completely refactor pool.c
This commit is contained in:
parent
197796d004
commit
87ffb31b83
8 changed files with 269 additions and 819 deletions
12
README.md
12
README.md
|
@ -7,20 +7,18 @@ open source anti cheat (lol) which I made for fun.
|
|||
- Attached thread detection
|
||||
- Process module .text section integrity checks
|
||||
- NMI stackwalking via isr iretq
|
||||
- APC stackwalking via RtlCaptureStackBackTrace
|
||||
- DPC stackwalking via RtlCaptureStackBackTrace
|
||||
- APC, DPC stackwalking
|
||||
- Return address exception hooking detection
|
||||
- Chained .data pointer detection (iffy)
|
||||
- Handle stripping via obj callbacks
|
||||
- Process handle table enumeration
|
||||
- System module device object verification
|
||||
- System module .text integrity checks
|
||||
- Unlinked process detection
|
||||
- Removed thread PspCidTable entry detection
|
||||
- Dispatch routine validation
|
||||
- Extraction of hardware identifiers
|
||||
- Removal of threads cid table entry detection
|
||||
- Driver dispatch routine validation
|
||||
- Extraction of various hardware identifiers
|
||||
- EPT hook detection
|
||||
- Driver integrity checks both locally and over server
|
||||
- Various image integrity checks both of driver + module
|
||||
- Hypervisor detection
|
||||
- HalDispatch and HalPrivateDispatch routine validation
|
||||
- Dynamic import resolving & encryption
|
||||
|
|
|
@ -414,8 +414,6 @@ typedef struct _ACTIVE_SESSION {
|
|||
* Some nice macros courtesy of:
|
||||
* https://www.unknowncheats.me/forum/general-programming-and-reversing/523359-introduction-physical-memory.html
|
||||
*/
|
||||
#define IS_LARGE_PAGE(x) ((BOOLEAN)((x >> 7) & 1))
|
||||
#define IS_PAGE_PRESENT(x) ((BOOLEAN)(x & 1))
|
||||
|
||||
#define PAGE_1GB_SHIFT 30
|
||||
#define PAGE_1GB_OFFSET(x) (x & (~(MAXUINT64 << PAGE_1GB_SHIFT)))
|
||||
|
|
|
@ -10,6 +10,12 @@ RtlHashmapDelete(_In_ PRTL_HASHMAP Hashmap)
|
|||
ExDeleteLookasideListEx(&Hashmap->pool);
|
||||
}
|
||||
|
||||
VOID
|
||||
RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap)
|
||||
{
|
||||
Hashmap->active = FALSE;
|
||||
}
|
||||
|
||||
NTSTATUS
|
||||
RtlHashmapCreate(
|
||||
_In_ UINT32 BucketCount,
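Review bot: The store `Hashmap->active = FALSE;` in the new out-of-line RtlHashmapSetInactive is a plain, unsynchronized write, and nothing in the hunk says what protects it; given the RtlHashmapHashKeyAndAcquireBucket/RtlHashmapReleaseBucket pair in the header, readers presumably test `active` before or after taking a bucket, so a reader can observe the map as active and proceed while RtlHashmapDelete tears down the lookaside list. Either document that the caller must have quiesced all users (or hold every bucket) before calling it, or make the flag an interlocked store and have readers re-check it under the bucket lock. The same function is declared in the header hunk (`RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap);`, which drops FORCEINLINE), and that declaration would benefit from a one-line contract comment such as `/* Marks the map inactive; caller guarantees no lookup or insert is in flight. */`.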
|
||||
|
|
|
@ -85,11 +85,7 @@ RtlHashmapHashKeyAndAcquireBucket(_Inout_ PRTL_HASHMAP Hashmap,
|
|||
VOID
|
||||
RtlHashmapReleaseBucket(_Inout_ PRTL_HASHMAP Hashmap, _In_ UINT32 Index);
|
||||
|
||||
FORCEINLINE
|
||||
VOID
|
||||
RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap)
|
||||
{
|
||||
Hashmap->active = FALSE;
|
||||
}
|
||||
RtlHashmapSetInactive(_Inout_ PRTL_HASHMAP Hashmap);
|
||||
|
||||
#endif
|
|
@ -466,6 +466,7 @@ DriverUnload(_In_ PDRIVER_OBJECT DriverObject)
|
|||
UnregisterProcessCreateNotifyRoutine();
|
||||
UnregisterImageLoadNotifyRoutine();
|
||||
|
||||
|
||||
DrvUnloadFreeThreadList();
|
||||
DrvUnloadFreeProcessList();
|
||||
DrvUnloadFreeDriverList();
|
||||
|
@ -1048,6 +1049,7 @@ DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
|
|||
|
||||
SetDriverLoadedFlag();
|
||||
TpmExtractEndorsementKey();
|
||||
//PoolScanForManualMappedDrivers();
|
||||
|
||||
DEBUG_INFO("Driver Entry Complete.");
|
||||
return STATUS_SUCCESS;
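Review bot: `//PoolScanForManualMappedDrivers();` adds commented-out code to DriverEntry, which tends to rot silently; if the scan is intentionally disabled while the refactored pool scanner is validated, replace the line with a comment stating why and when it should come back, e.g. `// TODO(pool): re-enable PoolScanForManualMappedDrivers once the refactored scanner is validated`, otherwise remove it. The reason is not visible anywhere in this commit, so I am inferring it from the pool.c rewrite. DriverEntry's body starts outside this hunk.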
|
||||
|
|
16
driver/hv.c
16
driver/hv.c
|
@ -30,6 +30,9 @@ APERFMsrTimingCheck()
|
|||
KAFFINITY new_affinity = {0};
|
||||
KAFFINITY old_affinity = {0};
|
||||
UINT64 old_irql = 0;
|
||||
UINT64 aperf_delta = 0;
|
||||
UINT64 aperf_before = 0;
|
||||
UINT64 aperf_after = 0;
|
||||
INT cpuid_result[4];
|
||||
|
||||
/*
|
||||
|
@ -59,9 +62,9 @@ APERFMsrTimingCheck()
|
|||
* which we don't really care about and immediately after read the APERF
|
||||
* counter once again and store it in a seperate variable.
|
||||
*/
|
||||
UINT64 aperf_before = __readmsr(IA32_APERF_MSR) << 32;
|
||||
aperf_before = __readmsr(IA32_APERF_MSR) << 32;
|
||||
__cpuid(cpuid_result, 1);
|
||||
UINT64 aperf_after = __readmsr(IA32_APERF_MSR) << 32;
|
||||
aperf_after = __readmsr(IA32_APERF_MSR) << 32;
|
||||
|
||||
/*
|
||||
* Once we have performed our test, we want to make sure we are not
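Review bot: `aperf_before = __readmsr(IA32_APERF_MSR) << 32;` and the matching `aperf_after` line shift the 64-bit counter left by 32, which discards its upper half and leaves `aperf_delta` sensitive only to the low 32 bits of APERF; the commit turns these lines into assignments but keeps the shift, and the surrounding comment explains only the read-cpuid-read sequence, not the shift. If the intent is to compare the full counter, drop the `<< 32` on both lines; if it is deliberate, a comment saying so would stop the next reader from "fixing" it. The check still detects a zero delta either way, since the low bits are the ones that move, but that seems accidental rather than designed. APERFMsrTimingCheck starts and ends outside this hunk.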
|
||||
|
@ -79,7 +82,7 @@ APERFMsrTimingCheck()
|
|||
* VMs such as VMWARE the aperf value will be 0, meaning the change will
|
||||
* be 0. This is a dead giveaway we are executing in a VM.
|
||||
*/
|
||||
UINT64 aperf_delta = aperf_after - aperf_before;
|
||||
aperf_delta = aperf_after - aperf_before;
|
||||
|
||||
return aperf_delta == 0 ? TRUE : FALSE;
|
||||
}
|
||||
|
@ -89,15 +92,16 @@ PerformVirtualizationDetection(_Inout_ PIRP Irp)
|
|||
{
|
||||
PAGED_CODE();
|
||||
|
||||
NTSTATUS status =
|
||||
ValidateIrpOutputBuffer(Irp, sizeof(HYPERVISOR_DETECTION_REPORT));
|
||||
NTSTATUS status = STATUS_UNSUCCESSFUL;
|
||||
HYPERVISOR_DETECTION_REPORT report = {0};
|
||||
|
||||
status = ValidateIrpOutputBuffer(Irp, sizeof(HYPERVISOR_DETECTION_REPORT));
|
||||
|
||||
if (!NT_SUCCESS(status)) {
|
||||
DEBUG_ERROR("ValidateIrpOutputBuffer failed with status %x", status);
|
||||
return status;
|
||||
}
|
||||
|
||||
HYPERVISOR_DETECTION_REPORT report = {0};
|
||||
report.aperf_msr_timing_check = APERFMsrTimingCheck();
|
||||
report.invd_emulation_check = TestINVDEmulation();
|
||||
|
||||
|
|
1032
driver/pool.c
1032
driver/pool.c
|
@ -4,16 +4,12 @@
|
|||
#include <ntifs.h>
|
||||
#include "common.h"
|
||||
|
||||
NTSTATUS
|
||||
FindUnlinkedProcesses();
|
||||
|
||||
VOID
|
||||
GetPsActiveProcessHead(_Out_ PUINT64 Address);
|
||||
|
||||
PKDDEBUGGER_DATA64
|
||||
GetGlobalDebuggerData();
|
||||
typedef BOOLEAN (*PAGE_CALLBACK)(_In_ UINT64 Page, _In_ UINT32 PageSize, _In_opt_ PVOID Context);
|
||||
|
||||
NTSTATUS
|
||||
EnumerateBigPoolAllocations();
|
||||
PoolScanSystemSpace(_In_ PAGE_CALLBACK Callback, _In_opt_ PVOID Context);
|
||||
|
||||
NTSTATUS
|
||||
PoolScanForManualMappedDrivers();
|
||||
|
||||
#endif
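Review bot: `PoolScanForManualMappedDrivers();` is declared with empty parentheses, which in C is a non-prototype declaration that disables argument checking at call sites; write `PoolScanForManualMappedDrivers(VOID);` (the `PoolScanSystemSpace` declaration is already fully prototyped). The new `PAGE_CALLBACK` typedef carries no documentation of its contract, and the header alone does not say whether returning TRUE continues or stops the scan, or whether `PageSize` is in bytes, so a comment above the typedef stating both would help callers; I cannot confirm the semantics here because the pool.c diff is suppressed on this page. The removed declarations (FindUnlinkedProcesses, GetPsActiveProcessHead, GetGlobalDebuggerData, EnumerateBigPoolAllocations) presumably moved or were dropped with the rewrite; worth confirming no other translation unit still calls them.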
|