mirror of
https://github.com/donnaskiez/ac.git
synced 2024-11-21 22:24:08 +01:00
221 lines
7.1 KiB
C
221 lines
7.1 KiB
C
|
#pragma once
|
||
|
|
||
|
#include <Windows.h>
|
||
|
|
||
|
#include "../client/message_queue.h"
|
||
|
|
||
|
namespace kernel_interface {
|
||
|
|
||
|
static constexpr int EVENT_COUNT = 5;
|
||
|
static constexpr int MAX_MODULE_PATH = 256;
|
||
|
static constexpr int MAXIMUM_REPORT_BUFFER_SIZE = 1000;
|
||
|
static constexpr int QUERY_DEFERRED_REPORT_COUNT = 10;
|
||
|
|
||
|
enum report_id {
|
||
|
report_nmi_callback_failure = 50,
|
||
|
report_module_validation_failure = 60,
|
||
|
report_illegal_handle_operation = 70,
|
||
|
report_invalid_process_allocation = 80,
|
||
|
report_hidden_system_thread = 90,
|
||
|
report_illegal_attach_process = 100,
|
||
|
report_apc_stackwalk = 110,
|
||
|
report_dpc_stackwalk = 120,
|
||
|
report_data_table_routine = 130,
|
||
|
report_invalid_process_module = 140
|
||
|
};
|
||
|
|
||
|
struct report_header {
|
||
|
int report_id;
|
||
|
};
|
||
|
|
||
|
constexpr int APC_STACKWALK_BUFFER_SIZE = 500;
|
||
|
constexpr int DATA_TABLE_ROUTINE_BUF_SIZE = 256;
|
||
|
constexpr int REPORT_INVALID_PROCESS_BUFFER_SIZE = 500;
|
||
|
constexpr int HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH = 64;
|
||
|
constexpr int MODULE_PATH_LEN = 256;
|
||
|
|
||
|
struct apc_stackwalk_report {
|
||
|
int report_code;
|
||
|
uint64_t kthread_address;
|
||
|
uint64_t invalid_rip;
|
||
|
char driver[APC_STACKWALK_BUFFER_SIZE];
|
||
|
};
|
||
|
|
||
|
struct dpc_stackwalk_report {
|
||
|
uint32_t report_code;
|
||
|
uint64_t kthread_address;
|
||
|
uint64_t invalid_rip;
|
||
|
char driver[APC_STACKWALK_BUFFER_SIZE];
|
||
|
};
|
||
|
|
||
|
struct module_validation_failure {
|
||
|
int report_code;
|
||
|
int report_type;
|
||
|
uint64_t driver_base_address;
|
||
|
uint64_t driver_size;
|
||
|
char driver_name[128];
|
||
|
};
|
||
|
|
||
|
enum table_id { hal_dispatch = 0, hal_private_dispatch };
|
||
|
|
||
|
struct data_table_routine_report {
|
||
|
uint32_t report_code;
|
||
|
table_id id;
|
||
|
uint64_t address;
|
||
|
char routine[DATA_TABLE_ROUTINE_BUF_SIZE];
|
||
|
};
|
||
|
|
||
|
struct nmi_callback_failure {
|
||
|
int report_code;
|
||
|
int were_nmis_disabled;
|
||
|
uint64_t kthread_address;
|
||
|
uint64_t invalid_rip;
|
||
|
};
|
||
|
|
||
|
struct invalid_process_allocation_report {
|
||
|
int report_code;
|
||
|
char process[REPORT_INVALID_PROCESS_BUFFER_SIZE];
|
||
|
};
|
||
|
|
||
|
struct hidden_system_thread_report {
|
||
|
int report_code;
|
||
|
int found_in_kthreadlist;
|
||
|
int found_in_pspcidtable;
|
||
|
uint64_t thread_address;
|
||
|
long thread_id;
|
||
|
char thread[500];
|
||
|
};
|
||
|
|
||
|
struct attach_process_report {
|
||
|
int report_code;
|
||
|
uint32_t thread_id;
|
||
|
uint64_t thread_address;
|
||
|
};
|
||
|
|
||
|
struct kprcb_thread_validation_ctx {
|
||
|
uint64_t thread;
|
||
|
bool thread_found_in_pspcidtable;
|
||
|
bool finished;
|
||
|
};
|
||
|
|
||
|
struct open_handle_failure_report {
|
||
|
int report_code;
|
||
|
int is_kernel_handle;
|
||
|
long process_id;
|
||
|
long thread_id;
|
||
|
long access;
|
||
|
char process_name[HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH];
|
||
|
};
|
||
|
|
||
|
struct process_module_validation_report {
|
||
|
int report_code;
|
||
|
uint64_t image_base;
|
||
|
uint32_t image_size;
|
||
|
wchar_t module_path[MODULE_PATH_LEN];
|
||
|
};
|
||
|
|
||
|
enum apc_operation { operation_stackwalk = 0x1 };
|
||
|
|
||
|
// clang-format off
|
||
|
enum ioctl_code
|
||
|
{
|
||
|
RunNmiCallbacks = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20001, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
ValidateDriverObjects = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20002, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
NotifyDriverOnProcessLaunch = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20004, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
QueryForApcCompletion = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20005, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
PerformVirtualisationCheck = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20006, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
EnumerateHandleTables = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20007, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
NotifyDriverOnProcessTermination = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20010, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
ScanForUnlinkedProcesses = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20011, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
PerformModuleIntegrityCheck = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20013, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
ScanFroAttachedThreads = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20014, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
ValidateProcessLoadedModule = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20015, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
RequestHardwareInformation = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20016, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
InitiateApcStackwalkOperation = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20017, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
ScanForEptHooks = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20018, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
InitiateDpcStackwalk = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20019, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
ValidateSystemModules = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20020, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
InsertIrpIntoIrpQueue = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20021, METHOD_BUFFERED, FILE_ANY_ACCESS),
|
||
|
QueryDeferredReports = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20022, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||
|
};
|
||
|
// clang-format on
|
||
|
|
||
|
struct event_dispatcher {
|
||
|
bool in_use;
|
||
|
OVERLAPPED overlapped;
|
||
|
void *buffer;
|
||
|
unsigned long buffer_size;
|
||
|
|
||
|
event_dispatcher(void *buffer, unsigned long buffer_size) {
|
||
|
this->in_use = false;
|
||
|
this->overlapped.hEvent = CreateEvent(nullptr, false, false, nullptr);
|
||
|
this->buffer = buffer;
|
||
|
this->buffer_size = buffer_size;
|
||
|
}
|
||
|
};
|
||
|
|
||
|
class kernel_interface {
|
||
|
struct process_load_packet {
|
||
|
unsigned long protected_process_id;
|
||
|
};
|
||
|
|
||
|
struct hv_detection_packet {
|
||
|
unsigned long aperf_msr_timing_check;
|
||
|
unsigned long invd_emulation_check;
|
||
|
};
|
||
|
|
||
|
struct process_module {
|
||
|
void *module_base;
|
||
|
size_t module_size;
|
||
|
wchar_t module_path[MAX_MODULE_PATH];
|
||
|
};
|
||
|
|
||
|
struct apc_operation_init {
|
||
|
int operation_id;
|
||
|
};
|
||
|
|
||
|
HANDLE driver_handle;
|
||
|
LPCWSTR driver_name;
|
||
|
client::message_queue &message_queue;
|
||
|
HANDLE port;
|
||
|
std::mutex lock;
|
||
|
std::vector<event_dispatcher> events;
|
||
|
|
||
|
void initiate_completion_port();
|
||
|
void terminate_completion_port();
|
||
|
event_dispatcher *get_free_event_entry();
|
||
|
void release_event_object(OVERLAPPED *event);
|
||
|
void *get_buffer_from_event_object(OVERLAPPED *event);
|
||
|
|
||
|
void notify_driver_on_process_launch();
|
||
|
void notify_driver_on_process_termination();
|
||
|
void generic_driver_call(ioctl_code ioctl);
|
||
|
unsigned int generic_driver_call_output(ioctl_code ioctl, void *output_buffer,
|
||
|
size_t buffer_size,
|
||
|
unsigned long *bytes_returned);
|
||
|
void generic_driver_call_input(ioctl_code ioctl, void *input_buffer,
|
||
|
size_t buffer_size,
|
||
|
unsigned long *bytes_returned);
|
||
|
void generic_driver_call_apc(apc_operation operation);
|
||
|
|
||
|
public:
|
||
|
kernel_interface(LPCWSTR driver_name, client::message_queue &queue);
|
||
|
~kernel_interface();
|
||
|
|
||
|
void run_completion_port();
|
||
|
void run_nmi_callbacks();
|
||
|
void validate_system_driver_objects();
|
||
|
void detect_system_virtualization();
|
||
|
void enumerate_handle_tables();
|
||
|
void scan_for_unlinked_processes();
|
||
|
void perform_integrity_check();
|
||
|
void scan_for_attached_threads();
|
||
|
void scan_for_ept_hooks();
|
||
|
void perform_dpc_stackwalk();
|
||
|
void validate_system_modules();
|
||
|
void verify_process_module_executable_regions();
|
||
|
void initiate_apc_stackwalk();
|
||
|
void send_pending_irp();
|
||
|
void query_deferred_reports();
|
||
|
};
|
||
|
} // namespace kernel_interface
|