time 4 sleep c:
This commit is contained in:
parent
29def070b8
commit
3d1e2c7235
4 changed files with 167 additions and 40 deletions
182
driver/driver.c
182
driver/driver.c
|
@ -56,7 +56,7 @@ VOID GetDriverName(
|
|||
)
|
||||
{
|
||||
KeAcquireGuardedMutex( &driver_config.lock );
|
||||
*DriverName = driver_config.driver_name;
|
||||
*DriverName = driver_config.ansi_driver_name.Buffer;
|
||||
KeReleaseGuardedMutex( &driver_config.lock );
|
||||
}
|
||||
|
||||
|
@ -96,42 +96,131 @@ VOID GetDriverSymbolicLink(
|
|||
KeReleaseGuardedMutex( &driver_config.lock );
|
||||
}
|
||||
|
||||
VOID InitialiseDriverConfigOnDriverEntry(
|
||||
NTSTATUS RegistryPathQueryCallbackRoutine(
|
||||
IN PWSTR ValueName,
|
||||
IN ULONG ValueType,
|
||||
IN PVOID ValueData,
|
||||
IN ULONG ValueLength,
|
||||
IN PVOID Context,
|
||||
IN PVOID EntryContext
|
||||
)
|
||||
{
|
||||
UNICODE_STRING value_name;
|
||||
BOOLEAN result;
|
||||
RtlInitUnicodeString( &value_name, ValueName );
|
||||
|
||||
UNICODE_STRING image_path = RTL_CONSTANT_STRING( L"ImagePath" );
|
||||
UNICODE_STRING display_name = RTL_CONSTANT_STRING( L"DisplayName" );
|
||||
|
||||
if ( RtlCompareUnicodeString(&value_name, &image_path, FALSE) == FALSE )
|
||||
{
|
||||
DEBUG_LOG( "Value type image path given" );
|
||||
driver_config.driver_path.Buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, ValueLength, DRIVER_PATH_POOL_TAG );
|
||||
driver_config.driver_path.Length = ValueLength;
|
||||
driver_config.driver_path.MaximumLength = ValueLength;
|
||||
|
||||
if ( !driver_config.driver_path.Buffer )
|
||||
return STATUS_ABANDONED;
|
||||
|
||||
RtlCopyMemory(
|
||||
driver_config.driver_path.Buffer,
|
||||
ValueData,
|
||||
ValueLength
|
||||
);
|
||||
}
|
||||
|
||||
if ( RtlCompareUnicodeString( &value_name, &display_name, FALSE ) == FALSE )
|
||||
{
|
||||
DEBUG_LOG( "Value type image path given" );
|
||||
driver_config.unicode_driver_name.Buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, ValueLength, DRIVER_PATH_POOL_TAG );
|
||||
driver_config.unicode_driver_name.Length = ValueLength;
|
||||
driver_config.unicode_driver_name.MaximumLength = ValueLength;
|
||||
|
||||
if ( !driver_config.unicode_driver_name.Buffer )
|
||||
return STATUS_ABANDONED;
|
||||
|
||||
RtlCopyMemory(
|
||||
driver_config.unicode_driver_name.Buffer,
|
||||
ValueData,
|
||||
ValueLength
|
||||
);
|
||||
}
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
||||
VOID FreeDriverConfigurationStringBuffers()
|
||||
{
|
||||
if ( driver_config.unicode_driver_name.Buffer )
|
||||
ExFreePoolWithTag( driver_config.unicode_driver_name.Buffer, DRIVER_PATH_POOL_TAG );
|
||||
|
||||
if ( driver_config.driver_path.Buffer )
|
||||
ExFreePoolWithTag( driver_config.driver_path.Buffer, DRIVER_PATH_POOL_TAG );
|
||||
|
||||
if (driver_config.ansi_driver_name.Buffer )
|
||||
RtlFreeAnsiString( &driver_config.ansi_driver_name );
|
||||
}
|
||||
|
||||
NTSTATUS InitialiseDriverConfigOnDriverEntry(
|
||||
_In_ PUNICODE_STRING RegistryPath
|
||||
)
|
||||
{
|
||||
NTSTATUS status;
|
||||
RTL_QUERY_REGISTRY_TABLE query_table[ 2 ] = { 0 };
|
||||
|
||||
KeInitializeGuardedMutex( &driver_config.lock );
|
||||
|
||||
RtlInitUnicodeString( &driver_config.device_name, L"\\Device\\DonnaAC" );
|
||||
RtlInitUnicodeString( &driver_config.device_symbolic_link, L"\\??\\DonnaAC" );
|
||||
RtlCopyUnicodeString( &driver_config.registry_path, RegistryPath );
|
||||
}
|
||||
|
||||
query_table[ 0 ].Flags = RTL_QUERY_REGISTRY_NOEXPAND;
|
||||
query_table[ 0 ].Name = L"ImagePath";
|
||||
query_table[ 0 ].DefaultType = REG_MULTI_SZ;
|
||||
query_table[ 0 ].DefaultLength = 0;
|
||||
query_table[ 0 ].DefaultData = NULL;
|
||||
query_table[ 0 ].EntryContext = NULL;
|
||||
query_table[ 0 ].QueryRoutine = RegistryPathQueryCallbackRoutine;
|
||||
|
||||
VOID TerminateProtectedProcessOnViolation()
|
||||
{
|
||||
NTSTATUS status;
|
||||
ULONG process_id;
|
||||
query_table[ 1 ].Flags = RTL_QUERY_REGISTRY_NOEXPAND;
|
||||
query_table[ 1 ].Name = L"DisplayName";
|
||||
query_table[ 1 ].DefaultType = REG_SZ;
|
||||
query_table[ 1 ].DefaultLength = 0;
|
||||
query_table[ 1 ].DefaultData = NULL;
|
||||
query_table[ 1 ].EntryContext = NULL;
|
||||
query_table[ 1 ].QueryRoutine = RegistryPathQueryCallbackRoutine;
|
||||
|
||||
GetProtectedProcessId( &process_id );
|
||||
|
||||
if ( !process_id )
|
||||
{
|
||||
DEBUG_ERROR( "Failed to terminate process as process id is null" );
|
||||
return;
|
||||
}
|
||||
|
||||
status = ZwTerminateProcess( process_id, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );
|
||||
status = RtlxQueryRegistryValues(
|
||||
RTL_REGISTRY_ABSOLUTE,
|
||||
RegistryPath->Buffer,
|
||||
&query_table,
|
||||
NULL,
|
||||
NULL
|
||||
);
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "ZwTerminateProcess failed with status %x", status );
|
||||
return;
|
||||
FreeDriverConfigurationStringBuffers();
|
||||
return status;
|
||||
}
|
||||
|
||||
ClearDriverConfigOnProcessTermination();
|
||||
status = RtlUnicodeStringToAnsiString(
|
||||
&driver_config.ansi_driver_name,
|
||||
&driver_config.unicode_driver_name,
|
||||
TRUE
|
||||
);
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "Failed to convert unicode string to ansi string" );
|
||||
FreeDriverConfigurationStringBuffers();
|
||||
return status;
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
|
||||
NTSTATUS InitialiseDriverConfigOnProcessLaunch(
|
||||
_In_ PIRP Irp
|
||||
)
|
||||
|
@ -166,6 +255,7 @@ NTSTATUS InitialiseDriverConfigOnProcessLaunch(
|
|||
|
||||
VOID CleanupDriverConfigOnUnload()
|
||||
{
|
||||
FreeDriverConfigurationStringBuffers();
|
||||
IoDeleteSymbolicLink( &driver_config.device_symbolic_link );
|
||||
}
|
||||
|
||||
|
@ -178,6 +268,27 @@ VOID DriverUnload(
|
|||
IoDeleteDevice( DriverObject->DeviceObject );
|
||||
}
|
||||
|
||||
VOID TerminateProtectedProcessOnViolation()
|
||||
{
|
||||
NTSTATUS status;
|
||||
ULONG process_id;
|
||||
|
||||
GetProtectedProcessId( &process_id );
|
||||
|
||||
if ( !process_id )
|
||||
{
|
||||
DEBUG_ERROR( "Failed to terminate process as process id is null" );
|
||||
return;
|
||||
}
|
||||
|
||||
status = ZwTerminateProcess( process_id, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
DEBUG_ERROR( "ZwTerminateProcess failed with status %x", status );
|
||||
|
||||
ClearProcessConfigOnProcessTermination();
|
||||
}
|
||||
|
||||
NTSTATUS DriverEntry(
|
||||
_In_ PDRIVER_OBJECT DriverObject,
|
||||
_In_ PUNICODE_STRING RegistryPath
|
||||
|
@ -188,7 +299,11 @@ NTSTATUS DriverEntry(
|
|||
BOOLEAN flag = FALSE;
|
||||
NTSTATUS status;
|
||||
|
||||
InitialiseDriverConfigOnDriverEntry( RegistryPath );
|
||||
status = InitialiseDriverConfigOnDriverEntry( RegistryPath );
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
return STATUS_ABANDONED;
|
||||
|
||||
|
||||
status = IoCreateDevice(
|
||||
DriverObject,
|
||||
|
@ -201,7 +316,10 @@ NTSTATUS DriverEntry(
|
|||
);
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
FreeDriverConfigurationStringBuffers();
|
||||
return STATUS_FAILED_DRIVER_ENTRY;
|
||||
}
|
||||
|
||||
status = IoCreateSymbolicLink(
|
||||
&driver_config.device_symbolic_link,
|
||||
|
@ -211,6 +329,7 @@ NTSTATUS DriverEntry(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "failed to create symbolic link" );
|
||||
FreeDriverConfigurationStringBuffers();
|
||||
IoDeleteDevice( DriverObject->DeviceObject );
|
||||
return STATUS_FAILED_DRIVER_ENTRY;
|
||||
}
|
||||
|
@ -225,6 +344,7 @@ NTSTATUS DriverEntry(
|
|||
if ( !flag )
|
||||
{
|
||||
DEBUG_ERROR( "failed to init report queue" );
|
||||
FreeDriverConfigurationStringBuffers();
|
||||
IoDeleteSymbolicLink( &driver_config.device_symbolic_link );
|
||||
IoDeleteDevice( DriverObject->DeviceObject );
|
||||
return STATUS_FAILED_DRIVER_ENTRY;
|
||||
|
@ -232,18 +352,18 @@ NTSTATUS DriverEntry(
|
|||
|
||||
DEBUG_LOG( "DonnaAC Driver Entry Complete" );
|
||||
|
||||
HANDLE handle;
|
||||
PsCreateSystemThread(
|
||||
&handle,
|
||||
PROCESS_ALL_ACCESS,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
VerifyInMemoryImageVsDiskImage,
|
||||
NULL
|
||||
);
|
||||
//HANDLE handle;
|
||||
//PsCreateSystemThread(
|
||||
// &handle,
|
||||
// PROCESS_ALL_ACCESS,
|
||||
// NULL,
|
||||
// NULL,
|
||||
// NULL,
|
||||
// VerifyInMemoryImageVsDiskImage,
|
||||
// NULL
|
||||
//);
|
||||
|
||||
ZwClose( handle );
|
||||
//ZwClose( handle );
|
||||
|
||||
return STATUS_SUCCESS;
|
||||
}
|
||||
|
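Review bot: `RTL_QUERY_REGISTRY_TABLE query_table[ 2 ] = { 0 };` in InitialiseDriverConfigOnDriverEntry has both entries populated and no terminating entry, and RtlQueryRegistryValues walks the table until it meets an entry whose QueryRoutine and Name are both NULL, so the query reads past the end of the array; size it `RTL_QUERY_REGISTRY_TABLE query_table[ 3 ] = { 0 };` so the zeroed third entry terminates it, and pass `query_table` rather than `&query_table`, which is a pointer to the whole array and only compiles with an incompatible-pointer warning. In RegistryPathQueryCallbackRoutine, `driver_config.driver_path.Length = ValueLength;` (and the same line for unicode_driver_name) stores the raw byte count of the registry data, which for REG_SZ includes the terminating NUL, into a USHORT field, so the counted string carries an embedded NUL and silently truncates above 65535 bytes; subtract `sizeof(WCHAR)` when the data is NUL-terminated and reject a ValueType other than REG_SZ/REG_EXPAND_SZ before copying. The DisplayName branch logs `"Value type image path given"`, a copy of the ImagePath message, and STATUS_ABANDONED on a failed ExAllocatePool2 is unusual where STATUS_INSUFFICIENT_RESOURCES is the conventional code. FreeDriverConfigurationStringBuffers does not clear the Buffer pointers it frees, so it would double-free if ever reached twice; assigning `Buffer = NULL` after each ExFreePoolWithTag makes it safe to call from every cleanup path.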
|
|
@ -5,6 +5,9 @@
|
|||
#include <wdftypes.h>
|
||||
#include <wdf.h>
|
||||
|
||||
#define DRIVER_PATH_MAX_LENGTH 512
|
||||
#define DRIVER_PATH_POOL_TAG 'path'
|
||||
|
||||
/*
|
||||
* This structure is strictly for driver related stuff
|
||||
* that should only be written at driver entry.
|
||||
|
@ -14,7 +17,8 @@
|
|||
*/
|
||||
typedef struct _DRIVER_CONFIG
|
||||
{
|
||||
CHAR driver_name[ 128 ];
|
||||
UNICODE_STRING unicode_driver_name;
|
||||
ANSI_STRING ansi_driver_name;
|
||||
UNICODE_STRING device_name;
|
||||
UNICODE_STRING device_symbolic_link;
|
||||
UNICODE_STRING driver_path;
|
||||
|
@ -53,6 +57,10 @@ VOID ReadProcessInitialisedConfigFlag(
|
|||
_Out_ PBOOLEAN Flag
|
||||
);
|
||||
|
||||
VOID GetDriverPath(
|
||||
_In_ PUNICODE_STRING DriverPath
|
||||
);
|
||||
|
||||
|
||||
VOID TerminateProtectedProcessOnViolation();
|
||||
|
||||
|
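Review bot: `GetDriverPath( _In_ PUNICODE_STRING DriverPath )` is annotated as an input, but both call sites in this commit pass a zero-initialised local (`UNICODE_STRING path = { 0 }; GetDriverPath( &path );`) and then use it as the file path, so the parameter is an output and the annotation should be `_Out_`, matching `ReadProcessInitialisedConfigFlag( _Out_ PBOOLEAN Flag )` just above it; as written, SAL analysis cannot flag a caller that reads an unfilled string. `DRIVER_PATH_MAX_LENGTH 512` is not referenced in any hunk of this commit, so it appears unused, unless it is intended to bound the ValueLength copied in RegistryPathQueryCallbackRoutine, which currently has no upper bound. A comment on the new fields would help, e.g. `/* unicode_driver_name, ansi_driver_name and driver_path are allocated from the service's registry key at DriverEntry and released by FreeDriverConfigurationStringBuffers */`.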
|
|
@ -222,9 +222,9 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
|
|||
HANDLE file_handle;
|
||||
OBJECT_ATTRIBUTES object_attributes;
|
||||
PIO_STATUS_BLOCK pio_block;
|
||||
UNICODE_STRING path;
|
||||
UNICODE_STRING path = { 0 };
|
||||
|
||||
RtlInitUnicodeString( &path, L"\\SystemRoot\\System32\\Drivers\\driver.sys" );
|
||||
GetDriverPath( &path );
|
||||
|
||||
InitializeObjectAttributes(
|
||||
&object_attributes,
|
||||
|
@ -491,7 +491,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
)
|
||||
{
|
||||
NTSTATUS status;
|
||||
UNICODE_STRING path;
|
||||
UNICODE_STRING path = { 0 };
|
||||
HANDLE section_handle = NULL;
|
||||
PVOID section = NULL;
|
||||
SIZE_T section_size = NULL;
|
||||
|
@ -509,8 +509,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
ULONG memory_text_hash_size = NULL;
|
||||
SIZE_T result = NULL;
|
||||
|
||||
/* TODO: ad this into global config */
|
||||
RtlInitUnicodeString( &path, L"\\SystemRoot\\System32\\Drivers\\driver.sys" );
|
||||
GetDriverPath( &path );
|
||||
|
||||
status = MapDiskImageIntoVirtualAddressSpace(
|
||||
§ion_handle,
|
||||
|
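Review bot: Neither MapDiskImageIntoVirtualAddressSpace nor VerifyInMemoryImageVsDiskImage checks what `GetDriverPath( &path );` produced before using `path`; if the registry query at DriverEntry did not populate driver_path (the callback only fills it when an ImagePath value is present), `path.Buffer` stays NULL with `path.Length` 0 and is handed on to the object attributes. A guard such as `if ( !path.Buffer || !path.Length ) return STATUS_INVALID_PARAMETER;` after each call would fail closed. The value being replaced was a hard-coded `\SystemRoot\System32\Drivers\driver.sys` object path, whereas a driver service's ImagePath is often stored relative to the system root (e.g. `System32\drivers\name.sys`) and the query uses RTL_QUERY_REGISTRY_NOEXPAND, so a value in that form would not open as an absolute object name; worth confirming against the installed service's value. The same applies to both hunks of this file, and the remainder of both functions lies outside them.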
|
|
@ -29,7 +29,7 @@ NTSTATUS DeviceControl(
|
|||
* and trying to fuzz the IOCTL access or codes. This definitely isnt a perfect
|
||||
* solution though... xD
|
||||
*/
|
||||
ReadInitialisedConfigFlag( &security_flag );
|
||||
ReadProcessInitialisedConfigFlag( &security_flag );
|
||||
|
||||
if ( security_flag == FALSE &&
|
||||
stack_location->Parameters.DeviceIoControl.IoControlCode != IOCTL_NOTIFY_DRIVER_ON_PROCESS_LAUNCH )
|
||||
|
@ -205,7 +205,7 @@ NTSTATUS DeviceControl(
|
|||
|
||||
case IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION:
|
||||
|
||||
ClearDriverConfigOnProcessTermination();
|
||||
ClearProcessConfigOnProcessTermination();
|
||||
UnregisterCallbacksOnProcessTermination();
|
||||
|
||||
break;
|
||||
|
@ -253,7 +253,7 @@ NTSTATUS DeviceClose(
|
|||
DEBUG_LOG( "Handle closed to DonnaAC" );
|
||||
|
||||
FreeQueueObjectsAndCleanup();
|
||||
ClearDriverConfigOnProcessTermination();
|
||||
ClearProcessConfigOnProcessTermination();
|
||||
UnregisterCallbacksOnProcessTermination();
|
||||
|
||||
IoCompleteRequest( Irp, IO_NO_INCREMENT );
|
||||
|
|