/// <summary> /// Starts filtering process and thread access rights. /// </summary> NTSTATUS HsRegisterProtector() { NTSTATUS status; OB_CALLBACK_REGISTRATION callbackRegistration; OB_OPERATION_REGISTRATION operationRegistration[2]; operationRegistration[0].ObjectType = PsProcessType; operationRegistration[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; operationRegistration[0].PreOperation = HspObPreCallback; operationRegistration[0].PostOperation = NULL; operationRegistration[1].ObjectType = PsThreadType; operationRegistration[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; operationRegistration[1].PreOperation = HspObPreCallback; operationRegistration[1].PostOperation = NULL; callbackRegistration.Version = OB_FLT_REGISTRATION_VERSION; callbackRegistration.RegistrationContext = NULL; callbackRegistration.OperationRegistrationCount = ARRAYSIZE(operationRegistration); callbackRegistration.OperationRegistration = operationRegistration; RtlInitUnicodeString(&callbackRegistration.Altitude, L"40100.7"); FltInitializePushLock(&ObCallbackInstance.ProtectedProcessLock); RtlInitializeGenericTableAvl( &ObCallbackInstance.ProtectedProcesses, HspCompareProtectedProcess, HsAvlAllocate, HsAvlFree, NULL); status = ObRegisterCallbacks(&callbackRegistration, &ObCallbackInstance.RegistrationHandle); if (!NT_SUCCESS(status)) FltDeletePushLock(&ObCallbackInstance.ProtectedProcessLock); return status; }
/// <summary> /// Stops process and thread access rights filtering. /// </summary> VOID HsUnRegisterProtector() { ObUnRegisterCallbacks(ObCallbackInstance.RegistrationHandle); // If ObUnRegisterCallbacks waits for callbacks to finish processing // there is no need to lock here. FltAcquirePushLockExclusive(&ObCallbackInstance.ProtectedProcessLock); HsAvlDeleteAllElements(&ObCallbackInstance.ProtectedProcesses); FltReleasePushLock(&ObCallbackInstance.ProtectedProcessLock); FltDeletePushLock(&ObCallbackInstance.ProtectedProcessLock); }
// Tears the list down: deletes the access lock, then unlinks, destroys and
// frees every FilterBox still linked into m_List.
//
// NOTE(review): the reference-count check is an ASSERT only. If ASSERT
// compiles out in free builds, an entry that is still referenced is released
// anyway and its holder is left with a dangling pointer - confirm that every
// reference is dropped before the list is destroyed.
FilterBoxList::~FilterBoxList()
{
    // The lock is deleted first and the walk below runs unlocked, so no other
    // thread may be using this list any more (presumably guaranteed by the
    // owner - verify).
    FltDeletePushLock(&m_AccessLock);

    for (PLIST_ENTRY link = m_List.Flink; link != &m_List; )
    {
        FilterBox* box = CONTAINING_RECORD(link, FilterBox, m_List);

        // Step to the successor before the current node is unlinked and freed.
        link = link->Flink;

        RemoveEntryList(&box->m_List);
        ASSERT(!box->m_RefCount);

        // Explicit destructor call followed by a pool free, as in the
        // original; the allocation side is not visible here.
        box->FilterBox::~FilterBox();
        FREE_POOL(box);
    }
}