2 * The PCI Library -- Access to i386 I/O ports on Windows
4 * Copyright (c) 2004 Alexander Stock <stock.alexander@gmx.de>
5 * Copyright (c) 2006 Martin Mares <mj@ucw.cz>
6 * Copyright (c) 2021 Pali Rohár <pali@kernel.org>
8 * Can be freely distributed and used under the terms of the GNU GPL v2+
10 * SPDX-License-Identifier: GPL-2.0-or-later
18 /* MSVC compiler provides I/O port intrinsics for both 32 and 64-bit modes. */
19 #pragma intrinsic(_outp)
20 #pragma intrinsic(_outpw)
21 #pragma intrinsic(_outpd)
22 #pragma intrinsic(_inp)
23 #pragma intrinsic(_inpw)
24 #pragma intrinsic(_inpd)
25 #elif defined(_WIN64) || defined(_UCRT)
27 * For other compilers I/O port intrinsics are available in <intrin.h> header
28 * file either as inline/external functions or macros. Beware that <intrin.h>
29 * names are different than MSVC intrinsics names and glibc function names.
30 * Usage of <intrin.h> is also the prefered way for 64-bit mode or when using
34 #define _outp(x,y) __outbyte(x,y)
35 #define _outpw(x,y) __outword(x,y)
36 #define _outpd(x,y) __outdword(x,y)
37 #define _inp(x) __inbyte(x)
38 #define _inpw(x) __inword(x)
39 #define _inpd(x) __indword(x)
40 #elif defined(__CRTDLL__) || (defined(__MSVCRT_VERSION__) && __MSVCRT_VERSION__ < 0x400)
42 * Old 32-bit CRTDLL library and pre-4.00 MSVCRT library do not provide I/O
43 * port functions. As these libraries exist only in 32-bit mode variant,
44 * implement I/O port functions via 32-bit inline assembly.
46 static inline int _outp(unsigned short port, int databyte)
48 asm volatile ("outb %b0, %w1" : : "a" (databyte), "Nd" (port));
51 static inline unsigned short _outpw(unsigned short port, unsigned short dataword)
53 asm volatile ("outw %w0, %w1" : : "a" (dataword), "Nd" (port));
56 static inline unsigned long _outpd(unsigned short port, unsigned long dataword)
58 asm volatile ("outl %0, %w1" : : "a" (dataword), "Nd" (port));
61 static inline int _inp(unsigned short port)
64 asm volatile ("inb %w1, %0" : "=a" (ret) : "Nd" (port));
67 static inline unsigned short _inpw(unsigned short port)
70 asm volatile ("inw %w1, %0" : "=a" (ret) : "Nd" (port));
73 static inline unsigned long _inpd(unsigned short port)
76 asm volatile ("inl %w1, %0" : "=a" (ret) : "Nd" (port));
79 #elif !defined(__GNUC__)
81 * Old 32-bit MSVCRT (non-UCRT) library provides I/O port functions. Function
82 * prototypes are defined in <conio.h> header file but they are missing in
83 * some MinGW toolchains. So for GCC compiler define them manually.
87 int _outp(unsigned short port, int databyte);
88 unsigned short _outpw(unsigned short port, unsigned short dataword);
89 unsigned long _outpd(unsigned short port, unsigned long dataword);
90 int _inp(unsigned short port);
91 unsigned short _inpw(unsigned short port);
92 unsigned long _inpd(unsigned short port);
95 #define outb(x,y) _outp(y,x)
96 #define outw(x,y) _outpw(y,x)
97 #define outl(x,y) _outpd(y,x)
99 #define inb(x) _inp(x)
100 #define inw(x) _inpw(x)
101 #define inl(x) _inpd(x)
104 * Define __readeflags() for MSVC and GCC compilers.
105 * MSVC since version 14.00 included in WDK 6001 and since version 15.00
106 * included in VS 2008 provides __readeflags() intrinsic for both 32 and 64-bit
107 * modes. WDK 6001 defines macro __BUILDMACHINE__ to value WinDDK. VS 2008 does
108 * not define this macro at all. MSVC throws error if name of user defined
109 * function conflicts with some MSVC intrinsic.
110 * MSVC supports inline assembly via __asm keyword in 32-bit mode only.
111 * GCC version 4.9.0 and higher provides __builtin_ia32_readeflags_uXX()
112 * builtin for XX-mode. This builtin is also available as __readeflags()
113 * function indirectly via <x86intrin.h> header file.
115 #if defined(_MSC_VER) && (_MSC_VER >= 1500 || (_MSC_VER >= 1400 && defined(__BUILDMACHINE__)))
116 #pragma intrinsic(__readeflags)
117 #elif defined(__GNUC__) && ((__GNUC__ == 4 && __GNUC_MINOR__ >= 9) || (__GNUC__ > 4))
118 #include <x86intrin.h>
119 #elif defined(_MSC_VER) && defined(_M_IX86)
120 static inline unsigned int
126 #elif defined(__GNUC__)
127 static inline unsigned
139 asm volatile ("pushf\n\tpop %0\n" : "=r" (eflags));
143 #error "Unsupported compiler"
146 /* Read IOPL of the current process, IOPL is stored in eflag bits [13:12]. */
147 #define read_iopl() ((__readeflags() >> 12) & 0x3)
149 /* Unfortunately i586-mingw32msvc toolchain does not provide this constant. */
150 #ifndef PROCESS_QUERY_LIMITED_INFORMATION
151 #define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
154 /* Unfortunately some toolchains do not provide this constant. */
155 #ifndef SE_IMPERSONATE_NAME
156 #define SE_IMPERSONATE_NAME TEXT("SeImpersonatePrivilege")
160 * These psapi functions are available in kernel32.dll library with K32 prefix
161 * on Windows 7 and higher systems. On older Windows systems these functions are
162 * available in psapi.dll libary without K32 prefix. So resolve pointers to
163 * these functions dynamically at runtime from the available system library.
164 * Function GetProcessImageFileNameW() is not available on Windows 2000 and
167 typedef BOOL (WINAPI *EnumProcessesProt)(DWORD *lpidProcess, DWORD cb, DWORD *cbNeeded);
168 typedef DWORD (WINAPI *GetProcessImageFileNameWProt)(HANDLE hProcess, LPWSTR lpImageFileName, DWORD nSize);
169 typedef DWORD (WINAPI *GetModuleFileNameExWProt)(HANDLE hProcess, HMODULE hModule, LPWSTR lpImageFileName, DWORD nSize);
172 * These aclapi functions are available in advapi.dll library on Windows NT 4.0
173 * and higher systems.
175 typedef DWORD (WINAPI *GetSecurityInfoProt)(HANDLE handle, SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInfo, PSID *ppsidOwner, PSID *ppsidGroup, PACL *ppDacl, PACL *ppSacl, PSECURITY_DESCRIPTOR *ppSecurityDescriptor);
176 typedef DWORD (WINAPI *SetSecurityInfoProt)(HANDLE handle, SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInfo, PSID psidOwner, PSID psidGroup, PACL pDacl, PACL pSacl);
177 typedef DWORD (WINAPI *SetEntriesInAclProt)(ULONG cCountOfExplicitEntries, PEXPLICIT_ACCESS pListOfExplicitEntries, PACL OldAcl, PACL *NewAcl);
180 * This errhandlingapi function is available in kernel32.dll library on
181 * Windows 7 and higher systems.
183 typedef BOOL (WINAPI *SetThreadErrorModeProt)(DWORD dwNewMode, LPDWORD lpOldMode);
186 * Unfortunately NtSetInformationProcess() function, ProcessUserModeIOPL
187 * constant and all other helpers for its usage are not specified in any
188 * standard WinAPI header file. So define all of required constants and types.
189 * Function NtSetInformationProcess() is available in ntdll.dll library on all
190 * Windows systems but marked as it can be removed in some future version.
193 #define NTSTATUS LONG
195 #ifndef STATUS_NOT_IMPLEMENTED
196 #define STATUS_NOT_IMPLEMENTED (NTSTATUS)0xC0000002
198 #ifndef STATUS_PRIVILEGE_NOT_HELD
199 #define STATUS_PRIVILEGE_NOT_HELD (NTSTATUS)0xC0000061
201 #ifndef PROCESSINFOCLASS
202 #define PROCESSINFOCLASS DWORD
204 #ifndef ProcessUserModeIOPL
205 #define ProcessUserModeIOPL 16
207 typedef NTSTATUS (NTAPI *NtSetInformationProcessProt)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength);
210 * Check if the current thread has particular privilege in current active access
211 * token. Case when it not possible to determinate it (e.g. current thread does
212 * not have permission to open its own current active access token) is evaluated
213 * as thread does not have that privilege.
216 have_privilege(LUID luid_privilege)
223 * If the current thread does not have active access token then thread
224 * uses primary process access token for all permission checks.
226 if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token) &&
227 (GetLastError() != ERROR_NO_TOKEN ||
228 !OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)))
231 priv.PrivilegeCount = 1;
232 priv.Control = PRIVILEGE_SET_ALL_NECESSARY;
233 priv.Privilege[0].Luid = luid_privilege;
234 priv.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
236 if (!PrivilegeCheck(token, &priv, &ret))
243 * Enable or disable particular privilege in specified access token.
245 * Note that it is not possible to disable privilege in access token with
246 * SE_PRIVILEGE_ENABLED_BY_DEFAULT attribute. This function does not check
247 * this case and incorrectly returns no error even when disabling failed.
248 * Rationale for this decision: Simplification of this function as WinAPI
249 * call AdjustTokenPrivileges() does not signal error in this case too.
252 set_privilege(HANDLE token, LUID luid_privilege, BOOL enable)
254 TOKEN_PRIVILEGES token_privileges;
256 token_privileges.PrivilegeCount = 1;
257 token_privileges.Privileges[0].Luid = luid_privilege;
258 token_privileges.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
261 * WinAPI function AdjustTokenPrivileges() success also when not all
262 * privileges were enabled. It is always required to check for failure
263 * via GetLastError() call. AdjustTokenPrivileges() always sets error
264 * also when it success, as opposite to other WinAPI functions.
266 if (!AdjustTokenPrivileges(token, FALSE, &token_privileges, sizeof(token_privileges), NULL, NULL) ||
267 GetLastError() != ERROR_SUCCESS)
274 * Change access token for the current thread to new specified access token.
275 * Previously active access token is stored in old_token variable and can be
276 * used for reverting to this access token. It is set to NULL if the current
277 * thread previously used primary process access token.
280 change_token(HANDLE new_token, HANDLE *old_token)
284 if (!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, TRUE, &token))
286 if (GetLastError() != ERROR_NO_TOKEN)
291 if (!ImpersonateLoggedOnUser(new_token))
303 * Change access token for the current thread to the primary process access
304 * token. This function fails also when the current thread already uses primary
305 * process access token.
308 change_token_to_primary(HANDLE *old_token)
312 if (!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, TRUE, &token))
322 * Revert to the specified access token for the current thread. When access
323 * token is specified as NULL then revert to the primary process access token.
324 * Use to revert after change_token() or change_token_to_primary() call.
327 revert_to_token(HANDLE token)
330 * If SetThreadToken() call fails then there is no option to revert to
331 * the specified previous thread access token. So in this case revert to
332 * the primary process access token.
334 if (!token || !SetThreadToken(NULL, token))
341 * Enable particular privilege for the current thread. And set method how to
342 * revert this privilege (if to revert whole token or only privilege).
345 enable_privilege(LUID luid_privilege, HANDLE *revert_token, BOOL *revert_only_privilege)
350 if (OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, TRUE, &thread_token))
352 if (set_privilege(thread_token, luid_privilege, TRUE))
355 * Indicate that correct revert method is just to
356 * disable privilege in access token.
358 if (revert_token && revert_only_privilege)
360 *revert_token = thread_token;
361 *revert_only_privilege = TRUE;
365 CloseHandle(thread_token);
369 CloseHandle(thread_token);
371 * If enabling privilege failed then try to enable it via
372 * primary process access token.
377 * If the current thread has already active thread access token then
378 * open it with just impersonate right as it would be used only for
381 if (revert_token && revert_only_privilege)
383 if (!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE, TRUE, &thread_token))
385 if (GetLastError() != ERROR_NO_TOKEN)
391 * If current thread has no access token (and uses primary
392 * process access token) or it does not have permission to
393 * adjust privileges or it does not have specified privilege
394 * then create a copy of the primary process access token,
395 * assign it for the current thread (= impersonate self)
396 * and then try adjusting privilege again.
398 if (!ImpersonateSelf(SecurityImpersonation))
401 CloseHandle(thread_token);
406 if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES, TRUE, &new_token))
408 /* thread_token is set only when we were asked for revert method. */
409 if (revert_token && revert_only_privilege)
410 revert_to_token(thread_token);
414 if (!set_privilege(new_token, luid_privilege, TRUE))
416 CloseHandle(new_token);
417 /* thread_token is set only when we were asked for revert method. */
418 if (revert_token && revert_only_privilege)
419 revert_to_token(thread_token);
424 * Indicate that correct revert method is to change to the previous
425 * access token. Either to the primary process access token or to the
426 * previous thread access token.
428 if (revert_token && revert_only_privilege)
430 *revert_token = thread_token;
431 *revert_only_privilege = FALSE;
437 * Revert particular privilege for the current thread was previously enabled by
438 * enable_privilege() call. Either disable privilege in specified access token
439 * or revert to previous access token.
442 revert_privilege(LUID luid_privilege, HANDLE revert_token, BOOL revert_only_privilege)
444 if (revert_only_privilege)
446 set_privilege(revert_token, luid_privilege, FALSE);
447 CloseHandle(revert_token);
451 revert_to_token(revert_token);
456 * Return owner of the access token used by the current thread. Buffer for
457 * returned owner needs to be released by LocalFree() call.
460 get_current_token_owner(VOID)
467 * If the current thread does not have active access token then thread
468 * uses primary process access token for all permission checks.
470 if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &token) &&
471 (GetLastError() != ERROR_NO_TOKEN ||
472 !OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)))
475 if (!GetTokenInformation(token, TokenOwner, NULL, 0, &length) &&
476 GetLastError() != ERROR_INSUFFICIENT_BUFFER)
483 owner = (TOKEN_OWNER *)LocalAlloc(LPTR, length);
490 if (!GetTokenInformation(token, TokenOwner, owner, length, &length))
493 * Length of token owner (SID) buffer between two get calls may
494 * changes (e.g. by another thread of process), so retry.
496 if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
511 * Grant particular permissions in the primary access token of the specified
512 * process for the owner of current thread token and set old DACL of the
513 * process access token for reverting permissions. Security descriptor is
514 * just memory buffer for old DACL.
517 grant_process_token_dacl_permissions(HANDLE process, DWORD permissions, HANDLE *token, PACL *old_dacl, PSECURITY_DESCRIPTOR *security_descriptor)
519 GetSecurityInfoProt MyGetSecurityInfo;
520 SetSecurityInfoProt MySetSecurityInfo;
521 SetEntriesInAclProt MySetEntriesInAcl;
522 EXPLICIT_ACCESS explicit_access;
528 * This source file already uses advapi32.dll library, so it is
529 * linked to executable and automatically loaded when starting
530 * current running process.
532 advapi32 = GetModuleHandle(TEXT("advapi32.dll"));
537 * It does not matter if SetEntriesInAclA() or SetEntriesInAclW() is
538 * called as no string is passed to SetEntriesInAcl function.
540 MyGetSecurityInfo = (GetSecurityInfoProt)(LPVOID)GetProcAddress(advapi32, "GetSecurityInfo");
541 MySetSecurityInfo = (SetSecurityInfoProt)(LPVOID)GetProcAddress(advapi32, "SetSecurityInfo");
542 MySetEntriesInAcl = (SetEntriesInAclProt)(LPVOID)GetProcAddress(advapi32, "SetEntriesInAclA");
543 if (!MyGetSecurityInfo || !MySetSecurityInfo || !MySetEntriesInAcl)
546 owner = get_current_token_owner();
551 * READ_CONTROL is required for GetSecurityInfo(DACL_SECURITY_INFORMATION)
552 * and WRITE_DAC is required for SetSecurityInfo(DACL_SECURITY_INFORMATION).
554 if (!OpenProcessToken(process, READ_CONTROL | WRITE_DAC, token))
560 if (MyGetSecurityInfo(*token, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, old_dacl, NULL, security_descriptor) != ERROR_SUCCESS)
568 * Set new explicit access for the owner of the current thread access
569 * token with non-inherited granting access to specified permissions.
571 explicit_access.grfAccessPermissions = permissions;
572 explicit_access.grfAccessMode = GRANT_ACCESS;
573 explicit_access.grfInheritance = NO_PROPAGATE_INHERIT_ACE;
574 explicit_access.Trustee.pMultipleTrustee = NULL;
575 explicit_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
576 explicit_access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
577 explicit_access.Trustee.TrusteeType = TRUSTEE_IS_USER;
579 * Unfortunately i586-mingw32msvc toolchain does not have pSid pointer
580 * member in Trustee union. So assign owner SID to ptstrName pointer
581 * member which aliases with pSid pointer member in the same union.
583 explicit_access.Trustee.ptstrName = (PVOID)owner->Owner;
585 if (MySetEntriesInAcl(1, &explicit_access, *old_dacl, &new_dacl) != ERROR_SUCCESS)
587 LocalFree(*security_descriptor);
593 if (MySetSecurityInfo(*token, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, new_dacl, NULL) != ERROR_SUCCESS)
595 LocalFree(*security_descriptor);
606 * Revert particular granted permissions in specified access token done by
607 * grant_process_token_dacl_permissions() call.
610 revert_token_dacl_permissions(HANDLE token, PACL old_dacl, PSECURITY_DESCRIPTOR security_descriptor)
612 SetSecurityInfoProt MySetSecurityInfo;
616 * This source file already uses advapi32.dll library, so it is
617 * linked to executable and automatically loaded when starting
618 * current running process.
620 advapi32 = GetModuleHandle(TEXT("advapi32.dll"));
623 MySetSecurityInfo = (SetSecurityInfoProt)(LPVOID)GetProcAddress(advapi32, "SetSecurityInfo");
624 MySetSecurityInfo(token, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, old_dacl, NULL);
627 LocalFree(security_descriptor);
632 * Change error mode of the current thread. If it is not possible then change
633 * error mode of the whole process. Always returns previous error mode.
636 change_error_mode(UINT new_mode)
638 SetThreadErrorModeProt MySetThreadErrorMode = NULL;
643 * Function SetThreadErrorMode() was introduced in Windows 7, so use
644 * GetProcAddress() for compatibility with older systems.
646 kernel32 = GetModuleHandle(TEXT("kernel32.dll"));
648 MySetThreadErrorMode = (SetThreadErrorModeProt)(LPVOID)GetProcAddress(kernel32, "SetThreadErrorMode");
650 if (MySetThreadErrorMode &&
651 MySetThreadErrorMode(new_mode, &old_mode))
655 * Fallback to function SetErrorMode() which modifies error mode of the
656 * whole process and returns old mode.
658 return SetErrorMode(new_mode);
662 * Open process handle specified by the process id with the query right and
663 * optionally also with vm read right.
666 open_process_for_query(DWORD pid, BOOL with_vm_read)
668 BOOL revert_only_privilege;
669 LUID luid_debug_privilege;
670 OSVERSIONINFO version;
676 * Some processes on Windows Vista and higher systems can be opened only
677 * with PROCESS_QUERY_LIMITED_INFORMATION right. This right is enough
678 * for accessing primary process token. But this right is not supported
679 * on older pre-Vista systems. When the current thread on these older
680 * systems does not have Debug privilege then OpenProcess() fails with
681 * ERROR_ACCESS_DENIED. If the current thread has Debug privilege then
682 * OpenProcess() success and returns handle to requested process.
683 * Problem is that this handle does not have PROCESS_QUERY_INFORMATION
684 * right and so cannot be used for accessing primary process token
685 * on those older systems. Moreover it has zero rights and therefore
686 * such handle is fully useless. So never try to use open process with
687 * PROCESS_QUERY_LIMITED_INFORMATION right on older systems than
688 * Windows Vista (NT 6.0).
690 version.dwOSVersionInfoSize = sizeof(version);
691 if (GetVersionEx(&version) &&
692 version.dwPlatformId == VER_PLATFORM_WIN32_NT &&
693 version.dwMajorVersion >= 6)
694 process_right = PROCESS_QUERY_LIMITED_INFORMATION;
696 process_right = PROCESS_QUERY_INFORMATION;
699 process_right |= PROCESS_VM_READ;
701 process = OpenProcess(process_right, FALSE, pid);
706 * It is possible to open only processes to which owner of the current
707 * thread access token has permissions. For opening other processing it
708 * is required to have Debug privilege enabled. By default local
709 * administrators have this privilege, but it is disabled. So try to
710 * enable it and then try to open process again.
713 if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid_debug_privilege))
716 if (!enable_privilege(luid_debug_privilege, &revert_token, &revert_only_privilege))
719 process = OpenProcess(process_right, FALSE, pid);
721 revert_privilege(luid_debug_privilege, revert_token, revert_only_privilege);
727 * Check if process image path name (wide string) matches exe file name
728 * (7-bit ASCII string). Do case-insensitive string comparison. Process
729 * image path name can be in any namespace format (DOS, Win32, UNC, ...).
732 check_process_name(LPCWSTR path, DWORD path_length, LPCSTR exe_file)
734 DWORD exe_file_length;
740 while (exe_file[exe_file_length] != '\0')
743 /* Path must have backslash before exe file name. */
744 if (exe_file_length >= path_length ||
745 path[path_length-exe_file_length-1] != L'\\')
748 for (i = 0; i < exe_file_length; i++)
750 c1 = path[path_length-exe_file_length+i];
753 * Input string for comparison is 7-bit ASCII and file name part
754 * of path must not contain backslash as it is path separator.
756 if (c1 >= 0x80 || c2 >= 0x80 || c1 == L'\\')
758 if (c1 >= L'a' && c1 <= L'z')
760 if (c2 >= 'a' && c2 <= 'z')
769 /* Open process handle with the query right specified by process exe file. */
771 find_and_open_process_for_query(LPCSTR exe_file)
773 GetProcessImageFileNameWProt MyGetProcessImageFileNameW;
774 GetModuleFileNameExWProt MyGetModuleFileNameExW;
775 EnumProcessesProt MyEnumProcesses;
776 HMODULE kernel32, psapi;
777 UINT prev_error_mode;
789 kernel32 = GetModuleHandle(TEXT("kernel32.dll"));
794 * On Windows 7 and higher systems these functions are available in
795 * kernel32.dll library with K32 prefix.
797 MyGetModuleFileNameExW = NULL;
798 MyGetProcessImageFileNameW = (GetProcessImageFileNameWProt)(LPVOID)GetProcAddress(kernel32, "K32GetProcessImageFileNameW");
799 MyEnumProcesses = (EnumProcessesProt)(LPVOID)GetProcAddress(kernel32, "K32EnumProcesses");
800 if (!MyGetProcessImageFileNameW || !MyEnumProcesses)
803 * On older NT-based systems these functions are available in
804 * psapi.dll library without K32 prefix.
806 prev_error_mode = change_error_mode(SEM_FAILCRITICALERRORS);
807 psapi = LoadLibrary(TEXT("psapi.dll"));
808 change_error_mode(prev_error_mode);
814 * Function GetProcessImageFileNameW() is available in
815 * Windows XP and higher systems. On older versions is
816 * available function GetModuleFileNameExW().
818 MyGetProcessImageFileNameW = (GetProcessImageFileNameWProt)(LPVOID)GetProcAddress(psapi, "GetProcessImageFileNameW");
819 MyGetModuleFileNameExW = (GetModuleFileNameExWProt)(LPVOID)GetProcAddress(psapi, "GetModuleFileNameExW");
820 MyEnumProcesses = (EnumProcessesProt)(LPVOID)GetProcAddress(psapi, "EnumProcesses");
821 if ((!MyGetProcessImageFileNameW && !MyGetModuleFileNameExW) || !MyEnumProcesses)
828 /* Make initial buffer size for 1024 processes. */
829 size = 1024 * sizeof(*processes);
832 processes = (DWORD *)LocalAlloc(LPTR, size);
840 if (!MyEnumProcesses(processes, size, &length))
842 LocalFree(processes);
847 else if (size == length)
850 * There is no indication given when the buffer is too small to
851 * store all process identifiers. Therefore if returned length
852 * is same as buffer size there can be more processes. Call
853 * again with larger buffer.
855 LocalFree(processes);
861 count = length / sizeof(*processes);
863 for (i = 0; i < count; i++)
865 /* Skip System Idle Process. */
866 if (processes[i] == 0)
870 * Function GetModuleFileNameExW() requires additional
871 * PROCESS_VM_READ right as opposite to function
872 * GetProcessImageFileNameW() which does not need it.
874 process = open_process_for_query(processes[i], MyGetProcessImageFileNameW ? FALSE : TRUE);
879 * Set initial buffer size to 256 (wide) characters.
880 * Final path length on the modern NT-based systems can be also larger.
883 found_process = FALSE;
887 path = (LPWSTR)LocalAlloc(LPTR, size * sizeof(*path));
891 if (MyGetProcessImageFileNameW)
892 length = MyGetProcessImageFileNameW(process, path, size);
894 length = MyGetModuleFileNameExW(process, NULL, path, size);
896 error = GetLastError();
899 * GetModuleFileNameEx() returns zero and signal error ERROR_PARTIAL_COPY
900 * when remote process is in the middle of updating its module table.
901 * Sleep 10 ms and try again, max 10 attempts.
903 if (!MyGetProcessImageFileNameW)
905 if (length == 0 && error == ERROR_PARTIAL_COPY && partial_retry++ < 10)
914 * When buffer is too small then function GetModuleFileNameEx() returns
915 * its size argument on older systems (Windows XP) or its size minus
916 * argument one on new systems (Windows 10) without signalling any error.
917 * Function GetProcessImageFileNameW() on the other hand returns zero
918 * value and signals error ERROR_INSUFFICIENT_BUFFER. So in all these
919 * cases call function again with larger buffer.
922 if (MyGetProcessImageFileNameW && length == 0 && error != ERROR_INSUFFICIENT_BUFFER)
925 if ((MyGetProcessImageFileNameW && length == 0) ||
926 (!MyGetProcessImageFileNameW && (length == size || length == size-1)))
933 if (length && check_process_name(path, length, exe_file))
934 found_process = TRUE;
946 CloseHandle(process);
950 LocalFree(processes);
959 * Try to open primary access token of the particular process with specified
960 * rights. Before opening access token try to adjust DACL permissions of the
961 * primary process access token, so following open does not fail on error
962 * related to no open permissions. Revert DACL permissions after open attempt.
963 * As following steps are not atomic, try to execute them more times in case
964 * of possible race conditions caused by other threads or processes.
967 try_grant_permissions_and_open_process_token(HANDLE process, DWORD rights)
969 PSECURITY_DESCRIPTOR security_descriptor;
977 * This code is not atomic. Between grant and open calls can other
978 * thread or process change or revert permissions. So try to execute
981 for (retry = 0; retry < 10; retry++)
983 if (!grant_process_token_dacl_permissions(process, rights, &grant_token, &old_dacl, &security_descriptor))
985 if (!OpenProcessToken(process, rights, &token))
988 error = GetLastError();
990 revert_token_dacl_permissions(grant_token, old_dacl, security_descriptor);
993 else if (error != ERROR_ACCESS_DENIED)
1001 * Open primary access token of particular process handle with specified rights.
1002 * If permissions for specified rights are missing then try to grant them.
1005 open_process_token_with_rights(HANDLE process, DWORD rights)
1010 /* First try to open primary access token of process handle directly. */
1011 if (OpenProcessToken(process, rights, &token))
1015 * If opening failed then it means that owner of the current thread
1016 * access token does not have permission for it. Try it again with
1017 * primary process access token.
1019 if (change_token_to_primary(&old_token))
1021 if (!OpenProcessToken(process, rights, &token))
1023 revert_to_token(old_token);
1029 * If opening is still failing then try to grant specified permissions
1030 * for the current thread and try to open it again.
1032 token = try_grant_permissions_and_open_process_token(process, rights);
1037 * And if it is still failing then try it again with granting
1038 * permissions for the primary process token of the current process.
1040 if (change_token_to_primary(&old_token))
1042 token = try_grant_permissions_and_open_process_token(process, rights);
1043 revert_to_token(old_token);
1049 * TODO: Sorry, no other option for now...
1050 * It could be possible to use Take Ownership Name privilege to
1051 * temporary change token owner of specified process to the owner of
1052 * the current thread token, grant permissions for current thread in
1053 * that process token, change ownership back to original one, open
1054 * that process token and revert granted permissions. But this is
1055 * not implemented yet.
1061 * Set x86 I/O Privilege Level to 3 for the whole current NT process. Do it via
1062 * NtSetInformationProcess() call with ProcessUserModeIOPL information class,
1063 * which is supported by 32-bit Windows NT kernel versions and requires Tcb
1067 SetProcessUserModeIOPL(VOID)
1069 NtSetInformationProcessProt MyNtSetInformationProcess;
1071 LUID luid_tcb_privilege;
1072 LUID luid_impersonate_privilege;
1074 HANDLE revert_token_tcb_privilege;
1075 BOOL revert_only_tcb_privilege;
1077 HANDLE revert_token_impersonate_privilege;
1078 BOOL revert_only_impersonate_privilege;
1080 BOOL impersonate_privilege_enabled;
1082 BOOL revert_to_old_token;
1085 HANDLE lsass_process;
1088 UINT prev_error_mode;
1093 impersonate_privilege_enabled = FALSE;
1094 revert_to_old_token = FALSE;
1098 /* Fast path when ProcessUserModeIOPL was already called. */
1099 if (read_iopl() == 3)
1103 * Load ntdll.dll library with disabled critical-error-handler message box.
1104 * It means that NT kernel does not show unwanted GUI message box to user
1105 * when LoadLibrary() function fails.
1107 prev_error_mode = change_error_mode(SEM_FAILCRITICALERRORS);
1108 ntdll = LoadLibrary(TEXT("ntdll.dll"));
1109 change_error_mode(prev_error_mode);
1111 goto err_not_implemented;
1113 /* Retrieve pointer to NtSetInformationProcess() function. */
1114 MyNtSetInformationProcess = (NtSetInformationProcessProt)(LPVOID)GetProcAddress(ntdll, "NtSetInformationProcess");
1115 if (!MyNtSetInformationProcess)
1116 goto err_not_implemented;
1119 * ProcessUserModeIOPL is syscall for NT kernel to change x86 IOPL
1120 * of the current running process to 3.
1122 * Process handle argument for ProcessUserModeIOPL is ignored and
1123 * IOPL is always changed for the current running process. So pass
1124 * GetCurrentProcess() handle for documentation purpose. Process
1125 * information buffer and length are unused for ProcessUserModeIOPL.
1127 * ProcessUserModeIOPL may success (return value >= 0) or may fail
1128 * because it is not implemented or because of missing privilege.
1129 * Other errors are not defined, so handle them as unknown.
1131 nt_status = MyNtSetInformationProcess(GetCurrentProcess(), ProcessUserModeIOPL, NULL, 0);
1134 else if (nt_status == STATUS_NOT_IMPLEMENTED)
1135 goto err_not_implemented;
1136 else if (nt_status != STATUS_PRIVILEGE_NOT_HELD)
1140 * If ProcessUserModeIOPL call failed with STATUS_PRIVILEGE_NOT_HELD
1141 * error then it means that the current thread token does not have
1142 * Tcb privilege enabled. Try to enable it.
1145 if (!LookupPrivilegeValue(NULL, SE_TCB_NAME, &luid_tcb_privilege))
1146 goto err_not_implemented;
1149 * If the current thread has already Tcb privilege enabled then there
1150 * is some additional unhanded restriction.
1152 if (have_privilege(luid_tcb_privilege))
1153 goto err_privilege_not_held;
1155 /* Try to enable Tcb privilege and try ProcessUserModeIOPL call again. */
1156 if (enable_privilege(luid_tcb_privilege, &revert_token_tcb_privilege, &revert_only_tcb_privilege))
1158 nt_status = MyNtSetInformationProcess(GetCurrentProcess(), ProcessUserModeIOPL, NULL, 0);
1159 revert_privilege(luid_tcb_privilege, revert_token_tcb_privilege, revert_only_tcb_privilege);
1162 else if (nt_status == STATUS_NOT_IMPLEMENTED)
1163 goto err_not_implemented;
1164 else if (nt_status == STATUS_PRIVILEGE_NOT_HELD)
1165 goto err_privilege_not_held;
1171 * If enabling of Tcb privilege failed then it means that current thread
1172 * does not this privilege. But current process may have it. So try it
1173 * again with primary process access token.
1177 * If system supports Impersonate privilege (Windows 2000 SP4 or higher) then
1178 * all future actions in this function require this Impersonate privilege.
1179 * So try to enable it in case it is currently disabled.
1181 if (LookupPrivilegeValue(NULL, SE_IMPERSONATE_NAME, &luid_impersonate_privilege) &&
1182 !have_privilege(luid_impersonate_privilege))
1185 * If current thread does not have Impersonate privilege enabled
1186 * then first try to enable it just for the current thread. If
1187 * it is not possible to enable it just for the current thread
1188 * then try it to enable globally for whole process (which
1189 * affects all process threads). Both actions will be reverted
1190 * at the end of this function.
1192 if (enable_privilege(luid_impersonate_privilege, &revert_token_impersonate_privilege, &revert_only_impersonate_privilege))
1194 impersonate_privilege_enabled = TRUE;
1196 else if (enable_privilege(luid_impersonate_privilege, NULL, NULL))
1198 impersonate_privilege_enabled = TRUE;
1199 revert_token_impersonate_privilege = NULL;
1200 revert_only_impersonate_privilege = TRUE;
1204 goto err_privilege_not_held;
1208 * Now when Impersonate privilege is enabled, try to enable Tcb
1209 * privilege again. Enabling other privileges for the current
1210 * thread requires Impersonate privilege, so enabling Tcb again
1213 if (enable_privilege(luid_tcb_privilege, &revert_token_tcb_privilege, &revert_only_tcb_privilege))
1215 nt_status = MyNtSetInformationProcess(GetCurrentProcess(), ProcessUserModeIOPL, NULL, 0);
1216 revert_privilege(luid_tcb_privilege, revert_token_tcb_privilege, revert_only_tcb_privilege);
1219 else if (nt_status == STATUS_NOT_IMPLEMENTED)
1220 goto err_not_implemented;
1221 else if (nt_status == STATUS_PRIVILEGE_NOT_HELD)
1222 goto err_privilege_not_held;
1229 * If enabling Tcb privilege failed then it means that the current
1230 * thread access token does not have this privilege or does not
1231 * have permission to adjust privileges.
1233 * Try to use more privileged token from Local Security Authority
1234 * Subsystem Service process (lsass.exe) which has Tcb privilege.
1235 * Retrieving this more privileged token is possible for local
1236 * administrators (unless it was disabled by local administrators).
1239 lsass_process = find_and_open_process_for_query("lsass.exe");
1241 goto err_privilege_not_held;
1244 * Open primary lsass.exe process access token with query and duplicate
1245 * rights. Just these two rights are required for impersonating other
1246 * primary process token (impersonate right is really not required!).
1248 lsass_token = open_process_token_with_rights(lsass_process, TOKEN_QUERY | TOKEN_DUPLICATE);
1250 CloseHandle(lsass_process);
1253 goto err_privilege_not_held;
1256 * After successful open of the primary lsass.exe process access token,
1257 * assign its copy for the current thread.
1259 if (!change_token(lsass_token, &old_token))
1260 goto err_privilege_not_held;
1262 revert_to_old_token = TRUE;
1264 nt_status = MyNtSetInformationProcess(GetCurrentProcess(), ProcessUserModeIOPL, NULL, 0);
1265 if (nt_status == STATUS_PRIVILEGE_NOT_HELD)
1268 * Now current thread is not using primary process token anymore
1269 * but is using custom access token. There is no need to revert
1270 * enabled Tcb privilege as the whole custom access token would
1271 * be reverted. So there is no need to setup revert method for
1272 * enabling privilege.
1274 if (have_privilege(luid_tcb_privilege) ||
1275 !enable_privilege(luid_tcb_privilege, NULL, NULL))
1276 goto err_privilege_not_held;
1277 nt_status = MyNtSetInformationProcess(GetCurrentProcess(), ProcessUserModeIOPL, NULL, 0);
1281 else if (nt_status == STATUS_NOT_IMPLEMENTED)
1282 goto err_not_implemented;
1283 else if (nt_status == STATUS_PRIVILEGE_NOT_HELD)
1284 goto err_privilege_not_held;
1290 * Some Windows NT kernel versions (e.g. Windows 2003 x64) do not
1291 * implement ProcessUserModeIOPL syscall at all but incorrectly
1292 * returns success when it is called by user process. So always
1293 * after this call verify that IOPL is set to 3.
1295 if (read_iopl() != 3)
1296 goto err_not_implemented;
1300 err_not_implemented:
1301 SetLastError(ERROR_INVALID_FUNCTION);
1305 err_privilege_not_held:
1306 SetLastError(ERROR_PRIVILEGE_NOT_HELD);
1311 SetLastError(ERROR_GEN_FAILURE);
1316 if (revert_to_old_token)
1317 revert_to_token(old_token);
1319 if (impersonate_privilege_enabled)
1320 revert_privilege(luid_impersonate_privilege, revert_token_impersonate_privilege, revert_only_impersonate_privilege);
1323 CloseHandle(lsass_token);
1332 intel_setup_io(struct pci_access *a)
1335 /* 16/32-bit non-NT systems allow applications to access PCI I/O ports without any special setup. */
1336 OSVERSIONINFOA version;
1337 version.dwOSVersionInfoSize = sizeof(version);
1338 if (GetVersionExA(&version) && version.dwPlatformId < VER_PLATFORM_WIN32_NT)
1340 a->debug("Detected 16/32-bit non-NT system, skipping NT setup...");
1345 /* On NT-based systems issue ProcessUserModeIOPL syscall which changes IOPL to 3. */
1346 if (!SetProcessUserModeIOPL())
1348 DWORD error = GetLastError();
1349 a->debug("NT ProcessUserModeIOPL call failed: %s.", error == ERROR_INVALID_FUNCTION ? "Not Implemented" : error == ERROR_PRIVILEGE_NOT_HELD ? "Access Denied" : "Operation Failed");
1353 a->debug("NT ProcessUserModeIOPL call succeeded...");
1358 intel_cleanup_io(struct pci_access *a UNUSED)
1361 * 16/32-bit non-NT systems do not use any special setup and on NT-based
1362 * systems ProcessUserModeIOPL permanently changes IOPL to 3 for the current
1363 * NT process, no revert for current process is possible.
1367 static inline void intel_io_lock(void)
1371 static inline void intel_io_unlock(void)