/*++ Copyright (c) 1991 Microsoft Corporation Module Name: sysload.c Abstract: This module contains the code to load DLLs into the system portion of the address space and calls the DLL at its initialization entry point. Author: Lou Perazzoli 21-May-1991 Landy Wang 02-June-1997 Revision History: --*/ #include "mi.h" KMUTANT MmSystemLoadLock; ULONG MmTotalSystemDriverPages; ULONG MmDriverCommit; ULONG MiFirstDriverLoadEver = 0; // // This key is set to TRUE to make more memory below 16mb available for drivers. // It can be cleared via the registry. // LOGICAL MmMakeLowMemory = TRUE; // // Enabled via the registry to identify drivers which unload without releasing // resources or still have active timers, etc. // PUNLOADED_DRIVERS MmUnloadedDrivers; ULONG MmLastUnloadedDriver; ULONG MiTotalUnloads; ULONG MiUnloadsSkipped; // // This can be set by the registry. // ULONG MmEnforceWriteProtection = 1; // // Referenced by ke\bugcheck.c. // PVOID ExPoolCodeStart; PVOID ExPoolCodeEnd; PVOID MmPoolCodeStart; PVOID MmPoolCodeEnd; PVOID MmPteCodeStart; PVOID MmPteCodeEnd; extern LONG MiSessionLeaderExists; ULONG CacheImageSymbols ( IN PVOID ImageBase ); NTSTATUS MiResolveImageReferences ( PVOID ImageBase, IN PUNICODE_STRING ImageFileDirectory, IN PUNICODE_STRING NamePrefix OPTIONAL, OUT PCHAR *MissingProcedureName, OUT PWSTR *MissingDriverName, OUT PLOAD_IMPORTS *LoadedImports ); NTSTATUS MiSnapThunk ( IN PVOID DllBase, IN PVOID ImageBase, IN PIMAGE_THUNK_DATA NameThunk, OUT PIMAGE_THUNK_DATA AddrThunk, IN PIMAGE_EXPORT_DIRECTORY ExportDirectory, IN ULONG ExportSize, IN LOGICAL SnapForwarder, OUT PCHAR *MissingProcedureName ); NTSTATUS MiLoadImageSection ( IN PSECTION SectionPointer, OUT PVOID *ImageBase, IN PUNICODE_STRING ImageFileName, IN ULONG LoadInSessionSpace ); VOID MiEnablePagingOfDriver ( IN PVOID ImageHandle ); VOID MiSetPagingOfDriver ( IN PMMPTE PointerPte, IN PMMPTE LastPte, IN LOGICAL SessionSpace ); PVOID MiLookupImageSectionByName ( IN PVOID Base, IN LOGICAL MappedAsImage, IN PCHAR SectionName, OUT PULONG SectionSize ); VOID MiClearImports ( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry ); NTSTATUS MiBuildImportsForBootDrivers ( VOID ); NTSTATUS MmCheckSystemImage ( IN HANDLE ImageFileHandle, IN LOGICAL PurgeSection ); LONG MiMapCacheExceptionFilter ( OUT PNTSTATUS Status, IN PEXCEPTION_POINTERS ExceptionPointer ); ULONG MiSetProtectionOnTransitionPte ( IN PMMPTE PointerPte, IN ULONG ProtectionMask ); NTSTATUS MiDereferenceImports ( IN PLOAD_IMPORTS ImportList ); LOGICAL MiCallDllUnloadAndUnloadDll ( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry ); PVOID MiLocateExportName ( IN PVOID DllBase, IN PCHAR FunctionName ); VOID MiRememberUnloadedDriver ( IN PUNICODE_STRING DriverName, IN PVOID Address, IN ULONG Length ); VOID MiWriteProtectSystemImage ( IN PVOID DllBase ); VOID MiLocateKernelSections ( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry ); VOID MiUpdateThunks ( IN PLOADER_PARAMETER_BLOCK LoaderBlock, IN PVOID OldAddress, IN PVOID NewAddress, IN ULONG NumberOfBytes ); PVOID MiFindExportedRoutineByName ( IN PVOID DllBase, IN PANSI_STRING AnsiImageRoutineName ); #if 0 VOID MiLockDriverPdata ( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry ); #endif VOID MiSetSystemCodeProtection ( IN PMMPTE FirstPte, IN PMMPTE LastPte ); LOGICAL MiChargeResidentAvailable ( IN PFN_NUMBER NumberOfPages, IN ULONG Id ); VOID MiReturnResidentAvailable ( IN PFN_NUMBER NumberOfPages, IN ULONG Id ); #ifdef ALLOC_PRAGMA #pragma alloc_text(PAGE,MmCheckSystemImage) #pragma alloc_text(PAGE,MmLoadSystemImage) #pragma alloc_text(PAGE,MiResolveImageReferences) #pragma alloc_text(PAGE,MiSnapThunk) #pragma alloc_text(PAGE,MiEnablePagingOfDriver) #pragma alloc_text(PAGE,MmPageEntireDriver) #pragma alloc_text(PAGE,MiSetImageProtect) #pragma alloc_text(PAGE,MiDereferenceImports) #pragma alloc_text(PAGE,MiCallDllUnloadAndUnloadDll) #pragma alloc_text(PAGE,MiLocateExportName) #pragma alloc_text(PAGE,MiClearImports) #pragma alloc_text(PAGE,MiWriteProtectSystemImage) #pragma alloc_text(PAGE,MmGetSystemRoutineAddress) #pragma alloc_text(PAGE,MiFindExportedRoutineByName) #pragma alloc_text(PAGE,MmCallDllInitialize) #pragma alloc_text(PAGE,MmFreeDriverInitialization) #pragma alloc_text(PAGE,MmResetDriverPaging) #pragma alloc_text(PAGE,MmUnloadSystemImage) #pragma alloc_text(PAGE,MiLoadImageSection) #pragma alloc_text(PAGE,MiRememberUnloadedDriver) #pragma alloc_text(INIT,MiBuildImportsForBootDrivers) #pragma alloc_text(INIT,MiReloadBootLoadedDrivers) #pragma alloc_text(INIT,MiUpdateThunks) #pragma alloc_text(INIT,MiInitializeLoadedModuleList) #pragma alloc_text(INIT,MiLocateKernelSections) #if 0 #pragma alloc_text(PAGEKD,MiLockDriverPdata) #endif #if !defined(NT_UP) #pragma alloc_text(PAGE,MmVerifyImageIsOkForMpUse) #endif #endif CHAR MiPteStr[] = "\0"; VOID MiProcessLoaderEntry ( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry, IN LOGICAL Insert ) /*++ Routine Description: This function is a nonpaged wrapper which acquires the PsLoadedModuleList lock to insert a new entry. Arguments: DataTableEntry - Supplies the loaded module list entry to insert/remove. Insert - Supplies TRUE if the entry should be inserted, FALSE if the entry should be removed. Return Value: None. Environment: Kernel mode. Normal APCs disabled (critical region held). --*/ { KIRQL OldIrql; ExAcquireResourceExclusiveLite (&PsLoadedModuleResource, TRUE); ExAcquireSpinLock (&PsLoadedModuleSpinLock, &OldIrql); if (Insert == TRUE) { InsertTailList (&PsLoadedModuleList, &DataTableEntry->InLoadOrderLinks); #if defined(_AMD64_) // || defined(_IA64_) RtlInsertInvertedFunctionTable (&PsInvertedFunctionTable, DataTableEntry->DllBase, DataTableEntry->SizeOfImage); #endif } else { #if defined(_AMD64_) // || defined(_IA64_) RtlRemoveInvertedFunctionTable (&PsInvertedFunctionTable, DataTableEntry->DllBase); #endif RemoveEntryList (&DataTableEntry->InLoadOrderLinks); } ExReleaseSpinLock (&PsLoadedModuleSpinLock, OldIrql); ExReleaseResourceLite (&PsLoadedModuleResource); } NTSTATUS MmLoadSystemImage ( IN PUNICODE_STRING ImageFileName, IN PUNICODE_STRING NamePrefix OPTIONAL, IN PUNICODE_STRING LoadedBaseName OPTIONAL, IN ULONG LoadFlags, OUT PVOID *ImageHandle, OUT PVOID *ImageBaseAddress ) /*++ Routine Description: This routine reads the image pages from the specified section into the system and returns the address of the DLL's header. At successful completion, the Section is referenced so it remains until the system image is unloaded. Arguments: ImageFileName - Supplies the full path name (including the image name) of the image to load. NamePrefix - If present, supplies the prefix to use with the image name on load operations. This is used to load the same image multiple times, by using different prefixes. LoadedBaseName - If present, supplies the base name to use on the loaded image instead of the base name found on the image name. LoadFlags - Supplies a combination of bit flags as follows: MM_LOAD_IMAGE_IN_SESSION : - Supplies whether to load this image in session space. Each session gets a different copy of this driver with pages shared as much as possible via copy on write. MM_LOAD_IMAGE_AND_LOCKDOWN : - Supplies TRUE if the image pages should be made nonpagable. ImageHandle - Returns an opaque pointer to the referenced section object of the image that was loaded. ImageBaseAddress - Returns the image base within the system. Return Value: Status of the load operation. Environment: Kernel mode, APC_LEVEL or below, arbitrary process context. --*/ { SIZE_T DataTableEntrySize; PWSTR BaseDllNameBuffer; PKLDR_DATA_TABLE_ENTRY DataTableEntry; KLDR_DATA_TABLE_ENTRY TempDataTableEntry; NTSTATUS Status; PSECTION SectionPointer; PIMAGE_NT_HEADERS NtHeaders; UNICODE_STRING PrefixedImageName; UNICODE_STRING BaseName; UNICODE_STRING BaseDirectory; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE FileHandle; HANDLE SectionHandle; IO_STATUS_BLOCK IoStatus; PCHAR NameBuffer; PLIST_ENTRY NextEntry; ULONG NumberOfPtes; PCHAR MissingProcedureName; PWSTR MissingDriverName; PWSTR PrintableMissingDriverName; PLOAD_IMPORTS LoadedImports; PMMSESSION Session; LOGICAL AlreadyOpen; LOGICAL IssueUnloadOnFailure; ULONG SectionAccess; PKTHREAD CurrentThread; PAGED_CODE(); LoadedImports = (PLOAD_IMPORTS)NO_IMPORTS_USED; SectionPointer = (PVOID)-1; FileHandle = (HANDLE)0; MissingProcedureName = NULL; MissingDriverName = NULL; IssueUnloadOnFailure = FALSE; MiFirstDriverLoadEver |= 0x1; NameBuffer = ExAllocatePoolWithTag (NonPagedPool, MAXIMUM_FILENAME_LENGTH, 'nLmM'); if (NameBuffer == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } // // Initializing these is not needed for correctness, but // without it the compiler cannot compile this code W4 to check // for use of uninitialized variables. // NumberOfPtes = (ULONG)-1; DataTableEntry = NULL; if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) { ASSERT (NamePrefix == NULL); ASSERT (LoadedBaseName == NULL); if ((PsGetCurrentProcess()->Flags & PS_PROCESS_FLAGS_IN_SESSION) == 0) { ExFreePool (NameBuffer); return STATUS_NO_MEMORY; } ASSERT (MmIsAddressValid (MmSessionSpace) == TRUE); Session = &MmSessionSpace->Session; } else { Session = &MmSession; } // // Get name roots. // if (ImageFileName->Buffer[0] == OBJ_NAME_PATH_SEPARATOR) { PWCHAR p; ULONG l; p = &ImageFileName->Buffer[ImageFileName->Length>>1]; while (*(p-1) != OBJ_NAME_PATH_SEPARATOR) { p--; } l = (ULONG)(&ImageFileName->Buffer[ImageFileName->Length>>1] - p); l *= sizeof(WCHAR); BaseName.Length = (USHORT)l; BaseName.Buffer = p; } else { BaseName.Length = ImageFileName->Length; BaseName.Buffer = ImageFileName->Buffer; } BaseName.MaximumLength = BaseName.Length; BaseDirectory = *ImageFileName; BaseDirectory.Length = (USHORT)(BaseDirectory.Length - BaseName.Length); BaseDirectory.MaximumLength = BaseDirectory.Length; PrefixedImageName = *ImageFileName; // // If there's a name prefix, add it to the PrefixedImageName. // if (NamePrefix) { PrefixedImageName.MaximumLength = (USHORT)(BaseDirectory.Length + NamePrefix->Length + BaseName.Length); PrefixedImageName.Buffer = ExAllocatePoolWithTag ( NonPagedPool, PrefixedImageName.MaximumLength, 'dLmM'); if (!PrefixedImageName.Buffer) { ExFreePool (NameBuffer); return STATUS_INSUFFICIENT_RESOURCES; } PrefixedImageName.Length = 0; RtlAppendUnicodeStringToString(&PrefixedImageName, &BaseDirectory); RtlAppendUnicodeStringToString(&PrefixedImageName, NamePrefix); RtlAppendUnicodeStringToString(&PrefixedImageName, &BaseName); // // Alter the basename to match. // BaseName.Buffer = PrefixedImageName.Buffer + BaseDirectory.Length / sizeof(WCHAR); BaseName.Length = (USHORT)(BaseName.Length + NamePrefix->Length); BaseName.MaximumLength = (USHORT)(BaseName.MaximumLength + NamePrefix->Length); } // // If there's a loaded base name, use it instead of the base name. // if (LoadedBaseName) { BaseName = *LoadedBaseName; } #if DBG if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) { DbgPrint ("MM:SYSLDR Loading %wZ (%wZ) %s\n", &PrefixedImageName, &BaseName, (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) ? "in session space" : " "); } #endif AlreadyOpen = FALSE; // // Arbitrary process context so prevent suspend APCs now. // CurrentThread = KeGetCurrentThread (); KeEnterCriticalRegionThread (CurrentThread); KeWaitForSingleObject (&MmSystemLoadLock, WrVirtualMemory, KernelMode, FALSE, (PLARGE_INTEGER)NULL); // // Check to see if this name already exists in the loader database. // NextEntry = PsLoadedModuleList.Flink; while (NextEntry != &PsLoadedModuleList) { DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (RtlEqualUnicodeString (&PrefixedImageName, &DataTableEntry->FullDllName, TRUE)) { if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) { if (MI_IS_SESSION_ADDRESS (DataTableEntry->DllBase) == FALSE) { // // The caller is trying to load a driver in session space // that has already been loaded in system space. This is // not allowed. // Status = STATUS_CONFLICTING_ADDRESSES; goto return2; } AlreadyOpen = TRUE; // // The LoadCount should generally not be 0 here, but it is // possible in the case where an attempt has been made to // unload a DLL on last dereference, but the DLL refused to // unload. // DataTableEntry->LoadCount += 1; SectionPointer = DataTableEntry->SectionPointer; break; } else { if (MI_IS_SESSION_ADDRESS (DataTableEntry->DllBase) == TRUE) { // // The caller is trying to load a driver in systemwide space // that has already been loaded in session space. This is // not allowed. // Status = STATUS_CONFLICTING_ADDRESSES; goto return2; } } *ImageHandle = DataTableEntry; *ImageBaseAddress = DataTableEntry->DllBase; Status = STATUS_IMAGE_ALREADY_LOADED; goto return2; } NextEntry = NextEntry->Flink; } ASSERT (AlreadyOpen == TRUE || NextEntry == &PsLoadedModuleList); if (AlreadyOpen == FALSE) { // // Check and see if a user wants to replace this binary // via a transfer through the kernel debugger. If this // fails just continue on with the existing file. // if (KdDebuggerEnabled && KdDebuggerNotPresent == FALSE) { Status = KdPullRemoteFile(ImageFileName, FILE_ATTRIBUTE_NORMAL, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT); if (NT_SUCCESS(Status)) { DbgPrint("MmLoadSystemImage: Pulled %wZ from kd\n", ImageFileName); } } DataTableEntry = NULL; // // Attempt to open the driver image itself. If this fails, then the // driver image cannot be located, so nothing else matters. // InitializeObjectAttributes (&ObjectAttributes, ImageFileName, (OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE), NULL, NULL); Status = ZwOpenFile (&FileHandle, FILE_EXECUTE, &ObjectAttributes, &IoStatus, FILE_SHARE_READ | FILE_SHARE_DELETE, 0); if (!NT_SUCCESS(Status)) { #if DBG if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) { DbgPrint ("MiLoadImageSection: cannot open %wZ\n", ImageFileName); } #endif // // Don't raise hard error status for file not found. // goto return2; } Status = MmCheckSystemImage(FileHandle, FALSE); if ((Status == STATUS_IMAGE_CHECKSUM_MISMATCH) || (Status == STATUS_IMAGE_MP_UP_MISMATCH) || (Status == STATUS_INVALID_IMAGE_PROTECT)) { goto return1; } // // Now attempt to create an image section for the file. If this fails, // then the driver file is not an image. Session space drivers are // shared text with copy on write data, so don't allow writes here. // if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) { SectionAccess = SECTION_MAP_READ | SECTION_MAP_EXECUTE; } else { SectionAccess = SECTION_ALL_ACCESS; } InitializeObjectAttributes (&ObjectAttributes, NULL, (OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE), NULL, NULL); Status = ZwCreateSection (&SectionHandle, SectionAccess, &ObjectAttributes, (PLARGE_INTEGER) NULL, PAGE_EXECUTE, SEC_IMAGE, FileHandle); if (!NT_SUCCESS(Status)) { goto return1; } // // Now reference the section handle. If this fails something is // very wrong because we are in a privileged process. // // N.B. ObRef sets SectionPointer to NULL on failure so it must be // reset to -1 in this case. // Status = ObReferenceObjectByHandle (SectionHandle, SECTION_MAP_EXECUTE, MmSectionObjectType, KernelMode, (PVOID *) &SectionPointer, (POBJECT_HANDLE_INFORMATION) NULL ); ZwClose (SectionHandle); if (!NT_SUCCESS (Status)) { SectionPointer = (PVOID)-1; // undo ObRef setting. goto return1; } if (SectionPointer->Segment->ControlArea->NumberOfSubsections == 1) { if (((LoadFlags & MM_LOAD_IMAGE_IN_SESSION) == 0) && (SectionPointer->Segment->BasedAddress != (PVOID)Session->SystemSpaceViewStart)) { PSECTION SectionPointer2; // // The driver was linked with subsection alignment such that // it is mapped with one subsection. Since the CreateSection // above guarantees that the driver image is indeed a // satisfactory executable, map it directly now to reuse the // cache from the MmCheckSystemImage call above. // Status = ZwCreateSection (&SectionHandle, SectionAccess, (POBJECT_ATTRIBUTES) NULL, (PLARGE_INTEGER) NULL, PAGE_EXECUTE, SEC_COMMIT, FileHandle ); if (NT_SUCCESS(Status)) { Status = ObReferenceObjectByHandle ( SectionHandle, SECTION_MAP_EXECUTE, MmSectionObjectType, KernelMode, (PVOID *) &SectionPointer2, (POBJECT_HANDLE_INFORMATION) NULL ); ZwClose (SectionHandle); if (NT_SUCCESS (Status)) { // // The number of PTEs won't match if the image is // stripped and the debug directory crosses the last // sector boundary of the file. We could still use the // new section, but these cases are under 2% of all the // drivers loaded so don't bother. // if (SectionPointer->Segment->TotalNumberOfPtes == SectionPointer2->Segment->TotalNumberOfPtes) { ObDereferenceObject (SectionPointer); SectionPointer = SectionPointer2; } else { ObDereferenceObject (SectionPointer2); } } } } } } // // Load the driver from the filesystem and pick a virtual address for it. // For Hydra, this means also allocating session virtual space, and // after mapping a view of the image, either copying or sharing the // driver's code and data in the session virtual space. // // If it is a share map because the image was loaded at its based address, // the disk image will remain busy. // Status = MiLoadImageSection (SectionPointer, ImageBaseAddress, ImageFileName, LoadFlags & MM_LOAD_IMAGE_IN_SESSION); NumberOfPtes = SectionPointer->Segment->TotalNumberOfPtes; if (Status == STATUS_ALREADY_COMMITTED) { // // This is a driver that was relocated that is being loaded into // the same session space twice. Don't increment the overall load // count - just the image count in the session which has already been // done. // ASSERT (AlreadyOpen == TRUE); ASSERT (LoadFlags & MM_LOAD_IMAGE_IN_SESSION); ASSERT (DataTableEntry != NULL); ASSERT (DataTableEntry->LoadCount > 1); *ImageHandle = DataTableEntry; *ImageBaseAddress = DataTableEntry->DllBase; DataTableEntry->LoadCount -= 1; Status = STATUS_SUCCESS; goto return1; } if ((MiFirstDriverLoadEver & 0x2) == 0) { NTSTATUS PagingPathStatus; // // Check with all of the drivers along the path to win32k.sys to // ensure that they are willing to follow the rules required // of them and to give them a chance to lock down code and data // that needs to be locked. If any of the drivers along the path // refuses to participate, fail the win32k.sys load. // // It is assumed that all drivers live on the same physical drive, so // when the very first driver is loaded, this check can be made. // This eliminates the need to check for things like relocated win32ks, // Terminal Server systems, etc. // // // In WinPE removable media boot case don't do this since user might // be running WinPE in RAM and would like to swap out the boot media. // if (InitWinPEModeType & INIT_WINPEMODE_REMOVABLE_MEDIA) { PagingPathStatus = STATUS_SUCCESS; } else { PagingPathStatus = PpPagePathAssign(SectionPointer->Segment->ControlArea->FilePointer); } if (!NT_SUCCESS(PagingPathStatus)) { KdPrint (("PpPagePathAssign FAILED for win32k.sys: %x\n", PagingPathStatus)); // // Failing the insertion of win32k.sys' device in the // pagefile path is commented out until the storage drivers have // been modified to correctly handle this request. If this is // added later, add code here to release relevant resources for // the error path. // } MiFirstDriverLoadEver |= 0x2; } // // Normal drivers are dereferenced here and their images can then be // overwritten. This is ok because we've already read the whole thing // into memory and from here until reboot (or unload), we back them // with the pagefile. // // win32k.sys and session space drivers are the exception - these images // are inpaged from the filesystem and we need to keep our reference to // the file so that it doesn't get overwritten. // if ((LoadFlags & MM_LOAD_IMAGE_IN_SESSION) == 0) { ObDereferenceObject (SectionPointer); SectionPointer = (PVOID)-1; } // // The module LoadCount will be 1 here if the module was just loaded. // The LoadCount will be >1 if it was attached to by a session (as opposed // to just loaded). // if (!NT_SUCCESS(Status)) { if (AlreadyOpen == TRUE) { // // We're failing and we were just attaching to an already loaded // driver. We don't want to go through the forced unload path // because we've already deleted the address space. Simply // decrement our reference and null the DataTableEntry // so we don't go through the forced unload path. // ASSERT (DataTableEntry != NULL); DataTableEntry->LoadCount -= 1; DataTableEntry = NULL; } goto return1; } // // Error recovery from this point out for sessions works as follows: // // For sessions, we may or may not have a DataTableEntry at this point. // If we do, it's because we're attaching to a driver that has already // been loaded - and the DataTableEntry->LoadCount has been bumped - so // the error recovery from here on out is to just call // MmUnloadSystemImage with the DataTableEntry. // // If this is the first load of a given driver into a session space, we // have no DataTableEntry at this point. The view has already been mapped // and committed and the group/session addresses reserved for this DLL. // The error recovery path handles all this because // MmUnloadSystemImage will zero the relevant fields in the // LDR_DATA_TABLE_ENTRY so that MmUnloadSystemImage will work properly. // IssueUnloadOnFailure = TRUE; if (((LoadFlags & MM_LOAD_IMAGE_IN_SESSION) == 0) || (*ImageBaseAddress != SectionPointer->Segment->BasedAddress)) { #if DBG // // Warn users about session images that cannot be shared // because they were linked at a bad address. // if ((LoadFlags & MM_LOAD_IMAGE_IN_SESSION) && (MmSessionSpace->SessionId != 0)) { DbgPrint ("MM: Session %d image %wZ is linked at a nonsharable address (%p)\n", MmSessionSpace->SessionId, ImageFileName, SectionPointer->Segment->BasedAddress); DbgPrint ("MM: Image %wZ has been moved to address (%p) by the system so it can run,\n", ImageFileName, *ImageBaseAddress); DbgPrint (" but this needs to be fixed in the image for sharing to occur.\n"); } #endif // // Apply the fixups to the section. // try { Status = LdrRelocateImage (*ImageBaseAddress, "SYSLDR", STATUS_SUCCESS, STATUS_CONFLICTING_ADDRESSES, STATUS_INVALID_IMAGE_FORMAT); } except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode(); KdPrint(("MM:sysload - LdrRelocateImage failed status %lx\n", Status)); } if (!NT_SUCCESS(Status)) { // // Unload the system image and dereference the section. // goto return1; } } if (AlreadyOpen == FALSE) { ULONG DebugInfoSize; PIMAGE_DATA_DIRECTORY DataDirectory; PIMAGE_DEBUG_DIRECTORY DebugDir; PNON_PAGED_DEBUG_INFO ssHeader; UCHAR i; DebugInfoSize = 0; DataDirectory = NULL; DebugDir = NULL; NtHeaders = RtlImageNtHeader(*ImageBaseAddress); // // Create a loader table entry for this driver before resolving the // references so that any circular references can resolve properly. // if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) { DebugInfoSize = sizeof (NON_PAGED_DEBUG_INFO); if (IMAGE_DIRECTORY_ENTRY_DEBUG < NtHeaders->OptionalHeader.NumberOfRvaAndSizes) { DataDirectory = &NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DEBUG]; if (DataDirectory->VirtualAddress && DataDirectory->Size && (DataDirectory->VirtualAddress + DataDirectory->Size) < NtHeaders->OptionalHeader.SizeOfImage) { DebugDir = (PIMAGE_DEBUG_DIRECTORY) ((PUCHAR)(*ImageBaseAddress) + DataDirectory->VirtualAddress); DebugInfoSize += DataDirectory->Size; for (i = 0; i < DataDirectory->Size/sizeof(IMAGE_DEBUG_DIRECTORY); i += 1) { if ((DebugDir+i)->PointerToRawData && (DebugDir+i)->PointerToRawData < NtHeaders->OptionalHeader.SizeOfImage && ((DebugDir+i)->PointerToRawData + (DebugDir+i)->SizeOfData) < NtHeaders->OptionalHeader.SizeOfImage) { DebugInfoSize += (DebugDir+i)->SizeOfData; } } } DebugInfoSize = MI_ROUND_TO_SIZE(DebugInfoSize, sizeof(ULONG)); } } DataTableEntrySize = sizeof (KLDR_DATA_TABLE_ENTRY) + DebugInfoSize + BaseName.Length + sizeof(UNICODE_NULL); DataTableEntry = ExAllocatePoolWithTag (NonPagedPool, DataTableEntrySize, 'dLmM'); if (DataTableEntry == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto return1; } // // Initialize the flags and load count. // DataTableEntry->Flags = LDRP_LOAD_IN_PROGRESS; DataTableEntry->LoadCount = 1; DataTableEntry->LoadedImports = (PVOID)LoadedImports; if ((NtHeaders->OptionalHeader.MajorOperatingSystemVersion >= 5) && (NtHeaders->OptionalHeader.MajorImageVersion >= 5)) { DataTableEntry->Flags |= LDRP_ENTRY_NATIVE; } ssHeader = (PNON_PAGED_DEBUG_INFO) ((ULONG_PTR)DataTableEntry + sizeof (KLDR_DATA_TABLE_ENTRY)); BaseDllNameBuffer = (PWSTR) ((ULONG_PTR)ssHeader + DebugInfoSize); // // If loading a session space image, store away some debug data. // DataTableEntry->NonPagedDebugInfo = NULL; if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) { DataTableEntry->NonPagedDebugInfo = ssHeader; DataTableEntry->Flags |= LDRP_NON_PAGED_DEBUG_INFO; ssHeader->Signature = NON_PAGED_DEBUG_SIGNATURE; ssHeader->Flags = 1; ssHeader->Size = DebugInfoSize; ssHeader->Machine = NtHeaders->FileHeader.Machine; ssHeader->Characteristics = NtHeaders->FileHeader.Characteristics; ssHeader->TimeDateStamp = NtHeaders->FileHeader.TimeDateStamp; ssHeader->CheckSum = NtHeaders->OptionalHeader.CheckSum; ssHeader->SizeOfImage = NtHeaders->OptionalHeader.SizeOfImage; ssHeader->ImageBase = (ULONG_PTR) *ImageBaseAddress; if (DebugDir) { RtlCopyMemory(ssHeader + 1, DebugDir, DataDirectory->Size); DebugInfoSize = DataDirectory->Size; for (i = 0; i < DataDirectory->Size/sizeof(IMAGE_DEBUG_DIRECTORY); i += 1) { if ((DebugDir + i)->PointerToRawData && (DebugDir+i)->PointerToRawData < NtHeaders->OptionalHeader.SizeOfImage && ((DebugDir+i)->PointerToRawData + (DebugDir+i)->SizeOfData) < NtHeaders->OptionalHeader.SizeOfImage) { RtlCopyMemory((PUCHAR)(ssHeader + 1) + DebugInfoSize, (PUCHAR)(*ImageBaseAddress) + (DebugDir + i)->PointerToRawData, (DebugDir + i)->SizeOfData); // // Reset the offset in the debug directory to point to // (((PIMAGE_DEBUG_DIRECTORY)(ssHeader + 1)) + i)-> PointerToRawData = DebugInfoSize; DebugInfoSize += (DebugDir+i)->SizeOfData; } else { (((PIMAGE_DEBUG_DIRECTORY)(ssHeader + 1)) + i)-> PointerToRawData = 0; } } } } // // Initialize the address of the DLL image file header and the entry // point address. // DataTableEntry->DllBase = *ImageBaseAddress; DataTableEntry->EntryPoint = ((PCHAR)*ImageBaseAddress + NtHeaders->OptionalHeader.AddressOfEntryPoint); DataTableEntry->SizeOfImage = NumberOfPtes << PAGE_SHIFT; DataTableEntry->CheckSum = NtHeaders->OptionalHeader.CheckSum; DataTableEntry->SectionPointer = (PVOID)SectionPointer; // // Store the DLL name. // DataTableEntry->BaseDllName.Buffer = BaseDllNameBuffer; DataTableEntry->BaseDllName.Length = BaseName.Length; DataTableEntry->BaseDllName.MaximumLength = BaseName.Length; RtlCopyMemory (DataTableEntry->BaseDllName.Buffer, BaseName.Buffer, BaseName.Length ); DataTableEntry->BaseDllName.Buffer[BaseName.Length/sizeof(WCHAR)] = UNICODE_NULL; DataTableEntry->FullDllName.Buffer = ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION, PrefixedImageName.Length + sizeof(UNICODE_NULL), 'TDmM'); if (DataTableEntry->FullDllName.Buffer == NULL) { // // Pool could not be allocated, just set the length to 0. // DataTableEntry->FullDllName.Length = 0; DataTableEntry->FullDllName.MaximumLength = 0; } else { DataTableEntry->FullDllName.Length = PrefixedImageName.Length; DataTableEntry->FullDllName.MaximumLength = PrefixedImageName.Length; RtlCopyMemory (DataTableEntry->FullDllName.Buffer, PrefixedImageName.Buffer, PrefixedImageName.Length); DataTableEntry->FullDllName.Buffer[PrefixedImageName.Length/sizeof(WCHAR)] = UNICODE_NULL; } // // Acquire the loaded module list resource and insert this entry // into the list. // MiProcessLoaderEntry (DataTableEntry, TRUE); } MissingProcedureName = NameBuffer; try { // // Resolving the image references results in other DLLs being // loaded if they are referenced by the module that was just loaded. // An example is when an OEM printer or FAX driver links with // other general libraries. This is not a problem for session space // because the general libraries do not have the global data issues // that win32k.sys and the video drivers do. So we just call the // standard kernel reference resolver and any referenced libraries // get loaded into system global space. Code in the routine // restricts which libraries can be referenced by a driver. // Status = MiResolveImageReferences (*ImageBaseAddress, &BaseDirectory, NamePrefix, &MissingProcedureName, &MissingDriverName, &LoadedImports); } except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode (); KdPrint(("MM:sysload - ResolveImageReferences failed status %x\n", Status)); } if (!NT_SUCCESS(Status)) { #if DBG if (Status == STATUS_OBJECT_NAME_NOT_FOUND) { ASSERT (MissingProcedureName == NULL); } if ((Status == STATUS_DRIVER_ORDINAL_NOT_FOUND) || (Status == STATUS_OBJECT_NAME_NOT_FOUND) || (Status == STATUS_DRIVER_ENTRYPOINT_NOT_FOUND)) { if ((ULONG_PTR)MissingProcedureName & ~((ULONG_PTR) (X64K-1))) { // // If not an ordinal, print string // DbgPrint("MissingProcedureName %s\n", MissingProcedureName); } else { DbgPrint("MissingProcedureName 0x%p\n", MissingProcedureName); } } if (MissingDriverName != NULL) { PrintableMissingDriverName = (PWSTR)((ULONG_PTR)MissingDriverName & ~0x1); DbgPrint("MissingDriverName %ws\n", PrintableMissingDriverName); } #endif if (AlreadyOpen == FALSE) { MiProcessLoaderEntry (DataTableEntry, FALSE); if (DataTableEntry->FullDllName.Buffer != NULL) { ExFreePool (DataTableEntry->FullDllName.Buffer); } ExFreePool (DataTableEntry); DataTableEntry = NULL; } goto return1; } if (AlreadyOpen == FALSE) { PERFINFO_IMAGE_LOAD(DataTableEntry); // // Reinitialize the flags and update the loaded imports. // DataTableEntry->Flags |= LDRP_SYSTEM_MAPPED | LDRP_ENTRY_PROCESSED; DataTableEntry->Flags &= ~LDRP_LOAD_IN_PROGRESS; DataTableEntry->LoadedImports = LoadedImports; MiApplyDriverVerifier (DataTableEntry, NULL); MiWriteProtectSystemImage (DataTableEntry->DllBase); if (PsImageNotifyEnabled) { IMAGE_INFO ImageInfo; ImageInfo.Properties = 0; ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT; ImageInfo.SystemModeImage = TRUE; ImageInfo.ImageSize = DataTableEntry->SizeOfImage; ImageInfo.ImageBase = *ImageBaseAddress; ImageInfo.ImageSelector = 0; ImageInfo.ImageSectionNumber = 0; PsCallImageNotifyRoutines(ImageFileName, (HANDLE)NULL, &ImageInfo); } if (CacheImageSymbols (*ImageBaseAddress)) { // // TEMP TEMP TEMP rip out when debugger converted // ANSI_STRING AnsiName; UNICODE_STRING UnicodeName; // // \SystemRoot is 11 characters in length // if (PrefixedImageName.Length > (11 * sizeof (WCHAR )) && !_wcsnicmp (PrefixedImageName.Buffer, (const PUSHORT)L"\\SystemRoot", 11)) { UnicodeName = PrefixedImageName; UnicodeName.Buffer += 11; UnicodeName.Length -= (11 * sizeof (WCHAR)); sprintf (NameBuffer, "%ws%wZ", &SharedUserData->NtSystemRoot[2], &UnicodeName); } else { sprintf (NameBuffer, "%wZ", &BaseName); } RtlInitString (&AnsiName, NameBuffer); DbgLoadImageSymbols (&AnsiName, *ImageBaseAddress, (ULONG_PTR) -1); DataTableEntry->Flags |= LDRP_DEBUG_SYMBOLS_LOADED; } } // // Flush the instruction cache on all systems in the configuration. // KeSweepIcache (TRUE); *ImageHandle = DataTableEntry; Status = STATUS_SUCCESS; if (LoadFlags & MM_LOAD_IMAGE_IN_SESSION) { MI_LOG_SESSION_DATA_START (DataTableEntry); MmPageEntireDriver (DataTableEntry->EntryPoint); } else if ((SectionPointer == (PVOID)-1) && ((LoadFlags & MM_LOAD_IMAGE_AND_LOCKDOWN) == 0)) { MiEnablePagingOfDriver (DataTableEntry); } return1: if (!NT_SUCCESS(Status)) { if ((AlreadyOpen == FALSE) && (SectionPointer != (PVOID)-1)) { // // This is needed for failed win32k.sys loads or any session's // load of the first instance of a driver. // ObDereferenceObject (SectionPointer); } if (IssueUnloadOnFailure == TRUE) { if (DataTableEntry == NULL) { RtlZeroMemory (&TempDataTableEntry, sizeof(KLDR_DATA_TABLE_ENTRY)); DataTableEntry = &TempDataTableEntry; DataTableEntry->DllBase = *ImageBaseAddress; DataTableEntry->SizeOfImage = NumberOfPtes << PAGE_SHIFT; DataTableEntry->LoadCount = 1; DataTableEntry->LoadedImports = LoadedImports; } #if DBG else { // // If DataTableEntry is NULL, then we are unloading before one // got created. Once a LDR_DATA_TABLE_ENTRY is created, the // load cannot fail, so if exists here, at least one other // session contains this image as well. // ASSERT (DataTableEntry->LoadCount > 1); } #endif MmUnloadSystemImage ((PVOID)DataTableEntry); } } if (FileHandle) { ZwClose (FileHandle); } if (!NT_SUCCESS(Status)) { UNICODE_STRING ErrorStrings[4]; ULONG UniqueErrorValue; ULONG StringSize; ULONG StringCount; ANSI_STRING AnsiString; UNICODE_STRING ProcedureName; UNICODE_STRING DriverName; ULONG i; PWCHAR temp; PWCHAR ptr; ULONG PacketSize; SIZE_T length; PIO_ERROR_LOG_PACKET ErrLog; // // The driver could not be loaded - log an event with the details. // KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegionThread (CurrentThread); StringSize = 0; *(&ErrorStrings[0]) = *ImageFileName; StringSize += (ImageFileName->Length + sizeof(UNICODE_NULL)); StringCount = 1; UniqueErrorValue = 0; RtlInitUnicodeString (&ProcedureName, NULL); PrintableMissingDriverName = (PWSTR)((ULONG_PTR)MissingDriverName & ~0x1); if ((Status == STATUS_DRIVER_ORDINAL_NOT_FOUND) || (Status == STATUS_DRIVER_ENTRYPOINT_NOT_FOUND) || (Status == STATUS_OBJECT_NAME_NOT_FOUND) || (Status == STATUS_PROCEDURE_NOT_FOUND)) { ErrorStrings[1].Buffer = L"cannot find"; length = wcslen(ErrorStrings[1].Buffer) * sizeof(WCHAR); ErrorStrings[1].Length = (USHORT) length; StringSize += (ULONG)(length + sizeof (UNICODE_NULL)); StringCount += 1; RtlInitUnicodeString (&DriverName, PrintableMissingDriverName); StringSize += (DriverName.Length + sizeof(UNICODE_NULL)); StringCount += 1; *(&ErrorStrings[2]) = *(&DriverName); if ((ULONG_PTR)MissingProcedureName & ~((ULONG_PTR) (X64K-1))) { // // If not an ordinal, pass as a Unicode string // RtlInitAnsiString (&AnsiString, MissingProcedureName); RtlAnsiStringToUnicodeString (&ProcedureName, &AnsiString, TRUE); StringSize += (ProcedureName.Length + sizeof(UNICODE_NULL)); StringCount += 1; *(&ErrorStrings[3]) = *(&ProcedureName); } else { // // Just pass ordinal values as is in the UniqueErrorValue. // UniqueErrorValue = PtrToUlong (MissingProcedureName); } } else { UniqueErrorValue = (ULONG) Status; Status = STATUS_DRIVER_UNABLE_TO_LOAD; ErrorStrings[1].Buffer = L"failed to load"; length = wcslen(ErrorStrings[1].Buffer) * sizeof(WCHAR); ErrorStrings[1].Length = (USHORT) length; StringSize += (ULONG)(length + sizeof (UNICODE_NULL)); StringCount += 1; } PacketSize = sizeof (IO_ERROR_LOG_PACKET) + StringSize; // // Enforce I/O manager interface (ie: UCHAR) size restrictions. // if (PacketSize < MAXUCHAR) { ErrLog = IoAllocateGenericErrorLogEntry ((UCHAR)PacketSize); if (ErrLog != NULL) { // // Fill it in and write it out as a single string. // ErrLog->ErrorCode = STATUS_LOG_HARD_ERROR; ErrLog->FinalStatus = Status; ErrLog->UniqueErrorValue = UniqueErrorValue; ErrLog->StringOffset = (USHORT) sizeof (IO_ERROR_LOG_PACKET); temp = (PWCHAR) ((PUCHAR) ErrLog + ErrLog->StringOffset); for (i = 0; i < StringCount; i += 1) { ptr = ErrorStrings[i].Buffer; RtlCopyMemory (temp, ptr, ErrorStrings[i].Length); temp += (ErrorStrings[i].Length / sizeof (WCHAR)); *temp = L' '; temp += 1; } *(temp - 1) = UNICODE_NULL; ErrLog->NumberOfStrings = 1; IoWriteErrorLogEntry (ErrLog); } } // // The only way this pointer has the low bit set is if we are expected // to free the pool containing the name. Typically the name points at // a loaded module list entry and so no one has to free it and in this // case the low bit will NOT be set. If the module could not be found // and was therefore not loaded, then we left a piece of pool around // containing the name since there is no loaded module entry already - // this must be released now. // if ((ULONG_PTR)MissingDriverName & 0x1) { ExFreePool (PrintableMissingDriverName); } if (ProcedureName.Buffer != NULL) { RtlFreeUnicodeString (&ProcedureName); } ExFreePool (NameBuffer); return Status; } return2: KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegionThread (CurrentThread); if (NamePrefix) { ExFreePool (PrefixedImageName.Buffer); } ExFreePool (NameBuffer); return Status; } VOID MiReturnFailedSessionPages ( IN PMMPTE PointerPte, IN PMMPTE LastPte, IN PFN_NUMBER NumberOfPages ) /*++ Routine Description: This routine is a nonpaged wrapper which undoes session image loads that failed midway through reading in the pages. Arguments: PointerPte - Supplies the starting PTE for the range to unload. LastPte - Supplies the ending PTE for the range to unload. NumberOfPages - Supplies the number of resident available pages that were charged and now need to be returned. Return Value: None. --*/ { KIRQL OldIrql; PMMPFN Pfn1; PFN_NUMBER PageFrameIndex; LOCK_PFN (OldIrql); while (PointerPte <= LastPte) { if (PointerPte->u.Hard.Valid == 1) { // // Delete the page. // PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte); // // Set the pointer to PTE as empty so the page // is deleted when the reference count goes to zero. // Pfn1 = MI_PFN_ELEMENT (PageFrameIndex); MiDecrementShareAndValidCount (Pfn1->u4.PteFrame); MI_SET_PFN_DELETED (Pfn1); MiDecrementShareCountOnly (PageFrameIndex); MI_WRITE_INVALID_PTE (PointerPte, ZeroPte); } PointerPte += 1; } MmResidentAvailablePages += NumberOfPages; MM_BUMP_COUNTER(17, NumberOfPages); UNLOCK_PFN (OldIrql); } NTSTATUS MiLoadImageSection ( IN PSECTION SectionPointer, OUT PVOID *ImageBaseAddress, IN PUNICODE_STRING ImageFileName, IN ULONG LoadInSessionSpace ) /*++ Routine Description: This routine loads the specified image into the kernel part of the address space. Arguments: SectionPointer - Supplies the section object for the image. ImageBaseAddress - Returns the address that the image header is at. ImageFileName - Supplies the full path name (including the image name) of the image to load. LoadInSessionSpace - Supplies nonzero to load this image in session space. Each session gets a different copy of this driver with pages shared as much as possible via copy on write. Supplies zero if this image should be loaded in global space. Return Value: Status of the operation. --*/ { KAPC_STATE ApcState; PFN_NUMBER PagesRequired; PFN_NUMBER ActualPagesUsed; PVOID OpaqueSession; PMMPTE ProtoPte; PMMPTE FirstPte; PMMPTE LastPte; PMMPTE PointerPte; PEPROCESS Process; PEPROCESS TargetProcess; ULONG NumberOfPtes; MMPTE PteContents; MMPTE TempPte; PFN_NUMBER PageFrameIndex; PVOID UserVa; PVOID SystemVa; NTSTATUS Status; NTSTATUS ExceptionStatus; PVOID Base; ULONG_PTR ViewSize; LARGE_INTEGER SectionOffset; LOGICAL LoadSymbols; PVOID BaseAddress; PFN_NUMBER CommittedPages; SIZE_T SectionSize; LOGICAL AlreadyLoaded; PCONTROL_AREA ControlArea; PSUBSECTION Subsection; PAGED_CODE(); NumberOfPtes = SectionPointer->Segment->TotalNumberOfPtes; if (LoadInSessionSpace != 0) { SectionSize = (ULONG_PTR)NumberOfPtes * PAGE_SIZE; // // Allocate a unique systemwide session space virtual address for // the driver. // Status = MiSessionWideReserveImageAddress (ImageFileName, SectionPointer, PAGE_SIZE, &BaseAddress, &AlreadyLoaded); if (!NT_SUCCESS(Status)) { return Status; } // // This is a request to load an existing driver. This can // occur with printer drivers for example. // if (AlreadyLoaded == TRUE) { *ImageBaseAddress = BaseAddress; return STATUS_ALREADY_COMMITTED; } #if DBG if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) { DbgPrint ("MM: MiLoadImageSection: Image %wZ, BasedAddress 0x%p, Allocated Session BaseAddress 0x%p\n", ImageFileName, SectionPointer->Segment->BasedAddress, BaseAddress); } #endif if (BaseAddress == SectionPointer->Segment->BasedAddress) { // // We were able to load the image at its based address, so // map its image segments as backed directly by the file image. // All pristine pages of the image will be shared across all // sessions, with each page treated as copy-on-write on first write. // // NOTE: This makes the file image "busy", a different behavior // as normal kernel drivers are backed by the paging file only. // // Map the image into session space. // Status = MiShareSessionImage (SectionPointer, &SectionSize); if (!NT_SUCCESS(Status)) { MiRemoveImageSessionWide (BaseAddress); return Status; } ASSERT (BaseAddress == SectionPointer->Segment->BasedAddress); *ImageBaseAddress = BaseAddress; // // Indicate that this section has been loaded into the system. // SectionPointer->Segment->SystemImageBase = BaseAddress; #if DBG if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) { DbgPrint ("MM: MiLoadImageSection: Mapped image %wZ at requested session address 0x%p\n", ImageFileName, BaseAddress); } #endif return Status; } // // The image could not be loaded at its based address. It must be // copied to its new address using private page file backed pages. // Our caller will relocate the internal references and then bind the // image. Allocate the pages and page tables for the image now. // Status = MiSessionCommitImagePages (BaseAddress, SectionSize); if (!NT_SUCCESS(Status)) { #if DBG if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) { DbgPrint ("MM: MiLoadImageSection: Error 0x%x Allocating session space %p Bytes\n", Status, SectionSize); } #endif MiRemoveImageSessionWide (BaseAddress); return Status; } SystemVa = BaseAddress; // // Initializing these is not needed for correctness, but // without it the compiler cannot compile this code W4 to check // for use of uninitialized variables. // PagesRequired = 0; ActualPagesUsed = 0; PointerPte = NULL; FirstPte = NULL; } else { // // Initializing SectionSize and BaseAddress is not needed for // correctness, but without it the compiler cannot compile this // code W4 to check for use of uninitialized variables. // SectionSize = 0; BaseAddress = NULL; // // Calculate the number of pages required to load this image. // // Start out by charging for everything and subtract out any gap // pages after the image loads successfully. // PagesRequired = NumberOfPtes; ActualPagesUsed = 0; // // See if ample pages exist to load this image. // if (MiChargeResidentAvailable (PagesRequired, 14) == FALSE) { return STATUS_INSUFFICIENT_RESOURCES; } // // Reserve the necessary system address space. // FirstPte = MiReserveSystemPtes (NumberOfPtes, SystemPteSpace); if (FirstPte == NULL) { MiReturnResidentAvailable (PagesRequired, 15); return STATUS_INSUFFICIENT_RESOURCES; } PointerPte = FirstPte; SystemVa = MiGetVirtualAddressMappedByPte (PointerPte); if (MiChargeCommitment (PagesRequired, NULL) == FALSE) { MiReturnResidentAvailable (PagesRequired, 15); MiReleaseSystemPtes (FirstPte, NumberOfPtes, SystemPteSpace); return STATUS_INSUFFICIENT_RESOURCES; } MM_TRACK_COMMIT (MM_DBG_COMMIT_DRIVER_PAGES, PagesRequired); InterlockedExchangeAdd ((PLONG)&MmDriverCommit, (LONG) PagesRequired); } // // Map a view into the user portion of the address space. // Process = PsGetCurrentProcess(); // // Since callees are not always in the context of the system process, // attach here when necessary to guarantee the driver load occurs in a // known safe address space to prevent security holes. // OpaqueSession = NULL; if ((Process->Peb != NULL) && (Process->Vm.Flags.SessionLeader == 0) && (MiSessionLeaderExists == 2)) { OpaqueSession = MiAttachToSecureProcessInSession (&ApcState); if (OpaqueSession == NULL) { if (LoadInSessionSpace != 0) { CommittedPages = MiDeleteSystemPagableVm ( MiGetPteAddress (BaseAddress), BYTES_TO_PAGES (SectionSize), ZeroKernelPte, TRUE, NULL); InterlockedExchangeAddSizeT (&MmSessionSpace->CommittedPages, 0 - CommittedPages); MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGELOAD_FAILED1, (ULONG)CommittedPages); // // Return the commitment we took out on the pagefile when // the page was allocated. This is needed for collided images // since all the pages get committed regardless of writability. // MiRemoveImageSessionWide (BaseAddress); } else { MiReturnResidentAvailable (PagesRequired, 15); MiReleaseSystemPtes (FirstPte, NumberOfPtes, SystemPteSpace); MiReturnCommitment (PagesRequired); } return STATUS_PROCESS_IS_TERMINATING; } // // We are now attached to a secure process in the current session. // } ZERO_LARGE (SectionOffset); Base = NULL; ViewSize = 0; if (NtGlobalFlag & FLG_ENABLE_KDEBUG_SYMBOL_LOAD) { LoadSymbols = TRUE; NtGlobalFlag &= ~FLG_ENABLE_KDEBUG_SYMBOL_LOAD; } else { LoadSymbols = FALSE; } TargetProcess = PsGetCurrentProcess (); Status = MmMapViewOfSection (SectionPointer, TargetProcess, &Base, 0, 0, &SectionOffset, &ViewSize, ViewUnmap, 0, PAGE_EXECUTE); if (LoadSymbols) { NtGlobalFlag |= FLG_ENABLE_KDEBUG_SYMBOL_LOAD; } if (Status == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) { Status = STATUS_INVALID_IMAGE_FORMAT; } if (!NT_SUCCESS(Status)) { if (OpaqueSession != NULL) { MiDetachFromSecureProcessInSession (OpaqueSession, &ApcState); } if (LoadInSessionSpace != 0) { #if DBG if (NtGlobalFlag & FLG_SHOW_LDR_SNAPS) { DbgPrint ("MiLoadImageSection: Error 0x%x in session space mapping via MmMapViewOfSection\n", Status); } #endif CommittedPages = MiDeleteSystemPagableVm ( MiGetPteAddress (BaseAddress), BYTES_TO_PAGES (SectionSize), ZeroKernelPte, TRUE, NULL); InterlockedExchangeAddSizeT (&MmSessionSpace->CommittedPages, 0 - CommittedPages); MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGELOAD_FAILED1, (ULONG)CommittedPages); // // Return the commitment we took out on the pagefile when // the page was allocated. This is needed for collided images // since all the pages get committed regardless of writability. // MiRemoveImageSessionWide (BaseAddress); } else { MiReturnResidentAvailable (PagesRequired, 16); MiReleaseSystemPtes (FirstPte, NumberOfPtes, SystemPteSpace); MiReturnCommitment (PagesRequired); } return Status; } // // Allocate a physical page(s) and copy the image data. // Note Hydra has already allocated the physical pages and just does // data copying here. // ControlArea = SectionPointer->Segment->ControlArea; if ((ControlArea->u.Flags.GlobalOnlyPerSession == 0) && (ControlArea->u.Flags.Rom == 0)) { Subsection = (PSUBSECTION)(ControlArea + 1); } else { Subsection = (PSUBSECTION)((PLARGE_CONTROL_AREA)ControlArea + 1); } ASSERT (Subsection->SubsectionBase != NULL); ProtoPte = Subsection->SubsectionBase; *ImageBaseAddress = SystemVa; UserVa = Base; TempPte = ValidKernelPte; TempPte.u.Long |= MM_PTE_EXECUTE; LastPte = ProtoPte + NumberOfPtes; ExceptionStatus = STATUS_SUCCESS; while (ProtoPte < LastPte) { PteContents = *ProtoPte; if ((PteContents.u.Hard.Valid == 1) || (PteContents.u.Soft.Protection != MM_NOACCESS)) { if (LoadInSessionSpace == 0) { ActualPagesUsed += 1; PageFrameIndex = MiAllocatePfn (PointerPte, MM_EXECUTE); TempPte.u.Hard.PageFrameNumber = PageFrameIndex; MI_WRITE_VALID_PTE (PointerPte, TempPte); ASSERT (MI_PFN_ELEMENT (PageFrameIndex)->u1.WsIndex == 0); } try { RtlCopyMemory (SystemVa, UserVa, PAGE_SIZE); } except (MiMapCacheExceptionFilter (&ExceptionStatus, GetExceptionInformation())) { // // An exception occurred, unmap the view and // return the error to the caller. // #if DBG DbgPrint("MiLoadImageSection: Exception 0x%x copying driver SystemVa 0x%p, UserVa 0x%p\n",ExceptionStatus,SystemVa,UserVa); #endif if (LoadInSessionSpace != 0) { CommittedPages = MiDeleteSystemPagableVm ( MiGetPteAddress (BaseAddress), BYTES_TO_PAGES (SectionSize), ZeroKernelPte, TRUE, NULL); InterlockedExchangeAddSizeT (&MmSessionSpace->CommittedPages, 0 - CommittedPages); MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGELOAD_FAILED2, (ULONG)CommittedPages); // // Return the commitment we took out on the pagefile when // the page was allocated. This is needed for collided // images since all the pages get committed regardless // of writability. // MiReturnCommitment (CommittedPages); MM_TRACK_COMMIT (MM_DBG_COMMIT_RETURN_SESSION_DRIVER_LOAD_FAILURE1, CommittedPages); } else { MiReturnFailedSessionPages (FirstPte, PointerPte, PagesRequired); MiReleaseSystemPtes (FirstPte, NumberOfPtes, SystemPteSpace); MiReturnCommitment (PagesRequired); } Status = MiUnmapViewOfSection (TargetProcess, Base, FALSE); ASSERT (NT_SUCCESS (Status)); // // Purge the section as we want these pages on the freelist // instead of at the tail of standby, as we're completely // done with the section. This is because other valuable // standby pages end up getting reused (especially during // bootup) when the section pages are the ones that really // will never be referenced again. // // Note this isn't done for session images as they're // inpaged directly from the filesystem via the section. // if (LoadInSessionSpace == 0) { MmPurgeSection (ControlArea->FilePointer->SectionObjectPointer, NULL, 0, FALSE); } if (OpaqueSession != NULL) { MiDetachFromSecureProcessInSession (OpaqueSession, &ApcState); } if (LoadInSessionSpace != 0) { MiRemoveImageSessionWide (BaseAddress); } return ExceptionStatus; } } else { // // The PTE is no access - if this driver is being loaded in session // space we already preloaded the page so free it now. The // commitment is returned when the whole image is unmapped. // if (LoadInSessionSpace != 0) { CommittedPages = MiDeleteSystemPagableVm ( MiGetPteAddress (SystemVa), 1, ZeroKernelPte, TRUE, NULL); MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGELOAD_NOACCESS, 1); } else { MI_WRITE_INVALID_PTE (PointerPte, ZeroKernelPte); } } ProtoPte += 1; if (LoadInSessionSpace == 0) { PointerPte += 1; } SystemVa = ((PCHAR)SystemVa + PAGE_SIZE); UserVa = ((PCHAR)UserVa + PAGE_SIZE); } Status = MiUnmapViewOfSection (TargetProcess, Base, FALSE); ASSERT (NT_SUCCESS (Status)); // // Purge the section as we want these pages on the freelist instead of // at the tail of standby, as we're completely done with the section. // This is because other valuable standby pages end up getting reused // (especially during bootup) when the section pages are the ones that // really will never be referenced again. // // Note this isn't done for session images as they're inpaged directly // from the filesystem via the section. // if (LoadInSessionSpace == 0) { MmPurgeSection (ControlArea->FilePointer->SectionObjectPointer, NULL, 0, FALSE); } if (OpaqueSession != NULL) { MiDetachFromSecureProcessInSession (OpaqueSession, &ApcState); } // // Indicate that this section has been loaded into the system. // SectionPointer->Segment->SystemImageBase = *ImageBaseAddress; if (LoadInSessionSpace == 0) { // // Return any excess resident available and commit. // if (PagesRequired != ActualPagesUsed) { ASSERT (PagesRequired > ActualPagesUsed); PagesRequired -= ActualPagesUsed; MiReturnResidentAvailable (PagesRequired, 13); MiReturnCommitment (PagesRequired); } } return Status; } VOID MmFreeDriverInitialization ( IN PVOID ImageHandle ) /*++ Routine Description: This routine removes the pages that relocate and debug information from the address space of the driver. NOTE: This routine looks at the last sections defined in the image header and if that section is marked as DISCARDABLE in the characteristics, it is removed from the image. This means that all discardable sections at the end of the driver are deleted. Arguments: SectionObject - Supplies the section object for the image. Return Value: None. --*/ { PKLDR_DATA_TABLE_ENTRY DataTableEntry; PMMPTE PointerPte; PMMPTE LastPte; PFN_NUMBER NumberOfPtes; PVOID Base; ULONG i; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_SECTION_HEADER NtSection; PIMAGE_SECTION_HEADER FoundSection; PFN_NUMBER PagesDeleted; DataTableEntry = (PKLDR_DATA_TABLE_ENTRY)ImageHandle; Base = DataTableEntry->DllBase; ASSERT (MI_IS_SESSION_ADDRESS (Base) == FALSE); NumberOfPtes = DataTableEntry->SizeOfImage >> PAGE_SHIFT; LastPte = MiGetPteAddress (Base) + NumberOfPtes; NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(Base); NtSection = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + NtHeaders->FileHeader.SizeOfOptionalHeader ); NtSection += NtHeaders->FileHeader.NumberOfSections; FoundSection = NULL; for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i += 1) { NtSection -= 1; if ((NtSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) != 0) { FoundSection = NtSection; } else { // // There was a non discardable section between the this // section and the last non discardable section, don't // discard this section and don't look any more. // break; } } if (FoundSection != NULL) { PointerPte = MiGetPteAddress ((PVOID)(ROUND_TO_PAGES ( (PCHAR)Base + FoundSection->VirtualAddress))); NumberOfPtes = (PFN_NUMBER)(LastPte - PointerPte); PagesDeleted = MiDeleteSystemPagableVm (PointerPte, NumberOfPtes, ZeroKernelPte, FALSE, NULL); MiReturnResidentAvailable (PagesDeleted, 18); MiReturnCommitment (PagesDeleted); MM_TRACK_COMMIT (MM_DBG_COMMIT_RETURN_DRIVER_INIT_CODE, PagesDeleted); InterlockedExchangeAdd ((PLONG)&MmDriverCommit, (LONG) (0 - PagesDeleted)); } return; } LOGICAL MiChargeResidentAvailable ( IN PFN_NUMBER NumberOfPages, IN ULONG Id ) /*++ Routine Description: This routine is a nonpaged wrapper to charge resident available pages. Arguments: NumberOfPages - Supplies the number of pages to charge. Id - Supplies a tracking ID for debugging purposes. Return Value: TRUE if the pages were charged, FALSE if not. --*/ { KIRQL OldIrql; LOCK_PFN (OldIrql); if (MI_NONPAGABLE_MEMORY_AVAILABLE() <= (SPFN_NUMBER)NumberOfPages) { UNLOCK_PFN (OldIrql); return FALSE; } MmResidentAvailablePages -= NumberOfPages; MM_BUMP_COUNTER(Id, NumberOfPages); UNLOCK_PFN (OldIrql); return TRUE; } VOID MiReturnResidentAvailable ( IN PFN_NUMBER NumberOfPages, IN ULONG Id ) /*++ Routine Description: This routine is a nonpaged wrapper to return resident available pages. Arguments: NumberOfPages - Supplies the number of pages to return. Id - Supplies a tracking ID for debugging purposes. Return Value: None. --*/ { KIRQL OldIrql; LOCK_PFN (OldIrql); MmResidentAvailablePages += NumberOfPages; MM_BUMP_COUNTER(Id, NumberOfPages); UNLOCK_PFN (OldIrql); } VOID MiEnablePagingOfDriver ( IN PVOID ImageHandle ) { PKLDR_DATA_TABLE_ENTRY DataTableEntry; PMMPTE LastPte; PMMPTE PointerPte; PVOID Base; ULONG i; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_SECTION_HEADER FoundSection; PIMAGE_OPTIONAL_HEADER OptionalHeader; // // Don't page kernel mode code if customer does not want it paged. // if (MmDisablePagingExecutive & MM_SYSTEM_CODE_LOCKED_DOWN) { return; } // // If the driver has pagable code, make it paged. // DataTableEntry = (PKLDR_DATA_TABLE_ENTRY)ImageHandle; Base = DataTableEntry->DllBase; NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(Base); OptionalHeader = (PIMAGE_OPTIONAL_HEADER)((PCHAR)NtHeaders + #if defined (_WIN64) FIELD_OFFSET (IMAGE_NT_HEADERS64, OptionalHeader)); #else FIELD_OFFSET (IMAGE_NT_HEADERS32, OptionalHeader)); #endif FoundSection = IMAGE_FIRST_SECTION (NtHeaders); i = NtHeaders->FileHeader.NumberOfSections; PointerPte = NULL; // // Initializing LastPte is not needed for correctness, but without it // the compiler cannot compile this code W4 to check for use of // uninitialized variables. // LastPte = NULL; while (i > 0) { #if DBG if ((*(PULONG)FoundSection->Name == 'tini') || (*(PULONG)FoundSection->Name == 'egap')) { DbgPrint("driver %wZ has lower case sections (init or pagexxx)\n", &DataTableEntry->FullDllName); } #endif //DBG // // Mark as pagable any section which starts with the // first 4 characters PAGE or .eda (for the .edata section). // if ((*(PULONG)FoundSection->Name == 'EGAP') || (*(PULONG)FoundSection->Name == 'ade.')) { // // This section is pagable, save away the start and end. // if (PointerPte == NULL) { // // Previous section was NOT pagable, get the start address. // PointerPte = MiGetPteAddress ((PVOID)(ROUND_TO_PAGES ( (PCHAR)Base + FoundSection->VirtualAddress))); } LastPte = MiGetPteAddress ((PCHAR)Base + FoundSection->VirtualAddress + (OptionalHeader->SectionAlignment - 1) + FoundSection->SizeOfRawData - PAGE_SIZE); } else { // // This section is not pagable, if the previous section was // pagable, enable it. // if (PointerPte != NULL) { MiSetPagingOfDriver (PointerPte, LastPte, FALSE); PointerPte = NULL; } } i -= 1; FoundSection += 1; } if (PointerPte != NULL) { MiSetPagingOfDriver (PointerPte, LastPte, FALSE); } } VOID MiSetPagingOfDriver ( IN PMMPTE PointerPte, IN PMMPTE LastPte, IN LOGICAL SessionSpace ) /*++ Routine Description: This routine marks the specified range of PTEs as pagable. Arguments: PointerPte - Supplies the starting PTE. LastPte - Supplies the ending PTE. SessionSpace - Supplies TRUE if this mapping is in session space, FALSE if not. Return Value: None. Environment: Kernel Mode, IRQL of APC_LEVEL or below. This routine could be made PAGELK but it is a high frequency routine so it is actually better to keep it nonpaged to avoid bringing in the entire PAGELK section. --*/ { PVOID Base; PFN_NUMBER PageCount; PFN_NUMBER PageFrameIndex; PMMPFN Pfn; MMPTE TempPte; MMPTE PreviousPte; KIRQL OldIrql1; KIRQL OldIrql; PAGED_CODE (); ASSERT ((SessionSpace == FALSE) || (MmIsAddressValid(MmSessionSpace) == TRUE)); if (MI_IS_PHYSICAL_ADDRESS(MiGetVirtualAddressMappedByPte(PointerPte))) { // // No need to lock physical addresses. // return; } PageCount = 0; if (SessionSpace == TRUE) { LOCK_SESSION_SPACE_WS (OldIrql1, PsGetCurrentThread ()); } else { LOCK_SYSTEM_WS (OldIrql1, PsGetCurrentThread ()); } LOCK_PFN (OldIrql); Base = MiGetVirtualAddressMappedByPte (PointerPte); while (PointerPte <= LastPte) { // // Check to make sure this PTE has not already been // made pagable (or deleted). It is pagable if it // is not valid, or if the PFN database wsindex element // is non zero. // if (PointerPte->u.Hard.Valid == 1) { PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte); Pfn = MI_PFN_ELEMENT (PageFrameIndex); ASSERT (Pfn->u2.ShareCount == 1); if (Pfn->u1.WsIndex == 0) { // // Original PTE may need to be set for drivers loaded // via ntldr. // if (Pfn->OriginalPte.u.Long == 0) { Pfn->OriginalPte.u.Long = MM_KERNEL_DEMAND_ZERO_PTE; Pfn->OriginalPte.u.Soft.Protection |= MM_EXECUTE; } TempPte = *PointerPte; MI_MAKE_VALID_PTE_TRANSITION (TempPte, Pfn->OriginalPte.u.Soft.Protection); PreviousPte.u.Flush = KeFlushSingleTb (Base, TRUE, TRUE, (PHARDWARE_PTE)PointerPte, TempPte.u.Flush); MI_CAPTURE_DIRTY_BIT_TO_PFN (&PreviousPte, Pfn); // // Flush the translation buffer and decrement the number of valid // PTEs within the containing page table page. Note that for a // private page, the page table page is still needed because the // page is in transition. // MiDecrementShareCount (PageFrameIndex); MmResidentAvailablePages += 1; MM_BUMP_COUNTER(19, 1); MmTotalSystemDriverPages += 1; PageCount += 1; } else { // // This page is already pagable and has a WSLE entry. // Ignore it here and let the trimmer take it if memory // comes under pressure. // } } Base = (PVOID)((PCHAR)Base + PAGE_SIZE); PointerPte += 1; } if (SessionSpace == TRUE) { // // Session space has no ASN - flush the entire TB. // MI_FLUSH_ENTIRE_SESSION_TB (TRUE, TRUE); } UNLOCK_PFN (OldIrql); if (SessionSpace == TRUE) { // // These pages are no longer locked down. // MM_BUMP_SESS_COUNTER (MM_DBG_SESSION_NP_PAGE_DRIVER, (ULONG)PageCount); MmSessionSpace->NonPagablePages -= PageCount; MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_DRIVER_PAGES_UNLOCKED, (ULONG)PageCount); UNLOCK_SESSION_SPACE_WS (OldIrql1); } else { UNLOCK_SYSTEM_WS (OldIrql1); } } PVOID MmPageEntireDriver ( IN PVOID AddressWithinSection ) /*++ Routine Description: This routine allows a driver to page out all of its code and data regardless of the attributes of the various image sections. Note, this routine can be called multiple times with no intervening calls to MmResetDriverPaging. Arguments: AddressWithinSection - Supplies an address within the driver, e.g. DriverEntry. Return Value: Base address of driver. Environment: Kernel mode, APC_LEVEL or below. --*/ { PKLDR_DATA_TABLE_ENTRY DataTableEntry; PMMPTE FirstPte; PMMPTE LastPte; PVOID BaseAddress; PSECTION SectionPointer; LOGICAL SessionSpace; PAGED_CODE(); DataTableEntry = MiLookupDataTableEntry (AddressWithinSection, FALSE); if (DataTableEntry == NULL) { return NULL; } // // Don't page kernel mode code if disabled via registry. // if (MmDisablePagingExecutive & MM_SYSTEM_CODE_LOCKED_DOWN) { BaseAddress = DataTableEntry->DllBase; goto success; } SectionPointer = (PSECTION)DataTableEntry->SectionPointer; SessionSpace = MI_IS_SESSION_IMAGE_ADDRESS (AddressWithinSection); if ((SectionPointer != NULL) && (SectionPointer != (PVOID)-1)) { // // Driver is mapped as an image (ie: win32k), this is always pagable. // For session space, an image that has been loaded at its desired // address is also always pagable. If there was an address collision, // then we fall through because we have to explicitly page it. // if (SessionSpace == TRUE) { if (SectionPointer->Segment && SectionPointer->Segment->BasedAddress == SectionPointer->Segment->SystemImageBase) { BaseAddress = DataTableEntry->DllBase; goto success; } } else { BaseAddress = DataTableEntry->DllBase; goto success; } } BaseAddress = DataTableEntry->DllBase; FirstPte = MiGetPteAddress (BaseAddress); LastPte = (FirstPte - 1) + (DataTableEntry->SizeOfImage >> PAGE_SHIFT); MiSetPagingOfDriver (FirstPte, LastPte, SessionSpace); success: #if 0 // // .rdata and .pdata must be made resident for the kernel debugger to // display stack frames properly. This means these sections must not // only be marked nonpagable, but for drivers like win32k.sys (and // session space drivers that are not relocated) that are paged in and // out directly from the filesystem, these pages must be made explicitly // resident now. // // If the debugger can be pitched, then there is no need to lock down // these subsections as no one will be debugging this system anyway. // if (KdPitchDebugger == 0) { MiLockDriverPdata (DataTableEntry); } #endif return BaseAddress; } VOID MmResetDriverPaging ( IN PVOID AddressWithinSection ) /*++ Routine Description: This routines resets the driver paging to what the image specified. Hence image sections such as the IAT, .text, .data will be locked down in memory. Note, there is no requirement that MmPageEntireDriver was called. Arguments: AddressWithinSection - Supplies an address within the driver, e.g. DriverEntry. Return Value: None. Environment: Kernel mode, APC_LEVEL or below. --*/ { PKLDR_DATA_TABLE_ENTRY DataTableEntry; PMMPTE LastPte; PMMPTE PointerPte; PVOID Base; ULONG i; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_SECTION_HEADER FoundSection; PAGED_CODE(); // // Don't page kernel mode code if disabled via registry. // if (MmDisablePagingExecutive & MM_SYSTEM_CODE_LOCKED_DOWN) { return; } if (MI_IS_PHYSICAL_ADDRESS(AddressWithinSection)) { return; } // // If the driver has pagable code, make it paged. // DataTableEntry = MiLookupDataTableEntry (AddressWithinSection, FALSE); if ((DataTableEntry->SectionPointer != NULL) && (DataTableEntry->SectionPointer != (PVOID)-1)) { // // Driver is mapped by image hence already paged. // return; } Base = DataTableEntry->DllBase; NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(Base); FoundSection = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + NtHeaders->FileHeader.SizeOfOptionalHeader ); i = NtHeaders->FileHeader.NumberOfSections; PointerPte = NULL; while (i > 0) { #if DBG if ((*(PULONG)FoundSection->Name == 'tini') || (*(PULONG)FoundSection->Name == 'egap')) { DbgPrint("driver %wZ has lower case sections (init or pagexxx)\n", &DataTableEntry->FullDllName); } #endif // // Don't lock down code for sections marked as discardable or // sections marked with the first 4 characters PAGE or .eda // (for the .edata section) or INIT. // if (((FoundSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) != 0) || (*(PULONG)FoundSection->Name == 'EGAP') || (*(PULONG)FoundSection->Name == 'ade.') || (*(PULONG)FoundSection->Name == 'TINI')) { NOTHING; } else { // // This section is nonpagable. // PointerPte = MiGetPteAddress ( (PCHAR)Base + FoundSection->VirtualAddress); LastPte = MiGetPteAddress ((PCHAR)Base + FoundSection->VirtualAddress + (FoundSection->SizeOfRawData - 1)); ASSERT (PointerPte <= LastPte); MiLockCode (PointerPte, LastPte, MM_LOCK_BY_NONPAGE); } i -= 1; FoundSection += 1; } return; } #if 0 VOID MiLockDriverPdata ( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry ) /*++ Routine Description: This routines locks down the .pdata & .rdata subsections within the driver. Arguments: DataTableEntry - Supplies the argument module's data table entry. Return Value: None. Environment: Kernel mode, APC_LEVEL or below. --*/ { PSECTION SectionPointer; LOGICAL SessionSpace; PMMPTE LastPte; PMMPTE PointerPte; PVOID Base; ULONG i; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_SECTION_HEADER FoundSection; PETHREAD Thread; PAGED_CODE(); // // If the debugger can be pitched, then there is no need to lock down // these subsections as no one will be debugging this system anyway. // ASSERT (KdPitchDebugger == 0); if (MI_IS_PHYSICAL_ADDRESS(DataTableEntry->DllBase)) { return; } SectionPointer = (PSECTION)DataTableEntry->SectionPointer; // // Drivers backed by the paging file require no handling as the .pdata // .rdata sections are not paged by default and have already been inpaged. // if ((SectionPointer == NULL) || (SectionPointer == (PVOID)-1)) { return; } // // The driver is mapped as an image (ie: win32k) which is always pagable. // In fact, it may not even be resident right now because in addition // to being always pagable, it is backed directly by the filesystem, // not the pagefile. So it must be inpaged now. // SessionSpace = MI_IS_SESSION_IMAGE_ADDRESS (DataTableEntry->DllBase); Base = DataTableEntry->DllBase; NtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(Base); FoundSection = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeaders + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + NtHeaders->FileHeader.SizeOfOptionalHeader); i = NtHeaders->FileHeader.NumberOfSections; PointerPte = NULL; Thread = PsGetCurrentThread (); for ( ; i > 0; i -= 1, FoundSection += 1) { // // Don't lock down discardable sections. // if ((FoundSection->Characteristics & IMAGE_SCN_MEM_DISCARDABLE) != 0) { NOTHING; } // // Inpage and lock down subsections marked as .pdata & .rdata. // if (((*(PULONG)FoundSection->Name == 'adp.') && (FoundSection->Name[4] == 't') && (FoundSection->Name[5] == 'a')) || ((*(PULONG)FoundSection->Name == 'adr.') && (FoundSection->Name[4] == 't') && (FoundSection->Name[5] == 'a'))) { PointerPte = MiGetPteAddress ( (PCHAR)Base + FoundSection->VirtualAddress); LastPte = MiGetPteAddress ((PCHAR)Base + FoundSection->VirtualAddress + (FoundSection->SizeOfRawData - 1)); ASSERT (PointerPte <= LastPte); } } return; } #endif VOID MiClearImports( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry ) /*++ Routine Description: Free up the import list and clear the pointer. This stops the recursion performed in MiDereferenceImports(). Arguments: DataTableEntry - provided for the driver. Return Value: Status of the import list construction operation. --*/ { PAGED_CODE(); if (DataTableEntry->LoadedImports == (PVOID)LOADED_AT_BOOT) { return; } if (DataTableEntry->LoadedImports == (PVOID)NO_IMPORTS_USED) { NOTHING; } else if (SINGLE_ENTRY(DataTableEntry->LoadedImports)) { NOTHING; } else { // // free the memory // ExFreePool ((PVOID)DataTableEntry->LoadedImports); } // // stop the recursion // DataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT; } VOID MiRememberUnloadedDriver ( IN PUNICODE_STRING DriverName, IN PVOID Address, IN ULONG Length ) /*++ Routine Description: This routine saves information about unloaded drivers so that ones that forget to delete lookaside lists or queues can be caught. Arguments: DriverName - Supplies a Unicode string containing the driver's name. Address - Supplies the address the driver was loaded at. Length - Supplies the number of bytes the driver load spanned. Return Value: None. --*/ { PUNLOADED_DRIVERS Entry; ULONG NumberOfBytes; if (DriverName->Length == 0) { // // This is an aborted load and the driver name hasn't been filled // in yet. No need to save it. // return; } // // Serialization is provided by the caller, so just update the list now. // Note the allocations are nonpaged so they can be searched at bugcheck // time. // if (MmUnloadedDrivers == NULL) { NumberOfBytes = MI_UNLOADED_DRIVERS * sizeof (UNLOADED_DRIVERS); MmUnloadedDrivers = (PUNLOADED_DRIVERS)ExAllocatePoolWithTag (NonPagedPool, NumberOfBytes, 'TDmM'); if (MmUnloadedDrivers == NULL) { return; } RtlZeroMemory (MmUnloadedDrivers, NumberOfBytes); MmLastUnloadedDriver = 0; } else if (MmLastUnloadedDriver >= MI_UNLOADED_DRIVERS) { MmLastUnloadedDriver = 0; } Entry = &MmUnloadedDrivers[MmLastUnloadedDriver]; // // Free the old entry as we recycle into the new. // RtlFreeUnicodeString (&Entry->Name); Entry->Name.Buffer = ExAllocatePoolWithTag (NonPagedPool, DriverName->Length, 'TDmM'); if (Entry->Name.Buffer == NULL) { Entry->Name.MaximumLength = 0; Entry->Name.Length = 0; MiUnloadsSkipped += 1; return; } RtlCopyMemory(Entry->Name.Buffer, DriverName->Buffer, DriverName->Length); Entry->Name.Length = DriverName->Length; Entry->Name.MaximumLength = DriverName->MaximumLength; Entry->StartAddress = Address; Entry->EndAddress = (PVOID)((PCHAR)Address + Length); KeQuerySystemTime (&Entry->CurrentTime); MiTotalUnloads += 1; MmLastUnloadedDriver += 1; } PUNICODE_STRING MmLocateUnloadedDriver ( IN PVOID VirtualAddress ) /*++ Routine Description: This routine attempts to find the specified virtual address in the unloaded driver list. Arguments: VirtualAddress - Supplies a virtual address that might be within a driver that has already unloaded. Return Value: A pointer to a Unicode string containing the unloaded driver's name. Environment: Kernel mode, bugcheck time. --*/ { PUNLOADED_DRIVERS Entry; ULONG i; ULONG Index; // // No serialization is needed because we've crashed. // if (MmUnloadedDrivers == NULL) { return NULL; } Index = MmLastUnloadedDriver - 1; for (i = 0; i < MI_UNLOADED_DRIVERS; i += 1) { if (Index >= MI_UNLOADED_DRIVERS) { Index = MI_UNLOADED_DRIVERS - 1; } Entry = &MmUnloadedDrivers[Index]; if (Entry->Name.Buffer != NULL) { if ((VirtualAddress >= Entry->StartAddress) && (VirtualAddress < Entry->EndAddress)) { return &Entry->Name; } } Index -= 1; } return NULL; } NTSTATUS MmUnloadSystemImage ( IN PVOID ImageHandle ) /*++ Routine Description: This routine unloads a previously loaded system image and returns the allocated resources. Arguments: ImageHandle - Supplies a pointer to the section object of the image to unload. Return Value: Various NTSTATUS codes. Environment: Kernel mode, APC_LEVEL or below, arbitrary process context. --*/ { PKLDR_DATA_TABLE_ENTRY DataTableEntry; PMMPTE LastPte; PFN_NUMBER PagesRequired; PFN_NUMBER ResidentPages; PMMPTE PointerPte; PFN_NUMBER NumberOfPtes; PVOID BasedAddress; SIZE_T NumberOfBytes; LOGICAL MustFree; SIZE_T CommittedPages; LOGICAL ViewDeleted; PIMAGE_ENTRY_IN_SESSION DriverImage; NTSTATUS Status; PSECTION SectionPointer; PKTHREAD CurrentThread; // // Arbitrary process context so prevent suspend APCs now. // CurrentThread = KeGetCurrentThread (); KeEnterCriticalRegionThread (CurrentThread); KeWaitForSingleObject (&MmSystemLoadLock, WrVirtualMemory, KernelMode, FALSE, (PLARGE_INTEGER)NULL); ViewDeleted = FALSE; DataTableEntry = (PKLDR_DATA_TABLE_ENTRY)ImageHandle; BasedAddress = DataTableEntry->DllBase; #if DBGXX // // MiUnloadSystemImageByForce violates this check so remove it for now. // if (PsLoadedModuleList.Flink) { LOGICAL Found; PLIST_ENTRY NextEntry; PKLDR_DATA_TABLE_ENTRY DataTableEntry2; Found = FALSE; NextEntry = PsLoadedModuleList.Flink; while (NextEntry != &PsLoadedModuleList) { DataTableEntry2 = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (DataTableEntry == DataTableEntry2) { Found = TRUE; break; } NextEntry = NextEntry->Flink; } ASSERT (Found == TRUE); } #endif #if DBG_SYSLOAD if (DataTableEntry->SectionPointer == NULL) { DbgPrint ("MM: Called to unload boot driver %wZ\n", &DataTableEntry->FullDllName); } else { DbgPrint ("MM: Called to unload non-boot driver %wZ\n", &DataTableEntry->FullDllName); } #endif // // Any driver loaded at boot that did not have its import list // and LoadCount reconstructed cannot be unloaded because we don't // know how many other drivers may be linked to it. // if (DataTableEntry->LoadedImports == (PVOID)LOADED_AT_BOOT) { KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegionThread (CurrentThread); return STATUS_SUCCESS; } ASSERT (DataTableEntry->LoadCount != 0); if (MI_IS_SESSION_IMAGE_ADDRESS (BasedAddress)) { // // A printer driver may be referenced multiple times for the // same session space. Only unload the last reference. // DriverImage = MiSessionLookupImage (BasedAddress); ASSERT (DriverImage); ASSERT (DriverImage->ImageCountInThisSession); if (DriverImage->ImageCountInThisSession > 1) { DriverImage->ImageCountInThisSession -= 1; KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegionThread (CurrentThread); return STATUS_SUCCESS; } // // The reference count for this image has dropped to zero in this // session, so we can delete this session's view of the image. // Status = MiSessionWideGetImageSize (BasedAddress, &NumberOfBytes, &CommittedPages); if (!NT_SUCCESS(Status)) { KeBugCheckEx (MEMORY_MANAGEMENT, 0x41286, (ULONG_PTR)MmSessionSpace->SessionId, (ULONG_PTR)BasedAddress, 0); } // // Free the session space taken up by the image, unmapping it from // the current VA space - note this does not remove page table pages // from the session PageTables[]. Each data page is only freed // if there are no other references to it (ie: from any other // sessions). // PointerPte = MiGetPteAddress (BasedAddress); LastPte = MiGetPteAddress ((PVOID)((ULONG_PTR)BasedAddress + NumberOfBytes)); PagesRequired = MiDeleteSystemPagableVm (PointerPte, (PFN_NUMBER)(LastPte - PointerPte), ZeroKernelPte, TRUE, &ResidentPages); // // Note resident available is returned here without waiting for load // count to reach zero because it is charged each time a session space // driver locks down its code or data regardless of whether it is really // the same copy-on-write backing page(s) that some other session has // already locked down. // MiReturnResidentAvailable (ResidentPages, 22); if ((MmDisablePagingExecutive & MM_SYSTEM_CODE_LOCKED_DOWN) == 0) { SectionPointer = (PSECTION)DataTableEntry->SectionPointer; if ((SectionPointer == NULL) || (SectionPointer == (PVOID)-1) || (SectionPointer->Segment == NULL) || (SectionPointer->Segment->BasedAddress != SectionPointer->Segment->SystemImageBase)) { MmTotalSystemDriverPages -= (ULONG)(PagesRequired - ResidentPages); } } InterlockedExchangeAddSizeT (&MmSessionSpace->CommittedPages, 0 - CommittedPages); MM_BUMP_SESS_COUNTER(MM_DBG_SESSION_COMMIT_IMAGE_UNLOAD, (ULONG)CommittedPages); ViewDeleted = TRUE; // // Return the commitment we took out on the pagefile when the // image was allocated. // MiReturnCommitment (CommittedPages); MM_TRACK_COMMIT (MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD, CommittedPages); // // Tell the session space image handler that we are releasing // our claim to the image. // Status = MiRemoveImageSessionWide (BasedAddress); ASSERT (NT_SUCCESS (Status)); } ASSERT (DataTableEntry->LoadCount != 0); DataTableEntry->LoadCount -= 1; if (DataTableEntry->LoadCount != 0) { KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegionThread (CurrentThread); return STATUS_SUCCESS; } #if DBG if (MI_IS_SESSION_IMAGE_ADDRESS (BasedAddress)) { ASSERT (MiSessionLookupImage (BasedAddress) == NULL); } #endif if (MmSnapUnloads) { #if 0 PVOID StillQueued; StillQueued = KeCheckForTimer (DataTableEntry->DllBase, DataTableEntry->SizeOfImage); if (StillQueued != NULL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x18, (ULONG_PTR)StillQueued, (ULONG_PTR)-1, (ULONG_PTR)DataTableEntry->DllBase); } StillQueued = ExpCheckForResource (DataTableEntry->DllBase, DataTableEntry->SizeOfImage); if (StillQueued != NULL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x19, (ULONG_PTR)StillQueued, (ULONG_PTR)-1, (ULONG_PTR)DataTableEntry->DllBase); } #endif } if (MmVerifierData.Level & DRIVER_VERIFIER_DEADLOCK_DETECTION) { VerifierDeadlockFreePool (DataTableEntry->DllBase, DataTableEntry->SizeOfImage); } if (DataTableEntry->Flags & LDRP_IMAGE_VERIFYING) { MiVerifyingDriverUnloading (DataTableEntry); } if (MiActiveVerifierThunks != 0) { MiVerifierCheckThunks (DataTableEntry); } // // Unload symbols from debugger. // if (DataTableEntry->Flags & LDRP_DEBUG_SYMBOLS_LOADED) { // // TEMP TEMP TEMP rip out when debugger converted // ANSI_STRING AnsiName; Status = RtlUnicodeStringToAnsiString (&AnsiName, &DataTableEntry->BaseDllName, TRUE); if (NT_SUCCESS (Status)) { DbgUnLoadImageSymbols (&AnsiName, BasedAddress, (ULONG)-1); RtlFreeAnsiString (&AnsiName); } } // // No unload can happen till after Mm has finished Phase 1 initialization. // Therefore, large pages are already in effect (if this platform supports // it). // if (ViewDeleted == FALSE) { NumberOfPtes = DataTableEntry->SizeOfImage >> PAGE_SHIFT; if (MmSnapUnloads) { MiRememberUnloadedDriver (&DataTableEntry->BaseDllName, BasedAddress, (ULONG)(NumberOfPtes << PAGE_SHIFT)); } if (DataTableEntry->Flags & LDRP_SYSTEM_MAPPED) { PointerPte = MiGetPteAddress (BasedAddress); PagesRequired = MiDeleteSystemPagableVm (PointerPte, NumberOfPtes, ZeroKernelPte, FALSE, &ResidentPages); MmTotalSystemDriverPages -= (ULONG)(PagesRequired - ResidentPages); // // Note that drivers loaded at boot that have not been relocated // have no system PTEs or commit charged. // MiReleaseSystemPtes (PointerPte, (ULONG)NumberOfPtes, SystemPteSpace); MiReturnResidentAvailable (ResidentPages, 21); // // Only return commitment for drivers that weren't loaded by the // boot loader. // if (DataTableEntry->SectionPointer != NULL) { MiReturnCommitment (PagesRequired); MM_TRACK_COMMIT (MM_DBG_COMMIT_RETURN_DRIVER_UNLOAD1, PagesRequired); InterlockedExchangeAdd ((PLONG)&MmDriverCommit, (LONG) (0 - PagesRequired)); } } else { // // This must be a boot driver that was not relocated into // system PTEs. If large or super pages are enabled, the // image pages must be freed without referencing the // non-existent page table pages. If large/super pages are // not enabled, note that system PTEs were not used to map the // image and thus, cannot be freed. // // This is further complicated by the fact that the INIT and/or // discardable portions of these images may have already been freed. // } } // // Search the loaded module list for the data table entry that describes // the DLL that was just unloaded. It is possible an entry is not in the // list if a failure occurred at a point in loading the DLL just before // the data table entry was generated. // if (DataTableEntry->InLoadOrderLinks.Flink != NULL) { MiProcessLoaderEntry (DataTableEntry, FALSE); MustFree = TRUE; } else { MustFree = FALSE; } // // Handle unloading of any dependent DLLs that we loaded automatically // for this image. // MiDereferenceImports ((PLOAD_IMPORTS)DataTableEntry->LoadedImports); MiClearImports (DataTableEntry); // // Free this loader entry. // if (MustFree == TRUE) { if (DataTableEntry->FullDllName.Buffer != NULL) { ExFreePool (DataTableEntry->FullDllName.Buffer); } // // Dereference the section object if there is one. // There should only be one for win32k.sys and Hydra session images. // if ((DataTableEntry->SectionPointer != NULL) && (DataTableEntry->SectionPointer != (PVOID)-1)) { ObDereferenceObject (DataTableEntry->SectionPointer); } ExFreePool((PVOID)DataTableEntry); } KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegionThread (CurrentThread); PERFINFO_IMAGE_UNLOAD(BasedAddress); return STATUS_SUCCESS; } NTSTATUS MiBuildImportsForBootDrivers( VOID ) /*++ Routine Description: Construct an import list chain for boot-loaded drivers. If this cannot be done for an entry, its chain is set to LOADED_AT_BOOT. If a chain can be successfully built, then this driver's DLLs will be automatically unloaded if this driver goes away (provided no other driver is also using them). Otherwise, on driver unload, its dependent DLLs would have to be explicitly unloaded. Note that the incoming LoadCount values are not correct and thus, they are reinitialized here. Arguments: None. Return Value: Various NTSTATUS codes. --*/ { PKLDR_DATA_TABLE_ENTRY DataTableEntry; PLIST_ENTRY NextEntry; PKLDR_DATA_TABLE_ENTRY DataTableEntry2; PLIST_ENTRY NextEntry2; ULONG i; ULONG j; ULONG ImageCount; PVOID *ImageReferences; PVOID LastImageReference; PULONG_PTR ImportThunk; ULONG_PTR BaseAddress; ULONG_PTR LastAddress; ULONG ImportSize; ULONG ImportListSize; PLOAD_IMPORTS ImportList; LOGICAL UndoEverything; PKLDR_DATA_TABLE_ENTRY KernelDataTableEntry; PKLDR_DATA_TABLE_ENTRY HalDataTableEntry; UNICODE_STRING KernelString; UNICODE_STRING HalString; PAGED_CODE(); ImageCount = 0; KernelDataTableEntry = NULL; HalDataTableEntry = NULL; RtlInitUnicodeString (&KernelString, (const PUSHORT)L"ntoskrnl.exe"); RtlInitUnicodeString (&HalString, (const PUSHORT)L"hal.dll"); NextEntry = PsLoadedModuleList.Flink; while (NextEntry != &PsLoadedModuleList) { DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (RtlEqualUnicodeString (&KernelString, &DataTableEntry->BaseDllName, TRUE)) { KernelDataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); } else if (RtlEqualUnicodeString (&HalString, &DataTableEntry->BaseDllName, TRUE)) { HalDataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); } // // Initialize these properly so error recovery is simplified. // if (DataTableEntry->Flags & LDRP_DRIVER_DEPENDENT_DLL) { if ((DataTableEntry == HalDataTableEntry) || (DataTableEntry == KernelDataTableEntry)) { DataTableEntry->LoadCount = 1; } else { DataTableEntry->LoadCount = 0; } } else { DataTableEntry->LoadCount = 1; } DataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT; ImageCount += 1; NextEntry = NextEntry->Flink; } if (KernelDataTableEntry == NULL || HalDataTableEntry == NULL) { return STATUS_NOT_FOUND; } ImageReferences = (PVOID *) ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION, ImageCount * sizeof (PVOID), 'TDmM'); if (ImageReferences == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } UndoEverything = FALSE; NextEntry = PsLoadedModuleList.Flink; for ( ; NextEntry != &PsLoadedModuleList; NextEntry = NextEntry->Flink) { DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData( DataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &ImportSize); if (ImportThunk == NULL) { DataTableEntry->LoadedImports = NO_IMPORTS_USED; continue; } RtlZeroMemory (ImageReferences, ImageCount * sizeof (PVOID)); ImportSize /= sizeof(PULONG_PTR); BaseAddress = 0; // // Initializing these locals is not needed for correctness, but // without it the compiler cannot compile this code W4 to check // for use of uninitialized variables. // j = 0; LastAddress = 0; for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) { // // Check the hint first. // if (BaseAddress != 0) { if (*ImportThunk >= BaseAddress && *ImportThunk < LastAddress) { ASSERT (ImageReferences[j]); continue; } } j = 0; NextEntry2 = PsLoadedModuleList.Flink; while (NextEntry2 != &PsLoadedModuleList) { DataTableEntry2 = CONTAINING_RECORD(NextEntry2, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); BaseAddress = (ULONG_PTR) DataTableEntry2->DllBase; LastAddress = BaseAddress + DataTableEntry2->SizeOfImage; if (*ImportThunk >= BaseAddress && *ImportThunk < LastAddress) { ImageReferences[j] = DataTableEntry2; break; } NextEntry2 = NextEntry2->Flink; j += 1; } if (*ImportThunk < BaseAddress || *ImportThunk >= LastAddress) { if (*ImportThunk) { #if DBG DbgPrint ("MM: broken import linkage %p %p %p\n", DataTableEntry, ImportThunk, *ImportThunk); DbgBreakPoint (); #endif UndoEverything = TRUE; goto finished; } BaseAddress = 0; } } ImportSize = 0; // // Initializing LastImageReference is not needed for correctness, but // without it the compiler cannot compile this code W4 to check // for use of uninitialized variables. // LastImageReference = NULL; for (i = 0; i < ImageCount; i += 1) { if ((ImageReferences[i] != NULL) && (ImageReferences[i] != KernelDataTableEntry) && (ImageReferences[i] != HalDataTableEntry)) { LastImageReference = ImageReferences[i]; ImportSize += 1; } } if (ImportSize == 0) { DataTableEntry->LoadedImports = NO_IMPORTS_USED; } else if (ImportSize == 1) { #if DBG_SYSLOAD DbgPrint("driver %wZ imports %wZ\n", &DataTableEntry->FullDllName, &((PKLDR_DATA_TABLE_ENTRY)LastImageReference)->FullDllName); #endif DataTableEntry->LoadedImports = POINTER_TO_SINGLE_ENTRY (LastImageReference); ((PKLDR_DATA_TABLE_ENTRY)LastImageReference)->LoadCount += 1; } else { #if DBG_SYSLOAD DbgPrint("driver %wZ imports many\n", &DataTableEntry->FullDllName); #endif ImportListSize = ImportSize * sizeof(PVOID) + sizeof(SIZE_T); ImportList = (PLOAD_IMPORTS) ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION, ImportListSize, 'TDmM'); if (ImportList == NULL) { UndoEverything = TRUE; break; } ImportList->Count = ImportSize; j = 0; for (i = 0; i < ImageCount; i += 1) { if ((ImageReferences[i] != NULL) && (ImageReferences[i] != KernelDataTableEntry) && (ImageReferences[i] != HalDataTableEntry)) { #if DBG_SYSLOAD DbgPrint("driver %wZ imports %wZ\n", &DataTableEntry->FullDllName, &((PKLDR_DATA_TABLE_ENTRY)ImageReferences[i])->FullDllName); #endif ImportList->Entry[j] = ImageReferences[i]; ((PKLDR_DATA_TABLE_ENTRY)ImageReferences[i])->LoadCount += 1; j += 1; } } ASSERT (j == ImportSize); DataTableEntry->LoadedImports = ImportList; } #if DBG_SYSLOAD DbgPrint("\n"); #endif } finished: ExFreePool ((PVOID)ImageReferences); // // The kernel and HAL are never unloaded. // if ((KernelDataTableEntry->LoadedImports != NO_IMPORTS_USED) && (!POINTER_TO_SINGLE_ENTRY(KernelDataTableEntry->LoadedImports))) { ExFreePool ((PVOID)KernelDataTableEntry->LoadedImports); } if ((HalDataTableEntry->LoadedImports != NO_IMPORTS_USED) && (!POINTER_TO_SINGLE_ENTRY(HalDataTableEntry->LoadedImports))) { ExFreePool ((PVOID)HalDataTableEntry->LoadedImports); } KernelDataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT; HalDataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT; if (UndoEverything == TRUE) { #if DBG_SYSLOAD DbgPrint("driver %wZ import rebuild failed\n", &DataTableEntry->FullDllName); DbgBreakPoint(); #endif // // An error occurred and this is an all or nothing operation so // roll everything back. // NextEntry = PsLoadedModuleList.Flink; while (NextEntry != &PsLoadedModuleList) { DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); ImportList = DataTableEntry->LoadedImports; if (ImportList == LOADED_AT_BOOT || ImportList == NO_IMPORTS_USED || SINGLE_ENTRY(ImportList)) { NOTHING; } else { ExFreePool (ImportList); } DataTableEntry->LoadedImports = (PVOID)LOADED_AT_BOOT; DataTableEntry->LoadCount = 1; NextEntry = NextEntry->Flink; } return STATUS_INSUFFICIENT_RESOURCES; } return STATUS_SUCCESS; } LOGICAL MiCallDllUnloadAndUnloadDll( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry ) /*++ Routine Description: All the references from other drivers to this DLL have been cleared. The only remaining issue is that this DLL must support being unloaded. This means having no outstanding DPCs, allocated pool, etc. If the DLL has an unload routine that returns SUCCESS, then we clean it up and free up its memory now. Note this routine is NEVER called for drivers - only for DLLs that were loaded due to import references from various drivers. Arguments: DataTableEntry - provided for the DLL. Return Value: TRUE if the DLL was successfully unloaded, FALSE if not. --*/ { PMM_DLL_UNLOAD Func; NTSTATUS Status; LOGICAL Unloaded; PAGED_CODE(); Unloaded = FALSE; Func = (PMM_DLL_UNLOAD) (ULONG_PTR) MiLocateExportName (DataTableEntry->DllBase, "DllUnload"); if (Func) { // // The unload function was found in the DLL so unload it now. // Status = Func(); if (NT_SUCCESS(Status)) { // // Set up the reference count so the import DLL looks like a regular // driver image is being unloaded. // ASSERT (DataTableEntry->LoadCount == 0); DataTableEntry->LoadCount = 1; MmUnloadSystemImage ((PVOID)DataTableEntry); Unloaded = TRUE; } } return Unloaded; } PVOID MiLocateExportName ( IN PVOID DllBase, IN PCHAR FunctionName ) /*++ Routine Description: This function is invoked to locate a function name in an export directory. Arguments: DllBase - Supplies the image base. FunctionName - Supplies the the name to be located. Return Value: The address of the located function or NULL. --*/ { PVOID Func; PULONG NameTableBase; PUSHORT NameOrdinalTableBase; PIMAGE_EXPORT_DIRECTORY ExportDirectory; PULONG Addr; ULONG ExportSize; ULONG Low; ULONG Middle; ULONG High; LONG Result; USHORT OrdinalNumber; PAGED_CODE(); Func = NULL; // // Locate the DLL's export directory. // ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData( DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &ExportSize ); if (ExportDirectory) { NameTableBase = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNames); NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals); // // Look in the export name table for the specified function name. // Low = 0; High = ExportDirectory->NumberOfNames - 1; // // Initializing Middle is not needed for correctness, but without it // the compiler cannot compile this code W4 to check for use of // uninitialized variables. // Middle = 0; while (High >= Low && (LONG)High >= 0) { // // Compute the next probe index and compare the export name entry // with the specified function name. // Middle = (Low + High) >> 1; Result = strcmp(FunctionName, (PCHAR)((PCHAR)DllBase + NameTableBase[Middle])); if (Result < 0) { High = Middle - 1; } else if (Result > 0) { Low = Middle + 1; } else { break; } } // // If the high index is less than the low index, then a matching table // entry was not found. Otherwise, get the ordinal number from the // ordinal table and location the function address. // if ((LONG)High >= (LONG)Low) { OrdinalNumber = NameOrdinalTableBase[Middle]; Addr = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions); Func = (PVOID)((ULONG_PTR)DllBase + Addr[OrdinalNumber]); // // If the function address is w/in range of the export directory, // then the function is forwarded, which is not allowed, so ignore // it. // if ((ULONG_PTR)Func > (ULONG_PTR)ExportDirectory && (ULONG_PTR)Func < ((ULONG_PTR)ExportDirectory + ExportSize)) { Func = NULL; } } } return Func; } NTSTATUS MiDereferenceImports ( IN PLOAD_IMPORTS ImportList ) /*++ Routine Description: Decrement the reference count on each DLL specified in the image import list. If any DLL's reference count reaches zero, then free the DLL. No locks may be held on entry as MmUnloadSystemImage may be called. The parameter list is freed here as well. Arguments: ImportList - Supplies the list of DLLs to dereference. Return Value: Status of the dereference operation. --*/ { ULONG i; LOGICAL Unloaded; PVOID SavedImports; LOAD_IMPORTS SingleTableEntry; PKLDR_DATA_TABLE_ENTRY ImportTableEntry; PAGED_CODE(); if (ImportList == LOADED_AT_BOOT || ImportList == NO_IMPORTS_USED) { return STATUS_SUCCESS; } if (SINGLE_ENTRY(ImportList)) { SingleTableEntry.Count = 1; SingleTableEntry.Entry[0] = SINGLE_ENTRY_TO_POINTER(ImportList); ImportList = &SingleTableEntry; } for (i = 0; i < ImportList->Count && ImportList->Entry[i]; i += 1) { ImportTableEntry = ImportList->Entry[i]; if (ImportTableEntry->LoadedImports == (PVOID)LOADED_AT_BOOT) { // // Skip this one - it was loaded by ntldr. // continue; } #if DBG { ULONG ImageCount; PLIST_ENTRY NextEntry; PKLDR_DATA_TABLE_ENTRY DataTableEntry; // // Assert that the first 2 entries are never dereferenced as // unloading the kernel or HAL would be fatal. // NextEntry = PsLoadedModuleList.Flink; ImageCount = 0; while (NextEntry != &PsLoadedModuleList && ImageCount < 2) { DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); ASSERT (ImportTableEntry != DataTableEntry); ASSERT (DataTableEntry->LoadCount == 1); NextEntry = NextEntry->Flink; ImageCount += 1; } } #endif ASSERT (ImportTableEntry->LoadCount >= 1); ImportTableEntry->LoadCount -= 1; if (ImportTableEntry->LoadCount == 0) { // // Unload this dependent DLL - we only do this to non-referenced // non-boot-loaded drivers. Stop the import list recursion prior // to unloading - we know we're done at this point. // // Note we can continue on afterwards without restarting // regardless of which locks get released and reacquired // because this chain is private. // SavedImports = ImportTableEntry->LoadedImports; ImportTableEntry->LoadedImports = (PVOID)NO_IMPORTS_USED; Unloaded = MiCallDllUnloadAndUnloadDll ((PVOID)ImportTableEntry); if (Unloaded == TRUE) { // // This DLL was unloaded so recurse through its imports and // attempt to unload all of those too. // MiDereferenceImports ((PLOAD_IMPORTS)SavedImports); if ((SavedImports != (PVOID)LOADED_AT_BOOT) && (SavedImports != (PVOID)NO_IMPORTS_USED) && (!SINGLE_ENTRY(SavedImports))) { ExFreePool (SavedImports); } } else { ImportTableEntry->LoadedImports = SavedImports; } } } return STATUS_SUCCESS; } NTSTATUS MiResolveImageReferences ( PVOID ImageBase, IN PUNICODE_STRING ImageFileDirectory, IN PUNICODE_STRING NamePrefix OPTIONAL, OUT PCHAR *MissingProcedureName, OUT PWSTR *MissingDriverName, OUT PLOAD_IMPORTS *LoadedImports ) /*++ Routine Description: This routine resolves the references from the newly loaded driver to the kernel, HAL and other drivers. Arguments: ImageBase - Supplies the address of which the image header resides. ImageFileDirectory - Supplies the directory to load referenced DLLs. Return Value: Status of the image reference resolution. --*/ { PCHAR MissingProcedureStorageArea; PVOID ImportBase; ULONG ImportSize; ULONG ImportListSize; ULONG Count; ULONG i; PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor; PIMAGE_IMPORT_DESCRIPTOR Imp; NTSTATUS st; ULONG ExportSize; PIMAGE_EXPORT_DIRECTORY ExportDirectory; PIMAGE_THUNK_DATA NameThunk; PIMAGE_THUNK_DATA AddrThunk; PSZ ImportName; PLIST_ENTRY NextEntry; PKLDR_DATA_TABLE_ENTRY DataTableEntry; PKLDR_DATA_TABLE_ENTRY SingleEntry; ANSI_STRING AnsiString; UNICODE_STRING ImportName_U; UNICODE_STRING ImportDescriptorName_U; UNICODE_STRING DllToLoad; UNICODE_STRING DllToLoad2; PVOID Section; PVOID BaseAddress; LOGICAL PrefixedNameAllocated; LOGICAL ReferenceImport; ULONG LinkWin32k = 0; ULONG LinkNonWin32k = 0; PLOAD_IMPORTS ImportList; PLOAD_IMPORTS CompactedImportList; LOGICAL Loaded; UNICODE_STRING DriverDirectory; PAGED_CODE(); *LoadedImports = NO_IMPORTS_USED; MissingProcedureStorageArea = *MissingProcedureName; ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData( ImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ImportSize); if (ImportDescriptor == NULL) { return STATUS_SUCCESS; } // Count the number of imports so we can allocate enough room to // store them all chained off this module's LDR_DATA_TABLE_ENTRY. // Count = 0; for (Imp = ImportDescriptor; Imp->Name && Imp->OriginalFirstThunk; Imp += 1) { Count += 1; } if (Count != 0) { ImportListSize = Count * sizeof(PVOID) + sizeof(SIZE_T); ImportList = (PLOAD_IMPORTS) ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION, ImportListSize, 'TDmM'); // // Zero it so we can recover gracefully if we fail in the middle. // If the allocation failed, just don't build the import list. // if (ImportList != NULL) { RtlZeroMemory (ImportList, ImportListSize); ImportList->Count = Count; } } else { ImportList = NULL; } Count = 0; while (ImportDescriptor->Name && ImportDescriptor->OriginalFirstThunk) { ImportName = (PSZ)((PCHAR)ImageBase + ImportDescriptor->Name); // // A driver can link with win32k.sys if and only if it is a GDI // driver. // Also display drivers can only link to win32k.sys (and lego ...). // // So if we get a driver that links to win32k.sys and has more // than one set of imports, we will fail to load it. // LinkWin32k = LinkWin32k | (!_strnicmp(ImportName, "win32k", sizeof("win32k") - 1)); // // We don't want to count coverage, win32k and irt (lego) since // display drivers CAN link against these. // LinkNonWin32k = LinkNonWin32k | ((_strnicmp(ImportName, "win32k", sizeof("win32k") - 1)) && (_strnicmp(ImportName, "dxapi", sizeof("dxapi") - 1)) && (_strnicmp(ImportName, "coverage", sizeof("coverage") - 1)) && (_strnicmp(ImportName, "irt", sizeof("irt") - 1))); if (LinkNonWin32k && LinkWin32k) { MiDereferenceImports (ImportList); if (ImportList) { ExFreePool (ImportList); } return (STATUS_PROCEDURE_NOT_FOUND); } if ((!_strnicmp(ImportName, "ntdll", sizeof("ntdll") - 1)) || (!_strnicmp(ImportName, "winsrv", sizeof("winsrv") - 1)) || (!_strnicmp(ImportName, "advapi32", sizeof("advapi32") - 1)) || (!_strnicmp(ImportName, "kernel32", sizeof("kernel32") - 1)) || (!_strnicmp(ImportName, "user32", sizeof("user32") - 1)) || (!_strnicmp(ImportName, "gdi32", sizeof("gdi32") - 1)) ) { MiDereferenceImports (ImportList); if (ImportList) { ExFreePool (ImportList); } return (STATUS_PROCEDURE_NOT_FOUND); } if ((!_strnicmp(ImportName, "ntoskrnl", sizeof("ntoskrnl") - 1)) || (!_strnicmp(ImportName, "win32k", sizeof("win32k") - 1)) || (!_strnicmp(ImportName, "hal", sizeof("hal") - 1))) { // // These imports don't get refcounted because we don't // ever want to unload them. // ReferenceImport = FALSE; } else { ReferenceImport = TRUE; } RtlInitAnsiString (&AnsiString, ImportName); st = RtlAnsiStringToUnicodeString (&ImportName_U, &AnsiString, TRUE); if (!NT_SUCCESS(st)) { MiDereferenceImports (ImportList); if (ImportList != NULL) { ExFreePool (ImportList); } return st; } if (NamePrefix && (_strnicmp(ImportName, "ntoskrnl", sizeof("ntoskrnl") - 1) && _strnicmp(ImportName, "hal", sizeof("hal") - 1))) { ImportDescriptorName_U.MaximumLength = (USHORT)(ImportName_U.Length + NamePrefix->Length); ImportDescriptorName_U.Buffer = ExAllocatePoolWithTag (NonPagedPool, ImportDescriptorName_U.MaximumLength, 'TDmM'); if (!ImportDescriptorName_U.Buffer) { RtlFreeUnicodeString (&ImportName_U); MiDereferenceImports (ImportList); if (ImportList != NULL) { ExFreePool (ImportList); } return STATUS_INSUFFICIENT_RESOURCES; } ImportDescriptorName_U.Length = 0; RtlAppendUnicodeStringToString(&ImportDescriptorName_U, NamePrefix); RtlAppendUnicodeStringToString(&ImportDescriptorName_U, &ImportName_U); PrefixedNameAllocated = TRUE; } else { ImportDescriptorName_U = ImportName_U; PrefixedNameAllocated = FALSE; } Loaded = FALSE; ReCheck: NextEntry = PsLoadedModuleList.Flink; ImportBase = NULL; // // Initializing DataTableEntry is not needed for correctness // but without it the compiler cannot compile this code // W4 to check for use of uninitialized variables. // DataTableEntry = NULL; while (NextEntry != &PsLoadedModuleList) { DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (RtlEqualUnicodeString (&ImportDescriptorName_U, &DataTableEntry->BaseDllName, TRUE)) { ImportBase = DataTableEntry->DllBase; // // Only bump the LoadCount if this thread did not initiate // the load below. If this thread initiated the load, then // the LoadCount has already been bumped as part of the // load - we only want to increment it here if we are // "attaching" to a previously loaded DLL. // if ((Loaded == FALSE) && (ReferenceImport == TRUE)) { // // Only increment the load count on the import if it is not // circular (ie: the import is not from the original // caller). // if ((DataTableEntry->Flags & LDRP_LOAD_IN_PROGRESS) == 0) { DataTableEntry->LoadCount += 1; } } break; } NextEntry = NextEntry->Flink; } if (ImportBase == NULL) { // // The DLL name was not located, attempt to load this dll. // DllToLoad.MaximumLength = (USHORT)(ImportName_U.Length + ImageFileDirectory->Length + sizeof(WCHAR)); DllToLoad.Buffer = ExAllocatePoolWithTag (NonPagedPool, DllToLoad.MaximumLength, 'TDmM'); if (DllToLoad.Buffer) { DllToLoad.Length = ImageFileDirectory->Length; RtlCopyMemory (DllToLoad.Buffer, ImageFileDirectory->Buffer, ImageFileDirectory->Length); RtlAppendStringToString ((PSTRING)&DllToLoad, (PSTRING)&ImportName_U); // // Add NULL termination in case the load fails so the name // can be returned as the PWSTR MissingDriverName. // DllToLoad.Buffer[(DllToLoad.MaximumLength - 1) / sizeof (WCHAR)] = UNICODE_NULL; st = MmLoadSystemImage (&DllToLoad, NamePrefix, NULL, FALSE, &Section, &BaseAddress); if (NT_SUCCESS(st)) { // // No need to keep the temporary name buffer around now // that there is a loaded module list entry for this DLL. // ExFreePool (DllToLoad.Buffer); } else { if ((st == STATUS_OBJECT_NAME_NOT_FOUND) && (NamePrefix == NULL) && (MI_IS_SESSION_ADDRESS (ImageBase))) { #define DRIVERS_SUBDIR_NAME L"drivers\\" DriverDirectory.Buffer = (const PUSHORT) DRIVERS_SUBDIR_NAME; DriverDirectory.Length = sizeof (DRIVERS_SUBDIR_NAME) - sizeof (WCHAR); DriverDirectory.MaximumLength = sizeof DRIVERS_SUBDIR_NAME; // // The DLL file was not located, attempt to load it // from the drivers subdirectory. This makes it // possible for drivers like win32k.sys to link to // drivers that reside in the drivers subdirectory // (like dxapi.sys). // DllToLoad2.MaximumLength = (USHORT)(ImportName_U.Length + DriverDirectory.Length + ImageFileDirectory->Length + sizeof(WCHAR)); DllToLoad2.Buffer = ExAllocatePoolWithTag (NonPagedPool, DllToLoad2.MaximumLength, 'TDmM'); if (DllToLoad2.Buffer) { DllToLoad2.Length = ImageFileDirectory->Length; RtlCopyMemory (DllToLoad2.Buffer, ImageFileDirectory->Buffer, ImageFileDirectory->Length); RtlAppendStringToString ((PSTRING)&DllToLoad2, (PSTRING)&DriverDirectory); RtlAppendStringToString ((PSTRING)&DllToLoad2, (PSTRING)&ImportName_U); // // Add NULL termination in case the load fails // so the name can be returned as the PWSTR // MissingDriverName. // DllToLoad2.Buffer[(DllToLoad2.MaximumLength - 1) / sizeof (WCHAR)] = UNICODE_NULL; st = MmLoadSystemImage (&DllToLoad2, NULL, NULL, FALSE, &Section, &BaseAddress); ExFreePool (DllToLoad.Buffer); DllToLoad.Buffer = DllToLoad2.Buffer; DllToLoad.Length = DllToLoad2.Length; DllToLoad.MaximumLength = DllToLoad2.MaximumLength; if (NT_SUCCESS(st)) { ExFreePool (DllToLoad.Buffer); goto LoadFinished; } } else { Section = NULL; BaseAddress = NULL; st = STATUS_INSUFFICIENT_RESOURCES; goto LoadFinished; } } // // Return the temporary name buffer to our caller so // the name of the DLL that failed to load can be displayed. // Set the low bit of the pointer so our caller knows to // free this buffer when he's done displaying it (as opposed // to loaded module list entries which should not be freed). // *MissingDriverName = DllToLoad.Buffer; *(PULONG)MissingDriverName |= 0x1; // // Set this to NULL so the hard error prints properly. // *MissingProcedureName = NULL; } } else { // // Initializing Section and BaseAddress is not needed for // correctness but without it the compiler cannot compile // this code W4 to check for use of uninitialized variables. // Section = NULL; BaseAddress = NULL; st = STATUS_INSUFFICIENT_RESOURCES; } LoadFinished: // // Call any needed DLL initialization now. // if (NT_SUCCESS(st)) { #if DBG PLIST_ENTRY Entry; #endif PKLDR_DATA_TABLE_ENTRY TableEntry; Loaded = TRUE; TableEntry = (PKLDR_DATA_TABLE_ENTRY) Section; ASSERT (BaseAddress == TableEntry->DllBase); #if DBG // // Lookup the dll's table entry in the loaded module list. // This is expected to always succeed. // Entry = PsLoadedModuleList.Blink; while (Entry != &PsLoadedModuleList) { TableEntry = CONTAINING_RECORD (Entry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (BaseAddress == TableEntry->DllBase) { ASSERT (TableEntry == (PKLDR_DATA_TABLE_ENTRY) Section); break; } ASSERT (TableEntry != (PKLDR_DATA_TABLE_ENTRY) Section); Entry = Entry->Blink; } ASSERT (Entry != &PsLoadedModuleList); #endif // // Call the dll's initialization routine if it has // one. This routine will reapply verifier thunks to // any modules that link to this one if necessary. // st = MmCallDllInitialize (TableEntry, &PsLoadedModuleList); // // If the module could not be properly initialized, // unload it. // if (!NT_SUCCESS(st)) { MmUnloadSystemImage ((PVOID)TableEntry); Loaded = FALSE; } } if (!NT_SUCCESS(st)) { RtlFreeUnicodeString (&ImportName_U); if (PrefixedNameAllocated == TRUE) { ExFreePool (ImportDescriptorName_U.Buffer); } MiDereferenceImports (ImportList); if (ImportList != NULL) { ExFreePool (ImportList); } return st; } goto ReCheck; } if ((ReferenceImport == TRUE) && (ImportList)) { // // Only add the image providing satisfying our imports to the // import list if the reference is not circular (ie: the import // is not from the original caller). // if ((DataTableEntry->Flags & LDRP_LOAD_IN_PROGRESS) == 0) { ImportList->Entry[Count] = DataTableEntry; Count += 1; } } RtlFreeUnicodeString (&ImportName_U); if (PrefixedNameAllocated) { ExFreePool (ImportDescriptorName_U.Buffer); } *MissingDriverName = DataTableEntry->BaseDllName.Buffer; ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData( ImportBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &ExportSize ); if (!ExportDirectory) { MiDereferenceImports (ImportList); if (ImportList) { ExFreePool (ImportList); } return STATUS_DRIVER_ENTRYPOINT_NOT_FOUND; } // // Walk through the IAT and snap all the thunks. // if (ImportDescriptor->OriginalFirstThunk) { NameThunk = (PIMAGE_THUNK_DATA)((PCHAR)ImageBase + (ULONG)ImportDescriptor->OriginalFirstThunk); AddrThunk = (PIMAGE_THUNK_DATA)((PCHAR)ImageBase + (ULONG)ImportDescriptor->FirstThunk); while (NameThunk->u1.AddressOfData) { st = MiSnapThunk (ImportBase, ImageBase, NameThunk++, AddrThunk++, ExportDirectory, ExportSize, FALSE, MissingProcedureName); if (!NT_SUCCESS(st) ) { MiDereferenceImports (ImportList); if (ImportList) { ExFreePool (ImportList); } return st; } *MissingProcedureName = MissingProcedureStorageArea; } } ImportDescriptor += 1; } // // All the imports are successfully loaded so establish and compact // the import unload list. // if (ImportList) { // // Blank entries occur for things like the kernel, HAL & win32k.sys // that we never want to unload. Especially for things like // win32k.sys where the reference count can really hit 0. // // // Initializing SingleEntry is not needed for correctness // but without it the compiler cannot compile this code // W4 to check for use of uninitialized variables. // SingleEntry = NULL; Count = 0; for (i = 0; i < ImportList->Count; i += 1) { if (ImportList->Entry[i]) { SingleEntry = POINTER_TO_SINGLE_ENTRY(ImportList->Entry[i]); Count += 1; } } if (Count == 0) { ExFreePool(ImportList); ImportList = NO_IMPORTS_USED; } else if (Count == 1) { ExFreePool(ImportList); ImportList = (PLOAD_IMPORTS)SingleEntry; } else if (Count != ImportList->Count) { ImportListSize = Count * sizeof(PVOID) + sizeof(SIZE_T); CompactedImportList = (PLOAD_IMPORTS) ExAllocatePoolWithTag (PagedPool | POOL_COLD_ALLOCATION, ImportListSize, 'TDmM'); if (CompactedImportList) { CompactedImportList->Count = Count; Count = 0; for (i = 0; i < ImportList->Count; i += 1) { if (ImportList->Entry[i]) { CompactedImportList->Entry[Count] = ImportList->Entry[i]; Count += 1; } } ExFreePool(ImportList); ImportList = CompactedImportList; } } *LoadedImports = ImportList; } return STATUS_SUCCESS; } NTSTATUS MiSnapThunk( IN PVOID DllBase, IN PVOID ImageBase, IN PIMAGE_THUNK_DATA NameThunk, OUT PIMAGE_THUNK_DATA AddrThunk, IN PIMAGE_EXPORT_DIRECTORY ExportDirectory, IN ULONG ExportSize, IN LOGICAL SnapForwarder, OUT PCHAR *MissingProcedureName ) /*++ Routine Description: This function snaps a thunk using the specified Export Section data. If the section data does not support the thunk, then the thunk is partially snapped (Dll field is still non-null, but snap address is set). Arguments: DllBase - Base of DLL being snapped to. ImageBase - Base of image that contains the thunks to snap. Thunk - On input, supplies the thunk to snap. When successfully snapped, the function field is set to point to the address in the DLL, and the DLL field is set to NULL. ExportDirectory - Supplies the Export Section data from a DLL. SnapForwarder - Supplies TRUE if the snap is for a forwarder, and therefore Address of Data is already setup. Return Value: STATUS_SUCCESS or STATUS_DRIVER_ENTRYPOINT_NOT_FOUND or STATUS_DRIVER_ORDINAL_NOT_FOUND --*/ { BOOLEAN Ordinal; USHORT OrdinalNumber; PULONG NameTableBase; PUSHORT NameOrdinalTableBase; PULONG Addr; USHORT HintIndex; ULONG High; ULONG Low; ULONG Middle; LONG Result; NTSTATUS Status; PCHAR MissingProcedureName2; CHAR NameBuffer[ MAXIMUM_FILENAME_LENGTH ]; PAGED_CODE(); // // Determine if snap is by name, or by ordinal // Ordinal = (BOOLEAN)IMAGE_SNAP_BY_ORDINAL(NameThunk->u1.Ordinal); if (Ordinal && !SnapForwarder) { OrdinalNumber = (USHORT)(IMAGE_ORDINAL(NameThunk->u1.Ordinal) - ExportDirectory->Base); *MissingProcedureName = (PCHAR)(ULONG_PTR)OrdinalNumber; } else { // // Change AddressOfData from an RVA to a VA. // if (!SnapForwarder) { NameThunk->u1.AddressOfData = (ULONG_PTR)ImageBase + NameThunk->u1.AddressOfData; } strncpy (*MissingProcedureName, (const PCHAR)&((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Name[0], MAXIMUM_FILENAME_LENGTH - 1); // // Lookup Name in NameTable // NameTableBase = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNames); NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals); // // Before dropping into binary search, see if // the hint index results in a successful // match. If the hint index is zero, then // drop into binary search. // HintIndex = ((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Hint; if ((ULONG)HintIndex < ExportDirectory->NumberOfNames && !strcmp((PSZ)((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Name, (PSZ)((PCHAR)DllBase + NameTableBase[HintIndex]))) { OrdinalNumber = NameOrdinalTableBase[HintIndex]; } else { // // Lookup the import name in the name table using a binary search. // Low = 0; High = ExportDirectory->NumberOfNames - 1; // // Initializing Middle is not needed for correctness, but without it // the compiler cannot compile this code W4 to check for use of // uninitialized variables. // Middle = 0; while (High >= Low) { // // Compute the next probe index and compare the import name // with the export name entry. // Middle = (Low + High) >> 1; Result = strcmp((const PCHAR)&((PIMAGE_IMPORT_BY_NAME)NameThunk->u1.AddressOfData)->Name[0], (PCHAR)((PCHAR)DllBase + NameTableBase[Middle])); if (Result < 0) { High = Middle - 1; } else if (Result > 0) { Low = Middle + 1; } else { break; } } // // If the high index is less than the low index, then a matching // table entry was not found. Otherwise, get the ordinal number // from the ordinal table. // if ((LONG)High < (LONG)Low) { return STATUS_DRIVER_ENTRYPOINT_NOT_FOUND; } else { OrdinalNumber = NameOrdinalTableBase[Middle]; } } } // // If OrdinalNumber is not within the Export Address Table, // then DLL does not implement function. Snap to LDRP_BAD_DLL. // if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions) { Status = STATUS_DRIVER_ORDINAL_NOT_FOUND; } else { MissingProcedureName2 = NameBuffer; Addr = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions); *(PULONG_PTR)&AddrThunk->u1.Function = (ULONG_PTR)DllBase + Addr[OrdinalNumber]; // AddrThunk s/b used from here on. Status = STATUS_SUCCESS; if (((ULONG_PTR)AddrThunk->u1.Function > (ULONG_PTR)ExportDirectory) && ((ULONG_PTR)AddrThunk->u1.Function < ((ULONG_PTR)ExportDirectory + ExportSize)) ) { UNICODE_STRING UnicodeString; ANSI_STRING ForwardDllName; PLIST_ENTRY NextEntry; PKLDR_DATA_TABLE_ENTRY DataTableEntry; ULONG LocalExportSize; PIMAGE_EXPORT_DIRECTORY LocalExportDirectory; Status = STATUS_DRIVER_ENTRYPOINT_NOT_FOUND; // // Include the dot in the length so we can do prefix later on. // ForwardDllName.Buffer = (PCHAR)AddrThunk->u1.Function; ForwardDllName.Length = (USHORT)(strchr(ForwardDllName.Buffer, '.') - ForwardDllName.Buffer + 1); ForwardDllName.MaximumLength = ForwardDllName.Length; if (NT_SUCCESS(RtlAnsiStringToUnicodeString(&UnicodeString, &ForwardDllName, TRUE))) { NextEntry = PsLoadedModuleList.Flink; while (NextEntry != &PsLoadedModuleList) { DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); // // We have to do a case INSENSITIVE comparison for // forwarder because the linker just took what is in the // def file, as opposed to looking in the exporting // image for the name. // we also use the prefix function to ignore the .exe or // .sys or .dll at the end. // if (RtlPrefixString((PSTRING)&UnicodeString, (PSTRING)&DataTableEntry->BaseDllName, TRUE)) { LocalExportDirectory = (PIMAGE_EXPORT_DIRECTORY) RtlImageDirectoryEntryToData(DataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &LocalExportSize); if (LocalExportDirectory != NULL) { IMAGE_THUNK_DATA thunkData; PIMAGE_IMPORT_BY_NAME addressOfData; SIZE_T length; // // One extra byte for NULL termination. // length = strlen(ForwardDllName.Buffer + ForwardDllName.Length) + 1; addressOfData = (PIMAGE_IMPORT_BY_NAME) ExAllocatePoolWithTag (PagedPool, length + sizeof(IMAGE_IMPORT_BY_NAME), ' mM'); if (addressOfData) { RtlCopyMemory(&(addressOfData->Name[0]), ForwardDllName.Buffer + ForwardDllName.Length, length); addressOfData->Hint = 0; *(PULONG_PTR)&thunkData.u1.AddressOfData = (ULONG_PTR)addressOfData; Status = MiSnapThunk(DataTableEntry->DllBase, ImageBase, &thunkData, &thunkData, LocalExportDirectory, LocalExportSize, TRUE, &MissingProcedureName2); ExFreePool(addressOfData); AddrThunk->u1 = thunkData.u1; } } break; } NextEntry = NextEntry->Flink; } RtlFreeUnicodeString(&UnicodeString); } } } return Status; } #if 0 PVOID MiLookupImageSectionByName ( IN PVOID Base, IN LOGICAL MappedAsImage, IN PCHAR SectionName, OUT PULONG SectionSize ) /*++ Routine Description: This function locates a Directory Entry within the image header and returns either the virtual address or seek address of the data the Directory describes. Arguments: Base - Supplies the base of the image or data file. MappedAsImage - FALSE if the file is mapped as a data file. - TRUE if the file is mapped as an image. SectionName - Supplies the name of the section to lookup. SectionSize - Return the size of the section. Return Value: NULL - The file does not contain data for the specified section. NON-NULL - Returns the address where the section is mapped in memory. --*/ { ULONG i, j, Match; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_SECTION_HEADER NtSection; NtHeaders = RtlImageNtHeader(Base); NtSection = IMAGE_FIRST_SECTION (NtHeaders); for (i = 0; i < NtHeaders->FileHeader.NumberOfSections; i++) { Match = TRUE; for (j = 0; j < IMAGE_SIZEOF_SHORT_NAME; j++) { if (SectionName[j] != NtSection->Name[j]) { Match = FALSE; break; } if (SectionName[j] == '\0') { break; } } if (Match) { break; } NtSection += 1; } if (Match) { *SectionSize = NtSection->SizeOfRawData; if (MappedAsImage) { return (((PCHAR)Base + NtSection->VirtualAddress)); } else { return (((PCHAR)Base + NtSection->PointerToRawData)); } } return NULL; } #endif //0 NTSTATUS MmCheckSystemImage ( IN HANDLE ImageFileHandle, IN LOGICAL PurgeSection ) /*++ Routine Description: This function ensures the checksum for a system image is correct and matches the data in the image. Arguments: ImageFileHandle - Supplies the file handle of the image. PurgeSection - Supplies TRUE if the data section mapping the image should be purged prior to returning. Note that the first page could be used to speed up subsequent image section creation, but generally the cost of useless data pages sitting in transition is costly. Better to put the pages immediately on the free list to preserve the transition cache for more useful pages. Return Value: Status value. --*/ { NTSTATUS Status; NTSTATUS Status2; HANDLE Section; PVOID ViewBase; SIZE_T ViewSize; IO_STATUS_BLOCK IoStatusBlock; PIMAGE_FILE_HEADER FileHeader; PIMAGE_NT_HEADERS NtHeaders; FILE_STANDARD_INFORMATION StandardInfo; PSECTION SectionPointer; OBJECT_ATTRIBUTES ObjectAttributes; KAPC_STATE ApcState; PAGED_CODE(); InitializeObjectAttributes (&ObjectAttributes, NULL, (OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE), NULL, NULL); Status = ZwCreateSection (&Section, SECTION_MAP_EXECUTE, &ObjectAttributes, NULL, PAGE_EXECUTE, SEC_COMMIT, ImageFileHandle); if (!NT_SUCCESS(Status)) { return Status; } ViewBase = NULL; ViewSize = 0; // // Since callees are not always in the context of the system process, // attach here when necessary to guarantee the driver load occurs in a // known safe address space to prevent security holes. // KeStackAttachProcess (&PsInitialSystemProcess->Pcb, &ApcState); Status = ZwMapViewOfSection (Section, NtCurrentProcess(), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare, 0L, PAGE_EXECUTE); if (!NT_SUCCESS(Status)) { KeUnstackDetachProcess (&ApcState); ZwClose(Section); return Status; } // // Now the image is mapped as a data file... Calculate its size and then // check its checksum. // Status = ZwQueryInformationFile (ImageFileHandle, &IoStatusBlock, &StandardInfo, sizeof(StandardInfo), FileStandardInformation); if (NT_SUCCESS(Status)) { try { if (!LdrVerifyMappedImageMatchesChecksum (ViewBase, StandardInfo.EndOfFile.LowPart)) { Status = STATUS_IMAGE_CHECKSUM_MISMATCH; goto out; } NtHeaders = RtlImageNtHeader (ViewBase); if (NtHeaders == NULL) { Status = STATUS_IMAGE_CHECKSUM_MISMATCH; goto out; } FileHeader = &NtHeaders->FileHeader; // // Detect configurations inadvertently trying to load 32-bit // drivers on NT64 or mismatched platform architectures, etc. // if ((FileHeader->Machine != IMAGE_FILE_MACHINE_NATIVE) || (NtHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)) { Status = STATUS_INVALID_IMAGE_PROTECT; goto out; } #if !defined(NT_UP) if (!MmVerifyImageIsOkForMpUse (ViewBase)) { Status = STATUS_IMAGE_MP_UP_MISMATCH; goto out; } #endif } except (EXCEPTION_EXECUTE_HANDLER) { Status = STATUS_IMAGE_CHECKSUM_MISMATCH; } } out: ZwUnmapViewOfSection (NtCurrentProcess(), ViewBase); KeUnstackDetachProcess (&ApcState); if (PurgeSection == TRUE) { Status2 = ObReferenceObjectByHandle (Section, SECTION_MAP_EXECUTE, MmSectionObjectType, KernelMode, (PVOID *) &SectionPointer, (POBJECT_HANDLE_INFORMATION) NULL); if (NT_SUCCESS (Status2)) { MmPurgeSection (SectionPointer->Segment->ControlArea->FilePointer->SectionObjectPointer, NULL, 0, FALSE); ObDereferenceObject (SectionPointer); } } ZwClose (Section); return Status; } #if !defined(NT_UP) BOOLEAN MmVerifyImageIsOkForMpUse( IN PVOID BaseAddress ) { PIMAGE_NT_HEADERS NtHeaders; PAGED_CODE(); NtHeaders = RtlImageNtHeader(BaseAddress); if (NtHeaders != NULL) { if ((KeNumberProcessors > 1) && (NtHeaders->FileHeader.Characteristics & IMAGE_FILE_UP_SYSTEM_ONLY)) { return FALSE; } } return TRUE; } #endif PFN_NUMBER MiDeleteSystemPagableVm ( IN PMMPTE PointerPte, IN PFN_NUMBER NumberOfPtes, IN MMPTE NewPteValue, IN LOGICAL SessionAllocation, OUT PPFN_NUMBER ResidentPages ) /*++ Routine Description: This function deletes pagable system address space (paged pool or driver pagable sections). Arguments: PointerPte - Supplies the start of the PTE range to delete. NumberOfPtes - Supplies the number of PTEs in the range. NewPteValue - Supplies the new value for the PTE. SessionAllocation - Supplies TRUE if this is a range in session space. If TRUE is specified, it is assumed that the caller has already attached to the relevant session. If FALSE is supplied, then it is assumed that the range is in the systemwide global space instead. ResidentPages - If not NULL, the number of resident pages freed is returned here. Return Value: Returns the number of pages actually freed. --*/ { PVOID VirtualAddress; PFN_NUMBER PageFrameIndex; MMPTE PteContents; PMMPFN Pfn1; PMMPFN Pfn2; PFN_NUMBER ValidPages; PFN_NUMBER PagesRequired; MMPTE NewContents; WSLE_NUMBER WsIndex; KIRQL OldIrql; KIRQL OldIrqlWs; MMPTE_FLUSH_LIST PteFlushList; MMPTE JunkPte; MMWSLENTRY Locked; PFN_NUMBER PageTableFrameIndex; PETHREAD CurrentThread; LOGICAL WsHeld; ASSERT (KeGetCurrentIrql() <= APC_LEVEL); ValidPages = 0; PagesRequired = 0; PteFlushList.Count = 0; WsHeld = FALSE; OldIrqlWs = PASSIVE_LEVEL; NewContents = NewPteValue; CurrentThread = PsGetCurrentThread (); while (NumberOfPtes != 0) { PteContents = *PointerPte; if (PteContents.u.Long != ZeroKernelPte.u.Long) { if (PteContents.u.Hard.Valid == 1) { // // Once the working set mutex is acquired, it is deliberately // held until all the pages have been freed. This is because // when paged pool is running low on large servers, we need the // segment dereference thread to be able to free large amounts // quickly. Typically this thread will free 64k chunks and we // don't want to have to contend for the mutex 16 times to do // this as there may be thousands of other threads also trying // for it. // if (WsHeld == FALSE) { WsHeld = TRUE; if (SessionAllocation == TRUE) { LOCK_SESSION_SPACE_WS (OldIrqlWs, CurrentThread); } else { LOCK_SYSTEM_WS (OldIrqlWs, CurrentThread); } } PteContents = *(volatile MMPTE *)PointerPte; if (PteContents.u.Hard.Valid == 0) { continue; } // // Delete the page. // PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (&PteContents); Pfn1 = MI_PFN_ELEMENT (PageFrameIndex); // // Check to see if this is a pagable page in which // case it needs to be removed from the working set list. // WsIndex = Pfn1->u1.WsIndex; if (WsIndex == 0) { ValidPages += 1; if (SessionAllocation == TRUE) { MM_BUMP_SESS_COUNTER (MM_DBG_SESSION_NP_DELVA, 1); MmSessionSpace->NonPagablePages -= 1; } } else { if (SessionAllocation == FALSE) { MiRemoveWsle (WsIndex, MmSystemCacheWorkingSetList); MiReleaseWsle (WsIndex, &MmSystemCacheWs); } else { VirtualAddress = MiGetVirtualAddressMappedByPte (PointerPte); WsIndex = MiLocateWsle (VirtualAddress, MmSessionSpace->Vm.VmWorkingSetList, WsIndex); ASSERT (WsIndex != WSLE_NULL_INDEX); // // Check to see if this entry is locked in // the working set or locked in memory. // Locked = MmSessionSpace->Wsle[WsIndex].u1.e1; MiRemoveWsle (WsIndex, MmSessionSpace->Vm.VmWorkingSetList); MiReleaseWsle (WsIndex, &MmSessionSpace->Vm); if (Locked.LockedInWs == 1 || Locked.LockedInMemory == 1) { // // This entry is locked. // MM_BUMP_SESS_COUNTER (MM_DBG_SESSION_NP_DELVA, 1); MmSessionSpace->NonPagablePages -= 1; ValidPages += 1; ASSERT (WsIndex < MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic); MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic -= 1; if (WsIndex != MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic) { WSLE_NUMBER Entry; PVOID SwapVa; Entry = MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic; ASSERT (MmSessionSpace->Wsle[Entry].u1.e1.Valid); SwapVa = MmSessionSpace->Wsle[Entry].u1.VirtualAddress; SwapVa = PAGE_ALIGN (SwapVa); MiSwapWslEntries (Entry, WsIndex, &MmSessionSpace->Vm); } } else { ASSERT (WsIndex >= MmSessionSpace->Vm.VmWorkingSetList->FirstDynamic); } } } LOCK_PFN (OldIrql); #if DBG0 if ((Pfn1->u3.e2.ReferenceCount > 1) && (Pfn1->u3.e1.WriteInProgress == 0)) { DbgPrint ("MM:SYSLOAD - deleting pool locked for I/O PTE %p, pfn %p, share=%x, refcount=%x, wsindex=%x\n", PointerPte, PageFrameIndex, Pfn1->u2.ShareCount, Pfn1->u3.e2.ReferenceCount, Pfn1->u1.WsIndex); // // This case is valid only if the page being deleted // contained a lookaside free list entry that wasn't mapped // and multiple threads faulted on it and waited together. // Some of the faulted threads are still on the ready // list but haven't run yet, and so still have references // to this page that they picked up during the fault. // But this current thread has already allocated the // lookaside entry and is now freeing the entire page. // // BUT - if it is NOT the above case, we really should // trap here. However, we don't have a good way to // distinguish between the two cases. Note // that this complication was inserted when we went to // cmpxchg8 because using locks would prevent anyone from // accessing the lookaside freelist flinks like this. // // So, the ASSERT below comes out, but we leave the print // above in (with more data added) for the case where it's // not a lookaside contender with the reference count, but // is instead a truly bad reference that needs to be // debugged. The system should crash shortly thereafter // and we'll at least have the above print to help us out. // // ASSERT (Pfn1->u3.e2.ReferenceCount == 1); } #endif //DBG // // Check if this is a prototype PTE. // if (Pfn1->u3.e1.PrototypePte == 1) { PMMPTE PointerPde; ASSERT (SessionAllocation == TRUE); // // Capture the state of the modified bit for this // PTE. // MI_CAPTURE_DIRTY_BIT_TO_PFN (PointerPte, Pfn1); // // Decrement the share and valid counts of the page table // page which maps this PTE. // PointerPde = MiGetPteAddress (PointerPte); if (PointerPde->u.Hard.Valid == 0) { #if (_MI_PAGING_LEVELS < 3) if (!NT_SUCCESS(MiCheckPdeForPagedPool (PointerPte))) { #endif KeBugCheckEx (MEMORY_MANAGEMENT, 0x61940, (ULONG_PTR)PointerPte, (ULONG_PTR)PointerPde->u.Long, (ULONG_PTR)MiGetVirtualAddressMappedByPte(PointerPte)); #if (_MI_PAGING_LEVELS < 3) } #endif } PageTableFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPde); Pfn2 = MI_PFN_ELEMENT (PageTableFrameIndex); MiDecrementShareCountInline (Pfn2, PageTableFrameIndex); // // Decrement the share count for the physical page. // MiDecrementShareCount (PageFrameIndex); // // No need to worry about fork prototype PTEs // for kernel addresses. // ASSERT (PointerPte > MiHighestUserPte); } else { PageTableFrameIndex = Pfn1->u4.PteFrame; Pfn2 = MI_PFN_ELEMENT (PageTableFrameIndex); MiDecrementShareCountInline (Pfn2, PageTableFrameIndex); MI_SET_PFN_DELETED (Pfn1); MiDecrementShareCountOnly (PageFrameIndex); } MI_WRITE_INVALID_PTE (PointerPte, NewContents); UNLOCK_PFN (OldIrql); // // Flush the TB for this page. // if (PteFlushList.Count != MM_MAXIMUM_FLUSH_COUNT) { // // We cannot rewrite the PTE later without creating a race // condition. So point the FlushPte at a harmless // location so MiFlushPteList does the right thing. // PteFlushList.FlushPte[PteFlushList.Count] = (PMMPTE)&JunkPte; PteFlushList.FlushVa[PteFlushList.Count] = MiGetVirtualAddressMappedByPte (PointerPte); PteFlushList.Count += 1; } } else if (PteContents.u.Soft.Prototype) { ASSERT (SessionAllocation == TRUE); // // No need to worry about fork prototype PTEs // for kernel addresses. // ASSERT (PointerPte >= MiHighestUserPte); MI_WRITE_INVALID_PTE (PointerPte, NewContents); // // We currently commit for all prototype kernel mappings since // we could copy-on-write. // } else if (PteContents.u.Soft.Transition == 1) { LOCK_PFN (OldIrql); PteContents = *(volatile MMPTE *)PointerPte; if (PteContents.u.Soft.Transition == 0) { UNLOCK_PFN (OldIrql); continue; } // // Transition, release page. // PageFrameIndex = MI_GET_PAGE_FRAME_FROM_TRANSITION_PTE (&PteContents); // // Set the pointer to PTE as empty so the page // is deleted when the reference count goes to zero. // Pfn1 = MI_PFN_ELEMENT (PageFrameIndex); MI_SET_PFN_DELETED (Pfn1); PageTableFrameIndex = Pfn1->u4.PteFrame; Pfn2 = MI_PFN_ELEMENT (PageTableFrameIndex); MiDecrementShareCountInline (Pfn2, PageTableFrameIndex); // // Check the reference count for the page, if the reference // count is zero, move the page to the free list, if the // reference count is not zero, ignore this page. When the // reference count goes to zero, it will be placed on the // free list. // if (Pfn1->u3.e2.ReferenceCount == 0) { MiUnlinkPageFromList (Pfn1); MiReleasePageFileSpace (Pfn1->OriginalPte); MiInsertPageInFreeList (PageFrameIndex); } #if 0 // // This assert is not valid since pool may now be the deferred // MmUnlockPages queue in which case the reference count // will be nonzero with no write in progress pending. // if ((Pfn1->u3.e2.ReferenceCount > 1) && (Pfn1->u3.e1.WriteInProgress == 0)) { DbgPrint ("MM:SYSLOAD - deleting pool locked for I/O %p\n", PageFrameIndex); DbgBreakPoint(); } #endif //DBG MI_WRITE_INVALID_PTE (PointerPte, NewContents); UNLOCK_PFN (OldIrql); } else { // // Demand zero, release page file space. // if (PteContents.u.Soft.PageFileHigh != 0) { LOCK_PFN (OldIrql); MiReleasePageFileSpace (PteContents); UNLOCK_PFN (OldIrql); } MI_WRITE_INVALID_PTE (PointerPte, NewContents); } PagesRequired += 1; } NumberOfPtes -= 1; PointerPte += 1; } if (WsHeld == TRUE) { if (SessionAllocation == TRUE) { UNLOCK_SESSION_SPACE_WS (OldIrqlWs); } else { UNLOCK_SYSTEM_WS (OldIrqlWs); } } // // There is the thorny case where one of the pages we just deleted could // get faulted back in when we released the PFN lock above within the loop. // The only time when this can happen is if a thread faulted during an // interlocked pool allocation for an address that we've just deleted. // // If this thread sees the NewContents in the PTE, it will treat it as // demand zero, and incorrectly allocate a page, PTE and WSL. It will // reference it once and realize it needs to reread the lookaside listhead // and restart the operation. But this page would live on in paged pool // as modified (but unused) until the paged pool allocator chose to give // out its virtual address again. // // The code below rewrites the PTEs which is really bad if another thread // gets a zero page between our first setting of the PTEs above and our // second setting below - because we'll reset the PTE to demand zero, but // we'll still have a WSL entry that's valid, and we spiral from there. // // We really should remove the writing of the PTE below since we've already // done it above. But for now, we're leaving it in - it's harmless because // we've chosen to fix this problem by checking for this case when we // materialize demand zero pages. Note that we have to fix this problem // by checking in the demand zero path because a thread could be coming into // that path any time before or after we flush the PTE list and any fixes // here could only address the before case, not the after. // if (SessionAllocation == TRUE) { // // Session space has no ASN - flush the entire TB. // MI_FLUSH_ENTIRE_SESSION_TB (TRUE, TRUE); } MiFlushPteList (&PteFlushList, TRUE, NewContents); if (ARGUMENT_PRESENT(ResidentPages)) { *ResidentPages = ValidPages; } return PagesRequired; } VOID MiSetImageProtect ( IN PSEGMENT Segment, IN ULONG Protection ) /*++ Routine Description: This function sets the protection of all prototype PTEs to the specified protection. Arguments: Segment - Supplies a pointer to the segment to protect. Protection - Supplies the protection value to set. Return Value: None. --*/ { PMMPTE PointerPte; PMMPTE StartPte; PMMPTE LastPte; MMPTE PteContents; PSUBSECTION Subsection; // // Set the subsection protections. // ASSERT (Segment->ControlArea->u.Flags.GlobalOnlyPerSession == 0); if ((Segment->ControlArea->u.Flags.GlobalOnlyPerSession == 0) && (Segment->ControlArea->u.Flags.Rom == 0)) { Subsection = (PSUBSECTION)(Segment->ControlArea + 1); } else { Subsection = (PSUBSECTION)((PLARGE_CONTROL_AREA)(Segment->ControlArea) + 1); } if ((Protection & MM_PROTECTION_WRITE_MASK) == 0) { Subsection->u.SubsectionFlags.Protection = Protection; Subsection->u.SubsectionFlags.ReadOnly = 1; } StartPte = Subsection->SubsectionBase; PointerPte = StartPte; LastPte = PointerPte + Segment->NonExtendedPtes; MmLockPagedPool (PointerPte, (LastPte - PointerPte) * sizeof (MMPTE)); do { PteContents = *PointerPte; ASSERT (PteContents.u.Hard.Valid == 0); if (PteContents.u.Long != ZeroPte.u.Long) { if ((PteContents.u.Soft.Prototype == 0) && (PteContents.u.Soft.Transition == 1)) { if (MiSetProtectionOnTransitionPte (PointerPte, Protection)) { continue; } } else { PointerPte->u.Soft.Protection = Protection; } } PointerPte += 1; } while (PointerPte < LastPte); MmUnlockPagedPool (StartPte, (LastPte - StartPte) * sizeof (MMPTE)); return; } VOID MiSetSystemCodeProtection ( IN PMMPTE FirstPte, IN PMMPTE LastPte ) /*++ Routine Description: This function sets the protection of system code to read only. Note this is different from protecting section-backed code like win32k. Arguments: FirstPte - Supplies the starting PTE. LastPte - Supplies the ending PTE. Return Value: None. Environment: Kernel Mode, IRQL of APC_LEVEL or below. This routine could be made PAGELK but it is a high frequency routine so it is actually better to keep it nonpaged to avoid bringing in the entire PAGELK section. --*/ { KIRQL OldIrql; MMPTE PteContents; MMPTE TempPte; MMPTE PreviousPte; PMMPTE PointerPte; PMMPTE PointerPde; PMMPTE PointerProtoPte; ULONG ProtectionMask; PMMPFN Pfn1; PMMPFN ProtoPfn; LOGICAL SessionAddress; #if defined(_X86_) ASSERT (MI_IS_PHYSICAL_ADDRESS(MiGetVirtualAddressMappedByPte(FirstPte)) == 0); #endif SessionAddress = FALSE; if (MI_IS_SESSION_ADDRESS(MiGetVirtualAddressMappedByPte(FirstPte))) { SessionAddress = TRUE; } ProtectionMask = MM_EXECUTE_READ; // // Make these PTEs read only. // // Note that the write bit may already be off (in the valid PTE) if the // page has already been inpaged from the paging file and has not since // been dirtied. // PointerPte = FirstPte; LOCK_PFN (OldIrql); while (PointerPte <= LastPte) { PteContents = *PointerPte; if ((PteContents.u.Long == 0) || (!*MiPteStr)) { PointerPte += 1; continue; } if (PteContents.u.Hard.Valid == 1) { Pfn1 = MI_PFN_ELEMENT (PteContents.u.Hard.PageFrameNumber); Pfn1->OriginalPte.u.Soft.Protection = ProtectionMask; // // Note the dirty and write bits get turned off here. // Any existing pagefile addresses for clean pages are preserved. // if (MI_IS_PTE_DIRTY(PteContents)) { MI_CAPTURE_DIRTY_BIT_TO_PFN (&PteContents, Pfn1); } MI_MAKE_VALID_PTE (TempPte, PteContents.u.Hard.PageFrameNumber, Pfn1->OriginalPte.u.Soft.Protection, PointerPte); if (SessionAddress == TRUE) { // // Session space has no ASN - flush the entire TB. // MI_FLUSH_SINGLE_SESSION_TB (MiGetVirtualAddressMappedByPte (PointerPte), TRUE, TRUE, (PHARDWARE_PTE)PointerPte, TempPte.u.Flush, PreviousPte); } else { KeFlushSingleTb (MiGetVirtualAddressMappedByPte (PointerPte), TRUE, TRUE, (PHARDWARE_PTE)PointerPte, TempPte.u.Flush); } } else if (PteContents.u.Soft.Prototype == 1) { if (SessionAddress == TRUE) { PointerPte->u.Proto.ReadOnly = 1; } else { PointerProtoPte = MiPteToProto(PointerPte); ASSERT (!MI_IS_PHYSICAL_ADDRESS(PointerProtoPte)); PointerPde = MiGetPteAddress (PointerProtoPte); if (PointerPde->u.Hard.Valid == 0) { MiMakeSystemAddressValidPfn (PointerProtoPte); // // The world may change if we had to wait. // PteContents = *PointerPte; if ((PteContents.u.Hard.Valid == 1) || (PteContents.u.Soft.Prototype == 0)) { continue; } } ProtoPfn = MI_PFN_ELEMENT (PointerPde->u.Hard.PageFrameNumber); MI_ADD_LOCKED_PAGE_CHARGE(ProtoPfn, 12); ProtoPfn->u3.e2.ReferenceCount += 1; ASSERT (ProtoPfn->u3.e2.ReferenceCount > 1); PteContents = *PointerProtoPte; if (PteContents.u.Long != ZeroPte.u.Long) { ASSERT (PteContents.u.Hard.Valid == 0); PointerProtoPte->u.Soft.Protection = ProtectionMask; if ((PteContents.u.Soft.Prototype == 0) && (PteContents.u.Soft.Transition == 1)) { Pfn1 = MI_PFN_ELEMENT (PteContents.u.Trans.PageFrameNumber); Pfn1->OriginalPte.u.Soft.Protection = ProtectionMask; } } ASSERT (ProtoPfn->u3.e2.ReferenceCount > 1); MI_REMOVE_LOCKED_PAGE_CHARGE_AND_DECREF(ProtoPfn, 13); } } else if (PteContents.u.Soft.Transition == 1) { Pfn1 = MI_PFN_ELEMENT (PteContents.u.Trans.PageFrameNumber); Pfn1->OriginalPte.u.Soft.Protection = ProtectionMask; PointerPte->u.Soft.Protection = ProtectionMask; } else { // // Must be page file space or demand zero. // PointerPte->u.Soft.Protection = ProtectionMask; } PointerPte += 1; } UNLOCK_PFN (OldIrql); } VOID MiWriteProtectSystemImage ( IN PVOID DllBase ) /*++ Routine Description: This function sets the protection of a system component to read only. Arguments: DllBase - Supplies the base address of the system component. Return Value: None. --*/ { ULONG SectionProtection; ULONG NumberOfSubsections; ULONG SectionVirtualSize; ULONG ImageAlignment; ULONG OffsetToSectionTable; ULONG NumberOfPtes; ULONG_PTR VirtualAddress; PVOID LastVirtualAddress; PMMPTE PointerPte; PMMPTE FirstPte; PMMPTE LastPte; PMMPTE LastImagePte; PMMPTE WritablePte; PIMAGE_NT_HEADERS NtHeader; PIMAGE_FILE_HEADER FileHeader; PIMAGE_SECTION_HEADER SectionTableEntry; PAGED_CODE(); if (MI_IS_PHYSICAL_ADDRESS(DllBase)) { return; } NtHeader = RtlImageNtHeader (DllBase); ASSERT (NtHeader); ImageAlignment = NtHeader->OptionalHeader.SectionAlignment; // // All session drivers must be one way or the other - no mixing is allowed // within multiple copy-on-write drivers. // if (MI_IS_SESSION_ADDRESS(DllBase) == 0) { // // Images prior to NT5 were not protected from stepping all over // their (and others) code and readonly data. Here we somewhat // preserve that behavior, but don't allow them to step on anyone else. // if (NtHeader->OptionalHeader.MajorOperatingSystemVersion < 5) { return; } if (NtHeader->OptionalHeader.MajorImageVersion < 5) { return; } } NumberOfPtes = BYTES_TO_PAGES (NtHeader->OptionalHeader.SizeOfImage); FileHeader = &NtHeader->FileHeader; NumberOfSubsections = FileHeader->NumberOfSections; ASSERT (NumberOfSubsections != 0); OffsetToSectionTable = sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + FileHeader->SizeOfOptionalHeader; SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeader + OffsetToSectionTable); // // Verify the image contains subsections ordered by increasing virtual // address and that there are no overlaps. // FirstPte = NULL; LastVirtualAddress = DllBase; for ( ; NumberOfSubsections > 0; NumberOfSubsections -= 1, SectionTableEntry += 1) { if (SectionTableEntry->Misc.VirtualSize == 0) { SectionVirtualSize = SectionTableEntry->SizeOfRawData; } else { SectionVirtualSize = SectionTableEntry->Misc.VirtualSize; } VirtualAddress = (ULONG_PTR)DllBase + SectionTableEntry->VirtualAddress; if ((PVOID)VirtualAddress <= LastVirtualAddress) { // // Subsections are not in an increasing virtual address ordering. // No protection is provided for such a poorly linked image. // KdPrint (("MM:sysload - Image at %p is badly linked\n", DllBase)); return; } LastVirtualAddress = (PVOID)((PCHAR)VirtualAddress + SectionVirtualSize - 1); } NumberOfSubsections = FileHeader->NumberOfSections; ASSERT (NumberOfSubsections != 0); SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeader + OffsetToSectionTable); LastVirtualAddress = NULL; // // Set writable PTE here so the image headers are excluded. This is // needed so that locking down of sections can continue to edit the // image headers for counts. // WritablePte = MiGetPteAddress ((PVOID)((ULONG_PTR)(SectionTableEntry + NumberOfSubsections) - 1)); LastImagePte = MiGetPteAddress(DllBase) + NumberOfPtes; for ( ; NumberOfSubsections > 0; NumberOfSubsections -= 1, SectionTableEntry += 1) { if (SectionTableEntry->Misc.VirtualSize == 0) { SectionVirtualSize = SectionTableEntry->SizeOfRawData; } else { SectionVirtualSize = SectionTableEntry->Misc.VirtualSize; } VirtualAddress = (ULONG_PTR)DllBase + SectionTableEntry->VirtualAddress; PointerPte = MiGetPteAddress ((PVOID)VirtualAddress); if (PointerPte >= LastImagePte) { // // Skip relocation subsections (which aren't given VA space). // break; } SectionProtection = (SectionTableEntry->Characteristics & (IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)); if (SectionProtection & IMAGE_SCN_MEM_WRITE) { // // This is a writable subsection, skip it. Make sure if it's // sharing a PTE (and update the linker so this doesn't happen // for the kernel at least) that the last PTE isn't made // read only. // WritablePte = MiGetPteAddress ((PVOID)(VirtualAddress + SectionVirtualSize - 1)); if (LastVirtualAddress != NULL) { LastPte = (PVOID) MiGetPteAddress (LastVirtualAddress); if (LastPte == PointerPte) { LastPte -= 1; } if (FirstPte <= LastPte) { ASSERT (PointerPte < LastImagePte); if (LastPte >= LastImagePte) { LastPte = LastImagePte - 1; } MiSetSystemCodeProtection (FirstPte, LastPte); } LastVirtualAddress = NULL; } continue; } if (LastVirtualAddress == NULL) { // // There is no previous subsection or the previous // subsection was writable. Thus the current starting PTE // could be mapping both a readonly and a readwrite // subsection if the image alignment is less than PAGE_SIZE. // These cases (in either order) are handled here. // if (PointerPte == WritablePte) { LastPte = MiGetPteAddress ((PVOID)(VirtualAddress + SectionVirtualSize - 1)); if (PointerPte == LastPte) { // // Nothing can be protected in this subsection // due to the image alignment specified for the executable. // continue; } PointerPte += 1; } FirstPte = PointerPte; } LastVirtualAddress = (PVOID)((PCHAR)VirtualAddress + SectionVirtualSize - 1); } if (LastVirtualAddress != NULL) { LastPte = (PVOID) MiGetPteAddress (LastVirtualAddress); if ((FirstPte <= LastPte) && (FirstPte < LastImagePte)) { if (LastPte >= LastImagePte) { LastPte = LastImagePte - 1; } MiSetSystemCodeProtection (FirstPte, LastPte); } } } VOID MiUpdateThunks ( IN PLOADER_PARAMETER_BLOCK LoaderBlock, IN PVOID OldAddress, IN PVOID NewAddress, IN ULONG NumberOfBytes ) /*++ Routine Description: This function updates the IATs of all the loaded modules in the system to handle a newly relocated image. Arguments: LoaderBlock - Supplies a pointer to the system loader block. OldAddress - Supplies the old address of the DLL which was just relocated. NewAddress - Supplies the new address of the DLL which was just relocated. NumberOfBytes - Supplies the number of bytes spanned by the DLL. Return Value: None. --*/ { PULONG_PTR ImportThunk; ULONG_PTR OldAddressHigh; ULONG_PTR AddressDifference; PKLDR_DATA_TABLE_ENTRY DataTableEntry; PLIST_ENTRY NextEntry; ULONG_PTR i; ULONG ImportSize; // // Note this routine must not call any modules outside the kernel. // This is because that module may itself be the one being relocated right // now. // OldAddressHigh = (ULONG_PTR)((PCHAR)OldAddress + NumberOfBytes - 1); AddressDifference = (ULONG_PTR)NewAddress - (ULONG_PTR)OldAddress; NextEntry = LoaderBlock->LoadOrderListHead.Flink; for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) { DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData( DataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &ImportSize); if (ImportThunk == NULL) { continue; } ImportSize /= sizeof(PULONG_PTR); for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) { if (*ImportThunk >= (ULONG_PTR)OldAddress && *ImportThunk <= OldAddressHigh) { *ImportThunk += AddressDifference; } } } } VOID MiReloadBootLoadedDrivers ( IN PLOADER_PARAMETER_BLOCK LoaderBlock ) /*++ Routine Description: The kernel, HAL and boot drivers are relocated by the loader. All the boot drivers are then relocated again here. This function relocates osloader-loaded images into system PTEs. This gives these images the benefits that all other drivers already enjoy, including : 1. Paging of the drivers (this is more than 500K today). 2. Write-protection of their text sections. 3. Automatic unload of drivers on last dereference. Note care must be taken when processing HIGHADJ relocations more than once. Arguments: LoaderBlock - Supplies a pointer to the system loader block. Return Value: None. Environment: Kernel mode, Phase 0 Initialization. --*/ { LOGICAL HasRelocations; PKLDR_DATA_TABLE_ENTRY DataTableEntry; PLIST_ENTRY NextEntry; PIMAGE_FILE_HEADER FileHeader; PIMAGE_NT_HEADERS NtHeader; PIMAGE_DATA_DIRECTORY DataDirectory; ULONG_PTR i; ULONG NumberOfPtes; ULONG NumberOfLoaderPtes; PMMPTE PointerPte; PMMPTE LastPte; PMMPTE LoaderPte; MMPTE PteContents; MMPTE TempPte; PVOID LoaderImageAddress; PVOID NewImageAddress; NTSTATUS Status; PFN_NUMBER PageFrameIndex; PFN_NUMBER PteFramePage; PMMPTE PteFramePointer; PMMPFN Pfn1; PMMPFN Pfn2; KIRQL OldIrql; PCHAR RelocatedVa; PCHAR NonRelocatedVa; LOGICAL StopMoving; #if !defined (_X86_) // // Only try to preserve low memory on x86 machines. // MmMakeLowMemory = FALSE; #endif StopMoving = FALSE; i = 0; NextEntry = LoaderBlock->LoadOrderListHead.Flink; for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) { // // Skip the kernel and the HAL. Note their relocation sections will // be automatically reclaimed. // i += 1; if (i <= 2) { continue; } DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); NtHeader = RtlImageNtHeader (DataTableEntry->DllBase); // // Ensure that the relocation section exists and that the loader // hasn't freed it already. // if (NtHeader == NULL) { continue; } FileHeader = &NtHeader->FileHeader; if (FileHeader->Characteristics & IMAGE_FILE_RELOCS_STRIPPED) { continue; } if (IMAGE_DIRECTORY_ENTRY_BASERELOC >= NtHeader->OptionalHeader.NumberOfRvaAndSizes) { continue; } DataDirectory = &NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC]; if (DataDirectory->VirtualAddress == 0) { HasRelocations = FALSE; } else { if (DataDirectory->VirtualAddress + DataDirectory->Size > DataTableEntry->SizeOfImage) { // // The relocation section has already been freed, the user must // be using an old loader that didn't save the relocations. // continue; } HasRelocations = TRUE; } LoaderImageAddress = DataTableEntry->DllBase; LoaderPte = MiGetPteAddress(DataTableEntry->DllBase); NumberOfLoaderPtes = (ULONG)((ROUND_TO_PAGES(DataTableEntry->SizeOfImage)) >> PAGE_SHIFT); LOCK_PFN (OldIrql); PointerPte = LoaderPte; LastPte = PointerPte + NumberOfLoaderPtes; while (PointerPte < LastPte) { ASSERT (PointerPte->u.Hard.Valid == 1); PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte); Pfn1 = MI_PFN_ELEMENT (PageFrameIndex); // // Mark the page as modified so boot drivers that call // MmPageEntireDriver don't lose their unmodified data ! // MI_SET_MODIFIED (Pfn1, 1, 0x14); PointerPte += 1; } UNLOCK_PFN (OldIrql); // // Extra PTEs are allocated here to map the relocation section at the // new address so the image can be relocated. // NumberOfPtes = NumberOfLoaderPtes; PointerPte = MiReserveSystemPtes (NumberOfPtes, SystemPteSpace); if (PointerPte == NULL) { continue; } LastPte = PointerPte + NumberOfPtes; NewImageAddress = MiGetVirtualAddressMappedByPte (PointerPte); #if DBG_SYSLOAD DbgPrint ("Relocating %wZ from %p to %p, %x bytes\n", &DataTableEntry->FullDllName, DataTableEntry->DllBase, NewImageAddress, DataTableEntry->SizeOfImage ); #endif // // This assert is important because the assumption is made that PTEs // (not superpages) are mapping these drivers. // ASSERT (InitializationPhase == 0); // // If the system is configured to make low memory available for ISA // type drivers, then copy the boot loaded drivers now. Otherwise // only PTE adjustment is done. Presumably some day when ISA goes // away this code can be removed. // RelocatedVa = NewImageAddress; NonRelocatedVa = (PCHAR) DataTableEntry->DllBase; while (PointerPte < LastPte) { PteContents = *LoaderPte; ASSERT (PteContents.u.Hard.Valid == 1); if (MmMakeLowMemory == TRUE) { #if DBG PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (LoaderPte); Pfn1 = MI_PFN_ELEMENT (PageFrameIndex); ASSERT (Pfn1->u1.WsIndex == 0); #endif LOCK_PFN (OldIrql); MiEnsureAvailablePageOrWait (NULL, NULL); PageFrameIndex = MiRemoveAnyPage( MI_GET_PAGE_COLOR_FROM_PTE (PointerPte)); if (PageFrameIndex < (16*1024*1024)/PAGE_SIZE) { // // If the frames cannot be replaced with high pages // then stop copying. // #if defined (_MI_MORE_THAN_4GB_) if (MiNoLowMemory == 0) #endif StopMoving = TRUE; } MI_MAKE_VALID_PTE (TempPte, PageFrameIndex, MM_EXECUTE_READWRITE, PointerPte); MI_SET_PTE_DIRTY (TempPte); MI_SET_ACCESSED_IN_PTE (&TempPte, 1); MI_WRITE_VALID_PTE (PointerPte, TempPte); MiInitializePfn (PageFrameIndex, PointerPte, 1); Pfn1 = MI_PFN_ELEMENT (PageFrameIndex); MI_SET_MODIFIED (Pfn1, 1, 0x15); // // Initialize the WsIndex just like the original page had it. // Pfn1->u1.WsIndex = 0; UNLOCK_PFN (OldIrql); RtlCopyMemory (RelocatedVa, NonRelocatedVa, PAGE_SIZE); RelocatedVa += PAGE_SIZE; NonRelocatedVa += PAGE_SIZE; } else { MI_MAKE_VALID_PTE (TempPte, PteContents.u.Hard.PageFrameNumber, MM_EXECUTE_READWRITE, PointerPte); MI_SET_PTE_DIRTY (TempPte); MI_WRITE_VALID_PTE (PointerPte, TempPte); } PointerPte += 1; LoaderPte += 1; } PointerPte -= NumberOfPtes; ASSERT (*(PULONG)NewImageAddress == *(PULONG)LoaderImageAddress); // // Image is now mapped at the new address. Relocate it (again). // NtHeader->OptionalHeader.ImageBase = (ULONG_PTR)LoaderImageAddress; if (MmMakeLowMemory == TRUE) { PIMAGE_NT_HEADERS NtHeader2; NtHeader2 = (PIMAGE_NT_HEADERS)((PCHAR)NtHeader + (RelocatedVa - NonRelocatedVa)); NtHeader2->OptionalHeader.ImageBase = (ULONG_PTR)LoaderImageAddress; } if (HasRelocations == TRUE) { Status = (NTSTATUS)LdrRelocateImage(NewImageAddress, (CONST PCHAR)"SYSLDR", (ULONG)STATUS_SUCCESS, (ULONG)STATUS_CONFLICTING_ADDRESSES, (ULONG)STATUS_INVALID_IMAGE_FORMAT ); if (!NT_SUCCESS(Status)) { if (MmMakeLowMemory == TRUE) { while (PointerPte < LastPte) { PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte); Pfn1 = MI_PFN_ELEMENT (PageFrameIndex); MiDecrementShareAndValidCount (Pfn1->u4.PteFrame); MI_SET_PFN_DELETED (Pfn1); MiDecrementShareCountOnly (PageFrameIndex); PointerPte += 1; } PointerPte -= NumberOfPtes; } MiReleaseSystemPtes (PointerPte, NumberOfPtes, SystemPteSpace); if (StopMoving == TRUE) { MmMakeLowMemory = FALSE; } continue; } } // // Update the IATs for all other loaded modules that reference this one. // NonRelocatedVa = (PCHAR) DataTableEntry->DllBase; DataTableEntry->DllBase = NewImageAddress; MiUpdateThunks (LoaderBlock, LoaderImageAddress, NewImageAddress, DataTableEntry->SizeOfImage); // // Update the loaded module list entry. // DataTableEntry->Flags |= LDRP_SYSTEM_MAPPED; DataTableEntry->DllBase = NewImageAddress; DataTableEntry->EntryPoint = (PVOID)((PCHAR)NewImageAddress + NtHeader->OptionalHeader.AddressOfEntryPoint); DataTableEntry->SizeOfImage = NumberOfPtes << PAGE_SHIFT; // // Update the PFNs of the image to support trimming. // Note that the loader addresses are freed now so no references // to it are permitted after this point. // LoaderPte = MiGetPteAddress (NonRelocatedVa); LOCK_PFN (OldIrql); while (PointerPte < LastPte) { ASSERT (PointerPte->u.Hard.Valid == 1); if (MmMakeLowMemory == TRUE) { ASSERT (LoaderPte->u.Hard.Valid == 1); PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (LoaderPte); Pfn1 = MI_PFN_ELEMENT (PageFrameIndex); // // Decrement the share count on the original page table // page so it can be freed. // MiDecrementShareAndValidCount (Pfn1->u4.PteFrame); MI_SET_PFN_DELETED (Pfn1); MiDecrementShareCountOnly (PageFrameIndex); LoaderPte += 1; } else { PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte); Pfn1 = MI_PFN_ELEMENT (PageFrameIndex); // // Decrement the share count on the original page table // page so it can be freed. // MiDecrementShareAndValidCount (Pfn1->u4.PteFrame); *Pfn1->PteAddress = ZeroPte; // // Chain the PFN entry to its new page table. // PteFramePointer = MiGetPteAddress(PointerPte); PteFramePage = MI_GET_PAGE_FRAME_FROM_PTE (PteFramePointer); Pfn1->u4.PteFrame = PteFramePage; Pfn1->PteAddress = PointerPte; // // Increment the share count for the page table page that now // contains the PTE that was copied. // Pfn2 = MI_PFN_ELEMENT (PteFramePage); Pfn2->u2.ShareCount += 1; } PointerPte += 1; } UNLOCK_PFN (OldIrql); // // The physical pages mapping the relocation section are freed // later with the rest of the initialization code spanned by the // DataTableEntry->SizeOfImage. // if (StopMoving == TRUE) { MmMakeLowMemory = FALSE; } } } #if defined (_X86_) PMMPTE MiKernelResourceStartPte; PMMPTE MiKernelResourceEndPte; #endif VOID MiLocateKernelSections ( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry ) /*++ Routine Description: This function locates the resource section in the kernel so it can be made readwrite if we bugcheck later, as the bugcheck code will write into it. Arguments: DataTableEntry - Supplies the kernel's data table entry. Return Value: None. Environment: Kernel mode, Phase 0 Initialization. --*/ { PVOID CurrentBase; PIMAGE_NT_HEADERS NtHeader; PIMAGE_SECTION_HEADER SectionTableEntry; LONG i; PMMPTE PointerPte; PVOID SectionBaseAddress; CurrentBase = (PVOID)DataTableEntry->DllBase; NtHeader = RtlImageNtHeader(CurrentBase); SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeader + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + NtHeader->FileHeader.SizeOfOptionalHeader); // // From the image header, locate the section named '.rsrc'. // i = NtHeader->FileHeader.NumberOfSections; PointerPte = NULL; while (i > 0) { SectionBaseAddress = SECTION_BASE_ADDRESS(SectionTableEntry); #if defined (_X86_) if (*(PULONG)SectionTableEntry->Name == 'rsr.') { MiKernelResourceStartPte = MiGetPteAddress ((ULONG_PTR)CurrentBase + SectionTableEntry->VirtualAddress); MiKernelResourceEndPte = MiGetPteAddress (ROUND_TO_PAGES((ULONG_PTR)CurrentBase + SectionTableEntry->VirtualAddress + SectionTableEntry->SizeOfRawData)); break; } #endif if (*(PULONG)SectionTableEntry->Name == 'LOOP') { if (*(PULONG)&SectionTableEntry->Name[4] == 'EDOC') { ExPoolCodeStart = (PVOID)((ULONG_PTR)CurrentBase + SectionTableEntry->VirtualAddress); ExPoolCodeEnd = (PVOID)((ULONG_PTR)CurrentBase + SectionTableEntry->VirtualAddress + SectionTableEntry->SizeOfRawData); } else if (*(PUSHORT)&SectionTableEntry->Name[4] == 'IM') { MmPoolCodeStart = (PVOID)((ULONG_PTR)CurrentBase + SectionTableEntry->VirtualAddress); MmPoolCodeEnd = (PVOID)((ULONG_PTR)CurrentBase + SectionTableEntry->VirtualAddress + SectionTableEntry->SizeOfRawData); } } else if ((*(PULONG)SectionTableEntry->Name == 'YSIM') && (*(PULONG)&SectionTableEntry->Name[4] == 'ETPS')) { MmPteCodeStart = (PVOID)((ULONG_PTR)CurrentBase + SectionTableEntry->VirtualAddress); MmPteCodeEnd = (PVOID)((ULONG_PTR)CurrentBase + SectionTableEntry->VirtualAddress + SectionTableEntry->SizeOfRawData); } i -= 1; SectionTableEntry += 1; } } VOID MmMakeKernelResourceSectionWritable ( VOID ) /*++ Routine Description: This function makes the kernel's resource section readwrite so the bugcheck code can write into it. Arguments: None. Return Value: None. Environment: Kernel mode. Any IRQL. --*/ { #if defined (_X86_) MMPTE TempPte; MMPTE PteContents; PMMPTE PointerPte; if (MiKernelResourceStartPte == NULL) { return; } PointerPte = MiKernelResourceStartPte; if (MI_IS_PHYSICAL_ADDRESS (MiGetVirtualAddressMappedByPte (PointerPte))) { // // Mapped physically, doesn't need to be made readwrite. // return; } // // Since the entry state and IRQL are unknown, just go through the // PTEs without a lock and make them all readwrite. // do { PteContents = *PointerPte; #if defined(NT_UP) if (PteContents.u.Hard.Write == 0) #else if (PteContents.u.Hard.Writable == 0) #endif { MI_MAKE_VALID_PTE (TempPte, PteContents.u.Hard.PageFrameNumber, MM_READWRITE, PointerPte); #if !defined(NT_UP) TempPte.u.Hard.Writable = 1; #endif MI_WRITE_VALID_PTE_NEW_PROTECTION (PointerPte, TempPte); } PointerPte += 1; } while (PointerPte < MiKernelResourceEndPte); // // Don't do this more than once. // MiKernelResourceStartPte = NULL; // // Only flush this processor as the state of the others is unknown. // KeFlushCurrentTb (); #endif } #ifdef i386 PVOID PsNtosImageBase = (PVOID)0x80100000; #else PVOID PsNtosImageBase; #endif #if DBG PVOID PsNtosImageEnd; #endif #if defined(_AMD64_) // || defined(_IA64_) INVERTED_FUNCTION_TABLE PsInvertedFunctionTable = { 0, MAXIMUM_INVERTED_FUNCTION_TABLE_SIZE, FALSE}; #endif LIST_ENTRY PsLoadedModuleList; ERESOURCE PsLoadedModuleResource; LOGICAL MiInitializeLoadedModuleList ( IN PLOADER_PARAMETER_BLOCK LoaderBlock ) /*++ Routine Description: This function initializes the loaded module list based on the LoaderBlock. Arguments: LoaderBlock - Supplies a pointer to the system loader block. Return Value: None. Environment: Kernel mode, Phase 0 Initialization. --*/ { SIZE_T DataTableEntrySize; PLIST_ENTRY NextEntry; PKLDR_DATA_TABLE_ENTRY DataTableEntry1; PKLDR_DATA_TABLE_ENTRY DataTableEntry2; // // Initialize the loaded module list executive resource and spin lock. // ExInitializeResourceLite (&PsLoadedModuleResource); KeInitializeSpinLock (&PsLoadedModuleSpinLock); InitializeListHead (&PsLoadedModuleList); // // Scan the loaded module list and allocate and initialize a data table // entry for each module. The data table entry is inserted in the loaded // module list and the initialization order list in the order specified // in the loader parameter block. The data table entry is inserted in the // memory order list in memory order. // NextEntry = LoaderBlock->LoadOrderListHead.Flink; DataTableEntry2 = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); PsNtosImageBase = DataTableEntry2->DllBase; #if DBG PsNtosImageEnd = (PVOID) ((ULONG_PTR) DataTableEntry2->DllBase + DataTableEntry2->SizeOfImage); #endif MiLocateKernelSections (DataTableEntry2); while (NextEntry != &LoaderBlock->LoadOrderListHead) { DataTableEntry2 = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); // // Allocate a data table entry. // DataTableEntrySize = sizeof (KLDR_DATA_TABLE_ENTRY) + DataTableEntry2->BaseDllName.MaximumLength + sizeof(UNICODE_NULL); DataTableEntry1 = ExAllocatePoolWithTag (NonPagedPool, DataTableEntrySize, 'dLmM'); if (DataTableEntry1 == NULL) { return FALSE; } ASSERT (sizeof(KLDR_DATA_TABLE_ENTRY) == sizeof(LDR_DATA_TABLE_ENTRY)); // // Copy the data table entry. // *DataTableEntry1 = *DataTableEntry2; // // Clear fields we may use later so they don't inherit irrelevant // loader values. // ((PKLDR_DATA_TABLE_ENTRY)DataTableEntry1)->NonPagedDebugInfo = NULL; DataTableEntry1->FullDllName.Buffer = ExAllocatePoolWithTag (PagedPool, DataTableEntry2->FullDllName.MaximumLength + sizeof(UNICODE_NULL), 'TDmM'); if (DataTableEntry1->FullDllName.Buffer == NULL) { ExFreePool (DataTableEntry1); return FALSE; } DataTableEntry1->BaseDllName.Buffer = (PWSTR)((ULONG_PTR)DataTableEntry1 + sizeof (KLDR_DATA_TABLE_ENTRY)); // // Copy the strings. // RtlCopyMemory (DataTableEntry1->FullDllName.Buffer, DataTableEntry2->FullDllName.Buffer, DataTableEntry1->FullDllName.MaximumLength); RtlCopyMemory (DataTableEntry1->BaseDllName.Buffer, DataTableEntry2->BaseDllName.Buffer, DataTableEntry1->BaseDllName.MaximumLength); DataTableEntry1->BaseDllName.Buffer[DataTableEntry1->BaseDllName.Length/sizeof(WCHAR)] = UNICODE_NULL; // // Insert the data table entry in the load order list in the order // they are specified. // InsertTailList(&PsLoadedModuleList, &DataTableEntry1->InLoadOrderLinks); #if defined(_AMD64_) // || defined(_IA64_) RtlInsertInvertedFunctionTable (&PsInvertedFunctionTable, DataTableEntry1->DllBase, DataTableEntry1->SizeOfImage); #endif NextEntry = NextEntry->Flink; } MiBuildImportsForBootDrivers (); return TRUE; } NTSTATUS MmCallDllInitialize ( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry, IN PLIST_ENTRY ModuleListHead ) /*++ Routine Description: This function calls the DLL's initialize routine. Arguments: DataTableEntry - Supplies the kernel's data table entry. Return Value: Various NTSTATUS error codes. Environment: Kernel mode. --*/ { NTSTATUS st; PWCHAR Dot; PMM_DLL_INITIALIZE Func; UNICODE_STRING RegistryPath; UNICODE_STRING ImportName; ULONG ThunksAdded; Func = (PMM_DLL_INITIALIZE)(ULONG_PTR)MiLocateExportName (DataTableEntry->DllBase, "DllInitialize"); if (!Func) { return STATUS_SUCCESS; } ImportName.MaximumLength = DataTableEntry->BaseDllName.Length; ImportName.Buffer = ExAllocatePoolWithTag (NonPagedPool, ImportName.MaximumLength, 'TDmM'); if (ImportName.Buffer == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } ImportName.Length = DataTableEntry->BaseDllName.Length; RtlCopyMemory (ImportName.Buffer, DataTableEntry->BaseDllName.Buffer, ImportName.Length); RegistryPath.MaximumLength = (USHORT)(CmRegistryMachineSystemCurrentControlSetServices.Length + ImportName.Length + 2*sizeof(WCHAR)); RegistryPath.Buffer = ExAllocatePoolWithTag (NonPagedPool, RegistryPath.MaximumLength, 'TDmM'); if (RegistryPath.Buffer == NULL) { ExFreePool (ImportName.Buffer); return STATUS_INSUFFICIENT_RESOURCES; } RegistryPath.Length = CmRegistryMachineSystemCurrentControlSetServices.Length; RtlCopyMemory (RegistryPath.Buffer, CmRegistryMachineSystemCurrentControlSetServices.Buffer, CmRegistryMachineSystemCurrentControlSetServices.Length); RtlAppendUnicodeToString (&RegistryPath, (const PUSHORT)L"\\"); Dot = wcschr (ImportName.Buffer, L'.'); if (Dot) { ImportName.Length = (USHORT)((Dot - ImportName.Buffer) * sizeof(WCHAR)); } RtlAppendUnicodeStringToString (&RegistryPath, &ImportName); ExFreePool (ImportName.Buffer); // // Save the number of verifier thunks currently added so we know // if this activation adds any. To extend the thunk list, the module // performs an NtSetSystemInformation call which calls back to the // verifier's MmAddVerifierThunks, which increments MiVerifierThunksAdded. // ThunksAdded = MiVerifierThunksAdded; // // Invoke the DLL's initialization routine. // st = Func (&RegistryPath); ExFreePool (RegistryPath.Buffer); // // If the module's initialization routine succeeded, and if it extended // the verifier thunk list, and this is boot time, reapply the verifier // to the loaded modules. // // Note that boot time is the special case because after boot time, Mm // loads all the DLLs itself and a DLL initialize is thus guaranteed to // complete and add its thunks before the importing driver load finishes. // Since the importing driver is only thunked after its load finishes, // ordering implicitly guarantees that all DLL-registered thunks are // properly factored in to the importing driver. // // Boot time is special because the loader (not the Mm) already loaded // the DLLs *AND* the importing drivers so we have to look over our // shoulder and make it all right after the fact. // if ((NT_SUCCESS(st)) && (MiFirstDriverLoadEver == 0) && (MiVerifierThunksAdded != ThunksAdded)) { MiReApplyVerifierToLoadedModules (ModuleListHead); } return st; } NTKERNELAPI PVOID MmGetSystemRoutineAddress ( IN PUNICODE_STRING SystemRoutineName ) /*++ Routine Description: This function returns the address of the argument function pointer if it is in the kernel or HAL, NULL if it is not. Arguments: SystemRoutineName - Supplies the name of the desired routine. Return Value: Non-NULL function pointer if successful. NULL if not. Environment: Kernel mode, PASSIVE_LEVEL, arbitrary process context. --*/ { PKTHREAD CurrentThread; NTSTATUS Status; PKLDR_DATA_TABLE_ENTRY DataTableEntry; ANSI_STRING AnsiString; PLIST_ENTRY NextEntry; UNICODE_STRING KernelString; UNICODE_STRING HalString; PVOID FunctionAddress; LOGICAL Found; ULONG EntriesChecked; ASSERT (KeGetCurrentIrql() == PASSIVE_LEVEL); EntriesChecked = 0; FunctionAddress = NULL; RtlInitUnicodeString (&KernelString, (const PUSHORT)L"ntoskrnl.exe"); RtlInitUnicodeString (&HalString, (const PUSHORT)L"hal.dll"); do { Status = RtlUnicodeStringToAnsiString (&AnsiString, SystemRoutineName, TRUE); if (NT_SUCCESS (Status)) { break; } KeDelayExecutionThread (KernelMode, FALSE, (PLARGE_INTEGER)&MmShortTime); } while (TRUE); // // Arbitrary process context so prevent suspend APCs now. // CurrentThread = KeGetCurrentThread (); KeEnterCriticalRegionThread (CurrentThread); ExAcquireResourceSharedLite (&PsLoadedModuleResource, TRUE); // // Check only the kernel and the HAL for exports. // NextEntry = PsLoadedModuleList.Flink; while (NextEntry != &PsLoadedModuleList) { Found = FALSE; DataTableEntry = CONTAINING_RECORD(NextEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); if (RtlEqualUnicodeString (&KernelString, &DataTableEntry->BaseDllName, TRUE)) { Found = TRUE; EntriesChecked += 1; } else if (RtlEqualUnicodeString (&HalString, &DataTableEntry->BaseDllName, TRUE)) { Found = TRUE; EntriesChecked += 1; } if (Found == TRUE) { FunctionAddress = MiFindExportedRoutineByName (DataTableEntry->DllBase, &AnsiString); if (FunctionAddress != NULL) { break; } if (EntriesChecked == 2) { break; } } NextEntry = NextEntry->Flink; } ExReleaseResourceLite (&PsLoadedModuleResource); KeLeaveCriticalRegionThread (CurrentThread); RtlFreeAnsiString (&AnsiString); return FunctionAddress; } PVOID MiFindExportedRoutineByName ( IN PVOID DllBase, IN PANSI_STRING AnsiImageRoutineName ) /*++ Routine Description: This function searches the argument module looking for the requested exported function name. Arguments: DllBase - Supplies the base address of the requested module. AnsiImageRoutineName - Supplies the ANSI routine name being searched for. Return Value: The virtual address of the requested routine or NULL if not found. --*/ { USHORT OrdinalNumber; PULONG NameTableBase; PUSHORT NameOrdinalTableBase; PULONG Addr; ULONG High; ULONG Low; ULONG Middle; LONG Result; ULONG ExportSize; PVOID FunctionAddress; PIMAGE_EXPORT_DIRECTORY ExportDirectory; PAGED_CODE(); ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData( DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &ExportSize ); if (ExportDirectory == NULL) { return NULL; } // // Initialize the pointer to the array of RVA-based ansi export strings. // NameTableBase = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNames); // // Initialize the pointer to the array of USHORT ordinal numbers. // NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals); // // Lookup the desired name in the name table using a binary search. // Low = 0; High = ExportDirectory->NumberOfNames - 1; // // Initializing Middle is not needed for correctness, but without it // the compiler cannot compile this code W4 to check for use of // uninitialized variables. // Middle = 0; while (High >= Low) { // // Compute the next probe index and compare the import name // with the export name entry. // Middle = (Low + High) >> 1; Result = strcmp (AnsiImageRoutineName->Buffer, (PCHAR)DllBase + NameTableBase[Middle]); if (Result < 0) { High = Middle - 1; } else if (Result > 0) { Low = Middle + 1; } else { break; } } // // If the high index is less than the low index, then a matching // table entry was not found. Otherwise, get the ordinal number // from the ordinal table. // if ((LONG)High < (LONG)Low) { return NULL; } OrdinalNumber = NameOrdinalTableBase[Middle]; // // If the OrdinalNumber is not within the Export Address Table, // then this image does not implement the function. Return not found. // if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions) { return NULL; } // // Index into the array of RVA export addresses by ordinal number. // Addr = (PULONG)((PCHAR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions); FunctionAddress = (PVOID)((PCHAR)DllBase + Addr[OrdinalNumber]); // // Forwarders are not used by the kernel and HAL to each other. // ASSERT ((FunctionAddress <= (PVOID)ExportDirectory) || (FunctionAddress >= (PVOID)((PCHAR)ExportDirectory + ExportSize))); return FunctionAddress; } #if _MI_DEBUG_RONLY PMMPTE MiSessionDataStartPte; PMMPTE MiSessionDataEndPte; VOID MiAssertNotSessionData ( IN PMMPTE PointerPte ) { if (MI_IS_SESSION_IMAGE_PTE (PointerPte)) { if ((PointerPte >= MiSessionDataStartPte) && (PointerPte <= MiSessionDataEndPte)) { KeBugCheckEx (MEMORY_MANAGEMENT, 0x41287, (ULONG_PTR) PointerPte, 0, 0); } } } VOID MiLogSessionDataStart ( IN PKLDR_DATA_TABLE_ENTRY DataTableEntry ) { LONG i; PVOID CurrentBase; PIMAGE_NT_HEADERS NtHeader; PIMAGE_SECTION_HEADER SectionTableEntry; PVOID DataStart; PVOID DataEnd; if (MiSessionDataStartPte != NULL) { return; } // // Crack the image header to mark the data. // CurrentBase = (PVOID)DataTableEntry->DllBase; NtHeader = RtlImageNtHeader(CurrentBase); SectionTableEntry = (PIMAGE_SECTION_HEADER)((PCHAR)NtHeader + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + NtHeader->FileHeader.SizeOfOptionalHeader); i = NtHeader->FileHeader.NumberOfSections; while (i > 0) { // // Save the start and end of the data section. // if ((*(PULONG)SectionTableEntry->Name == 0x7461642e) && (*(PULONG)&SectionTableEntry->Name[4] == 0x61)) { DataStart = (PVOID)((PCHAR)CurrentBase + SectionTableEntry->VirtualAddress); DataEnd = (PVOID)((PCHAR)DataStart + SectionTableEntry->SizeOfRawData - 1); MiSessionDataStartPte = MiGetPteAddress (DataStart); MiSessionDataEndPte = MiGetPteAddress (DataEnd); break; } i -= 1; SectionTableEntry += 1; } } #endif