Author: ion
Date: Thu Jul 27 04:22:36 2006
New Revision: 23303
URL:
http://svn.reactos.org/svn/reactos?rev=23303&view=rev
Log:
- Implement XP-style process name auditing to store the full name of the process in
EPROCESS instead of only the first 16 ascii characters. This is required for one of the
newer Info process classes. Implemented SeInitializeProcessAuditName and
SeLocateProcessImageName.
- Remove #ifed out code in PspCreateProcess which was attempting to create the name
structure. Add code to MmCreateProcessAddressSpace to initialize the audit name after the
16-byte name.
- Implement some helper APIs for better code refactoring.
- TODO: Get rid of PspGetImagePath and wrap around SeLocateProcessImageName instead.
Modified:
trunk/reactos/ntoskrnl/KrnlFun.c
trunk/reactos/ntoskrnl/include/internal/mm.h
trunk/reactos/ntoskrnl/include/internal/ps.h
trunk/reactos/ntoskrnl/include/internal/se.h
trunk/reactos/ntoskrnl/mm/process.c
trunk/reactos/ntoskrnl/mm/section.c
trunk/reactos/ntoskrnl/ps/process.c
trunk/reactos/ntoskrnl/ps/query.c
trunk/reactos/ntoskrnl/se/audit.c
Modified: trunk/reactos/ntoskrnl/KrnlFun.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/KrnlFun.c?rev=233…
==============================================================================
--- trunk/reactos/ntoskrnl/KrnlFun.c (original)
+++ trunk/reactos/ntoskrnl/KrnlFun.c Thu Jul 27 04:22:36 2006
@@ -24,8 +24,6 @@
// - Add support for Fast Dispatch I/O.
//
// Ps:
-// - Fix API to get process image name.
-// - Enabled #ifed out code for Se Process name auditing.
// - Re-enable NtQuery/SetInformation Thread.
// - Generate process cookie for user-more thread.
//
Modified: trunk/reactos/ntoskrnl/include/internal/mm.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/include/internal/…
==============================================================================
--- trunk/reactos/ntoskrnl/include/internal/mm.h (original)
+++ trunk/reactos/ntoskrnl/include/internal/mm.h Thu Jul 27 04:22:36 2006
@@ -620,7 +620,8 @@
STDCALL
MmCreateProcessAddressSpace(
IN PEPROCESS Process,
- IN PROS_SECTION_OBJECT Section OPTIONAL
+ IN PROS_SECTION_OBJECT Section OPTIONAL,
+ IN POBJECT_NAME_INFORMATION *AuditName OPTIONAL
);
NTSTATUS
@@ -1299,6 +1300,12 @@
);
/* section.c *****************************************************************/
+
+PFILE_OBJECT
+NTAPI
+MmGetFileObjectForSection(
+ IN PROS_SECTION_OBJECT Section
+);
PVOID
STDCALL
Modified: trunk/reactos/ntoskrnl/include/internal/ps.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/include/internal/…
==============================================================================
--- trunk/reactos/ntoskrnl/include/internal/ps.h (original)
+++ trunk/reactos/ntoskrnl/include/internal/ps.h Thu Jul 27 04:22:36 2006
@@ -166,6 +166,13 @@
IN ULONG PrioritySeparation
);
+NTSTATUS
+NTAPI
+PsReferenceProcessFilePointer(
+ IN PEPROCESS Process,
+ OUT PFILE_OBJECT *FileObject
+);
+
//
// Security Routines
//
Modified: trunk/reactos/ntoskrnl/include/internal/se.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/include/internal/…
==============================================================================
--- trunk/reactos/ntoskrnl/include/internal/se.h (original)
+++ trunk/reactos/ntoskrnl/include/internal/se.h Thu Jul 27 04:22:36 2006
@@ -131,6 +131,21 @@
NTSTATUS
NTAPI
+SeInitializeProcessAuditName(
+ IN PFILE_OBJECT FileObject,
+ IN BOOLEAN DoAudit,
+ OUT POBJECT_NAME_INFORMATION *AuditInfo
+);
+
+NTSTATUS
+NTAPI
+SeLocateProcessImageName(
+ IN PEPROCESS Process,
+ OUT PUNICODE_STRING *ProcessImageName
+);
+
+NTSTATUS
+NTAPI
SeCreateAccessStateEx(
IN PETHREAD Thread,
IN PEPROCESS Process,
Modified: trunk/reactos/ntoskrnl/mm/process.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/mm/process.c?rev=…
==============================================================================
--- trunk/reactos/ntoskrnl/mm/process.c (original)
+++ trunk/reactos/ntoskrnl/mm/process.c Thu Jul 27 04:22:36 2006
@@ -472,7 +472,8 @@
NTSTATUS
STDCALL
MmCreateProcessAddressSpace(IN PEPROCESS Process,
- IN PROS_SECTION_OBJECT Section OPTIONAL)
+ IN PROS_SECTION_OBJECT Section OPTIONAL,
+ IN POBJECT_NAME_INFORMATION *AuditName OPTIONAL)
{
NTSTATUS Status;
PMADDRESS_SPACE ProcessAddressSpace = (PMADDRESS_SPACE)&Process->VadRoot;
@@ -579,27 +580,37 @@
/* Determine the image file name and save it to EPROCESS */
DPRINT("Getting Image name\n");
FileName = Section->FileObject->FileName;
- szSrc = (PWCHAR)(FileName.Buffer + (FileName.Length / sizeof(WCHAR)) - 1);
-
- while(szSrc >= FileName.Buffer)
- {
- if(*szSrc == L'\\')
+ szSrc = (PWCHAR)(FileName.Buffer + FileName.Length);
+ while (szSrc >= FileName.Buffer)
+ {
+ /* Make sure this isn't a backslash */
+ if (*--szSrc == OBJ_NAME_PATH_SEPARATOR)
{
+ /* If so, stop it here */
szSrc++;
break;
}
else
{
- szSrc--;
+ /* Otherwise, keep going */
lnFName++;
}
}
/* Copy the to the process and truncate it to 15 characters if necessary */
- DPRINT("Copying and truncating\n");
szDest = Process->ImageFileName;
lnFName = min(lnFName, sizeof(Process->ImageFileName) - 1);
- while(lnFName-- > 0) *(szDest++) = (UCHAR)*(szSrc++);
+ while (lnFName--) *szDest++ = (UCHAR)*szSrc++;
+ *szDest = UNICODE_NULL;
+
+ /* Check if caller wants an audit name */
+ if (AuditName)
+ {
+ /* Setup the audit name */
+ SeInitializeProcessAuditName(Section->FileObject,
+ FALSE,
+ AuditName);
+ }
/* Return status to caller */
return Status;
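Review bot: The new start pointer `FileName.Buffer + FileName.Length` lands past the end of the name, because Length is a byte count while the arithmetic is in WCHAR elements (the removed line divided by sizeof(WCHAR)). The backward scan therefore starts in memory beyond the string and counts it into lnFName; the line should read `szSrc = FileName.Buffer + (FileName.Length / sizeof(WCHAR));`. The loop test `szSrc >= FileName.Buffer` combined with `*--szSrc` also reads one element before the buffer when the name contains no separator, and the copy then starts from that element, so the test should be `while (szSrc > FileName.Buffer)`. The NTSTATUS returned by SeInitializeProcessAuditName is discarded, so a failed name query is invisible to the caller; if that is deliberate, a comment such as `/* Best effort: SeLocateProcessImageName retries when the name is still NULL */` would say so. The body of MmCreateProcessAddressSpace starts and ends outside this hunk, so whether Section is checked for NULL before `Section->FileObject` cannot be confirmed from here.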
Modified: trunk/reactos/ntoskrnl/mm/section.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/mm/section.c?rev=…
==============================================================================
--- trunk/reactos/ntoskrnl/mm/section.c (original)
+++ trunk/reactos/ntoskrnl/mm/section.c Thu Jul 27 04:22:36 2006
@@ -94,6 +94,21 @@
};
/* FUNCTIONS *****************************************************************/
+
+PFILE_OBJECT
+NTAPI
+MmGetFileObjectForSection(IN PROS_SECTION_OBJECT Section)
+{
+ PAGED_CODE();
+ ASSERT(Section);
+
+ /* Return the file object */
+ return Section->FileObject; // Section->ControlArea->FileObject on NT
+}
+
+
+
+
/* Note: Mmsp prefix denotes "Memory Manager Section Private". */
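Review bot: MmGetFileObjectForSection returns `Section->FileObject` without taking a reference, and nothing in the hunk tells callers what lifetime they are relying on. A header comment would make the contract explicit, for example `/* Returns the section's file object without referencing it; the caller must keep Section alive and reference the result itself. May be NULL if the section has no backing file (confirm). */`. The NULL case matters because the caller added in ps/query.c passes the result straight to ObReferenceObject.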
Modified: trunk/reactos/ntoskrnl/ps/process.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ps/process.c?rev=…
==============================================================================
--- trunk/reactos/ntoskrnl/ps/process.c (original)
+++ trunk/reactos/ntoskrnl/ps/process.c Thu Jul 27 04:22:36 2006
@@ -593,43 +593,10 @@
/* Create the Process' Address Space */
Status = MmCreateProcessAddressSpace(Process,
- (PROS_SECTION_OBJECT)SectionObject);
+ (PROS_SECTION_OBJECT)SectionObject,
+ &Process->SeAuditProcessCreationInfo.
+ ImageFileName);
if (!NT_SUCCESS(Status)) goto CleanupWithRef;
-
- /* Check for parent again */
-#if 0
- if (!Parent)
- {
- /* Allocate our Audit info */
- Process->SeAuditProcessCreationInfo.ImageFileName =
- ExAllocatePoolWithTag(PagedPool,
- sizeof(SE_AUDIT_PROCESS_CREATION_INFO),
- TAG_SEPA);
- RtlZeroMemory(Process->SeAuditProcessCreationInfo.ImageFileName,
- sizeof(SE_AUDIT_PROCESS_CREATION_INFO));
- }
- else
- {
- /* Allocate our Audit info */
- Process->SeAuditProcessCreationInfo.ImageFileName =
- ExAllocatePoolWithTag(PagedPool,
- sizeof(SE_AUDIT_PROCESS_CREATION_INFO) +
- Parent->SeAuditProcessCreationInfo.
- ImageFileName->Name.MaximumLength,
- TAG_SEPA);
-
- /* Copy from parent */
- RtlCopyMemory(Process->SeAuditProcessCreationInfo.ImageFileName,
- Parent->SeAuditProcessCreationInfo.ImageFileName,
- sizeof(SE_AUDIT_PROCESS_CREATION_INFO) +
- Parent->SeAuditProcessCreationInfo.ImageFileName->
- Name.MaximumLength);
-
- /* Update buffer pointer */
- Process->SeAuditProcessCreationInfo.ImageFileName->Name.Buffer =
- (PVOID)(Process->SeAuditProcessCreationInfo.ImageFileName + 1);
- }
-#endif
/* Check if we have a section object and map the system DLL */
if (SectionObject) PspMapSystemDll(Process, NULL);
Modified: trunk/reactos/ntoskrnl/ps/query.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ps/query.c?rev=23…
==============================================================================
--- trunk/reactos/ntoskrnl/ps/query.c (original)
+++ trunk/reactos/ntoskrnl/ps/query.c Thu Jul 27 04:22:36 2006
@@ -20,6 +20,33 @@
ULONG PspTraceLevel = PS_KILL_DEBUG | PS_REF_DEBUG;
/* PRIVATE FUNCTIONS *********************************************************/
+
+NTSTATUS
+NTAPI
+PsReferenceProcessFilePointer(IN PEPROCESS Process,
+ OUT PFILE_OBJECT *FileObject)
+{
+ PROS_SECTION_OBJECT Section;
+ PAGED_CODE();
+
+ /* Lock the process */
+ ExAcquireRundownProtection(&Process->RundownProtect);
+
+ /* Get the section */
+ Section = (PROS_SECTION_OBJECT)Process->SectionObject;
+ if (Section)
+ {
+ /* Get the file object and reference it */
+ *FileObject = MmGetFileObjectForSection(Section);
+ ObReferenceObject(*FileObject);
+ }
+
+ /* Release the protection */
+ ExReleaseRundownProtection(&Process->RundownProtect);
+
+ /* Return status */
+ return Section ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
+}
/* FIXME:
* This entire API is messed up because:
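Review bot: The return value of ExAcquireRundownProtection is ignored in PsReferenceProcessFilePointer, so when the process is already being run down the code still reads Process->SectionObject and then releases protection it never acquired. The result of MmGetFileObjectForSection is also handed to ObReferenceObject without a NULL check; whether a section can have a NULL FileObject is not visible in this diff, so that guard is precautionary. On the failure path *FileObject is left unwritten, which leaves callers with an uninitialised pointer if they ever skip the status check. A version that fails early and only writes the out parameter on success is sketched below.

```c
    PROS_SECTION_OBJECT Section;
    PFILE_OBJECT File = NULL;
    PAGED_CODE();

    /* Fail if the process is already being run down */
    if (!ExAcquireRundownProtection(&Process->RundownProtect))
    {
        return STATUS_PROCESS_IS_TERMINATING;
    }

    /* Get the section and its file object, if any, and reference it */
    Section = (PROS_SECTION_OBJECT)Process->SectionObject;
    if (Section) File = MmGetFileObjectForSection(Section);
    if (File) ObReferenceObject(File);

    /* Release the protection */
    ExReleaseRundownProtection(&Process->RundownProtect);

    /* Only write the out parameter on success */
    if (!File) return STATUS_UNSUCCESSFUL;
    *FileObject = File;
    return STATUS_SUCCESS;
```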
Modified: trunk/reactos/ntoskrnl/se/audit.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/audit.c?rev=23…
==============================================================================
--- trunk/reactos/ntoskrnl/se/audit.c (original)
+++ trunk/reactos/ntoskrnl/se/audit.c Thu Jul 27 04:22:36 2006
@@ -35,6 +35,149 @@
SeAuditProcessExit(IN PEPROCESS Process)
{
/* FIXME */
+}
+
+NTSTATUS
+NTAPI
+SeInitializeProcessAuditName(IN PFILE_OBJECT FileObject,
+ IN BOOLEAN DoAudit,
+ OUT POBJECT_NAME_INFORMATION *AuditInfo)
+{
+ OBJECT_NAME_INFORMATION LocalNameInfo;
+ POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;
+ ULONG ReturnLength = 8;
+ NTSTATUS Status;
+ PAGED_CODE();
+ ASSERT(AuditInfo);
+
+ /* Check if we should do auditing */
+ if (DoAudit)
+ {
+ /* FIXME: TODO */
+ }
+
+ /* Now query the name */
+ Status = ObQueryNameString(FileObject,
+ &LocalNameInfo,
+ sizeof(LocalNameInfo),
+ &ReturnLength);
+ if (((Status == STATUS_BUFFER_OVERFLOW) ||
+ (Status == STATUS_BUFFER_TOO_SMALL)) &&
+ (ReturnLength != sizeof(LocalNameInfo)))
+ {
+ /* Allocate required size */
+ ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
+ ReturnLength,
+ TAG_SEPA);
+ if (ObjectNameInfo)
+ {
+ /* Query the name again */
+ Status = ObQueryNameString(FileObject,
+ ObjectNameInfo,
+ ReturnLength,
+ &ReturnLength);
+ }
+ }
+
+ /* Check if we got here due to failure */
+ if ((ObjectNameInfo) &&
+ (!(NT_SUCCESS(Status)) || (ReturnLength == sizeof(LocalNameInfo))))
+ {
+ /* First, free any buffer we might've allocated */
+ KEBUGCHECK(0);
+ if (ObjectNameInfo) ExFreePool(ObjectNameInfo);
+
+ /* Now allocate a temporary one */
+ ReturnLength = sizeof(OBJECT_NAME_INFORMATION);
+ ObjectNameInfo = ExAllocatePoolWithTag(NonPagedPool,
+ sizeof(OBJECT_NAME_INFORMATION),
+ TAG_SEPA);
+ if (ObjectNameInfo)
+ {
+ /* Clear it */
+ RtlZeroMemory(ObjectNameInfo, ReturnLength);
+ Status = STATUS_SUCCESS;
+ }
+ }
+
+ /* Check if memory allocation failed */
+ if (!ObjectNameInfo) Status = STATUS_NO_MEMORY;
+
+ /* Return the audit name */
+ *AuditInfo = ObjectNameInfo;
+
+ /* Return status */
+ return Status;
+}
+
+NTSTATUS
+NTAPI
+SeLocateProcessImageName(IN PEPROCESS Process,
+ OUT PUNICODE_STRING *ProcessImageName)
+{
+ POBJECT_NAME_INFORMATION AuditName;
+ PUNICODE_STRING ImageName;
+ PFILE_OBJECT FileObject;
+ NTSTATUS Status = STATUS_SUCCESS;
+ PAGED_CODE();
+
+ /* Assume failure */
+ *ProcessImageName = NULL;
+
+ /* Check if we have audit info */
+ AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;
+ if (!AuditName)
+ {
+ /* Get the file object */
+ Status = PsReferenceProcessFilePointer(Process, &FileObject);
+ if (!NT_SUCCESS(Status)) return Status;
+
+ /* Initialize the audit structure */
+ Status = SeInitializeProcessAuditName(FileObject, TRUE, &AuditName);
+ if (NT_SUCCESS(Status))
+ {
+ /* Set it */
+ if (InterlockedCompareExchangePointer(&Process->
+ SeAuditProcessCreationInfo,
+ AuditName,
+ NULL))
+ {
+ /* Someone beat us to it, deallocate our copy */
+ ExFreePool(AuditName);
+ }
+ }
+
+ /* Dereference the file object */
+ ObDereferenceObject(FileObject);
+ if (!NT_SUCCESS(Status)) return Status;
+ }
+
+ /* Allocate the output string */
+ ImageName = ExAllocatePoolWithTag(NonPagedPool,
+ AuditName->Name.MaximumLength +
+ sizeof(UNICODE_STRING),
+ TAG_SEPA);
+ if (ImageName)
+ {
+ /* Make a copy of it */
+ RtlMoveMemory(ImageName,
+ &AuditName->Name,
+ AuditName->Name.MaximumLength + sizeof(UNICODE_STRING));
+
+ /* Fix up the buffer */
+ ImageName->Buffer = (PWSTR)(ImageName + 1);
+
+ /* Return it */
+ *ProcessImageName = ImageName;
+ }
+ else
+ {
+ /* Otherwise, fail */
+ Status = STATUS_NO_MEMORY;
+ }
+
+ /* Return status */
+ return Status;
}
/* FUNCTIONS ****************************************************************/
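Review bot: In SeLocateProcessImageName, when InterlockedCompareExchangePointer reports that another thread already stored a name, the local copy is freed with ExFreePool(AuditName) but AuditName is still read afterwards for `AuditName->Name.MaximumLength` and as the RtlMoveMemory source, which is a use-after-free on that race. After the free, reload the stored value: `AuditName = Process->SeAuditProcessCreationInfo.ImageFileName;`. In SeInitializeProcessAuditName the `KEBUGCHECK(0);` at the top of the failure branch halts the system before the fallback allocation below it can run, so a failed second ObQueryNameString becomes a bugcheck instead of an empty name; it looks like a debugging leftover and should be removed. That branch is also guarded by `(ObjectNameInfo) &&`, so a first query that fails for any reason other than a short buffer skips the fallback and is reported as STATUS_NO_MEMORY, which is presumably not intended. The RtlMoveMemory copy assumes the name characters directly follow the UNICODE_STRING header in the audit allocation; a comment stating that layout assumption would help the next reader.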