mirror-ac/driver/session.c

#include "session.h"

#include "crypt.h"
#include "imports.h"
#include "util.h"

#include "lib/stdlib.h"

NTSTATUS
SessionInitialiseStructure()
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PACTIVE_SESSION session = GetActiveSession();

    KeInitializeGuardedMutex(&session->lock);

    status = CryptInitialiseProvider();

    if (!NT_SUCCESS(status))
        DEBUG_ERROR("CryptInitialiseProvider: %x", status);

    return status;
}

VOID
SessionInitialiseCallbackConfiguration()
{
    InitialiseObCallbacksConfiguration(GetActiveSession());
}

VOID
SessionIsActive(_Out_ PBOOLEAN Flag)
{
    KeAcquireGuardedMutex(&GetActiveSession()->lock);
    *Flag = GetActiveSession()->is_session_active;
    KeReleaseGuardedMutex(&GetActiveSession()->lock);
}

VOID
SessionGetProcess(_Out_ PEPROCESS* Process)
{
    KeAcquireGuardedMutex(&GetActiveSession()->lock);
    *Process = GetActiveSession()->process;
    KeReleaseGuardedMutex(&GetActiveSession()->lock);
}

VOID
SessionGetProcessId(_Out_ PLONG ProcessId)
{
    KeAcquireGuardedMutex(&GetActiveSession()->lock);
    *ProcessId = GetActiveSession()->km_handle;
    KeReleaseGuardedMutex(&GetActiveSession()->lock);
}

VOID
SessionGetCallbackConfiguration(
    _Out_ POB_CALLBACKS_CONFIG* CallbackConfiguration)
{
    KeAcquireGuardedMutex(&GetActiveSession()->lock);
    *CallbackConfiguration = &GetActiveSession()->callback_configuration;
    KeReleaseGuardedMutex(&GetActiveSession()->lock);
}

STATIC
VOID
SessionTerminateHeartbeat(_In_ PHEARTBEAT_CONFIGURATION Configuration)
{
    FreeHeartbeatConfiguration(Configuration);
}

VOID
SessionTerminate()
{
    DEBUG_INFO("Termination active session.");

    PACTIVE_SESSION session = GetActiveSession();
    KIRQL irql = {0};

    KeAcquireGuardedMutex(&session->lock);
    session->km_handle = NULL;
    session->um_handle = NULL;
    session->process = NULL;
    session->is_session_active = FALSE;

    RtlZeroMemory(&session->module, sizeof(MODULE_INFORMATION));

    SessionTerminateHeartbeat(&session->heartbeat_config);
    CryptCloseSessionCryptObjects();
    KeReleaseGuardedMutex(&session->lock);
}

/* Return type for this doesnt matter */
STATIC
BOOLEAN
HashOurUserModuleOnEntryCallback(
    _In_ PPROCESS_MAP_MODULE_ENTRY Entry, _In_opt_ PVOID Context)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PACTIVE_SESSION session = (PACTIVE_SESSION)Context;

    if (!ARGUMENT_PRESENT(Context))
        return FALSE;

    status = HashUserModule(
        Entry,
        session->module.module_hash,
        sizeof(session->module.module_hash));

    if (!NT_SUCCESS(status)) {
        DEBUG_ERROR("HashUserModule: %lx", status);
        return FALSE;
    }

    DEBUG_VERBOSE("User module hashed!");
    DumpBufferToKernelDebugger(
        session->module.module_hash,
        sizeof(session->module.module_hash));

    return TRUE;
}

NTSTATUS
SessionInitialise(_In_ PIRP Irp)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PEPROCESS process = NULL;
    PSESSION_INITIATION_PACKET initiation = NULL;
    PACTIVE_SESSION session = GetActiveSession();
    KIRQL irql = {0};

    DEBUG_VERBOSE("Initialising new session.");

    status = ValidateIrpInputBuffer(
        Irp,
        sizeof(SESSION_INITIATION_PACKET) - SHA_256_HASH_LENGTH);

    if (!NT_SUCCESS(status)) {
        DEBUG_ERROR("ValidateIrpInputBuffer failed with status %x", status);
        return status;
    }

    initiation = (PSESSION_INITIATION_PACKET)Irp->AssociatedIrp.SystemBuffer;

    KeAcquireGuardedMutex(&session->lock);

    session->um_handle = initiation->process_id;

    /* What if we pass an invalid handle here? not good. */
    status = ImpPsLookupProcessByProcessId(session->um_handle, &process);

    if (!NT_SUCCESS(status)) {
        status = STATUS_INVALID_PARAMETER;
        goto end;
    }

    session->km_handle = ImpPsGetProcessId(process);
    session->process = process;
    session->cookie = initiation->cookie;

    IntCopyMemory(session->aes_key, initiation->aes_key, AES_256_KEY_SIZE);
    IntCopyMemory(session->iv, initiation->aes_iv, AES_256_IV_SIZE);

    session->module.base_address = initiation->module_info.base_address;
    session->module.size = initiation->module_info.size;

    IntCopyMemory(
        session->module.path,
        initiation->module_info.path,
        MAX_MODULE_PATH);

    DEBUG_VERBOSE("Module base: %llx", session->module.base_address);
    DEBUG_VERBOSE("Module size: %lx ", session->module.size);
    DEBUG_VERBOSE("Module path: %s", session->module.path);

    status = CryptInitialiseSessionCryptObjects();

    if (!NT_SUCCESS(status)) {
        DEBUG_ERROR("CryptInitialiseSessionCryptObjects: %x", status);
        goto end;
    }

    status = InitialiseHeartbeatConfiguration(&session->heartbeat_config);

    if (!NT_SUCCESS(status)) {
        DEBUG_ERROR("InitialiseHeartbeatConfiguration %x", status);
        goto end;
    }

    FindOurUserModeModuleEntry(HashOurUserModuleOnEntryCallback, session);
    session->is_session_active = TRUE;

end:
    KeReleaseGuardedMutex(&session->lock);
    return status;
}

VOID
SessionTerminateProcess()
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    ULONG process_id = 0;

    SessionGetProcessId(&process_id);

    if (!process_id) {
        DEBUG_ERROR("Failed to terminate process as process id is null");
        return;
    }

    /* Make sure we pass a km handle to ZwTerminateProcess and NOT a
     * usermode handle. */
    status = ZwTerminateProcess(
        process_id,
        STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION);

    if (!NT_SUCCESS(status)) {
        /*
         * We don't want to clear the process config if
         * ZwTerminateProcess fails so we can try again.
         */
        DEBUG_ERROR("ZwTerminateProcess failed with status %x", status);
        return;
    }
    /* this wont be needed when procloadstuff is implemented */
    SessionTerminate();
}

VOID
SessionIncrementIrpsProcessedCount()
{
    KeAcquireGuardedMutex(&GetActiveSession()->lock);
    GetActiveSession()->irps_received;
    KeReleaseGuardedMutex(&GetActiveSession()->lock);
}

VOID
SessionIncrementReportCount()
{
    KeAcquireGuardedMutex(&GetActiveSession()->lock);
    GetActiveSession()->report_count++;
    KeReleaseGuardedMutex(&GetActiveSession()->lock);
}

VOID
SessionIncrementHeartbeatCount()
{
    KeAcquireGuardedMutex(&GetActiveSession()->lock);
    GetActiveSession()->heartbeat_count++;
    KeReleaseGuardedMutex(&GetActiveSession()->lock);
}
lil big of stuf 2024-01-31 08:32:13 +01:00			`#include "session.h"`

packet encryption! 2024-05-11 14:54:58 +02:00			`#include "crypt.h"`
format 2024-08-01 06:21:53 +02:00			`#include "imports.h"`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`#include "util.h"`
lil big of stuf 2024-01-31 08:32:13 +01:00
internal c lib 2024-07-22 12:43:09 +02:00			`#include "lib/stdlib.h"`

packet encryption! 2024-05-11 14:54:58 +02:00			`NTSTATUS`
			`SessionInitialiseStructure()`
			`{`
format 2024-08-01 06:21:53 +02:00			`NTSTATUS status = STATUS_UNSUCCESSFUL;`
packet encryption! 2024-05-11 14:54:58 +02:00			`PACTIVE_SESSION session = GetActiveSession();`
lil big of stuf 2024-01-31 08:32:13 +01:00
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeInitializeGuardedMutex(&session->lock);`
lil big of stuf 2024-01-31 08:32:13 +01:00
packet encryption! 2024-05-11 14:54:58 +02:00			`status = CryptInitialiseProvider();`
lil big of stuf 2024-01-31 08:32:13 +01:00
packet encryption! 2024-05-11 14:54:58 +02:00			`if (!NT_SUCCESS(status))`
			`DEBUG_ERROR("CryptInitialiseProvider: %x", status);`

			`return status;`
lil big of stuf 2024-01-31 08:32:13 +01:00			`}`

			`VOID`
			`SessionInitialiseCallbackConfiguration()`
			`{`
indentation 2024-04-13 10:23:14 +02:00			`InitialiseObCallbacksConfiguration(GetActiveSession());`
lil big of stuf 2024-01-31 08:32:13 +01:00			`}`

			`VOID`
			`SessionIsActive(_Out_ PBOOLEAN Flag)`
			`{`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeAcquireGuardedMutex(&GetActiveSession()->lock);`
			`*Flag = GetActiveSession()->is_session_active;`
			`KeReleaseGuardedMutex(&GetActiveSession()->lock);`
lil big of stuf 2024-01-31 08:32:13 +01:00			`}`

			`VOID`
			`SessionGetProcess(_Out_ PEPROCESS* Process)`
			`{`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeAcquireGuardedMutex(&GetActiveSession()->lock);`
			`*Process = GetActiveSession()->process;`
			`KeReleaseGuardedMutex(&GetActiveSession()->lock);`
lil big of stuf 2024-01-31 08:32:13 +01:00			`}`

			`VOID`
			`SessionGetProcessId(_Out_ PLONG ProcessId)`
			`{`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeAcquireGuardedMutex(&GetActiveSession()->lock);`
indentation 2024-04-13 10:23:14 +02:00			`*ProcessId = GetActiveSession()->km_handle;`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeReleaseGuardedMutex(&GetActiveSession()->lock);`
lil big of stuf 2024-01-31 08:32:13 +01:00			`}`

			`VOID`
80 line limit - need to refactor lots of code but ceebs atm 2024-04-13 06:40:51 +02:00			`SessionGetCallbackConfiguration(`
			`_Out_ POB_CALLBACKS_CONFIG* CallbackConfiguration)`
lil big of stuf 2024-01-31 08:32:13 +01:00			`{`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeAcquireGuardedMutex(&GetActiveSession()->lock);`
indentation 2024-04-13 10:23:14 +02:00			`*CallbackConfiguration = &GetActiveSession()->callback_configuration;`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeReleaseGuardedMutex(&GetActiveSession()->lock);`
lil big of stuf 2024-01-31 08:32:13 +01:00			`}`

integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`STATIC`
			`VOID`
			`SessionTerminateHeartbeat(_In_ PHEARTBEAT_CONFIGURATION Configuration)`
			`{`
			`FreeHeartbeatConfiguration(Configuration);`
			`}`

lil big of stuf 2024-01-31 08:32:13 +01:00			`VOID`
			`SessionTerminate()`
			`{`
indentation 2024-04-13 10:23:14 +02:00			`DEBUG_INFO("Termination active session.");`
lil big of stuf 2024-01-31 08:32:13 +01:00
indentation 2024-04-13 10:23:14 +02:00			`PACTIVE_SESSION session = GetActiveSession();`
format 2024-08-01 06:21:53 +02:00			`KIRQL irql = {0};`
lil big of stuf 2024-01-31 08:32:13 +01:00
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeAcquireGuardedMutex(&session->lock);`
format 2024-08-01 06:21:53 +02:00			`session->km_handle = NULL;`
			`session->um_handle = NULL;`
			`session->process = NULL;`
indentation 2024-04-13 10:23:14 +02:00			`session->is_session_active = FALSE;`
zero previous session info 2024-06-09 09:26:12 +02:00
			`RtlZeroMemory(&session->module, sizeof(MODULE_INFORMATION));`

integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`SessionTerminateHeartbeat(&session->heartbeat_config);`
packet encryption! 2024-05-11 14:54:58 +02:00			`CryptCloseSessionCryptObjects();`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeReleaseGuardedMutex(&session->lock);`
lil big of stuf 2024-01-31 08:32:13 +01:00			`}`

internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`/* Return type for this doesnt matter */`
			`STATIC`
			`BOOLEAN`
format 2024-08-01 06:21:53 +02:00			`HashOurUserModuleOnEntryCallback(`
			`_In_ PPROCESS_MAP_MODULE_ENTRY Entry, _In_opt_ PVOID Context)`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`{`
format 2024-08-01 06:21:53 +02:00			`NTSTATUS status = STATUS_UNSUCCESSFUL;`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`PACTIVE_SESSION session = (PACTIVE_SESSION)Context;`

			`if (!ARGUMENT_PRESENT(Context))`
			`return FALSE;`

format 2024-08-01 06:21:53 +02:00			`status = HashUserModule(`
			`Entry,`
			`session->module.module_hash,`
			`sizeof(session->module.module_hash));`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00
			`if (!NT_SUCCESS(status)) {`
			`DEBUG_ERROR("HashUserModule: %lx", status);`
			`return FALSE;`
			`}`

			`DEBUG_VERBOSE("User module hashed!");`
format 2024-08-01 06:21:53 +02:00			`DumpBufferToKernelDebugger(`
			`session->module.module_hash,`
			`sizeof(session->module.module_hash));`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00
			`return TRUE;`
			`}`

lil big of stuf 2024-01-31 08:32:13 +01:00			`NTSTATUS`
			`SessionInitialise(_In_ PIRP Irp)`
			`{`
format 2024-08-01 06:21:53 +02:00			`NTSTATUS status = STATUS_UNSUCCESSFUL;`
			`PEPROCESS process = NULL;`
packet encryption! 2024-05-11 14:54:58 +02:00			`PSESSION_INITIATION_PACKET initiation = NULL;`
format 2024-08-01 06:21:53 +02:00			`PACTIVE_SESSION session = GetActiveSession();`
			`KIRQL irql = {0};`
lil big of stuf 2024-01-31 08:32:13 +01:00
indentation 2024-04-13 10:23:14 +02:00			`DEBUG_VERBOSE("Initialising new session.");`
lil big of stuf 2024-01-31 08:32:13 +01:00
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`status = ValidateIrpInputBuffer(`
format 2024-08-01 06:21:53 +02:00			`Irp,`
			`sizeof(SESSION_INITIATION_PACKET) - SHA_256_HASH_LENGTH);`
lil big of stuf 2024-01-31 08:32:13 +01:00
indentation 2024-04-13 10:23:14 +02:00			`if (!NT_SUCCESS(status)) {`
			`DEBUG_ERROR("ValidateIrpInputBuffer failed with status %x", status);`
			`return status;`
			`}`
lil big of stuf 2024-01-31 08:32:13 +01:00
packet encryption! 2024-05-11 14:54:58 +02:00			`initiation = (PSESSION_INITIATION_PACKET)Irp->AssociatedIrp.SystemBuffer;`
lil big of stuf 2024-01-31 08:32:13 +01:00
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeAcquireGuardedMutex(&session->lock);`
lil big of stuf 2024-01-31 08:32:13 +01:00
packet encryption! 2024-05-11 14:54:58 +02:00			`session->um_handle = initiation->process_id;`
lil big of stuf 2024-01-31 08:32:13 +01:00
indentation 2024-04-13 10:23:14 +02:00			`/* What if we pass an invalid handle here? not good. */`
			`status = ImpPsLookupProcessByProcessId(session->um_handle, &process);`
lil big of stuf 2024-01-31 08:32:13 +01:00
indentation 2024-04-13 10:23:14 +02:00			`if (!NT_SUCCESS(status)) {`
			`status = STATUS_INVALID_PARAMETER;`
			`goto end;`
			`}`
lil big of stuf 2024-01-31 08:32:13 +01:00
session fix 2024-06-21 16:22:11 +02:00			`session->km_handle = ImpPsGetProcessId(process);`
format 2024-08-01 06:21:53 +02:00			`session->process = process;`
			`session->cookie = initiation->cookie;`
packet encryption! 2024-05-11 14:54:58 +02:00
internal c lib 2024-07-22 12:43:09 +02:00			`IntCopyMemory(session->aes_key, initiation->aes_key, AES_256_KEY_SIZE);`
			`IntCopyMemory(session->iv, initiation->aes_iv, AES_256_IV_SIZE);`
packet encryption! 2024-05-11 14:54:58 +02:00
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`session->module.base_address = initiation->module_info.base_address;`
format 2024-08-01 06:21:53 +02:00			`session->module.size = initiation->module_info.size;`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00
internal c lib 2024-07-22 12:43:09 +02:00			`IntCopyMemory(`
format 2024-08-01 06:21:53 +02:00			`session->module.path,`
			`initiation->module_info.path,`
			`MAX_MODULE_PATH);`
internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00
			`DEBUG_VERBOSE("Module base: %llx", session->module.base_address);`
			`DEBUG_VERBOSE("Module size: %lx ", session->module.size);`
			`DEBUG_VERBOSE("Module path: %s", session->module.path);`

packet encryption! 2024-05-11 14:54:58 +02:00			`status = CryptInitialiseSessionCryptObjects();`
code cleanup 2024-04-13 10:06:59 +02:00
packet encryption! 2024-05-11 14:54:58 +02:00			`if (!NT_SUCCESS(status)) {`
			`DEBUG_ERROR("CryptInitialiseSessionCryptObjects: %x", status);`
			`goto end;`
			`}`
lil big of stuf 2024-01-31 08:32:13 +01:00
integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`status = InitialiseHeartbeatConfiguration(&session->heartbeat_config);`

			`if (!NT_SUCCESS(status)) {`
			`DEBUG_ERROR("InitialiseHeartbeatConfiguration %x", status);`
			`goto end;`
			`}`

internal refactoring (#14) - Refactor process list. New implementation consists of a hashmap. Each process entry then contains the associated user modules. - Implement user module integrity checks on timer callback 2024-06-09 09:22:22 +02:00			`FindOurUserModeModuleEntry(HashOurUserModuleOnEntryCallback, session);`
session fix 2024-06-21 16:22:11 +02:00			`session->is_session_active = TRUE;`

lil big of stuf 2024-01-31 08:32:13 +01:00			`end:`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeReleaseGuardedMutex(&session->lock);`
indentation 2024-04-13 10:23:14 +02:00			`return status;`
lil big of stuf 2024-01-31 08:32:13 +01:00			`}`

			`VOID`
			`SessionTerminateProcess()`
			`{`
format 2024-08-01 06:21:53 +02:00			`NTSTATUS status = STATUS_UNSUCCESSFUL;`
			`ULONG process_id = 0;`
indentation 2024-04-13 10:23:14 +02:00
			`SessionGetProcessId(&process_id);`

			`if (!process_id) {`
			`DEBUG_ERROR("Failed to terminate process as process id is null");`
			`return;`
			`}`

			`/* Make sure we pass a km handle to ZwTerminateProcess and NOT a`
			`* usermode handle. */`
format 2024-08-01 06:21:53 +02:00			`status = ZwTerminateProcess(`
			`process_id,`
			`STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION);`
indentation 2024-04-13 10:23:14 +02:00
			`if (!NT_SUCCESS(status)) {`
			`/*`
			`* We don't want to clear the process config if`
			`* ZwTerminateProcess fails so we can try again.`
			`*/`
			`DEBUG_ERROR("ZwTerminateProcess failed with status %x", status);`
			`return;`
			`}`
			`/* this wont be needed when procloadstuff is implemented */`
			`SessionTerminate();`
readme + some small stuff 2024-02-14 17:56:03 +01:00			`}`

			`VOID`
			`SessionIncrementIrpsProcessedCount()`
			`{`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeAcquireGuardedMutex(&GetActiveSession()->lock);`
integrate some new stuff [wip] (#9) 2024-05-04 17:43:01 +02:00			`GetActiveSession()->irps_received;`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeReleaseGuardedMutex(&GetActiveSession()->lock);`
readme + some small stuff 2024-02-14 17:56:03 +01:00			`}`

			`VOID`
			`SessionIncrementReportCount()`
			`{`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeAcquireGuardedMutex(&GetActiveSession()->lock);`
indentation 2024-04-13 10:23:14 +02:00			`GetActiveSession()->report_count++;`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeReleaseGuardedMutex(&GetActiveSession()->lock);`
readme + some small stuff 2024-02-14 17:56:03 +01:00			`}`

			`VOID`
			`SessionIncrementHeartbeatCount()`
			`{`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeAcquireGuardedMutex(&GetActiveSession()->lock);`
indentation 2024-04-13 10:23:14 +02:00			`GetActiveSession()->heartbeat_count++;`
refactor io queue to use mutex. I feel this is the best solution given the irql requirements for each of the potential reporting threads at the irql they will parse the report at, even though there is a potential fro delay. Will soon implement work items that the reports are queued to, allowing execution to return once report is queued. 2024-05-12 09:26:36 +02:00			`KeReleaseGuardedMutex(&GetActiveSession()->lock);`
lil big of stuf 2024-01-31 08:32:13 +01:00			`}`