initial commit

author: tumagonx 2017-08-08 10:54:53 +0700
committer: tumagonx 2017-08-08 10:54:53 +0700
commit: 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree: a8bea139ddd26116d44ea182b0b8436f2162e6e3 /driverobj.c
1 files changed, 205 insertions, 0 deletions
diff --git a/driverobj.c b/driverobj.c
new file mode 100644
index 0000000..9b159d4
--- /dev/null
+++ b/driverobj.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              driverobj.c
+ *
+ * Abstract:
+ *
+ *              This module implements various driver object hooking routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 06-Apr-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#include "driverobj.h"
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitDriverObjectHooks)
+#endif
+fpZwLoadDriver          OriginalNtLoadDriver = NULL;
+fpZwUnloadDriver        OriginalNtUnloadDriver = NULL;
+/*
+ * HookedNtLoadDriver()
+ *
+ * Description:
+ *              This function mediates the NtLoadDriver() system service and checks the
+ *              provided driver object name against the global and current process security policies.
+ *
+ *              NOTE: ZwLoadDriver loads a device driver. [NAR]
+ *
+ * Parameters:
+ *              Those of NtLoadDriver().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtLoadDriver().
+ */
+NTSTATUS
+NTAPI
+HookedNtLoadDriver
+(
+        IN PUNICODE_STRING DriverServiceName
+)
+{
+        PCHAR                   FunctionName = "HookedNtLoadDriver";
+        UNICODE_STRING  usDriverName;
+        ANSI_STRING             AnsiDriverName;
+        CHAR                    DRIVERNAME[MAX_PATH];
+        HOOK_ROUTINE_ENTER();
+        if (!VerifyUnicodeString(DriverServiceName, &usDriverName))
+        {
+                LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtLoadDriver: VerifyUnicodeString(%x) failed\n", DriverServiceName));
+                HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+        }
+        if (_snprintf(DRIVERNAME, MAX_PATH, "%S", usDriverName.Buffer) < 0)
+        {
+                LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("%s: Driver name '%S' is too long\n", FunctionName, usDriverName.Buffer));
+                HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+        }
+        LOG(LOG_SS_DRIVER, LOG_PRIORITY_VERBOSE, ("HookedNtLoadDriver: %s\n", DRIVERNAME));
+        if (LearningMode == FALSE)
+        {
+                POLICY_CHECK_OPTYPE_NAME(DRIVER, OP_REGLOAD);
+        }
+        ASSERT(OriginalNtLoadDriver);
+        rc = OriginalNtLoadDriver(DriverServiceName);
+        HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(DRIVER, DRIVERNAME, OP_REGLOAD);
+}
+/*
+ * HookedNtUnloadDriver()
+ *
+ * Description:
+ *              This function mediates the NtUnloadDriver() system service and checks the
+ *              provided driver object name against the global and current process security policies.
+ *
+ *              NOTE: ZwUnloadDriver unloads a device driver. [NAR]
+ *
+ * Parameters:
+ *              Those of NtUnloadDriver().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtUnloadDriver().
+ */
+//XXX cannot mediate this function if we want to be able to unload our own driver
+/* uncomment originalfunction pointer code in Init() routine and hookproc.c hook to enable
+NTSTATUS
+NTAPI
+HookedNtUnloadDriver
+(
+        IN PUNICODE_STRING DriverServiceName
+)
+{
+        PCHAR                   FunctionName = "HookedNtUnloadDriver";
+        UNICODE_STRING  usDriverName;
+        ANSI_STRING             AnsiDriverName;
+        CHAR                    DRIVERNAME[MAX_PATH];
+        HOOK_ROUTINE_ENTER();
+        if (!VerifyUnicodeString(DriverServiceName, &usDriverName))
+        {
+                LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtUnloadDriver: VerifyUnicodeString failed\n"));
+                HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+        }
+        AnsiDriverName.Length = 0;
+        AnsiDriverName.MaximumLength = MAX_PATH - 1;
+        AnsiDriverName.Buffer = DRIVERNAME;
+        if (! NT_SUCCESS(RtlUnicodeStringToAnsiString(&AnsiDriverName, &usDriverName, FALSE)))
+        {
+                LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtUnloadDriver: RtlUnicodeStringToAnsiString failed\n"));
+                HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+        }
+        DRIVERNAME[AnsiDriverName.Length] = 0;
+        LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtUnloadDriver: %s\n", DRIVERNAME));
+        if (LearningMode == FALSE)
+        {
+                POLICY_CHECK_OPTYPE_NAME(DRIVER, OP_UNLOAD);
+        }
+        ASSERT(OriginalNtUnloadDriver);
+        rc = OriginalNtUnloadDriver(DriverServiceName);
+        HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(DRIVER, DRIVERNAME, OP_UNLOAD);
+}
+*/
+/*
+ * InitDriverHooks()
+ *
+ * Description:
+ *              Initializes all the mediated driver object operation pointers. The "OriginalFunction" pointers
+ *              are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ *              NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              TRUE to indicate success, FALSE if failed.
+ */
+BOOLEAN
+InitDriverObjectHooks()
+{
+        if ( (OriginalNtLoadDriver = (fpZwLoadDriver) ZwCalls[ZW_LOAD_DRIVER_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("InitDriverHooks: OriginalNtLoadDriver is NULL\n"));
+                return FALSE;
+        }
+/*
+        if ( (OriginalNtUnloadDriver = (fpZwUnloadDriver) ZwCalls[ZW_UNLOAD_DRIVER_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("InitDriverHooks: OriginalNtUnloadDriver is NULL\n"));
+                return FALSE;
+        }
+*/
+        return TRUE;
+}
author	tumagonx	2017-08-08 10:54:53 +0700
committer	tumagonx	2017-08-08 10:54:53 +0700
commit	2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree	a8bea139ddd26116d44ea182b0b8436f2162e6e3 /driverobj.c

diff --git a/driverobj.c b/driverobj.c new file mode 100644 index 0000000..9b159d4 --- /dev/null +++ b/driverobj.c
@@ -0,0 +1,205 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* driverobj.c
	7	*
	8	* Abstract:
	9	*
	10	* This module implements various driver object hooking routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 06-Apr-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#include "driverobj.h"
	23
	24
	25	#ifdef ALLOC_PRAGMA
	26	#pragma alloc_text (INIT, InitDriverObjectHooks)
	27	#endif
	28
	29
	30	fpZwLoadDriver OriginalNtLoadDriver = NULL;
	31	fpZwUnloadDriver OriginalNtUnloadDriver = NULL;
	32
	33
	34	/*
	35	* HookedNtLoadDriver()
	36	*
	37	* Description:
	38	* This function mediates the NtLoadDriver() system service and checks the
	39	* provided driver object name against the global and current process security policies.
	40	*
	41	* NOTE: ZwLoadDriver loads a device driver. [NAR]
	42	*
	43	* Parameters:
	44	* Those of NtLoadDriver().
	45	*
	46	* Returns:
	47	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	48	* Otherwise, NTSTATUS returned by NtLoadDriver().
	49	*/
	50
	51	NTSTATUS
	52	NTAPI
	53	HookedNtLoadDriver
	54	(
	55	IN PUNICODE_STRING DriverServiceName
	56	)
	57	{
	58	PCHAR FunctionName = "HookedNtLoadDriver";
	59	UNICODE_STRING usDriverName;
	60	ANSI_STRING AnsiDriverName;
	61	CHAR DRIVERNAME[MAX_PATH];
	62
	63
	64	HOOK_ROUTINE_ENTER();
	65
	66
	67	if (!VerifyUnicodeString(DriverServiceName, &usDriverName))
	68	{
	69	LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtLoadDriver: VerifyUnicodeString(%x) failed\n", DriverServiceName));
	70	HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	71	}
	72
	73
	74	if (_snprintf(DRIVERNAME, MAX_PATH, "%S", usDriverName.Buffer) < 0)
	75	{
	76	LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("%s: Driver name '%S' is too long\n", FunctionName, usDriverName.Buffer));
	77	HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	78	}
	79
	80
	81	LOG(LOG_SS_DRIVER, LOG_PRIORITY_VERBOSE, ("HookedNtLoadDriver: %s\n", DRIVERNAME));
	82
	83
	84	if (LearningMode == FALSE)
	85	{
	86	POLICY_CHECK_OPTYPE_NAME(DRIVER, OP_REGLOAD);
	87	}
	88
	89
	90	ASSERT(OriginalNtLoadDriver);
	91
	92	rc = OriginalNtLoadDriver(DriverServiceName);
	93
	94
	95	HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(DRIVER, DRIVERNAME, OP_REGLOAD);
	96	}
	97
	98
	99
	100	/*
	101	* HookedNtUnloadDriver()
	102	*
	103	* Description:
	104	* This function mediates the NtUnloadDriver() system service and checks the
	105	* provided driver object name against the global and current process security policies.
	106	*
	107	* NOTE: ZwUnloadDriver unloads a device driver. [NAR]
	108	*
	109	* Parameters:
	110	* Those of NtUnloadDriver().
	111	*
	112	* Returns:
	113	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	114	* Otherwise, NTSTATUS returned by NtUnloadDriver().
	115	*/
	116
	117	//XXX cannot mediate this function if we want to be able to unload our own driver
	118	/* uncomment originalfunction pointer code in Init() routine and hookproc.c hook to enable
	119	NTSTATUS
	120	NTAPI
	121	HookedNtUnloadDriver
	122	(
	123	IN PUNICODE_STRING DriverServiceName
	124	)
	125	{
	126	PCHAR FunctionName = "HookedNtUnloadDriver";
	127	UNICODE_STRING usDriverName;
	128	ANSI_STRING AnsiDriverName;
	129	CHAR DRIVERNAME[MAX_PATH];
	130
	131
	132	HOOK_ROUTINE_ENTER();
	133
	134
	135	if (!VerifyUnicodeString(DriverServiceName, &usDriverName))
	136	{
	137	LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtUnloadDriver: VerifyUnicodeString failed\n"));
	138	HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	139	}
	140
	141	AnsiDriverName.Length = 0;
	142	AnsiDriverName.MaximumLength = MAX_PATH - 1;
	143	AnsiDriverName.Buffer = DRIVERNAME;
	144
	145	if (! NT_SUCCESS(RtlUnicodeStringToAnsiString(&AnsiDriverName, &usDriverName, FALSE)))
	146	{
	147	LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtUnloadDriver: RtlUnicodeStringToAnsiString failed\n"));
	148	HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	149	}
	150
	151	DRIVERNAME[AnsiDriverName.Length] = 0;
	152
	153
	154	LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtUnloadDriver: %s\n", DRIVERNAME));
	155
	156
	157	if (LearningMode == FALSE)
	158	{
	159	POLICY_CHECK_OPTYPE_NAME(DRIVER, OP_UNLOAD);
	160	}
	161
	162
	163	ASSERT(OriginalNtUnloadDriver);
	164
	165	rc = OriginalNtUnloadDriver(DriverServiceName);
	166
	167
	168	HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(DRIVER, DRIVERNAME, OP_UNLOAD);
	169	}
	170	*/
	171
	172
	173	/*
	174	* InitDriverHooks()
	175	*
	176	* Description:
	177	* Initializes all the mediated driver object operation pointers. The "OriginalFunction" pointers
	178	* are initialized by InstallSyscallsHooks() that must be called prior to this function.
	179	*
	180	* NOTE: Called once during driver initialization (DriverEntry()).
	181	*
	182	* Parameters:
	183	* None.
	184	*
	185	* Returns:
	186	* TRUE to indicate success, FALSE if failed.
	187	*/
	188
	189	BOOLEAN
	190	InitDriverObjectHooks()
	191	{
	192	if ( (OriginalNtLoadDriver = (fpZwLoadDriver) ZwCalls[ZW_LOAD_DRIVER_INDEX].OriginalFunction) == NULL)
	193	{
	194	LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("InitDriverHooks: OriginalNtLoadDriver is NULL\n"));
	195	return FALSE;
	196	}
	197	/*
	198	if ( (OriginalNtUnloadDriver = (fpZwUnloadDriver) ZwCalls[ZW_UNLOAD_DRIVER_INDEX].OriginalFunction) == NULL)
	199	{
	200	LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("InitDriverHooks: OriginalNtUnloadDriver is NULL\n"));
	201	return FALSE;
	202	}
	203	*/
	204	return TRUE;
	205	}