/*
 * Compare two counted strings for equality.
 * Returns non-zero when s1 and s2 have the same length and
 * RtlCompareString reports them equal (case folding controlled by
 * CaseInsensitive); zero otherwise.
 */
STDCALL int RtlEqualString(const struct ustring *s1,
			   const struct ustring *s2, int CaseInsensitive )
{
	/* Strings of different length cannot be equal; skip the compare. */
	int same_length = (s1->len == s2->len);

	return same_length ? (RtlCompareString(s1, s2, CaseInsensitive) == 0) : 0;
}
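/*
 * Process create/exit notification callback.
 *
 * Records the parent/process ids and the create flag in the device
 * extension, resolves the image name of hProcessId and, when a process
 * named net.exe, net1.exe or mmc.exe is being created, pulses
 * extension->ProcessEvent.
 *
 * Fixes over the original: the PsLookupProcessByProcessId status was not
 * checked (a failed lookup left pEProc uninitialised and it was then
 * dereferenced), and the EPROCESS reference was dropped before pName,
 * which points into that object, was read.
 */
VOID ProcessCallback(
	IN HANDLE  hParentId, 
	IN HANDLE  hProcessId, 
	IN BOOLEAN bCreate
	)
{
	PEPROCESS pEProc = NULL;
	CHAR *pName;   /* process image name, points into the EPROCESS */
	NTSTATUS status;
	BOOLEAN matches;

	ANSI_STRING Net1ExeName;
	ANSI_STRING NetExeName;
	ANSI_STRING MmcExeName;
	ANSI_STRING CurExeName;

	PDEVICE_EXTENSION extension;

	extension = g_pDeviceObject->DeviceExtension;
	extension->hPParentId  = hParentId;
	extension->hPProcessId = hProcessId;
	extension->bPCreate    = bCreate;

	/* The lookup can fail (e.g. the process is already gone); bail out
	 * instead of dereferencing an invalid pointer. */
	status = PsLookupProcessByProcessId(hProcessId, &pEProc);
	if (!NT_SUCCESS(status) || pEProc == NULL)
		return;

#if WINVER >= 0x0501
	pName = (CHAR*)PsGetProcessImageFileName(pEProc); /* get process name */
#else
	/* Hard-coded EPROCESS.ImageFileName offset; build-specific — TODO confirm
	 * against the targeted kernel before relying on it. */
	pName = (CHAR*)pEProc + 0x1FC;
#endif

	DbgPrint ("Create Process Name = %s.\n", pName);

	RtlInitAnsiString(&CurExeName, pName);
	RtlInitAnsiString(&Net1ExeName, "net1.exe");
	RtlInitAnsiString(&NetExeName, "net.exe");
	RtlInitAnsiString(&MmcExeName, "mmc.exe");

	matches = (RtlCompareString(&NetExeName, &CurExeName, TRUE) == 0 ||
		   RtlCompareString(&MmcExeName, &CurExeName, TRUE) == 0 ||
		   RtlCompareString(&Net1ExeName, &CurExeName, TRUE) == 0);

	/* All reads of pName are done; the reference may now be released. */
	ObDereferenceObject(pEProc);

	if (bCreate && matches) {
		KeSetEvent(extension->ProcessEvent, 0, FALSE);
		KeClearEvent(extension->ProcessEvent);
	}
}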
/*
 * Set *pbl to TRUE when pimagename equals the NUL-terminated name pstr,
 * compared case-insensitively. The flag is only ever set, never cleared,
 * so callers can accumulate matches over several names.
 */
void KillCompare(PANSI_STRING pimagename,PCHAR pstr,PBOOLEAN pbl)
{
	ANSI_STRING candidate;

	RtlInitAnsiString(&candidate, pstr);
	if (RtlCompareString(pimagename, &candidate, TRUE) != 0)
		return;

	*pbl = TRUE;
}
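/*
 * Look up an exported function by name in a PE image mapped at BaseAddress.
 *
 * lpFunctionName: NUL-terminated export name to find (compared
 *                 case-insensitively, as in the original).
 * BaseAddress:    base of the mapped image (DOS header).
 * Returns the function's address, or NULL when the name is not exported
 * or the export entry is out of range.
 *
 * Fixes over the original: the loop ran over NumberOfFunctions, but the
 * name and name-ordinal tables only have NumberOfNames entries, so it
 * could read past them; and the name-ordinal table holds unbiased indexes
 * into AddressOfFunctions, so adding Base-1 picked the wrong slot for any
 * image whose export Base is not 1. The index is now bounds-checked too.
 */
PVOID GetSectionDllFuncAddr(IN PCHAR lpFunctionName, IN PVOID BaseAddress) 
{
	PVOID functionAddress = NULL;
	PIMAGE_DOS_HEADER dosheader;
	PIMAGE_OPTIONAL_HEADER opthdr;
	PIMAGE_EXPORT_DIRECTORY pExportTable;
	PDWORD arrayOfFunctionAddresses;
	PDWORD arrayOfFunctionNames;
	PWORD arrayOfFunctionOrdinals;
	STRING ntFunctionName, ntFunctionNameSearch;
	PCHAR functionName;
	DWORD functionIndex;
	ULONG x;

	ASSERT(lpFunctionName&&BaseAddress);
	dosheader = (PIMAGE_DOS_HEADER)BaseAddress;
	/* IMAGE_NT_HEADERS = Signature (4) + IMAGE_FILE_HEADER (20); the optional
	 * header therefore starts 24 bytes past e_lfanew. */
	opthdr =(PIMAGE_OPTIONAL_HEADER) ((PBYTE)BaseAddress+dosheader->e_lfanew+24);
	pExportTable =(PIMAGE_EXPORT_DIRECTORY)((PBYTE)BaseAddress + opthdr->DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT]. VirtualAddress);
	/* The export tables are stored as RVAs; convert each to a pointer. */
	arrayOfFunctionAddresses = (PDWORD)( (PBYTE)BaseAddress + pExportTable->AddressOfFunctions);
	arrayOfFunctionNames = (PDWORD)( (PBYTE)BaseAddress + pExportTable->AddressOfNames);
	arrayOfFunctionOrdinals = (PWORD)( (PBYTE)BaseAddress + pExportTable->AddressOfNameOrdinals);
	RtlInitString(&ntFunctionNameSearch, lpFunctionName);

	/* AddressOfNames and AddressOfNameOrdinals are parallel arrays of
	 * NumberOfNames entries (NumberOfFunctions sizes the address table). */
	for (x = 0; x < pExportTable->NumberOfNames; x++) {
		functionName = (PCHAR)( (PBYTE)BaseAddress + arrayOfFunctionNames[x]);
		RtlInitString(&ntFunctionName, functionName);
		if (RtlCompareString(&ntFunctionName, &ntFunctionNameSearch, TRUE) != 0)
			continue;

		/* The name-ordinal entry is already a zero-based index into
		 * AddressOfFunctions; Base is only added when an ordinal is shown
		 * to the user, so no +Base-1 adjustment belongs here. */
		functionIndex = arrayOfFunctionOrdinals[x];
		if (functionIndex < pExportTable->NumberOfFunctions)
			functionAddress = (PBYTE)BaseAddress + arrayOfFunctionAddresses[functionIndex];
		break;
	}
	return functionAddress;
}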
/*
 * Read the remote endpoint's "state" key from xenstore and map it onto
 * enum v2v_endpoint_state.
 *
 * On success *state holds the parsed value and STATUS_SUCCESS is returned.
 * If the xenstore read fails its status is returned and *state is
 * v2v_state_unknown; if the string is not one of the known names the
 * result is STATUS_DATA_ERROR with *state still v2v_state_unknown.
 */
static NTSTATUS
v2v_get_remote_state_internal(xenbus_transaction_t xbt,
                              struct v2v_channel *channel,
                              enum v2v_endpoint_state *state)
{
    static const struct {
        const char *name;
        enum v2v_endpoint_state value;
    } state_names[] = {
        { "unready",       v2v_state_unready       },
        { "listening",     v2v_state_listening     },
        { "connected",     v2v_state_connected     },
        { "disconnecting", v2v_state_disconnecting },
        { "disconnected",  v2v_state_disconnected  },
        { "crashed",       v2v_state_crashed       },
    };
    NTSTATUS status;
    char *raw;
    STRING actual, expected;
    unsigned idx;

    XM_ASSERT(channel != NULL);
    XM_ASSERT(state != NULL);

    *state = v2v_state_unknown;

    status = v2v_xenstore_readv_string(&raw,
                                       xbt,
                                       channel->remote_prefix,
                                       "state",
                                       NULL);
    if (!NT_SUCCESS(status))
        return status;

    RtlInitString(&actual, raw);

    /* Exact (case-sensitive) match against the known state names, first hit wins. */
    for (idx = 0; idx < sizeof state_names / sizeof state_names[0]; idx++) {
        if (RtlCompareString(&actual,
                             v2v_make_cs(&expected, state_names[idx].name),
                             FALSE) == 0) {
            *state = state_names[idx].value;
            break;
        }
    }

    ExFreePoolWithTag(raw, V2V_TAG);

    return (*state == v2v_state_unknown) ? STATUS_DATA_ERROR : STATUS_SUCCESS;
}
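/**
 * @name TestMessageHandler
 *
 * Test message handler routine: checks each IOCTL the user-mode side sends
 * against its expected buffer contents and lengths. Every control code is
 * expected exactly once (tracked per case via TimesReceived).
 *
 * @param DeviceObject
 *        Device Object. Only reported in the unknown-message failure text.
 * @param ControlCode
 *        IOCTL code selecting which expectation to check (IOCTL_NOTIFY,
 *        IOCTL_SEND_STRING or IOCTL_SEND_MYSTRUCT).
 * @param Buffer
 *        Input/output buffer supplied by the caller; may be NULL.
 * @param InLength
 *        Number of input bytes available in Buffer.
 * @param OutLength
 *        On entry the output capacity of Buffer in bytes; on return the
 *        number of bytes written (only IOCTL_SEND_MYSTRUCT writes anything).
 *
 * @return Status, always STATUS_SUCCESS; failures are reported through ok().
 */
static
NTSTATUS
TestMessageHandler(
    IN PDEVICE_OBJECT DeviceObject,
    IN ULONG ControlCode,
    IN PVOID Buffer OPTIONAL,
    IN SIZE_T InLength,
    IN OUT PSIZE_T OutLength)
{
    NTSTATUS Status = STATUS_SUCCESS;

    switch (ControlCode)
    {
        case IOCTL_NOTIFY:
        {
            static int TimesReceived = 0;

            ++TimesReceived;
            ok(TimesReceived == 1, "Received control code 1 %d times\n", TimesReceived);
            ok_eq_pointer(Buffer, NULL);
            ok_eq_ulong((ULONG)InLength, 0LU);
            ok_eq_ulong((ULONG)*OutLength, 0LU);
            break;
        }
        case IOCTL_SEND_STRING:
        {
            static int TimesReceived = 0;
            ANSI_STRING ExpectedString = RTL_CONSTANT_STRING("yay");
            ANSI_STRING ReceivedString;

            ++TimesReceived;
            ok(TimesReceived == 1, "Received control code 2 %d times\n", TimesReceived);
            ok(Buffer != NULL, "Buffer is NULL\n");
            ok_eq_ulong((ULONG)InLength, (ULONG)ExpectedString.Length);
            ok_eq_ulong((ULONG)*OutLength, 0LU);
            /* Mirror the MYSTRUCT case: a NULL Buffer would be dereferenced by
             * RtlCompareString, and Length is a USHORT, so only build the
             * counted string when the input actually fits. */
            if (!skip(Buffer && InLength <= MAXUSHORT, "Cannot read from buffer!\n"))
            {
                ReceivedString.MaximumLength = ReceivedString.Length = (USHORT)InLength;
                ReceivedString.Buffer = Buffer;
                ok(RtlCompareString(&ExpectedString, &ReceivedString, FALSE) == 0, "Received string: %Z\n", &ReceivedString);
            }
            break;
        }
        case IOCTL_SEND_MYSTRUCT:
        {
            static int TimesReceived = 0;
            MY_STRUCT ExpectedStruct = { 123, ":D" };
            MY_STRUCT ResultStruct = { 456, "!!!" };

            ++TimesReceived;
            ok(TimesReceived == 1, "Received control code 3 %d times\n", TimesReceived);
            ok(Buffer != NULL, "Buffer is NULL\n");
            ok_eq_ulong((ULONG)InLength, (ULONG)sizeof ExpectedStruct);
            ok_eq_ulong((ULONG)*OutLength, 2LU * sizeof ExpectedStruct);
            if (!skip(Buffer && InLength >= sizeof ExpectedStruct, "Cannot read from buffer!\n"))
                ok(RtlCompareMemory(&ExpectedStruct, Buffer, sizeof ExpectedStruct) == sizeof ExpectedStruct, "Buffer does not contain expected values\n");

            /* The reply is written after the input copy, hence the 2x capacity check. */
            if (!skip(Buffer && *OutLength >= 2 * sizeof ExpectedStruct, "Cannot write to buffer!\n"))
            {
                RtlCopyMemory((PCHAR)Buffer + sizeof ExpectedStruct, &ResultStruct, sizeof ResultStruct);
                *OutLength = 2 * sizeof ExpectedStruct;
            }
            break;
        }
        default:
            ok(0, "Got an unknown message! DeviceObject=%p, ControlCode=%lu, Buffer=%p, In=%lu, Out=%lu bytes\n",
                    DeviceObject, ControlCode, Buffer, InLength, *OutLength);
            break;
    }

    return Status;
}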
/*
 * Initialise the protection module.
 *
 * Sets up the ProtectObject hash table and its spin lock, locates the
 * csrss.exe EPROCESS (image name CSRSS.EXE whose full path ends in
 * SYSTEM32\CSRSS.EXE) and stores it in CsrssProcess, then installs the
 * ObReferenceObjectByHandle hook. ProtectInit mirrors the hook result.
 *
 * Returns TRUE when csrss.exe was found and the hook was installed,
 * FALSE otherwise.
 */
BOOLEAN
ProtectInitialize()
{
    PObjectIdTable processTable;
    PProcessNameInfo nameInfo;
    ANSI_STRING imageName;
    ANSI_STRING fullPath;
    ANSI_STRING csrssPath;
    ANSI_STRING csrssName;
    BOOLEAN found = FALSE;
    BOOLEAN hooked;
    ULONG idx;

    KdPrint(("enter ProtectInitialize\n"));
    HashTableInitialize(&ProtectObject);
    KeInitializeSpinLock(&ProtectObjectLock);

    /* Find the EPROCESS of the csrss.exe process. */
    processTable = ProcessEnum(FALSE);
    if (processTable == NULL)
        return FALSE;

    RtlInitAnsiString(&csrssName, "CSRSS.EXE");
    RtlInitAnsiString(&csrssPath, "SYSTEM32\\CSRSS.EXE");

    for (idx = 0; idx < processTable->Count && !found; idx++) {
        nameInfo = QueryProcessName((PEPROCESS)processTable->Entry[idx].Object);
        if (nameInfo == NULL)
            continue;

        RtlInitAnsiString(&imageName, nameInfo->ImageName);
        RtlInitAnsiString(&fullPath, nameInfo->FullPath);
        if (RtlCompareString(&imageName, &csrssName, TRUE) == 0 &&
            fullPath.Length > csrssPath.Length)
        {
            /* Compare only the trailing SYSTEM32\CSRSS.EXE part of the path. */
            fullPath.Buffer += fullPath.Length - csrssPath.Length;
            fullPath.Length = fullPath.MaximumLength = csrssPath.Length;
            if (RtlCompareString(&fullPath, &csrssPath, TRUE) == 0) {
                CsrssProcess = (PEPROCESS)processTable->Entry[idx].Object;
                found = TRUE;
            }
        }
        ExFreePool(nameInfo);
    }
    ExFreePool(processTable);

    if (!found)
        return FALSE;

    /* Hook the function. */
    hooked = HookFunction(ObReferenceObjectByHandle,
                          FakeObReferenceObjectByHandle,
                          (PUCHAR)ObReferenceObjectByHandleJmpBack);
    ProtectInit = hooked ? TRUE : FALSE;

    return hooked;
}
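/*
 * Driver entry point.
 *
 * Creates \Device\hsbsys0 and its \DosDevices link, installs the dispatch
 * table, selects the EPROCESS field offsets for the running OS version and
 * starts the KillProcess system thread.
 *
 * Fixes over the original: the IoCreateSymbolicLink, RtlGetVersion and
 * PsCreateSystemThread results were never checked, the thread handle was
 * leaked, and an unrecognised OS version silently continued with
 * eprooffset left unset. Each of those now fails DriverEntry cleanly.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)
{
	UNICODE_STRING DeviceName,Win32Device;
	PDEVICE_OBJECT DeviceObject = NULL;
	NTSTATUS status;
	unsigned i;
	HANDLE thhandle;
	RTL_OSVERSIONINFOW osv;
	char pszstr[512];
	ANSI_STRING str_a0;
	ANSI_STRING str_a1;
	BOOLEAN knownVersion = FALSE;

	UNREFERENCED_PARAMETER(RegistryPath);

	RtlInitUnicodeString(&DeviceName,L"\\Device\\hsbsys0");
	RtlInitUnicodeString(&Win32Device,L"\\DosDevices\\hsbsys0");

	for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
		DriverObject->MajorFunction[i] = hsbsysDefaultHandler;

	DriverObject->MajorFunction[IRP_MJ_CREATE] = hsbsysCreateClose;
	DriverObject->MajorFunction[IRP_MJ_CLOSE] = hsbsysCreateClose;
	DriverObject->DriverUnload = hsbsysUnload;

	status = IoCreateDevice(DriverObject,
							0,
							&DeviceName,
							FILE_DEVICE_UNKNOWN,
							0,
							FALSE,
							&DeviceObject);
	if (!NT_SUCCESS(status))
		return status;
	if (!DeviceObject)
		return STATUS_UNEXPECTED_IO_ERROR;

	DeviceObject->Flags |= DO_DIRECT_IO;
	DeviceObject->AlignmentRequirement = FILE_WORD_ALIGNMENT;

	status = IoCreateSymbolicLink(&Win32Device, &DeviceName);
	if (!NT_SUCCESS(status)) {
		/* Without the Win32 name nothing can open the device; undo it. */
		IoDeleteDevice(DeviceObject);
		return status;
	}

	RtlZeroMemory(pszstr, sizeof pszstr);
	RtlZeroMemory(&osv, sizeof osv);
	osv.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
	status = RtlGetVersion(&osv);
	if (NT_SUCCESS(status)) {
		/* The offsets below are keyed on major.minor only; they are build
		 * specific (the comments name a service pack) — TODO confirm they
		 * hold for every build that reports the same major.minor. */
		RtlStringCbPrintfA(pszstr, sizeof pszstr, "%lu.%lu", osv.dwMajorVersion, osv.dwMinorVersion);
		RtlInitAnsiString(&str_a0, pszstr);

		RtlInitAnsiString(&str_a1, "5.1");
		if (RtlCompareString(&str_a0, &str_a1, TRUE) == 0) //xpsp3
		{
			eprooffset.ImageFileName=0x174;
			eprooffset.SE_AUDIT_PROCESS_CREATION_INFO=0x1f4;
			eprooffset.ActiveProcessLinks=0x088;
			knownVersion = TRUE;
		}
		RtlInitAnsiString(&str_a1, "5.2");
		if (RtlCompareString(&str_a0, &str_a1, TRUE) == 0) //2003
		{
			eprooffset.ImageFileName=0x164;
			eprooffset.SE_AUDIT_PROCESS_CREATION_INFO=0x1e4;
			eprooffset.ActiveProcessLinks=0x098;
			knownVersion = TRUE;
		}
		RtlInitAnsiString(&str_a1, "6.1");
		if (RtlCompareString(&str_a0, &str_a1, TRUE) == 0) //win7
		{
			eprooffset.ImageFileName=0x16c;
			eprooffset.SE_AUDIT_PROCESS_CREATION_INFO=0x1ec;
			eprooffset.ActiveProcessLinks=0x0b8;
			knownVersion = TRUE;
		}
	}
	if (!knownVersion) {
		/* eprooffset would be left unset and KillProcess would walk EPROCESS
		 * with garbage offsets; refuse to load rather than crash later. */
		IoDeleteSymbolicLink(&Win32Device);
		IoDeleteDevice(DeviceObject);
		return STATUS_NOT_SUPPORTED;
	}

	status = PsCreateSystemThread(&thhandle, 0, NULL, NULL, NULL, KillProcess, NULL);
	if (!NT_SUCCESS(status)) {
		IoDeleteSymbolicLink(&Win32Device);
		IoDeleteDevice(DeviceObject);
		return status;
	}
	/* The thread keeps running on its own; the handle is not needed and
	 * would otherwise leak for the lifetime of the driver. */
	ZwClose(thhandle);

	DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
	return STATUS_SUCCESS;
}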