hookcommon.c

一文件过滤与加密,系统监视以及控制的东东,自己看

  *pnReaction = RULE_ACCEPT ;
  if( pnOptions!=NULL ) *pnOptions = 0 ;
  
  //
  // Build condition structure
  //
  va_start (va, szFormat) ;
  bResult = FiltCond_SetFV (&cond, nReason, szFormat, va) ;
  va_end (va) ;

  if( ! bResult ) 
    {
      TRACE_ERROR (TEXT("Failed to create condition\n")) ;
      return STATUS_UNSUCCESSFUL ;
    }

  TRACE_INFO (TEXT("Reason = %d\n"), cond.nReason) ;
  if( cond.nParams>0 && cond.aParams[0].nType==FILTPARAM_STRING )
    TRACE_INFO (TEXT("Param = %ls\n"), cond.aParams[0].szValue) ;
        
  bResult = FALSE ;

  //
  // Apply filtering 
  // ---------------
  // Results are stored in nReaction, nVerbosity and nOptions
  //
  {
    HFILTER	aFilters[MAX_FILTERS] ;
    ULONG	nFilters = 0 ;
    NTSTATUS	nStatus ;
    
    // Lock filters 
    nStatus = DrvFilter_LockMutex () ;

    if( nStatus != STATUS_SUCCESS ) 
      {
	FiltCond_Clear (&cond) ;
	return nStatus ;
      }

    //       
    // Get filters associated to this process
    // 
    {
      PROCSTRUCT	*pProc ;

      nStatus = ProcList_Lock () ;

      if( nStatus != STATUS_SUCCESS )
	{
	  FiltCond_Clear (&cond) ;
	  DrvFilter_UnlockMutex () ;
	  return nStatus ;
	}

      pProc = ProcList_Get (nProcessAddress) ;
      
      if( pProc != NULL )
	{
	  TRACE_INFO (TEXT("Process 0x%08X found in list.\n"), nProcessAddress) ;

	  bPidChanged =  pProc->nProcessId != nProcessId ;
	  pProc->nProcessId = nProcessId ;

	  nProcFlags = pProc->nFlags ;

	  TRACE_INFO (TEXT("Process 0x%08X flags = 0x%08X\n"), nProcessAddress, nProcFlags) ;

	  nFilters = pProc->nFilters ;

	  ASSERT (nFilters<=MAX_FILTERS) ;

	  TRACE_INFO (TEXT("Process 0x%08X filters = 0x%08X\n"), nProcessAddress, nFilters) ;

	  if( nFilters>0 )
	    memcpy (aFilters, pProc->aFilters, nFilters*sizeof(HFILTER)) ; 
	}
      else
	{
	  TRACE_INFO (TEXT("Process 0x%08X not found in list.\n"), nProcessAddress) ;

	  bUnknownProcess = TRUE ;
	}

      ProcList_Unlock () ;
    }

    //
    // If the process was not in list, we have to add it.
    //
    if( bUnknownProcess )
      {
	PROCSTRUCT	*pProc ;

	TRACE_WARNING(TEXT("A process 0x%08X (pid=%u) has been created but I didn't saw it.\n"),
		      nProcessAddress, nProcessId) ;

	// alloc a new process descriptor
	pProc = ProcList_New (nProcessAddress, nProcessId, g_szUnknownFile) ;

	nProcFlags = pProc->nFlags ;
	
	// get associated filters
	DrvFilter_GetFiltersForProgram (pProc->wszPath, pProc->aFilters, 
					&pProc->nFilters, MAX_FILTERS) ;

	// copy associated filters
	nFilters = pProc->nFilters ;

	ASSERT (nFilters<=MAX_FILTERS) ;

	if( nFilters>0 )
	  memcpy (aFilters, pProc->aFilters, nFilters*sizeof(HFILTER)) ; 
	
	// add process descriptor to process list
	nStatus = ProcList_Lock () ;

	if( nStatus == STATUS_SUCCESS )
	  {
	    ProcList_Add (pProc) ;
	    ProcList_Unlock () ;
	  }
      }

    //
    // If the process is flagged "ignore all", we ignore the event
    //
    if( nProcFlags & PROCESS_IGNORE_ALL )
      {
	TRACE_INFO (TEXT("Process 0x%08X (pid=%u) is flagged \"ignore all\"\n"), 
		    nProcessAddress, nProcessId) ;
	DrvFilter_UnlockMutex () ;
	FiltCond_Clear (&cond) ;
	return STATUS_SUCCESS ;
      }

    //
    // Test each filter one by one
    //
    {
      int	i ;     
      
      ASSERT (nFilters<=MAX_FILTERS) ;

      //TRACE_INFO (TEXT("Process 0x%08X (pid=%u) has %u filters\n"), 
      //nProcessAddress, nProcessId, nFilters) ;  

      for( i=0 ; i<nFilters && !bResult ; i++ )
	{
	  TRACE_INFO (TEXT("Testing filter %d/%d\n"), i, nFilters) ;

	  if( aFilters[i]==NULL )
	    TRACE_WARNING (TEXT("Filter %d of process %u is NULL\n"), i, PsGetCurrentProcessId()) ;
	  else
	    bResult = Filter_Test (aFilters[i],&cond,&nReaction,&nVerbosity,&nOptions) ;	
	}
     
      if( nFilters==0 )
	{
	  HFILTERSET	hFilterSet ;
	  HFILTER	hFilter ; 
	  
	  hFilterSet = DrvFilter_GetFilterSet() ;
	  
	  if( hFilterSet ) 
	    {	      
	      TRACE_WARNING (TEXT("Process 0x%08X (pid=%u) has an empty filter list\n"), 
			     nProcessAddress, nProcessId) ;  
	      
	      hFilter = FilterSet_GetDefaultFilter (hFilterSet) ;
	      bResult = hFilter ? Filter_Test (hFilter,&cond,&nReaction,&nVerbosity,&nOptions) : FALSE ; 
	    } 
	}

      // failed to apply filters, use defaults
      if( ! bResult )  
	{
	  nReaction  = DEFAULT_REACTION;
	  nVerbosity = DEFAULT_VERBOSITY ;
	  nOptions = 0 ;
	}
    }
  }

  DrvFilter_UnlockMutex () ;
  
  if( Link_IsConnected() && (nProcFlags&PROCESS_NO_NOTIFICATION)==0 )
    { 
      //
      // If PID of this process has changed, we notify the application
      // (we send notification only when DrvFilter mutex is released).
      //
      if( bPidChanged )
	{
	  TRACE_INFO (TEXT("Process 0x%08X changed its PID to %u\n"), 
		      nProcessAddress, nProcessId) ;
	  HookCommon_SendPidChangedNotification (nProcessAddress,
						 nProcessId) ;
	}
      
      //
      // If the process the process wasn't known, we notify the application
      // (we send notification only when DrvFilter mutex is released).
      //
      if( bUnknownProcess )
	{
	  HookCommon_SendProcessCreatedNotification (nProcessAddress, nProcessId, g_szUnknownFile) ;
	}
      
      if( nOptions & RULE_ASK )
      	_HookCommon_Ask (&cond, &nReaction) ;
      
      if( nVerbosity==RULE_LOG )
	_HookCommon_Log (&cond, nReaction, FALSE) ;    
      
      if( nVerbosity==RULE_ALERT )
	_HookCommon_Log (&cond, nReaction, TRUE) ;    
    }

  *pnReaction = nReaction ;
  if( pnOptions!=NULL ) *pnOptions = nOptions ;

  TRACE_INFO(TEXT("Finished\n")) ;

  if( nReaction == RULE_KILLPROCESS )
    {
      TRACE_WARNING (TEXT("Killing process\n")) ;
      ntundoc.NtTerminateProcess (INVALID_HANDLE_VALUE, 0) ;
    }

  FiltCond_Clear (&cond) ;

  return STATUS_SUCCESS ;
}


/******************************************************************/
/* Exported function                                              */
/******************************************************************/

NTSTATUS HookCommon_SendProcessCreatedNotification (PROCADDR	nProcessAddress,
						    ULONG	nProcessId, 
						    LPCWSTR	wszFilePath)
{
  SDNPROCESSCREATED	*pReq ;
  DWORD			nRequestSize ;
  NTSTATUS		nStatus ;

  if( ! Link_IsConnected() ) return STATUS_SUCCESS ;

  nRequestSize = sizeof(SDNPROCESSCREATED) + wcslen(wszFilePath)*2 + 2 ;

  pReq	= (SDNPROCESSCREATED*) MALLOC (nRequestSize) ;
    
  if( pReq == NULL )
    {
      TRACE_ERROR (TEXT("Failed to allocate strcuture SDNPROCESSCREATED (%u bytes)\n"), nRequestSize) ;
      return STATUS_INSUFFICIENT_RESOURCES ;
    }

  pReq->hdr.dwCode		= SDN_PROCESSCREATED ;      
  pReq->nProcessAddress		= nProcessAddress ;
  pReq->nProcessId		= nProcessId ;

  memcpy (pReq->wszFilePath, wszFilePath, wcslen(wszFilePath)*2+2) ;
        
  nStatus = Link_QueryServer (pReq, nRequestSize, NULL, NULL, 0) ;
  
  if( nStatus!=STATUS_SUCCESS )
    TRACE_ERROR (TEXT("Link_QueryServer failed (status=0x%08X)\n"), nStatus) ;  

  FREE (pReq) ;

  return nStatus ;
}


/******************************************************************/
/* Exported function                                              */
/******************************************************************/

NTSTATUS HookCommon_SendPidChangedNotification (PROCADDR nProcessAddress, ULONG nPid)
{
  SDNPIDCHANGED	req ;
  NTSTATUS	nStatus ;

  if( ! Link_IsConnected() ) return STATUS_SUCCESS ;
    
  req.hdr.dwCode	= SDN_PIDCHANGED;
        
  req.nProcessAddress	= nProcessAddress ;
  req.nNewProcessId	= nPid ;
        
  nStatus = Link_QueryServer (&req, sizeof(req), NULL, NULL, 0) ;
  
  if( nStatus!=STATUS_SUCCESS )
    TRACE_ERROR (TEXT("Link_QueryServer failed (status=0x%08X)\n"), nStatus) ;  

  return nStatus ;
}


/******************************************************************/
/* Exported function                                              */
/******************************************************************/

NTSTATUS HookCommon_SendProcessTerminatedNotification (PROCADDR nProcessAddress)
{
  SDNPROCESSTERMINATED	req ;
  NTSTATUS		nStatus ;

  if( ! Link_IsConnected() ) return STATUS_SUCCESS ;
    
  req.hdr.dwCode		= SDN_PROCESSTERMINATED ;
      
  req.nProcessAddress		= nProcessAddress ;
        
  nStatus = Link_QueryServer (&req, sizeof(req), NULL, NULL, 0) ;
  
  if( nStatus!=STATUS_SUCCESS )
    TRACE_ERROR (TEXT("Link_QueryServer failed (status=0x%08X)\n"), nStatus) ;  

  return nStatus ;
}


NTSTATUS HookCommon_SetScanFilters (LPVOID pInBuf, UINT nInBufSize) 
{
  KeWaitForMutexObject (&g_data.scanfilters.mutex, Executive,
			KernelMode, FALSE, NULL) ;

  FREE (g_data.scanfilters.pszArray) ;
  FREE (g_data.scanfilters.pBuffer) ;

  g_data.scanfilters.nBufferSize = 0 ;
  g_data.scanfilters.pBuffer = NULL ;
  g_data.scanfilters.nLength = 0 ;
  g_data.scanfilters.pszArray = NULL ;
  
  if( nInBufSize > 0 )
    {
      LPWSTR szBuffer ;
      int j, n ;

      g_data.scanfilters.nBufferSize = nInBufSize ;
      g_data.scanfilters.pBuffer = MALLOC (nInBufSize) ;

      if( g_data.scanfilters.pBuffer == NULL )
	{
	  g_data.scanfilters.nBufferSize = 0 ;
	  KeReleaseMutex (&g_data.scanfilters.mutex, FALSE) ;
	  TRACE_ERROR (TEXT("Failed to allocate buffer (%u bytes)\n"), nInBufSize) ;
	  return STATUS_INSUFFICIENT_RESOURCES ;
	}
	  
      TRACE_INFO (TEXT("Reading array...\n")) ;

      memcpy (g_data.scanfilters.pBuffer, pInBuf, nInBufSize) ;
      
      TRACE_INFO (TEXT("Counting string in array...\n")) ;
      
      szBuffer = (LPWSTR)g_data.scanfilters.pBuffer ;
      n = 0 ;
      
      for( j=1 ; j<nInBufSize/sizeof(WCHAR) ; j++ )
	if( szBuffer[j]==0 && szBuffer[j-1]!=0 )  n++ ;		
      
      
      TRACE_INFO (TEXT("Found %d strings.\n"), n) ;
      
      g_data.scanfilters.nLength = n ;
      g_data.scanfilters.pszArray = MALLOC (n*sizeof(LPTSTR)) ;

      if( g_data.scanfilters.pszArray == NULL )
	{
	  FREE (g_data.scanfilters.pBuffer) ;
	  g_data.scanfilters.pBuffer = NULL ;
	  g_data.scanfilters.nBufferSize = 0 ;
	  g_data.scanfilters.nLength = 0 ;
	  KeReleaseMutex (&g_data.scanfilters.mutex, FALSE) ;
	  TRACE_ERROR (TEXT("Failed to allocate array (%u bytes)\n"), n*sizeof(LPTSTR)) ;
	  return STATUS_INSUFFICIENT_RESOURCES ;
	}
      
      n = 0 ;
      g_data.scanfilters.pszArray[n] = szBuffer ;
      TRACE_INFO (TEXT("String %d is \"%ls\"\n"), n, g_data.scanfilters.pszArray[n]) ;
      n++ ;
      
      for( j=1 ; j<nInBufSize/sizeof(WCHAR) ; j++ )
	{
	  if( szBuffer[j]!=0 && szBuffer[j-1]==0 )
	    {
	      g_data.scanfilters.pszArray[n] = &szBuffer[j] ;
	      TRACE_INFO (TEXT("String %d is \"%ls\"\n"), n, g_data.scanfilters.pszArray[n]) ;
	      n++ ;
	    }
	}
      
      TRACE_INFO (TEXT("Finished getting %d strings\n"), n) ;
    }

  KeReleaseMutex (&g_data.scanfilters.mutex, FALSE) ;

  return STATUS_SUCCESS ;
}