
}
// Allocate new MDL pointing to PDO memory
pdoMemInfo_l.pMdl = IoAllocateMdl(pdoMemInfo_l.pKernelVa, pdoMemInfo_l.memSize, FALSE, FALSE,
NULL);
if (pdoMemInfo_l.pMdl == NULL)
{
DEBUG_LVL_ERROR_TRACE("%s() Error allocating MDL !\n", __func__);
return kErrorNoResource;
}
// Update the MDL with physical addresses
MmBuildMdlForNonPagedPool(pdoMemInfo_l.pMdl);
// Map the memory in user space and get the address
pdoMemInfo_l.pUserVa = MmMapLockedPagesSpecifyCache(pdoMemInfo_l.pMdl, // MDL
UserMode, // Mode
MmCached, // Caching
NULL, // Address
FALSE, // Bug-check?
NormalPagePriority); // Priority
if (pdoMemInfo_l.pUserVa == NULL)
{
MmUnmapLockedPages(pdoMemInfo_l.pUserVa, pdoMemInfo_l.pMdl);
IoFreeMdl(pdoMemInfo_l.pMdl);
DEBUG_LVL_ERROR_TRACE("%s() Error mapping MDL !\n", __func__);
return kErrorNoResource;
}
*ppKernelMem_p = pdoMemInfo_l.pKernelVa;
*ppUserMem_p = pdoMemInfo_l.pUserVa;
*pMemSize_p = pdoMemInfo_l.memSize;
TRACE("Mapped memory info U:%p K:%p size %x", pdoMemInfo_l.pUserVa,
(UINT8*)pdoMemInfo_l.pKernelVa,
pdoMemInfo_l.memSize);
return kErrorOk;
}
//-----------------------------------------------------------------------------
// MAIN
//-----------------------------------------------------------------------------
NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object,
PUNICODE_STRING registry_path)
{
NTSTATUS ret;
if (!driver_object)
{
DbgPrint("\n!!! ERROR: invalid driver_object in DriverEntry()\n");
return STATUS_UNSUCCESSFUL;
}
driver_object->DriverUnload = OnUnload;
DbgPrint("---------------- Driver Loaded\n");
// routine allocates a memory descriptor list (MDL)
mdl_sys_call = IoAllocateMdl(KeServiceDescriptorTable.ServiceTableBase,
KeServiceDescriptorTable.NumberOfServices * 4,
FALSE, FALSE, NULL);
if (!mdl_sys_call )
{
DbgPrint("\n!!! ERROR: invalid mdl in DriverEntry()\n");
return STATUS_UNSUCCESSFUL;
}
MmBuildMdlForNonPagedPool(mdl_sys_call);
mdl_sys_call->MdlFlags = mdl_sys_call->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
// map the physical pages
syscall_tbl = MmMapLockedPagesSpecifyCache(mdl_sys_call, KernelMode,
MmNonCached, NULL, FALSE,
HighPagePriority);
if (!syscall_tbl)
{
DbgPrint("\n!!! ERROR: invalid mapped syscall table in DriverEntry()\n");
return STATUS_UNSUCCESSFUL;
}
hook_syscalls();
debug("register our callback for when our target proc is loaded:\n %ws\n\n",
target_file_loc);
#if BREAK_POINT
// register a callback func that is invoked when our target proc is loaded
ret = PsSetLoadImageNotifyRoutine(add_one_time_bp);
#endif
#if DATA_MINING
ret = PsSetLoadImageNotifyRoutine(add_hooks_for_data_mining);
#endif
if (ret != STATUS_SUCCESS)
DbgPrint("\n!!! ERROR: PsSetLoadImageNotifyRoutine()\n\n");
return STATUS_SUCCESS;
}
CMdl::CMdl(
__in void* virtualAddress,
__in size_t size
) : m_locked(false),
m_mem(NULL)
{
m_lockOperation = IoModifyAccess;
m_mdl = IoAllocateMdl(virtualAddress, (ULONG)size, FALSE, FALSE, NULL);
}
CMdl::CMdl(
__in const void* virtualAddress,
__in size_t size
) : m_locked(false),
m_mem(NULL)
{
m_lockOperation = IoReadAccess;
m_mdl = IoAllocateMdl(const_cast<void*>(virtualAddress), (ULONG)size, FALSE, FALSE, NULL);
}
NTSTATUS
AsyncReadWriteSec(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP ParentIrp,
IN ULONG ulStartSec,
IN ULONG ulSectors,
IN PVOID pBuffer,
IN UCHAR MajorFunction
)
{
PMDL MDL;
KEVENT event;
PIRP Irp;
ULONG ulBytes;
LARGE_INTEGER Start;
IO_STATUS_BLOCK ioStatus;
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION NextIrpStack;
PDEVICE_EXTENSION deviceExtension = DeviceObject->DeviceExtension;
ulBytes = ulSectors * SECTOR_SIZE;
Start.QuadPart = ((LONGLONG)ulStartSec)*SECTOR_SIZE;
Irp = IoAllocateIrp(LOBYTE(LOWORD(deviceExtension->TargetDeviceObject->StackSize+1)),FALSE);
//Irp = IoBuildSynchronousFsdRequest( MajorFunction,
// deviceExtension->TargetDeviceObject,
// pBuffer,ulBytes,
// &Start,&event,
// &ioStatus );
ASSERT(Irp);
if (!Irp)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
MDL = IoAllocateMdl(pBuffer,ulBytes,FALSE,FALSE,Irp);
if (!MDL)
return STATUS_INSUFFICIENT_RESOURCES;
MmBuildMdlForNonPagedPool(MDL);
IoSetNextIrpStackLocation(Irp);
NextIrpStack = IoGetNextIrpStackLocation(Irp);
NextIrpStack->DeviceObject = deviceExtension->TargetDeviceObject;
NextIrpStack->MajorFunction = MajorFunction;
NextIrpStack->MinorFunction = 0;
NextIrpStack->Parameters.Read.Length = ulBytes;
NextIrpStack->Parameters.Read.Key = 0;
NextIrpStack->Parameters.Read.ByteOffset.QuadPart = Start.QuadPart;
RtlCopyMemory(&(NextIrpStack->Parameters.Write),&(NextIrpStack->Parameters.Read),sizeof(NextIrpStack->Parameters.Read));
IoSetCompletionRoutine(Irp,AsyncCompletion,ParentIrp,TRUE,TRUE,TRUE);
status = IoCallDriver(deviceExtension->TargetDeviceObject,Irp);
return status;
} // end SyncReadWriteSec()
int dump_hook_init(PDRIVER_OBJECT drv_obj)
{
PLDR_DATA_TABLE_ENTRY table;
PHYSICAL_ADDRESS high_addr;
PLIST_ENTRY entry;
NTSTATUS status;
int resl = 0;
ExInitializeFastMutex(&dump_sync);
ExAcquireFastMutex(&dump_sync);
/* find PsLoadedModuleListHead */
entry = ((PLIST_ENTRY)(drv_obj->DriverSection))->Flink;
while (entry != drv_obj->DriverSection)
{
table = CONTAINING_RECORD(entry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
entry = entry->Flink;
if ( (table->BaseDllName.Length == 0x18) &&
(p32(table->BaseDllName.Buffer)[0] == 0x0074006E) )
{
ps_loaded_mod_list = pv(table->InLoadOrderLinks.Blink);
break;
}
}
ExReleaseFastMutex(&dump_sync);
do
{
if (ps_loaded_mod_list == NULL) break;
status = PsSetLoadImageNotifyRoutine(load_img_routine);
if (NT_SUCCESS(status) == FALSE) break;
high_addr.HighPart = 0;
high_addr.LowPart = 0xFFFFFFFF;
dump_mem = MmAllocateContiguousMemory(DUMP_MEM_SIZE, high_addr);
if (dump_mem == NULL) break;
dump_mdl = IoAllocateMdl(dump_mem, DUMP_MEM_SIZE, FALSE, FALSE, NULL);
if (dump_mdl == NULL) break;
MmBuildMdlForNonPagedPool(dump_mdl);
memset(dump_mem, 0, DUMP_MEM_SIZE);
resl = 1;
} while (0);
if (resl == 0) {
if (dump_mdl != NULL) IoFreeMdl(dump_mdl);
if (dump_mem != NULL) MmFreeContiguousMemory(dump_mem);
}
return resl;
}
/*
* TsmiHandleMemWrite
*
* Purpose:
*
* Patch vbox dll in memory.
*
* Warning: If compiled not in ReleaseSigned configuration this function is a
* potential BSOD-generator due to nonstandard way of loading, take care with patch offsets.
*
*/
NTSTATUS TsmiHandleMemWrite(
_In_ PVOID SrcAddress,
_In_ PVOID DestAddress,
_In_ ULONG Size
)
{
PMDL mdl;
NTSTATUS status = STATUS_SUCCESS;
PAGED_CODE();
mdl = IoAllocateMdl(DestAddress, Size, FALSE, FALSE, NULL);
if (mdl == NULL) {
#ifdef _DEBUGMSG
DbgPrint("[TSMI] Failed to create MDL at write\n");
#endif
return STATUS_INSUFFICIENT_RESOURCES;
}
#ifdef _SIGNED_BUILD
__try {
#endif //_SIGNED_BUILD
if (DestAddress >= MmSystemRangeStart)
if (!MmIsAddressValid(DestAddress)) {
#ifdef _DEBUGMSG
DbgPrint("[TSMI] Invalid address\n");
#endif //_DEBUGMSG
return STATUS_ACCESS_VIOLATION;
}
MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
DestAddress = MmGetSystemAddressForMdlSafe(mdl, HighPagePriority);
if (DestAddress != NULL) {
status = MmProtectMdlSystemAddress(mdl, PAGE_EXECUTE_READWRITE);
__movsb((PUCHAR)DestAddress, (const UCHAR *)SrcAddress, Size);
MmUnmapLockedPages(DestAddress, mdl);
MmUnlockPages(mdl);
}
else {
status = STATUS_ACCESS_VIOLATION;
}
#ifdef _SIGNED_BUILD
}
__except (EXCEPTION_EXECUTE_HANDLER) {
status = STATUS_ACCESS_VIOLATION;
#ifdef _DEBUGMSG
DbgPrint("[TSMI] MmProbeAndLockPages failed at write DestAddress = %p\n", DestAddress);
#endif //_DEBUGMSG
}
#endif //_SIGNED_BUILD
IoFreeMdl(mdl);
return status;
}
NTSTATUS
xixfs_PinCallersBuffer(
PIRP PtrIrp,
BOOLEAN IsReadOperation,
uint32 Length
)
{
NTSTATUS RC = STATUS_SUCCESS;
PMDL PtrMdl = NULL;
PAGED_CODE();
DebugTrace(DEBUG_LEVEL_TRACE, (DEBUG_TARGET_READ|DEBUG_TARGET_WRITE),
("Enter xixfs_PinCallersBuffer \n"));
ASSERT(PtrIrp);
try {
// Is a MDL already present in the IRP
if (!(PtrIrp->MdlAddress)) {
DebugTrace(DEBUG_LEVEL_ERROR, DEBUG_TARGET_ALL,
("PtrIrp->MdlAddress is NULL!!!\n"));
// Allocate a MDL
if (!(PtrMdl = IoAllocateMdl(PtrIrp->UserBuffer, Length, FALSE, FALSE, PtrIrp))) {
DebugTrace(DEBUG_LEVEL_ERROR, DEBUG_TARGET_ALL,
("Fail Allocate Mdl!!!\n"));
RC = STATUS_INSUFFICIENT_RESOURCES;
try_return(RC);
}
// Probe and lock the pages described by the MDL
// We could encounter an exception doing so, swallow the exception
// NOTE: The exception could be due to an unexpected (from our
// perspective), invalidation of the virtual addresses that comprise
// the passed in buffer
try {
MmProbeAndLockPages(PtrMdl, PtrIrp->RequestorMode, (IsReadOperation ? IoReadAccess : IoWriteAccess));
} except(EXCEPTION_EXECUTE_HANDLER) {
DebugTrace(DEBUG_LEVEL_ERROR, DEBUG_TARGET_ALL,
("Fail Mdl Lock Page Fail!!!\n"));
RC = STATUS_INVALID_USER_BUFFER;
}
}
;
} finally {
PMDL mm_allocate_mdl_success(void *data, u32 size)
{
PMDL mdl;
int timeout;
for (timeout = DC_MEM_RETRY_TIMEOUT; timeout > 0; timeout -= DC_MEM_RETRY_TIME)
{
if (mdl = IoAllocateMdl(data, size, FALSE, FALSE, NULL)) break;
if (KeGetCurrentIrql() >= DISPATCH_LEVEL) break;
dc_delay(DC_MEM_RETRY_TIME);
}
return mdl;
}
NTSTATUS TdiQueryMaxDatagramLength(
PFILE_OBJECT FileObject,
PUINT MaxDatagramLength)
{
PMDL Mdl;
PTDI_MAX_DATAGRAM_INFO Buffer;
NTSTATUS Status = STATUS_SUCCESS;
Buffer = ExAllocatePool(NonPagedPool, sizeof(TDI_MAX_DATAGRAM_INFO));
if (!Buffer) return STATUS_NO_MEMORY;
Mdl = IoAllocateMdl(Buffer, sizeof(TDI_MAX_DATAGRAM_INFO), FALSE, FALSE, NULL);
if (!Mdl)
{
ExFreePool(Buffer);
return STATUS_NO_MEMORY;
}
_SEH2_TRY
{
MmProbeAndLockPages(Mdl, KernelMode, IoModifyAccess);
}
_SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
{
Status = _SEH2_GetExceptionCode();
}
_SEH2_END;
if (!NT_SUCCESS(Status))
{
AFD_DbgPrint(MIN_TRACE,("Failed to lock pages\n"));
IoFreeMdl(Mdl);
ExFreePool(Buffer);
return Status;
}
Status = TdiQueryInformation(FileObject,
TDI_QUERY_MAX_DATAGRAM_INFO,
Mdl);
if (!NT_SUCCESS(Status))
{
ExFreePool(Buffer);
return Status;
}
*MaxDatagramLength = Buffer->MaxDatagramSize;
ExFreePool(Buffer);
return STATUS_SUCCESS;
}
BOOLEAN AllocateSharedMemory(PSHARED_MEMORY lpSharedMemory, POOL_TYPE PoolType, ULONG dwSizeRegion)
{
if (!_MmIsAddressValid(lpSharedMemory))
return FALSE;
if (!dwSizeRegion)
return FALSE;
memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY));
#ifndef __MISC_USE_KHEAP
lpSharedMemory->m_lpKernelMemory = ExAllocatePool(PoolType, dwSizeRegion);
#else
lpSharedMemory->m_lpKernelMemory = (CHAR*) _AllocatePoolFromKHeap(hKHeapMiscDefault, dwSizeRegion);
#endif //!__MISC_USE_KHEAP
if (!lpSharedMemory->m_lpKernelMemory)
return FALSE;
lpSharedMemory->m_Mdl = IoAllocateMdl(lpSharedMemory->m_lpKernelMemory, dwSizeRegion, FALSE, FALSE, NULL);
if (!lpSharedMemory->m_Mdl)
{
#ifndef __MISC_USE_KHEAP
ExFreePool(lpSharedMemory->m_lpKernelMemory);
#else
FreePoolToKHeap(hKHeapMiscDefault, lpSharedMemory->m_lpKernelMemory);
#endif //!__MISC_USE_KHEAP
memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY));
return FALSE;
}
MmBuildMdlForNonPagedPool(lpSharedMemory->m_Mdl);
lpSharedMemory->m_lpUserPage = MmMapLockedPages(lpSharedMemory->m_Mdl, UserMode);
lpSharedMemory->m_lpUserMemory = (PVOID) (((ULONG)PAGE_ALIGN(lpSharedMemory->m_lpUserPage))+MmGetMdlByteOffset(lpSharedMemory->m_Mdl));
if (!_MmIsAddressValid(lpSharedMemory->m_lpUserMemory))
{
MmUnmapLockedPages(lpSharedMemory->m_lpUserPage, lpSharedMemory->m_Mdl);
IoFreeMdl(lpSharedMemory->m_Mdl);
#ifndef __MISC_USE_KHEAP
ExFreePool(lpSharedMemory->m_lpKernelMemory);
#else
FreePoolToKHeap(hKHeapMiscDefault, lpSharedMemory->m_lpKernelMemory);
#endif //!__MISC_USE_KHEAP
memset(lpSharedMemory, 0, sizeof(SHARED_MEMORY));
return FALSE;
}
lpSharedMemory->m_dwSizeRegion = dwSizeRegion;
return TRUE;
}
NTSTATUS
TdiRecvfrom(
PFILE_OBJECT AddressObject,
PVOID Data,
ULONG Length,
ULONG Addr,
USHORT Port,
PULONG pRead,
PKEVENT ReadEvent
)
{
KEVENT Event;
PIRP Irp;
PMDL Mdl;
NTSTATUS ntStatus;
IO_STATUS_BLOCK IoStatus;
PDEVICE_OBJECT DeviceObject = IoGetRelatedDeviceObject(AddressObject);
TA_IP_ADDRESS SrcAddr = {1, {TDI_ADDRESS_LENGTH_IP, TDI_ADDRESS_TYPE_IP, {Port, Addr}}};
TDI_CONNECTION_INFORMATION Src = {0, 0, 0, 0, sizeof SrcAddr, &SrcAddr};
PKEVENT pEvent = ReadEvent;
if (!ReadEvent)
{
KeInitializeEvent(&Event, NotificationEvent, FALSE);
pEvent = &Event;
}
if (!(Irp = TdiBuildInternalDeviceControlIrp(TDI_RECEIVE_DATAGRAM, DeviceObject, AddressObject, pEvent, &IoStatus)))
return STATUS_INSUFFICIENT_RESOURCES;
if (!(Mdl = IoAllocateMdl(Data, Length, FALSE, FALSE, Irp)))
return STATUS_INSUFFICIENT_RESOURCES;
MmProbeAndLockPages(Mdl, KernelMode, IoModifyAccess);
TdiBuildReceiveDatagram(Irp, DeviceObject, AddressObject, 0, 0, Mdl, Length, &Src, &Src, TDI_RECEIVE_NORMAL);
ntStatus = IoCallDriver(DeviceObject, Irp);
if ((ntStatus == STATUS_PENDING) && (!ReadEvent))
ntStatus = KeWaitForSingleObject(pEvent, UserRequest, KernelMode, FALSE, 0);
if (ntStatus == STATUS_SUCCESS)
{
*pRead = IoStatus.Status;
}
return(ntStatus);
}
PMDL
NTAPI
CcpBuildCacheMdl
(PFILE_OBJECT FileObject,
PLARGE_INTEGER FileOffset,
ULONG Length,
PIO_STATUS_BLOCK IOSB)
{
PMDL Mdl;
PVOID Bcb, Buffer;
BOOLEAN Result = CcMapData
(FileObject,
FileOffset,
Length,
PIN_WAIT,
&Bcb,
&Buffer);
if (!Result)
{
IOSB->Information = 0;
IOSB->Status = STATUS_UNSUCCESSFUL;
return NULL;
}
IOSB->Information = Length;
IOSB->Status = STATUS_SUCCESS;
Mdl = IoAllocateMdl
(Buffer,
Length,
FALSE,
FALSE,
NULL);
if (!Mdl)
{
IOSB->Information = 0;
IOSB->Status = STATUS_NO_MEMORY;
return NULL;
}
IOSB->Information = Length;
IOSB->Status = STATUS_SUCCESS;
return Mdl;
}
void __ConsPacket(OUT PPACKET_BASE pPacket)
{
PVOID Va;
PMDL pMdl;
Va = ExAllocatePoolWithTag(
NonPagedPool,
MDL_BUFFER_SIZE,
(ULONG)'TTWH');
RtlZeroMemory(Va, MDL_BUFFER_SIZE);
pMdl = IoAllocateMdl(Va, MDL_BUFFER_SIZE, FALSE, FALSE, NULL);
MmBuildMdlForNonPagedPool(pMdl);
pPacket->pMdl = pMdl;
}
NTSTATUS
TdiSendto(
PFILE_OBJECT AddressObject,
PVOID Data,
ULONG Length,
ULONG Addr,
USHORT Port,
PKEVENT WriteEvent
)
{
KEVENT Event;
PIRP Irp;
PMDL Mdl;
NTSTATUS ntStatus;
PDEVICE_OBJECT DeviceObject = IoGetRelatedDeviceObject(AddressObject);
IO_STATUS_BLOCK IoStatus;
TA_IP_ADDRESS DstAddr = {1, {TDI_ADDRESS_LENGTH_IP, TDI_ADDRESS_TYPE_IP, {Port, Addr}}};
TDI_CONNECTION_INFORMATION Dst = {0, 0, 0, 0, sizeof DstAddr, &DstAddr};
PKEVENT pEvent = WriteEvent;
if (!WriteEvent)
{
KeInitializeEvent(&Event, NotificationEvent, FALSE);
pEvent = &Event;
}
if (!(Irp = TdiBuildInternalDeviceControlIrp(TDI_SEND_DATAGRAM, DeviceObject, AddressObject, pEvent, &IoStatus)))
return STATUS_INSUFFICIENT_RESOURCES;
if (!(Mdl = IoAllocateMdl(Data, Length, FALSE, FALSE, Irp)))
{
IoFreeIrp(Irp);
return STATUS_INSUFFICIENT_RESOURCES;
}
MmProbeAndLockPages(Mdl, KernelMode, IoModifyAccess);
TdiBuildSendDatagram(Irp, DeviceObject, AddressObject, 0, 0, Mdl, Length, &Dst);
ntStatus = IoCallDriver(DeviceObject, Irp);
if ((ntStatus == STATUS_PENDING) && (!WriteEvent))
ntStatus = KeWaitForSingleObject(pEvent, UserRequest, KernelMode, FALSE, 0);
return(ntStatus == STATUS_SUCCESS ? IoStatus.Status : ntStatus);
}
