MalwareSourceCode/Win32/Proof of Concepts/HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rules.h

88 lines
2.3 KiB
C
Raw Normal View History

2022-04-12 01:00:13 +00:00
/**
* Structures and defines for IOCTL filtering
*/
#define FLT_DEVICE_NAME 1
#define FLT_DRIVER_NAME 2
#define FLT_IOCTL_CODE 3
#define FLT_PROCESS_PATH 4
typedef struct _IOCTL_FILTER
{
LIST_ENTRY List;
ULONG ReferenceCount;
ULONG Type;
UNICODE_STRING usName;
ULONG IoctlCode;
BOOLEAN bDbgcbAction;
char szKdCommand[1];
} IOCTL_FILTER, *PIOCTL_FILTER;
typedef struct _IOCTL_FILTER_SERIALIZED
{
ULONG Type;
ULONG IoctlCode;
ULONG NameLen;
WCHAR Name[];
} IOCTL_FILTER_SERIALIZED,
*PIOCTL_FILTER_SERIALIZED;
PIOCTL_FILTER FltAdd(PIOCTL_FILTER f, PLIST_ENTRY ListEntry, ULONG KdCommandLength);
BOOLEAN FltIsMatchedRequest(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName
);
char *FltGetKdCommand(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName
);
BOOLEAN SaveRules(PLIST_ENTRY ListEntryHead, HANDLE hKey, PUNICODE_STRING usValueName);
BOOLEAN LoadRules(PLIST_ENTRY ListEntryHead, HANDLE hKey, PUNICODE_STRING usValueName);
/**
* Macro defines for allow/deny lists of IOCTL filtering
*/
// #define FltAllowMatch(_drv_, _dev_, _c_, _p_) FltMatch(&f_allow_head, (_drv_), (_dev_), (_c_), (_p_))
//
// #define FltDenyMatch(_drv_, _dev_, _c_, _p_) FltMatch(&f_deny_head, (_drv_), (_dev_), (_c_), (_p_))
//
NTSTATUS FltInitRuleList();
VOID FltUnInitRuleList();
PIOCTL_FILTER FltAddDbgcbRule(PIOCTL_FILTER f, ULONG KdCommandLength);
PIOCTL_FILTER FltAddDenyRule(PIOCTL_FILTER f, ULONG KdCommandLength);
PIOCTL_FILTER FltAddAllowRule(PIOCTL_FILTER f, ULONG KdCommandLength);
void FltFlushAllList();
BOOLEAN FltMatchAllow(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName);
BOOLEAN FltMatchDeny(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName);
BOOLEAN SaveDenyRules(HANDLE hKey, PUNICODE_STRING usValueName);
BOOLEAN SaveAllowRules(HANDLE hKey, PUNICODE_STRING usValueName);
BOOLEAN LoadDenyRules(HANDLE hKey, PUNICODE_STRING usValueName);
BOOLEAN LoadAllowRules(HANDLE hKey, PUNICODE_STRING usValueName);
VOID DeferenceRuleCount(PIOCTL_FILTER Item);