From 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 Mon Sep 17 00:00:00 2001 From: tumagonx Date: Tue, 8 Aug 2017 10:54:53 +0700 Subject: initial commit --- event.c | 259 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 259 insertions(+) create mode 100644 event.c (limited to 'event.c') diff --git a/event.c b/event.c new file mode 100644 index 0000000..23fa528 --- /dev/null +++ b/event.c @@ -0,0 +1,259 @@ +/* + * Copyright (c) 2004 Security Architects Corporation. All rights reserved. + * + * Module Name: + * + * event.c + * + * Abstract: + * + * This module implements various event hooking routines. + * + * Author: + * + * Eugene Tsyrklevich 09-Mar-2004 + * + * Revision History: + * + * None. + */ + + +#include +#include "event.h" +#include "policy.h" +#include "pathproc.h" +#include "hookproc.h" +#include "accessmask.h" +#include "learn.h" +#include "log.h" + + +#ifdef ALLOC_PRAGMA +#pragma alloc_text (INIT, InitEventHooks) +#endif + + +fpZwCreateEventPair OriginalNtCreateEventPair = NULL; +fpZwOpenEventPair OriginalNtOpenEventPair = NULL; + +fpZwCreateEvent OriginalNtCreateEvent = NULL; +fpZwOpenEvent OriginalNtOpenEvent = NULL; + + +/* + * HookedNtCreateEvent() + * + * Description: + * This function mediates the NtCreateEvent() system service and checks the + * provided event name against the global and current process security policies. + * + * NOTE: ZwCreateEvent creates or opens an event object. [NAR] + * + * Parameters: + * Those of NtCreateEvent(). + * + * Returns: + * STATUS_ACCESS_DENIED if the call does not pass the security policy check. + * Otherwise, NTSTATUS returned by NtCreateEvent(). + */ + +NTSTATUS +NTAPI +HookedNtCreateEvent +( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN EVENT_TYPE EventType, + IN BOOLEAN InitialState +) +{ + PCHAR FunctionName = "HookedNtCreateEvent"; + + + HOOK_ROUTINE_START(EVENT); + + + ASSERT(OriginalNtCreateEvent); + + rc = OriginalNtCreateEvent(EventHandle, DesiredAccess, ObjectAttributes, EventType, InitialState); + + + HOOK_ROUTINE_FINISH(EVENT); +} + + + +/* + * HookedNtOpenEvent() + * + * Description: + * This function mediates the NtOpenEvent() system service and checks the + * provided event name against the global and current process security policies. + * + * NOTE: ZwOpenEvent opens an event object. [NAR] + * + * Parameters: + * Those of NtOpenEvent(). + * + * Returns: + * STATUS_ACCESS_DENIED if the call does not pass the security policy check. + * Otherwise, NTSTATUS returned by NtOpenEvent(). + */ + +NTSTATUS +NTAPI +HookedNtOpenEvent +( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes +) +{ + PCHAR FunctionName = "HookedNtOpenEvent"; + + + HOOK_ROUTINE_START(EVENT); + + + ASSERT(OriginalNtOpenEvent); + + rc = OriginalNtOpenEvent(EventHandle, DesiredAccess, ObjectAttributes); + + + HOOK_ROUTINE_FINISH(EVENT); +} + + + +/* + * HookedNtCreateEventPair() + * + * Description: + * This function mediates the NtCreateEventPair() system service and checks the + * provided eventpair name against the global and current process security policies. + * + * NOTE: ZwCreateEventPair creates or opens an event pair object. [NAR] + * + * Parameters: + * Those of NtCreateEventPair(). + * + * Returns: + * STATUS_ACCESS_DENIED if the call does not pass the security policy check. + * Otherwise, NTSTATUS returned by NtCreateEventPair(). + */ + +NTSTATUS +NTAPI +HookedNtCreateEventPair +( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes +) +{ + PCHAR FunctionName = "HookedNtCreateEventPair"; + + + HOOK_ROUTINE_START(EVENT); + + + ASSERT(OriginalNtCreateEventPair); + + rc = OriginalNtCreateEventPair(EventPairHandle, DesiredAccess, ObjectAttributes); + + + HOOK_ROUTINE_FINISH(EVENT); +} + + + + +/* + * HookedNtOpenEventPair() + * + * Description: + * This function mediates the NtOpenEventPair() system service and checks the + * provided event name against the global and current process security policies. + * + * NOTE: ZwOpenEventPair opens an event pair object. [NAR] + * + * Parameters: + * Those of NtOpenEventPair(). + * + * Returns: + * STATUS_ACCESS_DENIED if the call does not pass the security policy check. + * Otherwise, NTSTATUS returned by NtOpenEventPair(). + */ + +NTSTATUS +NTAPI +HookedNtOpenEventPair +( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes +) +{ + PCHAR FunctionName = "HookedNtOpenEventPair"; + + + HOOK_ROUTINE_START(EVENT); + + + ASSERT(OriginalNtOpenEventPair); + + rc = OriginalNtOpenEventPair(EventPairHandle, DesiredAccess, ObjectAttributes); + + + HOOK_ROUTINE_FINISH(EVENT); +} + + + +/* + * InitEventHooks() + * + * Description: + * Initializes all the mediated event operation pointers. The "OriginalFunction" pointers + * are initialized by InstallSyscallsHooks() that must be called prior to this function. + * + * NOTE: Called once during driver initialization (DriverEntry()). + * + * Parameters: + * None. + * + * Returns: + * TRUE to indicate success, FALSE if failed. + */ + +BOOLEAN +InitEventHooks() +{ + if ( (OriginalNtCreateEventPair = (fpZwCreateEventPair) ZwCalls[ZW_CREATE_EVENT_PAIR_INDEX].OriginalFunction) == NULL) + { + LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtCreateEventPair is NULL\n")); + return FALSE; + } + + if ( (OriginalNtOpenEventPair = (fpZwOpenEventPair) ZwCalls[ZW_OPEN_EVENT_PAIR_INDEX].OriginalFunction) == NULL) + { + LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtOpenEventPair is NULL\n")); + return FALSE; + } + + if ( (OriginalNtCreateEvent = (fpZwCreateEvent) ZwCalls[ZW_CREATE_EVENT_INDEX].OriginalFunction) == NULL) + { + LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtCreateEvent is NULL\n")); + return FALSE; + } + + if ( (OriginalNtOpenEvent = (fpZwOpenEvent) ZwCalls[ZW_OPEN_EVENT_INDEX].OriginalFunction) == NULL) + { + LOG(LOG_SS_EVENT, LOG_PRIORITY_DEBUG, ("InitEventHooks: OriginalNtOpenEvent is NULL\n")); + return FALSE; + } + + return TRUE; +} -- cgit v1.3