From 0b191fdb5533e062bebb622f9e3e09995b398961 Mon Sep 17 00:00:00 2001
From: Nodir Temirkhodjaev
Date: Tue, 22 Oct 2024 14:10:18 +0500
Subject: [PATCH] Driver: Minor refactor
---
 src/driver/common/fortconf.h | 2 +-
 src/driver/fortcout.c | 52 ++++++++++++++++++++++++++++++------
 src/driver/fortps.c | 4 +--
 3 files changed, 47 insertions(+), 11 deletions(-)
diff --git a/src/driver/common/fortconf.h b/src/driver/common/fortconf.h
index e549f3cd..45bd3bf1 100644
--- a/src/driver/common/fortconf.h
+++ b/src/driver/common/fortconf.h
@@ -226,7 +226,7 @@ typedef struct fort_app_data
 {
 FORT_APP_FLAGS flags;
 
- UINT16 is_new : 1; /* can replace an existing app data? */
+ UINT16 is_new : 1; /* can not replace an existing app data? */
 UINT16 found : 1; /* is app data not empty? */
 UINT16 alerted : 1;
 UINT16 rule_id : 13;
diff --git a/src/driver/fortcout.c b/src/driver/fortcout.c
index 113a90f9..24698cee 100644
--- a/src/driver/fortcout.c
+++ b/src/driver/fortcout.c
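Review bot: The reworded comment on the is_new bit, `/* can not replace an existing app data? */`, is a negated question and is easy to read either way; a bitfield comment is clearest when it states what the bit means when it is set. Something like `/* set: this entry must not overwrite an existing app data entry */` would remove the ambiguity, but the code that reads is_new is outside this hunk, so confirm that wording against it before changing the comment again.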
@@ -365,33 +365,69 @@ inline static void fort_callout_ale_classify_action(PCFORT_CALLOUT_ARG ca, } } +#if 0 +inline static BOOL fort_callout_ale_fill_path_sid(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx) +{ + const FWP_VALUE0 userIdField = ca->inFixedValues->incomingValue[ca->fi->userId].value; + if (userIdField.type != FWP_TOKEN_ACCESS_INFORMATION_TYPE) + return FALSE; + + const PTOKEN_ACCESS_INFORMATION tokenInfo = + (PTOKEN_ACCESS_INFORMATION) userIdField.tokenAccessInformation->data; + if (tokenInfo == NULL) + return FALSE; + + const PSID sid = tokenInfo->SidHash->SidAttr->Sid; + if (sid == NULL) + return FALSE; + + WCHAR buffer[256]; + UNICODE_STRING sid_str = { + .Length = 0, + .MaximumLength = sizeof(buffer), + .Buffer = buffer, + }; + + if (NT_SUCCESS(RtlConvertSidToUnicodeString(&sid_str, sid, /*allocate=*/FALSE))) { + LOG("TEST> pid=%d sid=%c%c%c%c%c%c%c%c%c%c%c%c\n", cx->process_id, (char) buffer[0], + (char) buffer[1], (char) buffer[2], (char) buffer[3], (char) buffer[4], + (char) buffer[5], (char) buffer[6], (char) buffer[7], (char) buffer[8], + (char) buffer[9], (char) buffer[10], (char) buffer[11]); + } + + return FALSE; +} +#endif + inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx) { - const UINT32 process_id = (UINT32) ca->inMetaValues->processId; - PFORT_APP_PATH real_path = &cx->real_path; + real_path->len = (UINT16) (ca->inMetaValues->processPath->size - sizeof(WCHAR)); /* chop terminating zero */ real_path->buffer = (PCWSTR) ca->inMetaValues->processPath->data; BOOL isSvcHost = FALSE; BOOL inherited = FALSE; - PFORT_APP_PATH path = &cx->path; - if (!fort_pstree_get_proc_name( - &fort_device()->ps_tree, process_id, path, &isSvcHost, &inherited)) { + + if (fort_pstree_get_proc_name( + &fort_device()->ps_tree, cx->process_id, path, &isSvcHost, &inherited)) { + if (!inherited) { + *real_path = *path; + } + } else { *path = *real_path; - } else if (!inherited) { - *real_path = *path; } - 
cx->process_id = process_id; cx->inherited = (UCHAR) inherited; } inline static void fort_callout_ale_check_conf( PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref) { + cx->process_id = (UINT32) ca->inMetaValues->processId; + fort_callout_ale_fill_path(ca, cx); cx->blocked = TRUE; diff --git a/src/driver/fortps.c b/src/driver/fortps.c index 94296683..60a755db 100644 --- a/src/driver/fortps.c +++ b/src/driver/fortps.c @@ -838,10 +838,10 @@ inline static void fort_pstree_update_service_proc( proc = fort_pstree_proc_new(ps_tree, pid_hash); proc->process_id = processId; - proc->flags = 0; + proc->flags = FORT_PSNODE_IS_SVCHOST; } - if (proc != NULL && proc->ps_name == NULL) { + if (proc->ps_name == NULL) { PFORT_PSNAME ps_name = fort_pstree_create_service_name(ps_tree, serviceName); fort_pstree_proc_set_service_name(proc, ps_name);
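Review bot: fort_callout_ale_fill_path now reads cx->process_id instead of computing it, so it silently depends on fort_callout_ale_check_conf having stored `cx->process_id = (UINT32) ca->inMetaValues->processId;` before the call, and nothing in the hunk records that ordering. I would put a comment above the pstree lookup, `/* Precondition: cx->process_id was set by the caller before this call. */`, so a future caller cannot hand an uninitialised pid to fort_pstree_get_proc_name. The `#if 0` block fort_callout_ale_fill_path_sid is dead code checked into the driver: it dereferences `tokenInfo->SidHash->SidAttr->Sid` without checking SidHash or SidAttr, narrows each WCHAR of the SID string to char in a "TEST>" LOG, and always returns FALSE, so it should be either finished with the missing checks or dropped rather than left disabled. The body of fort_callout_ale_check_conf continues past the end of the hunk.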
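Review bot: Dropping `proc != NULL &&` from the ps_name check is only safe if fort_pstree_proc_new can never return NULL, and nothing in the hunk shows that; the context line `proc->process_id = processId;` already dereferences the fresh node, so a NULL result would fault there first, which means the old guard was either dead or in the wrong place. I would either record the assumption once at the proc_new call, `/* fort_pstree_proc_new() cannot return NULL here (TODO: confirm against its allocator) */`, or keep a single `if (proc == NULL) return;` directly after it so the node is checked before any field is written. Initialising the new node with `proc->flags = FORT_PSNODE_IS_SVCHOST;` instead of 0 also changes what the node advertises from the moment it exists; a short comment on why every node created through fort_pstree_update_service_proc is a svchost would help the next reader. fort_pstree_update_service_proc starts and ends outside the hunk.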