/******************************************************************/
/* */
/* Winpooch : Windows Watchdog */
/* Copyright (C) 2004-2006 Benoit Blanchon */
/* */
/* This program is free software; you can redistribute it */
/* and/or modify it under the terms of the GNU General Public */
/* License as published by the Free Software Foundation; either */
/* version 2 of the License, or (at your option) any later */
/* version. */
/* */
/* This program is distributed in the hope that it will be */
/* useful, but WITHOUT ANY WARRANTY; without even the implied */
/* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR */
/* PURPOSE. See the GNU General Public License for more */
/* details. */
/* */
/* You should have received a copy of the GNU General Public */
/* License along with this program; if not, write to the Free */
/* Software Foundation, Inc., */
/* 675 Mass Ave, Cambridge, MA 02139, USA. */
/* */
/******************************************************************/

/******************************************************************/
/* Build configuration */
/******************************************************************/

#define ONLY_DEFAULT_FILTER 0
#define TRACE_LEVEL 2 // warning level

/******************************************************************/
/* Includes */
/******************************************************************/

// module's interface
#include "ProcList.h"

// ddk's header
#include <ddk/ntifs.h>

// project's headers
#include "DrvFilter.h"
#include "DrvStatus.h"
#include "FileInfo.h"
#include "FilterSet.h"
#include "Malloc.h"
#include "NtUndoc.h"
#include "ProcInfo.h"
#include "Strlcpy.h"
#include "SystInfo.h"
#include "Trace.h"

/******************************************************************/
/* Internal constants */
/******************************************************************/

#define LOCK_TIMEOUT 30 /*seconds*/

/******************************************************************/
/* Internal data types
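*//******************************************************************/

/* One list node; it owns its PROCSTRUCT (both are released together in ProcList_Clear). */
typedef struct NODE
{
    PROCSTRUCT  *pData ;
    struct NODE *pPrev ;
    struct NODE *pNext ;
} NODE ;

/* Module state: the process list, the mutex guarding it and the configured scanner path. */
typedef struct
{
    BOOL         bInitialized ;
    KMUTEX       mutex ;                      /* taken through ProcList_Lock / ProcList_Unlock */
    WCHAR        szScannerExePath[MAX_PATH] ; /* empty string when no scanner is configured */
    struct NODE *pFirst ;
    struct NODE *pLast ;
} INTERNALDATA ;

/******************************************************************/
/* Internal data */
/******************************************************************/

static INTERNALDATA g_data ;

/* KeWaitForMutexObject takes a relative timeout as a negative count of 100 ns units. */
#define PROCLIST_RELATIVE_TIMEOUT_MS(ms) (-(LONGLONG)(ms) * 10000)

/* First wait on the mutex before warning that it is contended (the warning text says "5 seconds"). */
#define PROCLIST_FIRST_WAIT_MS 5000

/* Initial size of the ZwQuerySystemInformation buffer; it doubles on STATUS_INFO_LENGTH_MISMATCH
   and the cap keeps that growth (and the ULONG size) from running unbounded. */
#define PROCLIST_QUERY_BUFFER_INITIAL 1000000
#define PROCLIST_QUERY_BUFFER_MAX     (64u * 1024u * 1024u)

/******************************************************************/
/* Internal functions */
/******************************************************************/

/* Defined later in this file. NOTE(review): leading underscore + capital letter is reserved
   for the implementation in C; the names are kept because their definitions are outside this block. */
NTSTATUS    _ProcList_GetProcessPath (LPWSTR wszPath, HANDLE hProcess) ;
PROCSTRUCT* _ProcList_DeleteNode (NODE * pNode) ;
PROCSTRUCT* _ProcList_NewPid (PROCID nPid) ;

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Initialises the module state: an empty list, an unowned mutex and no scanner path.
   Must be called once before any other ProcList_* function. */
VOID ProcList_Init ()
{
    TRACE ;

    // assert paged memory is accessible
    PAGED_CODE() ;

    ASSERT (!g_data.bInitialized) ;

    KeInitializeMutex (&g_data.mutex, 0) ;
    g_data.pFirst = NULL ;
    g_data.pLast = NULL ;
    g_data.szScannerExePath[0] = 0 ;
    g_data.bInitialized = TRUE ;
}

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Releases every node and marks the module uninitialised.
   The list is only walked when the mutex could be acquired: clearing it while another
   thread still owns the mutex would race, and ProcList_Unlock would release a mutex
   this thread does not own. In that case the nodes are deliberately leaked. */
VOID ProcList_Uninit ()
{
    NTSTATUS nStatus ;

    TRACE ;

    // assert paged memory is accessible
    PAGED_CODE() ;

    ASSERT (g_data.bInitialized) ;

    nStatus = ProcList_Lock () ;
    if( nStatus == STATUS_SUCCESS )
    {
        ProcList_Clear () ;
        ProcList_Unlock () ;
    }
    else
    {
        TRACE_ERROR (TEXT("ProcList_Uninit: list mutex not acquired (status=0x%08X), list not freed\n"), nStatus) ;
    }

    g_data.szScannerExePath[0] = 0 ;
    g_data.bInitialized = FALSE ;
}

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Records the path of the anti-virus scanner executable (NULL clears it).
   Caller must hold the list mutex. The path is truncated to MAX_PATH-1 characters by wcslcpy.
   Returns STATUS_SUCCESS. */
NTSTATUS ProcList_SetScannerExePath (LPCWSTR szScannerExe)
{
    ASSERT (ProcList_IsLocked()) ;

    if( szScannerExe!=NULL )
    {
        wcslcpy (g_data.szScannerExePath, szScannerExe, MAX_PATH) ;
        TRACE_INFO (TEXT("Anti-virus has been changed to %ls\n"), szScannerExe) ;
    }
    else
    {
        g_data.szScannerExePath[0] = 0 ;
        TRACE_INFO (TEXT("No anti-virus specified.\n")) ;
    }

    return STATUS_SUCCESS ;
}

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Returns the configured scanner path (empty string when none). The pointer refers to
   module storage and stays valid until the next ProcList_SetScannerExePath / ProcList_Uninit. */
LPCWSTR ProcList_GetScannerExePath ()
{
    return g_data.szScannerExePath ;
}

/******************************************************************/
/* Internal function */
/******************************************************************/

/* TRUE while the mutex is owned by *some* thread: KeReadStateMutex returns 0 when the
   mutex is signalled-free count is zero. It cannot tell whether the owner is the current
   thread, so the ASSERTs built on it only catch a completely unlocked list. */
BOOL ProcList_IsLocked ()
{
    return 0==KeReadStateMutex(&g_data.mutex) ;
}

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Acquires the list mutex. Waits PROCLIST_FIRST_WAIT_MS, logs a warning if that expires,
   then waits LOCK_TIMEOUT more seconds. Returns STATUS_SUCCESS when the mutex is owned;
   any other status (STATUS_TIMEOUT included) means it is NOT owned and the caller must
   not touch the list nor call ProcList_Unlock. */
NTSTATUS ProcList_Lock ()
{
    NTSTATUS nStatus ;
    LARGE_INTEGER liTimeOut ;

    ASSERT (g_data.bInitialized) ;

    liTimeOut.QuadPart = PROCLIST_RELATIVE_TIMEOUT_MS (PROCLIST_FIRST_WAIT_MS) ;
    nStatus = KeWaitForMutexObject (&g_data.mutex, Executive, KernelMode, FALSE, &liTimeOut) ;

    if( nStatus==STATUS_TIMEOUT )
    {
        TRACE_WARNING (TEXT("Waiting for ProcList mutex for more than 5 seconds, will fail in %d secondes.\n"), LOCK_TIMEOUT) ;

        liTimeOut.QuadPart = PROCLIST_RELATIVE_TIMEOUT_MS (LOCK_TIMEOUT * 1000) ;
        nStatus = KeWaitForMutexObject (&g_data.mutex, Executive, KernelMode, FALSE, &liTimeOut) ;
    }

    // STATUS_TIMEOUT is a "success" class code for NT_SUCCESS, hence the explicit comparison
    if( nStatus!=STATUS_SUCCESS )
    {
        DrvStatus_Trace() ;
        TRACE_BREAK (TEXT("KeWaitForMutexObject failed (status=0x%08X)\n"), nStatus) ;
    }

    return nStatus ;
}

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Releases the list mutex; only valid after a ProcList_Lock that returned STATUS_SUCCESS.
   Returns STATUS_SUCCESS. */
NTSTATUS ProcList_Unlock ()
{
    ASSERT (g_data.bInitialized) ;
    ASSERT (ProcList_IsLocked()) ;

    KeReleaseMutex (&g_data.mutex, FALSE) ;

    return STATUS_SUCCESS ;
}

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Frees every node and its PROCSTRUCT and leaves the list empty. Caller must hold the mutex. */
VOID ProcList_Clear ()
{
    NODE * pCur ;
    NODE * pNext ;

    TRACE ;

    // assert paged memory is accessible
    PAGED_CODE() ;

    ASSERT (ProcList_IsLocked()) ;
    ASSERT (g_data.bInitialized) ;

    // pNext is read before the node is freed
    for( pCur=g_data.pFirst ; pCur!=NULL ; pCur=pNext )
    {
        pNext = pCur->pNext ;
        FREE (pCur->pData) ;
        FREE (pCur) ;
    }

    g_data.pFirst = NULL ;
    g_data.pLast = NULL ;
}

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Adds one entry per process currently reported by ZwQuerySystemInformation.
   Caller must hold the mutex. Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES
   when the buffer cannot be allocated (or would exceed PROCLIST_QUERY_BUFFER_MAX), or
   the status of the failed query.
   The snapshot is queried once; the former second query after the retry loop was
   redundant and could fail with STATUS_INFO_LENGTH_MISMATCH if processes were created
   between the two calls. The walk over the returned records is bounded by the length the
   kernel reported, so a bad NextEntryOffset can never take the walk outside the buffer. */
NTSTATUS ProcList_Populate ()
{
    NTSTATUS nStatus ;
    const SYSTEM_PROCESS_INFORMATION * pCurrent ;
    const BYTE * pEnd ;
    VOID *pBuffer ;
    ULONG nBufferSize ;
    ULONG nReturned ;

    TRACE ;

    // assert paged memory is accessible
    PAGED_CODE() ;

    ASSERT (ProcList_IsLocked()) ;
    ASSERT (g_data.bInitialized) ;

    nBufferSize = PROCLIST_QUERY_BUFFER_INITIAL ;
    for( ;; )
    {
        pBuffer = MALLOC (nBufferSize) ;
        if( pBuffer == NULL )
        {
            TRACE_ERROR (TEXT("Failed to allocate buffer for process list (%u bytes)\n"), nBufferSize) ;
            return STATUS_INSUFFICIENT_RESOURCES ;
        }

        nReturned = 0 ;
        nStatus = ZwQuerySystemInformation (SystemProcessInformation, pBuffer, nBufferSize, &nReturned) ;
        if( nStatus == STATUS_SUCCESS )
            break ;

        FREE (pBuffer) ;

        if( nStatus != STATUS_INFO_LENGTH_MISMATCH )
        {
            TRACE_ERROR (TEXT("NtQuerySystemInformation failed (status=0x%08X)\n"), nStatus) ;
            return nStatus ;
        }

        // grow geometrically, but never past the cap (also avoids wrapping the ULONG)
        if( nBufferSize > PROCLIST_QUERY_BUFFER_MAX / 2 )
        {
            TRACE_ERROR (TEXT("Process list does not fit in %u bytes, giving up\n"), PROCLIST_QUERY_BUFFER_MAX) ;
            return STATUS_INSUFFICIENT_RESOURCES ;
        }
        nBufferSize *= 2 ;
    }

    // presumably the kernel always fills ReturnLength on success; fall back to the
    // whole buffer if it did not, so the bound below stays conservative
    if( nReturned == 0 || nReturned > nBufferSize )
        nReturned = nBufferSize ;
    pEnd = (const BYTE*)pBuffer + nReturned ;

    pCurrent = pBuffer ;
    while( pCurrent != NULL )
    {
        const BYTE * pBytes = (const BYTE*)pCurrent ;
        PROCSTRUCT * pProc ;

        // a record must fit entirely inside the reported data
        if( (SIZE_T)(pEnd - pBytes) < sizeof(*pCurrent) )
        {
            TRACE_ERROR (TEXT("Process list record runs past the end of the buffer, stopping\n")) ;
            break ;
        }

        TRACE_INFO (TEXT("Process %d (delta=%d)\n"), pCurrent->UniqueProcessId, pCurrent->NextEntryOffset) ;

        pProc = _ProcList_NewPid ((PROCID)pCurrent->UniqueProcessId) ;
        // presumably NULL on allocation failure; such a process is skipped rather than
        // handing NULL to ProcList_Add — TODO confirm against _ProcList_NewPid
        if( pProc != NULL )
            ProcList_Add (pProc) ;

        if( pCurrent->NextEntryOffset == 0 )
            break ;

        // the next record must start strictly inside the reported data
        if( pCurrent->NextEntryOffset >= (ULONG)(pEnd - pBytes) )
        {
            TRACE_ERROR (TEXT("Process list NextEntryOffset points outside the buffer, stopping\n")) ;
            break ;
        }
        pCurrent = (const SYSTEM_PROCESS_INFORMATION*)(pBytes + pCurrent->NextEntryOffset) ;
    }

    TRACE_INFO (TEXT("Buffer = 0x%08X\n"), pBuffer) ;

    FREE (pBuffer) ;

    return STATUS_SUCCESS ;
}

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Allocates and fills a zeroed PROCSTRUCT for one process. Ownership of the returned
   structure passes to the caller (freed with ProcList_Delete or through the list).
   wszFilePath may be NULL, which is stored as an empty path. Returns NULL on allocation failure.
   Only a non-empty configured scanner path can grant PROCESS_IGNORE_ALL|PROCESS_NO_NOTIFICATION:
   comparing an empty scanner path with an empty/unknown process path used to match and
   silently exempt that process from monitoring.
   NOTE(review): g_data.szScannerExePath is read here without a ProcList_IsLocked() assertion —
   confirm the callers hold the mutex. */
PROCSTRUCT* ProcList_New (IN PROCADDR nProcessAddress, IN PROCID nProcessId, IN LPCWSTR wszFilePath)
{
    PROCSTRUCT *pProc ;

    // assert paged memory is accessible
    PAGED_CODE() ;

    pProc = MALLOC (sizeof *pProc) ;
    if( pProc == NULL )
    {
        TRACE_ERROR (TEXT("Failed to allocate strcuture PROCSTRUCT (%u bytes)\n"), sizeof(PROCSTRUCT)) ;
        return NULL ;
    }

    memset (pProc, 0, sizeof *pProc) ;

    pProc->nProcessAddress = nProcessAddress ;
    pProc->nProcessId = nProcessId ;

    if( wszFilePath != NULL )
        wcslcpy (pProc->wszPath, wszFilePath, MAX_PATH) ;
    else
        pProc->wszPath[0] = 0 ;

    // if the new file is the scanner, give it special flags
    if( g_data.szScannerExePath[0] != 0
        && wszFilePath != NULL
        && wcsicmp(g_data.szScannerExePath, wszFilePath) == 0 )
    {
        TRACE_INFO (TEXT("Anti-virus scanner has been launched (addr=0x%08X, pid=%u)\n"), nProcessAddress, nProcessId) ;
        pProc->nFlags |= PROCESS_IGNORE_ALL|PROCESS_NO_NOTIFICATION ;
    }

    return pProc ;
}

/******************************************************************/
/* Exported function */
/******************************************************************/

/* Frees a PROCSTRUCT obtained from ProcList_New (FREE tolerates NULL only if the
   project's allocator does — callers pass a valid pointer). */
VOID ProcList_Delete (PROCSTRUCT * pProc)
{
    FREE (pProc) ;
}

/******************************************************************/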