summaryrefslogtreecommitdiff
path: root/driver.c
diff options
context:
space:
mode:
Diffstat (limited to 'driver.c')
-rw-r--r--driver.c1237
1 files changed, 1237 insertions, 0 deletions
diff --git a/driver.c b/driver.c
new file mode 100644
index 0000000..09f66ad
--- /dev/null
+++ b/driver.c
@@ -0,0 +1,1237 @@
1/*
2 * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
3 *
4 * Module Name:
5 *
6 * driver.c
7 *
8 * Abstract:
9 *
10 * This module implements all the device driver "plumbing" (DriverEntry, etc).
11 *
12 * Author:
13 *
14 * Eugene Tsyrklevich 9-Feb-2004
15 *
16 * Revision History:
17 *
18 * None.
19 */
20
21
22#include <NTDDK.h>
23#include <devioctl.h>
24
25#include "driver.h"
26//#include "eugene.h"
27#include "file.h"
28#include "registry.h"
29#include "sysinfo.h"
30#include "policy.h"
31#include "process.h"
32#include "learn.h"
33#include "event.h"
34#include "semaphore.h"
35#include "dirobj.h"
36#include "symlink.h"
37#include "mutant.h"
38#include "port.h"
39#include "timer.h"
40#include "token.h"
41#include "job.h"
42#include "driverobj.h"
43#include "network.h"
44#include "section.h"
45#include "atom.h"
46#include "time.h"
47#include "vdm.h"
48#include "procname.h"
49#include "userland.h"
50#include "media.h"
51#include "boprot.h"
52#include "debug.h"
53#include "i386.h"
54#include "misc.h"
55#include "log.h"
56
57
58LONG SysenterEip = 0;
59
60
61__declspec(naked)
62VOID
63SysenterHandler()
64{
65 _asm and ecx, 0x000000FF
66 _asm sub esp, ecx
67 _asm jmp [SysenterEip]
68}
69
70
71VOID
72blah()
73{
74 LONG c, s;
75
76#define SYSENTER_CS_MSR 0x174
77#define SYSENTER_ESP_MSR 0x175
78#define SYSENTER_EIP_MSR 0x176
79
80 _asm
81 {
82 mov ecx, SYSENTER_CS_MSR
83 rdmsr
84
85 mov c, eax
86
87
88 mov ecx, SYSENTER_ESP_MSR
89 rdmsr
90
91 mov s, eax
92
93
94 mov ecx, SYSENTER_EIP_MSR
95 rdmsr
96
97 mov SysenterEip, eax
98
99 mov eax, SysenterHandler
100
101 wrmsr
102 }
103
104 KdPrint(("old eip=%x:%x (%x), new eip=%x\n", c, SysenterEip, s, SysenterHandler));
105}
106
107
108
109/*
110 * DriverEntry()
111 *
112 * Description:
113 * Driver entry point.
114 *
115 * Parameters:
116 * pDriverObject - pointer to an initialized driver object that represents our driver
117 * pRegistryPath - name of the service key in the registry
118 *
119 * Returns:
120 * STATUS_SUCCESS to indicate success or an error code to indicate an error.
121 */
122
123/* macro shortcut for bailing out of DriverEntry in case of an error */
124
125#define ABORT_DriverEntry(msg) \
126 { \
127 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_CRITICAL, (msg)); \
128 if (irql != PASSIVE_LEVEL) KeLowerIrql(irql); \
129 DriverUnload(pDriverObject); \
130 return status; \
131 }
132/*
133PVOID Find_Kernel32_Base();
134NTSTATUS
135NTAPI
136ZwCreateSymbolicLinkObject(
137 OUT PHANDLE SymbolicLinkHandle,
138 IN ACCESS_MASK DesiredAccess,
139 IN POBJECT_ATTRIBUTES ObjectAttributes,
140 IN PUNICODE_STRING TargetName
141 );
142 HANDLE h;
143*/
144NTSTATUS
145DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
146{
147 UNICODE_STRING usDeviceName, usSymLinkName;
148 PDEVICE_OBJECT pDeviceObject;
149 PDEVICE_EXTENSION pDeviceExtension;
150 NTSTATUS status;
151 KIRQL irql = KeGetCurrentIrql();
152 int i;
153
154/*
155 {
156 OBJECT_ATTRIBUTES ObjectAttributes;
157 UNICODE_STRING dest, target;
158 NTSTATUS status;
159
160 RtlInitUnicodeString(&dest, L"\\??\\MyRegistryMachine");
161 RtlInitUnicodeString(&target, L"\\Registry\\Machine");
162
163 InitializeObjectAttributes(&ObjectAttributes, &dest, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
164
165 status = ZwCreateSymbolicLinkObject(&h, SYMBOLIC_LINK_ALL_ACCESS, &ObjectAttributes, &target);
166 if (! NT_SUCCESS(status))
167 {
168 KdPrint(("failed, status %x\n", status));
169 }
170 else
171 {
172 KdPrint(("link ok\n"));
173 }
174
175// return STATUS_UNSUCCESSFUL;
176 }
177*/
178 //XXX add pRegistryPath to deny registry access rule?!
179
180 __try
181 {
182 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverEntry: Entered (%x %S)\n", pDriverObject, pRegistryPath->Buffer));
183
184
185// blah();
186// KdPrint(("after blah\n"));
187
188
189 /*
190 * Verify we are running on x86 & everything is in order
191 */
192
193 if (!InitI386())
194 {
195 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_CRITICAL, ("InitI386 failed. Aborting.\n"));
196 return STATUS_UNSUCCESSFUL;
197 }
198
199
200 /*
201 * Initialize all the driver object related data and create a device representing our device
202 */
203
204 // set to NULL to disable unload by admins
205// pDriverObject->DriverUnload = NULL;
206 pDriverObject->DriverUnload = DriverUnload;
207
208//XXX need to intercept DriverObject->FastIoDispatch = &VTrcFSFastIoDispatchTable;
209
210 for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
211 //XXX don't intercept IRP_MJ_POWER & IRP_MJ_PNP
212 pDriverObject->MajorFunction[i] = DriverDeviceControl;
213
214 pDriverObject->MajorFunction[ IRP_MJ_CREATE ] = DriverCreate;
215 pDriverObject->MajorFunction[ IRP_MJ_CLEANUP ] = DriverCleanup;
216 pDriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DriverClose;
217 pDriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DriverDeviceControl;
218/*
219 pDriverObject->MajorFunction[ IRP_MJ_READ ] = DriverRead;
220 pDriverObject->MajorFunction[ IRP_MJ_WRITE ] = DriverWrite;
221 */
222 RtlInitUnicodeString(&usDeviceName, DEVICE_NAME);
223
224 status = IoCreateDevice(pDriverObject, sizeof(DEVICE_EXTENSION),
225 &usDeviceName, FILE_DEVICE_UNKNOWN,
226 FILE_DEVICE_SECURE_OPEN, FALSE,//FALSE (Exclusive - Reserved for system use. Drivers set this parameter to FALSE.)
227// 0, TRUE,
228 &pDeviceObject);
229
230 if (!NT_SUCCESS(status))
231 {
232 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverEntry: IoCreateDevice failed with status %x\n", status));
233
234 return status;
235 }
236
237
238 pDeviceObject->Flags |= DO_BUFFERED_IO;
239
240 pDeviceExtension = (PDEVICE_EXTENSION) pDeviceObject->DeviceExtension;
241 pDeviceExtension->pDeviceObject = pDeviceObject;
242
243
244 RtlInitUnicodeString(&pDeviceExtension->usSymLink, DEVICE_SYMLINK_NAME);
245
246 status = IoCreateSymbolicLink(&pDeviceExtension->usSymLink, &usDeviceName);
247 if (!NT_SUCCESS(status))
248 {
249 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverEntry: IoCreateSymbolicLink failed with status %x\n", status));
250
251 IoDeleteDevice(pDeviceObject);
252
253 return status;
254 }
255
256
257 /*
258 * Now, mediate all the necessary calls
259 */
260
261#if HOOK_NETWORK
262 status = InstallNetworkHooks(pDriverObject);
263 if (! NT_SUCCESS(status))
264 ABORT_DriverEntry("InstallNetworkHooks() failed");
265#endif
266
267
268 /* all consequitive calls that fail will cause the following error to be returned */
269
270 status = STATUS_DRIVER_INTERNAL_ERROR;
271
272 if (!InitSyscallsHooks())
273 ABORT_DriverEntry("InitSyscallsHooks() failed\n");
274
275
276 /*
277 * raise irql to DPC level to avoid any spurious system calls taking place before we
278 * manage to initialize appropriate hooked function pointers
279 */
280
281 irql = KeRaiseIrqlToDpcLevel();
282
283
284 if (!InstallSyscallsHooks())
285 ABORT_DriverEntry("InstallSyscallsHooks() failed\n");
286
287
288#if HOOK_FILE
289 if (!InitFileHooks())
290 ABORT_DriverEntry("InitFileHooks() failed\n");
291
292 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitFileHooks\n"));
293#endif
294
295#if HOOK_REGISTRY
296 if (!InitRegistryHooks())
297 ABORT_DriverEntry("InitRegistryHooks() failed\n");
298
299 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitRegistryHooks\n"));
300#endif
301
302#if HOOK_SECTION
303 if (!InitSectionHooks())
304 ABORT_DriverEntry("InitSectionHooks() failed\n");
305
306 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitSectionHooks\n"));
307#endif
308
309#if HOOK_SYSINFO
310 if (!InitSysInfoHooks())
311 ABORT_DriverEntry("InitSysInfoHooks() failed\n");
312
313 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitSysInfoHooks\n"));
314#endif
315
316#if HOOK_EVENT
317 if (!InitEventHooks())
318 ABORT_DriverEntry("InitEventHooks() failed\n");
319
320 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitEventHooks\n"));
321#endif
322
323#if HOOK_SEMAPHORE
324 if (!InitSemaphoreHooks())
325 ABORT_DriverEntry("InitSemaphoreHooks() failed\n");
326
327 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitSemaphoreHooks\n"));
328#endif
329
330#if HOOK_JOB
331 if (!InitJobHooks())
332 ABORT_DriverEntry("InitJobHooks() failed\n");
333
334 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitJobHooks\n"));
335#endif
336
337#if HOOK_MUTANT
338 if (!InitMutantHooks())
339 ABORT_DriverEntry("InitMutantHooks() failed\n");
340
341 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitMutantHooks\n"));
342#endif
343
344#if HOOK_DIROBJ
345 if (!InitDirobjHooks())
346 ABORT_DriverEntry("InitDirobjHooks() failed\n");
347
348 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitDirobjHooks\n"));
349#endif
350
351#if HOOK_PORT
352 if (!InitPortHooks())
353 ABORT_DriverEntry("InitPortHooks() failed\n");
354
355 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitPortHooks\n"));
356#endif
357
358#if HOOK_SYMLINK
359 if (!InitSymlinkHooks())
360 ABORT_DriverEntry("InitSymlinkHooks() failed\n");
361
362 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitSymlinkHooks\n"));
363#endif
364
365#if HOOK_TIMER
366 if (!InitTimerHooks())
367 ABORT_DriverEntry("InitTimerHooks() failed\n");
368
369 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitTimerHooks\n"));
370#endif
371
372#if HOOK_TOKEN
373 if (!InitTokenHooks())
374 ABORT_DriverEntry("InitTokenHooks() failed\n");
375
376 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitTokenHooks\n"));
377#endif
378
379#if HOOK_TIME
380 if (!InitTimeHooks())
381 ABORT_DriverEntry("InitTimeHooks() failed\n");
382
383 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitTimeHooks\n"));
384#endif
385
386#if HOOK_DRIVEROBJ
387 if (!InitDriverObjectHooks())
388 ABORT_DriverEntry("InitDriverObjectHooks() failed\n");
389
390 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitDriverObjectHooks\n"));
391#endif
392
393#if HOOK_ATOM
394 if (!InitAtomHooks())
395 ABORT_DriverEntry("InitAtomHooks() failed\n");
396
397 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitAtomHooks\n"));
398#endif
399
400#if HOOK_VDM
401 if (!InitVdmHooks())
402 ABORT_DriverEntry("InitVdmHooks() failed\n");
403
404 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitVdmHooks\n"));
405#endif
406
407
408#if HOOK_DEBUG
409 if (!InitDebugHooks())
410 ABORT_DriverEntry("InitDebugHooks() failed\n");
411
412 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitDebugHooks\n"));
413#endif
414
415
416 KeLowerIrql(irql);
417
418
419 /*
420 * The order of the following calls is important:
421 *
422 * InitProcessEntries() initializes OzoneInstallPath
423 * InitPolicy() initiailizes policy related variables
424 * InitProcessNameEntries() then uses policy vars & OzoneInstallPath to load policies
425 */
426
427#if HOOK_PROCESS
428 if (!InitProcessEntries())
429 ABORT_DriverEntry("InitProcessEntries() failed\n");
430
431 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitProcessEntries\n"));
432#endif
433
434
435 if (!InitProcessNameEntries())
436 ABORT_DriverEntry("InitProcessNameEntries() failed\n");
437
438 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitProcessNameEntries\n"));
439
440
441 if (!InitPolicy())
442 ABORT_DriverEntry("InitPolicy() failed\n");
443
444 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitPolicy\n"));
445
446
447 EnumerateExistingProcesses();
448
449 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past EnumerateExistingProcesses\n"));
450
451
452
453 if (LearningMode == TRUE)
454 {
455 if (!InitLearningMode())
456 ABORT_DriverEntry("InitLearningMode() failed\n");
457
458 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitLearningMode\n"));
459 }
460
461
462#if HOOK_MEDIA
463 if (!InitRemovableMediaHooks(pDriverObject, pDeviceObject))
464 ABORT_DriverEntry("InitRemovableMedia() failed\n");
465
466 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitRemovableMediaHooks\n"));
467#endif
468
469
470#if HOOK_BOPROT
471 if (!InitBufferOverflowProtection())
472 ABORT_DriverEntry("InitBufferOverflowProtection() failed\n");
473
474 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitBufferOverflowProtection\n"));
475#endif
476
477
478 if (!InitLog())
479 ABORT_DriverEntry("InitLog() failed\n");
480
481 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitLog\n"));
482
483
484 if (!InitUserland())
485 ABORT_DriverEntry("InitUserland() failed\n");
486
487 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverEntry: Past InitUserland\n"));
488
489 } // __try
490
491 __except(EXCEPTION_EXECUTE_HANDLER)
492 {
493 NTSTATUS status = GetExceptionCode();
494 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_CRITICAL, ("DriverEntry: caught an exception. status = 0x%x\n", status));
495
496 return STATUS_DRIVER_INTERNAL_ERROR;
497 }
498
499
500 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverEntry: Done\n"));
501
502
503 return STATUS_SUCCESS;
504}
505
506
507
508/*
509 * DriverUnload()
510 *
511 * Description:
512 * Clean up and unload the driver.
513 *
514 * NOTE: Since this driver mediates system calls and other devices, it is not safe to
515 * unload the driver since there might remain outstanding references to our driver code and data
516 * segments once the driver is unloaded.
517 *
518 * NOTE2: In release builds, unload functionality should be disabled for security reasons.
519 *
520 * Parameters:
521 * pDriverObject - pointer to a driver object that represents this driver.
522 *
523 * Returns:
524 * Nothing.
525 */
526
527VOID
528DriverUnload(IN PDRIVER_OBJECT pDriverObject)
529{
530 PDEVICE_OBJECT pDeviceObject, pNextDeviceObject;
531 PDEVICE_EXTENSION pDeviceExtension;
532 LARGE_INTEGER delay;
533
534
535#if DBG
536 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: irql = %d %d\n", KeGetCurrentIrql(), HookedTDIRunning));
537#endif
538
539
540 if (SysenterEip)
541 _asm
542 {
543 mov ecx, SYSENTER_EIP_MSR
544 mov eax, SysenterEip
545 xor edx, edx
546 wrmsr
547 }
548
549#if HOOK_BOPROT
550 ShutdownBufferOverflowProtection();
551 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past ShutdownBufferOverflowProtection\n"));
552#endif
553
554
555 RemoveRemovableMediaHooks();
556 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past RemoveRemovableMediaHooks\n"));
557
558 RemoveNetworkHooks(pDriverObject);
559 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past RemoveNetworkHooks\n"));
560
561 RemoveSyscallsHooks();
562 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past RemoveSyscallsHooks\n"));
563
564 RemoveProcessNameEntries();
565 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past RemoveProcessNameEntries\n"));
566
567
568 if (LearningMode)
569 ShutdownLearningMode();
570 else
571 PolicyRemove();
572
573 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past LearningMode\n"));
574
575
576 ShutdownLog();
577 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past ShutdownLog\n"));
578
579
580 ShutdownUserland();
581 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverUnload: Past UserlandShutdown\n"));
582
583
584 pDeviceObject = pNextDeviceObject = pDriverObject->DeviceObject;
585
586 while (pNextDeviceObject != NULL)
587 {
588 pNextDeviceObject = pDeviceObject->NextDevice;
589 pDeviceExtension = (PDEVICE_EXTENSION) pDeviceObject->DeviceExtension;
590
591 if (pDeviceExtension)
592 {
593 NTSTATUS status;
594
595 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: IoDeleteSymbolicLink(%S)\n", pDeviceExtension->usSymLink.Buffer));
596
597 status = IoDeleteSymbolicLink(&pDeviceExtension->usSymLink);
598 if (! NT_SUCCESS(status))
599 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: IoDeleteSymbolicLink failed: %x\n", status));
600 }
601 else
602 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: pDeviceExtension = NULL\n"));
603
604 IoDeleteDevice(pDeviceObject);
605 pDeviceObject = pNextDeviceObject;
606 }
607
608
609 /* wait for 1 second for all timers/callbacks to complete */
610 delay.QuadPart = SECONDS(1);
611
612 KeDelayExecutionThread(KernelMode, FALSE, &delay);
613
614
615#if DBG
616 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverUnload: HookedRoutineRunning = %d\n", HookedRoutineRunning));
617#endif
618
619
620 return;
621}
622
623
624
625/*
626 * DriverDeviceControl()
627 *
628 * Description:
629 * Dispatch routine. Process network (TDI) and our driver requests.
630 *
631 * Parameters:
632 * pDeviceObject - pointer to a device object that a request is being sent to.
633 * pIrp - IRP (I/O Request Packet) request.
634 *
635 * Returns:
636 * Nothing.
637 */
638
639#define COMPLETE_REQUEST(irp, status) \
640 pIrp->IoStatus.Status = (status); \
641 IoCompleteRequest((irp), IO_NO_INCREMENT); \
642 return((status));
643
644NTSTATUS
645DriverDeviceControl(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
646{
647 PIO_STACK_LOCATION pIrpStack;
648 ULONG ControlCode;
649 NTSTATUS status;
650 ULONG InSize, OutSize;
651 KIRQL irql;
652
653
654 if (pDeviceObject == NULL || pIrp == NULL)
655 {
656 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: NULL value %x %x\n", pDeviceObject, pIrp));
657
658 COMPLETE_REQUEST(pIrp, STATUS_UNSUCCESSFUL);
659 }
660
661
662#if HOOK_NETWORK
663 if (TDIDispatch(pDeviceObject, pIrp, &status) == TRUE)
664 {
665 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverDeviceControl(%x, %x): TDIDispatch\n", pDeviceObject, pIrp));
666 return status;
667 }
668#endif
669
670
671 pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
672
673 pIrp->IoStatus.Information = 0;
674
675
676 ControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
677 InSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
678 OutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
679
680 switch (ControlCode)
681 {
682 /*
683 * When userland agent service starts up, it registers with the driver using IOCTL_REGISTER_AGENT_SERVICE.
684 * Expects back 1 ULONG - version of the driver
685 */
686
687 // XXX save agent pid and version?
688 case IOCTL_REGISTER_AGENT_SERVICE:
689 {
690 ULONG DriverVersion = DRIVER_VERSION;
691
692
693 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_REGISTER_AGENT_SERVICE ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
694
695
696 if (OutSize < sizeof(ULONG))
697 {
698 status = STATUS_INVALID_BUFFER_SIZE;
699 break;
700 }
701
702
703 RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, &DriverVersion, sizeof(ULONG));
704
705 ActiveUserAgent = TRUE;
706
707
708 pIrp->IoStatus.Information = sizeof(ULONG);
709
710 status = STATUS_SUCCESS;
711
712
713 break;
714 }
715
716
717 /*
718 * Userland agent service retrieves log alerts using IOCTL_GET_ALERT
719 */
720
721 case IOCTL_GET_ALERT:
722 {
723 PSECURITY_ALERT TmpAlert;
724
725
726 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_ALERT ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
727
728
729// if (UserAgentRegistered == FALSE)
730// XXX;
731
732 KeAcquireSpinLock(&gLogSpinLock, &irql);
733 {
734 if (LogList == NULL)
735 {
736 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_ALERT No More Alerts\n"));
737
738 status = STATUS_NO_MORE_ENTRIES;
739
740 KeReleaseSpinLock(&gLogSpinLock, irql);
741
742 break;
743 }
744
745 /* don't count the size of the Next pointer */
746 LogList->Size -= sizeof(struct _SECURITY_ALERT *);
747
748 if (OutSize < LogList->Size)
749 {
750 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_ALERT %d < %d\n", OutSize, LogList->Size));
751 status = STATUS_INVALID_BUFFER_SIZE;
752 KeReleaseSpinLock(&gLogSpinLock, irql);
753 break;
754 }
755
756 /* copy the SECURITY_ALERT structure without including the Next pointer */
757 RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, (PCHAR)LogList + sizeof(struct _SECURITY_ALERT *), LogList->Size);
758
759 pIrp->IoStatus.Information = LogList->Size;
760
761
762 --NumberOfAlerts;
763
764 TmpAlert = LogList;
765 LogList = LogList->Next;
766
767 ExFreePoolWithTag(TmpAlert, _POOL_TAG);
768 }
769 KeReleaseSpinLock(&gLogSpinLock, irql);
770
771
772 status = STATUS_SUCCESS;
773
774 break;
775 }
776
777
778 /*
779 * Userland agent service retrieves userland requests using IOCTL_GET_USERLAND_REQUEST
780 */
781
782 case IOCTL_GET_USERLAND_REQUEST:
783 {
784 PUSERLAND_REQUEST_HEADER TmpRequest;
785
786
787 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_USERLAND_REQUEST ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
788
789
790 KeAcquireSpinLock(&gUserlandRequestListSpinLock, &irql);
791 {
792 USHORT UserlandRequestSize;
793
794
795 if (UserlandRequestList == NULL)
796 {
797 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_USERLAND_REQUEST No More Process Requests\n"));
798
799 status = STATUS_NO_MORE_ENTRIES;
800
801 KeReleaseSpinLock(&gUserlandRequestListSpinLock, irql);
802
803 break;
804 }
805
806
807 /* don't count the size of the Next pointer */
808 UserlandRequestSize = UserlandRequestList->RequestSize - sizeof(struct _USERLAND_REQUEST *);
809
810 if (OutSize < UserlandRequestSize)
811 {
812 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_GET_USERLAND_REQUEST %d < %d\n", OutSize, UserlandRequestSize));
813
814 KeReleaseSpinLock(&gUserlandRequestListSpinLock, irql);
815
816 status = STATUS_INVALID_BUFFER_SIZE;
817
818 break;
819 }
820
821 /* copy the PROCESS_REQUEST structure without including the Next pointer */
822 RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, (PCHAR)UserlandRequestList + sizeof(struct _USERLAND_REQUEST *), UserlandRequestSize);
823
824 pIrp->IoStatus.Information = UserlandRequestSize;
825
826
827 TmpRequest = UserlandRequestList;
828 UserlandRequestList = UserlandRequestList->Next;
829
830 ExFreePoolWithTag(TmpRequest, _POOL_TAG);
831 }
832 KeReleaseSpinLock(&gUserlandRequestListSpinLock, irql);
833
834
835 status = STATUS_SUCCESS;
836
837 break;
838 }
839
840
841 /*
842 * Userland agent service returns userland replies using IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY
843 */
844
845#define MAXIMUM_USERLAND_REPLY_SIZE 512
846
847 case IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY:
848 {
849 PSID_RESOLVE_REPLY pSidResolveReply;
850 PIMAGE_PID_ENTRY ProcessEntry;
851
852
853 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
854
855
856 if (InSize > MAXIMUM_USERLAND_REPLY_SIZE)
857 {
858 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY %d > %d\n", InSize, MAXIMUM_USERLAND_REPLY_SIZE));
859 status = STATUS_INVALID_BUFFER_SIZE;
860 break;
861 }
862
863 pSidResolveReply = ExAllocatePoolWithTag(PagedPool, InSize, _POOL_TAG);
864 if (pSidResolveReply == NULL)
865 {
866 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_SID_RESOLVE_REPLY out of memory\n"));
867 status = STATUS_UNSUCCESSFUL;
868 break;
869 }
870
871
872 RtlCopyMemory(pSidResolveReply, pIrp->AssociatedIrp.SystemBuffer, InSize);
873
874 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Received sid resolve reply. insize=%d seq=%d, %S\n", InSize, pSidResolveReply->ReplyHeader.SeqId, pSidResolveReply->UserName));
875
876 ProcessEntry = FindImagePidEntry(pSidResolveReply->ReplyHeader.ProcessId, 0);
877
878 if (ProcessEntry)
879 {
880 if (ProcessEntry->WaitingForUserRequestId == 0)
881 {
882 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Process (pid=%d) is not expecting a user request!\n", pSidResolveReply->ReplyHeader.ProcessId));
883 ExFreePoolWithTag(pSidResolveReply, _POOL_TAG);
884 ProcessEntry->UserlandReply = NULL;
885 break;
886 }
887
888 if (ProcessEntry->WaitingForUserRequestId != pSidResolveReply->ReplyHeader.SeqId)
889 {
890 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Process (pid=%d) is expecting to receive sequence id %d. Got %d\n", pSidResolveReply->ReplyHeader.ProcessId, ProcessEntry->WaitingForUserRequestId, pSidResolveReply->ReplyHeader.SeqId));
891 ExFreePoolWithTag(pSidResolveReply, _POOL_TAG);
892 ProcessEntry->UserlandReply = NULL;
893 break;
894 }
895
896
897 /* deliver the reply */
898 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Waking up process %d\n", pSidResolveReply->ReplyHeader.ProcessId));
899
900 ProcessEntry->UserlandReply = (PUSERLAND_REPLY_HEADER) pSidResolveReply;
901
902 KeSetEvent(&ProcessEntry->UserlandRequestDoneEvent, IO_NO_INCREMENT, FALSE);
903 }
904 else
905 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: cannot find process with pid=%d\n", pSidResolveReply->ReplyHeader.ProcessId));
906
907
908 status = STATUS_SUCCESS;
909
910 break;
911 }
912
913
914 /*
915 * Userland agent service returns "ask user" replies using IOCTL_SEND_USERLAND_ASK_USER_REPLY
916 */
917
918 case IOCTL_SEND_USERLAND_ASK_USER_REPLY:
919 {
920 PASK_USER_REPLY pAskUserReply;
921 PIMAGE_PID_ENTRY ProcessEntry;
922
923
924 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_ASK_USER_REPLY ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
925
926
927 if (InSize != sizeof(ASK_USER_REPLY))
928 {
929 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_ASK_USER_REPLY %d != %d\n", InSize, sizeof(ASK_USER_REPLY)));
930 status = STATUS_INVALID_BUFFER_SIZE;
931 break;
932 }
933
934 pAskUserReply = ExAllocatePoolWithTag(PagedPool, sizeof(ASK_USER_REPLY), _POOL_TAG);
935 if (pAskUserReply == NULL)
936 {
937 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_SEND_USERLAND_ASK_USER_REPLY out of memory\n"));
938 status = STATUS_UNSUCCESSFUL;
939 break;
940 }
941
942
943 RtlCopyMemory(pAskUserReply, pIrp->AssociatedIrp.SystemBuffer, InSize);
944
945 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Received ask user reply. insize=%d, action=%d\n", InSize, pAskUserReply->Action));
946
947 ProcessEntry = FindImagePidEntry(pAskUserReply->ReplyHeader.ProcessId, 0);
948
949 if (ProcessEntry)
950 {
951 if (ProcessEntry->WaitingForUserRequestId == 0)
952 {
953 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Process (pid=%d) is not expecting a user request!\n", pAskUserReply->ReplyHeader.ProcessId));
954 ExFreePoolWithTag(pAskUserReply, _POOL_TAG);
955 ProcessEntry->UserlandReply = NULL;
956 break;
957 }
958
959 if (ProcessEntry->WaitingForUserRequestId != pAskUserReply->ReplyHeader.SeqId)
960 {
961 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Process (pid=%d) is expecting to receive sequence id %d. Got %d\n", pAskUserReply->ReplyHeader.ProcessId, ProcessEntry->WaitingForUserRequestId, pAskUserReply->ReplyHeader.SeqId));
962 ExFreePoolWithTag(pAskUserReply, _POOL_TAG);
963 ProcessEntry->UserlandReply = NULL;
964 break;
965 }
966
967
968 /* deliver the reply */
969 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: Waking up process %d\n", pAskUserReply->ReplyHeader.ProcessId));
970
971 ProcessEntry->UserlandReply = (PUSERLAND_REPLY_HEADER) pAskUserReply;
972
973 KeSetEvent(&ProcessEntry->UserlandRequestDoneEvent, IO_NO_INCREMENT, FALSE);
974 }
975 else
976 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("cannot find process with pid=%d\n", pAskUserReply->ReplyHeader.ProcessId));
977
978
979 status = STATUS_SUCCESS;
980
981 break;
982 }
983
984
985 /*
986 * train.exe puts the driver in learning/training mode using IOCTL_START_CREATE_POLICY
987 */
988
989 case IOCTL_START_CREATE_POLICY:
990 {
991 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverDeviceControl: IOCTL_START_CREATE_POLICY ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
992
993
994 if ((InSize > MAX_PROCESS_NAME * sizeof(WCHAR)) || (InSize % 2))
995 {
996 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_START_CREATE_POLICY Invalid Insize: %d\n", InSize));
997 status = STATUS_INVALID_BUFFER_SIZE;
998 break;
999 }
1000
1001 status = STATUS_SUCCESS;
1002
1003 if (LearningMode == TRUE)
1004 {
1005 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_START_CREATE_POLICY Already in Learning Mode\n"));
1006 break;
1007 }
1008
1009 RtlCopyMemory(ProcessToMonitor, pIrp->AssociatedIrp.SystemBuffer, InSize);
1010 ProcessToMonitor[(InSize / sizeof(WCHAR)) - 1] = 0;
1011
1012 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_START_CREATE_POLICY Learning about '%S'\n", ProcessToMonitor));
1013
1014 LearningMode = TRUE;
1015
1016 InitLearningMode();
1017
1018 break;
1019 }
1020
1021
1022 /*
1023 * train.exe stops training/learning mode using IOCTL_STOP_CREATE_POLICY
1024 */
1025
1026 case IOCTL_STOP_CREATE_POLICY:
1027 {
1028 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY ControlCode=%x InBufferSize=%x OutBufferSize=%x\n", ControlCode, InSize, OutSize));
1029
1030
1031 if ((InSize > MAX_PROCESS_NAME * sizeof(WCHAR)) || (InSize % 2))
1032 {
1033 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY Invalid Insize: %d\n", InSize));
1034 status = STATUS_INVALID_BUFFER_SIZE;
1035 break;
1036 }
1037
1038 status = STATUS_SUCCESS;
1039
1040 if (LearningMode == FALSE)
1041 {
1042 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY Not in Learning Mode\n"));
1043 break;
1044 }
1045
1046// RtlCopyMemory(ProcessToMonitor, pIrp->AssociatedIrp.SystemBuffer, InSize);
1047// ProcessToMonitor[(InSize / sizeof(WCHAR)) - 1] = 0;
1048
1049// LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY '%S'\n", ProcessToMonitor));
1050 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverDeviceControl: IOCTL_STOP_CREATE_POLICY\n"));
1051
1052 ShutdownLearningMode();
1053
1054 LearningMode = FALSE;
1055
1056 break;
1057 }
1058
1059
1060 default:
1061 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("%d DriverDeviceControl default %x %x %x %x\n", (ULONG) PsGetCurrentProcessId(), pIrpStack->MajorFunction, ControlCode, InSize, OutSize));
1062 status = STATUS_INVALID_DEVICE_REQUEST;
1063 break;
1064 }
1065
1066
1067 COMPLETE_REQUEST(pIrp, status);
1068}
1069
1070
1071
1072NTSTATUS
1073DriverCreate(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
1074{
1075 NTSTATUS status;
1076
1077
1078#if HOOK_NETWORK
1079 if (TDIDispatch(pDeviceObject, pIrp, &status) == TRUE)
1080 {
1081 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverCreate(%x, %x): TDIDispatch\n", pDeviceObject, pIrp));
1082 return status;
1083 }
1084#endif
1085
1086
1087 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverCreate(%x, %x)\n", pDeviceObject, pIrp));
1088
1089
1090 //XXX need to consider any possible lock out issues where a valid userland agent is disallowed access
1091 //can verify userland binary name as well
1092#if 0
1093 if (ActiveUserAgent == TRUE)
1094 {
1095 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("Userland agent already exists!\n"));
1096
1097 pIrp->IoStatus.Status = STATUS_ACCESS_DENIED;
1098 pIrp->IoStatus.Information = 0;
1099 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1100
1101 return STATUS_ACCESS_DENIED;
1102 }
1103
1104 ActiveUserAgent = TRUE;
1105#endif
1106
1107 pIrp->IoStatus.Status = STATUS_SUCCESS;
1108 pIrp->IoStatus.Information = 0;
1109 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1110
1111
1112 return STATUS_SUCCESS;
1113}
1114
1115
1116
1117NTSTATUS
1118DriverClose(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
1119{
1120 NTSTATUS status;
1121
1122
1123#if HOOK_NETWORK
1124 if (TDIDispatch(pDeviceObject, pIrp, &status) == TRUE)
1125 {
1126 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverClose(%x, %x): TDIDispatch\n", pDeviceObject, pIrp));
1127 return status;
1128 }
1129#endif
1130
1131
1132 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverClose(%x, %x)\n", pDeviceObject, pIrp));
1133
1134#if 0
1135 if (ActiveUserAgent == FALSE)
1136 {
1137 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("Userland agent does not exist!\n"));
1138 }
1139
1140 ActiveUserAgent = FALSE;
1141#endif
1142
1143 pIrp->IoStatus.Status = STATUS_SUCCESS;
1144 pIrp->IoStatus.Information = 0;
1145 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1146
1147 return STATUS_SUCCESS;
1148}
1149
1150
1151
1152NTSTATUS
1153DriverCleanup(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
1154{
1155 NTSTATUS status;
1156
1157
1158#if HOOK_NETWORK
1159 if (TDIDispatch(pDeviceObject, pIrp, &status) == TRUE)
1160 {
1161 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_VERBOSE, ("DriverCleanup(%x, %x): TDIDispatch\n", pDeviceObject, pIrp));
1162 return status;
1163 }
1164#endif
1165
1166
1167 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverCleanup(%x, %x)\n", pDeviceObject, pIrp));
1168
1169 pIrp->IoStatus.Status = STATUS_SUCCESS;
1170 pIrp->IoStatus.Information = 0;
1171 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1172
1173 return STATUS_SUCCESS;
1174}
1175
1176
1177
1178#if 0
1179NTSTATUS
1180DriverRead(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
1181{
1182 PDEVICE_EXTENSION pDeviceExtension;
1183 PIO_STACK_LOCATION pIrpStack;
1184 ULONG size = 0;
1185
1186
1187 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("DriverRead()\n"));
1188
1189 pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
1190
1191 pDeviceExtension = (PDEVICE_EXTENSION) pDeviceObject->DeviceExtension;
1192/*
1193 size = min(pDeviceExtension->BufferSize, pIrpStack->Parameters.Read.Length);
1194
1195 RtlCopyMemory(pIrp->AssociatedIrp.SystemBuffer, pDeviceExtension->Buffer, size);
1196
1197 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("Wrote %d bytes: %s\n", size, pDeviceExtension->Buffer));
1198
1199 pDeviceExtension->BufferSize = 0;
1200*/
1201 pIrp->IoStatus.Status = STATUS_SUCCESS;
1202 pIrp->IoStatus.Information = size;
1203 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1204
1205 return STATUS_SUCCESS;
1206}
1207
1208
1209
1210NTSTATUS
1211DriverWrite(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
1212{
1213 PDEVICE_EXTENSION pDeviceExtension;
1214 PIO_STACK_LOCATION pIrpStack;
1215 ULONG size = 0;
1216
1217
1218 LOG(LOG_SS_DRIVER_INTERNAL,LOG_PRIORITY_DEBUG, ("DriverWrite()\n"));
1219
1220 pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
1221
1222 pDeviceExtension = (PDEVICE_EXTENSION) pDeviceObject->DeviceExtension;
1223/*
1224 size = min(128, pIrpStack->Parameters.Write.Length);
1225 RtlCopyMemory(pDeviceExtension->Buffer, pIrp->AssociatedIrp.SystemBuffer, size);
1226
1227 pDeviceExtension->BufferSize = size;
1228
1229 LOG(LOG_SS_DRIVER_INTERNAL, LOG_PRIORITY_DEBUG, ("Read %d bytes: %s\n", size, pDeviceExtension->Buffer));
1230*/
1231 pIrp->IoStatus.Status = STATUS_SUCCESS;
1232 pIrp->IoStatus.Information = size;
1233 IoCompleteRequest(pIrp, IO_NO_INCREMENT);
1234
1235 return STATUS_SUCCESS;
1236}
1237#endif