Driver: Refactor app path handling
parent
a97c47f8bd
commit
4274370f05
@ -20,6 +20,14 @@ typedef union ip_addr_t {
|
|||||||
ip6_addr_t v6;
|
ip6_addr_t v6;
|
||||||
} ip_addr_t;
|
} ip_addr_t;
|
||||||
|
|
||||||
|
typedef struct fort_app_path
|
||||||
|
{
|
||||||
|
unsigned short len;
|
||||||
|
const void *buffer;
|
||||||
|
} FORT_APP_PATH, *PFORT_APP_PATH;
|
||||||
|
|
||||||
|
typedef const FORT_APP_PATH *PCFORT_APP_PATH;
|
||||||
|
|
||||||
#define UNUSED(p) ((void) (p))
|
#define UNUSED(p) ((void) (p))
|
||||||
|
|
||||||
#endif // COMMON_TYPES_H
|
#endif // COMMON_TYPES_H
|
||||||
|
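Review bot: `FORT_APP_PATH.len` in the new struct is a byte count of a UTF-16 path, not a WCHAR count, and nothing at the declaration says so; the code that consumes it elsewhere in this commit (`entry->path[path_len / sizeof(WCHAR)]`, the `RtlCopyMemory` calls in the log writers) only works under that reading. It is also `unsigned short` where the parameters it replaces were `UINT32 path_len`, so a caller converting from a wider length now narrows silently. I'd put `/* byte length of the UTF-16 path (not a WCHAR count); callers narrowing from a wider length must range-check first */` above `len`, and `/* not owned; only read during the call that receives this struct */` above `buffer`. Whether `buffer` must additionally be NUL-terminated depends on the matcher it is handed to, so that belongs in the consumer rather than here.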
@ -168,28 +168,25 @@ FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
|
|||||||
return ip_included && !ip_excluded;
|
return ip_included && !ip_excluded;
|
||||||
}
|
}
|
||||||
|
|
||||||
FORT_API BOOL fort_conf_app_exe_equal(
|
FORT_API BOOL fort_conf_app_exe_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
|
||||||
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
|
|
||||||
{
|
{
|
||||||
|
const UINT16 path_len = path->len;
|
||||||
|
|
||||||
if (path_len != app_entry->path_len)
|
if (path_len != app_entry->path_len)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
return fort_memcmp(path, app_entry->path, path_len) == 0;
|
return fort_memcmp(path->buffer, app_entry->path, path_len) == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static BOOL fort_conf_app_wild_equal(
|
static BOOL fort_conf_app_wild_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
|
||||||
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
|
|
||||||
{
|
{
|
||||||
UNUSED(path_len);
|
return wildmatch(app_entry->path, path->buffer) == WM_MATCH;
|
||||||
|
|
||||||
return wildmatch(app_entry->path, (const WCHAR *) path) == WM_MATCH;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
typedef BOOL fort_conf_app_equal_func(
|
typedef BOOL fort_conf_app_equal_func(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
|
||||||
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len);
|
|
||||||
|
|
||||||
static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID path,
|
static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, PCFORT_APP_PATH path,
|
||||||
UINT32 path_len, UINT32 apps_off, UINT16 apps_n, fort_conf_app_equal_func *app_equal_func)
|
UINT32 apps_off, UINT16 apps_n, fort_conf_app_equal_func *app_equal_func)
|
||||||
{
|
{
|
||||||
const FORT_APP_DATA app_data = { 0 };
|
const FORT_APP_DATA app_data = { 0 };
|
||||||
|
|
||||||
@ -199,9 +196,9 @@ static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID
|
|||||||
const char *app_entries = (const char *) (conf->data + apps_off);
|
const char *app_entries = (const char *) (conf->data + apps_off);
|
||||||
|
|
||||||
do {
|
do {
|
||||||
const PFORT_APP_ENTRY app_entry = (const PFORT_APP_ENTRY) app_entries;
|
PCFORT_APP_ENTRY app_entry = (PCFORT_APP_ENTRY) app_entries;
|
||||||
|
|
||||||
if (app_equal_func(app_entry, path, path_len))
|
if (app_equal_func(app_entry, path))
|
||||||
return app_entry->app_data;
|
return app_entry->app_data;
|
||||||
|
|
||||||
app_entries += FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len);
|
app_entries += FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len);
|
||||||
@ -211,32 +208,32 @@ static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID
|
|||||||
}
|
}
|
||||||
|
|
||||||
FORT_API FORT_APP_DATA fort_conf_app_exe_find(
|
FORT_API FORT_APP_DATA fort_conf_app_exe_find(
|
||||||
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len)
|
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path)
|
||||||
{
|
{
|
||||||
UNUSED(context);
|
UNUSED(context);
|
||||||
|
|
||||||
return fort_conf_app_find_loop(
|
return fort_conf_app_find_loop(
|
||||||
conf, path, path_len, conf->exe_apps_off, conf->exe_apps_n, fort_conf_app_exe_equal);
|
conf, path, conf->exe_apps_off, conf->exe_apps_n, fort_conf_app_exe_equal);
|
||||||
}
|
}
|
||||||
|
|
||||||
static FORT_APP_DATA fort_conf_app_wild_find(
|
static FORT_APP_DATA fort_conf_app_wild_find(const PFORT_CONF conf, PCFORT_APP_PATH path)
|
||||||
const PFORT_CONF conf, const PVOID path, UINT32 path_len)
|
|
||||||
{
|
{
|
||||||
return fort_conf_app_find_loop(
|
return fort_conf_app_find_loop(
|
||||||
conf, path, path_len, conf->wild_apps_off, conf->wild_apps_n, fort_conf_app_wild_equal);
|
conf, path, conf->wild_apps_off, conf->wild_apps_n, fort_conf_app_wild_equal);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int fort_conf_app_prefix_cmp(PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
|
static int fort_conf_app_prefix_cmp(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
|
||||||
{
|
{
|
||||||
|
UINT16 path_len = path->len;
|
||||||
|
|
||||||
if (path_len > app_entry->path_len) {
|
if (path_len > app_entry->path_len) {
|
||||||
path_len = app_entry->path_len;
|
path_len = app_entry->path_len;
|
||||||
}
|
}
|
||||||
|
|
||||||
return fort_memcmp(path, app_entry->path, path_len);
|
return fort_memcmp(path->buffer, app_entry->path, path_len);
|
||||||
}
|
}
|
||||||
|
|
||||||
static FORT_APP_DATA fort_conf_app_prefix_find(
|
static FORT_APP_DATA fort_conf_app_prefix_find(const PFORT_CONF conf, PCFORT_APP_PATH path)
|
||||||
const PFORT_CONF conf, const PVOID path, UINT32 path_len)
|
|
||||||
{
|
{
|
||||||
const FORT_APP_DATA app_data = { 0 };
|
const FORT_APP_DATA app_data = { 0 };
|
||||||
|
|
||||||
@ -254,9 +251,9 @@ static FORT_APP_DATA fort_conf_app_prefix_find(
|
|||||||
do {
|
do {
|
||||||
const int mid = (low + high) / 2;
|
const int mid = (low + high) / 2;
|
||||||
const UINT32 app_off = app_offsets[mid];
|
const UINT32 app_off = app_offsets[mid];
|
||||||
const PFORT_APP_ENTRY app_entry = (PFORT_APP_ENTRY) (app_entries + app_off);
|
PCFORT_APP_ENTRY app_entry = (PCFORT_APP_ENTRY) (app_entries + app_off);
|
||||||
|
|
||||||
const int res = fort_conf_app_prefix_cmp(app_entry, path, path_len);
|
const int res = fort_conf_app_prefix_cmp(app_entry, path);
|
||||||
|
|
||||||
if (res < 0) {
|
if (res < 0) {
|
||||||
high = mid - 1;
|
high = mid - 1;
|
||||||
@ -270,20 +267,20 @@ static FORT_APP_DATA fort_conf_app_prefix_find(
|
|||||||
return app_data;
|
return app_data;
|
||||||
}
|
}
|
||||||
|
|
||||||
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, const PVOID path, UINT32 path_len,
|
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, PCFORT_APP_PATH path,
|
||||||
fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context)
|
fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context)
|
||||||
{
|
{
|
||||||
FORT_APP_DATA app_data;
|
FORT_APP_DATA app_data;
|
||||||
|
|
||||||
app_data = exe_find_func(conf, exe_context, path, path_len);
|
app_data = exe_find_func(conf, exe_context, path);
|
||||||
if (app_data.found != 0)
|
if (app_data.found != 0)
|
||||||
return app_data;
|
return app_data;
|
||||||
|
|
||||||
app_data = fort_conf_app_wild_find(conf, path, path_len);
|
app_data = fort_conf_app_wild_find(conf, path);
|
||||||
if (app_data.found != 0)
|
if (app_data.found != 0)
|
||||||
return app_data;
|
return app_data;
|
||||||
|
|
||||||
app_data = fort_conf_app_prefix_find(conf, path, path_len);
|
app_data = fort_conf_app_prefix_find(conf, path);
|
||||||
|
|
||||||
return app_data;
|
return app_data;
|
||||||
}
|
}
|
||||||
|
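Review bot: `fort_conf_app_wild_equal` (first hunk of this section) passes `path->buffer` to `wildmatch()` without `path->len`, so the match presumably runs to a NUL terminator rather than stopping at the declared length; the new struct thus carries a hidden requirement that `buffer` be NUL-terminated, which `fort_conf_app_exe_equal` and `fort_conf_app_prefix_cmp` in the same section do not have (both bound their `fort_memcmp` by `len`). The old `(const WCHAR *) path` cast had the same dependency, so this is not a regression, but now that a struct describes the path it is the natural place to make the contract explicit. I'd add above the call: `/* wildmatch() ignores path->len and reads to the terminator: path->buffer must be NUL-terminated */`, or bound the match if the wildmatch implementation offers a length-aware entry point.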
@ -244,6 +244,8 @@ typedef struct fort_app_entry
|
|||||||
WCHAR path[2];
|
WCHAR path[2];
|
||||||
} FORT_APP_ENTRY, *PFORT_APP_ENTRY;
|
} FORT_APP_ENTRY, *PFORT_APP_ENTRY;
|
||||||
|
|
||||||
|
typedef const FORT_APP_ENTRY *PCFORT_APP_ENTRY;
|
||||||
|
|
||||||
#define FORT_CONF_APP_ENTRY_PATH_OFF offsetof(FORT_APP_ENTRY, path)
|
#define FORT_CONF_APP_ENTRY_PATH_OFF offsetof(FORT_APP_ENTRY, path)
|
||||||
#define FORT_CONF_APP_ENTRY_SIZE(path_len) \
|
#define FORT_CONF_APP_ENTRY_SIZE(path_len) \
|
||||||
(FORT_CONF_APP_ENTRY_PATH_OFF + (path_len) + sizeof(WCHAR)) /* include terminating zero */
|
(FORT_CONF_APP_ENTRY_PATH_OFF + (path_len) + sizeof(WCHAR)) /* include terminating zero */
|
||||||
@ -317,7 +319,7 @@ typedef struct fort_conf_io
|
|||||||
(FORT_CONF_ADDR4_LIST_SIZE(ip4_n, pair4_n) + FORT_CONF_ADDR6_LIST_SIZE(ip6_n, pair6_n))
|
(FORT_CONF_ADDR4_LIST_SIZE(ip4_n, pair4_n) + FORT_CONF_ADDR6_LIST_SIZE(ip6_n, pair6_n))
|
||||||
|
|
||||||
typedef FORT_APP_DATA fort_conf_app_exe_find_func(
|
typedef FORT_APP_DATA fort_conf_app_exe_find_func(
|
||||||
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len);
|
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
|
||||||
|
|
||||||
typedef BOOL fort_conf_zones_ip_included_func(
|
typedef BOOL fort_conf_zones_ip_included_func(
|
||||||
void *ctx, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6);
|
void *ctx, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6);
|
||||||
@ -348,13 +350,12 @@ FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
|
|||||||
#define fort_conf_ip_inet_included(conf, zone_func, ctx, remote_ip, isIPv6) \
|
#define fort_conf_ip_inet_included(conf, zone_func, ctx, remote_ip, isIPv6) \
|
||||||
fort_conf_ip_included((conf), (zone_func), (ctx), (remote_ip), isIPv6, /*addr_group_index=*/1)
|
fort_conf_ip_included((conf), (zone_func), (ctx), (remote_ip), isIPv6, /*addr_group_index=*/1)
|
||||||
|
|
||||||
FORT_API BOOL fort_conf_app_exe_equal(
|
FORT_API BOOL fort_conf_app_exe_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
|
||||||
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len);
|
|
||||||
|
|
||||||
FORT_API FORT_APP_DATA fort_conf_app_exe_find(
|
FORT_API FORT_APP_DATA fort_conf_app_exe_find(
|
||||||
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len);
|
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
|
||||||
|
|
||||||
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, const PVOID path, UINT32 path_len,
|
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, PCFORT_APP_PATH path,
|
||||||
fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context);
|
fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context);
|
||||||
|
|
||||||
FORT_API BOOL fort_conf_app_group_blocked(const FORT_CONF_FLAGS conf_flags, FORT_APP_DATA app_data);
|
FORT_API BOOL fort_conf_app_group_blocked(const FORT_CONF_FLAGS conf_flags, FORT_APP_DATA app_data);
|
||||||
|
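Review bot: The new `PCFORT_APP_ENTRY` typedef at the top of this section gives read-only entries a proper pointer-to-const type, but the prototypes below still take `const PFORT_CONF conf`, which (if `PFORT_CONF` follows the `FORT_APP_ENTRY, *PFORT_APP_ENTRY` pattern and is `FORT_CONF *`) makes only the pointer const and leaves the configuration writable through it. For consistency with what the commit introduces I'd add `typedef const FORT_CONF *PCFORT_CONF;` next to `PCFORT_APP_ENTRY` and use it in `fort_conf_app_exe_find_func`, `fort_conf_app_exe_find` and `fort_conf_app_find`. A short comment on `PCFORT_APP_ENTRY`, e.g. `/* read-only view of an entry inside conf->data; sized by FORT_CONF_APP_ENTRY_SIZE(path_len) */`, would also help, since that is how `fort_conf_app_find_loop` walks them.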
@ -12,13 +12,14 @@ FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, U
|
|||||||
*up = pid;
|
*up = pid;
|
||||||
}
|
}
|
||||||
|
|
||||||
FORT_API void fort_log_blocked_write(
|
FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_APP_PATH path)
|
||||||
char *p, BOOL blocked, UINT32 pid, UINT32 path_len, const char *path)
|
|
||||||
{
|
{
|
||||||
|
const UINT16 path_len = path->len;
|
||||||
|
|
||||||
fort_log_blocked_header_write(p, blocked, pid, path_len);
|
fort_log_blocked_header_write(p, blocked, pid, path_len);
|
||||||
|
|
||||||
if (path_len != 0) {
|
if (path_len != 0) {
|
||||||
RtlCopyMemory(p + FORT_LOG_BLOCKED_HEADER_SIZE, path, path_len);
|
RtlCopyMemory(p + FORT_LOG_BLOCKED_HEADER_SIZE, path->buffer, path_len);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -54,14 +55,15 @@ void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL i
|
|||||||
|
|
||||||
void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
|
void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
|
||||||
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
|
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
|
||||||
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
|
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path)
|
||||||
const char *path)
|
|
||||||
{
|
{
|
||||||
|
const UINT16 path_len = path->len;
|
||||||
|
|
||||||
fort_log_blocked_ip_header_write(p, isIPv6, inbound, inherited, block_reason, ip_proto,
|
fort_log_blocked_ip_header_write(p, isIPv6, inbound, inherited, block_reason, ip_proto,
|
||||||
local_port, remote_port, local_ip, remote_ip, pid, path_len);
|
local_port, remote_port, local_ip, remote_ip, pid, path_len);
|
||||||
|
|
||||||
if (path_len != 0) {
|
if (path_len != 0) {
|
||||||
RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path, path_len);
|
RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path->buffer, path_len);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -98,12 +100,14 @@ FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_le
|
|||||||
*up = pid;
|
*up = pid;
|
||||||
}
|
}
|
||||||
|
|
||||||
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, UINT32 path_len, const char *path)
|
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, PCFORT_APP_PATH path)
|
||||||
{
|
{
|
||||||
|
const UINT16 path_len = path->len;
|
||||||
|
|
||||||
fort_log_proc_new_header_write(p, pid, path_len);
|
fort_log_proc_new_header_write(p, pid, path_len);
|
||||||
|
|
||||||
if (path_len != 0) {
|
if (path_len != 0) {
|
||||||
RtlCopyMemory(p + FORT_LOG_PROC_NEW_HEADER_SIZE, path, path_len);
|
RtlCopyMemory(p + FORT_LOG_PROC_NEW_HEADER_SIZE, path->buffer, path_len);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
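Review bot: All three writers in this section (`fort_log_blocked_write`, `fort_log_blocked_ip_write`, `fort_log_proc_new_write`) now read `path->len` unconditionally, whereas the replaced code only touched `path` inside `if (path_len != 0)`, so a caller that used to pass `0, NULL` for "no path" would now dereference NULL while the caller holds the buffer spin lock (a bugcheck, not a recoverable error). The fortbuffer.c callers in this commit always pass `&log_path`, so this is a contract change rather than a visible bug, but it is cheap to make robust: `const UINT16 path_len = (path != NULL) ? path->len : 0;` in each writer, or at least `/* path must be non-NULL; use len == 0 for "no path" */` on each prototype.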
@ -63,8 +63,7 @@ extern "C" {
|
|||||||
|
|
||||||
FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, UINT32 path_len);
|
FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, UINT32 path_len);
|
||||||
|
|
||||||
FORT_API void fort_log_blocked_write(
|
FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_APP_PATH path);
|
||||||
char *p, BOOL blocked, UINT32 pid, UINT32 path_len, const char *path);
|
|
||||||
|
|
||||||
FORT_API void fort_log_blocked_header_read(
|
FORT_API void fort_log_blocked_header_read(
|
||||||
const char *p, BOOL *blocked, UINT32 *pid, UINT32 *path_len);
|
const char *p, BOOL *blocked, UINT32 *pid, UINT32 *path_len);
|
||||||
@ -75,8 +74,7 @@ FORT_API void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inboun
|
|||||||
|
|
||||||
FORT_API void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
|
FORT_API void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
|
||||||
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
|
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
|
||||||
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
|
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path);
|
||||||
const char *path);
|
|
||||||
|
|
||||||
FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound,
|
FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound,
|
||||||
BOOL *inherited, UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port,
|
BOOL *inherited, UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port,
|
||||||
@ -84,7 +82,7 @@ FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL
|
|||||||
|
|
||||||
FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len);
|
FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len);
|
||||||
|
|
||||||
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, UINT32 path_len, const char *path);
|
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, PCFORT_APP_PATH path);
|
||||||
|
|
||||||
FORT_API void fort_log_proc_new_header_read(const char *p, UINT32 *pid, UINT32 *path_len);
|
FORT_API void fort_log_proc_new_header_read(const char *p, UINT32 *pid, UINT32 *path_len);
|
||||||
|
|
||||||
|
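Review bot: The `_write` prototypes in this section give no hint that `p` is filled without any bounds check, and the clamp that keeps the copy in range (`len > FORT_LOG_PATH_MAX` recorded as 0) lives in fortbuffer.c, not here. A one-line contract on each writer would keep the next caller from sizing the buffer wrong: `/* p must hold FORT_LOG_BLOCKED_SIZE(path->len) bytes; path->len is copied verbatim, the caller clamps it to FORT_LOG_PATH_MAX */` (with the `_IP_` and `_PROC_NEW_` size macros on the other two). The header write/read functions still carry `UINT32 path_len` while the source is now a 16-bit `len`; a remark that the wider header field is deliberate would save a reader the question.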
@ -9,6 +9,17 @@
|
|||||||
|
|
||||||
#define FORT_BUFFER_POOL_TAG 'BwfF'
|
#define FORT_BUFFER_POOL_TAG 'BwfF'
|
||||||
|
|
||||||
|
static FORT_APP_PATH fort_buffer_adjust_log_path(PCFORT_APP_PATH path)
|
||||||
|
{
|
||||||
|
FORT_APP_PATH log_path = *path;
|
||||||
|
|
||||||
|
if (log_path.len > FORT_LOG_PATH_MAX) {
|
||||||
|
log_path.len = 0; /* drop too long path */
|
||||||
|
}
|
||||||
|
|
||||||
|
return log_path;
|
||||||
|
}
|
||||||
|
|
||||||
static PFORT_BUFFER_DATA fort_buffer_data_new(PFORT_BUFFER buf)
|
static PFORT_BUFFER_DATA fort_buffer_data_new(PFORT_BUFFER buf)
|
||||||
{
|
{
|
||||||
PFORT_BUFFER_DATA data = buf->data_free;
|
PFORT_BUFFER_DATA data = buf->data_free;
|
||||||
@ -155,15 +166,13 @@ FORT_API NTSTATUS fort_buffer_prepare(
|
|||||||
}
|
}
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
|
FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
|
||||||
UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info)
|
PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info)
|
||||||
{
|
{
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
|
|
||||||
if (path_len > FORT_LOG_PATH_MAX) {
|
const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
|
||||||
path_len = 0; /* drop too long path */
|
|
||||||
}
|
|
||||||
|
|
||||||
const UINT32 len = FORT_LOG_BLOCKED_SIZE(path_len);
|
const UINT32 len = FORT_LOG_BLOCKED_SIZE(log_path.len);
|
||||||
|
|
||||||
KLOCK_QUEUE_HANDLE lock_queue;
|
KLOCK_QUEUE_HANDLE lock_queue;
|
||||||
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
|
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
|
||||||
@ -172,7 +181,7 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
|
|||||||
status = fort_buffer_prepare(buf, len, &out, irp, info);
|
status = fort_buffer_prepare(buf, len, &out, irp, info);
|
||||||
|
|
||||||
if (NT_SUCCESS(status)) {
|
if (NT_SUCCESS(status)) {
|
||||||
fort_log_blocked_write(out, blocked, pid, path_len, path);
|
fort_log_blocked_write(out, blocked, pid, &log_path);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
KeReleaseInStackQueuedSpinLock(&lock_queue);
|
KeReleaseInStackQueuedSpinLock(&lock_queue);
|
||||||
@ -182,18 +191,16 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
|
|||||||
|
|
||||||
NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, BOOL inherited,
|
NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, BOOL inherited,
|
||||||
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
|
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
|
||||||
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
|
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
|
||||||
const PVOID path, PIRP *irp, ULONG_PTR *info)
|
PIRP *irp, ULONG_PTR *info)
|
||||||
{
|
{
|
||||||
FORT_CHECK_STACK(FORT_BUFFER_BLOCKED_IP_WRITE);
|
FORT_CHECK_STACK(FORT_BUFFER_BLOCKED_IP_WRITE);
|
||||||
|
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
|
|
||||||
if (path_len > FORT_LOG_PATH_MAX) {
|
const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
|
||||||
path_len = 0; /* drop too long path */
|
|
||||||
}
|
|
||||||
|
|
||||||
const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(path_len, isIPv6);
|
const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, isIPv6);
|
||||||
|
|
||||||
KLOCK_QUEUE_HANDLE lock_queue;
|
KLOCK_QUEUE_HANDLE lock_queue;
|
||||||
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
|
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
|
||||||
@ -203,7 +210,7 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
|
|||||||
|
|
||||||
if (NT_SUCCESS(status)) {
|
if (NT_SUCCESS(status)) {
|
||||||
fort_log_blocked_ip_write(out, isIPv6, inbound, inherited, block_reason, ip_proto,
|
fort_log_blocked_ip_write(out, isIPv6, inbound, inherited, block_reason, ip_proto,
|
||||||
local_port, remote_port, local_ip, remote_ip, pid, path_len, path);
|
local_port, remote_port, local_ip, remote_ip, pid, &log_path);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
KeReleaseInStackQueuedSpinLock(&lock_queue);
|
KeReleaseInStackQueuedSpinLock(&lock_queue);
|
||||||
@ -212,15 +219,13 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
|
|||||||
}
|
}
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_buffer_proc_new_write(
|
FORT_API NTSTATUS fort_buffer_proc_new_write(
|
||||||
PFORT_BUFFER buf, UINT32 pid, UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info)
|
PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info)
|
||||||
{
|
{
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
|
|
||||||
if (path_len > FORT_LOG_PATH_MAX) {
|
const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
|
||||||
path_len = 0; /* drop too long path */
|
|
||||||
}
|
|
||||||
|
|
||||||
const UINT32 len = FORT_LOG_PROC_NEW_SIZE(path_len);
|
const UINT32 len = FORT_LOG_PROC_NEW_SIZE(log_path.len);
|
||||||
|
|
||||||
KLOCK_QUEUE_HANDLE lock_queue;
|
KLOCK_QUEUE_HANDLE lock_queue;
|
||||||
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
|
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
|
||||||
@ -229,7 +234,7 @@ FORT_API NTSTATUS fort_buffer_proc_new_write(
|
|||||||
status = fort_buffer_prepare(buf, len, &out, irp, info);
|
status = fort_buffer_prepare(buf, len, &out, irp, info);
|
||||||
|
|
||||||
if (NT_SUCCESS(status)) {
|
if (NT_SUCCESS(status)) {
|
||||||
fort_log_proc_new_write(out, pid, path_len, path);
|
fort_log_proc_new_write(out, pid, &log_path);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
KeReleaseInStackQueuedSpinLock(&lock_queue);
|
KeReleaseInStackQueuedSpinLock(&lock_queue);
|
||||||
|
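Review bot: `fort_buffer_adjust_log_path` silently drops a path longer than `FORT_LOG_PATH_MAX` (sets `len` to 0 but leaves `buffer` pointing at the original bytes) and each caller still reports success, so over-long paths produce blocked/proc-new events with no attribution and no error; nothing in the three callers surfaces that. Dropping rather than truncating is presumably deliberate, since a truncated path would name a different executable to the user-mode reader, but the helper should say so: `/* Drop, don't truncate: a truncated path would identify the wrong executable. len == 0 tells the reader no path was recorded; buffer is left as-is and must not be read. */`. If `FORT_LOG_PATH_MAX` can ever exceed 65535 the comparison is dead against an `unsigned short` `len`, so a `C_ASSERT(FORT_LOG_PATH_MAX <= MAXUINT16)` next to the helper would be cheap insurance.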
@ -41,15 +41,15 @@ FORT_API NTSTATUS fort_buffer_prepare(
|
|||||||
PFORT_BUFFER buf, UINT32 len, PCHAR *out, PIRP *irp, ULONG_PTR *info);
|
PFORT_BUFFER buf, UINT32 len, PCHAR *out, PIRP *irp, ULONG_PTR *info);
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
|
FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
|
||||||
UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info);
|
PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound,
|
FORT_API NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound,
|
||||||
BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
|
BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
|
||||||
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
|
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
|
||||||
const PVOID path, PIRP *irp, ULONG_PTR *info);
|
PIRP *irp, ULONG_PTR *info);
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_buffer_proc_new_write(PFORT_BUFFER buf, UINT32 pid, UINT32 path_len,
|
FORT_API NTSTATUS fort_buffer_proc_new_write(
|
||||||
const PVOID path, PIRP *irp, ULONG_PTR *info);
|
PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_buffer_xmove(
|
FORT_API NTSTATUS fort_buffer_xmove(
|
||||||
PFORT_BUFFER buf, PIRP irp, PVOID out, ULONG out_len, ULONG_PTR *info);
|
PFORT_BUFFER buf, PIRP irp, PVOID out, ULONG out_len, ULONG_PTR *info);
|
||||||
|
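Review bot: The three `fort_buffer_*_write` prototypes now take `PCFORT_APP_PATH path` but say nothing about ownership, nullability, or the clamp applied in fortbuffer.c, none of which a caller can see from here. I'd document on each: `/* path must be non-NULL and is copied under buf->lock, so it need not outlive the call; a path longer than FORT_LOG_PATH_MAX is recorded with length 0 and success is still returned */`. The non-NULL part matters because the log writers read `path->len` before their length check, whereas the replaced `UINT32 path_len, const PVOID path` form appeared to tolerate `0, NULL`.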
@ -43,13 +43,13 @@ FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node(
|
static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node(
|
||||||
PFORT_CONF_REF conf_ref, const PVOID path, UINT32 path_len, tommy_key_t path_hash)
|
PFORT_CONF_REF conf_ref, PCFORT_APP_PATH path, tommy_key_t path_hash)
|
||||||
{
|
{
|
||||||
PFORT_CONF_EXE_NODE node =
|
PFORT_CONF_EXE_NODE node =
|
||||||
(PFORT_CONF_EXE_NODE) tommy_hashdyn_bucket(&conf_ref->exe_map, path_hash);
|
(PFORT_CONF_EXE_NODE) tommy_hashdyn_bucket(&conf_ref->exe_map, path_hash);
|
||||||
|
|
||||||
while (node != NULL) {
|
while (node != NULL) {
|
||||||
if (fort_conf_app_exe_equal(node->app_entry, path, path_len))
|
if (fort_conf_app_exe_equal(node->app_entry, path))
|
||||||
return node;
|
return node;
|
||||||
|
|
||||||
node = node->next;
|
node = node->next;
|
||||||
@ -59,19 +59,18 @@ static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node(
|
|||||||
}
|
}
|
||||||
|
|
||||||
FORT_API FORT_APP_DATA fort_conf_exe_find(
|
FORT_API FORT_APP_DATA fort_conf_exe_find(
|
||||||
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len)
|
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path)
|
||||||
{
|
{
|
||||||
UNUSED(conf);
|
UNUSED(conf);
|
||||||
|
|
||||||
PFORT_CONF_REF conf_ref = context;
|
PFORT_CONF_REF conf_ref = context;
|
||||||
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, path_len);
|
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
|
||||||
|
|
||||||
FORT_APP_DATA app_data = { 0 };
|
FORT_APP_DATA app_data = { 0 };
|
||||||
|
|
||||||
KIRQL oldIrql = ExAcquireSpinLockShared(&conf_ref->conf_lock);
|
KIRQL oldIrql = ExAcquireSpinLockShared(&conf_ref->conf_lock);
|
||||||
{
|
{
|
||||||
const PFORT_CONF_EXE_NODE node =
|
const PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
|
||||||
fort_conf_ref_exe_find_node(conf_ref, path, path_len, path_hash);
|
|
||||||
|
|
||||||
if (node != NULL) {
|
if (node != NULL) {
|
||||||
app_data = node->app_entry->app_data;
|
app_data = node->app_entry->app_data;
|
||||||
@ -107,10 +106,10 @@ static void fort_conf_ref_exe_new_path(
|
|||||||
++conf->exe_apps_n;
|
++conf->exe_apps_n;
|
||||||
}
|
}
|
||||||
|
|
||||||
static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
|
static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry,
|
||||||
const PFORT_APP_ENTRY app_entry, const PVOID path, tommy_key_t path_hash)
|
PCFORT_APP_PATH path, tommy_key_t path_hash)
|
||||||
{
|
{
|
||||||
const UINT32 path_len = app_entry->path_len;
|
const UINT16 path_len = path->len;
|
||||||
|
|
||||||
const UINT16 entry_size = (UINT16) FORT_CONF_APP_ENTRY_SIZE(path_len);
|
const UINT16 entry_size = (UINT16) FORT_CONF_APP_ENTRY_SIZE(path_len);
|
||||||
PFORT_APP_ENTRY entry = fort_pool_malloc(&conf_ref->pool_list, entry_size);
|
PFORT_APP_ENTRY entry = fort_pool_malloc(&conf_ref->pool_list, entry_size);
|
||||||
@ -118,11 +117,12 @@ static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
|
|||||||
if (entry == NULL)
|
if (entry == NULL)
|
||||||
return STATUS_INSUFFICIENT_RESOURCES;
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
|
|
||||||
*entry = *app_entry;
|
entry->app_data = app_entry->app_data;
|
||||||
|
entry->path_len = path_len;
|
||||||
|
|
||||||
/* Copy the path */
|
/* Copy the path */
|
||||||
{
|
{
|
||||||
RtlCopyMemory(entry->path, path, path_len);
|
RtlCopyMemory(entry->path, path->buffer, path_len);
|
||||||
entry->path[path_len / sizeof(WCHAR)] = L'\0';
|
entry->path[path_len / sizeof(WCHAR)] = L'\0';
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -133,10 +133,9 @@ static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
|
static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
|
||||||
const PFORT_APP_ENTRY app_entry, const PVOID path, tommy_key_t path_hash)
|
PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path, tommy_key_t path_hash)
|
||||||
{
|
{
|
||||||
const PFORT_CONF_EXE_NODE node =
|
const PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
|
||||||
fort_conf_ref_exe_find_node(conf_ref, path, app_entry->path_len, path_hash);
|
|
||||||
|
|
||||||
if (node == NULL) {
|
if (node == NULL) {
|
||||||
return fort_conf_ref_exe_new_entry(conf_ref, app_entry, path, path_hash);
|
return fort_conf_ref_exe_new_entry(conf_ref, app_entry, path, path_hash);
|
||||||
@ -145,7 +144,7 @@ static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
|
|||||||
if (app_entry->app_data.is_new)
|
if (app_entry->app_data.is_new)
|
||||||
return FORT_STATUS_USER_ERROR;
|
return FORT_STATUS_USER_ERROR;
|
||||||
|
|
||||||
/* Replace the data */
|
/* Replace the app data */
|
||||||
{
|
{
|
||||||
PFORT_APP_ENTRY entry = node->app_entry;
|
PFORT_APP_ENTRY entry = node->app_entry;
|
||||||
entry->app_data = app_entry->app_data;
|
entry->app_data = app_entry->app_data;
|
||||||
@ -155,9 +154,9 @@ static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
|
|||||||
}
|
}
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_conf_ref_exe_add_path(
|
FORT_API NTSTATUS fort_conf_ref_exe_add_path(
|
||||||
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, const PVOID path)
|
PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
|
||||||
{
|
{
|
||||||
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, app_entry->path_len);
|
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
|
|
||||||
KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
|
KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
|
||||||
@ -168,16 +167,19 @@ FORT_API NTSTATUS fort_conf_ref_exe_add_path(
|
|||||||
}
|
}
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
|
FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
|
||||||
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, BOOL locked)
|
PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, BOOL locked)
|
||||||
{
|
{
|
||||||
const PVOID path = app_entry->path;
|
const FORT_APP_PATH path = {
|
||||||
|
.len = app_entry->path_len,
|
||||||
|
.buffer = app_entry->path,
|
||||||
|
};
|
||||||
|
|
||||||
if (locked) {
|
if (locked) {
|
||||||
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, app_entry->path_len);
|
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path.buffer, path.len);
|
||||||
|
|
||||||
return fort_conf_ref_exe_add_path_locked(conf_ref, app_entry, path, path_hash);
|
return fort_conf_ref_exe_add_path_locked(conf_ref, app_entry, &path, path_hash);
|
||||||
} else {
|
} else {
|
||||||
return fort_conf_ref_exe_add_path(conf_ref, app_entry, path);
|
return fort_conf_ref_exe_add_path(conf_ref, app_entry, &path);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -188,7 +190,7 @@ static void fort_conf_ref_exe_fill(PFORT_CONF_REF conf_ref, const PFORT_CONF con
|
|||||||
const int count = conf->exe_apps_n;
|
const int count = conf->exe_apps_n;
|
||||||
|
|
||||||
for (int i = 0; i < count; ++i) {
|
for (int i = 0; i < count; ++i) {
|
||||||
const PFORT_APP_ENTRY entry = (const PFORT_APP_ENTRY) app_entries;
|
PCFORT_APP_ENTRY entry = (PCFORT_APP_ENTRY) app_entries;
|
||||||
|
|
||||||
fort_conf_ref_exe_add_entry(conf_ref, entry, TRUE);
|
fort_conf_ref_exe_add_entry(conf_ref, entry, TRUE);
|
||||||
|
|
||||||
@ -196,13 +198,13 @@ static void fort_conf_ref_exe_fill(PFORT_CONF_REF conf_ref, const PFORT_CONF con
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, const PVOID path, UINT32 path_len)
|
static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, PCFORT_APP_PATH path)
|
||||||
{
|
{
|
||||||
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, path_len);
|
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
|
||||||
|
|
||||||
KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
|
KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
|
||||||
{
|
{
|
||||||
PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_len, path_hash);
|
PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
|
||||||
|
|
||||||
if (node != NULL) {
|
if (node != NULL) {
|
||||||
/* Delete from conf */
|
/* Delete from conf */
|
||||||
@ -226,9 +228,14 @@ static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, const PVOID path
|
|||||||
ExReleaseSpinLockExclusive(&conf_ref->conf_lock, oldIrql);
|
ExReleaseSpinLockExclusive(&conf_ref->conf_lock, oldIrql);
|
||||||
}
|
}
|
||||||
|
|
||||||
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry)
|
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry)
|
||||||
{
|
{
|
||||||
fort_conf_ref_exe_del_path(conf_ref, entry->path, entry->path_len);
|
const FORT_APP_PATH path = {
|
||||||
|
.len = entry->path_len,
|
||||||
|
.buffer = entry->path,
|
||||||
|
};
|
||||||
|
|
||||||
|
fort_conf_ref_exe_del_path(conf_ref, &path);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void fort_conf_ref_init(PFORT_CONF_REF conf_ref)
|
static void fort_conf_ref_init(PFORT_CONF_REF conf_ref)
|
||||||
|
@ -53,15 +53,15 @@ FORT_API UCHAR fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UCHAR flag, B
|
|||||||
FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag);
|
FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag);
|
||||||
|
|
||||||
FORT_API FORT_APP_DATA fort_conf_exe_find(
|
FORT_API FORT_APP_DATA fort_conf_exe_find(
|
||||||
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len);
|
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_conf_ref_exe_add_path(
|
FORT_API NTSTATUS fort_conf_ref_exe_add_path(
|
||||||
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, const PVOID path);
|
PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
|
||||||
|
|
||||||
FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
|
FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
|
||||||
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry, BOOL locked);
|
PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry, BOOL locked);
|
||||||
|
|
||||||
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry);
|
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry);
|
||||||
|
|
||||||
FORT_API PFORT_CONF_REF fort_conf_ref_new(const PFORT_CONF conf, ULONG len);
|
FORT_API PFORT_CONF_REF fort_conf_ref_new(const PFORT_CONF conf, ULONG len);
|
||||||
|
|
||||||
|
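Review bot: The new `fort_conf_ref_exe_add_path` prototype carries the path length twice, in `app_entry->path_len` and in `path->len`, and the header does not say which one the implementation trusts; both call sites in this commit (`fort_callout_ale_log_app_path` and `fort_conf_ref_exe_add_entry`) set them equal, but nothing enforces it. Document the contract on the declaration, e.g. `/* path->len must equal app_entry->path_len; path->buffer supplies the bytes stored for the entry */`, or drop one of the two sources so a future caller cannot pass a mismatched pair. The implementation is outside this chunk, so I could not confirm which field it uses for the copy.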
@ -59,8 +59,8 @@ static FORT_APP_DATA fort_callout_ale_conf_app_data(
|
|||||||
if (cx->app_data_found)
|
if (cx->app_data_found)
|
||||||
return cx->app_data;
|
return cx->app_data;
|
||||||
|
|
||||||
const FORT_APP_DATA app_data = fort_conf_app_find(
|
const FORT_APP_DATA app_data =
|
||||||
&conf_ref->conf, cx->path->Buffer, cx->path->Length, fort_conf_exe_find, conf_ref);
|
fort_conf_app_find(&conf_ref->conf, &cx->path, fort_conf_exe_find, conf_ref);
|
||||||
|
|
||||||
fort_callout_ale_set_app_flags(cx, app_data);
|
fort_callout_ale_set_app_flags(cx, app_data);
|
||||||
|
|
||||||
@ -94,8 +94,8 @@ inline static BOOL fort_callout_ale_associate_flow(
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!log_stat) {
|
if (!log_stat) {
|
||||||
fort_buffer_proc_new_write(&fort_device()->buffer, cx->process_id, cx->real_path->Length,
|
fort_buffer_proc_new_write(
|
||||||
cx->real_path->Buffer, &cx->irp, &cx->info);
|
&fort_device()->buffer, cx->process_id, &cx->real_path, &cx->irp, &cx->info);
|
||||||
}
|
}
|
||||||
|
|
||||||
return FALSE;
|
return FALSE;
|
||||||
@ -124,16 +124,16 @@ inline static void fort_callout_ale_log_app_path(PFORT_CALLOUT_ALE_EXTRA cx,
|
|||||||
|
|
||||||
FORT_APP_ENTRY app_entry = {
|
FORT_APP_ENTRY app_entry = {
|
||||||
.app_data = app_data,
|
.app_data = app_data,
|
||||||
.path_len = cx->path->Length,
|
.path_len = cx->path.len,
|
||||||
};
|
};
|
||||||
|
|
||||||
if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, cx->path->Buffer)))
|
if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->path)))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
fort_callout_ale_set_app_flags(cx, app_data);
|
fort_callout_ale_set_app_flags(cx, app_data);
|
||||||
|
|
||||||
fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id,
|
fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id, &cx->real_path,
|
||||||
cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info);
|
&cx->irp, &cx->info);
|
||||||
}
|
}
|
||||||
|
|
||||||
inline static BOOL fort_callout_ale_log_blocked_ip_check_app(
|
inline static BOOL fort_callout_ale_log_blocked_ip_check_app(
|
||||||
@ -174,7 +174,7 @@ inline static void fort_callout_ale_log_blocked_ip(PCFORT_CALLOUT_ARG ca,
|
|||||||
|
|
||||||
fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited,
|
fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited,
|
||||||
cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->remote_ip,
|
cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->remote_ip,
|
||||||
cx->process_id, cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info);
|
cx->process_id, &cx->real_path, &cx->irp, &cx->info);
|
||||||
}
|
}
|
||||||
|
|
||||||
inline static BOOL fort_callout_ale_add_pending(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
|
inline static BOOL fort_callout_ale_add_pending(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
|
||||||
@ -365,38 +365,41 @@ inline static void fort_callout_ale_classify_action(PCFORT_CALLOUT_ARG ca,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
inline static void fort_callout_ale_check_conf(
|
inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
|
||||||
PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
|
|
||||||
{
|
{
|
||||||
const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
|
|
||||||
|
|
||||||
const UINT32 process_id = (UINT32) ca->inMetaValues->processId;
|
const UINT32 process_id = (UINT32) ca->inMetaValues->processId;
|
||||||
|
|
||||||
UNICODE_STRING real_path;
|
PFORT_APP_PATH real_path = &cx->real_path;
|
||||||
real_path.Length = (UINT16) (ca->inMetaValues->processPath->size
|
real_path->len = (UINT16) (ca->inMetaValues->processPath->size
|
||||||
- sizeof(WCHAR)); /* chop terminating zero */
|
- sizeof(WCHAR)); /* chop terminating zero */
|
||||||
real_path.MaximumLength = real_path.Length;
|
real_path->buffer = (PCWSTR) ca->inMetaValues->processPath->data;
|
||||||
real_path.Buffer = (PWSTR) ca->inMetaValues->processPath->data;
|
|
||||||
|
|
||||||
BOOL isSvcHost = FALSE;
|
BOOL isSvcHost = FALSE;
|
||||||
BOOL inherited = FALSE;
|
BOOL inherited = FALSE;
|
||||||
UNICODE_STRING path;
|
|
||||||
|
PFORT_APP_PATH path = &cx->path;
|
||||||
if (!fort_pstree_get_proc_name(
|
if (!fort_pstree_get_proc_name(
|
||||||
&fort_device()->ps_tree, process_id, &path, &isSvcHost, &inherited)) {
|
&fort_device()->ps_tree, process_id, path, &isSvcHost, &inherited)) {
|
||||||
path = real_path;
|
*path = *real_path;
|
||||||
} else if (!inherited) {
|
} else if (!inherited) {
|
||||||
real_path = path;
|
*real_path = *path;
|
||||||
}
|
}
|
||||||
|
|
||||||
cx->process_id = process_id;
|
cx->process_id = process_id;
|
||||||
cx->path = &path;
|
|
||||||
cx->real_path = &real_path;
|
|
||||||
cx->inherited = (UCHAR) inherited;
|
cx->inherited = (UCHAR) inherited;
|
||||||
|
}
|
||||||
|
|
||||||
|
inline static void fort_callout_ale_check_conf(
|
||||||
|
PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
|
||||||
|
{
|
||||||
|
fort_callout_ale_fill_path(ca, cx);
|
||||||
|
|
||||||
cx->blocked = TRUE;
|
cx->blocked = TRUE;
|
||||||
cx->ignore = FALSE;
|
cx->ignore = FALSE;
|
||||||
cx->block_reason = FORT_BLOCK_REASON_UNKNOWN;
|
cx->block_reason = FORT_BLOCK_REASON_UNKNOWN;
|
||||||
|
|
||||||
|
const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
|
||||||
|
|
||||||
if (!fort_callout_ale_check_flags(ca, cx, conf_ref, conf_flags)) {
|
if (!fort_callout_ale_check_flags(ca, cx, conf_ref, conf_flags)) {
|
||||||
fort_callout_ale_check_app(ca, cx, conf_ref, conf_flags);
|
fort_callout_ale_check_app(ca, cx, conf_ref, conf_flags);
|
||||||
}
|
}
|
||||||
|
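Review bot: `real_path->len = (UINT16) (ca->inMetaValues->processPath->size - sizeof(WCHAR))` in `fort_callout_ale_fill_path` underflows when the blob size is smaller than one WCHAR: a zero-size `processPath` yields a length of 0xFFFE, and every consumer of `cx->real_path` / `cx->path` (the hash in `fort_conf_ref_exe_del_path`, the memcmp in `fort_conf_app_exe_equal`, the `RtlCopyMemory` in `fort_pstree_proc_set_name`) then reads far past `processPath->data`. The old code had the same cast, but since the function is being (re)introduced here it is the place to guard it: `const UINT32 size = ca->inMetaValues->processPath->size;` and `real_path->len = (UINT16) (size >= sizeof(WCHAR) ? size - sizeof(WCHAR) : 0); /* chop terminating zero */`. Whether the presence of `processPath` in `inMetaValues` is validated before this point is not visible in the hunk; presumably the caller checks it. It would also help to state on the `FORT_APP_PATH` declaration (outside this chunk) that `len` is a byte count excluding the terminator, since `confAppFind` computes it independently as `size() * sizeof(WCHAR)`.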
@ -58,8 +58,8 @@ typedef struct fort_callout_ale_extra
|
|||||||
|
|
||||||
const UINT32 *remote_ip;
|
const UINT32 *remote_ip;
|
||||||
|
|
||||||
PCUNICODE_STRING path;
|
FORT_APP_PATH path;
|
||||||
PCUNICODE_STRING real_path;
|
FORT_APP_PATH real_path;
|
||||||
|
|
||||||
PIRP irp;
|
PIRP irp;
|
||||||
ULONG_PTR info;
|
ULONG_PTR info;
|
||||||
|
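Review bot: Embedding `FORT_APP_PATH path` / `real_path` in `fort_callout_ale_extra` removes the old pointers to stack locals, but `buffer` is still a borrowed pointer: `fort_callout_ale_fill_path` aims it at `ca->inMetaValues->processPath->data`, and `fort_pstree_get_proc_name_locked` (the `@ -801,16 +805,15 @@` hunk) aims it at `ps_name->data`, a ps-tree name node. Whether that node stays valid after `fort_pstree_get_proc_name` drops its lock is not visible in this chunk; if it can be freed concurrently, the embedded struct now outlives the guarantee just as the old `PCUNICODE_STRING` did. Please document the ownership on the two fields, e.g. `/* buffer is borrowed (WFP metadata or ps-tree name node); do not retain past the callout */`, and confirm the ps-tree lifetime assumption.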
@ -234,7 +234,7 @@ static NTSTATUS fort_device_control_getlog(PFORT_DEVICE_CONTROL_ARG dca)
|
|||||||
}
|
}
|
||||||
|
|
||||||
inline static NTSTATUS fort_device_control_app_conf(
|
inline static NTSTATUS fort_device_control_app_conf(
|
||||||
const PFORT_APP_ENTRY app_entry, PFORT_CONF_REF conf_ref, BOOL is_adding)
|
PCFORT_APP_ENTRY app_entry, PFORT_CONF_REF conf_ref, BOOL is_adding)
|
||||||
{
|
{
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
|
|
||||||
@ -250,7 +250,7 @@ inline static NTSTATUS fort_device_control_app_conf(
|
|||||||
|
|
||||||
static NTSTATUS fort_device_control_app(PFORT_DEVICE_CONTROL_ARG dca, BOOL is_adding)
|
static NTSTATUS fort_device_control_app(PFORT_DEVICE_CONTROL_ARG dca, BOOL is_adding)
|
||||||
{
|
{
|
||||||
const PFORT_APP_ENTRY app_entry = dca->buffer;
|
PCFORT_APP_ENTRY app_entry = dca->buffer;
|
||||||
const ULONG len = dca->in_len;
|
const ULONG len = dca->in_len;
|
||||||
|
|
||||||
if (len < sizeof(FORT_APP_ENTRY) || len < FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len))
|
if (len < sizeof(FORT_APP_ENTRY) || len < FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len))
|
||||||
|
@ -393,19 +393,21 @@ static PFORT_PSNODE fort_pstree_find_proc(PFORT_PSTREE ps_tree, DWORD processId)
|
|||||||
}
|
}
|
||||||
|
|
||||||
inline static void fort_pstree_proc_set_name(
|
inline static void fort_pstree_proc_set_name(
|
||||||
PFORT_PSTREE ps_tree, PFORT_PSNODE proc, const PVOID path_buf, UINT16 path_len)
|
PFORT_PSTREE ps_tree, PFORT_PSNODE proc, PCFORT_APP_PATH path)
|
||||||
{
|
{
|
||||||
|
const UINT16 path_len = path->len;
|
||||||
|
|
||||||
PFORT_PSNAME ps_name = fort_pstree_name_new(ps_tree, path_len);
|
PFORT_PSNAME ps_name = fort_pstree_name_new(ps_tree, path_len);
|
||||||
if (ps_name == NULL)
|
if (ps_name == NULL)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
RtlCopyMemory(ps_name->data, path_buf, path_len);
|
RtlCopyMemory(ps_name->data, path->buffer, path_len);
|
||||||
|
|
||||||
proc->ps_name = ps_name;
|
proc->ps_name = ps_name;
|
||||||
}
|
}
|
||||||
|
|
||||||
inline static void fort_pstree_check_proc_conf(PFORT_PSTREE ps_tree, PFORT_PSNODE proc,
|
inline static void fort_pstree_check_proc_conf(
|
||||||
const PVOID path_buf, UINT16 path_len, FORT_APP_DATA app_data)
|
PFORT_PSTREE ps_tree, PFORT_PSNODE proc, PCFORT_APP_PATH path, FORT_APP_DATA app_data)
|
||||||
{
|
{
|
||||||
if (app_data.found == 0)
|
if (app_data.found == 0)
|
||||||
return;
|
return;
|
||||||
@ -420,7 +422,7 @@ inline static void fort_pstree_check_proc_conf(PFORT_PSTREE ps_tree, PFORT_PSNOD
|
|||||||
const BOOL has_ps_name = (proc->ps_name != NULL);
|
const BOOL has_ps_name = (proc->ps_name != NULL);
|
||||||
|
|
||||||
if (!has_ps_name) {
|
if (!has_ps_name) {
|
||||||
fort_pstree_proc_set_name(ps_tree, proc, path_buf, path_len);
|
fort_pstree_proc_set_name(ps_tree, proc, path);
|
||||||
}
|
}
|
||||||
|
|
||||||
proc->flags |= FORT_PSNODE_NAME_INHERIT
|
proc->flags |= FORT_PSNODE_NAME_INHERIT
|
||||||
@ -472,17 +474,19 @@ static void fort_pstree_check_proc_inheritance(
|
|||||||
return;
|
return;
|
||||||
|
|
||||||
const BOOL has_ps_name = (proc->ps_name != NULL);
|
const BOOL has_ps_name = (proc->ps_name != NULL);
|
||||||
const PVOID path_buf = has_ps_name ? proc->ps_name->data : psi->path->Buffer;
|
const FORT_APP_PATH path = {
|
||||||
const UINT16 path_len = has_ps_name ? proc->ps_name->size : psi->path->Length;
|
.len = has_ps_name ? proc->ps_name->size : psi->path->Length,
|
||||||
|
.buffer = has_ps_name ? proc->ps_name->data : psi->path->Buffer,
|
||||||
|
};
|
||||||
|
|
||||||
const PFORT_CONF conf = &conf_ref->conf;
|
const PFORT_CONF conf = &conf_ref->conf;
|
||||||
|
|
||||||
const FORT_APP_DATA app_data = conf->proc_wild
|
const FORT_APP_DATA app_data = conf->proc_wild
|
||||||
? fort_conf_app_find(conf, path_buf, path_len, fort_conf_exe_find, conf_ref)
|
? fort_conf_app_find(conf, &path, fort_conf_exe_find, conf_ref)
|
||||||
: fort_conf_exe_find(conf, conf_ref, path_buf, path_len);
|
: fort_conf_exe_find(conf, conf_ref, &path);
|
||||||
|
|
||||||
if (!fort_pstree_check_proc_inherited(ps_tree, proc, psi->parentProcessId, app_data)) {
|
if (!fort_pstree_check_proc_inherited(ps_tree, proc, psi->parentProcessId, app_data)) {
|
||||||
fort_pstree_check_proc_conf(ps_tree, proc, path_buf, path_len, app_data);
|
fort_pstree_check_proc_conf(ps_tree, proc, &path, app_data);
|
||||||
}
|
}
|
||||||
|
|
||||||
fort_conf_ref_put(device_conf, conf_ref);
|
fort_conf_ref_put(device_conf, conf_ref);
|
||||||
@ -784,7 +788,7 @@ FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD processId,
|
static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD processId,
|
||||||
PUNICODE_STRING path, BOOL *isSvcHost, BOOL *inherited)
|
PFORT_APP_PATH path, BOOL *isSvcHost, BOOL *inherited)
|
||||||
{
|
{
|
||||||
PFORT_PSNODE proc = fort_pstree_find_proc(ps_tree, processId);
|
PFORT_PSNODE proc = fort_pstree_find_proc(ps_tree, processId);
|
||||||
if (proc == NULL)
|
if (proc == NULL)
|
||||||
@ -801,16 +805,15 @@ static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD process
|
|||||||
== FORT_PSNODE_NAME_INHERIT)
|
== FORT_PSNODE_NAME_INHERIT)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
path->Length = ps_name->size;
|
path->len = ps_name->size;
|
||||||
path->MaximumLength = ps_name->size;
|
path->buffer = ps_name->data;
|
||||||
path->Buffer = ps_name->data;
|
|
||||||
|
|
||||||
*inherited = (procFlags & FORT_PSNODE_NAME_INHERITED) != 0;
|
*inherited = (procFlags & FORT_PSNODE_NAME_INHERITED) != 0;
|
||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path,
|
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path,
|
||||||
BOOL *isSvcHost, BOOL *inherited)
|
BOOL *isSvcHost, BOOL *inherited)
|
||||||
{
|
{
|
||||||
BOOL res;
|
BOOL res;
|
||||||
|
@ -34,7 +34,7 @@ FORT_API void fort_pstree_close(PFORT_PSTREE ps_tree);
|
|||||||
|
|
||||||
FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree);
|
FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree);
|
||||||
|
|
||||||
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path,
|
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path,
|
||||||
BOOL *isSvcHost, BOOL *inherited);
|
BOOL *isSvcHost, BOOL *inherited);
|
||||||
|
|
||||||
FORT_API void fort_pstree_update_services(
|
FORT_API void fort_pstree_update_services(
|
||||||
|
@ -214,11 +214,14 @@ FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath)
|
|||||||
{
|
{
|
||||||
const PFORT_CONF conf = (const PFORT_CONF) drvConf;
|
const PFORT_CONF conf = (const PFORT_CONF) drvConf;
|
||||||
const QString kernelPathLower = kernelPath.startsWith('\\') ? kernelPath.toLower() : kernelPath;
|
const QString kernelPathLower = kernelPath.startsWith('\\') ? kernelPath.toLower() : kernelPath;
|
||||||
const quint32 len = quint32(kernelPathLower.size()) * sizeof(WCHAR);
|
|
||||||
const WCHAR *p = (PCWCHAR) kernelPathLower.utf16();
|
|
||||||
|
|
||||||
const FORT_APP_DATA app_data = fort_conf_app_find(
|
const FORT_APP_PATH path = {
|
||||||
conf, (const PVOID) p, len, fort_conf_app_exe_find, /*exe_context=*/nullptr);
|
.len = quint16(kernelPathLower.size() * sizeof(WCHAR)),
|
||||||
|
.buffer = kernelPathLower.utf16(),
|
||||||
|
};
|
||||||
|
|
||||||
|
const FORT_APP_DATA app_data =
|
||||||
|
fort_conf_app_find(conf, &path, fort_conf_app_exe_find, /*exe_context=*/nullptr);
|
||||||
|
|
||||||
return app_data;
|
return app_data;
|
||||||
}
|
}
|
||||||
|
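Review bot: `.len = quint16(kernelPathLower.size() * sizeof(WCHAR))` in `confAppFind` narrows a length the old code carried as `quint32`; for a path of 32768 or more characters the byte count wraps modulo 65536 and the lookup silently runs against a bogus short prefix of the buffer. Whether such a path can reach this function is not visible here, but the conversion should be guarded rather than implicit, e.g. `if (kernelPathLower.size() * sizeof(WCHAR) > 0xFFFF) return FORT_APP_DATA {};` ahead of the initializer, with a one-line comment noting that `FORT_APP_PATH::len` is a 16-bit byte count matching the driver-side `path_len`.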