TmpRequest = UserlandRequestList;
UserlandRequestList = UserlandRequestList->Next;
ExFreePoolWithTag(TmpRequest, _POOL_TAG);
}
KeReleaseSpinLock(&gUserlandRequestListSpinLock, irql);
status = STATUS_SUCCESS;
break;
}
/*
 * Userland agent service returns userland replies using IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY.
 * NOTE(review): the InSize check below only bounds the reply from above (MAXIMUM_USERLAND_REPLY_SIZE);
 * ReplyHeader.SeqId / ProcessId and UserName are then read from an InSize-byte copy, so a reply
 * shorter than the header reads past the allocation. A lower bound (at least the header size,
 * presumably sizeof(SID_RESOLVE_REPLY) — confirm the struct layout) is needed before the fields
 * are dereferenced, and UserName is logged with %S without a visible terminator check.
 */
#define MAXIMUM_USERLAND_REPLY_SIZE 512
case IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY:
{
PSID_RESOLVE_REPLY pSidResolveReply;
PIMAGE_PID_ENTRY ProcessEntry;
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
if (InSize > MAXIMUM_USERLAND_REPLY_SIZE)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY %d > %d\n", InSize, MAXIMUM_USERLAND_REPLY_SIZE));
status = STATUS_INVALID_BUFFER_SIZE;
break;
}
pSidResolveReply = ExAllocatePoolWithTag(PagedPool, InSize, _POOL_TAG);
if (pSidResolveReply == NULL)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY out of memory\n"));
status = STATUS_UNSUCCESSFUL;
break;
}
RtlCopyMemory(pSidResolveReply, pIrp->AssociatedIrp.SystemBuffer, InSize);
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Received sid resolve reply. insize=%d seq=%d, %S\n", InSize, pSidResolveReply->ReplyHeader.SeqId, pSidResolveReply->UserName));
ProcessEntry = FindImagePidEntry(pSidResolveReply->ReplyHeader.ProcessId, 0);
if (ProcessEntry)
{
if (ProcessEntry->WaitingForUserRequestId == 0)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Process (pid=%d) is not expecting a user request!\n", pSidResolveReply->ReplyHeader.ProcessId));
ExFreePoolWithTag(pSidResolveReply, _POOL_TAG);
ProcessEntry->UserlandReply = NULL;
break;
}
if (ProcessEntry->WaitingForUserRequestId != pSidResolveReply->ReplyHeader.SeqId)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Process (pid=%d) is expecting to receive sequence id %d. Got %d\n", pSidResolveReply->ReplyHeader.ProcessId, ProcessEntry->WaitingForUserRequestId, pSidResolveReply->ReplyHeader.SeqId));
ExFreePoolWithTag(pSidResolveReply, _POOL_TAG);
ProcessEntry->UserlandReply = NULL;
break;
}
/* deliver the reply */
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Waking up process %d\n", pSidResolveReply->ReplyHeader.ProcessId));
ProcessEntry->UserlandReply = (PUSERLAND_REPLY_HEADER) pSidResolveReply;
KeSetEvent(&ProcessEntry->UserlandRequestDoneEvent, IO_NO_INCREMENT, FALSE);
}
else
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: cannot find process with pid=%d\n", pSidResolveReply->ReplyHeader.ProcessId));
status = STATUS_SUCCESS;
break;
}
/*
* Userland agent service returns "ask user" replies using IOCTL_SEND_USERLAND_ASK_USER_REPLY
*/
case IOCTL_SEND_USERLAND_ASK_USER_REPLY:
{
PASK_USER_REPLY pAskUserReply;
PIMAGE_PID_ENTRY ProcessEntry;
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_ASK_USER_REPLY ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
if (InSize != sizeof(ASK_USER_REPLY))
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_ASK_USER_REPLY %d != %d\n", InSize, sizeof(ASK_USER_REPLY)));
status = STATUS_INVALID_BUFFER_SIZE;
break;
}
pAskUserReply = ExAllocatePoolWithTag(PagedPool, sizeof(ASK_USER_REPLY), _POOL_TAG);
if (pAskUserReply == NULL)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_ASK_USER_REPLY out of memory\n"));
status = STATUS_UNSUCCESSFUL;
break;
}
RtlCopyMemory(pAskUserReply, pIrp->AssociatedIrp.SystemBuffer, InSize);
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Received ask user reply. insize=%d, action=%d\n", InSize, pAskUserReply->Action));
ProcessEntry = FindImagePidEntry(pAskUserReply->ReplyHeader.ProcessId, 0);
if (ProcessEntry)
{
if (ProcessEntry->WaitingForUserRequestId == 0)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Process (pid=%d) is not expecting a user request!\n", pAskUserReply->ReplyHeader.ProcessId));
ExFreePoolWithTag(pAskUserReply, _POOL_TAG);
ProcessEntry->UserlandReply = NULL;
break;
}
if (ProcessEntry->WaitingForUserRequestId != pAskUserReply->ReplyHeader.SeqId)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Process (pid=%d) is expecting to receive sequence id %d. Got %d\n", pAskUserReply->ReplyHeader.ProcessId, ProcessEntry->WaitingForUserRequestId, pAskUserReply->ReplyHeader.SeqId));
ExFreePoolWithTag(pAskUserReply, _POOL_TAG);
ProcessEntry->UserlandReply = NULL;
break;
}
/* deliver the reply */
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Waking up process %d\n", pAskUserReply->ReplyHeader.ProcessId));
ProcessEntry->UserlandReply = (PUSERLAND_REPLY_HEADER) pAskUserReply;
KeSetEvent(&ProcessEntry->UserlandRequestDoneEvent, IO_NO_INCREMENT, FALSE);
}
else
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("cannot find process with pid=%d\n", pAskUserReply->ReplyHeader.ProcessId));
status = STATUS_SUCCESS;
break;
}
/*
 * train.exe puts the driver in learning/training mode using IOCTL_START_CREATE_POLICY.
 * NOTE(review): the InSize check below rejects oversized and odd lengths but not InSize == 0,
 * for which the terminator store ProcessToMonitor[(InSize / sizeof(WCHAR)) - 1] indexes before
 * the array (index -1, or a wrapped huge index if InSize is unsigned); adding
 * `|| (InSize < sizeof(WCHAR))` to the rejection condition closes that.
 */
case IOCTL_START_CREATE_POLICY:
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverDeviceControl: IOCTL_START_CREATE_POLICY ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
if ((InSize > MAX_PROCESS_NAME * sizeof(WCHAR)) || (InSize % 2))
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_START_CREATE_POLICY Invalid Insize: %d\n", InSize));
status = STATUS_INVALID_BUFFER_SIZE;
break;
}
status = STATUS_SUCCESS;
if (LearningMode == TRUE)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_START_CREATE_POLICY Already in Learning Mode\n"));
break;
}
RtlCopyMemory(ProcessToMonitor, pIrp->AssociatedIrp.SystemBuffer, InSize);
ProcessToMonitor[(InSize / sizeof(WCHAR)) - 1] = 0;
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_START_CREATE_POLICY Learning about '%S'\n", ProcessToMonitor));
LearningMode = TRUE;
InitLearningMode();
break;
}
/*
* train.exe stops training/learning mode using IOCTL_STOP_CREATE_POLICY
*/
case IOCTL_STOP_CREATE_POLICY:
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
if ((InSize > MAX_PROCESS_NAME * sizeof(WCHAR)) || (InSize % 2))
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY Invalid Insize: %d\n", InSize));
status = STATUS_INVALID_BUFFER_SIZE;
break;
}
status = STATUS_SUCCESS;
if (LearningMode == FALSE)
{
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY Not in Learning Mode\n"));
break;
}
// RtlCopyMemory(ProcessToMonitor, pIrp->AssociatedIrp.SystemBuffer, InSize);
// ProcessToMonitor[(InSize / sizeof(WCHAR)) - 1] = 0;
// LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY '%S'\n", ProcessToMonitor));
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY\n"));
ShutdownLearningMode();
LearningMode = FALSE;
break;
}
default:
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("%d DriverDeviceControl default %x %x %x %x\n", (ULONG) PsGetCurrentProcessId(), pIrpStack->MajorFunction, ControlCode, InSize, OutSize));
status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
COMPLETE_REQUEST(pIrp, status);
}
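/*
 * IRP_MJ_CREATE dispatch: completes every open of the control device with
 * STATUS_SUCCESS, unless the TDI hook claims the IRP first.
 *
 * @param pDeviceObject  device the open is issued against (forwarded to TDIDispatch only)
 * @param pIrp           the create IRP; completed here with Information = 0
 * @return the status TDIDispatch produced when it took the IRP, otherwise STATUS_SUCCESS
 *
 * NOTE(review): no caller check is visible in this function — the single-agent
 * ActiveUserAgent guard is disabled under #if 0 — so any process that can open the
 * device may issue the agent IOCTLs. If that is not intended, restrict access where
 * the device object is created (its security descriptor); that code is not in view here.
 */
NTSTATUS
DriverCreate(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
#if HOOK_NETWORK
    /* status is only ever written by TDIDispatch; scoping it to the #if avoids an
     * unused-variable warning in builds without network hooking. */
    NTSTATUS status;
    if (TDIDispatch(pDeviceObject, pIrp, &status) == TRUE)
    {
        LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverCreate(%x, %x): TDIDispatch\n", pDeviceObject, pIrp));
        return status;
    }
#endif
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverCreate(%x, %x)\n", pDeviceObject, pIrp));
    // XXX need to consider any possible lock-out issues where a valid userland agent is disallowed access;
    // the userland binary name could be verified here as well.
    // The single-agent guard below is kept as a disabled draft of that policy.
#if 0
    if (ActiveUserAgent == TRUE)
    {
        LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("Userland agent already exists!\n"));
        pIrp->IoStatus.Status = STATUS_ACCESS_DENIED;
        pIrp->IoStatus.Information = 0;
        IoCompleteRequest(pIrp, IO_NO_INCREMENT);
        return STATUS_ACCESS_DENIED;
    }
    ActiveUserAgent = TRUE;
#endif
    /* Unconditional success: no bytes are transferred on open. */
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}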
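/*
 * IRP_MJ_CLOSE dispatch: completes every close of the control device with
 * STATUS_SUCCESS, unless the TDI hook claims the IRP first.
 *
 * @param pDeviceObject  device the handle was opened on (forwarded to TDIDispatch only)
 * @param pIrp           the close IRP; completed here with Information = 0
 * @return the status TDIDispatch produced when it took the IRP, otherwise STATUS_SUCCESS
 *
 * NOTE(review): nothing is torn down here when the userland agent's handle goes away
 * (the ActiveUserAgent reset is disabled under #if 0). Whether a process left waiting
 * on UserlandRequestDoneEvent is released elsewhere cannot be told from this function.
 */
NTSTATUS
DriverClose(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
#if HOOK_NETWORK
    /* status is only ever written by TDIDispatch; scoping it to the #if avoids an
     * unused-variable warning in builds without network hooking. */
    NTSTATUS status;
    if (TDIDispatch(pDeviceObject, pIrp, &status) == TRUE)
    {
        LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverClose(%x, %x): TDIDispatch\n", pDeviceObject, pIrp));
        return status;
    }
#endif
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverClose(%x, %x)\n", pDeviceObject, pIrp));
    /* Disabled draft of the single-agent bookkeeping; see DriverCreate. */
#if 0
    if (ActiveUserAgent == FALSE)
    {
        LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("Userland agent does not exist!\n"));
    }
    ActiveUserAgent = FALSE;
#endif
    /* Unconditional success: no bytes are transferred on close. */
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}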
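/*
 * IRP_MJ_CLEANUP dispatch: completes the cleanup IRP with STATUS_SUCCESS, unless
 * the TDI hook claims it first. No per-handle state is released here.
 *
 * @param pDeviceObject  device the handle was opened on (forwarded to TDIDispatch only)
 * @param pIrp           the cleanup IRP; completed here with Information = 0
 * @return the status TDIDispatch produced when it took the IRP, otherwise STATUS_SUCCESS
 */
NTSTATUS
DriverCleanup(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
#if HOOK_NETWORK
    /* status is only ever written by TDIDispatch; scoping it to the #if avoids an
     * unused-variable warning in builds without network hooking. */
    NTSTATUS status;
    if (TDIDispatch(pDeviceObject, pIrp, &status) == TRUE)
    {
        LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverCleanup(%x, %x): TDIDispatch\n", pDeviceObject, pIrp));
        return status;
    }
#endif
    LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverCleanup(%x, %x)\n", pDeviceObject, pIrp));
    /* Unconditional success: nothing is transferred on cleanup. */
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}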
#if 0
/*
 * IRP_MJ_READ dispatch (compiled out: this definition sits under #if 0).
 * As written it transfers nothing: the copy from the device-extension buffer is
 * commented out, so the IRP completes with STATUS_SUCCESS and Information = 0.
 *
 * @param pDeviceObject  device whose DeviceExtension would supply the data
 * @param pIrp           the read IRP; completed here
 * @return STATUS_SUCCESS
 */
NTSTATUS
DriverRead(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
PDEVICE_EXTENSION pDeviceExtension;
PIO_STACK_LOCATION pIrpStack;
/* stays 0 because the copy below is disabled */
ULONG size = 0;
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverRead()\n"));
/* both locals are assigned but unused while the copy is commented out */
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
pDeviceExtension = (PDEVICE_EXTENSION) pDeviceObject->DeviceExtension;
/*
size = min(pDeviceExtension->BufferSize, pIrpStack->Parameters.Read.Length);
RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, pDeviceExtension->Buffer, size);
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("Wrote %d bytes: %s\n", size, pDeviceExtension->Buffer));
pDeviceExtension->BufferSize = 0;
*/
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = size;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
/*
 * IRP_MJ_WRITE dispatch (compiled out: this definition sits under #if 0).
 * As written it accepts nothing: the copy into the device-extension buffer is
 * commented out, so the IRP completes with STATUS_SUCCESS and Information = 0.
 *
 * @param pDeviceObject  device whose DeviceExtension would receive the data
 * @param pIrp           the write IRP; completed here
 * @return STATUS_SUCCESS
 */
NTSTATUS
DriverWrite(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
PDEVICE_EXTENSION pDeviceExtension;
PIO_STACK_LOCATION pIrpStack;
/* stays 0 because the copy below is disabled */
ULONG size = 0;
LOG(LOG_SS_DRIVER_INTERNAL,LOG_PRIORITY_DEBUG, ("DriverWrite()\n"));
/* both locals are assigned but unused while the copy is commented out */
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
pDeviceExtension = (PDEVICE_EXTENSION) pDeviceObject->DeviceExtension;
/*
size = min(128, pIrpStack->Parameters.Write.Length);
RtlCopyMemory(pDeviceExtension->Buffer, pIrp->AssociatedIrp.SystemBuffer, size);
pDeviceExtension->BufferSize = size;
LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("Read %d bytes: %s\n", size, pDeviceExtension->Buffer));
*/
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = size;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
#endif