//SkMon_Dispatch.c
/////////////////////////////////////////////////////////////////////////////////////////
// This file contains the functions that execute the SkMon_Registry
// dispatch routines (IRP handling and IOCTL processing).
/////////////////////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
#include "SkDrv_Misc.h" //for Misc group functions.
#include "SkMon_reg.h" //for Local functions & variables set.
#include "SkMon_ioctl.h"
//local function declaration.
BOOLEAN SkMon_DeviceControl( IN PFILE_OBJECT FileObject, IN BOOLEAN bWait,
IN PVOID InputBuffer, IN ULONG InputBufferLength,
OUT PVOID OutputBuffer, IN ULONG OutputBufferLength,
IN ULONG IoControlCode, OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject);
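// Pool tag for the temporary kernel copies made for METHOD_NEITHER requests
// (tag value chosen for this file).
#define SKMON_DISPATCH_POOL_TAG 'pDkS'

//
// Handle an IRP_MJ_DEVICE_CONTROL request whose IOCTL uses METHOD_NEITHER.
//
// For that transfer method the I/O manager does no buffering:
// Parameters.DeviceIoControl.Type3InputBuffer and pIrp->UserBuffer are raw
// user-mode pointers. SkMon_DeviceControl dereferences its buffers directly
// (no exception frame around each access), so it is never handed those
// pointers. Instead the input is probed and copied into a kernel buffer, the
// handler runs on kernel memory only, and the result is probed and copied
// back to the caller. A fault while touching user memory is reported through
// pIrp->IoStatus instead of crashing the system.
//
// Sets pIrp->IoStatus; does not complete the IRP.
//
static VOID SkMon_DispatchNeitherIoctl( IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp, IN PIO_STACK_LOCATION irpStack)
{
    PVOID userInput = irpStack->Parameters.DeviceIoControl.Type3InputBuffer;
    PVOID userOutput = pIrp->UserBuffer;
    ULONG inputLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outputLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
    PVOID kernelInput = NULL;
    PVOID kernelOutput = NULL;
    // Kernel-mode requestors pass kernel addresses, which ProbeForRead/Write would reject.
    BOOLEAN probe = (BOOLEAN)(pIrp->RequestorMode != KernelMode);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;

    if( inputLength != 0){
        kernelInput = ExAllocatePoolWithTag( NonPagedPool, inputLength, SKMON_DISPATCH_POOL_TAG);
        if( kernelInput == NULL){
            pIrp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
            return;
        }
    }
    if( outputLength != 0){
        kernelOutput = ExAllocatePoolWithTag( NonPagedPool, outputLength, SKMON_DISPATCH_POOL_TAG);
        if( kernelOutput == NULL){
            pIrp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
            goto cleanup;
        }
        // Never let stale pool contents reach user mode.
        RtlZeroMemory( kernelOutput, outputLength);
    }

    // Copy-in. The probe and the copy share one __try because a probe only
    // proves the range is user space at that instant; the copy itself may fault.
    if( inputLength != 0){
        __try{
            if( probe){
                ProbeForRead( userInput, inputLength, sizeof(UCHAR));
            }
            RtlCopyMemory( kernelInput, userInput, inputLength);
        }
        __except( EXCEPTION_EXECUTE_HANDLER){
            pIrp->IoStatus.Status = GetExceptionCode();
        }
        if( !NT_SUCCESS( pIrp->IoStatus.Status)){
            goto cleanup;
        }
    }

    // The handler only ever sees kernel memory here.
    SkMon_DeviceControl( irpStack->FileObject, TRUE,
                         kernelInput, inputLength,
                         kernelOutput, outputLength,
                         ioControlCode, &pIrp->IoStatus, DeviceObject);

    // Copy-out only what the handler reports, never more than the caller's buffer.
    if( NT_SUCCESS( pIrp->IoStatus.Status) && pIrp->IoStatus.Information != 0 && outputLength != 0){
        ULONG_PTR cbOut = pIrp->IoStatus.Information;
        if( cbOut > outputLength){
            cbOut = outputLength;
            pIrp->IoStatus.Information = cbOut;
        }
        __try{
            if( probe){
                ProbeForWrite( userOutput, (SIZE_T)cbOut, sizeof(UCHAR));
            }
            RtlCopyMemory( userOutput, kernelOutput, cbOut);
        }
        __except( EXCEPTION_EXECUTE_HANDLER){
            pIrp->IoStatus.Status = GetExceptionCode();
            pIrp->IoStatus.Information = 0;
        }
    }

cleanup:
    // ExFreePoolWithTag must not be called with NULL, so the guards are required.
    if( kernelOutput != NULL){
        ExFreePoolWithTag( kernelOutput, SKMON_DISPATCH_POOL_TAG);
    }
    if( kernelInput != NULL){
        ExFreePoolWithTag( kernelInput, SKMON_DISPATCH_POOL_TAG);
    }
}

//
// Dispatch routine for the SkMon device: handles IRP_MJ_CREATE, IRP_MJ_CLOSE,
// IRP_MJ_SHUTDOWN and IRP_MJ_DEVICE_CONTROL, and completes every IRP it sees.
//
// DeviceObject - the device the request was sent to.
// pIrp         - the request; always completed here with IO_NO_INCREMENT.
//
// Returns the status stored in pIrp->IoStatus.Status, so the value returned
// to the I/O manager matches what the caller finds in the IRP (the previous
// version always returned STATUS_SUCCESS even when the IOCTL had failed).
//
NTSTATUS SkMon_Dispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp)
{
    NTSTATUS status;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation( pIrp);
    PVOID inputBuffer = pIrp->AssociatedIrp.SystemBuffer;
    PVOID outputBuffer = pIrp->AssociatedIrp.SystemBuffer;
    ULONG inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
    ULONG method;

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;

    switch( irpStack->MajorFunction){
    case IRP_MJ_CREATE:
        // Nothing to set up per handle; the logging state is global.
        break;
    case IRP_MJ_SHUTDOWN:
        // Queued log entries are not flushed on shutdown (unchanged behaviour).
        break;
    case IRP_MJ_CLOSE:
        // Closing the handle discards every queued log unit.
        Sk_LogUnit_FreeAll( &skLogLink);
        break;
    case IRP_MJ_DEVICE_CONTROL:
        // The transfer method is encoded in the low two bits of the control code.
        method = ioControlCode & 3;
        if( method == METHOD_NEITHER){
            // Raw user pointers: handled through kernel copies, see above.
            SkMon_DispatchNeitherIoctl( DeviceObject, pIrp, irpStack);
            break;
        }
        // METHOD_BUFFERED: SystemBuffer holds the input and receives the output.
        // METHOD_IN_DIRECT / METHOD_OUT_DIRECT: SystemBuffer holds the input and
        // the output buffer is described by the MDL, not by SystemBuffer.
        if( method != METHOD_BUFFERED){
            outputBuffer = NULL;
            if( pIrp->MdlAddress != NULL){
                outputBuffer = MmGetSystemAddressForMdlSafe( pIrp->MdlAddress, NormalPagePriority);
                if( outputBuffer == NULL){
                    pIrp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
                    break;
                }
            }
        }
        SkMon_DeviceControl( irpStack->FileObject, TRUE,
                             inputBuffer, inputBufferLength,
                             outputBuffer, outputBufferLength,
                             ioControlCode, &pIrp->IoStatus, DeviceObject);
        break;
    default:
        // Any other major function routed here completes successfully with no
        // data, as the original did.
        break;
    }

    // Read the status before completion: the IRP must not be touched afterwards.
    status = pIrp->IoStatus.Status;
    IoCompleteRequest( pIrp, IO_NO_INCREMENT);
    return status;
}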
//The next function is called by SkMon_Dispatch to handle IRP_MJ_DEVICE_CONTROL requests.
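//
// Buffer validation helpers for the IOCTL handler. The buffers (and their
// lengths) ultimately come from the user-mode caller, so every fixed-size
// read or write below must be bounded by the length the caller supplied.
//

// Return TRUE when Buffer is non-NULL and holds at least cbNeeded bytes.
static BOOLEAN SkMon_BufferHasSize( IN PVOID Buffer, IN ULONG Length, IN ULONG cbNeeded)
{
    return (BOOLEAN)(Buffer != NULL && Length >= cbNeeded);
}

// Read one ULONG from the input buffer into *pValue.
// Returns FALSE (and leaves *pValue untouched) when the buffer is too small.
// RtlCopyMemory is used rather than a cast so an unaligned buffer is tolerated.
static BOOLEAN SkMon_GetInputUlong( IN PVOID InputBuffer, IN ULONG InputBufferLength, OUT PULONG pValue)
{
    if( !SkMon_BufferHasSize( InputBuffer, InputBufferLength, sizeof(ULONG))){
        return FALSE;
    }
    RtlCopyMemory( pValue, InputBuffer, sizeof(ULONG));
    return TRUE;
}

// Return TRUE when the buffer contains a terminating NUL character within
// cbLength bytes, i.e. it is safe to hand it on as an LPCTSTR. The character
// width follows whatever LPCTSTR is in this build.
static BOOLEAN SkMon_IsTerminatedString( IN PVOID Buffer, IN ULONG cbLength)
{
    LPCTSTR psz = (LPCTSTR)Buffer;
    ULONG cch = cbLength / sizeof(*psz);
    ULONG i;

    if( psz == NULL){
        return FALSE;
    }
    for( i = 0; i < cch; i++){
        if( psz[i] == 0){
            return TRUE;
        }
    }
    return FALSE;
}

//
// Execute one SkMon IOCTL.
//
// InputBuffer/InputBufferLength   - request data (may be NULL / 0).
// OutputBuffer/OutputBufferLength - where results go (may be NULL / 0).
// IoControlCode                   - IOCTL_SKMON_* code selecting the operation.
// IoStatus                        - receives the result status and the number
//                                   of bytes written to OutputBuffer.
// FileObject, bWait, DeviceObject - currently unused.
//
// Every access to the buffers is bounded by the supplied lengths; a request
// whose buffers are too small fails with STATUS_INVALID_PARAMETER (input) or
// STATUS_BUFFER_TOO_SMALL (output) instead of reading or writing past them.
//
// Returns TRUE when IoStatus->Status is a success code, FALSE otherwise.
//
BOOLEAN SkMon_DeviceControl( IN PFILE_OBJECT FileObject, IN BOOLEAN bWait,
IN PVOID InputBuffer, IN ULONG InputBufferLength,
OUT PVOID OutputBuffer, IN ULONG OutputBufferLength,
IN ULONG IoControlCode, OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject)
{
    LogUnit *pGetUnit;
    ULONG cbCopy;
    ULONG dwData;

    UNREFERENCED_PARAMETER( FileObject);
    UNREFERENCED_PARAMETER( bWait);
    UNREFERENCED_PARAMETER( DeviceObject);

    IoStatus->Status = STATUS_SUCCESS;
    IoStatus->Information = 0;

    switch( IoControlCode){
    case IOCTL_SKMON_REG_HOOK:
        HookSkMonRegistry();
        break;

    case IOCTL_SKMON_REG_UNHOOK:
        UnHookSkMonRegistry();
        break;

    case IOCTL_SKMON_REG_COPY_LOG:
        // Require room for at least the terminating NUL before consuming a
        // log unit; with a zero-length buffer the old "length - 1" wrapped
        // around and the unit was lost anyway.
        if( !SkMon_BufferHasSize( OutputBuffer, OutputBufferLength, 1)){
            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        pGetUnit = Sk_LogUnit_PopUnitFromLink( &skLogLink, FALSE); //Pop Unit from link's tail.
        if( pGetUnit == NULL){
            // Nothing queued: success with zero bytes, as before.
            IoStatus->Information = 0;
            break;
        }
        // Copy as much of the string as fits, always leaving one byte for
        // the NUL. A unit that does not fit is truncated and still released
        // (unchanged behaviour); the returned length excludes the NUL.
        cbCopy = OutputBufferLength - 1;
        if( (ULONG)pGetUnit->iStrSize < cbCopy){
            cbCopy = (ULONG)pGetUnit->iStrSize;
        }
        RtlCopyMemory( OutputBuffer, pGetUnit->pszStr, cbCopy);
        ((char *)OutputBuffer)[cbCopy] = 0;
        //the Unit don't need any more. so free it.
        Sk_LogUnit_FreeLogUnit( &skLogLink, pGetUnit);
        IoStatus->Information = cbCopy;
        break;

    case IOCTL_SKMON_CLEAR_REG_ALL_BUFFER: //clear all buffer.
        Sk_LogUnit_FreeAll( &skLogLink);
        break;

    case IOCTL_SKMON_REG_ADD_FILTER_ID:
        if( !SkMon_GetInputUlong( InputBuffer, InputBufferLength, &dwData)){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        Sk_dwLink_Insert_Data( &Disable_ProcessIDTable, dwData);
        break;

    case IOCTL_SKMON_REG_DEL_FILTER_ID:
        if( !SkMon_GetInputUlong( InputBuffer, InputBufferLength, &dwData)){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        Sk_dwLink_Remove_Data( &Disable_ProcessIDTable, dwData);
        break;

    case IOCTL_SKMON_REG_ADD_FILTER_STR:
        if( !SkMon_IsTerminatedString( InputBuffer, InputBufferLength)){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        Sk_dwLink_Insert_Str( &Disable_ProcessNameTable, (LPCTSTR)InputBuffer);
        break;

    case IOCTL_SKMON_REG_DEL_FILTER_STR:
        if( !SkMon_IsTerminatedString( InputBuffer, InputBufferLength)){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        Sk_dwLink_Remove_Str( &Disable_ProcessNameTable, (LPCTSTR)InputBuffer, TRUE);
        break;

    case IOCTL_SKMON_REG_GET_LOG_NUMBER:
        if( !SkMon_BufferHasSize( OutputBuffer, OutputBufferLength, sizeof(ULONG))){
            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        RtlCopyMemory( OutputBuffer, &skLogLink.iLogUnitNum, sizeof(ULONG));
        IoStatus->Information = sizeof(ULONG);
        break;

    case IOCTL_SKMON_REG_GET_LOG_BUFFER:
        if( !SkMon_BufferHasSize( OutputBuffer, OutputBufferLength, sizeof(ULONG))){
            IoStatus->Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        dwData = Sk_dwLink_Get_Link_Buff_Size( &skLogLink);
        RtlCopyMemory( OutputBuffer, &dwData, sizeof(ULONG));
        IoStatus->Information = sizeof(ULONG);
        break;

    case IOCTL_SKMON_REG_SET_MAX_LOG_NUMBER:
        if( !SkMon_GetInputUlong( InputBuffer, InputBufferLength, &dwData)){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        skLogLink.iMaxLogUnitNum = dwData;
        break;

    case IOCTL_SKMON_REG_SET_LOG_PROCESS_ONLY:
        // A single byte selects the mode: positive means "listed processes only".
        if( !SkMon_BufferHasSize( InputBuffer, InputBufferLength, sizeof(char))){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        byLogProcessInListOnly = (*((char *)InputBuffer) > 0) ? 1 : 0;
        break;

    case IOCTL_SKMON_REG_ADD_LOG_PROCESS_ID:
        if( !SkMon_GetInputUlong( InputBuffer, InputBufferLength, &dwData)){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        Sk_dwLink_Insert_Data( &Log_ProcessIDTable, dwData);
        break;

    case IOCTL_SKMON_REG_DEL_LOG_PROCESS_ID:
        if( !SkMon_GetInputUlong( InputBuffer, InputBufferLength, &dwData)){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        Sk_dwLink_Remove_Data( &Log_ProcessIDTable, dwData);
        break;

    case IOCTL_SKMON_REG_ADD_LOG_PROCESS_STR:
        if( !SkMon_IsTerminatedString( InputBuffer, InputBufferLength)){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        Sk_dwLink_Insert_Str( &Log_ProcessNameTable, (LPCTSTR)InputBuffer);
        break;

    case IOCTL_SKMON_REG_DEL_LOG_PROCESS_STR:
        if( !SkMon_IsTerminatedString( InputBuffer, InputBufferLength)){
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }
        Sk_dwLink_Remove_Str( &Log_ProcessNameTable, (LPCTSTR)InputBuffer, TRUE);
        break;

    default:
        IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    return (BOOLEAN)NT_SUCCESS( IoStatus->Status);
}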