authortumagonx2017-08-08 10:54:53 +0700
committertumagonx2017-08-08 10:54:53 +0700
commit2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
treea8bea139ddd26116d44ea182b0b8436f2162e6e3 /job.c
initial commit
Diffstat (limited to 'job.c')
-rw-r--r--job.c157
1 files changed, 157 insertions, 0 deletions
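--- /dev/null
+++ b/job.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ * job.c
+ *
+ * Abstract:
+ *
+ * This module implements various job object hooking routines.
+ *
+ * Author:
+ *
+ * Eugene Tsyrklevich 25-Mar-2004
+ *
+ * Revision History:
+ *
+ * None.
+ */
+
+
+#include <NTDDK.h>
+#include "job.h"
+#include "policy.h"
+#include "pathproc.h"
+#include "hookproc.h"
+#include "accessmask.h"
+#include "learn.h"
+#include "log.h"
+
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitJobHooks)
+#endif
+
+
+fpZwCreateJobObject OriginalNtCreateJobObject = NULL;
+fpZwOpenJobObject OriginalNtOpenJobObject = NULL;
+
+
+/*
+ * HookedNtCreateJobObject()
+ *
+ * Description:
+ * This function mediates the NtCreateJobObject() system service and checks the
+ * provided job object name against the global and current process security policies.
+ *
+ * NOTE: ZwCreateJobObject creates or opens a job object. [NAR]
+ *
+ * Parameters:
+ * Those of NtCreateJobObject().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtCreateJobObject().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtCreateJobObject
+(
+ OUT PHANDLE JobHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes
+)
+{
+ PCHAR FunctionName = "HookedNtCreateJobObject";
+
+
+ HOOK_ROUTINE_START(JOB);
+
+
+ ASSERT(OriginalNtCreateJobObject);
+
+ rc = OriginalNtCreateJobObject(JobHandle, DesiredAccess, ObjectAttributes);
+
+
+ HOOK_ROUTINE_FINISH(JOB);
+}
+
+
+
+/*
+ * HookedNtOpenJobObject()
+ *
+ * Description:
+ * This function mediates the NtOpenJobObject() system service and checks the
+ * provided job object name against the global and current process security policies.
+ *
+ * NOTE: ZwOpenJobObject opens a job object. [NAR]
+ *
+ * Parameters:
+ * Those of NtOpenJobObject().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtOpenJobObject().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtOpenJobObject
+(
+ OUT PHANDLE JobHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes
+)
+{
+ PCHAR FunctionName = "HookedNtOpenJobObject";
+
+
+ HOOK_ROUTINE_START(JOB);
+
+
+ ASSERT(OriginalNtOpenJobObject);
+
+ rc = OriginalNtOpenJobObject(JobHandle, DesiredAccess, ObjectAttributes);
+
+
+ HOOK_ROUTINE_FINISH(JOB);
+}
+
+
+
+/*
+ * InitJobHooks()
+ *
+ * Description:
+ * Initializes all the mediated job object operation pointers. The "OriginalFunction" pointers
+ * are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ * NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ * None.
+ *
+ * Returns:
+ * TRUE to indicate success, FALSE if failed.
+ */
+
+BOOLEAN
+InitJobHooks()
+{
+ if ( (OriginalNtCreateJobObject = (fpZwCreateJobObject) ZwCalls[ZW_CREATE_JOBOBJECT_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_JOB, LOG_PRIORITY_DEBUG, ("InitJobObjectHooks: OriginalNtCreateJobObject is NULL\n"));
+ return FALSE;
+ }
+
+ if ( (OriginalNtOpenJobObject = (fpZwOpenJobObject) ZwCalls[ZW_OPEN_JOBOBJECT_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_JOB, LOG_PRIORITY_DEBUG, ("InitJobObjectHooks: OriginalNtOpenJobObject is NULL\n"));
+ return FALSE;
+ }
+
+ return TRUE;
+}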
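Review bot: The two LOG messages in InitJobHooks name the routine `InitJobObjectHooks`, which does not match the function actually defined and will mislead anyone correlating driver log output with the source; change them to `("InitJobHooks: OriginalNtCreateJobObject is NULL\n")` and `("InitJobHooks: OriginalNtOpenJobObject is NULL\n")`. The definition `InitJobHooks()` is a non-prototype declaration in C; `InitJobHooks(void)` matches the "Parameters: None" documentation and lets the compiler reject stray arguments. In HookedNtCreateJobObject and HookedNtOpenJobObject the only visible statements are the HOOK_ROUTINE_START/FINISH macros around the pass-through call to the original service, and `rc` is not declared in either body, so the policy check the header comments describe (and the declaration of `rc`) presumably lives inside those macros in hookproc.h; a one-line comment such as `/* policy check, PreviousMode handling and rc come from HOOK_ROUTINE_START(JOB) */` would make that dependency explicit. It is worth confirming that the macro validates the caller-supplied ObjectAttributes before the original call is reached, since nothing in this file does so.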