initial commit

author: tumagonx 2017-08-08 10:54:53 +0700
committer: tumagonx 2017-08-08 10:54:53 +0700
commit: 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree: a8bea139ddd26116d44ea182b0b8436f2162e6e3 /event.c
1 files changed, 259 insertions, 0 deletions
diff --git a/event.c b/event.c
new file mode 100644
index 0000000..23fa528
--- /dev/null
+++ b/event.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              event.c
+ *
+ * Abstract:
+ *
+ *              This module implements various event hooking routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 09-Mar-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#include <NTDDK.h>
+#include "event.h"
+#include "policy.h"
+#include "pathproc.h"
+#include "hookproc.h"
+#include "accessmask.h"
+#include "learn.h"
+#include "log.h"
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitEventHooks)
+#endif
+fpZwCreateEventPair     OriginalNtCreateEventPair = NULL;
+fpZwOpenEventPair OriginalNtOpenEventPair = NULL;
+fpZwCreateEvent OriginalNtCreateEvent = NULL;
+fpZwOpenEvent   OriginalNtOpenEvent = NULL;
+/*
+ * HookedNtCreateEvent()
+ *
+ * Description:
+ *              This function mediates the NtCreateEvent() system service and checks the
+ *              provided event name against the global and current process security policies.
+ *
+ *              NOTE: ZwCreateEvent creates or opens an event object. [NAR]
+ *
+ * Parameters:
+ *              Those of NtCreateEvent().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtCreateEvent().
+ */
+NTSTATUS
+NTAPI
+HookedNtCreateEvent
+(
+        OUT PHANDLE EventHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN EVENT_TYPE EventType,
+        IN BOOLEAN InitialState
+)
+{
+        PCHAR   FunctionName = "HookedNtCreateEvent";
+        HOOK_ROUTINE_START(EVENT);
+        ASSERT(OriginalNtCreateEvent);
+        rc = OriginalNtCreateEvent(EventHandle, DesiredAccess, ObjectAttributes, EventType, InitialState);
+        HOOK_ROUTINE_FINISH(EVENT);
+}
+/*
+ * HookedNtOpenEvent()
+ *
+ * Description:
+ *              This function mediates the NtOpenEvent() system service and checks the
+ *              provided event name against the global and current process security policies.
+ *
+ *              NOTE: ZwOpenEvent opens an event object. [NAR]
+ *
+ * Parameters:
+ *              Those of NtOpenEvent().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtOpenEvent().
+ */
+NTSTATUS
+NTAPI
+HookedNtOpenEvent
+(
+        OUT PHANDLE EventHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes
+)
+{
+        PCHAR   FunctionName = "HookedNtOpenEvent";
+        HOOK_ROUTINE_START(EVENT);
+        ASSERT(OriginalNtOpenEvent);
+        rc = OriginalNtOpenEvent(EventHandle, DesiredAccess, ObjectAttributes);
+        HOOK_ROUTINE_FINISH(EVENT);
+}
+/*
+ * HookedNtCreateEventPair()
+ *
+ * Description:
+ *              This function mediates the NtCreateEventPair() system service and checks the
+ *              provided eventpair name against the global and current process security policies.
+ *
+ *              NOTE: ZwCreateEventPair creates or opens an event pair object. [NAR]
+ *
+ * Parameters:
+ *              Those of NtCreateEventPair().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtCreateEventPair().
+ */
+NTSTATUS
+NTAPI
+HookedNtCreateEventPair
+(
+        OUT PHANDLE EventPairHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes
+)
+{
+        PCHAR   FunctionName = "HookedNtCreateEventPair";
+        HOOK_ROUTINE_START(EVENT);
+        ASSERT(OriginalNtCreateEventPair);
+        rc = OriginalNtCreateEventPair(EventPairHandle, DesiredAccess, ObjectAttributes);
+        HOOK_ROUTINE_FINISH(EVENT);
+}
+/*
+ * HookedNtOpenEventPair()
+ *
+ * Description:
+ *              This function mediates the NtOpenEventPair() system service and checks the
+ *              provided event name against the global and current process security policies.
+ *
+ *              NOTE: ZwOpenEventPair opens an event pair object. [NAR]
+ *
+ * Parameters:
+ *              Those of NtOpenEventPair().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtOpenEventPair().
+ */
+NTSTATUS
+NTAPI
+HookedNtOpenEventPair
+(
+        OUT PHANDLE EventPairHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes
+)
+{
+        PCHAR   FunctionName = "HookedNtOpenEventPair";
+        HOOK_ROUTINE_START(EVENT);
+        ASSERT(OriginalNtOpenEventPair);
+        rc = OriginalNtOpenEventPair(EventPairHandle, DesiredAccess, ObjectAttributes);
+        HOOK_ROUTINE_FINISH(EVENT);
+}
+/*
+ * InitEventHooks()
+ *
+ * Description:
+ *              Initializes all the mediated event operation pointers. The "OriginalFunction" pointers
+ *              are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ *              NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              TRUE to indicate success, FALSE if failed.
+ */
+BOOLEAN
+InitEventHooks()
+{
+        if ( (OriginalNtCreateEventPair = (fpZwCreateEventPair) ZwCalls[ZW_CREATE_EVENT_PAIR_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtCreateEventPair is NULL\n"));
+                return FALSE;
+        }
+        if ( (OriginalNtOpenEventPair = (fpZwOpenEventPair) ZwCalls[ZW_OPEN_EVENT_PAIR_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtOpenEventPair is NULL\n"));
+                return FALSE;
+        }
+        if ( (OriginalNtCreateEvent = (fpZwCreateEvent) ZwCalls[ZW_CREATE_EVENT_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtCreateEvent is NULL\n"));
+                return FALSE;
+        }
+        if ( (OriginalNtOpenEvent = (fpZwOpenEvent) ZwCalls[ZW_OPEN_EVENT_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtOpenEvent is NULL\n"));
+                return FALSE;
+        }
+        return TRUE;
+}
author	tumagonx	2017-08-08 10:54:53 +0700
committer	tumagonx	2017-08-08 10:54:53 +0700
commit	2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree	a8bea139ddd26116d44ea182b0b8436f2162e6e3 /event.c

diff --git a/event.c b/event.c new file mode 100644 index 0000000..23fa528 --- /dev/null +++ b/event.c
@@ -0,0 +1,259 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* event.c
	7	*
	8	* Abstract:
	9	*
	10	* This module implements various event hooking routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 09-Mar-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#include <NTDDK.h>
	23	#include "event.h"
	24	#include "policy.h"
	25	#include "pathproc.h"
	26	#include "hookproc.h"
	27	#include "accessmask.h"
	28	#include "learn.h"
	29	#include "log.h"
	30
	31
	32	#ifdef ALLOC_PRAGMA
	33	#pragma alloc_text (INIT, InitEventHooks)
	34	#endif
	35
	36
	37	fpZwCreateEventPair OriginalNtCreateEventPair = NULL;
	38	fpZwOpenEventPair OriginalNtOpenEventPair = NULL;
	39
	40	fpZwCreateEvent OriginalNtCreateEvent = NULL;
	41	fpZwOpenEvent OriginalNtOpenEvent = NULL;
	42
	43
	44	/*
	45	* HookedNtCreateEvent()
	46	*
	47	* Description:
	48	* This function mediates the NtCreateEvent() system service and checks the
	49	* provided event name against the global and current process security policies.
	50	*
	51	* NOTE: ZwCreateEvent creates or opens an event object. [NAR]
	52	*
	53	* Parameters:
	54	* Those of NtCreateEvent().
	55	*
	56	* Returns:
	57	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	58	* Otherwise, NTSTATUS returned by NtCreateEvent().
	59	*/
	60
	61	NTSTATUS
	62	NTAPI
	63	HookedNtCreateEvent
	64	(
	65	OUT PHANDLE EventHandle,
	66	IN ACCESS_MASK DesiredAccess,
	67	IN POBJECT_ATTRIBUTES ObjectAttributes,
	68	IN EVENT_TYPE EventType,
	69	IN BOOLEAN InitialState
	70	)
	71	{
	72	PCHAR FunctionName = "HookedNtCreateEvent";
	73
	74
	75	HOOK_ROUTINE_START(EVENT);
	76
	77
	78	ASSERT(OriginalNtCreateEvent);
	79
	80	rc = OriginalNtCreateEvent(EventHandle, DesiredAccess, ObjectAttributes, EventType, InitialState);
	81
	82
	83	HOOK_ROUTINE_FINISH(EVENT);
	84	}
	85
	86
	87
	88	/*
	89	* HookedNtOpenEvent()
	90	*
	91	* Description:
	92	* This function mediates the NtOpenEvent() system service and checks the
	93	* provided event name against the global and current process security policies.
	94	*
	95	* NOTE: ZwOpenEvent opens an event object. [NAR]
	96	*
	97	* Parameters:
	98	* Those of NtOpenEvent().
	99	*
	100	* Returns:
	101	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	102	* Otherwise, NTSTATUS returned by NtOpenEvent().
	103	*/
	104
	105	NTSTATUS
	106	NTAPI
	107	HookedNtOpenEvent
	108	(
	109	OUT PHANDLE EventHandle,
	110	IN ACCESS_MASK DesiredAccess,
	111	IN POBJECT_ATTRIBUTES ObjectAttributes
	112	)
	113	{
	114	PCHAR FunctionName = "HookedNtOpenEvent";
	115
	116
	117	HOOK_ROUTINE_START(EVENT);
	118
	119
	120	ASSERT(OriginalNtOpenEvent);
	121
	122	rc = OriginalNtOpenEvent(EventHandle, DesiredAccess, ObjectAttributes);
	123
	124
	125	HOOK_ROUTINE_FINISH(EVENT);
	126	}
	127
	128
	129
	130	/*
	131	* HookedNtCreateEventPair()
	132	*
	133	* Description:
	134	* This function mediates the NtCreateEventPair() system service and checks the
	135	* provided eventpair name against the global and current process security policies.
	136	*
	137	* NOTE: ZwCreateEventPair creates or opens an event pair object. [NAR]
	138	*
	139	* Parameters:
	140	* Those of NtCreateEventPair().
	141	*
	142	* Returns:
	143	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	144	* Otherwise, NTSTATUS returned by NtCreateEventPair().
	145	*/
	146
	147	NTSTATUS
	148	NTAPI
	149	HookedNtCreateEventPair
	150	(
	151	OUT PHANDLE EventPairHandle,
	152	IN ACCESS_MASK DesiredAccess,
	153	IN POBJECT_ATTRIBUTES ObjectAttributes
	154	)
	155	{
	156	PCHAR FunctionName = "HookedNtCreateEventPair";
	157
	158
	159	HOOK_ROUTINE_START(EVENT);
	160
	161
	162	ASSERT(OriginalNtCreateEventPair);
	163
	164	rc = OriginalNtCreateEventPair(EventPairHandle, DesiredAccess, ObjectAttributes);
	165
	166
	167	HOOK_ROUTINE_FINISH(EVENT);
	168	}
	169
	170
	171
	172
	173	/*
	174	* HookedNtOpenEventPair()
	175	*
	176	* Description:
	177	* This function mediates the NtOpenEventPair() system service and checks the
	178	* provided event name against the global and current process security policies.
	179	*
	180	* NOTE: ZwOpenEventPair opens an event pair object. [NAR]
	181	*
	182	* Parameters:
	183	* Those of NtOpenEventPair().
	184	*
	185	* Returns:
	186	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	187	* Otherwise, NTSTATUS returned by NtOpenEventPair().
	188	*/
	189
	190	NTSTATUS
	191	NTAPI
	192	HookedNtOpenEventPair
	193	(
	194	OUT PHANDLE EventPairHandle,
	195	IN ACCESS_MASK DesiredAccess,
	196	IN POBJECT_ATTRIBUTES ObjectAttributes
	197	)
	198	{
	199	PCHAR FunctionName = "HookedNtOpenEventPair";
	200
	201
	202	HOOK_ROUTINE_START(EVENT);
	203
	204
	205	ASSERT(OriginalNtOpenEventPair);
	206
	207	rc = OriginalNtOpenEventPair(EventPairHandle, DesiredAccess, ObjectAttributes);
	208
	209
	210	HOOK_ROUTINE_FINISH(EVENT);
	211	}
	212
	213
	214
	215	/*
	216	* InitEventHooks()
	217	*
	218	* Description:
	219	* Initializes all the mediated event operation pointers. The "OriginalFunction" pointers
	220	* are initialized by InstallSyscallsHooks() that must be called prior to this function.
	221	*
	222	* NOTE: Called once during driver initialization (DriverEntry()).
	223	*
	224	* Parameters:
	225	* None.
	226	*
	227	* Returns:
	228	* TRUE to indicate success, FALSE if failed.
	229	*/
	230
	231	BOOLEAN
	232	InitEventHooks()
	233	{
	234	if ( (OriginalNtCreateEventPair = (fpZwCreateEventPair) ZwCalls[ZW_CREATE_EVENT_PAIR_INDEX].OriginalFunction) == NULL)
	235	{
	236	LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtCreateEventPair is NULL\n"));
	237	return FALSE;
	238	}
	239
	240	if ( (OriginalNtOpenEventPair = (fpZwOpenEventPair) ZwCalls[ZW_OPEN_EVENT_PAIR_INDEX].OriginalFunction) == NULL)
	241	{
	242	LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtOpenEventPair is NULL\n"));
	243	return FALSE;
	244	}
	245
	246	if ( (OriginalNtCreateEvent = (fpZwCreateEvent) ZwCalls[ZW_CREATE_EVENT_INDEX].OriginalFunction) == NULL)
	247	{
	248	LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtCreateEvent is NULL\n"));
	249	return FALSE;
	250	}
	251
	252	if ( (OriginalNtOpenEvent = (fpZwOpenEvent) ZwCalls[ZW_OPEN_EVENT_INDEX].OriginalFunction) == NULL)
	253	{
	254	LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtOpenEvent is NULL\n"));
	255	return FALSE;
	256	}
	257
	258	return TRUE;
	259	}