2023-08-19 04:52:57 +02:00
|
|
|
#include "modules.h"
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
#include "apc.h"
|
2023-09-24 13:13:20 +02:00
|
|
|
#include "callbacks.h"
|
2024-07-19 16:27:50 +02:00
|
|
|
#include "containers/tree.h"
|
|
|
|
#include "crypt.h"
|
2023-09-25 17:41:38 +02:00
|
|
|
#include "driver.h"
|
2023-12-29 17:20:32 +01:00
|
|
|
#include "ia32.h"
|
2024-01-07 05:13:41 +01:00
|
|
|
#include "imports.h"
|
2024-07-19 16:27:50 +02:00
|
|
|
#include "io.h"
|
2024-05-04 17:43:01 +02:00
|
|
|
#include "pe.h"
|
2024-07-19 16:27:50 +02:00
|
|
|
#include "thread.h"
|
2023-12-30 08:52:44 +01:00
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
#include "lib/stdlib.h"
|
|
|
|
|
2023-10-08 06:24:54 +02:00
|
|
|
#define WHITELISTED_MODULE_TAG 'whte'
|
|
|
|
|
|
|
|
#define NMI_DELAY 200 * 10000
|
|
|
|
|
2023-10-08 16:07:49 +02:00
|
|
|
#define WHITELISTED_MODULE_COUNT 11
|
2023-12-13 05:06:27 +01:00
|
|
|
#define MODULE_MAX_STRING_SIZE 256
|
2023-10-08 06:24:54 +02:00
|
|
|
|
|
|
|
#define NTOSKRNL 0
|
|
|
|
#define CLASSPNP 1
|
|
|
|
#define WDF01000 2
|
|
|
|
|
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* The modules seen in the array below have been seen to commonly hook other
|
|
|
|
* drivers' IOCTL dispatch routines. Its possible to see this by using
|
|
|
|
* WinObjEx64 and checking which module each individual dispatch routine lies
|
|
|
|
* in. These modules are then addded to the list (in addition to either the
|
|
|
|
* driver itself or ntoskrnl) which is seen as a valid region for a drivers
|
|
|
|
* dispatch routine to lie within.
|
2023-12-13 05:06:27 +01:00
|
|
|
*/
|
2024-04-13 06:40:51 +02:00
|
|
|
CHAR WHITELISTED_MODULES[WHITELISTED_MODULE_COUNT][MODULE_MAX_STRING_SIZE] = {
|
|
|
|
"ntoskrnl.exe",
|
|
|
|
"CLASSPNP.SYS",
|
|
|
|
"Wdf01000.sys",
|
|
|
|
"HIDCLASS.SYS",
|
|
|
|
"storport.sys",
|
|
|
|
"dxgkrnl.sys",
|
|
|
|
"ndis.sys",
|
|
|
|
"ks.sys",
|
|
|
|
"portcls.sys",
|
|
|
|
"rdbss.sys",
|
|
|
|
"LXCORE.SYS"};
|
2023-10-08 06:24:54 +02:00
|
|
|
|
|
|
|
#define MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE 128
|
|
|
|
|
|
|
|
#define SYSTEM_IDLE_PROCESS_ID 0
|
2023-12-13 05:06:27 +01:00
|
|
|
#define SYSTEM_PROCESS_ID 4
|
|
|
|
#define SVCHOST_PROCESS_ID 8
|
2023-10-08 06:24:54 +02:00
|
|
|
|
2024-04-13 06:40:51 +02:00
|
|
|
typedef struct _WHITELISTED_REGIONS {
|
2024-04-13 10:23:14 +02:00
|
|
|
UINT64 base;
|
2024-08-04 08:30:31 +02:00
|
|
|
UINT64 size;
|
2023-09-27 15:10:12 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
} WHITELISTED_REGIONS, *PWHITELISTED_REGIONS;
|
2023-09-27 15:10:12 +02:00
|
|
|
|
2024-04-13 06:40:51 +02:00
|
|
|
typedef struct _NMI_CONTEXT {
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT64 interrupted_rip;
|
|
|
|
UINT64 interrupted_rsp;
|
|
|
|
UINT64 kthread;
|
|
|
|
UINT32 callback_count;
|
2024-04-13 10:23:14 +02:00
|
|
|
BOOLEAN user_thread;
|
2023-09-13 11:46:28 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
} NMI_CONTEXT, *PNMI_CONTEXT;
|
2023-09-13 11:46:28 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
#define DPC_STACKWALK_STACKFRAME_COUNT 10
|
|
|
|
|
|
|
|
/* the first 3 frames are isr handlers which we dont care about */
|
|
|
|
#define DPC_STACKWALK_FRAMES_TO_SKIP 3
|
|
|
|
|
|
|
|
typedef struct _DPC_CONTEXT {
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT64 stack_frame[DPC_STACKWALK_STACKFRAME_COUNT];
|
|
|
|
UINT16 frames_captured;
|
2024-07-19 16:27:50 +02:00
|
|
|
volatile BOOLEAN executed;
|
|
|
|
|
|
|
|
} DPC_CONTEXT, *PDPC_CONTEXT;
|
|
|
|
|
|
|
|
// clang-format off
|
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
STATIC
|
2024-05-05 15:20:35 +02:00
|
|
|
VOID
|
2024-07-19 16:27:50 +02:00
|
|
|
PopulateWhitelistedModuleBuffer(
|
|
|
|
_Inout_ PWHITELISTED_REGIONS Whitelist,
|
|
|
|
_In_ PSYSTEM_MODULES SystemModules
|
|
|
|
);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
|
|
|
STATIC
|
|
|
|
NTSTATUS
|
2024-07-19 16:27:50 +02:00
|
|
|
ValidateDriverObjectsWrapper(
|
|
|
|
_In_ PSYSTEM_MODULES SystemModules
|
|
|
|
);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
|
|
|
STATIC
|
|
|
|
NTSTATUS
|
2024-07-19 16:27:50 +02:00
|
|
|
AnalyseNmiData(
|
|
|
|
_In_ PNMI_CONTEXT NmiContext,
|
|
|
|
_In_ PSYSTEM_MODULES SystemModules
|
|
|
|
);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
|
|
|
STATIC
|
|
|
|
NTSTATUS
|
2024-01-13 22:33:57 +01:00
|
|
|
LaunchNonMaskableInterrupt();
|
2023-10-08 06:24:54 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
STATIC
|
|
|
|
VOID
|
2024-07-19 16:27:50 +02:00
|
|
|
ApcRundownRoutine(
|
|
|
|
_In_ PRKAPC Apc
|
|
|
|
);
|
2023-10-08 06:24:54 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
STATIC
|
|
|
|
VOID
|
2024-07-19 16:27:50 +02:00
|
|
|
ApcKernelRoutine(
|
|
|
|
_In_ PRKAPC Apc,
|
|
|
|
_Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine,
|
|
|
|
_Inout_ _Deref_pre_maybenull_ PVOID* NormalContext,
|
|
|
|
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1,
|
|
|
|
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2);
|
2023-10-08 06:24:54 +02:00
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
STATIC
|
|
|
|
VOID
|
2024-07-19 16:27:50 +02:00
|
|
|
ApcNormalRoutine(
|
|
|
|
_In_opt_ PVOID NormalContext,
|
|
|
|
_In_opt_ PVOID SystemArgument1,
|
|
|
|
_In_opt_ PVOID SystemArgument2
|
|
|
|
);
|
2023-10-08 06:24:54 +02:00
|
|
|
|
2023-10-09 09:34:30 +02:00
|
|
|
STATIC
|
|
|
|
VOID
|
2024-07-19 16:27:50 +02:00
|
|
|
ValidateThreadViaKernelApcCallback(
|
|
|
|
_In_ PTHREAD_LIST_ENTRY ThreadListEntry,
|
|
|
|
_Inout_opt_ PVOID Context
|
|
|
|
);
|
|
|
|
|
|
|
|
// clang-format on
|
2023-10-07 17:37:47 +02:00
|
|
|
|
|
|
|
#ifdef ALLOC_PRAGMA
|
2024-04-13 10:23:14 +02:00
|
|
|
# pragma alloc_text(PAGE, FindSystemModuleByName)
|
|
|
|
# pragma alloc_text(PAGE, PopulateWhitelistedModuleBuffer)
|
|
|
|
# pragma alloc_text(PAGE, GetSystemModuleInformation)
|
|
|
|
# pragma alloc_text(PAGE, ValidateDriverObjectsWrapper)
|
|
|
|
# pragma alloc_text(PAGE, HandleValidateDriversIOCTL)
|
|
|
|
# pragma alloc_text(PAGE, IsInstructionPointerInInvalidRegion)
|
|
|
|
# pragma alloc_text(PAGE, AnalyseNmiData)
|
|
|
|
# pragma alloc_text(PAGE, LaunchNonMaskableInterrupt)
|
|
|
|
# pragma alloc_text(PAGE, HandleNmiIOCTL)
|
|
|
|
# pragma alloc_text(PAGE, ApcRundownRoutine)
|
|
|
|
# pragma alloc_text(PAGE, ApcKernelRoutine)
|
|
|
|
# pragma alloc_text(PAGE, ApcNormalRoutine)
|
|
|
|
# pragma alloc_text(PAGE, ValidateThreadsViaKernelApc)
|
|
|
|
# pragma alloc_text(PAGE, ValidateThreadViaKernelApcCallback)
|
2023-10-07 17:37:47 +02:00
|
|
|
#endif
|
|
|
|
|
2023-08-31 17:49:04 +02:00
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* This returns a reference to an entry in the system modules array retrieved
|
|
|
|
* via GetSystemModuleInformation. It's important to remember we don't free the
|
|
|
|
* modules once we retrieve this reference, and instead only free them when we
|
|
|
|
* are done using it.
|
2023-12-13 05:06:27 +01:00
|
|
|
*/
|
2023-10-05 08:27:17 +02:00
|
|
|
PRTL_MODULE_EXTENDED_INFO
|
2024-08-01 06:21:53 +02:00
|
|
|
FindSystemModuleByName(
|
|
|
|
_In_ LPCSTR ModuleName, _In_ PSYSTEM_MODULES SystemModules)
|
2023-08-21 11:13:00 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-10-09 20:19:51 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!ModuleName || !SystemModules)
|
|
|
|
return NULL;
|
2023-08-21 11:13:00 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
PRTL_MODULE_EXTENDED_INFO modules =
|
|
|
|
(PRTL_MODULE_EXTENDED_INFO)SystemModules->address;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
for (INT index = 0; index < SystemModules->module_count; index++) {
|
2024-07-22 12:43:09 +02:00
|
|
|
if (IntFindSubstring(modules[index].FullPathName, ModuleName)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
return &modules[index];
|
2023-12-13 05:06:27 +01:00
|
|
|
}
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2023-11-09 12:11:02 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
return NULL;
|
2023-08-21 11:13:00 +02:00
|
|
|
}
|
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
STATIC
|
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
PopulateWhitelistedModuleBuffer(
|
|
|
|
_Inout_ PWHITELISTED_REGIONS Whitelist, _In_ PSYSTEM_MODULES SystemModules)
|
2023-08-21 11:13:00 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-10-09 20:19:51 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
LPCSTR entry = NULL;
|
2024-07-19 16:27:50 +02:00
|
|
|
PRTL_MODULE_EXTENDED_INFO module = NULL;
|
2024-08-01 06:21:53 +02:00
|
|
|
PWHITELISTED_REGIONS region = NULL;
|
2023-08-21 11:13:00 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
for (UINT32 index = 0; index < WHITELISTED_MODULE_COUNT; index++) {
|
2024-08-01 06:21:53 +02:00
|
|
|
entry = WHITELISTED_MODULES[index];
|
2024-07-19 16:27:50 +02:00
|
|
|
module = FindSystemModuleByName(entry, SystemModules);
|
2023-08-21 11:13:00 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/* not everyone will contain all whitelisted modules */
|
|
|
|
if (!module)
|
|
|
|
continue;
|
2023-10-07 17:37:47 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
region = &Whitelist[index];
|
2024-07-19 16:27:50 +02:00
|
|
|
region->base = (UINT64)module->ImageBase;
|
2024-08-04 08:30:31 +02:00
|
|
|
region->size = (UINT64)module->ImageBase + module->ImageSize;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2023-08-21 11:13:00 +02:00
|
|
|
}
|
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
STATIC
|
|
|
|
UINT64
|
|
|
|
GetDriverMajorDispatchFunction(_In_ PDRIVER_OBJECT Driver)
|
|
|
|
{
|
|
|
|
return Driver->MajorFunction[IRP_MJ_DEVICE_CONTROL];
|
|
|
|
}
|
|
|
|
|
2023-09-26 12:00:45 +02:00
|
|
|
STATIC
|
2024-05-05 14:36:25 +02:00
|
|
|
BOOLEAN
|
2024-08-01 06:21:53 +02:00
|
|
|
DoesDriverHaveInvalidDispatchRoutine(
|
|
|
|
_In_ PDRIVER_OBJECT Driver,
|
|
|
|
_In_ PSYSTEM_MODULES Modules,
|
|
|
|
_In_ PWHITELISTED_REGIONS Regions)
|
2023-08-19 11:44:42 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT64 dispatch_function = 0;
|
|
|
|
UINT64 module_base = 0;
|
|
|
|
UINT64 module_end = 0;
|
|
|
|
PRTL_MODULE_EXTENDED_INFO module = NULL;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
dispatch_function = GetDriverMajorDispatchFunction(Driver);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (!dispatch_function)
|
2024-05-05 14:36:25 +02:00
|
|
|
return FALSE;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
module = (PRTL_MODULE_EXTENDED_INFO)Modules->address;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
for (UINT32 index = 0; index < Modules->module_count; index++) {
|
2024-04-13 10:23:14 +02:00
|
|
|
if (module[index].ImageBase != Driver->DriverStart)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
/* make sure our driver has a device object which is required
|
|
|
|
* for IOCTL */
|
2024-07-19 16:27:50 +02:00
|
|
|
if (!Driver->DeviceObject)
|
2024-05-05 14:36:25 +02:00
|
|
|
return FALSE;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
module_base = (UINT64)module[index].ImageBase;
|
2024-08-01 06:21:53 +02:00
|
|
|
module_end = module_base + module[index].ImageSize;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
/* firstly, check if its inside its own module */
|
|
|
|
if (dispatch_function >= module_base && dispatch_function <= module_end)
|
2024-05-05 14:36:25 +02:00
|
|
|
return FALSE;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
/*
|
|
|
|
* The WDF framework and other low level drivers often hook the
|
|
|
|
* dispatch routines when initiating the respective config of
|
|
|
|
* their framework or system. With a bit of digging you can view
|
|
|
|
* the drivers reponsible for the hooks. What this means is that
|
|
|
|
* there will be legit drivers with dispatch routines that point
|
|
|
|
* outside of ntoskrnl and their own memory region. So, I have
|
|
|
|
* formed a list which contains the drivers that perform these
|
|
|
|
* hooks and we iteratively check if the dispatch routine is
|
|
|
|
* contained within one of these whitelisted regions. A note on
|
|
|
|
* how to imrpove this is the fact that a code cave can be used
|
|
|
|
* inside a whitelisted region which then jumps to an invalid
|
|
|
|
* region such as a manually mapped driver. So in the future we
|
|
|
|
* should implement a function which checks for standard hook
|
|
|
|
* implementations like mov rax jmp rax etc.
|
|
|
|
*/
|
2024-05-05 14:36:25 +02:00
|
|
|
for (UINT32 index = 0; index < WHITELISTED_MODULE_COUNT; index++) {
|
|
|
|
if (dispatch_function >= Regions[index].base &&
|
2024-08-04 08:30:31 +02:00
|
|
|
dispatch_function <= Regions[index].size)
|
2024-05-05 14:36:25 +02:00
|
|
|
return FALSE;
|
2023-12-13 05:06:27 +01:00
|
|
|
}
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_WARNING(
|
|
|
|
"Driver with invalid dispatch routine found: %s",
|
|
|
|
module[index].FullPathName);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
return TRUE;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
return FALSE;
|
2023-08-19 04:52:57 +02:00
|
|
|
}
|
|
|
|
|
2023-09-26 12:00:45 +02:00
|
|
|
STATIC
|
2024-05-05 14:36:25 +02:00
|
|
|
BOOLEAN
|
2024-08-01 06:21:53 +02:00
|
|
|
DoesDriverObjectHaveBackingModule(
|
|
|
|
_In_ PSYSTEM_MODULES ModuleInformation, _In_ PDRIVER_OBJECT DriverObject)
|
2023-08-19 04:52:57 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-10-10 15:52:42 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
PRTL_MODULE_EXTENDED_INFO modules = NULL;
|
2024-08-01 06:21:53 +02:00
|
|
|
PRTL_MODULE_EXTENDED_INFO entry = NULL;
|
2024-07-19 16:27:50 +02:00
|
|
|
|
|
|
|
modules = (PRTL_MODULE_EXTENDED_INFO)ModuleInformation->address;
|
2023-08-19 04:52:57 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
for (UINT32 index = 0; index < ModuleInformation->module_count; index++) {
|
|
|
|
entry = &modules[index];
|
|
|
|
|
|
|
|
if (entry->ImageSize == 0 || entry->ImageBase == 0)
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_INVALID_MEMBER;
|
2023-11-18 11:40:22 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (entry->ImageBase == DriverObject->DriverStart) {
|
2024-05-05 14:36:25 +02:00
|
|
|
return TRUE;
|
2023-12-13 05:06:27 +01:00
|
|
|
}
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2023-08-19 04:52:57 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_WARNING(
|
|
|
|
"Driver found with no backing system image at address: %llx",
|
|
|
|
(UINT64)DriverObject->DriverStart);
|
2023-08-19 04:52:57 +02:00
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
return FALSE;
|
2023-08-19 04:52:57 +02:00
|
|
|
}
|
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
FORCEINLINE
|
|
|
|
STATIC
|
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
InitSystemModulesStructure(
|
|
|
|
_Out_ PSYSTEM_MODULES Modules, _In_ PVOID Buffer, _In_ INT Count)
|
2024-05-04 17:43:01 +02:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
Modules->address = Buffer;
|
2024-05-04 17:43:01 +02:00
|
|
|
Modules->module_count = Count;
|
|
|
|
}
|
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
// https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-part-3-4a0e195d947b
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2023-12-13 05:06:27 +01:00
|
|
|
GetSystemModuleInformation(_Out_ PSYSTEM_MODULES ModuleInformation)
|
2023-08-19 04:52:57 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
ULONG size = 0;
|
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
2024-07-19 16:27:50 +02:00
|
|
|
PRTL_MODULE_EXTENDED_INFO buffer = NULL;
|
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!ModuleInformation)
|
|
|
|
return STATUS_INVALID_PARAMETER;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = RtlQueryModuleInformation(
|
|
|
|
&size,
|
|
|
|
sizeof(RTL_MODULE_EXTENDED_INFO),
|
|
|
|
NULL);
|
2023-12-23 19:52:55 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("RtlQueryModuleInformation failed with status %x", status);
|
|
|
|
return status;
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
buffer = ExAllocatePool2(POOL_FLAG_NON_PAGED, size, SYSTEM_MODULES_POOL);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
if (!buffer) {
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_ERROR("Failed to allocate pool LOL");
|
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = RtlQueryModuleInformation(
|
|
|
|
&size,
|
|
|
|
sizeof(RTL_MODULE_EXTENDED_INFO),
|
|
|
|
buffer);
|
2023-12-23 19:52:55 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
"RtlQueryModuleInformation 2 failed with status %x",
|
|
|
|
status);
|
2024-05-04 17:43:01 +02:00
|
|
|
ExFreePoolWithTag(buffer, SYSTEM_MODULES_POOL);
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_ABANDONED;
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
InitSystemModulesStructure(
|
|
|
|
ModuleInformation,
|
|
|
|
buffer,
|
|
|
|
ARRAYLEN(size, RTL_MODULE_EXTENDED_INFO));
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
2023-08-19 04:52:57 +02:00
|
|
|
}
|
|
|
|
|
2024-04-13 10:06:59 +02:00
|
|
|
STATIC
|
|
|
|
VOID
|
2024-05-05 14:36:25 +02:00
|
|
|
ReportInvalidDriverObject(_In_ PDRIVER_OBJECT Driver, _In_ UINT32 ReportSubType)
|
2024-04-13 10:06:59 +02:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT32 len = 0;
|
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
ANSI_STRING string = {0};
|
2024-07-19 16:27:50 +02:00
|
|
|
PMODULE_VALIDATION_FAILURE report = NULL;
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
len = CryptRequestRequiredBufferLength(sizeof(MODULE_VALIDATION_FAILURE));
|
|
|
|
report = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, len, POOL_TAG_INTEGRITY);
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
if (!report)
|
2024-04-13 10:23:14 +02:00
|
|
|
return;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
INIT_REPORT_PACKET(report, REPORT_MODULE_VALIDATION_FAILURE, ReportSubType);
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
report->driver_base_address = Driver->DriverStart;
|
2024-08-01 06:21:53 +02:00
|
|
|
report->driver_size = Driver->DriverSize;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
string.Length = 0;
|
2024-05-05 14:36:25 +02:00
|
|
|
string.MaximumLength = MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE;
|
2024-08-01 06:21:53 +02:00
|
|
|
string.Buffer = &report->driver_name;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
/* Continue regardless of result */
|
|
|
|
ImpRtlUnicodeStringToAnsiString(&string, &Driver->DriverName, FALSE);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = CryptEncryptBuffer(report, len);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("CryptEncryptBuffer: %lx", status);
|
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
IrpQueueSchedulePacket(report, len);
|
2024-05-05 14:36:25 +02:00
|
|
|
}
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
FORCEINLINE
|
|
|
|
STATIC
|
|
|
|
POBJECT_DIRECTORY_ENTRY
|
|
|
|
GetNextObject(_In_ POBJECT_DIRECTORY_ENTRY Entry)
|
|
|
|
{
|
|
|
|
return Entry->ChainLink;
|
|
|
|
}
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
FORCEINLINE
|
|
|
|
STATIC
|
|
|
|
PVOID
|
|
|
|
GetObjectFromDirectory(_In_ POBJECT_DIRECTORY_ENTRY Entry)
|
|
|
|
{
|
|
|
|
return Entry->Object;
|
|
|
|
}
|
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
STATIC
|
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
ValidateDriverObjects(
|
|
|
|
_In_ PSYSTEM_MODULES Modules,
|
|
|
|
_In_ POBJECT_DIRECTORY_ENTRY Entry,
|
|
|
|
_In_ PWHITELISTED_REGIONS Whitelist)
|
2024-05-05 14:36:25 +02:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
POBJECT_DIRECTORY_ENTRY entry = Entry;
|
|
|
|
PDRIVER_OBJECT driver = NULL;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
while (entry) {
|
2024-07-19 16:27:50 +02:00
|
|
|
driver = GetObjectFromDirectory(entry);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
if (!DoesDriverObjectHaveBackingModule(Modules, driver)) {
|
|
|
|
ReportInvalidDriverObject(driver, REPORT_SUBTYPE_NO_BACKING_MODULE);
|
2024-04-13 10:06:59 +02:00
|
|
|
}
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-05 15:20:35 +02:00
|
|
|
if (DoesDriverHaveInvalidDispatchRoutine(driver, Modules, Whitelist)) {
|
2024-05-05 14:36:25 +02:00
|
|
|
ReportInvalidDriverObject(driver, REPORT_SUBTYPE_INVALID_DISPATCH);
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
2024-05-05 14:36:25 +02:00
|
|
|
entry = GetNextObject(entry);
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2024-04-13 10:06:59 +02:00
|
|
|
}
|
|
|
|
|
2024-04-13 06:40:51 +02:00
|
|
|
/* TODO: this function needs to be rewritten. Infact, this entire file needs to
|
2024-04-13 10:06:59 +02:00
|
|
|
* be rewritten.
|
|
|
|
* god this is so bad.
|
|
|
|
*/
|
2023-09-26 12:00:45 +02:00
|
|
|
STATIC
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2024-05-05 14:36:25 +02:00
|
|
|
ValidateDriverObjectsWrapper(_In_ PSYSTEM_MODULES SystemModules)
|
2023-08-19 04:52:57 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
HANDLE handle = NULL;
|
|
|
|
OBJECT_ATTRIBUTES oa = {0};
|
|
|
|
PVOID dir = {0};
|
|
|
|
UNICODE_STRING dir_name = {0};
|
|
|
|
PWHITELISTED_REGIONS wl = NULL;
|
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
POBJECT_DIRECTORY dir_object = NULL;
|
|
|
|
POBJECT_DIRECTORY_ENTRY bucket = NULL;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
ImpRtlInitUnicodeString(&dir_name, L"\\Driver");
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
InitializeObjectAttributes(
|
|
|
|
&oa,
|
|
|
|
&dir_name,
|
|
|
|
OBJ_CASE_INSENSITIVE,
|
|
|
|
NULL,
|
|
|
|
NULL);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = ImpZwOpenDirectoryObject(&handle, DIRECTORY_ALL_ACCESS, &oa);
|
2023-12-23 19:52:55 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("ZwOpenDirectoryObject failed with status %x", status);
|
|
|
|
return status;
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = ImpObReferenceObjectByHandle(
|
|
|
|
handle,
|
|
|
|
DIRECTORY_ALL_ACCESS,
|
|
|
|
NULL,
|
|
|
|
KernelMode,
|
|
|
|
&dir,
|
|
|
|
NULL);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("ObReferenceObjectByHandle failed with status %x", status);
|
|
|
|
ImpZwClose(handle);
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Windows organises its drivers in object directories (not the same as
|
|
|
|
* files directories). For the driver directory, there are 37 entries,
|
|
|
|
* each driver is hashed and indexed. If there is a driver with a
|
|
|
|
* duplicate index, it is inserted into same index in a linked list
|
|
|
|
* using the _OBJECT_DIRECTORY_ENTRY struct. So to enumerate all drivers
|
|
|
|
* we visit each entry in the hashmap, enumerate all objects in the
|
|
|
|
* linked list at entry j then we increment the hashmap index i. The
|
|
|
|
* motivation behind this is that when a driver is accessed, it is
|
|
|
|
* brought to the first index in the linked list, so drivers that are
|
|
|
|
* accessed the most can be accessed quickly
|
|
|
|
*/
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
dir_object = (POBJECT_DIRECTORY)dir;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
ImpExAcquirePushLockExclusiveEx(&dir_object->Lock, NULL);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
wl = ImpExAllocatePool2(
|
|
|
|
POOL_FLAG_NON_PAGED,
|
|
|
|
WHITELISTED_MODULE_COUNT * sizeof(WHITELISTED_REGIONS),
|
|
|
|
WHITELISTED_MODULE_TAG);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (!wl)
|
2024-04-13 10:23:14 +02:00
|
|
|
goto end;
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
PopulateWhitelistedModuleBuffer(wl, SystemModules);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
"PopulateWhitelistedModuleBuffer failed with status %x",
|
|
|
|
status);
|
2024-04-13 10:23:14 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
for (UINT32 index = 0; index < NUMBER_HASH_BUCKETS; index++) {
|
|
|
|
bucket = dir_object->HashBuckets[index];
|
|
|
|
ValidateDriverObjects(SystemModules, bucket, wl);
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2023-08-19 04:52:57 +02:00
|
|
|
|
2023-08-21 11:13:00 +02:00
|
|
|
end:
|
2024-07-19 16:27:50 +02:00
|
|
|
if (wl)
|
|
|
|
ImpExFreePoolWithTag(wl, WHITELISTED_MODULE_TAG);
|
2023-08-21 11:13:00 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
ImpExReleasePushLockExclusiveEx(&dir_object->Lock, 0);
|
|
|
|
ImpObDereferenceObject(dir);
|
2024-04-13 10:23:14 +02:00
|
|
|
ImpZwClose(handle);
|
2023-08-19 04:52:57 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_SUCCESS;
|
2023-08-19 04:52:57 +02:00
|
|
|
}
|
|
|
|
|
2024-07-13 07:43:50 +02:00
|
|
|
FORCEINLINE
|
|
|
|
STATIC
|
|
|
|
BOOLEAN
|
|
|
|
IsUserModeAddress(_In_ UINT64 Rip)
|
|
|
|
{
|
|
|
|
return Rip <= WINDOWS_USERMODE_MAX_ADDRESS ? TRUE : FALSE;
|
|
|
|
}
|
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2024-01-21 08:22:06 +01:00
|
|
|
HandleValidateDriversIOCTL()
|
2023-08-19 04:52:57 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
ULONG length = 0;
|
2024-07-19 16:27:50 +02:00
|
|
|
SYSTEM_MODULES modules = {0};
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = GetSystemModuleInformation(&modules);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("GetSystemModuleInformation failed with status %x", status);
|
|
|
|
return status;
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = ValidateDriverObjectsWrapper(&modules);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("ValidateDriverObjects failed with status %x", status);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2023-11-09 08:30:59 +01:00
|
|
|
end:
|
2024-05-04 17:43:01 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (modules.address)
|
|
|
|
ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL);
|
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
2023-08-28 17:00:52 +02:00
|
|
|
}
|
|
|
|
|
2023-12-29 17:20:32 +01:00
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* TODO: this probably doesnt need to return an NTSTATUS, we can just return a
|
|
|
|
* boolean and remove the out variable.
|
2023-12-29 17:20:32 +01:00
|
|
|
*/
|
2024-05-05 15:58:36 +02:00
|
|
|
BOOLEAN
|
2024-08-01 06:21:53 +02:00
|
|
|
IsInstructionPointerInInvalidRegion(
|
|
|
|
_In_ UINT64 Rip, _In_ PSYSTEM_MODULES SystemModules)
|
2023-08-28 17:00:52 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
PRTL_MODULE_EXTENDED_INFO modules =
|
|
|
|
(PRTL_MODULE_EXTENDED_INFO)SystemModules->address;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/* Note that this does not check for HAL or PatchGuard Execution */
|
2024-07-19 16:27:50 +02:00
|
|
|
for (UINT32 index = 0; index < SystemModules->module_count; index++) {
|
2024-04-13 10:23:14 +02:00
|
|
|
UINT64 base = (UINT64)modules[index].ImageBase;
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT64 end = base + modules[index].ImageSize;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (Rip >= base && Rip <= end) {
|
2024-05-05 15:58:36 +02:00
|
|
|
return FALSE;
|
2023-12-13 05:06:27 +01:00
|
|
|
}
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
return TRUE;
|
2023-08-28 17:00:52 +02:00
|
|
|
}
|
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
BOOLEAN
|
2024-08-01 06:21:53 +02:00
|
|
|
IsInstructionPointerInsideSpecifiedModule(
|
|
|
|
_In_ UINT64 Rip, _In_ PRTL_MODULE_EXTENDED_INFO Module)
|
2024-01-01 17:45:40 +01:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
UINT64 base = (UINT64)Module->ImageBase;
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT64 end = base + Module->ImageSize;
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
if (Rip >= base && Rip <= end)
|
|
|
|
return TRUE;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
return FALSE;
|
2024-01-01 17:45:40 +01:00
|
|
|
}
|
|
|
|
|
2024-04-13 10:06:59 +02:00
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
ReportNmiBlocking()
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
UINT32 len = 0;
|
2024-07-19 16:27:50 +02:00
|
|
|
PNMI_CALLBACK_FAILURE report = NULL;
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
len = CryptRequestRequiredBufferLength(sizeof(NMI_CALLBACK_FAILURE));
|
2024-07-19 16:27:50 +02:00
|
|
|
report = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, len, REPORT_POOL_TAG);
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!report)
|
|
|
|
return STATUS_INSUFFICIENT_RESOURCES;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
INIT_REPORT_PACKET(report, REPORT_NMI_CALLBACK_FAILURE, 0);
|
2024-05-05 12:42:22 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
report->kthread_address = NULL;
|
|
|
|
report->invalid_rip = NULL;
|
2024-04-13 10:23:14 +02:00
|
|
|
report->were_nmis_disabled = TRUE;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = CryptEncryptBuffer(report, len);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("CryptEncryptBuffer: %lx", status);
|
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
IrpQueueSchedulePacket(report, len);
|
2024-04-13 10:06:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
ReportMissingCidTableEntry(_In_ PNMI_CONTEXT Context)
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
UINT32 len = 0;
|
2024-07-19 16:27:50 +02:00
|
|
|
PHIDDEN_SYSTEM_THREAD_REPORT report = NULL;
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
len = CryptRequestRequiredBufferLength(sizeof(HIDDEN_SYSTEM_THREAD_REPORT));
|
|
|
|
report = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, len, REPORT_POOL_TAG);
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!report)
|
|
|
|
return;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
INIT_REPORT_PACKET(report, REPORT_HIDDEN_SYSTEM_THREAD, 0);
|
2024-05-05 12:42:22 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
report->found_in_kthreadlist = FALSE; // wip
|
|
|
|
report->found_in_pspcidtable = FALSE;
|
2024-08-01 06:21:53 +02:00
|
|
|
report->thread_id = ImpPsGetThreadId(Context->kthread);
|
|
|
|
report->thread_address = Context->kthread;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
IntCopyMemory(report->thread, Context->kthread, sizeof(report->thread));
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = CryptEncryptBuffer(report, len);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("CryptEncryptBuffer: %lx", status);
|
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
IrpQueueSchedulePacket(report, len);
|
2024-04-13 10:06:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
ReportInvalidRipFoundDuringNmi(
|
|
|
|
_In_ PNMI_CONTEXT Context, _In_ UINT32 ReportSubCode)
|
2024-04-13 10:06:59 +02:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
UINT32 len = 0;
|
2024-07-19 16:27:50 +02:00
|
|
|
PNMI_CALLBACK_FAILURE report = NULL;
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
len = CryptRequestRequiredBufferLength(sizeof(HIDDEN_SYSTEM_THREAD_REPORT));
|
|
|
|
report = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, len, REPORT_POOL_TAG);
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-05-05 12:42:22 +02:00
|
|
|
if (!report)
|
|
|
|
return;
|
|
|
|
|
2024-07-13 07:43:50 +02:00
|
|
|
INIT_REPORT_PACKET(report, REPORT_NMI_CALLBACK_FAILURE, ReportSubCode);
|
2024-05-05 12:42:22 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
report->kthread_address = Context->kthread;
|
|
|
|
report->invalid_rip = Context->interrupted_rip;
|
2024-04-13 10:23:14 +02:00
|
|
|
report->were_nmis_disabled = FALSE;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = CryptEncryptBuffer(report, len);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("CryptEncryptBuffer: %lx", status);
|
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
IrpQueueSchedulePacket(report, len);
|
2024-04-13 10:06:59 +02:00
|
|
|
}
|
|
|
|
|
2024-07-13 07:43:50 +02:00
|
|
|
#define INSTRUCTION_UD2_BYTE_1 0x0F
|
|
|
|
#define INSTRUCTION_UD2_BYTE_2 0x0B
|
|
|
|
#define INSTRUCTION_INT3_BYTE_1 0xCC
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
BOOLEAN
|
|
|
|
DoesRetInstructionCauseException(_In_ UINT64 ReturnAddress)
|
|
|
|
{
|
|
|
|
/* UD2 instruction is 2 bytes*/
|
|
|
|
UCHAR opcodes[2] = {0};
|
|
|
|
|
|
|
|
/* we deal with um later */
|
|
|
|
if (IsUserModeAddress(ReturnAddress))
|
|
|
|
return FALSE;
|
|
|
|
|
2024-07-13 11:51:06 +02:00
|
|
|
if (!MmIsAddressValid(ReturnAddress))
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
/* Shoudln't really ever occur */
|
|
|
|
__try {
|
2024-07-22 12:43:09 +02:00
|
|
|
IntCopyMemory(&opcodes, ReturnAddress, sizeof(opcodes));
|
2024-07-13 11:51:06 +02:00
|
|
|
}
|
|
|
|
__except (EXCEPTION_EXECUTE_HANDLER) {
|
|
|
|
return FALSE;
|
|
|
|
}
|
2024-07-13 07:43:50 +02:00
|
|
|
|
|
|
|
if (opcodes[0] == INSTRUCTION_UD2_BYTE_1 &&
|
|
|
|
opcodes[1] == INSTRUCTION_UD2_BYTE_2)
|
|
|
|
return TRUE;
|
|
|
|
|
|
|
|
if (opcodes[0] == INSTRUCTION_INT3_BYTE_1)
|
|
|
|
return TRUE;
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
DEBUG_VERBOSE(
|
|
|
|
"Ret address instruction doesnt unconditionally throw exception");
|
2024-07-13 07:43:50 +02:00
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2023-12-23 19:52:55 +01:00
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* todo: i think we should split this function up into each analysis i.e one for
|
|
|
|
* the interrupted rip, one for the cid etc.
|
2023-12-29 17:20:32 +01:00
|
|
|
*/
|
2023-09-26 12:00:45 +02:00
|
|
|
STATIC
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2024-07-19 16:27:50 +02:00
|
|
|
AnalyseNmiData(_In_ PNMI_CONTEXT NmiContext, _In_ PSYSTEM_MODULES Modules)
|
2023-08-28 17:00:52 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
BOOLEAN flag = FALSE;
|
2024-07-19 16:27:50 +02:00
|
|
|
PNMI_CONTEXT context = NULL;
|
2023-08-28 17:00:52 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (!NmiContext || !Modules)
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_INVALID_PARAMETER;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
for (UINT32 core = 0; core < ImpKeQueryActiveProcessorCount(0); core++) {
|
|
|
|
context = &NmiContext[core];
|
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/* Make sure our NMIs were run */
|
2024-07-19 16:27:50 +02:00
|
|
|
if (!context->callback_count) {
|
2024-04-13 10:23:14 +02:00
|
|
|
ReportNmiBlocking();
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
DEBUG_VERBOSE(
|
|
|
|
"Analysing Nmi Data for: cpu number: %i callback count: %lx",
|
|
|
|
core,
|
2024-07-19 16:27:50 +02:00
|
|
|
context->callback_count);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
|
|
|
/*
|
2024-04-13 10:23:14 +02:00
|
|
|
* Our NMI callback allows us to interrupt every running thread
|
|
|
|
* on each core. Now it is common practice for malicious
|
|
|
|
* programs to either unlink their thread from the KTHREAD
|
|
|
|
* linked list or remove their threads entry from the
|
|
|
|
* PspCidTable or both. Now the reason an unlinked thread can
|
|
|
|
* still be scheduled is because the scheduler keeps a seperate
|
|
|
|
* list that it uses to schedule threads. It then places these
|
|
|
|
* threads in the KPRCB in either the CurrentThread, IdleThread
|
|
|
|
* or NextThread.
|
|
|
|
*
|
|
|
|
* Since you can't just set a threads affinity to enumerate over
|
|
|
|
* all cores and read the KPCRB->CurrentThread (since it will
|
|
|
|
* just show your thread) we have to interrupt the thread. So
|
|
|
|
* below we are validating that the thread is indeed in our own
|
|
|
|
* threads list using our callback routine and then using
|
|
|
|
* PsGetThreadId
|
2023-12-29 17:20:32 +01:00
|
|
|
*
|
2024-04-13 10:23:14 +02:00
|
|
|
* I also want to integrate a way to SAFELY determine whether a
|
|
|
|
* thread has been removed from the KTHREADs linked list, maybe
|
|
|
|
* PsGetNextProcess ?
|
2023-12-13 05:06:27 +01:00
|
|
|
*/
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (!DoesThreadHaveValidCidEntry(context->kthread))
|
|
|
|
ReportMissingCidTableEntry(context);
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(
|
|
|
|
context->interrupted_rip,
|
|
|
|
Modules))
|
2024-07-19 16:27:50 +02:00
|
|
|
ReportInvalidRipFoundDuringNmi(context, 0);
|
2023-12-29 17:20:32 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (context->user_thread)
|
2024-04-13 10:23:14 +02:00
|
|
|
continue;
|
2023-12-29 17:20:32 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (DoesRetInstructionCauseException(context->interrupted_rip))
|
2024-07-13 07:43:50 +02:00
|
|
|
ReportInvalidRipFoundDuringNmi(
|
2024-07-19 16:27:50 +02:00
|
|
|
context,
|
|
|
|
REPORT_SUBTYPE_EXCEPTION_THROWING_RET);
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
}
|
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
FORCEINLINE
|
|
|
|
STATIC
|
|
|
|
TASK_STATE_SEGMENT_64*
|
|
|
|
GetTaskStateSegment(_In_ UINT64 Kpcr)
|
|
|
|
{
|
|
|
|
return *(TASK_STATE_SEGMENT_64**)(Kpcr + KPCR_TSS_BASE_OFFSET);
|
|
|
|
}
|
|
|
|
|
|
|
|
FORCEINLINE
|
|
|
|
STATIC
|
|
|
|
PMACHINE_FRAME
|
|
|
|
GetIsrMachineFrame(_In_ TASK_STATE_SEGMENT_64* TaskStateSegment)
|
|
|
|
{
|
|
|
|
return TaskStateSegment->Ist3 - sizeof(MACHINE_FRAME);
|
|
|
|
}
|
|
|
|
|
|
|
|
STATIC BOOLEAN
|
2024-04-13 10:23:14 +02:00
|
|
|
NmiCallback(_Inout_opt_ PVOID Context, _In_ BOOLEAN Handled)
|
|
|
|
{
|
|
|
|
UNREFERENCED_PARAMETER(Handled);
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
ULONG core = KeGetCurrentProcessorNumber();
|
|
|
|
PNMI_CONTEXT context = &((PNMI_CONTEXT)Context)[core];
|
|
|
|
UINT64 kpcr = 0;
|
|
|
|
TASK_STATE_SEGMENT_64* tss = NULL;
|
|
|
|
PMACHINE_FRAME machine_frame = NULL;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
if (!ARGUMENT_PRESENT(Context))
|
|
|
|
return TRUE;
|
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/*
|
|
|
|
* To find the IRETQ frame (MACHINE_FRAME) we need to find the top of
|
|
|
|
* the NMI ISR stack. This is stored at TSS->Ist[3]. To find the TSS, we
|
|
|
|
* can read it from KPCR->TSS_BASE. Once we have our TSS, we can read
|
|
|
|
* the value at TSS->Ist[3] which points to the top of the ISR stack,
|
|
|
|
* and subtract the size of the MACHINE_FRAME struct. Allowing us read
|
|
|
|
* the interrupted RIP.
|
|
|
|
*
|
|
|
|
* The reason this is needed is because RtlCaptureStackBackTrace is not
|
|
|
|
* safe to run at IRQL = HIGH_LEVEL, hence we need to manually unwind
|
|
|
|
* the ISR stack to find the interrupted rip.
|
|
|
|
*/
|
2024-08-01 06:21:53 +02:00
|
|
|
kpcr = __readmsr(IA32_GS_BASE);
|
|
|
|
tss = GetTaskStateSegment(kpcr);
|
2024-05-04 17:43:01 +02:00
|
|
|
machine_frame = GetIsrMachineFrame(tss);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
if (IsUserModeAddress(machine_frame->rip))
|
2024-05-05 16:07:33 +02:00
|
|
|
context->user_thread = TRUE;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-05 16:07:33 +02:00
|
|
|
context->interrupted_rip = machine_frame->rip;
|
|
|
|
context->interrupted_rsp = machine_frame->rsp;
|
2024-08-01 06:21:53 +02:00
|
|
|
context->kthread = PsGetCurrentThread();
|
2024-05-05 16:07:33 +02:00
|
|
|
context->callback_count++;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
return TRUE;
|
2023-08-28 17:00:52 +02:00
|
|
|
}
|
|
|
|
|
2023-12-29 17:20:32 +01:00
|
|
|
#define NMI_DELAY_TIME 200 * 10000
|
2023-12-23 19:52:55 +01:00
|
|
|
|
2023-09-26 12:00:45 +02:00
|
|
|
STATIC
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2023-12-29 17:20:32 +01:00
|
|
|
LaunchNonMaskableInterrupt()
|
2023-08-28 17:00:52 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-10-10 15:52:42 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
PKAFFINITY_EX affinity = NULL;
|
2024-08-01 06:21:53 +02:00
|
|
|
LARGE_INTEGER delay = {0};
|
2024-07-19 16:27:50 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
affinity = ImpExAllocatePool2(
|
|
|
|
POOL_FLAG_NON_PAGED,
|
|
|
|
sizeof(KAFFINITY_EX),
|
|
|
|
PROC_AFFINITY_POOL);
|
2023-08-28 17:00:52 +02:00
|
|
|
|
2024-05-06 10:40:55 +02:00
|
|
|
if (!affinity)
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
2023-08-28 17:00:52 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
delay.QuadPart -= NMI_DELAY_TIME;
|
2023-08-30 18:29:44 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
for (ULONG core = 0; core < ImpKeQueryActiveProcessorCount(0); core++) {
|
2024-05-06 10:40:55 +02:00
|
|
|
ImpKeInitializeAffinityEx(affinity);
|
|
|
|
ImpKeAddProcessorAffinityEx(affinity, core);
|
2023-08-30 18:29:44 +02:00
|
|
|
|
2024-05-06 10:40:55 +02:00
|
|
|
HalSendNMI(affinity);
|
2023-08-28 17:00:52 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/*
|
|
|
|
* Only a single NMI can be active at any given time, so
|
|
|
|
* arbitrarily delay execution to allow time for the NMI to be
|
|
|
|
* processed
|
|
|
|
*/
|
|
|
|
ImpKeDelayExecutionThread(KernelMode, FALSE, &delay);
|
|
|
|
}
|
2023-08-28 17:00:52 +02:00
|
|
|
|
2024-05-06 10:40:55 +02:00
|
|
|
ImpExFreePoolWithTag(affinity, PROC_AFFINITY_POOL);
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_SUCCESS;
|
2023-08-28 17:00:52 +02:00
|
|
|
}
|
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2024-01-25 12:09:16 +01:00
|
|
|
HandleNmiIOCTL()
|
2023-08-28 17:00:52 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-10-10 15:52:42 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
PVOID handle = NULL;
|
2024-05-06 10:40:55 +02:00
|
|
|
SYSTEM_MODULES modules = {0};
|
2024-08-01 06:21:53 +02:00
|
|
|
PNMI_CONTEXT context = NULL;
|
|
|
|
UINT32 size = 0;
|
2023-12-29 17:20:32 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
size = ImpKeQueryActiveProcessorCount(0) * sizeof(NMI_CONTEXT);
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
/* Ensure we don't continue if another NMI operation is in progress */
|
2024-04-13 10:23:14 +02:00
|
|
|
if (IsNmiInProgress())
|
|
|
|
return STATUS_ALREADY_COMMITTED;
|
2024-01-25 12:09:16 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = ValidateHalDispatchTables();
|
2023-08-28 17:00:52 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/* do we continue ? probably. */
|
|
|
|
if (!NT_SUCCESS(status))
|
|
|
|
DEBUG_ERROR("ValidateHalDispatchTables failed with status %x", status);
|
2023-08-28 17:00:52 +02:00
|
|
|
|
2024-05-06 10:40:55 +02:00
|
|
|
context = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, size, NMI_CONTEXT_POOL);
|
2023-12-29 17:20:32 +01:00
|
|
|
|
2024-05-05 16:07:33 +02:00
|
|
|
if (!context) {
|
2024-04-13 10:23:14 +02:00
|
|
|
UnsetNmiInProgressFlag();
|
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We want to register and unregister our callback each time so it
|
|
|
|
* becomes harder for people to hook our callback and get up to some
|
|
|
|
* funny business
|
|
|
|
*/
|
2024-05-05 16:07:33 +02:00
|
|
|
handle = ImpKeRegisterNmiCallback(NmiCallback, context);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-05 16:07:33 +02:00
|
|
|
if (!handle) {
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_ERROR("KeRegisterNmiCallback failed with no status.");
|
2024-05-05 16:07:33 +02:00
|
|
|
goto end;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2023-08-28 17:00:52 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/*
|
|
|
|
* We query the system modules each time since they can potentially
|
|
|
|
* change at any time
|
|
|
|
*/
|
2024-05-05 16:07:33 +02:00
|
|
|
status = GetSystemModuleInformation(&modules);
|
2023-09-29 14:43:03 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("Error retriving system module information");
|
2024-05-05 16:07:33 +02:00
|
|
|
goto end;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2023-09-13 12:25:32 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = LaunchNonMaskableInterrupt();
|
2023-09-13 12:25:32 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("Error running NMI callbacks");
|
2024-05-05 16:07:33 +02:00
|
|
|
goto end;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
2024-05-05 16:07:33 +02:00
|
|
|
status = AnalyseNmiData(context, &modules);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status))
|
|
|
|
DEBUG_ERROR("Error analysing nmi data");
|
|
|
|
|
2024-05-05 16:07:33 +02:00
|
|
|
end:
|
|
|
|
|
|
|
|
if (modules.address)
|
|
|
|
ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL);
|
|
|
|
|
|
|
|
if (context)
|
|
|
|
ImpExFreePoolWithTag(context, NMI_CONTEXT_POOL);
|
|
|
|
|
|
|
|
if (handle)
|
|
|
|
ImpKeDeregisterNmiCallback(handle);
|
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
UnsetNmiInProgressFlag();
|
|
|
|
return status;
|
2023-09-24 13:13:20 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* The RundownRoutine is executed if the thread terminates before the APC was
|
|
|
|
* delivered to user mode.
|
2023-12-13 05:06:27 +01:00
|
|
|
*/
|
2023-09-26 12:00:45 +02:00
|
|
|
STATIC
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2023-12-13 05:06:27 +01:00
|
|
|
ApcRundownRoutine(_In_ PRKAPC Apc)
|
2023-09-24 13:13:20 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
FreeApcAndDecrementApcCount(Apc, APC_CONTEXT_ID_STACKWALK);
|
2023-09-24 13:13:20 +02:00
|
|
|
}
|
|
|
|
|
2024-04-13 10:06:59 +02:00
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
ReportApcStackwalkViolation(_In_ UINT64 Rip)
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
UINT32 len = 0;
|
2024-07-19 16:27:50 +02:00
|
|
|
PAPC_STACKWALK_REPORT report = NULL;
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
len = CryptRequestRequiredBufferLength(sizeof(APC_STACKWALK_REPORT));
|
2024-07-19 16:27:50 +02:00
|
|
|
report = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, len, REPORT_POOL_TAG);
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!report)
|
|
|
|
return;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
INIT_REPORT_PACKET(report, REPORT_APC_STACKWALK, 0);
|
2024-05-05 12:42:22 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
report->kthread_address = (UINT64)KeGetCurrentThread();
|
2024-08-01 06:21:53 +02:00
|
|
|
report->invalid_rip = Rip;
|
2024-05-05 12:42:22 +02:00
|
|
|
// report->driver ?? todo!
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = CryptEncryptBuffer(report, len);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("CryptEncryptBuffer: %lx", status);
|
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
IrpQueueSchedulePacket(report, len);
|
2024-04-13 10:06:59 +02:00
|
|
|
}
|
|
|
|
|
2023-09-24 13:13:20 +02:00
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* The KernelRoutine is executed in kernel mode at APC_LEVEL before the APC is
|
|
|
|
* delivered. This is also where we want to free our APC object.
|
2023-12-13 05:06:27 +01:00
|
|
|
*/
|
2023-09-26 12:00:45 +02:00
|
|
|
STATIC
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
ApcKernelRoutine(
|
|
|
|
_In_ PRKAPC Apc,
|
|
|
|
_Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine,
|
|
|
|
_Inout_ _Deref_pre_maybenull_ PVOID* NormalContext,
|
|
|
|
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1,
|
|
|
|
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2)
|
2023-09-28 15:56:07 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
PVOID buffer = NULL;
|
|
|
|
INT frames_captured = 0;
|
|
|
|
UINT64 frame = 0;
|
|
|
|
PAPC_STACKWALK_CONTEXT context = NULL;
|
|
|
|
PTHREAD_LIST_ENTRY entry = NULL;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
context = (PAPC_STACKWALK_CONTEXT)Apc->NormalContext;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
FindThreadListEntryByThreadAddress(KeGetCurrentThread(), &entry);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (!entry)
|
2024-04-13 10:23:14 +02:00
|
|
|
return;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
buffer = ImpExAllocatePool2(
|
|
|
|
POOL_FLAG_NON_PAGED,
|
|
|
|
STACK_FRAME_POOL_SIZE,
|
|
|
|
POOL_TAG_APC);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!buffer)
|
|
|
|
goto free;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
frames_captured = ImpRtlCaptureStackBackTrace(
|
|
|
|
NULL,
|
|
|
|
STACK_FRAME_POOL_SIZE / sizeof(UINT64),
|
|
|
|
buffer,
|
|
|
|
NULL);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!frames_captured)
|
|
|
|
goto free;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
for (UINT32 index = 0; index < frames_captured; index++) {
|
|
|
|
frame = ((PUINT64)buffer)[index];
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/*
|
|
|
|
* Apc->NormalContext holds the address of our context data
|
|
|
|
* structure that we passed into KeInitializeApc as the last
|
|
|
|
* argument.
|
|
|
|
*/
|
2024-07-19 16:27:50 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(frame, context->modules)) {
|
|
|
|
ReportApcStackwalkViolation(frame);
|
|
|
|
}
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
2023-09-28 15:56:07 +02:00
|
|
|
free:
|
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (buffer)
|
|
|
|
ImpExFreePoolWithTag(buffer, POOL_TAG_APC);
|
2023-09-28 15:56:07 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
FreeApcAndDecrementApcCount(Apc, APC_CONTEXT_ID_STACKWALK);
|
2023-10-09 09:34:30 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
entry->apc = NULL;
|
2024-07-19 16:27:50 +02:00
|
|
|
entry->apc_queued = FALSE;
|
2023-09-24 13:13:20 +02:00
|
|
|
}
|
|
|
|
|
2023-09-28 15:56:07 +02:00
|
|
|
/*
|
2023-12-13 05:06:27 +01:00
|
|
|
* The NormalRoutine is executed in user mode when the APC is delivered.
|
|
|
|
*/
|
2023-09-28 15:56:07 +02:00
|
|
|
STATIC
|
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
ApcNormalRoutine(
|
|
|
|
_In_opt_ PVOID NormalContext,
|
|
|
|
_In_opt_ PVOID SystemArgument1,
|
|
|
|
_In_opt_ PVOID SystemArgument2)
|
2023-09-28 15:56:07 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-09-28 15:56:07 +02:00
|
|
|
}
|
2023-09-24 13:13:20 +02:00
|
|
|
|
2023-10-08 16:07:49 +02:00
|
|
|
#define THREAD_STATE_TERMINATED 4
|
2023-12-13 05:06:27 +01:00
|
|
|
#define THREAD_STATE_WAIT 5
|
|
|
|
#define THREAD_STATE_INIT 0
|
2023-10-08 16:07:49 +02:00
|
|
|
|
2023-09-28 15:56:07 +02:00
|
|
|
STATIC
|
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
ValidateThreadViaKernelApcCallback(
|
|
|
|
_In_ PTHREAD_LIST_ENTRY Entry, _Inout_opt_ PVOID Context)
|
2023-09-28 15:56:07 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
PKAPC apc = NULL;
|
|
|
|
PLONG flags = NULL;
|
|
|
|
PCHAR prev_mode = NULL;
|
|
|
|
PUCHAR state = NULL;
|
|
|
|
BOOLEAN apc_queueable = FALSE;
|
|
|
|
LPCSTR proc_name = NULL;
|
|
|
|
PAPC_STACKWALK_CONTEXT context = NULL;
|
2024-07-19 16:27:50 +02:00
|
|
|
|
|
|
|
context = (PAPC_STACKWALK_CONTEXT)Context;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
if (!ARGUMENT_PRESENT(Context))
|
|
|
|
return;
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
proc_name = ImpPsGetProcessImageFileName(Entry->owning_process);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Its possible to set the KThread->ApcQueueable flag to false ensuring
|
|
|
|
* that no APCs can be queued to the thread, as KeInsertQueueApc will
|
|
|
|
* check this flag before queueing an APC so lets make sure we flip this
|
|
|
|
* before before queueing ours. Since we filter out any system threads
|
|
|
|
* this should be fine... c:
|
|
|
|
*/
|
2024-08-01 06:21:53 +02:00
|
|
|
flags = RVA(PLONG, Entry->thread, KTHREAD_MISC_FLAGS_OFFSET);
|
2024-07-19 16:27:50 +02:00
|
|
|
prev_mode = RVA(PCHAR, Entry->thread, KTHREAD_PREVIOUS_MODE_OFFSET);
|
2024-08-01 06:21:53 +02:00
|
|
|
state = RVA(PUCHAR, Entry->thread, KTHREAD_STATE_OFFSET);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
/*
|
|
|
|
* For now, lets only check for system threads. However, we also want to
|
|
|
|
* check for threads executing in kernel mode, i.e KTHREAD->PreviousMode
|
|
|
|
* == UserMode.
|
|
|
|
*/
|
2024-07-19 16:27:50 +02:00
|
|
|
if (Entry->owning_process != PsInitialSystemProcess)
|
2024-04-13 10:23:14 +02:00
|
|
|
return;
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (Entry->thread == KeGetCurrentThread() || !Entry->thread)
|
2024-04-13 10:23:14 +02:00
|
|
|
return;
|
|
|
|
|
|
|
|
DEBUG_VERBOSE(
|
|
|
|
"Validating thread: %llx, process name: %s via kernel APC stackwalk.",
|
2024-07-19 16:27:50 +02:00
|
|
|
Entry->thread,
|
|
|
|
proc_name);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
SetFlag(*flags, KTHREAD_MISC_FLAGS_ALERTABLE);
|
|
|
|
SetFlag(*flags, KTHREAD_MISC_FLAGS_APC_QUEUEABLE);
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
apc = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(KAPC), POOL_TAG_APC);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
if (!apc)
|
|
|
|
return;
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
ImpKeInitializeApc(
|
|
|
|
apc,
|
|
|
|
Entry->thread,
|
|
|
|
OriginalApcEnvironment,
|
|
|
|
ApcKernelRoutine,
|
|
|
|
ApcRundownRoutine,
|
|
|
|
ApcNormalRoutine,
|
|
|
|
KernelMode,
|
|
|
|
Context);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
if (!ImpKeInsertQueueApc(apc, NULL, NULL, IO_NO_INCREMENT)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_ERROR("KeInsertQueueApc failed with no status.");
|
|
|
|
ImpExFreePoolWithTag(apc, POOL_TAG_APC);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
Entry->apc = apc;
|
2024-07-19 16:27:50 +02:00
|
|
|
Entry->apc_queued = TRUE;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
IncrementApcCount(APC_CONTEXT_ID_STACKWALK);
|
2023-09-24 13:13:20 +02:00
|
|
|
}
|
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
FORCEINLINE
|
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
SetApcAllocationInProgress(_In_ PAPC_STACKWALK_CONTEXT Context)
|
|
|
|
{
|
|
|
|
Context->header.allocation_in_progress = TRUE;
|
|
|
|
}
|
|
|
|
|
2024-05-30 07:42:35 +02:00
|
|
|
FORCEINLINE
|
|
|
|
STATIC
|
|
|
|
VOID
|
2024-05-04 17:43:01 +02:00
|
|
|
UnsetApcAllocationInProgress(_In_ PAPC_STACKWALK_CONTEXT Context)
|
|
|
|
{
|
|
|
|
Context->header.allocation_in_progress = FALSE;
|
|
|
|
}
|
|
|
|
|
2023-09-24 13:13:20 +02:00
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* Since NMIs are only executed on the thread that is running on each logical
|
|
|
|
* core, it makes sense to make use of APCs that, while can be masked off,
|
|
|
|
* provide us to easily issue a callback routine to threads we want a stack
|
|
|
|
* trace of. Hence by utilising both APCs and NMIs we get excellent coverage of
|
|
|
|
* the entire system.
|
2023-12-13 05:06:27 +01:00
|
|
|
*/
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2023-09-26 12:00:45 +02:00
|
|
|
ValidateThreadsViaKernelApc()
|
2023-09-24 13:13:20 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-10-10 15:52:42 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
2024-04-13 10:23:14 +02:00
|
|
|
PAPC_STACKWALK_CONTEXT context = NULL;
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/* First, ensure we dont already have an ongoing operation */
|
|
|
|
GetApcContext(&context, APC_CONTEXT_ID_STACKWALK);
|
2023-09-28 18:10:01 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (context) {
|
|
|
|
DEBUG_WARNING("Existing APC_STACKWALK operation already in progress.");
|
|
|
|
return STATUS_SUCCESS;
|
|
|
|
}
|
2023-09-28 18:10:01 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
context = ImpExAllocatePool2(
|
|
|
|
POOL_FLAG_NON_PAGED,
|
|
|
|
sizeof(APC_STACKWALK_CONTEXT),
|
|
|
|
POOL_TAG_APC);
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!context)
|
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
context->header.context_id = APC_CONTEXT_ID_STACKWALK;
|
2024-08-01 06:21:53 +02:00
|
|
|
context->modules = ImpExAllocatePool2(
|
|
|
|
POOL_FLAG_NON_PAGED,
|
|
|
|
sizeof(SYSTEM_MODULES),
|
|
|
|
POOL_TAG_APC);
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!context->modules) {
|
|
|
|
ImpExFreePoolWithTag(context, POOL_TAG_APC);
|
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
|
|
|
}
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = GetSystemModuleInformation(context->modules);
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("GetSystemModuleInformation failed with status %x", status);
|
|
|
|
ImpExFreePoolWithTag(context->modules, POOL_TAG_APC);
|
|
|
|
ImpExFreePoolWithTag(context, POOL_TAG_APC);
|
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
|
|
|
}
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
InsertApcContext(context);
|
2023-10-09 09:34:30 +02:00
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
SetApcAllocationInProgress(context);
|
2024-07-19 16:27:50 +02:00
|
|
|
ENUMERATE_THREADS(ValidateThreadViaKernelApcCallback, context);
|
2024-05-04 17:43:01 +02:00
|
|
|
UnsetApcAllocationInProgress(context);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
2023-09-25 17:41:38 +02:00
|
|
|
}
|
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2023-12-13 05:06:27 +01:00
|
|
|
FreeApcStackwalkApcContextInformation(_Inout_ PAPC_STACKWALK_CONTEXT Context)
|
2023-09-25 17:41:38 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
if (Context->modules->address)
|
|
|
|
ImpExFreePoolWithTag(Context->modules->address, SYSTEM_MODULES_POOL);
|
|
|
|
if (Context->modules)
|
|
|
|
ImpExFreePoolWithTag(Context->modules, POOL_TAG_APC);
|
2023-09-29 14:43:03 +02:00
|
|
|
}
|
|
|
|
|
2023-12-29 17:20:32 +01:00
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
DpcStackwalkCallbackRoutine(
|
|
|
|
_In_ PKDPC Dpc,
|
|
|
|
_In_opt_ PVOID DeferredContext,
|
|
|
|
_In_opt_ PVOID SystemArgument1,
|
|
|
|
_In_opt_ PVOID SystemArgument2)
|
2023-12-29 17:20:32 +01:00
|
|
|
{
|
2024-05-11 14:54:58 +02:00
|
|
|
UNREFERENCED_PARAMETER(Dpc);
|
|
|
|
UNREFERENCED_PARAMETER(SystemArgument2);
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
PDPC_CONTEXT context = NULL;
|
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
if (!ARGUMENT_PRESENT(DeferredContext))
|
|
|
|
return;
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
context = &((PDPC_CONTEXT)DeferredContext)[KeGetCurrentProcessorNumber()];
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
context->frames_captured = ImpRtlCaptureStackBackTrace(
|
|
|
|
DPC_STACKWALK_FRAMES_TO_SKIP,
|
|
|
|
DPC_STACKWALK_STACKFRAME_COUNT,
|
|
|
|
&context->stack_frame,
|
|
|
|
NULL);
|
2024-07-19 16:27:50 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
InterlockedExchange(&context->executed, TRUE);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
|
|
|
#pragma warning(push)
|
|
|
|
#pragma warning(disable : C6387)
|
2024-04-13 10:23:14 +02:00
|
|
|
ImpKeSignalCallDpcDone(SystemArgument1);
|
2024-05-11 14:54:58 +02:00
|
|
|
#pragma warning(pop)
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_VERBOSE(
|
|
|
|
"Executed DPC on core: %lx, with %lx frames captured.",
|
|
|
|
KeGetCurrentProcessorNumber(),
|
|
|
|
context->frames_captured);
|
2023-12-29 17:20:32 +01:00
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2023-12-29 17:20:32 +01:00
|
|
|
STATIC
|
2024-04-13 10:06:59 +02:00
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
ReportDpcStackwalkViolation(
|
|
|
|
_In_ PDPC_CONTEXT Context, _In_ UINT64 Frame, _In_ UINT32 ReportSubtype)
|
2024-04-13 10:06:59 +02:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
UINT32 len = 0;
|
2024-07-19 16:27:50 +02:00
|
|
|
PDPC_STACKWALK_REPORT report = NULL;
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
len = CryptRequestRequiredBufferLength(sizeof(DPC_STACKWALK_REPORT));
|
2024-07-19 16:27:50 +02:00
|
|
|
report = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, len, REPORT_POOL_TAG);
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!report)
|
|
|
|
return;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-07-13 07:43:50 +02:00
|
|
|
INIT_REPORT_PACKET(report, REPORT_DPC_STACKWALK, ReportSubtype);
|
2024-05-05 12:42:22 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
report->kthread_address = PsGetCurrentThread();
|
2024-08-01 06:21:53 +02:00
|
|
|
report->invalid_rip = Frame;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
// IntCopyMemory(report->driver,
|
2024-04-13 10:23:14 +02:00
|
|
|
// (UINT64)Context[core].stack_frame[frame]
|
|
|
|
// - 0x50,
|
|
|
|
// APC_STACKWALK_BUFFER_SIZE);
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = CryptEncryptBuffer(report, len);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("CryptEncryptBuffer: %lx", status);
|
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
IrpQueueSchedulePacket(report, len);
|
2024-04-13 10:06:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
ValidateDpcStackFrame(_In_ PDPC_CONTEXT Context, _In_ PSYSTEM_MODULES Modules)
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
2024-08-01 06:21:53 +02:00
|
|
|
BOOLEAN flag = FALSE;
|
|
|
|
UINT64 rip = 0;
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-07-13 07:43:50 +02:00
|
|
|
/* With regards to this, lets only check the interrupted rip */
|
|
|
|
if (DoesRetInstructionCauseException(Context->stack_frame[0]))
|
2024-08-01 06:21:53 +02:00
|
|
|
ReportDpcStackwalkViolation(
|
|
|
|
Context,
|
|
|
|
Context->stack_frame[0],
|
|
|
|
REPORT_SUBTYPE_EXCEPTION_THROWING_RET);
|
2024-07-13 07:43:50 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
for (UINT32 frame = 0; frame < Context->frames_captured; frame++) {
|
2024-07-19 16:27:50 +02:00
|
|
|
rip = Context->stack_frame[frame];
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(rip, Modules))
|
2024-07-13 07:43:50 +02:00
|
|
|
ReportDpcStackwalkViolation(Context, rip, 0);
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2024-04-13 10:06:59 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
ValidateDpcCapturedStack(
|
|
|
|
_In_ PSYSTEM_MODULES Modules, _In_ PDPC_CONTEXT Context)
|
2023-12-29 17:20:32 +01:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
BOOLEAN flag = FALSE;
|
2024-07-19 16:27:50 +02:00
|
|
|
PDPC_CONTEXT context = NULL;
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT32 count = ImpKeQueryActiveProcessorCount(0);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
for (UINT32 core = 0; core < count; core++) {
|
2024-07-19 16:27:50 +02:00
|
|
|
context = &Context[core];
|
|
|
|
|
|
|
|
if (!context->executed)
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_WARNING(
|
|
|
|
"DPC Stackwalk routine not executed. Core: %lx",
|
|
|
|
core);
|
2024-07-19 16:27:50 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
ValidateDpcStackFrame(&Context[core], Modules);
|
|
|
|
}
|
2023-12-29 17:20:32 +01:00
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2023-12-29 17:20:32 +01:00
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* Lets use DPCs as another form of stackwalking rather then inter-process
|
|
|
|
* interrupts because DPCs run at IRQL = DISPATCH_LEVEL, allowing us to use
|
|
|
|
* functions such as RtlCaptureStackBackTrace whereas IPIs run at IRQL =
|
|
|
|
* IPI_LEVEL. DPCs are also harder to mask compared to APCs which can be masked
|
|
|
|
* with the flip of a bit in the KTHREAD structure.
|
2023-12-29 17:20:32 +01:00
|
|
|
*/
|
|
|
|
NTSTATUS
|
|
|
|
DispatchStackwalkToEachCpuViaDpc()
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
PDPC_CONTEXT context = NULL;
|
2024-04-13 10:23:14 +02:00
|
|
|
SYSTEM_MODULES modules = {0};
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT32 size = 0;
|
2023-12-29 17:20:32 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
size = ImpKeQueryActiveProcessorCount(0) * sizeof(DPC_CONTEXT);
|
2024-04-13 10:23:14 +02:00
|
|
|
context = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, size, POOL_TAG_DPC);
|
2023-12-29 17:20:32 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!context)
|
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
2023-12-29 17:20:32 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = GetSystemModuleInformation(&modules);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("GetSystemModuleInformation failed with status %x", status);
|
|
|
|
goto end;
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/* KeGenericCallDpc will queue a DPC to each processor with importance =
|
|
|
|
* HighImportance. This means our DPC will be inserted into the front of
|
|
|
|
* the DPC queue and executed immediately.*/
|
|
|
|
ImpKeGenericCallDpc(DpcStackwalkCallbackRoutine, context);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
/* Flush all DPC's in the system to ensure ours have run */
|
|
|
|
KeFlushQueuedDpcs();
|
2023-10-30 12:57:24 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
ValidateDpcCapturedStack(&modules, context);
|
2023-10-30 12:57:24 +01:00
|
|
|
|
2023-12-29 17:20:32 +01:00
|
|
|
end:
|
2023-10-30 12:57:24 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (modules.address)
|
|
|
|
ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL);
|
|
|
|
if (context)
|
|
|
|
ImpExFreePoolWithTag(context, POOL_TAG_DPC);
|
2023-10-30 12:57:24 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
2024-01-01 17:45:40 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/* todo: walk the chain of pointers to prevent jmp chaining */
|
|
|
|
STATIC
|
2024-06-09 09:22:22 +02:00
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
ValidateTableDispatchRoutines(
|
|
|
|
_In_ PVOID* Base,
|
|
|
|
_In_ UINT32 Entries,
|
|
|
|
_In_ PSYSTEM_MODULES Modules,
|
|
|
|
_Out_ PVOID* Routine)
|
2024-01-01 17:45:40 +01:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
for (UINT32 index = 0; index < Entries; index++) {
|
|
|
|
if (!Base[index])
|
|
|
|
continue;
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(Base[index], Modules))
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = Base[index];
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* windows version info: https://www.techthoughts.info/windows-version-numbers/
|
|
|
|
*
|
|
|
|
* sizes:
|
|
|
|
* https://www.vergiliusproject.com/kernels/x64/Windows%2011/22H2%20(2022%20Update)/HAL_PRIVATE_DISPATCH
|
|
|
|
*/
|
|
|
|
#define HAL_PRIVATE_DISPATCH_W11_22H2_SIZE 0x4f0
|
|
|
|
#define HAL_PRIVATE_DISPATCH_W10_22H2_SIZE 0x4b0
|
|
|
|
|
|
|
|
#define WINDOWS_10_MAX_BUILD_NUMBER 19045
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
UINT32
|
|
|
|
GetHalPrivateDispatchTableRoutineCount(_In_ PRTL_OSVERSIONINFOW VersionInfo)
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
if (VersionInfo->dwBuildNumber <= WINDOWS_10_MAX_BUILD_NUMBER)
|
|
|
|
return (HAL_PRIVATE_DISPATCH_W10_22H2_SIZE / sizeof(UINT64)) - 1;
|
|
|
|
else
|
|
|
|
return (HAL_PRIVATE_DISPATCH_W11_22H2_SIZE / sizeof(UINT64)) - 1;
|
2024-01-01 17:45:40 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
NTSTATUS
|
2024-08-01 06:21:53 +02:00
|
|
|
ValidateHalPrivateDispatchTable(
|
|
|
|
_Out_ PVOID* Routine, _In_ PSYSTEM_MODULES Modules)
|
2024-01-01 17:45:40 +01:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
PVOID table = NULL;
|
|
|
|
UNICODE_STRING string = RTL_CONSTANT_STRING(L"HalPrivateDispatchTable");
|
|
|
|
PVOID* base = NULL;
|
2024-04-13 10:23:14 +02:00
|
|
|
RTL_OSVERSIONINFOW os_info = {0};
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT32 count = 0;
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_VERBOSE("Validating HalPrivateDispatchTable.");
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
table = ImpMmGetSystemRoutineAddress(&string);
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!table)
|
|
|
|
return status;
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = GetOsVersionInformation(&os_info);
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("GetOsVersionInformation failed with status %x", status);
|
|
|
|
return status;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
base = (UINT64)table + sizeof(UINT64);
|
2024-04-13 10:23:14 +02:00
|
|
|
count = GetHalPrivateDispatchTableRoutineCount(&os_info);
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
ValidateTableDispatchRoutines(base, count, Modules, Routine);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
2024-01-01 17:45:40 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
STATIC
|
2024-06-09 09:22:22 +02:00
|
|
|
VOID
|
2024-01-01 17:45:40 +01:00
|
|
|
ValidateHalDispatchTable(_Out_ PVOID* Routine, _In_ PSYSTEM_MODULES Modules)
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = NULL;
|
|
|
|
|
|
|
|
DEBUG_VERBOSE("Validating HalDispatchTable.");
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Since windows exports all the function pointers inside the
|
|
|
|
* HalDispatchTable, we may aswell make use of them and validate it this
|
|
|
|
* way. While it definitely is ugly, it is the safest way to do it.
|
|
|
|
*
|
|
|
|
* What if there are 2 invalid routines? hmm.. tink.
|
|
|
|
*/
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(
|
|
|
|
HalQuerySystemInformation,
|
|
|
|
Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalQuerySystemInformation;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalSetSystemInformation, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalSetSystemInformation;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalQueryBusSlots, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalQueryBusSlots;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(
|
|
|
|
HalReferenceHandlerForBus,
|
|
|
|
Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalReferenceHandlerForBus;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalReferenceBusHandler, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalReferenceBusHandler;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(
|
|
|
|
HalDereferenceBusHandler,
|
|
|
|
Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalDereferenceBusHandler;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalInitPnpDriver, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalInitPnpDriver;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalInitPowerManagement, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalInitPowerManagement;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalGetDmaAdapter, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalGetDmaAdapter;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(
|
|
|
|
HalGetInterruptTranslator,
|
|
|
|
Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalGetInterruptTranslator;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalStartMirroring, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalStartMirroring;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalEndMirroring, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalEndMirroring;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalMirrorPhysicalMemory, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalMirrorPhysicalMemory;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalEndOfBoot, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalEndOfBoot;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalMirrorVerify, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalMirrorVerify;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalGetCachedAcpiTable, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalGetCachedAcpiTable;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(
|
|
|
|
HalSetPciErrorHandlerCallback,
|
|
|
|
Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalSetPciErrorHandlerCallback;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (IsInstructionPointerInInvalidRegion(HalGetPrmCache, Modules)) {
|
2024-04-13 10:23:14 +02:00
|
|
|
*Routine = HalGetPrmCache;
|
2024-05-05 15:58:36 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
end:
|
2024-06-09 09:22:22 +02:00
|
|
|
return;
|
2024-01-01 17:45:40 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
ReportDataTableInvalidRoutine(_In_ TABLE_ID TableId, _In_ UINT64 Address)
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
UINT32 len = 0;
|
2024-07-19 16:27:50 +02:00
|
|
|
PDATA_TABLE_ROUTINE_REPORT report = NULL;
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
len = CryptRequestRequiredBufferLength(sizeof(DATA_TABLE_ROUTINE_REPORT));
|
|
|
|
report = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, len, REPORT_POOL_TAG);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
if (!report)
|
|
|
|
return;
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_WARNING(
|
|
|
|
"Invalid data table routine found. Table: %lx, Address: %llx",
|
|
|
|
TableId,
|
|
|
|
Address);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
INIT_REPORT_PACKET(report, REPORT_DATA_TABLE_ROUTINE, 0);
|
2024-05-05 12:42:22 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
report->address = Address;
|
2024-05-05 12:42:22 +02:00
|
|
|
report->table_id = TableId;
|
2024-08-01 06:21:53 +02:00
|
|
|
report->index = 0;
|
2024-07-19 16:27:50 +02:00
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
IntCopyMemory(report->routine, Address, DATA_TABLE_ROUTINE_BUF_SIZE);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = CryptEncryptBuffer(report, len);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("CryptEncryptBuffer: %lx", status);
|
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
IrpQueueSchedulePacket(report, len);
|
2024-01-01 17:45:40 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
|
|
ValidateHalDispatchTables()
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
SYSTEM_MODULES modules = {0};
|
|
|
|
PVOID routine1 = NULL;
|
|
|
|
PVOID routine2 = NULL;
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = GetSystemModuleInformation(&modules);
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("GetSystemModuleInformation failed with status %x", status);
|
|
|
|
return status;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
ValidateHalDispatchTable(&routine1, &modules);
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (routine1)
|
|
|
|
ReportDataTableInvalidRoutine(HalDispatch, routine1);
|
|
|
|
else
|
|
|
|
DEBUG_VERBOSE("HalDispatch dispatch routines are valid.");
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = ValidateHalPrivateDispatchTable(&routine2, &modules);
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
"ValidateHalPrivateDispatchTable failed with status %x",
|
|
|
|
status);
|
2024-04-13 10:23:14 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (routine2)
|
|
|
|
ReportDataTableInvalidRoutine(HalPrivateDispatch, routine2);
|
|
|
|
else
|
|
|
|
DEBUG_VERBOSE("HalPrivateDispatch dispatch routines are valid.");
|
2024-01-01 17:45:40 +01:00
|
|
|
|
|
|
|
end:
|
2024-04-13 10:23:14 +02:00
|
|
|
if (modules.address)
|
|
|
|
ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL);
|
2024-01-01 17:45:40 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
2024-02-13 19:08:38 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
2024-08-01 06:21:53 +02:00
|
|
|
GetDriverObjectByDriverName(
|
|
|
|
_In_ PUNICODE_STRING DriverName, _Out_ PDRIVER_OBJECT* DriverObject)
|
2024-02-13 19:08:38 +01:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
HANDLE handle = NULL;
|
|
|
|
OBJECT_ATTRIBUTES attributes = {0};
|
|
|
|
PVOID dir = {0};
|
|
|
|
UNICODE_STRING dir_name = {0};
|
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
POBJECT_DIRECTORY dir_object = NULL;
|
|
|
|
POBJECT_DIRECTORY_ENTRY entry = NULL;
|
|
|
|
POBJECT_DIRECTORY_ENTRY sub_entry = NULL;
|
|
|
|
PDRIVER_OBJECT driver = NULL;
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
*DriverObject = NULL;
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
ImpRtlInitUnicodeString(&dir_name, L"\\Driver");
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
InitializeObjectAttributes(
|
|
|
|
&attributes,
|
|
|
|
&dir_name,
|
|
|
|
OBJ_CASE_INSENSITIVE,
|
|
|
|
NULL,
|
|
|
|
NULL);
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status =
|
|
|
|
ImpZwOpenDirectoryObject(&handle, DIRECTORY_ALL_ACCESS, &attributes);
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("ZwOpenDirectoryObject failed with status %x", status);
|
|
|
|
return status;
|
|
|
|
}
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = ImpObReferenceObjectByHandle(
|
|
|
|
handle,
|
|
|
|
DIRECTORY_ALL_ACCESS,
|
|
|
|
NULL,
|
|
|
|
KernelMode,
|
|
|
|
&dir,
|
|
|
|
NULL);
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("ObReferenceObjectByHandle failed with status %x", status);
|
|
|
|
ImpZwClose(handle);
|
|
|
|
return status;
|
|
|
|
}
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
dir_object = (POBJECT_DIRECTORY)dir;
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
ImpExAcquirePushLockExclusiveEx(&dir_object->Lock, NULL);
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
for (UINT32 index = 0; index < NUMBER_HASH_BUCKETS; index++) {
|
|
|
|
entry = dir_object->HashBuckets[index];
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!entry)
|
|
|
|
continue;
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
sub_entry = entry;
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
while (sub_entry) {
|
2024-07-19 16:27:50 +02:00
|
|
|
driver = GetObjectFromDirectory(sub_entry);
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
if (!RtlCompareUnicodeString(
|
|
|
|
DriverName,
|
|
|
|
&driver->DriverName,
|
|
|
|
FALSE)) {
|
2024-07-19 16:27:50 +02:00
|
|
|
*DriverObject = driver;
|
2024-04-13 10:23:14 +02:00
|
|
|
goto end;
|
|
|
|
}
|
2024-02-13 19:08:38 +01:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
sub_entry = GetNextObject(sub_entry);
|
2024-02-13 19:08:38 +01:00
|
|
|
}
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2024-02-13 19:08:38 +01:00
|
|
|
|
|
|
|
end:
|
2024-07-19 16:27:50 +02:00
|
|
|
ImpExReleasePushLockExclusiveEx(&dir_object->Lock, 0);
|
|
|
|
ImpObDereferenceObject(dir);
|
2024-04-13 10:23:14 +02:00
|
|
|
ImpZwClose(handle);
|
|
|
|
return STATUS_SUCCESS;
|
2024-05-04 17:43:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
PVOID
|
|
|
|
FindDriverBaseNoApi(_In_ PDRIVER_OBJECT DriverObject, _In_ PWCH Name)
|
|
|
|
{
|
2024-07-19 16:27:50 +02:00
|
|
|
PKLDR_DATA_TABLE_ENTRY first = NULL;
|
|
|
|
PKLDR_DATA_TABLE_ENTRY entry = NULL;
|
2024-05-04 17:43:01 +02:00
|
|
|
|
|
|
|
/* first entry contains invalid data, 2nd entry is the kernel */
|
2024-07-19 16:27:50 +02:00
|
|
|
first = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
|
|
|
|
entry = ((PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection)
|
|
|
|
->InLoadOrderLinks.Flink->Flink;
|
2024-05-04 17:43:01 +02:00
|
|
|
|
|
|
|
while (entry->InLoadOrderLinks.Flink != first) {
|
|
|
|
/* todo: write our own unicode string comparison function, since
|
|
|
|
* the entire point of this is to find exports with no exports.
|
|
|
|
*/
|
|
|
|
if (!wcscmp(entry->BaseDllName.Buffer, Name)) {
|
|
|
|
return entry->DllBase;
|
|
|
|
}
|
|
|
|
|
|
|
|
entry = entry->InLoadOrderLinks.Flink;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
ValidateDispatchTableRoutines(_In_ PVOID* Table, _In_ UINT32 Entries)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
PRTL_MODULE_EXTENDED_INFO
|
|
|
|
FindModuleByName(_In_ PSYSTEM_MODULES Modules, _In_ PCHAR ModuleName)
|
|
|
|
{
|
|
|
|
for (UINT32 index = 0; index < Modules->module_count; index++) {
|
|
|
|
PRTL_MODULE_EXTENDED_INFO entry =
|
|
|
|
&((PRTL_MODULE_EXTENDED_INFO)(Modules->address))[index];
|
2024-07-22 12:43:09 +02:00
|
|
|
if (IntFindSubstring(entry->FullPathName, ModuleName))
|
2024-05-04 17:43:01 +02:00
|
|
|
return entry;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define KERNEL_LOW_ADDRESS 0xFFFF000000000000
|
|
|
|
#define KERNEL_HIGH_ADDRESS 0xFFFFFFFFFFFFFFFF
|
|
|
|
|
|
|
|
BOOLEAN
|
|
|
|
IsValidKernelAddress(_In_ UINT64 Address)
|
|
|
|
{
|
|
|
|
if (!(Address >= KERNEL_LOW_ADDRESS && Address <= KERNEL_HIGH_ADDRESS))
|
|
|
|
return FALSE;
|
|
|
|
if (!MmIsAddressValid(Address))
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Follows a chain of valid pointers until a pointer is no longer present in the
|
|
|
|
* chain, and returns the final pointer. Assumes the argument "Start" contains a
|
|
|
|
* valid pointer at its address.
|
|
|
|
*
|
|
|
|
* The try catch here is also useless. We can work on making this more secure
|
|
|
|
* later.
|
|
|
|
*/
|
|
|
|
PVOID
|
|
|
|
FindChainedPointerEnding(_In_ PVOID* Start)
|
|
|
|
{
|
|
|
|
PVOID* current = *Start;
|
2024-08-01 06:21:53 +02:00
|
|
|
PVOID prev = Start;
|
2024-05-04 17:43:01 +02:00
|
|
|
|
|
|
|
while (IsValidKernelAddress(current)) {
|
|
|
|
__try {
|
2024-08-01 06:21:53 +02:00
|
|
|
prev = current;
|
2024-05-04 17:43:01 +02:00
|
|
|
current = *current;
|
|
|
|
}
|
|
|
|
__except (EXCEPTION_EXECUTE_HANDLER) {
|
|
|
|
return prev;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return prev;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define WIN32KBASE_DXGKRNL_INTERFACE_FUNC_COUNT 98
|
|
|
|
|
|
|
|
// clang-format off
|
|
|
|
/*
|
|
|
|
* ffffa135`fa847828 fffff805`5c7ccf60
|
|
|
|
* ffffa135`fa847828 fffff805`5c7ccf60 dxgkrnl!DXG_GUEST_COMPOSITIONOBJECTCHANNEL::ChannelStarted
|
|
|
|
* ffffa135`fa847830 fffff805`5c7ccf60 dxgkrnl!DXG_GUEST_COMPOSITIONOBJECTCHANNEL::ChannelStarted
|
|
|
|
* ffffa135`fa847838 fffff805`5c7e4ca0 dxgkrnl!DxgkProcessCallout
|
|
|
|
* ffffa135`fa847840 fffff805`5c7b2580 dxgkrnl!DxgkNotifyProcessFreezeCallout
|
|
|
|
* ffffa135`fa847848 fffff805`5c7b2430 dxgkrnl!DxgkNotifyProcessThawCallout
|
|
|
|
* ffffa135`fa847850 fffff805`5c7daf30 dxgkrnl!DxgkOpenAdapter
|
|
|
|
* ffffa135`fa847858 fffff805`5c7ff6e0 dxgkrnl!DxgkEnumAdapters2Impl
|
|
|
|
* ffffa135`fa847860 fffff805`5c839f00 dxgkrnl!DxgkGetMaximumAdapterCount
|
|
|
|
* ffffa135`fa847868 fffff805`5c7e37c0 dxgkrnl!DxgkCloseAdapterImpl
|
|
|
|
* ffffa135`fa847870 fffff805`5c7b3970 dxgkrnl!DxgkDestroyDevice
|
|
|
|
* ffffa135`fa847878 fffff805`5c7c8370 dxgkrnl!DxgkEscape
|
|
|
|
* ffffa135`fa847880 fffff805`5c7c58d0 dxgkrnl!DxgkGetPresentHistoryInternal
|
|
|
|
* ffffa135`fa847888 fffff805`5c9569a0 dxgkrnl!DxgkReleaseProcessVidPnSourceOwners
|
|
|
|
* ffffa135`fa847890 fffff805`5c8f4de0 dxgkrnl!DxgkPollDisplayChildrenInternal
|
|
|
|
* ffffa135`fa847898 fffff805`5c837390 dxgkrnl!DxgkFlushPresentHistory
|
|
|
|
* ffffa135`fa8478a0 fffff805`5c802e00 dxgkrnl!DxgkGetPathsModality
|
|
|
|
* ffffa135`fa8478a8 fffff805`5c82e7c0 dxgkrnl!DxgkFunctionalizePathsModality
|
|
|
|
* ffffa135`fa8478b0 fffff805`5c82e6d0 dxgkrnl!DxgkApplyPathsModality
|
|
|
|
* ffffa135`fa8478b8 fffff805`5c819740 dxgkrnl!DxgkFinalizePathsModality
|
|
|
|
* ffffa135`fa8478c0 fffff805`5c7b01c0 dxgkrnl!DxgkPersistPathsModality
|
|
|
|
* ffffa135`fa8478c8 fffff805`5c839d80 dxgkrnl!DxgkFreePathsModality
|
|
|
|
* ffffa135`fa8478d0 fffff805`5c816870 dxgkrnl!DxgkAugmentCdsj
|
|
|
|
* ffffa135`fa8478d8 fffff805`5c821270 dxgkrnl!DxgkGetPresentHistoryReadyEvent
|
|
|
|
* ffffa135`fa8478e0 fffff805`5c806eb0 dxgkrnl!DxgkGetDisplayConfigBufferSizes
|
|
|
|
* ffffa135`fa8478e8 fffff805`5c8070e0 dxgkrnl!DxgkQueryDisplayConfig
|
|
|
|
* ffffa135`fa8478f0 fffff805`5c9677d0 dxgkrnl!DxgkHandleForceProjectionMonitor
|
|
|
|
* ffffa135`fa8478f8 fffff805`5c838f10 dxgkrnl!DxgkUpdateCddDevmodeExtraData
|
|
|
|
* ffffa135`fa847900 fffff805`5c967ca0 dxgkrnl!DxgkProcessDisplayCalloutBatch
|
|
|
|
* ffffa135`fa847908 fffff805`5c7f8880 dxgkrnl!DxgkDisplayConfigDeviceInfo
|
|
|
|
* ffffa135`fa847910 fffff805`5c7e11f0 dxgkrnl!DxgkGetAdapterDeviceDesc
|
|
|
|
* ffffa135`fa847918 fffff805`5c7e9200 dxgkrnl!DxgkGetMonitorInternalInfo
|
|
|
|
* ffffa135`fa847920 fffff805`5c82a4f0 dxgkrnl!DxgkBeginTopologyTransition
|
|
|
|
* ffffa135`fa847928 fffff805`5c829f50 dxgkrnl!DxgkCompleteTopologyTransition
|
|
|
|
* ffffa135`fa847930 fffff805`5c8f4130 dxgkrnl!DxgkNeedToEnableCddPrimary
|
|
|
|
* ffffa135`fa847938 fffff805`5c82a090 dxgkrnl!DxgkInvalidateMonitorConnections
|
|
|
|
* ffffa135`fa847940 fffff805`5c807340 dxgkrnl!DxgkWriteDiagEntry
|
|
|
|
* ffffa135`fa847948 fffff805`5c815800 dxgkrnl!DxgkGetAdapterDefaultScaling
|
|
|
|
* ffffa135`fa847950 fffff805`5c816240 dxgkrnl!DxgkConvertDisplayConfigCScalingToDdiScaling
|
|
|
|
* ffffa135`fa847958 fffff805`5c8397e0 dxgkrnl!DxgkGetGlobalRawmodeFlag
|
|
|
|
* ffffa135`fa847960 fffff805`5c967e70 dxgkrnl!DxgkSetGlobalRawmodeFlag
|
|
|
|
* ffffa135`fa847968 fffff805`5c839530 dxgkrnl!DxgkQueryModeListCacheLuid
|
|
|
|
* ffffa135`fa847970 fffff805`5c826ff0 dxgkrnl!DxgkThreadCallout
|
|
|
|
* ffffa135`fa847978 fffff805`5c829c40 dxgkrnl!DxgkSessionConnected
|
|
|
|
* ffffa135`fa847980 fffff805`5c829a60 dxgkrnl!DxgkPreSessionDisconnected
|
|
|
|
* ffffa135`fa847988 fffff805`5c829b90 dxgkrnl!DxgkSessionDisconnected
|
|
|
|
* ffffa135`fa847990 fffff805`5c844420 dxgkrnl!DxgkSessionReconnected
|
|
|
|
* ffffa135`fa847998 fffff805`5c8440f0 dxgkrnl!DxgkGetAdapter
|
|
|
|
* ffffa135`fa8479a0 fffff805`5c844290 dxgkrnl!DxgkReleaseAdapter
|
|
|
|
* ffffa135`fa8479a8 fffff805`5c82c200 dxgkrnl!DxgkDesktopSwitch
|
|
|
|
* ffffa135`fa8479b0 fffff805`5c811860 dxgkrnl!DxgkStatusChangeNotify
|
|
|
|
* ffffa135`fa8479b8 fffff805`5c928fd0 dxgkrnl!DxgkEnableUnorderedWaitsForDevice
|
|
|
|
* ffffa135`fa8479c0 fffff805`5c839670 dxgkrnl!DxgkCddVerifyCddDevMode
|
|
|
|
* ffffa135`fa8479c8 fffff805`5c93bf30 dxgkrnl!DxgkIsVidPnSourceOwnerDwm
|
|
|
|
* ffffa135`fa8479d0 fffff805`5c8377a0 dxgkrnl!DxgkIsVidPnSourceOwnerExclusive
|
|
|
|
* ffffa135`fa8479d8 fffff805`5c7f8720 dxgkrnl!DxgkGetMonitorDeviceObject
|
|
|
|
* ffffa135`fa8479e0 fffff805`5c831680 dxgkrnl!DxgkRegisterDwmProcess
|
|
|
|
* ffffa135`fa8479e8 fffff805`5c8fa0a0 dxgkrnl!DxgkGetSharedResourceAdapterLuid
|
|
|
|
* ffffa135`fa8479f0 fffff805`5c8e7590 dxgkrnl!DxgkNotifyMonitorDimming
|
|
|
|
* ffffa135`fa8479f8 fffff805`5c820d10 dxgkrnl!DxgkGetSharedAllocationObjectType
|
|
|
|
* ffffa135`fa847a00 fffff805`5c820d20 dxgkrnl!DxgkGetSharedSyncObjectType
|
|
|
|
* ffffa135`fa847a08 fffff805`5c83b1b0 dxgkrnl!DxgkGetDisplayManagerObjectType
|
|
|
|
* ffffa135`fa847a10 fffff805`5c93be10 dxgkrnl!DxgkGetProcessInterferenceCount
|
|
|
|
* ffffa135`fa847a18 fffff805`5c839cd0 dxgkrnl!DxgkGetGpuUsageStatistics
|
|
|
|
* ffffa135`fa847a20 fffff805`5c815320 dxgkrnl!DxgkUpdateGdiInfo
|
|
|
|
* ffffa135`fa847a28 fffff805`5c8393d0 dxgkrnl!DxgkSetPresenterViewMode
|
|
|
|
* ffffa135`fa847a30 fffff805`5c836930 dxgkrnl!DxgkGetPresenterViewMode
|
|
|
|
* ffffa135`fa847a38 fffff805`5c827820 dxgkrnl!DxgkSetProcessStatus
|
|
|
|
* ffffa135`fa847a40 fffff805`5c7fa180 dxgkrnl!DxgkConvertLegacyQDCAdapterAndIdToActual
|
|
|
|
* ffffa135`fa847a48 fffff805`5c81b510 dxgkrnl!DxgkDisplayOnOff
|
|
|
|
* ffffa135`fa847a50 fffff805`5c815c30 dxgkrnl!DxgkIsVirtualizationDisabledForTarget
|
|
|
|
* ffffa135`fa847a58 fffff805`5c8378f0 dxgkrnl!DxgkIsSourceInHardwareClone
|
|
|
|
* ffffa135`fa847a60 fffff805`5c96d7d0 dxgkrnl!DxgkProcessLockScreen
|
|
|
|
* ffffa135`fa847a68 fffff805`5c964bd0 dxgkrnl!DxgkCopyPathsModality
|
|
|
|
* ffffa135`fa847a70 fffff805`5c964b30 dxgkrnl!DxgkApplyCdsjToPathsModality
|
|
|
|
* ffffa135`fa847a78 fffff805`5c979410 dxgkrnl!DxgkUpdateDpiInfoForNewOverride
|
|
|
|
* ffffa135`fa847a80 fffff805`5c839a00 dxgkrnl!DxgkInitializeDpi
|
|
|
|
* ffffa135`fa847a88 fffff805`5c839930 dxgkrnl!DxgkGetDpiOverrideForSource
|
|
|
|
* ffffa135`fa847a90 fffff805`5c980420 dxgkrnl!DxgkGetLegacyDpiInfo
|
|
|
|
* ffffa135`fa847a98 fffff805`5c94e0e0 dxgkrnl!DxgkWin32kSetPointerPosition
|
|
|
|
* ffffa135`fa847aa0 fffff805`5c94e240 dxgkrnl!DxgkWin32kSetPointerShape
|
|
|
|
* ffffa135`fa847aa8 fffff805`5c844730 dxgkrnl!DxgkGetUseHWGPUInRemoteSession
|
|
|
|
* ffffa135`fa847ab0 fffff805`5c945520 dxgkrnl!DxgkLPMDisplayControl
|
|
|
|
* ffffa135`fa847ab8 fffff805`5c945470 dxgkrnl!DxgkEnableHighPrecisionBrightness
|
|
|
|
* ffffa135`fa847ac0 fffff805`5c945640 dxgkrnl!DxgkSetHighPrecisionBrightness
|
|
|
|
* ffffa135`fa847ac8 fffff805`5c844670 dxgkrnl!DxgkChangeD3RequestsState
|
|
|
|
* ffffa135`fa847ad0 fffff805`5c836b90 dxgkrnl!DxgkGetMonitorEdid
|
|
|
|
* ffffa135`fa847ad8 fffff805`5c967620 dxgkrnl!DxgkConvertPathsModalityToDisplayConfig
|
|
|
|
* ffffa135`fa847ae0 fffff805`5c815d40 dxgkrnl!DxgkConvertDisplayConfigToDevMode
|
|
|
|
* ffffa135`fa847ae8 fffff805`5c7febd0 dxgkrnl!DxgkDDisplayEnumInternal
|
|
|
|
* ffffa135`fa847af0 fffff805`5c9677a0 dxgkrnl!DxgkGetMonitorDisplayId
|
|
|
|
* ffffa135`fa847af8 fffff805`5c964c60 dxgkrnl!DxgkEnumerateModesForPathsModality
|
|
|
|
* ffffa135`fa847b00 fffff805`5c8f0e70 dxgkrnl!DxgCreateLiveDumpWithWdLogs
|
|
|
|
* ffffa135`fa847b08 fffff805`5c9818d0 dxgkrnl!DxgkDispMgrReferenceObjectByHandle
|
|
|
|
* ffffa135`fa847b10 fffff805`5c9818b0 dxgkrnl!DxgkDispMgrIsTargetOwned
|
|
|
|
* ffffa135`fa847b18 fffff805`5c98bb20 dxgkrnl!DxgkCheckDisplayState
|
|
|
|
* ffffa135`fa847b20 fffff805`5c8363c0 dxgkrnl!DxgkSetKernelDisplayPolicy
|
|
|
|
* ffffa135`fa847b28 fffff805`5c839720 dxgkrnl!DxgkSendDisplayBrokerMessage
|
|
|
|
* ffffa135`fa847b30 fffff805`5c96fb30 dxgkrnl!DxgkGetWddmRemoteSessionGdiViewRange
|
|
|
|
*/
|
|
|
|
// clang-format on
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
VOID
|
2024-08-01 06:21:53 +02:00
|
|
|
ReportWin32kBase_DxgInterfaceViolation(
|
|
|
|
_In_ UINT32 TableIndex, _In_ UINT64 Address)
|
2024-05-04 17:43:01 +02:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
UINT32 len = 0;
|
2024-07-19 16:27:50 +02:00
|
|
|
PDATA_TABLE_ROUTINE_REPORT report = NULL;
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
len = CryptRequestRequiredBufferLength(sizeof(DATA_TABLE_ROUTINE_REPORT));
|
|
|
|
report = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, len, REPORT_POOL_TAG);
|
2024-05-04 17:43:01 +02:00
|
|
|
|
|
|
|
if (!report)
|
|
|
|
return;
|
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
INIT_REPORT_PACKET(report, REPORT_DATA_TABLE_ROUTINE, 0);
|
2024-05-05 12:42:22 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
report->address = Address;
|
2024-05-05 12:42:22 +02:00
|
|
|
report->table_id = Win32kBase_gDxgInterface;
|
2024-08-01 06:21:53 +02:00
|
|
|
report->index = TableIndex;
|
2024-05-04 17:43:01 +02:00
|
|
|
// todo! report->routine = ??
|
2024-05-05 12:42:22 +02:00
|
|
|
// todo: maybe get routine by name from index ?
|
2024-05-04 17:43:01 +02:00
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
status = CryptEncryptBuffer(report, len);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("CryptEncryptBuffer: %lx", status);
|
|
|
|
ImpExFreePoolWithTag(report, REPORT_POOL_TAG);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
IrpQueueSchedulePacket(report, len);
|
2024-05-04 17:43:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
NTSTATUS
|
|
|
|
ValidateWin32kBase_gDxgInterface()
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
SYSTEM_MODULES modules = {0};
|
|
|
|
PRTL_MODULE_EXTENDED_INFO win32kbase = NULL;
|
|
|
|
PRTL_MODULE_EXTENDED_INFO dxgkrnl = NULL;
|
|
|
|
KAPC_STATE apc = {0};
|
|
|
|
PKPROCESS winlogon = NULL;
|
|
|
|
PVOID* dxg_interface = NULL;
|
|
|
|
PVOID entry = NULL;
|
2024-05-04 17:43:01 +02:00
|
|
|
|
|
|
|
status = GetSystemModuleInformation(&modules);
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("GetSystemModuleInformation failed %x", status);
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
|
|
|
win32kbase = FindModuleByName(&modules, "win32kbase.sys");
|
|
|
|
|
|
|
|
if (!win32kbase) {
|
|
|
|
status = STATUS_UNSUCCESSFUL;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2024-06-11 13:41:55 +02:00
|
|
|
RtlHashmapEnumerate(GetProcessHashmap(), FindWinLogonProcess, &winlogon);
|
2024-05-04 17:43:01 +02:00
|
|
|
|
|
|
|
if (!winlogon) {
|
|
|
|
status = STATUS_UNSUCCESSFUL;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
|
|
|
KeStackAttachProcess(winlogon, &apc);
|
|
|
|
dxg_interface = PeFindExportByName(win32kbase->ImageBase, "gDxgkInterface");
|
|
|
|
|
|
|
|
if (!dxg_interface) {
|
|
|
|
status = STATUS_UNSUCCESSFUL;
|
|
|
|
goto detatch;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* The functions in this table reside in dxgkrnl.sys */
|
|
|
|
dxgkrnl = FindModuleByName(&modules, "dxgkrnl.sys");
|
|
|
|
|
|
|
|
if (!dxgkrnl) {
|
|
|
|
status = STATUS_UNSUCCESSFUL;
|
|
|
|
goto detatch;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* first 3 qwords are housekeeping. */
|
|
|
|
for (UINT32 index = 3; index < WIN32KBASE_DXGKRNL_INTERFACE_FUNC_COUNT + 3;
|
|
|
|
index++) {
|
|
|
|
if (!dxg_interface[index])
|
|
|
|
continue;
|
|
|
|
|
2024-07-19 16:27:50 +02:00
|
|
|
entry = FindChainedPointerEnding(dxg_interface[index]);
|
2024-05-04 17:43:01 +02:00
|
|
|
|
|
|
|
#if DEBUG
|
|
|
|
DEBUG_INFO("chain entry test: %p", entry);
|
|
|
|
DEBUG_INFO("regular entry: %p", dxg_interface[index]);
|
|
|
|
#endif
|
|
|
|
|
2024-05-05 15:58:36 +02:00
|
|
|
if (!IsInstructionPointerInsideSpecifiedModule(entry, dxgkrnl)) {
|
2024-05-04 17:43:01 +02:00
|
|
|
DEBUG_ERROR("invalid entry!!!");
|
|
|
|
ReportWin32kBase_DxgInterfaceViolation(index, entry);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
detatch:
|
|
|
|
KeUnstackDetachProcess(&apc);
|
|
|
|
|
|
|
|
end:
|
|
|
|
if (modules.address)
|
|
|
|
ExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL);
|
|
|
|
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* todo: win32kEngInterface */
|
|
|
|
NTSTATUS
|
|
|
|
ValidateWin32kDispatchTables()
|
|
|
|
{
|
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
|
|
|
|
status = ValidateWin32kBase_gDxgInterface();
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("ValidateWin32kBase_gDxgInterface: %x", status);
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
|
|
|
return status;
|
2023-12-29 17:20:32 +01:00
|
|
|
}
|