NTSTATUS proc_del(CONST ULONG pid) { ULONG hash = CALC_HASH(pid); KIRQL irql; proc_entry_t *ote, *prev_ote; NTSTATUS status; KeAcquireSpinLock(&g_proc_hash_guard, &irql); prev_ote = NULL; for (ote = g_proc_hash[hash]; ote; ote = ote->next) { if (ote->pid == pid) break; prev_ote = ote; } if (!ote) { status = STATUS_OBJECT_NAME_NOT_FOUND; goto done; } if (prev_ote) prev_ote->next = ote->next; else g_proc_hash[hash] = ote->next; FreeProcessData((ProcessData *)ote->pProcInfo); free((ProcessData *)ote->pProcInfo); free(ote); status = STATUS_SUCCESS; done: KeReleaseSpinLock(&g_proc_hash_guard, irql); return status; }
NTSTATUS ot_del_fileobj(PFILE_OBJECT fileobj, int *fileobj_type) { ULONG hash = CALC_HASH(fileobj); KIRQL irql; struct ot_entry *ote, *prev_ote; NTSTATUS status; if (fileobj == NULL) return STATUS_INVALID_PARAMETER_1; KeAcquireSpinLock(&g_ot_hash_guard, &irql); prev_ote = NULL; for (ote = g_ot_hash[hash]; ote; ote = ote->next) { if (ote->fileobj == fileobj) break; prev_ote = ote; } if (ote == NULL) { KdPrint(("[tdi_fw] ot_del_fileobj: fileobj 0x%x not found!\n", fileobj)); status = STATUS_OBJECT_NAME_NOT_FOUND; goto done; } if (ote->type == FILEOBJ_ADDROBJ && ote->listen_entry != NULL) del_listen_obj(ote->listen_entry, FALSE); else if (ote->type == FILEOBJ_CONNOBJ && ote->conn_entry != NULL) { if (ote->ipproto == IPPROTO_TCP && ote->log_disconnect) log_disconnect(ote); del_tcp_conn_obj(ote->conn_entry, FALSE); } if (fileobj_type != NULL) *fileobj_type = ote->type; if (prev_ote != NULL) prev_ote->next = ote->next; else g_ot_hash[hash] = ote->next; if (ote->sid_a != NULL) free(ote->sid_a); free(ote); status = STATUS_SUCCESS; done: KeReleaseSpinLock(&g_ot_hash_guard, irql); return status; }
NTSTATUS proc_add(CONST ULONG pid, CONST ProcessData *pProcInfo, CONST TIME seen) { ULONG hash = CALC_HASH(pid); KIRQL irql; proc_entry_t *ote, *old_next; NTSTATUS status; int i; KeAcquireSpinLock(&g_proc_hash_guard, &irql); for (ote = g_proc_hash[hash]; ote; ote = ote->next) if (ote->pid == pid) break; if (!ote) { ote = (proc_entry_t *)malloc_np(sizeof(*ote)); if (!ote) { status = STATUS_NO_MEMORY; goto done; } memset(ote, 0, sizeof(*ote)); ote->next = g_proc_hash[hash]; g_proc_hash[hash] = ote; ote->pid = pid; } else { struct proc_entry *saved_next; ULONG saved_pid; DBGOUT(("proc_add: reuse pid 0x%x\n", pid)); // set all fields to zero except "next" and "fileobj" (cleanup listen/conn_entry if any) saved_next = ote->next; saved_pid = ote->pid; memset(ote, 0, sizeof(*ote)); ote->next = saved_next; ote->pid = saved_pid; } ote->lastseen = seen; ote->pProcInfo = pProcInfo; status = STATUS_SUCCESS; done: KeReleaseSpinLock(&g_proc_hash_guard, irql); RemoveUnseenProcesses(); return status; }
proc_entry_t *proc_find(CONST ULONG pid, KIRQL *irql) { ULONG hash = CALC_HASH(pid); proc_entry_t *ote; NTSTATUS status; if (irql) KeAcquireSpinLock(&g_proc_hash_guard, irql); for (ote = g_proc_hash[hash]; ote; ote = ote->next) if (ote->pid == pid) break; if (!ote) { if (irql) KeReleaseSpinLock(&g_proc_hash_guard, *irql); } return ote; }
struct ot_entry * ot_find_fileobj(PFILE_OBJECT fileobj, KIRQL *irql) { ULONG hash = CALC_HASH(fileobj); struct ot_entry *ote; if (fileobj == NULL) return NULL; if (irql != NULL) KeAcquireSpinLock(&g_ot_hash_guard, irql); for (ote = g_ot_hash[hash]; ote != NULL; ote = ote->next) if (ote->fileobj == fileobj) break; if (ote == NULL) { KdPrint(("[tdi_fw] ot_find_fileobj: fileobj 0x%x not found!\n", fileobj)); if (irql != NULL) KeReleaseSpinLock(&g_ot_hash_guard, *irql); } return ote; }
NTSTATUS ot_add_fileobj(PDEVICE_OBJECT devobj, PFILE_OBJECT fileobj, int fileobj_type, int ipproto, CONNECTION_CONTEXT conn_ctx) // must be called at PASSIVE_LEVEL! { ULONG hash = CALC_HASH(fileobj); KIRQL irql; struct ot_entry *ote; NTSTATUS status; int i; SID_AND_ATTRIBUTES *sid_a; ULONG sid_a_size; if (fileobj == NULL) return STATUS_INVALID_PARAMETER_2; // while we're at PASSIVE_LEVEL get SID & attributes sid_a = get_current_sid_a(&sid_a_size); KeAcquireSpinLock(&g_ot_hash_guard, &irql); for (ote = g_ot_hash[hash]; ote != NULL; ote = ote->next) if (ote->fileobj == fileobj) break; if (ote == NULL) { ote = (struct ot_entry *)malloc_np(sizeof(*ote)); if (ote == NULL) { KdPrint(("[tdi_fw] ot_add_fileobj: malloc_np\n")); status = STATUS_INSUFFICIENT_RESOURCES; goto done; } memset(ote, 0, sizeof(*ote)); ote->next = g_ot_hash[hash]; g_ot_hash[hash] = ote; ote->fileobj = fileobj; for (i = 0; i < MAX_EVENT; i++) ote->ctx[i].fileobj = fileobj; } else { KdPrint(("[tdi_fw] ot_add_fileobj: reuse fileobj 0x%x\n", fileobj)); ot_cleanup_ote(ote); } ote->signature = 'OTE '; ote->pid = (ULONG)PsGetCurrentProcessId(); // save SID & attributes ote->sid_a = sid_a; ote->sid_a_size = sid_a_size; sid_a = NULL; ote->devobj = devobj; ote->type = fileobj_type; ote->ipproto = ipproto; ote->conn_ctx = conn_ctx; status = STATUS_SUCCESS; done: // cleanup KeReleaseSpinLock(&g_ot_hash_guard, irql); if (sid_a != NULL) free(sid_a); return status; }