|
|
/*++
Copyright (c) Microsoft Corporation. All rights reserved.
Module Name:
WindowsFileProtection.cpp
Abstract:
This AppVerifier shim hooks the file I/O APIs that could potentially change a file under Windows File Protection.
When one of the files is accessed or modified, an event is written to the log.
Notes:
This is a general purpose shim.
History:
06/25/2001 rparsons Created
11/26/2001 rparsons Remove unused local variables. Make SHFileOperation more efficent.
--*/
#include "precomp.h"
#include "rtlutils.h"
#include "sfc.h"
IMPLEMENT_SHIM_BEGIN(WindowsFileProtection)#include "ShimHookMacro.h"
//
// verifier log entries
//
BEGIN_DEFINE_VERIFIER_LOG(WindowFileProtection) VERIFIER_LOG_ENTRY(VLOG_WFP_COPYFILE) VERIFIER_LOG_ENTRY(VLOG_WFP_MOVEFILE) VERIFIER_LOG_ENTRY(VLOG_WFP_DELETEFILE) VERIFIER_LOG_ENTRY(VLOG_WFP_REPLACEFILE) VERIFIER_LOG_ENTRY(VLOG_WFP_WRITEFILE) VERIFIER_LOG_ENTRY(VLOG_WFP_OPENFILE) VERIFIER_LOG_ENTRY(VLOG_WFP_SHFILEOP)END_DEFINE_VERIFIER_LOG(WindowFileProtection)
INIT_VERIFIER_LOG(WindowFileProtection);
APIHOOK_ENUM_BEGIN
APIHOOK_ENUM_ENTRY(CreateFileA) APIHOOK_ENUM_ENTRY(CreateFileW) APIHOOK_ENUM_ENTRY(OpenFile)
APIHOOK_ENUM_ENTRY(CopyFileA) APIHOOK_ENUM_ENTRY(CopyFileW) APIHOOK_ENUM_ENTRY(CopyFileExA) APIHOOK_ENUM_ENTRY(CopyFileExW) APIHOOK_ENUM_ENTRY(DeleteFileA) APIHOOK_ENUM_ENTRY(DeleteFileW) APIHOOK_ENUM_ENTRY(MoveFileA) APIHOOK_ENUM_ENTRY(MoveFileW) APIHOOK_ENUM_ENTRY(MoveFileExA) APIHOOK_ENUM_ENTRY(MoveFileExW) APIHOOK_ENUM_ENTRY(MoveFileWithProgressA) APIHOOK_ENUM_ENTRY(MoveFileWithProgressW) APIHOOK_ENUM_ENTRY(ReplaceFileA) APIHOOK_ENUM_ENTRY(ReplaceFileW) APIHOOK_ENUM_ENTRY(SHFileOperationA) APIHOOK_ENUM_ENTRY(SHFileOperationW)
APIHOOK_ENUM_ENTRY(_lcreat) APIHOOK_ENUM_ENTRY(_lopen)
APIHOOK_ENUM_ENTRY(NtCreateFile) APIHOOK_ENUM_ENTRY(NtOpenFile)
APIHOOK_ENUM_END
/*++
ANSI wrapper for SfcIsFileProtected.
--*/BOOLIsFileProtected( LPCSTR pszFileName ){ LPWSTR pwszWideFileName = NULL; int nLen; BOOL bReturn = FALSE;
//
// Convert from ANSI to Unicode.
//
nLen = lstrlenA(pszFileName) + 1;
if (nLen) {
pwszWideFileName = (LPWSTR)RtlAllocateHeap(RtlProcessHeap(), HEAP_ZERO_MEMORY, nLen * sizeof(WCHAR));
if (!pwszWideFileName) { DPFN(eDbgLevelError, "[IsFileProtected] Failed to allocate memory"); return FALSE; }
if (!MultiByteToWideChar(CP_ACP, 0, pszFileName, -1, pwszWideFileName, nLen)) { DPFN(eDbgLevelError, "[IsFileProtected] ANSI -> Unicode failed"); goto cleanup; }
bReturn = SfcIsFileProtected(NULL, pwszWideFileName); }
cleanup:
if (pwszWideFileName) { RtlFreeHeap(RtlProcessHeap(), 0, pwszWideFileName); }
return bReturn;}
/*++
Wraps SfcIsFileProtected for NT path names.
--*/BOOLIsNtFileProtected( IN PUNICODE_STRING pstrNtFileName ){ NTSTATUS status; RTL_UNICODE_STRING_BUFFER DosPath; BOOL fReturn = FALSE; UCHAR DosPathBuffer[MAX_PATH * 2];
if (!pstrNtFileName) { DPFN(eDbgLevelError, "[IsNtFileProtected] Invalid parameter"); return FALSE; }
//
// Convert from an NT path to a DOS path.
//
RtlInitUnicodeStringBuffer(&DosPath, DosPathBuffer, sizeof(DosPathBuffer));
status = ShimAssignUnicodeStringBuffer(&DosPath, pstrNtFileName);
if (!NT_SUCCESS(status)) { DPFN(eDbgLevelError, "[IsNtFileProtected] Failed to initialize DOS path buffer"); return fReturn; }
status = ShimNtPathNameToDosPathName(0, &DosPath, NULL, NULL);
if (!NT_SUCCESS(status)) { DPFN(eDbgLevelError, "[IsNtFileProtected] Failed to convert NT \"%ls\" to DOS path", pstrNtFileName->Buffer); goto cleanup; }
//
// Now check for a protected file.
//
if (SfcIsFileProtected(NULL, DosPath.String.Buffer)) { fReturn = TRUE; }
cleanup:
RtlFreeUnicodeStringBuffer(&DosPath);
return fReturn;}
BOOLAPIHOOK(CopyFileA)( LPCSTR lpExistingFileName, LPCSTR lpNewFileName, BOOL bFailIfExists ){ //
// Ensure that the destination is not protected.
//
if (!bFailIfExists && IsFileProtected(lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_COPYFILE, "API: CopyFileA Filename: %s", lpNewFileName); }
return ORIGINAL_API(CopyFileA)(lpExistingFileName, lpNewFileName, bFailIfExists);}
BOOLAPIHOOK(CopyFileW)( LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, BOOL bFailIfExists ){ //
// Ensure that the destination is not protected.
//
if (!bFailIfExists && SfcIsFileProtected(NULL, lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_COPYFILE, "API: CopyFileW Filename: %ls", lpNewFileName); }
return ORIGINAL_API(CopyFileW)(lpExistingFileName, lpNewFileName, bFailIfExists);}
BOOLAPIHOOK(CopyFileExA)( LPCSTR lpExistingFileName, LPCSTR lpNewFileName, LPPROGRESS_ROUTINE lpProgressRoutine, LPVOID lpData, LPBOOL pbCancel, DWORD dwCopyFlags ){ //
// Ensure that the destination is not protected.
//
if (!(dwCopyFlags & COPY_FILE_FAIL_IF_EXISTS) && IsFileProtected(lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_COPYFILE, "API: CopyFileExA Filename: %s", lpNewFileName); }
return ORIGINAL_API(CopyFileExA)(lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, pbCancel, dwCopyFlags);
}
BOOLAPIHOOK(CopyFileExW)( LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, LPPROGRESS_ROUTINE lpProgressRoutine, LPVOID lpData, LPBOOL pbCancel, DWORD dwCopyFlags ){ //
// Ensure that the destination is not protected.
//
if (!(dwCopyFlags & COPY_FILE_FAIL_IF_EXISTS) && SfcIsFileProtected(NULL, lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_COPYFILE, "API: CopyFileExW Filename: %ls", lpNewFileName); }
return ORIGINAL_API(CopyFileExW)(lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, pbCancel, dwCopyFlags);
}
BOOLAPIHOOK(DeleteFileA)( LPCSTR lpFileName ){ if (IsFileProtected(lpFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_DELETEFILE, "API: DeleteFileA Filename: %s", lpFileName); }
return ORIGINAL_API(DeleteFileA)(lpFileName);}
BOOLAPIHOOK(DeleteFileW)( LPCWSTR lpFileName ){ if (SfcIsFileProtected(NULL, lpFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_DELETEFILE, "API: DeleteFileW Filename: %ls", lpFileName); }
return ORIGINAL_API(DeleteFileW)(lpFileName);}
BOOLAPIHOOK(MoveFileA)( LPCSTR lpExistingFileName, LPCSTR lpNewFileName ){ //
// Ensure that the source or destination is not protected.
//
if (IsFileProtected(lpExistingFileName) || IsFileProtected(lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_MOVEFILE, "API: MoveFileA Filename: %s Filename: %s", lpExistingFileName, lpNewFileName); }
return ORIGINAL_API(MoveFileA)(lpExistingFileName, lpNewFileName);}
BOOLAPIHOOK(MoveFileW)( LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName ){ //
// Ensure that the source or destination is not protected.
//
if (SfcIsFileProtected(NULL, lpExistingFileName) || SfcIsFileProtected(NULL, lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_MOVEFILE, "API: MoveFileW Filename: %ls Filename: %ls", lpExistingFileName, lpNewFileName); }
return ORIGINAL_API(MoveFileW)(lpExistingFileName, lpNewFileName);}
BOOLAPIHOOK(MoveFileExA)( LPCSTR lpExistingFileName, LPCSTR lpNewFileName, DWORD dwFlags ){ //
// Ensure that the source or destination is not protected.
//
if (IsFileProtected(lpExistingFileName) || IsFileProtected(lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_MOVEFILE, "API: MoveFileExA Filename: %s Filename: %s", lpExistingFileName, lpNewFileName); }
return ORIGINAL_API(MoveFileExA)(lpExistingFileName, lpNewFileName, dwFlags);}
BOOLAPIHOOK(MoveFileExW)( LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, DWORD dwFlags ){ //
// Ensure that the source or destination is not protected.
//
if (SfcIsFileProtected(NULL, lpExistingFileName) || SfcIsFileProtected(NULL, lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_MOVEFILE, "API: MoveFileExW Filename: %ls Filename: %ls", lpExistingFileName, lpNewFileName); }
return ORIGINAL_API(MoveFileExW)(lpExistingFileName, lpNewFileName, dwFlags);}
BOOLAPIHOOK(MoveFileWithProgressA)( LPCSTR lpExistingFileName, LPCSTR lpNewFileName, LPPROGRESS_ROUTINE lpProgressRoutine, LPVOID lpData, DWORD dwFlags ){ //
// Ensure that the source or destination is not protected.
//
if (IsFileProtected(lpExistingFileName) || IsFileProtected(lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_MOVEFILE, "API: MoveFileWithProgressA Filename: %s Filename: %s", lpExistingFileName, lpNewFileName); }
return ORIGINAL_API(MoveFileWithProgressA)(lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, dwFlags);}
BOOLAPIHOOK(MoveFileWithProgressW)( LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, LPPROGRESS_ROUTINE lpProgressRoutine, LPVOID lpData, DWORD dwFlags ){ //
// Ensure that the source or destination is not protected.
//
if (SfcIsFileProtected(NULL, lpExistingFileName) || SfcIsFileProtected(NULL, lpNewFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_MOVEFILE, "API: MoveFileWithProgressW Filename: %ls Filename: %ls", lpExistingFileName, lpNewFileName); }
return ORIGINAL_API(MoveFileWithProgressW)(lpExistingFileName, lpNewFileName, lpProgressRoutine, lpData, dwFlags);}
BOOLAPIHOOK(ReplaceFileA)( LPCSTR lpReplacedFileName, LPCSTR lpReplacementFileName, LPCSTR lpBackupFileName, DWORD dwReplaceFlags, LPVOID lpExclude, LPVOID lpReserved ){ //
// Ensure that the destination is not protected.
//
if (IsFileProtected(lpReplacedFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_REPLACEFILE, "API: ReplaceFileA Filename: %s", lpReplacedFileName); }
return ORIGINAL_API(ReplaceFileA)(lpReplacedFileName, lpReplacementFileName, lpBackupFileName, dwReplaceFlags, lpExclude, lpReserved);
}
BOOLAPIHOOK(ReplaceFileW)( LPCWSTR lpReplacedFileName, LPCWSTR lpReplacementFileName, LPCWSTR lpBackupFileName, DWORD dwReplaceFlags, LPVOID lpExclude, LPVOID lpReserved ){ //
// Ensure that the destination is not protected.
//
if (SfcIsFileProtected(NULL, lpReplacedFileName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_REPLACEFILE, "API: ReplaceFileW Filename: %ls", lpReplacedFileName); }
return ORIGINAL_API(ReplaceFileW)(lpReplacedFileName, lpReplacementFileName, lpBackupFileName, dwReplaceFlags, lpExclude, lpReserved);
}
voidReportProtectedFileA( LPCSTR pszFilePath ){ UINT uSize = 0;
if (pszFilePath) { while (TRUE) { if (IsFileProtected(pszFilePath)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_SHFILEOP, "API: SHFileOperationA Filename: %s", pszFilePath); }
uSize = lstrlenA(pszFilePath) + 1; pszFilePath += uSize;
if (*pszFilePath == '\0') { break; } } }}
voidReportProtectedFileW( LPCWSTR pwszFilePath ){ UINT uSize = 0;
if (pwszFilePath) { while (TRUE) { if (SfcIsFileProtected(NULL, pwszFilePath)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_SHFILEOP, "API: SHFileOperationW Filename: %ls", pwszFilePath); }
uSize = lstrlenW(pwszFilePath) + 1; pwszFilePath += uSize;
if (*pwszFilePath == '\0') { break; } } }}
intAPIHOOK(SHFileOperationA)( LPSHFILEOPSTRUCTA lpFileOp ){ //
// If they're going to rename files on collision, don't bother.
//
if (!(lpFileOp->fFlags & FOF_RENAMEONCOLLISION)) { ReportProtectedFileA(lpFileOp->pFrom); ReportProtectedFileA(lpFileOp->pTo); }
return ORIGINAL_API(SHFileOperationA)(lpFileOp);}
intAPIHOOK(SHFileOperationW)( LPSHFILEOPSTRUCTW lpFileOp ){ //
// If they're going to rename files on collision, don't bother.
//
if (!(lpFileOp->fFlags & FOF_RENAMEONCOLLISION)) { ReportProtectedFileW(lpFileOp->pFrom); ReportProtectedFileW(lpFileOp->pTo); }
return ORIGINAL_API(SHFileOperationW)(lpFileOp);}
HANDLEAPIHOOK(CreateFileA)( LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile ){ if (IsFileProtected(lpFileName) && (dwDesiredAccess & GENERIC_WRITE || dwDesiredAccess & GENERIC_READ)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_OPENFILE, "API: CreateFileA Filename: %s", lpFileName); }
return ORIGINAL_API(CreateFileA)(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);}
HANDLEAPIHOOK(CreateFileW)( LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile ){ if (SfcIsFileProtected(NULL, lpFileName) && (dwDesiredAccess & GENERIC_WRITE || dwDesiredAccess & GENERIC_READ)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_OPENFILE, "API: CreateFileW Filename: %ls", lpFileName); }
return ORIGINAL_API(CreateFileW)(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);}
HFILEAPIHOOK(OpenFile)( LPCSTR lpFileName, LPOFSTRUCT lpReOpenBuff, UINT uStyle ){ if (IsFileProtected(lpFileName) && (uStyle & OF_READWRITE || uStyle & OF_CREATE || uStyle & OF_DELETE)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_OPENFILE, "API: OpenFile Filename: %s", lpFileName); }
return ORIGINAL_API(OpenFile)(lpFileName, lpReOpenBuff, uStyle);}
HFILEAPIHOOK(_lopen)( LPCSTR lpPathName, int iReadWrite ){ if (IsFileProtected(lpPathName) && (iReadWrite & OF_READWRITE || iReadWrite & OF_WRITE)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_OPENFILE, "API: _lopen Filename: %s", lpPathName); }
return ORIGINAL_API(_lopen)(lpPathName, iReadWrite);}
HFILEAPIHOOK(_lcreat)( LPCSTR lpPathName, int iAttribute ){ if (IsFileProtected(lpPathName) && iAttribute != 1) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_OPENFILE, "API: _lcreat Filename: %s", lpPathName); }
return ORIGINAL_API(_lcreat)(lpPathName, iAttribute);
}
NTSTATUSAPIHOOK(NtCreateFile)( PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength ){ if (IsNtFileProtected(ObjectAttributes->ObjectName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_OPENFILE, "API: NtCreateFile Filename: %ls", ObjectAttributes->ObjectName->Buffer); }
return ORIGINAL_API(NtCreateFile)(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}
NTSTATUSAPIHOOK(NtOpenFile)( PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions ){ if (IsNtFileProtected(ObjectAttributes->ObjectName)) { VLOG(VLOG_LEVEL_ERROR, VLOG_WFP_OPENFILE, "API: NtOpenFile Filename: %ls", ObjectAttributes->ObjectName->Buffer); }
return ORIGINAL_API(NtOpenFile)(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions);
}
SHIM_INFO_BEGIN()
SHIM_INFO_DESCRIPTION(AVS_WINFILEPROTECT_DESC) SHIM_INFO_FRIENDLY_NAME(AVS_WINFILEPROTECT_FRIENDLY) SHIM_INFO_VERSION(1, 5) SHIM_INFO_FLAGS(AVRF_FLAG_EXTERNAL_ONLY) SHIM_INFO_INCLUDE_EXCLUDE("E:rpcrt4.dll kernel32.dll")
SHIM_INFO_END()
/*++
Register hooked functions.
--*/HOOK_BEGIN
DUMP_VERIFIER_LOG_ENTRY(VLOG_WFP_COPYFILE, AVS_WFP_COPYFILE, AVS_WFP_GENERAL_R, AVS_WFP_GENERAL_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_WFP_MOVEFILE, AVS_WFP_MOVEFILE, AVS_WFP_GENERAL_R, AVS_WFP_GENERAL_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_WFP_DELETEFILE, AVS_WFP_DELETEFILE, AVS_WFP_GENERAL_R, AVS_WFP_GENERAL_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_WFP_REPLACEFILE, AVS_WFP_REPLACEFILE, AVS_WFP_GENERAL_R, AVS_WFP_GENERAL_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_WFP_WRITEFILE, AVS_WFP_WRITEFILE, AVS_WFP_GENERAL_R, AVS_WFP_GENERAL_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_WFP_OPENFILE, AVS_WFP_OPENFILE, AVS_WFP_GENERAL_R, AVS_WFP_GENERAL_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_WFP_SHFILEOP, AVS_WFP_SHFILEOP, AVS_WFP_GENERAL_R, AVS_WFP_GENERAL_URL)
APIHOOK_ENTRY(KERNEL32.DLL, CreateFileA) APIHOOK_ENTRY(KERNEL32.DLL, CreateFileW) APIHOOK_ENTRY(KERNEL32.DLL, OpenFile)
APIHOOK_ENTRY(KERNEL32.DLL, CopyFileA) APIHOOK_ENTRY(KERNEL32.DLL, CopyFileW) APIHOOK_ENTRY(KERNEL32.DLL, CopyFileExA) APIHOOK_ENTRY(KERNEL32.DLL, CopyFileExW)
APIHOOK_ENTRY(KERNEL32.DLL, DeleteFileA) APIHOOK_ENTRY(KERNEL32.DLL, DeleteFileW)
APIHOOK_ENTRY(KERNEL32.DLL, MoveFileA) APIHOOK_ENTRY(KERNEL32.DLL, MoveFileW) APIHOOK_ENTRY(KERNEL32.DLL, MoveFileExA) APIHOOK_ENTRY(KERNEL32.DLL, MoveFileExW) APIHOOK_ENTRY(KERNEL32.DLL, MoveFileWithProgressA) APIHOOK_ENTRY(KERNEL32.DLL, MoveFileWithProgressW)
APIHOOK_ENTRY(KERNEL32.DLL, ReplaceFileA) APIHOOK_ENTRY(KERNEL32.DLL, ReplaceFileW)
APIHOOK_ENTRY(SHELL32.DLL, SHFileOperationA) APIHOOK_ENTRY(SHELL32.DLL, SHFileOperationW)
// 16-bit compatibility file routines.
APIHOOK_ENTRY(KERNEL32.DLL, _lopen) APIHOOK_ENTRY(KERNEL32.DLL, _lcreat)
APIHOOK_ENTRY(NTDLL.DLL, NtCreateFile) APIHOOK_ENTRY(NTDLL.DLL, NtOpenFile)
HOOK_END
IMPLEMENT_SHIM_END
|
