lhodges1 2023-12-27 14:35:46 +11:00
parent 1eff01c8e1
commit c68473090b
16 changed files with 492 additions and 164 deletions

@ -35,6 +35,12 @@ open source anti cheat (lol) which I made for fun.
- pcileech firmware detection
- testing program to test the features
# example
- I have recorded an example of the program running with CS2. Note that vac was obviously disabled. *If you decide to test with a steam game do not forget to launch in insecure mode*
- Shown are the kernel `VERBOSE` level logs in DebugView along with the usermode application console.
- You can find the video here
# known issues
- [See the issues page](https://github.com/donnaskiez/ac/issues)
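Review bot: the bullet "You can find the video here" carries no link, so the new example section points the reader at nothing; attach the video URL to "here" in the same `[text](url)` form the `known issues` entry below already uses. The rest of the hunk reads fine.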
@ -49,20 +55,23 @@ open source anti cheat (lol) which I made for fun.
Requires [Visual Studio](https://visualstudio.microsoft.com/downloads/) and the [WDK](https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk) for compilation.
1. Build the project in visual studio, if you experience any build issues - check the drivers project settings are the following:
add test signing thing here
1. Open the project in visual studio
2. Select `Release - No Server`
3. Build the project in visual studio, if you experience any build issues - check the drivers project settings are the following:
- `Inf2Cat -> General -> Use Local Time` to `Yes`
- `C/C++ -> Treat Warnings As Errors` to `No`
- `C/C++ -> Spectre Mitigation` to `Disabled`
2. Move the `driver.sys` file located in `ac\x64\Release` into the `Windows\System32\Drivers` directory
3. Use the [OSR Loader](https://www.osronline.com/article.cfm%5Earticle=157.htm) and select `driver.sys` that you moved to the Windows drivers folder. DO NOT REGISTER THE SERVICE YET.
- driver must be named "driver.sys" (sorry.. will be fixed soon (i am lazy))
4. Under `Service Start` select `System`. This is VERY important!
5. Click `Register Service`. *Do NOT click* `Start Service`!
6. Restart Windows.
7. Once restarted, open the program you would like to protect as Administrator.
- Yes I understand this is not realistic
8. Open your dll injector program of choice as administrator (I simply use [Process Hacker](https://processhacker.sourceforge.io/))
9. Inject the dll found in `ac\x64\Release` named `user.dll` into the target program
4. Move the `driver.sys` file located in `ac\x64\Release` into the `Windows\System32\Drivers` directory
- You can rename the driver if you would like
5. Use the [OSR Loader](https://www.osronline.com/article.cfm%5Earticle=157.htm) and select `driver.sys` (or whatever you named it) that you moved to the Windows drivers folder. DO NOT REGISTER THE SERVICE YET.
6. Under `Service Start` select `System`. This is VERY important!
7. Click `Register Service`. *Do NOT click* `Start Service`!
8. Restart Windows.
9. Once restarted, open the program you would like to protect. This could be anything i.e game, notepad etc.
10. Open your dll injector program of choice as administrator (I simply use [Process Hacker](https://processhacker.sourceforge.io/))
11. Inject the dll found in `ac\x64\Release` named `user.dll` into the target program
Logs will be printed to both the terminal output and the kernel debugger. See below for configuring kernel debugger output.
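Review bot: the placeholder "add test signing thing here" is committed into the README between the old and new step lists. Either write the step (nothing in steps 1 to 11 tells the reader how an unsigned `driver.sys` is allowed to load, and enabling test signing is that prerequisite) or remove the line before merge. In the same hunk, the old "1. Build the project in visual studio …" step and the old "2. Move the `driver.sys` …" through "9. Inject the dll …" steps appear alongside the renumbered 1 to 11; please confirm the old numbering is actually deleted rather than duplicated, since the rendered diff here does not distinguish them. Step 4's "You can rename the driver if you would like" matches the driver-name-from-registry change in `driver.c` in this commit, which is good; consider saying why it is now allowed.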
@ -73,10 +82,10 @@ Note: The server is not needed for the program to function properly.
The kernel driver is setup to log at 4 distinct levels:
```C
#define DPFLTR_ERROR_LEVEL
#define DPFLTR_WARNING_LEVEL
#define DPFLTR_INFO_LEVEL
#define DPFLTR_VERBOSE_LEVEL
#define LOG_ERROR_LEVEL
#define LOG_WARNING_LEVEL
#define LOG_INFO_LEVEL
#define LOG_VERBOSE_LEVEL
```
As the names suggest, `ERROR_LEVEL` is for errors, `WARNING_LEVEL` is for warnings. `INFO_LEVEL` is for general information regarding what requests the driver is processing and `VERBOSE_LEVEL` contains very detailed information for each request.
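Review bot: the prose under the block still refers to `ERROR_LEVEL`, `WARNING_LEVEL`, `INFO_LEVEL` and `VERBOSE_LEVEL`, while the macros were renamed to `LOG_ERROR_LEVEL`, `LOG_WARNING_LEVEL`, `LOG_INFO_LEVEL` and `LOG_VERBOSE_LEVEL`; use the full new names so a reader can grep for them. It would also help to state which level the `Release - No Server` build selected in the steps above logs at, since the example section says the recording shows `VERBOSE` output.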

ac.sln

@ -21,6 +21,10 @@ Global
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release - No Server|Any CPU = Release - No Server|Any CPU
Release - No Server|ARM64 = Release - No Server|ARM64
Release - No Server|x64 = Release - No Server|x64
Release - No Server|x86 = Release - No Server|x86
Release|Any CPU = Release|Any CPU
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
@ -35,6 +39,14 @@ Global
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Debug|x64.Build.0 = Debug|x64
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Debug|x86.ActiveCfg = Debug|Win32
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Debug|x86.Build.0 = Debug|Win32
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release - No Server|Any CPU.ActiveCfg = Release - No Server|x64
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release - No Server|Any CPU.Build.0 = Release - No Server|x64
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release - No Server|ARM64.ActiveCfg = Release - No Server|x64
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release - No Server|ARM64.Build.0 = Release - No Server|x64
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release - No Server|x64.ActiveCfg = Release - No Server|x64
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release - No Server|x64.Build.0 = Release - No Server|x64
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release - No Server|x86.ActiveCfg = Release - No Server|Win32
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release - No Server|x86.Build.0 = Release - No Server|Win32
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release|Any CPU.ActiveCfg = Release|x64
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release|Any CPU.Build.0 = Release|x64
{3C8194C7-9F20-4FF8-8C4C-B26C3D053611}.Release|ARM64.ActiveCfg = Release|x64
@ -55,6 +67,18 @@ Global
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|x86.ActiveCfg = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|x86.Build.0 = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Debug|x86.Deploy.0 = Debug|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|Any CPU.ActiveCfg = Release - No Server|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|Any CPU.Build.0 = Release - No Server|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|Any CPU.Deploy.0 = Release - No Server|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|ARM64.ActiveCfg = Release - No Server|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|ARM64.Build.0 = Release - No Server|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|ARM64.Deploy.0 = Release - No Server|ARM64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|x64.ActiveCfg = Release - No Server|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|x64.Build.0 = Release - No Server|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|x64.Deploy.0 = Release - No Server|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|x86.ActiveCfg = Release - No Server|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|x86.Build.0 = Release - No Server|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release - No Server|x86.Deploy.0 = Release - No Server|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|Any CPU.ActiveCfg = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|Any CPU.Build.0 = Release|x64
{0AE83EC6-DDEA-4EDE-B1B2-1B2AB1E8BB54}.Release|Any CPU.Deploy.0 = Release|x64
@ -75,6 +99,14 @@ Global
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Debug|x64.Build.0 = Debug|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Debug|x86.ActiveCfg = Debug|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Debug|x86.Build.0 = Debug|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release - No Server|Any CPU.ActiveCfg = Release - No Server|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release - No Server|Any CPU.Build.0 = Release - No Server|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release - No Server|ARM64.ActiveCfg = Release - No Server|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release - No Server|ARM64.Build.0 = Release - No Server|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release - No Server|x64.ActiveCfg = Release - No Server|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release - No Server|x64.Build.0 = Release - No Server|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release - No Server|x86.ActiveCfg = Release - No Server|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release - No Server|x86.Build.0 = Release - No Server|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release|Any CPU.ActiveCfg = Release|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release|Any CPU.Build.0 = Release|Any CPU
{6228E9DD-E1EA-45D8-8054-A00FC2D63414}.Release|ARM64.ActiveCfg = Release|Any CPU
@ -91,6 +123,14 @@ Global
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|x64.Build.0 = Debug|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|x86.ActiveCfg = Debug|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Debug|x86.Build.0 = Debug|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release - No Server|Any CPU.ActiveCfg = Release - No Server|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release - No Server|Any CPU.Build.0 = Release - No Server|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release - No Server|ARM64.ActiveCfg = Release - No Server|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release - No Server|ARM64.Build.0 = Release - No Server|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release - No Server|x64.ActiveCfg = Release - No Server|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release - No Server|x64.Build.0 = Release - No Server|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release - No Server|x86.ActiveCfg = Release - No Server|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release - No Server|x86.Build.0 = Release - No Server|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|Any CPU.ActiveCfg = Release|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|Any CPU.Build.0 = Release|Any CPU
{4D0777F0-2D3D-4FD7-9C0F-CD4DEC1A99E9}.Release|ARM64.ActiveCfg = Release|Any CPU
@ -111,6 +151,18 @@ Global
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Debug|x86.ActiveCfg = Debug|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Debug|x86.Build.0 = Debug|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Debug|x86.Deploy.0 = Debug|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|Any CPU.ActiveCfg = Release - No Server|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|Any CPU.Build.0 = Release - No Server|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|Any CPU.Deploy.0 = Release - No Server|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|ARM64.ActiveCfg = Release - No Server|ARM64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|ARM64.Build.0 = Release - No Server|ARM64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|ARM64.Deploy.0 = Release - No Server|ARM64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|x64.ActiveCfg = Release - No Server|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|x64.Build.0 = Release - No Server|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|x64.Deploy.0 = Release - No Server|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|x86.ActiveCfg = Release - No Server|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|x86.Build.0 = Release - No Server|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release - No Server|x86.Deploy.0 = Release - No Server|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release|Any CPU.ActiveCfg = Release|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release|Any CPU.Build.0 = Release|x64
{3CE9C9B1-1FB1-4770-ABBB-EE4E6AA949B0}.Release|Any CPU.Deploy.0 = Release|x64
@ -131,6 +183,14 @@ Global
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Debug|x64.Build.0 = Debug|x64
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Debug|x86.ActiveCfg = Debug|Win32
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Debug|x86.Build.0 = Debug|Win32
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release - No Server|Any CPU.ActiveCfg = Release - No Server|x64
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release - No Server|Any CPU.Build.0 = Release - No Server|x64
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release - No Server|ARM64.ActiveCfg = Release - No Server|x64
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release - No Server|ARM64.Build.0 = Release - No Server|x64
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release - No Server|x64.ActiveCfg = Release - No Server|x64
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release - No Server|x64.Build.0 = Release - No Server|x64
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release - No Server|x86.ActiveCfg = Release - No Server|Win32
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release - No Server|x86.Build.0 = Release - No Server|Win32
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release|Any CPU.ActiveCfg = Release|x64
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release|Any CPU.Build.0 = Release|x64
{BB9E4B6E-81E3-4D39-8928-0BA3F947C479}.Release|ARM64.ActiveCfg = Release|x64

@ -167,7 +167,7 @@ TerminateProtectedProcessOnViolation()
{
PAGED_CODE();
NTSTATUS status = STATUS_ABANDONED;
NTSTATUS status = STATUS_UNSUCCESSFUL;
ULONG process_id = 0;
GetProtectedProcessId(&process_id);
@ -226,21 +226,28 @@ RegistryPathQueryCallbackRoutine(IN PWSTR ValueName,
driver_config.driver_path.Buffer = (PWCH)temp_buffer;
driver_config.driver_path.Length = ValueLength;
driver_config.driver_path.MaximumLength = ValueLength + 1;
driver_config.driver_path.MaximumLength = ValueLength;
}
if (RtlCompareUnicodeString(&value_name, &display_name, FALSE) == FALSE)
{
temp_buffer = ExAllocatePool2(POOL_FLAG_PAGED, ValueLength, POOL_TAG_STRINGS);
temp_buffer = ExAllocatePool2(POOL_FLAG_PAGED, ValueLength + 20, POOL_TAG_STRINGS);
if (!temp_buffer)
return STATUS_MEMORY_NOT_ALLOCATED;
/*
* The registry path driver name does not contain the .sys extension which is
* required for us since when we enumerate the system modules we are comparing the
* entire path including the .sys extension. Hence we add it to the end of the
* buffer here.
*/
RtlCopyMemory(temp_buffer, ValueData, ValueLength);
wcscpy((UINT64)temp_buffer + ValueLength - 2, L".sys");
driver_config.unicode_driver_name.Buffer = (PWCH)temp_buffer;
driver_config.unicode_driver_name.Length = ValueLength;
driver_config.unicode_driver_name.MaximumLength = ValueLength + 1;
driver_config.unicode_driver_name.Length = ValueLength + 20;
driver_config.unicode_driver_name.MaximumLength = ValueLength + 20;
}
return STATUS_SUCCESS;
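Review bot: `wcscpy((UINT64)temp_buffer + ValueLength - 2, L".sys");` casts the buffer to an integer and passes the sum where a `wchar_t *` is expected; it only compiles because warnings are not treated as errors in this project. Write it as `wcscpy((PWCH)((PUCHAR)temp_buffer + ValueLength - sizeof(WCHAR)), L".sys");` so the arithmetic is on a byte pointer and the intent (overwrite the copied value's terminating NUL) is visible, and guard `ValueLength >= sizeof(WCHAR)` first, because the `- 2` on an empty value wraps. The sizes are also off: the appended text needs `sizeof(L".sys")` (10 bytes including its NUL), so allocate `ValueLength + sizeof(L".sys")` rather than the magic `+ 20`, and set `unicode_driver_name.Length` to the byte count of the characters only, `ValueLength - sizeof(WCHAR) + sizeof(L".sys") - sizeof(WCHAR)`, with `MaximumLength` equal to the allocation. As written `Length = ValueLength + 20` covers bytes past the end of the text, and `RtlUnicodeStringToAnsiString` later carries that overlong `Length` into `ansi_driver_name`, so anything that compares by length rather than by NUL terminator sees a longer name than the module list reports. Minor: the `RtlCompareUnicodeString(...) == FALSE` test in the context lines works (0 means equal) but reads as if the function returned a BOOLEAN; `RtlEqualUnicodeString` says what is meant.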
@ -253,33 +260,6 @@ RegistryPathQueryCallbackRoutine(IN PWSTR ValueName,
*
*/
NTSTATUS
SelfReferenceDriver()
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
HANDLE handle = NULL;
UNICODE_STRING path = {0};
OBJECT_ATTRIBUTES oa = {0};
IO_STATUS_BLOCK io = {0};
DEBUG_VERBOSE("Opening self referencing handle");
GetDriverPath(&path);
__debugbreak();
InitializeObjectAttributes(
&oa, &path, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenFile(&handle, GENERIC_READ, &oa, &io, NULL, NULL);
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("ZwOpenFile failed with status %x", status);
return status;
}
__debugbreak();
return status;
}
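Review bot: the comment block whose tail (` *` / ` */`) forms the top of this hunk documented `SelfReferenceDriver`, and with the function deleted it now sits directly above the `/* No need to hold the lock here …` comment of the next function; delete the orphaned comment as well. Removing the two `__debugbreak()` calls along with the function is the right outcome, since a breakpoint left in a kernel driver bugchecks any machine that has no kernel debugger attached.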
/*
* No need to hold the lock here as the thread freeing the APCs will
* already hold the configuration lock. We also dont want to release and
@ -306,8 +286,6 @@ FreeApcContextStructure(_Inout_ PAPC_CONTEXT_HEADER Context)
ExFreePoolWithTag(Context, POOL_TAG_APC);
entry[index] = NULL;
result = TRUE;
ObDereferenceObject(driver_config.driver_object);
ObDereferenceObject(driver_config.device_object);
goto unlock;
}
}
@ -445,18 +423,6 @@ InsertApcContext(_In_ PVOID Context)
if (entry[index] == NULL)
{
entry[index] = Context;
/*
* When we insert a new APC context, lets increment our drivers reference
* count. When we remove an APC context, we will decrement this reference
* count. This allows us to queue the driver for deletion but the unload
* routine wont execute until all APC contexts have been completed, allowing
* us to cleanup everything properly. The old strategy of blocking the
* unload routine method was not very nice and I think this is a much better
* method of going about it.
*/
ObReferenceObject(driver_config.driver_object);
ObReferenceObject(driver_config.device_object);
goto end;
}
}
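Review bot: this hunk and the `FreeApcContextStructure` hunk above remove the paired `ObReferenceObject`/`ObDereferenceObject` calls on `driver_config.driver_object` and `driver_config.device_object`, together with the deleted comment's stated purpose: holding the unload routine off until every queued APC context has completed. The removal is balanced (both the take and the release go), but nothing visible in this commit replaces the mechanism, so either the hazard the comment described (an APC completing into an unloaded image) is back, or the replacement lives in a file not shown here. The commit message should say which, and if it is the former, a short comment at the insert site explaining what now keeps the driver resident while contexts are outstanding would help the next reader.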
@ -1113,6 +1079,10 @@ DrvLoadInitialiseProcessConfig()
#define CPUID_GENUINE_INTEL_EDX 0x49656e69
#define CPUID_GENUINE_INTEL_ECX 0x6c65746e
#define EBX_REGISTER 1
#define ECX_REGISTER 2
#define EDX_REGISTER 3
STATIC
NTSTATUS
GetSystemProcessorType()
@ -1123,14 +1093,16 @@ GetSystemProcessorType()
DEBUG_VERBOSE("Cpuid: EBX: %lx, ECX: %lx, EDX: %lx", cpuid[1], cpuid[2], cpuid[3]);
if (cpuid[1] == CPUID_AUTHENTIC_AMD_EBX && cpuid[2] == CPUID_AUTHENTIC_AMD_ECX &&
cpuid[3] == CPUID_AUTHENTIC_AMD_EDX)
if (cpuid[EBX_REGISTER] == CPUID_AUTHENTIC_AMD_EBX &&
cpuid[ECX_REGISTER] == CPUID_AUTHENTIC_AMD_ECX &&
cpuid[EDX_REGISTER] == CPUID_AUTHENTIC_AMD_EDX)
{
driver_config.system_information.processor = GenuineIntel;
return STATUS_SUCCESS;
}
else if (cpuid[1] == CPUID_GENUINE_INTEL_EBX && cpuid[2] == CPUID_GENUINE_INTEL_ECX &&
cpuid[3] == CPUID_GENUINE_INTEL_EDX)
else if (cpuid[EBX_REGISTER] == CPUID_GENUINE_INTEL_EBX &&
cpuid[ECX_REGISTER] == CPUID_GENUINE_INTEL_ECX &&
cpuid[EDX_REGISTER] == CPUID_GENUINE_INTEL_EDX)
{
driver_config.system_information.processor = AuthenticAmd;
return STATUS_SUCCESS;
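Review bot: the vendor assignments are inverted: the branch that matches `CPUID_AUTHENTIC_AMD_EBX/ECX/EDX` sets `driver_config.system_information.processor = GenuineIntel`, and the branch that matches `CPUID_GENUINE_INTEL_*` sets `AuthenticAmd`. Those are unchanged context lines, but this hunk already rewrites both conditions, so fix them here; anything downstream that keys on the processor type (the SMBIOS parsing below carries a TODO about AMD table indexes) currently takes the wrong path on every machine. The `EBX_REGISTER`/`ECX_REGISTER`/`EDX_REGISTER` indices (1, 2, 3) are correct assuming the array is filled by `__cpuid`, which stores EAX, EBX, ECX, EDX in that order.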
@ -1175,6 +1147,10 @@ ParseSmbiosForGivenSystemEnvironment()
{
case NativeWindows:
{
/*
* TODO: double check that amd indexes are the same should be, but should check just
* in case
*/
status = ParseSMBIOSTable(&driver_config.system_information.motherboard_serial,
MOTHERBOARD_SERIAL_CODE_LENGTH,
VendorSpecificInformation,
@ -1197,7 +1173,7 @@ ParseSmbiosForGivenSystemEnvironment()
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("ParseSMBIOSTable failed with status %x", status);
DEBUG_ERROR("ParseSMBIOSTable 2 failed with status %x", status);
return status;
}
@ -1267,24 +1243,11 @@ DrvLoadGatherSystemEnvironmentSettings()
STATIC
NTSTATUS
DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
DrvLoadRetrieveDriverNameFromRegistry(_In_ PUNICODE_STRING RegistryPath)
{
PAGED_CODE();
NTSTATUS status = STATUS_UNSUCCESSFUL;
RTL_QUERY_REGISTRY_TABLE query_table[3] = {0};
DEBUG_VERBOSE("Initialising driver configuration");
KeInitializeGuardedMutex(&driver_config.lock);
driver_config.unload_in_progress = FALSE;
driver_config.system_information.virtualised_environment = FALSE;
RtlInitUnicodeString(&driver_config.device_name, L"\\Device\\DonnaAC");
RtlInitUnicodeString(&driver_config.device_symbolic_link, L"\\??\\DonnaAC");
RtlCopyUnicodeString(&driver_config.registry_path, RegistryPath);
query_table[0].Flags = RTL_QUERY_REGISTRY_NOEXPAND;
query_table[0].Name = L"ImagePath";
query_table[0].DefaultType = REG_MULTI_SZ;
@ -1307,16 +1270,49 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("RtlxQueryRegistryValues failed with status %x", status);
DrvUnloadFreeConfigStrings();
return status;
}
/*
* The registry path contains the name of the driver i.e Driver, but does not contain the
* .sys extension. Lets add it to our stored driver name since we need the .sys extension
* when querying the system modules for our driver.
*/
status = RtlUnicodeStringToAnsiString(
&driver_config.ansi_driver_name, &driver_config.unicode_driver_name, TRUE);
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("RtlUnicodeStringToAnsiString failed with status %x", status);
return status;
}
}
STATIC
NTSTATUS
DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
PAGED_CODE();
NTSTATUS status = STATUS_UNSUCCESSFUL;
DEBUG_VERBOSE("Initialising driver configuration");
KeInitializeGuardedMutex(&driver_config.lock);
driver_config.unload_in_progress = FALSE;
driver_config.system_information.virtualised_environment = FALSE;
RtlInitUnicodeString(&driver_config.device_name, L"\\Device\\DonnaAC");
RtlInitUnicodeString(&driver_config.device_symbolic_link, L"\\??\\DonnaAC");
RtlCopyUnicodeString(&driver_config.registry_path, RegistryPath);
status = DrvLoadRetrieveDriverNameFromRegistry(RegistryPath);
if (!NT_SUCCESS(status))
{
DEBUG_ERROR("DrvLoadRetrieveDriverNameFromRegistry failed with status %x", status);
DrvUnloadFreeConfigStrings();
return status;
}
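Review bot: `DrvLoadRetrieveDriverNameFromRegistry` has no `return` on its success path: after the `RtlUnicodeStringToAnsiString` error check the function ends at its closing brace, so the caller's `if (!NT_SUCCESS(status))` tests an indeterminate value (MSVC flags this as C4715, which this project does not promote to an error). Add `return status;` before the closing brace. Two more points in this hunk: the comment about appending the `.sys` extension now sits above the Unicode-to-ANSI conversion, while the append itself happens in `RegistryPathQueryCallbackRoutine`; move or reword it. And `RtlUnicodeStringToAnsiString(..., TRUE)` allocates `ansi_driver_name.Buffer` from pool, so `DrvUnloadFreeConfigStrings` (called on the failure path in the new caller and presumably at unload) needs a matching `RtlFreeAnsiString`; that function is not in the diff, so please confirm. Also confirm `driver_config.registry_path` has a buffer with a sufficient `MaximumLength` before the `RtlCopyUnicodeString` into it, since that call truncates silently.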
@ -1339,6 +1335,8 @@ DrvLoadInitialiseDriverConfig(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_ST
return status;
}
DEBUG_VERBOSE("driver name: %s", driver_config.ansi_driver_name.Buffer);
return status;
}
@ -1418,6 +1416,10 @@ DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
return STATUS_FAILED_DRIVER_ENTRY;
}
LPCSTR driver_name = NULL;
GetDriverName(&driver_name);
DEBUG_VERBOSE("Driver name: %s", driver_name);
// ValidateSystemModules();
// ValidateNtoskrnl();
// LaunchInterProcessInterrupt(NULL);
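Review bot: the `DEBUG_VERBOSE("Driver name: %s", driver_name)` added here duplicates the `DEBUG_VERBOSE("driver name: %s", …)` the previous hunk adds at the end of `DrvLoadInitialiseDriverConfig`; keep one. Every call site in `modules.c` in this commit null-checks `driver_name` after `GetDriverName`, while this one passes it straight to `%s`; apply the same check or, better, have `GetDriverName` return an `NTSTATUS` so callers cannot skip it.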

@ -5,6 +5,14 @@
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release - No Server|ARM64">
<Configuration>Release - No Server</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release - No Server|x64">
<Configuration>Release - No Server</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
@ -46,6 +54,15 @@
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
@ -62,6 +79,14 @@
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
@ -82,12 +107,22 @@
<EnableClangTidyCodeAnalysis>false</EnableClangTidyCodeAnalysis>
<EnableMicrosoftCodeAnalysis>false</EnableMicrosoftCodeAnalysis>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<Inf2CatUseLocalTime>true</Inf2CatUseLocalTime>
<RunCodeAnalysis>true</RunCodeAnalysis>
<EnableClangTidyCodeAnalysis>false</EnableClangTidyCodeAnalysis>
<EnableMicrosoftCodeAnalysis>false</EnableMicrosoftCodeAnalysis>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
@ -115,11 +150,30 @@
<AdditionalDependencies>Cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
<EnablePREfast>true</EnablePREfast>
</ClCompile>
<Link />
<Link>
<AdditionalOptions>/INTEGRITYCHECK %(AdditionalOptions)</AdditionalOptions>
<AdditionalDependencies>Cng.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|ARM64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
</ItemDefinitionGroup>
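Review bot: in the new `Release - No Server|x64` ItemDefinitionGroup an empty `<Link />` immediately precedes a populated `<Link>…</Link>`; drop the empty element. Otherwise the block matches what this hunk shows of the existing Release group above it (`/INTEGRITYCHECK`, `Cng.lib`, PREfast on, warnings not errors), and no `<PreprocessorDefinitions>` entry distinguishes the configuration, so nothing in the driver project itself compiles a server path out. If the configuration is only meaningful for the user and C# projects, say so in a comment here; if the driver is supposed to behave differently, add a define (for example `NO_SERVER`) to this group so the intent is greppable.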
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>

@ -115,10 +115,19 @@ GetDriverImageSize(_Inout_ PIRP Irp)
{
PAGED_CODE();
NTSTATUS status = STATUS_ABANDONED;
NTSTATUS status = STATUS_UNSUCCESSFUL;
LPCSTR driver_name = NULL;
SYSTEM_MODULES modules = {0};
PRTL_MODULE_EXTENDED_INFO driver_info = NULL;
GetDriverName(&driver_name);
if (!driver_name)
{
DEBUG_ERROR("GetDriverName failed with no status.");
return status;
}
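Review bot: the `GetDriverName(&driver_name); if (!driver_name) { … return status; }` block is repeated verbatim here and in the three hunks below (`GetModuleInformationByName`, `VerifyInMemoryImageVsDiskImage`, `RetrieveInMemoryModuleExecutableSections`), with the error text differing only by a trailing period. Have `GetDriverName` return `NTSTATUS` (or the pointer directly) so each call site collapses to one line with a real status instead of "failed with no status". Returning `status` here is correct only because it was initialised to `STATUS_UNSUCCESSFUL` a few lines earlier; return the constant explicitly so a later change to the initialiser cannot turn this into a success return.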
status = GetSystemModuleInformation(&modules);
if (!NT_SUCCESS(status))
@ -127,7 +136,7 @@ GetDriverImageSize(_Inout_ PIRP Irp)
return status;
}
driver_info = FindSystemModuleByName("driver.sys", &modules);
driver_info = FindSystemModuleByName(driver_name, &modules);
if (!driver_info)
{
@ -161,10 +170,19 @@ GetModuleInformationByName(_Out_ PRTL_MODULE_EXTENDED_INFO ModuleInfo, _In_ LPCS
{
PAGED_CODE();
NTSTATUS status = STATUS_ABANDONED;
NTSTATUS status = STATUS_UNSUCCESSFUL;
LPCSTR driver_name = NULL;
SYSTEM_MODULES modules = {0};
PRTL_MODULE_EXTENDED_INFO driver_info = NULL;
GetDriverName(&driver_name);
if (!driver_name)
{
DEBUG_ERROR("GetDriverName failed with no status.");
return status;
}
status = GetSystemModuleInformation(&modules);
if (!NT_SUCCESS(status))
@ -173,7 +191,7 @@ GetModuleInformationByName(_Out_ PRTL_MODULE_EXTENDED_INFO ModuleInfo, _In_ LPCS
return status;
}
driver_info = FindSystemModuleByName("driver.sys", &modules);
driver_info = FindSystemModuleByName(driver_name, &modules);
if (!driver_info)
{
@ -572,7 +590,7 @@ VerifyInMemoryImageVsDiskImage(
{
PAGED_CODE();
NTSTATUS status = STATUS_ABANDONED;
NTSTATUS status = STATUS_UNSUCCESSFUL;
UNICODE_STRING path = {0};
HANDLE section_handle = NULL;
PVOID section = NULL;
@ -590,8 +608,16 @@ VerifyInMemoryImageVsDiskImage(
ULONG disk_text_hash_size = 0;
ULONG memory_text_hash_size = 0;
SIZE_T result = 0;
LPCSTR driver_name = NULL;
GetDriverPath(&path);
GetDriverName(&driver_name);
if (!driver_name)
{
DEBUG_ERROR("GetDriverName failed with no status");
return status;
}
status =
MapDiskImageIntoVirtualAddressSpace(&section_handle, &section, &path, &section_size);
@ -614,7 +640,7 @@ VerifyInMemoryImageVsDiskImage(
/*
* Parse the in-memory module
*/
status = GetModuleInformationByName(&module_info, "driver.sys");
status = GetModuleInformationByName(&module_info, driver_name);
if (!NT_SUCCESS(status) || !module_info.ImageBase || !module_info.ImageSize)
{
@ -721,11 +747,20 @@ RetrieveInMemoryModuleExecutableSections(_Inout_ PIRP Irp)
PAGED_CODE();
NTSTATUS status = STATUS_UNSUCCESSFUL;
LPCSTR driver_name = NULL;
SIZE_T bytes_written = NULL;
PVOID buffer = NULL;
RTL_MODULE_EXTENDED_INFO module_info = {0};
status = GetModuleInformationByName(&module_info, "driver.sys");
GetDriverName(&driver_name);
if (!driver_name)
{
DEBUG_ERROR("GetDriverName failed with no status");
return status;
}
status = GetModuleInformationByName(&module_info, driver_name);
if (!NT_SUCCESS(status) || !module_info.ImageBase || !module_info.ImageSize)
{
@ -866,18 +901,18 @@ GetStringAtIndexFromSMBIOSTable(_In_ PSMBIOS_TABLE_HEADER Table,
}
/* for generic intel */
//#define SMBIOS_SYSTEM_INFORMATION_TYPE_2_TABLE 2
//#define MOTHERBOARD_SERIAL_CODE_TABLE_INDEX 4
// #define SMBIOS_SYSTEM_INFORMATION_TYPE_2_TABLE 2
// #define MOTHERBOARD_SERIAL_CODE_TABLE_INDEX 4
/* for testing purposes in vmware */
//#define VMWARE_SMBIOS_TABLE 1
//#define VMWARE_SMBIOS_TABLE_INDEX 3
// #define VMWARE_SMBIOS_TABLE 1
// #define VMWARE_SMBIOS_TABLE_INDEX 3
NTSTATUS
ParseSMBIOSTable(_Out_ PVOID Buffer,
_In_ SIZE_T BufferSize,
ParseSMBIOSTable(_Out_ PVOID Buffer,
_In_ SIZE_T BufferSize,
_In_ SMBIOS_TABLE_INDEX TableIndex,
_In_ ULONG TableSubIndex)
_In_ ULONG TableSubIndex)
{
PAGED_CODE();

@ -6,6 +6,7 @@
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<AllowUnsafeBlocks>True</AllowUnsafeBlocks>
<Configurations>Debug;Release;Release - No Server</Configurations>
</PropertyGroup>
<ItemGroup>

@ -6,6 +6,7 @@
<ImplicitUsings>enable</ImplicitUsings>
<UserSecretsId>dotnet-service-ab667d6f-8728-45a8-a87c-ae511852674a</UserSecretsId>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
<Configurations>Debug;Release;Release - No Server</Configurations>
</PropertyGroup>
<ItemGroup>

@ -5,6 +5,14 @@
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release - No Server|Win32">
<Configuration>Release - No Server</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release - No Server|x64">
<Configuration>Release - No Server</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
@ -39,6 +47,13 @@
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
@ -52,6 +67,13 @@
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
@ -63,12 +85,18 @@
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
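Review bot: attribute order is inconsistent in the two new `ImportGroup` elements; the existing groups write `Label="PropertySheets" Condition="..."` while the added "Release - No Server" groups write `Condition="..." Label="PropertySheets"`. Harmless to MSBuild, but matching the surrounding order keeps future diffs readable.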
@ -98,6 +126,22 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
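Review bot: the new "Release - No Server|Win32" group defines only `WIN32;NDEBUG;_CONSOLE`, so nothing in this configuration distinguishes it from a plain Release build. If this project is expected to react to the configuration (the client code in this commit keys off `NO_SERVER`), add `NO_SERVER;` to `PreprocessorDefinitions`; if it is not, say so in a comment, otherwise the duplicated group is maintenance without effect.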
@ -128,6 +172,23 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<LanguageStandard>stdcpp17</LanguageStandard>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.cpp" />
</ItemGroup>
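Review bot: `<LanguageStandard>stdcpp17</LanguageStandard>` appears only in the x64 "No Server" group and not in the Win32 one added above, so the two platforms would compile the same sources under different language standards. Either add it to both or drop it here; and, as for Win32, `NDEBUG;_CONSOLE;` carries no `NO_SERVER` define, so this configuration builds identically to Release.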

View file

@ -5,6 +5,14 @@
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release - No Server|ARM64">
<Configuration>Release - No Server</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release - No Server|x64">
<Configuration>Release - No Server</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
@ -45,6 +53,15 @@
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<Driver_SpectreMitigation>false</Driver_SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
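Review bot: `<Driver_SpectreMitigation>false</Driver_SpectreMitigation>` in a release kernel-mode driver configuration disables the compiler's speculation barriers for code that runs in ring 0 and parses untrusted input from user mode. That is defensible for a development build, but it deserves a comment stating why (the README's build notes also instruct disabling it), and ideally a tracked item to re-enable it once the warnings it produces are addressed.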
@ -61,6 +78,14 @@
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
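Review bot: the "Release - No Server|ARM64" group omits `<Driver_SpectreMitigation>`, so it inherits the toolset default while the x64 group explicitly sets `false`. If the two platforms are meant to be built the same way, mirror the setting; if ARM64 is intentionally left at default, a comment saves the next reader the comparison.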
@ -76,12 +101,19 @@
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<Inf2CatUseLocalTime>true</Inf2CatUseLocalTime>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<Inf2CatUseLocalTime>true</Inf2CatUseLocalTime>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
@ -95,11 +127,24 @@
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|ARM64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
</DriverSign>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DriverSign>
<FileDigestAlgorithm>sha256</FileDigestAlgorithm>
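Review bot: `<TreatWarningAsError>false</TreatWarningAsError>` in the new "Release - No Server|x64" driver group silences warnings for kernel code, where an ignored truncation or uninitialised-variable warning becomes a memory-safety bug rather than a crash. If the intent is only to get the build through, prefer suppressing the specific warning numbers rather than the whole class. Separately, nothing in the new driver groups differs from the adjacent Release groups, so the driver has no actual "No Server" behaviour; if the configuration exists only so the solution configuration resolves, note that.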

View file

@ -9,7 +9,11 @@
global::Client::Client(std::shared_ptr<global::ThreadPool> ThreadPool, LPTSTR PipeName)
{
this->thread_pool = ThreadPool;
#if NO_SERVER
LOG_INFO("No_Server build used. Not opening named pipe.");
#else
this->pipe = std::make_shared<global::Pipe>(PipeName);
#endif
}
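Review bot: in the `NO_SERVER` branch of the constructor `this->pipe` is never assigned, so any member that touches `pipe` without the same guard will dereference an empty `shared_ptr`. `ServerReceive` (named in the next hunk's context) is not modified in this commit; confirm it is either guarded the same way or never called in a no-server build, or have callers check `pipe` before use.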
/*
@ -27,6 +31,9 @@ global::Client::ServerReceive(PVOID Buffer, SIZE_T Size)
void
global::Client::ServerSend(PVOID Buffer, SIZE_T Size, INT RequestId)
{
#if NO_SERVER
return;
#else
mutex.lock();
SIZE_T total_header_size = sizeof(global::headers::CLIENT_SEND_PACKET_HEADER) +
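Review bot: the early `return;` under `#if NO_SERVER` leaves the entire remaining body of `ServerSend` inside the `#else` branch, so `Buffer`, `Size` and `RequestId` are unused in that build and the function is effectively two functions spliced by the preprocessor. A cleaner shape is a single `#if NO_SERVER` check at the top that returns and an unconditional body below it, or a stub `Client` compiled only in the no-server configuration; that also avoids accumulating matching `#endif`s at the end of every method.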
@ -49,9 +56,9 @@ global::Client::ServerSend(PVOID Buffer, SIZE_T Size, INT RequestId)
RtlZeroMemory(send_buffer, total_header_size + Size);
global::headers::PIPE_PACKET_HEADER header;
header.message_type = MESSAGE_TYPE_CLIENT_SEND;
header.steam64_id = TEST_STEAM_64_ID;
global::headers::PIPE_PACKET_HEADER header = {0};
header.message_type = MESSAGE_TYPE_CLIENT_SEND;
header.steam64_id = TEST_STEAM_64_ID;
memcpy(send_buffer, &header, sizeof(global::headers::PIPE_PACKET_HEADER));
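Review bot: zero-initialising `header` with `= {0}` is a correct and security-relevant fix: the previous declaration left `PIPE_PACKET_HEADER` uninitialised, and the `memcpy` that follows copies the whole struct, padding included, into `send_buffer`, so any field or padding byte not explicitly set was sent to the server straight from the stack. The same treatment should be applied to any other struct that is `memcpy`'d onto the pipe in this file, such as the `CLIENT_SEND_PACKET_HEADER` whose size is computed above.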
@ -71,4 +78,6 @@ global::Client::ServerSend(PVOID Buffer, SIZE_T Size, INT RequestId)
mutex.unlock();
free(send_buffer);
#endif
}

View file

@ -69,6 +69,9 @@ class Client
template <typename T>
void ReportViolation(T* Report)
{
#if NO_SERVER
return;
#else
mutex.lock();
global::headers::PIPE_PACKET_HEADER header = {0};
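Review bot: `ReportViolation` returns silently in the `NO_SERVER` build, so a detection is discarded with no trace. The constructor already logs that no pipe is opened; log here too (for example `LOG_INFO("NO_SERVER build: dropping violation report")`), otherwise someone testing the no-server build, which is exactly what this configuration is for, cannot tell whether the detection routines ever fired.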
@ -85,6 +88,7 @@ class Client
RtlZeroMemory(this->report_buffer, REPORT_BUFFER_SIZE);
mutex.unlock();
#endif
}
void ServerReceive(PVOID Buffer, SIZE_T Size);

View file

@ -6,4 +6,6 @@
#define LOG_INFO(fmt, ...) printf("[+] " fmt "\n", ##__VA_ARGS__)
#define LOG_ERROR(fmt, ...) printf("[-] " fmt "\n", ##__VA_ARGS__)
#endif
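Review bot: `LOG_ERROR` writes to stdout via `printf`, the same stream as `LOG_INFO`, so errors cannot be separated from informational output when the console is redirected. Consider `fprintf(stderr, "[-] " fmt "\n", ##__VA_ARGS__)` for the error macro. The `##__VA_ARGS__` comma-swallowing form is an extension, but MSVC accepts it, so that is fine for this project.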

View file

@ -184,6 +184,7 @@ kernelmode::Driver::QueryReportQueue()
buffer_size =
sizeof(APC_STACKWALK_REPORT) * MAX_REPORTS_PER_IRP + sizeof(REPORT_QUEUE_HEADER);
/* this isnt very c++ of us... */
buffer = malloc(buffer_size);
status = DeviceIoControl(this->driver_handle,
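Review bot: `buffer = malloc(buffer_size);` is passed to `DeviceIoControl` on the next line without a NULL check, so an allocation failure becomes a NULL output buffer handed to the driver. The added comment already acknowledges the style problem; replacing the raw `malloc` with `std::vector<std::byte>` or `std::unique_ptr<std::byte[]>` sized to `buffer_size` fixes both the missing check and the manual free in one change.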
@ -586,7 +587,13 @@ kernelmode::Driver::VerifyProcessLoadedModuleExecutableRegions()
module_information.module_base = module_entry.modBaseAddr;
module_information.module_size = module_entry.modBaseSize;
(*pRtlDosPathNameToNtPathName_U)(module_entry.szExePath, &nt_path_name, NULL, NULL);
status = (*pRtlDosPathNameToNtPathName_U)(module_entry.szExePath, &nt_path_name, NULL, NULL);
if (!status)
{
LOG_ERROR("RtlDosPathNameToNtPathName_U failed with no status.");
continue;
}
memcpy(module_information.module_path, nt_path_name.Buffer, MAX_MODULE_PATH);
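Review bot: checking the return of `RtlDosPathNameToNtPathName_U` is a good addition, but the `memcpy` that follows still copies a fixed `MAX_MODULE_PATH` bytes from `nt_path_name.Buffer` regardless of `nt_path_name.Length`, which over-reads the returned buffer for any path shorter than the maximum and does not guarantee termination. Copy `min(nt_path_name.Length, MAX_MODULE_PATH - sizeof(WCHAR))` bytes and terminate explicitly. Nothing in this hunk releases the string the function allocates; if it is not freed later in the loop, add an `RtlFreeUnicodeString(&nt_path_name)` after the copy, including on the `continue` path if the buffer was set.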

View file

@ -58,7 +58,7 @@ Init(HINSTANCE hinstDLL)
global::headers::SYSTEM_INFORMATION system_information = {0};
kmanager.SendClientHardwareInformation();
global::report_structures::SYSTEM_INFORMATION_REQUEST_RESPONSE response;
global::report_structures::SYSTEM_INFORMATION_REQUEST_RESPONSE response = {0};
// client_interface->ServerReceive( &response, sizeof( response ) );
@ -68,8 +68,10 @@ Init(HINSTANCE hinstDLL)
/*
* Note that this is really just for testing the methods for extended periods of time.
* The "real business logic" would execute the methods with varying degrees of uncertaintity
* but still allow for bias, i.e we don't want NMI callbacks to be running every 10 seconds
* since they are "dangerous" for the CPU given the IRQL they run at.
* but still allow for bias, i.e we don't want NMI callbacks to be running every 10 seconds.
* We also need to take into account the performance penalty that some of these routines
* have, such as the process module validation. At the end of the day an anti cheat that
* imposes a significant performance pentalty on the game its protecting is useless.
*/
srand(time(NULL));
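Review bot: the rewritten comment has typos that the hunk carries over, "uncertaintity" for "uncertainty", "pentalty" for "penalty", and "its" for "it's". The sentence removed about NMI callbacks being "dangerous" given the IRQL they run at was the one concrete reason for the rate limiting; consider keeping that rationale alongside the new performance point rather than replacing it.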
@ -82,66 +84,18 @@ Init(HINSTANCE hinstDLL)
switch (seed)
{
case 0:
{
kmanager.EnumerateHandleTables();
break;
}
case 1:
{
kmanager.PerformIntegrityCheck();
break;
}
case 2:
{
kmanager.ScanPoolsForUnlinkedProcesses();
break;
}
case 3:
{
kmanager.VerifySystemModuleDriverObjects();
break;
}
case 4:
{
kmanager.ValidateProcessModules();
break;
}
case 5:
{
kmanager.RunNmiCallbacks();
break;
}
case 6:
{
kmanager.CheckForAttachedThreads();
break;
}
case 7:
{
kmanager.InitiateApcStackwalkOperation();
break;
}
case 8:
{
kmanager.CheckForHiddenThreads();
break;
}
case 9:
{
kmanager.CheckForEptHooks();
break;
}
case 10:
{
kmanager.LaunchIpiInterrupt();
break;
}
case 11:
{
kmanager.ValidateSystemModules();
break;
}
case 0: kmanager.EnumerateHandleTables(); break;
case 1: kmanager.PerformIntegrityCheck(); break;
case 2: kmanager.ScanPoolsForUnlinkedProcesses(); break;
case 3: kmanager.VerifySystemModuleDriverObjects(); break;
case 4: kmanager.ValidateProcessModules(); break;
case 5: kmanager.RunNmiCallbacks(); break;
case 6: kmanager.CheckForAttachedThreads(); break;
case 7: kmanager.InitiateApcStackwalkOperation(); break;
case 8: kmanager.CheckForHiddenThreads(); break;
case 9: kmanager.CheckForEptHooks(); break;
case 10: kmanager.LaunchIpiInterrupt(); break;
case 11: kmanager.ValidateSystemModules(); break;
}
kmanager.MonitorCallbackReports();
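Review bot: the collapsed `switch (seed)` has no `default:` case, so a `seed` outside 0..11 silently runs nothing before `MonitorCallbackReports()`. Since the valid range is now fixed by the twelve cases, either assert on it or add a `default:` that logs the unexpected value; the one-line-per-case layout itself is fine and easier to scan than the braced blocks it replaces.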

View file

@ -24,10 +24,32 @@ class Pipe
};
namespace headers {
typedef enum _ENVIRONMENT_TYPE
{
NativeWindows = 0,
Vmware,
VirtualBox
} ENVIRONMENT_TYPE;
typedef enum _PROCESSOR_TYPE
{
Unknown = 0,
GenuineIntel,
AuthenticAmd
} PROCESSOR_TYPE;
#define VENDOR_STRING_MAX_LENGTH 256
struct SYSTEM_INFORMATION
{
CHAR motherboard_serial[MOTHERBOARD_SERIAL_CODE_LENGTH];
CHAR drive_0_serial[DEVICE_DRIVE_0_SERIAL_CODE_LENGTH];
CHAR motherboard_serial[MOTHERBOARD_SERIAL_CODE_LENGTH];
CHAR drive_0_serial[DEVICE_DRIVE_0_SERIAL_CODE_LENGTH];
CHAR vendor[VENDOR_STRING_MAX_LENGTH];
BOOLEAN virtualised_environment;
ENVIRONMENT_TYPE environment;
PROCESSOR_TYPE processor;
RTL_OSVERSIONINFOW os_information;
};
struct PIPE_PACKET_HEADER
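Review bot: `SYSTEM_INFORMATION` is a wire structure shared with the server, and the new layout mixes a `BOOLEAN` with two `enum` fields, so the compiler inserts padding whose contents are whatever was on the stack unless every sender zero-initialises the struct; it also means both sides must be built with identical packing, so either `#pragma pack` it or document the requirement. `virtualised_environment` duplicates what `environment != NativeWindows` already says, so one of the two can go. The unscoped enumerators `Unknown`, `Vmware`, `VirtualBox`, `GenuineIntel` and `AuthenticAmd` land directly in namespace `headers`; `enum class` avoids collisions, `Unknown` in particular. Finally `#define VENDOR_STRING_MAX_LENGTH 256` sits inside the namespace but, as a macro, ignores it; a `constexpr` alongside the existing length constants would be consistent.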

View file

@ -5,6 +5,14 @@
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release - No Server|Win32">
<Configuration>Release - No Server</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release - No Server|x64">
<Configuration>Release - No Server</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
@ -39,6 +47,13 @@
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
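Review bot: the new "Release - No Server|Win32" group sets `<ConfigurationType>Application</ConfigurationType>` while the neighbouring Debug|x64 group in this hunk builds a `DynamicLibrary`. If the Win32 Release build of this project is also an application that is consistent, but if the intent is the same DLL as x64 then this line is wrong; worth confirming which.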
@ -52,6 +67,13 @@
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v143</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
@ -63,12 +85,18 @@
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@ -98,6 +126,22 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
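Review bot: the "Release - No Server|Win32" group's `PreprocessorDefinitions` (`WIN32;NDEBUG;_CONSOLE;`) does not include `NO_SERVER`, so the `#if NO_SERVER` guards added to `client.cpp` and `client.h` in this commit evaluate to 0 in that build and the named pipe is still opened. Add `NO_SERVER;` here as the x64 group does, or drop the Win32 variant if it is not a supported target.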
@ -130,6 +174,24 @@
<AdditionalLibraryDirectories>C:\Users\lachuie\source\repos\ac\x64\Debug;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release - No Server|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;NO_SERVER;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>Imagehlp.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>C:\Users\lachuie\source\repos\ac\x64\Debug;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="pipe.cpp" />
<ClCompile Include="km\driver.cpp" />
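Review bot: `<AdditionalLibraryDirectories>C:\Users\lachuie\source\repos\ac\x64\Debug;...` hard-codes one developer's absolute path into the project file, and the new Release-flavoured configuration points at the `x64\Debug` output directory for its link inputs. Use `$(SolutionDir)$(Platform)\$(Configuration)\` (or a project reference to the library's project) so the build works on another checkout and links against the matching configuration's binaries.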