time 4 sleep c:

This commit is contained in:
lhodges1 2023-09-02 02:45:06 +10:00
parent 29def070b8
commit 3d1e2c7235
4 changed files with 167 additions and 40 deletions


@ -56,7 +56,7 @@ VOID GetDriverName(
)
{
KeAcquireGuardedMutex( &driver_config.lock );
*DriverName = driver_config.driver_name;
*DriverName = driver_config.ansi_driver_name.Buffer;
KeReleaseGuardedMutex( &driver_config.lock );
}
@ -96,42 +96,131 @@ VOID GetDriverSymbolicLink(
KeReleaseGuardedMutex( &driver_config.lock );
}
VOID InitialiseDriverConfigOnDriverEntry(
NTSTATUS RegistryPathQueryCallbackRoutine(
IN PWSTR ValueName,
IN ULONG ValueType,
IN PVOID ValueData,
IN ULONG ValueLength,
IN PVOID Context,
IN PVOID EntryContext
)
{
UNICODE_STRING value_name;
BOOLEAN result;
RtlInitUnicodeString( &value_name, ValueName );
UNICODE_STRING image_path = RTL_CONSTANT_STRING( L"ImagePath" );
UNICODE_STRING display_name = RTL_CONSTANT_STRING( L"DisplayName" );
if ( RtlCompareUnicodeString(&value_name, &image_path, FALSE) == FALSE )
{
DEBUG_LOG( "Value type image path given" );
driver_config.driver_path.Buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, ValueLength, DRIVER_PATH_POOL_TAG );
driver_config.driver_path.Length = ValueLength;
driver_config.driver_path.MaximumLength = ValueLength;
if ( !driver_config.driver_path.Buffer )
return STATUS_ABANDONED;
RtlCopyMemory(
driver_config.driver_path.Buffer,
ValueData,
ValueLength
);
}
if ( RtlCompareUnicodeString( &value_name, &display_name, FALSE ) == FALSE )
{
DEBUG_LOG( "Value type image path given" );
driver_config.unicode_driver_name.Buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, ValueLength, DRIVER_PATH_POOL_TAG );
driver_config.unicode_driver_name.Length = ValueLength;
driver_config.unicode_driver_name.MaximumLength = ValueLength;
if ( !driver_config.unicode_driver_name.Buffer )
return STATUS_ABANDONED;
RtlCopyMemory(
driver_config.unicode_driver_name.Buffer,
ValueData,
ValueLength
);
}
return STATUS_SUCCESS;
}
VOID FreeDriverConfigurationStringBuffers()
{
if ( driver_config.unicode_driver_name.Buffer )
ExFreePoolWithTag( driver_config.unicode_driver_name.Buffer, DRIVER_PATH_POOL_TAG );
if ( driver_config.driver_path.Buffer )
ExFreePoolWithTag( driver_config.driver_path.Buffer, DRIVER_PATH_POOL_TAG );
if (driver_config.ansi_driver_name.Buffer )
RtlFreeAnsiString( &driver_config.ansi_driver_name );
}
NTSTATUS InitialiseDriverConfigOnDriverEntry(
_In_ PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
RTL_QUERY_REGISTRY_TABLE query_table[ 2 ] = { 0 };
KeInitializeGuardedMutex( &driver_config.lock );
RtlInitUnicodeString( &driver_config.device_name, L"\\Device\\DonnaAC" );
RtlInitUnicodeString( &driver_config.device_symbolic_link, L"\\??\\DonnaAC" );
RtlCopyUnicodeString( &driver_config.registry_path, RegistryPath );
}
query_table[ 0 ].Flags = RTL_QUERY_REGISTRY_NOEXPAND;
query_table[ 0 ].Name = L"ImagePath";
query_table[ 0 ].DefaultType = REG_MULTI_SZ;
query_table[ 0 ].DefaultLength = 0;
query_table[ 0 ].DefaultData = NULL;
query_table[ 0 ].EntryContext = NULL;
query_table[ 0 ].QueryRoutine = RegistryPathQueryCallbackRoutine;
VOID TerminateProtectedProcessOnViolation()
{
NTSTATUS status;
ULONG process_id;
query_table[ 1 ].Flags = RTL_QUERY_REGISTRY_NOEXPAND;
query_table[ 1 ].Name = L"DisplayName";
query_table[ 1 ].DefaultType = REG_SZ;
query_table[ 1 ].DefaultLength = 0;
query_table[ 1 ].DefaultData = NULL;
query_table[ 1 ].EntryContext = NULL;
query_table[ 1 ].QueryRoutine = RegistryPathQueryCallbackRoutine;
GetProtectedProcessId( &process_id );
if ( !process_id )
{
DEBUG_ERROR( "Failed to terminate process as process id is null" );
return;
}
status = ZwTerminateProcess( process_id, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );
status = RtlxQueryRegistryValues(
RTL_REGISTRY_ABSOLUTE,
RegistryPath->Buffer,
&query_table,
NULL,
NULL
);
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "ZwTerminateProcess failed with status %x", status );
return;
FreeDriverConfigurationStringBuffers();
return status;
}
ClearDriverConfigOnProcessTermination();
status = RtlUnicodeStringToAnsiString(
&driver_config.ansi_driver_name,
&driver_config.unicode_driver_name,
TRUE
);
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "Failed to convert unicode string to ansi string" );
FreeDriverConfigurationStringBuffers();
return status;
}
return status;
}
NTSTATUS InitialiseDriverConfigOnProcessLaunch(
_In_ PIRP Irp
)
@ -166,6 +255,7 @@ NTSTATUS InitialiseDriverConfigOnProcessLaunch(
VOID CleanupDriverConfigOnUnload()
{
FreeDriverConfigurationStringBuffers();
IoDeleteSymbolicLink( &driver_config.device_symbolic_link );
}
@ -178,6 +268,27 @@ VOID DriverUnload(
IoDeleteDevice( DriverObject->DeviceObject );
}
VOID TerminateProtectedProcessOnViolation()
{
NTSTATUS status;
ULONG process_id;
GetProtectedProcessId( &process_id );
if ( !process_id )
{
DEBUG_ERROR( "Failed to terminate process as process id is null" );
return;
}
status = ZwTerminateProcess( process_id, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );
if ( !NT_SUCCESS( status ) )
DEBUG_ERROR( "ZwTerminateProcess failed with status %x", status );
ClearProcessConfigOnProcessTermination();
}
NTSTATUS DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
@ -188,7 +299,11 @@ NTSTATUS DriverEntry(
BOOLEAN flag = FALSE;
NTSTATUS status;
InitialiseDriverConfigOnDriverEntry( RegistryPath );
status = InitialiseDriverConfigOnDriverEntry( RegistryPath );
if ( !NT_SUCCESS( status ) )
return STATUS_ABANDONED;
status = IoCreateDevice(
DriverObject,
@ -201,7 +316,10 @@ NTSTATUS DriverEntry(
);
if ( !NT_SUCCESS( status ) )
{
FreeDriverConfigurationStringBuffers();
return STATUS_FAILED_DRIVER_ENTRY;
}
status = IoCreateSymbolicLink(
&driver_config.device_symbolic_link,
@ -211,6 +329,7 @@ NTSTATUS DriverEntry(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "failed to create symbolic link" );
FreeDriverConfigurationStringBuffers();
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_FAILED_DRIVER_ENTRY;
}
@ -225,6 +344,7 @@ NTSTATUS DriverEntry(
if ( !flag )
{
DEBUG_ERROR( "failed to init report queue" );
FreeDriverConfigurationStringBuffers();
IoDeleteSymbolicLink( &driver_config.device_symbolic_link );
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_FAILED_DRIVER_ENTRY;
@ -232,18 +352,18 @@ NTSTATUS DriverEntry(
DEBUG_LOG( "DonnaAC Driver Entry Complete" );
HANDLE handle;
PsCreateSystemThread(
&handle,
PROCESS_ALL_ACCESS,
NULL,
NULL,
NULL,
VerifyInMemoryImageVsDiskImage,
NULL
);
//HANDLE handle;
//PsCreateSystemThread(
// &handle,
// PROCESS_ALL_ACCESS,
// NULL,
// NULL,
// NULL,
// VerifyInMemoryImageVsDiskImage,
// NULL
//);
ZwClose( handle );
//ZwClose( handle );
return STATUS_SUCCESS;
}
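Review bot: `RTL_QUERY_REGISTRY_TABLE query_table[ 2 ] = { 0 };` in InitialiseDriverConfigOnDriverEntry fills both entries and leaves no terminating zeroed entry, so if RtlxQueryRegistryValues follows the RtlQueryRegistryValues contract (the table ends at the first entry whose QueryRoutine and Name are both NULL) it walks past the end of the stack array; declare it as `RTL_QUERY_REGISTRY_TABLE query_table[ 3 ] = { 0 };` and pass `query_table` rather than `&query_table`, which is a pointer to the array, not to its first entry. In RegistryPathQueryCallbackRoutine the ULONG `ValueLength` is stored into the USHORT Length/MaximumLength fields before the ExAllocatePool2 result is checked, so a failed allocation leaves a non-zero Length with a NULL Buffer, an oversize value is silently truncated, and for REG_SZ data the stored Length presumably includes the terminating NUL; set the fields only after the allocation succeeds and reject lengths that do not fit a USHORT. The callback also overwrites any previously allocated Buffer without freeing it if it is invoked more than once, and the DisplayName branch logs `"Value type image path given"` by copy-paste. The moved TerminateProtectedProcessOnViolation passes a ULONG `process_id` where ZwTerminateProcess expects a process HANDLE, which the commit does not address.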


@ -5,6 +5,9 @@
#include <wdftypes.h>
#include <wdf.h>
#define DRIVER_PATH_MAX_LENGTH 512
#define DRIVER_PATH_POOL_TAG 'path'
/*
* This structure is strictly for driver related stuff
* that should only be written at driver entry.
@ -14,7 +17,8 @@
*/
typedef struct _DRIVER_CONFIG
{
CHAR driver_name[ 128 ];
UNICODE_STRING unicode_driver_name;
ANSI_STRING ansi_driver_name;
UNICODE_STRING device_name;
UNICODE_STRING device_symbolic_link;
UNICODE_STRING driver_path;
@ -53,6 +57,10 @@ VOID ReadProcessInitialisedConfigFlag(
_Out_ PBOOLEAN Flag
);
VOID GetDriverPath(
_In_ PUNICODE_STRING DriverPath
);
VOID TerminateProtectedProcessOnViolation();
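Review bot: The new `GetDriverPath( _In_ PUNICODE_STRING DriverPath )` declaration annotates the parameter as input, yet its callers in this commit pass a freshly zeroed `UNICODE_STRING path = { 0 };` and read it afterwards, so the routine must write through the pointer; the annotation should be `_Out_` (or `_Inout_` if it fills a caller-supplied buffer) so SAL and reviewers see the real contract. If GetDriverPath hands back a copy of the `driver_path` descriptor rather than copying the characters, the caller then holds the pool buffer pointer outside `driver_config.lock`, which is worth a comment on the declaration stating the ownership and lifetime of what is returned. Its body is not in this diff, so this is inferred from the call sites.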


@ -222,9 +222,9 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
HANDLE file_handle;
OBJECT_ATTRIBUTES object_attributes;
PIO_STATUS_BLOCK pio_block;
UNICODE_STRING path;
UNICODE_STRING path = { 0 };
RtlInitUnicodeString( &path, L"\\SystemRoot\\System32\\Drivers\\driver.sys" );
GetDriverPath( &path );
InitializeObjectAttributes(
&object_attributes,
@ -491,7 +491,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
)
{
NTSTATUS status;
UNICODE_STRING path;
UNICODE_STRING path = { 0 };
HANDLE section_handle = NULL;
PVOID section = NULL;
SIZE_T section_size = NULL;
@ -509,8 +509,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
ULONG memory_text_hash_size = NULL;
SIZE_T result = NULL;
/* TODO: ad this into global config */
RtlInitUnicodeString( &path, L"\\SystemRoot\\System32\\Drivers\\driver.sys" );
GetDriverPath( &path );
status = MapDiskImageIntoVirtualAddressSpace(
&section_handle,


@ -29,7 +29,7 @@ NTSTATUS DeviceControl(
* and trying to fuzz the IOCTL access or codes. This definitely isnt a perfect
* solution though... xD
*/
ReadInitialisedConfigFlag( &security_flag );
ReadProcessInitialisedConfigFlag( &security_flag );
if ( security_flag == FALSE &&
stack_location->Parameters.DeviceIoControl.IoControlCode != IOCTL_NOTIFY_DRIVER_ON_PROCESS_LAUNCH )
@ -205,7 +205,7 @@ NTSTATUS DeviceControl(
case IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION:
ClearDriverConfigOnProcessTermination();
ClearProcessConfigOnProcessTermination();
UnregisterCallbacksOnProcessTermination();
break;
@ -253,7 +253,7 @@ NTSTATUS DeviceClose(
DEBUG_LOG( "Handle closed to DonnaAC" );
FreeQueueObjectsAndCleanup();
ClearDriverConfigOnProcessTermination();
ClearProcessConfigOnProcessTermination();
UnregisterCallbacksOnProcessTermination();
IoCompleteRequest( Irp, IO_NO_INCREMENT );