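// Hook for NtOpenProcess.
//
// An open that asks for thread-creation or VM read/write/operation rights on
// a process reported by isProtectProcess() is refused with
// STATUS_ACCESS_DENIED unless the caller is exempted by isPassProcess();
// every other request is forwarded unchanged to the original NtOpenProcess
// saved in pOriNtOpenProcess. g_HookCounter is held incremented for the
// whole call so that whoever removes the hook can wait for in-flight callers.
//
// ProcessHandle/DesiredAccess/ObjectAttributes/ClientId: the NtOpenProcess
//   arguments, passed through untouched on the allow path. ClientId is
//   OPTIONAL per the NtOpenProcess contract and is only read when non-NULL
//   (the original dereferenced it unconditionally, a kernel NULL dereference
//   for callers that identify the target via ObjectAttributes only).
// Returns: STATUS_ACCESS_DENIED on the deny path, otherwise whatever the
//   original NtOpenProcess returns.
//
// NOTE(review): two Begin markers (VMProtectBegin and
// VMProtectBeginVirtualization) are paired with a single VMProtectEnd; the
// original placed that End after the returns, where it was unreachable.
// Confirm the intended marker pairing with the VMProtect setup.
NTSTATUS NTAPI MyNtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL)
{
    VMProtectBegin("MHVMP");
    VMProtectBeginVirtualization("MHVMP");
    InterlockedIncrement(&g_HookCounter);

    // Only these rights are filtered. KILLKERNEL is a full-mask sentinel
    // compared by equality, not by bit, exactly as the original did.
    const ACCESS_MASK kFilteredRights =
        PROCESS_CREATE_THREAD | VMOPERATION | VMWRITE | VMREAD;

    bool bDeny = false;
    if (DesiredAccess != KILLKERNEL &&
        (DesiredAccess & kFilteredRights) != 0 &&
        ClientId != NULL &&
        ClientId->UniqueProcess != NULL)
    {
        bDeny = isProtectProcess((UINT32)ClientId->UniqueProcess) && !isPassProcess();
    }

    NTSTATUS status;
    if (bDeny)
    {
        // Log the denied caller's image name, but only when the PID differs
        // from the last one logged (g_tmp) so a polling caller does not
        // flood the log. The image name is read from the EPROCESS at
        // g_processNameOffset as an ANSI string.
        PEPROCESS p = PsGetCurrentProcess();
        const ULONG callerPid = (ULONG)PsGetCurrentProcessId();
        if (g_tmp != callerPid)
        {
            ANSI_STRING ansiName;
            UNICODE_STRING uniName;
            RtlInitAnsiString(&ansiName, (char *)p + g_processNameOffset);
            // Only use/free uniName when the conversion succeeded; the
            // original logged and freed an uninitialized UNICODE_STRING when
            // RtlAnsiStringToUnicodeString failed.
            if (NT_SUCCESS(RtlAnsiStringToUnicodeString(&uniName, &ansiName, TRUE)))
            {
                WriteSysLog(LOG_TYPE_DEBUG, L"filter process Name: %s PID : %d", uniName.Buffer, PsGetCurrentProcessId());
                RtlFreeUnicodeString(&uniName);
            }
        }
        g_tmp = callerPid;
        status = STATUS_ACCESS_DENIED;
    }
    else
    {
        status = ((pNtOpenProcess)pOriNtOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    }

    // Single exit: the counter is balanced and the End marker is reachable
    // on both paths.
    InterlockedDecrement(&g_HookCounter);
    VMProtectEnd();
    return status;
}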
////////////////////////////////////////////////////////////////////////// //当用户对某个端口的访问做好决定后会调用这个函数 //此函数不同SetupPortStatus,ResponsePortAsk函数还要负责调用向上indicate一个 syn包 NTSTATUS ResponsePortAsk(FIREWALL_ASKUSER *pPAsk) { NTSTATUS status = STATUS_SUCCESS; AcceptedPort *pAPort =NULL; PLOCK_STATE pLockState1=NULL; PLIST_ENTRY pNext =NULL; ULONG utmp=0; BOOLEAN bFound = FALSE; PAcceptedPort pIndicateContext=NULL; #ifdef VMPROTECT VMProtectBeginVirtualization("Response ask"); #endif pIndicateContext = kmalloc(sizeof(AcceptedPort)); // pLockState1 = kmalloc(sizeof(LOCK_STATE)); NdisAcquireReadWriteLock(&g_AcceptedPortListLock2, KKRWLOCK_FOR_READ, pLockState1); pNext = g_AcceptedPortListHeader.Next.Flink; while(pNext&&(pNext!=&g_AcceptedPortListHeader.Next)) { pAPort = CONTAINING_RECORD(pNext, AcceptedPort, Next); if (pAPort==NULL) { DbgBreakPoint(); } if (pAPort->uPort==pPAsk->uPort&&pAPort->SrcIP==pPAsk->SrcIP) { bFound = TRUE;//找到,则更新状态 pAPort->PStatus = pPAsk->PStatus; break; } pNext = pNext->Flink; } if (bFound) { *pIndicateContext = *pAPort; //为了安全,做一份拷贝吧 } NdisReleaseReadWriteLock(&g_AcceptedPortListLock2, pLockState1); if (bFound&&pPAsk->PStatus==PortAccept) { //找到,并且是接收状态,则需要上传一个第一次握手的syn数据包 PIO_WORKITEM pWorkItem = NULL; PASKUserWorkItemContext pAskContext =NULL; pWorkItem = IoAllocateWorkItem(g_CtlDevice); pAskContext = kmalloc(sizeof(ASKUserWorkItemContext)); pAskContext->pWorkItem = pWorkItem; pAskContext->pContext = pIndicateContext; IoQueueWorkItem(pWorkItem, ResponsePortAskWorkerForIndicateupPacket, DelayedWorkQueue, pAskContext); pIndicateContext=NULL; } if (pIndicateContext) { kfree(pIndicateContext);pIndicateContext=NULL; } kfree(pLockState1); #ifdef VMPROTECT VMProtectEnd(); #endif return status; }
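// Installs KKNewTcpipArpRcv as the ReceiveHandler on every open block of the
// tcpip protocol binding. For each open block an NDIS_HOOK_INFO record holding
// the original handler and the address it was read from is pushed onto
// g_HookTcpipFireWallList so the hook can be restored later; the list and the
// handler swap are done under g_HookTcpipFireWallLock taken for write.
//
// Returns: STATUS_SUCCESS; STATUS_UNSUCCESSFUL when GetTcpipProtocolBlock()
//   returns NULL; STATUS_INSUFFICIENT_RESOURCES when an allocation fails (the
//   original never checked kmalloc). Open blocks hooked before an allocation
//   failure stay hooked and remain on the restore list.
//
// NOTE(review): the ULONG casts of MiniportHandle / ProtocolBindingContext /
// KKNewTcpipArpRcv and the PULONG store into ReceivePacketHandler assume
// ULONG-sized pointers, i.e. a 32-bit build — confirm before building for x64.
NTSTATUS FWHookTcpipRecvHandler()
{
    PKK_NDIS_PROTOCOL_BLOCK pTcpipProtocolBlcok = NULL;
    PNDIS_COMMON_OPEN_BLOCK_2k3_early pOpenBlock = NULL;
    NTSTATUS status = STATUS_SUCCESS;
    PNDIS_HOOK_INFO pHI = NULL;
    PLOCK_STATE pLockState1 = NULL;

#ifdef VMPROTECT
    VMProtectBeginVirtualization("FWHookTcpipRecvHandler");
#endif

    do
    {
        // The lock state has to exist before the lock is acquired.
        pLockState1 = kmalloc(sizeof(LOCK_STATE));
        if (pLockState1 == NULL)
        {
            status = STATUS_INSUFFICIENT_RESOURCES;
            break;
        }

        pTcpipProtocolBlcok = (PKK_NDIS_PROTOCOL_BLOCK)GetTcpipProtocolBlock();
        if (pTcpipProtocolBlcok == NULL)
        {
            status = STATUS_UNSUCCESSFUL;
            break;
        }

        NdisAcquireReadWriteLock(&g_HookTcpipFireWallLock, KKRWLOCK_FOR_WRITE, pLockState1);
        for (pOpenBlock = pTcpipProtocolBlcok->OpenQueue;
             pOpenBlock != NULL;
             pOpenBlock = (PNDIS_COMMON_OPEN_BLOCK_2k3_early)pOpenBlock->ProtocolNextOpen)
        {
            pHI = kmalloc(sizeof(NDIS_HOOK_INFO));
            if (pHI == NULL)
            {
                // Stop rather than zero/dereference NULL; hooks already
                // installed are on the list and stay restorable.
                status = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }
            RtlZeroMemory(pHI, sizeof(NDIS_HOOK_INFO));

            // Record everything needed to undo the hook, and put the record
            // on the list before the handler is swapped (same order as the
            // original).
            pHI->OldHandler = (PVOID)pOpenBlock->ReceiveHandler;
            pHI->Address2Restore = &(pOpenBlock->ReceiveHandler);
            pHI->pMiniBlock = (ULONG)pOpenBlock->MiniportHandle;
            pHI->pSignContext = (PVOID)pOpenBlock->ProtocolBindingContext;
            pHI->pProtocolBindingContext = (ULONG)pOpenBlock->ProtocolBindingContext;
            pHI->pOpenblock = (ULONG_PTR)pOpenBlock;
            pHI->szFuncname = "KKNewTcpipArpRcv";
            pHI->NewHandler = (PVOID)KKNewTcpipArpRcv;
            InsertHeadList(&g_HookTcpipFireWallList.Next, &pHI->Next);

            // ReceivePacketHandler is cleared before ReceiveHandler is
            // redirected; the reason is not recorded in the original and is
            // not restored by the saved record — confirm against the unhook
            // path.
            *(PULONG)&(pOpenBlock->ReceivePacketHandler) = 0;
            *(ULONG *)pHI->Address2Restore = (ULONG)KKNewTcpipArpRcv;
        }
        NdisReleaseReadWriteLock(&g_HookTcpipFireWallLock, pLockState1);
    } while (0);

    if (pLockState1 != NULL)
    {
        kfree(pLockState1);
    }
#ifdef VMPROTECT
    VMProtectEnd();
#endif
    return status;
}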