From 7eb34e2a58d59bc254f4bd98592de859a172c7d7 Mon Sep 17 00:00:00 2001
From: Nodir Temirkhodjaev
Date: Tue, 16 Nov 2021 11:31:06 +0300
Subject: [PATCH] Driver: ProxyCallbacks: Prepare *.asm

---
 src/driver/FortFirewallDriver.pro | 8 ++--
 src/driver/loader/fortdl.c | 4 +-
 src/driver/loader/fortdl.vcxproj | 4 +-
 src/driver/loader/fortdl_amalg.c | 2 +-
 src/driver/{loader => proxycb}/fortpcb.c | 6 +--
 src/driver/{loader => proxycb}/fortpcb.h | 4 +-
 src/driver/{loader => proxycb}/fortpcb_def.c | 5 ++-
 src/driver/{loader => proxycb}/fortpcb_def.h | 7 +--
 src/driver/proxycb/fortpcb_dst_x86.asm | 44 +++++++++++++++++++
 .../fortpcb_src_x86.asm} | 19 +++++++-
 10 files changed, 82 insertions(+), 21 deletions(-)
 rename src/driver/{loader => proxycb}/fortpcb.c (67%)
 rename src/driver/{loader => proxycb}/fortpcb.h (68%)
 rename src/driver/{loader => proxycb}/fortpcb_def.c (50%)
 rename src/driver/{loader => proxycb}/fortpcb_def.h (62%)
 create mode 100644 src/driver/proxycb/fortpcb_dst_x86.asm
 rename src/driver/{loader/fortpcb_x64.asm => proxycb/fortpcb_src_x86.asm} (58%)
diff --git a/src/driver/FortFirewallDriver.pro b/src/driver/FortFirewallDriver.pro
index 39ca6d66..f0d0dc50 100644
--- a/src/driver/FortFirewallDriver.pro
+++ b/src/driver/FortFirewallDriver.pro
@@ -22,8 +22,8 @@ SOURCES += \
 loader/fortdl.c \
 loader/fortimg.c \
 loader/fortmm.c \
- loader/fortpcb.c \
- loader/fortpcb_def.c \
+ proxycb/fortpcb.c \
+ proxycb/fortpcb_def.c \
 wdm/um_aux_klib.c \
 wdm/um_fwpmk.c \
 wdm/um_fwpsk.c \
@@ -48,8 +48,8 @@ HEADERS += \
 loader/fortdl.h \
 loader/fortimg.h \
 loader/fortmm.h \
- loader/fortpcb.h \
- loader/fortpcb_def.h \
+ proxycb/fortpcb.h \
+ proxycb/fortpcb_def.h \
 wdm/um_aux_klib.h \
 wdm/um_fwpmk.h \
 wdm/um_fwpsk.h \
diff --git a/src/driver/loader/fortdl.c b/src/driver/loader/fortdl.c
index 62dd9b9b..f85d377c 100644
--- a/src/driver/loader/fortdl.c
+++ b/src/driver/loader/fortdl.c
@@ -4,9 +4,9 @@
 #include "../fortutl.h"
+#include "../proxycb/fortpcb.h"
 #include "fortimg.h"
 #include "fortmm.h"
-#include "fortpcb.h"
 typedef struct fort_loader {
@@ -30,7 +30,7 @@ static NTSTATUS fort_loader_entry(PDRIVER_OBJECT driver, PUNICODE_STRING regPath
 {
 NTSTATUS status;
- SetupProxyCallbacks();
+ fort_proxycb_src_setup();
 status = CallModuleEntry(&g_loader.module, driver, regPath);
 if (!NT_SUCCESS(status))
diff --git a/src/driver/loader/fortdl.vcxproj b/src/driver/loader/fortdl.vcxproj
index 74e2ed5e..caa46af2 100644
--- a/src/driver/loader/fortdl.vcxproj
+++ b/src/driver/loader/fortdl.vcxproj
@@ -66,7 +66,9 @@ - + + /safeseh +
diff --git a/src/driver/loader/fortdl_amalg.c b/src/driver/loader/fortdl_amalg.c
index 7566dfe7..8afc0d22 100644
--- a/src/driver/loader/fortdl_amalg.c
+++ b/src/driver/loader/fortdl_amalg.c
@@ -5,7 +5,7 @@
 #include "../fortutl.c"
-#include "fortpcb.c"
+#include "../proxycb/fortpcb.c"
 #include "fortmm.c"
 #include "fortimg.c"
 #include "fortdl.c"
diff --git a/src/driver/loader/fortpcb.c b/src/driver/proxycb/fortpcb.c
similarity index 67%
rename from src/driver/loader/fortpcb.c
rename to src/driver/proxycb/fortpcb.c
index 992e7287..31b0415f 100644
--- a/src/driver/loader/fortpcb.c
+++ b/src/driver/proxycb/fortpcb.c
@@ -4,7 +4,7 @@
 #include "fortpcb_def.h"
-static ProxyCallbackProc g_proxyCallbacks[PROXY_CALLBACKS_COUNT] = {
+static ProxyCallbackProc g_proxySrcCallbacks[PROXY_CALLBACKS_COUNT] = {
 proxyCallback0,
 proxyCallback1,
 proxyCallback2,
@@ -12,8 +12,8 @@ static ProxyCallbackProc g_proxyCallbacks[PROXY_CALLBACKS_COUNT] = {
 proxyCallback4,
 };
-FORT_API void SetupProxyCallbacks(void)
+FORT_API void fort_proxycb_src_setup(void)
 {
- DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "FORT: Loader SetupProxyCallbacks: %p\n",
+ DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, "FORT: ProxyCbSrc Setup: %p\n",
 &proxyCallback0);
 }
diff --git a/src/driver/loader/fortpcb.h b/src/driver/proxycb/fortpcb.h
similarity index 68%
rename from src/driver/loader/fortpcb.h
rename to src/driver/proxycb/fortpcb.h
index 0b8132e1..bad78169 100644
--- a/src/driver/loader/fortpcb.h
+++ b/src/driver/proxycb/fortpcb.h
@@ -1,13 +1,13 @@
 #ifndef FORTPCB_H
 #define FORTPCB_H
-#include "fortdl.h"
+#include "../fortdrv.h"
 #if defined(__cplusplus)
 extern "C" {
 #endif
-FORT_API void SetupProxyCallbacks(void);
+FORT_API void fort_proxycb_src_setup(void);
 #ifdef __cplusplus
 } // extern "C"
diff --git a/src/driver/loader/fortpcb_def.c b/src/driver/proxycb/fortpcb_def.c
similarity index 50%
rename from src/driver/loader/fortpcb_def.c
rename to src/driver/proxycb/fortpcb_def.c
index b7811c14..642dabf1 100644
--- a/src/driver/loader/fortpcb_def.c
+++ b/src/driver/proxycb/fortpcb_def.c
@@ -2,7 +2,10 @@
 #include "fortpcb_def.h"
-ProxyCallbackProc g_proxiedCallbacks[PROXY_CALLBACKS_COUNT];
+#define ProxyCallbackFunction(i) \
+ void proxyCallback##i(void) { g_proxyDstProcs[i](); }
+
+ProxyCallbackProc g_proxyDstProcs[PROXY_CALLBACKS_COUNT];
 ProxyCallbackFunction(0)
 ProxyCallbackFunction(1)
 ProxyCallbackFunction(2)
 ProxyCallbackFunction(3)
 ProxyCallbackFunction(4)
diff --git a/src/driver/loader/fortpcb_def.h b/src/driver/proxycb/fortpcb_def.h
similarity index 62%
rename from src/driver/loader/fortpcb_def.h
rename to src/driver/proxycb/fortpcb_def.h
index ee158a6e..82bf528c 100644
--- a/src/driver/loader/fortpcb_def.h
+++ b/src/driver/proxycb/fortpcb_def.h
@@ -1,7 +1,7 @@
 #ifndef FORTPCB_DEF_H
 #define FORTPCB_DEF_H
-#include "fortdl.h"
+#include "../fortdrv.h"
 #if defined(__cplusplus)
 extern "C" {
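Review bot: The table defined in fortpcb_def.c is named `g_proxyDstProcs`, while the `extern` this same commit adds to fortpcb_def.h (second hunk of that file) and the data label in fortpcb_dst_x86.asm are `g_proxyDstCallbacks`, so the header declares a symbol that no C source defines and the definition here has no matching declaration; pick one name for the table and use it in fortpcb_def.h, fortpcb_def.c and both .asm files. The trampoline body `void proxyCallback##i(void) { g_proxyDstProcs[i](); }` calls through a slot that nothing in this commit populates, and a tentatively defined C array is zero-initialized, so an unfilled slot is a NULL indirect call in kernel mode; either guard the slot or state the precondition above the macro, e.g. `/* Slot i must be filled by the setup code before proxyCallback##i can be reached. */`. Only five of the `PROXY_CALLBACKS_COUNT` (64) slots get a trampoline; if that is deliberate for a preparatory commit, a one-line comment saying so would save the next reader a search.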
@@ -11,10 +11,7 @@ typedef void (*ProxyCallbackProc)(void);
 #define PROXY_CALLBACKS_COUNT 64
-extern ProxyCallbackProc g_proxiedCallbacks[PROXY_CALLBACKS_COUNT];
-
-#define ProxyCallbackFunction(i) \
- void proxyCallback##i(void) { g_proxiedCallbacks[i](); }
+extern ProxyCallbackProc g_proxyDstCallbacks[PROXY_CALLBACKS_COUNT];
 #define ProxyCallbackExtern(i) extern void proxyCallback##i(void)
diff --git a/src/driver/proxycb/fortpcb_dst_x86.asm b/src/driver/proxycb/fortpcb_dst_x86.asm
new file mode 100644
index 00000000..d732c3db
--- /dev/null
+++ b/src/driver/proxycb/fortpcb_dst_x86.asm
@@ -0,0 +1,44 @@
+IFDEF RAX
+ELSE
+.model flat, c
+ENDIF
+
+.DATA
+IFDEF RAX
+ g_proxyDstCallbacks QWORD 040H dup (?)
+ELSE
+ g_proxyDstCallbacks DWORD 040H dup (?)
+ENDIF
+
+.CODE
+
+ProxyCallbackProc MACRO index:REQ
+IFDEF RAX
+ pop rax
+ jmp QWORD PTR [g_proxyDstCallbacks + index * 8]
+ELSE
+ jmp DWORD PTR [g_proxyDstCallbacks + index * 4]
+ENDIF
+ENDM
+
+proxyCallback0 PROC
+ProxyCallbackProc(0)
+proxyCallback0 ENDP
+
+proxyCallback1 PROC
+ProxyCallbackProc(1)
+proxyCallback1 ENDP
+
+proxyCallback2 PROC
+ProxyCallbackProc(2)
+proxyCallback2 ENDP
+
+proxyCallback3 PROC
+ProxyCallbackProc(3)
+proxyCallback3 ENDP
+
+proxyCallback4 PROC
+ProxyCallbackProc(4)
+proxyCallback4 ENDP
+
+END
diff --git a/src/driver/loader/fortpcb_x64.asm b/src/driver/proxycb/fortpcb_src_x86.asm
similarity index 58%
rename from src/driver/loader/fortpcb_x64.asm
rename to src/driver/proxycb/fortpcb_src_x86.asm
index 1afc6355..90b81e42 100644
--- a/src/driver/loader/fortpcb_x64.asm
+++ b/src/driver/proxycb/fortpcb_src_x86.asm
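Review bot: This new file selects `.model flat, c` while fortpcb_src_x86.asm in the same commit selects `.model flat, stdcall`; on 32-bit builds the model's language type decides how MASM decorates the `proxyCallbackN PROC` names (as far as I recall, a leading underscore for `c` versus `_name@0` for `stdcall`), so at most one of the two files can match the `ProxyCallbackExtern` prototypes in fortpcb_def.h — make the models agree and confirm which decoration the C side expects. The x64 branch of the macro executes `pop rax` before the indirect `jmp`, which appears to be balanced only by the `push rax` the src stub does first; that cross-file contract is invisible here and the same macro in fortpcb_src_x86.asm, so put a comment on both, e.g. `; x64: entered from the src stub, which pushed rax; restore it, then tail-jump to the real target`. The `g_proxyDstCallbacks` label is not declared `PUBLIC`, and I believe MASM exports PROC names by default but not data labels, so the `extern` array in fortpcb_def.h cannot bind to this table as written — verify. The 64 entries are `dup (?)`, i.e. uninitialized, so a stub whose slot has not been filled jumps to an indeterminate address; document that the table must be fully populated before any stub is reachable, or initialize the unused slots to a known handler.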
@@ -1,10 +1,25 @@
+IFDEF RAX
+ELSE
+.model flat, stdcall
+ENDIF
+
 .DATA
-g_proxiedCallbacks QWORD 040H dup (?)
+IFDEF RAX
+ g_proxyDstProcs QWORD 040H dup (?)
+ELSE
+ g_proxyDstProcs DWORD 040H dup (?)
+ENDIF
 .CODE
 ProxyCallbackProc MACRO index:REQ
- jmp QWORD PTR [g_proxiedCallbacks + index * 8]
+IFDEF RAX
+ push rax
+ mov rax, [g_proxyDstProcs + index * 8]
+ jmp rax
+ELSE
+ jmp DWORD PTR [g_proxyDstProcs + index * 4]
+ENDIF
 ENDM
 proxyCallback0 PROC
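Review bot: The table defined here as `g_proxyDstProcs QWORD/DWORD 040H dup (?)` carries the same name as the C array `ProxyCallbackProc g_proxyDstProcs[PROXY_CALLBACKS_COUNT]` that this commit adds to fortpcb_def.c, so a build that links both objects either gets a duplicate symbol (if the label is made `PUBLIC`) or two private tables of which the C code only ever writes one, leaving the stubs jumping through the never-filled asm copy; decide which translation unit owns the table and have the other reference it (`EXTERN` here, `extern` in C). The hunk ends on `proxyCallback0 PROC`, so the procedure it opens continues past the hunk. The hunk also leaves the previous `jmp QWORD PTR [...]` form for a `mov rax, [...]` / `jmp rax` pair on x64 without saying why; a one-line comment on the reason (presumably the displacement reach of the loaded module — confirm) would stop a later cleanup from reverting it.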