rc = OriginalNtQueryFullAttributesFile(ObjectAttributes, FileInformation);
HOOK_ROUTINE_FINISH_OPTYPE(FILE, OP_READ);
}
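/*
 * HookedNtQueryDirectoryFile()
 *
 * Description:
 * This function mediates the NtQueryDirectoryFile() system service. It validates
 * and logs the optional FileName argument and then forwards the call, with its
 * arguments unchanged, to the original service.
 *
 * NOTE: The policy check for this hook (POLICY_CHECK_OPTYPE) is currently disabled
 * (see the XXX below), so this routine logs but does not enforce the security
 * policy; the only call it rejects is one whose FileName fails validation.
 *
 * NOTE: InitFileHooks() in this file does not initialize OriginalNtQueryDirectoryFile
 * (that block is commented out there), and ASSERT() is compiled out of free builds,
 * so this hook must not be installed while that is the case.
 *
 * NOTE: ZwQueryDirectoryFile retrieves information about the contents of a directory. [NAR]
 *
 * Parameters:
 * Those of NtQueryDirectoryFile().
 *
 * Returns:
 * STATUS_ACCESS_DENIED if FileName is present but fails VerifyUnicodeString().
 * Otherwise, NTSTATUS returned by NtQueryDirectoryFile().
 */
NTSTATUS
NTAPI
HookedNtQueryDirectoryFile
(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan
)
{
    PCHAR FunctionName = "HookedNtQueryDirectoryFile";
    UNICODE_STRING usInputFileName;
    CHAR FILENAME[MAX_PATH];

    /* Common hook prologue. rc is not declared in this routine; presumably the
     * macro provides it. */
    HOOK_ROUTINE_ENTER();

    if (ARGUMENT_PRESENT(FileName))
    {
        /* FileName is caller-supplied; validate it before touching its buffer. */
        if (!VerifyUnicodeString(FileName, &usInputFileName))
        {
            LOG(LOG_SS_FILE, LOG_PRIORITY_DEBUG, ("HookedNtQueryDirectoryFile: VerifyUnicodeString failed\n"));
            HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
        }

        /* Narrow the name to ANSI for logging. _snprintf does not NUL-terminate
         * on truncation, hence the explicit terminator.
         * NOTE(review): assumes usInputFileName.Buffer is NUL-terminated after
         * VerifyUnicodeString() -- confirm, a UNICODE_STRING buffer need not be. */
        _snprintf(FILENAME, MAX_PATH, "%S", usInputFileName.Buffer);
        FILENAME[MAX_PATH - 1] = 0;
        LOG(LOG_SS_FILE, LOG_PRIORITY_DEBUG, ("HookedNtQueryDirectoryFile: %s\n", FILENAME));
    }

    if (LearningMode == FALSE)
    {
        /* Policy enforcement for directory listing is disabled; this hook is
         * observe-only until the check below is re-enabled. */
        //XXX
        // POLICY_CHECK_OPTYPE(FILE, OP_READ);
    }

    ASSERT(OriginalNtQueryDirectoryFile);
    rc = OriginalNtQueryDirectoryFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
                                      FileInformation, FileInformationLength, FileInformationClass,
                                      ReturnSingleEntry, FileName, RestartScan);

    // HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(FILE, FILENAME, OP_READ);
    HOOK_ROUTINE_EXIT(rc);
}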
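/*
 * HookedNtSetInformationFile()
 *
 * Description:
 * This function mediates the NtSetInformationFile() system service. It resolves
 * the file handle to a name and checks that name against the global and current
 * process security policies, classifying the call as OP_DELETE for
 * FileDispositionInformation and as OP_READ for every other information class.
 *
 * NOTE: The policy check only runs when GetNameFromHandle() succeeds; a handle
 * that cannot be resolved to a name is forwarded to the original service
 * without a check.
 *
 * NOTE: ZwSetInformationFile sets information affecting a file object. [NAR]
 *
 * Parameters:
 * Those of NtSetInformationFile().
 *
 * Returns:
 * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
 * Otherwise, NTSTATUS returned by NtSetInformationFile().
 */
NTSTATUS
NTAPI
HookedNtSetInformationFile
(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN FILE_INFORMATION_CLASS FileInformationClass
)
{
    PCHAR FunctionName = "HookedNtSetInformationFile";
    CHAR FILENAME[MAX_PATH];
    WCHAR FILENAMEW[MAX_PATH];
    PWSTR FileName = NULL;
    UCHAR Operation = OP_READ;

    /* Common hook prologue. rc is not declared in this routine; presumably the
     * macro provides it. */
    HOOK_ROUTINE_ENTER();

    /* FileDispositionInformation is used to delete files. Every other class,
     * including namespace-changing ones such as FileRenameInformation and
     * FileLinkInformation, is checked as OP_READ.
     * NOTE(review): confirm that classification matches the intended policy. */
    if (FileInformationClass == FileDispositionInformation)
    {
        Operation = OP_DELETE;
    }

    /* NOTE(review): sizeof(FILENAMEW) is a byte count; confirm GetNameFromHandle()
     * expects bytes rather than characters. */
    if ((FileName = GetNameFromHandle(FileHandle, FILENAMEW, sizeof(FILENAMEW))) != NULL)
    {
        /* Narrow the name for logging and the policy lookup. Bounded and
         * explicitly NUL-terminated, matching HookedNtQueryDirectoryFile():
         * the previous unbounded sprintf() could overrun FILENAME if the %S
         * conversion produced more than MAX_PATH - 1 bytes. */
        _snprintf(FILENAME, MAX_PATH, "%S", FileName);
        FILENAME[MAX_PATH - 1] = 0;
        LOG(LOG_SS_FILE, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, FILENAME));

        if (LearningMode == FALSE)
        {
            /* Presumably consults FILENAME and may exit the routine with
             * STATUS_ACCESS_DENIED (macro; body not visible here). */
            POLICY_CHECK_OPTYPE_NAME(FILE, Operation);
        }
    }

    ASSERT(OriginalNtSetInformationFile);
    rc = OriginalNtSetInformationFile(FileHandle, IoStatusBlock, FileInformation, FileInformationLength, FileInformationClass);

    /* FileName is NULL when the handle could not be resolved; the macro is
     * assumed to tolerate that -- confirm. */
    HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(FILE, FileName, Operation);
}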
/*
 * HookedNtCreateNamedPipeFile()
 *
 * Description:
 * This function mediates the NtCreateNamedPipeFile() system service and checks the
 * provided named pipe name against the global and current process security policies.
 * The name extraction and policy check are presumably performed inside
 * HOOK_ROUTINE_START(NAMEDPIPE) / HOOK_ROUTINE_FINISH(NAMEDPIPE); the routine body
 * itself only forwards the unmodified arguments to the original service.
 *
 * NOTE: rc is not declared here; presumably HOOK_ROUTINE_START provides it.
 * NOTE: OriginalNtCreateNamedPipeFile is set by InitFileHooks(); the ASSERT below
 * is the only guard against it still being NULL.
 *
 * NOTE: ZwCreateNamedPipeFile creates a named pipe. [NAR]
 *
 * Parameters:
 * Those of NtCreateNamedPipeFile().
 *
 * Returns:
 * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
 * Otherwise, NTSTATUS returned by NtCreateNamedPipeFile().
 */
NTSTATUS
NTAPI
HookedNtCreateNamedPipeFile
(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN ULONG TypeMessage,
IN ULONG ReadmodeMessage,
IN ULONG Nonblocking,
IN ULONG MaxInstances,
IN ULONG InBufferSize,
IN ULONG OutBufferSize,
IN PLARGE_INTEGER DefaultTimeout OPTIONAL
)
{
PCHAR FunctionName = "HookedNtCreateNamedPipeFile";
/* Prologue for a NAMEDPIPE object; may return early on a policy denial. */
HOOK_ROUTINE_START(NAMEDPIPE);
ASSERT(OriginalNtCreateNamedPipeFile);
rc = OriginalNtCreateNamedPipeFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
ShareAccess, CreateDisposition, CreateOptions, TypeMessage,
ReadmodeMessage, Nonblocking, MaxInstances, InBufferSize,
OutBufferSize, DefaultTimeout);
/* Epilogue; presumably returns rc. */
HOOK_ROUTINE_FINISH(NAMEDPIPE);
}
/*
 * HookedNtCreateMailslotFile()
 *
 * Description:
 * This function mediates the NtCreateMailslotFile() system service and checks the
 * provided mailslot name against the global and current process security policies.
 * The name extraction and policy check are presumably performed inside
 * HOOK_ROUTINE_START(MAILSLOT) / HOOK_ROUTINE_FINISH(MAILSLOT); the routine body
 * itself only forwards the unmodified arguments to the original service.
 *
 * NOTE: rc is not declared here; presumably HOOK_ROUTINE_START provides it.
 * NOTE: OriginalNtCreateMailslotFile is set by InitFileHooks(); the ASSERT below
 * is the only guard against it still being NULL.
 *
 * NOTE: ZwCreateMailslotFile creates a mailslot. [NAR]
 *
 * Parameters:
 * Those of NtCreateMailslotFile().
 *
 * Returns:
 * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
 * Otherwise, NTSTATUS returned by NtCreateMailslotFile().
 */
NTSTATUS
NTAPI
HookedNtCreateMailslotFile
(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG CreateOptions,
IN ULONG InBufferSize,
IN ULONG MaxMessageSize,
IN PLARGE_INTEGER ReadTimeout OPTIONAL
)
{
PCHAR FunctionName = "HookedNtCreateMailslotFile";
/* Prologue for a MAILSLOT object; may return early on a policy denial. */
HOOK_ROUTINE_START(MAILSLOT);
ASSERT(OriginalNtCreateMailslotFile);
rc = OriginalNtCreateMailslotFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
CreateOptions, InBufferSize, MaxMessageSize, ReadTimeout);
/* Epilogue; presumably returns rc. */
HOOK_ROUTINE_FINISH(MAILSLOT);
}
/*
 * InitFileHooks()
 *
 * Description:
 * Initializes all the mediated file operation pointers from the ZwCalls table.
 * The "OriginalFunction" entries are filled in by InstallSyscallsHooks(), which
 * must be called prior to this function; an empty entry aborts initialization.
 *
 * NOTE: Called once during driver initialization (DriverEntry()).
 * NOTE: OriginalNtQueryDirectoryFile is deliberately NOT initialized here (see
 * the disabled entry below), so HookedNtQueryDirectoryFile() must not be installed.
 *
 * Parameters:
 * None.
 *
 * Returns:
 * TRUE to indicate success, FALSE if failed.
 */
BOOLEAN
InitFileHooks()
{
    /*
     * Load one saved original service pointer. Returns FALSE from the enclosing
     * function when the table slot is empty. The log text is assembled from the
     * variable name so it is identical to the per-pointer messages.
     */
#define INIT_FILE_HOOK_ORIGINAL(Var, Type, Index)                                        \
    do {                                                                                 \
        Var = (Type) ZwCalls[(Index)].OriginalFunction;                                  \
        if (Var == NULL)                                                                 \
        {                                                                                \
            LOG(LOG_SS_FILE, LOG_PRIORITY_DEBUG, ("InitFileHooks: " #Var " is NULL\n")); \
            return FALSE;                                                                \
        }                                                                                \
    } while (0)

    INIT_FILE_HOOK_ORIGINAL(OriginalNtCreateFile,             fpZwCreateFile,             ZW_CREATE_FILE_INDEX);
    INIT_FILE_HOOK_ORIGINAL(OriginalNtOpenFile,               fpZwOpenFile,               ZW_OPEN_FILE_INDEX);
    INIT_FILE_HOOK_ORIGINAL(OriginalNtDeleteFile,             fpZwDeleteFile,             ZW_DELETE_FILE_INDEX);
    INIT_FILE_HOOK_ORIGINAL(OriginalNtQueryAttributesFile,    fpZwQueryAttributesFile,    ZW_QUERY_ATTRIBUTES_FILE_INDEX);
    INIT_FILE_HOOK_ORIGINAL(OriginalNtQueryFullAttributesFile, fpZwQueryFullAttributesFile, ZW_QUERY_FULLATTR_FILE_INDEX);

    /*
     * Disabled: the directory-listing hook is not wired up.
     * INIT_FILE_HOOK_ORIGINAL(OriginalNtQueryDirectoryFile, fpZwQueryDirectoryFile, ZW_QUERY_DIRECTORYFILE_INDEX);
     */

    INIT_FILE_HOOK_ORIGINAL(OriginalNtSetInformationFile,     fpZwSetInformationFile,     ZW_SET_INFO_FILE_INDEX);
    INIT_FILE_HOOK_ORIGINAL(OriginalNtCreateNamedPipeFile,    fpZwCreateNamedPipeFile,    ZW_CREATE_NAMEDPIPEFILE_INDEX);
    INIT_FILE_HOOK_ORIGINAL(OriginalNtCreateMailslotFile,     fpZwCreateMailslotFile,     ZW_CREATE_MAILSLOTFILE_INDEX);

#undef INIT_FILE_HOOK_ORIGINAL

    return TRUE;
}