bed time :)
This commit is contained in:
parent
12de715264
commit
85a949bf06
8 changed files with 135 additions and 51 deletions
|
@ -129,6 +129,7 @@
|
|||
<ClCompile Include="callbacks.c" />
|
||||
<ClCompile Include="driver.c" />
|
||||
<ClCompile Include="hv.c" />
|
||||
<ClCompile Include="hw.c" />
|
||||
<ClCompile Include="integrity.c" />
|
||||
<ClCompile Include="ioctl.c" />
|
||||
<ClCompile Include="modules.c" />
|
||||
|
@ -141,6 +142,7 @@
|
|||
<ClInclude Include="common.h" />
|
||||
<ClInclude Include="driver.h" />
|
||||
<ClInclude Include="hv.h" />
|
||||
<ClInclude Include="hw.h" />
|
||||
<ClInclude Include="integrity.h" />
|
||||
<ClInclude Include="ioctl.h" />
|
||||
<ClInclude Include="modules.h" />
|
||||
|
|
|
@ -51,6 +51,9 @@
|
|||
<ClCompile Include="thread.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="hw.c">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="driver.h">
|
||||
|
@ -83,6 +86,9 @@
|
|||
<ClInclude Include="thread.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
<ClInclude Include="hw.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<MASM Include="asm.asm">
|
||||
|
|
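--- a/driver/hw.c
+++ b/driver/hw.c
@@ -0,0 +1,18 @@
+#include "common.h"
+
+/*
+* Stuff we can get:
+*
+* 1. CPU ID
+* 2. motherboard serial number
+* 3. MAC address,
+* 4. NIC
+*/
+
+typedef struct _HARDWARE_INFORMATION
+{
+CHAR cpu_id[0x20];
+CHAR motherboard_serial[0x20];
+CHAR mac_address[0x20];
+};
+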
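Review bot: `typedef struct _HARDWARE_INFORMATION { ... };` declares the struct tag but no typedef name, so the `typedef` keyword has no effect (MSVC reports a typedef with no declarator) and no other translation unit can name the type; close it with `} HARDWARE_INFORMATION, *PHARDWARE_INFORMATION;` and, if other files are meant to fill it, move the definition into hw.h, which is currently empty apart from includes. The three `CHAR [0x20]` fields carry no statement of what they hold — a NUL-terminated string, raw bytes, or a 32-char hex digest — which is what a caller needs before writing into them; a one-line comment per field such as `/* NUL-terminated, at most 31 characters */` would fix that, and a MAC address and a motherboard serial presumably have different natural sizes than a CPU id, so the shared 0x20 looks like a placeholder worth confirming. The list comment above the struct names four items while the struct has three fields; either drop item 4 or add the field.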
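--- a/driver/hw.h
+++ b/driver/hw.h
@@ -0,0 +1,10 @@
+#ifndef HW_H
+#define HW_H
+
+#include "common.h"
+
+#include <ntifs.h>
+
+
+
+#endif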
@ -85,7 +85,8 @@ NTSTATUS GetModuleInformationByName(
|
|||
NTSTATUS StoreModuleExecutableRegionsInBuffer(
|
||||
_In_ PVOID* Buffer,
|
||||
_In_ PVOID ModuleBase,
|
||||
_In_ SIZE_T ModuleSize
|
||||
_In_ SIZE_T ModuleSize,
|
||||
_In_ PSIZE_T BytesWritten
|
||||
)
|
||||
{
|
||||
NTSTATUS status = STATUS_SUCCESS;
|
||||
|
@ -198,19 +199,9 @@ NTSTATUS StoreModuleExecutableRegionsInBuffer(
|
|||
sizeof( INTEGRITY_CHECK_HEADER )
|
||||
);
|
||||
|
||||
return status;
|
||||
}
|
||||
*BytesWritten = total_packet_size + sizeof( INTEGRITY_CHECK_HEADER );
|
||||
|
||||
/*
|
||||
* We want to perform the relocations using the base address of the in memory
|
||||
* module to ensure all offsets are equal across both images.
|
||||
*/
|
||||
NTSTATUS PerformPeHeaderRelocations(
|
||||
_In_ PVOID ImageBase,
|
||||
_In_ PVOID RelocationBase
|
||||
)
|
||||
{
|
||||
NTSTATUS status;
|
||||
return status;
|
||||
}
|
||||
|
||||
NTSTATUS MapDiskImageIntoVirtualAddressSpace(
|
||||
|
@ -324,6 +315,7 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
HANDLE section_handle = NULL;
|
||||
PVOID section = NULL;
|
||||
SIZE_T section_size = NULL;
|
||||
SIZE_T bytes_written = NULL;
|
||||
PVOID disk_buffer = NULL;
|
||||
PVOID in_memory_buffer = NULL;
|
||||
RTL_MODULE_EXTENDED_INFO module_info = { 0 };
|
||||
|
@ -353,7 +345,8 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
status = StoreModuleExecutableRegionsInBuffer(
|
||||
&disk_buffer,
|
||||
section,
|
||||
section_size
|
||||
section_size,
|
||||
&bytes_written
|
||||
);
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
|
@ -380,7 +373,8 @@ NTSTATUS VerifyInMemoryImageVsDiskImage(
|
|||
status = StoreModuleExecutableRegionsInBuffer(
|
||||
&in_memory_buffer,
|
||||
module_info.ImageBase,
|
||||
module_info.ImageSize
|
||||
module_info.ImageSize,
|
||||
&bytes_written
|
||||
);
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
|
@ -425,4 +419,51 @@ end:
|
|||
|
||||
if ( in_memory_buffer )
|
||||
ExFreePoolWithTag( in_memory_buffer, POOL_TAG_INTEGRITY );
|
||||
}
|
||||
|
||||
NTSTATUS RetrieveInMemoryModuleExecutableSections(
|
||||
_In_ PIRP Irp
|
||||
)
|
||||
{
|
||||
NTSTATUS status;
|
||||
SIZE_T bytes_written = NULL;
|
||||
PVOID buffer = NULL;
|
||||
RTL_MODULE_EXTENDED_INFO module_info = { 0 };
|
||||
|
||||
status = GetModuleInformationByName(
|
||||
&module_info,
|
||||
"driver.sys"
|
||||
);
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "GetModuleInformationByName failed with status %x", status );
|
||||
return status;
|
||||
}
|
||||
|
||||
status = StoreModuleExecutableRegionsInBuffer(
|
||||
&buffer,
|
||||
module_info.ImageBase,
|
||||
module_info.ImageSize,
|
||||
&bytes_written
|
||||
);
|
||||
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "StoreModuleExecutableRegionsInBuffe failed with status %x", status );
|
||||
return status;
|
||||
}
|
||||
|
||||
Irp->IoStatus.Information = bytes_written;
|
||||
|
||||
RtlCopyMemory(
|
||||
Irp->AssociatedIrp.SystemBuffer,
|
||||
buffer,
|
||||
bytes_written
|
||||
);
|
||||
|
||||
if ( buffer )
|
||||
ExFreePoolWithTag( buffer, POOL_TAG_INTEGRITY );
|
||||
|
||||
return status;
|
||||
}
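Review bot: In RetrieveInMemoryModuleExecutableSections the RtlCopyMemory into `Irp->AssociatedIrp.SystemBuffer` is bounded only by `bytes_written`, the size of the kernel buffer that StoreModuleExecutableRegionsInBuffer produced, never by the length the requester supplied; if that count exceeds `Parameters.DeviceIoControl.OutputBufferLength` of the current stack location the copy overruns the system buffer, and `Irp->IoStatus.Information` is already set to the oversized count before the copy. The copy also runs before the `if ( buffer )` guard, so a NULL buffer would be dereferenced rather than skipped. The length should be compared with the output buffer length first and STATUS_BUFFER_TOO_SMALL returned through the existing cleanup; the rewritten tail is below. Smaller points in the same file: `SIZE_T bytes_written = NULL;` (here and in the VerifyInMemoryImageVsDiskImage hunk) initialises an integer with the pointer constant and should be `0`; `_In_ PSIZE_T BytesWritten` is written through at `*BytesWritten = ...` and should be annotated `_Out_`; and the error string `"StoreModuleExecutableRegionsInBuffe failed ..."` drops the last letter of the function name.
```c
    // … unchanged: GetModuleInformationByName and StoreModuleExecutableRegionsInBuffer calls with their status checks …

    PIO_STACK_LOCATION stack_location = IoGetCurrentIrpStackLocation( Irp );

    if ( buffer == NULL ||
         stack_location->Parameters.DeviceIoControl.OutputBufferLength < bytes_written )
    {
        DEBUG_ERROR( "Output buffer too small for executable regions" );
        status = STATUS_BUFFER_TOO_SMALL;
        goto end;
    }

    Irp->IoStatus.Information = bytes_written;

    RtlCopyMemory(
        Irp->AssociatedIrp.SystemBuffer,
        buffer,
        bytes_written
    );

end:

    if ( buffer )
        ExFreePoolWithTag( buffer, POOL_TAG_INTEGRITY );

    return status;
```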
|
|
@ -13,7 +13,13 @@ NTSTATUS GetDriverImageSize(
|
|||
_In_ PIRP Irp
|
||||
);
|
||||
|
||||
NTSTATUS VerifyInMemoryImageVsDiskImage();
|
||||
NTSTATUS VerifyInMemoryImageVsDiskImage(
|
||||
|
||||
);
|
||||
|
||||
NTSTATUS RetrieveInMemoryModuleExecutableSections(
|
||||
_In_ PIRP Irp
|
||||
);
|
||||
|
||||
NTSTATUS
|
||||
NTAPI
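Review bot: The replacement declaration `NTSTATUS VerifyInMemoryImageVsDiskImage(` followed by a blank line and `);` still has empty parentheses, which in C declares a function with unspecified parameters rather than none, so a call passing arguments is not diagnosed; write it as `NTSTATUS VerifyInMemoryImageVsDiskImage( VOID );` on one line. The new `RetrieveInMemoryModuleExecutableSections( _In_ PIRP Irp )` prototype returns NTSTATUS, but DeviceControl hands it to PsCreateSystemThread as the start routine, whose type is a VOID routine taking a PVOID context; a header comment stating that this function is a thread start routine and that its return value is discarded would stop callers from relying on it, and the declaration can carry the `KSTART_ROUTINE` role note for the same reason.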
|
||||
|
|
|
@ -150,47 +150,47 @@ NTSTATUS DeviceControl(
|
|||
|
||||
case IOCTL_RETRIEVE_MODULE_EXECUTABLE_REGIONS:
|
||||
|
||||
//status = PsCreateSystemThread(
|
||||
// &handle,
|
||||
// PROCESS_ALL_ACCESS,
|
||||
// NULL,
|
||||
// NULL,
|
||||
// NULL,
|
||||
// CopyDriverExecutableRegions,
|
||||
// Irp
|
||||
//);
|
||||
status = PsCreateSystemThread(
|
||||
&handle,
|
||||
PROCESS_ALL_ACCESS,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
RetrieveInMemoryModuleExecutableSections,
|
||||
Irp
|
||||
);
|
||||
|
||||
//if ( !NT_SUCCESS( status ) )
|
||||
//{
|
||||
// DEBUG_ERROR( "Failed to start system thread to get executable regions" );
|
||||
// goto end;
|
||||
//}
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "Failed to start system thread to get executable regions" );
|
||||
goto end;
|
||||
}
|
||||
|
||||
//status = ObReferenceObjectByHandle(
|
||||
// handle,
|
||||
// THREAD_ALL_ACCESS,
|
||||
// *PsThreadType,
|
||||
// KernelMode,
|
||||
// &thread,
|
||||
// NULL
|
||||
//);
|
||||
status = ObReferenceObjectByHandle(
|
||||
handle,
|
||||
THREAD_ALL_ACCESS,
|
||||
*PsThreadType,
|
||||
KernelMode,
|
||||
&thread,
|
||||
NULL
|
||||
);
|
||||
|
||||
//if ( !NT_SUCCESS( status ) )
|
||||
//{
|
||||
// DEBUG_ERROR( "ObReferenceObjectbyhandle failed with status %lx", status );
|
||||
// ZwClose( handle );
|
||||
// goto end;
|
||||
//}
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
{
|
||||
DEBUG_ERROR( "ObReferenceObjectbyhandle failed with status %lx", status );
|
||||
ZwClose( handle );
|
||||
goto end;
|
||||
}
|
||||
|
||||
//PAGED_CODE();
|
||||
PAGED_CODE();
|
||||
|
||||
//KeWaitForSingleObject( thread, Executive, KernelMode, FALSE, NULL );;
|
||||
KeWaitForSingleObject( thread, Executive, KernelMode, FALSE, NULL );;
|
||||
|
||||
//ZwClose( handle );
|
||||
//ObDereferenceObject( thread );
|
||||
ZwClose( handle );
|
||||
ObDereferenceObject( thread );
|
||||
|
||||
//if ( !NT_SUCCESS( status ) )
|
||||
// DEBUG_ERROR( "Failed to retrieve executable regions" );
|
||||
if ( !NT_SUCCESS( status ) )
|
||||
DEBUG_ERROR( "Failed to retrieve executable regions" );
|
||||
|
||||
break;
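Review bot: After `KeWaitForSingleObject( thread, ... )` the `status` tested by the final `if ( !NT_SUCCESS( status ) ) DEBUG_ERROR( "Failed to retrieve executable regions" );` is still the return value of ObReferenceObjectByHandle, so a failure inside RetrieveInMemoryModuleExecutableSections is never observed here and the request appears to complete successfully; the worker's NTSTATUS is in any case discarded, since the start routine passed to PsCreateSystemThread is invoked as a VOID routine with a PVOID context. If the result matters, the worker should record it where DeviceControl can read it after the wait — a status field in a context structure passed instead of the bare `Irp`, or `Irp->IoStatus.Status` — and the check after the wait should read that. Two smaller points: `KeWaitForSingleObject( thread, Executive, KernelMode, FALSE, NULL );;` has a stray second semicolon, and `PAGED_CODE();` is conventionally the first statement of a pageable routine rather than placed after the thread has already been created and referenced. DeviceControl begins and ends outside the hunk, so the `end:` label and the IRP completion that follow it are not visible here.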
|
||||
|
||||
|
|
|
@ -120,4 +120,5 @@ VOID ValidateKPCRBThreads(
|
|||
|
||||
KeRevertToUserAffinityThreadEx( old_affinity );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|