KeLowerIrql(irql);
/*
* The order of the following calls is important:
*
* InitProcessEntries() initializes OzoneInstallPath
* InitPolicy() initiailizes policy related variables
* InitProcessNameEntries() then uses policy vars & OzoneInstallPath to load policies
*/
#if HOOK_PROCESS
if (!InitProcessEntries())
ABORT_DriverEntry("InitProcessEntries() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitProcessEntries\n"));
#endif
if (!InitProcessNameEntries())
ABORT_DriverEntry("InitProcessNameEntries() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitProcessNameEntries\n"));
if (!InitPolicy())
ABORT_DriverEntry("InitPolicy() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitPolicy\n"));
EnumerateExistingProcesses();
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past EnumerateExistingProcesses\n"));
if (LearningMode == TRUE)
{
if (!InitLearningMode())
ABORT_DriverEntry("InitLearningMode() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitLearningMode\n"));
}
#if HOOK_MEDIA
if (!InitRemovableMediaHooks(pDriverObject, pDeviceObject))
ABORT_DriverEntry("InitRemovableMedia() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitRemovableMediaHooks\n"));
#endif
#if HOOK_BOPROT
if (!InitBufferOverflowProtection())
ABORT_DriverEntry("InitBufferOverflowProtection() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitBufferOverflowProtection\n"));
#endif
if (!InitLog())
ABORT_DriverEntry("InitLog() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitLog\n"));
if (!InitUserland())
ABORT_DriverEntry("InitUserland() failed\n");
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitUserland\n"));
} // __try
__except(EXCEPTION_EXECUTE_HANDLER)
{
NTSTATUS status = GetExceptionCode();
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_CRITICAL, ("DriverEntry: caught an exception. status = 0x%x\n", status));
return STATUS_DRIVER_INTERNAL_ERROR;
}
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverEntry: Done\n"));
return STATUS_SUCCESS;
}
/*
* DriverUnload()
*
* Description:
* Clean up and unload the driver.
*
* NOTE: Since this driver mediates system calls and other devices, it is not safe to
* unload the driver since there might remain outstanding references to our driver code and data
* segments once the driver is unloaded.
*
* NOTE2: In release builds, unload functionality should be disabled for security reasons.
*
* Parameters:
* pDriverObject - pointer to a driver object that represents this driver.
*
* Returns:
* Nothing.
*/
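VOID
DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    PDEVICE_OBJECT pDeviceObject, pNextDeviceObject;
    PDEVICE_EXTENSION pDeviceExtension;
    LARGE_INTEGER delay;

#if DBG
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: irql = %d %d\n", KeGetCurrentIrql(), HookedTDIRunning));
#endif

    /*
     * Put the original SYSENTER target back if we replaced it.
     *
     * NOTE(review): wrmsr only writes the MSR of the processor this thread
     * is currently executing on.  On a multiprocessor system the saved
     * value has to be restored on every processor -- confirm that this is
     * taken care of (by the caller or by thread affinity) before relying
     * on this single write.
     */
    if (SysenterEip)
    {
        _asm
        {
            mov ecx, SYSENTER_EIP_MSR
            mov eax, SysenterEip
            xor edx, edx
            wrmsr
        }
    }

#if HOOK_BOPROT
    ShutdownBufferOverflowProtection();
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past ShutdownBufferOverflowProtection\n"));
#endif

    /*
     * Mirror the #if HOOK_MEDIA guard DriverEntry places around
     * InitRemovableMediaHooks(): never remove hooks that were never installed.
     */
#if HOOK_MEDIA
    RemoveRemovableMediaHooks();
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past RemoveRemovableMediaHooks\n"));
#endif

    /*
     * NOTE(review): DriverDeviceControl guards TDIDispatch() with HOOK_NETWORK;
     * if InitNetworkHooks() is guarded the same way, this call should be too.
     */
    RemoveNetworkHooks(pDriverObject);
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past RemoveNetworkHooks\n"));

    RemoveSyscallsHooks();
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past RemoveSyscallsHooks\n"));

    /*
     * A hooked routine that was already executing when the hooks were
     * unlinked may still be running, and may still reference the policy,
     * log and userland state that is torn down below.  Let in-flight
     * calls drain before that state is freed.
     */
    delay.QuadPart = SECONDS(1);
    KeDelayExecutionThread(KernelMode, FALSE, &delay);

    RemoveProcessNameEntries();
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past RemoveProcessNameEntries\n"));

    /* Learning mode and enforcement keep separate state; release whichever was initialized. */
    if (LearningMode)
    {
        ShutdownLearningMode();
    }
    else
    {
        PolicyRemove();
    }
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past LearningMode\n"));

    ShutdownLog();
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past ShutdownLog\n"));

    ShutdownUserland();
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past UserlandShutdown\n"));

    /* Delete the symbolic link and the device object for every device this driver owns. */
    pDeviceObject = pDriverObject->DeviceObject;
    while (pDeviceObject != NULL)
    {
        /* Read the link before IoDeleteDevice() invalidates the current object. */
        pNextDeviceObject = pDeviceObject->NextDevice;
        pDeviceExtension = (PDEVICE_EXTENSION) pDeviceObject->DeviceExtension;
        if (pDeviceExtension)
        {
            NTSTATUS status;
            LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: IoDeleteSymbolicLink(%S)\n", pDeviceExtension->usSymLink.Buffer));
            status = IoDeleteSymbolicLink(&pDeviceExtension->usSymLink);
            if (!NT_SUCCESS(status))
            {
                LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: IoDeleteSymbolicLink failed: %x\n", status));
            }
        }
        else
        {
            LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: pDeviceExtension = NULL\n"));
        }
        IoDeleteDevice(pDeviceObject);
        pDeviceObject = pNextDeviceObject;
    }

    /* wait for 1 second for all timers/callbacks to complete */
    delay.QuadPart = SECONDS(1);
    KeDelayExecutionThread(KernelMode, FALSE, &delay);

#if DBG
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: HookedRoutineRunning = %d\n", HookedRoutineRunning));
#endif
    return;
}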
/*
* DriverDeviceControl()
*
* Description:
* Dispatch routine. Process network (TDI) and our driver requests.
*
* Parameters:
* pDeviceObject - pointer to a device object that a request is being sent to.
* pIrp - IRP (I/O Request Packet) request.
*
* Returns:
* NTSTATUS completion status of the request.
*/
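/*
 * COMPLETE_REQUEST(irp, status)
 *
 * Complete 'irp' with 'status' and return that status from the enclosing
 * dispatch routine.  Contains a hidden 'return': use it only inside a
 * function returning NTSTATUS, and only after IoStatus.Information has
 * been set.  'irp' is dereferenced, so it must not be NULL.
 *
 * Wrapped in do { } while (0) so it behaves as one statement even as the
 * body of an un-braced 'if'; every line uses the 'irp' argument rather
 * than the caller's local name, and 'status' is evaluated exactly once.
 */
#define COMPLETE_REQUEST(irp, status) \
    do { \
        NTSTATUS CompleteStatus_ = (status); \
        (irp)->IoStatus.Status = CompleteStatus_; \
        IoCompleteRequest((irp), IO_NO_INCREMENT); \
        return CompleteStatus_; \
    } while (0)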
NTSTATUS
DriverDeviceControl(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
PIO_STACK_LOCATION pIrpStack;
ULONG ControlCode;
NTSTATUS status;
ULONG InSize, OutSize;
KIRQL irql;
if (pDeviceObject == NULL || pIrp == NULL)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: NULL value %x %x\n", pDeviceObject, pIrp));
COMPLETE_REQUEST(pIrp, STATUS_UNSUCCESSFUL);
}
#if HOOK_NETWORK
if (TDIDispatch(pDeviceObject, pIrp, &status) == TRUE)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverDeviceControl(%x, %x): TDIDispatch\n", pDeviceObject, pIrp));
return status;
}
#endif
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
pIrp->IoStatus.Information = 0;
ControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
InSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
OutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
switch (ControlCode)
{
/*
* When userland agent service starts up, it registers with the driver using IOCTL_REGISTER_AGENT_SERVICE.
* Expects back 1 ULONG - version of the driver
*/
// XXX save agent pid and version?
case IOCTL_REGISTER_AGENT_SERVICE:
{
ULONG DriverVersion = DRIVER_VERSION;
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_REGISTER_AGENT_SERVICE ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
if (OutSize < sizeof(ULONG))
{
status = STATUS_INVALID_BUFFER_SIZE;
break;
}
RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, &DriverVersion, sizeof(ULONG));
ActiveUserAgent = TRUE;
pIrp->IoStatus.Information = sizeof(ULONG);
status = STATUS_SUCCESS;
break;
}
/*
* Userland agent service retrieves log alerts using IOCTL_GET_ALERT
*/
case IOCTL_GET_ALERT:
{
PSECURITY_ALERT TmpAlert;
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_ALERT ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
// if (UserAgentRegistered == FALSE)
// XXX;
KeAcquireSpinLock(&gLogSpinLock, &irql);
{
if (LogList == NULL)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_ALERT No More Alerts\n"));
status = STATUS_NO_MORE_ENTRIES;
KeReleaseSpinLock(&gLogSpinLock, irql);
break;
}
/* don't count the size of the Next pointer */
LogList->Size -= sizeof(struct _SECURITY_ALERT *);
if (OutSize < LogList->Size)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_ALERT %d < %d\n", OutSize, LogList->Size));
status = STATUS_INVALID_BUFFER_SIZE;
KeReleaseSpinLock(&gLogSpinLock, irql);
break;
}
/* copy the SECURITY_ALERT structure without including the Next pointer */
RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, (PCHAR)LogList + sizeof(struct _SECURITY_ALERT *), LogList->Size);
pIrp->IoStatus.Information = LogList->Size;
--NumberOfAlerts;
TmpAlert = LogList;
LogList = LogList->Next;
ExFreePoolWithTag(TmpAlert, _POOL_TAG);
}
KeReleaseSpinLock(&gLogSpinLock, irql);
status = STATUS_SUCCESS;
break;
}
/*
* Userland agent service retrieves userland requests using IOCTL_GET_USERLAND_REQUEST
*/
case IOCTL_GET_USERLAND_REQUEST:
{
PUSERLAND_REQUEST_HEADER TmpRequest;
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_USERLAND_REQUEST ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
KeAcquireSpinLock(&gUserlandRequestListSpinLock, &irql);
{
USHORT UserlandRequestSize;
if (UserlandRequestList == NULL)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_USERLAND_REQUEST No More Process Requests\n"));
status = STATUS_NO_MORE_ENTRIES;
KeReleaseSpinLock(&gUserlandRequestListSpinLock, irql);
break;
}
/* don't count the size of the Next pointer */
UserlandRequestSize = UserlandRequestList->RequestSize - sizeof(struct _USERLAND_REQUEST *);
if (OutSize < UserlandRequestSize)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_USERLAND_REQUEST %d < %d\n", OutSize, UserlandRequestSize));
KeReleaseSpinLock(&gUserlandRequestListSpinLock, irql);
status = STATUS_INVALID_BUFFER_SIZE;
break;
}
/* copy the PROCESS_REQUEST structure without including the Next pointer */
RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, (PCHAR)UserlandRequestList + sizeof(struct _USERLAND_REQUEST *), UserlandRequestSize);
pIrp->IoStatus.Information = UserlandRequestSize;