Windows-Server-2003/base/ntos/ps/create.c

2470 lines
70 KiB
C
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
create.c
Abstract:
Process and Thread Creation.
Author:
Mark Lucovsky (markl) 20-Apr-1989
Neill Clift (NeillC) 8-Apr-2001
Revamped process lock usage to limit time spend under the lock.
Use rundown protection to protect parent against deletion.
Tidy up errors paths to be small and mostly handled by process delete.
Lock free and unload safe callouts.
Revision History:
--*/
#include "psp.h"
ULONG
PspUnhandledExceptionInSystemThread(
IN PEXCEPTION_POINTERS ExceptionPointers
);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE, NtCreateThread)
#pragma alloc_text(PAGE, PsCreateSystemThread)
#pragma alloc_text(PAGE, PspCreateThread)
#pragma alloc_text(PAGE, NtCreateProcess)
#pragma alloc_text(PAGE, NtCreateProcessEx)
#pragma alloc_text(PAGE, PsCreateSystemProcess)
#pragma alloc_text(PAGE, PspCreateProcess)
#pragma alloc_text(PAGE, PsSetCreateProcessNotifyRoutine)
#pragma alloc_text(PAGE, PsSetCreateThreadNotifyRoutine)
#pragma alloc_text(PAGE, PsRemoveCreateThreadNotifyRoutine)
#pragma alloc_text(PAGE, PspUserThreadStartup)
#pragma alloc_text(PAGE, PsSetLoadImageNotifyRoutine)
#pragma alloc_text(PAGE, PsRemoveLoadImageNotifyRoutine)
#pragma alloc_text(PAGE, PsCallImageNotifyRoutines)
#pragma alloc_text(PAGE, PspUnhandledExceptionInSystemThread)
#pragma alloc_text(PAGE, PspSystemThreadStartup)
#pragma alloc_text(PAGE, PspImageNotifyTest)
#endif
extern UNICODE_STRING CmCSDVersionString;
#ifdef ALLOC_DATA_PRAGMA
#pragma data_seg("PAGEDATA")
#endif
LCID PsDefaultSystemLocaleId = 0;
LCID PsDefaultThreadLocaleId = 0;
LANGID PsDefaultUILanguageId = 0;
LANGID PsInstallUILanguageId = 0;
//
// The following two globals are present to make it easier to change
// working set sizes when debugging.
//
ULONG PsMinimumWorkingSet = 20;
ULONG PsMaximumWorkingSet = 45;
BOOLEAN PsImageNotifyEnabled = FALSE;
#ifdef ALLOC_DATA_PRAGMA
#pragma data_seg()
#endif
//
// Define the local storage for the process lock fast mutex.
//
NTSTATUS
NtCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PINITIAL_TEB InitialTeb,
IN BOOLEAN CreateSuspended
)
/*++
Routine Description:
This system service API creates and initializes a thread object.
Arguments:
ThreadHandle - Returns the handle for the new thread.
DesiredAccess - Supplies the desired access modes to the new thread.
ObjectAttributes - Supplies the object attributes of the new thread.
ProcessHandle - Supplies a handle to the process that the thread is being
created within.
ClientId - Returns the CLIENT_ID of the new thread.
ThreadContext - Supplies an initial context for the new thread.
InitialTeb - Supplies the initial contents for the thread's TEB.
CreateSuspended - Supplies a value that controls whether or not a
thread is created in a suspended state.
Return Value:
TBD
--*/
{
NTSTATUS Status;
INITIAL_TEB CapturedInitialTeb;
PAGED_CODE();
//
// Probe all arguments
//
try {
if (KeGetPreviousMode () != KernelMode) {
ProbeForWriteHandle (ThreadHandle);
if (ARGUMENT_PRESENT (ClientId)) {
ProbeForWriteSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG));
}
if (ARGUMENT_PRESENT (ThreadContext) ) {
ProbeForReadSmallStructure (ThreadContext, sizeof (CONTEXT), CONTEXT_ALIGN);
} else {
return STATUS_INVALID_PARAMETER;
}
ProbeForReadSmallStructure (InitialTeb, sizeof (InitialTeb->OldInitialTeb), sizeof (ULONG));
}
CapturedInitialTeb.OldInitialTeb = InitialTeb->OldInitialTeb;
if (CapturedInitialTeb.OldInitialTeb.OldStackBase == NULL &&
CapturedInitialTeb.OldInitialTeb.OldStackLimit == NULL) {
//
// Since the structure size here is less than 64k we don't need to reprobe
//
CapturedInitialTeb = *InitialTeb;
}
} except (ExSystemExceptionFilter ()) {
return GetExceptionCode ();
}
Status = PspCreateThread (ThreadHandle,
DesiredAccess,
ObjectAttributes,
ProcessHandle,
NULL,
ClientId,
ThreadContext,
&CapturedInitialTeb,
CreateSuspended,
NULL,
NULL);
return Status;
}
NTSTATUS
PsCreateSystemThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle OPTIONAL,
OUT PCLIENT_ID ClientId OPTIONAL,
IN PKSTART_ROUTINE StartRoutine,
IN PVOID StartContext
)
/*++
Routine Description:
This routine creates and starts a system thread.
Arguments:
ThreadHandle - Returns the handle for the new thread.
DesiredAccess - Supplies the desired access modes to the new thread.
ObjectAttributes - Supplies the object attributes of the new thread.
ProcessHandle - Supplies a handle to the process that the thread is being
created within. If this parameter is not specified, then
the initial system process is used.
ClientId - Returns the CLIENT_ID of the new thread.
StartRoutine - Supplies the address of the system thread start routine.
StartContext - Supplies context for a system thread start routine.
Return Value:
TBD
--*/
{
NTSTATUS Status;
HANDLE SystemProcess;
PEPROCESS ProcessPointer;
PAGED_CODE();
ProcessPointer = NULL;
if (ARGUMENT_PRESENT (ProcessHandle)) {
SystemProcess = ProcessHandle;
} else {
SystemProcess = NULL;
ProcessPointer = PsInitialSystemProcess;
}
Status = PspCreateThread (ThreadHandle,
DesiredAccess,
ObjectAttributes,
SystemProcess,
ProcessPointer,
ClientId,
NULL,
NULL,
FALSE,
StartRoutine,
StartContext);
return Status;
}
BOOLEAN PsUseImpersonationToken = FALSE;
NTSTATUS
PspCreateThread(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle,
IN PEPROCESS ProcessPointer,
OUT PCLIENT_ID ClientId OPTIONAL,
IN PCONTEXT ThreadContext OPTIONAL,
IN PINITIAL_TEB InitialTeb OPTIONAL,
IN BOOLEAN CreateSuspended,
IN PKSTART_ROUTINE StartRoutine OPTIONAL,
IN PVOID StartContext
)
/*++
Routine Description:
This routine creates and initializes a thread object. It implements the
foundation for NtCreateThread and for PsCreateSystemThread.
Arguments:
ThreadHandle - Returns the handle for the new thread.
DesiredAccess - Supplies the desired access modes to the new thread.
ObjectAttributes - Supplies the object attributes of the new thread.
ProcessHandle - Supplies a handle to the process that the thread is being
created within.
ClientId - Returns the CLIENT_ID of the new thread.
ThreadContext - Supplies a pointer to a context frame that represents the
initial user-mode context for a user-mode thread. The absence
of this parameter indicates that a system thread is being
created.
InitialTeb - Supplies the contents of certain fields for the new threads
TEB. This parameter is only examined if both a trap and
exception frame were specified.
CreateSuspended - Supplies a value that controls whether or not a user-mode
thread is created in a suspended state.
StartRoutine - Supplies the address of the system thread start routine.
StartContext - Supplies context for a system thread start routine.
Return Value:
TBD
--*/
{
HANDLE_TABLE_ENTRY CidEntry;
NTSTATUS Status;
PETHREAD Thread;
PETHREAD CurrentThread;
PEPROCESS Process;
PTEB Teb;
KPROCESSOR_MODE PreviousMode;
HANDLE LocalThreadHandle;
BOOLEAN AccessCheck;
BOOLEAN MemoryAllocated;
PSECURITY_DESCRIPTOR SecurityDescriptor;
SECURITY_SUBJECT_CONTEXT SubjectContext;
NTSTATUS accesst;
LARGE_INTEGER CreateTime;
ULONG OldActiveThreads;
PEJOB Job;
AUX_ACCESS_DATA AuxData;
PACCESS_STATE AccessState;
ACCESS_STATE LocalAccessState;
PAGED_CODE();
CurrentThread = PsGetCurrentThread ();
if (StartRoutine != NULL) {
PreviousMode = KernelMode;
} else {
PreviousMode = KeGetPreviousModeByThread (&CurrentThread->Tcb);
}
Teb = NULL;
Thread = NULL;
Process = NULL;
if (ProcessHandle != NULL) {
//
// Process object reference count is biased by one for each thread.
// This accounts for the pointer given to the kernel that remains
// in effect until the thread terminates (and becomes signaled)
//
Status = ObReferenceObjectByHandle (ProcessHandle,
PROCESS_CREATE_THREAD,
PsProcessType,
PreviousMode,
&Process,
NULL);
} else {
if (StartRoutine != NULL) {
ObReferenceObject (ProcessPointer);
Process = ProcessPointer;
Status = STATUS_SUCCESS;
} else {
Status = STATUS_INVALID_HANDLE;
}
}
if (!NT_SUCCESS (Status)) {
return Status;
}
//
// If the previous mode is user and the target process is the system
// process, then the operation cannot be performed.
//
if ((PreviousMode != KernelMode) && (Process == PsInitialSystemProcess)) {
ObDereferenceObject (Process);
return STATUS_INVALID_HANDLE;
}
Status = ObCreateObject (PreviousMode,
PsThreadType,
ObjectAttributes,
PreviousMode,
NULL,
sizeof(ETHREAD),
0,
0,
&Thread);
if (!NT_SUCCESS (Status)) {
ObDereferenceObject (Process);
return Status;
}
RtlZeroMemory (Thread, sizeof (ETHREAD));
//
// Initialize rundown protection for cross thread TEB refs etc.
//
ExInitializeRundownProtection (&Thread->RundownProtect);
//
// Assign this thread to the process so that from now on
// we don't have to dereference in error paths.
//
Thread->ThreadsProcess = Process;
Thread->Cid.UniqueProcess = Process->UniqueProcessId;
CidEntry.Object = Thread;
CidEntry.GrantedAccess = 0;
Thread->Cid.UniqueThread = ExCreateHandle (PspCidTable, &CidEntry);
if (Thread->Cid.UniqueThread == NULL) {
ObDereferenceObject (Thread);
return (STATUS_INSUFFICIENT_RESOURCES);
}
//
// Initialize Mm
//
Thread->ReadClusterSize = MmReadClusterSize;
//
// Initialize LPC
//
KeInitializeSemaphore (&Thread->LpcReplySemaphore, 0L, 1L);
InitializeListHead (&Thread->LpcReplyChain);
//
// Initialize Io
//
InitializeListHead (&Thread->IrpList);
//
// Initialize Registry
//
InitializeListHead (&Thread->PostBlockList);
//
// Initialize the thread lock
//
PspInitializeThreadLock (Thread);
//
// Initialize Security. Unneeded as we zero out the entire thread block
//
// PspInitializeThreadSecurity (Process, Thread);
//
// Initialize Termination port list. Unneeded as we zero out the entire thread
//
// InitializeListHead (&Thread->TerminationPort);
KeInitializeSpinLock (&Thread->ActiveTimerListLock);
InitializeListHead (&Thread->ActiveTimerListHead);
if (!ExAcquireRundownProtection (&Process->RundownProtect)) {
ObDereferenceObject (Thread);
return STATUS_PROCESS_IS_TERMINATING;
}
if (ARGUMENT_PRESENT (ThreadContext)) {
//
// User-mode thread. Create TEB etc
//
Status = MmCreateTeb (Process, InitialTeb, &Thread->Cid, &Teb);
if (!NT_SUCCESS (Status)) {
ExReleaseRundownProtection (&Process->RundownProtect);
ObDereferenceObject (Thread);
return Status;
}
try {
//
// Initialize kernel thread object for user mode thread.
//
Thread->StartAddress = (PVOID)CONTEXT_TO_PROGRAM_COUNTER(ThreadContext);
#if defined(_IA64_)
Thread->Win32StartAddress = (PVOID)ThreadContext->IntT0;
#elif defined(_AMD64_)
Thread->Win32StartAddress = (PVOID)ThreadContext->Rdx;
#elif defined(_X86_)
Thread->Win32StartAddress = (PVOID)ThreadContext->Eax;
#else
#error "no target architecture"
#endif // defined(_IA64_)
} except (EXCEPTION_EXECUTE_HANDLER) {
Status = GetExceptionCode();
}
if (NT_SUCCESS (Status)) {
Status = KeInitThread (&Thread->Tcb,
NULL,
PspUserThreadStartup,
(PKSTART_ROUTINE)NULL,
Thread->StartAddress,
ThreadContext,
Teb,
&Process->Pcb);
#if defined(_AMD64_)
//
// Always save the legacy floating point state for wow64 threads.
//
if ((NT_SUCCESS (Status)) &&
(Process->Wow64Process != NULL)) {
Thread->Tcb.NpxState = LEGACY_STATE_SWITCH;
}
#endif
}
} else {
Teb = NULL;
//
// Set the system thread bit thats kept for all time
//
PS_SET_BITS (&Thread->CrossThreadFlags, PS_CROSS_THREAD_FLAGS_SYSTEM);
//
// Initialize kernel thread object for kernel mode thread.
//
Thread->StartAddress = (PKSTART_ROUTINE) StartRoutine;
Status = KeInitThread (&Thread->Tcb,
NULL,
PspSystemThreadStartup,
StartRoutine,
StartContext,
NULL,
NULL,
&Process->Pcb);
}
if (!NT_SUCCESS (Status)) {
if (Teb != NULL) {
MmDeleteTeb(Process, Teb);
}
ExReleaseRundownProtection (&Process->RundownProtect);
ObDereferenceObject (Thread);
return Status;
}
PspLockProcessExclusive (Process, CurrentThread);
//
// Process is exiting or has had delete process called
//
if ((Process->Flags&PS_PROCESS_FLAGS_PROCESS_DELETE) != 0) {
PspUnlockProcessExclusive (Process, CurrentThread);
KeUninitThread (&Thread->Tcb);
if (Teb != NULL) {
MmDeleteTeb(Process, Teb);
}
ExReleaseRundownProtection (&Process->RundownProtect);
ObDereferenceObject(Thread);
return STATUS_PROCESS_IS_TERMINATING;
}
OldActiveThreads = Process->ActiveThreads++;
InsertTailList (&Process->ThreadListHead, &Thread->ThreadListEntry);
KeStartThread (&Thread->Tcb);
PspUnlockProcessExclusive (Process, CurrentThread);
ExReleaseRundownProtection (&Process->RundownProtect);
//
// Failures that occur after this point cause the thread to
// go through PspExitThread
//
if (OldActiveThreads == 0) {
PERFINFO_PROCESS_CREATE (Process);
if (PspCreateProcessNotifyRoutineCount != 0) {
ULONG i;
PEX_CALLBACK_ROUTINE_BLOCK CallBack;
PCREATE_PROCESS_NOTIFY_ROUTINE Rtn;
for (i=0; i<PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {
CallBack = ExReferenceCallBackBlock (&PspCreateProcessNotifyRoutine[i]);
if (CallBack != NULL) {
Rtn = (PCREATE_PROCESS_NOTIFY_ROUTINE) ExGetCallBackBlockRoutine (CallBack);
Rtn (Process->InheritedFromUniqueProcessId,
Process->UniqueProcessId,
TRUE);
ExDereferenceCallBackBlock (&PspCreateProcessNotifyRoutine[i],
CallBack);
}
}
}
}
//
// If the process has a job with a completion port,
// AND if the process is really considered to be in the Job, AND
// the process has not reported, report in
//
// This should really be done in add process to job, but can't
// in this path because the process's ID isn't assigned until this point
// in time
//
Job = Process->Job;
if (Job != NULL && Job->CompletionPort &&
!(Process->JobStatus & (PS_JOB_STATUS_NOT_REALLY_ACTIVE|PS_JOB_STATUS_NEW_PROCESS_REPORTED))) {
PS_SET_BITS (&Process->JobStatus, PS_JOB_STATUS_NEW_PROCESS_REPORTED);
KeEnterCriticalRegionThread (&CurrentThread->Tcb);
ExAcquireResourceSharedLite (&Job->JobLock, TRUE);
if (Job->CompletionPort != NULL) {
IoSetIoCompletion (Job->CompletionPort,
Job->CompletionKey,
(PVOID)Process->UniqueProcessId,
STATUS_SUCCESS,
JOB_OBJECT_MSG_NEW_PROCESS,
FALSE);
}
ExReleaseResourceLite (&Job->JobLock);
KeLeaveCriticalRegionThread (&CurrentThread->Tcb);
}
PERFINFO_THREAD_CREATE(Thread, InitialTeb);
//
// Notify registered callout routines of thread creation.
//
if (PspCreateThreadNotifyRoutineCount != 0) {
ULONG i;
PEX_CALLBACK_ROUTINE_BLOCK CallBack;
PCREATE_THREAD_NOTIFY_ROUTINE Rtn;
for (i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i++) {
CallBack = ExReferenceCallBackBlock (&PspCreateThreadNotifyRoutine[i]);
if (CallBack != NULL) {
Rtn = (PCREATE_THREAD_NOTIFY_ROUTINE) ExGetCallBackBlockRoutine (CallBack);
Rtn (Thread->Cid.UniqueProcess,
Thread->Cid.UniqueThread,
TRUE);
ExDereferenceCallBackBlock (&PspCreateThreadNotifyRoutine[i],
CallBack);
}
}
}
//
// Reference count of thread is biased once for itself and once for the handle if we create it.
//
ObReferenceObjectEx (Thread, 2);
if (CreateSuspended) {
try {
KeSuspendThread (&Thread->Tcb);
} except ((GetExceptionCode () == STATUS_SUSPEND_COUNT_EXCEEDED)?
EXCEPTION_EXECUTE_HANDLER :
EXCEPTION_CONTINUE_SEARCH) {
}
//
// If deletion was started after we suspended then wake up the thread
//
if (Thread->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_TERMINATED) {
KeForceResumeThread (&Thread->Tcb);
}
}
AccessState = NULL;
if (!PsUseImpersonationToken) {
AccessState = &LocalAccessState;
Status = SeCreateAccessStateEx (NULL,
ARGUMENT_PRESENT (ThreadContext)?PsGetCurrentProcessByThread (CurrentThread) : Process,
AccessState,
&AuxData,
DesiredAccess,
&PsThreadType->TypeInfo.GenericMapping);
if (!NT_SUCCESS (Status)) {
PS_SET_BITS (&Thread->CrossThreadFlags,
PS_CROSS_THREAD_FLAGS_DEADTHREAD);
if (CreateSuspended) {
(VOID) KeResumeThread (&Thread->Tcb);
}
KeReadyThread (&Thread->Tcb);
ObDereferenceObject (Thread);
return Status;
}
}
Status = ObInsertObject (Thread,
AccessState,
DesiredAccess,
0,
NULL,
&LocalThreadHandle);
if (AccessState != NULL) {
SeDeleteAccessState (AccessState);
}
if (!NT_SUCCESS (Status)) {
//
// The insert failed. Terminate the thread.
//
//
// This trick is used so that Dbgk doesn't report
// events for dead threads
//
PS_SET_BITS (&Thread->CrossThreadFlags,
PS_CROSS_THREAD_FLAGS_DEADTHREAD);
if (CreateSuspended) {
KeResumeThread (&Thread->Tcb);
}
} else {
try {
*ThreadHandle = LocalThreadHandle;
if (ARGUMENT_PRESENT (ClientId)) {
*ClientId = Thread->Cid;
}
} except(EXCEPTION_EXECUTE_HANDLER) {
PS_SET_BITS (&Thread->CrossThreadFlags,
PS_CROSS_THREAD_FLAGS_DEADTHREAD);
if (CreateSuspended) {
(VOID) KeResumeThread (&Thread->Tcb);
}
KeReadyThread (&Thread->Tcb);
ObDereferenceObject (Thread);
ObCloseHandle (LocalThreadHandle, PreviousMode);
return GetExceptionCode();
}
}
KeQuerySystemTime(&CreateTime);
ASSERT ((CreateTime.HighPart & 0xf0000000) == 0);
PS_SET_THREAD_CREATE_TIME(Thread, CreateTime);
if ((Thread->CrossThreadFlags&PS_CROSS_THREAD_FLAGS_DEADTHREAD) == 0) {
Status = ObGetObjectSecurity (Thread,
&SecurityDescriptor,
&MemoryAllocated);
if (!NT_SUCCESS (Status)) {
//
// This trick us used so that Dbgk doesn't report
// events for dead threads
//
PS_SET_BITS (&Thread->CrossThreadFlags,
PS_CROSS_THREAD_FLAGS_DEADTHREAD);
if (CreateSuspended) {
KeResumeThread(&Thread->Tcb);
}
KeReadyThread (&Thread->Tcb);
ObDereferenceObject (Thread);
ObCloseHandle (LocalThreadHandle, PreviousMode);
return Status;
}
//
// Compute the subject security context
//
SubjectContext.ProcessAuditId = Process;
SubjectContext.PrimaryToken = PsReferencePrimaryToken(Process);
SubjectContext.ClientToken = NULL;
AccessCheck = SeAccessCheck (SecurityDescriptor,
&SubjectContext,
FALSE,
MAXIMUM_ALLOWED,
0,
NULL,
&PsThreadType->TypeInfo.GenericMapping,
PreviousMode,
&Thread->GrantedAccess,
&accesst);
PsDereferencePrimaryTokenEx (Process, SubjectContext.PrimaryToken);
ObReleaseObjectSecurity (SecurityDescriptor,
MemoryAllocated);
if (!AccessCheck) {
Thread->GrantedAccess = 0;
}
Thread->GrantedAccess |= (THREAD_TERMINATE | THREAD_SET_INFORMATION | THREAD_QUERY_INFORMATION);
} else {
Thread->GrantedAccess = THREAD_ALL_ACCESS;
}
KeReadyThread (&Thread->Tcb);
ObDereferenceObject (Thread);
return Status;
}
NTSTATUS
NtCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL
)
{
ULONG Flags = 0;
if ((ULONG_PTR)SectionHandle & 1) {
Flags |= PROCESS_CREATE_FLAGS_BREAKAWAY;
}
if ((ULONG_PTR) DebugPort & 1) {
Flags |= PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT;
}
if (InheritObjectTable) {
Flags |= PROCESS_CREATE_FLAGS_INHERIT_HANDLES;
}
return NtCreateProcessEx (ProcessHandle,
DesiredAccess,
ObjectAttributes OPTIONAL,
ParentProcess,
Flags,
SectionHandle,
DebugPort,
ExceptionPort,
0);
}
NTSTATUS
NtCreateProcessEx(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess,
IN ULONG Flags,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN ULONG JobMemberLevel
)
/*++
Routine Description:
This routine creates a process object.
Arguments:
ProcessHandle - Returns the handle for the new process.
DesiredAccess - Supplies the desired access modes to the new process.
ObjectAttributes - Supplies the object attributes of the new process.
.
.
.
Return Value:
TBD
--*/
{
NTSTATUS Status;
PAGED_CODE();
if (KeGetPreviousMode() != KernelMode) {
//
// Probe all arguments
//
try {
ProbeForWriteHandle (ProcessHandle);
} except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode ();
}
}
if (ARGUMENT_PRESENT (ParentProcess)) {
Status = PspCreateProcess (ProcessHandle,
DesiredAccess,
ObjectAttributes,
ParentProcess,
Flags,
SectionHandle,
DebugPort,
ExceptionPort,
JobMemberLevel);
} else {
Status = STATUS_INVALID_PARAMETER;
}
return Status;
}
NTSTATUS
PsCreateSystemProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
)
/*++
Routine Description:
This routine creates a system process object. A system process
has an address space that is initialized to an empty address space
that maps the system.
The process inherits its access token and other attributes from the
initial system process. The process is created with an empty handle table.
Arguments:
ProcessHandle - Returns the handle for the new process.
DesiredAccess - Supplies the desired access modes to the new process.
ObjectAttributes - Supplies the object attributes of the new process.
Return Value:
TBD
--*/
{
NTSTATUS Status;
PAGED_CODE();
Status = PspCreateProcess (ProcessHandle,
DesiredAccess,
ObjectAttributes,
PspInitialSystemProcessHandle,
0,
NULL,
NULL,
NULL,
0);
return Status;
}
NTSTATUS
PspCreateProcess(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ParentProcess OPTIONAL,
IN ULONG Flags,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN ULONG JobMemberLevel
)
/*++
Routine Description:
This routine creates and initializes a process object. It implements the
foundation for NtCreateProcess and for system initialization process
creation.
Arguments:
ProcessHandle - Returns the handle for the new process.
DesiredAccess - Supplies the desired access modes to the new process.
ObjectAttributes - Supplies the object attributes of the new process.
ParentProcess - Supplies a handle to the process' parent process. If this
parameter is not specified, then the process has no parent
and is created using the system address space.
Flags - Process creation flags
SectionHandle - Supplies a handle to a section object to be used to create
the process' address space. If this parameter is not
specified, then the address space is simply a clone of the
parent process' address space.
DebugPort - Supplies a handle to a port object that will be used as the
process' debug port.
ExceptionPort - Supplies a handle to a port object that will be used as the
process' exception port.
JobMemberLevel - Level for a create process in a jobset
Return Value:
TBD
--*/
{
NTSTATUS Status;
PEPROCESS Process;
PEPROCESS CurrentProcess;
PEPROCESS Parent;
PETHREAD CurrentThread;
KAFFINITY Affinity;
KPRIORITY BasePriority;
PVOID SectionObject;
PVOID ExceptionPortObject;
PVOID DebugPortObject;
ULONG WorkingSetMinimum, WorkingSetMaximum;
HANDLE LocalProcessHandle;
KPROCESSOR_MODE PreviousMode;
INITIAL_PEB InitialPeb;
BOOLEAN CreatePeb;
ULONG_PTR DirectoryTableBase[2];
BOOLEAN AccessCheck;
BOOLEAN MemoryAllocated;
PSECURITY_DESCRIPTOR SecurityDescriptor;
SECURITY_SUBJECT_CONTEXT SubjectContext;
NTSTATUS accesst;
NTSTATUS SavedStatus;
ULONG ImageFileNameSize;
HANDLE_TABLE_ENTRY CidEntry;
PEJOB Job;
PPEB Peb;
AUX_ACCESS_DATA AuxData;
PACCESS_STATE AccessState;
ACCESS_STATE LocalAccessState;
PAGED_CODE();
CurrentThread = PsGetCurrentThread ();
PreviousMode = KeGetPreviousModeByThread(&CurrentThread->Tcb);
CurrentProcess = PsGetCurrentProcessByThread (CurrentThread);
CreatePeb = FALSE;
DirectoryTableBase[0] = 0;
DirectoryTableBase[1] = 0;
Peb = NULL;
//
// Reject bogus create parameters for future expansion
//
if (Flags&~PROCESS_CREATE_FLAGS_LEGAL_MASK) {
return STATUS_INVALID_PARAMETER;
}
//
// Parent
//
if (ARGUMENT_PRESENT (ParentProcess)) {
Status = ObReferenceObjectByHandle (ParentProcess,
PROCESS_CREATE_PROCESS,
PsProcessType,
PreviousMode,
&Parent,
NULL);
if (!NT_SUCCESS (Status)) {
return Status;
}
if (JobMemberLevel != 0 && Parent->Job == NULL) {
ObDereferenceObject (Parent);
return STATUS_INVALID_PARAMETER;
}
BasePriority = (KPRIORITY) NORMAL_BASE_PRIORITY;
//
//BasePriority = Parent->Pcb.BasePriority;
//
Affinity = Parent->Pcb.Affinity;
WorkingSetMinimum = PsMinimumWorkingSet;
WorkingSetMaximum = PsMaximumWorkingSet;
} else {
Parent = NULL;
Affinity = KeActiveProcessors;
BasePriority = (KPRIORITY) NORMAL_BASE_PRIORITY;
WorkingSetMinimum = PsMinimumWorkingSet;
WorkingSetMaximum = PsMaximumWorkingSet;
}
//
// Create the process object
//
Status = ObCreateObject (PreviousMode,
PsProcessType,
ObjectAttributes,
PreviousMode,
NULL,
sizeof (EPROCESS),
0,
0,
&Process);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref_parent;
}
//
// The process object is created set to NULL. Errors
// That occur after this step cause the process delete
// routine to be entered.
//
// Teardown actions that occur in the process delete routine
// do not need to be performed inline.
//
RtlZeroMemory (Process, sizeof(EPROCESS));
ExInitializeRundownProtection (&Process->RundownProtect);
PspInitializeProcessLock (Process);
InitializeListHead (&Process->ThreadListHead);
#if defined(_WIN64)
if (Flags & PROCESS_CREATE_FLAGS_OVERRIDE_ADDRESS_SPACE) {
PS_SET_BITS (&Process->Flags, PS_PROCESS_FLAGS_OVERRIDE_ADDRESS_SPACE);
}
#endif
PspInheritQuota (Process, Parent);
ObInheritDeviceMap (Process, Parent);
if (Parent != NULL) {
Process->DefaultHardErrorProcessing = Parent->DefaultHardErrorProcessing;
Process->InheritedFromUniqueProcessId = Parent->UniqueProcessId;
} else {
Process->DefaultHardErrorProcessing = 1;
Process->InheritedFromUniqueProcessId = NULL;
}
//
// Section
//
if (ARGUMENT_PRESENT (SectionHandle)) {
Status = ObReferenceObjectByHandle (SectionHandle,
SECTION_MAP_EXECUTE,
MmSectionObjectType,
PreviousMode,
&SectionObject,
NULL);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
} else {
SectionObject = NULL;
if (Parent != PsInitialSystemProcess) {
//
// Fetch the section pointer from the parent process
// as we will be cloning. Since the section pointer
// is removed at last thread exit we need to protect against
// process exit here to be safe.
//
if (ExAcquireRundownProtection (&Parent->RundownProtect)) {
SectionObject = Parent->SectionObject;
if (SectionObject != NULL) {
ObReferenceObject (SectionObject);
}
ExReleaseRundownProtection (&Parent->RundownProtect);
}
if (SectionObject == NULL) {
Status = STATUS_PROCESS_IS_TERMINATING;
goto exit_and_deref;
}
}
}
Process->SectionObject = SectionObject;
//
// DebugPort
//
if (ARGUMENT_PRESENT (DebugPort)) {
Status = ObReferenceObjectByHandle (DebugPort,
DEBUG_PROCESS_ASSIGN,
DbgkDebugObjectType,
PreviousMode,
&DebugPortObject,
NULL);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
Process->DebugPort = DebugPortObject;
if (Flags&PROCESS_CREATE_FLAGS_NO_DEBUG_INHERIT) {
PS_SET_BITS (&Process->Flags, PS_PROCESS_FLAGS_NO_DEBUG_INHERIT);
}
} else {
if (Parent != NULL) {
DbgkCopyProcessDebugPort (Process, Parent);
}
}
//
// ExceptionPort
//
if (ARGUMENT_PRESENT (ExceptionPort)) {
Status = ObReferenceObjectByHandle (ExceptionPort,
0,
LpcPortObjectType,
PreviousMode,
&ExceptionPortObject,
NULL);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
Process->ExceptionPort = ExceptionPortObject;
}
Process->ExitStatus = STATUS_PENDING;
//
// Clone parent's object table.
// If no parent (booting) then use the current object table created in
// ObInitSystem.
//
if (Parent != NULL) {
//
// Calculate address space
//
// If Parent == PspInitialSystem
//
if (!MmCreateProcessAddressSpace (WorkingSetMinimum,
Process,
&DirectoryTableBase[0])) {
Status = STATUS_INSUFFICIENT_RESOURCES;
goto exit_and_deref;
}
} else {
Process->ObjectTable = CurrentProcess->ObjectTable;
//
// Initialize the Working Set Mutex and address creation mutex
// for this "hand built" process.
// Normally, the call to MmInitializeAddressSpace initializes the
// working set mutex, however, in this case, we have already initialized
// the address space and we are now creating a second process using
// the address space of the idle thread.
//
Status = MmInitializeHandBuiltProcess (Process, &DirectoryTableBase[0]);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
}
PS_SET_BITS (&Process->Flags, PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE);
Process->Vm.MaximumWorkingSetSize = WorkingSetMaximum;
KeInitializeProcess (&Process->Pcb,
BasePriority,
Affinity,
&DirectoryTableBase[0],
(BOOLEAN)(Process->DefaultHardErrorProcessing & PROCESS_HARDERROR_ALIGNMENT_BIT));
//
// Initialize the security fields of the process
// The parent may be null exactly once (during system init).
// Thereafter, a parent is always required so that we have a
// security context to duplicate for the new process.
//
Status = PspInitializeProcessSecurity (Parent, Process);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
Process->Pcb.ThreadQuantum = PspForegroundQuantum[0];
Process->PriorityClass = PROCESS_PRIORITY_CLASS_NORMAL;
if (Parent != NULL) {
if (Parent->PriorityClass == PROCESS_PRIORITY_CLASS_IDLE ||
Parent->PriorityClass == PROCESS_PRIORITY_CLASS_BELOW_NORMAL) {
Process->PriorityClass = Parent->PriorityClass;
}
//
// if address space creation worked, then when going through
// delete, we will attach. Of course, attaching means that the kprocess
// must be initialized, so we delay the object stuff till here.
//
Status = ObInitProcess ((Flags&PROCESS_CREATE_FLAGS_INHERIT_HANDLES) ? Parent : NULL,
Process);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
} else {
Status = MmInitializeHandBuiltProcess2 (Process);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
}
Status = STATUS_SUCCESS;
SavedStatus = STATUS_SUCCESS;
//
// Initialize the process address space
// The address space has four possibilities
//
// 1 - Boot Process. Address space is initialized during
// MmInit. Parent is not specified.
//
// 2 - System Process. Address space is a virgin address
// space that only maps system space. Process is same
// as PspInitialSystemProcess.
//
// 3 - User Process (Cloned Address Space). Address space
// is cloned from the specified process.
//
// 4 - User Process (New Image Address Space). Address space
// is initialized so that it maps the specified section.
//
if (SectionHandle != NULL) {
//
// User Process (New Image Address Space). Don't specify Process to
// clone, just SectionObject.
//
//
// Passing in the 4th parameter as below lets the EPROCESS struct contain its image file name, provided that
// appropriate audit settings are enabled. Memory is allocated inside of MmInitializeProcessAddressSpace
// and pointed to by ImageFileName, so that must be freed in the process deletion routine (PspDeleteProcess())
//
Status = MmInitializeProcessAddressSpace (Process,
NULL,
SectionObject,
&(Process->SeAuditProcessCreationInfo.ImageFileName));
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
//
// In order to support relocating executables, the proper status
// (STATUS_IMAGE_NOT_AT_BASE) must be returned, so save it here.
//
SavedStatus = Status;
CreatePeb = TRUE;
} else if (Parent != NULL) {
if (Parent != PsInitialSystemProcess) {
Process->SectionBaseAddress = Parent->SectionBaseAddress;
//
// User Process ( Cloned Address Space ). Don't specify section to
// map, just Process to clone.
//
Status = MmInitializeProcessAddressSpace (Process,
Parent,
NULL,
NULL);
CreatePeb = TRUE;
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
//
// A cloned process isn't started from an image file, so we give it the name
// of the process of which it is a clone, provided the original has a name.
//
if (Parent->SeAuditProcessCreationInfo.ImageFileName != NULL) {
ImageFileNameSize = sizeof(OBJECT_NAME_INFORMATION) +
Parent->SeAuditProcessCreationInfo.ImageFileName->Name.MaximumLength;
Process->SeAuditProcessCreationInfo.ImageFileName =
ExAllocatePoolWithTag (PagedPool,
ImageFileNameSize,
'aPeS');
if (Process->SeAuditProcessCreationInfo.ImageFileName != NULL) {
RtlCopyMemory (Process->SeAuditProcessCreationInfo.ImageFileName,
Parent->SeAuditProcessCreationInfo.ImageFileName,
ImageFileNameSize);
//
// The UNICODE_STRING in the process is self contained, so calculate the
// offset for the buffer.
//
Process->SeAuditProcessCreationInfo.ImageFileName->Name.Buffer =
(PUSHORT)(((PUCHAR) Process->SeAuditProcessCreationInfo.ImageFileName) +
sizeof(UNICODE_STRING));
} else {
Status = STATUS_INSUFFICIENT_RESOURCES;
goto exit_and_deref;
}
}
} else {
//
// System Process. Don't specify Process to clone or section to map
//
Status = MmInitializeProcessAddressSpace (Process,
NULL,
NULL,
NULL);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
//
// In case the image file name of this system process is ever queried, we give
// a zero length UNICODE_STRING.
//
Process->SeAuditProcessCreationInfo.ImageFileName =
ExAllocatePoolWithTag (PagedPool,
sizeof(OBJECT_NAME_INFORMATION),
'aPeS');
if (Process->SeAuditProcessCreationInfo.ImageFileName != NULL) {
RtlZeroMemory (Process->SeAuditProcessCreationInfo.ImageFileName,
sizeof(OBJECT_NAME_INFORMATION));
} else {
Status = STATUS_INSUFFICIENT_RESOURCES;
goto exit_and_deref;
}
}
}
//
// Create the process ID
//
CidEntry.Object = Process;
CidEntry.GrantedAccess = 0;
Process->UniqueProcessId = ExCreateHandle (PspCidTable, &CidEntry);
if (Process->UniqueProcessId == NULL) {
Status = STATUS_INSUFFICIENT_RESOURCES;
goto exit_and_deref;
}
ExSetHandleTableOwner (Process->ObjectTable, Process->UniqueProcessId);
//
// Audit the process creation.
//
if (SeDetailedAuditingWithToken (NULL)) {
SeAuditProcessCreation (Process);
}
//
// See if the parent has a job. If so reference the job
// and add the process in.
//
if (Parent) {
Job = Parent->Job;
if (Job != NULL && !(Job->LimitFlags & JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK)) {
if (Flags&PROCESS_CREATE_FLAGS_BREAKAWAY) {
if (!(Job->LimitFlags & JOB_OBJECT_LIMIT_BREAKAWAY_OK)) {
Status = STATUS_ACCESS_DENIED;
} else {
Status = STATUS_SUCCESS;
}
} else {
Status = PspGetJobFromSet (Job, JobMemberLevel, &Process->Job);
if (NT_SUCCESS (Status)) {
PACCESS_TOKEN Token, NewToken;
Job = Process->Job;
Status = PspAddProcessToJob (Job, Process);
//
// Duplicate a new process token if one is specified for the job
//
Token = Job->Token;
if (Token != NULL) {
Status = SeSubProcessToken (Token,
&NewToken,
FALSE,
Job->SessionId);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
SeAssignPrimaryToken (Process, NewToken);
ObDereferenceObject (NewToken);
}
}
}
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
}
}
if (Parent && CreatePeb) {
//
// For processes created w/ a section,
// a new "virgin" PEB is created. Otherwise,
// for forked processes, uses inherited PEB
// with an updated mutant.
RtlZeroMemory (&InitialPeb, FIELD_OFFSET(INITIAL_PEB, Mutant));
InitialPeb.Mutant = (HANDLE)(-1);
if (SectionHandle != NULL) {
Status = MmCreatePeb (Process, &InitialPeb, &Process->Peb);
if (!NT_SUCCESS (Status)) {
Process->Peb = NULL;
goto exit_and_deref;
}
Peb = Process->Peb;
} else {
SIZE_T BytesCopied;
InitialPeb.InheritedAddressSpace = TRUE;
Process->Peb = Parent->Peb;
MmCopyVirtualMemory (CurrentProcess,
&InitialPeb,
Process,
Process->Peb,
sizeof (INITIAL_PEB),
KernelMode,
&BytesCopied);
}
}
Peb = Process->Peb;
//
// Add the process to the global list of processes.
//
PspLockProcessList (CurrentThread);
InsertTailList (&PsActiveProcessHead, &Process->ActiveProcessLinks);
PspUnlockProcessList (CurrentThread);
AccessState = NULL;
if (!PsUseImpersonationToken) {
AccessState = &LocalAccessState;
Status = SeCreateAccessStateEx (NULL,
(Parent == NULL || Parent != PsInitialSystemProcess)?
PsGetCurrentProcessByThread (CurrentThread) :
PsInitialSystemProcess,
AccessState,
&AuxData,
DesiredAccess,
&PsProcessType->TypeInfo.GenericMapping);
if (!NT_SUCCESS (Status)) {
goto exit_and_deref;
}
}
//
// Insert the object. Once we do this is reachable from the outside world via
// open by name. Open by ID is still disabled. Since its reachable
// somebody might create a thread in the process and cause
// rundown.
//
Status = ObInsertObject (Process,
AccessState,
DesiredAccess,
1, // bias the refcnt by one for future process manipulations
NULL,
&LocalProcessHandle);
if (AccessState != NULL) {
SeDeleteAccessState (AccessState);
}
if (!NT_SUCCESS (Status)) {
goto exit_and_deref_parent;
}
//
// As soon as we create the handle the process is accessible to the outside world. Allow the process to
// be deleted.
//
Process->GrantedAccess = PROCESS_TERMINATE;
PsSetProcessPriorityByClass (Process, PsProcessPriorityBackground);
if (Parent && Parent != PsInitialSystemProcess) {
Status = ObGetObjectSecurity (Process,
&SecurityDescriptor,
&MemoryAllocated);
if (!NT_SUCCESS (Status)) {
ObCloseHandle (LocalProcessHandle, PreviousMode);
goto exit_and_deref;
}
//
// Compute the subject security context
//
SubjectContext.ProcessAuditId = Process;
SubjectContext.PrimaryToken = PsReferencePrimaryToken(Process);
SubjectContext.ClientToken = NULL;
AccessCheck = SeAccessCheck (SecurityDescriptor,
&SubjectContext,
FALSE,
MAXIMUM_ALLOWED,
0,
NULL,
&PsProcessType->TypeInfo.GenericMapping,
PreviousMode,
&Process->GrantedAccess,
&accesst);
PsDereferencePrimaryTokenEx (Process, SubjectContext.PrimaryToken);
ObReleaseObjectSecurity (SecurityDescriptor,
MemoryAllocated);
if (!AccessCheck) {
Process->GrantedAccess = 0;
}
//
// It does not make any sense to create a process that can not
// do anything to itself.
// Note: Changes to this set of bits should be reflected in psquery.c
// code, in PspSetPrimaryToken.
//
Process->GrantedAccess |= (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION | PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS | PROCESS_SET_INFORMATION | STANDARD_RIGHTS_ALL);
} else {
Process->GrantedAccess = PROCESS_ALL_ACCESS;
}
KeQuerySystemTime (&Process->CreateTime);
try {
if (Peb != NULL && CurrentThread->Tcb.Teb != NULL) {
((PTEB)(CurrentThread->Tcb.Teb))->NtTib.ArbitraryUserPointer = Peb;
}
*ProcessHandle = LocalProcessHandle;
} except (EXCEPTION_EXECUTE_HANDLER) {
}
if (SavedStatus != STATUS_SUCCESS) {
Status = SavedStatus;
}
exit_and_deref:
ObDereferenceObject (Process);
exit_and_deref_parent:
if (Parent != NULL) {
ObDereferenceObject (Parent);
}
return Status;
}
NTSTATUS
PsSetCreateProcessNotifyRoutine(
IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
IN BOOLEAN Remove
)
/*++
Routine Description:
This function allows an installable file system to hook into process
creation and deletion to track those events against their own internal
data structures.
Arguments:
NotifyRoutine - Supplies the address of a routine which is called at
process creation and deletion. The routine is passed the unique Id
of the created or deleted process and the parent process if it was
created with the inherit handles option. If it was created without
the inherit handle options, then the parent process Id will be NULL.
The third parameter passed to the notify routine is TRUE if the process
is being created and FALSE if it is being deleted.
The callout for creation happens just after the first thread in the
process has been created. The callout for deletion happens after the
last thread in a process has terminated and the address space is about
to be deleted. It is possible to get a deletion call without a creation
call if the pathological case where a process is created and deleted
without a thread ever being created.
Remove - FALSE specifies to install the callout and TRUE specifies to
remove the callout that mat
Return Value:
STATUS_SUCCESS if successful, and STATUS_INVALID_PARAMETER if not.
--*/
{
ULONG i;
PEX_CALLBACK_ROUTINE_BLOCK CallBack;
PAGED_CODE();
if (Remove) {
for (i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {
//
// Reference the callback so we can check its routine address.
//
CallBack = ExReferenceCallBackBlock (&PspCreateProcessNotifyRoutine[i]);
if (CallBack != NULL) {
//
// See if the routine matches our target
//
if ((PCREATE_PROCESS_NOTIFY_ROUTINE) ExGetCallBackBlockRoutine (CallBack) == NotifyRoutine) {
if (ExCompareExchangeCallBack (&PspCreateProcessNotifyRoutine[i],
NULL,
CallBack)) {
InterlockedDecrement ((PLONG) &PspCreateProcessNotifyRoutineCount);
ExDereferenceCallBackBlock (&PspCreateProcessNotifyRoutine[i],
CallBack);
//
// Wait for any active callbacks to finish and free the block.
//
ExWaitForCallBacks (CallBack);
ExFreeCallBack (CallBack);
return STATUS_SUCCESS;
}
}
ExDereferenceCallBackBlock (&PspCreateProcessNotifyRoutine[i],
CallBack);
}
}
return STATUS_PROCEDURE_NOT_FOUND;
} else {
//
// Allocate a new callback block.
//
CallBack = ExAllocateCallBack ((PEX_CALLBACK_FUNCTION) NotifyRoutine, NULL);
if (CallBack == NULL) {
return STATUS_INSUFFICIENT_RESOURCES;
}
for (i = 0; i < PSP_MAX_CREATE_PROCESS_NOTIFY; i++) {
//
// Try and swap a null entry for the new block.
//
if (ExCompareExchangeCallBack (&PspCreateProcessNotifyRoutine[i],
CallBack,
NULL)) {
InterlockedIncrement ((PLONG) &PspCreateProcessNotifyRoutineCount);
return STATUS_SUCCESS;
}
}
//
// No slots left. Free the block and return.
//
ExFreeCallBack (CallBack);
return STATUS_INVALID_PARAMETER;
}
}
NTSTATUS
PsSetCreateThreadNotifyRoutine(
IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
)
/*++
Routine Description:
This function allows an installable file system to hook into thread
creation and deletion to track those events against their own internal
data structures.
Arguments:
NotifyRoutine - Supplies the address of the routine which is called at
thread creation and deletion. The routine is passed the unique Id
of the created or deleted thread and the unique Id of the containing
process. The third parameter passed to the notify routine is TRUE if
the thread is being created and FALSE if it is being deleted.
Return Value:
STATUS_SUCCESS if successful, and STATUS_INSUFFICIENT_RESOURCES if not.
--*/
{
ULONG i;
PEX_CALLBACK_ROUTINE_BLOCK CallBack;
PAGED_CODE();
//
// Allocate a new callback block.
//
CallBack = ExAllocateCallBack ((PEX_CALLBACK_FUNCTION) NotifyRoutine, NULL);
if (CallBack == NULL) {
return STATUS_INSUFFICIENT_RESOURCES;
}
for (i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i += 1) {
//
// Try and swap a null entry for the new block.
//
if (ExCompareExchangeCallBack (&PspCreateThreadNotifyRoutine[i],
CallBack,
NULL)) {
InterlockedIncrement ((PLONG) &PspCreateThreadNotifyRoutineCount);
return STATUS_SUCCESS;
}
}
//
// No slots left. Free the block and return.
//
ExFreeCallBack (CallBack);
return STATUS_INSUFFICIENT_RESOURCES;
}
NTSTATUS
PsRemoveCreateThreadNotifyRoutine (
IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
)
/*++
Routine Description:
This function allows an installable file system to unhook from thread
creation and deletion.
Arguments:
NotifyRoutine - Supplies the address of the routine which was previously
registered with PsSetCreateThreadNotifyRoutine
Return Value:
STATUS_SUCCESS if successful, and STATUS_PROCEDURE_NOT_FOUND if not.
--*/
{
ULONG i;
PEX_CALLBACK_ROUTINE_BLOCK CallBack;
PAGED_CODE();
for (i = 0; i < PSP_MAX_CREATE_THREAD_NOTIFY; i += 1) {
//
// Reference the callback so we can check its routine address.
//
CallBack = ExReferenceCallBackBlock (&PspCreateThreadNotifyRoutine[i]);
if (CallBack != NULL) {
//
// See if the routine matches our target
//
if ((PCREATE_THREAD_NOTIFY_ROUTINE) ExGetCallBackBlockRoutine (CallBack) == NotifyRoutine) {
if (ExCompareExchangeCallBack (&PspCreateThreadNotifyRoutine[i],
NULL,
CallBack)) {
InterlockedDecrement ((PLONG) &PspCreateThreadNotifyRoutineCount);
ExDereferenceCallBackBlock (&PspCreateThreadNotifyRoutine[i],
CallBack);
//
// Wait for any active callbacks to finish and free the block.
//
ExWaitForCallBacks (CallBack);
ExFreeCallBack (CallBack);
return STATUS_SUCCESS;
}
}
ExDereferenceCallBackBlock (&PspCreateThreadNotifyRoutine[i],
CallBack);
}
}
return STATUS_PROCEDURE_NOT_FOUND;
}
VOID
PspUserThreadStartup(
IN PKSTART_ROUTINE StartRoutine,
IN PVOID StartContext
)
/*++
Routine Description:
This function is called by the kernel to start a user-mode thread.
Arguments:
StartRoutine - Ignored.
StartContext - Supplies the initial pc value for the thread.
Return Value:
None.
--*/
{
PETHREAD Thread;
PEPROCESS Process;
PTEB Teb;
ULONG OldFlags;
BOOLEAN KillThread;
KIRQL OldIrql;
PAGED_CODE();
UNREFERENCED_PARAMETER(StartRoutine);
KeLowerIrql (PASSIVE_LEVEL);
Thread = PsGetCurrentThread ();
Process = PsGetCurrentProcessByThread (Thread);
//
// All threads start with an APC at LdrInitializeThunk
//
//
// See if we need to terminate early becuase of a error in the create path
//
KillThread = FALSE;
if ((Thread->CrossThreadFlags & PS_CROSS_THREAD_FLAGS_DEADTHREAD) != 0) {
KillThread = TRUE;
}
if (!KillThread) {
Teb = NtCurrentTeb ();
try {
Teb->CurrentLocale = MmGetSessionLocaleId ();
Teb->IdealProcessor = Thread->Tcb.IdealProcessor;
} except (EXCEPTION_EXECUTE_HANDLER) {
}
}
//
// If the create worked then notify the debugger.
//
if ((Thread->CrossThreadFlags&
(PS_CROSS_THREAD_FLAGS_DEADTHREAD|PS_CROSS_THREAD_FLAGS_HIDEFROMDBG)) == 0) {
DbgkCreateThread (Thread, StartContext);
}
//
// If something went wrong then terminate the thread
//
if (KillThread) {
PspTerminateThreadByPointer (Thread,
STATUS_THREAD_IS_TERMINATING,
TRUE);
} else {
if (CCPF_IS_PREFETCHER_ENABLED()) {
//
// If this is the first thread we are starting up in this process,
// prefetch the pages likely to be used when initializing the
// application into the system cache.
//
if ((Process->Flags & PS_PROCESS_FLAGS_LAUNCH_PREFETCHED) == 0) {
OldFlags = PS_TEST_SET_BITS(&Process->Flags, PS_PROCESS_FLAGS_LAUNCH_PREFETCHED);
if ((OldFlags & PS_PROCESS_FLAGS_LAUNCH_PREFETCHED) == 0) {
if (Process->SectionObject) {
//
// Notify cache manager of this application launch.
//
CcPfBeginAppLaunch(Process, Process->SectionObject);
}
}
}
}
//
// Queue the initial APC to the thread
//
KeRaiseIrql (APC_LEVEL, &OldIrql);
KiInitializeUserApc (PspGetBaseExceptionFrame (Thread),
PspGetBaseTrapFrame (Thread),
PspSystemDll.LoaderInitRoutine,
NULL,
PspSystemDll.DllBase,
NULL);
KeLowerIrql (PASSIVE_LEVEL);
}
}
ULONG
PspUnhandledExceptionInSystemThread(
IN PEXCEPTION_POINTERS ExceptionPointers
)
{
KdPrint(("PS: Unhandled Kernel Mode Exception Pointers = 0x%p\n", ExceptionPointers));
KdPrint(("Code %x Addr %p Info0 %p Info1 %p Info2 %p Info3 %p\n",
ExceptionPointers->ExceptionRecord->ExceptionCode,
(ULONG_PTR)ExceptionPointers->ExceptionRecord->ExceptionAddress,
ExceptionPointers->ExceptionRecord->ExceptionInformation[0],
ExceptionPointers->ExceptionRecord->ExceptionInformation[1],
ExceptionPointers->ExceptionRecord->ExceptionInformation[2],
ExceptionPointers->ExceptionRecord->ExceptionInformation[3]
));
KeBugCheckEx(
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED,
ExceptionPointers->ExceptionRecord->ExceptionCode,
(ULONG_PTR)ExceptionPointers->ExceptionRecord->ExceptionAddress,
(ULONG_PTR)ExceptionPointers->ExceptionRecord,
(ULONG_PTR)ExceptionPointers->ContextRecord);
// return EXCEPTION_EXECUTE_HANDLER;
}
// PspUnhandledExceptionInSystemThread doesn't return, and the compiler
// sometimes gives 'unreachable code' warnings as a result.
#pragma warning(push)
#pragma warning(disable:4702)
VOID
PspSystemThreadStartup(
IN PKSTART_ROUTINE StartRoutine,
IN PVOID StartContext
)
/*++
Routine Description:
This function is called by the kernel to start a system thread.
Arguments:
StartRoutine - Supplies the address of the system threads entry point.
StartContext - Supplies a context value for the system thread.
Return Value:
None.
--*/
{
PETHREAD Thread;
KeLowerIrql(0);
Thread = PsGetCurrentThread ();
try {
if ((Thread->CrossThreadFlags&(PS_CROSS_THREAD_FLAGS_TERMINATED|PS_CROSS_THREAD_FLAGS_DEADTHREAD)) == 0) {
(StartRoutine)(StartContext);
}
} except (PspUnhandledExceptionInSystemThread(GetExceptionInformation())) {
KeBugCheck(KMODE_EXCEPTION_NOT_HANDLED);
}
PspTerminateThreadByPointer (Thread, STATUS_SUCCESS, TRUE);
}
#pragma warning(pop)
HANDLE
PsGetCurrentProcessId( VOID )
{
return PsGetCurrentThread()->Cid.UniqueProcess;
}
HANDLE
PsGetCurrentThreadId( VOID )
{
return PsGetCurrentThread()->Cid.UniqueThread;
}
BOOLEAN
PsGetVersion(
PULONG MajorVersion OPTIONAL,
PULONG MinorVersion OPTIONAL,
PULONG BuildNumber OPTIONAL,
PUNICODE_STRING CSDVersion OPTIONAL
)
{
if (ARGUMENT_PRESENT(MajorVersion)) {
*MajorVersion = NtMajorVersion;
}
if (ARGUMENT_PRESENT(MinorVersion)) {
*MinorVersion = NtMinorVersion;
}
if (ARGUMENT_PRESENT(BuildNumber)) {
*BuildNumber = NtBuildNumber & 0x3FFF;
}
if (ARGUMENT_PRESENT(CSDVersion)) {
*CSDVersion = CmCSDVersionString;
}
return (BOOLEAN)((NtBuildNumber >> 28) == 0xC);
}
NTSTATUS
PsSetLoadImageNotifyRoutine(
IN PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
)
/*++
Routine Description:
This function allows a device driver to get notified for
image loads. The notify is issued for both kernel and user
mode image loads system-wide.
Arguments:
NotifyRoutine - Supplies the address of a routine which is called at
image load. The routine is passed information describing the
image being loaded.
The callout for creation happens just after the image is loaded
into memory but before executiona of the image.
Return Value:
STATUS_SUCCESS if successful, and STATUS_INVALID_PARAMETER if not.
--*/
{
ULONG i;
PEX_CALLBACK_ROUTINE_BLOCK CallBack;
PAGED_CODE();
//
// Allocate a new callback block.
//
CallBack = ExAllocateCallBack ((PEX_CALLBACK_FUNCTION) NotifyRoutine, NULL);
if (CallBack == NULL) {
return STATUS_INSUFFICIENT_RESOURCES;
}
for (i = 0; i < PSP_MAX_LOAD_IMAGE_NOTIFY; i++) {
//
// Try and swap a null entry for the new block.
//
if (ExCompareExchangeCallBack (&PspLoadImageNotifyRoutine[i],
CallBack,
NULL)) {
InterlockedIncrement ((PLONG) &PspLoadImageNotifyRoutineCount);
PsImageNotifyEnabled = TRUE;
return STATUS_SUCCESS;
}
}
//
// No slots left. Free the block and return.
//
ExFreeCallBack (CallBack);
return STATUS_INSUFFICIENT_RESOURCES;
}
NTSTATUS
PsRemoveLoadImageNotifyRoutine(
IN PLOAD_IMAGE_NOTIFY_ROUTINE NotifyRoutine
)
/*++
Routine Description:
This function allows an installable file system to unhook from image
load notification.
Arguments:
NotifyRoutine - Supplies the address of the routine which was previously
registered with PsSetLoadImageNotifyRoutine
Return Value:
STATUS_SUCCESS if successful, and STATUS_PROCEDURE_NOT_FOUND if not.
--*/
{
ULONG i;
PEX_CALLBACK_ROUTINE_BLOCK CallBack;
PAGED_CODE();
for (i = 0; i < PSP_MAX_LOAD_IMAGE_NOTIFY; i++) {
//
// Reference the callback so we can check its routine address.
//
CallBack = ExReferenceCallBackBlock (&PspLoadImageNotifyRoutine[i]);
if (CallBack != NULL) {
//
// See if the routine matches our target
//
if ((PLOAD_IMAGE_NOTIFY_ROUTINE) ExGetCallBackBlockRoutine (CallBack) == NotifyRoutine) {
if (ExCompareExchangeCallBack (&PspLoadImageNotifyRoutine[i],
NULL,
CallBack)) {
InterlockedDecrement ((PLONG) &PspLoadImageNotifyRoutineCount);
ExDereferenceCallBackBlock (&PspLoadImageNotifyRoutine[i],
CallBack);
//
// Wait for any active callbacks to finish and free the block.
//
ExWaitForCallBacks (CallBack);
ExFreeCallBack (CallBack);
return STATUS_SUCCESS;
}
}
ExDereferenceCallBackBlock (&PspLoadImageNotifyRoutine[i],
CallBack);
}
}
return STATUS_PROCEDURE_NOT_FOUND;
}
VOID
PsCallImageNotifyRoutines(
IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId, // pid into which image is being mapped
IN PIMAGE_INFO ImageInfo
)
/*++
Routine Description:
This function actually calls the registered image notify functions (on behalf)
of mapview.c and sysload.c
Arguments:
FullImageName - The name of the image being loaded
ProcessId - The process that the image is being loaded into (0 for driver loads)
ImageInfo - Various flags for the image
Return Value:
None.
--*/
{
ULONG i;
PEX_CALLBACK_ROUTINE_BLOCK CallBack;
PLOAD_IMAGE_NOTIFY_ROUTINE Rtn;
PAGED_CODE();
if (PsImageNotifyEnabled) {
for (i=0; i < PSP_MAX_LOAD_IMAGE_NOTIFY; i++) {
CallBack = ExReferenceCallBackBlock (&PspLoadImageNotifyRoutine[i]);
if (CallBack != NULL) {
Rtn = (PLOAD_IMAGE_NOTIFY_ROUTINE) ExGetCallBackBlockRoutine (CallBack);
Rtn (FullImageName,
ProcessId,
ImageInfo);
ExDereferenceCallBackBlock (&PspLoadImageNotifyRoutine[i], CallBack);
}
}
}
}
VOID
PspImageNotifyTest(
IN PUNICODE_STRING FullImageName,
IN HANDLE ProcessId,
IN PIMAGE_INFO ImageInfo
)
/*++
Routine Description:
This function is registered as a image notify routine on checked systems to test the interface.
Arguments:
FullImageName - The name of the image being loaded
ProcessId - The process that the image is being loaded into (0 for driver loads)
ImageInfo - Various flags for the image
Return Value:
None.
--*/
{
UNREFERENCED_PARAMETER (FullImageName);
UNREFERENCED_PARAMETER (ProcessId);
UNREFERENCED_PARAMETER (ImageInfo);
return;
}