2024-01-31 08:32:13 +01:00
|
|
|
#include "session.h"
|
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
#include "crypt.h"
|
2024-08-01 06:21:53 +02:00
|
|
|
#include "imports.h"
|
2024-06-09 09:22:22 +02:00
|
|
|
#include "util.h"
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
#include "lib/stdlib.h"
|
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
NTSTATUS
|
|
|
|
SessionInitialiseStructure()
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
2024-05-11 14:54:58 +02:00
|
|
|
PACTIVE_SESSION session = GetActiveSession();
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-05-12 09:26:36 +02:00
|
|
|
KeInitializeGuardedMutex(&session->lock);
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
status = CryptInitialiseProvider();
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
if (!NT_SUCCESS(status))
|
|
|
|
DEBUG_ERROR("CryptInitialiseProvider: %x", status);
|
|
|
|
|
|
|
|
return status;
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
SessionInitialiseCallbackConfiguration()
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
InitialiseObCallbacksConfiguration(GetActiveSession());
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
SessionIsActive(_Out_ PBOOLEAN Flag)
|
|
|
|
{
|
2024-05-12 09:26:36 +02:00
|
|
|
KeAcquireGuardedMutex(&GetActiveSession()->lock);
|
|
|
|
*Flag = GetActiveSession()->is_session_active;
|
|
|
|
KeReleaseGuardedMutex(&GetActiveSession()->lock);
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
SessionGetProcess(_Out_ PEPROCESS* Process)
|
|
|
|
{
|
2024-05-12 09:26:36 +02:00
|
|
|
KeAcquireGuardedMutex(&GetActiveSession()->lock);
|
|
|
|
*Process = GetActiveSession()->process;
|
|
|
|
KeReleaseGuardedMutex(&GetActiveSession()->lock);
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
SessionGetProcessId(_Out_ PLONG ProcessId)
|
|
|
|
{
|
2024-05-12 09:26:36 +02:00
|
|
|
KeAcquireGuardedMutex(&GetActiveSession()->lock);
|
2024-04-13 10:23:14 +02:00
|
|
|
*ProcessId = GetActiveSession()->km_handle;
|
2024-05-12 09:26:36 +02:00
|
|
|
KeReleaseGuardedMutex(&GetActiveSession()->lock);
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
2024-04-13 06:40:51 +02:00
|
|
|
SessionGetCallbackConfiguration(
|
|
|
|
_Out_ POB_CALLBACKS_CONFIG* CallbackConfiguration)
|
2024-01-31 08:32:13 +01:00
|
|
|
{
|
2024-05-12 09:26:36 +02:00
|
|
|
KeAcquireGuardedMutex(&GetActiveSession()->lock);
|
2024-04-13 10:23:14 +02:00
|
|
|
*CallbackConfiguration = &GetActiveSession()->callback_configuration;
|
2024-05-12 09:26:36 +02:00
|
|
|
KeReleaseGuardedMutex(&GetActiveSession()->lock);
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
STATIC
|
|
|
|
VOID
|
|
|
|
SessionTerminateHeartbeat(_In_ PHEARTBEAT_CONFIGURATION Configuration)
|
|
|
|
{
|
|
|
|
FreeHeartbeatConfiguration(Configuration);
|
|
|
|
}
|
|
|
|
|
2024-01-31 08:32:13 +01:00
|
|
|
VOID
|
|
|
|
SessionTerminate()
|
|
|
|
{
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_INFO("Termination active session.");
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
PACTIVE_SESSION session = GetActiveSession();
|
2024-08-01 06:21:53 +02:00
|
|
|
KIRQL irql = {0};
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-05-12 09:26:36 +02:00
|
|
|
KeAcquireGuardedMutex(&session->lock);
|
2024-08-01 06:21:53 +02:00
|
|
|
session->km_handle = NULL;
|
|
|
|
session->um_handle = NULL;
|
|
|
|
session->process = NULL;
|
2024-04-13 10:23:14 +02:00
|
|
|
session->is_session_active = FALSE;
|
2024-06-09 09:26:12 +02:00
|
|
|
|
|
|
|
RtlZeroMemory(&session->module, sizeof(MODULE_INFORMATION));
|
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
SessionTerminateHeartbeat(&session->heartbeat_config);
|
2024-05-11 14:54:58 +02:00
|
|
|
CryptCloseSessionCryptObjects();
|
2024-05-12 09:26:36 +02:00
|
|
|
KeReleaseGuardedMutex(&session->lock);
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
/* Return type for this doesnt matter */
|
|
|
|
STATIC
|
|
|
|
BOOLEAN
|
2024-08-01 06:21:53 +02:00
|
|
|
HashOurUserModuleOnEntryCallback(
|
|
|
|
_In_ PPROCESS_MAP_MODULE_ENTRY Entry, _In_opt_ PVOID Context)
|
2024-06-09 09:22:22 +02:00
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
2024-06-09 09:22:22 +02:00
|
|
|
PACTIVE_SESSION session = (PACTIVE_SESSION)Context;
|
|
|
|
|
|
|
|
if (!ARGUMENT_PRESENT(Context))
|
|
|
|
return FALSE;
|
|
|
|
|
2024-08-01 06:21:53 +02:00
|
|
|
status = HashUserModule(
|
|
|
|
Entry,
|
|
|
|
session->module.module_hash,
|
|
|
|
sizeof(session->module.module_hash));
|
2024-06-09 09:22:22 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("HashUserModule: %lx", status);
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
|
|
|
DEBUG_VERBOSE("User module hashed!");
|
2024-08-01 06:21:53 +02:00
|
|
|
DumpBufferToKernelDebugger(
|
|
|
|
session->module.module_hash,
|
|
|
|
sizeof(session->module.module_hash));
|
2024-06-09 09:22:22 +02:00
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2024-01-31 08:32:13 +01:00
|
|
|
NTSTATUS
|
|
|
|
SessionInitialise(_In_ PIRP Irp)
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
PEPROCESS process = NULL;
|
2024-05-11 14:54:58 +02:00
|
|
|
PSESSION_INITIATION_PACKET initiation = NULL;
|
2024-08-01 06:21:53 +02:00
|
|
|
PACTIVE_SESSION session = GetActiveSession();
|
|
|
|
KIRQL irql = {0};
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
DEBUG_VERBOSE("Initialising new session.");
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
status = ValidateIrpInputBuffer(
|
2024-08-01 06:21:53 +02:00
|
|
|
Irp,
|
|
|
|
sizeof(SESSION_INITIATION_PACKET) - SHA_256_HASH_LENGTH);
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("ValidateIrpInputBuffer failed with status %x", status);
|
|
|
|
return status;
|
|
|
|
}
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
initiation = (PSESSION_INITIATION_PACKET)Irp->AssociatedIrp.SystemBuffer;
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-05-12 09:26:36 +02:00
|
|
|
KeAcquireGuardedMutex(&session->lock);
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
session->um_handle = initiation->process_id;
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
/* What if we pass an invalid handle here? not good. */
|
|
|
|
status = ImpPsLookupProcessByProcessId(session->um_handle, &process);
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-04-13 10:23:14 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
status = STATUS_INVALID_PARAMETER;
|
|
|
|
goto end;
|
|
|
|
}
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-06-21 16:22:11 +02:00
|
|
|
session->km_handle = ImpPsGetProcessId(process);
|
2024-08-01 06:21:53 +02:00
|
|
|
session->process = process;
|
|
|
|
session->cookie = initiation->cookie;
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
IntCopyMemory(session->aes_key, initiation->aes_key, AES_256_KEY_SIZE);
|
|
|
|
IntCopyMemory(session->iv, initiation->aes_iv, AES_256_IV_SIZE);
|
2024-05-11 14:54:58 +02:00
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
session->module.base_address = initiation->module_info.base_address;
|
2024-08-01 06:21:53 +02:00
|
|
|
session->module.size = initiation->module_info.size;
|
2024-06-09 09:22:22 +02:00
|
|
|
|
2024-07-22 12:43:09 +02:00
|
|
|
IntCopyMemory(
|
2024-08-01 06:21:53 +02:00
|
|
|
session->module.path,
|
|
|
|
initiation->module_info.path,
|
|
|
|
MAX_MODULE_PATH);
|
2024-06-09 09:22:22 +02:00
|
|
|
|
|
|
|
DEBUG_VERBOSE("Module base: %llx", session->module.base_address);
|
|
|
|
DEBUG_VERBOSE("Module size: %lx ", session->module.size);
|
|
|
|
DEBUG_VERBOSE("Module path: %s", session->module.path);
|
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
status = CryptInitialiseSessionCryptObjects();
|
2024-04-13 10:06:59 +02:00
|
|
|
|
2024-05-11 14:54:58 +02:00
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("CryptInitialiseSessionCryptObjects: %x", status);
|
|
|
|
goto end;
|
|
|
|
}
|
2024-01-31 08:32:13 +01:00
|
|
|
|
2024-05-04 17:43:01 +02:00
|
|
|
status = InitialiseHeartbeatConfiguration(&session->heartbeat_config);
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
DEBUG_ERROR("InitialiseHeartbeatConfiguration %x", status);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2024-06-09 09:22:22 +02:00
|
|
|
FindOurUserModeModuleEntry(HashOurUserModuleOnEntryCallback, session);
|
2024-06-21 16:22:11 +02:00
|
|
|
session->is_session_active = TRUE;
|
|
|
|
|
2024-01-31 08:32:13 +01:00
|
|
|
end:
|
2024-05-12 09:26:36 +02:00
|
|
|
KeReleaseGuardedMutex(&session->lock);
|
2024-04-13 10:23:14 +02:00
|
|
|
return status;
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
SessionTerminateProcess()
|
|
|
|
{
|
2024-08-01 06:21:53 +02:00
|
|
|
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
|
|
|
ULONG process_id = 0;
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
SessionGetProcessId(&process_id);
|
|
|
|
|
|
|
|
if (!process_id) {
|
|
|
|
DEBUG_ERROR("Failed to terminate process as process id is null");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Make sure we pass a km handle to ZwTerminateProcess and NOT a
|
|
|
|
* usermode handle. */
|
2024-08-01 06:21:53 +02:00
|
|
|
status = ZwTerminateProcess(
|
|
|
|
process_id,
|
|
|
|
STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION);
|
2024-04-13 10:23:14 +02:00
|
|
|
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
|
|
/*
|
|
|
|
* We don't want to clear the process config if
|
|
|
|
* ZwTerminateProcess fails so we can try again.
|
|
|
|
*/
|
|
|
|
DEBUG_ERROR("ZwTerminateProcess failed with status %x", status);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
/* this wont be needed when procloadstuff is implemented */
|
|
|
|
SessionTerminate();
|
2024-02-14 17:56:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
SessionIncrementIrpsProcessedCount()
|
|
|
|
{
|
2024-05-12 09:26:36 +02:00
|
|
|
KeAcquireGuardedMutex(&GetActiveSession()->lock);
|
2024-05-04 17:43:01 +02:00
|
|
|
GetActiveSession()->irps_received;
|
2024-05-12 09:26:36 +02:00
|
|
|
KeReleaseGuardedMutex(&GetActiveSession()->lock);
|
2024-02-14 17:56:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
SessionIncrementReportCount()
|
|
|
|
{
|
2024-05-12 09:26:36 +02:00
|
|
|
KeAcquireGuardedMutex(&GetActiveSession()->lock);
|
2024-04-13 10:23:14 +02:00
|
|
|
GetActiveSession()->report_count++;
|
2024-05-12 09:26:36 +02:00
|
|
|
KeReleaseGuardedMutex(&GetActiveSession()->lock);
|
2024-02-14 17:56:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
VOID
|
|
|
|
SessionIncrementHeartbeatCount()
|
|
|
|
{
|
2024-05-12 09:26:36 +02:00
|
|
|
KeAcquireGuardedMutex(&GetActiveSession()->lock);
|
2024-04-13 10:23:14 +02:00
|
|
|
GetActiveSession()->heartbeat_count++;
|
2024-05-12 09:26:36 +02:00
|
|
|
KeReleaseGuardedMutex(&GetActiveSession()->lock);
|
2024-01-31 08:32:13 +01:00
|
|
|
}
|