1 files changed, 285 insertions, 0 deletions
diff --git a/section.c b/section.c
new file mode 100644
index 0000000..ba21b3c
--- /dev/null
+++ b/section.c
@@ -0,0 +1,285 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              section.c
+ *
+ * Abstract:
+ *
+ *              This module defines various routines used for hooking section objects related routines.
+ *              Section objects are objects that can be mapped into the virtual address space of a process.
+ *              The Win32 API refers to section objects as file-mapping objects.
+ *
+ *              Hooked routines protect "\Device\PhysicalMemory" device from being accessed.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 29-Feb-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#include <NTDDK.h>
+#include "section.h"
+#include "hookproc.h"
+#include "pathproc.h"
+#include "process.h"
+#include "accessmask.h"
+#include "procname.h"
+#include "learn.h"
+#include "log.h"
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitSectionHooks)
+#endif
+fpZwCreateSection               OriginalNtCreateSection = NULL;
+fpZwOpenSection                 OriginalNtOpenSection = NULL;
+fpZwMapViewOfSection    OriginalNtMapViewOfSection = NULL;
+//XXX make sure people cannot create symlinks to physicalmemory or we at least resolve all of them!
+// http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/bh-us-03-rutkowski-r2.pdf
+/*
+ * HookedNtCreateSection()
+ *
+ * Description:
+ *              This function mediates the NtCreateSection() system service and checks the
+ *              provided section name against the global and current process security policies.
+ *
+ *              NOTE: ZwCreateSection creates a section object. [NAR]
+ *
+ * Parameters:
+ *              Those of NtCreateSection().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtCreateSection().
+ */
+NTSTATUS
+NTAPI
+HookedNtCreateSection
+(
+        OUT PHANDLE SectionHandle,
+        IN ACCESS_MASK DesiredAccess,
+        IN POBJECT_ATTRIBUTES ObjectAttributes,
+        IN PLARGE_INTEGER SectionSize OPTIONAL,
+        IN ULONG Protect,
+        IN ULONG Attributes,
+        IN HANDLE FileHandle
+)
+{
+        PCHAR   FunctionName = "HookedNtCreateSection";
+        HOOK_ROUTINE_START(SECTION);
+        ASSERT(OriginalNtCreateSection);
+        rc = OriginalNtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, SectionSize,
+                                                                 Protect, Attributes, FileHandle);
+//      HOOK_ROUTINE_FINISH(SECTION);
+        if (LearningMode == TRUE)
+        {
+                if (GetPathFromOA(ObjectAttributes, SECTIONNAME, MAX_PATH, DO_NOT_RESOLVE_LINKS))
+                {
+                        /*
+                         * Special Case.
+                         * \KnownDlls\* requests are processed as DLL rules.
+                         *
+                         * In addition, they are processed even if NtCreateSection() failed because not
+                         * all the existing DLLs are "known".
+                         */
+                        if (_strnicmp(SECTIONNAME, "\\KnownDlls\\", 11) == 0)
+                        {
+                                AddRule(RULE_DLL, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
+                        }
+                        else if (NT_SUCCESS(rc))
+                        {
+                                AddRule(RULE_SECTION, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
+                        }
+                }
+        }
+        HOOK_ROUTINE_EXIT(rc);
+}
+/*
+ * HookedNtOpenSection()
+ *
+ * Description:
+ *              This function mediates the NtOpenSection() system service and checks the
+ *              provided section name against the global and current process security policies.
+ *
+ *              NOTE: ZwOpenSection opens a section object. [NAR]
+ *
+ * Parameters:
+ *              Those of NtOpenSection().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtOpenSection().
+ */
+NTSTATUS
+NTAPI
+HookedNtOpenSection
+(
+    OUT PHANDLE  SectionHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes
+)
+{
+        PCHAR   FunctionName = "HookedNtOpenSection";
+        HOOK_ROUTINE_START(SECTION);
+        ASSERT(OriginalNtOpenSection);
+        rc = OriginalNtOpenSection(SectionHandle, DesiredAccess, ObjectAttributes);
+//      HOOK_ROUTINE_FINISH(SECTION);
+        if (LearningMode == TRUE)
+        {
+                if (GetPathFromOA(ObjectAttributes, SECTIONNAME, MAX_PATH, DO_NOT_RESOLVE_LINKS))
+                {
+                        /*
+                         * Special Case.
+                         * \KnownDlls\* requests are processed as DLL rules.
+                         *
+                         * In addition, they are processed even if NtOpenSection() failed because not
+                         * all the existing DLLs are "known".
+                         */
+                        if (_strnicmp(SECTIONNAME, "\\KnownDlls\\", 11) == 0)
+                        {
+                                AddRule(RULE_DLL, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
+                        }
+                        else if (NT_SUCCESS(rc))
+                        {
+                                AddRule(RULE_SECTION, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
+                        }
+                }
+        }
+        HOOK_ROUTINE_EXIT(rc);
+}
+/*
+ * HookedNtMapViewOfSection()
+ *
+ * Description:
+ *              This function mediates the NtMapViewOfSection() system service and checks the
+ *              provided section name against the global and current process security policies.
+ *
+ *              NOTE: ZwMapViewOfSection maps a view of a section to a range of virtual addresses. [NAR]
+ *
+ * Parameters:
+ *              Those of NtMapViewOfSection().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ *              Otherwise, NTSTATUS returned by NtMapViewOfSection().
+ */
+NTSTATUS
+NTAPI
+HookedNtMapViewOfSection
+(
+        IN HANDLE SectionHandle,
+        IN HANDLE ProcessHandle,
+        IN OUT PVOID *BaseAddress,
+        IN ULONG ZeroBits,
+        IN ULONG CommitSize,
+        IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
+        IN OUT PULONG ViewSize,
+        IN SECTION_INHERIT InheritDisposition,
+        IN ULONG AllocationType,
+        IN ULONG Protect
+)
+{
+        CHAR    section[512];
+        HOOK_ROUTINE_ENTER();
+//      LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("%d HookedNtMapViewOfSection: %x %x %x %x\n", (ULONG) PsGetCurrentProcessId(), SectionHandle, ProcessHandle, BaseAddress, CommitSize));
+/*
+        if (GetPathFromOA(ObjectAttributes, section, RESOLVE_LINKS))
+        {
+                LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("HookedNtMapViewOfSection: %s\n", section));
+//              if (PolicyCheck(&gSecPolicy, key, GetRegistryOperationType(DesiredAccess)) == STATUS_ACCESS_DENIED)
+//                      HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+        }
+*/
+        ASSERT(OriginalNtMapViewOfSection);
+        rc =  OriginalNtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
+                                                                        SectionOffset, ViewSize, InheritDisposition, AllocationType, Protect);
+        HOOK_ROUTINE_EXIT(rc);
+}
+/*
+ * InitSectionHooks()
+ *
+ * Description:
+ *              Initializes all the mediated section object operation pointers. The "OriginalFunction" pointers
+ *              are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ *              NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              TRUE to indicate success, FALSE if failed.
+ */
+BOOLEAN
+InitSectionHooks()
+{
+        if ( (OriginalNtCreateSection = (fpZwCreateSection) ZwCalls[ZW_CREATE_SECTION_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("InitSectionHooks: OriginalNtCreateSection is NULL\n"));
+                return FALSE;
+        }
+        if ( (OriginalNtOpenSection = (fpZwOpenSection) ZwCalls[ZW_OPEN_SECTION_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("InitSectionHooks: OriginalNtOpenSection is NULL\n"));
+                return FALSE;
+        }
+/*
+        if ((OriginalNtMapViewOfSection = (fpZwMapViewOfSection) ZwCalls[ZW_MAPVIEW_SECTION_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("InitSectionHooks: OriginalNtMapViewOfSection is NULL\n"));
+                return FALSE;
+        }
+*/
+        return TRUE;
+}

diff --git a/section.c b/section.c new file mode 100644 index 0000000..ba21b3c --- /dev/null +++ b/section.c
@@ -0,0 +1,285 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* section.c
	7	*
	8	* Abstract:
	9	*
	10	* This module defines various routines used for hooking section objects related routines.
	11	* Section objects are objects that can be mapped into the virtual address space of a process.
	12	* The Win32 API refers to section objects as file-mapping objects.
	13	*
	14	* Hooked routines protect "\Device\PhysicalMemory" device from being accessed.
	15	*
	16	* Author:
	17	*
	18	* Eugene Tsyrklevich 29-Feb-2004
	19	*
	20	* Revision History:
	21	*
	22	* None.
	23	*/
	24
	25
	26	#include <NTDDK.h>
	27	#include "section.h"
	28	#include "hookproc.h"
	29	#include "pathproc.h"
	30	#include "process.h"
	31	#include "accessmask.h"
	32	#include "procname.h"
	33	#include "learn.h"
	34	#include "log.h"
	35
	36
	37	#ifdef ALLOC_PRAGMA
	38	#pragma alloc_text (INIT, InitSectionHooks)
	39	#endif
	40
	41
	42	fpZwCreateSection OriginalNtCreateSection = NULL;
	43	fpZwOpenSection OriginalNtOpenSection = NULL;
	44	fpZwMapViewOfSection OriginalNtMapViewOfSection = NULL;
	45
	46
	47	//XXX make sure people cannot create symlinks to physicalmemory or we at least resolve all of them!
	48	// http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/bh-us-03-rutkowski-r2.pdf
	49
	50
	51	/*
	52	* HookedNtCreateSection()
	53	*
	54	* Description:
	55	* This function mediates the NtCreateSection() system service and checks the
	56	* provided section name against the global and current process security policies.
	57	*
	58	* NOTE: ZwCreateSection creates a section object. [NAR]
	59	*
	60	* Parameters:
	61	* Those of NtCreateSection().
	62	*
	63	* Returns:
	64	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	65	* Otherwise, NTSTATUS returned by NtCreateSection().
	66	*/
	67
	68	NTSTATUS
	69	NTAPI
	70	HookedNtCreateSection
	71	(
	72	OUT PHANDLE SectionHandle,
	73	IN ACCESS_MASK DesiredAccess,
	74	IN POBJECT_ATTRIBUTES ObjectAttributes,
	75	IN PLARGE_INTEGER SectionSize OPTIONAL,
	76	IN ULONG Protect,
	77	IN ULONG Attributes,
	78	IN HANDLE FileHandle
	79	)
	80	{
	81	PCHAR FunctionName = "HookedNtCreateSection";
	82
	83
	84	HOOK_ROUTINE_START(SECTION);
	85
	86
	87	ASSERT(OriginalNtCreateSection);
	88
	89	rc = OriginalNtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, SectionSize,
	90	Protect, Attributes, FileHandle);
	91
	92
	93	// HOOK_ROUTINE_FINISH(SECTION);
	94	if (LearningMode == TRUE)
	95	{
	96	if (GetPathFromOA(ObjectAttributes, SECTIONNAME, MAX_PATH, DO_NOT_RESOLVE_LINKS))
	97	{
	98	/*
	99	* Special Case.
	100	* \KnownDlls\* requests are processed as DLL rules.
	101	*
	102	* In addition, they are processed even if NtCreateSection() failed because not
	103	* all the existing DLLs are "known".
	104	*/
	105
	106	if (_strnicmp(SECTIONNAME, "\\KnownDlls\\", 11) == 0)
	107	{
	108	AddRule(RULE_DLL, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
	109	}
	110	else if (NT_SUCCESS(rc))
	111	{
	112	AddRule(RULE_SECTION, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
	113	}
	114	}
	115	}
	116
	117	HOOK_ROUTINE_EXIT(rc);
	118	}
	119
	120
	121
	122	/*
	123	* HookedNtOpenSection()
	124	*
	125	* Description:
	126	* This function mediates the NtOpenSection() system service and checks the
	127	* provided section name against the global and current process security policies.
	128	*
	129	* NOTE: ZwOpenSection opens a section object. [NAR]
	130	*
	131	* Parameters:
	132	* Those of NtOpenSection().
	133	*
	134	* Returns:
	135	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	136	* Otherwise, NTSTATUS returned by NtOpenSection().
	137	*/
	138
	139	NTSTATUS
	140	NTAPI
	141	HookedNtOpenSection
	142	(
	143	OUT PHANDLE SectionHandle,
	144	IN ACCESS_MASK DesiredAccess,
	145	IN POBJECT_ATTRIBUTES ObjectAttributes
	146	)
	147	{
	148	PCHAR FunctionName = "HookedNtOpenSection";
	149
	150
	151	HOOK_ROUTINE_START(SECTION);
	152
	153
	154	ASSERT(OriginalNtOpenSection);
	155
	156	rc = OriginalNtOpenSection(SectionHandle, DesiredAccess, ObjectAttributes);
	157
	158
	159	// HOOK_ROUTINE_FINISH(SECTION);
	160	if (LearningMode == TRUE)
	161	{
	162	if (GetPathFromOA(ObjectAttributes, SECTIONNAME, MAX_PATH, DO_NOT_RESOLVE_LINKS))
	163	{
	164	/*
	165	* Special Case.
	166	* \KnownDlls\* requests are processed as DLL rules.
	167	*
	168	* In addition, they are processed even if NtOpenSection() failed because not
	169	* all the existing DLLs are "known".
	170	*/
	171
	172	if (_strnicmp(SECTIONNAME, "\\KnownDlls\\", 11) == 0)
	173	{
	174	AddRule(RULE_DLL, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
	175	}
	176	else if (NT_SUCCESS(rc))
	177	{
	178	AddRule(RULE_SECTION, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
	179	}
	180	}
	181	}
	182
	183	HOOK_ROUTINE_EXIT(rc);
	184	}
	185
	186
	187
	188	/*
	189	* HookedNtMapViewOfSection()
	190	*
	191	* Description:
	192	* This function mediates the NtMapViewOfSection() system service and checks the
	193	* provided section name against the global and current process security policies.
	194	*
	195	* NOTE: ZwMapViewOfSection maps a view of a section to a range of virtual addresses. [NAR]
	196	*
	197	* Parameters:
	198	* Those of NtMapViewOfSection().
	199	*
	200	* Returns:
	201	* STATUS_ACCESS_DENIED if the call does not pass the security policy check.
	202	* Otherwise, NTSTATUS returned by NtMapViewOfSection().
	203	*/
	204
	205	NTSTATUS
	206	NTAPI
	207	HookedNtMapViewOfSection
	208	(
	209	IN HANDLE SectionHandle,
	210	IN HANDLE ProcessHandle,
	211	IN OUT PVOID *BaseAddress,
	212	IN ULONG ZeroBits,
	213	IN ULONG CommitSize,
	214	IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
	215	IN OUT PULONG ViewSize,
	216	IN SECTION_INHERIT InheritDisposition,
	217	IN ULONG AllocationType,
	218	IN ULONG Protect
	219	)
	220	{
	221	CHAR section[512];
	222
	223
	224	HOOK_ROUTINE_ENTER();
	225
	226	// LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("%d HookedNtMapViewOfSection: %x %x %x %x\n", (ULONG) PsGetCurrentProcessId(), SectionHandle, ProcessHandle, BaseAddress, CommitSize));
	227	/*
	228	if (GetPathFromOA(ObjectAttributes, section, RESOLVE_LINKS))
	229	{
	230	LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("HookedNtMapViewOfSection: %s\n", section));
	231	// if (PolicyCheck(&gSecPolicy, key, GetRegistryOperationType(DesiredAccess)) == STATUS_ACCESS_DENIED)
	232
	233	// HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	234	}
	235	*/
	236
	237	ASSERT(OriginalNtMapViewOfSection);
	238
	239	rc = OriginalNtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
	240	SectionOffset, ViewSize, InheritDisposition, AllocationType, Protect);
	241
	242	HOOK_ROUTINE_EXIT(rc);
	243	}
	244
	245
	246
	247	/*
	248	* InitSectionHooks()
	249	*
	250	* Description:
	251	* Initializes all the mediated section object operation pointers. The "OriginalFunction" pointers
	252	* are initialized by InstallSyscallsHooks() that must be called prior to this function.
	253	*
	254	* NOTE: Called once during driver initialization (DriverEntry()).
	255	*
	256	* Parameters:
	257	* None.
	258	*
	259	* Returns:
	260	* TRUE to indicate success, FALSE if failed.
	261	*/
	262
	263	BOOLEAN
	264	InitSectionHooks()
	265	{
	266	if ( (OriginalNtCreateSection = (fpZwCreateSection) ZwCalls[ZW_CREATE_SECTION_INDEX].OriginalFunction) == NULL)
	267	{
	268	LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("InitSectionHooks: OriginalNtCreateSection is NULL\n"));
	269	return FALSE;
	270	}
	271
	272	if ( (OriginalNtOpenSection = (fpZwOpenSection) ZwCalls[ZW_OPEN_SECTION_INDEX].OriginalFunction) == NULL)
	273	{
	274	LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("InitSectionHooks: OriginalNtOpenSection is NULL\n"));
	275	return FALSE;
	276	}
	277	/*
	278	if ((OriginalNtMapViewOfSection = (fpZwMapViewOfSection) ZwCalls[ZW_MAPVIEW_SECTION_INDEX].OriginalFunction) == NULL)
	279	{
	280	LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("InitSectionHooks: OriginalNtMapViewOfSection is NULL\n"));
	281	return FALSE;
	282	}
	283	*/
	284	return TRUE;
	285	}