#ifndef __PROTECT_H__
#define __PROTECT_H__
#ifndef RTL_USE_AVL_TABLES
#define RTL_USE_AVL_TABLES
#endif // !RTL_USE_AVL_TABLES
#include <fltKernel.h>
#include <ntstrsafe.h>
#include <minwindef.h>
#include <wdf.h>
#include "ptEtw.h"
#include "registry.h"
#include "process.h"
#include "file.h"
/*************************************************************************
Globals
*************************************************************************/
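//
// Capacity of each whitelist table in PROTECT_GLOBAL_DATA. All three tables
// share it; the matching Config*Size counter holds the number of slots in use
// and must be checked against this bound before any slot is written.
//
#define PROTECT_MAX_WHITELIST_ENTRIES 128

//
// Driver-wide state shared by the minifilter, registry and process callbacks.
// One instance is expected (see Globals below); field ownership and the
// locking discipline are not visible in this header — see the notes per field.
//
typedef struct _PROTECT_GLOBAL_DATA
{
    //
    // Driver object, used for writing event logs.
    //
    PDRIVER_OBJECT DriverObject;

    //
    // Reg path, used to monitor for config updates.
    //
    PUNICODE_STRING RegistryPath;

    //
    // WDF Driver Object, used for registry management.
    //
    WDFDRIVER WdfDriver;

    //
    // Keep track of how many events we've recorded.
    // NOTE(review): if this is bumped from more than one callback context it
    // needs an interlocked increment — confirm at the call sites.
    //
    LONGLONG EventIdCounter;

    //
    // Mini Filter filter handle.
    //
    PFLT_FILTER Filter;

    //
    // Registry cookie to track our RegNotify registration; presumably the
    // value needed to unregister the callback at unload.
    //
    LARGE_INTEGER RegCookie;

    //
    // Reg Altitude
    //
    ULONG RegAlt;

    //
    // Config Whitelisted Directory
    // Pointer table; who allocates and frees the UNICODE_STRINGs is not shown
    // here. ConfigDirSize counts the populated leading slots.
    //
    PUNICODE_STRING ConfigWhiteListedDirectory[PROTECT_MAX_WHITELIST_ENTRIES];
    ULONG ConfigDirSize;

    //
    // Config Whitelisted Processes
    // Same layout/ownership caveat as the directory table.
    //
    PUNICODE_STRING ConfigWhitelistedProcesses[PROTECT_MAX_WHITELIST_ENTRIES];
    ULONG ConfigProcessSize;

    //
    // Config Whitelisted Registry
    // Same layout/ownership caveat as the directory table.
    //
    PUNICODE_STRING ConfigWhitelistedRegistry[PROTECT_MAX_WHITELIST_ENTRIES];
    ULONG ConfigRegSize;

    //
    // Config Enforced
    // Are we enforcing blocking processes? When FALSE the driver presumably
    // only records events without blocking — confirm against the callbacks.
    //
    BOOLEAN Enforced;
} PROTECT_GLOBAL_DATA, *PPROTECT_GLOBAL_DATA;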
//
// The single driver-wide instance.
// NOTE(review): this is a definition rather than an `extern` declaration, so
// every translation unit that includes protect.h defines its own Globals. That
// may link on toolchains that merge tentative definitions, but it is a
// multiple-definition error elsewhere; the usual fix is `extern` here plus one
// definition in the driver's .c file.
//
PROTECT_GLOBAL_DATA Globals;
/*************************************************************************
Driver Registration Function Prototypes
*************************************************************************/
//
// Role-type declaration so static analysis checks DriverEntry against the
// DRIVER_INITIALIZE contract.
//
DRIVER_INITIALIZE DriverEntry;

//
// Driver entry point.
//   DriverObject - the driver object supplied by the I/O manager.
//   RegistryPath - the driver's service key path.
// Returns an NTSTATUS; a failure status means the driver is not loaded.
//
NTSTATUS
DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
);

//
// Driver unload routine.
//   DriverObject - the driver object being unloaded.
//
VOID
PtUnload(
_In_ PDRIVER_OBJECT DriverObject
);

//
// Minifilter unload callback.
//   Flags - unload flags from Filter Manager; marked as unused here.
// Returns an NTSTATUS; what is torn down on success is not shown in this header.
//
NTSTATUS
PtMFUnload(
_Unreferenced_parameter_ FLT_FILTER_UNLOAD_FLAGS Flags
);

//
// Initialises the Globals block.
//   RegistryPath - passed by value: the UNICODE_STRING header is copied but
//                  its Buffer still aliases the caller's string.
// Returns an NTSTATUS.
//
NTSTATUS
InitGlobal(
_In_ UNICODE_STRING RegistryPath
);
/*************************************************************************
Native API (Zw*) Function Prototypes
*************************************************************************/
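//
// Native API routine exported by ntoskrnl, declared here in case the included
// WDK headers do not surface it. The declaration has to match the exported
// signature exactly, hence NTAPI: on x86 the export is stdcall, and a
// declaration without it resolves to a differently decorated symbol.
//
//   ProcessHandle            - handle to the process to query.
//   ProcessInformationClass  - which information block is requested.
//   ProcessInformation       - caller-owned buffer of ProcessInformationLength
//                              bytes; only valid after a success status.
//   ProcessInformationLength - size in bytes of ProcessInformation.
//   ReturnLength             - optional; receives the size required/written.
// Returns an NTSTATUS. Callers should check it (and ReturnLength when given)
// before reading the buffer.
//
NTSTATUS
NTAPI
ZwQueryInformationProcess(
    _In_ HANDLE ProcessHandle,
    _In_ PROCESSINFOCLASS ProcessInformationClass,
    _Out_writes_bytes_(ProcessInformationLength) PVOID ProcessInformation,
    _In_ ULONG ProcessInformationLength,
    _Out_opt_ PULONG ReturnLength
    );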
#endif // !__PROTECT_H__