| /* Capstone Disassembly Engine */ |
| /* By Satoshi Tanda <tanda.sat@gmail.com>, 2016 */ |
| |
| #include "winkernel_mm.h" |
| #include <ntddk.h> |
| #include <Ntintsafe.h> |
| |
| // A pool tag for memory allocation |
| static const ULONG CS_WINKERNEL_POOL_TAG = 'kwsC'; |
| |
| |
| // A structure to implement realloc() |
| typedef struct _CS_WINKERNEL_MEMBLOCK { |
| size_t size; // A number of bytes allocated |
| char data[1]; // An address returned to a caller |
| } CS_WINKERNEL_MEMBLOCK; |
| C_ASSERT(sizeof(CS_WINKERNEL_MEMBLOCK) == sizeof(void *) * 2); |
| |
| |
| // free() |
| void CAPSTONE_API cs_winkernel_free(void *ptr) |
| { |
| if (ptr) { |
| ExFreePoolWithTag(CONTAINING_RECORD(ptr, CS_WINKERNEL_MEMBLOCK, data), CS_WINKERNEL_POOL_TAG); |
| } |
| } |
| |
| // malloc() |
| void * CAPSTONE_API cs_winkernel_malloc(size_t size) |
| { |
| // Disallow zero length allocation because they waste pool header space and, |
| // in many cases, indicate a potential validation issue in the calling code. |
| NT_ASSERT(size); |
| |
| // FP; a use of NonPagedPool is required for Windows 7 support |
| #pragma prefast(suppress : 30030) // Allocating executable POOL_TYPE memory |
| size_t number_of_bytes = 0; |
| CS_WINKERNEL_MEMBLOCK *block = NULL; |
| // A specially crafted size value can trigger the overflow. |
| // If the sum in a value that overflows or underflows the capacity of the type, |
| // the function returns NULL. |
| if (!NT_SUCCESS(RtlSizeTAdd(size, sizeof(CS_WINKERNEL_MEMBLOCK), &number_of_bytes))) { |
| return NULL; |
| } |
| block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag( |
| NonPagedPool, number_of_bytes, CS_WINKERNEL_POOL_TAG); |
| if (!block) { |
| return NULL; |
| } |
| block->size = size; |
| |
| return block->data; |
| } |
| |
| // calloc() |
| void * CAPSTONE_API cs_winkernel_calloc(size_t n, size_t size) |
| { |
| size_t total = n * size; |
| |
| void *new_ptr = cs_winkernel_malloc(total); |
| if (!new_ptr) { |
| return NULL; |
| } |
| |
| return RtlFillMemory(new_ptr, total, 0); |
| } |
| |
| // realloc() |
| void * CAPSTONE_API cs_winkernel_realloc(void *ptr, size_t size) |
| { |
| void *new_ptr = NULL; |
| size_t current_size = 0; |
| size_t smaller_size = 0; |
| |
| if (!ptr) { |
| return cs_winkernel_malloc(size); |
| } |
| |
| new_ptr = cs_winkernel_malloc(size); |
| if (!new_ptr) { |
| return NULL; |
| } |
| |
| current_size = CONTAINING_RECORD(ptr, CS_WINKERNEL_MEMBLOCK, data)->size; |
| smaller_size = (current_size < size) ? current_size : size; |
| RtlCopyMemory(new_ptr, ptr, smaller_size); |
| cs_winkernel_free(ptr); |
| |
| return new_ptr; |
| } |
| |
| // vsnprintf(). _vsnprintf() is available for drivers, but it differs from |
| // vsnprintf() in a return value and when a null-terminator is set. |
| // cs_winkernel_vsnprintf() takes care of those differences. |
| #pragma warning(push) |
| // Banned API Usage : _vsnprintf is a Banned API as listed in dontuse.h for |
| // security purposes. |
| #pragma warning(disable : 28719) |
| int CAPSTONE_API cs_winkernel_vsnprintf(char *buffer, size_t count, const char *format, va_list argptr) |
| { |
| int result = _vsnprintf(buffer, count, format, argptr); |
| |
| // _vsnprintf() returns -1 when a string is truncated, and returns "count" |
| // when an entire string is stored but without '\0' at the end of "buffer". |
| // In both cases, null-terminator needs to be added manually. |
| if (result == -1 || (size_t)result == count) { |
| buffer[count - 1] = '\0'; |
| } |
| |
| if (result == -1) { |
| // In case when -1 is returned, the function has to get and return a number |
| // of characters that would have been written. This attempts so by retrying |
| // the same conversion with temp buffer that is most likely big enough to |
| // complete formatting and get a number of characters that would have been |
| // written. |
| char* tmp = cs_winkernel_malloc(0x1000); |
| if (!tmp) { |
| return result; |
| } |
| |
| result = _vsnprintf(tmp, 0x1000, format, argptr); |
| NT_ASSERT(result != -1); |
| cs_winkernel_free(tmp); |
| } |
| |
| return result; |
| } |
| #pragma warning(pop) |