Panoptes 1.0.0
Endpoint Detection and Response
Loading...
Searching...
No Matches
pano_filter.cpp
Go to the documentation of this file.
1#include "pano_filter.h"
2#include "trace.h"
3
4PFLT_FILTER g_FilterHandle;
5
6PWCH GetFileInfo(
7 PFLT_CALLBACK_DATA Data
8)
9{
10 PFLT_FILE_NAME_INFORMATION fileNameInfo = NULL;
11 NTSTATUS status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_FILESYSTEM_ONLY | FLT_FILE_NAME_DO_NOT_CACHE, &fileNameInfo);
12 if (!NT_SUCCESS(status)) {
13 DbgPrint("Error getting file info\n");
14 }
15
16 if (fileNameInfo == NULL) {
17 return Data->Iopb->TargetFileObject->FileName.Buffer;
18 }
19 else {
20 return fileNameInfo->Name.Buffer;
21 }
22}
23
24void MailSlotStatus(
25 PFLT_CALLBACK_DATA Data
26)
27{
28 PWCH fileName = GetFileInfo(Data);
29 HANDLE sourceProcessId = PsGetCurrentProcessId();
30 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
31
32 switch (Data->IoStatus.Information)
33 {
34 case FILE_CREATED:
35 Log_MailSlotCreate(sourceProcessId, sourceThreadId, fileName);
36 break;
37 case FILE_OPENED:
38 Log_MailSlotOpen(sourceProcessId, sourceThreadId, fileName);
39 break;
40 }
41}
42
43void NamedPipeStatus(
44 PFLT_CALLBACK_DATA Data
45)
46{
47 PWCH fileName = GetFileInfo(Data);
48 HANDLE sourceProcessId = PsGetCurrentProcessId();
49 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
50
51 switch (Data->IoStatus.Information)
52 {
53 case FILE_CREATED:
54 Log_NamedPipeCreate(sourceProcessId, sourceThreadId, fileName);
55 break;
56 case FILE_OPENED:
57 Log_NamedPipeOpen(sourceProcessId, sourceThreadId, fileName);
58 break;
59 }
60}
61
62void FileWriteStatus(
63 PFLT_CALLBACK_DATA Data
64)
65{
66 PWCH fileName = GetFileInfo(Data);
67 HANDLE sourceProcessId = PsGetCurrentProcessId();
68 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
69 ULONG writeLength = Data->Iopb->Parameters.Write.Length;
70 LARGE_INTEGER fileOffset = Data->Iopb->Parameters.Write.ByteOffset;
71
72 switch (Data->Iopb->MinorFunction)
73 {
74 case IRP_MN_NORMAL:
75 Log_FileWrite(sourceProcessId, sourceThreadId, fileName, fileOffset, writeLength, FALSE);
76 break;
77 case IRP_MN_COMPRESSED:
78 Log_FileWrite(sourceProcessId, sourceThreadId, fileName, fileOffset, writeLength, TRUE);
79 break;
80 }
81}
82
83void FileReadStatus(
84 PFLT_CALLBACK_DATA Data
85)
86{
87 PWCH fileName = GetFileInfo(Data);
88
89 HANDLE sourceProcessId = PsGetCurrentProcessId();
90 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
91 ULONG readLength = Data->Iopb->Parameters.Read.Length;
92 LARGE_INTEGER fileOffset = Data->Iopb->Parameters.Read.ByteOffset;
93
94 switch (Data->Iopb->MinorFunction)
95 {
96 case IRP_MN_NORMAL:
97 Log_FileRead(sourceProcessId, sourceThreadId, fileName, fileOffset, readLength, FALSE);
98 break;
99 case IRP_MN_COMPRESSED:
100 Log_FileRead(sourceProcessId, sourceThreadId, fileName, fileOffset, readLength, TRUE);
101 break;
102 }
103}
104
105void FileCreationStatus(
106 PFLT_CALLBACK_DATA Data
107)
108{
109 PWCH fileName = GetFileInfo(Data);
110
111 HANDLE sourceProcessId = PsGetCurrentProcessId();
112 HANDLE sourceThreadId = PsGetThreadId(Data->Thread);
113 //ULONG createOptions = Data->Iopb->Parameters.Create.Options & 0x00FFFFFF;
114 //ULONG disposition = (Data->Iopb->Parameters.Create.Options >> 24) & 0xFF;
115 //LONG status = Data->IoStatus.Status;
116
117 BOOLEAN completeIfOplocked = (Data->Iopb->Parameters.Create.Options & FILE_COMPLETE_IF_OPLOCKED) != 0;;
118
119 switch (Data->IoStatus.Information) {
120 case FILE_CREATED:
121 Log_FileCreated(sourceProcessId, sourceThreadId, fileName, completeIfOplocked);
122 break;
123 case FILE_OPENED:
124 Log_FileOpen(sourceProcessId, sourceThreadId, fileName, completeIfOplocked);
125 break;
126 case FILE_OVERWRITTEN:
127 Log_FileOverwritten(sourceProcessId, sourceThreadId, fileName);
128 break;
129 case FILE_SUPERSEDED:
130 Log_FileSuperseded(sourceProcessId, sourceThreadId, fileName);
131 break;
132 }
133}
134
135FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(
136 PFLT_CALLBACK_DATA Data,
137 PCFLT_RELATED_OBJECTS FltObjects,
138 PVOID CompletionContext,
139 FLT_POST_OPERATION_FLAGS Flags
140)
141{
142 UNREFERENCED_PARAMETER(FltObjects);
143 UNREFERENCED_PARAMETER(CompletionContext);
144 UNREFERENCED_PARAMETER(Flags);
145
146 switch (Data->Iopb->MajorFunction)
147 {
148 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-read
149 case IRP_MJ_READ:
150 DbgPrint("IRP_MJ_READ\n");
151 FileReadStatus(Data);
152 break;
153 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-create
154 case IRP_MJ_CREATE:
155 DbgPrint("IRP_MJ_CREATE\n");
156 FileCreationStatus(Data);
157 break;
158 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-write
159 case IRP_MJ_WRITE:
160 DbgPrint("IRP_MJ_WRITE\n");
161 FileWriteStatus(Data);
162 break;
163 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-create-named-pipe
164 case IRP_MJ_CREATE_NAMED_PIPE:
165 DbgPrint("IRP_MJ_CREATE_NAMED_PIPE\n");
166 NamedPipeStatus(Data);
167 break;
168 //https://learn.microsoft.com/en-us/previous-versions/windows/drivers/ifs/irp-mj-create-mailslot
169 case IRP_MJ_CREATE_MAILSLOT:
170 DbgPrint("IRP_MJ_CREATE_MAILSLOT\n");
171 MailSlotStatus(Data);
172 break;
173 }
174 return FLT_POSTOP_FINISHED_PROCESSING;
175}
176
177NTSTATUS PanoptesFilterUnload
178(
179 _In_ FLT_FILTER_UNLOAD_FLAGS Flags
180)
181{
182 PAGED_CODE();
183 NTSTATUS status;
184 if (Flags == FLTFL_FILTER_UNLOAD_MANDATORY) {
185 FltUnregisterFilter(g_FilterHandle);
186 status = STATUS_SUCCESS;
187 }
188 else {
189 status = STATUS_FLT_DO_NOT_DETACH;
190 }
191 return status;
192}
193
194#pragma region FilterRegistration
195
196const FLT_OPERATION_REGISTRATION Callbacks[] = {
197
198 { IRP_MJ_CREATE,
199 0,
200 NULL,
201 PostOperationCallback
202 },
203 {
204 IRP_MJ_READ,
205 0,
206 NULL,
207 PostOperationCallback
208 },
209 { IRP_MJ_WRITE,
210 0,
211 NULL,
212 PostOperationCallback
213 },
214 { IRP_MJ_CREATE_NAMED_PIPE,
215 0,
216 NULL,
217 PostOperationCallback
218 },
219 {
220 IRP_MJ_CREATE_MAILSLOT,
221 0,
222 NULL,
223 PostOperationCallback
224 },
225 { IRP_MJ_OPERATION_END}
226};
227
228const FLT_REGISTRATION FilterRegistration = {
229 sizeof(FLT_REGISTRATION), // Size
230 FLT_REGISTRATION_VERSION, // Version
231 0, // Flags
232 NULL, // Context Registration.
233 Callbacks, // Operation callbacks
234 PanoptesFilterUnload, // FilterUnload
235 NULL, // InstanceSetup
236 NULL, // InstanceQueryTeardown
237 NULL, // InstanceTeardownStart
238 NULL, // InstanceTeardownComplete
239 NULL // GenerateFileName
240};
241
242#pragma endregion
243
244NTSTATUS FilterInit(PDRIVER_OBJECT* DriverObject)
245{
246 NTSTATUS status = FltRegisterFilter(
247 *DriverObject, //Driver
248 &FilterRegistration, //Registration
249 &g_FilterHandle); //RetFilter
250 if (!NT_SUCCESS(status)) {
251 DbgPrint("Failed FltRegisterFilter\n");
252 switch (status)
253 {
254 case STATUS_INSUFFICIENT_RESOURCES:
255 DbgPrint("STATUS_INSUFFICIENT_RESOURCES\n");
256 break;
257 case STATUS_INVALID_PARAMETER:
258 DbgPrint("STATUS_INVALID_PARAMETER\n");
259 break;
260 case STATUS_FLT_NOT_INITIALIZED:
261 DbgPrint("STATUS_FLT_NOT_INITIALIZED\n");
262 break;
263 case STATUS_OBJECT_NAME_NOT_FOUND:
264 DbgPrint("STATUS_OBJECT_NAME_NOT_FOUND\n");
265 break;
266 default:
267 DbgPrint("UNKNOWN\n");
268 break;
269 }
270 return status;
271 }
272
273 status = FltStartFiltering(g_FilterHandle);
274 if (!NT_SUCCESS(status)) {
275 DbgPrint("Failed FltStartFiltering\n");
276 FltUnregisterFilter(g_FilterHandle);
277 g_FilterHandle = nullptr;
278 return status;
279 }
280
281 return status;
282}
FileReadStatus
void FileReadStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:83
GetFileInfo
PWCH GetFileInfo(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:6
FileCreationStatus
void FileCreationStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:105
FilterRegistration
const FLT_REGISTRATION FilterRegistration
Definition pano_filter.cpp:228
g_FilterHandle
PFLT_FILTER g_FilterHandle
Definition pano_filter.cpp:4
PanoptesFilterUnload
NTSTATUS PanoptesFilterUnload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags)
Definition pano_filter.cpp:178
MailSlotStatus
void MailSlotStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:24
NamedPipeStatus
void NamedPipeStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:43
Callbacks
const FLT_OPERATION_REGISTRATION Callbacks[]
Definition pano_filter.cpp:196
FileWriteStatus
void FileWriteStatus(PFLT_CALLBACK_DATA Data)
Definition pano_filter.cpp:62
PostOperationCallback
FLT_POSTOP_CALLBACK_STATUS PostOperationCallback(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID CompletionContext, FLT_POST_OPERATION_FLAGS Flags)
Definition pano_filter.cpp:135
FilterInit
NTSTATUS FilterInit(PDRIVER_OBJECT *DriverObject)
Definition pano_filter.cpp:244
pano_filter.h
Log_FileOpen
void Log_FileOpen(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, BOOLEAN Oplocked)
Log a file open event.
Definition trace.cpp:111
Log_NamedPipeCreate
void Log_NamedPipeCreate(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a named pipe create event.
Definition trace.cpp:70
Log_NamedPipeOpen
void Log_NamedPipeOpen(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a named pipe open event.
Definition trace.cpp:82
Log_FileOverwritten
void Log_FileOverwritten(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a file overwrite event.
Definition trace.cpp:125
Log_FileSuperseded
void Log_FileSuperseded(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a file superseded event.
Definition trace.cpp:173
Log_FileRead
void Log_FileRead(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, LARGE_INTEGER FileOffset, ULONG ReadLength, BOOLEAN Compressed)
Log a file read event.
Definition trace.cpp:137
Log_MailSlotOpen
void Log_MailSlotOpen(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a mail slot open event.
Definition trace.cpp:44
Log_MailSlotCreate
void Log_MailSlotCreate(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName)
Log a mail slot create event.
Definition trace.cpp:56
Log_FileWrite
void Log_FileWrite(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, LARGE_INTEGER FileOffset, ULONG ReadLength, BOOLEAN Compressed)
Log a file write event.
Definition trace.cpp:155
Log_FileCreated
void Log_FileCreated(HANDLE ProcessId, HANDLE ThreadId, PWCH FileName, BOOLEAN Oplocked)
Log a file create event.
Definition trace.cpp:97
Generated by doxygen 1.9.8