noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

make da service shite beda

Browse source
This commit is contained in:
lhodges1 2023-08-24 17:29:16 +10:00
parent 05210ba08a
commit 258352f180
5 changed files with 250 additions and 198 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

115
service/Types.cs
View file

@ -11,66 +11,81 @@ namespace service
{ {
namespace Types namespace Types
{ {
[StructLayout(LayoutKind.Sequential)] namespace Receive
public unsafe struct MODULE_VERIFICATION_CHECKSUM_FAILURE
{ {
public int ReportCode; struct PIPE_PACKET_SEND_EXTENSION_HEADER
public UInt64 ModuleBaseAddress; {
public UInt64 ModuleSize; public int request_id;
public fixed char ModuleName[512]; public int current_packet_number;
public int total_incoming_packet_count;
public long packet_size;
public long total_incoming_packet_size;
};
} }
public struct PROCESS_THREAD_START_FAILURE namespace Reports
{ {
public int ReportCode; [StructLayout(LayoutKind.Sequential)]
public long ThreadId; public unsafe struct MODULE_VERIFICATION_CHECKSUM_FAILURE
public UInt64 StartAddress; {
} public int ReportCode;
public UInt64 ModuleBaseAddress;
public UInt64 ModuleSize;
public fixed char ModuleName[512];
}
public struct PAGE_PROTECTION_FAILURE public struct PROCESS_THREAD_START_FAILURE
{ {
public int ReportCode; public int ReportCode;
public UInt64 PageBaseAddress; public long ThreadId;
public long AllocationProtection; public UInt64 StartAddress;
public long AllocationState; }
public long AllocationType;
}
public struct PATTERN_SCAN_FAILURE public struct PAGE_PROTECTION_FAILURE
{ {
public int ReportCode; public int ReportCode;
public int SignatureId; public UInt64 PageBaseAddress;
public UInt64 Address; public long AllocationProtection;
} public long AllocationState;
public long AllocationType;
}
public struct NMI_CALLBACK_FAILURE public struct PATTERN_SCAN_FAILURE
{ {
public int ReportCode; public int ReportCode;
public int WereNmisDisabled; public int SignatureId;
public UInt64 KThreadAddress; public UInt64 Address;
public UInt64 InvalidRip; }
}
[StructLayout(LayoutKind.Sequential)] public struct NMI_CALLBACK_FAILURE
public unsafe struct MODULE_VALIDATION_FAILURE {
{ public int ReportCode;
public int ReportCode; public int WereNmisDisabled;
public int ReportType; public UInt64 KThreadAddress;
public long DriverBaseAddress; public UInt64 InvalidRip;
public long DriverSize; }
public fixed char ModuleName[128];
}
[StructLayout(LayoutKind.Sequential)] [StructLayout(LayoutKind.Sequential)]
public unsafe struct OPEN_HANDLE_FAILURE_REPORT public unsafe struct MODULE_VALIDATION_FAILURE
{ {
public int ReportCode; public int ReportCode;
public int IsKernelHandle; public int ReportType;
public uint ProcessId; public long DriverBaseAddress;
public uint ThreadId; public long DriverSize;
public uint DesiredAccess; public fixed char ModuleName[128];
public fixed char ProcessName[64]; }
[StructLayout(LayoutKind.Sequential)]
public unsafe struct OPEN_HANDLE_FAILURE_REPORT
{
public int ReportCode;
public int IsKernelHandle;
public uint ProcessId;
public uint ThreadId;
public uint DesiredAccess;
public fixed char ProcessName[64];
}
} }
} }
} }

139
service/Worker.cs
View file

@ -2,6 +2,8 @@ using System.IO.Pipes;
using System.Runtime.CompilerServices; using System.Runtime.CompilerServices;
using System.Runtime.InteropServices; using System.Runtime.InteropServices;
using service.Types; using service.Types;
using service.messages;
using System;
#pragma warning disable CS1998 // Async method lacks 'await' operators and will run synchronously #pragma warning disable CS1998 // Async method lacks 'await' operators and will run synchronously
#pragma warning disable CS8600 #pragma warning disable CS8600
@ -19,9 +21,9 @@ namespace service
private enum MESSAGE_TYPE private enum MESSAGE_TYPE
{ {
MESSAGE_TYPE_REPORT, MESSAGE_TYPE_REPORT = 1,
MESSAGE_TYPE_RECEIVE, MESSAGE_TYPE_SEND = 2,
MESSAGE_TYPE_SEND, MESSAGE_TYPE_RECEIVE = 3
} }
struct PIPE_PACKET_HEADER struct PIPE_PACKET_HEADER
@ -64,16 +66,13 @@ namespace service
switch (header) switch (header)
{ {
case MESSAGE_TYPE_REPORT: case (int)MESSAGE_TYPE.MESSAGE_TYPE_REPORT:
Report report = new Report(_pipeServer, _headerSize);
_pipeServer.Read(_buffer, 0, PIPE_BUFFER_READ_SIZE + _headerBufSize);
await TranslatePipeBuffer();
break; break;
case MESSAGE_TYPE_REQUEST: case (int)MESSAGE_TYPE.MESSAGE_TYPE_RECEIVE:
Receive receive = new Receive(_pipeServer, _headerSize);
_logger.LogInformation("Request received lLOL"); receive.StoreMessage();
Array.Clear(_buffer, 0, _buffer.Length);
break; break;
} }
} }
@ -82,124 +81,8 @@ namespace service
{ {
_logger.LogError("Reading buffer from pipe failed with message: {0}", ex.Message); _logger.LogError("Reading buffer from pipe failed with message: {0}", ex.Message);
} }
}
}
private async Task TranslatePipeBuffer() Array.Clear(_header, 0, _headerSize);
{
int reportCode = BitConverter.ToInt32(_buffer, 0);
_logger.LogInformation("Report received with code: {0}", reportCode);
switch (reportCode)
{
case REPORT_PROCESS_MODULE_FAILURE:
var checksumFailurePacket = BytesToStructure<MODULE_VERIFICATION_CHECKSUM_FAILURE>();
unsafe
{
_logger.LogInformation("Report code: {0}, Base address: {1:x}, Size: {2:x}, Name: ",
checksumFailurePacket.ReportCode,
checksumFailurePacket.ModuleBaseAddress,
checksumFailurePacket.ModuleSize);
}
goto end;
case REPORT_PROCESS_THREAD_START_ADDRESS_FAILURE:
var startAddressFailurePacket = BytesToStructure<PROCESS_THREAD_START_FAILURE>();
_logger.LogInformation("Report code: {0}, Thread Id: {1:x}, Start Address: {2:x}",
startAddressFailurePacket.ReportCode,
startAddressFailurePacket.ThreadId,
startAddressFailurePacket.StartAddress);
goto end;
case REPORT_PAGE_PROTECTION_VERIFICATION:
var pageProtectionFailure = BytesToStructure<PAGE_PROTECTION_FAILURE>();
_logger.LogInformation("Report code: {0}, page base address: {1:x}, allocation protection {2:x}, allocation state: {3:x}, allocation type: {4:x}",
pageProtectionFailure.ReportCode,
pageProtectionFailure.PageBaseAddress,
pageProtectionFailure.AllocationProtection,
pageProtectionFailure.AllocationState,
pageProtectionFailure.AllocationType);
goto end;
case REPORT_PATTERN_SCAN_FAILURE:
var patternScanFailure = BytesToStructure<PATTERN_SCAN_FAILURE>();
_logger.LogInformation("Report code: {0}, signature id: {1:x}, Address: {2:x}",
patternScanFailure.ReportCode,
patternScanFailure.SignatureId,
patternScanFailure.Address);
goto end;
case REPORT_NMI_CALLBACK_FAILURE:
var nmiCallbackFailure = BytesToStructure<NMI_CALLBACK_FAILURE>();
_logger.LogInformation("Report code: {0}, WereNmisDisabled: {1:x}, KThreadAddress: {2:x}, InvalidRip: {3:x}",
nmiCallbackFailure.ReportCode,
nmiCallbackFailure.WereNmisDisabled,
nmiCallbackFailure.KThreadAddress,
nmiCallbackFailure.InvalidRip);
goto end;
case REPORT_KERNEL_MODULE_FAILURE:
var kernelModuleFailure = BytesToStructure<MODULE_VALIDATION_FAILURE>();
_logger.LogInformation("Report code: {0}, REportType: {1:x}, DriverBaseAddress: {2:x}, DriverSize: {3:x}",
kernelModuleFailure.ReportCode,
kernelModuleFailure.ReportType,
kernelModuleFailure.DriverBaseAddress,
kernelModuleFailure.DriverSize);
goto end;
case REPORT_OPEN_HANDLE_FAILURE_REPORT:
var openHandleFailure = BytesToStructure<OPEN_HANDLE_FAILURE_REPORT>();
_logger.LogInformation("Report code: {0}, ProcessID: {1:x}, ThreadId: {2:x}, DesiredAccess{3:x}",
openHandleFailure.ReportCode,
openHandleFailure.ProcessId,
openHandleFailure.ThreadId,
openHandleFailure.DesiredAccess);
goto end;
default:
_logger.LogError("Invalid report code received");
goto end;
}
end:
Array.Clear(_buffer, 0, _buffer.Length);
}
private T BytesToStructure<T>()
{
int size = Marshal.SizeOf(typeof(T));
IntPtr ptr = Marshal.AllocHGlobal(size);
try
{
unsafe { Marshal.Copy(_buffer, 0, ptr, size); }
return (T)Marshal.PtrToStructure(ptr, typeof(T));
}
finally
{
Marshal.FreeHGlobal(ptr);
} }
} }

26
service/messages/Message.cs Normal file
View file

@ -0,0 +1,26 @@
using System;
using System.Collections.Generic;
using System.Diagnostics.CodeAnalysis;
using System.IO.Pipes;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace service.messages
{
public class Message
{
private NamedPipeServerStream _pipeServer;
private int _packetHeaderSize;
public Message(NamedPipeServerStream pipeServer, int packetHeaderSize)
{
_pipeServer = pipeServer;
_packetHeaderSize = packetHeaderSize;
}
public void ReadPipeBuffer(ref byte[] buffer, int bufferSize )
{
_pipeServer.Read(buffer, 0, bufferSize + _packetHeaderSize);
}
}
}

59
service/messages/Receive.cs
View file

@ -1,12 +1,67 @@
using System; using Serilog;
using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.IO.Pipes;
using System.Linq; using System.Linq;
using System.Runtime.InteropServices;
using System.Text; using System.Text;
using System.Threading.Tasks; using System.Threading.Tasks;
namespace service.messages namespace service.messages
{ {
internal class Receive public class Receive : Message
{ {
private byte[] _buffer;
private static int RECEIVE_BUFFER_SIZE = 8192;
private IntPtr _receiveMessageAllocation;
private enum RECEIVE_TYPE
{
SERVER_SEND_MODULE_INTEGRITY_CHECK = 10
}
public Receive(NamedPipeServerStream pipeServer, int pipePacketHeaderSize)
: base(pipeServer, pipePacketHeaderSize)
{
_buffer = new byte[RECEIVE_BUFFER_SIZE];
}
public void StoreMessage()
{
ReadPipeBuffer(ref _buffer, RECEIVE_BUFFER_SIZE);
Types.Receive.PIPE_PACKET_SEND_EXTENSION_HEADER header = GetPacketHeader();
_receiveMessageAllocation = Marshal.AllocHGlobal((int)header.total_incoming_packet_size);
int incoming_packets_count = header.total_incoming_packet_count;
Log.Information("Incoming packet count: {0}", incoming_packets_count);
if (incoming_packets_count > 1)
{
for (int i=0; i < incoming_packets_count; i++)
{
Marshal.Copy(_buffer, 0, _receiveMessageAllocation + i * RECEIVE_BUFFER_SIZE, (int)header.packet_size);
Array.Clear(_buffer);
ReadPipeBuffer(ref _buffer, RECEIVE_BUFFER_SIZE);
Types.Receive.PIPE_PACKET_SEND_EXTENSION_HEADER test = GetPacketHeader();
Log.Information("Packet number: {0}, packet size: {1}", test.current_packet_number, test.packet_size);
}
}
else
{
Marshal.Copy(_buffer, 0, _receiveMessageAllocation, (int)header.total_incoming_packet_size);
}
}
private Types.Receive.PIPE_PACKET_SEND_EXTENSION_HEADER GetPacketHeader()
{
return Helper.BytesToStructure<Types.Receive.PIPE_PACKET_SEND_EXTENSION_HEADER>(ref _buffer);
}
} }
} }

109
service/messages/Report.cs
View file

@ -6,16 +6,14 @@ using service;
using System.Runtime.ConstrainedExecution; using System.Runtime.ConstrainedExecution;
using System.Text; using System.Text;
using System.Threading.Tasks; using System.Threading.Tasks;
using service.Types.Reports;
using Serilog;
namespace service.messages namespace service.messages
{ {
public class Report public class Report : Message
{ {
private NamedPipeServerStream _pipeServer;
private readonly ILogger<Report> _logger;
private byte[] _buffer; private byte[] _buffer;
private static int REPORT_BUFFER_SIZE = 1024; private static int REPORT_BUFFER_SIZE = 1024;
private enum REPORT_TYPE private enum REPORT_TYPE
@ -29,22 +27,14 @@ namespace service.messages
REPORT_OPEN_HANDLE_FAILURE_REPORT = 70 REPORT_OPEN_HANDLE_FAILURE_REPORT = 70
} }
public Report( public Report(NamedPipeServerStream pipeServer, int pipePacketHeaderSize)
ILogger<Report> logger, : base(pipeServer, pipePacketHeaderSize)
NamedPipeServerStream pipeServer,
int pipePacketHeaderSize
)
{ {
_logger = logger;
_pipeServer = pipeServer;
_buffer = new byte[REPORT_BUFFER_SIZE]; _buffer = new byte[REPORT_BUFFER_SIZE];
ReadReportIntoBuffer(pipePacketHeaderSize); ReadPipeBuffer(ref _buffer, REPORT_BUFFER_SIZE);
}
private void ReadReportIntoBuffer(int pipePacketHeaderSize) ConvertByteReportIntoStructure();
{
_pipeServer.Read(_buffer, 0, REPORT_BUFFER_SIZE + pipePacketHeaderSize);
} }
// This is fine for now as the report header is only an int // This is fine for now as the report header is only an int
@ -58,7 +48,7 @@ namespace service.messages
if (!Enum.IsDefined(typeof(REPORT_TYPE), reportType)) if (!Enum.IsDefined(typeof(REPORT_TYPE), reportType))
{ {
_logger.LogError("Enum value of {0} is invalid.", reportType); //_logger.LogError("Enum value of {0} is invalid.", reportType);
return Task.CompletedTask; return Task.CompletedTask;
} }
@ -66,18 +56,25 @@ namespace service.messages
switch(reportType) switch(reportType)
{ {
case (int)REPORT_TYPE.REPORT_PROCESS_MODULE_FAILURE: case (int)REPORT_TYPE.REPORT_PROCESS_MODULE_FAILURE:
PrintProcessModuleFailureReport();
break; break;
case (int)REPORT_TYPE.REPORT_PROCESS_THREAD_START_ADDRESS_FAILURE: case (int)REPORT_TYPE.REPORT_PROCESS_THREAD_START_ADDRESS_FAILURE:
PrintStartAddressFailure();
break; break;
case (int)REPORT_TYPE.REPORT_PAGE_PROTECTION_VERIFICATION: case (int)REPORT_TYPE.REPORT_PAGE_PROTECTION_VERIFICATION:
PrintPageProtectionFailure();
break; break;
case (int)REPORT_TYPE.REPORT_PATTERN_SCAN_FAILURE: case (int)REPORT_TYPE.REPORT_PATTERN_SCAN_FAILURE:
PrintPatternScanFailure();
break; break;
case (int)REPORT_TYPE.REPORT_NMI_CALLBACK_FAILURE: case (int)REPORT_TYPE.REPORT_NMI_CALLBACK_FAILURE:
PrintNmiCallbackFailure();
break; break;
case (int)REPORT_TYPE.REPORT_KERNEL_MODULE_FAILURE: case (int)REPORT_TYPE.REPORT_KERNEL_MODULE_FAILURE:
PrintKernelModuleFailure();
break; break;
case (int)REPORT_TYPE.REPORT_OPEN_HANDLE_FAILURE_REPORT: case (int)REPORT_TYPE.REPORT_OPEN_HANDLE_FAILURE_REPORT:
PrintOpenHandleFailure();
break; break;
default: default:
break; break;
@ -85,5 +82,81 @@ namespace service.messages
return Task.CompletedTask; return Task.CompletedTask;
} }
private void PrintProcessModuleFailureReport()
{
MODULE_VERIFICATION_CHECKSUM_FAILURE report = Helper.BytesToStructure<MODULE_VERIFICATION_CHECKSUM_FAILURE>(ref _buffer);
Log.Information("Report code: {0}, Base address: {1:x}, Size: {2:x}, Name: ",
report.ReportCode,
report.ModuleBaseAddress,
report.ModuleSize);
}
private void PrintStartAddressFailure()
{
PROCESS_THREAD_START_FAILURE report = Helper.BytesToStructure<PROCESS_THREAD_START_FAILURE>(ref _buffer);
Log.Information("Report code: {0}, Thread Id: {1:x}, Start Address: {2:x}",
report.ReportCode,
report.ThreadId,
report.StartAddress);
}
private void PrintPageProtectionFailure()
{
PAGE_PROTECTION_FAILURE report = Helper.BytesToStructure<PAGE_PROTECTION_FAILURE>(ref _buffer);
Log.Information("Report code: {0}, page base address: {1:x}, allocation protection {2:x}, allocation state: {3:x}, allocation type: {4:x}",
report.ReportCode,
report.PageBaseAddress,
report.AllocationProtection,
report.AllocationState,
report.AllocationType);
}
private void PrintPatternScanFailure()
{
PATTERN_SCAN_FAILURE report = Helper.BytesToStructure<PATTERN_SCAN_FAILURE>(ref _buffer);
Log.Information("Report code: {0}, signature id: {1:x}, Address: {2:x}",
report.ReportCode,
report.SignatureId,
report.Address);
}
private void PrintNmiCallbackFailure()
{
NMI_CALLBACK_FAILURE report = Helper.BytesToStructure<NMI_CALLBACK_FAILURE>(ref _buffer);
Log.Information("Report code: {0}, WereNmisDisabled: {1:x}, KThreadAddress: {2:x}, InvalidRip: {3:x}",
report.ReportCode,
report.WereNmisDisabled,
report.KThreadAddress,
report.InvalidRip);
}
private void PrintKernelModuleFailure()
{
MODULE_VALIDATION_FAILURE report = Helper.BytesToStructure<MODULE_VALIDATION_FAILURE>(ref _buffer);
Log.Information("Report code: {0}, REportType: {1:x}, DriverBaseAddress: {2:x}, DriverSize: {3:x}",
report.ReportCode,
report.ReportType,
report.DriverBaseAddress,
report.DriverSize);
}
private void PrintOpenHandleFailure()
{
OPEN_HANDLE_FAILURE_REPORT report = Helper.BytesToStructure<OPEN_HANDLE_FAILURE_REPORT>(ref _buffer);
Log.Information("Report code: {0}, ProcessID: {1:x}, ThreadId: {2:x}, DesiredAccess{3:x}",
report.ReportCode,
report.ProcessId,
report.ThreadId,
report.DesiredAccess);
}
} }
} }