mirror-ac/module/kernel_interface/kernel_interface.h

221 lines
7.1 KiB
C
Raw Normal View History

#pragma once
#include <Windows.h>
#include "../client/message_queue.h"
namespace kernel_interface {
static constexpr int EVENT_COUNT = 5;
static constexpr int MAX_MODULE_PATH = 256;
static constexpr int MAXIMUM_REPORT_BUFFER_SIZE = 1000;
static constexpr int QUERY_DEFERRED_REPORT_COUNT = 10;
enum report_id {
report_nmi_callback_failure = 50,
report_module_validation_failure = 60,
report_illegal_handle_operation = 70,
report_invalid_process_allocation = 80,
report_hidden_system_thread = 90,
report_illegal_attach_process = 100,
report_apc_stackwalk = 110,
report_dpc_stackwalk = 120,
report_data_table_routine = 130,
report_invalid_process_module = 140
};
struct report_header {
int report_id;
};
constexpr int APC_STACKWALK_BUFFER_SIZE = 500;
constexpr int DATA_TABLE_ROUTINE_BUF_SIZE = 256;
constexpr int REPORT_INVALID_PROCESS_BUFFER_SIZE = 500;
constexpr int HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH = 64;
constexpr int MODULE_PATH_LEN = 256;
struct apc_stackwalk_report {
int report_code;
uint64_t kthread_address;
uint64_t invalid_rip;
char driver[APC_STACKWALK_BUFFER_SIZE];
};
struct dpc_stackwalk_report {
uint32_t report_code;
uint64_t kthread_address;
uint64_t invalid_rip;
char driver[APC_STACKWALK_BUFFER_SIZE];
};
struct module_validation_failure {
int report_code;
int report_type;
uint64_t driver_base_address;
uint64_t driver_size;
char driver_name[128];
};
enum table_id { hal_dispatch = 0, hal_private_dispatch };
struct data_table_routine_report {
uint32_t report_code;
table_id id;
uint64_t address;
char routine[DATA_TABLE_ROUTINE_BUF_SIZE];
};
struct nmi_callback_failure {
int report_code;
int were_nmis_disabled;
uint64_t kthread_address;
uint64_t invalid_rip;
};
struct invalid_process_allocation_report {
int report_code;
char process[REPORT_INVALID_PROCESS_BUFFER_SIZE];
};
struct hidden_system_thread_report {
int report_code;
int found_in_kthreadlist;
int found_in_pspcidtable;
uint64_t thread_address;
long thread_id;
char thread[500];
};
struct attach_process_report {
int report_code;
uint32_t thread_id;
uint64_t thread_address;
};
struct kprcb_thread_validation_ctx {
uint64_t thread;
bool thread_found_in_pspcidtable;
bool finished;
};
struct open_handle_failure_report {
int report_code;
int is_kernel_handle;
long process_id;
long thread_id;
long access;
char process_name[HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH];
};
struct process_module_validation_report {
int report_code;
uint64_t image_base;
uint32_t image_size;
wchar_t module_path[MODULE_PATH_LEN];
};
enum apc_operation { operation_stackwalk = 0x1 };
// clang-format off
enum ioctl_code
{
RunNmiCallbacks = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20001, METHOD_BUFFERED, FILE_ANY_ACCESS),
ValidateDriverObjects = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20002, METHOD_BUFFERED, FILE_ANY_ACCESS),
NotifyDriverOnProcessLaunch = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20004, METHOD_BUFFERED, FILE_ANY_ACCESS),
QueryForApcCompletion = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20005, METHOD_BUFFERED, FILE_ANY_ACCESS),
PerformVirtualisationCheck = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20006, METHOD_BUFFERED, FILE_ANY_ACCESS),
EnumerateHandleTables = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20007, METHOD_BUFFERED, FILE_ANY_ACCESS),
NotifyDriverOnProcessTermination = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20010, METHOD_BUFFERED, FILE_ANY_ACCESS),
ScanForUnlinkedProcesses = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20011, METHOD_BUFFERED, FILE_ANY_ACCESS),
PerformModuleIntegrityCheck = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20013, METHOD_BUFFERED, FILE_ANY_ACCESS),
ScanFroAttachedThreads = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20014, METHOD_BUFFERED, FILE_ANY_ACCESS),
ValidateProcessLoadedModule = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20015, METHOD_BUFFERED, FILE_ANY_ACCESS),
RequestHardwareInformation = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20016, METHOD_BUFFERED, FILE_ANY_ACCESS),
InitiateApcStackwalkOperation = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20017, METHOD_BUFFERED, FILE_ANY_ACCESS),
ScanForEptHooks = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20018, METHOD_BUFFERED, FILE_ANY_ACCESS),
InitiateDpcStackwalk = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20019, METHOD_BUFFERED, FILE_ANY_ACCESS),
ValidateSystemModules = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20020, METHOD_BUFFERED, FILE_ANY_ACCESS),
InsertIrpIntoIrpQueue = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20021, METHOD_BUFFERED, FILE_ANY_ACCESS),
QueryDeferredReports = CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20022, METHOD_BUFFERED, FILE_ANY_ACCESS)
};
// clang-format on
struct event_dispatcher {
bool in_use;
OVERLAPPED overlapped;
void *buffer;
unsigned long buffer_size;
event_dispatcher(void *buffer, unsigned long buffer_size) {
this->in_use = false;
this->overlapped.hEvent = CreateEvent(nullptr, false, false, nullptr);
this->buffer = buffer;
this->buffer_size = buffer_size;
}
};
class kernel_interface {
struct process_load_packet {
unsigned long protected_process_id;
};
struct hv_detection_packet {
unsigned long aperf_msr_timing_check;
unsigned long invd_emulation_check;
};
struct process_module {
void *module_base;
size_t module_size;
wchar_t module_path[MAX_MODULE_PATH];
};
struct apc_operation_init {
int operation_id;
};
HANDLE driver_handle;
LPCWSTR driver_name;
client::message_queue &message_queue;
HANDLE port;
std::mutex lock;
std::vector<event_dispatcher> events;
void initiate_completion_port();
void terminate_completion_port();
event_dispatcher *get_free_event_entry();
void release_event_object(OVERLAPPED *event);
void *get_buffer_from_event_object(OVERLAPPED *event);
void notify_driver_on_process_launch();
void notify_driver_on_process_termination();
void generic_driver_call(ioctl_code ioctl);
unsigned int generic_driver_call_output(ioctl_code ioctl, void *output_buffer,
size_t buffer_size,
unsigned long *bytes_returned);
void generic_driver_call_input(ioctl_code ioctl, void *input_buffer,
size_t buffer_size,
unsigned long *bytes_returned);
void generic_driver_call_apc(apc_operation operation);
public:
kernel_interface(LPCWSTR driver_name, client::message_queue &queue);
~kernel_interface();
void run_completion_port();
void run_nmi_callbacks();
void validate_system_driver_objects();
void detect_system_virtualization();
void enumerate_handle_tables();
void scan_for_unlinked_processes();
void perform_integrity_check();
void scan_for_attached_threads();
void scan_for_ept_hooks();
void perform_dpc_stackwalk();
void validate_system_modules();
void verify_process_module_executable_regions();
void initiate_apc_stackwalk();
void send_pending_irp();
void query_deferred_reports();
};
} // namespace kernel_interface