/******************************************************************/
/* */
/* Winpooch : Windows Watchdog */
/* Copyright (C) 2004-2006 Benoit Blanchon */
/* */
/* This program is free software; you can redistribute it */
/* and/or modify it under the terms of the GNU General Public */
/* License as published by the Free Software Foundation; either */
/* version 2 of the License, or (at your option) any later */
/* version. */
/* */
/* This program is distributed in the hope that it will be */
/* useful, but WITHOUT ANY WARRANTY; without even the implied */
/* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR */
/* PURPOSE. See the GNU General Public License for more */
/* details. */
/* */
/* You should have received a copy of the GNU General Public */
/* License along with this program; if not, write to the Free */
/* Software Foundation, Inc., */
/* 675 Mass Ave, Cambridge, MA 02139, USA. */
/* */
/******************************************************************/
/******************************************************************/
/* Build configuration */
/******************************************************************/
/* Trace verbosity for this translation unit (2 = warnings and above,
 * per the author's note); presumably consumed by Trace.h — confirm it
 * must be defined before that header is included. */
#define TRACE_LEVEL 2 /* warning */
/******************************************************************/
/* Includes */
/******************************************************************/
// module's interface
#include "HookSys.h"
// project's headers
#include "DrvFilter.h"
#include "DrvInterface.h"
#include "FileInfo.h"
#include "HookCommon.h"
#include "Hooks.h"
#include "Link.h"
#include "Malloc.h"
#include "NtUndoc.h"
#include "ProcInfo.h"
#include "ProcList.h"
#include "Trace.h"
#include "WatchedObjects.h"
/******************************************************************/
/* Internal macros */
/******************************************************************/
/* Declare a file-scope UNICODE_STRING that wraps a wide string literal.
 * The first initializer (Length) is the byte size of the literal without
 * its terminating NUL, the second (MaximumLength) includes it, the third
 * is the buffer itself. The expansion already ends in ';', so a further
 * ';' at the use site only produces an empty file-scope declaration. */
#define STATIC_UNICODE_STRING(symbol,value) \
static UNICODE_STRING symbol = {sizeof(value)-sizeof(WCHAR),sizeof(value),value} ;
/******************************************************************/
/* Internal data */
/******************************************************************/
/* Placeholder path reported (and filtered on) when the section object
 * behind a process creation is not present in the watched-object list. */
STATIC_UNICODE_STRING (g_usUnknownFile, L"!! Unknown file !!" ) ;
/******************************************************************/
/* Internal function */
/******************************************************************/
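/*
 * Register a freshly created process: build its descriptor, attach the
 * filters that match its image path, add it to the process list and,
 * unless the descriptor carries PROCESS_NO_NOTIFICATION, notify the
 * user-mode application.
 *
 * hProcess    - handle of the new process, as returned by the real service
 * wszFilePath - image path resolved from the section object
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when no descriptor
 * could be allocated, or the status of a failed mutex/lock acquisition.
 * On every failure path the descriptor is released again, so nothing is
 * leaked and nothing half-initialised reaches the process list.
 */
NTSTATUS HookSys_ProcessCreated (HANDLE hProcess, LPCWSTR wszFilePath)
{
    PROCSTRUCT *pProc;
    PROCADDR nProcessAddress;
    PROCID nProcessId;
    BOOL bNoNotification;
    NTSTATUS nStatus;

    /* get information on the new process
     * NOTE(review): the results of these two calls are not checked here;
     * confirm they cannot fail and leave the outputs unset. */
    ProcInfo_GetAddress (hProcess, &nProcessAddress);
    ProcInfo_GetProcessId (hProcess, &nProcessId);

    /* allocate a new process descriptor; a NULL result was previously
     * dereferenced unconditionally, which is a kernel-mode fault */
    pProc = ProcList_New (nProcessAddress, nProcessId, wszFilePath);
    if (pProc == NULL)
    {
        TRACE_ERROR (TEXT("ProcList_New failed\n"));
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    bNoNotification = pProc->nFlags & PROCESS_NO_NOTIFICATION;

    /* get the filters associated with this program */
    nStatus = DrvFilter_LockMutex ();
    if (nStatus != STATUS_SUCCESS)
    {
        ProcList_Delete (pProc);   /* never reached the list: release it */
        return nStatus;
    }
    DrvFilter_GetFiltersForProgram (pProc->wszPath, pProc->aFilters,
                                    &pProc->nFilters, MAX_FILTERS);
    DrvFilter_UnlockMutex ();

    /* add the descriptor to the process list */
    nStatus = ProcList_Lock ();
    if (nStatus != STATUS_SUCCESS)
    {
        ProcList_Delete (pProc);   /* never reached the list: release it */
        return nStatus;
    }
    ProcList_Add (pProc);
    ProcList_Unlock ();

    /* notify the application */
    if (!bNoNotification)
        HookCommon_SendProcessCreatedNotification (nProcessAddress, nProcessId, wszFilePath);
    return STATUS_SUCCESS;
}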
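/******************************************************************/
/* Internal helpers shared by the NtCreateProcess hooks */
/******************************************************************/

/*
 * Bounded wide-string copy: writes at most nDstChars characters to wszDst
 * and always leaves it NUL-terminated (no-op when nDstChars is 0).
 */
static void HookSys_CopyPath (LPWSTR wszDst, size_t nDstChars, LPCWSTR wszSrc)
{
    if (nDstChars == 0)
        return;
    wcsncpy (wszDst, wszSrc, nDstChars - 1);
    wszDst[nDstChars - 1] = L'\0';
}

/*
 * Resolve the image path and file time recorded for a section handle.
 * The values come from the watched-object entry of the section; when the
 * section is not watched, g_usUnknownFile is reported and the file time
 * is zeroed. wszFilePath receives at most nPathChars-1 characters and is
 * always NUL-terminated — the previous unbounded wcscpy silently relied on
 * WOTSECTION::wszFilePath never exceeding MAX_PATH.
 *
 * Returns STATUS_SUCCESS, the status of a failed ObReferenceObjectByHandle
 * or WatchObjs_Lock, or STATUS_INVALID_HANDLE when the handle resolved to a
 * NULL object with a success status (previously reported as success).
 */
static NTSTATUS HookSys_ResolveSection (HANDLE hSection,
                                        LPWSTR wszFilePath, size_t nPathChars,
                                        LARGE_INTEGER *pliFileTime)
{
    NTSTATUS nStatus;
    PVOID pObjectSection = NULL;
    WOTSECTION *pWotSectionData;
    ULONG nWotDataSize;
    LPCWSTR wszSource;

    nStatus = ObReferenceObjectByHandle (hSection, GENERIC_ALL, NULL, KernelMode,
                                         &pObjectSection, NULL);
    if (nStatus != STATUS_SUCCESS || pObjectSection == NULL)
    {
        TRACE_ERROR (TEXT("ObReferenceObjectByHandle failed (status=0x%08X)\n"), nStatus);
        return (nStatus == STATUS_SUCCESS) ? STATUS_INVALID_HANDLE : nStatus;
    }

    nStatus = WatchObjs_Lock ();
    if (nStatus != STATUS_SUCCESS)
    {
        ObDereferenceObject (pObjectSection);
        return nStatus;
    }

    nStatus = WatchObjs_GetFromPointer (pObjectSection, WOT_SECTION,
                                        (void**)&pWotSectionData, &nWotDataSize);
    if (nStatus != STATUS_SUCCESS)
    {
        TRACE_WARNING (TEXT("SectionObject is not in watched object list\n"));
        wszSource = g_usUnknownFile.Buffer;
        pliFileTime->QuadPart = 0;
    }
    else
    {
        wszSource = pWotSectionData->wszFilePath;
        *pliFileTime = pWotSectionData->liFileTime;
    }
    /* copy while the watched-object lock is still held: nothing here
     * guarantees the entry outlives the lock */
    HookSys_CopyPath (wszFilePath, nPathChars, wszSource);
    WatchObjs_Unlock ();
    ObDereferenceObject (pObjectSection);

    TRACE_INFO (TEXT("File = %ls\n"), wszFilePath);
    return STATUS_SUCCESS;
}

/*
 * Ask the filter engine for the reaction to an execution of wszFilePath
 * and, when the matching rule requests it, run the on-access scan that
 * may replace an initial RULE_ACCEPT.
 *
 * Returns one of the RULE_* reactions. Both outputs of HookCommon_CatchCall
 * are pre-set so they are never read uninitialised (NOTE(review): assumes
 * HookCommon_CatchCall always assigns them — confirm).
 */
static UINT HookSys_GetExecuteReaction (LPWSTR wszFilePath, LARGE_INTEGER *pliFileTime)
{
    UINT nReaction = RULE_ACCEPT;
    UINT nOptions = 0;

    HookCommon_CatchCall (&nReaction, &nOptions,
                          FILTREASON_SYS_EXECUTE,
                          TEXT("s"), wszFilePath);
    if ((nOptions & RULE_SCAN) != 0 && nReaction == RULE_ACCEPT
        && HookCommon_ShouldScanFile (wszFilePath))
    {
        HookCommon_ScanFile (&nReaction, wszFilePath, pliFileTime);
    }
    return nReaction;
}

/*
 * Complete a rejected or feigned creation without calling the real service:
 * the caller's output handle is set to INVALID_HANDLE_VALUE and nResult is
 * returned as the service status.
 *
 * NOTE(review): ProcessHandle is the caller-supplied output pointer and is
 * written here without any probe or exception handling; confirm it is
 * always valid, kernel-accessible memory on this path. A NULL pointer is
 * at least tolerated instead of faulting.
 */
static NTSTATUS HookSys_DenyCreation (PHANDLE ProcessHandle, NTSTATUS nResult)
{
    if (ProcessHandle != NULL)
        *ProcessHandle = INVALID_HANDLE_VALUE;
    return nResult;
}

/******************************************************************/
/* Exported function */
/******************************************************************/
/*
 * Hook on NtCreateProcess: resolve the image behind SectionHandle, apply
 * the execution filters (and optional scan), then either deny the creation
 * (RULE_REJECT -> STATUS_FILE_INVALID, RULE_FEIGN -> STATUS_SUCCESS with an
 * invalid handle) or forward to the original service and register the new
 * process on success.
 *
 * Returns the status of the original service, or the failure/deny status
 * described above.
 */
NTSTATUS WINAPI Hook_NtCreateProcess (PHANDLE ProcessHandle,
                                      ACCESS_MASK DesiredAccess,
                                      POBJECT_ATTRIBUTES ObjectAttributes,
                                      HANDLE ParentProcess,
                                      BOOLEAN InheritObjectTable,
                                      HANDLE SectionHandle,
                                      HANDLE DebugPort,
                                      HANDLE ExceptionPort)
{
    PROC pfnStub = Hooks_GetStubAddress (HOOKS_NTCREATEPROCESS);
    NTSTATUS nStatus;
    UINT nReaction;
    WCHAR wszFilePath[MAX_PATH];
    LARGE_INTEGER liFileTime;

    TRACE;
    nStatus = HookSys_ResolveSection (SectionHandle, wszFilePath, MAX_PATH, &liFileTime);
    if (nStatus != STATUS_SUCCESS)
        return nStatus;

    nReaction = HookSys_GetExecuteReaction (wszFilePath, &liFileTime);
    if (nReaction == RULE_REJECT)
        return HookSys_DenyCreation (ProcessHandle, STATUS_FILE_INVALID);
    if (nReaction == RULE_FEIGN)
        return HookSys_DenyCreation (ProcessHandle, STATUS_SUCCESS);

    nStatus = pfnStub (ProcessHandle, DesiredAccess,
                       ObjectAttributes, ParentProcess,
                       InheritObjectTable, SectionHandle,
                       DebugPort, ExceptionPort);
    /* NT_SUCCESS is the NTSTATUS test; SUCCEEDED (HRESULT) happened to
     * agree on the sign bit but was the wrong macro family */
    if (NT_SUCCESS (nStatus))
        HookSys_ProcessCreated (*ProcessHandle, wszFilePath);
    return nStatus;
}

/******************************************************************/
/* Exported function */
/******************************************************************/
/*
 * Hook on NtCreateProcessEx: identical to Hook_NtCreateProcess except for
 * the extra trailing argument forwarded to the original service.
 *
 * Returns the status of the original service, or the failure/deny status
 * produced by the shared helpers.
 */
NTSTATUS WINAPI Hook_NtCreateProcessEx (PHANDLE ProcessHandle,
                                        ACCESS_MASK DesiredAccess,
                                        POBJECT_ATTRIBUTES ObjectAttributes,
                                        HANDLE ParentProcess,
                                        BOOLEAN InheritObjectTable,
                                        HANDLE SectionHandle,
                                        HANDLE DebugPort,
                                        HANDLE ExceptionPort,
                                        HANDLE Unknown)
{
    PROC pfnStub = Hooks_GetStubAddress (HOOKS_NTCREATEPROCESSEX);
    NTSTATUS nStatus;
    UINT nReaction;
    WCHAR wszFilePath[MAX_PATH];
    LARGE_INTEGER liFileTime;

    TRACE;
    nStatus = HookSys_ResolveSection (SectionHandle, wszFilePath, MAX_PATH, &liFileTime);
    if (nStatus != STATUS_SUCCESS)
        return nStatus;

    nReaction = HookSys_GetExecuteReaction (wszFilePath, &liFileTime);
    if (nReaction == RULE_REJECT)
        return HookSys_DenyCreation (ProcessHandle, STATUS_FILE_INVALID);
    if (nReaction == RULE_FEIGN)
        return HookSys_DenyCreation (ProcessHandle, STATUS_SUCCESS);

    nStatus = pfnStub (ProcessHandle, DesiredAccess,
                       ObjectAttributes, ParentProcess,
                       InheritObjectTable, SectionHandle,
                       DebugPort, ExceptionPort, Unknown);
    if (NT_SUCCESS (nStatus))
        HookSys_ProcessCreated (*ProcessHandle, wszFilePath);
    return nStatus;
}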
/******************************************************************/
/* Exported function */
/******************************************************************/
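/*
 * Hook on PspTerminateProcess: let the original service terminate the
 * process, then drop the matching descriptor from the process list and
 * notify the application (also for processes with no descriptor, unless
 * the descriptor opted out with PROCESS_NO_NOTIFICATION).
 *
 * Returns the status of the original service. A failure to take the
 * process-list lock is traced but no longer replaces that status: the
 * process has already been terminated by then, so reporting the lock
 * error to the kernel would misdescribe what happened.
 */
NTSTATUS DDKAPI Hook_PspTerminateProcess (IN PEPROCESS Eprocess,
                                          IN NTSTATUS ExitStatus)
{
    PROC pfnStub = Hooks_GetStubAddress (HOOKS_PSPTERMINATEPROCESS);
    NTSTATUS nStatus;

    TRACE_ALWAYS (TEXT("Eprocess = 0x%08X\n"), Eprocess);
    nStatus = (NTSTATUS) pfnStub (Eprocess, ExitStatus);
    /* NT_SUCCESS is the NTSTATUS test (SUCCEEDED is the HRESULT one) */
    if (NT_SUCCESS (nStatus))
    {
        PROCSTRUCT *pProc;
        NTSTATUS nLockStatus;

        if (nStatus != STATUS_SUCCESS)
            TRACE_WARNING (TEXT("PspTerminateProcess returned 0x%08X\n"), nStatus);

        nLockStatus = ProcList_Lock ();
        if (nLockStatus != STATUS_SUCCESS)
        {
            /* the stale entry stays in the list; surface that, keep the
             * real service's result for the caller */
            TRACE_ERROR (TEXT("ProcList_Lock failed (status=0x%08X)\n"), nLockStatus);
            return nStatus;
        }
        pProc = ProcList_Remove ((PROCADDR)Eprocess);
        ProcList_Unlock ();

        if (pProc == NULL || (pProc->nFlags & PROCESS_NO_NOTIFICATION) == 0)
            HookCommon_SendProcessTerminatedNotification ((PROCADDR)Eprocess);
        /* ProcList_Delete's behaviour on NULL is not visible here, so an
         * unknown process is not handed to it */
        if (pProc != NULL)
            ProcList_Delete (pProc);
    }
    return nStatus;
}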