noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

bios

Browse source
This commit is contained in:
lhodges1 2023-09-04 23:36:26 +10:00
parent 9596e0e1c8
commit 911eff67ae
9 changed files with 271 additions and 102 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
driver/common.h
View file

@ -937,6 +937,59 @@ typedef union _PD_ENTRY_LARGE
// };
//} KAPC_STATE, * PKAPC_STATE, * PRKAPC_STATE;
typedef struct _RAW_SMBIOS_DATA
{
BYTE Used20CallingMethod;
BYTE SMBIOSMajorVersion;
BYTE SMBIOSMinorVersion;
BYTE DmiRevision;
UINT32 Length;
BYTE SMBIOSTableData[];
} RAW_SMBIOS_DATA, * PRAW_SMBIOS_DATA;
typedef struct _SMBIOS_TABLE_HEADER
{
UCHAR Type;
UCHAR Length;
USHORT Handle;
PCHAR TableData;
} SMBIOS_TABLE_HEADER, *PSMBIOS_TABLE_HEADER;
typedef struct _RAW_SMBIOS_TABLE_01
{
UCHAR Type;
UCHAR Length;
USHORT Handle;
UCHAR Manufacturer;
UCHAR ProductName;
UCHAR Version;
UCHAR SerialNumber;
UCHAR UUID[ 16 ];
UCHAR WakeUpType;
UCHAR SKUNumber;
UCHAR Family;
} RAW_SMBIOS_TABLE_01, *PRAW_SMBIOS_TABLE_01;
typedef struct _RAW_SMBIOS_TABLE_02 {
UCHAR Type;
UCHAR Length;
USHORT Handle;
BYTE Manufacturer;
BYTE Product;
BYTE Version;
BYTE SerialNumber;
BYTE AssetTag;
BYTE FeatureFlags;
BYTE LocationInChassis;
UINT16 ChassisHandle;
BYTE BoardType;
BYTE NumberOfContainedObjectHandles;
BYTE ContainedObjectHandles[ 256 ];
}RAW_SMBIOS_TABLE_02, *PRAW_SMBIOS_TABLE_02;
NTKERNELAPI
BOOLEAN
ExEnumHandleTable(

16
driver/driver.c
View file

@ -12,7 +12,6 @@
#include "queue.h"
DRIVER_CONFIG driver_config = { 0 };
PROCESS_CONFIG process_config = { 0 };
@ -227,10 +226,23 @@ NTSTATUS InitialiseDriverConfigOnDriverEntry(
return status;
}
status = ParseSMBIOSTable(
&driver_config.system_information.motherboard_uuid,
sizeof(driver_config.system_information.motherboard_uuid)
);
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "ParseSMBIOSTable failed with status %x", status );
FreeDriverConfigurationStringBuffers();
return status;
}
DEBUG_LOG( "Motherboard serial: %s", driver_config.system_information.motherboard_uuid );
return status;
}
NTSTATUS InitialiseProcessConfigOnProcessLaunch(
_In_ PIRP Irp
)

8
driver/driver.h
View file

@ -7,6 +7,13 @@
#include "common.h"
#define DRIVER_PATH_MAX_LENGTH 512
#define MOTHERBOARD_SERIAL_CODE_LENGTH 128
typedef struct _SYSTEM_INFORMATION
{
CHAR motherboard_uuid[ MOTHERBOARD_SERIAL_CODE_LENGTH ];
}SYSTEM_INFORMATION, * PSYSTEM_INFORMATION;
/*
* This structure is strictly for driver related stuff
@ -23,6 +30,7 @@ typedef struct _DRIVER_CONFIG
UNICODE_STRING device_symbolic_link;
UNICODE_STRING driver_path;
UNICODE_STRING registry_path;
SYSTEM_INFORMATION system_information;
KGUARDED_MUTEX lock;
}DRIVER_CONFIG, *PDRIVER_CONFIG;

184
driver/integrity.c
View file

@ -119,7 +119,7 @@ NTSTATUS StoreModuleExecutableRegionsInBuffer(
*Buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, ModuleSize + sizeof( INTEGRITY_CHECK_HEADER ), POOL_TAG_INTEGRITY );
if ( !*Buffer )
return STATUS_ABANDONED;
return STATUS_MEMORY_NOT_ALLOCATED;
/*
* Note: Verifier doesn't like it when we map the module so rather then mapping it to our address
@ -381,6 +381,12 @@ NTSTATUS ComputeHashOfBuffer(
hash_object = ExAllocatePool2( POOL_FLAG_NON_PAGED, hash_object_size, POOL_TAG_INTEGRITY );
if ( !hash_object )
{
status = STATUS_MEMORY_NOT_ALLOCATED;
goto end;
}
/*
* This call gets the size of the resulting hash, which we will use to allocate the
* resulting hash buffer.
@ -404,7 +410,10 @@ NTSTATUS ComputeHashOfBuffer(
resulting_hash = ExAllocatePool2( POOL_FLAG_NON_PAGED, resulting_hash_size, POOL_TAG_INTEGRITY );
if ( !resulting_hash )
{
status = STATUS_MEMORY_NOT_ALLOCATED;
goto end;
}
/*
* Here we create our hash object and store it in the hash_object buffer.
@ -709,3 +718,176 @@ NTSTATUS RetrieveInMemoryModuleExecutableSections(
return status;
}
/*
* From line 727 in the SMBIOS Specification:
*
* 727 Each structure shall be terminated by a double-null (0000h), either directly following the
* 728 formatted area (if no strings are present) or directly following the last string. This includes
* 729 system- and OEM-specific structures and allows upper-level software to easily traverse the
* 730 structure table. (See structure-termination examples later in this clause.)
*
* TLDR is that if the first character proceeding the structure is a null byte, then there are no strings,
* otherwise to find the end of the string section simply iterate until there is a double null terminator.
*
* source: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_2.7.1.pdf
*/
VOID GetNextSMBIOSStructureInTable(
_In_ PSMBIOS_TABLE_HEADER* CurrentStructure
)
{
PCHAR string_section_start = ( PCHAR )( ( UINT64 )*CurrentStructure + ( *CurrentStructure )->Length );
PCHAR current_char_in_strings = string_section_start;
PCHAR next_char_in_strings = string_section_start + 1;
for ( ;; )
{
if ( *current_char_in_strings == NULL_TERMINATOR && *next_char_in_strings == NULL_TERMINATOR )
{
*CurrentStructure = ( PSMBIOS_TABLE_HEADER )( ( UINT64 )next_char_in_strings + 1 );
return;
}
current_char_in_strings++;
next_char_in_strings++;
}
}
NTSTATUS GetStringAtIndexFromSMBIOSTable(
_In_ PSMBIOS_TABLE_HEADER Table,
_In_ INT Index,
_In_ PVOID Buffer,
_In_ SIZE_T BufferSize
)
{
INT current_string_char_index = 0;
INT string_count = 0;
PCHAR current_string_char = ( PCHAR )( ( UINT64 )Table + Table->Length );
PCHAR next_string_char = current_string_char + 1;
for ( ;; )
{
DEBUG_LOG("Current string count: %lx", string_count);
if ( *current_string_char == NULL_TERMINATOR && *next_string_char == NULL_TERMINATOR )
return STATUS_NOT_FOUND;
if ( current_string_char_index >= BufferSize )
return STATUS_BUFFER_TOO_SMALL;
if ( string_count + 1 == Index )
{
if ( *current_string_char == NULL_TERMINATOR )
return STATUS_SUCCESS;
DEBUG_LOG( "Current char: %c", *current_string_char );
RtlCopyMemory( ( UINT64 )Buffer + current_string_char_index, current_string_char, sizeof( CHAR ) );
current_string_char_index++;
goto increment;
}
if ( *current_string_char == NULL_TERMINATOR )
{
current_string_char_index = 0;
string_count++;
}
increment:
current_string_char++;
next_string_char++;
}
return STATUS_NOT_FOUND;
}
NTSTATUS ParseSMBIOSTable(
_In_ PVOID ConfigMotherboardSerialNumber,
_In_ SIZE_T ConfigMotherboardSerialNumberSize
)
{
NTSTATUS status;
PVOID firmware_table_buffer;
ULONG firmware_table_buffer_size = NULL;
ULONG bytes_returned;
PRAW_SMBIOS_DATA smbios_data;
PSMBIOS_TABLE_HEADER smbios_table_header;
PRAW_SMBIOS_TABLE_01 smbios_baseboard_information;
status = ExGetSystemFirmwareTable(
SMBIOS_TABLE,
NULL,
NULL,
firmware_table_buffer_size,
&firmware_table_buffer_size
);
/*
* Because we pass a null buffer here, the NTSTATUS result will be a BUFFER_TOO_SMALL error, so to validate
* this function call we check the return bytes returned (which indicate required buffer size) is above 0.
*/
if ( firmware_table_buffer_size == NULL )
{
DEBUG_ERROR( "ExGetSystemFirmwareTable call 1 failed to get required buffer size." );
return STATUS_BUFFER_TOO_SMALL;
}
firmware_table_buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, firmware_table_buffer_size, POOL_TAG_INTEGRITY );
if ( !firmware_table_buffer )
return STATUS_MEMORY_NOT_ALLOCATED;
status = ExGetSystemFirmwareTable(
SMBIOS_TABLE,
NULL,
firmware_table_buffer,
firmware_table_buffer_size,
&bytes_returned
);
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "ExGetSystemFirmwareTable call 2 failed with status %x", status );
goto end;
}
smbios_data = ( PRAW_SMBIOS_DATA )firmware_table_buffer;
smbios_table_header = ( PSMBIOS_TABLE_HEADER )(&smbios_data->SMBIOSTableData[0] );
/*
* The System Information table is equal to Type == 1 and contains the UUID of the motherboard
* in the computer among various other things.
*
* source: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_2.7.1.pdf line 823
*/
while ( smbios_table_header->Type != SMBIOS_SYSTEM_INFORMATION_TYPE_2_TABLE )
{
DEBUG_LOG( "table header: %llx", ( UINT64 )smbios_table_header );
GetNextSMBIOSStructureInTable( &smbios_table_header );
}
DEBUG_LOG( "2nd table header: %llx", ( UINT64 )smbios_table_header );
__debugbreak();
status = GetStringAtIndexFromSMBIOSTable(
smbios_table_header,
MOTHERBOARD_SERIAL_CODE_TABLE_INDEX,
ConfigMotherboardSerialNumber,
ConfigMotherboardSerialNumberSize
);
if ( !NT_SUCCESS( status ) )
{
DEBUG_ERROR( "GetStringAtIndexFromSMBIOSTable failed with status %x", status );
goto end;
}
end:
if ( firmware_table_buffer )
ExFreePoolWithTag( firmware_table_buffer, POOL_TAG_INTEGRITY );
return status;
}

10
driver/integrity.h
View file

@ -4,6 +4,11 @@
#include <ntifs.h>
#include "common.h"
#define SMBIOS_TABLE 'RSMB'
#define SMBIOS_SYSTEM_INFORMATION_TYPE_2_TABLE 2
#define NULL_TERMINATOR '\0'
#define MOTHERBOARD_SERIAL_CODE_TABLE_INDEX 7
NTSTATUS CopyDriverExecutableRegions(
_In_ PIRP Irp
);
@ -20,4 +25,9 @@ NTSTATUS RetrieveInMemoryModuleExecutableSections(
_In_ PIRP Irp
);
NTSTATUS ParseSMBIOSTable(
_In_ PVOID ConfigMotherboardSerialNumber,
_In_ SIZE_T ConfigMotherboardSerialNumberSize
);
#endif

7
driver/modules.c
View file

@ -757,11 +757,8 @@ NTSTATUS LaunchNonMaskableInterrupt(
InterlockedExchange( &ready, lock );
if ( ready > 0 )
{
while ( ready > 0 )
InterlockedExchange( &ready, lock );
}
while ( ready > 0 )
InterlockedExchange( &ready, lock );
InterlockedIncrement( &lock );

3
service/Program.cs
View file

@ -6,10 +6,9 @@ namespace service
{
public class Program
{
public static async Task Main(string[] args)
public static void Main(string[] args)
{
CreateHostBuilder(args).Build().Run();
//await Client.SendToServer();
}
public static IHostBuilder CreateHostBuilder(string[] args) =>

91
service/Types.cs
View file

@ -1,91 +0,0 @@
using Serilog;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Numerics;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace service
{
namespace Types
{
namespace Receive
{
struct PIPE_PACKET_SEND_EXTENSION_HEADER
{
public int request_id;
public int current_packet_number;
public int total_incoming_packet_count;
public uint packet_size;
public uint total_incoming_packet_size;
};
}
namespace Reports
{
[StructLayout(LayoutKind.Sequential)]
public unsafe struct MODULE_VERIFICATION_CHECKSUM_FAILURE
{
public int ReportCode;
public UInt64 ModuleBaseAddress;
public UInt64 ModuleSize;
public fixed char ModuleName[512];
}
public struct PROCESS_THREAD_START_FAILURE
{
public int ReportCode;
public long ThreadId;
public UInt64 StartAddress;
}
public struct PAGE_PROTECTION_FAILURE
{
public int ReportCode;
public UInt64 PageBaseAddress;
public long AllocationProtection;
public long AllocationState;
public long AllocationType;
}
public struct PATTERN_SCAN_FAILURE
{
public int ReportCode;
public int SignatureId;
public UInt64 Address;
}
public struct NMI_CALLBACK_FAILURE
{
public int ReportCode;
public int WereNmisDisabled;
public UInt64 KThreadAddress;
public UInt64 InvalidRip;
}
[StructLayout(LayoutKind.Sequential)]
public unsafe struct MODULE_VALIDATION_FAILURE
{
public int ReportCode;
public int ReportType;
public long DriverBaseAddress;
public long DriverSize;
public fixed char ModuleName[128];
}
[StructLayout(LayoutKind.Sequential)]
public unsafe struct OPEN_HANDLE_FAILURE_REPORT
{
public int ReportCode;
public int IsKernelHandle;
public uint ProcessId;
public uint ThreadId;
public uint DesiredAccess;
public fixed char ProcessName[64];
}
}
}
}

1
service/Worker.cs
View file

@ -1,7 +1,6 @@
using System.IO.Pipes;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using service.Types;
using System;
using System.Reflection.PortableExecutable;
using System.Net.Sockets;