Updates in comments

Author: tandasat

RemoteWriteMonitor/RemoteWriteMonitor/Arch/AMD64/amd64.asm

@@ -1,5 +1,12 @@
+; Copyright (c) 2015, tandasat. All rights reserved.
+; Use of this source code is governed by a MIT-style license that can be
+; found in the LICENSE file.
+
+;
+; This module implements stub functions implementing overwritten part of the
+; hooked function and providing accesses to the those original functionalities.
 ;
-; This module implements the lowest part of hook handlers
+; Those functions are taken from ntoskrnl.exe and used only on x64 build.
 ;
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -24,7 +31,7 @@ jmp_address:
 ENDM
 
 
-
+; NtMapViewOfSection for Windows 8.1 and 7 (both are identical)
 AsmNtMapViewOfSection_Win81_7 PROC
     mov     qword ptr [rsp+10h], rbx
     mov     qword ptr [rsp+18h], rsi
@@ -37,7 +44,7 @@ AsmNtMapViewOfSection_Win81_7End PROC
 AsmNtMapViewOfSection_Win81_7End ENDP
 
 
-; For Win 8.1
+; NtWriteVirtualMemory for Win 8.1
 AsmNtWriteVirtualMemory_Win81 PROC
     sub     rsp, 38h
     mov     rax, [rsp+60h]
@@ -50,7 +57,7 @@ AsmNtWriteVirtualMemory_Win81End PROC
 AsmNtWriteVirtualMemory_Win81End ENDP
 
 
-; For Win 7
+; NtWriteVirtualMemory for Win 7
 AsmNtWriteVirtualMemory_Win7 PROC
     mov     rax, rsp
     mov     qword ptr [rax+8h], rbx
@@ -64,5 +71,4 @@ AsmNtWriteVirtualMemory_Win7End PROC
 AsmNtWriteVirtualMemory_Win7End ENDP
 
 
-
 END

RemoteWriteMonitor/RemoteWriteMonitor/Arch/x86/asm.cpp

@@ -3,7 +3,8 @@
 // found in the LICENSE file.
 
 //
-//
+// This module implements empty functions for Asm functions to allow us to build
+// the code on x86. Those Asm functions are not used on x86.
 //
 #include "stdafx.h"
 #include "../../asm.h"

RemoteWriteMonitor/RemoteWriteMonitor/RemoteWriteMonitor.cpp

@@ -14,8 +14,6 @@
 #include "ssdt.h"
 #include "util.h"
 
-namespace stdexp = std::experimental;
-
 ////////////////////////////////////////////////////////////////////////////////
 //
 // macro utilities
@@ -98,8 +96,8 @@ EXTERN_C static NTSTATUS NTAPI RWMonpNtMapViewOfSection_Hook(
 // variables
 //
 
-static HookInfo g_RWMonpNtMapViewOfSectionInfo = {};
-static HookInfo g_RWMonpNtWriteVirtualMemoryInfo = {};
+static InlineHookInfo g_RWMonpNtMapViewOfSectionInfo = {};
+static InlineHookInfo g_RWMonpNtWriteVirtualMemoryInfo = {};
 
 static NtMapViewOfSectionType g_RWMonpNtMapViewOfSectionOriginal = nullptr;
 static NtWriteVirtualMemoryType g_RWMonpNtWriteVirtualMemoryOriginal = nullptr;
@@ -120,8 +118,8 @@ EXTERN_C NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject,
                               _In_ PUNICODE_STRING RegistryPath) {
   PAGED_CODE();
   UNREFERENCED_PARAMETER(RegistryPath);
-  auto status = STATUS_UNSUCCESSFUL;
 
+  auto status = STATUS_UNSUCCESSFUL;
   DriverObject->DriverUnload = RWMonpDriverUnload;
   DBG_BREAK();
 
@@ -164,6 +162,7 @@ EXTERN_C NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject,
   auto scopedCheckTermination =
       stdexp::make_scope_exit([] { CheckTermination(); });
 
+  // Install hooks
   status = RWMonpInstallHooks();
   if (!NT_SUCCESS(status)) {
     return status;
@@ -176,6 +175,7 @@ EXTERN_C NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject,
   return status;
 }
 
+// Perform version check and fill out global variable based on the version
 ALLOC_TEXT(INIT, RWMonpInitVersionDependentValues)
 EXTERN_C static NTSTATUS RWMonpInitVersionDependentValues() {
   PAGED_CODE();
@@ -335,6 +335,7 @@ EXTERN_C static NTSTATUS RWMonpSleep(_In_ LONG Millisecond) {
   return KeDelayExecutionThread(KernelMode, FALSE, &interval);
 }
 
+// Install hooks 
 ALLOC_TEXT(INIT, RWMonpInstallHooks)
 EXTERN_C static NTSTATUS RWMonpInstallHooks() {
   PAGED_CODE();
@@ -361,6 +362,7 @@ EXTERN_C static NTSTATUS RWMonpInstallHooks() {
   return status;
 }
 
+// Uninstall hooks
 ALLOC_TEXT(PAGED, RWMonpUninstallHooks)
 EXTERN_C static NTSTATUS RWMonpUninstallHooks() {
   PAGED_CODE();
@@ -420,4 +422,4 @@ RWMonpNtWriteVirtualMemory_Hook(_In_ HANDLE ProcessHandle,
     CheckData(ProcessHandle, BaseAddress, Buffer, BytesToWrite);
   }
   return result;
-}
+}

RemoteWriteMonitor/RemoteWriteMonitor/RemoteWriteMonitor.vcxproj.filters

@@ -74,7 +74,7 @@
   </ItemGroup>
   <ItemGroup>
     <MASM Include="Arch\AMD64\amd64.asm">
-      <Filter>Source Files</Filter>
+      <Filter>Source Files\Arch\AMD64</Filter>
     </MASM>
   </ItemGroup>
 </Project>

RemoteWriteMonitor/RemoteWriteMonitor/check.cpp

@@ -3,15 +3,13 @@
 // found in the LICENSE file.
 
 //
-// This module implements an entry point of the driver and initializes other
-// components in this module.
+// This module implements functions for checking if data is written
+// by a remote process and saving it if so.
 //
 #include "stdafx.h"
 #include "check.h"
 #include "log.h"
 
-namespace stdexp = std::experimental;
-
 ////////////////////////////////////////////////////////////////////////////////
 //
 // macro utilities
@@ -28,6 +26,7 @@ static const auto CHECKP_WHITELIST_ARRAY_SIZE = 1000;
 //
 // types
 //
+
 struct SYSTEM_PROCESS_INFORMATION {
   ULONG NextEntryOffset;
   ULONG NumberOfThreads;
@@ -46,6 +45,7 @@ struct SYSTEM_PROCESS_INFORMATION {
 enum SYSTEM_INFORMATION_CLASS {
   SystemProcessInformation = 5,
 };
+
 ////////////////////////////////////////////////////////////////////////////////
 //
 // prototypes
@@ -95,7 +95,7 @@ EXTERN_C static NTSTATUS CheckpWriteFile(_In_ const wchar_t *OutPathW,
 // variables
 //
 
-static wchar_t g_CheckpLogDirecotry[MAX_PATH];
+static wchar_t g_CheckpLogDirecotry[MAX_PATH] = {};
 static HANDLE g_CheckpWhiteListedProcessIDs[CHECKP_WHITELIST_ARRAY_SIZE] = {};
 static BCRYPT_ALG_HANDLE g_CheckpSha1AlgorithmHandle = nullptr;
 
@@ -104,6 +104,7 @@ static BCRYPT_ALG_HANDLE g_CheckpSha1AlgorithmHandle = nullptr;
 // implementations
 //
 
+// Initialize the Check subsystem
 ALLOC_TEXT(INIT, CheckInitialization)
 EXTERN_C NTSTATUS CheckInitialization(_In_ const wchar_t *LogDirectry) {
   PAGED_CODE();
@@ -133,9 +134,11 @@ EXTERN_C NTSTATUS CheckInitialization(_In_ const wchar_t *LogDirectry) {
   return status;
 }
 
+// Terminates the check subsystem
 ALLOC_TEXT(PAGED, CheckTermination)
 EXTERN_C void CheckTermination() {
   PAGED_CODE();
+
   BCryptCloseAlgorithmProvider(g_CheckpSha1AlgorithmHandle, 0);
 }
 
@@ -225,20 +228,19 @@ EXTERN_C bool CheckData(_In_ HANDLE ProcessHandle, _In_ void *RemoteAddress,
       [targetProcess] { ObDereferenceObject(targetProcess); });
 
   // Allocate a memory to copy written data
-  auto data = stdexp::make_unique_resource(
-      ExAllocatePoolWithTag(PagedPool, DataSize, RWMON_POOL_TAG_NAME),
-      [](void *p) { ExFreePoolWithTag(p, RWMON_POOL_TAG_NAME); });
+  auto data = ExAllocatePoolWithTag(PagedPool, DataSize, RWMON_POOL_TAG_NAME);
   if (!data) {
     return false;
   }
+  auto scopedData = stdexp::make_scope_exit(
+      [data]() { ExFreePoolWithTag(data, RWMON_POOL_TAG_NAME); });
 
   // Copy the written data
   auto status = STATUS_SUCCESS;
   if (Contents) {
-    status =
-        CheckpCopyDataFromUserSpace(data.get(), Contents, DataSize, nullptr);
+    status = CheckpCopyDataFromUserSpace(data, Contents, DataSize, nullptr);
   } else {
-    status = CheckpCopyDataFromUserSpace(data.get(), RemoteAddress, DataSize,
+    status = CheckpCopyDataFromUserSpace(data, RemoteAddress, DataSize,
                                          targetProcess);
   }
   if (!NT_SUCCESS(status)) {
@@ -248,7 +250,7 @@ EXTERN_C bool CheckData(_In_ HANDLE ProcessHandle, _In_ void *RemoteAddress,
 
   // Calculate SHA1 of the written data
   UCHAR sha1Hash[20] = {};
-  if (!CheckpGetSha1(sha1Hash, data.get(), DataSize)) {
+  if (!CheckpGetSha1(sha1Hash, data, DataSize)) {
     return false;
   }
   wchar_t sha1HashW[41] = {};
@@ -265,8 +267,8 @@ EXTERN_C bool CheckData(_In_ HANDLE ProcessHandle, _In_ void *RemoteAddress,
     LOG_ERROR_SAFE("RtlStringCchPrintfW failed (%08x)", status);
     return false;
   }
-  status = CheckpWriteFile(outPathW, data.get(), DataSize, GENERIC_WRITE,
-                           FILE_CREATE);
+  status =
+      CheckpWriteFile(outPathW, data, DataSize, GENERIC_WRITE, FILE_CREATE);
   if (!NT_SUCCESS(status) && status != STATUS_OBJECT_NAME_COLLISION) {
     LOG_ERROR_SAFE("WriteFile failed (%08x)", status);
     return false;

RemoteWriteMonitor/RemoteWriteMonitor/check.h

@@ -3,7 +3,8 @@
 // found in the LICENSE file.
 
 //
-//
+// This module declares interfaces to functions for checking if data is written 
+// by a remote process and saving it if so.
 //
 #pragma once
 

RemoteWriteMonitor/RemoteWriteMonitor/inline.cpp

@@ -3,16 +3,13 @@
 // found in the LICENSE file.
 
 //
-// This module implements an entry point of the driver and initializes other
-// components in this module.
+// This module implements inline hook related functions.
 //
 #include "stdafx.h"
 #include "inline.h"
 #include "log.h"
 #include "util.h"
 
-namespace stdexp = std::experimental;
-
 ////////////////////////////////////////////////////////////////////////////////
 //
 // macro utilities
@@ -34,9 +31,6 @@ struct TrampolineCode {
   UCHAR jmp[6];
   FARPROC FunctionAddress;
 };
-static const auto DISPGP_MININUM_EPILOGUE_LENGTH = sizeof(TrampolineCode);
-static_assert(sizeof(TrampolineCode) == DISPGP_MININUM_EPILOGUE_LENGTH,
-              "Size check");
 #include <poppack.h>
 
 ////////////////////////////////////////////////////////////////////////////////
@@ -62,15 +56,13 @@ EXTERN_C static TrampolineCode InlinepMakeTrampolineCode(
 // implementations
 //
 
-// Fill out HookInfo in order to hook the begging of the function. This is not
-// designed to execute original code like what DispgpSetEpilogueHookInfo() does.
+// Fill out a InlineHookInfo struct with given parameters
 ALLOC_TEXT(INIT, InlineInitHookInfo)
 EXTERN_C NTSTATUS
 InlineInitHookInfo(_In_ UCHAR *HookAddress, _In_ FARPROC HookHandler,
                    _In_ FARPROC AsmHandler, _In_ FARPROC AsmHandlerEnd,
-                   _Out_ HookInfo *Info) {
+                   _Out_ InlineHookInfo *Info) {
   PAGED_CODE();
-
   NT_ASSERT(HookHandler);
   NT_ASSERT(AsmHandler);
   NT_ASSERT(AsmHandlerEnd);
@@ -82,7 +74,7 @@ InlineInitHookInfo(_In_ UCHAR *HookAddress, _In_ FARPROC HookHandler,
 
   Info->HookHandler = HookHandler;
   Info->HookAddress = HookAddress;
-  Info->OriginalCodeSize = DISPGP_MININUM_EPILOGUE_LENGTH;
+  Info->OriginalCodeSize = sizeof(TrampolineCode);
   memcpy(Info->OriginalCode, Info->HookAddress, Info->OriginalCodeSize);
 
   auto status = InlinepFixupAsmCode(HookAddress, AsmHandler, AsmHandlerEnd);
@@ -101,10 +93,11 @@ ALLOC_TEXT(PAGED, InlinepMakeTrampolineCode)
 EXTERN_C static TrampolineCode InlinepMakeTrampolineCode(
     _In_ UCHAR *HookAddress, _In_ FARPROC HookHandler) {
   PAGED_CODE();
+  UNREFERENCED_PARAMETER(HookAddress);
+
   //          jmp qword ptr [nextline]
   // nextline:
   //          dq HookHandler
-  UNREFERENCED_PARAMETER(HookAddress);
   return {
       {
           0xff, 0x25, 0x00, 0x00, 0x00, 0x00,
@@ -114,18 +107,18 @@ EXTERN_C static TrampolineCode InlinepMakeTrampolineCode(
 }
 
 // Replaces placeholder (0xffffffffffffffff) in AsmHandler with a given
-// ReturnAddress. AsmHandler does not has to be writable. Race condition between
-// multiple processors should be taken care of by a programmer it exists; this
-// function does not care about it.
+// OriginalRoutine. AsmHandler does not has to be writable. Race condition 
+// between multiple processors should be taken care of by a programmer.
 ALLOC_TEXT(PAGED, InlinepFixupAsmCode)
 EXTERN_C
 NTSTATUS static InlinepFixupAsmCode(_In_ UCHAR *OriginalRoutine,
                                     _In_ FARPROC AsmHandler,
                                     _In_ FARPROC AsmHandlerEnd) {
   PAGED_CODE();
   ASSERT(AsmHandlerEnd > AsmHandler);
-  SIZE_T asmHandlerSize = reinterpret_cast<ULONG_PTR>(AsmHandlerEnd) -
-                          reinterpret_cast<ULONG_PTR>(AsmHandler);
+
+  const auto asmHandlerSize = reinterpret_cast<ULONG_PTR>(AsmHandlerEnd) -
+                              reinterpret_cast<ULONG_PTR>(AsmHandler);
 
   ULONG64 pattern = 0xffffffffffffffff;
   auto addressOfMarker = UtilMemMem(reinterpret_cast<void *>(AsmHandler),
@@ -137,20 +130,29 @@ NTSTATUS static InlinepFixupAsmCode(_In_ UCHAR *OriginalRoutine,
                          sizeof(destinationAddress));
 }
 
-// Install a inline hook (modify code) using HookInfo.
-ALLOC_TEXT(PAGED, InlineInstallHook)
-EXTERN_C NTSTATUS InlineInstallHook(_In_ const HookInfo &Info) {
-  PAGED_CODE();
+// Install a inline hook (modify code) based on InlineHookInfo. It is not 
+// multi-processor safe.
+EXTERN_C NTSTATUS InlineInstallHook(_In_ const InlineHookInfo &Info) {
   LOG_DEBUG("%p => %p", Info.HookAddress, Info.HookHandler);
   auto newCode = InlinepMakeTrampolineCode(Info.HookAddress, Info.HookHandler);
+  
+  KIRQL oldIrql = 0;
+  KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
+  const auto scopedIrql =
+      stdexp::make_scope_exit([oldIrql]() { KeLowerIrql(oldIrql); });
+
   auto status = UtilForceMemCpy(Info.HookAddress, newCode.jmp, sizeof(newCode));
   UtilInvalidateInstructionCache(Info.HookAddress, sizeof(newCode));
   return status;
 }
 
-ALLOC_TEXT(PAGED, InlineUninstallHook)
-EXTERN_C NTSTATUS InlineUninstallHook(_In_ const HookInfo &Info) {
-  PAGED_CODE();
+// Uninstall a inline hook (modify code) based on InlineHookInfo.
+EXTERN_C NTSTATUS InlineUninstallHook(_In_ const InlineHookInfo &Info) {
+  KIRQL oldIrql = 0;
+  KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
+  const auto scopedIrql =
+      stdexp::make_scope_exit([oldIrql]() { KeLowerIrql(oldIrql); });
+
   auto status = UtilForceMemCpy(Info.HookAddress, Info.OriginalCode,
                                 Info.OriginalCodeSize);
   UtilInvalidateInstructionCache(Info.HookAddress, Info.OriginalCodeSize);