/*
* @implemented
*/
NTSTATUS
NTAPI
RtlUnlockBootStatusData(IN HANDLE FileHandle)
{
IO_STATUS_BLOCK IoStatusBlock;
/* Flush the file and close it */
ZwFlushBuffersFile(FileHandle,
&IoStatusBlock);
return ZwClose(FileHandle);
}
BOOLEAN
NTAPI
CmpFileFlush(IN PHHIVE RegistryHive,
IN ULONG FileType,
IN OUT PLARGE_INTEGER FileOffset,
IN ULONG Length)
{
PCMHIVE CmHive = (PCMHIVE)RegistryHive;
HANDLE HiveHandle = CmHive->FileHandles[FileType];
IO_STATUS_BLOCK IoStatusBlock;
NTSTATUS Status;
Status = ZwFlushBuffersFile(HiveHandle, &IoStatusBlock);
return NT_SUCCESS(Status) ? TRUE : FALSE;
}
// Logs the current log entry to and flush the log file.
EXTERN_C static NTSTATUS LogpWriteMessageToFile(
_In_ const char *Message, _In_ const LogBufferInfo &Info) {
NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
IO_STATUS_BLOCK ioStatus = {};
auto status =
ZwWriteFile(Info.LogFileHandle, nullptr, nullptr, nullptr, &ioStatus,
const_cast<char *>(Message),
static_cast<ULONG>(strlen(Message)), nullptr, nullptr);
if (!NT_SUCCESS(status)) {
// It could happen when you did not register IRP_SHUTDOWN and call
// LogIrpShutdownHandler() and the system tried to log to a file after
// a filesystem was unmounted.
DBG_BREAK();
}
status = ZwFlushBuffersFile(Info.LogFileHandle, &ioStatus);
return status;
}
// Logs the current log entry to and flush the log file.
_Use_decl_annotations_ static NTSTATUS LogpWriteMessageToFile(
const char *message, const LogBufferInfo &info) {
NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
IO_STATUS_BLOCK io_status = {};
auto status =
ZwWriteFile(info.log_file_handle, nullptr, nullptr, nullptr, &io_status,
const_cast<char *>(message),
static_cast<ULONG>(strlen(message)), nullptr, nullptr);
if (!NT_SUCCESS(status)) {
// It could happen when you did not register IRP_SHUTDOWN and call
// LogIrpShutdownHandler() and the system tried to log to a file after
// a file system was unmounted.
LogpDbgBreak();
}
status = ZwFlushBuffersFile(info.log_file_handle, &io_status);
return status;
}
BOOLEAN
NTAPI
CmpFileFlush(IN PHHIVE RegistryHive,
IN ULONG FileType,
IN OUT PLARGE_INTEGER FileOffset,
IN ULONG Length)
{
PCMHIVE CmHive = (PCMHIVE)RegistryHive;
HANDLE HiveHandle = CmHive->FileHandles[FileType];
IO_STATUS_BLOCK IoStatusBlock;
NTSTATUS Status;
/* Just return success if no file is associated with this hive */
if (HiveHandle == NULL)
return TRUE;
/* Don't do anything if we're not supposed to */
if (CmpNoWrite)
return TRUE;
Status = ZwFlushBuffersFile(HiveHandle, &IoStatusBlock);
return NT_SUCCESS(Status) ? TRUE : FALSE;
}
NTSTATUS NewNtDeviceIoControlFile(
__in HANDLE FileHandle,
__in_opt HANDLE Event,
__in_opt PIO_APC_ROUTINE ApcRoutine,
__in_opt PVOID ApcContext,
__out PIO_STATUS_BLOCK IoStatusBlock,
__in ULONG IoControlCode,
__in_opt PVOID InputBuffer,
__in ULONG InputBufferLength,
__out_opt PVOID OutputBuffer,
__in ULONG OutputBufferLength
)
{
NTSTATUS retour,ntStatus;
PFILE_OBJECT fileObject = NULL;
ULONG retLen, ret;
UNICODE_STRING *path_str = NULL;
UNICODE_STRING afd;//=NULL;
WCHAR deviceafd[] = L"\\Device\\Afd";
PAFD_SEND_INFO pAfdTcpInfo = InputBuffer;
PAFD_SEND_INFO_UDP pAfdUdpSendtoInfo = InputBuffer;
PAFD_RECV_INFO_UDP pAfdUdpRecvFromInfo = InputBuffer;
ULONG dwLen = 0;
PCHAR pBuf = NULL;
int i=0, pid=0;
ProcessInformation process;
char buffer_net[2000];
char prot[10];
IO_STATUS_BLOCK iostatus;
LARGE_INTEGER time;
ULONG ppid = 0;
PCHAR toto;
UCHAR *name;
PUNICODE_STRING temp_unicode, addr=NULL;
ANSI_STRING ansi;
PEPROCESS pep;
TDI_REQUEST_QUERY_INFORMATION Request;
char Address[128];
//Request = TDI_QUERY_ADDRESS_INFO;
KeQuerySystemTime(&time);
RtlZeroMemory(&buffer_net, sizeof(buffer_net));
RtlZeroMemory(&prot, sizeof(prot));
// NTDEVICEIOCONTROLFILE NtDeviceIoControlFile = Zdicf.NtFunc;
RtlInitUnicodeString (&afd, deviceafd);
retour = ((NTDEVICEIOCONTROLFILE) (OldNtDeviceIoControlFile)) (FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
IoControlCode,
InputBuffer,
InputBufferLength,
OutputBuffer,
OutputBufferLength);
if(IoControlCode != AFD_SEND && IoControlCode != AFD_RECV && IoControlCode != AFD_SENDTO && IoControlCode != AFD_RECVFROM)
return retour;
// ZwDeviceIoControlFile(FileHandle,
// NULL,NULL, NULL,
// &iostatus,
// IOCTL_TDI_QUERY_INFORMATION,
// TDI_QUERY_ADDRESS_INFO, 0,//sizeof(TDI_QUERY_ADDRESS_INFO),
// &Address, sizeof(Address));
pid = (LONG)PsGetCurrentProcessId();
if(pid == (int)UserLandID)
return retour;
PsLookupProcessByProcessId((HANDLE)pid,&pep);
toto = (PCHAR) pep;
ppid = *((ULONG*)(toto+0x140));
// On recupere les 16 premiers bits du nom du process
name = PsGetProcessImageFileName(pep);
if(ExGetPreviousMode() == UserMode)
{
if(FileHandle != NULL)
{
ObReferenceObjectByHandle(FileHandle, 0, 0, KernelMode, &fileObject, NULL);
if (fileObject)
{
ntStatus = ObQueryNameString(fileObject, (POBJECT_NAME_INFORMATION)path_str, 0, &retLen);
path_str = (PUNICODE_STRING)ExAllocatePoolWithTag(NonPagedPool, retLen, 0);
if (ntStatus == STATUS_INFO_LENGTH_MISMATCH)
{
if (path_str)
{
ntStatus = ObQueryNameString(fileObject, (POBJECT_NAME_INFORMATION)path_str, retLen, &retLen);
if(RtlCompareUnicodeString(path_str,&afd,TRUE) == 0)
{
trace_net++;
switch(IoControlCode)
{
case AFD_SEND:
sprintf(prot,"tcp");
break;
case AFD_RECV:
sprintf(prot,"tcp");
break;
case AFD_SENDTO:
sprintf(prot,"udp");
break;
case AFD_RECVFROM:
sprintf(prot,"udp");
break;
default:
sprintf(prot,"not");
}
// if(strcmp(prot, "udp") == 0)
// {
// DbgPrint("Taiele de l'address : %i \n", pAfdUdpSendtoInfo->SizeOfRemoteAddress);
// temp_unicode = (PUNICODE_STRING)ExAllocatePoolWithTag(NonPagedPool, pAfdUdpSendtoInfo->SizeOfRemoteAddress, 0);
// temp_unicode = (PUNICODE_STRING) pAfdUdpSendtoInfo->RemoteAddress;
// DbgPrint("address : %wZ \n", &temp_unicode);
//RtlCopyUnicodeString( addr, temp_unicode);
//DbgPrint("addr 1 :%wZ\n" , addr);
// }
if(InputBufferLength > 0)
sprintf(buffer_net, "audit(%I64d,%i) pid=%i name=%s ppid=%i { send } size=%i prot=%s return=%x endoftrace", time.QuadPart, trace_net,pid, name,ppid, InputBufferLength, prot, retour);
if(OutputBufferLength > 0)
sprintf(buffer_net, "audit(%I64d,%i) pid=%i name=%s ppid=%i { recv } size=%i prot=%s return=%x endoftrace", time.QuadPart, trace_net,pid, name, ppid, OutputBufferLength, prot, retour);
//DbgPrint("%wZ \n", path_str);
ZwWriteFile(handlenet, NULL, NULL, NULL, &iostatus, buffer_net, strlen(buffer_net), 0, NULL);
ZwFlushBuffersFile(handlenet, &iostatus);
}
if(path_str)
ExFreePoolWithTag(path_str, 0);
}
}
ObDereferenceObject(fileObject);
}
}
}
// if(fileObject != NULL)
// ObDereferenceObject(fileObject);
return retour;
}
BOOLEAN
CmpFileFlush (
PHHIVE Hive,
ULONG FileType,
PLARGE_INTEGER FileOffset,
ULONG Length
)
/*++
Routine Description:
This routine performs a flush on a file handle.
Arguments:
Hive - Hive we are doing I/O for
FileType - which supporting file to use
FileOffset - If this parameter is supplied (not NULL), then only the
byte range specified by FileOffset and Length are flushed.
Length - Defines the length of the byte range to flush, starting at
FileOffset. This parameter is ignored if FileOffset is
specified as NULL.
Return Value:
FALSE if failure
TRUE if success
Note:
FileOffset and Length are only taken into account when FileType == HFILE_TYPE_PRIMARY
and the hive uses the mapped-views method.
--*/
{
NTSTATUS status;
IO_STATUS_BLOCK IoStatus;
PCMHIVE CmHive;
HANDLE FileHandle;
ASSERT(FIELD_OFFSET(CMHIVE, Hive) == 0);
CmHive = (PCMHIVE)Hive;
FileHandle = CmHive->FileHandles[FileType];
if (FileHandle == NULL) {
return TRUE;
}
if (CmpNoWrite) {
return TRUE;
}
CmKdPrintEx((DPFLTR_CONFIG_ID,CML_IO,"CmpFileFlush:\n\tHandle = %08lx\n", FileHandle));
ASSERT_PASSIVE_LEVEL();
if( HiveWritesThroughCache(Hive,FileType) == TRUE ) {
//
// OK, we need to flush using CcFlushCache
//
CcFlushCache (CmHive->FileObject->SectionObjectPointer,(PLARGE_INTEGER)((ULONG_PTR)FileOffset + 1)/*we are private writers*/,Length,&IoStatus);
status = IoStatus.Status;
if( !NT_SUCCESS(status) ) {
goto Error;
}
}
//
// we have to do that regardless, to make sure the disk cache makes it to the disk.
//
status = ZwFlushBuffersFile(
FileHandle,
&IoStatus
);
if (NT_SUCCESS(status)) {
ASSERT(IoStatus.Status == status);
return TRUE;
} else {
Error:
//
// set debugging info
//
CmRegistryIODebug.Action = CmpIoFileFlush;
CmRegistryIODebug.Handle = FileHandle;
CmRegistryIODebug.Status = status;
#if DBG
DbgPrintEx(DPFLTR_CONFIG_ID,DPFLTR_TRACE_LEVEL,"CmpFileFlush:\tFailure1: status = %08lx IoStatus = %08lx\n",status,IoStatus.Status);
#endif
return FALSE;
}
}
