diff --git a/src/driver/common/common_types.h b/src/driver/common/common_types.h
index 411561a9..b9c440c1 100644
--- a/src/driver/common/common_types.h
+++ b/src/driver/common/common_types.h
@@ -20,6 +20,14 @@ typedef union ip_addr_t {
 ip6_addr_t v6;
 } ip_addr_t;
+typedef struct fort_app_path
+{
+ unsigned short len;
+ const void *buffer;
+} FORT_APP_PATH, *PFORT_APP_PATH;
+
+typedef const FORT_APP_PATH *PCFORT_APP_PATH;
+
 #define UNUSED(p) ((void) (p))
 #endif // COMMON_TYPES_H
diff --git a/src/driver/common/fortconf.c b/src/driver/common/fortconf.c
index d0a87336..af08ec33 100644
--- a/src/driver/common/fortconf.c
+++ b/src/driver/common/fortconf.c
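Review bot: FORT_APP_PATH is introduced without a comment saying what `len` counts or whether `buffer` must be NUL-terminated, and both matter to every consumer in this commit: fortcnf.c indexes `path[path_len / sizeof(WCHAR)]` and fortcout.c sets `len` to `size - sizeof(WCHAR)`, so `len` is a byte count excluding the terminator, while wildmatch() callers read past `len` to a terminator that the type does not promise. Suggest documenting the contract at the definition: `/* Borrowed view of a UTF-16 path: len is the byte length without the terminating zero; buffer is not copied or owned. */`. `unsigned short` is also the only place in this diff that does not spell the width as `UINT16`; if that type is reachable from common_types.h, using it would keep the header consistent with `FORT_APP_ENTRY.path_len`, which `len` is compared against.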
@@ -168,28 +168,25 @@ FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
 return ip_included && !ip_excluded;
 }
-FORT_API BOOL fort_conf_app_exe_equal(
- const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
+FORT_API BOOL fort_conf_app_exe_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
 {
+ const UINT16 path_len = path->len;
+
 if (path_len != app_entry->path_len)
 return FALSE;
- return fort_memcmp(path, app_entry->path, path_len) == 0;
+ return fort_memcmp(path->buffer, app_entry->path, path_len) == 0;
 }
-static BOOL fort_conf_app_wild_equal(
- const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
+static BOOL fort_conf_app_wild_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
 {
- UNUSED(path_len);
-
- return wildmatch(app_entry->path, (const WCHAR *) path) == WM_MATCH;
+ return wildmatch(app_entry->path, path->buffer) == WM_MATCH;
 }
-typedef BOOL fort_conf_app_equal_func(
- const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len);
+typedef BOOL fort_conf_app_equal_func(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
-static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID path,
- UINT32 path_len, UINT32 apps_off, UINT16 apps_n, fort_conf_app_equal_func *app_equal_func)
+static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, PCFORT_APP_PATH path,
+ UINT32 apps_off, UINT16 apps_n, fort_conf_app_equal_func *app_equal_func)
 {
 const FORT_APP_DATA app_data = { 0 };
@@ -199,9 +196,9 @@ static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID
 const char *app_entries = (const char *) (conf->data + apps_off);
 do {
- const PFORT_APP_ENTRY app_entry = (const PFORT_APP_ENTRY) app_entries;
+ PCFORT_APP_ENTRY app_entry = (PCFORT_APP_ENTRY) app_entries;
- if (app_equal_func(app_entry, path, path_len))
+ if (app_equal_func(app_entry, path))
 return app_entry->app_data;
 app_entries += FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len);
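Review bot: fort_conf_app_wild_equal still ignores `path->len` and hands `path->buffer` to wildmatch() as a NUL-terminated wide string; with `buffer` now `const void *` the old `(const WCHAR *)` cast is gone and the implicit conversion hides that the matcher reads until a terminator rather than `len` bytes. Every caller that builds a FORT_APP_PATH from a counted buffer must therefore guarantee a terminator inside the allocation, which this function has no way to check. Suggest keeping the cast explicit and stating the contract at the call: `/* wildmatch() walks to the NUL terminator; path->len is not honored here */` followed by `return wildmatch(app_entry->path, (const WCHAR *) path->buffer) == WM_MATCH;`.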
@@ -211,32 +208,32 @@ static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID
 }
 FORT_API FORT_APP_DATA fort_conf_app_exe_find(
- const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len)
+ const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path)
 {
 UNUSED(context);
 return fort_conf_app_find_loop(
- conf, path, path_len, conf->exe_apps_off, conf->exe_apps_n, fort_conf_app_exe_equal);
+ conf, path, conf->exe_apps_off, conf->exe_apps_n, fort_conf_app_exe_equal);
 }
-static FORT_APP_DATA fort_conf_app_wild_find(
- const PFORT_CONF conf, const PVOID path, UINT32 path_len)
+static FORT_APP_DATA fort_conf_app_wild_find(const PFORT_CONF conf, PCFORT_APP_PATH path)
 {
 return fort_conf_app_find_loop(
- conf, path, path_len, conf->wild_apps_off, conf->wild_apps_n, fort_conf_app_wild_equal);
+ conf, path, conf->wild_apps_off, conf->wild_apps_n, fort_conf_app_wild_equal);
 }
-static int fort_conf_app_prefix_cmp(PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
+static int fort_conf_app_prefix_cmp(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
 {
+ UINT16 path_len = path->len;
+
 if (path_len > app_entry->path_len) {
 path_len = app_entry->path_len;
 }
- return fort_memcmp(path, app_entry->path, path_len);
+ return fort_memcmp(path->buffer, app_entry->path, path_len);
 }
-static FORT_APP_DATA fort_conf_app_prefix_find(
- const PFORT_CONF conf, const PVOID path, UINT32 path_len)
+static FORT_APP_DATA fort_conf_app_prefix_find(const PFORT_CONF conf, PCFORT_APP_PATH path)
 {
 const FORT_APP_DATA app_data = { 0 };
@@ -254,9 +251,9 @@ static FORT_APP_DATA fort_conf_app_prefix_find(
 do {
 const int mid = (low + high) / 2;
 const UINT32 app_off = app_offsets[mid];
- const PFORT_APP_ENTRY app_entry = (PFORT_APP_ENTRY) (app_entries + app_off);
+ PCFORT_APP_ENTRY app_entry = (PCFORT_APP_ENTRY) (app_entries + app_off);
- const int res = fort_conf_app_prefix_cmp(app_entry, path, path_len);
+ const int res = fort_conf_app_prefix_cmp(app_entry, path);
 if (res < 0) {
 high = mid - 1;
@@ -270,20 +267,20 @@ static FORT_APP_DATA fort_conf_app_prefix_find(
 return app_data;
 }
-FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, const PVOID path, UINT32 path_len,
+FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, PCFORT_APP_PATH path,
 fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context)
 {
 FORT_APP_DATA app_data;
- app_data = exe_find_func(conf, exe_context, path, path_len);
+ app_data = exe_find_func(conf, exe_context, path);
 if (app_data.found != 0)
 return app_data;
- app_data = fort_conf_app_wild_find(conf, path, path_len);
+ app_data = fort_conf_app_wild_find(conf, path);
 if (app_data.found != 0)
 return app_data;
- app_data = fort_conf_app_prefix_find(conf, path, path_len);
+ app_data = fort_conf_app_prefix_find(conf, path);
 return app_data;
 }
diff --git a/src/driver/common/fortconf.h b/src/driver/common/fortconf.h
index 91c84bed..e549f3cd 100644
--- a/src/driver/common/fortconf.h
+++ b/src/driver/common/fortconf.h
@@ -244,6 +244,8 @@ typedef struct fort_app_entry
 WCHAR path[2];
 } FORT_APP_ENTRY, *PFORT_APP_ENTRY;
+typedef const FORT_APP_ENTRY *PCFORT_APP_ENTRY;
+
 #define FORT_CONF_APP_ENTRY_PATH_OFF offsetof(FORT_APP_ENTRY, path)
 #define FORT_CONF_APP_ENTRY_SIZE(path_len) \
 (FORT_CONF_APP_ENTRY_PATH_OFF + (path_len) + sizeof(WCHAR)) /* include terminating zero */
@@ -317,7 +319,7 @@ typedef struct fort_conf_io
 (FORT_CONF_ADDR4_LIST_SIZE(ip4_n, pair4_n) + FORT_CONF_ADDR6_LIST_SIZE(ip6_n, pair6_n))
 typedef FORT_APP_DATA fort_conf_app_exe_find_func(
- const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len);
+ const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
 typedef BOOL fort_conf_zones_ip_included_func(
 void *ctx, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6);
@@ -348,13 +350,12 @@ FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
 #define fort_conf_ip_inet_included(conf, zone_func, ctx, remote_ip, isIPv6) \
 fort_conf_ip_included((conf), (zone_func), (ctx), (remote_ip), isIPv6, /*addr_group_index=*/1)
-FORT_API BOOL fort_conf_app_exe_equal(
- const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len);
+FORT_API BOOL fort_conf_app_exe_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
 FORT_API FORT_APP_DATA fort_conf_app_exe_find(
- const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len);
+ const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
-FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, const PVOID path, UINT32 path_len,
+FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, PCFORT_APP_PATH path,
 fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context);
 FORT_API BOOL fort_conf_app_group_blocked(const FORT_CONF_FLAGS conf_flags, FORT_APP_DATA app_data);
diff --git a/src/driver/common/fortlog.c b/src/driver/common/fortlog.c
index 2990632c..a57018f5 100644
--- a/src/driver/common/fortlog.c
+++ b/src/driver/common/fortlog.c
@@ -12,13 +12,14 @@ FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, U
 *up = pid;
 }
-FORT_API void fort_log_blocked_write(
- char *p, BOOL blocked, UINT32 pid, UINT32 path_len, const char *path)
+FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_APP_PATH path)
 {
+ const UINT16 path_len = path->len;
+
 fort_log_blocked_header_write(p, blocked, pid, path_len);
 if (path_len != 0) {
- RtlCopyMemory(p + FORT_LOG_BLOCKED_HEADER_SIZE, path, path_len);
+ RtlCopyMemory(p + FORT_LOG_BLOCKED_HEADER_SIZE, path->buffer, path_len);
 }
 }
@@ -54,14 +55,15 @@ void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL i
 void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
 UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
- const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
- const char *path)
+ const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path)
 {
+ const UINT16 path_len = path->len;
+
 fort_log_blocked_ip_header_write(p, isIPv6, inbound, inherited, block_reason, ip_proto,
 local_port, remote_port, local_ip, remote_ip, pid, path_len);
 if (path_len != 0) {
- RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path, path_len);
+ RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path->buffer, path_len);
 }
 }
@@ -98,12 +100,14 @@ FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_le
 *up = pid;
 }
-FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, UINT32 path_len, const char *path)
+FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, PCFORT_APP_PATH path)
 {
+ const UINT16 path_len = path->len;
+
 fort_log_proc_new_header_write(p, pid, path_len);
 if (path_len != 0) {
- RtlCopyMemory(p + FORT_LOG_PROC_NEW_HEADER_SIZE, path, path_len);
+ RtlCopyMemory(p + FORT_LOG_PROC_NEW_HEADER_SIZE, path->buffer, path_len);
 }
 }
diff --git a/src/driver/common/fortlog.h b/src/driver/common/fortlog.h
index 384f4c30..7f94a3d8 100644
--- a/src/driver/common/fortlog.h
+++ b/src/driver/common/fortlog.h
@@ -63,8 +63,7 @@ extern "C" {
 FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, UINT32 path_len);
-FORT_API void fort_log_blocked_write(
- char *p, BOOL blocked, UINT32 pid, UINT32 path_len, const char *path);
+FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_APP_PATH path);
 FORT_API void fort_log_blocked_header_read(
 const char *p, BOOL *blocked, UINT32 *pid, UINT32 *path_len);
@@ -75,8 +74,7 @@ FORT_API void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inboun
 FORT_API void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
 UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
- const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
- const char *path);
+ const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path);
 FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound,
 BOOL *inherited, UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port,
@@ -84,7 +82,7 @@ FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL
 FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len);
-FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, UINT32 path_len, const char *path);
+FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, PCFORT_APP_PATH path);
 FORT_API void fort_log_proc_new_header_read(const char *p, UINT32 *pid, UINT32 *path_len);
diff --git a/src/driver/fortbuf.c b/src/driver/fortbuf.c
index 784c23a1..801b3907 100644
--- a/src/driver/fortbuf.c
+++ b/src/driver/fortbuf.c
@@ -9,6 +9,17 @@
 #define FORT_BUFFER_POOL_TAG 'BwfF'
+static FORT_APP_PATH fort_buffer_adjust_log_path(PCFORT_APP_PATH path)
+{
+ FORT_APP_PATH log_path = *path;
+
+ if (log_path.len > FORT_LOG_PATH_MAX) {
+ log_path.len = 0; /* drop too long path */
+ }
+
+ return log_path;
+}
+
 static PFORT_BUFFER_DATA fort_buffer_data_new(PFORT_BUFFER buf)
 {
 PFORT_BUFFER_DATA data = buf->data_free;
@@ -155,15 +166,13 @@ FORT_API NTSTATUS fort_buffer_prepare(
 }
 FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
- UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info)
+ PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info)
 {
 NTSTATUS status;
- if (path_len > FORT_LOG_PATH_MAX) {
- path_len = 0; /* drop too long path */
- }
+ const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
- const UINT32 len = FORT_LOG_BLOCKED_SIZE(path_len);
+ const UINT32 len = FORT_LOG_BLOCKED_SIZE(log_path.len);
 KLOCK_QUEUE_HANDLE lock_queue;
 KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@@ -172,7 +181,7 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
 status = fort_buffer_prepare(buf, len, &out, irp, info);
 if (NT_SUCCESS(status)) {
- fort_log_blocked_write(out, blocked, pid, path_len, path);
+ fort_log_blocked_write(out, blocked, pid, &log_path);
 }
 }
 KeReleaseInStackQueuedSpinLock(&lock_queue);
@@ -182,18 +191,16 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
 NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound,
 BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
- const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
- const PVOID path, PIRP *irp, ULONG_PTR *info)
+ const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
+ PIRP *irp, ULONG_PTR *info)
 {
 FORT_CHECK_STACK(FORT_BUFFER_BLOCKED_IP_WRITE);
 NTSTATUS status;
- if (path_len > FORT_LOG_PATH_MAX) {
- path_len = 0; /* drop too long path */
- }
+ const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
- const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(path_len, isIPv6);
+ const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, isIPv6);
 KLOCK_QUEUE_HANDLE lock_queue;
 KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@@ -203,7 +210,7 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
 if (NT_SUCCESS(status)) {
 fort_log_blocked_ip_write(out, isIPv6, inbound, inherited, block_reason, ip_proto,
- local_port, remote_port, local_ip, remote_ip, pid, path_len, path);
+ local_port, remote_port, local_ip, remote_ip, pid, &log_path);
 }
 }
 KeReleaseInStackQueuedSpinLock(&lock_queue);
@@ -212,15 +219,13 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
 }
 FORT_API NTSTATUS fort_buffer_proc_new_write(
- PFORT_BUFFER buf, UINT32 pid, UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info)
+ PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info)
 {
 NTSTATUS status;
- if (path_len > FORT_LOG_PATH_MAX) {
- path_len = 0; /* drop too long path */
- }
+ const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
- const UINT32 len = FORT_LOG_PROC_NEW_SIZE(path_len);
+ const UINT32 len = FORT_LOG_PROC_NEW_SIZE(log_path.len);
 KLOCK_QUEUE_HANDLE lock_queue;
 KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@@ -229,7 +234,7 @@ FORT_API NTSTATUS fort_buffer_proc_new_write(
 status = fort_buffer_prepare(buf, len, &out, irp, info);
 if (NT_SUCCESS(status)) {
- fort_log_proc_new_write(out, pid, path_len, path);
+ fort_log_proc_new_write(out, pid, &log_path);
 }
 }
 KeReleaseInStackQueuedSpinLock(&lock_queue);
diff --git a/src/driver/fortbuf.h b/src/driver/fortbuf.h
index 4b483094..0e3b81b4 100644
--- a/src/driver/fortbuf.h
+++ b/src/driver/fortbuf.h
@@ -41,15 +41,15 @@ FORT_API NTSTATUS fort_buffer_prepare(
 PFORT_BUFFER buf, UINT32 len, PCHAR *out, PIRP *irp, ULONG_PTR *info);
 FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
- UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info);
+ PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
 FORT_API NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound,
 BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
- const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
- const PVOID path, PIRP *irp, ULONG_PTR *info);
+ const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
+ PIRP *irp, ULONG_PTR *info);
-FORT_API NTSTATUS fort_buffer_proc_new_write(PFORT_BUFFER buf, UINT32 pid, UINT32 path_len,
- const PVOID path, PIRP *irp, ULONG_PTR *info);
+FORT_API NTSTATUS fort_buffer_proc_new_write(
+ PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
 FORT_API NTSTATUS fort_buffer_xmove(
 PFORT_BUFFER buf, PIRP irp, PVOID out, ULONG out_len, ULONG_PTR *info);
diff --git a/src/driver/fortcnf.c b/src/driver/fortcnf.c
index d8790a7e..81199f55 100644
--- a/src/driver/fortcnf.c
+++ b/src/driver/fortcnf.c
@@ -43,13 +43,13 @@ FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag)
 }
 static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node(
- PFORT_CONF_REF conf_ref, const PVOID path, UINT32 path_len, tommy_key_t path_hash)
+ PFORT_CONF_REF conf_ref, PCFORT_APP_PATH path, tommy_key_t path_hash)
 {
 PFORT_CONF_EXE_NODE node =
 (PFORT_CONF_EXE_NODE) tommy_hashdyn_bucket(&conf_ref->exe_map, path_hash);
 while (node != NULL) {
- if (fort_conf_app_exe_equal(node->app_entry, path, path_len))
+ if (fort_conf_app_exe_equal(node->app_entry, path))
 return node;
 node = node->next;
@@ -59,19 +59,18 @@ static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node(
 }
 FORT_API FORT_APP_DATA fort_conf_exe_find(
- const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len)
+ const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path)
 {
 UNUSED(conf);
 PFORT_CONF_REF conf_ref = context;
- const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, path_len);
+ const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
 FORT_APP_DATA app_data = { 0 };
 KIRQL oldIrql = ExAcquireSpinLockShared(&conf_ref->conf_lock);
 {
- const PFORT_CONF_EXE_NODE node =
- fort_conf_ref_exe_find_node(conf_ref, path, path_len, path_hash);
+ const PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
 if (node != NULL) {
 app_data = node->app_entry->app_data;
@@ -107,10 +106,10 @@ static void fort_conf_ref_exe_new_path(
 ++conf->exe_apps_n;
 }
-static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
- const PFORT_APP_ENTRY app_entry, const PVOID path, tommy_key_t path_hash)
+static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry,
+ PCFORT_APP_PATH path, tommy_key_t path_hash)
 {
- const UINT32 path_len = app_entry->path_len;
+ const UINT16 path_len = path->len;
 const UINT16 entry_size = (UINT16) FORT_CONF_APP_ENTRY_SIZE(path_len);
 PFORT_APP_ENTRY entry = fort_pool_malloc(&conf_ref->pool_list, entry_size);
@@ -118,11 +117,12 @@ static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
 if (entry == NULL)
 return STATUS_INSUFFICIENT_RESOURCES;
- *entry = *app_entry;
+ entry->app_data = app_entry->app_data;
+ entry->path_len = path_len;
 /* Copy the path */
 {
- RtlCopyMemory(entry->path, path, path_len);
+ RtlCopyMemory(entry->path, path->buffer, path_len);
 entry->path[path_len / sizeof(WCHAR)] = L'\0';
 }
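Review bot: In fort_conf_ref_exe_new_entry the length now comes from `path->len` as a UINT16, and `entry_size` is `(UINT16) FORT_CONF_APP_ENTRY_SIZE(path_len)`; for a `len` close to 0xFFFF the sum `FORT_CONF_APP_ENTRY_PATH_OFF + path_len + sizeof(WCHAR)` wraps inside the cast, `fort_pool_malloc` receives a tiny size, and the `RtlCopyMemory(entry->path, path->buffer, path_len)` that follows writes well past the allocation. Whether such a length can reach this function depends on callers I cannot fully see here (the callout derives `len` from `processPath->size - sizeof(WCHAR)`, and fort_device_control_app only checks that the entry fits `in_len`), so a guard at this layer is cheap insurance: `if (FORT_CONF_APP_ENTRY_SIZE(path_len) > MAXUINT16) return STATUS_INVALID_PARAMETER;` placed before the cast. fort_conf_ref_exe_new_entry continues past the end of this hunk.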
@@ -133,10 +133,9 @@ static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
 }
 static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
- const PFORT_APP_ENTRY app_entry, const PVOID path, tommy_key_t path_hash)
+ PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path, tommy_key_t path_hash)
 {
- const PFORT_CONF_EXE_NODE node =
- fort_conf_ref_exe_find_node(conf_ref, path, app_entry->path_len, path_hash);
+ const PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
 if (node == NULL) {
 return fort_conf_ref_exe_new_entry(conf_ref, app_entry, path, path_hash);
@@ -145,7 +144,7 @@ static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
 if (app_entry->app_data.is_new)
 return FORT_STATUS_USER_ERROR;
- /* Replace the data */
+ /* Replace the app data */
 {
 PFORT_APP_ENTRY entry = node->app_entry;
 entry->app_data = app_entry->app_data;
@@ -155,9 +154,9 @@ static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
 }
 FORT_API NTSTATUS fort_conf_ref_exe_add_path(
- PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, const PVOID path)
+ PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
 {
- const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, app_entry->path_len);
+ const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
 NTSTATUS status;
 KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
@@ -168,16 +167,19 @@ FORT_API NTSTATUS fort_conf_ref_exe_add_path(
 }
 FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
- PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, BOOL locked)
+ PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, BOOL locked)
 {
- const PVOID path = app_entry->path;
+ const FORT_APP_PATH path = {
+ .len = app_entry->path_len,
+ .buffer = app_entry->path,
+ };
 if (locked) {
- const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, app_entry->path_len);
+ const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path.buffer, path.len);
- return fort_conf_ref_exe_add_path_locked(conf_ref, app_entry, path, path_hash);
+ return fort_conf_ref_exe_add_path_locked(conf_ref, app_entry, &path, path_hash);
 } else {
- return fort_conf_ref_exe_add_path(conf_ref, app_entry, path);
+ return fort_conf_ref_exe_add_path(conf_ref, app_entry, &path);
 }
 }
@@ -188,7 +190,7 @@ static void fort_conf_ref_exe_fill(PFORT_CONF_REF conf_ref, const PFORT_CONF con
 const int count = conf->exe_apps_n;
 for (int i = 0; i < count; ++i) {
- const PFORT_APP_ENTRY entry = (const PFORT_APP_ENTRY) app_entries;
+ PCFORT_APP_ENTRY entry = (PCFORT_APP_ENTRY) app_entries;
 fort_conf_ref_exe_add_entry(conf_ref, entry, TRUE);
@@ -196,13 +198,13 @@ static void fort_conf_ref_exe_fill(PFORT_CONF_REF conf_ref, const PFORT_CONF con
 }
 }
-static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, const PVOID path, UINT32 path_len)
+static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, PCFORT_APP_PATH path)
 {
- const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, path_len);
+ const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
 KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
 {
- PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_len, path_hash);
+ PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
 if (node != NULL) {
 /* Delete from conf */
@@ -226,9 +228,14 @@ static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, const PVOID path
 ExReleaseSpinLockExclusive(&conf_ref->conf_lock, oldIrql);
 }
-FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry)
+FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry)
 {
- fort_conf_ref_exe_del_path(conf_ref, entry->path, entry->path_len);
+ const FORT_APP_PATH path = {
+ .len = entry->path_len,
+ .buffer = entry->path,
+ };
+
+ fort_conf_ref_exe_del_path(conf_ref, &path);
 }
 static void fort_conf_ref_init(PFORT_CONF_REF conf_ref)
diff --git a/src/driver/fortcnf.h b/src/driver/fortcnf.h
index f2bce98c..088660e5 100644
--- a/src/driver/fortcnf.h
+++ b/src/driver/fortcnf.h
@@ -53,15 +53,15 @@ FORT_API UCHAR fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UCHAR flag, B
 FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag);
 FORT_API FORT_APP_DATA fort_conf_exe_find(
- const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len);
+ const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
 FORT_API NTSTATUS fort_conf_ref_exe_add_path(
- PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, const PVOID path);
+ PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
 FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
- PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry, BOOL locked);
+ PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry, BOOL locked);
-FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry);
+FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry);
 FORT_API PFORT_CONF_REF fort_conf_ref_new(const PFORT_CONF conf, ULONG len);
diff --git a/src/driver/fortcout.c b/src/driver/fortcout.c
index 7d34eff8..113a90f9 100644
--- a/src/driver/fortcout.c
+++ b/src/driver/fortcout.c
@@ -59,8 +59,8 @@ static FORT_APP_DATA fort_callout_ale_conf_app_data(
 if (cx->app_data_found)
 return cx->app_data;
- const FORT_APP_DATA app_data = fort_conf_app_find(
- &conf_ref->conf, cx->path->Buffer, cx->path->Length, fort_conf_exe_find, conf_ref);
+ const FORT_APP_DATA app_data =
+ fort_conf_app_find(&conf_ref->conf, &cx->path, fort_conf_exe_find, conf_ref);
 fort_callout_ale_set_app_flags(cx, app_data);
@@ -94,8 +94,8 @@ inline static BOOL fort_callout_ale_associate_flow(
 }
 if (!log_stat) {
- fort_buffer_proc_new_write(&fort_device()->buffer, cx->process_id, cx->real_path->Length,
- cx->real_path->Buffer, &cx->irp, &cx->info);
+ fort_buffer_proc_new_write(
+ &fort_device()->buffer, cx->process_id, &cx->real_path, &cx->irp, &cx->info);
 }
 return FALSE;
@@ -124,16 +124,16 @@ inline static void fort_callout_ale_log_app_path(PFORT_CALLOUT_ALE_EXTRA cx,
 FORT_APP_ENTRY app_entry = {
 .app_data = app_data,
- .path_len = cx->path->Length,
+ .path_len = cx->path.len,
 };
- if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, cx->path->Buffer)))
+ if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->path)))
 return;
 fort_callout_ale_set_app_flags(cx, app_data);
- fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id,
- cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info);
+ fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id, &cx->real_path,
+ &cx->irp, &cx->info);
 }
 inline static BOOL fort_callout_ale_log_blocked_ip_check_app(
@@ -174,7 +174,7 @@ inline static void fort_callout_ale_log_blocked_ip(PCFORT_CALLOUT_ARG ca,
 fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited,
 cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->remote_ip,
- cx->process_id, cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info);
+ cx->process_id, &cx->real_path, &cx->irp, &cx->info);
 }
 inline static BOOL fort_callout_ale_add_pending(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
@@ -365,38 +365,41 @@ inline static void fort_callout_ale_classify_action(PCFORT_CALLOUT_ARG ca,
 }
 }
-inline static void fort_callout_ale_check_conf(
- PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
+inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
 {
- const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
-
 const UINT32 process_id = (UINT32) ca->inMetaValues->processId;
- UNICODE_STRING real_path;
- real_path.Length = (UINT16) (ca->inMetaValues->processPath->size
+ PFORT_APP_PATH real_path = &cx->real_path;
+ real_path->len = (UINT16) (ca->inMetaValues->processPath->size
 - sizeof(WCHAR)); /* chop terminating zero */
- real_path.MaximumLength = real_path.Length;
- real_path.Buffer = (PWSTR) ca->inMetaValues->processPath->data;
+ real_path->buffer = (PCWSTR) ca->inMetaValues->processPath->data;
 BOOL isSvcHost = FALSE;
 BOOL inherited = FALSE;
- UNICODE_STRING path;
+
+ PFORT_APP_PATH path = &cx->path;
 if (!fort_pstree_get_proc_name(
- &fort_device()->ps_tree, process_id, &path, &isSvcHost, &inherited)) {
- path = real_path;
+ &fort_device()->ps_tree, process_id, path, &isSvcHost, &inherited)) {
+ *path = *real_path;
 } else if (!inherited) {
- real_path = path;
+ *real_path = *path;
 }
 cx->process_id = process_id;
- cx->path = &path;
- cx->real_path = &real_path;
 cx->inherited = (UCHAR) inherited;
+}
+
+inline static void fort_callout_ale_check_conf(
+ PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
+{
+ fort_callout_ale_fill_path(ca, cx);
 cx->blocked = TRUE;
 cx->ignore = FALSE;
 cx->block_reason = FORT_BLOCK_REASON_UNKNOWN;
+ const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
+
 if (!fort_callout_ale_check_flags(ca, cx, conf_ref, conf_flags)) {
 fort_callout_ale_check_app(ca, cx, conf_ref, conf_flags);
 }
diff --git a/src/driver/fortcoutarg.h b/src/driver/fortcoutarg.h
index 1130dd30..438c3d62 100644
--- a/src/driver/fortcoutarg.h
+++ b/src/driver/fortcoutarg.h
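Review bot: `real_path->len = (UINT16) (ca->inMetaValues->processPath->size - sizeof(WCHAR))` wraps to 0xFFFE when `processPath->size` is smaller than one WCHAR, and the resulting view is not only logged (where fort_buffer_adjust_log_path drops it) but also used for the conf lookup and, through fort_callout_ale_log_app_path, stored via fort_conf_ref_exe_add_path, where a 16-bit size computation follows. If the code before this point already requires FWPS_METADATA_FIELD_PROCESS_PATH and a non-empty blob, a one-line comment here saying so would settle it; otherwise clamp at the source: `const SIZE_T size = ca->inMetaValues->processPath->size;` and `real_path->len = (size >= sizeof(WCHAR)) ? (UINT16) (size - sizeof(WCHAR)) : 0;`. The same guard would also be the natural place to handle a missing `processPath` pointer if the metadata can omit it.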
@@ -58,8 +58,8 @@ typedef struct fort_callout_ale_extra
 const UINT32 *remote_ip;
- PCUNICODE_STRING path;
- PCUNICODE_STRING real_path;
+ FORT_APP_PATH path;
+ FORT_APP_PATH real_path;
 PIRP irp;
 ULONG_PTR info;
diff --git a/src/driver/fortdev.c b/src/driver/fortdev.c
index 7bb75d57..d208d9fa 100644
--- a/src/driver/fortdev.c
+++ b/src/driver/fortdev.c
@@ -234,7 +234,7 @@ static NTSTATUS fort_device_control_getlog(PFORT_DEVICE_CONTROL_ARG dca)
 }
 inline static NTSTATUS fort_device_control_app_conf(
- const PFORT_APP_ENTRY app_entry, PFORT_CONF_REF conf_ref, BOOL is_adding)
+ PCFORT_APP_ENTRY app_entry, PFORT_CONF_REF conf_ref, BOOL is_adding)
 {
 NTSTATUS status;
@@ -250,7 +250,7 @@ inline static NTSTATUS fort_device_control_app_conf(
 static NTSTATUS fort_device_control_app(PFORT_DEVICE_CONTROL_ARG dca, BOOL is_adding)
 {
- const PFORT_APP_ENTRY app_entry = dca->buffer;
+ PCFORT_APP_ENTRY app_entry = dca->buffer;
 const ULONG len = dca->in_len;
 if (len < sizeof(FORT_APP_ENTRY) || len < FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len))
diff --git a/src/driver/fortps.c b/src/driver/fortps.c
index 13866a2c..94296683 100644
--- a/src/driver/fortps.c
+++ b/src/driver/fortps.c
@@ -393,19 +393,21 @@ static PFORT_PSNODE fort_pstree_find_proc(PFORT_PSTREE ps_tree, DWORD processId)
 }
 inline static void fort_pstree_proc_set_name(
- PFORT_PSTREE ps_tree, PFORT_PSNODE proc, const PVOID path_buf, UINT16 path_len)
+ PFORT_PSTREE ps_tree, PFORT_PSNODE proc, PCFORT_APP_PATH path)
 {
+ const UINT16 path_len = path->len;
+
 PFORT_PSNAME ps_name = fort_pstree_name_new(ps_tree, path_len);
 if (ps_name == NULL)
 return;
- RtlCopyMemory(ps_name->data, path_buf, path_len);
+ RtlCopyMemory(ps_name->data, path->buffer, path_len);
 proc->ps_name = ps_name;
 }
-inline static void fort_pstree_check_proc_conf(PFORT_PSTREE ps_tree, PFORT_PSNODE proc,
- const PVOID path_buf, UINT16 path_len, FORT_APP_DATA app_data)
+inline static void fort_pstree_check_proc_conf(
+ PFORT_PSTREE ps_tree, PFORT_PSNODE proc, PCFORT_APP_PATH path, FORT_APP_DATA app_data)
 {
 if (app_data.found == 0)
 return;
@@ -420,7 +422,7 @@ inline static void fort_pstree_check_proc_conf(PFORT_PSTREE ps_tree, PFORT_PSNOD
 const BOOL has_ps_name = (proc->ps_name != NULL);
 if (!has_ps_name) {
- fort_pstree_proc_set_name(ps_tree, proc, path_buf, path_len);
+ fort_pstree_proc_set_name(ps_tree, proc, path);
 }
 proc->flags |= FORT_PSNODE_NAME_INHERIT
@@ -472,17 +474,19 @@ static void fort_pstree_check_proc_inheritance(
 return;
 const BOOL has_ps_name = (proc->ps_name != NULL);
- const PVOID path_buf = has_ps_name ? proc->ps_name->data : psi->path->Buffer;
- const UINT16 path_len = has_ps_name ? proc->ps_name->size : psi->path->Length;
+ const FORT_APP_PATH path = {
+ .len = has_ps_name ? proc->ps_name->size : psi->path->Length,
+ .buffer = has_ps_name ? proc->ps_name->data : psi->path->Buffer,
+ };
 const PFORT_CONF conf = &conf_ref->conf;
 const FORT_APP_DATA app_data = conf->proc_wild
- ? fort_conf_app_find(conf, path_buf, path_len, fort_conf_exe_find, conf_ref)
- : fort_conf_exe_find(conf, conf_ref, path_buf, path_len);
+ ? fort_conf_app_find(conf, &path, fort_conf_exe_find, conf_ref)
+ : fort_conf_exe_find(conf, conf_ref, &path);
 if (!fort_pstree_check_proc_inherited(ps_tree, proc, psi->parentProcessId, app_data)) {
- fort_pstree_check_proc_conf(ps_tree, proc, path_buf, path_len, app_data);
+ fort_pstree_check_proc_conf(ps_tree, proc, &path, app_data);
 }
 fort_conf_ref_put(device_conf, conf_ref);
@@ -784,7 +788,7 @@ FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree)
 }
 static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD processId,
- PUNICODE_STRING path, BOOL *isSvcHost, BOOL *inherited)
+ PFORT_APP_PATH path, BOOL *isSvcHost, BOOL *inherited)
 {
 PFORT_PSNODE proc = fort_pstree_find_proc(ps_tree, processId);
 if (proc == NULL)
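Review bot: When `has_ps_name` is false the view is built from `psi->path`, a UNICODE_STRING whose `Buffer` is not guaranteed to carry a NUL after `Length`, yet with `conf->proc_wild` set it goes to fort_conf_app_find and from there to wildmatch(), which scans to a terminator instead of stopping at `len`. The exe and prefix comparisons are bounded by `len`, so only the wildcard branch can read past the string. If whatever fills `psi->path` does guarantee a terminator (or `proc->ps_name->data` is always terminated by fort_pstree_name_new), a comment on the initializer such as `/* wildcard matching needs buffer to be NUL-terminated; both sources provide one */` would record that invariant; otherwise the wildcard lookup should get a terminated copy. fort_pstree_check_proc_inheritance begins before this hunk.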
@@ -801,16 +805,15 @@ static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD process
 == FORT_PSNODE_NAME_INHERIT)
 return FALSE;
- path->Length = ps_name->size;
- path->MaximumLength = ps_name->size;
- path->Buffer = ps_name->data;
+ path->len = ps_name->size;
+ path->buffer = ps_name->data;
 *inherited = (procFlags & FORT_PSNODE_NAME_INHERITED) != 0;
 return TRUE;
 }
-FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path,
+FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path,
 BOOL *isSvcHost, BOOL *inherited)
 {
 BOOL res;
diff --git a/src/driver/fortps.h b/src/driver/fortps.h
index 32190cca..01a9d9f2 100644
--- a/src/driver/fortps.h
+++ b/src/driver/fortps.h
@@ -34,7 +34,7 @@ FORT_API void fort_pstree_close(PFORT_PSTREE ps_tree);
 FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree);
-FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path,
+FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path,
 BOOL *isSvcHost, BOOL *inherited);
 FORT_API void fort_pstree_update_services(
diff --git a/src/ui/driver/drivercommon.cpp b/src/ui/driver/drivercommon.cpp
index 112c0524..6292e395 100644
--- a/src/ui/driver/drivercommon.cpp
+++ b/src/ui/driver/drivercommon.cpp
@@ -214,11 +214,14 @@ FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath)
 {
 const PFORT_CONF conf = (const PFORT_CONF) drvConf;
 const QString kernelPathLower = kernelPath.startsWith('\\') ? kernelPath.toLower() : kernelPath;
- const quint32 len = quint32(kernelPathLower.size()) * sizeof(WCHAR);
- const WCHAR *p = (PCWCHAR) kernelPathLower.utf16();
- const FORT_APP_DATA app_data = fort_conf_app_find(
- conf, (const PVOID) p, len, fort_conf_app_exe_find, /*exe_context=*/nullptr);
+ const FORT_APP_PATH path = {
+ .len = quint16(kernelPathLower.size() * sizeof(WCHAR)),
+ .buffer = kernelPathLower.utf16(),
+ };
+
+ const FORT_APP_DATA app_data =
+ fort_conf_app_find(conf, &path, fort_conf_app_exe_find, /*exe_context=*/nullptr);
 return app_data;
 }
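Review bot: `.len = quint16(kernelPathLower.size() * sizeof(WCHAR))` truncates silently where the removed code carried a quint32; a path longer than 32767 UTF-16 units would be looked up with a wrapped length and could match a different rule than the one the user sees, or none. Either reject such input before building the view, e.g. `if (kernelPathLower.size() * sizeof(WCHAR) > UINT16_MAX) return FORT_APP_DATA {};`, or add a comment stating why the caller can never pass one. `.buffer = kernelPathLower.utf16()` also borrows the QString's storage, which is only safe because `kernelPathLower` outlives the lookup; a short comment such as `// path borrows kernelPathLower; do not return or store it` would keep a later refactor from hoisting the view out of this scope.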