From ed416b258869cf26fddb15712a3168a302d78c33 Mon Sep 17 00:00:00 2001 From: Nodir Temirkhodjaev Date: Wed, 23 Oct 2024 11:40:08 +0500 Subject: [PATCH] Driver: fortps: Prepare fort_pstree_get_svchost_name() --- src/driver/fortcout.c | 7 +++++-- src/driver/fortcoutarg.h | 1 + src/driver/fortps.c | 20 ++++++++++++++++++++ src/driver/fortps.h | 3 +++ 4 files changed, 29 insertions(+), 2 deletions(-) diff --git a/src/driver/fortcout.c b/src/driver/fortcout.c index fc9e3ef9..6c519e0f 100644 --- a/src/driver/fortcout.c +++ b/src/driver/fortcout.c @@ -402,9 +402,12 @@ inline static BOOL fort_callout_ale_fill_path_sid(PCFORT_CALLOUT_ARG ca, PFORT_C continue; // not "NT Authority" // Get Service Name by SID - // TODO + cx->path.buffer = cx->svchost_name; - return FALSE; + if (fort_pstree_get_svchost_name(&fort_device()->ps_tree, &subAuth[1], &cx->path)) + return TRUE; + + break; } return FALSE; diff --git a/src/driver/fortcoutarg.h b/src/driver/fortcoutarg.h index 438c3d62..efee0452 100644 --- a/src/driver/fortcoutarg.h +++ b/src/driver/fortcoutarg.h @@ -60,6 +60,7 @@ typedef struct fort_callout_ale_extra FORT_APP_PATH path; FORT_APP_PATH real_path; + WCHAR svchost_name[80]; PIRP irp; ULONG_PTR info; diff --git a/src/driver/fortps.c b/src/driver/fortps.c index b23401e6..2891aec7 100644 --- a/src/driver/fortps.c +++ b/src/driver/fortps.c 
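Review bot: `cx->path.buffer = cx->svchost_name;` hands the callee a pointer into the 80-WCHAR array added in fortcoutarg.h, but nothing in this hunk tells fort_pstree_get_svchost_name how large that buffer is; if FORT_APP_PATH carries a length or capacity field (the struct is not visible here), set it alongside the buffer from `sizeof(cx->svchost_name)`, and give the bare `80` a named constant that fortps.c can share instead of re-deriving it. The assignment is also made before the lookup result is known, so on the FALSE path `cx->path.buffer` is left pointing at `svchost_name`, which this hunk never initialises; if any caller reads `cx->path` after fort_callout_ale_fill_path_sid returns FALSE, save the previous buffer and restore it on failure, or assign only after success. `&subAuth[1]` is passed without a count, so how many sub-authority DWORDs the callee may read should be stated at the call site or in the header. fort_callout_ale_fill_path_sid starts and ends outside the hunk.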
@@ -826,6 +826,26 @@ FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, P return res; } +static BOOL fort_pstree_get_svchost_name_locked( + PFORT_PSTREE ps_tree, const DWORD *sidBytes, PFORT_APP_PATH path) +{ + return FALSE; +} + +BOOL fort_pstree_get_svchost_name(PFORT_PSTREE ps_tree, const DWORD *sidBytes, PFORT_APP_PATH path) +{ + BOOL res; + + KLOCK_QUEUE_HANDLE lock_queue; + KeAcquireInStackQueuedSpinLock(&ps_tree->lock, &lock_queue); + { + res = fort_pstree_get_svchost_name_locked(ps_tree, sidBytes, path); + } + KeReleaseInStackQueuedSpinLock(&lock_queue); + + return res; +} + inline static void fort_pstree_update_service_proc( PFORT_PSTREE ps_tree, PCUNICODE_STRING serviceName, DWORD processId) { diff --git a/src/driver/fortps.h b/src/driver/fortps.h index 01a9d9f2..af2348cb 100644 --- a/src/driver/fortps.h +++ b/src/driver/fortps.h @@ -37,6 +37,9 @@ FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree); FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path, BOOL *isSvcHost, BOOL *inherited); +FORT_API BOOL fort_pstree_get_svchost_name( + PFORT_PSTREE ps_tree, const DWORD *sidBytes, PFORT_APP_PATH path); + FORT_API void fort_pstree_update_services( PFORT_PSTREE ps_tree, const PFORT_SERVICE_INFO_LIST services, ULONG data_len);
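Review bot: The definition `BOOL fort_pstree_get_svchost_name(PFORT_PSTREE ps_tree, const DWORD *sidBytes, PFORT_APP_PATH path)` drops the `FORT_API` that both the fortps.h declaration and the neighbouring `FORT_API BOOL fort_pstree_get_proc_name(` definition carry; make it `FORT_API BOOL fort_pstree_get_svchost_name(PFORT_PSTREE ps_tree, const DWORD *sidBytes, PFORT_APP_PATH path)` so declaration and definition agree. The `_locked` stub ignores all three parameters, and neither it nor the fortps.h declaration says what `sidBytes` points to or how many DWORDs may be read, nor that `path` must arrive with a writable buffer whose capacity the callee can learn; a short comment on the declaration stating both contracts would keep the eventual implementation from inheriting an unbounded read or write. Because `fort_pstree_get_svchost_name_locked` runs between KeAcquireInStackQueuedSpinLock and KeReleaseInStackQueuedSpinLock, whatever fills in the stub executes at raised IRQL and must not touch pageable memory or block, which is worth noting on the stub itself. fort_pstree_update_service_proc continues outside the hunk.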