authortumagonx2017-08-08 10:54:53 +0700
committertumagonx2017-08-08 10:54:53 +0700
commit2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
treea8bea139ddd26116d44ea182b0b8436f2162e6e3 /hookproc.h
initial commit
Diffstat (limited to 'hookproc.h')
-rw-r--r--hookproc.h460
1 files changed, 460 insertions, 0 deletions
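diff --git a/hookproc.h b/hookproc.h
new file mode 100644
index 0000000..7756d23
--- /dev/null
+++ b/hookproc.h
@@ -0,0 +1,460 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ * hookproc.h
+ *
+ * Abstract:
+ *
+ * This module definies various types used by service operation (system call) hooking routines.
+ *
+ * Author:
+ *
+ * Eugene Tsyrklevich 16-Feb-2004
+ *
+ * Revision History:
+ *
+ * None.
+ */
+
+
+#ifndef __HOOKPROC_H__
+#define __HOOKPROC_H__
+
+
+#include "userland.h"
+
+
+/* should the following calls be intercepted? */
+
+#define HOOK_EVENT 1
+#define HOOK_FILE 1
+#define HOOK_DIROBJ 1
+#define HOOK_JOB 1
+#define HOOK_NETWORK 1
+#define HOOK_MUTANT 1
+#define HOOK_PORT 1
+#define HOOK_PROCESS 1
+#define HOOK_REGISTRY 1
+#define HOOK_SECTION 1
+#define HOOK_SEMAPHORE 1
+#define HOOK_SYMLINK 1
+#define HOOK_SYSINFO 1
+#define HOOK_TIME 1
+#define HOOK_TIMER 1
+#define HOOK_TOKEN 1
+#define HOOK_DRIVEROBJ 1
+#define HOOK_ATOM 1
+#define HOOK_VDM 1
+#define HOOK_SYSCALLS 0
+#define HOOK_DEBUG 1
+#define HOOK_MEDIA 1
+#define HOOK_BOPROT 0
+
+
+#pragma pack(push, 1)
+typedef struct _SERVICE_TABLE_DESCRIPTOR {
+
+ PULONG ServiceTableBase; /* table of function pointers */
+ PVOID ServiceCounterTable; /* used in checked build only */
+ ULONG NumberOfServices; /* number of services in this table */
+ /* extra LONG on IA64 goes here */
+ PVOID ParamTableBase; /* number of parameters */
+
+} SERVICE_TABLE_DESCRIPTOR, *PSERVICE_TABLE_DESCRIPTOR;
+#pragma pack(pop)
+
+
+/*
+ * The Service Descriptor Table index (4 bytes following the mov opcode)
+ *
+ * The index format is as follows:
+ *
+ * Leading 18 bits are all zeroes
+ * Following 2 bits are system service table index (3 bits on Win64)
+ * Following 12 bits are service number
+ */
+
+#define SERVICE_TABLE_INDEX_BITS 2
+#define NUMBER_SERVICE_TABLES (1 << SERVICE_TABLE_INDEX_BITS)
+
+#define SERVICE_ID_NUMBER_BITS 12
+#define SERVICE_ID_NUMBER_MASK ((1 << SERVICE_ID_NUMBER_BITS) - 1)
+
+
+/*
+ * The kernel's service descriptor table, which is used to find the address
+ * of the service dispatch tables to use for a service ID.
+ *
+ * Descriptor 0 is used for core services (NTDLL)
+ * Descriptor 1 is used for GUI services (WIN32K)
+ * Descriptors 2 and 3 are unused on current versions of Windows NT.
+ */
+
+__declspec(dllimport) SERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable[NUMBER_SERVICE_TABLES];
+
+
+/*
+ * not exported
+ */
+
+//PSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTableShadow;
+
+
+
+void SystemCallHandler0(); void SystemCallHandler1(); void SystemCallHandler2(); void SystemCallHandler3();
+void SystemCallHandler4(); void SystemCallHandler5(); void SystemCallHandler6(); void SystemCallHandler7();
+void SystemCallHandler8(); void SystemCallHandler9(); void SystemCallHandler10(); void SystemCallHandler11();
+void SystemCallHandler12(); void SystemCallHandler13(); void SystemCallHandler14(); void SystemCallHandler15();
+void SystemCallHandler16(); void SystemCallHandler17(); void SystemCallHandler18(); void SystemCallHandler19();
+void SystemCallHandler20(); void SystemCallHandler21(); void SystemCallHandler22(); void SystemCallHandler23();
+void SystemCallHandler24(); void SystemCallHandler25(); void SystemCallHandler26(); void SystemCallHandler27();
+void SystemCallHandler28(); void SystemCallHandler29(); void SystemCallHandler30(); void SystemCallHandler31();
+void SystemCallHandler32(); void SystemCallHandler33(); void SystemCallHandler34(); void SystemCallHandler35();
+void SystemCallHandler36(); void SystemCallHandler37(); void SystemCallHandler38(); void SystemCallHandler39();
+void SystemCallHandler40(); void SystemCallHandler41(); void SystemCallHandler42(); void SystemCallHandler43();
+void SystemCallHandler44(); void SystemCallHandler45(); void SystemCallHandler46(); void SystemCallHandler47();
+void SystemCallHandler48(); void SystemCallHandler49(); void SystemCallHandler50(); void SystemCallHandler51();
+void SystemCallHandler52(); void SystemCallHandler53(); void SystemCallHandler54(); void SystemCallHandler55();
+void SystemCallHandler56(); void SystemCallHandler57(); void SystemCallHandler58(); void SystemCallHandler59();
+void SystemCallHandler60(); void SystemCallHandler61(); void SystemCallHandler62(); void SystemCallHandler63();
+void SystemCallHandler64(); void SystemCallHandler65(); void SystemCallHandler66(); void SystemCallHandler67();
+void SystemCallHandler68(); void SystemCallHandler69(); void SystemCallHandler70(); void SystemCallHandler71();
+void SystemCallHandler72(); void SystemCallHandler73(); void SystemCallHandler74(); void SystemCallHandler75();
+void SystemCallHandler76(); void SystemCallHandler77(); void SystemCallHandler78(); void SystemCallHandler79();
+void SystemCallHandler80(); void SystemCallHandler81(); void SystemCallHandler82(); void SystemCallHandler83();
+void SystemCallHandler84(); void SystemCallHandler85(); void SystemCallHandler86(); void SystemCallHandler87();
+void SystemCallHandler88(); void SystemCallHandler89(); void SystemCallHandler90(); void SystemCallHandler91();
+void SystemCallHandler92(); void SystemCallHandler93(); void SystemCallHandler94(); void SystemCallHandler95();
+void SystemCallHandler96(); void SystemCallHandler97(); void SystemCallHandler98(); void SystemCallHandler99();
+void SystemCallHandler100(); void SystemCallHandler101(); void SystemCallHandler102(); void SystemCallHandler103();
+void SystemCallHandler104(); void SystemCallHandler105(); void SystemCallHandler106(); void SystemCallHandler107();
+void SystemCallHandler108(); void SystemCallHandler109(); void SystemCallHandler110(); void SystemCallHandler111();
+void SystemCallHandler112(); void SystemCallHandler113(); void SystemCallHandler114(); void SystemCallHandler115();
+void SystemCallHandler116(); void SystemCallHandler117(); void SystemCallHandler118(); void SystemCallHandler119();
+void SystemCallHandler120(); void SystemCallHandler121(); void SystemCallHandler122(); void SystemCallHandler123();
+void SystemCallHandler124(); void SystemCallHandler125(); void SystemCallHandler126(); void SystemCallHandler127();
+void SystemCallHandler128(); void SystemCallHandler129(); void SystemCallHandler130(); void SystemCallHandler131();
+void SystemCallHandler132(); void SystemCallHandler133(); void SystemCallHandler134(); void SystemCallHandler135();
+void SystemCallHandler136(); void SystemCallHandler137(); void SystemCallHandler138(); void SystemCallHandler139();
+void SystemCallHandler140(); void SystemCallHandler141(); void SystemCallHandler142(); void SystemCallHandler143();
+void SystemCallHandler144(); void SystemCallHandler145(); void SystemCallHandler146(); void SystemCallHandler147();
+void SystemCallHandler148(); void SystemCallHandler149(); void SystemCallHandler150(); void SystemCallHandler151();
+void SystemCallHandler152(); void SystemCallHandler153(); void SystemCallHandler154(); void SystemCallHandler155();
+void SystemCallHandler156(); void SystemCallHandler157(); void SystemCallHandler158(); void SystemCallHandler159();
+void SystemCallHandler160(); void SystemCallHandler161(); void SystemCallHandler162(); void SystemCallHandler163();
+void SystemCallHandler164(); void SystemCallHandler165(); void SystemCallHandler166(); void SystemCallHandler167();
+void SystemCallHandler168(); void SystemCallHandler169(); void SystemCallHandler170(); void SystemCallHandler171();
+void SystemCallHandler172(); void SystemCallHandler173(); void SystemCallHandler174(); void SystemCallHandler175();
+void SystemCallHandler176(); void SystemCallHandler177(); void SystemCallHandler178(); void SystemCallHandler179();
+void SystemCallHandler180(); void SystemCallHandler181(); void SystemCallHandler182(); void SystemCallHandler183();
+void SystemCallHandler184(); void SystemCallHandler185(); void SystemCallHandler186(); void SystemCallHandler187();
+void SystemCallHandler188(); void SystemCallHandler189(); void SystemCallHandler190(); void SystemCallHandler191();
+void SystemCallHandler192(); void SystemCallHandler193(); void SystemCallHandler194(); void SystemCallHandler195();
+void SystemCallHandler196(); void SystemCallHandler197(); void SystemCallHandler198(); void SystemCallHandler199();
+void SystemCallHandler200(); void SystemCallHandler201(); void SystemCallHandler202(); void SystemCallHandler203();
+void SystemCallHandler204(); void SystemCallHandler205(); void SystemCallHandler206(); void SystemCallHandler207();
+void SystemCallHandler208(); void SystemCallHandler209(); void SystemCallHandler210(); void SystemCallHandler211();
+void SystemCallHandler212(); void SystemCallHandler213(); void SystemCallHandler214(); void SystemCallHandler215();
+void SystemCallHandler216(); void SystemCallHandler217(); void SystemCallHandler218(); void SystemCallHandler219();
+void SystemCallHandler220(); void SystemCallHandler221(); void SystemCallHandler222(); void SystemCallHandler223();
+void SystemCallHandler224(); void SystemCallHandler225(); void SystemCallHandler226(); void SystemCallHandler227();
+void SystemCallHandler228(); void SystemCallHandler229(); void SystemCallHandler230(); void SystemCallHandler231();
+void SystemCallHandler232(); void SystemCallHandler233(); void SystemCallHandler234(); void SystemCallHandler235();
+void SystemCallHandler236(); void SystemCallHandler237(); void SystemCallHandler238(); void SystemCallHandler239();
+void SystemCallHandler240(); void SystemCallHandler241(); void SystemCallHandler242(); void SystemCallHandler243();
+void SystemCallHandler244(); void SystemCallHandler245(); void SystemCallHandler246(); void SystemCallHandler247();
+void SystemCallHandler248(); void SystemCallHandler249(); void SystemCallHandler250(); void SystemCallHandler251();
+void SystemCallHandler252(); void SystemCallHandler253(); void SystemCallHandler254(); void SystemCallHandler255();
+void SystemCallHandler256(); void SystemCallHandler257(); void SystemCallHandler258(); void SystemCallHandler259();
+void SystemCallHandler260(); void SystemCallHandler261(); void SystemCallHandler262(); void SystemCallHandler263();
+void SystemCallHandler264(); void SystemCallHandler265(); void SystemCallHandler266(); void SystemCallHandler267();
+void SystemCallHandler268(); void SystemCallHandler269(); void SystemCallHandler270(); void SystemCallHandler271();
+void SystemCallHandler272(); void SystemCallHandler273(); void SystemCallHandler274(); void SystemCallHandler275();
+void SystemCallHandler276(); void SystemCallHandler277(); void SystemCallHandler278(); void SystemCallHandler279();
+void SystemCallHandler280(); void SystemCallHandler281(); void SystemCallHandler282(); void SystemCallHandler283();
+void SystemCallHandler284(); void SystemCallHandler285(); void SystemCallHandler286(); void SystemCallHandler287();
+void SystemCallHandler288(); void SystemCallHandler289(); void SystemCallHandler290(); void SystemCallHandler291();
+void SystemCallHandler292(); void SystemCallHandler293(); void SystemCallHandler294();
+
+
+
+// XXX
+// SystemCallHandler macro depends on the size of this structure and the offset of the OriginalFunction!
+
+extern struct _ZwCalls
+{
+ PCHAR ZwName; // System call name
+ USHORT ZwNameLength; // System call name length
+ USHORT ServiceIDNumber; // System call index (filled in at runtime)
+ PULONG_PTR HookFunction; // Address of the hijacking function (function that will be called instead of the original system call)
+ PULONG_PTR OriginalFunction; // PlaceHolder for the address of the original syscall address
+ BOOLEAN Hijacked; // Flag indicating whether we already hijacked this system call
+ // or whether this is a special system service that needs to be hijacked initially
+};
+
+extern struct _ZwCalls ZwCalls[];
+
+
+#define ZW_ADD_ATOM_INDEX 8
+
+#define ZW_ADJUST_TOKEN_INDEX 12
+
+#define ZW_CONNECT_PORT_INDEX 33
+
+#define ZW_CREATE_DIRECTORYOBJECT_INDEX 36
+#define ZW_CREATE_EVENT_INDEX 37
+#define ZW_CREATE_EVENT_PAIR_INDEX 38
+#define ZW_CREATE_FILE_INDEX 39
+
+#define ZW_CREATE_JOBOBJECT_INDEX 41
+
+#define ZW_CREATE_KEY_INDEX 43
+
+#define ZW_CREATE_MAILSLOTFILE_INDEX 45
+#define ZW_CREATE_MUTANT_INDEX 46
+#define ZW_CREATE_NAMEDPIPEFILE_INDEX 47
+
+#define ZW_CREATE_PORT_INDEX 49
+#define ZW_CREATE_PROCESS_INDEX 50
+#define ZW_CREATE_PROCESSEX_INDEX 51
+
+#define ZW_CREATE_SECTION_INDEX 53
+#define ZW_CREATE_SEMAPHORE_INDEX 54
+#define ZW_CREATE_SYMLINK_INDEX 55
+#define ZW_CREATE_THREAD_INDEX 56
+#define ZW_CREATE_TIMER_INDEX 57
+#define ZW_CREATE_TOKEN_INDEX 58
+#define ZW_CREATE_WAITPORT_INDEX 59
+#define ZW_DEBUG_ACTIVEPROCESS_INDEX 60
+
+#define ZW_DELETE_FILE_INDEX 66
+#define ZW_DELETE_KEY_INDEX 67
+
+#define ZW_FIND_ATOM_INDEX 81
+
+#define ZW_LOAD_DRIVER_INDEX 103
+
+#define ZW_MAPVIEW_SECTION_INDEX 115
+
+#define ZW_OPEN_DIRECTORYOBJECT_INDEX 121
+#define ZW_OPEN_EVENT_INDEX 122
+#define ZW_OPEN_EVENT_PAIR_INDEX 123
+#define ZW_OPEN_FILE_INDEX 124
+
+#define ZW_OPEN_JOBOBJECT_INDEX 126
+#define ZW_OPEN_KEY_INDEX 127
+
+#define ZW_OPEN_MUTANT_INDEX 129
+
+#define ZW_OPEN_PROCESS_INDEX 131
+
+#define ZW_OPEN_SECTION_INDEX 134
+#define ZW_OPEN_SEMAPHORE_INDEX 135
+#define ZW_OPEN_SYMLINK_INDEX 136
+#define ZW_OPEN_THREAD_INDEX 137
+
+#define ZW_OPEN_TIMER_INDEX 140
+
+#define ZW_QUERY_ATTRIBUTES_FILE_INDEX 148
+
+#define ZW_QUERY_DIRECTORYFILE_INDEX 154
+
+#define ZW_QUERY_FULLATTR_FILE_INDEX 159
+
+#define ZW_QUERY_VALUE_KEY_INDEX 189
+
+#define ZW_SECURECONNECT_PORT_INDEX 223
+
+#define ZW_SET_INFO_FILE_INDEX 238
+
+#define ZW_SET_INFO_TOKEN_INDEX 244
+
+#define ZW_SET_LDT_ENTRIES_INDEX 247
+
+#define ZW_SET_SYSTEM_INFORMATION_INDEX 254
+
+#define ZW_SET_SYSTEM_TIME_INDEX 256
+
+#define ZW_SET_TIMER_RESOLUTION_INDEX 259
+
+#define ZW_SET_VALUE_KEY_INDEX 261
+
+#define ZW_UNLOAD_DRIVER_INDEX 276
+
+#define ZW_VDM_CONTROL_INDEX 283
+
+
+/*
+ * make sure we don't try to unload the driver while a system call is in progress
+ * still not atomic but we shouldn't be unloading this driver in any case
+ */
+
+#if DBG
+
+extern int HookedRoutineRunning;
+#define HOOK_ROUTINE_ENTER() NTSTATUS rc; ACTION_TYPE Action; InterlockedIncrement(&HookedRoutineRunning);
+#define HOOK_ROUTINE_EXIT(status) { InterlockedDecrement(&HookedRoutineRunning); return ((status)); }
+
+extern int HookedTDIRunning;
+#define HOOK_TDI_ENTER() NTSTATUS rc; ACTION_TYPE Action; InterlockedIncrement(&HookedTDIRunning);
+#define HOOK_TDI_ENTER_NORC() InterlockedIncrement(&HookedTDIRunning);
+#define HOOK_TDI_EXIT(status) { InterlockedDecrement(&HookedTDIRunning); return ((status)); }
+
+
+#else
+
+
+#define HOOK_ROUTINE_ENTER() NTSTATUS rc; ACTION_TYPE Action;
+#define HOOK_ROUTINE_EXIT(status) { return ((status)); }
+
+#define HOOK_TDI_ENTER() NTSTATUS rc; ACTION_TYPE Action;
+#define HOOK_TDI_ENTER_NORC()
+#define HOOK_TDI_EXIT(status) { return ((status)); }
+
+#endif
+
+
+/*
+ * Various macros used by most of the hooking routines
+ */
+
+#define POLICY_CHECK_OPTYPE_NAME(OBJECTTYPE, OPTYPE) \
+ while (KeGetPreviousMode() == UserMode) { \
+ UCHAR OpType = (OPTYPE); \
+ PWSTR PolicyFilename = NULL; \
+ USHORT PolicyLinenumber = 0; \
+ UCHAR RuleNumber = 0; \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ Action = PolicyCheck(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OpType, &RuleNumber, &PolicyFilename, &PolicyLinenumber);\
+ if (Action & ACTION_ASK) \
+ { \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: (ask) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ /*XXX GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);*/ \
+ Action = IssueUserlandAskUserRequest(RULE_##OBJECTTYPE, OpType, OBJECTTYPE##NAME); \
+ } \
+ if ((Action & ACTION_QUIETDENY) == ACTION_QUIETDENY) \
+ { \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: quitely denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); \
+ } \
+ else if (Action & ACTION_DENY) \
+ { \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action, \
+ GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); \
+ } \
+ else if (Action & ACTION_LOG) \
+ { \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: (log) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action, \
+ GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
+ } \
+ break; \
+ }
+
+
+#define POLICY_CHECK_OPTYPE(OBJECTTYPE, OPTYPE) \
+ if (KeGetPreviousMode() == UserMode && GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS) )\
+ { \
+ UCHAR OpType = (OPTYPE); \
+ PWSTR PolicyFilename = NULL; \
+ USHORT PolicyLinenumber = 0; \
+ UCHAR RuleNumber = 0; \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ Action = PolicyCheck(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OpType, &RuleNumber, &PolicyFilename, &PolicyLinenumber);\
+ if (Action & ACTION_ASK) \
+ { \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: (ask) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS); \
+ Action = IssueUserlandAskUserRequest(RULE_##OBJECTTYPE, OpType, OBJECTTYPE##NAME); \
+ } \
+ if ((Action & ACTION_QUIETDENY) == ACTION_QUIETDENY) \
+ { \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: quitely denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); \
+ } \
+ else if (Action & ACTION_DENY) \
+ { \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS); \
+ LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action, \
+ GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); \
+ } \
+ else if (Action & ACTION_LOG) \
+ { \
+ LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: (log) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME)); \
+ GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS); \
+ LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action, \
+ GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
+ } \
+ }
+
+
+#define POLICY_CHECK(OBJECTTYPE) POLICY_CHECK_OPTYPE(OBJECTTYPE, Get_##OBJECTTYPE##_OperationType(DesiredAccess))
+
+
+
+#define HOOK_ROUTINE_START_OPTYPE(OBJECTTYPE, OPTYPE) \
+ CHAR OBJECTTYPE##NAME[MAX_PATH]; \
+ HOOK_ROUTINE_ENTER(); \
+ if (LearningMode == FALSE) \
+ { \
+ POLICY_CHECK_OPTYPE(OBJECTTYPE, OPTYPE); \
+ }
+
+
+#define HOOK_ROUTINE_START(OBJECTTYPE) HOOK_ROUTINE_START_OPTYPE(OBJECTTYPE, Get_##OBJECTTYPE##_OperationType(DesiredAccess))
+
+
+#define HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE, OBJECTNAME, OPTYPE) \
+ if (LearningMode == TRUE /*&& NT_SUCCESS(rc)*/) \
+ { \
+ if (OBJECTNAME) \
+ { \
+ AddRule(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OPTYPE); \
+ } \
+ else \
+ { \
+ /*LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: GetPathFromOA() failed. status=%x\n", (ULONG) PsGetCurrentProcessId(), FunctionName, rc));*/ \
+ } \
+ } \
+ HOOK_ROUTINE_EXIT(rc);
+
+
+#define HOOK_ROUTINE_FINISH_OPTYPE(OBJECTTYPE, OPTYPE) \
+ HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE, \
+ GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS), \
+ OPTYPE)
+
+#define HOOK_ROUTINE_FINISH(OBJECTTYPE) \
+ HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE, \
+ GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS), \
+ Get_##OBJECTTYPE##_OperationType(DesiredAccess))
+
+
+
+//#define USE_DEFAULT_HOOK_FUNCTION NULL
+
+
+extern PCHAR NTDLL_Base;
+extern int ZwCallsNumber;
+
+
+PVOID HookSystemService(PVOID OldService, PVOID NewService);
+PVOID HookSystemServiceByIndex(ULONG ServiceIDNumber, PVOID NewService);
+BOOLEAN HookSystemServiceByName(PCHAR ServiceName, PULONG_PTR HookFunction);
+
+BOOLEAN InitSyscallsHooks();
+BOOLEAN InstallSyscallsHooks();
+void RemoveSyscallsHooks();
+
+int FindZwFunctionIndex(PCSTR Name);
+PVOID FindFunctionBase(PCHAR ImageBase, PCSTR Name);
+ULONG FindSystemServiceNumber(PCHAR ServiceName);
+
+
+#endif /* __HOOKPROC_H__ */
\ No newline at end of file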
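Review bot: The `// XXX` comment above `struct _ZwCalls` says the SystemCallHandler macro depends on the size of this structure and the offset of `OriginalFunction`, yet nothing in the header enforces that, and unlike `SERVICE_TABLE_DESCRIPTOR` this struct is not under `#pragma pack`, so the padding after the two `USHORT` fields and the overall size are left to the compiler. A compile-time check next to the definition, `C_ASSERT(FIELD_OFFSET(struct _ZwCalls, OriginalFunction) == EXPECTED_ORIGINALFUNCTION_OFFSET);` together with `C_ASSERT(sizeof(struct _ZwCalls) == EXPECTED_ZWCALLS_SIZE);`, would turn a silently mis-addressed trampoline into a build error; the expected values are whatever the handler macro assumes and are not visible in this file, so the placeholders above need to be filled in from it. Separately, the `SystemCallHandler0()` … `SystemCallHandler294()` block and `InitSyscallsHooks()`, `InstallSyscallsHooks()`, `RemoveSyscallsHooks()` are declared with empty parentheses, which in C are unprototyped declarations; `void SystemCallHandler0(void);` (and likewise for the others) states the intent and lets the compiler reject a mistaken call with arguments. The `KeServiceDescriptorTable` declaration and the `ZW_*_INDEX` constants are presumably tied to a specific x86 kernel build, as the "3 bits on Win64" remark hints, so a one-line comment naming the build they were taken from would help whoever next has to verify them.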