initial commit

author: tumagonx 2017-08-08 10:54:53 +0700
committer: tumagonx 2017-08-08 10:54:53 +0700
commit: 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree: a8bea139ddd26116d44ea182b0b8436f2162e6e3 /timer.c
1 files changed, 151 insertions, 0 deletions
diff --git a/timer.c b/timer.c
new file mode 100644
index 0000000..3210000
--- /dev/null
+++ b/timer.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              timer.c
+ *
+ * Abstract:
+ *
+ *              This module implements various timer hooking routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 25-Mar-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#include "timer.h"
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitTimerHooks)
+#endif
+fpZwCreateTimer         OriginalNtCreateTimer = NULL;
+fpZwOpenTimer           OriginalNtOpenTimer = NULL;
+/*
+ * HookedNtCreateTimer()
+ *
+ * Description:
+ *              This function mediates the NtCreateTimer() system service and checks the
+ *              provided timer name against the global and current process security policies.
+ *
+ *              NOTE: ZwCreateTimer creates or opens a timer object. [NAR]
+ *
+ * Parameters:
+ *              Those of NtCreateTimer().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtCreateTimer().
+ */
+NTSTATUS
+NTAPI
+HookedNtCreateTimer
+(
+        OUT PHANDLE TimerHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN TIMER_TYPE TimerType
+)
+{
+        PCHAR   FunctionName = "HookedNtCreateTimer";
+        HOOK_ROUTINE_START(TIMER);
+        ASSERT(OriginalNtCreateTimer);
+        rc = OriginalNtCreateTimer(TimerHandle, DesiredAccess, ObjectAttributes, TimerType);
+        HOOK_ROUTINE_FINISH(TIMER);
+}
+/*
+ * HookedNtOpenTimer()
+ *
+ * Description:
+ *              This function mediates the NtOpenTimer() system service and checks the
+ *              provided timer name against the global and current process security policies.
+ *
+ *              NOTE: ZwOpenTimer opens a timer object. [NAR]
+ *
+ * Parameters:
+ *              Those of NtOpenTimer().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtOpenTimer().
+ */
+NTSTATUS
+NTAPI
+HookedNtOpenTimer
+(
+        OUT PHANDLE TimerHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes
+)
+{
+        PCHAR   FunctionName = "HookedNtOpenTimer";
+        HOOK_ROUTINE_START(TIMER);
+        ASSERT(OriginalNtOpenTimer);
+        rc = OriginalNtOpenTimer(TimerHandle, DesiredAccess, ObjectAttributes);
+        HOOK_ROUTINE_FINISH(TIMER);
+}
+/*
+ * InitTimerHooks()
+ *
+ * Description:
+ *              Initializes all the mediated timer operation pointers. The "OriginalFunction" pointers
+ *              are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ *              NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              TRUE to indicate success, FALSE if failed.
+ */
+BOOLEAN
+InitTimerHooks()
+{
+        if ( (OriginalNtCreateTimer = (fpZwCreateTimer) ZwCalls[ZW_CREATE_TIMER_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_TIMER, LOG_PRIORITY_DEBUG, ("InitTimerHooks: OriginalNtCreateTimer is NULL\n"));
+                return FALSE;
+        }
+        if ( (OriginalNtOpenTimer = (fpZwOpenTimer) ZwCalls[ZW_OPEN_TIMER_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_TIMER, LOG_PRIORITY_DEBUG, ("InitTimerHooks: OriginalNtOpenTimer is NULL\n"));
+                return FALSE;
+        }
+        return TRUE;
+}
author	tumagonx	2017-08-08 10:54:53 +0700
committer	tumagonx	2017-08-08 10:54:53 +0700
commit	2acec63b2ed75bf4b71ad257db573c4b8f9639e7 (patch)
tree	a8bea139ddd26116d44ea182b0b8436f2162e6e3 /timer.c

diff --git a/timer.c b/timer.c new file mode 100644 index 0000000..3210000 --- /dev/null +++ b/timer.c
@@ -0,0 +1,151 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* timer.c
	7	*
	8	* Abstract:
	9	*
	10	* This module implements various timer hooking routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 25-Mar-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#include "timer.h"
	23
	24
	25	#ifdef ALLOC_PRAGMA
	26	#pragma alloc_text (INIT, InitTimerHooks)
	27	#endif
	28
	29
	30	fpZwCreateTimer OriginalNtCreateTimer = NULL;
	31	fpZwOpenTimer OriginalNtOpenTimer = NULL;
	32
	33
	34	/*
	35	* HookedNtCreateTimer()
	36	*
	37	* Description:
	38	* This function mediates the NtCreateTimer() system service and checks the
	39	* provided timer name against the global and current process security policies.
	40	*
	41	* NOTE: ZwCreateTimer creates or opens a timer object. [NAR]
	42	*
	43	* Parameters:
	44	* Those of NtCreateTimer().
	45	*
	46	* Returns:
	47	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	48	* Otherwise, NTSTATUS returned by NtCreateTimer().
	49	*/
	50
	51	NTSTATUS
	52	NTAPI
	53	HookedNtCreateTimer
	54	(
	55	OUT PHANDLE TimerHandle,
	56	IN ACCESS_MASK DesiredAccess,
	57	IN POBJECT_ATTRIBUTES ObjectAttributes,
	58	IN TIMER_TYPE TimerType
	59	)
	60	{
	61	PCHAR FunctionName = "HookedNtCreateTimer";
	62
	63
	64	HOOK_ROUTINE_START(TIMER);
	65
	66
	67	ASSERT(OriginalNtCreateTimer);
	68
	69	rc = OriginalNtCreateTimer(TimerHandle, DesiredAccess, ObjectAttributes, TimerType);
	70
	71
	72	HOOK_ROUTINE_FINISH(TIMER);
	73	}
	74
	75
	76
	77	/*
	78	* HookedNtOpenTimer()
	79	*
	80	* Description:
	81	* This function mediates the NtOpenTimer() system service and checks the
	82	* provided timer name against the global and current process security policies.
	83	*
	84	* NOTE: ZwOpenTimer opens a timer object. [NAR]
	85	*
	86	* Parameters:
	87	* Those of NtOpenTimer().
	88	*
	89	* Returns:
	90	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	91	* Otherwise, NTSTATUS returned by NtOpenTimer().
	92	*/
	93
	94	NTSTATUS
	95	NTAPI
	96	HookedNtOpenTimer
	97	(
	98	OUT PHANDLE TimerHandle,
	99	IN ACCESS_MASK DesiredAccess,
	100	IN POBJECT_ATTRIBUTES ObjectAttributes
	101	)
	102	{
	103	PCHAR FunctionName = "HookedNtOpenTimer";
	104
	105
	106	HOOK_ROUTINE_START(TIMER);
	107
	108
	109	ASSERT(OriginalNtOpenTimer);
	110
	111	rc = OriginalNtOpenTimer(TimerHandle, DesiredAccess, ObjectAttributes);
	112
	113
	114	HOOK_ROUTINE_FINISH(TIMER);
	115	}
	116
	117
	118
	119	/*
	120	* InitTimerHooks()
	121	*
	122	* Description:
	123	* Initializes all the mediated timer operation pointers. The "OriginalFunction" pointers
	124	* are initialized by InstallSyscallsHooks() that must be called prior to this function.
	125	*
	126	* NOTE: Called once during driver initialization (DriverEntry()).
	127	*
	128	* Parameters:
	129	* None.
	130	*
	131	* Returns:
	132	* TRUE to indicate success, FALSE if failed.
	133	*/
	134
	135	BOOLEAN
	136	InitTimerHooks()
	137	{
	138	if ( (OriginalNtCreateTimer = (fpZwCreateTimer) ZwCalls[ZW_CREATE_TIMER_INDEX].OriginalFunction) == NULL)
	139	{
	140	LOG(LOG_SS_TIMER, LOG_PRIORITY_DEBUG, ("InitTimerHooks: OriginalNtCreateTimer is NULL\n"));
	141	return FALSE;
	142	}
	143
	144	if ( (OriginalNtOpenTimer = (fpZwOpenTimer) ZwCalls[ZW_OPEN_TIMER_INDEX].OriginalFunction) == NULL)
	145	{
	146	LOG(LOG_SS_TIMER, LOG_PRIORITY_DEBUG, ("InitTimerHooks: OriginalNtOpenTimer is NULL\n"));
	147	return FALSE;
	148	}
	149
	150	return TRUE;
	151	}