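TRACE_INFO (TEXT("File path = %s\n"), szFilePath) ;
if( bIsFile )
{
    HookCommon_CatchCall (&nReaction, NULL, FILTREASON_FILE_WRITE, TEXT("s"), szFilePath) ;
}
}
}
if( nReaction == RULE_FEIGN )
    return STATUS_SUCCESS ;
if( nReaction != RULE_ACCEPT )
    return STATUS_ACCESS_DENIED ;
}
JUMP_TO_STUB (HOOKS_NTSETINFORMATIONFILE) ;
ASSERT (0) ;
return 0 ;
}

/*
 * Size of the buffer _HookFile_IPv4toString writes into: the longest
 * dotted-decimal IPv4 string ("255.255.255.255", 15 characters) plus the
 * terminator.  Every szAddr array in this file is declared with it.
 */
enum { HOOKFILE_IPV4_STRLEN = 16 } ;

/*
 * Formats the IPv4 address *pAddr as dotted decimal into szAddr.
 *
 * szAddr must hold at least HOOKFILE_IPV4_STRLEN WCHARs: ntundoc.swprintf is
 * called without a size, so a smaller buffer would be overrun.  Each octet is
 * taken from the S_un_b byte view of in_addr, so no byte-order handling is
 * needed.
 */
void _HookFile_IPv4toString (LPWSTR szAddr, struct in_addr * pAddr)
{
    ntundoc.swprintf (szAddr, L"%d.%d.%d.%d",
                      pAddr->S_un.S_un_b.s_b1, pAddr->S_un.S_un_b.s_b2,
                      pAddr->S_un.S_un_b.s_b3, pAddr->S_un.S_un_b.s_b4) ;
}

/*
 * Returns the protocol recorded for socket handle h in the watched-object
 * list (filled in by the socket-creation control code handled below).
 *
 * Returns 1 when the handle cannot be referenced or the object is not in the
 * list.  NOTE(review): the connect path below stores -1 for an unknown
 * protocol, so the two "unknown" values disagree — confirm which one the rule
 * engine expects.
 *
 * The object reference taken here is always released before returning.
 */
int _HookFile_GetProtocol (HANDLE h)
{
    int nProtocol = 1 ;
    PVOID pObject = NULL ;
    NTSTATUS nStatus ;

    /* AccessMode is KernelMode, so the GENERIC_ALL request is not checked
       against the access the handle was granted; any valid handle resolves. */
    nStatus = ObReferenceObjectByHandle (h, GENERIC_ALL, NULL, KernelMode, &pObject, NULL) ;
    if( nStatus==STATUS_SUCCESS && pObject!=NULL )
    {
        nStatus = WatchObjs_Lock () ;
        if( nStatus == STATUS_SUCCESS )
        {
            SOCKETDATA *pData ;
            ULONG nSize ;

            nStatus = WatchObjs_GetFromPointer (pObject, WOT_SOCKET, (void**)&pData, &nSize) ;
            if( nStatus==STATUS_SUCCESS )
                nProtocol = pData->nProtocol ;
            WatchObjs_Unlock () ;
        }
        ObDereferenceObject (pObject) ;
    }
    else
    {
        TRACE_ERROR (TEXT("ObReferenceObjectByHandle failed (status=0x%08X)\n"), nStatus) ;
    }
    return nProtocol ;
}

/*
 * Completion routine with the PIO_APC_ROUTINE signature.  It only prints a
 * marker; nothing in the visible part of this file passes it to a call, so it
 * looks like a debugging leftover.
 */
VOID DDKAPI _HookFile_Recv (PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG Reserved)
{
    DbgPrint ("+++++++++++++++ COUCOU +++++++++++++++++\n") ;
}

/*
 * Byte-swaps a 16-bit port.  sockaddr_in.sin_port is in network (big-endian)
 * order; on the little-endian x86 targets this driver runs on the swap yields
 * the host value that is traced and handed to the rule engine.  Replaces the
 * two-line byte copy that was repeated in every case of the hook below.
 */
static USHORT _HookFile_PortFromNetOrder (USHORT nNetPort)
{
    return (USHORT)( (nNetPort >> 8) | (nNetPort << 8) ) ;
}

/*
 * Non-zero when InputBuffer cannot contain the nNeeded bytes a case of the hook
 * is about to read from it.  InputBuffer and InputBufferLength arrive straight
 * from the caller of NtDeviceIoControlFile and nothing has validated them
 * before the hook looks at them; without this check a short request would be
 * read past its end inside the kernel.
 */
static int _HookFile_InputTooShort (PVOID InputBuffer, ULONG InputBufferLength, ULONG nNeeded)
{
    return InputBuffer == NULL || InputBufferLength < nNeeded ;
}

/******************************************************************/
/* Exported function                                              */
/******************************************************************/

/*
 * Hook for NtDeviceIoControlFile.
 *
 * Only the socket control codes this filter knows are inspected (the traces
 * below label them bind, connect, recvfrom, send, sendto and socket creation).
 * For a bind/connect/send/sendto on an AF_INET address the request is
 * described to the rule engine (HookCommon_CatchCall) and the call returns
 * STATUS_ACCESS_DENIED unless the reaction is RULE_ACCEPT.  Socket creation
 * and connect also record type/protocol/peer in the watched-object list so a
 * later send(), which carries no address, can be matched against the peer.
 * Everything else — other control codes, non-AF_INET addresses, send() on a
 * socket that is not in the list — is forwarded to the original service
 * through JUMP_TO_STUB without a rule decision.
 *
 * Parameters are exactly those of NtDeviceIoControlFile; only FileHandle,
 * IoControlCode, InputBuffer and InputBufferLength are read here, the rest are
 * passed through.
 *
 * Returns: STATUS_ACCESS_DENIED when the rule engine rejects the request,
 * STATUS_INVALID_PARAMETER when InputBuffer is too short for the layout a case
 * needs to read, the failing NTSTATUS when the socket object cannot be
 * referenced or the watch list cannot be locked, STATUS_INSUFFICIENT_RESOURCES
 * when a SOCKETDATA entry cannot be allocated; otherwise control passes to the
 * original service via JUMP_TO_STUB.
 *
 * The request layouts (the INPUT structs and the 0x12 / 0x34 offsets) are
 * undocumented and come from caller memory, so each case checks
 * InputBufferLength before touching the buffer and fails closed.  NOTE(review):
 * the buffer is read here and again by the original service, so a caller can
 * change it between the two reads; if the rule decision must match what the
 * service sees, the request would have to be captured once and re-issued from
 * the copy.  The sendto case additionally follows a caller-supplied pointer
 * whose target length cannot be checked here.
 */
NTSTATUS WINAPI Hook_NtDeviceIoControlFile (HANDLE FileHandle, HANDLE Event, PIO_APC_ROUTINE ApcRoutine,
                                            PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock,
                                            ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength,
                                            PVOID OutputBuffer, ULONG OutputBufferLength)
{
/*
    {
        NTSTATUS nStatus ;
        ULONG n, nRemainBytes ;
        WOTFILE *pWotFileData ;
        ULONG nWotDataSize ;

        WatchObjs_Lock () ;
        nStatus = WatchObjs_GetFromHandle (FileHandle, WOT_FILE, (void**)&pWotFileData, &nWotDataSize) ;
        if( nStatus!=STATUS_SUCCESS )
            pWotFileData = NULL ;
        if( (IoControlCode & 0x00FF000) == 0x12000 )
        //if( IoControlCode == 0x12003 )
        {
            DbgPrint (" I/O Control 0x%08X on %ls\n", IoControlCode, pWotFileData ? pWotFileData->wszFilePath : L"???") ;
            nRemainBytes = InputBufferLength ;
            if( nRemainBytes>32 )
                nRemainBytes = 32 ;
            for( n=0 ; n<nRemainBytes ; n+=4 )
                DbgPrint (" +%04X - %08X - %02X %02X %02X %02X\n", n, *(ULONG*)((BYTE*)InputBuffer+n),
                          ((BYTE*)InputBuffer+n)[0], ((BYTE*)InputBuffer+n)[1],
                          ((BYTE*)InputBuffer+n)[2], ((BYTE*)InputBuffer+n)[3]) ;
        }
        WatchObjs_Unlock () ;
        // if( IoControlCode == 0x1201F )
        //     DbgBreakPoint () ;
    }
*/
    {
        switch( IoControlCode )
        {
            //
            // bind () ;
            //
            case 0x12003 :
            {
                struct INPUT
                {
                    DWORD nReserved0 ;
                    DWORD nReserved4 ;
                    WORD nAddrSize ;
                    SOCKADDR_IN addr ;
                } PACKED ;
                SOCKADDR_IN *pAddr ;

                /* Fail closed on a request too short to hold the layout read below. */
                if( _HookFile_InputTooShort (InputBuffer, InputBufferLength, (ULONG)sizeof(struct INPUT)) )
                    return STATUS_INVALID_PARAMETER ;

                pAddr = &((struct INPUT*)InputBuffer)->addr ;
                // SOCKADDR_IN *pAddr = (void*)( (BYTE*)InputBuffer + 0x0A ) ;
                if( ((struct INPUT*)InputBuffer)->nReserved0==0 && pAddr->sin_family == AF_INET )
                {
                    UINT nReaction ;
                    WCHAR szAddr[HOOKFILE_IPV4_STRLEN] ;
                    USHORT nPort, nProtocol ;

                    _HookFile_IPv4toString (szAddr, &pAddr->sin_addr) ;
                    nPort = _HookFile_PortFromNetOrder (pAddr->sin_port) ;
                    /* int result stored in a USHORT: an unknown protocol of -1 would
                       show up as 65535 (pre-existing behaviour, kept). */
                    nProtocol = _HookFile_GetProtocol (FileHandle) ;
                    TRACE_INFO (TEXT("Bind (addr=%ls, port=%d, proto=%d)\n"), szAddr, nPort, nProtocol) ;
                    HookCommon_CatchCall (&nReaction, NULL, FILTREASON_NET_LISTEN, TEXT("snn"), szAddr, nPort, nProtocol) ;
                    if( nReaction!=RULE_ACCEPT )
                        return STATUS_ACCESS_DENIED ;
                }
            }
            break ;

            //
            // connect () ;
            //
            case 0x12007 :
            {
                struct sockaddr_in * pAddr ;

                /* The address sits at a fixed offset inside the request. */
                if( _HookFile_InputTooShort (InputBuffer, InputBufferLength, (ULONG)(0x12 + sizeof(struct sockaddr_in))) )
                    return STATUS_INVALID_PARAMETER ;

                pAddr = (void*)( (BYTE*)InputBuffer + 0x12 ) ;
                if( pAddr->sin_family == AF_INET )
                {
                    NTSTATUS nStatus ;
                    PVOID pObject ;
                    UINT nReaction ;
                    SOCKETDATA *pData ;
                    ULONG nSize ;
                    USHORT nPort, nProtocol ;
                    WCHAR szAddr[HOOKFILE_IPV4_STRLEN] ;

                    nStatus = ObReferenceObjectByHandle (FileHandle, GENERIC_ALL, NULL, KernelMode, &pObject, NULL) ;
                    if( nStatus!=STATUS_SUCCESS || pObject==NULL )
                    {
                        TRACE_ERROR (TEXT("ObReferenceObjectByHandle failed (status=0x%08X)\n"), nStatus) ;
                        return nStatus ;
                    }
                    nStatus = WatchObjs_Lock () ;
                    if( nStatus != STATUS_SUCCESS )
                    {
                        ObDereferenceObject (pObject) ;
                        return nStatus ;
                    }
                    nStatus = WatchObjs_GetFromPointer (pObject, WOT_SOCKET, (void**)&pData, &nSize) ;
                    if( nStatus!=STATUS_SUCCESS )
                    {
                        /* Socket not seen at creation (presumably created before the
                           hook was installed): register it now with an unknown protocol
                           so that later send() calls can still find the peer. */
                        TRACE_WARNING (TEXT("Socket 0x%08X was not in object list\n"), FileHandle) ;
                        nSize = sizeof(SOCKETDATA) ;
                        pData = MALLOC (nSize) ;
                        if( pData == NULL )
                        {
                            TRACE_ERROR (TEXT("Failed to allocate strcuture SOCKETDATA (%u bytes)\n"), nSize) ;
                            WatchObjs_Unlock () ;
                            ObDereferenceObject (pObject) ;
                            return STATUS_INSUFFICIENT_RESOURCES ;
                        }
                        memset (pData, 0, nSize) ;
                        pData->nProtocol = -1 ;
                        /* NOTE(review): the result of WatchObjs_AddFromPointer is ignored;
                           if it can fail, pData leaks here (same in the socket-creation
                           case below). */
                        WatchObjs_AddFromPointer (pObject, WOT_SOCKET, pData, nSize) ;
                    }
                    /* The peer is recorded before the rule decision, so a denied
                       connect still leaves its address in the entry. */
                    memcpy (&pData->address, pAddr, sizeof(SOCKADDR_IN)) ;
                    nProtocol = pData->nProtocol ;
                    WatchObjs_Unlock () ;
                    ObDereferenceObject (pObject) ;

                    _HookFile_IPv4toString (szAddr, &pAddr->sin_addr) ;
                    nPort = _HookFile_PortFromNetOrder (pAddr->sin_port) ;
                    /* NOTE(review): every other trace format in this file is wrapped in
                       TEXT(); this one is a narrow literal — confirm TRACE_INFO accepts it. */
                    TRACE_INFO ("Connect (addr=%ls, port=%d, proto=%d)\n", szAddr, nPort, nProtocol) ;
                    HookCommon_CatchCall (&nReaction, NULL, FILTREASON_NET_CONNECT, TEXT("snn"), szAddr, nPort, nProtocol) ;
                    if( nReaction!=RULE_ACCEPT )
                        return STATUS_ACCESS_DENIED ;
                }
            }
            break ;

            //
            // recvfrom () ;
            //
            case 0x1201B :
            {
                TRACE_INFO (TEXT("Recvfrom not supported\n")) ;
            }
            break ;

            //
            // send () ;
            //
            case 0x1201F :
            {
                NTSTATUS nStatus ;
                UINT nReaction ;
                SOCKETDATA *pData ;
                ULONG nSize ;
                struct sockaddr_in addr ;
                WCHAR szAddr[HOOKFILE_IPV4_STRLEN] ;
                USHORT nPort, nProtocol ;
                PVOID pObject ;

                /* send() carries no address: the peer recorded at connect time is
                   used, so InputBuffer is not read in this case. */
                nStatus = ObReferenceObjectByHandle (FileHandle, GENERIC_ALL, NULL, KernelMode, &pObject, NULL) ;
                if( nStatus!=STATUS_SUCCESS || pObject==NULL )
                {
                    TRACE_ERROR (TEXT("ObReferenceObjectByHandle failed (status=0x%08X)\n"), nStatus) ;
                    return nStatus ;
                }
                nStatus = WatchObjs_Lock () ;
                if( nStatus != STATUS_SUCCESS )
                {
                    ObDereferenceObject (pObject) ;
                    return nStatus ;
                }
                nStatus = WatchObjs_GetFromPointer (pObject, WOT_SOCKET, (void**)&pData, &nSize) ;
                if( nStatus==STATUS_SUCCESS )
                {
                    /* Copy out under the lock; pData is not touched after unlocking. */
                    memcpy (&addr, &pData->address, sizeof(SOCKADDR_IN)) ;
                    nProtocol = pData->nProtocol ;
                }
                WatchObjs_Unlock () ;
                ObDereferenceObject (pObject) ;

                /* addr/nProtocol are only set on a successful lookup; a socket that
                   is not in the list is forwarded without a rule decision. */
                if( nStatus==STATUS_SUCCESS && addr.sin_family==AF_INET )
                {
                    _HookFile_IPv4toString (szAddr, &addr.sin_addr) ;
                    nPort = _HookFile_PortFromNetOrder (addr.sin_port) ;
                    HookCommon_CatchCall (&nReaction, NULL, FILTREASON_NET_SEND, TEXT("snn"), szAddr, nPort, nProtocol) ;
                    if( nReaction!=RULE_ACCEPT )
                        return STATUS_ACCESS_DENIED ;
                }
            }
            break ;

            //
            // sendto () ;
            //
            case 0x12023 :
            {
                BYTE ** p ;
                struct sockaddr_in * pAddr ;

                /* The request holds, at offset 0x34, a pointer to a caller-supplied
                   block; the address starts 6 bytes into that block.  Only the outer
                   buffer's length and a NULL pointer can be checked here. */
                if( _HookFile_InputTooShort (InputBuffer, InputBufferLength, (ULONG)(0x34 + sizeof(BYTE*))) )
                    return STATUS_INVALID_PARAMETER ;

                p = (BYTE**)((BYTE*)InputBuffer + 0x34) ;
                if( *p == NULL )
                    return STATUS_INVALID_PARAMETER ;

                pAddr = (void*)( *p+6 ) ;
                if( pAddr->sin_family == AF_INET )
                {
                    UINT nReaction ;
                    USHORT nPort, nProtocol ;
                    WCHAR szAddr[HOOKFILE_IPV4_STRLEN] ;

                    _HookFile_IPv4toString (szAddr, &pAddr->sin_addr) ;
                    nPort = _HookFile_PortFromNetOrder (pAddr->sin_port) ;
                    nProtocol = _HookFile_GetProtocol (FileHandle) ;
                    TRACE_INFO (TEXT("Sendto (addr=%ls, port=%d, proto=%d)\n"), szAddr, nPort, nProtocol) ;
                    HookCommon_CatchCall (&nReaction, NULL, FILTREASON_NET_SEND, TEXT("snn"), szAddr, nPort, nProtocol) ;
                    if( nReaction!=RULE_ACCEPT )
                        return STATUS_ACCESS_DENIED ;
                }
            }
            break ;

            //
            // socket creation: remember type/protocol for the cases above
            //
            case 0x12047 :
            {
                struct INPUT
                {
                    ULONG nReserved0 ;
                    ULONG nAddressFamily ;
                    ULONG nSocketType ;
                    ULONG nProtocol ;
                } ;
                SOCKETDATA *pData ;
                ULONG nSize ;
                NTSTATUS nStatus ;
                PVOID pObject ;

                if( _HookFile_InputTooShort (InputBuffer, InputBufferLength, (ULONG)sizeof(struct INPUT)) )
                    return STATUS_INVALID_PARAMETER ;

                nStatus = ObReferenceObjectByHandle (FileHandle, GENERIC_ALL, NULL, KernelMode, &pObject, NULL) ;
                if( nStatus!=STATUS_SUCCESS || pObject==NULL )
                {
                    TRACE_ERROR (TEXT("ObReferenceObjectByHandle failed (status=0x%08X)\n"), nStatus) ;
                    return nStatus ;
                }
                nStatus = WatchObjs_Lock () ;
                if( nStatus != STATUS_SUCCESS )
                {
                    ObDereferenceObject (pObject) ;
                    return nStatus ;
                }
                nStatus = WatchObjs_GetFromPointer (pObject, WOT_SOCKET, (void**)&pData, &nSize) ;
                if( nStatus != STATUS_SUCCESS )
                {
                    nSize = sizeof(SOCKETDATA) ;
                    pData = MALLOC (nSize) ;
                    if( pData == NULL )
                    {
                        TRACE_ERROR (TEXT("Failed to allocate strcuture SOCKETDATA (%u bytes)\n"), nSize) ;
                        WatchObjs_Unlock () ;
                        ObDereferenceObject (pObject) ;
                        return STATUS_INSUFFICIENT_RESOURCES ;
                    }
                    /* Zero the new entry as the connect case does, so the fields not
                       set here (the rest of the peer address) start from a known
                       state instead of whatever MALLOC returned. */
                    memset (pData, 0, nSize) ;
                    pData->address.ss_family = AF_UNSPEC ;
                    WatchObjs_AddFromPointer (pObject, WOT_SOCKET, pData, nSize) ;
                }
                pData->nType = ((struct INPUT*)InputBuffer)->nSocketType ;
                pData->nProtocol = ((struct INPUT*)InputBuffer)->nProtocol ;
                TRACE_INFO (TEXT("Socket 0x%08X (type=%d, protocol=%d)\n"), FileHandle, pData->nType, pData->nProtocol) ;
                WatchObjs_Unlock () ;
                ObDereferenceObject (pObject) ;
            }
            break ;

            default :
                /* Not a request this filter inspects: forwarded as-is. */
                break ;
        }
    }
    /* Transfers control to the original service; the ASSERT marks the
       path after it as one that is not expected to be reached. */
    JUMP_TO_STUB (HOOKS_NTDEVICEIOCONTROLFILE) ;
    ASSERT (0) ;
    return 0 ;
}

/*
NTSTATUS WINAPI Hook_NtWriteFile (IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
                                  IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PVOID Buffer,
                                  IN ULONG Length, IN PLARGE_INTEGER ByteOffset OPTIONAL, IN PULONG Key OPTIONAL)
{
    {
        NTSTATUS nStatus ;
        LPVOID pUserData ;
        ULONG nUserDataSize ;

        nStatus = WatchObjs_Lock () ;
        if( nStatus != STATUS_SUCCESS )
            return nStatus ;
        nStatus = WatchObjs_GetFromHandle (FileHandle, WOT_FILE, &pUserData, &nUserDataSize) ;
        if( nStatus!=STATUS_SUCCESS )
            pUserData = L"?????" ;
        DbgPrint (" Write %lu bytes on %ls\n", Length, pUserData) ;
        WatchObjs_Unlock () ;
    }
    JUMP_TO_STUB (HOOKS_NTWRITEFILE) ;
    ASSERT (0) ;
    return 0 ;
}
*/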