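/*
 * Hook for PspTerminateProcess.
 *
 * Forwards the call to the saved stub (the original routine).  If that call
 * succeeds, the process is removed from the tracked-process list and a
 * "process terminated" notification is sent unless the list entry carries
 * PROCESS_NO_NOTIFICATION.
 *
 * Eprocess   - EPROCESS of the process being terminated.
 * ExitStatus - handed to the original routine unchanged.
 *
 * Returns the status of the original PspTerminateProcess call.  A failure to
 * take the process-list lock is logged but does not replace that status: at
 * that point the process *has* been terminated, so reporting a lock error
 * (or STATUS_SUCCESS in place of an informational status) to the caller
 * was misleading.
 */
NTSTATUS DDKAPI Hook_PspTerminateProcess (IN PEPROCESS	Eprocess, 
					  IN NTSTATUS	ExitStatus) 
{
  PROC		pfnStub = Hooks_GetStubAddress (HOOKS_PSPTERMINATEPROCESS) ;
  NTSTATUS	nStatus ;
  NTSTATUS	nLockStatus ;
  PROCSTRUCT	*pProc ;

  TRACE_ALWAYS (TEXT("Eprocess = 0x%08X\n"), Eprocess) ;

  /* NOTE(review): pfnStub is not checked for NULL; it is assumed that
     Hooks_GetStubAddress cannot fail once the hook is installed. */
  nStatus = (NTSTATUS) pfnStub (Eprocess, ExitStatus) ;

  if( ! SUCCEEDED(nStatus) )
    return nStatus ;

  /* Informational (non-zero) success codes are still successes; just log them. */
  if( nStatus!=STATUS_SUCCESS )
    TRACE_WARNING(TEXT("PspTerminateProcess returned 0x%08X\n"), nStatus) ;

  nLockStatus = ProcList_Lock () ;
  if( nLockStatus != STATUS_SUCCESS )
    {
      /* Bookkeeping is skipped, but the termination itself already happened:
         keep the caller's view consistent with reality. */
      TRACE_WARNING(TEXT("ProcList_Lock failed 0x%08X, process 0x%08X not removed from list\n"),
		    nLockStatus, Eprocess) ;
      return nStatus ;
    }

  pProc = ProcList_Remove ((PROCADDR)Eprocess) ;	
  ProcList_Unlock () ;

  /* NOTE(review): unlike Hook_NtTerminateProcess, an Eprocess that is not in
     the list (pProc==NULL) still triggers a notification here.  Kept as-is;
     confirm whether the asymmetry is intended. */
  if( pProc==NULL || (pProc->nFlags&PROCESS_NO_NOTIFICATION)==0 )
    HookCommon_SendProcessTerminatedNotification ((PROCADDR)Eprocess) ;

  ProcList_Delete (pProc) ;

  return nStatus ;  
}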
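/*
 * Dispatches one request message received from the kernel driver.
 *
 * pBuffer - the message; it starts with an SDNMHDR whose dwCode selects the
 *           message type.  For SDN_ASK and SDN_SCANFILE the reply (a DWORD)
 *           is written back into the start of this same buffer.
 * nSize   - number of bytes available in pBuffer.
 *
 * Returns the number of reply bytes written into pBuffer; 0 when the
 * message type has no reply, is unknown, or was rejected as too short.
 *
 * The ASSERTs only exist in debug builds, so every message type is also
 * length-checked at runtime before its struct is read.  Without that, a
 * short buffer makes `nSize - sizeof(...)` wrap (nSize is unsigned) and the
 * struct member accesses read past the end of pBuffer.
 */
DWORD _SpySrv_RequestFromDriver (LPVOID pBuffer, DWORD nSize) 
{
  SDNMHDR	*p = pBuffer ;
  VOID		*pSerial ;
  UINT		nSerialSize ;
  DWORD		nResponseSize = 0 ;

  TRACE ; 

  ASSERT (pBuffer) ;
  ASSERT (nSize>0) ;
  ASSERT (nSize>=sizeof(SDNMHDR)) ;

  /* Runtime guard for release builds, where the ASSERTs above are compiled out. */
  if( pBuffer==NULL || nSize<sizeof(SDNMHDR) )
    {
      TRACE_ERROR (TEXT("Driver request too short (size=%d)\n"), nSize) ;
      return 0 ;
    }
  
  TRACE_INFO (TEXT(" /----REQ-%d----\\ (size=%d\n"), p->dwCode, nSize) ;

  switch( p->dwCode )
    {
    case SDN_ASK:
      {
	SDNASK		*pAsk = pBuffer ;
	DWORD		nReaction ;
	FILTCOND	cond ;

	if( nSize<sizeof(SDNASK) )
	  {
	    /* Treated like a condition that fails to unserialize (below). */
	    TRACE_ERROR (TEXT("SDN_ASK too short (size=%d)\n"), nSize) ;
	    nReaction = RULE_ACCEPT ;
	  }
	else
	  {
	    pSerial = pAsk->data ;
	    nSerialSize = nSize - sizeof(SDNASK) ;
	
	    ASSERT (nSerialSize>0) ;

	    /* NOTE(review): a condition that cannot be unserialized is
	       accepted (fail-open) rather than answered with nDefReaction.
	       Kept as-is; confirm that this is the intended policy. */
	    if( ! FiltCond_Unserialize (&cond, pSerial, nSerialSize) )
	      {
		TRACE_ERROR (TEXT("FiltCond_Unserialize failed\n")) ;
		nReaction = RULE_ACCEPT ;	    
	      }
	    else
	      {   
		nReaction = _SpySrv_Ask (pAsk->nProcessAddress, 
					 pAsk->nDefReaction, 
					 &cond) ;
	      }
	  }
	
	/* The reply overwrites the header; SDNMHDR carries dwCode (a DWORD),
	   so the nSize>=sizeof(SDNMHDR) check above guarantees room for it. */
	*((DWORD*)pBuffer) = nReaction ;
	nResponseSize = sizeof(DWORD) ;
      }
      break ;

    case SDN_LOG:
    case SDN_ALERT:
      {
	SDNLOG		*pLog = pBuffer ;
	FILTCOND	cond ;

	if( nSize<sizeof(SDNLOG) )
	  {
	    TRACE_ERROR (TEXT("SDN_LOG/SDN_ALERT too short (size=%d)\n"), nSize) ;
	    break ;
	  }

	pSerial = pLog->data ;
	nSerialSize = nSize - sizeof(SDNLOG) ;

	/* No reply for these codes: a condition that cannot be unserialized
	   is simply not logged. */
	if( ! FiltCond_Unserialize (&cond, pSerial, nSerialSize) )
	  {
	    TRACE_ERROR (TEXT("FiltCond_Unserialize failed\n")) ;
	  }
	else
	  {
	    _SpySrv_Log (pLog->nProcessAddress, &cond, pLog->dwReaction, p->dwCode==SDN_ALERT) ;
	  }
      }
      break ;

    case SDN_SCANFILE:
      {
	SDNSCANFILE	*pScan = pBuffer ;
	DWORD		nScanResult ;

	if( nSize<sizeof(SDNSCANFILE) )
	  {
	    /* NOTE(review): how the driver treats a zero-length reply to
	       SDN_SCANFILE is not visible here; no scan-result code for
	       "malformed request" is known either. */
	    TRACE_ERROR (TEXT("SDN_SCANFILE too short (size=%d)\n"), nSize) ;
	    break ;
	  }

	/* NOTE(review): wszFilePath is assumed to be NUL-terminated by the
	   driver; its array bound is not visible here, so termination
	   cannot be enforced on this side. */
	nScanResult = SpySrv_ScanFile (pScan->wszFilePath, FALSE) ;

	*((DWORD*)pBuffer) = nScanResult ;
	nResponseSize = sizeof(DWORD) ;
      }
      break ;

    case SDN_PROCESSCREATED:
      {
	SDNPROCESSCREATED * pSdnpc = pBuffer ;
	PROCSTRUCT	proc ;

	if( nSize<sizeof(SDNPROCESSCREATED) )
	  {
	    TRACE_ERROR (TEXT("SDN_PROCESSCREATED too short (size=%d)\n"), nSize) ;
	    break ;
	  }
	
	proc.nProcessAddress	= pSdnpc->nProcessAddress ;
	proc.nProcessId		= pSdnpc->nProcessId ;
	proc.nState		= PS_HOOKED_SINCE_BIRTH ;
	/* Bounded copies; wszFilePath is assumed NUL-terminated (see SDN_SCANFILE). */
	wcslcpy (proc.szName, PathFindFileName(pSdnpc->wszFilePath), 32) ;
	wcslcpy (proc.szPath, pSdnpc->wszFilePath, MAX_PATH) ;
	
	/* NOTE(review): ProcList_Lock's return value is ignored on the
	   user-mode side (here and below), unlike in the kernel hooks;
	   confirm the user-mode lock cannot fail. */
	ProcList_Lock () ;
	ProcList_Add (&proc) ;
	ProcList_Unlock () ;
	  
	PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PROCESSCREATED, pSdnpc->nProcessAddress) ;
      }
      break ;

    case SDN_PIDCHANGED:
      {
  	SDNPIDCHANGED	*pSdnpc = pBuffer ;
  	PROCSTRUCT	*pProc ;

	if( nSize<sizeof(SDNPIDCHANGED) )
	  {
	    TRACE_ERROR (TEXT("SDN_PIDCHANGED too short (size=%d)\n"), nSize) ;
	    break ;
	  }

	ProcList_Lock () ;	
	pProc = ProcList_Get (pSdnpc->nProcessAddress) ;
	if( pProc ) 
	  {
	    TRACE_ALWAYS (TEXT("PID changed %d -> %d\n"), pProc->nProcessId, pSdnpc->nNewProcessId) ; 
	    pProc->nProcessId = pSdnpc->nNewProcessId ;  
	  }
	ProcList_Unlock () ;

	// This notification has been disabled because it caused a dead-lock.
	// PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PIDCHANGED, pSdnpc->nProcessAddress) ;
      }
      break ;

    case SDN_PROCESSTERMINATED:
      {
	SDNPROCESSTERMINATED * pSdnpt = pBuffer ;

	if( nSize<sizeof(SDNPROCESSTERMINATED) )
	  {
	    TRACE_ERROR (TEXT("SDN_PROCESSTERMINATED too short (size=%d)\n"), nSize) ;
	    break ;
	  }

	TRACE_INFO (TEXT("Process terminated 0x%08X\n"),pSdnpt->nProcessAddress) ; 
	
	/* NOTE(review): the entry returned by ProcList_Remove is dropped
	   here, whereas the kernel-side hooks hand it to ProcList_Delete.
	   If the user-mode list allocates entries (ProcList_Add above takes
	   `proc` by address, suggesting a copy), this leaks one entry per
	   terminated process -- confirm against the user-mode ProcList. */
	ProcList_Lock () ;
	ProcList_Remove (pSdnpt->nProcessAddress) ;
	ProcList_Unlock () ;
	  
	PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PROCESSTERMINATED, pSdnpt->nProcessAddress) ;
      }
      break ;

    default:

      TRACE_WARNING (TEXT("Driver request not handled (code=%d)\n"),  p->dwCode) ;
    }

  TRACE_INFO (TEXT(" \\----ANS------/\n")) ;

  return nResponseSize ;
}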
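/*
 * Hook for NtTerminateProcess.
 *
 * For a real handle (neither NULL nor INVALID_HANDLE_VALUE) the kill is first
 * submitted to the filter as FILTREASON_SYS_KILLPROCESS together with the
 * target's image path: RULE_REJECT denies it with STATUS_ACCESS_DENIED and
 * RULE_FEIGN reports STATUS_SUCCESS without terminating anything.  Otherwise
 * the original routine is invoked and, on success, the target is removed
 * from the process list and a termination notification is sent unless its
 * entry carries PROCESS_NO_NOTIFICATION.
 *
 * ProcessHandle - process to terminate.  NULL and INVALID_HANDLE_VALUE
 *                 (0xFFFFFFFF, self-termination) are special; see the
 *                 comments in the body.
 * ExitStatus    - passed unchanged to the original routine.
 *
 * Returns STATUS_ACCESS_DENIED when the filter rejects the call, otherwise the
 * status of the original routine (STATUS_SUCCESS for a feigned call).  A
 * failure to take the process-list lock is logged, not returned: the
 * termination has either already happened or (self-termination) still has
 * to be forwarded, so it must not abort the function.
 */
NTSTATUS DDKAPI Hook_NtTerminateProcess (IN HANDLE ProcessHandle OPTIONAL, 
					 IN NTSTATUS ExitStatus) 
{
  PROC		pfnStub = Hooks_GetStubAddress (HOOKS_NTTERMINATEPROCESS) ;
  NTSTATUS	nStatus ;
  NTSTATUS	nLockStatus ;

  TRACE_INFO (TEXT("ProcessHandle=0x%08X (currentprocess=0x%08X)\n"), ProcessHandle, ProcInfo_GetCurrentProcessAddress()) ;


  if( ProcessHandle!=INVALID_HANDLE_VALUE && ProcessHandle!=NULL )
    {
      PROCSTRUCT	*pProc ;
      /* Initialised in case ProcInfo_GetAddress does not fill it in
         (its return value is not checked here; failure semantics unknown). */
      PROCADDR		nProcessAddress = 0 ;
      UINT		nReaction = RULE_ACCEPT ;
      WCHAR		wszFilePath[MAX_PATH] ;

      ProcInfo_GetAddress (ProcessHandle, &nProcessAddress) ;
      
      TRACE_ALWAYS (TEXT("Process 0x%08X is killing process 0x%08X\n"), 
		    ProcInfo_GetCurrentProcessAddress(), nProcessAddress) ;
      
      /* wszFilePath lives on the kernel stack and neither source below is
         known to fit in MAX_PATH characters, so both copies are bounded and
         explicitly terminated (wcscpy would overrun on a long path). */
      wcsncpy (wszFilePath, g_usUnknownFile.Buffer, MAX_PATH-1) ; 
      wszFilePath[MAX_PATH-1] = L'\0' ;
      
      nLockStatus = ProcList_Lock () ;
      
      if( nLockStatus == STATUS_SUCCESS )
	{
	  pProc = ProcList_Get (nProcessAddress) ;
	  
	  if( pProc != NULL )
	    {
	      wcsncpy (wszFilePath, pProc->wszPath, MAX_PATH-1) ;
	      wszFilePath[MAX_PATH-1] = L'\0' ;
	    }
	  
	  ProcList_Unlock () ;
	}
      /* If the lock could not be taken the filter still runs, with the
         "unknown file" placeholder as the path. */
      
      HookCommon_CatchCall (&nReaction, NULL,
			    FILTREASON_SYS_KILLPROCESS, 
			    TEXT("s"), wszFilePath) ;
	  
      if( nReaction == RULE_REJECT ) return STATUS_ACCESS_DENIED ;
      if( nReaction == RULE_FEIGN ) return STATUS_SUCCESS ;
    }

  // if NtTerminateProcess is called with ProcessHandle==0xFFFFFFFF, it will not return
  // in this case, we call it later
  if( ProcessHandle!=INVALID_HANDLE_VALUE )
    nStatus = (NTSTATUS) pfnStub (ProcessHandle, ExitStatus) ;
  else
    nStatus = STATUS_SUCCESS ;

  // we ignore the call if it ProcessHandle==NULL because NtTerminateProcess will be called
  // a second time with a valid ProcessHandle or with 0xFFFFFFFF
  // (this has been observed on Windows XP SP2 and Windows 2000 SP4)
  if( SUCCEEDED(nStatus) && ProcessHandle!=NULL )
    {
      PROCSTRUCT	*pProc ;
      PROCADDR		nProcessAddress = 0 ;

      if( nStatus!=STATUS_SUCCESS )
	TRACE_WARNING(TEXT("NtTerminateProcess returned 0x%08X\n"), nStatus) ;

      /* ProcessHandle is non-NULL here, so only the self-termination
         sentinel still needs mapping to the current process. */
      if( ProcessHandle!=INVALID_HANDLE_VALUE )
	ProcInfo_GetAddress (ProcessHandle, &nProcessAddress) ;
      else
	nProcessAddress = ProcInfo_GetCurrentProcessAddress() ;

      nLockStatus = ProcList_Lock () ;
      if( nLockStatus != STATUS_SUCCESS )
	{
	  /* Do NOT return here.  For INVALID_HANDLE_VALUE the real
	     NtTerminateProcess has not been called yet (see below), so an
	     early return would leave the process alive; for other handles
	     the process is already gone and the caller should still get
	     the termination status rather than a lock error. */
	  TRACE_WARNING(TEXT("ProcList_Lock failed 0x%08X, process 0x%08X not removed from list\n"),
			nLockStatus, nProcessAddress) ;
	}
      else
	{
	  pProc = ProcList_Remove (nProcessAddress) ;	
	  ProcList_Unlock () ;

	  /* Conversion spec was "0x%08" (no type character), i.e. a broken format. */
	  if( pProc==NULL )
	    TRACE_WARNING (TEXT("Unknown process (handle=0x%08X, address=0x%08X)\n"), ProcessHandle, nProcessAddress) ;
      
	  if( pProc!=NULL && (pProc->nFlags&PROCESS_NO_NOTIFICATION)==0 )
	    HookCommon_SendProcessTerminatedNotification (nProcessAddress) ;     	

	  ProcList_Delete (pProc) ;
	}
    }  

  // read comment above: self-termination is forwarded last because the
  // original routine does not return for this handle value
  if( ProcessHandle==INVALID_HANDLE_VALUE )
    nStatus = (NTSTATUS) pfnStub (ProcessHandle, ExitStatus) ;
 
  return nStatus ;  
}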