guh

2024-11-21 22:24:08 +01:00 · 2023-09-27 23:10:12 +10:00 · 2023-09-27 23:10:12 +10:00 · 244450c89b
commit 244450c89b
parent 5dfec7de42
11 changed files with 251 additions and 280 deletions
--- a/driver/driver.c
+++ b/driver/driver.c
@ -10,6 +10,44 @@
 #include "modules.h"
 #include "integrity.h"

+/*
+* This structure is strictly for driver related stuff
+* that should only be written at driver entry.
+*
+* Note that the lock isnt really needed here but Im using one
+* just in case c:
+*/
+
+#define MAXIMUM_APC_CONTEXTS 10
+
+typedef struct _DRIVER_CONFIG
+{
+	UNICODE_STRING unicode_driver_name;
+	ANSI_STRING ansi_driver_name;
+	UNICODE_STRING device_name;
+	UNICODE_STRING device_symbolic_link;
+	UNICODE_STRING driver_path;
+	UNICODE_STRING registry_path;
+	SYSTEM_INFORMATION system_information;
+	PVOID apc_contexts[ MAXIMUM_APC_CONTEXTS ];
+	KGUARDED_MUTEX lock;
+
+}DRIVER_CONFIG, * PDRIVER_CONFIG;
+
+/*
+* This structure can change at anytime based on whether
+* the target process to protect is open / closed / changes etc.
+*/
+typedef struct _PROCESS_CONFIG
+{
+	BOOLEAN initialised;
+	LONG um_handle;
+	LONG km_handle;
+	PEPROCESS protected_process_eprocess;
+	KGUARDED_MUTEX lock;
+
+}PROCESS_CONFIG, * PPROCESS_CONFIG;
+
 DRIVER_CONFIG driver_config = { 0 };
 PROCESS_CONFIG process_config = { 0 };

--- a/driver/driver.h
+++ b/driver/driver.h
@ -26,44 +26,6 @@ typedef struct _SYSTEM_INFORMATION

 }SYSTEM_INFORMATION, * PSYSTEM_INFORMATION;

-/*
-* This structure is strictly for driver related stuff
-* that should only be written at driver entry.
-* 
-* Note that the lock isnt really needed here but Im using one
-* just in case c:
-*/
-
-#define MAXIMUM_APC_CONTEXTS 10
-
-typedef struct _DRIVER_CONFIG
-{
-	UNICODE_STRING unicode_driver_name;
-	ANSI_STRING ansi_driver_name;
-	UNICODE_STRING device_name;
-	UNICODE_STRING device_symbolic_link;
-	UNICODE_STRING driver_path;
-	UNICODE_STRING registry_path;
-	SYSTEM_INFORMATION system_information;
-	PVOID apc_contexts[ MAXIMUM_APC_CONTEXTS ];
-	KGUARDED_MUTEX lock;
-
-}DRIVER_CONFIG, *PDRIVER_CONFIG;
-
-/*
-* This structure can change at anytime based on whether
-* the target process to protect is open / closed / changes etc.
-*/
-typedef struct _PROCESS_CONFIG
-{
-	BOOLEAN initialised;
-	LONG um_handle;
-	LONG km_handle;
-	PEPROCESS protected_process_eprocess;
-	KGUARDED_MUTEX lock;
-
-}PROCESS_CONFIG, *PPROCESS_CONFIG;
-
 NTSTATUS InitialiseProcessConfigOnProcessLaunch(
 	_In_ PIRP Irp
 );
@ -98,16 +60,6 @@ VOID InsertApcContext(
 	_In_ PVOID Context
 );

-VOID RemoveApcFromApcContextList(
-	_In_ PLIST_HEAD ListHead,
-	_Inout_ PLIST_ITEM ListEntry
-);
-
-VOID InsertApcIntoApcContextList(
-	_In_ PLIST_HEAD ListHead,
-	_In_ PAPC_ENTRY ApcStatus
-);
-
 VOID
 GetApcContextByIndex(
 	_Inout_ PVOID* Context,
@ -128,13 +80,10 @@ FreeApcAndDecrementApcCount(
 NTSTATUS
 QueryActiveApcContextsForCompletion();

-VOID TerminateProtectedProcessOnViolation();
+VOID 
+TerminateProtectedProcessOnViolation();

-VOID ClearProcessConfigOnProcessTermination();
-
-NTSTATUS
-QueryActiveApcContextForCompletion(
-	_In_ LONG ContextId
-);
+VOID 
+ClearProcessConfigOnProcessTermination();

 #endif
--- a/driver/integrity.c
+++ b/driver/integrity.c
@ -6,6 +6,18 @@

 #include <bcrypt.h>

+#define SMBIOS_TABLE 'RSMB'
+
+/* for generic intel */
+#define SMBIOS_SYSTEM_INFORMATION_TYPE_2_TABLE 2
+#define MOTHERBOARD_SERIAL_CODE_TABLE_INDEX 4
+
+#define NULL_TERMINATOR '\0'
+
+/* for testing purposes in vmware */
+#define VMWARE_SMBIOS_TABLE 1
+#define VMWARE_SMBIOS_TABLE_INDEX 3
+
 typedef struct _INTEGRITY_CHECK_HEADER
 {
    INT executable_section_count;
@ -13,6 +25,22 @@ typedef struct _INTEGRITY_CHECK_HEADER

 }INTEGRITY_CHECK_HEADER, *PINTEGRITY_CHECK_HEADER;

+#define MAX_MODULE_PATH 256
+
+typedef struct _PROCESS_MODULE_INFORMATION
+{
+    PVOID module_base;
+    SIZE_T module_size;
+    WCHAR module_path[ MAX_MODULE_PATH ];
+
+}PROCESS_MODULE_INFORMATION, * PPROCESS_MODULE_INFORMATION;
+
+typedef struct _PROCESS_MODULE_VALIDATION_RESULT
+{
+    INT is_module_valid;
+
+}PROCESS_MODULE_VALIDATION_RESULT, * PPROCESS_MODULE_VALIDATION_RESULT;
+
 /*
 * note: this can be put into its own function wihtout an IRP as argument then it can be used 
 * in both the get driver image ioctl handler and the CopyDriverExecvutableRegions func
--- a/driver/integrity.h
+++ b/driver/integrity.h
@ -4,31 +4,6 @@
 #include <ntifs.h>
 #include "common.h"

-#define SMBIOS_TABLE 'RSMB'
-#define SMBIOS_SYSTEM_INFORMATION_TYPE_2_TABLE 2
-#define NULL_TERMINATOR '\0'
-#define MOTHERBOARD_SERIAL_CODE_TABLE_INDEX 4
-
-/* for testing purposes */
-#define VMWARE_SMBIOS_TABLE 1
-#define VMWARE_SMBIOS_TABLE_INDEX 3
-
-#define MAX_MODULE_PATH 256
-
-typedef struct _PROCESS_MODULE_INFORMATION
-{
-	PVOID module_base;
-	SIZE_T module_size;
-	WCHAR module_path[ MAX_MODULE_PATH ];
-
-}PROCESS_MODULE_INFORMATION, *PPROCESS_MODULE_INFORMATION;
-
-typedef struct _PROCESS_MODULE_VALIDATION_RESULT
-{
-	INT is_module_valid;
-
-}PROCESS_MODULE_VALIDATION_RESULT, *PPROCESS_MODULE_VALIDATION_RESULT;
-
 NTSTATUS 
 GetDriverImageSize(
 	_In_ PIRP Irp
--- a/driver/ioctl.c
+++ b/driver/ioctl.c
@ -1,7 +1,5 @@
 #include "ioctl.h"

-#include "common.h"
-
 #include "modules.h"
 #include "driver.h"
 #include "callbacks.h"
@ -9,9 +7,24 @@
 #include "integrity.h"
 #include "thread.h"
 #include "queue.h"
-
 #include "hv.h"

+#define IOCCTL_RUN_NMI_CALLBACKS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2001, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_VALIDATE_DRIVER_OBJECTS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2002, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_LAUNCH CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2004, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_HANDLE_REPORTS_IN_CALLBACK_QUEUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2005, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_PERFORM_VIRTUALIZATION_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2006, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_ENUMERATE_HANDLE_TABLES CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2007, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_RETRIEVE_MODULE_EXECUTABLE_REGIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2008, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_REQUEST_TOTAL_MODULE_SIZE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2009, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2010, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_SCAN_FOR_UNLINKED_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2011, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2012, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_PERFORM_INTEGRITY_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2013, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_DETECT_ATTACHED_THREADS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2014, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_VALIDATE_PROCESS_LOADED_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2015, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_REQUEST_HARDWARE_INFORMATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2016, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
 NTSTATUS 
 DeviceControl(
 	_In_ PDRIVER_OBJECT DriverObject,
--- a/driver/ioctl.h
+++ b/driver/ioctl.h
@ -6,22 +6,6 @@
 #include <wdf.h>
 #include "common.h"

-#define IOCCTL_RUN_NMI_CALLBACKS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2001, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_VALIDATE_DRIVER_OBJECTS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2002, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_LAUNCH CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2004, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_HANDLE_REPORTS_IN_CALLBACK_QUEUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2005, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_PERFORM_VIRTUALIZATION_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2006, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_ENUMERATE_HANDLE_TABLES CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2007, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_RETRIEVE_MODULE_EXECUTABLE_REGIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2008, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_REQUEST_TOTAL_MODULE_SIZE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2009, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2010, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_SCAN_FOR_UNLINKED_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2011, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2012, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_PERFORM_INTEGRITY_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2013, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_DETECT_ATTACHED_THREADS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2014, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_VALIDATE_PROCESS_LOADED_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2015, METHOD_BUFFERED, FILE_ANY_ACCESS)
-#define IOCTL_REQUEST_HARDWARE_INFORMATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2016, METHOD_BUFFERED, FILE_ANY_ACCESS)
-
 typedef struct _DRIVER_INITIATION_INFORMATION
 {
 	LONG protected_process_id;
--- a/driver/modules.c
+++ b/driver/modules.c
@ -21,12 +21,38 @@ CHAR WHITELISTED_MODULES[ WHITELISTED_MODULE_COUNT ][ MODULE_MAX_STRING_SIZE ] =
 	"Wdf01000.sys",
 };

+#define MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE 128
+
+#define REASON_NO_BACKING_MODULE 1
+#define REASON_INVALID_IOCTL_DISPATCH 2
+
+typedef struct _WHITELISTED_REGIONS
+{
+	UINT64 base;
+	UINT64 end;
+
+}WHITELISTED_REGIONS, * PWHITELISTED_REGIONS;
+
+typedef struct _NMI_POOLS
+{
+	PVOID thread_data_pool;
+	PVOID stack_frames;
+	PVOID nmi_context;
+
+}NMI_POOLS, * PNMI_POOLS;
+
 typedef struct _NMI_CORE_CONTEXT
 {
 	INT nmi_callbacks_run;

 }NMI_CORE_CONTEXT, * PNMI_CORE_CONTEXT;

+typedef struct _MODULE_VALIDATION_FAILURE_HEADER
+{
+	INT module_count;
+
+}MODULE_VALIDATION_FAILURE_HEADER, * PMODULE_VALIDATION_FAILURE_HEADER;
+
 typedef struct _NMI_CONTEXT
 {
 	PVOID thread_data_pool;
@ -36,6 +62,38 @@ typedef struct _NMI_CONTEXT

 }NMI_CONTEXT, * PNMI_CONTEXT;

+typedef struct _NMI_CALLBACK_DATA
+{
+	UINT64		kthread_address;
+	UINT64		kprocess_address;
+	UINT64		start_address;
+	UINT64		stack_limit;
+	UINT64		stack_base;
+	uintptr_t	stack_frames_offset;
+	INT			num_frames_captured;
+	UINT64		cr3;
+
+}NMI_CALLBACK_DATA, * PNMI_CALLBACK_DATA;
+
+typedef struct _INVALID_DRIVER
+{
+	struct _INVALID_DRIVER* next;
+	INT reason;
+	PDRIVER_OBJECT driver;
+
+}INVALID_DRIVER, * PINVALID_DRIVER;
+
+typedef struct _INVALID_DRIVERS_HEAD
+{
+	PINVALID_DRIVER first_entry;
+	INT count;
+
+}INVALID_DRIVERS_HEAD, * PINVALID_DRIVERS_HEAD;
+
+#define SYSTEM_IDLE_PROCESS_ID 0
+#define SYSTEM_PROCESS_ID 4
+#define SVCHOST_PROCESS_ID 8
+
 /*
 * TODO: this needs to be refactored to just return the entry not the whole fukin thing
 */
@ -918,96 +976,101 @@ ApcKernelRoutine(
 	_Inout_ _Deref_pre_maybenull_ PVOID* NormalContext,
 	_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1,
 	_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2
-)
-{
-	PVOID buffer = NULL;
-	INT frames_captured = 0;
-	UINT64 stack_frame = 0;
-	NTSTATUS status;
-	BOOLEAN flag = FALSE;
-	PAPC_STACKWALK_CONTEXT context;
-
-	context = ( PAPC_STACKWALK_CONTEXT )Apc->NormalContext;
-
-	buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, 0x200, POOL_TAG_APC );
-
-	if ( !buffer )
-		goto free;
-
-	frames_captured = RtlCaptureStackBackTrace(
-		NULL,
-		STACK_FRAME_POOL_SIZE / sizeof(UINT64),
-		buffer,
-		NULL
-	);
-
-	if ( frames_captured == NULL )
-		goto free;
-
-	for ( INT index = 0; index < frames_captured; index++ )
-	{
-		stack_frame = *( UINT64* )( ( UINT64 )buffer + index * sizeof(UINT64) );
-
-		/*
-		* Apc->NormalContext holds the address of our context data structure that we passed into
-		* KeInitializeApc as the last argument.
-		*/
-		status = IsInstructionPointerInInvalidRegion(
-			stack_frame,
-			context->modules,
-			&flag
-		);
-
-		if ( !NT_SUCCESS( status ) )
+		)
 		{
-			DEBUG_ERROR( "IsInstructionPointerInInvalidRegion failed with status %x", status );
-			goto free;
-		}
+			PVOID buffer = NULL;
+			INT frames_captured = 0;
+			UINT64 stack_frame = 0;
+			NTSTATUS status;
+			BOOLEAN flag = FALSE;
+			PAPC_STACKWALK_CONTEXT context;
+
+			context = ( PAPC_STACKWALK_CONTEXT )Apc->NormalContext;
+
+			buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, 0x200, POOL_TAG_APC );
+
+			if ( !buffer )
+				goto free;
+
+			frames_captured = RtlCaptureStackBackTrace(
+				NULL,
+				STACK_FRAME_POOL_SIZE / sizeof( UINT64 ),
+				buffer,
+				NULL
+			);
+
+			if ( frames_captured == NULL )
+				goto free;
+
+			for ( INT index = 0; index < frames_captured; index++ )
+			{
+				stack_frame = *( UINT64* )( ( UINT64 )buffer + index * sizeof( UINT64 ) );
+
+				/*
+				* Apc->NormalContext holds the address of our context data structure that we passed into
+				* KeInitializeApc as the last argument.
+				*/
+				status = IsInstructionPointerInInvalidRegion(
+					stack_frame,
+					context->modules,
+					&flag
+				);
+
+				if ( !NT_SUCCESS( status ) )
+				{
+					DEBUG_ERROR( "IsInstructionPointerInInvalidRegion failed with status %x", status );
+					goto free;
+				}
+			}
+
+		free:
+
+			if ( buffer )
+				ExFreePoolWithTag( buffer, POOL_TAG_APC );
+
+			FreeApcAndDecrementApcCount( Apc, APC_CONTEXT_ID_STACKWALK );
+}
+
+	/*
+	* The NormalRoutine is executed in user mode when the APC is delivered.
+	*/
+	STATIC
+		VOID
+		ApcNormalRoutine(
+			_In_opt_ PVOID NormalContext,
+			_In_opt_ PVOID SystemArgument1,
+			_In_opt_ PVOID SystemArgument2
+		)
+	{
+
 	}

-free:
+	STATIC
+		VOID
+		ValidateThreadViaKernelApcCallback(
+			_In_ PEPROCESS Process,
+			_In_ PVOID Context
+		)
+	{
+		NTSTATUS status;
+		PLIST_ENTRY thread_list_head;
+		PLIST_ENTRY thread_list_entry;
+		PETHREAD current_thread;
+		PKAPC apc = NULL;
+		BOOLEAN apc_status;
+		PAPC_STACKWALK_CONTEXT context = ( PAPC_STACKWALK_CONTEXT )Context;
+		LPCSTR process_name = PsGetProcessImageFileName( Process );

-	if (buffer )
-		ExFreePoolWithTag( buffer, POOL_TAG_APC );
+		/* we dont want to schedule an apc to threads owned by the kernel */
+		if ( Process == PsInitialSystemProcess )
+			return;

-	FreeApcAndDecrementApcCount( Apc, APC_CONTEXT_ID_STACKWALK );
-}
-
-/*
-* The NormalRoutine is executed in user mode when the APC is delivered.
-*/
-STATIC
-VOID 
-ApcNormalRoutine(
-	_In_opt_ PVOID NormalContext,
-	_In_opt_ PVOID SystemArgument1,
-	_In_opt_ PVOID SystemArgument2
-)
-{
-
-}
-
-STATIC
-VOID 
-ValidateThreadViaKernelApcCallback(
-	_In_ PEPROCESS Process,
-	_In_ PVOID Context
-)
-{
-	NTSTATUS status;
-	PLIST_ENTRY thread_list_head;
-	PLIST_ENTRY thread_list_entry;
-	PETHREAD current_thread;
-	PKAPC apc = NULL;
-	BOOLEAN apc_status;
-	HANDLE process_id;
-	PAPC_STACKWALK_CONTEXT context = ( PAPC_STACKWALK_CONTEXT )Context;
-
-	HANDLE id = PsGetProcessId( Process );
-
-	/* we dont want to schedule an apc to threads owned by the kernel */
-	if ( Process == PsInitialSystemProcess )
-		return;
+		/* We are not interested in these processess.. for now lol */
+		if ( !strcmp( process_name, "svchost.exe" ) ||
+			 !strcmp( process_name, "Registry" ) ||
+			 !strcmp( process_name, "smss.exe" ) ||
+			 !strcmp( process_name, "csrss.exe" ) )
+			return;

 	thread_list_head = ( PLIST_ENTRY )( ( UINT64 )Process + KPROCESS_THREADLIST_OFFSET );
 	thread_list_entry = thread_list_head->Flink;
@ -1018,14 +1081,6 @@ ValidateThreadViaKernelApcCallback(
 	{
 		current_thread = ( PETHREAD )( ( UINT64 )thread_list_entry - KTHREAD_THREADLIST_OFFSET );

-		process_id = PsGetThreadId(current_thread );
-
-		/* ensure thread has a valid cid entry and is not svchost or the kernel */
-		if ( process_id == SYSTEM_IDLE_PROCESS_ID ||
-			process_id == SYSTEM_PROCESS_ID || 
-			process_id == SVCHOST_PROCESS_ID )
-			goto increment;
-
 		if (current_thread == KeGetCurrentThread())
 			goto increment;

--- a/driver/modules.h
+++ b/driver/modules.h
@ -7,26 +7,6 @@
 #include "common.h"
 #include "queue.h"

-#define MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE 128
-
-#define REASON_NO_BACKING_MODULE 1
-#define REASON_INVALID_IOCTL_DISPATCH 2
-
-typedef struct _WHITELISTED_REGIONS
-{
-	UINT64 base;
-	UINT64 end;
-
-}WHITELISTED_REGIONS, * PWHITELISTED_REGIONS;
-
-typedef struct _NMI_POOLS
-{
-	PVOID thread_data_pool;
-	PVOID stack_frames;
-	PVOID nmi_context;
-
-}NMI_POOLS, * PNMI_POOLS;
-
 typedef struct NMI_CALLBACK_FAILURE
 {
 	INT report_code;
@ -36,25 +16,6 @@ typedef struct NMI_CALLBACK_FAILURE

 }NMI_CALLBACK_FAILURE, * PNMI_CALLBACK_FAILURE;

-typedef struct _NMI_CALLBACK_DATA
-{
-	UINT64		kthread_address;
-	UINT64		kprocess_address;
-	UINT64		start_address;
-	UINT64		stack_limit;
-	UINT64		stack_base;
-	uintptr_t	stack_frames_offset;
-	INT			num_frames_captured;
-	UINT64		cr3;
-
-}NMI_CALLBACK_DATA, * PNMI_CALLBACK_DATA;
-
-typedef struct _MODULE_VALIDATION_FAILURE_HEADER
-{
-	INT module_count;
-
-}MODULE_VALIDATION_FAILURE_HEADER, *PMODULE_VALIDATION_FAILURE_HEADER;
-
 typedef struct _MODULE_VALIDATION_FAILURE
 {
 	INT report_code;
@ -65,21 +26,6 @@ typedef struct _MODULE_VALIDATION_FAILURE

 }MODULE_VALIDATION_FAILURE, *PMODULE_VALIDATION_FAILURE;

-typedef struct _INVALID_DRIVER
-{
-	struct _INVALID_DRIVER* next;
-	INT reason;
-	PDRIVER_OBJECT driver;
-
-}INVALID_DRIVER, * PINVALID_DRIVER;
-
-typedef struct _INVALID_DRIVERS_HEAD
-{
-	PINVALID_DRIVER first_entry;
-	INT count;		//keeps track of the number of drivers in the list
-
-}INVALID_DRIVERS_HEAD, * PINVALID_DRIVERS_HEAD;
-
 /* system modules information */

 typedef struct _SYSTEM_MODULES
@ -89,13 +35,6 @@ typedef struct _SYSTEM_MODULES

 }SYSTEM_MODULES, * PSYSTEM_MODULES;

-typedef struct _APC_ENTRY
-{
-	struct _LIST_ITEM* next;
-	PKAPC apc;
-
-}APC_ENTRY, * PAPC_ENTRY;
-
 #define APC_CONTEXT_ID_STACKWALK 0x1

 typedef struct _APC_CONTEXT_HEADER
@ -113,10 +52,6 @@ typedef struct _APC_STACKWALK_CONTEXT

 }APC_STACKWALK_CONTEXT, * PAPC_STACKWALK_CONTEXT;

-#define SYSTEM_IDLE_PROCESS_ID 0
-#define SYSTEM_PROCESS_ID 4
-#define SVCHOST_PROCESS_ID 8
-
 NTSTATUS 
 GetSystemModuleInformation(
 	_Inout_ PSYSTEM_MODULES ModuleInformation
--- a/driver/pool.c
+++ b/driver/pool.c
@ -1,11 +1,24 @@
 #include "pool.h"

-#include "common.h"
+#include <intrin.h>

 #include "callbacks.h"
 #include "queue.h"

-#include <intrin.h>
+#define PAGE_BASE_SIZE 0x1000
+#define POOL_TAG_SIZE 0x004
+
+#define PML4_ENTRY_COUNT 512
+#define PDPT_ENTRY_COUNT 512
+#define PD_ENTRY_COUNT 512
+#define PT_ENTRY_COUNT 512
+
+#define LARGE_PAGE_2MB_ENTRIES 512
+#define LARGE_PAGE_1GB_ENTRIES 0x40000
+
+#define CHUNK_SIZE 16
+
+#define PROCESS_OBJECT_ALLOCATION_MARGIN 0x90

 #define POOL_TAG_LENGTH 4
 #define EXECUTIVE_OBJECT_COUNT 8
--- a/driver/pool.h
+++ b/driver/pool.h
@ -6,25 +6,6 @@

 #define REPORT_INVALID_PROCESS_BUFFER_SIZE 4096

-#define PAGE_BASE_SIZE 0x1000
-#define POOL_TAG_SIZE 0x004
-
-#define PML4_ENTRY_COUNT 512
-#define PDPT_ENTRY_COUNT 512
-#define PD_ENTRY_COUNT 512
-#define PT_ENTRY_COUNT 512
-
-#define LARGE_PAGE_2MB_ENTRIES 512
-#define LARGE_PAGE_1GB_ENTRIES 0x40000
-
-#define PROCESS_OBJECT_ALLOCATION_MARGIN 0x90
-
-/* SIZE_2 = first alloc + 0x10 */
-#define WIN_PROCESS_ALLOCATION_SIZE 0xcf0
-#define WIN_PROCESS_ALLOCATION_SIZE_2 0xd00
-
-#define CHUNK_SIZE 16
-
 typedef struct _INVALID_PROCESS_ALLOCATION_REPORT
 {
 	INT report_code;
--- a/driver/thread.c
+++ b/driver/thread.c
@ -1,12 +1,12 @@
 #include "thread.h"

+#include <intrin.h>
+
 #include "pool.h"
 #include "callbacks.h"
 #include "driver.h"
 #include "queue.h"

-#include <intrin.h>
-
 typedef struct _KPRCB_THREAD_VALIDATION_CTX
 {
 	UINT64 current_kpcrb_thread;