
Fix for possible IRQL violations

JKornev 2016-12-29 22:48:37 +03:00
parent 67355c72c4
commit fbae5ffa57
3 changed files with 48 additions and 72 deletions

@ -94,7 +94,6 @@ NTSTATUS AddExcludeListEntry(ExcludeContext Context, PUNICODE_STRING FilePath, U
{ {
enum { MAX_PATH_SIZE = 1024 }; enum { MAX_PATH_SIZE = 1024 };
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context; PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry, head; PEXCLUDE_FILE_LIST_ENTRY entry, head;
UNICODE_STRING temp; UNICODE_STRING temp;
SIZE_T size; SIZE_T size;
@ -172,7 +171,6 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
{ {
NTSTATUS status = STATUS_NOT_FOUND; NTSTATUS status = STATUS_NOT_FOUND;
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context; PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry; PEXCLUDE_FILE_LIST_ENTRY entry;
ExAcquireFastMutex(&cntx->listLock); ExAcquireFastMutex(&cntx->listLock);
@ -199,7 +197,6 @@ NTSTATUS RemoveExcludeListEntry(ExcludeContext Context, ExcludeEntryId EntryId)
NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context) NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
{ {
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context; PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry; PEXCLUDE_FILE_LIST_ENTRY entry;
ExAcquireFastMutex(&cntx->listLock); ExAcquireFastMutex(&cntx->listLock);
@ -221,7 +218,6 @@ NTSTATUS RemoveAllExcludeListEntries(ExcludeContext Context)
BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path) BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
{ {
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context; PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry; PEXCLUDE_FILE_LIST_ENTRY entry;
BOOLEAN result = FALSE; BOOLEAN result = FALSE;
@ -247,7 +243,6 @@ BOOLEAN CheckExcludeListFile(ExcludeContext Context, PCUNICODE_STRING Path)
BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path) BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
{ {
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context; PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry; PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory, dir; UNICODE_STRING Directory, dir;
BOOLEAN result = FALSE; BOOLEAN result = FALSE;
@ -293,7 +288,6 @@ BOOLEAN CheckExcludeListDirectory(ExcludeContext Context, PCUNICODE_STRING Path)
BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File) BOOLEAN CheckExcludeListDirFile(ExcludeContext Context, PCUNICODE_STRING Dir, PCUNICODE_STRING File)
{ {
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context; PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry; PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory; UNICODE_STRING Directory;
BOOLEAN result = FALSE; BOOLEAN result = FALSE;
@ -331,7 +325,6 @@ BOOLEAN CheckExcludeListRegKey(ExcludeContext Context, PUNICODE_STRING Key)
BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament) BOOLEAN CheckExcludeListRegKeyValueName(ExcludeContext Context, PUNICODE_STRING Key, PUNICODE_STRING Name, PUINT32 Increament)
{ {
PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context; PEXCLUDE_FILE_CONTEXT cntx = (PEXCLUDE_FILE_CONTEXT)Context;
//KLOCK_QUEUE_HANDLE lockHandle;
PEXCLUDE_FILE_LIST_ENTRY entry; PEXCLUDE_FILE_LIST_ENTRY entry;
UNICODE_STRING Directory; UNICODE_STRING Directory;
BOOLEAN result = FALSE; BOOLEAN result = FALSE;

@ -18,7 +18,7 @@ OB_CALLBACK_REGISTRATION g_regCallback;
PsRulesContext g_excludeProcessRules; PsRulesContext g_excludeProcessRules;
PsRulesContext g_protectProcessRules; PsRulesContext g_protectProcessRules;
KSPIN_LOCK g_processTableLock; FAST_MUTEX g_processTableLock;
typedef struct _ProcessListEntry { typedef struct _ProcessListEntry {
LPCWSTR path; LPCWSTR path;
@ -47,7 +47,6 @@ WCHAR g_csrssPathBuffer[CSRSS_PAHT_BUFFER_SIZE];
BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination) BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
{ {
ProcessTableEntry srcInfo, destInfo; ProcessTableEntry srcInfo, destInfo;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result; BOOLEAN result;
if (Source == Destination) if (Source == Destination)
@ -55,9 +54,9 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
srcInfo.processId = Source; srcInfo.processId = Source;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&srcInfo); result = GetProcessInProcessTable(&srcInfo);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
return FALSE; return FALSE;
@ -67,11 +66,11 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
// Spinlock is locked once for both Get\Update process table functions // Spinlock is locked once for both Get\Update process table functions
// because we want to prevent situations when another thread can change // because we want to prevent situations when another thread can change
// any state of process beetwen get and update functions on this place // any state of process beetwen get and update functions on this place
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
if (!GetProcessInProcessTable(&destInfo)) if (!GetProcessInProcessTable(&destInfo))
{ {
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
return FALSE; return FALSE;
} }
@ -88,7 +87,7 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
result = FALSE; result = FALSE;
} }
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %d\n", destInfo.processId); DbgPrint("FsFilter1!" __FUNCTION__ ": can't update initial state for process: %d\n", destInfo.processId);
@ -96,7 +95,7 @@ BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
return FALSE; return FALSE;
} }
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!destInfo.protected) if (!destInfo.protected)
return FALSE; return FALSE;
@ -178,7 +177,6 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
{ {
ProcessTableEntry lookup; ProcessTableEntry lookup;
ULONG inheritType; ULONG inheritType;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result; BOOLEAN result;
RtlZeroMemory(&lookup, sizeof(lookup)); RtlZeroMemory(&lookup, sizeof(lookup));
@ -203,9 +201,9 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
{ {
lookup.processId = ParentId; lookup.processId = ParentId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&lookup); result = GetProcessInProcessTable(&lookup);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (result) if (result)
{ {
@ -236,9 +234,9 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
{ {
lookup.processId = ParentId; lookup.processId = ParentId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&lookup); result = GetProcessInProcessTable(&lookup);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (result) if (result)
{ {
@ -259,7 +257,6 @@ VOID CheckProcessFlags(PProcessTableEntry Entry, PCUNICODE_STRING ImgPath, HANDL
VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo) VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{ {
ProcessTableEntry entry; ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result; BOOLEAN result;
UNREFERENCED_PARAMETER(Process); UNREFERENCED_PARAMETER(Process);
@ -304,9 +301,9 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
if (entry.protected) if (entry.protected)
DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", ProcessId); DbgPrint("FsFilter1!" __FUNCTION__ ": protected process:%d\n", ProcessId);
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = AddProcessToProcessTable(&entry); result = AddProcessToProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", ProcessId); DbgPrint("FsFilter1!" __FUNCTION__ ": can't add process(pid:%d) to process table\n", ProcessId);
@ -315,9 +312,9 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
} }
else else
{ {
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = RemoveProcessFromProcessTable(&entry); result = RemoveProcessFromProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%d) from process table\n", ProcessId); DbgPrint("FsFilter1!" __FUNCTION__ ": can't remove process(pid:%d) from process table\n", ProcessId);
@ -328,14 +325,13 @@ VOID CreateProcessNotifyCallback(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE
BOOLEAN IsProcessExcluded(HANDLE ProcessId) BOOLEAN IsProcessExcluded(HANDLE ProcessId)
{ {
ProcessTableEntry entry; ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result; BOOLEAN result;
entry.processId = ProcessId; entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry); result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
return FALSE; return FALSE;
@ -347,14 +343,13 @@ BOOLEAN IsProcessExcluded(HANDLE ProcessId)
BOOLEAN IsProcessProtected(HANDLE ProcessId) BOOLEAN IsProcessProtected(HANDLE ProcessId)
{ {
ProcessTableEntry entry; ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result; BOOLEAN result;
entry.processId = ProcessId; entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry); result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
return FALSE; return FALSE;
@ -535,7 +530,7 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
// Process table // Process table
KeInitializeSpinLock(&g_processTableLock); ExInitializeFastMutex(&g_processTableLock);
status = InitializeProcessTable(CheckProcessFlags); status = InitializeProcessTable(CheckProcessFlags);
if (!NT_SUCCESS(status)) if (!NT_SUCCESS(status))
@ -591,8 +586,6 @@ NTSTATUS InitializePsMonitor(PDRIVER_OBJECT DriverObject)
NTSTATUS DestroyPsMonitor() NTSTATUS DestroyPsMonitor()
{ {
KLOCK_QUEUE_HANDLE lockHandle;
if (!g_psMonitorInited) if (!g_psMonitorInited)
return STATUS_ALREADY_DISCONNECTED; return STATUS_ALREADY_DISCONNECTED;
@ -607,9 +600,9 @@ NTSTATUS DestroyPsMonitor()
DestroyPsRuleListContext(g_excludeProcessRules); DestroyPsRuleListContext(g_excludeProcessRules);
DestroyPsRuleListContext(g_protectProcessRules); DestroyPsRuleListContext(g_protectProcessRules);
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
DestroyProcessTable(); DestroyProcessTable();
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
g_psMonitorInited = FALSE; g_psMonitorInited = FALSE;
@ -638,7 +631,6 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
OBJECT_ATTRIBUTES attribs; OBJECT_ATTRIBUTES attribs;
PUNICODE_STRING procName; PUNICODE_STRING procName;
ProcessTableEntry entry; ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
processInfo = (PSYSTEM_PROCESS_INFORMATION)((SIZE_T)processInfo + offset); processInfo = (PSYSTEM_PROCESS_INFORMATION)((SIZE_T)processInfo + offset);
@ -678,7 +670,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
// Spinlock is locked once for both Get\Update process table functions // Spinlock is locked once for both Get\Update process table functions
// because we want to prevent situations when another thread can change // because we want to prevent situations when another thread can change
// any state of process beetwen get and update functions on this place // any state of process beetwen get and update functions on this place
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
if (GetProcessInProcessTable(&entry)) if (GetProcessInProcessTable(&entry))
{ {
@ -698,7 +690,7 @@ NTSTATUS SetStateForProcessesByImage(PCUNICODE_STRING ImagePath, BOOLEAN Exclude
result = FALSE; result = FALSE;
} }
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
DbgPrint("FsFilter1!" __FUNCTION__ ": can't update process %d\n", processInfo->ProcessId); DbgPrint("FsFilter1!" __FUNCTION__ ": can't update process %d\n", processInfo->ProcessId);
@ -750,14 +742,13 @@ NTSTATUS AddProtectedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable) NTSTATUS GetProtectedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
{ {
ProcessTableEntry entry; ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result; BOOLEAN result;
entry.processId = ProcessId; entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry); result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
return STATUS_NOT_FOUND; return STATUS_NOT_FOUND;
@ -772,14 +763,13 @@ NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN E
{ {
NTSTATUS status = STATUS_SUCCESS; NTSTATUS status = STATUS_SUCCESS;
ProcessTableEntry entry; ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result; BOOLEAN result;
entry.processId = ProcessId; entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry); result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
return STATUS_NOT_FOUND; return STATUS_NOT_FOUND;
@ -794,9 +784,9 @@ NTSTATUS SetProtectedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN E
entry.protected = FALSE; entry.protected = FALSE;
} }
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = UpdateProcessInProcessTable(&entry); result = UpdateProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
return STATUS_NOT_FOUND; return STATUS_NOT_FOUND;
@ -852,14 +842,13 @@ NTSTATUS AddExcludedImage(PUNICODE_STRING ImagePath, ULONG InheritType, BOOLEAN
NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable) NTSTATUS GetExcludedProcessState(HANDLE ProcessId, PULONG InheritType, PBOOLEAN Enable)
{ {
ProcessTableEntry entry; ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result; BOOLEAN result;
entry.processId = ProcessId; entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry); result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
return STATUS_NOT_FOUND; return STATUS_NOT_FOUND;
@ -874,14 +863,13 @@ NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN En
{ {
NTSTATUS status = STATUS_SUCCESS; NTSTATUS status = STATUS_SUCCESS;
ProcessTableEntry entry; ProcessTableEntry entry;
KLOCK_QUEUE_HANDLE lockHandle;
BOOLEAN result; BOOLEAN result;
entry.processId = ProcessId; entry.processId = ProcessId;
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = GetProcessInProcessTable(&entry); result = GetProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
return STATUS_NOT_FOUND; return STATUS_NOT_FOUND;
@ -896,9 +884,9 @@ NTSTATUS SetExcludedProcessState(HANDLE ProcessId, ULONG InheritType, BOOLEAN En
entry.excluded = FALSE; entry.excluded = FALSE;
} }
KeAcquireInStackQueuedSpinLock(&g_processTableLock, &lockHandle); ExAcquireFastMutex(&g_processTableLock);
result = UpdateProcessInProcessTable(&entry); result = UpdateProcessInProcessTable(&entry);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&g_processTableLock);
if (!result) if (!result)
return STATUS_NOT_FOUND; return STATUS_NOT_FOUND;
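Review bot: Every routine that now takes g_processTableLock (CheckProtectedOperation, CheckProcessFlags, IsProcessExcluded, IsProcessProtected, the Get/Set*ProcessState functions and DestroyPsMonitor) inherits the FAST_MUTEX requirement that the caller run at IRQL <= APC_LEVEL, and no acquire site checks it; the spinlock being replaced tolerated DISPATCH_LEVEL callers, so if any of these is reached from a path that can run at DISPATCH_LEVEL (the callers are outside the hunks, so this is inferred), the swap moves the IRQL violation rather than removing it. A cheap guard at each acquire site, `NT_ASSERT(KeGetCurrentIrql() <= APC_LEVEL);`, would make such a caller visible on a checked build instead of a non-obvious hang. The retained comments "Spinlock is locked once for both Get\Update process table functions" in CheckProtectedOperation and SetStateForProcessesByImage now name the wrong primitive; suggest `// The table mutex is held across both Get and Update so another thread cannot change the process state in between`. The same IRQL constraint applies to the PsRules tableLock converted in the next file.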

@ -5,7 +5,7 @@
typedef struct _PsRulesInternalContext { typedef struct _PsRulesInternalContext {
RTL_AVL_TABLE table; RTL_AVL_TABLE table;
ULONGLONG idCounter; ULONGLONG idCounter;
KSPIN_LOCK tableLock; FAST_MUTEX tableLock;
} PsRulesInternalContext, *PPsRulesInternalContext; } PsRulesInternalContext, *PPsRulesInternalContext;
RTL_GENERIC_COMPARE_RESULTS ComparePsRuleEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct) RTL_GENERIC_COMPARE_RESULTS ComparePsRuleEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
@ -52,7 +52,7 @@ NTSTATUS InitializePsRuleListContext(PPsRulesContext pRuleContext)
} }
context->idCounter = 1; context->idCounter = 1;
KeInitializeSpinLock(&context->tableLock); ExInitializeFastMutex(&context->tableLock);
RtlInitializeGenericTableAvl(&context->table, ComparePsRuleEntry, AllocatePsRuleEntry, FreePsRuleEntry, NULL); RtlInitializeGenericTableAvl(&context->table, ComparePsRuleEntry, AllocatePsRuleEntry, FreePsRuleEntry, NULL);
*pRuleContext = context; *pRuleContext = context;
@ -68,7 +68,6 @@ VOID DestroyPsRuleListContext(PsRulesContext RuleContext)
NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath, ULONG InheritType, PPsRuleEntryId EntryId) NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath, ULONG InheritType, PPsRuleEntryId EntryId)
{ {
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext; PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
KLOCK_QUEUE_HANDLE lockHandle;
NTSTATUS status = STATUS_SUCCESS; NTSTATUS status = STATUS_SUCCESS;
ULONGLONG guid; ULONGLONG guid;
PPsRuleEntry entry; PPsRuleEntry entry;
@ -97,11 +96,11 @@ NTSTATUS AddRuleToPsRuleList(PsRulesContext RuleContext, PUNICODE_STRING ImgPath
entry->imagePath.MaximumLength = ImgPath->Length; entry->imagePath.MaximumLength = ImgPath->Length;
RtlCopyUnicodeString(&entry->imagePath, ImgPath); RtlCopyUnicodeString(&entry->imagePath, ImgPath);
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle); ExAcquireFastMutex(&context->tableLock);
guid = context->idCounter++; guid = context->idCounter++;
entry->guid = guid; entry->guid = guid;
buf = RtlInsertElementGenericTableAvl(&context->table, entry, entryLen, &newElem); buf = RtlInsertElementGenericTableAvl(&context->table, entry, entryLen, &newElem);
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&context->tableLock);
if (!buf) if (!buf)
{ {
@ -123,11 +122,10 @@ NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId Entr
{ {
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext; PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
NTSTATUS status = STATUS_NOT_FOUND; NTSTATUS status = STATUS_NOT_FOUND;
KLOCK_QUEUE_HANDLE lockHandle;
PPsRuleEntry entry; PPsRuleEntry entry;
PVOID restartKey = NULL; PVOID restartKey = NULL;
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle); ExAcquireFastMutex(&context->tableLock);
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey); for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
entry != NULL; entry != NULL;
@ -143,7 +141,7 @@ NTSTATUS RemoveRuleFromPsRuleList(PsRulesContext RuleContext, PsRuleEntryId Entr
} }
} }
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&context->tableLock);
return status; return status;
} }
@ -152,11 +150,10 @@ NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext)
{ {
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext; PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
NTSTATUS status = STATUS_SUCCESS; NTSTATUS status = STATUS_SUCCESS;
KLOCK_QUEUE_HANDLE lockHandle;
PPsRuleEntry entry; PPsRuleEntry entry;
PVOID restartKey = NULL; PVOID restartKey = NULL;
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle); ExAcquireFastMutex(&context->tableLock);
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey); for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
entry != NULL; entry != NULL;
@ -168,7 +165,7 @@ NTSTATUS RemoveAllRulesFromPsRuleList(PsRulesContext RuleContext)
restartKey = NULL; // reset enum restartKey = NULL; // reset enum
} }
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&context->tableLock);
return status; return status;
} }
@ -177,11 +174,10 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
{ {
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext; PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
NTSTATUS status = STATUS_NOT_FOUND; NTSTATUS status = STATUS_NOT_FOUND;
KLOCK_QUEUE_HANDLE lockHandle;
PPsRuleEntry entry; PPsRuleEntry entry;
PVOID restartKey = NULL; PVOID restartKey = NULL;
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle); ExAcquireFastMutex(&context->tableLock);
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey); for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
entry != NULL; entry != NULL;
@ -203,7 +199,7 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
} }
} }
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&context->tableLock);
return status; return status;
} }
@ -211,12 +207,11 @@ NTSTATUS CheckInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath,
BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PULONG pInheritance) BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING ImgPath, PULONG pInheritance)
{ {
PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext; PPsRulesInternalContext context = (PPsRulesInternalContext)RuleContext;
KLOCK_QUEUE_HANDLE lockHandle;
PPsRuleEntry entry; PPsRuleEntry entry;
PVOID restartKey = NULL; PVOID restartKey = NULL;
BOOLEAN result = FALSE; BOOLEAN result = FALSE;
KeAcquireInStackQueuedSpinLock(&context->tableLock, &lockHandle); ExAcquireFastMutex(&context->tableLock);
for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey); for (entry = RtlEnumerateGenericTableWithoutSplayingAvl(&context->table, &restartKey);
entry != NULL; entry != NULL;
@ -230,7 +225,7 @@ BOOLEAN FindInheritanceInPsRuleList(PsRulesContext RuleContext, PCUNICODE_STRING
} }
} }
KeReleaseInStackQueuedSpinLock(&lockHandle); ExReleaseFastMutex(&context->tableLock);
return result; return result;
} }
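Review bot: tableLock is now a FAST_MUTEX embedded in PsRulesInternalContext, and the documented requirement for ExInitializeFastMutex is that the FAST_MUTEX reside in non-paged memory; the allocation of `context` in InitializePsRuleListContext is outside the hunk, so confirm it is taken from a non-paged pool type and not PagedPool. If the pool type is not already explicit at that allocation, a comment next to it such as `// must stay non-paged: holds tableLock (FAST_MUTEX)` would keep a later change from breaking this. AddRuleToPsRuleList, RemoveRuleFromPsRuleList, RemoveAllRulesFromPsRuleList, CheckInPsRuleList and FindInheritanceInPsRuleList are now callable only at IRQL <= APC_LEVEL, which is worth stating in their header comments since the previous spinlock version had no such limit.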