noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

working but with critical error xD

Browse source
This commit is contained in:
lhodges1 2023-08-21 02:06:21 +10:00
parent 0d853853bf
commit 4f610ffa53
9 changed files with 124 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
driver/callbacks.c
View file

@ -125,13 +125,18 @@ OB_PREOP_CALLBACK_STATUS ObPreOpCallbackRoutine(
LPCSTR process_creator_name = PsGetProcessImageFileName( process_creator ); LPCSTR process_creator_name = PsGetProcessImageFileName( process_creator );
LPCSTR target_process_name = PsGetProcessImageFileName( target_process ); LPCSTR target_process_name = PsGetProcessImageFileName( target_process );
if ( protected_process_id == target_process_id) if ( !strcmp( "notepad.exe", target_process_name) )
{ {
if ( !strcmp( process_creator_name, "lsass.exe" ) || !strcmp( process_creator_name, "csrss.exe" ) ) if ( !strcmp( process_creator_name, "lsass.exe" ) || !strcmp( process_creator_name, "csrss.exe" ) )
{ {
/* We will downgrade these handles later */ /* We will downgrade these handles later */
DEBUG_LOG( "Handles created by CSRSS and LSASS are allowed for now..." ); DEBUG_LOG( "Handles created by CSRSS and LSASS are allowed for now..." );
} }
else if ( target_process == process_creator )
{
DEBUG_LOG( "handles made by NOTEPAD r okay :)" );
/* handles created by the game (notepad) are okay */
}
/* NOTE: try allowing only 1 handle from the proc creator */ /* NOTE: try allowing only 1 handle from the proc creator */
else if ( parent_process_id == process_creator_id ) else if ( parent_process_id == process_creator_id )
{ {

6
driver/callbacks.h
View file

@ -62,4 +62,10 @@ NTSTATUS HandlePeriodicCallbackReportQueue(
_In_ PIRP Irp _In_ PIRP Irp
); );
VOID ProcessCreateNotifyRoutine(
_In_ HANDLE ParentId,
_In_ HANDLE ProcessId,
_In_ BOOLEAN Create
);
#endif #endif

132
driver/driver.c
View file

@ -53,60 +53,15 @@ VOID DriverUnload(
_In_ PDRIVER_OBJECT DriverObject _In_ PDRIVER_OBJECT DriverObject
) )
{ {
ExUnregisterCallback( callback_registration_handle );
IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK ); IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
IoDeleteDevice( DriverObject->DeviceObject ); IoDeleteDevice( DriverObject->DeviceObject );
} }
NTSTATUS DriverEntry( NTSTATUS InitiateDriverCallbacks()
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{ {
UNREFERENCED_PARAMETER( RegistryPath );
BOOLEAN flag;
NTSTATUS status; NTSTATUS status;
status = IoCreateDevice(
DriverObject,
NULL,
&DEVICE_NAME,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&DriverObject->DeviceObject
);
if ( !NT_SUCCESS( status ) )
return STATUS_FAILED_DRIVER_ENTRY;
status = IoCreateSymbolicLink(
&DEVICE_SYMBOLIC_LINK,
&DEVICE_NAME
);
if ( !NT_SUCCESS( status ) )
{
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_FAILED_DRIVER_ENTRY;
}
DriverObject->MajorFunction[ IRP_MJ_CREATE ] = DeviceCreate;
DriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DeviceClose;
DriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DeviceControl;
DriverObject->DriverUnload = DriverUnload;
KeInitializeGuardedMutex( &mutex );
InitCallbackReportQueue(&flag);
if ( !flag )
{
IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_FAILED_DRIVER_ENTRY;
}
OB_CALLBACK_REGISTRATION callback_registration = { 0 }; OB_CALLBACK_REGISTRATION callback_registration = { 0 };
OB_OPERATION_REGISTRATION operation_registration = { 0 }; OB_OPERATION_REGISTRATION operation_registration = { 0 };
@ -127,12 +82,95 @@ NTSTATUS DriverEntry(
if ( !NT_SUCCESS( status ) ) if ( !NT_SUCCESS( status ) )
{ {
DEBUG_ERROR( "failed to launch obregisters with status %x", status );
return status;
}
status = PsSetCreateProcessNotifyRoutine(
ProcessCreateNotifyRoutine,
FALSE
);
if ( !NT_SUCCESS( status ) )
DEBUG_ERROR( "Failed to launch ps create notif routines with status %x", status );
return status;
}
NTSTATUS DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
UNREFERENCED_PARAMETER( RegistryPath );
BOOLEAN flag;
NTSTATUS status;
HANDLE handle;
status = IoCreateDevice(
DriverObject,
NULL,
&DEVICE_NAME,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&DriverObject->DeviceObject
);
if ( !NT_SUCCESS( status ) )
return STATUS_FAILED_DRIVER_ENTRY;
status = IoCreateSymbolicLink(
&DEVICE_SYMBOLIC_LINK,
&DEVICE_NAME
);
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "failed to create symbolic link" );
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_FAILED_DRIVER_ENTRY;
}
DriverObject->MajorFunction[ IRP_MJ_CREATE ] = DeviceCreate;
DriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DeviceClose;
DriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DeviceControl;
DriverObject->DriverUnload = DriverUnload;
KeInitializeGuardedMutex( &mutex );
InitCallbackReportQueue(&flag);
if ( !flag )
{
DEBUG_ERROR( "failed to init report queue" );
IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_FAILED_DRIVER_ENTRY;
}
status = PsCreateSystemThread(
&handle,
PROCESS_ALL_ACCESS,
NULL,
NULL,
NULL,
InitiateDriverCallbacks,
NULL
);
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "failed to launch thread to start tings" );
DeleteCallbackReportQueueHead(); DeleteCallbackReportQueueHead();
IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK ); IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
IoDeleteDevice( DriverObject->DeviceObject ); IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_FAILED_DRIVER_ENTRY; return STATUS_FAILED_DRIVER_ENTRY;
} }
ZwClose( handle );
DEBUG_LOG( "DonnaAC Driver Entry Complete. type: %lx", DriverObject->DeviceObject->DeviceType ); DEBUG_LOG( "DonnaAC Driver Entry Complete. type: %lx", DriverObject->DeviceObject->DeviceType );
return status; return status;

8
driver/driver.vcxproj
View file

@ -91,6 +91,10 @@
<ClCompile> <ClCompile>
<TreatWarningAsError>false</TreatWarningAsError> <TreatWarningAsError>false</TreatWarningAsError>
</ClCompile> </ClCompile>
<Link />
<Link>
<AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
</Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DriverSign> <DriverSign>
@ -99,6 +103,10 @@
<ClCompile> <ClCompile>
<TreatWarningAsError>false</TreatWarningAsError> <TreatWarningAsError>false</TreatWarningAsError>
</ClCompile> </ClCompile>
<Link />
<Link>
<AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
</Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DriverSign> <DriverSign>

11
driver/queue.c
View file

@ -15,7 +15,7 @@ PQUEUE_HEAD QueueCreate()
head->start = NULL; head->start = NULL;
head->entries = 0; head->entries = 0;
KeInitializeSpinLock( head->lock ); KeInitializeSpinLock( &head->lock );
return head; return head;
} }
@ -26,7 +26,7 @@ VOID QueuePush(
) )
{ {
KIRQL irql = KeGetCurrentIrql(); KIRQL irql = KeGetCurrentIrql();
KeAcquireSpinLock( Head->lock, &irql ); KeAcquireSpinLock( &Head->lock, &irql );
PQUEUE_NODE temp = ExAllocatePool2( POOL_FLAG_NON_PAGED, sizeof( QUEUE_NODE ), QUEUE_POOL_TAG ); PQUEUE_NODE temp = ExAllocatePool2( POOL_FLAG_NON_PAGED, sizeof( QUEUE_NODE ), QUEUE_POOL_TAG );
@ -36,7 +36,6 @@ VOID QueuePush(
Head->entries += 1; Head->entries += 1;
temp->data = Data; temp->data = Data;
temp->lock = Head->lock;
if ( Head->end != NULL ) if ( Head->end != NULL )
Head->end->next = temp; Head->end->next = temp;
@ -47,7 +46,7 @@ VOID QueuePush(
Head->start = temp; Head->start = temp;
end: end:
KeReleaseSpinLock( Head->lock, irql ); KeReleaseSpinLock( &Head->lock, irql );
} }
PVOID QueuePop( PVOID QueuePop(
@ -55,7 +54,7 @@ PVOID QueuePop(
) )
{ {
KIRQL irql = KeGetCurrentIrql(); KIRQL irql = KeGetCurrentIrql();
KeAcquireSpinLock( Head->lock, &irql ); KeAcquireSpinLock( &Head->lock, &irql );
PVOID data = NULL; PVOID data = NULL;
PQUEUE_NODE temp = Head->start; PQUEUE_NODE temp = Head->start;
@ -74,6 +73,6 @@ PVOID QueuePop(
ExFreePoolWithTag( temp, QUEUE_POOL_TAG ); ExFreePoolWithTag( temp, QUEUE_POOL_TAG );
end: end:
KeReleaseSpinLock( Head->lock, irql ); KeReleaseSpinLock( &Head->lock, irql );
return data; return data;
} }

3
driver/queue.h
View file

@ -8,7 +8,6 @@
typedef struct _QUEUE_NODE typedef struct _QUEUE_NODE
{ {
struct _QUEUE_NODE* next; struct _QUEUE_NODE* next;
PKSPIN_LOCK lock;
PVOID data; PVOID data;
}QUEUE_NODE, *PQUEUE_NODE; }QUEUE_NODE, *PQUEUE_NODE;
@ -17,7 +16,7 @@ typedef struct QUEUE_HEAD
{ {
struct _QUEUE_NODE* start; struct _QUEUE_NODE* start;
struct _QUEUE_NODE* end; struct _QUEUE_NODE* end;
PKSPIN_LOCK lock; KSPIN_LOCK lock;
INT entries; INT entries;
}QUEUE_HEAD, *PQUEUE_HEAD; }QUEUE_HEAD, *PQUEUE_HEAD;

5
user/km/driver.cpp
View file

@ -176,6 +176,9 @@ void kernelmode::Driver::QueryReportQueue()
global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* header = global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* header =
( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* )buffer; ( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* )buffer;
if ( !header )
return;
for ( int i = 0; i < header->count; i++ ) for ( int i = 0; i < header->count; i++ )
{ {
global::report_structures::OPEN_HANDLE_FAILURE_REPORT* report = global::report_structures::OPEN_HANDLE_FAILURE_REPORT* report =
@ -183,6 +186,8 @@ void kernelmode::Driver::QueryReportQueue()
( UINT64 )buffer + sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER ) + ( UINT64 )buffer + sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER ) +
i * sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT ) ); i * sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT ) );
std::cout << report->process_id << " " << report->process_name << std::endl;
this->report_interface->ReportViolation( report ); this->report_interface->ReportViolation( report );
} }

2
user/km/kmanager.cpp
View file

@ -18,5 +18,5 @@ void kernelmode::KManager::VerifySystemModules()
void kernelmode::KManager::MonitorCallbackReports() void kernelmode::KManager::MonitorCallbackReports()
{ {
this->thread_pool->QueueJob( [ this ]() { this->driver_interface->QueryReportQueue(); } );
} }

8
user/main.cpp
View file

@ -29,7 +29,13 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
kernelmode::KManager kmanager( driver_name, thread_pool, report_interface); kernelmode::KManager kmanager( driver_name, thread_pool, report_interface);
//kmanager.RunNmiCallbacks(); //kmanager.RunNmiCallbacks();
kmanager.VerifySystemModules(); //kmanager.VerifySystemModules();
while ( true )
{
kmanager.MonitorCallbackReports();
std::this_thread::sleep_for( std::chrono::seconds( 10 ) );
}
//umanager.ValidateProcessModules(); //umanager.ValidateProcessModules();
//umanager.ValidateProcessMemory(); //umanager.ValidateProcessMemory();