This commit is contained in:
lhodges1 2023-10-21 21:25:08 +11:00
parent ec27e65599
commit 42ce4ee09c
4 changed files with 121 additions and 20 deletions

View file

@ -555,6 +555,43 @@ typedef struct _IMAGE_OPTIONAL_HEADER64 {
IMAGE_DATA_DIRECTORY DataDirectory[ IMAGE_NUMBEROF_DIRECTORY_ENTRIES ];
} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef struct _IMAGE_OPTIONAL_HEADER32 {
WORD Magic;
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
DWORD ImageBase;
DWORD SectionAlignment;
DWORD FileAlignment;
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage;
DWORD SizeOfHeaders;
DWORD CheckSum;
WORD Subsystem;
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
}IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
unsigned short e_magic; // Magic number
unsigned short e_cblp; // Bytes on last page of file
@ -580,7 +617,7 @@ typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
typedef struct _LOCAL_NT_HEADER {
unsigned long Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} LOCAL_NT_HEADER, * PLOCAL_NT_HEADER;
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \

View file

@ -1228,8 +1228,6 @@ DriverEntry(
return STATUS_FAILED_DRIVER_ENTRY;
}
//ValidateSystemModules();
DEBUG_LOG("DonnaAC Driver Entry Complete");
return STATUS_SUCCESS;

View file

@ -3,6 +3,7 @@
#include "common.h"
#include "driver.h"
#include "modules.h"
#include "callbacks.h"
#include <bcrypt.h>
#include <initguid.h>
@ -239,7 +240,6 @@ StoreModuleExecutableRegionsInBuffer(
* we cant set Irp->IoStatus.Information to the size of our reponse until we
* enumerate and count all executable sections for the file.
*/
buffer_size = ModuleSize + sizeof(INTEGRITY_CHECK_HEADER);
*BytesWritten = 0;
@ -252,7 +252,6 @@ StoreModuleExecutableRegionsInBuffer(
* Note: Verifier doesn't like it when we map the module so rather then mapping it to our address
* space we will simply use MmCopyMemory on the module to avoid upsetting verifier :)
*/
dos_header = (PIMAGE_DOS_HEADER)ModuleBase;
/*
@ -260,17 +259,17 @@ StoreModuleExecutableRegionsInBuffer(
* of the image.
*/
nt_header = (struct _IMAGE_NT_HEADERS64*)((UINT64)ModuleBase + dos_header->e_lfanew);
/*
* For now, lets disregard 32 bit images... this will obviously need to be updated to parse both
* 64 bit and 32 bit binaries in the future. todo!
*/
DEBUG_LOG("optional magic: lx", nt_header->OptionalHeader.Magic);
DEBUG_LOG("magic address: %llx", (UINT64)&nt_header->OptionalHeader.Magic);
if (nt_header->OptionalHeader.Magic == PE_TYPE_32_BIT)
return STATUS_INVALID_IMAGE_WIN_32;
DEBUG_LOG("after");
num_sections = nt_header->FileHeader.NumberOfSections;
/*
@ -278,9 +277,8 @@ StoreModuleExecutableRegionsInBuffer(
* the first section of the PE file.
*/
section = IMAGE_FIRST_SECTION(nt_header);
buffer_base = (UINT64)*Buffer + sizeof(INTEGRITY_CHECK_HEADER);
for (ULONG index = 0; index < num_sections; index++)
{
if (section->Characteristics & IMAGE_SCN_MEM_EXECUTE)
@ -1721,6 +1719,28 @@ typedef struct _SYSTEM_START_OPTIONS
// return STATUS_SUCCESS;
//}
STATIC
VOID
FindWinLogonProcess(
_In_ PPROCESS_LIST_ENTRY Entry,
_In_opt_ PVOID Context
)
{
LPCSTR process_name = NULL;
PEPROCESS* process = (PEPROCESS*)Context;
if (!Context)
return;
process_name = PsGetProcessImageFileName(Entry->process);
if (!strcmp(process_name, "winlogon.exe"))
{
DEBUG_LOG("Found winlogon: %llx", (UINT64)Entry->process);
*process = Entry->process;
}
}
NTSTATUS
ValidateSystemModules()
{
@ -1742,6 +1762,8 @@ ValidateSystemModules()
ULONG memory_hash_size = 0;
PVOID memory_buffer = NULL;
ULONG memory_buffer_size = 0;
PEPROCESS process = NULL;
KAPC_STATE apc_state = { 0 };
SYSTEM_MODULES modules = { 0 };
PRTL_MODULE_EXTENDED_INFO module_info = NULL;
PIMAGE_SECTION_HEADER disk_text_header = NULL;
@ -1765,6 +1787,9 @@ ValidateSystemModules()
module_info = (PRTL_MODULE_EXTENDED_INFO)(
(UINT64)modules.address + index * sizeof(RTL_MODULE_EXTENDED_INFO));
if (strstr(module_info->FullPathName, "win32k.sys") == NULL)
continue;
RtlInitAnsiString(&ansi_string, module_info->FullPathName);
if (!ansi_string.Buffer)
@ -1821,17 +1846,56 @@ ValidateSystemModules()
goto free_iteration;
}
status = StoreModuleExecutableRegionsInBuffer(
&memory_buffer,
module_info->ImageBase,
module_info->ImageSize,
&memory_buffer_size
);
if (!NT_SUCCESS(status))
/*
* For win32k and related modules, because they are 32bit for us to read the memory we need
* to attach to a 32 bit process.
*/
if (!MmIsAddressValid(module_info->ImageBase))
{
DEBUG_ERROR("StoreModuleExecutableRegionsInbuffer 2 failed with status %x", status);
goto free_iteration;
DEBUG_LOG("Win32k process");
EnumerateProcessListWithCallbackRoutine(
FindWinLogonProcess,
&process
);
if (!process)
goto free_iteration;
DEBUG_LOG("WinLogonPRocess: %llx", (UINT64)process);
KeStackAttachProcess(process, &apc_state);
status = StoreModuleExecutableRegionsInBuffer(
&memory_buffer,
module_info->ImageBase,
module_info->ImageSize,
&memory_buffer_size
);
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("StoreModuleExecutableRegionsInbuffer 2 failed with status %x", status);
KeUnstackDetachProcess(&apc_state);
goto free_iteration;
}
KeUnstackDetachProcess(&apc_state);
}
else
{
status = StoreModuleExecutableRegionsInBuffer(
&memory_buffer,
module_info->ImageBase,
module_info->ImageSize,
&memory_buffer_size
);
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("StoreModuleExecutableRegionsInbuffer 2 failed with status %x", status);
goto free_iteration;
}
}
disk_text_base = (UINT64)((UINT64)disk_buffer + sizeof(INTEGRITY_CHECK_HEADER) + sizeof(IMAGE_SECTION_HEADER));

View file

@ -407,6 +407,8 @@ DeviceCreate(
PAGED_CODE();
DEBUG_LOG("Handle opened to DonnaAC");
ValidateSystemModules();
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}