c:

2024-11-21 22:24:08 +01:00 · 2023-08-30 19:19:41 +10:00 · 2023-08-30 19:19:41 +10:00 · 40d8a39aa8
commit 40d8a39aa8
parent 6e2eff8dd2
5 changed files with 109 additions and 17 deletions
--- a/driver/callbacks.c
+++ b/driver/callbacks.c
@ -3,6 +3,7 @@
 #include "driver.h"

 #include "queue.h"
+#include "pool.h"

 CALLBACK_CONFIGURATION configuration;
 QUEUE_HEAD head = { 0 };
@ -440,25 +441,34 @@ VOID EnumerateProcessListWithCallbackFunction(
 	_In_ PVOID Function
 )
 {
+	UINT64 current_process;
+	UINT64 active_process_head = NULL;
+	PLIST_ENTRY process_list_head = NULL;
+	PLIST_ENTRY process_list_entry = NULL;
+
 	if ( !Function )
 		return;

-	PEPROCESS base_process = PsInitialSystemProcess;
+	GetPsActiveProcessHead( &active_process_head );

-	if ( !base_process )
+	if ( !active_process_head )
 		return;

-	PEPROCESS current_process = base_process;
+	DEBUG_LOG( "ActiveProcessHead: %llx", active_process_head );
+
+	process_list_head = (PLIST_ENTRY)( active_process_head );
+	process_list_entry = process_list_head;

 	do
 	{
+		current_process = ( PEPROCESS )( ( UINT64 )process_list_entry - EPROCESS_PLIST_ENTRY_OFFSET );
+
 		VOID( *callback_function_ptr )( PEPROCESS ) = Function;
 		( *callback_function_ptr )( current_process );

-		PLIST_ENTRY list = ( PLIST_ENTRY )( ( uintptr_t )current_process + EPROCESS_PLIST_ENTRY_OFFSET );
-		current_process = ( PEPROCESS )( ( uintptr_t )list->Flink - EPROCESS_PLIST_ENTRY_OFFSET );
+		process_list_entry = process_list_entry->Flink;

-	} while ( current_process != base_process || !current_process );
+	} while ( process_list_entry != process_list_head->Blink );
 }

 NTSTATUS InitiateDriverCallbacks()
--- a/driver/pool.c
+++ b/driver/pool.c
@ -75,6 +75,18 @@ end:
 	return debugger_data;
 }

+VOID GetPsActiveProcessHead(
+	_In_ PUINT64 Address
+)
+{
+	/* TODO: have a global debugger pool here since shit aint really change */
+	PKDDEBUGGER_DATA64 debugger_data = GetGlobalDebuggerData();
+
+	*Address = *(UINT64*)( debugger_data->PsActiveProcessHead );
+
+	ExFreePoolWithTag( debugger_data, POOL_DEBUGGER_DATA_TAG );
+}
+
 /*
 * For ~90% of EPROCESS structures the header layout is as follows:
 *
--- a/driver/pool.h
+++ b/driver/pool.h
@ -42,6 +42,10 @@ NTSTATUS FindUnlinkedProcesses(
 	_In_ PIRP Irp
 );

+VOID GetPsActiveProcessHead(
+	_In_ PUINT64 Address
+);
+
 /* creds: https://www.unknowncheats.me/forum/2602838-post2.html */

 typedef struct _DBGKD_DEBUG_DATA_HEADER64
--- a/driver/thread.c
+++ b/driver/thread.c
@ -3,6 +3,8 @@
 #include "pool.h"
 #include "callbacks.h"

+#include <intrin.h>
+
 /*
 * How this will work:
 * 
@ -31,22 +33,47 @@
 * IDEA: we can run a thread on each core to maximise the search, so it would be 3 * num procs
 */

-BOOLEAN HasThreadBeenRemovedFromPspCidTable(
-	_In_ PETHREAD Thread
+UINT8 thread_found_in_pspcidtable = FALSE;
+UINT8 thread_found_in_kthreadlist = FALSE;
+BOOLEAN finished = FALSE;
+
+UINT64 current_kpcrb_thread = NULL;
+
+VOID ProcessEnumerationCallback(
+	_In_ PEPROCESS Process
 )
 {
-	BOOLEAN result = TRUE;
+	NTSTATUS status;
+	PLIST_ENTRY thread_list_head;
+	PLIST_ENTRY thread_list_entry;
+	PETHREAD current_thread;
+	UINT32 thread_id;

-	return result;
-}
+	if ( finished == TRUE )
+		return;

-BOOLEAN HasThreadBeenRemovedFromEThreadList(
-	_In_ PETHREAD Thread
-)
-{
-	BOOLEAN result = TRUE;
+	thread_list_head = ( PLIST_ENTRY )( ( UINT64 )Process + KPROCESS_THREADLIST_OFFSET );
+	thread_list_entry = thread_list_head->Flink;

-	return result;
+	while ( thread_list_entry != thread_list_head )
+	{
+		current_thread = ( PETHREAD )( ( UINT64 )thread_list_entry - KTHREAD_THREADLIST_OFFSET );
+
+		if ( current_thread == current_kpcrb_thread )
+		{
+			thread_found_in_kthreadlist = TRUE;
+
+			thread_id = PsGetThreadId( current_thread );
+
+			if ( thread_id != NULL )
+			{
+				thread_found_in_pspcidtable = TRUE;
+				finished = TRUE;
+			}
+		}
+
+		thread_list_entry = thread_list_entry->Flink;
+	}
 }

 NTSTATUS ValidateKPCRBThreads(
@ -54,4 +81,37 @@ NTSTATUS ValidateKPCRBThreads(
 )
 {
 	NTSTATUS status;
+	UINT64 kpcr;
+	UINT64 kprcb;
+	KAFFINITY old_affinity = { 0 };
+
+	for ( LONG processor_index = 0; processor_index < KeQueryActiveProcessorCount( 0 ); processor_index++ )
+	{
+		old_affinity = KeSetSystemAffinityThreadEx( ( KAFFINITY )( 1 << processor_index ) );
+
+		kpcr = __readmsr( IA32_GS_BASE );
+		kprcb = kpcr + KPRCB_OFFSET_FROM_GS_BASE;
+		current_kpcrb_thread = *( UINT64* )( kprcb + KPCRB_CURRENT_THREAD );
+
+		DEBUG_LOG( "Current processor: %lx, current kprcb: %llx, current thread: %llx", KeGetCurrentProcessorNumber(), kprcb, current_kpcrb_thread );
+
+		EnumerateProcessListWithCallbackFunction(
+			ProcessEnumerationCallback
+		);
+
+		DEBUG_LOG( "Thread in psp: %i, thread in list: %i", thread_found_in_pspcidtable, thread_found_in_kthreadlist );
+
+		if ( thread_found_in_kthreadlist == FALSE || thread_found_in_pspcidtable == FALSE )
+		{
+
+		}
+
+		current_kpcrb_thread = NULL;
+		thread_found_in_pspcidtable = FALSE;
+		thread_found_in_kthreadlist = FALSE;
+		finished = FALSE;
+
+		KeRevertToUserAffinityThreadEx( old_affinity );
+	}
+
 }
--- a/driver/thread.h
+++ b/driver/thread.h
@ -5,6 +5,12 @@

 #include  "common.h"

+#define IA32_GS_BASE 0xc0000101
+#define KPRCB_OFFSET_FROM_GS_BASE 0x180
+#define KPCRB_CURRENT_THREAD 0x8
+#define KPROCESS_THREADLIST_OFFSET 0x030
+#define KTHREAD_THREADLIST_OFFSET 0x2f8
+
 NTSTATUS ValidateKPCRBThreads(
 	//_In_ PIRP Irp
 );