completely refactor pool.c

2024-11-21 22:24:08 +01:00 · 2024-08-04 15:15:37 +10:00 · 2024-08-04 15:15:37 +10:00 · 87ffb31b83
commit 87ffb31b83
parent 197796d004
8 changed files with 269 additions and 819 deletions
--- a/README.md
+++ b/README.md
@ -7,20 +7,18 @@ open source anti cheat (lol) which I made for fun.
 - Attached thread detection
 - Process module .text section integrity checks
 - NMI stackwalking via isr iretq
- APC stackwalking via RtlCaptureStackBackTrace
- DPC stackwalking via RtlCaptureStackBackTrace
+- APC, DPC stackwalking
 - Return address exception hooking detection
 - Chained .data pointer detection (iffy)
 - Handle stripping via obj callbacks
 - Process handle table enumeration
 - System module device object verification
 - System module .text integrity checks
- Unlinked process detection
- Removed thread PspCidTable entry detection
- Dispatch routine validation
- Extraction of hardware identifiers
+- Removal of threads cid table entry detection
+- Driver dispatch routine validation
+- Extraction of various hardware identifiers
 - EPT hook detection
- Driver integrity checks both locally and over server
+- Various image integrity checks both of driver + module
 - Hypervisor detection
 - HalDispatch and HalPrivateDispatch routine validation
 - Dynamic import resolving & encryption
--- a/driver/common.h
+++ b/driver/common.h
@ -414,8 +414,6 @@ typedef struct _ACTIVE_SESSION {
 * Some nice macros courtesy of:
 * https://www.unknowncheats.me/forum/general-programming-and-reversing/523359-introduction-physical-memory.html
 */
-#define IS_LARGE_PAGE(x)   ((BOOLEAN)((x >> 7) & 1))
-#define IS_PAGE_PRESENT(x) ((BOOLEAN)(x & 1))

 #define PAGE_1GB_SHIFT     30
 #define PAGE_1GB_OFFSET(x) (x & (~(MAXUINT64 << PAGE_1GB_SHIFT)))
--- a/driver/containers/map.c
+++ b/driver/containers/map.c
@ -10,6 +10,12 @@ RtlHashmapDelete(_In_ PRTL_HASHMAP Hashmap)
    ExDeleteLookasideListEx(&Hashmap->pool);
 }

+VOID
+RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap)
+{
+    Hashmap->active = FALSE;
+}
+
 NTSTATUS
 RtlHashmapCreate(
    _In_ UINT32 BucketCount,
--- a/driver/containers/map.h
+++ b/driver/containers/map.h
@ -85,11 +85,7 @@ RtlHashmapHashKeyAndAcquireBucket(_Inout_ PRTL_HASHMAP Hashmap,
 VOID
 RtlHashmapReleaseBucket(_Inout_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index);

-FORCEINLINE
 VOID
-RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap)
-{
-    Hashmap->active = FALSE;
-}
+RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap);

 #endif
--- a/driver/driver.c
+++ b/driver/driver.c
@ -466,6 +466,7 @@ DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
    UnregisterProcessCreateNotifyRoutine();
    UnregisterImageLoadNotifyRoutine();

+
    DrvUnloadFreeThreadList();
    DrvUnloadFreeProcessList();
    DrvUnloadFreeDriverList();
@ -1048,6 +1049,7 @@ DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)

    SetDriverLoadedFlag();
    TpmExtractEndorsementKey();
+    //PoolScanForManualMappedDrivers();

    DEBUG_INFO("Driver Entry Complete.");
    return STATUS_SUCCESS;
--- a/driver/hv.c
+++ b/driver/hv.c
@ -30,6 +30,9 @@ APERFMsrTimingCheck()
    KAFFINITY new_affinity = {0};
    KAFFINITY old_affinity = {0};
    UINT64 old_irql = 0;
+    UINT64 aperf_delta = 0;
+    UINT64 aperf_before = 0;
+    UINT64 aperf_after = 0;
    INT cpuid_result[4];

    /*
@ -59,9 +62,9 @@ APERFMsrTimingCheck()
     * which we don't really care about and immediately after read the APERF
     * counter once again and store it in a seperate variable.
     */
-    UINT64 aperf_before = __readmsr(IA32_APERF_MSR) << 32;
+    aperf_before = __readmsr(IA32_APERF_MSR) << 32;
    __cpuid(cpuid_result, 1);
-    UINT64 aperf_after = __readmsr(IA32_APERF_MSR) << 32;
+    aperf_after = __readmsr(IA32_APERF_MSR) << 32;

    /*
     * Once we have performed our test, we want to make sure we are not
@ -79,7 +82,7 @@ APERFMsrTimingCheck()
     * VMs such as VMWARE the aperf value will be 0, meaning the change will
     * be 0. This is a dead giveaway we are executing in a VM.
     */
-    UINT64 aperf_delta = aperf_after - aperf_before;
+    aperf_delta = aperf_after - aperf_before;

    return aperf_delta == 0 ? TRUE : FALSE;
 }
@ -89,15 +92,16 @@ PerformVirtualizationDetection(_Inout_ PIRP Irp)
 {
    PAGED_CODE();

-    NTSTATUS status =
-        ValidateIrpOutputBuffer(Irp, sizeof(HYPERVISOR_DETECTION_REPORT));
+    NTSTATUS status = STATUS_UNSUCCESSFUL;
+    HYPERVISOR_DETECTION_REPORT report = {0};
+
+    status = ValidateIrpOutputBuffer(Irp, sizeof(HYPERVISOR_DETECTION_REPORT));

    if (!NT_SUCCESS(status)) {
        DEBUG_ERROR("ValidateIrpOutputBuffer failed with status %x", status);
        return status;
    }

-    HYPERVISOR_DETECTION_REPORT report = {0};
    report.aperf_msr_timing_check = APERFMsrTimingCheck();
    report.invd_emulation_check = TestINVDEmulation();

--- a/driver/pool.c
+++ b/driver/pool.c
--- a/driver/pool.h
+++ b/driver/pool.h
@ -4,16 +4,12 @@
 #include <ntifs.h>
 #include "common.h"

-NTSTATUS
-FindUnlinkedProcesses();
-
-VOID
-GetPsActiveProcessHead(_Out_ PUINT64 Address);
-
-PKDDEBUGGER_DATA64
-GetGlobalDebuggerData();
+typedef BOOLEAN (*PAGE_CALLBACK)(_In_ UINT64 Page, _In_ UINT32 PageSize, _In_opt_ PVOID Context);

 NTSTATUS
-EnumerateBigPoolAllocations();
+PoolScanSystemSpace(_In_ PAGE_CALLBACK Callback, _In_opt_ PVOID Context);
+
+NTSTATUS
+PoolScanForManualMappedDrivers();

 #endif