lpcp.h File Reference

#include "ntos.h"
#include <zwapi.h>

Go to the source code of this file.

Classes
struct	_LPC_MUTEX
Defines
#define	LpcpGenerateMessageId()   LpcpNextMessageId++; if (LpcpNextMessageId == 0) LpcpNextMessageId = 1;
#define	LpcpGenerateCallbackId()   LpcpNextCallbackId++; if (LpcpNextCallbackId == 0) LpcpNextCallbackId = 1;
#define	LpcpInitializeLpcpLock()
#define	LpcpAcquireLpcpLock()
#define	LpcpReleaseLpcpLock()
#define	LpcpPortExtraDataCreate(x)
#define	LpcpPortExtraDataDestroy(x)
#define	LpcpSaveThread(x)
#define	LpcpGetDynamicClientSecurity(Thread, Port, DynamicSecurity)   SeCreateClientSecurity((Thread),&(Port)->SecurityQos,FALSE,(DynamicSecurity))
#define	LpcpFreeDynamicClientSecurity(DynamicSecurity)   SeDeleteClientSecurity( DynamicSecurity )
#define	LpcpReferencePortObject(PortHandle, PortAccess, PreviousMode, PortObject)   ObReferenceObjectByHandle((PortHandle),(PortAccess),LpcPortObjectType,(PreviousMode),(PVOID *)(PortObject),NULL)
#define	ENABLE_LPC_TRACING   0
#define	LpcpPrint(_x_)
#define	LpcpTrace(_x_)
Typedefs
typedef _LPC_MUTEX	LPC_MUTEX
typedef _LPC_MUTEX *	PLPC_MUTEX
Functions
VOID	LpcpClosePort (IN PEPROCESS Process OPTIONAL, IN PVOID Object, IN ACCESS_MASK GrantedAccess, IN ULONG ProcessHandleCount, IN ULONG SystemHandleCount)
VOID	LpcpDeletePort (IN PVOID Object)
NTSTATUS	LpcpInitializePortQueue (IN PLPCP_PORT_OBJECT Port)
VOID	LpcpDestroyPortQueue (IN PLPCP_PORT_OBJECT Port, IN BOOLEAN CleanupAndDestroy)
NTSTATUS	LpcpInitializePortZone (IN ULONG MaxEntrySize, IN ULONG SegmentSize, IN ULONG MaxPoolUsage)
NTSTATUS	LpcpExtendPortZone (VOID)
PLPCP_MESSAGE FASTCALL	LpcpAllocateFromPortZone (ULONG Size)
VOID FASTCALL	LpcpFreeToPortZone (IN PLPCP_MESSAGE Msg, IN BOOLEAN MutexOwned)
VOID	LpcpSaveDataInfoMessage (IN PLPCP_PORT_OBJECT Port, PLPCP_MESSAGE Msg)
VOID	LpcpFreeDataInfoMessage (IN PLPCP_PORT_OBJECT Port, IN ULONG MessageId, IN ULONG CallbackId)
PLPCP_MESSAGE	LpcpFindDataInfoMessage (IN PLPCP_PORT_OBJECT Port, IN ULONG MessageId, IN ULONG CallbackId)
VOID	LpcpMoveMessage (OUT PPORT_MESSAGE DstMsg, IN PPORT_MESSAGE SrcMsg, IN PVOID SrcMsgData, IN ULONG MsgType OPTIONAL, IN PCLIENT_ID ClientId OPTIONAL)
VOID	LpcpFreePortClientSecurity (IN PLPCP_PORT_OBJECT Port)
char *	LpcpGetCreatorName (PLPCP_PORT_OBJECT PortObject)
Variables
LPC_MUTEX	LpcpLock
LPCP_PORT_ZONE	LpcpZone
ULONG	LpcpNextMessageId
ULONG	LpcpNextCallbackId

---

Define Documentation

#define ENABLE_LPC_TRACING   0

Definition at line 294 of file lpcp.h.

#define LpcpAcquireLpcpLock (   )

Value: { \ if ( LpcpLock.Owner == PsGetCurrentThread() ) { \ \ ASSERT ( LpcpLock.Count >= 1 ); \ LpcpLock.Count += 1; \ \ } else { \ \ ExAcquireFastMutex( &LpcpLock.Lock ); \ LpcpLock.Owner = PsGetCurrentThread(); \ LpcpLock.Count = 1; \ } \ } Definition at line 93 of file lpcp.h. Referenced by LpcExitThread(), LpcpCopyRequestData(), LpcpDeletePort(), LpcpDestroyPortQueue(), LpcpExtendPortZone(), LpcpFreeConMsg(), LpcpFreeToPortZone(), LpcpSaveDataInfoMessage(), LpcRequestPort(), LpcRequestWaitReplyPort(), NtAcceptConnectPort(), NtCompleteConnectPort(), NtImpersonateClientOfPort(), NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), NtReplyWaitReplyPort(), NtRequestPort(), NtRequestWaitReplyPort(), NtSecureConnectPort(), and ObfDereferenceObject().

#define LpcpFreeDynamicClientSecurity (  DynamicSecurity   )     SeDeleteClientSecurity( DynamicSecurity )

Definition at line 275 of file lpcp.h. Referenced by NtImpersonateClientOfPort().

#define LpcpGenerateCallbackId (   )     LpcpNextCallbackId++; if (LpcpNextCallbackId == 0) LpcpNextCallbackId = 1;

Definition at line 74 of file lpcp.h. Referenced by LpcRequestWaitReplyPort(), and NtRequestWaitReplyPort().

#define LpcpGenerateMessageId (   )     LpcpNextMessageId++; if (LpcpNextMessageId == 0) LpcpNextMessageId = 1;

Definition at line 71 of file lpcp.h. Referenced by LpcRequestPort(), LpcRequestWaitReplyPort(), NtRequestPort(), NtRequestWaitReplyPort(), and NtSecureConnectPort().

#define LpcpGetDynamicClientSecurity (  Thread, Port, DynamicSecurity   )     SeCreateClientSecurity((Thread),&(Port)->SecurityQos,FALSE,(DynamicSecurity))

Definition at line 272 of file lpcp.h. Referenced by NtImpersonateClientOfPort().

#define LpcpInitializeLpcpLock (   )

Value: { \ ExInitializeFastMutex( &LpcpLock.Lock ); \ LpcpLock.Owner = NULL; \ LpcpLock.Count = 0; \ } Definition at line 86 of file lpcp.h. Referenced by LpcInitSystem().

#define LpcpPortExtraDataCreate (  x   )

Definition at line 149 of file lpcp.h.

#define LpcpPortExtraDataDestroy (  x   )

Definition at line 151 of file lpcp.h. Referenced by LpcpDeletePort().

#define LpcpPrint (  _x_   )

Definition at line 319 of file lpcp.h. Referenced by LpcpCreatePort(), LpcpExtendPortZone(), LpcpFreeToPortZone(), NtAcceptConnectPort(), NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), NtReplyWaitReplyPort(), and NtRequestWaitReplyPort().

#define LpcpReferencePortObject (  PortHandle, PortAccess, PreviousMode, PortObject   )     ObReferenceObjectByHandle((PortHandle),(PortAccess),LpcPortObjectType,(PreviousMode),(PVOID *)(PortObject),NULL)

Definition at line 278 of file lpcp.h. Referenced by LpcpCopyRequestData(), NtCompleteConnectPort(), NtImpersonateClientOfPort(), NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), NtReplyWaitReplyPort(), NtRequestPort(), and NtRequestWaitReplyPort().

#define LpcpReleaseLpcpLock (   )

Value: { \ ASSERT( LpcpLock.Owner == PsGetCurrentThread() ); \ ASSERT( LpcpLock.Count >= 1 ); \ \ LpcpLock.Count -= 1; \ \ if ( LpcpLock.Count == 0 ) { \ \ LpcpLock.Owner = NULL; \ ExReleaseFastMutex( &LpcpLock.Lock ); \ } \ } Definition at line 108 of file lpcp.h. Referenced by LpcExitThread(), LpcpCopyRequestData(), LpcpDeletePort(), LpcpDestroyPortQueue(), LpcpExtendPortZone(), LpcpFreeConMsg(), LpcpFreeToPortZone(), LpcpSaveDataInfoMessage(), LpcRequestPort(), LpcRequestWaitReplyPort(), NtAcceptConnectPort(), NtCompleteConnectPort(), NtImpersonateClientOfPort(), NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), NtReplyWaitReplyPort(), NtRequestPort(), NtRequestWaitReplyPort(), NtSecureConnectPort(), and ObfDereferenceObject().

#define LpcpSaveThread (  x   )

Definition at line 153 of file lpcp.h. Referenced by LpcpCopyRequestData(), NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), and NtReplyWaitReplyPort().

#define LpcpTrace (  _x_   )

Definition at line 320 of file lpcp.h. Referenced by LpcExitThread(), LpcpAllocateFromPortZone(), LpcpCreatePort(), LpcpDeletePort(), LpcpExtendPortZone(), LpcpFindDataInfoMessage(), LpcpFreeDataInfoMessage(), LpcpFreeToPortZone(), LpcpSaveDataInfoMessage(), LpcRequestPort(), LpcRequestWaitReplyPort(), NtAcceptConnectPort(), NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), NtReplyWaitReplyPort(), NtRequestPort(), NtRequestWaitReplyPort(), and NtSecureConnectPort().

---

Typedef Documentation

typedef struct _LPC_MUTEX LPC_MUTEX

typedef struct _LPC_MUTEX * PLPC_MUTEX

---

Function Documentation

PLPCP_MESSAGE FASTCALL LpcpAllocateFromPortZone (  ULONG  Size  )

Definition at line 558 of file lpcqueue.c. References _LPCP_MESSAGE::Entry, ExAllocateFromZone, LpcpExtendPortZone(), LpcpTrace, LpcpZone, NT_SUCCESS, NTSTATUS(), NULL, PAGED_CODE, _LPCP_MESSAGE::RepliedToThread, Status, _LPCP_PORT_ZONE::Zone, and _LPCP_MESSAGE::ZoneIndex. Referenced by LpcRequestPort(), LpcRequestWaitReplyPort(), NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), NtReplyWaitReplyPort(), NtRequestPort(), NtRequestWaitReplyPort(), and NtSecureConnectPort(). : This procedure is used to allocate a new msg from the global port zone. Note that we assume our caller owns the LpcpLock mutex. Arguments: Size - Specifies the size, in bytes, needed for the allocation. Currently this variable is ignored Return Value: PLPCP_MESSAGE - returns a pointer to the newly allocate message --*/ { NTSTATUS Status; PLPCP_MESSAGE Msg; PAGED_CODE(); // // Continue looping until we get a message to give back or until when we // extend the zone we get back and error // do { // // Pick off the next message from the zone and if we actually // did get one then initialize some of its fields and return it // to our caller // Msg = (PLPCP_MESSAGE)ExAllocateFromZone( &LpcpZone.Zone ); if (Msg != NULL) { LpcpTrace(( "Allocate Msg %lx\n", Msg )); InitializeListHead( &Msg->Entry ); Msg->RepliedToThread = NULL; #if DBG // // In the debug case mark the message as allocated // Msg->ZoneIndex |= LPCP_ZONE_MESSAGE_ALLOCATED; #endif return Msg; } // // The zone didn't give us an entry so extend the zone and try the // allocation again // LpcpTrace(( "Extending Zone %lx\n", &LpcpZone.Zone )); Status = LpcpExtendPortZone( ); } while (NT_SUCCESS(Status)); // // Return NULL (i.e., an error) to our caller // return NULL; }

VOID LpcpClosePort (  IN PEPROCESS Process  OPTIONAL, IN PVOID  Object, IN ACCESS_MASK  GrantedAccess, IN ULONG  ProcessHandleCount, IN ULONG  SystemHandleCount )

Definition at line 31 of file lpcclose.c. References FALSE, _LPCP_PORT_OBJECT::Flags, LpcpDestroyPortQueue(), PORT_TYPE, SERVER_CONNECTION_PORT, and TRUE. Referenced by LpcInitSystem(). : This routine is the callback used for closing a port object. Arguments: Process - Supplies an optional pointer to the process whose port is being closed Object - Supplies a pointer to the port object being closed GrantedAccess - Supplies the access granted to the handle closing port object ProcessHandleCount - Supplies the number of process handles remaining to the object SystemHandleCount - Supplies the number of system handles remaining to the object Return Value: None. --*/ { // // Translate the object to what it really is, an LPCP port object // PLPCP_PORT_OBJECT Port = Object; // // We only have work to do if the object is a server communication port // if ( (Port->Flags & PORT_TYPE) == SERVER_CONNECTION_PORT ) { // // If this is a server commucation port without any system handles // then we can completely destroy the communication queue for the // port // if ( SystemHandleCount == 0 ) { LpcpDestroyPortQueue( Port, TRUE ); // // If there is only one system handle left then we'll reset the // communication queue for the port // } else if ( SystemHandleCount == 1 ) { LpcpDestroyPortQueue( Port, FALSE ); } // // Otherwise we do nothing // } return; }

VOID LpcpDeletePort (  IN PVOID  Object  )

Definition at line 110 of file lpcclose.c. References CLIENT_COMMUNICATION_PORT, _LPCP_PORT_OBJECT::ClientSectionBase, _LPCP_PORT_OBJECT::ClientThread, ClientThread(), _LPCP_PORT_OBJECT::ConnectionPort, _LPCP_MESSAGE::Entry, _LPCP_PORT_OBJECT::Flags, _LPCP_PORT_OBJECT::LpcDataInfoChainHead, LpcpAcquireLpcpLock, LpcpDestroyPortQueue(), LpcpFreePortClientSecurity(), LpcpFreeToPortZone(), LpcpPortExtraDataDestroy, LpcpReleaseLpcpLock, LpcpTrace, LpcRequestPort(), MmUnmapViewOfSection(), NULL, ObDereferenceObject, PAGED_CODE, PORT_TYPE, PsGetCurrentProcess, PsGetCurrentThread, _LPCP_MESSAGE::Request, SERVER_COMMUNICATION_PORT, SERVER_CONNECTION_PORT, _LPCP_PORT_OBJECT::ServerProcess, _LPCP_PORT_OBJECT::ServerSectionBase, and TRUE. Referenced by LpcInitSystem(). : This routine is the callback used for deleting a port object. Arguments: Object - Supplies a pointer to the port object being deleted Return Value: None. --*/ { PLPCP_PORT_OBJECT Port = Object; PLPCP_PORT_OBJECT ConnectionPort; LPC_CLIENT_DIED_MSG ClientPortClosedDatagram; PLPCP_MESSAGE Msg; PLIST_ENTRY Head, Next; HANDLE CurrentProcessId; PAGED_CODE(); // // If the port is a server communication port then make sure that if // there is a dangling client thread that we get rid of it. This // handles the case of someone calling NtAcceptConnectPort and not // calling NtCompleteConnectPort // LpcpPortExtraDataDestroy( Port ); if ((Port->Flags & PORT_TYPE) == SERVER_COMMUNICATION_PORT) { PETHREAD ClientThread; LpcpAcquireLpcpLock(); if ((ClientThread = Port->ClientThread) != NULL) { Port->ClientThread = NULL; LpcpReleaseLpcpLock(); ObDereferenceObject( ClientThread ); } else { LpcpReleaseLpcpLock(); } } // // Send an LPC_PORT_CLOSED datagram to whoever is connected // to this port so they know they are no longer connected. // if ((Port->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { ClientPortClosedDatagram.PortMsg.u1.s1.TotalLength = sizeof( ClientPortClosedDatagram ); ClientPortClosedDatagram.PortMsg.u1.s1.DataLength = sizeof( ClientPortClosedDatagram.CreateTime ); ClientPortClosedDatagram.PortMsg.u2.s2.Type = LPC_PORT_CLOSED; ClientPortClosedDatagram.PortMsg.u2.s2.DataInfoOffset = 0; ClientPortClosedDatagram.CreateTime = PsGetCurrentProcess()->CreateTime; LpcRequestPort( Port, (PPORT_MESSAGE)&ClientPortClosedDatagram ); } // // If connected, disconnect the port, and then scan the message queue // for this port and dereference any messages in the queue. // LpcpDestroyPortQueue( Port, TRUE ); // // If the client has a port memory view, then unmap it // if (Port->ClientSectionBase != NULL) { MmUnmapViewOfSection( PsGetCurrentProcess(), Port->ClientSectionBase ); } // // If the server has a port memory view, then unmap it // if (Port->ServerSectionBase != NULL) { MmUnmapViewOfSection( PsGetCurrentProcess(), Port->ServerSectionBase ); } // // Dereference the pointer to the connection port if it is not // this port. // if (ConnectionPort = Port->ConnectionPort) { CurrentProcessId = PsGetCurrentThread()->Cid.UniqueProcess; LpcpAcquireLpcpLock(); Head = &ConnectionPort->LpcDataInfoChainHead; Next = Head->Flink; while (Next != Head) { Msg = CONTAINING_RECORD( Next, LPCP_MESSAGE, Entry ); Next = Next->Flink; if (Msg->Request.ClientId.UniqueProcess == CurrentProcessId) { LpcpTrace(( "%s Freeing DataInfo Message %lx (%u.%u) Port: %lx\n", PsGetCurrentProcess()->ImageFileName, Msg, Msg->Request.MessageId, Msg->Request.CallbackId, ConnectionPort )); RemoveEntryList( &Msg->Entry ); LpcpFreeToPortZone( Msg, TRUE ); } } LpcpReleaseLpcpLock(); if (ConnectionPort != Port) { ObDereferenceObject( ConnectionPort ); } } if (((Port->Flags & PORT_TYPE) == SERVER_CONNECTION_PORT) && (ConnectionPort->ServerProcess != NULL)) { ObDereferenceObject( ConnectionPort->ServerProcess ); ConnectionPort->ServerProcess = NULL; } // // Free any static client security context // LpcpFreePortClientSecurity( Port ); // // And return to our caller // return; }

VOID LpcpDestroyPortQueue (  IN PLPCP_PORT_OBJECT  Port, IN BOOLEAN  CleanupAndDestroy )

Definition at line 104 of file lpcqueue.c. References _LPCP_MESSAGE::Entry, ExFreePool(), FALSE, KeReadStateSemaphore(), KeReleaseSemaphore(), L, _ETHREAD::LpcExitThreadCalled, LpcpAcquireLpcpLock, LpcpFreeToPortZone(), LpcpReleaseLpcpLock, _ETHREAD::LpcReplyChain, _ETHREAD::LpcReplyMessage, _ETHREAD::LpcReplyMessageId, _ETHREAD::LpcReplySemaphore, NULL, ObDereferenceObject, PAGED_CODE, PORT_NAME_DELETED, PORT_TYPE, _LPCP_MESSAGE::Request, _LPCP_CONNECTION_MESSAGE::SectionToMap, SERVER_CONNECTION_PORT, and TRUE. Referenced by LpcpClosePort(), and LpcpDeletePort(). : This routine is used to teardown the message queue of a port object. After running this message will either be empty (like it was just initialized) or completly gone (needs to be initialized) Arguments: Port - Supplies the port containing the message queue being modified CleanupAndDestroy - Specifies if the message queue should be set back to the freshly initialized state (value of FALSE) or completely torn down (value of TRUE) Return Value: None. --*/ { PLIST_ENTRY Next, Head; PETHREAD ThreadWaitingForReply; PLPCP_MESSAGE Msg; PAGED_CODE(); // // If this port is connected to another port, then disconnect it. // Protect this with a lock in case the other side is going away // at the same time. // LpcpAcquireLpcpLock(); if (Port->ConnectedPort != NULL) { Port->ConnectedPort->ConnectedPort = NULL; } // // If connection port, then mark name as deleted // if ((Port->Flags & PORT_TYPE) == SERVER_CONNECTION_PORT) { Port->Flags |= PORT_NAME_DELETED; } // // Walk list of threads waiting for a reply to a message sent to this // port. Signal each thread's LpcReplySemaphore to wake them up. They // will notice that there was no reply and return // STATUS_PORT_DISCONNECTED // Head = &Port->LpcReplyChainHead; Next = Head->Flink; while ((Next != NULL) && (Next != Head)) { ThreadWaitingForReply = CONTAINING_RECORD( Next, ETHREAD, LpcReplyChain ); // // If the thread is exiting, in the location of LpcReplyChain is stored the ExitTime // We'll stop to search throught the list. if ( ThreadWaitingForReply->LpcExitThreadCalled ) { break; } Next = Next->Flink; RemoveEntryList( &ThreadWaitingForReply->LpcReplyChain ); InitializeListHead( &ThreadWaitingForReply->LpcReplyChain ); if (!KeReadStateSemaphore( &ThreadWaitingForReply->LpcReplySemaphore )) { // // Thread is waiting on a message. Signal the semaphore and free // the message // Msg = ThreadWaitingForReply->LpcReplyMessage; if ( Msg ) { // // If the message is a connection request and has a section object // attached, then dereference that section object // if ((Msg->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE) == LPC_CONNECTION_REQUEST) { PLPCP_CONNECTION_MESSAGE ConnectMsg; ConnectMsg = (PLPCP_CONNECTION_MESSAGE)(Msg + 1); if ( ConnectMsg->SectionToMap != NULL ) { ObDereferenceObject( ConnectMsg->SectionToMap ); } } ThreadWaitingForReply->LpcReplyMessage = NULL; LpcpFreeToPortZone( Msg, TRUE ); } ThreadWaitingForReply->LpcReplyMessageId = 0; KeReleaseSemaphore( &ThreadWaitingForReply->LpcReplySemaphore, 0, 1L, FALSE ); } } InitializeListHead( &Port->LpcReplyChainHead ); // // Walk list of messages queued to this port. Remove each message from // the list and free it. // Head = &Port->MsgQueue.ReceiveHead; Next = Head->Flink; while ((Next != NULL) && (Next != Head)) { Msg = CONTAINING_RECORD( Next, LPCP_MESSAGE, Entry ); Next = Next->Flink; InitializeListHead( &Msg->Entry ); LpcpFreeToPortZone( Msg, TRUE ); } // // Reinitialize the message queue // InitializeListHead( &Port->MsgQueue.ReceiveHead ); LpcpReleaseLpcpLock(); // // Check if the caller wants it all to go away // if ( CleanupAndDestroy ) { // // Free semaphore associated with the queue. // if (Port->MsgQueue.Semaphore != NULL) { ExFreePool( CONTAINING_RECORD( Port->MsgQueue.Semaphore, LPCP_NONPAGED_PORT_QUEUE, Semaphore )); } } // // And return to our caller // return; }

NTSTATUS LpcpExtendPortZone (  VOID   )

Definition at line 397 of file lpcqueue.c. References _ZONE_HEADER::BlockSize, ExAllocatePoolWithTag, Executive, ExExtendZone(), ExFreePool(), FALSE, _LPCP_PORT_ZONE::FreeEvent, _LPCP_PORT_ZONE::GrowSize, KernelMode, KeSetEvent(), KeWaitForSingleObject(), LPC_RELEASE_WAIT_INCREMENT, LpcpAcquireLpcpLock, LpcpPrint, LpcpReleaseLpcpLock, LpcpTrace, LpcpZone, _LPCP_PORT_ZONE::MaxPoolUsage, NT_SUCCESS, NTSTATUS(), NULL, PAGE_SIZE, PAGED_CODE, PagedPool, Status, _ZONE_HEADER::TotalSegmentSize, TRUE, USHORT, _LPCP_PORT_ZONE::Zone, and _LPCP_MESSAGE::ZoneIndex. Referenced by LpcpAllocateFromPortZone(). : This routine is used to increase the size of the global port zone. Note that our caller must have already acquired the LpcpLock mutex. Arguments: None. Return Value: NTSTATUS - An appropriate status value --*/ { NTSTATUS Status; PVOID Segment; PLPCP_MESSAGE Msg; LARGE_INTEGER WaitTimeout; BOOLEAN AlreadyRetried; LONG SegmentSize; PAGED_CODE(); AlreadyRetried = FALSE; retry: // // If we're going to grow across a threshold, we should wait a little in case // an entry gets freed. // if ((LpcpZone.Zone.TotalSegmentSize + LpcpZone.GrowSize) > LpcpZone.MaxPoolUsage) { LpcpPrint(( "Out of space in global LPC zone - current size is %08x\n", LpcpZone.Zone.TotalSegmentSize )); // // Wait time is 1 second. // // We'll actually only go through this path once because on retry we // bump up max pool usage to avoid this wait // WaitTimeout.QuadPart = Int32x32To64( 1000, -10000 ); LpcpReleaseLpcpLock(); Status = KeWaitForSingleObject( &LpcpZone.FreeEvent, Executive, KernelMode, FALSE, &WaitTimeout ); LpcpAcquireLpcpLock(); if (Status != STATUS_SUCCESS) { LpcpPrint(( "Error waiting for %lx->FreeEvent - Status == %X\n", &LpcpZone, Status )); if ( !AlreadyRetried ) { AlreadyRetried = TRUE; LpcpZone.MaxPoolUsage += LpcpZone.GrowSize; goto retry; } } // // return to our caller and let the caller retry the allocation // again // return Status; } // // We need to extend the zone, so allocate another chunk and add it // to the zone // Segment = ExAllocatePoolWithTag( PagedPool, LpcpZone.GrowSize, 'ZcpL' ); if (Segment == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } Status = ExExtendZone( &LpcpZone.Zone, Segment, LpcpZone.GrowSize ); if (!NT_SUCCESS( Status )) { ExFreePool( Segment ); } #if DEVL else { LpcpTrace(( "Extended LPC zone by %x for a total of %x\n", LpcpZone.GrowSize, LpcpZone.Zone.TotalSegmentSize )); // // The following code sets up each msg in the zone by filling in its // index, and zeroing the rest. // // **** note, this is really a backdoor piece of code. First, it assumes // we grew by one page, and second, it assume the zone doesn't touch // those fields for its own bookkeeping. // SegmentSize = PAGE_SIZE; Msg = (PLPCP_MESSAGE)((PZONE_SEGMENT_HEADER)Segment + 1); while (SegmentSize >= (LONG)LpcpZone.Zone.BlockSize) { Msg->ZoneIndex = (USHORT)++LpcpTotalNumberOfMessages; Msg = (PLPCP_MESSAGE)((PCHAR)Msg + LpcpZone.Zone.BlockSize); SegmentSize -= LpcpZone.Zone.BlockSize; } // // Now that we've completely initialized the new segment, go // and wake up any waiters // LpcpReleaseLpcpLock(); KeSetEvent( &LpcpZone.FreeEvent, LPC_RELEASE_WAIT_INCREMENT, FALSE ); LpcpAcquireLpcpLock(); } #endif return Status; }

PLPCP_MESSAGE LpcpFindDataInfoMessage (  IN PLPCP_PORT_OBJECT  Port, IN ULONG  MessageId, IN ULONG  CallbackId )

Definition at line 980 of file lpcqueue.c. References LpcpTrace, NULL, PAGED_CODE, PORT_TYPE, PsGetCurrentProcess, _LPCP_MESSAGE::Request, and UNCONNECTED_COMMUNICATION_PORT. Referenced by LpcpCopyRequestData(). 00988 : 00989 00990 This routine is used to locate a specific message stored off the 00991 data info chain of a port 00992 00993 Arguments: 00994 00995 Port - Supplies the port being examined 00996 00997 MessageId - Supplies the ID of the message being searched for 00998 00999 CallbackId - Supplies the callback ID being searched for 01000 01001 Return Value: 01002 01003 PLPCP_MESSAGE - returns a pointer to the message satisfying the 01004 search criteria or NULL of none was found 01005 01006 --*/ 01007 01008 { 01009 PLPCP_MESSAGE Msg; 01010 PLIST_ENTRY Head, Next; 01011 01012 PAGED_CODE(); 01013 01014 // 01015 // Make sure we get to the connection port object of this port 01016 // 01017 01018 if ((Port->Flags & PORT_TYPE) > UNCONNECTED_COMMUNICATION_PORT) { 01019 01020 Port = Port->ConnectionPort; 01021 } 01022 01023 // 01024 // Zoom down the data info chain for the connection port object looking 01025 // for a match 01026 // 01027 01028 Head = &Port->LpcDataInfoChainHead; 01029 Next = Head->Flink; 01030 01031 while (Next != Head) { 01032 01033 Msg = CONTAINING_RECORD( Next, LPCP_MESSAGE, Entry ); 01034 01035 if ((Msg->Request.MessageId == MessageId) && 01036 (Msg->Request.CallbackId == CallbackId)) { 01037 01038 LpcpTrace(( "%s Found DataInfo Message %lx (%u.%u) Port: %lx\n", 01039 PsGetCurrentProcess()->ImageFileName, 01040 Msg, 01041 Msg->Request.MessageId, 01042 Msg->Request.CallbackId, 01043 Port )); 01044 01045 return Msg; 01046 01047 } else { 01048 01049 Next = Next->Flink; 01050 } 01051 } 01052 01053 // 01054 // We did not find a match so return null to our caller 01055 // 01056 01057 LpcpTrace(( "%s Unable to find DataInfo Message (%u.%u) Port: %lx\n", 01058 PsGetCurrentProcess()->ImageFileName, 01059 MessageId, 01060 CallbackId, 01061 Port )); 01062 01063 return NULL; 01064 } }

VOID LpcpFreeDataInfoMessage (  IN PLPCP_PORT_OBJECT  Port, IN ULONG  MessageId, IN ULONG  CallbackId )

Definition at line 879 of file lpcqueue.c. References _LPCP_MESSAGE::Entry, LpcpFreeToPortZone(), LpcpTrace, PAGED_CODE, PORT_TYPE, PsGetCurrentProcess, _LPCP_MESSAGE::Request, TRUE, and UNCONNECTED_COMMUNICATION_PORT. Referenced by NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), and NtReplyWaitReplyPort(). : This routine is used to free up a saved message in a port Arguments: Port - Supplies the port being manipulated MessageId - Supplies the id of the message being freed CallbackId - Supplies the callback id of the message being freed Return Value: None. --*/ { PLPCP_MESSAGE Msg; PLIST_ENTRY Head, Next; PAGED_CODE(); // // Make sure we get to the connection port object of this port // if ((Port->Flags & PORT_TYPE) > UNCONNECTED_COMMUNICATION_PORT) { Port = Port->ConnectionPort; } // // Zoom down the data info chain for the connection port object // Head = &Port->LpcDataInfoChainHead; Next = Head->Flink; while (Next != Head) { Msg = CONTAINING_RECORD( Next, LPCP_MESSAGE, Entry ); // // If this message matches the callers specification then remove // this message, free it back to the port zone, and return back // to our caller // if ((Msg->Request.MessageId == MessageId) && (Msg->Request.CallbackId == CallbackId)) { LpcpTrace(( "%s Removing DataInfo Message %lx (%u.%u) Port: %lx\n", PsGetCurrentProcess()->ImageFileName, Msg, Msg->Request.MessageId, Msg->Request.CallbackId, Port )); RemoveEntryList( &Msg->Entry ); InitializeListHead( &Msg->Entry ); LpcpFreeToPortZone( Msg, TRUE ); return; } else { // // Keep on going down the data info chain // Next = Next->Flink; } } // // We didn't find a match so just return to our caller // LpcpTrace(( "%s Unable to find DataInfo Message (%u.%u) Port: %lx\n", PsGetCurrentProcess()->ImageFileName, MessageId, CallbackId, Port )); return; }

VOID LpcpFreePortClientSecurity (  IN PLPCP_PORT_OBJECT  Port  )

Definition at line 296 of file lpcpriv.c. References CLIENT_COMMUNICATION_PORT, PORT_DYNAMIC_SECURITY, PORT_TYPE, and SeDeleteClientSecurity. Referenced by LpcpDeletePort(). 00302 : 00303 00304 This routine cleans up the captured security context for a client port. 00305 The cleanup is typically done when we are deleting a port 00306 00307 Arguments: 00308 00309 Port - Supplies the client port being deleted 00310 00311 Return Value: 00312 00313 None. 00314 00315 --*/ 00316 00317 { 00318 // 00319 // We only do this action if supplied with a client communication port 00320 // 00321 00322 if ((Port->Flags & PORT_TYPE) == CLIENT_COMMUNICATION_PORT) { 00323 00324 // 00325 // We only do this action if the port has static security tracking, 00326 // and we have a captured client token. The action is to simply 00327 // delete the client token. 00328 // 00329 00330 if (!(Port->Flags & PORT_DYNAMIC_SECURITY)) { 00331 00332 if ( Port->StaticSecurity.ClientToken ) { 00333 00334 SeDeleteClientSecurity( &(Port)->StaticSecurity ); 00335 } 00336 } 00337 } 00338 00339 // 00340 // And return to our caller 00341 // 00342 00343 return; 00344 } }

VOID FASTCALL LpcpFreeToPortZone (  IN PLPCP_MESSAGE  Msg, IN BOOLEAN  MutexOwned )

Definition at line 642 of file lpcqueue.c. References _LPCP_CONNECTION_MESSAGE::ClientPort, ExFreeToZone, FALSE, _LPCP_PORT_ZONE::FreeEvent, KeSetEvent(), LPC_RELEASE_WAIT_INCREMENT, LpcpAcquireLpcpLock, LpcpPrint, LpcpReleaseLpcpLock, LpcpTrace, LpcpZone, NULL, ObDereferenceObject, PAGED_CODE, and _LPCP_PORT_ZONE::Zone. Referenced by LpcExitThread(), LpcpDeletePort(), LpcpDestroyPortQueue(), LpcpFreeDataInfoMessage(), LpcRequestPort(), LpcRequestWaitReplyPort(), NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), NtReplyWaitReplyPort(), NtRequestPort(), NtRequestWaitReplyPort(), and NtSecureConnectPort(). : This routine is used to free an old msg back to the global message queue Arguments: Msg - Supplies the message being returned MutexOwned - Specifies if the LpcpLock is already owned by the caller Return Value: None. --*/ { BOOLEAN ZoneMemoryAvailable = FALSE; PLPCP_CONNECTION_MESSAGE ConnectMsg; PAGED_CODE(); // // Take out the global lock if necessary // if (!MutexOwned) { LpcpAcquireLpcpLock(); } LpcpTrace(( "Free Msg %lx\n", Msg )); #if DBG // // In the debug case if the message is not allocated then it's an error // if (!(Msg->ZoneIndex & LPCP_ZONE_MESSAGE_ALLOCATED)) { LpcpPrint(( "Msg %lx has already been freed.\n", Msg )); DbgBreakPoint(); if (!MutexOwned) { LpcpReleaseLpcpLock(); } return; } Msg->ZoneIndex &= ~LPCP_ZONE_MESSAGE_ALLOCATED; #endif // // The non zero reserved0 field tells us that the message has been used // if (Msg->Reserved0 != 0) { // // A entry field connects the message to the message queue of the // owning port object. If not already removed then remove this // message // if (!IsListEmpty( &Msg->Entry )) { RemoveEntryList( &Msg->Entry ); InitializeListHead( &Msg->Entry ); } // // If the replied to thread is not null then we have a reference // to the thread that we should now remove // if (Msg->RepliedToThread != NULL) { ObDereferenceObject( Msg->RepliedToThread ); Msg->RepliedToThread = NULL; } // // If the msg was for a connection request then we know that // right after the lpcp message is a connection message whose // client port field might need to be dereferenced // if ((Msg->Request.u2.s2.Type & ~LPC_KERNELMODE_MESSAGE) == LPC_CONNECTION_REQUEST) { ConnectMsg = (PLPCP_CONNECTION_MESSAGE)(Msg + 1); if (ConnectMsg->ClientPort) { PLPCP_PORT_OBJECT ClientPort; // // Capture a pointer to the client port then null it // out so that no one else can use it, then release // lpcp lock before we dereference the client port // ClientPort = ConnectMsg->ClientPort; ConnectMsg->ClientPort = NULL; LpcpReleaseLpcpLock(); ObDereferenceObject( ClientPort ); LpcpAcquireLpcpLock(); } } // // Now mark this message a free, and return it to the zone // Msg->Reserved0 = 0; ZoneMemoryAvailable = (BOOLEAN)(ExFreeToZone( &LpcpZone.Zone, &Msg->FreeEntry ) == NULL); } // // Check if we need to release the global lpcp lock // if (!MutexOwned) { LpcpReleaseLpcpLock(); } // // If we've actually freed up memory then go wake any waiting allocators // // **** does this need to check to see if it owns the lpcp lock. The // release right above us and this test and set event should be // combined // if (ZoneMemoryAvailable) { KeSetEvent( &LpcpZone.FreeEvent, LPC_RELEASE_WAIT_INCREMENT, FALSE ); } // // And return to our caller // return; }

char* LpcpGetCreatorName (  PLPCP_PORT_OBJECT  PortObject  )

Definition at line 193 of file lpcinit.c. References _LPCP_PORT_OBJECT::Creator, _EPROCESS::ImageFileName, NT_SUCCESS, NTSTATUS(), PsLookupProcessByProcessId(), and Status. Referenced by LpcRequestPort(), LpcRequestWaitReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), NtRequestPort(), and NtRequestWaitReplyPort(). : This routine returns the name of the process that created the specified port object Arguments: PortObject - Supplies the port object being queried Return Value: char * - The image name of the process that created the port process --*/ { NTSTATUS Status; PEPROCESS Process; // // First find the process that created the port object // Status = PsLookupProcessByProcessId( PortObject->Creator.UniqueProcess, &Process ); // // If we were able to get the process then return the name of the process // to our caller // if (NT_SUCCESS( Status )) { return Process->ImageFileName; } else { // // Otherwise tell our caller we don't know the name // return "Unknown"; } }

NTSTATUS LpcpInitializePortQueue (  IN PLPCP_PORT_OBJECT  Port  )

Definition at line 37 of file lpcqueue.c. References _LPCP_NONPAGED_PORT_QUEUE::BackPointer, ExAllocatePoolWithTag, KeInitializeSemaphore(), _LPCP_PORT_OBJECT::MsgQueue, NonPagedPool, NULL, PAGED_CODE, _LPCP_NONPAGED_PORT_QUEUE::Semaphore, and _LPCP_PORT_QUEUE::Semaphore. Referenced by LpcpCreatePort(), and NtSecureConnectPort(). : This routine is used to initialize the message queue for a port object. Arguments: Port - Supplies the port object being initialized Return Value: NTSTATUS - An appropriate status value --*/ { PLPCP_NONPAGED_PORT_QUEUE NonPagedPortQueue; PAGED_CODE(); // // Allocate space for the port queue // NonPagedPortQueue = ExAllocatePoolWithTag( NonPagedPool, sizeof(LPCP_NONPAGED_PORT_QUEUE), 'troP' ); if (NonPagedPortQueue == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } // // Initialize the fields in the non paged port queue // KeInitializeSemaphore( &NonPagedPortQueue->Semaphore, 0, 0x7FFFFFFF ); NonPagedPortQueue->BackPointer = Port; // // Have the port msg queue point to the non nonpaged port queue // Port->MsgQueue.Semaphore = &NonPagedPortQueue->Semaphore; // // Initailize the port msg queue to be empty // InitializeListHead( &Port->MsgQueue.ReceiveHead ); // // And return to our caller // return STATUS_SUCCESS; }

NTSTATUS LpcpInitializePortZone (  IN ULONG  MaxEntrySize, IN ULONG  SegmentSize, IN ULONG  MaxPoolUsage )

Definition at line 287 of file lpcqueue.c. References _ZONE_HEADER::BlockSize, ExAllocatePoolWithTag, ExFreePool(), ExInitializeZone(), FALSE, _LPCP_PORT_ZONE::FreeEvent, _LPCP_PORT_ZONE::GrowSize, KeInitializeEvent, LpcpZone, _LPCP_PORT_ZONE::MaxPoolUsage, NT_SUCCESS, NTSTATUS(), NULL, PAGE_SIZE, PAGED_CODE, PagedPool, _LPCP_MESSAGE::Request, _LPCP_MESSAGE::Reserved0, Status, USHORT, _LPCP_PORT_ZONE::Zone, and _LPCP_MESSAGE::ZoneIndex. Referenced by LpcInitSystem(). : This routine only executes once. It is used to initialize the zone allocator for LPC messages Arguments: MaxEntrySize - Specifies the maximum size, in bytes, that we'll allocate from the zone. SegmentSize - Specifies the number of total bytes to use in the initial zone allocation. This is also the increment use to grow the zone. MaxPoolUsage - Specifies the maximum number of bytes we every want to zone to grow to. Return Value: NTSTATUS - An appropriate status value --*/ { NTSTATUS Status; PVOID Segment; PLPCP_MESSAGE Msg; LONG SegSize; PAGED_CODE(); // // Set the sizes in the global port zone variable // LpcpZone.MaxPoolUsage = MaxPoolUsage; LpcpZone.GrowSize = SegmentSize; // // Allocate and initialize the initial zone // Segment = ExAllocatePoolWithTag( PagedPool, SegmentSize, 'ZcpL' ); if (Segment == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } KeInitializeEvent( &LpcpZone.FreeEvent, SynchronizationEvent, FALSE ); Status = ExInitializeZone( &LpcpZone.Zone, MaxEntrySize, Segment, SegmentSize ); if (!NT_SUCCESS( Status )) { ExFreePool( Segment ); } // // The following code sets up each msg in the zone by filling in its // index, and zeroing the rest. // // **** note, this is really a backdoor piece of code. First, it assumes // segsize is pagesize, and second, it assume the zone doesn't touch // those fields for its own bookkeeping. // SegSize = PAGE_SIZE; LpcpTotalNumberOfMessages = 0; // // Skip over the segment header // Msg = (PLPCP_MESSAGE)((PZONE_SEGMENT_HEADER)Segment + 1); // // For each block in the zone pointed at by Msg, pre-initialize the Msg // while (SegSize >= (LONG)LpcpZone.Zone.BlockSize) { Msg->ZoneIndex = (USHORT)++LpcpTotalNumberOfMessages; Msg->Reserved0 = 0; Msg->Request.MessageId = 0; Msg = (PLPCP_MESSAGE)((PCHAR)Msg + LpcpZone.Zone.BlockSize); SegSize -= LpcpZone.Zone.BlockSize; } // // And return to our caller // return Status; }

VOID LpcpMoveMessage (  OUT PPORT_MESSAGE  DstMsg, IN PPORT_MESSAGE  SrcMsg, IN PVOID  SrcMsgData, IN ULONG MsgType  OPTIONAL, IN PCLIENT_ID ClientId  OPTIONAL )

Referenced by LpcRequestPort(), LpcRequestWaitReplyPort(), NtReplyPort(), NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), NtReplyWaitReplyPort(), NtRequestPort(), and NtRequestWaitReplyPort().

VOID LpcpSaveDataInfoMessage (  IN PLPCP_PORT_OBJECT  Port, PLPCP_MESSAGE  Msg )

Definition at line 809 of file lpcqueue.c. References _LPCP_MESSAGE::Entry, LpcpAcquireLpcpLock, LpcpReleaseLpcpLock, LpcpTrace, PAGED_CODE, PORT_TYPE, PsGetCurrentProcess, _LPCP_MESSAGE::Request, and UNCONNECTED_COMMUNICATION_PORT. Referenced by NtReplyWaitReceivePort(), NtReplyWaitReceivePortEx(), and NtRequestWaitReplyPort(). : This routine is used in place of freeing a message and instead saves the message off a seperate queue from the port. Arguments: Port - Specifies the port object under which to save this message Msg - Supplies the message being saved Return Value: None. --*/ { PAGED_CODE(); // // Take out the global lock // LpcpAcquireLpcpLock(); // // Make sure we get to the connection port object of this port // if ((Port->Flags & PORT_TYPE) > UNCONNECTED_COMMUNICATION_PORT) { Port = Port->ConnectionPort; } LpcpTrace(( "%s Saving DataInfo Message %lx (%u.%u) Port: %lx\n", PsGetCurrentProcess()->ImageFileName, Msg, Msg->Request.MessageId, Msg->Request.CallbackId, Port )); // // Enqueue this message onto the data info chain for the port // InsertTailList( &Port->LpcDataInfoChainHead, &Msg->Entry ); // // Free the global lock // LpcpReleaseLpcpLock(); // // And return to our caller // return; }

---

Variable Documentation

LPC_MUTEX LpcpLock

Definition at line 63 of file lpcp.h.

ULONG LpcpNextCallbackId

Definition at line 69 of file lpcp.h. Referenced by LpcInitSystem().

ULONG LpcpNextMessageId

Definition at line 67 of file lpcp.h. Referenced by LpcInitSystem().

LPCP_PORT_ZONE LpcpZone

Definition at line 65 of file lpcp.h. Referenced by LpcpAllocateFromPortZone(), LpcpCreatePort(), LpcpExtendPortZone(), LpcpFreeToPortZone(), and LpcpInitializePortZone().

---