1 files changed, 227 insertions, 0 deletions
diff --git a/vdm.c b/vdm.c
new file mode 100644
index 0000000..e445d2f
--- /dev/null
+++ b/vdm.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              vdm.c
+ *
+ * Abstract:
+ *
+ *              This module implements various VDM (Virtual Dos Machine) hooking routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 06-Apr-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#include <NTDDK.h>
+#include "vdm.h"
+#include "policy.h"
+#include "hookproc.h"
+#include "procname.h"
+#include "policy.h"
+#include "learn.h"
+#include "log.h"
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitVdmHooks)
+#endif
+fpZwSetLdtEntries               OriginalNtSetLdtEntries = NULL;
+fpZwVdmControl                  OriginalNtVdmControl = NULL;
+/*
+ * IsVdmAllowed()
+ *
+ * Description:
+ *              Check whether the current process is allowed to use dos16/VDM functionality.
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              FALSE if VDM is disabled. TRUE otherwise.
+ */
+BOOLEAN
+IsVdmAllowed()
+{
+        PIMAGE_PID_ENTRY        CurrentProcess;
+        BOOLEAN                         VdmAllowed = FALSE;
+        /* check the global policy first */
+        if (! IS_VDM_PROTECTION_ON(gSecPolicy))
+                return TRUE;
+        /* now check the process specific policy */
+        CurrentProcess = FindImagePidEntry(CURRENT_PROCESS_PID, 0);
+        if (CurrentProcess != NULL)
+        {
+                VdmAllowed = ! IS_VDM_PROTECTION_ON(CurrentProcess->SecPolicy);
+        }
+        else
+        {
+                LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("%d IsVdmAllowed: CurrentProcess = NULL!\n", CURRENT_PROCESS_PID));
+        }
+        return VdmAllowed;
+}
+/*
+ * HookedNtSetLdtEntries()
+ *
+ * Description:
+ *              This function mediates the NtSetLdtEntries() system service and disallows access to it.
+ *
+ *              NOTE: ZwSetLdtEntries sets Local Descriptor Table (LDT) entries for a Virtual DOS Machine (VDM). [NAR]
+ *
+ * Parameters:
+ *              Those of NtSetLdtEntries().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if 16-bit applications are disabled.
+ *              Otherwise, NTSTATUS returned by NtSetLdtEntries().
+ */
+NTSTATUS
+NTAPI
+HookedNtSetLdtEntries
+(
+    IN ULONG Selector0,
+    IN ULONG Entry0Low,
+    IN ULONG Entry0Hi,
+    IN ULONG Selector1,
+    IN ULONG Entry1Low,
+    IN ULONG Entry1Hi
+)
+{
+        HOOK_ROUTINE_ENTER();
+        LOG(LOG_SS_VDM, LOG_PRIORITY_VERBOSE, ("%d (%S) HookedNtSetLdtEntries(%x %x %x)\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName(), Selector0, Entry0Low, Entry0Hi));
+        if (LearningMode == FALSE && IsVdmAllowed() == FALSE)
+        {
+                LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtSetLdtEntries: disallowing VDM access\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
+                LogAlert(ALERT_SS_VDM, OP_VDM_USE, ALERT_RULE_NONE, ACTION_DENY, ALERT_PRIORITY_MEDIUM, NULL, 0, NULL);
+                HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+        }
+        ASSERT(OriginalNtSetLdtEntries);
+        rc = OriginalNtSetLdtEntries(Selector0, Entry0Low, Entry0Hi, Selector1, Entry1Low, Entry1Hi);
+        if (LearningMode == TRUE)
+                TURN_VDM_PROTECTION_OFF(NewPolicy);
+        HOOK_ROUTINE_EXIT(rc);
+}
+/*
+ * HookedNtVdmControl()
+ *
+ * Description:
+ *              This function mediates the NtVdmControl() system service and disallows access to it.
+ *
+ *              NOTE: ZwVdmControl performs a control operation on a VDM. [NAR]
+ *
+ * Parameters:
+ *              Those of NtVdmControl().
+ *
+ * Returns:
+ *              STATUS_ACCESS_DENIED if 16-bit applications are disabled.
+ *              Otherwise, NTSTATUS returned by NtVdmControl().
+ */
+NTSTATUS
+NTAPI
+HookedNtVdmControl
+(
+        IN ULONG ControlCode,
+        IN PVOID ControlData
+)
+{
+        HOOK_ROUTINE_ENTER();
+        LOG(LOG_SS_VDM, LOG_PRIORITY_VERBOSE, ("%d (%S) HookedNtVdmControl(%x %x)\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName(), ControlCode, ControlData));
+        if (LearningMode == FALSE && IsVdmAllowed() == FALSE)
+        {
+                LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtVdmControl: disallowing VDM access\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
+                LogAlert(ALERT_SS_VDM, OP_VDM_USE, ALERT_RULE_NONE, ACTION_DENY, ALERT_PRIORITY_MEDIUM, NULL, 0, NULL);
+                HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+        }
+        ASSERT(OriginalNtVdmControl);
+        rc = OriginalNtVdmControl(ControlCode, ControlData);
+        if (LearningMode == TRUE)
+                TURN_VDM_PROTECTION_OFF(NewPolicy);
+        HOOK_ROUTINE_EXIT(rc);
+}
+/*
+ * InitVdmHooks()
+ *
+ * Description:
+ *              Initializes all the mediated vdm operation pointers. The "OriginalFunction" pointers
+ *              are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ *              NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ *              None.
+ *
+ * Returns:
+ *              TRUE to indicate success, FALSE if failed.
+ */
+BOOLEAN
+InitVdmHooks()
+{
+        if ( (OriginalNtSetLdtEntries = (fpZwSetLdtEntries) ZwCalls[ZW_SET_LDT_ENTRIES_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("InitVdmHooks: OriginalNtSetLdtEntries is NULL\n"));
+                return FALSE;
+        }
+        if ( (OriginalNtVdmControl = (fpZwVdmControl) ZwCalls[ZW_VDM_CONTROL_INDEX].OriginalFunction) == NULL)
+        {
+                LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("InitVdmHooks: OriginalNtVdmControl is NULL\n"));
+                return FALSE;
+        }
+        return TRUE;
+}

diff --git a/vdm.c b/vdm.c new file mode 100644 index 0000000..e445d2f --- /dev/null +++ b/vdm.c
@@ -0,0 +1,227 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* vdm.c
	7	*
	8	* Abstract:
	9	*
	10	* This module implements various VDM (Virtual Dos Machine) hooking routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 06-Apr-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#include <NTDDK.h>
	23	#include "vdm.h"
	24	#include "policy.h"
	25	#include "hookproc.h"
	26	#include "procname.h"
	27	#include "policy.h"
	28	#include "learn.h"
	29	#include "log.h"
	30
	31
	32	#ifdef ALLOC_PRAGMA
	33	#pragma alloc_text (INIT, InitVdmHooks)
	34	#endif
	35
	36
	37	fpZwSetLdtEntries OriginalNtSetLdtEntries = NULL;
	38	fpZwVdmControl OriginalNtVdmControl = NULL;
	39
	40
	41
	42	/*
	43	* IsVdmAllowed()
	44	*
	45	* Description:
	46	* Check whether the current process is allowed to use dos16/VDM functionality.
	47	*
	48	* Parameters:
	49	* None.
	50	*
	51	* Returns:
	52	* FALSE if VDM is disabled. TRUE otherwise.
	53	*/
	54
	55	BOOLEAN
	56	IsVdmAllowed()
	57	{
	58	PIMAGE_PID_ENTRY CurrentProcess;
	59	BOOLEAN VdmAllowed = FALSE;
	60
	61
	62	/* check the global policy first */
	63	if (! IS_VDM_PROTECTION_ON(gSecPolicy))
	64	return TRUE;
	65
	66
	67	/* now check the process specific policy */
	68	CurrentProcess = FindImagePidEntry(CURRENT_PROCESS_PID, 0);
	69
	70	if (CurrentProcess != NULL)
	71	{
	72	VdmAllowed = ! IS_VDM_PROTECTION_ON(CurrentProcess->SecPolicy);
	73	}
	74	else
	75	{
	76	LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("%d IsVdmAllowed: CurrentProcess = NULL!\n", CURRENT_PROCESS_PID));
	77	}
	78
	79
	80	return VdmAllowed;
	81	}
	82
	83
	84
	85	/*
	86	* HookedNtSetLdtEntries()
	87	*
	88	* Description:
	89	* This function mediates the NtSetLdtEntries() system service and disallows access to it.
	90	*
	91	* NOTE: ZwSetLdtEntries sets Local Descriptor Table (LDT) entries for a Virtual DOS Machine (VDM). [NAR]
	92	*
	93	* Parameters:
	94	* Those of NtSetLdtEntries().
	95	*
	96	* Returns:
	97	* STATUS_ACCESS_DENIED if 16-bit applications are disabled.
	98	* Otherwise, NTSTATUS returned by NtSetLdtEntries().
	99	*/
	100
	101	NTSTATUS
	102	NTAPI
	103	HookedNtSetLdtEntries
	104	(
	105	IN ULONG Selector0,
	106	IN ULONG Entry0Low,
	107	IN ULONG Entry0Hi,
	108	IN ULONG Selector1,
	109	IN ULONG Entry1Low,
	110	IN ULONG Entry1Hi
	111	)
	112	{
	113	HOOK_ROUTINE_ENTER();
	114
	115
	116	LOG(LOG_SS_VDM, LOG_PRIORITY_VERBOSE, ("%d (%S) HookedNtSetLdtEntries(%x %x %x)\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName(), Selector0, Entry0Low, Entry0Hi));
	117
	118	if (LearningMode == FALSE && IsVdmAllowed() == FALSE)
	119	{
	120	LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtSetLdtEntries: disallowing VDM access\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
	121
	122	LogAlert(ALERT_SS_VDM, OP_VDM_USE, ALERT_RULE_NONE, ACTION_DENY, ALERT_PRIORITY_MEDIUM, NULL, 0, NULL);
	123
	124	HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	125	}
	126
	127
	128	ASSERT(OriginalNtSetLdtEntries);
	129
	130	rc = OriginalNtSetLdtEntries(Selector0, Entry0Low, Entry0Hi, Selector1, Entry1Low, Entry1Hi);
	131
	132
	133	if (LearningMode == TRUE)
	134	TURN_VDM_PROTECTION_OFF(NewPolicy);
	135
	136
	137	HOOK_ROUTINE_EXIT(rc);
	138	}
	139
	140
	141
	142	/*
	143	* HookedNtVdmControl()
	144	*
	145	* Description:
	146	* This function mediates the NtVdmControl() system service and disallows access to it.
	147	*
	148	* NOTE: ZwVdmControl performs a control operation on a VDM. [NAR]
	149	*
	150	* Parameters:
	151	* Those of NtVdmControl().
	152	*
	153	* Returns:
	154	* STATUS_ACCESS_DENIED if 16-bit applications are disabled.
	155	* Otherwise, NTSTATUS returned by NtVdmControl().
	156	*/
	157
	158	NTSTATUS
	159	NTAPI
	160	HookedNtVdmControl
	161	(
	162	IN ULONG ControlCode,
	163	IN PVOID ControlData
	164	)
	165	{
	166	HOOK_ROUTINE_ENTER();
	167
	168
	169	LOG(LOG_SS_VDM, LOG_PRIORITY_VERBOSE, ("%d (%S) HookedNtVdmControl(%x %x)\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName(), ControlCode, ControlData));
	170
	171	if (LearningMode == FALSE && IsVdmAllowed() == FALSE)
	172	{
	173	LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("%d (%S) HookedNtVdmControl: disallowing VDM access\n", (ULONG) PsGetCurrentProcessId(), GetCurrentProcessName()));
	174
	175	LogAlert(ALERT_SS_VDM, OP_VDM_USE, ALERT_RULE_NONE, ACTION_DENY, ALERT_PRIORITY_MEDIUM, NULL, 0, NULL);
	176
	177	HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
	178	}
	179
	180
	181	ASSERT(OriginalNtVdmControl);
	182
	183	rc = OriginalNtVdmControl(ControlCode, ControlData);
	184
	185
	186	if (LearningMode == TRUE)
	187	TURN_VDM_PROTECTION_OFF(NewPolicy);
	188
	189
	190	HOOK_ROUTINE_EXIT(rc);
	191	}
	192
	193
	194
	195	/*
	196	* InitVdmHooks()
	197	*
	198	* Description:
	199	* Initializes all the mediated vdm operation pointers. The "OriginalFunction" pointers
	200	* are initialized by InstallSyscallsHooks() that must be called prior to this function.
	201	*
	202	* NOTE: Called once during driver initialization (DriverEntry()).
	203	*
	204	* Parameters:
	205	* None.
	206	*
	207	* Returns:
	208	* TRUE to indicate success, FALSE if failed.
	209	*/
	210
	211	BOOLEAN
	212	InitVdmHooks()
	213	{
	214	if ( (OriginalNtSetLdtEntries = (fpZwSetLdtEntries) ZwCalls[ZW_SET_LDT_ENTRIES_INDEX].OriginalFunction) == NULL)
	215	{
	216	LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("InitVdmHooks: OriginalNtSetLdtEntries is NULL\n"));
	217	return FALSE;
	218	}
	219
	220	if ( (OriginalNtVdmControl = (fpZwVdmControl) ZwCalls[ZW_VDM_CONTROL_INDEX].OriginalFunction) == NULL)
	221	{
	222	LOG(LOG_SS_VDM, LOG_PRIORITY_DEBUG, ("InitVdmHooks: OriginalNtVdmControl is NULL\n"));
	223	return FALSE;
	224	}
	225
	226	return TRUE;
	227	}