From 258352f18017770a9b70c0b7c0da2ac6e80b6d05 Mon Sep 17 00:00:00 2001 From: lhodges1 Date: Thu, 24 Aug 2023 17:29:16 +1000 Subject: [PATCH] make da service shite beda --- service/Types.cs | 115 ++++++++++++++++------------- service/Worker.cs | 139 +++--------------------------------- service/messages/Message.cs | 26 +++++++ service/messages/Receive.cs | 59 ++++++++++++++- service/messages/Report.cs | 109 +++++++++++++++++++++++----- 5 files changed, 250 insertions(+), 198 deletions(-) create mode 100644 service/messages/Message.cs diff --git a/service/Types.cs b/service/Types.cs index 10b776f..f3f9e98 100644 --- a/service/Types.cs +++ b/service/Types.cs @@ -11,66 +11,81 @@ namespace service { namespace Types { - [StructLayout(LayoutKind.Sequential)] - public unsafe struct MODULE_VERIFICATION_CHECKSUM_FAILURE + namespace Receive { - public int ReportCode; - public UInt64 ModuleBaseAddress; - public UInt64 ModuleSize; - public fixed char ModuleName[512]; + struct PIPE_PACKET_SEND_EXTENSION_HEADER + { + public int request_id; + public int current_packet_number; + public int total_incoming_packet_count; + public long packet_size; + public long total_incoming_packet_size; + }; } - public struct PROCESS_THREAD_START_FAILURE + namespace Reports { - public int ReportCode; - public long ThreadId; - public UInt64 StartAddress; - } + [StructLayout(LayoutKind.Sequential)] + public unsafe struct MODULE_VERIFICATION_CHECKSUM_FAILURE + { + public int ReportCode; + public UInt64 ModuleBaseAddress; + public UInt64 ModuleSize; + public fixed char ModuleName[512]; + } - public struct PAGE_PROTECTION_FAILURE - { - public int ReportCode; - public UInt64 PageBaseAddress; - public long AllocationProtection; - public long AllocationState; - public long AllocationType; - } + public struct PROCESS_THREAD_START_FAILURE + { + public int ReportCode; + public long ThreadId; + public UInt64 StartAddress; + } - public struct PATTERN_SCAN_FAILURE - { - public int ReportCode; - public int SignatureId; - public UInt64 Address; - } + public struct PAGE_PROTECTION_FAILURE + { + public int ReportCode; + public UInt64 PageBaseAddress; + public long AllocationProtection; + public long AllocationState; + public long AllocationType; + } - public struct NMI_CALLBACK_FAILURE - { - public int ReportCode; - public int WereNmisDisabled; - public UInt64 KThreadAddress; - public UInt64 InvalidRip; - } + public struct PATTERN_SCAN_FAILURE + { + public int ReportCode; + public int SignatureId; + public UInt64 Address; + } - [StructLayout(LayoutKind.Sequential)] - public unsafe struct MODULE_VALIDATION_FAILURE - { - public int ReportCode; - public int ReportType; - public long DriverBaseAddress; - public long DriverSize; - public fixed char ModuleName[128]; - } + public struct NMI_CALLBACK_FAILURE + { + public int ReportCode; + public int WereNmisDisabled; + public UInt64 KThreadAddress; + public UInt64 InvalidRip; + } - [StructLayout(LayoutKind.Sequential)] - public unsafe struct OPEN_HANDLE_FAILURE_REPORT - { - public int ReportCode; - public int IsKernelHandle; - public uint ProcessId; - public uint ThreadId; - public uint DesiredAccess; - public fixed char ProcessName[64]; + [StructLayout(LayoutKind.Sequential)] + public unsafe struct MODULE_VALIDATION_FAILURE + { + public int ReportCode; + public int ReportType; + public long DriverBaseAddress; + public long DriverSize; + public fixed char ModuleName[128]; + } + [StructLayout(LayoutKind.Sequential)] + public unsafe struct OPEN_HANDLE_FAILURE_REPORT + { + public int ReportCode; + public int IsKernelHandle; + public uint ProcessId; + public uint ThreadId; + public uint DesiredAccess; + public fixed char ProcessName[64]; + + } } } } diff --git a/service/Worker.cs b/service/Worker.cs index 23d269e..500a688 100644 --- a/service/Worker.cs +++ b/service/Worker.cs @@ -2,6 +2,8 @@ using System.IO.Pipes; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; using service.Types; +using service.messages; +using System; #pragma warning disable CS1998 // Async method lacks 'await' operators and will run synchronously #pragma warning disable CS8600 @@ -19,9 +21,9 @@ namespace service private enum MESSAGE_TYPE { - MESSAGE_TYPE_REPORT, - MESSAGE_TYPE_RECEIVE, - MESSAGE_TYPE_SEND, + MESSAGE_TYPE_REPORT = 1, + MESSAGE_TYPE_SEND = 2, + MESSAGE_TYPE_RECEIVE = 3 } struct PIPE_PACKET_HEADER @@ -64,16 +66,13 @@ namespace service switch (header) { - case MESSAGE_TYPE_REPORT: - - _pipeServer.Read(_buffer, 0, PIPE_BUFFER_READ_SIZE + _headerBufSize); - await TranslatePipeBuffer(); + case (int)MESSAGE_TYPE.MESSAGE_TYPE_REPORT: + Report report = new Report(_pipeServer, _headerSize); break; - case MESSAGE_TYPE_REQUEST: - - _logger.LogInformation("Request received lLOL"); - Array.Clear(_buffer, 0, _buffer.Length); + case (int)MESSAGE_TYPE.MESSAGE_TYPE_RECEIVE: + Receive receive = new Receive(_pipeServer, _headerSize); + receive.StoreMessage(); break; } } @@ -82,124 +81,8 @@ namespace service { _logger.LogError("Reading buffer from pipe failed with message: {0}", ex.Message); } - } - } - private async Task TranslatePipeBuffer() - { - int reportCode = BitConverter.ToInt32(_buffer, 0); - - _logger.LogInformation("Report received with code: {0}", reportCode); - - switch (reportCode) - { - case REPORT_PROCESS_MODULE_FAILURE: - - var checksumFailurePacket = BytesToStructure(); - - unsafe - { - _logger.LogInformation("Report code: {0}, Base address: {1:x}, Size: {2:x}, Name: ", - checksumFailurePacket.ReportCode, - checksumFailurePacket.ModuleBaseAddress, - checksumFailurePacket.ModuleSize); - } - - goto end; - - case REPORT_PROCESS_THREAD_START_ADDRESS_FAILURE: - - var startAddressFailurePacket = BytesToStructure(); - - _logger.LogInformation("Report code: {0}, Thread Id: {1:x}, Start Address: {2:x}", - startAddressFailurePacket.ReportCode, - startAddressFailurePacket.ThreadId, - startAddressFailurePacket.StartAddress); - - goto end; - - case REPORT_PAGE_PROTECTION_VERIFICATION: - - var pageProtectionFailure = BytesToStructure(); - - _logger.LogInformation("Report code: {0}, page base address: {1:x}, allocation protection {2:x}, allocation state: {3:x}, allocation type: {4:x}", - pageProtectionFailure.ReportCode, - pageProtectionFailure.PageBaseAddress, - pageProtectionFailure.AllocationProtection, - pageProtectionFailure.AllocationState, - pageProtectionFailure.AllocationType); - - goto end; - - case REPORT_PATTERN_SCAN_FAILURE: - - var patternScanFailure = BytesToStructure(); - - _logger.LogInformation("Report code: {0}, signature id: {1:x}, Address: {2:x}", - patternScanFailure.ReportCode, - patternScanFailure.SignatureId, - patternScanFailure.Address); - - goto end; - - case REPORT_NMI_CALLBACK_FAILURE: - - var nmiCallbackFailure = BytesToStructure(); - - _logger.LogInformation("Report code: {0}, WereNmisDisabled: {1:x}, KThreadAddress: {2:x}, InvalidRip: {3:x}", - nmiCallbackFailure.ReportCode, - nmiCallbackFailure.WereNmisDisabled, - nmiCallbackFailure.KThreadAddress, - nmiCallbackFailure.InvalidRip); - - goto end; - - case REPORT_KERNEL_MODULE_FAILURE: - - var kernelModuleFailure = BytesToStructure(); - - _logger.LogInformation("Report code: {0}, REportType: {1:x}, DriverBaseAddress: {2:x}, DriverSize: {3:x}", - kernelModuleFailure.ReportCode, - kernelModuleFailure.ReportType, - kernelModuleFailure.DriverBaseAddress, - kernelModuleFailure.DriverSize); - - goto end; - - case REPORT_OPEN_HANDLE_FAILURE_REPORT: - - var openHandleFailure = BytesToStructure(); - - _logger.LogInformation("Report code: {0}, ProcessID: {1:x}, ThreadId: {2:x}, DesiredAccess{3:x}", - openHandleFailure.ReportCode, - openHandleFailure.ProcessId, - openHandleFailure.ThreadId, - openHandleFailure.DesiredAccess); - - goto end; - - default: - _logger.LogError("Invalid report code received"); - goto end; - - } - end: - Array.Clear(_buffer, 0, _buffer.Length); - } - - private T BytesToStructure() - { - int size = Marshal.SizeOf(typeof(T)); - IntPtr ptr = Marshal.AllocHGlobal(size); - - try - { - unsafe { Marshal.Copy(_buffer, 0, ptr, size); } - return (T)Marshal.PtrToStructure(ptr, typeof(T)); - } - finally - { - Marshal.FreeHGlobal(ptr); + Array.Clear(_header, 0, _headerSize); } } diff --git a/service/messages/Message.cs b/service/messages/Message.cs new file mode 100644 index 0000000..2fd8038 --- /dev/null +++ b/service/messages/Message.cs @@ -0,0 +1,26 @@ +using System; +using System.Collections.Generic; +using System.Diagnostics.CodeAnalysis; +using System.IO.Pipes; +using System.Linq; +using System.Text; +using System.Threading.Tasks; + +namespace service.messages +{ + public class Message + { + private NamedPipeServerStream _pipeServer; + private int _packetHeaderSize; + public Message(NamedPipeServerStream pipeServer, int packetHeaderSize) + { + _pipeServer = pipeServer; + _packetHeaderSize = packetHeaderSize; + } + + public void ReadPipeBuffer(ref byte[] buffer, int bufferSize ) + { + _pipeServer.Read(buffer, 0, bufferSize + _packetHeaderSize); + } + } +} diff --git a/service/messages/Receive.cs b/service/messages/Receive.cs index dfba382..9b9c350 100644 --- a/service/messages/Receive.cs +++ b/service/messages/Receive.cs @@ -1,12 +1,67 @@ -using System; +using Serilog; +using System; using System.Collections.Generic; +using System.IO.Pipes; using System.Linq; +using System.Runtime.InteropServices; using System.Text; using System.Threading.Tasks; namespace service.messages { - internal class Receive + public class Receive : Message { + private byte[] _buffer; + private static int RECEIVE_BUFFER_SIZE = 8192; + private IntPtr _receiveMessageAllocation; + + private enum RECEIVE_TYPE + { + SERVER_SEND_MODULE_INTEGRITY_CHECK = 10 + } + + public Receive(NamedPipeServerStream pipeServer, int pipePacketHeaderSize) + : base(pipeServer, pipePacketHeaderSize) + { + _buffer = new byte[RECEIVE_BUFFER_SIZE]; + } + + public void StoreMessage() + { + ReadPipeBuffer(ref _buffer, RECEIVE_BUFFER_SIZE); + + Types.Receive.PIPE_PACKET_SEND_EXTENSION_HEADER header = GetPacketHeader(); + + _receiveMessageAllocation = Marshal.AllocHGlobal((int)header.total_incoming_packet_size); + + int incoming_packets_count = header.total_incoming_packet_count; + + Log.Information("Incoming packet count: {0}", incoming_packets_count); + + if (incoming_packets_count > 1) + { + for (int i=0; i < incoming_packets_count; i++) + { + Marshal.Copy(_buffer, 0, _receiveMessageAllocation + i * RECEIVE_BUFFER_SIZE, (int)header.packet_size); + + Array.Clear(_buffer); + + ReadPipeBuffer(ref _buffer, RECEIVE_BUFFER_SIZE); + + Types.Receive.PIPE_PACKET_SEND_EXTENSION_HEADER test = GetPacketHeader(); + + Log.Information("Packet number: {0}, packet size: {1}", test.current_packet_number, test.packet_size); + } + } + else + { + Marshal.Copy(_buffer, 0, _receiveMessageAllocation, (int)header.total_incoming_packet_size); + } + } + + private Types.Receive.PIPE_PACKET_SEND_EXTENSION_HEADER GetPacketHeader() + { + return Helper.BytesToStructure(ref _buffer); + } } } diff --git a/service/messages/Report.cs b/service/messages/Report.cs index 35586ed..68b2830 100644 --- a/service/messages/Report.cs +++ b/service/messages/Report.cs @@ -6,16 +6,14 @@ using service; using System.Runtime.ConstrainedExecution; using System.Text; using System.Threading.Tasks; +using service.Types.Reports; +using Serilog; namespace service.messages { - public class Report + public class Report : Message { - private NamedPipeServerStream _pipeServer; - private readonly ILogger _logger; - private byte[] _buffer; - private static int REPORT_BUFFER_SIZE = 1024; private enum REPORT_TYPE @@ -29,22 +27,14 @@ namespace service.messages REPORT_OPEN_HANDLE_FAILURE_REPORT = 70 } - public Report( - ILogger logger, - NamedPipeServerStream pipeServer, - int pipePacketHeaderSize - ) + public Report(NamedPipeServerStream pipeServer, int pipePacketHeaderSize) + : base(pipeServer, pipePacketHeaderSize) { - _logger = logger; - _pipeServer = pipeServer; _buffer = new byte[REPORT_BUFFER_SIZE]; - ReadReportIntoBuffer(pipePacketHeaderSize); - } + ReadPipeBuffer(ref _buffer, REPORT_BUFFER_SIZE); - private void ReadReportIntoBuffer(int pipePacketHeaderSize) - { - _pipeServer.Read(_buffer, 0, REPORT_BUFFER_SIZE + pipePacketHeaderSize); + ConvertByteReportIntoStructure(); } // This is fine for now as the report header is only an int @@ -58,7 +48,7 @@ namespace service.messages if (!Enum.IsDefined(typeof(REPORT_TYPE), reportType)) { - _logger.LogError("Enum value of {0} is invalid.", reportType); + //_logger.LogError("Enum value of {0} is invalid.", reportType); return Task.CompletedTask; } @@ -66,18 +56,25 @@ namespace service.messages switch(reportType) { case (int)REPORT_TYPE.REPORT_PROCESS_MODULE_FAILURE: + PrintProcessModuleFailureReport(); break; case (int)REPORT_TYPE.REPORT_PROCESS_THREAD_START_ADDRESS_FAILURE: + PrintStartAddressFailure(); break; case (int)REPORT_TYPE.REPORT_PAGE_PROTECTION_VERIFICATION: + PrintPageProtectionFailure(); break; case (int)REPORT_TYPE.REPORT_PATTERN_SCAN_FAILURE: + PrintPatternScanFailure(); break; case (int)REPORT_TYPE.REPORT_NMI_CALLBACK_FAILURE: + PrintNmiCallbackFailure(); break; case (int)REPORT_TYPE.REPORT_KERNEL_MODULE_FAILURE: + PrintKernelModuleFailure(); break; case (int)REPORT_TYPE.REPORT_OPEN_HANDLE_FAILURE_REPORT: + PrintOpenHandleFailure(); break; default: break; @@ -85,5 +82,81 @@ namespace service.messages return Task.CompletedTask; } + + private void PrintProcessModuleFailureReport() + { + MODULE_VERIFICATION_CHECKSUM_FAILURE report = Helper.BytesToStructure(ref _buffer); + + Log.Information("Report code: {0}, Base address: {1:x}, Size: {2:x}, Name: ", + report.ReportCode, + report.ModuleBaseAddress, + report.ModuleSize); + } + + private void PrintStartAddressFailure() + { + PROCESS_THREAD_START_FAILURE report = Helper.BytesToStructure(ref _buffer); + + Log.Information("Report code: {0}, Thread Id: {1:x}, Start Address: {2:x}", + report.ReportCode, + report.ThreadId, + report.StartAddress); + } + + private void PrintPageProtectionFailure() + { + PAGE_PROTECTION_FAILURE report = Helper.BytesToStructure(ref _buffer); + + Log.Information("Report code: {0}, page base address: {1:x}, allocation protection {2:x}, allocation state: {3:x}, allocation type: {4:x}", + report.ReportCode, + report.PageBaseAddress, + report.AllocationProtection, + report.AllocationState, + report.AllocationType); + } + + private void PrintPatternScanFailure() + { + PATTERN_SCAN_FAILURE report = Helper.BytesToStructure(ref _buffer); + + Log.Information("Report code: {0}, signature id: {1:x}, Address: {2:x}", + report.ReportCode, + report.SignatureId, + report.Address); + } + + private void PrintNmiCallbackFailure() + { + NMI_CALLBACK_FAILURE report = Helper.BytesToStructure(ref _buffer); + + Log.Information("Report code: {0}, WereNmisDisabled: {1:x}, KThreadAddress: {2:x}, InvalidRip: {3:x}", + report.ReportCode, + report.WereNmisDisabled, + report.KThreadAddress, + report.InvalidRip); + } + + private void PrintKernelModuleFailure() + { + MODULE_VALIDATION_FAILURE report = Helper.BytesToStructure(ref _buffer); + + Log.Information("Report code: {0}, REportType: {1:x}, DriverBaseAddress: {2:x}, DriverSize: {3:x}", + report.ReportCode, + report.ReportType, + report.DriverBaseAddress, + report.DriverSize); + } + + private void PrintOpenHandleFailure() + { + OPEN_HANDLE_FAILURE_REPORT report = Helper.BytesToStructure(ref _buffer); + + Log.Information("Report code: {0}, ProcessID: {1:x}, ThreadId: {2:x}, DesiredAccess{3:x}", + report.ReportCode, + report.ProcessId, + report.ThreadId, + report.DesiredAccess); + } + } }