fix some bug

driver/integrity.c

@@ -52,7 +52,7 @@ InitiateEptFunctionAddressArrays();
 STATIC 
 NTSTATUS 
 GetModuleInformationByName(
-        _Inout_ PRTL_MODULE_EXTENDED_INFO ModuleInfo, 
+        _Out_ PRTL_MODULE_EXTENDED_INFO ModuleInfo, 
         _In_ LPCSTR ModuleName);
 
 STATIC 
@@ -156,6 +156,13 @@ GetDriverImageSize(
                 &modules
         );
 
+        if (!driver_info)
+        {
+                DEBUG_ERROR("FindSystemModuleByName failed");
+                ExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL);
+                return STATUS_NOT_FOUND;
+        }
+
         status = ValidateIrpOutputBuffer(Irp, sizeof(ULONG));
 
         if (!NT_SUCCESS(status))
@@ -178,7 +185,7 @@ end:
 STATIC
 NTSTATUS
 GetModuleInformationByName(
-        _Inout_ PRTL_MODULE_EXTENDED_INFO ModuleInfo,
+        _Out_ PRTL_MODULE_EXTENDED_INFO ModuleInfo,
         _In_ LPCSTR ModuleName
 )
 {
@@ -201,6 +208,13 @@ GetModuleInformationByName(
                 &modules
         );
 
+        if (!driver_info)
+        {
+                DEBUG_ERROR("FindSystemModuleByName failed");
+                ExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL);
+                return STATUS_NOT_FOUND;
+        }
+
         ModuleInfo->FileNameOffset = driver_info->FileNameOffset;
         ModuleInfo->ImageBase = driver_info->ImageBase;
         ModuleInfo->ImageSize = driver_info->ImageSize;

driver/ioctl.c

@@ -84,6 +84,11 @@ DispatchApcOperation(
 * to DeviceIoControl. The IO manager will then zero our the buffer to the size of the input
 * buffer, so if the output buffer is larger then the input buffer there will be uninitialised 
 * memory in the buffer so we must zero out the buffer to the length of the output buffer.
+* 
+* We then set the IoStatus.Information field to the size of the buffer we are passing back.
+* If we don't do this and we allocate an output buffer of size 0x1000, yet only use 0x100 bytes,
+* the user mode apps output buffer will receive 0x100 bytes + 0x900 bytes of uninitialised memory
+* which is an information leak.
 */
 NTSTATUS
 ValidateIrpOutputBuffer(
@@ -104,6 +109,8 @@ ValidateIrpOutputBuffer(
 
 	RtlSecureZeroMemory(Irp->AssociatedIrp.SystemBuffer, RequiredSize);
 
+	Irp->IoStatus.Information = RequiredSize;
+
 	return STATUS_SUCCESS;
 }
 

driver/modules.c

@@ -130,7 +130,7 @@ InitDriverList(
 	_Inout_ PINVALID_DRIVERS_HEAD ListHead);
 
 STATIC 
-VOID 
+NTSTATUS 
 AddDriverToList(
 	_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead, 
 	_In_ PDRIVER_OBJECT Driver,
@@ -231,6 +231,7 @@ ValidateThreadViaKernelApcCallback(
 
 /*
 * TODO: this needs to be refactored to just return the entry not the whole fukin thing
+* TODO: return ntstatus and pass result in an out parameter
 */
 PRTL_MODULE_EXTENDED_INFO
 FindSystemModuleByName(
@@ -241,7 +242,7 @@ FindSystemModuleByName(
 	PAGED_CODE();
 
 	if (!ModuleName || !SystemModules)
-		return STATUS_INVALID_PARAMETER;
+		return NULL;
 
 	for (INT index = 0; index < SystemModules->module_count; index++)
 	{
@@ -253,6 +254,8 @@ FindSystemModuleByName(
 			return system_module;
 		}
 	}
+
+	return NULL;
 }
 
 STATIC
@@ -381,7 +384,7 @@ InitDriverList(
 }
 
 STATIC
-VOID
+NTSTATUS
 AddDriverToList(
 	_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead,
 	_In_ PDRIVER_OBJECT Driver,
@@ -397,12 +400,14 @@ AddDriverToList(
 	);
 
 	if (!new_entry)
-		return;
+		return STATUS_MEMORY_NOT_ALLOCATED;
 
 	new_entry->driver = Driver;
 	new_entry->reason = Reason;
 	new_entry->next = InvalidDriversHead->first_entry;
 	InvalidDriversHead->first_entry = new_entry;
+
+	return STATUS_SUCCESS;
 }
 
 STATIC
@@ -650,8 +655,13 @@ ValidateDriverObjects(
 
 			if (!flag)
 			{
-				InvalidDriverListHead->count += 1;
-				AddDriverToList(InvalidDriverListHead, current_driver, REASON_NO_BACKING_MODULE);
+				status = AddDriverToList(InvalidDriverListHead, current_driver, REASON_NO_BACKING_MODULE);
+
+				if (!NT_SUCCESS(status))
+					DEBUG_ERROR("AddDriverToList failed with status %x", status);
+				else
+					InvalidDriverListHead->count += 1;
+
 			}
 
 			/* validate drivers IOCTL dispatch routines */
@@ -672,8 +682,12 @@ ValidateDriverObjects(
 
 			if (!flag)
 			{
-				InvalidDriverListHead->count += 1;
-				AddDriverToList(InvalidDriverListHead, current_driver, REASON_INVALID_IOCTL_DISPATCH);
+				status = AddDriverToList(InvalidDriverListHead, current_driver, REASON_INVALID_IOCTL_DISPATCH);
+
+				if (!NT_SUCCESS(status))
+					DEBUG_ERROR("AddDriverToList failed with status %x", status);
+				else
+					InvalidDriverListHead->count += 1;
 			}
 
 			sub_entry = sub_entry->ChainLink;
@@ -734,8 +748,8 @@ HandleValidateDriversIOCTL(
 	if (!NT_SUCCESS(ValidateDriverObjects(&system_modules, head)))
 	{
 		DEBUG_ERROR("Failed to validate driver objects");
-		ExFreePoolWithTag(system_modules.address, SYSTEM_MODULES_POOL);
-		return STATUS_ABANDONED;
+		status = STATUS_ABANDONED;
+		goto end;
 	}
 
 	MODULE_VALIDATION_FAILURE_HEADER header;
@@ -786,13 +800,13 @@ HandleValidateDriversIOCTL(
 				continue;
 			}
 
-			MODULE_VALIDATION_FAILURE report;
+			MODULE_VALIDATION_FAILURE report = { 0 };
 			report.report_code = REPORT_MODULE_VALIDATION_FAILURE;
 			report.report_type = head->first_entry->reason;
 			report.driver_base_address = head->first_entry->driver->DriverStart;
 			report.driver_size = head->first_entry->driver->DriverSize;
 
-			ANSI_STRING string;
+			ANSI_STRING string = { 0 };
 			string.Length = 0;
 			string.MaximumLength = MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE;
 			string.Buffer = &report.driver_name;