bed time c:

2024-11-21 22:24:08 +01:00 · 2023-08-30 03:36:58 +10:00 · 2023-08-30 03:36:58 +10:00 · 6e2eff8dd2
commit 6e2eff8dd2
parent 14651d2a78
14 changed files with 211 additions and 11 deletions
--- a/ac.sln
+++ b/ac.sln
@ -9,6 +9,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver", "driver\driver.vcx
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "service", "service\service.csproj", "{6228E9DD-E1EA-45D8-8054-A00FC2D63414}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "server", "server\server.csproj", "{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@ -77,6 +79,22 @@ Global
 		{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release|x64.Build.0 = Release|Any CPU
 		{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release|x86.ActiveCfg = Release|Any CPU
 		{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release|x86.Build.0 = Release|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|ARM64.ActiveCfg = Debug|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|ARM64.Build.0 = Debug|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|x64.Build.0 = Debug|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|x86.Build.0 = Debug|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|Any CPU.Build.0 = Release|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|ARM64.ActiveCfg = Release|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|ARM64.Build.0 = Release|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|x64.ActiveCfg = Release|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|x64.Build.0 = Release|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|x86.ActiveCfg = Release|Any CPU
+		{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
--- a/driver/callbacks.c
+++ b/driver/callbacks.c
@ -1,6 +1,5 @@
 #include "callbacks.h"

-#include "common.h"
 #include "driver.h"

 #include "queue.h"
@ -18,8 +17,6 @@ QUEUE_HEAD head = { 0 };
 */
 KGUARDED_MUTEX mutex;

-UNICODE_STRING OBJECT_TYPE_PROCESS = RTL_CONSTANT_STRING( L"Process" );
-
 VOID InitCallbackReportQueue(
 	_In_ PBOOLEAN Status 
 )
@ -118,8 +115,6 @@ OB_PREOP_CALLBACK_STATUS ObPreOpCallbackRoutine(
 	_In_ POB_PRE_OPERATION_INFORMATION OperationInformation
 )
 {
-	KeAcquireGuardedMutex( &configuration.mutex );
-
 	UNREFERENCED_PARAMETER( RegistrationContext );

 	/* access mask to completely strip permissions */
@ -140,6 +135,8 @@ OB_PREOP_CALLBACK_STATUS ObPreOpCallbackRoutine(
 	LPCSTR process_creator_name;
 	LPCSTR target_process_name;

+	KeAcquireGuardedMutex( &configuration.mutex );
+
 	GetProtectedProcessId( &protected_process_id );

 	process_creator_name = PsGetProcessImageFileName( process_creator );
@ -469,7 +466,7 @@ NTSTATUS InitiateDriverCallbacks()
 	NTSTATUS status;

 	/*
-	* This mutex ensures we don't  unregister our ObRegisterCallbacks while
+	* This mutex ensures we don't unregister our ObRegisterCallbacks while
 	* the callback function is running since this might cause some funny stuff
 	* to happen. Better to be safe then sorry :)
 	*/
--- a/driver/callbacks.h
+++ b/driver/callbacks.h
@ -4,6 +4,7 @@
 #include <ntifs.h>
 #include <wdftypes.h>
 #include <wdf.h>
+#include "common.h"

 #define REPORT_ILLEGAL_HANDLE_OPERATION 70

@ -60,6 +61,14 @@ static const uintptr_t EPROCESS_HANDLE_TABLE_OFFSET = 0x570;
 static const uintptr_t OBJECT_HEADER_SIZE = 0x30;
 static const uintptr_t EPROCESS_PLIST_ENTRY_OFFSET = 0x448;

+static UNICODE_STRING OBJECT_TYPE_PROCESS = RTL_CONSTANT_STRING( L"Process" );
+static UNICODE_STRING OBJECT_TYPE_THREAD = RTL_CONSTANT_STRING( L"Thread" );
+
+VOID NTAPI ExUnlockHandleTableEntry(
+	IN PHANDLE_TABLE HandleTable,
+	IN PHANDLE_TABLE_ENTRY HandleTableEntry
+);
+
 VOID ObPostOpCallbackRoutine(
 	_In_ PVOID RegistrationContext,
 	_In_ POB_POST_OPERATION_INFORMATION OperationInformation
--- a/driver/driver.c
+++ b/driver/driver.c
@ -6,7 +6,7 @@

 #include "hv.h"
 #include "pool.h"
-
+#include "thread.h"
 #include "integrity.h"

 DRIVER_CONFIG config = { 0 };
@ -116,7 +116,7 @@ NTSTATUS DriverEntry(
 		NULL,
 		NULL,
 		NULL,
-		FindUnlinkedProcesses,
+		ValidateKPCRBThreads,
 		NULL
 	);

--- a/driver/driver.vcxproj
+++ b/driver/driver.vcxproj
@ -134,6 +134,7 @@
    <ClCompile Include="modules.c" />
    <ClCompile Include="pool.c" />
    <ClCompile Include="queue.c" />
+    <ClCompile Include="thread.c" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="callbacks.h" />
@ -145,6 +146,7 @@
    <ClInclude Include="modules.h" />
    <ClInclude Include="pool.h" />
    <ClInclude Include="queue.h" />
+    <ClInclude Include="thread.h" />
  </ItemGroup>
  <ItemGroup>
    <MASM Include="asm.asm" />
--- a/driver/driver.vcxproj.filters
+++ b/driver/driver.vcxproj.filters
@ -48,6 +48,9 @@
    <ClCompile Include="pool.c">
      <Filter>Source Files</Filter>
    </ClCompile>
+    <ClCompile Include="thread.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="driver.h">
@ -77,6 +80,9 @@
    <ClInclude Include="pool.h">
      <Filter>Header Files</Filter>
    </ClInclude>
+    <ClInclude Include="thread.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <MASM Include="asm.asm">
--- a/driver/hv.c
+++ b/driver/hv.c
@ -16,7 +16,7 @@
 * for the FYL2XP1 instruction it is a dead giveaway we are running on a 
 * virtualized system.
 * 
-* source: https://secret.club/2020/01/12/battleye-hypervisor-detection.html
+* reference: https://secret.club/2020/01/12/battleye-hypervisor-detection.html
 */

 INT APERFMsrTimingCheck()
--- a/driver/pool.h
+++ b/driver/pool.h
@ -468,4 +468,6 @@ typedef union _PD_ENTRY_LARGE
 #define PAGE_4KB_SHIFT      12
 #define PAGE_4KB_OFFSET(x)  ( x & (~(MAXUINT64 << PAGE_4KB_SHIFT)) )

+PKDDEBUGGER_DATA64 GetGlobalDebuggerData();
+
 #endif
--- a/driver/thread.c
+++ b/driver/thread.c
@ -0,0 +1,57 @@
+#include "thread.h"
+
+#include "pool.h"
+#include "callbacks.h"
+
+/*
+* How this will work:
+* 
+* 1. The KPCRB (processor control block) contains 3 pointers to 3 threads:
+* 
+*		+0x008 CurrentThread    : Ptr64 _KTHREAD
+*		+0x010 NextThread       : Ptr64 _KTHREAD
+*		+0x018 IdleThread       : Ptr64 _KTHREAD
+*
+* 2. These threads are stored in a list that is seperate to the KTHREADs linked list. 
+*    We know this because if you unlink a process, the threads are still scheduled by 
+*	 the OS, meaning the OS has a seperate list that it uses to schedule these threads.
+* 
+* 3. Now from here, we can get thread ID and pass it to PsLookupThreadByThreadId which
+*    takes the thread ID and returns a pointer to the ETHREAD structure. It does this
+*    by indexing the PspCidTable using the TID we pass in. 
+* 
+* What we can potentially observer is that any threads that have been removed from the
+* PspCidTable will return a null ptr from PsLookupThreadById. In addition to this, we
+* can also check if the KTHREAD address referenced in the KPCRB is not in the KTHREAD
+* linked list. Allowing us to find threads removed from both the PspCidTable and the 
+* KTHREAD linked list.
+*/
+
+/*
+* IDEA: we can run a thread on each core to maximise the search, so it would be 3 * num procs
+*/
+
+BOOLEAN HasThreadBeenRemovedFromPspCidTable(
+	_In_ PETHREAD Thread
+)
+{
+	BOOLEAN result = TRUE;
+
+	return result;
+}
+
+BOOLEAN HasThreadBeenRemovedFromEThreadList(
+	_In_ PETHREAD Thread
+)
+{
+	BOOLEAN result = TRUE;
+
+	return result;
+}
+
+NTSTATUS ValidateKPCRBThreads(
+	//_In_ PIRP Irp
+)
+{
+	NTSTATUS status;
+}
--- a/driver/thread.h
+++ b/driver/thread.h
@ -0,0 +1,12 @@
+#ifndef THREAD_H
+#define THREAD_H
+
+#include <ntifs.h>
+
+#include  "common.h"
+
+NTSTATUS ValidateKPCRBThreads(
+	//_In_ PIRP Irp
+);
+
+#endif
--- a/server/Program.cs
+++ b/server/Program.cs
@ -0,0 +1,44 @@
+using System.Net;
+using System.Net.Sockets;
+using System.Reflection.Metadata.Ecma335;
+using System.Text;
+
+namespace server
+{
+    public class Program
+    {
+        public static async Task Main(string[] args)
+        {
+            await Program.Listen();
+        }
+
+        public static async Task Listen()
+        {
+            var ipEndPoint = new IPEndPoint(IPAddress.Any, 8888);
+            TcpListener listener = new(ipEndPoint);
+
+            try
+            {
+                listener.Start();
+
+                using TcpClient handler = await listener.AcceptTcpClientAsync();
+                await using NetworkStream stream = handler.GetStream();
+
+                stream.BeginRead(new byte[1024], 0, 1024, Callback, null);
+
+                var message = $"📅 {DateTime.Now} 🕛";
+                var dateTimeBytes = Encoding.UTF8.GetBytes(message);
+                await stream.WriteAsync(dateTimeBytes);
+            }
+            finally
+            {
+                listener.Stop();
+            }
+        }
+
+        public static void Callback(IAsyncResult ar)
+        {
+            Console.WriteLine("Is ocmpleted: {0}", ar.IsCompleted);
+        }
+    }
+}
--- a/server/server.csproj
+++ b/server/server.csproj
@ -0,0 +1,10 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net7.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+</Project>
--- a/service/Client.cs
+++ b/service/Client.cs
@ -0,0 +1,42 @@
+using Microsoft.AspNetCore.Authentication.OAuth.Claims;
+using System.Net;
+using System.Net.Sockets;
+using System.Text;
+using Serilog;
+
+namespace service
+{
+    public class Client
+    {
+        public static async Task SendToServer()
+        {
+            var ipEndPoint = new IPEndPoint(IPAddress.Parse("127.0.0.1"), 8888);
+
+            using TcpClient client = new();
+
+            await client.ConnectAsync(ipEndPoint);
+            await using NetworkStream stream = client.GetStream();
+
+            var testMessage = "Hello from client";
+
+            stream.BeginWrite(Encoding.UTF8.GetBytes(testMessage), 0, testMessage.Length, Callback, null);
+
+            byte[] buffer = new byte[1024];
+            int received = await stream.ReadAsync(buffer);
+
+            var message = Encoding.UTF8.GetString(buffer, 0, received);
+            Console.WriteLine($"Message received: \"{message}\"");
+
+            while (true)
+            {
+
+            }
+        }
+
+        private static void Callback(IAsyncResult ar)
+        {
+            Log.Information("Sent message lolz");
+        }
+
+    }
+}
--- a/service/Program.cs
+++ b/service/Program.cs
@ -6,9 +6,10 @@ namespace service
 {
    public class Program
    {
-        public static void Main(string[] args)
+        public static async Task Main(string[] args)
        {
-            CreateHostBuilder(args).Build().Run();
+            //CreateHostBuilder(args).Build().Run();
+            await Client.SendToServer();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>