//
// возвращает размер зан¤той списком файлов пам¤ти в байтах
//
BOOLEAN GetFileListSizeByBytes(PULONG pdwSize)
{
BOOLEAN bRes = FALSE;
KDLinkedListItem* pNode;
PFILEINFO pFileInfo;
if (
KeGetCurrentIrql() == PASSIVE_LEVEL &&
_MmIsAddressValid(pdwSize) &&
_MmIsAddressValid(pSaveList)
)
{
*pdwSize = 0;
MUTEX_WAIT(LockMutexToFileSaveList);
pNode = pSaveList->GetHead();
while (_MmIsAddressValid(pNode))
{
pFileInfo = (PFILEINFO)pNode->GetObject();
if (_MmIsAddressValid(pFileInfo))
{
*pdwSize += pFileInfo->dwSizeAllNamesArea + SIZEOF_FILEINFO_REAL;
}
pNode = pNode->GetNext();
}
MUTEX_RELEASE(LockMutexToFileSaveList);
bRes = TRUE;
}
return bRes;
}
void Timer::removeEvent(uint event_id)
{
if( (event_id!=0) && ((timers_used & (1<<event_id)) != 0) )
{
MUTEX_GET(events_mutex);
{
timers_used&= ~(1<<event_id);
Debug("[SCHEDULER] Event removed: %s\n", events[event_id].func_name.c_str());
}
MUTEX_RELEASE(events_mutex);
}
}
BOOLEAN GetFileSaveList(PFILEINFOSET pFileInfoSet)
{
BOOLEAN bRes = FALSE;
KDLinkedListItem* pNode;
PFILEINFO pFileInfo, pFileInfoDest;
ULONG dwSize;
if (
KeGetCurrentIrql() == PASSIVE_LEVEL &&
_MmIsAddressValid(pSaveList) &&
_MmIsAddressValid(pFileInfoSet) &&
pFileInfoSet->dwSize >= SIZEOF_FILEINFOSET
)
{
dwSize = pFileInfoSet->dwSize;
memset(pFileInfoSet, 0, dwSize);
dwSize -= sizeof(ULONG);
pFileInfoDest = &pFileInfoSet->FileInfo[0];
MUTEX_WAIT(LockMutexToFileSaveList);
pNode = pSaveList->GetHead();
while (_MmIsAddressValid(pNode))
{
pFileInfo = (PFILEINFO)pNode->GetObject();
if (_MmIsAddressValid(pFileInfo))
{
if (dwSize >= (pFileInfo->dwSizeAllNamesArea + SIZEOF_FILEINFO_REAL))
{
memcpy(pFileInfoDest, pFileInfo, (pFileInfo->dwSizeAllNamesArea + SIZEOF_FILEINFO_REAL));
// if (dwSize >= (pFileInfo->dwSizeAllNamesArea + SIZEOF_FILEINFO_REAL))
dwSize -= (pFileInfo->dwSizeAllNamesArea + SIZEOF_FILEINFO_REAL);
// else
// dwSize = 0;
pFileInfoDest = (PFILEINFO)((CHAR*)pFileInfoDest + (pFileInfo->dwSizeAllNamesArea + SIZEOF_FILEINFO_REAL));
pFileInfoSet->dwSize += (pFileInfo->dwSizeAllNamesArea + SIZEOF_FILEINFO_REAL);
}
}
pNode = pNode->GetNext();
}
MUTEX_RELEASE(LockMutexToFileSaveList);
if (pFileInfoSet->dwSize != 0)
pFileInfoSet->dwSize += sizeof(ULONG);
bRes = TRUE;
}
return bRes;
}
//******************************************************************//
//********************* List destroy functions *********************//
//******************************************************************//
void ClearSaveFileList(void)
{
PFILEINFO lpFileInfo;
KDLinkedListItem* lpNode;
__try
{
MUTEX_WAIT(LockMutexToFileSaveList);
if (_MmIsAddressValid(pDirTree))
delete pDirTree;
pDirTree = NULL;
if (_MmIsAddressValid(pSaveList))
{
lpNode = pSaveList->GetHead();
while (_MmIsAddressValid(lpNode))
{
lpFileInfo = (PFILEINFO)pSaveList->RemoveHead();
if (_MmIsAddressValid(lpFileInfo))
{
FreePoolToKHeap(hKHeapSOFileList, lpFileInfo);
}
lpNode = pSaveList->GetHead();
}
delete pSaveList;
pSaveList = NULL;
}
MUTEX_RELEASE(LockMutexToFileSaveList);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
MUTEX_RELEASE(LockMutexToFileSaveList);
DbgPrintSO(("He4HookInv: ClearSaveFileList: EXCEPTION\n"));
}
}
uint Timer::addEvent(Script *p, const string &func, uint seconds, const vector<string> &vParams)
{
bool add= true;
TimedEvent ev(p, func, seconds);
uint newid;
// find a free index
for(newid= 1; newid< MAX_TIMER_COUNT; newid++)
{
if( !isIDValid(newid) )
break;
}
if( newid < MAX_TIMER_COUNT )
{
/*
// look in the existing events to see if it is not already registered
for(uint i= 1; i< MAX_TIMER_COUNT; i++)
{
TimedEvent &e= events[i];
// event already registered, return
if( isIDValid(i) && (p == e.plugin) && (func == e.func_name) && (seconds == e.delay_sec) )
{
add= false;
break;
}
}
*/
if( add )
{
MUTEX_GET(events_mutex);
{
ev.next= time(NULL) + ev.delay_sec;
ev.vCallbackParams= vParams;
events[newid]= ev;
}
MUTEX_RELEASE(events_mutex);
Debug("[SCHEDULER] Event added by \"%s\": %s (delay: %ds) \n", p->getName(), func.c_str(), seconds);
timers_used|= (1<<newid);
return newid;
}
}
return 0;
}
void Timer::user_func()
{
//Debug("[SCHEDULER] Started.\n");
for(int i= 0; i< 20; i++)
{
usleep(250000);
cancel_point();
}
while(1)
{
usleep(250000);
cancel_point();
MUTEX_GET(events_mutex);
{
for(uint i= 1; i< MAX_TIMER_COUNT; i++)
{
if( (timers_used & (1<<i)) != 0 )
{
TimedEvent &ev= events[i];
time_t timestamp= time(NULL);
cancel_point();
if( ev.next <= timestamp )
{
ev.plugin->callFunctionEx(ev.func_name.c_str(), "iw", i, &ev.vCallbackParams);
ev.next= timestamp + ev.delay_sec;
Debug("[SCHEDULER] Executing event %s::%s\n", ev.plugin->getName(), ev.func_name.c_str());
}
}
}
}
MUTEX_RELEASE(events_mutex);
}
//Debug("[SCHEDULER] Exited.\n");
}
/*
* mutex_vector_exit:
*
* Support routine for mutex_exit() that handles all cases.
*/
void
mutex_vector_exit(kmutex_t *mtx)
{
turnstile_t *ts;
uintptr_t curthread;
if (MUTEX_SPIN_P(mtx)) {
#ifdef FULL
if (__predict_false(!MUTEX_SPINBIT_LOCKED_P(mtx))) {
if (panicstr != NULL)
return;
MUTEX_ABORT(mtx, "exiting unheld spin mutex");
}
MUTEX_UNLOCKED(mtx);
MUTEX_SPINBIT_LOCK_UNLOCK(mtx);
#endif
MUTEX_SPIN_SPLRESTORE(mtx);
return;
}
if (__predict_false((uintptr_t)panicstr | cold)) {
MUTEX_UNLOCKED(mtx);
MUTEX_RELEASE(mtx);
return;
}
curthread = (uintptr_t)curlwp;
MUTEX_DASSERT(mtx, curthread != 0);
MUTEX_ASSERT(mtx, MUTEX_OWNER(mtx->mtx_owner) == curthread);
MUTEX_UNLOCKED(mtx);
#if !defined(LOCKDEBUG)
__USE(curthread);
#endif
#ifdef LOCKDEBUG
/*
* Avoid having to take the turnstile chain lock every time
* around. Raise the priority level to splhigh() in order
* to disable preemption and so make the following atomic.
*/
{
int s = splhigh();
if (!MUTEX_HAS_WAITERS(mtx)) {
MUTEX_RELEASE(mtx);
splx(s);
return;
}
splx(s);
}
#endif
/*
* Get this lock's turnstile. This gets the interlock on
* the sleep queue. Once we have that, we can clear the
* lock. If there was no turnstile for the lock, there
* were no waiters remaining.
*/
ts = turnstile_lookup(mtx);
if (ts == NULL) {
MUTEX_RELEASE(mtx);
turnstile_exit(mtx);
} else {
MUTEX_RELEASE(mtx);
turnstile_wakeup(ts, TS_WRITER_Q,
TS_WAITERS(ts, TS_WRITER_Q), NULL);
}
}
BOOLEAN DelFileSaveList(PFILEINFOSET lpFileInfoSet)
{
ULONG dwSize, dwSizeOfItem;
CHAR *lpszStr;
KDLinkedListItem* lpNode;
PFILEINFO lpFileInfo, lpFileInfoIn;
if (!_MmIsAddressValid(pSaveList))
return FALSE;
if (!_MmIsAddressValid(pDirTree))
return FALSE;
if (!_MmIsAddressValid(lpFileInfoSet))
return FALSE;
if (lpFileInfoSet->dwSize < SIZEOF_FILEINFOSET)
return FALSE;
MUTEX_WAIT(LockMutexToFileSaveList);
dwSize = lpFileInfoSet->dwSize - (SIZEOF_FILEINFOSET - SIZEOF_FILEINFO);
lpFileInfoIn = &lpFileInfoSet->FileInfo[0];
while (dwSize > SIZEOF_FILEINFO)
{
if (!CheckFileInfo(lpFileInfoIn))
break;
dwSizeOfItem = ((SIZEOF_FILEINFO-sizeof(CHAR)) + lpFileInfoIn->dwSizeAllNamesArea);
if (lpFileInfoIn->dwSizeAnsiName > sizeof(CHAR))
{
lpNode = pSaveList->GetHead();
while (_MmIsAddressValid(lpNode))
{
lpFileInfo = (PFILEINFO)lpNode->GetObject();
if (!_MmIsAddressValid(lpFileInfo))
{
lpNode = lpNode->GetNext();
continue;
}
lpszStr = lpFileInfoIn->szNames+lpFileInfoIn->dwOffsetToAnsiName;
if (!CompareString(lpFileInfo->szNames+lpFileInfo->dwOffsetToAnsiName, lpszStr, TRUE))
{
DbgPrintSO(("He4HookInv: DelFileSaveList: Start delete - %s\n", lpszStr));
pDirTree->Remove((PWSTR)(lpFileInfo->szNames+lpFileInfo->dwOffsetToUniName), NULL);
pSaveList->Remove(lpNode);
lpNode = pSaveList->GetHead();
DbgPrintSO(("He4HookInv: DelFileSaveList: End delete - %s\n", lpszStr));
FreePoolToKHeap(hKHeapSOFileList, lpFileInfo);
continue;
}
lpNode = lpNode->GetNext();
}
}
dwSize -= dwSizeOfItem;
lpFileInfoIn = (PFILEINFO)((PCHAR)lpFileInfoIn + dwSizeOfItem);
}
MUTEX_RELEASE(LockMutexToFileSaveList);
return TRUE;
}
BOOLEAN AddFileSaveList(PFILEINFOSET lpFileInfoSet)
{
PFILEINFO lpFileInfo, lpFileInfoIn;
ULONG dwSize, dwSizeOfItem, dwSizeOfItemNew;
PWSTR pwszNtFileName;
ULONG dwSizeOfNtFileName;
ANSI_STRING FileNameAnsi;
UNICODE_STRING FileNameUni;
if (!_MmIsAddressValid(lpFileInfoSet))
return FALSE;
if (lpFileInfoSet->dwSize < SIZEOF_FILEINFOSET)
return FALSE;
MUTEX_WAIT(LockMutexToFileSaveList);
DbgPrintSO(("He4HookInv: AddFileSaveList: Start!!!\n"));
if (!_MmIsAddressValid(pSaveList))
{
pSaveList = new KDLinkedList(NULL);
if (pSaveList == NULL)
{
DbgPrintSO(("He4HookInv: AddFileSaveList: File list create ERROR!!!\n"));
MUTEX_RELEASE(LockMutexToFileSaveList);
return FALSE;
}
}
if (!_MmIsAddressValid(pDirTree))
{
pDirTree = new KShieldDirectoryTree();
if (pDirTree == NULL)
{
DbgPrintSO(("He4HookInv: AddFileSaveList: KShieldDirectoryTree create ERROR!!!\n"));
MUTEX_RELEASE(LockMutexToFileSaveList);
return FALSE;
}
}
DbgPrintSO(("He4HookInv: AddFileSaveList: List created OK!!!\n"));
dwSize = lpFileInfoSet->dwSize - (SIZEOF_FILEINFOSET - SIZEOF_FILEINFO);
lpFileInfoIn = &lpFileInfoSet->FileInfo[0];
while(dwSize > SIZEOF_FILEINFO)
{
if (!CheckFileInfo(lpFileInfoIn))
break;
dwSizeOfItem = ((SIZEOF_FILEINFO-sizeof(CHAR)) + lpFileInfoIn->dwSizeAllNamesArea);
if (lpFileInfoIn->dwSizeAnsiName > sizeof(CHAR))
{
pwszNtFileName = (PWSTR)_AllocatePoolFromKHeap(hKHeapSOFileList, sizeof(WCHAR)*lpFileInfoIn->dwSizeAnsiName+2048);
if (pwszNtFileName)
{
RtlInitAnsiString(&FileNameAnsi, lpFileInfoIn->szNames+lpFileInfoIn->dwOffsetToAnsiName);
RtlAnsiStringToUnicodeString(&FileNameUni, &FileNameAnsi, TRUE);
dwSizeOfNtFileName = DosPathNameToNtPathName(FileNameUni.Buffer, pwszNtFileName, sizeof(WCHAR)*lpFileInfoIn->dwSizeAnsiName+2048, 255, NULL);
RtlFreeUnicodeString(&FileNameUni);
if (dwSizeOfNtFileName)
{
dwSizeOfNtFileName += sizeof(WCHAR);
dwSizeOfItemNew = (SIZEOF_FILEINFO-sizeof(CHAR)) + lpFileInfoIn->dwSizeAnsiName + dwSizeOfNtFileName;
#define ADD_NT_PATH L"\\??\\"
//L"\\DosDevices\\"
//L"\\??\\"
if (lpFileInfoIn->dwAccessType & FILE_ACC_TYPE_EXCHANGE)
{
if (lpFileInfoIn->dwSizeAnsiChangedName > sizeof(CHAR))
{
dwSizeOfItemNew += sizeof(WCHAR)*lpFileInfoIn->dwSizeAnsiChangedName + sizeof(ADD_NT_PATH)-sizeof(WCHAR);
}
else
{
if (lpFileInfoIn->dwSizeUniChangedName > sizeof(WCHAR))
dwSizeOfItemNew += lpFileInfoIn->dwSizeUniChangedName;
}
}
lpFileInfo = (PFILEINFO)_AllocatePoolFromKHeap(hKHeapSOFileList, dwSizeOfItemNew+sizeof(WCHAR));
if (lpFileInfo)
{
memset(lpFileInfo, 0, dwSizeOfItemNew+sizeof(WCHAR));
lpFileInfo->dwAccessType = lpFileInfoIn->dwAccessType;
lpFileInfo->dwSizeAllNamesArea = dwSizeOfItemNew - (SIZEOF_FILEINFO-sizeof(CHAR));
lpFileInfo->dwOffsetToAnsiName = 0;
lpFileInfo->dwSizeAnsiName = lpFileInfoIn->dwSizeAnsiName;
RtlCopyMemory(lpFileInfo->szNames+lpFileInfo->dwOffsetToAnsiName,
lpFileInfoIn->szNames+lpFileInfoIn->dwOffsetToAnsiName,
lpFileInfo->dwSizeAnsiName);
lpFileInfo->dwOffsetToUniName = lpFileInfo->dwOffsetToAnsiName + lpFileInfo->dwSizeAnsiName;
lpFileInfo->dwSizeUniName = dwSizeOfNtFileName;
RtlCopyMemory(lpFileInfo->szNames+lpFileInfo->dwOffsetToUniName, pwszNtFileName, dwSizeOfNtFileName);
if (lpFileInfoIn->dwAccessType & FILE_ACC_TYPE_EXCHANGE)
{
if (lpFileInfoIn->dwSizeAnsiChangedName > sizeof(CHAR))
{
lpFileInfo->dwOffsetToUniChangedName = lpFileInfo->dwOffsetToUniName + lpFileInfo->dwSizeUniName;
lpFileInfo->dwSizeUniChangedName = sizeof(WCHAR)*lpFileInfoIn->dwSizeAnsiChangedName+sizeof(ADD_NT_PATH)-sizeof(WCHAR);
RtlInitAnsiString(&FileNameAnsi, lpFileInfoIn->szNames+lpFileInfoIn->dwOffsetToAnsiChangedName);
RtlAnsiStringToUnicodeString(&FileNameUni, &FileNameAnsi, TRUE);
RtlCopyMemory(lpFileInfo->szNames+lpFileInfo->dwOffsetToUniChangedName, ADD_NT_PATH, sizeof(ADD_NT_PATH));
RtlCopyMemory((lpFileInfo->szNames+lpFileInfo->dwOffsetToUniChangedName+sizeof(ADD_NT_PATH)-sizeof(WCHAR)), FileNameUni.Buffer,
(sizeof(WCHAR)*lpFileInfoIn->dwSizeAnsiChangedName) < (FileNameUni.Length+sizeof(WCHAR)) ? (sizeof(WCHAR)*lpFileInfoIn->dwSizeAnsiChangedName) : (FileNameUni.Length+sizeof(WCHAR)));
RtlFreeUnicodeString(&FileNameUni);
}
else
{
if (lpFileInfoIn->dwSizeUniChangedName > sizeof(WCHAR))
{
lpFileInfo->dwOffsetToUniChangedName = lpFileInfo->dwOffsetToUniName + lpFileInfo->dwSizeUniName;
lpFileInfo->dwSizeUniChangedName = lpFileInfoIn->dwSizeUniChangedName;
RtlCopyMemory(
lpFileInfo->szNames+lpFileInfo->dwOffsetToUniChangedName,
lpFileInfoIn->szNames+lpFileInfoIn->dwOffsetToUniChangedName,
lpFileInfo->dwSizeUniChangedName
);
}
else
{
lpFileInfo->dwAccessType &= ~FILE_ACC_TYPE_EXCHANGE;
}
}
}
PVOID pContext;
if (pDirTree->Find((PWSTR)(lpFileInfo->szNames+lpFileInfo->dwOffsetToUniName), &pContext) == NULL)
{
DbgPrintSO(("He4HookInv: AddFileSaveList: %s, type = %x\n", lpFileInfo->szNames+lpFileInfo->dwOffsetToAnsiName, lpFileInfo->dwAccessType));
if (pDirTree->Add((PWSTR)(lpFileInfo->szNames+lpFileInfo->dwOffsetToUniName), (PVOID)lpFileInfo) == TRUE)
{
if (pSaveList->AddTailObject(lpFileInfo) == FALSE)
{
pDirTree->Remove((PWSTR)(lpFileInfo->szNames+lpFileInfo->dwOffsetToUniName), NULL);
FreePoolToKHeap(hKHeapSOFileList, lpFileInfo);
}
}
else
{
FreePoolToKHeap(hKHeapSOFileList, lpFileInfo);
}
}
else
{
FreePoolToKHeap(hKHeapSOFileList, lpFileInfo);
}
}
}
FreePoolToKHeap(hKHeapSOFileList, pwszNtFileName);
}
}
dwSize -= dwSizeOfItem;
lpFileInfoIn = (PFILEINFO)((PCHAR)lpFileInfoIn + dwSizeOfItem);
}
MUTEX_RELEASE(LockMutexToFileSaveList);
return TRUE;
}
