/*************************************************************************
MiniFilter initialization and unload routines.
*************************************************************************/
NTSTATUS
DriverEntry (
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
UNREFERENCED_PARAMETER( RegistryPath );
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("minifilter0!DriverEntry: Entered\n") );
//
// Register with FltMgr to tell it our callback routines
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&gFilterHandle );
ASSERT( NT_SUCCESS( status ) );
if (NT_SUCCESS( status ))
{
//
// Start filtering i/o
//
status = FltStartFiltering( gFilterHandle );
if (!NT_SUCCESS( status ))
FltUnregisterFilter( gFilterHandle );
}
return status;
}
__checkReturn
NTSTATUS
FileMgrInit (
__in PDRIVER_OBJECT DriverObject,
__in _tpOnOnload UnloadCb,
__in FilteringSystem* FltSystem
)
{
ASSERT( FltSystem );
NTSTATUS status = FltSystem->AddRef();
if ( !NT_SUCCESS( status ) )
{
return status;
}
gFileMgr.m_UnloadCb = UnloadCb;
gFileMgr.m_FltSystem = FltSystem;
status = FltRegisterFilter(
DriverObject,
(PFLT_REGISTRATION) &filterRegistration,
&gFileMgr.m_FileFilter
);
if ( !NT_SUCCESS( status ) )
{
FltSystem->Release();
}
return status;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DBG_PRINT("SecretStash!DriverEntry: Entered\n");
secretStashConfig.RegDataLoaded = FALSE;
NTSTATUS status = STATUS_SUCCESS;
try
{
LeaveOnFail(FltRegisterFilter(DriverObject, &FilterRegistration, &secretStashConfig.Filter)); // Register with FltMgr to tell it our callback routines
LeaveOnFail(GetRegistryConfigData(RegistryPath));
LeaveOnFail(CreateCommunicationPort());
LeaveOnFail(FltStartFiltering(secretStashConfig.Filter));
}
finally
{
if (!NT_SUCCESS(status))
{
if (secretStashConfig.ComPortConfig.ServerPort != NULL)
FltCloseCommunicationPort(secretStashConfig.ComPortConfig.ServerPort);
if (secretStashConfig.Filter != NULL)
FltUnregisterFilter(secretStashConfig.Filter);
}
}
return status;
}
NTSTATUS
DriverEntry (
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for this miniFilter driver. This
registers with FltMgr and initializes all global data structures.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Returns STATUS_SUCCESS.
--*/
{
NTSTATUS status;
UNREFERENCED_PARAMETER( RegistryPath );
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("PassThrough!DriverEntry: Entered\n") );
//
// Register with FltMgr to tell it our callback routines
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&gFilterHandle );
ASSERT( NT_SUCCESS( status ) );
if (NT_SUCCESS( status )) {
//
// Start filtering i/o
//
status = FltStartFiltering( gFilterHandle );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( gFilterHandle );
}
}
return status;
}
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for this miniFilter driver. This
registers the miniFilter with FltMgr and initializes all
its global data structures.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Returns STATUS_SUCCESS.
--*/
{
NTSTATUS status;
UNREFERENCED_PARAMETER( RegistryPath );
//
// Register with FltMgr
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&NullFilterData.FilterHandle );
FLT_ASSERT( NT_SUCCESS( status ) );
if (NT_SUCCESS( status )) {
//
// Start filtering i/o
//
status = FltStartFiltering( NullFilterData.FilterHandle );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( NullFilterData.FilterHandle );
}
}
return status;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING str)
{
UNREFERENCED_PARAMETER(driver);
UNREFERENCED_PARAMETER(str);
NTSTATUS sta;
driver->DriverUnload = unload;
CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
{
IRP_MJ_CREATE,
0,
precreate,
postcreate
},
{
IRP_MJ_OPERATION_END
}
};
FLT_REGISTRATION fr;
fr.Size = sizeof(FLT_REGISTRATION);
fr.ContextRegistration = 0;
fr.FilterUnloadCallback = fltunload;
fr.Flags = 0;
fr.GenerateFileNameCallback = 0;
fr.InstanceQueryTeardownCallback = 0;
fr.InstanceSetupCallback = 0;
fr.InstanceTeardownCompleteCallback = 0;
fr.InstanceTeardownStartCallback = 0;
fr.NormalizeContextCleanupCallback = 0;
fr.NormalizeNameComponentCallback = 0;
fr.NormalizeNameComponentExCallback = 0;
fr.OperationRegistration = Callbacks;
fr.SectionNotificationCallback = 0;
fr.TransactionNotificationCallback = 0;
fr.Version = FLT_REGISTRATION_VERSION;
sta = FltRegisterFilter(driver, &fr, &pf);
DbgPrint("0x%x\n", sta);
if (NT_SUCCESS(sta))
{
DbgPrint("MINI驱动\t create by:zlz 五邑大学\n");
DbgPrint("MINI驱动初始化成功,开始过滤\n");
FltStartFiltering(pf);
}
return STATUS_SUCCESS;
}
VOID
FltFilterInstall( DRIVER_OBJECT* DriverObject )
{
NTSTATUS status;
FLT_REGISTRATION FilterRegistration;
FLT_CONTEXT_REGISTRATION ContextReg[]=
{
{FLT_CONTEXT_END}
};
FLT_OPERATION_REGISTRATION OperationReg[]=
{
{IRP_MJ_CREATE, 0, FilterPreCreate, NULL, NULL},
{IRP_MJ_OPERATION_END}
};
DbgPrint("[PUSH] => (PushFilterInstall)");
memset(&FilterRegistration,0,sizeof(FilterRegistration));
FilterRegistration.Size=sizeof(FilterRegistration);
FilterRegistration.Version=FLT_REGISTRATION_VERSION;
FilterRegistration.Flags=0;
//we do not use any contexts yet
FilterRegistration.ContextRegistration=ContextReg;
FilterRegistration.OperationRegistration=OperationReg;
FilterRegistration.FilterUnloadCallback = FilterUnload;
status = FltRegisterFilter(
DriverObject,
&FilterRegistration,
&FltFilterData
);
if (NT_SUCCESS(status))
{
FltStartFiltering(FltFilterData);
FltInitialized = TRUE;
}
DbgPrint("[PUSH] <= (PushFilterInstall)");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
ntStatus = FltRegisterFilter(DriverObject, &FilterRegistration, &FilterHandle);
ASSERT(NT_SUCCESS(ntStatus));
if (NT_SUCCESS(ntStatus))
{
ntStatus = FltStartFiltering(FilterHandle);
if (!NT_SUCCESS(ntStatus))
{
FltUnregisterFilter(FilterHandle);
}
}
return ntStatus;
}
NTSTATUS FilemonEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
NTSTATUS status;
FltData.Filter = NULL;
status = FltRegisterFilter(pDriverObject, &FilterRegistration, &FltData.Filter);
if(!NT_SUCCESS(status))
return status;
status = FltStartFiltering(FltData.Filter);
if(!NT_SUCCESS(status))
{
FltUnregisterFilter(FltData.Filter);
return status;
}
// 初始
KeInitializeSpinLock(&FltData.spinkLock);
InitializeListHead(&FltData.listGuard);
return STATUS_SUCCESS;
}
//---------------------------------------------------------------
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegistryPath)
{
NTSTATUS tRetStatus;
PEPROCESS tCurProcess = PsGetCurrentProcess();
if(0 == tCurProcess)
return 0;
for(int i=0; i<3*PAGE_SIZE; i++)
{
if(0 == _strnicmp("System", (char*)tCurProcess + i, strlen("System")))
{
ProcessNameOffset = i;
break;
}
}
if(0 == ProcessNameOffset)
{
return STATUS_UNSUCCESSFUL;
}
tRetStatus = FltRegisterFilter(pDriverObject, &g_FltRegistration, &g_FltFilterHandle);
if(false == NT_SUCCESS(tRetStatus))
{
Debug("FltRegisterFilter failed");
return STATUS_UNSUCCESSFUL;
}
tRetStatus = FltStartFiltering(g_FltFilterHandle);
if(false == NT_SUCCESS(tRetStatus))
{
Debug("FltStartFiltering failed");
FltUnregisterFilter(g_FltFilterHandle);
return STATUS_UNSUCCESSFUL;
}
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
NTSTATUS status;
UNREFERENCED_PARAMETER(RegistryPath);
KdPrint(("Passthrough!DriverEntry: entered\n"));
status = FltRegisterFilter(DriverObject, &FilterRegistration, &gFilterHandle);
FLT_ASSERT(NT_SUCCESS(status));
if (NT_SUCCESS(status))
{
status = FltStartFiltering(gFilterHandle);
if (!NT_SUCCESS(status))
{
FltUnregisterFilter(gFilterHandle);
}
KdPrint(("Passthrough!DriverEntry: start mini filter \n"));
}
return status;
}
NTSTATUS
DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for this miniFilter driver. This
registers with FltMgr and initializes all global data structures.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Routine can return non success error codes.
--*/
{
NTSTATUS status;
OBJECT_ATTRIBUTES oa;
PSECURITY_DESCRIPTOR sd;
UNICODE_STRING uniString;
//UNREFERENCED_PARAMETER(RegistryPath);
PT_DBG_PRINT(PTDBG_TRACE_ROUTINES,
("claimsman!DriverEntry: Entered\n"));
//
// Default to NonPagedPoolNx for non paged pool allocations where supported.
//
ExInitializeDriverRuntime(DrvRtPoolNxOptIn);
//
// Obtain the extensions to monitor from the registry
//
status = InitializeMonitoredExtensions(RegistryPath);
if (!NT_SUCCESS(status)) {
status = STATUS_SUCCESS;
ClaimsmanData.MonitoredExtensions = &MonitoredExtensionDefault;
ClaimsmanData.MonitoredExtensionCount = 1;
}
//
// Obtain the ignored users from the registry
//
status = InitializeIgnoredUsers(RegistryPath);
if (!NT_SUCCESS(status)) {
status = STATUS_SUCCESS;
ClaimsmanData.IgnoredUsers = &MonitoredExtensionDefault;
ClaimsmanData.IgnoredUserCount = 1;
}
//
// Register with FltMgr to tell it our callback routines
//
status = FltRegisterFilter(DriverObject,
&FilterRegistration,
&ClaimsmanData.Filter);
if (!NT_SUCCESS(status)) {
return status;
}
//
// Initialize communication port
//
RtlInitUnicodeString(&uniString, ClaimsmanPortName);
// Only ADMINs & SYSTEM can access the port
status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
if (NT_SUCCESS(status)) {
InitializeObjectAttributes(&oa,
&uniString,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
sd);
status = FltCreateCommunicationPort(ClaimsmanData.Filter,
&ClaimsmanData.ServerPort,
&oa,
NULL,
ClaimsmanConnect,
ClaimsmanDisconnect,
NULL,
1);
// Not needed anymore
FltFreeSecurityDescriptor(sd);
if (!NT_SUCCESS(status)) {
PT_DBG_PRINT(PTDBG_TRACE_ROUTINES,
("claimsman!DriverEntry: Unable to create communication port: %d\n", status));
}
else {
//
// Start filtering I/O.
//
status = FltStartFiltering(ClaimsmanData.Filter);
if (!NT_SUCCESS(status)) {
FltUnregisterFilter(ClaimsmanData.Filter);
FltCloseCommunicationPort(ClaimsmanData.ServerPort);
}
}
}
return status;
}
NTSTATUS
DriverEntry (
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString; //for communication port name
UNREFERENCED_PARAMETER( RegistryPath );
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("NPminifilter!DriverEntry: Entered\n") );
//
// Register with FltMgr to tell it our callback routines
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&gFilterHandle );
ASSERT( NT_SUCCESS( status ) );
if (NT_SUCCESS( status )) {
//
// Start filtering i/o
//
status = FltStartFiltering( gFilterHandle );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( gFilterHandle );
}
}
//Communication Port
status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS );
if (!NT_SUCCESS( status )) {
goto final;
}
status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS );
if (!NT_SUCCESS( status )) {
goto final;
}
RtlInitUnicodeString( &uniString, MINISPY_PORT_NAME );
InitializeObjectAttributes( &oa,
&uniString,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
sd );
status = FltCreateCommunicationPort( gFilterHandle,
&gServerPort,
&oa,
NULL,
NPMiniConnect,
NPMiniDisconnect,
NPMiniMessage,
1 );
FltFreeSecurityDescriptor( sd );
if (!NT_SUCCESS( status )) {
goto final;
}
final :
/*
* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= **
*
*
* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= **
*/
NTSTATUS
DriverEntry( IN PDRIVER_OBJECT theDriverObject,
IN PUNICODE_STRING theRegistryPath )
{
NTSTATUS Status;
PSECURITY_DESCRIPTOR SecurityDescriptor;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING uPortName;
// Open the registry and read in all the setting we will use in kernel mode
EnumerateRegistryValues( theRegistryPath );
// DDK : "...Add itself to the global list of registered minifilters and to provide
// the Filter Manager with a list of callback functions and other information
// about the minifilter."
Status = FltRegisterFilter( theDriverObject,
&cfsd_FilterRegistration,
&gFilterPointer );
if ( NT_SUCCESS( Status ) )
{
#if ENABLE_USER_INTERFACE
Status = FltBuildDefaultSecurityDescriptor( &SecurityDescriptor,
FLT_PORT_ALL_ACCESS );
if ( NT_SUCCESS( Status ) )
{
RtlInitUnicodeString( &uPortName, USER_COMMUNICATION_PORT_NAME );
InitializeObjectAttributes( &ObjectAttributes,
&uPortName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
SecurityDescriptor );
KdPrint( (PRINT_TAG "Attempting to create Communication Port for user mode access\n") );
Status = FltCreateCommunicationPort( gFilterPointer, // Filter
&gUserModeConnection.ServerPort,// *ServerPort
&ObjectAttributes, // ObjectAttributes
NULL, // ServerPortCookie
cfsd_UserModeConnect, // ConnectNotifyCallback
cfsd_UserModeDisconnect, // DisconnectNotifyCallback
cfsd_UserModeCommunication, // MessageNotifyCallback
1 ); // MaxConnections
FltFreeSecurityDescriptor( SecurityDescriptor );
// If we failed to create a communications port then we are going to fail the driver
if ( !NT_SUCCESS( Status ) )
{
KdPrint( (PRINT_TAG "Failed FltCreateCommunicationPort() with NTSTATUS 0x%x\n",Status ) );
// Release our hidden data memory
ExFreePoolWithTag( gHiddenData, 'parC' );
return Status;
}
KdPrint( (PRINT_TAG "Created ServerPort 0x%X\n", gUserModeConnection.ServerPort ) );
}
#endif
// DDK : "...Notifies the Filter Manager that the minifilter is ready to
// begin attaching to volumes and filtering I/O requests"
Status = FltStartFiltering( gFilterPointer );
if ( !NT_SUCCESS( Status ))
{
#if ENABLE_USER_INTERFACE
FltCloseCommunicationPort( gUserModeConnection.ServerPort );
#endif
// If we failed FltStartFiltering() then we unregister ourself with the Filter Manager
// so that we no longer recieve calls to process I/O operations.
FltUnregisterFilter( gFilterPointer );
// Release our hidden data memory
ExFreePoolWithTag( gHiddenData, 'parC' );
}
}
return Status;
}
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for this filter driver. It registers
itself with the filter manager and initializes all its global data structures.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Returns STATUS_SUCCESS.
--*/
{
NTSTATUS status;
//
// Default to NonPagedPoolNx for non paged pool allocations where supported.
//
ExInitializeDriverRuntime( DrvRtPoolNxOptIn );
RtlZeroMemory( &Globals, sizeof( Globals ) );
#if DBG
//
// Initialize global debug level
//
CtxInitializeDebugLevel( RegistryPath );
#else
UNREFERENCED_PARAMETER( RegistryPath );
#endif
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Ctx]: Driver being loaded\n") );
//
// Register with the filter manager
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&Globals.Filter );
if (!NT_SUCCESS( status )) {
return status;
}
//
// Start filtering I/O
//
status = FltStartFiltering( Globals.Filter );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( Globals.Filter );
}
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Ctx]: Driver loaded complete (Status = 0x%08X)\n",
status) );
return status;
}
NTSTATUS
DriverEntry (
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for the Filter driver. This
registers the Filter with the filter manager and initializes all
its global data structures.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Returns STATUS_SUCCESS.
--*/
{
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
PSECURITY_DESCRIPTOR sd;
NTSTATUS status;
UNREFERENCED_PARAMETER( RegistryPath );
//
// 向过滤管理器注册过滤器
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&ScannerData.Filter );
if (!NT_SUCCESS( status )) {
return status;
}
//
// 创建一个通信端口
//
RtlInitUnicodeString( &uniString, ScannerPortName );
//
// We secure the port so only ADMINs & SYSTEM can acecss it.
// 我们设置只有管理员权限用户与SYSTEM用户权限的程序可以接入这个端口
//
status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS );
if (NT_SUCCESS( status )) {
InitializeObjectAttributes( &oa,
&uniString,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
sd );
status = FltCreateCommunicationPort( ScannerData.Filter,
&ScannerData.ServerPort,
&oa,
NULL,
ScannerPortConnect,
ScannerPortDisconnect,
NULL,
1 );
//
// 当调用FltCreateCommunicationPort()后,安全描述符已经没有需要了,应当释放掉。
//
FltFreeSecurityDescriptor( sd );
if (NT_SUCCESS( status )) {
//
// 开始过滤IO
//
status = FltStartFiltering( ScannerData.Filter );
if (NT_SUCCESS( status )) {
return STATUS_SUCCESS;
}
FltCloseCommunicationPort( ScannerData.ServerPort );
}
}
FltUnregisterFilter( ScannerData.Filter );
return status;
}
NTSTATUS file_start (void)
{
NTSTATUS retval;
const static FLT_OPERATION_REGISTRATION callbacks[] = {
// {IRP_MJ_CLEANUP, 0, on_pre_op, on_post_op, NULL},
{IRP_MJ_CLOSE, 0, on_pre_op, on_post_op, NULL},
{IRP_MJ_CREATE, 0, on_pre_op, on_post_op, NULL},
{IRP_MJ_CREATE_MAILSLOT, 0, on_pre_op, on_post_op, NULL},
{IRP_MJ_CREATE_NAMED_PIPE, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_DEVICE_CONTROL, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_DIRECTORY_CONTROL, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_FILE_SYSTEM_CONTROL, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_FLUSH_BUFFERS, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_INTERNAL_DEVICE_CONTROL, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_LOCK_CONTROL, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_PNP, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_QUERY_EA, 0, on_pre_op, on_post_op, NULL},
{IRP_MJ_QUERY_INFORMATION, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_QUERY_QUOTA, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_QUERY_SECURITY, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_QUERY_VOLUME_INFORMATION, 0, on_pre_op, on_post_op, NULL},
{IRP_MJ_READ, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_SET_EA, 0, on_pre_op, on_post_op, NULL},
{IRP_MJ_SET_INFORMATION, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_SET_QUOTA, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_SET_SECURITY, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_SET_VOLUME_INFORMATION, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_SHUTDOWN, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_SYSTEM_CONTROL, 0, on_pre_op, on_post_op, NULL},
{IRP_MJ_WRITE, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_ACQUIRE_FOR_CC_FLUSH, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_ACQUIRE_FOR_MOD_WRITE, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_MDL_READ, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_MDL_READ_COMPLETE, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_MDL_WRITE_COMPLETE, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_NETWORK_QUERY_OPEN, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_PREPARE_MDL_WRITE, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_RELEASE_FOR_CC_FLUSH, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_RELEASE_FOR_MOD_WRITE, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_VOLUME_DISMOUNT, 0, on_pre_op, on_post_op, NULL},
// {IRP_MJ_VOLUME_MOUNT, 0, on_pre_op, on_post_op, NULL},
{IRP_MJ_OPERATION_END}
};
const static FLT_REGISTRATION reg = {
sizeof(FLT_REGISTRATION),
FLT_REGISTRATION_VERSION,
0,
NULL,
callbacks,
NULL,
NULL, // we don't want to be unloaded by the manager.
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
};
retval = FltRegisterFilter(driver_object, ®, &filter);
if (retval != STATUS_SUCCESS) {
DbgPrint("FltRegisterFilter failed: err=0x%8x\n", retval);
return retval;
}
retval = FltStartFiltering(filter);
if (retval != STATUS_SUCCESS) {
DbgPrint("FltStartFiltering failed: err=0x%8x\n", retval);
FltUnregisterFilter(filter);
filter = NULL;
return retval;
}
return STATUS_SUCCESS;
}
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This routine is called when a driver first loads. Its purpose is to
initialize global state and then register with FltMgr to start filtering.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Status of the operation.
--*/
{
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
NTSTATUS status = STATUS_SUCCESS;
try {
//
// Initialize global data structures.
//
MiniSpyData.LogSequenceNumber = 0;
MiniSpyData.MaxRecordsToAllocate = DEFAULT_MAX_RECORDS_TO_ALLOCATE;
MiniSpyData.RecordsAllocated = 0;
MiniSpyData.NameQueryMethod = DEFAULT_NAME_QUERY_METHOD;
MiniSpyData.DriverObject = DriverObject;
InitializeListHead( &MiniSpyData.OutputBufferList );
KeInitializeSpinLock( &MiniSpyData.OutputBufferLock );
ExInitializeNPagedLookasideList( &MiniSpyData.FreeBufferList,
NULL,
NULL,
0,
RECORD_SIZE,
SPY_TAG,
0 );
#if MINISPY_VISTA
//
// Dynamically import FilterMgr APIs for transaction support
//
#pragma warning(push)
#pragma warning(disable:4055) // type cast from data pointer to function pointer
MiniSpyData.PFltSetTransactionContext = (PFLT_SET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltSetTransactionContext" );
MiniSpyData.PFltGetTransactionContext = (PFLT_GET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltGetTransactionContext" );
MiniSpyData.PFltEnlistInTransaction = (PFLT_ENLIST_IN_TRANSACTION) FltGetRoutineAddress( "FltEnlistInTransaction" );
#pragma warning(pop)
#endif
//
// Read the custom parameters for MiniSpy from the registry
//
SpyReadDriverParameters(RegistryPath);
//
// Now that our global configuration is complete, register with FltMgr.
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&MiniSpyData.Filter );
if (!NT_SUCCESS( status )) {
leave;
}
status = FltBuildDefaultSecurityDescriptor( &sd,
FLT_PORT_ALL_ACCESS );
if (!NT_SUCCESS( status )) {
leave;
}
RtlInitUnicodeString( &uniString, MINISPY_PORT_NAME );
InitializeObjectAttributes( &oa,
&uniString,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
sd );
status = FltCreateCommunicationPort( MiniSpyData.Filter,
&MiniSpyData.ServerPort,
&oa,
NULL,
SpyConnect,
SpyDisconnect,
SpyMessage,
1 );
FltFreeSecurityDescriptor( sd );
if (!NT_SUCCESS( status )) {
leave;
}
//
// We are now ready to start filtering
//
status = FltStartFiltering( MiniSpyData.Filter );
//If all went ok, register a process creation notification cb.
if (NT_SUCCESS(status))
{
status = PsSetCreateProcessNotifyRoutine(ProcessCreationCB, FALSE);
}
//If all went ok, register also a register filter.
if (NT_SUCCESS(status))
{
status = CmRegisterCallback(RegistryCallback, NULL, &g_CmCookie);
}
} finally {
if (!NT_SUCCESS( status ) ) {
if (NULL != MiniSpyData.ServerPort) {
FltCloseCommunicationPort( MiniSpyData.ServerPort );
}
if (NULL != MiniSpyData.Filter) {
FltUnregisterFilter( MiniSpyData.Filter );
}
ExDeleteNPagedLookasideList( &MiniSpyData.FreeBufferList );
}
}
return status;
}
/*
* DriverEntry
*
* Main device driver entry point (the driver equivalent of "WinMain", 'cept for
* drivers). This is the first routine called:
*
* http://msdn.microsoft.com/en-us/library/windows/hardware/ff557309(v=vs.85).aspx
*
* In this specific initialization, we register with something called the
* "Filter Manager"...which gives us something like an "Application Framework"
* where much of the boilerplate work is taken care of for us. Except this is
* a "Driver Framework", and it allows us to provide only the parts we are
* interested in writing and accept most of the defaults. By stylizing our code
* in this way we are creating something known as a miniFilter:
*
* http://msdn.microsoft.com/en-us/library/windows/hardware/ff538896(v=vs.85).aspx
*/
NTSTATUS
DriverEntry(
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
PSECURITY_DESCRIPTOR sd;
NTSTATUS status;
UNREFERENCED_PARAMETER(RegistryPath);
/* Register with filter manager. */
status = FltRegisterFilter(
DriverObject,
&FilterRegistration,
&Globals.Filter
);
if (!NT_SUCCESS(status)) {
return status;
}
/* Create a communication port. */
RtlInitUnicodeString(&uniString, LockerPortName);
/* We secure the port so only ADMINs & SYSTEM can access it. */
status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
if (NT_SUCCESS(status)) {
InitializeObjectAttributes(
&oa,
&uniString,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
sd
);
status = FltCreateCommunicationPort(
Globals.Filter,
&Globals.ServerPort,
&oa,
NULL,
LockerPortConnect,
LockerPortDisconnect,
LockerMessage,
1 /* MaxConnections: Only accept one connection! */
);
/*
* Free the security descriptor in all cases. It is not needed once
* the call to FltCreateCommunicationPort() is made.
*/
FltFreeSecurityDescriptor(sd);
if (NT_SUCCESS(status)) {
/*
* Start filtering I/O. This is blocking, and the minifilter
* will keep running until the service is stopped, e.g. with
* "SC STOP CloneLocker" at the command line or using a GUI
* service manager.
*/
status = FltStartFiltering(Globals.Filter);
if (NT_SUCCESS(status)) {
return STATUS_SUCCESS;
}
FltCloseCommunicationPort(Globals.ServerPort);
}
}
FltUnregisterFilter(Globals.Filter);
return status;
}
NTSTATUS
CtxDriverEntry (
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
#endif
/*++
Routine Description:
This is the initialization routine for this filter driver. It registers
itself with the filter manager and initializes all its global data structures.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Returns STATUS_SUCCESS.
--*/
{
NTSTATUS status;
//
// Filters callback routines
//
FLT_OPERATION_REGISTRATION callbacks[] = {
{ IRP_MJ_CREATE,
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
CtxPreCreate,
CtxPostCreate },
{ IRP_MJ_CLEANUP,
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
CtxPreCleanup,
NULL },
{ IRP_MJ_CLOSE,
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
CtxPreClose,
NULL },
{ IRP_MJ_SET_INFORMATION,
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
CtxPreSetInfo,
CtxPostSetInfo },
{ IRP_MJ_OPERATION_END }
};
const FLT_CONTEXT_REGISTRATION contextRegistration[] = {
{ FLT_INSTANCE_CONTEXT,
0,
CtxContextCleanup,
CTX_INSTANCE_CONTEXT_SIZE,
CTX_INSTANCE_CONTEXT_TAG },
{ FLT_FILE_CONTEXT,
0,
CtxContextCleanup,
CTX_FILE_CONTEXT_SIZE,
CTX_FILE_CONTEXT_TAG },
{ FLT_STREAM_CONTEXT,
0,
CtxContextCleanup,
CTX_STREAM_CONTEXT_SIZE,
CTX_STREAM_CONTEXT_TAG },
{ FLT_STREAMHANDLE_CONTEXT,
0,
CtxContextCleanup,
CTX_STREAMHANDLE_CONTEXT_SIZE,
CTX_STREAMHANDLE_CONTEXT_TAG },
{ FLT_CONTEXT_END }
};
//
// Filters registration data structure
//
#if !__NDAS_FS_MINI__
FLT_REGISTRATION filterRegistration = {
#else
FLT_REGISTRATION CtxFilterRegistration = {
#endif
sizeof( FLT_REGISTRATION ), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
contextRegistration, // Context
callbacks, // Operation callbacks
CtxUnload, // Filters unload routine
CtxInstanceSetup, // InstanceSetup routine
CtxInstanceQueryTeardown, // InstanceQueryTeardown routine
CtxInstanceTeardownStart, // InstanceTeardownStart routine
CtxInstanceTeardownComplete, // InstanceTeardownComplete routine
NULL, NULL, NULL // Unused naming support callbacks
};
RtlZeroMemory( &Globals, sizeof( Globals ) );
#if DBG
//
// Initialize global debug level
//
CtxInitializeDebugLevel( RegistryPath );
#else
UNREFERENCED_PARAMETER( RegistryPath );
#endif
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Ctx]: Driver being loaded\n") );
#if __NDAS_FS_MINI__
UNREFERENCED_PARAMETER( DriverObject );
UNREFERENCED_PARAMETER( RegistryPath );
status = STATUS_SUCCESS;
#else
//
// Register with the filter manager
//
status = FltRegisterFilter( DriverObject,
&filterRegistration,
&Globals.Filter );
if (!NT_SUCCESS( status )) {
return status;
}
//
// Start filtering I/O
//
status = FltStartFiltering( Globals.Filter );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( Globals.Filter );
}
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Ctx]: Driver loaded complete (Status = 0x%08X)\n",
status) );
#endif
return status;
}
#if DBG
VOID
CtxInitializeDebugLevel (
__in PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This routine tries to read the filter DebugLevel parameter from
the registry. This value will be found in the registry location
indicated by the RegistryPath passed in.
Arguments:
RegistryPath - The path key passed to the driver during DriverEntry.
Return Value:
None.
--*/
{
OBJECT_ATTRIBUTES attributes;
HANDLE driverRegKey;
NTSTATUS status;
ULONG resultLength;
UNICODE_STRING valueName;
UCHAR buffer[sizeof( KEY_VALUE_PARTIAL_INFORMATION ) + sizeof( LONG )];
Globals.DebugLevel = DEBUG_TRACE_ERROR;
#if __NDAS_FS_MINI__
Globals.DebugLevel |= DEBUG_TRACE_INSTANCES;
Globals.DebugLevel |= DEBUG_TRACE_INSTANCE_CONTEXT_OPERATIONS;
Globals.DebugLevel |= DEBUG_INFO_CREATE;
//Globals.DebugLevel |= 0xFFFFFFFF;
#endif
//
// Open the desired registry key
//
InitializeObjectAttributes( &attributes,
RegistryPath,
OBJ_CASE_INSENSITIVE,
NULL,
NULL );
status = ZwOpenKey( &driverRegKey,
KEY_READ,
&attributes );
if (NT_SUCCESS( status )) {
//
// Read the DebugFlags value from the registry.
//
RtlInitUnicodeString( &valueName, L"DebugLevel" );
status = ZwQueryValueKey( driverRegKey,
&valueName,
KeyValuePartialInformation,
buffer,
sizeof(buffer),
&resultLength );
if (NT_SUCCESS( status )) {
Globals.DebugLevel = *((PULONG) &(((PKEY_VALUE_PARTIAL_INFORMATION) buffer)->Data));
}
}
//
// Close the registry entry
//
ZwClose( driverRegKey );
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Description : initializes the driver and the filter port, registers driver and registry callbacks.
//
// Parameters :
// _in_ PDRIVER_OBJECT pDriverObject : Data structure used to represent the driver.
// _in_ PUNICODE_STRING pRegistryPath : Registry location where the information for the driver
// was stored.
// Return value :
// NTSTATUS : STATUS_SUCCESS if the driver initialization has been well completed
// Process :
// Defines hidden / blocked processes names.
// Creates the device driver and its symbolic link.
// Sets IRP callbacks.
// Creates filter communication port to send logs from the driver to the userland process.
// Creates logs mutex.
// Register image load and registry callbacks.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
PVOID adrFunc;
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING usDriverName;
UNICODE_STRING filterPortName;
UNICODE_STRING function;
OBJECT_ATTRIBUTES objAttr;
RTL_OSVERSIONINFOW osInfo;
PSECURITY_DESCRIPTOR securityDescriptor;
NTSTATUS status;
ULONG i;
// import some functions we will need
RtlInitUnicodeString(&function, L"ZwQueryInformationThread");
ZwQueryInformationThread = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&function, L"ZwQueryInformationProcess");
ZwQueryInformationProcess = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&function, L"ZwQuerySystemInformation");
ZwQuerySystemInformation = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&usDriverName, L"\\Device\\DriverSSDT");
RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\DriverSSDT");
status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
if(!NT_SUCCESS(status))
return status;
status = IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
if(!NT_SUCCESS(status))
return status;
pDeviceObject->Flags |= DO_BUFFERED_IO;
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
for(i=0; i<IRP_MJ_MAXIMUM_FUNCTION; i++)
pDriverObject->MajorFunction[i] = ioctl_NotSupported;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctl_DeviceControl;
monitored_process_list = NULL;
hidden_process_list = NULL;
monitored_handle_list = NULL;
// initialize every function pointers to null
oldNtMapViewOfSection = NULL;
oldNtSetContextThread = NULL;
oldNtCreateThread = NULL;
oldNtQueueApcThread = NULL;
oldNtCreateProcess = NULL;
oldNtSystemDebugControl = NULL;
oldNtCreateProcessEx = NULL;
oldNtWriteVirtualMemory = NULL;
oldNtDebugActiveProcess = NULL;
oldNtOpenProcess = NULL;
oldNtOpenThread = NULL;
oldNtQuerySystemInformation = NULL;
oldNtCreateFile = NULL;
oldNtReadFile = NULL;
oldNtWriteFile = NULL;
oldNtDeleteFile = NULL;
oldNtSetInformationFile = NULL;
oldNtQueryInformationFile = NULL;
oldNtCreateMutant = NULL;
oldNtDeviceIoControlFile = NULL;
oldNtTerminateProcess = NULL;
oldNtDelayExecution = NULL;
oldNtQueryValueKey = NULL;
oldNtQueryAttributesFile = NULL;
oldNtReadVirtualMemory = NULL;
oldNtResumeThread = NULL;
oldNtCreateSection = NULL;
oldNtUserCallOneParam = NULL;
oldNtUserCallNoParam = NULL;
oldNtClose = NULL;
oldNtOpenFile = NULL;
#ifdef DEBUG
DbgPrint("IOCTL_CUCKOO_PATH : 0x%08x\n", IOCTL_CUCKOO_PATH);
#endif
// get os version
if(!NT_SUCCESS(RtlGetVersion(&osInfo)))
return status;
// check os version
if(osInfo.dwMajorVersion == 5 && osInfo.dwMinorVersion == 1) // xp 32 bits
{
is_xp = 1;
#ifdef DEBUG
DbgPrint("windows xp !\n");
#endif
}
else if(osInfo.dwMajorVersion == 6 && osInfo.dwMinorVersion == 1) // win 7
{
is_xp = 0;
#ifdef DEBUG
DbgPrint("windows 7!\n");
#endif
}
else
{
#ifdef DEBUG
DbgPrint("error : not supported os\n");
#endif
return -1;
}
status = FltRegisterFilter(pDriverObject,®istration,&filter);
if(!NT_SUCCESS(status))
return status;
RtlInitUnicodeString(&filterPortName, L"\\FilterPort");
status = FltBuildDefaultSecurityDescriptor(&securityDescriptor, FLT_PORT_ALL_ACCESS);
if(!NT_SUCCESS(status))
return status;
InitializeObjectAttributes(&objAttr, &filterPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, securityDescriptor);
status = FltCreateCommunicationPort(filter, &serverPort, &objAttr, NULL, ConnectCallback, DisconnectCallback, NULL, 1);
FltFreeSecurityDescriptor(securityDescriptor);
if(!NT_SUCCESS(status))
return status;
KeInitializeMutex(&mutex, 0);
status = CmRegisterCallback(regCallback, NULL, &cookie);
if(!NT_SUCCESS(status))
return status;
status = PsSetLoadImageNotifyRoutine(imageCallback);
if(!NT_SUCCESS(status))
return status;
KeServiceDescriptorTableShadow = getShadowTableAddress();
if(!KeServiceDescriptorTableShadow)
{
#ifdef DEBUG
DbgPrint("error : couldn't retrieve Shadow SSDT\n");
#endif
return STATUS_UNSUCCESSFUL;
}
pDriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}
NTSTATUS
DriverEntry (
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for this filter driver. It registers
itself with the filter manager and initializes all its global data structures.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Returns STATUS_SUCCESS.
--*/
{
NTSTATUS status;
//
// Filters callback routines
//
FLT_OPERATION_REGISTRATION callbacks[] = {
{ IRP_MJ_CREATE,
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
CtxPreCreate,
CtxPostCreate },
{ IRP_MJ_CLEANUP,
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
CtxPreCleanup,
NULL },
{ IRP_MJ_CLOSE,
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
CtxPreClose,
NULL },
{ IRP_MJ_SET_INFORMATION,
FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
CtxPreSetInfo,
CtxPostSetInfo },
{ IRP_MJ_OPERATION_END }
};
const FLT_CONTEXT_REGISTRATION contextRegistration[] = {
{ FLT_INSTANCE_CONTEXT,
0,
CtxContextCleanup,
CTX_INSTANCE_CONTEXT_SIZE,
CTX_INSTANCE_CONTEXT_TAG },
{ FLT_FILE_CONTEXT,
0,
CtxContextCleanup,
CTX_FILE_CONTEXT_SIZE,
CTX_FILE_CONTEXT_TAG },
{ FLT_STREAM_CONTEXT,
0,
CtxContextCleanup,
CTX_STREAM_CONTEXT_SIZE,
CTX_STREAM_CONTEXT_TAG },
{ FLT_STREAMHANDLE_CONTEXT,
0,
CtxContextCleanup,
CTX_STREAMHANDLE_CONTEXT_SIZE,
CTX_STREAMHANDLE_CONTEXT_TAG },
{ FLT_CONTEXT_END }
};
//
// Filters registration data structure
//
FLT_REGISTRATION filterRegistration = {
sizeof( FLT_REGISTRATION ), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
contextRegistration, // Context
callbacks, // Operation callbacks
CtxUnload, // Filters unload routine
CtxInstanceSetup, // InstanceSetup routine
CtxInstanceQueryTeardown, // InstanceQueryTeardown routine
CtxInstanceTeardownStart, // InstanceTeardownStart routine
CtxInstanceTeardownComplete, // InstanceTeardownComplete routine
NULL, NULL, NULL // Unused naming support callbacks
};
RtlZeroMemory( &Globals, sizeof( Globals ) );
#if DBG
//
// Initialize global debug level
//
CtxInitializeDebugLevel( RegistryPath );
#else
UNREFERENCED_PARAMETER( RegistryPath );
#endif
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Ctx]: Driver being loaded\n") );
//
// Register with the filter manager
//
status = FltRegisterFilter( DriverObject,
&filterRegistration,
&Globals.Filter );
if (!NT_SUCCESS( status )) {
return status;
}
//
// Start filtering I/O
//
status = FltStartFiltering( Globals.Filter );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( Globals.Filter );
}
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Ctx]: Driver loaded complete (Status = 0x%08X)\n",
status) );
return status;
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath )
{
/* IRQL == PASSIVE_LEVEL */
UNREFERENCED_PARAMETER( DriverObject );
UNREFERENCED_PARAMETER( RegistryPath );
NTSTATUS status;
DbgPrint( "file system protection filter start" );
/* initialize IRP */
InitializeIrpDispatchers( DriverObject );
/* create device */
UNICODE_STRING deviceObjectName;
RtlInitUnicodeString( &deviceObjectName, L"\\device\\disklocker_fsprotdrv" );
PDEVICE_OBJECT DeviceObject;
status = CreateIoDevice( deviceObjectName, DriverObject, &DeviceObject );
if (!NT_SUCCESS( status ))
{
DbgPrint( "CreateIoDevice() failed with code = %08x\n", status );
return status;
}
SetDeviceExt( DeviceObject->DeviceExtension );
/* initialize device extension */
GetDeviceExt()->DeviceObject = DeviceObject;
GetDeviceExt()->DriverObject = DriverObject;
GetDeviceExt()->UnloadRoutine = OnUnload;
GetDeviceExt()->FileListHead = NULL;
GetDeviceExt()->LastUniqueKey = 1;
KeInitializeSpinLock( &(GetDeviceExt()->FileListAccessSpinLock) );
/* create symlink */
RtlInitUnicodeString( &SymbolicLinkName, L"\\DosDevices\\disklocker_fsprotdrv" );
status = IoCreateSymbolicLink( &SymbolicLinkName, &deviceObjectName );
if (!NT_SUCCESS( status ))
{
/* delete registered device */
IoDeleteDevice( GetDeviceExt()->DeviceObject );
DbgPrint( "IoCreateSymbolicLink() failed with code = %08x\n", status );
return status;
}
/* register filter */
status = FltRegisterFilter( DriverObject, &FilterRegistration, &(GetDeviceExt()->FltFilter) );
if (!NT_SUCCESS( status ))
{
/* delete registered symbolic link */
IoDeleteSymbolicLink( &SymbolicLinkName );
/* delete registered device */
IoDeleteDevice( GetDeviceExt()->DeviceObject );
DbgPrint( "FltRegisterFilter() failed with code = %08x\n", status );
return status;
}
/* start filtering */
status = FltStartFiltering( GetDeviceExt()->FltFilter );
if (!NT_SUCCESS( status ))
{
/* delete registered symbolic link */
IoDeleteSymbolicLink( &SymbolicLinkName );
/* delete registered device */
IoDeleteDevice( GetDeviceExt()->DeviceObject );
/* unregister filter */
FltUnregisterFilter( GetDeviceExt()->FltFilter );
DbgPrint( "FltStartFiltering() failed with code = %08x\n", status );
return status;
}
/* initialization done */
DbgPrint( "file system filter initialization done..." );
return STATUS_SUCCESS;
}
NTSTATUS
DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
//
// This defines what we want to filter with FltMgr
//
CONST FLT_REGISTRATION filterRegistration = {
sizeof( FLT_REGISTRATION ), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
NULL, // Context
NULL, // Operation callbacks
CdoUnload, // MiniFilterUnload
CdoInstanceSetup, // InstanceSetup
NULL, // InstanceQueryTeardown
NULL, // InstanceTeardownStart
NULL, // InstanceTeardownComplete
NULL,NULL // NameProvider callbacks
};
RtlZeroMemory( &Globals, sizeof( Globals ) );
#if DBG
//
// Initialize global debug level
//
CdoInitializeDebugLevel( RegistryPath );
#else
UNREFERENCED_PARAMETER( RegistryPath );
#endif
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Cdo]: Driver being loaded\n") );
//
// Initialize the resource
//
ExInitializeResourceLite( &Globals.Resource );
//
// Record the driver object
//
Globals.FilterDriverObject = DriverObject;
//
// Register with FltMgr to tell it our callback routines
//
status = FltRegisterFilter( DriverObject,
&filterRegistration,
&Globals.Filter );
if (!NT_SUCCESS( status )) {
ExDeleteResourceLite( &Globals.Resource );
return status;
}
//
// Now create our control device object
//
status = CdoCreateControlDeviceObject( DriverObject );
if (!NT_SUCCESS( status )) {
FltUnregisterFilter( Globals.Filter );
ExDeleteResourceLite( &Globals.Resource );
return status;
}
//
// Start filtering i/o
//
status = FltStartFiltering( Globals.Filter );
if (!NT_SUCCESS( status )) {
CdoDeleteControlDeviceObject();
FltUnregisterFilter( Globals.Filter );
ExDeleteResourceLite( &Globals.Resource );
return status;
}
return status;
}
NTSTATUS
DriverEntry (
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This is the initialization routine for this miniFilter driver. This
registers with FltMgr and initializes all global data structures.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Returns STATUS_SUCCESS.
--*/
{
NTSTATUS status;
BOOLEAN bInit = FALSE;
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
UNREFERENCED_PARAMETER( RegistryPath );
PT_DBG_PRINT( PTDBG_TRACE_ROUTINES,
("PassThrough!DriverEntry: Entered\n") );
try
{
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&gFilterHandle );
if (!NT_SUCCESS( status ))
{
leave;
}
#ifdef CV
VirtualizerStart();
#endif
status = InitDriverEntry( DriverObject,RegistryPath);
#ifdef CV
VirtualizerEnd();
#endif
if (!NT_SUCCESS( status ))
{
bInit = FALSE;
leave;
}
bInit = TRUE;
status = FltBuildDefaultSecurityDescriptor( &sd,
FLT_PORT_ALL_ACCESS );
if (!NT_SUCCESS( status ))
{
leave;
}
RtlInitUnicodeString( &uniString, X70FSD_PORT_NAME );
InitializeObjectAttributes( &oa,
&uniString,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
sd );
status = FltCreateCommunicationPort( gFilterHandle,
&gServerPort,
&oa,
NULL,
PtMiniConnect,
PtMiniDisconnect,
PtMiniMessage,
1 );
FltFreeSecurityDescriptor( sd );
if (!NT_SUCCESS( status ))
{
leave;
}
status = FltStartFiltering( gFilterHandle );
}
finally
{
if (!NT_SUCCESS( status ) )
{
if (NULL != gServerPort)
{
FltCloseCommunicationPort( gServerPort);
}
if (NULL != gFilterHandle)
{
FltUnregisterFilter( gFilterHandle );
}
if(bInit)
{
UnloadDriver();
}
}
}
DbgPrint("status = %x ",status);
return status;
}
NTSTATUS
DriverEntry (
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
PSECURITY_DESCRIPTOR sd;
NTSTATUS status;
UNREFERENCED_PARAMETER( RegistryPath );
//Timeouts hardcoded for now
FilterConf.ReadTimeout.QuadPart = (LONGLONG) - 30 * 1000 * 1000; //3 seconds
FilterConf.WriteTimeout.QuadPart = (LONGLONG) - 1500 * 1000 * 1000; //150 seconds
#ifdef DBG_PRINT
DbgPrint("In DriverEntry");
#endif
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&FilterConf.Filter );
if (!NT_SUCCESS( status )) {
return status;
}
RtlInitUnicodeString( &uniString, MyDLPMFPortName );
status = FltBuildDefaultSecurityDescriptor( &sd, FLT_PORT_ALL_ACCESS );
if (NT_SUCCESS( status )) {
InitializeObjectAttributes( &oa,
&uniString,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
sd );
status = FltCreateCommunicationPort( FilterConf.Filter,
&FilterConf.ServerPort,
&oa,
NULL,
MyDLPMFPortConnect,
MyDLPMFPortDisconnect,
NULL,
1 );
FltFreeSecurityDescriptor( sd );
if (NT_SUCCESS( status )) {
writeNotification = ExAllocatePoolWithTag( NonPagedPool,
sizeof( MYDLPMF_WRITE_NOTIFICATION ),
'mdlp' );
if (writeNotification == NULL)
{
#ifdef DBG_PRINT
DbgPrint("ExAllocatePoolWithTag failed for writeNotification!!!");
#endif
FltCloseCommunicationPort( FilterConf.ServerPort );
FltUnregisterFilter( FilterConf.Filter );
return status;
}
fileNotification = ExAllocatePoolWithTag( NonPagedPool,
sizeof( MYDLPMF_FILE_NOTIFICATION ),
'mdlp' );
if (fileNotification == NULL)
{
#ifdef DBG_PRINT
DbgPrint("ExAllocatePoolWithTag failed for fileNotification!!!");
#endif
FltCloseCommunicationPort( FilterConf.ServerPort );
FltUnregisterFilter( FilterConf.Filter );
return status;
}
notification = ExAllocatePoolWithTag( NonPagedPool,
sizeof( MYDLPMF_NOTIFICATION ),
'mdlp' );
if (notification == NULL)
{
#ifdef DBG_PRINT
DbgPrint("ExAllocatePoolWithTag failed for notification!!!");
#endif
FltCloseCommunicationPort( FilterConf.ServerPort );
FltUnregisterFilter( FilterConf.Filter );
return status;
}
#ifdef DBG_PRINT
DbgPrint("ExAllocatePoolWithTag success for notification!!!");
#endif
reply = ExAllocatePoolWithTag( NonPagedPool,
sizeof( MYDLPMF_REPLY ) + sizeof (FILTER_REPLY_HEADER),
'mdlp' );
if (reply == NULL)
{
#ifdef DBG_PRINT
DbgPrint("ExAllocatePoolWithTag failed for reply!!!");
#endif
FltCloseCommunicationPort( FilterConf.ServerPort );
FltUnregisterFilter( FilterConf.Filter );
return status;
}
confReply = ExAllocatePoolWithTag( NonPagedPool,
sizeof( MYDLPMF_CONF_REPLY ) + sizeof (FILTER_REPLY_HEADER),
'mdlp' );
if (confReply == NULL)
{
#ifdef DBG_PRINT
DbgPrint("ExAllocatePoolWithTag failed for confReply!!!");
#endif
FltCloseCommunicationPort( FilterConf.ServerPort );
FltUnregisterFilter( FilterConf.Filter );
return status;
}
status = FltStartFiltering( FilterConf.Filter );
if (NT_SUCCESS( status )) {
return STATUS_SUCCESS;
}
FltCloseCommunicationPort( FilterConf.ServerPort );
}
}
FltUnregisterFilter( FilterConf.Filter );
return status;
}
/*---------------------------------------------------------
函数名称: DriverEntry
函数描述: 驱动程序入口,注册微过滤驱动,通信端口
输入参数:
DriverObject 驱动对象
RegistryPath 驱动路径
输出参数:
DriverObject 驱动对象
返回值:
STATUS_SUCCESSFUL 为成功否则返回失败状态值
其他:
更新维护: 2011.3.20 最初版本
---------------------------------------------------------*/
NTSTATUS DriverEntry(
__inout PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
DebugTrace(DEBUG_TRACE_LOAD_UNLOAD,"DriverEntry",
("[Antinvader]DriverEntry Enter."));
//返回值
NTSTATUS status = STATUS_SUCCESS;
//初始化数据返回值
BOOLEAN bReturn = 0;
//安全性叙述子
PSECURITY_DESCRIPTOR psdSecurityDescriptor;
//对象权限结构
OBJECT_ATTRIBUTES oaObjectAttributes;
//保存全局驱动对象
pdoGlobalDrvObj = DriverObject;
//
//注册过滤驱动
//
if(NT_SUCCESS(status = FltRegisterFilter(
DriverObject,//驱动对象
&FilterRegistration,//驱动注册信息
&pfltGlobalFilterHandle//驱动句柄,保存到全局变量
))) {
//
//如果成功了 启动过滤
//
DebugTrace(DEBUG_TRACE_NORMAL_INFO,"DriverEntry",
("[Antinvader]Register succeed!"));
if(!NT_SUCCESS(status = FltStartFiltering(
pfltGlobalFilterHandle
))) {
//
//如果启动失败 卸载驱动
//
DebugTrace(DEBUG_TRACE_ERROR,"DriverEntry",
("[Antinvader]Starting filter failed."));
FltUnregisterFilter(pfltGlobalFilterHandle);
return status;
}
} else {
//
//如果连注册都没有成功 返回错误码
//
DebugTrace(DEBUG_TRACE_ERROR,"DriverEntry",
("[Antinvader]Register failed."));
return status;
}
//
//建立通信端口
//
//
//初始化安全性叙述子,权限为FLT_PORT_ALL_ACCESS
//
status = FltBuildDefaultSecurityDescriptor(
&psdSecurityDescriptor,
FLT_PORT_ALL_ACCESS );
if (!NT_SUCCESS( status )) {
//
//如果初始化失败 ,卸载驱动
//
DebugTrace(DEBUG_TRACE_ERROR,"DriverEntry",
("[Antinvader]Built security descriptor failed."));
FltUnregisterFilter( pfltGlobalFilterHandle );
//
//返回信息
//
return status;
}
//初始化对象权限结构
InitializeObjectAttributes( &oaObjectAttributes,//结构
&usCommunicatePortName,//对象名称
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,//内核句柄 大小写不敏感
NULL,
psdSecurityDescriptor );
//创建通信端口
status = FltCreateCommunicationPort( pfltGlobalFilterHandle,//过滤驱动句柄
&pfpGlobalServerPort,//服务端端口
&oaObjectAttributes,//权限
NULL,
Antinvader_Connect,
Antinvader_Disconnect,
Antinvader_Message,
1//最大连接数
);
//释放安全性叙述子
FltFreeSecurityDescriptor( psdSecurityDescriptor );
if (!NT_SUCCESS( status )) {
//
//如果最终的操作失败 释放已经申请的资源
//
DebugTrace(DEBUG_TRACE_ERROR,"DriverEntry",
("[Antinvader]Creating communication port failed."));
if (NULL != pfpGlobalServerPort) {
FltCloseCommunicationPort( pfpGlobalServerPort );
}
if (NULL != pfltGlobalFilterHandle) {
FltUnregisterFilter( pfltGlobalFilterHandle );
}
}
//
//初始化进程名偏移
//
InitProcessNameOffset();
// FctInitializeHashTable();
//
//初始化机密进程表
//
PctInitializeHashTable();
//
//初始化旁视链表
//
ExInitializeNPagedLookasideList(
&nliNewFileHeaderLookasideList,
NULL,
NULL,
0,
CONFIDENTIAL_FILE_HEAD_SIZE,
MEM_FILE_TAG,
0
);
/*
ExInitializeNPagedLookasideList(
&nliCallbackContextLookasideList,
NULL,
NULL,
0,
sizeof(_POST_CALLBACK_CONTEXT),
MEM_CALLBACK_TAG,
0
);
ExInitializeNPagedLookasideList(
&nliFileStreamContextLookasideList,
NULL,
NULL,
0,
FILE_STREAM_CONTEXT_SIZE,
MEM_TAG_FILE_TABLE,
0
);*/
//
//结束
//
DebugTrace(DEBUG_TRACE_LOAD_UNLOAD,"DriverEntry",
("[Antinvader]DriverEntry all succeed leave now."));
return status;
}
EXTERN_C NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath) {
const FLT_OPERATION_REGISTRATION fltCallbacks[] = {
{
IRP_MJ_CLEANUP, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, nullptr,
ScvnpPostCleanupAndFlushBuffers,
},
{
IRP_MJ_FLUSH_BUFFERS, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
nullptr, ScvnpPostCleanupAndFlushBuffers,
},
{IRP_MJ_SET_INFORMATION, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO,
ScvnpPreSetInformation, nullptr},
{IRP_MJ_OPERATION_END}};
const FLT_REGISTRATION filterRegistration = {
sizeof(filterRegistration), // Size
FLT_REGISTRATION_VERSION, // Version
0, // Flags
nullptr, // Context
fltCallbacks, // Operation callbacks
ScvnpUnload, // FilterUnload
nullptr, // InstanceSetup
nullptr, // InstanceQueryTeardown
nullptr, // InstanceTeardownStart
nullptr, // InstanceTeardownComplete
nullptr, // GenerateFileName
nullptr, // GenerateDestinationFileName
nullptr, // NormalizeNameComponent
};
PAGED_CODE();
UNREFERENCED_PARAMETER(RegistryPath);
// DBG_BREAK();
auto status = ScvnpCreateDirectory(SCVNP_OUT_DIRECTORY_PATH);
if (!NT_SUCCESS(status)) {
return status;
}
// Initialize the Log system
status = LogInitialization(
SCVNP_LOG_LEVEL | LOG_OPT_DISABLE_TIME | LOG_OPT_DISABLE_FUNCTION_NAME,
SCVNP_LOG_FILE_PATH, nullptr);
if (!NT_SUCCESS(status)) {
return status;
}
// Initialize the crypt APIs.
status = BCryptOpenAlgorithmProvider(&g_ScvnpSha1AlgorithmHandle,
BCRYPT_SHA1_ALGORITHM, nullptr, 0);
if (!NT_SUCCESS(status)) {
LOG_ERROR("BCryptOpenAlgorithmProvider failed (%08x)", status);
LogTermination(nullptr);
return status;
}
// Register and start a mini filter driver
status = FltRegisterFilter(DriverObject, &filterRegistration,
&g_ScvnpFilterHandle);
if (!NT_SUCCESS(status)) {
LOG_ERROR("FltRegisterFilter failed (%08x)", status);
BCryptCloseAlgorithmProvider(g_ScvnpSha1AlgorithmHandle, 0);
LogTermination(nullptr);
return status;
}
status = FltStartFiltering(g_ScvnpFilterHandle);
if (!NT_SUCCESS(status)) {
LOG_ERROR("FltStartFiltering failed (%08x)", status);
FltUnregisterFilter(g_ScvnpFilterHandle);
BCryptCloseAlgorithmProvider(g_ScvnpSha1AlgorithmHandle, 0);
LogTermination(nullptr);
return status;
}
LOG_INFO("Scavenger installed");
return status;
}
/* Main entry point into the driver, is called when the driver is loaded */
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
PSECURITY_DESCRIPTOR pSecurityDescriptor;
UNICODE_STRING fileMonitorPortName;
LARGE_INTEGER fileEventsTimeout;
busy = FALSE;
fileManager.bReady = FALSE;
fileManager.bCollectDeletedFiles = FALSE;
KeInitializeSpinLock(&fileManager.lQueuedFileEventsSpinLock);
InitializeListHead(&fileManager.lQueuedFileEvents);
fileManager.pDriverObject = DriverObject;
//fileManager.logDirectory.Buffer = NULL;
/* Register driver with the filter manager */
status = FltRegisterFilter(DriverObject, &FilterRegistration, &fileManager.pFilter);
if (!NT_SUCCESS(status))
{
DbgPrint("CaptureFileMonitor: ERROR FltRegisterFilter - %08x\n", status);
return status;
}
status = FltBuildDefaultSecurityDescriptor( &pSecurityDescriptor, FLT_PORT_ALL_ACCESS );
if (!NT_SUCCESS(status))
{
DbgPrint("CaptureFileMonitor: ERROR FltBuildDefaultSecurityDescriptor - %08x\n", status);
return status;
}
RtlInitUnicodeString( &fileMonitorPortName, CAPTURE_FILEMON_PORT_NAME );
InitializeObjectAttributes( &objectAttributes,
&fileMonitorPortName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
pSecurityDescriptor);
/* Create the communications port to communicate with the user space process (pipe) */
status = FltCreateCommunicationPort( fileManager.pFilter,
&fileManager.pServerPort,
&objectAttributes,
NULL,
ConnectCallback,
DisconnectCallback,
MessageCallback,
1 );
FltFreeSecurityDescriptor(pSecurityDescriptor);
/* Start the filtering */
if(NT_SUCCESS(status))
{
status = FltStartFiltering(fileManager.pFilter);
if(!NT_SUCCESS(status))
{
DbgPrint("CaptureFileMonitor: ERROR FltStartFiltering - %08x\n", status);
}
} else {
DbgPrint("CaptureFileMonitor: ERROR FltCreateCommunicationPort - %08x\n", status);
}
/* If there was a problem during initialisation of the filter then uninstall everything */
if(!NT_SUCCESS(status))
{
if (fileManager.pServerPort != NULL)
FltCloseCommunicationPort(fileManager.pServerPort);
if (fileManager.pFilter != NULL)
FltUnregisterFilter(fileManager.pFilter);
return status;
}
UpdateLastContactTime();
/* Create a DPC routine so that it can be called periodically */
KeInitializeDpc(&fileManager.connectionCheckerFunction,
(PKDEFERRED_ROUTINE)ConnectionChecker, &fileManager);
KeInitializeTimer(&fileManager.connectionCheckerTimer);
fileEventsTimeout.QuadPart = 0;
/* Set the ConnectionChecker routine to be called every so often */
KeSetTimerEx(&fileManager.connectionCheckerTimer,
fileEventsTimeout,
(USERSPACE_CONNECTION_TIMEOUT+(USERSPACE_CONNECTION_TIMEOUT/2))*1000,
&fileManager.connectionCheckerFunction);
fileManager.bReady = TRUE;
fileManager.logDirectory.Length = 0;
fileManager.logDirectory.Buffer = NULL;
DbgPrint("CaptureFileMonitor: Successfully Loaded\n");
return STATUS_SUCCESS;
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Description : initializes the driver and the filter port, registers driver and registry callbacks.
//
// Parameters :
// _in_ PDRIVER_OBJECT pDriverObject : Data structure used to represent the driver.
// _in_ PUNICODE_STRING pRegistryPath : Registry location where the information for the driver
// was stored.
// Return value :
// NTSTATUS : STATUS_SUCCESS if the driver initialization has been well completed
// Process :
// Defines hidden / blocked processes names.
// Creates the device driver and its symbolic link.
// Sets IRP callbacks.
// Creates filter communication port to send logs from the driver to the userland process.
// Creates logs mutex.
// Hooks SSDT.
// Register image load and registry callbacks.
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
PVOID adrFunc;
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING usDriverName;
UNICODE_STRING filterPortName;
UNICODE_STRING function;
OBJECT_ATTRIBUTES objAttr;
PSECURITY_DESCRIPTOR securityDescriptor;
NTSTATUS status;
ULONG i;
// import some functions we will need
RtlInitUnicodeString(&function, L"ZwQueryInformationThread");
ZwQueryInformationThread = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&function, L"ZwQueryInformationProcess");
ZwQueryInformationProcess = MmGetSystemRoutineAddress(&function);
RtlInitUnicodeString(&usDriverName, L"\\Device\\DriverSSDT");
RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\DriverSSDT");
status = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
if(!NT_SUCCESS(status))
return status;
status = IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
if(!NT_SUCCESS(status))
return status;
pDeviceObject->Flags |= DO_BUFFERED_IO;
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
for(i=0; i<IRP_MJ_MAXIMUM_FUNCTION; i++)
pDriverObject->MajorFunction[i] = ioctl_NotSupported;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioctl_DeviceControl;
monitored_process_list = NULL;
hidden_process_list = NULL;
// initialize every function pointers to null
oldZwMapViewOfSection = NULL;
oldZwSetContextThread = NULL;
oldZwCreateThread = NULL;
oldZwQueueApcThread = NULL;
oldZwCreateProcess = NULL;
oldZwSystemDebugControl = NULL;
oldZwCreateProcessEx = NULL;
oldZwWriteVirtualMemory = NULL;
oldZwDebugActiveProcess = NULL;
oldZwOpenProcess = NULL;
oldZwOpenThread = NULL;
oldZwQuerySystemInformation = NULL;
oldZwCreateFile = NULL;
oldZwReadFile = NULL;
oldZwWriteFile = NULL;
oldZwDeleteFile = NULL;
oldZwSetInformationFile = NULL;
oldZwQueryInformationFile = NULL;
oldZwCreateMutant = NULL;
status = FltRegisterFilter(pDriverObject,®istration,&filter);
if(!NT_SUCCESS(status))
return status;
RtlInitUnicodeString(&filterPortName, L"\\FilterPort");
status = FltBuildDefaultSecurityDescriptor(&securityDescriptor, FLT_PORT_ALL_ACCESS);
if(!NT_SUCCESS(status))
return status;
InitializeObjectAttributes(&objAttr, &filterPortName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, securityDescriptor);
status = FltCreateCommunicationPort(filter, &serverPort, &objAttr, NULL, ConnectCallback, DisconnectCallback, NULL, 1);
FltFreeSecurityDescriptor(securityDescriptor);
if(!NT_SUCCESS(status))
return status;
KeInitializeMutex(&mutex, 0);
status = CmRegisterCallback(regCallback, NULL, &cookie);
if(!NT_SUCCESS(status))
return status;
status = PsSetLoadImageNotifyRoutine(imageCallback);
if(!NT_SUCCESS(status))
return status;
hook_ssdt_entries();
pDriverObject->DriverUnload = Unload;
return STATUS_SUCCESS;
}
