testing fixes
This commit is contained in:
parent
fef5fdc01c
commit
3f2302f9a7
12 changed files with 59 additions and 34 deletions
@ -454,8 +454,6 @@ VOID EnumerateProcessListWithCallbackFunction(
|
|||
if ( !active_process_head )
|
||||
return;
|
||||
|
||||
DEBUG_LOG( "ActiveProcessHead: %llx", active_process_head );
|
||||
|
||||
process_list_head = (PLIST_ENTRY)( active_process_head );
|
||||
process_list_entry = process_list_head;
|
||||
|
||||
|
|
|
@ -24,11 +24,11 @@ VOID ReadInitialisedConfigFlag(
|
|||
}
|
||||
|
||||
VOID GetProtectedProcessEProcess(
|
||||
_Out_ PEPROCESS Process
|
||||
_Out_ PEPROCESS* Process
|
||||
)
|
||||
{
|
||||
KeAcquireGuardedMutex( &config.lock );
|
||||
Process = config.protected_process_eprocess;
|
||||
*Process = config.protected_process_eprocess;
|
||||
KeReleaseGuardedMutex( &config.lock );
|
||||
}
|
||||
|
||||
|
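Review bot: `*Process = config.protected_process_eprocess;` hands the EPROCESS pointer out from under the guarded mutex, so whatever the caller does with it races `ClearDriverConfigOnProcessTermination()` (which this same commit wires into DeviceClose) unless the config holds its own reference on the object, which is not visible here. If it does not, take one before the lock is dropped, e.g. `if ( *Process ) ObReferenceObject( *Process );` with a matching dereference in the caller, or document that the returned pointer is only valid while the protected process is alive. The matching prototype change in the header hunk further down is consistent with this one.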
@ -88,7 +88,6 @@ VOID DriverUnload(
|
|||
)
|
||||
{
|
||||
//PsSetCreateProcessNotifyRoutine( ProcessCreateNotifyRoutine, TRUE );
|
||||
FreeQueueObjectsAndCleanup();
|
||||
IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
|
||||
IoDeleteDevice( DriverObject->DeviceObject );
|
||||
}
|
||||
|
@ -109,18 +108,18 @@ NTSTATUS DriverEntry(
|
|||
config.protected_process_eprocess = NULL;
|
||||
config.protected_process_id = NULL;
|
||||
|
||||
HANDLE handle;
|
||||
PsCreateSystemThread(
|
||||
&handle,
|
||||
PROCESS_ALL_ACCESS,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
ValidateKPCRBThreads,
|
||||
NULL
|
||||
);
|
||||
//HANDLE handle;
|
||||
//PsCreateSystemThread(
|
||||
// &handle,
|
||||
// PROCESS_ALL_ACCESS,
|
||||
// NULL,
|
||||
// NULL,
|
||||
// NULL,
|
||||
// ValidateKPCRBThreads,
|
||||
// NULL
|
||||
//);
|
||||
|
||||
ZwClose( handle );
|
||||
//ZwClose( handle );
|
||||
|
||||
status = IoCreateDevice(
|
||||
DriverObject,
|
||||
|
|
|
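Review bot: The `PsCreateSystemThread`/`ZwClose` block is commented out rather than deleted; version control already keeps it, and dead code inside DriverEntry only rots. If it is meant to return, note that the original never checked the result, so `ZwClose( handle )` ran on an uninitialised `handle` whenever thread creation failed, and `PROCESS_ALL_ACCESS` was passed where a thread access mask belongs; the reinstated form should be `status = PsCreateSystemThread( &handle, THREAD_ALL_ACCESS, NULL, NULL, NULL, ValidateKPCRBThreads, NULL );` followed by `if ( NT_SUCCESS( status ) ) ZwClose( handle );`. DriverEntry continues outside this hunk.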
@ -19,7 +19,7 @@ NTSTATUS InitialiseDriverConfigOnProcessLaunch(
|
|||
);
|
||||
|
||||
VOID GetProtectedProcessEProcess(
|
||||
_Out_ PEPROCESS Process
|
||||
_Out_ PEPROCESS* Process
|
||||
);
|
||||
|
||||
|
||||
|
|
|
@ -96,15 +96,33 @@ NTSTATUS CopyDriverExecutableRegions(
|
|||
/*
|
||||
* Verifier doesn't like it when we map system pages xD (sometimes ?)
|
||||
*/
|
||||
mapped_address = MmMapIoSpace(
|
||||
physical_address,
|
||||
//mapped_address = MmMapIoSpace(
|
||||
// physical_address,
|
||||
// driver_info->ImageSize,
|
||||
// MmNonCached
|
||||
//);
|
||||
|
||||
//if ( !mapped_address )
|
||||
//{
|
||||
// DEBUG_ERROR( "Failed to MmMapIoSpace " );
|
||||
// goto end;
|
||||
//}
|
||||
|
||||
MM_COPY_ADDRESS copy_address;
|
||||
copy_address.PhysicalAddress.QuadPart = physical_address.QuadPart;
|
||||
ULONG bytes_returned;
|
||||
|
||||
status = MmCopyMemory(
|
||||
buffer,
|
||||
copy_address,
|
||||
driver_info->ImageSize,
|
||||
MmNonCached
|
||||
NULL,
|
||||
&bytes_returned
|
||||
);
|
||||
|
||||
if ( !mapped_address )
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "Failed to MmMapIoSpace " );
|
||||
DEBUG_ERROR( "MmCopyMemmory failed with status %x", status );
|
||||
goto end;
|
||||
}
|
||||
|
||||
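Review bot: The new `MmCopyMemory` call passes `NULL` for the `Flags` argument, but that parameter selects whether `SourceAddress` is read as a virtual or a physical address, and `copy_address.PhysicalAddress` is what was filled in, so it should be `MM_COPY_MEMORY_PHYSICAL`. `bytes_returned` is declared `ULONG` while the last parameter is `PSIZE_T`, which on x64 writes 8 bytes into a 4-byte stack variable — declare it `SIZE_T bytes_returned = 0;`. The status check also ignores how much was actually copied even though later code reads section data out of `buffer`, so guard a short copy as well: `if ( !NT_SUCCESS( status ) || bytes_returned != driver_info->ImageSize )`. The commented-out `MmMapIoSpace` block should be removed rather than kept, and the error string spells `MmCopyMemmory`.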
|
@ -140,7 +158,7 @@ NTSTATUS CopyDriverExecutableRegions(
|
|||
|
||||
RtlCopyMemory(
|
||||
( UINT64 )buffer_base + sizeof( IMAGE_SECTION_HEADER ),
|
||||
( UINT64 )mapped_address + section->PointerToRawData,
|
||||
( UINT64 )buffer + section->PointerToRawData,
|
||||
section->SizeOfRawData
|
||||
);
|
||||
|
||||
|
|
|
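Review bot: `( UINT64 )buffer + section->PointerToRawData` with length `section->SizeOfRawData` now reads from the pool copy, but neither value is checked against `driver_info->ImageSize` before `RtlCopyMemory`, so a section header whose raw offset or size does not fit the copied image reads past `buffer` in kernel mode (the old `mapped_address` form had the same unchecked arithmetic). Add a bound before the copy, e.g. `if ( section->PointerToRawData > driver_info->ImageSize || section->SizeOfRawData > driver_info->ImageSize - section->PointerToRawData ) goto end;`, written in that order so the sum cannot wrap. The capacity behind `buffer_base` is not visible in this hunk and deserves the same treatment; CopyDriverExecutableRegions begins and ends outside the hunk.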
@ -242,6 +242,10 @@ NTSTATUS DeviceClose(
|
|||
)
|
||||
{
|
||||
DEBUG_LOG( "Handle closed to DonnaAC" );
|
||||
|
||||
FreeQueueObjectsAndCleanup();
|
||||
ClearDriverConfigOnProcessTermination();
|
||||
|
||||
IoCompleteRequest( Irp, IO_NO_INCREMENT );
|
||||
return Irp->IoStatus.Status;
|
||||
}
|
||||
|
|
|
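Review bot: `FreeQueueObjectsAndCleanup()` and `ClearDriverConfigOnProcessTermination()` now run on every close of the device (assuming DeviceClose is the IRP_MJ_CLOSE dispatch), so if the device can be opened through more than one handle — whether `IoCreateDevice` marks it exclusive is not visible here — the first close discards the queue objects and the protected-process config while another handle is still issuing requests. The DriverUnload hunk above also appears to drop a line from its own cleanup, which would leave nothing to free the queues on an unload that is not preceded by a close. Either make the device exclusive and serialise the cleanup with the existing config lock, or keep the unload-time cleanup as a fallback and make both routines safe to call twice. DeviceClose's signature starts outside the hunk.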
@ -7,7 +7,7 @@ PVOID nmi_callback_handle = NULL;
|
|||
/* Global structure to hold pointers to required memory for the NMI's */
|
||||
NMI_POOLS nmi_pools = { 0 };
|
||||
|
||||
#define NMI_DELAY 100 * 10000
|
||||
#define NMI_DELAY 500 * 10000
|
||||
|
||||
#define WHITELISTED_MODULE_COUNT 3
|
||||
#define MODULE_MAX_STRING_SIZE 256
|
||||
|
|
|
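Review bot: `#define NMI_DELAY 500 * 10000` has no parentheses, so a use such as `x / NMI_DELAY` or `-NMI_DELAY` expands to the wrong grouping; write `#define NMI_DELAY ( 500 * 10000 )`. A short comment on the unit would also help, since the `* 10000` reads like a conversion to 100-nanosecond timer units (500 ms) — confirm against the delay or timer call that consumes it, which is not in this hunk.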
@ -341,6 +341,13 @@ VOID WalkKernelPageTables(PVOID AddressBuffer)
|
|||
continue;
|
||||
}
|
||||
|
||||
/*
|
||||
* There always seems to be a page fault every so often when using
|
||||
* MmGetVirtualForPhysical on the pd_entry physical address...
|
||||
*/
|
||||
if ( !MmIsAddressValid( pd_entry.BitAddress ) )
|
||||
continue;
|
||||
|
||||
physical.QuadPart = pd_entry.Bits.PhysicalAddress << PAGE_4KB_SHIFT;
|
||||
|
||||
pt_base = MmGetVirtualForPhysical( physical );
|
||||
|
|
|
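Review bot: The new guard calls `MmIsAddressValid` on `pd_entry.BitAddress`, but the comment says the fault comes from `MmGetVirtualForPhysical` on the entry's physical address, and `BitAddress` (presumably the raw 64-bit PDE) is not the address that call touches, so the check does not cover the faulting access; validate the value you actually dereference afterwards instead. `MmIsAddressValid` also reports only the state at the instant of the call and is documented as not reliable for a subsequent access, so it should not be the sole protection here. WalkKernelPageTables continues outside this hunk.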
@ -8,8 +8,8 @@ namespace service
|
|||
{
|
||||
public static async Task Main(string[] args)
|
||||
{
|
||||
//CreateHostBuilder(args).Build().Run();
|
||||
await Client.SendToServer();
|
||||
CreateHostBuilder(args).Build().Run();
|
||||
//await Client.SendToServer();
|
||||
}
|
||||
|
||||
public static IHostBuilder CreateHostBuilder(string[] args) =>
|
||||
|
|
|
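Review bot: `Main` is still declared `async Task` but no longer contains an `await` once `await Client.SendToServer();` is commented out, so it runs synchronously, returns an already-completed task, and the compiler emits CS1998; use `await CreateHostBuilder(args).Build().RunAsync();` or make it a plain `static void Main`. The commented-out lines should be removed rather than toggled in place.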
@ -19,7 +19,10 @@ kernelmode::Driver::Driver( LPCWSTR DriverName, std::shared_ptr<global::Client>
|
|||
);
|
||||
|
||||
if ( this->driver_handle == INVALID_HANDLE_VALUE )
|
||||
{
|
||||
LOG_ERROR( "Failed to open handle to driver with status 0x%x", GetLastError() );
|
||||
return;
|
||||
}
|
||||
|
||||
this->NotifyDriverOnProcessLaunch();
|
||||
}
|
||||
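Review bot: Returning early from the constructor when `driver_handle == INVALID_HANDLE_VALUE` leaves a fully constructed `Driver` holding an invalid handle, and nothing in this hunk lets the owner notice, so every later call through that handle fails again with the same error. Either throw so the object is never handed out, e.g. `throw std::runtime_error( "failed to open driver handle" );`, or record the failure in a member the caller checks before scheduling work. The constructor's start is outside the hunk.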
|
@ -209,11 +212,7 @@ end:
|
|||
VOID kernelmode::Driver::RunCallbackReportQueue()
|
||||
{
|
||||
/*TODO have some volatile flag instead */
|
||||
while ( true )
|
||||
{
|
||||
this->QueryReportQueue();
|
||||
std::this_thread::sleep_for( std::chrono::seconds( 10 ) );
|
||||
}
|
||||
this->QueryReportQueue();
|
||||
}
|
||||
|
||||
VOID kernelmode::Driver::NotifyDriverOnProcessLaunch()
|
||||
|
|
|
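Review bot: `RunCallbackReportQueue` is reduced to a single `this->QueryReportQueue();`, and the KManager hunk below now queues `QueryReportQueue` directly, so the wrapper is dead and the periodic ten-second polling of the report queue is gone: unless the thread pool re-queues the job (not visible here), the queue is drained exactly once. Either delete the wrapper and have the caller re-queue on a timer, or keep the loop with the stop flag the removed TODO asked for, using a new `std::atomic<bool>` member such as `stop_requested`: `while ( !this->stop_requested.load() ) { this->QueryReportQueue(); std::this_thread::sleep_for( std::chrono::seconds( 10 ) ); }`.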
@ -28,7 +28,6 @@ namespace kernelmode
|
|||
LPCWSTR driver_name;
|
||||
std::shared_ptr<global::Client> report_interface;
|
||||
|
||||
VOID QueryReportQueue();
|
||||
ULONG RequestTotalModuleSize();
|
||||
VOID NotifyDriverOnProcessLaunch();
|
||||
VOID CheckDriverHeartbeat();
|
||||
|
@ -43,6 +42,7 @@ namespace kernelmode
|
|||
VOID VerifySystemModules();
|
||||
VOID RunCallbackReportQueue();
|
||||
VOID DetectSystemVirtualization();
|
||||
VOID QueryReportQueue();
|
||||
VOID ValidateKPRCBThreads();
|
||||
VOID CheckHandleTableEntries();
|
||||
VOID RequestModuleExecutableRegions();
|
||||
|
|
|
@ -18,7 +18,7 @@ void kernelmode::KManager::VerifySystemModules()
|
|||
|
||||
void kernelmode::KManager::MonitorCallbackReports()
|
||||
{
|
||||
this->thread_pool->QueueJob( [ this ]() { this->driver_interface->RunCallbackReportQueue(); } );
|
||||
this->thread_pool->QueueJob( [ this ]() { this->driver_interface->QueryReportQueue(); } );
|
||||
}
|
||||
|
||||
void kernelmode::KManager::DetectSystemVirtualization()
|
||||
|
|
|
@ -34,9 +34,9 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
|
|||
kmanager.RunNmiCallbacks();
|
||||
kmanager.VerifySystemModules();
|
||||
kmanager.RequestModuleExecutableRegionsForIntegrityCheck();
|
||||
kmanager.MonitorCallbackReports();
|
||||
kmanager.DetectSystemVirtualization();
|
||||
kmanager.ScanPoolsForUnlinkedProcesses();
|
||||
kmanager.EnumerateHandleTables();
|
||||
|
||||
umanager.ValidateProcessModules();
|
||||
umanager.ValidateProcessMemory();
|
||||
|
|