noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

some bug fixes

Browse source
This commit is contained in:
lhodges1 2024-01-28 18:34:09 +11:00
parent d743f49bd3
commit 034f4dbd20
17 changed files with 587 additions and 513 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
ac.sln
View file

@ -201,30 +201,30 @@ Global
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|x64.Build.0 = Debug|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|x86.ActiveCfg = Debug|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Debug|x86.Build.0 = Debug|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|Any CPU.ActiveCfg = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|Any CPU.Build.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|ARM64.ActiveCfg = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|ARM64.Build.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x64.ActiveCfg = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x64.Build.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x86.ActiveCfg = Release|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x86.Build.0 = Release|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|Any CPU.ActiveCfg = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|Any CPU.Build.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|ARM64.ActiveCfg = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|ARM64.Build.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x64.ActiveCfg = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x64.Build.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x86.ActiveCfg = Release|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x86.Build.0 = Release|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|Any CPU.ActiveCfg = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|Any CPU.Build.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|ARM64.ActiveCfg = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|ARM64.Build.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x64.ActiveCfg = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x64.Build.0 = Release|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x86.ActiveCfg = Release|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x86.Build.0 = Release|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|Any CPU.ActiveCfg = test|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|Any CPU.Build.0 = test|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|ARM64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|ARM64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x86.ActiveCfg = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win10|x86.Build.0 = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|Any CPU.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|Any CPU.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|ARM64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|ARM64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x86.ActiveCfg = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release - No Server - Win11|x86.Build.0 = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|Any CPU.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|Any CPU.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|ARM64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|ARM64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x64.ActiveCfg = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x64.Build.0 = Release - No Server|x64
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x86.ActiveCfg = Release - No Server|Win32
{3B18467A-4358-45EF-81B1-5C6F9B0B6728}.Release|x86.Build.0 = Release - No Server|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE

27
driver/callbacks.c
View file

@ -910,31 +910,14 @@ InitialiseTimerObject(_Out_ PTIMER_OBJECT Timer)
due_time.QuadPart = ABSOLUTE(SECONDS(5));
Timer->timer = ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(KTIMER), POOL_TAG_TIMER);
if (!Timer->timer)
return STATUS_MEMORY_NOT_ALLOCATED;
Timer->dpc = ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(KDPC), POOL_TAG_DPC);
if (!Timer->dpc)
{
ExFreePoolWithTag(Timer->timer, POOL_TAG_TIMER);
return STATUS_MEMORY_NOT_ALLOCATED;
}
Timer->work_item = IoAllocateWorkItem(GetDriverDeviceObject());
if (!Timer->work_item)
{
ExFreePoolWithTag(Timer->dpc, POOL_TAG_DPC);
ExFreePoolWithTag(Timer->timer, POOL_TAG_TIMER);
return STATUS_MEMORY_NOT_ALLOCATED;
}
KeInitializeDpc(Timer->dpc, TimerObjectCallbackRoutine, Timer);
KeInitializeTimer(Timer->timer);
KeSetTimerEx(Timer->timer, due_time, REPEAT_TIME_10_SEC, Timer->dpc);
KeInitializeDpc(&Timer->dpc, TimerObjectCallbackRoutine, Timer);
KeInitializeTimer(&Timer->timer);
KeSetTimerEx(&Timer->timer, due_time, REPEAT_TIME_10_SEC, &Timer->dpc);
DEBUG_VERBOSE("Successfully initialised global timer callback.");
return STATUS_SUCCESS;
@ -951,10 +934,8 @@ CleanupDriverTimerObjects(_Out_ PTIMER_OBJECT Timer)
YieldProcessor();
/* now its safe to free and cancel our timers, pools etc. */
KeCancelTimer(Timer->timer);
KeCancelTimer(&Timer->timer);
IoFreeWorkItem(Timer->work_item);
ExFreePoolWithTag(Timer->timer, POOL_TAG_TIMER);
ExFreePoolWithTag(Timer->dpc, POOL_TAG_DPC);
DEBUG_VERBOSE("Freed timer objects.");
}

4
driver/common.h
View file

@ -119,8 +119,8 @@ typedef struct _TIMER_OBJECT
*/
volatile LONG state;
PKTIMER timer;
PKDPC dpc;
KTIMER timer;
KDPC dpc;
PIO_WORKITEM work_item;
} TIMER_OBJECT, *PTIMER_OBJECT;

22
driver/crypt.c Normal file
View file

@ -0,0 +1,22 @@
#include "crypt.h"
#include <immintrin.h>
#define TEMP_KEY 0x5a
VOID
CryptEncryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size)
{
PCHAR entry = (PCHAR)Buffer;
for (UINT32 index = 0; index < Size; index++)
{
entry[index] ^= TEMP_KEY;
}
}
VOID
CryptDecryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size)
{
CryptEncryptBufferInPlace(Buffer, Size);
}

12
driver/crypt.h Normal file
View file

@ -0,0 +1,12 @@
#ifndef CRYPT_H
#define CRYPT_H
#include "common.h"
VOID
CryptEncryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size);
VOID
CryptDecryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size);
#endif

105
driver/driver.c
View file

@ -37,10 +37,6 @@ STATIC
VOID
DrvUnloadFreeConfigStrings();
STATIC
VOID
DrvUnloadFreeSymbolicLink();
STATIC
VOID
DrvUnloadFreeThreadList();
@ -79,7 +75,6 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
# pragma alloc_text(PAGE, TerminateProtectedProcessOnViolation)
# pragma alloc_text(PAGE, DrvUnloadUnregisterObCallbacks)
# pragma alloc_text(PAGE, DrvUnloadFreeConfigStrings)
# pragma alloc_text(PAGE, DrvUnloadFreeSymbolicLink)
# pragma alloc_text(PAGE, DrvUnloadFreeThreadList)
# pragma alloc_text(PAGE, DrvLoadEnableNotifyRoutines)
# pragma alloc_text(PAGE, DrvLoadEnableNotifyRoutines)
@ -94,8 +89,8 @@ typedef struct _DRIVER_CONFIG
volatile LONG nmi_status;
UNICODE_STRING unicode_driver_name;
ANSI_STRING ansi_driver_name;
UNICODE_STRING device_name;
UNICODE_STRING device_symbolic_link;
PUNICODE_STRING device_name;
PUNICODE_STRING device_symbolic_link;
UNICODE_STRING driver_path;
UNICODE_STRING registry_path;
SYSTEM_INFORMATION system_information;
@ -115,6 +110,9 @@ typedef struct _DRIVER_CONFIG
} DRIVER_CONFIG, *PDRIVER_CONFIG;
UNICODE_STRING g_DeviceName = RTL_CONSTANT_STRING(L"\\Device\\DonnaAC");
UNICODE_STRING g_DeviceSymbolicLink = RTL_CONSTANT_STRING(L"\\??\\DonnaAC");
/*
* Rather then getting the driver state from the device object passed to our IOCTL handlers, store a
* pointer to the device extension here and abstract it with getters which can be accessed globally.
@ -393,10 +391,10 @@ DrvUnloadFreeConfigStrings()
STATIC
VOID
DrvUnloadFreeSymbolicLink()
DrvUnloadDeleteSymbolicLink()
{
PAGED_CODE();
ImpIoDeleteSymbolicLink(&g_DriverConfig->device_symbolic_link);
if (g_DriverConfig->device_symbolic_link)
ImpIoDeleteSymbolicLink(g_DriverConfig->device_symbolic_link);
}
STATIC
@ -439,14 +437,6 @@ DrvUnloadFreeModuleValidationContext()
CleanupValidationContextOnUnload(&g_DriverConfig->sys_val_context);
}
STATIC
VOID
DrvUnloadFreeImportsStructure()
{
PAGED_CODE();
FreeDriverImportsStructure();
}
STATIC
VOID
DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
@ -476,12 +466,10 @@ DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
DrvUnloadFreeDriverList();
DrvUnloadFreeConfigStrings();
DrvUnloadFreeSymbolicLink();
DrvUnloadDeleteSymbolicLink();
ImpIoDeleteDevice(DriverObject->DeviceObject);
DEBUG_INFO("Driver successfully unloaded.");
DrvUnloadFreeImportsStructure();
}
STATIC
@ -549,6 +537,7 @@ DrvLoadSetupDriverLists()
DEBUG_ERROR("InitialiseThreadList failed with status %x", status);
UnregisterThreadCreateNotifyRoutine();
UnregisterImageLoadNotifyRoutine();
CleanupDriverListOnDriverUnload();
return status;
}
@ -560,6 +549,8 @@ DrvLoadSetupDriverLists()
UnregisterProcessCreateNotifyRoutine();
UnregisterThreadCreateNotifyRoutine();
UnregisterImageLoadNotifyRoutine();
CleanupDriverListOnDriverUnload();
CleanupThreadListOnDriverUnload();
return status;
}
@ -821,7 +812,6 @@ DrvLoadGatherSystemEnvironmentSettings()
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("ParseSmbiosForGivenSystemEnvironment failed with status %x", status);
DrvUnloadFreeConfigStrings();
return status;
}
@ -832,7 +822,6 @@ DrvLoadGatherSystemEnvironmentSettings()
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("GetHardDiskDriverSerialNumber failed with status %x", status);
DrvUnloadFreeConfigStrings();
return status;
}
@ -917,7 +906,6 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("DrvLoadRetrieveDriverNameFromRegistry failed with status %x", status);
DrvUnloadFreeConfigStrings();
return status;
}
@ -927,7 +915,6 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("GatherSystemEnvironmentSettings failed with status %x", status);
DrvUnloadFreeConfigStrings();
return status;
}
@ -936,7 +923,6 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("AllocateCallbackStructure failed with status %x", status);
DrvUnloadFreeConfigStrings();
return status;
}
@ -945,7 +931,6 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("InitialiseTimerObject failed with status %x", status);
DrvUnloadFreeConfigStrings();
return status;
}
@ -954,7 +939,6 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("IrpQueueInitialise failed with status %x", status);
DrvUnloadFreeConfigStrings();
return status;
}
@ -965,25 +949,28 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
NTSTATUS
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
BOOLEAN flag = FALSE;
NTSTATUS status = STATUS_UNSUCCESSFUL;
UNICODE_STRING device_name = RTL_CONSTANT_STRING(L"\\Device\\DonnaAC");
UNICODE_STRING symbolic_link = RTL_CONSTANT_STRING(L"\\??\\DonnaAC");
BOOLEAN flag = FALSE;
NTSTATUS status = STATUS_UNSUCCESSFUL;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControl;
DriverObject->DriverUnload = DriverUnload;
status = ResolveDynamicImports(DriverObject);
if (!NT_SUCCESS(status))
return STATUS_FAILED_DRIVER_ENTRY;
DEBUG_VERBOSE("Beginning driver entry routine...");
status = IoCreateDevice(DriverObject,
sizeof(DRIVER_CONFIG),
&device_name,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&DriverObject->DeviceObject);
status = ImpIoCreateDevice(DriverObject,
sizeof(DRIVER_CONFIG),
&g_DeviceName,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&DriverObject->DeviceObject);
if (!NT_SUCCESS(status))
{
@ -991,45 +978,34 @@ DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
return status;
}
g_DriverConfig = DriverObject->DeviceObject->DeviceExtension;
g_DriverConfig->driver_object = DriverObject;
g_DriverConfig->device_object = DriverObject->DeviceObject;
RtlCopyUnicodeString(&g_DriverConfig->device_name, &device_name);
RtlCopyUnicodeString(&g_DriverConfig->device_symbolic_link, &symbolic_link);
/* this needs to be restructured since we leak device object */
status = ResolveDynamicImports(DriverObject);
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("ResolveDynamicImports failed with status %x", status);
// ImpIoDeleteDevice(DriverObject->DeviceObject);
return status;
}
g_DriverConfig = DriverObject->DeviceObject->DeviceExtension;
g_DriverConfig->device_object = DriverObject->DeviceObject;
g_DriverConfig->driver_object = DriverObject;
g_DriverConfig->device_name = &g_DeviceName;
g_DriverConfig->device_symbolic_link = &g_DeviceSymbolicLink;
status = DrvLoadInitialiseDriverConfig(DriverObject, RegistryPath);
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("InitialiseDriverConfigOnDriverEntry failed with status %x", status);
DrvUnloadFreeConfigStrings();
ImpIoDeleteDevice(DriverObject->DeviceObject);
DrvUnloadFreeImportsStructure();
return status;
}
DrvLoadInitialiseProcessConfig();
status = IoCreateSymbolicLink(&symbolic_link, &device_name);
status =
IoCreateSymbolicLink(g_DriverConfig->device_symbolic_link, g_DriverConfig->device_name);
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("IoCreateSymbolicLink failed with status %x", status);
DrvUnloadFreeConfigStrings();
ImpIoDeleteDevice(DriverObject->DeviceObject);
DrvUnloadFreeTimerObject();
DrvUnloadFreeImportsStructure();
return STATUS_FAILED_DRIVER_ENTRY;
ImpIoDeleteDevice(DriverObject->DeviceObject);
return status;
}
status = DrvLoadEnableNotifyRoutines();
@ -1039,10 +1015,9 @@ DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
DEBUG_ERROR("EnablenotifyRoutines failed with status %x", status);
DrvUnloadFreeConfigStrings();
DrvUnloadFreeTimerObject();
ImpIoDeleteSymbolicLink(&g_DriverConfig->device_symbolic_link);
DrvUnloadDeleteSymbolicLink();
ImpIoDeleteDevice(DriverObject->DeviceObject);
DrvUnloadFreeImportsStructure();
return STATUS_FAILED_DRIVER_ENTRY;
return status;
}
status = DrvLoadSetupDriverLists();
@ -1052,9 +1027,9 @@ DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
DEBUG_ERROR("DrvLoadSetupDriverLists failed with status %x", status);
DrvUnloadFreeConfigStrings();
DrvUnloadFreeTimerObject();
ImpIoDeleteSymbolicLink(&g_DriverConfig->device_symbolic_link);
DrvUnloadDeleteSymbolicLink();
ImpIoDeleteDevice(DriverObject->DeviceObject);
DrvUnloadFreeImportsStructure();
return status;
}
DEBUG_VERBOSE("Driver Entry Complete.");

2
driver/driver.vcxproj
View file

@ -246,6 +246,7 @@
<ItemGroup>
<ClCompile Include="apc.c" />
<ClCompile Include="callbacks.c" />
<ClCompile Include="crypt.c" />
<ClCompile Include="driver.c" />
<ClCompile Include="hv.c" />
<ClCompile Include="imports.c" />
@ -261,6 +262,7 @@
<ClInclude Include="apc.h" />
<ClInclude Include="callbacks.h" />
<ClInclude Include="common.h" />
<ClInclude Include="crypt.h" />
<ClInclude Include="driver.h" />
<ClInclude Include="hv.h" />
<ClInclude Include="ia32.h" />

6
driver/driver.vcxproj.filters
View file

@ -60,6 +60,9 @@
<ClCompile Include="io.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="crypt.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="driver.h">
@ -107,6 +110,9 @@
<ClInclude Include="types\types.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="crypt.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<MASM Include="arch.asm">

493
driver/imports.c
View file

@ -3,24 +3,16 @@
#include "common.h"
#include "driver.h"
PDRIVER_IMPORTS driver_imports = NULL;
VOID
FreeDriverImportsStructure()
{
if (driver_imports)
ExFreePoolWithTag(driver_imports, POOL_TAG_INTEGRITY);
}
DRIVER_IMPORTS driver_imports = {0};
PVOID
FindDriverBaseNoApi(_In_ PWCH Name)
FindDriverBaseNoApi(_In_ PDRIVER_OBJECT DriverObject, _In_ PWCH Name)
{
PDRIVER_OBJECT driver = GetDriverObject();
PKLDR_DATA_TABLE_ENTRY first = (PKLDR_DATA_TABLE_ENTRY)driver->DriverSection;
PKLDR_DATA_TABLE_ENTRY first = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
/* first entry contains invalid data, 2nd entry is the kernel */
PKLDR_DATA_TABLE_ENTRY entry =
((PKLDR_DATA_TABLE_ENTRY)driver->DriverSection)->InLoadOrderLinks.Flink->Flink;
((PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection)->InLoadOrderLinks.Flink->Flink;
while (entry->InLoadOrderLinks.Flink != first)
{
@ -38,7 +30,7 @@ FindDriverBaseNoApi(_In_ PWCH Name)
}
PVOID
FindNtExport(PCZPSTR ExportName)
FindNtExport(PDRIVER_OBJECT DriverObject, PCZPSTR ExportName)
{
PVOID image_base = NULL;
PIMAGE_DOS_HEADER dos_header = NULL;
@ -57,7 +49,7 @@ FindNtExport(PCZPSTR ExportName)
if (!ExportName)
return NULL;
image_base = FindDriverBaseNoApi(L"ntoskrnl.exe");
image_base = FindDriverBaseNoApi(DriverObject, L"ntoskrnl.exe");
if (!image_base)
{
@ -103,250 +95,241 @@ FindNtExport(PCZPSTR ExportName)
NTSTATUS
ResolveDynamicImports(_In_ PDRIVER_OBJECT DriverObject)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
/* todo fix! store in data or sumting */
driver_imports =
ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(DRIVER_IMPORTS), POOL_TAG_INTEGRITY);
if (!driver_imports)
return STATUS_MEMORY_NOT_ALLOCATED;
// clang-format off
driver_imports->DrvImpObDereferenceObject = FindNtExport("ObDereferenceObject");
driver_imports->DrvImpPsGetProcessImageFileName = FindNtExport("PsGetProcessImageFileName");
driver_imports->DrvImpPsSetCreateProcessNotifyRoutine = FindNtExport("PsSetCreateProcessNotifyRoutine");
driver_imports->DrvImpPsRemoveCreateThreadNotifyRoutine = FindNtExport("PsRemoveCreateThreadNotifyRoutine");
driver_imports->DrvImpPsGetCurrentThreadId = FindNtExport("PsGetCurrentThreadId");
driver_imports->DrvImpPsGetProcessId = FindNtExport("PsGetProcessId");
driver_imports->DrvImpPsLookupProcessByProcessId = FindNtExport("PsLookupProcessByProcessId");
driver_imports->DrvImpExEnumHandleTable = FindNtExport("ExEnumHandleTable");
driver_imports->DrvImpObGetObjectType = FindNtExport("ObGetObjectType");
driver_imports->DrvImpExfUnblockPushLock = FindNtExport("ExfUnblockPushLock");
driver_imports->DrvImpstrstr = FindNtExport("strstr");
driver_imports->DrvImpRtlInitUnicodeString = FindNtExport("RtlInitUnicodeString");
driver_imports->DrvImpMmGetSystemRoutineAddress = FindNtExport("MmGetSystemRoutineAddress");
driver_imports->DrvImpRtlUnicodeStringToAnsiString = FindNtExport("RtlUnicodeStringToAnsiString");
driver_imports->DrvImpRtlCopyUnicodeString = FindNtExport("RtlCopyUnicodeString");
driver_imports->DrvImpRtlFreeAnsiString = FindNtExport("RtlFreeAnsiString");
driver_imports->DrvImpKeInitializeGuardedMutex = FindNtExport("KeInitializeGuardedMutex");
driver_imports->DrvImpIoCreateDevice = FindNtExport("IoCreateDevice");
driver_imports->DrvImpIoCreateSymbolicLink = FindNtExport("IoCreateSymbolicLink");
driver_imports->DrvImpIoDeleteDevice = FindNtExport("IoDeleteDevice");
driver_imports->DrvImpIoDeleteSymbolicLink = FindNtExport("IoDeleteSymbolicLink");
driver_imports->DrvImpObRegisterCallbacks = FindNtExport("ObRegisterCallbacks");
driver_imports->DrvImpObUnRegisterCallbacks = FindNtExport("ObUnRegisterCallbacks");
driver_imports->DrvImpPsSetCreateThreadNotifyRoutine = FindNtExport("PsSetCreateThreadNotifyRoutine");
driver_imports->DrvImpKeRevertToUserAffinityThreadEx = FindNtExport("KeRevertToUserAffinityThreadEx");
driver_imports->DrvImpKeSetSystemAffinityThreadEx = FindNtExport("KeSetSystemAffinityThreadEx");
driver_imports->DrvImpstrnlen = FindNtExport("strnlen");
driver_imports->DrvImpRtlInitAnsiString = FindNtExport("RtlInitAnsiString");
driver_imports->DrvImpRtlAnsiStringToUnicodeString = FindNtExport("RtlAnsiStringToUnicodeString");
driver_imports->DrvImpIoGetCurrentProcess = FindNtExport("IoGetCurrentProcess");
driver_imports->DrvImpRtlGetVersion = FindNtExport("RtlGetVersion");
driver_imports->DrvImpRtlCompareMemory = FindNtExport("RtlCompareMemory");
driver_imports->DrvImpExGetSystemFirmwareTable = FindNtExport("ExGetSystemFirmwareTable");
driver_imports->DrvImpIoAllocateWorkItem = FindNtExport("IoAllocateWorkItem");
driver_imports->DrvImpIoFreeWorkItem = FindNtExport("IoFreeWorkItem");
driver_imports->DrvImpIoQueueWorkItem = FindNtExport("IoQueueWorkItem");
driver_imports->DrvImpZwOpenFile = FindNtExport("ZwOpenFile");
driver_imports->DrvImpZwClose = FindNtExport("ZwClose");
driver_imports->DrvImpZwCreateSection = FindNtExport("ZwCreateSection");
driver_imports->DrvImpZwMapViewOfSection = FindNtExport("ZwMapViewOfSection");
driver_imports->DrvImpZwUnmapViewOfSection = FindNtExport("ZwUnmapViewOfSection");
driver_imports->DrvImpMmCopyMemory = FindNtExport("MmCopyMemory");
driver_imports->DrvImpZwDeviceIoControlFile = FindNtExport("ZwDeviceIoControlFile");
driver_imports->DrvImpKeStackAttachProcess = FindNtExport("KeStackAttachProcess");
driver_imports->DrvImpKeUnstackDetachProcess = FindNtExport("KeUnstackDetachProcess");
driver_imports->DrvImpKeWaitForSingleObject = FindNtExport("KeWaitForSingleObject");
driver_imports->DrvImpPsCreateSystemThread = FindNtExport("PsCreateSystemThread");
driver_imports->DrvImpIofCompleteRequest = FindNtExport("IofCompleteRequest");
driver_imports->DrvImpObReferenceObjectByHandle = FindNtExport("ObReferenceObjectByHandle");
driver_imports->DrvImpKeDelayExecutionThread = FindNtExport("KeDelayExecutionThread");
driver_imports->DrvImpKeRegisterNmiCallback = FindNtExport("KeRegisterNmiCallback");
driver_imports->DrvImpKeDeregisterNmiCallback = FindNtExport("KeDeregisterNmiCallback");
driver_imports->DrvImpKeQueryActiveProcessorCount = FindNtExport("KeQueryActiveProcessorCount");
driver_imports->DrvImpExAcquirePushLockExclusiveEx = FindNtExport("ExAcquirePushLockExclusiveEx");
driver_imports->DrvImpExReleasePushLockExclusiveEx = FindNtExport("ExReleasePushLockExclusiveEx");
driver_imports->DrvImpPsGetThreadId = FindNtExport("PsGetThreadId");
driver_imports->DrvImpRtlCaptureStackBackTrace = FindNtExport("RtlCaptureStackBackTrace");
driver_imports->DrvImpZwOpenDirectoryObject = FindNtExport("ZwOpenDirectoryObject");
driver_imports->DrvImpKeInitializeAffinityEx = FindNtExport("KeInitializeAffinityEx");
driver_imports->DrvImpKeAddProcessorAffinityEx = FindNtExport("KeAddProcessorAffinityEx");
driver_imports->DrvImpRtlQueryModuleInformation = FindNtExport("RtlQueryModuleInformation");
driver_imports->DrvImpKeInitializeApc = FindNtExport("KeInitializeApc");
driver_imports->DrvImpKeInsertQueueApc = FindNtExport("KeInsertQueueApc");
driver_imports->DrvImpKeGenericCallDpc = FindNtExport("KeGenericCallDpc");
driver_imports->DrvImpKeSignalCallDpcDone = FindNtExport("KeSignalCallDpcDone");
driver_imports->DrvImpMmGetPhysicalMemoryRangesEx2 = FindNtExport("MmGetPhysicalMemoryRangesEx2");
driver_imports->DrvImpMmGetVirtualForPhysical = FindNtExport("MmGetVirtualForPhysical");
driver_imports->DrvImpObfReferenceObject = FindNtExport("ObfReferenceObject");
driver_imports->DrvImpExFreePoolWithTag = FindNtExport("ExFreePoolWithTag");
driver_imports->DrvImpExAllocatePool2 = FindNtExport("ExAllocatePool2");
driver_imports->DrvImpKeReleaseGuardedMutex = FindNtExport("KeReleaseGuardedMutex");
driver_imports->DrvImpKeAcquireGuardedMutex = FindNtExport("KeAcquireGuardedMutex");
driver_imports->DrvImpDbgPrintEx = FindNtExport("DbgPrintEx");
driver_imports->DrvImpRtlCompareUnicodeString = FindNtExport("RtlCompareUnicodeString");
driver_imports->DrvImpRtlFreeUnicodeString = FindNtExport("RtlFreeUnicodeString");
driver_imports->DrvImpPsLookupThreadByThreadId = FindNtExport("PsLookupThreadByThreadId");
driver_imports->DrvImpMmIsAddressValid = FindNtExport("MmIsAddressValid");
driver_imports.DrvImpObDereferenceObject = FindNtExport(DriverObject, "ObDereferenceObject");
driver_imports.DrvImpPsGetProcessImageFileName = FindNtExport(DriverObject, "PsGetProcessImageFileName");
driver_imports.DrvImpPsSetCreateProcessNotifyRoutine = FindNtExport(DriverObject, "PsSetCreateProcessNotifyRoutine");
driver_imports.DrvImpPsRemoveCreateThreadNotifyRoutine = FindNtExport(DriverObject, "PsRemoveCreateThreadNotifyRoutine");
driver_imports.DrvImpPsGetCurrentThreadId = FindNtExport(DriverObject, "PsGetCurrentThreadId");
driver_imports.DrvImpPsGetProcessId = FindNtExport(DriverObject, "PsGetProcessId");
driver_imports.DrvImpPsLookupProcessByProcessId = FindNtExport(DriverObject, "PsLookupProcessByProcessId");
driver_imports.DrvImpExEnumHandleTable = FindNtExport(DriverObject, "ExEnumHandleTable");
driver_imports.DrvImpObGetObjectType = FindNtExport(DriverObject, "ObGetObjectType");
driver_imports.DrvImpExfUnblockPushLock = FindNtExport(DriverObject, "ExfUnblockPushLock");
driver_imports.DrvImpstrstr = FindNtExport(DriverObject, "strstr");
driver_imports.DrvImpRtlInitUnicodeString = FindNtExport(DriverObject, "RtlInitUnicodeString");
driver_imports.DrvImpMmGetSystemRoutineAddress = FindNtExport(DriverObject, "MmGetSystemRoutineAddress");
driver_imports.DrvImpRtlUnicodeStringToAnsiString = FindNtExport(DriverObject, "RtlUnicodeStringToAnsiString");
driver_imports.DrvImpRtlCopyUnicodeString = FindNtExport(DriverObject, "RtlCopyUnicodeString");
driver_imports.DrvImpRtlFreeAnsiString = FindNtExport(DriverObject, "RtlFreeAnsiString");
driver_imports.DrvImpKeInitializeGuardedMutex = FindNtExport(DriverObject, "KeInitializeGuardedMutex");
driver_imports.DrvImpIoCreateDevice = FindNtExport(DriverObject, "IoCreateDevice");
driver_imports.DrvImpIoCreateSymbolicLink = FindNtExport(DriverObject, "IoCreateSymbolicLink");
driver_imports.DrvImpIoDeleteDevice = FindNtExport(DriverObject, "IoDeleteDevice");
driver_imports.DrvImpIoDeleteSymbolicLink = FindNtExport(DriverObject, "IoDeleteSymbolicLink");
driver_imports.DrvImpObRegisterCallbacks = FindNtExport(DriverObject, "ObRegisterCallbacks");
driver_imports.DrvImpObUnRegisterCallbacks = FindNtExport(DriverObject, "ObUnRegisterCallbacks");
driver_imports.DrvImpPsSetCreateThreadNotifyRoutine = FindNtExport(DriverObject, "PsSetCreateThreadNotifyRoutine");
driver_imports.DrvImpKeRevertToUserAffinityThreadEx = FindNtExport(DriverObject, "KeRevertToUserAffinityThreadEx");
driver_imports.DrvImpKeSetSystemAffinityThreadEx = FindNtExport(DriverObject, "KeSetSystemAffinityThreadEx");
driver_imports.DrvImpstrnlen = FindNtExport(DriverObject, "strnlen");
driver_imports.DrvImpRtlInitAnsiString = FindNtExport(DriverObject, "RtlInitAnsiString");
driver_imports.DrvImpRtlAnsiStringToUnicodeString = FindNtExport(DriverObject, "RtlAnsiStringToUnicodeString");
driver_imports.DrvImpIoGetCurrentProcess = FindNtExport(DriverObject, "IoGetCurrentProcess");
driver_imports.DrvImpRtlGetVersion = FindNtExport(DriverObject, "RtlGetVersion");
driver_imports.DrvImpRtlCompareMemory = FindNtExport(DriverObject, "RtlCompareMemory");
driver_imports.DrvImpExGetSystemFirmwareTable = FindNtExport(DriverObject, "ExGetSystemFirmwareTable");
driver_imports.DrvImpIoAllocateWorkItem = FindNtExport(DriverObject, "IoAllocateWorkItem");
driver_imports.DrvImpIoFreeWorkItem = FindNtExport(DriverObject, "IoFreeWorkItem");
driver_imports.DrvImpIoQueueWorkItem = FindNtExport(DriverObject, "IoQueueWorkItem");
driver_imports.DrvImpZwOpenFile = FindNtExport(DriverObject, "ZwOpenFile");
driver_imports.DrvImpZwClose = FindNtExport(DriverObject, "ZwClose");
driver_imports.DrvImpZwCreateSection = FindNtExport(DriverObject, "ZwCreateSection");
driver_imports.DrvImpZwMapViewOfSection = FindNtExport(DriverObject, "ZwMapViewOfSection");
driver_imports.DrvImpZwUnmapViewOfSection = FindNtExport(DriverObject, "ZwUnmapViewOfSection");
driver_imports.DrvImpMmCopyMemory = FindNtExport(DriverObject, "MmCopyMemory");
driver_imports.DrvImpZwDeviceIoControlFile = FindNtExport(DriverObject, "ZwDeviceIoControlFile");
driver_imports.DrvImpKeStackAttachProcess = FindNtExport(DriverObject, "KeStackAttachProcess");
driver_imports.DrvImpKeUnstackDetachProcess = FindNtExport(DriverObject, "KeUnstackDetachProcess");
driver_imports.DrvImpKeWaitForSingleObject = FindNtExport(DriverObject, "KeWaitForSingleObject");
driver_imports.DrvImpPsCreateSystemThread = FindNtExport(DriverObject, "PsCreateSystemThread");
driver_imports.DrvImpIofCompleteRequest = FindNtExport(DriverObject, "IofCompleteRequest");
driver_imports.DrvImpObReferenceObjectByHandle = FindNtExport(DriverObject, "ObReferenceObjectByHandle");
driver_imports.DrvImpKeDelayExecutionThread = FindNtExport(DriverObject, "KeDelayExecutionThread");
driver_imports.DrvImpKeRegisterNmiCallback = FindNtExport(DriverObject, "KeRegisterNmiCallback");
driver_imports.DrvImpKeDeregisterNmiCallback = FindNtExport(DriverObject, "KeDeregisterNmiCallback");
driver_imports.DrvImpKeQueryActiveProcessorCount = FindNtExport(DriverObject, "KeQueryActiveProcessorCount");
driver_imports.DrvImpExAcquirePushLockExclusiveEx = FindNtExport(DriverObject, "ExAcquirePushLockExclusiveEx");
driver_imports.DrvImpExReleasePushLockExclusiveEx = FindNtExport(DriverObject, "ExReleasePushLockExclusiveEx");
driver_imports.DrvImpPsGetThreadId = FindNtExport(DriverObject, "PsGetThreadId");
driver_imports.DrvImpRtlCaptureStackBackTrace = FindNtExport(DriverObject, "RtlCaptureStackBackTrace");
driver_imports.DrvImpZwOpenDirectoryObject = FindNtExport(DriverObject, "ZwOpenDirectoryObject");
driver_imports.DrvImpKeInitializeAffinityEx = FindNtExport(DriverObject, "KeInitializeAffinityEx");
driver_imports.DrvImpKeAddProcessorAffinityEx = FindNtExport(DriverObject, "KeAddProcessorAffinityEx");
driver_imports.DrvImpRtlQueryModuleInformation = FindNtExport(DriverObject, "RtlQueryModuleInformation");
driver_imports.DrvImpKeInitializeApc = FindNtExport(DriverObject, "KeInitializeApc");
driver_imports.DrvImpKeInsertQueueApc = FindNtExport(DriverObject, "KeInsertQueueApc");
driver_imports.DrvImpKeGenericCallDpc = FindNtExport(DriverObject, "KeGenericCallDpc");
driver_imports.DrvImpKeSignalCallDpcDone = FindNtExport(DriverObject, "KeSignalCallDpcDone");
driver_imports.DrvImpMmGetPhysicalMemoryRangesEx2 = FindNtExport(DriverObject, "MmGetPhysicalMemoryRangesEx2");
driver_imports.DrvImpMmGetVirtualForPhysical = FindNtExport(DriverObject, "MmGetVirtualForPhysical");
driver_imports.DrvImpObfReferenceObject = FindNtExport(DriverObject, "ObfReferenceObject");
driver_imports.DrvImpExFreePoolWithTag = FindNtExport(DriverObject, "ExFreePoolWithTag");
driver_imports.DrvImpExAllocatePool2 = FindNtExport(DriverObject, "ExAllocatePool2");
driver_imports.DrvImpKeReleaseGuardedMutex = FindNtExport(DriverObject, "KeReleaseGuardedMutex");
driver_imports.DrvImpKeAcquireGuardedMutex = FindNtExport(DriverObject, "KeAcquireGuardedMutex");
driver_imports.DrvImpDbgPrintEx = FindNtExport(DriverObject, "DbgPrintEx");
driver_imports.DrvImpRtlCompareUnicodeString = FindNtExport(DriverObject, "RtlCompareUnicodeString");
driver_imports.DrvImpRtlFreeUnicodeString = FindNtExport(DriverObject, "RtlFreeUnicodeString");
driver_imports.DrvImpPsLookupThreadByThreadId = FindNtExport(DriverObject, "PsLookupThreadByThreadId");
driver_imports.DrvImpMmIsAddressValid = FindNtExport(DriverObject, "MmIsAddressValid");
DEBUG_VERBOSE("DrvImpObDereferenceObject); %llx", (UINT64)driver_imports->DrvImpObDereferenceObject);
DEBUG_VERBOSE("DrvImpPsGetProcessImageFileName); %llx", (UINT64)driver_imports->DrvImpPsGetProcessImageFileName);
DEBUG_VERBOSE("DrvImpPsSetCreateProcessNotifyRoutine); %llx", (UINT64)driver_imports->DrvImpPsSetCreateProcessNotifyRoutine);
DEBUG_VERBOSE("DrvImpPsRemoveCreateThreadNotifyRoutine); %llx", (UINT64)driver_imports->DrvImpPsRemoveCreateThreadNotifyRoutine);
DEBUG_VERBOSE("DrvImpPsGetCurrentThreadId); %llx", (UINT64)driver_imports->DrvImpPsGetCurrentThreadId);
DEBUG_VERBOSE("DrvImpPsGetProcessId); %llx", (UINT64)driver_imports->DrvImpPsGetProcessId);
DEBUG_VERBOSE("DrvImpPsLookupProcessByProcessId);%llx", (UINT64)driver_imports->DrvImpPsLookupProcessByProcessId);
DEBUG_VERBOSE("DrvImpExEnumHandleTable);%llx", (UINT64)driver_imports->DrvImpExEnumHandleTable);
DEBUG_VERBOSE("DrvImpObGetObjectType);%llx", (UINT64)driver_imports->DrvImpObGetObjectType);
DEBUG_VERBOSE("DrvImpExfUnblockPushLock);%llx", (UINT64)driver_imports->DrvImpExfUnblockPushLock);
DEBUG_VERBOSE("DrvImpstrstr);%llx", (UINT64)driver_imports->DrvImpstrstr);
DEBUG_VERBOSE("DrvImpRtlInitUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlInitUnicodeString);
DEBUG_VERBOSE("DrvImpMmGetSystemRoutineAddress);%llx", (UINT64)driver_imports->DrvImpMmGetSystemRoutineAddress);
DEBUG_VERBOSE("DrvImpRtlUnicodeStringToAnsiString);%llx", (UINT64)driver_imports->DrvImpRtlUnicodeStringToAnsiString);
DEBUG_VERBOSE("DrvImpRtlCopyUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlCopyUnicodeString);
DEBUG_VERBOSE("DrvImpRtlFreeAnsiString);%llx", (UINT64)driver_imports->DrvImpRtlFreeAnsiString);
DEBUG_VERBOSE("DrvImpKeInitializeGuardedMutex);%llx", (UINT64)driver_imports->DrvImpKeInitializeGuardedMutex);
DEBUG_VERBOSE("DrvImpIoCreateDevice);%llx", (UINT64)driver_imports->DrvImpIoCreateDevice);
DEBUG_VERBOSE("DrvImpIoCreateSymbolicLink);%llx", (UINT64)driver_imports->DrvImpIoCreateSymbolicLink);
DEBUG_VERBOSE("DrvImpIoDeleteDevice);%llx", (UINT64)driver_imports->DrvImpIoDeleteDevice);
DEBUG_VERBOSE("DrvImpIoDeleteSymbolicLink);%llx", (UINT64)driver_imports->DrvImpIoDeleteSymbolicLink);
DEBUG_VERBOSE("DrvImpObRegisterCallbacks);%llx", (UINT64)driver_imports->DrvImpObRegisterCallbacks);
DEBUG_VERBOSE("DrvImpObUnRegisterCallbacks);%llx", (UINT64)driver_imports->DrvImpObUnRegisterCallbacks);
DEBUG_VERBOSE("DrvImpPsSetCreateThreadNotifyRoutine);%llx", (UINT64)driver_imports->DrvImpPsSetCreateThreadNotifyRoutine);
DEBUG_VERBOSE("DrvImpKeRevertToUserAffinityThreadEx);%llx", (UINT64)driver_imports->DrvImpKeRevertToUserAffinityThreadEx);
DEBUG_VERBOSE("DrvImpKeSetSystemAffinityThreadEx);%llx", (UINT64)driver_imports->DrvImpKeSetSystemAffinityThreadEx);
DEBUG_VERBOSE("DrvImpstrnlen );%llx", (UINT64)driver_imports->DrvImpstrnlen );
DEBUG_VERBOSE("DrvImpRtlInitAnsiString);%llx", (UINT64)driver_imports->DrvImpRtlInitAnsiString);
DEBUG_VERBOSE("DrvImpRtlAnsiStringToUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlAnsiStringToUnicodeString);
DEBUG_VERBOSE("DrvImpIoGetCurrentProcess);%llx", (UINT64)driver_imports->DrvImpIoGetCurrentProcess);
DEBUG_VERBOSE("DrvImpRtlGetVersion);%llx", (UINT64)driver_imports->DrvImpRtlGetVersion);
DEBUG_VERBOSE("DrvImpRtlCompareMemory);%llx", (UINT64)driver_imports->DrvImpRtlCompareMemory);
DEBUG_VERBOSE("DrvImpExGetSystemFirmwareTable);%llx", (UINT64)driver_imports->DrvImpExGetSystemFirmwareTable);
DEBUG_VERBOSE("DrvImpIoAllocateWorkItem);%llx", (UINT64)driver_imports->DrvImpIoAllocateWorkItem);
DEBUG_VERBOSE("DrvImpIoFreeWorkItem);%llx", (UINT64)driver_imports->DrvImpIoFreeWorkItem);
DEBUG_VERBOSE("DrvImpIoQueueWorkItem);%llx", (UINT64)driver_imports->DrvImpIoQueueWorkItem);
DEBUG_VERBOSE("DrvImpZwOpenFile );%llx", (UINT64)driver_imports->DrvImpZwOpenFile );
DEBUG_VERBOSE("DrvImpZwClose );%llx", (UINT64)driver_imports->DrvImpZwClose );
DEBUG_VERBOSE("DrvImpZwCreateSection);%llx", (UINT64)driver_imports->DrvImpZwCreateSection);
DEBUG_VERBOSE("DrvImpZwMapViewOfSection);%llx", (UINT64)driver_imports->DrvImpZwMapViewOfSection);
DEBUG_VERBOSE("DrvImpZwUnmapViewOfSection);%llx", (UINT64)driver_imports->DrvImpZwUnmapViewOfSection);
DEBUG_VERBOSE("DrvImpMmCopyMemory);%llx", (UINT64)driver_imports->DrvImpMmCopyMemory);
DEBUG_VERBOSE("DrvImpZwDeviceIoControlFile);%llx", (UINT64)driver_imports->DrvImpZwDeviceIoControlFile);
DEBUG_VERBOSE("DrvImpKeStackAttachProcess);%llx", (UINT64)driver_imports->DrvImpKeStackAttachProcess);
DEBUG_VERBOSE("DrvImpKeUnstackDetachProcess);%llx", (UINT64)driver_imports->DrvImpKeUnstackDetachProcess);
DEBUG_VERBOSE("DrvImpKeWaitForSingleObject);%llx", (UINT64)driver_imports->DrvImpKeWaitForSingleObject);
DEBUG_VERBOSE("DrvImpPsCreateSystemThread);%llx", (UINT64)driver_imports->DrvImpPsCreateSystemThread);
DEBUG_VERBOSE("DrvImpIofCompleteRequest);%llx", (UINT64)driver_imports->DrvImpIofCompleteRequest);
DEBUG_VERBOSE("DrvImpObReferenceObjectByHandle);%llx", (UINT64)driver_imports->DrvImpObReferenceObjectByHandle);
DEBUG_VERBOSE("DrvImpKeDelayExecutionThread);%llx", (UINT64)driver_imports->DrvImpKeDelayExecutionThread);
DEBUG_VERBOSE("DrvImpKeRegisterNmiCallback);%llx", (UINT64)driver_imports->DrvImpKeRegisterNmiCallback);
DEBUG_VERBOSE("DrvImpKeDeregisterNmiCallback);%llx", (UINT64)driver_imports->DrvImpKeDeregisterNmiCallback);
DEBUG_VERBOSE("DrvImpKeQueryActiveProcessorCount);%llx", (UINT64)driver_imports->DrvImpKeQueryActiveProcessorCount);
DEBUG_VERBOSE("DrvImpExAcquirePushLockExclusiveEx);%llx", (UINT64)driver_imports->DrvImpExAcquirePushLockExclusiveEx);
DEBUG_VERBOSE("DrvImpExReleasePushLockExclusiveEx);%llx", (UINT64)driver_imports->DrvImpExReleasePushLockExclusiveEx);
DEBUG_VERBOSE("DrvImpPsGetThreadId);%llx", (UINT64)driver_imports->DrvImpPsGetThreadId);
DEBUG_VERBOSE("DrvImpRtlCaptureStackBackTrace);%llx", (UINT64)driver_imports->DrvImpRtlCaptureStackBackTrace);
DEBUG_VERBOSE("DrvImpZwOpenDirectoryObject);%llx", (UINT64)driver_imports->DrvImpZwOpenDirectoryObject);
DEBUG_VERBOSE("DrvImpKeInitializeAffinityEx);%llx", (UINT64)driver_imports->DrvImpKeInitializeAffinityEx);
DEBUG_VERBOSE("DrvImpKeAddProcessorAffinityEx);%llx", (UINT64)driver_imports->DrvImpKeAddProcessorAffinityEx);
DEBUG_VERBOSE("DrvImpRtlQueryModuleInformation);%llx", (UINT64)driver_imports->DrvImpRtlQueryModuleInformation);
DEBUG_VERBOSE("DrvImpKeInitializeApc);%llx", (UINT64)driver_imports->DrvImpKeInitializeApc);
DEBUG_VERBOSE("DrvImpKeInsertQueueApc);%llx", (UINT64)driver_imports->DrvImpKeInsertQueueApc);
DEBUG_VERBOSE("DrvImpKeGenericCallDpc);%llx", (UINT64)driver_imports->DrvImpKeGenericCallDpc);
DEBUG_VERBOSE("DrvImpKeSignalCallDpcDone);%llx", (UINT64)driver_imports->DrvImpKeSignalCallDpcDone);
DEBUG_VERBOSE("DrvImpMmGetPhysicalMemoryRangesEx2);%llx", (UINT64)driver_imports->DrvImpMmGetPhysicalMemoryRangesEx2);
DEBUG_VERBOSE("DrvImpMmGetVirtualForPhysical);%llx", (UINT64)driver_imports->DrvImpMmGetVirtualForPhysical);
DEBUG_VERBOSE("DrvImpObfReferenceObject);%llx", (UINT64)driver_imports->DrvImpObfReferenceObject);
DEBUG_VERBOSE("DrvImpExFreePoolWithTag);%llx", (UINT64)driver_imports->DrvImpExFreePoolWithTag);
DEBUG_VERBOSE("DrvImpExAllocatePool2);%llx", (UINT64)driver_imports->DrvImpExAllocatePool2);
DEBUG_VERBOSE("DrvImpKeReleaseGuardedMutex);%llx", (UINT64)driver_imports->DrvImpKeReleaseGuardedMutex);
DEBUG_VERBOSE("DrvImpKeAcquireGuardedMutex);%llx", (UINT64)driver_imports->DrvImpKeAcquireGuardedMutex);
DEBUG_VERBOSE("DrvImpDbgPrintEx );%llx", (UINT64)driver_imports->DrvImpDbgPrintEx );
DEBUG_VERBOSE("DrvImpRtlCompareUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlCompareUnicodeString);
DEBUG_VERBOSE("DrvImpRtlFreeUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlFreeUnicodeString);
DEBUG_VERBOSE("DrvImpPsLookupThreadByThreadId);%llx", (UINT64)driver_imports->DrvImpPsLookupThreadByThreadId);
DEBUG_VERBOSE("DrvImpIoGetCurrentIrpStackLocation);%llx", (UINT64)driver_imports->DrvImpIoGetCurrentIrpStackLocation);
DEBUG_VERBOSE("DrvImpMmIsAddressValid); %llx", (UINT64)driver_imports->DrvImpMmIsAddressValid);
DEBUG_VERBOSE("DrvImpObDereferenceObject); %llx", (UINT64)driver_imports.DrvImpObDereferenceObject);
DEBUG_VERBOSE("DrvImpPsGetProcessImageFileName); %llx", (UINT64)driver_imports.DrvImpPsGetProcessImageFileName);
DEBUG_VERBOSE("DrvImpPsSetCreateProcessNotifyRoutine); %llx", (UINT64)driver_imports.DrvImpPsSetCreateProcessNotifyRoutine);
DEBUG_VERBOSE("DrvImpPsRemoveCreateThreadNotifyRoutine); %llx", (UINT64)driver_imports.DrvImpPsRemoveCreateThreadNotifyRoutine);
DEBUG_VERBOSE("DrvImpPsGetCurrentThreadId); %llx", (UINT64)driver_imports.DrvImpPsGetCurrentThreadId);
DEBUG_VERBOSE("DrvImpPsGetProcessId); %llx", (UINT64)driver_imports.DrvImpPsGetProcessId);
DEBUG_VERBOSE("DrvImpPsLookupProcessByProcessId);%llx", (UINT64)driver_imports.DrvImpPsLookupProcessByProcessId);
DEBUG_VERBOSE("DrvImpExEnumHandleTable);%llx", (UINT64)driver_imports.DrvImpExEnumHandleTable);
DEBUG_VERBOSE("DrvImpObGetObjectType);%llx", (UINT64)driver_imports.DrvImpObGetObjectType);
DEBUG_VERBOSE("DrvImpExfUnblockPushLock);%llx", (UINT64)driver_imports.DrvImpExfUnblockPushLock);
DEBUG_VERBOSE("DrvImpstrstr);%llx", (UINT64)driver_imports.DrvImpstrstr);
DEBUG_VERBOSE("DrvImpRtlInitUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlInitUnicodeString);
DEBUG_VERBOSE("DrvImpMmGetSystemRoutineAddress);%llx", (UINT64)driver_imports.DrvImpMmGetSystemRoutineAddress);
DEBUG_VERBOSE("DrvImpRtlUnicodeStringToAnsiString);%llx", (UINT64)driver_imports.DrvImpRtlUnicodeStringToAnsiString);
DEBUG_VERBOSE("DrvImpRtlCopyUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlCopyUnicodeString);
DEBUG_VERBOSE("DrvImpRtlFreeAnsiString);%llx", (UINT64)driver_imports.DrvImpRtlFreeAnsiString);
DEBUG_VERBOSE("DrvImpKeInitializeGuardedMutex);%llx", (UINT64)driver_imports.DrvImpKeInitializeGuardedMutex);
DEBUG_VERBOSE("DrvImpIoCreateDevice);%llx", (UINT64)driver_imports.DrvImpIoCreateDevice);
DEBUG_VERBOSE("DrvImpIoCreateSymbolicLink);%llx", (UINT64)driver_imports.DrvImpIoCreateSymbolicLink);
DEBUG_VERBOSE("DrvImpIoDeleteDevice);%llx", (UINT64)driver_imports.DrvImpIoDeleteDevice);
DEBUG_VERBOSE("DrvImpIoDeleteSymbolicLink);%llx", (UINT64)driver_imports.DrvImpIoDeleteSymbolicLink);
DEBUG_VERBOSE("DrvImpObRegisterCallbacks);%llx", (UINT64)driver_imports.DrvImpObRegisterCallbacks);
DEBUG_VERBOSE("DrvImpObUnRegisterCallbacks);%llx", (UINT64)driver_imports.DrvImpObUnRegisterCallbacks);
DEBUG_VERBOSE("DrvImpPsSetCreateThreadNotifyRoutine);%llx", (UINT64)driver_imports.DrvImpPsSetCreateThreadNotifyRoutine);
DEBUG_VERBOSE("DrvImpKeRevertToUserAffinityThreadEx);%llx", (UINT64)driver_imports.DrvImpKeRevertToUserAffinityThreadEx);
DEBUG_VERBOSE("DrvImpKeSetSystemAffinityThreadEx);%llx", (UINT64)driver_imports.DrvImpKeSetSystemAffinityThreadEx);
DEBUG_VERBOSE("DrvImpstrnlen );%llx", (UINT64)driver_imports.DrvImpstrnlen );
DEBUG_VERBOSE("DrvImpRtlInitAnsiString);%llx", (UINT64)driver_imports.DrvImpRtlInitAnsiString);
DEBUG_VERBOSE("DrvImpRtlAnsiStringToUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlAnsiStringToUnicodeString);
DEBUG_VERBOSE("DrvImpIoGetCurrentProcess);%llx", (UINT64)driver_imports.DrvImpIoGetCurrentProcess);
DEBUG_VERBOSE("DrvImpRtlGetVersion);%llx", (UINT64)driver_imports.DrvImpRtlGetVersion);
DEBUG_VERBOSE("DrvImpRtlCompareMemory);%llx", (UINT64)driver_imports.DrvImpRtlCompareMemory);
DEBUG_VERBOSE("DrvImpExGetSystemFirmwareTable);%llx", (UINT64)driver_imports.DrvImpExGetSystemFirmwareTable);
DEBUG_VERBOSE("DrvImpIoAllocateWorkItem);%llx", (UINT64)driver_imports.DrvImpIoAllocateWorkItem);
DEBUG_VERBOSE("DrvImpIoFreeWorkItem);%llx", (UINT64)driver_imports.DrvImpIoFreeWorkItem);
DEBUG_VERBOSE("DrvImpIoQueueWorkItem);%llx", (UINT64)driver_imports.DrvImpIoQueueWorkItem);
DEBUG_VERBOSE("DrvImpZwOpenFile );%llx", (UINT64)driver_imports.DrvImpZwOpenFile );
DEBUG_VERBOSE("DrvImpZwClose );%llx", (UINT64)driver_imports.DrvImpZwClose );
DEBUG_VERBOSE("DrvImpZwCreateSection);%llx", (UINT64)driver_imports.DrvImpZwCreateSection);
DEBUG_VERBOSE("DrvImpZwMapViewOfSection);%llx", (UINT64)driver_imports.DrvImpZwMapViewOfSection);
DEBUG_VERBOSE("DrvImpZwUnmapViewOfSection);%llx", (UINT64)driver_imports.DrvImpZwUnmapViewOfSection);
DEBUG_VERBOSE("DrvImpMmCopyMemory);%llx", (UINT64)driver_imports.DrvImpMmCopyMemory);
DEBUG_VERBOSE("DrvImpZwDeviceIoControlFile);%llx", (UINT64)driver_imports.DrvImpZwDeviceIoControlFile);
DEBUG_VERBOSE("DrvImpKeStackAttachProcess);%llx", (UINT64)driver_imports.DrvImpKeStackAttachProcess);
DEBUG_VERBOSE("DrvImpKeUnstackDetachProcess);%llx", (UINT64)driver_imports.DrvImpKeUnstackDetachProcess);
DEBUG_VERBOSE("DrvImpKeWaitForSingleObject);%llx", (UINT64)driver_imports.DrvImpKeWaitForSingleObject);
DEBUG_VERBOSE("DrvImpPsCreateSystemThread);%llx", (UINT64)driver_imports.DrvImpPsCreateSystemThread);
DEBUG_VERBOSE("DrvImpIofCompleteRequest);%llx", (UINT64)driver_imports.DrvImpIofCompleteRequest);
DEBUG_VERBOSE("DrvImpObReferenceObjectByHandle);%llx", (UINT64)driver_imports.DrvImpObReferenceObjectByHandle);
DEBUG_VERBOSE("DrvImpKeDelayExecutionThread);%llx", (UINT64)driver_imports.DrvImpKeDelayExecutionThread);
DEBUG_VERBOSE("DrvImpKeRegisterNmiCallback);%llx", (UINT64)driver_imports.DrvImpKeRegisterNmiCallback);
DEBUG_VERBOSE("DrvImpKeDeregisterNmiCallback);%llx", (UINT64)driver_imports.DrvImpKeDeregisterNmiCallback);
DEBUG_VERBOSE("DrvImpKeQueryActiveProcessorCount);%llx", (UINT64)driver_imports.DrvImpKeQueryActiveProcessorCount);
DEBUG_VERBOSE("DrvImpExAcquirePushLockExclusiveEx);%llx", (UINT64)driver_imports.DrvImpExAcquirePushLockExclusiveEx);
DEBUG_VERBOSE("DrvImpExReleasePushLockExclusiveEx);%llx", (UINT64)driver_imports.DrvImpExReleasePushLockExclusiveEx);
DEBUG_VERBOSE("DrvImpPsGetThreadId);%llx", (UINT64)driver_imports.DrvImpPsGetThreadId);
DEBUG_VERBOSE("DrvImpRtlCaptureStackBackTrace);%llx", (UINT64)driver_imports.DrvImpRtlCaptureStackBackTrace);
DEBUG_VERBOSE("DrvImpZwOpenDirectoryObject);%llx", (UINT64)driver_imports.DrvImpZwOpenDirectoryObject);
DEBUG_VERBOSE("DrvImpKeInitializeAffinityEx);%llx", (UINT64)driver_imports.DrvImpKeInitializeAffinityEx);
DEBUG_VERBOSE("DrvImpKeAddProcessorAffinityEx);%llx", (UINT64)driver_imports.DrvImpKeAddProcessorAffinityEx);
DEBUG_VERBOSE("DrvImpRtlQueryModuleInformation);%llx", (UINT64)driver_imports.DrvImpRtlQueryModuleInformation);
DEBUG_VERBOSE("DrvImpKeInitializeApc);%llx", (UINT64)driver_imports.DrvImpKeInitializeApc);
DEBUG_VERBOSE("DrvImpKeInsertQueueApc);%llx", (UINT64)driver_imports.DrvImpKeInsertQueueApc);
DEBUG_VERBOSE("DrvImpKeGenericCallDpc);%llx", (UINT64)driver_imports.DrvImpKeGenericCallDpc);
DEBUG_VERBOSE("DrvImpKeSignalCallDpcDone);%llx", (UINT64)driver_imports.DrvImpKeSignalCallDpcDone);
DEBUG_VERBOSE("DrvImpMmGetPhysicalMemoryRangesEx2);%llx", (UINT64)driver_imports.DrvImpMmGetPhysicalMemoryRangesEx2);
DEBUG_VERBOSE("DrvImpMmGetVirtualForPhysical);%llx", (UINT64)driver_imports.DrvImpMmGetVirtualForPhysical);
DEBUG_VERBOSE("DrvImpObfReferenceObject);%llx", (UINT64)driver_imports.DrvImpObfReferenceObject);
DEBUG_VERBOSE("DrvImpExFreePoolWithTag);%llx", (UINT64)driver_imports.DrvImpExFreePoolWithTag);
DEBUG_VERBOSE("DrvImpExAllocatePool2);%llx", (UINT64)driver_imports.DrvImpExAllocatePool2);
DEBUG_VERBOSE("DrvImpKeReleaseGuardedMutex);%llx", (UINT64)driver_imports.DrvImpKeReleaseGuardedMutex);
DEBUG_VERBOSE("DrvImpKeAcquireGuardedMutex);%llx", (UINT64)driver_imports.DrvImpKeAcquireGuardedMutex);
DEBUG_VERBOSE("DrvImpDbgPrintEx );%llx", (UINT64)driver_imports.DrvImpDbgPrintEx );
DEBUG_VERBOSE("DrvImpRtlCompareUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlCompareUnicodeString);
DEBUG_VERBOSE("DrvImpRtlFreeUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlFreeUnicodeString);
DEBUG_VERBOSE("DrvImpPsLookupThreadByThreadId);%llx", (UINT64)driver_imports.DrvImpPsLookupThreadByThreadId);
DEBUG_VERBOSE("DrvImpIoGetCurrentIrpStackLocation);%llx", (UINT64)driver_imports.DrvImpIoGetCurrentIrpStackLocation);
DEBUG_VERBOSE("DrvImpMmIsAddressValid); %llx", (UINT64)driver_imports.DrvImpMmIsAddressValid);
if (!driver_imports->DrvImpObDereferenceObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsGetProcessImageFileName) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsSetCreateProcessNotifyRoutine) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsRemoveCreateThreadNotifyRoutine) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsGetCurrentThreadId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsGetProcessId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsLookupProcessByProcessId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExEnumHandleTable) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObGetObjectType) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExfUnblockPushLock) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpstrstr) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlInitUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmGetSystemRoutineAddress) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlUnicodeStringToAnsiString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlCopyUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlFreeAnsiString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeInitializeGuardedMutex) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoCreateDevice) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoCreateSymbolicLink) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoDeleteDevice) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoDeleteSymbolicLink) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObRegisterCallbacks) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObUnRegisterCallbacks) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsSetCreateThreadNotifyRoutine) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeRevertToUserAffinityThreadEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeSetSystemAffinityThreadEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpstrnlen) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlInitAnsiString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlAnsiStringToUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoGetCurrentProcess) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlGetVersion) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlCompareMemory) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExGetSystemFirmwareTable) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoAllocateWorkItem) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoFreeWorkItem) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIoQueueWorkItem) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwOpenFile) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwClose) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwCreateSection) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwMapViewOfSection) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwUnmapViewOfSection) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmCopyMemory) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwDeviceIoControlFile) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeStackAttachProcess) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeUnstackDetachProcess) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeWaitForSingleObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsCreateSystemThread) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpIofCompleteRequest) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObReferenceObjectByHandle) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeDelayExecutionThread) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeRegisterNmiCallback) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeDeregisterNmiCallback) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeQueryActiveProcessorCount) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExAcquirePushLockExclusiveEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExReleasePushLockExclusiveEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsGetThreadId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlCaptureStackBackTrace) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpZwOpenDirectoryObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeInitializeAffinityEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeAddProcessorAffinityEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlQueryModuleInformation) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeInitializeApc) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeInsertQueueApc) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeGenericCallDpc) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeSignalCallDpcDone) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmGetPhysicalMemoryRangesEx2) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmGetVirtualForPhysical) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpObfReferenceObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExFreePoolWithTag) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpExAllocatePool2) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeReleaseGuardedMutex) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpKeAcquireGuardedMutex) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpDbgPrintEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlCompareUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpRtlFreeUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpPsLookupThreadByThreadId) return STATUS_UNSUCCESSFUL;
if (!driver_imports->DrvImpMmIsAddressValid) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpObDereferenceObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsGetProcessImageFileName) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsSetCreateProcessNotifyRoutine) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsRemoveCreateThreadNotifyRoutine) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsGetCurrentThreadId) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsGetProcessId) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsLookupProcessByProcessId) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpExEnumHandleTable) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpObGetObjectType) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpExfUnblockPushLock) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpstrstr) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlInitUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpMmGetSystemRoutineAddress) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlUnicodeStringToAnsiString) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlCopyUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlFreeAnsiString) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeInitializeGuardedMutex) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpIoCreateDevice) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpIoCreateSymbolicLink) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpIoDeleteDevice) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpIoDeleteSymbolicLink) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpObRegisterCallbacks) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpObUnRegisterCallbacks) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsSetCreateThreadNotifyRoutine) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeRevertToUserAffinityThreadEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeSetSystemAffinityThreadEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpstrnlen) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlInitAnsiString) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlAnsiStringToUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpIoGetCurrentProcess) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlGetVersion) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlCompareMemory) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpExGetSystemFirmwareTable) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpIoAllocateWorkItem) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpIoFreeWorkItem) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpIoQueueWorkItem) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpZwOpenFile) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpZwClose) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpZwCreateSection) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpZwMapViewOfSection) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpZwUnmapViewOfSection) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpMmCopyMemory) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpZwDeviceIoControlFile) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeStackAttachProcess) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeUnstackDetachProcess) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeWaitForSingleObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsCreateSystemThread) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpIofCompleteRequest) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpObReferenceObjectByHandle) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeDelayExecutionThread) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeRegisterNmiCallback) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeDeregisterNmiCallback) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeQueryActiveProcessorCount) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpExAcquirePushLockExclusiveEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpExReleasePushLockExclusiveEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsGetThreadId) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlCaptureStackBackTrace) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpZwOpenDirectoryObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeInitializeAffinityEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeAddProcessorAffinityEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlQueryModuleInformation) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeInitializeApc) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeInsertQueueApc) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeGenericCallDpc) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeSignalCallDpcDone) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpMmGetPhysicalMemoryRangesEx2) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpMmGetVirtualForPhysical) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpObfReferenceObject) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpExFreePoolWithTag) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpExAllocatePool2) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeReleaseGuardedMutex) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpKeAcquireGuardedMutex) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpDbgPrintEx) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlCompareUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpRtlFreeUnicodeString) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpPsLookupThreadByThreadId) return STATUS_UNSUCCESSFUL;
if (!driver_imports.DrvImpMmIsAddressValid) return STATUS_UNSUCCESSFUL;
// clang-format on
return STATUS_SUCCESS;

171
driver/imports.h
View file

@ -4,10 +4,7 @@
#include "common.h"
PVOID
FindNtExport(PCZPSTR ExportName);
VOID
FreeDriverImportsStructure();
FindNtExport(PDRIVER_OBJECT DriverObject, PCZPSTR ExportName);
NTSTATUS
ResolveDynamicImports(_In_ PDRIVER_OBJECT DriverObject);
@ -629,91 +626,91 @@ typedef struct _DRIVER_IMPORTS
pPsGetProcessImageFileName DrvImpPsGetProcessImageFileName;
} DRIVER_IMPORTS, *PDRIVER_IMPORTS;
extern PDRIVER_IMPORTS driver_imports;
extern DRIVER_IMPORTS driver_imports;
#define DRVIMPORTS driver_imports
#define ImpIoGetCurrentIrpStackLocation DRVIMPORTS->DrvImpIoGetCurrentIrpStackLocation
#define ImpObDereferenceObject DRVIMPORTS->DrvImpObDereferenceObject
#define ImpPsLookupThreadByThreadId DRVIMPORTS->DrvImpPsLookupThreadByThreadId
#define ImpMmIsAddressValid DRVIMPORTS->DrvImpMmIsAddressValid
#define ImpPsSetCreateProcessNotifyRoutine DRVIMPORTS->DrvImpPsSetCreateProcessNotifyRoutine
#define ImpPsRemoveCreateThreadNotifyRoutine DRVIMPORTS->DrvImpPsRemoveCreateThreadNotifyRoutine
#define ImpPsGetCurrentThreadId DRVIMPORTS->DrvImpPsGetCurrentThreadId
#define ImpPsGetProcessId DRVIMPORTS->DrvImpPsGetProcessId
#define ImpPsLookupProcessByProcessId DRVIMPORTS->DrvImpPsLookupProcessByProcessId
#define ImpExEnumHandleTable DRVIMPORTS->DrvImpExEnumHandleTable
#define ImpObGetObjectType DRVIMPORTS->DrvImpObGetObjectType
#define ImpExfUnblockPushLock DRVIMPORTS->DrvImpExfUnblockPushLock
#define ImpPsGetProcessImageFileName DRVIMPORTS->DrvImpPsGetProcessImageFileName
#define Impstrstr DRVIMPORTS->DrvImpstrstr
#define ImpRtlInitUnicodeString DRVIMPORTS->DrvImpRtlInitUnicodeString
#define ImpRtlQueryRegistryValues DRVIMPORTS->DrvImpRtlQueryRegistryValues
#define ImpMmGetSystemRoutineAddress DRVIMPORTS->DrvImpMmGetSystemRoutineAddress
#define ImpRtlUnicodeStringToAnsiString DRVIMPORTS->DrvImpRtlUnicodeStringToAnsiString
#define ImpRtlCopyUnicodeString DRVIMPORTS->DrvImpRtlCopyUnicodeString
#define ImpRtlFreeAnsiString DRVIMPORTS->DrvImpRtlFreeAnsiString
#define ImpKeInitializeGuardedMutex DRVIMPORTS->DrvImpKeInitializeGuardedMutex
#define ImpIoCreateDevice DRVIMPORTS->DrvImpIoCreateDevice
#define ImpIoCreateSymbolicLink DRVIMPORTS->DrvImpIoCreateSymbolicLink
#define ImpIoDeleteDevice DRVIMPORTS->DrvImpIoDeleteDevice
#define ImpIoDeleteSymbolicLink DRVIMPORTS->DrvImpIoDeleteSymbolicLink
#define ImpObRegisterCallbacks DRVIMPORTS->DrvImpObRegisterCallbacks
#define ImpObUnRegisterCallbacks DRVIMPORTS->DrvImpObUnRegisterCallbacks
#define ImpPsSetCreateThreadNotifyRoutine DRVIMPORTS->DrvImpPsSetCreateThreadNotifyRoutine
#define ImpPsProcessType DRVIMPORTS->DrvImpPsProcessType
#define ImpKeRevertToUserAffinityThreadEx DRVIMPORTS->DrvImpKeRevertToUserAffinityThreadEx
#define ImpKeSetSystemAffinityThreadEx DRVIMPORTS->DrvImpKeSetSystemAffinityThreadEx
#define Impstrnlen DRVIMPORTS->DrvImpstrnlen
#define ImpRtlInitAnsiString DRVIMPORTS->DrvImpRtlInitAnsiString
#define ImpRtlAnsiStringToUnicodeString DRVIMPORTS->DrvImpRtlAnsiStringToUnicodeString
#define ImpIoGetCurrentProcess DRVIMPORTS->DrvImpIoGetCurrentProcess
#define ImpRtlGetVersion DRVIMPORTS->DrvImpRtlGetVersion
#define ImpRtlCompareMemory DRVIMPORTS->DrvImpRtlCompareMemory
#define ImpExGetSystemFirmwareTable DRVIMPORTS->DrvImpExGetSystemFirmwareTable
#define ImpIoAllocateWorkItem DRVIMPORTS->DrvImpIoAllocateWorkItem
#define ImpIoFreeWorkItem DRVIMPORTS->DrvImpIoFreeWorkItem
#define ImpIoQueueWorkItem DRVIMPORTS->DrvImpIoQueueWorkItem
#define ImpZwOpenFile DRVIMPORTS->DrvImpZwOpenFile
#define ImpZwClose DRVIMPORTS->DrvImpZwClose
#define ImpZwCreateSection DRVIMPORTS->DrvImpZwCreateSection
#define ImpZwMapViewOfSection DRVIMPORTS->DrvImpZwMapViewOfSection
#define ImpZwUnmapViewOfSection DRVIMPORTS->DrvImpZwUnmapViewOfSection
#define ImpMmCopyMemory DRVIMPORTS->DrvImpMmCopyMemory
#define ImpZwDeviceIoControlFile DRVIMPORTS->DrvImpZwDeviceIoControlFile
#define ImpKeStackAttachProcess DRVIMPORTS->DrvImpKeStackAttachProcess
#define ImpKeUnstackDetachProcess DRVIMPORTS->DrvImpKeUnstackDetachProcess
#define ImpKeWaitForSingleObject DRVIMPORTS->DrvImpKeWaitForSingleObject
#define ImpPsCreateSystemThread DRVIMPORTS->DrvImpPsCreateSystemThread
#define ImpIofCompleteRequest DRVIMPORTS->DrvImpIofCompleteRequest
#define ImpObReferenceObjectByHandle DRVIMPORTS->DrvImpObReferenceObjectByHandle
#define ImpPsThreadType DRVIMPORTS->DrvImpPsThreadType
#define ImpKeDelayExecutionThread DRVIMPORTS->DrvImpKeDelayExecutionThread
#define ImpKeRegisterNmiCallback DRVIMPORTS->DrvImpKeRegisterNmiCallback
#define ImpKeDeregisterNmiCallback DRVIMPORTS->DrvImpKeDeregisterNmiCallback
#define ImpKeQueryActiveProcessorCount DRVIMPORTS->DrvImpKeQueryActiveProcessorCount
#define ImpExAcquirePushLockExclusiveEx DRVIMPORTS->DrvImpExAcquirePushLockExclusiveEx
#define ImpExReleasePushLockExclusiveEx DRVIMPORTS->DrvImpExReleasePushLockExclusiveEx
#define ImpPsGetThreadId DRVIMPORTS->DrvImpPsGetThreadId
#define ImpRtlCaptureStackBackTrace DRVIMPORTS->DrvImpRtlCaptureStackBackTrace
#define ImpZwOpenDirectoryObject DRVIMPORTS->DrvImpZwOpenDirectoryObject
#define ImpKeInitializeAffinityEx DRVIMPORTS->DrvImpKeInitializeAffinityEx
#define ImpKeAddProcessorAffinityEx DRVIMPORTS->DrvImpKeAddProcessorAffinityEx
#define ImpRtlQueryModuleInformation DRVIMPORTS->DrvImpRtlQueryModuleInformation
#define ImpKeInitializeApc DRVIMPORTS->DrvImpKeInitializeApc
#define ImpKeInsertQueueApc DRVIMPORTS->DrvImpKeInsertQueueApc
#define ImpKeGenericCallDpc DRVIMPORTS->DrvImpKeGenericCallDpc
#define ImpKeSignalCallDpcDone DRVIMPORTS->DrvImpKeSignalCallDpcDone
#define ImpMmGetPhysicalMemoryRangesEx2 DRVIMPORTS->DrvImpMmGetPhysicalMemoryRangesEx2
#define ImpMmGetVirtualForPhysical DRVIMPORTS->DrvImpMmGetVirtualForPhysical
#define ImpObfReferenceObject DRVIMPORTS->DrvImpObfReferenceObject
#define ImpExFreePoolWithTag DRVIMPORTS->DrvImpExFreePoolWithTag
#define ImpExAllocatePool2 DRVIMPORTS->DrvImpExAllocatePool2
#define ImpKeReleaseGuardedMutex DRVIMPORTS->DrvImpKeReleaseGuardedMutex
#define ImpKeAcquireGuardedMutex DRVIMPORTS->DrvImpKeAcquireGuardedMutex
#define ImpDbgPrintEx DRVIMPORTS->DrvImpDbgPrintEx
#define ImpRtlCompareUnicodeString DRVIMPORTS->DrvImpRtlCompareUnicodeString
#define ImpRtlFreeUnicodeString DRVIMPORTS->DrvImpRtlFreeUnicodeString
#define ImpPsGetProcessImageFileName DRVIMPORTS->DrvImpPsGetProcessImageFileName
#define ImpIoGetCurrentIrpStackLocation DRVIMPORTS.DrvImpIoGetCurrentIrpStackLocation
#define ImpObDereferenceObject DRVIMPORTS.DrvImpObDereferenceObject
#define ImpPsLookupThreadByThreadId DRVIMPORTS.DrvImpPsLookupThreadByThreadId
#define ImpMmIsAddressValid DRVIMPORTS.DrvImpMmIsAddressValid
#define ImpPsSetCreateProcessNotifyRoutine DRVIMPORTS.DrvImpPsSetCreateProcessNotifyRoutine
#define ImpPsRemoveCreateThreadNotifyRoutine DRVIMPORTS.DrvImpPsRemoveCreateThreadNotifyRoutine
#define ImpPsGetCurrentThreadId DRVIMPORTS.DrvImpPsGetCurrentThreadId
#define ImpPsGetProcessId DRVIMPORTS.DrvImpPsGetProcessId
#define ImpPsLookupProcessByProcessId DRVIMPORTS.DrvImpPsLookupProcessByProcessId
#define ImpExEnumHandleTable DRVIMPORTS.DrvImpExEnumHandleTable
#define ImpObGetObjectType DRVIMPORTS.DrvImpObGetObjectType
#define ImpExfUnblockPushLock DRVIMPORTS.DrvImpExfUnblockPushLock
#define ImpPsGetProcessImageFileName DRVIMPORTS.DrvImpPsGetProcessImageFileName
#define Impstrstr DRVIMPORTS.DrvImpstrstr
#define ImpRtlInitUnicodeString DRVIMPORTS.DrvImpRtlInitUnicodeString
#define ImpRtlQueryRegistryValues DRVIMPORTS.DrvImpRtlQueryRegistryValues
#define ImpMmGetSystemRoutineAddress DRVIMPORTS.DrvImpMmGetSystemRoutineAddress
#define ImpRtlUnicodeStringToAnsiString DRVIMPORTS.DrvImpRtlUnicodeStringToAnsiString
#define ImpRtlCopyUnicodeString DRVIMPORTS.DrvImpRtlCopyUnicodeString
#define ImpRtlFreeAnsiString DRVIMPORTS.DrvImpRtlFreeAnsiString
#define ImpKeInitializeGuardedMutex DRVIMPORTS.DrvImpKeInitializeGuardedMutex
#define ImpIoCreateDevice DRVIMPORTS.DrvImpIoCreateDevice
#define ImpIoCreateSymbolicLink DRVIMPORTS.DrvImpIoCreateSymbolicLink
#define ImpIoDeleteDevice DRVIMPORTS.DrvImpIoDeleteDevice
#define ImpIoDeleteSymbolicLink DRVIMPORTS.DrvImpIoDeleteSymbolicLink
#define ImpObRegisterCallbacks DRVIMPORTS.DrvImpObRegisterCallbacks
#define ImpObUnRegisterCallbacks DRVIMPORTS.DrvImpObUnRegisterCallbacks
#define ImpPsSetCreateThreadNotifyRoutine DRVIMPORTS.DrvImpPsSetCreateThreadNotifyRoutine
#define ImpPsProcessType DRVIMPORTS.DrvImpPsProcessType
#define ImpKeRevertToUserAffinityThreadEx DRVIMPORTS.DrvImpKeRevertToUserAffinityThreadEx
#define ImpKeSetSystemAffinityThreadEx DRVIMPORTS.DrvImpKeSetSystemAffinityThreadEx
#define Impstrnlen DRVIMPORTS.DrvImpstrnlen
#define ImpRtlInitAnsiString DRVIMPORTS.DrvImpRtlInitAnsiString
#define ImpRtlAnsiStringToUnicodeString DRVIMPORTS.DrvImpRtlAnsiStringToUnicodeString
#define ImpIoGetCurrentProcess DRVIMPORTS.DrvImpIoGetCurrentProcess
#define ImpRtlGetVersion DRVIMPORTS.DrvImpRtlGetVersion
#define ImpRtlCompareMemory DRVIMPORTS.DrvImpRtlCompareMemory
#define ImpExGetSystemFirmwareTable DRVIMPORTS.DrvImpExGetSystemFirmwareTable
#define ImpIoAllocateWorkItem DRVIMPORTS.DrvImpIoAllocateWorkItem
#define ImpIoFreeWorkItem DRVIMPORTS.DrvImpIoFreeWorkItem
#define ImpIoQueueWorkItem DRVIMPORTS.DrvImpIoQueueWorkItem
#define ImpZwOpenFile DRVIMPORTS.DrvImpZwOpenFile
#define ImpZwClose DRVIMPORTS.DrvImpZwClose
#define ImpZwCreateSection DRVIMPORTS.DrvImpZwCreateSection
#define ImpZwMapViewOfSection DRVIMPORTS.DrvImpZwMapViewOfSection
#define ImpZwUnmapViewOfSection DRVIMPORTS.DrvImpZwUnmapViewOfSection
#define ImpMmCopyMemory DRVIMPORTS.DrvImpMmCopyMemory
#define ImpZwDeviceIoControlFile DRVIMPORTS.DrvImpZwDeviceIoControlFile
#define ImpKeStackAttachProcess DRVIMPORTS.DrvImpKeStackAttachProcess
#define ImpKeUnstackDetachProcess DRVIMPORTS.DrvImpKeUnstackDetachProcess
#define ImpKeWaitForSingleObject DRVIMPORTS.DrvImpKeWaitForSingleObject
#define ImpPsCreateSystemThread DRVIMPORTS.DrvImpPsCreateSystemThread
#define ImpIofCompleteRequest DRVIMPORTS.DrvImpIofCompleteRequest
#define ImpObReferenceObjectByHandle DRVIMPORTS.DrvImpObReferenceObjectByHandle
#define ImpPsThreadType DRVIMPORTS.DrvImpPsThreadType
#define ImpKeDelayExecutionThread DRVIMPORTS.DrvImpKeDelayExecutionThread
#define ImpKeRegisterNmiCallback DRVIMPORTS.DrvImpKeRegisterNmiCallback
#define ImpKeDeregisterNmiCallback DRVIMPORTS.DrvImpKeDeregisterNmiCallback
#define ImpKeQueryActiveProcessorCount DRVIMPORTS.DrvImpKeQueryActiveProcessorCount
#define ImpExAcquirePushLockExclusiveEx DRVIMPORTS.DrvImpExAcquirePushLockExclusiveEx
#define ImpExReleasePushLockExclusiveEx DRVIMPORTS.DrvImpExReleasePushLockExclusiveEx
#define ImpPsGetThreadId DRVIMPORTS.DrvImpPsGetThreadId
#define ImpRtlCaptureStackBackTrace DRVIMPORTS.DrvImpRtlCaptureStackBackTrace
#define ImpZwOpenDirectoryObject DRVIMPORTS.DrvImpZwOpenDirectoryObject
#define ImpKeInitializeAffinityEx DRVIMPORTS.DrvImpKeInitializeAffinityEx
#define ImpKeAddProcessorAffinityEx DRVIMPORTS.DrvImpKeAddProcessorAffinityEx
#define ImpRtlQueryModuleInformation DRVIMPORTS.DrvImpRtlQueryModuleInformation
#define ImpKeInitializeApc DRVIMPORTS.DrvImpKeInitializeApc
#define ImpKeInsertQueueApc DRVIMPORTS.DrvImpKeInsertQueueApc
#define ImpKeGenericCallDpc DRVIMPORTS.DrvImpKeGenericCallDpc
#define ImpKeSignalCallDpcDone DRVIMPORTS.DrvImpKeSignalCallDpcDone
#define ImpMmGetPhysicalMemoryRangesEx2 DRVIMPORTS.DrvImpMmGetPhysicalMemoryRangesEx2
#define ImpMmGetVirtualForPhysical DRVIMPORTS.DrvImpMmGetVirtualForPhysical
#define ImpObfReferenceObject DRVIMPORTS.DrvImpObfReferenceObject
#define ImpExFreePoolWithTag DRVIMPORTS.DrvImpExFreePoolWithTag
#define ImpExAllocatePool2 DRVIMPORTS.DrvImpExAllocatePool2
#define ImpKeReleaseGuardedMutex DRVIMPORTS.DrvImpKeReleaseGuardedMutex
#define ImpKeAcquireGuardedMutex DRVIMPORTS.DrvImpKeAcquireGuardedMutex
#define ImpDbgPrintEx DRVIMPORTS.DrvImpDbgPrintEx
#define ImpRtlCompareUnicodeString DRVIMPORTS.DrvImpRtlCompareUnicodeString
#define ImpRtlFreeUnicodeString DRVIMPORTS.DrvImpRtlFreeUnicodeString
#define ImpPsGetProcessImageFileName DRVIMPORTS.DrvImpPsGetProcessImageFileName
#endif

12
driver/integrity.c
View file

@ -947,11 +947,11 @@ ValidateProcessLoadedModule(_Inout_ PIRP Irp)
goto end;
report->report_code = REPORT_INVALID_PROCESS_MODULE;
report->image_base = module_info->module_base;
report->image_size = module_info->module_size;
RtlCopyMemory(report->module_path, module_info->module_path,
sizeof(report->module_path));
report->image_base = module_info->module_base;
report->image_size = module_info->module_size;
RtlCopyMemory(
report->module_path, module_info->module_path, sizeof(report->module_path));
status = IrpQueueCompleteIrp(report, sizeof(PROCESS_MODULE_VALIDATION_REPORT));
if (!NT_SUCCESS(status))
@ -1877,4 +1877,4 @@ ValidateOurDriversDispatchRoutines()
}
return TRUE;
}
}

20
driver/io.c
View file

@ -119,6 +119,14 @@ IrpQueueRemoveDeferredReport(_In_ PIRP_QUEUE_HEAD Queue)
return RemoveHeadList(&Queue->reports.head);
}
STATIC
VOID
IrpQueueFreeDeferredReport(_In_ PDEFERRED_REPORT Report)
{
ImpExFreePoolWithTag(Report->buffer, REPORT_POOL_TAG);
ImpExFreePoolWithTag(Report, REPORT_POOL_TAG);
}
NTSTATUS
IrpQueueCompleteDeferredReport(_In_ PDEFERRED_REPORT Report, _In_ PIRP Irp)
{
@ -131,6 +139,7 @@ IrpQueueCompleteDeferredReport(_In_ PDEFERRED_REPORT Report, _In_ PIRP Irp)
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = Report->buffer_size;
IofCompleteRequest(Irp, IO_NO_INCREMENT);
IrpQueueFreeDeferredReport(Report);
return STATUS_SUCCESS;
}
@ -141,14 +150,22 @@ IrpQueueQueryPendingReports(_In_ PIRP Irp)
PDEFERRED_REPORT report = NULL;
NTSTATUS status = STATUS_UNSUCCESSFUL;
/*
* Important we hold the lock before we call IsThereDeferredReport to prevent the race
* condition where in the period between when we get a TRUE result and another thread
* removes the last entry from the list. We then request a deferred report and will receive
* a null value leading to a bugcheck in the subsequent call to CompleteDeferredReport.
*/
KeAcquireGuardedMutex(&queue->reports.lock);
if (IrpQueueIsThereDeferredReport(queue))
{
KeAcquireGuardedMutex(&queue->reports.lock);
report = IrpQueueRemoveDeferredReport(queue);
status = IrpQueueCompleteDeferredReport(report, Irp);
if (!NT_SUCCESS(status))
{
IrpQueueFreeDeferredReport(report);
KeReleaseGuardedMutex(&queue->reports.lock);
return status;
}
@ -158,6 +175,7 @@ IrpQueueQueryPendingReports(_In_ PIRP Irp)
return status;
}
KeReleaseGuardedMutex(&queue->reports.lock);
return status;
}

2
driver/modules.h
View file

@ -75,6 +75,6 @@ NTSTATUS
ValidateHalDispatchTables();
PVOID
FindDriverBaseNoApi(_In_ PWCH Name);
FindDriverBaseNoApi(_In_ PDRIVER_OBJECT DriverObject, _In_ PWCH Name);
#endif

9
module/dispatcher/dispatcher.cpp
View file

@ -3,6 +3,7 @@
#include "../client/message_queue.h"
#include "../helper.h"
#include <bcrypt.h>
#include <chrono>
dispatcher::dispatcher::dispatcher(LPCWSTR driver_name,
@ -10,6 +11,14 @@ dispatcher::dispatcher::dispatcher(LPCWSTR driver_name,
: thread_pool(DISPATCHER_THREAD_COUNT),
k_interface(driver_name, message_queue) {}
void dispatcher::dispatcher::request_session_pk() {
#ifdef NO_SERVER
LOG_INFO("NO_SERVER Build used. Generating local session key pair.");
#else
LOG_INFO("Requesting session key pair.");
#endif
}
void dispatcher::dispatcher::write_shared_mapping_operation() {
int operation =
helper::generate_rand_int(kernel_interface::SHARED_STATE_OPERATION_COUNT);

1
module/dispatcher/dispatcher.h
View file

@ -24,6 +24,7 @@ class dispatcher {
void init_timer_callbacks();
void run_timer_thread();
void run_io_port_thread();
void request_session_pk();
public:
dispatcher(LPCWSTR driver_name, client::message_queue &queue);

74
module/kernel_interface/kernel_interface.cpp
View file

@ -209,43 +209,43 @@ void kernel_interface::kernel_interface::validate_system_modules() {
void kernel_interface::kernel_interface::
verify_process_module_executable_regions() {
HANDLE handle = INVALID_HANDLE_VALUE;
MODULEENTRY32 module_entry = {0};
BOOLEAN status = FALSE;
process_module module = {0};
unsigned long bytes_returned = 0;
RtlDosPathNameToNtPathName_U pRtlDosPathNameToNtPathName_U = NULL;
UNICODE_STRING nt_path_name = {0};
pRtlDosPathNameToNtPathName_U = (RtlDosPathNameToNtPathName_U)GetProcAddress(
GetModuleHandle(L"ntdll.dll"), "RtlDosPathNameToNtPathName_U");
handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32,
GetCurrentProcessId());
if (handle == INVALID_HANDLE_VALUE) {
LOG_ERROR("CreateToolHelp32Snapshot with TH32CS_SNAPMODULE failed with "
"status 0x%x",
GetLastError());
return;
}
module_entry.dwSize = sizeof(MODULEENTRY32);
if (!Module32First(handle, &module_entry)) {
LOG_ERROR("Module32First failed with status 0x%x", GetLastError());
return;
}
do {
module.module_base = module_entry.modBaseAddr;
module.module_size = module_entry.modBaseSize;
status = (*pRtlDosPathNameToNtPathName_U)(module_entry.szExePath,
&nt_path_name, NULL, NULL);
if (!status) {
LOG_ERROR("RtlDosPathNameToNtPathName_U failed with no status.");
continue;
}
memcpy(module.module_path, nt_path_name.Buffer, MAX_MODULE_PATH);
this->generic_driver_call_input(ioctl_code::ValidateProcessLoadedModule,
&module, sizeof(module), &bytes_returned);
} while (Module32Next(handle, &module_entry));
end:
CloseHandle(handle);
// HANDLE handle = INVALID_HANDLE_VALUE;
// MODULEENTRY32 module_entry = {0};
// BOOLEAN status = FALSE;
// process_module module = {0};
// unsigned long bytes_returned = 0;
// RtlDosPathNameToNtPathName_U pRtlDosPathNameToNtPathName_U = NULL;
// UNICODE_STRING nt_path_name = {0};
// pRtlDosPathNameToNtPathName_U = (RtlDosPathNameToNtPathName_U)GetProcAddress(
// GetModuleHandle("ntdll.dll"), "RtlDosPathNameToNtPathName_U");
// handle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32,
// GetCurrentProcessId());
// if (handle == INVALID_HANDLE_VALUE) {
// LOG_ERROR("CreateToolHelp32Snapshot with TH32CS_SNAPMODULE failed with "
// "status 0x%x",
// GetLastError());
// return;
// }
// module_entry.dwSize = sizeof(MODULEENTRY32);
// if (!Module32First(handle, &module_entry)) {
// LOG_ERROR("Module32First failed with status 0x%x", GetLastError());
// return;
// }
// do {
// module.module_base = module_entry.modBaseAddr;
// module.module_size = module_entry.modBaseSize;
// status = (*pRtlDosPathNameToNtPathName_U)(module_entry.szExePath,
// &nt_path_name, NULL, NULL);
// if (!status) {
// LOG_ERROR("RtlDosPathNameToNtPathName_U failed with no status.");
// continue;
// }
// memcpy(module.module_path, nt_path_name.Buffer, MAX_MODULE_PATH);
// this->generic_driver_call_input(ioctl_code::ValidateProcessLoadedModule,
// &module, sizeof(module), &bytes_returned);
// } while (Module32Next(handle, &module_entry));
//end:
// CloseHandle(handle);
}
void kernel_interface::kernel_interface::initiate_apc_stackwalk() {

92
module/module.vcxproj
View file

@ -5,16 +5,24 @@
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<ProjectConfiguration Include="Release - No Server|Win32">
<Configuration>Release - No Server</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<ProjectConfiguration Include="Release - No Server|x64">
<Configuration>Release - No Server</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="test|Win32">
<Configuration>test</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="test|x64">
<Configuration>test</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
@ -32,7 +40,14 @@
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='test|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
@ -45,7 +60,14 @@
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='test|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
@ -60,13 +82,19 @@
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release - No Server|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='test|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='test|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
@ -85,7 +113,26 @@
<EnableUAC>false</EnableUAC>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;MODULE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<PrecompiledHeader>Use</PrecompiledHeader>
<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='test|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
@ -108,7 +155,8 @@
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;MODULE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>
</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
@ -120,13 +168,33 @@
<EnableUAC>false</EnableUAC>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;MODULE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions>NO_SERVER</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
<LanguageStandard>stdcpp20</LanguageStandard>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableUAC>false</EnableUAC>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='test|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NO_SERVER</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<PrecompiledHeader>NotUsing</PrecompiledHeader>
<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>