Memory leak fixes (Verifier tests)

Hidden/Configs.c

@@ -15,7 +15,7 @@ typedef struct _HidConfigContext {
 
 PHidConfigContext g_configContext = NULL;
 
-NTSTATUS ReleaseConfigContext(PHidConfigContext context);
+VOID ReleaseConfigContext(PHidConfigContext context);
 
 NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default);
 NTSTATUS QueryAndAllocRegistryData(HANDLE hKey, LPCWSTR Value, ULONG Type, PUNICODE_STRING Data, PUNICODE_STRING Default);
@@ -79,7 +79,10 @@ NTSTATUS DestroyConfigs()
 	if (!g_configContext)
 		return STATUS_NOT_FOUND;
 
-	return ReleaseConfigContext(g_configContext);
+	ReleaseConfigContext(g_configContext);
+	ExFreePoolWithTag(g_configContext, CONFIG_ALLOC_TAG);
+
+	return STATUS_SUCCESS;
 }
 
 // =========================================================================================
@@ -168,7 +171,7 @@ NTSTATUS CfgEnumConfigsTable(enum CfgMultiStringTables Table, CfgMultiStringCall
 
 // =========================================================================================
 
-NTSTATUS ReleaseConfigContext(PHidConfigContext context)
+VOID ReleaseConfigContext(PHidConfigContext context)
 {
 	ReleaseRegistryData(&context->hideFSDirs);
 	ReleaseRegistryData(&context->hideFSFiles);
@@ -176,8 +179,6 @@ NTSTATUS ReleaseConfigContext(PHidConfigContext context)
 	ReleaseRegistryData(&context->hideRegValues);
 	ReleaseRegistryData(&context->ignoreImages);
 	ReleaseRegistryData(&context->protectImages);
-
-	return STATUS_SUCCESS;
 }
 
 NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default)

Hidden/Helper.c

@@ -149,6 +149,7 @@ NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized)
 
 		subPath.Buffer = Path->Buffer;
 		subPath.Length += globalPrefix.Length;
+		subPath.MaximumLength = subPath.Length;
 
 		// Open symlink
 
@@ -173,6 +174,7 @@ NTSTATUS NormalizeDevicePath(PCUNICODE_STRING Path, PUNICODE_STRING Normalized)
 
 		subPath.Buffer = (PWCH)((PUCHAR)Path->Buffer + subPath.Length);
 		subPath.Length = Path->Length - subPath.Length;
+		subPath.MaximumLength = subPath.Length;
 
 		status = RtlAppendUnicodeStringToString(Normalized, &subPath);
 		if (!NT_SUCCESS(status))

Hidden/PsRules.c

@@ -10,8 +10,8 @@ typedef struct _PsRulesInternalContext {
 
 RTL_GENERIC_COMPARE_RESULTS ComparePsRuleEntry(struct _RTL_AVL_TABLE  *Table, PVOID  FirstStruct, PVOID  SecondStruct)
 {
-	PPsRuleEntry first = (PPsRuleEntry)FirstStruct;
+	PPsRuleEntry first = *(PPsRuleEntry*)FirstStruct;
-	PPsRuleEntry second = (PPsRuleEntry)SecondStruct;
+	PPsRuleEntry second = *(PPsRuleEntry*)SecondStruct;
 	INT res;
 
 	UNREFERENCED_PARAMETER(Table);
@@ -35,7 +35,9 @@ PVOID AllocatePsRuleEntry(struct _RTL_AVL_TABLE  *Table, CLONG  ByteSize)
 
 VOID FreePsRuleEntry(struct _RTL_AVL_TABLE  *Table, PVOID  Buffer)
 {
+	//PVOID entry = *(PVOID*)Buffer;
 	UNREFERENCED_PARAMETER(Table);
+	//ExFreePoolWithTag(entry, PSRULE_ALLOC_TAG);
 	ExFreePoolWithTag(Buffer, PSRULE_ALLOC_TAG);
 }
 
@@ -99,7 +101,7 @@ NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath
 	ExAcquireFastMutex(&context->tableLock);
 	guid = context->idCounter++;
 	entry->guid = guid;
-	buf = RtlInsertElementGenericTableAvl(&context->table, entry, entryLen, &newElem);
+	buf = RtlInsertElementGenericTableAvl(&context->table, &entry, sizeof(&entry)/*entryLen*/, &newElem);
 	ExReleaseFastMutex(&context->tableLock);
 
 	if (!buf)
@@ -122,19 +124,22 @@ NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId Entr
 {
 	PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
 	NTSTATUS status = STATUS_NOT_FOUND;
-	PPsRuleEntry entry;
+	PPsRuleEntry entry, *pentry;
 	PVOID restartKey = NULL;
 
 	ExAcquireFastMutex(&context->tableLock);
 
-	for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
+	for (pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
-		entry != NULL;
+		 pentry != NULL;
-		entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
+		 pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
 	{
+		entry = *pentry;
 		if (entry->guid == EntryId)
 		{
-			if (!RtlDeleteElementGenericTableAvl(&context->table, entry))
+			if (!RtlDeleteElementGenericTableAvl(&context->table, pentry))
 				DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove element from process rules table, looks like memory leak\n");
+			else
+				ExFreePoolWithTag(entry, PSRULE_ALLOC_TAG);
 
 			status = STATUS_SUCCESS;
 			break;
@@ -150,17 +155,20 @@ NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext)
 {
 	PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
 	NTSTATUS status = STATUS_SUCCESS;
-	PPsRuleEntry entry;
+	PPsRuleEntry entry, *pentry;
 	PVOID restartKey = NULL;
 
 	ExAcquireFastMutex(&context->tableLock);
 
-	for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
+	for (pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
-		entry != NULL;
+		 pentry != NULL;
-		entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
+		 pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
 	{
-		if (!RtlDeleteElementGenericTableAvl(&context->table, entry))
+		entry = *pentry;
+		if (!RtlDeleteElementGenericTableAvl(&context->table, pentry))
 			DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove element from process rules table, looks like memory leak\n");
+		else
+			ExFreePoolWithTag(entry, PSRULE_ALLOC_TAG);
 
 		restartKey = NULL; // reset enum
 	}
@@ -174,15 +182,16 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
 {
 	PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
 	NTSTATUS status = STATUS_NOT_FOUND;
-	PPsRuleEntry entry;
+	PPsRuleEntry entry, *pentry;
 	PVOID restartKey = NULL;
 
 	ExAcquireFastMutex(&context->tableLock);
 
-	for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
+	for (pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
-		 entry != NULL;
+		 pentry != NULL;
-		 entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
+		 pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
 	{
+		entry = *pentry;
 		if (RtlCompareUnicodeString(&entry->imagePath, ImgPath, TRUE) == 0)
 		{
 			*OutSize = entry->len;
@@ -207,16 +216,17 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
 BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PULONG pInheritance)
 {
 	PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
-	PPsRuleEntry entry;
+	PPsRuleEntry entry, *pentry;
 	PVOID restartKey = NULL;
 	BOOLEAN result = FALSE;
 
 	ExAcquireFastMutex(&context->tableLock);
 
-	for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
+	for (pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
-		 entry != NULL;
+		 pentry != NULL;
-		 entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
+		 pentry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey))
 	{
+		entry = *pentry;
 		if (RtlCompareUnicodeString(&entry->imagePath, ImgPath, TRUE) == 0)
 		{
 			*pInheritance = entry->inheritType;