authortumagonx2017-08-08 10:54:53 +0700
committertumagonx2017-08-08 10:54:53 +0700
commit2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
treea8bea139ddd26116d44ea182b0b8436f2162e6e3 /registry.c
initial commit
Diffstat (limited to 'registry.c')
-rw-r--r--registry.c402
1 files changed, 402 insertions, 0 deletions
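--- /dev/null
+++ b/registry.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ * registry.c
+ *
+ * Abstract:
+ *
+ * This module defines various types used by registry hooking routines.
+ *
+ * Author:
+ *
+ * Eugene Tsyrklevich 20-Feb-2004
+ *
+ * Revision History:
+ *
+ * None.
+ */
+
+
+#include <NTDDK.h>
+#include "registry.h"
+#include "policy.h"
+#include "pathproc.h"
+#include "hookproc.h"
+#include "accessmask.h"
+#include "learn.h"
+#include "misc.h"
+#include "log.h"
+
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitRegistryHooks)
+#endif
+
+
+fpZwCreateKey OriginalNtCreateKey = NULL;
+fpZwOpenKey OriginalNtOpenKey = NULL;
+
+fpZwDeleteKey OriginalNtDeleteKey = NULL;
+
+fpZwSetValueKey OriginalNtSetValueKey = NULL;
+fpZwQueryValueKey OriginalNtQueryValueKey = NULL;
+
+
+
+/*
+ * HookedNtCreateKey()
+ *
+ * Description:
+ * This function mediates the NtCreateKey() system service and checks the
+ * provided registry key against the global and current process security policies.
+ *
+ * NOTE: ZwCreateKey creates or opens a registry key object. [NAR]
+ *
+ * Parameters:
+ * Those of NtCreateKey().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtCreateKey().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtCreateKey
+(
+ OUT PHANDLE KeyHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes,
+ IN ULONG TitleIndex,
+ IN PUNICODE_STRING Class OPTIONAL,
+ IN ULONG CreateOptions,
+ OUT PULONG Disposition OPTIONAL
+)
+{
+ PCHAR FunctionName = "HookedNtCreateKey";
+
+
+ HOOK_ROUTINE_START(REGISTRY);
+
+
+ ASSERT(OriginalNtOpenKey);
+
+ rc = OriginalNtCreateKey(KeyHandle, DesiredAccess, ObjectAttributes, TitleIndex,
+ Class, CreateOptions, Disposition);
+
+
+ HOOK_ROUTINE_FINISH(REGISTRY);
+}
+
+
+
+/*
+ * HookedNtOpenKey()
+ *
+ * Description:
+ * This function mediates the NtOpenKey() system service and checks the
+ * provided registry key against the global and current process security policies.
+ *
+ * NOTE: ZwOpenKey opens a registry key object. [NAR]
+ *
+ * Parameters:
+ * Those of NtOpenKey().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtOpenKey().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtOpenKey
+(
+ OUT PHANDLE KeyHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes
+)
+{
+ PCHAR FunctionName = "HookedNtOpenKey";
+
+
+ HOOK_ROUTINE_START(REGISTRY);
+
+
+ ASSERT(OriginalNtOpenKey);
+
+ rc = OriginalNtOpenKey(KeyHandle, DesiredAccess, ObjectAttributes);
+
+
+ HOOK_ROUTINE_FINISH(REGISTRY);
+}
+
+
+
+/*
+ * HookedNtDeleteKey()
+ *
+ * Description:
+ * This function mediates the NtDeleteKey() system service and checks the
+ * provided registry key against the global and current process security policies.
+ *
+ * NOTE: ZwDeleteKey deletes a key in the registry. [NAR]
+ *
+ * Parameters:
+ * Those of NtDeleteKey().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtDeleteKey().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtDeleteKey
+(
+ IN HANDLE KeyHandle
+)
+{
+ PCHAR FunctionName = "HookedNtDeleteKey";
+ CHAR REGISTRYNAME[MAX_PATH];
+ WCHAR REGISTRYNAMEW[MAX_PATH];
+ PWSTR KeyName = NULL;
+
+
+ HOOK_ROUTINE_ENTER();
+
+
+ if ((KeyName = GetNameFromHandle(KeyHandle, REGISTRYNAMEW, sizeof(REGISTRYNAMEW))) != NULL)
+ {
+ sprintf(REGISTRYNAME, "%S", KeyName);
+
+ LOG(LOG_SS_REGISTRY, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, REGISTRYNAME));
+
+
+ if (LearningMode == FALSE)
+ {
+ POLICY_CHECK_OPTYPE_NAME(REGISTRY, OP_DELETE);
+ }
+ }
+
+
+ ASSERT(OriginalNtDeleteKey);
+
+ rc = OriginalNtDeleteKey(KeyHandle);
+
+
+ if (KeyName)
+ {
+ HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(REGISTRY, REGISTRYNAME, OP_DELETE);
+ }
+ else
+ {
+ HOOK_ROUTINE_EXIT(rc);
+ }
+}
+
+
+
+/*
+ * HookedNtSetValueKey()
+ *
+ * Description:
+ * This function mediates the NtSetValueKey() system service and checks the
+ * provided registry key against the global and current process security policies.
+ *
+ * NOTE: ZwSetValueKey updates or adds a value to a key. [NAR]
+ *
+ * Parameters:
+ * Those of NtSetValueKey().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtSetValueKey().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtSetValueKey
+(
+ IN HANDLE KeyHandle,
+ IN PUNICODE_STRING ValueName,
+ IN ULONG TitleIndex,
+ IN ULONG Type,
+ IN PVOID Data,
+ IN ULONG DataSize
+)
+{
+ CHAR REGISTRYNAME[MAX_PATH];
+ WCHAR REGISTRYNAMEW[MAX_PATH];
+ PCHAR FunctionName = "HookedNtSetValueKey";
+ UNICODE_STRING usValueName;
+ PWSTR KeyName = NULL;
+
+
+ HOOK_ROUTINE_ENTER();
+
+
+ if (VerifyUnicodeString(ValueName, &usValueName) == TRUE)
+ {
+ if ((KeyName = GetNameFromHandle(KeyHandle, REGISTRYNAMEW, sizeof(REGISTRYNAMEW))) != NULL)
+ {
+ _snprintf(REGISTRYNAME, MAX_PATH, "%S\\%S", KeyName, ValueName->Buffer);
+ REGISTRYNAME[MAX_PATH - 1] = 0;
+
+ LOG(LOG_SS_REGISTRY, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, REGISTRYNAME));
+
+
+ if (LearningMode == FALSE)
+ {
+ POLICY_CHECK_OPTYPE_NAME(REGISTRY, OP_WRITE);
+ }
+ }
+ }
+
+
+ ASSERT(OriginalNtSetValueKey);
+
+ rc = OriginalNtSetValueKey(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
+
+
+ if (KeyName)
+ {
+ HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(REGISTRY, REGISTRYNAME, OP_WRITE);
+ }
+ else
+ {
+ HOOK_ROUTINE_EXIT(rc);
+ }
+}
+
+
+
+/*
+ * HookedNtQueryValueKey()
+ *
+ * Description:
+ * This function mediates the NtQueryValueKey() system service and checks the
+ * provided registry key against the global and current process security policies.
+ *
+ * NOTE: ZwQueryValueKey retrieves information about a key value. [NAR]
+ *
+ * Parameters:
+ * Those of NtQueryValueKey().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtQueryValueKey().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtQueryValueKey
+(
+ IN HANDLE KeyHandle,
+ IN PUNICODE_STRING ValueName,
+ IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+ OUT PVOID KeyValueInformation,
+ IN ULONG KeyValueInformationLength,
+ OUT PULONG ResultLength
+)
+{
+ CHAR REGISTRYNAME[MAX_PATH];
+ WCHAR REGISTRYNAMEW[MAX_PATH];
+ PCHAR FunctionName = "HookedNtQueryValueKey";
+ UNICODE_STRING usValueName;
+ PWSTR KeyName = NULL;
+
+
+ HOOK_ROUTINE_ENTER();
+
+
+ if (VerifyUnicodeString(ValueName, &usValueName) == TRUE)
+ {
+ if ((KeyName = GetNameFromHandle(KeyHandle, REGISTRYNAMEW, sizeof(REGISTRYNAMEW))) != NULL)
+ {
+ _snprintf(REGISTRYNAME, MAX_PATH, "%S\\%S", KeyName, ValueName->Buffer);
+ REGISTRYNAME[MAX_PATH - 1] = 0;
+
+ LOG(LOG_SS_REGISTRY, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, REGISTRYNAME));
+
+
+ if (LearningMode == FALSE)
+ {
+ POLICY_CHECK_OPTYPE_NAME(REGISTRY, OP_READ);
+ }
+ }
+ }
+
+
+ ASSERT(OriginalNtQueryValueKey);
+
+ rc = OriginalNtQueryValueKey(KeyHandle, ValueName, KeyValueInformationClass, KeyValueInformation,
+ KeyValueInformationLength, ResultLength);
+
+
+ if (KeyName)
+ {
+ HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(REGISTRY, REGISTRYNAME, OP_READ);
+ }
+ else
+ {
+ HOOK_ROUTINE_EXIT(rc);
+ }
+}
+
+
+
+/*
+ * InitRegistryHooks()
+ *
+ * Description:
+ * Initializes all the mediated registry operation pointers. The "OriginalFunction" pointers
+ * are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ * NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ * None.
+ *
+ * Returns:
+ * TRUE to indicate success, FALSE if failed.
+ */
+
+BOOLEAN
+InitRegistryHooks()
+{
+ if ( (OriginalNtCreateKey = (fpZwCreateKey) ZwCalls[ZW_CREATE_KEY_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_REGISTRY, LOG_PRIORITY_DEBUG, ("InitRegistryHooks: OriginalNtCreateKey is NULL\n"));
+ return FALSE;
+ }
+
+ if ( (OriginalNtOpenKey = (fpZwOpenKey) ZwCalls[ZW_OPEN_KEY_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_REGISTRY, LOG_PRIORITY_DEBUG, ("InitRegistryHooks: OriginalNtOpenKey is NULL\n"));
+ return FALSE;
+ }
+
+ if ( (OriginalNtDeleteKey = (fpZwDeleteKey) ZwCalls[ZW_DELETE_KEY_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_REGISTRY, LOG_PRIORITY_DEBUG, ("InitRegistryHooks: OriginalNtDeleteKey is NULL\n"));
+ return FALSE;
+ }
+
+// XXX ZwDeleteValueKey
+/*
+ if ( (OriginalNtSetValueKey = (fpZwSetValueKey) ZwCalls[ZW_SET_VALUE_KEY_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_REGISTRY, LOG_PRIORITY_DEBUG, ("InitRegistryHooks: OriginalNtSetValueKey is NULL\n"));
+ return FALSE;
+ }
+
+ if ( (OriginalNtQueryValueKey = (fpZwQueryValueKey) ZwCalls[ZW_QUERY_VALUE_KEY_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_REGISTRY, LOG_PRIORITY_DEBUG, ("InitRegistryHooks: OriginalNtQueryValueKey is NULL\n"));
+ return FALSE;
+ }
+*/
+ return TRUE;
+}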
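Review bot: `ASSERT(OriginalNtOpenKey);` in HookedNtCreateKey (file line 84) checks the wrong pointer; the call two lines below dereferences OriginalNtCreateKey, so it should read `ASSERT(OriginalNtCreateKey);`. HookedNtDeleteKey formats the key name with an unbounded `sprintf(REGISTRYNAME, "%S", KeyName);` (file line 172) while the two value hooks use `_snprintf` plus explicit termination, so the bounded form `_snprintf(REGISTRYNAME, MAX_PATH, "%S", KeyName); REGISTRYNAME[MAX_PATH - 1] = 0;` would keep the three hooks consistent and stop relying on GetNameFromHandle's bound matching MAX_PATH. In HookedNtSetValueKey and HookedNtQueryValueKey the `usValueName` filled in by VerifyUnicodeString is never used afterward: the format string reads `ValueName->Buffer` with `%S`, which assumes a NUL terminator that a UNICODE_STRING does not guarantee and goes back to the caller's structure after it was checked, so formatting the captured copy, e.g. `"%S\\%wZ", KeyName, &usValueName`, is the safer choice if the kernel CRT in use supports `%wZ`. InitRegistryHooks leaves the ZW_SET_VALUE_KEY_INDEX and ZW_QUERY_VALUE_KEY_INDEX lookups commented out, so OriginalNtSetValueKey and OriginalNtQueryValueKey stay NULL; if those two hooks are installed elsewhere the ASSERT only fires in checked builds and a free build calls through a NULL pointer, which deserves at least a comment next to the `// XXX ZwDeleteValueKey` marker explaining why the lookups are disabled.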