PLZ no CORRUPT :c

This commit is contained in:
lhodges1 2023-10-06 16:47:01 +11:00
parent 199f5fe742
commit 76d1cfee46
7 changed files with 145 additions and 102 deletions


@ -237,6 +237,17 @@ HandlePeriodicGlobalReportQueueQuery(
total_size += sizeof(APC_STACKWALK_REPORT);
break;
case REPORT_HIDDEN_SYSTEM_THREAD:
RtlCopyMemory(
(UINT64)report_buffer + sizeof(GLOBAL_REPORT_QUEUE_HEADER) + total_size,
report,
sizeof(HIDDEN_SYSTEM_THREAD_REPORT)
);
total_size += sizeof(HIDDEN_SYSTEM_THREAD_REPORT);
break;
}
/* QueuePop frees the node, but we still need to free the returned data */
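Review bot: The new REPORT_HIDDEN_SYSTEM_THREAD case copies sizeof(HIDDEN_SYSTEM_THREAD_REPORT) bytes to report_buffer + header + total_size with no check that the destination still has room, and the neighbouring APC_STACKWALK case visible here does the same; HandlePeriodicGlobalReportQueueQuery begins and ends outside the hunk, so a length check may exist before the loop, but nothing in the hunk bounds total_size. Since the commit is about corruption, consider guarding each copy with something like `if (sizeof(GLOBAL_REPORT_QUEUE_HEADER) + total_size + sizeof(HIDDEN_SYSTEM_THREAD_REPORT) > output_buffer_length) break;` before the RtlCopyMemory, where `output_buffer_length` is a placeholder for however the function learns the IOCTL's output length. The user-mode QueryReportQueue sizes its buffer as "largest report buffer * max reports"; if HIDDEN_SYSTEM_THREAD_REPORT is now the largest report, that size computation has to account for it as well.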


@ -92,12 +92,14 @@ ValidateKPCRBThreads(
for (LONG processor_index = 0; processor_index < KeQueryActiveProcessorCount(0); processor_index++)
{
old_affinity = KeSetSystemAffinityThreadEx((KAFFINITY)(1 << processor_index));
old_affinity = KeSetSystemAffinityThreadEx((KAFFINITY)(1ull << processor_index));
kpcr = __readmsr(IA32_GS_BASE);
kprcb = kpcr + KPRCB_OFFSET_FROM_GS_BASE;
context.current_kpcrb_thread = *(UINT64*)(kprcb + KPCRB_CURRENT_THREAD);
DEBUG_LOG("Current thread: %llx", context.current_kpcrb_thread);
if (!context.current_kpcrb_thread)
continue;
@ -108,26 +110,27 @@ ValidateKPCRBThreads(
if (context.current_kpcrb_thread == FALSE || context.thread_found_in_pspcidtable == FALSE)
{
Irp->IoStatus.Information = sizeof(HIDDEN_SYSTEM_THREAD_REPORT);
PHIDDEN_SYSTEM_THREAD_REPORT report =
ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(HIDDEN_SYSTEM_THREAD_REPORT), REPORT_POOL_TAG);
HIDDEN_SYSTEM_THREAD_REPORT report;
report.report_code = REPORT_HIDDEN_SYSTEM_THREAD;
report.found_in_kthreadlist = context.thread_found_in_kthreadlist;
report.found_in_pspcidtable = context.thread_found_in_pspcidtable;
report.thread_id = PsGetThreadId(context.current_kpcrb_thread);
report.thread_address = context.current_kpcrb_thread;
if (!report)
goto increment;
report->report_code = REPORT_HIDDEN_SYSTEM_THREAD;
report->found_in_kthreadlist = context.thread_found_in_kthreadlist;
report->found_in_pspcidtable = context.thread_found_in_pspcidtable;
report->thread_id = PsGetThreadId(context.current_kpcrb_thread);
report->thread_address = context.current_kpcrb_thread;
RtlCopyMemory(
report.thread,
report->thread,
context.current_kpcrb_thread,
sizeof(report.thread));
sizeof(report->thread));
RtlCopyMemory(
Irp->AssociatedIrp.SystemBuffer,
&report,
sizeof(HIDDEN_SYSTEM_THREAD_REPORT));
InsertReportToQueue(report);
}
increment:
KeRevertToUserAffinityThreadEx(old_affinity);
}
}
@ -167,13 +170,11 @@ DetectAttachedThreadsProcessCallback(
{
DEBUG_LOG("Program attached to notepad: %llx", (UINT64)current_thread);
PATTACH_PROCESS_REPORT report = ExAllocatePool2(
POOL_FLAG_NON_PAGED,
sizeof(ATTACH_PROCESS_REPORT),
REPORT_POOL_TAG);
PATTACH_PROCESS_REPORT report =
ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(ATTACH_PROCESS_REPORT), REPORT_POOL_TAG);
if (!report)
return;
goto increment;
report->report_code = REPORT_ILLEGAL_ATTACH_PROCESS;
report->thread_id = PsGetThreadId(current_thread);
@ -182,6 +183,7 @@ DetectAttachedThreadsProcessCallback(
InsertReportToQueue(report);
}
increment:
thread_list_entry = thread_list_entry->Flink;
}
}
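Review bot: In ValidateKPCRBThreads the `if (!context.current_kpcrb_thread) continue;` right after `KeSetSystemAffinityThreadEx` skips the `KeRevertToUserAffinityThreadEx(old_affinity);` at the bottom of the loop, so the thread stays pinned to that processor's affinity through the next iteration, and past the loop if the last processor hits that path; the rendering does not show whether that line is new or context, but the `goto increment;` path the commit adds in the same loop shows the intended shape. Replace the `continue` with `goto increment;` so the revert always runs. Separately, if `Irp->IoStatus.Information = sizeof(HIDDEN_SYSTEM_THREAD_REPORT);` survives on the new side now that nothing is written to `Irp->AssociatedIrp.SystemBuffer` (the user-mode caller added in this commit passes a NULL output buffer), it should become `Irp->IoStatus.Information = 0;`, because a buffered IOCTL completes by copying that many bytes back into the caller's output buffer.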


@ -178,6 +178,7 @@ VOID kernelmode::Driver::QueryReportQueue()
global::report_structures::ATTACH_PROCESS_REPORT attach_report;
global::report_structures::INVALID_PROCESS_ALLOCATION_REPORT allocation_report;
global::report_structures::APC_STACKWALK_REPORT apc_report;
global::report_structures::HIDDEN_SYSTEM_THREAD_REPORT hidden_report;
/* allocate enough for the largest report buffer * max reports */
buffer_size =
@ -234,6 +235,9 @@ VOID kernelmode::Driver::QueryReportQueue()
case REPORT_APC_STACKWALK:
ReportTypeFromReportQueue<global::report_structures::APC_STACKWALK_REPORT>( buffer, &total_size, &apc_report );
break;
case REPORT_HIDDEN_SYSTEM_THREAD:
ReportTypeFromReportQueue<global::report_structures::HIDDEN_SYSTEM_THREAD_REPORT>(buffer, &total_size, &hidden_report);
break;
default:
break;
}
@ -483,11 +487,6 @@ VOID kernelmode::Driver::ValidateKPRCBThreads()
LOG_ERROR( "failed to validate kpcrb threads with status %x", GetLastError() );
return;
}
if ( bytes_returned == NULL )
return;
this->report_interface->ServerSend( &report, bytes_returned, CLIENT_REQUEST_MODULE_INTEGRITY_CHECK );
}
VOID kernelmode::Driver::CheckForAttachedThreads()
@ -509,6 +508,25 @@ VOID kernelmode::Driver::CheckForAttachedThreads()
LOG_ERROR( "failed to check for attached threads %x", GetLastError() );
}
VOID kernelmode::Driver::CheckForHiddenThreads()
{
BOOLEAN status;
status = DeviceIoControl(
this->driver_handle,
IOCTL_VALIDATE_KPRCB_CURRENT_THREAD,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
);
if (status == NULL)
LOG_ERROR("failed to check for hidden threads %x", GetLastError());
}
VOID kernelmode::Driver::CheckDriverHeartbeat()
{
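Review bot: CheckForHiddenThreads passes NULL for both lpBytesReturned and lpOverlapped in the new DeviceIoControl call; the Win32 contract requires lpBytesReturned to be non-NULL when lpOverlapped is NULL, even when no output data is expected, so this call can fail with an invalid-parameter error before the request ever reaches the driver. Declare `DWORD bytes_returned = 0;` next to `status` and pass `&bytes_returned,` in place of the seventh NULL. `if (status == NULL)` also compares a BOOLEAN against a pointer constant; the removed ValidateKPRCBThreads lines used the same idiom, but `if (!status)` states the intent directly.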


@ -75,6 +75,7 @@ namespace kernelmode
VOID CheckForAttachedThreads();
VOID VerifyProcessLoadedModuleExecutableRegions();
VOID SendClientHardwareInformation();
VOID CheckForHiddenThreads();
BOOLEAN InitiateApcOperation( INT OperationId );
};


@ -65,3 +65,8 @@ VOID kernelmode::KManager::InitiateApcStackwalkOperation()
{
this->driver_interface->InitiateApcOperation( kernelmode::APC_OPERATION_IDS::operation_stackwalk );
}
VOID kernelmode::KManager::CheckForHiddenThreads()
{
this->thread_pool->QueueJob([this]() { this->driver_interface->CheckForHiddenThreads(); });
}
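Review bot: The job queued in KManager::CheckForHiddenThreads captures `this` and runs on the pool at some later time, but nothing in the hunk ties the job's lifetime to the KManager; in this commit's Init the KManager is a local destroyed when the loop exits while the pool is a shared_ptr that can outlive it, so a job still queued at that point would dereference a destroyed object. If the other QueueJob call sites share this pattern the hazard is pre-existing and deserves a comment above the call, e.g. `// NOTE: captures this; the KManager must outlive every job queued on thread_pool`; otherwise have the destructor wait for queued jobs, or hand the job a copy of driver_interface rather than `this` if that member is a shared_ptr (its type is not visible here).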


@ -29,6 +29,7 @@ namespace kernelmode
VOID ValidateProcessModules();
VOID SendClientHardwareInformation();
VOID InitiateApcStackwalkOperation();
VOID CheckForHiddenThreads();
};
}


@ -13,104 +13,109 @@
DWORD WINAPI Init(HINSTANCE hinstDLL)
{
AllocConsole();
FILE* file;
freopen_s( &file, "CONOUT$", "w", stdout );
freopen_s( &file, "CONIN$", "r", stdin );
AllocConsole();
FILE* file;
freopen_s(&file, "CONOUT$", "w", stdout);
freopen_s(&file, "CONIN$", "r", stdin);
std::this_thread::sleep_for( std::chrono::seconds( 1 ) );
std::this_thread::sleep_for(std::chrono::seconds(1));
LPTSTR pipe_name = (LPTSTR)L"\\\\.\\pipe\\DonnaACPipe";
LPCWSTR driver_name = L"\\\\.\\DonnaAC";
LPTSTR pipe_name = (LPTSTR)L"\\\\.\\pipe\\DonnaACPipe";
LPCWSTR driver_name = L"\\\\.\\DonnaAC";
std::shared_ptr<global::ThreadPool> thread_pool = std::make_shared<global::ThreadPool>( 4 );
std::shared_ptr<global::Client> client_interface = std::make_shared<global::Client>( thread_pool, pipe_name );
std::shared_ptr<global::ThreadPool> thread_pool = std::make_shared<global::ThreadPool>(4);
std::shared_ptr<global::Client> client_interface = std::make_shared<global::Client>(thread_pool, pipe_name);
usermode::UManager umanager( thread_pool, client_interface );
kernelmode::KManager kmanager( driver_name, thread_pool, client_interface);
usermode::UManager umanager(thread_pool, client_interface);
kernelmode::KManager kmanager(driver_name, thread_pool, client_interface);
global::headers::SYSTEM_INFORMATION system_information;
kmanager.SendClientHardwareInformation();
global::headers::SYSTEM_INFORMATION system_information;
kmanager.SendClientHardwareInformation();
global::report_structures::SYSTEM_INFORMATION_REQUEST_RESPONSE response;
global::report_structures::SYSTEM_INFORMATION_REQUEST_RESPONSE response;
//client_interface->ServerReceive( &response, sizeof( response ) );
//client_interface->ServerReceive( &response, sizeof( response ) );
//std::cout << "RequestID: " << response.RequestId << " CanUserProceed: " <<
// response.CanUserProceed << " Reason: " << response.reason << std::endl;
//std::cout << "RequestID: " << response.RequestId << " CanUserProceed: " <<
// response.CanUserProceed << " Reason: " << response.reason << std::endl;
srand( time( NULL ) );
srand(time(NULL));
while ( !GetAsyncKeyState( VK_DELETE ) )
{
int seed = ( rand() % 8 );
std::cout << "Seed: " << seed << std::endl;
switch ( seed )
while (!GetAsyncKeyState(VK_DELETE))
{
case 0:
kmanager.EnumerateHandleTables();
break;
case 1:
kmanager.PerformIntegrityCheck();
break;
case 2:
kmanager.ScanPoolsForUnlinkedProcesses();
break;
case 3:
kmanager.VerifySystemModules();
break;
case 4:
kmanager.ValidateProcessModules();
break;
case 5:
kmanager.RunNmiCallbacks();
break;
case 6:
kmanager.CheckForAttachedThreads();
break;
case 7:
kmanager.InitiateApcStackwalkOperation();
break;
int seed = (rand() % 9);
std::cout << "Seed: " << seed << std::endl;
switch (seed)
{
case 0:
kmanager.EnumerateHandleTables();
break;
case 1:
kmanager.PerformIntegrityCheck();
break;
case 2:
kmanager.ScanPoolsForUnlinkedProcesses();
break;
case 3:
kmanager.VerifySystemModules();
break;
case 4:
kmanager.ValidateProcessModules();
break;
case 5:
kmanager.RunNmiCallbacks();
break;
case 6:
kmanager.CheckForAttachedThreads();
break;
case 7:
kmanager.InitiateApcStackwalkOperation();
break;
case 8:
kmanager.CheckForHiddenThreads();
break;
}
kmanager.MonitorCallbackReports();
std::this_thread::sleep_for(std::chrono::seconds(10));
}
kmanager.MonitorCallbackReports();
std::this_thread::sleep_for( std::chrono::seconds( 10 ) );
}
fclose( stdout );
fclose( stdin );
FreeConsole();
fclose(stdout);
fclose(stdin);
FreeConsole();
FreeLibraryAndExitThread( hinstDLL, 0);
return 0;
FreeLibraryAndExitThread(hinstDLL, 0);
return 0;
}
BOOL WINAPI DllMain(
HINSTANCE hinstDLL, // handle to DLL module
DWORD fdwReason, // reason for calling function
LPVOID lpvReserved ) // reserved
HINSTANCE hinstDLL, // handle to DLL module
DWORD fdwReason, // reason for calling function
LPVOID lpvReserved) // reserved
{
// Perform actions based on the reason for calling.
switch ( fdwReason )
{
case DLL_PROCESS_ATTACH:
// Perform actions based on the reason for calling.
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls( hinstDLL );
DisableThreadLibraryCalls(hinstDLL);
const auto thread = CreateThread(
nullptr,
0,
reinterpret_cast< LPTHREAD_START_ROUTINE >( Init ),
hinstDLL,
0,
nullptr
);
const auto thread = CreateThread(
nullptr,
0,
reinterpret_cast<LPTHREAD_START_ROUTINE>(Init),
hinstDLL,
0,
nullptr
);
if ( thread )
CloseHandle( thread );
if (thread)
CloseHandle(thread);
break;
}
return TRUE; // Successful DLL_PROCESS_ATTACH.
break;
}
return TRUE; // Successful DLL_PROCESS_ATTACH.
}
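Review bot: The selector at `int seed = (rand() % 9);` and the nine `case` labels in Init are kept in sync by hand, and this commit is exactly the change where they drift (one new case plus a modulus bump); make the count a named constant, e.g. `constexpr int kCheckCount = 9; // one per case in the switch below` and `int seed = rand() % kCheckCount;`. The variable is not a seed but the index of the selected check, so a name like `check_index` would read better. Nearly every other line in this 100-line section is brace and spacing reformatting, which hides the single functional change; keeping formatting-only edits in a separate commit would make the next review of this file much easier.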