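/*
 * Hook for NtOpenProcess.
 *
 * A request is refused with STATUS_ACCESS_DENIED when it asks for one of the
 * filtered rights (PROCESS_CREATE_THREAD, VMOPERATION, VMWRITE, VMREAD) on a
 * process that isProtectProcess() reports as protected, unless the caller is
 * exempt (isPassProcess()) or the request carries the KILLKERNEL access value.
 * Every other request is forwarded unchanged to the original NtOpenProcess.
 *
 * ProcessHandle/DesiredAccess/ObjectAttributes/ClientId: the NtOpenProcess
 * arguments, passed through as received.
 *
 * Returns STATUS_ACCESS_DENIED for a filtered request, otherwise the result of
 * the original NtOpenProcess.
 */
NTSTATUS NTAPI MyNtOpenProcess(
							   OUT PHANDLE ProcessHandle,
							   IN ACCESS_MASK DesiredAccess,
							   IN POBJECT_ATTRIBUTES ObjectAttributes,
							   IN PCLIENT_ID ClientId OPTIONAL
							   )
{
	NTSTATUS status;
	bool bDeny = false;

	VMProtectBegin("MHVMP");
	VMProtectBeginVirtualization("MHVMP");
	InterlockedIncrement(&g_HookCounter);

	/* ClientId is OPTIONAL: a caller may open by name through ObjectAttributes
	 * and pass NULL here.  The original code dereferenced it unconditionally,
	 * so a NULL ClientId combined with one of the filtered access bits would
	 * fault in kernel mode.  A NULL ClientId cannot name a protected process,
	 * so it simply falls through to the original syscall. */
	if (ClientId != NULL && DesiredAccess != KILLKERNEL)
	{
		if (DesiredAccess & (PROCESS_CREATE_THREAD | VMOPERATION | VMWRITE | VMREAD))
		{
			/* NOTE(review): ClientId is caller-supplied and may be a user-mode
			 * pointer.  The original NtOpenProcess probes it under SEH; this
			 * read happens before that probe, so an invalid pointer from a
			 * user-mode caller would fault here.  Consider probing it when
			 * the previous mode is UserMode. */
			if (ClientId->UniqueProcess != NULL
				&& isProtectProcess((UINT32)ClientId->UniqueProcess)
				&& !isPassProcess())
			{
				bDeny = true;
			}
		}
	}

	if (bDeny)
	{
		PEPROCESS p = PsGetCurrentProcess();
		ULONG currentPid = (ULONG)PsGetCurrentProcessId();
		ANSI_STRING asImageName;
		UNICODE_STRING uniImageName;

		/* The caller's image name is read from its EPROCESS at the offset
		 * resolved elsewhere into g_processNameOffset. */
		RtlInitAnsiString(&asImageName, (char *)p + g_processNameOffset);

		/* The conversion allocates the Unicode buffer.  On failure the
		 * UNICODE_STRING is not valid and must be neither logged nor freed;
		 * the original used it unconditionally. */
		if (NT_SUCCESS(RtlAnsiStringToUnicodeString(&uniImageName, &asImageName, true)))
		{
			/* g_tmp remembers the last PID that was reported, so repeated
			 * attempts by the same process do not flood the log. */
			if (g_tmp != currentPid)
				WriteSysLog(LOG_TYPE_DEBUG, L"filter process Name: %s    PID : %d", uniImageName.Buffer, PsGetCurrentProcessId());

			RtlFreeUnicodeString(&uniImageName);
		}
		g_tmp = currentPid;

		status = STATUS_ACCESS_DENIED;
	}
	else
	{
		status = ((pNtOpenProcess) pOriNtOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
	}

	/* Single exit: the hook counter is released only once this frame is about
	 * to leave (the original released it before calling through to the real
	 * NtOpenProcess, while this function was still on the stack), and the
	 * VMProtect end marker is now reachable — in the original both branches
	 * returned above it. */
	InterlockedDecrement(&g_HookCounter);
	VMProtectEnd();
	return status;
}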
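//////////////////////////////////////////////////////////////////////////
// Called once the user has decided how access to a port is to be handled.
// Unlike SetupPortStatus, ResponsePortAsk is also responsible for indicating
// the first-handshake SYN packet upwards when the port is accepted.
//
// pPAsk: the user's verdict — the port, the source IP and the new PStatus.
//
// Returns STATUS_SUCCESS when the matching AcceptedPort entry was updated (or
// no entry matched), STATUS_INVALID_PARAMETER for a NULL pPAsk and
// STATUS_INSUFFICIENT_RESOURCES when an allocation fails.
NTSTATUS	ResponsePortAsk(FIREWALL_ASKUSER	*pPAsk)
{
	NTSTATUS	status	=	STATUS_SUCCESS;

	AcceptedPort	*pAPort	=	NULL;
	PLOCK_STATE		pLockState1	=	NULL;
	PLIST_ENTRY		pNext	=	NULL;
	BOOLEAN			bFound	=	FALSE;
	PAcceptedPort	pIndicateContext	=	NULL;
#ifdef VMPROTECT
	VMProtectBeginVirtualization("Response ask");

#endif

	if (pPAsk == NULL)
	{
		status	=	STATUS_INVALID_PARAMETER;
		goto cleanup;
	}

	// Both allocations were unchecked in the original; a failed kmalloc would
	// have been dereferenced below.
	pIndicateContext	=	kmalloc(sizeof(AcceptedPort));
	pLockState1	=	kmalloc(sizeof(LOCK_STATE));
	if (pIndicateContext == NULL || pLockState1 == NULL)
	{
		status	=	STATUS_INSUFFICIENT_RESOURCES;
		goto cleanup;
	}

	// NOTE(review): PStatus is written while the list lock is held for READ;
	// a write lock (KKRWLOCK_FOR_WRITE, as used elsewhere in this module)
	// would make that update exclusive — confirm against the other users of
	// g_AcceptedPortListLock2 before changing it.
	NdisAcquireReadWriteLock(&g_AcceptedPortListLock2, KKRWLOCK_FOR_READ, pLockState1);
	pNext	=	g_AcceptedPortListHeader.Next.Flink;
	while (pNext && (pNext != &g_AcceptedPortListHeader.Next))
	{
		pAPort	=	CONTAINING_RECORD(pNext, AcceptedPort, Next);
		if (pAPort == NULL)
		{
			// Corrupt list: stop before dereferencing it (the original
			// broke into the debugger and then carried on).
			DbgBreakPoint();
			break;
		}

		if (pAPort->uPort == pPAsk->uPort && pAPort->SrcIP == pPAsk->SrcIP)
		{
			bFound	=	TRUE;	// found: record the user's decision
			pAPort->PStatus	=	pPAsk->PStatus;
			break;
		}
		pNext	=	pNext->Flink;
	}
	if (bFound)
	{
		// Work on a private copy so the list entry is not touched after the
		// lock is released.
		*pIndicateContext	=	*pAPort;
	}
	NdisReleaseReadWriteLock(&g_AcceptedPortListLock2, pLockState1);

	if (bFound && pPAsk->PStatus == PortAccept)
	{
		// Found and accepted: indicate the first-handshake SYN packet upwards
		// from a work item.  On success the worker owns pAskContext and the
		// copied pIndicateContext.
		PIO_WORKITEM	pWorkItem	=	IoAllocateWorkItem(g_CtlDevice);
		PASKUserWorkItemContext	pAskContext	=	kmalloc(sizeof(ASKUserWorkItemContext));

		if (pWorkItem == NULL || pAskContext == NULL)
		{
			// Neither allocation was checked in the original.
			if (pWorkItem)
			{
				IoFreeWorkItem(pWorkItem);
			}
			if (pAskContext)
			{
				kfree(pAskContext);
			}
			status	=	STATUS_INSUFFICIENT_RESOURCES;
		}
		else
		{
			pAskContext->pWorkItem	=	pWorkItem;
			pAskContext->pContext	=	pIndicateContext;
			IoQueueWorkItem(pWorkItem, ResponsePortAskWorkerForIndicateupPacket, DelayedWorkQueue, pAskContext);
			pIndicateContext	=	NULL;	// ownership transferred to the worker
		}
	}

cleanup:
	// Still ours unless the work item took it.
	if (pIndicateContext)
	{
		kfree(pIndicateContext);
		pIndicateContext	=	NULL;
	}
	if (pLockState1)
	{
		kfree(pLockState1);
	}
#ifdef VMPROTECT
	VMProtectEnd();

#endif
	return status;
}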
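/*
 * Hooks the receive handler of every open block queued on the TCP/IP
 * protocol block.
 *
 * For each open block an NDIS_HOOK_INFO record (original handler, restore
 * address, miniport/binding context) is pushed onto g_HookTcpipFireWallList so
 * the hook can be undone later, ReceivePacketHandler is cleared and
 * ReceiveHandler is redirected to KKNewTcpipArpRcv.  The list and the open
 * blocks are modified with g_HookTcpipFireWallLock held for write.
 *
 * Returns STATUS_SUCCESS, STATUS_UNSUCCESSFUL when the TCP/IP protocol block
 * cannot be located, or STATUS_INSUFFICIENT_RESOURCES when an allocation
 * fails (open blocks hooked before the failure stay hooked and remain on the
 * restore list).
 */
NTSTATUS	FWHookTcpipRecvHandler()
{
	PKK_NDIS_PROTOCOL_BLOCK	pTcpipProtocolBlock	=	NULL;
	PNDIS_COMMON_OPEN_BLOCK_2k3_early	pOpenBlock	=	NULL;
	NTSTATUS	status	=	STATUS_SUCCESS;
	PNDIS_HOOK_INFO	pHI	=	NULL;
	PLOCK_STATE	pLockState1	=	NULL;

#ifdef VMPROTECT
	VMProtectBeginVirtualization("FWHookTcpipRecvHandler");
#endif

	// Unchecked in the original; the lock acquire below dereferences it.
	pLockState1	=	kmalloc(sizeof(LOCK_STATE));
	if (pLockState1 == NULL)
	{
		status	=	STATUS_INSUFFICIENT_RESOURCES;
		goto cleanup;
	}

	pTcpipProtocolBlock	=	(PKK_NDIS_PROTOCOL_BLOCK)GetTcpipProtocolBlock();
	if (pTcpipProtocolBlock == NULL)
	{
		status	=	STATUS_UNSUCCESSFUL;
		goto cleanup;
	}

	NdisAcquireReadWriteLock(&g_HookTcpipFireWallLock, KKRWLOCK_FOR_WRITE, pLockState1);

	// NOTE: an IsPhysicalMiniport() filter was commented out at this point in
	// the original, so every open block on the protocol's queue is hooked.
	for (pOpenBlock = pTcpipProtocolBlock->OpenQueue;
		 pOpenBlock != NULL;
		 pOpenBlock = (PNDIS_COMMON_OPEN_BLOCK_2k3_early)pOpenBlock->ProtocolNextOpen)
	{
		pHI	=	kmalloc(sizeof(NDIS_HOOK_INFO));
		if (pHI == NULL)
		{
			// The original zeroed and filled a possibly NULL record.  Stop
			// here; the lock is still released on the way out.
			status	=	STATUS_INSUFFICIENT_RESOURCES;
			break;
		}
		RtlZeroMemory(pHI, sizeof(NDIS_HOOK_INFO));
		pHI->OldHandler	=	(PVOID)pOpenBlock->ReceiveHandler;
		pHI->Address2Restore	=	&(pOpenBlock->ReceiveHandler);
		// pMiniBlock/pProtocolBindingContext are stored through ULONG casts as
		// in the original — assumes a 32-bit build; TODO confirm field types.
		pHI->pMiniBlock	=	(ULONG)pOpenBlock->MiniportHandle;
		pHI->pSignContext	=	(PVOID)pOpenBlock->ProtocolBindingContext;
		pHI->pProtocolBindingContext	=	(ULONG)pOpenBlock->ProtocolBindingContext;
		pHI->pOpenblock	=	(ULONG_PTR)pOpenBlock;
		pHI->szFuncname	=	"KKNewTcpipArpRcv";
		pHI->NewHandler	=	(PVOID)KKNewTcpipArpRcv;

		// Clear the packet-receive handler (presumably so that indications
		// fall back to ReceiveHandler, which is hooked below).  Pointer-sized
		// store; the original wrote a ULONG, which only covers the whole
		// field on 32-bit builds.
		*(PVOID *)&(pOpenBlock->ReceivePacketHandler)	=	NULL;

		InsertHeadList(&g_HookTcpipFireWallList.Next, &pHI->Next);

		// Redirect ReceiveHandler through the saved restore address, again as
		// a pointer-sized store rather than the original's ULONG.
		*(PVOID *)pHI->Address2Restore	=	(PVOID)KKNewTcpipArpRcv;
	}

	NdisReleaseReadWriteLock(&g_HookTcpipFireWallLock, pLockState1);

cleanup:
	if (pLockState1)
	{
		kfree(pLockState1);
	}
#ifdef VMPROTECT
	VMProtectEnd();
#endif

	return status;
}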