Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

284 lines
7.1 KiB

/*++
Copyright (c) 2000 Microsoft Corporation
Module Name:
AddWritePermissionsToDeviceFiles.cpp
Abstract:
Add write permissions for IOCTL_SCSI_PASS_THROUGH under SECUROM.
SecuRom can be debugged under a user-mode debugger but the following must
be done before hitting 'g' after attach:
1. sxi av <- ignore access violations
2. sxi sse <- ignore single step exception
3. sxi ssec <- ignore single step exception continue
4. sxi dz <- ignore divide by zero
It checksums it's executable, so breakpoints in certain places don't work.
Notes:
This is a general purpose shim.
History:
09/03/1999 v-johnwh Created
03/09/2001 linstev Rewrote DeviceIoControl to handle bad buffers and added
debugging comments
--*/
#include "precomp.h"
#include "CharVector.h"
IMPLEMENT_SHIM_BEGIN(AddWritePermissionsToDeviceFiles)
#include "ShimHookMacro.h"
APIHOOK_ENUM_BEGIN
APIHOOK_ENUM_ENTRY(CreateFileA)
APIHOOK_ENUM_ENTRY(DeviceIoControl)
APIHOOK_ENUM_ENTRY(CloseHandle)
APIHOOK_ENUM_END
VectorT<HANDLE> * g_hDevices;
CRITICAL_SECTION g_CriticalSection;
// Is this letter a valid drive letter?
inline BOOL IsDriveLetter(char letter)
{
return (letter != '\0') &&
((letter >= 'a') && (letter <= 'z')) ||
((letter >= 'A') && (letter <= 'Z'));
}
/*++
We need to add write permission to all CD-ROM devices
--*/
HANDLE
APIHOOK(CreateFileA)(
LPCSTR lpFileName,
DWORD dwDesiredAccess,
DWORD dwShareMode,
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
DWORD dwCreationDisposition,
DWORD dwFlagsAndAttributes,
HANDLE hTemplateFile
)
{
// Same behavior as the real CreateFileA
if (lpFileName == NULL) {
return INVALID_HANDLE_VALUE;
}
DWORD dwAccessMode = dwDesiredAccess;
// Look for a device name: \\.\C:
if ((lpFileName[0] == '\\') &&
(lpFileName[1] == '\\') &&
(lpFileName[2] == '.') &&
(lpFileName[3] == '\\') &&
IsDriveLetter(lpFileName[4]) &&
(lpFileName[5] == ':')
) {
//
// This file starts with \\.\ so it must be a device file.
//
if (!(dwAccessMode & GENERIC_WRITE)) {
//
// Make sure this device is a CD-ROM
//
char diskRootName[4];
diskRootName[0] = lpFileName[4];
diskRootName[1] = ':';
diskRootName[2] = '\\';
diskRootName[3] = 0;
DWORD dwDriveType = GetDriveTypeA(diskRootName);
if (DRIVE_CDROM == dwDriveType) {
//
// Add write permissions to give us NT4 behavior for device
// files
//
dwAccessMode |= GENERIC_WRITE;
}
}
}
HANDLE hRet = ORIGINAL_API(CreateFileA)(lpFileName, dwAccessMode,
dwShareMode, lpSecurityAttributes, dwCreationDisposition,
dwFlagsAndAttributes, hTemplateFile);
if ((hRet != INVALID_HANDLE_VALUE) && (dwAccessMode != dwDesiredAccess)) {
//
// Add the handle to our list so we can clean it up later.
//
CAutoCrit autoCrit(&g_CriticalSection);
g_hDevices->Append(hRet);
LOGN( eDbgLevelError, "[CreateFileA] Added GENERIC_WRITE permission on device(%s)", lpFileName);
}
return hRet;
}
/*++
Since we added write permission to CD-ROM devices for IOCTL_SCSI_PASS_THROUGH,
we need to remove the write permission for all other IOCTLs passed to that device.
--*/
BOOL
APIHOOK(DeviceIoControl)(
HANDLE hDevice,
DWORD dwIoControlCode,
LPVOID lpInBuffer,
DWORD nInBufferSize,
LPVOID lpOutBuffer,
DWORD nOutBufferSize,
LPDWORD lpBytesReturned,
LPOVERLAPPED lpOverlapped
)
{
LPVOID lpOut = lpOutBuffer;
if (lpOutBuffer && nOutBufferSize && lpBytesReturned) {
//
// Create a new output buffer, if this fails we just keep the original
// buffer.
//
lpOut = malloc(nOutBufferSize);
if (lpOut) {
MoveMemory(lpOut, lpOutBuffer, nOutBufferSize);
} else {
DPFN( eDbgLevelError, "Out of memory");
lpOut = lpOutBuffer;
}
}
BOOL bRet;
if (IOCTL_SCSI_PASS_THROUGH != dwIoControlCode) {
//
// We don't care about IOCTL_SCSI_PASS_THROUGH
//
EnterCriticalSection(&g_CriticalSection);
int existing = g_hDevices->Find(hDevice);
LeaveCriticalSection(&g_CriticalSection);
if (existing >= 0) {
//
// Check to see if this is a device that we added Write permissions
// If it is, we need to create a handle with only Read permissions
//
HANDLE hDupped;
bRet = DuplicateHandle(GetCurrentProcess(), hDevice,
GetCurrentProcess(), &hDupped, GENERIC_READ, FALSE, 0);
if (bRet) {
//
// Call the IOCTL with the original (Read) permissions
//
bRet = ORIGINAL_API(DeviceIoControl)(hDupped, dwIoControlCode,
lpInBuffer, nInBufferSize, lpOut, nOutBufferSize,
lpBytesReturned, lpOverlapped);
CloseHandle(hDupped);
goto Exit;
}
}
}
bRet = ORIGINAL_API(DeviceIoControl)(hDevice, dwIoControlCode, lpInBuffer,
nInBufferSize, lpOut, nOutBufferSize, lpBytesReturned, lpOverlapped);
Exit:
if (lpOut && (lpOut != lpOutBuffer)) {
//
// Need to copy the output back into the true output buffer
//
if (bRet && lpBytesReturned && *lpBytesReturned) {
__try {
MoveMemory(lpOutBuffer, lpOut, *lpBytesReturned);
} __except(1) {
DPFN( eDbgLevelError, "Failed to copy data into output buffer, perhaps it's read-only");
}
}
free(lpOut);
}
return bRet;
}
/*++
If this handle is in our list, remove it.
--*/
BOOL
APIHOOK(CloseHandle)(
HANDLE hObject
)
{
CAutoCrit autoCrit(&g_CriticalSection);
int index = g_hDevices->Find(hObject);
if (index >= 0) {
g_hDevices->Remove(index);
}
return ORIGINAL_API(CloseHandle)(hObject);
}
/*++
Register hooked functions
--*/
BOOL
NOTIFY_FUNCTION(
DWORD fdwReason)
{
if (fdwReason == DLL_PROCESS_ATTACH) {
g_hDevices = new VectorT<HANDLE>;
if (g_hDevices == NULL)
{
return FALSE;
}
return InitializeCriticalSectionAndSpinCount(&g_CriticalSection, 0x80000000);
}
return TRUE;
}
HOOK_BEGIN
CALL_NOTIFY_FUNCTION
APIHOOK_ENTRY(KERNEL32.DLL, CreateFileA)
APIHOOK_ENTRY(KERNEL32.DLL, DeviceIoControl)
APIHOOK_ENTRY(KERNEL32.DLL, CloseHandle)
HOOK_END
IMPLEMENT_SHIM_END