minor stuff

lhodges1 2024-01-07 15:42:40 +11:00
parent 6d0d9ea796
commit 0172aebe6d
7 changed files with 167 additions and 80 deletions


@ -124,7 +124,7 @@ CleanupDriverListOnDriverUnload()
{
if (!ListFreeFirstEntry(&driver_list->start, &driver_list->lock, NULL))
{
ImpExFreePoolWithTag(driver_list, POOL_TAG_THREAD_LIST);
ImpExFreePoolWithTag(driver_list, POOL_TAG_DRIVER_LIST);
return;
}
}
@ -189,7 +189,7 @@ InitialiseDriverList()
PRTL_MODULE_EXTENDED_INFO module_entry = NULL;
driver_list =
ImpExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(DRIVER_LIST), POOL_TAG_THREAD_LIST);
ImpExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(DRIVER_LIST), POOL_TAG_DRIVER_LIST);
if (!driver_list)
return STATUS_MEMORY_NOT_ALLOCATED;
@ -209,7 +209,7 @@ InitialiseDriverList()
for (INT index = 2; index < modules.module_count; index++)
{
entry = ImpExAllocatePool2(
POOL_FLAG_NON_PAGED, sizeof(DRIVER_LIST_ENTRY), POOL_TAG_THREAD_LIST);
POOL_FLAG_NON_PAGED, sizeof(DRIVER_LIST_ENTRY), POOL_TAG_DRIVER_LIST);
if (!entry)
{
@ -248,6 +248,10 @@ end:
return STATUS_SUCCESS;
}
/*
* I actually think a spinlock here for the driver list is what we want rather then a mutex, but
* implementing a spinlock has its challenges... todo: have a think!
*/
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
@ -285,43 +289,44 @@ ImageLoadNotifyRoutineCallback(_In_opt_ PUNICODE_STRING FullImageName,
if (InterlockedExchange(&driver_list->active, driver_list->active) == FALSE)
return;
if (ImageInfo->SystemModeImage == TRUE)
if (ImageInfo->SystemModeImage == FALSE)
return;
FindDriverEntryByBaseAddress(ImageInfo->ImageBase, &entry);
if (entry)
return;
DEBUG_VERBOSE("New system image: %wZ", FullImageName);
entry =
ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(DRIVER_LIST_ENTRY), POOL_TAG_DRIVER_LIST);
if (!entry)
return;
entry->hashed = TRUE;
entry->ImageBase = ImageInfo->ImageBase;
entry->ImageSize = ImageInfo->ImageSize;
/*todo: unicode 2 ansi string -> store in buf */
module.ImageBase = ImageInfo->ImageBase;
module.ImageSize = ImageInfo->ImageSize;
status = HashModule(&module, &entry->text_hash);
if (status == STATUS_INVALID_IMAGE_WIN_32)
{
FindDriverEntryByBaseAddress(ImageInfo->ImageBase, &entry);
if (entry)
return;
DEBUG_VERBOSE("New system image: %wZ", FullImageName);
entry = ExAllocatePool2(
POOL_FLAG_NON_PAGED, sizeof(DRIVER_LIST_ENTRY), POOL_TAG_THREAD_LIST);
if (!entry)
return;
entry->hashed = TRUE;
entry->ImageBase = ImageInfo->ImageBase;
entry->ImageSize = ImageInfo->ImageSize;
module.ImageBase = ImageInfo->ImageBase;
module.ImageSize = ImageInfo->ImageSize;
status = HashModule(&module, &entry->text_hash);
if (status == STATUS_INVALID_IMAGE_WIN_32)
{
DEBUG_ERROR("32 bit module not hashed, will hash later. %x", status);
entry->hashed = FALSE;
}
else if (!NT_SUCCESS(status))
{
DEBUG_ERROR("HashModule failed with status %x", status);
entry->hashed = FALSE;
}
ListInsert(&driver_list->start, entry, &driver_list->lock);
DEBUG_ERROR("32 bit module not hashed, will hash later. %x", status);
entry->hashed = FALSE;
}
else if (!NT_SUCCESS(status))
{
DEBUG_ERROR("HashModule failed with status %x", status);
entry->hashed = FALSE;
}
ListInsert(&driver_list->start, entry, &driver_list->lock);
}
NTSTATUS
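Review bot: The entry allocated in ImageLoadNotifyRoutineCallback still comes from a direct `ExAllocatePool2` call while the other three hunks in this file route allocation and freeing through the `ImpExAllocatePool2`/`ImpExFreePoolWithTag` wrappers, so this one path bypasses whatever the import indirection provides; `entry = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(DRIVER_LIST_ENTRY), POOL_TAG_DRIVER_LIST);` keeps it consistent. The `FindDriverEntryByBaseAddress` lookup and the later `ListInsert` each take the list lock on their own, so if two notifications for the same image can run concurrently both could pass the `if (entry) return;` check and insert a duplicate — presumably rare, but worth either a comment stating why it cannot happen or a lookup-and-insert under one lock. The `path` member is never filled on this path (the `unicode 2 ansi` todo), so consumers of `entry->path` for entries created here only see whatever the allocator left in it. The function's opening lines are outside the hunk.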


@ -62,14 +62,17 @@ typedef struct _PROCESS_LIST_ENTRY
} PROCESS_LIST_ENTRY, *PPROCESS_LIST_ENTRY;
#define DRIVER_PATH_LENGTH 0x100
#define SHA_256_HASH_LENGTH 32
typedef struct _DRIVER_LIST_ENTRY
{
SINGLE_LIST_ENTRY list;
PVOID ImageBase;
ULONG ImageSize;
BOOLEAN hashed;
CHAR path[0x100];
CHAR text_hash[32];
CHAR path[DRIVER_PATH_LENGTH];
CHAR text_hash[SHA_256_HASH_LENGTH];
} DRIVER_LIST_ENTRY, *PDRIVER_LIST_ENTRY;


@ -67,6 +67,7 @@
#define MODULES_REPORT_POOL_TAG 'modu'
#define POOL_TAG_LIST_ITEM 'tsil'
#define POOL_TAG_THREAD_LIST 'list'
#define POOL_TAG_DRIVER_LIST 'drvl'
#define IA32_APERF_MSR 0x000000E8
@ -92,6 +93,7 @@
#define EPROCESS_OBJECT_TABLE_OFFSET 0x570
#define EPROCESS_IMAGE_NAME_OFFSET 0x5a8
#define EPROCESS_PEB_OFFSET 0x550
#define EPROCESS_SECTION_BASE_OFFSET 0x520
#define KPROCESS_THREADLIST_OFFSET 0x030
#define KPROCESS_DIRECTORY_TABLE_BASE_OFFSET 0x028
@ -123,6 +125,22 @@
#define REPORT_DPC_STACKWALK 120
#define REPORT_DATA_TABLE_ROUTINE 130
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6
#define IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 /* (MIPS GP) */
#define IMAGE_DIRECTORY_ENTRY_TLS 9
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11
#define IMAGE_DIRECTORY_ENTRY_IAT 12 /* Import Address Table */
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14
/*
* Generic macros that allow you to quickly determine whether
* or not a page table entry is present or may forward to a
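Review bot: `EPROCESS_SECTION_BASE_OFFSET 0x520` joins the other hard-coded EPROCESS/KPROCESS offsets in common.h without any note of which Windows build they were taken from, and moving it out of a single .c file widens the set of callers that may rely on it; a one-line comment on the offset group naming the build it was verified against, and that it must be re-checked per build, would help the next person who sees a wrong read. The `IMAGE_DIRECTORY_ENTRY_*` block duplicates macro names that the WDK's ntimage.h defines, so if that header is ever pulled in they would be redefined — wrapping the block in `#ifndef IMAGE_DIRECTORY_ENTRY_EXPORT` ... `#endif` avoids a clash should the values ever diverge.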


@ -1414,7 +1414,10 @@ DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
/* store the driver object here as we need to access it in ResolveNtImports */
driver_config.driver_object = DriverObject;
ResolveNtImports();
status = ResolveNtImports();
if (!NT_SUCCESS(status))
return status;
DEBUG_VERBOSE("Beginning driver entry routine...");


@ -3,24 +3,6 @@
#include "common.h"
#include "driver.h"
#define EPROCESS_SECTION_BASE_OFFSET 0x520
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6
#define IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 /* (MIPS GP) */
#define IMAGE_DIRECTORY_ENTRY_TLS 9
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11
#define IMAGE_DIRECTORY_ENTRY_IAT 12 /* Import Address Table */
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14
PDRIVER_IMPORTS driver_imports = NULL;
VOID
@ -84,7 +66,7 @@ FindNtExport(const char* ExportName)
}
/*
* todo: add comment explaining this shit
* todo: add comment explaining this shit also this ugly af
*/
dos_header = (PIMAGE_DOS_HEADER)image_base;
nt_header = (struct _IMAGE_NT_HEADERS64*)((UINT64)image_base + dos_header->e_lfanew);
@ -123,7 +105,7 @@ ResolveNtImports()
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
/* todo fix! */
/* todo fix! store in data or sumting */
driver_imports =
ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(DRIVER_IMPORTS), POOL_TAG_INTEGRITY);
@ -209,6 +191,85 @@ ResolveNtImports()
driver_imports->DrvImpPsLookupThreadByThreadId = FindNtExport("PsLookupThreadByThreadId");
driver_imports->DrvImpIoGetCurrentIrpStackLocation = FindNtExport("IoGetCurrentIrpStackLocation");
driver_imports->DrvImpMmIsAddressValid = FindNtExport("MmIsAddressValid");
if (!driver_imports->DrvImpObDereferenceObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsGetProcessImageFileName) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsSetCreateProcessNotifyRoutine) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsRemoveCreateThreadNotifyRoutine) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsGetCurrentThreadId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsGetProcessId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsLookupProcessByProcessId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExEnumHandleTable) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObGetObjectType) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExfUnblockPushLock) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpstrstr) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlInitUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmGetSystemRoutineAddress) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlUnicodeStringToAnsiString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlCopyUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlFreeAnsiString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeInitializeGuardedMutex) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoCreateDevice) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoCreateSymbolicLink) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoDeleteDevice) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoDeleteSymbolicLink) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObRegisterCallbacks) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObUnRegisterCallbacks) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsSetCreateThreadNotifyRoutine) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeRevertToUserAffinityThreadEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeSetSystemAffinityThreadEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpstrnlen) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlInitAnsiString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlAnsiStringToUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoGetCurrentProcess) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlGetVersion) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlCompareMemory) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExGetSystemFirmwareTable) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoAllocateWorkItem) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoFreeWorkItem) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoQueueWorkItem) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwOpenFile) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwClose) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwCreateSection) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwMapViewOfSection) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwUnmapViewOfSection) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmCopyMemory) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwDeviceIoControlFile) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeStackAttachProcess) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeUnstackDetachProcess) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeWaitForSingleObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsCreateSystemThread) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIofCompleteRequest) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObReferenceObjectByHandle) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeDelayExecutionThread) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeRegisterNmiCallback) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeDeregisterNmiCallback) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeQueryActiveProcessorCount) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExAcquirePushLockExclusiveEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExReleasePushLockExclusiveEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsGetThreadId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlCaptureStackBackTrace) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwOpenDirectoryObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeInitializeAffinityEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeAddProcessorAffinityEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlQueryModuleInformation) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeInitializeApc) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeInsertQueueApc) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeGenericCallDpc) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeSignalCallDpcDone) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmGetPhysicalMemoryRangesEx2) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmGetVirtualForPhysical) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObfReferenceObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExFreePoolWithTag) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExAllocatePool2) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeReleaseGuardedMutex) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeAcquireGuardedMutex) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpDbgPrintEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlCompareUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlFreeUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsLookupThreadByThreadId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoGetCurrentIrpStackLocation) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmIsAddressValid) return STATUS_UNSUCCESSFUL;
// clang-format on
return STATUS_SUCCESS;
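Review bot: Each of the `if (!driver_imports->...) return STATUS_UNSUCCESSFUL;` lines leaves the `driver_imports` block allocated at the top of ResolveNtImports in place and the global pointing at a partially resolved table, and DriverEntry, which now returns this status, cannot tell which export was missing. A macro that logs the member name and jumps to one failure label that frees and nulls the table keeps validation to one line per import and makes the failure diagnosable. Whether DEBUG_ERROR itself goes through one of these imports is not visible here; if it does, the log call in the macro would need the raw DbgPrintEx. The start of ResolveNtImports is outside the hunk.
```c
#define VALIDATE_IMPORT(Name)                                   \
    if (!driver_imports->Name)                                  \
    {                                                           \
        DEBUG_ERROR("Failed to resolve import: " #Name);        \
        goto fail;                                              \
    }

    VALIDATE_IMPORT(DrvImpObDereferenceObject);
    VALIDATE_IMPORT(DrvImpPsGetProcessImageFileName);
    /* ... one VALIDATE_IMPORT per remaining DrvImp* member ... */
    VALIDATE_IMPORT(DrvImpMmIsAddressValid);
    // clang-format on
    return STATUS_SUCCESS;

fail:
    ExFreePoolWithTag(driver_imports, POOL_TAG_INTEGRITY);
    driver_imports = NULL;
    return STATUS_UNSUCCESSFUL;
```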


@ -1555,7 +1555,7 @@ ValidateSystemModule(_In_ PRTL_MODULE_EXTENDED_INFO Module)
goto end;
}
if (CompareHashes(hash, entry->text_hash, sizeof(entry->text_hash)))
if (CompareHashes(hash, entry->text_hash, SHA_256_HASH_LENGTH))
DEBUG_VERBOSE("Module: %s text regions are valid.", Module->FullPathName);
else
DEBUG_WARNING("**!!** Module: %s text regions are not valid **!!**", Module->FullPathName);
@ -1658,7 +1658,7 @@ ValidateOurDriverImage()
* Since we don't pass a return value, I think we would raise an invalid module error and
* stop the users game session ? since module .text section error would be a large red flag
*/
if (CompareHashes(disk_hash, memory_hash, memory_hash_size))
if (CompareHashes(disk_hash, memory_hash, SHA_256_HASH_LENGTH))
DEBUG_VERBOSE("Driver image is valid. Integrity check complete");
else
DEBUG_WARNING("Drive image is NOT valid. !!!");
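Review bot: In ValidateOurDriverImage the comparison length changes from the runtime `memory_hash_size` to the fixed `SHA_256_HASH_LENGTH`, so if `memory_hash` and `disk_hash` are sized from the hashing routine's output rather than from the constant, a shorter output would let `CompareHashes` read past the buffers; keeping the runtime value, or guarding with `if (memory_hash_size != SHA_256_HASH_LENGTH)` and taking the function's failure path before the call, ties the two together. The ValidateSystemModule hunk is fine because `text_hash` is declared with the same macro, though `sizeof(entry->text_hash)` was already self-maintaining. Both enclosing functions begin outside their hunks.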


@ -82,24 +82,21 @@ Init(HINSTANCE hinstDLL)
std::cout << "Seed: " << seed << std::endl;
//switch (seed)
//{
//case 0: kmanager.EnumerateHandleTables(); break;
//case 1: kmanager.PerformIntegrityCheck(); break;
//case 2: kmanager.ScanPoolsForUnlinkedProcesses(); break;
//case 3: kmanager.VerifySystemModuleDriverObjects(); break;
//case 4: kmanager.ValidateProcessModules(); break;
//case 5: kmanager.RunNmiCallbacks(); break;
//case 6: kmanager.CheckForAttachedThreads(); break;
//case 7: kmanager.InitiateApcStackwalkOperation(); break;
//case 8: kmanager.CheckForEptHooks(); break;
//case 9: kmanager.StackwalkThreadsViaDpc(); break;
//case 10: kmanager.ValidateSystemModules(); break;
//}
switch (seed)
{
case 0: kmanager.EnumerateHandleTables(); break;
case 1: kmanager.PerformIntegrityCheck(); break;
case 2: kmanager.ScanPoolsForUnlinkedProcesses(); break;
case 3: kmanager.VerifySystemModuleDriverObjects(); break;
case 4: kmanager.ValidateProcessModules(); break;
case 5: kmanager.RunNmiCallbacks(); break;
case 6: kmanager.CheckForAttachedThreads(); break;
case 7: kmanager.InitiateApcStackwalkOperation(); break;
case 8: kmanager.CheckForEptHooks(); break;
case 9: kmanager.StackwalkThreadsViaDpc(); break;
case 10: kmanager.ValidateSystemModules(); break;
}
kmanager.ValidateSystemModules();
std::this_thread::sleep_for(std::chrono::seconds(2));
kmanager.PerformIntegrityCheck();
kmanager.MonitorCallbackReports();
std::this_thread::sleep_for(std::chrono::seconds(10));
}
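Review bot: The `switch (seed)` covers cases 0–10 with no `default:`, so a seed outside that range silently runs none of the checks before the trailing `ValidateSystemModules` call; the +/- markers are lost on this page, but whichever copy of the switch is live should end with `default: std::cout << "Unhandled seed: " << seed << '\n'; break;`. Keeping a commented-out copy of the same switch next to the active one leaves two lists of checks to maintain — drop the inactive copy rather than carry it. `Init` begins outside the hunk.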