/*
* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
*
* Module Name:
*
* driver.c
*
* Abstract:
*
* This module implements all the device driver "plumbing" (DriverEntry, etc).
*
* Author:
*
* Eugene Tsyrklevich 9-Feb-2004
*
* Revision History:
*
* None.
*/
#include <NTDDK.h>
#include <devioctl.h>
#include "driver.h"
//#include "eugene.h"
#include "file.h"
#include "registry.h"
#include "sysinfo.h"
#include "policy.h"
#include "process.h"
#include "learn.h"
#include "event.h"
#include "semaphore.h"
#include "dirobj.h"
#include "symlink.h"
#include "mutant.h"
#include "port.h"
#include "timer.h"
#include "token.h"
#include "job.h"
#include "driverobj.h"
#include "network.h"
#include "section.h"
#include "atom.h"
#include "time.h"
#include "vdm.h"
#include "procname.h"
#include "userland.h"
#include "media.h"
#include "boprot.h"
#include "debug.h"
#include "i386.h"
#include "misc.h"
#include "log.h"
/* SYSENTER_EIP MSR value read by blah() before it installs SysenterHandler;
 * SysenterHandler() jumps through it to reach the previously installed handler. */
LONG SysenterEip = 0;
/*
 * SysenterHandler()
 *
 * Description:
 * Naked routine (no compiler prologue/epilogue) whose address blah() writes
 * into the SYSENTER_EIP MSR. It keeps only the low byte of ecx, moves esp
 * down by that amount and then continues at the address saved in
 * SysenterEip, i.e. the handler that was in place before blah() ran.
 * Only reachable through blah(), whose call in DriverEntry is commented out.
 *
 * NOTE(review): ecx and esp are altered before control reaches the original
 * handler; whether that handler tolerates this is not verified here.
 */
__declspec(naked)
VOID
SysenterHandler()
{
_asm and ecx, 0x000000FF /* ecx &= 0xFF */
_asm sub esp, ecx /* esp -= ecx (0..255 bytes) */
_asm jmp [SysenterEip] /* continue at the saved original SYSENTER_EIP */
}
/*
 * blah()
 *
 * Description:
 * Experimental helper: reads the SYSENTER_CS, SYSENTER_ESP and SYSENTER_EIP
 * MSRs of the processor it runs on, saves the current SYSENTER_EIP value in
 * SysenterEip and writes the address of SysenterHandler into that MSR. The
 * previous and new values are written to the debugger output.
 * Not called in the visible code: the call in DriverEntry is commented out.
 *
 * NOTE(review): the write only affects the processor this executes on, and
 * no code in this chunk restores the saved value (e.g. on unload); both
 * would need to be addressed before the call is enabled.
 *
 * Parameters:
 * None.
 *
 * Returns:
 * Nothing.
 */
VOID
blah()
{
LONG c, s; /* SYSENTER_CS and SYSENTER_ESP values, used only for the trace */
/* MSR indices. #define has no block scope: these stay defined for the rest of the file. */
#define SYSENTER_CS_MSR 0x174
#define SYSENTER_ESP_MSR 0x175
#define SYSENTER_EIP_MSR 0x176
_asm
{
mov ecx, SYSENTER_CS_MSR
rdmsr /* edx:eax = MSR[ecx] */
mov c, eax
mov ecx, SYSENTER_ESP_MSR
rdmsr
mov s, eax
mov ecx, SYSENTER_EIP_MSR
rdmsr
mov SysenterEip, eax /* remember the handler currently installed */
mov eax, SysenterHandler
wrmsr /* MSR[ecx] = edx:eax; ecx is still SYSENTER_EIP_MSR, edx the high dword just read */
}
KdPrint(("old eip=%x:%x (%x), new eip=%x\n", c, SysenterEip, s, SysenterHandler));
}
/*
* DriverEntry()
*
* Description:
* Driver entry point.
*
* Parameters:
* pDriverObject - pointer to an initialized driver object that represents our driver
* pRegistryPath - name of the service key in the registry
*
* Returns:
* STATUS_SUCCESS to indicate success or an error code to indicate an error.
*/
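/* macro shortcut for bailing out of DriverEntry in case of an error.
 *
 * Relies on DriverEntry's locals being in scope: 'irql' (the IRQL to restore:
 * KeGetCurrentIrql() at entry, later the pre-raise level returned by
 * KeRaiseIrqlToDpcLevel()), 'status' (the NTSTATUS to return) and
 * 'pDriverObject'. Logs 'msg', lowers the IRQL back to 'irql' when the current
 * IRQL is above it, runs DriverUnload() to release what was set up so far and
 * returns 'status' from DriverEntry.
 *
 * The test is on the *current* IRQL on purpose: KeRaiseIrqlToDpcLevel()
 * returns the previous level, so after the raise 'irql' still holds
 * PASSIVE_LEVEL and a test on 'irql' alone would never lower it, leaving
 * DriverUnload() and the return at DISPATCH_LEVEL. Wrapped in do/while(0) so
 * it is a single statement after 'if'; every use ends with ';'.
 */
#define ABORT_DriverEntry(msg) \
do { \
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_CRITICAL, (msg)); \
if (KeGetCurrentIrql() > irql) KeLowerIrql(irql); \
DriverUnload(pDriverObject); \
return status; \
} while (0)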
/*
PVOID Find_Kernel32_Base();
NTSTATUS
NTAPI
ZwCreateSymbolicLinkObject(
OUT PHANDLE SymbolicLinkHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PUNICODE_STRING TargetName
);
HANDLE h;
*/
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
UNICODE_STRING usDeviceName, usSymLinkName;
PDEVICE_OBJECT pDeviceObject;
PDEVICE_EXTENSION pDeviceExtension;
NTSTATUS status;
KIRQL irql = KeGetCurrentIrql();
int i;
/*
{
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING dest, target;
NTSTATUS status;
RtlInitUnicodeString(&dest, L"\\??\\MyRegistryMachine");
RtlInitUnicodeString(&target, L"\\Registry\\Machine");
InitializeObjectAttributes(&ObjectAttributes, &dest, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
status = ZwCreateSymbolicLinkObject(&h, SYMBOLIC_LINK_ALL_ACCESS, &ObjectAttributes, &target);
if (! NT_SUCCESS(status))
{
KdPrint(("failed, status %x\n", status));
}
else
{
KdPrint(("link ok\n"));
}
// return STATUS_UNSUCCESSFUL;
}
*/
//XXX add pRegistryPath to deny registry access rule?!
__try
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverEntry: Entered (%x %S)\n", pDriverObject, pRegistryPath->Buffer));
// blah();
// KdPrint(("after blah\n"));
/*
* Verify we are running on x86 & everything is in order
*/
if (!InitI386())
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_CRITICAL, ("InitI386 failed. Aborting.\n"));
return STATUS_UNSUCCESSFUL;
}
/*
* Initialize all the driver object related data and create a device representing our device
*/
// set to NULL to disable unload by admins
// pDriverObject->DriverUnload = NULL;
pDriverObject->DriverUnload = DriverUnload;
//XXX need to intercept DriverObject->FastIoDispatch = &VTrcFSFastIoDispatchTable;
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
//XXX don't intercept IRP_MJ_POWER & IRP_MJ_PNP
pDriverObject->MajorFunction[i] = DriverDeviceControl;
pDriverObject->MajorFunction[ IRP_MJ_CREATE ] = DriverCreate;
pDriverObject->MajorFunction[ IRP_MJ_CLEANUP ] = DriverCleanup;
pDriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DriverClose;
pDriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DriverDeviceControl;
/*
pDriverObject->MajorFunction[ IRP_MJ_READ ] = DriverRead;
pDriverObject->MajorFunction[ IRP_MJ_WRITE ] = DriverWrite;
*/
RtlInitUnicodeString(&usDeviceName, DEVICE_NAME);
status = IoCreateDevice(pDriverObject, sizeof(DEVICE_EXTENSION),
&usDeviceName, FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN, FALSE,//FALSE (Exclusive - Reserved for system use. Drivers set this parameter to FALSE.)
// 0, TRUE,
&pDeviceObject);
if (!NT_SUCCESS(status))
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverEntry: IoCreateDevice failed with status %x\n", status));
return status;
}
pDeviceObject->Flags |= DO_BUFFERED_IO;
pDeviceExtension = (PDEVICE_EXTENSION) pDeviceObject->DeviceExtension;
pDeviceExtension->pDeviceObject = pDeviceObject;
RtlInitUnicodeString(&pDeviceExtension->usSymLink, DEVICE_SYMLINK_NAME);
status = IoCreateSymbolicLink(&pDeviceExtension->usSymLink, &usDeviceName);
if (!NT_SUCCESS(status))
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverEntry: IoCreateSymbolicLink failed with status %x\n", status));
IoDeleteDevice(pDeviceObject);
return status;
}
/*
* Now, mediate all the necessary calls
*/
#if HOOK_NETWORK
status = InstallNetworkHooks(pDriverObject);
if (! NT_SUCCESS(status))
ABORT_DriverEntry("InstallNetworkHooks() failed");
#endif
/* all consequitive calls that fail will cause the following error to be returned */
status = STATUS_DRIVER_INTERNAL_ERROR;
if (!InitSyscallsHooks())
ABORT_DriverEntry("InitSyscallsHooks() failed\n");
/*
* raise irql to DPC level to avoid any spurious system calls taking place before we
* manage to initialize appropriate hooked function pointers
*/
irql = KeRaiseIrqlToDpcLevel();
if (!InstallSyscallsHooks())
ABORT_DriverEntry("InstallSyscallsHooks() failed\n");
#if HOOK_FILE
if (!InitFileHooks())
ABORT_DriverEntry("InitFileHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitFileHooks\n"));
#endif
#if HOOK_REGISTRY
if (!InitRegistryHooks())
ABORT_DriverEntry("InitRegistryHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitRegistryHooks\n"));
#endif
#if HOOK_SECTION
if (!InitSectionHooks())
ABORT_DriverEntry("InitSectionHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitSectionHooks\n"));
#endif
#if HOOK_SYSINFO
if (!InitSysInfoHooks())
ABORT_DriverEntry("InitSysInfoHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitSysInfoHooks\n"));
#endif
#if HOOK_EVENT
if (!InitEventHooks())
ABORT_DriverEntry("InitEventHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitEventHooks\n"));
#endif
#if HOOK_SEMAPHORE
if (!InitSemaphoreHooks())
ABORT_DriverEntry("InitSemaphoreHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitSemaphoreHooks\n"));
#endif
#if HOOK_JOB
if (!InitJobHooks())
ABORT_DriverEntry("InitJobHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitJobHooks\n"));
#endif
#if HOOK_MUTANT
if (!InitMutantHooks())
ABORT_DriverEntry("InitMutantHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitMutantHooks\n"));
#endif
#if HOOK_DIROBJ
if (!InitDirobjHooks())
ABORT_DriverEntry("InitDirobjHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitDirobjHooks\n"));
#endif
#if HOOK_PORT
if (!InitPortHooks())
ABORT_DriverEntry("InitPortHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitPortHooks\n"));
#endif
#if HOOK_SYMLINK
if (!InitSymlinkHooks())
ABORT_DriverEntry("InitSymlinkHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitSymlinkHooks\n"));
#endif
#if HOOK_TIMER
if (!InitTimerHooks())
ABORT_DriverEntry("InitTimerHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitTimerHooks\n"));
#endif
#if HOOK_TOKEN
if (!InitTokenHooks())
ABORT_DriverEntry("InitTokenHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitTokenHooks\n"));
#endif
#if HOOK_TIME
if (!InitTimeHooks())
ABORT_DriverEntry("InitTimeHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitTimeHooks\n"));
#endif
#if HOOK_DRIVEROBJ
if (!InitDriverObjectHooks())
ABORT_DriverEntry("InitDriverObjectHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitDriverObjectHooks\n"));
#endif
#if HOOK_ATOM
if (!InitAtomHooks())
ABORT_DriverEntry("InitAtomHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitAtomHooks\n"));
#endif
#if HOOK_VDM
if (!InitVdmHooks())
ABORT_DriverEntry("InitVdmHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitVdmHooks\n"));
#endif
#if HOOK_DEBUG
if (!InitDebugHooks())
ABORT_DriverEntry("InitDebugHooks() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitDebugHooks\n"));
#endif