Driver: fortps: Prepare fort_pstree_get_svchost_name()

src/driver/fortcout.c

@@ -402,9 +402,12 @@ inline static BOOL fort_callout_ale_fill_path_sid(PCFORT_CALLOUT_ARG ca, PFORT_C
             continue; // not "NT Authority"
 
         // Get Service Name by SID
-        // TODO
+        cx->path.buffer = cx->svchost_name;
 
-        return FALSE;
+        if (fort_pstree_get_svchost_name(&fort_device()->ps_tree, &subAuth[1], &cx->path))
+            return TRUE;
+
+        break;
     }
 
     return FALSE;

src/driver/fortcoutarg.h

@@ -60,6 +60,7 @@ typedef struct fort_callout_ale_extra
 
     FORT_APP_PATH path;
     FORT_APP_PATH real_path;
+    WCHAR svchost_name[80];
 
     PIRP irp;
     ULONG_PTR info;

src/driver/fortps.c

@@ -826,6 +826,26 @@ FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, P
     return res;
 }
 
+static BOOL fort_pstree_get_svchost_name_locked(
+        PFORT_PSTREE ps_tree, const DWORD *sidBytes, PFORT_APP_PATH path)
+{
+    return FALSE;
+}
+
+BOOL fort_pstree_get_svchost_name(PFORT_PSTREE ps_tree, const DWORD *sidBytes, PFORT_APP_PATH path)
+{
+    BOOL res;
+
+    KLOCK_QUEUE_HANDLE lock_queue;
+    KeAcquireInStackQueuedSpinLock(&ps_tree->lock, &lock_queue);
+    {
+        res = fort_pstree_get_svchost_name_locked(ps_tree, sidBytes, path);
+    }
+    KeReleaseInStackQueuedSpinLock(&lock_queue);
+
+    return res;
+}
+
 inline static void fort_pstree_update_service_proc(
         PFORT_PSTREE ps_tree, PCUNICODE_STRING serviceName, DWORD processId)
 {

src/driver/fortps.h

@@ -37,6 +37,9 @@ FORT_API void fort_pstree_enum_processes(PFORT_PSTREE ps_tree);
 FORT_API BOOL fort_pstree_get_proc_name(PFORT_PSTREE ps_tree, DWORD processId, PFORT_APP_PATH path,
         BOOL *isSvcHost, BOOL *inherited);
 
+FORT_API BOOL fort_pstree_get_svchost_name(
+        PFORT_PSTREE ps_tree, const DWORD *sidBytes, PFORT_APP_PATH path);
+
 FORT_API void fort_pstree_update_services(
         PFORT_PSTREE ps_tree, const PFORT_SERVICE_INFO_LIST services, ULONG data_len);