verifier.c File Reference

#include "mi.h"

Go to the source code of this file.

Classes
struct	_VERIFIER_THUNKS
struct	_DRIVER_SPECIFIED_VERIFIER_THUNKS
struct	_VERIFIER_STRING_INFO
Defines
#define	THUNKED_API
#define	VI_BAD_MAPPERS_MAX   100
#define	VI_POOL_ENTRIES_PER_PAGE   (PAGE_SIZE / sizeof(VI_POOL_ENTRY))
#define	UNICODE_TAB   0x0009
#define	UNICODE_LF   0x000A
#define	UNICODE_CR   0x000D
#define	UNICODE_SPACE   0x0020
#define	UNICODE_CJK_SPACE   0x3000
#define	UNICODE_WHITESPACE(_ch)
#define	MM_BOOT_IMAGE_SIZE   (16 * 1024 * 1024)
#define	ROUND_UP(VALUE, ROUND)
#define	X86_HAL_ROUTINE   0
#define	POOL_ROUTINE   2
#define	VERIFIER_THUNK_IN_HAL(Flag)   (Flag & X86_HAL_ROUTINE)
#define	VERIFIER_POOL_ROUTINE(Flag)   (Flag & POOL_ROUTINE)
Typedefs
typedef _VERIFIER_THUNKS	VERIFIER_THUNKS
typedef _VERIFIER_THUNKS *	PVERIFIER_THUNKS
typedef _DRIVER_SPECIFIED_VERIFIER_THUNKS	DRIVER_SPECIFIED_VERIFIER_THUNKS
typedef _DRIVER_SPECIFIED_VERIFIER_THUNKS *	PDRIVER_SPECIFIED_VERIFIER_THUNKS
typedef VOID(*	PKE_ACQUIRE_SPINLOCK )(IN PKSPIN_LOCK SpinLock, OUT PKIRQL OldIrql)
typedef VOID(*	PKE_RELEASE_SPINLOCK )(IN PKSPIN_LOCK SpinLock, IN KIRQL NewIrql)
typedef VOID(*	PKE_RAISE_IRQL )(IN KIRQL NewIrql, OUT PKIRQL OldIrql)
typedef VOID(*	PKE_LOWER_IRQL )(IN KIRQL NewIrql)
typedef _VERIFIER_STRING_INFO	VERIFIER_STRING_INFO
typedef _VERIFIER_STRING_INFO *	PVERIFIER_STRING_INFO
Functions
THUNKED_API PVOID	VerifierAllocatePool (IN POOL_TYPE PoolType, IN SIZE_T NumberOfBytes)
THUNKED_API PVOID	VerifierAllocatePoolWithTag (IN POOL_TYPE PoolType, IN SIZE_T NumberOfBytes, IN ULONG Tag)
THUNKED_API PVOID	VerifierAllocatePoolWithQuotaTag (IN POOL_TYPE PoolType, IN SIZE_T NumberOfBytes, IN ULONG Tag)
THUNKED_API PVOID	VerifierAllocatePoolWithTagPriority (IN POOL_TYPE PoolType, IN SIZE_T NumberOfBytes, IN ULONG Tag, IN EX_POOL_PRIORITY Priority)
PVOID	VeAllocatePoolWithTagPriority (IN POOL_TYPE PoolType, IN SIZE_T NumberOfBytes, IN ULONG Tag, IN EX_POOL_PRIORITY Priority, IN PVOID CallingAddress)
VOID	VerifierFreePool (IN PVOID P)
THUNKED_API VOID	VerifierFreePoolWithTag (IN PVOID P, IN ULONG TagToFree)
THUNKED_API LONG	VerifierSetEvent (IN PRKEVENT Event, IN KPRIORITY Increment, IN BOOLEAN Wait)
THUNKED_API KIRQL FASTCALL	VerifierKfRaiseIrql (IN KIRQL NewIrql)
THUNKED_API VOID FASTCALL	VerifierKfLowerIrql (IN KIRQL NewIrql)
THUNKED_API VOID	VerifierKeRaiseIrql (IN KIRQL NewIrql, OUT PKIRQL OldIrql)
THUNKED_API VOID	VerifierKeLowerIrql (IN KIRQL NewIrql)
THUNKED_API VOID	VerifierKeAcquireSpinLock (IN PKSPIN_LOCK SpinLock, OUT PKIRQL OldIrql)
THUNKED_API VOID	VerifierKeReleaseSpinLock (IN PKSPIN_LOCK SpinLock, IN KIRQL NewIrql)
THUNKED_API KIRQL FASTCALL	VerifierKfAcquireSpinLock (IN PKSPIN_LOCK SpinLock)
THUNKED_API VOID FASTCALL	VerifierKfReleaseSpinLock (IN PKSPIN_LOCK SpinLock, IN KIRQL NewIrql)
THUNKED_API VOID	VerifierKeInitializeTimerEx (IN PKTIMER Timer, IN TIMER_TYPE Type)
THUNKED_API VOID	VerifierKeInitializeTimer (IN PKTIMER Timer)
THUNKED_API BOOLEAN FASTCALL	VerifierExTryToAcquireFastMutex (IN PFAST_MUTEX FastMutex)
THUNKED_API VOID FASTCALL	VerifierExAcquireFastMutex (IN PFAST_MUTEX FastMutex)
THUNKED_API VOID FASTCALL	VerifierExReleaseFastMutex (IN PFAST_MUTEX FastMutex)
THUNKED_API VOID FASTCALL	VerifierExAcquireFastMutexUnsafe (IN PFAST_MUTEX FastMutex)
THUNKED_API VOID FASTCALL	VerifierExReleaseFastMutexUnsafe (IN PFAST_MUTEX FastMutex)
THUNKED_API BOOLEAN	VerifierExAcquireResourceExclusive (IN PERESOURCE Resource, IN BOOLEAN Wait)
THUNKED_API VOID FASTCALL	VerifierExReleaseResource (IN PERESOURCE Resource)
THUNKED_API KIRQL FASTCALL	VerifierKeAcquireQueuedSpinLock (IN KSPIN_LOCK_QUEUE_NUMBER Number)
THUNKED_API VOID FASTCALL	VerifierKeReleaseQueuedSpinLock (IN KSPIN_LOCK_QUEUE_NUMBER Number, IN KIRQL OldIrql)
THUNKED_API BOOLEAN	VerifierSynchronizeExecution (IN PKINTERRUPT Interrupt, IN PKSYNCHRONIZE_ROUTINE SynchronizeRoutine, IN PVOID SynchronizeContext)
THUNKED_API VOID	VerifierProbeAndLockPages (IN OUT PMDL MemoryDescriptorList, IN KPROCESSOR_MODE AccessMode, IN LOCK_OPERATION Operation)
THUNKED_API VOID	VerifierProbeAndLockProcessPages (IN OUT PMDL MemoryDescriptorList, IN PEPROCESS Process, IN KPROCESSOR_MODE AccessMode, IN LOCK_OPERATION Operation)
THUNKED_API VOID	VerifierProbeAndLockSelectedPages (IN OUT PMDL MemoryDescriptorList, IN PFILE_SEGMENT_ELEMENT SegmentArray, IN KPROCESSOR_MODE AccessMode, IN LOCK_OPERATION Operation)
VOID	VerifierUnlockPages (IN OUT PMDL MemoryDescriptorList)
VOID	VerifierUnmapLockedPages (IN PVOID BaseAddress, IN PMDL MemoryDescriptorList)
VOID	VerifierUnmapIoSpace (IN PVOID BaseAddress, IN SIZE_T NumberOfBytes)
THUNKED_API PVOID	VerifierMapIoSpace (IN PHYSICAL_ADDRESS PhysicalAddress, IN SIZE_T NumberOfBytes, IN MEMORY_CACHING_TYPE CacheType)
THUNKED_API PVOID	VerifierMapLockedPages (IN PMDL MemoryDescriptorList, IN KPROCESSOR_MODE AccessMode)
THUNKED_API PVOID	VerifierMapLockedPagesSpecifyCache (IN PMDL MemoryDescriptorList, IN KPROCESSOR_MODE AccessMode, IN MEMORY_CACHING_TYPE CacheType, IN PVOID RequestedAddress, IN ULONG BugCheckOnFailure, IN MM_PAGE_PRIORITY Priority)
VOID	VerifierFreeTrackedPool (IN PVOID VirtualAddress, IN SIZE_T ChargedBytes, IN LOGICAL CheckType, IN LOGICAL SpecialPool)
VOID	ViPrintString (IN PUNICODE_STRING DriverName)
LOGICAL	ViInjectResourceFailure (VOID)
VOID	ViTrimAllSystemPagableMemory (VOID)
VOID	ViInitializeEntry (IN PMI_VERIFIER_DRIVER_ENTRY Verifier, IN LOGICAL FirstLoad)
LOGICAL	ViReservePoolAllocation (IN PMI_VERIFIER_DRIVER_ENTRY Verifier)
ULONG_PTR	ViInsertPoolAllocation (IN PMI_VERIFIER_DRIVER_ENTRY Verifier, IN PVOID VirtualAddress, IN PVOID CallingAddress, IN SIZE_T NumberOfBytes, IN ULONG Tag)
VOID	ViCancelPoolAllocation (IN PMI_VERIFIER_DRIVER_ENTRY Verifier)
VOID	ViReleasePoolAllocation (IN PMI_VERIFIER_DRIVER_ENTRY Verifier, IN PVOID VirtualAddress, IN ULONG_PTR ListIndex, IN SIZE_T ChargedBytes)
VOID	KfSanityCheckRaiseIrql (IN KIRQL NewIrql)
VOID	KfSanityCheckLowerIrql (IN KIRQL NewIrql)
LOGICAL	MiEnableVerifier (IN PLDR_DATA_TABLE_ENTRY DataTableEntry)
VOID	ViInsertVerifierEntry (IN PMI_VERIFIER_DRIVER_ENTRY Verifier)
PVOID	ViPostPoolAllocation (IN PVOID VirtualAddress, IN SIZE_T NumberOfBytes, IN POOL_TYPE PoolType, IN ULONG Tag, IN PVOID CallingAddress)
PMI_VERIFIER_DRIVER_ENTRY	ViLocateVerifierEntry (IN PVOID SystemAddress)
VOID	MiVerifierCheckThunks (IN PLDR_DATA_TABLE_ENTRY DataTableEntry)
LOGICAL	ViAddBadMapper (IN PVOID BadMapper)
THUNKED_API PVOID	VerifierAllocatePoolWithQuota (IN POOL_TYPE PoolType, IN SIZE_T NumberOfBytes)
LOGICAL	MiInitializeDriverVerifierList (IN PLOADER_PARAMETER_BLOCK LoaderBlock)
LOGICAL	MiApplyDriverVerifier (IN PLDR_DATA_TABLE_ENTRY DataTableEntry, IN PMI_VERIFIER_DRIVER_ENTRY Verifier)
VOID	MiVerifyingDriverUnloading (IN PLDR_DATA_TABLE_ENTRY DataTableEntry)
NTKERNELAPI LOGICAL	MmIsDriverVerifying (IN PDRIVER_OBJECT DriverObject)
NTSTATUS	MmAddVerifierThunks (IN PVOID ThunkBuffer, IN ULONG ThunkBufferSize)
NTSTATUS	MmGetVerifierInformation (OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG Length)
NTSTATUS	MmSetVerifierInformation (IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength)
VOID	KeRaiseIrql (IN KIRQL NewIrql, OUT PKIRQL OldIrql)
VOID	KeLowerIrql (IN KIRQL NewIrql)
VOID	KeAcquireSpinLock (IN PKSPIN_LOCK SpinLock, OUT PKIRQL OldIrql)
VOID	KeReleaseSpinLock (IN PKSPIN_LOCK SpinLock, IN KIRQL NewIrql)
BOOLEAN	ExAcquireResourceExclusive (IN PERESOURCE Resource, IN BOOLEAN Wait)
Variables
MM_DRIVER_VERIFIER_DATA	MmVerifierData
ULONG	VerifierModifyableOptions
ULONG	VerifierOptionChanges
LIST_ENTRY	MiSuspectDriverList
LOGICAL	MiVerifyAllDrivers
WCHAR	MiVerifyRandomDrivers
ULONG	MiActiveVerifies
ULONG	MiActiveVerifierThunks
ULONG	MiNoPageOnRaiseIrql
ULONG	MiVerifierStackProtectTime
LOGICAL	MmDontVerifyRandomDrivers = TRUE
LOGICAL	VerifierSystemSufficientlyBooted
LARGE_INTEGER	VerifierRequiredTimeSinceBoot = {(ULONG)(40 * 1000 * 1000 * 10), 1}
LOGICAL	VerifierIsTrackingPool = FALSE
KSPIN_LOCK	VerifierListLock
KSPIN_LOCK	VerifierPoolLock
FAST_MUTEX	VerifierPoolMutex
PRTL_BITMAP	VerifierLargePagedPoolMap
LIST_ENTRY	MiVerifierDriverAddedThunkListHead
LOGICAL	MmSpecialPoolCatchOverruns
LOGICAL	KernelVerifier = FALSE
ULONG	KernelVerifierTickPage = 0x7
KSPIN_LOCK	ViBadMapperLock
PVOID	ViBadMappers [VI_BAD_MAPPERS_MAX]
int	VerifierIrqlData [0x10]
PUNICODE_STRING	ViBadDriver
WCHAR	Printable [] = L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
ULONG	PrintableChars = sizeof (Printable) / sizeof (Printable[0]) - 1
VERIFIER_THUNKS	MiVerifierThunks []

---

Define Documentation

#define MM_BOOT_IMAGE_SIZE   (16 * 1024 * 1024)

Definition at line 3843 of file verifier.c.

#define POOL_ROUTINE   2

Definition at line 4511 of file verifier.c.

#define ROUND_UP (  VALUE, ROUND   )

Value: ((ULONG)(((ULONG)VALUE + \ ((ULONG)ROUND - 1L)) & (~((ULONG)ROUND - 1L)))) Definition at line 4042 of file verifier.c.

#define THUNKED_API

Definition at line 22 of file verifier.c.

#define UNICODE_CJK_SPACE   0x3000

Definition at line 3112 of file verifier.c. Referenced by RtlIsTextUnicode().

#define UNICODE_CR   0x000D

Definition at line 3110 of file verifier.c. Referenced by RtlIsTextUnicode().

#define UNICODE_LF   0x000A

Definition at line 3109 of file verifier.c. Referenced by RtlIsTextUnicode().

#define UNICODE_SPACE   0x0020

Definition at line 3111 of file verifier.c. Referenced by CharHandlerToConsole(), FastStreamWrite(), FE_StreamWriteToScreenBuffer(), FE_TranslateOutputToAnsiUnicodeInternal(), GetSystemLineJ(), GetSystemLineP(), GetSystemLineT(), ImeUIComposition(), ImeUIEndComposition(), ImeUIStartComposition(), IncludeCandidateP(), InitConsoleIME(), MakeInfoStringKorea(), MakeStatusStrPRC1(), MakeStatusStrPRC2(), MakeStatusStrTaiwan1(), MakeStatusStrTaiwan2(), NumString(), ReadOutputString(), ReadRectFromScreenBuffer(), RtlIsTextUnicode(), StoreSelection(), WWSB_DoWriteConsole(), WWSB_FillOutput(), WWSB_FillRectangle(), WWSB_WriteChars(), WWSB_WriteOutputString(), WWSB_WriteRectToScreenBuffer(), and WWSB_WriteRegionToScreen().

#define UNICODE_TAB   0x0009

Definition at line 3108 of file verifier.c. Referenced by ECInsertText(), RetrieveNumberOfSpaces(), RetrieveTotalNumberOfSpaces(), RtlIsTextUnicode(), and WWSB_WriteChars().

#define UNICODE_WHITESPACE (  _ch   )

Value: (((_ch) == UNICODE_TAB) || \ ((_ch) == UNICODE_LF) || \ ((_ch) == UNICODE_CR) || \ ((_ch) == UNICODE_SPACE) || \ ((_ch) == UNICODE_CJK_SPACE)) Definition at line 3114 of file verifier.c. Referenced by MiInitializeDriverVerifierList().

#define VERIFIER_POOL_ROUTINE (  Flag   )     (Flag & POOL_ROUTINE)

Definition at line 4514 of file verifier.c. Referenced by MiEnableVerifier().

#define VERIFIER_THUNK_IN_HAL (  Flag   )     (Flag & X86_HAL_ROUTINE)

Definition at line 4513 of file verifier.c. Referenced by MiEnableVerifier().

#define VI_BAD_MAPPERS_MAX   100

Definition at line 626 of file verifier.c. Referenced by ViAddBadMapper().

#define VI_POOL_ENTRIES_PER_PAGE   (PAGE_SIZE / sizeof(VI_POOL_ENTRY))

Referenced by ViReservePoolAllocation().

#define X86_HAL_ROUTINE   0

Definition at line 4508 of file verifier.c.

---

Typedef Documentation

typedef struct _DRIVER_SPECIFIED_VERIFIER_THUNKS DRIVER_SPECIFIED_VERIFIER_THUNKS

typedef struct _DRIVER_SPECIFIED_VERIFIER_THUNKS * PDRIVER_SPECIFIED_VERIFIER_THUNKS

Referenced by MiEnableVerifier(), MiVerifierCheckThunks(), and MmAddVerifierThunks().

typedef VOID(* PKE_ACQUIRE_SPINLOCK)(IN PKSPIN_LOCK SpinLock, OUT PKIRQL OldIrql)

Definition at line 2358 of file verifier.c. Referenced by VerifierKeAcquireSpinLock().

typedef VOID(* PKE_LOWER_IRQL)(IN KIRQL NewIrql)

Definition at line 2966 of file verifier.c. Referenced by VerifierKeLowerIrql().

typedef VOID(* PKE_RAISE_IRQL)(IN KIRQL NewIrql, OUT PKIRQL OldIrql)

Definition at line 2927 of file verifier.c. Referenced by VerifierKeRaiseIrql().

typedef VOID(* PKE_RELEASE_SPINLOCK)(IN PKSPIN_LOCK SpinLock, IN KIRQL NewIrql)

Definition at line 2399 of file verifier.c. Referenced by VerifierKeReleaseSpinLock().

typedef struct _VERIFIER_STRING_INFO * PVERIFIER_STRING_INFO

typedef struct _VERIFIER_THUNKS * PVERIFIER_THUNKS

Referenced by MiEnableVerifier().

typedef struct _VERIFIER_STRING_INFO VERIFIER_STRING_INFO

typedef struct _VERIFIER_THUNKS VERIFIER_THUNKS

---

Function Documentation

BOOLEAN ExAcquireResourceExclusive (  IN PERESOURCE  Resource, IN BOOLEAN  Wait )

VOID KeAcquireSpinLock (  IN PKSPIN_LOCK  SpinLock, OUT PKIRQL  OldIrql )

VOID KeLowerIrql (  IN KIRQL  NewIrql  )

Referenced by CmNotifyRunDown(), CmpNotifyChangeKey(), CmpPostApcRunDown(), CmpPostNotify(), CmpReportNotifyHelper(), ExAllocatePool(), ExFreePool(), ExUnlockPool(), IoCancelFileOpen(), IoCancelThreadIo(), IopCancelAlertedRequest(), IopCloseFile(), IopDeleteFile(), IopDisassociateThreadIrp(), IopParseDevice(), IopSynchronousServiceTail(), IoStartPacket(), IovpCompleteRequest5(), KdDisableDebugger(), KdEnableDebugger(), KdLogDbgPrint(), KdPollBreakIn(), KeChangeColorPage(), KeConnectInterrupt(), KeContextToKframes(), KeDeregisterBugCheckCallback(), KeDisconnectInterrupt(), KeFlushEntireTb(), KeFlushIoBuffers(), KeFlushMultipleTb(), KeFlushMultipleTb64(), KeFlushSingleTb(), KeFlushSingleTb64(), KeInsertQueueDpc(), KeRegisterBugCheckCallback(), KeSetAutoAlignmentThread(), KeSetSystemTime(), KeStartProfile(), KeStopProfile(), KeSweepCacheRange(), KeSweepDcache(), KeSweepDcacheRange(), KeSweepIcache(), KeSweepIcacheRange(), KeSynchronizeMemoryAccess(), KeThawExecution(), KiContinue(), KiDeliverApc(), KiEmulateByteWord(), KiEmulateReference(), KiFreezeTargetExecution(), KiInitializeKernel(), KiIpiGenericCall(), KiTimerListExpire(), MiCheckVirtualAddress(), MiEmptyWorkingSet(), MiGatherMappedPages(), MiGatherPagefilePages(), MiInitMachineDependent(), MiMappedPageWriter(), MiReleaseSystemPtes(), MiReserveSystemPtes2(), MmAccessFault(), MmCopyToCachedPage(), MmTrimAllSystemPagableMemory(), MmWorkingSetManager(), NtCancelIoFile(), NTFastDOSIO(), NtGetContextThread(), NtNotifyChangeMultipleKeys(), NtQueryInformationFile(), NtQueryInformationThread(), NtSetContextThread(), NtSetInformationFile(), Ps386GetVdmIoHandler(), Psp386CreateVdmIoListHead(), Psp386InstallIoHandler(), Psp386RemoveIoHandler(), PspExitThread(), PspSystemThreadStartup(), PspUserThreadStartup(), VdmDispatchPageFault(), VdmFlushPrinterWriteData(), VdmPrinterStatus(), VdmpStartExecution(), VdmQueryDirectoryFile(), VdmTraceEvent(), and VerifierKeLowerIrql().

VOID KeRaiseIrql (  IN KIRQL  NewIrql, OUT PKIRQL  OldIrql )

Referenced by CmNotifyRunDown(), CmpNotifyChangeKey(), CmpPostApcRunDown(), CmpPostNotify(), CmpReportNotifyHelper(), ExAllocatePool(), ExFreePool(), ExLockPool(), IoCancelFileOpen(), IoCancelThreadIo(), IopCancelAlertedRequest(), IopCloseFile(), IopDeleteFile(), IopDisassociateThreadIrp(), IopParseDevice(), IopSynchronousServiceTail(), IoStartPacket(), IovpCompleteRequest2(), KdDisableDebugger(), KdEnableDebugger(), KdLogDbgPrint(), KdPollBreakIn(), KeBugCheckEx(), KeConnectInterrupt(), KeDeregisterBugCheckCallback(), KeDisconnectInterrupt(), KeEnterKernelDebugger(), KeFreezeExecution(), KeInsertQueueDpc(), KeRegisterBugCheckCallback(), KeSetAutoAlignmentThread(), KeSetSystemTime(), KeStartProfile(), KeStopProfile(), KiCompleteEffectiveRangeChange(), KiContinue(), KiDeliverApc(), KiEmulateByteWord(), KiEmulateReference(), KiFreezeTargetExecution(), KiInitializeKernel(), KiInitializePAT(), KiIpiGenericCall(), MiCheckVirtualAddress(), MiEmptyWorkingSet(), MiGatherMappedPages(), MiGatherPagefilePages(), MiInitMachineDependent(), MiMappedPageWriter(), MiReleaseSystemPtes(), MiReserveSystemPtes2(), MmAccessFault(), MmCopyToCachedPage(), MmWorkingSetManager(), NtCancelIoFile(), NTFastDOSIO(), NtGetContextThread(), NtNotifyChangeMultipleKeys(), NtQueryInformationFile(), NtQueryInformationThread(), NtSetContextThread(), NtSetInformationFile(), Ps386GetVdmIoHandler(), Psp386CreateVdmIoListHead(), Psp386InstallIoHandler(), Psp386RemoveIoHandler(), VdmDispatchPageFault(), VdmFlushPrinterWriteData(), VdmPrinterStatus(), VdmpStartExecution(), VdmQueryDirectoryFile(), VdmTraceEvent(), and VerifierKeRaiseIrql().

VOID KeReleaseSpinLock (  IN PKSPIN_LOCK  SpinLock, IN KIRQL  NewIrql )

Referenced by ExAllocatePool(), ExFreePool(), ExNotifyCallback(), ExRegisterCallback(), ExUnlockPool(), ExUnregisterCallback(), KdDeregisterDebuggerDataBlock(), KdpTimeSlipWork(), KdRegisterDebuggerDataBlock(), KdUpdateTimeSlipEvent(), KeRestoreMtrr(), KeSetPhysicalCacheTypeRange(), KeSweepDcache(), KeSweepIcache(), KiAmdK6InitializeMTRR(), KiAmdK6MtrrSetMemoryType(), KiInitializeKernel(), MemPrint(), MemPrintFlush(), MemPrintWriteCompleteApc(), MemPrintWriteThread(), PspDeleteVdmObjects(), RtlAcquireRemoveLockEx(), RtlReleaseRemoveLock(), UdfAddToWorkque(), UdfFspDispatch(), VdmpDelayIntApcRoutine(), VdmpDelayIntDpcRoutine(), VdmpDelayInterrupt(), and VerifierKeReleaseSpinLock().

VOID KfSanityCheckLowerIrql (  IN KIRQL  NewIrql  )

Definition at line 2283 of file verifier.c. References APC_LEVEL, DISPATCH_LEVEL, HIGH_LEVEL, KeBugCheckEx(), and VerifierIrqlData. Referenced by VerifierKeLowerIrql(), and VerifierKeReleaseSpinLock(). { KIRQL CurrentIrql; // // Check for the caller inadvertently lowering. // CurrentIrql = KeGetCurrentIrql (); if (CurrentIrql == NewIrql) { VerifierIrqlData[8] += 1; if (CurrentIrql == APC_LEVEL) { VerifierIrqlData[9] += 1; } else if (CurrentIrql == DISPATCH_LEVEL) { VerifierIrqlData[10] += 1; } else { VerifierIrqlData[11] += 1; } } else { VerifierIrqlData[12] += 1; } if (CurrentIrql < NewIrql) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x31, CurrentIrql, NewIrql, 0); } // // Check for the caller using an uninitialized variable. // if (NewIrql > HIGH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x31, CurrentIrql, NewIrql, 0); } }

VOID KfSanityCheckRaiseIrql (  IN KIRQL  NewIrql  )

Definition at line 2233 of file verifier.c. References APC_LEVEL, DISPATCH_LEVEL, HIGH_LEVEL, KeBugCheckEx(), and VerifierIrqlData. Referenced by VerifierKeAcquireSpinLock(), VerifierKeRaiseIrql(), and VerifierSynchronizeExecution(). { KIRQL CurrentIrql; // // Check for the caller inadvertently lowering. // CurrentIrql = KeGetCurrentIrql (); if (CurrentIrql == NewIrql) { VerifierIrqlData[0] += 1; if (CurrentIrql == APC_LEVEL) { VerifierIrqlData[1] += 1; } else if (CurrentIrql == DISPATCH_LEVEL) { VerifierIrqlData[2] += 1; } else { VerifierIrqlData[3] += 1; } } else { VerifierIrqlData[4] += 1; } if (CurrentIrql > NewIrql) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x30, CurrentIrql, NewIrql, 0); } // // Check for the caller using an uninitialized variable. // if (NewIrql > HIGH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x30, CurrentIrql, NewIrql, 0); } }

LOGICAL MiApplyDriverVerifier (  IN PLDR_DATA_TABLE_ENTRY  DataTableEntry, IN PMI_VERIFIER_DRIVER_ENTRY  Verifier )

Definition at line 3448 of file verifier.c. References ExAllocatePoolWithTag, FALSE, KernelVerifier, KiStackProtectTime, MI_VERIFIER_DRIVER_ENTRY, MiActiveVerifies, MiEnableRandomSpecialPool(), MiEnableVerifier(), MiFaultRetries, MiIoRetryLevel, MiSuspectDriverList, MiUserFaultRetries, MiUserIoRetryLevel, MiVerifierStackProtectTime, MiVerifyAllDrivers, MiVerifyRandomDrivers, MmVerifierData, NonPagedPool, NULL, RtlEqualUnicodeString(), RtlUpcaseUnicodeChar(), TRUE, VI_VERIFYING_DIRECTLY, VI_VERIFYING_INVERSELY, ViInitializeEntry(), ViInsertVerifierEntry(), and ViPrintString(). Referenced by MiInitializeDriverVerifierList(), and MiLoadSystemImage(). : This function is called as each module is loaded. If the module being loaded is in the suspect list, thunk it here. Arguments: DataTableEntry - Supplies the data table entry for the module. Verifier - Non-NULL if verification must be applied. FALSE indicates that the driver name must match for verification to be applied. Return Value: TRUE if thunking was applied, FALSE if not. Environment: Kernel mode, Phase 0 Initialization and normal runtime. Non paged pool exists in Phase0, but paged pool does not. Post-Phase0 serialization is provided by the MmSystemLoadLock. --*/ { WCHAR FirstChar; LOGICAL Found; PLIST_ENTRY NextEntry; ULONG VerifierFlags; if (Verifier != NULL) { Found = TRUE; } else { Found = FALSE; NextEntry = MiSuspectDriverList.Flink; while (NextEntry != &MiSuspectDriverList) { Verifier = CONTAINING_RECORD(NextEntry, MI_VERIFIER_DRIVER_ENTRY, Links); if (RtlEqualUnicodeString (&Verifier->BaseName, &DataTableEntry->BaseDllName, TRUE)) { Found = TRUE; ViInitializeEntry (Verifier, FALSE); break; } NextEntry = NextEntry->Flink; } } if (Found == FALSE) { VerifierFlags = VI_VERIFYING_DIRECTLY; if (MiVerifyAllDrivers == TRUE) { if (KernelVerifier == TRUE) { VerifierFlags = VI_VERIFYING_INVERSELY; } Found = TRUE; } else if (MiVerifyRandomDrivers != (WCHAR)0) { // // Wildcard match drivers randomly. // FirstChar = RtlUpcaseUnicodeChar(DataTableEntry->BaseDllName.Buffer[0]); if (MiVerifyRandomDrivers == FirstChar) { Found = TRUE; } else if (MiVerifyRandomDrivers == (WCHAR)'X') { if ((FirstChar >= (WCHAR)'0') && (FirstChar <= (WCHAR)'9')) { Found = TRUE; } } } if (Found == FALSE) { return FALSE; } Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag ( NonPagedPool, sizeof (MI_VERIFIER_DRIVER_ENTRY) + DataTableEntry->BaseDllName.MaximumLength, 'dLmM'); if (Verifier == NULL) { return FALSE; } Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier + sizeof (MI_VERIFIER_DRIVER_ENTRY)); Verifier->BaseName.Length = DataTableEntry->BaseDllName.Length; Verifier->BaseName.MaximumLength = DataTableEntry->BaseDllName.MaximumLength; RtlMoveMemory (Verifier->BaseName.Buffer, DataTableEntry->BaseDllName.Buffer, DataTableEntry->BaseDllName.Length); ViInitializeEntry (Verifier, TRUE); Verifier->Flags = VerifierFlags; ViInsertVerifierEntry (Verifier); } Verifier->StartAddress = DataTableEntry->DllBase; Verifier->EndAddress = (PVOID)((ULONG_PTR)DataTableEntry->DllBase + DataTableEntry->SizeOfImage); if (MiEnableVerifier (DataTableEntry) == TRUE) { if (Verifier->Flags & VI_VERIFYING_DIRECTLY) { ViPrintString (&DataTableEntry->BaseDllName); } MmVerifierData.Loads += 1; Verifier->Loads += 1; DataTableEntry->Flags |= LDRP_IMAGE_VERIFYING; MiActiveVerifies += 1; if (MiActiveVerifies == 1) { // // Up the retry mechanism for potential injection failures. // MiIoRetryLevel = (ULONG)-1; MiFaultRetries = MiIoRetryLevel; MiUserIoRetryLevel = (ULONG)-1; MiUserFaultRetries = MiUserIoRetryLevel; #ifndef NO_POOL_CHECKS // // If a loaded driver(s) is undergoing validation, the default // special pool randomizer is disabled as the precious virtual // address space and physical memory is being put to specific // use. // MiEnableRandomSpecialPool (FALSE); #endif if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) { // // Page out all thread stacks as soon as possible to // catch drivers using local events that do usermode waits. // if (KernelVerifier == FALSE) { MiVerifierStackProtectTime = KiStackProtectTime; KiStackProtectTime = 0; } } } } return Found; }

LOGICAL MiEnableVerifier (  IN PLDR_DATA_TABLE_ENTRY  DataTableEntry  )

Definition at line 4712 of file verifier.c. References FALSE, _VERIFIER_THUNKS::Flag, KernelVerifier, MiVerifierDriverAddedThunkListHead, MiVerifierThunks, _VERIFIER_THUNKS::NewRoutine, NULL, _DRIVER_SPECIFIED_VERIFIER_THUNKS::NumberOfThunks, PDRIVER_SPECIFIED_VERIFIER_THUNKS, _VERIFIER_THUNKS::PristineRoutine, PVERIFIER_THUNKS, RtlImageDirectoryEntryToData(), TRUE, VERIFIER_POOL_ROUTINE, and VERIFIER_THUNK_IN_HAL. Referenced by MiApplyDriverVerifier(). : This function enables the verifier for the argument driver by thunking relevant system APIs in the argument driver import table. Arguments: DataTableEntry - Supplies the data table entry for the driver. Return Value: TRUE if thunking was applied, FALSE if not. Environment: Kernel mode, Phase 0 Initialization and normal runtime. Non paged pool exists in Phase0, but paged pool does not. --*/ { ULONG i; ULONG j; PULONG_PTR ImportThunk; ULONG ImportSize; PVERIFIER_THUNKS VerifierThunk; ULONG ThunkCount; LOGICAL Found; ULONG_PTR RealRoutine; PULONG_PTR PointerRealRoutine; PLIST_ENTRY NextEntry; PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable; PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase; ImportThunk = (PULONG_PTR)RtlImageDirectoryEntryToData( DataTableEntry->DllBase, TRUE, IMAGE_DIRECTORY_ENTRY_IAT, &ImportSize); if (ImportThunk == NULL) { return FALSE; } ImportSize /= sizeof(PULONG_PTR); for (i = 0; i < ImportSize; i += 1, ImportThunk += 1) { Found = FALSE; VerifierThunk = MiVerifierThunks; for (ThunkCount = 0; ThunkCount < sizeof (MiVerifierThunks) / sizeof (VERIFIER_THUNKS); ThunkCount += 1) { if (KernelVerifier == TRUE) { if (VERIFIER_POOL_ROUTINE (VerifierThunk->Flag) == 0) { VerifierThunk += 1; continue; } } if (VERIFIER_THUNK_IN_HAL (VerifierThunk->Flag) == 0) { RealRoutine = (ULONG_PTR)VerifierThunk->PristineRoutine; } else { // // Only the x86 has/needs this oddity - take the kernel address, // knowing that it points at a 2 byte jmp opcode followed by // a 4-byte indirect pointer to a destination address. // PointerRealRoutine = (PULONG_PTR)*((PULONG_PTR)((PCHAR)VerifierThunk->PristineRoutine + 2)); RealRoutine = *PointerRealRoutine; } if (*ImportThunk == RealRoutine) { *ImportThunk = (ULONG_PTR)(VerifierThunk->NewRoutine); Found = TRUE; break; } VerifierThunk += 1; } if (Found == FALSE) { NextEntry = MiVerifierDriverAddedThunkListHead.Flink; while (NextEntry != &MiVerifierDriverAddedThunkListHead) { ThunkTableBase = CONTAINING_RECORD(NextEntry, DRIVER_SPECIFIED_VERIFIER_THUNKS, ListEntry); ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1); for (j = 0; j < ThunkTableBase->NumberOfThunks; j += 1) { if (*ImportThunk == (ULONG_PTR)ThunkTable->PristineRoutine) { *ImportThunk = (ULONG_PTR)(ThunkTable->NewRoutine); Found = TRUE; break; } ThunkTable += 1; } if (Found == TRUE) { break; } NextEntry = NextEntry->Flink; } } } return TRUE; }

LOGICAL MiInitializeDriverVerifierList (  IN PLOADER_PARAMETER_BLOCK  LoaderBlock  )

Definition at line 3121 of file verifier.c. References _MI_VERIFIER_DRIVER_ENTRY::BaseName, End, ExAllocatePoolWithTag, ExInitializeFastMutex, FALSE, _MI_VERIFIER_DRIVER_ENTRY::Flags, IoVerifierInit(), IOVERIFIERINIT_EVERYTHING_TRACKED, IOVERIFIERINIT_PHASE0, IOVERIFIERINIT_VERIFIER_DRIVER_LIST, KeInitializeSpinLock(), KeQueryPerformanceCounter(), KernelVerifier, L, MI_VERIFIER_DRIVER_ENTRY, MiApplyDriverVerifier(), MiSuspectDriverList, MiTriageAddDrivers(), MiVerifierDriverAddedThunkListHead, MiVerifyAllDrivers, MiVerifyRandomDrivers, MmDontVerifyRandomDrivers, MmVerifierData, MmVerifyDriverBuffer, MmVerifyDriverBufferLength, MmVerifyDriverLevel, NonPagedPool, NULL, RtlEqualUnicodeString(), RtlInitUnicodeString(), Start, TRUE, UNICODE_WHITESPACE, USHORT, VerifierListLock, VerifierModifyableOptions, VerifierPoolLock, VerifierPoolMutex, VI_VERIFYING_DIRECTLY, ViBadMapperLock, ViInitializeEntry(), and ViInsertVerifierEntry(). Referenced by MmInitSystem(). : Parse the registry setting and set up the list of driver names that will be put through the validation process. Walk the loaded module list and thunk any drivers that need/deserve it. Arguments: None. Return Value: TRUE if successful, FALSE if not. Environment: Kernel mode, Phase 0 Initialization. Nonpaged (but not paged) pool exists. The PsLoadedModuleList has not been set up yet although the boot drivers have been relocated to their final resting places. --*/ { ULONG i; PLIST_ENTRY NextEntry; PLDR_DATA_TABLE_ENTRY DataTableEntry; PWCHAR Start; PWCHAR End; PWCHAR Walk; ULONG NameLength; PMI_VERIFIER_DRIVER_ENTRY Verifier; LARGE_INTEGER CurrentTime; UNICODE_STRING KernelString; UNICODE_STRING HalString; PMI_VERIFIER_DRIVER_ENTRY KernelEntry; PMI_VERIFIER_DRIVER_ENTRY HalEntry; InitializeListHead (&MiSuspectDriverList); if (MmVerifyDriverLevel != (ULONG)-1) { if (MmVerifyDriverLevel & DRIVER_VERIFIER_IO_CHECKING) { if (MmVerifyDriverBufferLength == (ULONG)-1) { MmVerifyDriverBufferLength = 0; // Mm will not page out verifier pages. } } } if (MmVerifyDriverBufferLength == (ULONG)-1) { if (MmDontVerifyRandomDrivers == TRUE) { return FALSE; } MmVerifyDriverBufferLength = 0; CurrentTime = KeQueryPerformanceCounter (NULL); CurrentTime.LowPart = (CurrentTime.LowPart % 26); MiVerifyRandomDrivers = (WCHAR)'A' + (WCHAR)CurrentTime.LowPart; if ((MiVerifyRandomDrivers == (WCHAR)'H') || (MiVerifyRandomDrivers == (WCHAR)'J') || (MiVerifyRandomDrivers == (WCHAR)'X') || (MiVerifyRandomDrivers == (WCHAR)'Y') || (MiVerifyRandomDrivers == (WCHAR)'Z')) { MiVerifyRandomDrivers = (WCHAR)'X'; } } KeInitializeSpinLock (&ViBadMapperLock); KeInitializeSpinLock (&VerifierListLock); KeInitializeSpinLock (&VerifierPoolLock); ExInitializeFastMutex (&VerifierPoolMutex); InitializeListHead (&MiVerifierDriverAddedThunkListHead); // // If no default is specified, then special pool, pagable code/data // flushing and pool leak detection are enabled. // if (MmVerifyDriverLevel == (ULONG)-1) { MmVerifierData.Level = DRIVER_VERIFIER_SPECIAL_POOLING | DRIVER_VERIFIER_FORCE_IRQL_CHECKING | DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS; } else { MmVerifierData.Level = MmVerifyDriverLevel; } VerifierModifyableOptions = (DRIVER_VERIFIER_SPECIAL_POOLING | DRIVER_VERIFIER_FORCE_IRQL_CHECKING | DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES); IoVerifierInit (MmVerifierData.Level, IOVERIFIERINIT_PHASE0 | IOVERIFIERINIT_EVERYTHING_TRACKED | IOVERIFIERINIT_VERIFIER_DRIVER_LIST); KernelEntry = NULL; HalEntry = NULL; if (MiVerifyRandomDrivers == (WCHAR)0) { RtlInitUnicodeString (&KernelString, L"ntoskrnl.exe"); RtlInitUnicodeString (&HalString, L"hal.dll"); Start = MmVerifyDriverBuffer; End = MmVerifyDriverBuffer + (MmVerifyDriverBufferLength - sizeof(WCHAR)) / sizeof(WCHAR); while (Start < End) { if (UNICODE_WHITESPACE(*Start)) { Start += 1; continue; } if (*Start == (WCHAR)'*') { MiVerifyAllDrivers = TRUE; break; } for (Walk = Start; Walk < End; Walk += 1) { if (UNICODE_WHITESPACE(*Walk)) { break; } } // // Got a string. Save it. // NameLength = (ULONG)(Walk - Start + 1) * sizeof (WCHAR); Verifier = (PMI_VERIFIER_DRIVER_ENTRY)ExAllocatePoolWithTag ( NonPagedPool, sizeof (MI_VERIFIER_DRIVER_ENTRY) + NameLength, 'dLmM'); if (Verifier == NULL) { break; } Verifier->BaseName.Buffer = (PWSTR)((PCHAR)Verifier + sizeof (MI_VERIFIER_DRIVER_ENTRY)); Verifier->BaseName.Length = (USHORT)NameLength - sizeof (UNICODE_NULL); Verifier->BaseName.MaximumLength = (USHORT)NameLength; RtlMoveMemory (Verifier->BaseName.Buffer, Start, NameLength - sizeof (UNICODE_NULL)); ViInitializeEntry (Verifier, TRUE); Verifier->Flags |= VI_VERIFYING_DIRECTLY; ViInsertVerifierEntry (Verifier); if (RtlEqualUnicodeString (&KernelString, &Verifier->BaseName, TRUE)) { // // All driver pool allocation calls must be intercepted so // they are not mistaken for kernel pool allocations. // MiVerifyAllDrivers = TRUE; KernelVerifier = TRUE; KernelEntry = Verifier; } else if (RtlEqualUnicodeString (&HalString, &Verifier->BaseName, TRUE)) { HalEntry = Verifier; } Start = Walk + 1; } } if (MiTriageAddDrivers (LoaderBlock) == TRUE) { // // Disable random driver verification if triage has picked driver(s). // MiVerifyRandomDrivers = (WCHAR)0; } // // Process the boot-loaded drivers now. // i = 0; NextEntry = LoaderBlock->LoadOrderListHead.Flink; for ( ; NextEntry != &LoaderBlock->LoadOrderListHead; NextEntry = NextEntry->Flink) { DataTableEntry = CONTAINING_RECORD(NextEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); // // Process the kernel and HAL specially. // if (i == 0) { if (KernelEntry != NULL) { MiApplyDriverVerifier (DataTableEntry, KernelEntry); } } else if (i == 1) { if (HalEntry != NULL) { MiApplyDriverVerifier (DataTableEntry, HalEntry); } } else { MiApplyDriverVerifier (DataTableEntry, NULL); } i += 1; } return TRUE; }

VOID MiVerifierCheckThunks (  IN PLDR_DATA_TABLE_ENTRY  DataTableEntry  )

Referenced by MmUnloadSystemImage().

VOID MiVerifyingDriverUnloading (  IN PLDR_DATA_TABLE_ENTRY  DataTableEntry  )

Definition at line 3625 of file verifier.c. References ASSERT, _MI_VERIFIER_DRIVER_ENTRY::BaseName, _MI_VERIFIER_DRIVER_ENTRY::CurrentNonPagedPoolAllocations, _MI_VERIFIER_DRIVER_ENTRY::CurrentPagedPoolAllocations, DbgPrint, _MI_VERIFIER_DRIVER_ENTRY::EndAddress, ExFreePool(), FALSE, KeBugCheckEx(), KernelVerifier, KiStackProtectTime, MiActiveVerifies, MiEnableRandomSpecialPool(), MiNoPageOnRaiseIrql, MiSuspectDriverList, MiVerifierStackProtectTime, MmVerifierData, _MI_VERIFIER_DRIVER_ENTRY::NonPagedBytes, NULL, _MI_VERIFIER_DRIVER_ENTRY::PagedBytes, _MI_VERIFIER_DRIVER_ENTRY::PoolHash, _MI_VERIFIER_DRIVER_ENTRY::PoolHashFree, _MI_VERIFIER_DRIVER_ENTRY::PoolHashReserved, _MI_VERIFIER_DRIVER_ENTRY::PoolHashSize, RtlEqualUnicodeString(), _MI_VERIFIER_DRIVER_ENTRY::StartAddress, TRUE, _MI_VERIFIER_DRIVER_ENTRY::Unloads, VerifierListLock, _MI_VERIFIER_DRIVER_ENTRY::VerifierPoolLock, VI_POOL_FREELIST_END, and ViBadDriver. Referenced by MmUnloadSystemImage(). : This function is called as a driver that was being verified is now being unloaded. Arguments: DataTableEntry - Supplies the data table entry for the driver. Return Value: TRUE if thunking was applied, FALSE if not. Environment: Kernel mode, Phase 0 Initialization and normal runtime. Non paged pool exists in Phase0, but paged pool does not. Post-Phase0 serialization is provided by the MmSystemLoadLock. --*/ { KIRQL OldIrql; LOGICAL Found; PLIST_ENTRY NextEntry; PMI_VERIFIER_DRIVER_ENTRY Verifier; PVI_POOL_ENTRY OldHashTable; Found = FALSE; NextEntry = MiSuspectDriverList.Flink; while (NextEntry != &MiSuspectDriverList) { Verifier = CONTAINING_RECORD(NextEntry, MI_VERIFIER_DRIVER_ENTRY, Links); if (RtlEqualUnicodeString (&Verifier->BaseName, &DataTableEntry->BaseDllName, TRUE)) { Found = TRUE; break; } NextEntry = NextEntry->Flink; } ASSERT (Found == TRUE); if (MmVerifierData.Level & DRIVER_VERIFIER_TRACK_POOL_ALLOCATIONS) { // // Better not be any pool left that wasn't freed. Walk the pagable // allocations in an attempt to make them all resident for a // kernel debugger session. // if (Verifier->PagedBytes) { #if DBG DbgPrint ("Driver %wZ leaked %d paged pool allocations (0x%x bytes)\n", &DataTableEntry->FullDllName, Verifier->CurrentPagedPoolAllocations, Verifier->PagedBytes); #endif // // It would be nice to fault in the driver's paged pool allocations // now to make debugging easier, but this cannot be easily done // in a deadlock free manner. // // At least disable the paging of pool on IRQL raising in attempt // to keep some of these allocations resident for debugging. // No need to undo the increment as we're about to bugcheck anyway. // InterlockedIncrement ((PLONG)&MiNoPageOnRaiseIrql); } #if DBG if (Verifier->NonPagedBytes) { DbgPrint ("Driver %wZ leaked %d nonpaged pool allocations (0x%x bytes)\n", &DataTableEntry->FullDllName, Verifier->CurrentNonPagedPoolAllocations, Verifier->NonPagedBytes); } #endif if (Verifier->PagedBytes || Verifier->NonPagedBytes) { #if 0 DbgBreakPoint (); InterlockedDecrement (&MiNoPageOnRaiseIrql); #else // // Snap this so the build/BVT lab can easily triage the culprit. // ViBadDriver = &Verifier->BaseName; KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x60, Verifier->PagedBytes, Verifier->NonPagedBytes, Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations); #endif } ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql); if (Verifier->PoolHashReserved != 0) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x61, Verifier->PagedBytes, Verifier->NonPagedBytes, Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations); } OldHashTable = Verifier->PoolHash; if (OldHashTable != NULL) { Verifier->PoolHashSize = 0; Verifier->PoolHashFree = VI_POOL_FREELIST_END; Verifier->PoolHash = NULL; } else { ASSERT (Verifier->PoolHashSize == 0); ASSERT (Verifier->PoolHashFree == VI_POOL_FREELIST_END); } ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql); if (OldHashTable != NULL) { ExFreePool (OldHashTable); } // // Clear these fields so reuse of stale addresses don't trigger // erroneous bucket fills. // ExAcquireSpinLock (&VerifierListLock, &OldIrql); Verifier->StartAddress = NULL; Verifier->EndAddress = NULL; ExReleaseSpinLock (&VerifierListLock, OldIrql); } Verifier->Unloads += 1; MmVerifierData.Unloads += 1; MiActiveVerifies -= 1; if (MiActiveVerifies == 0) { if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) { // // Return to normal thread stack protection. // if (KernelVerifier == FALSE) { KiStackProtectTime = MiVerifierStackProtectTime; } } #ifndef NO_POOL_CHECKS MiEnableRandomSpecialPool (TRUE); #endif } }

NTSTATUS MmAddVerifierThunks (  IN PVOID  ThunkBuffer, IN ULONG  ThunkBufferSize )

Definition at line 3846 of file verifier.c. References _DRIVER_SPECIFIED_VERIFIER_THUNKS::DataTableEntry, ExAllocatePoolWithTag, ExFreePool(), FALSE, KeEnterCriticalRegion, KeLeaveCriticalRegion, KeReleaseMutant(), KernelMode, KeWaitForSingleObject(), KSEG0_BASE, _DRIVER_SPECIFIED_VERIFIER_THUNKS::ListEntry, MiActiveVerifierThunks, MiLookupDataTableEntry(), MiVerifierDriverAddedThunkListHead, MM_BOOT_IMAGE_SIZE, MmSystemLoadLock, NULL, _DRIVER_SPECIFIED_VERIFIER_THUNKS::NumberOfThunks, PAGED_CODE, PagedPool, PDRIVER_SPECIFIED_VERIFIER_THUNKS, TRUE, and WrVirtualMemory. Referenced by NtSetSystemInformation(). : This routine adds another set of thunks to the verifier list. Arguments: ThunkBuffer - Supplies the buffer containing the thunk pairs. ThunkBufferSize - Supplies the number of bytes in the thunk buffer. Return Value: Returns the status of the operation. Environment: Kernel mode. APC_LEVEL and below. --*/ { ULONG i; ULONG NumberOfThunkPairs; PDRIVER_VERIFIER_THUNK_PAIRS ThunkPairs; PDRIVER_VERIFIER_THUNK_PAIRS ThunkTable; PDRIVER_SPECIFIED_VERIFIER_THUNKS ThunkTableBase; PLDR_DATA_TABLE_ENTRY DataTableEntry; PVOID DriverStartAddress; PVOID DriverEndAddress; PAGED_CODE(); if (MiVerifierDriverAddedThunkListHead.Flink == NULL) { return STATUS_NOT_SUPPORTED; } ThunkPairs = (PDRIVER_VERIFIER_THUNK_PAIRS)ThunkBuffer; NumberOfThunkPairs = ThunkBufferSize / sizeof(DRIVER_VERIFIER_THUNK_PAIRS); if (NumberOfThunkPairs == 0) { return STATUS_INVALID_PARAMETER_1; } ThunkTableBase = (PDRIVER_SPECIFIED_VERIFIER_THUNKS) ExAllocatePoolWithTag ( PagedPool, sizeof (DRIVER_SPECIFIED_VERIFIER_THUNKS) + NumberOfThunkPairs * sizeof (DRIVER_VERIFIER_THUNK_PAIRS), 'tVmM'); if (ThunkTableBase == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } ThunkTable = (PDRIVER_VERIFIER_THUNK_PAIRS)(ThunkTableBase + 1); RtlCopyMemory (ThunkTable, ThunkPairs, NumberOfThunkPairs * sizeof(DRIVER_VERIFIER_THUNK_PAIRS)); KeEnterCriticalRegion(); KeWaitForSingleObject (&MmSystemLoadLock, WrVirtualMemory, KernelMode, FALSE, (PLARGE_INTEGER)NULL); // // Find and validate the image that contains the routines to be thunked. // DataTableEntry = MiLookupDataTableEntry (ThunkTable->PristineRoutine, TRUE); if (DataTableEntry == NULL) { KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegion(); ExFreePool (ThunkTableBase); return STATUS_INVALID_PARAMETER_2; } DriverStartAddress = (PVOID)(DataTableEntry->DllBase); DriverEndAddress = (PVOID)((PCHAR)DataTableEntry->DllBase + DataTableEntry->SizeOfImage); // // Don't let drivers hook calls to kernel or HAL routines. // if (DriverStartAddress < (PVOID)(KSEG0_BASE + MM_BOOT_IMAGE_SIZE)) { KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegion(); ExFreePool (ThunkTableBase); return STATUS_INVALID_PARAMETER_2; } for (i = 0; i < NumberOfThunkPairs; i += 1) { // // Ensure all the routines being thunked are in the same driver. // if (((ULONG_PTR)ThunkTable->PristineRoutine < (ULONG_PTR)DriverStartAddress) || ((ULONG_PTR)ThunkTable->PristineRoutine >= (ULONG_PTR)DriverEndAddress)) { KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegion(); ExFreePool (ThunkTableBase); return STATUS_INVALID_PARAMETER_2; } ThunkTable += 1; } // // Add the validated thunk table to the verifier's global list. // ThunkTableBase->DataTableEntry = DataTableEntry; ThunkTableBase->NumberOfThunks = NumberOfThunkPairs; MiActiveVerifierThunks += 1; InsertTailList (&MiVerifierDriverAddedThunkListHead, &ThunkTableBase->ListEntry); KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegion(); return STATUS_SUCCESS; }

NTSTATUS MmGetVerifierInformation (  OUT PVOID  SystemInformation, IN ULONG  SystemInformationLength, OUT PULONG  Length )

Definition at line 4046 of file verifier.c. References _MI_VERIFIER_DRIVER_ENTRY::BaseName, _MI_VERIFIER_DRIVER_ENTRY::CurrentNonPagedPoolAllocations, _MI_VERIFIER_DRIVER_ENTRY::CurrentPagedPoolAllocations, EXCEPTION_EXECUTE_HANDLER, ExRaiseStatus(), FALSE, _MI_VERIFIER_DRIVER_ENTRY::Flags, KeEnterCriticalRegion, KeLeaveCriticalRegion, KeReleaseMutant(), KernelMode, KeWaitForSingleObject(), _MI_VERIFIER_DRIVER_ENTRY::Loads, MiSuspectDriverList, MmSystemLoadLock, MmVerifierData, _MI_VERIFIER_DRIVER_ENTRY::NonPagedBytes, NTSTATUS(), NULL, PAGED_CODE, _MI_VERIFIER_DRIVER_ENTRY::PagedBytes, _MI_VERIFIER_DRIVER_ENTRY::PeakNonPagedBytes, _MI_VERIFIER_DRIVER_ENTRY::PeakNonPagedPoolAllocations, _MI_VERIFIER_DRIVER_ENTRY::PeakPagedBytes, _MI_VERIFIER_DRIVER_ENTRY::PeakPagedPoolAllocations, ROUND_UP, Status, _MI_VERIFIER_DRIVER_ENTRY::Unloads, VI_VERIFYING_DIRECTLY, and WrVirtualMemory. Referenced by NtQuerySystemInformation(). : This routine returns information about drivers undergoing verification. Arguments: SystemInformation - Returns the driver verification information. SystemInformationLength - Supplies the length of the SystemInformation buffer. Length - Returns the length of the driver verification file information placed in the buffer. Return Value: Returns the status of the operation. Environment: The SystemInformation buffer is in user space and our caller has wrapped a try-except around this entire routine. Capture any exceptions here and release resources accordingly. --*/ { PSYSTEM_VERIFIER_INFORMATION UserVerifyBuffer; ULONG NextEntryOffset; ULONG TotalSize; NTSTATUS Status; PLIST_ENTRY NextEntry; PMI_VERIFIER_DRIVER_ENTRY Verifier; UNICODE_STRING UserBufferDriverName; PAGED_CODE(); NextEntryOffset = 0; TotalSize = 0; *Length = 0; UserVerifyBuffer = (PSYSTEM_VERIFIER_INFORMATION)SystemInformation; // // Capture the number of verifying drivers and the relevant data while // synchronized. Then return it to our caller. // Status = STATUS_SUCCESS; KeEnterCriticalRegion(); KeWaitForSingleObject (&MmSystemLoadLock, WrVirtualMemory, KernelMode, FALSE, (PLARGE_INTEGER)NULL); try { NextEntry = MiSuspectDriverList.Flink; while (NextEntry != &MiSuspectDriverList) { Verifier = CONTAINING_RECORD(NextEntry, MI_VERIFIER_DRIVER_ENTRY, Links); if ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0) { NextEntry = NextEntry->Flink; continue; } UserVerifyBuffer = (PSYSTEM_VERIFIER_INFORMATION)( (PUCHAR)UserVerifyBuffer + NextEntryOffset); NextEntryOffset = sizeof(SYSTEM_VERIFIER_INFORMATION); TotalSize += sizeof(SYSTEM_VERIFIER_INFORMATION); if (TotalSize > SystemInformationLength) { ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH); } // // This data is cumulative for all drivers. // UserVerifyBuffer->Level = MmVerifierData.Level; UserVerifyBuffer->RaiseIrqls = MmVerifierData.RaiseIrqls; UserVerifyBuffer->AcquireSpinLocks = MmVerifierData.AcquireSpinLocks; UserVerifyBuffer->UnTrackedPool = MmVerifierData.UnTrackedPool; UserVerifyBuffer->SynchronizeExecutions = MmVerifierData.SynchronizeExecutions; UserVerifyBuffer->AllocationsAttempted = MmVerifierData.AllocationsAttempted; UserVerifyBuffer->AllocationsSucceeded = MmVerifierData.AllocationsSucceeded; UserVerifyBuffer->AllocationsSucceededSpecialPool = MmVerifierData.AllocationsSucceededSpecialPool; UserVerifyBuffer->AllocationsWithNoTag = MmVerifierData.AllocationsWithNoTag; UserVerifyBuffer->TrimRequests = MmVerifierData.TrimRequests; UserVerifyBuffer->Trims = MmVerifierData.Trims; UserVerifyBuffer->AllocationsFailed = MmVerifierData.AllocationsFailed; UserVerifyBuffer->AllocationsFailedDeliberately = MmVerifierData.AllocationsFailedDeliberately; // // This data is kept on a per-driver basis. // UserVerifyBuffer->CurrentPagedPoolAllocations = Verifier->CurrentPagedPoolAllocations; UserVerifyBuffer->CurrentNonPagedPoolAllocations = Verifier->CurrentNonPagedPoolAllocations; UserVerifyBuffer->PeakPagedPoolAllocations = Verifier->PeakPagedPoolAllocations; UserVerifyBuffer->PeakNonPagedPoolAllocations = Verifier->PeakNonPagedPoolAllocations; UserVerifyBuffer->PagedPoolUsageInBytes = Verifier->PagedBytes; UserVerifyBuffer->NonPagedPoolUsageInBytes = Verifier->NonPagedBytes; UserVerifyBuffer->PeakPagedPoolUsageInBytes = Verifier->PeakPagedBytes; UserVerifyBuffer->PeakNonPagedPoolUsageInBytes = Verifier->PeakNonPagedBytes; UserVerifyBuffer->Loads = Verifier->Loads; UserVerifyBuffer->Unloads = Verifier->Unloads; // // The DriverName portion of the UserVerifyBuffer must be saved // locally to protect against a malicious thread changing the // contents. This is because we will reference the contents // ourselves when the actual string is copied out carefully below. // UserBufferDriverName.Length = Verifier->BaseName.Length; UserBufferDriverName.MaximumLength = Verifier->BaseName.Length + sizeof (WCHAR); UserBufferDriverName.Buffer = (PWCHAR)(UserVerifyBuffer + 1); UserVerifyBuffer->DriverName = UserBufferDriverName; TotalSize += ROUND_UP (UserBufferDriverName.MaximumLength, sizeof(ULONG)); NextEntryOffset += ROUND_UP (UserBufferDriverName.MaximumLength, sizeof(ULONG)); if (TotalSize > SystemInformationLength) { ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH); } // // Carefully reference the UserVerifyBuffer here. // RtlMoveMemory(UserBufferDriverName.Buffer, Verifier->BaseName.Buffer, Verifier->BaseName.Length); UserBufferDriverName.Buffer[ Verifier->BaseName.Length/sizeof(WCHAR)] = UNICODE_NULL; UserVerifyBuffer->NextEntryOffset = NextEntryOffset; NextEntry = NextEntry->Flink; } } except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode(); } KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegion(); if (Status != STATUS_INFO_LENGTH_MISMATCH) { UserVerifyBuffer->NextEntryOffset = 0; *Length = TotalSize; } return Status; }

NTKERNELAPI LOGICAL MmIsDriverVerifying (  IN PDRIVER_OBJECT  DriverObject  )

Definition at line 3802 of file verifier.c. References FALSE, NULL, and TRUE. Referenced by IovpIsInterestingDriver(). : This function informs the caller if the argument driver is being verified. Arguments: DriverObject - Supplies the driver object. Return Value: TRUE if this driver is being verified, FALSE if not. Environment: Kernel mode, any IRQL, any needed synchronization must be provided by the caller. --*/ { PLDR_DATA_TABLE_ENTRY DataTableEntry; DataTableEntry = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection; if (DataTableEntry == NULL) { return FALSE; } if ((DataTableEntry->Flags & LDRP_IMAGE_VERIFYING) == 0) { return FALSE; } return TRUE; }

NTSTATUS MmSetVerifierInformation (  IN OUT PVOID  SystemInformation, IN ULONG  SystemInformationLength )

Definition at line 4226 of file verifier.c. References EXCEPTION_EXECUTE_HANDLER, ExRaiseStatus(), FALSE, KeEnterCriticalRegion, KeLeaveCriticalRegion, KeReleaseMutant(), KernelMode, KeWaitForSingleObject(), MmSystemLoadLock, MmVerifierData, NTSTATUS(), NULL, PAGED_CODE, Status, VerifierModifyableOptions, VerifierOptionChanges, and WrVirtualMemory. Referenced by NtSetSystemInformation(). : This routine sets any driver verifier flags that can be done without rebooting. Arguments: SystemInformation - Gets and returns the driver verification flags. SystemInformationLength - Supplies the length of the SystemInformation buffer. Return Value: Returns the status of the operation. Environment: The SystemInformation buffer is in user space and our caller has wrapped a try-except around this entire routine. Capture any exceptions here and release resources accordingly. --*/ { ULONG UserFlags; ULONG NewFlags; ULONG NewFlagsOn; ULONG NewFlagsOff; NTSTATUS Status; PULONG UserVerifyBuffer; PAGED_CODE(); if (SystemInformationLength < sizeof (ULONG)) { ExRaiseStatus (STATUS_INFO_LENGTH_MISMATCH); } UserVerifyBuffer = (PULONG)SystemInformation; // // Synchronize all changes to the flags here. // Status = STATUS_SUCCESS; KeEnterCriticalRegion(); KeWaitForSingleObject (&MmSystemLoadLock, WrVirtualMemory, KernelMode, FALSE, (PLARGE_INTEGER)NULL); try { UserFlags = *UserVerifyBuffer; // // Ensure nothing is being set or cleared that isn't supported. // // NewFlagsOn = UserFlags & VerifierModifyableOptions; NewFlags = MmVerifierData.Level | NewFlagsOn; // // Any bits set in NewFlagsOff must be zeroed in the NewFlags. // NewFlagsOff = ((~UserFlags) & VerifierModifyableOptions); NewFlags &= ~NewFlagsOff; if (NewFlags != MmVerifierData.Level) { VerifierOptionChanges += 1; MmVerifierData.Level = NewFlags; *UserVerifyBuffer = NewFlags; } } except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode(); } KeReleaseMutant (&MmSystemLoadLock, 1, FALSE, FALSE); KeLeaveCriticalRegion(); return Status; }

PVOID VeAllocatePoolWithTagPriority (  IN POOL_TYPE  PoolType, IN SIZE_T  NumberOfBytes, IN ULONG  Tag, IN EX_POOL_PRIORITY  Priority, IN PVOID  CallingAddress )

Referenced by ExAllocatePoolWithTag(), VerifierAllocatePool(), VerifierAllocatePoolWithQuota(), VerifierAllocatePoolWithQuotaTag(), VerifierAllocatePoolWithTag(), and VerifierAllocatePoolWithTagPriority().

THUNKED_API PVOID VerifierAllocatePool (  IN POOL_TYPE  PoolType, IN SIZE_T  NumberOfBytes )

Definition at line 927 of file verifier.c. References ExAllocatePool, _MI_VERIFIER_DRIVER_ENTRY::Flags, HighPoolPriority, KernelVerifier, MmVerifierData, NULL, POOL_DRIVER_MASK, RtlGetCallersAddress(), TRUE, VeAllocatePoolWithTagPriority(), VI_VERIFYING_DIRECTLY, and ViLocateVerifierEntry(). { PVOID CallingAddress; PVOID CallersCaller; PMI_VERIFIER_DRIVER_ENTRY Verifier; #if defined (_X86_) RtlGetCallersAddress(&CallingAddress, &CallersCaller); #else CallingAddress = (PVOID)_ReturnAddress(); #endif if (KernelVerifier == TRUE) { Verifier = ViLocateVerifierEntry (CallingAddress); if ((Verifier == NULL) || ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) { return ExAllocatePool (PoolType | POOL_DRIVER_MASK, NumberOfBytes); } PoolType |= POOL_DRIVER_MASK; } MmVerifierData.AllocationsWithNoTag += 1; return VeAllocatePoolWithTagPriority (PoolType, NumberOfBytes, 'parW', HighPoolPriority, CallingAddress); }

THUNKED_API PVOID VerifierAllocatePoolWithQuota (  IN POOL_TYPE  PoolType, IN SIZE_T  NumberOfBytes )

Definition at line 1003 of file verifier.c. References ExAllocatePoolWithQuota, ExRaiseStatus(), FALSE, _MI_VERIFIER_DRIVER_ENTRY::Flags, HighPoolPriority, KernelVerifier, MmVerifierData, NULL, POOL_DRIVER_MASK, POOL_QUOTA_FAIL_INSTEAD_OF_RAISE, RtlGetCallersAddress(), TRUE, VeAllocatePoolWithTagPriority(), VI_VERIFYING_DIRECTLY, and ViLocateVerifierEntry(). { PVOID Va; LOGICAL RaiseOnQuotaFailure; PVOID CallingAddress; PVOID CallersCaller; PMI_VERIFIER_DRIVER_ENTRY Verifier; #if defined (_X86_) RtlGetCallersAddress(&CallingAddress, &CallersCaller); #else CallingAddress = (PVOID)_ReturnAddress(); #endif if (KernelVerifier == TRUE) { Verifier = ViLocateVerifierEntry (CallingAddress); if ((Verifier == NULL) || ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) { return ExAllocatePoolWithQuota (PoolType | POOL_DRIVER_MASK, NumberOfBytes); } PoolType |= POOL_DRIVER_MASK; } MmVerifierData.AllocationsWithNoTag += 1; if (PoolType & POOL_QUOTA_FAIL_INSTEAD_OF_RAISE) { RaiseOnQuotaFailure = FALSE; PoolType &= ~POOL_QUOTA_FAIL_INSTEAD_OF_RAISE; } else { RaiseOnQuotaFailure = TRUE; } Va = VeAllocatePoolWithTagPriority (PoolType, NumberOfBytes, 'parW', HighPoolPriority, CallingAddress); if (Va == NULL) { if (RaiseOnQuotaFailure == TRUE) { ExRaiseStatus (STATUS_INSUFFICIENT_RESOURCES); } } return Va; }

THUNKED_API PVOID VerifierAllocatePoolWithQuotaTag (  IN POOL_TYPE  PoolType, IN SIZE_T  NumberOfBytes, IN ULONG  Tag )

THUNKED_API PVOID VerifierAllocatePoolWithTag (  IN POOL_TYPE  PoolType, IN SIZE_T  NumberOfBytes, IN ULONG  Tag )

Definition at line 965 of file verifier.c. References ExAllocatePoolWithTag, _MI_VERIFIER_DRIVER_ENTRY::Flags, HighPoolPriority, KernelVerifier, NULL, POOL_DRIVER_MASK, RtlGetCallersAddress(), TRUE, VeAllocatePoolWithTagPriority(), VI_VERIFYING_DIRECTLY, and ViLocateVerifierEntry(). { PVOID CallingAddress; PVOID CallersCaller; PMI_VERIFIER_DRIVER_ENTRY Verifier; #if defined (_X86_) RtlGetCallersAddress(&CallingAddress, &CallersCaller); #else CallingAddress = (PVOID)_ReturnAddress(); #endif if (KernelVerifier == TRUE) { Verifier = ViLocateVerifierEntry (CallingAddress); if ((Verifier == NULL) || ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) { return ExAllocatePoolWithTag (PoolType | POOL_DRIVER_MASK, NumberOfBytes, Tag); } PoolType |= POOL_DRIVER_MASK; } return VeAllocatePoolWithTagPriority (PoolType, NumberOfBytes, Tag, HighPoolPriority, CallingAddress); }

THUNKED_API PVOID VerifierAllocatePoolWithTagPriority (  IN POOL_TYPE  PoolType, IN SIZE_T  NumberOfBytes, IN ULONG  Tag, IN EX_POOL_PRIORITY  Priority )

Definition at line 1115 of file verifier.c. References ExAllocatePoolWithTagPriority(), _MI_VERIFIER_DRIVER_ENTRY::Flags, KernelVerifier, NULL, POOL_DRIVER_MASK, RtlGetCallersAddress(), TRUE, VeAllocatePoolWithTagPriority(), VI_VERIFYING_DIRECTLY, and ViLocateVerifierEntry(). : This thunked-in function: - Performs sanity checks on the caller. - Can optionally provide allocation failures to the caller. - Attempts to provide the allocation from special pool. - Tracks pool to ensure callers free everything they allocate. --*/ { PVOID CallingAddress; PVOID CallersCaller; PMI_VERIFIER_DRIVER_ENTRY Verifier; #if defined (_X86_) RtlGetCallersAddress(&CallingAddress, &CallersCaller); #else CallingAddress = (PVOID)_ReturnAddress(); #endif if (KernelVerifier == TRUE) { Verifier = ViLocateVerifierEntry (CallingAddress); if ((Verifier == NULL) || ((Verifier->Flags & VI_VERIFYING_DIRECTLY) == 0)) { return ExAllocatePoolWithTagPriority (PoolType | POOL_DRIVER_MASK, NumberOfBytes, Tag, Priority); } PoolType |= POOL_DRIVER_MASK; } return VeAllocatePoolWithTagPriority (PoolType, NumberOfBytes, Tag, Priority, CallingAddress); }

THUNKED_API VOID FASTCALL VerifierExAcquireFastMutex (  IN PFAST_MUTEX  FastMutex  )

Definition at line 2815 of file verifier.c. References APC_LEVEL, and KeBugCheckEx(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql (); // // Caller better be at or below APC_LEVEL or have APCs blocked. // if (CurrentIrql > APC_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x33, CurrentIrql, (ULONG_PTR)FastMutex, 0); } ExAcquireFastMutex (FastMutex); }

THUNKED_API VOID FASTCALL VerifierExAcquireFastMutexUnsafe (  IN PFAST_MUTEX  FastMutex  )

Definition at line 2841 of file verifier.c. References APC_LEVEL, ExAcquireFastMutexUnsafe(), IS_SYSTEM_THREAD, KeBugCheckEx(), KeGetCurrentThread, and PsGetCurrentThread. { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql (); // // Caller better be at APC_LEVEL or have APCs blocked. // if ((CurrentIrql != APC_LEVEL) && (!IS_SYSTEM_THREAD(PsGetCurrentThread())) && (KeGetCurrentThread()->KernelApcDisable == 0)) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x39, CurrentIrql, (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable), (ULONG_PTR)FastMutex); } ExAcquireFastMutexUnsafe (FastMutex); }

THUNKED_API BOOLEAN VerifierExAcquireResourceExclusive (  IN PERESOURCE  Resource, IN BOOLEAN  Wait )

Definition at line 2182 of file verifier.c. References APC_LEVEL, ExAcquireResourceExclusiveLite(), IS_SYSTEM_THREAD, KeBugCheckEx(), KeGetCurrentThread, PsGetCurrentThread, and Resource. { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql (); if ((CurrentIrql != APC_LEVEL) && (!IS_SYSTEM_THREAD(PsGetCurrentThread())) && (KeGetCurrentThread()->KernelApcDisable == 0)) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x37, CurrentIrql, (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable), (ULONG_PTR)Resource); } return ExAcquireResourceExclusiveLite (Resource, Wait); }

THUNKED_API VOID FASTCALL VerifierExReleaseFastMutex (  IN PFAST_MUTEX  FastMutex  )

Definition at line 2870 of file verifier.c. References APC_LEVEL, IS_SYSTEM_THREAD, KeBugCheckEx(), KeGetCurrentThread, and PsGetCurrentThread. { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql (); // // Caller better be at APC_LEVEL or have APCs blocked. // if ((CurrentIrql != APC_LEVEL) && (!IS_SYSTEM_THREAD(PsGetCurrentThread())) && (KeGetCurrentThread()->KernelApcDisable == 0)) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x34, CurrentIrql, (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable), (ULONG_PTR)FastMutex); } ExReleaseFastMutex (FastMutex); }

THUNKED_API VOID FASTCALL VerifierExReleaseFastMutexUnsafe (  IN PFAST_MUTEX  FastMutex  )

Definition at line 2899 of file verifier.c. References APC_LEVEL, ExReleaseFastMutexUnsafe(), IS_SYSTEM_THREAD, KeBugCheckEx(), KeGetCurrentThread, and PsGetCurrentThread. { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql (); // // Caller better be at APC_LEVEL or have APCs blocked. // if ((CurrentIrql != APC_LEVEL) && (!IS_SYSTEM_THREAD(PsGetCurrentThread())) && (KeGetCurrentThread()->KernelApcDisable == 0)) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x3A, CurrentIrql, (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable), (ULONG_PTR)FastMutex); } ExReleaseFastMutexUnsafe (FastMutex); }

THUNKED_API VOID FASTCALL VerifierExReleaseResource (  IN PERESOURCE  Resource  )

Definition at line 2208 of file verifier.c. References APC_LEVEL, ExReleaseResourceLite(), IS_SYSTEM_THREAD, KeBugCheckEx(), KeGetCurrentThread, PsGetCurrentThread, and Resource. { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql (); if ((CurrentIrql != APC_LEVEL) && (!IS_SYSTEM_THREAD(PsGetCurrentThread())) && (KeGetCurrentThread()->KernelApcDisable == 0)) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x38, CurrentIrql, (ULONG_PTR)(KeGetCurrentThread()->KernelApcDisable), (ULONG_PTR)Resource); } ExReleaseResourceLite (Resource); }

THUNKED_API BOOLEAN FASTCALL VerifierExTryToAcquireFastMutex (  IN PFAST_MUTEX  FastMutex  )

Definition at line 2789 of file verifier.c. References APC_LEVEL, and KeBugCheckEx(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql (); // // Caller better be at or below APC_LEVEL or have APCs blocked. // if (CurrentIrql > APC_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x33, CurrentIrql, (ULONG_PTR)FastMutex, 0); } return ExTryToAcquireFastMutex (FastMutex); }

THUNKED_API VOID VerifierFreePool (  IN PVOID  P  )

Definition at line 2129 of file verifier.c. References ExFreePool(), KernelVerifier, TRUE, and VerifierFreePoolWithTag(). { if (KernelVerifier == TRUE) { ExFreePool (P); return; } VerifierFreePoolWithTag (P, 0); }

THUNKED_API VOID VerifierFreePoolWithTag (  IN PVOID  P, IN ULONG  TagToFree )

Definition at line 2143 of file verifier.c. References ExFreePoolSanityChecks(), ExFreePoolWithTag, KernelVerifier, and TRUE. Referenced by VerifierFreePool(). { if (KernelVerifier == TRUE) { ExFreePoolWithTag (P, TagToFree); return; } ExFreePoolSanityChecks (P); ExFreePoolWithTag (P, TagToFree); }

VOID VerifierFreeTrackedPool (  IN PVOID  VirtualAddress, IN SIZE_T  ChargedBytes, IN LOGICAL  CheckType, IN LOGICAL  SpecialPool )

Referenced by ExFreePoolWithTag(), MiFreePoolPages(), and MmFreeSpecialPool().

THUNKED_API KIRQL FASTCALL VerifierKeAcquireQueuedSpinLock (  IN KSPIN_LOCK_QUEUE_NUMBER  Number  )

THUNKED_API VOID VerifierKeAcquireSpinLock (  IN PKSPIN_LOCK  SpinLock, OUT PKIRQL  OldIrql )

Definition at line 2365 of file verifier.c. References DISPATCH_LEVEL, KeAcquireSpinLock, KfSanityCheckRaiseIrql(), MmVerifierData, PKE_ACQUIRE_SPINLOCK, and ViTrimAllSystemPagableMemory(). { KIRQL CurrentIrql; PKE_ACQUIRE_SPINLOCK HalRoutine; CurrentIrql = KeGetCurrentIrql (); KfSanityCheckRaiseIrql (DISPATCH_LEVEL); MmVerifierData.AcquireSpinLocks += 1; if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) { if (CurrentIrql < DISPATCH_LEVEL) { ViTrimAllSystemPagableMemory (); } } #if defined (_X86_) HalRoutine = (PKE_ACQUIRE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_ACQUIRE_SPINLOCK]; if (HalRoutine) { (*HalRoutine)(SpinLock, OldIrql); return; } #endif KeAcquireSpinLock (SpinLock, OldIrql); }

THUNKED_API VOID VerifierKeInitializeTimer (  IN PKTIMER  Timer  )

Definition at line 3039 of file verifier.c. References VerifierKeInitializeTimerEx(). { VerifierKeInitializeTimerEx(Timer, NotificationTimer); }

THUNKED_API VOID VerifierKeInitializeTimerEx (  IN PKTIMER  Timer, IN TIMER_TYPE  Type )

Definition at line 3020 of file verifier.c. References KeCheckForTimer(), KeInitializeTimerEx(), KiTimerTableListHead, and NULL. Referenced by VerifierKeInitializeTimer(). { // // Check the object being initialized isn't already an // active timer. Make sure the timer table list is initialized. // if (KiTimerTableListHead[0].Flink != NULL) { KeCheckForTimer(Timer, sizeof(KTIMER)); } KeInitializeTimerEx(Timer, Type); }

THUNKED_API VOID VerifierKeLowerIrql (  IN KIRQL  NewIrql  )

Definition at line 2972 of file verifier.c. References KeLowerIrql(), KfSanityCheckLowerIrql(), and PKE_LOWER_IRQL. { PKE_LOWER_IRQL HalRoutine; KfSanityCheckLowerIrql (NewIrql); #if defined (_X86_) HalRoutine = (PKE_LOWER_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_LOWER_IRQL]; if (HalRoutine) { (*HalRoutine)(NewIrql); return; } #endif KeLowerIrql (NewIrql); }

THUNKED_API VOID VerifierKeRaiseIrql (  IN KIRQL  NewIrql, OUT PKIRQL  OldIrql )

Definition at line 2934 of file verifier.c. References DISPATCH_LEVEL, KeRaiseIrql(), KfSanityCheckRaiseIrql(), MmVerifierData, PKE_RAISE_IRQL, and ViTrimAllSystemPagableMemory(). { PKE_RAISE_IRQL HalRoutine; *OldIrql = KeGetCurrentIrql (); KfSanityCheckRaiseIrql (NewIrql); MmVerifierData.RaiseIrqls += 1; if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) { if ((*OldIrql < DISPATCH_LEVEL) && (NewIrql >= DISPATCH_LEVEL)) { ViTrimAllSystemPagableMemory (); } } #if defined (_X86_) HalRoutine = (PKE_RAISE_IRQL) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RAISE_IRQL]; if (HalRoutine) { (*HalRoutine)(NewIrql, OldIrql); return; } #endif KeRaiseIrql (NewIrql, OldIrql); }

THUNKED_API VOID FASTCALL VerifierKeReleaseQueuedSpinLock (  IN KSPIN_LOCK_QUEUE_NUMBER  Number, IN KIRQL  OldIrql )

THUNKED_API VOID VerifierKeReleaseSpinLock (  IN PKSPIN_LOCK  SpinLock, IN KIRQL  NewIrql )

Definition at line 2406 of file verifier.c. References DISPATCH_LEVEL, KeBugCheckEx(), KeReleaseSpinLock(), KfSanityCheckLowerIrql(), and PKE_RELEASE_SPINLOCK. { KIRQL CurrentIrql; PKE_RELEASE_SPINLOCK HalRoutine; CurrentIrql = KeGetCurrentIrql (); // // Caller better still be at DISPATCH_LEVEL when releasing the spinlock // if (CurrentIrql != DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x32, CurrentIrql, (ULONG_PTR)SpinLock, 0); } KfSanityCheckLowerIrql (NewIrql); #if defined (_X86_) HalRoutine = (PKE_RELEASE_SPINLOCK) (ULONG_PTR) MiKernelVerifierOriginalCalls[VI_KE_RELEASE_SPINLOCK]; if (HalRoutine) { (*HalRoutine)(SpinLock, NewIrql); return; } #endif KeReleaseSpinLock (SpinLock, NewIrql); }

THUNKED_API KIRQL FASTCALL VerifierKfAcquireSpinLock (  IN PKSPIN_LOCK  SpinLock  )

THUNKED_API VOID FASTCALL VerifierKfLowerIrql (  IN KIRQL  NewIrql  )

THUNKED_API KIRQL FASTCALL VerifierKfRaiseIrql (  IN KIRQL  NewIrql  )

THUNKED_API VOID FASTCALL VerifierKfReleaseSpinLock (  IN PKSPIN_LOCK  SpinLock, IN KIRQL  NewIrql )

THUNKED_API PVOID VerifierMapIoSpace (  IN PHYSICAL_ADDRESS  PhysicalAddress, IN SIZE_T  NumberOfBytes, IN MEMORY_CACHING_TYPE  CacheType )

Definition at line 662 of file verifier.c. References DISPATCH_LEVEL, KeBugCheckEx(), MmMapIoSpace(), NULL, TRUE, and ViInjectResourceFailure(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql(); if (CurrentIrql > DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x73, CurrentIrql, (ULONG_PTR)PhysicalAddress.LowPart, NumberOfBytes); } if (ViInjectResourceFailure () == TRUE) { return NULL; } return MmMapIoSpace (PhysicalAddress, NumberOfBytes, CacheType); }

THUNKED_API PVOID VerifierMapLockedPages (  IN PMDL  MemoryDescriptorList, IN KPROCESSOR_MODE  AccessMode )

Definition at line 688 of file verifier.c. References APC_LEVEL, DbgPrint, DISPATCH_LEVEL, KeBugCheckEx(), KernelMode, MDL_MAPPING_CAN_FAIL, MmMapLockedPages(), RtlGetCallersAddress(), TRUE, and ViAddBadMapper(). { PVOID CallingAddress; PVOID CallersCaller; KIRQL CurrentIrql; #if defined (_X86_) RtlGetCallersAddress(&CallingAddress, &CallersCaller); #else CallingAddress = (PVOID)_ReturnAddress(); #endif CurrentIrql = KeGetCurrentIrql(); if (AccessMode == KernelMode) { if (CurrentIrql > DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x74, CurrentIrql, (ULONG_PTR)MemoryDescriptorList, (ULONG_PTR)AccessMode); } } else { if (CurrentIrql > APC_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x75, CurrentIrql, (ULONG_PTR)MemoryDescriptorList, (ULONG_PTR)AccessMode); } } if ((MemoryDescriptorList->MdlFlags & MDL_MAPPING_CAN_FAIL) == 0) { if (ViAddBadMapper (CallingAddress) == TRUE) { // // All drivers must specify can fail. We'd really like to bugcheck // here to get drivers to convert but cut them some slack for now. // DbgPrint ("*******************************************************************************\n"); DbgPrint ("* *\n"); DbgPrint ("* The Driver Verifier has detected the driver at address %p\n", CallingAddress); DbgPrint ("* is calling MmMapLockedPages instead of MmMapLockedPagesSpecifyCache.\n"); DbgPrint ("* This can cause the system to needlessly bugcheck whenever system\n"); DbgPrint ("* resources are low. This driver needs to be fixed.\n"); DbgPrint ("* *\n"); DbgPrint ("*******************************************************************************\n"); } } return MmMapLockedPages (MemoryDescriptorList, AccessMode); }

THUNKED_API PVOID VerifierMapLockedPagesSpecifyCache (  IN PMDL  MemoryDescriptorList, IN KPROCESSOR_MODE  AccessMode, IN MEMORY_CACHING_TYPE  CacheType, IN PVOID  RequestedAddress, IN ULONG  BugCheckOnFailure, IN MM_PAGE_PRIORITY  Priority )

Definition at line 751 of file verifier.c. References APC_LEVEL, DbgPrint, DISPATCH_LEVEL, KeBugCheckEx(), KernelMode, MDL_MAPPING_CAN_FAIL, MmMapLockedPagesSpecifyCache(), NULL, RtlGetCallersAddress(), TRUE, ViAddBadMapper(), and ViInjectResourceFailure(). { PVOID CallingAddress; PVOID CallersCaller; KIRQL CurrentIrql; #if defined (_X86_) RtlGetCallersAddress(&CallingAddress, &CallersCaller); #else CallingAddress = (PVOID)_ReturnAddress(); #endif CurrentIrql = KeGetCurrentIrql(); if (AccessMode == KernelMode) { if (CurrentIrql > DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x76, CurrentIrql, (ULONG_PTR)MemoryDescriptorList, (ULONG_PTR)AccessMode); } } else { if (CurrentIrql > APC_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x77, CurrentIrql, (ULONG_PTR)MemoryDescriptorList, (ULONG_PTR)AccessMode); } } if ((MemoryDescriptorList->MdlFlags & MDL_MAPPING_CAN_FAIL) || (BugCheckOnFailure == 0)) { if (ViInjectResourceFailure () == TRUE) { return NULL; } } else { // // All drivers must specify can fail or don't bugcheck. We'd // really like to bugcheck here to get drivers to convert but // cut them some slack for now. // if (ViAddBadMapper (CallingAddress) == TRUE) { DbgPrint ("*******************************************************************************\n"); DbgPrint ("* *\n"); DbgPrint ("* The Driver Verifier has detected the driver at address %p\n", CallingAddress); DbgPrint ("* is not calling the safe version of MmMapLockedPagesSpecifyCache.\n"); DbgPrint ("* This can cause the system to needlessly bugcheck whenever system\n"); DbgPrint ("* resources are low. This driver needs to be fixed.\n"); DbgPrint ("* *\n"); DbgPrint ("*******************************************************************************\n"); } } return MmMapLockedPagesSpecifyCache (MemoryDescriptorList, AccessMode, CacheType, RequestedAddress, BugCheckOnFailure, Priority); }

THUNKED_API VOID VerifierProbeAndLockPages (  IN OUT PMDL  MemoryDescriptorList, IN KPROCESSOR_MODE  AccessMode, IN LOCK_OPERATION  Operation )

Definition at line 537 of file verifier.c. References DISPATCH_LEVEL, ExRaiseStatus(), KeBugCheckEx(), MmProbeAndLockPages(), TRUE, and ViInjectResourceFailure(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql(); if (CurrentIrql > DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x70, CurrentIrql, (ULONG_PTR)MemoryDescriptorList, (ULONG_PTR)AccessMode); } if (ViInjectResourceFailure () == TRUE) { ExRaiseStatus (STATUS_WORKING_SET_QUOTA); } MmProbeAndLockPages (MemoryDescriptorList, AccessMode, Operation); }

THUNKED_API VOID VerifierProbeAndLockProcessPages (  IN OUT PMDL  MemoryDescriptorList, IN PEPROCESS  Process, IN KPROCESSOR_MODE  AccessMode, IN LOCK_OPERATION  Operation )

Definition at line 563 of file verifier.c. References DISPATCH_LEVEL, ExRaiseStatus(), KeBugCheckEx(), MmProbeAndLockProcessPages(), TRUE, and ViInjectResourceFailure(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql(); if (CurrentIrql > DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x71, CurrentIrql, (ULONG_PTR)MemoryDescriptorList, (ULONG_PTR)Process); } if (ViInjectResourceFailure () == TRUE) { ExRaiseStatus (STATUS_WORKING_SET_QUOTA); } MmProbeAndLockProcessPages (MemoryDescriptorList, Process, AccessMode, Operation); }

THUNKED_API VOID VerifierProbeAndLockSelectedPages (  IN OUT PMDL  MemoryDescriptorList, IN PFILE_SEGMENT_ELEMENT  SegmentArray, IN KPROCESSOR_MODE  AccessMode, IN LOCK_OPERATION  Operation )

Definition at line 593 of file verifier.c. References APC_LEVEL, ExRaiseStatus(), KeBugCheckEx(), MmProbeAndLockSelectedPages(), TRUE, and ViInjectResourceFailure(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql(); if (CurrentIrql > APC_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x72, CurrentIrql, (ULONG_PTR)MemoryDescriptorList, (ULONG_PTR)AccessMode); } if (ViInjectResourceFailure () == TRUE) { ExRaiseStatus (STATUS_WORKING_SET_QUOTA); } MmProbeAndLockSelectedPages (MemoryDescriptorList, SegmentArray, AccessMode, Operation); }

THUNKED_API LONG VerifierSetEvent (  IN PRKEVENT  Event, IN KPRIORITY  Increment, IN BOOLEAN  Wait )

Definition at line 2160 of file verifier.c. References DISPATCH_LEVEL, Event(), Increment, KeBugCheckEx(), and KeSetEvent(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql(); if (CurrentIrql > DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x80, CurrentIrql, (ULONG_PTR)Event, (ULONG_PTR)0); } return KeSetEvent (Event, Increment, Wait); }

THUNKED_API BOOLEAN VerifierSynchronizeExecution (  IN PKINTERRUPT  Interrupt, IN PKSYNCHRONIZE_ROUTINE  SynchronizeRoutine, IN PVOID  SynchronizeContext )

Definition at line 2993 of file verifier.c. References DISPATCH_LEVEL, KeSynchronizeExecution(), KfSanityCheckRaiseIrql(), MmVerifierData, and ViTrimAllSystemPagableMemory(). { KIRQL OldIrql; OldIrql = KeGetCurrentIrql (); KfSanityCheckRaiseIrql (Interrupt->SynchronizeIrql); MmVerifierData.SynchronizeExecutions += 1; if (MmVerifierData.Level & DRIVER_VERIFIER_FORCE_IRQL_CHECKING) { if ((OldIrql < DISPATCH_LEVEL) && (Interrupt->SynchronizeIrql >= DISPATCH_LEVEL)) { ViTrimAllSystemPagableMemory (); } } return KeSynchronizeExecution (Interrupt, SynchronizeRoutine, SynchronizeContext); }

VOID VerifierUnlockPages (  IN OUT PMDL  MemoryDescriptorList  )

Definition at line 829 of file verifier.c. References DISPATCH_LEVEL, KeBugCheckEx(), MDL_PAGES_LOCKED, MDL_SOURCE_IS_NONPAGED_POOL, and MmUnlockPages(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql(); if (CurrentIrql > DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x78, CurrentIrql, (ULONG_PTR)MemoryDescriptorList, 0); } if ((MemoryDescriptorList->MdlFlags & MDL_PAGES_LOCKED) == 0) { // // The caller is trying to unlock an MDL that was never locked down. // KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x7C, (ULONG_PTR)MemoryDescriptorList, (ULONG_PTR)MemoryDescriptorList->MdlFlags, 0); } if (MemoryDescriptorList->MdlFlags & MDL_SOURCE_IS_NONPAGED_POOL) { // // Nonpaged pool should never be locked down. // KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x7D, (ULONG_PTR)MemoryDescriptorList, (ULONG_PTR)MemoryDescriptorList->MdlFlags, 0); } MmUnlockPages (MemoryDescriptorList); }

VOID VerifierUnmapIoSpace (  IN PVOID  BaseAddress, IN SIZE_T  NumberOfBytes )

Definition at line 906 of file verifier.c. References DISPATCH_LEVEL, KeBugCheckEx(), and MmUnmapIoSpace(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql(); if (CurrentIrql > DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x7B, CurrentIrql, (ULONG_PTR)BaseAddress, (ULONG_PTR)NumberOfBytes); } MmUnmapIoSpace (BaseAddress, NumberOfBytes); }

VOID VerifierUnmapLockedPages (  IN PVOID  BaseAddress, IN PMDL  MemoryDescriptorList )

Definition at line 874 of file verifier.c. References APC_LEVEL, DISPATCH_LEVEL, KeBugCheckEx(), and MmUnmapLockedPages(). { KIRQL CurrentIrql; CurrentIrql = KeGetCurrentIrql(); if (BaseAddress > MM_HIGHEST_USER_ADDRESS) { if (CurrentIrql > DISPATCH_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x79, CurrentIrql, (ULONG_PTR)BaseAddress, (ULONG_PTR)MemoryDescriptorList); } } else { if (CurrentIrql > APC_LEVEL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x7A, CurrentIrql, (ULONG_PTR)BaseAddress, (ULONG_PTR)MemoryDescriptorList); } } MmUnmapLockedPages (BaseAddress, MemoryDescriptorList); }

LOGICAL ViAddBadMapper (  IN PVOID  BadMapper  )

Definition at line 632 of file verifier.c. References FALSE, NULL, TRUE, VI_BAD_MAPPERS_MAX, ViBadMapperLock, and ViBadMappers. Referenced by VerifierMapLockedPages(), and VerifierMapLockedPagesSpecifyCache(). { ULONG i; KIRQL OldIrql; LOGICAL Added; Added = FALSE; ExAcquireSpinLock (&ViBadMapperLock, &OldIrql); for (i = 0; i < VI_BAD_MAPPERS_MAX; i += 1) { if (ViBadMappers[i] == BadMapper) { break; } if (ViBadMappers[i] == NULL) { ViBadMappers[i] = BadMapper; Added = TRUE; break; } } ExReleaseSpinLock (&ViBadMapperLock, OldIrql); return Added; }

VOID ViCancelPoolAllocation (  IN PMI_VERIFIER_DRIVER_ENTRY  Verifier  )

Definition at line 1566 of file verifier.c. References ASSERT, and VI_POOL_FREELIST_END. Referenced by VeAllocatePoolWithTagPriority(). : This function removes a reservation from the verifier list for this driver. All reservations must be made in advance. This routine is used when an earlier reservation is not going to be used (ie: the actual pool allocation failed so no reservation will be needed after all). Arguments: Verifier - Supplies the verifier entry to update. Return Value: None. Environment: Kernel mode, DISPATCH_LEVEL or below, no verifier mutexes held. --*/ { KIRQL OldIrql; ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql); // // The hash entry reserved earlier is not going to be used after all. // ASSERT (Verifier->PoolHashReserved != 0); ASSERT (Verifier->PoolHashSize >= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved); ASSERT (Verifier->PoolHashFree != VI_POOL_FREELIST_END); Verifier->PoolHashReserved -= 1; ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql); }

VOID ViInitializeEntry (  IN PMI_VERIFIER_DRIVER_ENTRY  Verifier, IN LOGICAL  FirstLoad )

Definition at line 3047 of file verifier.c. References KeInitializeSpinLock(), MI_VERIFIER_ENTRY_SIGNATURE, NULL, TRUE, VerifierListLock, and VI_POOL_FREELIST_END. Referenced by MiApplyDriverVerifier(), and MiInitializeDriverVerifierList(). : Initialize various verifier fields as the driver is being (re)loaded now. Arguments: Verifier - Supplies the verifier entry to be initialized. FirstLoad - Supplies TRUE if this is the first load of this driver. Return Value: None. --*/ { KIRQL OldIrql; // // Only the BaseName field is initialized on entry. // KeInitializeSpinLock (&Verifier->VerifierPoolLock); Verifier->CurrentPagedPoolAllocations = 0; Verifier->CurrentNonPagedPoolAllocations = 0; Verifier->PeakPagedPoolAllocations = 0; Verifier->PeakNonPagedPoolAllocations = 0; Verifier->PagedBytes = 0; Verifier->NonPagedBytes = 0; Verifier->PeakPagedBytes = 0; Verifier->PeakNonPagedBytes = 0; Verifier->PoolHash = NULL; Verifier->PoolHashSize = 0; Verifier->PoolHashFree = VI_POOL_FREELIST_END; Verifier->PoolHashReserved = 0; Verifier->Signature = MI_VERIFIER_ENTRY_SIGNATURE; if (FirstLoad == TRUE) { Verifier->Flags = 0; Verifier->Loads = 0; Verifier->Unloads = 0; } ExAcquireSpinLock (&VerifierListLock, &OldIrql); Verifier->StartAddress = NULL; Verifier->EndAddress = NULL; ExReleaseSpinLock (&VerifierListLock, OldIrql); }

LOGICAL ViInjectResourceFailure (  VOID   )

Definition at line 1168 of file verifier.c. References FALSE, KeBootTime, KeQuerySystemTime(), KeQueryTickCount(), MmVerifierData, TRUE, VerifierRequiredTimeSinceBoot, and VerifierSystemSufficientlyBooted. Referenced by VeAllocatePoolWithTagPriority(), VerifierMapIoSpace(), VerifierMapLockedPagesSpecifyCache(), VerifierProbeAndLockPages(), VerifierProbeAndLockProcessPages(), and VerifierProbeAndLockSelectedPages(). : This function determines whether a resource allocation should be deliberately failed. This may be a pool allocation, MDL creation, system PTE allocation, etc. Arguments: None. Return Value: TRUE if the allocation should be failed. FALSE otherwise. Environment: Kernel mode. DISPATCH_LEVEL or below. --*/ { LARGE_INTEGER CurrentTime; if ((MmVerifierData.Level & DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES) == 0) { return FALSE; } // // Don't fail any requests in the first 7 or 8 minutes as we want to // give the system enough time to boot. // if (VerifierSystemSufficientlyBooted == FALSE) { KeQuerySystemTime (&CurrentTime); if (CurrentTime.QuadPart > KeBootTime.QuadPart + VerifierRequiredTimeSinceBoot.QuadPart) { VerifierSystemSufficientlyBooted = TRUE; } } if (VerifierSystemSufficientlyBooted == TRUE) { KeQueryTickCount(&CurrentTime); if ((CurrentTime.LowPart & 0xF) == 0) { MmVerifierData.AllocationsFailedDeliberately += 1; // // Deliberately fail this request. // return TRUE; } } return FALSE; }

ULONG_PTR ViInsertPoolAllocation (  IN PMI_VERIFIER_DRIVER_ENTRY  Verifier, IN PVOID  VirtualAddress, IN PVOID  CallingAddress, IN SIZE_T  NumberOfBytes, IN ULONG  Tag )

Definition at line 1369 of file verifier.c. References ASSERT, _VI_POOL_ENTRY_INUSE::CallingAddress, DISPATCH_LEVEL, _VI_POOL_ENTRY::FreeListNext, Index, _VI_POOL_ENTRY::InUse, _VI_POOL_ENTRY_INUSE::NumberOfBytes, _VI_POOL_ENTRY_INUSE::Tag, VI_POOL_FREELIST_END, and _VI_POOL_ENTRY_INUSE::VirtualAddress. Referenced by ViPostPoolAllocation(). : This function inserts the specified virtual address into the verifier list for this driver. Arguments: Verifier - Supplies the verifier entry to update. VirtualAddress - Supplies the virtual address to insert. CallingAddress - Supplies the caller's address. NumberOfBytes - Supplies the number of bytes to allocate. Tag - Supplies the tag for the pool being allocated. Return Value: The list index this virtual address was inserted at. Environment: Kernel mode, DISPATCH_LEVEL. The Verifier->VerifierPoolLock must be held. --*/ { ULONG_PTR Index; PVI_POOL_ENTRY HashEntry; ASSERT (KeGetCurrentIrql() == DISPATCH_LEVEL); // // The list entry must be reserved in advance. // ASSERT (Verifier->PoolHashReserved != 0); ASSERT (Verifier->PoolHashSize >= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved); // // Use the next free list entry. // Index = Verifier->PoolHashFree; ASSERT (Index != VI_POOL_FREELIST_END); HashEntry = Verifier->PoolHash + Index; Verifier->PoolHashFree = HashEntry->FreeListNext; Verifier->PoolHashReserved -= 1; ASSERT (((HashEntry->FreeListNext & MINLONG_PTR) == 0) || (HashEntry->FreeListNext == VI_POOL_FREELIST_END)); HashEntry->InUse.VirtualAddress = VirtualAddress; HashEntry->InUse.CallingAddress = CallingAddress; HashEntry->InUse.NumberOfBytes = NumberOfBytes; HashEntry->InUse.Tag = Tag; ASSERT ((HashEntry->FreeListNext & MINLONG_PTR) != 0); return Index; }

VOID ViInsertVerifierEntry (  IN PMI_VERIFIER_DRIVER_ENTRY  Verifier  )

Definition at line 3360 of file verifier.c. References MiSuspectDriverList, and VerifierListLock. Referenced by MiApplyDriverVerifier(), and MiInitializeDriverVerifierList(). : Nonpagable wrapper to insert a new verifier entry. Note that the system load mutant or the verifier load spinlock is sufficient for readers to access the list. This is because the insertion path acquires both. Lock synchronization is needed because pool allocators walk the verifier list at DISPATCH_LEVEL. Arguments: Verifier - Supplies a caller-initialized entry for the driver. Return Value: None. --*/ { KIRQL OldIrql; ExAcquireSpinLock (&VerifierListLock, &OldIrql); InsertTailList (&MiSuspectDriverList, &Verifier->Links); ExReleaseSpinLock (&VerifierListLock, OldIrql); }

PMI_VERIFIER_DRIVER_ENTRY ViLocateVerifierEntry (  IN PVOID  SystemAddress  )

Definition at line 3396 of file verifier.c. References _MI_VERIFIER_DRIVER_ENTRY::EndAddress, MiSuspectDriverList, NULL, _MI_VERIFIER_DRIVER_ENTRY::StartAddress, and VerifierListLock. Referenced by VeAllocatePoolWithTagPriority(), VerifierAllocatePool(), VerifierAllocatePoolWithQuota(), VerifierAllocatePoolWithQuotaTag(), VerifierAllocatePoolWithTag(), VerifierAllocatePoolWithTagPriority(), and ViPostPoolAllocation(). : Locate the Driver Verifier entry for the specified system address. Arguments: SystemAddress - Supplies a code or data address within a driver. Return Value: The Verifier entry corresponding to the driver or NULL. Environment: The caller may be at DISPATCH_LEVEL and does not hold the MmSystemLoadLock. --*/ { KIRQL OldIrql; PLIST_ENTRY NextEntry; PMI_VERIFIER_DRIVER_ENTRY Verifier; ExAcquireSpinLock (&VerifierListLock, &OldIrql); NextEntry = MiSuspectDriverList.Flink; while (NextEntry != &MiSuspectDriverList) { Verifier = CONTAINING_RECORD(NextEntry, MI_VERIFIER_DRIVER_ENTRY, Links); if ((SystemAddress >= Verifier->StartAddress) && (SystemAddress < Verifier->EndAddress)) { ExReleaseSpinLock (&VerifierListLock, OldIrql); return Verifier; } NextEntry = NextEntry->Flink; } ExReleaseSpinLock (&VerifierListLock, OldIrql); return NULL; }

PVOID ViPostPoolAllocation (  IN PVOID  VirtualAddress, IN SIZE_T  NumberOfBytes, IN POOL_TYPE  PoolType, IN ULONG  Tag, IN PVOID  CallingAddress )

Definition at line 1614 of file verifier.c. References ASSERT, BASE_POOL_TYPE_MASK, BYTE_OFFSET, _MI_VERIFIER_DRIVER_ENTRY::CurrentNonPagedPoolAllocations, _MI_VERIFIER_DRIVER_ENTRY::CurrentPagedPoolAllocations, EX_REAL_POOL_USAGE, FALSE, Header, MI_SPECIAL_POOL_VERIFIER, MI_VERIFIER_POOL_HEADER, MmSpecialPoolEnd, MmSpecialPoolStart, MmVerifierData, _MI_VERIFIER_DRIVER_ENTRY::NonPagedBytes, NULL, PAGE_ALIGN, PAGE_SIZE, _MI_VERIFIER_DRIVER_ENTRY::PagedBytes, PagedPool, _MI_VERIFIER_DRIVER_ENTRY::PeakNonPagedBytes, _MI_VERIFIER_DRIVER_ENTRY::PeakNonPagedPoolAllocations, _MI_VERIFIER_DRIVER_ENTRY::PeakPagedBytes, _MI_VERIFIER_DRIVER_ENTRY::PeakPagedPoolAllocations, PMI_VERIFIER_POOL_HEADER, POOL_BUDDY_MAX, POOL_OVERHEAD, POOL_VERIFIER_MASK, TRUE, _POOL_HEADER::Ulong1, VerifierIsTrackingPool, VerifierPoolLock, _MI_VERIFIER_DRIVER_ENTRY::VerifierPoolLock, VerifierPoolMutex, ViInsertPoolAllocation(), and ViLocateVerifierEntry(). Referenced by VeAllocatePoolWithTagPriority(). : This function performs verifier book-keeping on the allocation attempt. Arguments: VirtualAddress - Supplies the virtual address that should be allocated. NumberOfBytes - Supplies the number of bytes to allocate. PoolType - Supplies the type of pool being allocated. Tag - Supplies the tag for the pool being allocated. CallingAddress - Supplies the caller's address. Return Value: The virtual address the caller should use. Environment: Kernel mode. DISPATCH_LEVEL or below. --*/ { KIRQL OldIrql; PMI_VERIFIER_POOL_HEADER Header; SIZE_T ChargedBytes; PMI_VERIFIER_DRIVER_ENTRY Verifier; ULONG_PTR InsertedIndex; LOGICAL SpecialPoolAllocation; PPOOL_HEADER PoolHeader; InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceeded); ChargedBytes = EX_REAL_POOL_USAGE(NumberOfBytes); SpecialPoolAllocation = FALSE; if (VirtualAddress >= MmSpecialPoolStart && VirtualAddress < MmSpecialPoolEnd) { ChargedBytes = NumberOfBytes; InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceededSpecialPool); SpecialPoolAllocation = TRUE; } else if (NumberOfBytes <= POOL_BUDDY_MAX) { ChargedBytes -= POOL_OVERHEAD; } else { // // This isn't exactly true but it does give the user a way to see // if this machine is large enough to support special pool 100%. // InterlockedIncrement ((PLONG)&MmVerifierData.AllocationsSucceededSpecialPool); } if ((PoolType & POOL_VERIFIER_MASK) == 0) { return VirtualAddress; } if (NumberOfBytes > POOL_BUDDY_MAX) { ASSERT (BYTE_OFFSET(VirtualAddress) == 0); } Verifier = ViLocateVerifierEntry (CallingAddress); ASSERT (Verifier != NULL); VerifierIsTrackingPool = TRUE; if (SpecialPoolAllocation == TRUE) { // // Carefully adjust the special pool page to move the verifier tracking // header to the front. This allows the allocation to remain butted // against the end of the page so overruns can be detected immediately. // if (((ULONG_PTR)VirtualAddress & (PAGE_SIZE - 1))) { PoolHeader = (PPOOL_HEADER)(PAGE_ALIGN (VirtualAddress)); Header = (PMI_VERIFIER_POOL_HEADER) (PoolHeader + 1); VirtualAddress = (PVOID) ((PCHAR)VirtualAddress + sizeof (MI_VERIFIER_POOL_HEADER)); } else { PoolHeader = (PPOOL_HEADER)((PCHAR)PAGE_ALIGN (VirtualAddress) + PAGE_SIZE - POOL_OVERHEAD); Header = (PMI_VERIFIER_POOL_HEADER) (PoolHeader - 1); } // ASSERT (PoolHeader->Ulong1 & MI_SPECIAL_POOL_VERIFIER); PoolHeader->Ulong1 -= sizeof (MI_VERIFIER_POOL_HEADER); ChargedBytes -= sizeof (MI_VERIFIER_POOL_HEADER); PoolHeader->Ulong1 |= MI_SPECIAL_POOL_VERIFIER; } else { Header = (PMI_VERIFIER_POOL_HEADER)((PCHAR)VirtualAddress + ChargedBytes - sizeof(MI_VERIFIER_POOL_HEADER)); } ASSERT (((ULONG_PTR)Header & (sizeof(ULONG) - 1)) == 0); Header->Verifier = Verifier; // // Enqueue the entry and update per-driver counters. // Note that paged pool allocations must be chained using nonpaged // pool to prevent deadlocks. // ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql); InsertedIndex = ViInsertPoolAllocation (Verifier, VirtualAddress, CallingAddress, ChargedBytes, Tag); if ((PoolType & BASE_POOL_TYPE_MASK) == PagedPool) { Verifier->PagedBytes += ChargedBytes; if (Verifier->PagedBytes > Verifier->PeakPagedBytes) { Verifier->PeakPagedBytes = Verifier->PagedBytes; } Verifier->CurrentPagedPoolAllocations += 1; if (Verifier->CurrentPagedPoolAllocations > Verifier->PeakPagedPoolAllocations) { Verifier->PeakPagedPoolAllocations = Verifier->CurrentPagedPoolAllocations; } } else { Verifier->NonPagedBytes += ChargedBytes; if (Verifier->NonPagedBytes > Verifier->PeakNonPagedBytes) { Verifier->PeakNonPagedBytes = Verifier->NonPagedBytes; } Verifier->CurrentNonPagedPoolAllocations += 1; if (Verifier->CurrentNonPagedPoolAllocations > Verifier->PeakNonPagedPoolAllocations) { Verifier->PeakNonPagedPoolAllocations = Verifier->CurrentNonPagedPoolAllocations; } } ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql); // // Since the header for paged pool is paged, don't initialize it until the // spinlock above is released. // Header->ListIndex = InsertedIndex; // // Update systemwide counters. // if ((PoolType & BASE_POOL_TYPE_MASK) == PagedPool) { ExAcquireFastMutex (&VerifierPoolMutex); MmVerifierData.PagedBytes += ChargedBytes; if (MmVerifierData.PagedBytes > MmVerifierData.PeakPagedBytes) { MmVerifierData.PeakPagedBytes = MmVerifierData.PagedBytes; } MmVerifierData.CurrentPagedPoolAllocations += 1; if (MmVerifierData.CurrentPagedPoolAllocations > MmVerifierData.PeakPagedPoolAllocations) { MmVerifierData.PeakPagedPoolAllocations = MmVerifierData.CurrentPagedPoolAllocations; } ExReleaseFastMutex (&VerifierPoolMutex); } else { ExAcquireSpinLock (&VerifierPoolLock, &OldIrql); MmVerifierData.NonPagedBytes += ChargedBytes; if (MmVerifierData.NonPagedBytes > MmVerifierData.PeakNonPagedBytes) { MmVerifierData.PeakNonPagedBytes = MmVerifierData.NonPagedBytes; } MmVerifierData.CurrentNonPagedPoolAllocations += 1; if (MmVerifierData.CurrentNonPagedPoolAllocations > MmVerifierData.PeakNonPagedPoolAllocations) { MmVerifierData.PeakNonPagedPoolAllocations = MmVerifierData.CurrentNonPagedPoolAllocations; } ExReleaseSpinLock (&VerifierPoolLock, OldIrql); } return VirtualAddress; }

VOID ViPrintString (  IN PUNICODE_STRING  DriverName  )

Definition at line 4336 of file verifier.c. References _VERIFIER_STRING_INFO::BuildNumber, _VERIFIER_STRING_INFO::Check, DbgPrint, _VERIFIER_STRING_INFO::DriverVerifierLevel, FALSE, _VERIFIER_STRING_INFO::Flags, L, MmVerifierData, NtBuildNumber, Printable, PrintableChars, RtlUpcaseUnicodeChar(), TRUE, and USHORT. Referenced by MiApplyDriverVerifier(). : This routine does a really bad hash of build number, verifier level and flags by using the driver name as a stream of bytes to XOR into the flags, etc. This is a Neill Clift special. Arguments: DriverName - Supplies the name of the driver. Return Value: None. --*/ { VERIFIER_STRING_INFO Bld; PUCHAR BufPtr; PWCHAR DriverPtr; ULONG BufLen; ULONG i; ULONG j; ULONG DriverChars; ULONG MaxChars; WCHAR OutBuf[sizeof (VERIFIER_STRING_INFO) * 2 + 1]; UNICODE_STRING OutBufU; ULONG Rem; ULONG LastRem; LOGICAL Done; Bld.BuildNumber = NtBuildNumber; Bld.DriverVerifierLevel = MmVerifierData.Level; // // Unloads and other actions could be encoded in the Flags field here. // Bld.Flags = 0; // // Make the last ULONG a weird function of the others. // Bld.Check = ((Bld.Flags + 1) * Bld.BuildNumber * (Bld.DriverVerifierLevel + 1)) * 123456789; BufPtr = (PUCHAR) &Bld; BufLen = sizeof (Bld); DriverChars = DriverName->Length / sizeof (DriverName->Buffer[0]); DriverPtr = DriverName->Buffer; MaxChars = DriverChars; if (DriverChars < sizeof (VERIFIER_STRING_INFO)) { MaxChars = sizeof (VERIFIER_STRING_INFO); } // // Xor each character in the driver name into the buffer. // for (i = 0; i < MaxChars; i += 1) { BufPtr[i % BufLen] ^= (UCHAR) RtlUpcaseUnicodeChar(DriverPtr[i % DriverChars]); } // // Produce a base N decoding of the binary buffer using the printable // characters defines. Treat the binary as a byte array and do the // division for each, tracking the carry. // j = 0; do { Done = TRUE; for (i = 0, LastRem = 0; i < sizeof (VERIFIER_STRING_INFO); i += 1) { Rem = BufPtr[i] + 256 * LastRem; BufPtr[i] = (UCHAR) (Rem / PrintableChars); LastRem = Rem % PrintableChars; if (BufPtr[i]) { Done = FALSE; } } OutBuf[j++] = Printable[LastRem]; if (j >= sizeof (OutBuf) / sizeof (OutBuf[0])) { // // The stack buffer isn't big enough. // return; } } while (Done == FALSE); OutBuf[j] = L'\0'; OutBufU.Length = OutBufU.MaximumLength = (USHORT) j * sizeof (WCHAR); OutBufU.Buffer = OutBuf; DbgPrint ("*******************************************************************************\n"); DbgPrint ("* *\n"); DbgPrint ("* This is the string to paste into your build mail\n"); DbgPrint ("* Driver Verifier: Enabled for %Z on Build %ld %wZ\n", DriverName, NtBuildNumber & 0xFFFFFFF, &OutBufU); DbgPrint ("* *\n"); DbgPrint ("*******************************************************************************\n"); return; }

VOID ViReleasePoolAllocation (  IN PMI_VERIFIER_DRIVER_ENTRY  Verifier, IN PVOID  VirtualAddress, IN ULONG_PTR  ListIndex, IN SIZE_T  ChargedBytes )

Definition at line 1447 of file verifier.c. References ASSERT, DISPATCH_LEVEL, _VI_POOL_ENTRY::FreeListNext, _VI_POOL_ENTRY::InUse, KeBugCheckEx(), MI_CONVERT_PHYSICAL_TO_PFN, MI_GET_PAGE_FRAME_FROM_PTE, MI_IS_PHYSICAL_ADDRESS, MiGetPteAddress, NULL, _VI_POOL_ENTRY_INUSE::NumberOfBytes, _MMPTE::u, and _VI_POOL_ENTRY_INUSE::VirtualAddress. Referenced by VerifierFreeTrackedPool(). : This function removes the specified virtual address from the verifier list for this driver. Arguments: Verifier - Supplies the verifier entry to update. VirtualAddress - Supplies the virtual address to release. ListIndex - Supplies the verifier pool hash index for the address being released. ChargedBytes - Supplies the bytes charged for this allocation. Return Value: None. Environment: Kernel mode, DISPATCH_LEVEL. The Verifier->VerifierPoolLock must be held. --*/ { PFN_NUMBER PageFrameIndex; PFN_NUMBER PageFrameIndex2; PVI_POOL_ENTRY HashEntry; PMMPTE PointerPte; ASSERT (KeGetCurrentIrql() == DISPATCH_LEVEL); if (Verifier->PoolHash == NULL) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x59, (ULONG_PTR)VirtualAddress, ListIndex, (ULONG_PTR)Verifier); } // // Ensure that the list pointer has not been overrun and still // points at something decent. // HashEntry = Verifier->PoolHash + ListIndex; if (ListIndex >= Verifier->PoolHashSize) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x54, (ULONG_PTR)VirtualAddress, Verifier->PoolHashSize, ListIndex); } if (HashEntry->InUse.VirtualAddress != VirtualAddress) { PageFrameIndex = 0; PageFrameIndex2 = 1; if ((!MI_IS_PHYSICAL_ADDRESS(VirtualAddress)) && (MI_IS_PHYSICAL_ADDRESS(HashEntry->InUse.VirtualAddress))) { PointerPte = MiGetPteAddress(VirtualAddress); if (PointerPte->u.Hard.Valid == 1) { PageFrameIndex = MI_GET_PAGE_FRAME_FROM_PTE (PointerPte); PageFrameIndex2 = MI_CONVERT_PHYSICAL_TO_PFN (HashEntry->InUse.VirtualAddress); } } // // Caller overran and corrupted the virtual address - the linked // list cannot be counted on either. // if (PageFrameIndex != PageFrameIndex2) { KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x52, (ULONG_PTR)VirtualAddress, (ULONG_PTR)HashEntry->InUse.VirtualAddress, ChargedBytes); } } if (HashEntry->InUse.NumberOfBytes != ChargedBytes) { // // Caller overran and corrupted the byte count - the linked // list cannot be counted on either. // KeBugCheckEx (DRIVER_VERIFIER_DETECTED_VIOLATION, 0x51, (ULONG_PTR)VirtualAddress, (ULONG_PTR)HashEntry, ChargedBytes); } // // Put this list entry into the freelist. // HashEntry->FreeListNext = Verifier->PoolHashFree; Verifier->PoolHashFree = HashEntry - Verifier->PoolHash; }

LOGICAL ViReservePoolAllocation (  IN PMI_VERIFIER_DRIVER_ENTRY  Verifier  )

Definition at line 1233 of file verifier.c. References ASSERT, ExAllocatePoolWithTagPriority(), ExFreePool(), FALSE, _VI_POOL_ENTRY::FreeListNext, HighPoolPriority, Increment, NonPagedPool, NULL, PAGE_SIZE, POOL_DRIVER_MASK, PVI_POOL_ENTRY, TRUE, VI_POOL_ENTRIES_PER_PAGE, and VI_POOL_ENTRY. Referenced by VeAllocatePoolWithTagPriority(). { ULONG_PTR OldSize; ULONG_PTR NewSize; ULONG_PTR NewHashOffset; ULONG_PTR Increment; ULONG_PTR Entries; ULONG_PTR i; KIRQL OldIrql; PVOID NewHashTable; PVI_POOL_ENTRY HashEntry; PVI_POOL_ENTRY OldHashTable; ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql); while (Verifier->PoolHashSize <= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved) { // // More space is needed. Try for it now. // #define VI_POOL_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(VI_POOL_ENTRY)) OldSize = Verifier->PoolHashSize * sizeof(VI_POOL_ENTRY); if (Verifier->PoolHashSize >= VI_POOL_ENTRIES_PER_PAGE) { Increment = PAGE_SIZE; } else { Increment = 16 * sizeof (VI_POOL_ENTRY); } ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql); NewSize = OldSize + Increment; if (NewSize < OldSize) { return FALSE; } // // Note POOL_DRIVER_MASK must be set to stop the recursion loop // when using the kernel verifier. // NewHashTable = ExAllocatePoolWithTagPriority (NonPagedPool | POOL_DRIVER_MASK, NewSize, 'ppeV', HighPoolPriority); ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql); OldSize = Verifier->PoolHashSize * sizeof(VI_POOL_ENTRY); if (NewHashTable == NULL) { if (Verifier->PoolHashSize <= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved) { ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql); return FALSE; } // // Another thread got here before us and space is available. // break; } if (NewSize != OldSize + Increment) { // // Another thread got here before us. // ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql); ExFreePool (NewHashTable); ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql); } else { // // Rebuild the list into the new table. // OldHashTable = Verifier->PoolHash; if (OldHashTable != NULL) { RtlCopyMemory (NewHashTable, OldHashTable, OldSize); } // // Construct the freelist chaining it through any existing // list (any free entries must be already reserved). // HashEntry = (PVI_POOL_ENTRY) ((PCHAR)NewHashTable + OldSize); Entries = Increment / sizeof (VI_POOL_ENTRY); NewHashOffset = HashEntry - (PVI_POOL_ENTRY)NewHashTable; // // If list compaction becomes important then chaining it on the // end here will need to be revisited. // for (i = 0; i < Entries; i += 1) { HashEntry->FreeListNext = NewHashOffset + i + 1; HashEntry += 1; } HashEntry -= 1; HashEntry->FreeListNext = Verifier->PoolHashFree; Verifier->PoolHashFree = NewHashOffset; Verifier->PoolHash = NewHashTable; Verifier->PoolHashSize += Entries; // // Free the old table. // if (OldHashTable != NULL) { ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql); ExFreePool (OldHashTable); ExAcquireSpinLock (&Verifier->VerifierPoolLock, &OldIrql); } } } Verifier->PoolHashReserved += 1; ASSERT (Verifier->PoolHashSize >= Verifier->CurrentPagedPoolAllocations + Verifier->CurrentNonPagedPoolAllocations + Verifier->PoolHashReserved); ExReleaseSpinLock (&Verifier->VerifierPoolLock, OldIrql); return TRUE; }

VOID ViTrimAllSystemPagableMemory (  VOID   )

Definition at line 2333 of file verifier.c. References FALSE, KeQueryTickCount(), KernelVerifier, KernelVerifierTickPage, MiNoPageOnRaiseIrql, MmTrimAllSystemPagableMemory(), MmVerifierData, and TRUE. Referenced by VerifierKeAcquireSpinLock(), VerifierKeRaiseIrql(), and VerifierSynchronizeExecution(). { LARGE_INTEGER CurrentTime; LOGICAL PageOut; PageOut = TRUE; if (KernelVerifier == TRUE) { KeQueryTickCount(&CurrentTime); if ((CurrentTime.LowPart & KernelVerifierTickPage) != 0) { PageOut = FALSE; } } if ((PageOut == TRUE) && (MiNoPageOnRaiseIrql == 0)) { MmVerifierData.TrimRequests += 1; if (MmTrimAllSystemPagableMemory (FALSE) == TRUE) { MmVerifierData.Trims += 1; } } }

---

Variable Documentation

LOGICAL KernelVerifier = FALSE

Definition at line 404 of file verifier.c.

ULONG KernelVerifierTickPage = 0x7

Definition at line 406 of file verifier.c. Referenced by ViTrimAllSystemPagableMemory().

ULONG MiActiveVerifierThunks

Definition at line 378 of file verifier.c. Referenced by MiVerifierCheckThunks(), MmAddVerifierThunks(), and MmUnloadSystemImage().

ULONG MiActiveVerifies

Definition at line 376 of file verifier.c. Referenced by MiApplyDriverVerifier(), and MiVerifyingDriverUnloading().

ULONG MiNoPageOnRaiseIrql

Definition at line 380 of file verifier.c. Referenced by MiVerifyingDriverUnloading(), and ViTrimAllSystemPagableMemory().

LIST_ENTRY MiSuspectDriverList

Definition at line 370 of file verifier.c. Referenced by MiApplyDriverVerifier(), MiInitializeDriverVerifierList(), MiVerifyingDriverUnloading(), MmGetVerifierInformation(), ViInsertVerifierEntry(), and ViLocateVerifierEntry().

LIST_ENTRY MiVerifierDriverAddedThunkListHead

Definition at line 400 of file verifier.c. Referenced by MiEnableVerifier(), MiInitializeDriverVerifierList(), MiVerifierCheckThunks(), and MmAddVerifierThunks().

ULONG MiVerifierStackProtectTime

Definition at line 382 of file verifier.c. Referenced by MiApplyDriverVerifier(), and MiVerifyingDriverUnloading().

VERIFIER_THUNKS MiVerifierThunks[]

Definition at line 4516 of file verifier.c. Referenced by MiEnableVerifier().

LOGICAL MiVerifyAllDrivers

Definition at line 372 of file verifier.c. Referenced by MiApplyDriverVerifier(), and MiInitializeDriverVerifierList().

WCHAR MiVerifyRandomDrivers

Definition at line 374 of file verifier.c. Referenced by MiApplyDriverVerifier(), and MiInitializeDriverVerifierList().

LOGICAL MmDontVerifyRandomDrivers = TRUE

Definition at line 384 of file verifier.c.

LOGICAL MmSpecialPoolCatchOverruns

Definition at line 402 of file verifier.c.

MM_DRIVER_VERIFIER_DATA MmVerifierData

Definition at line 361 of file verifier.c.

WCHAR Printable[] = L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" [static]

Definition at line 4332 of file verifier.c. Referenced by ViPrintString().

ULONG PrintableChars = sizeof (Printable) / sizeof (Printable[0]) - 1 [static]

Definition at line 4333 of file verifier.c. Referenced by ViPrintString().

int VerifierIrqlData[0x10]

Definition at line 2230 of file verifier.c. Referenced by KfSanityCheckLowerIrql(), and KfSanityCheckRaiseIrql().

LOGICAL VerifierIsTrackingPool = FALSE

Definition at line 390 of file verifier.c. Referenced by VerifierFreeTrackedPool(), and ViPostPoolAllocation().

PRTL_BITMAP VerifierLargePagedPoolMap

Definition at line 398 of file verifier.c. Referenced by MiAllocatePoolPages(), MiBuildPagedPool(), and MiFreePoolPages().

KSPIN_LOCK VerifierListLock

Definition at line 392 of file verifier.c. Referenced by MiInitializeDriverVerifierList(), MiVerifyingDriverUnloading(), ViInitializeEntry(), ViInsertVerifierEntry(), and ViLocateVerifierEntry().

ULONG VerifierModifyableOptions

Definition at line 367 of file verifier.c. Referenced by MiInitializeDriverVerifierList(), and MmSetVerifierInformation().

ULONG VerifierOptionChanges

Definition at line 368 of file verifier.c. Referenced by MmSetVerifierInformation().

KSPIN_LOCK VerifierPoolLock

Definition at line 394 of file verifier.c. Referenced by MiInitializeDriverVerifierList(), VerifierFreeTrackedPool(), and ViPostPoolAllocation().

FAST_MUTEX VerifierPoolMutex

Definition at line 396 of file verifier.c. Referenced by MiInitializeDriverVerifierList(), VerifierFreeTrackedPool(), and ViPostPoolAllocation().

LARGE_INTEGER VerifierRequiredTimeSinceBoot = {(ULONG)(40 * 1000 * 1000 * 10), 1}

Definition at line 388 of file verifier.c. Referenced by ViInjectResourceFailure().

LOGICAL VerifierSystemSufficientlyBooted

Definition at line 386 of file verifier.c. Referenced by ViInjectResourceFailure().

PUNICODE_STRING ViBadDriver

Definition at line 3622 of file verifier.c. Referenced by MiVerifyingDriverUnloading().

KSPIN_LOCK ViBadMapperLock

Definition at line 628 of file verifier.c. Referenced by MiInitializeDriverVerifierList(), and ViAddBadMapper().

PVOID ViBadMappers[VI_BAD_MAPPERS_MAX]

Definition at line 629 of file verifier.c. Referenced by ViAddBadMapper().

---