noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

fix attached thread offset

Browse source
This commit is contained in:
lhodges1 2023-12-30 19:41:09 +11:00
parent 47adcab90f
commit 7b15c10ca1
7 changed files with 5 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
driver/common.h
View file

@ -77,7 +77,7 @@
#define KTHREAD_STACK_BASE_OFFSET 0x030
#define KTHREAD_STACK_LIMIT_OFFSET 0x038
#define KTHREAD_THREADLIST_OFFSET 0x2f8
#define KTHREAD_APC_STATE_OFFSET 0x258
#define KTHREAD_APC_STATE_OFFSET 0x098
#define KTHREAD_START_ADDRESS_OFFSET 0x450
#define KTHREAD_MISC_FLAGS_OFFSET 0x074
#define KTHREAD_WAIT_IRQL_OFFSET 0x186

12
driver/ioctl.c
View file

@ -40,8 +40,6 @@ DispatchApcOperation(_In_ PAPC_OPERATION_ID Operation);
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20010, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SCAN_FOR_UNLINKED_PROCESS \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20011, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20012, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PERFORM_INTEGRITY_CHECK \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20013, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DETECT_ATTACHED_THREADS \
@ -354,14 +352,6 @@ DeviceControl(_In_ PDRIVER_OBJECT DriverObject, _Inout_ PIRP Irp)
break;
case IOCTL_VALIDATE_KPRCB_CURRENT_THREAD:
DEBUG_INFO("IOCTL_VALIDATE_KPRCB_CURRENT_THREAD Received");
//ValidateKPCRBThreads();
break;
case IOCTL_PERFORM_INTEGRITY_CHECK:
DEBUG_INFO("IOCTL_PERFORM_INTEGRITY_CHECK Received");
@ -518,8 +508,6 @@ _Dispatch_type_(IRP_MJ_CREATE) NTSTATUS
PAGED_CODE();
DEBUG_INFO("Handle to driver opened.");
DEBUG_VERBOSE("HELOO??");
HandleNmiIOCTL(Irp);
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}

41
user/km/driver.cpp
View file

@ -459,29 +459,6 @@ kernelmode::Driver::NotifyDriverOnProcessTermination()
LOG_ERROR("NotifyDriverOnProcessTermination failed with status %x", status);
}
VOID
kernelmode::Driver::ValidateKPRCBThreads()
{
BOOLEAN status = FALSE;
DWORD bytes_returned = 0;
HIDDEN_SYSTEM_THREAD_REPORT report = {0};
status = DeviceIoControl(this->driver_handle,
IOCTL_VALIDATE_KPRCB_CURRENT_THREAD,
NULL,
NULL,
&report,
sizeof(report),
&bytes_returned,
NULL);
if (status == NULL)
{
LOG_ERROR("failed to validate kpcrb threads with status %x", GetLastError());
return;
}
}
VOID
kernelmode::Driver::CheckForAttachedThreads()
{
@ -494,24 +471,6 @@ kernelmode::Driver::CheckForAttachedThreads()
LOG_ERROR("failed to check for attached threads %x", GetLastError());
}
VOID
kernelmode::Driver::CheckForHiddenThreads()
{
BOOLEAN status = FALSE;
status = DeviceIoControl(this->driver_handle,
IOCTL_VALIDATE_KPRCB_CURRENT_THREAD,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL);
if (status == NULL)
LOG_ERROR("failed to check for hidden threads %x", GetLastError());
}
VOID
kernelmode::Driver::CheckForEptHooks()
{

4
user/km/driver.h
View file

@ -26,8 +26,6 @@
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20010, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SCAN_FOR_UNLINKED_PROCESS \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20011, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_VALIDATE_KPRCB_CURRENT_THREAD \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20012, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PERFORM_INTEGRITY_CHECK \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x20013, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DETECT_ATTACHED_THREADS \
@ -87,7 +85,6 @@ class Driver
VOID RunCallbackReportQueue();
VOID DetectSystemVirtualization();
VOID QueryReportQueue();
VOID ValidateKPRCBThreads();
VOID CheckHandleTableEntries();
VOID RequestModuleExecutableRegions();
VOID ScanForUnlinkedProcess();
@ -95,7 +92,6 @@ class Driver
VOID CheckForAttachedThreads();
VOID VerifyProcessLoadedModuleExecutableRegions();
VOID SendClientHardwareInformation();
VOID CheckForHiddenThreads();
VOID CheckForEptHooks();
VOID StackwalkThreadsViaDpc();
VOID ValidateSystemModules();

6
user/km/kmanager.cpp
View file

@ -87,12 +87,6 @@ kernelmode::KManager::InitiateApcStackwalkOperation()
kernelmode::APC_OPERATION_IDS::operation_stackwalk);
}
VOID
kernelmode::KManager::CheckForHiddenThreads()
{
this->thread_pool->QueueJob([this]() { this->driver_interface->CheckForHiddenThreads(); });
}
VOID
kernelmode::KManager::CheckForEptHooks()
{

1
user/km/kmanager.h
View file

@ -31,7 +31,6 @@ class KManager
VOID ValidateProcessModules();
VOID SendClientHardwareInformation();
VOID InitiateApcStackwalkOperation();
VOID CheckForHiddenThreads();
VOID CheckForEptHooks();
VOID StackwalkThreadsViaDpc();
VOID ValidateSystemModules();

9
user/main.cpp
View file

@ -78,7 +78,7 @@ Init(HINSTANCE hinstDLL)
while (!GetAsyncKeyState(VK_DELETE))
{
int seed = (rand() % 12);
int seed = (rand() % 11);
std::cout << "Seed: " << seed << std::endl;
@ -92,10 +92,9 @@ Init(HINSTANCE hinstDLL)
case 5: kmanager.RunNmiCallbacks(); break;
case 6: kmanager.CheckForAttachedThreads(); break;
case 7: kmanager.InitiateApcStackwalkOperation(); break;
case 8: kmanager.CheckForHiddenThreads(); break;
case 9: kmanager.CheckForEptHooks(); break;
case 10: kmanager.StackwalkThreadsViaDpc(); break;
case 11: kmanager.ValidateSystemModules(); break;
case 8: kmanager.CheckForEptHooks(); break;
case 9: kmanager.StackwalkThreadsViaDpc(); break;
case 10: kmanager.ValidateSystemModules(); break;
}
kmanager.MonitorCallbackReports();