From 762fcaebfd1b7553d53d3bf735d6f6755a6204c0 Mon Sep 17 00:00:00 2001 From: lhodges1 Date: Tue, 30 Jan 2024 03:31:12 +1100 Subject: [PATCH] start working on import encryption. Simple avx xoring atm need 2 learn MORE! --- driver/common.h | 1 + driver/cpp.hint | 1 + driver/crypt.c | 126 +++++- driver/crypt.h | 6 +- driver/driver.c | 18 +- driver/imports.c | 998 +++++++++++++++++++++++++++++++++++++++++++---- driver/imports.h | 684 ++++++++++++++++++++++++-------- driver/io.c | 10 +- driver/modules.c | 6 + 9 files changed, 1578 insertions(+), 272 deletions(-) diff --git a/driver/common.h b/driver/common.h index b384580..d98e56f 100644 --- a/driver/common.h +++ b/driver/common.h @@ -41,6 +41,7 @@ ##__VA_ARGS__) #define STATIC static +#define INLINE inline #define MAX_MODULE_PATH 256 diff --git a/driver/cpp.hint b/driver/cpp.hint index 8a5fbf7..38e6dc5 100644 --- a/driver/cpp.hint +++ b/driver/cpp.hint @@ -7,3 +7,4 @@ #define _In_ #define STATIC #define VOID +#define INLINE diff --git a/driver/crypt.c b/driver/crypt.c index 2c5ed36..458bd26 100644 --- a/driver/crypt.c +++ b/driver/crypt.c @@ -1,22 +1,126 @@ #include "crypt.h" #include +#include "imports.h" -#define TEMP_KEY 0x5a +#define XOR_KEY_1 0x1122334455667788 +#define XOR_KEY_2 0x0011223344556677 +#define XOR_KEY_3 0x5566778899AABBCC +#define XOR_KEY_4 0x66778899AABBCCDD -VOID -CryptEncryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size) +STATIC +__m256i +CryptGenerateSseXorKey() { - PCHAR entry = (PCHAR)Buffer; - - for (UINT32 index = 0; index < Size; index++) - { - entry[index] ^= TEMP_KEY; - } + return _mm256_set_epi64x(XOR_KEY_1, XOR_KEY_2, XOR_KEY_3, XOR_KEY_4); } VOID -CryptDecryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size) +CryptEncryptImportsArray(_In_ PUINT64 Array, _In_ UINT32 Entries) { - CryptEncryptBufferInPlace(Buffer, Size); + UINT32 block_size = sizeof(__m256i) / sizeof(UINT64); + UINT32 block_count = Entries / block_size; + + /* + * Here we break down the import array into blocks of 32 bytes. Each block is loaded into an + * SSE register, xored with the key, and then copied back into the array. + */ + for (UINT32 block_index = 0; block_index < block_count; block_index++) + { + __m256i current_block = {0}; + __m256i load_block = {0}; + __m256i xored_block = {0}; + + RtlCopyMemory(¤t_block, &Array[block_index * block_size], sizeof(__m256i)); + + load_block = _mm256_loadu_si256(¤t_block); + xored_block = _mm256_xor_si256(load_block, CryptGenerateSseXorKey()); + + RtlCopyMemory(&Array[block_index * block_size], &xored_block, sizeof(__m256i)); + } +} + +STATIC +INLINE +__m256i +CryptDecryptImportBlock(_In_ PUINT64 Array, _In_ UINT32 BlockIndex) +{ + __m256i load_block = {0}; + UINT32 block_size = sizeof(__m256i) / sizeof(UINT64); + + RtlCopyMemory(&load_block, &Array[BlockIndex * block_size], sizeof(__m256i)); + + return _mm256_xor_si256(load_block, CryptGenerateSseXorKey()); +} + +STATIC +INLINE +VOID +CryptFindContainingBlockForArrayIndex(_In_ UINT32 EntryIndex, + _In_ UINT32 BlockSize, + _Out_ PUINT32 ContainingBlockIndex, + _Out_ PUINT32 BlockSubIndex) +{ + UINT32 containing_block = EntryIndex; + UINT32 block_index = 0; + + if (EntryIndex < BlockSize) + { + *ContainingBlockIndex = 0; + *BlockSubIndex = EntryIndex; + return; + } + + if (EntryIndex == BlockSize) + { + *ContainingBlockIndex = 1; + *BlockSubIndex = 0; + return; + } + + while (containing_block % BlockSize != 0) + { + containing_block--; + block_index++; + } + + *ContainingBlockIndex = containing_block / BlockSize; + *BlockSubIndex = block_index; +} + +UINT64 +CryptDecryptImportsArrayEntry(_In_ PUINT64 Array, _In_ UINT32 Entries, _In_ UINT32 EntryIndex) +{ + __m256i original_block = {0}; + __m128i original_half = {0}; + UINT32 block_size = sizeof(__m256i) / sizeof(UINT64); + UINT32 containing_block_index = 0; + UINT32 block_sub_index = 0; + UINT64 pointer = 0; + + CryptFindContainingBlockForArrayIndex( + EntryIndex, block_size, &containing_block_index, &block_sub_index); + + original_block = CryptDecryptImportBlock(Array, containing_block_index); + + if (block_sub_index < 2) + { + original_half = _mm256_extracti128_si256(original_block, 0); + + if (block_sub_index < 1) + pointer = _mm_extract_epi64(original_half, 0); + else + pointer = _mm_extract_epi64(original_half, 1); + } + else + { + original_half = _mm256_extracti128_si256(original_block, 1); + + if (block_sub_index == 2) + pointer = _mm_extract_epi64(original_half, 0); + else + pointer = _mm_extract_epi64(original_half, 1); + } + + return pointer; } \ No newline at end of file diff --git a/driver/crypt.h b/driver/crypt.h index 3990eed..fa87ab2 100644 --- a/driver/crypt.h +++ b/driver/crypt.h @@ -4,9 +4,9 @@ #include "common.h" VOID -CryptEncryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size); +CryptEncryptImportsArray(_In_ PUINT64 Array, _In_ UINT32 Entries); -VOID -CryptDecryptBufferInPlace(_In_ PVOID Buffer, _In_ UINT32 Size); +UINT64 +CryptDecryptImportsArrayEntry(_In_ PUINT64 Array, _In_ UINT32 Entries, _In_ UINT32 EntryIndex); #endif \ No newline at end of file diff --git a/driver/driver.c b/driver/driver.c index e656842..d9105a3 100644 --- a/driver/driver.c +++ b/driver/driver.c @@ -11,6 +11,7 @@ #include "integrity.h" #include "imports.h" #include "apc.h" +#include "crypt.h" STATIC VOID @@ -50,7 +51,7 @@ NTSTATUS DrvLoadEnableNotifyRoutines(); STATIC -NTSTATUS +VOID DrvLoadInitialiseObCbConfig(); STATIC @@ -525,6 +526,8 @@ DrvLoadSetupDriverLists() if (!NT_SUCCESS(status)) { + UnregisterProcessCreateNotifyRoutine(); + UnregisterThreadCreateNotifyRoutine(); UnregisterImageLoadNotifyRoutine(); DEBUG_ERROR("InitialiseDriverList failed with status %x", status); return status; @@ -535,6 +538,7 @@ DrvLoadSetupDriverLists() if (!NT_SUCCESS(status)) { DEBUG_ERROR("InitialiseThreadList failed with status %x", status); + UnregisterProcessCreateNotifyRoutine(); UnregisterThreadCreateNotifyRoutine(); UnregisterImageLoadNotifyRoutine(); CleanupDriverListOnDriverUnload(); @@ -566,7 +570,7 @@ DrvLoadInitialiseProcessConfig() } STATIC -NTSTATUS +VOID DrvLoadInitialiseObCbConfig() { PAGED_CODE(); @@ -895,7 +899,9 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST NTSTATUS status = STATUS_UNSUCCESSFUL; ImpKeInitializeGuardedMutex(&g_DriverConfig->lock); + IrpQueueInitialise(); + DrvLoadInitialiseObCbConfig(); g_DriverConfig->unload_in_progress = FALSE; g_DriverConfig->system_information.virtualised_environment = FALSE; @@ -918,14 +924,6 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST return status; } - status = DrvLoadInitialiseObCbConfig(); - - if (!NT_SUCCESS(status)) - { - DEBUG_ERROR("AllocateCallbackStructure failed with status %x", status); - return status; - } - status = InitialiseTimerObject(&g_DriverConfig->timer); if (!NT_SUCCESS(status)) diff --git a/driver/imports.c b/driver/imports.c index 5e7ec52..91b1b52 100644 --- a/driver/imports.c +++ b/driver/imports.c @@ -2,13 +2,15 @@ #include "common.h" #include "driver.h" +#include "crypt.h" +#include DRIVER_IMPORTS driver_imports = {0}; PVOID FindDriverBaseNoApi(_In_ PDRIVER_OBJECT DriverObject, _In_ PWCH Name) { - PKLDR_DATA_TABLE_ENTRY first = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection; + PKLDR_DATA_TABLE_ENTRY first = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection; /* first entry contains invalid data, 2nd entry is the kernel */ PKLDR_DATA_TABLE_ENTRY entry = @@ -81,11 +83,7 @@ FindNtExport(PDRIVER_OBJECT DriverObject, PCZPSTR ExportName) ordinal = ordinals_table[index]; export_offset = export_addr_table[ordinal]; - target_function_addr = (PVOID)((UINT64)image_base + export_offset); - - DEBUG_VERBOSE("Function: %s, Address: %llx", name, target_function_addr); - return target_function_addr; } @@ -172,86 +170,7 @@ ResolveDynamicImports(_In_ PDRIVER_OBJECT DriverObject) driver_imports.DrvImpRtlCompareUnicodeString = FindNtExport(DriverObject, "RtlCompareUnicodeString"); driver_imports.DrvImpRtlFreeUnicodeString = FindNtExport(DriverObject, "RtlFreeUnicodeString"); driver_imports.DrvImpPsLookupThreadByThreadId = FindNtExport(DriverObject, "PsLookupThreadByThreadId"); - driver_imports.DrvImpMmIsAddressValid = FindNtExport(DriverObject, "MmIsAddressValid"); - - DEBUG_VERBOSE("DrvImpObDereferenceObject); %llx", (UINT64)driver_imports.DrvImpObDereferenceObject); - DEBUG_VERBOSE("DrvImpPsGetProcessImageFileName); %llx", (UINT64)driver_imports.DrvImpPsGetProcessImageFileName); - DEBUG_VERBOSE("DrvImpPsSetCreateProcessNotifyRoutine); %llx", (UINT64)driver_imports.DrvImpPsSetCreateProcessNotifyRoutine); - DEBUG_VERBOSE("DrvImpPsRemoveCreateThreadNotifyRoutine); %llx", (UINT64)driver_imports.DrvImpPsRemoveCreateThreadNotifyRoutine); - DEBUG_VERBOSE("DrvImpPsGetCurrentThreadId); %llx", (UINT64)driver_imports.DrvImpPsGetCurrentThreadId); - DEBUG_VERBOSE("DrvImpPsGetProcessId); %llx", (UINT64)driver_imports.DrvImpPsGetProcessId); - DEBUG_VERBOSE("DrvImpPsLookupProcessByProcessId);%llx", (UINT64)driver_imports.DrvImpPsLookupProcessByProcessId); - DEBUG_VERBOSE("DrvImpExEnumHandleTable);%llx", (UINT64)driver_imports.DrvImpExEnumHandleTable); - DEBUG_VERBOSE("DrvImpObGetObjectType);%llx", (UINT64)driver_imports.DrvImpObGetObjectType); - DEBUG_VERBOSE("DrvImpExfUnblockPushLock);%llx", (UINT64)driver_imports.DrvImpExfUnblockPushLock); - DEBUG_VERBOSE("DrvImpstrstr);%llx", (UINT64)driver_imports.DrvImpstrstr); - DEBUG_VERBOSE("DrvImpRtlInitUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlInitUnicodeString); - DEBUG_VERBOSE("DrvImpMmGetSystemRoutineAddress);%llx", (UINT64)driver_imports.DrvImpMmGetSystemRoutineAddress); - DEBUG_VERBOSE("DrvImpRtlUnicodeStringToAnsiString);%llx", (UINT64)driver_imports.DrvImpRtlUnicodeStringToAnsiString); - DEBUG_VERBOSE("DrvImpRtlCopyUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlCopyUnicodeString); - DEBUG_VERBOSE("DrvImpRtlFreeAnsiString);%llx", (UINT64)driver_imports.DrvImpRtlFreeAnsiString); - DEBUG_VERBOSE("DrvImpKeInitializeGuardedMutex);%llx", (UINT64)driver_imports.DrvImpKeInitializeGuardedMutex); - DEBUG_VERBOSE("DrvImpIoCreateDevice);%llx", (UINT64)driver_imports.DrvImpIoCreateDevice); - DEBUG_VERBOSE("DrvImpIoCreateSymbolicLink);%llx", (UINT64)driver_imports.DrvImpIoCreateSymbolicLink); - DEBUG_VERBOSE("DrvImpIoDeleteDevice);%llx", (UINT64)driver_imports.DrvImpIoDeleteDevice); - DEBUG_VERBOSE("DrvImpIoDeleteSymbolicLink);%llx", (UINT64)driver_imports.DrvImpIoDeleteSymbolicLink); - DEBUG_VERBOSE("DrvImpObRegisterCallbacks);%llx", (UINT64)driver_imports.DrvImpObRegisterCallbacks); - DEBUG_VERBOSE("DrvImpObUnRegisterCallbacks);%llx", (UINT64)driver_imports.DrvImpObUnRegisterCallbacks); - DEBUG_VERBOSE("DrvImpPsSetCreateThreadNotifyRoutine);%llx", (UINT64)driver_imports.DrvImpPsSetCreateThreadNotifyRoutine); - DEBUG_VERBOSE("DrvImpKeRevertToUserAffinityThreadEx);%llx", (UINT64)driver_imports.DrvImpKeRevertToUserAffinityThreadEx); - DEBUG_VERBOSE("DrvImpKeSetSystemAffinityThreadEx);%llx", (UINT64)driver_imports.DrvImpKeSetSystemAffinityThreadEx); - DEBUG_VERBOSE("DrvImpstrnlen );%llx", (UINT64)driver_imports.DrvImpstrnlen ); - DEBUG_VERBOSE("DrvImpRtlInitAnsiString);%llx", (UINT64)driver_imports.DrvImpRtlInitAnsiString); - DEBUG_VERBOSE("DrvImpRtlAnsiStringToUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlAnsiStringToUnicodeString); - DEBUG_VERBOSE("DrvImpIoGetCurrentProcess);%llx", (UINT64)driver_imports.DrvImpIoGetCurrentProcess); - DEBUG_VERBOSE("DrvImpRtlGetVersion);%llx", (UINT64)driver_imports.DrvImpRtlGetVersion); - DEBUG_VERBOSE("DrvImpRtlCompareMemory);%llx", (UINT64)driver_imports.DrvImpRtlCompareMemory); - DEBUG_VERBOSE("DrvImpExGetSystemFirmwareTable);%llx", (UINT64)driver_imports.DrvImpExGetSystemFirmwareTable); - DEBUG_VERBOSE("DrvImpIoAllocateWorkItem);%llx", (UINT64)driver_imports.DrvImpIoAllocateWorkItem); - DEBUG_VERBOSE("DrvImpIoFreeWorkItem);%llx", (UINT64)driver_imports.DrvImpIoFreeWorkItem); - DEBUG_VERBOSE("DrvImpIoQueueWorkItem);%llx", (UINT64)driver_imports.DrvImpIoQueueWorkItem); - DEBUG_VERBOSE("DrvImpZwOpenFile );%llx", (UINT64)driver_imports.DrvImpZwOpenFile ); - DEBUG_VERBOSE("DrvImpZwClose );%llx", (UINT64)driver_imports.DrvImpZwClose ); - DEBUG_VERBOSE("DrvImpZwCreateSection);%llx", (UINT64)driver_imports.DrvImpZwCreateSection); - DEBUG_VERBOSE("DrvImpZwMapViewOfSection);%llx", (UINT64)driver_imports.DrvImpZwMapViewOfSection); - DEBUG_VERBOSE("DrvImpZwUnmapViewOfSection);%llx", (UINT64)driver_imports.DrvImpZwUnmapViewOfSection); - DEBUG_VERBOSE("DrvImpMmCopyMemory);%llx", (UINT64)driver_imports.DrvImpMmCopyMemory); - DEBUG_VERBOSE("DrvImpZwDeviceIoControlFile);%llx", (UINT64)driver_imports.DrvImpZwDeviceIoControlFile); - DEBUG_VERBOSE("DrvImpKeStackAttachProcess);%llx", (UINT64)driver_imports.DrvImpKeStackAttachProcess); - DEBUG_VERBOSE("DrvImpKeUnstackDetachProcess);%llx", (UINT64)driver_imports.DrvImpKeUnstackDetachProcess); - DEBUG_VERBOSE("DrvImpKeWaitForSingleObject);%llx", (UINT64)driver_imports.DrvImpKeWaitForSingleObject); - DEBUG_VERBOSE("DrvImpPsCreateSystemThread);%llx", (UINT64)driver_imports.DrvImpPsCreateSystemThread); - DEBUG_VERBOSE("DrvImpIofCompleteRequest);%llx", (UINT64)driver_imports.DrvImpIofCompleteRequest); - DEBUG_VERBOSE("DrvImpObReferenceObjectByHandle);%llx", (UINT64)driver_imports.DrvImpObReferenceObjectByHandle); - DEBUG_VERBOSE("DrvImpKeDelayExecutionThread);%llx", (UINT64)driver_imports.DrvImpKeDelayExecutionThread); - DEBUG_VERBOSE("DrvImpKeRegisterNmiCallback);%llx", (UINT64)driver_imports.DrvImpKeRegisterNmiCallback); - DEBUG_VERBOSE("DrvImpKeDeregisterNmiCallback);%llx", (UINT64)driver_imports.DrvImpKeDeregisterNmiCallback); - DEBUG_VERBOSE("DrvImpKeQueryActiveProcessorCount);%llx", (UINT64)driver_imports.DrvImpKeQueryActiveProcessorCount); - DEBUG_VERBOSE("DrvImpExAcquirePushLockExclusiveEx);%llx", (UINT64)driver_imports.DrvImpExAcquirePushLockExclusiveEx); - DEBUG_VERBOSE("DrvImpExReleasePushLockExclusiveEx);%llx", (UINT64)driver_imports.DrvImpExReleasePushLockExclusiveEx); - DEBUG_VERBOSE("DrvImpPsGetThreadId);%llx", (UINT64)driver_imports.DrvImpPsGetThreadId); - DEBUG_VERBOSE("DrvImpRtlCaptureStackBackTrace);%llx", (UINT64)driver_imports.DrvImpRtlCaptureStackBackTrace); - DEBUG_VERBOSE("DrvImpZwOpenDirectoryObject);%llx", (UINT64)driver_imports.DrvImpZwOpenDirectoryObject); - DEBUG_VERBOSE("DrvImpKeInitializeAffinityEx);%llx", (UINT64)driver_imports.DrvImpKeInitializeAffinityEx); - DEBUG_VERBOSE("DrvImpKeAddProcessorAffinityEx);%llx", (UINT64)driver_imports.DrvImpKeAddProcessorAffinityEx); - DEBUG_VERBOSE("DrvImpRtlQueryModuleInformation);%llx", (UINT64)driver_imports.DrvImpRtlQueryModuleInformation); - DEBUG_VERBOSE("DrvImpKeInitializeApc);%llx", (UINT64)driver_imports.DrvImpKeInitializeApc); - DEBUG_VERBOSE("DrvImpKeInsertQueueApc);%llx", (UINT64)driver_imports.DrvImpKeInsertQueueApc); - DEBUG_VERBOSE("DrvImpKeGenericCallDpc);%llx", (UINT64)driver_imports.DrvImpKeGenericCallDpc); - DEBUG_VERBOSE("DrvImpKeSignalCallDpcDone);%llx", (UINT64)driver_imports.DrvImpKeSignalCallDpcDone); - DEBUG_VERBOSE("DrvImpMmGetPhysicalMemoryRangesEx2);%llx", (UINT64)driver_imports.DrvImpMmGetPhysicalMemoryRangesEx2); - DEBUG_VERBOSE("DrvImpMmGetVirtualForPhysical);%llx", (UINT64)driver_imports.DrvImpMmGetVirtualForPhysical); - DEBUG_VERBOSE("DrvImpObfReferenceObject);%llx", (UINT64)driver_imports.DrvImpObfReferenceObject); - DEBUG_VERBOSE("DrvImpExFreePoolWithTag);%llx", (UINT64)driver_imports.DrvImpExFreePoolWithTag); - DEBUG_VERBOSE("DrvImpExAllocatePool2);%llx", (UINT64)driver_imports.DrvImpExAllocatePool2); - DEBUG_VERBOSE("DrvImpKeReleaseGuardedMutex);%llx", (UINT64)driver_imports.DrvImpKeReleaseGuardedMutex); - DEBUG_VERBOSE("DrvImpKeAcquireGuardedMutex);%llx", (UINT64)driver_imports.DrvImpKeAcquireGuardedMutex); - DEBUG_VERBOSE("DrvImpDbgPrintEx );%llx", (UINT64)driver_imports.DrvImpDbgPrintEx ); - DEBUG_VERBOSE("DrvImpRtlCompareUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlCompareUnicodeString); - DEBUG_VERBOSE("DrvImpRtlFreeUnicodeString);%llx", (UINT64)driver_imports.DrvImpRtlFreeUnicodeString); - DEBUG_VERBOSE("DrvImpPsLookupThreadByThreadId);%llx", (UINT64)driver_imports.DrvImpPsLookupThreadByThreadId); - DEBUG_VERBOSE("DrvImpIoGetCurrentIrpStackLocation);%llx", (UINT64)driver_imports.DrvImpIoGetCurrentIrpStackLocation); - DEBUG_VERBOSE("DrvImpMmIsAddressValid); %llx", (UINT64)driver_imports.DrvImpMmIsAddressValid); + driver_imports.DrvImpMmIsAddressValid = FindNtExport(DriverObject, "MmIsAddressValid"); if (!driver_imports.DrvImpObDereferenceObject) return STATUS_UNSUCCESSFUL; if (!driver_imports.DrvImpPsGetProcessImageFileName) return STATUS_UNSUCCESSFUL; @@ -332,5 +251,914 @@ ResolveDynamicImports(_In_ PDRIVER_OBJECT DriverObject) if (!driver_imports.DrvImpMmIsAddressValid) return STATUS_UNSUCCESSFUL; // clang-format on + CryptEncryptImportsArray(&driver_imports, IMPORTS_LENGTH); + return STATUS_SUCCESS; +} + +VOID +ImpObDereferenceObject(_In_ PVOID Object) +{ + pObDereferenceObject impObDereferenceObject = + (pObDereferenceObject)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, OB_DEREFERENCE_OBJECT_INDEX); + + impObDereferenceObject(Object); +} + +NTSTATUS +ImpPsLookupThreadByThreadId(_In_ HANDLE ThreadId, _Out_ PETHREAD* Thread) +{ + pPsLookupThreadByThreadId impPsLookupThreadByThreadId = + (pPsLookupThreadByThreadId)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_LOOKUP_THREAD_BY_THREAD_ID_INDEX); + + return impPsLookupThreadByThreadId(ThreadId, Thread); +} + +BOOLEAN +ImpMmIsAddressValid(_In_ PVOID VirtualAddress) +{ + pMmIsAddressValid impMmIsAddressValid = (pMmIsAddressValid)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, MM_IS_ADDRESS_VALID_INDEX); + + return impMmIsAddressValid(VirtualAddress); +} + +NTSTATUS +ImpPsSetCreateProcessNotifyRoutine(_In_ PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, + _In_ BOOLEAN Remove) +{ + pPsSetCreateProcessNotifyRoutine impPsSetCreateProcessNotifyRoutine = + (pPsSetCreateProcessNotifyRoutine)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_INDEX); + + return impPsSetCreateProcessNotifyRoutine(NotifyRoutine, Remove); +} + +NTSTATUS +ImpPsRemoveCreateThreadNotifyRoutine(_In_ PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine) +{ + pPsRemoveCreateThreadNotifyRoutine impPsRemoveCreateThreadNotifyRoutine = + (pPsRemoveCreateThreadNotifyRoutine)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_REMOVE_CREATE_THREAD_NOTIFY_ROUTINE_INDEX); + + return impPsRemoveCreateThreadNotifyRoutine(NotifyRoutine); +} + +HANDLE +ImpPsGetCurrentThreadId() +{ + pPsGetCurrentThreadId impPsGetCurrentThreadId = + (pPsGetCurrentThreadId)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_GET_CURRENT_THREAD_ID_INDEX); + + return impPsGetCurrentThreadId(); +} + +HANDLE +ImpPsGetProcessId(_In_ PEPROCESS Process) +{ + pPsGetProcessId impPsGetProcessId = (pPsGetProcessId)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_GET_PROCESS_ID_INDEX); + + return impPsGetProcessId(Process); +} + +NTSTATUS +ImpPsLookupProcessByProcessId(_In_ HANDLE ProcessId, _Out_ PEPROCESS* Process) +{ + pPsLookupProcessByProcessId impPsLookupProcessByProcessId = + (pPsLookupProcessByProcessId)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_LOOKUP_PROCESS_BY_PROCESS_ID_INDEX); + + return impPsLookupProcessByProcessId(ProcessId, Process); +} + +PVOID +ImpExEnumHandleTable(_In_ PHANDLE_TABLE HandleTable, + _In_ PVOID Callback, + _In_opt_ PVOID Context, + _Out_opt_ PHANDLE Handle) +{ + pExEnumHandleTable impExEnumHandleTable = (pExEnumHandleTable)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, EX_ENUM_HANDLE_TABLE_INDEX); + + return impExEnumHandleTable(HandleTable, Callback, Context, Handle); +} + +POBJECT_TYPE +ImpObGetObjectType(_In_ PVOID Object) +{ + pObGetObjectType impObGetObjectType = (pObGetObjectType)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, OB_GET_OBJECT_TYPE_INDEX); + + return impObGetObjectType(Object); +} + +VOID +ImpExfUnblockPushLock(_In_ PEX_PUSH_LOCK PushLock, _In_ PVOID WaitBlock) +{ + pExfUnblockPushLock impExfUnblockPushLock = + (pExfUnblockPushLock)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, EXF_UNBLOCK_PUSH_LOCK_INDEX); + + impExfUnblockPushLock(PushLock, WaitBlock); +} + +LPCSTR +ImpPsGetProcessImageFileName(_In_ PEPROCESS Process) +{ + pPsGetProcessImageFileName impPsGetProcessImageFileName = + (pPsGetProcessImageFileName)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_GET_PROCESS_IMAGE_FILE_NAME_INDEX); + + return impPsGetProcessImageFileName(Process); +} + +INT +ImpStrStr(_In_ CHAR* haystack, _In_ CHAR* needle) +{ + pstrstr impStrStr = + (pstrstr)CryptDecryptImportsArrayEntry(&driver_imports, IMPORTS_LENGTH, STRSTR_INDEX); + + return impStrStr(haystack, needle); +} + +VOID +ImpRtlInitUnicodeString(_In_ PUNICODE_STRING DestinationString, _In_ PCWSTR SourceString) +{ + pRtlInitUnicodeString impRtlInitUnicodeString = + (pRtlInitUnicodeString)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_INIT_UNICODE_STRING_INDEX); + + impRtlInitUnicodeString(DestinationString, SourceString); +} + +NTSTATUS +ImpRtlQueryRegistryValues(_In_ ULONG RelativeTo, + _In_ PCWSTR Path, + _In_ PRTL_QUERY_REGISTRY_TABLE QueryTable, + _In_opt_ void* Context, + _In_ void* Environment) +{ + pRtlQueryRegistryValues impRtlQueryRegistryValues = + (pRtlQueryRegistryValues)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_QUERY_REGISTRY_VALUES_INDEX); + + return impRtlQueryRegistryValues(RelativeTo, Path, QueryTable, Context, Environment); +} + +PVOID +ImpMmGetSystemRoutineAddress(_In_ PUNICODE_STRING SystemRoutineName) +{ + pMmGetSystemRoutineAddress impMmGetSystemRoutineAddress = + (pMmGetSystemRoutineAddress)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, MM_GET_SYSTEM_ROUTINE_ADDRESS_INDEX); + + return impMmGetSystemRoutineAddress(SystemRoutineName); +} + +NTSTATUS +ImpRtlUnicodeStringToAnsiString(_In_ PANSI_STRING DestinationString, + _In_ PCUNICODE_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString) +{ + pRtlUnicodeStringToAnsiString impRtlUnicodeStringToAnsiString = + (pRtlUnicodeStringToAnsiString)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_UNICODE_STRING_TO_ANSI_STRING_INDEX); + + return impRtlUnicodeStringToAnsiString( + DestinationString, SourceString, AllocateDestinationString); +} + +VOID +ImpRtlCopyUnicodeString(_In_ PUNICODE_STRING DestinationString, _In_ PCUNICODE_STRING SourceString) +{ + pRtlCopyUnicodeString impRtlCopyUnicodeString = + (pRtlCopyUnicodeString)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_COPY_UNICODE_STRING_INDEX); + + impRtlCopyUnicodeString(DestinationString, SourceString); +} + +VOID +ImpRtlFreeAnsiString(_In_ PANSI_STRING AnsiString) +{ + pRtlFreeAnsiString impRtlFreeAnsiString = (pRtlFreeAnsiString)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_FREE_ANSI_STRING_INDEX); + + impRtlFreeAnsiString(AnsiString); +} + +VOID +ImpKeInitializeGuardedMutex(_In_ PKGUARDED_MUTEX GuardedMutex) +{ + pKeInitializeGuardedMutex impKeInitializeGuardedMutex = + (pKeInitializeGuardedMutex)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_INITIALIZE_GUARDED_MUTEX_INDEX); + + impKeInitializeGuardedMutex(GuardedMutex); +} + +NTSTATUS +ImpIoCreateDevice(_In_ PDRIVER_OBJECT DriverObject, + _In_ ULONG DeviceExtensionSize, + _In_opt_ PUNICODE_STRING DeviceName, + _In_ DEVICE_TYPE DeviceType, + _In_ ULONG DeviceCharacteristics, + _In_ BOOLEAN Exclusive, + _Out_ PDEVICE_OBJECT* DeviceObject) +{ + pIoCreateDevice impIoCreateDevice = (pIoCreateDevice)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, IO_CREATE_DEVICE_INDEX); + + return impIoCreateDevice(DriverObject, + DeviceExtensionSize, + DeviceName, + DeviceType, + DeviceCharacteristics, + Exclusive, + DeviceObject); +} + +NTSTATUS +ImpIoCreateSymbolicLink(_In_ PUNICODE_STRING SymbolicLinkName, _In_ PUNICODE_STRING DeviceName) +{ + pIoCreateSymbolicLink impIoCreateSymbolicLink = + (pIoCreateSymbolicLink)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, IO_CREATE_SYMBOLIC_LINK_INDEX); + + return impIoCreateSymbolicLink(SymbolicLinkName, DeviceName); +} + +VOID +ImpIoDeleteDevice(_In_ PDEVICE_OBJECT DeviceObject) +{ + pIoDeleteDevice impIoDeleteDevice = (pIoDeleteDevice)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, IO_DELETE_DEVICE_INDEX); + + impIoDeleteDevice(DeviceObject); +} + +VOID +ImpIoDeleteSymbolicLink(_In_ PUNICODE_STRING SymbolicLinkName) +{ + pIoDeleteSymbolicLink impIoDeleteSymbolicLink = + (pIoDeleteSymbolicLink)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, IO_DELETE_SYMBOLIC_LINK_INDEX); + + impIoDeleteSymbolicLink(SymbolicLinkName); +} + +NTSTATUS +ImpObRegisterCallbacks(_In_ POB_CALLBACK_REGISTRATION CallbackRegistration, + _Out_ PVOID* RegistrationHandle) +{ + pObRegisterCallbacks impObRegisterCallbacks = + (pObRegisterCallbacks)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, OB_REGISTER_CALLBACKS_INDEX); + + return impObRegisterCallbacks(CallbackRegistration, RegistrationHandle); +} + +VOID +ImpObUnRegisterCallbacks(_In_ PVOID RegistrationHandle) +{ + pObUnRegisterCallbacks impObUnRegisterCallbacks = + (pObUnRegisterCallbacks)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, OB_UNREGISTER_CALLBACKS_INDEX); + + impObUnRegisterCallbacks(RegistrationHandle); +} + +NTSTATUS +ImpPsSetCreateThreadNotifyRoutine(_In_ PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine) +{ + pPsSetCreateThreadNotifyRoutine impPsSetCreateThreadNotifyRoutine = + (pPsSetCreateThreadNotifyRoutine)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_SET_CREATE_THREAD_NOTIFY_ROUTINE_INDEX); + + return impPsSetCreateThreadNotifyRoutine(NotifyRoutine); +} + +VOID +ImpKeRevertToUserAffinityThreadEx(_In_ KAFFINITY Affinity) +{ + pKeRevertToUserAffinityThreadEx impKeRevertToUserAffinityThreadEx = + (pKeRevertToUserAffinityThreadEx)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_REVERT_TO_USER_AFFINITY_THREAD_EX_INDEX); + + impKeRevertToUserAffinityThreadEx(Affinity); +} + +KAFFINITY +ImpKeSetSystemAffinityThreadEx(_In_ KAFFINITY Affinity) +{ + pKeSetSystemAffinityThreadEx impKeSetSystemAffinityThreadEx = + (pKeSetSystemAffinityThreadEx)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_SET_SYSTEM_AFFINITY_THREAD_EX_INDEX); + + return impKeSetSystemAffinityThreadEx(Affinity); +} + +SIZE_T +ImpStrnlen(_In_ CHAR* str, _In_ SIZE_T maxCount) +{ + pstrnlen impStrnlen = + (pstrnlen)CryptDecryptImportsArrayEntry(&driver_imports, IMPORTS_LENGTH, STRNLEN_INDEX); + + return impStrnlen(str, maxCount); +} + +VOID +ImpRtlInitAnsiString(_In_ PANSI_STRING DestinationString, _In_ PCSZ SourceString) +{ + pRtlInitAnsiString impRtlInitAnsiString = (pRtlInitAnsiString)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_INIT_ANSI_STRING_INDEX); + + impRtlInitAnsiString(DestinationString, SourceString); +} + +NTSTATUS +ImpRtlAnsiStringToUnicodeString(_In_ PUNICODE_STRING DestinationString, + _In_ PCANSI_STRING SourceString, + _In_ BOOLEAN AllocateDestinationString) +{ + pRtlAnsiStringToUnicodeString impRtlAnsiStringToUnicodeString = + (pRtlAnsiStringToUnicodeString)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_ANSI_STRING_TO_UNICODE_STRING_INDEX); + + return impRtlAnsiStringToUnicodeString( + DestinationString, SourceString, AllocateDestinationString); +} + +PEPROCESS +ImpIoGetCurrentProcess() +{ + pIoGetCurrentProcess impIoGetCurrentProcess = + (pIoGetCurrentProcess)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, IO_GET_CURRENT_PROCESS_INDEX); + + return impIoGetCurrentProcess(); +} + +NTSTATUS +ImpRtlGetVersion(_Out_ PRTL_OSVERSIONINFOW lpVersionInformation) +{ + pRtlGetVersion impRtlGetVersion = (pRtlGetVersion)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_GET_VERSION_INDEX); + + return impRtlGetVersion(lpVersionInformation); +} + +SIZE_T +ImpRtlCompareMemory(_In_ PVOID Source1, _In_ PVOID Source2, _In_ SIZE_T Length) +{ + pRtlCompareMemory impRtlCompareMemory = (pRtlCompareMemory)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_COMPARE_MEMORY_INDEX); + + return impRtlCompareMemory(Source1, Source2, Length); +} + +NTSTATUS +ImpExGetSystemFirmwareTable(_In_ ULONG FirmwareTableProviderSignature, + _In_ ULONG FirmwareTableID, + _In_ PVOID pFirmwareTableBuffer, + _In_ ULONG BufferLength, + _Out_ PULONG ReturnLength) +{ + pExGetSystemFirmwareTable impExGetSystemFirmwareTable = + (pExGetSystemFirmwareTable)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, EX_GET_SYSTEM_FIRMWARE_TABLE_INDEX); + + return impExGetSystemFirmwareTable(FirmwareTableProviderSignature, + FirmwareTableID, + pFirmwareTableBuffer, + BufferLength, + ReturnLength); +} + +PIO_WORKITEM +ImpIoAllocateWorkItem(_In_ PDEVICE_OBJECT DeviceObject) +{ + pIoAllocateWorkItem impIoAllocateWorkItem = + (pIoAllocateWorkItem)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, IO_ALLOCATE_WORK_ITEM_INDEX); + + return impIoAllocateWorkItem(DeviceObject); +} + +VOID +ImpIoFreeWorkItem(_In_ PIO_WORKITEM WorkItem) +{ + pIoFreeWorkItem impIoFreeWorkItem = (pIoFreeWorkItem)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, IO_FREE_WORK_ITEM_INDEX); + + impIoFreeWorkItem(WorkItem); +} + +VOID +ImpIoQueueWorkItem(_In_ PIO_WORKITEM IoWorkItem, + _In_ PIO_WORKITEM_ROUTINE WorkerRoutine, + _In_ WORK_QUEUE_TYPE QueueType, + _In_opt_ PVOID Context) +{ + pIoQueueWorkItem impIoQueueWorkItem = (pIoQueueWorkItem)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, IO_QUEUE_WORK_ITEM_INDEX); + + impIoQueueWorkItem(IoWorkItem, WorkerRoutine, QueueType, Context); +} + +NTSTATUS +ImpZwOpenFile(_Out_ PHANDLE FileHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG ShareAccess, + _In_ ULONG OpenOptions) +{ + pZwOpenFile impZwOpenFile = (pZwOpenFile)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, ZW_OPEN_FILE_INDEX); + + return impZwOpenFile( + FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions); +} + +NTSTATUS +ImpZwClose(_In_ HANDLE Handle) +{ + pZwClose impZwClose = (pZwClose)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, ZW_CLOSE_INDEX); + + return impZwClose(Handle); +} + +NTSTATUS +ImpZwCreateSection(_Out_ PHANDLE SectionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PLARGE_INTEGER MaximumSize, + _In_ ULONG SectionPageProtection, + _In_ ULONG AllocationAttributes, + _In_opt_ HANDLE FileHandle) +{ + pZwCreateSection impZwCreateSection = (pZwCreateSection)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, ZW_CREATE_SECTION_INDEX); + + return impZwCreateSection(SectionHandle, + DesiredAccess, + ObjectAttributes, + MaximumSize, + SectionPageProtection, + AllocationAttributes, + FileHandle); +} + +NTSTATUS +ImpZwMapViewOfSection(_In_ HANDLE SectionHandle, + _In_ HANDLE ProcessHandle, + _Inout_ PVOID* BaseAddress, + _In_ ULONG_PTR ZeroBits, + _In_ SIZE_T CommitSize, + _Inout_opt_ PLARGE_INTEGER SectionOffset, + _Inout_ PSIZE_T ViewSize, + _In_ SECTION_INHERIT InheritDisposition, + _In_ ULONG AllocationType, + _In_ ULONG Win32Protect) +{ + pZwMapViewOfSection impZwMapViewOfSection = + (pZwMapViewOfSection)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, ZW_MAP_VIEW_OF_SECTION_INDEX); + + return impZwMapViewOfSection(SectionHandle, + ProcessHandle, + BaseAddress, + ZeroBits, + CommitSize, + SectionOffset, + ViewSize, + InheritDisposition, + AllocationType, + Win32Protect); +} + +NTSTATUS +ImpZwUnmapViewOfSection(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress) +{ + pZwUnmapViewOfSection impZwUnmapViewOfSection = + (pZwUnmapViewOfSection)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, ZW_UNMAP_VIEW_OF_SECTION_INDEX); + + return impZwUnmapViewOfSection(ProcessHandle, BaseAddress); +} + +NTSTATUS +ImpMmCopyMemory(_In_ PVOID TargetAddress, + _In_ MM_COPY_ADDRESS SourceAddress, + _In_ SIZE_T NumberOfBytes, + _In_ ULONG Flags, + _Out_ PSIZE_T NumberOfBytesTransferred) +{ + pMmCopyMemory impMmCopyMemory = (pMmCopyMemory)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, MM_COPY_MEMORY_INDEX); + + return impMmCopyMemory( + TargetAddress, SourceAddress, NumberOfBytes, Flags, NumberOfBytesTransferred); +} + +NTSTATUS +ImpZwDeviceIoControlFile(_In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG IoControlCode, + _In_opt_ PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_opt_ PVOID OutputBuffer, + _In_ ULONG OutputBufferLength) +{ + pZwDeviceIoControlFile impZwDeviceIoControlFile = + (pZwDeviceIoControlFile)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, ZW_DEVICE_IO_CONTROL_FILE_INDEX); + + return impZwDeviceIoControlFile(FileHandle, + Event, + ApcRoutine, + ApcContext, + IoStatusBlock, + IoControlCode, + InputBuffer, + InputBufferLength, + OutputBuffer, + OutputBufferLength); +} + +VOID +ImpKeStackAttachProcess(_In_ PRKPROCESS Process, _Out_ PKAPC_STATE ApcState) +{ + pKeStackAttachProcess impKeStackAttachProcess = + (pKeStackAttachProcess)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_STACK_ATTACH_PROCESS_INDEX); + + impKeStackAttachProcess(Process, ApcState); +} + +VOID +ImpKeUnstackDetachProcess(_In_ PKAPC_STATE ApcState) +{ + pKeUnstackDetachProcess impKeUnstackDetachProcess = + (pKeUnstackDetachProcess)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_UNSTACK_DETACH_PROCESS_INDEX); + + impKeUnstackDetachProcess(ApcState); +} + +NTSTATUS +ImpKeWaitForSingleObject(_In_ PVOID Object, + _In_ KWAIT_REASON WaitReason, + _In_ KPROCESSOR_MODE WaitMode, + _In_ BOOLEAN Alertable, + _In_ PLARGE_INTEGER Timeout) +{ + pKeWaitForSingleObject impKeWaitForSingleObject = + (pKeWaitForSingleObject)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_WAIT_FOR_SINGLE_OBJECT_INDEX); + + return impKeWaitForSingleObject(Object, WaitReason, WaitMode, Alertable, Timeout); +} + +NTSTATUS +ImpPsCreateSystemThread(_Out_ PHANDLE ThreadHandle, + _In_ ULONG DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ HANDLE ProcessHandle, + _Out_opt_ PCLIENT_ID ClientId, + _In_ PKSTART_ROUTINE StartRoutine, + _In_opt_ PVOID StartContext) +{ + pPsCreateSystemThread impPsCreateSystemThread = + (pPsCreateSystemThread)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_CREATE_SYSTEM_THREAD_INDEX); + + return impPsCreateSystemThread(ThreadHandle, + DesiredAccess, + ObjectAttributes, + ProcessHandle, + ClientId, + StartRoutine, + StartContext); +} + +VOID +ImpIofCompleteRequest(_In_ PIRP Irp, _In_ CCHAR PriorityBoost) +{ + pIofCompleteRequest impIofCompleteRequest = + (pIofCompleteRequest)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, IOF_COMPLETE_REQUEST_INDEX); + + impIofCompleteRequest(Irp, PriorityBoost); +} + +NTSTATUS +ImpObReferenceObjectByHandle(_In_ HANDLE Handle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_TYPE ObjectType, + _In_ KPROCESSOR_MODE AccessMode, + _Out_ PVOID* Object, + _Out_opt_ POBJECT_HANDLE_INFORMATION HandleInformation) +{ + pObReferenceObjectByHandle impObReferenceObjectByHandle = + (pObReferenceObjectByHandle)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, OB_REFERENCE_OBJECT_BY_HANDLE_INDEX); + + return impObReferenceObjectByHandle( + Handle, DesiredAccess, ObjectType, AccessMode, Object, HandleInformation); +} + +NTSTATUS +ImpKeDelayExecutionThread(_In_ KPROCESSOR_MODE WaitMode, + _In_ BOOLEAN Alertable, + _In_ PLARGE_INTEGER Interval) +{ + pKeDelayExecutionThread impKeDelayExecutionThread = + (pKeDelayExecutionThread)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_DELAY_EXECUTION_THREAD_INDEX); + + return impKeDelayExecutionThread(WaitMode, Alertable, Interval); +} + +PVOID +ImpKeRegisterNmiCallback(_In_ PVOID CallbackRoutine, _In_opt_ PVOID Context) +{ + pKeRegisterNmiCallback impKeRegisterNmiCallback = + (pKeRegisterNmiCallback)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_REGISTER_NMI_CALLBACK_INDEX); + + return impKeRegisterNmiCallback(CallbackRoutine, Context); +} + +NTSTATUS +ImpKeDeregisterNmiCallback(_In_ PVOID Handle) +{ + pKeDeregisterNmiCallback impKeDeregisterNmiCallback = + (pKeDeregisterNmiCallback)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_DEREGISTER_NMI_CALLBACK_INDEX); + + return impKeDeregisterNmiCallback(Handle); +} + +ULONG +ImpKeQueryActiveProcessorCount(_In_ PKAFFINITY ActiveProcessors) +{ + pKeQueryActiveProcessorCount impKeQueryActiveProcessorCount = + (pKeQueryActiveProcessorCount)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_QUERY_ACTIVE_PROCESSOR_COUNT_INDEX); + + return impKeQueryActiveProcessorCount(ActiveProcessors); +} + +VOID +ImpExAcquirePushLockExclusiveEx(_Inout_ PEX_PUSH_LOCK PushLock, _In_ ULONG Flags) +{ + pExAcquirePushLockExclusiveEx impExAcquirePushLockExclusiveEx = + (pExAcquirePushLockExclusiveEx)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, EX_ACQUIRE_PUSH_LOCK_EXCLUSIVE_EX_INDEX); + + impExAcquirePushLockExclusiveEx(PushLock, Flags); +} + +VOID +ImpExReleasePushLockExclusiveEx(_Inout_ PEX_PUSH_LOCK PushLock, _In_ ULONG Flags) +{ + pExReleasePushLockExclusiveEx impExReleasePushLockExclusiveEx = + (pExReleasePushLockExclusiveEx)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, EX_RELEASE_PUSH_LOCK_EXCLUSIVE_EX_INDEX); + + impExReleasePushLockExclusiveEx(PushLock, Flags); +} + +HANDLE +ImpPsGetThreadId(_In_ PETHREAD Thread) +{ + pPsGetThreadId impPsGetThreadId = (pPsGetThreadId)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, PS_GET_THREAD_ID_INDEX); + + return impPsGetThreadId(Thread); +} + +USHORT +ImpRtlCaptureStackBackTrace(_In_ ULONG FramesToSkip, + _In_ ULONG FramesToCapture, + _Out_ PVOID* BackTrace, + _Out_opt_ PULONG BackTraceHash) +{ + pRtlCaptureStackBackTrace impRtlCaptureStackBackTrace = + (pRtlCaptureStackBackTrace)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_CAPTURE_STACK_BACK_TRACE_INDEX); + + return impRtlCaptureStackBackTrace(FramesToSkip, FramesToCapture, BackTrace, BackTraceHash); +} + +NTSTATUS +ImpZwOpenDirectoryObject(_Out_ PHANDLE DirectoryHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_ POBJECT_ATTRIBUTES ObjectAttributes) +{ + pZwOpenDirectoryObject impZwOpenDirectoryObject = + (pZwOpenDirectoryObject)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, ZW_OPEN_DIRECTORY_OBJECT_INDEX); + + return impZwOpenDirectoryObject(DirectoryHandle, DesiredAccess, ObjectAttributes); +} + +VOID +ImpKeInitializeAffinityEx(_In_ PKAFFINITY_EX AffinityMask) +{ + pKeInitializeAffinityEx impKeInitializeAffinityEx = + (pKeInitializeAffinityEx)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_INITIALIZE_AFFINITY_EX_INDEX); + + impKeInitializeAffinityEx(AffinityMask); +} + +VOID +ImpKeAddProcessorAffinityEx(_In_ PKAFFINITY_EX Affinity, _In_ INT CoreNumber) +{ + pKeAddProcessorAffinityEx impKeAddProcessorAffinityEx = + (pKeAddProcessorAffinityEx)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_ADD_PROCESSOR_AFFINITY_EX_INDEX); + + impKeAddProcessorAffinityEx(Affinity, CoreNumber); +} + +NTSTATUS +ImpRtlQueryModuleInformation(_Inout_ ULONG* InformationLength, + _In_ ULONG SizePerModule, + _In_ PVOID InformationBuffer) +{ + pRtlQueryModuleInformation impRtlQueryModuleInformation = + (pRtlQueryModuleInformation)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_QUERY_MODULE_INFORMATION_INDEX); + + return impRtlQueryModuleInformation(InformationLength, SizePerModule, InformationBuffer); +} + +VOID +ImpKeInitializeApc(_In_ PKAPC Apc, + _In_ PKTHREAD Thread, + _In_ KAPC_ENVIRONMENT Environment, + _In_ PKKERNEL_ROUTINE KernelRoutine, + _In_ PKRUNDOWN_ROUTINE RundownRoutine, + _In_ PKNORMAL_ROUTINE NormalRoutine, + _In_ KPROCESSOR_MODE ApcMode, + _In_ PVOID NormalContext) +{ + pKeInitializeApc impKeInitializeApc = (pKeInitializeApc)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_INITIALIZE_APC_INDEX); + + impKeInitializeApc(Apc, + Thread, + Environment, + KernelRoutine, + RundownRoutine, + NormalRoutine, + ApcMode, + NormalContext); +} + +BOOLEAN +ImpKeInsertQueueApc(_In_ PKAPC Apc, + _In_ PVOID SystemArgument1, + _In_ PVOID SystemArgument2, + _In_ KPRIORITY Increment) +{ + pKeInsertQueueApc impKeInsertQueueApc = (pKeInsertQueueApc)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_INSERT_QUEUE_APC_INDEX); + + return impKeInsertQueueApc(Apc, SystemArgument1, SystemArgument2, Increment); +} + +VOID +ImpKeGenericCallDpc(_In_ PKDEFERRED_ROUTINE DpcRoutine, _In_ PVOID Context) +{ + pKeGenericCallDpc impKeGenericCallDpc = (pKeGenericCallDpc)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_GENERIC_CALL_DPC_INDEX); + + impKeGenericCallDpc(DpcRoutine, Context); +} + +VOID +ImpKeSignalCallDpcDone(_In_ PVOID SystemArgument1) +{ + pKeSignalCallDpcDone impKeSignalCallDpcDone = + (pKeSignalCallDpcDone)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_SIGNAL_CALL_DPC_DONE_INDEX); + + impKeSignalCallDpcDone(SystemArgument1); +} + +PPHYSICAL_MEMORY_RANGE +ImpMmGetPhysicalMemoryRangesEx2(_In_ PVOID PartitionObject, _In_ ULONG Flags) +{ + pMmGetPhysicalMemoryRangesEx2 impMmGetPhysicalMemoryRangesEx2 = + (pMmGetPhysicalMemoryRangesEx2)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, MM_GET_PHYSICAL_MEMORY_RANGES_EX2_INDEX); + + return impMmGetPhysicalMemoryRangesEx2(PartitionObject, Flags); +} + +PVOID +ImpMmGetVirtualForPhysical(_In_ PHYSICAL_ADDRESS PhysicalAddress) +{ + pMmGetVirtualForPhysical impMmGetVirtualForPhysical = + (pMmGetVirtualForPhysical)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, MM_GET_VIRTUAL_FOR_PHYSICAL_INDEX); + + return impMmGetVirtualForPhysical(PhysicalAddress); +} + +LONG_PTR +ImpObfReferenceObject(_In_ PVOID Object) +{ + pObfReferenceObject impObfReferenceObject = + (pObfReferenceObject)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, OBF_REFERENCE_OBJECT_INDEX); + + return impObfReferenceObject(Object); +} + +VOID +ImpExFreePoolWithTag(_In_ PVOID P, _In_ ULONG Tag) +{ + pExFreePoolWithTag impExFreePoolWithTag = (pExFreePoolWithTag)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, EX_FREE_POOL_WITH_TAG_INDEX); + + impExFreePoolWithTag(P, Tag); +} + +PVOID +ImpExAllocatePool2(_In_ POOL_FLAGS Flags, _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag) +{ + pExAllocatePool2 impExAllocatePool2 = (pExAllocatePool2)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, EX_ALLOCATE_POOL2_INDEX); + + return impExAllocatePool2(Flags, NumberOfBytes, Tag); +} + +VOID +ImpKeReleaseGuardedMutex(_In_ PKGUARDED_MUTEX GuardedMutex) +{ + pKeReleaseGuardedMutex impKeReleaseGuardedMutex = + (pKeReleaseGuardedMutex)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_RELEASE_GUARDED_MUTEX_INDEX); + + impKeReleaseGuardedMutex(GuardedMutex); +} + +VOID +ImpKeAcquireGuardedMutex(_In_ PKGUARDED_MUTEX GuardedMutex) +{ + pKeAcquireGuardedMutex impKeAcquireGuardedMutex = + (pKeAcquireGuardedMutex)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, KE_ACQUIRE_GUARDED_MUTEX_INDEX); + + impKeAcquireGuardedMutex(GuardedMutex); +} + +ULONG +ImpDbgPrintEx(_In_ ULONG ComponentId, _In_ ULONG Level, _In_ PCSTR Format, ...) +{ + pDbgPrintEx impDbgPrintEx = (pDbgPrintEx)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, DBG_PRINT_EX_INDEX); + + va_list args; + va_start(args, Format); + ULONG result = impDbgPrintEx(ComponentId, Level, Format, args); + va_end(args); + + return result; +} + +LONG +ImpRtlCompareUnicodeString(_In_ PCUNICODE_STRING String1, + _In_ PCUNICODE_STRING String2, + _In_ BOOLEAN CaseInSensitive) +{ + pRtlCompareUnicodeString impRtlCompareUnicodeString = + (pRtlCompareUnicodeString)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_COMPARE_UNICODE_STRING_INDEX); + + return impRtlCompareUnicodeString(String1, String2, CaseInSensitive); +} + +VOID +ImpRtlFreeUnicodeString(_In_ PUNICODE_STRING UnicodeString) +{ + pRtlFreeUnicodeString impRtlFreeUnicodeString = + (pRtlFreeUnicodeString)CryptDecryptImportsArrayEntry( + &driver_imports, IMPORTS_LENGTH, RTL_FREE_UNICODE_STRING_INDEX); + + impRtlFreeUnicodeString(UnicodeString); } \ No newline at end of file diff --git a/driver/imports.h b/driver/imports.h index d112e90..56e317d 100644 --- a/driver/imports.h +++ b/driver/imports.h @@ -434,8 +434,8 @@ void (*pKeInitializeAffinityEx)( typedef void (*pKeAddProcessorAffinityEx)( - PKAFFINITY_EX affinity, - INT num + PKAFFINITY_EX Affinity, + INT CoreNumber ); typedef @@ -542,175 +542,535 @@ void (*pRtlFreeUnicodeString)( // clang-format on +#define OB_DEREFERENCE_OBJECT_INDEX 0 +#define PS_LOOKUP_THREAD_BY_THREAD_ID_INDEX 1 +#define MM_IS_ADDRESS_VALID_INDEX 2 +#define PS_SET_CREATE_PROCESS_NOTIFY_ROUTINE_INDEX 3 + +#define PS_REMOVE_CREATE_THREAD_NOTIFY_ROUTINE_INDEX 4 +#define PS_GET_CURRENT_THREAD_ID_INDEX 5 +#define PS_GET_PROCESS_ID_INDEX 6 +#define PS_LOOKUP_PROCESS_BY_PROCESS_ID_INDEX 7 + +#define EX_ENUM_HANDLE_TABLE_INDEX 8 +#define OB_GET_OBJECT_TYPE_INDEX 9 +#define EXF_UNBLOCK_PUSH_LOCK_INDEX 10 +#define PS_GET_PROCESS_IMAGE_FILE_NAME_INDEX 11 + +#define STRSTR_INDEX 12 +#define RTL_INIT_UNICODE_STRING_INDEX 13 +#define RTL_QUERY_REGISTRY_VALUES_INDEX 14 +#define MM_GET_SYSTEM_ROUTINE_ADDRESS_INDEX 15 + +#define RTL_UNICODE_STRING_TO_ANSI_STRING_INDEX 16 +#define RTL_COPY_UNICODE_STRING_INDEX 17 +#define RTL_FREE_ANSI_STRING_INDEX 18 +#define KE_INITIALIZE_GUARDED_MUTEX_INDEX 19 + +#define IO_CREATE_DEVICE_INDEX 20 +#define IO_CREATE_SYMBOLIC_LINK_INDEX 21 +#define IO_DELETE_DEVICE_INDEX 22 +#define IO_DELETE_SYMBOLIC_LINK_INDEX 23 + +#define OB_REGISTER_CALLBACKS_INDEX 24 +#define OB_UNREGISTER_CALLBACKS_INDEX 25 +#define PS_SET_CREATE_THREAD_NOTIFY_ROUTINE_INDEX 26 +#define KE_REVERT_TO_USER_AFFINITY_THREAD_EX_INDEX 27 + +#define KE_SET_SYSTEM_AFFINITY_THREAD_EX_INDEX 28 +#define STRNLEN_INDEX 29 +#define RTL_INIT_ANSI_STRING_INDEX 30 +#define RTL_ANSI_STRING_TO_UNICODE_STRING_INDEX 31 + +#define IO_GET_CURRENT_PROCESS_INDEX 32 +#define RTL_GET_VERSION_INDEX 33 +#define RTL_COMPARE_MEMORY_INDEX 34 +#define EX_GET_SYSTEM_FIRMWARE_TABLE_INDEX 35 + +#define IO_ALLOCATE_WORK_ITEM_INDEX 36 +#define IO_FREE_WORK_ITEM_INDEX 37 +#define IO_QUEUE_WORK_ITEM_INDEX 38 +#define ZW_OPEN_FILE_INDEX 39 + +#define ZW_CLOSE_INDEX 40 +#define ZW_CREATE_SECTION_INDEX 41 +#define ZW_MAP_VIEW_OF_SECTION_INDEX 42 +#define ZW_UNMAP_VIEW_OF_SECTION_INDEX 43 + +#define MM_COPY_MEMORY_INDEX 44 +#define ZW_DEVICE_IO_CONTROL_FILE_INDEX 45 +#define KE_STACK_ATTACH_PROCESS_INDEX 46 +#define KE_UNSTACK_DETACH_PROCESS_INDEX 47 + +#define KE_WAIT_FOR_SINGLE_OBJECT_INDEX 48 +#define PS_CREATE_SYSTEM_THREAD_INDEX 49 +#define IOF_COMPLETE_REQUEST_INDEX 50 +#define OB_REFERENCE_OBJECT_BY_HANDLE_INDEX 51 + +#define KE_DELAY_EXECUTION_THREAD_INDEX 52 +#define KE_REGISTER_NMI_CALLBACK_INDEX 53 +#define KE_DEREGISTER_NMI_CALLBACK_INDEX 54 +#define KE_QUERY_ACTIVE_PROCESSOR_COUNT_INDEX 55 + +#define EX_ACQUIRE_PUSH_LOCK_EXCLUSIVE_EX_INDEX 56 +#define EX_RELEASE_PUSH_LOCK_EXCLUSIVE_EX_INDEX 57 +#define PS_GET_THREAD_ID_INDEX 58 +#define RTL_CAPTURE_STACK_BACK_TRACE_INDEX 59 + +#define ZW_OPEN_DIRECTORY_OBJECT_INDEX 60 +#define KE_INITIALIZE_AFFINITY_EX_INDEX 61 +#define KE_ADD_PROCESSOR_AFFINITY_EX_INDEX 62 +#define RTL_QUERY_MODULE_INFORMATION_INDEX 63 + +#define KE_INITIALIZE_APC_INDEX 64 +#define KE_INSERT_QUEUE_APC_INDEX 65 +#define KE_GENERIC_CALL_DPC_INDEX 66 +#define KE_SIGNAL_CALL_DPC_DONE_INDEX 67 + +#define MM_GET_PHYSICAL_MEMORY_RANGES_EX2_INDEX 68 +#define MM_GET_VIRTUAL_FOR_PHYSICAL_INDEX 69 +#define OBF_REFERENCE_OBJECT_INDEX 70 +#define EX_FREE_POOL_WITH_TAG_INDEX 71 + +#define EX_ALLOCATE_POOL2_INDEX 72 +#define KE_RELEASE_GUARDED_MUTEX_INDEX 73 +#define KE_ACQUIRE_GUARDED_MUTEX_INDEX 74 +#define DBG_PRINT_EX_INDEX 75 + +#define RTL_COMPARE_UNICODE_STRING_INDEX 76 +#define RTL_FREE_UNICODE_STRING_INDEX 77 +#define PS_GET_PROCESS_IMAGE_FILE_NAME_INDEX 78 + typedef struct _DRIVER_IMPORTS { - pObDereferenceObject DrvImpObDereferenceObject; - pIoGetCurrentIrpStackLocation DrvImpIoGetCurrentIrpStackLocation; - pPsLookupThreadByThreadId DrvImpPsLookupThreadByThreadId; - pMmIsAddressValid DrvImpMmIsAddressValid; - pPsSetCreateProcessNotifyRoutine DrvImpPsSetCreateProcessNotifyRoutine; + pObDereferenceObject DrvImpObDereferenceObject; + pPsLookupThreadByThreadId DrvImpPsLookupThreadByThreadId; + pMmIsAddressValid DrvImpMmIsAddressValid; + pPsSetCreateProcessNotifyRoutine DrvImpPsSetCreateProcessNotifyRoutine; + pPsRemoveCreateThreadNotifyRoutine DrvImpPsRemoveCreateThreadNotifyRoutine; pPsGetCurrentThreadId DrvImpPsGetCurrentThreadId; pPsGetProcessId DrvImpPsGetProcessId; pPsLookupProcessByProcessId DrvImpPsLookupProcessByProcessId; - pExEnumHandleTable DrvImpExEnumHandleTable; - pObGetObjectType DrvImpObGetObjectType; - pExfUnblockPushLock DrvImpExfUnblockPushLock; - pPsGetProcessImageFileName DrvImpPsGetProcessImage; - pstrstr DrvImpstrstr; - pRtlInitUnicodeString DrvImpRtlInitUnicodeString; - pRtlQueryRegistryValues DrvImpRtlQueryRegistryValues; - pMmGetSystemRoutineAddress DrvImpMmGetSystemRoutineAddress; - pRtlUnicodeStringToAnsiString DrvImpRtlUnicodeStringToAnsiString; - pRtlCopyUnicodeString DrvImpRtlCopyUnicodeString; - pRtlFreeAnsiString DrvImpRtlFreeAnsiString; - pKeInitializeGuardedMutex DrvImpKeInitializeGuardedMutex; - pIoCreateDevice DrvImpIoCreateDevice; - pIoCreateSymbolicLink DrvImpIoCreateSymbolicLink; - pIoDeleteDevice DrvImpIoDeleteDevice; - pIoDeleteSymbolicLink DrvImpIoDeleteSymbolicLink; - pObRegisterCallbacks DrvImpObRegisterCallbacks; - pObUnRegisterCallbacks DrvImpObUnRegisterCallbacks; - pPsSetCreateThreadNotifyRoutine DrvImpPsSetCreateThreadNotifyRoutine; - pKeRevertToUserAffinityThreadEx DrvImpKeRevertToUserAffinityThreadEx; - pKeSetSystemAffinityThreadEx DrvImpKeSetSystemAffinityThreadEx; - pstrnlen DrvImpstrnlen; - pRtlInitAnsiString DrvImpRtlInitAnsiString; - pRtlAnsiStringToUnicodeString DrvImpRtlAnsiStringToUnicodeString; - pIoGetCurrentProcess DrvImpIoGetCurrentProcess; - pRtlGetVersion DrvImpRtlGetVersion; - pRtlCompareMemory DrvImpRtlCompareMemory; - pExGetSystemFirmwareTable DrvImpExGetSystemFirmwareTable; - pIoAllocateWorkItem DrvImpIoAllocateWorkItem; - pIoFreeWorkItem DrvImpIoFreeWorkItem; - pIoQueueWorkItem DrvImpIoQueueWorkItem; - pZwOpenFile DrvImpZwOpenFile; - pZwClose DrvImpZwClose; - pZwCreateSection DrvImpZwCreateSection; - pZwMapViewOfSection DrvImpZwMapViewOfSection; - pZwUnmapViewOfSection DrvImpZwUnmapViewOfSection; - pMmCopyMemory DrvImpMmCopyMemory; - pZwDeviceIoControlFile DrvImpZwDeviceIoControlFile; - pKeStackAttachProcess DrvImpKeStackAttachProcess; - pKeUnstackDetachProcess DrvImpKeUnstackDetachProcess; - pKeWaitForSingleObject DrvImpKeWaitForSingleObject; - pPsCreateSystemThread DrvImpPsCreateSystemThread; - pIofCompleteRequest DrvImpIofCompleteRequest; - pObReferenceObjectByHandle DrvImpObReferenceObjectByHandle; - pKeDelayExecutionThread DrvImpKeDelayExecutionThread; - pKeRegisterNmiCallback DrvImpKeRegisterNmiCallback; - pKeDeregisterNmiCallback DrvImpKeDeregisterNmiCallback; - pKeQueryActiveProcessorCount DrvImpKeQueryActiveProcessorCount; - pExAcquirePushLockExclusiveEx DrvImpExAcquirePushLockExclusiveEx; - pExReleasePushLockExclusiveEx DrvImpExReleasePushLockExclusiveEx; - pPsGetThreadId DrvImpPsGetThreadId; - pRtlCaptureStackBackTrace DrvImpRtlCaptureStackBackTrace; - pZwOpenDirectoryObject DrvImpZwOpenDirectoryObject; - pKeInitializeAffinityEx DrvImpKeInitializeAffinityEx; - pKeAddProcessorAffinityEx DrvImpKeAddProcessorAffinityEx; - pRtlQueryModuleInformation DrvImpRtlQueryModuleInformation; - pKeInitializeApc DrvImpKeInitializeApc; - pKeInsertQueueApc DrvImpKeInsertQueueApc; - pKeGenericCallDpc DrvImpKeGenericCallDpc; - pKeSignalCallDpcDone DrvImpKeSignalCallDpcDone; - pMmGetPhysicalMemoryRangesEx2 DrvImpMmGetPhysicalMemoryRangesEx2; - pMmGetVirtualForPhysical DrvImpMmGetVirtualForPhysical; - pObfReferenceObject DrvImpObfReferenceObject; - pExFreePoolWithTag DrvImpExFreePoolWithTag; - pExAllocatePool2 DrvImpExAllocatePool2; - pKeReleaseGuardedMutex DrvImpKeReleaseGuardedMutex; - pKeAcquireGuardedMutex DrvImpKeAcquireGuardedMutex; - pDbgPrintEx DrvImpDbgPrintEx; - pRtlCompareUnicodeString DrvImpRtlCompareUnicodeString; - pRtlFreeUnicodeString DrvImpRtlFreeUnicodeString; - pPsGetProcessImageFileName DrvImpPsGetProcessImageFileName; + + pExEnumHandleTable DrvImpExEnumHandleTable; + pObGetObjectType DrvImpObGetObjectType; + pExfUnblockPushLock DrvImpExfUnblockPushLock; + pPsGetProcessImageFileName DrvImpPsGetProcessImage; + + pstrstr DrvImpstrstr; + pRtlInitUnicodeString DrvImpRtlInitUnicodeString; + pRtlQueryRegistryValues DrvImpRtlQueryRegistryValues; + pMmGetSystemRoutineAddress DrvImpMmGetSystemRoutineAddress; + + pRtlUnicodeStringToAnsiString DrvImpRtlUnicodeStringToAnsiString; + pRtlCopyUnicodeString DrvImpRtlCopyUnicodeString; + pRtlFreeAnsiString DrvImpRtlFreeAnsiString; + pKeInitializeGuardedMutex DrvImpKeInitializeGuardedMutex; + + pIoCreateDevice DrvImpIoCreateDevice; + pIoCreateSymbolicLink DrvImpIoCreateSymbolicLink; + pIoDeleteDevice DrvImpIoDeleteDevice; + pIoDeleteSymbolicLink DrvImpIoDeleteSymbolicLink; + + pObRegisterCallbacks DrvImpObRegisterCallbacks; + pObUnRegisterCallbacks DrvImpObUnRegisterCallbacks; + pPsSetCreateThreadNotifyRoutine DrvImpPsSetCreateThreadNotifyRoutine; + pKeRevertToUserAffinityThreadEx DrvImpKeRevertToUserAffinityThreadEx; + + pKeSetSystemAffinityThreadEx DrvImpKeSetSystemAffinityThreadEx; + pstrnlen DrvImpstrnlen; + pRtlInitAnsiString DrvImpRtlInitAnsiString; + pRtlAnsiStringToUnicodeString DrvImpRtlAnsiStringToUnicodeString; + + pIoGetCurrentProcess DrvImpIoGetCurrentProcess; + pRtlGetVersion DrvImpRtlGetVersion; + pRtlCompareMemory DrvImpRtlCompareMemory; + pExGetSystemFirmwareTable DrvImpExGetSystemFirmwareTable; + + pIoAllocateWorkItem DrvImpIoAllocateWorkItem; + pIoFreeWorkItem DrvImpIoFreeWorkItem; + pIoQueueWorkItem DrvImpIoQueueWorkItem; + pZwOpenFile DrvImpZwOpenFile; + + pZwClose DrvImpZwClose; + pZwCreateSection DrvImpZwCreateSection; + pZwMapViewOfSection DrvImpZwMapViewOfSection; + pZwUnmapViewOfSection DrvImpZwUnmapViewOfSection; + + pMmCopyMemory DrvImpMmCopyMemory; + pZwDeviceIoControlFile DrvImpZwDeviceIoControlFile; + pKeStackAttachProcess DrvImpKeStackAttachProcess; + pKeUnstackDetachProcess DrvImpKeUnstackDetachProcess; + + pKeWaitForSingleObject DrvImpKeWaitForSingleObject; + pPsCreateSystemThread DrvImpPsCreateSystemThread; + pIofCompleteRequest DrvImpIofCompleteRequest; + pObReferenceObjectByHandle DrvImpObReferenceObjectByHandle; + + pKeDelayExecutionThread DrvImpKeDelayExecutionThread; + pKeRegisterNmiCallback DrvImpKeRegisterNmiCallback; + pKeDeregisterNmiCallback DrvImpKeDeregisterNmiCallback; + pKeQueryActiveProcessorCount DrvImpKeQueryActiveProcessorCount; + + pExAcquirePushLockExclusiveEx DrvImpExAcquirePushLockExclusiveEx; + pExReleasePushLockExclusiveEx DrvImpExReleasePushLockExclusiveEx; + pPsGetThreadId DrvImpPsGetThreadId; + pRtlCaptureStackBackTrace DrvImpRtlCaptureStackBackTrace; + + pZwOpenDirectoryObject DrvImpZwOpenDirectoryObject; + pKeInitializeAffinityEx DrvImpKeInitializeAffinityEx; + pKeAddProcessorAffinityEx DrvImpKeAddProcessorAffinityEx; + pRtlQueryModuleInformation DrvImpRtlQueryModuleInformation; + + pKeInitializeApc DrvImpKeInitializeApc; + pKeInsertQueueApc DrvImpKeInsertQueueApc; + pKeGenericCallDpc DrvImpKeGenericCallDpc; + pKeSignalCallDpcDone DrvImpKeSignalCallDpcDone; + + pMmGetPhysicalMemoryRangesEx2 DrvImpMmGetPhysicalMemoryRangesEx2; + pMmGetVirtualForPhysical DrvImpMmGetVirtualForPhysical; + pObfReferenceObject DrvImpObfReferenceObject; + pExFreePoolWithTag DrvImpExFreePoolWithTag; + + pExAllocatePool2 DrvImpExAllocatePool2; + pKeReleaseGuardedMutex DrvImpKeReleaseGuardedMutex; + pKeAcquireGuardedMutex DrvImpKeAcquireGuardedMutex; + pDbgPrintEx DrvImpDbgPrintEx; + + pRtlCompareUnicodeString DrvImpRtlCompareUnicodeString; + pRtlFreeUnicodeString DrvImpRtlFreeUnicodeString; + pPsGetProcessImageFileName DrvImpPsGetProcessImageFileName; + UINT64 dummy; + } DRIVER_IMPORTS, *PDRIVER_IMPORTS; -extern DRIVER_IMPORTS driver_imports; +#define IMPORTS_LENGTH sizeof(DRIVER_IMPORTS) / sizeof(UINT64) -#define DRVIMPORTS driver_imports +VOID +ImpObDereferenceObject(_In_ PVOID Object); -#define ImpIoGetCurrentIrpStackLocation DRVIMPORTS.DrvImpIoGetCurrentIrpStackLocation -#define ImpObDereferenceObject DRVIMPORTS.DrvImpObDereferenceObject -#define ImpPsLookupThreadByThreadId DRVIMPORTS.DrvImpPsLookupThreadByThreadId -#define ImpMmIsAddressValid DRVIMPORTS.DrvImpMmIsAddressValid -#define ImpPsSetCreateProcessNotifyRoutine DRVIMPORTS.DrvImpPsSetCreateProcessNotifyRoutine -#define ImpPsRemoveCreateThreadNotifyRoutine DRVIMPORTS.DrvImpPsRemoveCreateThreadNotifyRoutine -#define ImpPsGetCurrentThreadId DRVIMPORTS.DrvImpPsGetCurrentThreadId -#define ImpPsGetProcessId DRVIMPORTS.DrvImpPsGetProcessId -#define ImpPsLookupProcessByProcessId DRVIMPORTS.DrvImpPsLookupProcessByProcessId -#define ImpExEnumHandleTable DRVIMPORTS.DrvImpExEnumHandleTable -#define ImpObGetObjectType DRVIMPORTS.DrvImpObGetObjectType -#define ImpExfUnblockPushLock DRVIMPORTS.DrvImpExfUnblockPushLock -#define ImpPsGetProcessImageFileName DRVIMPORTS.DrvImpPsGetProcessImageFileName -#define Impstrstr DRVIMPORTS.DrvImpstrstr -#define ImpRtlInitUnicodeString DRVIMPORTS.DrvImpRtlInitUnicodeString -#define ImpRtlQueryRegistryValues DRVIMPORTS.DrvImpRtlQueryRegistryValues -#define ImpMmGetSystemRoutineAddress DRVIMPORTS.DrvImpMmGetSystemRoutineAddress -#define ImpRtlUnicodeStringToAnsiString DRVIMPORTS.DrvImpRtlUnicodeStringToAnsiString -#define ImpRtlCopyUnicodeString DRVIMPORTS.DrvImpRtlCopyUnicodeString -#define ImpRtlFreeAnsiString DRVIMPORTS.DrvImpRtlFreeAnsiString -#define ImpKeInitializeGuardedMutex DRVIMPORTS.DrvImpKeInitializeGuardedMutex -#define ImpIoCreateDevice DRVIMPORTS.DrvImpIoCreateDevice -#define ImpIoCreateSymbolicLink DRVIMPORTS.DrvImpIoCreateSymbolicLink -#define ImpIoDeleteDevice DRVIMPORTS.DrvImpIoDeleteDevice -#define ImpIoDeleteSymbolicLink DRVIMPORTS.DrvImpIoDeleteSymbolicLink -#define ImpObRegisterCallbacks DRVIMPORTS.DrvImpObRegisterCallbacks -#define ImpObUnRegisterCallbacks DRVIMPORTS.DrvImpObUnRegisterCallbacks -#define ImpPsSetCreateThreadNotifyRoutine DRVIMPORTS.DrvImpPsSetCreateThreadNotifyRoutine -#define ImpPsProcessType DRVIMPORTS.DrvImpPsProcessType -#define ImpKeRevertToUserAffinityThreadEx DRVIMPORTS.DrvImpKeRevertToUserAffinityThreadEx -#define ImpKeSetSystemAffinityThreadEx DRVIMPORTS.DrvImpKeSetSystemAffinityThreadEx -#define Impstrnlen DRVIMPORTS.DrvImpstrnlen -#define ImpRtlInitAnsiString DRVIMPORTS.DrvImpRtlInitAnsiString -#define ImpRtlAnsiStringToUnicodeString DRVIMPORTS.DrvImpRtlAnsiStringToUnicodeString -#define ImpIoGetCurrentProcess DRVIMPORTS.DrvImpIoGetCurrentProcess -#define ImpRtlGetVersion DRVIMPORTS.DrvImpRtlGetVersion -#define ImpRtlCompareMemory DRVIMPORTS.DrvImpRtlCompareMemory -#define ImpExGetSystemFirmwareTable DRVIMPORTS.DrvImpExGetSystemFirmwareTable -#define ImpIoAllocateWorkItem DRVIMPORTS.DrvImpIoAllocateWorkItem -#define ImpIoFreeWorkItem DRVIMPORTS.DrvImpIoFreeWorkItem -#define ImpIoQueueWorkItem DRVIMPORTS.DrvImpIoQueueWorkItem -#define ImpZwOpenFile DRVIMPORTS.DrvImpZwOpenFile -#define ImpZwClose DRVIMPORTS.DrvImpZwClose -#define ImpZwCreateSection DRVIMPORTS.DrvImpZwCreateSection -#define ImpZwMapViewOfSection DRVIMPORTS.DrvImpZwMapViewOfSection -#define ImpZwUnmapViewOfSection DRVIMPORTS.DrvImpZwUnmapViewOfSection -#define ImpMmCopyMemory DRVIMPORTS.DrvImpMmCopyMemory -#define ImpZwDeviceIoControlFile DRVIMPORTS.DrvImpZwDeviceIoControlFile -#define ImpKeStackAttachProcess DRVIMPORTS.DrvImpKeStackAttachProcess -#define ImpKeUnstackDetachProcess DRVIMPORTS.DrvImpKeUnstackDetachProcess -#define ImpKeWaitForSingleObject DRVIMPORTS.DrvImpKeWaitForSingleObject -#define ImpPsCreateSystemThread DRVIMPORTS.DrvImpPsCreateSystemThread -#define ImpIofCompleteRequest DRVIMPORTS.DrvImpIofCompleteRequest -#define ImpObReferenceObjectByHandle DRVIMPORTS.DrvImpObReferenceObjectByHandle -#define ImpPsThreadType DRVIMPORTS.DrvImpPsThreadType -#define ImpKeDelayExecutionThread DRVIMPORTS.DrvImpKeDelayExecutionThread -#define ImpKeRegisterNmiCallback DRVIMPORTS.DrvImpKeRegisterNmiCallback -#define ImpKeDeregisterNmiCallback DRVIMPORTS.DrvImpKeDeregisterNmiCallback -#define ImpKeQueryActiveProcessorCount DRVIMPORTS.DrvImpKeQueryActiveProcessorCount -#define ImpExAcquirePushLockExclusiveEx DRVIMPORTS.DrvImpExAcquirePushLockExclusiveEx -#define ImpExReleasePushLockExclusiveEx DRVIMPORTS.DrvImpExReleasePushLockExclusiveEx -#define ImpPsGetThreadId DRVIMPORTS.DrvImpPsGetThreadId -#define ImpRtlCaptureStackBackTrace DRVIMPORTS.DrvImpRtlCaptureStackBackTrace -#define ImpZwOpenDirectoryObject DRVIMPORTS.DrvImpZwOpenDirectoryObject -#define ImpKeInitializeAffinityEx DRVIMPORTS.DrvImpKeInitializeAffinityEx -#define ImpKeAddProcessorAffinityEx DRVIMPORTS.DrvImpKeAddProcessorAffinityEx -#define ImpRtlQueryModuleInformation DRVIMPORTS.DrvImpRtlQueryModuleInformation -#define ImpKeInitializeApc DRVIMPORTS.DrvImpKeInitializeApc -#define ImpKeInsertQueueApc DRVIMPORTS.DrvImpKeInsertQueueApc -#define ImpKeGenericCallDpc DRVIMPORTS.DrvImpKeGenericCallDpc -#define ImpKeSignalCallDpcDone DRVIMPORTS.DrvImpKeSignalCallDpcDone -#define ImpMmGetPhysicalMemoryRangesEx2 DRVIMPORTS.DrvImpMmGetPhysicalMemoryRangesEx2 -#define ImpMmGetVirtualForPhysical DRVIMPORTS.DrvImpMmGetVirtualForPhysical -#define ImpObfReferenceObject DRVIMPORTS.DrvImpObfReferenceObject -#define ImpExFreePoolWithTag DRVIMPORTS.DrvImpExFreePoolWithTag -#define ImpExAllocatePool2 DRVIMPORTS.DrvImpExAllocatePool2 -#define ImpKeReleaseGuardedMutex DRVIMPORTS.DrvImpKeReleaseGuardedMutex -#define ImpKeAcquireGuardedMutex DRVIMPORTS.DrvImpKeAcquireGuardedMutex -#define ImpDbgPrintEx DRVIMPORTS.DrvImpDbgPrintEx -#define ImpRtlCompareUnicodeString DRVIMPORTS.DrvImpRtlCompareUnicodeString -#define ImpRtlFreeUnicodeString DRVIMPORTS.DrvImpRtlFreeUnicodeString -#define ImpPsGetProcessImageFileName DRVIMPORTS.DrvImpPsGetProcessImageFileName +NTSTATUS +ImpPsLookupThreadByThreadId(HANDLE ThreadId, PETHREAD* Thread); + +BOOLEAN +ImpMmIsAddressValid(_In_ PVOID VirtualAddress); + +NTSTATUS +ImpPsSetCreateProcessNotifyRoutine(PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, BOOLEAN Remove); + +NTSTATUS +ImpPsRemoveCreateThreadNotifyRoutine(PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine); + +HANDLE +ImpPsGetCurrentThreadId(); + +HANDLE +ImpPsGetProcessId(PEPROCESS Process); + +NTSTATUS +ImpPsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS* Process); + +PVOID +ImpExEnumHandleTable(_In_ PHANDLE_TABLE HandleTable, + _In_ PVOID Callback, + _In_opt_ PVOID Context, + _Out_opt_ PHANDLE Handle); + +POBJECT_TYPE +ImpObGetObjectType(_In_ PVOID Object); + +VOID +ImpExfUnblockPushLock(_In_ PEX_PUSH_LOCK PushLock, _In_ PVOID WaitBlock); + +LPCSTR +ImpPsGetProcessImageFileName(PEPROCESS Process); + +INT +ImpStrStr(_In_ CHAR* haystack, _In_ CHAR* needle); + +void +ImpRtlInitUnicodeString(PUNICODE_STRING DestinationString, PCWSTR SourceString); + +NTSTATUS +ImpRtlQueryRegistryValues(ULONG RelativeTo, + PCWSTR Path, + PRTL_QUERY_REGISTRY_TABLE QueryTable, + void* Context, + void* Environment); + +void* +ImpMmGetSystemRoutineAddress(PUNICODE_STRING SystemRoutineName); + +NTSTATUS +ImpRtlUnicodeStringToAnsiString(PANSI_STRING DestinationString, + PCUNICODE_STRING SourceString, + BOOLEAN AllocateDestinationString); + +void +ImpRtlCopyUnicodeString(PUNICODE_STRING DestinationString, PCUNICODE_STRING SourceString); + +void +ImpRtlFreeAnsiString(PANSI_STRING AnsiString); + +void +ImpKeInitializeGuardedMutex(PKGUARDED_MUTEX GuardedMutex); + +NTSTATUS +ImpIoCreateDevice(PDRIVER_OBJECT DriverObject, + ULONG DeviceExtensionSize, + PUNICODE_STRING DeviceName, + DEVICE_TYPE DeviceType, + ULONG DeviceCharacteristics, + BOOLEAN Exclusive, + PDEVICE_OBJECT* DeviceObject); + +NTSTATUS +ImpIoCreateSymbolicLink(PUNICODE_STRING SymbolicLinkName, PUNICODE_STRING DeviceName); + +void +ImpIoDeleteDevice(PDEVICE_OBJECT DeviceObject); + +void +ImpIoDeleteSymbolicLink(PUNICODE_STRING SymbolicLinkName); + +NTSTATUS +ImpObRegisterCallbacks(_In_ POB_CALLBACK_REGISTRATION CallbackRegistration, + _Out_ PVOID* RegistrationHandle); + +VOID +ImpObUnRegisterCallbacks(_In_ PVOID RegistrationHandle); + +NTSTATUS +ImpPsSetCreateThreadNotifyRoutine(PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine); + +void +ImpKeRevertToUserAffinityThreadEx(KAFFINITY Affinity); + +KAFFINITY +ImpKeSetSystemAffinityThreadEx(KAFFINITY Affinity); + +SIZE_T +ImpStrnlen(_In_ CHAR* str, _In_ SIZE_T maxCount); + +void +ImpRtlInitAnsiString(PANSI_STRING DestinationString, PCSZ SourceString); + +NTSTATUS +ImpRtlAnsiStringToUnicodeString(PUNICODE_STRING DestinationString, + PCANSI_STRING SourceString, + BOOLEAN AllocateDestinationString); + +PEPROCESS +ImpIoGetCurrentProcess(void); + +NTSTATUS +ImpRtlGetVersion(PRTL_OSVERSIONINFOW lpVersionInformation); + +SIZE_T +ImpRtlCompareMemory(_In_ PVOID Source1, _In_ PVOID Source2, _In_ SIZE_T Length); + +NTSTATUS +ImpExGetSystemFirmwareTable(_In_ ULONG FirmwareTableProviderSignature, + _In_ ULONG FirmwareTableID, + _In_ PVOID pFirmwareTableBuffer, + _In_ ULONG BufferLength, + _Out_ PULONG ReturnLength); + +PIO_WORKITEM +ImpIoAllocateWorkItem(PDEVICE_OBJECT DeviceObject); + +void +ImpIoFreeWorkItem(PIO_WORKITEM WorkItem); + +VOID +ImpIoQueueWorkItem(_In_ PIO_WORKITEM IoWorkItem, + _In_ PIO_WORKITEM_ROUTINE WorkerRoutine, + _In_ WORK_QUEUE_TYPE QueueType, + _In_opt_ PVOID Context); + +NTSTATUS +ImpZwOpenFile(PHANDLE FileHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes, + PIO_STATUS_BLOCK IoStatusBlock, + ULONG ShareAccess, + ULONG OpenOptions); + +NTSTATUS +ImpZwClose(HANDLE Handle); + +NTSTATUS +ImpZwCreateSection(PHANDLE SectionHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes, + PLARGE_INTEGER MaximumSize, + ULONG SectionPageProtection, + ULONG AllocationAttributes, + HANDLE FileHandle); + +NTSTATUS +ImpZwMapViewOfSection(_In_ HANDLE SectionHandle, + _In_ HANDLE ProcessHandle, + _Inout_ PVOID* BaseAddress, + _In_ ULONG_PTR ZeroBits, + _In_ SIZE_T CommitSize, + _Inout_opt_ PLARGE_INTEGER SectionOffset, + _Inout_ PSIZE_T ViewSize, + _In_ SECTION_INHERIT InheritDisposition, + _In_ ULONG AllocationType, + _In_ ULONG Win32Protect); + +NTSTATUS +ImpZwUnmapViewOfSection(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress); + +NTSTATUS +ImpMmCopyMemory(PVOID TargetAddress, + MM_COPY_ADDRESS SourceAddress, + SIZE_T NumberOfBytes, + ULONG Flags, + PSIZE_T NumberOfBytesTransferred); + +NTSTATUS +ImpZwDeviceIoControlFile(_In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _In_ ULONG IoControlCode, + _In_opt_ PVOID InputBuffer, + _In_ ULONG InputBufferLength, + _Out_opt_ PVOID OutputBuffer, + _In_ ULONG OutputBufferLength); + +void +ImpKeStackAttachProcess(PRKPROCESS Process, PKAPC_STATE ApcState); + +void +ImpKeUnstackDetachProcess(PKAPC_STATE ApcState); + +NTSTATUS +ImpKeWaitForSingleObject(_In_ PVOID Object, + _In_ KWAIT_REASON WaitReason, + _In_ KPROCESSOR_MODE WaitMode, + _In_ BOOLEAN Alertable, + _In_ PLARGE_INTEGER Timeout); + +NTSTATUS +ImpPsCreateSystemThread(_Out_ PHANDLE ThreadHandle, + _In_ ULONG DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ HANDLE ProcessHandle, + _Out_opt_ PCLIENT_ID ClientId, + _In_ PKSTART_ROUTINE StartRoutine, + _In_opt_ PVOID StartContext); + +void +ImpIofCompleteRequest(PIRP Irp, CCHAR PriorityBoost); + +NTSTATUS +ImpObReferenceObjectByHandle(_In_ HANDLE Handle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_TYPE ObjectType, + _In_ KPROCESSOR_MODE AccessMode, + _Out_ PVOID* Object, + _Out_opt_ POBJECT_HANDLE_INFORMATION HandleInformation); + +NTSTATUS +ImpKeDelayExecutionThread(KPROCESSOR_MODE WaitMode, BOOLEAN Alertable, PLARGE_INTEGER Interval); + +PVOID +ImpKeRegisterNmiCallback(_In_ PVOID CallbackRoutine, _In_opt_ PVOID Context); + +NTSTATUS +ImpKeDeregisterNmiCallback(_In_ PVOID Handle); + +ULONG +ImpKeQueryActiveProcessorCount(PKAFFINITY ActiveProcessors); + +void +ImpExAcquirePushLockExclusiveEx(PEX_PUSH_LOCK PushLock, ULONG Flags); + +void +ImpExReleasePushLockExclusiveEx(PEX_PUSH_LOCK PushLock, ULONG Flags); + +HANDLE +ImpPsGetThreadId(PETHREAD Thread); + +USHORT +ImpRtlCaptureStackBackTrace(_In_ ULONG FramesToSkip, + _In_ ULONG FramesToCapture, + _Out_ PVOID* BackTrace, + _Out_opt_ PULONG BackTraceHash); + +NTSTATUS +ImpZwOpenDirectoryObject(PHANDLE DirectoryHandle, + ACCESS_MASK DesiredAccess, + POBJECT_ATTRIBUTES ObjectAttributes); + +void +ImpKeInitializeAffinityEx(PKAFFINITY_EX AffinityMask); + +VOID +ImpKeAddProcessorAffinityEx(_In_ PKAFFINITY_EX affinity, _In_ INT num); + +NTSTATUS +ImpRtlQueryModuleInformation(_Inout_ ULONG* InformationLength, + _In_ ULONG SizePerModule, + _In_ PVOID InformationBuffer); + +VOID +ImpKeInitializeApc(_In_ PKAPC Apc, + _In_ PKTHREAD Thread, + _In_ KAPC_ENVIRONMENT Environment, + _In_ PKKERNEL_ROUTINE KernelRoutine, + _In_ PKRUNDOWN_ROUTINE RundownRoutine, + _In_ PKNORMAL_ROUTINE NormalRoutine, + _In_ KPROCESSOR_MODE ApcMode, + _In_ PVOID NormalContext); + +BOOLEAN +ImpKeInsertQueueApc(_In_ PKAPC Apc, + _In_ PVOID SystemArgument1, + _In_ PVOID SystemArgument2, + _In_ KPRIORITY Increment); + +VOID +ImpKeGenericCallDpc(_In_ PKDEFERRED_ROUTINE DpcRoutine, _In_ PVOID Context); + +VOID +ImpKeSignalCallDpcDone(_In_ PVOID SystemArgument1); + +PPHYSICAL_MEMORY_RANGE +ImpMmGetPhysicalMemoryRangesEx2(_In_ PVOID PartitionObject, _In_ ULONG Flags); + +void* +ImpMmGetVirtualForPhysical(_In_ PHYSICAL_ADDRESS PhysicalAddress); + +LONG_PTR +ImpObfReferenceObject(_In_ PVOID Object); + +VOID +ImpExFreePoolWithTag(_In_ PVOID P, _In_ ULONG Tag); + +void* +ImpExAllocatePool2(_In_ POOL_FLAGS Flags, _In_ SIZE_T NumberOfBytes, _In_ ULONG Tag); + +VOID +ImpKeReleaseGuardedMutex(_In_ PKGUARDED_MUTEX GuardedMutex); + +VOID +ImpKeAcquireGuardedMutex(_In_ PKGUARDED_MUTEX GuardedMutex); + +ULONG +ImpDbgPrintEx(_In_ ULONG ComponentId, _In_ ULONG Level, _In_ PCSTR Format, ...); + +LONG +ImpRtlCompareUnicodeString(_In_ PCUNICODE_STRING String1, + _In_ PCUNICODE_STRING String2, + _In_ BOOLEAN CaseInSensitive); + +VOID +ImpRtlFreeUnicodeString(_In_ PUNICODE_STRING UnicodeString); #endif \ No newline at end of file diff --git a/driver/io.c b/driver/io.c index 0a38773..6cc5952 100644 --- a/driver/io.c +++ b/driver/io.c @@ -270,11 +270,16 @@ IrpQueueFreeDeferredReports() PIRP_QUEUE_HEAD queue = GetIrpQueueHead(); PDEFERRED_REPORT report = NULL; + /* just in case... */ + KeAcquireGuardedMutex(&queue->reports.lock); + while (IrpQueueIsThereDeferredReport(queue)) { report = IrpQueueRemoveDeferredReport(queue); - ExFreePoolWithTag(report, REPORT_POOL_TAG); + IrpQueueFreeDeferredReport(report); } + + KeReleaseGuardedMutex(&queue->reports.lock); } NTSTATUS @@ -450,6 +455,9 @@ SharedMappingTerminate() { PSHARED_MAPPING mapping = GetSharedMappingConfig(); + if (!mapping->active) + return; + while (mapping->work_item_status) YieldProcessor(); diff --git a/driver/modules.c b/driver/modules.c index e7e76d8..be7c6da 100644 --- a/driver/modules.c +++ b/driver/modules.c @@ -1033,7 +1033,10 @@ HandleNmiIOCTL() NMI_CONTEXT_POOL); if (!nmi_context) + { + UnsetNmiInProgressFlag(); return STATUS_MEMORY_NOT_ALLOCATED; + } /* * We want to register and unregister our callback each time so it becomes harder @@ -1045,6 +1048,7 @@ HandleNmiIOCTL() { DEBUG_ERROR("KeRegisterNmiCallback failed with no status."); ImpExFreePoolWithTag(nmi_context, NMI_CONTEXT_POOL); + UnsetNmiInProgressFlag(); return STATUS_UNSUCCESSFUL; } @@ -1059,6 +1063,7 @@ HandleNmiIOCTL() ImpKeDeregisterNmiCallback(callback_handle); ImpExFreePoolWithTag(nmi_context, NMI_CONTEXT_POOL); DEBUG_ERROR("Error retriving system module information"); + UnsetNmiInProgressFlag(); return status; } @@ -1070,6 +1075,7 @@ HandleNmiIOCTL() ImpKeDeregisterNmiCallback(callback_handle); ImpExFreePoolWithTag(system_modules.address, SYSTEM_MODULES_POOL); ImpExFreePoolWithTag(nmi_context, NMI_CONTEXT_POOL); + UnsetNmiInProgressFlag(); return status; }