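/*
 * Re-reads the complete process list from the driver (IOCTL_GET_PROCESSLIST)
 * and rebuilds the user-mode process table from it.
 *
 * Returns TRUE when the table was rebuilt, FALSE when the buffer could not be
 * allocated or the IOCTL failed / returned nothing (the existing table is then
 * left untouched).
 *
 * The reply is a chain of PROCESSLISTENTRY records where nNextEntry is the byte
 * offset from one record to the next (0 terminates the chain). Every record and
 * every offset is checked against nBytesReturned, so a truncated or malformed
 * reply stops the walk instead of reading past the buffer.
 */
BOOL _SpySrv_RefreshProcList ()
{
    enum { PROCLIST_BUFFER_SIZE = 1024*1024 } ;
    BYTE *pBuffer ;
    DWORD nBytesReturned = 0 ;
    DWORD nOffset = 0 ;
    BOOL bSuccess ;

    pBuffer = malloc (PROCLIST_BUFFER_SIZE) ;
    if( pBuffer == NULL )
    {
        TRACE_ERROR (TEXT("Failed to allocate process list buffer\n")) ;
        return FALSE ;
    }

    bSuccess = DeviceIoControl (g_hDriver, IOCTL_GET_PROCESSLIST, NULL, 0,
                                pBuffer, PROCLIST_BUFFER_SIZE, &nBytesReturned, NULL) ;
    if( ! bSuccess || nBytesReturned==0 )
    {
        TRACE_ERROR (TEXT("Failed to get process list (error=%u)\n"), GetLastError()) ;
        free (pBuffer) ;
        return FALSE ;
    }

    ProcList_Lock () ;
    ProcList_Clear () ;

    for( ;; )
    {
        PROCESSLISTENTRY *pEntry ;
        PROCSTRUCT proc = {0} ;   /* ProcList_Add copies it; do not hand over uninitialised fields */

        /* The whole record must lie inside the bytes the driver actually returned.
           NOTE(review): this assumes each record carries a full PROCESSLISTENTRY
           layout; if the driver emits shorter variable-length records, relax this
           to the fixed prefix — TODO confirm against the driver. */
        if( nBytesReturned - nOffset < sizeof *pEntry )
        {
            TRACE_ERROR (TEXT("Process list truncated at offset %u (returned=%u)\n"), nOffset, nBytesReturned) ;
            break ;
        }
        pEntry = (PROCESSLISTENTRY*)( pBuffer + nOffset ) ;

        TRACE_INFO (TEXT("%d : %ls\n"), pEntry->nProcessId, pEntry->wszFilePath) ;

        proc.nProcessAddress = pEntry->nProcessAddress ;
        proc.nProcessId = pEntry->nProcessId ;
        proc.nState = PS_HOOKED_WHILE_RUNNING ;   /* found by enumeration, not seen being created */
        wcslcpy (proc.szName, PathFindFileName(pEntry->wszFilePath), 32) ;
        wcslcpy (proc.szPath, pEntry->wszFilePath, MAX_PATH) ;
        ProcList_Add (&proc) ;

        if( pEntry->nNextEntry == 0 )
            break ;

        /* Reject an offset that would leave the buffer; after this test
           nOffset + nNextEntry <= nBytesReturned, so the sum cannot wrap. */
        if( pEntry->nNextEntry > nBytesReturned - nOffset )
        {
            TRACE_ERROR (TEXT("Process list entry at offset %u points outside the buffer\n"), nOffset) ;
            break ;
        }
        nOffset += pEntry->nNextEntry ;
    }

    ProcList_Unlock () ;
    free (pBuffer) ;
    return TRUE ;
}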
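/*
 * Driver-side hook invoked when a new process has been created.
 *
 * hProcess    : handle of the new process.
 * wszFilePath : image path of the new process.
 *
 * Allocates a process descriptor, attaches the filters matching its path, adds
 * it to the process list and, unless the descriptor carries
 * PROCESS_NO_NOTIFICATION, notifies the user-mode application.
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when no descriptor
 * could be allocated, or the status of a failed mutex / list lock.
 */
NTSTATUS HookSys_ProcessCreated (HANDLE hProcess, LPCWSTR wszFilePath)
{
    PROCSTRUCT *pProc ;
    PROCADDR nProcessAddress ;
    PROCID nProcessId ;
    BOOL bNoNotification ;
    NTSTATUS nStatus ;

    // get information on new process
    ProcInfo_GetAddress (hProcess, &nProcessAddress) ;
    ProcInfo_GetProcessId (hProcess, &nProcessId) ;

    // alloc a new process descriptor; a NULL result must not be dereferenced in kernel mode
    pProc = ProcList_New (nProcessAddress, nProcessId, wszFilePath) ;
    if( pProc == NULL )
    {
        return STATUS_INSUFFICIENT_RESOURCES ;
    }
    bNoNotification = (pProc->nFlags & PROCESS_NO_NOTIFICATION) != 0 ;

    // get associated filters
    nStatus = DrvFilter_LockMutex () ;
    if( nStatus != STATUS_SUCCESS )
    {
        // NOTE(review): pProc is not released on this path; the counterpart of
        // ProcList_New is not visible here — TODO confirm and release it.
        return nStatus ;
    }
    DrvFilter_GetFiltersForProgram (pProc->wszPath, pProc->aFilters, &pProc->nFilters, MAX_FILTERS) ;
    DrvFilter_UnlockMutex () ;

    // add process descriptor to process list
    nStatus = ProcList_Lock () ;
    if( nStatus != STATUS_SUCCESS )
    {
        // NOTE(review): same descriptor leak as above — TODO confirm and release it.
        return nStatus ;
    }
    ProcList_Add (pProc) ;
    ProcList_Unlock () ;

    // notify application
    if( ! bNoNotification )
    {
        HookCommon_SendProcessCreatedNotification (nProcessAddress, nProcessId, wszFilePath) ;
    }

    return STATUS_SUCCESS ;
}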
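/*
 * Size check shared by the request handlers in _SpySrv_RequestFromDriver:
 * a request of nSize bytes must be able to hold the nRequired-byte message
 * the handler is about to cast it to. Logs and returns FALSE when it cannot.
 */
static BOOL _SpySrv_CheckRequestSize (DWORD nSize, size_t nRequired, DWORD dwCode)
{
    if( nSize < nRequired )
    {
        TRACE_ERROR (TEXT("Driver request %d too short (size=%u, expected at least %u)\n"),
                     dwCode, nSize, (UINT)nRequired) ;
        return FALSE ;
    }
    return TRUE ;
}

/*
 * Dispatches one request received from the driver.
 *
 * pBuffer : request message, starting with an SDNMHDR; when the request expects
 *           an answer it is written back at the start of the same buffer.
 * nSize   : number of valid bytes in pBuffer.
 *
 * Returns the number of answer bytes written to pBuffer (0 when the request
 * carries no answer, was not understood, or was too short to be decoded).
 *
 * Every case checks nSize against the message type it casts pBuffer to before
 * reading past the header, so a short request can neither be decoded past the
 * end of pBuffer nor turn "nSize - sizeof(...)" into a huge unsigned length.
 */
DWORD _SpySrv_RequestFromDriver (LPVOID pBuffer, DWORD nSize)
{
    SDNMHDR *p = pBuffer ;
    VOID *pSerial ;
    UINT nSerialSize ;
    DWORD nResponseSize = 0 ;

    TRACE ;
    ASSERT (pBuffer) ;
    ASSERT (nSize>0) ;
    ASSERT (nSize>=sizeof(SDNMHDR)) ;
    /* the asserts above compile out of release builds; keep the header check at runtime */
    if( pBuffer == NULL || nSize < sizeof(SDNMHDR) )
    {
        TRACE_ERROR (TEXT("Driver request rejected: no header (size=%u)\n"), nSize) ;
        return 0 ;
    }

    TRACE_INFO (TEXT(" /----REQ-%d----\\ (size=%d\n"), p->dwCode, nSize) ;

    switch( p->dwCode )
    {
        case SDN_ASK:
        {
            DWORD nReaction = RULE_ACCEPT ;   /* fallback used when the condition cannot be decoded */
            FILTCOND cond ;

            if( _SpySrv_CheckRequestSize (nSize, sizeof(SDNASK), p->dwCode) )
            {
                pSerial = ((SDNASK*)p)->data ;
                nSerialSize = nSize - sizeof(SDNASK) ;
                ASSERT (nSerialSize>0) ;
                if( ! FiltCond_Unserialize (&cond, pSerial, nSerialSize) )
                {
                    TRACE_ERROR (TEXT("FiltCond_Unserialize failed\n")) ;
                }
                else
                {
                    nReaction = _SpySrv_Ask (((SDNASK*)p)->nProcessAddress, ((SDNASK*)p)->nDefReaction, &cond) ;
                }
            }
            /* a short request gets the same fallback as an undecodable one; the answer
               overwrites the header, and nSize >= sizeof(SDNMHDR) was checked above */
            *((DWORD*)pBuffer) = nReaction ;
            nResponseSize = sizeof(DWORD) ;
        }
        break ;

        case SDN_LOG:
        case SDN_ALERT:
        {
            FILTCOND cond ;

            if( ! _SpySrv_CheckRequestSize (nSize, sizeof(SDNLOG), p->dwCode) )
                break ;
            pSerial = ((SDNLOG*)p)->data ;
            nSerialSize = nSize - sizeof(SDNLOG) ;
            if( ! FiltCond_Unserialize (&cond, pSerial, nSerialSize) )
            {
                TRACE_ERROR (TEXT("FiltCond_Unserialize failed\n")) ;
            }
            else
            {
                _SpySrv_Log (((SDNLOG*)p)->nProcessAddress, &cond, ((SDNLOG*)p)->dwReaction, p->dwCode==SDN_ALERT) ;
            }
        }
        break ;

        case SDN_SCANFILE:
        {
            DWORD nScanResult ;

            if( ! _SpySrv_CheckRequestSize (nSize, sizeof(SDNSCANFILE), p->dwCode) )
                break ;   /* no answer for a request we cannot decode */
            nScanResult = SpySrv_ScanFile (((SDNSCANFILE*)pBuffer)->wszFilePath, FALSE) ;
            *((DWORD*)pBuffer) = nScanResult ;
            nResponseSize = sizeof(DWORD) ;
        }
        break ;

        case SDN_PROCESSCREATED:
        {
            SDNPROCESSCREATED *pSdnpc = pBuffer ;
            PROCSTRUCT proc = {0} ;   /* ProcList_Add copies it; do not hand over uninitialised fields */

            if( ! _SpySrv_CheckRequestSize (nSize, sizeof(SDNPROCESSCREATED), p->dwCode) )
                break ;
            proc.nProcessAddress = pSdnpc->nProcessAddress ;
            proc.nProcessId = pSdnpc->nProcessId ;
            proc.nState = PS_HOOKED_SINCE_BIRTH ;
            wcslcpy (proc.szName, PathFindFileName(pSdnpc->wszFilePath), 32) ;
            wcslcpy (proc.szPath, pSdnpc->wszFilePath, MAX_PATH) ;
            ProcList_Lock () ;
            ProcList_Add (&proc) ;
            ProcList_Unlock () ;
            PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PROCESSCREATED, pSdnpc->nProcessAddress) ;
        }
        break ;

        case SDN_PIDCHANGED:
        {
            SDNPIDCHANGED *pSdnpc = pBuffer ;
            PROCSTRUCT *pProc ;

            if( ! _SpySrv_CheckRequestSize (nSize, sizeof(SDNPIDCHANGED), p->dwCode) )
                break ;
            ProcList_Lock () ;
            pProc = ProcList_Get (pSdnpc->nProcessAddress) ;
            if( pProc )
            {
                TRACE_ALWAYS (TEXT("PID changed %d -> %d\n"), pProc->nProcessId, pSdnpc->nNewProcessId) ;
                pProc->nProcessId = pSdnpc->nNewProcessId ;
            }
            ProcList_Unlock () ;
            // This notification has been disabled because it caused a dead-lock.
            // PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PIDCHANGED, pSdnpc->nProcessAddress) ;
        }
        break ;

        case SDN_PROCESSTERMINATED:
        {
            SDNPROCESSTERMINATED *pSdnpt = pBuffer ;

            if( ! _SpySrv_CheckRequestSize (nSize, sizeof(SDNPROCESSTERMINATED), p->dwCode) )
                break ;
            TRACE_INFO (TEXT("Process terminated 0x%08X\n"), pSdnpt->nProcessAddress) ;
            ProcList_Lock () ;
            ProcList_Remove (pSdnpt->nProcessAddress) ;
            ProcList_Unlock () ;
            PostMessage (g_hwndMain, WM_SPYNOTIFY, SN_PROCESSTERMINATED, pSdnpt->nProcessAddress) ;
        }
        break ;

        default:
            TRACE_WARNING (TEXT("Driver request not handled (code=%d)\n"), p->dwCode) ;
            break ;
    }

    TRACE_INFO (TEXT(" \\----ANS------/\n")) ;
    return nResponseSize ;
}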