mirror-ac/driver/driver.c

#include "driver.h"
#include "common.h"
#include "ioctl.h"
#include "callbacks.h"
#include "hv.h"
#include "pool.h"
#include "thread.h"
#include "modules.h"
#include "integrity.h"
#include "queue.h"
/* Driver-wide configuration (device/symbolic-link names, registry and image
 * paths, driver name, system information). Readers and writers below take
 * driver_config.lock around every access after DriverEntry. */
DRIVER_CONFIG driver_config = { 0 };
/* State of the process currently under protection (EPROCESS, ids, initialised
 * flag). Every access below takes process_config.lock. */
PROCESS_CONFIG process_config = { 0 };
/*
 * Reports whether a protected process has been registered with the driver.
 *
 * Flag - receives process_config.initialised. A NULL Flag makes the call a
 *        no-op.
 *
 * The flag is read under process_config.lock so the read cannot interleave
 * with the writers (InitialiseProcessConfigOnProcessLaunch and
 * ClearProcessConfigOnProcessTermination).
 */
VOID ReadProcessInitialisedConfigFlag(
    _Out_ PBOOLEAN Flag
)
{
    if ( !Flag )
        return;

    KeAcquireGuardedMutex( &process_config.lock );
    {
        *Flag = process_config.initialised;
    }
    KeReleaseGuardedMutex( &process_config.lock );
}
/*
 * Fetches the EPROCESS recorded for the protected process.
 *
 * Process - receives process_config.protected_process_eprocess (may be NULL
 *           when no process is registered). A NULL Process makes the call a
 *           no-op.
 *
 * Only the pointer fetch is serialised by process_config.lock. No additional
 * object reference is taken here; the pointer is the one process_config owns,
 * so callers must not ObDereferenceObject it.
 */
VOID GetProtectedProcessEProcess(
    _Out_ PEPROCESS* Process
)
{
    PEPROCESS current = NULL;

    if ( !Process )
        return;

    KeAcquireGuardedMutex( &process_config.lock );
    current = process_config.protected_process_eprocess;
    *Process = current;
    KeReleaseGuardedMutex( &process_config.lock );
}
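/*
 * Returns the identifier recorded for the protected process.
 *
 * ProcessId - receives process_config.km_handle. A NULL ProcessId makes the
 *             call a no-op (the sibling getters already guard this; this one
 *             did not, and dereferenced NULL).
 *
 * process_config.km_handle is populated from PsGetProcessId() in
 * InitialiseProcessConfigOnProcessLaunch, so despite the field name it holds
 * the process ID rather than a kernel handle. The value is narrowed to the
 * LONG the declared parameter type dictates. The previous RtlZeroMemory of the
 * output was redundant: the assignment overwrites the whole LONG.
 */
VOID GetProtectedProcessId(
    _Out_ PLONG ProcessId
)
{
    if ( ProcessId == NULL )
        return;

    KeAcquireGuardedMutex( &process_config.lock );
    *ProcessId = process_config.km_handle;
    KeReleaseGuardedMutex( &process_config.lock );
}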
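/*
 * Forgets the protected process: clears every process_config field under the
 * lock and releases the object reference that was held on its EPROCESS.
 *
 * The stored EPROCESS is the result of PsLookupProcessByProcessId in
 * InitialiseProcessConfigOnProcessLaunch, which takes a reference. Clearing
 * the pointer without ObDereferenceObject leaked that reference and kept the
 * process object alive for the lifetime of the system. The dereference is
 * done after the lock is dropped; by then nothing else can observe the pointer.
 */
VOID ClearProcessConfigOnProcessTermination()
{
    PEPROCESS eprocess = NULL;

    DEBUG_LOG( "Process closed, clearing driver process_configuration" );

    KeAcquireGuardedMutex( &process_config.lock );
    eprocess = process_config.protected_process_eprocess;
    process_config.km_handle = NULL;
    process_config.um_handle = NULL;
    process_config.protected_process_eprocess = NULL;
    process_config.initialised = FALSE;
    KeReleaseGuardedMutex( &process_config.lock );

    if ( eprocess != NULL )
        ObDereferenceObject( eprocess );
}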
/*
 * Hands out the ANSI driver name.
 *
 * DriverName - receives driver_config.ansi_driver_name.Buffer. A NULL
 *              DriverName makes the call a no-op.
 *
 * This is a view into driver_config's own buffer, not a copy: it stays valid
 * only until FreeDriverConfigurationStringBuffers releases ansi_driver_name.
 * The lock covers just the pointer fetch.
 */
VOID GetDriverName(
    _Out_ LPCSTR* DriverName
)
{
    LPCSTR name = NULL;

    if ( !DriverName )
        return;

    KeAcquireGuardedMutex( &driver_config.lock );
    name = driver_config.ansi_driver_name.Buffer;
    KeReleaseGuardedMutex( &driver_config.lock );

    *DriverName = name;
}
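/*
 * Initialises DriverPath as a view of the driver's image path.
 *
 * DriverPath - UNICODE_STRING to initialise. A NULL DriverPath makes the call
 *              a no-op (previously it was dereferenced unconditionally).
 *
 * Unlike the other path getters this does not copy: RtlInitUnicodeString
 * points DriverPath at driver_config.driver_path.Buffer, so the result is only
 * valid until FreeDriverConfigurationStringBuffers runs. RtlInitUnicodeString
 * writes Buffer, Length and MaximumLength itself and yields an empty string
 * for a NULL source, so the former RtlZeroMemory was redundant.
 *
 * NOTE(review): RtlInitUnicodeString measures the source with a wide strlen,
 * so driver_path.Buffer must be NUL-terminated; it is filled from registry
 * data in RegistryPathQueryCallbackRoutine -- confirm that copy keeps (or
 * appends) the terminator.
 */
VOID GetDriverPath(
    _Out_ PUNICODE_STRING DriverPath
)
{
    if ( DriverPath == NULL )
        return;

    KeAcquireGuardedMutex( &driver_config.lock );
    RtlInitUnicodeString( DriverPath, driver_config.driver_path.Buffer );
    KeReleaseGuardedMutex( &driver_config.lock );
}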
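/*
 * Copies driver_config.registry_path into the caller's UNICODE_STRING.
 *
 * RegistryPath - a caller-initialised UNICODE_STRING whose Buffer and
 *                MaximumLength describe where to copy to. A NULL RegistryPath
 *                makes the call a no-op.
 *
 * The destination must not be zeroed first: RtlCopyUnicodeString copies at
 * most Destination->MaximumLength bytes, so wiping the caller's MaximumLength
 * and Buffer made every call return an empty string. A source longer than the
 * caller's buffer is truncated, which is RtlCopyUnicodeString's contract.
 */
VOID GetDriverRegistryPath(
    _Out_ PUNICODE_STRING RegistryPath
)
{
    if ( RegistryPath == NULL )
        return;

    KeAcquireGuardedMutex( &driver_config.lock );
    RtlCopyUnicodeString( RegistryPath, &driver_config.registry_path );
    KeReleaseGuardedMutex( &driver_config.lock );
}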
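/*
 * Copies driver_config.device_name ("\Device\DonnaAC") into the caller's
 * UNICODE_STRING.
 *
 * DeviceName - a caller-initialised UNICODE_STRING whose Buffer and
 *              MaximumLength describe where to copy to. A NULL DeviceName
 *              makes the call a no-op.
 *
 * The destination is deliberately not zeroed: RtlCopyUnicodeString copies at
 * most Destination->MaximumLength bytes, so clearing the caller's
 * MaximumLength/Buffer first meant nothing was ever copied. Longer sources are
 * truncated to the caller's buffer.
 */
VOID GetDriverDeviceName(
    _Out_ PUNICODE_STRING DeviceName
)
{
    if ( DeviceName == NULL )
        return;

    KeAcquireGuardedMutex( &driver_config.lock );
    RtlCopyUnicodeString( DeviceName, &driver_config.device_name );
    KeReleaseGuardedMutex( &driver_config.lock );
}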
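/*
 * Copies driver_config.device_symbolic_link ("\??\DonnaAC") into the caller's
 * UNICODE_STRING.
 *
 * DeviceSymbolicLink - a caller-initialised UNICODE_STRING whose Buffer and
 *                      MaximumLength describe where to copy to. A NULL value
 *                      makes the call a no-op.
 *
 * The destination is deliberately not zeroed: RtlCopyUnicodeString copies at
 * most Destination->MaximumLength bytes, so clearing the caller's
 * MaximumLength/Buffer first meant nothing was ever copied. Longer sources are
 * truncated to the caller's buffer.
 */
VOID GetDriverSymbolicLink(
    _Out_ PUNICODE_STRING DeviceSymbolicLink
)
{
    if ( DeviceSymbolicLink == NULL )
        return;

    KeAcquireGuardedMutex( &driver_config.lock );
    RtlCopyUnicodeString( DeviceSymbolicLink, &driver_config.device_symbolic_link );
    KeReleaseGuardedMutex( &driver_config.lock );
}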
/*
 * Hands out a pointer to the driver's SYSTEM_INFORMATION block.
 *
 * SystemInformation - receives &driver_config.system_information. A NULL
 *                     argument makes the call a no-op.
 *
 * The caller gets a pointer into driver_config itself, not a copy; the lock
 * only serialises the pointer fetch, reads made through it later are not
 * guarded.
 */
VOID GetDriverConfigSystemInformation(
    _Out_ PSYSTEM_INFORMATION* SystemInformation
)
{
    PSYSTEM_INFORMATION info = NULL;

    if ( !SystemInformation )
        return;

    KeAcquireGuardedMutex( &driver_config.lock );
    info = &driver_config.system_information;
    KeReleaseGuardedMutex( &driver_config.lock );

    *SystemInformation = info;
}
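/*
 * Duplicates a registry string value into a non-paged UNICODE_STRING owned by
 * driver_config (pool tag POOL_TAG_STRINGS).
 *
 * Destination - string to (re)populate. Any POOL_TAG_STRINGS buffer it already
 *               holds is released first, so a repeated callback for the same
 *               value does not leak.
 * ValueType   - registry type reported for the value. Only REG_SZ and
 *               REG_EXPAND_SZ are accepted; the table is queried with
 *               RTL_QUERY_REGISTRY_NOEXPAND so REG_EXPAND_SZ arrives verbatim.
 * ValueData   - the raw value bytes.
 * ValueLength - byte count of ValueData.
 *
 * Registry data is external input: it may be of the wrong type, odd-sized, or
 * lack a terminator. The copy is therefore always followed by an explicit
 * UNICODE_NULL so readers that treat Buffer as a C string (GetDriverPath's
 * RtlInitUnicodeString) cannot run past the allocation. Length excludes that
 * terminator; MaximumLength is the real allocation size (the old code claimed
 * one byte more than it allocated).
 *
 * Returns STATUS_OBJECT_TYPE_MISMATCH for non-string types,
 * STATUS_INVALID_PARAMETER for NULL/odd/oversized data and
 * STATUS_MEMORY_NOT_ALLOCATED on pool exhaustion.
 */
static NTSTATUS CopyRegistryStringToConfig(
    _Inout_ PUNICODE_STRING Destination,
    _In_ ULONG ValueType,
    _In_ PVOID ValueData,
    _In_ ULONG ValueLength
)
{
    PWCH buffer = NULL;
    USHORT length = 0;

    if ( ValueType != REG_SZ && ValueType != REG_EXPAND_SZ )
        return STATUS_OBJECT_TYPE_MISMATCH;

    /* UNICODE_STRING lengths are USHORT: reject data that would not fit once
     * the terminator is appended, and data that is not whole WCHARs. */
    if ( ValueData == NULL ||
         ( ValueLength % sizeof( WCHAR ) ) != 0 ||
         ValueLength > MAXUSHORT - sizeof( WCHAR ) )
        return STATUS_INVALID_PARAMETER;

    buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, ValueLength + sizeof( WCHAR ), POOL_TAG_STRINGS );
    if ( buffer == NULL )
        return STATUS_MEMORY_NOT_ALLOCATED;

    RtlCopyMemory( buffer, ValueData, ValueLength );
    buffer[ ValueLength / sizeof( WCHAR ) ] = UNICODE_NULL;

    /* Registry strings normally carry their own terminator; keep it out of
     * Length so the string compares and converts like any other UNICODE_STRING. */
    length = ( USHORT )ValueLength;
    if ( length >= sizeof( WCHAR ) && buffer[ length / sizeof( WCHAR ) - 1 ] == UNICODE_NULL )
        length -= sizeof( WCHAR );

    if ( Destination->Buffer != NULL )
        ExFreePoolWithTag( Destination->Buffer, POOL_TAG_STRINGS );

    Destination->Buffer = buffer;
    Destination->Length = length;
    Destination->MaximumLength = ( USHORT )( ValueLength + sizeof( WCHAR ) );

    return STATUS_SUCCESS;
}

/*
 * RTL_QUERY_REGISTRY_ROUTINE used by InitialiseDriverConfigOnDriverEntry.
 * Records the service's ImagePath into driver_config.driver_path and its
 * DisplayName into driver_config.unicode_driver_name; other value names are
 * ignored. Runs from DriverEntry before anything else touches driver_config,
 * so no lock is taken here.
 *
 * Returns STATUS_SUCCESS, or the error from CopyRegistryStringToConfig, which
 * aborts the whole registry query in the caller.
 */
NTSTATUS RegistryPathQueryCallbackRoutine(
    IN PWSTR ValueName,
    IN ULONG ValueType,
    IN PVOID ValueData,
    IN ULONG ValueLength,
    IN PVOID Context,
    IN PVOID EntryContext
)
{
    UNICODE_STRING value_name;
    UNICODE_STRING image_path = RTL_CONSTANT_STRING( L"ImagePath" );
    UNICODE_STRING display_name = RTL_CONSTANT_STRING( L"DisplayName" );

    UNREFERENCED_PARAMETER( Context );
    UNREFERENCED_PARAMETER( EntryContext );

    /* RtlInitUnicodeString tolerates a NULL ValueName (empty string, no match). */
    RtlInitUnicodeString( &value_name, ValueName );

    /* RtlCompareUnicodeString returns a LONG ordering, 0 meaning equal. */
    if ( RtlCompareUnicodeString( &value_name, &image_path, FALSE ) == 0 )
        return CopyRegistryStringToConfig( &driver_config.driver_path, ValueType, ValueData, ValueLength );

    if ( RtlCompareUnicodeString( &value_name, &display_name, FALSE ) == 0 )
        return CopyRegistryStringToConfig( &driver_config.unicode_driver_name, ValueType, ValueData, ValueLength );

    return STATUS_SUCCESS;
}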
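/*
 * Releases a UNICODE_STRING whose Buffer was allocated with POOL_TAG_STRINGS
 * and resets it to an empty string, so a second call (or a later getter) sees
 * a NULL Buffer instead of a dangling one.
 */
static VOID FreePooledConfigString(
    _Inout_ PUNICODE_STRING String
)
{
    if ( String->Buffer == NULL )
        return;

    ExFreePoolWithTag( String->Buffer, POOL_TAG_STRINGS );
    String->Buffer = NULL;
    String->Length = 0;
    String->MaximumLength = 0;
}

/*
 * Frees every heap-backed string in driver_config. Called on each failure
 * path of InitialiseDriverConfigOnDriverEntry / DriverEntry and on unload.
 *
 * Every freed pointer is reset to NULL so the routine is idempotent: the
 * original left stale pointers behind, which would double-free if it were
 * ever reached twice. registry_path is covered as well, guarded on Buffer, so
 * it is a no-op unless that string was given a POOL_TAG_STRINGS buffer.
 * ansi_driver_name comes from RtlUnicodeStringToAnsiString(..., TRUE) and must
 * go back through RtlFreeAnsiString, not the pool tag.
 */
VOID FreeDriverConfigurationStringBuffers()
{
    FreePooledConfigString( &driver_config.unicode_driver_name );
    FreePooledConfigString( &driver_config.driver_path );
    FreePooledConfigString( &driver_config.registry_path );

    if ( driver_config.ansi_driver_name.Buffer != NULL )
    {
        RtlFreeAnsiString( &driver_config.ansi_driver_name );
        driver_config.ansi_driver_name.Buffer = NULL;
        driver_config.ansi_driver_name.Length = 0;
        driver_config.ansi_driver_name.MaximumLength = 0;
    }
}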
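/*
 * Populates driver_config during DriverEntry: lock, device and symbolic-link
 * names, a private copy of the registry path, the service's ImagePath and
 * DisplayName (via RegistryPathQueryCallbackRoutine), the ANSI driver name
 * and the hardware serials in system_information.
 *
 * RegistryPath - the registry path handed to DriverEntry. The I/O manager does
 *                not promise it outlives DriverEntry, hence the copy.
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER for a NULL path,
 * STATUS_MEMORY_NOT_ALLOCATED if the path copy cannot be allocated, or the
 * failing callee's status. On any failure every string buffer acquired so far
 * is released before returning.
 *
 * Notes on the fixes in this version:
 *  - RtlCopyUnicodeString copies at most Destination->MaximumLength bytes and
 *    driver_config is zero-initialised, so the old copy into registry_path
 *    copied nothing. The path is now duplicated into a non-paged buffer
 *    (POOL_TAG_STRINGS); whoever tears the driver down must release it with
 *    ExFreePoolWithTag under the same tag.
 *  - RtlxQueryRegistryValues takes a pointer to the first table entry;
 *    passing &query_table (pointer to the whole array) only worked by
 *    accident of representation.
 */
NTSTATUS InitialiseDriverConfigOnDriverEntry(
    _In_ PUNICODE_STRING RegistryPath
)
{
    NTSTATUS status = STATUS_SUCCESS;
    /* The third entry stays zeroed: it terminates the table for
     * RtlxQueryRegistryValues. */
    RTL_QUERY_REGISTRY_TABLE query_table[ 3 ] = { 0 };

    if ( RegistryPath == NULL || RegistryPath->Buffer == NULL )
        return STATUS_INVALID_PARAMETER;

    KeInitializeGuardedMutex( &driver_config.lock );
    RtlInitUnicodeString( &driver_config.device_name, L"\\Device\\DonnaAC" );
    RtlInitUnicodeString( &driver_config.device_symbolic_link, L"\\??\\DonnaAC" );

    if ( RegistryPath->Length != 0 )
    {
        driver_config.registry_path.Buffer =
            ExAllocatePool2( POOL_FLAG_NON_PAGED, RegistryPath->Length, POOL_TAG_STRINGS );

        if ( driver_config.registry_path.Buffer == NULL )
            return STATUS_MEMORY_NOT_ALLOCATED;

        driver_config.registry_path.Length = 0;
        driver_config.registry_path.MaximumLength = RegistryPath->Length;
        RtlCopyUnicodeString( &driver_config.registry_path, RegistryPath );
    }

    query_table[ 0 ].Flags = RTL_QUERY_REGISTRY_NOEXPAND;
    query_table[ 0 ].Name = L"ImagePath";
    query_table[ 0 ].DefaultType = REG_MULTI_SZ;
    query_table[ 0 ].DefaultLength = 0;
    query_table[ 0 ].DefaultData = NULL;
    query_table[ 0 ].EntryContext = NULL;
    query_table[ 0 ].QueryRoutine = RegistryPathQueryCallbackRoutine;

    query_table[ 1 ].Flags = RTL_QUERY_REGISTRY_NOEXPAND;
    query_table[ 1 ].Name = L"DisplayName";
    query_table[ 1 ].DefaultType = REG_SZ;
    query_table[ 1 ].DefaultLength = 0;
    query_table[ 1 ].DefaultData = NULL;
    query_table[ 1 ].EntryContext = NULL;
    query_table[ 1 ].QueryRoutine = RegistryPathQueryCallbackRoutine;

    status = RtlxQueryRegistryValues(
        RTL_REGISTRY_ABSOLUTE,
        RegistryPath->Buffer,
        query_table,
        NULL,
        NULL
    );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "RtlxQueryRegistryValues failed with status %x", status );
        goto cleanup;
    }

    /* TRUE: let the runtime allocate ansi_driver_name; it is released with
     * RtlFreeAnsiString in FreeDriverConfigurationStringBuffers. */
    status = RtlUnicodeStringToAnsiString(
        &driver_config.ansi_driver_name,
        &driver_config.unicode_driver_name,
        TRUE
    );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "Failed to convert unicode string to ansi string" );
        goto cleanup;
    }

    status = ParseSMBIOSTable(
        &driver_config.system_information.motherboard_serial,
        sizeof( driver_config.system_information.motherboard_serial )
    );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "ParseSMBIOSTable failed with status %x", status );
        goto cleanup;
    }

    status = GetHardDiskDriveSerialNumber(
        &driver_config.system_information.drive_0_serial,
        sizeof( driver_config.system_information.drive_0_serial )
    );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "GetHardDiskDriveSerialNumber failed with status %x", status );
        goto cleanup;
    }

    DEBUG_LOG( "Motherboard serial: %s", driver_config.system_information.motherboard_serial );
    DEBUG_LOG( "Drive 0 serial: %s", driver_config.system_information.drive_0_serial );

    return status;

cleanup:
    FreeDriverConfigurationStringBuffers();

    /* The registry path copy is ours; release it too if the shared cleanup
     * routine left it in place (guarded so a routine that already freed and
     * reset it is not a double free). */
    if ( driver_config.registry_path.Buffer != NULL )
    {
        ExFreePoolWithTag( driver_config.registry_path.Buffer, POOL_TAG_STRINGS );
        driver_config.registry_path.Buffer = NULL;
        driver_config.registry_path.Length = 0;
        driver_config.registry_path.MaximumLength = 0;
    }

    return status;
}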
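/*
 * Registers the process named in an IOCTL request as the protected process.
 *
 * Irp - the request; its SystemBuffer is read as a DRIVER_INITIATION_INFORMATION
 *       whose protected_process_id is looked up with PsLookupProcessByProcessId.
 *
 * Returns STATUS_INVALID_PARAMETER for a NULL Irp or buffer,
 * STATUS_BUFFER_TOO_SMALL when the caller supplied fewer bytes than the
 * structure needs, otherwise the lookup status.
 *
 * SystemBuffer is caller-controlled data, so its length is validated before
 * protected_process_id is read (the old code read the structure
 * unconditionally). PsLookupProcessByProcessId takes an object reference; it
 * is owned by process_config from here on. If a protected process was already
 * recorded, the reference on the previous EPROCESS is released after it has
 * been swapped out, which the old code leaked.
 *
 * The mutex is held across the whole update so a concurrent caller fuzzing
 * the IOCTL surface while the target launches cannot observe a half-written
 * config.
 *
 * NOTE(review): the PID is supplied by whichever process opened the device;
 * nothing here checks that the caller is allowed to nominate that process --
 * confirm the dispatcher enforces this.
 */
NTSTATUS InitialiseProcessConfigOnProcessLaunch(
    _In_ PIRP Irp
)
{
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION stack_location = NULL;
    PDRIVER_INITIATION_INFORMATION information = NULL;
    PEPROCESS eprocess = NULL;
    PEPROCESS previous = NULL;

    if ( Irp == NULL )
        return STATUS_INVALID_PARAMETER;

    stack_location = IoGetCurrentIrpStackLocation( Irp );
    if ( stack_location->Parameters.DeviceIoControl.InputBufferLength < sizeof( DRIVER_INITIATION_INFORMATION ) )
        return STATUS_BUFFER_TOO_SMALL;

    information = ( PDRIVER_INITIATION_INFORMATION )Irp->AssociatedIrp.SystemBuffer;
    if ( information == NULL )
        return STATUS_INVALID_PARAMETER;

    status = PsLookupProcessByProcessId( information->protected_process_id, &eprocess );
    if ( !NT_SUCCESS( status ) )
        return status;

    KeAcquireGuardedMutex( &process_config.lock );

    previous = process_config.protected_process_eprocess;
    process_config.protected_process_eprocess = eprocess;
    process_config.um_handle = information->protected_process_id;
    process_config.km_handle = PsGetProcessId( eprocess );
    process_config.initialised = TRUE;

    KeReleaseGuardedMutex( &process_config.lock );

    if ( previous != NULL )
        ObDereferenceObject( previous );

    return status;
}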
/*
 * One-time DriverEntry setup for process_config: initialises its guarded
 * mutex. Every other field keeps its zero-initialised value until a process
 * is registered.
 */
VOID InitialiseProcessConfigOnDriverEntry()
{
    PROCESS_CONFIG* config = &process_config;

    KeInitializeGuardedMutex( &config->lock );
}
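/*
 * Tears down driver state on unload: string buffers, the report queue, the
 * symbolic link, and the protected-process record.
 *
 * The EPROCESS in process_config comes from PsLookupProcessByProcessId, which
 * took a reference; if the driver unloads while a process is still registered
 * that reference was never released. The record is cleared under the lock and
 * the reference dropped afterwards, so a record already cleared elsewhere is
 * simply skipped.
 */
VOID CleanupDriverConfigOnUnload()
{
    PEPROCESS eprocess = NULL;

    FreeDriverConfigurationStringBuffers();
    FreeGlobalReportQueueObjects();
    IoDeleteSymbolicLink( &driver_config.device_symbolic_link );

    KeAcquireGuardedMutex( &process_config.lock );
    eprocess = process_config.protected_process_eprocess;
    process_config.protected_process_eprocess = NULL;
    process_config.km_handle = NULL;
    process_config.um_handle = NULL;
    process_config.initialised = FALSE;
    KeReleaseGuardedMutex( &process_config.lock );

    if ( eprocess != NULL )
        ObDereferenceObject( eprocess );
}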
/*
 * DRIVER_UNLOAD routine: releases driver-wide state and then the device
 * object created in DriverEntry. The symbolic link is removed inside
 * CleanupDriverConfigOnUnload, before the device goes away.
 */
VOID DriverUnload(
    _In_ PDRIVER_OBJECT DriverObject
)
{
    PDEVICE_OBJECT device = DriverObject->DeviceObject;

    CleanupDriverConfigOnUnload();
    IoDeleteDevice( device );
}
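/*
 * Terminates the protected process with STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION
 * and, on success, clears the process record.
 *
 * ZwTerminateProcess takes a process HANDLE. process_config.km_handle is the
 * value PsGetProcessId() returned in InitialiseProcessConfigOnProcessLaunch,
 * i.e. the process ID, not a handle; handing it to ZwTerminateProcess would
 * make the kernel resolve that number in the current process's handle table,
 * which either fails or lands on an unrelated object. Instead a kernel handle
 * with PROCESS_TERMINATE is opened on the EPROCESS process_config already
 * holds, used, and closed again.
 *
 * If termination fails the record is left intact so a later call can retry.
 */
VOID TerminateProtectedProcessOnViolation()
{
    NTSTATUS status = STATUS_SUCCESS;
    PEPROCESS eprocess = NULL;
    HANDLE process_handle = NULL;

    GetProtectedProcessEProcess( &eprocess );
    if ( eprocess == NULL )
    {
        DEBUG_ERROR( "Failed to terminate process as no protected process is recorded" );
        return;
    }

    /* OBJ_KERNEL_HANDLE keeps the handle out of any user process's table. */
    status = ObOpenObjectByPointer(
        eprocess,
        OBJ_KERNEL_HANDLE,
        NULL,
        PROCESS_TERMINATE,
        *PsProcessType,
        KernelMode,
        &process_handle
    );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "ObOpenObjectByPointer failed with status %x", status );
        return;
    }

    status = ZwTerminateProcess( process_handle, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );
    ZwClose( process_handle );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "ZwTerminateProcess failed with status %x", status );
        return;
    }

    ClearProcessConfigOnProcessTermination();
}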
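/*
 * Driver entry point: builds driver_config and process_config, creates the
 * control device and its symbolic link, installs the dispatch routines and
 * initialises the global report queue.
 *
 * DriverObject - the driver object supplied by the I/O manager.
 * RegistryPath - the driver's service registry path.
 *
 * Returns STATUS_SUCCESS, the status from InitialiseDriverConfigOnDriverEntry,
 * or STATUS_FAILED_DRIVER_ENTRY for every later failure. Resources are released
 * in reverse order of acquisition through the cleanup labels, replacing the
 * three hand-written, slightly different cleanup sequences.
 *
 * NOTE(review): IoCreateDevice gives the device the default security
 * descriptor, so any local user can open \??\DonnaAC and issue IOCTLs.
 * If the control interface is meant to be privileged, IoCreateDeviceSecure
 * with an SDDL string is the usual way to restrict it.
 */
NTSTATUS DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    BOOLEAN queue_initialised = FALSE;
    NTSTATUS status = STATUS_SUCCESS;

    status = InitialiseDriverConfigOnDriverEntry( RegistryPath );
    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "InitialiseDriverConfigOnDriverEntry failed with status %x", status );
        return status;
    }

    InitialiseProcessConfigOnDriverEntry();

    /* No device extension is needed; everything lives in the globals above. */
    status = IoCreateDevice(
        DriverObject,
        0,
        &driver_config.device_name,
        FILE_DEVICE_UNKNOWN,
        FILE_DEVICE_SECURE_OPEN,
        FALSE,
        &DriverObject->DeviceObject
    );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "IoCreateDevice failed with status %x", status );
        status = STATUS_FAILED_DRIVER_ENTRY;
        goto cleanup_config;
    }

    status = IoCreateSymbolicLink(
        &driver_config.device_symbolic_link,
        &driver_config.device_name
    );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "failed to create symbolic link" );
        status = STATUS_FAILED_DRIVER_ENTRY;
        goto cleanup_device;
    }

    DriverObject->MajorFunction[ IRP_MJ_CREATE ] = DeviceCreate;
    DriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DeviceClose;
    DriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DeviceControl;
    DriverObject->DriverUnload = DriverUnload;

    InitialiseGlobalReportQueue( &queue_initialised );
    if ( !queue_initialised )
    {
        DEBUG_ERROR( "failed to init report queue" );
        status = STATUS_FAILED_DRIVER_ENTRY;
        goto cleanup_link;
    }

    DEBUG_LOG( "DonnaAC Driver Entry Complete" );
    return STATUS_SUCCESS;

cleanup_link:
    IoDeleteSymbolicLink( &driver_config.device_symbolic_link );
cleanup_device:
    IoDeleteDevice( DriverObject->DeviceObject );
cleanup_config:
    FreeDriverConfigurationStringBuffers();
    return status;
}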