mirrors/fort
1
0
Fork 0
mirror of https://github.com/tnodir/fort synced 2024-11-15 04:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Driver: fortps: Improve SvcHost checking

Browse Source
This commit is contained in:
Nodir Temirkhodjaev 2024-10-29 17:50:23 +05:00
parent 2d2e78a59a
commit df936acc2f
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/driver/fortps.c
View File

@ -212,6 +212,9 @@ static void fort_pstree_name_del(PFORT_PSTREE ps_tree, PFORT_PSNAME ps_name)
static BOOL fort_pstree_svchost_path_check(PCUNICODE_STRING path) static BOOL fort_pstree_svchost_path_check(PCUNICODE_STRING path)
{ {
if (path == NULL)
return FALSE;
const USHORT svchostSize = sizeof(FORT_SVCHOST_EXE) - sizeof(WCHAR); /* skip terminating zero */ const USHORT svchostSize = sizeof(FORT_SVCHOST_EXE) - sizeof(WCHAR); /* skip terminating zero */
const USHORT pathLength = path->Length; const USHORT pathLength = path->Length;
@ -246,6 +249,9 @@ static BOOL fort_pstree_svchost_path_check(PCUNICODE_STRING path)
static BOOL fort_pstree_svchost_name_check( static BOOL fort_pstree_svchost_name_check(
PCUNICODE_STRING commandLine, PUNICODE_STRING serviceName) PCUNICODE_STRING commandLine, PUNICODE_STRING serviceName)
{ {
if (commandLine == NULL)
return FALSE;
PWCHAR argp = wcsstr(commandLine->Buffer, L"-s "); PWCHAR argp = wcsstr(commandLine->Buffer, L"-s ");
if (argp == NULL) if (argp == NULL)
return FALSE; return FALSE;
@ -306,9 +312,6 @@ static void fort_pstree_proc_set_service_name(PFORT_PSNODE proc, PFORT_PSNAME ps
static void fort_pstree_proc_check_svchost( static void fort_pstree_proc_check_svchost(
PFORT_PSTREE ps_tree, PCFORT_PSINFO_HASH psi, PFORT_PSNODE proc) PFORT_PSTREE ps_tree, PCFORT_PSINFO_HASH psi, PFORT_PSNODE proc)
{ {
if (psi->path == NULL || psi->commandLine == NULL)
return;
if (!fort_pstree_svchost_path_check(psi->path)) if (!fort_pstree_svchost_path_check(psi->path))
return; return;
@ -567,6 +570,8 @@ inline static void fort_pstree_notify_process_created(
if (fort_is_system_process(psi->processId, psi->parentProcessId)) if (fort_is_system_process(psi->processId, psi->parentProcessId))
return; /* skip System (sub)processes */ return; /* skip System (sub)processes */
psi->commandLine = createInfo->CommandLine;
PFORT_PSNODE proc = fort_pstree_handle_created_proc(ps_tree, psi); PFORT_PSNODE proc = fort_pstree_handle_created_proc(ps_tree, psi);
fort_pstree_check_kill_proc(proc, createInfo, FORT_PSNODE_KILL_PROCESS); fort_pstree_check_kill_proc(proc, createInfo, FORT_PSNODE_KILL_PROCESS);
@ -610,8 +615,6 @@ inline static void fort_pstree_notify_process(PFORT_PSTREE ps_tree, PCFORT_PSTRE
.pid_hash = fort_pstree_proc_hash(processId), .pid_hash = fort_pstree_proc_hash(processId),
.processId = processId, .processId = processId,
.parentProcessId = parentProcessId, .parentProcessId = parentProcessId,
.commandLine = (createInfo != NULL ? createInfo->CommandLine : NULL),
}; };
#ifdef FORT_DEBUG #ifdef FORT_DEBUG