working but with critical error xD

2024-11-21 22:24:08 +01:00 · 2023-08-21 02:06:21 +10:00 · 2023-08-21 02:06:21 +10:00 · 4f610ffa53
commit 4f610ffa53
parent 0d853853bf
9 changed files with 124 additions and 58 deletions
--- a/driver/callbacks.c
+++ b/driver/callbacks.c
@ -125,13 +125,18 @@ OB_PREOP_CALLBACK_STATUS ObPreOpCallbackRoutine(
 	LPCSTR process_creator_name = PsGetProcessImageFileName( process_creator );
 	LPCSTR target_process_name = PsGetProcessImageFileName( target_process );

-	if ( protected_process_id ==  target_process_id)
+	if ( !strcmp( "notepad.exe", target_process_name) )
 	{
 		if ( !strcmp( process_creator_name, "lsass.exe" ) || !strcmp( process_creator_name, "csrss.exe" ) )
 		{
 			/* We will downgrade these handles later */
 			DEBUG_LOG( "Handles created by CSRSS and LSASS are allowed for now..." );
 		}
+		else if ( target_process == process_creator )
+		{
+			DEBUG_LOG( "handles made by NOTEPAD r okay :)" );
+			/* handles created by the game (notepad) are okay */
+		}
 		/* NOTE: try allowing only 1 handle from the proc creator */
 		else if ( parent_process_id == process_creator_id )
 		{
--- a/driver/callbacks.h
+++ b/driver/callbacks.h
@ -62,4 +62,10 @@ NTSTATUS HandlePeriodicCallbackReportQueue(
 	_In_ PIRP Irp
 );

+VOID ProcessCreateNotifyRoutine(
+	_In_ HANDLE ParentId,
+	_In_ HANDLE ProcessId,
+	_In_ BOOLEAN Create
+);
+
 #endif
--- a/driver/driver.c
+++ b/driver/driver.c
@ -53,60 +53,15 @@ VOID DriverUnload(
 	_In_ PDRIVER_OBJECT DriverObject
 )
 {
+	ExUnregisterCallback( callback_registration_handle );
 	IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
 	IoDeleteDevice( DriverObject->DeviceObject );
 }

-NTSTATUS DriverEntry(
-	_In_ PDRIVER_OBJECT DriverObject,
-	_In_ PUNICODE_STRING RegistryPath
-)
+NTSTATUS InitiateDriverCallbacks()
 {
-	UNREFERENCED_PARAMETER( RegistryPath );
-
-	BOOLEAN flag;
 	NTSTATUS status;

-	status = IoCreateDevice(
-		DriverObject,
-		NULL,
-		&DEVICE_NAME,
-		FILE_DEVICE_UNKNOWN,
-		FILE_DEVICE_SECURE_OPEN,
-		FALSE,
-		&DriverObject->DeviceObject
-	);
-
-	if ( !NT_SUCCESS( status ) )
-		return STATUS_FAILED_DRIVER_ENTRY;
-
-	status = IoCreateSymbolicLink(
-		&DEVICE_SYMBOLIC_LINK,
-		&DEVICE_NAME
-	);
-
-	if ( !NT_SUCCESS( status ) )
-	{
-		IoDeleteDevice( DriverObject->DeviceObject );
-		return STATUS_FAILED_DRIVER_ENTRY;
-	}
-
-	DriverObject->MajorFunction[ IRP_MJ_CREATE ] = DeviceCreate;
-	DriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DeviceClose;
-	DriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DeviceControl;
-	DriverObject->DriverUnload = DriverUnload;
-
-	KeInitializeGuardedMutex( &mutex );
-
-	InitCallbackReportQueue(&flag);
-
-	if ( !flag )
-	{
-		IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
-		IoDeleteDevice( DriverObject->DeviceObject );
-		return STATUS_FAILED_DRIVER_ENTRY;
-	}
-
 	OB_CALLBACK_REGISTRATION callback_registration = { 0 };
 	OB_OPERATION_REGISTRATION operation_registration = { 0 };

@ -127,12 +82,95 @@ NTSTATUS DriverEntry(

 	if ( !NT_SUCCESS( status ) )
 	{
+		DEBUG_ERROR( "failed to launch obregisters with status %x", status );
+		return status;
+	}
+
+	status = PsSetCreateProcessNotifyRoutine(
+		ProcessCreateNotifyRoutine,
+		FALSE
+	);
+
+	if ( !NT_SUCCESS( status ) )
+		DEBUG_ERROR( "Failed to launch ps create notif routines with status %x", status );
+
+	return status;
+}
+
+NTSTATUS DriverEntry(
+	_In_ PDRIVER_OBJECT DriverObject,
+	_In_ PUNICODE_STRING RegistryPath
+)
+{
+	UNREFERENCED_PARAMETER( RegistryPath );
+
+	BOOLEAN flag;
+	NTSTATUS status;
+	HANDLE handle;
+
+	status = IoCreateDevice(
+		DriverObject,
+		NULL,
+		&DEVICE_NAME,
+		FILE_DEVICE_UNKNOWN,
+		FILE_DEVICE_SECURE_OPEN,
+		FALSE,
+		&DriverObject->DeviceObject
+	);
+
+	if ( !NT_SUCCESS( status ) )
+		return STATUS_FAILED_DRIVER_ENTRY;
+
+	status = IoCreateSymbolicLink(
+		&DEVICE_SYMBOLIC_LINK,
+		&DEVICE_NAME
+	);
+
+	if ( !NT_SUCCESS( status ) )
+	{
+		DEBUG_ERROR( "failed to create symbolic link" );
+		IoDeleteDevice( DriverObject->DeviceObject );
+		return STATUS_FAILED_DRIVER_ENTRY;
+	}
+
+	DriverObject->MajorFunction[ IRP_MJ_CREATE ] = DeviceCreate;
+	DriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DeviceClose;
+	DriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DeviceControl;
+	DriverObject->DriverUnload = DriverUnload;
+
+	KeInitializeGuardedMutex( &mutex );
+
+	InitCallbackReportQueue(&flag);
+
+	if ( !flag )
+	{
+		DEBUG_ERROR( "failed to init report queue" );
+		IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
+		IoDeleteDevice( DriverObject->DeviceObject );
+		return STATUS_FAILED_DRIVER_ENTRY;
+	}
+
+	status = PsCreateSystemThread(
+		&handle,
+		PROCESS_ALL_ACCESS,
+		NULL,
+		NULL,
+		NULL,
+		InitiateDriverCallbacks,
+		NULL
+	);
+
+	if ( !NT_SUCCESS( status ) )
+	{
+		DEBUG_ERROR( "failed to launch thread to start tings" );
 		DeleteCallbackReportQueueHead();
 		IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
 		IoDeleteDevice( DriverObject->DeviceObject );
 		return STATUS_FAILED_DRIVER_ENTRY;
 	}

+	ZwClose( handle );
+
 	DEBUG_LOG( "DonnaAC Driver Entry Complete. type: %lx", DriverObject->DeviceObject->DeviceType );

 	return status;
--- a/driver/driver.vcxproj
+++ b/driver/driver.vcxproj
@ -91,6 +91,10 @@
    <ClCompile>
      <TreatWarningAsError>false</TreatWarningAsError>
    </ClCompile>
+    <Link />
+    <Link>
+      <AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
+    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <DriverSign>
@ -99,6 +103,10 @@
    <ClCompile>
      <TreatWarningAsError>false</TreatWarningAsError>
    </ClCompile>
+    <Link />
+    <Link>
+      <AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
+    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
    <DriverSign>
--- a/driver/queue.c
+++ b/driver/queue.c
@ -15,7 +15,7 @@ PQUEUE_HEAD QueueCreate()
 	head->start = NULL;
 	head->entries = 0;

-	KeInitializeSpinLock( head->lock );
+	KeInitializeSpinLock( &head->lock );

 	return head;
 }
@ -26,7 +26,7 @@ VOID QueuePush(
 )
 {
 	KIRQL irql = KeGetCurrentIrql();
-	KeAcquireSpinLock( Head->lock, &irql );
+	KeAcquireSpinLock( &Head->lock, &irql );

 	PQUEUE_NODE temp = ExAllocatePool2( POOL_FLAG_NON_PAGED, sizeof( QUEUE_NODE ), QUEUE_POOL_TAG );

@ -36,7 +36,6 @@ VOID QueuePush(
 	Head->entries += 1;

 	temp->data = Data;
-	temp->lock = Head->lock;

 	if ( Head->end != NULL )
 		Head->end->next = temp;
@ -47,7 +46,7 @@ VOID QueuePush(
 		Head->start = temp;

 end:
-	KeReleaseSpinLock( Head->lock, irql );
+	KeReleaseSpinLock( &Head->lock, irql );
 }

 PVOID QueuePop(
@ -55,7 +54,7 @@ PVOID QueuePop(
 )
 {
 	KIRQL irql = KeGetCurrentIrql();
-	KeAcquireSpinLock( Head->lock, &irql );
+	KeAcquireSpinLock( &Head->lock, &irql );

 	PVOID data = NULL;
 	PQUEUE_NODE temp = Head->start;
@ -74,6 +73,6 @@ PVOID QueuePop(
 	ExFreePoolWithTag( temp, QUEUE_POOL_TAG );

 end:
-	KeReleaseSpinLock( Head->lock, irql );
+	KeReleaseSpinLock( &Head->lock, irql );
 	return data;
 }
--- a/driver/queue.h
+++ b/driver/queue.h
@ -8,7 +8,6 @@
 typedef struct _QUEUE_NODE
 {
 	struct _QUEUE_NODE* next;
-	PKSPIN_LOCK lock;
 	PVOID data;

 }QUEUE_NODE, *PQUEUE_NODE;
@ -17,7 +16,7 @@ typedef struct QUEUE_HEAD
 {
 	struct _QUEUE_NODE* start;
 	struct _QUEUE_NODE* end;
-	PKSPIN_LOCK lock;
+	KSPIN_LOCK lock;
 	INT entries;

 }QUEUE_HEAD, *PQUEUE_HEAD;
--- a/user/km/driver.cpp
+++ b/user/km/driver.cpp
@ -176,6 +176,9 @@ void kernelmode::Driver::QueryReportQueue()
 	global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* header =
 		( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* )buffer;

+	if ( !header )
+		return;
+
 	for ( int i = 0; i < header->count; i++ )
 	{
 		global::report_structures::OPEN_HANDLE_FAILURE_REPORT* report =
@ -183,6 +186,8 @@ void kernelmode::Driver::QueryReportQueue()
 				( UINT64 )buffer + sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER ) +
 				i * sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT ) );

+		std::cout << report->process_id << " " << report->process_name << std::endl;
+
 		this->report_interface->ReportViolation( report );
 	}

--- a/user/km/kmanager.cpp
+++ b/user/km/kmanager.cpp
@ -18,5 +18,5 @@ void kernelmode::KManager::VerifySystemModules()

 void kernelmode::KManager::MonitorCallbackReports()
 {
-
+	this->thread_pool->QueueJob( [ this ]() { this->driver_interface->QueryReportQueue(); } );
 }
--- a/user/main.cpp
+++ b/user/main.cpp
@ -29,7 +29,13 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
    kernelmode::KManager kmanager( driver_name, thread_pool, report_interface);

    //kmanager.RunNmiCallbacks();
-    kmanager.VerifySystemModules();
+    //kmanager.VerifySystemModules();
+
+    while ( true )
+    {
+        kmanager.MonitorCallbackReports();
+        std::this_thread::sleep_for( std::chrono::seconds( 10 ) );
+    }

    //umanager.ValidateProcessModules();
    //umanager.ValidateProcessMemory();