/// <summary> /// Returns TRUE if the given process is protected, otherwise FALSE. /// </summary> /// <param name="Process">Pointer to a process object.</param> /// <param name="ProcessAccessBitsToClear">Process access rights to clear.</param> /// <param name="ThreadAccessBitsToClear">Thread access rights to clear.</param> BOOLEAN HsIsProcessProtected( _In_ PEPROCESS Process, _Out_ PACCESS_MASK ProcessAccessBitsToClear, _Out_ PACCESS_MASK ThreadAccessBitsToClear) { BOOLEAN found; HSP_PROTECTED_PROCESS searchKey; PHSP_PROTECTED_PROCESS protectedProcess; searchKey.Process = Process; FltAcquirePushLockShared(&ObCallbackInstance.ProtectedProcessLock); protectedProcess = RtlLookupElementGenericTableAvl( &ObCallbackInstance.ProtectedProcesses, &searchKey); found = protectedProcess != NULL; if (found) { *ProcessAccessBitsToClear = protectedProcess->ProcessAccessBitsToClear; *ThreadAccessBitsToClear = protectedProcess->ThreadAccessBitsToClear; } FltReleasePushLock(&ObCallbackInstance.ProtectedProcessLock); return found; }
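/// Returns the FilterBox registered for Guid, creating one if none exists yet.
///
/// On success *FltBox receives a box carrying one reference that the caller owns and
/// must release. On failure *FltBox is set to NULL and STATUS_INSUFFICIENT_RESOURCES
/// is returned (CreateNewp returned NULL).
///
/// Lookup, creation and the AddRef all happen under m_AccessLock held exclusively, so
/// two concurrent callers cannot both create a box for the same Guid and the box
/// cannot go away between being found and being referenced.
__checkReturn
NTSTATUS
FilterBoxList::GetOrCreateBox (
    __in LPGUID Guid,
    __deref_out_opt PFilterBox* FltBox
    )
{
    ASSERT( Guid );
    ASSERT( FltBox );

    // Honor the __deref_out_opt contract on every path, including failure.
    *FltBox = NULL;

    NTSTATUS status = STATUS_INSUFFICIENT_RESOURCES;
    FilterBox* fltbox = NULL;

    FltAcquirePushLockExclusive( &m_AccessLock );

    fltbox = LookupBoxp( Guid );
    if ( !fltbox )
    {
        // Created while still holding the lock so lookup+create is atomic
        // with respect to other callers.
        fltbox = CreateNewp( Guid );
    }

    if ( fltbox )
    {
        // Take the caller's reference before dropping the lock; doing it
        // afterwards would leave a window in which a concurrent removal could
        // release the list's reference first.
        fltbox->AddRef();
    }

    FltReleasePushLock( &m_AccessLock );

    if ( fltbox )
    {
        *FltBox = fltbox;
        status = STATUS_SUCCESS;
    }

    return status;
}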
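// Sends a synchronous IRP_MJ_DEVICE_CONTROL request to the device backing
// parser->pVhdmpFileObject, reusing the preallocated parser->pDirectIoIrp.
//
// parser           - Parser whose IRP, file object and DirectIoPushLock are used.
// ControlCode      - IOCTL to issue. The buffer is placed in
//                    AssociatedIrp.SystemBuffer, i.e. this path is for buffered
//                    control codes.
// pSystemBuffer    - Buffer used for both input and output.
// InputBufferSize  - Bytes of input present in pSystemBuffer.
// OutputBufferSize - Bytes of output space available in pSystemBuffer.
//
// Returns the status the target driver stored in the IRP's IoStatus block.
//
// DirectIoPushLock is held exclusively for the whole call because the IRP is a
// single shared object: only one direct-I/O request per parser can be in flight.
// NOTE(review): IoSynchronousCallDriver is exported by ntoskrnl but not part of
// the documented DDI; confirm this is acceptable for the driver's support matrix.
static NTSTATUS EvhdDirectIoControl(ParserInstance *parser, ULONG ControlCode, PVOID pSystemBuffer,
                                    ULONG InputBufferSize, ULONG OutputBufferSize)
{
    NTSTATUS status;
    PDEVICE_OBJECT pDeviceObject;
    PIO_STACK_LOCATION pStackFrame;

    KeEnterCriticalRegion();
    FltAcquirePushLockExclusive(&parser->DirectIoPushLock);

    // Reinitialize the reusable IRP before filling it in for this request.
    IoReuseIrp(parser->pDirectIoIrp, STATUS_PENDING);
    parser->pDirectIoIrp->Flags |= IRP_NOCACHE;

    // Use the documented accessor for the calling thread instead of reading the
    // KPCR at a hard-coded offset (__readgsqword(0x188)), which is x64-only and
    // depends on an undocumented structure layout.
    parser->pDirectIoIrp->Tail.Overlay.Thread = PsGetCurrentThread();
    parser->pDirectIoIrp->AssociatedIrp.SystemBuffer = pSystemBuffer;

    // Fill the next stack location for the synchronous device-control call.
    pStackFrame = IoGetNextIrpStackLocation(parser->pDirectIoIrp);
    pDeviceObject = IoGetRelatedDeviceObject(parser->pVhdmpFileObject);

    pStackFrame->FileObject = parser->pVhdmpFileObject;
    pStackFrame->DeviceObject = pDeviceObject;
    pStackFrame->Parameters.DeviceIoControl.IoControlCode = ControlCode;
    pStackFrame->Parameters.DeviceIoControl.InputBufferLength = InputBufferSize;
    pStackFrame->Parameters.DeviceIoControl.OutputBufferLength = OutputBufferSize;
    pStackFrame->MajorFunction = IRP_MJ_DEVICE_CONTROL;
    pStackFrame->MinorFunction = 0;
    pStackFrame->Flags = 0;
    pStackFrame->Control = 0;

    IoSynchronousCallDriver(pDeviceObject, parser->pDirectIoIrp);

    // The driver's completion status lives in the IRP; the return value of
    // IoSynchronousCallDriver is intentionally not used, matching prior behavior.
    status = parser->pDirectIoIrp->IoStatus.Status;

    FltReleasePushLock(&parser->DirectIoPushLock);
    KeLeaveCriticalRegion();

    return status;
}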
/// <summary> /// Removes a process from the list of protected processes. /// </summary> /// <param name="Process">Pointer to the process object to unprotect.</param> VOID HsUnProtectProcess( _In_ PEPROCESS Process) { HSP_PROTECTED_PROCESS protectedProcess; protectedProcess.Process = Process; FltAcquirePushLockExclusive(&ObCallbackInstance.ProtectedProcessLock); RtlDeleteElementGenericTableAvl(&ObCallbackInstance.ProtectedProcesses, &protectedProcess); FltReleasePushLock(&ObCallbackInstance.ProtectedProcessLock); }
/// <summary> /// Stops process and thread access rights filtering. /// </summary> VOID HsUnRegisterProtector() { ObUnRegisterCallbacks(ObCallbackInstance.RegistrationHandle); // If ObUnRegisterCallbacks waits for callbacks to finish processing // there is no need to lock here. FltAcquirePushLockExclusive(&ObCallbackInstance.ProtectedProcessLock); HsAvlDeleteAllElements(&ObCallbackInstance.ProtectedProcesses); FltReleasePushLock(&ObCallbackInstance.ProtectedProcessLock); FltDeletePushLock(&ObCallbackInstance.ProtectedProcessLock); }
/// <summary> /// Marks a process as protected. When this process or its threads are opened, the /// given access rights will be stripped. Call HsUnProtectProcess when the process /// no longer needs protection, or when it exits. /// </summary> /// <param name="Process">Pointer to the process object to protect.</param> /// <param name="ProcessAccessBitsToClear">Process access rights to clear.</param> /// <param name="ThreadAccessBitsToClear">Thread access rights to clear.</param> VOID HsProtectProcess( _In_ PEPROCESS Process, _In_ ACCESS_MASK ProcessAccessBitsToClear, _In_ ACCESS_MASK ThreadAccessBitsToClear) { HSP_PROTECTED_PROCESS protectedProcess; protectedProcess.Process = Process; protectedProcess.ProcessAccessBitsToClear = ProcessAccessBitsToClear; protectedProcess.ThreadAccessBitsToClear = ThreadAccessBitsToClear; FltAcquirePushLockExclusive(&ObCallbackInstance.ProtectedProcessLock); RtlInsertElementGenericTableAvl( &ObCallbackInstance.ProtectedProcesses, &protectedProcess, sizeof(HSP_PROTECTED_PROCESS), NULL); FltReleasePushLock(&ObCallbackInstance.ProtectedProcessLock); }