2023-08-19 04:52:57 +02:00
|
|
|
#ifndef MODULES_H
|
|
|
|
|
#define MODULES_H
|
|
|
|
|
|
|
|
|
|
#include <ntifs.h>
|
|
|
|
|
#include <intrin.h>
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2023-08-22 19:32:25 +02:00
|
|
|
#include "common.h"
|
2023-09-25 17:41:38 +02:00
|
|
|
#include "queue.h"
|
2023-08-19 04:52:57 +02:00
|
|
|
|
2023-08-28 17:00:52 +02:00
|
|
|
typedef struct NMI_CALLBACK_FAILURE
|
|
|
|
|
{
|
|
|
|
|
INT report_code;
|
|
|
|
|
INT were_nmis_disabled;
|
|
|
|
|
UINT64 kthread_address;
|
|
|
|
|
UINT64 invalid_rip;
|
|
|
|
|
|
|
|
|
|
}NMI_CALLBACK_FAILURE, * PNMI_CALLBACK_FAILURE;
|
|
|
|
|
|
2023-08-19 04:52:57 +02:00
|
|
|
typedef struct _MODULE_VALIDATION_FAILURE
|
|
|
|
|
{
|
|
|
|
|
INT report_code;
|
2023-08-19 11:44:42 +02:00
|
|
|
INT report_type;
|
2023-08-19 04:52:57 +02:00
|
|
|
UINT64 driver_base_address;
|
|
|
|
|
UINT64 driver_size;
|
2023-08-20 07:46:02 +02:00
|
|
|
CHAR driver_name[ 128 ];
|
2023-08-19 04:52:57 +02:00
|
|
|
|
|
|
|
|
}MODULE_VALIDATION_FAILURE, *PMODULE_VALIDATION_FAILURE;
|
|
|
|
|
|
2023-09-28 15:56:07 +02:00
|
|
|
#define APC_STACKWALK_BUFFER_SIZE 4096
|
|
|
|
|
|
|
|
|
|
typedef struct _APC_STACKWALK_REPORT
|
|
|
|
|
{
|
|
|
|
|
INT report_code;
|
|
|
|
|
UINT64 kthread_address;
|
|
|
|
|
UINT64 invalid_rip;
|
|
|
|
|
CHAR driver[ APC_STACKWALK_BUFFER_SIZE ];
|
|
|
|
|
|
|
|
|
|
}APC_STACKWALK_REPORT, *PAPC_STACKWALK_REPORT;
|
|
|
|
|
|
2023-09-28 18:10:01 +02:00
|
|
|
typedef struct _APC_OPERATION_ID
|
|
|
|
|
{
|
|
|
|
|
int operation_id;
|
|
|
|
|
|
|
|
|
|
}APC_OPERATION_ID, *PAPC_OPERATION_ID;
|
|
|
|
|
|
2023-08-19 04:52:57 +02:00
|
|
|
/* system modules information */
|
|
|
|
|
|
|
|
|
|
typedef struct _SYSTEM_MODULES
|
|
|
|
|
{
|
|
|
|
|
PVOID address;
|
|
|
|
|
INT module_count;
|
|
|
|
|
|
|
|
|
|
}SYSTEM_MODULES, * PSYSTEM_MODULES;
|
|
|
|
|
|
2023-09-25 17:41:38 +02:00
|
|
|
#define APC_CONTEXT_ID_STACKWALK 0x1
|
|
|
|
|
|
|
|
|
|
typedef struct _APC_CONTEXT_HEADER
|
|
|
|
|
{
|
|
|
|
|
LONG context_id;
|
2023-09-26 12:00:45 +02:00
|
|
|
volatile INT count;
|
2023-09-27 06:22:14 +02:00
|
|
|
volatile INT allocation_in_progress;
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2023-09-26 12:00:45 +02:00
|
|
|
}APC_CONTEXT_HEADER, * PAPC_CONTEXT_HEADER;
|
|
|
|
|
|
|
|
|
|
typedef struct _APC_STACKWALK_CONTEXT
|
|
|
|
|
{
|
|
|
|
|
APC_CONTEXT_HEADER header;
|
|
|
|
|
PSYSTEM_MODULES modules;
|
|
|
|
|
|
|
|
|
|
}APC_STACKWALK_CONTEXT, * PAPC_STACKWALK_CONTEXT;
|
2023-09-25 17:41:38 +02:00
|
|
|
|
2023-09-27 06:22:14 +02:00
|
|
|
NTSTATUS
|
|
|
|
|
GetSystemModuleInformation(
|
2023-09-26 15:48:21 +02:00
|
|
|
_Inout_ PSYSTEM_MODULES ModuleInformation
|
2023-08-19 04:52:57 +02:00
|
|
|
);
|
|
|
|
|
|
2023-09-27 06:22:14 +02:00
|
|
|
NTSTATUS
|
|
|
|
|
HandleValidateDriversIOCTL(
|
2023-08-19 04:52:57 +02:00
|
|
|
_In_ PIRP Irp
|
|
|
|
|
);
|
|
|
|
|
|
2023-09-27 06:22:14 +02:00
|
|
|
PRTL_MODULE_EXTENDED_INFO
|
|
|
|
|
FindSystemModuleByName(
|
2023-08-22 19:32:25 +02:00
|
|
|
_In_ LPCSTR ModuleName,
|
|
|
|
|
_In_ PSYSTEM_MODULES SystemModules
|
|
|
|
|
);
|
|
|
|
|
|
2023-09-27 06:22:14 +02:00
|
|
|
NTSTATUS
|
|
|
|
|
HandleNmiIOCTL(
|
2023-09-02 15:47:15 +02:00
|
|
|
_In_ PIRP Irp
|
|
|
|
|
);
|
|
|
|
|
|
2023-09-26 15:32:06 +02:00
|
|
|
BOOLEAN
|
|
|
|
|
FreeApcContextStructure(
|
|
|
|
|
_Inout_ PAPC_CONTEXT_HEADER Context
|
2023-09-25 17:41:38 +02:00
|
|
|
);
|
|
|
|
|
|
2023-09-27 06:22:14 +02:00
|
|
|
NTSTATUS
|
|
|
|
|
ValidateThreadsViaKernelApc();
|
2023-09-24 13:13:20 +02:00
|
|
|
|
2023-09-26 15:32:06 +02:00
|
|
|
VOID
|
|
|
|
|
FreeApcStackwalkApcContextInformation(
|
|
|
|
|
_In_ PAPC_STACKWALK_CONTEXT Context
|
|
|
|
|
);
|
2023-09-26 12:00:45 +02:00
|
|
|
|
2023-08-19 04:52:57 +02:00
|
|
|
#endif
|
