From 9414821b891eec4c8f7f9af0d8b985d974a01986 Mon Sep 17 00:00:00 2001 From: sn99 <42946112+sn99@users.noreply.github.com> Date: Mon, 19 Dec 2022 17:36:28 +0530 Subject: [PATCH] General stabality improvements (#3) see CHANGELOG --- CHANGELOG.md | 6 ++++++ Cargo.toml | 4 ++-- README.md | 2 +- minifilter/snFilter/DriverData.cpp | 3 ++- minifilter/snFilter/DriverData.h | 3 ++- minifilter/snFilter/HashTable.h | 5 ++++- minifilter/snFilter/ShanonEntropy.cpp | 8 +++++--- minifilter/snFilter/snFilter.cpp | 17 +++++++++++------ minifilter/snFilter/snFilter.h | 2 +- minifilter/snFilter/snFilter.vcxproj | 1 + 10 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a8f77a2..5e50d28 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v0.5.5
+
+- Upgrade `C` standard to `C11`
+- General stability improvements around IRQL, DriverEntry, etc
+- Update `sysinfo` to `0.27.1`
+
 # v0.5.0
 
 - Replace `ZwClose` with `FltClose` in minifilter to solve potential memory leak
diff --git a/Cargo.toml b/Cargo.toml
index 0c151b1..1802ce4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fsfilter-rs"
-version = "0.5.0"
+version = "0.5.5"
 edition = "2021"
 authors = ["sn99 "]
 description = "A rust library to monitor filesystem and more in windows"
@@ -13,7 +13,7 @@ categories = ["development-tools", "os::windows-apis", "filesystem", "api-bindin
 documentation = "https://docs.rs/fsfilter-rs"
 
 [dependencies]
-sysinfo = "0.26.4"
+sysinfo = "0.27.1"
 widestring = "1.0.1"
 serde = { version = "1.0.130", features = ["derive"] }
 num-derive = "0.3"
diff --git a/README.md b/README.md
index 4ce0633..cf120ca 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ You can also build using [EWDK](EWDKbuild.md) if you don't want to install Visua ## RUNNING EXAMPLE -Use `cargo run --bin minifilter --release` to run the example application or just [run the `.exe` provided in +Use `cargo run --bin minifilter --release` to run the example application or just [run the `.exe` provided in releases](https://github.com/SubconsciousCompute/fsfilter-rs/releases/latest/download/minifilter.exe) as administrator (for some reason the new default terminal (not the one that opens when you run it as administrator) on 2H22 is very, very slow).
diff --git a/minifilter/snFilter/DriverData.cpp b/minifilter/snFilter/DriverData.cpp
index 39b5b84..06fde52 100644
--- a/minifilter/snFilter/DriverData.cpp
+++ b/minifilter/snFilter/DriverData.cpp
@@ -109,7 +109,8 @@ BOOLEAN DriverData::RemoveProcess(ULONG ProcessId)
 return ret;
 }
 
-BOOLEAN DriverData::RecordNewProcess(PUNICODE_STRING ProcessName, ULONG ProcessId, ULONG ParentPid)
+_IRQL_raises_(DISPATCH_LEVEL) BOOLEAN DriverData::RecordNewProcess(PUNICODE_STRING ProcessName, ULONG ProcessId,
+ ULONG ParentPid)
 {
 BOOLEAN ret = FALSE;
 KIRQL irql = KeGetCurrentIrql();
diff --git a/minifilter/snFilter/DriverData.h b/minifilter/snFilter/DriverData.h
index fa53d1e..7ecaba2 100644
--- a/minifilter/snFilter/DriverData.h
+++ b/minifilter/snFilter/DriverData.h
@@ -65,7 +65,8 @@ class DriverData
 BOOLEAN RemoveProcess(ULONG ProcessId);
 
 // record a process which was created to the GID system, function raise IRQL
- BOOLEAN RecordNewProcess(PUNICODE_STRING ProcessName, ULONG ProcessId, ULONG ParentPid);
+ _IRQL_raises_(DISPATCH_LEVEL) BOOLEAN
+ RecordNewProcess(PUNICODE_STRING ProcessName, ULONG ProcessId, ULONG ParentPid);
 
 // removed a gid from the system, function raise IRQL
 BOOLEAN RemoveGid(ULONGLONG gid);
diff --git a/minifilter/snFilter/HashTable.h b/minifilter/snFilter/HashTable.h
index ab877f5..312d307 100644
--- a/minifilter/snFilter/HashTable.h
+++ b/minifilter/snFilter/HashTable.h
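Review bot: `_IRQL_raises_(DISPATCH_LEVEL)` on RecordNewProcess asserts that the function returns at DISPATCH_LEVEL, yet the very next visible line saves the current IRQL into `irql`, which reads like the acquire/restore pattern that puts IRQL back before returning; if that is what the (not visible) rest of the body does, the annotation is wrong and Code Analysis will treat every caller as continuing at DISPATCH_LEVEL. A function that raises and restores internally is described by `_IRQL_requires_max_(DISPATCH_LEVEL)` or `_IRQL_requires_same_`, not by `_IRQL_raises_`. The same annotation is added to the DriverData.h declaration, to AddRemProcessRoutine in snFilter.cpp (@@ -1141) and to its declaration in snFilter.h; for AddRemProcessRoutine it is contradicted inside its own hunk by the early `return;` when `commHandle->CommClosed` is set, and if that routine is the one registered with PsSetCreateProcessNotifyRoutine, as its signature suggests, it has to return at the IRQL it was entered at. RecordNewProcess's body continues outside the hunk, so the restore is inferred rather than seen.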
@@ -19,7 +19,10 @@ struct HashNode
 void *operator new(size_t size)
 {
 void *ptr = ExAllocatePool2(POOL_FLAG_NON_PAGED, size, 'RW');
- memset(ptr, 0, size);
+ if (ptr != 0)
+ {
+ memset(ptr, 0, size);
+ }
 return ptr;
 }
 
diff --git a/minifilter/snFilter/ShanonEntropy.cpp b/minifilter/snFilter/ShanonEntropy.cpp
index cbcc676..5481bd5 100644
--- a/minifilter/snFilter/ShanonEntropy.cpp
+++ b/minifilter/snFilter/ShanonEntropy.cpp
@@ -1,3 +1,5 @@
+// #pragma warning(disable : 28110)
+
 #include "ShanonEntropy.h"
 
 constexpr DOUBLE M_LOG2E = 1.4426950408889634;
@@ -15,10 +17,10 @@ _Kernel_float_used_ DOUBLE shannonEntropy(PUCHAR buffer, size_t size)
 bucketByteVals[buffer[i]]++;
 }
 
- XSTATE_SAVE SaveState;
+ KFLOATING_SAVE SaveState;
 __try
 {
- KeSaveExtendedProcessorState(XSTATE_MASK_LEGACY, &SaveState);
+ KeSaveFloatingPointState(&SaveState);
 for (ULONG i = 0; i < MAX_BYTE_SIZE; i++)
 {
 if (bucketByteVals[i] != 0)
@@ -31,7 +33,7 @@ _Kernel_float_used_ DOUBLE shannonEntropy(PUCHAR buffer, size_t size)
 }
 __finally
 {
- KeRestoreExtendedProcessorState(&SaveState);
+ KeRestoreFloatingPointState(&SaveState);
 }
 return entropy;
 }
\ No newline at end of file
diff --git a/minifilter/snFilter/snFilter.cpp b/minifilter/snFilter/snFilter.cpp
index 56848b9..40ddc86 100644
--- a/minifilter/snFilter/snFilter.cpp
+++ b/minifilter/snFilter/snFilter.cpp
@@ -26,11 +26,11 @@ Module Name: EXTERN_C_START +DRIVER_INITIALIZE DriverEntry; + NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath); -DRIVER_INITIALIZE DriverEntry; - EXTERN_C_END //
@@ -75,6 +75,8 @@ CONST FLT_REGISTRATION FilterRegistration = {
 //
 ////////////////////////////////////////////////////////////////////////////
 
+DRIVER_INITIALIZE DriverEntry;
+
 NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 /*++
 
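Review bot: With the new guard this `operator new` returns nullptr on allocation failure, but it is not declared non-throwing, so by the language rules a `new HashNode` expression may still run the constructor on the null result; MSVC happens to emit the null check because `/Zc:throwingNew` is off by default, which is a compiler default rather than a guarantee. Declare it `void *operator new(size_t size) noexcept` so the check in the new-expression is required, and make sure every `new HashNode` site tests the result for nullptr, since a null node would otherwise be the next dereference. Separately, ExAllocatePool2 zero-fills the allocation unless POOL_FLAG_UNINITIALIZED is passed, so the guarded `memset` looks redundant, and `ptr != 0` should read `ptr != nullptr` to match the `nullptr` check this commit adds in snFilter.cpp. The enclosing `struct HashNode` continues outside the hunk.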
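Review bot: The added `// #pragma warning(disable : 28110)` is a commented-out directive with no explanation, so it reads as leftover debugging rather than documentation. Either drop it, or make it a real comment such as `// C28110 (protect floating-point state) is satisfied by the KeSaveFloatingPointState/KeRestoreFloatingPointState pair below` so the next reader knows the warning was considered and why it is not suppressed.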
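Review bot: The NTSTATUS returned by `KeSaveFloatingPointState(&SaveState)` is discarded, and the `__finally` block in the following hunk (@@ -31) then calls `KeRestoreFloatingPointState(&SaveState)` even when the save failed, restoring a state that was never captured. Move the save ahead of the `__try` and bail out when it fails, e.g. `NTSTATUS status = KeSaveFloatingPointState(&SaveState);` / `if (!NT_SUCCESS(status))` / `return 0.0;` (0.0 being one reasonable "no entropy" result — pick whatever the callers treat as not computed), leaving the double arithmetic inside the `__try`/`__finally` as it is now. The old KeSaveExtendedProcessorState call had the same unchecked-status problem, so this is not a regression, but the commit is the natural place to fix it. shannonEntropy's body begins before this hunk.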
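Review bot: `DRIVER_INITIALIZE DriverEntry;` is now declared twice — here, moved ahead of the prototype inside EXTERN_C_START/EXTERN_C_END, and again in the next hunk (@@ -75) immediately before the definition. A single role-type declaration is sufficient for Code Analysis to apply the DRIVER_INITIALIZE annotations to the definition, so the second copy is redundant and only gives two places that could drift apart. Keep the one inside the EXTERN_C block and delete the one before the definition, or add a comment on the second stating why both are intended.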
@@ -972,9 +974,12 @@ FLT_POSTOP_CALLBACK_STATUS FSProcessPostReadSafe(_Inout_ PFLT_CALLBACK_DATA Data
 {
 __try
 {
- entry->data.Entropy = shannonEntropy((PUCHAR)ReadBuffer, Data->IoStatus.Information);
- entry->data.MemSizeUsed = Data->IoStatus.Information;
- entry->data.isEntropyCalc = TRUE;
+ if (entry != nullptr)
+ {
+ entry->data.Entropy = shannonEntropy((PUCHAR)ReadBuffer, Data->IoStatus.Information);
+ entry->data.MemSizeUsed = Data->IoStatus.Information;
+ entry->data.isEntropyCalc = TRUE;
+ }
 if (IS_DEBUG_IRP)
 DbgPrint("!!! snFilter: Adding entry to irps IRP_MJ_READ\n");
 if (driverData->AddIrpMessage(entry))
@@ -1141,7 +1146,7 @@ static NTSTATUS GetProcessNameByHandle(_In_ HANDLE ProcessHandle, _Out_ PUNICODE
 }
 
 // new code process recording
-VOID AddRemProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
+_IRQL_raises_(DISPATCH_LEVEL) VOID AddRemProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
 {
 if (commHandle->CommClosed)
 return;
diff --git a/minifilter/snFilter/snFilter.h b/minifilter/snFilter/snFilter.h
index eaaa3da..945f6f9 100644
--- a/minifilter/snFilter/snFilter.h
+++ b/minifilter/snFilter/snFilter.h
@@ -104,6 +104,6 @@ VOID CopyExtension(PWCHAR dest, PFLT_FILE_NAME_INFORMATION nameInfo);
 
 // if parent doesn't have a gid and both are system process, new process isn't recorded
 // else we create a new gid for process
-VOID AddRemProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
+_IRQL_raises_(DISPATCH_LEVEL) VOID AddRemProcessRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
 
 UNICODE_STRING GvolumeData;
\ No newline at end of file
diff --git a/minifilter/snFilter/snFilter.vcxproj b/minifilter/snFilter/snFilter.vcxproj
index ac2fa97..3e6be9a 100644
--- a/minifilter/snFilter/snFilter.vcxproj
+++ b/minifilter/snFilter/snFilter.vcxproj
@@ -106,6 +106,7 @@ MultiThreaded AnySuitable Precise + stdc11 SHA1
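Review bot: The new `if (entry != nullptr)` protects only the three field writes; if `entry` can be null, `driverData->AddIrpMessage(entry)` three lines later is still reached with the null pointer, and the debug print announces an entry being added that does not exist. Unless AddIrpMessage is known to tolerate a null argument, the guard should cover the whole path — on null, skip the add (e.g. `__leave` out of the `__try`, or wrap the `AddIrpMessage` call in the same condition) instead of falling through. The `__try` block and FSProcessPostReadSafe both continue outside the hunk, so where `entry` is allocated is not visible here; checking at the allocation site and returning early from the callback would make this mid-path guard unnecessary.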