From 4f610ffa53723a3189fecaaf6239056db083d2ba Mon Sep 17 00:00:00 2001 From: lhodges1 Date: Mon, 21 Aug 2023 02:06:21 +1000 Subject: [PATCH] working but with critical error xD --- driver/callbacks.c | 7 ++- driver/callbacks.h | 6 ++ driver/driver.c | 132 +++++++++++++++++++++++++++--------------- driver/driver.vcxproj | 8 +++ driver/queue.c | 11 ++-- driver/queue.h | 3 +- user/km/driver.cpp | 5 ++ user/km/kmanager.cpp | 2 +- user/main.cpp | 8 ++- 9 files changed, 124 insertions(+), 58 deletions(-) diff --git a/driver/callbacks.c b/driver/callbacks.c index 6331cc8..2a28559 100644 --- a/driver/callbacks.c +++ b/driver/callbacks.c @@ -125,13 +125,18 @@ OB_PREOP_CALLBACK_STATUS ObPreOpCallbackRoutine( LPCSTR process_creator_name = PsGetProcessImageFileName( process_creator ); LPCSTR target_process_name = PsGetProcessImageFileName( target_process ); - if ( protected_process_id == target_process_id) + if ( !strcmp( "notepad.exe", target_process_name) ) { if ( !strcmp( process_creator_name, "lsass.exe" ) || !strcmp( process_creator_name, "csrss.exe" ) ) { /* We will downgrade these handles later */ DEBUG_LOG( "Handles created by CSRSS and LSASS are allowed for now..." ); } + else if ( target_process == process_creator ) + { + DEBUG_LOG( "handles made by NOTEPAD r okay :)" ); + /* handles created by the game (notepad) are okay */ + } /* NOTE: try allowing only 1 handle from the proc creator */ else if ( parent_process_id == process_creator_id ) { diff --git a/driver/callbacks.h b/driver/callbacks.h index 6ccb9d6..f1daa59 100644 --- a/driver/callbacks.h +++ b/driver/callbacks.h @@ -62,4 +62,10 @@ NTSTATUS HandlePeriodicCallbackReportQueue( _In_ PIRP Irp ); +VOID ProcessCreateNotifyRoutine( + _In_ HANDLE ParentId, + _In_ HANDLE ProcessId, + _In_ BOOLEAN Create +); + #endif diff --git a/driver/driver.c b/driver/driver.c index d5a1f67..c5c959a 100644 --- a/driver/driver.c +++ b/driver/driver.c 
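Review bot: Replacing `protected_process_id == target_process_id` with `!strcmp( "notepad.exe", target_process_name )` turns a process-id check into an image-name check that any process can satisfy or evade: the name comes from `PsGetProcessImageFileName`, which returns the EPROCESS `ImageFileName` field (truncated to 15 characters and chosen by whoever launches the process), so the callback now keys its decision on an attacker-controllable string while the `protected_process_id` the driver was given is no longer consulted here. Keep the pid comparison as the gate and use the name, at most, as a secondary sanity check: `if ( protected_process_id == target_process_id )`. The new `target_process == process_creator` branch is reasonable, though its explanatory comment would read better above the `DEBUG_LOG` than after it. ObPreOpCallbackRoutine begins before and ends after this hunk.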
@@ -53,60 +53,15 @@ VOID DriverUnload( _In_ PDRIVER_OBJECT DriverObject ) { + ExUnregisterCallback( callback_registration_handle ); IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK ); IoDeleteDevice( DriverObject->DeviceObject ); } -NTSTATUS DriverEntry( - _In_ PDRIVER_OBJECT DriverObject, - _In_ PUNICODE_STRING RegistryPath -) +NTSTATUS InitiateDriverCallbacks() { - UNREFERENCED_PARAMETER( RegistryPath ); - - BOOLEAN flag; NTSTATUS status; - status = IoCreateDevice( - DriverObject, - NULL, - &DEVICE_NAME, - FILE_DEVICE_UNKNOWN, - FILE_DEVICE_SECURE_OPEN, - FALSE, - &DriverObject->DeviceObject - ); - - if ( !NT_SUCCESS( status ) ) - return STATUS_FAILED_DRIVER_ENTRY; - - status = IoCreateSymbolicLink( - &DEVICE_SYMBOLIC_LINK, - &DEVICE_NAME - ); - - if ( !NT_SUCCESS( status ) ) - { - IoDeleteDevice( DriverObject->DeviceObject ); - return STATUS_FAILED_DRIVER_ENTRY; - } - - DriverObject->MajorFunction[ IRP_MJ_CREATE ] = DeviceCreate; - DriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DeviceClose; - DriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DeviceControl; - DriverObject->DriverUnload = DriverUnload; - - KeInitializeGuardedMutex( &mutex ); - - InitCallbackReportQueue(&flag); - - if ( !flag ) - { - IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK ); - IoDeleteDevice( DriverObject->DeviceObject ); - return STATUS_FAILED_DRIVER_ENTRY; - } - OB_CALLBACK_REGISTRATION callback_registration = { 0 }; OB_OPERATION_REGISTRATION operation_registration = { 0 }; 
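Review bot: `ExUnregisterCallback( callback_registration_handle );` in DriverUnload looks like the wrong teardown for the handle the `OB_CALLBACK_REGISTRATION` setup below implies: a registration made with ObRegisterCallbacks is released with `ObUnRegisterCallbacks( callback_registration_handle );`, whereas ExUnregisterCallback expects the object returned by ExRegisterCallback (the registration call itself is outside this hunk, so confirm which API produced the handle). Because registration now happens on a separate system thread whose result DriverEntry never sees, the handle can still be NULL when DriverUnload runs, so guard it: `if ( callback_registration_handle ) ObUnRegisterCallbacks( callback_registration_handle );`. The process-creation callback registered in the next hunk is never removed on unload either; add `PsSetCreateProcessNotifyRoutine( ProcessCreateNotifyRoutine, TRUE );` so the kernel is not left holding a pointer into an unloaded image. InitiateDriverCallbacks continues past the end of this hunk.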
@@ -127,12 +82,95 @@ NTSTATUS DriverEntry( if ( !NT_SUCCESS( status ) ) { + DEBUG_ERROR( "failed to launch obregisters with status %x", status ); + return status; + } + + status = PsSetCreateProcessNotifyRoutine( + ProcessCreateNotifyRoutine, + FALSE + ); + + if ( !NT_SUCCESS( status ) ) + DEBUG_ERROR( "Failed to launch ps create notif routines with status %x", status ); + + return status; +} + +NTSTATUS DriverEntry( + _In_ PDRIVER_OBJECT DriverObject, + _In_ PUNICODE_STRING RegistryPath +) +{ + UNREFERENCED_PARAMETER( RegistryPath ); + + BOOLEAN flag; + NTSTATUS status; + HANDLE handle; + + status = IoCreateDevice( + DriverObject, + NULL, + &DEVICE_NAME, + FILE_DEVICE_UNKNOWN, + FILE_DEVICE_SECURE_OPEN, + FALSE, + &DriverObject->DeviceObject + ); + + if ( !NT_SUCCESS( status ) ) + return STATUS_FAILED_DRIVER_ENTRY; + + status = IoCreateSymbolicLink( + &DEVICE_SYMBOLIC_LINK, + &DEVICE_NAME + ); + + if ( !NT_SUCCESS( status ) ) + { + DEBUG_ERROR( "failed to create symbolic link" ); + IoDeleteDevice( DriverObject->DeviceObject ); + return STATUS_FAILED_DRIVER_ENTRY; + } + + DriverObject->MajorFunction[ IRP_MJ_CREATE ] = DeviceCreate; + DriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DeviceClose; + DriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DeviceControl; + DriverObject->DriverUnload = DriverUnload; + + KeInitializeGuardedMutex( &mutex ); + + InitCallbackReportQueue(&flag); + + if ( !flag ) + { + DEBUG_ERROR( "failed to init report queue" ); + IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK ); + IoDeleteDevice( DriverObject->DeviceObject ); + return STATUS_FAILED_DRIVER_ENTRY; + } + + status = PsCreateSystemThread( + &handle, + PROCESS_ALL_ACCESS, + NULL, + NULL, + NULL, + InitiateDriverCallbacks, + NULL + ); + + if ( !NT_SUCCESS( status ) ) + { + DEBUG_ERROR( "failed to launch thread to start tings" ); DeleteCallbackReportQueueHead(); IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK ); IoDeleteDevice( DriverObject->DeviceObject ); return STATUS_FAILED_DRIVER_ENTRY; 
} + ZwClose( handle ); + DEBUG_LOG( "DonnaAC Driver Entry Complete. type: %lx", DriverObject->DeviceObject->DeviceType ); return status; diff --git a/driver/driver.vcxproj b/driver/driver.vcxproj index b91300d..791c378 100644 --- a/driver/driver.vcxproj +++ b/driver/driver.vcxproj @@ -91,6 +91,10 @@ false + + + /INTEGRITYCHECK %(AdditionalOptions) + @@ -99,6 +103,10 @@ false + + + /INTEGRITYCHECK %(AdditionalOptions) + diff --git a/driver/queue.c b/driver/queue.c index f977349..182c630 100644 --- a/driver/queue.c +++ b/driver/queue.c @@ -15,7 +15,7 @@ PQUEUE_HEAD QueueCreate() head->start = NULL; head->entries = 0; - KeInitializeSpinLock( head->lock ); + KeInitializeSpinLock( &head->lock ); return head; } @@ -26,7 +26,7 @@ VOID QueuePush( ) { KIRQL irql = KeGetCurrentIrql(); - KeAcquireSpinLock( Head->lock, &irql ); + KeAcquireSpinLock( &Head->lock, &irql ); PQUEUE_NODE temp = ExAllocatePool2( POOL_FLAG_NON_PAGED, sizeof( QUEUE_NODE ), QUEUE_POOL_TAG ); @@ -36,7 +36,6 @@ VOID QueuePush( Head->entries += 1; temp->data = Data; - temp->lock = Head->lock; if ( Head->end != NULL ) Head->end->next = temp; @@ -47,7 +46,7 @@ VOID QueuePush( Head->start = temp; end: - KeReleaseSpinLock( Head->lock, irql ); + KeReleaseSpinLock( &Head->lock, irql ); } PVOID QueuePop( @@ -55,7 +54,7 @@ PVOID QueuePop( ) { KIRQL irql = KeGetCurrentIrql(); - KeAcquireSpinLock( Head->lock, &irql ); + KeAcquireSpinLock( &Head->lock, &irql ); PVOID data = NULL; PQUEUE_NODE temp = Head->start; @@ -74,6 +73,6 @@ PVOID QueuePop( ExFreePoolWithTag( temp, QUEUE_POOL_TAG ); end: - KeReleaseSpinLock( Head->lock, irql ); + KeReleaseSpinLock( &Head->lock, irql ); return data; } diff --git a/driver/queue.h b/driver/queue.h index 6f0f684..d31b998 100644 --- a/driver/queue.h +++ b/driver/queue.h @@ -8,7 +8,6 @@ typedef struct _QUEUE_NODE { struct _QUEUE_NODE* next; - PKSPIN_LOCK lock; PVOID data; }QUEUE_NODE, *PQUEUE_NODE; 
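Review bot: Moving callback registration onto a system thread discards its outcome: `InitiateDriverCallbacks` returns NTSTATUS but is passed where `PsCreateSystemThread` expects a `KSTART_ROUTINE` (`VOID` taking a `PVOID` context), the status it computes reaches nobody, and DriverEntry reports success even when ObRegisterCallbacks or PsSetCreateProcessNotifyRoutine failed, leaving the device reachable with no protection active. The access mask is also the wrong object's: `THREAD_ALL_ACCESS`, not `PROCESS_ALL_ACCESS`. Both functions run at PASSIVE_LEVEL already, so the simplest fix is to call `InitiateDriverCallbacks()` synchronously, unwind on failure, and drop the `HANDLE handle` local and the `ZwClose( handle )`; if a thread is genuinely needed, the start routine must have the `KSTART_ROUTINE` shape and publish its status somewhere DriverEntry can check before returning. Inside InitiateDriverCallbacks, a failed PsSetCreateProcessNotifyRoutine should also undo the preceding ObRegisterCallbacks registration before returning, otherwise the driver is left half-registered. DriverEntry's closing brace lies beyond this hunk.
```c
    /* … unchanged: device, symbolic link, dispatch table and report-queue setup … */

    status = InitiateDriverCallbacks();

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "failed to register driver callbacks with status %x", status );
        DeleteCallbackReportQueueHead();
        IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
        IoDeleteDevice( DriverObject->DeviceObject );
        return STATUS_FAILED_DRIVER_ENTRY;
    }

    DEBUG_LOG( "DonnaAC Driver Entry Complete. type: %lx", DriverObject->DeviceObject->DeviceType );
    return status;
```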
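Review bot: The queue still has no upper bound visible in any of the queue.c hunks: `Head->entries += 1` and the `ExAllocatePool2` per call in QueuePush mean a burst of handle-open events grows non-paged pool without limit until the user-mode poller (which sleeps 10 s between drains in main.cpp) catches up, so a cap on `Head->entries`, checked before QueuePush allocates, with a counter of dropped reports is worth adding. The `&Head->lock` fixes in QueuePush and QueuePop and the `KSPIN_LOCK` member in queue.h are correct, but with the lock now embedded in `QUEUE_HEAD` and acquired at DISPATCH_LEVEL the head must come from non-paged pool; QueueCreate's allocation is outside the hunk, so confirm the pool type there. Minor: `KIRQL irql = KeGetCurrentIrql();` is a dead initialisation because `KeAcquireSpinLock` writes the previous IRQL into `irql`; `KIRQL irql;` suffices in both functions.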
@@ -17,7 +16,7 @@ typedef struct QUEUE_HEAD { struct _QUEUE_NODE* start; struct _QUEUE_NODE* end; - PKSPIN_LOCK lock; + KSPIN_LOCK lock; INT entries; }QUEUE_HEAD, *PQUEUE_HEAD; diff --git a/user/km/driver.cpp b/user/km/driver.cpp index 152beab..51d145c 100644 --- a/user/km/driver.cpp +++ b/user/km/driver.cpp @@ -176,6 +176,9 @@ void kernelmode::Driver::QueryReportQueue() global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* header = ( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* )buffer; + if ( !header ) + return; + for ( int i = 0; i < header->count; i++ ) { global::report_structures::OPEN_HANDLE_FAILURE_REPORT* report = @@ -183,6 +186,8 @@ void kernelmode::Driver::QueryReportQueue() ( UINT64 )buffer + sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER ) + i * sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT ) ); + std::cout << report->process_id << " " << report->process_name << std::endl; + this->report_interface->ReportViolation( report ); } diff --git a/user/km/kmanager.cpp b/user/km/kmanager.cpp index 21a9fc5..9e2e964 100644 --- a/user/km/kmanager.cpp +++ b/user/km/kmanager.cpp @@ -18,5 +18,5 @@ void kernelmode::KManager::VerifySystemModules() void kernelmode::KManager::MonitorCallbackReports() { - + this->thread_pool->QueueJob( [ this ]() { this->driver_interface->QueryReportQueue(); } ); } diff --git a/user/main.cpp b/user/main.cpp index 8f1f7f7..64233fb 100644 --- a/user/main.cpp +++ b/user/main.cpp @@ -29,7 +29,13 @@ DWORD WINAPI Init(HINSTANCE hinstDLL) kernelmode::KManager kmanager( driver_name, thread_pool, report_interface); //kmanager.RunNmiCallbacks(); - kmanager.VerifySystemModules(); + //kmanager.VerifySystemModules(); + + while ( true ) + { + kmanager.MonitorCallbackReports(); + std::this_thread::sleep_for( std::chrono::seconds( 10 ) ); + } //umanager.ValidateProcessModules(); //umanager.ValidateProcessMemory();
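Review bot: `if ( !header ) return;` only catches a null `buffer`; the loop that follows still trusts `header->count` from the driver-filled buffer, so a count larger than what the IOCTL actually returned (or an uninitialised header if the call failed) makes `report` point past the end of `buffer`. Bound the loop by the byte count DeviceIoControl reported rather than by the header alone, e.g. `i < header->count && i < reports_in_buffer`, where `reports_in_buffer` (placeholder name) is `( bytes_returned - sizeof( header ) ) / sizeof( *report )` computed from the output count obtained earlier in QueryReportQueue, outside this hunk. The `std::cout << report->process_id << " " << report->process_name << std::endl;` added in the second hunk prints a name copied by the driver; only do so if the report struct guarantees NUL termination, and prefer `'\n'` to `std::endl` inside the loop. QueryReportQueue begins before and ends after these hunks.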
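Review bot: `MonitorCallbackReports` queues a job that captures `this` by pointer, and nothing ties the job's lifetime to the `KManager` object; main.cpp builds `kmanager` on the stack of `Init` and calls this every 10 s in an endless loop, so today the object outlives its jobs, but any future exit from that loop lets queued jobs dereference a destroyed manager. Either document the precondition on the method (`// Caller must keep this KManager alive until the thread pool has drained.`) or give the pool a shared handle to the manager. A job is also queued every iteration regardless of whether the previous one finished, so with a multi-thread pool two `QueryReportQueue` calls can run concurrently against the same driver interface; confirm that is safe or skip the enqueue while one is in flight.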
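Review bot: The new `while ( true )` loop in Init has no exit condition and a hard-coded 10 s interval, so the thread running Init can never return and the DLL can never be unloaded cleanly; poll on a stop signal instead (`while ( !g_stop.load() )`, with `g_stop` a placeholder for whatever shutdown flag the host provides) and make the interval a named constant. A 10 s gap between drains also dictates how far the kernel-side report queue can grow between polls, which matters because the driver allocates non-paged pool per report; a shorter interval or a driver-signalled event would shrink that window. `kmanager.VerifySystemModules()` is commented out rather than gated, so module verification is now silently disabled; a flag or a TODO stating why would make that intentional. Init's body continues beyond this hunk.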