e

2024-11-21 22:24:08 +01:00 · 2023-09-04 03:33:27 +10:00 · 2023-09-04 03:33:27 +10:00 · 9596e0e1c8
commit 9596e0e1c8
parent 4da48b7e65
6 changed files with 82 additions and 18 deletions
--- a/driver/driver.c
+++ b/driver/driver.c
@ -16,9 +16,6 @@
 DRIVER_CONFIG driver_config = { 0 };
 PROCESS_CONFIG process_config = { 0 };

-UNICODE_STRING image_path = RTL_CONSTANT_STRING( L"ImagePath" );
-UNICODE_STRING display_name = RTL_CONSTANT_STRING( L"DisplayName" );
-
 VOID ReadProcessInitialisedConfigFlag(
 	_Out_ PBOOLEAN Flag
 )
@ -111,7 +108,9 @@ NTSTATUS RegistryPathQueryCallbackRoutine(
 )
 {
 	UNICODE_STRING value_name;
-	BOOLEAN result;
+	UNICODE_STRING image_path = RTL_CONSTANT_STRING( L"ImagePath" );
+	UNICODE_STRING display_name = RTL_CONSTANT_STRING( L"DisplayName" );
+
 	RtlInitUnicodeString( &value_name, ValueName );

 	if ( RtlCompareUnicodeString(&value_name, &image_path, FALSE) == FALSE )
@ -175,7 +174,7 @@ NTSTATUS InitialiseDriverConfigOnDriverEntry(
 {
 	NTSTATUS status;

-	/* allocate 3 so the as to act as a null terminator */
+	/* 3rd page acts as a null terminator for the callback routine */
 	RTL_QUERY_REGISTRY_TABLE query_table[ 3 ] = { 0 };

 	KeInitializeGuardedMutex( &driver_config.lock );
@ -264,6 +263,11 @@ NTSTATUS InitialiseProcessConfigOnProcessLaunch(
 	return status;
 }

+VOID InitialiseProcessConfigOnDriverEntry()
+{
+	KeInitializeGuardedMutex( &process_config.lock );
+}
+
 VOID CleanupDriverConfigOnUnload()
 {
 	FreeDriverConfigurationStringBuffers();
@ -313,21 +317,19 @@ NTSTATUS DriverEntry(
 	_In_ PUNICODE_STRING RegistryPath
 )
 {
-	UNREFERENCED_PARAMETER( RegistryPath );
-
 	BOOLEAN flag = FALSE;
 	NTSTATUS status;

 	status = InitialiseDriverConfigOnDriverEntry( RegistryPath );

-	KeInitializeGuardedMutex( &process_config.lock );
-
 	if ( !NT_SUCCESS( status ) )
 	{
 		DEBUG_ERROR( "InitialiseDriverConfigOnDriverEntry failed with status %x", status );
 		return status;
 	}

+	InitialiseProcessConfigOnDriverEntry();
+
 	status = IoCreateDevice(
 		DriverObject,
 		NULL,
--- a/driver/integrity.c
+++ b/driver/integrity.c
@ -707,4 +707,5 @@ NTSTATUS RetrieveInMemoryModuleExecutableSections(
 		ExFreePoolWithTag( buffer, POOL_TAG_INTEGRITY );

 	return status;
-}
+}
+
--- a/driver/pool.c
+++ b/driver/pool.c
@ -82,6 +82,9 @@ VOID GetPsActiveProcessHead(
 	/* TODO: have a global debugger pool here since shit aint really change */
 	PKDDEBUGGER_DATA64 debugger_data = GetGlobalDebuggerData();

+	if ( !debugger_data )
+		return;
+
 	*Address = *(UINT64*)( debugger_data->PsActiveProcessHead );

 	ExFreePoolWithTag( debugger_data, POOL_DEBUGGER_DATA_TAG );
@ -203,6 +206,24 @@ VOID ScanPageForKernelObjectAllocation(
 	}
 }

+VOID EnumerateKernelLargePages(
+	_In_ UINT64 PageBase,
+	_In_ ULONG PageSize,
+	_In_ PVOID AddressBuffer,
+	_In_ ULONG ObjectIndex
+)
+{
+	for ( INT page_index = 0; page_index < PageSize; page_index++ )
+	{
+		ScanPageForKernelObjectAllocation( 
+			PageBase + ( page_index * PageSize ), 
+			PAGE_SIZE, 
+			ObjectIndex, 
+			AddressBuffer
+		);
+	}
+}
+
 /*
 * Using MmGetPhysicalMemoryRangesEx2(), we can get a block of structures that
 * describe the physical memory layout. With each physical page base we are going
@ -271,9 +292,10 @@ VOID WalkKernelPageTables(PVOID AddressBuffer)
 	PTE pt_entry;
 	UINT64 base_physical_page;
 	UINT64 base_virtual_page;
+	UINT64 base_2mb_virtual_page;
+	UINT64 base_1gb_virtual_page;
 	PHYSICAL_ADDRESS physical;
 	PPHYSICAL_MEMORY_RANGE physical_memory_ranges;
-	KIRQL irql;

 	physical_memory_ranges = MmGetPhysicalMemoryRangesEx2( NULL, NULL );

@ -321,8 +343,26 @@ VOID WalkKernelPageTables(PVOID AddressBuffer)

 			if ( IS_LARGE_PAGE( pdpt_entry.BitAddress ) )
 			{
-				/* 2GB size page */
+				/* 1gb size page */
 				pdpt_large_entry.BitAddress = pdpt_entry.BitAddress;
+
+				physical.QuadPart = pdpt_large_entry.Bits.PhysicalAddress << PAGE_1GB_SHIFT;
+
+				if ( IsPhysicalAddressInPhysicalMemoryRange( physical.QuadPart, physical_memory_ranges ) == FALSE )
+					continue;
+
+				base_1gb_virtual_page = MmGetVirtualForPhysical( physical );
+
+				if (!base_1gb_virtual_page || !MmIsAddressValid( base_1gb_virtual_page ) )
+					continue;
+
+				EnumerateKernelLargePages(
+					base_1gb_virtual_page,
+					LARGE_PAGE_1GB_ENTRIES,
+					AddressBuffer,
+					INDEX_PROCESS_POOL_TAG
+				);
+
 				continue;
 			}

@ -347,6 +387,24 @@ VOID WalkKernelPageTables(PVOID AddressBuffer)
 				{
 					/* 2MB size page */
 					pd_large_entry.BitAddress = pd_entry.BitAddress;
+
+					physical.QuadPart = pd_large_entry.Bits.PhysicalAddress << PAGE_2MB_SHIFT;
+
+					if ( IsPhysicalAddressInPhysicalMemoryRange( physical.QuadPart, physical_memory_ranges ) == FALSE )
+						continue;
+
+					base_2mb_virtual_page = MmGetVirtualForPhysical( physical );
+
+					if ( !base_2mb_virtual_page || !MmIsAddressValid( base_2mb_virtual_page ) )
+						continue;
+
+					EnumerateKernelLargePages(
+						base_2mb_virtual_page,
+						LARGE_PAGE_2MB_ENTRIES,
+						AddressBuffer,
+						INDEX_PROCESS_POOL_TAG 
+					);
+
 					continue;
 				}

@ -374,13 +432,13 @@ VOID WalkKernelPageTables(PVOID AddressBuffer)

 					/* if the page base isnt in a legit region, go next */
 					if ( IsPhysicalAddressInPhysicalMemoryRange( physical.QuadPart, physical_memory_ranges ) == FALSE )
-					continue;
+						continue;

 					base_virtual_page = MmGetVirtualForPhysical( physical );

 					/* stupid fucking intellisense error GO AWAY! */
 					if ( base_virtual_page == NULL || !MmIsAddressValid( base_virtual_page ) )
-					continue;
+						continue;

 					ScanPageForKernelObjectAllocation(
 						base_virtual_page,
--- a/driver/pool.h
+++ b/driver/pool.h
@ -14,6 +14,9 @@
 #define PD_ENTRY_COUNT 512
 #define PT_ENTRY_COUNT 512

+#define LARGE_PAGE_2MB_ENTRIES 512
+#define LARGE_PAGE_1GB_ENTRIES 0x40000
+
 #define PROCESS_OBJECT_ALLOCATION_MARGIN 0x90

 /* SIZE_2 = first alloc + 0x10 */
--- a/driver/queue.c
+++ b/driver/queue.c
@ -164,7 +164,6 @@ NTSTATUS HandlePeriodicGlobalReportQueueQuery(

 	if ( !report_buffer )
 	{
-		DEBUG_LOG( "Failed to allocate report buffer" );
 		KeReleaseGuardedMutex( &report_queue_config.lock );
 		return STATUS_MEMORY_NOT_ALLOCATED;
 	}
@ -216,6 +215,8 @@ NTSTATUS HandlePeriodicGlobalReportQueueQuery(

 end:

+	KeReleaseGuardedMutex( &report_queue_config.lock );
+
 	Irp->IoStatus.Information = sizeof( GLOBAL_REPORT_QUEUE_HEADER ) + total_size;

 	header.count = count;
@ -231,8 +232,6 @@ end:
 		sizeof( GLOBAL_REPORT_QUEUE_HEADER ) + total_size
 	);

-	KeReleaseGuardedMutex( &report_queue_config.lock );
-
 	if ( report_buffer )
 		ExFreePoolWithTag( report_buffer, REPORT_QUEUE_TEMP_BUFFER_TAG );

--- a/server/Server.cs
+++ b/server/Server.cs
@ -24,6 +24,7 @@ namespace server
            _ipEndPoint = new IPEndPoint(IPAddress.Any, 8888);
            _tcpListener = new TcpListener(_ipEndPoint);
            _buffer = new byte[MAX_BUFFER_SIZE];
+            _bufferSize = 0;
            _logger = logger;
        }

@ -38,7 +39,7 @@ namespace server
                using TcpClient _client = await _tcpListener.AcceptTcpClientAsync();
                NetworkStream _stream = _client.GetStream();

-                _stream.Read(_buffer, 0, MAX_BUFFER_SIZE);
+                _bufferSize = _stream.Read(_buffer, 0, MAX_BUFFER_SIZE);

                Message message = new Message(_buffer, _bufferSize, _logger);
            }