diff --git a/external/usersim b/external/usersim
index a9c053d3b2..d517c62796 160000
--- a/external/usersim
+++ b/external/usersim
@@ -1 +1 @@
-Subproject commit a9c053d3b2c60ed1f21782a94ce2582b45389c7b
+Subproject commit d517c6279654c3374e04eab4fc23d30c75e821be
diff --git a/netebpfext/net_ebpf_ext_process.c b/netebpfext/net_ebpf_ext_process.c
index 45edff1aad..b03d28d5e0 100644
--- a/netebpfext/net_ebpf_ext_process.c
+++ b/netebpfext/net_ebpf_ext_process.c
@@ -25,6 +25,10 @@ _ebpf_process_context_destroy(
 _Out_writes_bytes_to_(*context_size_out, *context_size_out) uint8_t* context_out,
 _Inout_ size_t* context_size_out);

+void
+_ebpf_process_create_process_notify_routine_ex(
+ _Inout_ PEPROCESS process, _In_ HANDLE process_id, _Inout_opt_ PPS_CREATE_NOTIFY_INFO create_info);
+
 //
 // Process Program Information NPI Provider.
 //
@@ -56,6 +60,10 @@ NPI_MODULEID DECLSPEC_SELECTANY _ebpf_process_hook_provider_moduleid = {sizeof(N

 static net_ebpf_extension_hook_provider_t* _ebpf_process_hook_provider_context = NULL;

+EX_PUSH_LOCK _ebpf_process_hook_provider_lock;
+BOOL _ebpf_process_hook_provider_registered = FALSE;
+uint64_t _ebpf_process_hook_provider_registration_count = 0;
+
 //
 // Client attach/detach handler routines.
 //
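Review bot: Nothing in this diff initializes `_ebpf_process_hook_provider_lock` before the attach handler acquires it. A zero-filled global probably behaves as an unlocked push lock, but the documented contract is a call such as `ExInitializePushLock(&_ebpf_process_hook_provider_lock);` during provider setup, which may exist outside the visible hunks. The three new globals, and the notify-routine prototype added in the first hunk, also lack `static`, unlike `_ebpf_process_hook_provider_context` directly above them, so they get external linkage. `BOOL`/`FALSE` here sits beside `bool`/`false` in the attach handler; one convention would read better.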
@@ -66,28 +74,61 @@ _net_ebpf_extension_process_on_client_attach(
 _In_ const net_ebpf_extension_hook_provider_t* provider_context)
 {
 ebpf_result_t result = EBPF_SUCCESS;
+ bool push_lock_acquired = false;

 NET_EBPF_EXT_LOG_ENTRY();

 UNREFERENCED_PARAMETER(attaching_client);
+ UNREFERENCED_PARAMETER(provider_context);

- // Process hook allows only one client at a time.
- if (net_ebpf_extension_hook_get_next_attached_client((net_ebpf_extension_hook_provider_t*)provider_context, NULL) !=
- NULL) {
- result = EBPF_ACCESS_DENIED;
- goto Exit;
+ ExAcquirePushLockExclusive(&_ebpf_process_hook_provider_lock);
+
+ push_lock_acquired = true;
+
+ if (!_ebpf_process_hook_provider_registered) {
+ // Register the process create notify routine.
+ if (PsSetCreateProcessNotifyRoutineEx(_ebpf_process_create_process_notify_routine_ex, FALSE) !=
+ STATUS_SUCCESS) {
+ result = EBPF_OPERATION_NOT_SUPPORTED;
+ goto Exit;
+ }
+ _ebpf_process_hook_provider_registered = TRUE;
 }

- result = EBPF_SUCCESS;
+ _ebpf_process_hook_provider_registration_count++;

 Exit:
+ if (push_lock_acquired) {
+ ExReleasePushLockExclusive(&_ebpf_process_hook_provider_lock);
+ }
+
 NET_EBPF_EXT_RETURN_RESULT(result);
 }

 static void
 _net_ebpf_extension_process_on_client_detach(_In_ const net_ebpf_extension_hook_client_t* detaching_client)
 {
+ ebpf_result_t result = EBPF_SUCCESS;
+
+ NET_EBPF_EXT_LOG_ENTRY();
+
 UNREFERENCED_PARAMETER(detaching_client);
+
+ // Unregister the process create notify routine.
+ ExAcquirePushLockExclusive(&_ebpf_process_hook_provider_lock);
+
+ _ebpf_process_hook_provider_registration_count--;
+
+ if (_ebpf_process_hook_provider_registered && _ebpf_process_hook_provider_registration_count == 0) {
+ if (PsSetCreateProcessNotifyRoutineEx(_ebpf_process_create_process_notify_routine_ex, TRUE) != STATUS_SUCCESS) {
+ result = EBPF_OPERATION_NOT_SUPPORTED;
+ }
+ _ebpf_process_hook_provider_registered = FALSE;
+ }
+
+ ExReleasePushLockExclusive(&_ebpf_process_hook_provider_lock);
+
+ NET_EBPF_EXT_LOG_EXIT();
 }

 //
@@ -250,3 +291,12 @@ _ebpf_process_context_destroy(
 Exit:
 NET_EBPF_EXT_LOG_EXIT();
 }
+
+void
+_ebpf_process_create_process_notify_routine_ex(
+ _Inout_ PEPROCESS process, _In_ HANDLE process_id, _Inout_opt_ PPS_CREATE_NOTIFY_INFO create_info)
+{
+ UNREFERENCED_PARAMETER(process);
+ UNREFERENCED_PARAMETER(process_id);
+ UNREFERENCED_PARAMETER(create_info);
+}
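Review bot: In `_net_ebpf_extension_process_on_client_detach`, `result` is set when `PsSetCreateProcessNotifyRoutineEx(..., TRUE)` fails but is never read, so a failed unregistration is silent and `_ebpf_process_hook_provider_registered` is still reset to FALSE. If the driver later unloads with the callback still registered, the kernel would be left holding a pointer into unloaded code. The returned NTSTATUS should at least be traced, and the flag should stay TRUE on failure. The unconditional `_ebpf_process_hook_provider_registration_count--` wraps the `uint64_t` if detach ever runs without a matching successful attach (whether the hook framework does that after a failed attach is not visible here); `if (_ebpf_process_hook_provider_registration_count > 0)` around the decrement keeps the count sane. In the attach path `push_lock_acquired` is always true by the time `Exit:` is reached, so the flag and its test can be dropped.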
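Review bot: `_ebpf_process_create_process_notify_routine_ex` is an empty stub with no comment saying so, yet the attach handler registers it as a system-wide process-creation callback. A header comment such as `// Placeholder: program invocation on process create/exit is not implemented yet.` would tell the next reader that this is intentional. Note also that `PsSetCreateProcessNotifyRoutineEx` returns STATUS_ACCESS_DENIED unless the driver image is linked with `/INTEGRITYCHECK`; the build settings are not part of this diff, and with the attach handler mapping every failure to `EBPF_OPERATION_NOT_SUPPORTED` that cause would be hard to diagnose.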