cleanup integrity check routines

driver/callbacks.c

@@ -458,52 +458,6 @@ end:
         return OB_PREOP_SUCCESS;
 }
 
-// VOID ProcessCreateNotifyRoutine(
-//	_In_ HANDLE ParentId,
-//	_In_ HANDLE ProcessId,
-//	_In_ BOOLEAN Create
-//)
-//{
-//	NTSTATUS status;
-//	PEPROCESS parent_process;
-//	PEPROCESS target_process;
-//	LONG parent_process_id;
-//	LONG target_process_id;
-//	LPCSTR target_process_name = NULL;
-//	LPCSTR parent_process_name = NULL;
-//
-//	status = PsLookupProcessByProcessId( ParentId, &parent_process );
-//
-//	if ( !NT_SUCCESS( status ) )
-//		return;
-//
-//	status = PsLookupProcessByProcessId( ProcessId, &target_process );
-//
-//	if ( !NT_SUCCESS( status ) )
-//		return;
-//
-//	parent_process_name = PsGetProcessImageFileName( parent_process );
-//
-//	if ( !parent_process_name )
-//		return;
-//
-//	target_process_name = PsGetProcessImageFileName( target_process );
-//
-//	if ( !target_process_name )
-//		return;
-//
-//	if ( !strcmp( target_process_name, "notepad.exe") )
-//	{
-//		parent_process_id = PsGetProcessId( parent_process );
-//		UpdateProtectedProcessParentId( parent_process_id );
-//
-//		target_process_id = PsGetProcessId( target_process );
-//		UpdateProtectedProcessId( target_process_id );
-//
-//		DEBUG_LOG( "Protected process parent proc id: %lx", parent_process_id );
-//	}
-// }
-
 /* stolen from ReactOS xD */
 VOID NTAPI
 ExUnlockHandleTableEntry(IN PHANDLE_TABLE HandleTable, IN PHANDLE_TABLE_ENTRY HandleTableEntry)
@@ -557,7 +511,7 @@ EnumHandleCallback(_In_ PHANDLE_TABLE       HandleTable,
                         goto end;
 
                 DEBUG_VERBOSE("Handle references our protected process with access mask: %lx",
-                          (ACCESS_MASK)Entry->GrantedAccessBits);
+                              (ACCESS_MASK)Entry->GrantedAccessBits);
 
                 handle_access_mask = (ACCESS_MASK)Entry->GrantedAccessBits;
 
@@ -704,48 +658,4 @@ EnumerateProcessHandles(_In_ PPROCESS_LIST_ENTRY ProcessListEntry, _In_opt_ PVOI
 #pragma warning(pop)
 
         return STATUS_SUCCESS;
-}
-
-/*
- * I dont think this way of enumerating processes is valid for something like an anti
- * cheat which is mass deployed and needs to ensure that it won't crash the system.
- * Since we have no access to the process structure locks it is definitely not
- * mass deployment safe lol.
- *
- * The Context argument is simply a pointer to a user designed context structure
- * which is passed to the callback function.
- */
-// VOID
-// EnumerateProcessListWithCallbackFunction(
-//	_In_ PVOID Function,
-//	_In_opt_ PVOID Context
-//)
-//{
-//	PAGED_CODE();
-//
-//	UINT64 current_process = 0;
-//	PLIST_ENTRY process_list_head = NULL;
-//	PLIST_ENTRY process_list_entry = NULL;
-//	PEPROCESS base_process = PsInitialSystemProcess;
-//
-//	if (!base_process)
-//		return;
-//
-//	process_list_head = (UINT64)((UINT64)base_process + EPROCESS_PLIST_ENTRY_OFFSET);
-//	process_list_entry = process_list_head;
-//
-//	do
-//	{
-//		current_process = (PEPROCESS)((UINT64)process_list_entry -
-// EPROCESS_PLIST_ENTRY_OFFSET);
-//
-//		if (!current_process)
-//			return;
-//
-//		VOID(*callback_function_ptr)(PEPROCESS, PVOID) = Function;
-//		(*callback_function_ptr)(current_process, Context);
-//
-//		process_list_entry = process_list_entry->Flink;
-//
-//	} while (process_list_entry != process_list_head->Blink);
-// }
+}

driver/common.h

@@ -534,6 +534,8 @@ typedef struct _OBJECT_HEADER
 } OBJECT_HEADER, *POBJECT_HEADER;
 
 #define IMAGE_SCN_MEM_EXECUTE 0x20000000
+#define IMAGE_SCN_MEM_READ    0x40000000
+#define IMAGE_SCN_MEM_WRITE   0x80000000
 
 #define IMAGE_SIZEOF_SHORT_NAME 8
 

driver/driver.c

@@ -950,6 +950,15 @@ DrvUnloadFreeProcessList()
         CleanupProcessListOnDriverUnload();
 }
 
+STATIC
+VOID
+DrvUnloadFreeModuleValidationContext()
+{
+        PAGED_CODE();
+
+        CleanupValidationContextOnUnload(&driver_config.sys_val_context);
+}
+
 STATIC
 VOID
 DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
@@ -966,6 +975,7 @@ DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
         while (DrvUnloadFreeAllApcContextStructures() == FALSE)
                 YieldProcessor();
 
+        DrvUnloadFreeModuleValidationContext();
         DrvUnloadUnregisterObCallbacks();
         DrvUnloadFreeThreadList();
         DrvUnloadFreeProcessList();

driver/integrity.h

@@ -77,11 +77,6 @@ typedef enum _SMBIOS_TABLE_INDEX
 NTSTATUS
 GetDriverImageSize(_Inout_ PIRP Irp);
 
-NTSTATUS
-VerifyInMemoryImageVsDiskImage(
-    //_In_ PIRP Irp
-);
-
 NTSTATUS
 RetrieveInMemoryModuleExecutableSections(_Inout_ PIRP Irp);
 
@@ -123,4 +118,10 @@ GetOsVersionInformation(_Out_ PRTL_OSVERSIONINFOW VersionInfo);
 NTSTATUS
 SystemModuleVerificationDispatcher();
 
+NTSTATUS
+ValidateOurDriverImage();
+
+VOID
+CleanupValidationContextOnUnload(_In_ PSYS_MODULE_VAL_CONTEXT Context);
+
 #endif

driver/ioctl.c

@@ -356,7 +356,7 @@ DeviceControl(_In_ PDRIVER_OBJECT DriverObject, _Inout_ PIRP Irp)
 
                 DEBUG_INFO("IOCTL_PERFORM_INTEGRITY_CHECK Received");
 
-                status = VerifyInMemoryImageVsDiskImage();
+                status = ValidateOurDriverImage();
 
                 if (!NT_SUCCESS(status))
                         DEBUG_ERROR("VerifyInMemoryImageVsDiskImage failed with status %x", status);

user/main.cpp

@@ -76,28 +76,33 @@ Init(HINSTANCE hinstDLL)
 
         srand(time(NULL));
 
-         while (!GetAsyncKeyState(VK_DELETE))
+        while (!GetAsyncKeyState(VK_DELETE))
         {
-                 int seed = (rand() % 11);
+                // int seed = (rand() % 11);
 
-                std::cout << "Seed: " << seed << std::endl;
+                // std::cout << "Seed: " << seed << std::endl;
 
-                switch (seed)
-                {
-                case 0: kmanager.EnumerateHandleTables(); break;
-                case 1: kmanager.PerformIntegrityCheck(); break;
-                case 2: kmanager.ScanPoolsForUnlinkedProcesses(); break;
-                case 3: kmanager.VerifySystemModuleDriverObjects(); break;
-                case 4: kmanager.ValidateProcessModules(); break;
-                case 5: kmanager.RunNmiCallbacks(); break;
-                case 6: kmanager.CheckForAttachedThreads(); break;
-                case 7: kmanager.InitiateApcStackwalkOperation(); break;
-                case 8: kmanager.CheckForEptHooks(); break;
-                case 9: kmanager.StackwalkThreadsViaDpc(); break;
-                case 10: kmanager.ValidateSystemModules(); break;
-                }
+                // switch (seed)
+                //{
+                // case 0: kmanager.EnumerateHandleTables(); break;
+                // case 1: kmanager.PerformIntegrityCheck(); break;
+                // case 2: kmanager.ScanPoolsForUnlinkedProcesses(); break;
+                // case 3: kmanager.VerifySystemModuleDriverObjects(); break;
+                // case 4: kmanager.ValidateProcessModules(); break;
+                // case 5: kmanager.RunNmiCallbacks(); break;
+                // case 6: kmanager.CheckForAttachedThreads(); break;
+                // case 7: kmanager.InitiateApcStackwalkOperation(); break;
+                // case 8: kmanager.CheckForEptHooks(); break;
+                // case 9: kmanager.StackwalkThreadsViaDpc(); break;
+                // case 10: kmanager.ValidateSystemModules(); break;
+                // }
 
-                kmanager.MonitorCallbackReports();
+                kmanager.ValidateSystemModules();
+                std::this_thread::sleep_for(std::chrono::seconds(2));
+                kmanager.PerformIntegrityCheck();
+                std::this_thread::sleep_for(std::chrono::seconds(2));
+                kmanager.ValidateProcessModules();
+                // kmanager.MonitorCallbackReports();
                 std::this_thread::sleep_for(std::chrono::seconds(10));
         }