noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

e

Browse source
This commit is contained in:
lhodges1 2023-09-23 22:27:02 +10:00
parent cf19c06cec
commit a55d82ac71
4 changed files with 43 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
driver/pool.c
View file

@ -584,7 +584,11 @@ NTSTATUS FindUnlinkedProcesses(
if ( allocation_address[ i ] == NULL )
continue;
/* report / do some further analysis etc. */
/*
* It's important to remember that at this point it is still not guaranteed that we have found
* an unlinked process allocation. It is better to have a few false positives that can be later
* analysed rather then enforce a strict signature and potentially miss a real unlinked process.
*/
DEBUG_ERROR( "INVALID POOL proc OMGGG" );
report_buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, sizeof( INVALID_PROCESS_ALLOCATION_REPORT ), REPORT_POOL_TAG );

25
server/Message/ClientReport.cs
View file

@ -76,16 +76,6 @@ namespace server.Message
this._responsePacket.success = success;
}
private unsafe int GetPacketCount<T>()
{
return this._bufferSize / Marshal.SizeOf(typeof(T));
}
private unsafe T GetPacketData<T>(int index)
{
return Helper.BytesToStructure<T>(this._buffer, index * Marshal.SizeOf(typeof(T)));
}
private unsafe int GetPacketCount(int reportCode)
{
switch (this._clientReportPacketHeader.reportCode)
@ -106,7 +96,7 @@ namespace server.Message
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_HANDLE_OPERATION:
return this._bufferSize / Marshal.SizeOf(typeof(OPEN_HANDLE_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.INVALID_PROCESS_ALLOCATION:
return 1;
return this._bufferSize / Marshal.SizeOf(typeof(INVALID_PROCESS_ALLOCATION_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.HIDDEN_SYSTEM_THREAD:
return this._bufferSize / Marshal.SizeOf(typeof(HIDDEN_SYSTEM_THREAD_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_ATTACH_PROCESS:
@ -486,7 +476,8 @@ namespace server.Message
FoundInKThreadList = report.FoundInKThreadList,
FoundInPspCidTable = report.FoundInPspCidTable,
ThreadAddress = report.ThreadAddress,
ThreadId = report.ThreadId
ThreadId = report.ThreadId,
ThreadStructure = report.ThreadStructure
};
reportTypeHiddenSystemThread.InsertReport();
@ -531,12 +522,8 @@ namespace server.Message
unsafe public void HandleInvalidProcessAllocation(int offset)
{
/* INVALID_PROCESS_ALLOCATION_FAILURE report =
Helper.BytesToStructure<INVALID_PROCESS_ALLOCATION_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);*/
byte[] processStructure = new byte[4096];
Helper.CopyMemory(ref _buffer, ref processStructure, 4096, sizeof(PACKET_HEADER) + offset);
INVALID_PROCESS_ALLOCATION_FAILURE report =
Helper.BytesToStructure<INVALID_PROCESS_ALLOCATION_FAILURE>(_buffer, sizeof(PACKET_HEADER) + offset);
_logger.Information("received invalid process allocation structure");
@ -555,7 +542,7 @@ namespace server.Message
var reportTypeInvalidProcessAllocation = new InvalidProcessAllocationEntity(context)
{
Report = newReport,
ProcessStructure = processStructure
ProcessStructure = report.ProcessStructure
};
reportTypeInvalidProcessAllocation.InsertReport();

6
server/Types.cs
View file

@ -103,12 +103,15 @@ namespace server
}
public struct INVALID_PROCESS_ALLOCATION_FAILURE
[StructLayout(LayoutKind.Sequential)]
public unsafe struct INVALID_PROCESS_ALLOCATION_FAILURE
{
public int ReportCode;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4096)]
public byte[] ProcessStructure;
}
[StructLayout(LayoutKind.Sequential)]
public struct HIDDEN_SYSTEM_THREAD_FAILURE
{
public int ReportCode;
@ -116,6 +119,7 @@ namespace server
public int FoundInPspCidTable;
public long ThreadAddress;
public int ThreadId;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4096)]
public byte[] ThreadStructure;
}

56
user/main.cpp
View file

@ -41,38 +41,36 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
while ( !GetAsyncKeyState( VK_DELETE ) )
{
//srand( time( NULL ) );
//int seed = ( rand() % 7 );
srand( time( NULL ) );
int seed = ( rand() % 7 );
//std::cout << "Seed: " << seed << std::endl;
std::cout << "Seed: " << seed << std::endl;
//switch ( seed )
//{
//case 0:
// kmanager.EnumerateHandleTables();
// break;
//case 1:
// kmanager.PerformIntegrityCheck();
// break;
//case 2:
// kmanager.ScanPoolsForUnlinkedProcesses();
// break;
//case 3:
// kmanager.VerifySystemModules();
// break;
//case 4:
// kmanager.ValidateProcessModules();
// break;
//case 5:
// kmanager.RunNmiCallbacks();
// break;
//case 6:
// kmanager.CheckForAttachedThreads();
// break;
//}
switch ( seed )
{
case 0:
kmanager.EnumerateHandleTables();
break;
case 1:
kmanager.PerformIntegrityCheck();
break;
case 2:
kmanager.ScanPoolsForUnlinkedProcesses();
break;
case 3:
kmanager.VerifySystemModules();
break;
case 4:
kmanager.ValidateProcessModules();
break;
case 5:
kmanager.RunNmiCallbacks();
break;
case 6:
kmanager.CheckForAttachedThreads();
break;
}
//kmanager.MonitorCallbackReports();
kmanager.ScanPoolsForUnlinkedProcesses();
kmanager.MonitorCallbackReports();
std::this_thread::sleep_for( std::chrono::seconds( 10 ) );
}