fix paging

2024-11-21 22:24:08 +01:00 · 2023-10-08 15:24:54 +11:00 · 2023-10-08 15:24:54 +11:00 · 7dab235001
commit 7dab235001
parent abef56f5ab
7 changed files with 365 additions and 158 deletions
--- a/driver/callbacks.c
+++ b/driver/callbacks.c
@ -6,8 +6,13 @@
 #include "pool.h"
 #include "thread.h"

-STATIC BOOLEAN EnumHandleCallback(_In_ PHANDLE_TABLE HandleTable, _In_ PHANDLE_TABLE_ENTRY Entry,
-	_In_ HANDLE Handle, _In_ PVOID Context);
+STATIC 
+BOOLEAN 
+EnumHandleCallback(
+	_In_ PHANDLE_TABLE HandleTable, 
+	_In_ PHANDLE_TABLE_ENTRY Entry,
+	_In_ HANDLE Handle, 
+	_In_ PVOID Context);

 #ifdef ALLOC_PRAGMA
 #pragma alloc_text(PAGE, ObPostOpCallbackRoutine)
--- a/driver/driver.c
+++ b/driver/driver.c
@ -10,17 +10,53 @@
 #include "modules.h"
 #include "integrity.h"

-STATIC NTSTATUS AllocateCallbackStructure();
-STATIC VOID CleanupDriverCallbacksOnDriverUnload();
-STATIC NTSTATUS RegistryPathQueryCallbackRoutine(IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, 
-	IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext);
-STATIC VOID FreeDriverConfigurationStringBuffers();
-STATIC BOOLEAN FreeAllApcContextStructures();
-STATIC VOID DriverUnload(_In_ PDRIVER_OBJECT DriverObject);
-STATIC VOID InitialiseProcessConfigOnDriverEntry();
-STATIC VOID CleanupDriverConfigOnUnload();
-STATIC NTSTATUS InitialiseDriverConfigOnDriverEntry(_In_ PUNICODE_STRING RegistryPath);
-NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath);
+STATIC 
+NTSTATUS 
+AllocateCallbackStructure();
+
+STATIC 
+VOID 
+CleanupDriverCallbacksOnDriverUnload();
+
+STATIC 
+VOID 
+FreeDriverConfigurationStringBuffers();
+
+STATIC 
+BOOLEAN 
+FreeAllApcContextStructures();
+
+STATIC 
+VOID 
+InitialiseProcessConfigOnDriverEntry();
+
+STATIC 
+VOID 
+CleanupDriverConfigOnUnload();
+
+STATIC 
+VOID 
+DriverUnload(
+	_In_ PDRIVER_OBJECT DriverObject);
+
+STATIC 
+NTSTATUS 
+InitialiseDriverConfigOnDriverEntry(
+	_In_ PUNICODE_STRING RegistryPath);
+
+NTSTATUS 
+DriverEntry(
+	_In_ PDRIVER_OBJECT DriverObject, 
+	_In_ PUNICODE_STRING RegistryPath);
+
+STATIC 
+NTSTATUS RegistryPathQueryCallbackRoutine(
+	IN PWSTR ValueName,
+	IN ULONG ValueType,
+	IN PVOID ValueData,
+	IN ULONG ValueLength,
+	IN PVOID Context,
+	IN PVOID EntryContext);

 #ifdef ALLOC_PRAGMA
 #pragma alloc_text(INIT, DriverEntry)
@ -195,7 +231,9 @@ GetCallbackConfigStructure(
 		return;

 	*CallbackConfiguration = NULL;
-	InterlockedExchangePointer(CallbackConfiguration, &driver_config.callback_config);
+	KeAcquireGuardedMutex(&driver_config.lock);
+	*CallbackConfiguration = &driver_config.callback_config;
+	KeReleaseGuardedMutex(&driver_config.lock);
 }

 /*
@ -446,7 +484,9 @@ GetApcContextByIndex(
 		return;

 	*Context = NULL;
-	InterlockedExchangePointer(Context, driver_config.apc_contexts[Index]);
+	KeAcquireGuardedMutex(&driver_config.lock);
+	*Context = driver_config.apc_contexts[Index];
+	KeReleaseGuardedMutex(&driver_config.lock);
 }

 VOID
@ -471,7 +511,9 @@ GetProtectedProcessEProcess(
 		return;

 	*Process = NULL;
-	InterlockedExchangePointer(Process, process_config.protected_process_eprocess);
+	KeAcquireGuardedMutex(&process_config.lock);
+	*Process = process_config.protected_process_eprocess;
+	KeReleaseGuardedMutex(&process_config.lock);
 }

 VOID
@ -506,7 +548,9 @@ GetDriverName(
 		return;

 	*DriverName = NULL;
-	InterlockedExchangePointer(DriverName, driver_config.ansi_driver_name.Buffer);
+	KeAcquireGuardedMutex(&driver_config.lock);
+	*DriverName = driver_config.ansi_driver_name.Buffer;
+	KeReleaseGuardedMutex(&driver_config.lock);
 }

 VOID
@ -562,7 +606,9 @@ GetDriverConfigSystemInformation(
 		return;

 	*SystemInformation = NULL;
-	InterlockedExchangePointer(SystemInformation, &driver_config.system_information);
+	KeAcquireGuardedMutex(&driver_config.lock);
+	*SystemInformation = &driver_config.system_information;
+	KeReleaseGuardedMutex(&driver_config.lock);
 }

 STATIC
--- a/driver/integrity.c
+++ b/driver/integrity.c
@ -8,47 +8,6 @@
 #include <initguid.h>
 #include <devpkey.h>

-STATIC NTSTATUS GetModuleInformationByName(_Inout_ PRTL_MODULE_EXTENDED_INFO ModuleInfo, 
-        _In_ LPCSTR ModuleName);
-STATIC NTSTATUS StoreModuleExecutableRegionsInBuffer(_Inout_ PVOID* Buffer, _In_ PVOID ModuleBase,
-        _In_ SIZE_T ModuleSize, _Inout_ PSIZE_T BytesWritten);
-STATIC NTSTATUS MapDiskImageIntoVirtualAddressSpace(_Inout_ PHANDLE SectionHandle, _Inout_ PVOID* Section,
-        _In_ PUNICODE_STRING Path, _Inout_ PSIZE_T Size);
-STATIC NTSTATUS ComputeHashOfBuffer(_In_ PVOID Buffer, _In_ ULONG BufferSize, _Inout_ PVOID* HashResult,
-        _Inout_ PULONG HashResultSize);
-STATIC VOID GetNextSMBIOSStructureInTable(_Inout_ PSMBIOS_TABLE_HEADER* CurrentStructure);
-STATIC NTSTATUS GetStringAtIndexFromSMBIOSTable(_In_ PSMBIOS_TABLE_HEADER Table, _In_ INT Index,
-        _In_ PVOID Buffer, _In_ SIZE_T BufferSize);
-STATIC UINT64 MeasureInstructionRead(_In_ PVOID InstructionAddress);
-STATIC UINT64 MeasureReads(_In_ PVOID Address, _In_ ULONG Count);
-STATIC NTSTATUS GetAverageReadTimeAtRoutine(_In_ PVOID RoutineAddress, _Inout_ PUINT64 AverageTime);
-STATIC NTSTATUS InitiateEptFunctionAddressArrays();
-STATIC NTSTATUS RegistryPathQueryTestSigningCallback(IN PWSTR ValueName, IN ULONG ValueType,
-        IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext);
-
-#ifdef ALLOC_PRAGMA
-#pragma alloc_text(PAGE, GetDriverImageSize)
-#pragma alloc_text(PAGE, GetModuleInformationByName)
-#pragma alloc_text(PAGE, StoreModuleExecutableRegionsInBuffer)
-#pragma alloc_text(PAGE, MapDiskImageIntoVirtualAddressSpace)
-#pragma alloc_text(PAGE, ComputeHashOfBuffer)
-#pragma alloc_text(PAGE, VerifyInMemoryImageVsDiskImage)
-#pragma alloc_text(PAGE, RetrieveInMemoryModuleExecutableSections)
-#pragma alloc_text(PAGE, GetNextSMBIOSStructureInTable)
-#pragma alloc_text(PAGE, GetStringAtIndexFromSMBIOSTable)
-#pragma alloc_text(PAGE, ParseSMBIOSTable)
-#pragma alloc_text(PAGE, ValidateProcessLoadedModule)
-#pragma alloc_text(PAGE, GetHardDiskDriveSerialNumber)
-#pragma alloc_text(PAGE, ScanForSignature)
-#pragma alloc_text(PAGE, MeasureInstructionRead)
-#pragma alloc_text(PAGE, MeasureReads)
-#pragma alloc_text(PAGE, GetAverageReadTimeAtRoutine)
-#pragma alloc_text(PAGE, InitiateEptFunctionAddressArrays)
-#pragma alloc_text(PAGE, DetectEptHooksInKeyFunctions)
-#pragma alloc_text(PAGE, RegistryPathQueryTestSigningCallback)
-#pragma alloc_text(PAGE, DetermineIfTestSigningIsEnabled)
-#endif
-
 #define SMBIOS_TABLE 'RSMB'

 /* for generic intel */
@ -84,6 +43,90 @@ typedef struct _PROCESS_MODULE_VALIDATION_RESULT

 }PROCESS_MODULE_VALIDATION_RESULT, * PPROCESS_MODULE_VALIDATION_RESULT;

+STATIC 
+NTSTATUS 
+InitiateEptFunctionAddressArrays();
+
+STATIC 
+NTSTATUS 
+GetModuleInformationByName(
+        _Inout_ PRTL_MODULE_EXTENDED_INFO ModuleInfo, 
+        _In_ LPCSTR ModuleName);
+
+STATIC 
+NTSTATUS 
+StoreModuleExecutableRegionsInBuffer(
+        _Inout_ PVOID* Buffer, 
+        _In_ PVOID ModuleBase,
+        _In_ SIZE_T ModuleSize, 
+        _Inout_ PSIZE_T BytesWritten);
+
+STATIC 
+NTSTATUS 
+MapDiskImageIntoVirtualAddressSpace(
+        _Inout_ PHANDLE SectionHandle,
+        _Inout_ PVOID* Section,
+        _In_ PUNICODE_STRING Path, 
+        _Inout_ PSIZE_T Size);
+
+STATIC 
+NTSTATUS 
+ComputeHashOfBuffer(
+        _In_ PVOID Buffer, 
+        _In_ ULONG BufferSize, 
+        _Inout_ PVOID* HashResult,
+        _Inout_ PULONG HashResultSize);
+
+STATIC 
+VOID 
+GetNextSMBIOSStructureInTable(
+        _Inout_ PSMBIOS_TABLE_HEADER* CurrentStructure);
+
+STATIC 
+NTSTATUS 
+GetStringAtIndexFromSMBIOSTable(
+        _In_ PSMBIOS_TABLE_HEADER Table, 
+        _In_ INT Index,
+        _In_ PVOID Buffer, 
+        _In_ SIZE_T BufferSize);
+
+STATIC 
+NTSTATUS 
+GetAverageReadTimeAtRoutine(
+        _In_ PVOID RoutineAddress, 
+        _Inout_ PUINT64 AverageTime);
+
+STATIC 
+NTSTATUS 
+RegistryPathQueryTestSigningCallback(
+        IN PWSTR ValueName, 
+        IN ULONG ValueType,
+        IN PVOID ValueData, 
+        IN ULONG ValueLength, 
+        IN PVOID Context, 
+        IN PVOID EntryContext);
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, GetDriverImageSize)
+#pragma alloc_text(PAGE, GetModuleInformationByName)
+#pragma alloc_text(PAGE, StoreModuleExecutableRegionsInBuffer)
+#pragma alloc_text(PAGE, MapDiskImageIntoVirtualAddressSpace)
+#pragma alloc_text(PAGE, ComputeHashOfBuffer)
+#pragma alloc_text(PAGE, VerifyInMemoryImageVsDiskImage)
+#pragma alloc_text(PAGE, RetrieveInMemoryModuleExecutableSections)
+#pragma alloc_text(PAGE, GetNextSMBIOSStructureInTable)
+#pragma alloc_text(PAGE, GetStringAtIndexFromSMBIOSTable)
+#pragma alloc_text(PAGE, ParseSMBIOSTable)
+#pragma alloc_text(PAGE, ValidateProcessLoadedModule)
+#pragma alloc_text(PAGE, GetHardDiskDriveSerialNumber)
+#pragma alloc_text(PAGE, ScanForSignature)
+#pragma alloc_text(PAGE, GetAverageReadTimeAtRoutine)
+#pragma alloc_text(PAGE, InitiateEptFunctionAddressArrays)
+#pragma alloc_text(PAGE, DetectEptHooksInKeyFunctions)
+#pragma alloc_text(PAGE, RegistryPathQueryTestSigningCallback)
+#pragma alloc_text(PAGE, DetermineIfTestSigningIsEnabled)
+#endif
+
 /*
 * note: this can be put into its own function wihtout an IRP as argument then it can be used
 * in both the get driver image ioctl handler and the CopyDriverExecvutableRegions func
--- a/driver/ioctl.c
+++ b/driver/ioctl.c
@ -9,7 +9,10 @@
 #include "queue.h"
 #include "hv.h"

-STATIC NTSTATUS DispatchApcOperation(PAPC_OPERATION_ID Operation);
+STATIC 
+NTSTATUS 
+DispatchApcOperation(
+	_In_ PAPC_OPERATION_ID Operation);

 #ifdef ALLOC_PRAGMA
 #pragma alloc_text(PAGE, DispatchApcOperation)
@ -40,7 +43,9 @@ STATIC NTSTATUS DispatchApcOperation(PAPC_OPERATION_ID Operation);

 STATIC
 NTSTATUS
-DispatchApcOperation(PAPC_OPERATION_ID Operation)
+DispatchApcOperation(
+	_In_ PAPC_OPERATION_ID Operation
+)
 {
 	NTSTATUS status;

--- a/driver/modules.c
+++ b/driver/modules.c
@ -3,6 +3,44 @@
 #include "callbacks.h"
 #include "driver.h"

+#define WHITELISTED_MODULE_TAG 'whte'
+
+#define NMI_DELAY 200 * 10000
+
+#define WHITELISTED_MODULE_COUNT 7
+#define MODULE_MAX_STRING_SIZE 256
+
+#define NTOSKRNL 0
+#define CLASSPNP 1
+#define WDF01000 2
+
+/*
+* The modules seen in the array below have been seen to commonly hook other drivers'
+* IOCTL dispatch routines. Its possible to see this by using WinObjEx64 and checking which
+* module each individual dispatch routine lies in. These modules are then addded to the list
+* (in addition to either the driver itself or ntoskrnl) which is seen as a valid region
+* for a drivers dispatch routine to lie within.
+*/
+CHAR WHITELISTED_MODULES[WHITELISTED_MODULE_COUNT][MODULE_MAX_STRING_SIZE] =
+{
+	"ntoskrnl.exe",
+	"CLASSPNP.SYS",
+	"Wdf01000.sys",
+	"HIDCLASS.sys",
+	"storport.sys",
+	"dxgkrnl.sys",
+	"ndis.sys"
+};
+
+#define MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE 128
+
+#define REASON_NO_BACKING_MODULE 1
+#define REASON_INVALID_IOCTL_DISPATCH 2
+
+#define SYSTEM_IDLE_PROCESS_ID 0
+#define SYSTEM_PROCESS_ID 4
+#define SVCHOST_PROCESS_ID 8
+
 typedef struct _WHITELISTED_REGIONS
 {
 	UINT64 base;
@ -47,7 +85,7 @@ typedef struct _NMI_CALLBACK_DATA
 	UINT64		stack_limit;
 	UINT64		stack_base;
 	uintptr_t	stack_frames_offset;
-	INT			num_frames_captured;
+	INT		num_frames_captured;
 	UINT64		cr3;

 }NMI_CALLBACK_DATA, * PNMI_CALLBACK_DATA;
@ -67,28 +105,93 @@ typedef struct _INVALID_DRIVERS_HEAD

 }INVALID_DRIVERS_HEAD, * PINVALID_DRIVERS_HEAD;

-STATIC NTSTATUS PopulateWhitelistedModuleBuffer(_Inout_ PVOID Buffer, _In_ PSYSTEM_MODULES SystemModules);
-STATIC NTSTATUS ValidateDriverIOCTLDispatchRegion(_In_ PDRIVER_OBJECT Driver, _In_ PSYSTEM_MODULES Modules,
-	_In_ PWHITELISTED_REGIONS WhitelistedRegions, _Out_ PBOOLEAN Flag);
-STATIC VOID InitDriverList(_Inout_ PINVALID_DRIVERS_HEAD ListHead);
-STATIC VOID AddDriverToList(_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead, _In_ PDRIVER_OBJECT Driver,
+STATIC 
+NTSTATUS 
+PopulateWhitelistedModuleBuffer(
+	_Inout_ PVOID Buffer, 
+	_In_ PSYSTEM_MODULES SystemModules);
+
+STATIC 
+NTSTATUS 
+ValidateDriverIOCTLDispatchRegion(
+	_In_ PDRIVER_OBJECT Driver, 
+	_In_ PSYSTEM_MODULES Modules,
+	_In_ PWHITELISTED_REGIONS WhitelistedRegions, 
+	_Out_ PBOOLEAN Flag);
+
+STATIC 
+VOID 
+InitDriverList(
+	_Inout_ PINVALID_DRIVERS_HEAD ListHead);
+
+STATIC 
+VOID 
+AddDriverToList(
+	_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead, 
+	_In_ PDRIVER_OBJECT Driver,
 	_In_ INT Reason);
-STATIC VOID RemoveInvalidDriverFromList(_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead);
-STATIC VOID EnumerateInvalidDrivers(_In_ PINVALID_DRIVERS_HEAD InvalidDriversHead);
-STATIC NTSTATUS ValidateDriverObjectHasBackingModule(_In_ PSYSTEM_MODULES ModuleInformation,
-	_In_ PDRIVER_OBJECT DriverObject, _Out_ PBOOLEAN Result);
-STATIC NTSTATUS ValidateDriverObjects(_In_ PSYSTEM_MODULES SystemModules,
+
+STATIC 
+VOID 
+RemoveInvalidDriverFromList(
+	_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead);
+
+STATIC 
+VOID 
+EnumerateInvalidDrivers(
+	_In_ PINVALID_DRIVERS_HEAD InvalidDriversHead);
+
+STATIC 
+NTSTATUS 
+ValidateDriverObjectHasBackingModule(
+	_In_ PSYSTEM_MODULES ModuleInformation,
+	_In_ PDRIVER_OBJECT DriverObject, 
+	_Out_ PBOOLEAN Result);
+
+STATIC 
+NTSTATUS 
+ValidateDriverObjects(
+	_In_ PSYSTEM_MODULES SystemModules,
 	_Inout_ PINVALID_DRIVERS_HEAD InvalidDriverListHead);
-STATIC NTSTATUS AnalyseNmiData(_In_ PNMI_CONTEXT NmiContext, _In_ PSYSTEM_MODULES SystemModules,
+
+STATIC 
+NTSTATUS 
+AnalyseNmiData(
+	_In_ PNMI_CONTEXT NmiContext, 
+	_In_ PSYSTEM_MODULES SystemModules,
 	_Inout_ PIRP Irp);
-STATIC NTSTATUS LaunchNonMaskableInterrupt(_Inout_ PNMI_CONTEXT NmiContext);
-STATIC VOID ApcRundownRoutine(_In_ PRKAPC Apc);
-STATIC VOID ApcKernelRoutine(_In_ PRKAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine,
-	_Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1,
+
+STATIC 
+NTSTATUS 
+LaunchNonMaskableInterrupt(
+	_Inout_ PNMI_CONTEXT NmiContext);
+
+STATIC 
+VOID 
+ApcRundownRoutine(
+	_In_ PRKAPC Apc);
+
+STATIC 
+VOID 
+ApcKernelRoutine(
+	_In_ PRKAPC Apc, 
+	_Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine,
+	_Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, 
+	_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1,
 	_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2);
-STATIC VOID ApcNormalRoutine(_In_opt_ PVOID NormalContext, _In_opt_ PVOID SystemArgument1,
+
+STATIC 
+VOID 
+ApcNormalRoutine(
+	_In_opt_ PVOID NormalContext, 
+	_In_opt_ PVOID SystemArgument1,
 	_In_opt_ PVOID SystemArgument2);
-STATIC VOID ValidateThreadViaKernelApcCallback(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
+
+STATIC 
+VOID 
+ValidateThreadViaKernelApcCallback(
+	_In_ PEPROCESS Process, 
+	_Inout_opt_ PVOID Context);

 #ifdef ALLOC_PRAGMA
 #pragma alloc_text(PAGE, FindSystemModuleByName)
@ -115,44 +218,6 @@ STATIC VOID ValidateThreadViaKernelApcCallback(_In_ PEPROCESS Process, _Inout_op
 #pragma alloc_text(PAGE, FreeApcStackwalkApcContextInformation)
 #endif

-#define WHITELISTED_MODULE_TAG 'whte'
-
-#define NMI_DELAY 200 * 10000
-
-#define WHITELISTED_MODULE_COUNT 7
-#define MODULE_MAX_STRING_SIZE 256
-
-#define NTOSKRNL 0
-#define CLASSPNP 1
-#define WDF01000 2
-
-/*
-* The modules seen in the array below have been seen to commonly hook other drivers'
-* IOCTL dispatch routines. Its possible to see this by using WinObjEx64 and checking which
-* module each individual dispatch routine lies in. These modules are then addded to the list
-* (in addition to either the driver itself or ntoskrnl) which is seen as a valid region
-* for a drivers dispatch routine to lie within.
-*/
-CHAR WHITELISTED_MODULES[WHITELISTED_MODULE_COUNT][MODULE_MAX_STRING_SIZE] =
-{
-	"ntoskrnl.exe",
-	"CLASSPNP.SYS",
-	"Wdf01000.sys",
-	"HIDCLASS.sys",
-	"storport.sys",
-	"dxgkrnl.sys",
-	"ndis.sys"
-};
-
-#define MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE 128
-
-#define REASON_NO_BACKING_MODULE 1
-#define REASON_INVALID_IOCTL_DISPATCH 2
-
-#define SYSTEM_IDLE_PROCESS_ID 0
-#define SYSTEM_PROCESS_ID 4
-#define SVCHOST_PROCESS_ID 8
-
 /*
 * TODO: this needs to be refactored to just return the entry not the whole fukin thing
 */
--- a/driver/pool.c
+++ b/driver/pool.c
@ -5,37 +5,6 @@
 #include "callbacks.h"
 #include "queue.h"

-typedef struct _PROCESS_SCAN_CONTEXT
-{
-	ULONG process_count;
-	PVOID process_buffer;
-
-}PROCESS_SCAN_CONTEXT, * PPROCESS_SCAN_CONTEXT;
-
-STATIC BOOLEAN ValidateIfAddressIsProcessStructure(_In_ PVOID Address, _In_ PPOOL_HEADER PoolHeader);
-STATIC VOID ScanPageForKernelObjectAllocation(_In_ UINT64 PageBase, _In_ ULONG PageSize,
-	_In_ ULONG ObjectIndex, _Inout_ PPROCESS_SCAN_CONTEXT Context);
-STATIC BOOLEAN IsPhysicalAddressInPhysicalMemoryRange(_In_ UINT64 PhysicalAddress,
-	_In_ PPHYSICAL_MEMORY_RANGE PhysicalMemoryRanges);
-STATIC VOID EnumerateKernelLargePages(_In_ UINT64 PageBase, _In_ ULONG PageSize,
-	_In_ PPROCESS_SCAN_CONTEXT Context, _In_ ULONG ObjectIndex);
-STATIC VOID WalkKernelPageTables(_In_ PPROCESS_SCAN_CONTEXT Context);
-STATIC VOID IncrementProcessCounter(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
-STATIC VOID CheckIfProcessAllocationIsInProcessList(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
-
-#ifdef ALLOC_PRAGMA
-#pragma alloc_text(PAGE, GetGlobalDebuggerData)
-#pragma alloc_text(PAGE, GetPsActiveProcessHead)
-#pragma alloc_text(PAGE, ValidateIfAddressIsProcessStructure)
-#pragma alloc_text(PAGE, ScanPageForKernelObjectAllocation)
-#pragma alloc_text(PAGE, IsPhysicalAddressInPhysicalMemoryRange)
-#pragma alloc_text(PAGE, EnumerateKernelLargePages)
-#pragma alloc_text(PAGE, WalkKernelPageTables)
-#pragma alloc_text(PAGE, IncrementProcessCounter)
-#pragma alloc_text(PAGE, CheckIfProcessAllocationIsInProcessList)
-#pragma alloc_text(PAGE, FindUnlinkedProcesses)
-#endif
-
 #define PAGE_BASE_SIZE 0x1000
 #define POOL_TAG_SIZE 0x004

@ -75,6 +44,71 @@ CHAR EXECUTIVE_OBJECT_POOL_TAGS[EXECUTIVE_OBJECT_COUNT][POOL_TAG_LENGTH] =
 	"\x4C\x69\x6E\x6B"		/* Symbolic links */
 };

+typedef struct _PROCESS_SCAN_CONTEXT
+{
+	ULONG process_count;
+	PVOID process_buffer;
+
+}PROCESS_SCAN_CONTEXT, * PPROCESS_SCAN_CONTEXT;
+
+STATIC 
+BOOLEAN 
+ValidateIfAddressIsProcessStructure(
+	_In_ PVOID Address, 
+	_In_ PPOOL_HEADER PoolHeader);
+
+STATIC 
+VOID 
+ScanPageForKernelObjectAllocation(
+	_In_ UINT64 PageBase, 
+	_In_ ULONG PageSize,
+	_In_ ULONG ObjectIndex, 
+	_Inout_ PPROCESS_SCAN_CONTEXT Context);
+
+STATIC 
+BOOLEAN 
+IsPhysicalAddressInPhysicalMemoryRange(
+	_In_ UINT64 PhysicalAddress,
+	_In_ PPHYSICAL_MEMORY_RANGE PhysicalMemoryRanges);
+
+STATIC 
+VOID 
+EnumerateKernelLargePages(
+	_In_ UINT64 PageBase, 
+	_In_ ULONG PageSize,
+	_In_ PPROCESS_SCAN_CONTEXT Context, 
+	_In_ ULONG ObjectIndex);
+
+STATIC 
+VOID 
+WalkKernelPageTables(
+	_In_ PPROCESS_SCAN_CONTEXT Context);
+
+STATIC 
+VOID 
+IncrementProcessCounter(
+	_In_ PEPROCESS Process, 
+	_Inout_opt_ PVOID Context);
+
+STATIC 
+VOID 
+CheckIfProcessAllocationIsInProcessList(
+	_In_ PEPROCESS Process, 
+	_Inout_opt_ PVOID Context);
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, GetGlobalDebuggerData)
+#pragma alloc_text(PAGE, GetPsActiveProcessHead)
+#pragma alloc_text(PAGE, ValidateIfAddressIsProcessStructure)
+#pragma alloc_text(PAGE, ScanPageForKernelObjectAllocation)
+#pragma alloc_text(PAGE, IsPhysicalAddressInPhysicalMemoryRange)
+#pragma alloc_text(PAGE, EnumerateKernelLargePages)
+#pragma alloc_text(PAGE, WalkKernelPageTables)
+#pragma alloc_text(PAGE, IncrementProcessCounter)
+#pragma alloc_text(PAGE, CheckIfProcessAllocationIsInProcessList)
+#pragma alloc_text(PAGE, FindUnlinkedProcesses)
+#endif
+
 PKDDEBUGGER_DATA64
 GetGlobalDebuggerData()
 {
--- a/driver/thread.c
+++ b/driver/thread.c
@ -7,16 +7,6 @@
 #include "driver.h"
 #include "queue.h"

-STATIC VOID KPRCBThreadValidationProcessCallback(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
-STATIC VOID DetectAttachedThreadsProcessCallback(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
-
-#ifdef ALLOC_PRAGMA
-#pragma alloc_text(PAGE, KPRCBThreadValidationProcessCallback)
-#pragma alloc_text(PAGE, ValidateKPCRBThreads)
-#pragma alloc_text(PAGE, DetectAttachedThreadsProcessCallback)
-#pragma alloc_text(PAGE, DetectThreadsAttachedToProtectedProcess)
-#endif
-
 typedef struct _KPRCB_THREAD_VALIDATION_CTX
 {
 	UINT64 current_kpcrb_thread;
@ -26,6 +16,25 @@ typedef struct _KPRCB_THREAD_VALIDATION_CTX

 }KPRCB_THREAD_VALIDATION_CTX, * PKPRCB_THREAD_VALIDATION_CTX;

+STATIC 
+VOID 
+KPRCBThreadValidationProcessCallback(
+	_In_ PEPROCESS Process, 
+	_Inout_opt_ PVOID Context);
+
+STATIC 
+VOID 
+DetectAttachedThreadsProcessCallback(
+	_In_ PEPROCESS Process, 
+	_Inout_opt_ PVOID Context);
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, KPRCBThreadValidationProcessCallback)
+#pragma alloc_text(PAGE, ValidateKPCRBThreads)
+#pragma alloc_text(PAGE, DetectAttachedThreadsProcessCallback)
+#pragma alloc_text(PAGE, DetectThreadsAttachedToProtectedProcess)
+#endif
+
 STATIC
 VOID
 KPRCBThreadValidationProcessCallback(