Driver: Refactor app path handling

This commit is contained in:
Nodir Temirkhodjaev 2024-10-21 14:55:00 +05:00
parent a97c47f8bd
commit 4274370f05
15 changed files with 179 additions and 150 deletions


@ -20,6 +20,14 @@ typedef union ip_addr_t {
ip6_addr_t v6;
} ip_addr_t;
typedef struct fort_app_path
{
unsigned short len;
const void *buffer;
} FORT_APP_PATH, *PFORT_APP_PATH;
typedef const FORT_APP_PATH *PCFORT_APP_PATH;
#define UNUSED(p) ((void) (p))
#endif // COMMON_TYPES_H
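Review bot: The new `fort_app_path` struct leaves the unit of `len` and the termination contract of `buffer` undocumented, although both matter at every use site in this commit: the callers copy `len` bytes with RtlCopyMemory and index `path[path_len / sizeof(WCHAR)]`, so `len` is a byte count, while `fort_conf_app_wild_equal` hands `buffer` to wildmatch with no length at all. Suggest `unsigned short len; /* byte length of buffer, not a WCHAR count */` and `const void *buffer; /* WCHAR data; pattern-matching callers expect a terminating L'\0' past len */`. If this header has the Windows integer types in scope, `UINT16` would also read more consistently with the `UINT16 path_len` locals that copy it.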


@ -168,28 +168,25 @@ FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
return ip_included && !ip_excluded;
}
FORT_API BOOL fort_conf_app_exe_equal(
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
FORT_API BOOL fort_conf_app_exe_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
{
const UINT16 path_len = path->len;
if (path_len != app_entry->path_len)
return FALSE;
return fort_memcmp(path, app_entry->path, path_len) == 0;
return fort_memcmp(path->buffer, app_entry->path, path_len) == 0;
}
static BOOL fort_conf_app_wild_equal(
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
static BOOL fort_conf_app_wild_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
{
UNUSED(path_len);
return wildmatch(app_entry->path, (const WCHAR *) path) == WM_MATCH;
return wildmatch(app_entry->path, path->buffer) == WM_MATCH;
}
typedef BOOL fort_conf_app_equal_func(
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len);
typedef BOOL fort_conf_app_equal_func(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID path,
UINT32 path_len, UINT32 apps_off, UINT16 apps_n, fort_conf_app_equal_func *app_equal_func)
static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, PCFORT_APP_PATH path,
UINT32 apps_off, UINT16 apps_n, fort_conf_app_equal_func *app_equal_func)
{
const FORT_APP_DATA app_data = { 0 };
@ -199,9 +196,9 @@ static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID
const char *app_entries = (const char *) (conf->data + apps_off);
do {
const PFORT_APP_ENTRY app_entry = (const PFORT_APP_ENTRY) app_entries;
PCFORT_APP_ENTRY app_entry = (PCFORT_APP_ENTRY) app_entries;
if (app_equal_func(app_entry, path, path_len))
if (app_equal_func(app_entry, path))
return app_entry->app_data;
app_entries += FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len);
@ -211,32 +208,32 @@ static FORT_APP_DATA fort_conf_app_find_loop(const PFORT_CONF conf, const PVOID
}
FORT_API FORT_APP_DATA fort_conf_app_exe_find(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len)
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path)
{
UNUSED(context);
return fort_conf_app_find_loop(
conf, path, path_len, conf->exe_apps_off, conf->exe_apps_n, fort_conf_app_exe_equal);
conf, path, conf->exe_apps_off, conf->exe_apps_n, fort_conf_app_exe_equal);
}
static FORT_APP_DATA fort_conf_app_wild_find(
const PFORT_CONF conf, const PVOID path, UINT32 path_len)
static FORT_APP_DATA fort_conf_app_wild_find(const PFORT_CONF conf, PCFORT_APP_PATH path)
{
return fort_conf_app_find_loop(
conf, path, path_len, conf->wild_apps_off, conf->wild_apps_n, fort_conf_app_wild_equal);
conf, path, conf->wild_apps_off, conf->wild_apps_n, fort_conf_app_wild_equal);
}
static int fort_conf_app_prefix_cmp(PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len)
static int fort_conf_app_prefix_cmp(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
{
UINT16 path_len = path->len;
if (path_len > app_entry->path_len) {
path_len = app_entry->path_len;
}
return fort_memcmp(path, app_entry->path, path_len);
return fort_memcmp(path->buffer, app_entry->path, path_len);
}
static FORT_APP_DATA fort_conf_app_prefix_find(
const PFORT_CONF conf, const PVOID path, UINT32 path_len)
static FORT_APP_DATA fort_conf_app_prefix_find(const PFORT_CONF conf, PCFORT_APP_PATH path)
{
const FORT_APP_DATA app_data = { 0 };
@ -254,9 +251,9 @@ static FORT_APP_DATA fort_conf_app_prefix_find(
do {
const int mid = (low + high) / 2;
const UINT32 app_off = app_offsets[mid];
const PFORT_APP_ENTRY app_entry = (PFORT_APP_ENTRY) (app_entries + app_off);
PCFORT_APP_ENTRY app_entry = (PCFORT_APP_ENTRY) (app_entries + app_off);
const int res = fort_conf_app_prefix_cmp(app_entry, path, path_len);
const int res = fort_conf_app_prefix_cmp(app_entry, path);
if (res < 0) {
high = mid - 1;
@ -270,20 +267,20 @@ static FORT_APP_DATA fort_conf_app_prefix_find(
return app_data;
}
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, const PVOID path, UINT32 path_len,
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, PCFORT_APP_PATH path,
fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context)
{
FORT_APP_DATA app_data;
app_data = exe_find_func(conf, exe_context, path, path_len);
app_data = exe_find_func(conf, exe_context, path);
if (app_data.found != 0)
return app_data;
app_data = fort_conf_app_wild_find(conf, path, path_len);
app_data = fort_conf_app_wild_find(conf, path);
if (app_data.found != 0)
return app_data;
app_data = fort_conf_app_prefix_find(conf, path, path_len);
app_data = fort_conf_app_prefix_find(conf, path);
return app_data;
}
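Review bot: `fort_conf_app_wild_equal` passes `path->buffer` to wildmatch and never looks at `path->len`, so a FORT_APP_PATH whose buffer is not NUL-terminated within the caller's allocation is read past `len`; the struct carries an explicit length precisely so that callers need not guarantee termination, and nothing in this hunk enforces it (wildmatch's signature is outside the hunk). The previous code had the same reliance, but the refactor is the point to make it visible: suggest `/* wildmatch reads buffer up to its L'\0', not up to len: every FORT_APP_PATH reaching here must be terminated */` above the call, or a length-bounded match if wildmatch offers one.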


@ -244,6 +244,8 @@ typedef struct fort_app_entry
WCHAR path[2];
} FORT_APP_ENTRY, *PFORT_APP_ENTRY;
typedef const FORT_APP_ENTRY *PCFORT_APP_ENTRY;
#define FORT_CONF_APP_ENTRY_PATH_OFF offsetof(FORT_APP_ENTRY, path)
#define FORT_CONF_APP_ENTRY_SIZE(path_len) \
(FORT_CONF_APP_ENTRY_PATH_OFF + (path_len) + sizeof(WCHAR)) /* include terminating zero */
@ -317,7 +319,7 @@ typedef struct fort_conf_io
(FORT_CONF_ADDR4_LIST_SIZE(ip4_n, pair4_n) + FORT_CONF_ADDR6_LIST_SIZE(ip6_n, pair6_n))
typedef FORT_APP_DATA fort_conf_app_exe_find_func(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len);
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
typedef BOOL fort_conf_zones_ip_included_func(
void *ctx, UINT32 zones_mask, const UINT32 *remote_ip, BOOL isIPv6);
@ -348,13 +350,12 @@ FORT_API BOOL fort_conf_ip_included(const PFORT_CONF conf,
#define fort_conf_ip_inet_included(conf, zone_func, ctx, remote_ip, isIPv6) \
fort_conf_ip_included((conf), (zone_func), (ctx), (remote_ip), isIPv6, /*addr_group_index=*/1)
FORT_API BOOL fort_conf_app_exe_equal(
const PFORT_APP_ENTRY app_entry, const PVOID path, UINT32 path_len);
FORT_API BOOL fort_conf_app_exe_equal(PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
FORT_API FORT_APP_DATA fort_conf_app_exe_find(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len);
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, const PVOID path, UINT32 path_len,
FORT_API FORT_APP_DATA fort_conf_app_find(const PFORT_CONF conf, PCFORT_APP_PATH path,
fort_conf_app_exe_find_func *exe_find_func, PVOID exe_context);
FORT_API BOOL fort_conf_app_group_blocked(const FORT_CONF_FLAGS conf_flags, FORT_APP_DATA app_data);


@ -12,13 +12,14 @@ FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, U
*up = pid;
}
FORT_API void fort_log_blocked_write(
char *p, BOOL blocked, UINT32 pid, UINT32 path_len, const char *path)
FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_APP_PATH path)
{
const UINT16 path_len = path->len;
fort_log_blocked_header_write(p, blocked, pid, path_len);
if (path_len != 0) {
RtlCopyMemory(p + FORT_LOG_BLOCKED_HEADER_SIZE, path, path_len);
RtlCopyMemory(p + FORT_LOG_BLOCKED_HEADER_SIZE, path->buffer, path_len);
}
}
@ -54,14 +55,15 @@ void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inbound, BOOL i
void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
const char *path)
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path)
{
const UINT16 path_len = path->len;
fort_log_blocked_ip_header_write(p, isIPv6, inbound, inherited, block_reason, ip_proto,
local_port, remote_port, local_ip, remote_ip, pid, path_len);
if (path_len != 0) {
RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path, path_len);
RtlCopyMemory(p + FORT_LOG_BLOCKED_IP_HEADER_SIZE(isIPv6), path->buffer, path_len);
}
}
@ -98,12 +100,14 @@ FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_le
*up = pid;
}
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, UINT32 path_len, const char *path)
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, PCFORT_APP_PATH path)
{
const UINT16 path_len = path->len;
fort_log_proc_new_header_write(p, pid, path_len);
if (path_len != 0) {
RtlCopyMemory(p + FORT_LOG_PROC_NEW_HEADER_SIZE, path, path_len);
RtlCopyMemory(p + FORT_LOG_PROC_NEW_HEADER_SIZE, path->buffer, path_len);
}
}


@ -63,8 +63,7 @@ extern "C" {
FORT_API void fort_log_blocked_header_write(char *p, BOOL blocked, UINT32 pid, UINT32 path_len);
FORT_API void fort_log_blocked_write(
char *p, BOOL blocked, UINT32 pid, UINT32 path_len, const char *path);
FORT_API void fort_log_blocked_write(char *p, BOOL blocked, UINT32 pid, PCFORT_APP_PATH path);
FORT_API void fort_log_blocked_header_read(
const char *p, BOOL *blocked, UINT32 *pid, UINT32 *path_len);
@ -75,8 +74,7 @@ FORT_API void fort_log_blocked_ip_header_write(char *p, BOOL isIPv6, BOOL inboun
FORT_API void fort_log_blocked_ip_write(char *p, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
const char *path);
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path);
FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL *inbound,
BOOL *inherited, UCHAR *block_reason, UCHAR *ip_proto, UINT16 *local_port,
@ -84,7 +82,7 @@ FORT_API void fort_log_blocked_ip_header_read(const char *p, BOOL *isIPv6, BOOL
FORT_API void fort_log_proc_new_header_write(char *p, UINT32 pid, UINT32 path_len);
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, UINT32 path_len, const char *path);
FORT_API void fort_log_proc_new_write(char *p, UINT32 pid, PCFORT_APP_PATH path);
FORT_API void fort_log_proc_new_header_read(const char *p, UINT32 *pid, UINT32 *path_len);


@ -9,6 +9,17 @@
#define FORT_BUFFER_POOL_TAG 'BwfF'
static FORT_APP_PATH fort_buffer_adjust_log_path(PCFORT_APP_PATH path)
{
FORT_APP_PATH log_path = *path;
if (log_path.len > FORT_LOG_PATH_MAX) {
log_path.len = 0; /* drop too long path */
}
return log_path;
}
static PFORT_BUFFER_DATA fort_buffer_data_new(PFORT_BUFFER buf)
{
PFORT_BUFFER_DATA data = buf->data_free;
@ -155,15 +166,13 @@ FORT_API NTSTATUS fort_buffer_prepare(
}
FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info)
PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info)
{
NTSTATUS status;
if (path_len > FORT_LOG_PATH_MAX) {
path_len = 0; /* drop too long path */
}
const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
const UINT32 len = FORT_LOG_BLOCKED_SIZE(path_len);
const UINT32 len = FORT_LOG_BLOCKED_SIZE(log_path.len);
KLOCK_QUEUE_HANDLE lock_queue;
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@ -172,7 +181,7 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
status = fort_buffer_prepare(buf, len, &out, irp, info);
if (NT_SUCCESS(status)) {
fort_log_blocked_write(out, blocked, pid, path_len, path);
fort_log_blocked_write(out, blocked, pid, &log_path);
}
}
KeReleaseInStackQueuedSpinLock(&lock_queue);
@ -182,18 +191,16 @@ FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT
NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound, BOOL inherited,
UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
const PVOID path, PIRP *irp, ULONG_PTR *info)
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
PIRP *irp, ULONG_PTR *info)
{
FORT_CHECK_STACK(FORT_BUFFER_BLOCKED_IP_WRITE);
NTSTATUS status;
if (path_len > FORT_LOG_PATH_MAX) {
path_len = 0; /* drop too long path */
}
const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(path_len, isIPv6);
const UINT32 len = FORT_LOG_BLOCKED_IP_SIZE(log_path.len, isIPv6);
KLOCK_QUEUE_HANDLE lock_queue;
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@ -203,7 +210,7 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
if (NT_SUCCESS(status)) {
fort_log_blocked_ip_write(out, isIPv6, inbound, inherited, block_reason, ip_proto,
local_port, remote_port, local_ip, remote_ip, pid, path_len, path);
local_port, remote_port, local_ip, remote_ip, pid, &log_path);
}
}
KeReleaseInStackQueuedSpinLock(&lock_queue);
@ -212,15 +219,13 @@ NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inboun
}
FORT_API NTSTATUS fort_buffer_proc_new_write(
PFORT_BUFFER buf, UINT32 pid, UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info)
PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info)
{
NTSTATUS status;
if (path_len > FORT_LOG_PATH_MAX) {
path_len = 0; /* drop too long path */
}
const FORT_APP_PATH log_path = fort_buffer_adjust_log_path(path);
const UINT32 len = FORT_LOG_PROC_NEW_SIZE(path_len);
const UINT32 len = FORT_LOG_PROC_NEW_SIZE(log_path.len);
KLOCK_QUEUE_HANDLE lock_queue;
KeAcquireInStackQueuedSpinLock(&buf->lock, &lock_queue);
@ -229,7 +234,7 @@ FORT_API NTSTATUS fort_buffer_proc_new_write(
status = fort_buffer_prepare(buf, len, &out, irp, info);
if (NT_SUCCESS(status)) {
fort_log_proc_new_write(out, pid, path_len, path);
fort_log_proc_new_write(out, pid, &log_path);
}
}
KeReleaseInStackQueuedSpinLock(&lock_queue);
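Review bot: `fort_buffer_adjust_log_path` has no comment explaining that dropping an oversized path means zeroing `len` while `buffer` keeps pointing at the original data, a combination that is only safe because every `fort_log_*_write` tests `path_len != 0` before copying. Suggest a header comment: `/* Return a copy of *path with len forced to 0 when it exceeds FORT_LOG_PATH_MAX; buffer is left as-is and must be ignored by writers when len == 0. */`. Setting `log_path.buffer = NULL` in the same branch would make the contract self-enforcing instead of depending on each writer's check.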


@ -41,15 +41,15 @@ FORT_API NTSTATUS fort_buffer_prepare(
PFORT_BUFFER buf, UINT32 len, PCHAR *out, PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_blocked_write(PFORT_BUFFER buf, BOOL blocked, UINT32 pid,
UINT32 path_len, const PVOID path, PIRP *irp, ULONG_PTR *info);
PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_blocked_ip_write(PFORT_BUFFER buf, BOOL isIPv6, BOOL inbound,
BOOL inherited, UCHAR block_reason, UCHAR ip_proto, UINT16 local_port, UINT16 remote_port,
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, UINT32 path_len,
const PVOID path, PIRP *irp, ULONG_PTR *info);
const UINT32 *local_ip, const UINT32 *remote_ip, UINT32 pid, PCFORT_APP_PATH path,
PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_proc_new_write(PFORT_BUFFER buf, UINT32 pid, UINT32 path_len,
const PVOID path, PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_proc_new_write(
PFORT_BUFFER buf, UINT32 pid, PCFORT_APP_PATH path, PIRP *irp, ULONG_PTR *info);
FORT_API NTSTATUS fort_buffer_xmove(
PFORT_BUFFER buf, PIRP irp, PVOID out, ULONG out_len, ULONG_PTR *info);


@ -43,13 +43,13 @@ FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag)
}
static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node(
PFORT_CONF_REF conf_ref, const PVOID path, UINT32 path_len, tommy_key_t path_hash)
PFORT_CONF_REF conf_ref, PCFORT_APP_PATH path, tommy_key_t path_hash)
{
PFORT_CONF_EXE_NODE node =
(PFORT_CONF_EXE_NODE) tommy_hashdyn_bucket(&conf_ref->exe_map, path_hash);
while (node != NULL) {
if (fort_conf_app_exe_equal(node->app_entry, path, path_len))
if (fort_conf_app_exe_equal(node->app_entry, path))
return node;
node = node->next;
@ -59,19 +59,18 @@ static PFORT_CONF_EXE_NODE fort_conf_ref_exe_find_node(
}
FORT_API FORT_APP_DATA fort_conf_exe_find(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len)
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path)
{
UNUSED(conf);
PFORT_CONF_REF conf_ref = context;
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, path_len);
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
FORT_APP_DATA app_data = { 0 };
KIRQL oldIrql = ExAcquireSpinLockShared(&conf_ref->conf_lock);
{
const PFORT_CONF_EXE_NODE node =
fort_conf_ref_exe_find_node(conf_ref, path, path_len, path_hash);
const PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
if (node != NULL) {
app_data = node->app_entry->app_data;
@ -107,10 +106,10 @@ static void fort_conf_ref_exe_new_path(
++conf->exe_apps_n;
}
static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
const PFORT_APP_ENTRY app_entry, const PVOID path, tommy_key_t path_hash)
static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry,
PCFORT_APP_PATH path, tommy_key_t path_hash)
{
const UINT32 path_len = app_entry->path_len;
const UINT16 path_len = path->len;
const UINT16 entry_size = (UINT16) FORT_CONF_APP_ENTRY_SIZE(path_len);
PFORT_APP_ENTRY entry = fort_pool_malloc(&conf_ref->pool_list, entry_size);
@ -118,11 +117,12 @@ static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
if (entry == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
*entry = *app_entry;
entry->app_data = app_entry->app_data;
entry->path_len = path_len;
/* Copy the path */
{
RtlCopyMemory(entry->path, path, path_len);
RtlCopyMemory(entry->path, path->buffer, path_len);
entry->path[path_len / sizeof(WCHAR)] = L'\0';
}
@ -133,10 +133,9 @@ static NTSTATUS fort_conf_ref_exe_new_entry(PFORT_CONF_REF conf_ref,
}
static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
const PFORT_APP_ENTRY app_entry, const PVOID path, tommy_key_t path_hash)
PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path, tommy_key_t path_hash)
{
const PFORT_CONF_EXE_NODE node =
fort_conf_ref_exe_find_node(conf_ref, path, app_entry->path_len, path_hash);
const PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
if (node == NULL) {
return fort_conf_ref_exe_new_entry(conf_ref, app_entry, path, path_hash);
@ -145,7 +144,7 @@ static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
if (app_entry->app_data.is_new)
return FORT_STATUS_USER_ERROR;
/* Replace the data */
/* Replace the app data */
{
PFORT_APP_ENTRY entry = node->app_entry;
entry->app_data = app_entry->app_data;
@ -155,9 +154,9 @@ static NTSTATUS fort_conf_ref_exe_add_path_locked(PFORT_CONF_REF conf_ref,
}
FORT_API NTSTATUS fort_conf_ref_exe_add_path(
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, const PVOID path)
PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path)
{
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, app_entry->path_len);
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
NTSTATUS status;
KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
@ -168,16 +167,19 @@ FORT_API NTSTATUS fort_conf_ref_exe_add_path(
}
FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, BOOL locked)
PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, BOOL locked)
{
const PVOID path = app_entry->path;
const FORT_APP_PATH path = {
.len = app_entry->path_len,
.buffer = app_entry->path,
};
if (locked) {
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, app_entry->path_len);
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path.buffer, path.len);
return fort_conf_ref_exe_add_path_locked(conf_ref, app_entry, path, path_hash);
return fort_conf_ref_exe_add_path_locked(conf_ref, app_entry, &path, path_hash);
} else {
return fort_conf_ref_exe_add_path(conf_ref, app_entry, path);
return fort_conf_ref_exe_add_path(conf_ref, app_entry, &path);
}
}
@ -188,7 +190,7 @@ static void fort_conf_ref_exe_fill(PFORT_CONF_REF conf_ref, const PFORT_CONF con
const int count = conf->exe_apps_n;
for (int i = 0; i < count; ++i) {
const PFORT_APP_ENTRY entry = (const PFORT_APP_ENTRY) app_entries;
PCFORT_APP_ENTRY entry = (PCFORT_APP_ENTRY) app_entries;
fort_conf_ref_exe_add_entry(conf_ref, entry, TRUE);
@ -196,13 +198,13 @@ static void fort_conf_ref_exe_fill(PFORT_CONF_REF conf_ref, const PFORT_CONF con
}
}
static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, const PVOID path, UINT32 path_len)
static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, PCFORT_APP_PATH path)
{
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path, path_len);
const tommy_key_t path_hash = (tommy_key_t) tommy_hash_u64(0, path->buffer, path->len);
KIRQL oldIrql = ExAcquireSpinLockExclusive(&conf_ref->conf_lock);
{
PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_len, path_hash);
PFORT_CONF_EXE_NODE node = fort_conf_ref_exe_find_node(conf_ref, path, path_hash);
if (node != NULL) {
/* Delete from conf */
@ -226,9 +228,14 @@ static void fort_conf_ref_exe_del_path(PFORT_CONF_REF conf_ref, const PVOID path
ExReleaseSpinLockExclusive(&conf_ref->conf_lock, oldIrql);
}
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry)
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry)
{
fort_conf_ref_exe_del_path(conf_ref, entry->path, entry->path_len);
const FORT_APP_PATH path = {
.len = entry->path_len,
.buffer = entry->path,
};
fort_conf_ref_exe_del_path(conf_ref, &path);
}
static void fort_conf_ref_init(PFORT_CONF_REF conf_ref)
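Review bot: In `fort_conf_ref_exe_new_entry` the whole-struct copy `*entry = *app_entry;` is replaced by assigning only `app_data` and `path_len`, so any other member of FORT_APP_ENTRY now holds whatever `fort_pool_malloc` returned; the struct's leading members and the pool allocator are outside this hunk, so I cannot tell whether such members exist or whether the pool zeroes memory. If the struct really has only those fields plus `path`, a one-line comment saying so (`/* FORT_APP_ENTRY has no members beyond app_data, path_len and path */`) protects the next maintainer; otherwise keep the struct copy and override `path_len` afterwards. The entry is also sized from `path->len` rather than the `app_entry->path_len` that `fort_device_control_app` validates, which is consistent only because `fort_conf_ref_exe_add_entry` and `fort_callout_ale_log_app_path` build the path from that same field — worth a comment at the allocation.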


@ -53,15 +53,15 @@ FORT_API UCHAR fort_device_flag_set(PFORT_DEVICE_CONF device_conf, UCHAR flag, B
FORT_API UCHAR fort_device_flag(PFORT_DEVICE_CONF device_conf, UCHAR flag);
FORT_API FORT_APP_DATA fort_conf_exe_find(
const PFORT_CONF conf, PVOID context, const PVOID path, UINT32 path_len);
const PFORT_CONF conf, PVOID context, PCFORT_APP_PATH path);
FORT_API NTSTATUS fort_conf_ref_exe_add_path(
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY app_entry, const PVOID path);
PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY app_entry, PCFORT_APP_PATH path);
FORT_API NTSTATUS fort_conf_ref_exe_add_entry(
PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry, BOOL locked);
PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry, BOOL locked);
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, const PFORT_APP_ENTRY entry);
FORT_API void fort_conf_ref_exe_del_entry(PFORT_CONF_REF conf_ref, PCFORT_APP_ENTRY entry);
FORT_API PFORT_CONF_REF fort_conf_ref_new(const PFORT_CONF conf, ULONG len);


@ -59,8 +59,8 @@ static FORT_APP_DATA fort_callout_ale_conf_app_data(
if (cx->app_data_found)
return cx->app_data;
const FORT_APP_DATA app_data = fort_conf_app_find(
&conf_ref->conf, cx->path->Buffer, cx->path->Length, fort_conf_exe_find, conf_ref);
const FORT_APP_DATA app_data =
fort_conf_app_find(&conf_ref->conf, &cx->path, fort_conf_exe_find, conf_ref);
fort_callout_ale_set_app_flags(cx, app_data);
@ -94,8 +94,8 @@ inline static BOOL fort_callout_ale_associate_flow(
}
if (!log_stat) {
fort_buffer_proc_new_write(&fort_device()->buffer, cx->process_id, cx->real_path->Length,
cx->real_path->Buffer, &cx->irp, &cx->info);
fort_buffer_proc_new_write(
&fort_device()->buffer, cx->process_id, &cx->real_path, &cx->irp, &cx->info);
}
return FALSE;
@ -124,16 +124,16 @@ inline static void fort_callout_ale_log_app_path(PFORT_CALLOUT_ALE_EXTRA cx,
FORT_APP_ENTRY app_entry = {
.app_data = app_data,
.path_len = cx->path->Length,
.path_len = cx->path.len,
};
if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, cx->path->Buffer)))
if (!NT_SUCCESS(fort_conf_ref_exe_add_path(conf_ref, &app_entry, &cx->path)))
return;
fort_callout_ale_set_app_flags(cx, app_data);
fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id,
cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info);
fort_buffer_blocked_write(&fort_device()->buffer, cx->blocked, cx->process_id, &cx->real_path,
&cx->irp, &cx->info);
}
inline static BOOL fort_callout_ale_log_blocked_ip_check_app(
@ -174,7 +174,7 @@ inline static void fort_callout_ale_log_blocked_ip(PCFORT_CALLOUT_ARG ca,
fort_buffer_blocked_ip_write(&fort_device()->buffer, ca->isIPv6, ca->inbound, cx->inherited,
cx->block_reason, ip_proto, local_port, remote_port, local_ip, cx->remote_ip,
cx->process_id, cx->real_path->Length, cx->real_path->Buffer, &cx->irp, &cx->info);
cx->process_id, &cx->real_path, &cx->irp, &cx->info);
}
inline static BOOL fort_callout_ale_add_pending(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
@ -365,38 +365,41 @@ inline static void fort_callout_ale_classify_action(PCFORT_CALLOUT_ARG ca,
}
}
inline static void fort_callout_ale_check_conf(
PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
inline static void fort_callout_ale_fill_path(PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx)
{
const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
const UINT32 process_id = (UINT32) ca->inMetaValues->processId;
UNICODE_STRING real_path;
real_path.Length = (UINT16) (ca->inMetaValues->processPath->size
PFORT_APP_PATH real_path = &cx->real_path;
real_path->len = (UINT16) (ca->inMetaValues->processPath->size
- sizeof(WCHAR)); /* chop terminating zero */
real_path.MaximumLength = real_path.Length;
real_path.Buffer = (PWSTR) ca->inMetaValues->processPath->data;
real_path->buffer = (PCWSTR) ca->inMetaValues->processPath->data;
BOOL isSvcHost = FALSE;
BOOL inherited = FALSE;
UNICODE_STRING path;
PFORT_APP_PATH path = &cx->path;
if (!fort_pstree_get_proc_name(
&fort_device()->ps_tree, process_id, &path, &isSvcHost, &inherited)) {
path = real_path;
&fort_device()->ps_tree, process_id, path, &isSvcHost, &inherited)) {
*path = *real_path;
} else if (!inherited) {
real_path = path;
*real_path = *path;
}
cx->process_id = process_id;
cx->path = &path;
cx->real_path = &real_path;
cx->inherited = (UCHAR) inherited;
}
inline static void fort_callout_ale_check_conf(
PCFORT_CALLOUT_ARG ca, PFORT_CALLOUT_ALE_EXTRA cx, PFORT_CONF_REF conf_ref)
{
fort_callout_ale_fill_path(ca, cx);
cx->blocked = TRUE;
cx->ignore = FALSE;
cx->block_reason = FORT_BLOCK_REASON_UNKNOWN;
const FORT_CONF_FLAGS conf_flags = conf_ref->conf.flags;
if (!fort_callout_ale_check_flags(ca, cx, conf_ref, conf_flags)) {
fort_callout_ale_check_app(ca, cx, conf_ref, conf_flags);
}
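Review bot: In `fort_callout_ale_fill_path`, `real_path->len = (UINT16) (ca->inMetaValues->processPath->size - sizeof(WCHAR))` narrows an unchecked size: a `size` of 0 wraps the subtraction and a size above 0xFFFF is silently truncated, and in both cases the log writers' RtlCopyMemory and the hash/compare paths use the wrong byte count for `buffer`. The expression existed before the refactor, but now that FORT_APP_PATH fixes `len` at 16 bits the bound belongs here, e.g. `const UINT32 size = ca->inMetaValues->processPath->size;` followed by `real_path->len = (size >= sizeof(WCHAR) && size - sizeof(WCHAR) <= 0xFFFF) ? (UINT16) (size - sizeof(WCHAR)) : 0;`. Whether `processPath` (presumably an FWP_BYTE_BLOB with a UINT32 `size`) can legitimately arrive with `size` 0 is not visible here; if it cannot, a debug assertion may be preferable to a silent zero length.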


@ -58,8 +58,8 @@ typedef struct fort_callout_ale_extra
const UINT32 *remote_ip;
PCUNICODE_STRING path;
PCUNICODE_STRING real_path;
FORT_APP_PATH path;
FORT_APP_PATH real_path;
PIRP irp;
ULONG_PTR info;


@ -234,7 +234,7 @@ static NTSTATUS fort_device_control_getlog(PFORT_DEVICE_CONTROL_ARG dca)
}
inline static NTSTATUS fort_device_control_app_conf(
const PFORT_APP_ENTRY app_entry, PFORT_CONF_REF conf_ref, BOOL is_adding)
PCFORT_APP_ENTRY app_entry, PFORT_CONF_REF conf_ref, BOOL is_adding)
{
NTSTATUS status;
@ -250,7 +250,7 @@ inline static NTSTATUS fort_device_control_app_conf(
static NTSTATUS fort_device_control_app(PFORT_DEVICE_CONTROL_ARG dca, BOOL is_adding)
{
const PFORT_APP_ENTRY app_entry = dca->buffer;
PCFORT_APP_ENTRY app_entry = dca->buffer;
const ULONG len = dca->in_len;
if (len < sizeof(FORT_APP_ENTRY) || len < FORT_CONF_APP_ENTRY_SIZE(app_entry->path_len))


@ -393,19 +393,21 @@ static PFORT_PSNODE fort_pstree_find_proc(PFORT_PSTREE ps_tree, DWORD processId)
}
inline static void fort_pstree_proc_set_name(
PFORT_PSTREE ps_tree, PFORT_PSNODE proc, const PVOID path_buf, UINT16 path_len)
PFORT_PSTREE ps_tree, PFORT_PSNODE proc, PCFORT_APP_PATH path)
{
const UINT16 path_len = path->len;
PFORT_PSNAME ps_name = fort_pstree_name_new(ps_tree, path_len);
if (ps_name == NULL)
return;
RtlCopyMemory(ps_name->data, path_buf, path_len);
RtlCopyMemory(ps_name->data, path->buffer, path_len);
proc->ps_name = ps_name;
}
inline static void fort_pstree_check_proc_conf(PFORT_PSTREE ps_tree, PFORT_PSNODE proc,
const PVOID path_buf, UINT16 path_len, FORT_APP_DATA app_data)
inline static void fort_pstree_check_proc_conf(
PFORT_PSTREE ps_tree, PFORT_PSNODE proc, PCFORT_APP_PATH path, FORT_APP_DATA app_data)
{
if (app_data.found == 0)
return;
@ -420,7 +422,7 @@ inline static void fort_pstree_check_proc_conf(PFORT_PSTREE ps_tree, PFORT_PSNOD
const BOOL has_ps_name = (proc->ps_name != NULL);
if (!has_ps_name) {
fort_pstree_proc_set_name(ps_tree, proc, path_buf, path_len);
fort_pstree_proc_set_name(ps_tree, proc, path);
}
proc->flags |= FORT_PSNODE_NAME_INHERIT
@ -472,17 +474,19 @@ static void fort_pstree_check_proc_inheritance(
return;
const BOOL has_ps_name = (proc->ps_name != NULL);
const PVOID path_buf = has_ps_name ? proc->ps_name->data : psi->path->Buffer;
const UINT16 path_len = has_ps_name ? proc->ps_name->size : psi->path->Length;
const FORT_APP_PATH path = {
.len = has_ps_name ? proc->ps_name->size : psi->path->Length,
.buffer = has_ps_name ? proc->ps_name->data : psi->path->Buffer,
};
const PFORT_CONF conf = &conf_ref->conf;
const FORT_APP_DATA app_data = conf->proc_wild
? fort_conf_app_find(conf, path_buf, path_len, fort_conf_exe_find, conf_ref)
: fort_conf_exe_find(conf, conf_ref, path_buf, path_len);
? fort_conf_app_find(conf, &path, fort_conf_exe_find, conf_ref)
: fort_conf_exe_find(conf, conf_ref, &path);
if (!fort_pstree_check_proc_inherited(ps_tree, proc, psi->parentProcessId, app_data)) {
fort_pstree_check_proc_conf(ps_tree, proc, path_buf, path_len, app_data);
fort_pstree_check_proc_conf(ps_tree, proc, &path, app_data);
}
fort_conf_ref_put(device_conf, conf_ref);
@ -784,7 +788,7 @@ FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree)
}
static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD processId,
PUNICODE_STRING path, BOOL *isSvcHost, BOOL *inherited)
PFORT_APP_PATH path, BOOL *isSvcHost, BOOL *inherited)
{
PFORT_PSNODE proc = fort_pstree_find_proc(ps_tree, processId);
if (proc == NULL)
@ -801,16 +805,15 @@ static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD process
== FORT_PSNODE_NAME_INHERIT)
return FALSE;
path->Length = ps_name->size;
path->MaximumLength = ps_name->size;
path->Buffer = ps_name->data;
path->len = ps_name->size;
path->buffer = ps_name->data;
*inherited = (procFlags & FORT_PSNODE_NAME_INHERITED) != 0;
return TRUE;
}
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path,
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path,
BOOL *isSvcHost, BOOL *inherited)
{
BOOL res;
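Review bot: `fort_pstree_get_proc_name_locked` now fills `path->buffer` with `ps_name->data`, a pointer into storage owned by the ps_tree, and the caller in `fort_callout_ale_fill_path` keeps that FORT_APP_PATH in `cx->path` for use after `fort_pstree_get_proc_name` has returned — presumably after its lock is released, though the locking sits in the part of `fort_pstree_get_proc_name` that lies outside this hunk. The old PUNICODE_STRING out-parameter aliased the same way, but the new struct reads like a value, so the contract should be stated on the public declaration: `/* On success path->buffer aliases the node's ps_name data; it remains valid only while that process node is alive. */`.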


@ -34,7 +34,7 @@ FORT_API void fort_pstree_close(PFORT_PSTREE ps_tree);
FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree);
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path,
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path,
BOOL *isSvcHost, BOOL *inherited);
FORT_API void fort_pstree_update_services(


@ -214,11 +214,14 @@ FORT_APP_DATA confAppFind(const void *drvConf, const QString &kernelPath)
{
const PFORT_CONF conf = (const PFORT_CONF) drvConf;
const QString kernelPathLower = kernelPath.startsWith('\\') ? kernelPath.toLower() : kernelPath;
const quint32 len = quint32(kernelPathLower.size()) * sizeof(WCHAR);
const WCHAR *p = (PCWCHAR) kernelPathLower.utf16();
const FORT_APP_DATA app_data = fort_conf_app_find(
conf, (const PVOID) p, len, fort_conf_app_exe_find, /*exe_context=*/nullptr);
const FORT_APP_PATH path = {
.len = quint16(kernelPathLower.size() * sizeof(WCHAR)),
.buffer = kernelPathLower.utf16(),
};
const FORT_APP_DATA app_data =
fort_conf_app_find(conf, &path, fort_conf_app_exe_find, /*exe_context=*/nullptr);
return app_data;
}
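Review bot: `.len = quint16(kernelPathLower.size() * sizeof(WCHAR))` truncates silently once the path reaches 32768 characters, whereas the replaced code carried the length as `quint32`; a truncated `len` makes the lookup hash and compare the wrong byte count, and since the driver-side FORT_APP_PATH declares `len` as `unsigned short`, this user-mode builder is where an overlong path has to be rejected. Suggest a guard before the initializer, e.g. `if (kernelPathLower.size() * sizeof(WCHAR) > 0xFFFF) return FORT_APP_DATA{};` — a value-initialized result matches the `found == 0` convention the driver-side callers use, assuming confAppFind's callers treat it the same way. Designated initializers in a `.cpp` file require C++20 or a compiler extension, which is fine if the build already relies on it.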