blob: 191fbe7de5565f7090bee4f331dde82847b32e34 [file] [log] [blame]
/* **********************************************************
* Copyright (c) 2006-2008 VMware, Inc. All rights reserved.
* **********************************************************/
/*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* * Neither the name of VMware, Inc. nor the names of its contributors may be
* used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL VMWARE, INC. OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*/
/* Copyright (c) 2006-2007 Determina Corp. */
/*
* gbop.h - GBOP hook definitions
*
* Plan to implement only for win32.
*
*/
#ifndef GBOP_H
#define GBOP_H
/* Attempting to keep GBOP hook policies more flexbile, though the
* right place will be in a hotpatch policy file.
*/
/* Support for gbop_include_set */
/* GBOP_DEFINE_HOOK and GBOP_DEFINE_HOOK_MODULE should be defined as
* appropriate by users of hook definitions, note that module name for
* each list is specified by the user since some may need different
* variants of the name.
*/
/* note that we currently do only shallow GBOP checking therefore we
* need all entry points even if they all eventually call a common
* exported implementation that we also hook */
/* Creating processes, modifying files, or creating new network
* connections are the primary behaviors that need to be watched.
* More generic shellcodes will be stopped while trying to setup their
* plumbing when the more generic ones use LoadLibrary/GetProcAddress.
* To minimize overhead due to our checks they shouldn't be added to
* hot routines, and should be best positioned to include the
* initializing call of some facility, but not the more common methods:
* e.g. hook socket() but not necessarily recv().
*/
/* KERNEL32.dll base */
/* likely targets for generic shellcode */
/* mostly in alphabetic order */
#define GBOP_DEFINE_KERNEL32_BASE_HOOKS(module) /* "KERNEL32.dll" */ \
GBOP_DEFINE_HOOK(module, CreateFileA) \
GBOP_DEFINE_HOOK(module, CreateFileW) \
GBOP_DEFINE_HOOK(module, CreateProcessA) \
GBOP_DEFINE_HOOK(module, CreateProcessInternalA) \
GBOP_DEFINE_HOOK(module, CreateProcessInternalW) \
GBOP_DEFINE_HOOK(module, CreateProcessW) \
/* kernel32!CreateProcessInternalWSecure is a RET on XP SP2 */ \
GBOP_DEFINE_HOOK(module, CreateRemoteThread) \
GBOP_DEFINE_HOOK(module, CreateThread) \
GBOP_DEFINE_HOOK(module, FreeLibrary) \
\
GBOP_DEFINE_HOOK(module, GetModuleHandleA) \
GBOP_DEFINE_HOOK(module, GetModuleHandleW) \
GBOP_DEFINE_HOOK(module, GetModuleHandleExW) \
GBOP_DEFINE_HOOK(module, GetModuleHandleExA) \
\
GBOP_DEFINE_HOOK(module, GetProcAddress) \
GBOP_DEFINE_HOOK(module, LoadLibraryA) \
GBOP_DEFINE_HOOK(module, LoadLibraryExA) \
GBOP_DEFINE_HOOK(module, LoadLibraryExW) \
GBOP_DEFINE_HOOK(module, LoadLibraryW) \
GBOP_DEFINE_HOOK(module, LoadModule) \
/* wrapper around CreateProcess */ \
\
GBOP_DEFINE_HOOK(module, OpenProcess) \
GBOP_DEFINE_HOOK(module, VirtualAlloc) \
GBOP_DEFINE_HOOK(module, VirtualAllocEx) \
GBOP_DEFINE_HOOK(module, VirtualProtect) \
GBOP_DEFINE_HOOK(module, VirtualProtectEx) \
GBOP_DEFINE_HOOK(module, WinExec) \
/* wrapper around CreateProcess */ \
\
GBOP_DEFINE_HOOK(module, WriteProcessMemory)
/* KERNEL32.dll complete set */
/* adding the less likely to be used by a generic exploit for
* completeness, yet short of KERNEL32!*
*/
#define GBOP_DEFINE_KERNEL32_MORE_HOOKS(module) /* "KERNEL32.dll" */ \
GBOP_DEFINE_HOOK(module, CopyFileA) \
GBOP_DEFINE_HOOK(module, CopyFileW) \
GBOP_DEFINE_HOOK(module, CopyFileExA) \
GBOP_DEFINE_HOOK(module, CopyFileExW) \
GBOP_DEFINE_HOOK(module, CreatePipe) \
GBOP_DEFINE_HOOK(module, CreateNamedPipeA) \
GBOP_DEFINE_HOOK(module, CreateNamedPipeW) \
\
GBOP_DEFINE_HOOK(module, CreateDirectoryA) /* low risk */ \
GBOP_DEFINE_HOOK(module, CreateDirectoryExA) \
GBOP_DEFINE_HOOK(module, CreateDirectoryExW) \
GBOP_DEFINE_HOOK(module, CreateDirectoryW) \
\
GBOP_DEFINE_HOOK(module, DeleteFileA) \
GBOP_DEFINE_HOOK(module, DeleteFileW) \
\
GBOP_DEFINE_HOOK(module, ExitProcess) \
\
GBOP_DEFINE_HOOK(module, GetStartupInfoA) \
GBOP_DEFINE_HOOK(module, GetStartupInfoW) \
\
GBOP_DEFINE_HOOK(module, LZCreateFileW) \
/* may be used to overwrite a file */ \
/* note there is no LZCreateFileA version */ \
/* skipping LZOpenFile[AW] which open only compressed files */ \
\
GBOP_DEFINE_HOOK(module, MoveFileA) \
GBOP_DEFINE_HOOK(module, MoveFileExA) \
GBOP_DEFINE_HOOK(module, MoveFileExW) \
GBOP_DEFINE_HOOK(module, MoveFileW) \
GBOP_DEFINE_HOOK(module, MoveFileWithProgressA) \
GBOP_DEFINE_HOOK(module, MoveFileWithProgressW) \
\
GBOP_DEFINE_HOOK(module, OpenFile) \
GBOP_DEFINE_HOOK(module, OpenDataFile) \
\
GBOP_DEFINE_HOOK(module, PeekNamedPipe) \
GBOP_DEFINE_HOOK(module, PrivCopyFileExW) \
\
/* skipping ReadFile, though hooked by others */ \
GBOP_DEFINE_HOOK(module, ReplaceFileA) \
GBOP_DEFINE_HOOK(module, ReplaceFileW) \
/* skipping kernel32!RemoveDirectoryW on an empty directory */ \
\
GBOP_DEFINE_HOOK(module, SetEndOfFile) \
/* interesting if a handle is open */ \
GBOP_DEFINE_HOOK(module, WriteFile) \
/* FIXME: performance, interesting if a handle is open */ \
GBOP_DEFINE_HOOK(module, WriteFileEx) \
/* FIXME: performance, interesting if a handle is open */ \
/* KERNEL32 presumed to be complete */
#define GBOP_DEFINE_WININET_BASE_HOOKS(module) /* "WININET.dll" */ \
GBOP_DEFINE_HOOK(module, FtpGetFileA) \
/* risk of creating a local file */ \
GBOP_DEFINE_HOOK(module, InternetConnectA) \
GBOP_DEFINE_HOOK(module, InternetConnectW) \
GBOP_DEFINE_HOOK(module, InternetOpenA) \
GBOP_DEFINE_HOOK(module, InternetOpenUrlA) \
GBOP_DEFINE_HOOK(module, InternetOpenUrlW) \
GBOP_DEFINE_HOOK(module, InternetOpenW)
/* InternetReadFile needs a handle created by the above */
/* WININET presumed to be complete */
#define GBOP_DEFINE_MSVCRT_BASE_HOOKS(module) /* "MSVCRT.dll" */ \
GBOP_DEFINE_HOOK(module, system) \
/* FIXME: case 8006 currently unused */
#define GBOP_DEFINE_MSVCRT_MORE_HOOKS(module) /* "MSVCRT.dll" */ \
GBOP_DEFINE_HOOK(module, _execl) \
GBOP_DEFINE_HOOK(module, _execle) \
GBOP_DEFINE_HOOK(module, _execlp) \
GBOP_DEFINE_HOOK(module, _execlpe) \
GBOP_DEFINE_HOOK(module, _execv) \
GBOP_DEFINE_HOOK(module, _execve) \
GBOP_DEFINE_HOOK(module, _execvp) \
GBOP_DEFINE_HOOK(module, _execvpe) \
\
GBOP_DEFINE_HOOK(module, _getdllprocaddr) \
GBOP_DEFINE_HOOK(module, _loaddll) \
GBOP_DEFINE_HOOK(module, _popen /* process+pipe open */) \
\
GBOP_DEFINE_HOOK(module, _spawnl) \
GBOP_DEFINE_HOOK(module, _spawnle) \
GBOP_DEFINE_HOOK(module, _spawnlp) \
GBOP_DEFINE_HOOK(module, _spawnlpe) \
GBOP_DEFINE_HOOK(module, _spawnv) \
GBOP_DEFINE_HOOK(module, _spawnve) \
GBOP_DEFINE_HOOK(module, _spawnvp) \
GBOP_DEFINE_HOOK(module, _spawnvpe) \
\
GBOP_DEFINE_HOOK(module, _wexecl) \
GBOP_DEFINE_HOOK(module, _wexecle) \
GBOP_DEFINE_HOOK(module, _wexeclp) \
GBOP_DEFINE_HOOK(module, _wexeclpe) \
GBOP_DEFINE_HOOK(module, _wexecv) \
GBOP_DEFINE_HOOK(module, _wexecve) \
GBOP_DEFINE_HOOK(module, _wexecvp) \
GBOP_DEFINE_HOOK(module, _wexecvpe) \
GBOP_DEFINE_HOOK(module, _wspawnl) \
GBOP_DEFINE_HOOK(module, _wspawnle) \
GBOP_DEFINE_HOOK(module, _wspawnlp) \
GBOP_DEFINE_HOOK(module, _wspawnlpe) \
GBOP_DEFINE_HOOK(module, _wspawnv) \
GBOP_DEFINE_HOOK(module, _wspawnve) \
GBOP_DEFINE_HOOK(module, _wspawnvp) \
GBOP_DEFINE_HOOK(module, _wspawnvpe) \
GBOP_DEFINE_HOOK(module, _wsystem) \
/* FIXME: more file creation related to add */
#define GBOP_DEFINE_WS2_32_BASE_HOOKS(module) /* "WS2_32.dll" */ \
GBOP_DEFINE_HOOK(module, WSASocketA) \
GBOP_DEFINE_HOOK(module, WSASocketW) \
GBOP_DEFINE_HOOK(module, bind) \
GBOP_DEFINE_HOOK(module, getpeername) \
GBOP_DEFINE_HOOK(module, socket)
/* most operations create a new socket(), or reuse one */
/* FIXME: case 8006 currently unused in default gbop_include_set */
#define GBOP_DEFINE_WS2_32_MORE_HOOKS(module) /* "WS2_32.dll" */ \
GBOP_DEFINE_HOOK(module, connect) \
GBOP_DEFINE_HOOK(module, listen) \
GBOP_DEFINE_HOOK(module, WSAConnect) \
/* not adding the send family: WSASend, WSASendTo, send, sendto */
/* note that WSOCK32.dll is WinSock 1.1 and WS2_32.DLL is WinSock 2,
* yet all interesting routines that we hook of identical names are
* simply forwarded from WSOCK32.dll to WS2_32.DLL so our hooks there
* are sufficient.
*/
#define GBOP_DEFINE_USER32_BASE_HOOKS(module) /* "USER32.dll" */ \
GBOP_DEFINE_HOOK(module, MessageBoxIndirectA) \
GBOP_DEFINE_HOOK(module, MessageBoxA) \
GBOP_DEFINE_HOOK(module, MessageBoxExW) \
GBOP_DEFINE_HOOK(module, MessageBoxExA) \
GBOP_DEFINE_HOOK(module, MessageBoxTimeoutW) \
GBOP_DEFINE_HOOK(module, MessageBoxTimeoutA) \
GBOP_DEFINE_HOOK(module, MessageBoxIndirectW) \
GBOP_DEFINE_HOOK(module, MessageBoxW) \
GBOP_DEFINE_HOOK(module, ExitWindowsEx)
/* USER32 presumed to be complete */
/* FIXME: case 8006 currently unused in default gbop_include_set */
#define GBOP_DEFINE_SHELL32_BASE_HOOKS(module) /* "SHELL32.dll" */ \
GBOP_DEFINE_HOOK(module, RealShellExecuteA) \
GBOP_DEFINE_HOOK(module, RealShellExecuteExA) \
GBOP_DEFINE_HOOK(module, RealShellExecuteExW) \
GBOP_DEFINE_HOOK(module, RealShellExecuteW) \
GBOP_DEFINE_HOOK(module, SHCreateDirectory) \
GBOP_DEFINE_HOOK(module, SHCreateDirectoryExA) \
GBOP_DEFINE_HOOK(module, SHCreateProcessAsUserW) \
/* SHFileOperation is an alias for SHFileOperationA on XP SP2 */ \
GBOP_DEFINE_HOOK(module, SHFileOperationA) \
GBOP_DEFINE_HOOK(module, SHFileOperationW) \
GBOP_DEFINE_HOOK(module, ShellExec_RunDLLA) \
GBOP_DEFINE_HOOK(module, ShellExec_RunDLLW) \
GBOP_DEFINE_HOOK(module, ShellExecuteA) \
GBOP_DEFINE_HOOK(module, ShellExecuteExA) \
GBOP_DEFINE_HOOK(module, ShellExecuteExW) \
GBOP_DEFINE_HOOK(module, ShellExecuteW) \
GBOP_DEFINE_HOOK(module, WOWShellExecute)
/* caution these shouldn't overlap with hooks that DR normally has. */
/* Fortunately hotp_only doesn't allow duplicate hooks so it will
* detect any such overlap. */
#define GBOP_DEFINE_NTDLL_MORE_HOOKS(module) /* "ntdll.dll" */ \
GBOP_DEFINE_HOOK(module, LdrGetDllHandle) \
GBOP_DEFINE_HOOK(module, LdrGetDllHandleEx) \
GBOP_DEFINE_HOOK(module, LdrGetProcedureAddress) \
GBOP_DEFINE_HOOK(module, NtCreateFile) \
GBOP_DEFINE_HOOK(module, NtCreateKey) \
GBOP_DEFINE_HOOK(module, NtCreateToken) \
GBOP_DEFINE_HOOK(module, NtDeleteKey) \
GBOP_DEFINE_HOOK(module, NtDeleteValueKey) \
GBOP_DEFINE_HOOK(module, NtSetValueKey) \
GBOP_DEFINE_HOOK(module, NtShutdownSystem) \
GBOP_DEFINE_HOOK(module, NtWriteVirtualMemory)
/* FIXME: case 8006 have to add a complete set for NTDLL.DLL */
/* FIXME: case 8006, need to add ADVAPI32 wrappers as
* ADVAPI32!CreateProcessAsUser*
*/
/* FIXME: I am not sure if this will scale to the number of modules -
* since there is a limit on the macro size (at least in cl) */
/* all users are expected to define appropriately
* GBOP_DEFINE_HOOK_MODULE and GBOP_DEFINE_HOOK
*/
#define GBOP_ALL_HOOKS \
/* counting hooks that we have without hotp */ \
/* GBOP_SET_NTDLL_BASE 0x1 */ \
GBOP_DEFINE_HOOK_MODULE(KERNEL32, BASE) /* 0x2 */ \
GBOP_DEFINE_HOOK_MODULE(MSVCRT, BASE) /* 0x4 */ \
GBOP_DEFINE_HOOK_MODULE(WS2_32, BASE) /* 0x8 */ \
GBOP_DEFINE_HOOK_MODULE(WININET, BASE) /*0x10 */ \
/* case 8006: gbop_include_set defaults stop here */\
GBOP_DEFINE_HOOK_MODULE(USER32, BASE) /* 0x20 */ \
GBOP_DEFINE_HOOK_MODULE(SHELL32, BASE) /* 0x40 */ \
\
GBOP_DEFINE_HOOK_MODULE(NTDLL, MORE) /* 0x100 */ \
GBOP_DEFINE_HOOK_MODULE(KERNEL32, MORE)/*0x200 */ \
GBOP_DEFINE_HOOK_MODULE(MSVCRT, MORE) /* 0x400 */ \
GBOP_DEFINE_HOOK_MODULE(WS2_32, MORE) /*0x800 */ \
/* FIXME: need GBOP_DEFINE_NTDLL_MORE_HOOKS */
enum {
GBOP_SET_NTDLL_BASE = 0x1,
/* note that all other flags used in -gbop_set have the same bit
* position equal to their order in GBOP_ALL_HOOKS above
*/
};
#endif /* GBOP_H */