_Use_decl_annotations_
NTSTATUS ProcessObserverUnload()
{
PLIST_ENTRY pEntry;
NTSTATUS Status;
OpenProcessCallbacksUnload();
Status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyRoutine, TRUE);
if (!NT_SUCCESS(Status))
{
return Status;
}
WLockResourceList(&ProcessRuleList);
for (
pEntry = ProcessRuleList.ListEntry.Flink;
pEntry != &ProcessRuleList.ListEntry;
)
{
PPROCESS_RULE_LIST_ENTRY pCurrentEntry = CONTAINING_RECORD(pEntry, PROCESS_RULE_LIST_ENTRY, ListEntry);
pEntry = pEntry->Flink;
RemoveEntryList(&pCurrentEntry->ListEntry);
PROCESS_OBSERVER_FREE(pCurrentEntry);
}
WUnlockResourceList(&ProcessRuleList);
ExDeleteResourceLite(&ProcessRuleList.Resource);
DEBUG_LOG("ProcessObserverUnload completed");
return Status;
}
VOID UnLoadProcessRoutine()
{
if (g_isProcessRoutine)//如果回调函数存在
{
PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)MyCreateProcessNotifyEx, TRUE);
g_isProcessRoutine = 0;
}
KdPrint(("UnLoadProcessRoutine"));
}
NTSTATUS CreateProcessRoutine()
{
NTSTATUS status = STATUS_SUCCESS;
status = PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)MyCreateProcessNotifyEx, FALSE);
if (status == STATUS_SUCCESS)
{
g_isProcessRoutine = 1;//表示创建回调函数成功
}
KdPrint(("PsSetCreateProcessNotifyRoutineEx return: %x", status));
return status;
}
VOID
TdDeviceUnload (
_In_ PDRIVER_OBJECT DriverObject
)
{
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING DosDevicesLinkName = RTL_CONSTANT_STRING (TD_DOS_DEVICES_LINK_NAME);
DbgPrintEx (DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "ObCallbackTest: TdDeviceUnload\n");
//
// Unregister process notify routines.
//
if (TdProcessNotifyRoutineSet2 == TRUE)
{
Status = PsSetCreateProcessNotifyRoutineEx (
TdCreateProcessNotifyRoutine2,
TRUE
);
TD_ASSERT (Status == STATUS_SUCCESS);
TdProcessNotifyRoutineSet2 = FALSE;
}
// remove filtering and remove any OB callbacks
TdbProtectName = FALSE;
Status = TdDeleteProtectNameCallback();
TD_ASSERT (Status == STATUS_SUCCESS);
//
// Delete the link from our device name to a name in the Win32 namespace.
//
Status = IoDeleteSymbolicLink (&DosDevicesLinkName);
if (Status != STATUS_INSUFFICIENT_RESOURCES) {
//
// IoDeleteSymbolicLink can fail with STATUS_INSUFFICIENT_RESOURCES.
//
TD_ASSERT (NT_SUCCESS (Status));
}
//
// Delete our device object.
//
IoDeleteDevice (DriverObject->DeviceObject);
}
NTSTATUS
DriverEntry (
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
OB_OPERATION_REGISTRATION ObOperations[] = {
{PsProcessType, OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE, ObCallbackPreProcess, ObCallbackPostProcess},
{PsThreadType, OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE, ObCallbackPreThread, ObCallbackPostThread}
};
OB_CALLBACK_REGISTRATION ObRegistration = {
OB_FLT_REGISTRATION_VERSION,
sizeof(ObOperations) / sizeof(OB_OPERATION_REGISTRATION),
{sizeof(L"320400") - sizeof(WCHAR), sizeof(L"320400"), L"320400"},
&Globals,
ObOperations
};
PVOID RegistrationHandle = NULL;
UNREFERENCED_PARAMETER( RegistryPath );
RtlZeroMemory( &Globals, sizeof(Globals) );
Globals.m_FilterDriverObject = DriverObject;
status = ObRegisterCallbacks( &ObRegistration, &RegistrationHandle );
if (NT_SUCCESS( status ))
{
status = PsSetCreateProcessNotifyRoutineEx( cbCreateNotifyEx, FALSE );
if (NT_SUCCESS( status ))
Globals.m_RegistrationHandle = RegistrationHandle;
else
{
ObUnRegisterCallbacks( RegistrationHandle );
DbgBreakPoint();
}
}
else
{
DbgBreakPoint();
}
return status;
}
void
NTAPI
OnUserConnect(
IN HANDLE processId,
IN PVOID pContext
)
{
UNREFERENCED_PARAMETER(pContext);
DbgPrint("[%s:%d] User Process ID : %d\n", _FN_, _LN_, processId);
NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(KnProcessNotifyRoutineEx, FALSE);
if (!NT_SUCCESS(status))
{
DbgPrint("[%s:%d] Error on PsSetCreateProcessNotifyRoutineEx(FALSE). status : 0x%X\n", _FN_, _LN_, status);
}
}
_Use_decl_annotations_
NTSTATUS ProcessObserverInitialize()
{
NTSTATUS Status;
InitializeResourceList(&ProcessRuleList);
Status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyRoutine, FALSE);
if (!NT_SUCCESS(Status))
{
return Status;
}
Status = OpenProcessCallbacksInitialize();
if (!NT_SUCCESS(Status))
{
return Status;
}
DEBUG_LOG("ProcessObserverInitialize completed");
return Status;
}
///////////////////////////////////////////////////////////////////////////////
///
/// Handle driver unloading. All this driver needs to do
/// is to delete the device object and the symbolic link between our
/// device name and the Win32 visible name.
///
///////////////////////////////////////////////////////////////////////////////
VOID
TdDeviceUnload(
_In_ PDRIVER_OBJECT DriverObject
)
{
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING DosDevicesLinkName = RTL_CONSTANT_STRING(QD_DOS_DEVICES_LINK_NAME);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "QuietDragon: TdDeviceUnload\n");
// Unregister process notify routines.
if (gProcessNotifyRoutine_isSet == TRUE)
{
Status = PsSetCreateProcessNotifyRoutineEx(
MyCreateProcessNotifyRoutine,
TRUE
);
TD_ASSERT(Status == STATUS_SUCCESS);
gProcessNotifyRoutine_isSet = FALSE;
}
// TODO Need to clean up lists and locks
// Free allocated mem
PQD_COMM_CONTROL_DEVICE_EXTENSION controlExt = (PQD_COMM_CONTROL_DEVICE_EXTENSION)g_CommDeviceObject->DeviceExtension;
ExFreePoolWithTag(controlExt->DecisionData, 'SRdd');
// Delete the link from our device name to a name in the Win32 namespace.
Status = IoDeleteSymbolicLink(&DosDevicesLinkName);
if (Status != STATUS_INSUFFICIENT_RESOURCES)
{
// IoDeleteSymbolicLink can fail with STATUS_INSUFFICIENT_RESOURCES.
TD_ASSERT(NT_SUCCESS(Status));
}
// Delete our device object.
IoDeleteDevice(DriverObject->DeviceObject);
}
RBOOL
collector_1_deinitialize
(
)
{
RBOOL isSuccess = FALSE;
RU32 status = 0;
status = PsSetCreateProcessNotifyRoutineEx( CreateProcessNotifyEx, TRUE );
if( NT_SUCCESS( status ) )
{
isSuccess = TRUE;
}
else
{
rpal_debug_kernel( "Failed to deinitialize: 0x%08X", status );
}
return isSuccess;
}
///////////////////////////////////////////////////////////////////////////////
///
/// Driver entry
///
///////////////////////////////////////////////////////////////////////////////
NTSTATUS
DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
NTSTATUS Status;
UNICODE_STRING NtDeviceName = RTL_CONSTANT_STRING(QD_NT_DEVICE_NAME);
UNICODE_STRING DosDevicesLinkName = RTL_CONSTANT_STRING(QD_DOS_DEVICES_LINK_NAME);
BOOLEAN SymLinkCreated = FALSE;
PQD_COMM_CONTROL_DEVICE_EXTENSION controlExt;
UNREFERENCED_PARAMETER(RegistryPath);
// Request NX Non-Paged Pool when available
ExInitializeDriverRuntime(DrvRtPoolNxOptIn);
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "QuietDragon: DriverEntry: Driver loaded\n");
//
// Initialize globals.
//
//
// Create our device object.
//
// TODO Consider using IoCreateDeviceSecure
Status = IoCreateDevice(
DriverObject, // pointer to driver object
sizeof(QD_COMM_CONTROL_DEVICE_EXTENSION), // device extension size
&NtDeviceName, // device name
FILE_DEVICE_UNKNOWN, // device type
0, // device characteristics
FALSE, // not exclusive
&g_CommDeviceObject); // returned device object pointer
if (!NT_SUCCESS(Status))
{
goto Exit;
}
TD_ASSERT(g_CommDeviceObject == DriverObject->DeviceObject);
//
// Set dispatch routines.
//
DriverObject->MajorFunction[IRP_MJ_CREATE] = TdDeviceCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = TdDeviceClose;
DriverObject->MajorFunction[IRP_MJ_CLEANUP] = TdDeviceCleanup;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = TdDeviceControl;
DriverObject->DriverUnload = TdDeviceUnload;
//
// Set up the device extension
//
controlExt = (PQD_COMM_CONTROL_DEVICE_EXTENSION)g_CommDeviceObject->DeviceExtension;
controlExt->MagicNumber = QD_COMM_CONTROL_EXTENSION_MAGIC_NUMBER;
InitializeListHead(&controlExt->ProcessQueue);
ExInitializeFastMutex(&controlExt->ProcessQueueLock);
InitializeListHead(&controlExt->RequestQueue);
ExInitializeFastMutex(&controlExt->RequestQueueLock);
ExInitializeFastMutex(&controlExt->DecisionDataLock);
controlExt->DecisionData = (PCONTROL_PROC_INTERNAL)ExAllocatePoolWithTag(NonPagedPool, sizeof(CONTROL_PROC_INTERNAL)*QD_MAX_PROCS, 'SRdd');
RtlZeroMemory(controlExt->DecisionData, sizeof(CONTROL_PROC_INTERNAL)*QD_MAX_PROCS);
// Init DecisionData
for (USHORT i = 0; i < QD_MAX_PROCS; i++) {
PCONTROL_PROC_INTERNAL control_proc = &(controlExt->DecisionData[i]);
control_proc->StartTime.QuadPart = 0;
KeInitializeEvent(&(control_proc->DecisionEvent), NotificationEvent, FALSE);
}
//
// Create a link in the Win32 namespace.
//
Status = IoCreateSymbolicLink(&DosDevicesLinkName, &NtDeviceName);
if (!NT_SUCCESS(Status))
{
goto Exit;
}
SymLinkCreated = TRUE;
//
// Set process create routines.
//
Status = PsSetCreateProcessNotifyRoutineEx(
MyCreateProcessNotifyRoutine,
FALSE
);
if (!NT_SUCCESS(Status))
{
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "QuietDragon: DriverEntry: PsSetCreateProcessNotifyRoutineEx returned 0x%x\n", Status);
goto Exit;
}
gProcessNotifyRoutine_isSet = TRUE;
Exit:
if (!NT_SUCCESS(Status))
{
if (gProcessNotifyRoutine_isSet == TRUE)
{
Status = PsSetCreateProcessNotifyRoutineEx(
MyCreateProcessNotifyRoutine,
TRUE
);
TD_ASSERT(Status == STATUS_SUCCESS);
gProcessNotifyRoutine_isSet = FALSE;
}
if (SymLinkCreated == TRUE)
{
IoDeleteSymbolicLink(&DosDevicesLinkName);
}
if (g_CommDeviceObject != NULL)
{
IoDeleteDevice(g_CommDeviceObject);
}
}
return Status;
}
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
NTSTATUS Status;
UNICODE_STRING NtDeviceName = RTL_CONSTANT_STRING (TD_NT_DEVICE_NAME);
UNICODE_STRING DosDevicesLinkName = RTL_CONSTANT_STRING (TD_DOS_DEVICES_LINK_NAME);
PDEVICE_OBJECT Device = NULL;
BOOLEAN SymLinkCreated = FALSE;
USHORT CallbackVersion;
UNREFERENCED_PARAMETER (RegistryPath);
DbgPrintEx (DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ObCallbackTest: DriverEntry: Driver loaded. Use ed nt!Kd_IHVDRIVER_Mask f (or 7) to enable more traces\n");
CallbackVersion = ObGetFilterVersion();
DbgPrintEx (DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "ObCallbackTest: DriverEntry: Callback version 0x%hx\n", CallbackVersion);
//
// Initialize globals.
//
KeInitializeGuardedMutex (&TdCallbacksMutex);
//
// Create our device object.
//
Status = IoCreateDevice (
DriverObject, // pointer to driver object
0, // device extension size
&NtDeviceName, // device name
FILE_DEVICE_UNKNOWN, // device type
0, // device characteristics
FALSE, // not exclusive
&Device); // returned device object pointer
if (! NT_SUCCESS(Status))
{
goto Exit;
}
TD_ASSERT (Device == DriverObject->DeviceObject);
//
// Set dispatch routines.
//
DriverObject->MajorFunction[IRP_MJ_CREATE] = TdDeviceCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = TdDeviceClose;
DriverObject->MajorFunction[IRP_MJ_CLEANUP] = TdDeviceCleanup;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = TdDeviceControl;
DriverObject->DriverUnload = TdDeviceUnload;
//
// Create a link in the Win32 namespace.
//
Status = IoCreateSymbolicLink (&DosDevicesLinkName, &NtDeviceName);
if (! NT_SUCCESS(Status))
{
goto Exit;
}
SymLinkCreated = TRUE;
//
// Set process create routines.
//
Status = PsSetCreateProcessNotifyRoutineEx (
TdCreateProcessNotifyRoutine2,
FALSE
);
if (! NT_SUCCESS(Status))
{
DbgPrintEx (DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ObCallbackTest: DriverEntry: PsSetCreateProcessNotifyRoutineEx(2) returned 0x%x\n", Status);
goto Exit;
}
TdProcessNotifyRoutineSet2 = TRUE;
Exit:
if (!NT_SUCCESS (Status))
{
if (TdProcessNotifyRoutineSet2 == TRUE)
{
Status = PsSetCreateProcessNotifyRoutineEx (
TdCreateProcessNotifyRoutine2,
TRUE
);
TD_ASSERT (Status == STATUS_SUCCESS);
TdProcessNotifyRoutineSet2 = FALSE;
}
if (SymLinkCreated == TRUE)
{
IoDeleteSymbolicLink (&DosDevicesLinkName);
}
if (Device != NULL)
{
IoDeleteDevice (Device);
}
}
return Status;
}
