status = ZwAllocateVirtualMemory(*ProcessHandle, &Base, 0L, &Size, MEM_RESERVE, PAGE_NOACCESS);
if (! NT_SUCCESS(status))
LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("PostProcessNtCreateProcess: ZwAllocateVirtualMemory1(%x, %x) failed with status %x\n", Base, Size, status));
else
LOG(LOG_SS_PROCESS, LOG_PRIORITY_VERBOSE, ("PostProcessNtCreateProcess: size=%u base=%x status=%d\n", Size, Base, status));
/*
* allocate up to 10 megs of virtual address space after the code segment,
* this affects non-main thread stack as well as some heaps
*/
#define IMAGE_BASE (4 * ONE_MEGABYTE)
Size = IMAGE_BASE + (rand(ProcessId) % (10 * ONE_MEGABYTE));
Base = (PULONG_PTR) NULL;
status = ZwAllocateVirtualMemory(*ProcessHandle, &Base, 0L, &Size, MEM_RESERVE, PAGE_NOACCESS);
LOG(LOG_SS_PROCESS, LOG_PRIORITY_VERBOSE, ("PostProcessNtCreateProcess: size=%u base=%x status=%d\n", Size, Base, status));
if (! NT_SUCCESS(status))
LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("PostProcessNtCreateProcess: ZwAllocateVirtualMemory2(%x, %x) failed with status %x\n", Base, Size, status));
/*
* allocate the entire KnownDll space
*/
//#if 0
// Size = (4 * ONE_MEGABYTE) + (rand(ProcessId) % (100 * ONE_MEGABYTE));
// Base = (PULONG_PTR) 0x71bf0000;
// Size = 0x7000000;//(125 * ONE_MEGABYTE);
// Base = (PULONG_PTR) 0x70000000;
#if HOOK_BOPROT
if (strstr(ProcessPathUnresolved, "stack.exe") != NULL)
{
Size = PAGE_SIZE;
// Base = (PULONG_PTR) 0x77d00000; //user32
Base = (PULONG_PTR) 0x77e30000; //kernel32 on win2k3
// Base = (PULONG_PTR) 0x77e80000; //kernel32 on win2k
status = ZwAllocateVirtualMemory(*ProcessHandle, &Base, 0L, &Size, MEM_RESERVE, PAGE_NOACCESS);
LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("PostProcessNtCreateProcess: kernel32.dll size=%u base=%x status=%d\n", Size, Base, status));
if (! NT_SUCCESS(status))
LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("PostProcessNtCreateProcess: ZwAllocateVirtualMemory1(%x, %x) failed with status %x\n", Base, Size, status));
}
else
NewProcess->FirstThread = FALSE;//XXX remove
#endif
}
return ACTION_PERMIT;
}
/*
* HookedNtCreateProcess()
*
* Description:
* This function mediates the NtCreateProcess() system service in order to keep track of all
* the newly created processes.
*
* NOTE: ZwCreateProcess creates a process object. [NAR]
*
* Parameters:
* Those of NtCreateProcess().
*
* Returns:
* NTSTATUS returned by NtCreateProcess().
*/
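NTSTATUS
NTAPI
HookedNtCreateProcess
(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE InheritFromProcessHandle,
    IN BOOLEAN InheritHandles,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL
)
{
    PCHAR FunctionName = "HookedNtCreateProcess";
    HOOK_ROUTINE_ENTER();
    ASSERT(OriginalNtCreateProcess);
    /* Let the real service create the process object first (rc is provided by HOOK_ROUTINE_ENTER()). */
    rc = OriginalNtCreateProcess(ProcessHandle, DesiredAccess, ObjectAttributes, InheritFromProcessHandle,
                                 InheritHandles, SectionHandle, DebugPort, ExceptionPort);
    if (NT_SUCCESS(rc))
    {
        /*
         * Apply policy to the freshly created process. The verdict is an ACTION_*
         * code; STATUS_ACCESS_DENIED is also treated as a denial (the early exits
         * of PostProcessNtCreateProcess are not visible here, so keep both tests).
         */
        ULONG ret = PostProcessNtCreateProcess(ProcessHandle, SectionHandle);
        if (ret == ACTION_DENY || ret == STATUS_ACCESS_DENIED)
        {
            HANDLE NewProcessHandle = NULL;
            /*
             * ProcessHandle is the caller's OUT buffer. For a user-mode caller it is
             * pageable, caller-controlled memory, so read it under SEH like the other
             * user-pointer reads in this file rather than dereferencing it bare: a
             * concurrent thread unmapping that page would otherwise fault in kernel
             * mode. A caller that rewrites the stored value between the original
             * call and this read cannot be detected from the hook.
             */
            __try
            {
                NewProcessHandle = *ProcessHandle;
            }
            __except(EXCEPTION_EXECUTE_HANDLER)
            {
                NTSTATUS status = GetExceptionCode();
                LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("%s: caught an exception reading ProcessHandle. status = 0x%x\n", FunctionName, status));
                NewProcessHandle = NULL;
            }
            /* Revoke the handle the original call returned so the denied process cannot be used. */
            if (NewProcessHandle != NULL)
            {
                ZwClose(NewProcessHandle);
            }
            rc = STATUS_ACCESS_DENIED;
        }
    }
    HOOK_ROUTINE_EXIT(rc);
}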
/*
* HookedNtCreateProcessEx()
*
* Description:
* This function mediates the NtCreateProcessEx() system service in order to keep track of all
* the newly created processes.
*
* NOTE: ZwCreateProcessEx creates a process object. [NAR]
*
* Parameters:
* Those of NtCreateProcessEx().
*
* Returns:
* NTSTATUS returned by NtCreateProcessEx().
*/
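NTSTATUS
NTAPI
HookedNtCreateProcessEx
(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE InheritFromProcessHandle,
    IN ULONG Unknown1,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL,
    IN ULONG Unknown2
)
{
    PCHAR FunctionName = "HookedNtCreateProcessEx";
    HOOK_ROUTINE_ENTER();
    ASSERT(OriginalNtCreateProcessEx);
    /* Let the real service create the process object first (rc is provided by HOOK_ROUTINE_ENTER()). */
    rc = OriginalNtCreateProcessEx(ProcessHandle, DesiredAccess, ObjectAttributes, InheritFromProcessHandle,
                                   Unknown1, SectionHandle, DebugPort, ExceptionPort, Unknown2);
    if (NT_SUCCESS(rc))
    {
        /*
         * Apply policy to the freshly created process. The verdict is an ACTION_*
         * code; STATUS_ACCESS_DENIED is also treated as a denial (the early exits
         * of PostProcessNtCreateProcess are not visible here, so keep both tests).
         */
        ULONG ret = PostProcessNtCreateProcess(ProcessHandle, SectionHandle);
        if (ret == ACTION_DENY || ret == STATUS_ACCESS_DENIED)
        {
            HANDLE NewProcessHandle = NULL;
            /*
             * ProcessHandle is the caller's OUT buffer. For a user-mode caller it is
             * pageable, caller-controlled memory, so read it under SEH like the other
             * user-pointer reads in this file rather than dereferencing it bare: a
             * concurrent thread unmapping that page would otherwise fault in kernel
             * mode. A caller that rewrites the stored value between the original
             * call and this read cannot be detected from the hook.
             */
            __try
            {
                NewProcessHandle = *ProcessHandle;
            }
            __except(EXCEPTION_EXECUTE_HANDLER)
            {
                NTSTATUS status = GetExceptionCode();
                LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("%s: caught an exception reading ProcessHandle. status = 0x%x\n", FunctionName, status));
                NewProcessHandle = NULL;
            }
            /* Revoke the handle the original call returned so the denied process cannot be used. */
            if (NewProcessHandle != NULL)
            {
                ZwClose(NewProcessHandle);
            }
            rc = STATUS_ACCESS_DENIED;
        }
    }
    HOOK_ROUTINE_EXIT(rc);
}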
/*
* HookedNtOpenProcess()
*
* Description:
* This function mediates the NtOpenProcess() system service and disallows certain operations such as
* PROCESS_VM_WRITE and PROCESS_CREATE_THREAD.
*
* NOTE: ZwOpenProcess opens a process object. [NAR]
*
* Parameters:
* Those of NtOpenProcess().
*
* Returns:
* NTSTATUS returned by NtOpenProcess().
*/
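NTSTATUS
NTAPI
HookedNtOpenProcess
(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
)
{
    PCHAR FunctionName = "HookedNtOpenProcess";
    CHAR PROCESSNAME[MAX_PATH];
    /* PID the caller asked to open, copied out of the user-mode CLIENT_ID exactly once (see below). */
    ULONG RequestedProcessId = 0;
    //taskmgr uses PROCESS_TERMINATE to kill processes
    //XXX IPD disallows PROCESS_CREATE_THREAD|PROCESS_VM_WRITE
    /*
    PROCESS_TERMINATE Terminate process
    PROCESS_CREATE_THREAD Create threads in process
    PROCESS_SET_SESSIONID Set process session id
    PROCESS_VM_OPERATION Protect and lock memory of process
    PROCESS_VM_READ Read memory of process
    PROCESS_VM_WRITE Write memory of process
    PROCESS_DUP_HANDLE Duplicate handles of process
    PROCESS_CREATE_PROCESS Bequeath address space and handles to new process
    PROCESS_SET_QUOTA Set process quotas
    PROCESS_SET_INFORMATION Set information about process
    PROCESS_QUERY_INFORMATION Query information about process
    PROCESS_SET_PORT Set process exception or debug port
    PROCESS_ALL_ACCESS All of the preceding
    find out who uses which flags, i.e. VM_READ, etc.. filter out accordingly
    */
    HOOK_ROUTINE_ENTER();
    // if (! IS_BIT_SET(DesiredAccess, PROCESS_QUERY_INFORMATION) &&
    // ! IS_BIT_SET(DesiredAccess, PROCESS_DUP_HANDLE) &&
    // ! IS_BIT_SET(DesiredAccess, SYNCHRONIZE) )
    /* Only user-mode callers at PASSIVE_LEVEL that named a target are mediated; everything else passes straight through. */
    if (! ARGUMENT_PRESENT(ClientId) || KeGetPreviousMode() != UserMode || KeGetCurrentIrql() != PASSIVE_LEVEL)
        goto done;
    /*
     * ClientId is pageable, caller-controlled user memory. Probe it and capture
     * UniqueProcess inside the same guarded region, and read it only once: the
     * previous code fetched it separately for the self-check and again for the
     * policy lookup, so a concurrent user thread could pass the check with one
     * PID and have the policy applied to another, and a page unmapped after the
     * probe would fault in kernel mode. The copy also means ClientId is never
     * touched later, which the original author noted must not happen while a
     * spinlock is held (presumably inside FindImagePidEntry).
     */
    __try
    {
        ProbeForRead(ClientId, sizeof(*ClientId), sizeof(PULONG_PTR));
        RequestedProcessId = (ULONG) ClientId->UniqueProcess;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        NTSTATUS status = GetExceptionCode();
        LOG(LOG_SS_MISC, LOG_PRIORITY_DEBUG, ("%s: caught an exception. address=%x, status = 0x%x\n", FunctionName, ClientId, status));
        goto done;
    }
    /* Opening oneself, opens issued by the system process, and a zero PID are not policy-checked. */
    if ((ULONG) PsGetCurrentProcessId() != RequestedProcessId &&
        (ULONG) PsGetCurrentProcessId() != SystemProcessId &&
        RequestedProcessId != 0)
    {
        PIMAGE_PID_ENTRY p;
        //XXX
        /*
        if (RequestedProcessId == UserAgentServicePid)
        {
        LOG(LOG_SS_PROCESS, LOG_PRIORITY_VERBOSE, ("%s: FindImagePidEntry(%d) UserAgent %x\n", FunctionName, RequestedProcessId, DesiredAccess));
        if (IS_BIT_SET(DesiredAccess, PROCESS_TERMINATE))
        {
        HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
        }
        }
        */
        /* Look up the image name recorded for the target PID; unknown PIDs fall through to the original service. */
        p = FindImagePidEntry(RequestedProcessId, 0);
        if (p == NULL)
        {
            LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("%d %s: FindImagePidEntry(%d) failed\n", CURRENT_PROCESS_PID, FunctionName, RequestedProcessId));
            goto done;
        }
        /*
        if (DesiredAccess & PROCESS_CREATE_THREAD)
        {
        LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("%d %s(%d): %x (PROCESS_CREATE_THREAD). (%S)\n", CURRENT_PROCESS_PID, FunctionName, RequestedProcessId, DesiredAccess, p->ImageName));
        }
        else if (DesiredAccess & PROCESS_VM_WRITE)
        {
        LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("%d %s(%d): %x (PROCESS_VM_WRITE). (%S)\n", CURRENT_PROCESS_PID, FunctionName, RequestedProcessId, DesiredAccess, p->ImageName));
        }
        else
        {
        LOG(LOG_SS_PROCESS, LOG_PRIORITY_VERBOSE, ("%d %s(%d): %x. (%S)\n", CURRENT_PROCESS_PID, FunctionName, RequestedProcessId, DesiredAccess, p->ImageName));
        }
        */
        if (LearningMode == FALSE)
        {
            CHAR ProcessPathUnresolved[MAX_PATH];
            /* ImageName is a wide string (%S narrows it); _snprintf does not terminate on truncation, hence the explicit NUL. */
            _snprintf(ProcessPathUnresolved, MAX_PATH, "%S", p->ImageName);
            ProcessPathUnresolved[ MAX_PATH - 1 ] = 0;
            FixupFilename(ProcessPathUnresolved, PROCESSNAME, MAX_PATH);
            POLICY_CHECK_OPTYPE_NAME(PROCESS, OP_PROC_OPEN);
        }
        else
        {
            // learning mode: record the open as a rule instead of enforcing policy
            _snprintf(PROCESSNAME, MAX_PATH, "%S", p->ImageName);
            PROCESSNAME[ MAX_PATH - 1 ] = 0;
            AddRule(RULE_PROCESS, PROCESSNAME, OP_PROC_OPEN);
        }
    }
    /* Opens that name the process through ObjectAttributes instead of a PID are only logged here. */
    if (LearningMode == FALSE && GetPathFromOA(ObjectAttributes, PROCESSNAME, MAX_PATH, RESOLVE_LINKS))
    {
        LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("%d %s: %s SPECIAL CASE\n", (ULONG) PsGetCurrentProcessId(), FunctionName, PROCESSNAME));
    }
done:
    ASSERT(OriginalNtOpenProcess);
    rc = OriginalNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    HOOK_ROUTINE_EXIT(rc);
}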
/*
* HookedNtCreateThread()
*
* Description:
* This function mediates the NtCreateThread() system service in order to randomize thread stack
* and inject userland dll into newly created main threads.
*
* NOTE: ZwCreateThread creates a thread in a process. [NAR]
*
* Parameters:
* Those of NtCreateThread().
*
* Returns:
* NTSTATUS returned by NtCreateThread().
*/
NTSTATUS
NTAPI
HookedNtCreateThread
(
OUT PHANDLE ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE ProcessHandle,
OUT PCLIENT_ID ClientId,
IN PCONTEXT ThreadContext,
IN PUSER_STACK UserStack,
IN BOOLEAN CreateSuspended
)
{
PEPROCESS proc = NULL;
USHORT StackOffset = 0;
PCHAR FunctionName = "HookedNtCreateThread";
HOOK_ROUTINE_ENTER();
if (ARGUMENT_PRESENT(ThreadContext) && KeGetPreviousMode() == UserMode && LearningMode == FALSE && BootingUp == FALSE)
{
NTSTATUS status;
ULONG ProcessId;
PCHAR InstructionAddress;
ULONG Size;
PCHAR Base;
PROCESS_BASIC_INFORMATION ProcessBasicInfo;
ULONG ret;
PIMAGE_PID_ENTRY p;
VerifyUserReturnAddress();
/* verify userland parameter threadcontext */
__try
{
ProbeForRead(ThreadContext, sizeof(*ThreadContext), sizeof(ULONG));
ProbeForWrite(ThreadContext, sizeof(*ThreadContext), sizeof(ULONG));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
NTSTATUS status = GetExceptionCode();
LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("%s: caught an exception. status = 0x%x\n", FunctionName, status));
goto done;
}
if (ThreadContext->Eax > SystemAddressStart)
{
LOG(LOG_SS_PROCESS, LOG_PRIORITY_DEBUG, ("%s: eax=%x > %x (SystemAddressStart)\n", FunctionName, ThreadContext->Eax, SystemAddressStart));
goto done;
}
/* retrieve the Process ID */
status = ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &ProcessBasicInfo, sizeof(ProcessBasicInfo), &Size);