Skip to content

Commit

Permalink
Block IOCTL_KS_PROPERTY
Browse files Browse the repository at this point in the history
  • Loading branch information
@m417z
m417z committed Aug 25, 2018
1 parent 379cfc2 commit 2393219
Show file tree
Hide file tree
Showing 2 changed files with 104 additions and 0 deletions.
103 changes: 103 additions & 0 deletions filter.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,9 @@ Module Name:
#include "filter.h"


#define BLOCK_IOCTL_KS_PROPERTY 1


#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, DriverEntry)
#pragma alloc_text (PAGE, FilterEvtDeviceAdd)
Expand Down Expand Up @@ -169,6 +172,11 @@ Return Value:
}
#endif // DBG

//
// Register the EvtIoInCallerContext callback to deal with IOCTLs that need to stay in original context.
//
WdfDeviceInitSetIoInCallerContextCallback(DeviceInit, FilterEvtIoInCallerContext);

//
// Specify the size of device extension where we track per device
// context.
Expand Down Expand Up @@ -405,6 +413,101 @@ FilterEvtIrpPreprocess(

#endif // DBG

VOID
FilterEvtIoInCallerContext(
IN WDFDEVICE Device,
IN WDFREQUEST Request
)
{
#if BLOCK_IOCTL_KS_PROPERTY
size_t inBufLen, outBufLen;
PVOID inBuf, outBuf;
WDFMEMORY InputMemoryBuffer, OutputMemoryBuffer;
PKSIDENTIFIER pKSIdent;
PKSSTATE pKSState;
#endif // BLOCK_IOCTL_KS_PROPERTY

WDF_REQUEST_PARAMETERS params;
NTSTATUS status = STATUS_SUCCESS;

WDF_REQUEST_PARAMETERS_INIT(&params);
WdfRequestGetParameters(Request, &params);

#if BLOCK_IOCTL_KS_PROPERTY
if (params.Type == WdfRequestTypeDeviceControl &&
params.Parameters.DeviceIoControl.IoControlCode == IOCTL_KS_PROPERTY) {
//
// The I/O control code is METHOD_NEITHER.
// First, retrieve the virtual addresses of
// the input buffer.
//
status = WdfRequestRetrieveUnsafeUserInputBuffer(Request, sizeof(KSIDENTIFIER), &inBuf, &inBufLen);
if (!NT_SUCCESS(status)) {
goto Error;
}

//
// Next, probe and lock the read buffer.
//
status = WdfRequestProbeAndLockUserBufferForRead(Request, inBuf, inBufLen, &InputMemoryBuffer);
if (!NT_SUCCESS(status)) {
goto Error;
}

pKSIdent = WdfMemoryGetBuffer(InputMemoryBuffer, NULL);

if (IsEqualGUID(&pKSIdent->Set, &GUID_PROPSETID_Connection)) {
if (pKSIdent->Id == KSPROPERTY_CONNECTION_STATE) {
if (pKSIdent->Flags & KSPROPERTY_TYPE_SET) {
status = WdfRequestRetrieveUnsafeUserOutputBuffer(Request, sizeof(KSSTATE), &outBuf, &outBufLen);
if(!NT_SUCCESS(status)) {
goto Error;
}

//
// Note: even though it's an output buffer,
// we're going to read from it, that's how
// IOCTL_KS_PROPERTY works.
//
status = WdfRequestProbeAndLockUserBufferForRead(Request, outBuf, outBufLen, &OutputMemoryBuffer);
if(!NT_SUCCESS(status)) {
goto Error;
}

pKSState = WdfMemoryGetBuffer(OutputMemoryBuffer, NULL);

switch(*pKSState) {
case KSSTATE_ACQUIRE:
status = STATUS_INSUFFICIENT_RESOURCES;
break;

case KSSTATE_RUN:
status = STATUS_ACCESS_DENIED;
break;
}
}
}
}

if (!NT_SUCCESS(status)) {
goto Error;
}
}
#endif // BLOCK_IOCTL_KS_PROPERTY

status = WdfDeviceEnqueueRequest(Device, Request);
if (!NT_SUCCESS(status)) {
KdPrint(("[webcam-interception] WdfDeviceEnqueueRequest failed: %s\n", status));
goto Error;
}

return;

Error:

WdfRequestComplete(Request, status);
}

VOID
FilterEvtIoDeviceControl(
IN WDFQUEUE Queue,
Expand Down
1 change: 1 addition & 0 deletions filter.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(FILTER_EXTENSION,
DRIVER_INITIALIZE DriverEntry;
EVT_WDF_DRIVER_DEVICE_ADD FilterEvtDeviceAdd;
EVT_WDFDEVICE_WDM_IRP_PREPROCESS FilterEvtIrpPreprocess;
EVT_WDF_IO_IN_CALLER_CONTEXT FilterEvtIoInCallerContext;
EVT_WDF_IO_QUEUE_IO_DEVICE_CONTROL FilterEvtIoDeviceControl;

VOID
Expand Down

0 comments on commit 2393219

Please sign in to comment.