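#include "precomp.h"

/*
 * Per-device-type policy table, indexed by the BDC_* device type.
 * Filled by SetPolicy() and read by the accessor functions below.
 */
static DEVICE_POLICY s_policy[BDC_MAX_DEVICE_TYPE] = { 0, };

/* STORAGE_BUS_TYPE value reported for USB-attached volumes (BusTypeUsb). */
enum { BDC_BUS_TYPE_USB = 7 };

/*
 * Returns TRUE when device_type is a valid index into s_policy.
 * Every accessor checks this first so an out-of-range type (for instance one
 * forwarded unchecked from user mode; NOTE(review): the callers are not
 * visible in this file) cannot read or write past the end of the table.
 */
static BOOLEAN IsValidDeviceType(ULONG device_type)
{
    return (BOOLEAN)(device_type < (ULONG)BDC_MAX_DEVICE_TYPE);
}

/* Reset every policy entry to zero (all fields cleared). */
void Initpolicy(void)
{
    RtlZeroMemory(s_policy, sizeof(s_policy));
}

/*
 * Record the policy for one device type.
 *   device_type - BDC_* index; must be below BDC_MAX_DEVICE_TYPE
 *   state       - ENABLE / DISABLE
 *   islog       - non-zero to enable logging for this type
 * An out-of-range device_type is traced and ignored rather than written
 * past the table.
 */
void SetPolicy(ULONG device_type, ULONG state, ULONG islog)
{
    if (!IsValidDeviceType(device_type))
    {
        KLogEx(DEBUG_TRACE_ERROR, "SetPolicy: device_type %lu out of range, ignored\n", device_type);
        return;
    }
    s_policy[device_type].device_type = device_type;
    s_policy[device_type].state = state;
    s_policy[device_type].islog = islog;
}

/*
 * Policy state for device_type. Out-of-range types report DISABLE so that a
 * bad index fails closed instead of reading adjacent memory.
 */
ULONG GetPolicyState(ULONG device_type)
{
    if (!IsValidDeviceType(device_type))
        return DISABLE;
    return s_policy[device_type].state;
}

/* TRUE when the policy for device_type is DISABLE (or device_type is out of range). */
BOOLEAN IsPolicyDisable(ULONG device_type)
{
    return (BOOLEAN)(GetPolicyState(device_type) == DISABLE);
}

/* Logging flag for device_type; 0 (no logging) for out-of-range types. */
ULONG IsPolicyLog(ULONG device_type)
{
    if (!IsValidDeviceType(device_type))
        return 0;
    return s_policy[device_type].islog;
}

/*
 * Decide whether an IRP_MJ_CREATE on a local volume comes from an inbound
 * network client. The token attached to the create is examined and its
 * TOKEN_SOURCE name compared against the sources this driver associates with
 * remote authentication ("NtLmSsp " and "KSecDD "). Returns TRUE on a match.
 * create_character and device_type are used only for the trace line.
 */
static BOOLEAN IsInboundNetworkCreate(PFLT_CALLBACK_DATA data, ULONG create_character, ULONG device_type)
{
    PSECURITY_SUBJECT_CONTEXT subjectContext = NULL;
    PACCESS_TOKEN accessToken = NULL;
    PTOKEN_SOURCE tokenSource = NULL;
    NTSTATUS ntstatus;
    BOOLEAN matched = FALSE;

    if (data->Iopb->MajorFunction != IRP_MJ_CREATE)
        return FALSE;

    // Take the subject context straight from the create parameters; no
    // SeCaptureSubjectContext is needed for the requesting thread here.
    if (data->Iopb->Parameters.Create.SecurityContext == NULL ||
        data->Iopb->Parameters.Create.SecurityContext->AccessState == NULL)
        return FALSE;
    subjectContext = &data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext;

    accessToken = SeQuerySubjectContextToken(subjectContext);
    if (accessToken == NULL)
        return FALSE;

    // SeQueryInformationToken allocates the TOKEN_SOURCE from pool; it must be
    // released with ExFreePool on every path once the query succeeds.
    ntstatus = SeQueryInformationToken(accessToken, TokenSource, (PVOID)&tokenSource);
    if (!NT_SUCCESS(ntstatus) || tokenSource == NULL)
        return FALSE;

    // SourceName is TOKEN_SOURCE_LENGTH (8) bytes and not NUL-terminated, so it
    // is compared as raw memory and printed with %.8s. Each literal must supply
    // at least TOKEN_SOURCE_LENGTH bytes (the terminating NUL counts) or
    // RtlCompareMemory would read past it.
    C_ASSERT(sizeof("NtLmSsp ") >= TOKEN_SOURCE_LENGTH);
    C_ASSERT(sizeof("KSecDD ") >= TOKEN_SOURCE_LENGTH);
    if ((RtlCompareMemory(tokenSource->SourceName, "NtLmSsp ", TOKEN_SOURCE_LENGTH) == TOKEN_SOURCE_LENGTH) ||
        (RtlCompareMemory(tokenSource->SourceName, "KSecDD ", TOKEN_SOURCE_LENGTH) == TOKEN_SOURCE_LENGTH))
    {
        // PsGetCurrentProcessId() returns a HANDLE; narrow it explicitly so the
        // %x conversion receives a 32-bit argument.
        KLogEx(DEBUG_TRACE_ERROR, "DEVICE_NETWORKDRIVEIN Check: pid(%x), Token Source=[%.8s], create_char=[%x], type=[%x]\n",
               (ULONG)(ULONG_PTR)PsGetCurrentProcessId(), tokenSource->SourceName, create_character, device_type);
        KLogEx(DEBUG_TRACE_ERROR, "DEVICE_NETWORKDRIVEIN Detected! Blocking.\n");
        matched = TRUE;
    }

    ExFreePool(tokenSource);
    return matched;
}

/*
 * Query the volume context for fltobject and report whether the volume sits
 * on the USB bus. Returns the FltGetVolumeContext status; *is_usb is only
 * meaningful when the status is a success code.
 */
static NTSTATUS IsUsbBusVolume(PCFLT_RELATED_OBJECTS fltobject, BOOLEAN *is_usb)
{
    PVOLUME_CONTEXT vctx = NULL;
    NTSTATUS ntstatus;

    *is_usb = FALSE;
    ntstatus = FltGetVolumeContext(fltobject->Filter, fltobject->Volume, &vctx);
    if (!NT_SUCCESS(ntstatus))
        return ntstatus;

    *is_usb = (BOOLEAN)(vctx->bustype == BDC_BUS_TYPE_USB);
    FltReleaseContext(vctx);
    return ntstatus;
}

/*
 * Classify the volume behind fltobject into a BDC_* device type.
 *   data      - callback data for the current operation; only consulted to
 *               inspect the security context of an IRP_MJ_CREATE
 *   fltobject - related objects; FileObject->DeviceObject supplies the
 *               Characteristics and DeviceType that drive the classification
 * Returns BDC_UNKNOWN_DEV when the volume context cannot be obtained.
 * NOTE(review): the callers decide whether BDC_UNKNOWN_DEV is treated as
 * allowed or blocked; they are not visible in this file.
 */
ULONG GetDeviceType(PFLT_CALLBACK_DATA data, PCFLT_RELATED_OBJECTS fltobject)
{
    ULONG create_character = fltobject->FileObject->DeviceObject->Characteristics;
    ULONG device_type = fltobject->FileObject->DeviceObject->DeviceType;
    ULONG state = BDC_UNKNOWN_DEV;

    if ((create_character & FILE_REMOVABLE_MEDIA) && (device_type == FILE_DEVICE_DISK))
    {
        // Removable disk: floppy if flagged, otherwise classified as a USB disk.
        state = (create_character & FILE_FLOPPY_DISKETTE) ? BDC_FLOOPY : BDC_USB_DISK;
    }
    else if ((create_character & FILE_FLOPPY_DISKETTE) && (device_type == FILE_DEVICE_DISK))
    {
        state = BDC_FLOOPY;
    }
    else if (device_type == FILE_DEVICE_CD_ROM)
    {
        state = BDC_CDROM;
    }
    else if ((create_character & FILE_REMOTE_DEVICE) && (device_type == FILE_DEVICE_NETWORK_FILE_SYSTEM))
    {
        // Outbound access to a remote share.
        state = BDC_NETWORKDRIVEOUT;
    }
    else
    {
        // Local volume. When inbound network access is not ENABLE, check whether
        // this create originates from a remote client via its token source.
        if (GetPolicyState(BDC_NETWORKDRIVEIN) != ENABLE &&
            IsInboundNetworkCreate(data, create_character, device_type))
        {
            return BDC_NETWORKDRIVEIN;
        }

        state = BDC_LOCAL_DISK;

        // Only pay for the volume-context lookup when the external-HDD policy is
        // restricted or logged (any non-zero islog counts), and only for
        // FILE_DEVICE_DISK volumes.
        if (GetPolicyState(BDC_EXTERNALHDD) != ENABLE || IsPolicyLog(BDC_EXTERNALHDD) != 0)
        {
            if (device_type == FILE_DEVICE_DISK)
            {
                BOOLEAN on_usb = FALSE;
                if (!NT_SUCCESS(IsUsbBusVolume(fltobject, &on_usb)))
                    return BDC_UNKNOWN_DEV;
                if (on_usb)
                    state = BDC_EXTERNALHDD;
            }
        }
    }

    return state;
}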