initial commit

author: tumagonx 2017-08-08 10:54:53 +0700
committer: tumagonx 2017-08-08 10:54:53 +0700
commit: 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree: a8bea139ddd26116d44ea182b0b8436f2162e6e3 /sysinfo.c
1 files changed, 197 insertions, 0 deletions
diff --git a/sysinfo.c b/sysinfo.c
new file mode 100644
index 0000000..5e08179
--- /dev/null
+++ b/sysinfo.c
@@ -0,0 +1,197 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              sysinfo.c
+ *
+ * Abstract:
+ *
+ *              This module defines various routines used for hooking ZwSetSystemInformation() routine.
+ *              ZwSetSystemInformation's SystemLoadAndCallImage and SystemLoadImage parameters can be used
+ *              to load code into kernel address space.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 01-Mar-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#include <NTDDK.h>
+#include "sysinfo.h"
+#include "hookproc.h"
+#include "procname.h"
+#include "learn.h"
+#include "time.h"
+#include "log.h"
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitSysInfoHooks)
+#endif
+fpZwSetSystemInformation                OriginalNtSetSystemInformation = NULL;
+/*
+ * HookedNtSetSystemInformation()
+ *
+ * Description:
+ *              This function mediates the NtSetSystemInformation() system service and disallows access to
+ *              Information Classes 26 (SystemLoadImage) and 38 (SystemLoadAndCallImage) which allow
+ *              applications to load code into kernel memory.
+ *
+ *              NOTE: ZwSetSystemInformation sets information that affects the operation of the system. [NAR]
+ *
+ * Parameters:
+ *              Those of NtSetSystemInformation().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if Information Class 26 or 38 is used.
+ *              Otherwise, NTSTATUS returned by NtSetSystemInformation().
+ */
+NTSTATUS
+NTAPI
+HookedNtSetSystemInformation
+(
+        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
+        IN OUT PVOID SystemInformation,
+        IN ULONG SystemInformationLength
+)
+{
+        PCHAR                   FunctionName = "HookedNtSetSystemInformation";
+        HOOK_ROUTINE_ENTER();
+        if (SystemInformationClass == SystemLoadImage ||
+                SystemInformationClass == SystemLoadAndCallImage)
+        {
+                UNICODE_STRING          usImageName;
+                ANSI_STRING                     asImageName;
+                CHAR                            DriverNameUnresolved[MAX_PATH];
+                if (!VerifyUnicodeString(SystemInformation, &usImageName))
+                {
+                        LOG(LOG_SS_PORT, LOG_PRIORITY_DEBUG, ("%s: VerifyUnicodeString failed\n", FunctionName));
+                        HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+                }
+                if (_snprintf(DriverNameUnresolved, MAX_PATH, "%S", usImageName.Buffer) < 0)
+                {
+                        LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("%s: Driver name '%S' is too long\n", FunctionName, usImageName.Buffer));
+                        HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+                }
+                LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d %s: SystemLoad %d %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, SystemInformationClass, DriverNameUnresolved));
+                /*
+                 * Verify the image name against the security policy
+                 */
+                if (LearningMode == FALSE)
+                {
+                        CHAR            DRIVERNAME[MAX_PATH];
+                        FixupFilename(DriverNameUnresolved, DRIVERNAME, MAX_PATH);
+                        LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d %s: SystemLoad %d %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, SystemInformationClass, DRIVERNAME));
+                        POLICY_CHECK_OPTYPE_NAME(DRIVER, OP_LOAD);
+                }
+                else
+                {
+                        AddRule(RULE_DRIVER, DriverNameUnresolved, OP_LOAD);
+                }
+        }
+        else if (SystemInformationClass == SystemUnloadImage)
+        {
+                LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d HookedNtSetSystemInformation: SystemUnloadImage %x\n", (ULONG) PsGetCurrentProcessId(), SystemInformation));
+        }
+        else if (SystemInformationClass == SystemTimeAdjustment)
+        {
+                LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d HookedNtSetSystemInformation: SystemTimeAdjustment\n", (ULONG) PsGetCurrentProcessId()));
+                if (LearningMode == FALSE)
+                {
+                        PCHAR           TIMENAME = NULL;        /* allow the use of POLICY_CHECK_OPTYPE_NAME() macro */
+                        POLICY_CHECK_OPTYPE_NAME(TIME, OP_TIME_CHANGE);
+                }
+                else if (LearningMode == TRUE)
+                {
+                        AddRule(RULE_TIME, NULL, OP_TIME_CHANGE);
+                }
+        }
+        else if (SystemInformationClass == SystemProcessesAndThreadsInformation)
+        {
+                LOG(LOG_SS_SYSINFO, LOG_PRIORITY_DEBUG, ("%d HookedNtSetSystemInformation: SystemProcessesAndThreadsInformation\n", (ULONG) PsGetCurrentProcessId()));
+        }
+        else if (SystemInformationClass == SystemModuleInformation)
+        {
+                LOG(LOG_SS_SYSINFO, LOG_PRIORITY_DEBUG, ("%d HookedNtSetSystemInformation: SystemModuleInformation\n", (ULONG) PsGetCurrentProcessId()));
+        }
+        else if (SystemInformationClass == SystemCreateSession)
+        {
+                LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d HookedNtSetSystemInformation: SystemCreateSession %x %x\n", (ULONG) PsGetCurrentProcessId(), SystemInformation, *(PULONG) SystemInformation));
+        }
+        else if (SystemInformationClass == SystemDeleteSession)
+        {
+                LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d HookedNtSetSystemInformation: SystemDeleteSession %x %x\n", (ULONG) PsGetCurrentProcessId(), SystemInformation, *(PULONG) SystemInformation));
+        }
+        else if (SystemInformationClass == SystemSessionProcessesInformation)
+        {
+                LOG(LOG_SS_SYSINFO, LOG_PRIORITY_DEBUG, ("%d HookedNtSetSystemInformation: SystemSessionProcessesInformation\n", (ULONG) PsGetCurrentProcessId()));
+        }
+        ASSERT(OriginalNtSetSystemInformation);
+        rc = OriginalNtSetSystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength);
+        HOOK_ROUTINE_EXIT(rc);
+}
+/*
+ * InitSysInfoHooks()
+ *
+ * Description:
+ *              Initializes all the mediated system information operation pointers. The "OriginalFunction" pointers
+ *              are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ *              NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              TRUE to indicate success, FALSE if failed.
+ */
+BOOLEAN
+InitSysInfoHooks()
+{
+        if ((OriginalNtSetSystemInformation = (fpZwSetSystemInformation) ZwCalls[ZW_SET_SYSTEM_INFORMATION_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_SYSINFO, LOG_PRIORITY_DEBUG, ("InitSysInfoHooks: OriginalNtSetSystemInformation is NULL\n"));
+                return FALSE;
+        }
+        return TRUE;
+}
author	tumagonx	2017-08-08 10:54:53 +0700
committer	tumagonx	2017-08-08 10:54:53 +0700
commit	2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree	a8bea139ddd26116d44ea182b0b8436f2162e6e3 /sysinfo.c

diff --git a/sysinfo.c b/sysinfo.c new file mode 100644 index 0000000..5e08179 --- /dev/null +++ b/sysinfo.c
@@ -0,0 +1,197 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* sysinfo.c
	7	*
	8	* Abstract:
	9	*
	10	* This module defines various routines used for hooking ZwSetSystemInformation() routine.
	11	* ZwSetSystemInformation's SystemLoadAndCallImage and SystemLoadImage parameters can be used
	12	* to load code into kernel address space.
	13	*
	14	* Author:
	15	*
	16	* Eugene Tsyrklevich 01-Mar-2004
	17	*
	18	* Revision History:
	19	*
	20	* None.
	21	*/
	22
	23
	24	#include <NTDDK.h>
	25	#include "sysinfo.h"
	26	#include "hookproc.h"
	27	#include "procname.h"
	28	#include "learn.h"
	29	#include "time.h"
	30	#include "log.h"
	31
	32
	33	#ifdef ALLOC_PRAGMA
	34	#pragma alloc_text (INIT, InitSysInfoHooks)
	35	#endif
	36
	37
	38	fpZwSetSystemInformation OriginalNtSetSystemInformation = NULL;
	39
	40
	41	/*
	42	* HookedNtSetSystemInformation()
	43	*
	44	* Description:
	45	* This function mediates the NtSetSystemInformation() system service and disallows access to
	46	* Information Classes 26 (SystemLoadImage) and 38 (SystemLoadAndCallImage) which allow
	47	* applications to load code into kernel memory.
	48	*
	49	* NOTE: ZwSetSystemInformation sets information that affects the operation of the system. [NAR]
	50	*
	51	* Parameters:
	52	* Those of NtSetSystemInformation().
	53	*
	54	* Returns:
	55	* STATUS_ACCESS_DENIED if Information Class 26 or 38 is used.
	56	* Otherwise, NTSTATUS returned by NtSetSystemInformation().
	57	*/
	58
	59	NTSTATUS
	60	NTAPI
	61	HookedNtSetSystemInformation
	62	(
	63	IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
	64	IN OUT PVOID SystemInformation,
	65	IN ULONG SystemInformationLength
	66	)
	67	{
	68	PCHAR FunctionName = "HookedNtSetSystemInformation";
	69
	70
	71	HOOK_ROUTINE_ENTER();
	72
	73
	74	if (SystemInformationClass == SystemLoadImage \|\|
	75	SystemInformationClass == SystemLoadAndCallImage)
	76	{
	77	UNICODE_STRING usImageName;
	78	ANSI_STRING asImageName;
	79	CHAR DriverNameUnresolved[MAX_PATH];
	80
	81
	82	if (!VerifyUnicodeString(SystemInformation, &usImageName))
	83	{
	84	LOG(LOG_SS_PORT, LOG_PRIORITY_DEBUG, ("%s: VerifyUnicodeString failed\n", FunctionName));
	85	HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	86	}
	87
	88
	89	if (_snprintf(DriverNameUnresolved, MAX_PATH, "%S", usImageName.Buffer) < 0)
	90	{
	91	LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("%s: Driver name '%S' is too long\n", FunctionName, usImageName.Buffer));
	92	HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	93	}
	94
	95
	96	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d %s: SystemLoad %d %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, SystemInformationClass, DriverNameUnresolved));
	97
	98
	99	/*
	100	* Verify the image name against the security policy
	101	*/
	102
	103	if (LearningMode == FALSE)
	104	{
	105	CHAR DRIVERNAME[MAX_PATH];
	106
	107
	108	FixupFilename(DriverNameUnresolved, DRIVERNAME, MAX_PATH);
	109
	110	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d %s: SystemLoad %d %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, SystemInformationClass, DRIVERNAME));
	111
	112	POLICY_CHECK_OPTYPE_NAME(DRIVER, OP_LOAD);
	113	}
	114	else
	115	{
	116	AddRule(RULE_DRIVER, DriverNameUnresolved, OP_LOAD);
	117	}
	118	}
	119	else if (SystemInformationClass == SystemUnloadImage)
	120	{
	121	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d HookedNtSetSystemInformation: SystemUnloadImage %x\n", (ULONG) PsGetCurrentProcessId(), SystemInformation));
	122	}
	123	else if (SystemInformationClass == SystemTimeAdjustment)
	124	{
	125	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d HookedNtSetSystemInformation: SystemTimeAdjustment\n", (ULONG) PsGetCurrentProcessId()));
	126
	127
	128	if (LearningMode == FALSE)
	129	{
	130	PCHAR TIMENAME = NULL; /* allow the use of POLICY_CHECK_OPTYPE_NAME() macro */
	131
	132	POLICY_CHECK_OPTYPE_NAME(TIME, OP_TIME_CHANGE);
	133	}
	134	else if (LearningMode == TRUE)
	135	{
	136	AddRule(RULE_TIME, NULL, OP_TIME_CHANGE);
	137	}
	138	}
	139	else if (SystemInformationClass == SystemProcessesAndThreadsInformation)
	140	{
	141	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_DEBUG, ("%d HookedNtSetSystemInformation: SystemProcessesAndThreadsInformation\n", (ULONG) PsGetCurrentProcessId()));
	142	}
	143	else if (SystemInformationClass == SystemModuleInformation)
	144	{
	145	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_DEBUG, ("%d HookedNtSetSystemInformation: SystemModuleInformation\n", (ULONG) PsGetCurrentProcessId()));
	146	}
	147	else if (SystemInformationClass == SystemCreateSession)
	148	{
	149	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d HookedNtSetSystemInformation: SystemCreateSession %x %x\n", (ULONG) PsGetCurrentProcessId(), SystemInformation, *(PULONG) SystemInformation));
	150	}
	151	else if (SystemInformationClass == SystemDeleteSession)
	152	{
	153	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_VERBOSE, ("%d HookedNtSetSystemInformation: SystemDeleteSession %x %x\n", (ULONG) PsGetCurrentProcessId(), SystemInformation, *(PULONG) SystemInformation));
	154	}
	155	else if (SystemInformationClass == SystemSessionProcessesInformation)
	156	{
	157	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_DEBUG, ("%d HookedNtSetSystemInformation: SystemSessionProcessesInformation\n", (ULONG) PsGetCurrentProcessId()));
	158	}
	159
	160
	161	ASSERT(OriginalNtSetSystemInformation);
	162
	163	rc = OriginalNtSetSystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength);
	164
	165
	166	HOOK_ROUTINE_EXIT(rc);
	167	}
	168
	169
	170
	171	/*
	172	* InitSysInfoHooks()
	173	*
	174	* Description:
	175	* Initializes all the mediated system information operation pointers. The "OriginalFunction" pointers
	176	* are initialized by InstallSyscallsHooks() that must be called prior to this function.
	177	*
	178	* NOTE: Called once during driver initialization (DriverEntry()).
	179	*
	180	* Parameters:
	181	* None.
	182	*
	183	* Returns:
	184	* TRUE to indicate success, FALSE if failed.
	185	*/
	186
	187	BOOLEAN
	188	InitSysInfoHooks()
	189	{
	190	if ((OriginalNtSetSystemInformation = (fpZwSetSystemInformation) ZwCalls[ZW_SET_SYSTEM_INFORMATION_INDEX].OriginalFunction) == NULL)
	191	{
	192	LOG(LOG_SS_SYSINFO, LOG_PRIORITY_DEBUG, ("InitSysInfoHooks: OriginalNtSetSystemInformation is NULL\n"));
	193	return FALSE;
	194	}
	195
	196	return TRUE;
	197	}