obp.h File Reference

#include "ntos.h"
#include "seopaque.h"
#include <zwapi.h>

Go to the source code of this file.

Classes
struct	_SECURITY_DESCRIPTOR_HEADER
Defines
#define	ObpBeginTypeSpecificCallOut(IRQL)
#define	ObpEndTypeSpecificCallOut(IRQL, str, ot, o)
#define	ObpValidateIrql(str)
#define	ObpIncrPointerCount(np)   InterlockedIncrement( &np->PointerCount )
#define	ObpDecrPointerCount(np)   InterlockedDecrement( &np->PointerCount )
#define	ObpDecrPointerCountWithResult(np)   (InterlockedDecrement( &np->PointerCount ) == 0)
#define	ObpIncrHandleCount(np)   InterlockedIncrement( &np->HandleCount )
#define	ObpDecrHandleCount(np)   (InterlockedDecrement( &np->HandleCount ) == 0)
#define	ObpEnterObjectTypeMutex(_ObjectType)
#define	ObpLeaveObjectTypeMutex(_ObjectType)
#define	ObpEnterRootDirectoryMutex()
#define	ObpLeaveRootDirectoryMutex()
#define	ObpGetObjectTable()   (PsGetCurrentProcess()->ObjectTable)
#define	ObpCentralizedSecurity(_ObjectType)   ((_ObjectType)->TypeInfo.SecurityProcedure == SeDefaultObjectMethod)
#define	OBP_MAX_DEFINED_OBJECT_TYPES   24
#define	OBJ_PROTECT_CLOSE   0x1
#define	OBJ_AUDIT_OBJECT_CLOSE   0x00000004L
#define	OBJ_HANDLE_ATTRIBUTES   (OBJ_PROTECT_CLOSE | OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE)
#define	SD_TO_SD_HEADER(_sd)   CONTAINING_RECORD( (_sd), SECURITY_DESCRIPTOR_HEADER, SecurityDescriptor )
#define	LINK_TO_SD_HEADER(_link)   CONTAINING_RECORD( (_link), SECURITY_DESCRIPTOR_HEADER, Link )
#define	NEXT_SDHEADER(_sdh)
#define	PREV_SDHEADER(_sdh)
#define	SECURITY_DESCRIPTOR_CACHE_ENTRIES   256
#define	OBJECT_NAME_BUFFER_SIZE   248
#define	KERNEL_HANDLE_MASK   ((ULONG_PTR)((LONG)0x80000000))
#define	IsKernelHandle(H, M)
#define	EncodeKernelHandle(H)   (HANDLE)(KERNEL_HANDLE_MASK | (ULONG_PTR)(H))
#define	DecodeKernelHandle(H)   (HANDLE)(KERNEL_HANDLE_MASK ^ (ULONG_PTR)(H))
#define	ObpIsOverflow(A, B)   ((A) > ((A) + (B)))
#define	ObpFreeObjectCreateInformation(_ObjectCreateInfo)
#define	ObpReleaseObjectCreateInformation(_ObjectCreateInfo)
#define	ObpAllocateObjectCreateInfoBuffer()   (POBJECT_CREATE_INFORMATION)ExAllocateFromPPNPagedLookasideList(LookasideCreateInfoList)
#define	ObpFreeObjectCreateInfoBuffer(ObjectCreateInfo)   ExFreeToPPNPagedLookasideList(LookasideCreateInfoList, ObjectCreateInfo)
Typedefs
typedef _SECURITY_DESCRIPTOR_HEADER	SECURITY_DESCRIPTOR_HEADER
typedef _SECURITY_DESCRIPTOR_HEADER *	PSECURITY_DESCRIPTOR_HEADER
Functions
VOID	ObpAcquireDescriptorCacheWriteLock (VOID)
VOID	ObpAcquireDescriptorCacheReadLock (VOID)
VOID	ObpReleaseDescriptorCacheLock (VOID)
NTSTATUS	ObpCaptureObjectCreateInformation (IN POBJECT_TYPE ObjectType OPTIONAL, IN KPROCESSOR_MODE ProbeMode, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PUNICODE_STRING CapturedObjectName, IN POBJECT_CREATE_INFORMATION ObjectCreateInfo, IN LOGICAL UseLookaside)
NTSTATUS	ObpCaptureObjectName (IN KPROCESSOR_MODE ProbeMode, IN PUNICODE_STRING ObjectName, IN OUT PUNICODE_STRING CapturedObjectName, IN LOGICAL UseLookaside)
PWCHAR	ObpAllocateObjectNameBuffer (IN ULONG Length, IN LOGICAL UseLookaside, IN OUT PUNICODE_STRING ObjectName)
VOID FASTCALL	ObpFreeObjectNameBuffer (IN PUNICODE_STRING ObjectName)
NTSTATUS	ObpAllocateObject (IN POBJECT_CREATE_INFORMATION ObjectCreateInfo, IN KPROCESSOR_MODE OwnershipMode, IN POBJECT_TYPE ObjectType, IN PUNICODE_STRING ObjectName, IN ULONG ObjectBodySize, OUT POBJECT_HEADER *ReturnedObjectHeader)
VOID FASTCALL	ObpFreeObject (IN PVOID Object)
NTSTATUS	ObpParseSymbolicLink (IN PVOID ParseObject, IN PVOID ObjectType, IN PACCESS_STATE AccessState, IN KPROCESSOR_MODE AccessMode, IN ULONG Attributes, IN OUT PUNICODE_STRING CompleteName, IN OUT PUNICODE_STRING RemainingName, IN OUT PVOID Context OPTIONAL, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL, OUT PVOID *Object)
VOID	ObpDeleteSymbolicLink (IN PVOID Object)
VOID	ObpCreateSymbolicLinkName (POBJECT_SYMBOLIC_LINK SymbolicLink)
VOID	ObpDeleteSymbolicLinkName (POBJECT_SYMBOLIC_LINK SymbolicLink)
PVOID	ObpLookupDirectoryEntry (IN POBJECT_DIRECTORY Directory, IN PUNICODE_STRING Name, IN ULONG Attributes)
BOOLEAN	ObpInsertDirectoryEntry (IN POBJECT_DIRECTORY Directory, IN PVOID Object)
BOOLEAN	ObpDeleteDirectoryEntry (IN POBJECT_DIRECTORY Directory)
NTSTATUS	ObpLookupObjectName (IN HANDLE RootDirectoryHandle, IN PUNICODE_STRING ObjectName, IN ULONG Attributes, IN POBJECT_TYPE ObjectType, IN KPROCESSOR_MODE AccessMode, IN PVOID ParseContext OPTIONAL, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL, IN PVOID InsertObject OPTIONAL, IN OUT PACCESS_STATE AccessState, OUT PBOOLEAN DirectoryLocked, OUT PVOID *FoundObject)
VOID	ObpUnlockObjectDirectoryPath (IN POBJECT_DIRECTORY LockedDirectory)
VOID	ObpDeleteNameCheck (IN PVOID Object, IN BOOLEAN TypeMutexHeld)
VOID	ObpProcessRemoveObjectQueue (PVOID Parameter)
VOID	ObpRemoveObjectRoutine (PVOID Object)
POBJECT_HANDLE_COUNT_ENTRY	ObpInsertHandleCount (POBJECT_HEADER ObjectHeader)
NTSTATUS	ObpIncrementHandleCount (OB_OPEN_REASON OpenReason, PEPROCESS Process, PVOID Object, POBJECT_TYPE ObjectType, PACCESS_STATE AccessState OPTIONAL, KPROCESSOR_MODE AccessMode, ULONG Attributes)
VOID	ObpDecrementHandleCount (PEPROCESS Process, POBJECT_HEADER ObjectHeader, POBJECT_TYPE ObjectType, ACCESS_MASK GrantedAccess)
NTSTATUS	ObpCreateHandle (IN OB_OPEN_REASON OpenReason, IN PVOID Object, IN POBJECT_TYPE ExpectedObjectType OPTIONAL, IN PACCESS_STATE AccessState, IN ULONG ObjectPointerBias OPTIONAL, IN ULONG Attributes, IN BOOLEAN DirectoryLocked, IN KPROCESSOR_MODE AccessMode, OUT PVOID *ReferencedNewObject OPTIONAL, OUT PHANDLE Handle)
NTSTATUS	ObpIncrementUnnamedHandleCount (PACCESS_MASK DesiredAccess, PEPROCESS Process, PVOID Object, POBJECT_TYPE ObjectType, KPROCESSOR_MODE AccessMode, ULONG Attributes)
NTSTATUS	ObpCreateUnnamedHandle (IN PVOID Object, IN ACCESS_MASK DesiredAccess, IN ULONG ObjectPointerBias OPTIONAL, IN ULONG Attributes, IN KPROCESSOR_MODE AccessMode, OUT PVOID *ReferencedNewObject OPTIONAL, OUT PHANDLE Handle)
NTSTATUS	ObpChargeQuotaForObject (IN POBJECT_HEADER ObjectHeader, IN POBJECT_TYPE ObjectType, OUT PBOOLEAN NewObject)
NTSTATUS	ObpValidateDesiredAccess (IN ACCESS_MASK DesiredAccess)
BOOLEAN	ObpCheckPseudoHandleAccess (IN PVOID Object, IN ACCESS_MASK DesiredAccess, OUT PNTSTATUS AccessStatus, IN BOOLEAN TypeMutexLocked)
BOOLEAN	ObpCheckTraverseAccess (IN PVOID DirectoryObject, IN ACCESS_MASK TraverseAccess, IN PACCESS_STATE AccessState OPTIONAL, IN BOOLEAN TypeMutexLocked, IN KPROCESSOR_MODE PreviousMode, OUT PNTSTATUS AccessStatus)
BOOLEAN	ObpCheckObjectReference (IN PVOID Object, IN OUT PACCESS_STATE AccessState, IN BOOLEAN TypeMutexLocked, IN KPROCESSOR_MODE AccessMode, OUT PNTSTATUS AccessStatus)
NTSTATUS	ObpInitSecurityDescriptorCache (VOID)
ULONG	ObpHashSecurityDescriptor (PSECURITY_DESCRIPTOR SecurityDescriptor)
ULONG	ObpHashBuffer (PVOID Data, ULONG Length)
NTSTATUS	ObpLogSecurityDescriptor (IN PSECURITY_DESCRIPTOR InputSecurityDescriptor, OUT PSECURITY_DESCRIPTOR *OutputSecurityDescriptor)
PSECURITY_DESCRIPTOR_HEADER	ObpCreateCacheEntry (PSECURITY_DESCRIPTOR InputSecurityDescriptor, ULONG FullHash)
PSECURITY_DESCRIPTOR	ObpReferenceSecurityDescriptor (PVOID Object)
VOID	ObpDereferenceSecurityDescriptor (PSECURITY_DESCRIPTOR SecurityDescriptor)
VOID	ObpDestroySecurityDescriptorHeader (IN PSECURITY_DESCRIPTOR_HEADER Header)
BOOLEAN	ObpCompareSecurityDescriptors (IN PSECURITY_DESCRIPTOR SD1, IN PSECURITY_DESCRIPTOR SD2)
NTSTATUS	ObpValidateAccessMask (PACCESS_STATE AccessState)
Variables
KSPIN_LOCK	ObpLock
KEVENT	ObpDefaultObject
WORK_QUEUE_ITEM	ObpRemoveObjectWorkItem
PSINGLE_LIST_ENTRY	ObpRemoveObjectQueue
KSPIN_LOCK	ObpDeviceMapLock
POBJECT_TYPE	ObpObjectTypes [OBP_MAX_DEFINED_OBJECT_TYPES]
POBJECT_TYPE	ObpTypeObjectType
POBJECT_TYPE	ObpDirectoryObjectType
POBJECT_TYPE	ObpSymbolicLinkObjectType
POBJECT_TYPE	ObpDeviceMapObjectType
POBJECT_DIRECTORY	ObpRootDirectoryObject
POBJECT_DIRECTORY	ObpTypeDirectoryObject
ULARGE_INTEGER	ObpDosDevicesShortNamePrefix
ULARGE_INTEGER	ObpDosDevicesShortNameRoot
UNICODE_STRING	ObpDosDevicesShortName
ERESOURCE	ObpRootDirectoryMutex
ERESOURCE	SecurityDescriptorCacheLock
NPAGED_LOOKASIDE_LIST	ObpCreateInfoLookasideList
NPAGED_LOOKASIDE_LIST	ObpNameBufferLookasideList
PHANDLE_TABLE	ObpKernelHandleTable

---

Define Documentation

#define DecodeKernelHandle (  H   )     (HANDLE)(KERNEL_HANDLE_MASK ^ (ULONG_PTR)(H))

Definition at line 418 of file obp.h. Referenced by NtClose(), NtSetInformationObject(), NtWaitForMultipleObjects(), and ObReferenceObjectByHandle().

#define EncodeKernelHandle (  H   )     (HANDLE)(KERNEL_HANDLE_MASK | (ULONG_PTR)(H))

Definition at line 416 of file obp.h. Referenced by ObpCreateHandle(), and ObpCreateUnnamedHandle().

#define IsKernelHandle (  H, M   )

Value: (((KERNEL_HANDLE_MASK & (ULONG_PTR)(H)) == KERNEL_HANDLE_MASK) && \ ((M) == KernelMode) && \ ((H) != NtCurrentThread()) && \ ((H) != NtCurrentProcess())) Definition at line 410 of file obp.h.

#define KERNEL_HANDLE_MASK   ((ULONG_PTR)((LONG)0x80000000))

Definition at line 408 of file obp.h.

#define LINK_TO_SD_HEADER (  _link   )     CONTAINING_RECORD( (_link), SECURITY_DESCRIPTOR_HEADER, Link )

Definition at line 318 of file obp.h. Referenced by ObpLogSecurityDescriptor().

#define NEXT_SDHEADER (  _sdh   )

Value: ( \ (_sdh)->Link.Flink == NULL ? NULL : \ CONTAINING_RECORD( (_sdh)->Link.Flink, SECURITY_DESCRIPTOR_HEADER, Link ) \ ) Definition at line 325 of file obp.h.

#define OBJ_AUDIT_OBJECT_CLOSE   0x00000004L

Definition at line 282 of file obp.h.

#define OBJ_HANDLE_ATTRIBUTES   (OBJ_PROTECT_CLOSE | OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE)

Definition at line 289 of file obp.h. Referenced by NtClose(), NtDuplicateObject(), NtWaitForMultipleObjects(), ObDupHandleProcedure(), ObpCaptureHandleInformation(), ObpCreateHandle(), ObpCreateUnnamedHandle(), ObpEnumFindHandleProcedure(), ObpSetHandleAttributes(), and ObReferenceObjectByHandle().

#define OBJ_PROTECT_CLOSE   0x1

Definition at line 261 of file obp.h. Referenced by NtClose(), NtQueryObject(), and ObpSetHandleAttributes().

#define OBJECT_NAME_BUFFER_SIZE   248

Definition at line 390 of file obp.h. Referenced by ObInitSystem(), ObpAllocateObjectNameBuffer(), and ObpFreeObjectNameBuffer().

#define OBP_MAX_DEFINED_OBJECT_TYPES   24

Definition at line 228 of file obp.h. Referenced by NtQueryObject(), and ObCreateObjectType().

#define ObpAllocateObjectCreateInfoBuffer (   )     (POBJECT_CREATE_INFORMATION)ExAllocateFromPPNPagedLookasideList(LookasideCreateInfoList)

Definition at line 519 of file obp.h. Referenced by ObCreateObject().

#define ObpBeginTypeSpecificCallOut (  IRQL   )

Definition at line 56 of file obp.h. Referenced by NtClose(), ObAssignSecurity(), ObGetObjectSecurity(), ObpDecrementHandleCount(), ObpDeleteNameCheck(), ObpIncrementHandleCount(), ObpIncrementUnnamedHandleCount(), ObpLookupObjectName(), ObpRemoveObjectRoutine(), and ObQueryNameString().

#define ObpCentralizedSecurity (  _ObjectType   )     ((_ObjectType)->TypeInfo.SecurityProcedure == SeDefaultObjectMethod)

Definition at line 221 of file obp.h. Referenced by ObGetObjectSecurity(), and ObpReferenceSecurityDescriptor().

#define ObpDecrHandleCount (  np   )     (InterlockedDecrement( &np->HandleCount ) == 0)

Definition at line 148 of file obp.h. Referenced by ObpDecrementHandleCount(), ObpIncrementHandleCount(), and ObpIncrementUnnamedHandleCount().

#define ObpDecrPointerCount (  np   )     InterlockedDecrement( &np->PointerCount )

Definition at line 144 of file obp.h. Referenced by ObpCreateHandle(), and ObpCreateUnnamedHandle().

#define ObpDecrPointerCountWithResult (  np   )     (InterlockedDecrement( &np->PointerCount ) == 0)

Definition at line 145 of file obp.h. Referenced by ObfDereferenceObject().

#define ObpEndTypeSpecificCallOut (  IRQL, str, ot, o   )

Definition at line 57 of file obp.h. Referenced by NtClose(), ObAssignSecurity(), ObGetObjectSecurity(), ObpDecrementHandleCount(), ObpDeleteNameCheck(), ObpIncrementHandleCount(), ObpIncrementUnnamedHandleCount(), ObpLookupObjectName(), ObpRemoveObjectRoutine(), and ObQueryNameString().

#define ObpEnterObjectTypeMutex (  _ObjectType   )

Value: { \ ObpValidateIrql("ObpEnterObjectTypeMutex"); \ KeEnterCriticalRegion(); \ ExAcquireResourceExclusiveLite(&(_ObjectType)->Mutex, TRUE); \ } Definition at line 163 of file obp.h. Referenced by NtQuerySymbolicLinkObject(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObCreateObjectType(), ObEnumerateObjectsByType(), ObGetObjectInformation(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), ObpCreateTypeArray(), ObpDecrementHandleCount(), ObpDeleteNameCheck(), ObpIncrementHandleCount(), ObpIncrementUnnamedHandleCount(), and ObpRemoveObjectRoutine().

#define ObpEnterRootDirectoryMutex (   )

Value: { \ ObpValidateIrql("ObpEnterRootDirectoryMutex"); \ KeEnterCriticalRegion(); \ ExAcquireResourceExclusiveLite(&ObpRootDirectoryMutex, TRUE); \ } Definition at line 189 of file obp.h. Referenced by NtQueryDirectoryObject(), NtQueryObject(), ObCreateObjectType(), ObInitSystem(), ObpDeleteNameCheck(), ObpDeleteSymbolicLinkName(), ObpLookupObjectName(), ObpParseSymbolicLink(), and ObQueryNameString().

#define ObpFreeObjectCreateInfoBuffer (  ObjectCreateInfo   )     ExFreeToPPNPagedLookasideList(LookasideCreateInfoList, ObjectCreateInfo)

Definition at line 547 of file obp.h. Referenced by ObCreateObject(), and ObFreeObjectCreateInfoBuffer().

#define ObpFreeObjectCreateInformation (  _ObjectCreateInfo   )

Value: { \ ObpReleaseObjectCreateInformation((_ObjectCreateInfo)); \ ObpFreeObjectCreateInfoBuffer((_ObjectCreateInfo)); \ } Definition at line 431 of file obp.h. Referenced by ObDeleteCapturedInsertInfo(), ObInsertObject(), ObOpenObjectByName(), and ObpFreeObject().

#define ObpGetObjectTable (   )     (PsGetCurrentProcess()->ObjectTable)

Definition at line 213 of file obp.h. Referenced by NtClose(), NtDuplicateObject(), NtSetInformationObject(), NtWaitForMultipleObjects(), ObpCreateHandle(), ObpCreateUnnamedHandle(), ObQueryObjectAuditingByHandle(), ObReferenceObjectByHandle(), and obtest().

#define ObpIncrHandleCount (  np   )     InterlockedIncrement( &np->HandleCount )

Definition at line 147 of file obp.h. Referenced by ObpIncrementHandleCount(), and ObpIncrementUnnamedHandleCount().

#define ObpIncrPointerCount (  np   )     InterlockedIncrement( &np->PointerCount )

Definition at line 143 of file obp.h. Referenced by NtWaitForMultipleObjects(), ObDupHandleProcedure(), ObfReferenceObject(), ObpCreateHandle(), ObpCreateUnnamedHandle(), ObpLookupObjectName(), ObReferenceObjectByHandle(), and ObReferenceObjectByPointer().

#define ObpIsOverflow (  A, B   )     ((A) > ((A) + (B)))

Definition at line 424 of file obp.h. Referenced by NtQueryDirectoryObject().

#define ObpLeaveObjectTypeMutex (  _ObjectType   )

Value: { \ ExReleaseResource(&(_ObjectType)->Mutex); \ KeLeaveCriticalRegion(); \ ObpValidateIrql("ObpLeaveObjectTypeMutex"); \ } Definition at line 176 of file obp.h. Referenced by NtQuerySymbolicLinkObject(), ObCheckCreateObjectAccess(), ObCheckObjectAccess(), ObCreateObjectType(), ObEnumerateObjectsByType(), ObGetObjectInformation(), ObpCheckObjectReference(), ObpCheckTraverseAccess(), ObpCreateTypeArray(), ObpDecrementHandleCount(), ObpDeleteNameCheck(), ObpIncrementHandleCount(), ObpIncrementUnnamedHandleCount(), and ObpRemoveObjectRoutine().

#define ObpLeaveRootDirectoryMutex (   )

Value: { \ ExReleaseResource(&ObpRootDirectoryMutex); \ KeLeaveCriticalRegion(); \ ObpValidateIrql("ObpLeaveRootDirectoryMutex"); \ } Definition at line 202 of file obp.h. Referenced by NtQueryDirectoryObject(), NtQueryObject(), ObCreateObjectType(), ObInitSystem(), ObInsertObject(), ObOpenObjectByName(), ObpCreateHandle(), ObpDeleteNameCheck(), ObpDeleteSymbolicLinkName(), ObpLookupObjectName(), ObpParseSymbolicLink(), ObQueryNameString(), and ObReferenceObjectByName().

#define ObpReleaseObjectCreateInformation (  _ObjectCreateInfo   )

Value: { \ if ((_ObjectCreateInfo)->SecurityDescriptor != NULL) { \ SeReleaseSecurityDescriptor((_ObjectCreateInfo)->SecurityDescriptor, \ (_ObjectCreateInfo)->ProbeMode, \ TRUE); \ (_ObjectCreateInfo)->SecurityDescriptor = NULL; \ } \ } Definition at line 436 of file obp.h. Referenced by ObCreateObject(), ObOpenObjectByName(), and ObpCaptureObjectCreateInformation().

#define ObpValidateIrql (  str   )

Definition at line 71 of file obp.h. Referenced by NtClose(), NtCreateDirectoryObject(), NtOpenDirectoryObject(), NtQueryDirectoryObject(), ObCreateObjectType(), ObInsertObject(), ObKillProcess(), ObOpenObjectByName(), ObOpenObjectByPointer(), ObpCreateHandle(), ObpCreateUnnamedHandle(), ObpDeleteNameCheck(), ObpIncrementHandleCount(), ObpIncrementUnnamedHandleCount(), ObpLookupObjectName(), ObpRemoveObjectRoutine(), ObQueryObjectAuditingByHandle(), ObReferenceObjectByHandle(), and ObReferenceObjectByName().

#define PREV_SDHEADER (  _sdh   )

Value: ( \ (sdh)->Link.Blink == NULL ? NULL : \ CONTAINING_RECORD( (sdh)->Link.Blink, SECURITY_DESCRIPTOR_HEADER, Link ) \ ) Definition at line 330 of file obp.h.

#define SD_TO_SD_HEADER (  _sd   )     CONTAINING_RECORD( (_sd), SECURITY_DESCRIPTOR_HEADER, SecurityDescriptor )

Definition at line 311 of file obp.h. Referenced by ObDeassignSecurity(), ObpDereferenceSecurityDescriptor(), and ObpReferenceSecurityDescriptor().

#define SECURITY_DESCRIPTOR_CACHE_ENTRIES   256

Definition at line 339 of file obp.h. Referenced by ObpInitSecurityDescriptorCache().

---

Typedef Documentation

typedef struct _SECURITY_DESCRIPTOR_HEADER * PSECURITY_DESCRIPTOR_HEADER

typedef struct _SECURITY_DESCRIPTOR_HEADER SECURITY_DESCRIPTOR_HEADER

---

Function Documentation

VOID ObpAcquireDescriptorCacheReadLock (  VOID   )

Definition at line 914 of file obsdata.c. References ExAcquireResourceShared, KeEnterCriticalRegion, ObsSecurityDescriptorCacheLock, TRUE, and VOID(). Referenced by NtQueryObject(), and ObQuerySecurityDescriptorInfo(). : Takes a read lock on the security descriptor cache. Arguments: none Return Value: None. --*/ { KeEnterCriticalRegion(); (VOID)ExAcquireResourceShared( &ObsSecurityDescriptorCacheLock,TRUE ); return; }

VOID ObpAcquireDescriptorCacheWriteLock (  VOID   )

Definition at line 886 of file obsdata.c. References ExAcquireResourceExclusive, KeEnterCriticalRegion, ObsSecurityDescriptorCacheLock, TRUE, and VOID(). Referenced by ObDeassignSecurity(), ObpDereferenceSecurityDescriptor(), ObpLogSecurityDescriptor(), ObpReferenceSecurityDescriptor(), and ObSetSecurityDescriptorInfo(). : Takes a write lock on the security descriptor cache. Arguments: none Return Value: None. --*/ { KeEnterCriticalRegion(); (VOID)ExAcquireResourceExclusive( &ObsSecurityDescriptorCacheLock, TRUE ); return; }

NTSTATUS ObpAllocateObject (  IN POBJECT_CREATE_INFORMATION  ObjectCreateInfo, IN KPROCESSOR_MODE  OwnershipMode, IN POBJECT_TYPE  ObjectType, IN PUNICODE_STRING  ObjectName, IN ULONG  ObjectBodySize, OUT POBJECT_HEADER *  ReturnedObjectHeader )

Definition at line 761 of file obcreate.c. References _OBJECT_HEADER_CREATOR_INFO::CreatorBackTraceIndex, _OBJECT_HEADER_CREATOR_INFO::CreatorUniqueProcess, DbgPrint, _OBJECT_HEADER_NAME_INFO::Directory, ExAllocatePoolWithTag, _OBJECT_HEADER_QUOTA_INFO::ExclusiveProcess, _OBJECT_HEADER::Flags, _OBJECT_HEADER::HandleCount, _OBJECT_HANDLE_COUNT_ENTRY::HandleCount, _OBJECT_HEADER::HandleInfoOffset, KernelMode, _OBJECT_HEADER_NAME_INFO::Name, _OBJECT_HEADER::NameInfoOffset, NonPagedPool, _OBJECT_HEADER_QUOTA_INFO::NonPagedPoolCharge, NTSTATUS(), NULL, OB_FLAG_CREATOR_INFO, OB_FLAG_EXCLUSIVE_OBJECT, OB_FLAG_KERNEL_OBJECT, OB_FLAG_NEW_OBJECT, OB_FLAG_PERMANENT_OBJECT, OB_FLAG_SINGLE_HANDLE_ENTRY, _OBJECT_HEADER::ObjectCreateInfo, ObpObjectsCreated, ObpObjectsWithCreatorInfo, ObpObjectsWithHandleDB, ObpObjectsWithName, ObpObjectsWithPoolQuota, PAGED_CODE, PagedPool, _OBJECT_HEADER_QUOTA_INFO::PagedPoolCharge, _OBJECT_HEADER::PointerCount, POOL_TYPE, PROTECTED_POOL, PsGetCurrentProcess, _OBJECT_HEADER::QuotaInfoOffset, SE_DEFAULT_SECURITY_QUOTA, _OBJECT_HEADER::SecurityDescriptor, _OBJECT_HEADER_QUOTA_INFO::SecurityDescriptorCharge, _OBJECT_HEADER_HANDLE_INFO::SingleEntry, Status, _OBJECT_HEADER::Type, and _OBJECT_HEADER_CREATOR_INFO::TypeList. Referenced by ObCreateObject(), and ObCreateObjectType(). : This routine allocates a new object including the object header and body from pool and fill in the appropriate fields. Arguments: ObjectCreateInfo - Supplies the create information for the new object OwnershipMode - Supplies the processor mode of who is going to own the object ObjectType - Optionally supplies the object type of the object being created. If the object create info not null then this field must be supplied. ObjectName - Supplies the name of the object being created ObjectBodySize - Specifies the size, in bytes, of the body of the object being created ReturnedObjectHeader - Receives a pointer to the object header for the newly created objet. Return Value: An appropriate status value. --*/ { ULONG HeaderSize; POBJECT_HEADER ObjectHeader; NTSTATUS Status; PVOID ZoneSegment; ULONG QuotaInfoSize; ULONG HandleInfoSize; ULONG NameInfoSize; ULONG CreatorInfoSize; POBJECT_HEADER_QUOTA_INFO QuotaInfo; POBJECT_HEADER_HANDLE_INFO HandleInfo; POBJECT_HEADER_NAME_INFO NameInfo; POBJECT_HEADER_CREATOR_INFO CreatorInfo; POOL_TYPE PoolType; PAGED_CODE(); ObpObjectsCreated += 1; // // Compute the sizes of the optional object header components. // if (ObjectCreateInfo == NULL) { QuotaInfoSize = 0; HandleInfoSize = 0; NameInfoSize = sizeof( OBJECT_HEADER_NAME_INFO ); CreatorInfoSize = sizeof( OBJECT_HEADER_CREATOR_INFO ); } else { // // The caller specified some additional object create info // // First check to see if we need to set the quota // if (ObjectCreateInfo->PagedPoolCharge != ObjectType->TypeInfo.DefaultPagedPoolCharge || ObjectCreateInfo->NonPagedPoolCharge != ObjectType->TypeInfo.DefaultNonPagedPoolCharge || ObjectCreateInfo->SecurityDescriptorCharge > SE_DEFAULT_SECURITY_QUOTA || (ObjectCreateInfo->Attributes & OBJ_EXCLUSIVE)) { QuotaInfoSize = sizeof( OBJECT_HEADER_QUOTA_INFO ); ObpObjectsWithPoolQuota += 1; } else { QuotaInfoSize = 0; } // // Check if we are to allocate space to maintain handle counts // if (ObjectType->TypeInfo.MaintainHandleCount) { HandleInfoSize = sizeof( OBJECT_HEADER_HANDLE_INFO ); ObpObjectsWithHandleDB += 1; } else { HandleInfoSize = 0; } // // Check if we are to allocate space for the name // if (ObjectName->Buffer != NULL) { NameInfoSize = sizeof( OBJECT_HEADER_NAME_INFO ); ObpObjectsWithName += 1; } else { NameInfoSize = 0; } // // Finally check if we are to maintain the creator info // if (ObjectType->TypeInfo.MaintainTypeList) { CreatorInfoSize = sizeof( OBJECT_HEADER_CREATOR_INFO ); ObpObjectsWithCreatorInfo += 1; } else { CreatorInfoSize = 0; } } // // Now compute the total header size // HeaderSize = QuotaInfoSize + HandleInfoSize + NameInfoSize + CreatorInfoSize + FIELD_OFFSET( OBJECT_HEADER, Body ); // // Allocate and initialize the object. // // If the object type is not specified or specifies nonpaged pool, // then allocate the object from nonpaged pool. // Otherwise, allocate the object from paged pool. // if ((ObjectType == NULL) || (ObjectType->TypeInfo.PoolType == NonPagedPool)) { PoolType = NonPagedPool; } else { PoolType = PagedPool; } ObjectHeader = ExAllocatePoolWithTag( PoolType, HeaderSize + ObjectBodySize, (ObjectType == NULL ? 'TjbO' : ObjectType->Key) | PROTECTED_POOL ); if (ObjectHeader == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } // // Now based on if we are to put in the quota, handle, name, or creator info we // will do the extra work. This order is very important because we rely on // it to free the object. // if (QuotaInfoSize != 0) { QuotaInfo = (POBJECT_HEADER_QUOTA_INFO)ObjectHeader; QuotaInfo->PagedPoolCharge = ObjectCreateInfo->PagedPoolCharge; QuotaInfo->NonPagedPoolCharge = ObjectCreateInfo->NonPagedPoolCharge; QuotaInfo->SecurityDescriptorCharge = ObjectCreateInfo->SecurityDescriptorCharge; QuotaInfo->ExclusiveProcess = NULL; ObjectHeader = (POBJECT_HEADER)(QuotaInfo + 1); } if (HandleInfoSize != 0) { HandleInfo = (POBJECT_HEADER_HANDLE_INFO)ObjectHeader; HandleInfo->SingleEntry.HandleCount = 0; ObjectHeader = (POBJECT_HEADER)(HandleInfo + 1); } if (NameInfoSize != 0) { NameInfo = (POBJECT_HEADER_NAME_INFO)ObjectHeader; NameInfo->Name = *ObjectName; NameInfo->Directory = NULL; ObjectHeader = (POBJECT_HEADER)(NameInfo + 1); } if (CreatorInfoSize != 0) { CreatorInfo = (POBJECT_HEADER_CREATOR_INFO)ObjectHeader; CreatorInfo->CreatorBackTraceIndex = 0; CreatorInfo->CreatorUniqueProcess = PsGetCurrentProcess()->UniqueProcessId; InitializeListHead( &CreatorInfo->TypeList ); ObjectHeader = (POBJECT_HEADER)(CreatorInfo + 1); } // // Compute the proper offsets based on what we have // if (QuotaInfoSize != 0) { ObjectHeader->QuotaInfoOffset = (UCHAR)(QuotaInfoSize + HandleInfoSize + NameInfoSize + CreatorInfoSize); } else { ObjectHeader->QuotaInfoOffset = 0; } if (HandleInfoSize != 0) { ObjectHeader->HandleInfoOffset = (UCHAR)(HandleInfoSize + NameInfoSize + CreatorInfoSize); } else { ObjectHeader->HandleInfoOffset = 0; } if (NameInfoSize != 0) { ObjectHeader->NameInfoOffset = (UCHAR)(NameInfoSize + CreatorInfoSize); } else { ObjectHeader->NameInfoOffset = 0; } // // Say that this is a new object, and conditionally set the other flags // ObjectHeader->Flags = OB_FLAG_NEW_OBJECT; if (CreatorInfoSize != 0) { ObjectHeader->Flags |= OB_FLAG_CREATOR_INFO; } if (HandleInfoSize != 0) { ObjectHeader->Flags |= OB_FLAG_SINGLE_HANDLE_ENTRY; } // // Set the counters and its type // ObjectHeader->PointerCount = 1; ObjectHeader->HandleCount = 0; ObjectHeader->Type = ObjectType; // // Initialize the object header. // // N.B. The initialization of the object header is done field by // field rather than zeroing the memory and then initializing // the pertinent fields. // // N.B. It is assumed that the caller will initialize the object // attributes, object ownership, and parse context. // if (OwnershipMode == KernelMode) { ObjectHeader->Flags |= OB_FLAG_KERNEL_OBJECT; } if (ObjectCreateInfo != NULL && ObjectCreateInfo->Attributes & OBJ_PERMANENT ) { ObjectHeader->Flags |= OB_FLAG_PERMANENT_OBJECT; } if ((ObjectCreateInfo != NULL) && (ObjectCreateInfo->Attributes & OBJ_EXCLUSIVE)) { ObjectHeader->Flags |= OB_FLAG_EXCLUSIVE_OBJECT; } ObjectHeader->ObjectCreateInfo = ObjectCreateInfo; ObjectHeader->SecurityDescriptor = NULL; if (ObjectType != NULL) { ObjectType->TotalNumberOfObjects += 1; if (ObjectType->TotalNumberOfObjects > ObjectType->HighWaterNumberOfObjects) { ObjectType->HighWaterNumberOfObjects = ObjectType->TotalNumberOfObjects; } } #if DBG // // On a checked build echo out allocs // if (ObpShowAllocAndFree) { DbgPrint( "OB: Alloc %lx (%lx) %04lu", ObjectHeader, ObjectHeader, ObjectBodySize ); if (ObjectType) { DbgPrint(" - %wZ\n", &ObjectType->Name ); } else { DbgPrint(" - Type\n" ); } } #endif *ReturnedObjectHeader = ObjectHeader; return STATUS_SUCCESS; }

PWCHAR ObpAllocateObjectNameBuffer (  IN ULONG  Length, IN LOGICAL  UseLookaside, IN OUT PUNICODE_STRING  ObjectName )

Definition at line 583 of file obcreate.c. References Buffer, ExAllocateFromPPNPagedLookasideList(), ExAllocatePoolWithTag, FALSE, LookasideNameBufferList, NonPagedPool, OBJECT_NAME_BUFFER_SIZE, and USHORT. Referenced by ObpCaptureObjectName(). : This function allocates an object name buffer. N.B. This function is nonpageable. Arguments: Length - Supplies the length of the required buffer in bytes. UseLookaside - Supplies a logical variable that determines whether an attempt is made to allocate the name buffer from the lookaside list. ObjectName - Supplies a pointer to a name buffer string descriptor. Return Value: If the allocation is successful, then name buffer string descriptor is initialized and the address of the name buffer is returned as the function value. Otherwise, a value of NULL is returned. --*/ { PVOID Buffer; ULONG Maximum; KIRQL OldIrql; PKPRCB Prcb; // // If allocation from the lookaside lists is specified and the buffer // size is less than the size of lookaside list entries, then attempt // to allocate the name buffer from the lookaside lists. Otherwise, // attempt to allocate the name buffer from nonpaged pool. // Maximum = Length + sizeof(WCHAR); if ((UseLookaside == FALSE) || (Maximum > OBJECT_NAME_BUFFER_SIZE)) { // // Attempt to allocate the buffer from nonpaged pool. // Buffer = ExAllocatePoolWithTag(NonPagedPool, Maximum, 'mNbO'); } else { // // Attempt to allocate the name buffer from the lookaside list. If // the allocation attempt fails, then attempt to allocate the name // buffer from pool. // Maximum = OBJECT_NAME_BUFFER_SIZE; Buffer = ExAllocateFromPPNPagedLookasideList(LookasideNameBufferList); } // // Initialize the string descriptor and return the buffer address. // ObjectName->Length = (USHORT)Length; ObjectName->MaximumLength = (USHORT)Maximum; ObjectName->Buffer = Buffer; return (PWCHAR)Buffer; }

NTSTATUS ObpCaptureObjectCreateInformation (  IN POBJECT_TYPE ObjectType  OPTIONAL, IN KPROCESSOR_MODE  ProbeMode, IN POBJECT_ATTRIBUTES  ObjectAttributes, OUT PUNICODE_STRING  CapturedObjectName, IN POBJECT_CREATE_INFORMATION  ObjectCreateInfo, IN LOGICAL  UseLookaside )

Referenced by ObCreateObject(), and ObOpenObjectByName().

NTSTATUS ObpCaptureObjectName (  IN KPROCESSOR_MODE  ProbeMode, IN PUNICODE_STRING  ObjectName, IN OUT PUNICODE_STRING  CapturedObjectName, IN LOGICAL  UseLookaside )

Definition at line 438 of file obcreate.c. References ExFreePool(), ExSystemExceptionFilter(), KernelMode, NTSTATUS(), NULL, ObpAllocateObjectNameBuffer(), PAGED_CODE, ProbeAndReadUnicodeString, ProbeForRead, and Status. Referenced by ObpCaptureObjectCreateInformation(), and ObReferenceObjectByName(). : This function captures the object name but first verifies that it is at least properly sized. Arguments: ProbeMode - Supplies the processor mode to use when probing the object name ObjectName - Supplies the caller's version of the object name CapturedObjectName - Receives the captured verified version of the object name UseLookaside - Indicates if the captured name buffer should be allocated from the lookaside list or from straight pool Return Value: An appropriate status value --*/ { PWCH FreeBuffer; UNICODE_STRING InputObjectName; ULONG Length; NTSTATUS Status; PAGED_CODE(); // // Initialize the object name descriptor and capture the specified name // string. // CapturedObjectName->Buffer = NULL; CapturedObjectName->Length = 0; CapturedObjectName->MaximumLength = 0; Status = STATUS_SUCCESS; try { // // Probe and capture the name string descriptor and probe the // name string, if necessary. // FreeBuffer = NULL; if (ProbeMode != KernelMode) { InputObjectName = ProbeAndReadUnicodeString(ObjectName); ProbeForRead( InputObjectName.Buffer, InputObjectName.Length, sizeof(WCHAR) ); } else { InputObjectName = *ObjectName; } // // If the length of the string is not zero, then capture the string. // if (InputObjectName.Length != 0) { // // If the length of the string is not an even multiple of the // size of a UNICODE character or cannot be zero terminated, // then return an error. // Length = InputObjectName.Length; if (((Length & (sizeof(WCHAR) - 1)) != 0) || (Length == (MAXUSHORT - sizeof(WCHAR) + 1))) { Status = STATUS_OBJECT_NAME_INVALID; } else { // // Allocate a buffer for the specified name string. // // N.B. The name buffer allocation routine adds one // UNICODE character to the length and initializes // the string descriptor. // FreeBuffer = ObpAllocateObjectNameBuffer( Length, UseLookaside, CapturedObjectName ); if (FreeBuffer == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; } else { // // Copy the specified name string to the destination // buffer. // RtlMoveMemory(FreeBuffer, InputObjectName.Buffer, Length); // // Zero terminate the name string and initialize the // string descriptor. // FreeBuffer[Length / sizeof(WCHAR)] = UNICODE_NULL; } } } } except(ExSystemExceptionFilter()) { Status = GetExceptionCode(); if (FreeBuffer != NULL) { ExFreePool(FreeBuffer); } } return Status; }

NTSTATUS ObpChargeQuotaForObject (  IN POBJECT_HEADER  ObjectHeader, IN POBJECT_TYPE  ObjectType, OUT PBOOLEAN  NewObject )

Definition at line 1861 of file obhandle.c. References FALSE, _OBJECT_HEADER_QUOTA_INFO::NonPagedPoolCharge, NULL, OB_FLAG_DEFAULT_SECURITY_QUOTA, OB_FLAG_NEW_OBJECT, OBJECT_HEADER_TO_QUOTA_INFO, _OBJECT_HEADER_QUOTA_INFO::PagedPoolCharge, PsChargeSharedPoolQuota(), PsGetCurrentProcess, SE_DEFAULT_SECURITY_QUOTA, _OBJECT_HEADER_QUOTA_INFO::SecurityDescriptorCharge, and TRUE. Referenced by ObpIncrementHandleCount(), and ObpIncrementUnnamedHandleCount(). : This routine charges quota against the current process for the new object Arguments: ObjectHeader - Supplies a pointer to the new object being charged for ObjectType - Supplies the type of the new object NewObject - Returns true if the object is really new and false otherwise Return Value: An appropriate status value --*/ { POBJECT_HEADER_QUOTA_INFO QuotaInfo; ULONG NonPagedPoolCharge; ULONG PagedPoolCharge; // // Get a pointer to the quota block for this object // QuotaInfo = OBJECT_HEADER_TO_QUOTA_INFO( ObjectHeader ); *NewObject = FALSE; // // If the object is new then we have work to do otherwise // we'll return with NewObject set to false // if (ObjectHeader->Flags & OB_FLAG_NEW_OBJECT) { // // Say the object now isn't new // ObjectHeader->Flags &= ~OB_FLAG_NEW_OBJECT; // // If there does exist a quota info structure for this // object then calculate what our charge should be from // the information stored in that structure // if (QuotaInfo != NULL) { PagedPoolCharge = QuotaInfo->PagedPoolCharge + QuotaInfo->SecurityDescriptorCharge; NonPagedPoolCharge = QuotaInfo->NonPagedPoolCharge; } else { // // There isn't any quota information so we're on our own // Paged pool charge is the default for the object plus // the security descriptor if present. Nonpaged pool charge // is the default for the object. // PagedPoolCharge = ObjectType->TypeInfo.DefaultPagedPoolCharge; if (ObjectHeader->SecurityDescriptor != NULL) { ObjectHeader->Flags |= OB_FLAG_DEFAULT_SECURITY_QUOTA; PagedPoolCharge += SE_DEFAULT_SECURITY_QUOTA; } NonPagedPoolCharge = ObjectType->TypeInfo.DefaultNonPagedPoolCharge; } // // Now charge for the quota and make sure it succeeds // ObjectHeader->QuotaBlockCharged = (PVOID)PsChargeSharedPoolQuota( PsGetCurrentProcess(), PagedPoolCharge, NonPagedPoolCharge ); if (ObjectHeader->QuotaBlockCharged == NULL) { return STATUS_QUOTA_EXCEEDED; } *NewObject = TRUE; } return STATUS_SUCCESS; }

BOOLEAN ObpCheckObjectReference (  IN PVOID  Object, IN OUT PACCESS_STATE  AccessState, IN BOOLEAN  TypeMutexLocked, IN KPROCESSOR_MODE  AccessMode, OUT PNTSTATUS  AccessStatus )

Definition at line 602 of file obse.c. References FALSE, _OBJECT_TYPE_INITIALIZER::GenericMapping, NT_SUCCESS, NTSTATUS(), NULL, ObGetObjectSecurity(), OBJECT_TO_OBJECT_HEADER, ObpEnterObjectTypeMutex, ObpLeaveObjectTypeMutex, ObReleaseObjectSecurity(), PAGED_CODE, SeAccessCheck(), SeLockSubjectContext(), SeObjectReferenceAuditAlarm(), SeUnlockSubjectContext(), Status, TRUE, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by ObReferenceObjectByName(). : The routine performs access validation on the passed object. The remaining desired access mask is extracted from the AccessState parameter and passes to the appropriate security routine to perform the access check. If the access attempt is successful, SeAccessCheck returns a mask containing the granted accesses. The bits in this mask are turned on in the PreviouslyGrantedAccess field of the AccessState, and are turned off in the RemainingDesiredAccess field. This routine differs from ObpCheckObjectAccess in that it calls a different audit routine. Arguments: Object - The object being examined. AccessState - The ACCESS_STATE structure containing accumulated information about the current attempt to gain access to the object. TypeMutexLocked - Indicates whether the type mutex for this object's type is locked. The type mutex is used to protect the object's security descriptor from being modified while it is being accessed. AccessMode - The previous processor mode. AccessStatus - Pointer to a variable to return the status code of the access attempt. In the case of failure this status code must be propagated back to the user. Return Value: BOOLEAN - TRUE if access is allowed and FALSE otherwise --*/ { BOOLEAN AccessAllowed; ACCESS_MASK GrantedAccess = 0; BOOLEAN MemoryAllocated; PSECURITY_DESCRIPTOR SecurityDescriptor; NTSTATUS Status; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; PPRIVILEGE_SET Privileges = NULL; PAGED_CODE(); // // Map the object body to an object header and the // corresponding object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; // // If the caller does not have the object type locked // then lock it down // if (!TypeMutexLocked) { ObpEnterObjectTypeMutex( ObjectType ); } // // Obtain the object's security descriptor // Status = ObGetObjectSecurity( Object, &SecurityDescriptor, &MemoryAllocated ); // // If we failed in getting the security descriptor then // put the object type lock back where it was and return // the error back to our caller // if (!NT_SUCCESS( Status )) { if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } *AccessStatus = Status; return( FALSE ); } // // Lock the caller's tokens until after auditing has been // performed. // SeLockSubjectContext( &AccessState->SubjectSecurityContext ); // // Do the access check, and if we have some privileges then // put those in the access state too. // AccessAllowed = SeAccessCheck( SecurityDescriptor, &AccessState->SubjectSecurityContext, TRUE, // Tokens are locked AccessState->RemainingDesiredAccess, AccessState->PreviouslyGrantedAccess, &Privileges, &ObjectType->TypeInfo.GenericMapping, AccessMode, &GrantedAccess, AccessStatus ); if (AccessAllowed) { AccessState->PreviouslyGrantedAccess |= GrantedAccess; AccessState->RemainingDesiredAccess &= ~GrantedAccess; } // // If we have a security descriptor then call the security routine // to audit this reference and then unlock the caller's token // if ( SecurityDescriptor != NULL ) { SeObjectReferenceAuditAlarm( &AccessState->OperationID, Object, SecurityDescriptor, &AccessState->SubjectSecurityContext, AccessState->RemainingDesiredAccess | AccessState->PreviouslyGrantedAccess, ((PAUX_ACCESS_DATA)(AccessState->AuxData))->PrivilegesUsed, AccessAllowed, AccessMode ); } SeUnlockSubjectContext( &AccessState->SubjectSecurityContext ); // // If the caller didn't have the object type locked then remove // our lock // if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } // // Finally free the security descriptor // and return to our caller // ObReleaseObjectSecurity( SecurityDescriptor, MemoryAllocated ); return( AccessAllowed ); }

BOOLEAN ObpCheckPseudoHandleAccess (  IN PVOID  Object, IN ACCESS_MASK  DesiredAccess, OUT PNTSTATUS  AccessStatus, IN BOOLEAN  TypeMutexLocked )

BOOLEAN ObpCheckTraverseAccess (  IN PVOID  DirectoryObject, IN ACCESS_MASK  TraverseAccess, IN PACCESS_STATE AccessState  OPTIONAL, IN BOOLEAN  TypeMutexLocked, IN KPROCESSOR_MODE  PreviousMode, OUT PNTSTATUS  AccessStatus )

Definition at line 778 of file obse.c. References FALSE, _OBJECT_TYPE_INITIALIZER::GenericMapping, NT_SUCCESS, NTSTATUS(), NULL, ObGetObjectSecurity(), OBJECT_TO_OBJECT_HEADER, ObpEnterObjectTypeMutex, ObpLeaveObjectTypeMutex, ObReleaseObjectSecurity(), PAGED_CODE, SeAccessCheck(), SeAppendPrivileges(), SeFastTraverseCheck(), SeFreePrivileges(), SeLockSubjectContext(), SeUnlockSubjectContext(), Status, TOKEN_IS_RESTRICTED, TRUE, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by ObpLookupObjectName(). : This routine checks for traverse access to the given directory object. Note that the contents of the AccessState structure are not modified, since it is assumed that this access check is incidental to another access operation. Arguments: DirectoryObject - The object body of the object being examined. TraverseAccess - The desired access to the object, most likely DIRECTORY TRAVERSE access. AccessState - Checks for traverse access will typically be incidental to some other access attempt. Information on the current state of that access attempt is required so that the constituent access attempts may be associated with each other in the audit log. This is an OPTIONAL parameter, in which case the call will success ONLY if the Directory Object grants World traverse access rights. TypeMutexLocked - Indicates whether the type mutex for this object's type is locked. The type mutex is used to protect the object's security descriptor from being modified while it is being accessed. PreviousMode - The previous processor mode. AccessStatus - Pointer to a variable to return the status code of the access attempt. In the case of failure this status code must be propagated back to the user. Return Value: BOOLEAN - TRUE if access is allowed and FALSE otherwise. AccessStatus contains the status code to be passed back to the caller. It is not correct to simply pass back STATUS_ACCESS_DENIED, since this will have to change with the advent of mandatory access control. --*/ { BOOLEAN AccessAllowed; ACCESS_MASK GrantedAccess = 0; PSECURITY_DESCRIPTOR SecurityDescriptor; BOOLEAN MemoryAllocated; NTSTATUS Status; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; BOOLEAN SubjectContextLocked = FALSE; PPRIVILEGE_SET Privileges = NULL; PAGED_CODE(); // // Map the object body to an object header and corresponding // object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryObject ); ObjectType = ObjectHeader->Type; // // If the caller hasn't locked down the object type then // lock it down now // if (!TypeMutexLocked) { ObpEnterObjectTypeMutex( ObjectType ); } // // Obtain the object's security descriptor and make it was // successful // Status = ObGetObjectSecurity( DirectoryObject, &SecurityDescriptor, &MemoryAllocated ); if (!NT_SUCCESS( Status )) { if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } *AccessStatus = Status; return( FALSE ); } // // Check to see if WORLD has TRAVERSE access, by seeing if the // token is restricted or the fast traverse check fails meaning // that the world does not have traverse access // if (((AccessState->Flags & TOKEN_IS_RESTRICTED) != 0) || (!SeFastTraverseCheck( SecurityDescriptor, DIRECTORY_TRAVERSE, PreviousMode ))) { // // SeFastTraverseCheck could be modified to tell us that // no one has any access to this directory. However, // we're going to have to fail this entire call if // that is the case, so we really don't need to worry // all that much about making it blindingly fast. // if (ARGUMENT_PRESENT( AccessState )) { // // The world does not have traverse access and we have // the client's access state so lock down the client's // token and then do the access check, appending privileges // if present. The access check will give the answer // we return back to our caller // SeLockSubjectContext( &AccessState->SubjectSecurityContext ); SubjectContextLocked = TRUE; AccessAllowed = SeAccessCheck( SecurityDescriptor, &AccessState->SubjectSecurityContext, TRUE, // Tokens are locked TraverseAccess, 0, &Privileges, &ObjectType->TypeInfo.GenericMapping, PreviousMode, &GrantedAccess, AccessStatus ); if (Privileges != NULL) { Status = SeAppendPrivileges( AccessState, Privileges ); SeFreePrivileges( Privileges ); } } } else { // // At this point the world has traverse access // AccessAllowed = TRUE; } // // If the client's token is locked then now we can unlock it // // **** this should be able to move up into the preceding clause // where it is locked // if ( SubjectContextLocked ) { SeUnlockSubjectContext( &AccessState->SubjectSecurityContext ); } // // If the caller did not lock the object type then we // now need to unlock it // if (!TypeMutexLocked) { ObpLeaveObjectTypeMutex( ObjectType ); } // // Finally free the security descriptor // and then return to our caller // ObReleaseObjectSecurity( SecurityDescriptor, MemoryAllocated ); return( AccessAllowed ); }

BOOLEAN ObpCompareSecurityDescriptors (  IN PSECURITY_DESCRIPTOR  SD1, IN PSECURITY_DESCRIPTOR  SD2 )

Definition at line 839 of file obsdata.c. References Compare(), FALSE, and RtlLengthSecurityDescriptor(). Referenced by ObpLogSecurityDescriptor(). : Performs a byte by byte comparison of two self relative security descriptors to determine if they are identical. Arguments: SD1, SD2 - Security descriptors to be compared. Return Value: TRUE - They are the same. FALSE - They are different. --*/ { ULONG Length1; ULONG Length2; ULONG Compare; // // Calculating the length is pretty fast, see if we // can get away with doing only that. // Length1 = RtlLengthSecurityDescriptor ( SD1 ); Length2 = RtlLengthSecurityDescriptor ( SD2 ); if (Length1 != Length2) { return( FALSE ); } return (BOOLEAN)RtlEqualMemory ( SD1, SD2, Length1 ); }

PSECURITY_DESCRIPTOR_HEADER ObpCreateCacheEntry (  PSECURITY_DESCRIPTOR  InputSecurityDescriptor, ULONG  FullHash )

Definition at line 491 of file obsdata.c. References ExAllocatePoolWithTag, _SECURITY_DESCRIPTOR_HEADER::FullHash, _SECURITY_DESCRIPTOR_HEADER::Link, NULL, PagedPool, _SECURITY_DESCRIPTOR_HEADER::RefCount, RtlLengthSecurityDescriptor(), and _SECURITY_DESCRIPTOR_HEADER::SecurityDescriptor. Referenced by ObpLogSecurityDescriptor(). : Allocates and initializes a new cache entry. Arguments: InputSecurityDescriptor - The security descriptor to be cached. FullHash - Full 32 bit hash of the security descriptor. Return Value: A pointer to the newly allocated cache entry, or NULL --*/ { ULONG SecurityDescriptorLength; ULONG CacheEntrySize; PSECURITY_DESCRIPTOR_HEADER NewDescriptor; // // Compute the size that we'll need to allocate. We need space for // the security descriptor cache minus the funny quad at the end and the // security descriptor itself. // SecurityDescriptorLength = RtlLengthSecurityDescriptor ( InputSecurityDescriptor ); CacheEntrySize = SecurityDescriptorLength + (sizeof(SECURITY_DESCRIPTOR_HEADER) - sizeof( QUAD )); // // Now allocate space for the cached entry // NewDescriptor = ExAllocatePoolWithTag( PagedPool, CacheEntrySize, 'dSeS'); if ( NewDescriptor == NULL ) { return( NULL ); } // // Fill the header, copy over the descriptor data, and return to our // caller // NewDescriptor->RefCount = 1; NewDescriptor->FullHash = FullHash; NewDescriptor->Link.Flink = NULL; NewDescriptor->Link.Blink = NULL; RtlCopyMemory( &NewDescriptor->SecurityDescriptor, InputSecurityDescriptor, SecurityDescriptorLength ); return( NewDescriptor ); }

NTSTATUS ObpCreateHandle (  IN OB_OPEN_REASON  OpenReason, IN PVOID  Object, IN POBJECT_TYPE ExpectedObjectType  OPTIONAL, IN PACCESS_STATE  AccessState, IN ULONG ObjectPointerBias  OPTIONAL, IN ULONG  Attributes, IN BOOLEAN  DirectoryLocked, IN KPROCESSOR_MODE  AccessMode, OUT PVOID *ReferencedNewObject  OPTIONAL, OUT PHANDLE  Handle )

Definition at line 2160 of file obhandle.c. References _HANDLE_TABLE_ENTRY::CreatorBackTraceIndex, EncodeKernelHandle, ExCreateHandle(), FALSE, _HANDLE_TABLE_ENTRY::GrantedAccess, _HANDLE_TABLE_ENTRY::GrantedAccessIndex, Handle, KernelMode, KeStackAttachProcess(), KeUnstackDetachProcess(), NT_SUCCESS, NtGlobalFlag, NTSTATUS(), NULL, _HANDLE_TABLE_ENTRY::ObAttributes, ObCreateHandle, OBJ_AUDIT_OBJECT_CLOSE, OBJ_HANDLE_ATTRIBUTES, _HANDLE_TABLE_ENTRY::Object, OBJECT_TO_OBJECT_HEADER, ObpDecrementHandleCount(), ObpDecrPointerCount, ObpGetObjectTable, ObpIncrementHandleCount(), ObpIncrPointerCount, ObpKernelHandleTable, ObpLeaveRootDirectoryMutex, ObpValidateIrql, PAGED_CODE, PAUX_ACCESS_DATA, _EPROCESS::Pcb, _AUX_ACCESS_DATA::PrivilegesUsed, PsGetCurrentProcess, PsInitialSystemProcess, SeAuditHandleCreation(), SePrivilegeObjectAuditAlarm(), Status, TRUE, _OBJECT_HEADER::Type, _OBJECT_TYPE::TypeInfo, and _OBJECT_TYPE_INITIALIZER::ValidAccessMask. Referenced by ObInsertObject(), ObOpenObjectByName(), and ObOpenObjectByPointer(). : This function creates a new handle to an existing object Arguments: OpenReason - The reason why we are doing this work Object - A pointer to the body of the new object ExpectedObjectType - Optionally Supplies the object type that the caller is expecting AccessState - Supplies the access state for the handle requested by the caller ObjectPointerBias - Optionally supplies a count of addition increments we do to the pointer count for the object Attributes - Desired attributes for the handle DirectoryLocked - Indicates if the root directory mutex is already held AccessMode - Supplies the mode of the requestor. ReferencedNewObject - Optionally receives a pointer to the body of the new object Handle - Receives the new handle value Return Value: An appropriate status value --*/ { NTSTATUS Status; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; PVOID ObjectTable; HANDLE_TABLE_ENTRY ObjectTableEntry; HANDLE NewHandle; ACCESS_MASK DesiredAccess; ACCESS_MASK GrantedAccess; ULONG BiasCount; BOOLEAN AttachedToProcess = FALSE; BOOLEAN KernelHandle = FALSE; KAPC_STATE ApcState; PAGED_CODE(); ObpValidateIrql( "ObpCreateHandle" ); // // Merge both the remaining desired access and the currently // granted access states into one mask // // **** why is this being done here and then later in the this // same routine. // DesiredAccess = AccessState->RemainingDesiredAccess | AccessState->PreviouslyGrantedAccess; // // Get a pointer to the object header and object type // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; // // If the object type isn't what was expected then // return an error to our caller, but first see if // we should release the directory mutex // if ((ARGUMENT_PRESENT( ExpectedObjectType )) && (ObjectType != ExpectedObjectType )) { if (DirectoryLocked) { ObpLeaveRootDirectoryMutex(); } return( STATUS_OBJECT_TYPE_MISMATCH ); } // // Set the first ulong of the object table entry to point // back to the object header // ObjectTableEntry.Object = ObjectHeader; // // Now get a pointer to the object table for either the current process // of the kernel handle table // if ((Attributes & OBJ_KERNEL_HANDLE) && (AccessMode == KernelMode)) { ObjectTable = ObpKernelHandleTable; KernelHandle = TRUE; // // Go to the system process if we have to // if (PsGetCurrentProcess() != PsInitialSystemProcess) { KeStackAttachProcess (&PsInitialSystemProcess->Pcb, &ApcState); AttachedToProcess = TRUE; } } else { ObjectTable = ObpGetObjectTable(); } // // ObpIncrementHandleCount will perform access checking on the // object being opened as appropriate. // Status = ObpIncrementHandleCount( OpenReason, PsGetCurrentProcess(), Object, ObjectType, AccessState, AccessMode, Attributes ); if (AccessState->GenerateOnClose) { Attributes |= OBJ_AUDIT_OBJECT_CLOSE; } // // Or in some low order bits into the first ulong of the object // table entry // ObjectTableEntry.ObAttributes |= (Attributes & OBJ_HANDLE_ATTRIBUTES); // // Merge both the remaining desired access and the currently // granted access states into one mask and then compute // the granted access // DesiredAccess = AccessState->RemainingDesiredAccess | AccessState->PreviouslyGrantedAccess; GrantedAccess = DesiredAccess & (ObjectType->TypeInfo.ValidAccessMask | ACCESS_SYSTEM_SECURITY ); // // Unlock the directory if it is locked and make sure // we've been successful so far // if (DirectoryLocked) { ObpLeaveRootDirectoryMutex(); } if (!NT_SUCCESS( Status )) { // // If we are attached to the system process then return // back to our caller // if (AttachedToProcess) { KeUnstackDetachProcess(&ApcState); AttachedToProcess = FALSE; } return( Status ); } // // Bias the pointer count if that is what the caller wanted // if (ARGUMENT_PRESENT( (PVOID)(ULONG_PTR)ObjectPointerBias )) { BiasCount = ObjectPointerBias; while (BiasCount--) { ObpIncrPointerCount( ObjectHeader ); } } // // Set the granted access mask in the object table entry (second ulong) // #if i386 && !FPO if (NtGlobalFlag & FLG_KERNEL_STACK_TRACE_DB) { ObjectTableEntry.GrantedAccessIndex = ObpComputeGrantedAccessIndex( GrantedAccess ); ObjectTableEntry.CreatorBackTraceIndex = RtlLogStackBackTrace(); } else { ObjectTableEntry.GrantedAccess = GrantedAccess; } #else ObjectTableEntry.GrantedAccess = GrantedAccess; #endif // i386 && !FPO // // Add this new object table entry to the object table for the process // NewHandle = ExCreateHandle( ObjectTable, &ObjectTableEntry ); // // If we didn't get a handle then cleanup after ourselves and return // the error to our caller // if (NewHandle == NULL) { if (ARGUMENT_PRESENT( (PVOID)(ULONG_PTR)ObjectPointerBias )) { BiasCount = ObjectPointerBias; while (BiasCount--) { ObpDecrPointerCount( ObjectHeader ); } } ObpDecrementHandleCount( PsGetCurrentProcess(), ObjectHeader, ObjectType, GrantedAccess ); // // If we are attached to the system process then return // back to our caller // if (AttachedToProcess) { KeUnstackDetachProcess(&ApcState); AttachedToProcess = FALSE; } return( STATUS_INSUFFICIENT_RESOURCES ); } // // We have a new Ex style handle now make it an ob style handle and also // adjust for the kernel handle by setting the sign bit in the handle // value // if (KernelHandle) { NewHandle = EncodeKernelHandle( NewHandle ); } *Handle = NewHandle; // // If requested, generate audit messages to indicate that a new handle // has been allocated. // // This is the final security operation in the creation/opening of the // object. // if ( AccessState->GenerateAudit ) { SeAuditHandleCreation( AccessState, *Handle ); } if (OpenReason == ObCreateHandle) { PAUX_ACCESS_DATA AuxData = AccessState->AuxData; if ( ( AuxData->PrivilegesUsed != NULL) && (AuxData->PrivilegesUsed->PrivilegeCount > 0) ) { SePrivilegeObjectAuditAlarm( *Handle, &AccessState->SubjectSecurityContext, GrantedAccess, AuxData->PrivilegesUsed, TRUE, KeGetPreviousMode() ); } } // // If the caller had a pointer bias and wanted the new reference object // then return that value // if ((ARGUMENT_PRESENT( (PVOID)(ULONG_PTR)ObjectPointerBias )) && (ARGUMENT_PRESENT( ReferencedNewObject ))) { *ReferencedNewObject = Object; } // // If we are attached to the system process then return // back to our caller // if (AttachedToProcess) { KeUnstackDetachProcess(&ApcState); AttachedToProcess = FALSE; } // // And return to our caller // return( STATUS_SUCCESS ); }

VOID ObpCreateSymbolicLinkName (  POBJECT_SYMBOLIC_LINK  SymbolicLink  )

Definition at line 1015 of file oblink.c. References CREATE_SYMBOLIC_LINK, _OBJECT_DIRECTORY::DeviceMap, _OBJECT_HEADER_NAME_INFO::Directory, _OBJECT_SYMBOLIC_LINK::DosDeviceDriveIndex, L, _OBJECT_HEADER_NAME_INFO::Name, NULL, OBJECT_HEADER_TO_NAME_INFO, OBJECT_TO_OBJECT_HEADER, ObpProcessDosDeviceSymbolicLink(), and RtlUpcaseUnicodeChar(). Referenced by ObInsertObject(). : This routine does extra processing for symbolic links being created in object directories controlled by device map objects. This processing consists of: 1. Determine if the name of the symbolic link is a drive letter. If so, then we will need to update the drive type in the associated device map object. 2. Process the link target, trying to resolve it into a pointer to an object other than a object directory object. All object directories traversed must grant world traverse access other wise we bail out. If we successfully find a non object directory object, then reference the object pointer and store it in the symbolic link object, along with a remaining string if any. ObpLookupObjectName will used this cache object pointer to short circuit the name lookup directly to the cached object's parse routine. For any object directory objects traversed along the way, increment their symbolic link SymbolicLinkUsageCount field. This field is used whenever an object directory is deleted or its security is changed such that it no longer grants world traverse access. In either case, if the field is non-zero we walk all the symbolic links and resnap them. Arguments: SymbolicLink - pointer to symbolic link object being created. Return Value: None. --*/ { POBJECT_HEADER ObjectHeader; POBJECT_HEADER_NAME_INFO NameInfo; WCHAR DosDeviceDriveLetter; ULONG DosDeviceDriveIndex; // // Now see if this symbolic link is being created in an object directory // controlled by a device map object. Since we are only called from // NtCreateSymbolicLinkObject, after the handle to this symbolic link // has been created but before it is returned to the caller the handle can't // be closed while we are executing, unless via a random close, // So no need to hold the type specific mutex while we look at the name. // ObjectHeader = OBJECT_TO_OBJECT_HEADER( SymbolicLink ); NameInfo = OBJECT_HEADER_TO_NAME_INFO( ObjectHeader ); if ((NameInfo == NULL) || (NameInfo->Directory == NULL) || (NameInfo->Directory->DeviceMap == NULL)) { return; } // // Here if we are creating a symbolic link in an object directory controlled // by a device map object. See if this is a drive letter definition. If so // calculate the drive letter index and remember in the symbolic link object. // DosDeviceDriveIndex = 0; if ((NameInfo->Name.Length == (2 * sizeof( WCHAR ))) && (NameInfo->Name.Buffer[ 1 ] == L':')) { DosDeviceDriveLetter = RtlUpcaseUnicodeChar( NameInfo->Name.Buffer[ 0 ] ); if ((DosDeviceDriveLetter >= L'A') && (DosDeviceDriveLetter <= L'Z')) { DosDeviceDriveIndex = DosDeviceDriveLetter - L'A'; DosDeviceDriveIndex += 1; SymbolicLink->DosDeviceDriveIndex = DosDeviceDriveIndex; } } // // Now traverse the target path seeing if we can snap the link now. // ObpProcessDosDeviceSymbolicLink( SymbolicLink, CREATE_SYMBOLIC_LINK ); return; }

NTSTATUS ObpCreateUnnamedHandle (  IN PVOID  Object, IN ACCESS_MASK  DesiredAccess, IN ULONG ObjectPointerBias  OPTIONAL, IN ULONG  Attributes, IN KPROCESSOR_MODE  AccessMode, OUT PVOID *ReferencedNewObject  OPTIONAL, OUT PHANDLE  Handle )

Definition at line 2507 of file obhandle.c. References _HANDLE_TABLE_ENTRY::CreatorBackTraceIndex, EncodeKernelHandle, ExCreateHandle(), FALSE, _HANDLE_TABLE_ENTRY::GrantedAccess, _HANDLE_TABLE_ENTRY::GrantedAccessIndex, Handle, KernelMode, KeStackAttachProcess(), KeUnstackDetachProcess(), NT_SUCCESS, NtGlobalFlag, NTSTATUS(), NULL, _HANDLE_TABLE_ENTRY::ObAttributes, OBJ_HANDLE_ATTRIBUTES, _HANDLE_TABLE_ENTRY::Object, OBJECT_TO_OBJECT_HEADER, ObpDecrementHandleCount(), ObpDecrPointerCount, ObpGetObjectTable, ObpIncrementUnnamedHandleCount(), ObpIncrPointerCount, ObpKernelHandleTable, ObpValidateIrql, PAGED_CODE, _EPROCESS::Pcb, PsGetCurrentProcess, PsInitialSystemProcess, Status, TRUE, _OBJECT_HEADER::Type, _OBJECT_TYPE::TypeInfo, and _OBJECT_TYPE_INITIALIZER::ValidAccessMask. Referenced by ObInsertObject(). : This function creates a new unnamed handle for an existing object Arguments: Object - A pointer to the body of the new object DesiredAccess - Supplies the access mask being requsted ObjectPointerBias - Optionally supplies a count of addition increments we do to the pointer count for the object Attributes - Desired attributes for the handle AccessMode - Supplies the mode of the requestor. ReferencedNewObject - Optionally receives a pointer to the body of the new object Handle - Receives the new handle value Return Value: An appropriate status value --*/ { NTSTATUS Status; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; PVOID ObjectTable; HANDLE_TABLE_ENTRY ObjectTableEntry; HANDLE NewHandle; ULONG BiasCount; ACCESS_MASK GrantedAccess; BOOLEAN AttachedToProcess = FALSE; BOOLEAN KernelHandle = FALSE; KAPC_STATE ApcState; PAGED_CODE(); ObpValidateIrql( "ObpCreateUnnamedHandle" ); // // Get the object header and type for the new object // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; // // Set the first ulong of the object table entry to point // to the object header and then or in the low order attribute // bits // ObjectTableEntry.Object = ObjectHeader; ObjectTableEntry.ObAttributes |= (Attributes & OBJ_HANDLE_ATTRIBUTES); // // Now get a pointer to the object table for either the current process // of the kernel handle table // if ((Attributes & OBJ_KERNEL_HANDLE) && (AccessMode == KernelMode)) { ObjectTable = ObpKernelHandleTable; KernelHandle = TRUE; // // Go to the system process if we have to // if (PsGetCurrentProcess() != PsInitialSystemProcess) { KeStackAttachProcess (&PsInitialSystemProcess->Pcb, &ApcState); AttachedToProcess = TRUE; } } else { ObjectTable = ObpGetObjectTable(); } // // Increment the handle count, this routine also does the access // check if necessary // Status = ObpIncrementUnnamedHandleCount( &DesiredAccess, PsGetCurrentProcess(), Object, ObjectType, AccessMode, Attributes ); GrantedAccess = DesiredAccess & (ObjectType->TypeInfo.ValidAccessMask | ACCESS_SYSTEM_SECURITY ); if (!NT_SUCCESS( Status )) { // // If we are attached to the system process then return // back to our caller // if (AttachedToProcess) { KeUnstackDetachProcess(&ApcState); AttachedToProcess = FALSE; } return( Status ); } // // Bias the pointer count if that is what the caller wanted // if (ARGUMENT_PRESENT( (PVOID)(ULONG_PTR)ObjectPointerBias )) { BiasCount = ObjectPointerBias; while (BiasCount--) { ObpIncrPointerCount( ObjectHeader ); } } // // Set the granted access mask in the object table entry (second ulong) // #if i386 && !FPO if (NtGlobalFlag & FLG_KERNEL_STACK_TRACE_DB) { ObjectTableEntry.GrantedAccessIndex = ObpComputeGrantedAccessIndex( GrantedAccess ); ObjectTableEntry.CreatorBackTraceIndex = RtlLogStackBackTrace(); } else { ObjectTableEntry.GrantedAccess = GrantedAccess; } #else ObjectTableEntry.GrantedAccess = GrantedAccess; #endif // i386 && !FPO // // Add this new object table entry to the object table for the process // NewHandle = ExCreateHandle( ObjectTable, &ObjectTableEntry ); // // If we didn't get a handle then cleanup after ourselves and return // the error to our caller // if (NewHandle == NULL) { if (ARGUMENT_PRESENT( (PVOID)(ULONG_PTR)ObjectPointerBias )) { BiasCount = ObjectPointerBias; while (BiasCount--) { ObpDecrPointerCount( ObjectHeader ); } } ObpDecrementHandleCount( PsGetCurrentProcess(), ObjectHeader, ObjectType, GrantedAccess ); // // If we are attached to the system process then return // back to our caller // if (AttachedToProcess) { KeUnstackDetachProcess(&ApcState); AttachedToProcess = FALSE; } return( STATUS_INSUFFICIENT_RESOURCES ); } // // We have a new Ex style handle now make it an ob style handle and also // adjust for the kernel handle by setting the sign bit in the handle // value // if (KernelHandle) { NewHandle = EncodeKernelHandle( NewHandle ); } *Handle = NewHandle; // // If the caller had a pointer bias and wanted the new reference object // then return that value // if ((ARGUMENT_PRESENT( (PVOID)(ULONG_PTR)ObjectPointerBias )) && (ARGUMENT_PRESENT( ReferencedNewObject ))) { *ReferencedNewObject = Object; } // // If we are attached to the system process then return // back to our caller // if (AttachedToProcess) { KeUnstackDetachProcess(&ApcState); AttachedToProcess = FALSE; } return( STATUS_SUCCESS ); }

VOID ObpDecrementHandleCount (  PEPROCESS  Process, POBJECT_HEADER  ObjectHeader, POBJECT_TYPE  ObjectType, ACCESS_MASK  GrantedAccess )

Definition at line 1967 of file obhandle.c. References ASSERT, _OBJECT_HEADER::Body, _OBJECT_TYPE_INITIALIZER::CloseProcedure, _OBJECT_HANDLE_COUNT_DATABASE::CountEntries, FALSE, _OBJECT_HEADER::Flags, _OBJECT_HANDLE_COUNT_ENTRY::HandleCount, _OBJECT_HEADER::HandleCount, _OBJECT_HEADER_HANDLE_INFO::HandleCountDataBase, _OBJECT_HANDLE_COUNT_DATABASE::HandleCountEntries, _OBJECT_TYPE_INITIALIZER::MaintainHandleCount, NULL, OB_FLAG_EXCLUSIVE_OBJECT, OB_FLAG_SINGLE_HANDLE_ENTRY, OBJECT_HEADER_TO_CREATOR_INFO, OBJECT_HEADER_TO_HANDLE_INFO, OBJECT_HEADER_TO_QUOTA_INFO, ObpBeginTypeSpecificCallOut, ObpDecrHandleCount, ObpDeleteNameCheck(), ObpEndTypeSpecificCallOut, ObpEnterObjectTypeMutex, ObpLeaveObjectTypeMutex, PAGED_CODE, _OBJECT_HANDLE_COUNT_ENTRY::Process, _OBJECT_HEADER_HANDLE_INFO::SingleEntry, _OBJECT_TYPE::TotalNumberOfHandles, TRUE, _OBJECT_TYPE::TypeInfo, and _OBJECT_HEADER_CREATOR_INFO::TypeList. Referenced by NtClose(), NtDuplicateObject(), ObpCreateHandle(), and ObpCreateUnnamedHandle(). : This procedure decrements the handle count for the specified object Arguments: Process - Supplies the process where the handle existed ObjectHeader - Supplies a pointer to the object header for the object ObjectType - Supplies a type of the object GrantedAccess - Supplies the current access mask to the object Return Value: None. --*/ { POBJECT_HEADER_HANDLE_INFO HandleInfo; POBJECT_HANDLE_COUNT_DATABASE HandleCountDataBase; POBJECT_HANDLE_COUNT_ENTRY HandleCountEntry; POBJECT_HEADER_CREATOR_INFO CreatorInfo; PVOID Object; ULONG CountEntries; ULONG ProcessHandleCount; ULONG SystemHandleCount; BOOLEAN HandleCountIsZero; PAGED_CODE(); ObpEnterObjectTypeMutex( ObjectType ); Object = (PVOID)&ObjectHeader->Body; SystemHandleCount = ObjectHeader->HandleCount; ProcessHandleCount = 0; // // Decrement the handle count and it was one and it // was an exclusive object then zero out the exclusive // process // HandleCountIsZero = ObpDecrHandleCount( ObjectHeader ); if ( HandleCountIsZero && (ObjectHeader->Flags & OB_FLAG_EXCLUSIVE_OBJECT)) { OBJECT_HEADER_TO_QUOTA_INFO( ObjectHeader )->ExclusiveProcess = NULL; } if ( HandleCountIsZero ) { CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO( ObjectHeader ); // // If there is a creator info record and we are on the list // for the object type then remove this object from the list // if (CreatorInfo != NULL && !IsListEmpty( &CreatorInfo->TypeList )) { RemoveEntryList( &CreatorInfo->TypeList ); InitializeListHead( &CreatorInfo->TypeList ); } } // // If the object maintains a handle count database then // search through the handle database and decrement // the necessary information // if (ObjectType->TypeInfo.MaintainHandleCount) { HandleInfo = OBJECT_HEADER_TO_HANDLE_INFO( ObjectHeader ); // // Check if there is a single handle entry, then it better // be ours // if (ObjectHeader->Flags & OB_FLAG_SINGLE_HANDLE_ENTRY) { ASSERT(HandleInfo->SingleEntry.Process == Process); ASSERT(HandleInfo->SingleEntry.HandleCount > 0); ProcessHandleCount = HandleInfo->SingleEntry.HandleCount--; HandleCountEntry = &HandleInfo->SingleEntry; } else { // // Otherwise search the database for a process match // HandleCountDataBase = HandleInfo->HandleCountDataBase; if (HandleCountDataBase != NULL) { CountEntries = HandleCountDataBase->CountEntries; HandleCountEntry = &HandleCountDataBase->HandleCountEntries[ 0 ]; while (CountEntries) { if ((HandleCountEntry->HandleCount != 0) && (HandleCountEntry->Process == Process)) { ProcessHandleCount = HandleCountEntry->HandleCount--; break; } HandleCountEntry++; CountEntries--; } } } // // Now if the process is giving up all handles to the object // then zero out the handle count entry. For a single handle // entry this is just the single entry in the header handle info // structure // if (ProcessHandleCount == 1) { HandleCountEntry->Process = NULL; HandleCountEntry->HandleCount = 0; } } // // If the Object Type has a Close Procedure, then release the type // mutex before calling it, and then call ObpDeleteNameCheck without // the mutex held. // if (ObjectType->TypeInfo.CloseProcedure) { KIRQL SaveIrql; ObpLeaveObjectTypeMutex( ObjectType ); ObpBeginTypeSpecificCallOut( SaveIrql ); (*ObjectType->TypeInfo.CloseProcedure)( Process, Object, GrantedAccess, ProcessHandleCount, SystemHandleCount ); ObpEndTypeSpecificCallOut( SaveIrql, "Close", ObjectType, Object ); ObpDeleteNameCheck( Object, FALSE ); } else { // // If there is no Close Procedure, then just call ObpDeleteNameCheck // with the mutex held. // // The following call will release the type mutex // ObpDeleteNameCheck( Object, TRUE ); } ObpEnterObjectTypeMutex( ObjectType ); ObjectType->TotalNumberOfHandles -= 1; ObpLeaveObjectTypeMutex( ObjectType ); return; }

BOOLEAN ObpDeleteDirectoryEntry (  IN POBJECT_DIRECTORY  Directory  )

Definition at line 1009 of file obdir.c. References _OBJECT_DIRECTORY_ENTRY::ChainLink, Directory(), ExFreePool(), FALSE, NULL, and TRUE. Referenced by ObInsertObject(), and ObpDeleteNameCheck(). : This routine deletes the most recently found directory entry from the specified directory object. It will only succeed after a successful ObpLookupDirectoryEntry call. Arguments: Directory - Supplies the directory being modified Return Value: TRUE if the deletion succeeded and FALSE otherwise --*/ { POBJECT_DIRECTORY_ENTRY *HeadDirectoryEntry; POBJECT_DIRECTORY_ENTRY DirectoryEntry; // // Make sure we have a directory and that it has a found entry // if (!Directory || !Directory->LookupFound) { return( FALSE ); } // // Also make sure that the lookup bucket is valid // HeadDirectoryEntry = Directory->LookupBucket; if (!HeadDirectoryEntry) { return( FALSE ); } DirectoryEntry = *HeadDirectoryEntry; if (!DirectoryEntry) { return( FALSE ); } // // Unlink the entry from the head of the bucket chain and free the // memory for the entry. // *HeadDirectoryEntry = DirectoryEntry->ChainLink; DirectoryEntry->ChainLink = NULL; ExFreePool( DirectoryEntry ); // // Return success // return( TRUE ); }

VOID ObpDeleteNameCheck (  IN PVOID  Object, IN BOOLEAN  TypeMutexHeld )

Definition at line 1497 of file obref.c. References DeleteSecurityDescriptor, _OBJECT_HEADER_NAME_INFO::Directory, ExFreePool(), _OBJECT_HEADER::Flags, _OBJECT_HEADER::HandleCount, _OBJECT_HEADER_NAME_INFO::Name, NULL, OB_FLAG_PERMANENT_OBJECT, ObDereferenceObject, OBJECT_HEADER_TO_NAME_INFO, OBJECT_TO_OBJECT_HEADER, ObpBeginTypeSpecificCallOut, ObpDeleteDirectoryEntry(), ObpDeleteSymbolicLinkName(), ObpEndTypeSpecificCallOut, ObpEnterObjectTypeMutex, ObpEnterRootDirectoryMutex, ObpLeaveObjectTypeMutex, ObpLeaveRootDirectoryMutex, ObpLookupDirectoryEntry(), ObpSymbolicLinkObjectType, ObpValidateIrql, PAGED_CODE, _OBJECT_TYPE_INITIALIZER::PoolType, _OBJECT_HEADER::SecurityDescriptor, _OBJECT_TYPE_INITIALIZER::SecurityProcedure, _OBJECT_TYPE_INITIALIZER::SecurityRequired, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by ObInsertObject(), ObMakeTemporaryObject(), and ObpDecrementHandleCount(). : This routine removes the name of an object from its parent directory Arguments: Object - Supplies a pointer to the object body whose name is being checked TypeMutexHeld - Indicates if the lock on object type is being held by the caller Return Value: None. --*/ { POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; POBJECT_HEADER_NAME_INFO NameInfo; PVOID DirObject; PAGED_CODE(); ObpValidateIrql( "ObpDeleteNameCheck" ); // // Translate the object body to an object header also get // the object type and name info if present // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); NameInfo = OBJECT_HEADER_TO_NAME_INFO( ObjectHeader ); ObjectType = ObjectHeader->Type; // // If the lock is not held then get the lock now // if (!TypeMutexHeld) { ObpEnterObjectTypeMutex( ObjectType ); } // // Make sure that the object has a zero handle count, has a non // empty name buffer, and is not a permanent object // if ((ObjectHeader->HandleCount == 0) && (NameInfo != NULL) && (NameInfo->Name.Length != 0) && (!(ObjectHeader->Flags & OB_FLAG_PERMANENT_OBJECT))) { // // Give up the lock on the object type and instead // get the lock on the object directories // ObpLeaveObjectTypeMutex( ObjectType ); ObpEnterRootDirectoryMutex(); DirObject = NULL; // // Check that the object we is still in the directory otherwise // then is nothing for us to remove // if (Object == ObpLookupDirectoryEntry( NameInfo->Directory, &NameInfo->Name, 0 )) { // // Now reacquire the lock on the object type and // check check the handle count again. If it is still // zero then we can do the actual delete name operation // ObpEnterObjectTypeMutex( ObjectType ); if (ObjectHeader->HandleCount == 0) { KIRQL SaveIrql; // // Delete the directory entry // ObpDeleteDirectoryEntry( NameInfo->Directory ); // // If security is not required invoke the // security callback to delete the security descriptor // if ( !ObjectType->TypeInfo.SecurityRequired ) { ObpBeginTypeSpecificCallOut( SaveIrql ); (ObjectType->TypeInfo.SecurityProcedure)( Object, DeleteSecurityDescriptor, NULL, NULL, NULL, &ObjectHeader->SecurityDescriptor, ObjectType->TypeInfo.PoolType, NULL ); ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object ); } // // If this is a symbolic link object then we also need to // delete the symbolic link // if (ObjectType == ObpSymbolicLinkObjectType) { ObpDeleteSymbolicLinkName( (POBJECT_SYMBOLIC_LINK)Object ); } // // Free the name buffer and zero out the name data fields // ExFreePool( NameInfo->Name.Buffer ); NameInfo->Name.Buffer = NULL; NameInfo->Name.Length = 0; NameInfo->Name.MaximumLength = 0; DirObject = NameInfo->Directory; NameInfo->Directory = NULL; } ObpLeaveObjectTypeMutex( ObjectType ); } ObpLeaveRootDirectoryMutex(); // // If there is a directory object for the name then decrement // its reference count for it and for the object // if (DirObject != NULL) { ObDereferenceObject( DirObject ); ObDereferenceObject( Object ); } } else { // // Otherwise don't do any work but simply release the object type // lock and return to our caller // ObpLeaveObjectTypeMutex( ObjectType ); } return; }

VOID ObpDeleteSymbolicLink (  IN PVOID  Object  )

Definition at line 904 of file oblink.c. References ExFreePool(), _OBJECT_SYMBOLIC_LINK::LinkTarget, NULL, and PAGED_CODE. Referenced by ObInitSystem(). : This routine is called when a reference to a symbolic link goes to zero. Its job is to clean up the memory used to the symbolic link string Arguments: Object - Supplies a pointer to the symbolic link object being deleted Return Value: None. --*/ { POBJECT_SYMBOLIC_LINK SymbolicLink = (POBJECT_SYMBOLIC_LINK)Object; PAGED_CODE(); // // The only cleaning up we need to do is to free the link target // buffer // if (SymbolicLink->LinkTarget.Buffer != NULL) { ExFreePool( SymbolicLink->LinkTarget.Buffer ); } SymbolicLink->LinkTarget.Buffer = NULL; // // And return to our caller // return; }

VOID ObpDeleteSymbolicLinkName (  POBJECT_SYMBOLIC_LINK  SymbolicLink  )

Definition at line 951 of file oblink.c. References DELETE_SYMBOLIC_LINK, _OBJECT_SYMBOLIC_LINK::LinkTargetObject, NULL, ObDereferenceObject, ObpEnterRootDirectoryMutex, ObpLeaveRootDirectoryMutex, ObpProcessDosDeviceSymbolicLink(), and ObReferenceObject. Referenced by ObpDeleteNameCheck(). : This routine delete the symbolic from the system Arguments: SymbolicLink - Supplies a pointer to the object body for the symbolic link object to delete Return Value: None. --*/ { PVOID CapturedLinkTargetObject; CapturedLinkTargetObject = NULL; // // Lock the root directory mutex while we look at the target path to // prevent names from disappearing out from under us. Also protects // against collisions with NtCreateSymbolicLink // ObpEnterRootDirectoryMutex(); // // Capture the link target object and referenced one more time // to avoid destroying while the RootDirectoryMutex is hold // CapturedLinkTargetObject = SymbolicLink->LinkTargetObject; if (CapturedLinkTargetObject != NULL) { ObReferenceObject(CapturedLinkTargetObject); } ObpProcessDosDeviceSymbolicLink( SymbolicLink, DELETE_SYMBOLIC_LINK ); ObpLeaveRootDirectoryMutex(); // // Remove the extra-reference for the link target object // if (CapturedLinkTargetObject != NULL) { ObDereferenceObject(CapturedLinkTargetObject); } return; }

VOID ObpDereferenceSecurityDescriptor (  PSECURITY_DESCRIPTOR  SecurityDescriptor  )

Definition at line 700 of file obsdata.c. References ASSERT, _SECURITY_DESCRIPTOR_HEADER::FullHash, ObpAcquireDescriptorCacheWriteLock(), ObpDestroySecurityDescriptorHeader(), ObpReleaseDescriptorCacheLock(), ObPrint, _SECURITY_DESCRIPTOR_HEADER::RefCount, and SD_TO_SD_HEADER. Referenced by ObDeassignSecurity(), ObReleaseObjectSecurity(), and ObSetSecurityDescriptorInfo(). : Decrements the refcount of a cached security descriptor Arguments: SecurityDescriptor - Points to a cached security descriptor Return Value: None. --*/ { PSECURITY_DESCRIPTOR_HEADER SecurityDescriptorHeader; // // Lock the security descriptor cache and get a pointer // to the security descriptor header // ObpAcquireDescriptorCacheWriteLock(); SecurityDescriptorHeader = SD_TO_SD_HEADER( SecurityDescriptor ); // // Do some debug work // ObPrint( SHOW_REFERENCES, ("Dereferencing SecurityDescriptor %x, hash %lx, refcount = %d \n", SecurityDescriptor, SecurityDescriptorHeader->FullHash,SecurityDescriptorHeader->RefCount)); ASSERT(SecurityDescriptorHeader->RefCount != 0); // // Decrement the ref count and if it is now zero then // we can completely remove this entry from the cache // if (--SecurityDescriptorHeader->RefCount == 0) { ObpDestroySecurityDescriptorHeader( SecurityDescriptorHeader ); } // // Unlock the security descriptor cache and return to our caller // ObpReleaseDescriptorCacheLock(); }

VOID ObpDestroySecurityDescriptorHeader (  IN PSECURITY_DESCRIPTOR_HEADER  Header  )

Definition at line 759 of file obsdata.c. References ASSERT, ExFreePool(), Header, NULL, ObPrint, and ObsSecurityDescriptorCache. Referenced by ObpDereferenceSecurityDescriptor(). : Frees a cached security descriptor and unlinks it from the chain. Arguments: Header - Pointer to a security descriptor header (cached security descriptor) Return Value: None. --*/ { PLIST_ENTRY Forward; PLIST_ENTRY Rear; UCHAR SmallHash; ASSERT ( Header->RefCount == 0 ); #if OB_DIAGNOSTICS_ENABLED ObsTotalCacheEntries--; #endif ObPrint( SHOW_STATISTICS, ("ObsTotalCacheEntries = %d \n",ObsTotalCacheEntries)); // // Unlink the cached security descriptor from its linked list and // from the small hash table if it was at the head of the list // // **** this should all be rewritten to use the regular set of // link list macros // SmallHash = (UCHAR)Header->FullHash; Forward = Header->Link.Flink; Rear = Header->Link.Blink; if ( Forward != NULL ) { Forward->Blink = Rear; } if ( Rear != NULL ) { Rear->Flink = Forward; } else { // // if Rear is NULL, we're deleting the head of the list // ObsSecurityDescriptorCache[SmallHash] = Forward; } ObPrint( SHOW_HEADER_FREE, ("Freeing memory at %x \n",Header)); // // Now return the cached descriptor to pool and return to our caller // ExFreePool( Header ); return; }

VOID FASTCALL ObpFreeObject (  IN PVOID  Object  )

Definition at line 1098 of file obcreate.c. References DbgPrint, _OBJECT_TYPE_INITIALIZER::DefaultNonPagedPoolCharge, _OBJECT_TYPE_INITIALIZER::DefaultPagedPoolCharge, ExFreePool(), ExFreePoolWithTag, _OBJECT_HEADER_HANDLE_INFO::HandleCountDataBase, _OBJECT_HEADER_NAME_INFO::Name, _OBJECT_TYPE::Name, _OBJECT_HEADER_QUOTA_INFO::NonPagedPoolCharge, NULL, OB_FLAG_DEFAULT_SECURITY_QUOTA, OB_FLAG_NEW_OBJECT, OB_FLAG_SINGLE_HANDLE_ENTRY, OBJECT_HEADER_TO_CREATOR_INFO, OBJECT_HEADER_TO_HANDLE_INFO, OBJECT_HEADER_TO_NAME_INFO, OBJECT_HEADER_TO_QUOTA_INFO, OBJECT_TO_OBJECT_HEADER, ObpFreeObjectCreateInformation, PAGED_CODE, _OBJECT_HEADER_QUOTA_INFO::PagedPoolCharge, PROTECTED_POOL, PsReturnSharedPoolQuota(), SE_DEFAULT_SECURITY_QUOTA, _OBJECT_HEADER_QUOTA_INFO::SecurityDescriptorCharge, _OBJECT_TYPE::TotalNumberOfObjects, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by ObCreateObject(), and ObpRemoveObjectRoutine(). : This routine undoes ObpAllocateObject. It returns the object back to free pool. Arguments: Object - Supplies a pointer to the body of the object being freed. Return Value: None. --*/ { POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; POBJECT_HEADER_QUOTA_INFO QuotaInfo; POBJECT_HEADER_HANDLE_INFO HandleInfo; POBJECT_HEADER_NAME_INFO NameInfo; POBJECT_HEADER_CREATOR_INFO CreatorInfo; PVOID FreeBuffer; ULONG NonPagedPoolCharge; ULONG PagedPoolCharge; PAGED_CODE(); // // Get the address of the object header. // ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object); ObjectType = ObjectHeader->Type; // // Now from the header determine the start of the allocation. We need // to backup based on what precedes the header. The order is very // important and must be the inverse of that used by ObpAllocateObject // FreeBuffer = ObjectHeader; CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO( ObjectHeader ); if (CreatorInfo != NULL) { FreeBuffer = CreatorInfo; } NameInfo = OBJECT_HEADER_TO_NAME_INFO( ObjectHeader ); if (NameInfo != NULL) { FreeBuffer = NameInfo; } HandleInfo = OBJECT_HEADER_TO_HANDLE_INFO( ObjectHeader ); if (HandleInfo != NULL) { FreeBuffer = HandleInfo; } QuotaInfo = OBJECT_HEADER_TO_QUOTA_INFO( ObjectHeader ); if (QuotaInfo != NULL) { FreeBuffer = QuotaInfo; } #if DBG // // On a checked build echo out frees // if (ObpShowAllocAndFree) { DbgPrint( "OB: Free %lx (%lx) - Type: %wZ\n", ObjectHeader, ObjectHeader, &ObjectType->Name ); } #endif // // Decrement the number of objects of this type // ObjectType->TotalNumberOfObjects -= 1; // // Check where we were in the object initialization phase. This // flag really only tests if we have charged quota for this object. // This is because the object create info and the quota block charged // are unioned together. // if (ObjectHeader->Flags & OB_FLAG_NEW_OBJECT) { if (ObjectHeader->ObjectCreateInfo != NULL) { ObpFreeObjectCreateInformation( ObjectHeader->ObjectCreateInfo ); ObjectHeader->ObjectCreateInfo = NULL; } } else { if (ObjectHeader->QuotaBlockCharged != NULL) { if (QuotaInfo != NULL) { PagedPoolCharge = QuotaInfo->PagedPoolCharge + QuotaInfo->SecurityDescriptorCharge; NonPagedPoolCharge = QuotaInfo->NonPagedPoolCharge; } else { PagedPoolCharge = ObjectType->TypeInfo.DefaultPagedPoolCharge; if (ObjectHeader->Flags & OB_FLAG_DEFAULT_SECURITY_QUOTA ) { PagedPoolCharge += SE_DEFAULT_SECURITY_QUOTA; } NonPagedPoolCharge = ObjectType->TypeInfo.DefaultNonPagedPoolCharge; } PsReturnSharedPoolQuota( ObjectHeader->QuotaBlockCharged, PagedPoolCharge, NonPagedPoolCharge ); } } if ((HandleInfo != NULL) && ((ObjectHeader->Flags & OB_FLAG_SINGLE_HANDLE_ENTRY) == 0)) { // // If a handle database has been allocated, then free the memory. // ExFreePool( HandleInfo->HandleCountDataBase ); HandleInfo->HandleCountDataBase = NULL; } // // If a name string buffer has been allocated, then free the memory. // if (NameInfo != NULL && NameInfo->Name.Buffer != NULL) { ExFreePool( NameInfo->Name.Buffer ); NameInfo->Name.Buffer = NULL; } // // Trash type field so we don't get far if we attempt to // use a stale object pointer to this object. // // Sundown Note: trash it by zero-extended it. // sign-extension will create a valid kernel address. ObjectHeader->Type = UIntToPtr(0xBAD0B0B0); ExFreePoolWithTag( FreeBuffer, (ObjectType == NULL ? 'TjbO' : ObjectType->Key) | PROTECTED_POOL ); return; }

VOID FASTCALL ObpFreeObjectNameBuffer (  IN PUNICODE_STRING  ObjectName  )

Referenced by ObCreateObject(), ObOpenObjectByName(), and ObReferenceObjectByName().

ULONG ObpHashBuffer (  PVOID  Data, ULONG  Length )

Definition at line 253 of file obsdata.c. References Buffer. Referenced by ObpHashSecurityDescriptor(). : Hashes a buffer into a 32 bit value Arguments: Data - Buffer containing the data to be hashed. Length - The length in bytes of the buffer Return Value: ULONG - a 32 bit hash value. --*/ { PCHAR Buffer; ULONG Result = 0; LONG i; Buffer = (PCHAR)Data; for (i = 0; i <= (LONG)((Length-3)-sizeof(ULONG)); i++) { ULONG Tmp; Tmp = *((ULONG UNALIGNED *)(Buffer + i)); Result += Tmp; } return( Result ); }

ULONG ObpHashSecurityDescriptor (  PSECURITY_DESCRIPTOR  SecurityDescriptor  )

Definition at line 182 of file obsdata.c. References Dacl, FALSE, Group, NTSTATUS(), NULL, ObpHashBuffer(), Owner, RtlGetDaclSecurityDescriptor(), RtlGetGroupSecurityDescriptor(), RtlGetOwnerSecurityDescriptor(), RtlGetSaclSecurityDescriptor(), RtlLengthSid(), and Status. Referenced by ObpLogSecurityDescriptor(). : Hashes a security descriptor to a 32 bit value Arguments: SecurityDescriptor - Provides the security descriptor to be hashed Return Value: ULONG - a 32 bit hash value. --*/ { PSID Owner = NULL; PSID Group = NULL; PACL Dacl; PACL Sacl; ULONG Hash = 0; BOOLEAN Junk; NTSTATUS Status; BOOLEAN DaclPresent = FALSE; BOOLEAN SaclPresent = FALSE; PISECURITY_DESCRIPTOR sd; // // Cast the actually opaque security descriptor into something // that we can decipher // sd = (PISECURITY_DESCRIPTOR)SecurityDescriptor; Status = RtlGetOwnerSecurityDescriptor( sd, &Owner, &Junk ); Status = RtlGetGroupSecurityDescriptor( sd, &Group, &Junk ); Status = RtlGetDaclSecurityDescriptor( sd, &DaclPresent, &Dacl, &Junk ); Status = RtlGetSaclSecurityDescriptor( sd, &SaclPresent, &Sacl, &Junk ); if ( Owner != NULL ) { Hash = ObpHashBuffer( Owner, RtlLengthSid( Owner )); } if ( Group != NULL ) { Hash += ObpHashBuffer( Group, RtlLengthSid( Group)); } if ( DaclPresent && (Dacl != NULL)) { Hash += ObpHashBuffer( Dacl, Dacl->AclSize); } if ( SaclPresent && (Sacl != NULL)) { Hash += ObpHashBuffer( Sacl, Sacl->AclSize); } return( Hash ); }

NTSTATUS ObpIncrementHandleCount (  OB_OPEN_REASON  OpenReason, PEPROCESS  Process, PVOID  Object, POBJECT_TYPE  ObjectType, PACCESS_STATE AccessState  OPTIONAL, KPROCESSOR_MODE  AccessMode, ULONG  Attributes )

Definition at line 1232 of file obhandle.c. References _OBJECT_TYPE_INITIALIZER::CloseProcedure, EXCEPTION_EXECUTE_HANDLER, FALSE, _OBJECT_HEADER::Flags, GENERIC_ACCESS, _OBJECT_TYPE_INITIALIZER::GenericMapping, _OBJECT_HEADER::HandleCount, _OBJECT_TYPE::HighWaterNumberOfHandles, _OBJECT_TYPE_INITIALIZER::MaintainHandleCount, NT_SUCCESS, NTSTATUS(), NULL, OB_FLAG_EXCLUSIVE_OBJECT, ObCheckObjectAccess(), ObCreateHandle, ObDuplicateHandle, OBJECT_HEADER_TO_CREATOR_INFO, OBJECT_HEADER_TO_EXCLUSIVE_PROCESS, OBJECT_HEADER_TO_QUOTA_INFO, OBJECT_TO_OBJECT_HEADER, ObOpenHandle, ObpBeginTypeSpecificCallOut, ObpChargeQuotaForObject(), ObpDecrHandleCount, ObpEndTypeSpecificCallOut, ObpEnterObjectTypeMutex, ObpIncrementHandleDataBase(), ObpIncrHandleCount, ObpLeaveObjectTypeMutex, ObpValidateIrql, _OBJECT_TYPE_INITIALIZER::OpenProcedure, PAGED_CODE, PsGetCurrentProcess, RtlMapGenericMask(), SeAppendPrivileges(), SePrivilegeCheck(), SePrivilegedServiceAuditAlarm(), SeSecurityPrivilege, Status, _OBJECT_TYPE::TotalNumberOfHandles, TRUE, _OBJECT_TYPE::TypeInfo, _OBJECT_HEADER_CREATOR_INFO::TypeList, _OBJECT_TYPE::TypeList, and VOID(). Referenced by NtDuplicateObject(), ObDupHandleProcedure(), and ObpCreateHandle(). : Increments the count of number of handles to the given object. If the object is being opened or created, access validation and auditing will be performed as appropriate. Arguments: OpenReason - Supplies the reason the handle count is being incremented. Process - Pointer to the process in which the new handle will reside. Object - Supplies a pointer to the body of the object. ObjectType - Supplies the type of the object. AccessState - Optional parameter supplying the current accumulated security information describing the attempt to access the object. AccessMode - Supplies the mode of the requestor. Attributes - Desired attributes for the handle Return Value: An appropriate status value --*/ { NTSTATUS Status; ULONG ProcessHandleCount; BOOLEAN ExclusiveHandle; POBJECT_HEADER_CREATOR_INFO CreatorInfo; POBJECT_HEADER_QUOTA_INFO QuotaInfo; POBJECT_HEADER ObjectHeader; BOOLEAN HasPrivilege = FALSE; PRIVILEGE_SET Privileges; BOOLEAN NewObject; BOOLEAN HoldObjectTypeMutex = FALSE; PAGED_CODE(); ObpValidateIrql( "ObpIncrementHandleCount" ); // // Get a pointer to the object header // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); // // Charge the user quota for the object // Status = ObpChargeQuotaForObject( ObjectHeader, ObjectType, &NewObject ); if (!NT_SUCCESS( Status )) { return Status; } ObpEnterObjectTypeMutex( ObjectType ); HoldObjectTypeMutex = TRUE; try { ExclusiveHandle = FALSE; // // Check if the caller wants exlusive access and if so then // make sure the attributes and header flags match up correctly // if (Attributes & OBJ_EXCLUSIVE) { if ((Attributes & OBJ_INHERIT) || ((ObjectHeader->Flags & OB_FLAG_EXCLUSIVE_OBJECT) == 0)) { Status = STATUS_INVALID_PARAMETER; leave; } if (((OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader) == NULL) && (ObjectHeader->HandleCount != 0)) || ((OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader) != NULL) && (OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader) != PsGetCurrentProcess()))) { Status = STATUS_ACCESS_DENIED; leave; } ExclusiveHandle = TRUE; // // The user doesn't want exclusive access so now check to make sure // the attriutes and header flags match up correctly // } else if ((ObjectHeader->Flags & OB_FLAG_EXCLUSIVE_OBJECT) && (OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader) != NULL)) { Status = STATUS_ACCESS_DENIED; leave; } // // If handle count going from zero to one for an existing object that // maintains a handle count database, but does not have an open procedure // just a close procedure, then fail the call as they are trying to // reopen an object by pointer and the close procedure will not know // that the object has been 'recreated' // if ((ObjectHeader->HandleCount == 0) && (!NewObject) && (ObjectType->TypeInfo.MaintainHandleCount) && (ObjectType->TypeInfo.OpenProcedure == NULL) && (ObjectType->TypeInfo.CloseProcedure != NULL)) { Status = STATUS_UNSUCCESSFUL; leave; } if ((OpenReason == ObOpenHandle) || ((OpenReason == ObDuplicateHandle) && ARGUMENT_PRESENT(AccessState))) { // // Perform Access Validation to see if we can open this // (already existing) object. // if (!ObCheckObjectAccess( Object, AccessState, TRUE, AccessMode, &Status )) { leave; } } else if ((OpenReason == ObCreateHandle)) { // // We are creating a new instance of this object type. // A total of three audit messages may be generated: // // 1 - Audit the attempt to create an instance of this // object type. // // 2 - Audit the successful creation. // // 3 - Audit the allocation of the handle. // // // At this point, the RemainingDesiredAccess field in // the AccessState may still contain either Generic access // types, or MAXIMUM_ALLOWED. We will map the generics // and substitute GenericAll for MAXIMUM_ALLOWED. // if ( AccessState->RemainingDesiredAccess & MAXIMUM_ALLOWED ) { AccessState->RemainingDesiredAccess &= ~MAXIMUM_ALLOWED; AccessState->RemainingDesiredAccess |= GENERIC_ALL; } if ((GENERIC_ACCESS & AccessState->RemainingDesiredAccess) != 0) { RtlMapGenericMask( &AccessState->RemainingDesiredAccess, &ObjectType->TypeInfo.GenericMapping ); } // // Since we are creating the object, we can give any access the caller // wants. The only exception is ACCESS_SYSTEM_SECURITY, which requires // a privilege. // if ( AccessState->RemainingDesiredAccess & ACCESS_SYSTEM_SECURITY ) { // // We could use SeSinglePrivilegeCheck here, but it // captures the subject context again, and we don't // want to do that in this path for performance reasons. // Privileges.PrivilegeCount = 1; Privileges.Control = PRIVILEGE_SET_ALL_NECESSARY; Privileges.Privilege[0].Luid = SeSecurityPrivilege; Privileges.Privilege[0].Attributes = 0; HasPrivilege = SePrivilegeCheck( &Privileges, &AccessState->SubjectSecurityContext, KeGetPreviousMode() ); if (!HasPrivilege) { SePrivilegedServiceAuditAlarm ( NULL, &AccessState->SubjectSecurityContext, &Privileges, FALSE ); Status = STATUS_PRIVILEGE_NOT_HELD; leave; } AccessState->RemainingDesiredAccess &= ~ACCESS_SYSTEM_SECURITY; AccessState->PreviouslyGrantedAccess |= ACCESS_SYSTEM_SECURITY; (VOID) SeAppendPrivileges( AccessState, &Privileges ); } // // Get the objects creator info block and insert it on the // global list of objects for that type // CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO( ObjectHeader ); if (CreatorInfo != NULL) { InsertTailList( &ObjectType->TypeList, &CreatorInfo->TypeList ); } } if (ExclusiveHandle) { OBJECT_HEADER_TO_QUOTA_INFO(ObjectHeader)->ExclusiveProcess = Process; } ObpIncrHandleCount( ObjectHeader ); ProcessHandleCount = 0; // // If the object type wants us to keep try of the handle counts // then call our routine to do the work // if (ObjectType->TypeInfo.MaintainHandleCount) { Status = ObpIncrementHandleDataBase( ObjectHeader, Process, &ProcessHandleCount ); if (!NT_SUCCESS(Status)) { // BUG BUG, We probably need more backout than this, NeillC ObpDecrHandleCount( ObjectHeader ); leave; } } // // Set our preliminary status now to success because // the call to the open procedure might change this // Status = STATUS_SUCCESS; // // If the object type has an open procedure // then invoke that procedure // if (ObjectType->TypeInfo.OpenProcedure != NULL) { KIRQL SaveIrql; // // Leave the object type mutex when call the OpenProcedure. If an exception // while OpenProcedure the HoldObjectTypeMutex disable leaving the mutex // on finally block // ObpLeaveObjectTypeMutex( ObjectType ); HoldObjectTypeMutex = FALSE; ObpBeginTypeSpecificCallOut( SaveIrql ); try { (*ObjectType->TypeInfo.OpenProcedure)( OpenReason, Process, Object, AccessState ? AccessState->PreviouslyGrantedAccess : 0, ProcessHandleCount ); } except( EXCEPTION_EXECUTE_HANDLER ) { Status = GetExceptionCode(); } ObpEndTypeSpecificCallOut( SaveIrql, "Open", ObjectType, Object ); // // Hold back the object type mutex and set the HoldObjectTypeMutex variable // to allow releasing the mutex while leaving this procedure // ObpEnterObjectTypeMutex( ObjectType ); HoldObjectTypeMutex = TRUE; if (!NT_SUCCESS(Status)) { (VOID)ObpDecrHandleCount( ObjectHeader ); leave; } } // // Do some simple bookkeeping for the handle counts // and then return to our caller // ObjectType->TotalNumberOfHandles += 1; if (ObjectType->TotalNumberOfHandles > ObjectType->HighWaterNumberOfHandles) { ObjectType->HighWaterNumberOfHandles = ObjectType->TotalNumberOfHandles; } } finally { if ( HoldObjectTypeMutex ) { ObpLeaveObjectTypeMutex( ObjectType ); } } return( Status ); }

NTSTATUS ObpIncrementUnnamedHandleCount (  PACCESS_MASK  DesiredAccess, PEPROCESS  Process, PVOID  Object, POBJECT_TYPE  ObjectType, KPROCESSOR_MODE  AccessMode, ULONG  Attributes )

Definition at line 1587 of file obhandle.c. References _OBJECT_TYPE_INITIALIZER::CloseProcedure, EXCEPTION_EXECUTE_HANDLER, FALSE, _OBJECT_HEADER::Flags, GENERIC_ACCESS, _OBJECT_TYPE_INITIALIZER::GenericMapping, _OBJECT_HEADER::HandleCount, _OBJECT_TYPE::HighWaterNumberOfHandles, _OBJECT_TYPE_INITIALIZER::MaintainHandleCount, NT_SUCCESS, NTSTATUS(), NULL, OB_FLAG_EXCLUSIVE_OBJECT, ObCreateHandle, OBJECT_HEADER_TO_CREATOR_INFO, OBJECT_HEADER_TO_EXCLUSIVE_PROCESS, OBJECT_HEADER_TO_QUOTA_INFO, OBJECT_TO_OBJECT_HEADER, ObpBeginTypeSpecificCallOut, ObpChargeQuotaForObject(), ObpDecrHandleCount, ObpEndTypeSpecificCallOut, ObpEnterObjectTypeMutex, ObpIncrementHandleDataBase(), ObpIncrHandleCount, ObpLeaveObjectTypeMutex, ObpValidateIrql, _OBJECT_TYPE_INITIALIZER::OpenProcedure, PAGED_CODE, PsGetCurrentProcess, RtlMapGenericMask(), Status, _OBJECT_TYPE::TotalNumberOfHandles, TRUE, _OBJECT_TYPE::TypeInfo, _OBJECT_HEADER_CREATOR_INFO::TypeList, _OBJECT_TYPE::TypeList, and VOID(). Referenced by ObpCreateUnnamedHandle(). : Increments the count of number of handles to the given object. Arguments: Desired Access - Supplies the desired access to the object and receives the assign access mask Process - Pointer to the process in which the new handle will reside. Object - Supplies a pointer to the body of the object. ObjectType - Supplies the type of the object. AccessMode - Supplies the mode of the requestor. Attributes - Desired attributes for the handle Return Value: An appropriate status value --*/ { NTSTATUS Status; BOOLEAN ExclusiveHandle; POBJECT_HEADER_CREATOR_INFO CreatorInfo; POBJECT_HEADER_QUOTA_INFO QuotaInfo; POBJECT_HEADER ObjectHeader; BOOLEAN NewObject; ULONG ProcessHandleCount; BOOLEAN HoldObjectTypeMutex = FALSE; PAGED_CODE(); ObpValidateIrql( "ObpIncrementUnnamedHandleCount" ); // // Get a pointer to the object header // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); // // Charge the user quota for the object // Status = ObpChargeQuotaForObject( ObjectHeader, ObjectType, &NewObject ); if (!NT_SUCCESS( Status )) { return Status; } ObpEnterObjectTypeMutex( ObjectType ); HoldObjectTypeMutex = TRUE; try { ExclusiveHandle = FALSE; // // Check if the caller wants exlusive access and if so then // make sure the attributes and header flags match up correctly // if (Attributes & OBJ_EXCLUSIVE) { if ((Attributes & OBJ_INHERIT) || ((ObjectHeader->Flags & OB_FLAG_EXCLUSIVE_OBJECT) == 0)) { Status = STATUS_INVALID_PARAMETER; leave; } if (((OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader) == NULL) && (ObjectHeader->HandleCount != 0)) || ((OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader) != NULL) && (OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader) != PsGetCurrentProcess()))) { Status = STATUS_ACCESS_DENIED; leave; } ExclusiveHandle = TRUE; // // The user doesn't want exclusive access so now check to make sure // the attriutes and header flags match up correctly // } else if ((ObjectHeader->Flags & OB_FLAG_EXCLUSIVE_OBJECT) && (OBJECT_HEADER_TO_EXCLUSIVE_PROCESS(ObjectHeader) != NULL)) { Status = STATUS_ACCESS_DENIED; leave; } // // If handle count going from zero to one for an existing object that // maintains a handle count database, but does not have an open procedure // just a close procedure, then fail the call as they are trying to // reopen an object by pointer and the close procedure will not know // that the object has been 'recreated' // if ((ObjectHeader->HandleCount == 0) && (!NewObject) && (ObjectType->TypeInfo.MaintainHandleCount) && (ObjectType->TypeInfo.OpenProcedure == NULL) && (ObjectType->TypeInfo.CloseProcedure != NULL)) { Status = STATUS_UNSUCCESSFUL; leave; } // // If the user asked for the maximum allowed then remove the bit and // or in generic all access // if ( *DesiredAccess & MAXIMUM_ALLOWED ) { *DesiredAccess &= ~MAXIMUM_ALLOWED; *DesiredAccess |= GENERIC_ALL; } // If the user asked for any generic bit then translate it to // someone more appropriate for the object type // if ((GENERIC_ACCESS & *DesiredAccess) != 0) { RtlMapGenericMask( DesiredAccess, &ObjectType->TypeInfo.GenericMapping ); } // // Get a pointer to the creator info block for the object and insert // it on the global list of object for that type // CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO( ObjectHeader ); if (CreatorInfo != NULL) { InsertTailList( &ObjectType->TypeList, &CreatorInfo->TypeList ); } if (ExclusiveHandle) { OBJECT_HEADER_TO_QUOTA_INFO(ObjectHeader)->ExclusiveProcess = Process; } ObpIncrHandleCount( ObjectHeader ); ProcessHandleCount = 0; // // If the object type wants us to keep try of the handle counts // then call our routine to do the work // if (ObjectType->TypeInfo.MaintainHandleCount) { Status = ObpIncrementHandleDataBase( ObjectHeader, Process, &ProcessHandleCount ); if (!NT_SUCCESS(Status)) { // BUG BUG, We probably need more backout than this, NeillC ObpDecrHandleCount( ObjectHeader ); leave; } } // // Set our preliminary status now to success because // the call to the open procedure might change this // Status = STATUS_SUCCESS; // // If the object type has an open procedure // then invoke that procedure // if (ObjectType->TypeInfo.OpenProcedure != NULL) { KIRQL SaveIrql; // // Leave the object type mutex when call the OpenProcedure. If an exception // while OpenProcedure the HoldObjectTypeMutex disable leaving the mutex // on finally block // ObpLeaveObjectTypeMutex( ObjectType ); HoldObjectTypeMutex = FALSE; ObpBeginTypeSpecificCallOut( SaveIrql ); try { (*ObjectType->TypeInfo.OpenProcedure)( ObCreateHandle, Process, Object, *DesiredAccess, ProcessHandleCount ); } except( EXCEPTION_EXECUTE_HANDLER ) { Status = GetExceptionCode(); } ObpEndTypeSpecificCallOut( SaveIrql, "Open", ObjectType, Object ); // // Hold back the object type mutex and set the HoldObjectTypeMutex variable // to allow releasing the mutex while leaving this procedure // ObpEnterObjectTypeMutex( ObjectType ); HoldObjectTypeMutex = TRUE; if (!NT_SUCCESS(Status)) { (VOID)ObpDecrHandleCount( ObjectHeader ); leave; } } // // Do some simple bookkeeping for the handle counts // and then return to our caller // ObjectType->TotalNumberOfHandles += 1; if (ObjectType->TotalNumberOfHandles > ObjectType->HighWaterNumberOfHandles) { ObjectType->HighWaterNumberOfHandles = ObjectType->TotalNumberOfHandles; } } finally { if ( HoldObjectTypeMutex ) { ObpLeaveObjectTypeMutex( ObjectType ); } } return( Status ); }

NTSTATUS ObpInitSecurityDescriptorCache (  VOID   )

Definition at line 118 of file obsdata.c. References ExAllocatePoolWithTag, ExFreePool(), ExInitializeResource, IF_OB_GLOBAL, NT_SUCCESS, NTSTATUS(), NULL, ObsSecurityDescriptorCache, ObsSecurityDescriptorCacheLock, PagedPool, SECURITY_DESCRIPTOR_CACHE_ENTRIES, Size, and Status. Referenced by ObInitSystem(). : Allocates and initializes the globalSecurity Descriptor Cache Arguments: None Return Value: STATUS_SUCCESS on success, NTSTATUS on failure. --*/ { ULONG Size; NTSTATUS Status; IF_OB_GLOBAL( BREAK_ON_INIT ) { DbgBreakPoint(); } // // Allocate the cache of pointers and zero it out // Size = SECURITY_DESCRIPTOR_CACHE_ENTRIES * sizeof(PLIST_ENTRY); ObsSecurityDescriptorCache = ExAllocatePoolWithTag( PagedPool, Size, 'cCdS' ); if (ObsSecurityDescriptorCache == NULL ) { return( STATUS_INSUFFICIENT_RESOURCES ); } RtlZeroMemory( ObsSecurityDescriptorCache, Size ); // // Initialize the resource used to protect the security cache // Status = ExInitializeResource ( &ObsSecurityDescriptorCacheLock ); if ( !NT_SUCCESS(Status) ) { ExFreePool( ObsSecurityDescriptorCache ); return( Status ); } // // And return to our caller // return( STATUS_SUCCESS ); }

BOOLEAN ObpInsertDirectoryEntry (  IN POBJECT_DIRECTORY  Directory, IN PVOID  Object )

Definition at line 903 of file obdir.c. References _OBJECT_DIRECTORY_ENTRY::ChainLink, _OBJECT_HEADER_NAME_INFO::Directory, Directory(), ExAllocatePoolWithTag, FALSE, NULL, _OBJECT_DIRECTORY_ENTRY::Object, OBJECT_HEADER_TO_NAME_INFO, OBJECT_TO_OBJECT_HEADER, PagedPool, and TRUE. Referenced by ObCreateObjectType(), ObInitSystem(), and ObpLookupObjectName(). : This routine will insert a new directory entry into a directory object. The directory must have already have been searched using ObpLookupDirectoryEntry because that routine sets the LookupBucket Arguments: Directory - Supplies the directory object being modified. This function assumes that we earlier did a lookup on the name that was successful or we just did an insertion Object - Supplies the object to insert into the directory Return Value: TRUE if the object is inserted successfully and FALSE otherwise --*/ { POBJECT_DIRECTORY_ENTRY *HeadDirectoryEntry; POBJECT_DIRECTORY_ENTRY NewDirectoryEntry; POBJECT_HEADER_NAME_INFO NameInfo; // // Make sure we have a directory and that the last search was // successful, meaning there is a lookupbuket // if (!Directory || Directory->LookupFound) { return( FALSE ); } // // Also verify that we have a good lookupbucket // HeadDirectoryEntry = Directory->LookupBucket; if (!HeadDirectoryEntry) { return( FALSE ); } // // Translate the object into a name info record, and make sure // that the object has a name // NameInfo = OBJECT_HEADER_TO_NAME_INFO( OBJECT_TO_OBJECT_HEADER( Object ) ); if (NameInfo == NULL) { return FALSE; } // // Allocate memory for a new entry, and fail if not enough memory. // NewDirectoryEntry = (POBJECT_DIRECTORY_ENTRY)ExAllocatePoolWithTag( PagedPool, sizeof( OBJECT_DIRECTORY_ENTRY ), 'iDbO' ); if (NewDirectoryEntry == NULL) { return( FALSE ); } // // Link the new entry into the chain at the insertion point. // This puts the new object right at the head of the current // hash bucket chain // NewDirectoryEntry->ChainLink = *HeadDirectoryEntry; *HeadDirectoryEntry = NewDirectoryEntry; NewDirectoryEntry->Object = Object; // // Point the object header back to the directory we just inserted // it into. // NameInfo->Directory = Directory; // // Return success. // Directory->LookupFound = TRUE; return( TRUE ); }

POBJECT_HANDLE_COUNT_ENTRY ObpInsertHandleCount (  POBJECT_HEADER  ObjectHeader  )

Definition at line 908 of file obhandle.c. References _OBJECT_HANDLE_COUNT_DATABASE::CountEntries, ExAllocatePoolWithTag, ExFreePool(), _OBJECT_HEADER::Flags, _OBJECT_HEADER_HANDLE_INFO::HandleCountDataBase, _OBJECT_HANDLE_COUNT_DATABASE::HandleCountEntries, NULL, OB_FLAG_SINGLE_HANDLE_ENTRY, OBJECT_HEADER_TO_HANDLE_INFO, PAGED_CODE, PagedPool, and _OBJECT_HEADER_HANDLE_INFO::SingleEntry. Referenced by ObpIncrementHandleDataBase(). : This function will increase the size of the handle database stored in the handle information of an object header. If necessary it will allocate new and free old handle databases. This routine should not be called if there is already free space in the handle table. Arguments: ObjectHeader - The object whose handle count is being incremented Return Value: The pointer to the next free handle count entry within the handle database. --*/ { POBJECT_HEADER_HANDLE_INFO HandleInfo; POBJECT_HANDLE_COUNT_DATABASE OldHandleCountDataBase; POBJECT_HANDLE_COUNT_DATABASE NewHandleCountDataBase; POBJECT_HANDLE_COUNT_ENTRY FreeHandleCountEntry; ULONG CountEntries; ULONG OldSize; ULONG NewSize; OBJECT_HANDLE_COUNT_DATABASE SingleEntryDataBase; PAGED_CODE(); // // Check if the object has any handle information // HandleInfo = OBJECT_HEADER_TO_HANDLE_INFO(ObjectHeader); if (HandleInfo == NULL) { return NULL; } // // The object does have some handle information. If it has // a single handle entry then we'll construct a local dummy // handle count database and come up with a new data base for // storing two entries. // if (ObjectHeader->Flags & OB_FLAG_SINGLE_HANDLE_ENTRY) { SingleEntryDataBase.CountEntries = 1; SingleEntryDataBase.HandleCountEntries[0] = HandleInfo->SingleEntry; OldHandleCountDataBase = &SingleEntryDataBase; OldSize = sizeof( SingleEntryDataBase ); CountEntries = 2; NewSize = sizeof(OBJECT_HANDLE_COUNT_DATABASE) + ((CountEntries - 1) * sizeof( OBJECT_HANDLE_COUNT_ENTRY )); } else { // // The object already has multiple handles so we reference the // current handle database, and compute a new size bumped by four // OldHandleCountDataBase = HandleInfo->HandleCountDataBase; CountEntries = OldHandleCountDataBase->CountEntries; OldSize = sizeof(OBJECT_HANDLE_COUNT_DATABASE) + ((CountEntries - 1) * sizeof( OBJECT_HANDLE_COUNT_ENTRY)); CountEntries += 4; NewSize = sizeof(OBJECT_HANDLE_COUNT_DATABASE) + ((CountEntries - 1) * sizeof( OBJECT_HANDLE_COUNT_ENTRY)); } // // Now allocate pool for the new handle database. // NewHandleCountDataBase = ExAllocatePoolWithTag(PagedPool, NewSize,'dHbO'); if (NewHandleCountDataBase == NULL) { return NULL; } // // Copy over the old database. Note that this might just copy our // local dummy entry for the single entry case // RtlMoveMemory(NewHandleCountDataBase, OldHandleCountDataBase, OldSize); // // If the previous mode was a single entry then remove that // indication otherwise free up with previous handle database // if (ObjectHeader->Flags & OB_FLAG_SINGLE_HANDLE_ENTRY) { ObjectHeader->Flags &= ~OB_FLAG_SINGLE_HANDLE_ENTRY; } else { ExFreePool( OldHandleCountDataBase ); } // // Find the end of the new database that is used and zero out // the memory // FreeHandleCountEntry = (POBJECT_HANDLE_COUNT_ENTRY)((PCHAR)NewHandleCountDataBase + OldSize); RtlZeroMemory(FreeHandleCountEntry, NewSize - OldSize); // // Set the new database to the proper entry count and put it // all in the object // NewHandleCountDataBase->CountEntries = CountEntries; HandleInfo->HandleCountDataBase = NewHandleCountDataBase; // // And return to our caller // return FreeHandleCountEntry; }

NTSTATUS ObpLogSecurityDescriptor (  IN PSECURITY_DESCRIPTOR  InputSecurityDescriptor, OUT PSECURITY_DESCRIPTOR *  OutputSecurityDescriptor )

Definition at line 297 of file obsdata.c. References ExFreePool(), FALSE, Header, _SECURITY_DESCRIPTOR_HEADER::Link, LINK_TO_SD_HEADER, NULL, ObpAcquireDescriptorCacheWriteLock(), ObpCompareSecurityDescriptors(), ObpCreateCacheEntry(), ObpHashSecurityDescriptor(), ObpReleaseDescriptorCacheLock(), ObPrint, ObsSecurityDescriptorCache, and _SECURITY_DESCRIPTOR_HEADER::SecurityDescriptor. Referenced by ObAssignObjectSecurityDescriptor(), and ObSetSecurityDescriptorInfo(). : Takes a passed security descriptor and registers it into the security descriptor database. Arguments: InputSecurityDescriptor - The new security descriptor to be logged into the database. On a successful return this memory will have been freed back to pool. OutputSecurityDescriptor - Output security descriptor to be used by the caller. Return Value: An appropriate status value --*/ { ULONG FullHash; UCHAR SmallHash; PSECURITY_DESCRIPTOR_HEADER NewDescriptor; PLIST_ENTRY Front; PLIST_ENTRY Back; PSECURITY_DESCRIPTOR_HEADER Header; BOOLEAN Match; FullHash = ObpHashSecurityDescriptor( InputSecurityDescriptor ); SmallHash = (UCHAR)FullHash; // // See if the entry matching SmallHash is in use. // Lock the table first, unlock if if we don't need it. // ObpAcquireDescriptorCacheWriteLock(); Front = ObsSecurityDescriptorCache[SmallHash]; Back = NULL; Match = FALSE; // // Zoom down the hash bucket looking for a full hash match // while ( Front != NULL ) { Header = LINK_TO_SD_HEADER( Front ); // // **** is this test really right? Is the full hash value really // ordered like this? // if ( Header->FullHash > FullHash ) { break; } if ( Header->FullHash == FullHash ) { Match = ObpCompareSecurityDescriptors( InputSecurityDescriptor, &Header->SecurityDescriptor ); if ( Match ) { break; } ObPrint( SHOW_COLLISIONS,("Got a collision on %d, no match\n",SmallHash)); } Back = Front; Front = Front->Flink; } // // If we have a match then we'll get the caller to use the old // cached descriptor, but bumping its ref count, freeing what // the caller supplied and returning the old one to our caller // if ( Match ) { Header->RefCount++; ObPrint( SHOW_REFERENCES, ("Reference Hash = 0x%lX, New RefCount = %d\n",Header->FullHash,Header->RefCount)); *OutputSecurityDescriptor = &Header->SecurityDescriptor; ExFreePool( InputSecurityDescriptor ); ObpReleaseDescriptorCacheLock(); return( STATUS_SUCCESS ); } // // Can't use an existing one, create a new entry // and insert it into the list. // NewDescriptor = ObpCreateCacheEntry( InputSecurityDescriptor, FullHash ); if ( NewDescriptor == NULL ) { ObpReleaseDescriptorCacheLock(); return( STATUS_INSUFFICIENT_RESOURCES ); } #if OB_DIAGNOSTICS_ENABLED ObsTotalCacheEntries++; #endif ObPrint( SHOW_STATISTICS, ("ObsTotalCacheEntries = %d \n",ObsTotalCacheEntries)); ObPrint( SHOW_COLLISIONS, ("Adding new entry for index #%d \n",SmallHash)); // // We don't need the old security descriptor any more. // ExFreePool( InputSecurityDescriptor ); // // The following logic inserts the new security descriptor into the // small hash list. We need to first decide if the we're adding // the entry to the beginning of the list (back is null) or if we're // further in the list. // // **** This logic is plain bizzare because (1) the small hash // should probably just be an array of list heads and not single // pointer value and (2) the doubly linked list of security descriptors // is not circular! This should be fixed to use the regular set // of link list macros // if ( Back == NULL ) { // // We're inserting at the beginning of the list for this // minor index // NewDescriptor->Link.Flink = ObsSecurityDescriptorCache[SmallHash]; ObsSecurityDescriptorCache[SmallHash] = &NewDescriptor->Link; if ( NewDescriptor->Link.Flink != NULL ) { NewDescriptor->Link.Flink->Blink = &NewDescriptor->Link; } } else { // // Hook new descriptor entry into list. // NewDescriptor->Link.Flink = Front; NewDescriptor->Link.Blink = Back; Back->Flink = &NewDescriptor->Link; if (Front != NULL) { Front->Blink = &NewDescriptor->Link; } } // // Set the output security descriptor and return to our caller // *OutputSecurityDescriptor = &NewDescriptor->SecurityDescriptor; ObpReleaseDescriptorCacheLock(); return( STATUS_SUCCESS ); }

PVOID ObpLookupDirectoryEntry (  IN POBJECT_DIRECTORY  Directory, IN PUNICODE_STRING  Name, IN ULONG  Attributes )

Definition at line 705 of file obdir.c. References Buffer, _OBJECT_DIRECTORY_ENTRY::ChainLink, Directory(), FALSE, _OBJECT_HEADER_NAME_INFO::Name, Name, NULL, NUMBER_HASH_BUCKETS, _OBJECT_DIRECTORY_ENTRY::Object, OBJECT_HEADER_TO_NAME_INFO, OBJECT_TO_OBJECT_HEADER, PAGED_CODE, RtlEqualUnicodeString(), RtlUpcaseUnicodeChar(), and TRUE. Referenced by ObCreateObjectType(), ObInitSystem(), ObpDeleteNameCheck(), ObpLookupObjectName(), and ObpProcessDosDeviceSymbolicLink(). : This routine will lookup a single directory entry in a given directory. I believe this routine assumes that it is called with the root directory locked. Also note that this routine does not reference the returned object Arguments: Directory - Supplies the directory being searched Name - Supplies the name of entry we're looking for Attributes - Indicates if the lookup should be case insensitive or not Return Value: Returns a pointer to the corresponding object body if found and NULL otherwise. --*/ { POBJECT_DIRECTORY_ENTRY *HeadDirectoryEntry; POBJECT_DIRECTORY_ENTRY DirectoryEntry; POBJECT_HEADER ObjectHeader; POBJECT_HEADER_NAME_INFO NameInfo; PWCH Buffer; WCHAR Wchar; ULONG HashIndex; ULONG WcharLength; BOOLEAN CaseInSensitive; PAGED_CODE(); // // The caller needs to specify both a directory and a name otherwise // we can't process the request // if (!Directory || !Name) { return( NULL ); // BUG BUG } // // Set a local variable to tell us if the search is case sensitive // if (Attributes & OBJ_CASE_INSENSITIVE) { CaseInSensitive = TRUE; } else { CaseInSensitive = FALSE; } // // Establish our local pointer to the input name buffer and get the // number of unicode characters in the input name. Also make sure // the caller gave us a non null name // Buffer = Name->Buffer; WcharLength = Name->Length / sizeof( *Buffer ); if (!WcharLength || !Buffer) { return( NULL ); // BUG BUG } // // Compute the address of the head of the bucket chain for this name. // HashIndex = 0; while (WcharLength--) { Wchar = *Buffer++; HashIndex += (HashIndex << 1) + (HashIndex >> 1); if (Wchar < 'a') { HashIndex += Wchar; } else if (Wchar > 'z') { HashIndex += RtlUpcaseUnicodeChar( Wchar ); } else { HashIndex += (Wchar - ('a'-'A')); } } HashIndex %= NUMBER_HASH_BUCKETS; HeadDirectoryEntry = (POBJECT_DIRECTORY_ENTRY *)&Directory->HashBuckets[ HashIndex ]; Directory->LookupBucket = HeadDirectoryEntry; // // Walk the chain of directory entries for this hash bucket, looking // for either a match, or the insertion point if no match in the chain. // while ((DirectoryEntry = *HeadDirectoryEntry) != NULL) { // // Get the object header and name from the object body // // This function assumes the name must exist, otherwise it // wouldn't be in a directory // ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryEntry->Object ); NameInfo = OBJECT_HEADER_TO_NAME_INFO( ObjectHeader ); // // Compare strings using appropriate function. // if ((Name->Length == NameInfo->Name.Length) && RtlEqualUnicodeString( Name, &NameInfo->Name, CaseInSensitive )) { // // If name matches, then exit loop with DirectoryEntry // pointing to matching entry. // break; } HeadDirectoryEntry = &DirectoryEntry->ChainLink; } // // At this point, there are two possiblilities: // // - we found an entry that matched and DirectoryEntry points to that // entry. Update the bucket chain so that the entry found is at the // head of the bucket chain. This is so the ObpDeleteDirectoryEntry // and ObpInsertDirectoryEntry functions will work. Also repeated // lookups of the same name will succeed quickly. // // - we did not find an entry that matched and DirectoryEntry is NULL. // if (DirectoryEntry) { Directory->LookupFound = TRUE; // // The following convoluted piece of code moves a directory entry // we've found to the front of the hash list. // if (HeadDirectoryEntry != Directory->LookupBucket) { *HeadDirectoryEntry = DirectoryEntry->ChainLink; DirectoryEntry->ChainLink = *(Directory->LookupBucket); *(Directory->LookupBucket) = DirectoryEntry; } // // Now return the object to our caller // return( DirectoryEntry->Object ); } else { // // Otherwise we didn't find anything so return null // Directory->LookupFound = FALSE; return( NULL ); } }

NTSTATUS ObpLookupObjectName (  IN HANDLE  RootDirectoryHandle, IN PUNICODE_STRING  ObjectName, IN ULONG  Attributes, IN POBJECT_TYPE  ObjectType, IN KPROCESSOR_MODE  AccessMode, IN PVOID ParseContext  OPTIONAL, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos  OPTIONAL, IN PVOID InsertObject  OPTIONAL, IN OUT PACCESS_STATE  AccessState, OUT PBOOLEAN  DirectoryLocked, OUT PVOID *  FoundObject )

Definition at line 1081 of file obdir.c. References ASSERT, _OBJECT_HEADER::Body, _OBJECT_DIRECTORY::DeviceMap, Directory(), _DEVICE_MAP::DosDevicesDirectory, ExAllocatePoolWithTag, ExFreePool(), FALSE, IoFileObjectType, _OBJECT_HEADER_NAME_INFO::Name, NewName, NT_SUCCESS, NTSTATUS(), NULL, OB_PARSE_METHOD, ObCheckCreateObjectAccess(), ObDereferenceObject, OBJECT_HEADER_TO_NAME_INFO, OBJECT_TO_OBJECT_HEADER, ObpBeginTypeSpecificCallOut, ObpCheckTraverseAccess(), ObpDeviceMapLock, ObpDirectoryObjectType, ObpDosDevicesShortName, ObpDosDevicesShortNamePrefix, ObpDosDevicesShortNameRoot, ObpEndTypeSpecificCallOut, ObpEnterRootDirectoryMutex, ObpIncrPointerCount, ObpInsertDirectoryEntry(), ObpLeaveRootDirectoryMutex, ObpLookupDirectoryEntry(), ObpParseSymbolicLink(), ObpRootDirectoryObject, ObpValidateIrql, ObReferenceObject, ObReferenceObjectByHandle(), ObReferenceObjectByPointer(), PagedPool, _OBJECT_TYPE_INITIALIZER::ParseProcedure, PsGetCurrentProcess, _DEVICE_MAP::ReferenceCount, SecurityQos, Status, TOKEN_HAS_TRAVERSE_PRIVILEGE, TRUE, _OBJECT_HEADER::Type, and _OBJECT_TYPE::TypeInfo. Referenced by ObInsertObject(), ObOpenObjectByName(), and ObReferenceObjectByName(). : This function will search a given directoroy for a specified object name. It will also create a new object specified by InsertObject. Arguments: RootDirectoryHandle - Optionally supplies the directory being searched. If not supplied then this routine searches the root directory ObjectName - Supplies the name of object to lookup Attributes - Specifies the attributes for the lookup (e.g., case insensitive) ObjectType - Specifies the type of the object to lookup AccessMode - Specifies the callers processor mode ParseContext - Optionally supplies a parse context that is blindly passed to the parse callback routines SecurityQos - Optionally supplies a pointer to the passed Security Quality of Service parameter that is blindly passed to the parse callback routines InsertObject - Optionally supplies the object we think will be found. This is used if the caller did not give a root directory handle and the object name is "\" and the root object directory hasn't been created yet. In other cases where we wind up creating a new directory entry this is the object inserted. AccessState - Current access state, describing already granted access types, the privileges used to get them, and any access types yet to be granted. The access masks may not contain any generic access types. DirectoryLocked - Receives an indication if this routine has returned with the input directory locked FoundObject - Receives a pointer to the object body if found Return Value: An appropriate status value --*/ { POBJECT_DIRECTORY RootDirectory; POBJECT_DIRECTORY Directory; POBJECT_DIRECTORY ParentDirectory = NULL; POBJECT_HEADER ObjectHeader; POBJECT_HEADER_NAME_INFO NameInfo; PDEVICE_MAP DeviceMap = NULL; PVOID Object; UNICODE_STRING RemainingName; UNICODE_STRING ComponentName; PWCH NewName; NTSTATUS Status; BOOLEAN Reparse; ULONG MaxReparse = OBJ_MAX_REPARSE_ATTEMPTS; OB_PARSE_METHOD ParseProcedure; extern POBJECT_TYPE IoFileObjectType; ObpValidateIrql( "ObpLookupObjectName" ); // // Initialize our output variables to say we haven't lock or found // anything but we were successful at it // *DirectoryLocked = FALSE; *FoundObject = NULL; Status = STATUS_SUCCESS; Object = NULL; // // Check if the caller has given us a directory to search. Otherwise // we'll search the root object directory // if (ARGUMENT_PRESENT( RootDirectoryHandle )) { // // Otherwise reference the directory object and make sure // that we successfully got the object // Status = ObReferenceObjectByHandle( RootDirectoryHandle, 0, NULL, AccessMode, (PVOID *)&RootDirectory, NULL ); if (!NT_SUCCESS( Status )) { return( Status ); } // // Translate the directory object to its object header // ObjectHeader = OBJECT_TO_OBJECT_HEADER( RootDirectory ); // // Now if the name we're looking up starts with a "\" and it // does not have a parse procedure then the syntax is bad // if ((ObjectName->Buffer != NULL) && (*(ObjectName->Buffer) == OBJ_NAME_PATH_SEPARATOR) && (ObjectHeader->Type != IoFileObjectType)) { ObDereferenceObject( RootDirectory ); return( STATUS_OBJECT_PATH_SYNTAX_BAD ); } // // Now make sure that we do not have the directory of the // object types // if (ObjectHeader->Type != ObpDirectoryObjectType) { // // We have an object directory that is not the object type // directory. So now if it doesn't have a parse routine // then there is nothing we can // if (ObjectHeader->Type->TypeInfo.ParseProcedure == NULL) { ObDereferenceObject( RootDirectory ); return( STATUS_INVALID_HANDLE ); } else { MaxReparse = OBJ_MAX_REPARSE_ATTEMPTS; // // The following loop cycles cycles through the various // parse routine to we could encounter trying to resolve // this name through symbolic links. // while (TRUE) { KIRQL SaveIrql; RemainingName = *ObjectName; // // Invoke the callback routine to parse the remaining // object name // ObpBeginTypeSpecificCallOut( SaveIrql ); Status = (*ObjectHeader->Type->TypeInfo.ParseProcedure)( RootDirectory, ObjectType, AccessState, AccessMode, Attributes, ObjectName, &RemainingName, ParseContext, SecurityQos, &Object ); ObpEndTypeSpecificCallOut( SaveIrql, "Parse", ObjectHeader->Type, Object ); // // If the status was not to do a reparse and the lookup // was not successful then we found nothing so we // dereference the directory and return the status to // our caller. If the object we got back was null then // we'll tell our caller that we couldn't find the name. // Lastly if we did not get a reparse and we were // successful and the object is not null then everything // gets nicely returned to our caller // if ( ( Status != STATUS_REPARSE ) && ( Status != STATUS_REPARSE_OBJECT )) { if (!NT_SUCCESS( Status )) { Object = NULL; } else if (Object == NULL) { Status = STATUS_OBJECT_NAME_NOT_FOUND; } ObDereferenceObject( RootDirectory ); *FoundObject = Object; return( Status ); // // We got a status reparse, which means the object // name has been modified to have use start all over // again. If the reparse target is now empty or it // is a path separator then we start the parse at the // root directory // } else if ((ObjectName->Length == 0) || (ObjectName->Buffer == NULL) || (*(ObjectName->Buffer) == OBJ_NAME_PATH_SEPARATOR)) { // // Restart the parse relative to the root directory. // ObDereferenceObject( RootDirectory ); RootDirectory = ObpRootDirectoryObject; RootDirectoryHandle = NULL; break; // // We got a reparse and we actually have a new name to // go to we if we haven't exhausted our reparse attempts // yet then just continue to the top of this loop. // } else if (--MaxReparse) { continue; // // We got a reparse and we've exhausted our times through // the loop so we'll return what we found. // // **** this doesn't seem right. It probably should be // an error // } else { ObDereferenceObject( RootDirectory ); *FoundObject = Object; // // At this point we were failing in stress by // returning to the caller with a success status but // a null object pointer. // if (Object == NULL) { Status = STATUS_OBJECT_NAME_NOT_FOUND; } return( Status ); } } } // // At this point the caller has given us the directory of object // types. If the caller didn't specify a name then we'll return // a pointer to the root object directory. // } else if ((ObjectName->Length == 0) || (ObjectName->Buffer == NULL)) { Status = ObReferenceObjectByPointer( RootDirectory, 0, ObjectType, AccessMode ); if (NT_SUCCESS( Status )) { Object = RootDirectory; } ObDereferenceObject( RootDirectory ); *FoundObject = Object; return( Status ); } // // Otherwise the caller did not specify a directory to search so // we'll default to the object root directory // } else { RootDirectory = ObpRootDirectoryObject; // // If the name we're looking for is empty then it is illformed. // Also it has to start with a "\" or it is illformed. // if ((ObjectName->Length == 0) || (ObjectName->Buffer == NULL) || (*(ObjectName->Buffer) != OBJ_NAME_PATH_SEPARATOR)) { return( STATUS_OBJECT_PATH_SYNTAX_BAD ); } // // Check if the name is has only one character (that is the "\") // Which means that the caller really just wants to lookup the // root directory. // if (ObjectName->Length == sizeof( OBJ_NAME_PATH_SEPARATOR )) { // // If there is not a root directory yet. Then we really // can't return it, however if the caller specified // an insert object that is the one we'll reference and // return to our caller // if (!RootDirectory) { if (InsertObject) { Status = ObReferenceObjectByPointer( InsertObject, 0, ObjectType, AccessMode ); if (NT_SUCCESS( Status )) { *FoundObject = InsertObject; } return( Status ); } else { return( STATUS_INVALID_PARAMETER ); } // // At this point the caller did not specify a root directory, // the name is "\" and the root object directory exists so // we'll simply return the real root directory object // } else { Status = ObReferenceObjectByPointer( RootDirectory, 0, ObjectType, AccessMode ); if (NT_SUCCESS( Status )) { *FoundObject = RootDirectory; } return( Status ); } // // At this pointer the caller did not specify a root directory, // and the name is more than just a "\" // // Now if the lookup is case insensitive, and the name buffer is a // legitimate pointer (meaning that is it quadword aligned), and // there is a dos device map for the process. Then we'll handle // the situation here. First get the device map and make sure it // doesn't go away while we're using it. // } else { KIRQL OldIrql; ExAcquireSpinLock( &ObpDeviceMapLock, &OldIrql ); if ((DeviceMap = PsGetCurrentProcess()->DeviceMap) != NULL) { DeviceMap->ReferenceCount++; ExReleaseSpinLock( &ObpDeviceMapLock, OldIrql ); if (!((ULONG_PTR)(ObjectName->Buffer) & (sizeof(ULONGLONG)-1)) && (DeviceMap->DosDevicesDirectory != NULL )) { // // Check if the object name is actually equal to the // global dos devices short name prefix "\??\" // if ((ObjectName->Length >= ObpDosDevicesShortName.Length) && (*(PULONGLONG)(ObjectName->Buffer) == ObpDosDevicesShortNamePrefix.QuadPart)) { // // The user gave us the dos short name prefix so we'll // look down the directory, and start the search at the // dos device directory // *DirectoryLocked = TRUE; ObpEnterRootDirectoryMutex(); ParentDirectory = RootDirectory; Directory = DeviceMap->DosDevicesDirectory; RemainingName = *ObjectName; RemainingName.Buffer += (ObpDosDevicesShortName.Length / sizeof( WCHAR )); RemainingName.Length -= ObpDosDevicesShortName.Length; goto quickStart; // // The name is not equal to "\??\" but check if it is // equal to "\??" // } else if ((ObjectName->Length == ObpDosDevicesShortName.Length - sizeof( WCHAR )) && (*(PULONG)(ObjectName->Buffer) == ObpDosDevicesShortNameRoot.LowPart) && (*((PWCHAR)(ObjectName->Buffer)+2) == (WCHAR)(ObpDosDevicesShortNameRoot.HighPart))) { // // The user specified "\??" so we return to dos devices // directory to our caller // Status = ObReferenceObjectByPointer( DeviceMap->DosDevicesDirectory, 0, ObjectType, AccessMode ); if (NT_SUCCESS( Status )) { *FoundObject = DeviceMap->DosDevicesDirectory; } // // Dereference the Device Map // { KIRQL OldIrql; ExAcquireSpinLock( &ObpDeviceMapLock, &OldIrql ); DeviceMap->ReferenceCount--; if (DeviceMap->ReferenceCount == 0) { ExReleaseSpinLock( &ObpDeviceMapLock, OldIrql ); DeviceMap->DosDevicesDirectory->DeviceMap = NULL; ObDereferenceObject( DeviceMap->DosDevicesDirectory ); ExFreePool( DeviceMap ); } else { ExReleaseSpinLock( &ObpDeviceMapLock, OldIrql ); } } return( Status ); } } } else { ExReleaseSpinLock( &ObpDeviceMapLock, OldIrql ); } } } // // At this point either // // the user specified a directory that is not the object // type directory and got repase back to the root directory // // the user specified the object type directory and gave us // a name to actually look up // // the user did not specify a search directory (default // to root object directory) and if the name did start off // with the dos device prefix we've munged outselves back to // it to the dos device directory for the process // Reparse = TRUE; MaxReparse = OBJ_MAX_REPARSE_ATTEMPTS; while (Reparse) { RemainingName = *ObjectName; quickStart: Reparse = FALSE; while (TRUE) { Object = NULL; //if (RemainingName.Length == 0) { // Status = STATUS_OBJECT_NAME_INVALID; // break; // } // // If the remaining name for the object starts with a // "\" then just gobble up the "\" // if ( (RemainingName.Length != 0) && (*(RemainingName.Buffer) == OBJ_NAME_PATH_SEPARATOR) ) { RemainingName.Buffer++; RemainingName.Length -= sizeof( OBJ_NAME_PATH_SEPARATOR ); } // // The following piece of code will calculate the first // component of the remaining name. If there is not // a remaining component then the object name is illformed // ComponentName = RemainingName; while (RemainingName.Length != 0) { if (*(RemainingName.Buffer) == OBJ_NAME_PATH_SEPARATOR) { break; } RemainingName.Buffer++; RemainingName.Length -= sizeof( OBJ_NAME_PATH_SEPARATOR ); } ComponentName.Length -= RemainingName.Length; if (ComponentName.Length == 0) { Status = STATUS_OBJECT_NAME_INVALID; break; } // // Now we have the first component name to lookup so we'll // look the directory is necessary // if (!*DirectoryLocked) { *DirectoryLocked = TRUE; ObpEnterRootDirectoryMutex(); Directory = RootDirectory; } // // Now if the caller does not have traverse privilege and // there is a parent directory then we must check if the // user has traverse access to the directory. Our local // Reparse variable should be false at this point so we'll // drop out of both loops // if ( !(AccessState->Flags & TOKEN_HAS_TRAVERSE_PRIVILEGE) && (ParentDirectory != NULL) ) { if (!ObpCheckTraverseAccess( ParentDirectory, DIRECTORY_TRAVERSE, AccessState, FALSE, AccessMode, &Status )) { break; } } // // If the object already exists in this directory, find it, // else return NULL. // Object = ObpLookupDirectoryEntry( Directory, &ComponentName, Attributes ); if (!Object) { // // We didn't find the object. If there is some remaining // name left (meaning the component name is a directory in // path we trying to break) or the caller didn't specify an // insert object then we then we'll break out here with an // error status // if (RemainingName.Length != 0) { Status = STATUS_OBJECT_PATH_NOT_FOUND; break; } if (!InsertObject) { Status = STATUS_OBJECT_NAME_NOT_FOUND; break; } // // Check that the caller has the access to the directory // to either create a subdirectory (in the object type // directory) or to create an object of the given component // name. If the call fails then we'll break out of here // with the status value set // if (!ObCheckCreateObjectAccess( Directory, ObjectType == ObpDirectoryObjectType ? DIRECTORY_CREATE_SUBDIRECTORY : DIRECTORY_CREATE_OBJECT, AccessState, &ComponentName, FALSE, AccessMode, &Status )) { break; } // // The object does not exist in the directory and // we are allowed to create one. So allocate space // for the name and insert the name into the directory // NewName = ExAllocatePoolWithTag( PagedPool, ComponentName.Length, 'mNbO' ); if ((NewName == NULL) || !ObpInsertDirectoryEntry( Directory, InsertObject )) { if (NewName != NULL) { ExFreePool( NewName ); } Status = STATUS_INSUFFICIENT_RESOURCES; break; } // // We have an insert object so now get its name info, // because we are going to change its name and insert it // into the directory // ObReferenceObject( InsertObject ); ObjectHeader = OBJECT_TO_OBJECT_HEADER( InsertObject ); NameInfo = OBJECT_HEADER_TO_NAME_INFO( ObjectHeader ); ObReferenceObject( Directory ); RtlMoveMemory( NewName, ComponentName.Buffer, ComponentName.Length ); if (NameInfo->Name.Buffer) { ExFreePool( NameInfo->Name.Buffer ); } NameInfo->Name.Buffer = NewName; NameInfo->Name.Length = ComponentName.Length; NameInfo->Name.MaximumLength = ComponentName.Length; Object = InsertObject; Status = STATUS_SUCCESS; break; } // // At this point we've found the component name within // the directory. So we'll now grab the components object // header, and get its parse routine // ReparseObject: ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ParseProcedure = ObjectHeader->Type->TypeInfo.ParseProcedure; // // Now if there is a parse routine for the type and we are not // inserting a new object or the parse routine is for symbolic // links then we'll actually call the parse routine // if (ParseProcedure && (!InsertObject || (ParseProcedure == ObpParseSymbolicLink))) { KIRQL SaveIrql; // // Reference the object and then free the directory lock // This will keep the object from going away with the // directory unlocked // ObpIncrPointerCount( ObjectHeader ); ASSERT(*DirectoryLocked); ObpLeaveRootDirectoryMutex(); *DirectoryLocked = FALSE; ObpBeginTypeSpecificCallOut( SaveIrql ); // // Call the objects parse routine // Status = (*ParseProcedure)( Object, (PVOID)ObjectType, AccessState, AccessMode, Attributes, ObjectName, &RemainingName, ParseContext, SecurityQos, &Object ); ObpEndTypeSpecificCallOut( SaveIrql, "Parse", ObjectHeader->Type, Object ); // // We can now decrement the object reference count // ObDereferenceObject( &ObjectHeader->Body ); // // Check if we have some reparsing to do // if ((Status == STATUS_REPARSE) || (Status == STATUS_REPARSE_OBJECT)) { // // See if we've reparsed too many times already and if // so we'll fail the request // if (--MaxReparse) { // // Tell the outer loop to continue looping // Reparse = TRUE; // // Check if we have a reparse object or the name // starts with a "\" // if ((Status == STATUS_REPARSE_OBJECT) || (*(ObjectName->Buffer) == OBJ_NAME_PATH_SEPARATOR)) { // // If the user specified a start directory then // remove this information because we're taking // a reparse point to someplace else // if (ARGUMENT_PRESENT( RootDirectoryHandle )) { ObDereferenceObject( RootDirectory ); RootDirectoryHandle = NULL; } // // And where we start is the root directory // object // ParentDirectory = NULL; RootDirectory = ObpRootDirectoryObject; // // Now if this is a reparse object (means we have // encountered a symbolic link that has already been // snapped so we have an object and remaining // name that need to be examined) and we didn't // find an object from the parse routine object // break out of both loops. // if (Status == STATUS_REPARSE_OBJECT) { Reparse = FALSE; if (Object == NULL) { Status = STATUS_OBJECT_NAME_NOT_FOUND; } else { // // At this point we have a reparse object // so we'll look the directory down and // parse the new object // *DirectoryLocked = TRUE; ObpEnterRootDirectoryMutex(); goto ReparseObject; } } // // We did not have a reparse object and the name // does not start with a "\". Meaning we got back // STATUS_REPASE, so now check if the directory // is the root object directory and if so then // we didn't the name otherwise we'll drop out of // the inner loop and reparse true to get back to // outer loop // } else if (RootDirectory == ObpRootDirectoryObject) { Object = NULL; Status = STATUS_OBJECT_NAME_NOT_FOUND; Reparse = FALSE; } } else { // // **** this should probably be a differnt error // status related to too many reparse points // Object = NULL; Status = STATUS_OBJECT_NAME_NOT_FOUND; } // // We are not reparsing and if we did not get success then // the object is null and we'll break out of our loops // } else if (!NT_SUCCESS( Status )) { Object = NULL; // // We are not reparsing and we got back success but check // if the object is null because that means we really didn't // find the object, and then break out of our loops // // If the object is not null then we've been successful and // prosperous so break out with the object set. // } else if (Object == NULL) { Status = STATUS_OBJECT_NAME_NOT_FOUND; } break; } else { // // At this point we do not have a parse routine or if there // is a parse routine it is not for symbolic links or there // may not be a specified insert object // // Check to see if we have exhausted the remaining name // if (RemainingName.Length == 0) { // // Check if the caller specified an object to insert. // If specified then we'll break out of our loops with // the object that we've found // if (!InsertObject) { // // The user did not specify an insert object // so we're opening an existing object. Make sure // we have traverse access to the container // directory. // if ( !(AccessState->Flags & TOKEN_HAS_TRAVERSE_PRIVILEGE) ) { if (!ObpCheckTraverseAccess( Directory, DIRECTORY_TRAVERSE, AccessState, FALSE, AccessMode, &Status )) { Object = NULL; break; } } Status = ObReferenceObjectByPointer( Object, 0, ObjectType, AccessMode ); if (!NT_SUCCESS( Status )) { Object = NULL; } } break; } else { // // There is some name remaining names to process // if the directory we're looking at is the // directory of object types and set ourselves // up to parse it all over again. // if (ObjectHeader->Type == ObpDirectoryObjectType) { ParentDirectory = Directory; Directory = (POBJECT_DIRECTORY)Object; } else { // // Otherwise there has been a mismatch so we'll // set our error status and break out of the // loops // Status = STATUS_OBJECT_TYPE_MISMATCH; Object = NULL; break; } } } } } // // If the device map has been referenced then dereference it // if (DeviceMap != NULL) { KIRQL OldIrql; ExAcquireSpinLock( &ObpDeviceMapLock, &OldIrql ); DeviceMap->ReferenceCount--; if (DeviceMap->ReferenceCount == 0) { ExReleaseSpinLock( &ObpDeviceMapLock, OldIrql ); DeviceMap->DosDevicesDirectory->DeviceMap = NULL; ObDereferenceObject( DeviceMap->DosDevicesDirectory ); ExFreePool( DeviceMap ); } else { ExReleaseSpinLock( &ObpDeviceMapLock, OldIrql ); } } // // At this point we've parsed the object name as much as possible // going through symbolic links as necessary. So now set the // output object pointer, and if we really did not find an object // then we might need to modify the error status. If the // status was repase or some success status then translate it // to name not found. // if (!(*FoundObject = Object)) { if (Status == STATUS_REPARSE) { Status = STATUS_OBJECT_NAME_NOT_FOUND; } else if (NT_SUCCESS( Status )) { Status = STATUS_OBJECT_NAME_NOT_FOUND; } } // // If the caller gave us a root directory to search (and we didn't // zero out this value) then free up our reference // if (ARGUMENT_PRESENT( RootDirectoryHandle )) { ObDereferenceObject( RootDirectory ); RootDirectoryHandle = NULL; } // // And return to our caller // return( Status ); }

NTSTATUS ObpParseSymbolicLink (  IN PVOID  ParseObject, IN PVOID  ObjectType, IN PACCESS_STATE  AccessState, IN KPROCESSOR_MODE  AccessMode, IN ULONG  Attributes, IN OUT PUNICODE_STRING  CompleteName, IN OUT PUNICODE_STRING  RemainingName, IN OUT PVOID Context  OPTIONAL, IN PSECURITY_QUALITY_OF_SERVICE SecurityQos  OPTIONAL, OUT PVOID *  Object )

Definition at line 501 of file oblink.c. References ExAllocatePoolWithTag, ExFreePool(), _OBJECT_SYMBOLIC_LINK::LinkTarget, _OBJECT_SYMBOLIC_LINK::LinkTargetObject, _OBJECT_SYMBOLIC_LINK::LinkTargetRemaining, NewName, NonPagedPool, NT_SUCCESS, NTSTATUS(), NULL, ObpEnterRootDirectoryMutex, ObpLeaveRootDirectoryMutex, ObReferenceObjectByPointer(), PAGED_CODE, Status, and USHORT. Referenced by ObInitSystem(), and ObpLookupObjectName(). : This is the call back routine for parsing symbolic link objects. It is invoked as part of ObpLookupObjectName Arguments: ParseObject - This will actually be a symbolic link object ObjectType - Specifies the type of the object to lookup AccessState - Current access state, describing already granted access types, the privileges used to get them, and any access types yet to be granted. The access masks may not contain any generic access types. AccessMode - Specifies the callers processor mode Attributes - Specifies the attributes for the lookup (e.g., case insensitive) CompleteName - Supplies a pointer to the complete name that we are trying to open. On return this could be modified to fit the new reparse buffer RemainingName - Supplies a pointer to the remaining name that we are trying to open. On return this will point to what remains after we processed the symbolic link. Context - Unused SecurityQos - Unused Object - Receives a pointer to the symbolic link object that we resolve to Return Value: STATUS_REPARSE_OBJECT if the parse object is already a snapped symbolic link meaning we've modified the remaining name and and have returned the target object of the symbolic link STATUS_REPARSE if the parse object has not been snapped. In this case the Complete name has been modified with the link target name added in front of the remaining name. The parameters remaining name and object must now be ignored by the caller An appropriate error value --*/ { ULONG NewLength; USHORT Length; USHORT MaximumLength; PWCHAR NewName, NewRemainingName; ULONG InsertAmount; NTSTATUS Status; POBJECT_SYMBOLIC_LINK SymbolicLink; PUNICODE_STRING LinkTargetName; PAGED_CODE(); // // This routine needs to be synchonized with the delete symbolic link // operation. Which uses the root directory mutex. // ObpEnterRootDirectoryMutex(); try { *Object = NULL; // // If there isn't any name remaining and the caller gave us // an object type then we'll reference the parse object. If // this is successful then that's the object we return. Otherwise // if the status is anything but a type mismatch then we'll // return that error status // if (RemainingName->Length == 0) { if ( ObjectType ) { Status = ObReferenceObjectByPointer( ParseObject, 0, ObjectType, AccessMode ); if (NT_SUCCESS( Status )) { *Object = ParseObject; leave; } else if (Status != STATUS_OBJECT_TYPE_MISMATCH) { leave; } } // // If the remaining name does not start with a "\" then // its is illformed and we'll call it a type mismatch // } else if (*(RemainingName->Buffer) != OBJ_NAME_PATH_SEPARATOR) { Status = STATUS_OBJECT_TYPE_MISMATCH; leave; } // // A symbolic link has been encountered. See if this link has been snapped // to a particular object. // SymbolicLink = (POBJECT_SYMBOLIC_LINK)ParseObject; if (SymbolicLink->LinkTargetObject != NULL) { // // This is a snapped link. Get the remaining portion of the // symbolic link target, if any. // LinkTargetName = &SymbolicLink->LinkTargetRemaining; if (LinkTargetName->Length == 0) { // // Remaining link target string is zero, so return to caller // quickly with snapped object pointer and remaining object name // which we haven't touched yet. // *Object = SymbolicLink->LinkTargetObject; Status = STATUS_REPARSE_OBJECT; leave; } // // We have a snapped symbolic link that has additional text. // Insert that in front of the current remaining name, preserving // and text between CompleteName and RemainingName // InsertAmount = LinkTargetName->Length; if ((LinkTargetName->Buffer[ (InsertAmount / sizeof( WCHAR )) - 1 ] == OBJ_NAME_PATH_SEPARATOR) && (*(RemainingName->Buffer) == OBJ_NAME_PATH_SEPARATOR)) { // // Both the link target name ends in a "\" and the remaining // starts with a "\" but we only need one when we're done // InsertAmount -= sizeof( WCHAR ); } // // **** don't see why we need to bias the differnce between two // pointers with * sizeof(wchar) // NewLength = (ULONG)(((RemainingName->Buffer - CompleteName->Buffer) * sizeof( WCHAR )) + InsertAmount + RemainingName->Length); if (NewLength > 0xFFF0) { Status = STATUS_NAME_TOO_LONG; leave; } Length = (USHORT)NewLength; // // Now check if the new computed length is too big for the input // buffer containing the complete name // if (CompleteName->MaximumLength <= Length) { // // The new concatentated name is larger than the buffer supplied for // the complete name. Allocate space for this new string // MaximumLength = Length + sizeof( UNICODE_NULL ); NewName = ExAllocatePoolWithTag( NonPagedPool, MaximumLength, 'mNbO' ); if (NewName == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; leave; } // // Calculate the pointer within this buffer for the remaining // name. This value has not been biased by the new link // target name // NewRemainingName = NewName + (RemainingName->Buffer - CompleteName->Buffer); // // Copy over all the names that we've processed so far // RtlMoveMemory( NewName, CompleteName->Buffer, ((RemainingName->Buffer - CompleteName->Buffer) * sizeof( WCHAR ))); // // If we have some remaining names then those over at the // the location offset to hold the link target name // if (RemainingName->Length != 0) { RtlMoveMemory( (PVOID)((PUCHAR)NewRemainingName + InsertAmount), RemainingName->Buffer, RemainingName->Length ); } // // Now insert the link target name // RtlMoveMemory( NewRemainingName, LinkTargetName->Buffer, InsertAmount ); // // Free the old complete name buffer and reset the input // strings to use the new buffer // ExFreePool( CompleteName->Buffer ); CompleteName->Buffer = NewName; CompleteName->Length = Length; CompleteName->MaximumLength = MaximumLength; RemainingName->Buffer = NewRemainingName; RemainingName->Length = Length - (USHORT)((PCHAR)NewRemainingName - (PCHAR)NewName); RemainingName->MaximumLength = RemainingName->Length + sizeof( UNICODE_NULL ); } else { // // Insert extra text associated with this symbolic link name before // existing remaining name, if any. // // First shove over the remaining name to make a hole for the // link target name // if (RemainingName->Length != 0) { RtlMoveMemory( (PVOID)((PUCHAR)RemainingName->Buffer + InsertAmount), RemainingName->Buffer, RemainingName->Length ); } // // Now insert the link target name // RtlMoveMemory( RemainingName->Buffer, LinkTargetName->Buffer, InsertAmount ); // // Adjust input strings to account for this inserted text // CompleteName->Length += LinkTargetName->Length; RemainingName->Length += LinkTargetName->Length; RemainingName->MaximumLength += RemainingName->Length + sizeof( UNICODE_NULL ); CompleteName->Buffer[ CompleteName->Length / sizeof( WCHAR ) ] = UNICODE_NULL; } // // Return the object address associated with snapped symbolic link // and the reparse object status code. // *Object = SymbolicLink->LinkTargetObject; Status = STATUS_REPARSE_OBJECT; leave; } // // The symbolic has not yet been snapped // // Compute the size of the new name and check if the name will // fit in the existing complete name buffer. // LinkTargetName = &SymbolicLink->LinkTarget; NewLength = LinkTargetName->Length + RemainingName->Length; if (NewLength > 0xFFF0) { Status = STATUS_NAME_TOO_LONG; leave; } Length = (USHORT)NewLength; if (CompleteName->MaximumLength <= Length) { // // The new concatentated name is larger than the buffer supplied for // the complete name. // MaximumLength = Length + sizeof( UNICODE_NULL ); NewName = ExAllocatePoolWithTag( NonPagedPool, MaximumLength, 'mNbO' ); if (NewName == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; leave; } } else { MaximumLength = CompleteName->MaximumLength; NewName = CompleteName->Buffer; } // // Concatenate the symbolic link name with the remaining name, // if any. What this does is overwrite the front of the complete // name up to the remaining name with the links target name // if (RemainingName->Length != 0) { RtlMoveMemory( (PVOID)((PUCHAR)NewName + LinkTargetName->Length), RemainingName->Buffer, RemainingName->Length ); } RtlMoveMemory( NewName, LinkTargetName->Buffer, LinkTargetName->Length ); NewName[ Length / sizeof( WCHAR ) ] = UNICODE_NULL; // // If a new name buffer was allocated, then free the original complete // name buffer. // if (NewName != CompleteName->Buffer) { ExFreePool( CompleteName->Buffer ); } // // Set the new complete name buffer parameters and return a reparse // status. // CompleteName->Buffer = NewName; CompleteName->Length = Length; CompleteName->MaximumLength = MaximumLength; Status = STATUS_REPARSE; } finally { ObpLeaveRootDirectoryMutex(); } return Status; }

VOID ObpProcessRemoveObjectQueue (  PVOID  Parameter  )

Definition at line 1299 of file obref.c. References _OBJECT_HEADER::Body, FALSE, NULL, ObpLock, ObpRemoveObjectQueue, ObpRemoveObjectRoutine(), and ObpRemoveQueueActive. Referenced by ObfDereferenceObject(). : This is the work routine for the remove object work queue. Its job is to remove and process items from the remove object queue. Arguments: Parameter - Ignored Return Value: None. --*/ { PSINGLE_LIST_ENTRY Entry; POBJECT_HEADER ObjectHeader; KIRQL OldIrql; // // Lock the work queue this will keep the preceding routine // from monkeying with the queue // ExAcquireSpinLock( &ObpLock, &OldIrql ); // // While there are items in our private remove object work queue // then we remove each item, get back up to the object header, // and delete the object. The latter part done outside of the // work queue lock // Entry = PopEntryList( (PSINGLE_LIST_ENTRY)&ObpRemoveObjectQueue ); while ( Entry != NULL ) { ExReleaseSpinLock( &ObpLock, OldIrql ); ObjectHeader = CONTAINING_RECORD( Entry, OBJECT_HEADER, SEntry ); ObpRemoveObjectRoutine( &ObjectHeader->Body ); ExAcquireSpinLock( &ObpLock, &OldIrql ); Entry = PopEntryList((PSINGLE_LIST_ENTRY)&ObpRemoveObjectQueue ); } // // Indicate that we are now going inactive and then unlock // the work queue // ObpRemoveQueueActive = FALSE; ExReleaseSpinLock( &ObpLock, OldIrql ); return; }

PSECURITY_DESCRIPTOR ObpReferenceSecurityDescriptor (  PVOID  Object  )

Definition at line 559 of file obsdata.c. References ASSERT, _SECURITY_DESCRIPTOR_HEADER::FullHash, IF_OB_GLOBAL, NULL, OBJECT_TO_OBJECT_HEADER, ObpAcquireDescriptorCacheWriteLock(), ObpCentralizedSecurity, ObpReleaseDescriptorCacheLock(), ObPrint, _SECURITY_DESCRIPTOR_HEADER::RefCount, RtlValidSecurityDescriptor(), SD_TO_SD_HEADER, and _OBJECT_HEADER::Type. Referenced by ObGetObjectSecurity(). : References the security descriptor of the passed object. Arguments: Object - Object being access validated. Return Value: The security descriptor of the object. --*/ { PSECURITY_DESCRIPTOR_HEADER SecurityDescriptorHeader; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; PSECURITY_DESCRIPTOR SecurityDescriptor; // // Make sure the sure that the object in question is being // maintained by the system and doesn't have it own security // management routines. // // **** the first two lines should probably be only done on // a checked build // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; ASSERT( ObpCentralizedSecurity(ObjectType) ); // // Lock the security descriptor cache and get the objects // security descriptor // ObpAcquireDescriptorCacheWriteLock(); SecurityDescriptor = OBJECT_TO_OBJECT_HEADER( Object )->SecurityDescriptor; IF_OB_GLOBAL( STOP_INVALID_DESCRIPTOR ) { if((SecurityDescriptor != NULL) && (!RtlValidSecurityDescriptor ( SecurityDescriptor ))) { DbgBreakPoint(); } } // // If the object has a security descriptor then we need to // get the security descriptor header and increment its // ref count before releasing the lock and returning to // our caller // if ( SecurityDescriptor != NULL ) { SecurityDescriptorHeader = SD_TO_SD_HEADER( SecurityDescriptor ); ObPrint( SHOW_REFERENCES, ("Referencing Hash %lX, Refcount = %d \n",SecurityDescriptorHeader->FullHash,SecurityDescriptorHeader->RefCount)); SecurityDescriptorHeader->RefCount++; } ObpReleaseDescriptorCacheLock(); return( SecurityDescriptor ); }

VOID ObpReleaseDescriptorCacheLock (  VOID   )

Definition at line 942 of file obsdata.c. References ExReleaseResource, KeLeaveCriticalRegion, ObsSecurityDescriptorCacheLock, and VOID(). Referenced by NtQueryObject(), ObDeassignSecurity(), ObpDereferenceSecurityDescriptor(), ObpLogSecurityDescriptor(), ObpReferenceSecurityDescriptor(), ObQuerySecurityDescriptorInfo(), and ObSetSecurityDescriptorInfo(). : Releases a lock on the security descriptor cache. Arguments: none Return Value: None. --*/ { (VOID)ExReleaseResource( &ObsSecurityDescriptorCacheLock ); KeLeaveCriticalRegion (); return; }

VOID ObpRemoveObjectRoutine (  PVOID  Object  )

Definition at line 1370 of file obref.c. References _OBJECT_TYPE_INITIALIZER::DeleteProcedure, DeleteSecurityDescriptor, ExFreePool(), _OBJECT_HEADER_NAME_INFO::Name, NTSTATUS(), NULL, OBJECT_HEADER_TO_CREATOR_INFO, OBJECT_HEADER_TO_NAME_INFO, OBJECT_TO_OBJECT_HEADER, ObpBeginTypeSpecificCallOut, ObpEndTypeSpecificCallOut, ObpEnterObjectTypeMutex, ObpFreeObject(), ObpLeaveObjectTypeMutex, ObpValidateIrql, PAGED_CODE, _OBJECT_HEADER::SecurityDescriptor, _OBJECT_TYPE_INITIALIZER::SecurityProcedure, Status, _OBJECT_HEADER::Type, _OBJECT_TYPE::TypeInfo, and _OBJECT_HEADER_CREATOR_INFO::TypeList. Referenced by ObfDereferenceObject(), and ObpProcessRemoveObjectQueue(). : This routine is used to delete an object whose reference count has gone to zero. Arguments: Object - Supplies a pointer to the body of the object being deleted Return Value: None. --*/ { NTSTATUS Status; POBJECT_HEADER ObjectHeader; POBJECT_TYPE ObjectType; POBJECT_HEADER_CREATOR_INFO CreatorInfo; POBJECT_HEADER_NAME_INFO NameInfo; PAGED_CODE(); ObpValidateIrql( "ObpRemoveObjectRoutine" ); // // Retrieve an object header from the object body, and also get // the object type, creator and name info if available // ObjectHeader = OBJECT_TO_OBJECT_HEADER( Object ); ObjectType = ObjectHeader->Type; CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO( ObjectHeader ); NameInfo = OBJECT_HEADER_TO_NAME_INFO( ObjectHeader ); // // Get exclusive access to the object type object // ObpEnterObjectTypeMutex( ObjectType ); // // If there is a creator info record and we are on the list // for the object type then remove this object from the list // if (CreatorInfo != NULL && !IsListEmpty( &CreatorInfo->TypeList )) { RemoveEntryList( &CreatorInfo->TypeList ); } // // If there is a name info record and the name buffer is not null // then free the buffer and zero out the name record // if (NameInfo != NULL && NameInfo->Name.Buffer != NULL) { ExFreePool( NameInfo->Name.Buffer ); NameInfo->Name.Buffer = NULL; NameInfo->Name.Length = 0; NameInfo->Name.MaximumLength = 0; } // // We are done with the object type object so we can now release it // ObpLeaveObjectTypeMutex( ObjectType ); // // Security descriptor deletion must precede the // call to the object's DeleteProcedure. Check if we have // a security descriptor and if so then call the routine // to delete the security descritpor. // if (ObjectHeader->SecurityDescriptor != NULL) { KIRQL SaveIrql; ObpBeginTypeSpecificCallOut( SaveIrql ); Status = (ObjectType->TypeInfo.SecurityProcedure)( Object, DeleteSecurityDescriptor, NULL, NULL, NULL, &ObjectHeader->SecurityDescriptor, 0, NULL ); ObpEndTypeSpecificCallOut( SaveIrql, "Security", ObjectType, Object ); } // // Now if there is a delete callback for the object type invoke // the routine // if (ObjectType->TypeInfo.DeleteProcedure) { KIRQL SaveIrql; ObpBeginTypeSpecificCallOut( SaveIrql ); (*(ObjectType->TypeInfo.DeleteProcedure))( Object ); ObpEndTypeSpecificCallOut( SaveIrql, "Delete", ObjectType, Object ); } // // Finally return the object back to pool including releasing any quota // charges // ObpFreeObject( Object ); }

VOID ObpUnlockObjectDirectoryPath (  IN POBJECT_DIRECTORY  LockedDirectory  )

NTSTATUS ObpValidateAccessMask (  PACCESS_STATE  AccessState  )

Definition at line 1886 of file obse.c. References NULL, PAGED_CODE, _ACCESS_STATE::PreviouslyGrantedAccess, _ACCESS_STATE::RemainingDesiredAccess, and _ACCESS_STATE::SecurityDescriptor. Referenced by ObInsertObject(), and ObOpenObjectByName(). : Checks the desired access mask of a passed object against the passed security descriptor. Arguments: AccessState - A pointer to the AccessState for the pending operation. Return Value: Only returns STATUS_SUCCESS --*/ { SECURITY_DESCRIPTOR *SecurityDescriptor = AccessState->SecurityDescriptor; PAGED_CODE(); // // First make sure the access state has a security descriptor. If there // is one and it has a system acl and the previously granted access did // not include system security then add the fact that we want system // security to the remaining desired access state. // if (SecurityDescriptor != NULL) { if ( SecurityDescriptor->Control & SE_SACL_PRESENT ) { if ( !(AccessState->PreviouslyGrantedAccess & ACCESS_SYSTEM_SECURITY)) { AccessState->RemainingDesiredAccess |= ACCESS_SYSTEM_SECURITY; } } } return( STATUS_SUCCESS ); }

NTSTATUS ObpValidateDesiredAccess (  IN ACCESS_MASK  DesiredAccess  )

Definition at line 2752 of file obhandle.c. Referenced by NtDuplicateObject(). : This routine checks the input desired access mask to see that some invalid bits are not set. The invalid bits are the top two reserved bits and the top three standard rights bits. See \nt\public\sdk\inc\ntseapi.h for more details. Arguments: DesiredAccess - Supplies the mask being checked Return Value: STATUS_ACCESS_DENIED if one or more of the wrongs bits are set and STATUS_SUCCESS otherwise --*/ { if (DesiredAccess & 0x0CE00000) { return( STATUS_ACCESS_DENIED ); } else { return( STATUS_SUCCESS ); } }

---

Variable Documentation

NPAGED_LOOKASIDE_LIST ObpCreateInfoLookasideList

Definition at line 384 of file obp.h. Referenced by ObInitSystem().

KEVENT ObpDefaultObject

Definition at line 88 of file obp.h. Referenced by ObCreateObjectType(), and ObInitSystem().

KSPIN_LOCK ObpDeviceMapLock

Definition at line 98 of file obp.h. Referenced by ObDereferenceDeviceMap(), ObInheritDeviceMap(), ObInitSystem(), ObpLookupObjectName(), ObQueryDeviceMapInformation(), and ObSetDeviceMap().

POBJECT_TYPE ObpDeviceMapObjectType

Definition at line 369 of file obp.h.

POBJECT_TYPE ObpDirectoryObjectType

Definition at line 367 of file obp.h. Referenced by NtCreateDirectoryObject(), NtOpenDirectoryObject(), NtQueryDirectoryObject(), ObAssignSecurity(), ObInitSystem(), ObpLookupObjectName(), ObpProcessDosDeviceSymbolicLink(), ObSetDeviceMap(), and ObSetSecurityDescriptorInfo().

UNICODE_STRING ObpDosDevicesShortName

Definition at line 375 of file obp.h.

ULARGE_INTEGER ObpDosDevicesShortNamePrefix

Definition at line 373 of file obp.h.

ULARGE_INTEGER ObpDosDevicesShortNameRoot

Definition at line 374 of file obp.h.

PHANDLE_TABLE ObpKernelHandleTable

Definition at line 399 of file obp.h. Referenced by NtClose(), NtSetInformationObject(), NtWaitForMultipleObjects(), ObInitSystem(), ObpCreateHandle(), ObpCreateUnnamedHandle(), and ObReferenceObjectByHandle().

KSPIN_LOCK ObpLock

Definition at line 87 of file obp.h. Referenced by ObfDereferenceObject(), ObInitSystem(), and ObpProcessRemoveObjectQueue().

NPAGED_LOOKASIDE_LIST ObpNameBufferLookasideList

Definition at line 392 of file obp.h. Referenced by ObInitSystem().

POBJECT_TYPE ObpObjectTypes[OBP_MAX_DEFINED_OBJECT_TYPES]

Definition at line 229 of file obp.h. Referenced by NtQueryObject(), and ObCreateObjectType().

PSINGLE_LIST_ENTRY ObpRemoveObjectQueue

Definition at line 90 of file obp.h. Referenced by ObfDereferenceObject(), ObInitSystem(), and ObpProcessRemoveObjectQueue().

WORK_QUEUE_ITEM ObpRemoveObjectWorkItem

Definition at line 89 of file obp.h. Referenced by ObfDereferenceObject().

ERESOURCE ObpRootDirectoryMutex

Definition at line 377 of file obp.h. Referenced by ObInitSystem().

POBJECT_DIRECTORY ObpRootDirectoryObject

Definition at line 370 of file obp.h.

POBJECT_TYPE ObpSymbolicLinkObjectType

Definition at line 368 of file obp.h. Referenced by NtCreateSymbolicLinkObject(), NtOpenSymbolicLinkObject(), NtQueryObject(), NtQuerySymbolicLinkObject(), ObInitSystem(), ObInsertObject(), ObpDeleteNameCheck(), ObpProcessDosDeviceSymbolicLink(), and ObReferenceObjectByPointer().

POBJECT_DIRECTORY ObpTypeDirectoryObject

Definition at line 371 of file obp.h. Referenced by ObCreateObjectType(), and ObInitSystem().

POBJECT_TYPE ObpTypeObjectType

Definition at line 366 of file obp.h.

ERESOURCE SecurityDescriptorCacheLock

Definition at line 378 of file obp.h.

---