2023-08-17 10:45:50 +02:00
|
|
|
#include "driver.h"
|
|
|
|
|
|
2023-08-20 09:32:46 +02:00
|
|
|
#include <iostream>
|
|
|
|
|
|
2023-08-19 04:52:57 +02:00
|
|
|
#include "../common.h"
|
|
|
|
|
|
2023-08-19 08:06:51 +02:00
|
|
|
kernelmode::Driver::Driver( LPCWSTR DriverName, std::shared_ptr<global::Report> ReportInterface )
|
2023-08-17 10:45:50 +02:00
|
|
|
{
|
|
|
|
|
this->driver_name = DriverName;
|
2023-08-18 07:33:13 +02:00
|
|
|
this->report_interface = ReportInterface;
|
2023-08-19 05:04:37 +02:00
|
|
|
this->driver_handle = CreateFileW(
|
|
|
|
|
DriverName,
|
|
|
|
|
GENERIC_WRITE | GENERIC_READ | GENERIC_EXECUTE,
|
|
|
|
|
0,
|
|
|
|
|
0,
|
|
|
|
|
OPEN_EXISTING,
|
|
|
|
|
FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
|
|
|
|
|
0
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if ( this->driver_handle == INVALID_HANDLE_VALUE )
|
|
|
|
|
LOG_ERROR( "Failed to open handle to driver with status 0x%x", GetLastError() );
|
2023-08-17 10:45:50 +02:00
|
|
|
}
|
2023-08-19 04:52:57 +02:00
|
|
|
|
|
|
|
|
void kernelmode::Driver::RunNmiCallbacks()
|
|
|
|
|
{
|
|
|
|
|
BOOLEAN status;
|
|
|
|
|
DWORD bytes_returned;
|
|
|
|
|
global::report_structures::NMI_CALLBACK_FAILURE report;
|
|
|
|
|
|
|
|
|
|
status = DeviceIoControl(
|
|
|
|
|
this->driver_handle,
|
|
|
|
|
IOCCTL_RUN_NMI_CALLBACKS,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
&report,
|
|
|
|
|
sizeof( global::report_structures::NMI_CALLBACK_FAILURE ),
|
|
|
|
|
&bytes_returned,
|
|
|
|
|
( LPOVERLAPPED )NULL
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if ( status == NULL )
|
|
|
|
|
{
|
|
|
|
|
LOG_ERROR( "DeviceIoControl failed with status code 0x%x", GetLastError() );
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( bytes_returned == NULL )
|
|
|
|
|
{
|
|
|
|
|
LOG_INFO( "All threads valid, nmis fine." );
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* else, report */
|
|
|
|
|
this->report_interface->ReportViolation( &report );
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-19 11:44:42 +02:00
|
|
|
/*
|
|
|
|
|
* 1. Checks that every device object has a system module to back it
|
|
|
|
|
* 2. Checks the IOCTL dispatch routines to ensure they lie within the module
|
|
|
|
|
*/
|
|
|
|
|
|
2023-08-19 04:52:57 +02:00
|
|
|
void kernelmode::Driver::VerifySystemModules()
|
|
|
|
|
{
|
|
|
|
|
BOOLEAN status;
|
2023-08-19 08:06:51 +02:00
|
|
|
DWORD bytes_returned;
|
2023-08-19 04:52:57 +02:00
|
|
|
PVOID buffer;
|
|
|
|
|
SIZE_T buffer_size;
|
|
|
|
|
SIZE_T header_size;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* allocate enough to report 5 invalid driver objects + header. The reason we use a raw
|
|
|
|
|
* pointer here is so we can pass the address to DeviceIoControl. You are not able (atleast
|
|
|
|
|
* as far as im concerned) to pass a shared ptr to DeviceIoControl.
|
|
|
|
|
*/
|
|
|
|
|
header_size = sizeof( global::report_structures::MODULE_VALIDATION_FAILURE_HEADER );
|
|
|
|
|
|
2023-08-19 08:06:51 +02:00
|
|
|
buffer_size = sizeof( global::report_structures::MODULE_VALIDATION_FAILURE ) *
|
2023-08-19 04:52:57 +02:00
|
|
|
MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT +
|
|
|
|
|
header_size;
|
|
|
|
|
|
|
|
|
|
buffer = malloc( buffer_size );
|
|
|
|
|
|
2023-08-19 05:04:37 +02:00
|
|
|
if ( !buffer )
|
|
|
|
|
return;
|
|
|
|
|
|
2023-08-19 04:52:57 +02:00
|
|
|
status = DeviceIoControl(
|
|
|
|
|
this->driver_handle,
|
|
|
|
|
IOCTL_VALIDATE_DRIVER_OBJECTS,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
buffer,
|
|
|
|
|
buffer_size,
|
|
|
|
|
&bytes_returned,
|
2023-08-19 08:06:51 +02:00
|
|
|
NULL
|
2023-08-19 04:52:57 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if ( status == NULL )
|
|
|
|
|
{
|
|
|
|
|
LOG_ERROR( "DeviceIoControl failed with status code 0x%x", GetLastError() );
|
|
|
|
|
free( buffer );
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-19 06:37:53 +02:00
|
|
|
if ( bytes_returned == NULL )
|
2023-08-19 04:52:57 +02:00
|
|
|
{
|
2023-08-19 06:22:43 +02:00
|
|
|
LOG_INFO( "All modules valid :)" );
|
2023-08-19 04:52:57 +02:00
|
|
|
free( buffer );
|
|
|
|
|
return;
|
2023-08-19 08:06:51 +02:00
|
|
|
}
|
2023-08-19 04:52:57 +02:00
|
|
|
|
|
|
|
|
/*
|
2023-08-19 08:06:51 +02:00
|
|
|
* We are splitting up each packet here and passing them on one by one since
|
2023-08-19 04:52:57 +02:00
|
|
|
* if I am being honest it is just easier in c++ and that way the process
|
|
|
|
|
* is streamlined just like all other report packets.
|
|
|
|
|
*/
|
2023-08-20 10:21:20 +02:00
|
|
|
global::report_structures::MODULE_VALIDATION_FAILURE_HEADER* header =
|
|
|
|
|
( global::report_structures::MODULE_VALIDATION_FAILURE_HEADER* )buffer;
|
2023-08-19 06:37:53 +02:00
|
|
|
|
2023-08-20 10:21:20 +02:00
|
|
|
for ( int i = 0; i < header->module_count; i++ )
|
2023-08-19 04:52:57 +02:00
|
|
|
{
|
2023-08-20 10:21:20 +02:00
|
|
|
global::report_structures::MODULE_VALIDATION_FAILURE* report =
|
|
|
|
|
( global::report_structures::MODULE_VALIDATION_FAILURE* )(
|
|
|
|
|
( UINT64 )buffer + sizeof( global::report_structures::MODULE_VALIDATION_FAILURE_HEADER ) +
|
|
|
|
|
i * sizeof( global::report_structures::MODULE_VALIDATION_FAILURE ) );
|
2023-08-20 09:32:46 +02:00
|
|
|
|
2023-08-20 11:17:03 +02:00
|
|
|
this->report_interface->ReportViolation( report );
|
2023-08-19 04:52:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free( buffer );
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-20 16:12:04 +02:00
|
|
|
/*
|
|
|
|
|
* HOW THIS WILL WORK:
|
|
|
|
|
*
|
|
|
|
|
* 1. On driver initiation, ObRegisterCallbacks will be registered
|
|
|
|
|
* 2. Each time a process that is not whitelisted tries to open a handle
|
|
|
|
|
* to our game we will store the report in an a report queue
|
|
|
|
|
* 3. the user mode app will then periodically query the driver asking
|
|
|
|
|
* how many pending reports there are
|
|
|
|
|
* 4. once the number is received, the app will allocate a buffer large enough
|
|
|
|
|
* for all the reports and once again call CompleteQueuedCallbackReports
|
|
|
|
|
* 5. This will then retrieve the reports into the buffer and from there
|
|
|
|
|
* we can iteratively report them the same way as we do with the system
|
|
|
|
|
* modules.
|
|
|
|
|
*/
|
|
|
|
|
|
2023-08-20 17:04:53 +02:00
|
|
|
void kernelmode::Driver::QueryReportQueue()
|
2023-08-20 16:12:04 +02:00
|
|
|
{
|
|
|
|
|
BOOLEAN status;
|
|
|
|
|
DWORD bytes_returned;
|
2023-08-20 17:04:53 +02:00
|
|
|
PVOID buffer;
|
|
|
|
|
LONG buffer_size;
|
2023-08-20 16:12:04 +02:00
|
|
|
global::report_structures::OPEN_HANDLE_FAILURE_REPORT report;
|
|
|
|
|
|
2023-08-20 17:04:53 +02:00
|
|
|
buffer_size = sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT ) * MAX_HANDLE_REPORTS_PER_IRP ;
|
|
|
|
|
buffer = malloc( buffer_size );
|
2023-08-20 16:12:04 +02:00
|
|
|
|
|
|
|
|
status = DeviceIoControl(
|
|
|
|
|
this->driver_handle,
|
2023-08-20 17:04:53 +02:00
|
|
|
IOCTL_HANDLE_REPORTS_IN_CALLBACK_QUEUE,
|
2023-08-20 16:12:04 +02:00
|
|
|
NULL,
|
|
|
|
|
NULL,
|
2023-08-20 17:04:53 +02:00
|
|
|
buffer,
|
|
|
|
|
buffer_size,
|
2023-08-20 16:12:04 +02:00
|
|
|
&bytes_returned,
|
2023-08-20 17:04:53 +02:00
|
|
|
NULL
|
2023-08-20 16:12:04 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if ( status == NULL )
|
|
|
|
|
{
|
|
|
|
|
LOG_ERROR( "DeviceIoControl failed with status code 0x%x", GetLastError() );
|
2023-08-20 17:04:53 +02:00
|
|
|
return;
|
2023-08-20 16:12:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-08-20 17:04:53 +02:00
|
|
|
global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* header =
|
|
|
|
|
( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* )buffer;
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-08-20 17:04:53 +02:00
|
|
|
for ( int i = 0; i < header->count; i++ )
|
|
|
|
|
{
|
|
|
|
|
global::report_structures::OPEN_HANDLE_FAILURE_REPORT* report =
|
|
|
|
|
( global::report_structures::OPEN_HANDLE_FAILURE_REPORT* )(
|
|
|
|
|
( UINT64 )buffer + sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER ) +
|
|
|
|
|
i * sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT ) );
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-08-20 17:04:53 +02:00
|
|
|
this->report_interface->ReportViolation( report );
|
|
|
|
|
}
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-08-20 17:04:53 +02:00
|
|
|
free( buffer );
|
2023-08-20 16:12:04 +02:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void kernelmode::Driver::NotifyDriverOnProcessLaunch()
|
2023-08-19 04:52:57 +02:00
|
|
|
{
|
2023-08-20 16:12:04 +02:00
|
|
|
BOOLEAN status;
|
|
|
|
|
kernelmode::DRIVER_INITIATION_INFORMATION information;
|
|
|
|
|
information.protected_process_id = GetCurrentProcessId();
|
|
|
|
|
|
|
|
|
|
status = DeviceIoControl(
|
|
|
|
|
this->driver_handle,
|
|
|
|
|
IOCTL_NOTIFY_DRIVER_ON_PROCESS_LAUNCH,
|
|
|
|
|
&information,
|
|
|
|
|
sizeof( kernelmode::DRIVER_INITIATION_INFORMATION ),
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if ( status == NULL )
|
|
|
|
|
LOG_ERROR( "DeviceIoControl failed with status code 0x%x", GetLastError() );
|
2023-08-19 04:52:57 +02:00
|
|
|
}
|
|
|
|
|
|
2023-08-20 16:12:04 +02:00
|
|
|
void kernelmode::Driver::CompleteQueuedCallbackReports()
|
2023-08-19 04:52:57 +02:00
|
|
|
{
|
2023-08-20 16:12:04 +02:00
|
|
|
|
2023-08-19 04:52:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void kernelmode::Driver::EnableProcessLoadNotifyCallbacks()
|
|
|
|
|
{
|
2023-08-20 16:12:04 +02:00
|
|
|
/*
|
|
|
|
|
* note: no need for these since when the dll is loaded it will simply
|
|
|
|
|
* notify the driver.
|
|
|
|
|
*/
|
2023-08-19 04:52:57 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void kernelmode::Driver::DisableProcessLoadNotifyCallbacks()
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void kernelmode::Driver::ValidateKPRCBThreads()
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void kernelmode::Driver::CheckDriverHeartbeat()
|
|
|
|
|
{
|
|
|
|
|
}
|
