Panoptes 1.0.0
Endpoint Detection and Response
Loading...
Searching...
No Matches
Functions | Variables
pano_filter.cpp File Reference
#include "pano_filter.h"
#include "trace.h"

Go to the source code of this file.

Functions

PWCH GetFileInfo (PFLT_CALLBACK_DATA Data)
 
void MailSlotStatus (PFLT_CALLBACK_DATA Data)
 
void NamedPipeStatus (PFLT_CALLBACK_DATA Data)
 
void FileWriteStatus (PFLT_CALLBACK_DATA Data)
 
void FileReadStatus (PFLT_CALLBACK_DATA Data)
 
void FileCreationStatus (PFLT_CALLBACK_DATA Data)
 
FLT_POSTOP_CALLBACK_STATUS PostOperationCallback (PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags)
 
NTSTATUS PanoptesFilterUnload (_In_ FLT_FILTER_UNLOAD_FLAGS Flags)
 
NTSTATUS FilterInit (PDRIVER_OBJECT *DriverObject)
 

Variables

PFLT_FILTER g_FilterHandle
 
const FLT_OPERATION_REGISTRATION Callbacks []
 
const FLT_REGISTRATION FilterRegistration
 

Function Documentation

◆ FileCreationStatus()

void FileCreationStatus ( PFLT_CALLBACK_DATA  Data)

Definition at line 105 of file pano_filter.cpp.

108{
109 PWCH fileName = GetFileInfo(Data);
110
111 HANDLE sourceProcessId = PsGetCurrentProcessId();
112 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
113 //ULONG createOptions = Data->Iopb->Parameters.Create.Options & 0x00FFFFFF;
114 //ULONG disposition = (Data->Iopb->Parameters.Create.Options >> 24) & 0xFF;
115 //LONG status = Data->IoStatus.Status;
116
117 BOOLEAN completeIfOplocked = (Data->Iopb->Parameters.Create.Options & FILE_COMPLETE_IF_OPLOCKED) != 0;;
118
119 switch (Data->IoStatus.Information) {
120 case FILE_CREATED:
121 Log_FileCreated(sourceProcessId, sourceThreadId, fileName, completeIfOplocked);
122 break;
123 case FILE_OPENED:
124 Log_FileOpen(sourceProcessId, sourceThreadId, fileName, completeIfOplocked);
125 break;
126 case FILE_OVERWRITTEN:
127 Log_FileOverwritten(sourceProcessId, sourceThreadId, fileName);
128 break;
129 case FILE_SUPERSEDED:
130 Log_FileSuperseded(sourceProcessId, sourceThreadId, fileName);
131 break;
132 }
133}
GetFileInfo
PWCH GetFileInfo(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:6
Log_FileOpen
void Log_FileOpen(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, BOOLEAN Oplocked)
Log a file open event.
Definition trace.cpp:111
Log_FileOverwritten
void Log_FileOverwritten(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a file overwrite event.
Definition trace.cpp:125
Log_FileSuperseded
void Log_FileSuperseded(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a file superseded event.
Definition trace.cpp:173
Log_FileCreated
void Log_FileCreated(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, BOOLEAN Oplocked)
Log a file create event.
Definition trace.cpp:97

References GetFileInfo(), Log_FileCreated(), Log_FileOpen(), Log_FileOverwritten(), and Log_FileSuperseded().

Referenced by PostOperationCallback().

◆ FileReadStatus()

void FileReadStatus ( PFLT_CALLBACK_DATA  Data)

Definition at line 83 of file pano_filter.cpp.

86{
87 PWCH fileName = GetFileInfo(Data);
88
89 HANDLE sourceProcessId = PsGetCurrentProcessId();
90 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
91 ULONG readLength = Data->Iopb->Parameters.Read.Length;
92 LARGE_INTEGER fileOffset = Data->Iopb->Parameters.Read.ByteOffset;
93
94 switch (Data->Iopb->MinorFunction)
95 {
96 case IRP_MN_NORMAL:
97 Log_FileRead(sourceProcessId, sourceThreadId, fileName, fileOffset, readLength, FALSE);
98 break;
99 case IRP_MN_COMPRESSED:
100 Log_FileRead(sourceProcessId, sourceThreadId, fileName, fileOffset, readLength, TRUE);
101 break;
102 }
103}
Log_FileRead
void Log_FileRead(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, LARGE_INTEGER FileOffset, ULONG ReadLength, BOOLEAN Compressed)
Log a file read event.
Definition trace.cpp:137

References GetFileInfo(), and Log_FileRead().

Referenced by PostOperationCallback().

◆ FileWriteStatus()

void FileWriteStatus ( PFLT_CALLBACK_DATA  Data)

Definition at line 62 of file pano_filter.cpp.

65{
66 PWCH fileName = GetFileInfo(Data);
67 HANDLE sourceProcessId = PsGetCurrentProcessId();
68 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
69 ULONG writeLength = Data->Iopb->Parameters.Write.Length;
70 LARGE_INTEGER fileOffset = Data->Iopb->Parameters.Write.ByteOffset;
71
72 switch (Data->Iopb->MinorFunction)
73 {
74 case IRP_MN_NORMAL:
75 Log_FileWrite(sourceProcessId, sourceThreadId, fileName, fileOffset, writeLength, FALSE);
76 break;
77 case IRP_MN_COMPRESSED:
78 Log_FileWrite(sourceProcessId, sourceThreadId, fileName, fileOffset, writeLength, TRUE);
79 break;
80 }
81}
Log_FileWrite
void Log_FileWrite(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, LARGE_INTEGER FileOffset, ULONG ReadLength, BOOLEAN Compressed)
Log a file write event.
Definition trace.cpp:155

References GetFileInfo(), and Log_FileWrite().

Referenced by PostOperationCallback().

◆ FilterInit()

NTSTATUS FilterInit ( PDRIVER_OBJECT *  DriverObject)

Definition at line 244 of file pano_filter.cpp.

245{
246 NTSTATUS status = FltRegisterFilter(
247 *DriverObject, //Driver
248 &FilterRegistration, //Registration
249 &g_FilterHandle); //RetFilter
250 if (!NT_SUCCESS(status)) {
251 DbgPrint("Failed FltRegisterFilter\n");
252 switch (status)
253 {
254 case STATUS_INSUFFICIENT_RESOURCES:
255 DbgPrint("STATUS_INSUFFICIENT_RESOURCES\n");
256 break;
257 case STATUS_INVALID_PARAMETER:
258 DbgPrint("STATUS_INVALID_PARAMETER\n");
259 break;
260 case STATUS_FLT_NOT_INITIALIZED:
261 DbgPrint("STATUS_FLT_NOT_INITIALIZED\n");
262 break;
263 case STATUS_OBJECT_NAME_NOT_FOUND:
264 DbgPrint("STATUS_OBJECT_NAME_NOT_FOUND\n");
265 break;
266 default:
267 DbgPrint("UNKNOWN\n");
268 break;
269 }
270 return status;
271 }
272
273 status = FltStartFiltering(g_FilterHandle);
274 if (!NT_SUCCESS(status)) {
275 DbgPrint("Failed FltStartFiltering\n");
276 FltUnregisterFilter(g_FilterHandle);
277 g_FilterHandle = nullptr;
278 return status;
279 }
280
281 return status;
282}
FilterRegistration
const FLT_REGISTRATION FilterRegistration
Definition pano_filter.cpp:228
g_FilterHandle
PFLT_FILTER g_FilterHandle
Definition pano_filter.cpp:4

References FilterRegistration, and g_FilterHandle.

Referenced by DriverEntry().

◆ GetFileInfo()

PWCH GetFileInfo ( PFLT_CALLBACK_DATA  Data)

Definition at line 6 of file pano_filter.cpp.

9{
10 PFLT_FILE_NAME_INFORMATION fileNameInfo = NULL;
11 NTSTATUS status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_FILESYSTEM_ONLY | FLT_FILE_NAME_DO_NOT_CACHE, &fileNameInfo);
12 if (!NT_SUCCESS(status)) {
13 DbgPrint("Error getting file info\n");
14 }
15
16 if (fileNameInfo == NULL) {
17 return Data->Iopb->TargetFileObject->FileName.Buffer;
18 }
19 else {
20 return fileNameInfo->Name.Buffer;
21 }
22}

Referenced by FileCreationStatus(), FileReadStatus(), FileWriteStatus(), MailSlotStatus(), and NamedPipeStatus().

◆ MailSlotStatus()

void MailSlotStatus ( PFLT_CALLBACK_DATA  Data)

Definition at line 24 of file pano_filter.cpp.

27{
28 PWCH fileName = GetFileInfo(Data);
29 HANDLE sourceProcessId = PsGetCurrentProcessId();
30 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
31
32 switch (Data->IoStatus.Information)
33 {
34 case FILE_CREATED:
35 Log_MailSlotCreate(sourceProcessId, sourceThreadId, fileName);
36 break;
37 case FILE_OPENED:
38 Log_MailSlotOpen(sourceProcessId, sourceThreadId, fileName);
39 break;
40 }
41}
Log_MailSlotOpen
void Log_MailSlotOpen(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a mail slot open event.
Definition trace.cpp:44
Log_MailSlotCreate
void Log_MailSlotCreate(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a mail slot create event.
Definition trace.cpp:56

References GetFileInfo(), Log_MailSlotCreate(), and Log_MailSlotOpen().

Referenced by PostOperationCallback().

◆ NamedPipeStatus()

void NamedPipeStatus ( PFLT_CALLBACK_DATA  Data)

Definition at line 43 of file pano_filter.cpp.

46{
47 PWCH fileName = GetFileInfo(Data);
48 HANDLE sourceProcessId = PsGetCurrentProcessId();
49 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
50
51 switch (Data->IoStatus.Information)
52 {
53 case FILE_CREATED:
54 Log_NamedPipeCreate(sourceProcessId, sourceThreadId, fileName);
55 break;
56 case FILE_OPENED:
57 Log_NamedPipeOpen(sourceProcessId, sourceThreadId, fileName);
58 break;
59 }
60}
Log_NamedPipeCreate
void Log_NamedPipeCreate(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a named pipe create event.
Definition trace.cpp:70
Log_NamedPipeOpen
void Log_NamedPipeOpen(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a named pipe open event.
Definition trace.cpp:82

References GetFileInfo(), Log_NamedPipeCreate(), and Log_NamedPipeOpen().

Referenced by PostOperationCallback().

◆ PanoptesFilterUnload()

NTSTATUS PanoptesFilterUnload ( _In_ FLT_FILTER_UNLOAD_FLAGS  Flags)

Definition at line 177 of file pano_filter.cpp.

181{
182 PAGED_CODE();
183 NTSTATUS status;
184 if (Flags == FLTFL_FILTER_UNLOAD_MANDATORY) {
185 FltUnregisterFilter(g_FilterHandle);
186 status = STATUS_SUCCESS;
187 }
188 else {
189 status = STATUS_FLT_DO_NOT_DETACH;
190 }
191 return status;
192}

References g_FilterHandle.

◆ PostOperationCallback()

FLT_POSTOP_CALLBACK_STATUS PostOperationCallback ( PFLT_CALLBACK_DATA  Data,
PCFLT_RELATED_OBJECTS  FltObjects,
PVOID  CompletionContext,
FLT_POST_OPERATION_FLAGS  Flags 
)

Definition at line 135 of file pano_filter.cpp.

141{
142 UNREFERENCED_PARAMETER(FltObjects);
143 UNREFERENCED_PARAMETER(CompletionContext);
144 UNREFERENCED_PARAMETER(Flags);
145
146 switch (Data->Iopb->MajorFunction)
147 {
148 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-read
149 case IRP_MJ_READ:
150 DbgPrint("IRP_MJ_READ\n");
151 FileReadStatus(Data);
152 break;
153 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-create
154 case IRP_MJ_CREATE:
155 DbgPrint("IRP_MJ_CREATE\n");
156 FileCreationStatus(Data);
157 break;
158 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-write
159 case IRP_MJ_WRITE:
160 DbgPrint("IRP_MJ_WRITE\n");
161 FileWriteStatus(Data);
162 break;
163 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-create-named-pipe
164 case IRP_MJ_CREATE_NAMED_PIPE:
165 DbgPrint("IRP_MJ_CREATE_NAMED_PIPE\n");
166 NamedPipeStatus(Data);
167 break;
168 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-create-mailslot
169 case IRP_MJ_CREATE_MAILSLOT:
170 DbgPrint("IRP_MJ_CREATE_MAILSLOT\n");
171 MailSlotStatus(Data);
172 break;
173 }
174 return FLT_POSTOP_FINISHED_PROCESSING;
175}
FileReadStatus
void FileReadStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:83
FileCreationStatus
void FileCreationStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:105
MailSlotStatus
void MailSlotStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:24
NamedPipeStatus
void NamedPipeStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:43
FileWriteStatus
void FileWriteStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:62

References FileCreationStatus(), FileReadStatus(), FileWriteStatus(), MailSlotStatus(), and NamedPipeStatus().

Variable Documentation

◆ Callbacks

const FLT_OPERATION_REGISTRATION Callbacks[]

Definition at line 196 of file pano_filter.cpp.

196 {
197
198 { IRP_MJ_CREATE,
199 0,
200 NULL,
201 PostOperationCallback
202 },
203 {
204 IRP_MJ_READ,
205 0,
206 NULL,
207 PostOperationCallback
208 },
209 { IRP_MJ_WRITE,
210 0,
211 NULL,
212 PostOperationCallback
213 },
214 { IRP_MJ_CREATE_NAMED_PIPE,
215 0,
216 NULL,
217 PostOperationCallback
218 },
219 {
220 IRP_MJ_CREATE_MAILSLOT,
221 0,
222 NULL,
223 PostOperationCallback
224 },
225 { IRP_MJ_OPERATION_END}
226};
PostOperationCallback
FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags)
Definition pano_filter.cpp:135

◆ FilterRegistration

const FLT_REGISTRATION FilterRegistration
Initial value:
= {
sizeof(FLT_REGISTRATION),
FLT_REGISTRATION_VERSION,
0,
NULL,
Callbacks,
PanoptesFilterUnload,
NULL,
NULL,
NULL,
NULL,
NULL
}
PanoptesFilterUnload
NTSTATUS PanoptesFilterUnload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags)
Definition pano_filter.cpp:178
Callbacks
const FLT_OPERATION_REGISTRATION Callbacks[]
Definition pano_filter.cpp:196

Definition at line 228 of file pano_filter.cpp.

228 {
229 sizeof(FLT_REGISTRATION), // Size
230 FLT_REGISTRATION_VERSION, // Version
231 0, // Flags
232 NULL, // Context Registration.
233 Callbacks, // Operation callbacks
234 PanoptesFilterUnload, // FilterUnload
235 NULL, // InstanceSetup
236 NULL, // InstanceQueryTeardown
237 NULL, // InstanceTeardownStart
238 NULL, // InstanceTeardownComplete
239 NULL // GenerateFileName
240};

Referenced by FilterInit().

◆ g_FilterHandle

PFLT_FILTER g_FilterHandle

Definition at line 4 of file pano_filter.cpp.

Referenced by FilterInit(), and PanoptesFilterUnload().

Generated by doxygen 1.9.8