Port LogSyscallsPlugin to driver
Stephen Eckels committed Nov 21, 2023
1 parent e7e45ab commit 95fa194
Showing 21 changed files with 6,845 additions and 29 deletions.
Expand Up @@ -96,6 +96,7 @@
<LanguageStandard>stdcpp20</LanguageStandard>
<PreprocessorDefinitions>KERNEL_MODE;_WIN64;_AMD64_;AMD64;ENABLE_LOG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>false</SDLCheck>
<LanguageStandard_C>stdc17</LanguageStandard_C>
</ClCompile>
<Link>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
Expand All @@ -114,6 +115,7 @@
<LanguageStandard>stdcpp20</LanguageStandard>
<PreprocessorDefinitions>KERNEL_MODE;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>false</SDLCheck>
<LanguageStandard_C>stdc17</LanguageStandard_C>
</ClCompile>
<Link>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
Expand All @@ -135,7 +137,7 @@
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="FileDeleteRecordPluginDriver.cpp" />
<ClCompile Include="main.cpp" />
<ClCompile Include="Interface.cpp" />
</ItemGroup>
<ItemGroup>
Expand Up @@ -19,7 +19,7 @@
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="FileDeleteRecordPluginDriver.cpp">
<ClCompile Include="main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="Interface.cpp">
Expand Up @@ -5,8 +5,6 @@

#include "utils.h"

const unsigned long PLUGIN_POOL_TAG = 'LEDS';

#pragma warning(disable: 6011)
PluginApis g_Apis;

Expand Down Expand Up @@ -74,7 +72,7 @@ OBJECT_NAME_INFORMATION* getFilePathFromHandle(HANDLE hFile) {
NTSTATUS status = ZwQueryObject(hFile, (OBJECT_INFORMATION_CLASS)1 /*ObjectNameInformation*/, pObjectName, 0, &dwSize);
if (dwSize)
{
pObjectName = (OBJECT_NAME_INFORMATION*)ExAllocatePoolWithTag(NonPagedPoolNx, dwSize, PLUGIN_POOL_TAG);
pObjectName = (OBJECT_NAME_INFORMATION*)ExAllocatePoolWithTag(NonPagedPoolNx, dwSize, POOL_TAG);
if (pObjectName) {
status = ZwQueryObject(hFile, (OBJECT_INFORMATION_CLASS)1 /*ObjectNameInformation*/, pObjectName, dwSize, &dwSize);
}
Expand All @@ -85,7 +83,7 @@ OBJECT_NAME_INFORMATION* getFilePathFromHandle(HANDLE hFile) {
}

if (pObjectName) {
ExFreePoolWithTag(pObjectName, PLUGIN_POOL_TAG);
ExFreePoolWithTag(pObjectName, POOL_TAG);
pObjectName = nullptr;
}
return nullptr;
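Review bot: The changed allocation still goes through `ExAllocatePoolWithTag`, which hands back uninitialized non-paged pool that is passed straight to `ZwQueryObject`; if that second query fills only part of the buffer, whatever later reads `pObjectName` beyond the returned length sees stale kernel bytes. Since this line is already being edited, `pObjectName = (OBJECT_NAME_INFORMATION*)ExAllocatePool2(POOL_FLAG_NON_PAGED, dwSize, POOL_TAG);` zero-initializes the block and keeps the NX behaviour of `NonPagedPoolNx` on WDKs that ship it; where it is not available, an `RtlZeroMemory(pObjectName, dwSize);` inside the `if (pObjectName)` branch is the minimal fix. The matching `ExFreePoolWithTag(pObjectName, POOL_TAG)` in the second hunk works unchanged with either allocator. `getFilePathFromHandle` starts and ends outside these hunks.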
46 changes: 25 additions & 21 deletions C/FileDeleteRecordPluginDriver/utils.h
Expand Up @@ -17,19 +17,6 @@
const unsigned long POOL_TAG = '0RTS';
const wchar_t* backup_directory = L"\\??\\C:\\deleted";

template<typename T, typename... Args>
int string_printf(String& str, T printer, Args&&... args) {
char tmp[512] = { 0 };

int size = printer(tmp, sizeof(tmp), std::forward<Args>(args)...);
if (size < 0) {
return -1;
}

str += (char*)tmp;
return size;
}

using hash_t = uint64_t;

consteval uint64_t fnv1a_imp(uint64_t h, const char* s)
Expand All @@ -50,6 +37,21 @@ consteval uint64_t get_type_id() {
return fnv1a(__FUNCSIG__);
}

// given a typedef, match the arg list and convert each arg to a typeid. Store results in an array.
template<typename T>
struct arg_types {};

template<typename R, typename... A>
struct arg_types<R(*)(A...)> {
static constexpr std::array<uint64_t, sizeof...(A)> value = { get_type_id<A>()... };
};

// msvc doesn't implement a constructor for std::span from iterators. This does that...
template<typename It>
consteval auto make_span(It begin, It end) {
return std::span<std::remove_reference_t<std::iter_reference_t<It>>>(&(*begin), std::distance(begin, end));
}

template<typename Func>
class FinalAction {
public:
Expand Down Expand Up @@ -82,14 +84,16 @@ T FnCast(void* fnToCast, T pFnCastTo) {
return (T)fnToCast;
}

// analog of dtrace_copyin. Given a pointer to a usermode structure, safely read that structure in.
// Dtrace returns a pointer to that result. We can be slightly nicer and give a copy of the value exactly.
//template<typename T, typename T2 = uint64_t>
//std::remove_pointer_t<T> readUserArg(T2 pUserAddress, PluginApis pApis) {
// std::remove_pointer_t<T> tmp = { 0 };
// pApis.pTraceAccessMemory(&tmp, (uint64_t)pUserAddress, sizeof(tmp), 1, TRUE);
// return tmp;
//}
template<typename T, typename T2 = uint64_t>
std::remove_pointer_t<T> readUserArgPtr(T2 pUserAddress, PluginApis& pApis) {
std::remove_pointer_t<T> tmp = { 0 };

// if this read fails we just return the type's default value. This is fine.
if (!pApis.pTraceAccessMemory(&tmp, (uint64_t)pUserAddress, sizeof(tmp), 1, TRUE)) {
return std::remove_pointer_t<T>{ 0 }; // return a new value, the other may have been partially written
}
return tmp;
}

bool createFile(PUNICODE_STRING filePath, PHANDLE hFileOut) {
*hFileOut = NULL;
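Review bot: `make_span` computes its data pointer as `&(*begin)`, which dereferences the iterator and is undefined behaviour for an empty range (`begin == end`, where `*begin` is past-the-end). The project already compiles as C++20, so `std::to_address(begin)` (from `<memory>`) yields the same pointer without a dereference: `return std::span<std::remove_reference_t<std::iter_reference_t<It>>>(std::to_address(begin), static_cast<std::size_t>(std::distance(begin, end)));`. Separately, `readUserArgPtr` returns a zero-initialized value when `pApis.pTraceAccessMemory` reports failure, so a caller cannot distinguish a failed copy-in of user memory from a structure that is legitimately all zeros and may log or act on data that was never read; returning `std::optional<std::remove_pointer_t<T>>` (or taking a `bool&` success flag) would make the failure visible, and the comment `// if this read fails we just return the type's default value. This is fine.` should then say what the caller is expected to do with it. The C-style `(uint64_t)pUserAddress` cast would also be clearer as a named cast chosen for `T2`, but that is cosmetic.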
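--- /dev/null
+++ b/C/LogSyscallsPluginDriver/Constants.h
@@ -0,0 +1,10 @@
+#pragma once
+
+#define DRIVER_POOL_TAG ' xtS'
+#define DRIVER_NAME_WITH_EXT L"strace.sys"
+#define NT_DEVICE_NAME L"\\Device\\STrace"
+#define DOS_DEVICES_LINK_NAME L"\\DosDevices\\STrace"
+#define DEVICE_SDDL L"D:P(A;;GA;;;SY)(A;;GA;;;BA)"
+
+#define IOCTL_LOADDLL CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 0), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
+#define IOCTL_UNLOADDLL CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 1), METHOD_BUFFERED, FILE_SPECIAL_ACCESS)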
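Review bot: `IOCTL_LOADDLL` and `IOCTL_UNLOADDLL` are defined with `FILE_SPECIAL_ACCESS`, which expands to `FILE_ANY_ACCESS`, so the I/O manager performs no handle-access check and any caller that can open the device can issue them; the only gate is `DEVICE_SDDL`, which admits SYSTEM and Administrators. Loading code into the driver (as the names suggest; the handler is not in this commit view) is a write-class operation, so requesting `FILE_READ_ACCESS | FILE_WRITE_ACCESS` in the `CTL_CODE` adds a second, independent check against handles opened with less access and costs nothing for the intended callers: `#define IOCTL_LOADDLL CTL_CODE (FILE_DEVICE_UNKNOWN, (0x800 + 0), METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)` and likewise for `IOCTL_UNLOADDLL`. A one-line comment above `DEVICE_SDDL` noting that it is the primary access control for these IOCTLs would also help the next maintainer who considers loosening it.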
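--- /dev/null
+++ b/C/LogSyscallsPluginDriver/Interface.cpp
@@ -0,0 +1,25 @@
+#include "Interface.h"
+
+UNICODE_STRING WideToUnicodeString(PCWSTR SourceString)
+{
+UNICODE_STRING DestinationString;
+
+SIZE_T Size;
+CONST SIZE_T MaxSize = (MAXUSHORT & ~1) - sizeof(UNICODE_NULL); // an even number
+
+if (SourceString)
+{
+Size = wcslen(SourceString) * sizeof(WCHAR);
+if (Size > MaxSize)
+Size = MaxSize;
+DestinationString.Length = (USHORT)Size;
+DestinationString.MaximumLength = (USHORT)Size + sizeof(UNICODE_NULL);
+}
+else {
+DestinationString.Length = 0;
+DestinationString.MaximumLength = 0;
+}
+
+DestinationString.Buffer = (PWCHAR)SourceString;
+return DestinationString;
+}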
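Review bot: `WideToUnicodeString` returns a `UNICODE_STRING` whose `Buffer` aliases `SourceString` with its const-ness cast away (`(PWCHAR)SourceString`), but nothing documents that the result is a non-owning view: the caller must keep `SourceString` alive for as long as the returned struct is used and must not hand it to a routine that writes into `Buffer`. A header comment such as `// Non-owning view: Buffer aliases SourceString (const dropped); SourceString must outlive the result and must not be modified through it. Length is capped at MaxSize, so over-long input is silently truncated.` would state both contracts. The silent clamp of `Size` to `MaxSize` deserves that mention because a truncated device or path name denotes a different object than the one the caller supplied. The body also closely mirrors what `RtlInitUnicodeString` does, including the truncation; if this translation unit can link against it, the library routine is the simpler and better-audited choice.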
