initial commit

author: tumagonx 2017-08-08 10:54:53 +0700
committer: tumagonx 2017-08-08 10:54:53 +0700
commit: 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree: a8bea139ddd26116d44ea182b0b8436f2162e6e3 /log.h
1 files changed, 236 insertions, 0 deletions
diff --git a/log.h b/log.h
new file mode 100644
index 0000000..3e5b77e
--- /dev/null
+++ b/log.h
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              log.h
+ *
+ * Abstract:
+ *
+ *              This module defines various macros used for logging.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 17-Mar-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#ifndef __LOG_H__
+#define __LOG_H__
+#include <NTDDK.h>
+#include "ntproto.h"
+#include "misc.h"
+/* maximum number of alerts the kernel will queue */
+#define MAXIMUM_OUTSTANDING_ALERTS      1000
+#define LOG_USER_EVENT_NAME     L"\\BaseNamedObjects\\OzoneLogEvent"
+/*
+ * Logging SubSystems
+ */
+#define LOG_SS_DRIVER_INTERNAL                  (1 <<  0)
+#define LOG_SS_POLICY                                   (1 <<  1)
+#define LOG_SS_POLICY_PARSER                    (1 <<  2)
+#define LOG_SS_FILE                                             (1 <<  3)
+#define LOG_SS_DIRECTORY                                (1 <<  3)       // same as LOG_SS_FILE, used in HookedNtCreateFile
+#define LOG_SS_SEMAPHORE                                (1 <<  4)
+#define LOG_SS_EVENT                                    (1 <<  5)
+#define LOG_SS_SECTION                                  (1 <<  6)
+#define LOG_SS_REGISTRY                                 (1 <<  7)
+#define LOG_SS_PROCESS                                  (1 <<  8)
+#define LOG_SS_HOOKPROC                                 (1 <<  9)
+#define LOG_SS_LEARN                                    (1 << 10)
+#define LOG_SS_PATHPROC                                 (1 << 11)
+#define LOG_SS_NETWORK                                  (1 << 12)
+#define LOG_SS_TIME                                             (1 << 13)
+#define LOG_SS_SYSINFO                                  (1 << 14)
+#define LOG_SS_JOB                                              (1 << 15)
+#define LOG_SS_MUTANT                                   (1 << 16)
+#define LOG_SS_PORT                                             (1 << 17)
+#define LOG_SS_SYMLINK                                  (1 << 18)
+#define LOG_SS_TIMER                                    (1 << 19)
+#define LOG_SS_TOKEN                                    (1 << 20)
+#define LOG_SS_NAMEDPIPE                                (1 << 21)
+#define LOG_SS_MAILSLOT                                 (1 << 22)
+#define LOG_SS_DRIVER                                   (1 << 23)
+#define LOG_SS_DIROBJ                                   (1 << 24)
+#define LOG_SS_ATOM                                             (1 << 25)
+#define LOG_SS_VDM                                              (1 << 26)
+#define LOG_SS_DEBUG                                    (1 << 27)
+#define LOG_SS_DRIVE                                    (1 << 28)
+#define LOG_SS_MISC                                             (1 << 29)
+/* log the following subsytems */
+#define LOG_SUBSYSTEMS                                          (LOG_SS_ATOM                    |       \
+                                                                                        LOG_SS_DIROBJ                   |       \
+                                                                                        LOG_SS_DRIVER                   |       \
+                                                                                        LOG_SS_DRIVER_INTERNAL  |       \
+                                                                                        LOG_SS_EVENT                    |       \
+                                                                                        LOG_SS_FILE                             |       \
+                                                                                        LOG_SS_HOOKPROC                 |       \
+                                                                                        LOG_SS_JOB                              |       \
+                                                                                        LOG_SS_LEARN                    |       \
+                                                                                        LOG_SS_MAILSLOT                 |       \
+                                                                                        LOG_SS_MISC                             |       \
+                                                                                        LOG_SS_MUTANT                   |       \
+                                                                                        LOG_SS_NAMEDPIPE                |       \
+                                                                                        LOG_SS_NETWORK                  |       \
+                                                                                        LOG_SS_PATHPROC                 |       \
+                                                                                        LOG_SS_POLICY                   |       \
+                                                                                        LOG_SS_POLICY_PARSER    |       \
+                                                                                        LOG_SS_PORT                             |       \
+                                                                                        LOG_SS_PROCESS                  |       \
+                                                                                        LOG_SS_REGISTRY                 |       \
+                                                                                        LOG_SS_SECTION                  |       \
+                                                                                        LOG_SS_SEMAPHORE                |       \
+                                                                                        LOG_SS_SYMLINK                  |       \
+                                                                                        LOG_SS_SYSINFO                  |       \
+                                                                                        LOG_SS_TIME                             |       \
+                                                                                        LOG_SS_TIMER                    |       \
+                                                                                        LOG_SS_TOKEN                    |       \
+                                                                                        LOG_SS_VDM                              |       \
+                                                                                        LOG_SS_DRIVE                    |       \
+                                                                                        LOG_SS_DEBUG)
+#define LOG_PRIORITY_VERBOSE            1
+#define LOG_PRIORITY_DEBUG                      2
+#define LOG_PRIORITY_WARNING            3
+#define LOG_PRIORITY_ERROR                      4
+#define LOG_PRIORITY_CRITICAL           5
+#define MINIMUM_LOGGING_PRIORITY        LOG_PRIORITY_DEBUG
+#define LOG(subsystem, priority, msg)                                   \
+        do {                                                                                            \
+                if (priority >= LOG_PRIORITY_WARNING) {                 \
+                        DbgPrint msg;                                                           \
+                } else if (priority > MINIMUM_LOGGING_PRIORITY){\
+                        KdPrint(msg);                                                           \
+                } else if (subsystem & LOG_SUBSYSTEMS) {                \
+                        if (priority == MINIMUM_LOGGING_PRIORITY) {     \
+                                KdPrint(msg);                                                   \
+                        }                                                                                       \
+                }                                                                                               \
+        } while(0)
+/*
+ * Alert SubSystems (sorted in the same order as RULEs in policy.h)
+ *
+ * We have an alert subsystem for each category of alert that Ozone generates.
+ * (These are mostly the same as RuleTypes plus several extra ones)
+ */
+#define ALERT_SS_FILE                                                   0
+#define ALERT_SS_DIRECTORY                                              1
+#define ALERT_SS_MAILSLOT                                           2
+#define ALERT_SS_NAMEDPIPE                                          3
+#define ALERT_SS_REGISTRY                                               4
+#define ALERT_SS_SECTION                                                5
+#define ALERT_SS_DLL                                                    6
+#define ALERT_SS_EVENT                                                  7
+#define ALERT_SS_SEMAPHORE                                              8
+#define ALERT_SS_JOB                                                9
+#define ALERT_SS_MUTANT                                            10
+#define ALERT_SS_PORT                                              11
+#define ALERT_SS_SYMLINK                                           12
+#define ALERT_SS_TIMER                                             13
+#define ALERT_SS_PROCESS                                           14
+#define ALERT_SS_DRIVER                                            15
+#define ALERT_SS_DIROBJ                                            16
+#define ALERT_SS_ATOM                                              17
+#define ALERT_SS_NETWORK                                           18
+#define ALERT_SS_SERVICE                                           19
+#define ALERT_SS_TIME                                              20
+#define ALERT_SS_TOKEN                                             21
+#define ALERT_SS_SYSCALL                                           22
+#define ALERT_SS_VDM                                               23
+#define ALERT_SS_DEBUG                                             24
+#define ALERT_SS_BOPROT                                            25
+/* 
+ * Alert Rules
+ */
+#define ALERT_RULE_NONE                                                 0
+#define ALERT_RULE_PROCESS_EXEC_2EXTS                   1               // Executing a binary with more than one extension
+#define ALERT_RULE_PROCESS_EXEC_UNKNOWN                 2               // Executing a binary with an unknown extension
+#define ALERT_RULE_PROCESS_EXEC_NOEXT                   3               // Executing binary without an extension
+#define ALERT_RULE_BOPROT_INVALIDCALL                   1               // System call originating directly from user code
+/* defined in policy.h */
+typedef unsigned char ACTION_TYPE;
+typedef struct _POLICY_RULE POLICY_RULE, *PPOLICY_RULE;
+typedef enum _AlertPriority ALERT_PRIORITY;
+#pragma pack(push, 1)
+typedef struct _SECURITY_ALERT
+{
+        struct _SECURITY_ALERT  *Next;
+        /* size of the entire alert = sizeof(SECURITY_ALERT) + strlen(ObjectName) + sizeof(SID) */
+        USHORT                                  Size;
+        UCHAR                                   AlertSubsystem;
+        UCHAR                                   AlertType;
+        UCHAR                                   AlertRuleNumber;
+        UCHAR/*ALERT_PRIORITY*/ Priority;
+        UCHAR/*ACTION_TYPE*/    Action;                         /* UINT8 Action that was taken (denied, logged) */
+        ULONG                                   ProcessId;
+        USHORT                                  ObjectNameLength;
+        USHORT                                  ProcessNameLength;
+        USHORT                                  PolicyNameLength;
+        USHORT                                  PolicyLineNumber;
+        /* space for ObjectName, ProcessName, PolicyName and SID are dynamically allocated */
+        WCHAR                                   ObjectName[ANYSIZE_ARRAY];
+        /* ProcessName follows the zero-terminated ObjectName */
+//      WCHAR                                   ProcessName[ANYSIZE_ARRAY];
+        /* PolicyName follows the zero-terminated ProcessName */
+//      WCHAR                                   PolicyName[ANYSIZE_ARRAY];
+        /* SID follows the zero-terminated PolicyName */
+//      SID_AND_ATTRIBUTES              UserInfo;
+} SECURITY_ALERT, *PSECURITY_ALERT;
+#pragma pack(pop)
+extern KSPIN_LOCK                       gLogSpinLock;
+extern PSECURITY_ALERT          LogList;
+extern PSECURITY_ALERT          LastAlert;
+extern USHORT                           NumberOfAlerts;
+BOOLEAN                 InitLog();
+VOID                    ShutdownLog();
+VOID                    LogAlert(UCHAR AlertSubSystem, UCHAR OperationType, UCHAR AlertRuleNumber, ACTION_TYPE ActionTaken, ALERT_PRIORITY AlertPriority, PWSTR PolicyFilename, USHORT PolicyLineNumber, PCHAR ObjectName);
+ALERT_PRIORITY  GetObjectAccessAlertPriority(UCHAR AlertSubSystem, UCHAR Operation, ACTION_TYPE ActionTaken);
+BOOLEAN                 LogPostBootup();
+PCHAR                   FilterObjectName(PCHAR ObjectName);
+#endif  /* __LOG_H__ */
author	tumagonx	2017-08-08 10:54:53 +0700
committer	tumagonx	2017-08-08 10:54:53 +0700
commit	2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree	a8bea139ddd26116d44ea182b0b8436f2162e6e3 /log.h

diff --git a/log.h b/log.h new file mode 100644 index 0000000..3e5b77e --- /dev/null +++ b/log.h
@@ -0,0 +1,236 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* log.h
	7	*
	8	* Abstract:
	9	*
	10	* This module defines various macros used for logging.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 17-Mar-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#ifndef __LOG_H__
	23	#define __LOG_H__
	24
	25
	26	#include <NTDDK.h>
	27	#include "ntproto.h"
	28	#include "misc.h"
	29
	30
	31	/* maximum number of alerts the kernel will queue */
	32	#define MAXIMUM_OUTSTANDING_ALERTS 1000
	33
	34	#define LOG_USER_EVENT_NAME L"\\BaseNamedObjects\\OzoneLogEvent"
	35
	36
	37	/*
	38	* Logging SubSystems
	39	*/
	40
	41	#define LOG_SS_DRIVER_INTERNAL (1 << 0)
	42	#define LOG_SS_POLICY (1 << 1)
	43	#define LOG_SS_POLICY_PARSER (1 << 2)
	44	#define LOG_SS_FILE (1 << 3)
	45	#define LOG_SS_DIRECTORY (1 << 3) // same as LOG_SS_FILE, used in HookedNtCreateFile
	46	#define LOG_SS_SEMAPHORE (1 << 4)
	47	#define LOG_SS_EVENT (1 << 5)
	48	#define LOG_SS_SECTION (1 << 6)
	49	#define LOG_SS_REGISTRY (1 << 7)
	50	#define LOG_SS_PROCESS (1 << 8)
	51	#define LOG_SS_HOOKPROC (1 << 9)
	52	#define LOG_SS_LEARN (1 << 10)
	53	#define LOG_SS_PATHPROC (1 << 11)
	54	#define LOG_SS_NETWORK (1 << 12)
	55	#define LOG_SS_TIME (1 << 13)
	56	#define LOG_SS_SYSINFO (1 << 14)
	57	#define LOG_SS_JOB (1 << 15)
	58	#define LOG_SS_MUTANT (1 << 16)
	59	#define LOG_SS_PORT (1 << 17)
	60	#define LOG_SS_SYMLINK (1 << 18)
	61	#define LOG_SS_TIMER (1 << 19)
	62	#define LOG_SS_TOKEN (1 << 20)
	63	#define LOG_SS_NAMEDPIPE (1 << 21)
	64	#define LOG_SS_MAILSLOT (1 << 22)
	65	#define LOG_SS_DRIVER (1 << 23)
	66	#define LOG_SS_DIROBJ (1 << 24)
	67	#define LOG_SS_ATOM (1 << 25)
	68	#define LOG_SS_VDM (1 << 26)
	69	#define LOG_SS_DEBUG (1 << 27)
	70	#define LOG_SS_DRIVE (1 << 28)
	71	#define LOG_SS_MISC (1 << 29)
	72
	73
	74	/* log the following subsytems */
	75
	76	#define LOG_SUBSYSTEMS (LOG_SS_ATOM \| \
	77	LOG_SS_DIROBJ \| \
	78	LOG_SS_DRIVER \| \
	79	LOG_SS_DRIVER_INTERNAL \| \
	80	LOG_SS_EVENT \| \
	81	LOG_SS_FILE \| \
	82	LOG_SS_HOOKPROC \| \
	83	LOG_SS_JOB \| \
	84	LOG_SS_LEARN \| \
	85	LOG_SS_MAILSLOT \| \
	86	LOG_SS_MISC \| \
	87	LOG_SS_MUTANT \| \
	88	LOG_SS_NAMEDPIPE \| \
	89	LOG_SS_NETWORK \| \
	90	LOG_SS_PATHPROC \| \
	91	LOG_SS_POLICY \| \
	92	LOG_SS_POLICY_PARSER \| \
	93	LOG_SS_PORT \| \
	94	LOG_SS_PROCESS \| \
	95	LOG_SS_REGISTRY \| \
	96	LOG_SS_SECTION \| \
	97	LOG_SS_SEMAPHORE \| \
	98	LOG_SS_SYMLINK \| \
	99	LOG_SS_SYSINFO \| \
	100	LOG_SS_TIME \| \
	101	LOG_SS_TIMER \| \
	102	LOG_SS_TOKEN \| \
	103	LOG_SS_VDM \| \
	104	LOG_SS_DRIVE \| \
	105	LOG_SS_DEBUG)
	106
	107	#define LOG_PRIORITY_VERBOSE 1
	108	#define LOG_PRIORITY_DEBUG 2
	109	#define LOG_PRIORITY_WARNING 3
	110	#define LOG_PRIORITY_ERROR 4
	111	#define LOG_PRIORITY_CRITICAL 5
	112
	113
	114	#define MINIMUM_LOGGING_PRIORITY LOG_PRIORITY_DEBUG
	115
	116
	117	#define LOG(subsystem, priority, msg) \
	118	do { \
	119	if (priority >= LOG_PRIORITY_WARNING) { \
	120	DbgPrint msg; \
	121	} else if (priority > MINIMUM_LOGGING_PRIORITY){\
	122	KdPrint(msg); \
	123	} else if (subsystem & LOG_SUBSYSTEMS) { \
	124	if (priority == MINIMUM_LOGGING_PRIORITY) { \
	125	KdPrint(msg); \
	126	} \
	127	} \
	128	} while(0)
	129
	130
	131
	132	/*
	133	* Alert SubSystems (sorted in the same order as RULEs in policy.h)
	134	*
	135	* We have an alert subsystem for each category of alert that Ozone generates.
	136	* (These are mostly the same as RuleTypes plus several extra ones)
	137	*/
	138
	139	#define ALERT_SS_FILE 0
	140	#define ALERT_SS_DIRECTORY 1
	141	#define ALERT_SS_MAILSLOT 2
	142	#define ALERT_SS_NAMEDPIPE 3
	143	#define ALERT_SS_REGISTRY 4
	144	#define ALERT_SS_SECTION 5
	145	#define ALERT_SS_DLL 6
	146	#define ALERT_SS_EVENT 7
	147	#define ALERT_SS_SEMAPHORE 8
	148	#define ALERT_SS_JOB 9
	149	#define ALERT_SS_MUTANT 10
	150	#define ALERT_SS_PORT 11
	151	#define ALERT_SS_SYMLINK 12
	152	#define ALERT_SS_TIMER 13
	153	#define ALERT_SS_PROCESS 14
	154	#define ALERT_SS_DRIVER 15
	155	#define ALERT_SS_DIROBJ 16
	156	#define ALERT_SS_ATOM 17
	157
	158	#define ALERT_SS_NETWORK 18
	159	#define ALERT_SS_SERVICE 19
	160	#define ALERT_SS_TIME 20
	161	#define ALERT_SS_TOKEN 21
	162	#define ALERT_SS_SYSCALL 22
	163	#define ALERT_SS_VDM 23
	164	#define ALERT_SS_DEBUG 24
	165	#define ALERT_SS_BOPROT 25
	166
	167
	168	/*
	169	* Alert Rules
	170	*/
	171
	172	#define ALERT_RULE_NONE 0
	173
	174	#define ALERT_RULE_PROCESS_EXEC_2EXTS 1 // Executing a binary with more than one extension
	175	#define ALERT_RULE_PROCESS_EXEC_UNKNOWN 2 // Executing a binary with an unknown extension
	176	#define ALERT_RULE_PROCESS_EXEC_NOEXT 3 // Executing binary without an extension
	177
	178	#define ALERT_RULE_BOPROT_INVALIDCALL 1 // System call originating directly from user code
	179
	180
	181	/* defined in policy.h */
	182	typedef unsigned char ACTION_TYPE;
	183	typedef struct _POLICY_RULE POLICY_RULE, *PPOLICY_RULE;
	184	typedef enum _AlertPriority ALERT_PRIORITY;
	185
	186
	187	#pragma pack(push, 1)
	188	typedef struct _SECURITY_ALERT
	189	{
	190	struct _SECURITY_ALERT *Next;
	191
	192	/* size of the entire alert = sizeof(SECURITY_ALERT) + strlen(ObjectName) + sizeof(SID) */
	193	USHORT Size;
	194	UCHAR AlertSubsystem;
	195	UCHAR AlertType;
	196	UCHAR AlertRuleNumber;
	197	UCHAR/ALERT_PRIORITY/ Priority;
	198	UCHAR/ACTION_TYPE/ Action; /* UINT8 Action that was taken (denied, logged) */
	199	ULONG ProcessId;
	200	USHORT ObjectNameLength;
	201	USHORT ProcessNameLength;
	202	USHORT PolicyNameLength;
	203	USHORT PolicyLineNumber;
	204
	205	/* space for ObjectName, ProcessName, PolicyName and SID are dynamically allocated */
	206	WCHAR ObjectName[ANYSIZE_ARRAY];
	207
	208	/* ProcessName follows the zero-terminated ObjectName */
	209	// WCHAR ProcessName[ANYSIZE_ARRAY];
	210
	211	/* PolicyName follows the zero-terminated ProcessName */
	212	// WCHAR PolicyName[ANYSIZE_ARRAY];
	213
	214	/* SID follows the zero-terminated PolicyName */
	215	// SID_AND_ATTRIBUTES UserInfo;
	216
	217	} SECURITY_ALERT, *PSECURITY_ALERT;
	218	#pragma pack(pop)
	219
	220
	221	extern KSPIN_LOCK gLogSpinLock;
	222	extern PSECURITY_ALERT LogList;
	223	extern PSECURITY_ALERT LastAlert;
	224	extern USHORT NumberOfAlerts;
	225
	226
	227	BOOLEAN InitLog();
	228	VOID ShutdownLog();
	229	VOID LogAlert(UCHAR AlertSubSystem, UCHAR OperationType, UCHAR AlertRuleNumber, ACTION_TYPE ActionTaken, ALERT_PRIORITY AlertPriority, PWSTR PolicyFilename, USHORT PolicyLineNumber, PCHAR ObjectName);
	230	ALERT_PRIORITY GetObjectAccessAlertPriority(UCHAR AlertSubSystem, UCHAR Operation, ACTION_TYPE ActionTaken);
	231	BOOLEAN LogPostBootup();
	232
	233	PCHAR FilterObjectName(PCHAR ObjectName);
	234
	235
	236	#endif /* __LOG_H__ */