/// <summary>
/// Returns TRUE if the given process is protected, otherwise FALSE.
/// </summary>
/// <param name="Process">Pointer to a process object.</param>
/// <param name="ProcessAccessBitsToClear">Receives the process access rights to clear.
/// Written only when the function returns TRUE.</param>
/// <param name="ThreadAccessBitsToClear">Receives the thread access rights to clear.
/// Written only when the function returns TRUE.</param>
/// <remarks>
/// The lookup and the copy of both masks happen under the shared table lock, so the
/// values returned are a consistent snapshot of one table entry. Must be called at
/// IRQL &lt;= APC_LEVEL (push lock requirement).
/// </remarks>
BOOLEAN HsIsProcessProtected(
	_In_ PEPROCESS Process,
	_Out_ PACCESS_MASK ProcessAccessBitsToClear,
	_Out_ PACCESS_MASK ThreadAccessBitsToClear)
{
	HSP_PROTECTED_PROCESS lookupKey;
	PHSP_PROTECTED_PROCESS entry;
	BOOLEAN isProtected = FALSE;

	// Only the Process member is populated; presumably the table's compare
	// routine keys on that field alone -- confirm against the compare callback.
	lookupKey.Process = Process;

	FltAcquirePushLockShared(&ObCallbackInstance.ProtectedProcessLock);

	entry = RtlLookupElementGenericTableAvl(
		&ObCallbackInstance.ProtectedProcesses,
		&lookupKey);

	if (entry != NULL)
	{
		isProtected = TRUE;
		*ProcessAccessBitsToClear = entry->ProcessAccessBitsToClear;
		*ThreadAccessBitsToClear = entry->ThreadAccessBitsToClear;
	}

	FltReleasePushLock(&ObCallbackInstance.ProtectedProcessLock);

	return isProtected;
}
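/// Looks up the filter box registered under Guid, creating it when absent, and
/// hands the caller a referenced pointer to it.
///
/// @param Guid    GUID identifying the box; must not be NULL.
/// @param FltBox  Receives a referenced FilterBox on success and NULL on failure.
///                The caller owns the reference taken here and must drop it.
/// @return STATUS_SUCCESS, or STATUS_INSUFFICIENT_RESOURCES when no box exists
///         for Guid and CreateNewp returned NULL.
__checkReturn
NTSTATUS
FilterBoxList::GetOrCreateBox (
    __in LPGUID Guid,
    __deref_out_opt PFilterBox* FltBox
    )
{
    ASSERT( Guid );

    // Always define the output so a caller that inspects *FltBox before the
    // status never reads an indeterminate pointer.
    *FltBox = NULL;

    FilterBox* fltbox = NULL;

    FltAcquirePushLockExclusive( &m_AccessLock );

    fltbox = LookupBoxp( Guid );
    if ( !fltbox )
    {
        // A NULL result here is reported as an allocation failure below.
        fltbox = CreateNewp( Guid );
    }

    FltReleasePushLock( &m_AccessLock );

    if ( !fltbox )
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    // NOTE(review): the reference is taken after m_AccessLock is dropped. If
    // another thread can remove and free a box in that window, AddRef has to
    // move under the lock -- confirm against the ownership rules of
    // LookupBoxp / CreateNewp.
    fltbox->AddRef();
    *FltBox = fltbox;

    return STATUS_SUCCESS;
}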
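// Issues a synchronous IRP_MJ_DEVICE_CONTROL request to the device backing
// parser->pVhdmpFileObject, reusing the parser's preallocated direct-I/O IRP.
//
// parser           - parser owning the IRP, the target file object and the push
//                    lock that serializes use of that single IRP.
// ControlCode      - IOCTL to send.
// pSystemBuffer    - buffer handed to the target as AssociatedIrp.SystemBuffer
//                    (assumes ControlCode is a METHOD_BUFFERED code -- confirm at
//                    the call sites).
// InputBufferSize  - bytes of input present in pSystemBuffer.
// OutputBufferSize - bytes of output space available in pSystemBuffer.
//
// Returns the status the target driver left in the IRP's IoStatus block.
static NTSTATUS EvhdDirectIoControl(ParserInstance *parser, ULONG ControlCode, PVOID pSystemBuffer, ULONG InputBufferSize,
	ULONG OutputBufferSize)
{
	NTSTATUS status;
	PDEVICE_OBJECT pDeviceObject;
	PIO_STACK_LOCATION pStackFrame;

	// One IRP is shared by every caller, so the whole build/send/read-status
	// sequence runs under the exclusive push lock.
	KeEnterCriticalRegion();
	FltAcquirePushLockExclusive(&parser->DirectIoPushLock);

	IoReuseIrp(parser->pDirectIoIrp, STATUS_PENDING);
	parser->pDirectIoIrp->Flags |= IRP_NOCACHE;
	// Pointer to the calling thread. The documented accessor replaces the raw
	// KPCR read (__readgsqword(0x188)) the original used: that offset is an x64
	// implementation detail the kernel does not guarantee across builds.
	parser->pDirectIoIrp->Tail.Overlay.Thread = PsGetCurrentThread();
	parser->pDirectIoIrp->AssociatedIrp.SystemBuffer = pSystemBuffer;		// IO buffer for buffered control code

	// Fill the next stack location for the synchronous device-control call.
	pStackFrame = IoGetNextIrpStackLocation(parser->pDirectIoIrp);
	pDeviceObject = IoGetRelatedDeviceObject(parser->pVhdmpFileObject);
	pStackFrame->FileObject = parser->pVhdmpFileObject;
	pStackFrame->DeviceObject = pDeviceObject;
	pStackFrame->Parameters.DeviceIoControl.IoControlCode = ControlCode;
	pStackFrame->Parameters.DeviceIoControl.InputBufferLength = InputBufferSize;
	pStackFrame->Parameters.DeviceIoControl.OutputBufferLength = OutputBufferSize;
	pStackFrame->MajorFunction = IRP_MJ_DEVICE_CONTROL;
	pStackFrame->MinorFunction = 0;
	pStackFrame->Flags = 0;
	pStackFrame->Control = 0;

	// The call is synchronous; the completion status is read back from the IRP
	// rather than from the call's own return value.
	IoSynchronousCallDriver(pDeviceObject, parser->pDirectIoIrp);
	status = parser->pDirectIoIrp->IoStatus.Status;

	FltReleasePushLock(&parser->DirectIoPushLock);
	KeLeaveCriticalRegion();
	return status;
}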
/// <summary>
/// Removes a process from the list of protected processes.
/// </summary>
/// <param name="Process">Pointer to the process object to unprotect.</param>
/// <remarks>
/// Removal runs under the exclusive table lock. The BOOLEAN result of the delete
/// (whether an entry was actually present) is discarded, so unprotecting a
/// process that was never protected is a silent no-op.
/// </remarks>
VOID HsUnProtectProcess(
	_In_ PEPROCESS Process)
{
	HSP_PROTECTED_PROCESS deleteKey;
	PEX_PUSH_LOCK tableLock = &ObCallbackInstance.ProtectedProcessLock;

	// Only the Process member is populated; presumably the table's compare
	// routine keys on that field alone -- confirm against the compare callback.
	deleteKey.Process = Process;

	FltAcquirePushLockExclusive(tableLock);
	(VOID)RtlDeleteElementGenericTableAvl(&ObCallbackInstance.ProtectedProcesses, &deleteKey);
	FltReleasePushLock(tableLock);
}
/// <summary>
/// Stops process and thread access rights filtering.
/// </summary>
/// <remarks>
/// Order matters: the object callback registration is torn down first, the table
/// is emptied under the exclusive lock, and only then is the lock itself deleted.
/// Nothing may touch ObCallbackInstance.ProtectedProcessLock after this returns.
/// </remarks>
VOID HsUnRegisterProtector()
{
	PEX_PUSH_LOCK tableLock = &ObCallbackInstance.ProtectedProcessLock;

	ObUnRegisterCallbacks(ObCallbackInstance.RegistrationHandle);

	// If ObUnRegisterCallbacks guarantees that every in-flight callback has
	// completed before returning, the exclusive acquire below is redundant;
	// it is kept as a defensive measure -- confirm against the documented contract.
	FltAcquirePushLockExclusive(tableLock);
	HsAvlDeleteAllElements(&ObCallbackInstance.ProtectedProcesses);
	FltReleasePushLock(tableLock);

	FltDeletePushLock(tableLock);
}
/// <summary>
/// Marks a process as protected. When this process or its threads are opened, the
/// given access rights will be stripped. Call HsUnProtectProcess when the process
/// no longer needs protection, or when it exits.
/// </summary>
/// <param name="Process">Pointer to the process object to protect.</param>
/// <param name="ProcessAccessBitsToClear">Process access rights to clear.</param>
/// <param name="ThreadAccessBitsToClear">Thread access rights to clear.</param>
/// <remarks>
/// The entry is copied into the AVL table (sizeof(HSP_PROTECTED_PROCESS) bytes)
/// under the exclusive table lock, so the local goes out of scope safely.
/// NOTE(review): the result of RtlInsertElementGenericTableAvl is discarded. An
/// allocation failure (NULL) leaves the process unprotected without informing the
/// caller, and a key that is already present returns the existing entry with its
/// original masks rather than updating them -- confirm both outcomes are intended.
/// </remarks>
VOID HsProtectProcess(
	_In_ PEPROCESS Process,
	_In_ ACCESS_MASK ProcessAccessBitsToClear,
	_In_ ACCESS_MASK ThreadAccessBitsToClear)
{
	HSP_PROTECTED_PROCESS newEntry;
	PEX_PUSH_LOCK tableLock = &ObCallbackInstance.ProtectedProcessLock;

	newEntry.Process = Process;
	newEntry.ProcessAccessBitsToClear = ProcessAccessBitsToClear;
	newEntry.ThreadAccessBitsToClear = ThreadAccessBitsToClear;

	FltAcquirePushLockExclusive(tableLock);
	(VOID)RtlInsertElementGenericTableAvl(
		&ObCallbackInstance.ProtectedProcesses,
		&newEntry,
		sizeof(HSP_PROTECTED_PROCESS),
		NULL);
	FltReleasePushLock(tableLock);
}