/*++ Copyright (c) 2000 Microsoft Corporation Module Name: dbgkobj.c Abstract: This module houses routines to handle the debug object Author: Neill Clift (NeillC) 26-Apr-2000 Revision History: --*/ #include "dbgkp.h" #pragma hdrstop #ifdef ALLOC_PRAGMA #pragma alloc_text(INIT, DbgkInitialize) #pragma alloc_text(PAGE, NtCreateDebugObject) #pragma alloc_text(PAGE, NtDebugActiveProcess) #pragma alloc_text(PAGE, NtRemoveProcessDebug) #pragma alloc_text(PAGE, NtWaitForDebugEvent) #pragma alloc_text(PAGE, NtDebugContinue) #pragma alloc_text(PAGE, NtSetInformationDebugObject) #pragma alloc_text(PAGE, DbgkpDeleteObject) #pragma alloc_text(PAGE, DbgkpCloseObject) #pragma alloc_text(PAGE, DbgkCopyProcessDebugPort) #pragma alloc_text(PAGE, DbgkOpenProcessDebugPort) #pragma alloc_text(PAGE, DbgkpSetProcessDebugObject) #pragma alloc_text(PAGE, DbgkpQueueMessage) #pragma alloc_text(PAGE, DbgkpOpenHandles) #pragma alloc_text(PAGE, DbgkClearProcessDebugObject) #pragma alloc_text(PAGE, DbgkpConvertKernelToUserStateChange) #pragma alloc_text(PAGE, DbgkpMarkProcessPeb) #pragma alloc_text(PAGE, DbgkpFreeDebugEvent) #pragma alloc_text(PAGE, DbgkpPostFakeProcessCreateMessages) #pragma alloc_text(PAGE, DbgkpPostFakeModuleMessages) #pragma alloc_text(PAGE, DbgkpPostFakeThreadMessages) #pragma alloc_text(PAGE, DbgkpWakeTarget) #pragma alloc_text(PAGE, DbgkpPostAdditionalThreadMessages) #endif // // Define this to not suspend threads while attaching. // This makes race conditions more prevelent. // //#define DBGK_DONT_SUSPEND // // Non-pageable data // // // This mutex protects the debug port object of processes. // FAST_MUTEX DbgkpProcessDebugPortMutex; // // Pageable data // //#ifdef ALLOC_PRAGMA //#pragma data_seg("PAGEDATA") //#endif POBJECT_TYPE DbgkDebugObjectType = NULL; //#ifdef ALLOC_PRAGMA //#pragma data_seg() //#endif NTSTATUS DbgkInitialize ( VOID ) /*++ Routine Description: Initialize the debug system Arguments: None Return Value: NTSTATUS - Status of operation --*/ { NTSTATUS Status; UNICODE_STRING Name; OBJECT_TYPE_INITIALIZER oti = {0}; GENERIC_MAPPING GenericMapping = {STANDARD_RIGHTS_READ | DEBUG_READ_EVENT, STANDARD_RIGHTS_WRITE | DEBUG_PROCESS_ASSIGN, STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE, DEBUG_ALL_ACCESS}; PAGED_CODE (); ExInitializeFastMutex (&DbgkpProcessDebugPortMutex); RtlInitUnicodeString (&Name, L"DebugObject"); oti.Length = sizeof (oti); oti.SecurityRequired = TRUE; oti.InvalidAttributes = 0; oti.PoolType = NonPagedPool; oti.DeleteProcedure = DbgkpDeleteObject; oti.CloseProcedure = DbgkpCloseObject; oti.ValidAccessMask = DEBUG_ALL_ACCESS; oti.GenericMapping = GenericMapping; oti.DefaultPagedPoolCharge = 0; oti.DefaultNonPagedPoolCharge = 0; Status = ObCreateObjectType (&Name, &oti, NULL, &DbgkDebugObjectType); if (!NT_SUCCESS (Status)) { return Status; } return Status; } VOID DbgkpDeleteObject ( IN PVOID Object ) /*++ Routine Description: Called by the object manager when the last reference to the object goes away. Arguments: Object - Debug object being deleted Return Value: None. --*/ { #if DBG PDEBUG_OBJECT DebugObject; #endif PAGED_CODE(); #if DBG DebugObject = Object; ASSERT (IsListEmpty (&DebugObject->EventList)); #else UNREFERENCED_PARAMETER(Object); #endif } VOID DbgkpMarkProcessPeb ( PEPROCESS Process ) /*++ Routine Description: This routine writes the debug variable in the PEB Arguments: Process - Process that needs its PEB modified Return Value: None. --*/ { KAPC_STATE ApcState; PAGED_CODE (); // // Acquire process rundown protection as we are about to look at the processes address space // if (ExAcquireRundownProtection (&Process->RundownProtect)) { if (Process->Peb != NULL) { KeStackAttachProcess(&Process->Pcb, &ApcState); ExAcquireFastMutex (&DbgkpProcessDebugPortMutex); try { Process->Peb->BeingDebugged = (BOOLEAN)(Process->DebugPort != NULL ? TRUE : FALSE); #if defined(_WIN64) if (Process->Wow64Process != NULL) { PPEB32 Peb32 = (PPEB32)Process->Wow64Process->Wow64; if (Peb32 != NULL) { Peb32->BeingDebugged = Process->Peb->BeingDebugged; } } #endif } except (EXCEPTION_EXECUTE_HANDLER) { } ExReleaseFastMutex (&DbgkpProcessDebugPortMutex); KeUnstackDetachProcess(&ApcState); } ExReleaseRundownProtection (&Process->RundownProtect); } } VOID DbgkpWakeTarget ( IN PDEBUG_EVENT DebugEvent ) { PETHREAD Thread; Thread = DebugEvent->Thread; if ((DebugEvent->Flags&DEBUG_EVENT_SUSPEND) != 0) { PsResumeThread (DebugEvent->Thread, NULL); } if (DebugEvent->Flags&DEBUG_EVENT_RELEASE) { ExReleaseRundownProtection (&Thread->RundownProtect); } // // If we have an actual thread waiting then wake it up else free the memory. // if ((DebugEvent->Flags&DEBUG_EVENT_NOWAIT) == 0) { KeSetEvent (&DebugEvent->ContinueEvent, 0, FALSE); // Wake up waiting process } else { DbgkpFreeDebugEvent (DebugEvent); } } VOID DbgkpCloseObject ( IN PEPROCESS Process, IN PVOID Object, IN ACCESS_MASK GrantedAccess, IN ULONG ProcessHandleCount, IN ULONG SystemHandleCount ) /*++ Routine Description: Called by the object manager when a handle is closed to the object. Arguments: Process - Process doing the close Object - Debug object being deleted GrantedAccess - Access ranted for this handle ProcessHandleCount - Unused and unmaintained by OB SystemHandleCount - Current handle count for this object Return Value: None. --*/ { PDEBUG_OBJECT DebugObject = Object; PDEBUG_EVENT DebugEvent; PLIST_ENTRY ListPtr; BOOLEAN Deref; PAGED_CODE (); UNREFERENCED_PARAMETER (GrantedAccess); UNREFERENCED_PARAMETER (ProcessHandleCount); // // If this isn't the last handle then do nothing. // if (SystemHandleCount > 1) { return; } ExAcquireFastMutex (&DebugObject->Mutex); // // Mark this object as going away and wake up any processes that are waiting. // DebugObject->Flags |= DEBUG_OBJECT_DELETE_PENDING; // // Remove any events and queue them to a temporary queue // ListPtr = DebugObject->EventList.Flink; InitializeListHead (&DebugObject->EventList); ExReleaseFastMutex (&DebugObject->Mutex); // // Wake anyone waiting. They need to leave this object alone now as its deleting // KeSetEvent (&DebugObject->EventsPresent, 0, FALSE); // // Loop over all processes and remove the debug port from any that still have it. // Debug port propogation was disabled by setting the delete pending flag above so we only have to do this // once. No more refs can appear now. // for (Process = PsGetNextProcess (NULL); Process != NULL; Process = PsGetNextProcess (Process)) { if (Process->DebugPort == DebugObject) { Deref = FALSE; ExAcquireFastMutex (&DbgkpProcessDebugPortMutex); if (Process->DebugPort == DebugObject) { Process->DebugPort = NULL; Deref = TRUE; } ExReleaseFastMutex (&DbgkpProcessDebugPortMutex); if (Deref) { DbgkpMarkProcessPeb (Process); // // If the caller wanted process deletion on debugger dying (old interface) then kill off the process. // if (DebugObject->Flags&DEBUG_OBJECT_KILL_ON_CLOSE) { PsTerminateProcess (Process, STATUS_DEBUGGER_INACTIVE); } ObDereferenceObject (DebugObject); } } } // // Wake up all the removed threads. // while (ListPtr != &DebugObject->EventList) { DebugEvent = CONTAINING_RECORD (ListPtr, DEBUG_EVENT, EventList); ListPtr = ListPtr->Flink; DebugEvent->Status = STATUS_DEBUGGER_INACTIVE; DbgkpWakeTarget (DebugEvent); } } VOID DbgkCopyProcessDebugPort ( IN PEPROCESS TargetProcess, IN PEPROCESS SourceProcess ) /*++ Routine Description: Copies a debug port from one process to another. Arguments: TargetProcess - Process to move port to sourceProcess - Process to move port from Return Value: None --*/ { PDEBUG_OBJECT DebugObject; PAGED_CODE (); TargetProcess->DebugPort = NULL; // New process. Needs no locks. if (SourceProcess->DebugPort != NULL) { ExAcquireFastMutex (&DbgkpProcessDebugPortMutex); DebugObject = SourceProcess->DebugPort; if (DebugObject != NULL && (SourceProcess->Flags&PS_PROCESS_FLAGS_NO_DEBUG_INHERIT) == 0) { // // We must not propogate a debug port thats got no handles left. // ExAcquireFastMutex (&DebugObject->Mutex); // // If the object is delete pending then don't propogate this object. // if ((DebugObject->Flags&DEBUG_OBJECT_DELETE_PENDING) == 0) { ObReferenceObject (DebugObject); TargetProcess->DebugPort = DebugObject; } ExReleaseFastMutex (&DebugObject->Mutex); } ExReleaseFastMutex (&DbgkpProcessDebugPortMutex); } } NTSTATUS DbgkOpenProcessDebugPort ( IN PEPROCESS Process, IN KPROCESSOR_MODE PreviousMode, OUT HANDLE *pHandle ) /*++ Routine Description: References the target processes debug port. Arguments: Process - Process to reference debug port Return Value: PDEBUG_OBJECT - Referenced object or NULL --*/ { PDEBUG_OBJECT DebugObject; NTSTATUS Status; PAGED_CODE (); Status = STATUS_PORT_NOT_SET; if (Process->DebugPort != NULL) { ExAcquireFastMutex (&DbgkpProcessDebugPortMutex); DebugObject = Process->DebugPort; if (DebugObject != NULL) { ObReferenceObject (DebugObject); } ExReleaseFastMutex (&DbgkpProcessDebugPortMutex); if (DebugObject != NULL) { Status = ObOpenObjectByPointer (DebugObject, 0, NULL, MAXIMUM_ALLOWED, DbgkDebugObjectType, PreviousMode, pHandle); if (!NT_SUCCESS (Status)) { ObDereferenceObject (DebugObject); } } } return Status; } NTSTATUS NtCreateDebugObject ( OUT PHANDLE DebugObjectHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN ULONG Flags ) /*++ Routine Description: Creates a new debug object that maintains the context for a single debug session. Multiple processes may be associated with a single debug object. Arguments: DebugObjectHandle - Pointer to a handle to recive the output objects handle DesiredAccess - Required handle access ObjectAttributes - Standard object attributes structure Flags - Only one flag DEBUG_KILL_ON_CLOSE Return Value: NTSTATUS - Status of call. --*/ { NTSTATUS Status; HANDLE Handle; KPROCESSOR_MODE PreviousMode; PDEBUG_OBJECT DebugObject; PAGED_CODE(); // // Get previous processor mode and probe output arguments if necessary. // Zero the handle for error paths. // PreviousMode = KeGetPreviousMode(); try { if (PreviousMode != KernelMode) { ProbeForWriteHandle (DebugObjectHandle); } *DebugObjectHandle = NULL; } except (ExSystemExceptionFilter ()) { // If previous mode is kernel then don't handle the exception return GetExceptionCode (); } if (Flags & ~DEBUG_KILL_ON_CLOSE) { return STATUS_INVALID_PARAMETER; } // // Create a new debug object and initialize it. // Status = ObCreateObject (PreviousMode, DbgkDebugObjectType, ObjectAttributes, PreviousMode, NULL, sizeof (DEBUG_OBJECT), 0, 0, &DebugObject); if (!NT_SUCCESS (Status)) { return Status; } ExInitializeFastMutex (&DebugObject->Mutex); InitializeListHead (&DebugObject->EventList); KeInitializeEvent (&DebugObject->EventsPresent, NotificationEvent, FALSE); if (Flags & DEBUG_KILL_ON_CLOSE) { DebugObject->Flags = DEBUG_OBJECT_KILL_ON_CLOSE; } else { DebugObject->Flags = 0; } // // Insert the object into the handle table // Status = ObInsertObject (DebugObject, NULL, DesiredAccess, 0, NULL, &Handle); if (!NT_SUCCESS (Status)) { return Status; } try { *DebugObjectHandle = Handle; } except (ExSystemExceptionFilter ()) { // // The caller changed the page protection or deleted the memory for the handle. // No point closing the handle as process rundown will do that and we don't know its still the same handle // Status = GetExceptionCode (); } return Status; } VOID DbgkpFreeDebugEvent ( IN PDEBUG_EVENT DebugEvent ) { NTSTATUS Status; PAGED_CODE (); switch (DebugEvent->ApiMsg.ApiNumber) { case DbgKmCreateProcessApi : if (DebugEvent->ApiMsg.u.CreateProcessInfo.FileHandle != NULL) { Status = ObCloseHandle (DebugEvent->ApiMsg.u.CreateProcessInfo.FileHandle, KernelMode); } break; case DbgKmLoadDllApi : if (DebugEvent->ApiMsg.u.LoadDll.FileHandle != NULL) { Status = ObCloseHandle (DebugEvent->ApiMsg.u.LoadDll.FileHandle, KernelMode); } break; } ObDereferenceObject (DebugEvent->Process); ObDereferenceObject (DebugEvent->Thread); ExFreePool (DebugEvent); } NTSTATUS DbgkpQueueMessage ( IN PEPROCESS Process, IN PETHREAD Thread, IN OUT PDBGKM_APIMSG ApiMsg, IN ULONG Flags, IN PDEBUG_OBJECT TargetDebugObject ) /*++ Routine Description: Queues a debug message to the port for a user mode debugger to get. Arguments: Process - Process being debugged Thread - Thread making call ApiMsg - Message being sent and received NoWait - Don't wait for a responce. Buffer message and return. TargetDebugObject - Port to queue nowait messages to Return Value: NTSTATUS - Status of call. --*/ { PDEBUG_EVENT DebugEvent; DEBUG_EVENT StaticDebugEvent; PDEBUG_OBJECT DebugObject; NTSTATUS Status; PAGED_CODE (); if (Flags&DEBUG_EVENT_NOWAIT) { DebugEvent = ExAllocatePoolWithQuotaTag (NonPagedPool|POOL_QUOTA_FAIL_INSTEAD_OF_RAISE, sizeof (*DebugEvent), 'EgbD'); if (DebugEvent == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } DebugEvent->Flags = Flags|DEBUG_EVENT_INACTIVE; ObReferenceObject (Process); ObReferenceObject (Thread); DebugEvent->BackoutThread = PsGetCurrentThread (); DebugObject = TargetDebugObject; } else { DebugEvent = &StaticDebugEvent; DebugEvent->Flags = Flags; ExAcquireFastMutex (&DbgkpProcessDebugPortMutex); DebugObject = Process->DebugPort; // // See if this create message has already been sent. // if (ApiMsg->ApiNumber == DbgKmCreateThreadApi || ApiMsg->ApiNumber == DbgKmCreateProcessApi) { if (Thread->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG) { DebugObject = NULL; } } // // See if this exit message is for a thread that never had a create // if (ApiMsg->ApiNumber == DbgKmExitThreadApi || ApiMsg->ApiNumber == DbgKmExitProcessApi) { if (Thread->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG) { DebugObject = NULL; } } } KeInitializeEvent (&DebugEvent->ContinueEvent, SynchronizationEvent, FALSE); DebugEvent->Process = Process; DebugEvent->Thread = Thread; DebugEvent->ApiMsg = *ApiMsg; DebugEvent->ClientId = Thread->Cid; if (DebugObject == NULL) { Status = STATUS_PORT_NOT_SET; } else { // // We must not use a debug port thats got no handles left. // ExAcquireFastMutex (&DebugObject->Mutex); // // If the object is delete pending then don't use this object. // if ((DebugObject->Flags&DEBUG_OBJECT_DELETE_PENDING) == 0) { InsertTailList (&DebugObject->EventList, &DebugEvent->EventList); // // Set the event to say there is an unread event in the object // if ((Flags&DEBUG_EVENT_NOWAIT) == 0) { KeSetEvent (&DebugObject->EventsPresent, 0, FALSE); } Status = STATUS_SUCCESS; } else { Status = STATUS_DEBUGGER_INACTIVE; } ExReleaseFastMutex (&DebugObject->Mutex); } if ((Flags&DEBUG_EVENT_NOWAIT) == 0) { ExReleaseFastMutex (&DbgkpProcessDebugPortMutex); if (NT_SUCCESS (Status)) { KeWaitForSingleObject (&DebugEvent->ContinueEvent, Executive, KernelMode, FALSE, NULL); Status = DebugEvent->Status; *ApiMsg = DebugEvent->ApiMsg; } } else { if (!NT_SUCCESS (Status)) { ObDereferenceObject (Process); ObDereferenceObject (Thread); ExFreePool (DebugEvent); } } return Status; } NTSTATUS DbgkClearProcessDebugObject ( IN PEPROCESS Process, IN PDEBUG_OBJECT SourceDebugObject ) /*++ Routine Description: Remove a debug object from a process. Arguments: Process - Process to be debugged sourceDebugObject - Debug object to detach Return Value: NTSTATUS - Status of call. --*/ { NTSTATUS Status; PDEBUG_OBJECT DebugObject; PDEBUG_EVENT DebugEvent; LIST_ENTRY TempList; PLIST_ENTRY Entry; PAGED_CODE (); ExAcquireFastMutex (&DbgkpProcessDebugPortMutex); DebugObject = Process->DebugPort; if (DebugObject == NULL || (DebugObject != SourceDebugObject && SourceDebugObject != NULL)) { DebugObject = NULL; Status = STATUS_PORT_NOT_SET; } else { Process->DebugPort = NULL; Status = STATUS_SUCCESS; } ExReleaseFastMutex (&DbgkpProcessDebugPortMutex); if (NT_SUCCESS (Status)) { DbgkpMarkProcessPeb (Process); } // // Remove any events for this process and wake up the threads. // if (DebugObject) { // // Remove any events and queue them to a temporary queue // InitializeListHead (&TempList); ExAcquireFastMutex (&DebugObject->Mutex); for (Entry = DebugObject->EventList.Flink; Entry != &DebugObject->EventList; ) { DebugEvent = CONTAINING_RECORD (Entry, DEBUG_EVENT, EventList); Entry = Entry->Flink; if (DebugEvent->Process == Process) { RemoveEntryList (&DebugEvent->EventList); InsertTailList (&TempList, &DebugEvent->EventList); } } ExReleaseFastMutex (&DebugObject->Mutex); ObDereferenceObject (DebugObject); // // Wake up all the removed threads. // while (!IsListEmpty (&TempList)) { Entry = RemoveHeadList (&TempList); DebugEvent = CONTAINING_RECORD (Entry, DEBUG_EVENT, EventList); DebugEvent->Status = STATUS_DEBUGGER_INACTIVE; DbgkpWakeTarget (DebugEvent); } } return Status; } NTSTATUS DbgkpSetProcessDebugObject ( IN PEPROCESS Process, IN PDEBUG_OBJECT DebugObject, IN NTSTATUS MsgStatus, IN PETHREAD LastThread ) /*++ Routine Description: Attach a debug object to a process. Arguments: Process - Process to be debugged DebugObject - Debug object to attach MsgStatus - Status from queing the messages LastThread - Last thread seen in attach loop. Return Value: NTSTATUS - Status of call. --*/ { NTSTATUS Status; PETHREAD ThisThread; LIST_ENTRY TempList; PLIST_ENTRY Entry; PDEBUG_EVENT DebugEvent; BOOLEAN First; PETHREAD Thread; BOOLEAN GlobalHeld; PETHREAD FirstThread; PAGED_CODE (); ThisThread = PsGetCurrentThread (); InitializeListHead (&TempList); First = TRUE; GlobalHeld = FALSE; if (!NT_SUCCESS (MsgStatus)) { LastThread = NULL; Status = MsgStatus; } else { Status = STATUS_SUCCESS; } // // Pick up any threads we missed // if (NT_SUCCESS (Status)) { while (1) { // // Acquire the debug port mutex so we know that any new threads will // have to wait to behind us. // GlobalHeld = TRUE; ExAcquireFastMutex (&DbgkpProcessDebugPortMutex); // // If the port has been set then exit now. // if (Process->DebugPort != NULL) { Status = STATUS_PORT_ALREADY_SET; break; } // // Assign the debug port to the process to pick up any new threads // Process->DebugPort = DebugObject; // // Reference the last thread so we can deref outside the lock // ObReferenceObject (LastThread); // // Search forward for new threads // Thread = PsGetNextProcessThread (Process, LastThread); if (Thread != NULL) { // // Remove the debug port from the process as we are // about to drop the lock // Process->DebugPort = NULL; ExReleaseFastMutex (&DbgkpProcessDebugPortMutex); GlobalHeld = FALSE; ObDereferenceObject (LastThread); // // Queue any new thread messages and repeat. // Status = DbgkpPostFakeThreadMessages (Process, DebugObject, Thread, &FirstThread, &LastThread); if (!NT_SUCCESS (Status)) { LastThread = NULL; break; } ObDereferenceObject (FirstThread); } else { break; } } } // // Lock the debug object so we can check its deleted status // ExAcquireFastMutex (&DebugObject->Mutex); // // We must not propogate a debug port thats got no handles left. // if (NT_SUCCESS (Status)) { if ((DebugObject->Flags&DEBUG_OBJECT_DELETE_PENDING) == 0) { PS_SET_BITS (&Process->Flags, PS_PROCESS_FLAGS_NO_DEBUG_INHERIT); ObReferenceObject (DebugObject); } else { Process->DebugPort = NULL; Status = STATUS_DEBUGGER_INACTIVE; } } for (Entry = DebugObject->EventList.Flink; Entry != &DebugObject->EventList; ) { DebugEvent = CONTAINING_RECORD (Entry, DEBUG_EVENT, EventList); Entry = Entry->Flink; if ((DebugEvent->Flags&DEBUG_EVENT_INACTIVE) != 0 && DebugEvent->BackoutThread == ThisThread) { Thread = DebugEvent->Thread; // // If the thread has not been inserted by CreateThread yet then don't // create a handle. We skip system threads here also // if (NT_SUCCESS (Status) && Thread->GrantedAccess != 0 && !IS_SYSTEM_THREAD (Thread)) { // // If we could not acquire rundown protection on this // thread then we need to supress its exit message. // if ((DebugEvent->Flags&DEBUG_EVENT_PROTECT_FAILED) != 0) { PS_SET_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG); RemoveEntryList (&DebugEvent->EventList); InsertTailList (&TempList, &DebugEvent->EventList); } else { if (First) { DebugEvent->Flags &= ~DEBUG_EVENT_INACTIVE; KeSetEvent (&DebugObject->EventsPresent, 0, FALSE); First = FALSE; } DebugEvent->BackoutThread = NULL; PS_SET_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG); } } else { RemoveEntryList (&DebugEvent->EventList); InsertTailList (&TempList, &DebugEvent->EventList); } if (DebugEvent->Flags&DEBUG_EVENT_RELEASE) { DebugEvent->Flags &= ~DEBUG_EVENT_RELEASE; ExReleaseRundownProtection (&Thread->RundownProtect); } } } ExReleaseFastMutex (&DebugObject->Mutex); if (GlobalHeld) { ExReleaseFastMutex (&DbgkpProcessDebugPortMutex); } if (LastThread != NULL) { ObDereferenceObject (LastThread); } while (!IsListEmpty (&TempList)) { Entry = RemoveHeadList (&TempList); DebugEvent = CONTAINING_RECORD (Entry, DEBUG_EVENT, EventList); DbgkpWakeTarget (DebugEvent); } if (NT_SUCCESS (Status)) { DbgkpMarkProcessPeb (Process); } return Status; } NTSTATUS DbgkpPostFakeThreadMessages ( IN PEPROCESS Process, IN PDEBUG_OBJECT DebugObject, IN PETHREAD StartThread, OUT PETHREAD *pFirstThread, OUT PETHREAD *pLastThread ) /*++ Routine Description: This routine posts the faked initial process create, thread create messages Arguments: Process - Process to be debugged DebugObject - Debug object to queue messages to StartThread - Thread to start search from pFirstThread - First thread found in the list pLastThread - Last thread found in the list Return Value: None. --*/ { NTSTATUS Status; PETHREAD Thread, FirstThread, LastThread; DBGKM_APIMSG ApiMsg; BOOLEAN First = TRUE; PIMAGE_NT_HEADERS NtHeaders; ULONG Flags; #if !defined (DBGK_DONT_SUSPEND) NTSTATUS Status1; #endif PAGED_CODE (); LastThread = FirstThread = NULL; Status = STATUS_UNSUCCESSFUL; if (StartThread != NULL) { First = FALSE; FirstThread = StartThread; ObReferenceObject (FirstThread); } else { StartThread = PsGetNextProcessThread (Process, NULL); First = TRUE; } for (Thread = StartThread; Thread != NULL; Thread = PsGetNextProcessThread (Process, Thread)) { Flags = DEBUG_EVENT_NOWAIT; // // Keep a track ont he last thread we have seen. // We use this as a starting point for new threads after we // really attach so we can pick up any new threads. // if (LastThread != NULL) { ObDereferenceObject (LastThread); } LastThread = Thread; ObReferenceObject (LastThread); // // Acquire rundown protection of the thread. // This stops the thread exiting so we know it can't send // it's termination message // if (ExAcquireRundownProtection (&Thread->RundownProtect)) { Flags |= DEBUG_EVENT_RELEASE; // // Suspend the thread if we can for the debugger // We don't suspend terminating threads as we will not be giving details // of these to the debugger. // #if !defined (DBGK_DONT_SUSPEND) if (!IS_SYSTEM_THREAD (Thread)) { Status1 = PsSuspendThread (Thread, NULL); if (NT_SUCCESS (Status1)) { Flags |= DEBUG_EVENT_SUSPEND; } } #endif } else { // // Rundown protection failed for this thread. // This means the thread is exiting. We will mark this thread // later so it doesn't sent a thread termination message. // We can't do this now because this attach might fail. // Flags |= DEBUG_EVENT_PROTECT_FAILED; } RtlZeroMemory (&ApiMsg, sizeof (ApiMsg)); if (First) { ApiMsg.ApiNumber = DbgKmCreateProcessApi; if (Process->SectionObject != NULL) { // system process doesn't have one of these! ApiMsg.u.CreateProcessInfo.FileHandle = DbgkpSectionToFileHandle (Process->SectionObject); } else { ApiMsg.u.CreateProcessInfo.FileHandle = NULL; } ApiMsg.u.CreateProcessInfo.BaseOfImage = Process->SectionBaseAddress; try { NtHeaders = RtlImageNtHeader(Process->SectionBaseAddress); if (NtHeaders) { ApiMsg.u.CreateProcessInfo.InitialThread.StartAddress = NULL; // Filling this in breaks MSDEV! // (PVOID)(NtHeaders->OptionalHeader.ImageBase + NtHeaders->OptionalHeader.AddressOfEntryPoint); ApiMsg.u.CreateProcessInfo.DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable; ApiMsg.u.CreateProcessInfo.DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols; } } except (EXCEPTION_EXECUTE_HANDLER) { ApiMsg.u.CreateProcessInfo.InitialThread.StartAddress = NULL; ApiMsg.u.CreateProcessInfo.DebugInfoFileOffset = 0; ApiMsg.u.CreateProcessInfo.DebugInfoSize = 0; } } else { ApiMsg.ApiNumber = DbgKmCreateThreadApi; ApiMsg.u.CreateThread.StartAddress = Thread->StartAddress; } Status = DbgkpQueueMessage (Process, Thread, &ApiMsg, Flags, DebugObject); if (!NT_SUCCESS (Status)) { if (Flags&DEBUG_EVENT_SUSPEND) { PsResumeThread (Thread, NULL); } if (Flags&DEBUG_EVENT_RELEASE) { ExReleaseRundownProtection (&Thread->RundownProtect); } if (ApiMsg.ApiNumber == DbgKmCreateProcessApi && ApiMsg.u.CreateProcessInfo.FileHandle != NULL) { ObCloseHandle (ApiMsg.u.CreateProcessInfo.FileHandle, KernelMode); } PsQuitNextProcessThread (Thread); break; } else if (First) { First = FALSE; ObReferenceObject (Thread); FirstThread = Thread; } } if (!NT_SUCCESS (Status)) { if (FirstThread) { ObDereferenceObject (FirstThread); } if (LastThread != NULL) { ObDereferenceObject (LastThread); } } else { if (FirstThread) { *pFirstThread = FirstThread; *pLastThread = LastThread; } else { Status = STATUS_UNSUCCESSFUL; } } return Status; } NTSTATUS DbgkpPostFakeModuleMessages ( IN PEPROCESS Process, IN PETHREAD Thread, IN PDEBUG_OBJECT DebugObject) /*++ Routine Description: This routine posts the faked module load messages when we debug an active process. Arguments: ProcessHandle - Handle to a process to be debugged DebugObjectHandle - Handle to a debug object Return Value: None. --*/ { PPEB Peb = Process->Peb; PPEB_LDR_DATA Ldr; PLIST_ENTRY LdrHead, LdrNext; PLDR_DATA_TABLE_ENTRY LdrEntry; DBGKM_APIMSG ApiMsg; ULONG i; OBJECT_ATTRIBUTES oa; UNICODE_STRING Name; PIMAGE_NT_HEADERS NtHeaders; NTSTATUS Status; IO_STATUS_BLOCK iosb; PAGED_CODE (); if (Peb == NULL) { return STATUS_SUCCESS; } try { Ldr = Peb->Ldr; LdrHead = &Ldr->InLoadOrderModuleList; ProbeForReadSmallStructure (LdrHead, sizeof (LIST_ENTRY), sizeof (UCHAR)); for (LdrNext = LdrHead->Flink, i = 0; LdrNext != LdrHead && i < 500; LdrNext = LdrNext->Flink, i++) { // // First image got send with process create message // if (i > 0) { RtlZeroMemory (&ApiMsg, sizeof (ApiMsg)); LdrEntry = CONTAINING_RECORD (LdrNext, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); ProbeForReadSmallStructure (LdrEntry, sizeof (LDR_DATA_TABLE_ENTRY), sizeof (UCHAR)); ApiMsg.ApiNumber = DbgKmLoadDllApi; ApiMsg.u.LoadDll.BaseOfDll = LdrEntry->DllBase; ProbeForReadSmallStructure (ApiMsg.u.LoadDll.BaseOfDll, sizeof (IMAGE_DOS_HEADER), sizeof (UCHAR)); NtHeaders = RtlImageNtHeader (ApiMsg.u.LoadDll.BaseOfDll); if (NtHeaders) { ApiMsg.u.LoadDll.DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable; ApiMsg.u.LoadDll.DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols; } Status = MmGetFileNameForAddress (NtHeaders, &Name); if (NT_SUCCESS (Status)) { InitializeObjectAttributes (&oa, &Name, OBJ_FORCE_ACCESS_CHECK|OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL); Status = ZwOpenFile (&ApiMsg.u.LoadDll.FileHandle, GENERIC_READ|SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT); if (!NT_SUCCESS (Status)) { ApiMsg.u.LoadDll.FileHandle = NULL; } ExFreePool (Name.Buffer); } Status = DbgkpQueueMessage (Process, Thread, &ApiMsg, DEBUG_EVENT_NOWAIT, DebugObject); if (!NT_SUCCESS (Status) && ApiMsg.u.LoadDll.FileHandle != NULL) { ObCloseHandle (ApiMsg.u.LoadDll.FileHandle, KernelMode); } } ProbeForReadSmallStructure (LdrNext, sizeof (LIST_ENTRY), sizeof (UCHAR)); } } except (EXCEPTION_EXECUTE_HANDLER) { } #if defined(_WIN64) if (Process->Wow64Process != NULL && Process->Wow64Process->Wow64 != NULL) { PPEB32 Peb32; PPEB_LDR_DATA32 Ldr32; PLIST_ENTRY32 LdrHead32, LdrNext32; PLDR_DATA_TABLE_ENTRY32 LdrEntry32; PWCHAR pSys; Peb32 = (PPEB32)Process->Wow64Process->Wow64; try { Ldr32 = (PVOID) UlongToPtr(Peb32->Ldr); LdrHead32 = &Ldr32->InLoadOrderModuleList; ProbeForReadSmallStructure (LdrHead32, sizeof (LIST_ENTRY32), sizeof (UCHAR)); for (LdrNext32 = (PVOID) UlongToPtr(LdrHead32->Flink), i = 0; LdrNext32 != LdrHead32 && i < 500; LdrNext32 = (PVOID) UlongToPtr(LdrNext32->Flink), i++) { if (i > 0) { RtlZeroMemory (&ApiMsg, sizeof (ApiMsg)); LdrEntry32 = CONTAINING_RECORD (LdrNext32, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks); ProbeForReadSmallStructure (LdrEntry32, sizeof (LDR_DATA_TABLE_ENTRY32), sizeof (UCHAR)); ApiMsg.ApiNumber = DbgKmLoadDllApi; ApiMsg.u.LoadDll.BaseOfDll = (PVOID) UlongToPtr(LdrEntry32->DllBase); ProbeForReadSmallStructure (ApiMsg.u.LoadDll.BaseOfDll, sizeof (IMAGE_DOS_HEADER), sizeof (UCHAR)); NtHeaders = RtlImageNtHeader(ApiMsg.u.LoadDll.BaseOfDll); if (NtHeaders) { ApiMsg.u.LoadDll.DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable; ApiMsg.u.LoadDll.DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols; } Status = MmGetFileNameForAddress (NtHeaders, &Name); if (NT_SUCCESS (Status)) { ASSERT (sizeof (L"SYSTEM32") == sizeof (WOW64_SYSTEM_DIRECTORY_U)); pSys = wcsstr (Name.Buffer, L"\\SYSTEM32\\"); if (pSys != NULL) { RtlCopyMemory (pSys+1, WOW64_SYSTEM_DIRECTORY_U, sizeof(WOW64_SYSTEM_DIRECTORY_U) - sizeof(UNICODE_NULL)); } InitializeObjectAttributes (&oa, &Name, OBJ_FORCE_ACCESS_CHECK|OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL); Status = ZwOpenFile (&ApiMsg.u.LoadDll.FileHandle, GENERIC_READ|SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT); if (!NT_SUCCESS (Status)) { ApiMsg.u.LoadDll.FileHandle = NULL; } ExFreePool (Name.Buffer); } Status = DbgkpQueueMessage (Process, Thread, &ApiMsg, DEBUG_EVENT_NOWAIT, DebugObject); if (!NT_SUCCESS (Status) && ApiMsg.u.LoadDll.FileHandle != NULL) { ObCloseHandle (ApiMsg.u.LoadDll.FileHandle, KernelMode); } } ProbeForReadSmallStructure (LdrNext32, sizeof (LIST_ENTRY32), sizeof (UCHAR)); } } except (EXCEPTION_EXECUTE_HANDLER) { } } #endif return STATUS_SUCCESS; } NTSTATUS DbgkpPostFakeProcessCreateMessages ( IN PEPROCESS Process, IN PDEBUG_OBJECT DebugObject, IN PETHREAD *pLastThread ) /*++ Routine Description: This routine posts the faked initial process create, thread create and mudule load messages Arguments: ProcessHandle - Handle to a process to be debugged DebugObjectHandle - Handle to a debug object Return Value: None. --*/ { NTSTATUS Status; KAPC_STATE ApcState; PETHREAD Thread; PETHREAD LastThread; PAGED_CODE (); // // Attach to the process so we can touch its address space // KeStackAttachProcess(&Process->Pcb, &ApcState); Status = DbgkpPostFakeThreadMessages (Process, DebugObject, NULL, &Thread, &LastThread); if (NT_SUCCESS (Status)) { Status = DbgkpPostFakeModuleMessages (Process, Thread, DebugObject); if (!NT_SUCCESS (Status)) { ObDereferenceObject (LastThread); LastThread = NULL; } ObDereferenceObject (Thread); } else { LastThread = NULL; } KeUnstackDetachProcess(&ApcState); *pLastThread = LastThread; return Status; } NTSTATUS NtDebugActiveProcess ( IN HANDLE ProcessHandle, IN HANDLE DebugObjectHandle ) /*++ Routine Description: Attach a debug object to a process. Arguments: ProcessHandle - Handle to a process to be debugged DebugObjectHandle - Handle to a debug object Return Value: NTSTATUS - Status of call. --*/ { NTSTATUS Status; KPROCESSOR_MODE PreviousMode; PDEBUG_OBJECT DebugObject; PEPROCESS Process; PETHREAD LastThread; PAGED_CODE (); PreviousMode = KeGetPreviousMode(); Status = ObReferenceObjectByHandle (ProcessHandle, PROCESS_SET_PORT, PsProcessType, PreviousMode, &Process, NULL); if (!NT_SUCCESS (Status)) { return Status; } // // Don't let us debug ourselves or the system process. // if (Process == PsGetCurrentProcess () || Process == PsInitialSystemProcess) { ObDereferenceObject (Process); return STATUS_ACCESS_DENIED; } Status = ObReferenceObjectByHandle (DebugObjectHandle, DEBUG_PROCESS_ASSIGN, DbgkDebugObjectType, PreviousMode, &DebugObject, NULL); if (NT_SUCCESS (Status)) { // // We will be touching process address space. Block process rundown. // if (ExAcquireRundownProtection (&Process->RundownProtect)) { // // Post the fake process create messages etc. // Status = DbgkpPostFakeProcessCreateMessages (Process, DebugObject, &LastThread); // // Set the debug port. If this fails it will remove any faked messages. // Status = DbgkpSetProcessDebugObject (Process, DebugObject, Status, LastThread); ExReleaseRundownProtection (&Process->RundownProtect); } else { Status = STATUS_PROCESS_IS_TERMINATING; } ObDereferenceObject (DebugObject); } ObDereferenceObject (Process); return Status; } NTSTATUS NtRemoveProcessDebug ( IN HANDLE ProcessHandle, IN HANDLE DebugObjectHandle ) /*++ Routine Description: Remove a debug object from a process. Arguments: ProcessHandle - Handle to a process currently being debugged Return Value: NTSTATUS - Status of call. --*/ { NTSTATUS Status; KPROCESSOR_MODE PreviousMode; PDEBUG_OBJECT DebugObject; PEPROCESS Process; PAGED_CODE (); PreviousMode = KeGetPreviousMode(); Status = ObReferenceObjectByHandle (ProcessHandle, PROCESS_SET_PORT, PsProcessType, PreviousMode, &Process, NULL); if (!NT_SUCCESS (Status)) { return Status; } Status = ObReferenceObjectByHandle (DebugObjectHandle, DEBUG_PROCESS_ASSIGN, DbgkDebugObjectType, PreviousMode, &DebugObject, NULL); if (NT_SUCCESS (Status)) { Status = DbgkClearProcessDebugObject (Process, DebugObject); ObDereferenceObject (DebugObject); } ObDereferenceObject (Process); return Status; } VOID DbgkpOpenHandles ( PDBGUI_WAIT_STATE_CHANGE WaitStateChange, PEPROCESS Process, PETHREAD Thread ) /*++ Routine Description: Opens up process, thread and filehandles if need be for some of the requests Arguments: WaitStateChange - User mode format change block Process - Pointer to target process Thread - Pointer to target thread Return Value: None --*/ { NTSTATUS Status; PEPROCESS CurrentProcess; HANDLE OldHandle; PAGED_CODE (); switch (WaitStateChange->NewState) { case DbgCreateThreadStateChange : // // We have the right to open up any thread in the process if we are allowed to debug it. // Use kernel mode here so we are always granted it regardless of protection. // Status = ObOpenObjectByPointer (Thread, 0, NULL, THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME | \ THREAD_QUERY_INFORMATION | THREAD_SET_INFORMATION | THREAD_TERMINATE | READ_CONTROL | SYNCHRONIZE, PsThreadType, KernelMode, &WaitStateChange->StateInfo.CreateThread.HandleToThread); if (!NT_SUCCESS (Status)) { WaitStateChange->StateInfo.CreateThread.HandleToThread = NULL; } break; case DbgCreateProcessStateChange : Status = ObOpenObjectByPointer (Thread, 0, NULL, THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME | \ THREAD_QUERY_INFORMATION | THREAD_SET_INFORMATION | THREAD_TERMINATE | READ_CONTROL | SYNCHRONIZE, PsThreadType, KernelMode, &WaitStateChange->StateInfo.CreateProcessInfo.HandleToThread); if (!NT_SUCCESS (Status)) { WaitStateChange->StateInfo.CreateProcessInfo.HandleToThread = NULL; } Status = ObOpenObjectByPointer (Process, 0, NULL, PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_TERMINATE | READ_CONTROL | SYNCHRONIZE, PsProcessType, KernelMode, &WaitStateChange->StateInfo.CreateProcessInfo.HandleToProcess); if (!NT_SUCCESS (Status)) { WaitStateChange->StateInfo.CreateProcessInfo.HandleToProcess = NULL; } OldHandle = WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.FileHandle; if (OldHandle != NULL) { CurrentProcess = PsGetCurrentProcess (); Status = ObDuplicateObject (CurrentProcess, OldHandle, CurrentProcess, &WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.FileHandle, 0, 0, DUPLICATE_SAME_ACCESS, KernelMode); if (!NT_SUCCESS (Status)) { WaitStateChange->StateInfo.CreateProcessInfo.NewProcess.FileHandle = NULL; } ObCloseHandle (OldHandle, KernelMode); } break; case DbgLoadDllStateChange : OldHandle = WaitStateChange->StateInfo.LoadDll.FileHandle; if (OldHandle != NULL) { CurrentProcess = PsGetCurrentProcess (); Status = ObDuplicateObject (CurrentProcess, OldHandle, CurrentProcess, &WaitStateChange->StateInfo.LoadDll.FileHandle, 0, 0, DUPLICATE_SAME_ACCESS, KernelMode); if (!NT_SUCCESS (Status)) { WaitStateChange->StateInfo.LoadDll.FileHandle = NULL; } ObCloseHandle (OldHandle, KernelMode); } break; default : break; } } VOID DbgkpConvertKernelToUserStateChange ( PDBGUI_WAIT_STATE_CHANGE WaitStateChange, PDEBUG_EVENT DebugEvent) /*++ Routine Description: Converts a kernel message to one the user expects Arguments: WaitStateChange - User mode format DebugEvent - Debug event block to copy from Return Value: None --*/ { PAGED_CODE (); WaitStateChange->AppClientId = DebugEvent->ClientId; switch (DebugEvent->ApiMsg.ApiNumber) { case DbgKmExceptionApi : switch (DebugEvent->ApiMsg.u.Exception.ExceptionRecord.ExceptionCode) { case STATUS_BREAKPOINT : WaitStateChange->NewState = DbgBreakpointStateChange; break; case STATUS_SINGLE_STEP : WaitStateChange->NewState = DbgSingleStepStateChange; break; default : WaitStateChange->NewState = DbgExceptionStateChange; break; } WaitStateChange->StateInfo.Exception = DebugEvent->ApiMsg.u.Exception; break; case DbgKmCreateThreadApi : WaitStateChange->NewState = DbgCreateThreadStateChange; WaitStateChange->StateInfo.CreateThread.NewThread = DebugEvent->ApiMsg.u.CreateThread; break; case DbgKmCreateProcessApi : WaitStateChange->NewState = DbgCreateProcessStateChange; WaitStateChange->StateInfo.CreateProcessInfo.NewProcess = DebugEvent->ApiMsg.u.CreateProcessInfo; // // clear out the handle in the message as we will close this when we duplicate. // DebugEvent->ApiMsg.u.CreateProcessInfo.FileHandle = NULL; break; case DbgKmExitThreadApi : WaitStateChange->NewState = DbgExitThreadStateChange; WaitStateChange->StateInfo.ExitThread = DebugEvent->ApiMsg.u.ExitThread; break; case DbgKmExitProcessApi : WaitStateChange->NewState = DbgExitProcessStateChange; WaitStateChange->StateInfo.ExitProcess = DebugEvent->ApiMsg.u.ExitProcess; break; case DbgKmLoadDllApi : WaitStateChange->NewState = DbgLoadDllStateChange; WaitStateChange->StateInfo.LoadDll = DebugEvent->ApiMsg.u.LoadDll; // // clear out the handle in the message as we will close this when we duplicate. // DebugEvent->ApiMsg.u.LoadDll.FileHandle = NULL; break; case DbgKmUnloadDllApi : WaitStateChange->NewState = DbgUnloadDllStateChange; WaitStateChange->StateInfo.UnloadDll = DebugEvent->ApiMsg.u.UnloadDll; break; default : ASSERT (FALSE); } } NTSTATUS NtWaitForDebugEvent ( IN HANDLE DebugObjectHandle, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL, OUT PDBGUI_WAIT_STATE_CHANGE WaitStateChange ) /*++ Routine Description: Waits for a debug event and returns it to the user if one arives Arguments: DebugObjectHandle - Handle to a debug object Alertable - TRUE is the wait is to be alertable Timeout - Operation timeout value WaitStateChange - Returned debug event Return Value: Status of operation --*/ { NTSTATUS Status; KPROCESSOR_MODE PreviousMode; PDEBUG_OBJECT DebugObject; LARGE_INTEGER Tmo = {0}; LARGE_INTEGER StartTime = {0}; DBGUI_WAIT_STATE_CHANGE tWaitStateChange = {0}; PEPROCESS Process; PETHREAD Thread; PLIST_ENTRY Entry, Entry2; PDEBUG_EVENT DebugEvent, DebugEvent2; BOOLEAN GotEvent; PAGED_CODE (); PreviousMode = KeGetPreviousMode(); try { if (ARGUMENT_PRESENT (Timeout)) { if (PreviousMode != KernelMode) { ProbeForReadSmallStructure (Timeout, sizeof (*Timeout), sizeof (UCHAR)); } Tmo = *Timeout; Timeout = &Tmo; KeQuerySystemTime (&StartTime); } if (PreviousMode != KernelMode) { ProbeForWriteSmallStructure (WaitStateChange, sizeof (*WaitStateChange), sizeof (UCHAR)); } } except (ExSystemExceptionFilter ()) { // If previous mode is kernel then don't handle the exception return GetExceptionCode (); } Status = ObReferenceObjectByHandle (DebugObjectHandle, DEBUG_READ_EVENT, DbgkDebugObjectType, PreviousMode, &DebugObject, NULL); if (!NT_SUCCESS (Status)) { return Status; } Process = NULL; Thread = NULL; while (1) { Status = KeWaitForSingleObject (&DebugObject->EventsPresent, Executive, PreviousMode, Alertable, Timeout); if (!NT_SUCCESS (Status) || Status == STATUS_TIMEOUT || Status == STATUS_ALERTED || Status == STATUS_USER_APC) { break; } GotEvent = FALSE; DebugEvent = NULL; ExAcquireFastMutex (&DebugObject->Mutex); // // If the object is delete pending then return an error. // if ((DebugObject->Flags&DEBUG_OBJECT_DELETE_PENDING) == 0) { for (Entry = DebugObject->EventList.Flink; Entry != &DebugObject->EventList; Entry = Entry->Flink) { DebugEvent = CONTAINING_RECORD (Entry, DEBUG_EVENT, EventList); // // If this event has not been given back to the user yet and is not // inactive then pass it back. // We check to see if we have any other outstanding messages for this // thread as this confuses VC. You can only get multiple events // for the same thread for the attach faked messages. // if ((DebugEvent->Flags&(DEBUG_EVENT_READ|DEBUG_EVENT_INACTIVE)) == 0) { GotEvent = TRUE; for (Entry2 = DebugObject->EventList.Flink; Entry2 != Entry; Entry2 = Entry2->Flink) { DebugEvent2 = CONTAINING_RECORD (Entry2, DEBUG_EVENT, EventList); if (DebugEvent->ClientId.UniqueProcess == DebugEvent2->ClientId.UniqueProcess) { // // This event has the same process as an earlier event. Mark it as inactive. // DebugEvent->Flags |= DEBUG_EVENT_INACTIVE; DebugEvent->BackoutThread = NULL; GotEvent = FALSE; break; } } if (GotEvent) { break; } } } if (GotEvent) { Process = DebugEvent->Process; Thread = DebugEvent->Thread; ObReferenceObject (Thread); ObReferenceObject (Process); DbgkpConvertKernelToUserStateChange (&tWaitStateChange, DebugEvent); DebugEvent->Flags |= DEBUG_EVENT_READ; } else { // // No unread events there. Clear the event. // KeClearEvent (&DebugObject->EventsPresent); } Status = STATUS_SUCCESS; } else { Status = STATUS_DEBUGGER_INACTIVE; } ExReleaseFastMutex (&DebugObject->Mutex); if (NT_SUCCESS (Status)) { // // If we woke up and found nothing // if (GotEvent == FALSE) { // // If timeout is a delta time then adjust it for the wait so far. // if (Tmo.QuadPart < 0) { LARGE_INTEGER NewTime; KeQuerySystemTime (&NewTime); Tmo.QuadPart = Tmo.QuadPart + (NewTime.QuadPart - StartTime.QuadPart); StartTime = NewTime; if (Tmo.QuadPart >= 0) { Status = STATUS_TIMEOUT; break; } } } else { // // Fixup needed handles. The caller could have guessed the thread id etc by now and made the target thread // continue. This isn't a problem as we won't do anything damaging to the system in this case. The caller // won't get the correct results but they set out to break us. // DbgkpOpenHandles (&tWaitStateChange, Process, Thread); ObDereferenceObject (Thread); ObDereferenceObject (Process); break; } } else { break; } } ObDereferenceObject (DebugObject); try { *WaitStateChange = tWaitStateChange; } except (ExSystemExceptionFilter ()) { // If previous mode is kernel then don't handle the exception Status = GetExceptionCode (); } return Status; } NTSTATUS NtDebugContinue ( IN HANDLE DebugObjectHandle, IN PCLIENT_ID ClientId, IN NTSTATUS ContinueStatus ) /*++ Routine Description: Coninues a stalled debugged thread Arguments: DebugObjectHandle - Handle to a debug object ClientId - ClientId of thread tro continue ContinueStatus - Status of continue Return Value: Status of operation --*/ { NTSTATUS Status; PDEBUG_OBJECT DebugObject; PDEBUG_EVENT DebugEvent, FoundDebugEvent; KPROCESSOR_MODE PreviousMode; CLIENT_ID Clid; PLIST_ENTRY Entry; BOOLEAN GotEvent; PreviousMode = KeGetPreviousMode(); try { if (PreviousMode != KernelMode) { ProbeForReadSmallStructure (ClientId, sizeof (*ClientId), sizeof (UCHAR)); } Clid = *ClientId; } except (ExSystemExceptionFilter ()) { // If previous mode is kernel then don't handle the exception return GetExceptionCode (); } switch (ContinueStatus) { case DBG_EXCEPTION_HANDLED : case DBG_EXCEPTION_NOT_HANDLED : case DBG_TERMINATE_THREAD : case DBG_TERMINATE_PROCESS : case DBG_CONTINUE : break; default : return STATUS_INVALID_PARAMETER; } Status = ObReferenceObjectByHandle (DebugObjectHandle, DEBUG_READ_EVENT, DbgkDebugObjectType, PreviousMode, &DebugObject, NULL); if (!NT_SUCCESS (Status)) { return Status; } GotEvent = FALSE; FoundDebugEvent = NULL; ExAcquireFastMutex (&DebugObject->Mutex); for (Entry = DebugObject->EventList.Flink; Entry != &DebugObject->EventList; Entry = Entry->Flink) { DebugEvent = CONTAINING_RECORD (Entry, DEBUG_EVENT, EventList); // // Make sure the client ID matches and that the debugger saw all the events. // We don't allow the caller to start a thread that it never saw a message for. // This would do no harm but its probably a bug in the debugger. // if (DebugEvent->ClientId.UniqueProcess == Clid.UniqueProcess) { if (!GotEvent) { if (DebugEvent->ClientId.UniqueThread == Clid.UniqueThread && (DebugEvent->Flags&DEBUG_EVENT_READ) != 0) { RemoveEntryList (Entry); FoundDebugEvent = DebugEvent; GotEvent = TRUE; } } else { // // VC breaks if it sees more than one event at a time // for the same process. // DebugEvent->Flags &= ~DEBUG_EVENT_INACTIVE; KeSetEvent (&DebugObject->EventsPresent, 0, FALSE); break; } } } ExReleaseFastMutex (&DebugObject->Mutex); ObDereferenceObject (DebugObject); if (GotEvent) { FoundDebugEvent->ApiMsg.ReturnedStatus = ContinueStatus; FoundDebugEvent->Status = STATUS_SUCCESS; DbgkpWakeTarget (FoundDebugEvent); } else { Status = STATUS_INVALID_PARAMETER; } return Status; } NTSTATUS NtSetInformationDebugObject ( IN HANDLE DebugObjectHandle, IN DEBUGOBJECTINFOCLASS DebugObjectInformationClass, IN PVOID DebugInformation, IN ULONG DebugInformationLength, OUT PULONG ReturnLength OPTIONAL ) /*++ Routine Description: This function sets the state of a debug object. Arguments: ProcessHandle - Supplies a handle to a process object. ProcessInformationClass - Supplies the class of information being set. ProcessInformation - Supplies a pointer to a record that contains the information to set. ProcessInformationLength - Supplies the length of the record that contains the information to set. Return Value: NTSTATUS - Status of call --*/ { KPROCESSOR_MODE PreviousMode; NTSTATUS Status; PDEBUG_OBJECT DebugObject; ULONG Flags; PreviousMode = KeGetPreviousMode(); try { if (PreviousMode != KernelMode) { ProbeForRead (DebugInformation, DebugInformationLength, sizeof (ULONG)); if (ARGUMENT_PRESENT (ReturnLength)) { ProbeForWriteUlong (ReturnLength); } } if (ARGUMENT_PRESENT (ReturnLength)) { *ReturnLength = 0; } switch (DebugObjectInformationClass) { case DebugObjectFlags : { if (DebugInformationLength != sizeof (ULONG)) { if (ARGUMENT_PRESENT (ReturnLength)) { *ReturnLength = sizeof (ULONG); } return STATUS_INFO_LENGTH_MISMATCH; } Flags = *(PULONG) DebugInformation; break; } default : { return STATUS_INVALID_PARAMETER; } } } except (ExSystemExceptionFilter ()) { return GetExceptionCode (); } switch (DebugObjectInformationClass) { case DebugObjectFlags : { if (Flags & ~DEBUG_KILL_ON_CLOSE) { return STATUS_INVALID_PARAMETER; } Status = ObReferenceObjectByHandle (DebugObjectHandle, DEBUG_SET_INFORMATION, DbgkDebugObjectType, PreviousMode, &DebugObject, NULL); if (!NT_SUCCESS (Status)) { return Status; } ExAcquireFastMutex (&DebugObject->Mutex); if (Flags&DEBUG_KILL_ON_CLOSE) { DebugObject->Flags |= DEBUG_OBJECT_KILL_ON_CLOSE; } else { DebugObject->Flags &= ~DEBUG_OBJECT_KILL_ON_CLOSE; } ExReleaseFastMutex (&DebugObject->Mutex); ObDereferenceObject (DebugObject); } } return STATUS_SUCCESS; }