2023-08-17 10:45:50 +02:00
|
|
|
#include "driver.h"
|
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
#include "apc.h"
|
2023-08-20 16:12:04 +02:00
|
|
|
#include "callbacks.h"
|
2024-08-01 06:21:53 +02:00
|
|
|
#include "common.h"
|
|
|
|
|
#include "crypt.h"
|
2023-08-21 14:40:40 +02:00
|
|
|
#include "hv.h"
|
2024-08-01 06:21:53 +02:00
|
|
|
#include "hw.h"
|
2024-01-07 05:13:41 +01:00
|
|
|
#include "imports.h"
|
2024-08-01 06:21:53 +02:00
|
|
|
#include "integrity.h"
|
|
|
|
|
#include "io.h"
|
2024-08-04 08:30:31 +02:00
|
|
|
#include "lib/stdlib.h"
|
2024-08-01 06:21:53 +02:00
|
|
|
#include "modules.h"
|
|
|
|
|
#include "pool.h"
|
2024-01-31 08:32:13 +01:00
|
|
|
#include "session.h"
|
2024-08-01 06:21:53 +02:00
|
|
|
#include "thread.h"
|
2023-08-22 19:32:25 +02:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
#include <immintrin.h>
|
|
|
|
|
|
2023-12-13 05:06:27 +01:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DriverUnload(_In_ PDRIVER_OBJECT DriverObject);
|
|
|
|
|
|
|
|
|
|
_Function_class_(DRIVER_INITIALIZE) _IRQL_requires_same_
|
|
|
|
|
NTSTATUS
|
2024-08-01 06:21:53 +02:00
|
|
|
DriverEntry(
|
|
|
|
|
_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
2024-08-01 06:21:53 +02:00
|
|
|
RegistryPathQueryCallbackRoutine(
|
|
|
|
|
IN PWSTR ValueName,
|
|
|
|
|
IN ULONG ValueType,
|
|
|
|
|
IN PVOID ValueData,
|
|
|
|
|
IN ULONG ValueLength,
|
|
|
|
|
IN PVOID Context,
|
|
|
|
|
IN PVOID EntryContext);
|
2023-10-06 13:08:30 +02:00
|
|
|
|
2023-10-09 18:27:04 +02:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadUnregisterObCallbacks();
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadFreeConfigStrings();
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadFreeThreadList();
|
|
|
|
|
|
2023-10-10 19:49:17 +02:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadFreeProcessList();
|
|
|
|
|
|
2023-10-09 18:27:04 +02:00
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
|
|
|
|
DrvLoadEnableNotifyRoutines();
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
2024-08-01 06:21:53 +02:00
|
|
|
DrvLoadInitialiseDriverConfig(
|
|
|
|
|
_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath);
|
2023-10-09 18:27:04 +02:00
|
|
|
|
2023-10-06 13:08:30 +02:00
|
|
|
#ifdef ALLOC_PRAGMA
|
2024-04-13 10:23:14 +02:00
|
|
|
# pragma alloc_text(INIT, DriverEntry)
|
|
|
|
|
# pragma alloc_text(PAGE, GetDriverName)
|
|
|
|
|
# pragma alloc_text(PAGE, GetDriverPath)
|
|
|
|
|
# pragma alloc_text(PAGE, GetDriverRegistryPath)
|
|
|
|
|
# pragma alloc_text(PAGE, GetDriverDeviceName)
|
|
|
|
|
# pragma alloc_text(PAGE, GetDriverSymbolicLink)
|
|
|
|
|
# pragma alloc_text(PAGE, GetDriverConfigSystemInformation)
|
|
|
|
|
# pragma alloc_text(PAGE, RegistryPathQueryCallbackRoutine)
|
|
|
|
|
# pragma alloc_text(PAGE, DrvUnloadUnregisterObCallbacks)
|
|
|
|
|
# pragma alloc_text(PAGE, DrvUnloadFreeConfigStrings)
|
|
|
|
|
# pragma alloc_text(PAGE, DrvUnloadFreeThreadList)
|
|
|
|
|
# pragma alloc_text(PAGE, DrvLoadEnableNotifyRoutines)
|
|
|
|
|
# pragma alloc_text(PAGE, DrvLoadEnableNotifyRoutines)
|
|
|
|
|
# pragma alloc_text(PAGE, DrvLoadInitialiseDriverConfig)
|
2023-10-06 13:08:30 +02:00
|
|
|
#endif
|
|
|
|
|
|
2024-04-13 06:40:51 +02:00
|
|
|
typedef struct _DRIVER_CONFIG {
|
2024-08-01 06:21:53 +02:00
|
|
|
volatile UINT32 nmi_status;
|
|
|
|
|
UNICODE_STRING unicode_driver_name;
|
|
|
|
|
ANSI_STRING ansi_driver_name;
|
|
|
|
|
PUNICODE_STRING device_name;
|
|
|
|
|
PUNICODE_STRING device_symbolic_link;
|
|
|
|
|
UNICODE_STRING driver_path;
|
|
|
|
|
UNICODE_STRING registry_path;
|
|
|
|
|
SYSTEM_INFORMATION system_information;
|
|
|
|
|
PVOID apc_contexts[MAXIMUM_APC_CONTEXTS];
|
|
|
|
|
PDRIVER_OBJECT driver_object;
|
|
|
|
|
PDEVICE_OBJECT device_object;
|
|
|
|
|
volatile BOOLEAN unload_in_progress;
|
|
|
|
|
KGUARDED_MUTEX lock;
|
2024-04-13 10:23:14 +02:00
|
|
|
SYS_MODULE_VAL_CONTEXT sys_val_context;
|
2024-08-01 06:21:53 +02:00
|
|
|
IRP_QUEUE_HEAD irp_queue;
|
|
|
|
|
TIMER_OBJECT integrity_check_timer;
|
|
|
|
|
ACTIVE_SESSION session_information;
|
|
|
|
|
RB_TREE thread_tree;
|
|
|
|
|
DRIVER_LIST_HEAD driver_list;
|
|
|
|
|
RTL_HASHMAP process_hashmap;
|
|
|
|
|
SHARED_MAPPING mapping;
|
|
|
|
|
BOOLEAN has_driver_loaded;
|
|
|
|
|
BCRYPT_ALG_HANDLE aes_hash;
|
|
|
|
|
BCRYPT_ALG_HANDLE sha256_hash;
|
2023-12-13 05:06:27 +01:00
|
|
|
} DRIVER_CONFIG, *PDRIVER_CONFIG;
|
2023-09-27 15:10:12 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
UNICODE_STRING g_DeviceName = RTL_CONSTANT_STRING(L"\\Device\\DonnaAC");
|
2024-01-28 08:34:09 +01:00
|
|
|
UNICODE_STRING g_DeviceSymbolicLink = RTL_CONSTANT_STRING(L"\\??\\DonnaAC");
|
|
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
/* xor key generated on driver entry used to encrypt the imports array. Kept in
|
|
|
|
|
* here since imports array is encrypted before the device extension is
|
|
|
|
|
* allocated.*/
|
|
|
|
|
__m256i g_ImportsKey;
|
|
|
|
|
|
|
|
|
|
/* xor key generated that encrypts the DeviceObject->DeviceExtension aswell as
|
|
|
|
|
* our g_DriverConfig pointer. Probably best not to even use the device
|
|
|
|
|
* extension but whatevs */
|
|
|
|
|
UINT64 g_DeviceExtensionKey;
|
|
|
|
|
|
2023-09-27 15:10:12 +02:00
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* Rather then getting the driver state from the device object passed to our
|
|
|
|
|
* IOCTL handlers, store a pointer to the device extension here and abstract it
|
|
|
|
|
* with getters which can be accessed globally. The reason for this is because
|
|
|
|
|
* there isnt a way for us to pass a context structure to some of notify
|
|
|
|
|
* routines so I think it's better to do it this way.
|
2024-01-13 22:33:57 +01:00
|
|
|
*
|
|
|
|
|
* Note that the device extension pointer should be encrypted
|
2023-12-13 05:06:27 +01:00
|
|
|
*/
|
2024-01-13 22:33:57 +01:00
|
|
|
PDRIVER_CONFIG g_DriverConfig = NULL;
|
2023-11-18 11:40:22 +01:00
|
|
|
|
2024-07-18 13:34:52 +02:00
|
|
|
/* Its not ideal that this isnt inlined, but it causes errors with the
|
|
|
|
|
* decryption process and subsequently causes deadlocks / invalid pointer errors
|
|
|
|
|
* etc. Will need to look into it.*/
|
2024-07-13 12:32:00 +02:00
|
|
|
DECLSPEC_NOINLINE
|
|
|
|
|
PDRIVER_CONFIG
|
|
|
|
|
GetDecryptedDriverConfig()
|
|
|
|
|
{
|
|
|
|
|
return (PDRIVER_CONFIG)CryptDecryptPointerOutOfPlace64(
|
2024-07-22 12:43:09 +02:00
|
|
|
(PUINT64)&g_DriverConfig,
|
|
|
|
|
g_DeviceExtensionKey);
|
2024-07-13 12:32:00 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-06 10:30:14 +02:00
|
|
|
#define POOL_TAG_CONFIG 'conf'
|
|
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
EncryptDeviceExtensionPointers(_In_ PDEVICE_OBJECT DeviceObject)
|
|
|
|
|
{
|
|
|
|
|
CryptEncryptPointer64(&g_DriverConfig, g_DeviceExtensionKey);
|
|
|
|
|
CryptEncryptPointer64(&DeviceObject->DeviceExtension, g_DeviceExtensionKey);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DecryptDeviceExtensionPointers(_In_ PDEVICE_OBJECT DeviceObject)
|
|
|
|
|
{
|
|
|
|
|
CryptDecryptPointer64(&g_DriverConfig, g_DeviceExtensionKey);
|
|
|
|
|
CryptDecryptPointer64(&DeviceObject->DeviceExtension, g_DeviceExtensionKey);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
PUINT64
|
|
|
|
|
GetDriverDeviceExtensionKey()
|
|
|
|
|
{
|
|
|
|
|
return &g_DeviceExtensionKey;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
__m256i*
|
|
|
|
|
GetDriverImportsKey()
|
|
|
|
|
{
|
|
|
|
|
return &g_ImportsKey;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
SetDriverLoadedFlag()
|
|
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
GetDecryptedDriverConfig()->has_driver_loaded = TRUE;
|
2024-06-21 15:55:23 +02:00
|
|
|
}
|
|
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
BCRYPT_ALG_HANDLE*
|
2024-06-09 09:22:22 +02:00
|
|
|
GetCryptHandle_Sha256()
|
2024-05-11 14:54:58 +02:00
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
return &GetDecryptedDriverConfig()->sha256_hash;
|
2024-06-09 09:22:22 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
PRTL_HASHMAP
|
|
|
|
|
GetProcessHashmap()
|
|
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
return &GetDecryptedDriverConfig()->process_hashmap;
|
2024-06-09 09:22:22 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BCRYPT_ALG_HANDLE*
|
|
|
|
|
GetCryptHandle_AES()
|
|
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
return &GetDecryptedDriverConfig()->aes_hash;
|
2024-05-11 14:54:58 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-31 08:32:13 +01:00
|
|
|
BOOLEAN
|
|
|
|
|
HasDriverLoaded()
|
|
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
return GetDecryptedDriverConfig()->has_driver_loaded;
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|
|
|
|
|
|
2024-01-25 12:09:16 +01:00
|
|
|
VOID
|
|
|
|
|
UnsetNmiInProgressFlag()
|
|
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
InterlockedDecrement(&GetDecryptedDriverConfig()->nmi_status);
|
2024-01-25 12:09:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BOOLEAN
|
|
|
|
|
IsNmiInProgress()
|
|
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
2024-08-01 06:21:53 +02:00
|
|
|
return InterlockedCompareExchange(
|
|
|
|
|
&GetDecryptedDriverConfig()->nmi_status,
|
|
|
|
|
TRUE,
|
|
|
|
|
FALSE) != 0;
|
2024-01-25 12:09:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
PSHARED_MAPPING
|
|
|
|
|
GetSharedMappingConfig()
|
|
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
return &GetDecryptedDriverConfig()->mapping;
|
2024-01-25 12:09:16 +01:00
|
|
|
}
|
|
|
|
|
|
2023-10-09 18:27:04 +02:00
|
|
|
VOID
|
2024-01-13 22:33:57 +01:00
|
|
|
AcquireDriverConfigLock()
|
2023-10-08 16:07:49 +02:00
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
ImpKeAcquireGuardedMutex(&GetDecryptedDriverConfig()->lock);
|
2023-09-25 17:41:38 +02:00
|
|
|
}
|
|
|
|
|
|
2023-09-26 15:32:06 +02:00
|
|
|
VOID
|
2024-01-13 22:33:57 +01:00
|
|
|
ReleaseDriverConfigLock()
|
2023-09-26 15:32:06 +02:00
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
ImpKeReleaseGuardedMutex(&GetDecryptedDriverConfig()->lock);
|
2023-09-26 15:32:06 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PUINT64
|
|
|
|
|
GetApcContextArray()
|
2023-09-26 15:32:06 +02:00
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
return (PUINT64)GetDecryptedDriverConfig()->apc_contexts;
|
2023-09-27 06:22:14 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
BOOLEAN
|
|
|
|
|
IsDriverUnloading()
|
2023-09-27 06:22:14 +02:00
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
2024-08-01 06:21:53 +02:00
|
|
|
return InterlockedExchange(
|
|
|
|
|
&GetDecryptedDriverConfig()->unload_in_progress,
|
|
|
|
|
GetDecryptedDriverConfig()->unload_in_progress);
|
2023-09-27 06:22:14 +02:00
|
|
|
}
|
2023-09-26 15:32:06 +02:00
|
|
|
|
2024-01-31 08:32:13 +01:00
|
|
|
PACTIVE_SESSION
|
|
|
|
|
GetActiveSession()
|
2023-09-25 17:41:38 +02:00
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
return &GetDecryptedDriverConfig()->session_information;
|
2023-09-25 17:41:38 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
LPCSTR
|
|
|
|
|
GetDriverName()
|
2023-09-25 17:41:38 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return GetDecryptedDriverConfig()->ansi_driver_name.Buffer;
|
2024-01-08 04:57:07 +01:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PDEVICE_OBJECT
|
|
|
|
|
GetDriverDeviceObject()
|
2024-01-08 04:57:07 +01:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return GetDecryptedDriverConfig()->device_object;
|
2023-09-26 12:00:45 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PDRIVER_OBJECT
|
|
|
|
|
GetDriverObject()
|
2023-09-26 12:00:45 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return GetDecryptedDriverConfig()->driver_object;
|
2023-09-25 17:41:38 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PIRP_QUEUE_HEAD
|
|
|
|
|
GetIrpQueueHead()
|
2023-08-24 17:10:40 +02:00
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
return &GetDecryptedDriverConfig()->irp_queue;
|
2023-09-01 14:30:32 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PSYS_MODULE_VAL_CONTEXT
|
|
|
|
|
GetSystemModuleValidationContext()
|
2023-08-20 16:12:04 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return &GetDecryptedDriverConfig()->sys_val_context;
|
2023-08-20 16:12:04 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PUNICODE_STRING
|
|
|
|
|
GetDriverPath()
|
2023-12-31 15:06:24 +01:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return &GetDecryptedDriverConfig()->driver_path;
|
2023-12-31 15:06:24 +01:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PUNICODE_STRING
|
|
|
|
|
GetDriverRegistryPath()
|
2024-01-07 05:13:41 +01:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return &GetDecryptedDriverConfig()->registry_path;
|
2024-01-07 05:13:41 +01:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PUNICODE_STRING
|
|
|
|
|
GetDriverDeviceName()
|
2024-01-11 10:16:55 +01:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return &GetDecryptedDriverConfig()->device_name;
|
2024-01-11 10:16:55 +01:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PUNICODE_STRING
|
|
|
|
|
GetDriverSymbolicLink()
|
2024-01-01 17:45:40 +01:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return &GetDecryptedDriverConfig()->device_symbolic_link;
|
2024-01-01 17:45:40 +01:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PSYSTEM_INFORMATION
|
|
|
|
|
GetDriverConfigSystemInformation()
|
2023-08-20 16:12:04 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return &GetDecryptedDriverConfig()->system_information;
|
2023-08-20 16:12:04 +02:00
|
|
|
}
|
|
|
|
|
|
2024-06-16 10:04:28 +02:00
|
|
|
PRB_TREE
|
|
|
|
|
GetThreadTree()
|
2023-09-01 14:30:32 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return &GetDecryptedDriverConfig()->thread_tree;
|
2023-09-01 14:30:32 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
PDRIVER_LIST_HEAD
|
|
|
|
|
GetDriverList()
|
2023-09-01 14:30:32 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
return &GetDecryptedDriverConfig()->driver_list;
|
2023-09-01 14:30:32 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-09 18:27:04 +02:00
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* The question is, What happens if we attempt to register our callbacks after
|
|
|
|
|
* we unregister them but before we free the pool? Hm.. No Good.
|
2023-12-13 05:06:27 +01:00
|
|
|
*
|
|
|
|
|
* Okay to solve this well acquire the driver lock aswell, we could also just
|
|
|
|
|
* store the structure in the .data section but i ceebs atm.
|
|
|
|
|
*
|
|
|
|
|
* This definitely doesn't seem optimal, but it works ...
|
|
|
|
|
*/
|
2023-10-09 18:27:04 +02:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadUnregisterObCallbacks()
|
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
UnregisterProcessObCallbacks();
|
2023-10-09 18:27:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-09-26 12:00:45 +02:00
|
|
|
STATIC
|
2023-10-05 08:27:17 +02:00
|
|
|
VOID
|
2023-10-09 18:27:04 +02:00
|
|
|
DrvUnloadFreeConfigStrings()
|
2023-09-01 18:45:06 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-10-10 15:52:42 +02:00
|
|
|
|
2024-07-13 12:32:00 +02:00
|
|
|
PDRIVER_CONFIG cfg = GetDecryptedDriverConfig();
|
2024-06-21 15:55:23 +02:00
|
|
|
|
|
|
|
|
if (cfg->unicode_driver_name.Buffer)
|
|
|
|
|
ImpExFreePoolWithTag(cfg->unicode_driver_name.Buffer, POOL_TAG_STRINGS);
|
2023-09-01 18:45:06 +02:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
if (cfg->driver_path.Buffer)
|
|
|
|
|
ImpExFreePoolWithTag(cfg->driver_path.Buffer, POOL_TAG_STRINGS);
|
2023-09-01 18:45:06 +02:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
if (cfg->ansi_driver_name.Buffer)
|
|
|
|
|
ImpRtlFreeAnsiString(&cfg->ansi_driver_name);
|
2023-09-01 18:45:06 +02:00
|
|
|
}
|
|
|
|
|
|
2023-10-09 18:27:04 +02:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
2024-01-28 08:34:09 +01:00
|
|
|
DrvUnloadDeleteSymbolicLink()
|
2023-10-09 18:27:04 +02:00
|
|
|
{
|
2024-07-13 12:32:00 +02:00
|
|
|
if (GetDecryptedDriverConfig()->device_symbolic_link)
|
|
|
|
|
ImpIoDeleteSymbolicLink(
|
|
|
|
|
GetDecryptedDriverConfig()->device_symbolic_link);
|
2023-10-09 18:27:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadFreeThreadList()
|
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
CleanupThreadListOnDriverUnload();
|
2023-10-09 18:27:04 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-07 05:13:41 +01:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadFreeDriverList()
|
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
CleanupDriverListOnDriverUnload();
|
2024-01-07 05:13:41 +01:00
|
|
|
}
|
|
|
|
|
|
2024-01-12 06:40:33 +01:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadFreeTimerObject()
|
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-27 17:15:29 +02:00
|
|
|
CleanupDriverTimerObjects(
|
|
|
|
|
&GetDecryptedDriverConfig()->integrity_check_timer);
|
2024-01-12 06:40:33 +01:00
|
|
|
}
|
|
|
|
|
|
2023-10-10 19:49:17 +02:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadFreeProcessList()
|
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-06-09 09:22:22 +02:00
|
|
|
CleanupProcessHashmap();
|
2023-10-10 19:49:17 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-02 23:29:23 +01:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
DrvUnloadFreeModuleValidationContext()
|
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-07-13 12:32:00 +02:00
|
|
|
CleanupValidationContextOnUnload(
|
|
|
|
|
&GetDecryptedDriverConfig()->sys_val_context);
|
2024-01-02 23:29:23 +01:00
|
|
|
}
|
|
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
|
|
|
|
CloseHashingAlgorithmProvider()
|
|
|
|
|
{
|
|
|
|
|
BCRYPT_ALG_HANDLE* handle = GetCryptHandle_Sha256();
|
|
|
|
|
BCryptCloseAlgorithmProvider(*handle, 0);
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-09 18:27:04 +02:00
|
|
|
STATIC
|
|
|
|
|
VOID
|
2023-12-13 05:06:27 +01:00
|
|
|
DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
|
2023-10-09 18:27:04 +02:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_VERBOSE("Unloading...");
|
2023-10-09 18:27:04 +02:00
|
|
|
|
2024-07-13 12:32:00 +02:00
|
|
|
InterlockedExchange(&GetDecryptedDriverConfig()->unload_in_progress, TRUE);
|
2023-10-09 18:27:04 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
while (DrvUnloadFreeAllApcContextStructures() == FALSE)
|
|
|
|
|
YieldProcessor();
|
2023-10-09 18:27:04 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
DrvUnloadFreeTimerObject();
|
|
|
|
|
DrvUnloadFreeModuleValidationContext();
|
|
|
|
|
DrvUnloadUnregisterObCallbacks();
|
2024-01-14 05:31:19 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
UnregisterThreadCreateNotifyRoutine();
|
|
|
|
|
UnregisterProcessCreateNotifyRoutine();
|
|
|
|
|
UnregisterImageLoadNotifyRoutine();
|
2024-01-14 05:31:19 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
DrvUnloadFreeThreadList();
|
|
|
|
|
DrvUnloadFreeProcessList();
|
|
|
|
|
DrvUnloadFreeDriverList();
|
2024-01-14 05:31:19 +01:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
CryptCloseProvider();
|
2024-06-09 09:22:22 +02:00
|
|
|
CloseHashingAlgorithmProvider();
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
DrvUnloadFreeConfigStrings();
|
|
|
|
|
DrvUnloadDeleteSymbolicLink();
|
2024-06-21 15:55:23 +02:00
|
|
|
|
|
|
|
|
DecryptDeviceExtensionPointers(DriverObject->DeviceObject);
|
2024-04-13 10:23:14 +02:00
|
|
|
ImpIoDeleteDevice(DriverObject->DeviceObject);
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_INFO("Driver successfully unloaded.");
|
2023-10-09 18:27:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-09-26 12:00:45 +02:00
|
|
|
STATIC
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2023-10-09 18:27:04 +02:00
|
|
|
DrvLoadEnableNotifyRoutines()
|
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
2023-12-23 19:52:55 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_VERBOSE("Enabling driver wide notify routines.");
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = PsSetLoadImageNotifyRoutine(ImageLoadNotifyRoutineCallback);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"PsSetLoadImageNotifyRoutine failed with status %x",
|
|
|
|
|
status);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = ImpPsSetCreateThreadNotifyRoutine(ThreadCreateNotifyRoutine);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"PsSetCreateThreadNotifyRoutine failed with status %x",
|
|
|
|
|
status);
|
2024-04-13 10:23:14 +02:00
|
|
|
PsRemoveLoadImageNotifyRoutine(ImageLoadNotifyRoutineCallback);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status =
|
|
|
|
|
ImpPsSetCreateProcessNotifyRoutine(ProcessCreateNotifyRoutine, FALSE);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"PsSetCreateProcessNotifyRoutine failed with status %x",
|
|
|
|
|
status);
|
2024-04-13 10:23:14 +02:00
|
|
|
ImpPsRemoveCreateThreadNotifyRoutine(ThreadCreateNotifyRoutine);
|
|
|
|
|
PsRemoveLoadImageNotifyRoutine(ImageLoadNotifyRoutineCallback);
|
2023-12-13 05:06:27 +01:00
|
|
|
return status;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DEBUG_VERBOSE("Successfully enabled driver wide notify routines.");
|
|
|
|
|
return status;
|
2023-10-09 18:27:04 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-14 05:31:19 +01:00
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
|
|
|
|
DrvLoadSetupDriverLists()
|
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
|
|
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
|
|
|
|
|
|
status = InitialiseDriverList();
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
UnregisterProcessCreateNotifyRoutine();
|
|
|
|
|
UnregisterThreadCreateNotifyRoutine();
|
|
|
|
|
UnregisterImageLoadNotifyRoutine();
|
|
|
|
|
DEBUG_ERROR("InitialiseDriverList failed with status %x", status);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
status = InitialiseThreadList();
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("InitialiseThreadList failed with status %x", status);
|
|
|
|
|
UnregisterProcessCreateNotifyRoutine();
|
|
|
|
|
UnregisterThreadCreateNotifyRoutine();
|
|
|
|
|
UnregisterImageLoadNotifyRoutine();
|
|
|
|
|
CleanupDriverListOnDriverUnload();
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
status = InitialiseProcessHashmap();
|
2024-01-14 05:31:19 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("InitialiseProcessList failed with status %x", status);
|
|
|
|
|
UnregisterProcessCreateNotifyRoutine();
|
|
|
|
|
UnregisterThreadCreateNotifyRoutine();
|
|
|
|
|
UnregisterImageLoadNotifyRoutine();
|
|
|
|
|
CleanupDriverListOnDriverUnload();
|
|
|
|
|
CleanupThreadListOnDriverUnload();
|
2024-01-14 05:31:19 +01:00
|
|
|
return status;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return status;
|
2024-01-14 05:31:19 +01:00
|
|
|
}
|
|
|
|
|
|
2024-01-13 22:33:57 +01:00
|
|
|
/*
|
|
|
|
|
* Regular routines
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
2024-08-01 06:21:53 +02:00
|
|
|
RegistryPathQueryCallbackRoutine(
|
|
|
|
|
IN PWSTR ValueName,
|
|
|
|
|
IN ULONG ValueType,
|
|
|
|
|
IN PVOID ValueData,
|
|
|
|
|
IN ULONG ValueLength,
|
|
|
|
|
IN PVOID Context,
|
|
|
|
|
IN PVOID EntryContext)
|
2024-01-13 22:33:57 +01:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
UNICODE_STRING value_name = {0};
|
|
|
|
|
UNICODE_STRING image_path = RTL_CONSTANT_STRING(L"ImagePath");
|
2024-04-13 10:23:14 +02:00
|
|
|
UNICODE_STRING display_name = RTL_CONSTANT_STRING(L"DisplayName");
|
2024-08-01 06:21:53 +02:00
|
|
|
UNICODE_STRING value = {0};
|
|
|
|
|
PVOID temp_buffer = NULL;
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
ImpRtlInitUnicodeString(&value_name, ValueName);
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-07-13 12:32:00 +02:00
|
|
|
PDRIVER_CONFIG cfg = GetDecryptedDriverConfig();
|
2024-06-21 15:55:23 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (ImpRtlCompareUnicodeString(&value_name, &image_path, FALSE) == FALSE) {
|
|
|
|
|
temp_buffer =
|
|
|
|
|
ImpExAllocatePool2(POOL_FLAG_PAGED, ValueLength, POOL_TAG_STRINGS);
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!temp_buffer)
|
|
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
IntCopyMemory(temp_buffer, ValueData, ValueLength);
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
cfg->driver_path.Buffer = (PWCH)temp_buffer;
|
|
|
|
|
cfg->driver_path.Length = ValueLength;
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->driver_path.MaximumLength = ValueLength;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (ImpRtlCompareUnicodeString(&value_name, &display_name, FALSE) ==
|
|
|
|
|
FALSE) {
|
2024-08-01 06:21:53 +02:00
|
|
|
temp_buffer = ImpExAllocatePool2(
|
|
|
|
|
POOL_FLAG_PAGED,
|
|
|
|
|
ValueLength + 20,
|
|
|
|
|
POOL_TAG_STRINGS);
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!temp_buffer)
|
|
|
|
|
return STATUS_MEMORY_NOT_ALLOCATED;
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
IntCopyMemory(temp_buffer, ValueData, ValueLength);
|
2024-08-01 06:21:53 +02:00
|
|
|
IntWideStringCopy(
|
|
|
|
|
(PWCH)((UINT64)temp_buffer + ValueLength - 2),
|
|
|
|
|
L".sys");
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
cfg->unicode_driver_name.Buffer = (PWCH)temp_buffer;
|
|
|
|
|
cfg->unicode_driver_name.Length = ValueLength + 20;
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->unicode_driver_name.MaximumLength = ValueLength + 20;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_SUCCESS;
|
2023-10-09 18:27:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-12-25 16:54:35 +01:00
|
|
|
/*
|
|
|
|
|
* Values returned from CPUID that are equval to the vendor string
|
|
|
|
|
*/
|
|
|
|
|
#define CPUID_AUTHENTIC_AMD_EBX 0x68747541
|
|
|
|
|
#define CPUID_AUTHENTIC_AMD_EDX 0x69746e65
|
|
|
|
|
#define CPUID_AUTHENTIC_AMD_ECX 0x444d4163
|
|
|
|
|
|
|
|
|
|
#define CPUID_GENUINE_INTEL_EBX 0x756e6547
|
|
|
|
|
#define CPUID_GENUINE_INTEL_EDX 0x49656e69
|
|
|
|
|
#define CPUID_GENUINE_INTEL_ECX 0x6c65746e
|
|
|
|
|
|
2023-12-27 04:35:46 +01:00
|
|
|
#define EBX_REGISTER 1
|
|
|
|
|
#define ECX_REGISTER 2
|
|
|
|
|
#define EDX_REGISTER 3
|
|
|
|
|
|
2023-10-09 18:27:04 +02:00
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
2023-12-25 16:54:35 +01:00
|
|
|
GetSystemProcessorType()
|
2023-09-01 14:30:32 +02:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
UINT32 cpuid[4] = {0};
|
|
|
|
|
PDRIVER_CONFIG cfg = GetDecryptedDriverConfig();
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
|
__cpuid(cpuid, 0);
|
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_VERBOSE(
|
|
|
|
|
"Cpuid: EBX: %lx, ECX: %lx, EDX: %lx",
|
|
|
|
|
cpuid[1],
|
|
|
|
|
cpuid[2],
|
|
|
|
|
cpuid[3]);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
|
if (cpuid[EBX_REGISTER] == CPUID_AUTHENTIC_AMD_EBX &&
|
|
|
|
|
cpuid[ECX_REGISTER] == CPUID_AUTHENTIC_AMD_ECX &&
|
|
|
|
|
cpuid[EDX_REGISTER] == CPUID_AUTHENTIC_AMD_EDX) {
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->system_information.processor = AuthenticAmd;
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
2024-08-01 06:21:53 +02:00
|
|
|
else if (
|
|
|
|
|
cpuid[EBX_REGISTER] == CPUID_GENUINE_INTEL_EBX &&
|
|
|
|
|
cpuid[ECX_REGISTER] == CPUID_GENUINE_INTEL_ECX &&
|
|
|
|
|
cpuid[EDX_REGISTER] == CPUID_GENUINE_INTEL_EDX) {
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->system_information.processor = GenuineIntel;
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
else {
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->system_information.processor = Unknown;
|
2024-04-13 10:23:14 +02:00
|
|
|
return STATUS_UNSUCCESSFUL;
|
|
|
|
|
}
|
2023-12-25 16:54:35 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2024-04-13 06:40:51 +02:00
|
|
|
* Even though we are technically not meant to be operating when running under a
|
|
|
|
|
* virtualized system, it is still useful to test the attainment of system
|
|
|
|
|
* information under a virtualized system for testing purposes.
|
2023-12-25 16:54:35 +01:00
|
|
|
*/
|
|
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
|
|
|
|
ParseSmbiosForGivenSystemEnvironment()
|
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
|
PDRIVER_CONFIG cfg = GetDecryptedDriverConfig();
|
2023-12-25 16:54:35 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = ParseSMBIOSTable(
|
|
|
|
|
&cfg->system_information.vendor,
|
|
|
|
|
VENDOR_STRING_MAX_LENGTH,
|
|
|
|
|
SmbiosInformation,
|
|
|
|
|
SMBIOS_VENDOR_STRING_SUB_INDEX);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("ParseSMBIOSTable failed with status %x", status);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
if (IntFindSubstring(&cfg->system_information.vendor, "VMware, Inc"))
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->system_information.environment = Vmware;
|
2024-07-22 12:43:09 +02:00
|
|
|
else if (IntFindSubstring(&cfg->system_information.vendor, "innotek GmbH"))
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->system_information.environment = VirtualBox;
|
2024-04-13 10:23:14 +02:00
|
|
|
else
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->system_information.environment = NativeWindows;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
switch (cfg->system_information.environment) {
|
2024-04-13 10:23:14 +02:00
|
|
|
case NativeWindows: {
|
2024-08-01 06:21:53 +02:00
|
|
|
status = ParseSMBIOSTable(
|
|
|
|
|
&cfg->system_information.motherboard_serial,
|
|
|
|
|
MOTHERBOARD_SERIAL_CODE_LENGTH,
|
|
|
|
|
VendorSpecificInformation,
|
|
|
|
|
SMBIOS_NATIVE_SERIAL_NUMBER_SUB_INDEX);
|
2024-04-13 10:23:14 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
case Vmware: {
|
2024-08-01 06:21:53 +02:00
|
|
|
status = ParseSMBIOSTable(
|
|
|
|
|
&cfg->system_information.motherboard_serial,
|
|
|
|
|
MOTHERBOARD_SERIAL_CODE_LENGTH,
|
|
|
|
|
SystemInformation,
|
|
|
|
|
SMBIOS_VMWARE_SERIAL_NUMBER_SUB_INDEX);
|
2024-04-13 10:23:14 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
case VirtualBox:
|
|
|
|
|
default:
|
|
|
|
|
DEBUG_WARNING("Environment type not supported.");
|
|
|
|
|
return STATUS_NOT_SUPPORTED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("ParseSMBIOSTable 2 failed with status %x", status);
|
2023-12-25 16:54:35 +01:00
|
|
|
return status;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return status;
|
2023-12-25 16:54:35 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
|
|
|
|
DrvLoadGatherSystemEnvironmentSettings()
|
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
|
PDRIVER_CONFIG cfg = GetDecryptedDriverConfig();
|
2023-12-25 16:54:35 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (APERFMsrTimingCheck())
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->system_information.virtualised_environment = TRUE;
|
2024-01-08 04:57:07 +01:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
status = GetOsVersionInformation(&cfg->system_information.os_information);
|
2023-12-25 16:54:35 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("GetOsVersionInformation failed with status %x", status);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2024-01-08 04:57:07 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = GetSystemProcessorType();
|
2023-12-25 16:54:35 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("GetSystemProcessorType failed with status %x", status);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2024-01-08 04:57:07 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = ParseSmbiosForGivenSystemEnvironment();
|
2023-12-25 16:54:35 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"ParseSmbiosForGivenSystemEnvironment failed with status %x",
|
|
|
|
|
status);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2024-01-08 04:57:07 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = GetHardDiskDriveSerialNumber(
|
2024-06-21 15:55:23 +02:00
|
|
|
&cfg->system_information.drive_0_serial,
|
|
|
|
|
sizeof(cfg->system_information.drive_0_serial));
|
2023-12-25 16:54:35 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"GetHardDiskDriverSerialNumber failed with status %x",
|
|
|
|
|
status);
|
2023-12-25 16:54:35 +01:00
|
|
|
return status;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DEBUG_VERBOSE(
|
|
|
|
|
"OS Major Version: %lx, Minor Version: %lx, Build Number: %lx",
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->system_information.os_information.dwMajorVersion,
|
|
|
|
|
cfg->system_information.os_information.dwMinorVersion,
|
|
|
|
|
cfg->system_information.os_information.dwBuildNumber);
|
|
|
|
|
DEBUG_VERBOSE("Environment type: %lx", cfg->system_information.environment);
|
|
|
|
|
DEBUG_VERBOSE("Processor type: %lx", cfg->system_information.processor);
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_VERBOSE(
|
|
|
|
|
"Motherboard serial: %s",
|
|
|
|
|
cfg->system_information.motherboard_serial);
|
2024-06-21 15:55:23 +02:00
|
|
|
DEBUG_VERBOSE("Drive 0 serial: %s", cfg->system_information.drive_0_serial);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
|
return status;
|
2023-12-25 16:54:35 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
2023-12-27 04:35:46 +01:00
|
|
|
DrvLoadRetrieveDriverNameFromRegistry(_In_ PUNICODE_STRING RegistryPath)
|
2023-12-25 16:54:35 +01:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
|
PDRIVER_CONFIG cfg = GetDecryptedDriverConfig();
|
2024-07-13 12:32:00 +02:00
|
|
|
RTL_QUERY_REGISTRY_TABLE query[3] = {0};
|
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
query[0].Flags = RTL_QUERY_REGISTRY_NOEXPAND;
|
|
|
|
|
query[0].Name = L"ImagePath";
|
|
|
|
|
query[0].DefaultType = REG_MULTI_SZ;
|
2024-07-13 12:32:00 +02:00
|
|
|
query[0].DefaultLength = 0;
|
2024-08-01 06:21:53 +02:00
|
|
|
query[0].DefaultData = NULL;
|
|
|
|
|
query[0].EntryContext = NULL;
|
|
|
|
|
query[0].QueryRoutine = RegistryPathQueryCallbackRoutine;
|
2024-07-13 12:32:00 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
query[1].Flags = RTL_QUERY_REGISTRY_NOEXPAND;
|
|
|
|
|
query[1].Name = L"DisplayName";
|
|
|
|
|
query[1].DefaultType = REG_SZ;
|
2024-07-13 12:32:00 +02:00
|
|
|
query[1].DefaultLength = 0;
|
2024-08-01 06:21:53 +02:00
|
|
|
query[1].DefaultData = NULL;
|
|
|
|
|
query[1].EntryContext = NULL;
|
|
|
|
|
query[1].QueryRoutine = RegistryPathQueryCallbackRoutine;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = RtlxQueryRegistryValues(
|
|
|
|
|
RTL_REGISTRY_ABSOLUTE,
|
|
|
|
|
RegistryPath->Buffer,
|
|
|
|
|
&query,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("RtlxQueryRegistryValues failed with status %x", status);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The registry path contains the name of the driver i.e Driver, but
|
|
|
|
|
* does not contain the .sys extension. Lets add it to our stored driver
|
|
|
|
|
* name since we need the .sys extension when querying the system
|
|
|
|
|
* modules for our driver.
|
|
|
|
|
*/
|
2024-08-01 06:21:53 +02:00
|
|
|
status = ImpRtlUnicodeStringToAnsiString(
|
|
|
|
|
&cfg->ansi_driver_name,
|
|
|
|
|
&cfg->unicode_driver_name,
|
|
|
|
|
TRUE);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"RtlUnicodeStringToAnsiString failed with status %x",
|
|
|
|
|
status);
|
2024-06-21 15:55:23 +02:00
|
|
|
}
|
2024-01-11 10:16:55 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
2023-12-27 04:35:46 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
2024-08-01 06:21:53 +02:00
|
|
|
DrvLoadInitialiseDriverConfig(
|
|
|
|
|
_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
|
2023-12-27 04:35:46 +01:00
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
PAGED_CODE();
|
|
|
|
|
DEBUG_VERBOSE("Initialising driver configuration");
|
2023-12-27 04:35:46 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
|
PDRIVER_CONFIG cfg = GetDecryptedDriverConfig();
|
2023-12-27 04:35:46 +01:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
ImpKeInitializeGuardedMutex(&cfg->lock);
|
2024-01-29 17:31:12 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
IrpQueueInitialise();
|
|
|
|
|
SessionInitialiseCallbackConfiguration();
|
2024-01-11 10:16:55 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
cfg->unload_in_progress = FALSE;
|
2024-06-21 15:55:23 +02:00
|
|
|
cfg->system_information.virtualised_environment = FALSE;
|
2024-08-01 06:21:53 +02:00
|
|
|
cfg->sys_val_context.active = FALSE;
|
2023-12-27 04:35:46 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = DrvLoadRetrieveDriverNameFromRegistry(RegistryPath);
|
2023-12-27 04:35:46 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"DrvLoadRetrieveDriverNameFromRegistry failed with status %x",
|
|
|
|
|
status);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
/* when this function failed, we bugcheck in freeconfigstrings todo: fix */
|
2024-04-13 10:23:14 +02:00
|
|
|
status = DrvLoadGatherSystemEnvironmentSettings();
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"GatherSystemEnvironmentSettings failed with status %x",
|
|
|
|
|
status);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
|
|
|
|
}
|
2024-01-12 06:40:33 +01:00
|
|
|
|
2024-07-27 17:15:29 +02:00
|
|
|
status = InitialiseTimerObject(&cfg->integrity_check_timer);
|
2024-01-12 06:40:33 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("InitialiseTimerObject failed with status %x", status);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2024-01-21 08:22:06 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = IrpQueueInitialise();
|
2024-01-21 08:22:06 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("IrpQueueInitialise failed with status %x", status);
|
2023-12-13 05:06:27 +01:00
|
|
|
return status;
|
2024-04-13 10:23:14 +02:00
|
|
|
}
|
|
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
DEBUG_VERBOSE("driver name: %s", cfg->ansi_driver_name.Buffer);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
2023-09-01 13:46:31 +02:00
|
|
|
}
|
|
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
STATIC
|
|
|
|
|
NTSTATUS
|
|
|
|
|
InitialiseHashingAlgorithmProvider()
|
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
2024-06-09 09:22:22 +02:00
|
|
|
BCRYPT_ALG_HANDLE* handle = GetCryptHandle_Sha256();
|
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = BCryptOpenAlgorithmProvider(
|
|
|
|
|
handle,
|
|
|
|
|
BCRYPT_SHA256_ALGORITHM,
|
|
|
|
|
NULL,
|
|
|
|
|
BCRYPT_PROV_DISPATCH);
|
2024-06-09 09:22:22 +02:00
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status))
|
|
|
|
|
DEBUG_ERROR("BCryptOpenAlgorithmProvider: %x", status);
|
|
|
|
|
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-05 08:27:17 +02:00
|
|
|
NTSTATUS
|
2023-12-13 05:06:27 +01:00
|
|
|
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
|
2023-08-17 10:45:50 +02:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
BOOLEAN flag = FALSE;
|
2024-04-13 10:23:14 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
2024-01-08 04:57:07 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
DriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceCreate;
|
|
|
|
|
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceClose;
|
2024-04-13 10:23:14 +02:00
|
|
|
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControl;
|
2024-08-01 06:21:53 +02:00
|
|
|
DriverObject->DriverUnload = DriverUnload;
|
2024-01-12 06:40:33 +01:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
g_DeviceExtensionKey = CryptXorKeyGenerate_uint64();
|
|
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = ImpResolveDynamicImports(DriverObject);
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status))
|
|
|
|
|
return STATUS_FAILED_DRIVER_ENTRY;
|
2023-12-13 05:06:27 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_VERBOSE("Beginning driver entry routine...");
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = ImpIoCreateDevice(
|
|
|
|
|
DriverObject,
|
|
|
|
|
sizeof(DRIVER_CONFIG),
|
|
|
|
|
&g_DeviceName,
|
|
|
|
|
FILE_DEVICE_UNKNOWN,
|
|
|
|
|
FILE_DEVICE_SECURE_OPEN,
|
|
|
|
|
FALSE,
|
|
|
|
|
&DriverObject->DeviceObject);
|
2024-01-13 22:33:57 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("IoCreateDevice failed with status %x", status);
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2023-12-23 19:52:55 +01:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
g_DriverConfig = DriverObject->DeviceObject->DeviceExtension;
|
2024-04-13 10:23:14 +02:00
|
|
|
g_DriverConfig->device_object = DriverObject->DeviceObject;
|
|
|
|
|
g_DriverConfig->driver_object = DriverObject;
|
2024-08-01 06:21:53 +02:00
|
|
|
g_DriverConfig->device_name = &g_DeviceName;
|
2024-04-13 10:23:14 +02:00
|
|
|
g_DriverConfig->device_symbolic_link = &g_DeviceSymbolicLink;
|
2024-01-28 08:34:09 +01:00
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
EncryptDeviceExtensionPointers(DriverObject->DeviceObject);
|
|
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = DrvLoadInitialiseDriverConfig(DriverObject, RegistryPath);
|
2024-01-12 06:40:33 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"InitialiseDriverConfigOnDriverEntry failed with status %x",
|
|
|
|
|
status);
|
2024-04-13 10:23:14 +02:00
|
|
|
DrvUnloadFreeConfigStrings();
|
2024-07-13 12:32:00 +02:00
|
|
|
ImpIoDeleteDevice(GetDecryptedDriverConfig()->device_object);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
status = SessionInitialiseStructure();
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("SessionInitialiseStructure failed with status %x", status);
|
|
|
|
|
DrvUnloadFreeConfigStrings();
|
|
|
|
|
DrvUnloadFreeTimerObject();
|
2024-07-13 12:32:00 +02:00
|
|
|
ImpIoDeleteDevice(GetDecryptedDriverConfig()->device_object);
|
2024-05-11 14:54:58 +02:00
|
|
|
return status;
|
|
|
|
|
}
|
2024-04-13 10:23:14 +02:00
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = IoCreateSymbolicLink(
|
|
|
|
|
GetDecryptedDriverConfig()->device_symbolic_link,
|
|
|
|
|
GetDecryptedDriverConfig()->device_name);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("IoCreateSymbolicLink failed with status %x", status);
|
|
|
|
|
DrvUnloadFreeConfigStrings();
|
|
|
|
|
DrvUnloadFreeTimerObject();
|
2024-07-13 12:32:00 +02:00
|
|
|
ImpIoDeleteDevice(GetDecryptedDriverConfig()->device_object);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
status = DrvLoadEnableNotifyRoutines();
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("EnablenotifyRoutines failed with status %x", status);
|
|
|
|
|
DrvUnloadFreeConfigStrings();
|
|
|
|
|
DrvUnloadFreeTimerObject();
|
|
|
|
|
DrvUnloadDeleteSymbolicLink();
|
2024-07-13 12:32:00 +02:00
|
|
|
ImpIoDeleteDevice(GetDecryptedDriverConfig()->device_object);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
status = InitialiseHashingAlgorithmProvider();
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
2024-08-01 06:21:53 +02:00
|
|
|
DEBUG_ERROR(
|
|
|
|
|
"InitialiseHashingAlgorithmProvider failed with status %x",
|
|
|
|
|
status);
|
2024-06-09 09:22:22 +02:00
|
|
|
DrvUnloadFreeConfigStrings();
|
|
|
|
|
DrvUnloadFreeTimerObject();
|
|
|
|
|
DrvUnloadDeleteSymbolicLink();
|
2024-07-13 12:32:00 +02:00
|
|
|
ImpIoDeleteDevice(GetDecryptedDriverConfig()->device_object);
|
2024-06-09 09:22:22 +02:00
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
status = DrvLoadSetupDriverLists();
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
|
DEBUG_ERROR("DrvLoadSetupDriverLists failed with status %x", status);
|
2024-06-09 09:22:22 +02:00
|
|
|
CloseHashingAlgorithmProvider();
|
2024-04-13 10:23:14 +02:00
|
|
|
DrvUnloadFreeConfigStrings();
|
|
|
|
|
DrvUnloadFreeTimerObject();
|
|
|
|
|
DrvUnloadDeleteSymbolicLink();
|
2024-07-13 12:32:00 +02:00
|
|
|
ImpIoDeleteDevice(GetDecryptedDriverConfig()->device_object);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-21 15:55:23 +02:00
|
|
|
SetDriverLoadedFlag();
|
2024-05-30 07:45:33 +02:00
|
|
|
TpmExtractEndorsementKey();
|
2024-08-04 08:30:31 +02:00
|
|
|
// PoolScanForManualMappedDrivers();
|
2024-05-30 07:42:35 +02:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_INFO("Driver Entry Complete.");
|
|
|
|
|
return STATUS_SUCCESS;
|
2023-08-17 10:45:50 +02:00
|
|
|
}
|
