update tutorial readme

README.md

@@ -48,7 +48,9 @@ feel free to open any issues if you find more.
 
 1. use the osr loader to load the driver at "system" load.
 	- NOTE: its important that you only click "Register" in the OSR loader, dont actually load the driver only register it. Then restart. This is very important as the driver needs an accurate representation of system threads and processes in order for many of the detection methods to work.
-2. inject dll into program you want to protect, i used notepad for testing
-3. logs will be printed to dbgview and the usermode dll via stdout
+2. inject dll into program you want to protect, i used notepad for testing. 
+	- NOTE: it is important that this process is started as administrator, which in turn means the injector you use must also be started as administrator. This is a design flaw. Will be fixed in the future.
+3. Logs can be seen both in the terminal and either dbgview or WinDbg depending on what you use. 
+	- If for some reason you can't see logs in DbgView, you may need to properly set your debugging mask. Tutorial here: https://www.osronline.com/article.cfm%5Earticle=295.htm
 
 driver must be named "driver.sys" (sorry.. will be fixed soon (i am lazy))

driver/driver.c

@@ -938,8 +938,9 @@ DriverUnload(
 	DEBUG_LOG("Unloading driver...");
 
 	/* 
-	* This blocks the thread dispatching the unload action, which I don't think is ideal.
-	* This is the issue with using 
+	* This blocks the thread dispatching the unload routine, which I don't think is ideal.
+	* This is the issue with using APCs, we have very little safe control over when they
+	* complete and thus when we can free them.. For now, thisl do.
 	*/
 	while (DrvUnloadFreeAllApcContextStructures() == FALSE)
 		YieldProcessor();
@@ -1156,7 +1157,7 @@ DriverEntry(
 )
 {
 	BOOLEAN flag = FALSE;
-	NTSTATUS status;
+	NTSTATUS status = STATUS_SUCCESS;
 
 	DEBUG_LOG("Beginning driver entry lolz");
 

driver/integrity.c

@@ -709,11 +709,17 @@ VerifyInMemoryImageVsDiskImage(
                 goto end;
         }
 
-        disk_base = (UINT64)((UINT64)disk_buffer + sizeof(INTEGRITY_CHECK_HEADER) + sizeof(IMAGE_SECTION_HEADER));
-        memory_base = (UINT64)((UINT64)in_memory_buffer + sizeof(INTEGRITY_CHECK_HEADER) + sizeof(IMAGE_SECTION_HEADER));
+        disk_text_header = (PIMAGE_SECTION_HEADER)disk_buffer;
+        memory_text_header = (PIMAGE_SECTION_HEADER)in_memory_buffer;
 
-        disk_text_header = (PIMAGE_SECTION_HEADER)((UINT64)disk_buffer + sizeof(INTEGRITY_CHECK_HEADER));
-        memory_text_header = (PIMAGE_SECTION_HEADER)((UINT64)in_memory_buffer + sizeof(INTEGRITY_CHECK_HEADER));
+        WDF_PTR_ADD_OFFSET(disk_text_header, sizeof(INTEGRITY_CHECK_HEADER));
+        WDF_PTR_ADD_OFFSET(memory_text_header, sizeof(INTEGRITY_CHECK_HEADER));
+
+        disk_base = (UINT64)disk_text_header;
+        memory_base = (UINT64)memory_text_header;
+
+        WDF_PTR_ADD_OFFSET(disk_base, sizeof(IMAGE_SECTION_HEADER));
+        WDF_PTR_ADD_OFFSET(memory_base, sizeof(IMAGE_SECTION_HEADER));
 
         if (!disk_base || !memory_base || !disk_buffer || !in_memory_buffer)
         {
@@ -1792,11 +1798,17 @@ ValidateSystemModules()
                         goto free_iteration;
                 }
 
-                disk_text_base = (UINT64)((UINT64)disk_buffer + sizeof(INTEGRITY_CHECK_HEADER) + sizeof(IMAGE_SECTION_HEADER));
-                memory_text_base = (UINT64)((UINT64)memory_buffer + sizeof(INTEGRITY_CHECK_HEADER) + sizeof(IMAGE_SECTION_HEADER));
+                disk_text_header = (PIMAGE_SECTION_HEADER)disk_buffer;
+                memory_text_header = (PIMAGE_SECTION_HEADER)memory_buffer;
 
-                disk_text_header = (PIMAGE_SECTION_HEADER)((UINT64)disk_buffer + sizeof(INTEGRITY_CHECK_HEADER));
-                memory_text_header = (PIMAGE_SECTION_HEADER)((UINT64)memory_buffer + sizeof(INTEGRITY_CHECK_HEADER));
+                WDF_PTR_ADD_OFFSET(disk_text_header, sizeof(INTEGRITY_CHECK_HEADER));
+                WDF_PTR_ADD_OFFSET(memory_text_header, sizeof(INTEGRITY_CHECK_HEADER));
+
+                disk_text_base = (UINT64)disk_text_header;
+                memory_text_base = (UINT64)memory_text_header;
+
+                WDF_PTR_ADD_OFFSET(disk_text_base, sizeof(IMAGE_SECTION_HEADER));
+                WDF_PTR_ADD_OFFSET(memory_text_base, sizeof(IMAGE_SECTION_HEADER));
 
                 if (!disk_text_base || !memory_text_base || !disk_buffer || !memory_buffer)
                 {

testcli/driver.h

@@ -0,0 +1,38 @@
+#pragma once
+
+#include <string>
+#include <iostream>
+
+#include <Windows.h>
+
+class DriverInterface
+{
+	HANDLE driver_handle;
+
+	bool validate_process_name()
+	{
+
+	}
+	
+public:
+	DriverInterface(std::string& process_name)
+	{
+		this->driver_handle = CreateFileW(
+			L"donna-ac-test",
+			GENERIC_WRITE | GENERIC_READ | GENERIC_EXECUTE,
+			0,
+			0,
+			OPEN_EXISTING,
+			FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
+			0
+		);
+
+		if (this->driver_handle == INVALID_HANDLE_VALUE)
+		{
+			std::cerr << "Failed to open handle to driver" << std::endl;
+			return;
+		}
+
+
+	}
+};

testcli/main.cpp

@@ -6,7 +6,12 @@
 #include <Windows.h>
 #include <tlhelp32.h>
 
-DWORD find_process_by_id(int id)
+std::wstring cstr_to_wstr(std::string cstr)
+{
+        return std::wstring(cstr.begin(), cstr.end());
+}
+
+DWORD get_proc_id_by_name(std::string& process_name)
 {
         PROCESSENTRY32 entry = { 0 };
         entry.dwSize = sizeof(PROCESSENTRY32);
@@ -15,36 +20,38 @@ DWORD find_process_by_id(int id)
 
         while (Process32Next(snapshot, &entry))
         {
-                if (entry.th32ProcessID == id)
+                if (entry.szExeFile == cstr_to_wstr(process_name))
                 {
                         return entry.th32ProcessID;
                 }
         }
 
         CloseHandle(snapshot);
+
+        return 0;
 }
 
 int main(int argc, char* argv[])
 {
         if (argc < 2)
         {
-                std::cerr << "Please enter a valid Process ID.";
+                std::cerr << "Please enter a valid Process Name";
                 return EXIT_FAILURE;
         }
 
         const std::vector<std::string_view> args(argv + 1, argv + argc);
 
-        DWORD id = find_process_by_id(std::stoi(args[0].data()));
+        std::string process_name = std::string(args[0].data());
 
-        if (!id)
+        DWORD proc_id = get_proc_id_by_name(process_name);
+
+        if (!proc_id)
         {
-                std::cerr << "Process for the given process ID does not exist" << std::endl;
+                std::cerr << "Process does not exist, please enter a valid running process name." << std::endl;
                 return EXIT_FAILURE;
         }
 
-        std::cout << id << std::endl;
 
 
-        
         return EXIT_SUCCESS;
 }

testcli/testcli.vcxproj

@@ -131,6 +131,9 @@
   <ItemGroup>
     <ClCompile Include="main.cpp" />
   </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="driver.h" />
+  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

testcli/testcli.vcxproj.filters

@@ -19,4 +19,9 @@
       <Filter>Source Files</Filter>
     </ClCompile>
   </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="driver.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
 </Project>

testdrv/driver.c

@@ -65,7 +65,7 @@ DriverEntry(
 )
 {
 	NTSTATUS status;
-
+	
 	status = IoCreateDevice(
 		DriverObject,
 		NULL,

testdrv/driver.h

@@ -1,7 +1,7 @@
 #ifndef DRIVER_H
 #define DRIVER_H
 
-#include <ntddk.h>
+#include <ntifs.h>
 
 #define STATIC static
 #define VOID void