readme + some small stuff

README.md

@@ -21,15 +21,13 @@ open source anti cheat (lol) which I made for fun.
 - Driver integrity checks both locally and over server
 - Hypervisor detection
 - HalDispatch and HalPrivateDispatch routine validation
-- Dynamic import resolving 
+- Dynamic import resolving & encryption
+- Malicious PCI device detection via configuration space scanning
 
 # planned features
 
 - Heartbeat
-- optimise stuff 
 - ntoskrnl integrity checks
-- spoofed stack identifier
-- process module inline hook detection (this would include checking whether the hook is valid, as many legimate programs hook user mode modules such as discord, nvidia overlay etc.)
 - cr3 protection 
 - string, packet and other encryption
 - tpm ek extraction

driver/common.h

@@ -227,6 +227,13 @@ typedef struct _ACTIVE_SESSION
         UINT32 session_cookie;
         CHAR   session_aes_key[AES_128_KEY_SIZE];
 
+        struct SESSION_STATISTICS
+        {
+                UINT32 irps_processed;
+                UINT32 report_count;
+                UINT32 heartbeat_count;
+        };
+
         KGUARDED_MUTEX lock;
 
 } ACTIVE_SESSION, *PACTIVE_SESSION;
@@ -236,7 +243,7 @@ typedef struct _ACTIVE_SESSION
 #define INVALID_DRIVER_LIST_HEAD_POOL  'rwar'
 #define INVALID_DRIVER_LIST_ENTRY_POOL 'gaah'
 #define POOL_TAG_APC                   'apcc'
-#define POOL_TAG_HW                   'hwhw'
+#define POOL_TAG_HW                    'hwhw'
 #define POOL_TAG_DPC                   'apcc'
 #define SYSTEM_MODULES_POOL            'halb'
 #define THREAD_DATA_POOL               'doof'

driver/io.c

@@ -246,11 +246,11 @@ IrpQueueDeferReport(_In_ PIRP_QUEUE_HEAD Queue, _In_ PVOID Buffer, _In_ UINT32 B
         KeReleaseSpinLock(&GetIrpQueueHead()->deferred_reports.lock, irql);
 }
 
-/* 
-* takes ownership of the buffer, and regardless of the outcome will free it. 
-* 
-* IMPORTANT: All report buffers must be allocated in non paged memory.
-*/
+/*
+ * takes ownership of the buffer, and regardless of the outcome will free it.
+ *
+ * IMPORTANT: All report buffers must be allocated in non paged memory.
+ */
 NTSTATUS
 IrpQueueCompleteIrp(_In_ PVOID Buffer, _In_ ULONG BufferSize)
 {
@@ -778,12 +778,6 @@ DeviceControl(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
                         DEBUG_ERROR("QueryActiveApcContextsForCompletion failed with status %x",
                                     status);
 
-                // status = HandlePeriodicGlobalReportQueueQuery(Irp);
-
-                // if (!NT_SUCCESS(status))
-                //         DEBUG_ERROR("HandlePeriodicGlobalReportQueueQuery failed with status %x",
-                //                     status);
-
                 break;
 
         case IOCTL_PERFORM_VIRTUALIZATION_CHECK:
@@ -906,8 +900,7 @@ DeviceControl(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
 
                 DEBUG_INFO("IOCTL_REQUEST_HARDWARE_INFORMATION Received");
 
-                PSYSTEM_INFORMATION system_information =
-                    GetDriverConfigSystemInformation(&system_information);
+                PSYSTEM_INFORMATION system_information = GetDriverConfigSystemInformation();
 
                 status = ValidateIrpOutputBuffer(Irp, sizeof(SYSTEM_INFORMATION));
 
@@ -1004,6 +997,8 @@ DeviceControl(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
 
         case IOCTL_INITIATE_SHARED_MAPPING:
 
+                DEBUG_INFO("IOCTL_INITIATE_SHARED_MAPPING Received");
+
                 status = SharedMappingInitialise(Irp);
 
                 if (!NT_SUCCESS(status))
@@ -1013,6 +1008,8 @@ DeviceControl(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
 
         case IOCTL_VALIDATE_PCI_DEVICES:
 
+                DEBUG_INFO("IOCTL_VALIDATE_PCI_DEVICES Received");
+
                 status = ValidatePciDevices();
 
                 if (!NT_SUCCESS(status))
@@ -1040,10 +1037,8 @@ DeviceClose(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
 {
         PAGED_CODE();
         UNREFERENCED_PARAMETER(DeviceObject);
-
         DEBUG_INFO("Handle to driver closed.");
 
-        /* we also lose reports here, so sohuld pass em into the irp before freeing */
         SessionTerminate();
         UnregisterProcessObCallbacks();
         SharedMappingTerminate();
@@ -1056,6 +1051,7 @@ NTSTATUS
 DeviceCreate(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
 {
         PAGED_CODE();
+        UNREFERENCED_PARAMETER(DeviceObject);
         DEBUG_INFO("Handle to driver opened.");
 
         NTSTATUS status = ValidatePciDevices();

driver/session.c

@@ -153,4 +153,28 @@ SessionTerminateProcess()
         }
         /* this wont be needed when procloadstuff is implemented */
         SessionTerminate();
+}
+
+VOID
+SessionIncrementIrpsProcessedCount()
+{
+        ImpKeAcquireGuardedMutex(&GetActiveSession()->lock);
+        GetActiveSession()->irps_processed++;
+        ImpKeReleaseGuardedMutex(&GetActiveSession()->lock);
+}
+
+VOID
+SessionIncrementReportCount()
+{
+        ImpKeAcquireGuardedMutex(&GetActiveSession()->lock);
+        GetActiveSession()->report_count++;
+        ImpKeReleaseGuardedMutex(&GetActiveSession()->lock);
+}
+
+VOID
+SessionIncrementHeartbeatCount()
+{
+        ImpKeAcquireGuardedMutex(&GetActiveSession()->lock);
+        GetActiveSession()->heartbeat_count++;
+        ImpKeReleaseGuardedMutex(&GetActiveSession()->lock);
 }

driver/session.h

@@ -32,4 +32,13 @@ SessionInitialise(_In_ PIRP Irp);
 VOID
 SessionTerminateProcess();
 
+VOID
+SessionIncrementIrpsProcessedCount();
+
+VOID
+SessionIncrementReportCount();
+
+VOID
+SessionIncrementHeartbeatCount();
+
 #endif