Diffstat (limited to 'symlink.c')
-rw-r--r--symlink.c185
1 files changed, 185 insertions, 0 deletions
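--- /dev/null
+++ b/symlink.c
@@ -0,0 +1,185 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ * symlink.c
+ *
+ * Abstract:
+ *
+ * This module implements various symbolic link object hooking routines.
+ *
+ * Author:
+ *
+ * Eugene Tsyrklevich 25-Mar-2004
+ *
+ * Revision History:
+ *
+ * None.
+ */
+
+
+#include "symlink.h"
+#include "media.h"
+
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitSymlinkHooks)
+#endif
+
+
+fpZwCreateSymbolicLinkObject OriginalNtCreateSymbolicLinkObject = NULL;
+fpZwOpenSymbolicLinkObject OriginalNtOpenSymbolicLinkObject = NULL;
+
+
+/*
+ * HookedNtCreateSymbolicLinkObject()
+ *
+ * Description:
+ * This function mediates the NtCreateSymbolicLinkObject() system service and checks the
+ * provided symbolic link object name against the global and current process security policies.
+ *
+ * NOTE: ZwCreateSymbolicLinkObject creates or opens a symbolic link object. [NAR]
+ *
+ * Parameters:
+ * Those of NtCreateSymbolicLinkObject().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtCreateSymbolicLinkObject().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtCreateSymbolicLinkObject
+(
+ OUT PHANDLE SymbolicLinkHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes,
+ IN PUNICODE_STRING TargetName
+)
+{
+ PCHAR FunctionName = "HookedNtCreateSymbolicLinkObject";
+ CHAR SYMLINKNAME[MAX_PATH];
+
+
+ HOOK_ROUTINE_ENTER();
+
+
+ if (LearningMode == FALSE && GetPathFromOA(ObjectAttributes, SYMLINKNAME, MAX_PATH, RESOLVE_LINKS))
+ {
+ /* TargetName is not verified to be valid but it's ok as we don't use it for anything but printing (in debugging mode only) */
+ if (TargetName)
+ LOG(LOG_SS_SYMLINK, LOG_PRIORITY_VERBOSE, ("%d HookedNtCreateSymbolicLinkObject: %s -> %S\n", (ULONG) PsGetCurrentProcessId(), SYMLINKNAME, TargetName->Buffer));
+ else
+ LOG(LOG_SS_SYMLINK, LOG_PRIORITY_VERBOSE, ("%d HookedNtCreateSymbolicLinkObject: %s ->.\n", (ULONG) PsGetCurrentProcessId(), SYMLINKNAME));
+
+
+ POLICY_CHECK_OPTYPE_NAME(SYMLINK, Get_SYMLINK_OperationType(DesiredAccess));
+ }
+
+
+ ASSERT(OriginalNtCreateSymbolicLinkObject);
+
+ rc = OriginalNtCreateSymbolicLinkObject(SymbolicLinkHandle, DesiredAccess, ObjectAttributes, TargetName);
+
+
+#if HOOK_MEDIA
+ /* removable media hook */
+ if (LearningMode == FALSE && NT_SUCCESS(rc) && KeGetPreviousMode() == KernelMode)
+ {
+ MonitorDriveLinks(SYMLINKNAME);
+ }
+#endif
+
+
+ HOOK_ROUTINE_FINISH(SYMLINK);
+}
+
+
+
+/*
+ * HookedNtOpenSymbolicLinkObject()
+ *
+ * Description:
+ * This function mediates the NtOpenSymbolicLinkObject() system service and checks the
+ * provided symbolic link object name against the global and current process security policies.
+ *
+ * NOTE: ZwOpenSymbolicLinkObject opens a symbolic link object. [NAR]
+ *
+ * Parameters:
+ * Those of NtOpenSymbolicLinkObject().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtOpenSymbolicLinkObject().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtOpenSymbolicLinkObject
+(
+ OUT PHANDLE SymbolicLinkHandle,
+ IN ACCESS_MASK DesiredAccess,
+ IN POBJECT_ATTRIBUTES ObjectAttributes
+)
+{
+ PCHAR FunctionName = "HookedNtOpenSymbolicLinkObject";
+ CHAR SYMLINKNAME[MAX_PATH];
+
+
+ HOOK_ROUTINE_ENTER();
+
+
+ /* Cannot use RESOLVE_LINKS! (to avoid infinite recursion) */
+ if (LearningMode == FALSE && GetPathFromOA(ObjectAttributes, SYMLINKNAME, MAX_PATH, DO_NOT_RESOLVE_LINKS))
+ {
+ POLICY_CHECK_OPTYPE_NAME(SYMLINK, Get_SYMLINK_OperationType(DesiredAccess));
+ }
+
+
+ ASSERT(OriginalNtOpenSymbolicLinkObject);
+
+ rc = OriginalNtOpenSymbolicLinkObject(SymbolicLinkHandle, DesiredAccess, ObjectAttributes);
+
+
+ HOOK_ROUTINE_FINISH(SYMLINK);
+}
+
+
+
+/*
+ * InitSymlinkHooks()
+ *
+ * Description:
+ * Initializes all the mediated symbolic link object operation pointers. The "OriginalFunction" pointers
+ * are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ * NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ * None.
+ *
+ * Returns:
+ * TRUE to indicate success, FALSE if failed.
+ */
+
+BOOLEAN
+InitSymlinkHooks()
+{
+ if ( (OriginalNtCreateSymbolicLinkObject = (fpZwCreateSymbolicLinkObject) ZwCalls[ZW_CREATE_SYMLINK_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_SYMLINK, LOG_PRIORITY_DEBUG, ("InitSymlinkHooks: OriginalNtCreateSymbolicLinkObject is NULL\n"));
+ return FALSE;
+ }
+/*
+ disabled due to performance issues - this function is called by every system call (from ResolveFilename)
+
+ if ( (OriginalNtOpenSymbolicLinkObject = (fpZwOpenSymbolicLinkObject) ZwCalls[ZW_OPEN_SYMLINK_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_SYMLINK, LOG_PRIORITY_DEBUG, ("InitSymlinkHooks: OriginalNtOpenSymbolicLinkObject is NULL\n"));
+ return FALSE;
+ }
+*/
+ return TRUE;
+}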
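Review bot: `MonitorDriveLinks(SYMLINKNAME)` in the `#if HOOK_MEDIA` block of HookedNtCreateSymbolicLinkObject can be handed an uninitialized stack buffer: `SYMLINKNAME` is only written when `GetPathFromOA()` succeeds, but the media-hook condition tests only `LearningMode`, `rc` and the previous mode, so a failed path lookup still passes garbage (possibly without a terminator) to MonitorDriveLinks. Record the lookup result and gate on it: `BOOLEAN HavePath = FALSE;` next to the buffer declaration, `HavePath = TRUE;` as the first statement of the policy-check block, and `if (LearningMode == FALSE && HavePath && NT_SUCCESS(rc) && KeGetPreviousMode() == KernelMode)` for the media hook. The `TargetName->Buffer` read in the verbose LOG line dereferences a caller-supplied pointer with no validation; the comment accepts that for debug output, but it should say explicitly that a bad user-mode pointer there faults in kernel mode, so verbose logging must stay disabled in production or the read be guarded. `rc` is not declared in the visible body and presumably comes from the `HOOK_ROUTINE_ENTER()` macro defined outside this file.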