Mirrors/hidden
6
0
Fork 0
mirror of https://github.com/JKornev/hidden synced 2024-06-16 03:58:04 +00:00
Code Issues Projects Releases Wiki Activity

Fix for possible IRQL violations

Browse Source
This commit is contained in:
JKornev 2016-12-29 22:48:37 +03:00
parent 67355c72c4
commit fbae5ffa57
3 changed files with 48 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Hidden/ExcludeList.c
View File

@ -94,7 +94,6 @@ NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, U
{
enum { MAX_PATH_SIZE = 1024 };
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry, head;
UNICODE_STRING temp;
SIZE_T size;
@ -172,7 +171,6 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
{
NTSTATUS status = STATUS_NOT_FOUND;
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
ExAcquireFastMutex(&cntx->listLock);
@ -199,7 +197,6 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
ExAcquireFastMutex(&cntx->listLock);
@ -221,7 +218,6 @@ NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
BOOLEAN result = FALSE;
@ -247,7 +243,6 @@ BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory, dir;
BOOLEAN result = FALSE;
@ -293,7 +288,6 @@ BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory;
BOOLEAN result = FALSE;
@ -331,7 +325,6 @@ BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key)
BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament)
{
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory;
BOOLEAN result = FALSE;

84
Hidden/PsMonitor.c
View File

@ -18,7 +18,7 @@ OB_CALLBACK_REGISTRATION g_regCallback;
PsRulesContext g_excludeProcessRules;
PsRulesContext g_protectProcessRules;
KSPIN_LOCK g_processTableLock;
FAST_MUTEX g_processTableLock;
typedef struct _ProcessListEntry {
LPCWSTR path;
@ -47,7 +47,6 @@ WCHAR g_csrssPathBuffer[CSRSS_PAHT_BUFFER_SIZE];
BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
{
ProcessTableEntry srcInfo, destInfo;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
if (Source == Destination)
@ -55,9 +54,9 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
srcInfo.processId = Source;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&srcInfo);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
return FALSE;
@ -67,11 +66,11 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
// Spinlock is locked once for both Get\Update process table functions
// because we want to prevent situations when another thread can change
// any state of process beetwen get and update functions on this place
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
if (!GetProcessInProcessTable(&destInfo))
{
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
return FALSE;
}
@ -88,7 +87,7 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
result = FALSE;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %d\n", destInfo.processId);
@ -96,7 +95,7 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
return FALSE;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!destInfo.protected)
return FALSE;
@ -178,7 +177,6 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
{
ProcessTableEntry lookup;
ULONG inheritType;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
RtlZeroMemory(&lookup, sizeof(lookup));
@ -203,9 +201,9 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
{
lookup.processId = ParentId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&lookup);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (result)
{
@ -236,9 +234,9 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
{
lookup.processId = ParentId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&lookup);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (result)
{
@ -259,7 +257,6 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
UNREFERENCED_PARAMETER(Process);
@ -304,9 +301,9 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
if (entry.protected)
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", ProcessId);
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = AddProcessToProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", ProcessId);
@ -315,9 +312,9 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
}
else
{
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = RemoveProcessFromProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%d) from process table\n", ProcessId);
@ -328,14 +325,13 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
BOOLEAN IsProcessExcluded(HANDLE ProcessId)
{
ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
return FALSE;
@ -347,14 +343,13 @@ BOOLEAN IsProcessExcluded(HANDLE ProcessId)
BOOLEAN IsProcessProtected(HANDLE ProcessId)
{
ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
return FALSE;
@ -535,7 +530,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
// Process table
KeInitializeSpinLock(&g_processTableLock);
ExInitializeFastMutex(&g_processTableLock);
status = InitializeProcessTable(CheckProcessFlags);
if (!NT_SUCCESS(status))
@ -591,8 +586,6 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
NTSTATUS DestroyPsMonitor()
{
KLOCK_QUEUE_HANDLE lockHandle;
if (!g_psMonitorInited)
return STATUS_ALREADY_DISCONNECTED;
@ -607,9 +600,9 @@ NTSTATUS DestroyPsMonitor()
DestroyPsRuleListContext(g_excludeProcessRules);
DestroyPsRuleListContext(g_protectProcessRules);
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
DestroyProcessTable();
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
g_psMonitorInited = FALSE;
@ -638,7 +631,6 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
OBJECT_ATTRIBUTES attribs;
PUNICODE_STRING procName;
ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
processInfo = (PSYSTEM_PROCESS_INFORMATION)((SIZE_T)processInfo + offset);
@ -678,7 +670,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
// Spinlock is locked once for both Get\Update process table functions
// because we want to prevent situations when another thread can change
// any state of process beetwen get and update functions on this place
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
if (GetProcessInProcessTable(&entry))
{
@ -698,7 +690,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
result = FALSE;
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update process %d\n", processInfo->ProcessId);
@ -750,14 +742,13 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
{
ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
return STATUS_NOT_FOUND;
@ -772,14 +763,13 @@ NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN E
{
NTSTATUS status = STATUS_SUCCESS;
ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
return STATUS_NOT_FOUND;
@ -794,9 +784,9 @@ NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN E
entry.protected = FALSE;
}
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = UpdateProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
return STATUS_NOT_FOUND;
@ -852,14 +842,13 @@ NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
{
ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
return STATUS_NOT_FOUND;
@ -874,14 +863,13 @@ NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN En
{
NTSTATUS status = STATUS_SUCCESS;
ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result;
entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
return STATUS_NOT_FOUND;
@ -896,9 +884,9 @@ NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN En
entry.excluded = FALSE;
}
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
ExAcquireFastMutex(&g_processTableLock);
result = UpdateProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&g_processTableLock);
if (!result)
return STATUS_NOT_FOUND;

29
Hidden/PsRules.c
View File

@ -5,7 +5,7 @@
typedef struct _PsRulesInternalContext {
RTL_AVL_TABLE table;
ULONGLONG idCounter;
KSPIN_LOCK tableLock;
FAST_MUTEX tableLock;
} PsRulesInternalContext, *PPsRulesInternalContext;
RTL_GENERIC_COMPARE_RESULTS ComparePsRuleEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
@ -52,7 +52,7 @@ NTSTATUS InitializePsRuleListContext(PPsRulesContext pRuleContext)
}
context->idCounter = 1;
KeInitializeSpinLock(&context->tableLock);
ExInitializeFastMutex(&context->tableLock);
RtlInitializeGenericTableAvl(&context->table, ComparePsRuleEntry, AllocatePsRuleEntry, FreePsRuleEntry, NULL);
*pRuleContext = context;
@ -68,7 +68,6 @@ VOID DestroyPsRuleListContext(PsRulesContext RuleContext)
NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath, ULONG InheritType, PPsRuleEntryId EntryId)
{
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
KLOCK_QUEUE_HANDLE lockHandle;
NTSTATUS status = STATUS_SUCCESS;
ULONGLONG guid;
PPsRuleEntry entry;
@ -97,11 +96,11 @@ NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath
entry->imagePath.MaximumLength = ImgPath->Length;
RtlCopyUnicodeString(&entry->imagePath, ImgPath);
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
ExAcquireFastMutex(&context->tableLock);
guid = context->idCounter++;
entry->guid = guid;
buf = RtlInsertElementGenericTableAvl(&context->table, entry, entryLen, &newElem);
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&context->tableLock);
if (!buf)
{
@ -123,11 +122,10 @@ NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId Entr
{
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
NTSTATUS status = STATUS_NOT_FOUND;
KLOCK_QUEUE_HANDLE lockHandle;
PPsRuleEntry entry;
PVOID restartKey = NULL;
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
ExAcquireFastMutex(&context->tableLock);
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
entry != NULL;
@ -143,7 +141,7 @@ NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId Entr
}
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&context->tableLock);
return status;
}
@ -152,11 +150,10 @@ NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext)
{
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
NTSTATUS status = STATUS_SUCCESS;
KLOCK_QUEUE_HANDLE lockHandle;
PPsRuleEntry entry;
PVOID restartKey = NULL;
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
ExAcquireFastMutex(&context->tableLock);
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
entry != NULL;
@ -168,7 +165,7 @@ NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext)
restartKey = NULL; // reset enum
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&context->tableLock);
return status;
}
@ -177,11 +174,10 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
{
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
NTSTATUS status = STATUS_NOT_FOUND;
KLOCK_QUEUE_HANDLE lockHandle;
PPsRuleEntry entry;
PVOID restartKey = NULL;
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
ExAcquireFastMutex(&context->tableLock);
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
entry != NULL;
@ -203,7 +199,7 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
}
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&context->tableLock);
return status;
}
@ -211,12 +207,11 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PULONG pInheritance)
{
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
KLOCK_QUEUE_HANDLE lockHandle;
PPsRuleEntry entry;
PVOID restartKey = NULL;
BOOLEAN result = FALSE;
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
ExAcquireFastMutex(&context->tableLock);
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
entry != NULL;
@ -230,7 +225,7 @@ BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING
}
}
KeReleaseInStackQueuedSpinLock(&lockHandle);
ExReleaseFastMutex(&context->tableLock);
return result;
}