From 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 Mon Sep 17 00:00:00 2001
From: tumagonx
Date: Tue, 8 Aug 2017 10:54:53 +0700
Subject: initial commit

---
 hookproc.h | 460 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 460 insertions(+)
 create mode 100644 hookproc.h

(limited to 'hookproc.h')

diff --git a/hookproc.h b/hookproc.h
new file mode 100644
index 0000000..7756d23
--- /dev/null
+++ b/hookproc.h
@@ -0,0 +1,460 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *		hookproc.h
+ *
+ * Abstract:
+ *
+ *		This module definies various types used by service operation (system call) hooking routines.
+ *
+ * Author:
+ *
+ *		Eugene Tsyrklevich 16-Feb-2004
+ *
+ * Revision History:
+ *
+ *		None.
+ */
+
+
+#ifndef __HOOKPROC_H__
+#define __HOOKPROC_H__
+
+
+#include "userland.h"
+
+
+/* should the following calls be intercepted? */
+
+#define	HOOK_EVENT		1
+#define	HOOK_FILE		1
+#define	HOOK_DIROBJ		1
+#define	HOOK_JOB		1
+#define	HOOK_NETWORK	1
+#define	HOOK_MUTANT		1
+#define	HOOK_PORT		1
+#define	HOOK_PROCESS	1
+#define	HOOK_REGISTRY	1
+#define	HOOK_SECTION	1
+#define	HOOK_SEMAPHORE	1
+#define	HOOK_SYMLINK	1
+#define	HOOK_SYSINFO	1
+#define	HOOK_TIME		1
+#define	HOOK_TIMER		1
+#define	HOOK_TOKEN		1
+#define	HOOK_DRIVEROBJ	1
+#define	HOOK_ATOM		1
+#define	HOOK_VDM		1
+#define	HOOK_SYSCALLS	0
+#define	HOOK_DEBUG		1
+#define	HOOK_MEDIA		1
+#define	HOOK_BOPROT		0
+
+
+#pragma pack(push, 1)
+typedef struct _SERVICE_TABLE_DESCRIPTOR {
+
+	PULONG	ServiceTableBase;		/* table of function pointers		*/
+	PVOID	ServiceCounterTable;	/* used in checked build only		*/
+	ULONG	NumberOfServices;		/* number of services in this table	*/
+	/* extra LONG on IA64 goes here */
+	PVOID	ParamTableBase;			/* number of parameters				*/
+
+} SERVICE_TABLE_DESCRIPTOR, *PSERVICE_TABLE_DESCRIPTOR;
+#pragma pack(pop)
+
+
+/*
+ * The Service Descriptor Table index (4 bytes following the mov opcode)
+ *
+ * The index format is as follows:
+ *
+ * Leading 18 bits are all zeroes
+ * Following 2 bits are system service table index (3 bits on Win64)
+ * Following 12 bits are service number
+ */
+
+#define	SERVICE_TABLE_INDEX_BITS	2
+#define	NUMBER_SERVICE_TABLES		(1 << SERVICE_TABLE_INDEX_BITS)
+
+#define	SERVICE_ID_NUMBER_BITS		12
+#define	SERVICE_ID_NUMBER_MASK		((1 << SERVICE_ID_NUMBER_BITS) - 1)
+
+
+/*
+ * The kernel's service descriptor table, which is used to find the address
+ * of the service dispatch tables to use for a service ID.
+ *
+ * Descriptor 0 is used for core services (NTDLL)
+ * Descriptor 1 is used for GUI services (WIN32K)
+ * Descriptors 2 and 3 are unused on current versions of Windows NT.
+ */
+
+__declspec(dllimport) SERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable[NUMBER_SERVICE_TABLES];
+
+
+/*
+ * not exported
+ */
+
+//PSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTableShadow;
+
+
+
+void SystemCallHandler0(); void SystemCallHandler1(); void SystemCallHandler2(); void SystemCallHandler3();
+void SystemCallHandler4(); void SystemCallHandler5(); void SystemCallHandler6(); void SystemCallHandler7();
+void SystemCallHandler8(); void SystemCallHandler9(); void SystemCallHandler10(); void SystemCallHandler11();
+void SystemCallHandler12(); void SystemCallHandler13(); void SystemCallHandler14(); void SystemCallHandler15();
+void SystemCallHandler16(); void SystemCallHandler17(); void SystemCallHandler18(); void SystemCallHandler19();
+void SystemCallHandler20(); void SystemCallHandler21(); void SystemCallHandler22(); void SystemCallHandler23();
+void SystemCallHandler24(); void SystemCallHandler25(); void SystemCallHandler26(); void SystemCallHandler27();
+void SystemCallHandler28(); void SystemCallHandler29(); void SystemCallHandler30(); void SystemCallHandler31();
+void SystemCallHandler32(); void SystemCallHandler33(); void SystemCallHandler34(); void SystemCallHandler35();
+void SystemCallHandler36(); void SystemCallHandler37(); void SystemCallHandler38(); void SystemCallHandler39();
+void SystemCallHandler40(); void SystemCallHandler41(); void SystemCallHandler42(); void SystemCallHandler43();
+void SystemCallHandler44(); void SystemCallHandler45(); void SystemCallHandler46(); void SystemCallHandler47();
+void SystemCallHandler48(); void SystemCallHandler49(); void SystemCallHandler50(); void SystemCallHandler51();
+void SystemCallHandler52(); void SystemCallHandler53(); void SystemCallHandler54(); void SystemCallHandler55();
+void SystemCallHandler56(); void SystemCallHandler57(); void SystemCallHandler58(); void SystemCallHandler59();
+void SystemCallHandler60(); void SystemCallHandler61(); void SystemCallHandler62(); void SystemCallHandler63();
+void SystemCallHandler64(); void SystemCallHandler65(); void SystemCallHandler66(); void SystemCallHandler67();
+void SystemCallHandler68(); void SystemCallHandler69(); void SystemCallHandler70(); void SystemCallHandler71();
+void SystemCallHandler72(); void SystemCallHandler73(); void SystemCallHandler74(); void SystemCallHandler75();
+void SystemCallHandler76(); void SystemCallHandler77(); void SystemCallHandler78(); void SystemCallHandler79();
+void SystemCallHandler80(); void SystemCallHandler81(); void SystemCallHandler82(); void SystemCallHandler83();
+void SystemCallHandler84(); void SystemCallHandler85(); void SystemCallHandler86(); void SystemCallHandler87();
+void SystemCallHandler88(); void SystemCallHandler89(); void SystemCallHandler90(); void SystemCallHandler91();
+void SystemCallHandler92(); void SystemCallHandler93(); void SystemCallHandler94(); void SystemCallHandler95();
+void SystemCallHandler96(); void SystemCallHandler97(); void SystemCallHandler98(); void SystemCallHandler99();
+void SystemCallHandler100(); void SystemCallHandler101(); void SystemCallHandler102(); void SystemCallHandler103();
+void SystemCallHandler104(); void SystemCallHandler105(); void SystemCallHandler106(); void SystemCallHandler107();
+void SystemCallHandler108(); void SystemCallHandler109(); void SystemCallHandler110(); void SystemCallHandler111();
+void SystemCallHandler112(); void SystemCallHandler113(); void SystemCallHandler114(); void SystemCallHandler115();
+void SystemCallHandler116(); void SystemCallHandler117(); void SystemCallHandler118(); void SystemCallHandler119();
+void SystemCallHandler120(); void SystemCallHandler121(); void SystemCallHandler122(); void SystemCallHandler123();
+void SystemCallHandler124(); void SystemCallHandler125(); void SystemCallHandler126(); void SystemCallHandler127();
+void SystemCallHandler128(); void SystemCallHandler129(); void SystemCallHandler130(); void SystemCallHandler131();
+void SystemCallHandler132(); void SystemCallHandler133(); void SystemCallHandler134(); void SystemCallHandler135();
+void SystemCallHandler136(); void SystemCallHandler137(); void SystemCallHandler138(); void SystemCallHandler139();
+void SystemCallHandler140(); void SystemCallHandler141(); void SystemCallHandler142(); void SystemCallHandler143();
+void SystemCallHandler144(); void SystemCallHandler145(); void SystemCallHandler146(); void SystemCallHandler147();
+void SystemCallHandler148(); void SystemCallHandler149(); void SystemCallHandler150(); void SystemCallHandler151();
+void SystemCallHandler152(); void SystemCallHandler153(); void SystemCallHandler154(); void SystemCallHandler155();
+void SystemCallHandler156(); void SystemCallHandler157(); void SystemCallHandler158(); void SystemCallHandler159();
+void SystemCallHandler160(); void SystemCallHandler161(); void SystemCallHandler162(); void SystemCallHandler163();
+void SystemCallHandler164(); void SystemCallHandler165(); void SystemCallHandler166(); void SystemCallHandler167();
+void SystemCallHandler168(); void SystemCallHandler169(); void SystemCallHandler170(); void SystemCallHandler171();
+void SystemCallHandler172(); void SystemCallHandler173(); void SystemCallHandler174(); void SystemCallHandler175();
+void SystemCallHandler176(); void SystemCallHandler177(); void SystemCallHandler178(); void SystemCallHandler179();
+void SystemCallHandler180(); void SystemCallHandler181(); void SystemCallHandler182(); void SystemCallHandler183();
+void SystemCallHandler184(); void SystemCallHandler185(); void SystemCallHandler186(); void SystemCallHandler187();
+void SystemCallHandler188(); void SystemCallHandler189(); void SystemCallHandler190(); void SystemCallHandler191();
+void SystemCallHandler192(); void SystemCallHandler193(); void SystemCallHandler194(); void SystemCallHandler195();
+void SystemCallHandler196(); void SystemCallHandler197(); void SystemCallHandler198(); void SystemCallHandler199();
+void SystemCallHandler200(); void SystemCallHandler201(); void SystemCallHandler202(); void SystemCallHandler203();
+void SystemCallHandler204(); void SystemCallHandler205(); void SystemCallHandler206(); void SystemCallHandler207();
+void SystemCallHandler208(); void SystemCallHandler209(); void SystemCallHandler210(); void SystemCallHandler211();
+void SystemCallHandler212(); void SystemCallHandler213(); void SystemCallHandler214(); void SystemCallHandler215();
+void SystemCallHandler216(); void SystemCallHandler217(); void SystemCallHandler218(); void SystemCallHandler219();
+void SystemCallHandler220(); void SystemCallHandler221(); void SystemCallHandler222(); void SystemCallHandler223();
+void SystemCallHandler224(); void SystemCallHandler225(); void SystemCallHandler226(); void SystemCallHandler227();
+void SystemCallHandler228(); void SystemCallHandler229(); void SystemCallHandler230(); void SystemCallHandler231();
+void SystemCallHandler232(); void SystemCallHandler233(); void SystemCallHandler234(); void SystemCallHandler235();
+void SystemCallHandler236(); void SystemCallHandler237(); void SystemCallHandler238(); void SystemCallHandler239();
+void SystemCallHandler240(); void SystemCallHandler241(); void SystemCallHandler242(); void SystemCallHandler243();
+void SystemCallHandler244(); void SystemCallHandler245(); void SystemCallHandler246(); void SystemCallHandler247();
+void SystemCallHandler248(); void SystemCallHandler249(); void SystemCallHandler250(); void SystemCallHandler251();
+void SystemCallHandler252(); void SystemCallHandler253(); void SystemCallHandler254(); void SystemCallHandler255();
+void SystemCallHandler256(); void SystemCallHandler257(); void SystemCallHandler258(); void SystemCallHandler259();
+void SystemCallHandler260(); void SystemCallHandler261(); void SystemCallHandler262(); void SystemCallHandler263();
+void SystemCallHandler264(); void SystemCallHandler265(); void SystemCallHandler266(); void SystemCallHandler267();
+void SystemCallHandler268(); void SystemCallHandler269(); void SystemCallHandler270(); void SystemCallHandler271();
+void SystemCallHandler272(); void SystemCallHandler273(); void SystemCallHandler274(); void SystemCallHandler275();
+void SystemCallHandler276(); void SystemCallHandler277(); void SystemCallHandler278(); void SystemCallHandler279();
+void SystemCallHandler280(); void SystemCallHandler281(); void SystemCallHandler282(); void SystemCallHandler283();
+void SystemCallHandler284(); void SystemCallHandler285(); void SystemCallHandler286(); void SystemCallHandler287();
+void SystemCallHandler288(); void SystemCallHandler289(); void SystemCallHandler290(); void SystemCallHandler291();
+void SystemCallHandler292(); void SystemCallHandler293(); void SystemCallHandler294();
+
+
+
+// XXX
+// SystemCallHandler macro depends on the size of this structure and the offset of the OriginalFunction!
+
+extern struct _ZwCalls
+{
+	PCHAR			ZwName;				// System call name
+	USHORT			ZwNameLength;		// System call name length
+	USHORT			ServiceIDNumber;	// System call index (filled in at runtime)
+	PULONG_PTR		HookFunction;		// Address of the hijacking function (function that will be called instead of the original system call)
+	PULONG_PTR		OriginalFunction;	// PlaceHolder for the address of the original syscall address
+	BOOLEAN			Hijacked;			// Flag indicating whether we already hijacked this system call
+										// or whether this is a special system service that needs to be hijacked initially
+};
+
+extern struct _ZwCalls ZwCalls[];
+
+
+#define	ZW_ADD_ATOM_INDEX				 8
+
+#define	ZW_ADJUST_TOKEN_INDEX			12
+
+#define	ZW_CONNECT_PORT_INDEX			33
+
+#define	ZW_CREATE_DIRECTORYOBJECT_INDEX	36
+#define	ZW_CREATE_EVENT_INDEX			37
+#define	ZW_CREATE_EVENT_PAIR_INDEX		38
+#define	ZW_CREATE_FILE_INDEX			39
+
+#define	ZW_CREATE_JOBOBJECT_INDEX		41
+
+#define	ZW_CREATE_KEY_INDEX				43
+
+#define	ZW_CREATE_MAILSLOTFILE_INDEX	45
+#define	ZW_CREATE_MUTANT_INDEX			46
+#define	ZW_CREATE_NAMEDPIPEFILE_INDEX	47
+
+#define	ZW_CREATE_PORT_INDEX			49
+#define	ZW_CREATE_PROCESS_INDEX			50
+#define	ZW_CREATE_PROCESSEX_INDEX		51
+
+#define	ZW_CREATE_SECTION_INDEX			53
+#define	ZW_CREATE_SEMAPHORE_INDEX		54
+#define	ZW_CREATE_SYMLINK_INDEX			55
+#define	ZW_CREATE_THREAD_INDEX			56
+#define	ZW_CREATE_TIMER_INDEX			57
+#define	ZW_CREATE_TOKEN_INDEX			58
+#define	ZW_CREATE_WAITPORT_INDEX		59
+#define	ZW_DEBUG_ACTIVEPROCESS_INDEX	60
+
+#define	ZW_DELETE_FILE_INDEX			66
+#define	ZW_DELETE_KEY_INDEX				67
+
+#define	ZW_FIND_ATOM_INDEX				81
+
+#define	ZW_LOAD_DRIVER_INDEX			103
+
+#define	ZW_MAPVIEW_SECTION_INDEX		115
+
+#define	ZW_OPEN_DIRECTORYOBJECT_INDEX	121
+#define	ZW_OPEN_EVENT_INDEX				122
+#define	ZW_OPEN_EVENT_PAIR_INDEX		123
+#define	ZW_OPEN_FILE_INDEX				124
+
+#define	ZW_OPEN_JOBOBJECT_INDEX			126
+#define	ZW_OPEN_KEY_INDEX				127
+
+#define	ZW_OPEN_MUTANT_INDEX			129
+
+#define	ZW_OPEN_PROCESS_INDEX			131
+
+#define	ZW_OPEN_SECTION_INDEX			134
+#define	ZW_OPEN_SEMAPHORE_INDEX			135
+#define	ZW_OPEN_SYMLINK_INDEX			136
+#define	ZW_OPEN_THREAD_INDEX			137
+
+#define	ZW_OPEN_TIMER_INDEX				140
+
+#define	ZW_QUERY_ATTRIBUTES_FILE_INDEX	148
+
+#define	ZW_QUERY_DIRECTORYFILE_INDEX	154
+
+#define	ZW_QUERY_FULLATTR_FILE_INDEX	159
+
+#define	ZW_QUERY_VALUE_KEY_INDEX		189
+
+#define	ZW_SECURECONNECT_PORT_INDEX		223
+
+#define	ZW_SET_INFO_FILE_INDEX			238
+
+#define	ZW_SET_INFO_TOKEN_INDEX			244
+
+#define	ZW_SET_LDT_ENTRIES_INDEX		247
+
+#define	ZW_SET_SYSTEM_INFORMATION_INDEX	254
+
+#define	ZW_SET_SYSTEM_TIME_INDEX		256
+
+#define	ZW_SET_TIMER_RESOLUTION_INDEX	259
+
+#define	ZW_SET_VALUE_KEY_INDEX			261
+
+#define	ZW_UNLOAD_DRIVER_INDEX			276
+
+#define	ZW_VDM_CONTROL_INDEX			283
+
+
+/*
+ * make sure we don't try to unload the driver while a system call is in progress
+ * still not atomic but we shouldn't be unloading this driver in any case
+ */
+
+#if DBG
+
+extern int	HookedRoutineRunning;
+#define	HOOK_ROUTINE_ENTER()			NTSTATUS rc; ACTION_TYPE Action; InterlockedIncrement(&HookedRoutineRunning);
+#define	HOOK_ROUTINE_EXIT(status)		{ InterlockedDecrement(&HookedRoutineRunning); return ((status)); }
+
+extern int	HookedTDIRunning;
+#define	HOOK_TDI_ENTER()			NTSTATUS rc; ACTION_TYPE Action; InterlockedIncrement(&HookedTDIRunning);
+#define	HOOK_TDI_ENTER_NORC()		InterlockedIncrement(&HookedTDIRunning);
+#define	HOOK_TDI_EXIT(status)		{ InterlockedDecrement(&HookedTDIRunning); return ((status)); }
+
+
+#else
+
+
+#define	HOOK_ROUTINE_ENTER()			NTSTATUS rc; ACTION_TYPE Action; 
+#define	HOOK_ROUTINE_EXIT(status)		{ return ((status)); }
+
+#define	HOOK_TDI_ENTER()			NTSTATUS rc; ACTION_TYPE Action;
+#define	HOOK_TDI_ENTER_NORC()		
+#define	HOOK_TDI_EXIT(status)		{ return ((status)); }
+
+#endif
+
+
+/*
+ * Various macros used by most of the hooking routines
+ */
+
+#define	POLICY_CHECK_OPTYPE_NAME(OBJECTTYPE, OPTYPE)								\
+	while (KeGetPreviousMode() == UserMode) {										\
+		UCHAR			OpType = (OPTYPE);											\
+		PWSTR			PolicyFilename = NULL;										\
+		USHORT			PolicyLinenumber = 0;										\
+		UCHAR			RuleNumber = 0;												\
+		LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));						\
+		Action = PolicyCheck(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OpType, &RuleNumber, &PolicyFilename, &PolicyLinenumber);\
+		if (Action & ACTION_ASK)													\
+		{																			\
+			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: (ask) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
+			/*XXX GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);*/	\
+			Action = IssueUserlandAskUserRequest(RULE_##OBJECTTYPE, OpType, OBJECTTYPE##NAME);	\
+		}																			\
+		if ((Action & ACTION_QUIETDENY) == ACTION_QUIETDENY)						\
+		{																			\
+			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: quitely denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
+			HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );								\
+		}																			\
+		else if (Action & ACTION_DENY)												\
+		{																			\
+			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));	\
+			LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action,				\
+			  GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
+			HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );								\
+		}																			\
+		else if (Action & ACTION_LOG)												\
+		{																			\
+			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: (log) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
+			LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action,				\
+			  GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
+		}																			\
+		break;																		\
+	}
+
+
+#define	POLICY_CHECK_OPTYPE(OBJECTTYPE, OPTYPE)										\
+	if (KeGetPreviousMode() == UserMode && GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS) )\
+	{																				\
+		UCHAR			OpType = (OPTYPE);											\
+		PWSTR			PolicyFilename = NULL;										\
+		USHORT			PolicyLinenumber = 0;										\
+		UCHAR			RuleNumber = 0;												\
+		LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));						\
+		Action = PolicyCheck(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OpType, &RuleNumber, &PolicyFilename, &PolicyLinenumber);\
+		if (Action & ACTION_ASK)													\
+		{																			\
+			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: (ask) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
+			GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);	\
+			Action = IssueUserlandAskUserRequest(RULE_##OBJECTTYPE, OpType, OBJECTTYPE##NAME);	\
+		}																			\
+		if ((Action & ACTION_QUIETDENY) == ACTION_QUIETDENY)						\
+		{																			\
+			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: quitely denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
+			HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );								\
+		}																			\
+		else if (Action & ACTION_DENY)												\
+		{																			\
+			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: denying access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));	\
+			GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);	\
+			LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action,				\
+			  GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
+			HOOK_ROUTINE_EXIT( STATUS_ACCESS_DENIED );								\
+		}																			\
+		else if (Action & ACTION_LOG)												\
+		{																			\
+			LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_VERBOSE, ("%d %s: (log) access to %s\n", (ULONG) PsGetCurrentProcessId(), FunctionName, OBJECTTYPE##NAME));		\
+			GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, DO_NOT_RESOLVE_LINKS);	\
+			LogAlert(ALERT_SS_##OBJECTTYPE, OpType, RuleNumber, Action,				\
+			  GetObjectAccessAlertPriority(ALERT_SS_##OBJECTTYPE, OpType, Action), PolicyFilename, PolicyLinenumber, OBJECTTYPE##NAME);\
+		}																			\
+	}
+
+
+#define	POLICY_CHECK(OBJECTTYPE)	POLICY_CHECK_OPTYPE(OBJECTTYPE, Get_##OBJECTTYPE##_OperationType(DesiredAccess))
+
+
+
+#define	HOOK_ROUTINE_START_OPTYPE(OBJECTTYPE, OPTYPE)										\
+	CHAR		OBJECTTYPE##NAME[MAX_PATH];													\
+	HOOK_ROUTINE_ENTER();																	\
+	if (LearningMode == FALSE)																\
+	{																						\
+		POLICY_CHECK_OPTYPE(OBJECTTYPE, OPTYPE);											\
+	}
+
+
+#define	HOOK_ROUTINE_START(OBJECTTYPE)	HOOK_ROUTINE_START_OPTYPE(OBJECTTYPE, Get_##OBJECTTYPE##_OperationType(DesiredAccess))
+
+
+#define	HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE, OBJECTNAME, OPTYPE)								\
+	if (LearningMode == TRUE /*&& NT_SUCCESS(rc)*/)															\
+	{																										\
+		if (OBJECTNAME)																						\
+		{																									\
+			AddRule(RULE_##OBJECTTYPE, OBJECTTYPE##NAME, OPTYPE);											\
+		}																									\
+		else																								\
+		{																									\
+			/*LOG(LOG_SS_##OBJECTTYPE, LOG_PRIORITY_DEBUG, ("%d %s: GetPathFromOA() failed. status=%x\n", (ULONG) PsGetCurrentProcessId(), FunctionName, rc));*/	\
+		}																									\
+	}																										\
+	HOOK_ROUTINE_EXIT(rc);
+
+
+#define	HOOK_ROUTINE_FINISH_OPTYPE(OBJECTTYPE, OPTYPE)												\
+		HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE,											\
+											  GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS),	\
+											  OPTYPE)
+
+#define	HOOK_ROUTINE_FINISH(OBJECTTYPE)																\
+		HOOK_ROUTINE_FINISH_OBJECTNAME_OPTYPE(OBJECTTYPE,											\
+											  GetPathFromOA(ObjectAttributes, OBJECTTYPE##NAME, MAX_PATH, RESOLVE_LINKS),	\
+											  Get_##OBJECTTYPE##_OperationType(DesiredAccess))
+
+
+
+//#define	USE_DEFAULT_HOOK_FUNCTION	NULL
+
+
+extern PCHAR	NTDLL_Base;
+extern int		ZwCallsNumber;
+
+
+PVOID	HookSystemService(PVOID OldService, PVOID NewService);
+PVOID	HookSystemServiceByIndex(ULONG ServiceIDNumber, PVOID NewService);
+BOOLEAN	HookSystemServiceByName(PCHAR ServiceName, PULONG_PTR HookFunction);
+
+BOOLEAN	InitSyscallsHooks();
+BOOLEAN	InstallSyscallsHooks();
+void	RemoveSyscallsHooks();
+
+int		FindZwFunctionIndex(PCSTR Name);
+PVOID	FindFunctionBase(PCHAR ImageBase, PCSTR Name);
+ULONG	FindSystemServiceNumber(PCHAR ServiceName);
+
+
+#endif	/* __HOOKPROC_H__ */
\ No newline at end of file
-- 
cgit v1.3