mirror-ac/user/km/driver.h

#ifndef DRIVER_H
#define DRIVER_H

#include <Windows.h>

#include "../threadpool.h"
#include "../client.h"

#define IOCCTL_RUN_NMI_CALLBACKS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20001, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_VALIDATE_DRIVER_OBJECTS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20002, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_LAUNCH CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20004, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_HANDLE_REPORTS_IN_CALLBACK_QUEUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20005, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PERFORM_VIRTUALIZATION_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20006, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_ENUMERATE_HANDLE_TABLES CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20007, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_RETRIEVE_MODULE_EXECUTABLE_REGIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20008, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_REQUEST_TOTAL_MODULE_SIZE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20009, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20010, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SCAN_FOR_UNLINKED_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20011, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20012, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PERFORM_INTEGRITY_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20013, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DETECT_ATTACHED_THREADS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20014, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_VALIDATE_PROCESS_LOADED_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20015, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_REQUEST_HARDWARE_INFORMATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20016, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_INITIATE_APC_OPERATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20017, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_CHECK_FOR_EPT_HOOK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20018, METHOD_BUFFERED, FILE_ANY_ACCESS)

#define MAX_REPORTS_PER_IRP 20

#define MAX_MODULE_PATH 256

namespace kernelmode
{
	enum APC_OPERATION_IDS
	{
		operation_stackwalk = 0x1
	};

	class Driver
	{
		HANDLE driver_handle;
		LPCWSTR driver_name;
		std::shared_ptr<global::Client> report_interface;

		ULONG RequestTotalModuleSize();
		VOID NotifyDriverOnProcessLaunch();
		VOID CheckDriverHeartbeat();
		VOID NotifyDriverOnProcessTermination();
		//VOID GetKernelStructureOffsets();

		template <typename T>
		VOID ReportTypeFromReportQueue( CONST PVOID Buffer, PSIZE_T Offset, PVOID Report )
		{
			Report = ( T* )(
				( UINT64 )Buffer + sizeof( global::report_structures::REPORT_QUEUE_HEADER ) + *Offset );

			this->report_interface->ReportViolation( ( T* )Report );

			*Offset += sizeof( T );
		}

	public:

		Driver(LPCWSTR DriverName, std::shared_ptr<global::Client> ReportInterface );
		~Driver();

		VOID RunNmiCallbacks();
		VOID VerifySystemModules();
		VOID RunCallbackReportQueue();
		VOID DetectSystemVirtualization();
		VOID QueryReportQueue();
		VOID ValidateKPRCBThreads();
		VOID CheckHandleTableEntries();
		VOID RequestModuleExecutableRegions();
		VOID ScanForUnlinkedProcess();
		VOID PerformIntegrityCheck();
		VOID CheckForAttachedThreads();
		VOID VerifyProcessLoadedModuleExecutableRegions();
		VOID SendClientHardwareInformation();
		VOID CheckForHiddenThreads();
		VOID CheckForEptHooks();
		BOOLEAN InitiateApcOperation( INT OperationId );
	};

	struct DRIVER_INITIATION_INFORMATION
	{
		LONG protected_process_id;
	};

	struct HYPERVISOR_DETECTION_REPORT
	{
		INT aperf_msr_timing_check;
		INT invd_emulation_check;
	};

	struct PROCESS_MODULE_INFORMATION
	{
		PVOID module_base;
		SIZE_T module_size;
		WCHAR module_path[ MAX_MODULE_PATH ];
	};

	struct PROCESS_MODULE_VALIDATION_RESULT
	{
		INT is_module_valid;
	};

	struct APC_OPERATION_INFORMATION
	{
		int operation_id;
	};
}

#endif
e 2023-08-17 10:45:50 +02:00			`#ifndef DRIVER_H`
			`#define DRIVER_H`

			`#include <Windows.h>`

			`#include "../threadpool.h"`
AAAAAA 2023-08-22 19:32:25 +02:00			`#include "../client.h"`
e 2023-08-17 10:45:50 +02:00
working!!! qwoooo 2023-10-11 18:05:29 +02:00			`#define IOCCTL_RUN_NMI_CALLBACKS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20001, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_VALIDATE_DRIVER_OBJECTS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20002, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_LAUNCH CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20004, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_HANDLE_REPORTS_IN_CALLBACK_QUEUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20005, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_PERFORM_VIRTUALIZATION_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20006, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_ENUMERATE_HANDLE_TABLES CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20007, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_RETRIEVE_MODULE_EXECUTABLE_REGIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20008, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_REQUEST_TOTAL_MODULE_SIZE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20009, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20010, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_SCAN_FOR_UNLINKED_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20011, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20012, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_PERFORM_INTEGRITY_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20013, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_DETECT_ATTACHED_THREADS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20014, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_VALIDATE_PROCESS_LOADED_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20015, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_REQUEST_HARDWARE_INFORMATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20016, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_INITIATE_APC_OPERATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20017, METHOD_BUFFERED, FILE_ANY_ACCESS)`
			`#define IOCTL_CHECK_FOR_EPT_HOOK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20018, METHOD_BUFFERED, FILE_ANY_ACCESS)`
eee 2023-08-20 17:04:53 +02:00
implemented global report irp queue 2023-09-02 10:54:04 +02:00			`#define MAX_REPORTS_PER_IRP 20`
big money changes to driver 2023-08-19 04:52:57 +02:00
c: 2023-09-05 11:16:32 +02:00			`#define MAX_MODULE_PATH 256`

e 2023-08-17 10:45:50 +02:00			`namespace kernelmode`
			`{`
apc operation stuff 2023-09-28 18:10:01 +02:00			`enum APC_OPERATION_IDS`
			`{`
			`operation_stackwalk = 0x1`
			`};`

e 2023-08-17 10:45:50 +02:00			`class Driver`
			`{`
			`HANDLE driver_handle;`
			`LPCWSTR driver_name;`
AAAAAA 2023-08-22 19:32:25 +02:00			`std::shared_ptr<global::Client> report_interface;`
eee 2023-08-21 06:45:33 +02:00
working on integrity checks 2023-08-23 14:14:20 +02:00			`ULONG RequestTotalModuleSize();`
BLAH 2023-08-24 17:10:40 +02:00			`VOID NotifyDriverOnProcessLaunch();`
			`VOID CheckDriverHeartbeat();`
			`VOID NotifyDriverOnProcessTermination();`
sleep 2023-09-15 22:25:02 +02:00			`//VOID GetKernelStructureOffsets();`
AAAAAAAAHHHHHHH 2023-08-21 17:48:34 +02:00
small fixes 2023-09-29 05:56:44 +02:00			`template <typename T>`
start doing some ept detection stuff 2023-10-02 16:31:30 +02:00			`VOID ReportTypeFromReportQueue( CONST PVOID Buffer, PSIZE_T Offset, PVOID Report )`
small fixes 2023-09-29 05:56:44 +02:00			`{`
			`Report = ( T* )(`
			`( UINT64 )Buffer + sizeof( global::report_structures::REPORT_QUEUE_HEADER ) + *Offset );`

			`this->report_interface->ReportViolation( ( T* )Report );`

			`*Offset += sizeof( T );`
			`}`

e 2023-08-17 10:45:50 +02:00			`public:`

AAAAAA 2023-08-22 19:32:25 +02:00			`Driver(LPCWSTR DriverName, std::shared_ptr<global::Client> ReportInterface );`
BLAH 2023-08-24 17:10:40 +02:00			`~Driver();`
big money changes to driver 2023-08-19 04:52:57 +02:00
working on integrity checks 2023-08-23 14:14:20 +02:00			`VOID RunNmiCallbacks();`
			`VOID VerifySystemModules();`
			`VOID RunCallbackReportQueue();`
			`VOID DetectSystemVirtualization();`
testing fixes 2023-08-30 15:23:04 +02:00			`VOID QueryReportQueue();`
working on integrity checks 2023-08-23 14:14:20 +02:00			`VOID ValidateKPRCBThreads();`
			`VOID CheckHandleTableEntries();`
			`VOID RequestModuleExecutableRegions();`
bed time c: 2023-08-28 17:00:52 +02:00			`VOID ScanForUnlinkedProcess();`
break time C: 2023-09-01 13:46:31 +02:00			`VOID PerformIntegrityCheck();`
e 2023-09-02 15:47:15 +02:00			`VOID CheckForAttachedThreads();`
c: 2023-09-05 11:16:32 +02:00			`VOID VerifyProcessLoadedModuleExecutableRegions();`
WOO! 2023-09-08 20:41:11 +02:00			`VOID SendClientHardwareInformation();`
PLZ no CORRUPT :c 2023-10-06 07:47:01 +02:00			`VOID CheckForHiddenThreads();`
refactor ept detection a bit 2023-10-06 09:02:10 +02:00			`VOID CheckForEptHooks();`
apc operation stuff 2023-09-28 18:10:01 +02:00			`BOOLEAN InitiateApcOperation( INT OperationId );`
e 2023-08-17 10:45:50 +02:00			`};`
excellent progress :) 2023-08-20 16:12:04 +02:00
			`struct DRIVER_INITIATION_INFORMATION`
			`{`
			`LONG protected_process_id;`
			`};`
AAAAAAAAHHHHHHH 2023-08-21 17:48:34 +02:00
			`struct HYPERVISOR_DETECTION_REPORT`
			`{`
			`INT aperf_msr_timing_check;`
			`INT invd_emulation_check;`
			`};`
c: 2023-09-05 11:16:32 +02:00
			`struct PROCESS_MODULE_INFORMATION`
			`{`
			`PVOID module_base;`
			`SIZE_T module_size;`
			`WCHAR module_path[ MAX_MODULE_PATH ];`
			`};`

			`struct PROCESS_MODULE_VALIDATION_RESULT`
			`{`
			`INT is_module_valid;`
			`};`
apc operation stuff 2023-09-28 18:10:01 +02:00
			`struct APC_OPERATION_INFORMATION`
			`{`
			`int operation_id;`
			`};`
e 2023-08-17 10:45:50 +02:00			`}`

			`#endif`