1 files changed, 162 insertions, 0 deletions
diff --git a/debug.c b/debug.c
new file mode 100644
index 0000000..e48a9eb
--- /dev/null
+++ b/debug.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              debug.c
+ *
+ * Abstract:
+ *
+ *              This module implements various debug hooking routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 23-Apr-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#include <NTDDK.h>
+#include "debug.h"
+#include "hookproc.h"
+#include "procname.h"
+#include "learn.h"
+#include "log.h"
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitDebugHooks)
+#endif
+fpZwDebugActiveProcess  OriginalNtDebugActiveProcess = NULL;
+//XXX http://www.nsfocus.net/index.php?act=magazine&do=view&mid=2108
+/*
+ * IsDebuggingAllowed()
+ *
+ * Description:
+ *              Check whether the current process is allowed to use debugging functionality.
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              FALSE if debugging is disabled. TRUE otherwise.
+ */
+BOOLEAN
+IsDebuggingAllowed()
+{
+        PIMAGE_PID_ENTRY        CurrentProcess;
+        BOOLEAN                         DebuggingAllowed = FALSE;
+        /* check the global policy first */
+        if (! IS_DEBUGGING_PROTECTION_ON(gSecPolicy))
+                return TRUE;
+        /* now check the process specific policy */
+        CurrentProcess = FindImagePidEntry(CURRENT_PROCESS_PID, 0);
+        if (CurrentProcess != NULL)
+        {
+                DebuggingAllowed = ! IS_DEBUGGING_PROTECTION_ON(CurrentProcess->SecPolicy);
+        }
+        else
+        {
+                LOG(LOG_SS_DEBUG, LOG_PRIORITY_DEBUG, ("%d IsDebuggingAllowed: CurrentProcess = NULL!\n", CURRENT_PROCESS_PID));
+        }
+        return DebuggingAllowed;
+}
+/*
+ * HookedNtDebugActiveProcess()
+ *
+ * Description:
+ *              This function mediates the NtDebugActiveProcess() system service and disallows
+ *              debugging.
+ *
+ * Parameters:
+ *              Those of NtDebugActiveProcess().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtDebugActiveProcess().
+ */
+NTSTATUS
+NTAPI
+HookedNtDebugActiveProcess
+(
+        UINT32  Unknown1,
+        UINT32  Unknown2
+)
+{
+        HOOK_ROUTINE_ENTER();
+        LOG(LOG_SS_DEBUG, LOG_PRIORITY_DEBUG, ("HookedNtDebugActiveProcess(%x %x)\n", Unknown1, Unknown2));
+        if (LearningMode == FALSE && IsDebuggingAllowed() == FALSE)
+        {
+                LOG(LOG_SS_DEBUG, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtDebugActiveProcess: disallowing debugging\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
+                LogAlert(ALERT_SS_DEBUG, OP_DEBUG, ALERT_RULE_NONE, ACTION_DENY, ALERT_PRIORITY_MEDIUM, NULL, 0, NULL);
+                HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+        }
+        ASSERT(OriginalNtDebugActiveProcess);
+        rc = OriginalNtDebugActiveProcess(Unknown1, Unknown2);
+        if (LearningMode == TRUE)
+                TURN_DEBUGGING_PROTECTION_OFF(NewPolicy);
+        HOOK_ROUTINE_EXIT(rc);
+}
+/*
+ * InitDebugHooks()
+ *
+ * Description:
+ *              Initializes all the mediated debug operation pointers. The "OriginalFunction" pointers
+ *              are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ *              NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              TRUE to indicate success, FALSE if failed.
+ */
+BOOLEAN
+InitDebugHooks()
+{
+        if ( (OriginalNtDebugActiveProcess = (fpZwDebugActiveProcess) ZwCalls[ZW_DEBUG_ACTIVEPROCESS_INDEX].OriginalFunction) == NULL)
+        {
+                /* does not exist on Win2K */
+                LOG(LOG_SS_DEBUG, LOG_PRIORITY_DEBUG, ("InitDebugHooks: OriginalNtDebugActiveProcess is NULL\n"));
+        }
+        return TRUE;
+}

diff --git a/debug.c b/debug.c new file mode 100644 index 0000000..e48a9eb --- /dev/null +++ b/debug.c
@@ -0,0 +1,162 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* debug.c
	7	*
	8	* Abstract:
	9	*
	10	* This module implements various debug hooking routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 23-Apr-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#include <NTDDK.h>
	23	#include "debug.h"
	24	#include "hookproc.h"
	25	#include "procname.h"
	26	#include "learn.h"
	27	#include "log.h"
	28
	29
	30	#ifdef ALLOC_PRAGMA
	31	#pragma alloc_text (INIT, InitDebugHooks)
	32	#endif
	33
	34
	35	fpZwDebugActiveProcess OriginalNtDebugActiveProcess = NULL;
	36
	37
	38	//XXX http://www.nsfocus.net/index.php?act=magazine&do=view&mid=2108
	39
	40
	41	/*
	42	* IsDebuggingAllowed()
	43	*
	44	* Description:
	45	* Check whether the current process is allowed to use debugging functionality.
	46	*
	47	* Parameters:
	48	* None.
	49	*
	50	* Returns:
	51	* FALSE if debugging is disabled. TRUE otherwise.
	52	*/
	53
	54	BOOLEAN
	55	IsDebuggingAllowed()
	56	{
	57	PIMAGE_PID_ENTRY CurrentProcess;
	58	BOOLEAN DebuggingAllowed = FALSE;
	59
	60
	61	/* check the global policy first */
	62	if (! IS_DEBUGGING_PROTECTION_ON(gSecPolicy))
	63	return TRUE;
	64
	65
	66	/* now check the process specific policy */
	67	CurrentProcess = FindImagePidEntry(CURRENT_PROCESS_PID, 0);
	68
	69	if (CurrentProcess != NULL)
	70	{
	71	DebuggingAllowed = ! IS_DEBUGGING_PROTECTION_ON(CurrentProcess->SecPolicy);
	72	}
	73	else
	74	{
	75	LOG(LOG_SS_DEBUG, LOG_PRIORITY_DEBUG, ("%d IsDebuggingAllowed: CurrentProcess = NULL!\n", CURRENT_PROCESS_PID));
	76	}
	77
	78
	79	return DebuggingAllowed;
	80	}
	81
	82
	83
	84	/*
	85	* HookedNtDebugActiveProcess()
	86	*
	87	* Description:
	88	* This function mediates the NtDebugActiveProcess() system service and disallows
	89	* debugging.
	90	*
	91	* Parameters:
	92	* Those of NtDebugActiveProcess().
	93	*
	94	* Returns:
	95	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	96	* Otherwise, NTSTATUS returned by NtDebugActiveProcess().
	97	*/
	98
	99	NTSTATUS
	100	NTAPI
	101	HookedNtDebugActiveProcess
	102	(
	103	UINT32 Unknown1,
	104	UINT32 Unknown2
	105	)
	106	{
	107	HOOK_ROUTINE_ENTER();
	108
	109
	110	LOG(LOG_SS_DEBUG, LOG_PRIORITY_DEBUG, ("HookedNtDebugActiveProcess(%x %x)\n", Unknown1, Unknown2));
	111
	112	if (LearningMode == FALSE && IsDebuggingAllowed() == FALSE)
	113	{
	114	LOG(LOG_SS_DEBUG, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtDebugActiveProcess: disallowing debugging\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
	115
	116	LogAlert(ALERT_SS_DEBUG, OP_DEBUG, ALERT_RULE_NONE, ACTION_DENY, ALERT_PRIORITY_MEDIUM, NULL, 0, NULL);
	117
	118	HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	119	}
	120
	121
	122	ASSERT(OriginalNtDebugActiveProcess);
	123
	124	rc = OriginalNtDebugActiveProcess(Unknown1, Unknown2);
	125
	126
	127	if (LearningMode == TRUE)
	128	TURN_DEBUGGING_PROTECTION_OFF(NewPolicy);
	129
	130
	131	HOOK_ROUTINE_EXIT(rc);
	132	}
	133
	134
	135
	136	/*
	137	* InitDebugHooks()
	138	*
	139	* Description:
	140	* Initializes all the mediated debug operation pointers. The "OriginalFunction" pointers
	141	* are initialized by InstallSyscallsHooks() that must be called prior to this function.
	142	*
	143	* NOTE: Called once during driver initialization (DriverEntry()).
	144	*
	145	* Parameters:
	146	* None.
	147	*
	148	* Returns:
	149	* TRUE to indicate success, FALSE if failed.
	150	*/
	151
	152	BOOLEAN
	153	InitDebugHooks()
	154	{
	155	if ( (OriginalNtDebugActiveProcess = (fpZwDebugActiveProcess) ZwCalls[ZW_DEBUG_ACTIVEPROCESS_INDEX].OriginalFunction) == NULL)
	156	{
	157	/* does not exist on Win2K */
	158	LOG(LOG_SS_DEBUG, LOG_PRIORITY_DEBUG, ("InitDebugHooks: OriginalNtDebugActiveProcess is NULL\n"));
	159	}
	160
	161	return TRUE;
	162	}