#ifndef MODULES_H
#define MODULES_H
#include <ntifs.h>
#include <intrin.h>
#include "common.h"
/* Report codes. Presumably stored in the leading report_code field of the
 * matching report structure (MODULE_VALIDATION_FAILURE / NMI_CALLBACK_FAILURE)
 * so a consumer can tell the records apart. */
#define REPORT_MODULE_VALIDATION_FAILURE            60
#define REPORT_NMI_CALLBACK_FAILURE                 50

/* Upper bound on the number of module-validation failure reports produced
 * (per validation pass, presumably). Where it is enforced is not visible in
 * this header. */
#define MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT  20

/* Size in bytes of the driver_name[] buffer carried by
 * MODULE_VALIDATION_FAILURE (128 bytes in that struct). Any copy into that
 * buffer must be bounded by this value and leave room for the terminating NUL;
 * keep the constant and the array declaration in sync. */
#define MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE       128

/* Reasons a driver object is queued on the invalid-driver list
 * (INVALID_DRIVER::reason, presumably). */
#define REASON_NO_BACKING_MODULE                    1
#define REASON_INVALID_IOCTL_DISPATCH               2
/*
 * IOCTL entry point for the NMI check (defined elsewhere; the NMI_* structures
 * in this header suggest a per-thread stack capture, but the implementation is
 * not visible here).
 *
 * @param Irp  The request IRP handed in by the dispatch routine.
 * @return     NTSTATUS of the operation.
 *
 * NOTE(review): the IRP originates from user mode. The implementation must
 * validate the output buffer length against the size of whatever report it
 * writes (e.g. NMI_CALLBACK_FAILURE) before copying into it, and must zero any
 * report it copies out so struct padding does not leak kernel memory.
 */
NTSTATUS HandleNmiIOCTL(_In_ PIRP Irp);
/*
 * An address range that is exempt from a check.
 *
 * Whether `end` is inclusive or one-past-the-end is not visible in this header;
 * confirm against the code that populates and tests these regions before
 * relying on either interpretation.
 */
typedef struct _WHITELISTED_REGIONS
{
    UINT64 base;   /* first address of the region */
    UINT64 end;    /* last address (or limit) of the region — see note above */
} WHITELISTED_REGIONS, *PWHITELISTED_REGIONS;
/*
 * Bundle of the allocations used by the NMI path, so they can be passed around
 * and released together.
 *
 * The names suggest pool allocations; which routine allocates and frees each
 * one, and with what size, is not visible in this header — treat ownership as
 * belonging to whoever fills this struct until confirmed.
 */
typedef struct _NMI_POOLS
{
    PVOID thread_data_pool;   /* presumably an array of NMI_CALLBACK_DATA */
    PVOID stack_frames;       /* presumably the captured return addresses */
    PVOID nmi_context;        /* presumably an NMI_CONTEXT */
} NMI_POOLS, *PNMI_POOLS;
/*
 * Report describing a thread whose NMI stack capture failed validation.
 *
 * Layout is ABI (the record is presumably handed out of the driver): two
 * 4-byte INTs followed by two UINT64s, so there is no interior padding and the
 * field order must not change. The struct tag intentionally keeps its existing
 * spelling (no leading underscore, unlike the other tags in this header) so any
 * `struct NMI_CALLBACK_FAILURE` reference elsewhere stays valid.
 */
typedef struct NMI_CALLBACK_FAILURE
{
    INT report_code;          /* REPORT_NMI_CALLBACK_FAILURE, presumably */
    INT were_nmis_disabled;   /* non-zero if NMIs were found disabled, presumably */
    UINT64 kthread_address;   /* KTHREAD the report concerns */
    UINT64 invalid_rip;       /* instruction pointer that failed validation */
} NMI_CALLBACK_FAILURE, *PNMI_CALLBACK_FAILURE;
/*
 * Shared state for one NMI run.
 *
 * NOTE(review): an NMI callback executes on every logical processor. If
 * nmi_callbacks_run is updated from inside the callback it must be incremented
 * atomically (InterlockedIncrement), not with a plain `++` — verify at the
 * callback, which is not in this header.
 */
typedef struct _NMI_CONTEXT
{
    INT nmi_callbacks_run;   /* number of callbacks that have completed, presumably */
} NMI_CONTEXT, *PNMI_CONTEXT;
/*
 * Per-interrupted-thread snapshot recorded by the NMI callback (presumably one
 * entry per logical processor in NMI_POOLS::thread_data_pool).
 *
 * stack_frames_offset is declared uintptr_t while every other address field is
 * UINT64; the widths agree on a 64-bit target but the inconsistency is worth
 * knowing about if this struct is ever shared with a 32-bit consumer.
 *
 * NOTE(review): with a 4-byte INT and 8-byte-aligned UINT64 there are 4 bytes
 * of padding between num_frames_captured and cr3. Zero-initialize the struct
 * (or the pool it lives in) before it leaves the kernel so the padding cannot
 * carry stale kernel memory.
 */
typedef struct _NMI_CALLBACK_DATA
{
    UINT64 kthread_address;         /* KTHREAD of the interrupted thread */
    UINT64 kprocess_address;        /* KPROCESS owning that thread */
    UINT64 start_address;           /* thread start address, presumably */
    UINT64 stack_limit;             /* lower bound of the thread's kernel stack */
    UINT64 stack_base;              /* upper bound of the thread's kernel stack */
    uintptr_t stack_frames_offset;  /* where this thread's frames begin in NMI_POOLS::stack_frames, presumably */
    INT num_frames_captured;        /* frames actually written at that offset */
    UINT64 cr3;                     /* page-table base in effect when the NMI fired */
} NMI_CALLBACK_DATA, *PNMI_CALLBACK_DATA;
/*
 * Header placed in front of a batch of MODULE_VALIDATION_FAILURE records
 * (presumably in the IOCTL output buffer).
 *
 * NOTE(review): a consumer must clamp module_count to
 * MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT and to the buffer size it was
 * actually given before iterating; the count is data, not a guarantee.
 */
typedef struct _MODULE_VALIDATION_FAILURE_HEADER
{
    INT module_count;   /* number of MODULE_VALIDATION_FAILURE records that follow */
} MODULE_VALIDATION_FAILURE_HEADER, *PMODULE_VALIDATION_FAILURE_HEADER;
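/*
 * Report emitted for a loaded driver that failed validation.
 *
 * Layout is ABI (it is presumably copied out to a user-mode consumer), so the
 * field order and types are preserved: with a 4-byte INT and 8-byte UINT64 the
 * two INTs pack into the first 8 bytes and there is no interior padding.
 *
 * driver_name is sized with MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE (128) rather
 * than a bare literal so the buffer and the size constant cannot drift apart.
 *
 * NOTE(review): whoever fills driver_name must bound the copy to
 * MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE - 1 bytes and write a terminating NUL;
 * the source string (a module path, presumably) may be longer than this
 * buffer, and a consumer should not assume termination either.
 */
typedef struct _MODULE_VALIDATION_FAILURE
{
    INT report_code;              /* REPORT_MODULE_VALIDATION_FAILURE, presumably */
    INT report_type;              /* REASON_* value, presumably */
    UINT64 driver_base_address;   /* image base of the offending driver */
    UINT64 driver_size;           /* image size of the offending driver */
    CHAR driver_name[MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE];
} MODULE_VALIDATION_FAILURE, *PMODULE_VALIDATION_FAILURE;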
/*
 * Singly-linked list node recording a driver object that failed a check.
 *
 * NOTE(review): `driver` is a raw DRIVER_OBJECT pointer with no reference
 * taken here. If the list outlives the enumeration that produced it, the
 * object may be unloaded before it is reported — verify how the producer
 * handles lifetime before dereferencing it later.
 */
typedef struct _INVALID_DRIVER
{
    struct _INVALID_DRIVER *next;   /* next node, NULL at the tail (presumably) */
    INT reason;                     /* REASON_* code, presumably */
    PDRIVER_OBJECT driver;          /* the driver object in question */
} INVALID_DRIVER, *PINVALID_DRIVER;
/*
 * Head of the invalid-driver list.
 *
 * No lock is part of this structure; if the list is built and consumed on
 * different threads the caller must provide its own synchronization (not
 * visible in this header).
 */
typedef struct _INVALID_DRIVERS_HEAD
{
    PINVALID_DRIVER first_entry;   /* first node, NULL when the list is empty (presumably) */
    INT count;                     /* number of nodes currently on the list */
} INVALID_DRIVERS_HEAD, *PINVALID_DRIVERS_HEAD;
/*
 * Snapshot of the loaded system module list, filled by
 * GetSystemModuleInformation.
 *
 * `address` is presumably the buffer holding the module records and
 * FindSystemModuleByName returns pointers into it; which routine frees the
 * buffer, and when, is not visible in this header — confirm before freeing.
 */
typedef struct _SYSTEM_MODULES
{
    PVOID address;      /* module information buffer */
    INT module_count;   /* number of module records in the buffer */
} SYSTEM_MODULES, *PSYSTEM_MODULES;
/*
 * Enumerates the loaded system modules into *ModuleInformation.
 *
 * @param ModuleInformation  Receives the buffer and count on success.
 * @return                   NTSTATUS of the enumeration.
 *
 * Ownership of ModuleInformation->address (who frees it) is not visible in
 * this header; check the definition before using the buffer past the call.
 */
NTSTATUS GetSystemModuleInformation(_Out_ PSYSTEM_MODULES ModuleInformation);
/*
 * IOCTL entry point for driver validation (defined elsewhere).
 *
 * @param Irp  The request IRP handed in by the dispatch routine.
 * @return     NTSTATUS of the operation.
 *
 * NOTE(review): the IRP originates from user mode. Before writing a
 * MODULE_VALIDATION_FAILURE_HEADER plus up to
 * MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT records, the implementation must
 * check the output buffer length covers that many bytes, and it should
 * zero-initialize each record so driver_name is NUL-terminated.
 */
NTSTATUS HandleValidateDriversIOCTL(_In_ PIRP Irp);
/*
 * Looks up a module by name in a SYSTEM_MODULES snapshot.
 *
 * @param ModuleName     Name to search for (matching rules not visible here).
 * @param SystemModules  Snapshot produced by GetSystemModuleInformation.
 * @return               Presumably a pointer into SystemModules->address, or
 *                       NULL when no module matches — confirm against the
 *                       definition. The pointer is only valid while that
 *                       buffer is alive.
 */
PRTL_MODULE_EXTENDED_INFO FindSystemModuleByName(
    _In_ LPCSTR ModuleName,
    _In_ PSYSTEM_MODULES SystemModules);
#endif