General stabality improvements (#3)
see CHANGELOG
sn99 authored Dec 19, 2022
1 parent 2107b6b commit 9414821
Showing 10 changed files with 35 additions and 16 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,9 @@
# v0.5.5

- Upgrade `C` standard to `C11`
- General stability improvements around IRQL, DriverEntry, etc
- Update `sysinfo` to `0.27.1`

# v0.5.0

- Replace `ZwClose` with `FltClose` in minifilter to solve potential memory leak
4 changes: 2 additions & 2 deletions Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "fsfilter-rs"
version = "0.5.0"
version = "0.5.5"
edition = "2021"
authors = ["sn99 <[email protected]>"]
description = "A rust library to monitor filesystem and more in windows"
Expand All @@ -13,7 +13,7 @@ categories = ["development-tools", "os::windows-apis", "filesystem", "api-bindin
documentation = "https://docs.rs/fsfilter-rs"

[dependencies]
sysinfo = "0.26.4"
sysinfo = "0.27.1"
widestring = "1.0.1"
serde = { version = "1.0.130", features = ["derive"] }
num-derive = "0.3"
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -21,7 +21,7 @@ You can also build using [EWDK](EWDKbuild.md) if you don't want to install Visua

## RUNNING EXAMPLE

Use `cargo run --bin minifilter --release` to run the example application or just [run the `.exe` provided in
Use `cargo run --bin minifilter --release` to run the example application or just [run the `.exe` provided in
releases](https://github.com/SubconsciousCompute/fsfilter-rs/releases/latest/download/minifilter.exe) as administrator (for
some reason the new default terminal (not the one that opens when you run it as administrator) on 2H22 is very, very slow).

3 changes: 2 additions & 1 deletion minifilter/snFilter/DriverData.cpp
Expand Up @@ -109,7 +109,8 @@ BOOLEAN DriverData::RemoveProcess(ULONG ProcessId)
return ret;
}

BOOLEAN DriverData::RecordNewProcess(PUNICODE_STRING ProcessName, ULONG ProcessId, ULONG ParentPid)
_IRQL_raises_(DISPATCH_LEVEL) BOOLEAN DriverData::RecordNewProcess(PUNICODE_STRING ProcessName, ULONG ProcessId,
ULONG ParentPid)
{
BOOLEAN ret = FALSE;
KIRQL irql = KeGetCurrentIrql();
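Review bot: `_IRQL_raises_(DISPATCH_LEVEL)` on the RecordNewProcess definition asserts that the routine returns at DISPATCH_LEVEL and may only be called to raise IRQL, which does not fit a function whose first statement saves the current IRQL (`KIRQL irql = KeGetCurrentIrql();`) and presumably restores it before returning; the body continues outside the hunk, so this is inferred from that line and from the header comment "function raise IRQL". If the saved IRQL is restored before return, the annotation that Code Analysis and SDV can actually check is `_IRQL_requires_max_(DISPATCH_LEVEL) _IRQL_requires_same_` (APC_LEVEL as the maximum if the function touches paged memory before raising), whereas the current one hides rather than verifies IRQL mistakes. The same `_IRQL_raises_` annotation is added to the declaration in DriverData.h and to AddRemProcessRoutine in both snFilter.cpp and snFilter.h, so all four sites should be corrected together to keep declaration and definition in agreement.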
3 changes: 2 additions & 1 deletion minifilter/snFilter/DriverData.h
Expand Up @@ -65,7 +65,8 @@ class DriverData
BOOLEAN RemoveProcess(ULONG ProcessId);

// record a process which was created to the GID system, function raise IRQL
BOOLEAN RecordNewProcess(PUNICODE_STRING ProcessName, ULONG ProcessId, ULONG ParentPid);
_IRQL_raises_(DISPATCH_LEVEL) BOOLEAN
RecordNewProcess(PUNICODE_STRING ProcessName, ULONG ProcessId, ULONG ParentPid);

// removed a gid from the system, function raise IRQL
BOOLEAN RemoveGid(ULONGLONG gid);
5 changes: 4 additions & 1 deletion minifilter/snFilter/HashTable.h
Expand Up @@ -19,7 +19,10 @@ struct HashNode
void *operator new(size_t size)
{
void *ptr = ExAllocatePool2(POOL_FLAG_NON_PAGED, size, 'RW');
memset(ptr, 0, size);
if (ptr != 0)
{
memset(ptr, 0, size);
}
return ptr;
}

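Review bot: The new null guard in HashNode::operator new compares against the literal `0`; write `if (ptr != nullptr)`. More importantly, the allocation function is not declared non-throwing, so a `new HashNode` expression is entitled to assume it never returns null and will run the constructor on the null pointer anyway — declare it `void *operator new(size_t size) noexcept` so the new-expression itself skips construction and yields nullptr, and confirm that every `new HashNode` site (outside this hunk) tests the result. ExAllocatePool2 zero-initialises the block unless POOL_FLAG_UNINITIALIZED is passed, so the `memset` appears redundant and could be dropped once checked against the WDK header in use. The enclosing `struct HashNode` begins outside the hunk.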
8 changes: 5 additions & 3 deletions minifilter/snFilter/ShanonEntropy.cpp
@@ -1,3 +1,5 @@
// #pragma warning(disable : 28110)

#include "ShanonEntropy.h"

constexpr DOUBLE M_LOG2E = 1.4426950408889634;
Expand All @@ -15,10 +17,10 @@ _Kernel_float_used_ DOUBLE shannonEntropy(PUCHAR buffer, size_t size)
bucketByteVals[buffer[i]]++;
}

XSTATE_SAVE SaveState;
KFLOATING_SAVE SaveState;
__try
{
KeSaveExtendedProcessorState(XSTATE_MASK_LEGACY, &SaveState);
KeSaveFloatingPointState(&SaveState);
for (ULONG i = 0; i < MAX_BYTE_SIZE; i++)
{
if (bucketByteVals[i] != 0)
Expand All @@ -31,7 +33,7 @@ _Kernel_float_used_ DOUBLE shannonEntropy(PUCHAR buffer, size_t size)
}
__finally
{
KeRestoreExtendedProcessorState(&SaveState);
KeRestoreFloatingPointState(&SaveState);
}
return entropy;
}
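Review bot: The NTSTATUS returned by `KeSaveFloatingPointState(&SaveState)` is discarded, yet the `__finally` block unconditionally calls `KeRestoreFloatingPointState(&SaveState)`; on platforms where the save can fail (it documents STATUS_ILLEGAL_FLOAT_CONTEXT and STATUS_INSUFFICIENT_RESOURCES) the restore then runs on a state that was never saved. Move the save ahead of the `__try` and bail out on failure — `NTSTATUS status = KeSaveFloatingPointState(&SaveState);` followed by `if (!NT_SUCCESS(status)) return 0.0;` — so that only a successful save is paired with a restore; which sentinel shannonEntropy's callers treat as "no entropy" should be confirmed, as they are outside this hunk. Note also that replacing KeSaveExtendedProcessorState(XSTATE_MASK_LEGACY) with KeSaveFloatingPointState narrows what is preserved to the legacy floating-point state, which is only adequate if the loop body does not use wider registers (e.g. a build with /arch:AVX), so the reason for the change deserves a comment in place of the commented-out `// #pragma warning(disable : 28110)` line, which should either be removed or explained.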
17 changes: 11 additions & 6 deletions minifilter/snFilter/snFilter.cpp
Expand Up @@ -26,11 +26,11 @@ Module Name:

EXTERN_C_START

DRIVER_INITIALIZE DriverEntry;

NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);

DRIVER_INITIALIZE DriverEntry;

EXTERN_C_END

//
Expand Down Expand Up @@ -75,6 +75,8 @@ CONST FLT_REGISTRATION FilterRegistration = {
//
////////////////////////////////////////////////////////////////////////////

DRIVER_INITIALIZE DriverEntry;

NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
/*++
Expand Down Expand Up @@ -972,9 +974,12 @@ FLT_POSTOP_CALLBACK_STATUS FSProcessPostReadSafe(_Inout_ PFLT_CALLBACK_DATA Data
{
__try
{
entry->data.Entropy = shannonEntropy((PUCHAR)ReadBuffer, Data->IoStatus.Information);
entry->data.MemSizeUsed = Data->IoStatus.Information;
entry->data.isEntropyCalc = TRUE;
if (entry != nullptr)
{
entry->data.Entropy = shannonEntropy((PUCHAR)ReadBuffer, Data->IoStatus.Information);
entry->data.MemSizeUsed = Data->IoStatus.Information;
entry->data.isEntropyCalc = TRUE;
}
if (IS_DEBUG_IRP)
DbgPrint("!!! snFilter: Adding entry to irps IRP_MJ_READ\n");
if (driverData->AddIrpMessage(entry))
Expand Down Expand Up @@ -1141,7 +1146,7 @@ static NTSTATUS GetProcessNameByHandle(_In_ HANDLE ProcessHandle, _Out_ PUNICODE
}

// new code process recording
VOID AddRemProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
_IRQL_raises_(DISPATCH_LEVEL) VOID AddRemProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
if (commHandle->CommClosed)
return;
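Review bot: In FSProcessPostReadSafe the new `if (entry != nullptr)` guard only skips filling the entropy fields; a null `entry` still reaches the `DbgPrint("!!! snFilter: Adding entry to irps IRP_MJ_READ\n")` and `driverData->AddIrpMessage(entry)` lines that follow, so the dereference is deferred rather than avoided unless AddIrpMessage tolerates null (not visible here). Prefer failing the whole path when the entry could not be allocated, e.g. `if (entry == nullptr) return FLT_POSTOP_FINISHED_PROCESSING;` ahead of the `__try`, or extend the guard to cover the DbgPrint and AddIrpMessage calls; FSProcessPostReadSafe begins and ends outside the hunk, so the correct return value and any buffer cleanup must be checked there. Separately, the first hunk leaves DriverEntry declared twice — the `NTSTATUS DriverEntry(...)` prototype inside EXTERN_C_START and the `DRIVER_INITIALIZE DriverEntry;` role-type declaration now placed before the definition; the role-type declaration is the one Code Analysis relies on, so keep it and drop the redundant prototype, or put both under the same EXTERN_C block so the linkage intent is explicit.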
2 changes: 1 addition & 1 deletion minifilter/snFilter/snFilter.h
Expand Up @@ -104,6 +104,6 @@ VOID CopyExtension(PWCHAR dest, PFLT_FILE_NAME_INFORMATION nameInfo);
// if parent doesn't have a gid and both are system process, new process isn't recorded
// else we create a new gid for process

VOID AddRemProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
_IRQL_raises_(DISPATCH_LEVEL) VOID AddRemProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);

UNICODE_STRING GvolumeData;
1 change: 1 addition & 0 deletions minifilter/snFilter/snFilter.vcxproj
Expand Up @@ -106,6 +106,7 @@
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<InlineFunctionExpansion>AnySuitable</InlineFunctionExpansion>
<FloatingPointModel>Precise</FloatingPointModel>
<LanguageStandard_C>stdc11</LanguageStandard_C>
</ClCompile>
<DriverSign>
<FileDigestAlgorithm>SHA1</FileDigestAlgorithm>
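Review bot: `<LanguageStandard_C>stdc11</LanguageStandard_C>` only governs `.c` translation units, and every source touched by this commit is `.cpp`, whose dialect is selected by `<LanguageStandard>` (e.g. `stdcpp17`); unless the project also contains C files (not visible here) the new line has no effect on the driver, even though the CHANGELOG presents it as an upgrade of the build. If the intent is to pin the C++ dialect, add `<LanguageStandard>stdcpp17</LanguageStandard>` next to it; if C11 really is needed, a note saying which C sources it covers would help the next reader. Unchanged but visible in the same hunk: `<FileDigestAlgorithm>SHA1</FileDigestAlgorithm>` — worth confirming the signing pipeline does not depend on a SHA-1 file digest, since current Windows driver signing expects SHA-256.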
