From fbae5ffa578a5acc2f537aa5cf03e74095676820 Mon Sep 17 00:00:00 2001
From: JKornev <8bit.dosninja@gmail.com>
Date: Thu, 29 Dec 2016 22:48:37 +0300
Subject: [PATCH] Fix for possible IRQL violations

---
 Hidden/ExcludeList.c | 7 ----
 Hidden/PsMonitor.c | 84 +++++++++++++++++++-------------------
 Hidden/PsRules.c | 29 +++++++--------
 3 files changed, 48 insertions(+), 72 deletions(-)

diff --git a/Hidden/ExcludeList.c b/Hidden/ExcludeList.c
index 8051e9c..84e65c5 100644
--- a/Hidden/ExcludeList.c
+++ b/Hidden/ExcludeList.c
@@ -94,7 +94,6 @@ NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, U
 {
 enum { MAX_PATH_SIZE = 1024 };
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry, head;
 UNICODE_STRING temp;
 SIZE_T size;
@@ -172,7 +171,6 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
 {
 NTSTATUS status = STATUS_NOT_FOUND;
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 
 ExAcquireFastMutex(&cntx->listLock);
@@ -199,7 +197,6 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
 NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 
 ExAcquireFastMutex(&cntx->listLock);
@@ -221,7 +218,6 @@ NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
 BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 BOOLEAN result = FALSE;
 
@@ -247,7 +243,6 @@ BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
 BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 UNICODE_STRING Directory, dir;
 BOOLEAN result = FALSE;
@@ -293,7 +288,6 @@ BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
 BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 UNICODE_STRING Directory;
 BOOLEAN result = FALSE;
@@ -331,7 +325,6 @@ BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key)
 BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament)
 {
 PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
- //KLOCK_QUEUE_HANDLE lockHandle;
 PEXCLUDE_FILE_LIST_ENTRY entry;
 UNICODE_STRING Directory;
 BOOLEAN result = FALSE;
diff --git a/Hidden/PsMonitor.c b/Hidden/PsMonitor.c
index 4c958e2..40a16d5 100644
--- a/Hidden/PsMonitor.c
+++ b/Hidden/PsMonitor.c
@@ -18,7 +18,7 @@ OB_CALLBACK_REGISTRATION g_regCallback;
 PsRulesContext g_excludeProcessRules;
 PsRulesContext g_protectProcessRules;
 
-KSPIN_LOCK g_processTableLock;
+FAST_MUTEX g_processTableLock;
 
 typedef struct _ProcessListEntry {
 LPCWSTR path;
@@ -47,7 +47,6 @@ WCHAR g_csrssPathBuffer[CSRSS_PAHT_BUFFER_SIZE];
 BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
 {
 ProcessTableEntry srcInfo, destInfo;
- KLOCK_QUEUE_HANDLE lockHandle;
 BOOLEAN result;
 
 if (Source == Destination)
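Review bot: Changing `g_processTableLock` to a `FAST_MUTEX` changes the IRQL contract of every acquirer, not just the lock's type, and nothing in the hunk records it: `ExAcquireFastMutex` must be called at IRQL <= APC_LEVEL, runs the holder at APC_LEVEL while the process table is locked, and a fast mutex cannot be re-acquired by the thread that already holds it. The acquirers changed in this commit (`CheckProtectedOperation`, `CheckProcessFlags`, `CreateProcessNotifyCallback`, the `Is*/Get*/Set*ProcessState` helpers, `DestroyPsMonitor`, `SetStateForProcessesByImage`) are presumably reached from the object-callback and process-notify paths, which run at PASSIVE_LEVEL, but their callers are not visible in this diff, so I would state the requirement on the declaration: `FAST_MUTEX g_processTableLock; // guards the process table; acquire only at IRQL <= APC_LEVEL, never recursively`. The same note belongs on `tableLock` in PsRules.c (hunk `@@ -5,7 +5,7 @@`).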
@@ -55,9 +54,9 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
 
 srcInfo.processId = Source;
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = GetProcessInProcessTable(&srcInfo);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 return FALSE;
@@ -67,11 +66,11 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
 // Spinlock is locked once for both Get\Update process table functions
 // because we want to prevent situations when another thread can change
 // any state of process beetwen get and update functions on this place
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 
 if (!GetProcessInProcessTable(&destInfo))
 {
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 return FALSE;
 }
 
@@ -88,7 +87,7 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
 result = FALSE;
 }
 
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %d\n", destInfo.processId);
@@ -96,7 +95,7 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
 return FALSE;
 }
 
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!destInfo.protected)
 return FALSE;
@@ -178,7 +177,6 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
 {
 ProcessTableEntry lookup;
 ULONG inheritType;
- KLOCK_QUEUE_HANDLE lockHandle;
 BOOLEAN result;
 
 RtlZeroMemory(&lookup, sizeof(lookup));
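Review bot: The comment above the first `ExAcquireFastMutex` in hunk `@@ -67,11 +66,11 @@` still reads `// Spinlock is locked once for both Get\Update process table functions`, but the lock it describes is now a fast mutex, so the comment contradicts the line below it; the same three-line comment appears in `SetStateForProcessesByImage` (hunk `@@ -678,7 +670,7 @@`). I would reword the first line to `// The process table mutex is held across both the Get and Update calls` and keep the other two lines, which still give the reason (no other thread may change the process state in between). The body of `CheckProtectedOperation` continues outside these hunks.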
@@ -203,9 +201,9 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
 {
 lookup.processId = ParentId;
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = GetProcessInProcessTable(&lookup);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (result)
 {
@@ -236,9 +234,9 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
 {
 lookup.processId = ParentId;
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = GetProcessInProcessTable(&lookup);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (result)
 {
@@ -259,7 +257,6 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
 VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
 {
 ProcessTableEntry entry;
- KLOCK_QUEUE_HANDLE lockHandle;
 BOOLEAN result;
 
 UNREFERENCED_PARAMETER(Process);
@@ -304,9 +301,9 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
 if (entry.protected)
 DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", ProcessId);
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = AddProcessToProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", ProcessId);
@@ -315,9 +312,9 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
 }
 else
 {
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = RemoveProcessFromProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%d) from process table\n", ProcessId);
@@ -328,14 +325,13 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
 BOOLEAN IsProcessExcluded(HANDLE ProcessId)
 {
 ProcessTableEntry entry;
- KLOCK_QUEUE_HANDLE lockHandle;
 BOOLEAN result;
 
 entry.processId = ProcessId;
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = GetProcessInProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 return FALSE;
@@ -347,14 +343,13 @@ BOOLEAN IsProcessExcluded(HANDLE ProcessId)
 BOOLEAN IsProcessProtected(HANDLE ProcessId)
 {
 ProcessTableEntry entry;
- KLOCK_QUEUE_HANDLE lockHandle;
 BOOLEAN result;
 
 entry.processId = ProcessId;
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = GetProcessInProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 return FALSE;
@@ -535,7 +530,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
 
 // Process table
 
- KeInitializeSpinLock(&g_processTableLock);
+ ExInitializeFastMutex(&g_processTableLock);
 
 status = InitializeProcessTable(CheckProcessFlags);
 if (!NT_SUCCESS(status))
@@ -591,8 +586,6 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
 
 NTSTATUS DestroyPsMonitor()
 {
- KLOCK_QUEUE_HANDLE lockHandle;
-
 if (!g_psMonitorInited)
 return STATUS_ALREADY_DISCONNECTED;
 
@@ -607,9 +600,9 @@ NTSTATUS DestroyPsMonitor()
 DestroyPsRuleListContext(g_excludeProcessRules);
 DestroyPsRuleListContext(g_protectProcessRules);
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 DestroyProcessTable();
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 g_psMonitorInited = FALSE;
 
@@ -638,7 +631,6 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
 OBJECT_ATTRIBUTES attribs;
 PUNICODE_STRING procName;
 ProcessTableEntry entry;
- KLOCK_QUEUE_HANDLE lockHandle;
 
 processInfo = (PSYSTEM_PROCESS_INFORMATION)((SIZE_T)processInfo + offset);
 
@@ -678,7 +670,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
 // Spinlock is locked once for both Get\Update process table functions
 // because we want to prevent situations when another thread can change
 // any state of process beetwen get and update functions on this place
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 
 if (GetProcessInProcessTable(&entry))
 {
@@ -698,7 +690,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
 result = FALSE;
 }
 
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 DbgPrint("FsFilter1!" __FUNCTION__ ": can't update process %d\n", processInfo->ProcessId);
@@ -750,14 +742,13 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
 NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
 {
 ProcessTableEntry entry;
- KLOCK_QUEUE_HANDLE lockHandle;
 BOOLEAN result;
 
 entry.processId = ProcessId;
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = GetProcessInProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 return STATUS_NOT_FOUND;
@@ -772,14 +763,13 @@ NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN E
 {
 NTSTATUS status = STATUS_SUCCESS;
 ProcessTableEntry entry;
- KLOCK_QUEUE_HANDLE lockHandle;
 BOOLEAN result;
 
 entry.processId = ProcessId;
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = GetProcessInProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 return STATUS_NOT_FOUND;
@@ -794,9 +784,9 @@ NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN E
 entry.protected = FALSE;
 }
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = UpdateProcessInProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 return STATUS_NOT_FOUND;
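Review bot: `SetProtectedProcessState` reads the entry under the mutex (hunk `@@ -772,14 +763,13 @@`), releases it, edits `entry`, and then takes the mutex again for `UpdateProcessInProcessTable(&entry)` in hunk `@@ -794,9 +784,9 @@`, so any change another thread makes to that process's table entry between the two critical sections is overwritten by the stale copy — the interleaving the comment in `CheckProtectedOperation` says the table lock exists to prevent. The same two-step pattern is in `SetExcludedProcessState` (hunks `@@ -874,14 +863,13 @@` and `@@ -896,9 +884,9 @@`). I would hold the mutex from the `GetProcessInProcessTable` call through the `UpdateProcessInProcessTable` call — drop the intermediate `ExReleaseFastMutex`/`ExAcquireFastMutex` pair and add `ExReleaseFastMutex(&g_processTableLock);` before each `return STATUS_NOT_FOUND;` on the failure paths — provided the code between the two hunks, which is outside this diff, does nothing that must run without the lock. The structure predates this commit (the spinlock version was the same), but a lock-type change is the natural place to fix it.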
@@ -852,14 +842,13 @@ NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
 NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
 {
 ProcessTableEntry entry;
- KLOCK_QUEUE_HANDLE lockHandle;
 BOOLEAN result;
 
 entry.processId = ProcessId;
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = GetProcessInProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 return STATUS_NOT_FOUND;
@@ -874,14 +863,13 @@ NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN En
 {
 NTSTATUS status = STATUS_SUCCESS;
 ProcessTableEntry entry;
- KLOCK_QUEUE_HANDLE lockHandle;
 BOOLEAN result;
 
 entry.processId = ProcessId;
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = GetProcessInProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 return STATUS_NOT_FOUND;
@@ -896,9 +884,9 @@ NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN En
 entry.excluded = FALSE;
 }
 
- KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle);
+ ExAcquireFastMutex(&g_processTableLock);
 result = UpdateProcessInProcessTable(&entry);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&g_processTableLock);
 
 if (!result)
 return STATUS_NOT_FOUND;
diff --git a/Hidden/PsRules.c b/Hidden/PsRules.c
index 123866c..8103b13 100644
--- a/Hidden/PsRules.c
+++ b/Hidden/PsRules.c
@@ -5,7 +5,7 @@ typedef struct _PsRulesInternalContext {
 RTL_AVL_TABLE table;
 ULONGLONG idCounter;
 
-KSPIN_LOCK tableLock;
+FAST_MUTEX tableLock;
 } PsRulesInternalContext, *PPsRulesInternalContext;
 
 RTL_GENERIC_COMPARE_RESULTS ComparePsRuleEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
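Review bot: `tableLock` in hunk `@@ -5,7 +5,7 @@` is now a `FAST_MUTEX` embedded in `PsRulesInternalContext`, and a fast mutex must reside in resident (non-paged) memory; the context is allocated in `InitializePsRuleListContext` outside this diff, so it is worth confirming that allocation is non-paged and recording the requirement on the field: `FAST_MUTEX tableLock; // must live in non-paged memory`. The replaced `KSPIN_LOCK` had the same storage requirement, so this is a check to keep rather than a regression introduced here.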
@@ -52,7 +52,7 @@ NTSTATUS InitializePsRuleListContext(PPsRulesContext pRuleContext)
 }
 
 context->idCounter = 1;
- KeInitializeSpinLock(&context->tableLock);
+ ExInitializeFastMutex(&context->tableLock);
 RtlInitializeGenericTableAvl(&context->table, ComparePsRuleEntry, AllocatePsRuleEntry, FreePsRuleEntry, NULL);
 
 *pRuleContext = context;
@@ -68,7 +68,6 @@ VOID DestroyPsRuleListContext(PsRulesContext RuleContext)
 NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath, ULONG InheritType, PPsRuleEntryId EntryId)
 {
 PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
- KLOCK_QUEUE_HANDLE lockHandle;
 NTSTATUS status = STATUS_SUCCESS;
 ULONGLONG guid;
 PPsRuleEntry entry;
@@ -97,11 +96,11 @@ NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath
 entry->imagePath.MaximumLength = ImgPath->Length;
 RtlCopyUnicodeString(&entry->imagePath, ImgPath);
 
- KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
+ ExAcquireFastMutex(&context->tableLock);
 guid = context->idCounter++;
 entry->guid = guid;
 buf = RtlInsertElementGenericTableAvl(&context->table, entry, entryLen, &newElem);
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&context->tableLock);
 
 if (!buf)
 {
@@ -123,11 +122,10 @@ NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId Entr
 {
 PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
 NTSTATUS status = STATUS_NOT_FOUND;
- KLOCK_QUEUE_HANDLE lockHandle;
 PPsRuleEntry entry;
 PVOID restartKey = NULL;
 
- KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
+ ExAcquireFastMutex(&context->tableLock);
 
 for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
 entry != NULL;
@@ -143,7 +141,7 @@ NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId Entr
 }
 }
 
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&context->tableLock);
 
 return status;
 }
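Review bot: The `RtlInsertElementGenericTableAvl` call between the `ExAcquireFastMutex`/`ExReleaseFastMutex` pair in hunk `@@ -97,11 +96,11 @@` invokes the table's allocate routine (`AllocatePsRuleEntry`, registered in hunk `@@ -52,7 +52,7 @@`) while the lock is held, so with the fast mutex that allocation now runs at APC_LEVEL instead of DISPATCH_LEVEL; if `AllocatePsRuleEntry` (outside this diff) allocates pageable memory, that is presumably the IRQL violation the commit title refers to, and the reason deserves a line at the acquire site: `// fast mutex (APC_LEVEL): the table's allocate/free callbacks run under this lock`. The same reasoning covers the enumerate-and-delete loops in `RemoveRuleFromPsRuleList` and `RemoveAllRulesFromPsRuleList`, whose loop bodies lie outside the visible hunks. `AddRuleToPsRuleList` continues beyond this hunk.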
@@ -152,11 +150,10 @@ NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext)
 {
 PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
 NTSTATUS status = STATUS_SUCCESS;
- KLOCK_QUEUE_HANDLE lockHandle;
 PPsRuleEntry entry;
 PVOID restartKey = NULL;
 
- KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
+ ExAcquireFastMutex(&context->tableLock);
 
 for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
 entry != NULL;
@@ -168,7 +165,7 @@ NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext)
 restartKey = NULL; // reset enum
 }
 
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&context->tableLock);
 
 return status;
 }
@@ -177,11 +174,10 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
 {
 PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
 NTSTATUS status = STATUS_NOT_FOUND;
- KLOCK_QUEUE_HANDLE lockHandle;
 PPsRuleEntry entry;
 PVOID restartKey = NULL;
 
- KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
+ ExAcquireFastMutex(&context->tableLock);
 
 for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
 entry != NULL;
@@ -203,7 +199,7 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
 }
 }
 
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&context->tableLock);
 
 return status;
 }
@@ -211,12 +207,11 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
 BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PULONG pInheritance)
 {
 PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
- KLOCK_QUEUE_HANDLE lockHandle;
 PPsRuleEntry entry;
 PVOID restartKey = NULL;
 BOOLEAN result = FALSE;
 
- KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle);
+ ExAcquireFastMutex(&context->tableLock);
 
 for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
 entry != NULL;
@@ -230,7 +225,7 @@ BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING
 }
 }
 
- KeReleaseInStackQueuedSpinLock(&lockHandle);
+ ExReleaseFastMutex(&context->tableLock);
 
 return result;
 }