noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

start working on import encryption. Simple avx xoring atm need 2 learn MORE!

Browse source
This commit is contained in:
lhodges1 2024-01-30 03:31:12 +11:00
parent 034f4dbd20
commit 762fcaebfd
9 changed files with 1578 additions and 272 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
driver/common.h
View file

@ -41,6 +41,7 @@
##__VA_ARGS__)
#define STATIC static
#define INLINE inline
#define MAX_MODULE_PATH 256

1
driver/cpp.hint
View file

@ -7,3 +7,4 @@
#define _In_
#define STATIC
#define VOID
#define INLINE

126
driver/crypt.c
View file

@ -1,22 +1,126 @@
#include "crypt.h"
#include <immintrin.h>
#include "imports.h"
#define TEMP_KEY 0x5a
#define XOR_KEY_1 0x1122334455667788
#define XOR_KEY_2 0x0011223344556677
#define XOR_KEY_3 0x5566778899AABBCC
#define XOR_KEY_4 0x66778899AABBCCDD
VOID
CryptEncryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size)
STATIC
__m256i
CryptGenerateSseXorKey()
{
PCHAR entry = (PCHAR)Buffer;
for (UINT32 index = 0; index < Size; index++)
{
entry[index] ^= TEMP_KEY;
}
return _mm256_set_epi64x(XOR_KEY_1, XOR_KEY_2, XOR_KEY_3, XOR_KEY_4);
}
VOID
CryptDecryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size)
CryptEncryptImportsArray(_In_ PUINT64 Array, _In_ UINT32 Entries)
{
CryptEncryptBufferInPlace(Buffer, Size);
UINT32 block_size = sizeof(__m256i) / sizeof(UINT64);
UINT32 block_count = Entries / block_size;
/*
* Here we break down the import array into blocks of 32 bytes. Each block is loaded into an
* SSE register, xored with the key, and then copied back into the array.
*/
for (UINT32 block_index = 0; block_index < block_count; block_index++)
{
__m256i current_block = {0};
__m256i load_block = {0};
__m256i xored_block = {0};
RtlCopyMemory(&current_block, &Array[block_index * block_size], sizeof(__m256i));
load_block = _mm256_loadu_si256(&current_block);
xored_block = _mm256_xor_si256(load_block, CryptGenerateSseXorKey());
RtlCopyMemory(&Array[block_index * block_size], &xored_block, sizeof(__m256i));
}
}
STATIC
INLINE
__m256i
CryptDecryptImportBlock(_In_ PUINT64 Array, _In_ UINT32 BlockIndex)
{
__m256i load_block = {0};
UINT32 block_size = sizeof(__m256i) / sizeof(UINT64);
RtlCopyMemory(&load_block, &Array[BlockIndex * block_size], sizeof(__m256i));
return _mm256_xor_si256(load_block, CryptGenerateSseXorKey());
}
STATIC
INLINE
VOID
CryptFindContainingBlockForArrayIndex(_In_ UINT32 EntryIndex,
_In_ UINT32 BlockSize,
_Out_ PUINT32 ContainingBlockIndex,
_Out_ PUINT32 BlockSubIndex)
{
UINT32 containing_block = EntryIndex;
UINT32 block_index = 0;
if (EntryIndex < BlockSize)
{
*ContainingBlockIndex = 0;
*BlockSubIndex = EntryIndex;
return;
}
if (EntryIndex == BlockSize)
{
*ContainingBlockIndex = 1;
*BlockSubIndex = 0;
return;
}
while (containing_block % BlockSize != 0)
{
containing_block--;
block_index++;
}
*ContainingBlockIndex = containing_block / BlockSize;
*BlockSubIndex = block_index;
}
UINT64
CryptDecryptImportsArrayEntry(_In_ PUINT64 Array, _In_ UINT32 Entries, _In_ UINT32 EntryIndex)
{
__m256i original_block = {0};
__m128i original_half = {0};
UINT32 block_size = sizeof(__m256i) / sizeof(UINT64);
UINT32 containing_block_index = 0;
UINT32 block_sub_index = 0;
UINT64 pointer = 0;
CryptFindContainingBlockForArrayIndex(
EntryIndex, block_size, &containing_block_index, &block_sub_index);
original_block = CryptDecryptImportBlock(Array, containing_block_index);
if (block_sub_index < 2)
{
original_half = _mm256_extracti128_si256(original_block, 0);
if (block_sub_index < 1)
pointer = _mm_extract_epi64(original_half, 0);
else
pointer = _mm_extract_epi64(original_half, 1);
}
else
{
original_half = _mm256_extracti128_si256(original_block, 1);
if (block_sub_index == 2)
pointer = _mm_extract_epi64(original_half, 0);
else
pointer = _mm_extract_epi64(original_half, 1);
}
return pointer;
}

6
driver/crypt.h
View file

@ -4,9 +4,9 @@
#include "common.h"
VOID
CryptEncryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size);
CryptEncryptImportsArray(_In_ PUINT64 Array, _In_ UINT32 Entries);
VOID
CryptDecryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size);
UINT64
CryptDecryptImportsArrayEntry(_In_ PUINT64 Array, _In_ UINT32 Entries, _In_ UINT32 EntryIndex);
#endif

18
driver/driver.c
View file

@ -11,6 +11,7 @@
#include "integrity.h"
#include "imports.h"
#include "apc.h"
#include "crypt.h"
STATIC
VOID
@ -50,7 +51,7 @@ NTSTATUS
DrvLoadEnableNotifyRoutines();
STATIC
NTSTATUS
VOID
DrvLoadInitialiseObCbConfig();
STATIC
@ -525,6 +526,8 @@ DrvLoadSetupDriverLists()
if (!NT_SUCCESS(status))
{
UnregisterProcessCreateNotifyRoutine();
UnregisterThreadCreateNotifyRoutine();
UnregisterImageLoadNotifyRoutine();
DEBUG_ERROR("InitialiseDriverList failed with status %x", status);
return status;
@ -535,6 +538,7 @@ DrvLoadSetupDriverLists()
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("InitialiseThreadList failed with status %x", status);
UnregisterProcessCreateNotifyRoutine();
UnregisterThreadCreateNotifyRoutine();
UnregisterImageLoadNotifyRoutine();
CleanupDriverListOnDriverUnload();
@ -566,7 +570,7 @@ DrvLoadInitialiseProcessConfig()
}
STATIC
NTSTATUS
VOID
DrvLoadInitialiseObCbConfig()
{
PAGED_CODE();
@ -895,7 +899,9 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
NTSTATUS status = STATUS_UNSUCCESSFUL;
ImpKeInitializeGuardedMutex(&g_DriverConfig->lock);
IrpQueueInitialise();
DrvLoadInitialiseObCbConfig();
g_DriverConfig->unload_in_progress = FALSE;
g_DriverConfig->system_information.virtualised_environment = FALSE;
@ -918,14 +924,6 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
return status;
}
status = DrvLoadInitialiseObCbConfig();
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("AllocateCallbackStructure failed with status %x", status);
return status;
}
status = InitialiseTimerObject(&g_DriverConfig->timer);
if (!NT_SUCCESS(status))

998
driver/imports.c
View file

File diff suppressed because it is too large Load diff

684
driver/imports.h
View file

@ -434,8 +434,8 @@ void (*pKeInitializeAffinityEx)(
typedef
void (*pKeAddProcessorAffinityEx)(
PKAFFINITY_EX affinity,
INT num
PKAFFINITY_EX Affinity,
INT CoreNumber
);
typedef
@ -542,175 +542,535 @@ void (*pRtlFreeUnicodeString)(
// clang-format on
#define OB_DEREFERENCE_OBJECT_INDEX 0
#define PS_LOOKUP_THREAD_BY_THREAD_ID_INDEX 1
#define MM_IS_ADDRESS_VALID_INDEX 2
#define PS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_INDEX 3
#define PS_REMOVE_CREATE_THREAD_NOTIFY_ROUTINE_INDEX 4
#define PS_GET_CURRENT_THREAD_ID_INDEX 5
#define PS_GET_PROCESS_ID_INDEX 6
#define PS_LOOKUP_PROCESS_BY_PROCESS_ID_INDEX 7
#define EX_ENUM_HANDLE_TABLE_INDEX 8
#define OB_GET_OBJECT_TYPE_INDEX 9
#define EXF_UNBLOCK_PUSH_LOCK_INDEX 10
#define PS_GET_PROCESS_IMAGE_FILE_NAME_INDEX 11
#define STRSTR_INDEX 12
#define RTL_INIT_UNICODE_STRING_INDEX 13
#define RTL_QUERY_REGISTRY_VALUES_INDEX 14
#define MM_GET_SYSTEM_ROUTINE_ADDRESS_INDEX 15
#define RTL_UNICODE_STRING_TO_ANSI_STRING_INDEX 16
#define RTL_COPY_UNICODE_STRING_INDEX 17
#define RTL_FREE_ANSI_STRING_INDEX 18
#define KE_INITIALIZE_GUARDED_MUTEX_INDEX 19
#define IO_CREATE_DEVICE_INDEX 20
#define IO_CREATE_SYMBOLIC_LINK_INDEX 21
#define IO_DELETE_DEVICE_INDEX 22
#define IO_DELETE_SYMBOLIC_LINK_INDEX 23
#define OB_REGISTER_CALLBACKS_INDEX 24
#define OB_UNREGISTER_CALLBACKS_INDEX 25
#define PS_SET_CREATE_THREAD_NOTIFY_ROUTINE_INDEX 26
#define KE_REVERT_TO_USER_AFFINITY_THREAD_EX_INDEX 27
#define KE_SET_SYSTEM_AFFINITY_THREAD_EX_INDEX 28
#define STRNLEN_INDEX 29
#define RTL_INIT_ANSI_STRING_INDEX 30
#define RTL_ANSI_STRING_TO_UNICODE_STRING_INDEX 31
#define IO_GET_CURRENT_PROCESS_INDEX 32
#define RTL_GET_VERSION_INDEX 33
#define RTL_COMPARE_MEMORY_INDEX 34
#define EX_GET_SYSTEM_FIRMWARE_TABLE_INDEX 35
#define IO_ALLOCATE_WORK_ITEM_INDEX 36
#define IO_FREE_WORK_ITEM_INDEX 37
#define IO_QUEUE_WORK_ITEM_INDEX 38
#define ZW_OPEN_FILE_INDEX 39
#define ZW_CLOSE_INDEX 40
#define ZW_CREATE_SECTION_INDEX 41
#define ZW_MAP_VIEW_OF_SECTION_INDEX 42
#define ZW_UNMAP_VIEW_OF_SECTION_INDEX 43
#define MM_COPY_MEMORY_INDEX 44
#define ZW_DEVICE_IO_CONTROL_FILE_INDEX 45
#define KE_STACK_ATTACH_PROCESS_INDEX 46
#define KE_UNSTACK_DETACH_PROCESS_INDEX 47
#define KE_WAIT_FOR_SINGLE_OBJECT_INDEX 48
#define PS_CREATE_SYSTEM_THREAD_INDEX 49
#define IOF_COMPLETE_REQUEST_INDEX 50
#define OB_REFERENCE_OBJECT_BY_HANDLE_INDEX 51
#define KE_DELAY_EXECUTION_THREAD_INDEX 52
#define KE_REGISTER_NMI_CALLBACK_INDEX 53
#define KE_DEREGISTER_NMI_CALLBACK_INDEX 54
#define KE_QUERY_ACTIVE_PROCESSOR_COUNT_INDEX 55
#define EX_ACQUIRE_PUSH_LOCK_EXCLUSIVE_EX_INDEX 56
#define EX_RELEASE_PUSH_LOCK_EXCLUSIVE_EX_INDEX 57
#define PS_GET_THREAD_ID_INDEX 58
#define RTL_CAPTURE_STACK_BACK_TRACE_INDEX 59
#define ZW_OPEN_DIRECTORY_OBJECT_INDEX 60
#define KE_INITIALIZE_AFFINITY_EX_INDEX 61
#define KE_ADD_PROCESSOR_AFFINITY_EX_INDEX 62
#define RTL_QUERY_MODULE_INFORMATION_INDEX 63
#define KE_INITIALIZE_APC_INDEX 64
#define KE_INSERT_QUEUE_APC_INDEX 65
#define KE_GENERIC_CALL_DPC_INDEX 66
#define KE_SIGNAL_CALL_DPC_DONE_INDEX 67
#define MM_GET_PHYSICAL_MEMORY_RANGES_EX2_INDEX 68
#define MM_GET_VIRTUAL_FOR_PHYSICAL_INDEX 69
#define OBF_REFERENCE_OBJECT_INDEX 70
#define EX_FREE_POOL_WITH_TAG_INDEX 71
#define EX_ALLOCATE_POOL2_INDEX 72
#define KE_RELEASE_GUARDED_MUTEX_INDEX 73
#define KE_ACQUIRE_GUARDED_MUTEX_INDEX 74
#define DBG_PRINT_EX_INDEX 75
#define RTL_COMPARE_UNICODE_STRING_INDEX 76
#define RTL_FREE_UNICODE_STRING_INDEX 77
#define PS_GET_PROCESS_IMAGE_FILE_NAME_INDEX 78
typedef struct _DRIVER_IMPORTS
{
pObDereferenceObject DrvImpObDereferenceObject;
pIoGetCurrentIrpStackLocation DrvImpIoGetCurrentIrpStackLocation;
pPsLookupThreadByThreadId DrvImpPsLookupThreadByThreadId;
pMmIsAddressValid DrvImpMmIsAddressValid;
pPsSetCreateProcessNotifyRoutine DrvImpPsSetCreateProcessNotifyRoutine;
pObDereferenceObject DrvImpObDereferenceObject;
pPsLookupThreadByThreadId DrvImpPsLookupThreadByThreadId;
pMmIsAddressValid DrvImpMmIsAddressValid;
pPsSetCreateProcessNotifyRoutine DrvImpPsSetCreateProcessNotifyRoutine;
pPsRemoveCreateThreadNotifyRoutine DrvImpPsRemoveCreateThreadNotifyRoutine;
pPsGetCurrentThreadId DrvImpPsGetCurrentThreadId;
pPsGetProcessId DrvImpPsGetProcessId;
pPsLookupProcessByProcessId DrvImpPsLookupProcessByProcessId;
pExEnumHandleTable DrvImpExEnumHandleTable;
pObGetObjectType DrvImpObGetObjectType;
pExfUnblockPushLock DrvImpExfUnblockPushLock;
pPsGetProcessImageFileName DrvImpPsGetProcessImage;
pstrstr DrvImpstrstr;
pRtlInitUnicodeString DrvImpRtlInitUnicodeString;
pRtlQueryRegistryValues DrvImpRtlQueryRegistryValues;
pMmGetSystemRoutineAddress DrvImpMmGetSystemRoutineAddress;
pRtlUnicodeStringToAnsiString DrvImpRtlUnicodeStringToAnsiString;
pRtlCopyUnicodeString DrvImpRtlCopyUnicodeString;
pRtlFreeAnsiString DrvImpRtlFreeAnsiString;
pKeInitializeGuardedMutex DrvImpKeInitializeGuardedMutex;
pIoCreateDevice DrvImpIoCreateDevice;
pIoCreateSymbolicLink DrvImpIoCreateSymbolicLink;
pIoDeleteDevice DrvImpIoDeleteDevice;
pIoDeleteSymbolicLink DrvImpIoDeleteSymbolicLink;
pObRegisterCallbacks DrvImpObRegisterCallbacks;
pObUnRegisterCallbacks DrvImpObUnRegisterCallbacks;
pPsSetCreateThreadNotifyRoutine DrvImpPsSetCreateThreadNotifyRoutine;
pKeRevertToUserAffinityThreadEx DrvImpKeRevertToUserAffinityThreadEx;
pKeSetSystemAffinityThreadEx DrvImpKeSetSystemAffinityThreadEx;
pstrnlen DrvImpstrnlen;
pRtlInitAnsiString DrvImpRtlInitAnsiString;
pRtlAnsiStringToUnicodeString DrvImpRtlAnsiStringToUnicodeString;
pIoGetCurrentProcess DrvImpIoGetCurrentProcess;
pRtlGetVersion DrvImpRtlGetVersion;
pRtlCompareMemory DrvImpRtlCompareMemory;
pExGetSystemFirmwareTable DrvImpExGetSystemFirmwareTable;
pIoAllocateWorkItem DrvImpIoAllocateWorkItem;
pIoFreeWorkItem DrvImpIoFreeWorkItem;
pIoQueueWorkItem DrvImpIoQueueWorkItem;
pZwOpenFile DrvImpZwOpenFile;
pZwClose DrvImpZwClose;
pZwCreateSection DrvImpZwCreateSection;
pZwMapViewOfSection DrvImpZwMapViewOfSection;
pZwUnmapViewOfSection DrvImpZwUnmapViewOfSection;
pMmCopyMemory DrvImpMmCopyMemory;
pZwDeviceIoControlFile DrvImpZwDeviceIoControlFile;
pKeStackAttachProcess DrvImpKeStackAttachProcess;
pKeUnstackDetachProcess DrvImpKeUnstackDetachProcess;
pKeWaitForSingleObject DrvImpKeWaitForSingleObject;
pPsCreateSystemThread DrvImpPsCreateSystemThread;
pIofCompleteRequest DrvImpIofCompleteRequest;
pObReferenceObjectByHandle DrvImpObReferenceObjectByHandle;
pKeDelayExecutionThread DrvImpKeDelayExecutionThread;
pKeRegisterNmiCallback DrvImpKeRegisterNmiCallback;
pKeDeregisterNmiCallback DrvImpKeDeregisterNmiCallback;
pKeQueryActiveProcessorCount DrvImpKeQueryActiveProcessorCount;
pExAcquirePushLockExclusiveEx DrvImpExAcquirePushLockExclusiveEx;
pExReleasePushLockExclusiveEx DrvImpExReleasePushLockExclusiveEx;
pPsGetThreadId DrvImpPsGetThreadId;
pRtlCaptureStackBackTrace DrvImpRtlCaptureStackBackTrace;
pZwOpenDirectoryObject DrvImpZwOpenDirectoryObject;
pKeInitializeAffinityEx DrvImpKeInitializeAffinityEx;
pKeAddProcessorAffinityEx DrvImpKeAddProcessorAffinityEx;
pRtlQueryModuleInformation DrvImpRtlQueryModuleInformation;
pKeInitializeApc DrvImpKeInitializeApc;
pKeInsertQueueApc DrvImpKeInsertQueueApc;
pKeGenericCallDpc DrvImpKeGenericCallDpc;
pKeSignalCallDpcDone DrvImpKeSignalCallDpcDone;
pMmGetPhysicalMemoryRangesEx2 DrvImpMmGetPhysicalMemoryRangesEx2;
pMmGetVirtualForPhysical DrvImpMmGetVirtualForPhysical;
pObfReferenceObject DrvImpObfReferenceObject;
pExFreePoolWithTag DrvImpExFreePoolWithTag;
pExAllocatePool2 DrvImpExAllocatePool2;
pKeReleaseGuardedMutex DrvImpKeReleaseGuardedMutex;
pKeAcquireGuardedMutex DrvImpKeAcquireGuardedMutex;
pDbgPrintEx DrvImpDbgPrintEx;
pRtlCompareUnicodeString DrvImpRtlCompareUnicodeString;
pRtlFreeUnicodeString DrvImpRtlFreeUnicodeString;
pPsGetProcessImageFileName DrvImpPsGetProcessImageFileName;
pExEnumHandleTable DrvImpExEnumHandleTable;
pObGetObjectType DrvImpObGetObjectType;
pExfUnblockPushLock DrvImpExfUnblockPushLock;
pPsGetProcessImageFileName DrvImpPsGetProcessImage;
pstrstr DrvImpstrstr;
pRtlInitUnicodeString DrvImpRtlInitUnicodeString;
pRtlQueryRegistryValues DrvImpRtlQueryRegistryValues;
pMmGetSystemRoutineAddress DrvImpMmGetSystemRoutineAddress;
pRtlUnicodeStringToAnsiString DrvImpRtlUnicodeStringToAnsiString;
pRtlCopyUnicodeString DrvImpRtlCopyUnicodeString;
pRtlFreeAnsiString DrvImpRtlFreeAnsiString;
pKeInitializeGuardedMutex DrvImpKeInitializeGuardedMutex;
pIoCreateDevice DrvImpIoCreateDevice;
pIoCreateSymbolicLink DrvImpIoCreateSymbolicLink;
pIoDeleteDevice DrvImpIoDeleteDevice;
pIoDeleteSymbolicLink DrvImpIoDeleteSymbolicLink;
pObRegisterCallbacks DrvImpObRegisterCallbacks;
pObUnRegisterCallbacks DrvImpObUnRegisterCallbacks;
pPsSetCreateThreadNotifyRoutine DrvImpPsSetCreateThreadNotifyRoutine;
pKeRevertToUserAffinityThreadEx DrvImpKeRevertToUserAffinityThreadEx;
pKeSetSystemAffinityThreadEx DrvImpKeSetSystemAffinityThreadEx;
pstrnlen DrvImpstrnlen;
pRtlInitAnsiString DrvImpRtlInitAnsiString;
pRtlAnsiStringToUnicodeString DrvImpRtlAnsiStringToUnicodeString;
pIoGetCurrentProcess DrvImpIoGetCurrentProcess;
pRtlGetVersion DrvImpRtlGetVersion;
pRtlCompareMemory DrvImpRtlCompareMemory;
pExGetSystemFirmwareTable DrvImpExGetSystemFirmwareTable;
pIoAllocateWorkItem DrvImpIoAllocateWorkItem;
pIoFreeWorkItem DrvImpIoFreeWorkItem;
pIoQueueWorkItem DrvImpIoQueueWorkItem;
pZwOpenFile DrvImpZwOpenFile;
pZwClose DrvImpZwClose;
pZwCreateSection DrvImpZwCreateSection;
pZwMapViewOfSection DrvImpZwMapViewOfSection;
pZwUnmapViewOfSection DrvImpZwUnmapViewOfSection;
pMmCopyMemory DrvImpMmCopyMemory;
pZwDeviceIoControlFile DrvImpZwDeviceIoControlFile;
pKeStackAttachProcess DrvImpKeStackAttachProcess;
pKeUnstackDetachProcess DrvImpKeUnstackDetachProcess;
pKeWaitForSingleObject DrvImpKeWaitForSingleObject;
pPsCreateSystemThread DrvImpPsCreateSystemThread;
pIofCompleteRequest DrvImpIofCompleteRequest;
pObReferenceObjectByHandle DrvImpObReferenceObjectByHandle;
pKeDelayExecutionThread DrvImpKeDelayExecutionThread;
pKeRegisterNmiCallback DrvImpKeRegisterNmiCallback;
pKeDeregisterNmiCallback DrvImpKeDeregisterNmiCallback;
pKeQueryActiveProcessorCount DrvImpKeQueryActiveProcessorCount;
pExAcquirePushLockExclusiveEx DrvImpExAcquirePushLockExclusiveEx;
pExReleasePushLockExclusiveEx DrvImpExReleasePushLockExclusiveEx;
pPsGetThreadId DrvImpPsGetThreadId;
pRtlCaptureStackBackTrace DrvImpRtlCaptureStackBackTrace;
pZwOpenDirectoryObject DrvImpZwOpenDirectoryObject;
pKeInitializeAffinityEx DrvImpKeInitializeAffinityEx;
pKeAddProcessorAffinityEx DrvImpKeAddProcessorAffinityEx;
pRtlQueryModuleInformation DrvImpRtlQueryModuleInformation;
pKeInitializeApc DrvImpKeInitializeApc;
pKeInsertQueueApc DrvImpKeInsertQueueApc;
pKeGenericCallDpc DrvImpKeGenericCallDpc;
pKeSignalCallDpcDone DrvImpKeSignalCallDpcDone;
pMmGetPhysicalMemoryRangesEx2 DrvImpMmGetPhysicalMemoryRangesEx2;
pMmGetVirtualForPhysical DrvImpMmGetVirtualForPhysical;
pObfReferenceObject DrvImpObfReferenceObject;
pExFreePoolWithTag DrvImpExFreePoolWithTag;
pExAllocatePool2 DrvImpExAllocatePool2;
pKeReleaseGuardedMutex DrvImpKeReleaseGuardedMutex;
pKeAcquireGuardedMutex DrvImpKeAcquireGuardedMutex;
pDbgPrintEx DrvImpDbgPrintEx;
pRtlCompareUnicodeString DrvImpRtlCompareUnicodeString;
pRtlFreeUnicodeString DrvImpRtlFreeUnicodeString;
pPsGetProcessImageFileName DrvImpPsGetProcessImageFileName;
UINT64 dummy;
} DRIVER_IMPORTS, *PDRIVER_IMPORTS;
extern DRIVER_IMPORTS driver_imports;
#define IMPORTS_LENGTH sizeof(DRIVER_IMPORTS) / sizeof(UINT64)
#define DRVIMPORTS driver_imports
VOID
ImpObDereferenceObject(_In_ PVOID Object);
#define ImpIoGetCurrentIrpStackLocation DRVIMPORTS.DrvImpIoGetCurrentIrpStackLocation
#define ImpObDereferenceObject DRVIMPORTS.DrvImpObDereferenceObject
#define ImpPsLookupThreadByThreadId DRVIMPORTS.DrvImpPsLookupThreadByThreadId
#define ImpMmIsAddressValid DRVIMPORTS.DrvImpMmIsAddressValid
#define ImpPsSetCreateProcessNotifyRoutine DRVIMPORTS.DrvImpPsSetCreateProcessNotifyRoutine
#define ImpPsRemoveCreateThreadNotifyRoutine DRVIMPORTS.DrvImpPsRemoveCreateThreadNotifyRoutine
#define ImpPsGetCurrentThreadId DRVIMPORTS.DrvImpPsGetCurrentThreadId
#define ImpPsGetProcessId DRVIMPORTS.DrvImpPsGetProcessId
#define ImpPsLookupProcessByProcessId DRVIMPORTS.DrvImpPsLookupProcessByProcessId
#define ImpExEnumHandleTable DRVIMPORTS.DrvImpExEnumHandleTable
#define ImpObGetObjectType DRVIMPORTS.DrvImpObGetObjectType
#define ImpExfUnblockPushLock DRVIMPORTS.DrvImpExfUnblockPushLock
#define ImpPsGetProcessImageFileName DRVIMPORTS.DrvImpPsGetProcessImageFileName
#define Impstrstr DRVIMPORTS.DrvImpstrstr
#define ImpRtlInitUnicodeString DRVIMPORTS.DrvImpRtlInitUnicodeString
#define ImpRtlQueryRegistryValues DRVIMPORTS.DrvImpRtlQueryRegistryValues
#define ImpMmGetSystemRoutineAddress DRVIMPORTS.DrvImpMmGetSystemRoutineAddress
#define ImpRtlUnicodeStringToAnsiString DRVIMPORTS.DrvImpRtlUnicodeStringToAnsiString
#define ImpRtlCopyUnicodeString DRVIMPORTS.DrvImpRtlCopyUnicodeString
#define ImpRtlFreeAnsiString DRVIMPORTS.DrvImpRtlFreeAnsiString
#define ImpKeInitializeGuardedMutex DRVIMPORTS.DrvImpKeInitializeGuardedMutex
#define ImpIoCreateDevice DRVIMPORTS.DrvImpIoCreateDevice
#define ImpIoCreateSymbolicLink DRVIMPORTS.DrvImpIoCreateSymbolicLink
#define ImpIoDeleteDevice DRVIMPORTS.DrvImpIoDeleteDevice
#define ImpIoDeleteSymbolicLink DRVIMPORTS.DrvImpIoDeleteSymbolicLink
#define ImpObRegisterCallbacks DRVIMPORTS.DrvImpObRegisterCallbacks
#define ImpObUnRegisterCallbacks DRVIMPORTS.DrvImpObUnRegisterCallbacks
#define ImpPsSetCreateThreadNotifyRoutine DRVIMPORTS.DrvImpPsSetCreateThreadNotifyRoutine
#define ImpPsProcessType DRVIMPORTS.DrvImpPsProcessType
#define ImpKeRevertToUserAffinityThreadEx DRVIMPORTS.DrvImpKeRevertToUserAffinityThreadEx
#define ImpKeSetSystemAffinityThreadEx DRVIMPORTS.DrvImpKeSetSystemAffinityThreadEx
#define Impstrnlen DRVIMPORTS.DrvImpstrnlen
#define ImpRtlInitAnsiString DRVIMPORTS.DrvImpRtlInitAnsiString
#define ImpRtlAnsiStringToUnicodeString DRVIMPORTS.DrvImpRtlAnsiStringToUnicodeString
#define ImpIoGetCurrentProcess DRVIMPORTS.DrvImpIoGetCurrentProcess
#define ImpRtlGetVersion DRVIMPORTS.DrvImpRtlGetVersion
#define ImpRtlCompareMemory DRVIMPORTS.DrvImpRtlCompareMemory
#define ImpExGetSystemFirmwareTable DRVIMPORTS.DrvImpExGetSystemFirmwareTable
#define ImpIoAllocateWorkItem DRVIMPORTS.DrvImpIoAllocateWorkItem
#define ImpIoFreeWorkItem DRVIMPORTS.DrvImpIoFreeWorkItem
#define ImpIoQueueWorkItem DRVIMPORTS.DrvImpIoQueueWorkItem
#define ImpZwOpenFile DRVIMPORTS.DrvImpZwOpenFile
#define ImpZwClose DRVIMPORTS.DrvImpZwClose
#define ImpZwCreateSection DRVIMPORTS.DrvImpZwCreateSection
#define ImpZwMapViewOfSection DRVIMPORTS.DrvImpZwMapViewOfSection
#define ImpZwUnmapViewOfSection DRVIMPORTS.DrvImpZwUnmapViewOfSection
#define ImpMmCopyMemory DRVIMPORTS.DrvImpMmCopyMemory
#define ImpZwDeviceIoControlFile DRVIMPORTS.DrvImpZwDeviceIoControlFile
#define ImpKeStackAttachProcess DRVIMPORTS.DrvImpKeStackAttachProcess
#define ImpKeUnstackDetachProcess DRVIMPORTS.DrvImpKeUnstackDetachProcess
#define ImpKeWaitForSingleObject DRVIMPORTS.DrvImpKeWaitForSingleObject
#define ImpPsCreateSystemThread DRVIMPORTS.DrvImpPsCreateSystemThread
#define ImpIofCompleteRequest DRVIMPORTS.DrvImpIofCompleteRequest
#define ImpObReferenceObjectByHandle DRVIMPORTS.DrvImpObReferenceObjectByHandle
#define ImpPsThreadType DRVIMPORTS.DrvImpPsThreadType
#define ImpKeDelayExecutionThread DRVIMPORTS.DrvImpKeDelayExecutionThread
#define ImpKeRegisterNmiCallback DRVIMPORTS.DrvImpKeRegisterNmiCallback
#define ImpKeDeregisterNmiCallback DRVIMPORTS.DrvImpKeDeregisterNmiCallback
#define ImpKeQueryActiveProcessorCount DRVIMPORTS.DrvImpKeQueryActiveProcessorCount
#define ImpExAcquirePushLockExclusiveEx DRVIMPORTS.DrvImpExAcquirePushLockExclusiveEx
#define ImpExReleasePushLockExclusiveEx DRVIMPORTS.DrvImpExReleasePushLockExclusiveEx
#define ImpPsGetThreadId DRVIMPORTS.DrvImpPsGetThreadId
#define ImpRtlCaptureStackBackTrace DRVIMPORTS.DrvImpRtlCaptureStackBackTrace
#define ImpZwOpenDirectoryObject DRVIMPORTS.DrvImpZwOpenDirectoryObject
#define ImpKeInitializeAffinityEx DRVIMPORTS.DrvImpKeInitializeAffinityEx
#define ImpKeAddProcessorAffinityEx DRVIMPORTS.DrvImpKeAddProcessorAffinityEx
#define ImpRtlQueryModuleInformation DRVIMPORTS.DrvImpRtlQueryModuleInformation
#define ImpKeInitializeApc DRVIMPORTS.DrvImpKeInitializeApc
#define ImpKeInsertQueueApc DRVIMPORTS.DrvImpKeInsertQueueApc
#define ImpKeGenericCallDpc DRVIMPORTS.DrvImpKeGenericCallDpc
#define ImpKeSignalCallDpcDone DRVIMPORTS.DrvImpKeSignalCallDpcDone
#define ImpMmGetPhysicalMemoryRangesEx2 DRVIMPORTS.DrvImpMmGetPhysicalMemoryRangesEx2
#define ImpMmGetVirtualForPhysical DRVIMPORTS.DrvImpMmGetVirtualForPhysical
#define ImpObfReferenceObject DRVIMPORTS.DrvImpObfReferenceObject
#define ImpExFreePoolWithTag DRVIMPORTS.DrvImpExFreePoolWithTag
#define ImpExAllocatePool2 DRVIMPORTS.DrvImpExAllocatePool2
#define ImpKeReleaseGuardedMutex DRVIMPORTS.DrvImpKeReleaseGuardedMutex
#define ImpKeAcquireGuardedMutex DRVIMPORTS.DrvImpKeAcquireGuardedMutex
#define ImpDbgPrintEx DRVIMPORTS.DrvImpDbgPrintEx
#define ImpRtlCompareUnicodeString DRVIMPORTS.DrvImpRtlCompareUnicodeString
#define ImpRtlFreeUnicodeString DRVIMPORTS.DrvImpRtlFreeUnicodeString
#define ImpPsGetProcessImageFileName DRVIMPORTS.DrvImpPsGetProcessImageFileName
NTSTATUS
ImpPsLookupThreadByThreadId(HANDLE ThreadId, PETHREAD* Thread);
BOOLEAN
ImpMmIsAddressValid(_In_ PVOID VirtualAddress);
NTSTATUS
ImpPsSetCreateProcessNotifyRoutine(PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, BOOLEAN Remove);
NTSTATUS
ImpPsRemoveCreateThreadNotifyRoutine(PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);
HANDLE
ImpPsGetCurrentThreadId();
HANDLE
ImpPsGetProcessId(PEPROCESS Process);
NTSTATUS
ImpPsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS* Process);
PVOID
ImpExEnumHandleTable(_In_ PHANDLE_TABLE HandleTable,
_In_ PVOID Callback,
_In_opt_ PVOID Context,
_Out_opt_ PHANDLE Handle);
POBJECT_TYPE
ImpObGetObjectType(_In_ PVOID Object);
VOID
ImpExfUnblockPushLock(_In_ PEX_PUSH_LOCK PushLock, _In_ PVOID WaitBlock);
LPCSTR
ImpPsGetProcessImageFileName(PEPROCESS Process);
INT
ImpStrStr(_In_ CHAR* haystack, _In_ CHAR* needle);
void
ImpRtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString);
NTSTATUS
ImpRtlQueryRegistryValues(ULONG RelativeTo,
PCWSTR Path,
PRTL_QUERY_REGISTRY_TABLE QueryTable,
void* Context,
void* Environment);
void*
ImpMmGetSystemRoutineAddress(PUNICODE_STRING SystemRoutineName);
NTSTATUS
ImpRtlUnicodeStringToAnsiString(PANSI_STRING DestinationString,
PCUNICODE_STRING SourceString,
BOOLEAN AllocateDestinationString);
void
ImpRtlCopyUnicodeString(PUNICODE_STRING DestinationString, PCUNICODE_STRING SourceString);
void
ImpRtlFreeAnsiString(PANSI_STRING AnsiString);
void
ImpKeInitializeGuardedMutex(PKGUARDED_MUTEX GuardedMutex);
NTSTATUS
ImpIoCreateDevice(PDRIVER_OBJECT DriverObject,
ULONG DeviceExtensionSize,
PUNICODE_STRING DeviceName,
DEVICE_TYPE DeviceType,
ULONG DeviceCharacteristics,
BOOLEAN Exclusive,
PDEVICE_OBJECT* DeviceObject);
NTSTATUS
ImpIoCreateSymbolicLink(PUNICODE_STRING SymbolicLinkName, PUNICODE_STRING DeviceName);
void
ImpIoDeleteDevice(PDEVICE_OBJECT DeviceObject);
void
ImpIoDeleteSymbolicLink(PUNICODE_STRING SymbolicLinkName);
NTSTATUS
ImpObRegisterCallbacks(_In_ POB_CALLBACK_REGISTRATION CallbackRegistration,
_Out_ PVOID* RegistrationHandle);
VOID
ImpObUnRegisterCallbacks(_In_ PVOID RegistrationHandle);
NTSTATUS
ImpPsSetCreateThreadNotifyRoutine(PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);
void
ImpKeRevertToUserAffinityThreadEx(KAFFINITY Affinity);
KAFFINITY
ImpKeSetSystemAffinityThreadEx(KAFFINITY Affinity);
SIZE_T
ImpStrnlen(_In_ CHAR* str, _In_ SIZE_T maxCount);
void
ImpRtlInitAnsiString(PANSI_STRING DestinationString, PCSZ SourceString);
NTSTATUS
ImpRtlAnsiStringToUnicodeString(PUNICODE_STRING DestinationString,
PCANSI_STRING SourceString,
BOOLEAN AllocateDestinationString);
PEPROCESS
ImpIoGetCurrentProcess(void);
NTSTATUS
ImpRtlGetVersion(PRTL_OSVERSIONINFOW lpVersionInformation);
SIZE_T
ImpRtlCompareMemory(_In_ PVOID Source1, _In_ PVOID Source2, _In_ SIZE_T Length);
NTSTATUS
ImpExGetSystemFirmwareTable(_In_ ULONG FirmwareTableProviderSignature,
_In_ ULONG FirmwareTableID,
_In_ PVOID pFirmwareTableBuffer,
_In_ ULONG BufferLength,
_Out_ PULONG ReturnLength);
PIO_WORKITEM
ImpIoAllocateWorkItem(PDEVICE_OBJECT DeviceObject);
void
ImpIoFreeWorkItem(PIO_WORKITEM WorkItem);
VOID
ImpIoQueueWorkItem(_In_ PIO_WORKITEM IoWorkItem,
_In_ PIO_WORKITEM_ROUTINE WorkerRoutine,
_In_ WORK_QUEUE_TYPE QueueType,
_In_opt_ PVOID Context);
NTSTATUS
ImpZwOpenFile(PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG ShareAccess,
ULONG OpenOptions);
NTSTATUS
ImpZwClose(HANDLE Handle);
NTSTATUS
ImpZwCreateSection(PHANDLE SectionHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PLARGE_INTEGER MaximumSize,
ULONG SectionPageProtection,
ULONG AllocationAttributes,
HANDLE FileHandle);
NTSTATUS
ImpZwMapViewOfSection(_In_ HANDLE SectionHandle,
_In_ HANDLE ProcessHandle,
_Inout_ PVOID* BaseAddress,
_In_ ULONG_PTR ZeroBits,
_In_ SIZE_T CommitSize,
_Inout_opt_ PLARGE_INTEGER SectionOffset,
_Inout_ PSIZE_T ViewSize,
_In_ SECTION_INHERIT InheritDisposition,
_In_ ULONG AllocationType,
_In_ ULONG Win32Protect);
NTSTATUS
ImpZwUnmapViewOfSection(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress);
NTSTATUS
ImpMmCopyMemory(PVOID TargetAddress,
MM_COPY_ADDRESS SourceAddress,
SIZE_T NumberOfBytes,
ULONG Flags,
PSIZE_T NumberOfBytesTransferred);
NTSTATUS
ImpZwDeviceIoControlFile(_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_In_ ULONG IoControlCode,
_In_opt_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_Out_opt_ PVOID OutputBuffer,
_In_ ULONG OutputBufferLength);
void
ImpKeStackAttachProcess(PRKPROCESS Process, PKAPC_STATE ApcState);
void
ImpKeUnstackDetachProcess(PKAPC_STATE ApcState);
NTSTATUS
ImpKeWaitForSingleObject(_In_ PVOID Object,
_In_ KWAIT_REASON WaitReason,
_In_ KPROCESSOR_MODE WaitMode,
_In_ BOOLEAN Alertable,
_In_ PLARGE_INTEGER Timeout);
NTSTATUS
ImpPsCreateSystemThread(_Out_ PHANDLE ThreadHandle,
_In_ ULONG DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ HANDLE ProcessHandle,
_Out_opt_ PCLIENT_ID ClientId,
_In_ PKSTART_ROUTINE StartRoutine,
_In_opt_ PVOID StartContext);
void
ImpIofCompleteRequest(PIRP Irp, CCHAR PriorityBoost);
NTSTATUS
ImpObReferenceObjectByHandle(_In_ HANDLE Handle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_TYPE ObjectType,
_In_ KPROCESSOR_MODE AccessMode,
_Out_ PVOID* Object,
_Out_opt_ POBJECT_HANDLE_INFORMATION HandleInformation);
NTSTATUS
ImpKeDelayExecutionThread(KPROCESSOR_MODE WaitMode, BOOLEAN Alertable, PLARGE_INTEGER Interval);
PVOID
ImpKeRegisterNmiCallback(_In_ PVOID CallbackRoutine, _In_opt_ PVOID Context);
NTSTATUS
ImpKeDeregisterNmiCallback(_In_ PVOID Handle);
ULONG
ImpKeQueryActiveProcessorCount(PKAFFINITY ActiveProcessors);
void
ImpExAcquirePushLockExclusiveEx(PEX_PUSH_LOCK PushLock, ULONG Flags);
void
ImpExReleasePushLockExclusiveEx(PEX_PUSH_LOCK PushLock, ULONG Flags);
HANDLE
ImpPsGetThreadId(PETHREAD Thread);
USHORT
ImpRtlCaptureStackBackTrace(_In_ ULONG FramesToSkip,
_In_ ULONG FramesToCapture,
_Out_ PVOID* BackTrace,
_Out_opt_ PULONG BackTraceHash);
NTSTATUS
ImpZwOpenDirectoryObject(PHANDLE DirectoryHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes);
void
ImpKeInitializeAffinityEx(PKAFFINITY_EX AffinityMask);
VOID
ImpKeAddProcessorAffinityEx(_In_ PKAFFINITY_EX affinity, _In_ INT num);
NTSTATUS
ImpRtlQueryModuleInformation(_Inout_ ULONG* InformationLength,
_In_ ULONG SizePerModule,
_In_ PVOID InformationBuffer);
VOID
ImpKeInitializeApc(_In_ PKAPC Apc,
_In_ PKTHREAD Thread,
_In_ KAPC_ENVIRONMENT Environment,
_In_ PKKERNEL_ROUTINE KernelRoutine,
_In_ PKRUNDOWN_ROUTINE RundownRoutine,
_In_ PKNORMAL_ROUTINE NormalRoutine,
_In_ KPROCESSOR_MODE ApcMode,
_In_ PVOID NormalContext);
BOOLEAN
ImpKeInsertQueueApc(_In_ PKAPC Apc,
_In_ PVOID SystemArgument1,
_In_ PVOID SystemArgument2,
_In_ KPRIORITY Increment);
VOID
ImpKeGenericCallDpc(_In_ PKDEFERRED_ROUTINE DpcRoutine, _In_ PVOID Context);
VOID
ImpKeSignalCallDpcDone(_In_ PVOID SystemArgument1);
PPHYSICAL_MEMORY_RANGE
ImpMmGetPhysicalMemoryRangesEx2(_In_ PVOID PartitionObject, _In_ ULONG Flags);
void*
ImpMmGetVirtualForPhysical(_In_ PHYSICAL_ADDRESS PhysicalAddress);
LONG_PTR
ImpObfReferenceObject(_In_ PVOID Object);
VOID
ImpExFreePoolWithTag(_In_ PVOID P, _In_ ULONG Tag);
void*
ImpExAllocatePool2(_In_ POOL_FLAGS Flags, _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag);
VOID
ImpKeReleaseGuardedMutex(_In_ PKGUARDED_MUTEX GuardedMutex);
VOID
ImpKeAcquireGuardedMutex(_In_ PKGUARDED_MUTEX GuardedMutex);
ULONG
ImpDbgPrintEx(_In_ ULONG ComponentId, _In_ ULONG Level, _In_ PCSTR Format, ...);
LONG
ImpRtlCompareUnicodeString(_In_ PCUNICODE_STRING String1,
_In_ PCUNICODE_STRING String2,
_In_ BOOLEAN CaseInSensitive);
VOID
ImpRtlFreeUnicodeString(_In_ PUNICODE_STRING UnicodeString);
#endif

10
driver/io.c
View file

@ -270,11 +270,16 @@ IrpQueueFreeDeferredReports()
PIRP_QUEUE_HEAD queue = GetIrpQueueHead();
PDEFERRED_REPORT report = NULL;
/* just in case... */
KeAcquireGuardedMutex(&queue->reports.lock);
while (IrpQueueIsThereDeferredReport(queue))
{
report = IrpQueueRemoveDeferredReport(queue);
ExFreePoolWithTag(report, REPORT_POOL_TAG);
IrpQueueFreeDeferredReport(report);
}
KeReleaseGuardedMutex(&queue->reports.lock);
}
NTSTATUS
@ -450,6 +455,9 @@ SharedMappingTerminate()
{
PSHARED_MAPPING mapping = GetSharedMappingConfig();
if (!mapping->active)
return;
while (mapping->work_item_status)
YieldProcessor();

6
driver/modules.c
View file

@ -1033,7 +1033,10 @@ HandleNmiIOCTL()
NMI_CONTEXT_POOL);
if (!nmi_context)
{
UnsetNmiInProgressFlag();
return STATUS_MEMORY_NOT_ALLOCATED;
}
/*
* We want to register and unregister our callback each time so it becomes harder
@ -1045,6 +1048,7 @@ HandleNmiIOCTL()
{
DEBUG_ERROR("KeRegisterNmiCallback failed with no status.");
ImpExFreePoolWithTag(nmi_context, NMI_CONTEXT_POOL);
UnsetNmiInProgressFlag();
return STATUS_UNSUCCESSFUL;
}
@ -1059,6 +1063,7 @@ HandleNmiIOCTL()
ImpKeDeregisterNmiCallback(callback_handle);
ImpExFreePoolWithTag(nmi_context, NMI_CONTEXT_POOL);
DEBUG_ERROR("Error retriving system module information");
UnsetNmiInProgressFlag();
return status;
}
@ -1070,6 +1075,7 @@ HandleNmiIOCTL()
ImpKeDeregisterNmiCallback(callback_handle);
ImpExFreePoolWithTag(system_modules.address, SYSTEM_MODULES_POOL);
ImpExFreePoolWithTag(nmi_context, NMI_CONTEXT_POOL);
UnsetNmiInProgressFlag();
return status;
}