Driver: Refactor app path handling

Nodir Temirkhodjaev 2024-10-21 14:55:00 +05:00
parent a97c47f8bd
commit 4274370f05
15 changed files with 179 additions and 150 deletions


@ -20,6 +20,14 @@ typedef union ip_addr_t {
ip6_addr_t v6; ip6_addr_t v6;
} ip_addr_t; } ip_addr_t;
typedef struct fort_app_path
{
unsigned short len;
const void *buffer;
} FORT_APP_PATH, *PFORT_APP_PATH;
typedef const FORT_APP_PATH *PCFORT_APP_PATH;
#define UNUSED(p) ((void) (p)) #define UNUSED(p) ((void) (p))
#endif // COMMON_TYPES_H #endif // COMMON_TYPES_H
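Review bot: The new `fort_app_path` struct says nothing about the unit of `len` or the termination of `buffer`, and both are load-bearing for the consumers this commit adds: `fort_conf_app_exe_equal` compares `len` against `FORT_APP_ENTRY.path_len` and the copy in `fort_conf_ref_exe_new_entry` indexes `path[path_len / sizeof(WCHAR)]`, so `len` is a byte count of UTF-16 data, while the wildcard comparison never reads `len` and walks `buffer` as a NUL-terminated `WCHAR` string. I would state that contract on the fields so the next caller does not build a path from a non-terminated slice: `unsigned short len; /* byte length of the UTF-16 path, without the terminating zero */` and `const void *buffer; /* UTF-16 path; wildcard matching ignores len and requires a NUL terminator after it */`. As far as this diff shows, every current producer (process path from the filter metadata, config entries) does carry a terminator, so this is a documentation gap rather than a live defect.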


@ -168,28 +168,25 @@ FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
return ip_included && !ip_excluded; return ip_included && !ip_excluded;
} }
FORT_API BOOL fort_conf_app_exe_equal( FORT_API BOOL fort_conf_app_exe_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
{ {
const UINT16 path_len = path->len;
if (path_len != app_entry->path_len) if (path_len != app_entry->path_len)
return FALSE; return FALSE;
return fort_memcmp(path, app_entry->path, path_len) == 0; return fort_memcmp(path->buffer, app_entry->path, path_len) == 0;
} }
static BOOL fort_conf_app_wild_equal( static BOOL fort_conf_app_wild_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
{ {
UNUSED(path_len); return wildmatch(app_entry->path, path->buffer) == WM_MATCH;
return wildmatch(app_entry->path, (const WCHAR *) path) == WM_MATCH;
} }
typedef BOOL fort_conf_app_equal_func( typedef BOOL fort_conf_app_equal_func(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len);
static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID path, static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, PCFORT_APP_PATH path,
UINT32 path_len, UINT32 apps_off, UINT16 apps_n, fort_conf_app_equal_func *app_equal_func) UINT32 apps_off, UINT16 apps_n, fort_conf_app_equal_func *app_equal_func)
{ {
const FORT_APP_DATA app_data = { 0 }; const FORT_APP_DATA app_data = { 0 };
@ -199,9 +196,9 @@ static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID
const char *app_entries = (const char *) (conf->data + apps_off); const char *app_entries = (const char *) (conf->data + apps_off);
do { do {
const PFORT_APP_ENTRY app_entry = (const PFORT_APP_ENTRY) app_entries; PCFORT_APP_ENTRY app_entry = (PCFORT_APP_ENTRY) app_entries;
if (app_equal_func(app_entry, path, path_len)) if (app_equal_func(app_entry, path))
return app_entry->app_data; return app_entry->app_data;
app_entries += FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len); app_entries += FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len);
@ -211,32 +208,32 @@ static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID
} }
FORT_API FORT_APP_DATA fort_conf_app_exe_find( FORT_API FORT_APP_DATA fort_conf_app_exe_find(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len) const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path)
{ {
UNUSED(context); UNUSED(context);
return fort_conf_app_find_loop( return fort_conf_app_find_loop(
conf, path, path_len, conf->exe_apps_off, conf->exe_apps_n, fort_conf_app_exe_equal); conf, path, conf->exe_apps_off, conf->exe_apps_n, fort_conf_app_exe_equal);
} }
static FORT_APP_DATA fort_conf_app_wild_find( static FORT_APP_DATA fort_conf_app_wild_find(const PFORT_CONF conf, PCFORT_APP_PATH path)
const PFORT_CONF conf, const PVOID path, UINT32 path_len)
{ {
return fort_conf_app_find_loop( return fort_conf_app_find_loop(
conf, path, path_len, conf->wild_apps_off, conf->wild_apps_n, fort_conf_app_wild_equal); conf, path, conf->wild_apps_off, conf->wild_apps_n, fort_conf_app_wild_equal);
} }
static int fort_conf_app_prefix_cmp(PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len) static int fort_conf_app_prefix_cmp(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
{ {
UINT16 path_len = path->len;
if (path_len > app_entry->path_len) { if (path_len > app_entry->path_len) {
path_len = app_entry->path_len; path_len = app_entry->path_len;
} }
return fort_memcmp(path, app_entry->path, path_len); return fort_memcmp(path->buffer, app_entry->path, path_len);
} }
static FORT_APP_DATA fort_conf_app_prefix_find( static FORT_APP_DATA fort_conf_app_prefix_find(const PFORT_CONF conf, PCFORT_APP_PATH path)
const PFORT_CONF conf, const PVOID path, UINT32 path_len)
{ {
const FORT_APP_DATA app_data = { 0 }; const FORT_APP_DATA app_data = { 0 };
@ -254,9 +251,9 @@ static FORT_APP_DATA fort_conf_app_prefix_find(
do { do {
const int mid = (low + high) / 2; const int mid = (low + high) / 2;
const UINT32 app_off = app_offsets[mid]; const UINT32 app_off = app_offsets[mid];
const PFORT_APP_ENTRY app_entry = (PFORT_APP_ENTRY) (app_entries + app_off); PCFORT_APP_ENTRY app_entry = (PCFORT_APP_ENTRY) (app_entries + app_off);
const int res = fort_conf_app_prefix_cmp(app_entry, path, path_len); const int res = fort_conf_app_prefix_cmp(app_entry, path);
if (res < 0) { if (res < 0) {
high = mid - 1; high = mid - 1;
@ -270,20 +267,20 @@ static FORT_APP_DATA fort_conf_app_prefix_find(
return app_data; return app_data;
} }
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, const PVOID path, UINT32 path_len, FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, PCFORT_APP_PATH path,
fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context) fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context)
{ {
FORT_APP_DATA app_data; FORT_APP_DATA app_data;
app_data = exe_find_func(conf, exe_context, path, path_len); app_data = exe_find_func(conf, exe_context, path);
if (app_data.found != 0) if (app_data.found != 0)
return app_data; return app_data;
app_data = fort_conf_app_wild_find(conf, path, path_len); app_data = fort_conf_app_wild_find(conf, path);
if (app_data.found != 0) if (app_data.found != 0)
return app_data; return app_data;
app_data = fort_conf_app_prefix_find(conf, path, path_len); app_data = fort_conf_app_prefix_find(conf, path);
return app_data; return app_data;
} }
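Review bot: In `fort_conf_app_wild_equal` the new line `return wildmatch(app_entry->path, path->buffer) == WM_MATCH;` hands a `const void *` to `wildmatch` and drops the explicit `(const WCHAR *)` cast the old code had; C accepts the implicit conversion, so this compiles, but the cast was the only visible statement of the element type, and the function still ignores `path->len` entirely, so a `buffer` that is not NUL-terminated past `len` would be read out of bounds. I would keep the cast and say why the length is unused: `/* wildmatch ignores path->len: buffer must be NUL-terminated */` followed by `return wildmatch(app_entry->path, (const WCHAR *) path->buffer) == WM_MATCH;`. The exact-match and prefix paths are fine as written since both bound the comparison by `path->len` (clamped to the entry length in `fort_conf_app_prefix_cmp`).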


@ -244,6 +244,8 @@ typedef struct fort_app_entry
WCHAR path[2]; WCHAR path[2];
} FORT_APP_ENTRY, *PFORT_APP_ENTRY; } FORT_APP_ENTRY, *PFORT_APP_ENTRY;
typedef const FORT_APP_ENTRY *PCFORT_APP_ENTRY;
#define FORT_CONF_APP_ENTRY_PATH_OFF offsetof(FORT_APP_ENTRY, path) #define FORT_CONF_APP_ENTRY_PATH_OFF offsetof(FORT_APP_ENTRY, path)
#define FORT_CONF_APP_ENTRY_SIZE(path_len) \ #define FORT_CONF_APP_ENTRY_SIZE(path_len) \
(FORT_CONF_APP_ENTRY_PATH_OFF + (path_len) + sizeof(WCHAR)) /* include terminating zero */ (FORT_CONF_APP_ENTRY_PATH_OFF + (path_len) + sizeof(WCHAR)) /* include terminating zero */
@ -317,7 +319,7 @@ typedef struct fort_conf_io
(FORT_CONF_ADDR4_LIST_SIZE(ip4_n, pair4_n) + FORT_CONF_ADDR6_LIST_SIZE(ip6_n, pair6_n)) (FORT_CONF_ADDR4_LIST_SIZE(ip4_n, pair4_n) + FORT_CONF_ADDR6_LIST_SIZE(ip6_n, pair6_n))
typedef FORT_APP_DATA fort_conf_app_exe_find_func( typedef FORT_APP_DATA fort_conf_app_exe_find_func(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len); const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
typedef BOOL fort_conf_zones_ip_included_func( typedef BOOL fort_conf_zones_ip_included_func(
void *ctx, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6); void *ctx, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6);
@ -348,13 +350,12 @@ FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
#define fort_conf_ip_inet_included(conf, zone_func, ctx, remote_ip, isIPv6) \ #define fort_conf_ip_inet_included(conf, zone_func, ctx, remote_ip, isIPv6) \
fort_conf_ip_included((conf), (zone_func), (ctx), (remote_ip), isIPv6, /*addr_group_index=*/1) fort_conf_ip_included((conf), (zone_func), (ctx), (remote_ip), isIPv6, /*addr_group_index=*/1)
FORT_API BOOL fort_conf_app_exe_equal( FORT_API BOOL fort_conf_app_exe_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len);
FORT_API FORT_APP_DATA fort_conf_app_exe_find( FORT_API FORT_APP_DATA fort_conf_app_exe_find(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len); const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, const PVOID path, UINT32 path_len, FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, PCFORT_APP_PATH path,
fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context); fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context);
FORT_API BOOL fort_conf_app_group_blocked(const FORT_CONF_FLAGS conf_flags, FORT_APP_DATA app_data); FORT_API BOOL fort_conf_app_group_blocked(const FORT_CONF_FLAGS conf_flags, FORT_APP_DATA app_data);


@ -12,13 +12,14 @@ FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, U
*up = pid; *up = pid;
} }
FORT_API void fort_log_blocked_write( FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_APP_PATH path)
char *p, BOOL blocked, UINT32 pid, UINT32 path_len, const char *path)
{ {
const UINT16 path_len = path->len;
fort_log_blocked_header_write(p, blocked, pid, path_len); fort_log_blocked_header_write(p, blocked, pid, path_len);
if (path_len != 0) { if (path_len != 0) {
RtlCopyMemory(p + FORT_LOG_BLOCKED_HEADER_SIZE, path, path_len); RtlCopyMemory(p + FORT_LOG_BLOCKED_HEADER_SIZE, path->buffer, path_len);
} }
} }
@ -54,14 +55,15 @@ void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL i
void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited, void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len, const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path)
const char *path)
{ {
const UINT16 path_len = path->len;
fort_log_blocked_ip_header_write(p, isIPv6, inbound, inherited, block_reason, ip_proto, fort_log_blocked_ip_header_write(p, isIPv6, inbound, inherited, block_reason, ip_proto,
local_port, remote_port, local_ip, remote_ip, pid, path_len); local_port, remote_port, local_ip, remote_ip, pid, path_len);
if (path_len != 0) { if (path_len != 0) {
RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path, path_len); RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path->buffer, path_len);
} }
} }
@ -98,12 +100,14 @@ FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_le
*up = pid; *up = pid;
} }
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, UINT32 path_len, const char *path) FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, PCFORT_APP_PATH path)
{ {
const UINT16 path_len = path->len;
fort_log_proc_new_header_write(p, pid, path_len); fort_log_proc_new_header_write(p, pid, path_len);
if (path_len != 0) { if (path_len != 0) {
RtlCopyMemory(p + FORT_LOG_PROC_NEW_HEADER_SIZE, path, path_len); RtlCopyMemory(p + FORT_LOG_PROC_NEW_HEADER_SIZE, path->buffer, path_len);
} }
} }
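Review bot: `fort_log_blocked_write`, `fort_log_blocked_ip_write` and `fort_log_proc_new_write` now copy `path->len` bytes into `p` right after the header with no bound of their own; the only thing keeping that write inside the prepared buffer is the caller in fort_buffer.c clamping `len` to `FORT_LOG_PATH_MAX` (via `fort_buffer_adjust_log_path` in this same commit) and sizing the buffer from the clamped value. That precondition is invisible here, so I would put it on each writer, e.g. above `fort_log_blocked_write`: `/* p must have room for FORT_LOG_BLOCKED_SIZE(path->len) bytes; the caller is responsible for path->len <= FORT_LOG_PATH_MAX */`, with the matching `FORT_LOG_BLOCKED_IP_SIZE` / `FORT_LOG_PROC_NEW_SIZE` wording on the other two. Since the header writers still take `UINT32 path_len`, the `UINT16` widening on `const UINT16 path_len = path->len;` is harmless and readers get exactly the length that was written.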


@ -63,8 +63,7 @@ extern "C" {
FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, UINT32 path_len); FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, UINT32 path_len);
FORT_API void fort_log_blocked_write( FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_APP_PATH path);
char *p, BOOL blocked, UINT32 pid, UINT32 path_len, const char *path);
FORT_API void fort_log_blocked_header_read( FORT_API void fort_log_blocked_header_read(
const char *p, BOOL *blocked, UINT32 *pid, UINT32 *path_len); const char *p, BOOL *blocked, UINT32 *pid, UINT32 *path_len);
@ -75,8 +74,7 @@ FORT_API void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inboun
FORT_API void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited, FORT_API void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len, const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path);
const char *path);
FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound, FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound,
BOOL *inherited, UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port, BOOL *inherited, UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port,
@ -84,7 +82,7 @@ FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL
FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len); FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len);
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, UINT32 path_len, const char *path); FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, PCFORT_APP_PATH path);
FORT_API void fort_log_proc_new_header_read(const char *p, UINT32 *pid, UINT32 *path_len); FORT_API void fort_log_proc_new_header_read(const char *p, UINT32 *pid, UINT32 *path_len);


@ -9,6 +9,17 @@
#define FORT_BUFFER_POOL_TAG 'BwfF' #define FORT_BUFFER_POOL_TAG 'BwfF'
static FORT_APP_PATH fort_buffer_adjust_log_path(PCFORT_APP_PATH path)
{
FORT_APP_PATH log_path = *path;
if (log_path.len > FORT_LOG_PATH_MAX) {
log_path.len = 0; /* drop too long path */
}
return log_path;
}
static PFORT_BUFFER_DATA fort_buffer_data_new(PFORT_BUFFER buf) static PFORT_BUFFER_DATA fort_buffer_data_new(PFORT_BUFFER buf)
{ {
PFORT_BUFFER_DATA data = buf->data_free; PFORT_BUFFER_DATA data = buf->data_free;
@ -155,15 +166,13 @@ FORT_API NTSTATUS fort_buffer_prepare(
} }
FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid, FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info) PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info)
{ {
NTSTATUS status; NTSTATUS status;
if (path_len > FORT_LOG_PATH_MAX) { const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
path_len = 0; /* drop too long path */
}
const UINT32 len = FORT_LOG_BLOCKED_SIZE(path_len); const UINT32 len = FORT_LOG_BLOCKED_SIZE(log_path.len);
KLOCK_QUEUE_HANDLE lock_queue; KLOCK_QUEUE_HANDLE lock_queue;
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue); KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@ -172,7 +181,7 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
status = fort_buffer_prepare(buf, len, &out, irp, info); status = fort_buffer_prepare(buf, len, &out, irp, info);
if (NT_SUCCESS(status)) { if (NT_SUCCESS(status)) {
fort_log_blocked_write(out, blocked, pid, path_len, path); fort_log_blocked_write(out, blocked, pid, &log_path);
} }
} }
KeReleaseInStackQueuedSpinLock(&lock_queue); KeReleaseInStackQueuedSpinLock(&lock_queue);
@ -182,18 +191,16 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, BOOL inherited, NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len, const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
const PVOID path, PIRP *irp, ULONG_PTR *info) PIRP *irp, ULONG_PTR *info)
{ {
FORT_CHECK_STACK(FORT_BUFFER_BLOCKED_IP_WRITE); FORT_CHECK_STACK(FORT_BUFFER_BLOCKED_IP_WRITE);
NTSTATUS status; NTSTATUS status;
if (path_len > FORT_LOG_PATH_MAX) { const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
path_len = 0; /* drop too long path */
}
const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(path_len, isIPv6); const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, isIPv6);
KLOCK_QUEUE_HANDLE lock_queue; KLOCK_QUEUE_HANDLE lock_queue;
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue); KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@ -203,7 +210,7 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
if (NT_SUCCESS(status)) { if (NT_SUCCESS(status)) {
fort_log_blocked_ip_write(out, isIPv6, inbound, inherited, block_reason, ip_proto, fort_log_blocked_ip_write(out, isIPv6, inbound, inherited, block_reason, ip_proto,
local_port, remote_port, local_ip, remote_ip, pid, path_len, path); local_port, remote_port, local_ip, remote_ip, pid, &log_path);
} }
} }
KeReleaseInStackQueuedSpinLock(&lock_queue); KeReleaseInStackQueuedSpinLock(&lock_queue);
@ -212,15 +219,13 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
} }
FORT_API NTSTATUS fort_buffer_proc_new_write( FORT_API NTSTATUS fort_buffer_proc_new_write(
PFORT_BUFFER buf, UINT32 pid, UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info) PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info)
{ {
NTSTATUS status; NTSTATUS status;
if (path_len > FORT_LOG_PATH_MAX) { const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
path_len = 0; /* drop too long path */
}
const UINT32 len = FORT_LOG_PROC_NEW_SIZE(path_len); const UINT32 len = FORT_LOG_PROC_NEW_SIZE(log_path.len);
KLOCK_QUEUE_HANDLE lock_queue; KLOCK_QUEUE_HANDLE lock_queue;
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue); KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@ -229,7 +234,7 @@ FORT_API NTSTATUS fort_buffer_proc_new_write(
status = fort_buffer_prepare(buf, len, &out, irp, info); status = fort_buffer_prepare(buf, len, &out, irp, info);
if (NT_SUCCESS(status)) { if (NT_SUCCESS(status)) {
fort_log_proc_new_write(out, pid, path_len, path); fort_log_proc_new_write(out, pid, &log_path);
} }
} }
KeReleaseInStackQueuedSpinLock(&lock_queue); KeReleaseInStackQueuedSpinLock(&lock_queue);
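Review bot: `fort_buffer_adjust_log_path` zeroes `log_path.len` for an over-long path but leaves `log_path.buffer` pointing at the dropped data; the three writers in fort_log.c guard the copy with `if (path_len != 0)`, so this is safe today, but the helper would be self-evidently safe, and robust against a future consumer that reads `buffer` first, if it cleared both: `log_path.len = 0; log_path.buffer = NULL; /* drop too long path */`. A one-line comment on the helper would also help, e.g. `/* Copy of *path with len forced to 0 when it exceeds FORT_LOG_PATH_MAX, so the log record carries no path rather than a truncated one */`. Whether dropping the path entirely (and thus losing the process attribution in the log) is preferable to truncating it is pre-existing behaviour, not introduced here, but worth a deliberate decision now that the policy lives in one place.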


@ -41,15 +41,15 @@ FORT_API NTSTATUS fort_buffer_prepare(
PFORT_BUFFER buf, UINT32 len, PCHAR *out, PIRP *irp, ULONG_PTR *info); PFORT_BUFFER buf, UINT32 len, PCHAR *out, PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid, FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info); PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, FORT_API NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound,
BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port, BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len, const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
const PVOID path, PIRP *irp, ULONG_PTR *info); PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_proc_new_write(PFORT_BUFFER buf, UINT32 pid, UINT32 path_len, FORT_API NTSTATUS fort_buffer_proc_new_write(
const PVOID path, PIRP *irp, ULONG_PTR *info); PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_xmove( FORT_API NTSTATUS fort_buffer_xmove(
PFORT_BUFFER buf, PIRP irp, PVOID out, ULONG out_len, ULONG_PTR *info); PFORT_BUFFER buf, PIRP irp, PVOID out, ULONG out_len, ULONG_PTR *info);


@ -43,13 +43,13 @@ FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag)
} }
static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node( static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node(
PFORT_CONF_REF conf_ref, const PVOID path, UINT32 path_len, tommy_key_t path_hash) PFORT_CONF_REF conf_ref, PCFORT_APP_PATH path, tommy_key_t path_hash)
{ {
PFORT_CONF_EXE_NODE node = PFORT_CONF_EXE_NODE node =
(PFORT_CONF_EXE_NODE) tommy_hashdyn_bucket(&conf_ref->exe_map, path_hash); (PFORT_CONF_EXE_NODE) tommy_hashdyn_bucket(&conf_ref->exe_map, path_hash);
while (node != NULL) { while (node != NULL) {
if (fort_conf_app_exe_equal(node->app_entry, path, path_len)) if (fort_conf_app_exe_equal(node->app_entry, path))
return node; return node;
node = node->next; node = node->next;
@ -59,19 +59,18 @@ static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node(
} }
FORT_API FORT_APP_DATA fort_conf_exe_find( FORT_API FORT_APP_DATA fort_conf_exe_find(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len) const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path)
{ {
UNUSED(conf); UNUSED(conf);
PFORT_CONF_REF conf_ref = context; PFORT_CONF_REF conf_ref = context;
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, path_len); const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
FORT_APP_DATA app_data = { 0 }; FORT_APP_DATA app_data = { 0 };
KIRQL oldIrql = ExAcquireSpinLockShared(&conf_ref->conf_lock); KIRQL oldIrql = ExAcquireSpinLockShared(&conf_ref->conf_lock);
{ {
const PFORT_CONF_EXE_NODE node = const PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
fort_conf_ref_exe_find_node(conf_ref, path, path_len, path_hash);
if (node != NULL) { if (node != NULL) {
app_data = node->app_entry->app_data; app_data = node->app_entry->app_data;
@ -107,10 +106,10 @@ static void fort_conf_ref_exe_new_path(
++conf->exe_apps_n; ++conf->exe_apps_n;
} }
static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref, static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry,
const PFORT_APP_ENTRY app_entry, const PVOID path, tommy_key_t path_hash) PCFORT_APP_PATH path, tommy_key_t path_hash)
{ {
const UINT32 path_len = app_entry->path_len; const UINT16 path_len = path->len;
const UINT16 entry_size = (UINT16) FORT_CONF_APP_ENTRY_SIZE(path_len); const UINT16 entry_size = (UINT16) FORT_CONF_APP_ENTRY_SIZE(path_len);
PFORT_APP_ENTRY entry = fort_pool_malloc(&conf_ref->pool_list, entry_size); PFORT_APP_ENTRY entry = fort_pool_malloc(&conf_ref->pool_list, entry_size);
@ -118,11 +117,12 @@ static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
if (entry == NULL) if (entry == NULL)
return STATUS_INSUFFICIENT_RESOURCES; return STATUS_INSUFFICIENT_RESOURCES;
*entry = *app_entry; entry->app_data = app_entry->app_data;
entry->path_len = path_len;
/* Copy the path */ /* Copy the path */
{ {
RtlCopyMemory(entry->path, path, path_len); RtlCopyMemory(entry->path, path->buffer, path_len);
entry->path[path_len / sizeof(WCHAR)] = L'\0'; entry->path[path_len / sizeof(WCHAR)] = L'\0';
} }
@ -133,10 +133,9 @@ static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
} }
static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref, static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
const PFORT_APP_ENTRY app_entry, const PVOID path, tommy_key_t path_hash) PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path, tommy_key_t path_hash)
{ {
const PFORT_CONF_EXE_NODE node = const PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
fort_conf_ref_exe_find_node(conf_ref, path, app_entry->path_len, path_hash);
if (node == NULL) { if (node == NULL) {
return fort_conf_ref_exe_new_entry(conf_ref, app_entry, path, path_hash); return fort_conf_ref_exe_new_entry(conf_ref, app_entry, path, path_hash);
@ -145,7 +144,7 @@ static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
if (app_entry->app_data.is_new) if (app_entry->app_data.is_new)
return FORT_STATUS_USER_ERROR; return FORT_STATUS_USER_ERROR;
/* Replace the data */ /* Replace the app data */
{ {
PFORT_APP_ENTRY entry = node->app_entry; PFORT_APP_ENTRY entry = node->app_entry;
entry->app_data = app_entry->app_data; entry->app_data = app_entry->app_data;
@ -155,9 +154,9 @@ static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
} }
FORT_API NTSTATUS fort_conf_ref_exe_add_path( FORT_API NTSTATUS fort_conf_ref_exe_add_path(
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, const PVOID path) PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
{ {
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, app_entry->path_len); const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
NTSTATUS status; NTSTATUS status;
KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock); KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
@ -168,16 +167,19 @@ FORT_API NTSTATUS fort_conf_ref_exe_add_path(
} }
FORT_API NTSTATUS fort_conf_ref_exe_add_entry( FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, BOOL locked) PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, BOOL locked)
{ {
const PVOID path = app_entry->path; const FORT_APP_PATH path = {
.len = app_entry->path_len,
.buffer = app_entry->path,
};
if (locked) { if (locked) {
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, app_entry->path_len); const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path.buffer, path.len);
return fort_conf_ref_exe_add_path_locked(conf_ref, app_entry, path, path_hash); return fort_conf_ref_exe_add_path_locked(conf_ref, app_entry, &path, path_hash);
} else { } else {
return fort_conf_ref_exe_add_path(conf_ref, app_entry, path); return fort_conf_ref_exe_add_path(conf_ref, app_entry, &path);
} }
} }
@ -188,7 +190,7 @@ static void fort_conf_ref_exe_fill(PFORT_CONF_REF conf_ref, const PFORT_CONF con
const int count = conf->exe_apps_n; const int count = conf->exe_apps_n;
for (int i = 0; i < count; ++i) { for (int i = 0; i < count; ++i) {
const PFORT_APP_ENTRY entry = (const PFORT_APP_ENTRY) app_entries; PCFORT_APP_ENTRY entry = (PCFORT_APP_ENTRY) app_entries;
fort_conf_ref_exe_add_entry(conf_ref, entry, TRUE); fort_conf_ref_exe_add_entry(conf_ref, entry, TRUE);
@ -196,13 +198,13 @@ static void fort_conf_ref_exe_fill(PFORT_CONF_REF conf_ref, const PFORT_CONF con
} }
} }
static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, const PVOID path, UINT32 path_len) static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, PCFORT_APP_PATH path)
{ {
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, path_len); const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock); KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
{ {
PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_len, path_hash); PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
if (node != NULL) { if (node != NULL) {
/* Delete from conf */ /* Delete from conf */
@ -226,9 +228,14 @@ static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, const PVOID path
ExReleaseSpinLockExclusive(&conf_ref->conf_lock, oldIrql); ExReleaseSpinLockExclusive(&conf_ref->conf_lock, oldIrql);
} }
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry) FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry)
{ {
fort_conf_ref_exe_del_path(conf_ref, entry->path, entry->path_len); const FORT_APP_PATH path = {
.len = entry->path_len,
.buffer = entry->path,
};
fort_conf_ref_exe_del_path(conf_ref, &path);
} }
static void fort_conf_ref_init(PFORT_CONF_REF conf_ref) static void fort_conf_ref_init(PFORT_CONF_REF conf_ref)
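Review bot: After this change `fort_conf_ref_exe_add_path`, `fort_conf_ref_exe_add_path_locked` and `fort_conf_ref_exe_new_entry` read only `app_entry->app_data` from `app_entry`: the stored length is taken from `path->len` (`const UINT16 path_len = path->len;` and `entry->path_len = path_len;`) and the hash from `path->buffer, path->len`, so `app_entry->path_len` is now dead input and a caller that passes a mismatched value silently gets whatever `path` says. I would either narrow the parameter to `FORT_APP_DATA app_data` (the callout in this commit builds a throw-away `FORT_APP_ENTRY` just to carry it) or, as the minimal fix, state the contract above `fort_conf_ref_exe_add_path`: `/* Only app_entry->app_data is used; the stored path and its length come from `path`. */`. One pre-existing point that becomes more visible with `len` as `UINT16`: `(UINT16) FORT_CONF_APP_ENTRY_SIZE(path_len)` wraps for a path near 65535 bytes, so a bound check on `path->len` before the pool allocation would be cheap insurance; the body of `fort_conf_ref_exe_new_entry` continues outside the hunk.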


@ -53,15 +53,15 @@ FORT_API UCHAR fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UCHAR flag, B
FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag); FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag);
FORT_API FORT_APP_DATA fort_conf_exe_find( FORT_API FORT_APP_DATA fort_conf_exe_find(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len); const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
FORT_API NTSTATUS fort_conf_ref_exe_add_path( FORT_API NTSTATUS fort_conf_ref_exe_add_path(
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, const PVOID path); PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
FORT_API NTSTATUS fort_conf_ref_exe_add_entry( FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry, BOOL locked); PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry, BOOL locked);
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry); FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry);
FORT_API PFORT_CONF_REF fort_conf_ref_new(const PFORT_CONF conf, ULONG len); FORT_API PFORT_CONF_REF fort_conf_ref_new(const PFORT_CONF conf, ULONG len);


@ -59,8 +59,8 @@ static FORT_APP_DATA fort_callout_ale_conf_app_data(
if (cx->app_data_found) if (cx->app_data_found)
return cx->app_data; return cx->app_data;
const FORT_APP_DATA app_data = fort_conf_app_find( const FORT_APP_DATA app_data =
&conf_ref->conf, cx->path->Buffer, cx->path->Length, fort_conf_exe_find, conf_ref); fort_conf_app_find(&conf_ref->conf, &cx->path, fort_conf_exe_find, conf_ref);
fort_callout_ale_set_app_flags(cx, app_data); fort_callout_ale_set_app_flags(cx, app_data);
@ -94,8 +94,8 @@ inline static BOOL fort_callout_ale_associate_flow(
} }
if (!log_stat) { if (!log_stat) {
fort_buffer_proc_new_write(&fort_device()->buffer, cx->process_id, cx->real_path->Length, fort_buffer_proc_new_write(
cx->real_path->Buffer, &cx->irp, &cx->info); &fort_device()->buffer, cx->process_id, &cx->real_path, &cx->irp, &cx->info);
} }
return FALSE; return FALSE;
@ -124,16 +124,16 @@ inline static void fort_callout_ale_log_app_path(PFORT_CALLOUT_ALE_EXTRA cx,
FORT_APP_ENTRY app_entry = { FORT_APP_ENTRY app_entry = {
.app_data = app_data, .app_data = app_data,
.path_len = cx->path->Length, .path_len = cx->path.len,
}; };
if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, cx->path->Buffer))) if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->path)))
return; return;
fort_callout_ale_set_app_flags(cx, app_data); fort_callout_ale_set_app_flags(cx, app_data);
fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id, fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id, &cx->real_path,
cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info); &cx->irp, &cx->info);
} }
inline static BOOL fort_callout_ale_log_blocked_ip_check_app( inline static BOOL fort_callout_ale_log_blocked_ip_check_app(
@ -174,7 +174,7 @@ inline static void fort_callout_ale_log_blocked_ip(PCFORT_CALLOUT_ARG ca,
fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited, fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited,
cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->remote_ip, cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->remote_ip,
cx->process_id, cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info); cx->process_id, &cx->real_path, &cx->irp, &cx->info);
} }
inline static BOOL fort_callout_ale_add_pending(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx) inline static BOOL fort_callout_ale_add_pending(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
@ -365,38 +365,41 @@ inline static void fort_callout_ale_classify_action(PCFORT_CALLOUT_ARG ca,
} }
} }
inline static void fort_callout_ale_check_conf( inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
{ {
const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
const UINT32 process_id = (UINT32) ca->inMetaValues->processId; const UINT32 process_id = (UINT32) ca->inMetaValues->processId;
UNICODE_STRING real_path; PFORT_APP_PATH real_path = &cx->real_path;
real_path.Length = (UINT16) (ca->inMetaValues->processPath->size real_path->len = (UINT16) (ca->inMetaValues->processPath->size
- sizeof(WCHAR)); /* chop terminating zero */ - sizeof(WCHAR)); /* chop terminating zero */
real_path.MaximumLength = real_path.Length; real_path->buffer = (PCWSTR) ca->inMetaValues->processPath->data;
real_path.Buffer = (PWSTR) ca->inMetaValues->processPath->data;
BOOL isSvcHost = FALSE; BOOL isSvcHost = FALSE;
BOOL inherited = FALSE; BOOL inherited = FALSE;
UNICODE_STRING path;
PFORT_APP_PATH path = &cx->path;
if (!fort_pstree_get_proc_name( if (!fort_pstree_get_proc_name(
&fort_device()->ps_tree, process_id, &path, &isSvcHost, &inherited)) { &fort_device()->ps_tree, process_id, path, &isSvcHost, &inherited)) {
path = real_path; *path = *real_path;
} else if (!inherited) { } else if (!inherited) {
real_path = path; *real_path = *path;
} }
cx->process_id = process_id; cx->process_id = process_id;
cx->path = &path;
cx->real_path = &real_path;
cx->inherited = (UCHAR) inherited; cx->inherited = (UCHAR) inherited;
}
inline static void fort_callout_ale_check_conf(
PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
{
fort_callout_ale_fill_path(ca, cx);
cx->blocked = TRUE; cx->blocked = TRUE;
cx->ignore = FALSE; cx->ignore = FALSE;
cx->block_reason = FORT_BLOCK_REASON_UNKNOWN; cx->block_reason = FORT_BLOCK_REASON_UNKNOWN;
const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
if (!fort_callout_ale_check_flags(ca, cx, conf_ref, conf_flags)) { if (!fort_callout_ale_check_flags(ca, cx, conf_ref, conf_flags)) {
fort_callout_ale_check_app(ca, cx, conf_ref, conf_flags); fort_callout_ale_check_app(ca, cx, conf_ref, conf_flags);
} }
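Review bot: In fort_callout_ale_fill_path, `real_path->len` is derived as `processPath->size - sizeof(WCHAR)` cast to UINT16 with no check that size is at least sizeof(WCHAR), so a zero-sized (or odd-sized) blob wraps to a large length that then flows into fort_conf_ref_exe_add_path and the fort_buffer_*_write calls as the number of bytes to read from the blob. Keeping the truncation explicit costs one expression: `const UINT32 size = ca->inMetaValues->processPath->size;` followed by `real_path->len = (UINT16) (size >= sizeof(WCHAR) ? size - sizeof(WCHAR) : 0); /* chop terminating zero */`. Whether processPath can be absent here depends on the metadata-field check done by the caller, which this hunk does not show. The struct copies `*path = *real_path;` and `*real_path = *path;` are shallow, so a comment such as `/* buffer aliases WFP metadata or a ps_tree name; valid only for this classify call */` would make the lifetime of cx->path.buffer clear to readers of the later logging code. The closing brace of fort_callout_ale_check_conf lies outside the hunk.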


@ -58,8 +58,8 @@ typedef struct fort_callout_ale_extra
const UINT32 *remote_ip; const UINT32 *remote_ip;
PCUNICODE_STRING path; FORT_APP_PATH path;
PCUNICODE_STRING real_path; FORT_APP_PATH real_path;
PIRP irp; PIRP irp;
ULONG_PTR info; ULONG_PTR info;
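Review bot: The two new FORT_APP_PATH fields hold the path by value but the buffer member is still borrowed, and nothing in the header says so. A one-line comment on each, e.g. `FORT_APP_PATH path; /* buffer is non-owning: points into ps_tree name storage or WFP metadata */`, would stop a later reader from assuming the extra struct owns its bytes. The same remark applies to `real_path`.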


@ -234,7 +234,7 @@ static NTSTATUS fort_device_control_getlog(PFORT_DEVICE_CONTROL_ARG dca)
} }
inline static NTSTATUS fort_device_control_app_conf( inline static NTSTATUS fort_device_control_app_conf(
const PFORT_APP_ENTRY app_entry, PFORT_CONF_REF conf_ref, BOOL is_adding) PCFORT_APP_ENTRY app_entry, PFORT_CONF_REF conf_ref, BOOL is_adding)
{ {
NTSTATUS status; NTSTATUS status;
@ -250,7 +250,7 @@ inline static NTSTATUS fort_device_control_app_conf(
static NTSTATUS fort_device_control_app(PFORT_DEVICE_CONTROL_ARG dca, BOOL is_adding) static NTSTATUS fort_device_control_app(PFORT_DEVICE_CONTROL_ARG dca, BOOL is_adding)
{ {
const PFORT_APP_ENTRY app_entry = dca->buffer; PCFORT_APP_ENTRY app_entry = dca->buffer;
const ULONG len = dca->in_len; const ULONG len = dca->in_len;
if (len < sizeof(FORT_APP_ENTRY) || len < FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len)) if (len < sizeof(FORT_APP_ENTRY) || len < FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len))


@ -393,19 +393,21 @@ static PFORT_PSNODE fort_pstree_find_proc(PFORT_PSTREE ps_tree, DWORD processId)
} }
inline static void fort_pstree_proc_set_name( inline static void fort_pstree_proc_set_name(
PFORT_PSTREE ps_tree, PFORT_PSNODE proc, const PVOID path_buf, UINT16 path_len) PFORT_PSTREE ps_tree, PFORT_PSNODE proc, PCFORT_APP_PATH path)
{ {
const UINT16 path_len = path->len;
PFORT_PSNAME ps_name = fort_pstree_name_new(ps_tree, path_len); PFORT_PSNAME ps_name = fort_pstree_name_new(ps_tree, path_len);
if (ps_name == NULL) if (ps_name == NULL)
return; return;
RtlCopyMemory(ps_name->data, path_buf, path_len); RtlCopyMemory(ps_name->data, path->buffer, path_len);
proc->ps_name = ps_name; proc->ps_name = ps_name;
} }
inline static void fort_pstree_check_proc_conf(PFORT_PSTREE ps_tree, PFORT_PSNODE proc, inline static void fort_pstree_check_proc_conf(
const PVOID path_buf, UINT16 path_len, FORT_APP_DATA app_data) PFORT_PSTREE ps_tree, PFORT_PSNODE proc, PCFORT_APP_PATH path, FORT_APP_DATA app_data)
{ {
if (app_data.found == 0) if (app_data.found == 0)
return; return;
@ -420,7 +422,7 @@ inline static void fort_pstree_check_proc_conf(PFORT_PSTREE ps_tree, PFORT_PSNOD
const BOOL has_ps_name = (proc->ps_name != NULL); const BOOL has_ps_name = (proc->ps_name != NULL);
if (!has_ps_name) { if (!has_ps_name) {
fort_pstree_proc_set_name(ps_tree, proc, path_buf, path_len); fort_pstree_proc_set_name(ps_tree, proc, path);
} }
proc->flags |= FORT_PSNODE_NAME_INHERIT proc->flags |= FORT_PSNODE_NAME_INHERIT
@ -472,17 +474,19 @@ static void fort_pstree_check_proc_inheritance(
return; return;
const BOOL has_ps_name = (proc->ps_name != NULL); const BOOL has_ps_name = (proc->ps_name != NULL);
const PVOID path_buf = has_ps_name ? proc->ps_name->data : psi->path->Buffer; const FORT_APP_PATH path = {
const UINT16 path_len = has_ps_name ? proc->ps_name->size : psi->path->Length; .len = has_ps_name ? proc->ps_name->size : psi->path->Length,
.buffer = has_ps_name ? proc->ps_name->data : psi->path->Buffer,
};
const PFORT_CONF conf = &conf_ref->conf; const PFORT_CONF conf = &conf_ref->conf;
const FORT_APP_DATA app_data = conf->proc_wild const FORT_APP_DATA app_data = conf->proc_wild
? fort_conf_app_find(conf, path_buf, path_len, fort_conf_exe_find, conf_ref) ? fort_conf_app_find(conf, &path, fort_conf_exe_find, conf_ref)
: fort_conf_exe_find(conf, conf_ref, path_buf, path_len); : fort_conf_exe_find(conf, conf_ref, &path);
if (!fort_pstree_check_proc_inherited(ps_tree, proc, psi->parentProcessId, app_data)) { if (!fort_pstree_check_proc_inherited(ps_tree, proc, psi->parentProcessId, app_data)) {
fort_pstree_check_proc_conf(ps_tree, proc, path_buf, path_len, app_data); fort_pstree_check_proc_conf(ps_tree, proc, &path, app_data);
} }
fort_conf_ref_put(device_conf, conf_ref); fort_conf_ref_put(device_conf, conf_ref);
@ -784,7 +788,7 @@ FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree)
} }
static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD processId, static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD processId,
PUNICODE_STRING path, BOOL *isSvcHost, BOOL *inherited) PFORT_APP_PATH path, BOOL *isSvcHost, BOOL *inherited)
{ {
PFORT_PSNODE proc = fort_pstree_find_proc(ps_tree, processId); PFORT_PSNODE proc = fort_pstree_find_proc(ps_tree, processId);
if (proc == NULL) if (proc == NULL)
@ -801,16 +805,15 @@ static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD process
== FORT_PSNODE_NAME_INHERIT) == FORT_PSNODE_NAME_INHERIT)
return FALSE; return FALSE;
path->Length = ps_name->size; path->len = ps_name->size;
path->MaximumLength = ps_name->size; path->buffer = ps_name->data;
path->Buffer = ps_name->data;
*inherited = (procFlags & FORT_PSNODE_NAME_INHERITED) != 0; *inherited = (procFlags & FORT_PSNODE_NAME_INHERITED) != 0;
return TRUE; return TRUE;
} }
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path, FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path,
BOOL *isSvcHost, BOOL *inherited) BOOL *isSvcHost, BOOL *inherited)
{ {
BOOL res; BOOL res;
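Review bot: fort_pstree_get_proc_name_locked now publishes `path->buffer = ps_name->data;` without documenting what the caller may assume about that buffer, and the `_locked` suffix suggests the pointer escapes the lock when fort_pstree_get_proc_name returns. Two properties deserve a comment on the FORT_API declaration: the lifetime of ps_name->data after the lock is released (if a node can be freed concurrently, the copy held by the caller dangles), and termination, since fort_pstree_proc_set_name earlier in this file fills the name with `RtlCopyMemory(ps_name->data, path->buffer, path_len)` by length only, so any consumer that treats buffer as a NUL-terminated string relies on fort_pstree_name_new providing the terminator. A docstring of the form `/* path->buffer aliases ps_tree-owned storage of exactly path->len bytes; see fort_pstree_name_new for termination and lifetime guarantees */` would pin this down; the function's body continues outside the hunk.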


@ -34,7 +34,7 @@ FORT_API void fort_pstree_close(PFORT_PSTREE ps_tree);
FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree); FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree);
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path, FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path,
BOOL *isSvcHost, BOOL *inherited); BOOL *isSvcHost, BOOL *inherited);
FORT_API void fort_pstree_update_services( FORT_API void fort_pstree_update_services(


@ -214,11 +214,14 @@ FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath)
{ {
const PFORT_CONF conf = (const PFORT_CONF) drvConf; const PFORT_CONF conf = (const PFORT_CONF) drvConf;
const QString kernelPathLower = kernelPath.startsWith('\\') ? kernelPath.toLower() : kernelPath; const QString kernelPathLower = kernelPath.startsWith('\\') ? kernelPath.toLower() : kernelPath;
const quint32 len = quint32(kernelPathLower.size()) * sizeof(WCHAR);
const WCHAR *p = (PCWCHAR) kernelPathLower.utf16();
const FORT_APP_DATA app_data = fort_conf_app_find( const FORT_APP_PATH path = {
conf, (const PVOID) p, len, fort_conf_app_exe_find, /*exe_context=*/nullptr); .len = quint16(kernelPathLower.size() * sizeof(WCHAR)),
.buffer = kernelPathLower.utf16(),
};
const FORT_APP_DATA app_data =
fort_conf_app_find(conf, &path, fort_conf_app_exe_find, /*exe_context=*/nullptr);
return app_data; return app_data;
} }
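Review bot: `.len = quint16(kernelPathLower.size() * sizeof(WCHAR))` silently truncates where the removed code kept the byte length as quint32, so a kernel path longer than 32767 UTF-16 units is now looked up with a wrapped length instead of failing loudly. An explicit bound before building the struct keeps the behaviour visible, e.g. `if (kernelPathLower.size() * sizeof(WCHAR) > 0xFFFF) return {};` — a zero-initialised FORT_APP_DATA reads as "not found" judging by the `app_data.found == 0` test in fort_pstree_check_proc_conf, though that convention is inferred rather than shown here. A short comment on `.buffer = kernelPathLower.utf16(),` noting that the pointer is only valid while kernelPathLower is alive would also help, since FORT_APP_PATH does not own its buffer.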