From 4ce9bf15402a3476ec509748d33f176999a82c4c Mon Sep 17 00:00:00 2001
From: Nodir Temirkhodjaev
Date: Mon, 1 Nov 2021 20:03:23 +0300
Subject: [PATCH] Driver: Add fortutl.* for utility functions.
---
 src/driver/FortFirewallDriver.pro | 2 +
 src/driver/fortutl.c | 77 +++++++++++++++++++++
 src/driver/fortutl.h | 18 +++++
 src/driver/loader/fortdl.c | 109 ++++++++---------------------
 src/driver/loader/fortdl_amalg.c | 2 +
 5 files changed, 127 insertions(+), 81 deletions(-)
 create mode 100644 src/driver/fortutl.c
 create mode 100644 src/driver/fortutl.h
diff --git a/src/driver/FortFirewallDriver.pro b/src/driver/FortFirewallDriver.pro
index 33624125..33efce98 100644
--- a/src/driver/FortFirewallDriver.pro
+++ b/src/driver/FortFirewallDriver.pro
@@ -17,6 +17,7 @@ SOURCES += \
 forttds.c \
 forttlsf.c \
 forttmr.c \
+ fortutl.c \
 fortwrk.c \
 loader/fortdl.c \
 wdm/um_fwpmk.c \
@@ -37,6 +38,7 @@ HEADERS += \
 forttds.h \
 forttlsf.h \
 forttmr.h \
+ fortutl.h \
 fortwrk.h \
 wdm/um_fwpmk.h \
 wdm/um_fwpsk.h \
diff --git a/src/driver/fortutl.c b/src/driver/fortutl.c
new file mode 100644
index 00000000..1baa5be4
--- /dev/null
+++ b/src/driver/fortutl.c
@@ -0,0 +1,77 @@
+/* Fort Firewall Utilities */
+
+#include "fortutl.h"
+
+#define FORT_UTIL_POOL_TAG 'UwfF'
+
+FORT_API NTSTATUS fort_reg_value(HANDLE regKey, PUNICODE_STRING valueName, PWSTR *outData)
+{
+ NTSTATUS status;
+
+ ULONG keyInfoSize;
+ status = ZwQueryValueKey(regKey, valueName, KeyValueFullInformation, NULL, 0, &keyInfoSize);
+ if (status != STATUS_BUFFER_TOO_SMALL || status != STATUS_BUFFER_OVERFLOW)
+ return status;
+
+ PKEY_VALUE_FULL_INFORMATION keyInfo = fort_mem_alloc(keyInfoSize, FORT_UTIL_POOL_TAG);
+ if (keyInfo == NULL)
+ return STATUS_INSUFFICIENT_RESOURCES;
+
+ status = ZwQueryValueKey(
+ regKey, valueName, KeyValueFullInformation, keyInfo, keyInfoSize, &keyInfoSize);
+
+ if (NT_SUCCESS(status)) {
+ const PUCHAR src = ((const PUCHAR) keyInfo + keyInfo->DataOffset);
+ const ULONG len = keyInfo->DataLength;
+
+ PWSTR buf = ExAllocatePool(NonPagedPool, len);
+ if (buf == NULL) {
+ status = STATUS_INSUFFICIENT_RESOURCES;
+ } else {
+ RtlCopyMemory(buf, src, len);
+
+ *outData = buf;
+ }
+ }
+
+ fort_mem_free(keyInfo, FORT_UTIL_POOL_TAG);
+
+ return status;
+}
+
+FORT_API NTSTATUS fort_driver_path(PDRIVER_OBJECT driver, PUNICODE_STRING regPath, PWSTR *outPath)
+{
+ NTSTATUS status;
+
+#if defined(FORT_WIN7_COMPAT)
+ UNUSED(driver);
+
+ HANDLE regKey;
+ OBJECT_ATTRIBUTES objectAttr;
+
+ InitializeObjectAttributes(
+ &objectAttr, regPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
+
+ status = ZwOpenKey(®Key, KEY_QUERY_VALUE, &objectAttr);
+ if (!NT_SUCCESS(status))
+ return status;
+
+ UNICODE_STRING valueName;
+ RtlInitUnicodeString(&valueName, L"ImagePath");
+
+ status = fortdl_reg_value(regKey, &valueName, outPath);
+
+ ZwClose(regKey);
+#else
+ UNUSED(regPath);
+
+ UNICODE_STRING path;
+ status = IoQueryFullDriverPath(driver, &path);
+
+ if (NT_SUCCESS(status)) {
+ *outPath = path.Buffer;
+ }
+#endif
+
+ return status;
+}
diff --git a/src/driver/fortutl.h b/src/driver/fortutl.h
new file mode 100644
index 00000000..397be497
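Review bot: `fort_reg_value` can never reach its allocation, because the probe check `if (status != STATUS_BUFFER_TOO_SMALL || status != STATUS_BUFFER_OVERFLOW)` is true for every status value (no value equals both); it was carried over from the removed fortdl.c code and should read `if (status != STATUS_BUFFER_TOO_SMALL && status != STATUS_BUFFER_OVERFLOW)`. Further down, the FORT_WIN7_COMPAT branch of `fort_driver_path` still calls `fortdl_reg_value(regKey, &valueName, outPath)`, a name this commit deletes from fortdl.c, so that configuration no longer compiles; it should be `status = fort_reg_value(regKey, &valueName, outPath);`. The copied registry data is also handed back as a PWSTR without checking that `keyInfo->Type` is REG_SZ or REG_EXPAND_SZ or that the `len` bytes end in a NUL, so a malformed ImagePath value leaves callers with an unterminated string; validate the type and ensure termination (rejecting `len < sizeof(WCHAR)`) before publishing the buffer through `*outData`.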
--- /dev/null
+++ b/src/driver/fortutl.h
@@ -0,0 +1,18 @@
+#ifndef FORTUTL_H
+#define FORTUTL_H
+
+#include "fortdrv.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+FORT_API NTSTATUS fort_reg_value(HANDLE regKey, PUNICODE_STRING valueName, PWSTR *outData);
+
+FORT_API NTSTATUS fort_driver_path(PDRIVER_OBJECT driver, PUNICODE_STRING regPath, PWSTR *outPath);
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif // FORTUTL_H
diff --git a/src/driver/loader/fortdl.c b/src/driver/loader/fortdl.c
index 9fc5c67f..dffeb3ba 100644
--- a/src/driver/loader/fortdl.c
+++ b/src/driver/loader/fortdl.c
@@ -2,9 +2,20 @@
 #include "fortdl.h"
+#include "../fortutl.h"
+
 #define FORTDL_MAX_FILE_SIZE (4 * 1024 * 1024)
-static NTSTATUS fortdl_read_file(HANDLE fileHandle, PUCHAR *outData)
+static NTSTATUS fortdl_load_image(PUCHAR data, DWORD dataSize)
+{
+ NTSTATUS status;
+
+ DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "FORT: Loader Load Image: %d\n", dataSize);
+
+ return STATUS_SUCCESS;
+}
+
+static NTSTATUS fortdl_read_file(HANDLE fileHandle, PUCHAR *outData, DWORD *outSize)
 {
 NTSTATUS status;
@@ -47,11 +58,12 @@ static NTSTATUS fortdl_read_file(HANDLE fileHandle, PUCHAR *outData)
 } while (dataSize < fileSize);
 *outData = data;
+ *outSize = dataSize;
 return status;
 }
-static NTSTATUS fortdl_load_file(PCWSTR driverPath, PUCHAR *outData)
+static NTSTATUS fortdl_load_file(PCWSTR driverPath, PUCHAR *outData, DWORD *outSize)
 {
 NTSTATUS status;
@@ -75,7 +87,8 @@ static NTSTATUS fortdl_load_file(PCWSTR driverPath, PUCHAR *outData)
 return status;
 }
- status = fortdl_read_file(fileHandle, outData);
+ // Read File
+ status = fortdl_read_file(fileHandle, outData, outSize);
 ZwClose(fileHandle);
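Review bot: Neither prototype states who owns the returned string or what happens to the out parameter on failure; in fortutl.c `*outData` and `*outPath` are written only on success, and the buffer comes from `ExAllocatePool(NonPagedPool, ...)` (or from `IoQueryFullDriverPath`'s `path.Buffer`) and is released by the caller with `ExFreePool`. Add a `/** ... */` comment on each declaration saying that on success the out parameter receives a caller-owned NonPagedPool allocation to be freed with ExFreePool, and that it is left untouched on error. The guards also mix `#if defined(__cplusplus)` with `#ifdef __cplusplus`; use one form.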
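Review bot: `fortdl_load_image` declares `NTSTATUS status;` without ever using it, and passes `dataSize` (a DWORD, i.e. unsigned long) to a `%d` conversion; drop the local and change the trace to `"FORT: Loader Load Image: %lu\n", dataSize`. The body is otherwise a placeholder that returns STATUS_SUCCESS unconditionally, which is reasonable for a staged change but deserves a `// TODO: image loading not implemented yet; only traces the size` comment so the next reader does not take the success status as meaning the image was actually loaded.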
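Review bot: The new `// Read File` comment uses line-comment syntax while the existing comments of fortdl.c visible in this patch use block comments (`/* Load the driver file */`, `/* Free the allocated driver path */` in the -93 hunk); the `// Prepare the driver image` line added in that hunk has the same inconsistency. Prefer `/* Read the file */` here to match the file's established style. fortdl_load_file starts and ends outside this hunk.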
@@ -93,95 +106,29 @@ static void fortdl_init(PDRIVER_OBJECT driver, PVOID context, ULONG count)
 /* Load the driver file */
 PUCHAR data = NULL;
+ DWORD dataSize = 0;
 {
- status = fortdl_load_file(context, &data);
+ status = fortdl_load_file(context, &data, &dataSize);
 /* Free the allocated driver path */
 ExFreePool(context);
 }
+ // Prepare the driver image
+ PUCHAR image = NULL;
+ if (NT_SUCCESS(status)) {
+ status = fortdl_load_image(data, dataSize);
+
+ /* Free the allocated driver file data */
+ fortdl_free(data);
+ }
+
 if (!NT_SUCCESS(status)) {
 DbgPrintEx(
 DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "FORT: Loader Init: Error: %x\n", status);
 }
 }
-#if defined(FORT_WIN7_COMPAT)
-
-static NTSTATUS fortdl_reg_value(HANDLE regKey, PUNICODE_STRING valueName, PWSTR *out_path)
-{
- NTSTATUS status;
-
- ULONG keyInfoSize;
- status = ZwQueryValueKey(regKey, valueName, KeyValueFullInformation, NULL, 0, &keyInfoSize);
- if (status != STATUS_BUFFER_TOO_SMALL || status != STATUS_BUFFER_OVERFLOW)
- return status;
-
- PKEY_VALUE_FULL_INFORMATION keyInfo = fortdl_alloc(keyInfoSize);
- if (keyInfo == NULL)
- return STATUS_INSUFFICIENT_RESOURCES;
-
- status = ZwQueryValueKey(
- regKey, valueName, KeyValueFullInformation, keyInfo, keyInfoSize, &keyInfoSize);
-
- if (NT_SUCCESS(status)) {
- const PUCHAR src = ((const PUCHAR) keyInfo + keyInfo->DataOffset);
- const ULONG len = keyInfo->DataLength;
-
- PWSTR buf = ExAllocatePool(NonPagedPool, len);
- if (buf == NULL) {
- status = STATUS_INSUFFICIENT_RESOURCES;
- } else {
- RtlCopyMemory(buf, src, len);
-
- *out_path = buf;
- }
- }
-
- fortdl_free(keyInfo);
-
- return status;
-}
-
-#endif
-
-static NTSTATUS fortdl_driver_path(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path, PWSTR *out_path)
-{
- NTSTATUS status;
-
-#if defined(FORT_WIN7_COMPAT)
- UNUSED(driver);
-
- HANDLE regKey;
- OBJECT_ATTRIBUTES objectAttr;
-
- InitializeObjectAttributes(
- &objectAttr, reg_path, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
-
- status = ZwOpenKey(®Key, KEY_QUERY_VALUE, &objectAttr);
- if (!NT_SUCCESS(status))
- return status;
-
- UNICODE_STRING valueName;
- RtlInitUnicodeString(&valueName, L"ImagePath");
-
- status = fortdl_reg_value(regKey, &valueName, out_path);
-
- ZwClose(regKey);
-#else
- UNUSED(reg_path);
-
- UNICODE_STRING path;
- status = IoQueryFullDriverPath(driver, &path);
-
- if (NT_SUCCESS(status)) {
- *out_path = path.Buffer;
- }
-#endif
-
- return status;
-}
-
 NTSTATUS
 #if defined(FORT_DRIVER)
 DriverEntry
@@ -193,7 +140,7 @@ DriverLoaderEntry
 NTSTATUS status;
 PWSTR driverPath = NULL;
- status = fortdl_driver_path(driver, reg_path, &driverPath);
+ status = fort_driver_path(driver, reg_path, &driverPath);
 if (!NT_SUCCESS(status)) {
 DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "FORT: Loader Entry: Error: %x\n",
diff --git a/src/driver/loader/fortdl_amalg.c b/src/driver/loader/fortdl_amalg.c
index a20d9efc..f4962a7b 100644
--- a/src/driver/loader/fortdl_amalg.c
+++ b/src/driver/loader/fortdl_amalg.c
@@ -3,4 +3,6 @@
 #define FORT_AMALG
 #define FORT_DRIVER
+#include "../fortutl.c"
+
 #include "fortdl.c"
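Review bot: `PUCHAR image = NULL;` added to fortdl_init is never read or passed on, so it is dead code that only raises an unused-variable warning; either remove it or give `fortdl_load_image` an out parameter and pass `&image`. The file buffer is released only inside `if (NT_SUCCESS(status))`, yet `fortdl_read_file` stores `*outData = data` unconditionally before returning its status (see the -47 hunk), so if its read loop exits with an error after allocating, `data` arrives here non-NULL with a failing status and leaks; because `data` starts as NULL, an unconditional `if (data != NULL) fortdl_free(data);` after the load-image block would cover both paths. fortdl_init begins before this hunk.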