sum stuff c:

driver/callbacks.c

@@ -6,6 +6,17 @@
 #include "pool.h"
 #include "thread.h"
 
+STATIC BOOLEAN EnumHandleCallback(_In_ PHANDLE_TABLE HandleTable, _In_ PHANDLE_TABLE_ENTRY Entry,
+	_In_ HANDLE Handle, _In_ PVOID Context);
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, ObPostOpCallbackRoutine)
+#pragma alloc_text(PAGE, ObPreOpCallbackRoutine)
+#pragma alloc_text(PAGE, EnumHandleCallback)
+#pragma alloc_text(PAGE, EnumerateProcessHandles)
+#pragma alloc_text(PAGE, EnumerateProcessListWithCallbackFunction)
+#endif
+
 VOID
 ObPostOpCallbackRoutine(
 	_In_ PVOID RegistrationContext,

driver/cpp.hint

@@ -0,0 +1,9 @@
+// Hint files help the Visual Studio IDE interpret Visual C++ identifiers
+// such as names of functions and macros.
+// For more information see https://go.microsoft.com/fwlink/?linkid=865984
+#define _Inout_ _SAL2_Source_(_Inout_, (), _Prepost_valid_)
+#define _Inout_
+#define _In_ _SAL2_Source_(_In_, (), _Pre1_impl_(__notnull_impl_notref) _Pre_valid_impl_ _Deref_pre1_impl_(__readaccess_impl_notref))
+#define _In_
+#define STATIC
+#define VOID

driver/driver.c

@@ -307,14 +307,12 @@ IncrementApcCount(
 
 VOID
 FreeApcAndDecrementApcCount(
-	_In_ PRKAPC Apc,
+	_Inout_ PRKAPC Apc,
 	_In_ LONG ContextId
 )
 {
 	PAPC_CONTEXT_HEADER context = NULL;
-
 	ExFreePoolWithTag(Apc, POOL_TAG_APC);
-
 	GetApcContext(&context, ContextId);
 
 	if (!context)
@@ -322,7 +320,6 @@ FreeApcAndDecrementApcCount(
 
 	KeAcquireGuardedMutex(&driver_config.lock);
 	context->count -= 1;
-
 end:
 	KeReleaseGuardedMutex(&driver_config.lock);
 }

driver/driver.h

@@ -80,7 +80,7 @@ IncrementApcCount(
 
 VOID
 FreeApcAndDecrementApcCount(
-	_In_ PRKAPC Apc,
+	_Inout_ PRKAPC Apc,
 	_In_ LONG ContextId
 );
 

driver/driver.vcxproj

@@ -153,6 +153,9 @@
   <ItemGroup>
     <MASM Include="asm.asm" />
   </ItemGroup>
+  <ItemGroup>
+    <None Include="cpp.hint" />
+  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
     <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />

driver/driver.vcxproj.filters

@@ -89,4 +89,7 @@
       <Filter>Source Files</Filter>
     </MASM>
   </ItemGroup>
+  <ItemGroup>
+    <None Include="cpp.hint" />
+  </ItemGroup>
 </Project>

driver/hv.c

@@ -4,6 +4,10 @@
 
 #include "common.h"
 
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, PerformVirtualizationDetection)
+#endif
+
 #define TOTAL_ITERATION_COUNT 20
 
 /*
@@ -30,7 +34,7 @@ APERFMsrTimingCheck()
 	* First thing we do is we lock the current thread to the logical processor
 	* its executing on.
 	*/
-	new_affinity = (KAFFINITY)(1 << KeGetCurrentProcessorNumber());
+	new_affinity = (KAFFINITY)(1ul << KeGetCurrentProcessorNumber());
 	old_affinity = KeSetSystemAffinityThreadEx(new_affinity);
 
 	/*
@@ -80,7 +84,7 @@ APERFMsrTimingCheck()
 
 NTSTATUS
 PerformVirtualizationDetection(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
 	HYPERVISOR_DETECTION_REPORT report;

driver/hv.h

@@ -13,7 +13,7 @@ typedef struct _HYPERVISOR_DETECTION_REPORT
 
 NTSTATUS
 PerformVirtualizationDetection(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 extern

driver/integrity.c

@@ -8,6 +8,47 @@
 #include <initguid.h>
 #include <devpkey.h>
 
+STATIC NTSTATUS GetModuleInformationByName(_Inout_ PRTL_MODULE_EXTENDED_INFO ModuleInfo, 
+        _In_ LPCSTR ModuleName);
+STATIC NTSTATUS StoreModuleExecutableRegionsInBuffer(_Inout_ PVOID* Buffer, _In_ PVOID ModuleBase,
+        _In_ SIZE_T ModuleSize, _Inout_ PSIZE_T BytesWritten);
+STATIC NTSTATUS MapDiskImageIntoVirtualAddressSpace(_Inout_ PHANDLE SectionHandle, _Inout_ PVOID* Section,
+        _In_ PUNICODE_STRING Path, _Inout_ PSIZE_T Size);
+STATIC NTSTATUS ComputeHashOfBuffer(_In_ PVOID Buffer, _In_ ULONG BufferSize, _Inout_ PVOID* HashResult,
+        _Inout_ PULONG HashResultSize);
+STATIC VOID GetNextSMBIOSStructureInTable(_Inout_ PSMBIOS_TABLE_HEADER* CurrentStructure);
+STATIC NTSTATUS GetStringAtIndexFromSMBIOSTable(_In_ PSMBIOS_TABLE_HEADER Table, _In_ INT Index,
+        _In_ PVOID Buffer, _In_ SIZE_T BufferSize);
+STATIC UINT64 MeasureInstructionRead(_In_ PVOID InstructionAddress);
+STATIC UINT64 MeasureReads(_In_ PVOID Address, _In_ ULONG Count);
+STATIC NTSTATUS GetAverageReadTimeAtRoutine(_In_ PVOID RoutineAddress, _Inout_ PUINT64 AverageTime);
+STATIC NTSTATUS InitiateEptFunctionAddressArrays();
+STATIC NTSTATUS RegistryPathQueryTestSigningCallback(IN PWSTR ValueName, IN ULONG ValueType,
+        IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext);
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, GetDriverImageSize)
+#pragma alloc_text(PAGE, GetModuleInformationByName)
+#pragma alloc_text(PAGE, StoreModuleExecutableRegionsInBuffer)
+#pragma alloc_text(PAGE, MapDiskImageIntoVirtualAddressSpace)
+#pragma alloc_text(PAGE, ComputeHashOfBuffer)
+#pragma alloc_text(PAGE, VerifyInMemoryImageVsDiskImage)
+#pragma alloc_text(PAGE, RetrieveInMemoryModuleExecutableSections)
+#pragma alloc_text(PAGE, GetNextSMBIOSStructureInTable)
+#pragma alloc_text(PAGE, GetStringAtIndexFromSMBIOSTable)
+#pragma alloc_text(PAGE, ParseSMBIOSTable)
+#pragma alloc_text(PAGE, ValidateProcessLoadedModule)
+#pragma alloc_text(PAGE, GetHardDiskDriveSerialNumber)
+#pragma alloc_text(PAGE, ScanForSignature)
+#pragma alloc_text(PAGE, MeasureInstructionRead)
+#pragma alloc_text(PAGE, MeasureReads)
+#pragma alloc_text(PAGE, GetAverageReadTimeAtRoutine)
+#pragma alloc_text(PAGE, InitiateEptFunctionAddressArrays)
+#pragma alloc_text(PAGE, DetectEptHooksInKeyFunctions)
+#pragma alloc_text(PAGE, RegistryPathQueryTestSigningCallback)
+#pragma alloc_text(PAGE, DetermineIfTestSigningIsEnabled)
+#endif
+
 #define SMBIOS_TABLE 'RSMB'
 
 /* for generic intel */
@@ -49,7 +90,7 @@ typedef struct _PROCESS_MODULE_VALIDATION_RESULT
 */
 NTSTATUS
 GetDriverImageSize(
-        _In_ PIRP Irp
+        _Inout_ PIRP Irp
 )
 {
         NTSTATUS status;
@@ -81,7 +122,7 @@ GetDriverImageSize(
 STATIC
 NTSTATUS
 GetModuleInformationByName(
-        _In_ PRTL_MODULE_EXTENDED_INFO ModuleInfo,
+        _Inout_ PRTL_MODULE_EXTENDED_INFO ModuleInfo,
         _In_ LPCSTR ModuleName
 )
 {
@@ -122,10 +163,10 @@ GetModuleInformationByName(
 STATIC
 NTSTATUS
 StoreModuleExecutableRegionsInBuffer(
-        _In_ PVOID* Buffer,
+        _Inout_ PVOID* Buffer,
         _In_ PVOID ModuleBase,
         _In_ SIZE_T ModuleSize,
-        _In_ PSIZE_T BytesWritten
+        _Inout_ PSIZE_T BytesWritten
 )
 {
         NTSTATUS status = STATUS_SUCCESS;
@@ -247,10 +288,10 @@ StoreModuleExecutableRegionsInBuffer(
 STATIC
 NTSTATUS
 MapDiskImageIntoVirtualAddressSpace(
-        _In_ PHANDLE SectionHandle,
-        _In_ PVOID* Section,
+        _Inout_ PHANDLE SectionHandle,
+        _Inout_ PVOID* Section,
         _In_ PUNICODE_STRING Path,
-        _In_ PSIZE_T Size
+        _Inout_ PSIZE_T Size
 )
 {
         NTSTATUS status;
@@ -356,8 +397,8 @@ NTSTATUS
 ComputeHashOfBuffer(
         _In_ PVOID Buffer,
         _In_ ULONG BufferSize,
-        _In_ PVOID* HashResult,
-        _In_ PULONG HashResultSize
+        _Inout_ PVOID* HashResult,
+        _Inout_ PULONG HashResultSize
 )
 {
         /*
@@ -714,7 +755,7 @@ end:
 
 NTSTATUS
 RetrieveInMemoryModuleExecutableSections(
-        _In_ PIRP Irp
+        _Inout_ PIRP Irp
 )
 {
         NTSTATUS status;
@@ -776,7 +817,7 @@ RetrieveInMemoryModuleExecutableSections(
 STATIC
 VOID
 GetNextSMBIOSStructureInTable(
-        _In_ PSMBIOS_TABLE_HEADER* CurrentStructure
+        _Inout_ PSMBIOS_TABLE_HEADER* CurrentStructure
 )
 {
         PCHAR string_section_start = (PCHAR)((UINT64)*CurrentStructure + (*CurrentStructure)->Length);
@@ -954,7 +995,7 @@ end:
 */
 NTSTATUS
 ValidateProcessLoadedModule(
-        _In_ PIRP Irp
+        _Inout_ PIRP Irp
 )
 {
         NTSTATUS status;
@@ -1103,7 +1144,7 @@ end:
 */
 NTSTATUS
 GetHardDiskDriveSerialNumber(
-        _In_ PVOID ConfigDrive0Serial,
+        _Inout_ PVOID ConfigDrive0Serial,
         _In_ SIZE_T ConfigDrive0MaxSize
 )
 {

driver/integrity.h

@@ -6,7 +6,7 @@
 
 NTSTATUS
 GetDriverImageSize(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 NTSTATUS
@@ -16,17 +16,17 @@ VerifyInMemoryImageVsDiskImage(
 
 NTSTATUS
 RetrieveInMemoryModuleExecutableSections(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 NTSTATUS
 ValidateProcessLoadedModule(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 NTSTATUS
 GetHardDiskDriveSerialNumber(
-	_In_ PVOID ConfigDrive0Serial,
+	_Inout_ PVOID ConfigDrive0Serial,
 	_In_ SIZE_T ConfigDrive0MaxSize
 );
 
@@ -42,4 +42,17 @@ EnumeratePciDevices();
 NTSTATUS
 DetectEptHooksInKeyFunctions();
 
+PVOID
+ScanForSignature(
+	_In_ PVOID BaseAddress,
+	_In_ SIZE_T MaxLength,
+	_In_ LPCSTR Signature,
+	_In_ SIZE_T SignatureLength
+);
+
+NTSTATUS
+DetermineIfTestSigningIsEnabled(
+	_Inout_ PBOOLEAN Result
+);
+
 #endif

driver/ioctl.c

@@ -68,7 +68,7 @@ DispatchApcOperation(PAPC_OPERATION_ID Operation)
 NTSTATUS
 DeviceControl(
 	_In_ PDRIVER_OBJECT DriverObject,
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
 	UNREFERENCED_PARAMETER(DriverObject);
@@ -369,9 +369,11 @@ end:
 NTSTATUS
 DeviceClose(
 	_In_ PDEVICE_OBJECT DeviceObject,
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
+	UNREFERENCED_PARAMETER(DeviceObject);
+
 	DEBUG_LOG("Handle closed to DonnaAC");
 
 	/*
@@ -391,7 +393,7 @@ DeviceClose(
 NTSTATUS
 DeviceCreate(
 	_In_ PDEVICE_OBJECT DeviceObject,
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
 	DEBUG_LOG("Handle opened to DonnaAC");

driver/ioctl.h

@@ -15,19 +15,19 @@ typedef struct _DRIVER_INITIATION_INFORMATION
 NTSTATUS
 DeviceControl(
 	_In_ PDRIVER_OBJECT DriverObject,
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 NTSTATUS
 DeviceClose(
 	_In_ PDEVICE_OBJECT DeviceObject,
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 NTSTATUS
 DeviceCreate(
 	_In_ PDEVICE_OBJECT DeviceObject,
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 #endif

driver/modules.c

@@ -3,40 +3,6 @@
 #include "callbacks.h"
 #include "driver.h"
 
-#define WHITELISTED_MODULE_TAG 'whte'
-
-#define NMI_DELAY 200 * 10000
-
-#define WHITELISTED_MODULE_COUNT 7
-#define MODULE_MAX_STRING_SIZE 256
-
-#define NTOSKRNL 0
-#define CLASSPNP 1
-#define WDF01000 2
-
-/*
-* The modules seen in the array below have been seen to commonly hook other drivers'
-* IOCTL dispatch routines. Its possible to see this by using WinObjEx64 and checking which
-* module each individual dispatch routine lies in. These modules are then addded to the list
-* (in addition to either the driver itself or ntoskrnl) which is seen as a valid region
-* for a drivers dispatch routine to lie within.
-*/
-CHAR WHITELISTED_MODULES[WHITELISTED_MODULE_COUNT][MODULE_MAX_STRING_SIZE] =
-{
-	"ntoskrnl.exe",
-	"CLASSPNP.SYS",
-	"Wdf01000.sys",
-	"HIDCLASS.sys",
-	"storport.sys",
-	"dxgkrnl.sys",
-	"ndis.sys"
-};
-
-#define MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE 128
-
-#define REASON_NO_BACKING_MODULE 1
-#define REASON_INVALID_IOCTL_DISPATCH 2
-
 typedef struct _WHITELISTED_REGIONS
 {
 	UINT64 base;
@@ -101,6 +67,88 @@ typedef struct _INVALID_DRIVERS_HEAD
 
 }INVALID_DRIVERS_HEAD, * PINVALID_DRIVERS_HEAD;
 
+STATIC NTSTATUS PopulateWhitelistedModuleBuffer(_Inout_ PVOID Buffer, _In_ PSYSTEM_MODULES SystemModules);
+STATIC NTSTATUS ValidateDriverIOCTLDispatchRegion(_In_ PDRIVER_OBJECT Driver, _In_ PSYSTEM_MODULES Modules,
+	_In_ PWHITELISTED_REGIONS WhitelistedRegions, _Out_ PBOOLEAN Flag);
+STATIC VOID InitDriverList(_Inout_ PINVALID_DRIVERS_HEAD ListHead);
+STATIC VOID AddDriverToList(_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead, _In_ PDRIVER_OBJECT Driver,
+	_In_ INT Reason);
+STATIC VOID RemoveInvalidDriverFromList(_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead);
+STATIC VOID EnumerateInvalidDrivers(_In_ PINVALID_DRIVERS_HEAD InvalidDriversHead);
+STATIC NTSTATUS ValidateDriverObjectHasBackingModule(_In_ PSYSTEM_MODULES ModuleInformation,
+	_In_ PDRIVER_OBJECT DriverObject, _Out_ PBOOLEAN Result);
+STATIC NTSTATUS ValidateDriverObjects(_In_ PSYSTEM_MODULES SystemModules,
+	_Inout_ PINVALID_DRIVERS_HEAD InvalidDriverListHead);
+STATIC NTSTATUS AnalyseNmiData(_In_ PNMI_CONTEXT NmiContext, _In_ PSYSTEM_MODULES SystemModules,
+	_Inout_ PIRP Irp);
+STATIC NTSTATUS LaunchNonMaskableInterrupt(_Inout_ PNMI_CONTEXT NmiContext);
+STATIC VOID ApcRundownRoutine(_In_ PRKAPC Apc);
+STATIC VOID ApcKernelRoutine(_In_ PRKAPC Apc, _Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine,
+	_Inout_ _Deref_pre_maybenull_ PVOID* NormalContext, _Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1,
+	_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2);
+STATIC VOID ApcNormalRoutine(_In_opt_ PVOID NormalContext, _In_opt_ PVOID SystemArgument1,
+	_In_opt_ PVOID SystemArgument2);
+STATIC VOID ValidateThreadViaKernelApcCallback(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, FindSystemModuleByName)
+#pragma alloc_text(PAGE, PopulateWhitelistedModuleBuffer)
+#pragma alloc_text(PAGE, ValidateDriverIOCTLDispatchRegion)
+#pragma alloc_text(PAGE, InitDriverList)
+#pragma alloc_text(PAGE, AddDriverToList)
+#pragma alloc_text(PAGE, RemoveInvalidDriverFromList)
+#pragma alloc_text(PAGE, EnumerateInvalidDrivers)
+#pragma alloc_text(PAGE, ValidateDriverObjectHasBackingModule)
+#pragma alloc_text(PAGE, GetSystemModuleInformation)
+#pragma alloc_text(PAGE, ValidateDriverObjects)
+#pragma alloc_text(PAGE, HandleValidateDriversIOCTL)
+#pragma alloc_text(PAGE, IsInstructionPointerInInvalidRegion)
+#pragma alloc_text(PAGE, AnalyseNmiData)
+#pragma alloc_text(PAGE, LaunchNonMaskableInterrupt)
+#pragma alloc_text(PAGE, HandleNmiIOCTL)
+#pragma alloc_text(PAGE, ApcRundownRoutine)
+#pragma alloc_text(PAGE, ApcKernelRoutine)
+#pragma alloc_text(PAGE, ApcNormalRoutine)
+#pragma alloc_text(PAGE, FlipKThreadMiscFlagsFlag)
+#pragma alloc_text(PAGE, ValidateThreadViaKernelApcCallback)
+#pragma alloc_text(PAGE, ValidateThreadsViaKernelApc)
+#pragma alloc_text(PAGE, FreeApcStackwalkApcContextInformation)
+#endif
+
+#define WHITELISTED_MODULE_TAG 'whte'
+
+#define NMI_DELAY 200 * 10000
+
+#define WHITELISTED_MODULE_COUNT 7
+#define MODULE_MAX_STRING_SIZE 256
+
+#define NTOSKRNL 0
+#define CLASSPNP 1
+#define WDF01000 2
+
+/*
+* The modules seen in the array below have been seen to commonly hook other drivers'
+* IOCTL dispatch routines. Its possible to see this by using WinObjEx64 and checking which
+* module each individual dispatch routine lies in. These modules are then addded to the list
+* (in addition to either the driver itself or ntoskrnl) which is seen as a valid region
+* for a drivers dispatch routine to lie within.
+*/
+CHAR WHITELISTED_MODULES[WHITELISTED_MODULE_COUNT][MODULE_MAX_STRING_SIZE] =
+{
+	"ntoskrnl.exe",
+	"CLASSPNP.SYS",
+	"Wdf01000.sys",
+	"HIDCLASS.sys",
+	"storport.sys",
+	"dxgkrnl.sys",
+	"ndis.sys"
+};
+
+#define MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE 128
+
+#define REASON_NO_BACKING_MODULE 1
+#define REASON_INVALID_IOCTL_DISPATCH 2
+
 #define SYSTEM_IDLE_PROCESS_ID 0
 #define SYSTEM_PROCESS_ID 4
 #define SVCHOST_PROCESS_ID 8
@@ -132,7 +180,7 @@ FindSystemModuleByName(
 STATIC
 NTSTATUS
 PopulateWhitelistedModuleBuffer(
-	_In_ PVOID Buffer,
+	_Inout_ PVOID Buffer,
 	_In_ PSYSTEM_MODULES SystemModules
 )
 {
@@ -145,6 +193,10 @@ PopulateWhitelistedModuleBuffer(
 
 		PRTL_MODULE_EXTENDED_INFO module = FindSystemModuleByName(name, SystemModules);
 
+		/* not everyone will contain all whitelisted modules */
+		if (!module)
+			continue;
+
 		WHITELISTED_REGIONS region;
 		region.base = (UINT64)module->ImageBase;
 		region.end = region.base + module->ImageSize;
@@ -165,7 +217,7 @@ ValidateDriverIOCTLDispatchRegion(
 	_In_ PDRIVER_OBJECT Driver,
 	_In_ PSYSTEM_MODULES Modules,
 	_In_ PWHITELISTED_REGIONS WhitelistedRegions,
-	_In_ PBOOLEAN Flag
+	_Out_ PBOOLEAN Flag
 )
 {
 	if (!Modules || !Driver || !Flag || !WhitelistedRegions)
@@ -237,7 +289,7 @@ ValidateDriverIOCTLDispatchRegion(
 STATIC
 VOID
 InitDriverList(
-	_In_ PINVALID_DRIVERS_HEAD ListHead
+	_Inout_ PINVALID_DRIVERS_HEAD ListHead
 )
 {
 	ListHead->count = 0;
@@ -247,7 +299,7 @@ InitDriverList(
 STATIC
 VOID
 AddDriverToList(
-	_In_ PINVALID_DRIVERS_HEAD InvalidDriversHead,
+	_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead,
 	_In_ PDRIVER_OBJECT Driver,
 	_In_ INT Reason
 )
@@ -270,7 +322,7 @@ AddDriverToList(
 STATIC
 VOID
 RemoveInvalidDriverFromList(
-	_In_ PINVALID_DRIVERS_HEAD InvalidDriversHead
+	_Inout_ PINVALID_DRIVERS_HEAD InvalidDriversHead
 )
 {
 	if (InvalidDriversHead->first_entry)
@@ -385,7 +437,7 @@ STATIC
 NTSTATUS
 ValidateDriverObjects(
 	_In_ PSYSTEM_MODULES SystemModules,
-	_In_ PINVALID_DRIVERS_HEAD InvalidDriverListHead
+	_Inout_ PINVALID_DRIVERS_HEAD InvalidDriverListHead
 )
 {
 	if (!SystemModules || !InvalidDriverListHead)
@@ -542,7 +594,7 @@ end:
 
 NTSTATUS
 HandleValidateDriversIOCTL(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
 	NTSTATUS status;
@@ -704,7 +756,7 @@ NTSTATUS
 AnalyseNmiData(
 	_In_ PNMI_CONTEXT NmiContext,
 	_In_ PSYSTEM_MODULES SystemModules,
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
 	if (!NmiContext || !SystemModules)
@@ -789,7 +841,7 @@ AnalyseNmiData(
 STATIC
 BOOLEAN
 NmiCallback(
-	_In_ PVOID Context,
+	_Inout_opt_ PVOID Context,
 	_In_ BOOLEAN Handled
 )
 {
@@ -800,6 +852,9 @@ NmiCallback(
 	PNMI_CONTEXT nmi_context = (PNMI_CONTEXT)Context;
 	ULONG proc_num = KeGetCurrentProcessorNumber();
 
+	if (!nmi_context)
+		return TRUE;
+
 	/*
 	* Cannot allocate pool in this function as it runs at IRQL >= dispatch level
 	* so ive just allocated a global pool with size equal to 0x200 * num_procs
@@ -841,7 +896,7 @@ NmiCallback(
 STATIC
 NTSTATUS
 LaunchNonMaskableInterrupt(
-	_In_ PNMI_CONTEXT NmiContext
+	_Inout_ PNMI_CONTEXT NmiContext
 )
 {
 	if (!NmiContext)
@@ -896,7 +951,7 @@ LaunchNonMaskableInterrupt(
 
 NTSTATUS
 HandleNmiIOCTL(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
 	NTSTATUS status;
@@ -1107,7 +1162,7 @@ STATIC
 VOID
 ValidateThreadViaKernelApcCallback(
 	_In_ PEPROCESS Process,
-	_In_ PVOID Context
+	_Inout_opt_ PVOID Context
 )
 {
 	NTSTATUS status;
@@ -1257,7 +1312,7 @@ ValidateThreadsViaKernelApc()
 
 VOID
 FreeApcStackwalkApcContextInformation(
-	_In_ PAPC_STACKWALK_CONTEXT Context
+	_Inout_ PAPC_STACKWALK_CONTEXT Context
 )
 {
 	if (Context->modules->address)

driver/modules.h

@@ -76,7 +76,7 @@ GetSystemModuleInformation(
 
 NTSTATUS
 HandleValidateDriversIOCTL(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 PRTL_MODULE_EXTENDED_INFO
@@ -87,7 +87,7 @@ FindSystemModuleByName(
 
 NTSTATUS
 HandleNmiIOCTL(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 BOOLEAN
@@ -100,7 +100,21 @@ ValidateThreadsViaKernelApc();
 
 VOID
 FreeApcStackwalkApcContextInformation(
-	_In_ PAPC_STACKWALK_CONTEXT Context
+	_Inout_ PAPC_STACKWALK_CONTEXT Context
+);
+
+NTSTATUS
+IsInstructionPointerInInvalidRegion(
+	_In_ UINT64 RIP,
+	_In_ PSYSTEM_MODULES SystemModules,
+	_Out_ PBOOLEAN Result
+);
+
+BOOLEAN
+FlipKThreadMiscFlagsFlag(
+	_In_ PKTHREAD Thread,
+	_In_ LONG FlagIndex,
+	_In_ BOOLEAN NewValue
 );
 
 #endif

driver/pool.c

@@ -5,6 +5,37 @@
 #include "callbacks.h"
 #include "queue.h"
 
+typedef struct _PROCESS_SCAN_CONTEXT
+{
+	ULONG process_count;
+	PVOID process_buffer;
+
+}PROCESS_SCAN_CONTEXT, * PPROCESS_SCAN_CONTEXT;
+
+STATIC BOOLEAN ValidateIfAddressIsProcessStructure(_In_ PVOID Address, _In_ PPOOL_HEADER PoolHeader);
+STATIC VOID ScanPageForKernelObjectAllocation(_In_ UINT64 PageBase, _In_ ULONG PageSize,
+	_In_ ULONG ObjectIndex, _Inout_ PPROCESS_SCAN_CONTEXT Context);
+STATIC BOOLEAN IsPhysicalAddressInPhysicalMemoryRange(_In_ UINT64 PhysicalAddress,
+	_In_ PPHYSICAL_MEMORY_RANGE PhysicalMemoryRanges);
+STATIC VOID EnumerateKernelLargePages(_In_ UINT64 PageBase, _In_ ULONG PageSize,
+	_In_ PPROCESS_SCAN_CONTEXT Context, _In_ ULONG ObjectIndex);
+STATIC VOID WalkKernelPageTables(_In_ PPROCESS_SCAN_CONTEXT Context);
+STATIC VOID IncrementProcessCounter(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
+STATIC VOID CheckIfProcessAllocationIsInProcessList(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, GetGlobalDebuggerData)
+#pragma alloc_text(PAGE, GetPsActiveProcessHead)
+#pragma alloc_text(PAGE, ValidateIfAddressIsProcessStructure)
+#pragma alloc_text(PAGE, ScanPageForKernelObjectAllocation)
+#pragma alloc_text(PAGE, IsPhysicalAddressInPhysicalMemoryRange)
+#pragma alloc_text(PAGE, EnumerateKernelLargePages)
+#pragma alloc_text(PAGE, WalkKernelPageTables)
+#pragma alloc_text(PAGE, IncrementProcessCounter)
+#pragma alloc_text(PAGE, CheckIfProcessAllocationIsInProcessList)
+#pragma alloc_text(PAGE, FindUnlinkedProcesses)
+#endif
+
 #define PAGE_BASE_SIZE 0x1000
 #define POOL_TAG_SIZE 0x004
 
@@ -44,13 +75,6 @@ CHAR EXECUTIVE_OBJECT_POOL_TAGS[EXECUTIVE_OBJECT_COUNT][POOL_TAG_LENGTH] =
 	"\x4C\x69\x6E\x6B"		/* Symbolic links */
 };
 
-typedef struct _PROCESS_SCAN_CONTEXT
-{
-	ULONG process_count;
-	PVOID process_buffer;
-
-}PROCESS_SCAN_CONTEXT, * PPROCESS_SCAN_CONTEXT;
-
 PKDDEBUGGER_DATA64
 GetGlobalDebuggerData()
 {
@@ -96,7 +120,7 @@ end:
 
 VOID
 GetPsActiveProcessHead(
-	_In_ PUINT64 Address
+	_Out_ PUINT64 Address
 )
 {
 	PKDDEBUGGER_DATA64 debugger_data = GetGlobalDebuggerData();
@@ -215,7 +239,7 @@ ScanPageForKernelObjectAllocation(
 	_In_ UINT64 PageBase,
 	_In_ ULONG PageSize,
 	_In_ ULONG ObjectIndex,
-	_In_ PPROCESS_SCAN_CONTEXT Context
+	_Inout_ PPROCESS_SCAN_CONTEXT Context
 )
 {
 	INT length = 0;
@@ -557,7 +581,7 @@ STATIC
 VOID
 IncrementProcessCounter(
 	_In_ PEPROCESS Process,
-	_In_opt_ PVOID Context
+	_Inout_opt_ PVOID Context
 )
 {
 	PPROCESS_SCAN_CONTEXT context = (PPROCESS_SCAN_CONTEXT)Context;
@@ -572,7 +596,7 @@ STATIC
 VOID
 CheckIfProcessAllocationIsInProcessList(
 	_In_ PEPROCESS Process,
-	_In_opt_ PVOID Context
+	_Inout_opt_ PVOID Context
 )
 {
 	PUINT64 allocation_address;
@@ -595,7 +619,7 @@ CheckIfProcessAllocationIsInProcessList(
 
 NTSTATUS
 FindUnlinkedProcesses(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
 	PUINT64 allocation_address;
@@ -607,7 +631,7 @@ FindUnlinkedProcesses(
 		&context
 	);
 
-	if (context.process_count == NULL)
+	if (context.process_count == 0)
 	{
 		DEBUG_ERROR("Failed to get process count");
 		return STATUS_ABANDONED;
@@ -617,13 +641,13 @@ FindUnlinkedProcesses(
 		ExAllocatePool2(POOL_FLAG_NON_PAGED, context.process_count * 2 * sizeof(UINT64), PROCESS_ADDRESS_LIST_TAG);
 
 	if (!context.process_buffer)
-		return STATUS_ABANDONED;
+		return STATUS_MEMORY_NOT_ALLOCATED;
 
 	WalkKernelPageTables(&context);
 
 	EnumerateProcessListWithCallbackFunction(
 		CheckIfProcessAllocationIsInProcessList,
-		NULL
+		&context
 	);
 
 	allocation_address = (PUINT64)context.process_buffer;

driver/pool.h

@@ -15,12 +15,12 @@ typedef struct _INVALID_PROCESS_ALLOCATION_REPORT
 
 NTSTATUS
 FindUnlinkedProcesses(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 VOID
 GetPsActiveProcessHead(
-	_In_ PUINT64 Address
+	_Out_ PUINT64 Address
 );
 
 PKDDEBUGGER_DATA64

driver/queue.c

@@ -28,7 +28,7 @@ REPORT_QUEUE_CONFIGURATION report_queue_config = { 0 };
 
 VOID
 InitialiseGlobalReportQueue(
-	_In_ PBOOLEAN Status
+	_Out_ PBOOLEAN Status
 )
 {
 	report_queue_config.head.start = NULL;
@@ -59,7 +59,7 @@ InitialiseGlobalReportQueue(
 
 VOID
 QueuePush(
-	_In_ PQUEUE_HEAD Head,
+	_Inout_ PQUEUE_HEAD Head,
 	_In_ PVOID Data
 )
 {
@@ -89,7 +89,7 @@ end:
 
 PVOID
 QueuePop(
-	_In_ PQUEUE_HEAD Head
+	_Inout_ PQUEUE_HEAD Head
 )
 {
 	KIRQL irql = KeGetCurrentIrql();
@@ -153,7 +153,7 @@ end:
 */
 NTSTATUS
 HandlePeriodicGlobalReportQueueQuery(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
 	PVOID report = NULL;
@@ -285,7 +285,7 @@ end:
 
 VOID
 ListInit(
-	_In_ PLIST_HEAD ListHead
+	_Inout_ PLIST_HEAD ListHead
 )
 {
 	KeInitializeSpinLock(&ListHead->lock);
@@ -294,8 +294,8 @@ ListInit(
 
 PLIST_ITEM
 ListInsert(
-	_In_ PLIST_HEAD ListHead,
-	_In_ PLIST_ITEM NewEntry
+	_Inout_ PLIST_HEAD ListHead,
+	_Inout_ PLIST_ITEM NewEntry
 )
 {
 	KIRQL irql = KeGetCurrentIrql();
@@ -311,7 +311,7 @@ ListInsert(
 
 PVOID
 ListRemoveFirst(
-	_In_ PLIST_HEAD ListHead
+	_Inout_ PLIST_HEAD ListHead
 )
 {
 	KIRQL irql = KeGetCurrentIrql();
@@ -329,7 +329,7 @@ ListRemoveFirst(
 
 PVOID
 ListRemoveItem(
-	_In_ PLIST_HEAD ListHead,
+	_Inout_ PLIST_HEAD ListHead,
 	_Inout_ PLIST_ITEM ListItem
 )
 {

driver/queue.h

@@ -51,18 +51,18 @@ typedef struct _LIST_HEAD
 
 VOID
 QueuePush(
-	_In_ PQUEUE_HEAD Head,
+	_Inout_ PQUEUE_HEAD Head,
 	_In_ PVOID Data
 );
 
 PVOID
 QueuePop(
-	_In_ PQUEUE_HEAD Head
+	_Inout_ PQUEUE_HEAD Head
 );
 
 VOID
 InitialiseGlobalReportQueue(
-	_In_ PBOOLEAN Status
+	_Out_ PBOOLEAN Status
 );
 
 VOID
@@ -72,7 +72,7 @@ InsertReportToQueue(
 
 NTSTATUS
 HandlePeriodicGlobalReportQueueQuery(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 VOID
@@ -80,23 +80,23 @@ FreeGlobalReportQueueObjects();
 
 VOID
 ListInit(
-	_In_ PLIST_HEAD ListHead
+	_Inout_ PLIST_HEAD ListHead
 );
 
 PLIST_ITEM
 ListInsert(
-	_In_ PLIST_HEAD ListHead,
-	_In_ PLIST_ITEM Data
+	_Inout_ PLIST_HEAD ListHead,
+	_Inout_ PLIST_ITEM Data
 );
 
 PVOID
 ListRemoveFirst(
-	_In_ PLIST_HEAD ListHead
+	_Inout_ PLIST_HEAD ListHead
 );
 
 PVOID
 ListRemoveItem(
-	_In_ PLIST_HEAD ListHead,
+	_Inout_ PLIST_HEAD ListHead,
 	_Inout_ PLIST_ITEM ListItem
 );
 

driver/thread.c

@@ -7,6 +7,16 @@
 #include "driver.h"
 #include "queue.h"
 
+STATIC VOID KPRCBThreadValidationProcessCallback(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
+STATIC VOID DetectAttachedThreadsProcessCallback(_In_ PEPROCESS Process, _Inout_opt_ PVOID Context);
+
+#ifdef ALLOC_PRAGMA
+#pragma alloc_text(PAGE, KPRCBThreadValidationProcessCallback)
+#pragma alloc_text(PAGE, ValidateKPCRBThreads)
+#pragma alloc_text(PAGE, DetectAttachedThreadsProcessCallback)
+#pragma alloc_text(PAGE, DetectThreadsAttachedToProtectedProcess)
+#endif
+
 typedef struct _KPRCB_THREAD_VALIDATION_CTX
 {
 	UINT64 current_kpcrb_thread;
@@ -20,7 +30,7 @@ STATIC
 VOID
 KPRCBThreadValidationProcessCallback(
 	_In_ PEPROCESS Process,
-	_Inout_ PVOID Context
+	_Inout_opt_ PVOID Context
 )
 {
 	NTSTATUS status;
@@ -30,7 +40,7 @@ KPRCBThreadValidationProcessCallback(
 	UINT32 thread_id;
 	PKPRCB_THREAD_VALIDATION_CTX context = (PKPRCB_THREAD_VALIDATION_CTX)Context;
 
-	if (context->finished == TRUE)
+	if (!Context || context->finished == TRUE)
 		return;
 
 	thread_list_head = (PLIST_ENTRY)((UINT64)Process + KPROCESS_THREADLIST_OFFSET);
@@ -81,7 +91,7 @@ KPRCBThreadValidationProcessCallback(
 
 VOID
 ValidateKPCRBThreads(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 )
 {
 	NTSTATUS status;
@@ -99,6 +109,11 @@ ValidateKPCRBThreads(
 
 		kpcr = __readmsr(IA32_GS_BASE);
 		kprcb = kpcr + KPRCB_OFFSET_FROM_GS_BASE;
+
+		/* sanity check */
+		if (!MmIsAddressValid(kprcb + KPCRB_CURRENT_THREAD))
+			continue;
+
 		context.current_kpcrb_thread = *(UINT64*)(kprcb + KPCRB_CURRENT_THREAD);
 
 		DEBUG_LOG("Proc number: %lx, Current thread: %llx", processor_index, context.current_kpcrb_thread);
@@ -144,7 +159,7 @@ STATIC
 VOID
 DetectAttachedThreadsProcessCallback(
 	_In_ PEPROCESS Process,
-	_In_ PVOID Context
+	_Inout_opt_ PVOID Context
 )
 {
 	UNREFERENCED_PARAMETER(Context);

driver/thread.h

@@ -26,7 +26,7 @@ typedef struct _ATTACH_PROCESS_REPORT
 
 VOID
 ValidateKPCRBThreads(
-	_In_ PIRP Irp
+	_Inout_ PIRP Irp
 );
 
 VOID