2023-08-20 16:12:04 +02:00
|
|
|
#include "queue.h"
|
|
|
|
|
|
2023-09-02 10:54:04 +02:00
|
|
|
#include "callbacks.h"
|
|
|
|
|
|
|
|
|
|
#include "driver.h"
|
|
|
|
|
|
|
|
|
|
#include "queue.h"
|
|
|
|
|
#include "pool.h"
|
|
|
|
|
#include "thread.h"
|
2023-11-09 08:30:59 +01:00
|
|
|
#include "ioctl.h"
|
2023-08-30 18:29:44 +02:00
|
|
|
#include "common.h"
|
2024-01-07 05:13:41 +01:00
|
|
|
#include "imports.h"
|
2023-08-30 18:29:44 +02:00
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2024-01-13 22:33:57 +01:00
|
|
|
InitialiseGlobalReportQueue()
|
2023-09-02 10:54:04 +02:00
|
|
|
{
|
2024-01-13 22:33:57 +01:00
|
|
|
PREPORT_QUEUE_HEAD queue = GetDriverReportQueue();
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
queue->head.start = NULL;
|
|
|
|
|
queue->head.end = NULL;
|
|
|
|
|
queue->head.entries = 0;
|
|
|
|
|
queue->is_driver_unloading = FALSE;
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
ImpKeInitializeGuardedMutex(&queue->head.lock);
|
|
|
|
|
ImpKeInitializeGuardedMutex(&queue->lock);
|
2023-09-02 10:54:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2023-12-13 05:06:27 +01:00
|
|
|
QueuePush(_Inout_ PQUEUE_HEAD Head, _In_ PVOID Data)
|
2023-08-20 16:12:04 +02:00
|
|
|
{
|
2024-01-07 05:13:41 +01:00
|
|
|
ImpKeAcquireGuardedMutex(&Head->lock);
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
PQUEUE_NODE temp = ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(QUEUE_NODE), QUEUE_POOL_TAG);
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
if (!temp)
|
|
|
|
|
goto end;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
Head->entries += 1;
|
2023-08-20 17:04:53 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
temp->data = Data;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
if (Head->end != NULL)
|
|
|
|
|
Head->end->next = temp;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
Head->end = temp;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
if (Head->start == NULL)
|
|
|
|
|
Head->start = temp;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
|
|
|
|
end:
|
2024-01-07 05:13:41 +01:00
|
|
|
ImpKeReleaseGuardedMutex(&Head->lock);
|
2023-08-20 16:12:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
PVOID
|
2023-12-13 05:06:27 +01:00
|
|
|
QueuePop(_Inout_ PQUEUE_HEAD Head)
|
2023-08-20 16:12:04 +02:00
|
|
|
{
|
2024-01-07 05:13:41 +01:00
|
|
|
ImpKeAcquireGuardedMutex(&Head->lock);
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
PVOID data = NULL;
|
|
|
|
|
PQUEUE_NODE temp = Head->start;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
if (temp == NULL)
|
|
|
|
|
goto end;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
Head->entries = Head->entries - 1;
|
2023-08-20 17:04:53 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
data = temp->data;
|
|
|
|
|
Head->start = temp->next;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
if (Head->end == temp)
|
|
|
|
|
Head->end = NULL;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2024-01-07 05:13:41 +01:00
|
|
|
ImpExFreePoolWithTag(temp, QUEUE_POOL_TAG);
|
2023-08-20 16:12:04 +02:00
|
|
|
|
|
|
|
|
end:
|
2024-01-07 05:13:41 +01:00
|
|
|
ImpKeReleaseGuardedMutex(&Head->lock);
|
2023-12-13 05:06:27 +01:00
|
|
|
return data;
|
2023-08-20 16:12:04 +02:00
|
|
|
}
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2023-12-13 05:06:27 +01:00
|
|
|
InsertReportToQueue(_In_ PVOID Report)
|
2023-09-02 10:54:04 +02:00
|
|
|
{
|
2024-01-13 22:33:57 +01:00
|
|
|
PREPORT_QUEUE_HEAD queue = GetDriverReportQueue();
|
|
|
|
|
|
|
|
|
|
if (InterlockedExchange(&queue->is_driver_unloading, queue->is_driver_unloading))
|
2023-12-13 05:06:27 +01:00
|
|
|
return;
|
2023-10-11 18:05:29 +02:00
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
ImpKeAcquireGuardedMutex(&queue->lock);
|
|
|
|
|
QueuePush(&queue->head, Report);
|
|
|
|
|
ImpKeReleaseGuardedMutex(&queue->lock);
|
2023-09-02 10:54:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2023-09-27 06:22:14 +02:00
|
|
|
FreeGlobalReportQueueObjects()
|
2023-09-02 10:54:04 +02:00
|
|
|
{
|
2024-01-13 22:33:57 +01:00
|
|
|
PREPORT_QUEUE_HEAD queue = GetDriverReportQueue();
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
InterlockedExchange(&queue->is_driver_unloading, TRUE);
|
|
|
|
|
ImpKeAcquireGuardedMutex(&queue->lock);
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PVOID report = QueuePop(&queue->head);
|
|
|
|
|
|
|
|
|
|
while (report)
|
2023-12-13 05:06:27 +01:00
|
|
|
{
|
2024-01-07 05:13:41 +01:00
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
2024-01-13 22:33:57 +01:00
|
|
|
report = QueuePop(&queue->head);
|
2023-12-13 05:06:27 +01:00
|
|
|
}
|
2023-09-02 10:54:04 +02:00
|
|
|
|
|
|
|
|
end:
|
2024-01-13 22:33:57 +01:00
|
|
|
ImpKeReleaseGuardedMutex(&queue->lock);
|
2023-09-02 10:54:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2023-12-13 05:06:27 +01:00
|
|
|
* This function handles sending all the pending reports in the global report
|
|
|
|
|
* queue to the usermode application. This function is called periodically by the
|
|
|
|
|
* usermode application. The reason I have implemented this is because as this application
|
|
|
|
|
* expanded, it became apparent that some of the driver functions will generate multiple
|
|
|
|
|
* reports as a result of a single usermode request and hence it makes dealing with
|
|
|
|
|
* reports generated from ObRegisterCallbacks for example much easier.
|
|
|
|
|
*/
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2024-01-13 22:33:57 +01:00
|
|
|
HandlePeriodicGlobalReportQueueQuery(_Out_ PIRP Irp)
|
2023-09-02 10:54:04 +02:00
|
|
|
{
|
2023-12-13 05:06:27 +01:00
|
|
|
INT count = 0;
|
2023-12-23 19:52:55 +01:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
2023-12-13 05:06:27 +01:00
|
|
|
PVOID report = NULL;
|
|
|
|
|
SIZE_T total_size = 0;
|
|
|
|
|
PVOID report_buffer = NULL;
|
|
|
|
|
ULONG report_buffer_size = 0;
|
|
|
|
|
PREPORT_HEADER report_header = NULL;
|
|
|
|
|
GLOBAL_REPORT_QUEUE_HEADER header = {0};
|
2024-01-13 22:33:57 +01:00
|
|
|
PREPORT_QUEUE_HEAD queue = GetDriverReportQueue();
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
ImpKeAcquireGuardedMutex(&queue->lock);
|
2023-10-11 18:05:29 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
report_buffer_size = sizeof(INVALID_PROCESS_ALLOCATION_REPORT) * MAX_REPORTS_PER_IRP +
|
|
|
|
|
sizeof(GLOBAL_REPORT_QUEUE_HEADER);
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
status = ValidateIrpOutputBuffer(Irp, report_buffer_size);
|
2023-11-09 08:30:59 +01:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
if (!NT_SUCCESS(status))
|
|
|
|
|
{
|
2023-12-23 19:52:55 +01:00
|
|
|
DEBUG_ERROR("ValidateIrpOutputBuffer failed with status %x", status);
|
2024-01-13 22:33:57 +01:00
|
|
|
ImpKeReleaseGuardedMutex(&queue->lock);
|
2023-12-13 05:06:27 +01:00
|
|
|
return status;
|
|
|
|
|
}
|
2023-11-09 08:30:59 +01:00
|
|
|
|
2024-01-07 05:13:41 +01:00
|
|
|
report_buffer = ImpExAllocatePool2(
|
|
|
|
|
POOL_FLAG_NON_PAGED, report_buffer_size, REPORT_QUEUE_TEMP_BUFFER_TAG);
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
if (!report_buffer)
|
|
|
|
|
{
|
2024-01-13 22:33:57 +01:00
|
|
|
ImpKeReleaseGuardedMutex(&queue->lock);
|
2023-12-13 05:06:27 +01:00
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
|
|
|
|
}
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
report = QueuePop(&queue->head);
|
2023-11-09 08:30:59 +01:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
if (report == NULL)
|
|
|
|
|
{
|
2023-12-23 19:52:55 +01:00
|
|
|
DEBUG_VERBOSE("Callback report queue is empty. No reports to be sent to usermode.");
|
2023-12-13 05:06:27 +01:00
|
|
|
goto end;
|
|
|
|
|
}
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
while (report != NULL)
|
|
|
|
|
{
|
|
|
|
|
if (count >= MAX_REPORTS_PER_IRP)
|
|
|
|
|
goto end;
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
report_header = (PREPORT_HEADER)report;
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
switch (report_header->report_id)
|
|
|
|
|
{
|
|
|
|
|
case REPORT_ILLEGAL_HANDLE_OPERATION:
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
RtlCopyMemory((UINT64)report_buffer + sizeof(GLOBAL_REPORT_QUEUE_HEADER) +
|
|
|
|
|
total_size,
|
|
|
|
|
report,
|
|
|
|
|
sizeof(OPEN_HANDLE_FAILURE_REPORT));
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
total_size += sizeof(OPEN_HANDLE_FAILURE_REPORT);
|
|
|
|
|
break;
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
case REPORT_ILLEGAL_ATTACH_PROCESS:
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
RtlCopyMemory((UINT64)report_buffer + sizeof(GLOBAL_REPORT_QUEUE_HEADER) +
|
|
|
|
|
total_size,
|
|
|
|
|
report,
|
|
|
|
|
sizeof(ATTACH_PROCESS_REPORT));
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
total_size += sizeof(ATTACH_PROCESS_REPORT);
|
|
|
|
|
break;
|
2023-09-18 05:15:26 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
case REPORT_INVALID_PROCESS_ALLOCATION:
|
2023-09-18 05:15:26 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
RtlCopyMemory((UINT64)report_buffer + sizeof(GLOBAL_REPORT_QUEUE_HEADER) +
|
|
|
|
|
total_size,
|
|
|
|
|
report,
|
|
|
|
|
sizeof(INVALID_PROCESS_ALLOCATION_REPORT));
|
2023-09-18 05:15:26 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
total_size += sizeof(INVALID_PROCESS_ALLOCATION_REPORT);
|
|
|
|
|
break;
|
2023-09-28 15:56:07 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
case REPORT_APC_STACKWALK:
|
2023-09-28 15:56:07 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
RtlCopyMemory((UINT64)report_buffer + sizeof(GLOBAL_REPORT_QUEUE_HEADER) +
|
|
|
|
|
total_size,
|
|
|
|
|
report,
|
|
|
|
|
sizeof(APC_STACKWALK_REPORT));
|
2023-09-28 15:56:07 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
total_size += sizeof(APC_STACKWALK_REPORT);
|
|
|
|
|
break;
|
2023-09-28 15:56:07 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
case REPORT_HIDDEN_SYSTEM_THREAD:
|
2023-10-06 07:47:01 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
RtlCopyMemory((UINT64)report_buffer + sizeof(GLOBAL_REPORT_QUEUE_HEADER) +
|
|
|
|
|
total_size,
|
|
|
|
|
report,
|
|
|
|
|
sizeof(HIDDEN_SYSTEM_THREAD_REPORT));
|
2023-10-06 07:47:01 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
total_size += sizeof(HIDDEN_SYSTEM_THREAD_REPORT);
|
|
|
|
|
break;
|
2023-12-29 17:20:32 +01:00
|
|
|
|
|
|
|
|
case REPORT_DPC_STACKWALK:
|
|
|
|
|
|
|
|
|
|
RtlCopyMemory((UINT64)report_buffer + sizeof(GLOBAL_REPORT_QUEUE_HEADER) +
|
|
|
|
|
total_size,
|
|
|
|
|
report,
|
|
|
|
|
sizeof(DPC_STACKWALK_REPORT));
|
|
|
|
|
|
|
|
|
|
total_size += sizeof(DPC_STACKWALK_REPORT);
|
|
|
|
|
break;
|
2024-01-01 17:45:40 +01:00
|
|
|
|
|
|
|
|
case REPORT_DATA_TABLE_ROUTINE:
|
|
|
|
|
|
|
|
|
|
RtlCopyMemory((UINT64)report_buffer + sizeof(GLOBAL_REPORT_QUEUE_HEADER) +
|
|
|
|
|
total_size,
|
|
|
|
|
report,
|
|
|
|
|
sizeof(DATA_TABLE_ROUTINE_REPORT));
|
|
|
|
|
|
|
|
|
|
total_size += sizeof(DATA_TABLE_ROUTINE_REPORT);
|
|
|
|
|
break;
|
2023-12-13 05:06:27 +01:00
|
|
|
}
|
2023-10-06 07:47:01 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
/* QueuePop frees the node, but we still need to free the returned data */
|
2024-01-07 05:13:41 +01:00
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
report = QueuePop(&queue->head);
|
2023-12-13 05:06:27 +01:00
|
|
|
count += 1;
|
|
|
|
|
}
|
2023-09-02 10:54:04 +02:00
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
ImpKeReleaseGuardedMutex(&queue->lock);
|
2023-09-03 19:33:27 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
Irp->IoStatus.Information = sizeof(GLOBAL_REPORT_QUEUE_HEADER) + total_size;
|
2024-01-11 10:16:55 +01:00
|
|
|
header.count = count;
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
RtlCopyMemory(report_buffer, &header, sizeof(GLOBAL_REPORT_QUEUE_HEADER));
|
|
|
|
|
RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,
|
|
|
|
|
report_buffer,
|
|
|
|
|
sizeof(GLOBAL_REPORT_QUEUE_HEADER) + total_size);
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
if (report_buffer)
|
2024-01-07 05:13:41 +01:00
|
|
|
ImpExFreePoolWithTag(report_buffer, REPORT_QUEUE_TEMP_BUFFER_TAG);
|
2023-09-02 10:54:04 +02:00
|
|
|
|
2023-12-23 19:52:55 +01:00
|
|
|
DEBUG_VERBOSE("All reports moved into the IRP, sending to usermode.");
|
2023-12-13 05:06:27 +01:00
|
|
|
return STATUS_SUCCESS;
|
2024-01-14 05:31:19 +01:00
|
|
|
}
|
