From 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 Mon Sep 17 00:00:00 2001
From: tumagonx
Date: Tue, 8 Aug 2017 10:54:53 +0700
Subject: initial commit
---
 driverobj.c | 205 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 205 insertions(+)
 create mode 100644 driverobj.c
(limited to 'driverobj.c')
diff --git a/driverobj.c b/driverobj.c
new file mode 100644
index 0000000..9b159d4
--- /dev/null
+++ b/driverobj.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ * driverobj.c
+ *
+ * Abstract:
+ *
+ * This module implements various driver object hooking routines.
+ *
+ * Author:
+ *
+ * Eugene Tsyrklevich 06-Apr-2004
+ *
+ * Revision History:
+ *
+ * None.
+ */
+
+
+#include "driverobj.h"
+
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text (INIT, InitDriverObjectHooks)
+#endif
+
+
+fpZwLoadDriver OriginalNtLoadDriver = NULL;
+fpZwUnloadDriver OriginalNtUnloadDriver = NULL;
+
+
+/*
+ * HookedNtLoadDriver()
+ *
+ * Description:
+ * This function mediates the NtLoadDriver() system service and checks the
+ * provided driver object name against the global and current process security policies.
+ *
+ * NOTE: ZwLoadDriver loads a device driver. [NAR]
+ *
+ * Parameters:
+ * Those of NtLoadDriver().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtLoadDriver().
+ */
+
+NTSTATUS
+NTAPI
+HookedNtLoadDriver
+(
+ IN PUNICODE_STRING DriverServiceName
+)
+{
+ PCHAR FunctionName = "HookedNtLoadDriver";
+ UNICODE_STRING usDriverName;
+ ANSI_STRING AnsiDriverName;
+ CHAR DRIVERNAME[MAX_PATH];
+
+
+ HOOK_ROUTINE_ENTER();
+
+
+ if (!VerifyUnicodeString(DriverServiceName, &usDriverName))
+ {
+ LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtLoadDriver: VerifyUnicodeString(%x) failed\n", DriverServiceName));
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+ }
+
+
+ if (_snprintf(DRIVERNAME, MAX_PATH, "%S", usDriverName.Buffer) < 0)
+ {
+ LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("%s: Driver name '%S' is too long\n", FunctionName, usDriverName.Buffer));
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+ }
+
+
+ LOG(LOG_SS_DRIVER, LOG_PRIORITY_VERBOSE, ("HookedNtLoadDriver: %s\n", DRIVERNAME));
+
+
+ if (LearningMode == FALSE)
+ {
+ POLICY_CHECK_OPTYPE_NAME(DRIVER, OP_REGLOAD);
+ }
+
+
+ ASSERT(OriginalNtLoadDriver);
+
+ rc = OriginalNtLoadDriver(DriverServiceName);
+
+
+ HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(DRIVER, DRIVERNAME, OP_REGLOAD);
+}
+
+
+
+/*
+ * HookedNtUnloadDriver()
+ *
+ * Description:
+ * This function mediates the NtUnloadDriver() system service and checks the
+ * provided driver object name against the global and current process security policies.
+ *
+ * NOTE: ZwUnloadDriver unloads a device driver. [NAR]
+ *
+ * Parameters:
+ * Those of NtUnloadDriver().
+ *
+ * Returns:
+ * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
+ * Otherwise, NTSTATUS returned by NtUnloadDriver().
+ */
+
+//XXX cannot mediate this function if we want to be able to unload our own driver
+/* uncomment originalfunction pointer code in Init() routine and hookproc.c hook to enable
+NTSTATUS
+NTAPI
+HookedNtUnloadDriver
+(
+ IN PUNICODE_STRING DriverServiceName
+)
+{
+ PCHAR FunctionName = "HookedNtUnloadDriver";
+ UNICODE_STRING usDriverName;
+ ANSI_STRING AnsiDriverName;
+ CHAR DRIVERNAME[MAX_PATH];
+
+
+ HOOK_ROUTINE_ENTER();
+
+
+ if (!VerifyUnicodeString(DriverServiceName, &usDriverName))
+ {
+ LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtUnloadDriver: VerifyUnicodeString failed\n"));
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+ }
+
+ AnsiDriverName.Length = 0;
+ AnsiDriverName.MaximumLength = MAX_PATH - 1;
+ AnsiDriverName.Buffer = DRIVERNAME;
+
+ if (! NT_SUCCESS(RtlUnicodeStringToAnsiString(&AnsiDriverName, &usDriverName, FALSE)))
+ {
+ LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtUnloadDriver: RtlUnicodeStringToAnsiString failed\n"));
+ HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );
+ }
+
+ DRIVERNAME[AnsiDriverName.Length] = 0;
+
+
+ LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("HookedNtUnloadDriver: %s\n", DRIVERNAME));
+
+
+ if (LearningMode == FALSE)
+ {
+ POLICY_CHECK_OPTYPE_NAME(DRIVER, OP_UNLOAD);
+ }
+
+
+ ASSERT(OriginalNtUnloadDriver);
+
+ rc = OriginalNtUnloadDriver(DriverServiceName);
+
+
+ HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(DRIVER, DRIVERNAME, OP_UNLOAD);
+}
+*/
+
+
+/*
+ * InitDriverHooks()
+ *
+ * Description:
+ * Initializes all the mediated driver object operation pointers. The "OriginalFunction" pointers
+ * are initialized by InstallSyscallsHooks() that must be called prior to this function.
+ *
+ * NOTE: Called once during driver initialization (DriverEntry()).
+ *
+ * Parameters:
+ * None.
+ *
+ * Returns:
+ * TRUE to indicate success, FALSE if failed.
+ */
+
+BOOLEAN
+InitDriverObjectHooks()
+{
+ if ( (OriginalNtLoadDriver = (fpZwLoadDriver) ZwCalls[ZW_LOAD_DRIVER_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("InitDriverHooks: OriginalNtLoadDriver is NULL\n"));
+ return FALSE;
+ }
+/*
+ if ( (OriginalNtUnloadDriver = (fpZwUnloadDriver) ZwCalls[ZW_UNLOAD_DRIVER_INDEX].OriginalFunction) == NULL)
+ {
+ LOG(LOG_SS_DRIVER, LOG_PRIORITY_DEBUG, ("InitDriverHooks: OriginalNtUnloadDriver is NULL\n"));
+ return FALSE;
+ }
+*/
+ return TRUE;
+}
-- cgit v1.3
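Review bot: HookedNtLoadDriver evaluates the policy against one read of the caller-supplied string but then hands the original pointer to the real service, `rc = OriginalNtLoadDriver(DriverServiceName);`, so the name is fetched a second time from whatever memory the caller passed and a concurrent writer can swap it between the check and the load — a classic double-fetch that turns the mediation into a bypassable policy check. If VerifyUnicodeString leaves a kernel-owned copy in usDriverName, the mediated call should consume that copy, `rc = OriginalNtLoadDriver(&usDriverName);`, otherwise the hook needs to capture the string into its own buffer before checking it. Separately, `_snprintf(DRIVERNAME, MAX_PATH, "%S", usDriverName.Buffer)` ignores usDriverName.Length and relies on Buffer being NUL-terminated, which a UNICODE_STRING does not guarantee, and with the NT `_snprintf` semantics a name of exactly MAX_PATH characters returns a non-negative count while leaving DRIVERNAME unterminated for the following `%s` LOG and the policy macro; the Length-bounded RtlUnicodeStringToAnsiString path already written in the commented-out HookedNtUnloadDriver avoids both, or at minimum reject `n < 0 || n >= MAX_PATH`. The debug line `VerifyUnicodeString(%x) failed` also formats a pointer with `%x`, which truncates on 64-bit builds and leaks a kernel address into the log; `%p` is the intended specifier.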