noury/mirror-ac
1
0
Fork 0
mirror of https://github.com/donnaskiez/ac.git synced 2024-11-21 22:24:08 +01:00
Code Issues Projects Releases Packages Wiki Activity

some stuffffffff

Browse source
This commit is contained in:
lhodges1 2023-09-24 21:13:20 +10:00
parent 310357e9c2
commit c0243f2e85
11 changed files with 275 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

72
driver/common.h
View file

@ -11,6 +11,7 @@
#define STACK_FRAMES_POOL 'loop'
#define INVALID_DRIVER_LIST_HEAD_POOL 'rwar'
#define INVALID_DRIVER_LIST_ENTRY_POOL 'gaah'
#define POOL_TAG_APC 'apcc'
#define SYSTEM_MODULES_POOL 'halb'
#define THREAD_DATA_POOL 'doof'
#define PROC_AFFINITY_POOL 'eeee'
@ -1196,6 +1197,77 @@ BOOLEAN NTAPI RtlDosPathNameToRelativeNtPathName_U(
_Out_opt_ PRTL_RELATIVE_NAME RelativeName
);
typedef
_Function_class_( KNORMAL_ROUTINE )
_IRQL_requires_( PASSIVE_LEVEL )
_IRQL_requires_same_
VOID
NTAPI
KNORMAL_ROUTINE(
_In_opt_ PVOID NormalContext,
_In_opt_ PVOID SystemArgument1,
_In_opt_ PVOID SystemArgument2
);
typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;
typedef
_Function_class_( KRUNDOWN_ROUTINE )
_IRQL_requires_( PASSIVE_LEVEL )
_IRQL_requires_same_
VOID
NTAPI
KRUNDOWN_ROUTINE(
_In_ PRKAPC Apc
);
typedef KRUNDOWN_ROUTINE* PKRUNDOWN_ROUTINE;
typedef
_Function_class_( KKERNEL_ROUTINE )
_IRQL_requires_( APC_LEVEL )
_IRQL_requires_same_
VOID
NTAPI
KKERNEL_ROUTINE(
_In_ PRKAPC Apc,
_Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine,
_Inout_ _Deref_pre_maybenull_ PVOID* NormalContext,
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1,
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2
);
typedef KKERNEL_ROUTINE* PKKERNEL_ROUTINE;
typedef enum _KAPC_ENVIRONMENT
{
OriginalApcEnvironment,
AttachedApcEnvironment,
CurrentApcEnvironment,
InsertApcEnvironment
} KAPC_ENVIRONMENT, * PKAPC_ENVIRONMENT;
NTKERNELAPI
VOID
NTAPI
KeInitializeApc(
_Out_ PRKAPC Apc,
_In_ PRKTHREAD Thread,
_In_ KAPC_ENVIRONMENT Environment,
_In_ PKKERNEL_ROUTINE KernelRoutine,
_In_opt_ PKRUNDOWN_ROUTINE RundownRoutine,
_In_opt_ PKNORMAL_ROUTINE NormalRoutine,
_In_ KPROCESSOR_MODE Mode,
_In_opt_ PVOID NormalContext
);
NTKERNELAPI
BOOLEAN
NTAPI
KeInsertQueueApc(
_Inout_ PRKAPC Apc,
_In_opt_ PVOID SystemArgument1,
_In_opt_ PVOID SystemArgument2,
_In_ KPRIORITY Increment
);
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, Signature ) == 0 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, ValidDump ) == 4 );
C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MajorVersion ) == 8 );

2
driver/driver.c
View file

@ -428,6 +428,8 @@ NTSTATUS DriverEntry(
return STATUS_FAILED_DRIVER_ENTRY;
}
ValidateThreadsViaKernelApc();
DEBUG_LOG( "DonnaAC Driver Entry Complete" );
return STATUS_SUCCESS;

110
driver/modules.c
View file

@ -1,5 +1,7 @@
#include "modules.h"
#include "callbacks.h"
#define WHITELISTED_MODULE_TAG 'whte'
#define NMI_DELAY 200 * 10000
@ -861,4 +863,112 @@ NTSTATUS HandleNmiIOCTL(
KeDeregisterNmiCallback( callback_handle );
return status;
}
/*
* The RundownRoutine is executed if the thread terminates before the APC was delivered to
* user mode.
*/
VOID ApcRundownRoutine(
_In_ PRKAPC Apc
)
{
DEBUG_LOG( "Thread discarding APC queue, freeing APC object" );
ExFreePoolWithTag( Apc, POOL_TAG_APC );
}
/*
* The KernelRoutine is executed in kernel mode at APC_LEVEL before the APC is delivered.
*/
VOID ApcKernelRoutine(
_In_ PRKAPC Apc,
_Inout_ _Deref_pre_maybenull_ PKNORMAL_ROUTINE* NormalRoutine,
_Inout_ _Deref_pre_maybenull_ PVOID* NormalContext,
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument1,
_Inout_ _Deref_pre_maybenull_ PVOID* SystemArgument2
)
{
DEBUG_LOG( "Hello from apc routine! ThreadId: %lx", (LONG)PsGetCurrentThreadId() );
}
/*
* The NormalRoutine is executed in user mode when the APC is delivered.
*/
VOID ApcNormalRoutine(
_In_opt_ PVOID NormalContext,
_In_opt_ PVOID SystemArgument1,
_In_opt_ PVOID SystemArgument2
)
{
}
VOID ValidateThreadViaKernelApcCallback(
_In_ PEPROCESS Process,
_In_ PVOID Context
)
{
UNREFERENCED_PARAMETER( Context );
NTSTATUS status;
PLIST_ENTRY thread_list_head;
PLIST_ENTRY thread_list_entry;
PETHREAD current_thread;
PKAPC apc = NULL;
BOOLEAN apc_status;
thread_list_head = ( PLIST_ENTRY )( ( UINT64 )Process + KPROCESS_THREADLIST_OFFSET );
thread_list_entry = thread_list_head->Flink;
while ( thread_list_entry != thread_list_head )
{
current_thread = ( PETHREAD )( ( UINT64 )thread_list_entry - KTHREAD_THREADLIST_OFFSET );
/* sanity check */
if ( PsGetThreadId( current_thread ) == NULL )
goto increment;
apc = ( PKAPC )ExAllocatePool2( POOL_FLAG_NON_PAGED, sizeof( KAPC ), POOL_TAG_APC );
if ( !apc )
goto increment;
KeInitializeApc(
apc,
current_thread,
OriginalApcEnvironment,
ApcKernelRoutine,
ApcRundownRoutine,
ApcNormalRoutine,
KernelMode,
NULL
);
apc_status = KeInsertQueueApc(
apc,
NULL,
NULL,
IO_NO_INCREMENT
);
if ( !apc_status )
DEBUG_ERROR( "KeInsertQueueApc failed" );
increment:
thread_list_entry = thread_list_entry->Flink;
}
}
/*
* Since NMIs are only executed on the thread that is running on each logical core, it makes
* sense to make use of APCs that, while can be masked off, provide us to easily issue a callback
* routine to threads we want a stack trace of. Hence by utilising both APCs and NMIs we get
* excellent coverage of the entire system.
*/
NTSTATUS ValidateThreadsViaKernelApc()
{
EnumerateProcessListWithCallbackFunction(
ValidateThreadViaKernelApcCallback,
NULL
);
}

2
driver/modules.h
View file

@ -104,4 +104,6 @@ NTSTATUS HandleNmiIOCTL(
_In_ PIRP Irp
);
NTSTATUS ValidateThreadsViaKernelApc();
#endif

33
server/Message/ClientReport.cs
View file

@ -78,41 +78,12 @@ namespace server.Message
this._responsePacket.success = success;
}
private unsafe int GetPacketSize(int reportCode)
{
switch (reportCode)
{
case (int)CLIENT_SEND_REPORT_ID.PROCESS_MODULE_VERIFICATION:
//return Marshal.SizeOf(typeof(PROCESS_MODULE_VERIFICATION));
return 0;
case (int)CLIENT_SEND_REPORT_ID.START_ADDRESS_VERIFICATION:
return Marshal.SizeOf(typeof(PROCESS_THREAD_START_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.PAGE_PROTECTION_VERIFICATION:
return Marshal.SizeOf(typeof(PAGE_PROTECTION_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.PATTERN_SCAN_FAILURE:
return Marshal.SizeOf(typeof(PATTERN_SCAN_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.NMI_CALLBACK_FAILURE:
return Marshal.SizeOf(typeof(NMI_CALLBACK_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.MODULE_VALIDATION_FAILURE:
return Marshal.SizeOf(typeof(MODULE_VALIDATION_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_HANDLE_OPERATION:
return Marshal.SizeOf(typeof(OPEN_HANDLE_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.INVALID_PROCESS_ALLOCATION:
return Marshal.SizeOf(typeof(INVALID_PROCESS_ALLOCATION_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.HIDDEN_SYSTEM_THREAD:
return Marshal.SizeOf(typeof(HIDDEN_SYSTEM_THREAD_FAILURE));
case (int)CLIENT_SEND_REPORT_ID.ILLEGAL_ATTACH_PROCESS:
return Marshal.SizeOf(typeof(ATTACH_PROCESS_FAILURE));
default:
return 0;
}
}
unsafe public bool HandleMessage()
{
if (this._currentReportHeader.reportCode == 0)
{
_logger.Error("Failed to get the report packet code");
SetResponsePacketData(1);
return false;
}
@ -120,6 +91,8 @@ namespace server.Message
{
this.GetPacketHeader();
_logger.Information("Report code: {0}", this._currentReportHeader.reportCode);
switch (this._currentReportHeader.reportCode)
{
case (int)CLIENT_SEND_REPORT_ID.PROCESS_MODULE_VERIFICATION:

45
server/Message/ClientRequest.cs
View file

@ -1,12 +1,53 @@
using System;
using Serilog;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
using static server.Message.MessageHandler;
namespace server.Message
{
internal class ClientRequest
public class ClientRequest : IClientMessage
{
private readonly ILogger _logger;
private byte[] _buffer;
private int _bufferSize;
private CLIENT_REQUEST_HEADER _header;
private enum CLIENT_REQUEST_ID
{
BLACKLISTED_SIGNATURES = 10,
WINDOWS_VERSION_STRUCTURE_OFFSETS = 20
}
private struct CLIENT_REQUEST_HEADER
{
public int RequestId;
}
public ClientRequest(ILogger logger, ref byte[] buffer, int bufferSize)
{
this._logger = logger;
this._buffer = buffer;
this._bufferSize = bufferSize;
}
public bool HandleMessage()
{
throw new NotImplementedException();
}
public unsafe void GetPacketHeader()
{
this._header =
Helper.BytesToStructure<CLIENT_REQUEST_HEADER>(this._buffer, Marshal.SizeOf(typeof(PACKET_HEADER)));
}
public byte[] GetResponsePacket()
{
throw new NotImplementedException();
}
}
}

4
server/Message/MessageHandler.cs
View file

@ -79,7 +79,7 @@ namespace server.Message
return;
}
_logger.Error("Failed to handle the report message.");
_logger.Warning("Failed to handle client sent report");
}
private void HandleClientSendMessage()
@ -92,6 +92,8 @@ namespace server.Message
this.SendResponsePacketToClient(responsePacket);
return;
}
_logger.Warning("Failed to handle client send message");
}
private PACKET_HEADER GetMessageHeader()
{

11
server/Server.cs
View file

@ -6,6 +6,8 @@ using System.Reflection.Metadata.Ecma335;
using System.Text;
using Serilog;
using server.Message;
using Microsoft.EntityFrameworkCore.Metadata.Conventions;
using K4os.Compression.LZ4.Streams.Adapters;
namespace server
{
@ -43,11 +45,20 @@ namespace server
while (_stream.DataAvailable)
{
bytesRead = _stream.Read(buffer, 0, buffer.Length);
_logger.Information("bytes read: {0}", bytesRead);
stream.Write(buffer, 0, bytesRead);
}
byte[] message = stream.ToArray();
if (message.Length == 0)
{
_logger.Error("Null message received at server");
continue;
}
ThreadPool.QueueUserWorkItem(state => DispatchMessage(state, clientReference, message, message.Length));
}
}

28
service/Client.cs
View file

@ -4,6 +4,7 @@ using System.Net.Sockets;
using System.Text;
using Serilog;
using Microsoft.AspNetCore.Http;
using System.Linq.Expressions;
namespace service
{
@ -29,20 +30,35 @@ namespace service
public void SendMessageToServer()
{
_stream.BeginWrite(_buffer, 0, _bufferSize, null, null);
try
{
_stream.Write(_buffer, 0, _bufferSize);
}
catch(Exception ex)
{
_logger.Error("{0}", ex.Message);
}
}
public byte[] GetResponseFromServer()
public byte[]? GetResponseFromServer()
{
byte[] buffer = new byte[1024];
using (MemoryStream memoryStream = new MemoryStream())
try
{
int bytesRead = _stream.Read(buffer, 0, 1024);
using (MemoryStream memoryStream = new MemoryStream())
{
int bytesRead = _stream.Read(buffer, 0, 1024);
memoryStream.Write(buffer, 0, bytesRead);
memoryStream.Write(buffer, 0, bytesRead);
return memoryStream.ToArray();
return memoryStream.ToArray();
}
}
catch(Exception ex)
{
_logger.Error("{0}", ex.Message);
return null;
}
}
}

5
service/Worker.cs
View file

@ -80,8 +80,11 @@ namespace service
{
byte[] responseMessage = message.GetResponseFromServer();
if (responseMessage.Length == OK_RESPONSE_SIZE)
if (responseMessage == null)
{
_logger.Warning("Response message is null");
return;
}
_logger.Information("Sending response message to client with size: {0}", responseMessage.Length);

6
user/main.cpp
View file

@ -34,10 +34,10 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
global::report_structures::SYSTEM_INFORMATION_REQUEST_RESPONSE response;
client_interface->ServerReceive( &response, sizeof( response ) );
//client_interface->ServerReceive( &response, sizeof( response ) );
std::cout << "RequestID: " << response.RequestId << " CanUserProceed: " <<
response.CanUserProceed << " Reason: " << response.reason << std::endl;
//std::cout << "RequestID: " << response.RequestId << " CanUserProceed: " <<
// response.CanUserProceed << " Reason: " << response.reason << std::endl;
srand( time( NULL ) );