#include "precomp.h"
// Per-device-type policy table, indexed by the BDC_* device type; valid indices
// are 0..BDC_MAX_DEVICE_TYPE-1. Zero-filled here and again by Initpolicy().
static DEVICE_POLICY s_policy[BDC_MAX_DEVICE_TYPE] = { 0, };
// Per-USB-class policy state, indexed by USB class code; class codes at or above
// BDC_USB_CLASS_VENDOR_SPECIFIC have no entry (IsUsbPolicyDisable() treats them
// as not disabled). Zero-filled here and again by Initpolicy().
static ULONG s_usb_policy[BDC_USB_CLASS_VENDOR_SPECIFIC] = { 0, };
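/*
 * Reset both policy tables to all-zero.
 *
 * Clears every entry of s_policy and s_usb_policy; afterwards each entry
 * holds the same value as one that was never set by SetPolicy() or
 * SetUsbPolicy(). Takes no parameters and returns nothing.
 */
void Initpolicy(void)
{
    // Explicit (void) prototype: an empty parameter list is an old-style
    // declaration and does not let the compiler check call sites.
    RtlZeroMemory(s_policy, sizeof(s_policy));
    RtlZeroMemory(s_usb_policy, sizeof(s_usb_policy));
}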
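/*
 * Record the policy for one device type.
 *
 * @param device_type  index into s_policy (one of the BDC_* device types);
 *                     an out-of-range value is ignored instead of being
 *                     written past the end of the table
 * @param state        policy state; the readers compare it against
 *                     ENABLE / DISABLE
 * @param islog        logging flag stored verbatim for IsPolicyLog()
 */
void SetPolicy(ULONG device_type, ULONG state, ULONG islog)
{
    // s_policy has BDC_MAX_DEVICE_TYPE entries; without this check an
    // unexpected device_type is an out-of-bounds write in kernel memory.
    // Same guard pattern as IsUsbPolicyDisable().
    if (device_type >= sizeof s_policy / sizeof s_policy[0]) {
        return;
    }

    s_policy[device_type].device_type = device_type;
    s_policy[device_type].state = state;
    s_policy[device_type].islog = islog;
}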
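/*
 * Return the recorded policy state for a device type.
 *
 * @param device_type  index into s_policy (one of the BDC_* device types)
 * @return the stored state; 0 for an out-of-range index, which is also what
 *         an entry that was never set holds, since the table is zero-filled
 */
ULONG GetPolicyState(ULONG device_type)
{
    // Guard the read the same way SetPolicy()/IsUsbPolicyDisable() guard
    // their table accesses.
    if (device_type >= sizeof s_policy / sizeof s_policy[0]) {
        return 0;
    }

    return s_policy[device_type].state;
}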
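/*
 * Report whether the policy for a device type is DISABLE.
 *
 * @param device_type  index into s_policy (one of the BDC_* device types)
 * @return TRUE when the stored state equals DISABLE; FALSE otherwise,
 *         including for an out-of-range index
 */
BOOLEAN IsPolicyDisable(ULONG device_type)
{
    // Out-of-range device types have no policy entry; report "not disabled"
    // rather than reading past the end of s_policy.
    if (device_type >= sizeof s_policy / sizeof s_policy[0]) {
        return FALSE;
    }

    if (s_policy[device_type].state == DISABLE) {
        return TRUE;
    }

    return FALSE;
}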
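/*
 * Return the logging flag recorded for a device type.
 *
 * @param device_type  index into s_policy (one of the BDC_* device types)
 * @return the islog value stored by SetPolicy(); 0 for an out-of-range
 *         index, which is also what a never-set entry holds
 */
ULONG IsPolicyLog(ULONG device_type)
{
    // Same bounds guard as the other s_policy accessors.
    if (device_type >= sizeof s_policy / sizeof s_policy[0]) {
        return 0;
    }

    return s_policy[device_type].islog;
}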
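/*
 * Record the policy state for one USB class.
 *
 * @param usb_classtype  USB class code used as index into s_usb_policy;
 *                       values at or above BDC_USB_CLASS_VENDOR_SPECIFIC
 *                       have no entry and are ignored
 * @param state          policy state; IsUsbPolicyDisable() compares it
 *                       against DISABLE
 */
void SetUsbPolicy(ULONG usb_classtype, ULONG state)
{
    // Mirror the bounds check IsUsbPolicyDisable() already performs on the
    // read side; an unchecked index here is an out-of-bounds write.
    if (usb_classtype >= sizeof s_usb_policy / sizeof s_usb_policy[0]) {
        return;
    }

    s_usb_policy[usb_classtype] = state;
}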
/*
 * Report whether the policy for a USB class is DISABLE.
 *
 * @param usb_classtype  USB class code used as index into s_usb_policy
 * @return TRUE when the class has an entry whose state equals DISABLE;
 *         FALSE for any other state and for class codes at or above
 *         BDC_USB_CLASS_VENDOR_SPECIFIC, which have no entry
 */
BOOLEAN IsUsbPolicyDisable(ULONG usb_classtype)
{
    // The range check is evaluated first so the table is never indexed with
    // a class code it has no slot for.
    if (usb_classtype < BDC_USB_CLASS_VENDOR_SPECIFIC &&
        s_usb_policy[usb_classtype] == DISABLE) {
        return TRUE;
    }

    return FALSE;
}
//ULONG IsNetwork(PFLT_CALLBACK_DATA data, PCFLT_RELATED_OBJECTS fltobject)
//{
// ULONG create_character = 0;
// ULONG device_type = 0;
// ULONG state = DEVICE_UNKNOWN;
// PVOLUME_CONTEXT vctx = NULL;
// NTSTATUS ntstatus = STATUS_SUCCESS;
//
// create_character = fltobject->FileObject->DeviceObject->Characteristics;
// device_type = fltobject->FileObject->DeviceObject->DeviceType;
//
// if ((create_character & FILE_REMOTE_DEVICE) && (device_type == FILE_DEVICE_NETWORK_FILE_SYSTEM))
// {
// return DEVICE_NETWORKDRIVEOUT;
// }
// return FALSE;
//}
/*
 * Classify the device behind a minifilter operation into a BDC_* device type.
 *
 * The classification is driven by the DeviceObject's Characteristics and
 * DeviceType (removable media, floppy, CD-ROM, remote file system). Anything
 * else is treated as a local disk, with two refinements:
 *   - on IRP_MJ_CREATE, while the BDC_NETWORKDRIVEIN policy is not ENABLE, the
 *     caller's token source is inspected and BDC_NETWORKDRIVEIN is returned
 *     for the "NtLmSsp "/"KSecDD " sources (inbound network access);
 *   - when the BDC_EXTERNALHDD policy is not ENABLE or is being logged, the
 *     volume context's bus type decides between BDC_LOCAL_DISK and
 *     BDC_EXTERNALHDD.
 *
 * @param data       callback data; only read in the local-disk branch, for
 *                   MajorFunction and the create SecurityContext
 * @param fltobject  related objects; FileObject->DeviceObject, Filter and
 *                   Volume are used
 * @return a BDC_* device type. BDC_UNKNOWN_DEV is returned when the volume
 *         context lookup fails.
 *
 * NOTE(review): fltobject->FileObject is dereferenced unconditionally below;
 * assumes every caller passes an operation that carries a FileObject — confirm.
 */
ULONG GetDeviceType(PFLT_CALLBACK_DATA data, PCFLT_RELATED_OBJECTS fltobject)
{
    ULONG create_character = fltobject->FileObject->DeviceObject->Characteristics;
    ULONG device_type = fltobject->FileObject->DeviceObject->DeviceType;
    ULONG state = BDC_UNKNOWN_DEV;
    PVOLUME_CONTEXT vctx = NULL;
    NTSTATUS ntstatus = STATUS_SUCCESS;

    /// Removable disk: floppy if the diskette flag is also set, otherwise USB disk.
    if ((create_character & FILE_REMOVABLE_MEDIA) && (device_type == FILE_DEVICE_DISK))
    {
        if ((create_character & FILE_FLOPPY_DISKETTE))
            state = BDC_FLOOPY;
        else
            state = BDC_USB_DISK;
    }
    /// Floppy diskette without the removable-media flag.
    else if ((create_character & FILE_FLOPPY_DISKETTE) && (device_type == FILE_DEVICE_DISK))
    {
        state = BDC_FLOOPY;
    }
    /// CD-ROM.
    else if (device_type == FILE_DEVICE_CD_ROM)
    {
        state = BDC_CDROM;
    }
    /// Remote (network) file system: outbound network drive.
    else if ((create_character & FILE_REMOTE_DEVICE) && (device_type == FILE_DEVICE_NETWORK_FILE_SYSTEM))
    {
        state = BDC_NETWORKDRIVEOUT;
    }
    else
    {
        // Inbound network access is only checked while its policy is not ENABLE.
        if (GetPolicyState(BDC_NETWORKDRIVEIN) != ENABLE)
        {
            PSECURITY_SUBJECT_CONTEXT subjectContext = NULL;
            PACCESS_TOKEN accessToken = NULL;
            PTOKEN_SOURCE tokenSource = NULL;
            ULONG majorfunction = data->Iopb->MajorFunction;

            if (majorfunction == IRP_MJ_CREATE)
            {
                // 1. Take the subject security context straight from the create
                //    parameters (no SeCaptureSubjectContext needed).
                if (data->Iopb->Parameters.Create.SecurityContext != NULL &&
                    data->Iopb->Parameters.Create.SecurityContext->AccessState != NULL)
                {
                    subjectContext = &data->Iopb->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext;

                    // 2. Fetch the token for that subject.
                    // NOTE(review): confirm whether the subject context must be
                    // locked around this query for the create path used here.
                    accessToken = SeQuerySubjectContextToken(subjectContext);

                    if (accessToken)
                    {
                        // 3. Query TokenSource. SeQueryInformationToken allocates
                        //    the result buffer; it must be freed on every path.
                        ntstatus = SeQueryInformationToken(accessToken, TokenSource, (PVOID)&tokenSource);

                        if (NT_SUCCESS(ntstatus) && tokenSource != NULL)
                        {
                            // [Important] SourceName is not NUL-terminated, hence %.8s below.

                            // 4. Compare the source name against NtLmSsp / KSecDD.
                            //    TOKEN_SOURCE_LENGTH is 8, so this is an exact 8-byte
                            //    compare including the literal's terminating NUL for
                            //    "KSecDD " (7 chars) — confirm the padding the real
                            //    sources use, or the second match may never fire.
                            //    This token-source match is a heuristic for inbound
                            //    network sessions, not an authoritative origin check.
                            if ((RtlCompareMemory(tokenSource->SourceName, "NtLmSsp ", TOKEN_SOURCE_LENGTH) == TOKEN_SOURCE_LENGTH) ||
                                (RtlCompareMemory(tokenSource->SourceName, "KSecDD ", TOKEN_SOURCE_LENGTH) == TOKEN_SOURCE_LENGTH))
                            {
                                // NOTE(review): PsGetCurrentProcessId() returns a HANDLE;
                                // if KLogEx is printf-like, %x does not match its width on
                                // 64-bit builds — consider casting to ULONG or using %p.
                                KLogEx(DEBUG_TRACE_ERROR, "DEVICE_NETWORKDRIVEIN Check: pid(%x), Token Source=[%.8s], create_char=[%x], type=[%x]\n",
                                    PsGetCurrentProcessId(), tokenSource->SourceName, create_character, device_type);
                                KLogEx(DEBUG_TRACE_ERROR, "DEVICE_NETWORKDRIVEIN Detected! Blocking.\n");

                                // Free the token source buffer, then return.
                                ExFreePool(tokenSource);
                                return BDC_NETWORKDRIVEIN;
                            }

                            // No match: still release the token source buffer.
                            ExFreePool(tokenSource);
                        }
                    }
                }
            }
        }

        state = BDC_LOCAL_DISK;
        // The bus-type lookup is only worth its cost when the external-HDD policy
        // is not ENABLE or is being logged. Note IsPolicyLog() returns the raw
        // islog value, so only exactly TRUE (1) counts here.
        if (GetPolicyState(BDC_EXTERNALHDD) != ENABLE || IsPolicyLog(BDC_EXTERNALHDD) == TRUE)
        {
            if (device_type == FILE_DEVICE_DISK)
            {
                /// Only for plain disks (device_type == FILE_DEVICE_DISK) do we
                /// consult the volume context.
                // NOTE(review): a failed lookup discards the BDC_LOCAL_DISK
                // classification already made above and reports unknown — confirm
                // that is the intended policy outcome.
                ntstatus = FltGetVolumeContext(fltobject->Filter, fltobject->Volume, &vctx);
                if (!NT_SUCCESS(ntstatus))
                    return BDC_UNKNOWN_DEV;

                // 7 is BusTypeUsb (STORAGE_BUS_TYPE); a named constant would be clearer.
                if (vctx->bustype == 7) ///BusTypeUsb
                {
                    /// USB-attached disk: classify as external hard disk.
                    state = BDC_EXTERNALHDD;
                }

                // Balance the reference taken by FltGetVolumeContext.
                FltReleaseContext(vctx);
            }
        }
    }

    return state;
}