ldrsnap.c File Reference

#include "ntos.h"
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <heap.h>
#include "ldrp.h"

Go to the source code of this file.

Classes
struct	_DPH_SNAP_NAME
Defines
#define	LDRDBG   0
#define	SNAP_ROUTINE_GLOBALALLOC   0
#define	SNAP_ROUTINE_GLOBALREALLOC   1
#define	SNAP_ROUTINE_GLOBALFREE   2
#define	SNAP_ROUTINE_LOCALALLOC   3
#define	SNAP_ROUTINE_LOCALREALLOC   4
#define	SNAP_ROUTINE_LOCALFREE   5
#define	SNAP_ROUTINE_HEAPALLOC   6
#define	SNAP_ROUTINE_HEAPREALLOC   7
#define	SNAP_ROUTINE_HEAPFREE   8
#define	SNAP_ROUTINE_HEAPCREATE   9
#define	SNAP_ROUTINE_MALLOC   10
#define	SNAP_ROUTINE_CALLOC   11
#define	SNAP_ROUTINE_REALLOC   12
#define	SNAP_ROUTINE_FREE   13
#define	SNAP_ROUTINE_NEW   14
#define	SNAP_ROUTINE_DELETE   15
#define	SNAP_ROUTINE_NEW_ARRAY   16
#define	SNAP_ROUTINE_DELETE_ARRAY   17
#define	SNAP_ROUTINE_MAX_INDEX   18
#define	BIAS_POINTER(p)   ((PVOID)((ULONG_PTR)(p) | 0x01))
#define	LMEM_MOVEABLE   0x0002
#define	LMEM_ZEROINIT   0x0040
#define	BASE_HANDLE_MARK_BIT   0x04
Typedefs
typedef _DPH_SNAP_NAME	DPH_SNAP_NAME
typedef _DPH_SNAP_NAME *	PDPH_SNAP_NAME
typedef PVOID(*	FUN_LOCAL_ALLOC )(IN ULONG Flags, IN SIZE_T Size)
typedef PVOID(*	FUN_LOCAL_REALLOC )(IN PVOID Address, IN SIZE_T Size, IN ULONG Flags)
typedef PVOID(*	FUN_LOCAL_FREE )(IN PVOID Address)
typedef PVOID(*	FUN_GLOBAL_ALLOC )(IN ULONG Flags, IN SIZE_T Size)
typedef PVOID(*	FUN_GLOBAL_REALLOC )(IN PVOID Address, IN SIZE_T Size, IN ULONG Flags)
typedef PVOID(*	FUN_GLOBAL_FREE )(IN PVOID Address)
typedef PVOID(*	FUN_HEAP_CREATE )(ULONG Options, SIZE_T InitialSize, SIZE_T MaximumSize)
Functions
NTSTATUS	LdrpWalkImportDescriptor (IN PWSTR DllPath OPTIONAL, IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry)
VOID	LdrpDphInitializeTargetDll (PLDR_DATA_TABLE_ENTRY LoadedDllData)
NTSTATUS	LdrpLoadImportModule (IN PWSTR DllPath OPTIONAL, IN LPSTR ImportName, IN PVOID DllBaseImporter, OUT PLDR_DATA_TABLE_ENTRY *DataTableEntry, OUT PBOOLEAN AlreadyLoaded)
ULONG	LdrpClearLoadInProgress (VOID)
NTSTATUS	LdrpRunInitializeRoutines (IN PCONTEXT Context OPTIONAL)
BOOLEAN	LdrpCheckForLoadedDll (IN PWSTR DllPath OPTIONAL, IN PUNICODE_STRING DllName, IN BOOLEAN StaticLink, IN BOOLEAN Wx86KnownDll, OUT PLDR_DATA_TABLE_ENTRY *LdrDataTableEntry)
BOOLEAN	LdrpCheckForLoadedDllHandle (IN PVOID DllHandle, OUT PLDR_DATA_TABLE_ENTRY *LdrDataTableEntry)
NTSTATUS	LdrpMapDll (IN PWSTR DllPath OPTIONAL, IN PWSTR DllName, IN PULONG DllCharacteristics OPTIONAL, IN BOOLEAN StaticLink, IN BOOLEAN Wx86KnownDll, OUT PLDR_DATA_TABLE_ENTRY *LdrDataTableEntry)
NTSTATUS	LdrpCreateDllSection (IN PUNICODE_STRING NtFullDllName, IN HANDLE DllFile, IN PUNICODE_STRING BaseName, IN PULONG DllCharacteristics OPTIONAL, OUT PHANDLE SectionHandle)
NTSTATUS	LdrpSnapIAT (IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry_Export, IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry_Import, IN PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor, IN BOOLEAN SnapForwardersOnly)
NTSTATUS	LdrpSnapThunk (IN PVOID DllBase, IN PVOID ImageBase, IN PIMAGE_THUNK_DATA OriginalThunk, IN OUT PIMAGE_THUNK_DATA Thunk, IN PIMAGE_EXPORT_DIRECTORY ExportDirectory, IN ULONG ExportSize, IN BOOLEAN StaticSnap, IN PSZ DllName)
USHORT	LdrpNameToOrdinal (IN PSZ Name, IN ULONG NumberOfNames, IN PVOID DllBase, IN PULONG NameTableBase, IN PUSHORT NameOrdinalTableBase)
VOID	LdrpUpdateLoadCount (IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry, IN BOOLEAN IncrementCount)
PLDR_DATA_TABLE_ENTRY	LdrpAllocateDataTableEntry (IN PVOID DllBase)
VOID	LdrpInsertMemoryTableEntry (IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry)
BOOLEAN	LdrpResolveDllName (IN PWSTR DllPath OPTIONAL, IN PWSTR DllName, OUT PUNICODE_STRING FullDllName, OUT PUNICODE_STRING BaseDllName, OUT PHANDLE DllFile)
PVOID	LdrpFetchAddressOfEntryPoint (IN PVOID Base)
HANDLE	LdrpCheckForKnownDll (IN PWSTR DllName, OUT PUNICODE_STRING FullDllName, OUT PUNICODE_STRING BaseDllName)
NTSTATUS	LdrpSetProtection (IN PVOID Base, IN BOOLEAN Reset, IN BOOLEAN StaticLink)
PVOID	RtlpDphDllHeapAlloc (IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
PVOID	RtlpDphDllHeapReAlloc (IN PVOID HeapHandle, IN ULONG Flags, IN PVOID Address, IN SIZE_T Size)
BOOLEAN	RtlpDphDllHeapFree (IN PVOID HeapHandle, IN ULONG Flags, IN PVOID Address)
PVOID	RtlpDphDllLocalAlloc (IN ULONG Flags, IN SIZE_T Size)
PVOID	RtlpDphDllLocalReAlloc (IN PVOID Address, IN SIZE_T Size, IN ULONG Flags)
PVOID	RtlpDphDllLocalFree (IN PVOID Address)
PVOID	RtlpDphDllGlobalAlloc (IN ULONG Flags, IN SIZE_T Size)
PVOID	RtlpDphDllGlobalReAlloc (IN PVOID Address, IN SIZE_T Size, IN ULONG Flags)
PVOID	RtlpDphDllGlobalFree (IN PVOID Address)
PVOID __cdecl	RtlpDphDllmalloc (IN SIZE_T Size)
PVOID __cdecl	RtlpDphDllcalloc (IN SIZE_T Number, IN SIZE_T Size)
PVOID __cdecl	RtlpDphDllrealloc (IN PVOID Address, IN SIZE_T Size)
VOID __cdecl	RtlpDphDllfree (IN PVOID Address)
PVOID __cdecl	RtlpDphDllNew (IN SIZE_T Size)
VOID __cdecl	RtlpDphDllDelete (IN PVOID Address)
PVOID __cdecl	RtlpDphDllNewArray (IN SIZE_T Size)
VOID __cdecl	RtlpDphDllDeleteArray (IN PVOID Address)
PVOID	RtlpDphDllHeapCreate (ULONG Options, SIZE_T InitialSize, SIZE_T MaximumSize)
BOOLEAN	LdrpDphDetectSnapRoutines (PWSTR DllString, PDPH_SNAP_NAME SnapNames)
BOOLEAN	LdrpDphSnapImports (PLDR_DATA_TABLE_ENTRY LdrDataTableEntry, BOOLEAN CallToDetectCrtHeap)
Variables
BOOLEAN	LdrpDphKernel32Snapped
BOOLEAN	LdrpDphMsvcrtSnapped
PVOID	LdrpDphSnapRoutines [SNAP_ROUTINE_MAX_INDEX]
DPH_SNAP_NAME	LdrpDphSnapNamesForKernel32 []
DPH_SNAP_NAME	LdrpDphSnapNamesForMsvcrt []
PVOID	RtlpDphMsvcrtHeap

---

Define Documentation

#define BASE_HANDLE_MARK_BIT   0x04

Definition at line 4155 of file ldrsnap.c. Referenced by RtlpDphDllGlobalFree(), and RtlpDphDllLocalFree().

#define BIAS_POINTER (  p   )     ((PVOID)((ULONG_PTR)(p) | 0x01))

Definition at line 4097 of file ldrsnap.c. Referenced by RtlpDebugPageHeapReAllocate(), RtlpDphDllcalloc(), RtlpDphDllGlobalAlloc(), RtlpDphDllGlobalReAlloc(), RtlpDphDllHeapAlloc(), RtlpDphDllHeapReAlloc(), RtlpDphDllLocalAlloc(), RtlpDphDllLocalReAlloc(), RtlpDphDllmalloc(), RtlpDphDllNew(), RtlpDphDllNewArray(), and RtlpDphDllrealloc().

#define LDRDBG   0

Definition at line 23 of file ldrsnap.c.

#define LMEM_MOVEABLE   0x0002

Definition at line 4149 of file ldrsnap.c. Referenced by GetClipboardData(), RtlpDphDllGlobalAlloc(), RtlpDphDllGlobalReAlloc(), RtlpDphDllLocalAlloc(), and RtlpDphDllLocalReAlloc().

#define LMEM_ZEROINIT   0x0040

Definition at line 4150 of file ldrsnap.c. Referenced by GetHardErrorText(), RtlLoadStringOrError(), RtlpDphDllGlobalAlloc(), RtlpDphDllLocalAlloc(), and SoftModalMessageBox().

#define SNAP_ROUTINE_CALLOC   11

Definition at line 3534 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_DELETE   15

Definition at line 3538 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_DELETE_ARRAY   17

Definition at line 3540 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_FREE   13

Definition at line 3536 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_GLOBALALLOC   0

Definition at line 3523 of file ldrsnap.c. Referenced by LdrpDphSnapImports(), and RtlpDphDllGlobalAlloc().

#define SNAP_ROUTINE_GLOBALFREE   2

Definition at line 3525 of file ldrsnap.c. Referenced by LdrpDphSnapImports(), and RtlpDphDllGlobalFree().

#define SNAP_ROUTINE_GLOBALREALLOC   1

Definition at line 3524 of file ldrsnap.c. Referenced by LdrpDphSnapImports(), and RtlpDphDllGlobalReAlloc().

#define SNAP_ROUTINE_HEAPALLOC   6

Definition at line 3529 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_HEAPCREATE   9

Definition at line 3532 of file ldrsnap.c. Referenced by LdrpDphSnapImports(), and RtlpDphDllHeapCreate().

#define SNAP_ROUTINE_HEAPFREE   8

Definition at line 3531 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_HEAPREALLOC   7

Definition at line 3530 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_LOCALALLOC   3

Definition at line 3526 of file ldrsnap.c. Referenced by LdrpDphSnapImports(), and RtlpDphDllLocalAlloc().

#define SNAP_ROUTINE_LOCALFREE   5

Definition at line 3528 of file ldrsnap.c. Referenced by LdrpDphSnapImports(), and RtlpDphDllLocalFree().

#define SNAP_ROUTINE_LOCALREALLOC   4

Definition at line 3527 of file ldrsnap.c. Referenced by LdrpDphSnapImports(), and RtlpDphDllLocalReAlloc().

#define SNAP_ROUTINE_MALLOC   10

Definition at line 3533 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_MAX_INDEX   18

Definition at line 3541 of file ldrsnap.c.

#define SNAP_ROUTINE_NEW   14

Definition at line 3537 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_NEW_ARRAY   16

Definition at line 3539 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

#define SNAP_ROUTINE_REALLOC   12

Definition at line 3535 of file ldrsnap.c. Referenced by LdrpDphSnapImports().

---

Typedef Documentation

typedef struct _DPH_SNAP_NAME DPH_SNAP_NAME

typedef PVOID(* FUN_GLOBAL_ALLOC)(IN ULONG Flags, IN SIZE_T Size)

Definition at line 4177 of file ldrsnap.c. Referenced by RtlpDphDllGlobalAlloc().

typedef PVOID(* FUN_GLOBAL_FREE)(IN PVOID Address)

Definition at line 4190 of file ldrsnap.c. Referenced by RtlpDphDllGlobalFree().

typedef PVOID(* FUN_GLOBAL_REALLOC)(IN PVOID Address, IN SIZE_T Size, IN ULONG Flags)

Definition at line 4183 of file ldrsnap.c. Referenced by RtlpDphDllGlobalReAlloc().

typedef PVOID(* FUN_HEAP_CREATE)(ULONG Options, SIZE_T InitialSize, SIZE_T MaximumSize)

Definition at line 4512 of file ldrsnap.c. Referenced by RtlpDphDllHeapCreate().

typedef PVOID(* FUN_LOCAL_ALLOC)(IN ULONG Flags, IN SIZE_T Size)

Definition at line 4159 of file ldrsnap.c. Referenced by RtlpDphDllLocalAlloc().

typedef PVOID(* FUN_LOCAL_FREE)(IN PVOID Address)

Definition at line 4172 of file ldrsnap.c. Referenced by RtlpDphDllLocalFree().

typedef PVOID(* FUN_LOCAL_REALLOC)(IN PVOID Address, IN SIZE_T Size, IN ULONG Flags)

Definition at line 4165 of file ldrsnap.c. Referenced by RtlpDphDllLocalReAlloc().

typedef struct _DPH_SNAP_NAME * PDPH_SNAP_NAME

Referenced by LdrpDphDetectSnapRoutines().

---

Function Documentation

PLDR_DATA_TABLE_ENTRY LdrpAllocateDataTableEntry (  IN PVOID  DllBase  )

Definition at line 3043 of file ldrsnap.c. References LDR_TAG, MAKE_TAG, NULL, RtlAllocateHeap, and RtlImageNtHeader(). Referenced by LdrpInitializeProcess(), and LdrpMapDll(). : This function allocates an entry in the loader data table. If the table is going to overflow, then a new table is allocated. Arguments: DllBase - Supplies the address of the base of the DLL Image. be added to the loader data table. Return Value: Returns the address of the allocated loader data table entry --*/ { PLDR_DATA_TABLE_ENTRY Entry; PIMAGE_NT_HEADERS NtHeaders; NtHeaders = RtlImageNtHeader(DllBase); Entry = NULL; if ( NtHeaders ) { Entry = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( LDR_TAG ) | HEAP_ZERO_MEMORY,sizeof( *Entry )); if ( Entry ) { Entry->DllBase = DllBase; Entry->SizeOfImage = NtHeaders->OptionalHeader.SizeOfImage; Entry->TimeDateStamp = NtHeaders->FileHeader.TimeDateStamp; } } return Entry; }

HANDLE LdrpCheckForKnownDll (  IN PWSTR  DllName, OUT PUNICODE_STRING  FullDllName, OUT PUNICODE_STRING  BaseDllName )

Definition at line 3283 of file ldrsnap.c. References LDR_TAG, LdrpKnownDllObjectDirectory, LdrpKnownDllPath, MAKE_TAG, NT_SUCCESS, NtOpenSection(), NTSTATUS(), NULL, RtlAllocateHeap, RtlFreeHeap, RtlInitUnicodeString(), Status, Unicode, and USHORT. Referenced by LdrpMapDll(). : This function checks to see if the specified DLL is a known DLL. It assumes it is only called for static DLL's, and when the know DLL directory structure has been set up. Arguments: DllName - Supplies the name of the DLL. FullDllName - Returns the fully qualified pathname of the DLL. The Buffer field of this string is dynamically allocated from the processes heap. BaseDLLName - Returns the base dll name of the dll. The base name is the file name portion of the dll path without the trailing extension. The Buffer field of this string is dynamically allocated from the processes heap. Return Value: NON-NULL - Returns an open handle to the section associated with the DLL. NULL - The DLL is not known. --*/ { UNICODE_STRING Unicode; HANDLE Section; NTSTATUS Status; OBJECT_ATTRIBUTES Obja; PSZ p; PWSTR pw; Section = NULL; // // calculate base name // RtlInitUnicodeString(&Unicode,DllName); BaseDllName->Length = Unicode.Length; BaseDllName->MaximumLength = Unicode.MaximumLength; BaseDllName->Buffer = RtlAllocateHeap( RtlProcessHeap(),MAKE_TAG( LDR_TAG ), Unicode.MaximumLength ); if ( !BaseDllName->Buffer ) { return NULL; } RtlMoveMemory(BaseDllName->Buffer,Unicode.Buffer,Unicode.MaximumLength); // // now compute the full name for the dll // FullDllName->Length = (USHORT)(LdrpKnownDllPath.Length + // path prefix (USHORT)sizeof(WCHAR) + // seperator BaseDllName->Length // base ); FullDllName->MaximumLength = FullDllName->Length + (USHORT)sizeof(UNICODE_NULL); FullDllName->Buffer = RtlAllocateHeap( RtlProcessHeap(),MAKE_TAG( LDR_TAG ), FullDllName->MaximumLength ); if ( !FullDllName->Buffer ) { RtlFreeHeap(RtlProcessHeap(),0,BaseDllName->Buffer); return NULL; } p = (PSZ)FullDllName->Buffer; RtlMoveMemory(p,LdrpKnownDllPath.Buffer,LdrpKnownDllPath.Length); p += LdrpKnownDllPath.Length; pw = (PWSTR)p; *pw++ = (WCHAR)'\\'; p = (PSZ)pw; // // This is the relative name of the section // Unicode.Buffer = (PWSTR)p; Unicode.Length = BaseDllName->Length; // base Unicode.MaximumLength = Unicode.Length + (USHORT)sizeof(UNICODE_NULL); RtlMoveMemory(p,BaseDllName->Buffer,BaseDllName->MaximumLength); // // open the section object // InitializeObjectAttributes( &Obja, &Unicode, OBJ_CASE_INSENSITIVE, LdrpKnownDllObjectDirectory, NULL ); Status = NtOpenSection( &Section, SECTION_MAP_READ | SECTION_MAP_EXECUTE | SECTION_MAP_WRITE, &Obja ); if ( !NT_SUCCESS(Status) ) { Section = NULL; RtlFreeHeap(RtlProcessHeap(),0,BaseDllName->Buffer); RtlFreeHeap(RtlProcessHeap(),0,FullDllName->Buffer); } #if DBG else { LdrpSectionOpens++; } #endif // DBG return Section; }

BOOLEAN LdrpCheckForLoadedDll (  IN PWSTR DllPath  OPTIONAL, IN PUNICODE_STRING  DllName, IN BOOLEAN  StaticLink, IN BOOLEAN  Wx86KnownDll, OUT PLDR_DATA_TABLE_ENTRY *  LdrDataTableEntry )

Definition at line 832 of file ldrsnap.c. References CHAR, DbgPrint, EXCEPTION_EXECUTE_HANDLER, FALSE, File, L, LDRP_COMPUTE_HASH_INDEX, LdrpDefaultPath, LdrpHashTable, NT_SUCCESS, NtAreMappedFilesTheSame(), NtClose(), NtCreateSection(), NtMapViewOfSection(), NtOpenFile(), NTSTATUS(), NtUnmapViewOfSection(), NULL, ObjectAttributes, RtlCopyUnicodeString(), RtlDosPathNameToNtPathName_U(), RtlDosSearchPath_U(), RtlEqualUnicodeString(), RtlFreeHeap, RtlImageNtHeader(), ShowSnaps, TRUE, and USHORT. Referenced by LdrGetDllHandle(), LdrpDphDetectSnapRoutines(), LdrpDphInitializeTargetDll(), LdrpLoadDll(), LdrpLoadImportModule(), and LdrpUpdateLoadCount(). : This function scans the loader data table looking to see if the specified DLL has already been mapped into the image. If the dll has been loaded, the address of its data table entry is returned. Arguments: DllPath - Supplies an optional search path used to locate the DLL. DllName - Supplies the name to search for. StaticLink - TRUE if performing a static link. Wx86KnownDll - TRUE, treat Importer as x86 LdrDataTableEntry - Returns the address of the loader data table entry that describes the first dll section that implements the dll. Return Value: TRUE- The dll is already loaded. The address of the data table entries that implement the dll, and the number of data table entries are returned. FALSE - The dll is not already mapped. --*/ { BOOLEAN Result; PLDR_DATA_TABLE_ENTRY Entry; PLIST_ENTRY Head, Next; UNICODE_STRING FullDllName; HANDLE DllFile; BOOLEAN HardCodedPath; PWCH p; WCHAR wch; ULONG i; CHAR FullDllNameBuffer[530+sizeof(UNICODE_NULL)]; ULONG Length = 0; PWCH src,dest; if (!DllName->Buffer || !DllName->Buffer[0]) { return FALSE; } #if defined (WX86) if (Wx86ProcessInit) { FullDllName.Buffer = (PWCHAR)FullDllNameBuffer; FullDllName.MaximumLength = sizeof(FullDllNameBuffer); FullDllName.Length = 0; Entry = LdrpWx86CheckForLoadedDll(DllPath, DllName, Wx86KnownDll, &FullDllName ); if (Entry) { RtlCopyUnicodeString(DllName, &FullDllName); *LdrDataTableEntry = Entry; return TRUE; } else { return FALSE; } } #endif // // for static links, just go to the hash table // staticlink: if ( StaticLink ) { i = LDRP_COMPUTE_HASH_INDEX(DllName->Buffer[0]); Head = &LdrpHashTable[i]; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, HashLinks); #if DBG LdrpCompareCount++; #endif if (RtlEqualUnicodeString(DllName, &Entry->BaseDllName, TRUE )) { *LdrDataTableEntry = Entry; return TRUE; } Next = Next->Flink; } } if ( StaticLink ) { return FALSE; } // // If the dll name contained a hard coded path // (dynamic link only), then the fully qualified // name needs to be compared to make sure we // have the correct dll. // p = DllName->Buffer; HardCodedPath = FALSE; while (*p) { wch = *p++; if (wch == (WCHAR)'\\' || wch == (WCHAR)'/' ) { HardCodedPath = TRUE; // // We have a hard coded path, so we have to search path // for the DLL. We need the full DLL name so we can FullDllName.Buffer = (WCHAR *)FullDllNameBuffer; Length = RtlDosSearchPath_U( ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer, DllName->Buffer, NULL, sizeof(FullDllNameBuffer)-sizeof(UNICODE_NULL), FullDllName.Buffer, NULL ); if ( !Length || Length > sizeof(FullDllNameBuffer)-sizeof(UNICODE_NULL) ) { if (ShowSnaps) { DbgPrint("LDR: LdrpCheckForLoadedDll - Unable To Locate "); DbgPrint("%ws from %ws\n", DllName->Buffer, ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer ); } return FALSE; } FullDllName.Length = (USHORT)Length; FullDllName.MaximumLength = FullDllName.Length + (USHORT)sizeof(UNICODE_NULL); break; } } // // if this is a dynamic load lib, and there is not a hard // coded path, then go to the static lib hash table for resolution // if ( !HardCodedPath ) { StaticLink = TRUE; goto staticlink; } Result = FALSE; Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Next = Next->Flink; // // when we unload, the memory order links flink field is nulled. // this is used to skip the entry pending list removal. // if ( !Entry->InMemoryOrderLinks.Flink ) { continue; } if (RtlEqualUnicodeString( &FullDllName, &Entry->FullDllName, TRUE ) ) { Result = TRUE; *LdrDataTableEntry = Entry; break; } } if ( !Result ) { // // no names matched. This might be a long short name mismatch or // any kind of alias pathname. Deal with this by opening and mapping // full dll name and then repeat the scan this time checking for // timedatestamp matches // HANDLE File; HANDLE Section; NTSTATUS st; OBJECT_ATTRIBUTES ObjectAttributes; IO_STATUS_BLOCK IoStatus; PVOID ViewBase; SIZE_T ViewSize; PIMAGE_NT_HEADERS NtHeadersSrc,NtHeadersE; UNICODE_STRING NtFileName; if (!RtlDosPathNameToNtPathName_U( FullDllName.Buffer, &NtFileName, NULL, NULL ) ) { goto alldone; } InitializeObjectAttributes( &ObjectAttributes, &NtFileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); st = NtOpenFile( &File, SYNCHRONIZE | FILE_EXECUTE, &ObjectAttributes, &IoStatus, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); RtlFreeHeap(RtlProcessHeap(), 0, NtFileName.Buffer); if (!NT_SUCCESS(st)) { goto alldone; } st = NtCreateSection( &Section, SECTION_MAP_READ | SECTION_MAP_EXECUTE | SECTION_MAP_WRITE, NULL, NULL, PAGE_EXECUTE, SEC_COMMIT, File ); NtClose( File ); if (!NT_SUCCESS(st)) { goto alldone; } ViewBase = NULL; ViewSize = 0; st = NtMapViewOfSection( Section, NtCurrentProcess(), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare, 0L, PAGE_EXECUTE ); NtClose(Section); if (!NT_SUCCESS(st)) { goto alldone; } // // The section is mapped. Now find the headers // NtHeadersSrc = RtlImageNtHeader(ViewBase); if ( !NtHeadersSrc ) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); goto alldone; } Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Next = Next->Flink; // // when we unload, the memory order links flink field is nulled. // this is used to skip the entry pending list removal. // if ( !Entry->InMemoryOrderLinks.Flink ) { continue; } try { if ( Entry->TimeDateStamp == NtHeadersSrc->FileHeader.TimeDateStamp && Entry->SizeOfImage == NtHeadersSrc->OptionalHeader.SizeOfImage ) { // // there is a very good chance we have an image match. Check the // entire file header and optional header. If they match, declare // this a match // NtHeadersE = RtlImageNtHeader(Entry->DllBase); if ( RtlCompareMemory(NtHeadersE,NtHeadersSrc,sizeof(*NtHeadersE)) ) { // // Now that it looks like we have a match, compare // volume serial number's and file index's // st = NtAreMappedFilesTheSame(Entry->DllBase,ViewBase); if ( !NT_SUCCESS(st) ) { continue; } else { Result = TRUE; *LdrDataTableEntry = Entry; break; } } } } except (EXCEPTION_EXECUTE_HANDLER) { break; } } NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); } alldone: return Result; }

BOOLEAN LdrpCheckForLoadedDllHandle (  IN PVOID  DllHandle, OUT PLDR_DATA_TABLE_ENTRY *  LdrDataTableEntry )

Definition at line 1196 of file ldrsnap.c. References FALSE, LdrpLoadedDllHandleCache, and TRUE. Referenced by LdrDisableThreadCalloutsForDll(), LdrpGetProcedureAddress(), and LdrUnloadDll(). : This function scans the loader data table looking to see if the specified DLL has already been mapped into the image address space. If the dll has been loaded, the address of its data table entry that describes the dll is returned. Arguments: DllHandle - Supplies the DllHandle of the DLL being searched for. LdrDataTableEntry - Returns the address of the loader data table entry that describes the dll. Return Value: TRUE- The dll is loaded. The address of the data table entry is returned. FALSE - The dll is not loaded. --*/ { PLDR_DATA_TABLE_ENTRY Entry; PLIST_ENTRY Head,Next; if ( LdrpLoadedDllHandleCache && (PVOID) LdrpLoadedDllHandleCache->DllBase == DllHandle ) { *LdrDataTableEntry = LdrpLoadedDllHandleCache; return TRUE; } Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Next = Next->Flink; // // when we unload, the memory order links flink field is nulled. // this is used to skip the entry pending list removal. // if ( !Entry->InMemoryOrderLinks.Flink ) { continue; } if (DllHandle == (PVOID)Entry->DllBase ){ LdrpLoadedDllHandleCache = Entry; *LdrDataTableEntry = Entry; return TRUE; } } return FALSE; }

ULONG LdrpClearLoadInProgress (  VOID   )

Definition at line 622 of file ldrsnap.c. Referenced by LdrpLoadDll(), and LdrpRunInitializeRoutines(). { PLIST_ENTRY Head, Next; PLDR_DATA_TABLE_ENTRY LdrDataTableEntry; ULONG i; Head = &NtCurrentPeb()->Ldr->InInitializationOrderModuleList; Next = Head->Flink; i = 0; while ( Next != Head ) { LdrDataTableEntry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks); LdrDataTableEntry->Flags &= ~LDRP_LOAD_IN_PROGRESS; // // return the number of entries that have not been processed, but // have init routines // if ( !(LdrDataTableEntry->Flags & LDRP_ENTRY_PROCESSED) && LdrDataTableEntry->EntryPoint) { i++; } Next = Next->Flink; } return i; }

NTSTATUS LdrpCreateDllSection (  IN PUNICODE_STRING  NtFullDllName, IN HANDLE  DllFile, IN PUNICODE_STRING  BaseName, IN PULONG DllCharacteristics  OPTIONAL, OUT PHANDLE  SectionHandle )

Definition at line 2150 of file ldrsnap.c. References DbgPrint, File, LdrpFatalHardErrorCount, LdrpInLdrInit, NT_SUCCESS, NtClose(), NtCreateSection(), NtOpenFile(), NtRaiseHardError(), NTSTATUS(), NULL, and ObjectAttributes. Referenced by LdrpMapDll(). { HANDLE File; HANDLE Section; NTSTATUS st; OBJECT_ATTRIBUTES ObjectAttributes; IO_STATUS_BLOCK IoStatus; if ( !DllFile ) { // // Since ntsdk does not search paths well, we can't use // relative object names // InitializeObjectAttributes( &ObjectAttributes, NtFullDllName, OBJ_CASE_INSENSITIVE, NULL, NULL ); st = NtOpenFile( &File, SYNCHRONIZE | FILE_EXECUTE, &ObjectAttributes, &IoStatus, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(st)) { #if DBG DbgPrint("LDR: LdrCreateDllSection - NtOpenFile( %wZ ) failed. Status == %X\n", NtFullDllName, st ); #endif *SectionHandle = NULL; return st; } } else { File = DllFile; } st = NtCreateSection( SectionHandle, SECTION_MAP_READ | SECTION_MAP_EXECUTE | SECTION_MAP_WRITE | SECTION_QUERY, NULL, NULL, PAGE_EXECUTE, SEC_IMAGE, File ); NtClose( File ); if (!NT_SUCCESS(st)) { // // hard error time // ULONG_PTR ErrorParameters[1]; ULONG ErrorResponse; *SectionHandle = NULL; ErrorParameters[0] = (ULONG_PTR)NtFullDllName; NtRaiseHardError( STATUS_INVALID_IMAGE_FORMAT, 1, 1, ErrorParameters, OptionOk, &ErrorResponse ); if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } #if DBG if (st != STATUS_INVALID_IMAGE_NE_FORMAT && st != STATUS_INVALID_IMAGE_LE_FORMAT && st != STATUS_INVALID_IMAGE_WIN_16 ) { DbgPrint("LDR: LdrCreateDllSection - NtCreateSection %wZ failed. Status == %X\n", NtFullDllName, st ); } #endif } return st; }

BOOLEAN LdrpDphDetectSnapRoutines (  PWSTR  DllString, PDPH_SNAP_NAME  SnapNames )

Definition at line 3710 of file ldrsnap.c. References DbgPrint, Directory(), FALSE, _DPH_SNAP_NAME::Index, Index, LdrpCheckForLoadedDll(), LdrpDphSnapRoutines, _DPH_SNAP_NAME::Name, NULL, PDPH_SNAP_NAME, RtlImageDirectoryEntryToData(), RtlInitUnicodeString(), Size, TRUE, and USHORT. Referenced by LdrpDphInitializeTargetDll(). { PLDR_DATA_TABLE_ENTRY DllData; PIMAGE_EXPORT_DIRECTORY Directory; ULONG Size; PCHAR NameAddress; PCHAR FunctionAddress; PCHAR Base; PCHAR IndexAddress; ULONG Index; ULONG RealIndex; BOOLEAN Result; UNICODE_STRING DllName; PDPH_SNAP_NAME CurrentSnapName; RtlInitUnicodeString ( &DllName, DllString); Result = LdrpCheckForLoadedDll ( NULL, &DllName, TRUE, FALSE, &DllData); if (Result == FALSE) { return FALSE; } Base = DllData->DllBase; Directory = RtlImageDirectoryEntryToData ( DllData->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &Size ); if (Directory == NULL) { return FALSE; } for (CurrentSnapName = SnapNames; CurrentSnapName->Name; CurrentSnapName += 1) { for (Index = 0; Index < Directory->NumberOfFunctions; Index += 1) { NameAddress = Base + Directory->AddressOfNames; NameAddress = Base + ((ULONG *)NameAddress)[Index]; IndexAddress = Base + Directory->AddressOfNameOrdinals; RealIndex = (ULONG)(((USHORT *)IndexAddress)[Index]); if (_stricmp (NameAddress, CurrentSnapName->Name) == 0) { FunctionAddress = Base + Directory->AddressOfFunctions; FunctionAddress = Base + ((ULONG *)FunctionAddress)[RealIndex]; LdrpDphSnapRoutines[CurrentSnapName->Index] = FunctionAddress; DbgPrint ("Page heap: found %s @ address %p \n", NameAddress, FunctionAddress); } } } return TRUE; }

VOID LdrpDphInitializeTargetDll (  PLDR_DATA_TABLE_ENTRY  LoadedDllData  )

Definition at line 3970 of file ldrsnap.c. References DbgPrint, End, FALSE, L, LdrpCheckForLoadedDll(), LdrpDphDetectSnapRoutines(), LdrpDphKernel32Snapped, LdrpDphMsvcrtSnapped, LdrpDphSnapImports(), LdrpDphSnapNamesForKernel32, LdrpDphSnapNamesForMsvcrt, NULL, RtlInitUnicodeString(), RtlpDphGlobalFlags, RtlpDphIsDllTargeted(), RtlpDphTargetDlls, and TRUE. Referenced by LdrpWalkImportDescriptor(). { BOOLEAN Kernel32JustSnapped = FALSE; BOOLEAN MsvcrtJustSnapped = FALSE; // // If we do not have per dll page heap feature enabled // we return immediately. // if (! (RtlpDphGlobalFlags & PAGE_HEAP_USE_DLL_NAMES)) { return; } if (! LdrpDphKernel32Snapped) { Kernel32JustSnapped = LdrpDphDetectSnapRoutines ( L"kernel32.dll", LdrpDphSnapNamesForKernel32); LdrpDphKernel32Snapped = Kernel32JustSnapped; } if (! LdrpDphMsvcrtSnapped) { MsvcrtJustSnapped = LdrpDphDetectSnapRoutines ( L"msvcrt.dll", LdrpDphSnapNamesForMsvcrt); LdrpDphMsvcrtSnapped = MsvcrtJustSnapped; } // // Snap everything already loaded if we just managed // to detect snap routines. // if (Kernel32JustSnapped || MsvcrtJustSnapped) { PWSTR Current; PWSTR End; WCHAR SavedChar; PLDR_DATA_TABLE_ENTRY DllData; BOOLEAN Result; UNICODE_STRING DllName; Current = RtlpDphTargetDlls; while (*Current) { while (*Current == L' ') { Current += 1; } End = Current; while (*End && *End != L' ') { End += 1; } if (*Current == L'\0') { break; } SavedChar = *End; *End = L'\0'; RtlInitUnicodeString ( &DllName, Current); Result = LdrpCheckForLoadedDll ( NULL, &DllName, TRUE, FALSE, &DllData); if (Result) { if (DllData->DllBase == LoadedDllData->DllBase) { #if DBG DbgPrint ("Page heap: oversnapping %ws \n", DllData->BaseDllName); #endif } LdrpDphSnapImports (DllData, FALSE); } *End = SavedChar; Current = End; } } // // If we just loaded msvcrt.dll we need to redirect HeapCreate call // in order to detect when the CRT heap gets created. // if (_wcsicmp (LoadedDllData->BaseDllName.Buffer, L"msvcrt.dll") == 0) { LdrpDphSnapImports (LoadedDllData, TRUE); } // // Call back into page heap manager to figure out if the // currently loaded dll is a target for page heap. // if (RtlpDphIsDllTargeted (LoadedDllData->BaseDllName.Buffer)) { LdrpDphSnapImports (LoadedDllData, FALSE); } }

BOOLEAN LdrpDphSnapImports (  PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry, BOOLEAN  CallToDetectCrtHeap )

Definition at line 3781 of file ldrsnap.c. References DbgPrint, FALSE, LdrpDphSnapRoutines, NT_SUCCESS, NtProtectVirtualMemory(), NTSTATUS(), NULL, RtlAllocateHeap, RtlFreeHeap, RtlImageDirectoryEntryToData(), RtlpDphDllcalloc(), RtlpDphDllDelete(), RtlpDphDllDeleteArray(), RtlpDphDllfree(), RtlpDphDllGlobalAlloc(), RtlpDphDllGlobalFree(), RtlpDphDllGlobalReAlloc(), RtlpDphDllHeapAlloc(), RtlpDphDllHeapCreate(), RtlpDphDllHeapFree(), RtlpDphDllHeapReAlloc(), RtlpDphDllLocalAlloc(), RtlpDphDllLocalFree(), RtlpDphDllLocalReAlloc(), RtlpDphDllmalloc(), RtlpDphDllNew(), RtlpDphDllNewArray(), RtlpDphDllrealloc(), RtlReAllocateHeap(), SNAP_ROUTINE_CALLOC, SNAP_ROUTINE_DELETE, SNAP_ROUTINE_DELETE_ARRAY, SNAP_ROUTINE_FREE, SNAP_ROUTINE_GLOBALALLOC, SNAP_ROUTINE_GLOBALFREE, SNAP_ROUTINE_GLOBALREALLOC, SNAP_ROUTINE_HEAPALLOC, SNAP_ROUTINE_HEAPCREATE, SNAP_ROUTINE_HEAPFREE, SNAP_ROUTINE_HEAPREALLOC, SNAP_ROUTINE_LOCALALLOC, SNAP_ROUTINE_LOCALFREE, SNAP_ROUTINE_LOCALREALLOC, SNAP_ROUTINE_MALLOC, SNAP_ROUTINE_NEW, SNAP_ROUTINE_NEW_ARRAY, SNAP_ROUTINE_REALLOC, TRUE, and USHORT. Referenced by LdrpDphInitializeTargetDll(). { PVOID IATBase; SIZE_T BigIATSize; ULONG LittleIATSize; PVOID *ProcAddresses; ULONG NumberOfProcAddresses; ULONG OldProtect; USHORT TagIndex; NTSTATUS st; // // Determine the location and size of the IAT. If found, scan the // IAT address to see if any are pointing to alloc/free functions // and replace those thunks. // IATBase = RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &LittleIATSize); BigIATSize = LittleIATSize; if (IATBase != NULL) { st = NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &BigIATSize, PAGE_READWRITE, &OldProtect); if (!NT_SUCCESS(st)) { DbgPrint( "LDR: Unable to unprotect IAT to enable per DLL page heap.\n" ); return FALSE; } else { ProcAddresses = (PVOID *)IATBase; NumberOfProcAddresses = (ULONG)(BigIATSize / sizeof(PVOID)); while (NumberOfProcAddresses--) { if (CallToDetectCrtHeap) { if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_HEAPCREATE]) { *ProcAddresses = RtlpDphDllHeapCreate; DbgPrint ("Snapped (%ws) HeapCreate ... \n", LdrDataTableEntry->BaseDllName.Buffer); } } else { // // ntdll imports // if (*ProcAddresses == RtlAllocateHeap) { *ProcAddresses = RtlpDphDllHeapAlloc; DbgPrint ("Snapped (%ws) RtlAllocateHeap ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == RtlReAllocateHeap) { *ProcAddresses = RtlpDphDllHeapReAlloc; DbgPrint ("Snapped (%ws) RtlReAllocateHeap ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == RtlFreeHeap) { *ProcAddresses = RtlpDphDllHeapFree; DbgPrint ("Snapped (%ws) RtlFreeHeap ... \n", LdrDataTableEntry->BaseDllName.Buffer); } // // kernel32 imports // else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_HEAPALLOC]) { *ProcAddresses = RtlpDphDllHeapAlloc; DbgPrint ("Snapped (%ws) HeapAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_HEAPREALLOC]) { *ProcAddresses = RtlpDphDllHeapReAlloc; DbgPrint ("Snapped (%ws) HeapReAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_HEAPFREE]) { *ProcAddresses = RtlpDphDllHeapFree; DbgPrint ("Snapped (%ws) HeapFree ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_LOCALALLOC]) { *ProcAddresses = RtlpDphDllLocalAlloc; DbgPrint ("Snapped (%ws) LocalAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_LOCALREALLOC]) { *ProcAddresses = RtlpDphDllLocalReAlloc; DbgPrint ("Snapped (%ws) LocalReAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_LOCALFREE]) { *ProcAddresses = RtlpDphDllLocalFree; DbgPrint ("Snapped (%ws) LocalFree ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_GLOBALALLOC]) { *ProcAddresses = RtlpDphDllGlobalAlloc; DbgPrint ("Snapped (%ws) GlobalAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_GLOBALREALLOC]) { *ProcAddresses = RtlpDphDllGlobalReAlloc; DbgPrint ("Snapped (%ws) GlobalReAlloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_GLOBALFREE]) { *ProcAddresses = RtlpDphDllGlobalFree; DbgPrint ("Snapped (%ws) GlobalFree ... \n", LdrDataTableEntry->BaseDllName.Buffer); } // // msvcrt imports // else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_MALLOC]) { *ProcAddresses = RtlpDphDllmalloc; DbgPrint ("Snapped (%ws) malloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_REALLOC]) { *ProcAddresses = RtlpDphDllrealloc; DbgPrint ("Snapped (%ws) realloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_CALLOC]) { *ProcAddresses = RtlpDphDllcalloc; DbgPrint ("Snapped (%ws) calloc ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_FREE]) { *ProcAddresses = RtlpDphDllfree; DbgPrint ("Snapped (%ws) free ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_NEW]) { *ProcAddresses = RtlpDphDllNew; DbgPrint ("Snapped (%ws) operator new ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_DELETE]) { *ProcAddresses = RtlpDphDllDelete; DbgPrint ("Snapped (%ws) operator delete ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_NEW_ARRAY]) { *ProcAddresses = RtlpDphDllNewArray; DbgPrint ("Snapped (%ws) operator new[] ... \n", LdrDataTableEntry->BaseDllName.Buffer); } else if (*ProcAddresses == LdrpDphSnapRoutines[SNAP_ROUTINE_DELETE_ARRAY]) { *ProcAddresses = RtlpDphDllDeleteArray; DbgPrint ("Snapped (%ws) operator delete[] ... \n", LdrDataTableEntry->BaseDllName.Buffer); } } ProcAddresses += 1; } NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &BigIATSize, OldProtect, &OldProtect); } } return TRUE; }

PVOID LdrpFetchAddressOfEntryPoint (  IN PVOID  Base  )

Definition at line 3249 of file ldrsnap.c. References RtlImageNtHeader(). Referenced by LdrpInitializeProcess(), and LdrpMapDll(). : This function returns the address of the initialization routine. Arguments: Base - Base of image. Return Value: Status value --*/ { PIMAGE_NT_HEADERS NtHeaders; ULONG_PTR ep; NtHeaders = RtlImageNtHeader(Base); ep = NtHeaders->OptionalHeader.AddressOfEntryPoint; if (ep) { ep += (ULONG_PTR)Base; } return (PVOID)ep; }

VOID LdrpInsertMemoryTableEntry (  IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry  )

Definition at line 3084 of file ldrsnap.c. References LDRP_COMPUTE_HASH_INDEX, and LdrpHashTable. Referenced by LdrpInitializeProcess(), and LdrpMapDll(). : This function inserts a loader data table entry into the list of loaded modules for this process. The insertion is done in "image memory base order". Arguments: LdrDataTableEntry - Supplies the address of the loader data table entry to insert in the list of loaded modules for this process. Return Value: None. --*/ { PPEB_LDR_DATA Ldr; ULONG i; Ldr = NtCurrentPeb()->Ldr; i = LDRP_COMPUTE_HASH_INDEX(LdrDataTableEntry->BaseDllName.Buffer[0]); InsertTailList(&LdrpHashTable[i],&LdrDataTableEntry->HashLinks); InsertTailList(&Ldr->InLoadOrderModuleList, &LdrDataTableEntry->InLoadOrderLinks); InsertTailList(&Ldr->InMemoryOrderModuleList, &LdrDataTableEntry->InMemoryOrderLinks); }

NTSTATUS LdrpLoadImportModule (  IN PWSTR DllPath  OPTIONAL, IN LPSTR  ImportName, IN PVOID  DllBaseImporter, OUT PLDR_DATA_TABLE_ENTRY *  DataTableEntry, OUT PBOOLEAN  AlreadyLoaded )

Definition at line 140 of file ldrsnap.c. References FALSE, LdrpCheckForLoadedDll(), LdrpMapDll(), LdrpWalkImportDescriptor(), NT_SUCCESS, NTSTATUS(), NULL, RtlAnsiStringToUnicodeString(), RtlImageNtHeader(), RtlInitAnsiString(), and TRUE. Referenced by LdrpWalkImportDescriptor(). { NTSTATUS st; ANSI_STRING AnsiString; PUNICODE_STRING ImportDescriptorName_U; BOOLEAN Wx86KnownDll = FALSE; ImportDescriptorName_U = &NtCurrentTeb()->StaticUnicodeString; RtlInitAnsiString(&AnsiString, ImportName); st = RtlAnsiStringToUnicodeString(ImportDescriptorName_U, &AnsiString, FALSE); if (!NT_SUCCESS(st)) { return st; } #if defined (WX86) if (Wx86ProcessInit) { Wx86KnownDll = RtlImageNtHeader(DllBaseImporter)->FileHeader.Machine == IMAGE_FILE_MACHINE_I386; } #endif // // BUGBUG If a DLL refers to itself we will recurse and blow up // // // Check the LdrTable to see if Dll has already been mapped // into this image. If not, map it. // if (LdrpCheckForLoadedDll( DllPath, ImportDescriptorName_U, TRUE, Wx86KnownDll, DataTableEntry ) ) { *AlreadyLoaded = TRUE; } else { *AlreadyLoaded = FALSE; st = LdrpMapDll(DllPath, ImportDescriptorName_U->Buffer, NULL, TRUE, Wx86KnownDll, DataTableEntry ); if (!NT_SUCCESS(st)) { return st; } st = LdrpWalkImportDescriptor( DllPath, *DataTableEntry ); if (!NT_SUCCESS(st)) { InsertTailList(&NtCurrentPeb()->Ldr->InInitializationOrderModuleList, &(*DataTableEntry)->InInitializationOrderLinks); } } return st; }

NTSTATUS LdrpMapDll (  IN PWSTR DllPath  OPTIONAL, IN PWSTR  DllName, IN PULONG DllCharacteristics  OPTIONAL, IN BOOLEAN  StaticLink, IN BOOLEAN  Wx86KnownDll, OUT PLDR_DATA_TABLE_ENTRY *  LdrDataTableEntry )

Definition at line 1261 of file ldrsnap.c. References Action, DbgPrint, FALSE, L, LdrpAllocateDataTableEntry(), LdrpCheckForKnownDll(), LdrpCreateDllSection(), LdrpDefaultPath, LdrpFatalHardErrorCount, LdrpFetchAddressOfEntryPoint(), LdrpInLdrInit, LdrpInsertMemoryTableEntry(), LdrpKnownDllObjectDirectory, LdrpNumberOfProcessors, LdrpResolveDllName(), LdrpSetProtection(), LdrRelocateImage(), NATIVE_PAGE_SIZE, NT_ERROR, NT_SUCCESS, NtClose(), NtMapViewOfSection(), NtQueryPerformanceCounter(), NtRaiseHardError(), NTSTATUS(), NtUnmapViewOfSection(), NULL, PAGE_SIZE, RtlDosPathNameToNtPathName_U(), RtlEqualUnicodeString(), RtlFreeHeap, RtlFreeUnicodeString(), RtlImageDirectoryEntryToData(), RtlImageNtHeader(), RtlInitUnicodeString(), ShowSnaps, TRUE, type, and USHORT. Referenced by LdrpLoadDll(), and LdrpLoadImportModule(). : This routine maps the DLL into the users address space. Arguments: DllPath - Supplies an optional search path to be used to locate the DLL. DllName - Supplies the name of the DLL to load. StaticLink - TRUE if this DLL has a static link to it. Wx86KnownDll - TRUE, treat Importer as x86 LdrDataTableEntry - Supplies the address of the data table entry. Return Value: Status value. --*/ { NTSTATUS st; PVOID ViewBase; PTEB Teb = NtCurrentTeb(); SIZE_T ViewSize; HANDLE Section, DllFile; UNICODE_STRING FullDllName, BaseDllName; UNICODE_STRING NtFileName; PLDR_DATA_TABLE_ENTRY Entry; PIMAGE_NT_HEADERS NtHeaders; PVOID ArbitraryUserPointer; BOOLEAN KnownDll; UNICODE_STRING CollidingDll; PUCHAR ImageBase, ImageBounds, ScanBase, ScanTop; PLDR_DATA_TABLE_ENTRY ScanEntry; PLIST_ENTRY ScanHead,ScanNext; BOOLEAN CollidingDllFound; NTSTATUS ErrorStatus; ULONG_PTR ErrorParameters[2]; ULONG ErrorResponse; #if defined (WX86) BOOLEAN Wx86Plugin = FALSE; #endif // // Get section handle of DLL being snapped // #if LDRDBG if (ShowSnaps) { DbgPrint("LDR: LdrpMapDll: Image Name %ws, Search Path %ws\n", DllName, ARGUMENT_PRESENT(DllPath) ? DllPath : L"" ); } #endif Entry = NULL; KnownDll = FALSE; Section = NULL; if ( LdrpKnownDllObjectDirectory && !Wx86KnownDll) { PWCH p = DllName; WCHAR wch; // // Skip the KnownDll check if this is an explicit path. // while (*p) { wch = *p++; if (wch == (WCHAR)'\\' || wch == (WCHAR)'/' ) { goto SkipKnownDllCheck; } } Section = LdrpCheckForKnownDll( DllName, &FullDllName, &BaseDllName ); } SkipKnownDllCheck: if ( !Section ) { #if defined (WX86) if (Wx86ProcessInit) { RtlInitUnicodeString(&BaseDllName, DllName); st = LdrpWx86MapDll(DllPath, DllCharacteristics, Wx86KnownDll, StaticLink, &BaseDllName, &Entry, &ViewSize, &Section ); if (st == STATUS_DLL_NOT_FOUND) { goto Wx86MapDllNotFound; } if (!NT_SUCCESS(st)) { return st; } ViewBase = Entry->DllBase; FullDllName = Entry->FullDllName; BaseDllName = Entry->BaseDllName; NtHeaders = RtlImageNtHeader(ViewBase); goto Wx86MapComplete; } else #endif if (LdrpResolveDllName( DllPath, DllName, &FullDllName, &BaseDllName, &DllFile ) ) { if (ShowSnaps) { PSZ type; type = StaticLink ? "STATIC" : "DYNAMIC"; DbgPrint("LDR: Loading (%s) %wZ\n", type, &FullDllName ); } if (!RtlDosPathNameToNtPathName_U( FullDllName.Buffer, &NtFileName, NULL, NULL ) ) { return STATUS_OBJECT_PATH_SYNTAX_BAD; } st = LdrpCreateDllSection(&NtFileName, DllFile, &BaseDllName, DllCharacteristics, &Section ); RtlFreeHeap(RtlProcessHeap(), 0, NtFileName.Buffer); if (!NT_SUCCESS(st)) { RtlFreeUnicodeString(&FullDllName); RtlFreeUnicodeString(&BaseDllName); return st; } #if DBG LdrpSectionCreates++; #endif } else { #ifdef WX86 Wx86MapDllNotFound: #endif if ( StaticLink ) { PUNICODE_STRING ErrorStrings[2]; UNICODE_STRING ErrorDllName, ErrorDllPath; ULONG ErrorResponse; ErrorStrings[0] = &ErrorDllName; ErrorStrings[1] = &ErrorDllPath; RtlInitUnicodeString(&ErrorDllName,DllName); RtlInitUnicodeString(&ErrorDllPath, ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer); NtRaiseHardError( (NTSTATUS)STATUS_DLL_NOT_FOUND, 2, 0x00000003, (PULONG_PTR)ErrorStrings, OptionOk, &ErrorResponse ); if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } } return STATUS_DLL_NOT_FOUND; } } else { KnownDll = TRUE; } ViewBase = NULL; ViewSize = 0; #if DBG LdrpSectionMaps++; if (LdrpDisplayLoadTime) { NtQueryPerformanceCounter(&MapBeginTime, NULL); } #endif // // arrange for debugger to pick up the image name // ArbitraryUserPointer = Teb->NtTib.ArbitraryUserPointer; Teb->NtTib.ArbitraryUserPointer = (PVOID)FullDllName.Buffer; st = NtMapViewOfSection( Section, NtCurrentProcess(), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare, 0L, PAGE_READWRITE ); Teb->NtTib.ArbitraryUserPointer = ArbitraryUserPointer; if (!NT_SUCCESS(st)) { NtClose(Section); return st; } NtHeaders = RtlImageNtHeader(ViewBase); if ( !NtHeaders ) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return STATUS_INVALID_IMAGE_FORMAT; } #if DBG if (LdrpDisplayLoadTime) { NtQueryPerformanceCounter(&MapEndTime, NULL); MapElapsedTime.QuadPart = MapEndTime.QuadPart - MapBeginTime.QuadPart; DbgPrint("Map View of Section Time %ld %ws\n", MapElapsedTime.LowPart, DllName ); } #endif #if defined (BUILD_WOW6432) if (NtHeaders->OptionalHeader.SectionAlignment < NATIVE_PAGE_SIZE && !NT_SUCCESS(LdrpWx86FormatVirtualImage((PIMAGE_NT_HEADERS32)NtHeaders, ViewBase))) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return st; } #elif defined (_ALPHA_) && defined (WX86) if ((NtHeaders->OptionalHeader.SectionAlignment < PAGE_SIZE) && !NT_SUCCESS(LdrpWx86FormatVirtualImage((PIMAGE_NT_HEADERS32)NtHeaders, ViewBase))) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return STATUS_INVALID_IMAGE_FORMAT; } if (st == STATUS_IMAGE_MACHINE_TYPE_MISMATCH && !StaticLink) { // Attempt to find a plugin provider dll that can thunk this interface // temporarily insert the image in the loaded-module-list Entry = LdrpAllocateDataTableEntry(ViewBase); if (!Entry) { return STATUS_NO_MEMORY; } Entry->Flags = 0; Entry->LoadCount = 0; Entry->FullDllName = FullDllName; Entry->BaseDllName = BaseDllName; Entry->EntryPoint = LdrpFetchAddressOfEntryPoint(Entry->DllBase); LdrpInsertMemoryTableEntry(Entry); // Determine if this dll can be thunked using a plugin st = Wx86IdentifyPlugin(ViewBase, &FullDllName ); // remove the image from the loaded-module-list RemoveEntryList(&Entry->InLoadOrderLinks); RemoveEntryList(&Entry->InMemoryOrderLinks); RemoveEntryList(&Entry->HashLinks); RtlFreeHeap(RtlProcessHeap(), 0, Entry); Entry = NULL; if (st == STATUS_SUCCESS) { // Release the previous mapping because it's going to // be reloaded via Wx86. NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); ViewBase = NULL; // The plugin providers must be statically bound to Wx86 // or dynamically load it in their DllInit. if (Wx86ProcessInit) { // Load the dll again using Wx86. st = LdrpWx86MapDll(NULL, DllCharacteristics, !Wx86KnownDll, // swap sense so we don't get mismatch StaticLink, &FullDllName, &Entry, &ViewSize, &Section ); // Load and thunk the plugin dll if (NT_SUCCESS(st)) { ViewBase = Entry->DllBase; FullDllName = Entry->FullDllName; BaseDllName = Entry->BaseDllName; NtHeaders = RtlImageNtHeader(ViewBase); } } if (!Wx86ProcessInit || NT_ERROR(st)) { Wx86UnloadProviders(ViewBase); st = STATUS_IMAGE_MACHINE_TYPE_MISMATCH; } } // Need to save the status here to put in loader ENTRY after it's allocated. Wx86Plugin = (st == STATUS_SUCCESS); if (ShowSnaps) { PCHAR Action; if (st == STATUS_SUCCESS) { Action = "Loaded"; } else if (st == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) { Action = "Unsupported"; } else { Action = "Failed"; } DbgPrint("LDRWx86: Plugin: %wZ %s.\n", &FullDllName, Action ); } } if (!NT_SUCCESS(st) || (ViewBase == NULL)) { if (ViewBase) NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return st; } else if (Entry) { goto Wx86MapComplete; } #endif // // Allocate a data table entry. // Entry = LdrpAllocateDataTableEntry(ViewBase); if (!Entry) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return STATUS_NO_MEMORY; } Entry->Flags = (USHORT)(StaticLink ? LDRP_STATIC_LINK : 0); Entry->LoadCount = 0; Entry->FullDllName = FullDllName; Entry->BaseDllName = BaseDllName; Entry->EntryPoint = LdrpFetchAddressOfEntryPoint(Entry->DllBase); #ifdef WX86 Wx86MapComplete: if (Wx86Plugin) { Entry->Flags |= LDRP_WX86_PLUGIN; } #endif #if LDRDBG if (ShowSnaps) { DbgPrint("LDR: LdrpMapDll: Full Name %wZ, Base Name %wZ\n", &FullDllName, &BaseDllName ); } #endif LdrpInsertMemoryTableEntry(Entry); if ( st == STATUS_IMAGE_MACHINE_TYPE_MISMATCH ) { PIMAGE_NT_HEADERS ImageHeader = RtlImageNtHeader( NtCurrentPeb()->ImageBaseAddress ); // // apps compiled for NT 3.x and below can load cross architecture // images // ErrorStatus = STATUS_SUCCESS; ErrorResponse = ResponseCancel; if ( ImageHeader->OptionalHeader.MajorSubsystemVersion <= 3 ) { Entry->EntryPoint = 0; // // Hard Error Time // // // Its error time... // ErrorParameters[0] = (ULONG_PTR)&FullDllName; ErrorStatus = NtRaiseHardError( STATUS_IMAGE_MACHINE_TYPE_MISMATCH, 1, 1, ErrorParameters, OptionOkCancel, &ErrorResponse ); } if ( NT_SUCCESS(ErrorStatus) && ErrorResponse == ResponseCancel ) { RemoveEntryList(&Entry->InLoadOrderLinks); RemoveEntryList(&Entry->InMemoryOrderLinks); RemoveEntryList(&Entry->HashLinks); RtlFreeHeap(RtlProcessHeap(), 0, Entry ); NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); if ( ImageHeader->OptionalHeader.MajorSubsystemVersion <= 3 ) { if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } } return STATUS_INVALID_IMAGE_FORMAT; } } else { if (NtHeaders->FileHeader.Characteristics & IMAGE_FILE_DLL) { Entry->Flags |= LDRP_IMAGE_DLL; } if (!(Entry->Flags & LDRP_IMAGE_DLL)) { Entry->EntryPoint = 0; } } *LdrDataTableEntry = Entry; if (st == STATUS_IMAGE_NOT_AT_BASE) { Entry->Flags |= LDRP_IMAGE_NOT_AT_BASE; // // now find the colliding dll. If we can not find a dll, // then the colliding dll must be dynamic memory // ImageBase = (PUCHAR)NtHeaders->OptionalHeader.ImageBase; ImageBounds = ImageBase + ViewSize; CollidingDllFound = FALSE; ScanHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; ScanNext = ScanHead->Flink; while ( ScanNext != ScanHead ) { ScanEntry = CONTAINING_RECORD(ScanNext, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); ScanNext = ScanNext->Flink; ScanBase = (PUCHAR)ScanEntry->DllBase; ScanTop = ScanBase + ScanEntry->SizeOfImage; // // when we unload, the memory order links flink field is nulled. // this is used to skip the entry pending list removal. // if ( !ScanEntry->InMemoryOrderLinks.Flink ) { continue; } // // See if the base address of the scan image is within the relocating dll // or if the top address of the scan image is within the relocating dll // if ( (ImageBase >= ScanBase && ImageBase <= ScanTop) || (ImageBounds >= ScanBase && ImageBounds <= ScanTop) || (ScanBase >= ImageBase && ScanBase <= ImageBounds) ){ CollidingDllFound = TRUE; CollidingDll = ScanEntry->FullDllName; break; } } if ( !CollidingDllFound ) { RtlInitUnicodeString(&CollidingDll,L"Dynamically Allocated Memory"); } #if DBG if ( BeginTime.LowPart || BeginTime.HighPart ) { DbgPrint("\nLDR: LdrpMapDll Relocateing Image Name %ws\n", DllName ); } LdrpSectionRelocates++; #endif if (Entry->Flags & LDRP_IMAGE_DLL) { BOOLEAN AllowRelocation; UNICODE_STRING SystemDll; if (!(NtHeaders->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)) { PVOID pBaseRelocs; ULONG BaseRelocCountBytes = 0; // // If the iamge doesn't have the reloc stripped bit set and there's no // relocs in the data directory, allow this through. This is probably // a pure forwarder dll or data w/o relocs. // pBaseRelocs = RtlImageDirectoryEntryToData( ViewBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &BaseRelocCountBytes); if (!pBaseRelocs && !BaseRelocCountBytes) { goto NoRelocNeeded; } } // // decide whether or not to allow the relocation // certain system dll's like user32 and kernel32 are not relocatable // since addresses within these dll's are not always stored per process // do not allow these dll's to be relocated // AllowRelocation = TRUE; RtlInitUnicodeString(&SystemDll,L"user32.dll"); if ( RtlEqualUnicodeString(&BaseDllName,&SystemDll,TRUE) ) { AllowRelocation = FALSE; } else { RtlInitUnicodeString(&SystemDll,L"kernel32.dll"); if ( RtlEqualUnicodeString(&BaseDllName,&SystemDll,TRUE) ) { AllowRelocation = FALSE; } } if ( !AllowRelocation && KnownDll ) { // // totally disallow the relocation since this is a knowndll // that matches our system binaries and is being relocated // // // Hard Error Time // ErrorParameters[0] = (ULONG_PTR)&SystemDll; ErrorParameters[1] = (ULONG_PTR)&CollidingDll; NtRaiseHardError( STATUS_ILLEGAL_DLL_RELOCATION, 2, 3, ErrorParameters, OptionOk, &ErrorResponse ); if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } st = STATUS_CONFLICTING_ADDRESSES; goto skipreloc; } st = LdrpSetProtection(ViewBase, FALSE, StaticLink ); if (NT_SUCCESS(st)) { st = (NTSTATUS)LdrRelocateImage(ViewBase, "LDR", (ULONG)STATUS_SUCCESS, (ULONG)STATUS_CONFLICTING_ADDRESSES, (ULONG)STATUS_INVALID_IMAGE_FORMAT ); if (NT_SUCCESS(st)) { // // If we did relocations, then map the section again. // this will force the debug event // // // arrange for debugger to pick up the image name // ArbitraryUserPointer = Teb->NtTib.ArbitraryUserPointer; Teb->NtTib.ArbitraryUserPointer = (PVOID)FullDllName.Buffer; NtMapViewOfSection( Section, NtCurrentProcess(), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare, 0L, PAGE_READWRITE ); Teb->NtTib.ArbitraryUserPointer = ArbitraryUserPointer; st = LdrpSetProtection(ViewBase, TRUE, StaticLink); } } skipreloc: // // if the set protection failed, or if the relocation failed, then // remove the partially loaded dll from the lists and clear entry // that it has been freed. // if ( !NT_SUCCESS(st) ) { RemoveEntryList(&Entry->InLoadOrderLinks); RemoveEntryList(&Entry->InMemoryOrderLinks); RemoveEntryList(&Entry->HashLinks); NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); Entry = NULL; } if (ShowSnaps) { DbgPrint("LDR: Fixups %successfully re-applied @ %lx\n", NT_SUCCESS(st) ? "s" : "uns", ViewBase); } } else { NoRelocNeeded: st = STATUS_SUCCESS; // // arrange for debugger to pick up the image name // ArbitraryUserPointer = Teb->NtTib.ArbitraryUserPointer; Teb->NtTib.ArbitraryUserPointer = (PVOID)FullDllName.Buffer; NtMapViewOfSection( Section, NtCurrentProcess(), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare, 0L, PAGE_READWRITE ); Teb->NtTib.ArbitraryUserPointer = ArbitraryUserPointer; if (ShowSnaps) { DbgPrint("LDR: Fixups won't be re-applied to non-Dll @ %lx\n", ViewBase); } } } #if defined (_ALPHA_) // // Find and apply Alpha architecture fixups for this dll // if (Entry->Flags & LDRP_IMAGE_DLL) AlphaFindArchitectureFixups(NtHeaders, ViewBase, StaticLink); #endif #if defined(_X86_) if ( LdrpNumberOfProcessors > 1 && Entry && (Entry->Flags & LDRP_IMAGE_DLL) ) { LdrpValidateImageForMp(Entry); } #endif NtClose(Section); return st; }

USHORT LdrpNameToOrdinal (  IN PSZ  Name, IN ULONG  NumberOfNames, IN PVOID  DllBase, IN PULONG  NameTableBase, IN PUSHORT  NameOrdinalTableBase )

Definition at line 2747 of file ldrsnap.c. References Name, and USHORT. Referenced by LdrpSnapThunk(). { LONG High; LONG Low; LONG Middle; LONG Result; // // Lookup the import name in the name table using a binary search. // Low = 0; High = NumberOfNames - 1; while (High >= Low) { // // Compute the next probe index and compare the import name // with the export name entry. // Middle = (Low + High) >> 1; Result = strcmp(Name, (PCHAR)((ULONG_PTR)DllBase + NameTableBase[Middle])); if (Result < 0) { High = Middle - 1; } else if (Result > 0) { Low = Middle + 1; } else { break; } } // // If the high index is less than the low index, then a matching // table entry was not found. Otherwise, get the ordinal number // from the ordinal table. // if (High < Low) { return (USHORT)-1; } else { return NameOrdinalTableBase[Middle]; } }

BOOLEAN LdrpResolveDllName (  IN PWSTR DllPath  OPTIONAL, IN PWSTR  DllName, OUT PUNICODE_STRING  FullDllName, OUT PUNICODE_STRING  BaseDllName, OUT PHANDLE  DllFile )

Definition at line 3120 of file ldrsnap.c. References DbgPrint, FALSE, LDR_TAG, LdrpDefaultPath, MAKE_TAG, NULL, RtlAllocateHeap, RtlDosSearchPath_U(), RtlFreeHeap, RtlFreeUnicodeString(), ShowSnaps, TEMP_TAG, TRUE, and USHORT. Referenced by LdrpMapDll(). : This function computes the DLL pathname and base dll name (the unqualified, extensionless portion of the file name) for the specified DLL. Arguments: DllPath - Supplies the DLL search path. DllName - Supplies the name of the DLL. FullDllName - Returns the fully qualified pathname of the DLL. The Buffer field of this string is dynamically allocated from the processes heap. BaseDLLName - Returns the base dll name of the dll. The base name is the file name portion of the dll path without the trailing extension. The Buffer field of this string is dynamically allocated from the processes heap. DllFile - Returns an open handle to the DLL file. This parameter may still be NULL even upon success. Return Value: TRUE - The operation was successful. A DLL file was found, and the FullDllName->Buffer & BaseDllName->Buffer field points to the base of process heap allocated memory. FALSE - The DLL could not be found. --*/ { ULONG Length; PWCH p, pp; PWCH FullBuffer; *DllFile = NULL; FullDllName->Buffer = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( TEMP_TAG ),530+sizeof(UNICODE_NULL)); if (FullDllName->Buffer == NULL) { return FALSE; } Length = RtlDosSearchPath_U( ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer, DllName, NULL, 530, FullDllName->Buffer, &BaseDllName->Buffer ); if ( !Length || Length > 530 ) { if (ShowSnaps) { DbgPrint("LDR: LdrResolveDllName - Unable To Locate "); DbgPrint("%ws from %ws\n", DllName, ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer ); } RtlFreeUnicodeString(FullDllName); return FALSE; } FullDllName->Length = (USHORT)Length; FullDllName->MaximumLength = FullDllName->Length + (USHORT)sizeof(UNICODE_NULL); FullBuffer = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( LDR_TAG ),FullDllName->MaximumLength); if ( FullBuffer ) { RtlCopyMemory(FullBuffer,FullDllName->Buffer,FullDllName->MaximumLength); RtlFreeHeap(RtlProcessHeap(), 0, FullDllName->Buffer); FullDllName->Buffer = FullBuffer; } else { return FALSE; } // // Compute Length of base dll name // pp = UNICODE_NULL; p = FullDllName->Buffer; while (*p) { if (*p++ == (WCHAR)'\\') { pp = p; } } p = pp ? pp : DllName; pp = p; while (*p) { ++p; } BaseDllName->Length = (USHORT)((ULONG_PTR)p - (ULONG_PTR)pp); BaseDllName->MaximumLength = BaseDllName->Length + (USHORT)sizeof(UNICODE_NULL); BaseDllName->Buffer = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( LDR_TAG ), BaseDllName->MaximumLength); if ( BaseDllName->Buffer ) { RtlMoveMemory(BaseDllName->Buffer, pp, BaseDllName->Length ); BaseDllName->Buffer[BaseDllName->Length >> 1] = UNICODE_NULL; } else { RtlFreeHeap(RtlProcessHeap(), 0, FullBuffer); return FALSE; } return TRUE; }

NTSTATUS LdrpRunInitializeRoutines (  IN PCONTEXT Context  OPTIONAL  )

Definition at line 652 of file ldrsnap.c. References DbgPrint, L, LdrpCallInitRoutine, LdrpCallTlsInitializers(), LdrpClearLoadInProgress(), LdrpImageHasTls, LdrQueryImageFileExecutionOptions(), MAKE_TAG, NT_SUCCESS, NTSTATUS(), NULL, RtlAllocateHeap, RtlFreeHeap, RtlImageNtHeader(), ShowSnaps, Status, TEMP_TAG, and TRUE. Referenced by LdrpGetProcedureAddress(), LdrpInitializeProcess(), and LdrpLoadDll(). { PLIST_ENTRY Head, Next; PLDR_DATA_TABLE_ENTRY LdrDataTableEntry; PLDR_DATA_TABLE_ENTRY *LdrDataTableBase; PDLL_INIT_ROUTINE InitRoutine; BOOLEAN InitStatus; ULONG NumberOfRoutines; ULONG i; NTSTATUS Status; ULONG BreakOnDllLoad; // // Run the Init routines // // // capture the entries that have init routines // NumberOfRoutines = LdrpClearLoadInProgress(); if ( NumberOfRoutines ) { LdrDataTableBase = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( TEMP_TAG ),NumberOfRoutines*sizeof(LdrDataTableBase)); if ( !LdrDataTableBase ) { return STATUS_NO_MEMORY; } } else { LdrDataTableBase = NULL; } Head = &NtCurrentPeb()->Ldr->InInitializationOrderModuleList; Next = Head->Flink; if (ShowSnaps) { DbgPrint("LDR: Real INIT LIST\n"); } i = 0; while ( Next != Head ) { LdrDataTableEntry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks); #if defined (WX86) if (Wx86ProcessInit && !(LdrDataTableEntry->Flags & LDRP_ENTRY_PROCESSED)) { PIMAGE_NT_HEADERS NtHeaders; NtHeaders = RtlImageNtHeader(LdrDataTableEntry->DllBase); if (NtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) { LdrpWx86DllMapNotify(LdrDataTableEntry->DllBase, TRUE); } } #endif if ( !(LdrDataTableEntry->Flags & LDRP_ENTRY_PROCESSED) && LdrDataTableEntry->EntryPoint) { LdrDataTableBase[i] = LdrDataTableEntry; if (ShowSnaps) { DbgPrint(" %wZ init routine %x\n", &LdrDataTableEntry->FullDllName, LdrDataTableEntry->EntryPoint ); } i++; } LdrDataTableEntry->Flags |= LDRP_ENTRY_PROCESSED; Next = Next->Flink; } if ( !LdrDataTableBase ) { return STATUS_SUCCESS; } try { i = 0; while ( i < NumberOfRoutines ) { LdrDataTableEntry = LdrDataTableBase[i]; i++; InitRoutine = (PDLL_INIT_ROUTINE)LdrDataTableEntry->EntryPoint; // // Walk through the entire list looking for un-processed // entries. For each entry, set the processed flag // and optionally call it's init routine // BreakOnDllLoad = 0; #if DBG if (TRUE) { #else if (NtCurrentPeb()->BeingDebugged || NtCurrentPeb()->ReadImageFileExecOptions) { #endif Status = LdrQueryImageFileExecutionOptions( &LdrDataTableEntry->BaseDllName, L"BreakOnDllLoad", REG_DWORD, &BreakOnDllLoad, sizeof( BreakOnDllLoad ), NULL ); if (!NT_SUCCESS( Status )) { BreakOnDllLoad = 0; } } if (BreakOnDllLoad) { if (ShowSnaps) { DbgPrint( "LDR: %wZ loaded.", &LdrDataTableEntry->BaseDllName ); DbgPrint( " - About to call init routine at %lx\n", InitRoutine ); } DbgBreakPoint(); } else if (ShowSnaps) { if ( InitRoutine ) { DbgPrint( "LDR: %wZ loaded.", &LdrDataTableEntry->BaseDllName ); DbgPrint(" - Calling init routine at %lx\n", InitRoutine); } } if ( InitRoutine ) { // // If the DLL has TLS data, then call the optional initializers // if ( LdrDataTableEntry->TlsIndex && Context) { LdrpCallTlsInitializers(LdrDataTableEntry->DllBase,DLL_PROCESS_ATTACH); } #if defined (WX86) if (!Wx86ProcessInit || LdrpRunWx86DllEntryPoint(InitRoutine, &InitStatus, LdrDataTableEntry->DllBase, DLL_PROCESS_ATTACH, Context ) == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) { InitStatus = LdrpCallInitRoutine(InitRoutine, LdrDataTableEntry->DllBase, DLL_PROCESS_ATTACH, Context ); } #else InitStatus = LdrpCallInitRoutine(InitRoutine, LdrDataTableEntry->DllBase, DLL_PROCESS_ATTACH, Context ); #endif LdrDataTableEntry->Flags |= LDRP_PROCESS_ATTACH_CALLED; if ( !InitStatus ) { return STATUS_DLL_INIT_FAILED; } } } // // If the image has tls than call its initializers // if ( LdrpImageHasTls && Context ) { LdrpCallTlsInitializers(NtCurrentPeb()->ImageBaseAddress,DLL_PROCESS_ATTACH); } } finally { RtlFreeHeap(RtlProcessHeap(),0,LdrDataTableBase); } return STATUS_SUCCESS; }

NTSTATUS LdrpSetProtection (  IN PVOID  Base, IN BOOLEAN  Reset, IN BOOLEAN  StaticLink )

Definition at line 3417 of file ldrsnap.c. References NT_SUCCESS, NtFlushInstructionCache(), NtProtectVirtualMemory(), NTSTATUS(), NULL, PAGE_SIZE, and RtlImageNtHeader(). Referenced by LdrpInitializeProcess(), and LdrpMapDll(). : This function loops thru the images sections/objects, setting all sections/objects marked r/o to r/w. It also resets the original section/object protections. Arguments: Base - Base of image. Reset - If TRUE, reset section/object protection to original protection described by the section/object headers. If FALSE, then set all sections/objects to r/w. StaticLink - TRUE if this is a static link. Return Value: SUCCESS or reason NtProtectVirtualMemory failed. --*/ { HANDLE CurrentProcessHandle; SIZE_T RegionSize; ULONG NewProtect, OldProtect; PVOID VirtualAddress; ULONG i; PLDR_DATA_TABLE_ENTRY LdrDataTableEntry; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_SECTION_HEADER SectionHeader; NTSTATUS st; CurrentProcessHandle = NtCurrentProcess(); NtHeaders = RtlImageNtHeader(Base); #if defined (_ALPHA_) if (NtHeaders->OptionalHeader.SectionAlignment < PAGE_SIZE) { // // if SectionAlignment < PAGE_SIZE the entire image is // exec-copy on write, so we have nothing to do. // return STATUS_SUCCESS; } #endif SectionHeader = (PIMAGE_SECTION_HEADER)((ULONG_PTR)NtHeaders + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + NtHeaders->FileHeader.SizeOfOptionalHeader ); for (i=0; i<NtHeaders->FileHeader.NumberOfSections; i++) { if (!(SectionHeader->Characteristics & IMAGE_SCN_MEM_WRITE) && (SectionHeader->SizeOfRawData)) { // // Object isn't writeable and has a non-zero on disk size, change it. // if (Reset) { if (SectionHeader->Characteristics & IMAGE_SCN_MEM_EXECUTE) { NewProtect = PAGE_EXECUTE; } else { NewProtect = PAGE_READONLY; } NewProtect |= (SectionHeader->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) ? PAGE_NOCACHE : 0; } else { NewProtect = PAGE_READWRITE; } VirtualAddress = (PVOID)((ULONG_PTR)Base + SectionHeader->VirtualAddress); RegionSize = SectionHeader->SizeOfRawData; if (RegionSize != 0) { st = NtProtectVirtualMemory(CurrentProcessHandle, &VirtualAddress, &RegionSize, NewProtect, &OldProtect); if (!NT_SUCCESS(st)) { return st; } } } ++SectionHeader; } if (Reset) { NtFlushInstructionCache(NtCurrentProcess(), NULL, 0); } return STATUS_SUCCESS; }

NTSTATUS LdrpSnapIAT (  IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry_Export, IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry_Import, IN PIMAGE_IMPORT_DESCRIPTOR  ImportDescriptor, IN BOOLEAN  SnapForwardersOnly )

Definition at line 2258 of file ldrsnap.c. References EXCEPTION_EXECUTE_HANDLER, LdrpSnapThunk(), NT_SUCCESS, NtFlushInstructionCache(), NtProtectVirtualMemory(), NTSTATUS(), NULL, RtlImageDirectoryEntryToData(), RtlImageNtHeader(), and TRUE. Referenced by LdrpWalkImportDescriptor(). : This function snaps the Import Address Table for this Import Descriptor. Arguments: LdrDataTableEntry_Export - Information about the image to import from. LdrDataTableEntry_Import - Information about the image to import to. ImportDescriptor - Contains a pointer to the IAT to snap. SnapForwardersOnly - TRUE if just snapping forwarders only. Return Value: Status value --*/ { PPEB Peb; NTSTATUS st; ULONG ExportSize; PIMAGE_EXPORT_DIRECTORY ExportDirectory; PIMAGE_THUNK_DATA Thunk, OriginalThunk; PSZ ImportName; ULONG ForwarderChain; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_SECTION_HEADER NtSection; ULONG i, Rva; PVOID IATBase; SIZE_T IATSize; ULONG LittleIATSize; ULONG OldProtect; Peb = NtCurrentPeb(); ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData( LdrDataTableEntry_Export->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &ExportSize ); if (!ExportDirectory) { KdPrint(("LDR: %wZ doesn't contain an EXPORT table\n", &LdrDataTableEntry_Export->BaseDllName)); return STATUS_INVALID_IMAGE_FORMAT; } // // Determine the location and size of the IAT. If the linker did // not tell use explicitly, then use the location and size of the // image section that contains the import table. // IATBase = RtlImageDirectoryEntryToData( LdrDataTableEntry_Import->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &LittleIATSize ); IATSize = LittleIATSize; if (IATBase == NULL) { NtHeaders = RtlImageNtHeader( LdrDataTableEntry_Import->DllBase ); NtSection = IMAGE_FIRST_SECTION( NtHeaders ); Rva = NtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ].VirtualAddress; if (Rva != 0) { for (i=0; i<NtHeaders->FileHeader.NumberOfSections; i++) { if (Rva >= NtSection->VirtualAddress && Rva < (NtSection->VirtualAddress + NtSection->SizeOfRawData) ) { IATBase = (PVOID) ((ULONG_PTR)(LdrDataTableEntry_Import->DllBase) + NtSection->VirtualAddress); LittleIATSize = NtSection->Misc.VirtualSize; if (LittleIATSize == 0) { LittleIATSize = NtSection->SizeOfRawData; } break; } ++NtSection; } } if (IATBase == NULL) { KdPrint(( "LDR: Unable to unprotect IAT for %wZ (Image Base %x)\n", &LdrDataTableEntry_Import->BaseDllName, LdrDataTableEntry_Import->DllBase )); return STATUS_INVALID_IMAGE_FORMAT; } IATSize = LittleIATSize; } st = NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &IATSize, PAGE_READWRITE, &OldProtect ); if (!NT_SUCCESS(st)) { KdPrint(( "LDR: Unable to unprotect IAT for %wZ (Status %x)\n", &LdrDataTableEntry_Import->BaseDllName, st )); return st; } // // If just snapping forwarded entries, walk that list // if (SnapForwardersOnly) { ImportName = (PSZ)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->Name); ForwarderChain = ImportDescriptor->ForwarderChain; while (ForwarderChain != -1) { OriginalThunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->OriginalFirstThunk + (ForwarderChain * sizeof(IMAGE_THUNK_DATA))); Thunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->FirstThunk + (ForwarderChain * sizeof(IMAGE_THUNK_DATA))); ForwarderChain = (ULONG) Thunk->u1.Ordinal; try { st = LdrpSnapThunk(LdrDataTableEntry_Export->DllBase, LdrDataTableEntry_Import->DllBase, OriginalThunk, Thunk, ExportDirectory, ExportSize, TRUE, ImportName ); Thunk++; } except (EXCEPTION_EXECUTE_HANDLER) { st = GetExceptionCode(); } if (!NT_SUCCESS(st) ) { break; } } } else // // Otherwise, walk through the IAT and snap all the thunks. // if ( ImportDescriptor->FirstThunk ) { Thunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->FirstThunk); NtHeaders = RtlImageNtHeader( LdrDataTableEntry_Import->DllBase ); // // If the OriginalFirstThunk field does not point inside the image, then ignore // it. This is will detect bogus Borland Linker 2.25 images that did not fill // this field in. // if (ImportDescriptor->Characteristics < NtHeaders->OptionalHeader.SizeOfHeaders || ImportDescriptor->Characteristics >= NtHeaders->OptionalHeader.SizeOfImage ) { OriginalThunk = Thunk; } else { OriginalThunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->OriginalFirstThunk); } ImportName = (PSZ)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->Name); while (OriginalThunk->u1.AddressOfData) { try { st = LdrpSnapThunk(LdrDataTableEntry_Export->DllBase, LdrDataTableEntry_Import->DllBase, OriginalThunk, Thunk, ExportDirectory, ExportSize, TRUE, ImportName ); OriginalThunk++; Thunk++; } except (EXCEPTION_EXECUTE_HANDLER) { st = GetExceptionCode(); } if (!NT_SUCCESS(st) ) { break; } } } // // Restore protection for IAT and flush instruction cache. // NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &IATSize, OldProtect, &OldProtect ); NtFlushInstructionCache( NtCurrentProcess(), IATBase, LittleIATSize ); return st; }

NTSTATUS LdrpSnapThunk (  IN PVOID  DllBase, IN PVOID  ImageBase, IN PIMAGE_THUNK_DATA  OriginalThunk, IN OUT PIMAGE_THUNK_DATA  Thunk, IN PIMAGE_EXPORT_DIRECTORY  ExportDirectory, IN ULONG  ExportSize, IN BOOLEAN  StaticSnap, IN PSZ  DllName )

Definition at line 2476 of file ldrsnap.c. References DbgPrint, FALSE, LDRP_BAD_DLL, LdrpFatalHardErrorCount, LdrpGetProcedureAddress(), LdrpInLdrInit, LdrpLoadDll(), LdrpNameToOrdinal(), NT_SUCCESS, NtRaiseHardError(), NTSTATUS(), NULL, PAGE_SIZE, PUSHORT, RtlAnsiStringToUnicodeString(), RtlCharToInteger(), RtlFreeUnicodeString(), RtlImageNtHeader(), RtlInitAnsiString(), RtlRaiseStatus(), ShowSnaps, TRUE, and USHORT. Referenced by LdrpGetProcedureAddress(), and LdrpSnapIAT(). : This function snaps a thunk using the specified Export Section data. If the section data does not support the thunk, then the thunk is partially snapped (Dll field is still non-null, but snap address is set). Arguments: DllBase - Base of Dll. ImageBase - Base of image that contains the thunks to snap. Thunk - On input, supplies the thunk to snap. When successfully snapped, the function field is set to point to the address in the DLL, and the DLL field is set to NULL. ExportDirectory - Supplies the Export Section data from a DLL. StaticSnap - If TRUE, then loader is attempting a static snap, and any ordinal/name lookup failure will be reported. Return Value: STATUS_SUCCESS or STATUS_PROCEDURE_NOT_FOUND --*/ { BOOLEAN Ordinal; USHORT OrdinalNumber; ULONG OriginalOrdinalNumber; PIMAGE_IMPORT_BY_NAME AddressOfData; PULONG NameTableBase; PUSHORT NameOrdinalTableBase; PULONG Addr; USHORT HintIndex; NTSTATUS st; PSZ ImportString; // // Determine if snap is by name, or by ordinal // Ordinal = (BOOLEAN)IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Ordinal); if (Ordinal) { OriginalOrdinalNumber = (ULONG)IMAGE_ORDINAL(OriginalThunk->u1.Ordinal); OrdinalNumber = (USHORT)(OriginalOrdinalNumber - ExportDirectory->Base); } else { // // Change AddressOfData from an RVA to a VA. // AddressOfData = (PIMAGE_IMPORT_BY_NAME)((ULONG_PTR)ImageBase + ((ULONG_PTR)OriginalThunk->u1.AddressOfData & 0xffffffff)); ImportString = (PSZ)AddressOfData->Name; // // Lookup Name in NameTable // NameTableBase = (PULONG)((ULONG_PTR)DllBase + (ULONG)ExportDirectory->AddressOfNames); NameOrdinalTableBase = (PUSHORT)((ULONG_PTR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals); // // Before dropping into binary search, see if // the hint index results in a successful // match. If the hint index is zero, then // drop into binary search. // HintIndex = AddressOfData->Hint; if ((ULONG)HintIndex < ExportDirectory->NumberOfNames && !strcmp(ImportString, (PSZ)((ULONG_PTR)DllBase + NameTableBase[HintIndex]))) { OrdinalNumber = NameOrdinalTableBase[HintIndex]; #if LDRDBG if (ShowSnaps) { DbgPrint("LDR: Snapping %s\n", ImportString); } #endif } else { #if LDRDBG if (HintIndex) { DbgPrint("LDR: Warning HintIndex Failure. Name %s (%lx) Hint 0x%lx\n", ImportString, (ULONG)ImportString, (ULONG)HintIndex ); } #endif OrdinalNumber = LdrpNameToOrdinal( ImportString, ExportDirectory->NumberOfNames, DllBase, NameTableBase, NameOrdinalTableBase ); } } // // If OrdinalNumber is not within the Export Address Table, // then DLL does not implement function. Snap to LDRP_BAD_DLL. // if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions) { baddllref: #if DBG if (StaticSnap) { if (Ordinal) { DbgPrint("LDR: Can't locate ordinal 0x%lx\n", OriginalOrdinalNumber); } else { DbgPrint("LDR: Can't locate %s\n", ImportString); } } #endif if ( StaticSnap ) { // // Hard Error Time // ULONG_PTR ErrorParameters[3]; UNICODE_STRING ErrorDllName, ErrorEntryPointName; ANSI_STRING AnsiScratch; ULONG ParameterStringMask; ULONG ErrorResponse; RtlInitAnsiString(&AnsiScratch,DllName ? DllName : "Unknown"); RtlAnsiStringToUnicodeString(&ErrorDllName,&AnsiScratch,TRUE); ErrorParameters[1] = (ULONG_PTR)&ErrorDllName; ParameterStringMask = 2; if ( Ordinal ) { ErrorParameters[0] = OriginalOrdinalNumber; } else { RtlInitAnsiString(&AnsiScratch,ImportString); RtlAnsiStringToUnicodeString(&ErrorEntryPointName,&AnsiScratch,TRUE); ErrorParameters[0] = (ULONG_PTR)&ErrorEntryPointName; ParameterStringMask = 3; } NtRaiseHardError( Ordinal ? STATUS_ORDINAL_NOT_FOUND : STATUS_ENTRYPOINT_NOT_FOUND, 2, ParameterStringMask, ErrorParameters, OptionOk, &ErrorResponse ); if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } RtlFreeUnicodeString(&ErrorDllName); if ( !Ordinal ) { RtlFreeUnicodeString(&ErrorEntryPointName); RtlRaiseStatus(STATUS_ENTRYPOINT_NOT_FOUND); } RtlRaiseStatus(STATUS_ORDINAL_NOT_FOUND); } Thunk->u1.Function = (ULONG_PTR)LDRP_BAD_DLL; st = Ordinal ? STATUS_ORDINAL_NOT_FOUND : STATUS_ENTRYPOINT_NOT_FOUND; } else { Addr = (PULONG)((ULONG_PTR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions); Thunk->u1.Function = ((ULONG_PTR)DllBase + Addr[OrdinalNumber]); if (Thunk->u1.Function > (ULONG_PTR)ExportDirectory && Thunk->u1.Function < ((ULONG_PTR)ExportDirectory + ExportSize) ) { UNICODE_STRING UnicodeString; ANSI_STRING ForwardDllName; PVOID ForwardDllHandle; PUNICODE_STRING ForwardProcName; ULONG ForwardProcOrdinal; ImportString = (PSZ)Thunk->u1.Function; ForwardDllName.Buffer = ImportString, ForwardDllName.Length = (USHORT)(strchr(ImportString, '.') - ImportString); ForwardDllName.MaximumLength = ForwardDllName.Length; st = RtlAnsiStringToUnicodeString(&UnicodeString, &ForwardDllName, TRUE); if (NT_SUCCESS(st)) { #if defined (WX86) if (Wx86ProcessInit) { NtCurrentTeb()->Wx86Thread.UseKnownWx86Dll = RtlImageNtHeader(DllBase)->FileHeader.Machine == IMAGE_FILE_MACHINE_I386; } #endif st = LdrpLoadDll(NULL, NULL, &UnicodeString, &ForwardDllHandle,FALSE); RtlFreeUnicodeString(&UnicodeString); } if (!NT_SUCCESS(st)) { goto baddllref; } RtlInitAnsiString( &ForwardDllName, ImportString + ForwardDllName.Length + 1 ); if (ForwardDllName.Length > 1 && *ForwardDllName.Buffer == '#' ) { ForwardProcName = NULL; st = RtlCharToInteger( ForwardDllName.Buffer+1, 0, &ForwardProcOrdinal ); if (!NT_SUCCESS(st)) { goto baddllref; } } else { ForwardProcName = (PUNICODE_STRING)&ForwardDllName; // // Following line is not needed since this is a by name lookup // // //ForwardProcOrdinal = (ULONG)&ForwardDllName; // } st = LdrpGetProcedureAddress( ForwardDllHandle, (PANSI_STRING )ForwardProcName, ForwardProcOrdinal, &(PVOID)Thunk->u1.Function, FALSE ); if (!NT_SUCCESS(st)) { goto baddllref; } } else { if ( !Addr[OrdinalNumber] ) { goto baddllref; } #if defined (_ALPHA_) && defined (WX86) else { PIMAGE_NT_HEADERS ExportNtHeaders = RtlImageNtHeader(DllBase); if ((ExportNtHeaders->OptionalHeader.SectionAlignment < PAGE_SIZE) && (ExportNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)) { Thunk->u1.Function += LdrpWx86RelocatedFixupDiff(DllBase, Addr[OrdinalNumber]); } } #endif // defined (_ALPHA_) && defined (WX86) } st = STATUS_SUCCESS; } return st; }

VOID LdrpUpdateLoadCount (  IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry, IN BOOLEAN  IncrementCount )

Definition at line 2802 of file ldrsnap.c. References DbgPrint, FALSE, LdrpCheckForLoadedDll(), NT_SUCCESS, NTSTATUS(), NULL, RtlAnsiStringToUnicodeString(), RtlImageDirectoryEntryToData(), RtlImageNtHeader(), RtlInitAnsiString(), ShowSnaps, and TRUE. : This function dereferences a loaded DLL adjusting its reference count. It then dereferences each dll referenced by this dll. Arguments: LdrDataTableEntry - Supplies the address of the DLL to dereference IncrementCount - TRUE if adding one to LoadCount, O.W. subtracting one Return Value: None. --*/ { PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor; PIMAGE_BOUND_IMPORT_DESCRIPTOR NewImportDescriptor; PIMAGE_BOUND_FORWARDER_REF NewImportForwarder; PSZ ImportName, NewImportStringBase; ULONG i, ImportSize, NewImportSize; ANSI_STRING AnsiString; PUNICODE_STRING ImportDescriptorName_U; PLDR_DATA_TABLE_ENTRY Entry; NTSTATUS st; BOOLEAN Wx86KnownDll = FALSE; PIMAGE_THUNK_DATA FirstThunk; if (IncrementCount) if (LdrDataTableEntry->Flags & LDRP_LOAD_IN_PROGRESS) { return; } else { LdrDataTableEntry->Flags |= LDRP_LOAD_IN_PROGRESS; } else if (LdrDataTableEntry->Flags & LDRP_UNLOAD_IN_PROGRESS) { return; } else { LdrDataTableEntry->Flags |= LDRP_UNLOAD_IN_PROGRESS; } // // For each DLL used by this DLL, reference or dereference the DLL. // ImportDescriptorName_U = &NtCurrentTeb()->StaticUnicodeString; #if defined (WX86) if (Wx86ProcessInit) { Wx86KnownDll = RtlImageNtHeader(LdrDataTableEntry->DllBase)->FileHeader.Machine == IMAGE_FILE_MACHINE_I386; } #endif // // See if there is a bound import table. If so, walk that to // determine DLL names to reference or dereference. Avoids touching // the .idata section // NewImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, &NewImportSize ); if (NewImportDescriptor) { if (IncrementCount) { LdrDataTableEntry->Flags |= LDRP_LOAD_IN_PROGRESS; } else { LdrDataTableEntry->Flags |= LDRP_UNLOAD_IN_PROGRESS; } NewImportStringBase = (LPSTR)NewImportDescriptor; while (NewImportDescriptor->OffsetModuleName) { ImportName = NewImportStringBase + NewImportDescriptor->OffsetModuleName; RtlInitAnsiString(&AnsiString, ImportName); st = RtlAnsiStringToUnicodeString(ImportDescriptorName_U, &AnsiString, FALSE); if ( NT_SUCCESS(st) ) { if (LdrpCheckForLoadedDll( NULL, ImportDescriptorName_U, TRUE, Wx86KnownDll, &Entry ) ) { if ( Entry->LoadCount != 0xffff ) { if (IncrementCount) { Entry->LoadCount++; if (ShowSnaps) { DbgPrint("LDR: Refcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } else { Entry->LoadCount--; if (ShowSnaps) { DbgPrint("LDR: Derefcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } } LdrpUpdateLoadCount(Entry, IncrementCount); } } NewImportForwarder = (PIMAGE_BOUND_FORWARDER_REF)(NewImportDescriptor+1); for (i=0; i<NewImportDescriptor->NumberOfModuleForwarderRefs; i++) { ImportName = NewImportStringBase + NewImportForwarder->OffsetModuleName; RtlInitAnsiString(&AnsiString, ImportName); st = RtlAnsiStringToUnicodeString(ImportDescriptorName_U, &AnsiString, FALSE); if ( NT_SUCCESS(st) ) { if (LdrpCheckForLoadedDll( NULL, ImportDescriptorName_U, TRUE, Wx86KnownDll, &Entry ) ) { if ( Entry->LoadCount != 0xffff ) { if (IncrementCount) { Entry->LoadCount++; if (ShowSnaps) { DbgPrint("LDR: Refcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } else { Entry->LoadCount--; if (ShowSnaps) { DbgPrint("LDR: Derefcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } } LdrpUpdateLoadCount(Entry, IncrementCount); } } NewImportForwarder += 1; } NewImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)NewImportForwarder; } return; } ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ImportSize ); if (ImportDescriptor) { while (ImportDescriptor->Name && ImportDescriptor->FirstThunk) { // // Match code in walk that skips references like this. IE3 had // some dll's with these bogus links to url.dll. On load, the url.dll // ref was skipped. On unload, it was not skipped because // this code was missing. // // Since the skip logic is only in the old style import // descriptor path, it is only duplicated here. // // check for import that has no references // FirstThunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry->DllBase + ImportDescriptor->FirstThunk); if ( !FirstThunk->u1.Function ) { goto skipskippedimport; } ImportName = (PSZ)((ULONG_PTR)LdrDataTableEntry->DllBase + ImportDescriptor->Name); RtlInitAnsiString(&AnsiString, ImportName); st = RtlAnsiStringToUnicodeString(ImportDescriptorName_U, &AnsiString, FALSE); if ( NT_SUCCESS(st) ) { if (LdrpCheckForLoadedDll( NULL, ImportDescriptorName_U, TRUE, Wx86KnownDll, &Entry ) ) { if ( Entry->LoadCount != 0xffff ) { if (IncrementCount) { Entry->LoadCount++; if (ShowSnaps) { DbgPrint("LDR: Refcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } else { Entry->LoadCount--; if (ShowSnaps) { DbgPrint("LDR: Derefcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } } LdrpUpdateLoadCount(Entry, IncrementCount); } } skipskippedimport: ++ImportDescriptor; } } }

NTSTATUS LdrpWalkImportDescriptor (  IN PWSTR DllPath  OPTIONAL, IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry )

Referenced by LdrpInitializeProcess(), LdrpLoadDll(), and LdrpLoadImportModule().

PVOID __cdecl RtlpDphDllcalloc (  IN SIZE_T  Number, IN SIZE_T  Size )

Definition at line 4386 of file ldrsnap.c. References ASSERT, BIAS_POINTER, NULL, RtlpDebugPageHeapAllocate(), RtlpDphMsvcrtHeap, and Size. Referenced by LdrpDphSnapImports(). { PVOID Block; ASSERT(RtlpDphMsvcrtHeap != NULL); Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(RtlpDphMsvcrtHeap), 0, Size * Number); RtlZeroMemory (Block, Size * Number); return Block; }

VOID __cdecl RtlpDphDllDelete (  IN PVOID  Address  )

Definition at line 4469 of file ldrsnap.c. References ASSERT, NULL, RtlpDebugPageHeapFree(), and RtlpDphMsvcrtHeap. Referenced by LdrpDphSnapImports(). { ASSERT(RtlpDphMsvcrtHeap != NULL); RtlpDebugPageHeapFree ( RtlpDphMsvcrtHeap, 0, Address); }

VOID __cdecl RtlpDphDllDeleteArray (  IN PVOID  Address  )

Definition at line 4495 of file ldrsnap.c. References ASSERT, NULL, RtlpDebugPageHeapFree(), and RtlpDphMsvcrtHeap. Referenced by LdrpDphSnapImports(). { ASSERT(RtlpDphMsvcrtHeap != NULL); RtlpDebugPageHeapFree ( RtlpDphMsvcrtHeap, 0, Address); }

VOID __cdecl RtlpDphDllfree (  IN PVOID  Address  )

Definition at line 4434 of file ldrsnap.c. References ASSERT, NULL, RtlpDebugPageHeapFree(), and RtlpDphMsvcrtHeap. Referenced by LdrpDphSnapImports(). { ASSERT(RtlpDphMsvcrtHeap != NULL); RtlpDebugPageHeapFree ( RtlpDphMsvcrtHeap, 0, Address); }

PVOID RtlpDphDllGlobalAlloc (  IN ULONG  Flags, IN SIZE_T  Size )

Definition at line 4280 of file ldrsnap.c. References BIAS_POINTER, FUN_GLOBAL_ALLOC, LdrpDphSnapRoutines, LMEM_MOVEABLE, LMEM_ZEROINIT, RtlpDebugPageHeapAllocate(), Size, and SNAP_ROUTINE_GLOBALALLOC. Referenced by LdrpDphSnapImports(). { PVOID Block; FUN_GLOBAL_ALLOC Original; if (!(Flags & LMEM_MOVEABLE)) { Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(RtlProcessHeap()), 0, Size); if ((Flags & LMEM_ZEROINIT)) { RtlZeroMemory (Block, Size); } return Block; } else { Original = (FUN_GLOBAL_ALLOC)(LdrpDphSnapRoutines[SNAP_ROUTINE_GLOBALALLOC]); return (* Original) (Flags, Size); } }

PVOID RtlpDphDllGlobalFree (  IN PVOID  Address  )

Definition at line 4336 of file ldrsnap.c. References BASE_HANDLE_MARK_BIT, FUN_GLOBAL_FREE, LdrpDphSnapRoutines, NULL, RtlpDebugPageHeapFree(), and SNAP_ROUTINE_GLOBALFREE. Referenced by LdrpDphSnapImports(). { BOOLEAN Result; FUN_GLOBAL_FREE Original; if ((ULONG_PTR)Address & BASE_HANDLE_MARK_BIT) { Original = (FUN_GLOBAL_FREE)(LdrpDphSnapRoutines[SNAP_ROUTINE_GLOBALFREE]); return (* Original) (Address); } else { Result = RtlpDebugPageHeapFree ( RtlProcessHeap(), 0, Address); if (Result) { return NULL; } else { return Address; } } }

PVOID RtlpDphDllGlobalReAlloc (  IN PVOID  Address, IN SIZE_T  Size, IN ULONG  Flags )

Definition at line 4309 of file ldrsnap.c. References BIAS_POINTER, FUN_GLOBAL_REALLOC, LdrpDphSnapRoutines, LMEM_MOVEABLE, RtlpDebugPageHeapReAllocate(), Size, and SNAP_ROUTINE_GLOBALREALLOC. Referenced by LdrpDphSnapImports(). { PVOID Block; FUN_GLOBAL_REALLOC Original; if (!(Flags & LMEM_MOVEABLE)) { Block = RtlpDebugPageHeapReAllocate ( BIAS_POINTER(RtlProcessHeap()), 0, Address, Size); return Block; } else { Original = (FUN_GLOBAL_REALLOC)(LdrpDphSnapRoutines[SNAP_ROUTINE_GLOBALREALLOC]); return (* Original) (Address, Size, Flags); } }

PVOID RtlpDphDllHeapAlloc (  IN PVOID  HeapHandle, IN ULONG  Flags, IN SIZE_T  Size )

Definition at line 4100 of file ldrsnap.c. References BIAS_POINTER, HeapHandle, RtlpDebugPageHeapAllocate(), and Size. Referenced by LdrpDphSnapImports(). { return RtlpDebugPageHeapAllocate ( BIAS_POINTER(HeapHandle), Flags, Size); }

PVOID RtlpDphDllHeapCreate (  ULONG  Options, SIZE_T  InitialSize, SIZE_T  MaximumSize )

Definition at line 4519 of file ldrsnap.c. References DbgPrint, FUN_HEAP_CREATE, LdrpDphSnapRoutines, RtlpDphMsvcrtHeap, and SNAP_ROUTINE_HEAPCREATE. Referenced by LdrpDphSnapImports(). { PVOID Heap; FUN_HEAP_CREATE Original; Original = (FUN_HEAP_CREATE)(LdrpDphSnapRoutines[SNAP_ROUTINE_HEAPCREATE]); Heap = (* Original) (Options, InitialSize, MaximumSize); RtlpDphMsvcrtHeap = Heap; DbgPrint ("Page heap: detected CRT heap @ %p \n", RtlpDphMsvcrtHeap); return Heap; }

BOOLEAN RtlpDphDllHeapFree (  IN PVOID  HeapHandle, IN ULONG  Flags, IN PVOID  Address )

Definition at line 4128 of file ldrsnap.c. References HeapHandle, and RtlpDebugPageHeapFree(). Referenced by LdrpDphSnapImports(). { return RtlpDebugPageHeapFree ( HeapHandle, Flags, Address); }

PVOID RtlpDphDllHeapReAlloc (  IN PVOID  HeapHandle, IN ULONG  Flags, IN PVOID  Address, IN SIZE_T  Size )

Definition at line 4113 of file ldrsnap.c. References BIAS_POINTER, HeapHandle, RtlpDebugPageHeapReAllocate(), and Size. Referenced by LdrpDphSnapImports(). { return RtlpDebugPageHeapReAllocate ( BIAS_POINTER(HeapHandle), Flags, Address, Size); }

PVOID RtlpDphDllLocalAlloc (  IN ULONG  Flags, IN SIZE_T  Size )

Definition at line 4195 of file ldrsnap.c. References BIAS_POINTER, FUN_LOCAL_ALLOC, LdrpDphSnapRoutines, LMEM_MOVEABLE, LMEM_ZEROINIT, RtlpDebugPageHeapAllocate(), Size, and SNAP_ROUTINE_LOCALALLOC. Referenced by LdrpDphSnapImports(). { PVOID Block; FUN_LOCAL_ALLOC Original; if (!(Flags & LMEM_MOVEABLE)) { Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(RtlProcessHeap()), 0, Size); if ((Flags & LMEM_ZEROINIT)) { RtlZeroMemory (Block, Size); } return Block; } else { Original = (FUN_LOCAL_ALLOC)(LdrpDphSnapRoutines[SNAP_ROUTINE_LOCALALLOC]); return (* Original) (Flags, Size); } }

PVOID RtlpDphDllLocalFree (  IN PVOID  Address  )

Definition at line 4251 of file ldrsnap.c. References BASE_HANDLE_MARK_BIT, FUN_LOCAL_FREE, LdrpDphSnapRoutines, NULL, RtlpDebugPageHeapFree(), and SNAP_ROUTINE_LOCALFREE. Referenced by LdrpDphSnapImports(). { BOOLEAN Result; FUN_LOCAL_FREE Original; if ((ULONG_PTR)Address & BASE_HANDLE_MARK_BIT) { Original = (FUN_LOCAL_FREE)(LdrpDphSnapRoutines[SNAP_ROUTINE_LOCALFREE]); return (* Original) (Address); } else { Result = RtlpDebugPageHeapFree ( RtlProcessHeap(), 0, Address); if (Result) { return NULL; } else { return Address; } } }

PVOID RtlpDphDllLocalReAlloc (  IN PVOID  Address, IN SIZE_T  Size, IN ULONG  Flags )

Definition at line 4224 of file ldrsnap.c. References BIAS_POINTER, FUN_LOCAL_REALLOC, LdrpDphSnapRoutines, LMEM_MOVEABLE, RtlpDebugPageHeapReAllocate(), Size, and SNAP_ROUTINE_LOCALREALLOC. Referenced by LdrpDphSnapImports(). { PVOID Block; FUN_LOCAL_REALLOC Original; if (!(Flags & LMEM_MOVEABLE)) { Block = RtlpDebugPageHeapReAllocate ( BIAS_POINTER(RtlProcessHeap()), 0, Address, Size); return Block; } else { Original = (FUN_LOCAL_REALLOC)(LdrpDphSnapRoutines[SNAP_ROUTINE_LOCALREALLOC]); return (* Original) (Address, Size, Flags); } }

PVOID __cdecl RtlpDphDllmalloc (  IN SIZE_T  Size  )

Definition at line 4369 of file ldrsnap.c. References ASSERT, BIAS_POINTER, NULL, RtlpDebugPageHeapAllocate(), RtlpDphMsvcrtHeap, and Size. Referenced by LdrpDphSnapImports(). { PVOID Block; ASSERT(RtlpDphMsvcrtHeap != NULL); Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(RtlpDphMsvcrtHeap), 0, Size); return Block; }

PVOID __cdecl RtlpDphDllNew (  IN SIZE_T  Size  )

Definition at line 4452 of file ldrsnap.c. References ASSERT, BIAS_POINTER, NULL, RtlpDebugPageHeapAllocate(), RtlpDphMsvcrtHeap, and Size. Referenced by LdrpDphSnapImports(). { PVOID Block; ASSERT(RtlpDphMsvcrtHeap != NULL); Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(RtlpDphMsvcrtHeap), 0, Size); return Block; }

PVOID __cdecl RtlpDphDllNewArray (  IN SIZE_T  Size  )

Definition at line 4482 of file ldrsnap.c. References ASSERT, BIAS_POINTER, NULL, RtlpDebugPageHeapAllocate(), RtlpDphMsvcrtHeap, and Size. Referenced by LdrpDphSnapImports(). { ASSERT(RtlpDphMsvcrtHeap != NULL); return RtlpDebugPageHeapAllocate ( BIAS_POINTER(RtlpDphMsvcrtHeap), 0, Size); }

PVOID __cdecl RtlpDphDllrealloc (  IN PVOID  Address, IN SIZE_T  Size )

Definition at line 4405 of file ldrsnap.c. References ASSERT, BIAS_POINTER, NULL, RtlpDebugPageHeapAllocate(), RtlpDebugPageHeapReAllocate(), RtlpDphMsvcrtHeap, and Size. Referenced by LdrpDphSnapImports(). { PVOID Block; ASSERT(RtlpDphMsvcrtHeap != NULL); if (Address == NULL) { Block = RtlpDebugPageHeapAllocate ( BIAS_POINTER(RtlpDphMsvcrtHeap), 0, Size); } else { Block = RtlpDebugPageHeapReAllocate ( BIAS_POINTER(RtlpDphMsvcrtHeap), 0, Address, Size); } return Block; }

---

Variable Documentation

BOOLEAN LdrpDphKernel32Snapped

Definition at line 3520 of file ldrsnap.c. Referenced by LdrpDphInitializeTargetDll().

BOOLEAN LdrpDphMsvcrtSnapped

Definition at line 3521 of file ldrsnap.c. Referenced by LdrpDphInitializeTargetDll().

DPH_SNAP_NAME LdrpDphSnapNamesForKernel32[]

Initial value: { { "GlobalAlloc", 0 }, { "GlobalReAlloc", 1 }, { "GlobalFree", 2 }, { "LocalAlloc", 3 }, { "LocalReAlloc", 4 }, { "LocalFree", 5 }, { "HeapAlloc", 6 }, { "HeapReAlloc", 7 }, { "HeapFree", 8 }, { "HeapCreate", 9 }, { NULL, 0 } } Definition at line 3553 of file ldrsnap.c. Referenced by LdrpDphInitializeTargetDll().

DPH_SNAP_NAME LdrpDphSnapNamesForMsvcrt[]

Initial value: { { "malloc", 10}, { "calloc", 11}, { "realloc", 12}, { "free", 13}, { "??2@YAPAXI@Z", 14}, { "??3@YAXPAX@Z", 15}, { "??_U@YAPAXI@Z", 16}, { "??_V@YAXPAX@Z", 17}, { NULL, 0 } } Definition at line 3569 of file ldrsnap.c. Referenced by LdrpDphInitializeTargetDll().

PVOID LdrpDphSnapRoutines[SNAP_ROUTINE_MAX_INDEX]

Definition at line 3543 of file ldrsnap.c. Referenced by LdrpDphDetectSnapRoutines(), LdrpDphSnapImports(), RtlpDphDllGlobalAlloc(), RtlpDphDllGlobalFree(), RtlpDphDllGlobalReAlloc(), RtlpDphDllHeapCreate(), RtlpDphDllLocalAlloc(), RtlpDphDllLocalFree(), and RtlpDphDllLocalReAlloc().

PVOID RtlpDphMsvcrtHeap

Definition at line 3703 of file ldrsnap.c. Referenced by RtlpDphDllcalloc(), RtlpDphDllDelete(), RtlpDphDllDeleteArray(), RtlpDphDllfree(), RtlpDphDllHeapCreate(), RtlpDphDllmalloc(), RtlpDphDllNew(), RtlpDphDllNewArray(), and RtlpDphDllrealloc().

---