mirror of
https://github.com/donnaskiez/ac.git
synced 2024-11-21 22:24:08 +01:00
fixd
This commit is contained in:
lhodges1
parent
0172aebe6d
commit
06822f69c6
4 changed files with 84 additions and 5 deletions
|
|
@ -205,7 +205,7 @@ InitialiseDriverList()
|
|||
return status;
|
||||
}
|
||||
|
||||
/* skip hal.dll and ntosknrl.exe */
|
||||
/* skip hal.dll and ntoskrnl.exe */
|
||||
for (INT index = 2; index < modules.module_count; index++)
|
||||
{
|
||||
entry = ImpExAllocatePool2(
|
||||
|
|
|
|||
|
|
@ -189,9 +189,87 @@ ResolveNtImports()
|
|||
driver_imports->DrvImpRtlCompareUnicodeString = FindNtExport("RtlCompareUnicodeString");
|
||||
driver_imports->DrvImpRtlFreeUnicodeString = FindNtExport("RtlFreeUnicodeString");
|
||||
driver_imports->DrvImpPsLookupThreadByThreadId = FindNtExport("PsLookupThreadByThreadId");
|
||||
driver_imports->DrvImpIoGetCurrentIrpStackLocation = FindNtExport("IoGetCurrentIrpStackLocation");
|
||||
driver_imports->DrvImpMmIsAddressValid = FindNtExport("MmIsAddressValid");
|
||||
|
||||
DEBUG_VERBOSE("DrvImpObDereferenceObject); %llx", (UINT64)driver_imports->DrvImpObDereferenceObject);
|
||||
DEBUG_VERBOSE("DrvImpPsGetProcessImageFileName); %llx", (UINT64)driver_imports->DrvImpPsGetProcessImageFileName);
|
||||
DEBUG_VERBOSE("DrvImpPsSetCreateProcessNotifyRoutine); %llx", (UINT64)driver_imports->DrvImpPsSetCreateProcessNotifyRoutine);
|
||||
DEBUG_VERBOSE("DrvImpPsRemoveCreateThreadNotifyRoutine); %llx", (UINT64)driver_imports->DrvImpPsRemoveCreateThreadNotifyRoutine);
|
||||
DEBUG_VERBOSE("DrvImpPsGetCurrentThreadId); %llx", (UINT64)driver_imports->DrvImpPsGetCurrentThreadId);
|
||||
DEBUG_VERBOSE("DrvImpPsGetProcessId); %llx", (UINT64)driver_imports->DrvImpPsGetProcessId);
|
||||
DEBUG_VERBOSE("DrvImpPsLookupProcessByProcessId);%llx", (UINT64)driver_imports->DrvImpPsLookupProcessByProcessId);
|
||||
DEBUG_VERBOSE("DrvImpExEnumHandleTable);%llx", (UINT64)driver_imports->DrvImpExEnumHandleTable);
|
||||
DEBUG_VERBOSE("DrvImpObGetObjectType);%llx", (UINT64)driver_imports->DrvImpObGetObjectType);
|
||||
DEBUG_VERBOSE("DrvImpExfUnblockPushLock);%llx", (UINT64)driver_imports->DrvImpExfUnblockPushLock);
|
||||
DEBUG_VERBOSE("DrvImpstrstr);%llx", (UINT64)driver_imports->DrvImpstrstr);
|
||||
DEBUG_VERBOSE("DrvImpRtlInitUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlInitUnicodeString);
|
||||
DEBUG_VERBOSE("DrvImpMmGetSystemRoutineAddress);%llx", (UINT64)driver_imports->DrvImpMmGetSystemRoutineAddress);
|
||||
DEBUG_VERBOSE("DrvImpRtlUnicodeStringToAnsiString);%llx", (UINT64)driver_imports->DrvImpRtlUnicodeStringToAnsiString);
|
||||
DEBUG_VERBOSE("DrvImpRtlCopyUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlCopyUnicodeString);
|
||||
DEBUG_VERBOSE("DrvImpRtlFreeAnsiString);%llx", (UINT64)driver_imports->DrvImpRtlFreeAnsiString);
|
||||
DEBUG_VERBOSE("DrvImpKeInitializeGuardedMutex);%llx", (UINT64)driver_imports->DrvImpKeInitializeGuardedMutex);
|
||||
DEBUG_VERBOSE("DrvImpIoCreateDevice);%llx", (UINT64)driver_imports->DrvImpIoCreateDevice);
|
||||
DEBUG_VERBOSE("DrvImpIoCreateSymbolicLink);%llx", (UINT64)driver_imports->DrvImpIoCreateSymbolicLink);
|
||||
DEBUG_VERBOSE("DrvImpIoDeleteDevice);%llx", (UINT64)driver_imports->DrvImpIoDeleteDevice);
|
||||
DEBUG_VERBOSE("DrvImpIoDeleteSymbolicLink);%llx", (UINT64)driver_imports->DrvImpIoDeleteSymbolicLink);
|
||||
DEBUG_VERBOSE("DrvImpObRegisterCallbacks);%llx", (UINT64)driver_imports->DrvImpObRegisterCallbacks);
|
||||
DEBUG_VERBOSE("DrvImpObUnRegisterCallbacks);%llx", (UINT64)driver_imports->DrvImpObUnRegisterCallbacks);
|
||||
DEBUG_VERBOSE("DrvImpPsSetCreateThreadNotifyRoutine);%llx", (UINT64)driver_imports->DrvImpPsSetCreateThreadNotifyRoutine);
|
||||
DEBUG_VERBOSE("DrvImpKeRevertToUserAffinityThreadEx);%llx", (UINT64)driver_imports->DrvImpKeRevertToUserAffinityThreadEx);
|
||||
DEBUG_VERBOSE("DrvImpKeSetSystemAffinityThreadEx);%llx", (UINT64)driver_imports->DrvImpKeSetSystemAffinityThreadEx);
|
||||
DEBUG_VERBOSE("DrvImpstrnlen );%llx", (UINT64)driver_imports->DrvImpstrnlen );
|
||||
DEBUG_VERBOSE("DrvImpRtlInitAnsiString);%llx", (UINT64)driver_imports->DrvImpRtlInitAnsiString);
|
||||
DEBUG_VERBOSE("DrvImpRtlAnsiStringToUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlAnsiStringToUnicodeString);
|
||||
DEBUG_VERBOSE("DrvImpIoGetCurrentProcess);%llx", (UINT64)driver_imports->DrvImpIoGetCurrentProcess);
|
||||
DEBUG_VERBOSE("DrvImpRtlGetVersion);%llx", (UINT64)driver_imports->DrvImpRtlGetVersion);
|
||||
DEBUG_VERBOSE("DrvImpRtlCompareMemory);%llx", (UINT64)driver_imports->DrvImpRtlCompareMemory);
|
||||
DEBUG_VERBOSE("DrvImpExGetSystemFirmwareTable);%llx", (UINT64)driver_imports->DrvImpExGetSystemFirmwareTable);
|
||||
DEBUG_VERBOSE("DrvImpIoAllocateWorkItem);%llx", (UINT64)driver_imports->DrvImpIoAllocateWorkItem);
|
||||
DEBUG_VERBOSE("DrvImpIoFreeWorkItem);%llx", (UINT64)driver_imports->DrvImpIoFreeWorkItem);
|
||||
DEBUG_VERBOSE("DrvImpIoQueueWorkItem);%llx", (UINT64)driver_imports->DrvImpIoQueueWorkItem);
|
||||
DEBUG_VERBOSE("DrvImpZwOpenFile );%llx", (UINT64)driver_imports->DrvImpZwOpenFile );
|
||||
DEBUG_VERBOSE("DrvImpZwClose );%llx", (UINT64)driver_imports->DrvImpZwClose );
|
||||
DEBUG_VERBOSE("DrvImpZwCreateSection);%llx", (UINT64)driver_imports->DrvImpZwCreateSection);
|
||||
DEBUG_VERBOSE("DrvImpZwMapViewOfSection);%llx", (UINT64)driver_imports->DrvImpZwMapViewOfSection);
|
||||
DEBUG_VERBOSE("DrvImpZwUnmapViewOfSection);%llx", (UINT64)driver_imports->DrvImpZwUnmapViewOfSection);
|
||||
DEBUG_VERBOSE("DrvImpMmCopyMemory);%llx", (UINT64)driver_imports->DrvImpMmCopyMemory);
|
||||
DEBUG_VERBOSE("DrvImpZwDeviceIoControlFile);%llx", (UINT64)driver_imports->DrvImpZwDeviceIoControlFile);
|
||||
DEBUG_VERBOSE("DrvImpKeStackAttachProcess);%llx", (UINT64)driver_imports->DrvImpKeStackAttachProcess);
|
||||
DEBUG_VERBOSE("DrvImpKeUnstackDetachProcess);%llx", (UINT64)driver_imports->DrvImpKeUnstackDetachProcess);
|
||||
DEBUG_VERBOSE("DrvImpKeWaitForSingleObject);%llx", (UINT64)driver_imports->DrvImpKeWaitForSingleObject);
|
||||
DEBUG_VERBOSE("DrvImpPsCreateSystemThread);%llx", (UINT64)driver_imports->DrvImpPsCreateSystemThread);
|
||||
DEBUG_VERBOSE("DrvImpIofCompleteRequest);%llx", (UINT64)driver_imports->DrvImpIofCompleteRequest);
|
||||
DEBUG_VERBOSE("DrvImpObReferenceObjectByHandle);%llx", (UINT64)driver_imports->DrvImpObReferenceObjectByHandle);
|
||||
DEBUG_VERBOSE("DrvImpKeDelayExecutionThread);%llx", (UINT64)driver_imports->DrvImpKeDelayExecutionThread);
|
||||
DEBUG_VERBOSE("DrvImpKeRegisterNmiCallback);%llx", (UINT64)driver_imports->DrvImpKeRegisterNmiCallback);
|
||||
DEBUG_VERBOSE("DrvImpKeDeregisterNmiCallback);%llx", (UINT64)driver_imports->DrvImpKeDeregisterNmiCallback);
|
||||
DEBUG_VERBOSE("DrvImpKeQueryActiveProcessorCount);%llx", (UINT64)driver_imports->DrvImpKeQueryActiveProcessorCount);
|
||||
DEBUG_VERBOSE("DrvImpExAcquirePushLockExclusiveEx);%llx", (UINT64)driver_imports->DrvImpExAcquirePushLockExclusiveEx);
|
||||
DEBUG_VERBOSE("DrvImpExReleasePushLockExclusiveEx);%llx", (UINT64)driver_imports->DrvImpExReleasePushLockExclusiveEx);
|
||||
DEBUG_VERBOSE("DrvImpPsGetThreadId);%llx", (UINT64)driver_imports->DrvImpPsGetThreadId);
|
||||
DEBUG_VERBOSE("DrvImpRtlCaptureStackBackTrace);%llx", (UINT64)driver_imports->DrvImpRtlCaptureStackBackTrace);
|
||||
DEBUG_VERBOSE("DrvImpZwOpenDirectoryObject);%llx", (UINT64)driver_imports->DrvImpZwOpenDirectoryObject);
|
||||
DEBUG_VERBOSE("DrvImpKeInitializeAffinityEx);%llx", (UINT64)driver_imports->DrvImpKeInitializeAffinityEx);
|
||||
DEBUG_VERBOSE("DrvImpKeAddProcessorAffinityEx);%llx", (UINT64)driver_imports->DrvImpKeAddProcessorAffinityEx);
|
||||
DEBUG_VERBOSE("DrvImpRtlQueryModuleInformation);%llx", (UINT64)driver_imports->DrvImpRtlQueryModuleInformation);
|
||||
DEBUG_VERBOSE("DrvImpKeInitializeApc);%llx", (UINT64)driver_imports->DrvImpKeInitializeApc);
|
||||
DEBUG_VERBOSE("DrvImpKeInsertQueueApc);%llx", (UINT64)driver_imports->DrvImpKeInsertQueueApc);
|
||||
DEBUG_VERBOSE("DrvImpKeGenericCallDpc);%llx", (UINT64)driver_imports->DrvImpKeGenericCallDpc);
|
||||
DEBUG_VERBOSE("DrvImpKeSignalCallDpcDone);%llx", (UINT64)driver_imports->DrvImpKeSignalCallDpcDone);
|
||||
DEBUG_VERBOSE("DrvImpMmGetPhysicalMemoryRangesEx2);%llx", (UINT64)driver_imports->DrvImpMmGetPhysicalMemoryRangesEx2);
|
||||
DEBUG_VERBOSE("DrvImpMmGetVirtualForPhysical);%llx", (UINT64)driver_imports->DrvImpMmGetVirtualForPhysical);
|
||||
DEBUG_VERBOSE("DrvImpObfReferenceObject);%llx", (UINT64)driver_imports->DrvImpObfReferenceObject);
|
||||
DEBUG_VERBOSE("DrvImpExFreePoolWithTag);%llx", (UINT64)driver_imports->DrvImpExFreePoolWithTag);
|
||||
DEBUG_VERBOSE("DrvImpExAllocatePool2);%llx", (UINT64)driver_imports->DrvImpExAllocatePool2);
|
||||
DEBUG_VERBOSE("DrvImpKeReleaseGuardedMutex);%llx", (UINT64)driver_imports->DrvImpKeReleaseGuardedMutex);
|
||||
DEBUG_VERBOSE("DrvImpKeAcquireGuardedMutex);%llx", (UINT64)driver_imports->DrvImpKeAcquireGuardedMutex);
|
||||
DEBUG_VERBOSE("DrvImpDbgPrintEx );%llx", (UINT64)driver_imports->DrvImpDbgPrintEx );
|
||||
DEBUG_VERBOSE("DrvImpRtlCompareUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlCompareUnicodeString);
|
||||
DEBUG_VERBOSE("DrvImpRtlFreeUnicodeString);%llx", (UINT64)driver_imports->DrvImpRtlFreeUnicodeString);
|
||||
DEBUG_VERBOSE("DrvImpPsLookupThreadByThreadId);%llx", (UINT64)driver_imports->DrvImpPsLookupThreadByThreadId);
|
||||
DEBUG_VERBOSE("DrvImpIoGetCurrentIrpStackLocation);%llx", (UINT64)driver_imports->DrvImpIoGetCurrentIrpStackLocation);
|
||||
DEBUG_VERBOSE("DrvImpMmIsAddressValid); %llx", (UINT64)driver_imports->DrvImpMmIsAddressValid);
|
||||
|
||||
if (!driver_imports->DrvImpObDereferenceObject) return STATUS_UNSUCCESSFUL;
|
||||
if (!driver_imports->DrvImpPsGetProcessImageFileName) return STATUS_UNSUCCESSFUL;
|
||||
if (!driver_imports->DrvImpPsSetCreateProcessNotifyRoutine) return STATUS_UNSUCCESSFUL;
|
||||
|
|
@ -267,8 +345,7 @@ ResolveNtImports()
|
|||
if (!driver_imports->DrvImpDbgPrintEx) return STATUS_UNSUCCESSFUL;
|
||||
if (!driver_imports->DrvImpRtlCompareUnicodeString) return STATUS_UNSUCCESSFUL;
|
||||
if (!driver_imports->DrvImpRtlFreeUnicodeString) return STATUS_UNSUCCESSFUL;
|
||||
if (!driver_imports->DrvImpPsLookupThreadByThreadId) return STATUS_UNSUCCESSFUL;
|
||||
if (!driver_imports->DrvImpIoGetCurrentIrpStackLocation) return STATUS_UNSUCCESSFUL;
|
||||
if (!driver_imports->DrvImpPsLookupThreadByThreadId) return STATUS_UNSUCCESSFUL;
|
||||
if (!driver_imports->DrvImpMmIsAddressValid) return STATUS_UNSUCCESSFUL;
|
||||
// clang-format on
|
||||
|
||||
|
|
|
|||
|
|
@ -1534,7 +1534,7 @@ ValidateSystemModule(_In_ PRTL_MODULE_EXTENDED_INFO Module)
|
|||
PDRIVER_LIST_ENTRY entry = NULL;
|
||||
PVOID hash = NULL;
|
||||
|
||||
hash = ExAllocatePool2(POOL_FLAG_NON_PAGED, 32, POOL_TAG_INTEGRITY);
|
||||
hash = ExAllocatePool2(POOL_FLAG_NON_PAGED, SHA_256_HASH_LENGTH, POOL_TAG_INTEGRITY);
|
||||
|
||||
if (!hash)
|
||||
return;
|
||||
|
|
|
|||
|
|
@ -1528,6 +1528,8 @@ ValidateDpcCapturedStack(_In_ PSYSTEM_MODULES Modules, _In_ PDPC_CONTEXT Context
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
|||
Loading…
Reference in a new issue