ldrp.h File Reference

#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <string.h>
#include "wdbgexts.h"
#include <ntdbg.h>

Go to the source code of this file.

Classes
struct	_LDRP_PATH_CACHE
struct	_LDRP_TLS_ENTRY
Defines
#define	NOEXTAPI
#define	LDRP_MAX_KNOWN_PATH   128
#define	NATIVE_PAGE_SIZE   PAGE_SIZE
#define	NATIVE_PAGE_SHIFT   PAGE_SHIFT
#define	NATIVE_BYTES_TO_PAGES(Size)   BYTES_TO_PAGES(Size)
#define	LDRP_HASH_TABLE_SIZE   32
#define	LDRP_HASH_MASK   (LDRP_HASH_TABLE_SIZE-1)
#define	LDRP_COMPUTE_HASH_INDEX(wch)   ( (RtlUpcaseUnicodeChar((wch)) - (WCHAR)'A') & LDRP_HASH_MASK )
#define	LDRP_BAD_DLL   LongToPtr(0xffbadd11)
#define	LdrpReferenceLoadedDll(lde)   LdrpUpdateLoadCount( lde, TRUE )
#define	LdrpDereferenceLoadedDll(lde)   LdrpUpdateLoadCount( lde, FALSE )
#define	MAKE_TAG(t)   (RTL_HEAP_MAKE_TAG( NtdllBaseTag, t ))
#define	CSR_TAG   0
#define	LDR_TAG   1
#define	CURDIR_TAG   2
#define	TLS_TAG   3
#define	DBG_TAG   4
#define	SE_TAG   5
#define	TEMP_TAG   6
#define	ATOM_TAG   7
#define	LdrpCallInitRoutine(InitRoutine, DllHandle, Reason, Context)   (InitRoutine)((DllHandle), (Reason), (Context))
Typedefs
typedef _LDRP_PATH_CACHE	LDRP_PATH_CACHE
typedef _LDRP_PATH_CACHE *	PLDRP_PATH_CACHE
typedef _LDRP_TLS_ENTRY	LDRP_TLS_ENTRY
typedef _LDRP_TLS_ENTRY *	PLDRP_TLS_ENTRY
Functions
NTSTATUS	LdrpSnapIAT (IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry_Export, IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry_Import, IN PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor, IN BOOLEAN SnapForwardersOnly)
NTSTATUS	LdrpSnapLinksToDllHandle (IN PVOID DllHandle, IN ULONG NumberOfThunks, IN OUT PIMAGE_THUNK_DATA FirstThunk)
NTSTATUS	LdrpSnapThunk (IN PVOID DllBase, IN PVOID ImageBase, IN PIMAGE_THUNK_DATA OriginalThunk, IN OUT PIMAGE_THUNK_DATA Thunk, IN PIMAGE_EXPORT_DIRECTORY ExportDirectory, IN ULONG ExportSize, IN BOOLEAN StaticSnap, IN PSZ DllName OPTIONAL)
USHORT	LdrpNameToOrdinal (IN PSZ Name, IN ULONG NumberOfNames, IN PVOID DllBase, IN PULONG NameTableBase, IN PUSHORT NameOrdinalTableBase)
PLDR_DATA_TABLE_ENTRY	LdrpAllocateDataTableEntry (IN PVOID DllBase)
BOOLEAN	LdrpCheckForLoadedDll (IN PWSTR DllPath OPTIONAL, IN PUNICODE_STRING DllName, IN BOOLEAN StaticLink, IN BOOLEAN Wx86KnownDll, OUT PLDR_DATA_TABLE_ENTRY *LdrDataTableEntry)
BOOLEAN	LdrpCheckForLoadedDllHandle (IN PVOID DllHandle, OUT PLDR_DATA_TABLE_ENTRY *LdrDataTableEntry)
NTSTATUS	LdrpMapDll (IN PWSTR DllPath OPTIONAL, IN PWSTR DllName, IN PULONG DllCharacteristics OPTIONAL, IN BOOLEAN StaticLink, IN BOOLEAN Wx86KnownDll, OUT PLDR_DATA_TABLE_ENTRY *LdrDataTableEntry)
NTSTATUS	LdrpWalkImportDescriptor (IN PWSTR DllPath OPTIONAL, IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry)
NTSTATUS	LdrpRunInitializeRoutines (IN PCONTEXT Context OPTIONAL)
VOID	LdrpUpdateLoadCount (IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry, IN BOOLEAN IncrementCount)
NTSTATUS	LdrpInitializeProcess (IN PCONTEXT Context OPTIONAL, IN PVOID SystemDllBase, IN PUNICODE_STRING UnicodeImageName)
VOID	LdrpInitialize (IN PCONTEXT Context, IN PVOID SystemArgument1, IN PVOID SystemArgument2)
VOID	LdrpInsertMemoryTableEntry (IN PLDR_DATA_TABLE_ENTRY LdrDataTableEntry)
BOOLEAN	LdrpResolveDllName (IN PWSTR DllPath OPTIONAL, IN PWSTR DllName, OUT PUNICODE_STRING FullDllName, OUT PUNICODE_STRING BaseDllName, OUT PHANDLE DllFile)
NTSTATUS	LdrpCreateDllSection (IN PUNICODE_STRING FullDllName, IN HANDLE DllFile, IN PUNICODE_STRING BaseName, IN PULONG DllCharacteristics OPTIONAL, OUT PHANDLE SectionHandle)
VOID	LdrpInitializePathCache (VOID)
PVOID	LdrpFetchAddressOfEntryPoint (IN PVOID Base)
BOOLEAN	xRtlDosPathNameToNtPathName (IN PSZ DosFileName, OUT PSTRING NtFileName, OUT PSZ *FilePart OPTIONAL, OUT PRTL_RELATIVE_NAME RelativeName OPTIONAL)
ULONG	xRtlDosSearchPath (PSZ lpPath, PSZ lpFileName, PSZ lpExtension, ULONG nBufferLength, PSZ lpBuffer, PSZ *lpFilePart OPTIONAL)
ULONG	xRtlGetFullPathName (PSZ lpFileName, ULONG nBufferLength, PSZ lpBuffer, PSZ *lpFilePart OPTIONAL)
PSZ	UnicodeToAnsii (IN PWSTR String)
HANDLE	LdrpCheckForKnownDll (IN PWSTR DllName, OUT PUNICODE_STRING FullDllName, OUT PUNICODE_STRING BaseDllName)
NTSTATUS	LdrpSetProtection (IN PVOID Base, IN BOOLEAN Reset, IN BOOLEAN StaticLink)
NTSTATUS	LdrpInitializeTls (VOID)
NTSTATUS	LdrpAllocateTls (VOID)
VOID	LdrpFreeTls (VOID)
VOID	LdrpCallTlsInitializers (PVOID DllBase, ULONG Reason)
NTSTATUS NTAPI	LdrpLoadDll (IN PWSTR DllPath OPTIONAL, IN PULONG DllCharacteristics OPTIONAL, IN PUNICODE_STRING DllName, OUT PVOID *DllHandle, IN BOOLEAN RunInitRoutines)
NTSTATUS NTAPI	LdrpGetProcedureAddress (IN PVOID DllHandle, IN PANSI_STRING ProcedureName OPTIONAL, IN ULONG ProcedureNumber OPTIONAL, OUT PVOID *ProcedureAddress, IN BOOLEAN RunInitRoutines)
PLIST_ENTRY	RtlpLockProcessHeapsList (VOID)
VOID	RtlpUnlockProcessHeapsList (VOID)
BOOLEAN	RtlpSerializeHeap (IN PVOID HeapHandle)
PVOID	LdrpDefineDllTag (PWSTR TagName, PUSHORT TagIndex)
Variables
BOOLEAN	LdrpImageHasTls
UNICODE_STRING	LdrpDefaultPath
HANDLE	LdrpKnownDllObjectDirectory
WCHAR	LdrpKnownDllPathBuffer [LDRP_MAX_KNOWN_PATH]
UNICODE_STRING	LdrpKnownDllPath
LIST_ENTRY	LdrpHashTable [LDRP_HASH_TABLE_SIZE]
LIST_ENTRY	LdrpDefaultPathCache
BOOLEAN	ShowSnaps
BOOLEAN	RtlpTimoutDisable
LARGE_INTEGER	RtlpTimeout
ULONG	NtGlobalFlag
LIST_ENTRY	RtlCriticalSectionList
RTL_CRITICAL_SECTION	RtlCriticalSectionLock
BOOLEAN	LdrpShutdownInProgress
BOOLEAN	LdrpInLdrInit
BOOLEAN	LdrpLdrDatabaseIsSetup
BOOLEAN	LdrpVerifyDlls
PLDR_DATA_TABLE_ENTRY	LdrpImageEntry
LIST_ENTRY	LdrpUnloadHead
BOOLEAN	LdrpActiveUnloadCount
PLDR_DATA_TABLE_ENTRY	LdrpGetModuleHandleCache
PLDR_DATA_TABLE_ENTRY	LdrpLoadedDllHandleCache
ULONG	LdrpFatalHardErrorCount
RTL_CRITICAL_SECTION	FastPebLock
HANDLE	LdrpShutdownThreadId
ULONG	LdrpNumberOfProcessors
LIST_ENTRY	LdrpTlsList
ULONG	LdrpNumberOfTlsEntries
ULONG	NtdllBaseTag

---

Define Documentation

#define ATOM_TAG   7

Definition at line 466 of file ldrp.h. Referenced by LdrpInitializeProcess().

#define CSR_TAG   0

Definition at line 459 of file ldrp.h. Referenced by CsrClientConnectToServer(), and CsrpConnectToServer().

#define CURDIR_TAG   2

Definition at line 461 of file ldrp.h.

#define DBG_TAG   4

Definition at line 463 of file ldrp.h. Referenced by DbgSsHandleKmApiMsg().

#define LDR_TAG   1

Definition at line 460 of file ldrp.h. Referenced by LdrpAllocateDataTableEntry(), LdrpCheckForKnownDll(), LdrpInitializeProcess(), and LdrpResolveDllName().

#define LDRP_BAD_DLL   LongToPtr(0xffbadd11)

Definition at line 166 of file ldrp.h. Referenced by LdrpSnapThunk().

#define LDRP_COMPUTE_HASH_INDEX (  wch   )     ( (RtlUpcaseUnicodeChar((wch)) - (WCHAR)'A') & LDRP_HASH_MASK )

Definition at line 161 of file ldrp.h. Referenced by LdrpCheckForLoadedDll(), and LdrpInsertMemoryTableEntry().

#define LDRP_HASH_MASK   (LDRP_HASH_TABLE_SIZE-1)

Definition at line 160 of file ldrp.h.

#define LDRP_HASH_TABLE_SIZE   32

Definition at line 159 of file ldrp.h. Referenced by LdrpInitializeProcess().

#define LDRP_MAX_KNOWN_PATH   128

Definition at line 35 of file ldrp.h.

#define LdrpCallInitRoutine (  InitRoutine, DllHandle, Reason, Context   )     (InitRoutine)((DllHandle), (Reason), (Context))

Definition at line 484 of file ldrp.h. Referenced by LdrpCallTlsInitializers(), LdrpInitializeThread(), LdrpRunInitializeRoutines(), LdrShutdownProcess(), LdrShutdownThread(), and LdrUnloadDll().

#define LdrpDereferenceLoadedDll (  lde   )     LdrpUpdateLoadCount( lde, FALSE )

Definition at line 254 of file ldrp.h. Referenced by LdrUnloadDll().

#define LdrpReferenceLoadedDll (  lde   )     LdrpUpdateLoadCount( lde, TRUE )

Definition at line 253 of file ldrp.h. Referenced by LdrpInitializeProcess(), and LdrpLoadDll().

#define MAKE_TAG (  t   )     (RTL_HEAP_MAKE_TAG( NtdllBaseTag, t ))

Definition at line 457 of file ldrp.h. Referenced by AddAlias(), AddCommand(), AddExeAliasList(), AddFaceNode(), AllocateCommandHistory(), AllocateConsole(), AllocateScrollBuffer(), BeginPopup(), ConsoleAddProcessRoutine(), ConsoleClientConnectRoutine(), ConvertOutputToOem(), ConvertOutputToUnicode(), CookedRead(), CreateConsoleBitmap(), CreateDbcsScreenBuffer(), CreateInputBuffer(), CreateScreenBuffer(), CsrClientConnectToServer(), CsrpConnectToServer(), DbgSsHandleKmApiMsg(), DoStringPaste(), DrawCommandListPopup(), EnumerateFonts(), FalseUnicodeToRealUnicode(), FE_WriteRegionToScreenHW(), FindExe(), FindExeCommandHistory(), FlushAllButKeys(), FontEnum(), GrowConsoleHandleTable(), GrowIoHandleTable(), InheritIoHandleTable(), InitializeInputHandle(), InitializeScrollBuffer(), LdrpAllocateDataTableEntry(), LdrpAllocateTls(), LdrpCheckForKnownDll(), LdrpGetProcedureAddress(), LdrpInitializeProcess(), LdrpInitializeTls(), LdrpResolveDllName(), LdrpRunInitializeRoutines(), LdrQueryImageFileExecutionOptions(), MatchandCopyAlias(), MergeAttrStrings(), MyRegQueryValue(), PrependInputBuffer(), ProcessCommandListInput(), ProcessCtrlEvents(), QueueConsoleMessage(), QueueThreadMessage(), RawReadWaitRoutine(), ReadChars(), ReadOutputString(), ReallocCommandHistory(), RealUnicodeToFalseUnicode(), ReCreateDbcsScreenBuffer(), ReplaceAlias(), ResizeScreenBuffer(), RtlCopySecurityDescriptor(), RtlCreateAndSetSD(), RtlpConvertAclToAutoInherit(), RtlpConvertToAutoInheritSecurityObject(), RtlpCreateServerAcl(), RtlpGetDefaultsSubjectContext(), RtlpInheritAcl(), RtlpNewSecurityObject(), RtlpSetSecurityObject(), SetInputBufferSize(), SetRAMFont(), SetRAMFontCodePage(), SrvAddConsoleAlias(), SrvAllocConsole(), SrvGetConsoleAlias(), SrvSetConsoleTitle(), SrvVDMConsoleOperation(), SrvWriteConsoleOutput(), StoreSelection(), StoreTextBufferFontInfo(), TranslateConsoleTitle(), UpdateComplexRegion(), WaitForMoreToRead(), WWSB_DoSrvWriteConsole(), WWSB_DoWriteConsole(), WWSB_WriteChars(), WWSB_WriteOutputString(), WWSB_WriteRectToScreenBuffer(), and WWSB_WriteRegionToScreen().

#define NATIVE_BYTES_TO_PAGES (  Size   )     BYTES_TO_PAGES(Size)

Definition at line 155 of file ldrp.h.

#define NATIVE_PAGE_SHIFT   PAGE_SHIFT

Definition at line 154 of file ldrp.h.

#define NATIVE_PAGE_SIZE   PAGE_SIZE

Definition at line 153 of file ldrp.h. Referenced by LdrpInitializeProcess(), and LdrpMapDll().

#define NOEXTAPI

Definition at line 28 of file ldrp.h.

#define SE_TAG   5

Definition at line 464 of file ldrp.h. Referenced by RtlCopySecurityDescriptor(), RtlCreateAndSetSD(), RtlpConvertAclToAutoInherit(), RtlpConvertToAutoInheritSecurityObject(), RtlpCreateServerAcl(), RtlpGetDefaultsSubjectContext(), RtlpInheritAcl(), RtlpNewSecurityObject(), and RtlpSetSecurityObject().

#define TEMP_TAG   6

Definition at line 465 of file ldrp.h. Referenced by LdrpGetProcedureAddress(), LdrpResolveDllName(), LdrpRunInitializeRoutines(), and LdrQueryImageFileExecutionOptions().

#define TLS_TAG   3

Definition at line 462 of file ldrp.h. Referenced by LdrpAllocateTls(), and LdrpInitializeTls().

---

Typedef Documentation

typedef struct _LDRP_PATH_CACHE LDRP_PATH_CACHE

typedef struct _LDRP_TLS_ENTRY LDRP_TLS_ENTRY

Referenced by LdrpAllocateTls().

typedef struct _LDRP_PATH_CACHE * PLDRP_PATH_CACHE

typedef struct _LDRP_TLS_ENTRY * PLDRP_TLS_ENTRY

Referenced by LdrpInitializeTls().

---

Function Documentation

PLDR_DATA_TABLE_ENTRY LdrpAllocateDataTableEntry (  IN PVOID  DllBase  )

Definition at line 3043 of file ldrsnap.c. References LDR_TAG, MAKE_TAG, NULL, RtlAllocateHeap, and RtlImageNtHeader(). Referenced by LdrpInitializeProcess(), and LdrpMapDll(). : This function allocates an entry in the loader data table. If the table is going to overflow, then a new table is allocated. Arguments: DllBase - Supplies the address of the base of the DLL Image. be added to the loader data table. Return Value: Returns the address of the allocated loader data table entry --*/ { PLDR_DATA_TABLE_ENTRY Entry; PIMAGE_NT_HEADERS NtHeaders; NtHeaders = RtlImageNtHeader(DllBase); Entry = NULL; if ( NtHeaders ) { Entry = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( LDR_TAG ) | HEAP_ZERO_MEMORY,sizeof( *Entry )); if ( Entry ) { Entry->DllBase = DllBase; Entry->SizeOfImage = NtHeaders->OptionalHeader.SizeOfImage; Entry->TimeDateStamp = NtHeaders->FileHeader.TimeDateStamp; } } return Entry; }

NTSTATUS LdrpAllocateTls (  VOID   )

Definition at line 2071 of file ldrinit.c. References DbgPrint, LDRP_TLS_ENTRY, LdrpNumberOfTlsEntries, LdrpTlsList, MAKE_TAG, RtlAllocateHeap, ShowSnaps, _LDRP_TLS_ENTRY::Tls, and TLS_TAG. Referenced by LdrpInitializeThread(), and LdrpInitializeTls(). { PTEB Teb; PLIST_ENTRY Head, Next; PLDRP_TLS_ENTRY TlsEntry; PVOID *TlsVector; Teb = NtCurrentTeb(); // // Allocate the array of thread local storage pointers // if ( LdrpNumberOfTlsEntries ) { TlsVector = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( TLS_TAG ),sizeof(PVOID)*LdrpNumberOfTlsEntries); if ( !TlsVector ) { return STATUS_NO_MEMORY; } Teb->ThreadLocalStoragePointer = TlsVector; Head = &LdrpTlsList; Next = Head->Flink; while ( Next != Head ) { TlsEntry = CONTAINING_RECORD(Next, LDRP_TLS_ENTRY, Links); Next = Next->Flink; TlsVector[TlsEntry->Tls.Characteristics] = RtlAllocateHeap( RtlProcessHeap(), MAKE_TAG( TLS_TAG ), TlsEntry->Tls.EndAddressOfRawData - TlsEntry->Tls.StartAddressOfRawData ); if (!TlsVector[TlsEntry->Tls.Characteristics] ) { return STATUS_NO_MEMORY; } if (ShowSnaps) { DbgPrint("LDR: TlsVector %x Index %d = %x copied from %x to %x\n", TlsVector, TlsEntry->Tls.Characteristics, &TlsVector[TlsEntry->Tls.Characteristics], TlsEntry->Tls.StartAddressOfRawData, TlsVector[TlsEntry->Tls.Characteristics] ); } RtlCopyMemory( TlsVector[TlsEntry->Tls.Characteristics], (PVOID)TlsEntry->Tls.StartAddressOfRawData, TlsEntry->Tls.EndAddressOfRawData - TlsEntry->Tls.StartAddressOfRawData ); // // Do the TLS Callouts // } } return STATUS_SUCCESS; }

VOID LdrpCallTlsInitializers (  PVOID  DllBase, ULONG  Reason )

Definition at line 2178 of file ldrinit.c. References DbgPrint, EXCEPTION_EXECUTE_HANDLER, LdrpCallInitRoutine, NULL, RtlImageDirectoryEntryToData(), ShowSnaps, and TRUE. Referenced by LdrpInitializeThread(), LdrpRunInitializeRoutines(), LdrShutdownProcess(), and LdrShutdownThread(). { PIMAGE_TLS_DIRECTORY TlsImage; ULONG TlsSize; PIMAGE_TLS_CALLBACK *CallBackArray; PIMAGE_TLS_CALLBACK InitRoutine; TlsImage = (PIMAGE_TLS_DIRECTORY)RtlImageDirectoryEntryToData( DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_TLS, &TlsSize ); try { if ( TlsImage ) { CallBackArray = (PIMAGE_TLS_CALLBACK *)TlsImage->AddressOfCallBacks; if ( CallBackArray ) { if (ShowSnaps) { DbgPrint( "LDR: Tls Callbacks Found. Imagebase %lx Tls %lx CallBacks %lx\n", DllBase, TlsImage, CallBackArray ); } while(*CallBackArray){ InitRoutine = *CallBackArray++; if (ShowSnaps) { DbgPrint( "LDR: Calling Tls Callback Imagebase %lx Function %lx\n", DllBase, InitRoutine ); } #if defined (WX86) if (!Wx86ProcessInit || LdrpRunWx86DllEntryPoint( (PDLL_INIT_ROUTINE)InitRoutine, NULL, DllBase, Reason, NULL ) == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) #endif { LdrpCallInitRoutine((PDLL_INIT_ROUTINE)InitRoutine, DllBase, Reason, 0); } } } } } except (EXCEPTION_EXECUTE_HANDLER) { ; } }

HANDLE LdrpCheckForKnownDll (  IN PWSTR  DllName, OUT PUNICODE_STRING  FullDllName, OUT PUNICODE_STRING  BaseDllName )

Definition at line 3283 of file ldrsnap.c. References LDR_TAG, LdrpKnownDllObjectDirectory, LdrpKnownDllPath, MAKE_TAG, NT_SUCCESS, NtOpenSection(), NTSTATUS(), NULL, RtlAllocateHeap, RtlFreeHeap, RtlInitUnicodeString(), Status, Unicode, and USHORT. Referenced by LdrpMapDll(). : This function checks to see if the specified DLL is a known DLL. It assumes it is only called for static DLL's, and when the know DLL directory structure has been set up. Arguments: DllName - Supplies the name of the DLL. FullDllName - Returns the fully qualified pathname of the DLL. The Buffer field of this string is dynamically allocated from the processes heap. BaseDLLName - Returns the base dll name of the dll. The base name is the file name portion of the dll path without the trailing extension. The Buffer field of this string is dynamically allocated from the processes heap. Return Value: NON-NULL - Returns an open handle to the section associated with the DLL. NULL - The DLL is not known. --*/ { UNICODE_STRING Unicode; HANDLE Section; NTSTATUS Status; OBJECT_ATTRIBUTES Obja; PSZ p; PWSTR pw; Section = NULL; // // calculate base name // RtlInitUnicodeString(&Unicode,DllName); BaseDllName->Length = Unicode.Length; BaseDllName->MaximumLength = Unicode.MaximumLength; BaseDllName->Buffer = RtlAllocateHeap( RtlProcessHeap(),MAKE_TAG( LDR_TAG ), Unicode.MaximumLength ); if ( !BaseDllName->Buffer ) { return NULL; } RtlMoveMemory(BaseDllName->Buffer,Unicode.Buffer,Unicode.MaximumLength); // // now compute the full name for the dll // FullDllName->Length = (USHORT)(LdrpKnownDllPath.Length + // path prefix (USHORT)sizeof(WCHAR) + // seperator BaseDllName->Length // base ); FullDllName->MaximumLength = FullDllName->Length + (USHORT)sizeof(UNICODE_NULL); FullDllName->Buffer = RtlAllocateHeap( RtlProcessHeap(),MAKE_TAG( LDR_TAG ), FullDllName->MaximumLength ); if ( !FullDllName->Buffer ) { RtlFreeHeap(RtlProcessHeap(),0,BaseDllName->Buffer); return NULL; } p = (PSZ)FullDllName->Buffer; RtlMoveMemory(p,LdrpKnownDllPath.Buffer,LdrpKnownDllPath.Length); p += LdrpKnownDllPath.Length; pw = (PWSTR)p; *pw++ = (WCHAR)'\\'; p = (PSZ)pw; // // This is the relative name of the section // Unicode.Buffer = (PWSTR)p; Unicode.Length = BaseDllName->Length; // base Unicode.MaximumLength = Unicode.Length + (USHORT)sizeof(UNICODE_NULL); RtlMoveMemory(p,BaseDllName->Buffer,BaseDllName->MaximumLength); // // open the section object // InitializeObjectAttributes( &Obja, &Unicode, OBJ_CASE_INSENSITIVE, LdrpKnownDllObjectDirectory, NULL ); Status = NtOpenSection( &Section, SECTION_MAP_READ | SECTION_MAP_EXECUTE | SECTION_MAP_WRITE, &Obja ); if ( !NT_SUCCESS(Status) ) { Section = NULL; RtlFreeHeap(RtlProcessHeap(),0,BaseDllName->Buffer); RtlFreeHeap(RtlProcessHeap(),0,FullDllName->Buffer); } #if DBG else { LdrpSectionOpens++; } #endif // DBG return Section; }

BOOLEAN LdrpCheckForLoadedDll (  IN PWSTR DllPath  OPTIONAL, IN PUNICODE_STRING  DllName, IN BOOLEAN  StaticLink, IN BOOLEAN  Wx86KnownDll, OUT PLDR_DATA_TABLE_ENTRY *  LdrDataTableEntry )

Definition at line 832 of file ldrsnap.c. References CHAR, DbgPrint, EXCEPTION_EXECUTE_HANDLER, FALSE, File, L, LDRP_COMPUTE_HASH_INDEX, LdrpDefaultPath, LdrpHashTable, NT_SUCCESS, NtAreMappedFilesTheSame(), NtClose(), NtCreateSection(), NtMapViewOfSection(), NtOpenFile(), NTSTATUS(), NtUnmapViewOfSection(), NULL, ObjectAttributes, RtlCopyUnicodeString(), RtlDosPathNameToNtPathName_U(), RtlDosSearchPath_U(), RtlEqualUnicodeString(), RtlFreeHeap, RtlImageNtHeader(), ShowSnaps, TRUE, and USHORT. Referenced by LdrGetDllHandle(), LdrpDphDetectSnapRoutines(), LdrpDphInitializeTargetDll(), LdrpLoadDll(), LdrpLoadImportModule(), and LdrpUpdateLoadCount(). : This function scans the loader data table looking to see if the specified DLL has already been mapped into the image. If the dll has been loaded, the address of its data table entry is returned. Arguments: DllPath - Supplies an optional search path used to locate the DLL. DllName - Supplies the name to search for. StaticLink - TRUE if performing a static link. Wx86KnownDll - TRUE, treat Importer as x86 LdrDataTableEntry - Returns the address of the loader data table entry that describes the first dll section that implements the dll. Return Value: TRUE- The dll is already loaded. The address of the data table entries that implement the dll, and the number of data table entries are returned. FALSE - The dll is not already mapped. --*/ { BOOLEAN Result; PLDR_DATA_TABLE_ENTRY Entry; PLIST_ENTRY Head, Next; UNICODE_STRING FullDllName; HANDLE DllFile; BOOLEAN HardCodedPath; PWCH p; WCHAR wch; ULONG i; CHAR FullDllNameBuffer[530+sizeof(UNICODE_NULL)]; ULONG Length = 0; PWCH src,dest; if (!DllName->Buffer || !DllName->Buffer[0]) { return FALSE; } #if defined (WX86) if (Wx86ProcessInit) { FullDllName.Buffer = (PWCHAR)FullDllNameBuffer; FullDllName.MaximumLength = sizeof(FullDllNameBuffer); FullDllName.Length = 0; Entry = LdrpWx86CheckForLoadedDll(DllPath, DllName, Wx86KnownDll, &FullDllName ); if (Entry) { RtlCopyUnicodeString(DllName, &FullDllName); *LdrDataTableEntry = Entry; return TRUE; } else { return FALSE; } } #endif // // for static links, just go to the hash table // staticlink: if ( StaticLink ) { i = LDRP_COMPUTE_HASH_INDEX(DllName->Buffer[0]); Head = &LdrpHashTable[i]; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, HashLinks); #if DBG LdrpCompareCount++; #endif if (RtlEqualUnicodeString(DllName, &Entry->BaseDllName, TRUE )) { *LdrDataTableEntry = Entry; return TRUE; } Next = Next->Flink; } } if ( StaticLink ) { return FALSE; } // // If the dll name contained a hard coded path // (dynamic link only), then the fully qualified // name needs to be compared to make sure we // have the correct dll. // p = DllName->Buffer; HardCodedPath = FALSE; while (*p) { wch = *p++; if (wch == (WCHAR)'\\' || wch == (WCHAR)'/' ) { HardCodedPath = TRUE; // // We have a hard coded path, so we have to search path // for the DLL. We need the full DLL name so we can FullDllName.Buffer = (WCHAR *)FullDllNameBuffer; Length = RtlDosSearchPath_U( ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer, DllName->Buffer, NULL, sizeof(FullDllNameBuffer)-sizeof(UNICODE_NULL), FullDllName.Buffer, NULL ); if ( !Length || Length > sizeof(FullDllNameBuffer)-sizeof(UNICODE_NULL) ) { if (ShowSnaps) { DbgPrint("LDR: LdrpCheckForLoadedDll - Unable To Locate "); DbgPrint("%ws from %ws\n", DllName->Buffer, ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer ); } return FALSE; } FullDllName.Length = (USHORT)Length; FullDllName.MaximumLength = FullDllName.Length + (USHORT)sizeof(UNICODE_NULL); break; } } // // if this is a dynamic load lib, and there is not a hard // coded path, then go to the static lib hash table for resolution // if ( !HardCodedPath ) { StaticLink = TRUE; goto staticlink; } Result = FALSE; Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Next = Next->Flink; // // when we unload, the memory order links flink field is nulled. // this is used to skip the entry pending list removal. // if ( !Entry->InMemoryOrderLinks.Flink ) { continue; } if (RtlEqualUnicodeString( &FullDllName, &Entry->FullDllName, TRUE ) ) { Result = TRUE; *LdrDataTableEntry = Entry; break; } } if ( !Result ) { // // no names matched. This might be a long short name mismatch or // any kind of alias pathname. Deal with this by opening and mapping // full dll name and then repeat the scan this time checking for // timedatestamp matches // HANDLE File; HANDLE Section; NTSTATUS st; OBJECT_ATTRIBUTES ObjectAttributes; IO_STATUS_BLOCK IoStatus; PVOID ViewBase; SIZE_T ViewSize; PIMAGE_NT_HEADERS NtHeadersSrc,NtHeadersE; UNICODE_STRING NtFileName; if (!RtlDosPathNameToNtPathName_U( FullDllName.Buffer, &NtFileName, NULL, NULL ) ) { goto alldone; } InitializeObjectAttributes( &ObjectAttributes, &NtFileName, OBJ_CASE_INSENSITIVE, NULL, NULL ); st = NtOpenFile( &File, SYNCHRONIZE | FILE_EXECUTE, &ObjectAttributes, &IoStatus, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); RtlFreeHeap(RtlProcessHeap(), 0, NtFileName.Buffer); if (!NT_SUCCESS(st)) { goto alldone; } st = NtCreateSection( &Section, SECTION_MAP_READ | SECTION_MAP_EXECUTE | SECTION_MAP_WRITE, NULL, NULL, PAGE_EXECUTE, SEC_COMMIT, File ); NtClose( File ); if (!NT_SUCCESS(st)) { goto alldone; } ViewBase = NULL; ViewSize = 0; st = NtMapViewOfSection( Section, NtCurrentProcess(), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare, 0L, PAGE_EXECUTE ); NtClose(Section); if (!NT_SUCCESS(st)) { goto alldone; } // // The section is mapped. Now find the headers // NtHeadersSrc = RtlImageNtHeader(ViewBase); if ( !NtHeadersSrc ) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); goto alldone; } Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Next = Next->Flink; // // when we unload, the memory order links flink field is nulled. // this is used to skip the entry pending list removal. // if ( !Entry->InMemoryOrderLinks.Flink ) { continue; } try { if ( Entry->TimeDateStamp == NtHeadersSrc->FileHeader.TimeDateStamp && Entry->SizeOfImage == NtHeadersSrc->OptionalHeader.SizeOfImage ) { // // there is a very good chance we have an image match. Check the // entire file header and optional header. If they match, declare // this a match // NtHeadersE = RtlImageNtHeader(Entry->DllBase); if ( RtlCompareMemory(NtHeadersE,NtHeadersSrc,sizeof(*NtHeadersE)) ) { // // Now that it looks like we have a match, compare // volume serial number's and file index's // st = NtAreMappedFilesTheSame(Entry->DllBase,ViewBase); if ( !NT_SUCCESS(st) ) { continue; } else { Result = TRUE; *LdrDataTableEntry = Entry; break; } } } } except (EXCEPTION_EXECUTE_HANDLER) { break; } } NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); } alldone: return Result; }

BOOLEAN LdrpCheckForLoadedDllHandle (  IN PVOID  DllHandle, OUT PLDR_DATA_TABLE_ENTRY *  LdrDataTableEntry )

Definition at line 1196 of file ldrsnap.c. References FALSE, LdrpLoadedDllHandleCache, and TRUE. Referenced by LdrDisableThreadCalloutsForDll(), LdrpGetProcedureAddress(), and LdrUnloadDll(). : This function scans the loader data table looking to see if the specified DLL has already been mapped into the image address space. If the dll has been loaded, the address of its data table entry that describes the dll is returned. Arguments: DllHandle - Supplies the DllHandle of the DLL being searched for. LdrDataTableEntry - Returns the address of the loader data table entry that describes the dll. Return Value: TRUE- The dll is loaded. The address of the data table entry is returned. FALSE - The dll is not loaded. --*/ { PLDR_DATA_TABLE_ENTRY Entry; PLIST_ENTRY Head,Next; if ( LdrpLoadedDllHandleCache && (PVOID) LdrpLoadedDllHandleCache->DllBase == DllHandle ) { *LdrDataTableEntry = LdrpLoadedDllHandleCache; return TRUE; } Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Next = Next->Flink; // // when we unload, the memory order links flink field is nulled. // this is used to skip the entry pending list removal. // if ( !Entry->InMemoryOrderLinks.Flink ) { continue; } if (DllHandle == (PVOID)Entry->DllBase ){ LdrpLoadedDllHandleCache = Entry; *LdrDataTableEntry = Entry; return TRUE; } } return FALSE; }

NTSTATUS LdrpCreateDllSection (  IN PUNICODE_STRING  FullDllName, IN HANDLE  DllFile, IN PUNICODE_STRING  BaseName, IN PULONG DllCharacteristics  OPTIONAL, OUT PHANDLE  SectionHandle )

Definition at line 2150 of file ldrsnap.c. References DbgPrint, File, LdrpFatalHardErrorCount, LdrpInLdrInit, NT_SUCCESS, NtClose(), NtCreateSection(), NtOpenFile(), NtRaiseHardError(), NTSTATUS(), NULL, and ObjectAttributes. Referenced by LdrpMapDll(). { HANDLE File; HANDLE Section; NTSTATUS st; OBJECT_ATTRIBUTES ObjectAttributes; IO_STATUS_BLOCK IoStatus; if ( !DllFile ) { // // Since ntsdk does not search paths well, we can't use // relative object names // InitializeObjectAttributes( &ObjectAttributes, NtFullDllName, OBJ_CASE_INSENSITIVE, NULL, NULL ); st = NtOpenFile( &File, SYNCHRONIZE | FILE_EXECUTE, &ObjectAttributes, &IoStatus, FILE_SHARE_READ | FILE_SHARE_DELETE, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT ); if (!NT_SUCCESS(st)) { #if DBG DbgPrint("LDR: LdrCreateDllSection - NtOpenFile( %wZ ) failed. Status == %X\n", NtFullDllName, st ); #endif *SectionHandle = NULL; return st; } } else { File = DllFile; } st = NtCreateSection( SectionHandle, SECTION_MAP_READ | SECTION_MAP_EXECUTE | SECTION_MAP_WRITE | SECTION_QUERY, NULL, NULL, PAGE_EXECUTE, SEC_IMAGE, File ); NtClose( File ); if (!NT_SUCCESS(st)) { // // hard error time // ULONG_PTR ErrorParameters[1]; ULONG ErrorResponse; *SectionHandle = NULL; ErrorParameters[0] = (ULONG_PTR)NtFullDllName; NtRaiseHardError( STATUS_INVALID_IMAGE_FORMAT, 1, 1, ErrorParameters, OptionOk, &ErrorResponse ); if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } #if DBG if (st != STATUS_INVALID_IMAGE_NE_FORMAT && st != STATUS_INVALID_IMAGE_LE_FORMAT && st != STATUS_INVALID_IMAGE_WIN_16 ) { DbgPrint("LDR: LdrCreateDllSection - NtCreateSection %wZ failed. Status == %X\n", NtFullDllName, st ); } #endif } return st; }

PVOID LdrpDefineDllTag (  PWSTR  TagName, PUSHORT  TagIndex )

Definition at line 191 of file heaptag.c. References LDRP_MAXIMUM_DLL_TAGS, LdrpDllTagProcedures, LdrpDllTags, LdrpDllTagsInitialized, LdrpNumberOfDllTags, NULL, RtlAllocateHeap, RtlCreateTagHeap(), RtlpGlobalTagHeap, TRUE, USHORT, and _HEAP::VirtualAllocdBlocks. Referenced by LdrpWalkImportDescriptor(). { PVOID Result; WCHAR TagNameBuffer[ 260 ]; if (RtlpGlobalTagHeap == NULL) { RtlpGlobalTagHeap = RtlAllocateHeap( RtlProcessHeap( ), HEAP_ZERO_MEMORY, sizeof( HEAP )); if (RtlpGlobalTagHeap == NULL) { return NULL; } } if (!LdrpDllTagsInitialized) { // // Keep QUERY.C happy // InitializeListHead( &RtlpGlobalTagHeap->VirtualAllocdBlocks ); LdrpDllTagsInitialized = TRUE; } Result = NULL; if (LdrpNumberOfDllTags < LDRP_MAXIMUM_DLL_TAGS) { memset( TagNameBuffer, 0, sizeof( TagNameBuffer ) ); wcscpy( TagNameBuffer, TagName ); LdrpDllTags[ LdrpNumberOfDllTags ] = RtlCreateTagHeap( NULL, 0, NULL, TagNameBuffer ); if (LdrpDllTags[ LdrpNumberOfDllTags ] != 0) { Result = LdrpDllTagProcedures[ LdrpNumberOfDllTags ]; } if (Result != NULL) { *TagIndex = (USHORT)(LdrpDllTags[ LdrpNumberOfDllTags ] >> HEAP_TAG_SHIFT); LdrpNumberOfDllTags += 1; } } return Result; }

PVOID LdrpFetchAddressOfEntryPoint (  IN PVOID  Base  )

Definition at line 3249 of file ldrsnap.c. References RtlImageNtHeader(). Referenced by LdrpInitializeProcess(), and LdrpMapDll(). : This function returns the address of the initialization routine. Arguments: Base - Base of image. Return Value: Status value --*/ { PIMAGE_NT_HEADERS NtHeaders; ULONG_PTR ep; NtHeaders = RtlImageNtHeader(Base); ep = NtHeaders->OptionalHeader.AddressOfEntryPoint; if (ep) { ep += (ULONG_PTR)Base; } return (PVOID)ep; }

VOID LdrpFreeTls (  VOID   )

Definition at line 2134 of file ldrinit.c. References LdrpTlsList, RtlFreeHeap, and _LDRP_TLS_ENTRY::Tls. Referenced by LdrShutdownThread(). { PTEB Teb; PLIST_ENTRY Head, Next; PLDRP_TLS_ENTRY TlsEntry; PVOID *TlsVector; Teb = NtCurrentTeb(); TlsVector = Teb->ThreadLocalStoragePointer; if ( TlsVector ) { Head = &LdrpTlsList; Next = Head->Flink; while ( Next != Head ) { TlsEntry = CONTAINING_RECORD(Next, LDRP_TLS_ENTRY, Links); Next = Next->Flink; // // Do the TLS callouts // if ( TlsVector[TlsEntry->Tls.Characteristics] ) { RtlFreeHeap( RtlProcessHeap(), 0, TlsVector[TlsEntry->Tls.Characteristics] ); } } RtlFreeHeap( RtlProcessHeap(), 0, TlsVector ); } }

NTSTATUS NTAPI LdrpGetProcedureAddress (  IN PVOID  DllHandle, IN PANSI_STRING ProcedureName  OPTIONAL, IN ULONG ProcedureNumber  OPTIONAL, OUT PVOID *  ProcedureAddress, IN BOOLEAN  RunInitRoutines )

Definition at line 851 of file ldrapi.c. References DbgPrint, EXCEPTION_EXECUTE_HANDLER, FALSE, LdrpCheckForLoadedDllHandle(), LdrpInLdrInit, LdrpRunInitializeRoutines(), LdrpSnapThunk(), LoaderLock, MAKE_TAG, NT_SUCCESS, NTSTATUS(), NULL, RtlAllocateHeap, RtlFreeHeap, RtlImageDirectoryEntryToData(), RtlImageNtHeader(), ShowSnaps, TEMP_TAG, TRUE, and USHORT. Referenced by LdrGetProcedureAddress(), and LdrpSnapThunk(). : This function locates the address of the specified procedure in the specified DLL and returns its address. Arguments: DllHandle - Supplies a handle to the DLL that the address is being looked up in. ProcedureName - Supplies that address of a string that contains the name of the procedure to lookup in the DLL. If this argument is not specified, then the ProcedureNumber is used. ProcedureNumber - Supplies the procedure number to lookup. If ProcedureName is specified, then this argument is ignored. Otherwise, it specifies the procedure ordinal number to locate in the DLL. ProcedureAddress - Returns the address of the procedure found in the DLL. Return Value: TBD --*/ { NTSTATUS st; UCHAR FunctionNameBuffer[64]; PUCHAR src, dst; ULONG cb, ExportSize; PLDR_DATA_TABLE_ENTRY LdrDataTableEntry; IMAGE_THUNK_DATA Thunk; PVOID ImageBase; PIMAGE_IMPORT_BY_NAME FunctionName; PIMAGE_EXPORT_DIRECTORY ExportDirectory; PLIST_ENTRY Next; #if defined (WX86) PTEB Teb; BOOLEAN Wx86KnownDll = FALSE; #endif if (ShowSnaps) { DbgPrint("LDR: LdrGetProcedureAddress by "); } #if defined (WX86) Teb = NtCurrentTeb(); if (Teb->Wx86Thread.UseKnownWx86Dll) { Wx86KnownDll = Teb->Wx86Thread.UseKnownWx86Dll; Teb->Wx86Thread.UseKnownWx86Dll = FALSE; } #endif FunctionName = NULL; if ( ARGUMENT_PRESENT(ProcedureName) ) { if (ShowSnaps) { DbgPrint("NAME - %s\n", ProcedureName->Buffer); } // // BUGBUG need STRING to PSZ // if (ProcedureName->Length >= sizeof( FunctionNameBuffer )-1 ) { FunctionName = RtlAllocateHeap(RtlProcessHeap(), MAKE_TAG( TEMP_TAG ),ProcedureName->Length+1+sizeof(USHORT)); if ( !FunctionName ) { return STATUS_INVALID_PARAMETER; } } else { FunctionName = (PIMAGE_IMPORT_BY_NAME) FunctionNameBuffer; } FunctionName->Hint = 0; cb = ProcedureName->Length; src = ProcedureName->Buffer; dst = FunctionName->Name; while (cb--) { *dst++ = *src++; } *dst = '\0'; // // Make sure we don't pass in address with high bit set so we // can still use it as ordinal flag // ImageBase = FunctionName; Thunk.u1.AddressOfData = 0; } else { ImageBase = NULL; if (ShowSnaps) { DbgPrint("ORDINAL - %lx\n", ProcedureNumber); } if (ProcedureNumber) { Thunk.u1.Ordinal = ProcedureNumber | IMAGE_ORDINAL_FLAG; } else { return STATUS_INVALID_PARAMETER; } } if ( LdrpInLdrInit == FALSE ) { RtlEnterCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock); } try { if (!LdrpCheckForLoadedDllHandle(DllHandle, &LdrDataTableEntry)) { st = STATUS_DLL_NOT_FOUND; return st; } ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &ExportSize ); if (!ExportDirectory) { return STATUS_PROCEDURE_NOT_FOUND; } st = LdrpSnapThunk(LdrDataTableEntry->DllBase, ImageBase, &Thunk, &Thunk, ExportDirectory, ExportSize, FALSE, NULL ); if ( RunInitRoutines ) { PLDR_DATA_TABLE_ENTRY LdrInitEntry; // // Look at last entry in init order list. If entry processed // flag is not set, then a forwarded dll was loaded during the // getprocaddr call and we need to run init routines // Next = NtCurrentPeb()->Ldr->InInitializationOrderModuleList.Blink; LdrInitEntry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks); if ( !(LdrInitEntry->Flags & LDRP_ENTRY_PROCESSED) ) { try { st = LdrpRunInitializeRoutines(NULL); } except( EXCEPTION_EXECUTE_HANDLER ) { st = GetExceptionCode(); } } } if ( NT_SUCCESS(st) ) { *ProcedureAddress = (PVOID)Thunk.u1.Function; #if defined (WX86) // For dlls loaded as a Wx86 plugin ... if (Wx86ProcessInit && (LdrDataTableEntry->Flags & LDRP_WX86_PLUGIN)) { PVOID ExportThunk = NULL; USHORT MachineType = RtlImageNtHeader(LdrDataTableEntry->DllBase)->FileHeader.Machine; // and the GetProcAddress call is cross-architecture ... if ((!Wx86KnownDll && (MachineType == IMAGE_FILE_MACHINE_I386)) || (Wx86KnownDll && (MachineType != IMAGE_FILE_MACHINE_I386))) { // Thunk the export st = Wx86ThunkPluginExport(LdrDataTableEntry->DllBase, FunctionName? FunctionName->Name : NULL, ProcedureNumber, (PVOID)(Thunk.u1.Function), &ExportThunk ); if (NT_SUCCESS(st) && ExportThunk) { *ProcedureAddress = ExportThunk; } else { // Don't let unthunked cross-architecture addresses get out *ProcedureAddress = NULL; st = STATUS_INVALID_IMAGE_FORMAT; } } } #endif } } finally { if ( FunctionName && (FunctionName != (PIMAGE_IMPORT_BY_NAME) FunctionNameBuffer) ) { RtlFreeHeap(RtlProcessHeap(),0,FunctionName); } if ( LdrpInLdrInit == FALSE ) { RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock); } } return st; }

VOID LdrpInitialize (  IN PCONTEXT  Context, IN PVOID  SystemArgument1, IN PVOID  SystemArgument2 )

Definition at line 186 of file ldrinit.c. References DbgPrint, EXCEPTION_EXECUTE_HANDLER, FALSE, L, LdrpForkProcess(), LdrpInitializationFailure(), LdrpInitializeProcess(), LdrpInitializeThread(), LdrpInLdrInit, LdrQueryImageFileExecutionOptions(), LoaderLock, LoaderLockInitialized, NT_SUCCESS, NtDelayExecution(), NtQueryPerformanceCounter(), NtQueryVirtualMemory(), NTSTATUS(), NtTestAlert(), NULL, RtlImageDirectoryEntryToData(), RtlImageNtHeader(), RtlpDebugPageHeap, RtlpDisableHeapLookaside, RtlpDphDllRangeEnd, RtlpDphDllRangeStart, RtlpDphGlobalFlags, RtlpDphRandomProbability, RtlpDphSizeRangeEnd, RtlpDphSizeRangeStart, RtlpDphTargetDlls, RtlRaiseStatus(), and TRUE. : This function is called as a User-Mode APC routine as the first user-mode code executed by a new thread. It's function is to initialize loader context, perform module initialization callouts... Arguments: Context - Supplies an optional context buffer that will be restore after all DLL initialization has been completed. If this parameter is NULL then this is a dynamic snap of this module. Otherwise this is a static snap prior to the user process gaining control. SystemArgument1 - Supplies the base address of the System Dll. SystemArgument2 - not used. Return Value: None. --*/ { NTSTATUS st, InitStatus; PPEB Peb; PTEB Teb; UNICODE_STRING UnicodeImageName; MEMORY_BASIC_INFORMATION MemInfo; BOOLEAN AlreadyFailed; LARGE_INTEGER DelayValue; #if defined(_WIN64) PIMAGE_NT_HEADERS NtHeader; #endif SystemArgument2; AlreadyFailed = FALSE; Peb = NtCurrentPeb(); Teb = NtCurrentTeb(); if (!Peb->Ldr) { #if defined(_ALPHA_) ULONG temp; // // Set GP register // LdrpGpValue = (ULONG_PTR)RtlImageDirectoryEntryToData( Peb->ImageBaseAddress, TRUE, IMAGE_DIRECTORY_ENTRY_GLOBALPTR, &temp ); if (Context != NULL) { LdrpSetGp( LdrpGpValue ); Context->IntGp = LdrpGpValue; } #endif // ALPHA //#if DBG if (TRUE) //#else // if (Peb->BeingDebugged || Peb->ReadImageFileExecOptions) //#endif { PWSTR pw; pw = (PWSTR)Peb->ProcessParameters->ImagePathName.Buffer; if (!(Peb->ProcessParameters->Flags & RTL_USER_PROC_PARAMS_NORMALIZED)) { pw = (PWSTR)((PCHAR)pw + (ULONG_PTR)(Peb->ProcessParameters)); } UnicodeImageName.Buffer = pw; UnicodeImageName.Length = Peb->ProcessParameters->ImagePathName.Length; UnicodeImageName.MaximumLength = UnicodeImageName.Length; // // Hack for NT4 SP4. So we don't overload another GlobalFlag // bit that we have to be "compatible" with for NT5, look for // another value named "DisableHeapLookaside". // LdrQueryImageFileExecutionOptions( &UnicodeImageName, L"DisableHeapLookaside", REG_DWORD, &RtlpDisableHeapLookaside, sizeof( RtlpDisableHeapLookaside ), NULL ); st = LdrQueryImageFileExecutionOptions( &UnicodeImageName, L"GlobalFlag", REG_DWORD, &Peb->NtGlobalFlag, sizeof( Peb->NtGlobalFlag ), NULL ); if (!NT_SUCCESS( st )) { if (Peb->BeingDebugged) { Peb->NtGlobalFlag |= FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_VALIDATE_PARAMETERS; } } #if defined(_WIN64) NtHeader = RtlImageNtHeader(Peb->ImageBaseAddress); if (NtHeader && NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) { UseWOW64 = TRUE; } #endif } if ( Peb->NtGlobalFlag & FLG_HEAP_PAGE_ALLOCS ) { // // We will enable page heap (RtlpDebugPageHeap) only after // all other initializations for page heap are finished. // // // If page heap is enabled we need to disable any flag that // might force creation of debug heaps for normal NT heaps. // This is due to a dependency between page heap and NT heap // where the page heap within PageHeapCreate tries to create // a normal NT heap to accomodate some of the allocations. // If we do not disable these flags we will get an infinite // recursion between RtlpDebugPageHeapCreate and RtlCreateHeap. // Peb->NtGlobalFlag &= ~( FLG_HEAP_ENABLE_TAGGING | FLG_HEAP_ENABLE_TAG_BY_DLL | FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS | FLG_HEAP_VALIDATE_ALL | FLG_USER_STACK_TRACE_DB ); // // Read page heap per process global flags. If we fail // to read a value, the default ones are kept. // LdrQueryImageFileExecutionOptions( &UnicodeImageName, L"PageHeapFlags", REG_DWORD, &RtlpDphGlobalFlags, sizeof(RtlpDphGlobalFlags), NULL ); // // Read several page heap parameters. // LdrQueryImageFileExecutionOptions( &UnicodeImageName, L"PageHeapSizeRangeStart", REG_DWORD, &RtlpDphSizeRangeStart, sizeof(RtlpDphSizeRangeStart), NULL ); LdrQueryImageFileExecutionOptions( &UnicodeImageName, L"PageHeapSizeRangeEnd", REG_DWORD, &RtlpDphSizeRangeEnd, sizeof(RtlpDphSizeRangeEnd), NULL ); LdrQueryImageFileExecutionOptions( &UnicodeImageName, L"PageHeapRandomProbability", REG_DWORD, &RtlpDphRandomProbability, sizeof(RtlpDphRandomProbability), NULL ); // // The two values below should be read as PVOIDs so that // this works on 64-bit architetures. However since this // feature relies on good stack traces and since we can get // reliable stack traces only on X86 architectures we will // leave it as it is. // LdrQueryImageFileExecutionOptions( &UnicodeImageName, L"PageHeapDllRangeStart", REG_DWORD, &RtlpDphDllRangeStart, sizeof(RtlpDphDllRangeStart), NULL ); LdrQueryImageFileExecutionOptions( &UnicodeImageName, L"PageHeapDllRangeEnd", REG_DWORD, &RtlpDphDllRangeEnd, sizeof(RtlpDphDllRangeEnd), NULL ); LdrQueryImageFileExecutionOptions( &UnicodeImageName, L"PageHeapTargetDlls", REG_SZ, &RtlpDphTargetDlls, 512, NULL ); // // Turn on BOOLEAN RtlpDebugPageHeap to indicate that // new heaps should be created with debug page heap manager // when possible. // RtlpDebugPageHeap = TRUE; } } #if defined(_ALPHA_) else if (Context != NULL) { LdrpSetGp( LdrpGpValue ); Context->IntGp = LdrpGpValue; } #endif // ALPHA // // Serialize for here on out // Peb->LoaderLock = (PVOID)&LoaderLock; if ( !RtlTryEnterCriticalSection(&LoaderLock) ) { if ( LoaderLockInitialized ) { RtlEnterCriticalSection(&LoaderLock); } else { // // drop into a 30ms delay loop // DelayValue.QuadPart = Int32x32To64( 30, -10000 ); while ( !LoaderLockInitialized ) { NtDelayExecution(FALSE,&DelayValue); } RtlEnterCriticalSection(&LoaderLock); } } if (Teb->DeallocationStack == NULL) { st = NtQueryVirtualMemory( NtCurrentProcess(), Teb->NtTib.StackLimit, MemoryBasicInformation, (PVOID)&MemInfo, sizeof(MemInfo), NULL ); if ( !NT_SUCCESS(st) ) { LdrpInitializationFailure(st); RtlRaiseStatus(st); return; } else { Teb->DeallocationStack = MemInfo.AllocationBase; #if defined(_IA64_) Teb->DeallocationBStore = (PVOID)((ULONG_PTR)MemInfo.AllocationBase + MemInfo.RegionSize); #endif // defined(_IA64_) } } InitStatus = STATUS_SUCCESS; try { if (!Peb->Ldr) { LdrpInLdrInit = TRUE; #if DBG // // Time the load. // if (LdrpDisplayLoadTime) { NtQueryPerformanceCounter(&BeginTime, NULL); } #endif // DBG try { InitStatus = LdrpInitializeProcess( Context, SystemArgument1, &UnicodeImageName ); } except ( EXCEPTION_EXECUTE_HANDLER ) { InitStatus = GetExceptionCode(); AlreadyFailed = TRUE; LdrpInitializationFailure(GetExceptionCode()); } #if DBG if (LdrpDisplayLoadTime) { NtQueryPerformanceCounter(&EndTime, NULL); NtQueryPerformanceCounter(&ElapsedTime, &Interval); ElapsedTime.QuadPart = EndTime.QuadPart - BeginTime.QuadPart; DbgPrint("\nLoadTime %ld In units of %ld cycles/second \n", ElapsedTime.LowPart, Interval.LowPart ); ElapsedTime.QuadPart = EndTime.QuadPart - InitbTime.QuadPart; DbgPrint("InitTime %ld\n", ElapsedTime.LowPart ); DbgPrint("Compares %d Bypasses %d Normal Snaps %d\nSecOpens %d SecCreates %d Maps %d Relocates %d\n", LdrpCompareCount, LdrpSnapBypass, LdrpNormalSnap, LdrpSectionOpens, LdrpSectionCreates, LdrpSectionMaps, LdrpSectionRelocates ); } #endif // DBG } else { if ( Peb->InheritedAddressSpace ) { InitStatus = LdrpForkProcess(); } else { #if defined (WX86) if (Teb->Vdm) { InitStatus = LdrpInitWx86(Teb->Vdm, Context, TRUE); } #endif #if defined(_WIN64) // // Load in WOW64 if the image is supposed to run simulated // if (UseWOW64) { RtlLeaveCriticalSection(&LoaderLock); (*Wow64LdrpInitialize)(Context); // This never returns. It will destroy the process. } #endif LdrpInitializeThread(Context); } } } finally { LdrpInLdrInit = FALSE; RtlLeaveCriticalSection(&LoaderLock); } NtTestAlert(); if (!NT_SUCCESS(InitStatus)) { if ( AlreadyFailed == FALSE ) { LdrpInitializationFailure(InitStatus); } RtlRaiseStatus(InitStatus); } }

VOID LdrpInitializePathCache (  VOID   )

NTSTATUS LdrpInitializeProcess (  IN PCONTEXT Context  OPTIONAL, IN PVOID  SystemDllBase, IN PUNICODE_STRING  UnicodeImageName )

Definition at line 616 of file ldrinit.c. References ASSERT, ATOM_TAG, CommandLine, DbgPrint, FALSE, FastPebLock, HeapParameters, InitTableInfo, L, LDR_TAG, LdrGetProcedureAddress(), LdrLoadDll(), LDRP_HASH_TABLE_SIZE, LdrpAllocateDataTableEntry(), LdrpDefaultPath, LdrpFetchAddressOfEntryPoint(), LdrpHashTable, LdrpImageEntry, LdrpInitializationFailure(), LdrpInitializeTls(), LdrpInsertMemoryTableEntry(), LdrpKnownDllObjectDirectory, LdrpKnownDllPath, LdrpKnownDllPathBuffer, LdrpLdrDatabaseIsSetup, LdrpNumberOfProcessors, LdrpReferenceLoadedDll, LdrpRelocateStartContext(), LdrpRunInitializeRoutines(), LdrpSetProtection(), LdrpVerifyDlls, LdrpWalkImportDescriptor(), LdrQueryApplicationCompatibilityGoo(), LdrQueryImageFileExecutionOptions(), LdrRelocateImage(), LoaderLock, LoaderLockInitialized, MAKE_TAG, NATIVE_PAGE_SIZE, NT_SUCCESS, NtAllocateVirtualMemory(), NtClose(), NtDllBase, NtdllBaseTag, NtdllpAllocateStringRoutine(), NtdllpFreeStringRoutine(), NtFreeVirtualMemory(), NtOpenDirectoryObject(), NtOpenSymbolicLinkObject(), NtQueryPerformanceCounter(), NtQuerySymbolicLinkObject(), NtSetInformationProcess(), NTSTATUS(), NtSystemRoot, NULL, PAGE_SIZE, RtlAllocateHeap, RtlAllocateStringRoutine, RtlAppendUnicodeStringToString(), RtlAppendUnicodeToString(), RtlCreateHeap(), RtlCreateTagHeap(), RtlCriticalSectionList, RtlFreeStringRoutine, RtlFreeUnicodeString(), RtlImageDirectoryEntryToData(), RtlImageNtHeader(), RtlInitAnsiString(), RtlInitializeAtomPackage(), RtlInitializeBitMap(), RtlInitializeCriticalSection(), RtlInitializeHeapManager(), RtlInitNlsTables(), RtlInitUnicodeString(), RtlNormalizeProcessParams(), RtlpDebugPageHeap, RtlpInitDeferedCriticalSection(), RtlpTimeout, RtlpTimoutDisable, RtlRaiseStatus(), RtlResetRtlTranslations(), RtlSetCurrentDirectory_U(), ShowSnaps, TlsBitMap, TlsExpansionBitMap, TRUE, Unicode, and USHORT. Referenced by LdrpInitialize(). : This function initializes the loader for the process. This includes: - Initializing the loader data table - Connecting to the loader subsystem - Initializing all staticly linked DLLs Arguments: Context - Supplies an optional context buffer that will be restore after all DLL initialization has been completed. If this parameter is NULL then this is a dynamic snap of this module. Otherwise this is a static snap prior to the user process gaining control. SystemDllBase - Supplies the base address of the system dll. Return Value: Status value --*/ { PPEB Peb; NTSTATUS st; PWCH p, pp; UNICODE_STRING CurDir; UNICODE_STRING FullImageName; UNICODE_STRING CommandLine; ULONG DebugProcessHeapOnly = 0 ; HANDLE LinkHandle; WCHAR SystemDllPathBuffer[DOS_MAX_PATH_LENGTH]; UNICODE_STRING SystemDllPath; PLDR_DATA_TABLE_ENTRY LdrDataTableEntry; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; UNICODE_STRING Unicode; OBJECT_ATTRIBUTES Obja; BOOLEAN StaticCurDir = FALSE; ULONG i; PIMAGE_NT_HEADERS NtHeader = RtlImageNtHeader( NtCurrentPeb()->ImageBaseAddress ); PIMAGE_LOAD_CONFIG_DIRECTORY ImageConfigData; ULONG ProcessHeapFlags; RTL_HEAP_PARAMETERS HeapParameters; NLSTABLEINFO InitTableInfo; LARGE_INTEGER LongTimeout; UNICODE_STRING NtSystemRoot; LONG_PTR Diff; ULONG_PTR OldBase; NtDllBase = SystemDllBase; if ( #if defined(_WIN64) NtHeader->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC && #endif NtHeader->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_NATIVE ) { // // Native subsystems load slower, but validate their DLLs // This is to help CSR detect bad images faster // LdrpVerifyDlls = TRUE; } Peb = NtCurrentPeb(); #if defined(BUILD_WOW6432) { // // The process is running in WOW64. Sort out the optional header // format and reformat the image if its page size is smaller than // the native page size. // PIMAGE_NT_HEADERS32 NtHeader32 = (PIMAGE_NT_HEADERS32)NtHeader; if (NtHeader32->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 && NtHeader32->OptionalHeader.SectionAlignment < NATIVE_PAGE_SIZE && !NT_SUCCESS(st = LdrpWx86FormatVirtualImage(NtHeader32, NtCurrentPeb()->ImageBaseAddress //bugbug: should be: (PVOID)NtHeader32->OptionalHeader.ImageBase ))) { return st; } } #elif defined (_ALPHA_) && defined (WX86) // // Deal with the native page size which is larger than x86 // This needs to be done before any code reads beyond the file headers. // if (NtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_I386 && NtHeader->OptionalHeader.SectionAlignment < PAGE_SIZE && !NT_SUCCESS(st = LdrpWx86FormatVirtualImage((PIMAGE_NT_HEADERS32)NtHeader, (PVOID)NtHeader->OptionalHeader.ImageBase ))) { return st; } #endif LdrpNumberOfProcessors = Peb->NumberOfProcessors; RtlpTimeout = Peb->CriticalSectionTimeout; LongTimeout.QuadPart = Int32x32To64( 3600, -10000000 ); if (ProcessParameters = RtlNormalizeProcessParams(Peb->ProcessParameters)) { FullImageName = *(PUNICODE_STRING)&ProcessParameters->ImagePathName; CommandLine = *(PUNICODE_STRING)&ProcessParameters->CommandLine; } else { RtlInitUnicodeString( &FullImageName, NULL ); RtlInitUnicodeString( &CommandLine, NULL ); } RtlInitNlsTables( Peb->AnsiCodePageData, Peb->OemCodePageData, Peb->UnicodeCaseTableData, &InitTableInfo ); RtlResetRtlTranslations(&InitTableInfo); #if defined(_WIN64) if (UseWOW64) { // // Ignore image config data when initializing the 64-bit loader. // The 32-bit loader in ntdll32 will look at the config data // and do the right thing. // ImageConfigData = NULL; } else #endif { ImageConfigData = RtlImageDirectoryEntryToData( Peb->ImageBaseAddress, TRUE, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, &i ); } RtlZeroMemory( &HeapParameters, sizeof( HeapParameters ) ); ProcessHeapFlags = HEAP_GROWABLE | HEAP_CLASS_0; HeapParameters.Length = sizeof( HeapParameters ); if (ImageConfigData != NULL && i == sizeof( *ImageConfigData )) { Peb->NtGlobalFlag &= ~ImageConfigData->GlobalFlagsClear; Peb->NtGlobalFlag |= ImageConfigData->GlobalFlagsSet; if (ImageConfigData->CriticalSectionDefaultTimeout != 0) { // // Convert from milliseconds to NT time scale (100ns) // RtlpTimeout.QuadPart = Int32x32To64( (LONG)ImageConfigData->CriticalSectionDefaultTimeout, -10000 ); } if (ImageConfigData->ProcessHeapFlags != 0) { ProcessHeapFlags = ImageConfigData->ProcessHeapFlags; } if (ImageConfigData->DeCommitFreeBlockThreshold != 0) { HeapParameters.DeCommitFreeBlockThreshold = ImageConfigData->DeCommitFreeBlockThreshold; } if (ImageConfigData->DeCommitTotalFreeThreshold != 0) { HeapParameters.DeCommitTotalFreeThreshold = ImageConfigData->DeCommitTotalFreeThreshold; } if (ImageConfigData->MaximumAllocationSize != 0) { HeapParameters.MaximumAllocationSize = ImageConfigData->MaximumAllocationSize; } if (ImageConfigData->VirtualMemoryThreshold != 0) { HeapParameters.VirtualMemoryThreshold = ImageConfigData->VirtualMemoryThreshold; } } // // // // Check if the image has the fast heap flag set // // // // if (NtHeader->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FAST_HEAP) { // RtlpDisableHeapLookaside = 0; // } else { // RtlpDisableHeapLookaside = 1; // } ShowSnaps = (BOOLEAN)(FLG_SHOW_LDR_SNAPS & Peb->NtGlobalFlag); // // This field is non-zero if the image file that was used to create this // process contained a non-zero value in its image header. If so, then // set the affinity mask for the process using this value. It could also // be non-zero if the parent process created us suspended and poked our // PEB with a non-zero value before resuming. // if (Peb->ImageProcessAffinityMask) { st = NtSetInformationProcess( NtCurrentProcess(), ProcessAffinityMask, &Peb->ImageProcessAffinityMask, sizeof( Peb->ImageProcessAffinityMask ) ); if (NT_SUCCESS( st )) { KdPrint(( "LDR: Using ProcessAffinityMask of 0x%x from image.\n", Peb->ImageProcessAffinityMask )); } else { KdPrint(( "LDR: Failed to set ProcessAffinityMask of 0x%x from image (Status == %08x).\n", Peb->ImageProcessAffinityMask, st )); } } if (RtlpTimeout.QuadPart < LongTimeout.QuadPart) { RtlpTimoutDisable = TRUE; } if (ShowSnaps) { DbgPrint( "LDR: PID: 0x%x started - '%wZ'\n", NtCurrentTeb()->ClientId.UniqueProcess, &CommandLine ); } for(i=0;i<LDRP_HASH_TABLE_SIZE;i++) { InitializeListHead(&LdrpHashTable[i]); } // // Initialize the critical section package. // RtlpInitDeferedCriticalSection(); Peb->TlsBitmap = (PVOID)&TlsBitMap; Peb->TlsExpansionBitmap = (PVOID)&TlsExpansionBitMap; RtlInitializeBitMap ( &TlsBitMap, &Peb->TlsBitmapBits[0], TLS_MINIMUM_AVAILABLE ); RtlInitializeBitMap ( &TlsExpansionBitMap, &Peb->TlsExpansionBitmapBits[0], TLS_EXPANSION_SLOTS ); InsertTailList(&RtlCriticalSectionList, &LoaderLock.DebugInfo->ProcessLocksList); LoaderLock.DebugInfo->CriticalSection = &LoaderLock; LoaderLockInitialized = TRUE; // // Initialize the stack trace data base if requested // #if i386 if (Peb->NtGlobalFlag & FLG_USER_STACK_TRACE_DB) { PVOID BaseAddress = NULL; ULONG ReserveSize = 2 * 1024 * 1024; st = NtAllocateVirtualMemory( NtCurrentProcess(), (PVOID *)&BaseAddress, 0, &ReserveSize, MEM_RESERVE, PAGE_READWRITE ); if ( NT_SUCCESS( st ) ) { st = RtlInitializeStackTraceDataBase( BaseAddress, 0, ReserveSize ); if ( !NT_SUCCESS( st ) ) { NtFreeVirtualMemory( NtCurrentProcess(), (PVOID *)&BaseAddress, &ReserveSize, MEM_RELEASE ); } else { Peb->NtGlobalFlag |= FLG_HEAP_VALIDATE_PARAMETERS; } } } #endif // i386 // // Initialize the loader data based in the PEB. // st = RtlInitializeCriticalSection(&FastPebLock); if ( !NT_SUCCESS(st) ) { return st; } Peb->FastPebLock = &FastPebLock; Peb->FastPebLockRoutine = (PVOID)&RtlEnterCriticalSection; Peb->FastPebUnlockRoutine = (PVOID)&RtlLeaveCriticalSection; RtlInitializeHeapManager(); #if defined(_WIN64) if (UseWOW64) { // // Create a heap using all defaults. The 32-bit process heap // will be created later by ntdll32 using the parameters from the exe. // Peb->ProcessHeap = RtlCreateHeap( ProcessHeapFlags, NULL, 0, 0, NULL, &HeapParameters ); } else #endif { if (NtHeader->OptionalHeader.MajorSubsystemVersion <= 3 && NtHeader->OptionalHeader.MinorSubsystemVersion < 51 ) { ProcessHeapFlags |= HEAP_CREATE_ALIGN_16; } Peb->ProcessHeap = RtlCreateHeap( ProcessHeapFlags, NULL, NtHeader->OptionalHeader.SizeOfHeapReserve, NtHeader->OptionalHeader.SizeOfHeapCommit, NULL, // Lock to use for serialization &HeapParameters ); } if (Peb->ProcessHeap == NULL) { return STATUS_NO_MEMORY; } NtdllBaseTag = RtlCreateTagHeap( Peb->ProcessHeap, 0, L"NTDLL!", L"!Process\0" // Heap Name L"CSRSS Client\0" L"LDR Database\0" L"Current Directory\0" L"TLS Storage\0" L"DBGSS Client\0" L"SE Temporary\0" L"Temporary\0" L"LocalAtom\0" ); RtlAllocateStringRoutine = NtdllpAllocateStringRoutine; RtlFreeStringRoutine = NtdllpFreeStringRoutine; RtlInitializeAtomPackage( MAKE_TAG( ATOM_TAG ) ); // // Allow only the process heap to have page allocations turned on // st = LdrQueryImageFileExecutionOptions( UnicodeImageName, L"DebugProcessHeapOnly", REG_DWORD, &DebugProcessHeapOnly, sizeof( DebugProcessHeapOnly ), NULL ); if (NT_SUCCESS( st )) { if ( RtlpDebugPageHeap && ( DebugProcessHeapOnly != 0 ) ) { RtlpDebugPageHeap = FALSE ; } } SystemDllPath.Buffer = SystemDllPathBuffer; SystemDllPath.Length = 0; SystemDllPath.MaximumLength = sizeof( SystemDllPathBuffer ); RtlInitUnicodeString( &NtSystemRoot, USER_SHARED_DATA->NtSystemRoot ); RtlAppendUnicodeStringToString( &SystemDllPath, &NtSystemRoot ); RtlAppendUnicodeToString( &SystemDllPath, L"\\System32\\" ); RtlInitUnicodeString(&Unicode,L"\\KnownDlls"); InitializeObjectAttributes( &Obja, &Unicode, OBJ_CASE_INSENSITIVE, NULL, NULL ); st = NtOpenDirectoryObject( &LdrpKnownDllObjectDirectory, DIRECTORY_QUERY | DIRECTORY_TRAVERSE, &Obja ); if ( !NT_SUCCESS(st) ) { LdrpKnownDllObjectDirectory = NULL; // KnownDlls directory doesn't exist - assume it's system32. RtlInitUnicodeString(&LdrpKnownDllPath, SystemDllPath.Buffer); LdrpKnownDllPath.Length -= sizeof(WCHAR); // remove trailing '\' } else { // // Open up the known dll pathname link // and query its value // RtlInitUnicodeString(&Unicode,L"KnownDllPath"); InitializeObjectAttributes( &Obja, &Unicode, OBJ_CASE_INSENSITIVE, LdrpKnownDllObjectDirectory, NULL ); st = NtOpenSymbolicLinkObject( &LinkHandle, SYMBOLIC_LINK_QUERY, &Obja ); if (NT_SUCCESS( st )) { LdrpKnownDllPath.Length = 0; LdrpKnownDllPath.MaximumLength = sizeof(LdrpKnownDllPathBuffer); LdrpKnownDllPath.Buffer = LdrpKnownDllPathBuffer; st = NtQuerySymbolicLinkObject( LinkHandle, &LdrpKnownDllPath, NULL ); NtClose(LinkHandle); if ( !NT_SUCCESS(st) ) { return st; } } else { return st; } } if (ProcessParameters) { // // If the process was created with process parameters, // than extract: // // - Library Search Path // // - Starting Current Directory // if (ProcessParameters->DllPath.Length) { LdrpDefaultPath = *(PUNICODE_STRING)&ProcessParameters->DllPath; } else { LdrpInitializationFailure( STATUS_INVALID_PARAMETER ); } StaticCurDir = TRUE; CurDir = ProcessParameters->CurrentDirectory.DosPath; if (CurDir.Buffer == NULL || CurDir.Buffer[ 0 ] == UNICODE_NULL || CurDir.Length == 0) { CurDir.Buffer = (RtlAllocateStringRoutine)( (3+1) * sizeof( WCHAR ) ); ASSERT(CurDir.Buffer != NULL); RtlMoveMemory( CurDir.Buffer, USER_SHARED_DATA->NtSystemRoot, 3 * sizeof( WCHAR ) ); CurDir.Buffer[ 3 ] = UNICODE_NULL; } } // // Make sure the module data base is initialized before we take any // exceptions. // Peb->Ldr = RtlAllocateHeap(Peb->ProcessHeap, MAKE_TAG( LDR_TAG ), sizeof(PEB_LDR_DATA)); if ( !Peb->Ldr ) { RtlRaiseStatus(STATUS_NO_MEMORY); } Peb->Ldr->Length = sizeof(PEB_LDR_DATA); Peb->Ldr->Initialized = TRUE; Peb->Ldr->SsHandle = NULL; InitializeListHead(&Peb->Ldr->InLoadOrderModuleList); InitializeListHead(&Peb->Ldr->InMemoryOrderModuleList); InitializeListHead(&Peb->Ldr->InInitializationOrderModuleList); // // Allocate the first data table entry for the image. Since we // have already mapped this one, we need to do the allocation by hand. // Its characteristics identify it as not a Dll, but it is linked // into the table so that pc correlation searching doesn't have to // be special cased. // LdrDataTableEntry = LdrpImageEntry = LdrpAllocateDataTableEntry(Peb->ImageBaseAddress); LdrDataTableEntry->LoadCount = (USHORT)0xffff; LdrDataTableEntry->EntryPoint = LdrpFetchAddressOfEntryPoint(LdrDataTableEntry->DllBase); LdrDataTableEntry->FullDllName = FullImageName; LdrDataTableEntry->Flags = 0; // p = strrchr(FullImageName, '\\'); pp = UNICODE_NULL; p = FullImageName.Buffer; while (*p) { if (*p++ == (WCHAR)'\\') { pp = p; } } LdrDataTableEntry->FullDllName.Length = (USHORT)((ULONG_PTR)p - (ULONG_PTR)FullImageName.Buffer); LdrDataTableEntry->FullDllName.MaximumLength = LdrDataTableEntry->FullDllName.Length + (USHORT)sizeof(UNICODE_NULL); if (pp) { LdrDataTableEntry->BaseDllName.Length = (USHORT)((ULONG_PTR)p - (ULONG_PTR)pp); LdrDataTableEntry->BaseDllName.MaximumLength = LdrDataTableEntry->BaseDllName.Length + (USHORT)sizeof(UNICODE_NULL); LdrDataTableEntry->BaseDllName.Buffer = RtlAllocateHeap(Peb->ProcessHeap, MAKE_TAG( LDR_TAG ), LdrDataTableEntry->BaseDllName.MaximumLength ); RtlMoveMemory(LdrDataTableEntry->BaseDllName.Buffer, pp, LdrDataTableEntry->BaseDllName.MaximumLength ); } else { LdrDataTableEntry->BaseDllName = LdrDataTableEntry->FullDllName; } LdrpInsertMemoryTableEntry(LdrDataTableEntry); LdrDataTableEntry->Flags |= LDRP_ENTRY_PROCESSED; if (ShowSnaps) { DbgPrint( "LDR: NEW PROCESS\n" ); DbgPrint( " Image Path: %wZ (%wZ)\n", &LdrDataTableEntry->FullDllName, &LdrDataTableEntry->BaseDllName ); DbgPrint( " Current Directory: %wZ\n", &CurDir ); DbgPrint( " Search Path: %wZ\n", &LdrpDefaultPath ); } // // The process references the system DLL, so map this one next. Since // we have already mapped this one, we need to do the allocation by // hand. Since every application will be statically linked to the // system Dll, we'll keep the LoadCount initialized to 0. // LdrDataTableEntry = LdrpAllocateDataTableEntry(SystemDllBase); LdrDataTableEntry->Flags = (USHORT)LDRP_IMAGE_DLL; LdrDataTableEntry->EntryPoint = LdrpFetchAddressOfEntryPoint(LdrDataTableEntry->DllBase); LdrDataTableEntry->LoadCount = (USHORT)0xffff; LdrDataTableEntry->BaseDllName.Length = SystemDllPath.Length; RtlAppendUnicodeToString( &SystemDllPath, L"ntdll.dll" ); LdrDataTableEntry->BaseDllName.Length = SystemDllPath.Length - LdrDataTableEntry->BaseDllName.Length; LdrDataTableEntry->BaseDllName.MaximumLength = LdrDataTableEntry->BaseDllName.Length + sizeof( UNICODE_NULL ); LdrDataTableEntry->FullDllName.Buffer = (RtlAllocateStringRoutine)( SystemDllPath.Length + sizeof( UNICODE_NULL ) ); ASSERT(LdrDataTableEntry->FullDllName.Buffer != NULL); RtlMoveMemory( LdrDataTableEntry->FullDllName.Buffer, SystemDllPath.Buffer, SystemDllPath.Length ); LdrDataTableEntry->FullDllName.Buffer[ SystemDllPath.Length / sizeof( WCHAR ) ] = UNICODE_NULL; LdrDataTableEntry->FullDllName.Length = SystemDllPath.Length; LdrDataTableEntry->FullDllName.MaximumLength = SystemDllPath.Length + sizeof( UNICODE_NULL ); LdrDataTableEntry->BaseDllName.Buffer = (PWSTR) ((PCHAR)(LdrDataTableEntry->FullDllName.Buffer) + LdrDataTableEntry->FullDllName.Length - LdrDataTableEntry->BaseDllName.Length ); LdrpInsertMemoryTableEntry(LdrDataTableEntry); // // Add init routine to list // InsertHeadList(&Peb->Ldr->InInitializationOrderModuleList, &LdrDataTableEntry->InInitializationOrderLinks); // // Inherit the current directory // st = RtlSetCurrentDirectory_U(&CurDir); if (!NT_SUCCESS(st)) { if ( !StaticCurDir ) { RtlFreeUnicodeString(&CurDir); } CurDir = NtSystemRoot; st = RtlSetCurrentDirectory_U(&CurDir); } else { if ( !StaticCurDir ) { RtlFreeUnicodeString(&CurDir); } } #if defined(WX86) // // Load in x86 emulator for risc (Wx86.dll) // if (NtHeader->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) { st = LdrpLoadWx86Dll(Context); if (!NT_SUCCESS(st)) { return st; } } #endif #if defined(_WIN64) // // Load in WOW64 if the image is supposed to run simulated // if (UseWOW64) { UNICODE_STRING Wow64Name; ANSI_STRING ProcName; RtlInitUnicodeString(&Wow64Name, L"wow64.dll"); st = LdrLoadDll(NULL, NULL, &Wow64Name, &Wow64Handle); if (!NT_SUCCESS(st)) { if (ShowSnaps) { DbgPrint("wow64.dll not found. Status=%x\n", st); } return st; } // // Get the entrypoints. They are roughly cloned from ntos\ps\psinit.c // PspInitSystemDll(). // RtlInitAnsiString(&ProcName, "Wow64LdrpInitialize"); st = LdrGetProcedureAddress(Wow64Handle, &ProcName, 0, (PVOID *)&Wow64LdrpInitialize); if (!NT_SUCCESS(st)) { if (ShowSnaps) { DbgPrint("Wow64LdrpInitialize not found. Status=%x\n", st); } return st; } RtlInitAnsiString(&ProcName, "Wow64PrepareForException"); st = LdrGetProcedureAddress(Wow64Handle, &ProcName, 0, (PVOID *)&Wow64PrepareForException); if (!NT_SUCCESS(st)) { if (ShowSnaps) { DbgPrint("Wow64PrepareForException not found. Status=%x\n", st); } return st; } DbgPrint("WARNING: PROCESS HAS BEEN CONVERTED TO WOW64!!!\n"); if (Peb->ProcessParameters) { DbgPrint("CommandLine: %wZ\n", &Peb->ProcessParameters->CommandLine); DbgPrint("ImagePathName: %wZ\n", &Peb->ProcessParameters->ImagePathName); } // // Now that all DLLs are loaded, if the process is being debugged, // signal the debugger with an exception // if ( Peb->BeingDebugged ) { DbgBreakPoint(); } // // Release the loaderlock now - this thread doesn't need it any more. // RtlLeaveCriticalSection(&LoaderLock); // // Call wow64 to load and run 32-bit ntdll.dll. // (*Wow64LdrpInitialize)(Context); // This never returns. It will destroy the process. } #endif st = LdrpWalkImportDescriptor( LdrpDefaultPath.Buffer, LdrpImageEntry ); if ((PVOID)NtHeader->OptionalHeader.ImageBase != NtCurrentPeb()->ImageBaseAddress ) { // // The executable is not at its original address. It must be // relocated now. // PVOID ViewBase; NTSTATUS status; ViewBase = NtCurrentPeb()->ImageBaseAddress; status = LdrpSetProtection(ViewBase, FALSE, TRUE); if (!NT_SUCCESS(status)) { return status; } status = (NTSTATUS)LdrRelocateImage(ViewBase, "LDR", (ULONG)STATUS_SUCCESS, (ULONG)STATUS_CONFLICTING_ADDRESSES, (ULONG)STATUS_INVALID_IMAGE_FORMAT ); if (!NT_SUCCESS(status)) { return status; } // // Update the initial thread context record as per the relocation. // if (Context) { OldBase = NtHeader->OptionalHeader.ImageBase; Diff = (PCHAR)ViewBase - (PCHAR)OldBase; LdrpRelocateStartContext(Context, Diff); } status = LdrpSetProtection(ViewBase, TRUE, TRUE); if (!NT_SUCCESS(status)) { return status; } } #if defined (_ALPHA_) // // Find and apply Alpha architecture fixups for this image // AlphaFindArchitectureFixups(NtHeader, NtCurrentPeb()->ImageBaseAddress, TRUE); #endif LdrpReferenceLoadedDll(LdrpImageEntry); // // Lock the loaded DLLs to prevent dlls that back link to the exe to // cause problems when they are unloaded. // { PLDR_DATA_TABLE_ENTRY Entry; PLIST_ENTRY Head,Next; Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Entry->LoadCount = 0xffff; Next = Next->Flink; } } // // All static DLLs are now pinned in place. No init routines have been run yet // LdrpLdrDatabaseIsSetup = TRUE; if (!NT_SUCCESS(st)) { #if DBG DbgPrint("LDR: Initialize of image failed. Returning Error Status\n"); #endif return st; } if ( !NT_SUCCESS(LdrpInitializeTls()) ) { return st; } // // Now that all DLLs are loaded, if the process is being debugged, // signal the debugger with an exception // if ( Peb->BeingDebugged ) { DbgBreakPoint(); ShowSnaps = (BOOLEAN)(FLG_SHOW_LDR_SNAPS & Peb->NtGlobalFlag); } #if defined (_X86_) if ( LdrpNumberOfProcessors > 1 ) { LdrpValidateImageForMp(LdrDataTableEntry); } #endif #if DBG if (LdrpDisplayLoadTime) { NtQueryPerformanceCounter(&InitbTime, NULL); } #endif // DBG // // Get all application goo here (hacks, flags, etc.) // LdrQueryApplicationCompatibilityGoo(UnicodeImageName); st = LdrpRunInitializeRoutines(Context); if ( NT_SUCCESS(st) && Peb->PostProcessInitRoutine ) { (Peb->PostProcessInitRoutine)(); } return st; }

NTSTATUS LdrpInitializeTls (  VOID   )

Definition at line 1978 of file ldrinit.c. References DbgPrint, FALSE, LdrpAllocateTls(), LdrpImageHasTls, LdrpNumberOfTlsEntries, LdrpTlsList, MAKE_TAG, PLDRP_TLS_ENTRY, RtlAllocateHeap, RtlImageDirectoryEntryToData(), RtlpSerializeHeap(), ShowSnaps, TLS_TAG, TRUE, and USHORT. Referenced by LdrpInitializeProcess(). { PLDR_DATA_TABLE_ENTRY Entry; PLIST_ENTRY Head,Next; PIMAGE_TLS_DIRECTORY TlsImage; PLDRP_TLS_ENTRY TlsEntry; ULONG TlsSize; BOOLEAN FirstTimeThru = TRUE; InitializeListHead(&LdrpTlsList); // // Walk through the loaded modules an look for TLS. If we find TLS, // lock in the module and add to the TLS chain. // Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; Next = Head->Flink; while ( Next != Head ) { Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); Next = Next->Flink; TlsImage = (PIMAGE_TLS_DIRECTORY)RtlImageDirectoryEntryToData( Entry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_TLS, &TlsSize ); // // mark whether or not the image file has TLS // if ( FirstTimeThru ) { FirstTimeThru = FALSE; if ( TlsImage && !LdrpImageHasTls) { RtlpSerializeHeap( RtlProcessHeap() ); LdrpImageHasTls = TRUE; } } if ( TlsImage ) { if (ShowSnaps) { DbgPrint( "LDR: Tls Found in %wZ at %lx\n", &Entry->BaseDllName, TlsImage ); } TlsEntry = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( TLS_TAG ),sizeof(*TlsEntry)); if ( !TlsEntry ) { return STATUS_NO_MEMORY; } // // Since this DLL has TLS, lock it in // Entry->LoadCount = (USHORT)0xffff; // // Mark this as having thread local storage // Entry->TlsIndex = (USHORT)0xffff; TlsEntry->Tls = *TlsImage; InsertTailList(&LdrpTlsList,&TlsEntry->Links); // // Update the index for this dll's thread local storage // *(PLONG)TlsEntry->Tls.AddressOfIndex = LdrpNumberOfTlsEntries; TlsEntry->Tls.Characteristics = LdrpNumberOfTlsEntries++; } } // // We now have walked through all static DLLs and know // all DLLs that reference thread local storage. Now we // just have to allocate the thread local storage for the current // thread and for all subsequent threads // return LdrpAllocateTls(); }

VOID LdrpInsertMemoryTableEntry (  IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry  )

Definition at line 3084 of file ldrsnap.c. References LDRP_COMPUTE_HASH_INDEX, and LdrpHashTable. Referenced by LdrpInitializeProcess(), and LdrpMapDll(). : This function inserts a loader data table entry into the list of loaded modules for this process. The insertion is done in "image memory base order". Arguments: LdrDataTableEntry - Supplies the address of the loader data table entry to insert in the list of loaded modules for this process. Return Value: None. --*/ { PPEB_LDR_DATA Ldr; ULONG i; Ldr = NtCurrentPeb()->Ldr; i = LDRP_COMPUTE_HASH_INDEX(LdrDataTableEntry->BaseDllName.Buffer[0]); InsertTailList(&LdrpHashTable[i],&LdrDataTableEntry->HashLinks); InsertTailList(&Ldr->InLoadOrderModuleList, &LdrDataTableEntry->InLoadOrderLinks); InsertTailList(&Ldr->InMemoryOrderModuleList, &LdrDataTableEntry->InMemoryOrderLinks); }

NTSTATUS NTAPI LdrpLoadDll (  IN PWSTR DllPath  OPTIONAL, IN PULONG DllCharacteristics  OPTIONAL, IN PUNICODE_STRING  DllName, OUT PVOID *  DllHandle, IN BOOLEAN  RunInitRoutines )

Definition at line 70 of file ldrapi.c. References DbgPrint, DLLEXTENSION, EXCEPTION_EXECUTE_HANDLER, FALSE, L, LdrpCheckForLoadedDll(), LdrpClearLoadInProgress(), LdrpInLdrInit, LdrpLdrDatabaseIsSetup, LdrpMapDll(), LdrpReferenceLoadedDll, LdrpRunInitializeRoutines(), LdrpWalkImportDescriptor(), LdrUnloadDll(), LoaderLock, NT_SUCCESS, NTSTATUS(), NULL, RtlInitUnicodeString(), and ShowSnaps. Referenced by LdrLoadDll(), and LdrpSnapThunk(). { PPEB Peb; PTEB Teb; NTSTATUS st; PLDR_DATA_TABLE_ENTRY LdrDataTableEntry; PWSTR ActualDllName; PWCH p, pp; UNICODE_STRING ActualDllNameStr; BOOLEAN Wx86KnownDll = FALSE; WCHAR FreeBuffer[266]; Peb = NtCurrentPeb(); Teb = NtCurrentTeb(); st = STATUS_SUCCESS; try { // // Grab Peb lock and Snap All Links to specified DLL // if ( LdrpInLdrInit == FALSE ) { RtlEnterCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock); } #if defined (WX86) if (Teb->Wx86Thread.UseKnownWx86Dll) { Wx86KnownDll = Teb->Wx86Thread.UseKnownWx86Dll; Teb->Wx86Thread.UseKnownWx86Dll = FALSE; } #endif p = DllName->Buffer; pp = NULL; while (*p) { if (*p++ == (WCHAR)'.') { // // pp will point to first character after last '.' // pp = p; } } ActualDllName = FreeBuffer; if ( DllName->Length >= sizeof(FreeBuffer)) { return STATUS_NAME_TOO_LONG; } RtlMoveMemory(ActualDllName, DllName->Buffer, DllName->Length); if (!pp || *pp == (WCHAR)'\\') { // // No extension found (just ..\) // if ( DllName->Length+10 >= sizeof(FreeBuffer) ) { return STATUS_NAME_TOO_LONG; } RtlMoveMemory((PCHAR)ActualDllName+DllName->Length, DLLEXTENSION, 10); } else { ActualDllName[DllName->Length >> 1] = UNICODE_NULL; } if (ShowSnaps) { DbgPrint("LDR: LdrLoadDll, loading %ws from %ws\n", ActualDllName, ARGUMENT_PRESENT(DllPath) ? DllPath : L"" ); } RtlInitUnicodeString(&ActualDllNameStr,ActualDllName); ActualDllNameStr.MaximumLength = sizeof(FreeBuffer); if (!LdrpCheckForLoadedDll( DllPath, &ActualDllNameStr, FALSE, Wx86KnownDll, &LdrDataTableEntry ) ) { st = LdrpMapDll(DllPath, ActualDllName, DllCharacteristics, FALSE, Wx86KnownDll, &LdrDataTableEntry ); if (!NT_SUCCESS(st)) { return st; } if (ARGUMENT_PRESENT( DllCharacteristics ) && *DllCharacteristics & IMAGE_FILE_EXECUTABLE_IMAGE ) { LdrDataTableEntry->EntryPoint = 0; LdrDataTableEntry->Flags &= ~LDRP_IMAGE_DLL; } // // and walk the import descriptor. // if (LdrDataTableEntry->Flags & LDRP_IMAGE_DLL) { try { st = LdrpWalkImportDescriptor( DllPath, LdrDataTableEntry ); } except(EXCEPTION_EXECUTE_HANDLER) { st = GetExceptionCode(); } if ( LdrDataTableEntry->LoadCount != 0xffff ) { LdrDataTableEntry->LoadCount++; } LdrpReferenceLoadedDll(LdrDataTableEntry); if (!NT_SUCCESS(st)) { LdrDataTableEntry->EntryPoint = NULL; InsertTailList(&NtCurrentPeb()->Ldr->InInitializationOrderModuleList, &LdrDataTableEntry->InInitializationOrderLinks); LdrpClearLoadInProgress(); LdrUnloadDll((PVOID)LdrDataTableEntry->DllBase); return st; } } else { if ( LdrDataTableEntry->LoadCount != 0xffff ) { LdrDataTableEntry->LoadCount++; } } // // Add init routine to list // InsertTailList(&NtCurrentPeb()->Ldr->InInitializationOrderModuleList, &LdrDataTableEntry->InInitializationOrderLinks); // // If the loader data base is not fully setup, this load was because // of a forwarder in the static load set. Can't run init routines // yet because the load counts are NOT set // if ( RunInitRoutines && LdrpLdrDatabaseIsSetup ) { try { st = LdrpRunInitializeRoutines(NULL); if ( !NT_SUCCESS(st) ) { LdrUnloadDll((PVOID)LdrDataTableEntry->DllBase); } } except( EXCEPTION_EXECUTE_HANDLER ) { LdrUnloadDll((PVOID)LdrDataTableEntry->DllBase); return GetExceptionCode(); } } else { st = STATUS_SUCCESS; } } else { // // Count it. And everything that it imports. // if ( LdrDataTableEntry->Flags & LDRP_IMAGE_DLL && LdrDataTableEntry->LoadCount != 0xffff ) { LdrDataTableEntry->LoadCount++; LdrpReferenceLoadedDll(LdrDataTableEntry); // // Now clear the Load in progress bits // LdrpClearLoadInProgress(); } else { if ( LdrDataTableEntry->LoadCount != 0xffff ) { LdrDataTableEntry->LoadCount++; } } } } finally { if ( LdrpInLdrInit == FALSE ) { RtlLeaveCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock); } } if ( NT_SUCCESS(st) ) { *DllHandle = (PVOID)LdrDataTableEntry->DllBase; } else { *DllHandle = NULL; } return st; }

NTSTATUS LdrpMapDll (  IN PWSTR DllPath  OPTIONAL, IN PWSTR  DllName, IN PULONG DllCharacteristics  OPTIONAL, IN BOOLEAN  StaticLink, IN BOOLEAN  Wx86KnownDll, OUT PLDR_DATA_TABLE_ENTRY *  LdrDataTableEntry )

Definition at line 1261 of file ldrsnap.c. References Action, DbgPrint, FALSE, L, LdrpAllocateDataTableEntry(), LdrpCheckForKnownDll(), LdrpCreateDllSection(), LdrpDefaultPath, LdrpFatalHardErrorCount, LdrpFetchAddressOfEntryPoint(), LdrpInLdrInit, LdrpInsertMemoryTableEntry(), LdrpKnownDllObjectDirectory, LdrpNumberOfProcessors, LdrpResolveDllName(), LdrpSetProtection(), LdrRelocateImage(), NATIVE_PAGE_SIZE, NT_ERROR, NT_SUCCESS, NtClose(), NtMapViewOfSection(), NtQueryPerformanceCounter(), NtRaiseHardError(), NTSTATUS(), NtUnmapViewOfSection(), NULL, PAGE_SIZE, RtlDosPathNameToNtPathName_U(), RtlEqualUnicodeString(), RtlFreeHeap, RtlFreeUnicodeString(), RtlImageDirectoryEntryToData(), RtlImageNtHeader(), RtlInitUnicodeString(), ShowSnaps, TRUE, type, and USHORT. Referenced by LdrpLoadDll(), and LdrpLoadImportModule(). : This routine maps the DLL into the users address space. Arguments: DllPath - Supplies an optional search path to be used to locate the DLL. DllName - Supplies the name of the DLL to load. StaticLink - TRUE if this DLL has a static link to it. Wx86KnownDll - TRUE, treat Importer as x86 LdrDataTableEntry - Supplies the address of the data table entry. Return Value: Status value. --*/ { NTSTATUS st; PVOID ViewBase; PTEB Teb = NtCurrentTeb(); SIZE_T ViewSize; HANDLE Section, DllFile; UNICODE_STRING FullDllName, BaseDllName; UNICODE_STRING NtFileName; PLDR_DATA_TABLE_ENTRY Entry; PIMAGE_NT_HEADERS NtHeaders; PVOID ArbitraryUserPointer; BOOLEAN KnownDll; UNICODE_STRING CollidingDll; PUCHAR ImageBase, ImageBounds, ScanBase, ScanTop; PLDR_DATA_TABLE_ENTRY ScanEntry; PLIST_ENTRY ScanHead,ScanNext; BOOLEAN CollidingDllFound; NTSTATUS ErrorStatus; ULONG_PTR ErrorParameters[2]; ULONG ErrorResponse; #if defined (WX86) BOOLEAN Wx86Plugin = FALSE; #endif // // Get section handle of DLL being snapped // #if LDRDBG if (ShowSnaps) { DbgPrint("LDR: LdrpMapDll: Image Name %ws, Search Path %ws\n", DllName, ARGUMENT_PRESENT(DllPath) ? DllPath : L"" ); } #endif Entry = NULL; KnownDll = FALSE; Section = NULL; if ( LdrpKnownDllObjectDirectory && !Wx86KnownDll) { PWCH p = DllName; WCHAR wch; // // Skip the KnownDll check if this is an explicit path. // while (*p) { wch = *p++; if (wch == (WCHAR)'\\' || wch == (WCHAR)'/' ) { goto SkipKnownDllCheck; } } Section = LdrpCheckForKnownDll( DllName, &FullDllName, &BaseDllName ); } SkipKnownDllCheck: if ( !Section ) { #if defined (WX86) if (Wx86ProcessInit) { RtlInitUnicodeString(&BaseDllName, DllName); st = LdrpWx86MapDll(DllPath, DllCharacteristics, Wx86KnownDll, StaticLink, &BaseDllName, &Entry, &ViewSize, &Section ); if (st == STATUS_DLL_NOT_FOUND) { goto Wx86MapDllNotFound; } if (!NT_SUCCESS(st)) { return st; } ViewBase = Entry->DllBase; FullDllName = Entry->FullDllName; BaseDllName = Entry->BaseDllName; NtHeaders = RtlImageNtHeader(ViewBase); goto Wx86MapComplete; } else #endif if (LdrpResolveDllName( DllPath, DllName, &FullDllName, &BaseDllName, &DllFile ) ) { if (ShowSnaps) { PSZ type; type = StaticLink ? "STATIC" : "DYNAMIC"; DbgPrint("LDR: Loading (%s) %wZ\n", type, &FullDllName ); } if (!RtlDosPathNameToNtPathName_U( FullDllName.Buffer, &NtFileName, NULL, NULL ) ) { return STATUS_OBJECT_PATH_SYNTAX_BAD; } st = LdrpCreateDllSection(&NtFileName, DllFile, &BaseDllName, DllCharacteristics, &Section ); RtlFreeHeap(RtlProcessHeap(), 0, NtFileName.Buffer); if (!NT_SUCCESS(st)) { RtlFreeUnicodeString(&FullDllName); RtlFreeUnicodeString(&BaseDllName); return st; } #if DBG LdrpSectionCreates++; #endif } else { #ifdef WX86 Wx86MapDllNotFound: #endif if ( StaticLink ) { PUNICODE_STRING ErrorStrings[2]; UNICODE_STRING ErrorDllName, ErrorDllPath; ULONG ErrorResponse; ErrorStrings[0] = &ErrorDllName; ErrorStrings[1] = &ErrorDllPath; RtlInitUnicodeString(&ErrorDllName,DllName); RtlInitUnicodeString(&ErrorDllPath, ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer); NtRaiseHardError( (NTSTATUS)STATUS_DLL_NOT_FOUND, 2, 0x00000003, (PULONG_PTR)ErrorStrings, OptionOk, &ErrorResponse ); if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } } return STATUS_DLL_NOT_FOUND; } } else { KnownDll = TRUE; } ViewBase = NULL; ViewSize = 0; #if DBG LdrpSectionMaps++; if (LdrpDisplayLoadTime) { NtQueryPerformanceCounter(&MapBeginTime, NULL); } #endif // // arrange for debugger to pick up the image name // ArbitraryUserPointer = Teb->NtTib.ArbitraryUserPointer; Teb->NtTib.ArbitraryUserPointer = (PVOID)FullDllName.Buffer; st = NtMapViewOfSection( Section, NtCurrentProcess(), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare, 0L, PAGE_READWRITE ); Teb->NtTib.ArbitraryUserPointer = ArbitraryUserPointer; if (!NT_SUCCESS(st)) { NtClose(Section); return st; } NtHeaders = RtlImageNtHeader(ViewBase); if ( !NtHeaders ) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return STATUS_INVALID_IMAGE_FORMAT; } #if DBG if (LdrpDisplayLoadTime) { NtQueryPerformanceCounter(&MapEndTime, NULL); MapElapsedTime.QuadPart = MapEndTime.QuadPart - MapBeginTime.QuadPart; DbgPrint("Map View of Section Time %ld %ws\n", MapElapsedTime.LowPart, DllName ); } #endif #if defined (BUILD_WOW6432) if (NtHeaders->OptionalHeader.SectionAlignment < NATIVE_PAGE_SIZE && !NT_SUCCESS(LdrpWx86FormatVirtualImage((PIMAGE_NT_HEADERS32)NtHeaders, ViewBase))) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return st; } #elif defined (_ALPHA_) && defined (WX86) if ((NtHeaders->OptionalHeader.SectionAlignment < PAGE_SIZE) && !NT_SUCCESS(LdrpWx86FormatVirtualImage((PIMAGE_NT_HEADERS32)NtHeaders, ViewBase))) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return STATUS_INVALID_IMAGE_FORMAT; } if (st == STATUS_IMAGE_MACHINE_TYPE_MISMATCH && !StaticLink) { // Attempt to find a plugin provider dll that can thunk this interface // temporarily insert the image in the loaded-module-list Entry = LdrpAllocateDataTableEntry(ViewBase); if (!Entry) { return STATUS_NO_MEMORY; } Entry->Flags = 0; Entry->LoadCount = 0; Entry->FullDllName = FullDllName; Entry->BaseDllName = BaseDllName; Entry->EntryPoint = LdrpFetchAddressOfEntryPoint(Entry->DllBase); LdrpInsertMemoryTableEntry(Entry); // Determine if this dll can be thunked using a plugin st = Wx86IdentifyPlugin(ViewBase, &FullDllName ); // remove the image from the loaded-module-list RemoveEntryList(&Entry->InLoadOrderLinks); RemoveEntryList(&Entry->InMemoryOrderLinks); RemoveEntryList(&Entry->HashLinks); RtlFreeHeap(RtlProcessHeap(), 0, Entry); Entry = NULL; if (st == STATUS_SUCCESS) { // Release the previous mapping because it's going to // be reloaded via Wx86. NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); ViewBase = NULL; // The plugin providers must be statically bound to Wx86 // or dynamically load it in their DllInit. if (Wx86ProcessInit) { // Load the dll again using Wx86. st = LdrpWx86MapDll(NULL, DllCharacteristics, !Wx86KnownDll, // swap sense so we don't get mismatch StaticLink, &FullDllName, &Entry, &ViewSize, &Section ); // Load and thunk the plugin dll if (NT_SUCCESS(st)) { ViewBase = Entry->DllBase; FullDllName = Entry->FullDllName; BaseDllName = Entry->BaseDllName; NtHeaders = RtlImageNtHeader(ViewBase); } } if (!Wx86ProcessInit || NT_ERROR(st)) { Wx86UnloadProviders(ViewBase); st = STATUS_IMAGE_MACHINE_TYPE_MISMATCH; } } // Need to save the status here to put in loader ENTRY after it's allocated. Wx86Plugin = (st == STATUS_SUCCESS); if (ShowSnaps) { PCHAR Action; if (st == STATUS_SUCCESS) { Action = "Loaded"; } else if (st == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) { Action = "Unsupported"; } else { Action = "Failed"; } DbgPrint("LDRWx86: Plugin: %wZ %s.\n", &FullDllName, Action ); } } if (!NT_SUCCESS(st) || (ViewBase == NULL)) { if (ViewBase) NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return st; } else if (Entry) { goto Wx86MapComplete; } #endif // // Allocate a data table entry. // Entry = LdrpAllocateDataTableEntry(ViewBase); if (!Entry) { NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); return STATUS_NO_MEMORY; } Entry->Flags = (USHORT)(StaticLink ? LDRP_STATIC_LINK : 0); Entry->LoadCount = 0; Entry->FullDllName = FullDllName; Entry->BaseDllName = BaseDllName; Entry->EntryPoint = LdrpFetchAddressOfEntryPoint(Entry->DllBase); #ifdef WX86 Wx86MapComplete: if (Wx86Plugin) { Entry->Flags |= LDRP_WX86_PLUGIN; } #endif #if LDRDBG if (ShowSnaps) { DbgPrint("LDR: LdrpMapDll: Full Name %wZ, Base Name %wZ\n", &FullDllName, &BaseDllName ); } #endif LdrpInsertMemoryTableEntry(Entry); if ( st == STATUS_IMAGE_MACHINE_TYPE_MISMATCH ) { PIMAGE_NT_HEADERS ImageHeader = RtlImageNtHeader( NtCurrentPeb()->ImageBaseAddress ); // // apps compiled for NT 3.x and below can load cross architecture // images // ErrorStatus = STATUS_SUCCESS; ErrorResponse = ResponseCancel; if ( ImageHeader->OptionalHeader.MajorSubsystemVersion <= 3 ) { Entry->EntryPoint = 0; // // Hard Error Time // // // Its error time... // ErrorParameters[0] = (ULONG_PTR)&FullDllName; ErrorStatus = NtRaiseHardError( STATUS_IMAGE_MACHINE_TYPE_MISMATCH, 1, 1, ErrorParameters, OptionOkCancel, &ErrorResponse ); } if ( NT_SUCCESS(ErrorStatus) && ErrorResponse == ResponseCancel ) { RemoveEntryList(&Entry->InLoadOrderLinks); RemoveEntryList(&Entry->InMemoryOrderLinks); RemoveEntryList(&Entry->HashLinks); RtlFreeHeap(RtlProcessHeap(), 0, Entry ); NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); NtClose(Section); if ( ImageHeader->OptionalHeader.MajorSubsystemVersion <= 3 ) { if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } } return STATUS_INVALID_IMAGE_FORMAT; } } else { if (NtHeaders->FileHeader.Characteristics & IMAGE_FILE_DLL) { Entry->Flags |= LDRP_IMAGE_DLL; } if (!(Entry->Flags & LDRP_IMAGE_DLL)) { Entry->EntryPoint = 0; } } *LdrDataTableEntry = Entry; if (st == STATUS_IMAGE_NOT_AT_BASE) { Entry->Flags |= LDRP_IMAGE_NOT_AT_BASE; // // now find the colliding dll. If we can not find a dll, // then the colliding dll must be dynamic memory // ImageBase = (PUCHAR)NtHeaders->OptionalHeader.ImageBase; ImageBounds = ImageBase + ViewSize; CollidingDllFound = FALSE; ScanHead = &NtCurrentPeb()->Ldr->InLoadOrderModuleList; ScanNext = ScanHead->Flink; while ( ScanNext != ScanHead ) { ScanEntry = CONTAINING_RECORD(ScanNext, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); ScanNext = ScanNext->Flink; ScanBase = (PUCHAR)ScanEntry->DllBase; ScanTop = ScanBase + ScanEntry->SizeOfImage; // // when we unload, the memory order links flink field is nulled. // this is used to skip the entry pending list removal. // if ( !ScanEntry->InMemoryOrderLinks.Flink ) { continue; } // // See if the base address of the scan image is within the relocating dll // or if the top address of the scan image is within the relocating dll // if ( (ImageBase >= ScanBase && ImageBase <= ScanTop) || (ImageBounds >= ScanBase && ImageBounds <= ScanTop) || (ScanBase >= ImageBase && ScanBase <= ImageBounds) ){ CollidingDllFound = TRUE; CollidingDll = ScanEntry->FullDllName; break; } } if ( !CollidingDllFound ) { RtlInitUnicodeString(&CollidingDll,L"Dynamically Allocated Memory"); } #if DBG if ( BeginTime.LowPart || BeginTime.HighPart ) { DbgPrint("\nLDR: LdrpMapDll Relocateing Image Name %ws\n", DllName ); } LdrpSectionRelocates++; #endif if (Entry->Flags & LDRP_IMAGE_DLL) { BOOLEAN AllowRelocation; UNICODE_STRING SystemDll; if (!(NtHeaders->FileHeader.Characteristics & IMAGE_FILE_RELOCS_STRIPPED)) { PVOID pBaseRelocs; ULONG BaseRelocCountBytes = 0; // // If the iamge doesn't have the reloc stripped bit set and there's no // relocs in the data directory, allow this through. This is probably // a pure forwarder dll or data w/o relocs. // pBaseRelocs = RtlImageDirectoryEntryToData( ViewBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &BaseRelocCountBytes); if (!pBaseRelocs && !BaseRelocCountBytes) { goto NoRelocNeeded; } } // // decide whether or not to allow the relocation // certain system dll's like user32 and kernel32 are not relocatable // since addresses within these dll's are not always stored per process // do not allow these dll's to be relocated // AllowRelocation = TRUE; RtlInitUnicodeString(&SystemDll,L"user32.dll"); if ( RtlEqualUnicodeString(&BaseDllName,&SystemDll,TRUE) ) { AllowRelocation = FALSE; } else { RtlInitUnicodeString(&SystemDll,L"kernel32.dll"); if ( RtlEqualUnicodeString(&BaseDllName,&SystemDll,TRUE) ) { AllowRelocation = FALSE; } } if ( !AllowRelocation && KnownDll ) { // // totally disallow the relocation since this is a knowndll // that matches our system binaries and is being relocated // // // Hard Error Time // ErrorParameters[0] = (ULONG_PTR)&SystemDll; ErrorParameters[1] = (ULONG_PTR)&CollidingDll; NtRaiseHardError( STATUS_ILLEGAL_DLL_RELOCATION, 2, 3, ErrorParameters, OptionOk, &ErrorResponse ); if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } st = STATUS_CONFLICTING_ADDRESSES; goto skipreloc; } st = LdrpSetProtection(ViewBase, FALSE, StaticLink ); if (NT_SUCCESS(st)) { st = (NTSTATUS)LdrRelocateImage(ViewBase, "LDR", (ULONG)STATUS_SUCCESS, (ULONG)STATUS_CONFLICTING_ADDRESSES, (ULONG)STATUS_INVALID_IMAGE_FORMAT ); if (NT_SUCCESS(st)) { // // If we did relocations, then map the section again. // this will force the debug event // // // arrange for debugger to pick up the image name // ArbitraryUserPointer = Teb->NtTib.ArbitraryUserPointer; Teb->NtTib.ArbitraryUserPointer = (PVOID)FullDllName.Buffer; NtMapViewOfSection( Section, NtCurrentProcess(), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare, 0L, PAGE_READWRITE ); Teb->NtTib.ArbitraryUserPointer = ArbitraryUserPointer; st = LdrpSetProtection(ViewBase, TRUE, StaticLink); } } skipreloc: // // if the set protection failed, or if the relocation failed, then // remove the partially loaded dll from the lists and clear entry // that it has been freed. // if ( !NT_SUCCESS(st) ) { RemoveEntryList(&Entry->InLoadOrderLinks); RemoveEntryList(&Entry->InMemoryOrderLinks); RemoveEntryList(&Entry->HashLinks); NtUnmapViewOfSection(NtCurrentProcess(),ViewBase); Entry = NULL; } if (ShowSnaps) { DbgPrint("LDR: Fixups %successfully re-applied @ %lx\n", NT_SUCCESS(st) ? "s" : "uns", ViewBase); } } else { NoRelocNeeded: st = STATUS_SUCCESS; // // arrange for debugger to pick up the image name // ArbitraryUserPointer = Teb->NtTib.ArbitraryUserPointer; Teb->NtTib.ArbitraryUserPointer = (PVOID)FullDllName.Buffer; NtMapViewOfSection( Section, NtCurrentProcess(), (PVOID *)&ViewBase, 0L, 0L, NULL, &ViewSize, ViewShare, 0L, PAGE_READWRITE ); Teb->NtTib.ArbitraryUserPointer = ArbitraryUserPointer; if (ShowSnaps) { DbgPrint("LDR: Fixups won't be re-applied to non-Dll @ %lx\n", ViewBase); } } } #if defined (_ALPHA_) // // Find and apply Alpha architecture fixups for this dll // if (Entry->Flags & LDRP_IMAGE_DLL) AlphaFindArchitectureFixups(NtHeaders, ViewBase, StaticLink); #endif #if defined(_X86_) if ( LdrpNumberOfProcessors > 1 && Entry && (Entry->Flags & LDRP_IMAGE_DLL) ) { LdrpValidateImageForMp(Entry); } #endif NtClose(Section); return st; }

USHORT LdrpNameToOrdinal (  IN PSZ  Name, IN ULONG  NumberOfNames, IN PVOID  DllBase, IN PULONG  NameTableBase, IN PUSHORT  NameOrdinalTableBase )

Definition at line 2747 of file ldrsnap.c. References Name, and USHORT. Referenced by LdrpSnapThunk(). { LONG High; LONG Low; LONG Middle; LONG Result; // // Lookup the import name in the name table using a binary search. // Low = 0; High = NumberOfNames - 1; while (High >= Low) { // // Compute the next probe index and compare the import name // with the export name entry. // Middle = (Low + High) >> 1; Result = strcmp(Name, (PCHAR)((ULONG_PTR)DllBase + NameTableBase[Middle])); if (Result < 0) { High = Middle - 1; } else if (Result > 0) { Low = Middle + 1; } else { break; } } // // If the high index is less than the low index, then a matching // table entry was not found. Otherwise, get the ordinal number // from the ordinal table. // if (High < Low) { return (USHORT)-1; } else { return NameOrdinalTableBase[Middle]; } }

BOOLEAN LdrpResolveDllName (  IN PWSTR DllPath  OPTIONAL, IN PWSTR  DllName, OUT PUNICODE_STRING  FullDllName, OUT PUNICODE_STRING  BaseDllName, OUT PHANDLE  DllFile )

Definition at line 3120 of file ldrsnap.c. References DbgPrint, FALSE, LDR_TAG, LdrpDefaultPath, MAKE_TAG, NULL, RtlAllocateHeap, RtlDosSearchPath_U(), RtlFreeHeap, RtlFreeUnicodeString(), ShowSnaps, TEMP_TAG, TRUE, and USHORT. Referenced by LdrpMapDll(). : This function computes the DLL pathname and base dll name (the unqualified, extensionless portion of the file name) for the specified DLL. Arguments: DllPath - Supplies the DLL search path. DllName - Supplies the name of the DLL. FullDllName - Returns the fully qualified pathname of the DLL. The Buffer field of this string is dynamically allocated from the processes heap. BaseDLLName - Returns the base dll name of the dll. The base name is the file name portion of the dll path without the trailing extension. The Buffer field of this string is dynamically allocated from the processes heap. DllFile - Returns an open handle to the DLL file. This parameter may still be NULL even upon success. Return Value: TRUE - The operation was successful. A DLL file was found, and the FullDllName->Buffer & BaseDllName->Buffer field points to the base of process heap allocated memory. FALSE - The DLL could not be found. --*/ { ULONG Length; PWCH p, pp; PWCH FullBuffer; *DllFile = NULL; FullDllName->Buffer = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( TEMP_TAG ),530+sizeof(UNICODE_NULL)); if (FullDllName->Buffer == NULL) { return FALSE; } Length = RtlDosSearchPath_U( ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer, DllName, NULL, 530, FullDllName->Buffer, &BaseDllName->Buffer ); if ( !Length || Length > 530 ) { if (ShowSnaps) { DbgPrint("LDR: LdrResolveDllName - Unable To Locate "); DbgPrint("%ws from %ws\n", DllName, ARGUMENT_PRESENT(DllPath) ? DllPath : LdrpDefaultPath.Buffer ); } RtlFreeUnicodeString(FullDllName); return FALSE; } FullDllName->Length = (USHORT)Length; FullDllName->MaximumLength = FullDllName->Length + (USHORT)sizeof(UNICODE_NULL); FullBuffer = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( LDR_TAG ),FullDllName->MaximumLength); if ( FullBuffer ) { RtlCopyMemory(FullBuffer,FullDllName->Buffer,FullDllName->MaximumLength); RtlFreeHeap(RtlProcessHeap(), 0, FullDllName->Buffer); FullDllName->Buffer = FullBuffer; } else { return FALSE; } // // Compute Length of base dll name // pp = UNICODE_NULL; p = FullDllName->Buffer; while (*p) { if (*p++ == (WCHAR)'\\') { pp = p; } } p = pp ? pp : DllName; pp = p; while (*p) { ++p; } BaseDllName->Length = (USHORT)((ULONG_PTR)p - (ULONG_PTR)pp); BaseDllName->MaximumLength = BaseDllName->Length + (USHORT)sizeof(UNICODE_NULL); BaseDllName->Buffer = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( LDR_TAG ), BaseDllName->MaximumLength); if ( BaseDllName->Buffer ) { RtlMoveMemory(BaseDllName->Buffer, pp, BaseDllName->Length ); BaseDllName->Buffer[BaseDllName->Length >> 1] = UNICODE_NULL; } else { RtlFreeHeap(RtlProcessHeap(), 0, FullBuffer); return FALSE; } return TRUE; }

NTSTATUS LdrpRunInitializeRoutines (  IN PCONTEXT Context  OPTIONAL  )

Definition at line 652 of file ldrsnap.c. References DbgPrint, L, LdrpCallInitRoutine, LdrpCallTlsInitializers(), LdrpClearLoadInProgress(), LdrpImageHasTls, LdrQueryImageFileExecutionOptions(), MAKE_TAG, NT_SUCCESS, NTSTATUS(), NULL, RtlAllocateHeap, RtlFreeHeap, RtlImageNtHeader(), ShowSnaps, Status, TEMP_TAG, and TRUE. Referenced by LdrpGetProcedureAddress(), LdrpInitializeProcess(), and LdrpLoadDll(). { PLIST_ENTRY Head, Next; PLDR_DATA_TABLE_ENTRY LdrDataTableEntry; PLDR_DATA_TABLE_ENTRY *LdrDataTableBase; PDLL_INIT_ROUTINE InitRoutine; BOOLEAN InitStatus; ULONG NumberOfRoutines; ULONG i; NTSTATUS Status; ULONG BreakOnDllLoad; // // Run the Init routines // // // capture the entries that have init routines // NumberOfRoutines = LdrpClearLoadInProgress(); if ( NumberOfRoutines ) { LdrDataTableBase = RtlAllocateHeap(RtlProcessHeap(),MAKE_TAG( TEMP_TAG ),NumberOfRoutines*sizeof(LdrDataTableBase)); if ( !LdrDataTableBase ) { return STATUS_NO_MEMORY; } } else { LdrDataTableBase = NULL; } Head = &NtCurrentPeb()->Ldr->InInitializationOrderModuleList; Next = Head->Flink; if (ShowSnaps) { DbgPrint("LDR: Real INIT LIST\n"); } i = 0; while ( Next != Head ) { LdrDataTableEntry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks); #if defined (WX86) if (Wx86ProcessInit && !(LdrDataTableEntry->Flags & LDRP_ENTRY_PROCESSED)) { PIMAGE_NT_HEADERS NtHeaders; NtHeaders = RtlImageNtHeader(LdrDataTableEntry->DllBase); if (NtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386) { LdrpWx86DllMapNotify(LdrDataTableEntry->DllBase, TRUE); } } #endif if ( !(LdrDataTableEntry->Flags & LDRP_ENTRY_PROCESSED) && LdrDataTableEntry->EntryPoint) { LdrDataTableBase[i] = LdrDataTableEntry; if (ShowSnaps) { DbgPrint(" %wZ init routine %x\n", &LdrDataTableEntry->FullDllName, LdrDataTableEntry->EntryPoint ); } i++; } LdrDataTableEntry->Flags |= LDRP_ENTRY_PROCESSED; Next = Next->Flink; } if ( !LdrDataTableBase ) { return STATUS_SUCCESS; } try { i = 0; while ( i < NumberOfRoutines ) { LdrDataTableEntry = LdrDataTableBase[i]; i++; InitRoutine = (PDLL_INIT_ROUTINE)LdrDataTableEntry->EntryPoint; // // Walk through the entire list looking for un-processed // entries. For each entry, set the processed flag // and optionally call it's init routine // BreakOnDllLoad = 0; #if DBG if (TRUE) { #else if (NtCurrentPeb()->BeingDebugged || NtCurrentPeb()->ReadImageFileExecOptions) { #endif Status = LdrQueryImageFileExecutionOptions( &LdrDataTableEntry->BaseDllName, L"BreakOnDllLoad", REG_DWORD, &BreakOnDllLoad, sizeof( BreakOnDllLoad ), NULL ); if (!NT_SUCCESS( Status )) { BreakOnDllLoad = 0; } } if (BreakOnDllLoad) { if (ShowSnaps) { DbgPrint( "LDR: %wZ loaded.", &LdrDataTableEntry->BaseDllName ); DbgPrint( " - About to call init routine at %lx\n", InitRoutine ); } DbgBreakPoint(); } else if (ShowSnaps) { if ( InitRoutine ) { DbgPrint( "LDR: %wZ loaded.", &LdrDataTableEntry->BaseDllName ); DbgPrint(" - Calling init routine at %lx\n", InitRoutine); } } if ( InitRoutine ) { // // If the DLL has TLS data, then call the optional initializers // if ( LdrDataTableEntry->TlsIndex && Context) { LdrpCallTlsInitializers(LdrDataTableEntry->DllBase,DLL_PROCESS_ATTACH); } #if defined (WX86) if (!Wx86ProcessInit || LdrpRunWx86DllEntryPoint(InitRoutine, &InitStatus, LdrDataTableEntry->DllBase, DLL_PROCESS_ATTACH, Context ) == STATUS_IMAGE_MACHINE_TYPE_MISMATCH) { InitStatus = LdrpCallInitRoutine(InitRoutine, LdrDataTableEntry->DllBase, DLL_PROCESS_ATTACH, Context ); } #else InitStatus = LdrpCallInitRoutine(InitRoutine, LdrDataTableEntry->DllBase, DLL_PROCESS_ATTACH, Context ); #endif LdrDataTableEntry->Flags |= LDRP_PROCESS_ATTACH_CALLED; if ( !InitStatus ) { return STATUS_DLL_INIT_FAILED; } } } // // If the image has tls than call its initializers // if ( LdrpImageHasTls && Context ) { LdrpCallTlsInitializers(NtCurrentPeb()->ImageBaseAddress,DLL_PROCESS_ATTACH); } } finally { RtlFreeHeap(RtlProcessHeap(),0,LdrDataTableBase); } return STATUS_SUCCESS; }

NTSTATUS LdrpSetProtection (  IN PVOID  Base, IN BOOLEAN  Reset, IN BOOLEAN  StaticLink )

Definition at line 3417 of file ldrsnap.c. References NT_SUCCESS, NtFlushInstructionCache(), NtProtectVirtualMemory(), NTSTATUS(), NULL, PAGE_SIZE, and RtlImageNtHeader(). Referenced by LdrpInitializeProcess(), and LdrpMapDll(). : This function loops thru the images sections/objects, setting all sections/objects marked r/o to r/w. It also resets the original section/object protections. Arguments: Base - Base of image. Reset - If TRUE, reset section/object protection to original protection described by the section/object headers. If FALSE, then set all sections/objects to r/w. StaticLink - TRUE if this is a static link. Return Value: SUCCESS or reason NtProtectVirtualMemory failed. --*/ { HANDLE CurrentProcessHandle; SIZE_T RegionSize; ULONG NewProtect, OldProtect; PVOID VirtualAddress; ULONG i; PLDR_DATA_TABLE_ENTRY LdrDataTableEntry; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_SECTION_HEADER SectionHeader; NTSTATUS st; CurrentProcessHandle = NtCurrentProcess(); NtHeaders = RtlImageNtHeader(Base); #if defined (_ALPHA_) if (NtHeaders->OptionalHeader.SectionAlignment < PAGE_SIZE) { // // if SectionAlignment < PAGE_SIZE the entire image is // exec-copy on write, so we have nothing to do. // return STATUS_SUCCESS; } #endif SectionHeader = (PIMAGE_SECTION_HEADER)((ULONG_PTR)NtHeaders + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) + NtHeaders->FileHeader.SizeOfOptionalHeader ); for (i=0; i<NtHeaders->FileHeader.NumberOfSections; i++) { if (!(SectionHeader->Characteristics & IMAGE_SCN_MEM_WRITE) && (SectionHeader->SizeOfRawData)) { // // Object isn't writeable and has a non-zero on disk size, change it. // if (Reset) { if (SectionHeader->Characteristics & IMAGE_SCN_MEM_EXECUTE) { NewProtect = PAGE_EXECUTE; } else { NewProtect = PAGE_READONLY; } NewProtect |= (SectionHeader->Characteristics & IMAGE_SCN_MEM_NOT_CACHED) ? PAGE_NOCACHE : 0; } else { NewProtect = PAGE_READWRITE; } VirtualAddress = (PVOID)((ULONG_PTR)Base + SectionHeader->VirtualAddress); RegionSize = SectionHeader->SizeOfRawData; if (RegionSize != 0) { st = NtProtectVirtualMemory(CurrentProcessHandle, &VirtualAddress, &RegionSize, NewProtect, &OldProtect); if (!NT_SUCCESS(st)) { return st; } } } ++SectionHeader; } if (Reset) { NtFlushInstructionCache(NtCurrentProcess(), NULL, 0); } return STATUS_SUCCESS; }

NTSTATUS LdrpSnapIAT (  IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry_Export, IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry_Import, IN PIMAGE_IMPORT_DESCRIPTOR  ImportDescriptor, IN BOOLEAN  SnapForwardersOnly )

Definition at line 2258 of file ldrsnap.c. References EXCEPTION_EXECUTE_HANDLER, LdrpSnapThunk(), NT_SUCCESS, NtFlushInstructionCache(), NtProtectVirtualMemory(), NTSTATUS(), NULL, RtlImageDirectoryEntryToData(), RtlImageNtHeader(), and TRUE. Referenced by LdrpWalkImportDescriptor(). : This function snaps the Import Address Table for this Import Descriptor. Arguments: LdrDataTableEntry_Export - Information about the image to import from. LdrDataTableEntry_Import - Information about the image to import to. ImportDescriptor - Contains a pointer to the IAT to snap. SnapForwardersOnly - TRUE if just snapping forwarders only. Return Value: Status value --*/ { PPEB Peb; NTSTATUS st; ULONG ExportSize; PIMAGE_EXPORT_DIRECTORY ExportDirectory; PIMAGE_THUNK_DATA Thunk, OriginalThunk; PSZ ImportName; ULONG ForwarderChain; PIMAGE_NT_HEADERS NtHeaders; PIMAGE_SECTION_HEADER NtSection; ULONG i, Rva; PVOID IATBase; SIZE_T IATSize; ULONG LittleIATSize; ULONG OldProtect; Peb = NtCurrentPeb(); ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)RtlImageDirectoryEntryToData( LdrDataTableEntry_Export->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_EXPORT, &ExportSize ); if (!ExportDirectory) { KdPrint(("LDR: %wZ doesn't contain an EXPORT table\n", &LdrDataTableEntry_Export->BaseDllName)); return STATUS_INVALID_IMAGE_FORMAT; } // // Determine the location and size of the IAT. If the linker did // not tell use explicitly, then use the location and size of the // image section that contains the import table. // IATBase = RtlImageDirectoryEntryToData( LdrDataTableEntry_Import->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &LittleIATSize ); IATSize = LittleIATSize; if (IATBase == NULL) { NtHeaders = RtlImageNtHeader( LdrDataTableEntry_Import->DllBase ); NtSection = IMAGE_FIRST_SECTION( NtHeaders ); Rva = NtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ].VirtualAddress; if (Rva != 0) { for (i=0; i<NtHeaders->FileHeader.NumberOfSections; i++) { if (Rva >= NtSection->VirtualAddress && Rva < (NtSection->VirtualAddress + NtSection->SizeOfRawData) ) { IATBase = (PVOID) ((ULONG_PTR)(LdrDataTableEntry_Import->DllBase) + NtSection->VirtualAddress); LittleIATSize = NtSection->Misc.VirtualSize; if (LittleIATSize == 0) { LittleIATSize = NtSection->SizeOfRawData; } break; } ++NtSection; } } if (IATBase == NULL) { KdPrint(( "LDR: Unable to unprotect IAT for %wZ (Image Base %x)\n", &LdrDataTableEntry_Import->BaseDllName, LdrDataTableEntry_Import->DllBase )); return STATUS_INVALID_IMAGE_FORMAT; } IATSize = LittleIATSize; } st = NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &IATSize, PAGE_READWRITE, &OldProtect ); if (!NT_SUCCESS(st)) { KdPrint(( "LDR: Unable to unprotect IAT for %wZ (Status %x)\n", &LdrDataTableEntry_Import->BaseDllName, st )); return st; } // // If just snapping forwarded entries, walk that list // if (SnapForwardersOnly) { ImportName = (PSZ)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->Name); ForwarderChain = ImportDescriptor->ForwarderChain; while (ForwarderChain != -1) { OriginalThunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->OriginalFirstThunk + (ForwarderChain * sizeof(IMAGE_THUNK_DATA))); Thunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->FirstThunk + (ForwarderChain * sizeof(IMAGE_THUNK_DATA))); ForwarderChain = (ULONG) Thunk->u1.Ordinal; try { st = LdrpSnapThunk(LdrDataTableEntry_Export->DllBase, LdrDataTableEntry_Import->DllBase, OriginalThunk, Thunk, ExportDirectory, ExportSize, TRUE, ImportName ); Thunk++; } except (EXCEPTION_EXECUTE_HANDLER) { st = GetExceptionCode(); } if (!NT_SUCCESS(st) ) { break; } } } else // // Otherwise, walk through the IAT and snap all the thunks. // if ( ImportDescriptor->FirstThunk ) { Thunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->FirstThunk); NtHeaders = RtlImageNtHeader( LdrDataTableEntry_Import->DllBase ); // // If the OriginalFirstThunk field does not point inside the image, then ignore // it. This is will detect bogus Borland Linker 2.25 images that did not fill // this field in. // if (ImportDescriptor->Characteristics < NtHeaders->OptionalHeader.SizeOfHeaders || ImportDescriptor->Characteristics >= NtHeaders->OptionalHeader.SizeOfImage ) { OriginalThunk = Thunk; } else { OriginalThunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->OriginalFirstThunk); } ImportName = (PSZ)((ULONG_PTR)LdrDataTableEntry_Import->DllBase + ImportDescriptor->Name); while (OriginalThunk->u1.AddressOfData) { try { st = LdrpSnapThunk(LdrDataTableEntry_Export->DllBase, LdrDataTableEntry_Import->DllBase, OriginalThunk, Thunk, ExportDirectory, ExportSize, TRUE, ImportName ); OriginalThunk++; Thunk++; } except (EXCEPTION_EXECUTE_HANDLER) { st = GetExceptionCode(); } if (!NT_SUCCESS(st) ) { break; } } } // // Restore protection for IAT and flush instruction cache. // NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &IATSize, OldProtect, &OldProtect ); NtFlushInstructionCache( NtCurrentProcess(), IATBase, LittleIATSize ); return st; }

NTSTATUS LdrpSnapLinksToDllHandle (  IN PVOID  DllHandle, IN ULONG  NumberOfThunks, IN OUT PIMAGE_THUNK_DATA  FirstThunk )

NTSTATUS LdrpSnapThunk (  IN PVOID  DllBase, IN PVOID  ImageBase, IN PIMAGE_THUNK_DATA  OriginalThunk, IN OUT PIMAGE_THUNK_DATA  Thunk, IN PIMAGE_EXPORT_DIRECTORY  ExportDirectory, IN ULONG  ExportSize, IN BOOLEAN  StaticSnap, IN PSZ DllName  OPTIONAL )

Definition at line 2476 of file ldrsnap.c. References DbgPrint, FALSE, LDRP_BAD_DLL, LdrpFatalHardErrorCount, LdrpGetProcedureAddress(), LdrpInLdrInit, LdrpLoadDll(), LdrpNameToOrdinal(), NT_SUCCESS, NtRaiseHardError(), NTSTATUS(), NULL, PAGE_SIZE, PUSHORT, RtlAnsiStringToUnicodeString(), RtlCharToInteger(), RtlFreeUnicodeString(), RtlImageNtHeader(), RtlInitAnsiString(), RtlRaiseStatus(), ShowSnaps, TRUE, and USHORT. Referenced by LdrpGetProcedureAddress(), and LdrpSnapIAT(). : This function snaps a thunk using the specified Export Section data. If the section data does not support the thunk, then the thunk is partially snapped (Dll field is still non-null, but snap address is set). Arguments: DllBase - Base of Dll. ImageBase - Base of image that contains the thunks to snap. Thunk - On input, supplies the thunk to snap. When successfully snapped, the function field is set to point to the address in the DLL, and the DLL field is set to NULL. ExportDirectory - Supplies the Export Section data from a DLL. StaticSnap - If TRUE, then loader is attempting a static snap, and any ordinal/name lookup failure will be reported. Return Value: STATUS_SUCCESS or STATUS_PROCEDURE_NOT_FOUND --*/ { BOOLEAN Ordinal; USHORT OrdinalNumber; ULONG OriginalOrdinalNumber; PIMAGE_IMPORT_BY_NAME AddressOfData; PULONG NameTableBase; PUSHORT NameOrdinalTableBase; PULONG Addr; USHORT HintIndex; NTSTATUS st; PSZ ImportString; // // Determine if snap is by name, or by ordinal // Ordinal = (BOOLEAN)IMAGE_SNAP_BY_ORDINAL(OriginalThunk->u1.Ordinal); if (Ordinal) { OriginalOrdinalNumber = (ULONG)IMAGE_ORDINAL(OriginalThunk->u1.Ordinal); OrdinalNumber = (USHORT)(OriginalOrdinalNumber - ExportDirectory->Base); } else { // // Change AddressOfData from an RVA to a VA. // AddressOfData = (PIMAGE_IMPORT_BY_NAME)((ULONG_PTR)ImageBase + ((ULONG_PTR)OriginalThunk->u1.AddressOfData & 0xffffffff)); ImportString = (PSZ)AddressOfData->Name; // // Lookup Name in NameTable // NameTableBase = (PULONG)((ULONG_PTR)DllBase + (ULONG)ExportDirectory->AddressOfNames); NameOrdinalTableBase = (PUSHORT)((ULONG_PTR)DllBase + (ULONG)ExportDirectory->AddressOfNameOrdinals); // // Before dropping into binary search, see if // the hint index results in a successful // match. If the hint index is zero, then // drop into binary search. // HintIndex = AddressOfData->Hint; if ((ULONG)HintIndex < ExportDirectory->NumberOfNames && !strcmp(ImportString, (PSZ)((ULONG_PTR)DllBase + NameTableBase[HintIndex]))) { OrdinalNumber = NameOrdinalTableBase[HintIndex]; #if LDRDBG if (ShowSnaps) { DbgPrint("LDR: Snapping %s\n", ImportString); } #endif } else { #if LDRDBG if (HintIndex) { DbgPrint("LDR: Warning HintIndex Failure. Name %s (%lx) Hint 0x%lx\n", ImportString, (ULONG)ImportString, (ULONG)HintIndex ); } #endif OrdinalNumber = LdrpNameToOrdinal( ImportString, ExportDirectory->NumberOfNames, DllBase, NameTableBase, NameOrdinalTableBase ); } } // // If OrdinalNumber is not within the Export Address Table, // then DLL does not implement function. Snap to LDRP_BAD_DLL. // if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions) { baddllref: #if DBG if (StaticSnap) { if (Ordinal) { DbgPrint("LDR: Can't locate ordinal 0x%lx\n", OriginalOrdinalNumber); } else { DbgPrint("LDR: Can't locate %s\n", ImportString); } } #endif if ( StaticSnap ) { // // Hard Error Time // ULONG_PTR ErrorParameters[3]; UNICODE_STRING ErrorDllName, ErrorEntryPointName; ANSI_STRING AnsiScratch; ULONG ParameterStringMask; ULONG ErrorResponse; RtlInitAnsiString(&AnsiScratch,DllName ? DllName : "Unknown"); RtlAnsiStringToUnicodeString(&ErrorDllName,&AnsiScratch,TRUE); ErrorParameters[1] = (ULONG_PTR)&ErrorDllName; ParameterStringMask = 2; if ( Ordinal ) { ErrorParameters[0] = OriginalOrdinalNumber; } else { RtlInitAnsiString(&AnsiScratch,ImportString); RtlAnsiStringToUnicodeString(&ErrorEntryPointName,&AnsiScratch,TRUE); ErrorParameters[0] = (ULONG_PTR)&ErrorEntryPointName; ParameterStringMask = 3; } NtRaiseHardError( Ordinal ? STATUS_ORDINAL_NOT_FOUND : STATUS_ENTRYPOINT_NOT_FOUND, 2, ParameterStringMask, ErrorParameters, OptionOk, &ErrorResponse ); if ( LdrpInLdrInit ) { LdrpFatalHardErrorCount++; } RtlFreeUnicodeString(&ErrorDllName); if ( !Ordinal ) { RtlFreeUnicodeString(&ErrorEntryPointName); RtlRaiseStatus(STATUS_ENTRYPOINT_NOT_FOUND); } RtlRaiseStatus(STATUS_ORDINAL_NOT_FOUND); } Thunk->u1.Function = (ULONG_PTR)LDRP_BAD_DLL; st = Ordinal ? STATUS_ORDINAL_NOT_FOUND : STATUS_ENTRYPOINT_NOT_FOUND; } else { Addr = (PULONG)((ULONG_PTR)DllBase + (ULONG)ExportDirectory->AddressOfFunctions); Thunk->u1.Function = ((ULONG_PTR)DllBase + Addr[OrdinalNumber]); if (Thunk->u1.Function > (ULONG_PTR)ExportDirectory && Thunk->u1.Function < ((ULONG_PTR)ExportDirectory + ExportSize) ) { UNICODE_STRING UnicodeString; ANSI_STRING ForwardDllName; PVOID ForwardDllHandle; PUNICODE_STRING ForwardProcName; ULONG ForwardProcOrdinal; ImportString = (PSZ)Thunk->u1.Function; ForwardDllName.Buffer = ImportString, ForwardDllName.Length = (USHORT)(strchr(ImportString, '.') - ImportString); ForwardDllName.MaximumLength = ForwardDllName.Length; st = RtlAnsiStringToUnicodeString(&UnicodeString, &ForwardDllName, TRUE); if (NT_SUCCESS(st)) { #if defined (WX86) if (Wx86ProcessInit) { NtCurrentTeb()->Wx86Thread.UseKnownWx86Dll = RtlImageNtHeader(DllBase)->FileHeader.Machine == IMAGE_FILE_MACHINE_I386; } #endif st = LdrpLoadDll(NULL, NULL, &UnicodeString, &ForwardDllHandle,FALSE); RtlFreeUnicodeString(&UnicodeString); } if (!NT_SUCCESS(st)) { goto baddllref; } RtlInitAnsiString( &ForwardDllName, ImportString + ForwardDllName.Length + 1 ); if (ForwardDllName.Length > 1 && *ForwardDllName.Buffer == '#' ) { ForwardProcName = NULL; st = RtlCharToInteger( ForwardDllName.Buffer+1, 0, &ForwardProcOrdinal ); if (!NT_SUCCESS(st)) { goto baddllref; } } else { ForwardProcName = (PUNICODE_STRING)&ForwardDllName; // // Following line is not needed since this is a by name lookup // // //ForwardProcOrdinal = (ULONG)&ForwardDllName; // } st = LdrpGetProcedureAddress( ForwardDllHandle, (PANSI_STRING )ForwardProcName, ForwardProcOrdinal, &(PVOID)Thunk->u1.Function, FALSE ); if (!NT_SUCCESS(st)) { goto baddllref; } } else { if ( !Addr[OrdinalNumber] ) { goto baddllref; } #if defined (_ALPHA_) && defined (WX86) else { PIMAGE_NT_HEADERS ExportNtHeaders = RtlImageNtHeader(DllBase); if ((ExportNtHeaders->OptionalHeader.SectionAlignment < PAGE_SIZE) && (ExportNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)) { Thunk->u1.Function += LdrpWx86RelocatedFixupDiff(DllBase, Addr[OrdinalNumber]); } } #endif // defined (_ALPHA_) && defined (WX86) } st = STATUS_SUCCESS; } return st; }

VOID LdrpUpdateLoadCount (  IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry, IN BOOLEAN  IncrementCount )

Definition at line 2802 of file ldrsnap.c. References DbgPrint, FALSE, LdrpCheckForLoadedDll(), NT_SUCCESS, NTSTATUS(), NULL, RtlAnsiStringToUnicodeString(), RtlImageDirectoryEntryToData(), RtlImageNtHeader(), RtlInitAnsiString(), ShowSnaps, and TRUE. : This function dereferences a loaded DLL adjusting its reference count. It then dereferences each dll referenced by this dll. Arguments: LdrDataTableEntry - Supplies the address of the DLL to dereference IncrementCount - TRUE if adding one to LoadCount, O.W. subtracting one Return Value: None. --*/ { PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor; PIMAGE_BOUND_IMPORT_DESCRIPTOR NewImportDescriptor; PIMAGE_BOUND_FORWARDER_REF NewImportForwarder; PSZ ImportName, NewImportStringBase; ULONG i, ImportSize, NewImportSize; ANSI_STRING AnsiString; PUNICODE_STRING ImportDescriptorName_U; PLDR_DATA_TABLE_ENTRY Entry; NTSTATUS st; BOOLEAN Wx86KnownDll = FALSE; PIMAGE_THUNK_DATA FirstThunk; if (IncrementCount) if (LdrDataTableEntry->Flags & LDRP_LOAD_IN_PROGRESS) { return; } else { LdrDataTableEntry->Flags |= LDRP_LOAD_IN_PROGRESS; } else if (LdrDataTableEntry->Flags & LDRP_UNLOAD_IN_PROGRESS) { return; } else { LdrDataTableEntry->Flags |= LDRP_UNLOAD_IN_PROGRESS; } // // For each DLL used by this DLL, reference or dereference the DLL. // ImportDescriptorName_U = &NtCurrentTeb()->StaticUnicodeString; #if defined (WX86) if (Wx86ProcessInit) { Wx86KnownDll = RtlImageNtHeader(LdrDataTableEntry->DllBase)->FileHeader.Machine == IMAGE_FILE_MACHINE_I386; } #endif // // See if there is a bound import table. If so, walk that to // determine DLL names to reference or dereference. Avoids touching // the .idata section // NewImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, &NewImportSize ); if (NewImportDescriptor) { if (IncrementCount) { LdrDataTableEntry->Flags |= LDRP_LOAD_IN_PROGRESS; } else { LdrDataTableEntry->Flags |= LDRP_UNLOAD_IN_PROGRESS; } NewImportStringBase = (LPSTR)NewImportDescriptor; while (NewImportDescriptor->OffsetModuleName) { ImportName = NewImportStringBase + NewImportDescriptor->OffsetModuleName; RtlInitAnsiString(&AnsiString, ImportName); st = RtlAnsiStringToUnicodeString(ImportDescriptorName_U, &AnsiString, FALSE); if ( NT_SUCCESS(st) ) { if (LdrpCheckForLoadedDll( NULL, ImportDescriptorName_U, TRUE, Wx86KnownDll, &Entry ) ) { if ( Entry->LoadCount != 0xffff ) { if (IncrementCount) { Entry->LoadCount++; if (ShowSnaps) { DbgPrint("LDR: Refcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } else { Entry->LoadCount--; if (ShowSnaps) { DbgPrint("LDR: Derefcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } } LdrpUpdateLoadCount(Entry, IncrementCount); } } NewImportForwarder = (PIMAGE_BOUND_FORWARDER_REF)(NewImportDescriptor+1); for (i=0; i<NewImportDescriptor->NumberOfModuleForwarderRefs; i++) { ImportName = NewImportStringBase + NewImportForwarder->OffsetModuleName; RtlInitAnsiString(&AnsiString, ImportName); st = RtlAnsiStringToUnicodeString(ImportDescriptorName_U, &AnsiString, FALSE); if ( NT_SUCCESS(st) ) { if (LdrpCheckForLoadedDll( NULL, ImportDescriptorName_U, TRUE, Wx86KnownDll, &Entry ) ) { if ( Entry->LoadCount != 0xffff ) { if (IncrementCount) { Entry->LoadCount++; if (ShowSnaps) { DbgPrint("LDR: Refcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } else { Entry->LoadCount--; if (ShowSnaps) { DbgPrint("LDR: Derefcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } } LdrpUpdateLoadCount(Entry, IncrementCount); } } NewImportForwarder += 1; } NewImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)NewImportForwarder; } return; } ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ImportSize ); if (ImportDescriptor) { while (ImportDescriptor->Name && ImportDescriptor->FirstThunk) { // // Match code in walk that skips references like this. IE3 had // some dll's with these bogus links to url.dll. On load, the url.dll // ref was skipped. On unload, it was not skipped because // this code was missing. // // Since the skip logic is only in the old style import // descriptor path, it is only duplicated here. // // check for import that has no references // FirstThunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry->DllBase + ImportDescriptor->FirstThunk); if ( !FirstThunk->u1.Function ) { goto skipskippedimport; } ImportName = (PSZ)((ULONG_PTR)LdrDataTableEntry->DllBase + ImportDescriptor->Name); RtlInitAnsiString(&AnsiString, ImportName); st = RtlAnsiStringToUnicodeString(ImportDescriptorName_U, &AnsiString, FALSE); if ( NT_SUCCESS(st) ) { if (LdrpCheckForLoadedDll( NULL, ImportDescriptorName_U, TRUE, Wx86KnownDll, &Entry ) ) { if ( Entry->LoadCount != 0xffff ) { if (IncrementCount) { Entry->LoadCount++; if (ShowSnaps) { DbgPrint("LDR: Refcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } else { Entry->LoadCount--; if (ShowSnaps) { DbgPrint("LDR: Derefcount %wZ (%lx)\n", ImportDescriptorName_U, (ULONG)Entry->LoadCount ); } } } LdrpUpdateLoadCount(Entry, IncrementCount); } } skipskippedimport: ++ImportDescriptor; } } }

NTSTATUS LdrpWalkImportDescriptor (  IN PWSTR DllPath  OPTIONAL, IN PLDR_DATA_TABLE_ENTRY  LdrDataTableEntry )

Definition at line 214 of file ldrsnap.c. References DbgPrint, FALSE, LdrpDefineDllTag(), LdrpDphInitializeTargetDll(), LdrpLoadImportModule(), LdrpSnapIAT(), Name, NT_SUCCESS, NtProtectVirtualMemory(), NTSTATUS(), NULL, PAGE_SIZE, RtlAllocateHeap, RtlImageDirectoryEntryToData(), RtlImageNtHeader(), ShowSnaps, TRUE, and USHORT. : This is a recursive routine which walks the Import Descriptor Table and loads each DLL that is referenced. Arguments: DllPath - Supplies an optional search path to be used to locate the DLL. LdrDataTableEntry - Supplies the address of the data table entry to initialize. Return Value: Status value. --*/ { ULONG i, ImportSize, NewImportSize; BOOLEAN AlreadyLoaded, SnapForwardersOnly, StaleBinding; PLDR_DATA_TABLE_ENTRY DataTableEntry, FwdDataTableEntry; PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor; PIMAGE_BOUND_IMPORT_DESCRIPTOR NewImportDescriptor; PIMAGE_BOUND_FORWARDER_REF NewImportForwarder; PSZ ImportName, NewImportName, NewFwdImportName, NewImportStringBase; NTSTATUS st; PIMAGE_NT_HEADERS ExportNtHeaders; PVOID ImportBase; ULONG RegionSize; PIMAGE_THUNK_DATA Thunk,Name; PIMAGE_THUNK_DATA FirstThunk; PPEB Peb = NtCurrentPeb(); // // See if there is a bound import table. If so, walk that to // verify if the binding is good. If so, then succeed with // having touched the .idata section, as all the information // in the bound imports table is stored in the header. If any // are stale, then fall out into the unbound case. // NewImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, &NewImportSize ); ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ImportSize ); if (NewImportDescriptor) { NewImportStringBase = (LPSTR)NewImportDescriptor; while (NewImportDescriptor->OffsetModuleName) { NewImportName = NewImportStringBase + NewImportDescriptor->OffsetModuleName; if (ShowSnaps) { DbgPrint("LDR: %wZ bound to %s\n", &LdrDataTableEntry->BaseDllName, NewImportName ); } st = LdrpLoadImportModule( DllPath, NewImportName, LdrDataTableEntry->DllBase, &DataTableEntry, &AlreadyLoaded ); if ( !NT_SUCCESS(st) ) { return st; } // // Add to initialization list. // if (!AlreadyLoaded) { InsertTailList(&Peb->Ldr->InInitializationOrderModuleList, &DataTableEntry->InInitializationOrderLinks); } #if defined (_ALPHA_) && defined (WX86) ExportNtHeaders = RtlImageNtHeader(LdrDataTableEntry->DllBase); if ((ExportNtHeaders->OptionalHeader.SectionAlignment < PAGE_SIZE) && (ExportNtHeaders->FileHeader.Machine == IMAGE_FILE_MACHINE_I386)) { if (LdrpWx86DllHasRelocatedSharedSection(LdrDataTableEntry->DllBase)) { DataTableEntry->Flags |= LDRP_IMAGE_NOT_AT_BASE; } } #endif // defined (_ALPHA_) && defined (WX86) if ( NewImportDescriptor->TimeDateStamp != DataTableEntry->TimeDateStamp || (DataTableEntry->Flags & LDRP_IMAGE_NOT_AT_BASE) ) { if (ShowSnaps) { DbgPrint("LDR: %wZ has stale binding to %s\n", &LdrDataTableEntry->BaseDllName, NewImportName ); } StaleBinding = TRUE; } else { #if DBG LdrpSnapBypass++; #endif if (ShowSnaps) { DbgPrint("LDR: %wZ has correct binding to %s\n", &LdrDataTableEntry->BaseDllName, NewImportName ); } StaleBinding = FALSE; } NewImportForwarder = (PIMAGE_BOUND_FORWARDER_REF)(NewImportDescriptor+1); for (i=0; i<NewImportDescriptor->NumberOfModuleForwarderRefs; i++) { NewFwdImportName = NewImportStringBase + NewImportForwarder->OffsetModuleName; if (ShowSnaps) { DbgPrint("LDR: %wZ bound to %s via forwarder(s) from %wZ\n", &LdrDataTableEntry->BaseDllName, NewFwdImportName, &DataTableEntry->BaseDllName ); } st = LdrpLoadImportModule( DllPath, NewFwdImportName, LdrDataTableEntry->DllBase, &FwdDataTableEntry, &AlreadyLoaded ); if ( NT_SUCCESS(st) ) { if (!AlreadyLoaded) { InsertTailList(&Peb->Ldr->InInitializationOrderModuleList, &FwdDataTableEntry->InInitializationOrderLinks); } } if ( !NT_SUCCESS(st) || NewImportForwarder->TimeDateStamp != FwdDataTableEntry->TimeDateStamp || (FwdDataTableEntry->Flags & LDRP_IMAGE_NOT_AT_BASE ) ) { if (ShowSnaps) { DbgPrint("LDR: %wZ has stale binding to %s\n", &LdrDataTableEntry->BaseDllName, NewFwdImportName ); } StaleBinding = TRUE; } else { #if DBG LdrpSnapBypass++; #endif if (ShowSnaps) { DbgPrint("LDR: %wZ has correct binding to %s\n", &LdrDataTableEntry->BaseDllName, NewFwdImportName ); } } NewImportForwarder += 1; } NewImportDescriptor = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)NewImportForwarder; if (StaleBinding) { #if DBG LdrpNormalSnap++; #endif // // Find the unbound import descriptor that matches this bound // import descriptor // ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ImportSize ); while (ImportDescriptor->Name) { ImportName = (PSZ)((ULONG_PTR)LdrDataTableEntry->DllBase + ImportDescriptor->Name); if (!_stricmp(ImportName, NewImportName)) { break; } ImportDescriptor += 1; } if (!ImportDescriptor->Name) { return STATUS_OBJECT_NAME_INVALID; } if (ShowSnaps) { DbgPrint("LDR: Stale Bind %s from %wZ\n",ImportName,&LdrDataTableEntry->BaseDllName); } st = LdrpSnapIAT( DataTableEntry, LdrDataTableEntry, ImportDescriptor, FALSE ); if (!NT_SUCCESS(st)) { return st; } } } } else if (ImportDescriptor) { // // For each DLL used by this DLL, load the dll. Then snap // the IAT, and call the DLL's init routine. // while (ImportDescriptor->Name && ImportDescriptor->FirstThunk) { ImportName = (PSZ)((ULONG_PTR)LdrDataTableEntry->DllBase + ImportDescriptor->Name); // // check for import that has no references // FirstThunk = (PIMAGE_THUNK_DATA)((ULONG_PTR)LdrDataTableEntry->DllBase + ImportDescriptor->FirstThunk); if ( !FirstThunk->u1.Function ) { goto skipimport; } if (ShowSnaps) { DbgPrint("LDR: %s used by %wZ\n", ImportName, &LdrDataTableEntry->BaseDllName ); } st = LdrpLoadImportModule( DllPath, ImportName, LdrDataTableEntry->DllBase, &DataTableEntry, &AlreadyLoaded ); if ( !NT_SUCCESS(st) ) { return st; } if (ShowSnaps) { DbgPrint("LDR: Snapping imports for %wZ from %s\n", &LdrDataTableEntry->BaseDllName, ImportName ); } // // If the image has been bound and the import date stamp // matches the date time stamp in the export modules header, // and the image was mapped at it's prefered base address, // then we are done. // SnapForwardersOnly = FALSE; if ( ImportDescriptor->OriginalFirstThunk ) { if ( ImportDescriptor->TimeDateStamp && ImportDescriptor->TimeDateStamp == DataTableEntry->TimeDateStamp && (! DataTableEntry->Flags & LDRP_IMAGE_NOT_AT_BASE) ) { #if DBG LdrpSnapBypass++; #endif if (ShowSnaps) { DbgPrint("LDR: Snap bypass %s from %wZ\n", ImportName, &LdrDataTableEntry->BaseDllName ); } if (ImportDescriptor->ForwarderChain == -1) { goto bypass_snap; } SnapForwardersOnly = TRUE; } } #if DBG LdrpNormalSnap++; #endif // // Add to initialization list. // if (!AlreadyLoaded) { InsertTailList(&Peb->Ldr->InInitializationOrderModuleList, &DataTableEntry->InInitializationOrderLinks); } st = LdrpSnapIAT( DataTableEntry, LdrDataTableEntry, ImportDescriptor, SnapForwardersOnly ); if (!NT_SUCCESS(st)) { return st; } AlreadyLoaded = TRUE; bypass_snap: // // Add to initialization list. // if (!AlreadyLoaded) { InsertTailList(&Peb->Ldr->InInitializationOrderModuleList, &DataTableEntry->InInitializationOrderLinks); } skipimport: ++ImportDescriptor; } } if (Peb->NtGlobalFlag & FLG_HEAP_ENABLE_TAG_BY_DLL) { PVOID IATBase; SIZE_T BigIATSize; ULONG LittleIATSize; PVOID *ProcAddresses; ULONG NumberOfProcAddresses; ULONG OldProtect; USHORT TagIndex; // // Determine the location and size of the IAT. If found, scan the // IAT address to see if any are pointing to RtlAllocateHeap. If so // replace when with a pointer to a unique thunk function that will // replace the tag with a unique tag for this image. // IATBase = RtlImageDirectoryEntryToData( LdrDataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &LittleIATSize ); BigIATSize = LittleIATSize; if (IATBase != NULL) { st = NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &BigIATSize, PAGE_READWRITE, &OldProtect ); if (!NT_SUCCESS(st)) { DbgPrint( "LDR: Unable to unprotect IAT to enable tagging by DLL.\n" ); } else { ProcAddresses = (PVOID *)IATBase; NumberOfProcAddresses = (ULONG)(BigIATSize / sizeof(PVOID)); while (NumberOfProcAddresses--) { if (*ProcAddresses == RtlAllocateHeap) { *ProcAddresses = LdrpDefineDllTag( LdrDataTableEntry->BaseDllName.Buffer, &TagIndex ); if (*ProcAddresses == NULL) { *ProcAddresses = RtlAllocateHeap; } } ProcAddresses += 1; } NtProtectVirtualMemory( NtCurrentProcess(), &IATBase, &BigIATSize, OldProtect, &OldProtect ); } } } // // Check if we need to redirect some imports in case page heap // is enabled and we target specific dlls. // if (Peb->NtGlobalFlag & FLG_HEAP_PAGE_ALLOCS) { LdrpDphInitializeTargetDll (LdrDataTableEntry); } return STATUS_SUCCESS; }

PLIST_ENTRY RtlpLockProcessHeapsList (  VOID   )

BOOLEAN RtlpSerializeHeap (  IN PVOID  HeapHandle  )

Definition at line 323 of file heapdbg.c. References FALSE, _HEAP::Flags, _HEAP::ForceFlags, HeapHandle, IF_DEBUG_PAGE_HEAP_THEN_RETURN, Lock, _HEAP::LockVariable, NT_SUCCESS, NTSTATUS(), NULL, RtlAllocateHeap, RtlFreeHeap, RtlInitializeLockRoutine, RtlpCheckHeapSignature(), RtlpDebugPageHeapSerialize(), RtlpValidateHeapHeaders(), Status, and TRUE. Referenced by LdrpInitializeTls(). : Arguments: Return Value: --*/ { NTSTATUS Status; PHEAP Heap = (PHEAP)HeapHandle; PHEAP_LOCK Lock; IF_DEBUG_PAGE_HEAP_THEN_RETURN( HeapHandle, RtlpDebugPageHeapSerialize( HeapHandle )); // // Validate that HeapAddress points to a HEAP structure. // if (!RtlpCheckHeapSignature( Heap, "RtlpSerializeHeap" )) { return FALSE; } // // Lock the heap. // if (Heap->Flags & HEAP_NO_SERIALIZE) { Lock = RtlAllocateHeap( HeapHandle, HEAP_NO_SERIALIZE, sizeof( *Lock ) ); if ( Lock == NULL ) { return FALSE; } Status = RtlInitializeLockRoutine( Lock ); if (!NT_SUCCESS( Status )) { RtlFreeHeap( HeapHandle, HEAP_NO_SERIALIZE, Lock ); return FALSE; } Heap->LockVariable = Lock; Heap->Flags &= ~HEAP_NO_SERIALIZE; Heap->ForceFlags &= ~HEAP_NO_SERIALIZE; RtlpValidateHeapHeaders( Heap, TRUE ); } return TRUE; }

VOID RtlpUnlockProcessHeapsList (  VOID   )

PSZ UnicodeToAnsii (  IN PWSTR  String  )

BOOLEAN xRtlDosPathNameToNtPathName (  IN PSZ  DosFileName, OUT PSTRING  NtFileName, OUT PSZ *FilePart  OPTIONAL, OUT PRTL_RELATIVE_NAME RelativeName  OPTIONAL )

ULONG xRtlDosSearchPath (  PSZ  lpPath, PSZ  lpFileName, PSZ  lpExtension, ULONG  nBufferLength, PSZ  lpBuffer, PSZ *lpFilePart  OPTIONAL )

ULONG xRtlGetFullPathName (  PSZ  lpFileName, ULONG  nBufferLength, PSZ  lpBuffer, PSZ *lpFilePart  OPTIONAL )

---

Variable Documentation

RTL_CRITICAL_SECTION FastPebLock

Definition at line 388 of file ldrp.h. Referenced by LdrpForkProcess(), and LdrpInitializeProcess().

BOOLEAN LdrpActiveUnloadCount

Definition at line 383 of file ldrp.h. Referenced by LdrUnloadDll().

UNICODE_STRING LdrpDefaultPath

Definition at line 387 of file ldrp.h. Referenced by LdrpCheckForLoadedDll(), LdrpInitializeProcess(), LdrpMapDll(), and LdrpResolveDllName().

LIST_ENTRY LdrpDefaultPathCache

Definition at line 168 of file ldrp.h.

ULONG LdrpFatalHardErrorCount

Definition at line 386 of file ldrp.h. Referenced by LdrpCreateDllSection(), LdrpInitializationFailure(), LdrpMapDll(), and LdrpSnapThunk().

PLDR_DATA_TABLE_ENTRY LdrpGetModuleHandleCache

Definition at line 384 of file ldrp.h. Referenced by LdrGetDllHandle(), and LdrUnloadDll().

LIST_ENTRY LdrpHashTable[LDRP_HASH_TABLE_SIZE]

Definition at line 162 of file ldrp.h. Referenced by LdrpCheckForLoadedDll(), LdrpInitializeProcess(), and LdrpInsertMemoryTableEntry().

PLDR_DATA_TABLE_ENTRY LdrpImageEntry

Definition at line 390 of file ldrp.h. Referenced by LdrpInitializeProcess().

BOOLEAN LdrpImageHasTls

Definition at line 32 of file ldrp.h. Referenced by LdrpInitializeThread(), LdrpInitializeTls(), LdrpRunInitializeRoutines(), LdrShutdownProcess(), and LdrShutdownThread().

BOOLEAN LdrpInLdrInit

Definition at line 374 of file ldrp.h. Referenced by LdrDisableThreadCalloutsForDll(), LdrGetDllHandle(), LdrpCreateDllSection(), LdrpGetProcedureAddress(), LdrpInitialize(), LdrpLoadDll(), LdrpMapDll(), LdrpSnapThunk(), LdrQueryProcessModuleInformation(), and LdrUnloadDll().

HANDLE LdrpKnownDllObjectDirectory

Definition at line 34 of file ldrp.h. Referenced by LdrpCheckForKnownDll(), LdrpInitializeProcess(), and LdrpMapDll().

UNICODE_STRING LdrpKnownDllPath

Definition at line 37 of file ldrp.h. Referenced by LdrpCheckForKnownDll(), and LdrpInitializeProcess().

WCHAR LdrpKnownDllPathBuffer[LDRP_MAX_KNOWN_PATH]

Definition at line 36 of file ldrp.h. Referenced by LdrpInitializeProcess().

BOOLEAN LdrpLdrDatabaseIsSetup

Definition at line 375 of file ldrp.h. Referenced by LdrpInitializeProcess(), and LdrpLoadDll().

PLDR_DATA_TABLE_ENTRY LdrpLoadedDllHandleCache

Definition at line 385 of file ldrp.h. Referenced by LdrpCheckForLoadedDllHandle(), and LdrUnloadDll().

ULONG LdrpNumberOfProcessors

Definition at line 391 of file ldrp.h. Referenced by LdrpInitializeProcess(), and LdrpMapDll().

ULONG LdrpNumberOfTlsEntries

Definition at line 401 of file ldrp.h. Referenced by LdrpAllocateTls(), and LdrpInitializeTls().

BOOLEAN LdrpShutdownInProgress

Definition at line 373 of file ldrp.h.

HANDLE LdrpShutdownThreadId

Definition at line 389 of file ldrp.h. Referenced by LdrShutdownProcess(), RtlpNotOwnerCriticalSection(), and RtlpWaitForCriticalSection().

LIST_ENTRY LdrpTlsList

Definition at line 400 of file ldrp.h. Referenced by LdrpAllocateTls(), LdrpFreeTls(), and LdrpInitializeTls().

LIST_ENTRY LdrpUnloadHead

Definition at line 382 of file ldrp.h. Referenced by LdrUnloadDll().

BOOLEAN LdrpVerifyDlls

Definition at line 376 of file ldrp.h. Referenced by LdrpInitializeProcess().

ULONG NtdllBaseTag

Definition at line 455 of file ldrp.h. Referenced by LdrpInitializeProcess().

ULONG NtGlobalFlag

Definition at line 370 of file ldrp.h. Referenced by ExAllocatePoolWithQuotaTag(), ExInitializeResource(), ExInitializeResourceLite(), InitializePool(), IoInitSystem(), KdpTrap(), MiLoadImageSection(), MiLoadSystemImage(), MiMapViewOfImageSection(), MmCreatePeb(), MmInPageKernelStack(), MmOutPageKernelStack(), NtClose(), NtDuplicateObject(), NtQuerySystemInformation(), NtSetEvent(), NtSetSystemInformation(), NtWaitForMultipleObjects(), ObCreateObjectType(), ObDupHandleProcedure(), ObpCaptureHandleInformation(), ObpCreateHandle(), ObpCreateUnnamedHandle(), ObpEnumFindHandleProcedure(), ObReferenceObjectByHandle(), RtlCreateHeap(), RtlDispatchException(), RtlGetNtGlobalFlags(), RtlpInitializeHeapSegment(), and UserInitialize().

LIST_ENTRY RtlCriticalSectionList

Definition at line 371 of file ldrp.h. Referenced by LdrpForkProcess(), LdrpInitializeProcess(), RtlCheckForOrphanedCriticalSections(), RtlInitializeCriticalSectionAndSpinCount(), RtlpInitDeferedCriticalSection(), and RtlQueryProcessLockInformation().

RTL_CRITICAL_SECTION RtlCriticalSectionLock

Definition at line 372 of file ldrp.h. Referenced by RtlCheckForOrphanedCriticalSections(), RtlDeleteCriticalSection(), RtlInitializeCriticalSectionAndSpinCount(), RtlpInitDeferedCriticalSection(), and RtlQueryProcessLockInformation().

LARGE_INTEGER RtlpTimeout

Definition at line 369 of file ldrp.h. Referenced by LdrpInitializeProcess(), RtlAcquireResourceExclusive(), RtlAcquireResourceShared(), RtlConvertSharedToExclusive(), and RtlpWaitForCriticalSection().

BOOLEAN RtlpTimoutDisable

Definition at line 368 of file ldrp.h. Referenced by LdrpInitializeProcess(), and RtlpWaitForCriticalSection().

BOOLEAN ShowSnaps

Definition at line 367 of file ldrp.h. Referenced by LdrGetDllHandle(), LdrpAllocateTls(), LdrpCallTlsInitializers(), LdrpCheckForLoadedDll(), LdrpGetProcedureAddress(), LdrpInitializeProcess(), LdrpInitializeTls(), LdrpLoadDll(), LdrpMapDll(), LdrpResolveDllName(), LdrpRunInitializeRoutines(), LdrpSnapThunk(), LdrpUpdateLoadCount(), LdrpWalkImportDescriptor(), LdrShutdownProcess(), and LdrUnloadDll().

---