UCHAR
ParseObjectOperation(IN PCHAR Operation)
{
    /*
     * Map the operation keyword of a generic object rule (e.g. "read" in
     * "file_read") to its OP_* bit(s). Matching is case-insensitive; an exact
     * _stricmp match already implies equal length, so no strlen test is needed.
     * "rw" is the union OP_READ | OP_WRITE. Unknown keywords yield OP_INVALID.
     */
    if (_stricmp(Operation, "read") == 0)
        return OP_READ;
    if (_stricmp(Operation, "write") == 0)
        return OP_WRITE;
    if (_stricmp(Operation, "rw") == 0)
        return (OP_READ | OP_WRITE);
    if (_stricmp(Operation, "all") == 0)
        return OP_ALL;
    /* XXX "append" is meaningful for files only and is deliberately not accepted here */
    if (_stricmp(Operation, "execute") == 0)
        return OP_EXECUTE;
    if (_stricmp(Operation, "delete") == 0)
        return OP_DELETE;
    return OP_INVALID;
}
/*
* ParseProcessOperation()
*
* Description:
Parses the operation keyword of a process rule (e.g. "execute" in "process_execute").
*
* Parameters:
* Operation - specified operation.
*
* Returns:
* OP_INVALID if a specified operation is invalid or an OP_* value corresponding to the parsed operation.
*/
UCHAR
ParseProcessOperation(IN PCHAR Operation)
{
    /*
     * Keyword -> OP_* table for process rules. Lookup is case-insensitive;
     * anything not in the table is OP_INVALID.
     */
    const struct
    {
        const char *Keyword;
        UCHAR Value;
    } table[] = {
        { "all", OP_ALL },
        { "execute", OP_PROC_EXECUTE },
        { "open", OP_PROC_OPEN },
    };
    size_t i;

    for (i = 0; i < sizeof(table) / sizeof(table[0]); i++)
    {
        if (_stricmp(Operation, table[i].Keyword) == 0)
            return table[i].Value;
    }
    return OP_INVALID;
}
/*
* ParseServiceOperation()
*
* Description:
Parses the operation keyword of a service object rule (e.g. "start" in "service_start").
*
* Parameters:
* Operation - specified operation.
*
* Returns:
* OP_INVALID if a specified operation is invalid or an OP_* value corresponding to the parsed operation.
*/
UCHAR
ParseServiceOperation(IN PCHAR Operation)
{
    /*
     * Service rules are enforced through the registry rules, which cannot tell
     * start/stop/create/delete apart. Every recognised keyword is therefore
     * mapped to OP_ALL for now (the OP_SERVICE_* values are not used). Note the
     * consequence for policy authors: a rule written as e.g. "service_stop"
     * grants ALL service operations, not just stop. Unknown keywords are
     * OP_INVALID.
     */
    const char *known[] = { "all", "start", "stop", "create", "delete" };
    size_t i;

    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++)
    {
        if (_stricmp(Operation, known[i]) == 0)
            return OP_ALL;
    }
    return OP_INVALID;
}
/*
* ParseNetworkOperation()
*
* Description:
Parses the operation keyword of a network object rule (e.g. "bind" in "network_bind").
*
* Parameters:
* Operation - specified operation.
*
* Returns:
* OP_INVALID if a specified operation is invalid or an OP_* value corresponding to the parsed operation.
*/
UCHAR
ParseNetworkOperation(IN PCHAR Operation)
{
    /*
     * Keyword -> OP_* table for network rules. "connect", "tcpconnect" and
     * "udpconnect" are distinct values. Lookup is case-insensitive; anything
     * not listed is OP_INVALID.
     */
    const struct
    {
        const char *Keyword;
        UCHAR Value;
    } table[] = {
        { "all", OP_ALL },
        { "tcpconnect", OP_TCPCONNECT },
        { "udpconnect", OP_UDPCONNECT },
        { "connect", OP_CONNECT },
        { "bind", OP_BIND },
    };
    size_t i;

    for (i = 0; i < sizeof(table) / sizeof(table[0]); i++)
    {
        if (_stricmp(Operation, table[i].Keyword) == 0)
            return table[i].Value;
    }
    return OP_INVALID;
}
/*****************************************************************************/
/*
* ParseNetworkObject()
*
* Description:
Parses a network address specification (e.g. "127.0.0.1:443" for bind rules, or a bare "ipaddr" for connect rules).
*
* Parameters:
* name - string value to parse.
* Object - pointer to an Object where the final result will be saved
* wildcard - pointer to a BOOLEAN that will indicate whether the specified value contained any regular expressions.
*
Returns:
Length of the string stored in *Object: the text after the colon when one is present, otherwise the whole name. Nothing is allocated and no address or port validation is performed here; INVALID_OBJECT_SIZE is never returned by the current implementation.
*/
size_t
ParseNetworkObject(IN PCHAR name, OUT PCHAR *Object, OUT BOOLEAN *wildcard)
{
    /*
     * XXX for now the connect format is "ipaddr" while the bind format is
     * "ipaddr:port". With a colon present only the text AFTER it (the port) is
     * handed back as the object; the address in front of the colon is not
     * passed on from here, so a bind rule on "127.0.0.1:443" is keyed on "443"
     * alone as far as this parser is concerned. Neither part is validated
     * (the former atoi/inet_addr checks returning INVALID_OBJECT_SIZE are
     * disabled). *wildcard is left untouched.
     */
    PCHAR sep = strchr(name, ':');

    *Object = (sep != NULL) ? sep + 1 : name;
    return strlen(*Object);
}
/*
* ParseStub()
*
* Description:
Parse stub for strings that do not require any further parsing.
*
* Parameters:
* name - string value to parse.
ObjectName - pointer to a PCHAR where the final result will be saved.
* wildcard - pointer to a BOOLEAN that will indicate whether the specified value contained any regular expressions.
*
* Returns:
* Length of the specified string value.
*/
size_t
ParseStub(IN PCHAR name, OUT PCHAR *ObjectName, OUT BOOLEAN *wildcard)
{
    /* pass the string through unchanged; *wildcard is not written */
    size_t len = strlen(name);

    *ObjectName = name;
    return len;
}
/*
* ParseRegistryObject()
*
* Description:
* Convert user land registry object names into their kernel land equivalents.
*
* Parameters:
* name - string value to parse.
* Object - pointer to an Object where the final result will be saved.
* wildcard - pointer to a BOOLEAN that will indicate whether the specified value contained any regular expressions.
*
* Returns:
* Length of the specified string value.
*/
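size_t
ParseRegistryObject(IN PCHAR name, OUT PCHAR *ObjectName, OUT BOOLEAN *wildcard)
{
    /*
     * Rewrite the user-land hive prefixes HKEY_LOCAL_MACHINE\ and HKEY_USERS\
     * to their kernel names \REGISTRY\MACHINE\ and \REGISTRY\USER\. Any other
     * name is passed through as is. *wildcard is not written.
     *
     * Returns the length of *ObjectName, or INVALID_OBJECT_SIZE when an
     * HKEY_USERS path does not fit the scratch buffer (callers are expected
     * to treat INVALID_OBJECT_SIZE as they do for the other Parse*Object
     * functions -- confirm against the rule loader).
     */
    static const CHAR UserPrefix[] = "\\REGISTRY\\USER\\";
    static CHAR buffer[MAX_PATH] = { 0 }; /* XXX shared scratch buffer, not SMP safe (as in ParseFileObject) */
    PCHAR key;
    size_t restlen;

    if (_strnicmp(name, "HKEY_LOCAL_MACHINE\\", 19) == 0)
    {
        /*
         * "HKEY_LOCAL_MACHINE\" (19 chars) is replaced in place by
         * "\REGISTRY\MACHINE\" (18 chars) starting one byte in, so the
         * subkey text that follows the prefix is untouched. The match above
         * guarantees those 18 bytes exist.
         */
        memcpy(name + 1, "\\REGISTRY\\MACHINE\\", 18);
        key = name + 1;
    }
    else if (_strnicmp(name, "HKEY_USERS\\", 11) == 0)
    {
        restlen = strlen(name + 11);
        /*
         * Prefix (15 chars) + subkey + NUL must fit in buffer. The previous
         * strncat(buffer, name + 11, MAX_PATH - 12) allowed up to 4 bytes past
         * the end of buffer. Silently truncating instead would attach the rule
         * to a different (shorter) key than the one written, so an over-long
         * name is rejected outright.
         */
        if (restlen > sizeof(buffer) - sizeof(UserPrefix))
            return INVALID_OBJECT_SIZE;
        memcpy(buffer, UserPrefix, sizeof(UserPrefix) - 1);
        memcpy(buffer + sizeof(UserPrefix) - 1, name + 11, restlen + 1);
        key = buffer;
    }
    else
    {
        key = name;
    }

    *ObjectName = key;
    return strlen(key);
}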
/*
* ParseFileObject()
*
* Description:
* Convert user land file object names into their kernel land equivalents.
*
* Parameters:
* name - string value to parse.
* Object - pointer to an Object where the final result will be saved.
* wildcard - pointer to a BOOLEAN that will indicate whether the specified value contained any regular expressions.
*
* Returns:
* Length of the specified string value.
*/
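size_t
ParseFileObject(IN PCHAR name, OUT PCHAR *Object, OUT BOOLEAN *wildcard)
{
    /*
     * Convert a user-land file name into its kernel-land form:
     *   "%systemdrive%:..."  -> "<SystemDrive>:..." (then handled as a drive letter)
     *   "?:\..." / "*:\..."  -> "\Device\*\..."      (sets *wildcard)
     *   "<letter>:..."       -> "\??\<letter>:..." resolved via ResolveFilename()
     *   "%systemroot%\..."   -> "<SystemRoot>\..."
     *   "\pipe\..."          -> "\device\namedpipe\..."
     * Anything else is passed through unchanged.
     *
     * Returns the length of *Object, or INVALID_OBJECT_SIZE when the drive
     * letter cannot be resolved or the converted name would not fit the
     * scratch buffer. Callers are expected to treat INVALID_OBJECT_SIZE as
     * they already do for ParseProcessObject -- confirm against the rule loader.
     *
     * The first three forms write into the bytes BEFORE name; this relies on
     * the caller passing a pointer with at least 7 bytes of writable headroom
     * in front of it (the original note says name is FullName+7).
     */
    static const CHAR PipePrefix[] = "\\device\\namedpipe";
    static CHAR buffer[MAX_PATH] = { 0 }; //XXX not SMP safe: one shared scratch buffer for all callers
    PCHAR filename;
    size_t prefixlen;
    size_t restlen;

    if (_strnicmp(name, "%systemdrive%:", 14) == 0)
    {
        /* overwrite the closing '%' with the drive letter and skip the macro text */
        name[12] = SystemDrive;
        name += 12;
    }

    if (name[1] == ':' && name[2] == '\\' && (name[0] == '?' || name[0] == '*'))
    {
        /*
         * The 9 bytes of "\Device\*" land in the 7 bytes before name plus
         * name[0..1]; name[2] is the '\' tested above and stays as the
         * separator, giving "\Device\*\<user specified path>".
         */
        memcpy(name - 7, "\\Device\\*", 9);
        filename = name - 7;
        // mark the rule as wildcard even if the user (mistakenly) used "eq"
        // XXX or should we throw an error if wildcard==0?
        *wildcard = TRUE;
    }
    else if (isalpha((unsigned char) name[0]) && name[1] == ':')
    {
        /* prepend "\??\" into the headroom before name, then resolve to the kernel path */
        *(name - 4) = '\\';
        *(name - 3) = '?';
        *(name - 2) = '?';
        *(name - 1) = '\\';
        if (ResolveFilename(name - 4, buffer, MAX_PATH) == FALSE)
        {
            LOG(LOG_SS_POLICY, LOG_PRIORITY_DEBUG, ("ParseFileObject: ResolveFilename(%s) failed\n", name - 4));
            /*
             * Fail closed. Previously the stale contents of the shared buffer
             * (whatever the last call left there, or "") were returned as this
             * rule's object, silently attaching the rule to the wrong path.
             */
            return INVALID_OBJECT_SIZE;
        }
        filename = buffer;
    }
    else if (_strnicmp(name, "%systemroot%\\", 13) == 0)
    {
        /* "<SystemRoot>" + "\..." -- bounded, unlike the former strcpy/strcat pair */
        prefixlen = strlen(SystemRoot);
        restlen = strlen(name + 12);
        if (prefixlen + restlen >= sizeof(buffer))
            return INVALID_OBJECT_SIZE; /* do not truncate a policy path */
        memcpy(buffer, SystemRoot, prefixlen);
        memcpy(buffer + prefixlen, name + 12, restlen + 1);
        filename = buffer;
    }
    else if (_strnicmp(name, "\\pipe\\", 6) == 0)
    {
        /* "\device\namedpipe" + "\..." (the user's own '\' after "pipe" is reused) */
        prefixlen = sizeof(PipePrefix) - 1;
        restlen = strlen(name + 5);
        if (prefixlen + restlen >= sizeof(buffer))
            return INVALID_OBJECT_SIZE;
        memcpy(buffer, PipePrefix, prefixlen);
        memcpy(buffer + prefixlen, name + 5, restlen + 1);
        filename = buffer;
    }
    else
    {
        filename = name;
    }

    *Object = filename;
    return strlen(filename);
}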
/*
* ParseProcessObject()
*
* Description:
* Convert user land process object names into their kernel land equivalents (strip the drive specification).
*
* Parameters:
* name - string value to parse.
* Object - pointer to an Object where the final result will be saved.
* wildcard - pointer to a BOOLEAN that will indicate whether the specified value contained any regular expressions.
*
* Returns:
* Length of the specified string value.
*/
size_t
ParseProcessObject(IN PCHAR name, OUT PCHAR *Object, OUT BOOLEAN *wildcard)
{
    /*
     * Let StripFileMacros() rewrite the name into the scratch buffer (or hand
     * back a pointer of its own choosing). A NULL result means the name could
     * not be processed and is reported as INVALID_OBJECT_SIZE. *wildcard is not
     * written here.
     */
    static CHAR buffer[MAX_PATH] = { 0 }; /* XXX shared scratch buffer, not SMP safe */
    PCHAR stripped = StripFileMacros(name, buffer, MAX_PATH);

    if (stripped == NULL)
        return INVALID_OBJECT_SIZE;

    *Object = stripped;
    return strlen(stripped);
}
/*
* ParseBaseNamedObjectsObject()
*
* Description:
* Convert user land object names into their kernel land equivalents.
*
* Parameters:
* name - string value to parse.
* Object - pointer to an Object where the final result will be saved.
* wildcard - pointer to a BOOLEAN that will indicate whether the specified value contained any regular expressions.
*
* Returns:
* Length of the specified string value.
*/
size_t
ParseBaseNamedObjectsObject(IN PCHAR name, OUT PCHAR *Object, OUT BOOLEAN *wildcard)
{
    /*
     * Names already rooted at '\' are passed through. Otherwise
     * "\BaseNamedObjects\" (18 bytes) is written into the 18 bytes in front of
     * name. XXX this is a hack: it relies on the caller's buffer having that
     * much writable headroom before name. *wildcard is not written.
     */
    if (name[0] == '\\')
    {
        *Object = name;
        return strlen(name);
    }

    memcpy(name - 18, "\\BaseNamedObjects\\", 18);
    *Object = name - 18;
    return strlen(name - 18);
}
/*
* ParseMailslotObject()
*
* Description:
* Convert user land mailslot object names into their kernel land equivalents.
*
* Parameters:
* name - string value to parse.
* Object - pointer to an Object where the final result will be saved.
* wildcard - pointer to a BOOLEAN that will indicate whether the specified value contained any regular expressions.
*
* Returns:
* Length of the specified string value.
*/
size_t
ParseMailslotObject(IN PCHAR name, OUT PCHAR *Object, OUT BOOLEAN *wildcard)
{
    /*
     * Names already rooted at '\' are passed through. Otherwise
     * "\Device\Mailslot\" (17 bytes) is written into the 17 bytes in front of
     * name. XXX this is a hack: it relies on the caller's buffer having that
     * much writable headroom before name. *wildcard is not written.
     */
    if (name[0] == '\\')
    {
        *Object = name;
        return strlen(name);
    }

    memcpy(name - 17, "\\Device\\Mailslot\\", 17);
    *Object = name - 17;
    return strlen(name - 17);
}
/*
* ParseNamedpipeObject()
*
* Description:
* Convert user land namedpipe object names into their kernel land equivalents.
*
* Parameters:
* name - string value to parse.
* Object - pointer to an Object where the final result will be saved.
* wildcard - pointer to a BOOLEAN that will indicate whether the specified value contained any regular expressions.
*
* Returns:
* Length of the specified string value.
*/
size_t
ParseNamedpipeObject(IN PCHAR name, OUT PCHAR *Object, OUT BOOLEAN *wildcard)
{
PCHAR NamedpipeName;
/*
* if the namedpipe name does not start with a slash '\' then prepend '\Device\Namedpipe\' to the name
*/