mirrors/fort
1
0
Fork 0
mirror of https://github.com/tnodir/fort synced 2024-11-15 07:25:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Driver: fortcout: Check "ServiceTag" on Windows 10+ (TODO)

Browse Source
This commit is contained in:
Nodir Temirkhodjaev 2023-07-09 17:50:59 +03:00
parent b9067be4ba
commit 7554b735de
3 changed files with 43 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/driver/fortcout.c
View File

@ -312,11 +312,19 @@ inline static void fort_callout_ale_check_conf(
real_path.MaximumLength = real_path.Length;
real_path.Buffer = (PWSTR) ca->inMetaValues->processPath->data;
BOOL isSvcHost = FALSE;
BOOL inherited = FALSE;
UNICODE_STRING path;
if (!fort_pstree_get_proc_name(&fort_device()->ps_tree, process_id, &path, &inherited)) {
if (!fort_pstree_get_proc_name(
&fort_device()->ps_tree, process_id, &path, &isSvcHost, &inherited)) {
path = real_path;
} else if (!inherited) {
/* TODO: Check "ServiceTag" on Windows 10+ */
#if 0 // !defined(FORT_WIN7_COMPAT)
PVOID subProcessTag = ca->inMetaValues->subProcessTag;
if (subProcessTag && isSvcHost) { }
#endif
real_path = path;
}

61
src/driver/fortps.c
View File

@ -33,6 +33,7 @@ typedef struct fort_psname
#define FORT_PSNODE_NAME_INHERITED 0x0002
#define FORT_PSNODE_NAME_CUSTOM 0x0004
#define FORT_PSNODE_KILL_PROCESS 0x0008
#define FORT_PSNODE_IS_SVCHOST 0x0010
/* Synchronize with tommy_hashdyn_node! */
typedef struct fort_psnode
@ -231,12 +232,8 @@ static BOOL fort_pstree_svchost_path_check(PCUNICODE_STRING path)
return TRUE;
}
static BOOL fort_pstree_svchost_check(
PCUNICODE_STRING path, PCUNICODE_STRING commandLine, PUNICODE_STRING serviceName)
static BOOL fort_pstree_svchost_check(PCUNICODE_STRING commandLine, PUNICODE_STRING serviceName)
{
if (!fort_pstree_svchost_path_check(path))
return FALSE;
PWCHAR argp = wcsstr(commandLine->Buffer, L"-s ");
if (argp == NULL)
return FALSE;
@ -282,18 +279,6 @@ static PFORT_PSNAME fort_pstree_create_service_name(
return ps_name;
}
static PFORT_PSNAME fort_pstree_add_service_name(PFORT_PSTREE ps_tree, PCFORT_PSINFO_HASH psi)
{
if (psi->path == NULL || psi->commandLine == NULL)
return NULL;
UNICODE_STRING serviceName;
if (!fort_pstree_svchost_check(psi->path, psi->commandLine, &serviceName))
return NULL;
return fort_pstree_create_service_name(ps_tree, &serviceName);
}
static void fort_pstree_proc_set_service_name(PFORT_PSNODE proc, PFORT_PSNAME ps_name)
{
assert(proc->ps_name == NULL);
@ -306,6 +291,26 @@ static void fort_pstree_proc_set_service_name(PFORT_PSNODE proc, PFORT_PSNAME ps
}
}
static void fort_pstree_proc_check_svchost(
PFORT_PSTREE ps_tree, PCFORT_PSINFO_HASH psi, PFORT_PSNODE proc)
{
if (psi->path == NULL || psi->commandLine == NULL)
return;
if (!fort_pstree_svchost_path_check(psi->path))
return;
proc->flags |= FORT_PSNODE_IS_SVCHOST;
UNICODE_STRING serviceName;
if (!fort_pstree_svchost_check(psi->commandLine, &serviceName))
return;
PFORT_PSNAME ps_name = fort_pstree_create_service_name(ps_tree, &serviceName);
fort_pstree_proc_set_service_name(proc, ps_name);
}
static PFORT_PSNODE fort_pstree_proc_new(PFORT_PSTREE ps_tree, tommy_key_t pid_hash)
{
tommy_hashdyn_node *proc_node = tommy_list_tail(&ps_tree->free_procs);
@ -448,18 +453,14 @@ static void fort_pstree_check_proc_inheritance(
static PFORT_PSNODE fort_pstree_handle_new_proc(PFORT_PSTREE ps_tree, PCFORT_PSINFO_HASH psi)
{
PFORT_PSNAME ps_name = fort_pstree_add_service_name(ps_tree, psi);
PFORT_PSNODE proc = fort_pstree_proc_new(ps_tree, psi->pid_hash);
if (proc == NULL) {
fort_pstree_name_del(ps_tree, ps_name);
if (proc == NULL)
return NULL;
}
proc->process_id = psi->processId;
proc->flags = 0;
fort_pstree_proc_set_service_name(proc, ps_name);
fort_pstree_proc_check_svchost(ps_tree, psi, proc);
fort_pstree_check_proc_inheritance(ps_tree, psi, proc);
@ -633,18 +634,20 @@ FORT_API void fort_pstree_close(PFORT_PSTREE ps_tree)
KeReleaseInStackQueuedSpinLock(&lock_queue);
}
static BOOL fort_pstree_get_proc_name_locked(
PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path, BOOL *inherited)
static BOOL fort_pstree_get_proc_name_locked(PFORT_PSTREE ps_tree, DWORD processId,
PUNICODE_STRING path, BOOL *isSvcHost, BOOL *inherited)
{
PFORT_PSNODE proc = fort_pstree_find_proc(ps_tree, processId);
if (proc == NULL)
return FALSE;
const UINT16 procFlags = proc->flags;
*isSvcHost = (procFlags & FORT_PSNODE_IS_SVCHOST) != 0;
PFORT_PSNAME ps_name = proc->ps_name;
if (ps_name == NULL)
return FALSE;
const UINT16 procFlags = proc->flags;
if ((procFlags & (FORT_PSNODE_NAME_INHERIT | FORT_PSNODE_NAME_CUSTOM))
== FORT_PSNODE_NAME_INHERIT)
return FALSE;
@ -658,15 +661,15 @@ static BOOL fort_pstree_get_proc_name_locked(
return TRUE;
}
FORT_API BOOL fort_pstree_get_proc_name(
PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path, BOOL *inherited)
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path,
BOOL *isSvcHost, BOOL *inherited)
{
BOOL res;
KLOCK_QUEUE_HANDLE lock_queue;
KeAcquireInStackQueuedSpinLock(&ps_tree->lock, &lock_queue);
{
res = fort_pstree_get_proc_name_locked(ps_tree, processId, path, inherited);
res = fort_pstree_get_proc_name_locked(ps_tree, processId, path, isSvcHost, inherited);
}
KeReleaseInStackQueuedSpinLock(&lock_queue);

4
src/driver/fortps.h
View File

@ -32,8 +32,8 @@ FORT_API void fort_pstree_open(PFORT_PSTREE ps_tree);
FORT_API void fort_pstree_close(PFORT_PSTREE ps_tree);
FORT_API BOOL fort_pstree_get_proc_name(
PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path, BOOL *inherited);
FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PUNICODE_STRING path,
BOOL *isSvcHost, BOOL *inherited);
FORT_API void fort_pstree_update_services(
PFORT_PSTREE ps_tree, const PFORT_SERVICE_INFO_LIST services, ULONG data_len);