_Use_decl_annotations_ NTSTATUS ProcessObserverUnload() { PLIST_ENTRY pEntry; NTSTATUS Status; OpenProcessCallbacksUnload(); Status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyRoutine, TRUE); if (!NT_SUCCESS(Status)) { return Status; } WLockResourceList(&ProcessRuleList); for ( pEntry = ProcessRuleList.ListEntry.Flink; pEntry != &ProcessRuleList.ListEntry; ) { PPROCESS_RULE_LIST_ENTRY pCurrentEntry = CONTAINING_RECORD(pEntry, PROCESS_RULE_LIST_ENTRY, ListEntry); pEntry = pEntry->Flink; RemoveEntryList(&pCurrentEntry->ListEntry); PROCESS_OBSERVER_FREE(pCurrentEntry); } WUnlockResourceList(&ProcessRuleList); ExDeleteResourceLite(&ProcessRuleList.Resource); DEBUG_LOG("ProcessObserverUnload completed"); return Status; }
VOID UnLoadProcessRoutine() { if (g_isProcessRoutine)//如果回调函数存在 { PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)MyCreateProcessNotifyEx, TRUE); g_isProcessRoutine = 0; } KdPrint(("UnLoadProcessRoutine")); }
NTSTATUS CreateProcessRoutine() { NTSTATUS status = STATUS_SUCCESS; status = PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)MyCreateProcessNotifyEx, FALSE); if (status == STATUS_SUCCESS) { g_isProcessRoutine = 1;//表示创建回调函数成功 } KdPrint(("PsSetCreateProcessNotifyRoutineEx return: %x", status)); return status; }
VOID TdDeviceUnload ( _In_ PDRIVER_OBJECT DriverObject ) { NTSTATUS Status = STATUS_SUCCESS; UNICODE_STRING DosDevicesLinkName = RTL_CONSTANT_STRING (TD_DOS_DEVICES_LINK_NAME); DbgPrintEx (DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "ObCallbackTest: TdDeviceUnload\n"); // // Unregister process notify routines. // if (TdProcessNotifyRoutineSet2 == TRUE) { Status = PsSetCreateProcessNotifyRoutineEx ( TdCreateProcessNotifyRoutine2, TRUE ); TD_ASSERT (Status == STATUS_SUCCESS); TdProcessNotifyRoutineSet2 = FALSE; } // remove filtering and remove any OB callbacks TdbProtectName = FALSE; Status = TdDeleteProtectNameCallback(); TD_ASSERT (Status == STATUS_SUCCESS); // // Delete the link from our device name to a name in the Win32 namespace. // Status = IoDeleteSymbolicLink (&DosDevicesLinkName); if (Status != STATUS_INSUFFICIENT_RESOURCES) { // // IoDeleteSymbolicLink can fail with STATUS_INSUFFICIENT_RESOURCES. // TD_ASSERT (NT_SUCCESS (Status)); } // // Delete our device object. // IoDeleteDevice (DriverObject->DeviceObject); }
NTSTATUS DriverEntry ( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { NTSTATUS status = STATUS_UNSUCCESSFUL; OB_OPERATION_REGISTRATION ObOperations[] = { {PsProcessType, OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE, ObCallbackPreProcess, ObCallbackPostProcess}, {PsThreadType, OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE, ObCallbackPreThread, ObCallbackPostThread} }; OB_CALLBACK_REGISTRATION ObRegistration = { OB_FLT_REGISTRATION_VERSION, sizeof(ObOperations) / sizeof(OB_OPERATION_REGISTRATION), {sizeof(L"320400") - sizeof(WCHAR), sizeof(L"320400"), L"320400"}, &Globals, ObOperations }; PVOID RegistrationHandle = NULL; UNREFERENCED_PARAMETER( RegistryPath ); RtlZeroMemory( &Globals, sizeof(Globals) ); Globals.m_FilterDriverObject = DriverObject; status = ObRegisterCallbacks( &ObRegistration, &RegistrationHandle ); if (NT_SUCCESS( status )) { status = PsSetCreateProcessNotifyRoutineEx( cbCreateNotifyEx, FALSE ); if (NT_SUCCESS( status )) Globals.m_RegistrationHandle = RegistrationHandle; else { ObUnRegisterCallbacks( RegistrationHandle ); DbgBreakPoint(); } } else { DbgBreakPoint(); } return status; }
void NTAPI OnUserConnect( IN HANDLE processId, IN PVOID pContext ) { UNREFERENCED_PARAMETER(pContext); DbgPrint("[%s:%d] User Process ID : %d\n", _FN_, _LN_, processId); NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(KnProcessNotifyRoutineEx, FALSE); if (!NT_SUCCESS(status)) { DbgPrint("[%s:%d] Error on PsSetCreateProcessNotifyRoutineEx(FALSE). status : 0x%X\n", _FN_, _LN_, status); } }
_Use_decl_annotations_ NTSTATUS ProcessObserverInitialize() { NTSTATUS Status; InitializeResourceList(&ProcessRuleList); Status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyRoutine, FALSE); if (!NT_SUCCESS(Status)) { return Status; } Status = OpenProcessCallbacksInitialize(); if (!NT_SUCCESS(Status)) { return Status; } DEBUG_LOG("ProcessObserverInitialize completed"); return Status; }
/////////////////////////////////////////////////////////////////////////////// /// /// Handle driver unloading. All this driver needs to do /// is to delete the device object and the symbolic link between our /// device name and the Win32 visible name. /// /////////////////////////////////////////////////////////////////////////////// VOID TdDeviceUnload( _In_ PDRIVER_OBJECT DriverObject ) { NTSTATUS Status = STATUS_SUCCESS; UNICODE_STRING DosDevicesLinkName = RTL_CONSTANT_STRING(QD_DOS_DEVICES_LINK_NAME); DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "QuietDragon: TdDeviceUnload\n"); // Unregister process notify routines. if (gProcessNotifyRoutine_isSet == TRUE) { Status = PsSetCreateProcessNotifyRoutineEx( MyCreateProcessNotifyRoutine, TRUE ); TD_ASSERT(Status == STATUS_SUCCESS); gProcessNotifyRoutine_isSet = FALSE; } // TODO Need to clean up lists and locks // Free allocated mem PQD_COMM_CONTROL_DEVICE_EXTENSION controlExt = (PQD_COMM_CONTROL_DEVICE_EXTENSION)g_CommDeviceObject->DeviceExtension; ExFreePoolWithTag(controlExt->DecisionData, 'SRdd'); // Delete the link from our device name to a name in the Win32 namespace. Status = IoDeleteSymbolicLink(&DosDevicesLinkName); if (Status != STATUS_INSUFFICIENT_RESOURCES) { // IoDeleteSymbolicLink can fail with STATUS_INSUFFICIENT_RESOURCES. TD_ASSERT(NT_SUCCESS(Status)); } // Delete our device object. IoDeleteDevice(DriverObject->DeviceObject); }
RBOOL collector_1_deinitialize ( ) { RBOOL isSuccess = FALSE; RU32 status = 0; status = PsSetCreateProcessNotifyRoutineEx( CreateProcessNotifyEx, TRUE ); if( NT_SUCCESS( status ) ) { isSuccess = TRUE; } else { rpal_debug_kernel( "Failed to deinitialize: 0x%08X", status ); } return isSuccess; }
/////////////////////////////////////////////////////////////////////////////// /// /// Driver entry /// /////////////////////////////////////////////////////////////////////////////// NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) { NTSTATUS Status; UNICODE_STRING NtDeviceName = RTL_CONSTANT_STRING(QD_NT_DEVICE_NAME); UNICODE_STRING DosDevicesLinkName = RTL_CONSTANT_STRING(QD_DOS_DEVICES_LINK_NAME); BOOLEAN SymLinkCreated = FALSE; PQD_COMM_CONTROL_DEVICE_EXTENSION controlExt; UNREFERENCED_PARAMETER(RegistryPath); // Request NX Non-Paged Pool when available ExInitializeDriverRuntime(DrvRtPoolNxOptIn); DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "QuietDragon: DriverEntry: Driver loaded\n"); // // Initialize globals. // // // Create our device object. // // TODO Consider using IoCreateDeviceSecure Status = IoCreateDevice( DriverObject, // pointer to driver object sizeof(QD_COMM_CONTROL_DEVICE_EXTENSION), // device extension size &NtDeviceName, // device name FILE_DEVICE_UNKNOWN, // device type 0, // device characteristics FALSE, // not exclusive &g_CommDeviceObject); // returned device object pointer if (!NT_SUCCESS(Status)) { goto Exit; } TD_ASSERT(g_CommDeviceObject == DriverObject->DeviceObject); // // Set dispatch routines. // DriverObject->MajorFunction[IRP_MJ_CREATE] = TdDeviceCreate; DriverObject->MajorFunction[IRP_MJ_CLOSE] = TdDeviceClose; DriverObject->MajorFunction[IRP_MJ_CLEANUP] = TdDeviceCleanup; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = TdDeviceControl; DriverObject->DriverUnload = TdDeviceUnload; // // Set up the device extension // controlExt = (PQD_COMM_CONTROL_DEVICE_EXTENSION)g_CommDeviceObject->DeviceExtension; controlExt->MagicNumber = QD_COMM_CONTROL_EXTENSION_MAGIC_NUMBER; InitializeListHead(&controlExt->ProcessQueue); ExInitializeFastMutex(&controlExt->ProcessQueueLock); InitializeListHead(&controlExt->RequestQueue); ExInitializeFastMutex(&controlExt->RequestQueueLock); ExInitializeFastMutex(&controlExt->DecisionDataLock); controlExt->DecisionData = (PCONTROL_PROC_INTERNAL)ExAllocatePoolWithTag(NonPagedPool, sizeof(CONTROL_PROC_INTERNAL)*QD_MAX_PROCS, 'SRdd'); RtlZeroMemory(controlExt->DecisionData, sizeof(CONTROL_PROC_INTERNAL)*QD_MAX_PROCS); // Init DecisionData for (USHORT i = 0; i < QD_MAX_PROCS; i++) { PCONTROL_PROC_INTERNAL control_proc = &(controlExt->DecisionData[i]); control_proc->StartTime.QuadPart = 0; KeInitializeEvent(&(control_proc->DecisionEvent), NotificationEvent, FALSE); } // // Create a link in the Win32 namespace. // Status = IoCreateSymbolicLink(&DosDevicesLinkName, &NtDeviceName); if (!NT_SUCCESS(Status)) { goto Exit; } SymLinkCreated = TRUE; // // Set process create routines. // Status = PsSetCreateProcessNotifyRoutineEx( MyCreateProcessNotifyRoutine, FALSE ); if (!NT_SUCCESS(Status)) { DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "QuietDragon: DriverEntry: PsSetCreateProcessNotifyRoutineEx returned 0x%x\n", Status); goto Exit; } gProcessNotifyRoutine_isSet = TRUE; Exit: if (!NT_SUCCESS(Status)) { if (gProcessNotifyRoutine_isSet == TRUE) { Status = PsSetCreateProcessNotifyRoutineEx( MyCreateProcessNotifyRoutine, TRUE ); TD_ASSERT(Status == STATUS_SUCCESS); gProcessNotifyRoutine_isSet = FALSE; } if (SymLinkCreated == TRUE) { IoDeleteSymbolicLink(&DosDevicesLinkName); } if (g_CommDeviceObject != NULL) { IoDeleteDevice(g_CommDeviceObject); } } return Status; }
NTSTATUS DriverEntry ( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) { NTSTATUS Status; UNICODE_STRING NtDeviceName = RTL_CONSTANT_STRING (TD_NT_DEVICE_NAME); UNICODE_STRING DosDevicesLinkName = RTL_CONSTANT_STRING (TD_DOS_DEVICES_LINK_NAME); PDEVICE_OBJECT Device = NULL; BOOLEAN SymLinkCreated = FALSE; USHORT CallbackVersion; UNREFERENCED_PARAMETER (RegistryPath); DbgPrintEx (DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ObCallbackTest: DriverEntry: Driver loaded. Use ed nt!Kd_IHVDRIVER_Mask f (or 7) to enable more traces\n"); CallbackVersion = ObGetFilterVersion(); DbgPrintEx (DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "ObCallbackTest: DriverEntry: Callback version 0x%hx\n", CallbackVersion); // // Initialize globals. // KeInitializeGuardedMutex (&TdCallbacksMutex); // // Create our device object. // Status = IoCreateDevice ( DriverObject, // pointer to driver object 0, // device extension size &NtDeviceName, // device name FILE_DEVICE_UNKNOWN, // device type 0, // device characteristics FALSE, // not exclusive &Device); // returned device object pointer if (! NT_SUCCESS(Status)) { goto Exit; } TD_ASSERT (Device == DriverObject->DeviceObject); // // Set dispatch routines. // DriverObject->MajorFunction[IRP_MJ_CREATE] = TdDeviceCreate; DriverObject->MajorFunction[IRP_MJ_CLOSE] = TdDeviceClose; DriverObject->MajorFunction[IRP_MJ_CLEANUP] = TdDeviceCleanup; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = TdDeviceControl; DriverObject->DriverUnload = TdDeviceUnload; // // Create a link in the Win32 namespace. // Status = IoCreateSymbolicLink (&DosDevicesLinkName, &NtDeviceName); if (! NT_SUCCESS(Status)) { goto Exit; } SymLinkCreated = TRUE; // // Set process create routines. // Status = PsSetCreateProcessNotifyRoutineEx ( TdCreateProcessNotifyRoutine2, FALSE ); if (! NT_SUCCESS(Status)) { DbgPrintEx (DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "ObCallbackTest: DriverEntry: PsSetCreateProcessNotifyRoutineEx(2) returned 0x%x\n", Status); goto Exit; } TdProcessNotifyRoutineSet2 = TRUE; Exit: if (!NT_SUCCESS (Status)) { if (TdProcessNotifyRoutineSet2 == TRUE) { Status = PsSetCreateProcessNotifyRoutineEx ( TdCreateProcessNotifyRoutine2, TRUE ); TD_ASSERT (Status == STATUS_SUCCESS); TdProcessNotifyRoutineSet2 = FALSE; } if (SymLinkCreated == TRUE) { IoDeleteSymbolicLink (&DosDevicesLinkName); } if (Device != NULL) { IoDeleteDevice (Device); } } return Status; }