/* * @implemented */ BOOL APIENTRY NtUserGetIconSize( HANDLE hCurIcon, UINT istepIfAniCur, PLONG plcx, // &size.cx PLONG plcy) // &size.cy { PCURICON_OBJECT CurIcon; NTSTATUS Status = STATUS_SUCCESS; BOOL bRet = FALSE; TRACE("Enter NtUserGetIconSize\n"); UserEnterExclusive(); if (!(CurIcon = UserGetCurIconObject(hCurIcon))) { goto cleanup; } if(CurIcon->CURSORF_flags & CURSORF_ACON) { /* Use first frame for animated cursors */ PACON AniCurIcon = (PACON)CurIcon; CurIcon = AniCurIcon->aspcur[0]; UserDereferenceObject(AniCurIcon); UserReferenceObject(CurIcon); } _SEH2_TRY { ProbeForWrite(plcx, sizeof(LONG), 1); *plcx = CurIcon->cx; ProbeForWrite(plcy, sizeof(LONG), 1); *plcy = CurIcon->cy; } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { Status = _SEH2_GetExceptionCode(); } _SEH2_END if (NT_SUCCESS(Status)) bRet = TRUE; else SetLastNtError(Status); // Maybe not, test this UserDereferenceObject(CurIcon); cleanup: TRACE("Leave NtUserGetIconSize, ret=%i\n", bRet); UserLeave(); return bRet; }
/* * NtUserGetKeyboardLayoutName * * Returns KLID of current thread keyboard layout */ BOOL APIENTRY NtUserGetKeyboardLayoutName( LPWSTR pwszName) { BOOL bRet = FALSE; PKL pKl; PTHREADINFO pti; UserEnterShared(); pti = PsGetCurrentThreadWin32Thread(); pKl = pti->KeyboardLayout; if (!pKl) goto cleanup; _SEH2_TRY { ProbeForWrite(pwszName, KL_NAMELENGTH*sizeof(WCHAR), 1); wcscpy(pwszName, pKl->spkf->awchKF); bRet = TRUE; } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { SetLastNtError(_SEH2_GetExceptionCode()); } _SEH2_END; cleanup: UserLeave(); return bRet; }
/** * Opens a process. * * \param ProcessHandle A variable which receives the process handle. * \param DesiredAccess The desired access to the process. * \param ClientId The identifier of a process or thread. If \a UniqueThread * is present, the process of the identified thread will be opened. If * \a UniqueProcess is present, the identified process will be opened. * \param AccessMode The mode in which to perform access checks. */ NTSTATUS KpiOpenProcess( __out PHANDLE ProcessHandle, __in ACCESS_MASK DesiredAccess, __in PCLIENT_ID ClientId, __in KPROCESSOR_MODE AccessMode ) { NTSTATUS status; CLIENT_ID clientId; PEPROCESS process; PETHREAD thread; HANDLE processHandle; PAGED_CODE(); if (AccessMode != KernelMode) { __try { ProbeForWrite(ProcessHandle, sizeof(HANDLE), sizeof(HANDLE)); ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG)); clientId = *ClientId; } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } }
NTSTATUS BDKitTerminateProcessByClearMemroy(__in PEPROCESS EProcess) { NTSTATUS nsStatus = STATUS_UNSUCCESSFUL; ULONG_PTR MemIndex = 0; KAPC_STATE kApcState = {0x00}; do { _KeStackAttachProcess ((PKPROCESS)EProcess, &kApcState); { for ( MemIndex = LOWEST_USER_MEM_ADDRESS; MemIndex < HIGHEST_USER_MEM_ADDRESS - 1; MemIndex += PAGE_SIZE ) { __try { ProbeForWrite ((PVOID)MemIndex, PAGE_SIZE, 4L); RtlFillMemory ((PVOID)MemIndex, PAGE_SIZE, 0x00); } __except(EXCEPTION_EXECUTE_HANDLER) { break; } } } _KeUnstackDetachProcess ((PKPROCESS)EProcess, &kApcState); nsStatus = STATUS_SUCCESS; } while (FALSE); return nsStatus; }
BOOL APIENTRY NtGdiSetBrushOrg( _In_ HDC hdc, _In_ INT x, _In_ INT y, _Out_opt_ LPPOINT pptOut) { PDC pdc; /* Lock the DC */ pdc = DC_LockDc(hdc); if (pdc == NULL) { EngSetLastError(ERROR_INVALID_HANDLE); return FALSE; } /* Check if the old origin was requested */ if (pptOut != NULL) { /* Enter SEH for buffer transfer */ _SEH2_TRY { /* Probe and copy the old origin */ ProbeForWrite(pptOut, sizeof(POINT), 1); *pptOut = pdc->pdcattr->ptlBrushOrigin; } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { DC_UnlockDc(pdc); _SEH2_YIELD(return FALSE); } _SEH2_END; }
/*++ * @name NtQuerySecurityObject * @implemented NT4 * * The NtQuerySecurityObject routine <FILLMEIN> * * @param Handle * <FILLMEIN> * * @param SecurityInformation * <FILLMEIN> * * @param SecurityDescriptor * <FILLMEIN> * * @param Length * <FILLMEIN> * * @param ResultLength * <FILLMEIN> * * @return STATUS_SUCCESS or appropriate error value. * * @remarks None. * *--*/ NTSTATUS NTAPI NtQuerySecurityObject(IN HANDLE Handle, IN SECURITY_INFORMATION SecurityInformation, OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN ULONG Length, OUT PULONG ResultLength) { KPROCESSOR_MODE PreviousMode = ExGetPreviousMode(); PVOID Object; POBJECT_HEADER Header; POBJECT_TYPE Type; ACCESS_MASK DesiredAccess; NTSTATUS Status; PAGED_CODE(); /* Check if we came from user mode */ if (PreviousMode != KernelMode) { /* Enter SEH */ _SEH2_TRY { /* Probe the SD and the length pointer */ ProbeForWrite(SecurityDescriptor, Length, sizeof(ULONG)); ProbeForWriteUlong(ResultLength); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { /* Return the exception code */ _SEH2_YIELD(return _SEH2_GetExceptionCode()); } _SEH2_END; }
INT APIENTRY NtGdiGetAppClipBox(HDC hDC, PRECTL rc) { INT Ret; NTSTATUS Status = STATUS_SUCCESS; RECTL Saferect; Ret = GdiGetClipBox(hDC, &Saferect); _SEH2_TRY { ProbeForWrite(rc, sizeof(RECT), 1); *rc = Saferect; } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { Status = _SEH2_GetExceptionCode(); } _SEH2_END; if(!NT_SUCCESS(Status)) { SetLastNtError(Status); return ERROR; } return Ret; }
/* * @implemented */ NTSTATUS NTAPI NtAllocateLocallyUniqueId(OUT LUID *LocallyUniqueId) { LUID NewLuid; KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PAGED_CODE(); PreviousMode = ExGetPreviousMode(); if(PreviousMode != KernelMode) { _SEH2_TRY { ProbeForWrite(LocallyUniqueId, sizeof(LUID), sizeof(ULONG)); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { _SEH2_YIELD(return _SEH2_GetExceptionCode()); } _SEH2_END; }
INT APIENTRY NtGdiGetAppClipBox( _In_ HDC hdc, _Out_ LPRECT prc) { RECT rect; INT iComplexity; /* Call the internal function */ iComplexity = GdiGetClipBox(hdc, &rect); if (iComplexity != ERROR) { _SEH2_TRY { ProbeForWrite(prc, sizeof(RECT), 1); *prc = rect; } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { iComplexity = ERROR; } _SEH2_END }
NTSTATUS APIENTRY NtUserCreateLocalMemHandle( HANDLE hMem, PVOID pData, DWORD cbData, DWORD *pcbData) { PCLIPBOARDDATA pMemObj; NTSTATUS Status = STATUS_SUCCESS; UserEnterShared(); /* Get Clipboard data object */ pMemObj = (PCLIPBOARDDATA)UserGetObject(gHandleTable, hMem, TYPE_CLIPDATA); if (!pMemObj) { Status = STATUS_INVALID_HANDLE; goto cleanup; } /* Don't overrun */ if (cbData > pMemObj->cbData) cbData = pMemObj->cbData; /* Copy data to usermode */ _SEH2_TRY { if (pcbData) { ProbeForWrite(pcbData, sizeof(*pcbData), 1); *pcbData = pMemObj->cbData; } ProbeForWrite(pData, cbData, 1); memcpy(pData, pMemObj->Data, cbData); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { Status = _SEH2_GetExceptionCode(); } _SEH2_END; cleanup: UserLeave(); return Status; }
ULONG APIENTRY NtUserCopyAcceleratorTable( HACCEL hAccel, LPACCEL Entries, ULONG EntriesCount) { PACCELERATOR_TABLE Accel; ULONG Ret; DECLARE_RETURN(int); TRACE("Enter NtUserCopyAcceleratorTable\n"); UserEnterShared(); Accel = UserGetAccelObject(hAccel); if (!Accel) { RETURN(0); } /* If Entries is NULL return table size */ if (!Entries) { RETURN(Accel->Count); } /* Don't overrun */ if (Accel->Count < EntriesCount) EntriesCount = Accel->Count; Ret = 0; _SEH2_TRY { ProbeForWrite(Entries, EntriesCount*sizeof(Entries[0]), 4); for (Ret = 0; Ret < EntriesCount; Ret++) { Entries[Ret].fVirt = Accel->Table[Ret].fVirt; Entries[Ret].key = Accel->Table[Ret].key; Entries[Ret].cmd = Accel->Table[Ret].cmd; } } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { SetLastNtError(_SEH2_GetExceptionCode()); Ret = 0; } _SEH2_END; RETURN(Ret); CLEANUP: TRACE("Leave NtUserCopyAcceleratorTable, ret=%i\n", _ret_); UserLeave(); END_CLEANUP; }
//枚举进程 //InputBuffer[0] == 是否显示Deleting进程 //OutputBuffer ObjectIdTable缓冲 NTSTATUS DispatchProcessEnum(PVOID InputBuffer, ULONG InputLength, PVOID OutputBuffer, ULONG OutputLength, PULONG Information) { BOOLEAN showDeleting; NTSTATUS status; PObjectIdTable objIdTable; *Information = 0; //首先验证用户参数 if(InputBuffer == NULL || InputLength != sizeof(BOOLEAN) || OutputBuffer == NULL || OutputLength != sizeof(ObjectIdTable)) { KdPrint(("DispatchProcessEnum Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)", InputLength, sizeof(BOOLEAN), OutputLength, sizeof(ObjectIdTable))); return STATUS_INVALID_PARAMETER; } status = STATUS_SUCCESS; try{ ProbeForRead(InputBuffer, InputLength, 1); showDeleting = *(BOOLEAN*)InputBuffer; }except(EXCEPTION_CONTINUE_EXECUTION){ KdPrint(("DispatchProcessEnum ACCESS_VIOLATION read.\n")); status = STATUS_ACCESS_VIOLATION; } if(!NT_SUCCESS(status)) return status; //枚举进程信息 objIdTable = ProcessEnum(showDeleting); if(!objIdTable) { status = STATUS_UNSUCCESSFUL; return status; } //拷贝到用户控件 try{ ProbeForWrite(OutputBuffer, OutputLength, 1); RtlCopyMemory(OutputBuffer, objIdTable, OutputLength); status = STATUS_SUCCESS; }except(EXCEPTION_CONTINUE_EXECUTION){ KdPrint(("DispatchProcessEnum ACCESS_VIOLATION write.\n")); status = STATUS_ACCESS_VIOLATION; } ExFreePool(objIdTable); if(NT_SUCCESS(status)) *Information = OutputLength; return status; }
NTSTATUS NTAPI NtQueryInformationPort( IN HANDLE PortHandle OPTIONAL, IN PORT_INFORMATION_CLASS PortInformationClass, OUT PVOID PortInformation, IN ULONG Length, OUT PULONG ReturnLength OPTIONAL ) { KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PLPCP_PORT_OBJECT PortObject; PAGED_CODE(); // // Get previous processor mode and probe output argument if necessary. // PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { try { ProbeForWrite( PortInformation, Length, sizeof( ULONG ) ); if (ARGUMENT_PRESENT( ReturnLength )) { ProbeForWriteUlong( ReturnLength ); } } except( EXCEPTION_EXECUTE_HANDLER ) { return( GetExceptionCode() ); } } if (ARGUMENT_PRESENT( PortHandle )) { Status = ObReferenceObjectByHandle( PortHandle, GENERIC_READ, LpcPortObjectType, PreviousMode, &PortObject, NULL ); if (!NT_SUCCESS( Status )) { return( Status ); } ObDereferenceObject( PortObject ); return STATUS_SUCCESS; } else { return STATUS_INVALID_INFO_CLASS; } }
/* * @implemented */ NTSTATUS NTAPI NtRequestWaitReplyPort(IN HANDLE PortHandle, IN PPORT_MESSAGE LpcRequest, IN OUT PPORT_MESSAGE LpcReply) { PORT_MESSAGE LocalLpcRequest; ULONG NumberOfDataEntries; PLPCP_PORT_OBJECT Port, QueuePort, ReplyPort, ConnectionPort = NULL; KPROCESSOR_MODE PreviousMode = KeGetPreviousMode(); NTSTATUS Status; PLPCP_MESSAGE Message; PETHREAD Thread = PsGetCurrentThread(); BOOLEAN Callback; PKSEMAPHORE Semaphore; ULONG MessageType; PLPCP_DATA_INFO DataInfo; PAGED_CODE(); LPCTRACE(LPC_SEND_DEBUG, "Handle: %p. Messages: %p/%p. Type: %lx\n", PortHandle, LpcRequest, LpcReply, LpcpGetMessageType(LpcRequest)); /* Check if the thread is dying */ if (Thread->LpcExitThreadCalled) return STATUS_THREAD_IS_TERMINATING; /* Check for user mode access */ if (PreviousMode != KernelMode) { _SEH2_TRY { /* Probe the full request message and copy the base structure */ ProbeForRead(LpcRequest, sizeof(*LpcRequest), sizeof(ULONG)); ProbeForRead(LpcRequest, LpcRequest->u1.s1.TotalLength, sizeof(ULONG)); LocalLpcRequest = *LpcRequest; /* Probe the reply message for write */ ProbeForWrite(LpcReply, sizeof(*LpcReply), sizeof(ULONG)); /* Make sure the data entries in the request message are valid */ Status = LpcpVerifyMessageDataInfo(LpcRequest, &NumberOfDataEntries); if (!NT_SUCCESS(Status)) { DPRINT1("LpcpVerifyMessageDataInfo failed\n"); return Status; } } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { DPRINT1("Got exception\n"); return _SEH2_GetExceptionCode(); } _SEH2_END; }
BOOL APIENTRY NtGdiGetDeviceGammaRamp(HDC hDC, LPVOID Ramp) { BOOL Ret; PDC dc; NTSTATUS Status = STATUS_SUCCESS; PGAMMARAMP SafeRamp; if (!Ramp) return FALSE; dc = DC_LockDc(hDC); if (!dc) { EngSetLastError(ERROR_INVALID_HANDLE); return FALSE; } SafeRamp = ExAllocatePoolWithTag(PagedPool, sizeof(GAMMARAMP), GDITAG_ICM); if (!SafeRamp) { DC_UnlockDc(dc); EngSetLastError(STATUS_NO_MEMORY); return FALSE; } Ret = IntGetDeviceGammaRamp((HDEV)dc->ppdev, SafeRamp); if (!Ret) return Ret; _SEH2_TRY { ProbeForWrite( Ramp, sizeof(PVOID), 1); RtlCopyMemory( Ramp, SafeRamp, sizeof(GAMMARAMP)); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { Status = _SEH2_GetExceptionCode(); } _SEH2_END; DC_UnlockDc(dc); ExFreePoolWithTag(SafeRamp, GDITAG_ICM); if (!NT_SUCCESS(Status)) { SetLastNtError(Status); return FALSE; } return Ret; }
/* * NtUserGetKeyboardLayoutList * * Returns list of loaded keyboard layouts in system */ UINT APIENTRY NtUserGetKeyboardLayoutList( ULONG nBuff, HKL *pHklBuff) { UINT uRet = 0; PKL pKl; if (!pHklBuff) nBuff = 0; UserEnterShared(); if (!gspklBaseLayout) { UserLeave(); return 0; } pKl = gspklBaseLayout; if (nBuff == 0) { do { uRet++; pKl = pKl->pklNext; } while (pKl != gspklBaseLayout); } else { _SEH2_TRY { ProbeForWrite(pHklBuff, nBuff*sizeof(HKL), 4); while (uRet < nBuff) { pHklBuff[uRet] = pKl->hkl; uRet++; pKl = pKl->pklNext; if (pKl == gspklBaseLayout) break; } } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { SetLastNtError(_SEH2_GetExceptionCode()); uRet = 0; } _SEH2_END; } UserLeave(); return uRet; }
/* * @implemented */ BOOL APIENTRY NtUserGetCursorInfo( PCURSORINFO pci) { CURSORINFO SafeCi; PSYSTEM_CURSORINFO CurInfo; NTSTATUS Status = STATUS_SUCCESS; PCURICON_OBJECT CurIcon; BOOL Ret = FALSE; DECLARE_RETURN(BOOL); TRACE("Enter NtUserGetCursorInfo\n"); UserEnterExclusive(); CurInfo = IntGetSysCursorInfo(); CurIcon = (PCURICON_OBJECT)CurInfo->CurrentCursorObject; SafeCi.cbSize = sizeof(CURSORINFO); SafeCi.flags = ((CurIcon && CurInfo->ShowingCursor >= 0) ? CURSOR_SHOWING : 0); SafeCi.hCursor = (CurIcon ? CurIcon->head.h : NULL); SafeCi.ptScreenPos = gpsi->ptCursor; _SEH2_TRY { if (pci->cbSize == sizeof(CURSORINFO)) { ProbeForWrite(pci, sizeof(CURSORINFO), 1); RtlCopyMemory(pci, &SafeCi, sizeof(CURSORINFO)); Ret = TRUE; } else { EngSetLastError(ERROR_INVALID_PARAMETER); } } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { Status = _SEH2_GetExceptionCode(); } _SEH2_END; if (!NT_SUCCESS(Status)) { SetLastNtError(Status); } RETURN(Ret); CLEANUP: TRACE("Leave NtUserGetCursorInfo, ret=%i\n",_ret_); UserLeave(); END_CLEANUP; }
HDC APIENTRY NtGdiOpenDCW( PUNICODE_STRING pustrDevice, DEVMODEW *pdmInit, PUNICODE_STRING pustrLogAddr, ULONG iType, BOOL bDisplay, HANDLE hspool, VOID *pDriverInfo2, VOID *pUMdhpdev) { UNICODE_STRING ustrDevice; WCHAR awcDevice[CCHDEVICENAME]; DEVMODEW dmInit; PVOID dhpdev; HDC hdc; /* Only if a devicename is given, we need any data */ if (pustrDevice) { /* Initialize destination string */ RtlInitEmptyUnicodeString(&ustrDevice, awcDevice, sizeof(awcDevice)); _SEH2_TRY { /* Probe the UNICODE_STRING and the buffer */ ProbeForRead(pustrDevice, sizeof(UNICODE_STRING), 1); ProbeForRead(pustrDevice->Buffer, pustrDevice->Length, 1); /* Copy the string */ RtlCopyUnicodeString(&ustrDevice, pustrDevice); if (pdmInit) { /* FIXME: could be larger */ ProbeForRead(pdmInit, sizeof(DEVMODEW), 1); RtlCopyMemory(&dmInit, pdmInit, sizeof(DEVMODEW)); } if (pUMdhpdev) { ProbeForWrite(pUMdhpdev, sizeof(HANDLE), 1); } } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { SetLastNtError(_SEH2_GetExceptionCode()); _SEH2_YIELD(return NULL); } _SEH2_END } else {
//获取进程的模块信息 //InputBuffer[0] == PEPROCESS指针 //InputBuffer[1] == LdrData指针 //OutputBuffer ModuleInfo缓冲 NTSTATUS DispatchQueryProcessModuleInfo(PVOID InputBuffer, ULONG InputLength, PVOID OutputBuffer, ULONG OutputLength, PULONG Information) { NTSTATUS status; PEPROCESS process; PVOID ldrData; PModuleInfo modInfo; *Information = 0; if(InputBuffer == NULL || InputLength != sizeof(PEPROCESS) + sizeof(PVOID)|| OutputBuffer == NULL || OutputLength != sizeof(ModuleInfo)) { KdPrint(("DispatchQueryProcessModuleInfo Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)", InputLength, sizeof(PEPROCESS) + sizeof(PVOID), OutputLength, sizeof(ModuleInfo))); return STATUS_INVALID_PARAMETER; } try{ ProbeForRead(InputBuffer, InputLength, 1); process = *(PEPROCESS*)InputBuffer; ldrData = *(PVOID*)((ULONG)InputBuffer + 4); status = STATUS_SUCCESS; }except(EXCEPTION_CONTINUE_EXECUTION){ status = STATUS_ACCESS_VIOLATION; } if(!NT_SUCCESS(status)) { KdPrint(("DispatchQueryProcessModuleInfo ACCESS_VIOLATION read.\n")); return status; } modInfo = QueryModuleInfo(process, ldrData); if(modInfo == NULL) return STATUS_UNSUCCESSFUL; try{ ProbeForWrite(OutputBuffer, OutputLength, 1); RtlCopyMemory(OutputBuffer, modInfo, OutputLength); status = STATUS_SUCCESS; }except(EXCEPTION_CONTINUE_EXECUTION){ KdPrint(("DispatchQueryProcessModuleInfo ACCESS_VIOLATION write.\n")); status = STATUS_ACCESS_VIOLATION; } if(NT_SUCCESS(status)) *Information = OutputLength; ExFreePool(modInfo); return status; }
//获取线程信息 //InputBuffer[0] == PETHREAD指针 //OutputBuffer threadInfo缓冲 NTSTATUS DispatchQueryThreadInfo(PVOID InputBuffer, ULONG InputLength, PVOID OutputBuffer, ULONG OutputLength, PULONG Information) { NTSTATUS status; PETHREAD thread; PThreadInfo threadInfo; *Information = 0; if(InputBuffer == NULL || InputLength != sizeof(PETHREAD) || OutputBuffer == NULL || OutputLength != sizeof(ThreadInfo)) { KdPrint(("DispatchQueryThreadInfo Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)", InputLength, sizeof(PETHREAD), OutputLength, sizeof(ThreadInfo))); return STATUS_INVALID_PARAMETER; } try{ ProbeForRead(InputBuffer, InputLength, 1); thread = *(PETHREAD*)(InputBuffer); status = STATUS_SUCCESS; }except(EXCEPTION_CONTINUE_EXECUTION){ status = STATUS_ACCESS_VIOLATION; } if(!NT_SUCCESS(status)) { KdPrint(("DispatchQueryThreadInfo ACCESS_VIOLATION read.\n")); return status; } threadInfo = QueryThreadInfo(thread); if(threadInfo == NULL) return STATUS_UNSUCCESSFUL; try{ ProbeForWrite(OutputBuffer, OutputLength, 1); RtlCopyMemory(OutputBuffer, threadInfo, OutputLength); status = STATUS_SUCCESS; }except(EXCEPTION_CONTINUE_EXECUTION){ KdPrint(("DispatchQueryThreadInfo ACCESS_VIOLATION write.\n")); status = STATUS_ACCESS_VIOLATION; } if(NT_SUCCESS(status)) *Information = OutputLength; ExFreePool(threadInfo); return status; }
//枚举进程 //InputBuffer[0] == 是否显示EPROCESS指针 //OutputBuffer ObjectIdTable缓冲 NTSTATUS DispatchThreadEnum(PVOID InputBuffer, ULONG InputLength, PVOID OutputBuffer, ULONG OutputLength, PULONG Information) { PEPROCESS process; NTSTATUS status; PObjectIdTable objIdTable; *Information = 0; if(InputBuffer == NULL || InputLength != sizeof(PEPROCESS) || OutputBuffer == NULL || OutputLength != sizeof(ObjectIdTable)) { KdPrint(("DispatchThreadEnum Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)", InputLength, sizeof(PEPROCESS), OutputLength, sizeof(ObjectIdTable))); return STATUS_INVALID_PARAMETER; } try{ ProbeForRead(InputBuffer, InputLength, 1); process = *(PEPROCESS*)InputBuffer; status = STATUS_SUCCESS; }except(EXCEPTION_CONTINUE_EXECUTION){ KdPrint(("DispatchThreadEnum ACCESS_VIOLATION read.\n")); status = STATUS_ACCESS_VIOLATION; } if(!NT_SUCCESS(status)) return status; //枚举线程 objIdTable = ThreadEnum(process); if(!objIdTable) return STATUS_UNSUCCESSFUL; try{ ProbeForWrite(OutputBuffer, OutputLength, 1); RtlCopyMemory(OutputBuffer, objIdTable, OutputLength); status = STATUS_SUCCESS; }except(EXCEPTION_CONTINUE_EXECUTION){ KdPrint(("DispatchThreadEnum ACCESS_VIOLATION write.\n")); status = STATUS_ACCESS_VIOLATION; } ExFreePool(objIdTable); if(NT_SUCCESS(status)) *Information = OutputLength; return status; }
//获取进程的模块列表 //InputBuffer[0] == PEPROCESS指针 //OutputBuffer ProcessModuleList缓冲 NTSTATUS DispatchQueryProcessModuleList(PVOID InputBuffer, ULONG InputLength, PVOID OutputBuffer, ULONG OutputLength, PULONG Information) { NTSTATUS status; PEPROCESS process; PProcessModuleList processModList; *Information = 0; if(InputBuffer == NULL || InputLength != sizeof(PEPROCESS) || OutputBuffer == NULL || OutputLength != sizeof(ProcessModuleList)) { KdPrint(("DispatchQueryProcessModuleList Param mismatch: InputLength == %lu(should be %lu), OutputLength == %lu(should be %lu)", InputLength, sizeof(PEPROCESS), OutputLength, sizeof(ProcessModuleList))); return STATUS_INVALID_PARAMETER; } try{ ProbeForRead(InputBuffer, InputLength, 1); process = *(PEPROCESS*)InputBuffer; status = STATUS_SUCCESS; }except(EXCEPTION_CONTINUE_EXECUTION){ status = STATUS_ACCESS_VIOLATION; } if(!NT_SUCCESS(status)) { KdPrint(("DispatchQueryProcessModuleList ACCESS_VIOLATION read.\n")); return status; } processModList = QueryProcessModuleList(process); if(processModList == NULL) return STATUS_UNSUCCESSFUL; try{ ProbeForWrite(OutputBuffer, OutputLength, 1); RtlCopyMemory(OutputBuffer, processModList, OutputLength); status = STATUS_SUCCESS; }except(EXCEPTION_CONTINUE_EXECUTION){ KdPrint(("DispatchQueryProcessModuleList ACCESS_VIOLATION write.\n")); status = STATUS_ACCESS_VIOLATION; } if(NT_SUCCESS(status)) *Information = OutputLength; ExFreePool(processModList); return status; }
ULONG APIENTRY NtUserGetAtomName( _In_ ATOM atom, _Inout_ PUNICODE_STRING pustrName) { WCHAR awcBuffer[256]; ULONG cjLength; /* Retrieve the atom name into a local buffer (max length is 255 chars) */ cjLength = IntGetAtomName((RTL_ATOM)atom, awcBuffer, sizeof(awcBuffer)); if (cjLength != 0) { _SEH2_TRY { /* Probe the unicode string and the buffer */ ProbeForRead(pustrName, sizeof(*pustrName), 1); ProbeForWrite(pustrName->Buffer, pustrName->MaximumLength, 1); /* Check if we have enough space to write the NULL termination */ if (pustrName->MaximumLength >= sizeof(UNICODE_NULL)) { /* Limit the length to the buffer size */ cjLength = min(pustrName->MaximumLength - sizeof(UNICODE_NULL), cjLength); /* Copy the string and NULL terminate it */ RtlCopyMemory(pustrName->Buffer, awcBuffer, cjLength); pustrName->Buffer[cjLength / sizeof(WCHAR)] = L'\0'; } else { cjLength = 0; } } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { /* On exception, set last error and fail */ SetLastNtError(_SEH2_GetExceptionCode()); cjLength = 0; } _SEH2_END }
NTSTATUS KpiGetFeatures( __out PULONG Features, __in KPROCESSOR_MODE AccessMode ) { PAGED_CODE(); if (AccessMode != KernelMode) { __try { ProbeForWrite(Features, sizeof(ULONG), sizeof(ULONG)); *Features = KphFeatures; } __except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } }
BOOLEAN AcpiOsWritable( void *Memory, ACPI_SIZE Length) { BOOLEAN Ret = FALSE; _SEH2_TRY { ProbeForWrite(Memory, Length, sizeof(UCHAR)); Ret = TRUE; } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { Ret = FALSE; } _SEH2_END; return Ret; }
INT APIENTRY NtUserGetClipboardFormatName(UINT fmt, LPWSTR lpszFormatName, INT cchMaxCount) { INT iRet = 0; UserEnterShared(); /* If the format is built-in we fail */ if (fmt < 0xc000) { /* Registetrated formats are >= 0xc000 */ goto cleanup; } if (cchMaxCount < 1 || !lpszFormatName) { EngSetLastError(ERROR_INVALID_PARAMETER); goto cleanup; } _SEH2_TRY { ProbeForWrite(lpszFormatName, cchMaxCount * sizeof(WCHAR), 1); iRet = IntGetAtomName((RTL_ATOM)fmt, lpszFormatName, cchMaxCount * sizeof(WCHAR)); iRet /= sizeof(WCHAR); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { SetLastNtError(_SEH2_GetExceptionCode()); } _SEH2_END; cleanup: UserLeave(); return iRet; }
BOOL APIENTRY NtGdiGetDeviceCapsAll( IN HDC hDC, OUT PDEVCAPS pDevCaps) { PDC pdc; DEVCAPS devcaps; BOOL bResult = TRUE; /* Lock the given DC */ pdc = DC_LockDc(hDC); if (!pdc) { EngSetLastError(ERROR_INVALID_HANDLE); return FALSE; } /* Get the data */ PDEVOBJ_vGetDeviceCaps(pdc->ppdev, &devcaps); /* Unlock the DC */ DC_UnlockDc(pdc); /* Copy data to caller */ _SEH2_TRY { ProbeForWrite(pDevCaps, sizeof(DEVCAPS), 1); RtlCopyMemory(pDevCaps, &devcaps, sizeof(DEVCAPS)); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { SetLastNtError(_SEH2_GetExceptionCode()); bResult = FALSE; } _SEH2_END; return bResult; }
// // Queries and user-suplyed buffer from the IRP. // Performs read\write check if needed. // static NTSTATUS ProbeAndGetIrpUserBuffer(PIRP Irp, PVOID* pUserBuffer, ULONG Length, BOOL bWrite) { NTSTATUS ntStatus = STATUS_SUCCESS; PVOID UserBuffer; if (!Irp->MdlAddress) { UserBuffer = Irp->UserBuffer; if (Irp->RequestorMode != KernelMode) { __try { if (bWrite) ProbeForWrite(UserBuffer, Length, sizeof(UCHAR)); else ProbeForRead(UserBuffer, Length, sizeof(UCHAR)); } __except(EXCEPTION_EXECUTE_HANDLER) { ntStatus = GetExceptionCode(); } } // if (Irp->RequestorMode != KernelMode)
static BOOLEAN _OnDriverNameWatchEnum(PWCHAR String, PVOID Data, PVOID Context) { SIZE_T len = 0; SIZE_T requiredLength = 0; PDRIVER_NAME_WATCH_RECORD rec = (PDRIVER_NAME_WATCH_RECORD)Data; PDRIVER_NAME_WATCH_ENUM_CONTEXT ctx = (PDRIVER_NAME_WATCH_ENUM_CONTEXT)Context; DEBUG_ENTER_FUNCTION("String=\"%S\"; Data=0x%p; Context=0x%p", String, Data, Context); if (NT_SUCCESS(ctx->Status)) { len = wcslen(String)*sizeof(WCHAR); requiredLength = sizeof(DRIVER_NAME_WATCH_ENTRY) + len; if (ctx->RemainingLength >= requiredLength) { if (ctx->AccessMode == UserMode) { __try { ProbeForWrite(ctx->CurrentEntry, requiredLength, 1); ctx->CurrentEntry->MonitorSettings = rec->MonitorSettings; ctx->CurrentEntry->NameLength = (ULONG)len; memcpy(ctx->CurrentEntry + 1, String, len); } __except (EXCEPTION_EXECUTE_HANDLER) { ctx->Status = GetExceptionCode(); } } else {
NTSTATUS NTAPI NpTransceive(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PLIST_ENTRY List) { PIO_STACK_LOCATION IoStack; PVOID InBuffer, OutBuffer; ULONG InLength, OutLength, BytesWritten; NODE_TYPE_CODE NodeTypeCode; PNP_CCB Ccb; ULONG NamedPipeEnd; PNP_NONPAGED_CCB NonPagedCcb; PNP_DATA_QUEUE ReadQueue, WriteQueue; PNP_EVENT_BUFFER EventBuffer; NTSTATUS Status; PIRP NewIrp; PAGED_CODE(); IoStack = IoGetCurrentIrpStackLocation(Irp); InLength = IoStack->Parameters.FileSystemControl.InputBufferLength; InBuffer = IoStack->Parameters.FileSystemControl.Type3InputBuffer; OutLength = IoStack->Parameters.FileSystemControl.OutputBufferLength; OutBuffer = Irp->UserBuffer; if (Irp->RequestorMode == UserMode) { _SEH2_TRY { ProbeForRead(InBuffer, InLength, sizeof(CHAR)); ProbeForWrite(OutBuffer, OutLength, sizeof(CHAR)); } _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER) { _SEH2_YIELD(return _SEH2_GetExceptionCode()); } _SEH2_END; }