diff options
Diffstat (limited to 'atom.c')
| -rw-r--r-- | atom.c | 187 |
1 files changed, 187 insertions, 0 deletions
| @@ -0,0 +1,187 @@ | |||
| 1 | /* | ||
| 2 | * Copyright (c) 2004 Security Architects Corporation. All rights reserved. | ||
| 3 | * | ||
| 4 | * Module Name: | ||
| 5 | * | ||
| 6 | * atom.c | ||
| 7 | * | ||
| 8 | * Abstract: | ||
| 9 | * | ||
| 10 | * This module implements various atom hooking routines. | ||
| 11 | * | ||
| 12 | * Author: | ||
| 13 | * | ||
| 14 | * Eugene Tsyrklevich 25-Mar-2004 | ||
| 15 | * | ||
| 16 | * Revision History: | ||
| 17 | * | ||
| 18 | * None. | ||
| 19 | */ | ||
| 20 | |||
| 21 | |||
| 22 | #include "atom.h" | ||
| 23 | |||
| 24 | |||
| 25 | #ifdef ALLOC_PRAGMA | ||
| 26 | #pragma alloc_text (INIT, InitAtomHooks) | ||
| 27 | #endif | ||
| 28 | |||
| 29 | |||
| 30 | fpZwAddAtom OriginalNtAddAtom = NULL; | ||
| 31 | fpZwFindAtom OriginalNtFindAtom = NULL; | ||
| 32 | |||
| 33 | |||
| 34 | |||
| 35 | /* | ||
| 36 | * HookedNtCreateAtom() | ||
| 37 | * | ||
| 38 | * Description: | ||
| 39 | * This function mediates the NtAddAtom() system service and checks the | ||
| 40 | * provided atom name against the global and current process security policies. | ||
| 41 | * | ||
| 42 | * NOTE: ZwAddAtom adds an atom to the global atom table. [NAR] | ||
| 43 | * | ||
| 44 | * Parameters: | ||
| 45 | * Those of NtAddAtom(). | ||
| 46 | * | ||
| 47 | * Returns: | ||
| 48 | * STATUS_ACCESS_DENIED if the call does not pass the security policy check. | ||
| 49 | * Otherwise, NTSTATUS returned by NtAddAtom(). | ||
| 50 | */ | ||
| 51 | |||
| 52 | NTSTATUS | ||
| 53 | NTAPI | ||
| 54 | HookedNtAddAtom | ||
| 55 | ( | ||
| 56 | IN PWSTR String, | ||
| 57 | IN ULONG StringLength, | ||
| 58 | OUT PUSHORT Atom | ||
| 59 | ) | ||
| 60 | { | ||
| 61 | PCHAR FunctionName = "HookedNtAddAtom"; | ||
| 62 | CHAR ATOMNAME[MAX_PATH]; | ||
| 63 | |||
| 64 | |||
| 65 | HOOK_ROUTINE_ENTER(); | ||
| 66 | |||
| 67 | |||
| 68 | if (!VerifyPwstr(String, StringLength)) | ||
| 69 | { | ||
| 70 | LOG(LOG_SS_ATOM, LOG_PRIORITY_DEBUG, ("HookedNtAddAtom: VerifyPwstr(%x) failed\n", String)); | ||
| 71 | HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); | ||
| 72 | } | ||
| 73 | |||
| 74 | |||
| 75 | _snprintf(ATOMNAME, MAX_PATH, "%S", String); | ||
| 76 | ATOMNAME[ MAX_PATH - 1 ] = 0; | ||
| 77 | |||
| 78 | |||
| 79 | if (LearningMode == FALSE) | ||
| 80 | { | ||
| 81 | POLICY_CHECK_OPTYPE_NAME(ATOM, OP_WRITE); | ||
| 82 | } | ||
| 83 | |||
| 84 | |||
| 85 | ASSERT(OriginalNtAddAtom); | ||
| 86 | |||
| 87 | rc = OriginalNtAddAtom(String, StringLength, Atom); | ||
| 88 | |||
| 89 | |||
| 90 | HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(ATOM, ATOMNAME, OP_WRITE); | ||
| 91 | } | ||
| 92 | |||
| 93 | |||
| 94 | |||
| 95 | /* | ||
| 96 | * HookedNtFindAtom() | ||
| 97 | * | ||
| 98 | * Description: | ||
| 99 | * This function mediates the NtFindAtom() system service and checks the | ||
| 100 | * provided atom name against the global and current process security policies. | ||
| 101 | * | ||
| 102 | * NOTE: ZwFindAtom searches for an atom in the global atom table. [NAR] | ||
| 103 | * | ||
| 104 | * Parameters: | ||
| 105 | * Those of NtFindAtom(). | ||
| 106 | * | ||
| 107 | * Returns: | ||
| 108 | * STATUS_ACCESS_DENIED if the call does not pass the security policy check. | ||
| 109 | * Otherwise, NTSTATUS returned by NtFindAtom(). | ||
| 110 | */ | ||
| 111 | |||
| 112 | NTSTATUS | ||
| 113 | NTAPI | ||
| 114 | HookedNtFindAtom | ||
| 115 | ( | ||
| 116 | IN PWSTR String, | ||
| 117 | IN ULONG StringLength, | ||
| 118 | OUT PUSHORT Atom | ||
| 119 | ) | ||
| 120 | { | ||
| 121 | PCHAR FunctionName = "HookedNtFindAtom"; | ||
| 122 | CHAR ATOMNAME[MAX_PATH]; | ||
| 123 | |||
| 124 | |||
| 125 | HOOK_ROUTINE_ENTER(); | ||
| 126 | |||
| 127 | |||
| 128 | if (!VerifyPwstr(String, StringLength)) | ||
| 129 | { | ||
| 130 | LOG(LOG_SS_ATOM, LOG_PRIORITY_DEBUG, ("HookedNtFindAtom: VerifyPwstr(%x) failed\n", String)); | ||
| 131 | HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED ); | ||
| 132 | } | ||
| 133 | |||
| 134 | |||
| 135 | _snprintf(ATOMNAME, MAX_PATH, "%S", String); | ||
| 136 | ATOMNAME[ MAX_PATH - 1 ] = 0; | ||
| 137 | |||
| 138 | |||
| 139 | if (LearningMode == FALSE) | ||
| 140 | { | ||
| 141 | POLICY_CHECK_OPTYPE_NAME(ATOM, OP_READ); | ||
| 142 | } | ||
| 143 | |||
| 144 | |||
| 145 | ASSERT(OriginalNtFindAtom); | ||
| 146 | |||
| 147 | rc = OriginalNtFindAtom(String, StringLength, Atom); | ||
| 148 | |||
| 149 | |||
| 150 | HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(ATOM, ATOMNAME, OP_READ); | ||
| 151 | } | ||
| 152 | |||
| 153 | |||
| 154 | |||
| 155 | /* | ||
| 156 | * InitAtomHooks() | ||
| 157 | * | ||
| 158 | * Description: | ||
| 159 | * Initializes all the mediated atom operation pointers. The "OriginalFunction" pointers | ||
| 160 | * are initialized by InstallSyscallsHooks() that must be called prior to this function. | ||
| 161 | * | ||
| 162 | * NOTE: Called once during driver initialization (DriverEntry()). | ||
| 163 | * | ||
| 164 | * Parameters: | ||
| 165 | * None. | ||
| 166 | * | ||
| 167 | * Returns: | ||
| 168 | * TRUE to indicate success, FALSE if failed. | ||
| 169 | */ | ||
| 170 | |||
| 171 | BOOLEAN | ||
| 172 | InitAtomHooks() | ||
| 173 | { | ||
| 174 | if ( (OriginalNtAddAtom = (fpZwAddAtom) ZwCalls[ZW_ADD_ATOM_INDEX].OriginalFunction) == NULL) | ||
| 175 | { | ||
| 176 | LOG(LOG_SS_ATOM, LOG_PRIORITY_DEBUG, ("InitAtomHooks: OriginalNtAddAtom is NULL\n")); | ||
| 177 | return FALSE; | ||
| 178 | } | ||
| 179 | |||
| 180 | if ( (OriginalNtFindAtom = (fpZwFindAtom) ZwCalls[ZW_FIND_ATOM_INDEX].OriginalFunction) == NULL) | ||
| 181 | { | ||
| 182 | LOG(LOG_SS_ATOM, LOG_PRIORITY_DEBUG, ("InitAtomHooks: OriginalNtFindAtom is NULL\n")); | ||
| 183 | return FALSE; | ||
| 184 | } | ||
| 185 | |||
| 186 | return TRUE; | ||
| 187 | } | ||