Diffstat (limited to 'mutant.c')
-rw-r--r--mutant.c151
1 files changed, 151 insertions, 0 deletions
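--- /dev/null
+++ b/mutant.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ * mutant.c
+ *
+ * Abstract:
+ *
+ * This module implements various mutant (mutex) hooking routines.
+ *
+ * Author:
+ *
+ * Eugene Tsyrklevich 25-Mar-2004
+ *
+ * Revision History:
+ *
+ * None.
+ */
+
+
+#include "mutant.h"
+
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitMutantHooks)
+#endif
+
+
+fpZwCreateMutant OriginalNtCreateMutant = NULL;
+fpZwOpenMutant OriginalNtOpenMutant = NULL;
+
+
+/*
+ * HookedNtCreateMutant()
+ *
+ * Description:
+ * This function mediates the NtCreateMutant() system service and checks the
+ * provided mutant name against the global and current process security policies.
+ *
+ * NOTE: ZwCreateMutant creates or opens a mutant object. [NAR]
+ *
+ * Parameters:
+ * Those of NtCreateMutant().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtCreateMutant().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtCreateMutant
+(
+ OUT PHANDLE MutantHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes,
+ IN BOOLEAN InitialOwner
+)
+{
+ PCHAR FunctionName = "HookedNtCreateMutant";
+
+
+ HOOK_ROUTINE_START(MUTANT);
+
+
+ ASSERT(OriginalNtCreateMutant);
+
+ rc = OriginalNtCreateMutant(MutantHandle, DesiredAccess, ObjectAttributes, InitialOwner);
+
+
+ HOOK_ROUTINE_FINISH(MUTANT);
+}
+
+
+
+/*
+ * HookedNtOpenMutant()
+ *
+ * Description:
+ * This function mediates the NtOpenMutant() system service and checks the
+ * provided mutant name against the global and current process security policies.
+ *
+ * NOTE: ZwOpenMutant opens a mutant object. [NAR]
+ *
+ * Parameters:
+ * Those of NtOpenMutant().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtOpenMutant().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtOpenMutant
+(
+ OUT PHANDLE MutantHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes
+)
+{
+ PCHAR FunctionName = "HookedNtOpenMutant";
+
+
+ HOOK_ROUTINE_START(MUTANT);
+
+
+ ASSERT(OriginalNtOpenMutant);
+
+ rc = OriginalNtOpenMutant(MutantHandle, DesiredAccess, ObjectAttributes);
+
+
+ HOOK_ROUTINE_FINISH(MUTANT);
+}
+
+
+
+/*
+ * InitMutantHooks()
+ *
+ * Description:
+ * Initializes all the mediated mutant operation pointers. The "OriginalFunction" pointers
+ * are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ * NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ * None.
+ *
+ * Returns:
+ * TRUE to indicate success, FALSE if failed.
+ */
+
+BOOLEAN
+InitMutantHooks()
+{
+ if ( (OriginalNtCreateMutant = (fpZwCreateMutant) ZwCalls[ZW_CREATE_MUTANT_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_MUTANT, LOG_PRIORITY_DEBUG, ("InitMutantHooks: OriginalNtCreateMutant is NULL\n"));
+ return FALSE;
+ }
+
+ if ( (OriginalNtOpenMutant = (fpZwOpenMutant) ZwCalls[ZW_OPEN_MUTANT_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_MUTANT, LOG_PRIORITY_DEBUG, ("InitMutantHooks: OriginalNtOpenMutant is NULL\n"));
+ return FALSE;
+ }
+
+ return TRUE;
+}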
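Review bot: HookedNtCreateMutant (lines 51-73) and HookedNtOpenMutant (lines 94-115) hand the caller's ObjectAttributes pointer unchanged to the original service after HOOK_ROUTINE_START has made its policy decision, so the name the policy was evaluated on and the name the service actually opens are two independent reads of user-mode memory and are not guaranteed to agree (a check-versus-use double fetch, which is the usual weak point of syscall mediation). HOOK_ROUTINE_START is defined outside this file; unless it captures ObjectAttributes and its ObjectName into a kernel-resident copy and that copy is what is passed down, the function comments should record the limitation, e.g. `* NOTE: the policy check and the open are not atomic; ObjectAttributes is re-read from user memory by the original service.`, and the capture-and-pass-copy approach is the mitigation to consider. Both bodies also depend on HOOK_ROUTINE_START to declare `rc` and to supply the early return on denial, which hides a local declaration and control flow in a macro; a one-line comment above each use, `/* rc is declared and the access-denied return path is taken inside HOOK_ROUTINE_START */`, would help a reader. Separately, `InitMutantHooks()` at line 136 is an unprototyped declaration in C; `InitMutantHooks(VOID)` matches kernel convention and whatever prototype mutant.h presumably declares.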