/*
 * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
 *
 * Module Name:
 *
 *		log.h
 *
 * Abstract:
 *
 *		This module defines various macros used for logging.
 *
 * Author:
 *
 *		Eugene Tsyrklevich 17-Mar-2004
 *
 * Revision History:
 *
 *		None.
 */


#ifndef __LOG_H__
#define __LOG_H__


#include <NTDDK.h>
#include "ntproto.h"
#include "misc.h"


/*
 * Maximum number of SECURITY_ALERT records the kernel will keep queued
 * before new ones are dropped or refused (NumberOfAlerts, the queue
 * length, is a USHORT, so this bound fits it comfortably).
 */
#define	MAXIMUM_OUTSTANDING_ALERTS	1000

/*
 * Name of the event object in the global \BaseNamedObjects directory.
 * NOTE(review): presumably signalled when an alert is queued so that a
 * user-mode consumer can wake up and drain the queue — confirm against the
 * logging implementation.  Because the name lives in the global object
 * directory it is reachable from user mode; confirm the event is created
 * with a security descriptor that limits who may open and signal it.
 */
#define	LOG_USER_EVENT_NAME	L"\\BaseNamedObjects\\OzoneLogEvent"


/*
 * Logging SubSystems
 *
 * One bit per driver subsystem.  The `subsystem` argument of LOG() is
 * tested against the LOG_SUBSYSTEMS mask below to decide whether a
 * MINIMUM_LOGGING_PRIORITY message is emitted.  Bits 0..29 are in use,
 * which fits a signed int; a future subsystem at bit 31 would need an
 * unsigned literal (1u << 31), since shifting 1 into the sign bit of an
 * int is undefined behaviour.
 */

#define	LOG_SS_DRIVER_INTERNAL			(1 <<  0)
#define	LOG_SS_POLICY					(1 <<  1)
#define	LOG_SS_POLICY_PARSER			(1 <<  2)
#define	LOG_SS_FILE						(1 <<  3)
#define	LOG_SS_DIRECTORY				(1 <<  3)	// same as LOG_SS_FILE, used in HookedNtCreateFile
#define	LOG_SS_SEMAPHORE				(1 <<  4)
#define	LOG_SS_EVENT					(1 <<  5)
#define	LOG_SS_SECTION					(1 <<  6)
#define	LOG_SS_REGISTRY					(1 <<  7)
#define	LOG_SS_PROCESS					(1 <<  8)
#define	LOG_SS_HOOKPROC					(1 <<  9)
#define	LOG_SS_LEARN					(1 << 10)
#define	LOG_SS_PATHPROC					(1 << 11)
#define	LOG_SS_NETWORK					(1 << 12)
#define	LOG_SS_TIME						(1 << 13)
#define	LOG_SS_SYSINFO					(1 << 14)
#define	LOG_SS_JOB						(1 << 15)
#define	LOG_SS_MUTANT					(1 << 16)
#define	LOG_SS_PORT						(1 << 17)
#define	LOG_SS_SYMLINK					(1 << 18)
#define	LOG_SS_TIMER					(1 << 19)
#define	LOG_SS_TOKEN					(1 << 20)
#define	LOG_SS_NAMEDPIPE				(1 << 21)
#define	LOG_SS_MAILSLOT					(1 << 22)
#define	LOG_SS_DRIVER					(1 << 23)
#define	LOG_SS_DIROBJ					(1 << 24)
#define	LOG_SS_ATOM						(1 << 25)
#define	LOG_SS_VDM						(1 << 26)
#define	LOG_SS_DEBUG					(1 << 27)
#define	LOG_SS_DRIVE					(1 << 28)
#define	LOG_SS_MISC						(1 << 29)


/*
 * Subsystems whose MINIMUM_LOGGING_PRIORITY messages LOG() will emit.
 * Messages above that priority are printed regardless of this mask.
 * Every LOG_SS_* bit defined above is currently set; LOG_SS_DIRECTORY is
 * absent from the list only because it shares its bit with LOG_SS_FILE.
 */

#define	LOG_SUBSYSTEMS						(LOG_SS_ATOM			|	\
											LOG_SS_DIROBJ			|	\
											LOG_SS_DRIVER			|	\
											LOG_SS_DRIVER_INTERNAL	|	\
											LOG_SS_EVENT			|	\
											LOG_SS_FILE				|	\
											LOG_SS_HOOKPROC			|	\
											LOG_SS_JOB				|	\
											LOG_SS_LEARN			|	\
											LOG_SS_MAILSLOT			|	\
											LOG_SS_MISC				|	\
											LOG_SS_MUTANT			|	\
											LOG_SS_NAMEDPIPE		|	\
											LOG_SS_NETWORK			|	\
											LOG_SS_PATHPROC			|	\
											LOG_SS_POLICY			|	\
											LOG_SS_POLICY_PARSER	|	\
											LOG_SS_PORT				|	\
											LOG_SS_PROCESS			|	\
											LOG_SS_REGISTRY			|	\
											LOG_SS_SECTION			|	\
											LOG_SS_SEMAPHORE		|	\
											LOG_SS_SYMLINK			|	\
											LOG_SS_SYSINFO			|	\
											LOG_SS_TIME				|	\
											LOG_SS_TIMER			|	\
											LOG_SS_TOKEN			|	\
											LOG_SS_VDM				|	\
											LOG_SS_DRIVE			|	\
											LOG_SS_DEBUG)

/*
 * Message priorities, ordered from least to most severe.  LOG() sends
 * LOG_PRIORITY_WARNING and above to DbgPrint unconditionally; lower
 * priorities go through KdPrint (which the WDK normally compiles out of
 * free builds) and are additionally gated by MINIMUM_LOGGING_PRIORITY
 * and LOG_SUBSYSTEMS.
 */
#define	LOG_PRIORITY_VERBOSE		1
#define	LOG_PRIORITY_DEBUG			2
#define	LOG_PRIORITY_WARNING		3
#define	LOG_PRIORITY_ERROR			4
#define	LOG_PRIORITY_CRITICAL		5


/*
 * Lowest priority LOG() will emit at all.  With the values above, VERBOSE
 * messages are always dropped and DEBUG messages are emitted only for
 * subsystems enabled in LOG_SUBSYSTEMS.
 */
#define	MINIMUM_LOGGING_PRIORITY	LOG_PRIORITY_DEBUG


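/*
 * LOG(subsystem, priority, msg)
 *
 * Emit a debug message to the kernel debugger.
 *
 *   subsystem  one LOG_SS_* bit, or several OR'ed together
 *   priority   one of the LOG_PRIORITY_* values
 *   msg        a parenthesised printf-style argument list, e.g.
 *              ("Foo: %p\n", Ptr).  The format must be a string literal:
 *              DbgPrint/KdPrint interpret conversion specifiers in it, so
 *              caller-supplied text (object names, policy text) must be
 *              passed as a "%s"/"%ws" argument, never as the format.
 *
 * Routing:
 *   priority >= LOG_PRIORITY_WARNING                       -> DbgPrint, always
 *   priority >  MINIMUM_LOGGING_PRIORITY                   -> KdPrint
 *   priority == MINIMUM_LOGGING_PRIORITY and
 *     (subsystem & LOG_SUBSYSTEMS) != 0                     -> KdPrint
 *   anything lower                                          -> dropped
 *
 * Both subsystem and priority are parenthesised in the expansion so that
 * compound arguments (a | b, c ? x : y) are evaluated as written rather
 * than being re-associated with the surrounding & / >= operators.
 * priority is still evaluated more than once, so pass a constant or a
 * side-effect-free expression.
 */
#define	LOG(subsystem, priority, msg)										\
	do {																	\
		if ((priority) >= LOG_PRIORITY_WARNING) {							\
			DbgPrint msg;													\
		} else if ((priority) > MINIMUM_LOGGING_PRIORITY) {					\
			KdPrint(msg);													\
		} else if (((subsystem) & LOG_SUBSYSTEMS) != 0 &&					\
				   (priority) == MINIMUM_LOGGING_PRIORITY) {				\
			KdPrint(msg);													\
		}																	\
	} while (0)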



/*
 * Alert SubSystems (sorted in the same order as RULEs in policy.h)
 *
 * We have an alert subsystem for each category of alert that Ozone generates.
 * (These are mostly the same as RuleTypes plus several extra ones)
 *
 * Unlike the LOG_SS_* bit flags these are small ordinals: the value is
 * stored in SECURITY_ALERT.AlertSubsystem (a UCHAR) and passed to
 * LogAlert() / GetObjectAccessAlertPriority() as AlertSubSystem.  The
 * blank line below presumably separates the values that line up with the
 * policy rule types (0..17) from the extra categories (18..25).
 * NOTE(review): the alert record is presumably read outside the driver, so
 * renumbering these changes the record format — confirm before changing.
 */

#define	ALERT_SS_FILE							0
#define	ALERT_SS_DIRECTORY						1
#define	ALERT_SS_MAILSLOT					    2
#define	ALERT_SS_NAMEDPIPE					    3
#define	ALERT_SS_REGISTRY						4
#define	ALERT_SS_SECTION						5
#define	ALERT_SS_DLL							6
#define	ALERT_SS_EVENT							7
#define	ALERT_SS_SEMAPHORE						8
#define	ALERT_SS_JOB						    9
#define	ALERT_SS_MUTANT						   10
#define	ALERT_SS_PORT						   11
#define	ALERT_SS_SYMLINK					   12
#define	ALERT_SS_TIMER						   13
#define	ALERT_SS_PROCESS					   14
#define	ALERT_SS_DRIVER						   15
#define	ALERT_SS_DIROBJ						   16
#define	ALERT_SS_ATOM						   17

#define	ALERT_SS_NETWORK					   18
#define	ALERT_SS_SERVICE					   19
#define	ALERT_SS_TIME						   20
#define	ALERT_SS_TOKEN						   21
#define	ALERT_SS_SYSCALL					   22
#define	ALERT_SS_VDM						   23
#define	ALERT_SS_DEBUG						   24
#define	ALERT_SS_BOPROT						   25


/*
 * Alert Rules
 *
 * Rule numbers are scoped to their alert subsystem — the PROCESS and BOPROT
 * rules each start again at 1 — so SECURITY_ALERT.AlertRuleNumber is only
 * meaningful together with AlertSubsystem.  ALERT_RULE_NONE presumably
 * marks an alert that is not tied to one of the specific rules below.
 */

#define	ALERT_RULE_NONE							0

#define	ALERT_RULE_PROCESS_EXEC_2EXTS			1		// Executing a binary with more than one extension
#define	ALERT_RULE_PROCESS_EXEC_UNKNOWN			2		// Executing a binary with an unknown extension
#define	ALERT_RULE_PROCESS_EXEC_NOEXT			3		// Executing binary without an extension

#define	ALERT_RULE_BOPROT_INVALIDCALL			1		// System call originating directly from user code


/*
 * Forward declarations for types owned by policy.h, so this header does not
 * have to include it.  ACTION_TYPE is repeated here as a complete typedef;
 * C11 allows that only if policy.h declares exactly the same type
 * (unsigned char).  NOTE(review): forward-declaring an enum without its
 * body (ALERT_PRIORITY) is not standard C and relies on a compiler
 * extension (MSVC and GCC accept it, GCC warns under -pedantic); note that
 * SECURITY_ALERT below stores Priority and Action as UCHAR rather than as
 * these types.
 */
typedef unsigned char ACTION_TYPE;
typedef struct _POLICY_RULE POLICY_RULE, *PPOLICY_RULE;
typedef enum _AlertPriority ALERT_PRIORITY;


#pragma pack(push, 1)
/*
 * One queued alert.  Records are byte-packed (no padding) and of variable
 * length: the fixed header below is followed by several zero-terminated
 * wide strings and a SID, laid out as the commented-out members describe.
 *
 * NOTE(review): Next is a kernel pointer embedded in the packed record, and
 * it also makes the header size depend on the pointer width.  If records are
 * handed to a user-mode consumer verbatim this exposes a kernel address —
 * confirm that the copy-out path skips or zeroes it.
 */
typedef	struct _SECURITY_ALERT
{
	struct _SECURITY_ALERT	*Next;				/* queue link; LogList/LastAlert are presumably head and tail */

	/*
	 * size of the entire alert = sizeof(SECURITY_ALERT) + strlen(ObjectName) + sizeof(SID)
	 * NOTE(review): ProcessName and PolicyName also follow the header (see
	 * below) but are not part of this formula — confirm against the code
	 * that allocates the record.
	 */
	USHORT					Size;
	UCHAR					AlertSubsystem;		/* ALERT_SS_* */
	UCHAR					AlertType;			/* presumably LogAlert()'s OperationType — confirm */
	UCHAR					AlertRuleNumber;	/* ALERT_RULE_*, scoped by AlertSubsystem */
	UCHAR/*ALERT_PRIORITY*/	Priority;
	UCHAR/*ACTION_TYPE*/	Action;				/* UINT8 Action that was taken (denied, logged) */
	ULONG					ProcessId;
	USHORT					ObjectNameLength;	/* NOTE(review): not stated here whether these are bytes or WCHARs */
	USHORT					ProcessNameLength;
	USHORT					PolicyNameLength;
	USHORT					PolicyLineNumber;	/* line of the policy file that produced the alert */

	/* space for ObjectName, ProcessName, PolicyName and SID are dynamically allocated */
	WCHAR					ObjectName[ANYSIZE_ARRAY];

	/* ProcessName follows the zero-terminated ObjectName */
//	WCHAR					ProcessName[ANYSIZE_ARRAY];

	/* PolicyName follows the zero-terminated ProcessName */
//	WCHAR					PolicyName[ANYSIZE_ARRAY];

	/* SID follows the zero-terminated PolicyName */
//	SID_AND_ATTRIBUTES		UserInfo;

} SECURITY_ALERT, *PSECURITY_ALERT;
#pragma pack(pop)


/*
 * Alert queue shared across the driver.  LogList and LastAlert are
 * presumably the head and tail of the singly-linked SECURITY_ALERT list and
 * NumberOfAlerts its current length (bounded by MAXIMUM_OUTSTANDING_ALERTS).
 * NOTE(review): all three are presumably only read or written with
 * gLogSpinLock held — confirm in the implementation before adding callers.
 */
extern KSPIN_LOCK			gLogSpinLock;
extern PSECURITY_ALERT		LogList;
extern PSECURITY_ALERT		LastAlert;
extern USHORT				NumberOfAlerts;


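/*
 * Logging API.  The no-argument functions are declared with (void): an
 * empty parameter list is an obsolescent non-prototype declaration in C11
 * and lets a caller pass arbitrary arguments unchecked.
 */

/* Initialise the logging subsystem; returns FALSE on failure. */
BOOLEAN			InitLog(void);

/* Tear down whatever InitLog() set up. */
VOID			ShutdownLog(void);

/*
 * Queue a SECURITY_ALERT.
 *   AlertSubSystem    ALERT_SS_*
 *   OperationType     presumably stored as SECURITY_ALERT.AlertType — confirm
 *   AlertRuleNumber   ALERT_RULE_*, scoped by AlertSubSystem
 *   ActionTaken       what the driver did with the request (denied, logged)
 *   AlertPriority     severity of the alert
 *   PolicyFilename    wide string naming the policy file that matched
 *   PolicyLineNumber  line in that file
 *   ObjectName        narrow string.  NOTE(review): SECURITY_ALERT stores
 *                     ObjectName as WCHAR, so a conversion must happen in
 *                     the implementation — confirm.
 */
VOID			LogAlert(UCHAR AlertSubSystem, UCHAR OperationType, UCHAR AlertRuleNumber, ACTION_TYPE ActionTaken, ALERT_PRIORITY AlertPriority, PWSTR PolicyFilename, USHORT PolicyLineNumber, PCHAR ObjectName);

/* Priority to attach to an alert for the given subsystem/operation/action. */
ALERT_PRIORITY	GetObjectAccessAlertPriority(UCHAR AlertSubSystem, UCHAR Operation, ACTION_TYPE ActionTaken);

/* Post-boot hook for the logging subsystem; returns FALSE on failure. */
BOOLEAN			LogPostBootup(void);

/* Returns a filtered form of ObjectName for logging; ownership of the result is not stated here. */
PCHAR			FilterObjectName(PCHAR ObjectName);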


#endif	/* __LOG_H__ */