kjkim
/
BSOne.SFC
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
BSOne.SFC/Tocsg.Module/Bs1Flt/bs1flt/bs1flt_util.c

1225 lines
26 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#include "precomp.h"
#include "ntstrsafe.h"
#include <ntddk.h>
#define NT_PROCNAMELEN 16
#define SYSNAME "System"
#define PAGE_SIZE 0x1000
typedef NTSTATUS(*ZwQueryInformationProcessT)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
ZwQueryInformationProcessT ZwQueryInformationProcess = NULL;
#define MEDIA_POOL_TAG 'cdsa'
PVOID UAlloc(SIZE_T size)
{
PUCHAR buffer = NULL;
buffer = (PUCHAR)ExAllocatePoolWithTag(NonPagedPool, size, MEDIA_POOL_TAG);
if (!buffer)
return NULL;
RtlZeroMemory(buffer, size);
return (PVOID)buffer;
}
VOID UFree(PVOID* buf)
{
if (*buf)
{
ExFreePoolWithTag(*buf, MEDIA_POOL_TAG);
*buf = NULL;
}
return;
}
NTSTATUS UStrNew(PUNICODE_STRING ustr, USHORT bytes)
{
ustr->Buffer = UAlloc(bytes + sizeof(wchar_t));
if (!ustr->Buffer)
return STATUS_INSUFFICIENT_RESOURCES;
ustr->MaximumLength = (USHORT)bytes;
ustr->Length = 0;
RtlZeroMemory(ustr->Buffer, bytes + sizeof(wchar_t));
return STATUS_SUCCESS;
}
NTSTATUS UStrFree(PUNICODE_STRING ustr)
{
if (!ustr->Buffer)
return STATUS_INVALID_PARAMETER;
ustr->Length = 0;
ustr->MaximumLength = 0;
UFree(&ustr->Buffer);
return STATUS_SUCCESS;
}
NTSTATUS UStrCopy(PUNICODE_STRING dst, PUNICODE_STRING src)
{
if (dst->MaximumLength <= src->Length + sizeof(wchar_t))
{
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlUnicodeStringCopy(dst, src);
return STATUS_SUCCESS;
}
NTSTATUS UStrCatC(PUNICODE_STRING ustr, LPCSTR str)
{
UNREFERENCED_PARAMETER(ustr);
UNREFERENCED_PARAMETER(str);
return STATUS_UNSUCCESSFUL;
}
NTSTATUS UStrCatW(PUNICODE_STRING ustr, LPWSTR str)
{
UNICODE_STRING tmp;
RtlInitUnicodeString(&tmp, str);
return UStrCat(ustr, &tmp);
}
NTSTATUS UStrCatA(PUNICODE_STRING ustr, PANSI_STRING str)
{
UNREFERENCED_PARAMETER(ustr);
UNREFERENCED_PARAMETER(str);
return STATUS_UNSUCCESSFUL;
}
NTSTATUS UStrCat(PUNICODE_STRING ustr, PUNICODE_STRING str)
{
USHORT r;
r = ustr->MaximumLength - ustr->Length;
if (r < str->Length)
return STATUS_UNSUCCESSFUL;
RtlCopyMemory(GetPtr(ustr->Buffer, ustr->Length), str->Buffer, str->Length + sizeof(wchar_t));
ustr->Length += str->Length;
return STATUS_SUCCESS;
}
BOOLEAN ISWcstok(WCHAR* pwszSrc, WCHAR* pwszDest, ULONG ulSrcLen, const WCHAR pwszToken, BOOLEAN bNetFlag)
{
//BOOLEAN bRet = TRUE;
ULONG ulCnt = 0;
ULONG i = 0;
if (pwszSrc == NULL || ulSrcLen == 0)
{
return FALSE;
}
while (ulCnt < ulSrcLen)
{
if (pwszSrc[ulCnt] == pwszToken)
break;
pwszDest[ulCnt] = pwszSrc[ulCnt];
ulCnt++;
}
ulCnt++;
if (ulCnt >= ulSrcLen)
return FALSE;
if (!bNetFlag)
return TRUE;
ulSrcLen -= ulCnt;
memset(pwszDest, 0, sizeof(WCHAR) * 260);
while (i < ulSrcLen)
{
if (pwszSrc[ulCnt] == pwszToken)
break;
pwszDest[i] = pwszSrc[ulCnt];
i++;
ulCnt++;
}
return TRUE;
}
NTSTATUS UGetCurrentStackProcessImageName(ULONG processId, PUNICODE_STRING ProcessImageName)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG returnedLength = 0;
ULONG bufferLength = 0;
//HANDLE hProcess = NULL;
PVOID buffer = NULL;
//PEPROCESS eProcess = NULL;
//PUNICODE_STRING imageName;
PAGED_CODE();
if (processId == 0 || processId == 4 || processId == 8)
{
return STATUS_UNSUCCESSFUL;
}
if (ZwQueryInformationProcess == NULL)
{
UNICODE_STRING routineName;
RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");
ZwQueryInformationProcess = (ZwQueryInformationProcessT)MmGetSystemRoutineAddress(&routineName);
if (ZwQueryInformationProcess == NULL)
{
return STATUS_UNSUCCESSFUL;
}
}
// status = PsLookupProcessByProcessId((HANDLE)processId, &eProcess);
//
// if(NT_SUCCESS(status))
// {
// status = ObOpenObjectByPointer(eProcess,0, NULL, 0,*PsProcessType,KernelMode,&hProcess);
// ObDereferenceObject(eProcess);
// if(!NT_SUCCESS(status))
// {
// // sskim - 171117 Added.
// hProcessID = NULL;
// return STATUS_UNSUCCESSFUL;
// }
//
// KLogEx(DEBUG_TRACE_INFO,"hProcess(%p)\n", hProcess);
//
// }
// else
// {
// // sskim - 171117 Added.
// hProcessID = NULL;
// return status;
// }
status = ZwQueryInformationProcess(NtCurrentProcess(),
ProcessImageFileName,
NULL,
0,
&returnedLength);
if (status != STATUS_INFO_LENGTH_MISMATCH)
{
status = STATUS_UNSUCCESSFUL;
goto $cleanup;
}
bufferLength = returnedLength + sizeof(UNICODE_STRING) + sizeof(WCHAR);
buffer = UAlloc(bufferLength);
if (!buffer)
{
status = STATUS_UNSUCCESSFUL;
goto $cleanup;
}
if (!NT_SUCCESS(UStrNew(ProcessImageName, (USHORT)bufferLength)))
{
status = STATUS_UNSUCCESSFUL;
goto $cleanup;
}
status = ZwQueryInformationProcess(NtCurrentProcess(),
ProcessImageFileName,
(PVOID)buffer,
returnedLength,
&returnedLength);
if (NT_SUCCESS(status))
{
RtlCopyUnicodeString(ProcessImageName, (PUNICODE_STRING)buffer);
}
else
{
UStrFree(ProcessImageName);
}
$cleanup:
/// 2014-04-03 <20><><EFBFBD>μ<EFBFBD><CEBC><EFBFBD> <20>ڵ<EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20>Ǽ<EFBFBD> <20>߰<EFBFBD>
// if(hProcess != NULL)
// ZwClose(hProcess);
UFree(&buffer);
return status;
}
ULONG UGetKernelVersion()
{
ULONG mj = 0;
ULONG mi = 0;
RTL_OSVERSIONINFOW os;
//PsGetVersion(&mj, &mi, NULL, NULL);
RtlGetVersion(&os);
mj = os.dwMajorVersion;
mi = os.dwMinorVersion;
KLogEx(DEBUG_TRACE_INFO, "%d %d\n", mj, mi);
if (mj == 10)
{
if (mi > 22000)
return (ULONG)Win11;
return (ULONG)Win10;
}
else if (mj == 6 && mi == 2)
{
return (ULONG)Win8;
}
else if (mj == 6 && mi == 1)
{
return (ULONG)Win7;
}
else if (mj == 6 && mi == 0)
{
// vista, server 2008
return (ULONG)WinVista;
}
else if ((mj == 5 && mi == 1))
{
// XP
return (ULONG)WinXP;
}
else if (mj == 5 && mi == 2)
{
// 2003, 2003 R2
return (ULONG)Win2k3;
}
else if (mj == 5 && mi == 0)
{
// 2000 , NT
return (ULONG)Win2k;
}
return (ULONG)WinUndefined;
}
PLIST_ENTRY WalkList(PLIST_ENTRY head, WalkCallbackFuncT fn, PVOID p, ULONG d)
{
PLIST_ENTRY current, tail, tmp;
tail = head;
current = tail->Flink;
while (tail != current)
{
tmp = current;
current = current->Flink;
__try
{
if (!fn(tmp, p, d))
return tmp;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return NULL;
}
}
return NULL;
}
PLIST_ENTRY WalkListPoint(PLIST_ENTRY head, WalkCallbackFuncPointT fn, PVOID p1, PVOID p2)
{
PLIST_ENTRY current, tail, tmp;
tail = head;
current = tail->Flink;
while (tail != current)
{
tmp = current;
current = current->Flink;
__try
{
if (!fn(tmp, p1, p2))
return tmp;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return NULL;
}
}
return NULL;
}
NTSTATUS UGetProcessFullPathFromPid(
_In_ HANDLE pid,
_Out_writes_bytes_opt_(PathBufferSize) PWCHAR PathBuffer,
_In_ ULONG PathBufferSize,
_Out_writes_bytes_opt_(NameBufferSize) PWCHAR NameBuffer,
_In_ ULONG NameBufferSize
)
{
NTSTATUS status;
PEPROCESS Process = NULL;
PUNICODE_STRING pImageName = NULL;
// PID<49><44> EPROCESS <20><>ü <20><><EFBFBD><EFBFBD>
status = PsLookupProcessByProcessId(pid, &Process);
if (!NT_SUCCESS(status))
{
return status;
}
// <20><>ü <20><><EFBFBD><EFBFBD>(Image Name) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
status = SeLocateProcessImageName(Process, &pImageName);
if (NT_SUCCESS(status) && pImageName != NULL)
{
// <20><>ü <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> (<28><>û <20><>)
if (PathBuffer != NULL && PathBufferSize > 0)
{
RtlStringCbCopyW(PathBuffer, PathBufferSize, pImageName->Buffer);
}
// <20><><EFBFBD>ϸ<EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> (<28><>û <20><>)
if (NameBuffer != NULL && NameBufferSize > 0)
{
// <20>ڿ<EFBFBD><DABF><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '\' <20><><EFBFBD>ڸ<EFBFBD> ã<><C3A3>
WCHAR* pFileName = wcsrchr(pImageName->Buffer, L'\\');
if (pFileName)
{
pFileName++; // '\' <20><><EFBFBD><EFBFBD> <20><><EFBFBD>ڰ<EFBFBD> <20><><EFBFBD><EFBFBD> <20≯<EFBFBD> <20><><EFBFBD><EFBFBD>
}
else
{
pFileName = pImageName->Buffer; // '\'<27><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>ü<EFBFBD><C3BC> <20≯<EFBFBD>
}
RtlStringCbCopyW(NameBuffer, NameBufferSize, pFileName);
}
// <20>޸<EFBFBD><DEB8><EFBFBD> <20><><EFBFBD><EFBFBD>
ExFreePool(pImageName);
}
else
{
// <20><><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD>ڿ<EFBFBD> ó<><C3B3>
if (PathBuffer && PathBufferSize > 0) PathBuffer[0] = L'\0';
if (NameBuffer && NameBufferSize > 0) NameBuffer[0] = L'\0';
}
// <20><><EFBFBD>μ<EFBFBD><CEBC><EFBFBD> <20><>ü <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
ObDereferenceObject(Process);
return status;
}
static ULONG s_ProcessNameOffset = 0;
ULONG
USetProcessNameOffset(void)
{
PEPROCESS curproc = NULL;
DWORD i = 0;
curproc = PsGetCurrentProcess();
if (curproc != NULL)
{
for (i = 0; i < 3 * PAGE_SIZE; i++)
{
if (!memcmp(SYSNAME, (PCHAR)curproc + i, 6))
{
break;
}
}
}
s_ProcessNameOffset = i;
KLogEx(DEBUG_TRACE_INFO, "offset(%x)\n", s_ProcessNameOffset);
return i;
}
BOOLEAN UGetProcessName(PCHAR theName)
{
PEPROCESS curproc = NULL;
char* nameptr = NULL;
if (s_ProcessNameOffset)
{
// if ( g_uiProcessNameOffset > 0x450)
// {
// // bug da~
// g_uiProcessNameOffset = 0x174; // XP<58>ϰ<EFBFBD><CFB0><EFBFBD>
// // KdPrint(("bug da~2, %x\n", gProcessNameOffset));
// }
curproc = PsGetCurrentProcess();
nameptr = (PCHAR)curproc + s_ProcessNameOffset;
memcpy(theName, nameptr, NT_PROCNAMELEN);
theName[NT_PROCNAMELEN] = 0; /* NULL at end */
return TRUE;
}
return FALSE;
}
extern UCHAR* PsGetProcessImageFileName(IN PEPROCESS Process);
NTSTATUS UGetProcessNameFromPid(
_In_ HANDLE pid,
_Out_writes_bytes_(BufferSize) PCHAR Buffer,
_In_ ULONG BufferSize
)
{
PEPROCESS Process = NULL;
NTSTATUS status;
status = PsLookupProcessByProcessId(pid, &Process);
if (!NT_SUCCESS(status))
{
if (BufferSize > 0)
{
RtlStringCbCopyA(Buffer, BufferSize, "Unknown0");
}
return status;
}
PCHAR pName = (PCHAR)PsGetProcessImageFileName(Process);
if (pName)
{
status = RtlStringCbCopyA(Buffer, BufferSize, pName);
}
else
{
status = STATUS_NOT_FOUND;
if (BufferSize > 0)
RtlStringCbCopyA(Buffer, BufferSize, "Unknown1");
//Buffer[0] = '\0';
}
ObDereferenceObject(Process);
return status;
}
//BOOLEAN UGetProcessNameFormPid(PCHAR theName, HANDLE pid)
//{
// PEPROCESS curproc = NULL;
// char* nameptr = NULL;
//
// if (KeGetCurrentIrql() > PASSIVE_LEVEL)
// return FALSE;
//
// if (PsLookupProcessByProcessId(pid, &curproc) == STATUS_INVALID_PARAMETER)
// {
// return "??";
// }
// nameptr = PsGetProcessImageFileName(curproc);
// ObDereferenceObject(curproc);
// return (CHAR*)
//
// //if (!s_ProcessNameOffset)
// // return FALSE;
//
// //// if ( g_uiProcessNameOffset > 0x450)
// //// {
// //// // bug da~
// //// g_uiProcessNameOffset = 0x174; // XP<58>ϰ<EFBFBD><CFB0><EFBFBD>
// //// // KdPrint(("bug da~2, %x\n", gProcessNameOffset));
// //// }
// //if (PsLookupProcessByProcessId(pid, &curproc) == STATUS_SUCCESS)
// //{
// // //curproc = PsGetCurrentProcess();
//
// // nameptr = (PCHAR)curproc + s_ProcessNameOffset;
// // memcpy(theName, nameptr, NT_PROCNAMELEN);
// // theName[NT_PROCNAMELEN] = 0; /* NULL at end */
// // ObDereferenceObject(curproc);
// // return TRUE;
// //}
//
// return FALSE;
//}
NTSTATUS UDeleteFile(wchar_t* path)
{
OBJECT_ATTRIBUTES oa;
UNICODE_STRING FileNameUnicode;
// WCHAR szTemp[300] = L"\\??\\";
//HANDLE Directory = NULL;
NTSTATUS ntStatus = STATUS_SUCCESS;
// wcscat( szTemp , path );
RtlInitUnicodeString(&FileNameUnicode, path);
InitializeObjectAttributes(&oa, &FileNameUnicode, OBJ_CASE_INSENSITIVE, NULL, NULL);
ntStatus = ZwDeleteFile(&oa);
return ntStatus;
}
NTSTATUS UTerminateProcess(ULONG pid)
{
HANDLE ProcessHandle = NULL;
OBJECT_ATTRIBUTES ObjectAttributes = { 0, };
CLIENT_ID ClientId = { 0, };
NTSTATUS NtStatus = STATUS_SUCCESS;
ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
ObjectAttributes.RootDirectory = NULL;
ObjectAttributes.ObjectName = NULL;
ObjectAttributes.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
ObjectAttributes.SecurityDescriptor = NULL;
ObjectAttributes.SecurityQualityOfService = NULL;
ClientId.UniqueThread = 0;
ClientId.UniqueProcess = (HANDLE)pid;
NtStatus = ZwOpenProcess(
&ProcessHandle,
PROCESS_ALL_ACCESS,
&ObjectAttributes,
&ClientId);
if (!NT_SUCCESS(NtStatus))
{
return NtStatus;
}
NtStatus = ZwTerminateProcess(ProcessHandle, STATUS_SUCCESS);
if (ProcessHandle)
ZwClose(ProcessHandle);
return NtStatus;
}
BOOLEAN UGetDosFilePath(PFLT_VOLUME pVolume, UNICODE_STRING FilePath, PUNICODE_STRING OUT pDosFilePath)
{
NTSTATUS status = 0;
BOOLEAN bResult = FALSE;
PDEVICE_OBJECT devObj = NULL;
UNICODE_STRING VolumeName = { 0, };
UNICODE_STRING DosVolumeName = { 0, };
ULONG ulBufferNeeded = 0;
ULONG ulVolumeNameLength = 0;
if (pVolume == NULL)
{
return FALSE;
}
status = FltGetDiskDeviceObject(pVolume, &devObj);
if (NT_SUCCESS(status))
{
status = FltGetVolumeName(pVolume, NULL, &ulBufferNeeded);
if (status == STATUS_BUFFER_TOO_SMALL)
{
status = UStrNew(&VolumeName, (USHORT)(ulBufferNeeded + 1));
if (NT_SUCCESS(status))
{
status = FltGetVolumeName(pVolume, &VolumeName, &ulBufferNeeded);
if (NT_SUCCESS(status))
{
status = RtlVolumeDeviceToDosName(devObj, &DosVolumeName);
if (NT_SUCCESS(status) && VolumeName.Buffer != NULL)
{
ulVolumeNameLength = (ULONG)wcslen(VolumeName.Buffer);
status = UStrNew(pDosFilePath, DosVolumeName.MaximumLength + FilePath.MaximumLength);
if (NT_SUCCESS(status))
{
UStrCopy(pDosFilePath, &DosVolumeName);
wcscat(pDosFilePath->Buffer, FilePath.Buffer + ulVolumeNameLength);
bResult = TRUE;
}
}
else
{
KLogEx(DEBUG_TRACE_INFO, "RtlVolumeDeviceToDosName Return Fail %x \n", status);
}
}
else
{
KLogEx(DEBUG_TRACE_ERROR, "FltGetVolumeName(2) Return Fail %x \n", status);
}
}
else
{
KLogEx(DEBUG_TRACE_ERROR, "IStrNew Return Fail %x \n", status);
}
UStrFree(&VolumeName);
}
else
{
KLogEx(DEBUG_TRACE_ERROR, "FltGetVolumeName(1) Return Fail %x \n", status);
}
}
else
{
KLogEx(DEBUG_TRACE_ERROR, "FltGetDiskDeviceObject Return Fail %x \n", status);
}
return bResult;
}
PFN_IoOpenDriverRegistryKey
UGetIoOpenDriverRegistryKey(
VOID
)
{
static PFN_IoOpenDriverRegistryKey pIoOpenDriverRegistryKey = NULL;
UNICODE_STRING FunctionName = { 0 };
if (pIoOpenDriverRegistryKey == NULL) {
RtlInitUnicodeString(&FunctionName, L"IoOpenDriverRegistryKey");
pIoOpenDriverRegistryKey = (PFN_IoOpenDriverRegistryKey)MmGetSystemRoutineAddress(&FunctionName);
}
return pIoOpenDriverRegistryKey;
}
NTSTATUS
UOpenServiceParametersKey(
_In_ PUNICODE_STRING RegistryPath,
_Out_ PHANDLE ServiceParametersKey
)
{
NTSTATUS Status;
HANDLE ServiceKey = NULL;
HANDLE ParametersKey = NULL;
OBJECT_ATTRIBUTES Attributes;
UNICODE_STRING SubKeyName;
// 1. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>Ʈ Ű <20><><EFBFBD><EFBFBD> (\Registry\...\bs1flt)
InitializeObjectAttributes(&Attributes,
RegistryPath,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
Status = ZwOpenKey(&ServiceKey, KEY_READ, &Attributes);
if (!NT_SUCCESS(Status)) {
return Status;
}
// 2. "Parameters" <20><><EFBFBD><EFBFBD> Ű <20><><EFBFBD><EFBFBD>
RtlInitUnicodeString(&SubKeyName, L"Parameters");
InitializeObjectAttributes(&Attributes,
&SubKeyName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
ServiceKey,
NULL);
Status = ZwOpenKey(&ParametersKey, KEY_READ, &Attributes);
// 3. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>Ʈ Ű<><C5B0> <20><><EFBFBD><EFBFBD> <20>ʿ<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>Ƿ<EFBFBD> <20><><EFBFBD><EFBFBD>
ZwClose(ServiceKey);
if (NT_SUCCESS(Status)) {
*ServiceParametersKey = ParametersKey;
}
return Status;
}
///NTSTATUS USetConfiguration(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath);
NTSTATUS
USetConfiguration(
_In_ PUNICODE_STRING RegistryPath // DriverObject<63><74> <20>ʿ<EFBFBD> <20><><EFBFBD><EFBFBD>
)
{
NTSTATUS status;
HANDLE settingsKey = NULL;
UNICODE_STRING valueName;
// <20><><EFBFBD><EFBFBD> ũ<><20>˳<EFBFBD><CBB3>ϰ<EFBFBD> <20><><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD>Ͱ<EFBFBD> ULONG<4E><47> <20>ƴ<EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>Ƿ<EFBFBD>)
UCHAR buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG)];
PKEY_VALUE_PARTIAL_INFORMATION value = (PKEY_VALUE_PARTIAL_INFORMATION)buffer;
ULONG resultLength;
// 1. Parameters Ű <20><><EFBFBD><EFBFBD>
status = UOpenServiceParametersKey(RegistryPath, &settingsKey);
if (!NT_SUCCESS(status)) {
return STATUS_SUCCESS;
}
// 2. DebugLevel <20><> <20>б<EFBFBD>
RtlInitUnicodeString(&valueName, L"DebugLevel");
status = ZwQueryValueKey(settingsKey,
&valueName,
KeyValuePartialInformation,
value,
sizeof(buffer),
&resultLength);
if (NT_SUCCESS(status) && value->Type == REG_DWORD) {
// <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> (extern <20><><EFBFBD><EFBFBD> <20>ʿ<EFBFBD>)
g_DebugLevel = *(PULONG)value->Data;
}
// 3. ProcessCreate <20><> <20>б<EFBFBD>
RtlInitUnicodeString(&valueName, L"ProcessCreate");
status = ZwQueryValueKey(settingsKey,
&valueName,
KeyValuePartialInformation,
value,
sizeof(buffer),
&resultLength);
if (NT_SUCCESS(status) && value->Type == REG_DWORD) {
g_bs1Flt.IsProcessCreate = *(PULONG)value->Data;
}
// 4. <20>ڵ<EFBFBD> <20>ݱ<EFBFBD> (<28>ʼ<EFBFBD>)
ZwClose(settingsKey);
return STATUS_SUCCESS;
}
//NTSTATUS
//ObOpenObjectByName(
// IN POBJECT_ATTRIBUTES ObjectAttributes,
// IN ULONG_PTR OPTIONAL,
// IN ULONG AccessMode,
// IN ULONG OPTIONAL2,
// IN ULONG DesiredAccess OPTIONAL,
// IN OUT PVOID ParseContext OPTIONAL,
// OUT PHANDLE Handle
//);
NTSYSAPI
NTSTATUS
NTAPI
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectPath,
IN ULONG Attributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID* ObjectPtr
);
extern POBJECT_TYPE* IoDriverObjectType;
PDRIVER_OBJECT SearchDriverObject(WCHAR* name)
{
NTSTATUS st;
//HANDLE Handle;
//OBJECT_ATTRIBUTES ObjectAttributes;
PDRIVER_OBJECT Object;
UNICODE_STRING Uni;
RtlInitUnicodeString(&Uni, name);
st = ObReferenceObjectByName(&Uni,
OBJ_CASE_INSENSITIVE,
NULL,
0,
*IoDriverObjectType,
KernelMode,
NULL,
&Object);
if (st != STATUS_SUCCESS)
{
// SHOW_DEBUG(("ObReferenceObjectByName fail(0x%X)", ntStatus));
return (PDRIVER_OBJECT)0;
}
ObDereferenceObject(Object);
/*
RtlInitUnicodeString(&Uni, name);
InitializeObjectAttributes(&ObjectAttributes,
&Uni,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
st = ObOpenObjectByName(&ObjectAttributes,
(ULONG_PTR)*IoDriverObjectType,
KernelMode,
0L,
0L,
0L,
&Handle);
if (st != STATUS_SUCCESS)
{
KLogEx(DEBUG_TRACE_INFO, "ObOpenObjectByName status(%08x)\n", st);
return (PDRIVER_OBJECT)0;
}
st = ObReferenceObjectByHandle(Handle,
0x80000000,
NULL,
KernelMode,
&Object,
NULL);
if (st != STATUS_SUCCESS)
{
ZwClose(Handle);
KLogEx(DEBUG_TRACE_INFO, "ObReferenceObjectByHandle status(%08x)\n", st);
return (PDRIVER_OBJECT)0;
}
ZwClose(Handle);
ObDereferenceObject(Object);
*/
return Object;
}
DWORD IsExceptionProcess(PPROCESS_MANAGER proccess_manager, ULONG cnt, WCHAR* processname)
{
//ULONG type = 0;
ULONG i = 0;
for (i = 0; i < cnt; ++i)
{
if (_wcsnicmp(processname, proccess_manager[i].path, proccess_manager[i].size) == 0)
return proccess_manager[i].type;
}
return PG_PID_UNDEFINED;
}
int ISWtoi(const WCHAR* pwszStr)
{
int dwRet = 0;
int dwTemp = 1;
int nCnt = (int)wcslen(pwszStr) - (int)1;
while (nCnt >= 0)
{
if (pwszStr[nCnt] >= L'0' && pwszStr[nCnt] <= L'9')
{
dwRet += ((pwszStr[nCnt] - 48) * dwTemp);
dwTemp *= 10;
}
nCnt--;
}
return dwRet;
}
VOID ISIPAddressToInt(PWCHAR ip_address, const ULONG ulLen, ULONG* pulIP)
{
WCHAR wszTemp[4][4] = { 0, };
ULONG ulTempIP = 0;
ULONG nlCnt = 0;
int nShift = 24;
int i = 0;
int j = 0;
for (nlCnt = 0; nlCnt < ulLen; nlCnt++)
{
if (ip_address[nlCnt] == L'.')
{
i++;
j = 0;
continue;
}
wszTemp[i][j] = ip_address[nlCnt];
j++;
}
for (nlCnt = 0; nlCnt < 4; nlCnt++)
{
ulTempIP = ISWtoi(wszTemp[nlCnt]);
if (nlCnt == 3)
{
*pulIP |= ulTempIP;
}
else
{
*pulIP |= ulTempIP << nShift;
}
nShift -= 8;
}
}
BOOLEAN ISIPAddress(PWCHAR pwszPath, const ULONG ulLen)
{
BOOLEAN bReturn = TRUE;
ULONG ulPeriod = 0;
ULONG ulCnt = 0;
if (ulLen < 7 || ulLen > 15)
{
return FALSE;
}
for (ulCnt = 0; ulCnt < ulLen; ulCnt++)
{
if (pwszPath[ulCnt] == L'.')
{
ulPeriod++;
continue;
}
if (!(pwszPath[ulCnt] >= L'0' && pwszPath[ulCnt] <= L'9'))
{
bReturn = FALSE;
break;
}
}
if (ulPeriod != 3)
{
bReturn = FALSE;
}
return bReturn;
}
void PrintHexData(unsigned char* data, int datalength)
{
char szBuffer[128] = { 0, };
size_t cbDest = sizeof(szBuffer);
size_t cbCurrentLen = 0;
int i = 0;
if (data == NULL || datalength <= 0) return;
for (i = 0; i < datalength; i++)
{
// <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20>̾<EFBFBD> <20><><EFBFBD>̱<EFBFBD>
RtlStringCbPrintfA(szBuffer + cbCurrentLen, cbDest - cbCurrentLen, "%02X ", data[i]);
cbCurrentLen += 3; // "XX " 3<><33><EFBFBD><EFBFBD>Ʈ <20><><EFBFBD><EFBFBD>
// 32<33><32><EFBFBD><EFBFBD>Ʈ <20><><EFBFBD><EFBFBD> Ȥ<><C8A4> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD>
if (((i + 1) % 32 == 0) || (i == datalength - 1))
{
KLogEx(DEBUG_TRACE_INFO, "%s", szBuffer);
// <20>ʱ<EFBFBD>ȭ
szBuffer[0] = '\0';
cbCurrentLen = 0;
}
}
}
// -----------------------------------------------------------------------------
// [<5B><><EFBFBD><EFBFBD> API] <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>ϴ<EFBFBD> <20>Լ<EFBFBD>
// -----------------------------------------------------------------------------
NTSTATUS GetAllVolumeDetails(
_In_ PFLT_INSTANCE Instance,
_Out_ PVOLUME_DETAILS pOutDetails
)
{
NTSTATUS status;
IO_STATUS_BLOCK iosb;
// <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>͸<EFBFBD> <20>ޱ<EFBFBD> <20><><EFBFBD><EFBFBD> <20>ӽ<EFBFBD> <20><><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD> 1KB)
UCHAR buffer[1024];
if (!pOutDetails) return STATUS_INVALID_PARAMETER;
// <20><><EFBFBD><EFBFBD>ü <20>ʱ<EFBFBD>ȭ
RtlZeroMemory(pOutDetails, sizeof(VOLUME_DETAILS));
RtlZeroMemory(buffer, sizeof(buffer));
// =========================================================================
// 1. <20><20><><EFBFBD><EFBFBD> (FileFsSizeInformation) - <20><><EFBFBD><EFBFBD> <20>߿<EFBFBD>
// =========================================================================
{
FILE_FS_SIZE_INFORMATION info;
status = FltQueryVolumeInformation(Instance, &iosb, &info, sizeof(info), FileFsSizeInformation);
if (NT_SUCCESS(status))
{
pOutDetails->TotalBytes = info.TotalAllocationUnits.QuadPart * info.SectorsPerAllocationUnit * info.BytesPerSector;
pOutDetails->FreeBytes = info.AvailableAllocationUnits.QuadPart * info.SectorsPerAllocationUnit * info.BytesPerSector;
}
}
// =========================================================================
// 2. <20><><EFBFBD><EFBFBD> <20><20><><EFBFBD><EFBFBD> (FileFsVolumeInformation) - <20><><EFBFBD><EFBFBD>, <20>ø<EFBFBD><C3B8><EFBFBD>
// =========================================================================
{
PFILE_FS_VOLUME_INFORMATION info = (PFILE_FS_VOLUME_INFORMATION)buffer;
RtlZeroMemory(buffer, sizeof(buffer));
status = FltQueryVolumeInformation(Instance, &iosb, info, sizeof(buffer), FileFsVolumeInformation);
if (NT_SUCCESS(status))
{
pOutDetails->VolumeSerialNumber = info->VolumeSerialNumber;
// <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> (Buffer Overflow <20><><EFBFBD><EFBFBD>)
if (info->VolumeLabelLength > 0)
{
ULONG copyLen = min(info->VolumeLabelLength, sizeof(pOutDetails->VolumeLabel) - sizeof(WCHAR));
RtlCopyMemory(pOutDetails->VolumeLabel, info->VolumeLabel, copyLen);
pOutDetails->VolumeLabel[copyLen / sizeof(WCHAR)] = L'\0'; // Null Termination
}
}
}
// =========================================================================
// 3. <20><><EFBFBD><EFBFBD> <20>ý<EFBFBD><C3BD><EFBFBD> <20>Ӽ<EFBFBD> (FileFsAttributeInformation) - FS<46≯<EFBFBD>, Flag
// =========================================================================
{
PFILE_FS_ATTRIBUTE_INFORMATION info = (PFILE_FS_ATTRIBUTE_INFORMATION)buffer;
RtlZeroMemory(buffer, sizeof(buffer));
status = FltQueryVolumeInformation(Instance, &iosb, info, sizeof(buffer), FileFsAttributeInformation);
if (NT_SUCCESS(status))
{
pOutDetails->FileSystemAttributes = info->FileSystemAttributes;
// FS <20≯<EFBFBD> <20><><EFBFBD><EFBFBD> (<28><>: NTFS)
if (info->FileSystemNameLength > 0)
{
ULONG copyLen = min(info->FileSystemNameLength, sizeof(pOutDetails->FileSystemName) - sizeof(WCHAR));
RtlCopyMemory(pOutDetails->FileSystemName, info->FileSystemName, copyLen);
pOutDetails->FileSystemName[copyLen / sizeof(WCHAR)] = L'\0';
}
}
}
// =========================================================================
// 4. <20><><EFBFBD><EFBFBD><EFBFBD>̽<EFBFBD> <20><><EFBFBD><EFBFBD> (FileFsDeviceInformation)
// =========================================================================
{
FILE_FS_DEVICE_INFORMATION info;
status = FltQueryVolumeInformation(Instance, &iosb, &info, sizeof(info), FileFsDeviceInformation);
if (NT_SUCCESS(status))
{
pOutDetails->DeviceType = info.DeviceType;
pOutDetails->DeviceCharacteristics = info.Characteristics;
}
}
// =========================================================================
// 5. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> (FileFsSectorSizeInformation) - Win7 <20>̻<EFBFBD>
// =========================================================================
{
FILE_FS_SECTOR_SIZE_INFORMATION info;
status = FltQueryVolumeInformation(Instance, &iosb, &info, sizeof(info), FileFsSectorSizeInformation);
if (NT_SUCCESS(status))
{
pOutDetails->PhysicalBytesPerSector = info.PhysicalBytesPerSectorForPerformance;
pOutDetails->LogicalBytesPerSector = info.LogicalBytesPerSector;
}
else
{
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>ʴ<EFBFBD> OS<4F><53> 0<><30><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
pOutDetails->PhysicalBytesPerSector = 0;
pOutDetails->LogicalBytesPerSector = 0;
}
}
// =========================================================================
// 6. <20><><EFBFBD><EFBFBD> GUID (FileFsGuidInformation) - Win10 <20>̻<EFBFBD> (Optional)
// =========================================================================
{
// <20><><EFBFBD><EFBFBD>ü <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD> WDK ȣȯ<C8A3><C8AF>)
typedef struct _LOC_FILE_FS_GUID_INFORMATION {
GUID FsGuid;
} LOC_FILE_FS_GUID_INFORMATION;
LOC_FILE_FS_GUID_INFORMATION info;
status = FltQueryVolumeInformation(Instance, &iosb, &info, sizeof(info), FileFsGuidInformation);
if (NT_SUCCESS(status))
{
pOutDetails->VolumeGuid = info.FsGuid;
}
}
// <20>ٽ<EFBFBD> <20><><EFBFBD><EFBFBD>(Size <20><>)<29><> <20><> <20><><EFBFBD>ߴ<EFBFBD><DFB4><EFBFBD><EFBFBD><EFBFBD> <20>Լ<EFBFBD> <20><>ü<EFBFBD><C3BC> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>ȯ<EFBFBD>Ͽ<EFBFBD>
// <20>κ<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20>ְ<EFBFBD> <20><>.
return STATUS_SUCCESS;
}
// JSON<4F><4E> <20><><EFBFBD><20><> <20>ֵ<EFBFBD><D6B5><EFBFBD> <20><EFBFBD><E9BDBD><EFBFBD><EFBFBD>(\)<29><> ū<><C5AB><EFBFBD><EFBFBD>ǥ(")<29><> <20>̽<EFBFBD><CCBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ó<><C3B3><EFBFBD>ϴ<EFBFBD> <20>Լ<EFBFBD>
NTSTATUS EscapeJsonStringW(
_In_ PWCHAR Src,
_Out_writes_z_(DestSizeInChars) PWCHAR Dest,
_In_ size_t DestSizeInChars
)
{
size_t i = 0, j = 0;
if (!Src || !Dest || DestSizeInChars == 0)
return STATUS_INVALID_PARAMETER;
while (Src[i] != L'\0')
{
// 1. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ó<EFBFBD> ū<><C5AB><EFBFBD><EFBFBD>ǥ<EFBFBD><C7A5> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>տ<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>ϳ<EFBFBD> <20><> <20>߰<EFBFBD>
if (Src[i] == L'\\' || Src[i] == L'"')
{
if (j + 2 >= DestSizeInChars)
return STATUS_BUFFER_TOO_SMALL; // <20><><EFBFBD><EFBFBD> <20>ʰ<EFBFBD> <20><><EFBFBD><EFBFBD>
Dest[j++] = L'\\';
Dest[j++] = Src[i];
}
// 2. <20>Ϲ<EFBFBD> <20><><EFBFBD><EFBFBD>
else
{
if (j + 1 >= DestSizeInChars)
return STATUS_BUFFER_TOO_SMALL;
Dest[j++] = Src[i];
}
i++;
}
Dest[j] = L'\0'; // <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20>߰<EFBFBD>
return STATUS_SUCCESS;
}
Reference in New Issue View Git Blame Copy Permalink