/// <summary> /// Starts filtering process and thread access rights. /// </summary> NTSTATUS HsRegisterProtector() { NTSTATUS status; OB_CALLBACK_REGISTRATION callbackRegistration; OB_OPERATION_REGISTRATION operationRegistration[2]; operationRegistration[0].ObjectType = PsProcessType; operationRegistration[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; operationRegistration[0].PreOperation = HspObPreCallback; operationRegistration[0].PostOperation = NULL; operationRegistration[1].ObjectType = PsThreadType; operationRegistration[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; operationRegistration[1].PreOperation = HspObPreCallback; operationRegistration[1].PostOperation = NULL; callbackRegistration.Version = OB_FLT_REGISTRATION_VERSION; callbackRegistration.RegistrationContext = NULL; callbackRegistration.OperationRegistrationCount = ARRAYSIZE(operationRegistration); callbackRegistration.OperationRegistration = operationRegistration; RtlInitUnicodeString(&callbackRegistration.Altitude, L"40100.7"); FltInitializePushLock(&ObCallbackInstance.ProtectedProcessLock); RtlInitializeGenericTableAvl( &ObCallbackInstance.ProtectedProcesses, HspCompareProtectedProcess, HsAvlAllocate, HsAvlFree, NULL); status = ObRegisterCallbacks(&callbackRegistration, &ObCallbackInstance.RegistrationHandle); if (!NT_SUCCESS(status)) FltDeletePushLock(&ObCallbackInstance.ProtectedProcessLock); return status; }
/// Constructs an empty FilterBoxList: m_List becomes an empty list head and
/// m_AccessLock is initialised as a filter-manager push lock.
///
/// NOTE(review): m_AccessLock presumably serialises access to m_List, and a
/// matching FltDeletePushLock is expected at teardown; neither is visible
/// in this excerpt, so confirm against the rest of the class.
FilterBoxList::FilterBoxList()
{
    // The two initialisations do not depend on each other.
    InitializeListHead(&m_List);
    FltInitializePushLock(&m_AccessLock);
}
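/**
 * Allocates a minifilter context of the requested type and initialises it.
 *
 * Every context is zeroed after allocation. Stream and file contexts get
 * their push lock initialised; transaction contexts get an empty delete
 * notify list and a separately allocated, initialised ERESOURCE; instance
 * contexts are only zeroed.
 *
 * @param ContextType  FLT_STREAM_CONTEXT, FLT_FILE_CONTEXT,
 *                     FLT_TRANSACTION_CONTEXT or FLT_INSTANCE_CONTEXT.
 * @param Context      Receives the new context on success. On any failure it
 *                     is set to NULL, so a caller can never pick up a pointer
 *                     to a context that was already released.
 *
 * @return The status from FltAllocateContext, STATUS_INSUFFICIENT_RESOURCES
 *         if the transaction ERESOURCE cannot be allocated, or
 *         STATUS_INVALID_PARAMETER for an unsupported context type.
 */
static
NTSTATUS
UcaAllocateContext(_In_ FLT_CONTEXT_TYPE ContextType,
                   _Outptr_ PFLT_CONTEXT *Context)
{
    PUCA_TRANSACTION_CONTEXT TransactionContext;
    NTSTATUS Status;

    PAGED_CODE();

    switch (ContextType)
    {
        case FLT_STREAM_CONTEXT:
        case FLT_FILE_CONTEXT:

            /*
             * Stream and file contexts are both sized and initialised as
             * UCA_STREAM_CONTEXT.
             * NOTE(review): confirm there is no separate file-context
             * structure that the FLT_FILE_CONTEXT case should be using.
             */
            Status = FltAllocateContext(DriverData.FilterHandle,
                                        ContextType,
                                        sizeof(UCA_STREAM_CONTEXT),
                                        UCA_CONTEXT_POOL_TYPE,
                                        Context);
            if (NT_SUCCESS(Status))
            {
                RtlZeroMemory(*Context, sizeof(UCA_STREAM_CONTEXT));

                /*
                 * NOTE(review): the push lock lives inside the context, so it
                 * inherits UCA_CONTEXT_POOL_TYPE. Push-lock storage is
                 * documented as needing nonpaged pool; confirm the pool type.
                 */
                FltInitializePushLock(&((PUCA_STREAM_CONTEXT)*Context)->Lock);
            }
            break;

        case FLT_TRANSACTION_CONTEXT:

            /* Allocate transaction context */
            Status = FltAllocateContext(DriverData.FilterHandle,
                                        FLT_TRANSACTION_CONTEXT,
                                        sizeof(UCA_TRANSACTION_CONTEXT),
                                        UCA_CONTEXT_POOL_TYPE,
                                        Context);
            if (NT_SUCCESS(Status))
            {
                TransactionContext = (PUCA_TRANSACTION_CONTEXT)*Context;

                /* Zero the memory */
                RtlZeroMemory(TransactionContext, sizeof(UCA_TRANSACTION_CONTEXT));

                /* Initialize the notify list */
                InitializeListHead(&TransactionContext->DeleteNotifyList);

                /*
                 * The resource needs to be in NPP.
                 * NOTE(review): NonPagedPool is executable on current Windows
                 * and ExAllocatePoolWithTag is deprecated in recent WDKs;
                 * consider NonPagedPoolNx / ExAllocatePool2 if the supported
                 * OS range allows it.
                 */
                TransactionContext->Resource =
                    (PERESOURCE)ExAllocatePoolWithTag(NonPagedPool,
                                                      sizeof(ERESOURCE),
                                                      UCA_ERESOURCE_POOL_TAG);
                if (TransactionContext->Resource == NULL)
                {
                    /*
                     * Drop the reference FltAllocateContext returned. Any
                     * context cleanup callback registered for this type will
                     * run with Resource == NULL and must tolerate that.
                     */
                    FltReleaseContext(TransactionContext);
                    Status = STATUS_INSUFFICIENT_RESOURCES;
                    break;
                }

                /* Initialize the lock */
                ExInitializeResourceLite(TransactionContext->Resource);
            }
            break;

        case FLT_INSTANCE_CONTEXT:

            /* Allocate instance context */
            Status = FltAllocateContext(DriverData.FilterHandle,
                                        FLT_INSTANCE_CONTEXT,
                                        sizeof(UCA_INSTANCE_CONTEXT),
                                        UCA_CONTEXT_POOL_TYPE,
                                        Context);
            if (NT_SUCCESS(Status))
            {
                RtlZeroMemory(*Context, sizeof(UCA_INSTANCE_CONTEXT));
            }
            break;

        default:
            Status = STATUS_INVALID_PARAMETER;
            break;
    }

    /*
     * Never hand back a stale pointer: after the FltReleaseContext above the
     * old value of *Context refers to a released context, and on the other
     * failure paths its value is not defined by this function.
     */
    if (!NT_SUCCESS(Status))
    {
        *Context = NULL;
    }

    return Status;
}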