📄 driver.c
// NOTE(review): this listing begins part-way through the driver's device-control
// dispatch routine, inside its switch on the IOCTL code. The declarations and
// initial values of nStatus, nTransferedBytes, nCode, pStackLoc and pIrp, and
// the definitions of the IOCTL_* codes (transfer method, required access), are
// not visible here.
// Every case below takes its data pointer from pIrp->AssociatedIrp.SystemBuffer
// and its lengths from the requester's DeviceIoControl parameters, so pointer
// and lengths must be validated before the buffer is read or written.
      // Returns directly, so this path does not reach the common completion
      // code at the bottom of the routine.
      return Link_CatchIrpApp2Drv (pDeviceObject, pIrp) ;

    case IOCTL_SET_FILTERSET:
      // Replaces the filter set from a serialized blob, then calls
      // ProcList_RefreshFilterLists under the process-list lock.
      // NOTE(review): pInBuf (possibly NULL) and nInBufSize (a signed INT) are
      // forwarded without any check; parsing safety rests entirely on
      // DrvFilter_SetSerializedFilterSet, which is not visible here.
      {
        INT nInBufSize ;
        LPVOID pInBuf ;

        TRACE_INFO (TEXT("IOCTL_SET_FILTERSET\n")) ;

        nInBufSize = pStackLoc->Parameters.DeviceIoControl.InputBufferLength ;
        pInBuf = pIrp->AssociatedIrp.SystemBuffer ;

        nStatus = DrvFilter_LockMutex () ;

        // Mutex not acquired: leave the case without unlocking.
        if( nStatus != STATUS_SUCCESS ) break ;

        nStatus = DrvFilter_SetSerializedFilterSet (pInBuf, nInBufSize) ;

        if( nStatus==STATUS_SUCCESS )
          {
            DbgPrint (TRACE_HEADER TEXT("Filters has been updated.\n")) ;

            // A failure here overwrites nStatus even though the filter set
            // has already been replaced.
            nStatus = ProcList_Lock () ;

            if( nStatus==STATUS_SUCCESS )
              {
                ProcList_RefreshFilterLists () ;
                ProcList_Unlock () ;
              }
          }

        DrvFilter_UnlockMutex () ;
      }
      break ;

    case IOCTL_GET_PROCESSLIST:
      // Serializes the process list into the output buffer as a chain of
      // variable-length PROCESSLISTENTRY blocks written by
      // _Driver_EnumProcCallback.
      {
        INT nOutBufSize ;
        LPVOID pOutBuf ;
        ENUMPROCCONTEXT context ;

        TRACE_INFO (TEXT("IOCTL_GET_PROCESSLIST\n")) ;

        nOutBufSize = pStackLoc->Parameters.DeviceIoControl.OutputBufferLength ;
        pOutBuf = pIrp->AssociatedIrp.SystemBuffer ;

        // The write cursor starts at the beginning of the output buffer.
        context.pPrevBlock = pOutBuf ;
        context.pWritePos = pOutBuf ;
        context.nRemainBytes = nOutBufSize ;

        nStatus = ProcList_Lock () ;

        if( nStatus==STATUS_SUCCESS )
          {
            nStatus = ProcList_Enum (_Driver_EnumProcCallback, &context) ;
            ProcList_Unlock () ;
          }

        if( nStatus==STATUS_SUCCESS )
          {
            nTransferedBytes = nOutBufSize - context.nRemainBytes ;
            // Terminates the chain by zeroing the last entry's offset.
            // NOTE(review): if the enumeration succeeds without writing any
            // entry, pPrevBlock is still pOutBuf, and neither pOutBuf!=NULL
            // nor nOutBufSize>=sizeof(PROCESSLISTENTRY) has been checked, so
            // this store can hit a NULL or undersized buffer. Validate both
            // before enumerating.
            ((PROCESSLISTENTRY*)context.pPrevBlock)->nNextEntry = 0 ;
          }
        else
          {
            // Any failure, including a failed ProcList_Lock, is reported as
            // STATUS_BUFFER_TOO_SMALL.
            TRACE_WARNING (TEXT("Buffer too small for process list\n")) ;
            nTransferedBytes = 0 ;
            nStatus = STATUS_BUFFER_TOO_SMALL ;
          }
      }
      break ;

    case IOCTL_SET_SCANNER_PATH:
      // Sets the scanner executable path from the input buffer; a NULL buffer
      // with zero length is also accepted and passed on as NULL.
      {
        INT nInBufSize ;
        LPVOID pInBuf ;

        TRACE_INFO (TEXT("IOCTL_SET_SCANNER_PATH\n")) ;

        nInBufSize = pStackLoc->Parameters.DeviceIoControl.InputBufferLength ;
        pInBuf = pIrp->AssociatedIrp.SystemBuffer ;

        // Only checks that pointer and length agree (both set or both empty).
        if( ( pInBuf!=NULL && nInBufSize!=0 ) || ( pInBuf==NULL && nInBufSize==0 ) )
          {
            nStatus = ProcList_Lock() ;

            if( nStatus == STATUS_SUCCESS )
              {
                // NOTE(review): nInBufSize is not passed along, so the callee
                // cannot bound its read of the string. Nothing here verifies
                // that the buffer holds a terminator within nInBufSize bytes;
                // add that check before this call.
                nStatus = ProcList_SetScannerExePath (pInBuf) ;
                ProcList_Unlock() ;
              }
          }
        // NOTE(review): this branch leaves nStatus at its previous value (not
        // visible here) instead of setting an error status.
        else TRACE_ERROR (TEXT("Wrong arguments to IOCTL_SET_SCANNER_PATH\n")) ;
      }
      break ;

    case IOCTL_SET_SCAN_FILTERS:
      // Forwards the input buffer and its length to HookCommon_SetScanFilters.
      {
        INT nInBufSize ;
        LPVOID pInBuf ;

        TRACE_INFO (TEXT("IOCTL_SET_SCAN_FILTERS\n")) ;

        nInBufSize = pStackLoc->Parameters.DeviceIoControl.InputBufferLength ;
        pInBuf = pIrp->AssociatedIrp.SystemBuffer ;

        // Only checks that pointer and length agree; content validation is
        // left to the callee (not visible here).
        if( ( pInBuf!=NULL && nInBufSize!=0 ) || ( pInBuf==NULL && nInBufSize==0 ) )
          {
            nStatus = HookCommon_SetScanFilters (pInBuf, nInBufSize) ;
          }
        // NOTE(review): nStatus is not set to an error on this branch.
        else TRACE_ERROR (TEXT("Wrong arguments to IOCTL_SET_SCAN_FILTERS\n")) ;
      }
      break ;

    case IOCTL_KILL_PROCESS:
      // Terminates a process identified by a PROCADDR value supplied by the
      // requester. The value is accepted only if ProcList_Get finds it in the
      // driver's process list; it is then cast to PEPROCESS.
      // NOTE(review): who may issue this request depends on the device
      // object's security settings and the IOCTL's access bits, neither of
      // which is visible here. Confirm they restrict it to the trusted
      // client.
      {
        INT nInBufSize ;
        LPVOID pInBuf ;

        TRACE_INFO (TEXT("IOCTL_KILL_PROCESS\n")) ;

        nInBufSize = pStackLoc->Parameters.DeviceIoControl.InputBufferLength ;
        pInBuf = pIrp->AssociatedIrp.SystemBuffer ;

        // NOTE(review): there is no else for this check, so a malformed
        // request leaves nStatus at its previous value.
        if( pInBuf!=NULL && nInBufSize==sizeof(PROCADDR) )
          {
            PROCADDR nProcessAddress = *(PROCADDR*)pInBuf ;
            BOOL bIsInList = FALSE ;

            TRACE_ALWAYS (TEXT("IOCTL_KILL_PROCESS (ProcessAddess = 0x%08X\n"), nProcessAddress) ;

            // If the lock cannot be taken, bIsInList stays FALSE and the
            // lock's status is replaced by STATUS_INVALID_ADDRESS below.
            nStatus = ProcList_Lock () ;

            if( nStatus == STATUS_SUCCESS )
              {
                PROCSTRUCT* p = ProcList_Get (nProcessAddress) ;
                ProcList_Unlock () ;
                bIsInList = p != NULL ;
              }

            // NOTE(review): the list lock is released before the address is
            // used, and no reference on the process object is taken in the
            // visible code. If the process can exit in between, the address
            // is stale when it reaches PspTerminateProcess. Confirm a
            // reference is held elsewhere, or take one (ObReferenceObject)
            // while the list lock is still held.
            if( bIsInList )
              {
                // PspTerminateProcess is reached through a pointer in ntundoc
                // that may be NULL.
                if( ntundoc.PspTerminateProcess )
                  nStatus = ntundoc.PspTerminateProcess ((PEPROCESS)nProcessAddress, STATUS_SUCCESS) ;
                else
                  nStatus = STATUS_NOT_IMPLEMENTED ;

                if( nStatus!=STATUS_SUCCESS )
                  TRACE_ERROR (TEXT("PspTerminateProcess failed (status=0x%08X)\n"), nStatus) ;
              }
            else
              {
                nStatus = STATUS_INVALID_ADDRESS ;
                TRACE_ERROR (TEXT("Process 0x%08X is not in list\n"), nProcessAddress) ;
              }
          }
      }
      break ;

    case IOCTL_IGNORE_PROCESS:
      // Sets or clears PROCESS_IGNORE_ALL on the list entry for the given
      // process address. Lookup and flag update both happen under the
      // process-list lock.
      // NOTE(review): the name suggests this flag exempts a process from
      // monitoring, so the same access-control question as for
      // IOCTL_KILL_PROCESS applies.
      {
        INT nInBufSize ;
        LPVOID pInBuf ;

        TRACE_INFO (TEXT("IOCTL_IGNORE_PROCESS\n")) ;

        nInBufSize = pStackLoc->Parameters.DeviceIoControl.InputBufferLength ;
        pInBuf = pIrp->AssociatedIrp.SystemBuffer ;

        if( pInBuf!=NULL && nInBufSize==sizeof(SDCIGNOREPROC) )
          {
            SDCIGNOREPROC* pParam = pInBuf ;

            nStatus = ProcList_Lock () ;

            if( nStatus == STATUS_SUCCESS )
              {
                PROCSTRUCT* p = ProcList_Get (pParam->nProcessAddress) ;

                if( p!=NULL )
                  {
                    if( pParam->bIgnore ) p->nFlags |= PROCESS_IGNORE_ALL ;
                    else p->nFlags &= ~PROCESS_IGNORE_ALL ;
                  }
                else nStatus = STATUS_INVALID_ADDRESS ;

                ProcList_Unlock () ;
              }
          }
        else
          {
            // NOTE(review): nStatus is not set to an error on this branch.
            TRACE_ERROR (TEXT("Wrong parameters to IOCTL_IGNORE_PROCESS\n")) ;
          }
      }
      break ;

    case IOCTL_SYNC_CACHE:
      // Writes a SCANCACHEHEADER followed by a chain of SCANCACHEENTRY blocks
      // (cache changes since liLastSyncTime) into the output buffer.
      // Input and output share the same SystemBuffer, so the input timestamp
      // is copied to a local before any output is written.
      {
        INT nOutBufSize ;
        LPVOID pOutBuf ;
        INT nInBufSize ;
        LPVOID pInBuf ;
        LARGE_INTEGER liLastSyncTime ;
        // NOTE(review): declared as ENUMPROCCONTEXT, but
        // _Driver_EnumCacheCallback casts its user pointer to
        // ENUMCACHECONTEXT*. This is correct only if both types have the same
        // layout (neither definition is visible here).
        ENUMPROCCONTEXT context ;

        TRACE_INFO (TEXT("IOCTL_SYNC_CACHE\n")) ;

        nInBufSize = pStackLoc->Parameters.DeviceIoControl.InputBufferLength ;
        pInBuf = pIrp->AssociatedIrp.SystemBuffer ;

        nOutBufSize = pStackLoc->Parameters.DeviceIoControl.OutputBufferLength ;
        pOutBuf = pIrp->AssociatedIrp.SystemBuffer ;

        // NOTE(review): pInBuf is dereferenced here, before nInBufSize is
        // compared with sizeof(SDCSYNCCACHE) and without a NULL check. With a
        // short or empty input this reads outside the supplied data. Move the
        // read inside the size check below.
        liLastSyncTime = ((SDCSYNCCACHE*)pInBuf)->liLastSyncTime ;

        if( nInBufSize>=sizeof(SDCSYNCCACHE) && nOutBufSize>=sizeof(SCANCACHEHEADER) )
          {
            // Entries start immediately after the header.
            context.pPrevBlock = (BYTE*)pOutBuf + sizeof(SCANCACHEHEADER) ;
            context.pWritePos = context.pPrevBlock ;
            context.nRemainBytes = nOutBufSize - sizeof(SCANCACHEHEADER) ;

            // If this lock fails, nStatus carries the failure and
            // nTransferedBytes keeps its previous value.
            nStatus = ScanCache_Lock () ;

            if( nStatus==STATUS_SUCCESS )
              {
                ScanCache_GetCacheInfo (&((SCANCACHEHEADER*)pOutBuf)->nMaxCacheLength,
                                        &((SCANCACHEHEADER*)pOutBuf)->nFirstIdentifier,
                                        &((SCANCACHEHEADER*)pOutBuf)->nLastIdentifier) ;

                nStatus = ScanCache_EnumChangesSince (_Driver_EnumCacheCallback, &context, &liLastSyncTime) ;

                ScanCache_Unlock () ;

                if( nStatus==STATUS_SUCCESS )
                  {
                    nTransferedBytes = nOutBufSize - context.nRemainBytes ;
                    // NOTE(review): when no entry was written, pPrevBlock
                    // still points just past the header, and only
                    // nOutBufSize>=sizeof(SCANCACHEHEADER) was checked. This
                    // store can then land beyond the output area. Require
                    // room for one SCANCACHEENTRY, or skip the store when
                    // nothing was enumerated.
                    ((SCANCACHEENTRY*)context.pPrevBlock)->nNextEntry = 0 ;
                  }
                else
                  {
                    TRACE_WARNING (TEXT("Buffer too small for scan cache\n")) ;
                    nTransferedBytes = 0 ;
                    nStatus = STATUS_BUFFER_TOO_SMALL ;
                  }
              }
          }
        else
          {
            TRACE_WARNING (TEXT("Buffer too small for scan cache\n")) ;
            nTransferedBytes = 0 ;
            nStatus = STATUS_BUFFER_TOO_SMALL ;
          }
      }
      break ;

    case IOCTL_ADD_FILE_TO_CACHE:
      // Records a scan result and scan time for a file path in the scan cache.
      // NOTE(review): nScanResult and liScanTime are stored exactly as the
      // requester sent them, so the cache's integrity depends on who may open
      // the device (not visible here).
      {
        INT nInBufSize ;
        LPVOID pInBuf ;

        TRACE_INFO (TEXT("IOCTL_ADD_FILE_TO_CACHE\n")) ;

        nInBufSize = pStackLoc->Parameters.DeviceIoControl.InputBufferLength ;
        pInBuf = pIrp->AssociatedIrp.SystemBuffer ;

        if( nInBufSize>=sizeof(SDCADDFILETOCACHE) )
          {
            SDCADDFILETOCACHE* pParams = (SDCADDFILETOCACHE*)pInBuf ;
            WCHAR szFilePath[MAX_PATH] ;

            // NOTE(review): the limit passed here is a BYTE count (input
            // length minus structure size). wcslcpy is not declared in this
            // listing; if its third argument is a count of WCHARs, the copy
            // may read about twice as far as the requester's data extends.
            // When the limit is 0, szFilePath may be left uninitialized
            // before it is used below. Nothing checks that the path is
            // NUL-terminated inside the input buffer. Convert the limit to
            // characters and reject empty or unterminated paths.
            wcslcpy (szFilePath, pParams->wszFilePath, min(MAX_PATH,nInBufSize-sizeof(SDCADDFILETOCACHE))) ;

            nStatus = ScanCache_Lock () ;

            if( nStatus == STATUS_SUCCESS )
              {
                SCANCACHEID nIdentifier ;

                nStatus = ScanCache_GetFileId (szFilePath, &nIdentifier) ;

                if( nStatus == STATUS_SUCCESS )
                  {
                    TRACE_INFO (TEXT("Adding file \"%ls\" to cache\n"), szFilePath) ;

                    nStatus = ScanCache_SetStatus (nIdentifier, pParams->nScanResult, &pParams->liScanTime) ;
                  }

                ScanCache_Unlock () ;
              }
          }
        else
          {
            TRACE_WARNING (TEXT("Input buffer too small for IOCTL_ADD_FILE_TO_CACHE (size=%u)\n"), nInBufSize) ;
            nTransferedBytes = 0 ;
            nStatus = STATUS_BUFFER_TOO_SMALL ;
          }
      }
      break ;

    default:
      // NOTE(review): unsupported codes are only logged; nStatus keeps its
      // previous value (not visible here). Confirm that value is an error
      // status.
      TRACE_WARNING (TEXT("IO control code 0x%06X not supported\n"), nCode) ;
      break ;
    }

  // simply complete the request
  // Information is the byte count reported back to the requester; with
  // buffered I/O it determines how much of SystemBuffer is returned.
  pIrp->IoStatus.Status = nStatus ;
  pIrp->IoStatus.Information = nTransferedBytes ;
  IoCompleteRequest (pIrp, IO_NO_INCREMENT) ;

  return nStatus ;
}

/******************************************************************/
/* Internal function */
/******************************************************************/

// Enumeration callback passed to ProcList_Enum by the IOCTL_GET_PROCESSLIST
// case. Appends one variable-length PROCESSLISTENTRY (fixed part followed by
// the NUL-terminated path) at pContext->pWritePos and advances the cursor.
//
// pUserPtr        : ENUMPROCCONTEXT holding the write position, the previous
//                   block and the number of bytes left in the output buffer
// nProcessAddress : copied into the entry
// nProcessId      : copied into the entry
// wszFilePath     : copied into the entry. NOTE(review): passed to wcslen
//                   without a NULL check; confirm callers never pass NULL.
//
// Returns TRUE after writing the entry, or FALSE without writing anything
// when fewer than nBlockSize bytes remain.
BOOL _Driver_EnumProcCallback (PVOID pUserPtr, PROCADDR nProcessAddress, ULONG nProcessId, LPCWSTR wszFilePath)
{
  ENUMPROCCONTEXT * pContext = pUserPtr ;
  // Fixed entry size + 2 bytes per path character + 2 bytes for the
  // terminating NUL.
  ULONG nBlockSize = sizeof(PROCESSLISTENTRY) + wcslen(wszFilePath)*2 + 2 ;

  TRACE_INFO (TEXT("%d : %ls\n"), nProcessId, wszFilePath) ;

  // This is the only bounds check. The unbounded wcscpy below relies on
  // nBlockSize covering the whole string and its terminator.
  if( pContext->nRemainBytes < nBlockSize )
    {
      TRACE_WARNING (TEXT("Buffer too small (remain=%u, need=%u)\n"), pContext->nRemainBytes, nBlockSize) ;
      return FALSE ;
    }

  // nNextEntry is the byte offset from this entry to the next one; the
  // dispatcher resets it to 0 on the last entry written.
  // NOTE(review): nBlockSize is not rounded up to the structure's alignment,
  // so entries after the first may start at unaligned addresses.
  ((PROCESSLISTENTRY*)pContext->pWritePos)->nNextEntry = nBlockSize ;
  ((PROCESSLISTENTRY*)pContext->pWritePos)->nProcessAddress = nProcessAddress ;
  ((PROCESSLISTENTRY*)pContext->pWritePos)->nProcessId = nProcessId ;
  wcscpy (((PROCESSLISTENTRY*)pContext->pWritePos)->wszFilePath, wszFilePath) ;

  // Remember this block so the caller can terminate the chain, then advance.
  pContext->pPrevBlock = pContext->pWritePos ;
  pContext->nRemainBytes -= nBlockSize ;
  pContext->pWritePos = (BYTE*)pContext->pWritePos + nBlockSize ;

  return TRUE ;
}

/******************************************************************/
/* Internal function */
/******************************************************************/

// Enumeration callback passed to ScanCache_EnumChangesSince by the
// IOCTL_SYNC_CACHE case. Appends one variable-length SCANCACHEENTRY (fixed
// part followed by the NUL-terminated path) at pContext->pWritePos and
// advances the cursor.
//
// pUserPtr    : treated as ENUMCACHECONTEXT*. NOTE(review): the caller in this
//               listing passes the address of an ENUMPROCCONTEXT; confirm the
//               two types have the same layout.
// nIdentifier : copied into the entry
// wszFilePath : copied into the entry. NOTE(review): passed to wcslen without
//               a NULL check; confirm callers never pass NULL.
// nScanResult : copied into the entry
// pliScanTime : dereferenced and copied into the entry
//
// Returns TRUE after writing the entry, or FALSE without writing anything
// when fewer than nBlockSize bytes remain.
BOOL _Driver_EnumCacheCallback (VOID * pUserPtr, SCANCACHEID nIdentifier, LPCWSTR wszFilePath, SCANRESULT nScanResult, LARGE_INTEGER*pliScanTime)
{
  ENUMCACHECONTEXT * pContext = pUserPtr ;
  // Fixed entry size + 2 bytes per path character + 2 bytes for the
  // terminating NUL.
  ULONG nBlockSize = sizeof(SCANCACHEENTRY) + wcslen(wszFilePath)*2 + 2 ;

  TRACE_INFO (TEXT("%lu : %ls\n"), nIdentifier, wszFilePath) ;

  // This is the only bounds check. The unbounded wcscpy below relies on
  // nBlockSize covering the whole string and its terminator.
  if( pContext->nRemainBytes < nBlockSize )
    {
      TRACE_WARNING (TEXT("Buffer too small (remain=%u, need=%u)\n"), pContext->nRemainBytes, nBlockSize) ;
      return FALSE ;
    }

  // nNextEntry is the byte offset from this entry to the next one; the
  // dispatcher resets it to 0 on the last entry written.
  // NOTE(review): nBlockSize is not rounded up to the structure's alignment,
  // so later entries (which hold a LARGE_INTEGER) may start at unaligned
  // addresses.
  ((SCANCACHEENTRY*)pContext->pWritePos)->nNextEntry = nBlockSize ;
  ((SCANCACHEENTRY*)pContext->pWritePos)->nIdentifier = nIdentifier ;
  ((SCANCACHEENTRY*)pContext->pWritePos)->nScanResult = nScanResult ;
  ((SCANCACHEENTRY*)pContext->pWritePos)->liScanTime = *pliScanTime ;
  wcscpy (((SCANCACHEENTRY*)pContext->pWritePos)->wszFilePath, wszFilePath) ;

  // Remember this block so the caller can terminate the chain, then advance.
  pContext->pPrevBlock = pContext->pWritePos ;
  pContext->nRemainBytes -= nBlockSize ;
  pContext->pWritePos = (BYTE*)pContext->pWritePos + nBlockSize ;

  return TRUE ;
}