sum smol comentz c:

2024-11-21 22:24:08 +01:00 · 2023-09-06 02:47:46 +10:00 · 2023-09-06 02:47:46 +10:00 · 30589cf131
commit 30589cf131
parent 289c2bbbb1
4 changed files with 33 additions and 25 deletions
--- a/driver/driver.c
+++ b/driver/driver.c
@ -307,6 +307,9 @@ VOID TerminateProtectedProcessOnViolation()
 		return;
 	}

+	/*
+	* THERE IS A BUG WIHT THE HANDLE!! xD todo fix !
+	*/
 	status = ZwTerminateProcess( process_id, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );

 	if ( !NT_SUCCESS( status ) )
--- a/driver/integrity.c
+++ b/driver/integrity.c
@ -121,7 +121,7 @@ NTSTATUS StoreModuleExecutableRegionsInBuffer(

 	/*
 	* Note: Verifier doesn't like it when we map the module so rather then mapping it to our address
-	* space we will simply use MmCopyMemory on the module to avoid upsettings verifier :)
+	* space we will simply use MmCopyMemory on the module to avoid upsetting verifier :)
 	*/

 	dos_header = ( PIMAGE_DOS_HEADER )ModuleBase;
@ -302,6 +302,14 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(

 	if ( !NT_SUCCESS( status ) )
 	{
+		/*
+		* It is of utmost importants to mark SectionHandle as null after closing the
+		* handle from inside this function since an error has occured. The reason this is
+		* so important is because we are not responsible for freeing the function if it succeeds
+		* and even if it fails, we still allocate a value to the handle via ZwCreateSection.
+		* Meaning when the caller goes to check if the handle is null, it will not be null
+		* and will cause a double free. 
+		*/
 		DEBUG_ERROR( "ZwMapViewOfSection failed with status %x", status );
 		ZwClose( file_handle );
 		ZwClose( *SectionHandle );
@ -477,7 +485,7 @@ NTSTATUS ComputeHashOfBuffer(
 end:

 	if ( algo_handle )
-		BCryptCloseAlgorithmProvider( algo_handle, 0 );
+		BCryptCloseAlgorithmProvider( algo_handle, NULL );

 	if ( hash_handle )
 		BCryptDestroyHash( hash_handle );
@ -931,6 +939,7 @@ NTSTATUS ValidateProcessLoadedModule(
 	module_info = ( PPROCESS_MODULE_INFORMATION )Irp->AssociatedIrp.SystemBuffer;

 	GetProtectedProcessEProcess( &process );
+
 	KeStackAttachProcess( process, &apc_state );

 	status = StoreModuleExecutableRegionsInBuffer(
@ -1008,16 +1017,14 @@ NTSTATUS ValidateProcessLoadedModule(

 	bstatus = RtlEqualMemory( in_memory_hash, disk_hash, in_memory_hash_size );

-	if ( bstatus == TRUE )
-	{
-		DEBUG_LOG( "ALL BYTES EQUAL!" );
-	}
-	else
-	{
-		DEBUG_ERROR( "BBTES NOT EQUAL!!" );
-	}
+	/*
+	* Because each module is passed per IRP we don't need to send any reports
+	* to the queue we can simply pass it back to usermode via the same IRP.
+	* We also don't need to send any module information since usermode has everything
+	* needed to file the report.
+	*/
+	validation_result.is_module_valid = bstatus;

-	validation_result.is_module_valid = TRUE;
 	Irp->IoStatus.Information = sizeof( PROCESS_MODULE_VALIDATION_RESULT );

 	RtlCopyMemory( 
--- a/user/client.h
+++ b/user/client.h
@ -82,7 +82,7 @@ namespace global

 	namespace report_structures
 	{
-		struct MODULE_VERIFICATION_CHECKSUM_FAILURE
+		struct PROCESS_MODULES_INTEGRITY_CHECK_FAILURE
 		{
 			INT report_code;
 			UINT64 module_base_address;
--- a/user/km/driver.cpp
+++ b/user/km/driver.cpp
@ -577,19 +577,17 @@ VOID kernelmode::Driver::VerifyProcessLoadedModuleExecutableRegions()
 			continue;
 		}

-		LOG_INFO( "Bytes returned: %lx", bytes_returned );
-
-		/* compare the current checksum to the previously calculated checksum */
-		//if ( this->in_memory_module_checksums[ index ] != in_memory_check_sum )
-		//{
-		//	global::report_structures::MODULE_VERIFICATION_CHECKSUM_FAILURE report;
-		//	report.report_code = REPORT_CODE_MODULE_VERIFICATION;
-		//	report.module_base_address = (UINT64)module_entry.modBaseAddr;
-		//	report.module_size = module_entry.modBaseSize;
-		//	std::wstring wstr( module_entry.szModule );
-		//	report.module_name = std::string( wstr.begin(), wstr.end() );
-		//	this->report_interface->ReportViolation( &report );
-		//}
+		if ( validation_result.is_module_valid == FALSE )
+		{
+			/*TODO: copy module aswell from an anomaly offset */
+			global::report_structures::PROCESS_MODULES_INTEGRITY_CHECK_FAILURE report;
+			report.report_code = REPORT_CODE_MODULE_VERIFICATION;
+			report.module_base_address = (UINT64)module_entry.modBaseAddr;
+			report.module_size = module_entry.modBaseSize;
+			std::wstring wstr( module_entry.szModule );
+			report.module_name = std::string( wstr.begin(), wstr.end() );
+			this->report_interface->ReportViolation( &report );
+		}

 	} while ( Module32Next( process_modules_handle, &module_entry ) );