mirror of
https://github.com/JKornev/hidden
synced 2024-06-16 12:08:05 +00:00
Fixes for Code Analysis artifacts
This commit is contained in:
JKornev
parent
da777eb050
commit
d2af2c51e0
@ -10,6 +10,8 @@ PDEVICE_OBJECT g_deviceObject = NULL;
|
||||
|
||||
// =========================================================================================
|
||||
|
||||
_Function_class_(DRIVER_DISPATCH)
|
||||
_Dispatch_type_(IRP_MJ_CREATE)
|
||||
NTSTATUS IrpDeviceCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(DeviceObject);
|
||||
@ -21,6 +23,8 @@ NTSTATUS IrpDeviceCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
_Function_class_(DRIVER_DISPATCH)
|
||||
_Dispatch_type_(IRP_MJ_CLOSE)
|
||||
NTSTATUS IrpDeviceClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(DeviceObject);
|
||||
@ -31,6 +35,9 @@ NTSTATUS IrpDeviceClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
_Function_class_(DRIVER_DISPATCH)
|
||||
_Dispatch_type_(IRP_MJ_CLEANUP)
|
||||
NTSTATUS IrpDeviceCleanup(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(DeviceObject);
|
||||
@ -334,6 +341,8 @@ NTSTATUS GetDriverStateObject(PHid_DriverStatus Packet, USHORT Size, PULONG stat
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
_Function_class_(DRIVER_DISPATCH)
|
||||
_Dispatch_type_(IRP_MJ_DEVICE_CONTROL)
|
||||
NTSTATUS IrpDeviceControlHandler(PDEVICE_OBJECT DeviceObject, PIRP Irp)
|
||||
{
|
||||
PIO_STACK_LOCATION irpStack;
|
||||
|
||||
@ -10,6 +10,8 @@
|
||||
#include "Configs.h"
|
||||
#include "Helper.h"
|
||||
|
||||
#define DRIVER_ALLOC_TAG 'nddH'
|
||||
|
||||
PDRIVER_OBJECT g_driverObject = NULL;
|
||||
|
||||
volatile LONG g_driverActive = FALSE;
|
||||
@ -44,7 +46,7 @@ NTSTATUS InitializeStealthMode(PDRIVER_OBJECT DriverObject, PUNICODE_STRING Regi
|
||||
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = LdrEntry->FullModuleName.Length + NORMALIZE_INCREAMENT;
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, normalized.MaximumLength);
|
||||
normalized.Buffer = (PWCH)ExAllocatePoolWithQuotaTag(PagedPool, normalized.MaximumLength, DRIVER_ALLOC_TAG);
|
||||
|
||||
if (!normalized.Buffer)
|
||||
{
|
||||
@ -56,7 +58,7 @@ NTSTATUS InitializeStealthMode(PDRIVER_OBJECT DriverObject, PUNICODE_STRING Regi
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &LdrEntry->FullModuleName);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -64,7 +66,7 @@ NTSTATUS InitializeStealthMode(PDRIVER_OBJECT DriverObject, PUNICODE_STRING Regi
|
||||
if (!NT_SUCCESS(status))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't hide self registry key\n");
|
||||
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, DRIVER_ALLOC_TAG);
|
||||
|
||||
status = AddHiddenRegKey(RegistryPath, &g_hiddenRegConfigId);
|
||||
if (!NT_SUCCESS(status))
|
||||
@ -75,6 +77,7 @@ NTSTATUS InitializeStealthMode(PDRIVER_OBJECT DriverObject, PUNICODE_STRING Regi
|
||||
|
||||
// =========================================================================================
|
||||
|
||||
_Function_class_(DRIVER_UNLOAD)
|
||||
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(DriverObject);
|
||||
@ -85,6 +88,7 @@ VOID DriverUnload(PDRIVER_OBJECT DriverObject)
|
||||
DestroyPsMonitor();
|
||||
}
|
||||
|
||||
_Function_class_(DRIVER_INITIALIZE)
|
||||
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
@ -377,8 +377,14 @@ BOOLEAN FillDirectoryFromPath(PEXCULE_FILE_PATH path, PUNICODE_STRING filePath)
|
||||
LPWSTR buffer = filePath->Buffer;
|
||||
|
||||
count = filePath->Length / sizeof(WCHAR);
|
||||
for (i = count - 1; i < count; i--)
|
||||
if (count < 1)
|
||||
return FALSE;
|
||||
|
||||
i = count;
|
||||
do
|
||||
{
|
||||
i--;
|
||||
|
||||
if (buffer[i] == L'\\')
|
||||
{
|
||||
if (i + 1 >= count)
|
||||
@ -397,6 +403,7 @@ BOOLEAN FillDirectoryFromPath(PEXCULE_FILE_PATH path, PUNICODE_STRING filePath)
|
||||
return TRUE;
|
||||
}
|
||||
}
|
||||
while (i > 0);
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@ -10,6 +10,8 @@
|
||||
#include "Driver.h"
|
||||
#include "Configs.h"
|
||||
|
||||
#define FSFILTER_ALLOC_TAG 'DHlF'
|
||||
|
||||
NTSTATUS FilterSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType);
|
||||
|
||||
FLT_PREOP_CALLBACK_STATUS FltCreatePreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext);
|
||||
@ -78,8 +80,6 @@ NTSTATUS FilterSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS
|
||||
UNREFERENCED_PARAMETER(VolumeDeviceType);
|
||||
UNREFERENCED_PARAMETER(VolumeFilesystemType);
|
||||
|
||||
PAGED_CODE();
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Entered %d\n", (UINT32)KeGetCurrentIrql());
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
@ -142,7 +142,7 @@ FLT_PREOP_CALLBACK_STATUS FltCreatePreOperation(
|
||||
|
||||
if (neededPrevent)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Create file\\dir operation canceled for: %wZ, %d\n", &Data->Iopb->TargetFileObject->FileName, PsGetCurrentProcessId());
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": Create file\\dir operation canceled for: %wZ, %p\n", &Data->Iopb->TargetFileObject->FileName, PsGetCurrentProcessId());
|
||||
Data->IoStatus.Status = STATUS_NO_SUCH_FILE;
|
||||
return FLT_PREOP_COMPLETE;
|
||||
}
|
||||
@ -155,8 +155,6 @@ FLT_PREOP_CALLBACK_STATUS FltDirCtrlPreOperation(PFLT_CALLBACK_DATA Data, PCFLT_
|
||||
UNREFERENCED_PARAMETER(FltObjects);
|
||||
UNREFERENCED_PARAMETER(CompletionContext);
|
||||
|
||||
PAGED_CODE();
|
||||
|
||||
if (!IsDriverEnabled())
|
||||
return FLT_POSTOP_FINISHED_PROCESSING;
|
||||
|
||||
@ -192,8 +190,6 @@ FLT_POSTOP_CALLBACK_STATUS FltDirCtrlPostOperation(PFLT_CALLBACK_DATA Data, PCFL
|
||||
UNREFERENCED_PARAMETER(CompletionContext);
|
||||
UNREFERENCED_PARAMETER(Flags);
|
||||
|
||||
PAGED_CODE();
|
||||
|
||||
if (!IsDriverEnabled())
|
||||
return FLT_POSTOP_FINISHED_PROCESSING;
|
||||
|
||||
@ -205,7 +201,7 @@ FLT_POSTOP_CALLBACK_STATUS FltDirCtrlPostOperation(PFLT_CALLBACK_DATA Data, PCFL
|
||||
|
||||
if (IsProcessExcluded(PsGetCurrentProcessId()))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %d\n", PsGetCurrentProcessId());
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! process excluded %p\n", PsGetCurrentProcessId());
|
||||
return FLT_POSTOP_FINISHED_PROCESSING;
|
||||
}
|
||||
|
||||
@ -292,7 +288,7 @@ NTSTATUS CleanFileFullDirectoryInformation(PFILE_FULL_DIR_INFORMATION info, PFLT
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
RtlFillMemory(info, sizeof(FILE_FULL_DIR_INFORMATION), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -376,7 +372,7 @@ NTSTATUS CleanFileBothDirectoryInformation(PFILE_BOTH_DIR_INFORMATION info, PFLT
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
RtlFillMemory(info, sizeof(FILE_BOTH_DIR_INFORMATION), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -460,7 +456,7 @@ NTSTATUS CleanFileDirectoryInformation(PFILE_DIRECTORY_INFORMATION info, PFLT_FI
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
RtlFillMemory(info, sizeof(FILE_DIRECTORY_INFORMATION), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -544,7 +540,7 @@ NTSTATUS CleanFileIdFullDirectoryInformation(PFILE_ID_FULL_DIR_INFORMATION info,
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
RtlFillMemory(info, sizeof(FILE_ID_FULL_DIR_INFORMATION), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -628,7 +624,7 @@ NTSTATUS CleanFileIdBothDirectoryInformation(PFILE_ID_BOTH_DIR_INFORMATION info,
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
RtlFillMemory(info, sizeof(FILE_ID_BOTH_DIR_INFORMATION), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -708,7 +704,7 @@ NTSTATUS CleanFileNamesInformation(PFILE_NAMES_INFORMATION info, PFLT_FILE_NAME_
|
||||
retn = TRUE;
|
||||
}
|
||||
|
||||
RtlFillMemory(info, sizeof(info), 0);
|
||||
RtlFillMemory(info, sizeof(FILE_NAMES_INFORMATION), 0);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -856,7 +852,7 @@ NTSTATUS AddHiddenFile(PUNICODE_STRING FilePath, PULONGLONG ObjId)
|
||||
UNICODE_STRING normalized;
|
||||
NTSTATUS status;
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
|
||||
normalized.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, maxBufSize, FSFILTER_ALLOC_TAG);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
|
||||
@ -870,14 +866,14 @@ NTSTATUS AddHiddenFile(PUNICODE_STRING FilePath, PULONGLONG ObjId)
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, FilePath);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, FSFILTER_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": add file:%wZ\n", &normalized);
|
||||
status = AddExcludeListFile(g_excludeFileContext, &normalized, ObjId);
|
||||
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, FSFILTER_ALLOC_TAG);
|
||||
|
||||
return status;
|
||||
}
|
||||
@ -898,7 +894,7 @@ NTSTATUS AddHiddenDir(PUNICODE_STRING DirPath, PULONGLONG ObjId)
|
||||
UNICODE_STRING normalized;
|
||||
NTSTATUS status;
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
|
||||
normalized.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, maxBufSize, FSFILTER_ALLOC_TAG);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
|
||||
@ -912,13 +908,13 @@ NTSTATUS AddHiddenDir(PUNICODE_STRING DirPath, PULONGLONG ObjId)
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, DirPath);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, FSFILTER_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": add dir:%wZ\n", &normalized);
|
||||
status = AddExcludeListDirectory(g_excludeDirectoryContext, &normalized, ObjId);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, FSFILTER_ALLOC_TAG);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -6,6 +6,8 @@
|
||||
#include "Driver.h"
|
||||
#include "Configs.h"
|
||||
|
||||
#define PSMON_ALLOC_TAG 'nMsP'
|
||||
|
||||
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
|
||||
#define SYSTEM_PROCESS_ID (HANDLE)4
|
||||
|
||||
@ -90,7 +92,7 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
|
||||
ExReleaseFastMutex(&g_processTableLock);
|
||||
|
||||
if (!result)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %d\n", destInfo.processId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %p\n", destInfo.processId);
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
@ -119,7 +121,7 @@ OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_O
|
||||
if (OperationInformation->KernelHandle)
|
||||
return OB_PREOP_SUCCESS;
|
||||
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! Process: %d(%d:%d), Oper: %s, Space: %s\n",
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! Process: %p(%p:%p), Oper: %s, Space: %s\n",
|
||||
// PsGetProcessId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
|
||||
// (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
|
||||
// (OperationInformation->KernelHandle ? "kernel" : "user")
|
||||
@ -127,11 +129,11 @@ OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_O
|
||||
|
||||
if (!CheckProtectedOperation(PsGetCurrentProcessId(), PsGetProcessId(OperationInformation->Object)))
|
||||
{
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected process %d\n", PsGetCurrentProcessId());
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected process %p\n", PsGetCurrentProcessId());
|
||||
return OB_PREOP_SUCCESS;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! disallow protected process %d\n", PsGetCurrentProcessId());
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! disallow protected process %p\n", PsGetCurrentProcessId());
|
||||
|
||||
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
|
||||
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION);
|
||||
@ -151,7 +153,7 @@ OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OP
|
||||
if (OperationInformation->KernelHandle)
|
||||
return OB_PREOP_SUCCESS;
|
||||
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": Thread: %d(%d:%d), Oper: %s, Space: %s\n",
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": Thread: %p(%p:%p), Oper: %s, Space: %s\n",
|
||||
// PsGetThreadId(OperationInformation->Object), PsGetCurrentProcessId(), PsGetCurrentThreadId(),
|
||||
// (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE ? "create" : "dup"),
|
||||
// (OperationInformation->KernelHandle ? "kernel" : "user")
|
||||
@ -159,11 +161,11 @@ OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OP
|
||||
|
||||
if (!CheckProtectedOperation(PsGetCurrentProcessId(), PsGetProcessId(OperationInformation->Object)))
|
||||
{
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected thread %d\n", PsGetCurrentProcessId());
|
||||
//DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! allow protected thread %p\n", PsGetCurrentProcessId());
|
||||
return OB_PREOP_SUCCESS;
|
||||
}
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! disallow protected thread %d\n", PsGetCurrentProcessId());
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! disallow protected thread %p\n", PsGetCurrentProcessId());
|
||||
|
||||
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
|
||||
OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = (SYNCHRONIZE | THREAD_QUERY_LIMITED_INFORMATION);
|
||||
@ -262,9 +264,9 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
|
||||
UNREFERENCED_PARAMETER(Process);
|
||||
|
||||
if (CreateInfo)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! new process: %d (%d:%d), %wZ\n", ProcessId, PsGetCurrentProcessId(), PsGetCurrentThreadId(), CreateInfo->ImageFileName);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! new process: %p (%p:%p), %wZ\n", ProcessId, PsGetCurrentProcessId(), PsGetCurrentThreadId(), CreateInfo->ImageFileName);
|
||||
else
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! destroy process: %d (%d:%d)\n", ProcessId, PsGetCurrentProcessId(), PsGetCurrentThreadId());
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": !!!!! destroy process: %p (%p:%p)\n", ProcessId, PsGetCurrentProcessId(), PsGetCurrentThreadId());
|
||||
|
||||
RtlZeroMemory(&entry, sizeof(entry));
|
||||
entry.processId = ProcessId;
|
||||
@ -275,7 +277,7 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
|
||||
UNICODE_STRING normalized;
|
||||
NTSTATUS status;
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
|
||||
normalized.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, maxBufSize, PSMON_ALLOC_TAG);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
|
||||
@ -289,26 +291,26 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, CreateInfo->ImageFileName);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
return;
|
||||
}
|
||||
|
||||
CheckProcessFlags(&entry, &normalized, PsGetCurrentProcessId()/*CreateInfo->ParentProcessId*/);
|
||||
|
||||
if (entry.excluded)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process:%d\n", ProcessId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process:%p\n", ProcessId);
|
||||
|
||||
if (entry.protected)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", ProcessId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%p\n", ProcessId);
|
||||
|
||||
ExAcquireFastMutex(&g_processTableLock);
|
||||
result = AddProcessToProcessTable(&entry);
|
||||
ExReleaseFastMutex(&g_processTableLock);
|
||||
|
||||
if (!result)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", ProcessId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%p) to process table\n", ProcessId);
|
||||
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -317,7 +319,7 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
|
||||
ExReleaseFastMutex(&g_processTableLock);
|
||||
|
||||
if (!result)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%d) from process table\n", ProcessId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%p) from process table\n", ProcessId);
|
||||
}
|
||||
|
||||
}
|
||||
@ -460,7 +462,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
|
||||
// Init normalization buffer
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(NonPagedPool, maxBufSize);
|
||||
normalized.Buffer = (PWCH)ExAllocatePoolWithTag(NonPagedPool, maxBufSize, PSMON_ALLOC_TAG);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
if (!normalized.Buffer)
|
||||
@ -477,7 +479,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process rules initialization failed with code:%08x\n", status);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -506,7 +508,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process rules initialization failed with code:%08x\n", status);
|
||||
DestroyPsRuleListContext(g_excludeProcessRules);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -537,11 +539,11 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
DestroyPsRuleListContext(g_excludeProcessRules);
|
||||
DestroyPsRuleListContext(g_protectProcessRules);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
|
||||
g_psMonitorInited = TRUE;
|
||||
|
||||
@ -647,7 +649,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
|
||||
status = ZwOpenProcess(&hProcess, 0x1000/*PROCESS_QUERY_LIMITED_INFORMATION*/, &attribs, &clientId);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%p) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
offset = processInfo->NextEntryOffset;
|
||||
continue;
|
||||
}
|
||||
@ -657,7 +659,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
|
||||
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": query process information(pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": query process information(pid:%p) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
offset = processInfo->NextEntryOffset;
|
||||
continue;
|
||||
}
|
||||
@ -693,7 +695,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
|
||||
ExReleaseFastMutex(&g_processTableLock);
|
||||
|
||||
if (!result)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update process %d\n", processInfo->ProcessId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update process %p\n", processInfo->ProcessId);
|
||||
}
|
||||
|
||||
FreeInformation(procName);
|
||||
@ -710,7 +712,7 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
|
||||
UNICODE_STRING normalized;
|
||||
NTSTATUS status;
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
|
||||
normalized.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, maxBufSize, PSMON_ALLOC_TAG);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
|
||||
@ -724,7 +726,7 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, ImagePath);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -734,7 +736,7 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
|
||||
if (ApplyForProcesses)
|
||||
SetStateForProcessesByImage(&normalized, FALSE, TRUE);
|
||||
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
|
||||
return status;
|
||||
}
|
||||
@ -810,7 +812,7 @@ NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
|
||||
UNICODE_STRING normalized;
|
||||
NTSTATUS status;
|
||||
|
||||
normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, maxBufSize);
|
||||
normalized.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, maxBufSize, PSMON_ALLOC_TAG);
|
||||
normalized.Length = 0;
|
||||
normalized.MaximumLength = maxBufSize;
|
||||
|
||||
@ -824,7 +826,7 @@ NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, ImagePath);
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -834,7 +836,7 @@ NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
|
||||
if (ApplyForProcesses)
|
||||
SetStateForProcessesByImage(&normalized, TRUE, FALSE);
|
||||
|
||||
ExFreePool(normalized.Buffer);
|
||||
ExFreePoolWithTag(normalized.Buffer, PSMON_ALLOC_TAG);
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -8,6 +8,7 @@ typedef struct _PsRulesInternalContext {
|
||||
FAST_MUTEX tableLock;
|
||||
} PsRulesInternalContext, *PPsRulesInternalContext;
|
||||
|
||||
_Function_class_(RTL_AVL_COMPARE_ROUTINE)
|
||||
RTL_GENERIC_COMPARE_RESULTS ComparePsRuleEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
|
||||
{
|
||||
PPsRuleEntry first = *(PPsRuleEntry*)FirstStruct;
|
||||
@ -27,12 +28,14 @@ RTL_GENERIC_COMPARE_RESULTS ComparePsRuleEntry(struct _RTL_AVL_TABLE *Table, PV
|
||||
return GenericEqual;
|
||||
}
|
||||
|
||||
_Function_class_(RTL_AVL_ALLOCATE_ROUTINE)
|
||||
PVOID AllocatePsRuleEntry(struct _RTL_AVL_TABLE *Table, CLONG ByteSize)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(Table);
|
||||
return ExAllocatePoolWithTag(NonPagedPool, ByteSize, PSRULE_ALLOC_TAG);
|
||||
}
|
||||
|
||||
_Function_class_(RTL_AVL_FREE_ROUTINE)
|
||||
VOID FreePsRuleEntry(struct _RTL_AVL_TABLE *Table, PVOID Buffer)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(Table);
|
||||
|
||||
@ -5,6 +5,7 @@
|
||||
|
||||
RTL_AVL_TABLE g_processTable;
|
||||
|
||||
_Function_class_(RTL_AVL_COMPARE_ROUTINE)
|
||||
RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
|
||||
{
|
||||
PProcessTableEntry first = (PProcessTableEntry)FirstStruct;
|
||||
@ -21,12 +22,14 @@ RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Tab
|
||||
return GenericEqual;
|
||||
}
|
||||
|
||||
_Function_class_(RTL_AVL_ALLOCATE_ROUTINE)
|
||||
PVOID AllocateProcessTableEntry(struct _RTL_AVL_TABLE *Table, CLONG ByteSize)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(Table);
|
||||
return ExAllocatePoolWithTag(NonPagedPool, ByteSize, PSTREE_ALLOC_TAG);
|
||||
}
|
||||
|
||||
_Function_class_(RTL_AVL_FREE_ROUTINE)
|
||||
VOID FreeProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID Buffer)
|
||||
{
|
||||
UNREFERENCED_PARAMETER(Table);
|
||||
@ -122,7 +125,7 @@ NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEnt
|
||||
status = ZwOpenProcess(&hProcess, 0x1000/*PROCESS_QUERY_LIMITED_INFORMATION*/, &attribs, &clientId);
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open process (pid:%p) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
offset = processInfo->NextEntryOffset;
|
||||
continue;
|
||||
}
|
||||
@ -132,7 +135,7 @@ NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEnt
|
||||
|
||||
if (!NT_SUCCESS(status))
|
||||
{
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": query process information(pid:%d) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": query process information(pid:%p) failed with code:%08x\n", processInfo->ProcessId, status);
|
||||
offset = processInfo->NextEntryOffset;
|
||||
continue;
|
||||
}
|
||||
@ -142,20 +145,20 @@ NTSTATUS InitializeProcessTable(VOID(*InitProcessEntryCallback)(PProcessTableEnt
|
||||
RtlZeroMemory(&entry, sizeof(entry));
|
||||
entry.processId = processInfo->ProcessId;
|
||||
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": add process: %d, %wZ\n", processInfo->ProcessId, procName);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": add process: %p, %wZ\n", processInfo->ProcessId, procName);
|
||||
|
||||
InitProcessEntryCallback(&entry, procName, processInfo->InheritedFromProcessId);
|
||||
if (!AddProcessToProcessTable(&entry))
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", processInfo->ProcessId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%p) to process table\n", processInfo->ProcessId);
|
||||
|
||||
if (entry.excluded)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process:%d\n", entry.processId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": excluded process:%p\n", entry.processId);
|
||||
|
||||
if (entry.protected)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", entry.processId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%p\n", entry.processId);
|
||||
|
||||
if (entry.subsystem)
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem process:%d\n", entry.processId);
|
||||
DbgPrint("FsFilter1!" __FUNCTION__ ": subsystem process:%p\n", entry.processId);
|
||||
|
||||
// Go to next
|
||||
|
||||
|
||||
@ -551,6 +551,7 @@ NTSTATUS RegPreQueryMultipleValue(PVOID context, PREG_QUERY_MULTIPLE_VALUE_KEY_I
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
_Function_class_(EX_CALLBACK_FUNCTION)
|
||||
NTSTATUS RegistryFilterCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
|
||||
{
|
||||
REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user