NTSTATUS proc_del(CONST ULONG pid)
{
ULONG hash = CALC_HASH(pid);
KIRQL irql;
proc_entry_t *ote, *prev_ote;
NTSTATUS status;
KeAcquireSpinLock(&g_proc_hash_guard, &irql);
prev_ote = NULL;
for (ote = g_proc_hash[hash]; ote; ote = ote->next) {
if (ote->pid == pid) break;
prev_ote = ote;
}
if (!ote) {
status = STATUS_OBJECT_NAME_NOT_FOUND;
goto done;
}
if (prev_ote) prev_ote->next = ote->next;
else g_proc_hash[hash] = ote->next;
FreeProcessData((ProcessData *)ote->pProcInfo);
free((ProcessData *)ote->pProcInfo);
free(ote);
status = STATUS_SUCCESS;
done:
KeReleaseSpinLock(&g_proc_hash_guard, irql);
return status;
}
NTSTATUS
ot_del_fileobj(PFILE_OBJECT fileobj, int *fileobj_type)
{
ULONG hash = CALC_HASH(fileobj);
KIRQL irql;
struct ot_entry *ote, *prev_ote;
NTSTATUS status;
if (fileobj == NULL)
return STATUS_INVALID_PARAMETER_1;
KeAcquireSpinLock(&g_ot_hash_guard, &irql);
prev_ote = NULL;
for (ote = g_ot_hash[hash]; ote; ote = ote->next) {
if (ote->fileobj == fileobj)
break;
prev_ote = ote;
}
if (ote == NULL) {
KdPrint(("[tdi_fw] ot_del_fileobj: fileobj 0x%x not found!\n", fileobj));
status = STATUS_OBJECT_NAME_NOT_FOUND;
goto done;
}
if (ote->type == FILEOBJ_ADDROBJ && ote->listen_entry != NULL)
del_listen_obj(ote->listen_entry, FALSE);
else if (ote->type == FILEOBJ_CONNOBJ && ote->conn_entry != NULL) {
if (ote->ipproto == IPPROTO_TCP && ote->log_disconnect)
log_disconnect(ote);
del_tcp_conn_obj(ote->conn_entry, FALSE);
}
if (fileobj_type != NULL)
*fileobj_type = ote->type;
if (prev_ote != NULL)
prev_ote->next = ote->next;
else
g_ot_hash[hash] = ote->next;
if (ote->sid_a != NULL)
free(ote->sid_a);
free(ote);
status = STATUS_SUCCESS;
done:
KeReleaseSpinLock(&g_ot_hash_guard, irql);
return status;
}
NTSTATUS proc_add(CONST ULONG pid, CONST ProcessData *pProcInfo, CONST TIME seen)
{
ULONG hash = CALC_HASH(pid);
KIRQL irql;
proc_entry_t *ote, *old_next;
NTSTATUS status;
int i;
KeAcquireSpinLock(&g_proc_hash_guard, &irql);
for (ote = g_proc_hash[hash]; ote; ote = ote->next)
if (ote->pid == pid) break;
if (!ote) {
ote = (proc_entry_t *)malloc_np(sizeof(*ote));
if (!ote) {
status = STATUS_NO_MEMORY;
goto done;
}
memset(ote, 0, sizeof(*ote));
ote->next = g_proc_hash[hash];
g_proc_hash[hash] = ote;
ote->pid = pid;
} else {
struct proc_entry *saved_next;
ULONG saved_pid;
DBGOUT(("proc_add: reuse pid 0x%x\n", pid));
// set all fields to zero except "next" and "fileobj" (cleanup listen/conn_entry if any)
saved_next = ote->next;
saved_pid = ote->pid;
memset(ote, 0, sizeof(*ote));
ote->next = saved_next;
ote->pid = saved_pid;
}
ote->lastseen = seen;
ote->pProcInfo = pProcInfo;
status = STATUS_SUCCESS;
done:
KeReleaseSpinLock(&g_proc_hash_guard, irql);
RemoveUnseenProcesses();
return status;
}
proc_entry_t *proc_find(CONST ULONG pid, KIRQL *irql)
{
ULONG hash = CALC_HASH(pid);
proc_entry_t *ote;
NTSTATUS status;
if (irql) KeAcquireSpinLock(&g_proc_hash_guard, irql);
for (ote = g_proc_hash[hash]; ote; ote = ote->next)
if (ote->pid == pid) break;
if (!ote) {
if (irql) KeReleaseSpinLock(&g_proc_hash_guard, *irql);
}
return ote;
}
struct ot_entry *
ot_find_fileobj(PFILE_OBJECT fileobj, KIRQL *irql)
{
ULONG hash = CALC_HASH(fileobj);
struct ot_entry *ote;
if (fileobj == NULL)
return NULL;
if (irql != NULL)
KeAcquireSpinLock(&g_ot_hash_guard, irql);
for (ote = g_ot_hash[hash]; ote != NULL; ote = ote->next)
if (ote->fileobj == fileobj)
break;
if (ote == NULL) {
KdPrint(("[tdi_fw] ot_find_fileobj: fileobj 0x%x not found!\n", fileobj));
if (irql != NULL)
KeReleaseSpinLock(&g_ot_hash_guard, *irql);
}
return ote;
}
NTSTATUS
ot_add_fileobj(PDEVICE_OBJECT devobj, PFILE_OBJECT fileobj, int fileobj_type, int ipproto,
CONNECTION_CONTEXT conn_ctx) // must be called at PASSIVE_LEVEL!
{
ULONG hash = CALC_HASH(fileobj);
KIRQL irql;
struct ot_entry *ote;
NTSTATUS status;
int i;
SID_AND_ATTRIBUTES *sid_a;
ULONG sid_a_size;
if (fileobj == NULL)
return STATUS_INVALID_PARAMETER_2;
// while we're at PASSIVE_LEVEL get SID & attributes
sid_a = get_current_sid_a(&sid_a_size);
KeAcquireSpinLock(&g_ot_hash_guard, &irql);
for (ote = g_ot_hash[hash]; ote != NULL; ote = ote->next)
if (ote->fileobj == fileobj)
break;
if (ote == NULL) {
ote = (struct ot_entry *)malloc_np(sizeof(*ote));
if (ote == NULL) {
KdPrint(("[tdi_fw] ot_add_fileobj: malloc_np\n"));
status = STATUS_INSUFFICIENT_RESOURCES;
goto done;
}
memset(ote, 0, sizeof(*ote));
ote->next = g_ot_hash[hash];
g_ot_hash[hash] = ote;
ote->fileobj = fileobj;
for (i = 0; i < MAX_EVENT; i++)
ote->ctx[i].fileobj = fileobj;
} else {
KdPrint(("[tdi_fw] ot_add_fileobj: reuse fileobj 0x%x\n", fileobj));
ot_cleanup_ote(ote);
}
ote->signature = 'OTE ';
ote->pid = (ULONG)PsGetCurrentProcessId();
// save SID & attributes
ote->sid_a = sid_a;
ote->sid_a_size = sid_a_size;
sid_a = NULL;
ote->devobj = devobj;
ote->type = fileobj_type;
ote->ipproto = ipproto;
ote->conn_ctx = conn_ctx;
status = STATUS_SUCCESS;
done:
// cleanup
KeReleaseSpinLock(&g_ot_hash_guard, irql);
if (sid_a != NULL)
free(sid_a);
return status;
}
