/*
* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
*
* Module Name:
*
* section.c
*
* Abstract:
*
* This module defines various routines used for hooking section objects related routines.
* Section objects are objects that can be mapped into the virtual address space of a process.
* The Win32 API refers to section objects as file-mapping objects.
*
* Hooked routines protect "\Device\PhysicalMemory" device from being accessed.
*
* Author:
*
* Eugene Tsyrklevich 29-Feb-2004
*
* Revision History:
*
* None.
*/
#include <NTDDK.h>
#include "section.h"
#include "hookproc.h"
#include "pathproc.h"
#include "process.h"
#include "accessmask.h"
#include "procname.h"
#include "learn.h"
#include "log.h"
#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, InitSectionHooks)
#endif
/*
 * Saved entry points of the real system services. InitSectionHooks() fills the first two from
 * ZwCalls[].OriginalFunction; every hook below forwards to its pointer (after an ASSERT that it
 * was set), so a NULL here means the corresponding hook must not be installed.
 */
fpZwCreateSection OriginalNtCreateSection = NULL;
fpZwOpenSection OriginalNtOpenSection = NULL;
/* Stays NULL: the lookup for this one in InitSectionHooks() is currently disabled. */
fpZwMapViewOfSection OriginalNtMapViewOfSection = NULL;
// XXX make sure symbolic links to \Device\PhysicalMemory cannot be created, or at least that every link is resolved before the name check!
// http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-rutkowski/bh-us-03-rutkowski-r2.pdf
/*
 * HookedNtCreateSection()
 *
 * Description:
 * Wrapper installed in place of the NtCreateSection() system service. The request is forwarded
 * to the original service unchanged; when LearningMode is set, the section name carried by
 * ObjectAttributes is recorded as a rule so a policy can be derived from observed behaviour.
 *
 * NOTE(review): no policy check is visible in this body and HOOK_ROUTINE_FINISH(SECTION) is
 * disabled, so any enforcement behind the STATUS_ACCESS_DENIED contract below must come from
 * HOOK_ROUTINE_START/HOOK_ROUTINE_EXIT - confirm there. The name is fetched with
 * DO_NOT_RESOLVE_LINKS, so a symbolic link is learned under its link name, not its target.
 *
 * Parameters:
 * Those of NtCreateSection().
 *
 * Returns:
 * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
 * Otherwise, NTSTATUS returned by NtCreateSection().
 */
NTSTATUS
NTAPI
HookedNtCreateSection
(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PLARGE_INTEGER SectionSize OPTIONAL,
    IN ULONG Protect,
    IN ULONG Attributes,
    IN HANDLE FileHandle
)
{
    PCHAR FunctionName = "HookedNtCreateSection";

    HOOK_ROUTINE_START(SECTION);

    ASSERT(OriginalNtCreateSection);

    /* Forward first; learning below records what was asked for, not what was granted. */
    rc = OriginalNtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes, SectionSize,
                                 Protect, Attributes, FileHandle);

    /* Only learn when a name could be extracted from the object attributes. */
    if (LearningMode == TRUE
        && GetPathFromOA(ObjectAttributes, SECTIONNAME, MAX_PATH, DO_NOT_RESOLVE_LINKS))
    {
        /*
         * \KnownDlls\* sections are treated as DLL rules, and are learned even when the
         * service failed: not every DLL that exists is a "known" one yet.
         * Any other section is learned only if the service actually succeeded.
         */
        BOOLEAN isKnownDll = (_strnicmp(SECTIONNAME, "\\KnownDlls\\", 11) == 0);

        if (isKnownDll)
        {
            AddRule(RULE_DLL, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
        }
        else if (NT_SUCCESS(rc))
        {
            AddRule(RULE_SECTION, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
        }
    }

    HOOK_ROUTINE_EXIT(rc);
}
/*
 * HookedNtOpenSection()
 *
 * Description:
 * Wrapper installed in place of the NtOpenSection() system service. The request is forwarded
 * to the original service unchanged; when LearningMode is set, the section name carried by
 * ObjectAttributes is recorded as a rule so a policy can be derived from observed behaviour.
 *
 * NOTE(review): no policy check is visible in this body and HOOK_ROUTINE_FINISH(SECTION) is
 * disabled, so any enforcement behind the STATUS_ACCESS_DENIED contract below must come from
 * HOOK_ROUTINE_START/HOOK_ROUTINE_EXIT - confirm there. The name is fetched with
 * DO_NOT_RESOLVE_LINKS, so a symbolic link is learned under its link name, not its target.
 *
 * Parameters:
 * Those of NtOpenSection().
 *
 * Returns:
 * STATUS_ACCESS_DENIED if the call does not pass the security policy check.
 * Otherwise, NTSTATUS returned by NtOpenSection().
 */
NTSTATUS
NTAPI
HookedNtOpenSection
(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
)
{
    PCHAR FunctionName = "HookedNtOpenSection";

    HOOK_ROUTINE_START(SECTION);

    ASSERT(OriginalNtOpenSection);

    /* Forward first; learning below records what was asked for, not what was granted. */
    rc = OriginalNtOpenSection(SectionHandle, DesiredAccess, ObjectAttributes);

    /* Only learn when a name could be extracted from the object attributes. */
    if (LearningMode == TRUE
        && GetPathFromOA(ObjectAttributes, SECTIONNAME, MAX_PATH, DO_NOT_RESOLVE_LINKS))
    {
        /*
         * \KnownDlls\* sections are treated as DLL rules, and are learned even when the
         * service failed: not every DLL that exists is a "known" one yet.
         * Any other section is learned only if the service actually succeeded.
         */
        BOOLEAN isKnownDll = (_strnicmp(SECTIONNAME, "\\KnownDlls\\", 11) == 0);

        if (isKnownDll)
        {
            AddRule(RULE_DLL, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
        }
        else if (NT_SUCCESS(rc))
        {
            AddRule(RULE_SECTION, SECTIONNAME, Get_SECTION_OperationType(DesiredAccess));
        }
    }

    HOOK_ROUTINE_EXIT(rc);
}
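/*
 * HookedNtMapViewOfSection()
 *
 * Description:
 * Wrapper installed in place of the NtMapViewOfSection() system service. It performs no check
 * of its own and simply forwards the call: this service receives a section HANDLE rather than
 * OBJECT_ATTRIBUTES, so there is no section name here to test against the policy; name-based
 * mediation of sections happens in HookedNtCreateSection()/HookedNtOpenSection().
 *
 * NOTE(review): InitSectionHooks() currently leaves OriginalNtMapViewOfSection NULL (its
 * lookup is disabled), so this hook must not be installed until that is re-enabled; the
 * ASSERT below only catches that in builds where ASSERT is active.
 *
 * NOTE: ZwMapViewOfSection maps a view of a section to a range of virtual addresses. [NAR]
 *
 * Parameters:
 * Those of NtMapViewOfSection().
 *
 * Returns:
 * NTSTATUS returned by NtMapViewOfSection().
 */
NTSTATUS
NTAPI
HookedNtMapViewOfSection
(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN ULONG CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PULONG ViewSize,
    IN SECTION_INHERIT InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Protect
)
{
    /*
     * The former 512-byte "section" name buffer and the disabled GetPathFromOA() sketch that
     * used it were removed: the sketch referenced an ObjectAttributes parameter this routine
     * does not have and could never have compiled, and the buffer was otherwise unused
     * kernel stack.
     */
    HOOK_ROUTINE_ENTER();

    ASSERT(OriginalNtMapViewOfSection);

    rc = OriginalNtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
                                    SectionOffset, ViewSize, InheritDisposition, AllocationType, Protect);

    HOOK_ROUTINE_EXIT(rc);
}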
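/*
 * InitSectionHooks()
 *
 * Description:
 * Captures the original section-service entry points that the hooks forward to. The
 * "OriginalFunction" slots of ZwCalls[] are filled by InstallSyscallsHooks(), which must run
 * before this function. Every hook ASSERTs its pointer is non-NULL, so a missing entry is
 * reported and treated as an initialization failure rather than left for a hook to find.
 *
 * NOTE: Called once during driver initialization (DriverEntry()); placed in the discardable
 * INIT section by the alloc_text pragma at the top of this file.
 *
 * Parameters:
 * None.
 *
 * Returns:
 * TRUE to indicate success, FALSE if failed.
 */
BOOLEAN
InitSectionHooks(void)
{
    OriginalNtCreateSection = (fpZwCreateSection) ZwCalls[ZW_CREATE_SECTION_INDEX].OriginalFunction;
    if (OriginalNtCreateSection == NULL)
    {
        LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("InitSectionHooks: OriginalNtCreateSection is NULL\n"));
        return FALSE;
    }

    OriginalNtOpenSection = (fpZwOpenSection) ZwCalls[ZW_OPEN_SECTION_INDEX].OriginalFunction;
    if (OriginalNtOpenSection == NULL)
    {
        LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("InitSectionHooks: OriginalNtOpenSection is NULL\n"));
        return FALSE;
    }

    /*
     * The NtMapViewOfSection lookup below is disabled, so OriginalNtMapViewOfSection stays
     * NULL and HookedNtMapViewOfSection() must not be installed while this is the case.
     *
    OriginalNtMapViewOfSection = (fpZwMapViewOfSection) ZwCalls[ZW_MAPVIEW_SECTION_INDEX].OriginalFunction;
    if (OriginalNtMapViewOfSection == NULL)
    {
        LOG(LOG_SS_SECTION, LOG_PRIORITY_DEBUG, ("InitSectionHooks: OriginalNtMapViewOfSection is NULL\n"));
        return FALSE;
    }
    */

    return TRUE;
}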