1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
|
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
//
// ProfAttach.cpp
//
//
// Definitions of functions that help with attaching and detaching profilers
//
// ======================================================================================
#include "common.h"
#ifdef FEATURE_PROFAPI_ATTACH_DETACH
#include <sddl.h> // Windows security descriptor language
#include <SecurityUtil.h>
#include "eeprofinterfaces.h"
#include "eetoprofinterfaceimpl.h"
#include "corprof.h"
#include "proftoeeinterfaceimpl.h"
#include "proftoeeinterfaceimpl.inl"
#include "profilinghelper.h"
#include "profilinghelper.inl"
#include "profattach.h"
#include "profattach.inl"
#include "securitywrapper.h"
#include "profattachserver.h"
#include "profattachserver.inl"
#include "profattachclient.h"
#include "profdetach.h"
PSECURITY_DESCRIPTOR ProfilingAPIAttachDetach::s_pSecurityDescriptor = NULL;
HANDLE ProfilingAPIAttachDetach::s_hAttachEvent = NULL;
ProfilingAPIAttachDetach::AttachThreadingMode ProfilingAPIAttachDetach::s_attachThreadingMode =
ProfilingAPIAttachDetach::kUninitialized;
BOOL ProfilingAPIAttachDetach::s_fInitializeCalled = FALSE;
// Both the trigger (via code:ProfilingAPIAttachClient) and the target profilee (via
// code:ProfilingAPIAttachServer) use this constant to identify their own version.
const VersionBlock ProfilingAPIAttachDetach::kCurrentProcessVersion(
CLR_MAJOR_VERSION,
CLR_MINOR_VERSION,
CLR_BUILD_VERSION,
CLR_BUILD_VERSION_QFE);
// Note that the following two VersionBlocks are initialized with static numerals rather
// than using the VER_* preproc defines, as we don't want these VersionBlocks to change
// on us from version to version unless we explicitly make a choice to begin breaking
// compatibility between triggers and profilees (and hopefully we won't need to do this
// ever!).
// A profilee compiled into this mscorwks.dll states that it can only interoperate with
// triggers (i.e., AttachProfiler() implementations (pipe clients)) whose runtime version
// is >= this constant.
//
// This value should not change as new runtimes are released unless
// code:ProfilingAPIAttachServer is modified to accept newer requests or send newer
// response messages in a way incompatible with older code:ProfilingAPIAttachClient
// objects implementing AttachProfiler(). And that is generally discouraged anyway.
const VersionBlock ProfilingAPIAttachDetach::kMinimumAllowableTriggerVersion(
4,
0,
0,
0);
// An AttachProfiler() implementation compiled into this mscorwks.dll, and called within
// a trigger process, can only interoperate with target profilee apps (pipe servers)
// whose runtime version is >= this constant.
//
// This value should not change as new runtimes are released unless
// code:ProfilingAPIAttachClient is modified to send newer request or interpret newer
// response messages in a way incompatible with older code:ProfilingAPIAttachServer
// objects implementing the pipe server. And that is generally discouraged anyway.
const VersionBlock ProfilingAPIAttachDetach::kMinimumAllowableProfileeVersion(
4,
0,
0,
0);
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::OverlappedResultHolder implementation. See
// code:ProfilingAPIAttachDetach::OverlappedResultHolder for more information
//
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::OverlappedResultHolder::Initialize
//
// Description:
// Call this first! This initializes the contained OVERLAPPED structure
//
// Return Value:
// Returns E_OUTOFMEMORY if OVERLAPPED structure could not be allocated.
// Else S_OK.
//
HRESULT ProfilingAPIAttachDetach::OverlappedResultHolder::Initialize()
{
CONTRACTL
{
NOTHROW;
GC_NOTRIGGER;
SO_INTOLERANT;
MODE_ANY;
}
CONTRACTL_END;
Assign(new (nothrow) OVERLAPPED);
if (m_value == NULL)
{
return E_OUTOFMEMORY;
}
memset(m_value, 0, sizeof(OVERLAPPED));
return S_OK;
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::OverlappedResultHolder::Wait
//
// Description:
// Uses the contained OVERLAPPED structure (pointed to by m_value) to call
// WaitForSingleObject to wait for an overlapped read or write on the pipe to complete
// (or timeout).
//
// Arguments:
// * dwMillisecondsMax - [in] Timeout for the wait
// * hPipe - [in] Handle to the pipe object carrying out the request (may be either a
// server or client pipe handle).
// * pcbReceived - [out] Number of bytes received from the overlapped request
//
// Return Value:
// HRESULT indicating success or failure
//
// Assumptions:
// * Must call code:ProfilingAPIAttachDetach::OverlappedResultHolder::Initialize first
HRESULT ProfilingAPIAttachDetach::OverlappedResultHolder::Wait(
DWORD dwMillisecondsMax,
HANDLE hPipe,
DWORD * pcbReceived)
{
CONTRACTL
{
THROWS;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
_ASSERTE(IsValidHandle(hPipe));
_ASSERTE(m_value != NULL);
_ASSERTE(pcbReceived != NULL);
HRESULT hr = E_UNEXPECTED;
// Since the OVERLAPPED structure referenced by m_value contains a NULL event, the OS
// will signal hPipe itself when the operation is complete
switch (WaitForSingleObject(hPipe, dwMillisecondsMax))
{
default:
_ASSERTE(!"Unexpected return from WaitForSingleObject()");
hr = E_UNEXPECTED;
break;
case WAIT_FAILED:
hr = HRESULT_FROM_GetLastError();
break;
case WAIT_TIMEOUT:
hr = HRESULT_FROM_WIN32(ERROR_TIMEOUT);
break;
case WAIT_OBJECT_0:
// Operation finished in time. Get the results
if (!GetOverlappedResult(
hPipe,
m_value,
pcbReceived,
TRUE)) // bWait: operation is done, so this returns immediately anyway
{
hr = HRESULT_FROM_GetLastError();
}
else
{
hr = S_OK;
}
break;
}
// The gymnastics below are to ensure that Windows is done with the overlapped
// structure, so we know it's safe to allow the base class (NewHolder) to free it
// when the destructor is called.
if (SUCCEEDED(hr))
{
// Operation successful, so we're done with the OVERLAPPED structure pointed to
// by m_value and may return
return hr;
}
_ASSERTE(FAILED(hr));
// There was a failure waiting for or retrieving the result. Cancel the operation and
// wait again for verification that the operation is completed or canceled.
// Note that we're ignoring whether CancelIo succeeds or fails, as our action is the
// same either way: Wait on the pipe again to verify that no active operation remains.
CancelIo(hPipe);
if (WaitForSingleObject(hPipe, dwMillisecondsMax) == WAIT_OBJECT_0)
{
// Typical case: The wait returns successfully and quickly, so we have
// verification that the OVERLAPPED structured pointed to by m_value is done
// being used.
return hr;
}
// Atypical case: For all our trying, we're unable to force this request to end
// before returning. Therefore, we're intentionally leaking the OVERLAPPED structured
// pointed to by m_value, as Windows may write to it at a later time.
SuppressRelease();
return hr;
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::ProfilingAPIAttachThreadStart
//
// Description:
// Thread proc for AttachThread. Serves as simple try/catch wrapper around
// ProfilingAPIAttachThreadMain
//
// Arguments:
// * LPVOID thread proc param is ignored
//
// Return Value:
// Just returns 0 always.
//
// static
DWORD WINAPI ProfilingAPIAttachDetach::ProfilingAPIAttachThreadStart(LPVOID)
{
CONTRACTL
{
NOTHROW;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
// At start of this thread, set its type so SOS !threads and anyone else knows who we
// are.
ClrFlsSetThreadType(ThreadType_ProfAPI_Attach);
LOG((
LF_CORPROF,
LL_INFO10,
"**PROF: AttachThread created and executing.\n"));
// This try block is a last-ditch stop-gap to prevent an unhandled exception on the
// AttachThread from bringing down the process. Note that if the unhandled
// exception is a terminal one, then hey, sure, let's tear everything down. Also
// note that any naughtiness in the profiler (e.g., throwing an exception from its
// Initialize callback) should already be handled before we pop back to here, so this
// is just being super paranoid.
EX_TRY
{
// Don't care about return value, thread proc will just return 0 regardless
ProfilingAPIAttachThreadMain();
}
EX_CATCH
{
_ASSERTE(!"Unhandled exception on profiling API attach / detach thread");
}
EX_END_CATCH(RethrowTerminalExceptions);
LOG((
LF_CORPROF,
LL_INFO10,
"**PROF: AttachThread exiting.\n"));
return 0;
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::ProfilingAPIAttachThreadMain
//
// Description:
// Main code for AttachThread. Includes all attach functionality.
//
// Return Value:
// S_OK if a profiler ever attached, error HRESULT otherwise
//
// static
HRESULT ProfilingAPIAttachDetach::ProfilingAPIAttachThreadMain()
{
CONTRACTL
{
THROWS;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
HRESULT hr;
ProfilingAPIAttachServer attachServer;
hr = attachServer.ExecutePipeRequests();
if (FAILED(hr))
{
// No profiler got attached, so we're done
return hr;
}
// If we made it here, a profiler was successfully attached. It would be nice to be
// able to assert g_profControlBlock.curProfStatus.Get() == kProfStatusActive, but
// that's prone to a theoretical race: the profiler might have attached and detached
// by the time we get here.
return S_OK;
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::InitSecurityAttributes
//
// Description:
// Initializes a SECURITY_ATTRIBUTES struct using the result of
// code:ProfilingAPIAttachDetach::GetSecurityDescriptor
//
// Arguments:
// * pSecAttrs - [in/out] SECURITY_ATTRIBUTES struct to initialize
// * cbSecAttrs - Size in bytes of *pSecAttrs
//
// Return Value:
// HRESULT indicating success or failure
//
// static
HRESULT ProfilingAPIAttachDetach::InitSecurityAttributes(
SECURITY_ATTRIBUTES * pSecAttrs,
DWORD cbSecAttrs)
{
CONTRACTL
{
THROWS;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
PSECURITY_DESCRIPTOR psd = NULL;
HRESULT hr = GetSecurityDescriptor(&psd);
if (FAILED(hr))
{
return hr;
}
_ASSERTE(psd != NULL);
memset(pSecAttrs, 0, cbSecAttrs);
pSecAttrs->nLength = cbSecAttrs;
pSecAttrs->lpSecurityDescriptor = psd;
pSecAttrs->bInheritHandle = FALSE;
return S_OK;
}
//---------------------------------------------------------------------------------------
//
// Helper function that gets the string (SDDL) form of the mandatory SID for this
// process. This encodes the integrity level of the process for use in security
// descriptors. The integrity level is capped at "high". See code:#HighGoodEnough.
//
// Arguments:
// * pwszIntegritySidString - [out] On return will point to a buffer allocated by
// Windows that contains the string representation of the SID. If
// GetIntegritySidString succeeds, the caller is responsible for freeing
// *pwszIntegritySidString via LocalFree().
//
// Return Value:
// HRESULT indicating success or failure.
//
//
static HRESULT GetIntegritySidString(__out LPWSTR * pwszIntegritySidString)
{
CONTRACTL
{
NOTHROW;
GC_NOTRIGGER;
MODE_ANY;
CANNOT_TAKE_LOCK;
}
CONTRACTL_END;
HRESULT hr;
_ASSERTE(pwszIntegritySidString != NULL);
NewArrayHolder<BYTE> pbLabel;
// This grabs the mandatory label SID of the current process. We will write this
// SID into the security descriptor, to ensure that triggers of lower integrity
// levels may NOT access the object... with one exception. See code:#HighGoodEnough
hr = SecurityUtil::GetMandatoryLabelFromProcess(GetCurrentProcess(), &pbLabel);
if (FAILED(hr))
{
return hr;
}
TOKEN_MANDATORY_LABEL * ptml = (TOKEN_MANDATORY_LABEL *) pbLabel.GetValue();
// #HighGoodEnough:
// The mandatory label SID we write into the security descriptor is the same as that
// of the current process, with one exception. If the current process's integrity
// level > high (e.g., ASP.NET running at "system" integrity level), then write
// "high" into the security descriptor instead of the current process's actual
// integrity level. This allows a high integrity trigger to access the object. This
// implements the policy that a high integrity level is "good enough" to profile any
// process, even if the target process is at an even higher integrity level than
// "high". Why have this policy:
// * A high integrity process represents an elevated admin, which morally equates
// to a principal that should have complete control over the machine. This
// includes debugging or profiling any process.
// * According to a security expert dev on Windows, integrity level is not a
// "security feature". It's mainly useful as defense-in-depth or to protect
// IE users and admins from themselves in most cases.
// * It's impossible to spawn a system integrity trigger process outside of
// session 0 services. So profiling ASP.NET would be crazy hard without this
// policy.
DWORD * pdwIntegrityLevel = SecurityUtil::GetIntegrityLevelFromMandatorySID(ptml->Label.Sid);
if (*pdwIntegrityLevel > SECURITY_MANDATORY_HIGH_RID)
{
*pdwIntegrityLevel = SECURITY_MANDATORY_HIGH_RID;
}
if (!ConvertSidToStringSid(ptml->Label.Sid, pwszIntegritySidString))
{
return HRESULT_FROM_GetLastError();
}
return S_OK;
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::GetSecurityDescriptor
//
// Description:
// Generates a security descriptor based on an ACL containing (1) an ACE that allows
// the current user read / write and (2) an ACE that allows admins read / write.
// Resulting security descriptor is returned in an [out] param, and is also cached for
// future use.
//
// Arguments:
// * ppsd - [out] Generated (or cached) security descriptor
//
// Return Value:
// HRESULT indicating success or failure.
//
// static
HRESULT ProfilingAPIAttachDetach::GetSecurityDescriptor(PSECURITY_DESCRIPTOR * ppsd)
{
CONTRACTL
{
THROWS;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
_ASSERTE(ppsd != NULL);
if (s_pSecurityDescriptor != NULL)
{
*ppsd = s_pSecurityDescriptor;
return S_OK;
}
// Get the user SID for the DACL
PSID psidUser = NULL;
HRESULT hr = ProfilingAPIUtility::GetCurrentProcessUserSid(&psidUser);
if (FAILED(hr))
{
return hr;
}
WinAllocatedBlockHolder pvCurrentUserSidString;
if (!ConvertSidToStringSid(psidUser, (LPWSTR *)(LPVOID *) &pvCurrentUserSidString))
{
return HRESULT_FROM_GetLastError();
}
// Get the integrity / mandatory SID for the SACL, if Vista+
LPCWSTR pwszIntegritySid = NULL;
WinAllocatedBlockHolder pvIntegritySidString;
hr = GetIntegritySidString((LPWSTR *) (LPVOID *) &pvIntegritySidString);
if (FAILED(hr))
{
return hr;
}
pwszIntegritySid = (LPCWSTR) pvIntegritySidString.GetValue();
ULONG cbsd;
StackSString sddlSecurityDescriptor;
WinAllocatedBlockHolder pvSecurityDescriptor;
// The following API (ConvertStringSecurityDescriptorToSecurityDescriptorW) takes a
// string representation of a security descriptor (using the SDDL language), and
// returns back the security descriptor object to be used when defining the globally
// named event or pipe object. For a description of this language, go to the help on
// the API, and click on "string-format security descriptor":
// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_descriptor_string_format.asp
// or look through sddl.h.
// Cheat sheet for the subset of the format that we're using:
//
// Security Descriptor string:
// D:dacl_flags(string_ace1)(string_ace2)... (string_acen)
// Security SACL string:
// S:sacl_flags(string_ace1)(string_ace2)... (string_acen)
// Each string_ace:
// ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
//
// The following portions of the security descriptor string are NOT used:
// O:owner_sid (b/c we want current user to be the owner)
// G:group_sid (b/c not setting the primary group of the object)
// This reusable chunk defines the "(string_ace)" portion of the DACL. Given
// a SID, this makes an ACE for the SID with GENERIC_READ | GENERIC_WRITE access
#define ACE_STRING(AccountSidString) \
\
SDDL_ACE_BEGIN \
\
/* ace_type: "A;" An "allow" DACL (not "deny") */ \
SDDL_ACCESS_ALLOWED SDDL_SEPERATOR \
\
/* (skipping ace_flags, so that no child auto-inherits from this object) */ \
SDDL_SEPERATOR \
\
/* rights: "GRGW": GENERIC_READ | GENERIC_WRITE access allowed */ \
SDDL_GENERIC_READ SDDL_GENERIC_WRITE SDDL_SEPERATOR \
\
/* (skipping object_guid) */ \
SDDL_SEPERATOR \
\
/* (skipping inherit_object_guid) */ \
SDDL_SEPERATOR \
\
/* account_sid (filled in by macro user) */ \
AccountSidString \
\
SDDL_ACE_END
// First, construct the DACL
sddlSecurityDescriptor.Printf(
// "D:" This is a DACL
SDDL_DACL SDDL_DELIMINATOR
// dacl_flags:
// "P" This is protected (i.e., don't allow security descriptor to be modified
// by inheritable ACEs)
SDDL_PROTECTED
// (string_ace1)
// account_sid: "BA" built-in local administrators group
ACE_STRING(SDDL_BUILTIN_ADMINISTRATORS)
// (string_ace2)
// account_sid: to be filled in with the current process token's primary SID
ACE_STRING(W("%s")),
// current process token's primary SID
(LPCWSTR) (LPVOID) pvCurrentUserSidString);
// Next, add the SACL (Vista+ only)
if (pwszIntegritySid != NULL)
{
sddlSecurityDescriptor.AppendPrintf(
// "S:" This is a SACL -- for the integrity level of the current process
SDDL_SACL SDDL_DELIMINATOR
// The SACL ACE begins here
SDDL_ACE_BEGIN
// ace_type: "ML;" A Mandatory Label ACE (i.e., integrity level)
SDDL_MANDATORY_LABEL SDDL_SEPERATOR
// (skipping ace_flags, so that no child auto-inherits from this object)
SDDL_SEPERATOR
// rights: "NWNR;" If the trigger's integrity level is lower than the
// integrity level we're writing into this security descriptor, then that
// trigger may not read or write to this object.
SDDL_NO_WRITE_UP SDDL_NO_READ_UP SDDL_SEPERATOR
// (skipping object_guid)
SDDL_SEPERATOR
// (skipping inherit_object_guid)
SDDL_SEPERATOR
// To be filled in with the current process's mandatory label SID (which
// describes the current process's integrity level, capped at "high integrity")
W("%s")
SDDL_ACE_END,
// current process's mandatory label SID
pwszIntegritySid);
}
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(
sddlSecurityDescriptor.GetUnicode(),
SDDL_REVISION_1,
(PSECURITY_DESCRIPTOR *) (LPVOID *) &pvSecurityDescriptor,
&cbsd))
{
return HRESULT_FROM_GetLastError();
}
if (FastInterlockCompareExchangePointer(
&s_pSecurityDescriptor,
(PSECURITY_DESCRIPTOR) pvSecurityDescriptor,
NULL) == NULL)
{
// Ownership transferred to s_pSecurityDescriptor, so don't free it here
pvSecurityDescriptor.SuppressRelease();
}
_ASSERTE(s_pSecurityDescriptor != NULL);
*ppsd = s_pSecurityDescriptor;
return S_OK;
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::Initialize
//
// Description:
// Perform startup (one-time-only) initialization for attach / detach infrastructure.
// This includes the Global Attach Event, but does NOT include the Global Attach Pipe
// (which is created only on demand). This is lazily called the first time the
// finalizer asks for the attach event.
//
// Return Value:
// S_OK: Attach / detach infrastructure initialized ok
// S_FALSE: Attach / detach infrastructure not initialized, but for an acceptable reason
// (e.g., executing memory- or sync- hosted)
// else: error HRESULT indicating an unacceptable failure that prevented attach /
// detach infrastructure from initializing (e.g., security problem, OOM, etc.)
//
// Assumptions:
// * By the time this is called:
// * Configuration must have been read from the registry
// * If there is a host, it has already initialized its state, including its
// intent to memory-host or sync-host.
// * Finalizer thread is initializing and is first asking for the attach event.
//
// static
HRESULT ProfilingAPIAttachDetach::Initialize()
{
CONTRACTL
{
THROWS;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
// This one assert verifies two things:
// * 1. Configuration has been read from the registry, AND
// * 2. If there is a host, it has already initialized its state.
// #2 is implied by this assert, because the host initializes its state before
// EEStartup is even called: Host directly calls CorHost2::SetHostControl to
// initialize itself, announce whether the CLR will be memory hosted, sync hosted,
// etc., and then host calls CorHost2::Start, which calls EEStartup, which
// initializes configuration information. So if configuration information is
// available, the host must have already initialized itself.
//
// The reason we care is that, for profiling API attach to be enabled during this
// run, we need to have the finalizer thread wait on multiple sync objects. And
// waiting on multiple objects is disallowed if we're memory / sync-hosted. So we
// need to know now whether waiting on multiple objects is allowed, so we know
// whether we can initialize the Attach support objects.
_ASSERTE(g_pConfig != NULL);
// Even if we fail to create the event, this BOOL indicates we at least
// tried to.
_ASSERTE(!s_fInitializeCalled);
s_fInitializeCalled = TRUE;
INDEBUG(VerifyMessageStructureLayout());
InitializeAttachThreadingMode();
if (s_attachThreadingMode == kOnDemand)
{
return InitializeForOnDemandMode();
}
_ASSERTE(s_attachThreadingMode == kAlwaysOn);
return InitializeForAlwaysOnMode();
}
#ifdef _DEBUG
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::VerifyMessageStructureLayout
//
// Description:
// Debug-only function that asserts if there appear to be changes to structures that
// are not allowed to change (for backward-compatibility reasons). In particular:
// * VersionBlock must not change
// * BaseRequestMessage must not change
//
// static
void ProfilingAPIAttachDetach::VerifyMessageStructureLayout()
{
LIMITED_METHOD_CONTRACT;
// If any of these asserts fire, then VersionBlock is changing its binary
// layout in an incompatible way. Bad!
_ASSERTE(sizeof(VersionBlock) == 16);
_ASSERTE(offsetof(VersionBlock, m_dwMajor) == 0);
_ASSERTE(offsetof(VersionBlock, m_dwMinor) == 4);
_ASSERTE(offsetof(VersionBlock, m_dwBuild) == 8);
_ASSERTE(offsetof(VersionBlock, m_dwQFE) == 12);
// If any of these asserts fire, then GetVersionRequestMessage is changing its binary
// layout in an incompatible way. Bad!
_ASSERTE(sizeof(GetVersionRequestMessage) == 8);
_ASSERTE(offsetof(GetVersionRequestMessage, m_cbMessage) == 0);
_ASSERTE(offsetof(GetVersionRequestMessage, m_requestMessageType) == 4);
// If any of these asserts fire, then GetVersionResponseMessage is changing its binary
// layout in an incompatible way. Bad!
_ASSERTE(sizeof(GetVersionResponseMessage) == 36);
_ASSERTE(offsetof(GetVersionResponseMessage, m_hr) == 0);
_ASSERTE(offsetof(GetVersionResponseMessage, m_profileeVersion) == 4);
_ASSERTE(offsetof(GetVersionResponseMessage, m_minimumAllowableTriggerVersion) == 20);
}
#endif //_DEBUG
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::InitializeAttachThreadingMode
//
// Description:
// Looks at environment and GC mode to determine whether the AttachThread should
// always be around, or created only on demand. See
// code:ProfilingAPIAttachDetach::AttachThreadingMode.
//
// static
void ProfilingAPIAttachDetach::InitializeAttachThreadingMode()
{
CONTRACTL
{
THROWS;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
_ASSERTE(s_attachThreadingMode == kUninitialized);
// Environment variable trumps all, so check it first
DWORD dwAlwaysOn = g_pConfig->GetConfigDWORD_DontUse_(
CLRConfig::EXTERNAL_AttachThreadAlwaysOn,
GCHeapUtilities::IsServerHeap() ? 1 : 0); // Default depends on GC server mode
if (dwAlwaysOn == 0)
{
s_attachThreadingMode = kOnDemand;
}
else
{
s_attachThreadingMode = kAlwaysOn;
}
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::InitializeForAlwaysOnMode
//
// Description:
// Performs initialization specific to running in Always On mode. Specifically, this
// means creating the AttachThread. The attach event is not created in this case.
//
// Return Value:
// HRESULT indicating success or failure.
//
// static
HRESULT ProfilingAPIAttachDetach::InitializeForAlwaysOnMode()
{
CONTRACTL
{
THROWS;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
_ASSERTE(s_attachThreadingMode == kAlwaysOn);
LOG((LF_CORPROF, LL_INFO10, "**PROF: Attach AlwaysOn mode invoked; creating new AttachThread.\n"));
CreateAttachThread();
return S_OK;
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::InitializeForOnDemandMode
//
// Description:
// Performs initialization specific to running in On Demand mode. Specifically, this
// means creating the attach event. (The AttachThread will only be created when this
// event is signaled by a trigger process.)
//
// Return Value:
// HRESULT indicating success or failure.
//
// static
HRESULT ProfilingAPIAttachDetach::InitializeForOnDemandMode()
{
CONTRACTL
{
THROWS;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
_ASSERTE(s_attachThreadingMode == kOnDemand);
LOG((LF_CORPROF, LL_INFO10, "**PROF: Attach OnDemand mode invoked; creating attach event.\n"));
// The only part of attach that gets initialized before a profiler has
// actually requested to attach is the single global event that gets
// signaled from out-of-process.
StackSString attachEventName;
HRESULT hr;
hr = GetAttachEventName(::GetCurrentProcess(), &attachEventName);
if (FAILED(hr))
{
return hr;
}
// Deliberately NOT using CLREvent, as it does not have support for a global name.
// It's ok not to use CLREvent, as we're assured above that we're not sync-hosted,
// which means CLREvent would just use raw Windows events anyway.
SECURITY_ATTRIBUTES *psa = NULL;
SECURITY_ATTRIBUTES sa;
// Only assign security attributes for non-app container scenario
// We are assuming the default (blocking everything for app container scenario is good enough
if (!IsAppContainerProcess(::GetCurrentProcess()))
{
hr = InitSecurityAttributes(&sa, sizeof(sa));
if (FAILED(hr))
{
return hr;
}
psa = &sa;
}
_ASSERTE(s_hAttachEvent == NULL);
s_hAttachEvent = WszCreateEvent(
psa, // security attributes
FALSE, // bManualReset = FALSE: autoreset after waiting thread is unblocked
FALSE, // initial state = FALSE, i.e., unsignaled
attachEventName.GetUnicode() // Global name seen out-of-proc
);
if (s_hAttachEvent == NULL)
{
return HRESULT_FROM_GetLastError();
}
return S_OK;
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::GetAttachEvent
//
// Description:
// Used by finalizer thread to get the profiling API attach event. First time this is
// called, the event and other supporting objects will be created.
//
// Return Value:
// The attach event or NULL if attach event creation failed during startup. In either
// case, do NOT call CloseHandle on the returned event handle.
//
// Assumptions:
// * ProfilingAPIUtility::InitializeProfiling should already have been called before
// this is called. That ensures that, if a profiler was configured to load on
// startup, then that load has already occurred by now.
// * The event's HANDLE refcount is managed solely by ProfilingAPIAttachDetach. So do
// not call CloseHandle() on the HANDLE returned.
//
// Notes:
// * If the attach event was not created on startup, then this will return NULL.
// Possible reasons why this can occur:
// * The current process is the NGEN service, OR
// * The process is sync- or memory- hosted, OR
// * Attach is running in "always on" mode, meaning we always have an AttachThread
// with a pipe, so there's no need for an event.
//
// static
HANDLE ProfilingAPIAttachDetach::GetAttachEvent()
{
CONTRACTL
{
THROWS;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
}
CONTRACTL_END;
if (IsCompilationProcess())
{
// No profiler attach on NGEN!
return NULL;
}
if (!s_fInitializeCalled)
{
// If a profiler was supposed to load on startup, it's already happened
// now. So it's safe to set up the attach support objects, and allow
// an attaching profiler to make an attempt (which can now gracefully fail
// if a startup profiler has loaded).
HRESULT hr = Initialize();
if (FAILED(hr))
{
LOG((
LF_CORPROF,
LL_ERROR,
"**PROF: ProfilingAPIAttachDetach::Initialize failed, so this process will not "
"be able to attach a profiler. hr=0x%x.\n",
hr));
ProfilingAPIUtility::LogProfError(IDS_E_PROF_ATTACH_INIT, hr);
return NULL;
}
}
if (s_attachThreadingMode == kAlwaysOn)
{
// In always-on mode, we always have an AttachThread listening on the pipe, so
// there's no need for an event.
_ASSERTE(s_hAttachEvent == NULL);
}
return s_hAttachEvent;
}
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::ProcessSignaledAttachEvent
//
// Description:
// Called by finalizer thread when the finalizer thread detects that the globally
// named Profiler Attach Event is signaled. This simply spins up the AttachThread
// (starting in ProfilingAPIAttachThreadStart) and returns.
//
// static
void ProfilingAPIAttachDetach::ProcessSignaledAttachEvent()
{
// This function is practically a leaf (though not quite), and is called from the
// finalizer thread at various points, so keeping the contract strict to allow for
// maximum flexibility on when this may called.
CONTRACTL
{
NOTHROW;
GC_NOTRIGGER;
MODE_ANY;
CANNOT_TAKE_LOCK;
}
CONTRACTL_END;
LOG((LF_CORPROF, LL_INFO10, "**PROF: Attach event signaled; creating new AttachThread.\n"));
CreateAttachThread();
}
typedef BOOL
(WINAPI *PFN_GetAppContainerNamedObjectPath)(
HANDLE Token,
PSID AppContainerSid,
ULONG ObjectPathLength,
WCHAR * ObjectPath,
PULONG ReturnLength
);
static Volatile<PFN_GetAppContainerNamedObjectPath> g_pfnGetAppContainerNamedObjectPath = NULL;
// ----------------------------------------------------------------------------
// GetAppContainerNamedObjectPath
//
// Description:
// Retrieve named object path for the specified app container process
// The name looks something like the following:
// LowBoxNamedObjects\<AppContainer_SID>
// AppContainer_SID is the SID for the app container, for example: S-1-15-2-3-4-5-6-7-8
//
// Arguments:
// * hProcess - handle of the app container proces
// * wszObjectPath - [out] Buffer to fill in
// * dwObjectPathSizeInChar - Size of buffer
//
HRESULT ProfilingAPIAttachDetach::GetAppContainerNamedObjectPath(HANDLE hProcess, __out_ecount(dwObjectPathSizeInChar) WCHAR * wszObjectPath, DWORD dwObjectPathSizeInChar)
{
LIMITED_METHOD_CONTRACT;
_ASSERTE(wszObjectPath != NULL);
HandleHolder hToken;
if (!OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
{
return HRESULT_FROM_GetLastError();
}
if (g_pfnGetAppContainerNamedObjectPath.Load() == NULL)
{
HMODULE hMod = WszGetModuleHandle(W("kernel32.dll"));
if (hMod == NULL)
{
// This should never happen but I'm checking it anyway
return HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND);
}
PFN_GetAppContainerNamedObjectPath pfnGetAppContainerNamedObjectPath = (PFN_GetAppContainerNamedObjectPath)
::GetProcAddress(
hMod,
"GetAppContainerNamedObjectPath");
if (!pfnGetAppContainerNamedObjectPath)
{
return HRESULT_FROM_GetLastError();
}
// We should always get the same address back from GetProcAddress so there is no concern for race condition
g_pfnGetAppContainerNamedObjectPath = pfnGetAppContainerNamedObjectPath;
}
DWORD dwBufferLength;
if (!g_pfnGetAppContainerNamedObjectPath(
hToken, // Process token
NULL, // AppContainer package SID optional.
dwObjectPathSizeInChar, // Object path length
wszObjectPath, // Object path
&dwBufferLength // return length
))
{
return HRESULT_FROM_GetLastError();
}
return S_OK;
}
// @TODO: Update this once Windows header file is updated to Win8
#ifndef TokenIsAppContainer
#define TokenIsAppContainer ((TOKEN_INFORMATION_CLASS) 29)
#endif
// ----------------------------------------------------------------------------
// ProfilingAPIAttachDetach::IsAppContainerProcess
//
// Description:
// Return whether the specified process is a app container process
//
// static
BOOL ProfilingAPIAttachDetach::IsAppContainerProcess(HANDLE hProcess)
{
CONTRACTL
{
NOTHROW;
GC_NOTRIGGER;
MODE_ANY;
CANNOT_TAKE_LOCK;
}
CONTRACTL_END;
HandleHolder hToken;
if(!::OpenProcessToken(hProcess, TOKEN_QUERY, &hToken))
{
return FALSE;
}
BOOL fIsAppContainerProcess;
DWORD dwReturnLength;
if (!::GetTokenInformation(
hToken,
TokenIsAppContainer,
&fIsAppContainerProcess,
sizeof(BOOL),
&dwReturnLength) ||
dwReturnLength != sizeof(BOOL))
{
return FALSE;
}
else
{
return fIsAppContainerProcess;
}
}
//---------------------------------------------------------------------------------------
//
// Called by other points in the runtime (e.g., finalizer thread) to create a new thread
// to fill the role of the AttachThread.
//
// static
void ProfilingAPIAttachDetach::CreateAttachThread()
{
// This function is practically a leaf (though not quite), and is called from the
// finalizer thread at various points, so keeping the contract strict to allow for
// maximum flexibility on when this may called.
CONTRACTL
{
NOTHROW;
GC_NOTRIGGER;
MODE_ANY;
CANNOT_TAKE_LOCK;
}
CONTRACTL_END;
HandleHolder hAttachThread;
// The AttachThread is intentionally not an EE Thread-object thread
hAttachThread = ::CreateThread(
NULL, // lpThreadAttributes; don't want child processes inheriting this handle
0, // dwStackSize (0 = use default)
ProfilingAPIAttachThreadStart,
NULL, // lpParameter (none to pass)
0, // dwCreationFlags (0 = use default flags, start thread immediately)
NULL // lpThreadId (don't need therad ID)
);
if (hAttachThread == NULL)
{
LOG((
LF_CORPROF,
LL_ERROR,
"**PROF: Failed to create AttachThread. GetLastError=%d.\n",
GetLastError()));
// No other error-specific code really makes much sense here. An error here is
// probably due to serious OOM issues which would also probably prevent logging
// an event. A trigger process will report that it waited for the pipe to be
// created, and timed out during the wait. That should be enough for the user.
}
}
// ----------------------------------------------------------------------------
// CLRProfilingClassFactoryImpl::CreateInstance
//
// Description:
// A standard IClassFactory interface function to allow a profiling trigger
// to query for IID_ICLRProfiling interface
//
HRESULT CLRProfilingClassFactoryImpl::CreateInstance(IUnknown * pUnkOuter, REFIID riid, void ** ppv)
{
CONTRACTL
{
NOTHROW;
GC_NOTRIGGER;
MODE_PREEMPTIVE;
SO_NOT_MAINLINE;
}
CONTRACTL_END;
if (ppv == NULL)
return E_POINTER;
*ppv = NULL;
NewHolder<CLRProfilingImpl> pProfilingImpl = new (nothrow) CLRProfilingImpl();
if (pProfilingImpl == NULL)
return E_OUTOFMEMORY;
HRESULT hr = pProfilingImpl->QueryInterface(riid, ppv);
if (SUCCEEDED(hr))
{
pProfilingImpl.SuppressRelease();
}
return hr;
}
// ----------------------------------------------------------------------------
// CLRProfilingClassFactoryImpl::LockServer
//
// Description:
// A standard IClassFactory interface function that doesn't do anything interesting here
//
HRESULT CLRProfilingClassFactoryImpl::LockServer(BOOL fLock)
{
LIMITED_METHOD_CONTRACT;
return S_OK;
}
// ----------------------------------------------------------------------------
// CLRProfilingImpl::AttachProfiler
//
// Description:
// A wrapper COM function to invoke AttachProfiler with parameters from
// profiling trigger along with a runtime version string
//
HRESULT CLRProfilingImpl::AttachProfiler(DWORD dwProfileeProcessID,
DWORD dwMillisecondsMax,
const CLSID *pClsidProfiler,
LPCWSTR wszProfilerPath,
void *pvClientData,
UINT cbClientData)
{
CONTRACTL
{
NOTHROW;
GC_TRIGGERS;
MODE_PREEMPTIVE;
CAN_TAKE_LOCK;
SO_NOT_MAINLINE;
}
CONTRACTL_END;
WCHAR wszRuntimeVersion[MAX_PATH_FNAME];
DWORD dwSize = _countof(wszRuntimeVersion);
HRESULT hr = GetCORVersionInternal(wszRuntimeVersion, dwSize, &dwSize);
if (FAILED(hr))
return hr;
return ::AttachProfiler(dwProfileeProcessID,
dwMillisecondsMax,
pClsidProfiler,
wszProfilerPath,
pvClientData,
cbClientData,
wszRuntimeVersion);
}
// ----------------------------------------------------------------------------
// ICLRProfilingGetClassObject
//
// Description:
// A wrapper to create a CLRProfilingImpl object and to QueryInterface on the CLRProfilingImpl object
//
HRESULT ICLRProfilingGetClassObject(REFCLSID rclsid, REFIID riid, void **ppv)
{
CONTRACTL
{
NOTHROW;
GC_NOTRIGGER;
MODE_PREEMPTIVE;
SO_NOT_MAINLINE;
PRECONDITION(rclsid == CLSID_CLRProfiling);
}
CONTRACTL_END;
if (ppv == NULL)
return E_POINTER;
*ppv = NULL;
NewHolder<CLRProfilingClassFactoryImpl> pCLRProfilingClassFactoryImpl = new (nothrow) CLRProfilingClassFactoryImpl();
if (pCLRProfilingClassFactoryImpl == NULL)
return E_OUTOFMEMORY;
HRESULT hr = pCLRProfilingClassFactoryImpl->QueryInterface(riid, ppv);
if (SUCCEEDED(hr))
{
pCLRProfilingClassFactoryImpl.SuppressRelease();
}
return hr;
}
#endif // FEATURE_PROFAPI_ATTACH_DETACH
|
