break time C:
This commit is contained in:
parent
def96cfdc6
commit
61bc912b90
10 changed files with 108 additions and 4 deletions
|
@ -15,6 +15,15 @@ DRIVER_CONFIG config = { 0 };
|
|||
UNICODE_STRING DEVICE_NAME = RTL_CONSTANT_STRING( L"\\Device\\DonnaAC" );
|
||||
UNICODE_STRING DEVICE_SYMBOLIC_LINK = RTL_CONSTANT_STRING( L"\\??\\DonnaAC" );
|
||||
|
||||
VOID GetDriverName(
|
||||
_In_ LPCSTR* DriverName
|
||||
)
|
||||
{
|
||||
KeAcquireGuardedMutex( &config.lock );
|
||||
*DriverName = config.driver_name;
|
||||
KeReleaseGuardedMutex( &config.lock );
|
||||
}
|
||||
|
||||
VOID ReadInitialisedConfigFlag(
|
||||
_Out_ PBOOLEAN Flag
|
||||
)
|
||||
|
@ -52,6 +61,30 @@ VOID ClearDriverConfigOnProcessTermination()
|
|||
KeReleaseGuardedMutex( &config.lock );
|
||||
}
|
||||
|
||||
VOID TerminateProtectedProcessOnViolation()
|
||||
{
|
||||
NTSTATUS status;
|
||||
ULONG process_id;
|
||||
|
||||
GetProtectedProcessId( &process_id );
|
||||
|
||||
if ( !process_id )
|
||||
{
|
||||
DEBUG_ERROR( "Failed to terminate process as process id is null" );
|
||||
return;
|
||||
}
|
||||
|
||||
status = ZwTerminateProcess( process_id, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "ZwTerminateProcess failed with status %x", status );
|
||||
return;
|
||||
}
|
||||
|
||||
ClearDriverConfigOnProcessTermination();
|
||||
}
|
||||
|
||||
NTSTATUS InitialiseDriverConfigOnProcessLaunch(
|
||||
_In_ PIRP Irp
|
||||
)
|
||||
|
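Review bot: `status = ZwTerminateProcess( process_id, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );` in TerminateProtectedProcessOnViolation passes a process id where the API takes a process HANDLE, so the value will not refer to the intended process and the protected process is not actually terminated on a violation. Open a handle first with ZwOpenProcess on a CLIENT_ID built from process_id, terminate through that handle and ZwClose it; the rewrite is below, with the existing null check and the trailing status check left as they are. Separately, GetDriverName annotates `DriverName` as `_In_` although it writes `*DriverName`, and it hands out a pointer into `config.driver_name` after dropping `config.lock`, so the mutex does not cover the caller's use of the string — `_Out_` plus copying into a caller-supplied buffer while the lock is held would close that gap.
```c
VOID TerminateProtectedProcessOnViolation()
{
    NTSTATUS status;
    ULONG process_id;
    HANDLE process_handle = NULL;
    OBJECT_ATTRIBUTES attributes;
    CLIENT_ID client_id = { 0 };

    GetProtectedProcessId( &process_id );

    /* … unchanged: null process_id check … */

    client_id.UniqueProcess = ( HANDLE )( ULONG_PTR )process_id;
    InitializeObjectAttributes( &attributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL );

    status = ZwOpenProcess( &process_handle, PROCESS_TERMINATE, &attributes, &client_id );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "ZwOpenProcess failed with status %x", status );
        return;
    }

    status = ZwTerminateProcess( process_handle, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );
    ZwClose( process_handle );

    /* … unchanged: NT_SUCCESS check and ClearDriverConfigOnProcessTermination … */
}
```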
|
|
@ -10,6 +10,8 @@ typedef struct _DRIVER_CONFIG
|
|||
BOOLEAN initialised;
|
||||
LONG protected_process_id;
|
||||
PEPROCESS protected_process_eprocess;
|
||||
CHAR driver_name[ 128 ];
|
||||
UNICODE_STRING driver_path;
|
||||
KGUARDED_MUTEX lock;
|
||||
|
||||
}DRIVER_CONFIG, *PDRIVER_CONFIG;
|
||||
|
@ -32,5 +34,8 @@ VOID ReadInitialisedConfigFlag(
|
|||
);
|
||||
|
||||
|
||||
VOID TerminateProtectedProcessOnViolation();
|
||||
|
||||
VOID ClearDriverConfigOnProcessTermination();
|
||||
|
||||
#endif
|
|
@ -1,6 +1,7 @@
|
|||
#include "integrity.h"
|
||||
|
||||
#include "common.h"
|
||||
#include "driver.h"
|
||||
#include "modules.h"
|
||||
|
||||
#include <bcrypt.h>
|
||||
|
@ -60,6 +61,7 @@ NTSTATUS GetModuleInformationByName(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "GetSystemModuleInformation failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -151,7 +153,6 @@ NTSTATUS StoreModuleExecutableRegionsInBuffer(
|
|||
/*
|
||||
* Note: MmCopyMemory will fail on discardable sections.
|
||||
*/
|
||||
|
||||
address.VirtualAddress = section;
|
||||
|
||||
status = MmCopyMemory(
|
||||
|
@ -166,6 +167,7 @@ NTSTATUS StoreModuleExecutableRegionsInBuffer(
|
|||
{
|
||||
DEBUG_ERROR( "MmCopyMemory failed with status %x", status );
|
||||
ExFreePoolWithTag( *Buffer, POOL_TAG_INTEGRITY );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -183,6 +185,7 @@ NTSTATUS StoreModuleExecutableRegionsInBuffer(
|
|||
{
|
||||
DEBUG_ERROR( "MmCopyMemory failed with status %x", status );
|
||||
ExFreePoolWithTag( *Buffer, POOL_TAG_INTEGRITY );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -243,6 +246,7 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "ZwOpenFile failed with statsu %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -252,6 +256,7 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
|
|||
{
|
||||
DEBUG_ERROR( "NTSetInformationProcess failed with status %x", status );
|
||||
ZwClose( file_handle );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -273,6 +278,7 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
|
|||
{
|
||||
DEBUG_ERROR( "ZwCreateSection failed with status %x", status );
|
||||
ZwClose( file_handle );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -300,6 +306,7 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
|
|||
DEBUG_ERROR( "ZwMapViewOfSection failed with status %x", status );
|
||||
ZwClose( file_handle );
|
||||
ZwClose( *SectionHandle );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -347,6 +354,7 @@ NTSTATUS ComputeHashOfBuffer(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "BCryptOpenAlogrithmProvider failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -367,6 +375,7 @@ NTSTATUS ComputeHashOfBuffer(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "BCryptGetProperty failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -388,6 +397,7 @@ NTSTATUS ComputeHashOfBuffer(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "BCryptGetProperty failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -396,6 +406,9 @@ NTSTATUS ComputeHashOfBuffer(
|
|||
if ( !resulting_hash )
|
||||
goto end;
|
||||
|
||||
/*
|
||||
* Here we create our hash object and store it in the hash_object buffer.
|
||||
*/
|
||||
status = BCryptCreateHash(
|
||||
algo_handle,
|
||||
&hash_handle,
|
||||
|
@ -409,6 +422,7 @@ NTSTATUS ComputeHashOfBuffer(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "BCryptCreateHash failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -426,6 +440,7 @@ NTSTATUS ComputeHashOfBuffer(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "BCryptHashData failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -443,6 +458,7 @@ NTSTATUS ComputeHashOfBuffer(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "BCryptFinishHash failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -506,6 +522,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "MapDiskImageIntoVirtualAddressSpace failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -519,13 +536,13 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "StoreModuleExecutableRegionsInBuffer failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse the in-memory module
|
||||
*/
|
||||
|
||||
status = GetModuleInformationByName(
|
||||
&module_info,
|
||||
"driver.sys"
|
||||
|
@ -534,6 +551,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "GetModuleInformationByName failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -547,6 +565,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "StoreModuleExecutableRegionsInBuffe failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -559,6 +578,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
if ( !disk_base || !memory_base || !disk_buffer || !in_memory_buffer )
|
||||
{
|
||||
DEBUG_ERROR( "buffers are null lmao" );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -566,6 +586,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
{
|
||||
/* report or bug check etc. */
|
||||
DEBUG_LOG( "Executable section size differs, LOL" );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -579,6 +600,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "ComputeHashOfBuffer failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
@ -592,21 +614,28 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "ComputeHashOfBuffer failed with status %x", status );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
if ( memory_text_hash_size != disk_text_hash_size )
|
||||
{
|
||||
DEBUG_ERROR( "Error with the hash algorithm, hash sizes are different." );
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
result = RtlCompareMemory( memory_text_hash, disk_text_hash, memory_text_hash_size );
|
||||
result = RtlCompareMemory(
|
||||
memory_text_hash,
|
||||
disk_text_hash,
|
||||
memory_text_hash_size
|
||||
);
|
||||
|
||||
if (result != memory_text_hash_size)
|
||||
{
|
||||
/* report etc. bug check etc. */
|
||||
DEBUG_ERROR( "Text sections are different from each other!!");
|
||||
TerminateProtectedProcessOnViolation();
|
||||
goto end;
|
||||
}
|
||||
|
||||
|
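Review bot: Every failure path in this file now calls TerminateProtectedProcessOnViolation, including paths that mean the check could not run rather than that the image was tampered with — `BCryptOpenAlgorithmProvider`, `BCryptGetProperty`, `BCryptCreateHash`, `ZwOpenFile`, `ZwCreateSection`, `GetSystemModuleInformation`, and `MmCopyMemory`, which the comment at @-151 says fails on discardable sections. An environmental or transient error therefore ends the protected process with STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION exactly as a real mismatch would, and nothing afterwards distinguishes the two. The helpers also terminate and then return a failing status to VerifyInMemoryImageVsDiskImage, which terminates again on that status; if ClearDriverConfigOnProcessTermination clears the protected id as its name suggests, the second call can only log "Failed to terminate process as process id is null". I would keep the terminate call for the two genuine detection outcomes (`Executable section size differs` at @-566 and the RtlCompareMemory mismatch at @-592) and let the other failures propagate their status to the IOCTL handler, where an inconclusive check can be reported on its own. The enclosing functions start and end outside these hunks.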
|
|
@ -14,7 +14,7 @@ NTSTATUS GetDriverImageSize(
|
|||
);
|
||||
|
||||
NTSTATUS VerifyInMemoryImageVsDiskImage(
|
||||
|
||||
//_In_ PIRP Irp
|
||||
);
|
||||
|
||||
NTSTATUS RetrieveInMemoryModuleExecutableSections(
|
||||
|
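Review bot: The prototype of VerifyInMemoryImageVsDiskImage keeps the removed parameter as a comment, `//_In_ PIRP Irp`, leaving an empty parameter list behind. If this header is compiled as C, `NTSTATUS VerifyInMemoryImageVsDiskImage( );` declares a function with unspecified arguments rather than none; write `NTSTATUS VerifyInMemoryImageVsDiskImage( VOID );` and drop the commented-out line. The same applies to the new `VOID TerminateProtectedProcessOnViolation();` and `VOID ClearDriverConfigOnProcessTermination();` declarations in the driver header hunk at @-32,5 +34,8.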
|
|
@ -225,6 +225,15 @@ NTSTATUS DeviceControl(
|
|||
|
||||
break;
|
||||
|
||||
case IOCTL_PERFORM_INTEGRITY_CHECK:
|
||||
|
||||
status = VerifyInMemoryImageVsDiskImage();
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
DEBUG_ERROR( "VerifyInMemoryImageVsDisk failed with status %x", status );
|
||||
|
||||
break;
|
||||
|
||||
default:
|
||||
DEBUG_ERROR( "Invalid IOCTL passed to driver" );
|
||||
break;
|
||||
|
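Review bot: The error text in the new IOCTL_PERFORM_INTEGRITY_CHECK case, `"VerifyInMemoryImageVsDisk failed with status %x"`, names a function that does not exist; the call is to VerifyInMemoryImageVsDiskImage, and a search of the logs for the real name will miss this line. A non-success here also cannot say whether a mismatch was detected or the check simply could not complete, since both arrive as a failing NTSTATUS after the callee has already tried to terminate the process; if the client is meant to tell them apart, this handler is where a distinct status or output value would have to be set. DeviceControl starts and ends outside the hunk.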
|
|
@ -16,6 +16,7 @@
|
|||
#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2010, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define IOCTL_SCAN_FOR_UNLINKED_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2011, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2012, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define IOCTL_PERFORM_INTEGRITY_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2013, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
|
||||
typedef struct _DRIVER_INITIATION_INFORMATION
|
||||
{
|
||||
|
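Review bot: IOCTL_PERFORM_INTEGRITY_CHECK is added here and again, byte-for-byte, in the user-mode header hunk at @-17,6 +17,7 below, as the three neighbouring codes already are. Two hand-maintained copies of a CTL_CODE table drift silently — a mismatched function code just lands in the `default:` branch as "Invalid IOCTL passed to driver" — so the table belongs in one header included by both the driver and the client. This is a point of style rather than a defect in the new line itself.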
|
|
@ -368,6 +368,25 @@ VOID kernelmode::Driver::ScanForUnlinkedProcess()
|
|||
this->report_interface->ServerSend( &report, bytes_returned, SERVER_SEND_MODULE_INTEGRITY_CHECK );
|
||||
}
|
||||
|
||||
VOID kernelmode::Driver::PerformIntegrityCheck()
|
||||
{
|
||||
BOOLEAN status;
|
||||
|
||||
status = DeviceIoControl(
|
||||
this->driver_handle,
|
||||
IOCTL_PERFORM_INTEGRITY_CHECK,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL
|
||||
);
|
||||
|
||||
if ( status == NULL )
|
||||
LOG_ERROR( "Failed to perform integrity check with status %x", status );
|
||||
}
|
||||
|
||||
ULONG kernelmode::Driver::RequestTotalModuleSize()
|
||||
{
|
||||
BOOLEAN status;
|
||||
|
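Review bot: The `DeviceIoControl` call in PerformIntegrityCheck passes NULL for lpBytesReturned while lpOverlapped is also NULL; the Win32 contract requires lpBytesReturned for a synchronous call, so whether it fails or faults on the write-back, the request does not reliably reach the driver. ScanForUnlinkedProcess above already uses a `bytes_returned` local, so follow it: `DWORD bytes_returned = 0;` and pass `&bytes_returned` in place of the seventh NULL. The failure branch then logs `status` itself, which is always 0 on that path; `if ( !status ) LOG_ERROR( "Failed to perform integrity check with error %x", GetLastError() );` reports the actual reason, and `status` would be more naturally a `BOOL` to match the API's return type.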
|
|
@ -17,6 +17,7 @@
|
|||
#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2010, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define IOCTL_SCAN_FOR_UNLINKED_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2011, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2012, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
#define IOCTL_PERFORM_INTEGRITY_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2013, METHOD_BUFFERED, FILE_ANY_ACCESS)
|
||||
|
||||
#define MAX_HANDLE_REPORTS_PER_IRP 10
|
||||
|
||||
|
@ -47,6 +48,7 @@ namespace kernelmode
|
|||
VOID CheckHandleTableEntries();
|
||||
VOID RequestModuleExecutableRegions();
|
||||
VOID ScanForUnlinkedProcess();
|
||||
VOID PerformIntegrityCheck();
|
||||
};
|
||||
|
||||
struct DRIVER_INITIATION_INFORMATION
|
||||
|
|
|
@ -40,3 +40,8 @@ VOID kernelmode::KManager::ScanPoolsForUnlinkedProcesses()
|
|||
{
|
||||
this->thread_pool->QueueJob( [ this ]() { this->driver_interface->ScanForUnlinkedProcess(); } );
|
||||
}
|
||||
|
||||
VOID kernelmode::KManager::PerformIntegrityCheck()
|
||||
{
|
||||
this->thread_pool->QueueJob( [ this ]() { this->driver_interface->PerformIntegrityCheck(); } );
|
||||
}
|
||||
|
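Review bot: PerformIntegrityCheck queues a lambda that captures `this` and dereferences `this->driver_interface` on a pool thread, mirroring ScanPoolsForUnlinkedProcesses above; this is safe only if the thread pool is joined or drained before the KManager (and the Driver it refers to) is destroyed, which this file does not show. A one-line comment on the class stating that requirement — or having the job hold whatever owns `driver_interface` — would make the lifetime contract explicit. The `this` capture itself is consistent with the sibling method, so this is a documentation point rather than a change request.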
|
|
@ -24,6 +24,7 @@ namespace kernelmode
|
|||
VOID EnumerateHandleTables();
|
||||
VOID RequestModuleExecutableRegionsForIntegrityCheck();
|
||||
VOID ScanPoolsForUnlinkedProcesses();
|
||||
VOID PerformIntegrityCheck();
|
||||
};
|
||||
}
|
||||
|
||||
|
|