noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

completely refactor pool.c

Browse source
This commit is contained in:
donnaskiez 2024-08-04 15:15:37 +10:00
parent 197796d004
commit 87ffb31b83
8 changed files with 269 additions and 819 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
README.md
View file

@ -7,20 +7,18 @@ open source anti cheat (lol) which I made for fun.
- Attached thread detection - Attached thread detection
- Process module .text section integrity checks - Process module .text section integrity checks
- NMI stackwalking via isr iretq - NMI stackwalking via isr iretq
- APC stackwalking via RtlCaptureStackBackTrace - APC, DPC stackwalking
- DPC stackwalking via RtlCaptureStackBackTrace
- Return address exception hooking detection - Return address exception hooking detection
- Chained .data pointer detection (iffy) - Chained .data pointer detection (iffy)
- Handle stripping via obj callbacks - Handle stripping via obj callbacks
- Process handle table enumeration - Process handle table enumeration
- System module device object verification - System module device object verification
- System module .text integrity checks - System module .text integrity checks
- Unlinked process detection - Removal of threads cid table entry detection
- Removed thread PspCidTable entry detection - Driver dispatch routine validation
- Dispatch routine validation - Extraction of various hardware identifiers
- Extraction of hardware identifiers
- EPT hook detection - EPT hook detection
- Driver integrity checks both locally and over server - Various image integrity checks both of driver + module
- Hypervisor detection - Hypervisor detection
- HalDispatch and HalPrivateDispatch routine validation - HalDispatch and HalPrivateDispatch routine validation
- Dynamic import resolving & encryption - Dynamic import resolving & encryption

2
driver/common.h
View file

@ -414,8 +414,6 @@ typedef struct _ACTIVE_SESSION {
* Some nice macros courtesy of: * Some nice macros courtesy of:
* https://www.unknowncheats.me/forum/general-programming-and-reversing/523359-introduction-physical-memory.html * https://www.unknowncheats.me/forum/general-programming-and-reversing/523359-introduction-physical-memory.html
*/ */
#define IS_LARGE_PAGE(x) ((BOOLEAN)((x >> 7) & 1))
#define IS_PAGE_PRESENT(x) ((BOOLEAN)(x & 1))
#define PAGE_1GB_SHIFT 30 #define PAGE_1GB_SHIFT 30
#define PAGE_1GB_OFFSET(x) (x & (~(MAXUINT64 << PAGE_1GB_SHIFT))) #define PAGE_1GB_OFFSET(x) (x & (~(MAXUINT64 << PAGE_1GB_SHIFT)))

6
driver/containers/map.c
View file

@ -10,6 +10,12 @@ RtlHashmapDelete(_In_ PRTL_HASHMAP Hashmap)
ExDeleteLookasideListEx(&Hashmap->pool); ExDeleteLookasideListEx(&Hashmap->pool);
} }
VOID
RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap)
{
Hashmap->active = FALSE;
}
NTSTATUS NTSTATUS
RtlHashmapCreate( RtlHashmapCreate(
_In_ UINT32 BucketCount, _In_ UINT32 BucketCount,

6
driver/containers/map.h
View file

@ -85,11 +85,7 @@ RtlHashmapHashKeyAndAcquireBucket(_Inout_ PRTL_HASHMAP Hashmap,
VOID VOID
RtlHashmapReleaseBucket(_Inout_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index); RtlHashmapReleaseBucket(_Inout_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index);
FORCEINLINE
VOID VOID
RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap) RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap);
{
Hashmap->active = FALSE;
}
#endif #endif

2
driver/driver.c
View file

@ -466,6 +466,7 @@ DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
UnregisterProcessCreateNotifyRoutine(); UnregisterProcessCreateNotifyRoutine();
UnregisterImageLoadNotifyRoutine(); UnregisterImageLoadNotifyRoutine();
DrvUnloadFreeThreadList(); DrvUnloadFreeThreadList();
DrvUnloadFreeProcessList(); DrvUnloadFreeProcessList();
DrvUnloadFreeDriverList(); DrvUnloadFreeDriverList();
@ -1048,6 +1049,7 @@ DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
SetDriverLoadedFlag(); SetDriverLoadedFlag();
TpmExtractEndorsementKey(); TpmExtractEndorsementKey();
//PoolScanForManualMappedDrivers();
DEBUG_INFO("Driver Entry Complete."); DEBUG_INFO("Driver Entry Complete.");
return STATUS_SUCCESS; return STATUS_SUCCESS;

16
driver/hv.c
View file

@ -30,6 +30,9 @@ APERFMsrTimingCheck()
KAFFINITY new_affinity = {0}; KAFFINITY new_affinity = {0};
KAFFINITY old_affinity = {0}; KAFFINITY old_affinity = {0};
UINT64 old_irql = 0; UINT64 old_irql = 0;
UINT64 aperf_delta = 0;
UINT64 aperf_before = 0;
UINT64 aperf_after = 0;
INT cpuid_result[4]; INT cpuid_result[4];
/* /*
@ -59,9 +62,9 @@ APERFMsrTimingCheck()
* which we don't really care about and immediately after read the APERF * which we don't really care about and immediately after read the APERF
* counter once again and store it in a seperate variable. * counter once again and store it in a seperate variable.
*/ */
UINT64 aperf_before = __readmsr(IA32_APERF_MSR) << 32; aperf_before = __readmsr(IA32_APERF_MSR) << 32;
__cpuid(cpuid_result, 1); __cpuid(cpuid_result, 1);
UINT64 aperf_after = __readmsr(IA32_APERF_MSR) << 32; aperf_after = __readmsr(IA32_APERF_MSR) << 32;
/* /*
* Once we have performed our test, we want to make sure we are not * Once we have performed our test, we want to make sure we are not
@ -79,7 +82,7 @@ APERFMsrTimingCheck()
* VMs such as VMWARE the aperf value will be 0, meaning the change will * VMs such as VMWARE the aperf value will be 0, meaning the change will
* be 0. This is a dead giveaway we are executing in a VM. * be 0. This is a dead giveaway we are executing in a VM.
*/ */
UINT64 aperf_delta = aperf_after - aperf_before; aperf_delta = aperf_after - aperf_before;
return aperf_delta == 0 ? TRUE : FALSE; return aperf_delta == 0 ? TRUE : FALSE;
} }
@ -89,15 +92,16 @@ PerformVirtualizationDetection(_Inout_ PIRP Irp)
{ {
PAGED_CODE(); PAGED_CODE();
NTSTATUS status = NTSTATUS status = STATUS_UNSUCCESSFUL;
ValidateIrpOutputBuffer(Irp, sizeof(HYPERVISOR_DETECTION_REPORT)); HYPERVISOR_DETECTION_REPORT report = {0};
status = ValidateIrpOutputBuffer(Irp, sizeof(HYPERVISOR_DETECTION_REPORT));
if (!NT_SUCCESS(status)) { if (!NT_SUCCESS(status)) {
DEBUG_ERROR("ValidateIrpOutputBuffer failed with status %x", status); DEBUG_ERROR("ValidateIrpOutputBuffer failed with status %x", status);
return status; return status;
} }
HYPERVISOR_DETECTION_REPORT report = {0};
report.aperf_msr_timing_check = APERFMsrTimingCheck(); report.aperf_msr_timing_check = APERFMsrTimingCheck();
report.invd_emulation_check = TestINVDEmulation(); report.invd_emulation_check = TestINVDEmulation();

1030
driver/pool.c
View file

File diff suppressed because it is too large Load diff

14
driver/pool.h
View file

@ -4,16 +4,12 @@
#include <ntifs.h> #include <ntifs.h>
#include "common.h" #include "common.h"
NTSTATUS typedef BOOLEAN (*PAGE_CALLBACK)(_In_ UINT64 Page, _In_ UINT32 PageSize, _In_opt_ PVOID Context);
FindUnlinkedProcesses();
VOID
GetPsActiveProcessHead(_Out_ PUINT64 Address);
PKDDEBUGGER_DATA64
GetGlobalDebuggerData();
NTSTATUS NTSTATUS
EnumerateBigPoolAllocations(); PoolScanSystemSpace(_In_ PAGE_CALLBACK Callback, _In_opt_ PVOID Context);
NTSTATUS
PoolScanForManualMappedDrivers();
#endif #endif