/*
* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
*
* Module Name:
*
* file.c
*
* Abstract:
*
* This module implements various file hooking routines.
*
* Author:
*
* Eugene Tsyrklevich 19-Feb-2004
*
* Revision History:
*
* None.
*/
#include <NTDDK.h>
#include "file.h"
#include "policy.h"
#include "pathproc.h"
#include "hookproc.h"
#include "accessmask.h"
#include "learn.h"
#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, InitFileHooks)
#endif
/*
 * Saved entry points of the unhooked system services. Each Hooked* routine in
 * this module forwards to the matching Original* pointer once its policy check
 * has passed. They start out NULL and are filled in by the hook installation
 * code (presumably InitFileHooks, named in the alloc_text pragma above -- confirm);
 * every hook ASSERTs its pointer is non-NULL before calling through.
 */
fpZwCreateFile OriginalNtCreateFile = NULL;
fpZwOpenFile OriginalNtOpenFile = NULL;
fpZwDeleteFile OriginalNtDeleteFile = NULL;
fpZwQueryAttributesFile OriginalNtQueryAttributesFile = NULL;
fpZwQueryFullAttributesFile OriginalNtQueryFullAttributesFile = NULL;
fpZwQueryDirectoryFile OriginalNtQueryDirectoryFile = NULL;
fpZwSetInformationFile OriginalNtSetInformationFile = NULL;
fpZwCreateMailslotFile OriginalNtCreateMailslotFile = NULL;
fpZwCreateNamedPipeFile OriginalNtCreateNamedPipeFile = NULL;
// XXX make sure that this still works with the POSIX subsystem ("Inside Windows 2000" describes how to start the POSIX subsystem)
// XXX make sure that file streams do not break anything: search a directory and observe the NtCreateFile output
/*
* HookedNtCreateFile()
*
* Description:
* This function mediates the NtCreateFile() system service and checks the
* provided file name against the global and current process security policies.
*
* NOTE: ZwCreateFile() creates or opens a file. [NAR]
*
* Parameters:
* Those of NtCreateFile().
*
* Returns:
* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
* Otherwise, NTSTATUS returned by NtCreateFile().
*/
NTSTATUS
NTAPI
HookedNtCreateFile
(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
)
{
    /* Routine name for the HOOK_ROUTINE_* / LOG macros (presumably read by them). */
    PCHAR FunctionName = "HookedNtCreateFile";
    /*
     * BufferLongName receives the resolved object name. BufferShortName is
     * currently unused: the long-to-short conversion below is commented out, so
     * both FILENAME and DIRECTORYNAME alias the long-name buffer. The
     * POLICY_CHECK_OPTYPE(FILE, ...) / (DIRECTORY, ...) macros presumably pick
     * FILENAME / DIRECTORYNAME by token pasting -- confirm in hookproc.h / policy.h.
     */
    CHAR BufferLongName[MAX_PATH], BufferShortName[MAX_PATH];
    PCHAR FILENAME = BufferLongName;      /* was BufferShortName */
    PCHAR DIRECTORYNAME = BufferLongName; /* was BufferShortName */
    BOOLEAN CreateDirectoryRequest = FALSE;
    /* Presumably declares rc and does per-call setup -- confirm in hookproc.h. */
    HOOK_ROUTINE_ENTER();
    /*
     * Directory creation is policed as OP_DIR_CREATE instead of by DesiredAccess.
     * NOTE(review): CreateDisposition is an enumerated value rather than a flag
     * set, so the `& FILE_CREATE` test also matches FILE_OPEN_IF (which may create
     * the directory) -- presumably intended, but confirm.
     */
    if ((CreateOptions & FILE_DIRECTORY_FILE) && (CreateDisposition & FILE_CREATE))
        CreateDirectoryRequest = TRUE;
    /* Policy is enforced only outside learning mode; learning mode observes only. */
    if (LearningMode == FALSE)
    {
        /*
         * Resolve the object name (following links) for the policy lookup.
         * NOTE(review): the return value is not checked; if resolution fails, the
         * policy check sees whatever GetPathFromOA left in the buffer -- confirm it
         * always NUL-terminates or fails closed.
         * NOTE(review): the name is read from ObjectAttributes here and read again
         * by the original service below; if it lives in user memory, a change made
         * between the two reads is not covered by this check.
         */
        GetPathFromOA(ObjectAttributes, BufferLongName, MAX_PATH, RESOLVE_LINKS);
        /* Short-name matching is disabled: ConvertLongFileNameToShort(BufferLongName, BufferShortName, MAX_PATH); */
        if (CreateDirectoryRequest == TRUE)
        {
            /* Presumably exits with STATUS_ACCESS_DENIED on a policy miss (see Returns above). */
            POLICY_CHECK_OPTYPE(DIRECTORY, OP_DIR_CREATE);
        }
        else
        {
            POLICY_CHECK_OPTYPE(FILE, Get_FILE_OperationType(DesiredAccess));
        }
    }
    /* XXX if the resolved name does not start with '\', allow it? (to permit names such as IDE#CdRomNECVMWar_VMware...) */
    /*
     * An open by file ID supplies no name for the policy check above to match, so
     * it is refused outright. This test sits outside the LearningMode branch and
     * therefore applies in learning mode as well.
     * XXX investigate: the original concern was that FILE_OPEN_BY_FILE_ID could be
     * used to get around the name check; the unconditional denial below is the
     * current answer to that.
     */
    if (CreateOptions & FILE_OPEN_BY_FILE_ID)
    {
        LOG(LOG_SS_FILE, LOG_PRIORITY_WARNING, ("%d HookedNtCreateFile: FILE_OPEN_BY_FILE_ID set\n", (ULONG) PsGetCurrentProcessId()));
        HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
    }
    /* The saved entry point must be installed (presumably by InitFileHooks) before this hook is reachable. */
    ASSERT(OriginalNtCreateFile);
    rc = OriginalNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                              AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
                              CreateOptions, EaBuffer, EaLength);
    /*
     * No explicit return: the FINISH macros presumably record the outcome
     * (learning / logging) and return rc -- confirm in hookproc.h.
     */
    if (CreateDirectoryRequest == TRUE)
    {
        HOOK_ROUTINE_FINISH_OPTYPE(DIRECTORY, OP_DIR_CREATE);
    }
    else
    {
        HOOK_ROUTINE_FINISH(FILE);
    }
}
/*
* HookedNtOpenFile()
*
* Description:
* This function mediates the NtOpenFile() system service and checks the
* provided file name against the global and current process security policies.
*
* NOTE: ZwOpenFile() opens a file. [NAR]
*
* Parameters:
* Those of NtOpenFile().
*
* Returns:
* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
* Otherwise, NTSTATUS returned by NtOpenFile().
*/
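NTSTATUS
NTAPI
HookedNtOpenFile
(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
)
{
    /* Routine name for the HOOK_ROUTINE_* / LOG macros (presumably read by them). */
    PCHAR FunctionName = "HookedNtOpenFile";
    /*
     * BufferLongName receives the resolved object name. BufferShortName is
     * currently unused: the long-to-short conversion below is commented out, so
     * FILENAME aliases the long-name buffer. POLICY_CHECK_OPTYPE(FILE, ...)
     * presumably picks FILENAME by token pasting -- confirm in hookproc.h / policy.h.
     */
    CHAR BufferLongName[MAX_PATH], BufferShortName[MAX_PATH];
    PCHAR FILENAME = BufferLongName; /* was BufferShortName */
    /* Presumably declares rc and does per-call setup -- confirm in hookproc.h. */
    HOOK_ROUTINE_ENTER();
    /* Policy is enforced only outside learning mode; learning mode observes only. */
    if (LearningMode == FALSE)
    {
        /*
         * Resolve the object name (following links) for the policy lookup.
         * NOTE(review): the return value is not checked; if resolution fails, the
         * policy check sees whatever GetPathFromOA left in the buffer -- confirm it
         * always NUL-terminates or fails closed.
         */
        GetPathFromOA(ObjectAttributes, BufferLongName, MAX_PATH, RESOLVE_LINKS);
        /* Short-name matching is disabled: ConvertLongFileNameToShort(BufferLongName, BufferShortName, MAX_PATH); */
        /* Presumably exits with STATUS_ACCESS_DENIED on a policy miss (see Returns above). */
        POLICY_CHECK_OPTYPE(FILE, Get_FILE_OperationType(DesiredAccess));
    }
    /*
     * OpenOptions carries the same option flags as NtCreateFile's CreateOptions.
     * An open by file ID supplies no name for the policy check above to match, so
     * refuse it here exactly as HookedNtCreateFile does -- unconditionally, i.e.
     * in learning mode too. Previously this hook had no such test and let
     * FILE_OPEN_BY_FILE_ID opens through to the original service.
     */
    if (OpenOptions & FILE_OPEN_BY_FILE_ID)
    {
        LOG(LOG_SS_FILE, LOG_PRIORITY_WARNING, ("%d HookedNtOpenFile: FILE_OPEN_BY_FILE_ID set\n", (ULONG) PsGetCurrentProcessId()));
        HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
    }
    /* The saved entry point must be installed (presumably by InitFileHooks) before this hook is reachable. */
    ASSERT(OriginalNtOpenFile);
    rc = OriginalNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                            ShareAccess, OpenOptions);
    /*
     * No explicit return: the FINISH macro presumably records the outcome
     * (learning / logging) and returns rc -- confirm in hookproc.h.
     */
    HOOK_ROUTINE_FINISH(FILE);
}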
/*
* HookedNtDeleteFile()
*
* Description:
* This function mediates the NtDeleteFile() system service and checks the
* provided file name against the global and current process security policies.
*
* NOTE: ZwDeleteFile deletes a file. [NAR]
*
* Parameters:
* Those of NtDeleteFile().
*
* Returns:
* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
* Otherwise, NTSTATUS returned by NtDeleteFile().
*/
NTSTATUS
NTAPI
HookedNtDeleteFile
(
    IN POBJECT_ATTRIBUTES ObjectAttributes
)
{
    /* Routine name for the HOOK_ROUTINE_* macros (presumably read by them). */
    PCHAR FunctionName = "HookedNtDeleteFile";
    /*
     * Unlike HookedNtCreateFile, name resolution and the policy check are folded
     * into the START macro: it presumably declares rc and the name buffer,
     * resolves ObjectAttributes, checks it against the FILE policy as OP_DELETE
     * and exits with STATUS_ACCESS_DENIED on a miss (see Returns above) --
     * confirm in hookproc.h.
     */
    HOOK_ROUTINE_START_OPTYPE(FILE, OP_DELETE);
    /* The saved entry point must be installed (presumably by InitFileHooks) before this hook is reachable. */
    ASSERT(OriginalNtDeleteFile);
    rc = OriginalNtDeleteFile(ObjectAttributes);
    /* No explicit return: the FINISH macro presumably records the outcome and returns rc. */
    HOOK_ROUTINE_FINISH_OPTYPE(FILE, OP_DELETE);
}
/*
* HookedNtQueryAttributesFile()
*
* Description:
* This function mediates the NtQueryAttributesFile() system service and checks the
* provided file name against the global and current process security policies.
*
* NOTE: ZwQueryAttributesFile retrieves basic information about a file object. [NAR]
*
* Parameters:
* Those of NtQueryAttributesFile().
*
* Returns:
* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
* Otherwise, NTSTATUS returned by NtQueryAttributesFile().
*/
NTSTATUS
NTAPI
HookedNtQueryAttributesFile
(
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PFILE_BASIC_INFORMATION FileInformation
)
{
    /* Routine name for the HOOK_ROUTINE_* macros (presumably read by them). */
    PCHAR FunctionName = "HookedNtQueryAttributesFile";
    /*
     * An attribute query is policed as a read (OP_READ) of the named file. The
     * START macro presumably declares rc and the name buffer, resolves
     * ObjectAttributes, checks it against the FILE policy and exits with
     * STATUS_ACCESS_DENIED on a miss (see Returns above) -- confirm in hookproc.h.
     */
    HOOK_ROUTINE_START_OPTYPE(FILE, OP_READ);
    /* The saved entry point must be installed (presumably by InitFileHooks) before this hook is reachable. */
    ASSERT(OriginalNtQueryAttributesFile);
    rc = OriginalNtQueryAttributesFile(ObjectAttributes, FileInformation);
    /* No explicit return: the FINISH macro presumably records the outcome and returns rc. */
    HOOK_ROUTINE_FINISH_OPTYPE(FILE, OP_READ);
}
/*
* HookedNtQueryFullAttributesFile()
*
* Description:
* This function mediates the NtQueryFullAttributesFile() system service and checks the
* provided file name against the global and current process security policies.
*
* NOTE: ZwQueryFullAttributesFile retrieves extended information about a file object. [NAR]
*
* Parameters:
* Those of NtQueryFullAttributesFile().
*
* Returns:
* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
* Otherwise, NTSTATUS returned by NtQueryFullAttributesFile().
*/
NTSTATUS
NTAPI
HookedNtQueryFullAttributesFile
(
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation
)
{
PCHAR FunctionName = "HookedNtQueryFullAttributesFile";
HOOK_ROUTINE_START_OPTYPE(FILE, OP_READ);
ASSERT(OriginalNtQueryFullAttributesFile);