LOL

2024-11-21 22:24:08 +01:00 · 2023-09-07 01:33:08 +10:00 · 2023-09-07 01:33:08 +10:00 · 500fd4d6d8
commit 500fd4d6d8
parent 8d4a4d3344
5 changed files with 246 additions and 3 deletions
--- a/driver/common.h
+++ b/driver/common.h
@ -1001,6 +1001,102 @@ typedef struct _RTL_RELATIVE_NAME {
    void* CurDirRef;
 } RTL_RELATIVE_NAME, * PRTL_RELATIVE_NAME;

+typedef struct _STORAGE_DESCRIPTOR_HEADER {
+    ULONG  Version;
+    ULONG  Size;
+} STORAGE_DESCRIPTOR_HEADER, * PSTORAGE_DESCRIPTOR_HEADER;
+
+typedef enum _STORAGE_BUS_TYPE {
+    BusTypeUnknown = 0x00,
+    BusTypeScsi,
+    BusTypeAtapi,
+    BusTypeAta,
+    BusType1394,
+    BusTypeSsa,
+    BusTypeFibre,
+    BusTypeUsb,
+    BusTypeRAID,
+    BusTypeMaxReserved = 0x7F
+} STORAGE_BUS_TYPE, * PSTORAGE_BUS_TYPE;
+
+typedef enum _STORAGE_SET_TYPE {
+    PropertyStandardSet = 0,          // Sets the descriptor
+    PropertyExistsSet,                // Used to test whether the descriptor is supported
+    PropertySetMaxDefined             // use to validate the value
+} STORAGE_SET_TYPE, * PSTORAGE_SET_TYPE;
+
+//
+// define some initial property id's
+//
+
+typedef enum _STORAGE_QUERY_TYPE {
+    PropertyStandardQuery = 0,          // Retrieves the descriptor
+    PropertyExistsQuery,                // Used to test whether the descriptor is supported
+    PropertyMaskQuery,                  // Used to retrieve a mask of writeable fields in the descriptor
+    PropertyQueryMaxDefined     // use to validate the value
+} STORAGE_QUERY_TYPE, * PSTORAGE_QUERY_TYPE;
+
+typedef enum _STORAGE_PROPERTY_ID {
+    StorageDeviceProperty = 0,
+    StorageAdapterProperty,
+    StorageDeviceIdProperty,
+    StorageDeviceUniqueIdProperty,                  // See storduid.h for details
+    StorageDeviceWriteCacheProperty,
+    StorageMiniportProperty,
+    StorageAccessAlignmentProperty,
+    StorageDeviceSeekPenaltyProperty,
+    StorageDeviceTrimProperty,
+    StorageDeviceWriteAggregationProperty,
+    StorageDeviceDeviceTelemetryProperty,
+    StorageDeviceLBProvisioningProperty,
+    StorageDevicePowerProperty,
+    StorageDeviceCopyOffloadProperty,
+    StorageDeviceResiliencyProperty,
+    StorageDeviceMediumProductType,
+    StorageAdapterRpmbProperty,
+    StorageAdapterCryptoProperty,
+    StorageDeviceIoCapabilityProperty = 48,
+    StorageAdapterProtocolSpecificProperty,
+    StorageDeviceProtocolSpecificProperty,
+    StorageAdapterTemperatureProperty,
+    StorageDeviceTemperatureProperty,
+    StorageAdapterPhysicalTopologyProperty,
+    StorageDevicePhysicalTopologyProperty,
+    StorageDeviceAttributesProperty,
+    StorageDeviceManagementStatus,
+    StorageAdapterSerialNumberProperty,
+    StorageDeviceLocationProperty,
+    StorageDeviceNumaProperty,
+    StorageDeviceZonedDeviceProperty,
+    StorageDeviceUnsafeShutdownCount,
+    StorageDeviceEnduranceProperty,
+    StorageDeviceLedStateProperty,
+    StorageDeviceSelfEncryptionProperty = 64,
+    StorageFruIdProperty,
+} STORAGE_PROPERTY_ID, * PSTORAGE_PROPERTY_ID;
+
+typedef struct _STORAGE_PROPERTY_QUERY {
+    STORAGE_PROPERTY_ID  PropertyId;
+    STORAGE_QUERY_TYPE  QueryType;
+    UCHAR  AdditionalParameters[ 1 ];
+} STORAGE_PROPERTY_QUERY, * PSTORAGE_PROPERTY_QUERY;
+
+typedef struct _STORAGE_DEVICE_DESCRIPTOR {
+    ULONG  Version;
+    ULONG  Size;
+    UCHAR  DeviceType;
+    UCHAR  DeviceTypeModifier;
+    BOOLEAN  RemovableMedia;
+    BOOLEAN  CommandQueueing;
+    ULONG  VendorIdOffset;
+    ULONG  ProductIdOffset;
+    ULONG  ProductRevisionOffset;
+    ULONG  SerialNumberOffset;
+    STORAGE_BUS_TYPE  BusType;
+    ULONG  RawPropertiesLength;
+    UCHAR  RawDeviceProperties[ 1 ];
+} STORAGE_DEVICE_DESCRIPTOR, * PSTORAGE_DEVICE_DESCRIPTOR;
+
 NTKERNELAPI
 BOOLEAN
 ExEnumHandleTable(
--- a/driver/driver.c
+++ b/driver/driver.c
@ -236,7 +236,20 @@ NTSTATUS InitialiseDriverConfigOnDriverEntry(
 		return status;
 	}

+	status = GetHardDiskDriveSerialNumber(
+		&driver_config.system_information.drive_0_serial,
+		sizeof( driver_config.system_information.drive_0_serial )
+	);
+
+	if ( !NT_SUCCESS( status ) )
+	{
+		DEBUG_ERROR( "GetHardDiskDriverSerialNumber failed with status %x", status );
+		FreeDriverConfigurationStringBuffers();
+		return status;
+	}
+
 	DEBUG_LOG( "Motherboard serial: %s", driver_config.system_information.motherboard_serial );
+	DEBUG_LOG( "Drive 0 serial: %s", driver_config.system_information.drive_0_serial );

 	return status;
 }
--- a/driver/driver.h
+++ b/driver/driver.h
@ -8,12 +8,16 @@

 #define DRIVER_PATH_MAX_LENGTH 512
 #define MOTHERBOARD_SERIAL_CODE_LENGTH 128
+#define DEVICE_DRIVE_0_SERIAL_CODE_LENGTH 256

 #define POOL_TAG_STRINGS 'strs'

+#define IOCTL_STORAGE_QUERY_PROPERTY 0x002D1400
+
 typedef struct _SYSTEM_INFORMATION
 {
 	CHAR motherboard_serial[ MOTHERBOARD_SERIAL_CODE_LENGTH ];
+	CHAR drive_0_serial[ DEVICE_DRIVE_0_SERIAL_CODE_LENGTH ];

 }SYSTEM_INFORMATION, * PSYSTEM_INFORMATION;

--- a/driver/integrity.c
+++ b/driver/integrity.c
@ -818,7 +818,7 @@ NTSTATUS GetStringAtIndexFromSMBIOSTable(

 NTSTATUS ParseSMBIOSTable(
    _In_ PVOID ConfigMotherboardSerialNumber,
-    _In_ SIZE_T ConfigMotherboardSerialNumberSize
+    _In_ SIZE_T ConfigMotherboardSerialNumberMaxSize
 )
 {
    NTSTATUS status;
@ -882,7 +882,7 @@ NTSTATUS ParseSMBIOSTable(
        smbios_table_header,
        VMWARE_SMBIOS_TABLE_INDEX,
        ConfigMotherboardSerialNumber,
-        ConfigMotherboardSerialNumberSize
+        ConfigMotherboardSerialNumberMaxSize
    );

    if ( !NT_SUCCESS( status ) )
@ -1056,5 +1056,130 @@ end:
    if ( disk_hash )
        ExFreePoolWithTag( disk_hash, POOL_TAG_INTEGRITY );

+    return status;
+}
+
+NTSTATUS GetHardDiskDriveSerialNumber(
+    _In_ PVOID ConfigDrive0Serial,
+    _In_ SIZE_T ConfigDrive0MaxSize
+) 
+{
+    NTSTATUS status;
+    HANDLE handle;
+    OBJECT_ATTRIBUTES attributes;
+    IO_STATUS_BLOCK status_block;
+    STORAGE_PROPERTY_QUERY storage_property = { 0 };
+    STORAGE_DESCRIPTOR_HEADER storage_descriptor_header = { 0 };
+    PSTORAGE_DEVICE_DESCRIPTOR device_descriptor = NULL;
+    UNICODE_STRING physical_drive_path;
+    PCHAR serial_number = NULL;
+    SIZE_T serial_length = NULL;
+
+    RtlInitUnicodeString( &physical_drive_path, L"\\DosDevices\\PhysicalDrive0" );
+
+    InitializeObjectAttributes( 
+        &attributes, 
+        &physical_drive_path,
+        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 
+        NULL, 
+        NULL 
+    );
+
+    status = ZwCreateFile(
+        &handle,
+        GENERIC_READ,
+        &attributes,
+        &status_block,
+        NULL,
+        FILE_ATTRIBUTE_NORMAL,
+        FILE_SHARE_READ | FILE_SHARE_WRITE,
+        FILE_OPEN,
+        FILE_NON_DIRECTORY_FILE,
+        NULL,
+        NULL 
+    );
+
+    if ( !NT_SUCCESS( status ) ) 
+    {
+        DEBUG_LOG( "Open PhysicalDrive0 failed with status %x", status);
+        goto end;
+    }
+
+    storage_property.PropertyId = StorageDeviceProperty;
+    storage_property.QueryType = PropertyStandardQuery;
+
+    status = ZwDeviceIoControlFile(
+        handle,
+        NULL,
+        NULL,
+        NULL,
+        &status_block,
+        IOCTL_STORAGE_QUERY_PROPERTY,
+        &storage_property,
+        sizeof( STORAGE_PROPERTY_QUERY ),
+        &storage_descriptor_header,
+        sizeof( STORAGE_DESCRIPTOR_HEADER ) 
+    );
+
+    if ( !NT_SUCCESS( status ) ) 
+    {
+        DEBUG_LOG( "ZwDeviceIoControlFile first call failed with status %x", status );
+        goto end;
+    }
+
+    device_descriptor = ExAllocatePool2( POOL_FLAG_NON_PAGED, storage_descriptor_header.Size, POOL_TAG_INTEGRITY );
+
+    if ( !device_descriptor ) 
+    {
+        status = STATUS_MEMORY_NOT_ALLOCATED;
+        goto end;
+    }
+
+    status = ZwDeviceIoControlFile(
+        handle,
+        NULL,
+        NULL,
+        NULL,
+        &status_block,
+        IOCTL_STORAGE_QUERY_PROPERTY,
+        &storage_property,
+        sizeof( STORAGE_PROPERTY_QUERY ),
+        device_descriptor,
+        storage_descriptor_header.Size
+    );
+
+    if ( !NT_SUCCESS( status )  ) 
+    {
+        DEBUG_LOG( "ZwDeviceIoControlFile second call failed with status %x", status );
+        goto end;
+    }
+
+    if ( device_descriptor->SerialNumberOffset > 0 ) 
+    {
+        serial_number = ( PCHAR )( ( UINT64 )device_descriptor + device_descriptor->SerialNumberOffset );
+        serial_length = strnlen_s( serial_number, DEVICE_DRIVE_0_SERIAL_CODE_LENGTH ) + 1;
+
+        if ( serial_length > ConfigDrive0MaxSize )
+        {
+            DEBUG_ERROR( "Serial length is greater then config drive 0 buffer size" );
+            status = STATUS_BUFFER_TOO_SMALL;
+            goto end;
+        }
+
+        RtlCopyMemory(
+            ConfigDrive0Serial,
+            serial_number,
+            serial_length
+        );
+    }
+
+end:
+
+    if ( handle )
+        ZwClose( handle );
+
+    if ( device_descriptor )
+        ExFreePoolWithTag( device_descriptor, POOL_TAG_INTEGRITY );
+
    return status;
 }
--- a/driver/integrity.h
+++ b/driver/integrity.h
@ -47,11 +47,16 @@ NTSTATUS RetrieveInMemoryModuleExecutableSections(

 NTSTATUS ParseSMBIOSTable(
 	_In_ PVOID ConfigMotherboardSerialNumber,
-	_In_ SIZE_T ConfigMotherboardSerialNumberSize
+	_In_ SIZE_T ConfigMotherboardSerialMaxNumberSize
 );

 NTSTATUS ValidateProcessLoadedModule(
 	_In_ PIRP Irp
 );

+NTSTATUS GetHardDiskDriveSerialNumber(
+	_In_ PVOID ConfigDrive0Serial,
+	_In_ SIZE_T ConfigDrive0MaxSize
+);
+
 #endif