Lines Matching defs:pNtProtect

297 static void                 supdrvNtProtectRelease(PSUPDRVNTPROTECT pNtProtect);
299 static int supdrvNtProtectFindAssociatedCsrss(PSUPDRVNTPROTECT pNtProtect);
300 static int supdrvNtProtectVerifyProcess(PSUPDRVNTPROTECT pNtProtect);
782 PSUPDRVNTPROTECT pNtProtect = NULL;
783 rc = supdrvNtProtectCreate(&pNtProtect, PsGetProcessId(PsGetCurrentProcess()),
787 rc = supdrvNtProtectFindAssociatedCsrss(pNtProtect);
789 rc = supdrvNtProtectVerifyProcess(pNtProtect);
792 pFileObj->FsContext = pNtProtect; /* Keeps reference. */
796 supdrvNtProtectRelease(pNtProtect);
808 PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(PsGetProcessId(PsGetCurrentProcess()));
809 if (pNtProtect)
811 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
813 rc = supdrvNtProtectVerifyProcess(pNtProtect);
826 pSession->pNtProtect = pNtProtect; /* Keeps reference. */
833 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessConfirmed)
834 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
847 PsGetProcessId(PsGetCurrentProcess()), pNtProtect->enmProcessKind));
850 supdrvNtProtectRelease(pNtProtect);
872 pSession->pNtProtect = NULL;
/* NOTE(review): this listing shows only the lines that mention pNtProtect, so
 * the statements between these hits are not visible. Going by the log
 * prefixes, this fragment is VBoxDrvNtCleanup and 963-967 is VBoxDrvNtClose.
 * Both read pFileObj->FsContext and release it when non-NULL; the reference
 * was stored there at 792 ("Keeps reference"). Whether FsContext is cleared
 * after the release below is not shown. Confirm that it is; otherwise the
 * same reference would be dropped a second time on close. */
921 PSUPDRVNTPROTECT pNtProtect = (PSUPDRVNTPROTECT)pFileObj->FsContext;
922 Log(("VBoxDrvNtCleanup: pDevExt=%p pFileObj=%p pNtProtect=%p\n", pDevExt, pFileObj, pNtProtect));
923 if (pNtProtect)
925 supdrvNtProtectRelease(pNtProtect);
963 PSUPDRVNTPROTECT pNtProtect = (PSUPDRVNTPROTECT)pFileObj->FsContext;
964 Log(("VBoxDrvNtClose: pDevExt=%p pFileObj=%p pNtProtect=%p\n", pDevExt, pFileObj, pNtProtect));
965 if (pNtProtect)
967 supdrvNtProtectRelease(pNtProtect);
1602 if (pSession->pNtProtect)
1604 supdrvNtProtectRelease(pSession->pNtProtect);
1605 pSession->pNtProtect = NULL;
2537 * @param pNtProtect The NT protected process structure. The
2540 static int supdrvNtProtectFindAssociatedCsrss(PSUPDRVNTPROTECT pNtProtect)
2542 Assert(pNtProtect->AvlCore.Key == PsGetCurrentProcessId());
2543 Assert(pNtProtect->pCsrssProcess == NULL);
2544 Assert(pNtProtect->hCsrssPid == NULL);
2717 pNtProtect->hCsrssPid = pProcInfo->UniqueProcessId;
2718 pNtProtect->pCsrssProcess = pProcess;
2748 * @param pNtProtect The NT protection structure.
2752 static bool supdrvNtProtectIsAssociatedCsrss(PSUPDRVNTPROTECT pNtProtect, PEPROCESS pCsrss)
2754 if (pNtProtect->pCsrssProcess == pCsrss)
2756 if (pNtProtect->hCsrssPid == PsGetProcessId(pCsrss))
2771 * @param pNtProtect The NT protection structure.
2775 static bool supdrvNtProtectIsFrigginThemesService(PSUPDRVNTPROTECT pNtProtect, PEPROCESS pAnnoyingProcess)
2966 PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(hDeadPid);
2967 if (pNtProtect)
2977 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
2979 PSUPDRVNTPROTECT pNtParent = pNtProtect->u.pParent;
2980 AssertRelease(pNtParent); AssertRelease(pNtParent->u.pChild == pNtProtect);
2982 pNtProtect->u.pParent = NULL;
2983 pNtChild = pNtProtect;
2990 else if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent
2991 && pNtProtect->u.pChild)
2993 pNtChild = pNtProtect->u.pChild;
2994 pNtProtect->u.pChild = NULL;
3003 if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3004 || pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessConfirmed)
3005 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
3006 else if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent
3007 || pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubSpawning
3008 || pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubUnverified)
3009 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_StubDead;
3013 supdrvNtProtectRelease(pNtProtect);
3211 PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(hObjPid);
3212 if (!pNtProtect)
3221 pNtProtect = supdrvNtProtectLookup(hObjPid);
3226 pOpInfo->CallContext = pNtProtect; /* Just for reference. */
3227 if (pNtProtect)
3241 pNtProtect->fFirstProcessCreateHandle = false;
3246 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3254 pNtProtect->fFirstProcessCreateHandle = false;
3259 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3274 if ( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3275 && pNtProtect->fFirstProcessCreateHandle
3277 && pNtProtect->hParentPid == PsGetProcessId(PsGetCurrentProcess())
3294 pNtProtect->fFirstProcessCreateHandle = false;
3303 && pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3304 && pNtProtect->fCsrssFirstProcessCreateHandle
3307 && supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
3309 pNtProtect->fCsrssFirstProcessCreateHandle = false;
/* NOTE(review): 3331 requires fThemesFirstProcessCreateHandle to be set, and
 * 3336 then assigns true under an "Only once!" comment. The comparable
 * one-shot flags are cleared after use (fFirstProcessCreateHandle at 3294,
 * fCsrssFirstProcessCreateHandle at 3309). Unless a line not shown here
 * clears this flag, the allowance guarded by
 * supdrvNtProtectIsFrigginThemesService() stays available on every later
 * handle creation instead of once. Verify against the full source. */
3331 && pNtProtect->fThemesFirstProcessCreateHandle
3334 && supdrvNtProtectIsFrigginThemesService(pNtProtect, PsGetCurrentProcess()) )
3336 pNtProtect->fThemesFirstProcessCreateHandle = true; /* Only once! */
3344 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights,
3363 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3373 && pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3374 && pNtProtect->cCsrssFirstProcessDuplicateHandle > 0
3377 && pNtProtect->hParentPid
3381 && supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()))
3383 if (ASMAtomicDecS32(&pNtProtect->cCsrssFirstProcessDuplicateHandle) >= 0)
3402 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3408 supdrvNtProtectRelease(pNtProtect);
3485 PSUPDRVNTPROTECT pNtProtect = supdrvNtProtectLookup(PsGetProcessId(pProcess));
3486 pOpInfo->CallContext = pNtProtect; /* Just for reference. */
3487 if (pNtProtect)
3500 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind));
3502 pNtProtect->fFirstThreadCreateHandle = false;
3511 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3524 && pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed
3525 && pNtProtect->fFirstThreadCreateHandle
3528 && pNtProtect->hParentPid == PsGetProcessId(PsGetCurrentProcess()) )
3536 pNtProtect->fFirstThreadCreateHandle = false;
3547 && ( (enmProcessKind = pNtProtect->enmProcessKind) == kSupDrvNtProtectKind_VmProcessConfirmed
3551 && supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
3562 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights,
3581 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind,
3591 && ( (enmProcessKind = pNtProtect->enmProcessKind) == kSupDrvNtProtectKind_VmProcessConfirmed
3596 && supdrvNtProtectIsAssociatedCsrss(pNtProtect, PsGetCurrentProcess()) )
3610 pOpInfo->Object, pNtProtect->AvlCore.Key, pNtProtect->enmProcessKind, fAllowedRights,
3618 supdrvNtProtectRelease(pNtProtect);
/* Fragment of supdrvNtProtectCreate (name taken from the log message at
 * 3688). Only lines mentioning pNtProtect are listed, so the signature, the
 * locking and the return statements are not visible here. */
3665 PSUPDRVNTPROTECT pNtProtect = (PSUPDRVNTPROTECT)RTMemAllocZ(sizeof(*pNtProtect));
3666 if (!pNtProtect)
/* Initial state: keyed by the process ID, a single reference, the caller's
 * process kind, and no parent, opener thread or CSRSS association yet. */
3669 pNtProtect->AvlCore.Key = hPid;
3670 pNtProtect->u32Magic = SUPDRVNTPROTECT_MAGIC;
3671 pNtProtect->cRefs = 1;
3672 pNtProtect->enmProcessKind = enmProcessKind;
3673 pNtProtect->hParentPid = NULL;
3674 pNtProtect->hOpenTid = NULL;
3675 pNtProtect->hCsrssPid = NULL;
3676 pNtProtect->pCsrssProcess = NULL;
/* Publish the node in the global tree. The key is the PID, so the insert
 * presumably fails when an entry for that PID is already present (see the
 * "Duplicate" log below). */
3681 bool fSuccess = RTAvlPVInsert(&g_NtProtectTree, &pNtProtect->AvlCore);
/* Duplicate path: the magic is marked dead before the structure is freed, and
 * the caller's pointer is not set on this path as far as the listing shows. */
3687 pNtProtect->u32Magic = SUPDRVNTPROTECT_MAGIC_DEAD;
3688 LogRel(("supdrvNtProtectCreate: Duplicate (%#x).\n", pNtProtect->AvlCore.Key));
3689 RTMemFree(pNtProtect);
/* Success path: hand the new structure back through the out parameter. */
3694 *ppNtProtect = pNtProtect;
3702 * @param pNtProtect The NT protection structure.
3704 static void supdrvNtProtectRelease(PSUPDRVNTPROTECT pNtProtect)
/* Drops one reference on pNtProtect. Only lines mentioning pNtProtect are
 * listed, so the locking and the test on cRefs between 3711 and 3721 are not
 * visible here. */
/* NULL is accepted; a structure whose magic is not the live value is rejected
 * before the counter is touched. */
3706 if (!pNtProtect)
3708 AssertReturnVoid(pNtProtect->u32Magic == SUPDRVNTPROTECT_MAGIC);
/* Atomic decrement. The teardown below presumably runs only when the count
 * reaches zero; confirm against the full source. */
3711 uint32_t cRefs = ASMAtomicDecU32(&pNtProtect->cRefs);
/* Teardown: mark the magic dead, then remove the node from g_NtProtectTree
 * using its PID key (AvlCore.Key is set from hPid at 3669). */
3721 ASMAtomicWriteU32(&pNtProtect->u32Magic, SUPDRVNTPROTECT_MAGIC_DEAD);
3722 PSUPDRVNTPROTECT pRemoved = (PSUPDRVNTPROTECT)RTAvlPVRemove(&g_NtProtectTree, pNtProtect->AvlCore.Key);
/* For a StubParent the child link is read and then cleared; what happens to
 * the child afterwards is on lines not shown. */
3726 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubParent)
3728 pChild = pNtProtect->u.pChild;
3731 pNtProtect->u.pChild = NULL;
/* An unconfirmed VM process must never reach final release (enforced in all
 * builds by AssertRelease). */
3742 AssertRelease(pNtProtect->enmProcessKind != kSupDrvNtProtectKind_VmProcessUnconfirmed);
3745 Assert(pRemoved == pNtProtect);
/* Release the object reference on the associated CSRSS process (stored at
 * 2718) and clear the pointer. */
3748 if (pNtProtect->pCsrssProcess)
3750 ObDereferenceObject(pNtProtect->pCsrssProcess);
3751 pNtProtect->pCsrssProcess = NULL;
/* NOTE(review): the magic check at 3708 reads the structure itself, so after
 * this free it can only catch a stale pointer while the memory still holds the
 * DEAD value. It is a debugging aid, not a lifetime guarantee; correctness
 * rests on the reference count. */
3754 RTMemFree(pNtProtect);
3787 * @param pNtProtect The unconfirmed VM process currently trying to
3791 static int supdrvNtProtectVerifyStubForVmProcess(PSUPDRVNTPROTECT pNtProtect, PRTERRINFO pErrInfo)
3799 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
3801 pNtStub = pNtProtect->u.pParent; /* weak reference. */
3883 * @param pNtProtect The NT protect structure for getting information
3887 static int supdrvNtProtectRestrictHandlesToProcessAndThread(PSUPDRVNTPROTECT pNtProtect, PRTERRINFO pErrInfo)
3895 AssertReturn(pNtProtect->AvlCore.Key == hProtectedPid, VERR_INTERNAL_ERROR_5);
3964 && pHandleInfo->UniqueProcessId == pNtProtect->hCsrssPid)
3997 && pHandleInfo->UniqueProcessId == pNtProtect->hCsrssPid)
4068 * @param pNtProtect The NT protect structure. This is upgraded to a
4071 static int supdrvNtProtectVerifyProcess(PSUPDRVNTPROTECT pNtProtect)
/* Only lines mentioning pNtProtect are listed; the verification calls, the
 * locking and the conditions between these hits are not visible here. */
/* Must run in the context of the process being verified: fails with
 * VERR_INTERNAL_ERROR_3 unless the current PID equals the structure's key. */
4073 AssertReturn(PsGetProcessId(PsGetCurrentProcess()) == pNtProtect->AvlCore.Key, VERR_INTERNAL_ERROR_3);
/* The >= comparisons rely on the declaration order of the
 * kSupDrvNtProtectKind_* enum (not shown); presumably they select the
 * VM-process kinds. TODO confirm against the enum definition. */
4088 if (pNtProtect->enmProcessKind >= kSupDrvNtProtectKind_VmProcessUnconfirmed)
4089 rc = supdrvNtProtectRestrictHandlesToProcessAndThread(pNtProtect, &ErrInfo);
4094 if (RT_SUCCESS(rc) && pNtProtect->enmProcessKind >= kSupDrvNtProtectKind_VmProcessUnconfirmed)
4095 rc = supdrvNtProtectVerifyStubForVmProcess(pNtProtect, &ErrInfo);
/* Stub transition: StubUnverified becomes StubSpawning on success and
 * StubDead on failure; the opening thread ID is recorded either way. */
4108 if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubUnverified)
4110 pNtProtect->enmProcessKind = RT_SUCCESS(rc) ? kSupDrvNtProtectKind_StubSpawning : kSupDrvNtProtectKind_StubDead;
4111 pNtProtect->hOpenTid = hOpenTid;
/* VM process transition: the link to the parent is cut and one reference is
 * dropped, then the kind becomes Confirmed (4129) or Dead (4133). The
 * condition choosing between the two is on lines not shown. */
4115 else if (pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessUnconfirmed)
4117 AssertRelease(pNtProtect->cRefs >= 2); /* Parent + Caller */
4118 PSUPDRVNTPROTECT pParent = pNtProtect->u.pParent;
/* NOTE(review): this checks the parent's link to the child through
 * u.pParent, while 2980 checks the same relationship through u.pChild.
 * Equivalent only if u is a union of the two pointers (declaration not
 * shown); confirm. */
4120 AssertRelease(pParent->u.pParent == pNtProtect);
4124 pNtProtect->u.pParent = NULL;
4125 ASMAtomicDecU32(&pNtProtect->cRefs);
4129 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessConfirmed;
4130 pNtProtect->hOpenTid = hOpenTid;
4133 pNtProtect->enmProcessKind = kSupDrvNtProtectKind_VmProcessDead;
/* Release-build invariant: at this point the kind must be one of the two
 * dead states. Presumably this is reached on a failure path only; the
 * enclosing condition is not shown. */
4150 AssertReleaseMsg( pNtProtect->enmProcessKind == kSupDrvNtProtectKind_StubDead
4151 || pNtProtect->enmProcessKind == kSupDrvNtProtectKind_VmProcessDead,
4152 ("enmProcessKind=%d rc=%Rrc\n", pNtProtect->enmProcessKind, rc));