break time C:

This commit is contained in:
lhodges1 2023-09-01 21:46:31 +10:00
parent def96cfdc6
commit 61bc912b90
10 changed files with 108 additions and 4 deletions


@ -15,6 +15,15 @@ DRIVER_CONFIG config = { 0 };
UNICODE_STRING DEVICE_NAME = RTL_CONSTANT_STRING( L"\\Device\\DonnaAC" );
UNICODE_STRING DEVICE_SYMBOLIC_LINK = RTL_CONSTANT_STRING( L"\\??\\DonnaAC" );
VOID GetDriverName(
_In_ LPCSTR* DriverName
)
{
KeAcquireGuardedMutex( &config.lock );
*DriverName = config.driver_name;
KeReleaseGuardedMutex( &config.lock );
}
VOID ReadInitialisedConfigFlag(
_Out_ PBOOLEAN Flag
)
@ -52,6 +61,30 @@ VOID ClearDriverConfigOnProcessTermination()
KeReleaseGuardedMutex( &config.lock );
}
VOID TerminateProtectedProcessOnViolation()
{
NTSTATUS status;
ULONG process_id;
GetProtectedProcessId( &process_id );
if ( !process_id )
{
DEBUG_ERROR( "Failed to terminate process as process id is null" );
return;
}
status = ZwTerminateProcess( process_id, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "ZwTerminateProcess failed with status %x", status );
return;
}
ClearDriverConfigOnProcessTermination();
}
NTSTATUS InitialiseDriverConfigOnProcessLaunch(
_In_ PIRP Irp
)
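Review bot: `ZwTerminateProcess` takes a process handle, but `TerminateProtectedProcessOnViolation` passes the raw `process_id` value obtained from `GetProtectedProcessId`, so the call will fail with an invalid-handle status — or, since it runs in the IOCTL caller's context, may resolve to an unrelated entry in that process's handle table — and the protected process is never actually terminated. The config already caches `protected_process_eprocess`, so the usual route is `ObOpenObjectByPointer` with `OBJ_KERNEL_HANDLE` and `PROCESS_TERMINATE`, terminate through that handle, then `ZwClose` it; this assumes the stored EPROCESS is kept referenced while the config is populated, which I cannot confirm from this hunk. The struct declares `LONG protected_process_id` while the local here is `ULONG`, so the `GetProtectedProcessId` prototype is worth checking too. Separately, `GetDriverName` writes through its parameter, so the annotation should be `_Out_ LPCSTR* DriverName`, and the pointer it hands back into `config.driver_name` is no longer protected by the guarded mutex once the function returns — document that the caller must not hold it across `ClearDriverConfigOnProcessTermination`.
```c
VOID TerminateProtectedProcessOnViolation()
{
    NTSTATUS status;
    HANDLE process_handle = NULL;
    PEPROCESS process = NULL;

    KeAcquireGuardedMutex( &config.lock );
    process = config.protected_process_eprocess;
    KeReleaseGuardedMutex( &config.lock );

    if ( !process )
    {
        DEBUG_ERROR( "Failed to terminate process as no protected process is registered" );
        return;
    }

    /* ZwTerminateProcess wants a handle, not a PID; open one from the cached EPROCESS. */
    status = ObOpenObjectByPointer(
        process,
        OBJ_KERNEL_HANDLE,
        NULL,
        PROCESS_TERMINATE,
        *PsProcessType,
        KernelMode,
        &process_handle
    );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "ObOpenObjectByPointer failed with status %x", status );
        return;
    }

    status = ZwTerminateProcess( process_handle, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION );
    ZwClose( process_handle );

    if ( !NT_SUCCESS( status ) )
    {
        DEBUG_ERROR( "ZwTerminateProcess failed with status %x", status );
        return;
    }

    ClearDriverConfigOnProcessTermination();
}
```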


@ -10,6 +10,8 @@ typedef struct _DRIVER_CONFIG
BOOLEAN initialised;
LONG protected_process_id;
PEPROCESS protected_process_eprocess;
CHAR driver_name[ 128 ];
UNICODE_STRING driver_path;
KGUARDED_MUTEX lock;
}DRIVER_CONFIG, *PDRIVER_CONFIG;
@ -32,5 +34,8 @@ VOID ReadInitialisedConfigFlag(
);
VOID TerminateProtectedProcessOnViolation();
VOID ClearDriverConfigOnProcessTermination();
#endif
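Review bot: The new declarations `VOID TerminateProtectedProcessOnViolation();` and `VOID ClearDriverConfigOnProcessTermination();` use empty parentheses, which in C declares a function with unspecified arguments rather than none, so a stray argument at a call site would not be diagnosed; write them as `VOID TerminateProtectedProcessOnViolation( VOID );`. The new `CHAR driver_name[ 128 ]` field has no writer in this diff, so wherever it is populated (not visible here) must bound the copy to 127 bytes plus the terminator, because `GetDriverName` hands it out as a NUL-terminated `LPCSTR`. A one-line comment on the field, e.g. `// NUL-terminated; read/write only while holding lock`, would make that contract explicit for the next maintainer.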


@ -1,6 +1,7 @@
#include "integrity.h"
#include "common.h"
#include "driver.h"
#include "modules.h"
#include <bcrypt.h>
@ -60,6 +61,7 @@ NTSTATUS GetModuleInformationByName(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "GetSystemModuleInformation failed with status %x", status );
TerminateProtectedProcessOnViolation();
return status;
}
@ -151,7 +153,6 @@ NTSTATUS StoreModuleExecutableRegionsInBuffer(
/*
* Note: MmCopyMemory will fail on discardable sections.
*/
address.VirtualAddress = section;
status = MmCopyMemory(
@ -166,6 +167,7 @@ NTSTATUS StoreModuleExecutableRegionsInBuffer(
{
DEBUG_ERROR( "MmCopyMemory failed with status %x", status );
ExFreePoolWithTag( *Buffer, POOL_TAG_INTEGRITY );
TerminateProtectedProcessOnViolation();
return status;
}
@ -183,6 +185,7 @@ NTSTATUS StoreModuleExecutableRegionsInBuffer(
{
DEBUG_ERROR( "MmCopyMemory failed with status %x", status );
ExFreePoolWithTag( *Buffer, POOL_TAG_INTEGRITY );
TerminateProtectedProcessOnViolation();
return status;
}
@ -243,6 +246,7 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "ZwOpenFile failed with statsu %x", status );
TerminateProtectedProcessOnViolation();
return status;
}
@ -252,6 +256,7 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
{
DEBUG_ERROR( "NTSetInformationProcess failed with status %x", status );
ZwClose( file_handle );
TerminateProtectedProcessOnViolation();
return status;
}
@ -273,6 +278,7 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
{
DEBUG_ERROR( "ZwCreateSection failed with status %x", status );
ZwClose( file_handle );
TerminateProtectedProcessOnViolation();
return status;
}
@ -300,6 +306,7 @@ NTSTATUS MapDiskImageIntoVirtualAddressSpace(
DEBUG_ERROR( "ZwMapViewOfSection failed with status %x", status );
ZwClose( file_handle );
ZwClose( *SectionHandle );
TerminateProtectedProcessOnViolation();
return status;
}
@ -347,6 +354,7 @@ NTSTATUS ComputeHashOfBuffer(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "BCryptOpenAlogrithmProvider failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -367,6 +375,7 @@ NTSTATUS ComputeHashOfBuffer(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "BCryptGetProperty failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -388,6 +397,7 @@ NTSTATUS ComputeHashOfBuffer(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "BCryptGetProperty failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -396,6 +406,9 @@ NTSTATUS ComputeHashOfBuffer(
if ( !resulting_hash )
goto end;
/*
* Here we create our hash object and store it in the hash_object buffer.
*/
status = BCryptCreateHash(
algo_handle,
&hash_handle,
@ -409,6 +422,7 @@ NTSTATUS ComputeHashOfBuffer(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "BCryptCreateHash failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -426,6 +440,7 @@ NTSTATUS ComputeHashOfBuffer(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "BCryptHashData failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -443,6 +458,7 @@ NTSTATUS ComputeHashOfBuffer(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "BCryptFinishHash failed with status %x", status );
TerminateProtectedProcessOnViolation();
return status;
}
@ -506,6 +522,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "MapDiskImageIntoVirtualAddressSpace failed with status %x", status );
TerminateProtectedProcessOnViolation();
return status;
}
@ -519,13 +536,13 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "StoreModuleExecutableRegionsInBuffer failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
/*
* Parse the in-memory module
*/
status = GetModuleInformationByName(
&module_info,
"driver.sys"
@ -534,6 +551,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "GetModuleInformationByName failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -547,6 +565,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "StoreModuleExecutableRegionsInBuffe failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -559,6 +578,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
if ( !disk_base || !memory_base || !disk_buffer || !in_memory_buffer )
{
DEBUG_ERROR( "buffers are null lmao" );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -566,6 +586,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
{
/* report or bug check etc. */
DEBUG_LOG( "Executable section size differs, LOL" );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -579,6 +600,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "ComputeHashOfBuffer failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
@ -592,21 +614,28 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "ComputeHashOfBuffer failed with status %x", status );
TerminateProtectedProcessOnViolation();
goto end;
}
if ( memory_text_hash_size != disk_text_hash_size )
{
DEBUG_ERROR( "Error with the hash algorithm, hash sizes are different." );
TerminateProtectedProcessOnViolation();
goto end;
}
result = RtlCompareMemory( memory_text_hash, disk_text_hash, memory_text_hash_size );
result = RtlCompareMemory(
memory_text_hash,
disk_text_hash,
memory_text_hash_size
);
if (result != memory_text_hash_size)
{
/* report etc. bug check etc. */
DEBUG_ERROR( "Text sections are different from each other!!");
TerminateProtectedProcessOnViolation();
goto end;
}
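Review bot: `TerminateProtectedProcessOnViolation` is now invoked on every failure path in this file, including ones that are not evidence of tampering — `BCryptOpenAlgorithmProvider` and `BCryptGetProperty` failures, `ZwOpenFile`/`ZwCreateSection`/`ZwMapViewOfSection` failures, `MmCopyMemory` refusing a discardable section — so a transient resource failure inside the checker kills the protected process, and since the check is driven by an IOCTL a user-mode client can issue, that is a self-inflicted denial of service. It also fires twice per failure: `MapDiskImageIntoVirtualAddressSpace`, `StoreModuleExecutableRegionsInBuffer`, `GetModuleInformationByName` and `ComputeHashOfBuffer` each call it before returning, then `VerifyInMemoryImageVsDiskImage` calls it again on the returned status; after the first call clears the config, the second merely logs "Failed to terminate process as process id is null". Keep the termination only where a real mismatch is established (the `Executable section size differs` and `Text sections are different` branches) and let the helpers return their `NTSTATUS` for the top-level caller to report. On the same path, the `BCryptFinishHash` failure branch does `return status` where every sibling does `goto end`, skipping whatever cleanup `end:` performs (the label is outside the hunk).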


@ -14,7 +14,7 @@ NTSTATUS GetDriverImageSize(
);
NTSTATUS VerifyInMemoryImageVsDiskImage(
//_In_ PIRP Irp
);
NTSTATUS RetrieveInMemoryModuleExecutableSections(
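Review bot: Commenting out the `_In_ PIRP Irp` parameter leaves `VerifyInMemoryImageVsDiskImage` declared with empty parentheses, which in C is an unprototyped declaration rather than a zero-argument one, so the compiler will not reject a caller that still passes an IRP. Either delete the dead comment and write `NTSTATUS VerifyInMemoryImageVsDiskImage( VOID );`, or keep the parameter if the plan is to pass the IRP later — a commented-out argument in a public prototype reads as unfinished either way.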


@ -225,6 +225,15 @@ NTSTATUS DeviceControl(
break;
case IOCTL_PERFORM_INTEGRITY_CHECK:
status = VerifyInMemoryImageVsDiskImage();
if ( !NT_SUCCESS( status ) )
DEBUG_ERROR( "VerifyInMemoryImageVsDisk failed with status %x", status );
break;
default:
DEBUG_ERROR( "Invalid IOCTL passed to driver" );
break;
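Review bot: The new `IOCTL_PERFORM_INTEGRITY_CHECK` arm runs the full disk-map-and-hash comparison synchronously in the caller's context without checking that the requester is the registered protected process, and with this commit's integrity.c changes any failure inside it terminates the protected process, so any user-mode client that can open the device can drive it in a loop. `DeviceControl` starts outside the hunk, so if callers are already gated before the switch this is moot; otherwise compare the requestor against the stored protected process id before dispatching. The arm also only logs `status` — I cannot see whether it is written back into the IRP after the switch, but the user-mode side needs to distinguish "check failed" from "check passed", so `Irp->IoStatus.Status = status;` (or the file's equivalent) should be set here if it is not done centrally.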


@ -16,6 +16,7 @@
#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2010, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SCAN_FOR_UNLINKED_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2011, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2012, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PERFORM_INTEGRITY_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2013, METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef struct _DRIVER_INITIATION_INFORMATION
{


@ -368,6 +368,25 @@ VOID kernelmode::Driver::ScanForUnlinkedProcess()
this->report_interface->ServerSend( &report, bytes_returned, SERVER_SEND_MODULE_INTEGRITY_CHECK );
}
VOID kernelmode::Driver::PerformIntegrityCheck()
{
BOOLEAN status;
status = DeviceIoControl(
this->driver_handle,
IOCTL_PERFORM_INTEGRITY_CHECK,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
);
if ( status == NULL )
LOG_ERROR( "Failed to perform integrity check with status %x", status );
}
ULONG kernelmode::Driver::RequestTotalModuleSize()
{
BOOLEAN status;
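Review bot: `PerformIntegrityCheck` passes NULL for `lpBytesReturned` while `lpOverlapped` is also NULL; the documented DeviceIoControl contract is that `lpBytesReturned` cannot be NULL for a synchronous call, so the request may fail or fault before it reaches the driver. The sibling `ScanForUnlinkedProcess` just above already uses a `bytes_returned` local, so do the same here: `DWORD bytes_returned = 0;` and pass `&bytes_returned` in the second-to-last slot. The error branch also prints `status`, which is the BOOL that was just found to be FALSE, so the log will always say 0 — use `LOG_ERROR( "Failed to perform integrity check with error %x", GetLastError() );` and write the test as `if ( !status )` rather than `status == NULL`.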


@ -17,6 +17,7 @@
#define IOCTL_NOTIFY_DRIVER_ON_PROCESS_TERMINATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2010, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SCAN_FOR_UNLINKED_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2011, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2012, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PERFORM_INTEGRITY_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2013, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define MAX_HANDLE_REPORTS_PER_IRP 10
@ -47,6 +48,7 @@ namespace kernelmode
VOID CheckHandleTableEntries();
VOID RequestModuleExecutableRegions();
VOID ScanForUnlinkedProcess();
VOID PerformIntegrityCheck();
};
struct DRIVER_INITIATION_INFORMATION
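Review bot: `IOCTL_PERFORM_INTEGRITY_CHECK` (0x2013) is now defined by hand in both the driver header and this user-mode header, as are the neighbouring codes; a typo on either side silently lands in the driver's `default:` arm, which only logs "Invalid IOCTL passed to driver". Move the CTL_CODE block into one shared header included by both sides, or at minimum annotate each copy, e.g. `// keep in sync with the kernel driver header's IOCTL table`, so the next code added here is not forgotten on the other side.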


@ -40,3 +40,8 @@ VOID kernelmode::KManager::ScanPoolsForUnlinkedProcesses()
{
this->thread_pool->QueueJob( [ this ]() { this->driver_interface->ScanForUnlinkedProcess(); } );
}
VOID kernelmode::KManager::PerformIntegrityCheck()
{
this->thread_pool->QueueJob( [ this ]() { this->driver_interface->PerformIntegrityCheck(); } );
}


@ -24,6 +24,7 @@ namespace kernelmode
VOID EnumerateHandleTables();
VOID RequestModuleExecutableRegionsForIntegrityCheck();
VOID ScanPoolsForUnlinkedProcesses();
VOID PerformIntegrityCheck();
};
}