You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
284 lines
7.1 KiB
284 lines
7.1 KiB
/*++
|
|
|
|
Copyright (c) 2000 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
AddWritePermissionsToDeviceFiles.cpp
|
|
|
|
Abstract:
|
|
|
|
Add write permissions for IOCTL_SCSI_PASS_THROUGH under SECUROM.
|
|
|
|
SecuRom can be debugged under a user-mode debugger but the following must
|
|
be done before hitting 'g' after attach:
|
|
|
|
1. sxi av <- ignore access violations
|
|
2. sxi sse <- ignore single step exception
|
|
3. sxi ssec <- ignore single step exception continue
|
|
4. sxi dz <- ignore divide by zero
|
|
|
|
It checksums it's executable, so breakpoints in certain places don't work.
|
|
|
|
Notes:
|
|
|
|
This is a general purpose shim.
|
|
|
|
History:
|
|
|
|
09/03/1999 v-johnwh Created
|
|
03/09/2001 linstev Rewrote DeviceIoControl to handle bad buffers and added
|
|
debugging comments
|
|
|
|
--*/
|
|
|
|
#include "precomp.h"
|
|
#include "CharVector.h"
|
|
|
|
IMPLEMENT_SHIM_BEGIN(AddWritePermissionsToDeviceFiles)
|
|
#include "ShimHookMacro.h"
|
|
|
|
APIHOOK_ENUM_BEGIN
|
|
APIHOOK_ENUM_ENTRY(CreateFileA)
|
|
APIHOOK_ENUM_ENTRY(DeviceIoControl)
|
|
APIHOOK_ENUM_ENTRY(CloseHandle)
|
|
APIHOOK_ENUM_END
|
|
|
|
VectorT<HANDLE> * g_hDevices;
|
|
|
|
CRITICAL_SECTION g_CriticalSection;
|
|
|
|
|
|
// Is this letter a valid drive letter?
|
|
inline BOOL IsDriveLetter(char letter)
|
|
{
|
|
return (letter != '\0') &&
|
|
((letter >= 'a') && (letter <= 'z')) ||
|
|
((letter >= 'A') && (letter <= 'Z'));
|
|
}
|
|
|
|
/*++
|
|
|
|
We need to add write permission to all CD-ROM devices
|
|
|
|
--*/
|
|
|
|
HANDLE
|
|
APIHOOK(CreateFileA)(
|
|
LPCSTR lpFileName,
|
|
DWORD dwDesiredAccess,
|
|
DWORD dwShareMode,
|
|
LPSECURITY_ATTRIBUTES lpSecurityAttributes,
|
|
DWORD dwCreationDisposition,
|
|
DWORD dwFlagsAndAttributes,
|
|
HANDLE hTemplateFile
|
|
)
|
|
{
|
|
// Same behavior as the real CreateFileA
|
|
if (lpFileName == NULL) {
|
|
return INVALID_HANDLE_VALUE;
|
|
}
|
|
|
|
DWORD dwAccessMode = dwDesiredAccess;
|
|
|
|
// Look for a device name: \\.\C:
|
|
if ((lpFileName[0] == '\\') &&
|
|
(lpFileName[1] == '\\') &&
|
|
(lpFileName[2] == '.') &&
|
|
(lpFileName[3] == '\\') &&
|
|
IsDriveLetter(lpFileName[4]) &&
|
|
(lpFileName[5] == ':')
|
|
) {
|
|
//
|
|
// This file starts with \\.\ so it must be a device file.
|
|
//
|
|
|
|
if (!(dwAccessMode & GENERIC_WRITE)) {
|
|
//
|
|
// Make sure this device is a CD-ROM
|
|
//
|
|
char diskRootName[4];
|
|
diskRootName[0] = lpFileName[4];
|
|
diskRootName[1] = ':';
|
|
diskRootName[2] = '\\';
|
|
diskRootName[3] = 0;
|
|
|
|
DWORD dwDriveType = GetDriveTypeA(diskRootName);
|
|
if (DRIVE_CDROM == dwDriveType) {
|
|
//
|
|
// Add write permissions to give us NT4 behavior for device
|
|
// files
|
|
//
|
|
dwAccessMode |= GENERIC_WRITE;
|
|
}
|
|
}
|
|
}
|
|
|
|
HANDLE hRet = ORIGINAL_API(CreateFileA)(lpFileName, dwAccessMode,
|
|
dwShareMode, lpSecurityAttributes, dwCreationDisposition,
|
|
dwFlagsAndAttributes, hTemplateFile);
|
|
|
|
if ((hRet != INVALID_HANDLE_VALUE) && (dwAccessMode != dwDesiredAccess)) {
|
|
//
|
|
// Add the handle to our list so we can clean it up later.
|
|
//
|
|
CAutoCrit autoCrit(&g_CriticalSection);
|
|
g_hDevices->Append(hRet);
|
|
LOGN( eDbgLevelError, "[CreateFileA] Added GENERIC_WRITE permission on device(%s)", lpFileName);
|
|
}
|
|
|
|
return hRet;
|
|
}
|
|
|
|
/*++
|
|
|
|
Since we added write permission to CD-ROM devices for IOCTL_SCSI_PASS_THROUGH,
|
|
we need to remove the write permission for all other IOCTLs passed to that device.
|
|
|
|
--*/
|
|
|
|
BOOL
|
|
APIHOOK(DeviceIoControl)(
|
|
HANDLE hDevice,
|
|
DWORD dwIoControlCode,
|
|
LPVOID lpInBuffer,
|
|
DWORD nInBufferSize,
|
|
LPVOID lpOutBuffer,
|
|
DWORD nOutBufferSize,
|
|
LPDWORD lpBytesReturned,
|
|
LPOVERLAPPED lpOverlapped
|
|
)
|
|
{
|
|
LPVOID lpOut = lpOutBuffer;
|
|
if (lpOutBuffer && nOutBufferSize && lpBytesReturned) {
|
|
//
|
|
// Create a new output buffer, if this fails we just keep the original
|
|
// buffer.
|
|
//
|
|
|
|
lpOut = malloc(nOutBufferSize);
|
|
if (lpOut) {
|
|
MoveMemory(lpOut, lpOutBuffer, nOutBufferSize);
|
|
} else {
|
|
DPFN( eDbgLevelError, "Out of memory");
|
|
lpOut = lpOutBuffer;
|
|
}
|
|
}
|
|
|
|
BOOL bRet;
|
|
if (IOCTL_SCSI_PASS_THROUGH != dwIoControlCode) {
|
|
//
|
|
// We don't care about IOCTL_SCSI_PASS_THROUGH
|
|
//
|
|
|
|
EnterCriticalSection(&g_CriticalSection);
|
|
int existing = g_hDevices->Find(hDevice);
|
|
LeaveCriticalSection(&g_CriticalSection);
|
|
|
|
if (existing >= 0) {
|
|
//
|
|
// Check to see if this is a device that we added Write permissions
|
|
// If it is, we need to create a handle with only Read permissions
|
|
//
|
|
|
|
HANDLE hDupped;
|
|
|
|
bRet = DuplicateHandle(GetCurrentProcess(), hDevice,
|
|
GetCurrentProcess(), &hDupped, GENERIC_READ, FALSE, 0);
|
|
|
|
if (bRet) {
|
|
//
|
|
// Call the IOCTL with the original (Read) permissions
|
|
//
|
|
bRet = ORIGINAL_API(DeviceIoControl)(hDupped, dwIoControlCode,
|
|
lpInBuffer, nInBufferSize, lpOut, nOutBufferSize,
|
|
lpBytesReturned, lpOverlapped);
|
|
|
|
CloseHandle(hDupped);
|
|
|
|
goto Exit;
|
|
}
|
|
}
|
|
}
|
|
|
|
bRet = ORIGINAL_API(DeviceIoControl)(hDevice, dwIoControlCode, lpInBuffer,
|
|
nInBufferSize, lpOut, nOutBufferSize, lpBytesReturned, lpOverlapped);
|
|
|
|
Exit:
|
|
|
|
if (lpOut && (lpOut != lpOutBuffer)) {
|
|
//
|
|
// Need to copy the output back into the true output buffer
|
|
//
|
|
if (bRet && lpBytesReturned && *lpBytesReturned) {
|
|
__try {
|
|
MoveMemory(lpOutBuffer, lpOut, *lpBytesReturned);
|
|
} __except(1) {
|
|
DPFN( eDbgLevelError, "Failed to copy data into output buffer, perhaps it's read-only");
|
|
}
|
|
}
|
|
|
|
free(lpOut);
|
|
}
|
|
|
|
return bRet;
|
|
|
|
}
|
|
|
|
/*++
|
|
|
|
If this handle is in our list, remove it.
|
|
|
|
--*/
|
|
|
|
BOOL
|
|
APIHOOK(CloseHandle)(
|
|
HANDLE hObject
|
|
)
|
|
{
|
|
CAutoCrit autoCrit(&g_CriticalSection);
|
|
int index = g_hDevices->Find(hObject);
|
|
|
|
if (index >= 0) {
|
|
g_hDevices->Remove(index);
|
|
}
|
|
|
|
return ORIGINAL_API(CloseHandle)(hObject);
|
|
}
|
|
|
|
/*++
|
|
|
|
Register hooked functions
|
|
|
|
--*/
|
|
|
|
BOOL
|
|
NOTIFY_FUNCTION(
|
|
DWORD fdwReason)
|
|
{
|
|
if (fdwReason == DLL_PROCESS_ATTACH) {
|
|
g_hDevices = new VectorT<HANDLE>;
|
|
if (g_hDevices == NULL)
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
return InitializeCriticalSectionAndSpinCount(&g_CriticalSection, 0x80000000);
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
HOOK_BEGIN
|
|
|
|
CALL_NOTIFY_FUNCTION
|
|
|
|
APIHOOK_ENTRY(KERNEL32.DLL, CreateFileA)
|
|
APIHOOK_ENTRY(KERNEL32.DLL, DeviceIoControl)
|
|
APIHOOK_ENTRY(KERNEL32.DLL, CloseHandle)
|
|
|
|
HOOK_END
|
|
|
|
IMPLEMENT_SHIM_END
|
|
|