mirror-ac/driver/callbacks.h

#ifndef CALLBACKS_H
#define CALLBACKS_H

#include "driver.h"
#include "common.h"

#include <wdf.h>

typedef void (*THREADLIST_CALLBACK_ROUTINE)(
    _In_ PTHREAD_LIST_ENTRY ThreadListEntry, _In_opt_ PVOID Context);

#define DRIVER_PATH_LENGTH  0x100
#define SHA_256_HASH_LENGTH 32

typedef struct _DRIVER_LIST_ENTRY {
    LIST_ENTRY list_entry;
    PVOID      ImageBase;
    ULONG      ImageSize;
    BOOLEAN    hashed;
    BOOLEAN    x86;
    CHAR       path[DRIVER_PATH_LENGTH];
    CHAR       text_hash[SHA_256_HASH_LENGTH];

    /*
     * This LIST_ENTRY is to be used for modules where the hashing needs to
     * be deferred. For example, when x86 modules can't be hashed on driver
     * load.
     */
    LIST_ENTRY deferred_entry;

} DRIVER_LIST_ENTRY, *PDRIVER_LIST_ENTRY;

typedef void (*DRIVERLIST_CALLBACK_ROUTINE)(
    _In_ PDRIVER_LIST_ENTRY DriverListEntry, _In_opt_ PVOID Context);

typedef BOOLEAN (*PROCESS_MODULE_CALLBACK)(_In_ PPROCESS_MAP_MODULE_ENTRY Entry,
                                           _In_opt_ PVOID Context);

NTSTATUS
InitialiseDriverList();

VOID NTAPI
ExUnlockHandleTableEntry(IN PHANDLE_TABLE       HandleTable,
                         IN PHANDLE_TABLE_ENTRY HandleTableEntry);

VOID
ObPostOpCallbackRoutine(_In_ PVOID RegistrationContext,
                        _In_ POB_POST_OPERATION_INFORMATION
                            OperationInformation);

OB_PREOP_CALLBACK_STATUS
ObPreOpCallbackRoutine(_In_ PVOID                         RegistrationContext,
                       _In_ POB_PRE_OPERATION_INFORMATION OperationInformation);

NTSTATUS
InitialiseThreadList();

VOID
ThreadCreateNotifyRoutine(_In_ HANDLE  ProcessId,
                          _In_ HANDLE  ThreadId,
                          _In_ BOOLEAN Create);

VOID
ProcessCreateNotifyRoutine(_In_ HANDLE  ParentId,
                           _In_ HANDLE  ProcessId,
                           _In_ BOOLEAN Create);

VOID
CleanupThreadListOnDriverUnload();

VOID
FindThreadListEntryByThreadAddress(_In_ HANDLE               ThreadId,
                                   _Out_ PTHREAD_LIST_ENTRY* Entry);

VOID
FindDriverEntryByBaseAddress(_In_ PVOID                ImageBase,
                             _Out_ PDRIVER_LIST_ENTRY* Entry);

VOID
CleanupDriverListOnDriverUnload();

VOID
ImageLoadNotifyRoutineCallback(_In_opt_ PUNICODE_STRING FullImageName,
                               _In_ HANDLE              ProcessId,
                               _In_ PIMAGE_INFO         ImageInfo);

NTSTATUS
InitialiseTimerObject(_Out_ PTIMER_OBJECT Timer);

VOID
CleanupDriverTimerObjects(_Inout_ PTIMER_OBJECT Timer);

VOID
UnregisterProcessCreateNotifyRoutine();

VOID
UnregisterImageLoadNotifyRoutine();

VOID
UnregisterThreadCreateNotifyRoutine();

VOID
UnregisterProcessObCallbacks();

NTSTATUS
RegisterProcessObCallbacks();

VOID
InitialiseObCallbacksConfiguration(_Out_ PACTIVE_SESSION ProcessConfig);

VOID
EnumerateDriverListWithCallbackRoutine(
    _In_ DRIVERLIST_CALLBACK_ROUTINE CallbackRoutine, _In_opt_ PVOID Context);

VOID
DriverListEntryToExtendedModuleInfo(_In_ PDRIVER_LIST_ENTRY         Entry,
                                    _Out_ PRTL_MODULE_EXTENDED_INFO Extended);

NTSTATUS
InitialiseProcessHashmap();

NTSTATUS
EnumerateProcessHandles(_In_ PPROCESS_LIST_ENTRY Entry, _In_opt_ PVOID Context);

VOID
EnumerateAndPrintProcessHashmap();

VOID
CleanupProcessHashmap();

VOID
EnumerateProcessModuleList(_In_ HANDLE                  ProcessId,
                           _In_ PROCESS_MODULE_CALLBACK Callback,
                           _In_opt_ PVOID               Context);

VOID
FindOurUserModeModuleEntry(_In_ PROCESS_MODULE_CALLBACK Callback,
                           _In_opt_ PVOID               Context);

#endif
excellent progress :) 2023-08-20 16:12:04 +02:00			`#ifndef CALLBACKS_H`
			`#define CALLBACKS_H`
lil refactoring 2024-01-15 02:01:14 +01:00
implement timer objects + some stuf 2024-01-12 06:40:33 +01:00			`#include "driver.h"`
lil refactoring 2024-01-15 02:01:14 +01:00			`#include "common.h"`

			`#include <wdf.h>`

80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`typedef void (*THREADLIST_CALLBACK_ROUTINE)(`
			`_In_ PTHREAD_LIST_ENTRY ThreadListEntry, _In_opt_ PVOID Context);`
lil refactoring 2024-01-15 02:01:14 +01:00
remove ugly compuiler macros 2024-01-08 04:57:07 +01:00			`#define DRIVER_PATH_LENGTH 0x100`
minor stuff 2024-01-07 05:42:40 +01:00			`#define SHA_256_HASH_LENGTH 32`

80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`typedef struct _DRIVER_LIST_ENTRY {`
remove unused list + queue implementations 2024-06-16 11:21:37 +02:00			`LIST_ENTRY list_entry;`
			`PVOID ImageBase;`
			`ULONG ImageSize;`
			`BOOLEAN hashed;`
			`BOOLEAN x86;`
			`CHAR path[DRIVER_PATH_LENGTH];`
			`CHAR text_hash[SHA_256_HASH_LENGTH];`
indentation 2024-04-13 10:23:14 +02:00
			`/*`
			`* This LIST_ENTRY is to be used for modules where the hashing needs to`
			`* be deferred. For example, when x86 modules can't be hashed on driver`
			`* load.`
			`*/`
			`LIST_ENTRY deferred_entry;`
implement deferred module hashing 2024-02-11 15:34:28 +01:00
significant refactor to mdouel vaerification + expoert stuff kinda wip 2024-01-07 05:13:41 +01:00			`} DRIVER_LIST_ENTRY, *PDRIVER_LIST_ENTRY;`

80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`typedef void (*DRIVERLIST_CALLBACK_ROUTINE)(`
			`_In_ PDRIVER_LIST_ENTRY DriverListEntry, _In_opt_ PVOID Context);`
implement deferred module hashing 2024-02-11 15:34:28 +01:00
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`typedef BOOLEAN (*PROCESS_MODULE_CALLBACK)(_In_ PPROCESS_MAP_MODULE_ENTRY Entry,`
			`_In_opt_ PVOID Context);`

significant refactor to mdouel vaerification + expoert stuff kinda wip 2024-01-07 05:13:41 +01:00			`NTSTATUS`
			`InitialiseDriverList();`

some formatting. Smiley face 2023-12-13 05:06:27 +01:00			`VOID NTAPI`
80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`ExUnlockHandleTableEntry(IN PHANDLE_TABLE HandleTable,`
			`IN PHANDLE_TABLE_ENTRY HandleTableEntry);`
bed time c: 2023-08-29 19:36:58 +02:00
da 2023-10-05 08:27:17 +02:00			`VOID`
80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`ObPostOpCallbackRoutine(_In_ PVOID RegistrationContext,`
			`_In_ POB_POST_OPERATION_INFORMATION`
			`OperationInformation);`
excellent progress :) 2023-08-20 16:12:04 +02:00
da 2023-10-05 08:27:17 +02:00			`OB_PREOP_CALLBACK_STATUS`
some formatting. Smiley face 2023-12-13 05:06:27 +01:00			`ObPreOpCallbackRoutine(_In_ PVOID RegistrationContext,`
			`_In_ POB_PRE_OPERATION_INFORMATION OperationInformation);`
excellent progress :) 2023-08-20 16:12:04 +02:00
implement lookaside lists 2024-01-14 05:31:19 +01:00			`NTSTATUS`
implement thread list 2023-10-08 16:07:49 +02:00			`InitialiseThreadList();`

			`VOID`
80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`ThreadCreateNotifyRoutine(_In_ HANDLE ProcessId,`
			`_In_ HANDLE ThreadId,`
			`_In_ BOOLEAN Create);`
implement thread list 2023-10-08 16:07:49 +02:00
bed time c: 2023-10-10 19:49:17 +02:00			`VOID`
80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`ProcessCreateNotifyRoutine(_In_ HANDLE ParentId,`
			`_In_ HANDLE ProcessId,`
			`_In_ BOOLEAN Create);`
bed time c: 2023-10-10 19:49:17 +02:00
implement thread list 2023-10-08 16:07:49 +02:00			`VOID`
			`CleanupThreadListOnDriverUnload();`

implement new thread list 2023-10-09 09:34:30 +02:00			`VOID`
rb tree implementation 2024-06-16 10:04:28 +02:00			`FindThreadListEntryByThreadAddress(_In_ HANDLE ThreadId,`
packet encryption! 2024-05-11 14:54:58 +02:00			`_Out_ PTHREAD_LIST_ENTRY* Entry);`
implement new thread list 2023-10-09 09:34:30 +02:00
significant refactor to mdouel vaerification + expoert stuff kinda wip 2024-01-07 05:13:41 +01:00			`VOID`
80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`FindDriverEntryByBaseAddress(_In_ PVOID ImageBase,`
			`_Out_ PDRIVER_LIST_ENTRY* Entry);`
significant refactor to mdouel vaerification + expoert stuff kinda wip 2024-01-07 05:13:41 +01:00
			`VOID`
			`CleanupDriverListOnDriverUnload();`

			`VOID`
			`ImageLoadNotifyRoutineCallback(_In_opt_ PUNICODE_STRING FullImageName,`
			`_In_ HANDLE ProcessId,`
			`_In_ PIMAGE_INFO ImageInfo);`

implement timer objects + some stuf 2024-01-12 06:40:33 +01:00			`NTSTATUS`
			`InitialiseTimerObject(_Out_ PTIMER_OBJECT Timer);`

			`VOID`
packet encryption! 2024-05-11 14:54:58 +02:00			`CleanupDriverTimerObjects(_Inout_ PTIMER_OBJECT Timer);`
implement timer objects + some stuf 2024-01-12 06:40:33 +01:00
implement lookaside lists 2024-01-14 05:31:19 +01:00			`VOID`
			`UnregisterProcessCreateNotifyRoutine();`

			`VOID`
			`UnregisterImageLoadNotifyRoutine();`

			`VOID`
			`UnregisterThreadCreateNotifyRoutine();`

lil refactoring 2024-01-15 02:01:14 +01:00			`VOID`
			`UnregisterProcessObCallbacks();`

			`NTSTATUS`
			`RegisterProcessObCallbacks();`

			`VOID`
lil big of stuf 2024-01-31 08:32:13 +01:00			`InitialiseObCallbacksConfiguration(_Out_ PACTIVE_SESSION ProcessConfig);`
lil refactoring 2024-01-15 02:01:14 +01:00
implement deferred module hashing 2024-02-11 15:34:28 +01:00			`VOID`
80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`EnumerateDriverListWithCallbackRoutine(`
			`_In_ DRIVERLIST_CALLBACK_ROUTINE CallbackRoutine, _In_opt_ PVOID Context);`
implement deferred module hashing 2024-02-11 15:34:28 +01:00
			`VOID`
			`DriverListEntryToExtendedModuleInfo(_In_ PDRIVER_LIST_ENTRY Entry,`
			`_Out_ PRTL_MODULE_EXTENDED_INFO Extended);`

internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`NTSTATUS`
			`InitialiseProcessHashmap();`

			`NTSTATUS`
			`EnumerateProcessHandles(_In_ PPROCESS_LIST_ENTRY Entry, _In_opt_ PVOID Context);`

			`VOID`
			`EnumerateAndPrintProcessHashmap();`

			`VOID`
			`CleanupProcessHashmap();`

			`VOID`
			`EnumerateProcessModuleList(_In_ HANDLE ProcessId,`
			`_In_ PROCESS_MODULE_CALLBACK Callback,`
			`_In_opt_ PVOID Context);`

			`VOID`
			`FindOurUserModeModuleEntry(_In_ PROCESS_MODULE_CALLBACK Callback,`
			`_In_opt_ PVOID Context);`

excellent progress :) 2023-08-20 16:12:04 +02:00			`#endif`