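/* Rebuilds the user-mode process list from a snapshot supplied by the driver.
 *
 * Asks the driver (IOCTL_GET_PROCESSLIST) for a packed list of
 * PROCESSLISTENTRY records, replaces the contents of the global process list
 * with them and returns TRUE. Returns FALSE when the scratch buffer cannot be
 * allocated or when the IOCTL fails / returns no data; in both cases the
 * process list is left untouched.
 *
 * The records are chained by relative byte offsets (nNextEntry), so the walk
 * trusts nothing but nBytesReturned: every header and every offset is checked
 * against the end of the returned data before it is dereferenced or followed.
 */
BOOL _SpySrv_RefreshProcList (void) 
{
  PVOID		pBuffer ;
  DWORD		nBufferSize ;
  DWORD		nBytesReturned=0 ;
  BOOL		bSuccess ;
  PROCESSLISTENTRY*	pEntry ;
  const BYTE*		pEnd ;
  
  nBufferSize = 1024*1024 ;
  pBuffer = malloc (nBufferSize) ;
  if( ! pBuffer )
    {
      TRACE_ERROR (TEXT("Failed to allocate %u bytes for process list\n"), nBufferSize) ;
      return FALSE ;
    }

  bSuccess = DeviceIoControl (g_hDriver, IOCTL_GET_PROCESSLIST, 
			      NULL, 0,
			      pBuffer, nBufferSize,
			      &nBytesReturned, NULL) ;

  if( ! bSuccess ||  nBytesReturned==0 )
    {
      TRACE_ERROR (TEXT("Failed to get process list (error=%u)\n"),
		   GetLastError()) ;
      free (pBuffer) ;
      return FALSE ;
    }

  // Never believe a byte count larger than the buffer we handed out.
  if( nBytesReturned > nBufferSize ) nBytesReturned = nBufferSize ;
  pEnd = (const BYTE*)pBuffer + nBytesReturned ;
  
  ProcList_Lock () ;

  ProcList_Clear () ;
  
  pEntry = pBuffer ;

  while( 1 )
    {
      PROCSTRUCT proc ;
      size_t	 nRemaining = (size_t)(pEnd - (const BYTE*)pEntry) ;

      // Stop on a header that would extend past the returned data.
      if( nRemaining < sizeof *pEntry )
	{
	  TRACE_ERROR (TEXT("Truncated process list entry at offset %u\n"),
		       (DWORD)((const BYTE*)pEntry - (const BYTE*)pBuffer)) ;
	  break ;
	}

      TRACE_INFO (TEXT("%d : %ls\n"), pEntry->nProcessId, pEntry->wszFilePath) ;

      // NOTE(review): wszFilePath is assumed to be NUL-terminated inside the
      // entry (PathFindFileName scans for the terminator) - confirm with the driver.
      proc.nProcessAddress	= pEntry->nProcessAddress ;
      proc.nProcessId		= pEntry->nProcessId ;
      proc.nState		= PS_HOOKED_WHILE_RUNNING ;
      wcslcpy (proc.szName, PathFindFileName(pEntry->wszFilePath), 32) ;
      wcslcpy (proc.szPath, pEntry->wszFilePath, MAX_PATH) ;

      ProcList_Add (&proc) ;

      if( pEntry->nNextEntry == 0 ) break ;
      
      // A non-zero offset must land strictly inside the returned data;
      // anything else is a malformed chain and ends the walk.
      if( (size_t)pEntry->nNextEntry >= nRemaining )
	{
	  TRACE_ERROR (TEXT("Process list entry offset %u leaves the buffer\n"),
		       (DWORD)pEntry->nNextEntry) ;
	  break ;
	}

      pEntry = (PROCESSLISTENTRY*)( (BYTE*)pEntry + pEntry->nNextEntry ) ;
    }
  
  ProcList_Unlock () ;
    
  free (pBuffer) ;
  return TRUE ;
}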
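/* Registers a newly created process with the driver's process list.
 *
 * hProcess    - handle of the new process; used only to look up its address
 *               and process id
 * wszFilePath - image path of the process; handed to ProcList_New and, unless
 *               the descriptor carries PROCESS_NO_NOTIFICATION, forwarded to
 *               the user-mode application
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when no descriptor
 * could be allocated, or the status of a failed lock acquisition. On a lock
 * failure the descriptor has already been allocated but is not in the list;
 * no release helper for ProcList_New is visible here, so it is leaked -
 * TODO confirm how ProcList_New allocations are released and free it there.
 */
NTSTATUS HookSys_ProcessCreated (HANDLE hProcess, LPCWSTR wszFilePath)
{          
  PROCSTRUCT	*pProc ; 
  PROCADDR	nProcessAddress ;
  PROCID	nProcessId ;
  BOOL		bNoNotification ;
  NTSTATUS	nStatus ;

  // get information on new process
  // NOTE(review): the results of both lookups are ignored; confirm they
  // cannot fail before nProcessAddress / nProcessId are relied on below.
  ProcInfo_GetAddress (hProcess, &nProcessAddress) ;
  ProcInfo_GetProcessId (hProcess, &nProcessId) ;
  
  // alloc a new process descriptor
  pProc = ProcList_New (nProcessAddress, nProcessId, wszFilePath) ;
  if( ! pProc ) return STATUS_INSUFFICIENT_RESOURCES ;

  // read the flag before any lock is taken so the notification decision
  // does not depend on the list state
  bNoNotification = (pProc->nFlags & PROCESS_NO_NOTIFICATION) != 0 ;

  // get associated filters
  nStatus = DrvFilter_LockMutex () ;
  if( nStatus != STATUS_SUCCESS ) return nStatus ;	// pProc leaked, see header
  DrvFilter_GetFiltersForProgram (pProc->wszPath, pProc->aFilters, 
				  &pProc->nFilters, MAX_FILTERS) ;
  DrvFilter_UnlockMutex () ;  
  
  // add process descriptor to process list
  nStatus = ProcList_Lock () ;
  if( nStatus != STATUS_SUCCESS ) return nStatus ;	// pProc leaked, see header
  ProcList_Add (pProc) ;
  ProcList_Unlock () ;
  
  // notify application
  if( ! bNoNotification )
    HookCommon_SendProcessCreatedNotification (nProcessAddress, nProcessId, wszFilePath) ;

  return STATUS_SUCCESS ;
}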
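/* Dispatches one request message received from the kernel driver.
 *
 * pBuffer - the request, which starts with an SDNMHDR; when the request has a
 *           response it is written back in place at the start of this buffer
 * nSize   - number of valid bytes in pBuffer, as reported by the driver
 *
 * Returns the number of response bytes written to pBuffer, or 0 when the
 * request produces no response, is not recognised, or is too short to be
 * parsed as the struct its code announces.
 *
 * nSize is the only bound available, so each request-specific cast is guarded
 * by a length check: without it `nSize - sizeof(...)` wraps on a short message
 * (nSerialSize is unsigned) and the struct fields are read past the buffer.
 * The ASSERTs are kept for debug builds; the explicit checks also hold in
 * release builds.
 */
DWORD _SpySrv_RequestFromDriver (LPVOID pBuffer, DWORD nSize) 
{
  SDNMHDR	*p = pBuffer ;
  VOID		*pSerial ;
  UINT		nSerialSize ;
  DWORD		nResponseSize = 0 ;

  TRACE ; 

  ASSERT (pBuffer) ;
  ASSERT (nSize>0) ;
  ASSERT (nSize>=sizeof(SDNMHDR)) ;

  if( ! pBuffer || nSize < sizeof(SDNMHDR) )
    {
      TRACE_ERROR (TEXT("Driver request too short for a header (size=%u)\n"), nSize) ;
      return 0 ;
    }
  
  TRACE_INFO (TEXT(" /----REQ-%d----\\ (size=%d\n"), p->dwCode, nSize) ;

  switch( p->dwCode )
    {
    case SDN_ASK:
      {
	DWORD		nReaction ;
	FILTCOND	cond ;

	if( nSize < sizeof(SDNASK) )
	  {
	    // Same fail-open reaction the existing code uses for an unparsable
	    // condition, so a malformed message is not treated differently.
	    TRACE_ERROR (TEXT("SDN_ASK request too short (size=%u)\n"), nSize) ;
	    nReaction = RULE_ACCEPT ;
	  }
	else
	  {
	    pSerial = ((SDNASK*)p)->data ;
	    nSerialSize = nSize - sizeof(SDNASK) ;	// cannot wrap: checked above

	    ASSERT (nSerialSize>0) ;

	    if( ! FiltCond_Unserialize (&cond, pSerial, nSerialSize) )
	      {
		TRACE_ERROR (TEXT("FiltCond_Unserialize failed\n")) ;
		nReaction = RULE_ACCEPT ;	    
	      }
	    else
	      {   
		nReaction = _SpySrv_Ask (((SDNASK*)p)->nProcessAddress, 
					 ((SDNASK*)p)->nDefReaction, 
					 &cond) ;
	      }
	  }
	
	// The reply overwrites the request header; sizeof(SDNMHDR) >= sizeof(DWORD)
	// since the header holds dwCode, and nSize >= sizeof(SDNMHDR) was checked.
	*((DWORD*)pBuffer) = nReaction ;
	nResponseSize = sizeof(DWORD) ;
      }
      break ;

    case SDN_LOG:
    case SDN_ALERT:
      {
	FILTCOND	cond ;

	if( nSize < sizeof(SDNLOG) )
	  {
	    TRACE_ERROR (TEXT("SDN_LOG/SDN_ALERT request too short (size=%u)\n"), nSize) ;
	    break ;
	  }

	pSerial = ((SDNLOG*)p)->data ;
	nSerialSize = nSize - sizeof(SDNLOG) ;	// cannot wrap: checked above

	if( ! FiltCond_Unserialize (&cond, pSerial, nSerialSize) )
	  {
	    // Nothing to log without a condition; the driver expects no reply.
	    TRACE_ERROR (TEXT("FiltCond_Unserialize failed\n")) ;
	  }
	else
	  {
	    _SpySrv_Log (((SDNLOG*)p)->nProcessAddress, &cond,
			 ((SDNLOG*)p)->dwReaction, p->dwCode==SDN_ALERT) ;
	  }
      }
      break ;

    case SDN_SCANFILE:
      {
	DWORD		nScanResult ;

	if( nSize < sizeof(SDNSCANFILE) )
	  {
	    TRACE_ERROR (TEXT("SDN_SCANFILE request too short (size=%u)\n"), nSize) ;
	    break ;
	  }

	// NOTE(review): wszFilePath is assumed to be NUL-terminated within the
	// struct - confirm with the driver side that builds SDNSCANFILE.
	nScanResult = SpySrv_ScanFile (((SDNSCANFILE*)pBuffer)->wszFilePath, FALSE) ;

	*((DWORD*)pBuffer) = nScanResult ;
	nResponseSize = sizeof(DWORD) ;
      }
      break ;

    case SDN_PROCESSCREATED:
      {
	SDNPROCESSCREATED * pSdnpc = pBuffer ;
	PROCSTRUCT	proc ;
	
	if( nSize < sizeof(SDNPROCESSCREATED) )
	  {
	    TRACE_ERROR (TEXT("SDN_PROCESSCREATED request too short (size=%u)\n"), nSize) ;
	    break ;
	  }

	// NOTE(review): wszFilePath is assumed to be NUL-terminated within the
	// struct (PathFindFileName scans for the terminator) - confirm with the driver.
	proc.nProcessAddress	= pSdnpc->nProcessAddress ;
	proc.nProcessId		= pSdnpc->nProcessId ;
	proc.nState		= PS_HOOKED_SINCE_BIRTH ;
	wcslcpy (proc.szName, PathFindFileName(pSdnpc->wszFilePath), 32) ;
	wcslcpy (proc.szPath, pSdnpc->wszFilePath, MAX_PATH) ;
	
	ProcList_Lock () ;
	ProcList_Add (&proc) ;
	ProcList_Unlock () ;
	  
	PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PROCESSCREATED, pSdnpc->nProcessAddress) ;
      }
      break ;

    case SDN_PIDCHANGED:
      {
  	SDNPIDCHANGED	*pSdnpc = pBuffer ;
  	PROCSTRUCT	*pProc ;

	if( nSize < sizeof(SDNPIDCHANGED) )
	  {
	    TRACE_ERROR (TEXT("SDN_PIDCHANGED request too short (size=%u)\n"), nSize) ;
	    break ;
	  }

	ProcList_Lock () ;	
	pProc = ProcList_Get (pSdnpc->nProcessAddress) ;
	if( pProc ) 
	  {
	    TRACE_ALWAYS (TEXT("PID changed %d -> %d\n"), pProc->nProcessId, pSdnpc->nNewProcessId) ; 
	    pProc->nProcessId = pSdnpc->nNewProcessId ;  
	  }
	ProcList_Unlock () ;

	// This notification has been disabled because it caused a dead-lock.
	// PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PIDCHANGED, pSdnpc->nProcessAddress) ;
      }
      break ;

    case SDN_PROCESSTERMINATED:
      {
	SDNPROCESSTERMINATED * pSdnpt = pBuffer ;

	if( nSize < sizeof(SDNPROCESSTERMINATED) )
	  {
	    TRACE_ERROR (TEXT("SDN_PROCESSTERMINATED request too short (size=%u)\n"), nSize) ;
	    break ;
	  }

	TRACE_INFO (TEXT("Process terminated 0x%08X\n"),pSdnpt->nProcessAddress) ; 
	
	ProcList_Lock () ;
	ProcList_Remove (pSdnpt->nProcessAddress) ;
	ProcList_Unlock () ;
	  
	PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PROCESSTERMINATED, pSdnpt->nProcessAddress) ;
      }
      break ;

    default:

      TRACE_WARNING (TEXT("Driver request not handled (code=%d)\n"),  p->dwCode) ;
    }

  TRACE_INFO (TEXT(" \\----ANS------/\n")) ;

  return nResponseSize ;
}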