bed time (:

2024-11-21 22:24:08 +01:00 · 2023-08-16 20:47:09 +10:00 · 2023-08-16 20:47:09 +10:00 · 302e50f955
commit 302e50f955
parent 977905ee77
10 changed files with 111 additions and 11 deletions
--- a/user/main.cpp
+++ b/user/main.cpp
@ -5,7 +5,7 @@
 #include "common.h"

 #include "../user/um/threadpool.h"
-#include "../user/um/ummanager.h"
+#include "../user/um/manager.h"

 void TestFunction()
 {
--- a/user/um/ummanager.cpp
+++ b/user/um/ummanager.cpp
@ -1,4 +1,4 @@
-#include "ummanager.h"
+#include "manager.h"

 #include "../common.h"
 #include "process.h"
--- a/user/um/ummanager.h
+++ b/user/um/ummanager.h
@ -1,5 +1,5 @@
-#ifndef UMMANAGER_H
-#define UMMANAGER_H
+#ifndef MANAGER_H
+#define MANAGER_H

 #include <string>
 #include <winternl.h>
@ -12,6 +12,11 @@

 namespace usermode
 {
+	/*
+	* The manager class is meant to abstract away the interaction between the Process
+	* class and the threadpool class to allow a single thread (or multiple) to easily run
+	* the core business logic of running tasks in a certain order.
+	*/
 	class Manager
 	{
 		std::string process_name;
--- a/user/um/module.cpp
+++ b/user/um/module.cpp
@ -0,0 +1 @@
+#include "module.h"
--- a/user/um/module.h
+++ b/user/um/module.h
@ -0,0 +1,8 @@
+#ifndef MODULE_H
+#define MODULE_H
+
+#include <Windows.h>
+
+
+
+#endif
--- a/user/um/process.cpp
+++ b/user/um/process.cpp
@ -5,8 +5,6 @@

 #include <iostream>

-#define ThreadQuerySetWin32StartAddress 9
-
 usermode::Process::Process( int ThreadCount, std::string ProcessName )
 {
 	this->process_name = ProcessName;
@ -32,7 +30,20 @@ usermode::Process::~Process()

 void usermode::Process::ValidateProcessThreads()
 {
+	bool result = false;
 	std::vector<UINT64> threads = GetProcessThreadsStartAddresses();
+
+	for ( int i = 0; i < threads.size(); i++ )
+	{
+		if ( CheckIfAddressLiesWithinValidProcessModule( threads[ i ], &result ) )
+		{
+			if ( result == false )
+			{
+				//REPORT 
+				LOG_ERROR( "thread start address nto from process module OMG" );
+			}
+		}
+	}
 }

 std::vector<UINT64> usermode::Process::GetProcessThreadsStartAddresses()
@ -44,8 +55,10 @@ std::vector<UINT64> usermode::Process::GetProcessThreadsStartAddresses()
 	UINT64 start_address;
 	std::vector<UINT64> start_addresses;

-	pNtQueryInformationThread NtQueryInfo = ( pNtQueryInformationThread )this->function_imports->ImportMap["NtQueryInformationThread"];
+	pNtQueryInformationThread NtQueryInfo = 
+		( pNtQueryInformationThread )this->function_imports->ImportMap["NtQueryInformationThread"];

+	/* th32ProcessId ignored for TH32CS_SNAPTHREAD value */
 	thread_snapshot_handle = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );

 	if ( thread_snapshot_handle == INVALID_HANDLE_VALUE )
@ -94,6 +107,55 @@ std::vector<UINT64> usermode::Process::GetProcessThreadsStartAddresses()
 	return start_addresses;
 }

+/*
+* Iterates through a processes modules and confirms whether the address lies within the memory region
+* of the module. A simple way to check if a thread is a valid thread, however there are ways around
+* this check so it is not a perfect solution.
+*/
+bool usermode::Process::CheckIfAddressLiesWithinValidProcessModule( UINT64 Address, bool* result )
+{
+	HANDLE process_modules_handle;
+	MODULEENTRY32 module_entry;
+
+	process_modules_handle = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, this->process_id );
+
+	LOG_INFO( "Address: %llx", Address );
+
+	if ( process_modules_handle == INVALID_HANDLE_VALUE )
+	{
+		LOG_ERROR( "CreateToolHelp32Snapshot with TH32CS_SNAPMODULE failed with status 0x%x", GetLastError() );
+		return false;
+	}
+
+	module_entry.dwSize = sizeof( MODULEENTRY32 );
+
+	if ( !Module32First( process_modules_handle, &module_entry ) )
+	{
+		LOG_ERROR( "Module32First failed with status 0x%x", GetLastError() );
+		CloseHandle( process_modules_handle );
+		return false;
+	}
+
+	do
+	{
+		UINT64 base = (UINT64)module_entry.modBaseAddr;
+		UINT64 end = base + module_entry.modBaseSize;
+
+		if ( Address >= base && Address <= end )
+		{
+			LOG_INFO( "found valid module LOL" );
+			CloseHandle( process_modules_handle );
+			*result = true;
+			return true;
+		}
+
+	} while ( Module32Next( process_modules_handle, &module_entry ) );
+
+	CloseHandle( process_modules_handle );
+	*result = false;
+	return true;
+}
+

 HANDLE usermode::Process::GetHandleToProcessGivenName( std::string ProcessName )
 {
--- a/user/um/process.h
+++ b/user/um/process.h
@ -9,8 +9,16 @@
 #include "../um/threadpool.h"
 #include "../um/imports.h"

+#define ThreadQuerySetWin32StartAddress 9
+
 namespace usermode 
 {
+	/*
+	* This class represents a process and the usermode functions responsible for
+	* the protection of it. This class represents the protected process and allows
+	* us to split protection class into methods which can then be easily managed
+	* by the usermode manager class.
+	*/
 	class Process
 	{
 		HANDLE process_handle;
@ -21,7 +29,10 @@ namespace usermode

 		HANDLE GetHandleToProcessGivenName( std::string ProcessName );
 		std::vector<UINT64> GetProcessThreadsStartAddresses();
+		bool CheckIfAddressLiesWithinValidProcessModule( UINT64 Address, bool* result );
+
 	public:
+
 		std::unique_ptr<ThreadPool> thread_pool;

 		Process( int ThreadCount, std::string ProcessName );
--- a/user/um/threadpool.h
+++ b/user/um/threadpool.h
@ -8,6 +8,11 @@

 namespace usermode
 {
+	/*
+	* This ThreadPool class is a simple threadpool implementation that will allow us 
+	* to delegate jobs to a set number of threads without the constant need to close
+	* and open new threads.
+	*/
 	class ThreadPool
 	{
 		int thread_count;
--- a/user/user.vcxproj
+++ b/user/user.vcxproj
@ -130,17 +130,19 @@
    <ClCompile Include="km\kprotection.cpp" />
    <ClCompile Include="main.cpp" />
    <ClCompile Include="um\imports.cpp" />
+    <ClCompile Include="um\module.cpp" />
    <ClCompile Include="um\process.cpp" />
    <ClCompile Include="um\threadpool.cpp" />
-    <ClCompile Include="um\ummanager.cpp" />
+    <ClCompile Include="um\manager.cpp" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="common.h" />
    <ClInclude Include="km\kprotection.h" />
    <ClInclude Include="um\imports.h" />
+    <ClInclude Include="um\module.h" />
    <ClInclude Include="um\process.h" />
    <ClInclude Include="um\threadpool.h" />
-    <ClInclude Include="um\ummanager.h" />
+    <ClInclude Include="um\manager.h" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
--- a/user/user.vcxproj.filters
+++ b/user/user.vcxproj.filters
@ -18,7 +18,7 @@
    <ClCompile Include="main.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
-    <ClCompile Include="um\ummanager.cpp">
+    <ClCompile Include="um\manager.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="km\kprotection.cpp">
@ -33,12 +33,15 @@
    <ClCompile Include="um\imports.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
+    <ClCompile Include="um\module.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="common.h">
      <Filter>Header Files</Filter>
    </ClInclude>
-    <ClInclude Include="um\ummanager.h">
+    <ClInclude Include="um\manager.h">
      <Filter>Header Files</Filter>
    </ClInclude>
    <ClInclude Include="km\kprotection.h">
@ -53,5 +56,8 @@
    <ClInclude Include="um\imports.h">
      <Filter>Header Files</Filter>
    </ClInclude>
+    <ClInclude Include="um\module.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
  </ItemGroup>
 </Project>