This commit is contained in:
lhodges1 2023-09-23 17:22:43 +10:00
parent e1f242a4de
commit 4c22e5fc52
6 changed files with 218 additions and 94 deletions


@ -30,6 +30,7 @@
#define QUEUE_POOL_TAG 'qqqq'
#define REPORT_QUEUE_TEMP_BUFFER_TAG 'temp'
#define REPORT_POOL_TAG 'repo'
#define MODULES_REPORT_POOL_TAG 'modu'
#define ERROR -1
#define STACK_FRAME_POOL_SIZE 0x200


@ -502,11 +502,21 @@ NTSTATUS HandleValidateDriversIOCTL(
{
DEBUG_LOG( "found INVALID drivers with count: %i", head->count );
PVOID buffer = ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof( MODULE_VALIDATION_FAILURE_HEADER ) +
MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT * sizeof( MODULE_VALIDATION_FAILURE ), MODULES_REPORT_POOL_TAG );
if (!buffer )
{
ExFreePoolWithTag( head, INVALID_DRIVER_LIST_HEAD_POOL );
ExFreePoolWithTag( system_modules.address, SYSTEM_MODULES_POOL );
return STATUS_MEMORY_NOT_ALLOCATED;
}
Irp->IoStatus.Information = sizeof( MODULE_VALIDATION_FAILURE_HEADER ) +
MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT * sizeof( MODULE_VALIDATION_FAILURE );
RtlCopyMemory(
Irp->AssociatedIrp.SystemBuffer,
buffer,
&header,
sizeof( MODULE_VALIDATION_FAILURE_HEADER )
);
@ -542,12 +552,20 @@ NTSTATUS HandleValidateDriversIOCTL(
DEBUG_ERROR( "RtlUnicodeStringToAnsiString failed with statsu %x", status );
RtlCopyMemory(
( UINT64 )Irp->AssociatedIrp.SystemBuffer + sizeof( MODULE_VALIDATION_FAILURE_HEADER ) + i * sizeof( MODULE_VALIDATION_FAILURE ),
( UINT64 )buffer + sizeof( MODULE_VALIDATION_FAILURE_HEADER ) + i * sizeof( MODULE_VALIDATION_FAILURE ),
&report,
sizeof( MODULE_VALIDATION_FAILURE ) );
RemoveInvalidDriverFromList( head );
}
RtlCopyMemory(
Irp->AssociatedIrp.SystemBuffer,
buffer,
sizeof( MODULE_VALIDATION_FAILURE_HEADER ) + MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT * sizeof( MODULE_VALIDATION_FAILURE )
);
ExFreePoolWithTag( buffer, MODULES_REPORT_POOL_TAG );
}
else
{
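Review bot: The final `RtlCopyMemory` into `Irp->AssociatedIrp.SystemBuffer` copies `sizeof( MODULE_VALIDATION_FAILURE_HEADER ) + MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT * sizeof( MODULE_VALIDATION_FAILURE )` bytes without comparing that size to the request's output buffer length, and `Irp->IoStatus.Information` in the first hunk is set to the same fixed size; unless the dispatcher already validates `OutputBufferLength` before this function, a caller that supplies a smaller output buffer gets a write past the end of the system buffer. The size is computed three times in the two hunks, so hoisting it into one local and checking it against `Parameters.DeviceIoControl.OutputBufferLength` where `buffer` is allocated (sketch below, reusing the function's existing stack-location pointer if it already has one) closes both points; the per-report copy inside the loop should likewise stop at `MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT` if `head->count` can exceed it, which the visible lines do not show. `HandleValidateDriversIOCTL` starts before the first hunk and continues past the second.
```c
/* … unchanged: DEBUG_LOG of the invalid driver count … */
SIZE_T report_size = sizeof( MODULE_VALIDATION_FAILURE_HEADER ) +
    MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT * sizeof( MODULE_VALIDATION_FAILURE );
PIO_STACK_LOCATION stack_location = IoGetCurrentIrpStackLocation( Irp );
/* METHOD_BUFFERED: SystemBuffer is only as large as the caller's buffers, so never copy more than OutputBufferLength. */
if ( stack_location->Parameters.DeviceIoControl.OutputBufferLength < report_size )
{
    ExFreePoolWithTag( head, INVALID_DRIVER_LIST_HEAD_POOL );
    ExFreePoolWithTag( system_modules.address, SYSTEM_MODULES_POOL );
    return STATUS_BUFFER_TOO_SMALL;
}
PVOID buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, report_size, MODULES_REPORT_POOL_TAG );
/* … unchanged: allocation-failure path, header copy, per-report loop … */
Irp->IoStatus.Information = report_size;
RtlCopyMemory( Irp->AssociatedIrp.SystemBuffer, buffer, report_size );
/* … unchanged: ExFreePoolWithTag( buffer, MODULES_REPORT_POOL_TAG ) … */
```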


@ -8,6 +8,7 @@ using System;
using System.Collections.Generic;
using System.Drawing.Printing;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using static server.Message.MessageHandler;
@ -55,6 +56,8 @@ namespace server.Message
this._packetHeader = packetHeader;
this._responsePacket = new CLIENT_REPORT_PACKET_RESPONSE();
this.GetPacketHeader();
_logger.Information("buffer size: {0}", bufferSize);
}
unsafe public void GetPacketHeader()
@ -73,6 +76,46 @@ namespace server.Message
this._responsePacket.success = success;
}
private unsafe int GetPacketCount<T>()
{
return this._bufferSize / Marshal.SizeOf(typeof(T));
}
private unsafe T GetPacketData<T>(int index)
{
return Helper.BytesToStructure<T>(this._buffer, index * Marshal.SizeOf(typeof(T)));
}
private unsafe int GetPacketCount(int reportCode)
{
switch (this._clientReportPacketHeader.reportCode)
{
case (int)CLIENT_SEND_REPORT_ID.PROCESS_MODULE_VERIFICATION:
//return this._bufferSize / Marshal.SizeOf(typeof(PROCESS_MODULE_VERIFICATION));
return 0;
case (int)CLIENT_SEND_REPORT_ID.START_ADDRESS_VERIFICATION:
return this._bufferSize / Marshal.SizeOf(typeof(PROCESS_THREAD_START_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.PAGE_PROTECTION_VERIFICATION:
return this._bufferSize / Marshal.SizeOf(typeof(PAGE_PROTECTION_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.PATTERN_SCAN_FAILURE:
return this._bufferSize / Marshal.SizeOf(typeof(PATTERN_SCAN_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.NMI_CALLBACK_FAILURE:
return this._bufferSize / Marshal.SizeOf(typeof(NMI_CALLBACK_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.MODULE_VALIDATION_FAILURE:
return this._bufferSize / Marshal.SizeOf(typeof(MODULE_VALIDATION_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_HANDLE_OPERATION:
return this._bufferSize / Marshal.SizeOf(typeof(OPEN_HANDLE_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.INVALID_PROCESS_ALLOCATION:
return this._bufferSize / Marshal.SizeOf(typeof(INVALID_PROCESS_ALLOCATION_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.HIDDEN_SYSTEM_THREAD:
return this._bufferSize / Marshal.SizeOf(typeof(HIDDEN_SYSTEM_THREAD_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_ATTACH_PROCESS:
return this._bufferSize / Marshal.SizeOf(typeof(ATTACH_PROCESS_FAILURE));
default:
return 0;
}
}
public bool HandleMessage()
{
if (this._clientReportPacketHeader.reportCode == 0)
@ -81,59 +124,112 @@ namespace server.Message
return false;
}
switch (this._clientReportPacketHeader.reportCode)
int reportCount = GetPacketCount(this._clientReportPacketHeader.reportCode) - 2;
_logger.Information("Packet count: {0}", reportCount);
for (int index = 0 ; index < reportCount; index++)
{
case (int)CLIENT_SEND_REPORT_ID.PROCESS_MODULE_VERIFICATION:
_logger.Information("REPORT CODE: MODULE_VERIFICATION");
break;
case (int)CLIENT_SEND_REPORT_ID.START_ADDRESS_VERIFICATION:
_logger.Information("REPORT CODE: START_ADDRESS_VERIFICATION");
HandleReportStartAddressVerification();
break;
case (int)CLIENT_SEND_REPORT_ID.PAGE_PROTECTION_VERIFICATION:
_logger.Information("REPORT CODE: PAGE_PROTECTION_VERIFICATION");
HandleReportPageProtection();
break;
case (int)CLIENT_SEND_REPORT_ID.PATTERN_SCAN_FAILURE:
_logger.Information("REPORT_PATTERN_SCAN_FAILURE");
HandleReportPatternScan();
break;
case (int)CLIENT_SEND_REPORT_ID.NMI_CALLBACK_FAILURE:
_logger.Information("REPORT_NMI_CALLBACK_FAILURE");
HandleReportNmiCallback();
break;
case (int)CLIENT_SEND_REPORT_ID.MODULE_VALIDATION_FAILURE:
_logger.Information("REPORT_MODULE_VALIDATION_FAILURE");
HandleReportSystemModuleValidation();
break;
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_HANDLE_OPERATION:
HandleReportIllegalHandleOperation();
break;
case (int)CLIENT_SEND_REPORT_ID.INVALID_PROCESS_ALLOCATION:
_logger.Information("REPORT_INVALID_PROCESS_ALLOCATION");
HandleInvalidProcessAllocation();
break;
case (int)CLIENT_SEND_REPORT_ID.HIDDEN_SYSTEM_THREAD:
_logger.Information("REPORT_HIDDEN_SYSTEM_THREAD");
HandleReportHiddenSystemThread();
break;
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_ATTACH_PROCESS:
_logger.Information("REPORT_ILLEGAL_ATTACH_PROCESS");
HandleReportAttachProcess();
break;
default:
_logger.Information("Report code not handled yet");
break;
switch (this._clientReportPacketHeader.reportCode)
{
case (int)CLIENT_SEND_REPORT_ID.PROCESS_MODULE_VERIFICATION:
_logger.Information("REPORT CODE: MODULE_VERIFICATION");
break;
case (int)CLIENT_SEND_REPORT_ID.START_ADDRESS_VERIFICATION:
_logger.Information("REPORT CODE: START_ADDRESS_VERIFICATION");
HandleReportStartAddressVerification(
index * Marshal.SizeOf(typeof(PROCESS_THREAD_START_FAILURE)) +
index * Marshal.SizeOf(typeof(PACKET_HEADER)));
break;
case (int)CLIENT_SEND_REPORT_ID.PAGE_PROTECTION_VERIFICATION:
_logger.Information("REPORT CODE: PAGE_PROTECTION_VERIFICATION");
HandleReportPageProtection(
index * Marshal.SizeOf(typeof(PAGE_PROTECTION_FAILURE)) +
index * Marshal.SizeOf(typeof(PACKET_HEADER)));
break;
case (int)CLIENT_SEND_REPORT_ID.PATTERN_SCAN_FAILURE:
_logger.Information("REPORT_PATTERN_SCAN_FAILURE");
HandleReportPatternScan(
index * Marshal.SizeOf(typeof(PATTERN_SCAN_FAILURE)) +
index * Marshal.SizeOf(typeof(PACKET_HEADER)));
break;
case (int)CLIENT_SEND_REPORT_ID.NMI_CALLBACK_FAILURE:
_logger.Information("REPORT_NMI_CALLBACK_FAILURE");
HandleReportNmiCallback(
index * Marshal.SizeOf(typeof(NMI_CALLBACK_FAILURE)) +
index * Marshal.SizeOf(typeof(PACKET_HEADER)));
break;
case (int)CLIENT_SEND_REPORT_ID.MODULE_VALIDATION_FAILURE:
_logger.Information("REPORT_MODULE_VALIDATION_FAILURE");
HandleReportSystemModuleValidation(
index * Marshal.SizeOf(typeof(MODULE_VALIDATION_FAILURE)) +
index * Marshal.SizeOf(typeof(PACKET_HEADER)));
break;
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_HANDLE_OPERATION:
_logger.Information("REPORT_ILLEGAL_HANDLE_OPERATION");
HandleReportIllegalHandleOperation(
index * Marshal.SizeOf(typeof(OPEN_HANDLE_FAILURE)) +
index * Marshal.SizeOf(typeof(PACKET_HEADER)));
break;
case (int)CLIENT_SEND_REPORT_ID.INVALID_PROCESS_ALLOCATION:
_logger.Information("REPORT_INVALID_PROCESS_ALLOCATION");
HandleInvalidProcessAllocation(
index * Marshal.SizeOf(typeof(INVALID_PROCESS_ALLOCATION_FAILURE)) +
index * Marshal.SizeOf(typeof(PACKET_HEADER)));
break;
case (int)CLIENT_SEND_REPORT_ID.HIDDEN_SYSTEM_THREAD:
_logger.Information("REPORT_HIDDEN_SYSTEM_THREAD");
HandleReportHiddenSystemThread(
index * Marshal.SizeOf(typeof(HIDDEN_SYSTEM_THREAD_FAILURE)) +
index * Marshal.SizeOf(typeof(PACKET_HEADER)));
break;
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_ATTACH_PROCESS:
_logger.Information("REPORT_ILLEGAL_ATTACH_PROCESS");
HandleReportAttachProcess(
index * Marshal.SizeOf(typeof(ATTACH_PROCESS_FAILURE)) +
index * Marshal.SizeOf(typeof(PACKET_HEADER)));
break;
default:
_logger.Information("Report code not handled yet");
break;
}
}
SetResponsePacketData(1);
return true;
}
unsafe public void HandleReportIllegalHandleOperation()
unsafe public void HandleReportIllegalHandleOperation(int offset)
{
OPEN_HANDLE_FAILURE report =
Helper.BytesToStructure<OPEN_HANDLE_FAILURE>(_buffer, sizeof(PACKET_HEADER));
Helper.BytesToStructure<OPEN_HANDLE_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("ProcessName: {0}, ProcessID: {1:x}, ThreadId: {2:x}, DesiredAccess{3:x}",
report.ProcessName,
@ -173,10 +269,10 @@ namespace server.Message
}
}
unsafe public void HandleReportStartAddressVerification()
unsafe public void HandleReportStartAddressVerification(int offset)
{
PROCESS_THREAD_START_FAILURE report =
Helper.BytesToStructure<PROCESS_THREAD_START_FAILURE>(_buffer, sizeof(PACKET_HEADER));
Helper.BytesToStructure<PROCESS_THREAD_START_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("ThreadId: {0}, ThreadStartAddress: {1:x}",
report.ThreadId,
@ -207,10 +303,10 @@ namespace server.Message
}
}
unsafe public void HandleReportPageProtection()
unsafe public void HandleReportPageProtection(int offset)
{
PAGE_PROTECTION_FAILURE report =
Helper.BytesToStructure<PAGE_PROTECTION_FAILURE>(_buffer, sizeof(PACKET_HEADER));
Helper.BytesToStructure<PAGE_PROTECTION_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("Page base address: {0:x}, allocation protection: {1:x}, allocation state: {2:x}, allocationtype: {3:x}",
report.PageBaseAddress,
@ -245,10 +341,10 @@ namespace server.Message
}
}
unsafe public void HandleReportPatternScan()
unsafe public void HandleReportPatternScan(int offset)
{
PATTERN_SCAN_FAILURE report =
Helper.BytesToStructure<PATTERN_SCAN_FAILURE>(_buffer, sizeof(PACKET_HEADER));
Helper.BytesToStructure<PATTERN_SCAN_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("signature id: {0}, address: {1:x}",
report.SignatureId,
@ -279,10 +375,10 @@ namespace server.Message
}
}
unsafe public void HandleReportNmiCallback()
unsafe public void HandleReportNmiCallback(int offset)
{
NMI_CALLBACK_FAILURE report =
Helper.BytesToStructure<NMI_CALLBACK_FAILURE>(_buffer, sizeof(PACKET_HEADER));
Helper.BytesToStructure<NMI_CALLBACK_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("were nmis disabled: {0}, kthread: {1:x}, invalid rip: {2:x}",
report.WereNmisDisabled,
@ -315,10 +411,10 @@ namespace server.Message
}
}
unsafe public void HandleReportSystemModuleValidation()
unsafe public void HandleReportSystemModuleValidation(int offset)
{
MODULE_VALIDATION_FAILURE report =
Helper.BytesToStructure<MODULE_VALIDATION_FAILURE>(_buffer, sizeof(PACKET_HEADER));
Helper.BytesToStructure<MODULE_VALIDATION_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("report type: {0}, driver base: {1:x}, size: {2}, module name: {3}",
report.ReportType,
@ -353,10 +449,10 @@ namespace server.Message
}
}
unsafe public void HandleReportHiddenSystemThread()
unsafe public void HandleReportHiddenSystemThread(int offset)
{
HIDDEN_SYSTEM_THREAD_FAILURE report =
Helper.BytesToStructure<HIDDEN_SYSTEM_THREAD_FAILURE>(_buffer, sizeof(PACKET_HEADER));
Helper.BytesToStructure<HIDDEN_SYSTEM_THREAD_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("found in kthread list: {0}, found in pspcidtable: {1}, thread address: {2:x}, thread id: {3:x}",
report.FoundInKThreadList,
@ -391,10 +487,10 @@ namespace server.Message
}
}
unsafe public void HandleReportAttachProcess()
unsafe public void HandleReportAttachProcess(int offset)
{
ATTACH_PROCESS_FAILURE report =
Helper.BytesToStructure<ATTACH_PROCESS_FAILURE>(_buffer, sizeof(PACKET_HEADER));
Helper.BytesToStructure<ATTACH_PROCESS_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("thread id: {0:x}, thread address: {1:x}",
report.ThreadId,
@ -425,10 +521,10 @@ namespace server.Message
}
}
unsafe public void HandleInvalidProcessAllocation()
unsafe public void HandleInvalidProcessAllocation(int offset)
{
INVALID_PROCESS_ALLOCATION_FAILURE report =
Helper.BytesToStructure<INVALID_PROCESS_ALLOCATION_FAILURE>(_buffer, sizeof(PACKET_HEADER));
Helper.BytesToStructure<INVALID_PROCESS_ALLOCATION_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("received invalid process allocation structure");
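Review bot: `GetPacketCount(int reportCode)` never reads its `reportCode` parameter and switches on `this._clientReportPacketHeader.reportCode` instead, so the argument `HandleMessage` passes is dead, and the generic `GetPacketCount<T>()` and `GetPacketData<T>(int index)` added just above it are not called anywhere in the hunk. The count also divides `_bufferSize` by the report size alone while the offsets computed in `HandleMessage` advance by `Marshal.SizeOf(report) + Marshal.SizeOf(typeof(PACKET_HEADER))` per index, so the two disagree on the stride, and the unexplained `- 2` on `reportCount` reads like a compensation for that rather than a documented rule; if `_bufferSize` is the pipe capacity set in `Worker` (`_bufferSize = MAX_BUFFER_SIZE`) rather than the number of bytes actually read, the loop will additionally deserialize slots that were never received. I would compute the count with the same stride the loop uses (sketch below), have the loop stop when `offset + Marshal.SizeOf(typeof(PACKET_HEADER)) + reportSize` exceeds `_bufferSize` before calling a handler, and either delete the `- 2` or comment what it accounts for. `HandleMessage` begins in the previous hunk.
```csharp
private unsafe int GetPacketCount(int reportCode)
{
    // Stride must match HandleMessage: each report is preceded by its own PACKET_HEADER.
    int headerSize = Marshal.SizeOf(typeof(PACKET_HEADER));
    switch (reportCode)
    {
        case (int)CLIENT_SEND_REPORT_ID.START_ADDRESS_VERIFICATION:
            return this._bufferSize / (Marshal.SizeOf(typeof(PROCESS_THREAD_START_FAILURE)) + headerSize);
        // … remaining cases follow the same (report size + headerSize) shape …
        default:
            return 0;
    }
}
```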


@ -27,7 +27,16 @@ namespace service
public Worker(Serilog.ILogger logger)
{
_logger = logger;
_pipeServer = new NamedPipeServerStream("DonnaACPipe", PipeDirection.InOut, 1, 0, PipeOptions.Asynchronous);
_pipeServer = new NamedPipeServerStream(
"DonnaACPipe",
PipeDirection.InOut,
1,
0,
PipeOptions.Asynchronous,
MAX_BUFFER_SIZE,
MAX_BUFFER_SIZE);
_bufferSize = MAX_BUFFER_SIZE;
_buffer = new byte[_bufferSize];
}
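Review bot: `_bufferSize = MAX_BUFFER_SIZE` records the pipe's capacity, not the length of any message; if this value is what later reaches the `server.Message` handler as `bufferSize` (its constructor now logs it), that handler will treat the whole capacity as received data. Keep the count returned by the pipe read (`ReadAsync` returns the number of bytes actually read) next to the buffer and pass that to the handler instead of the capacity; the read loop that fills `_buffer` is outside this hunk, so this is inferred from the constructor alone. The rewritten `NamedPipeServerStream` call also keeps the default pipe security; if only the local client component is meant to connect, create the pipe through `NamedPipeServerStreamAcl.Create` with a `PipeSecurity` that limits who may open it, and say so in a comment on the constructor.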


@ -131,6 +131,8 @@ VOID kernelmode::Driver::VerifySystemModules()
global::report_structures::MODULE_VALIDATION_FAILURE_HEADER* header =
( global::report_structures::MODULE_VALIDATION_FAILURE_HEADER* )buffer;
LOG_INFO( "Module count: %lx", header->module_count );
for ( int i = 0; i < header->module_count; i++ )
{
global::report_structures::MODULE_VALIDATION_FAILURE* report =
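Review bot: `header->module_count` is used directly as the loop bound on the next line without being clamped to the number of report slots `buffer` can hold; if `buffer` is the fixed-size block the driver fills (sized by `MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT` on the kernel side), a count above that capacity walks `report` past the end of the buffer. Add a guard right after the cast, `if ( header->module_count > MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT ) { LOG_INFO( "Module count %lx exceeds report capacity", header->module_count ); return; }`, using whatever name that constant has in the user-mode headers. The loop itself appears to be pre-existing context, and since `module_count` is printed with `%lx` while `i` is an `int`, the comparison also mixes signedness. `VerifySystemModules` starts and ends outside the hunk.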


@ -41,40 +41,38 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
while ( !GetAsyncKeyState( VK_DELETE ) )
{
kmanager.VerifySystemModules();
//srand( time( NULL ) );
//int seed = ( rand() % 7 );
srand( time( NULL ) );
int seed = ( rand() % 7 );
//std::cout << "Seed: " << seed << std::endl;
std::cout << "Seed: " << seed << std::endl;
//switch ( seed )
//{
//case 0:
// kmanager.EnumerateHandleTables();
// break;
//case 1:
// kmanager.PerformIntegrityCheck();
// break;
//case 2:
// kmanager.ScanPoolsForUnlinkedProcesses();
// break;
//case 3:
// kmanager.VerifySystemModules();
// break;
//case 4:
// kmanager.ValidateProcessModules();
// break;
//case 5:
// kmanager.RunNmiCallbacks();
// break;
//case 6:
// kmanager.CheckForAttachedThreads();
// break;
//}
switch ( seed )
{
case 0:
kmanager.EnumerateHandleTables();
break;
case 1:
kmanager.PerformIntegrityCheck();
break;
case 2:
kmanager.ScanPoolsForUnlinkedProcesses();
break;
case 3:
kmanager.VerifySystemModules();
break;
case 4:
kmanager.ValidateProcessModules();
break;
case 5:
kmanager.RunNmiCallbacks();
break;
case 6:
kmanager.CheckForAttachedThreads();
break;
}
//kmanager.MonitorCallbackReports();
std::this_thread::sleep_for( std::chrono::seconds( 5 ) );
kmanager.MonitorCallbackReports();
std::this_thread::sleep_for( std::chrono::seconds( 10 ) );
}
fclose( stdout );
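Review bot: The re-enabled scheduler calls `srand( time( NULL ) )` on every iteration and draws with `rand() % 7`, so the check selected on each pass is a deterministic function of the wall-clock second rather than of a properly seeded generator. Seed a `<random>` engine once outside the loop and draw from a distribution, `static std::mt19937 rng{ std::random_device{}() };` with `std::uniform_int_distribution<int> pick( 0, 6 );` and then `int seed = pick( rng );`, which also removes the modulo bias and the per-iteration reseed. `kmanager.VerifySystemModules()` at the top of the loop now runs on every pass in addition to `case 3`, which looks like a leftover from when the switch was commented out; if it is intentional, a comment should say why it is unconditional. The `Seed:` console print is debug output worth gating. `Init` starts before the hunk and continues after it.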