apc operation stuff

driver/ioctl.c

@@ -24,6 +24,36 @@
 #define IOCTL_DETECT_ATTACHED_THREADS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2014, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_VALIDATE_PROCESS_LOADED_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2015, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_REQUEST_HARDWARE_INFORMATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2016, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_INITIATE_APC_OPERATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2017, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
+#define APC_OPERATION_STACKWALK 0x1
+
+STATIC
+NTSTATUS 
+DispatchApcOperation( PAPC_OPERATION_ID Operation )
+{
+	NTSTATUS status = STATUS_SUCCESS;
+
+	switch ( Operation->operation_id )
+	{
+	case APC_OPERATION_STACKWALK:
+
+		DEBUG_LOG( "Initiating APC stackwalk operation with operation id %i", Operation->operation_id );
+
+		status = ValidateThreadsViaKernelApc();
+
+		if ( !NT_SUCCESS( status ) )
+			DEBUG_ERROR( "ValidateThreadsViaKernelApc failed with status %x", status );
+
+		return status;
+
+	default:
+		DEBUG_ERROR( "Invalid operation ID passed" );
+		return STATUS_INVALID_PARAMETER;
+	}
+
+	return status;
+}
 
 NTSTATUS 
 DeviceControl(
@@ -291,6 +321,18 @@ DeviceControl(
 
 		break;
 
+	case IOCTL_INITIATE_APC_OPERATION:;
+
+		PAPC_OPERATION_ID operation = (PAPC_OPERATION_ID)Irp->AssociatedIrp.SystemBuffer;
+
+		status = DispatchApcOperation( operation );
+
+		if ( !NT_SUCCESS( status ) )
+			DEBUG_ERROR( "DispatchApcOperation failed with status %x", status );
+
+		break;
+
+
 	default:
 		DEBUG_ERROR( "Invalid IOCTL passed to driver" );
 		break;

driver/modules.c

@@ -1154,6 +1154,15 @@ ValidateThreadsViaKernelApc()
 	NTSTATUS status;
 	PAPC_STACKWALK_CONTEXT context = NULL;
 
+	/* First, ensure we dont already have an ongoing operation */
+	GetApcContext( &context, APC_CONTEXT_ID_STACKWALK );
+
+	if ( context )
+	{
+		DEBUG_LOG( "Existing APC_STACKWALK operation already in progress." );
+		return STATUS_ALREADY_INITIALIZED;
+	}
+
 	context = ExAllocatePool2( POOL_FLAG_NON_PAGED, sizeof( APC_STACKWALK_CONTEXT ), POOL_TAG_APC );
 
 	if ( !context )

driver/modules.h

@@ -37,6 +37,12 @@ typedef struct _APC_STACKWALK_REPORT
 
 }APC_STACKWALK_REPORT, *PAPC_STACKWALK_REPORT;
 
+typedef struct _APC_OPERATION_ID
+{
+	int operation_id;
+
+}APC_OPERATION_ID, *PAPC_OPERATION_ID;
+
 /* system modules information */
 
 typedef struct _SYSTEM_MODULES

user/km/driver.cpp

@@ -625,6 +625,32 @@ VOID kernelmode::Driver::SendClientHardwareInformation()
 		&system_information, sizeof( global::headers::SYSTEM_INFORMATION ), CLIENT_SEND_SYSTEM_INFORMATION );
 }
 
+BOOLEAN kernelmode::Driver::InitiateApcOperation(INT OperationId)
+{
+	BOOLEAN status;
+	APC_OPERATION_INFORMATION operation = { 0 };
+		
+	operation.operation_id = OperationId;
+
+	status = DeviceIoControl(
+		this->driver_handle,
+		IOCTL_INITIATE_APC_OPERATION,
+		&operation,
+		sizeof( APC_OPERATION_INFORMATION ),
+		NULL,
+		NULL,
+		NULL,
+		NULL
+	);
+
+	if ( status == NULL )
+	{
+		LOG_ERROR( "DeviceIoControl failed with status %x", GetLastError() );
+		return status;
+	}
+}
+
 VOID GetKernelStructureOffsets()
 {
+
 }

user/km/driver.h

@@ -21,6 +21,7 @@
 #define IOCTL_DETECT_ATTACHED_THREADS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2014, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_VALIDATE_PROCESS_LOADED_MODULE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2015, METHOD_BUFFERED, FILE_ANY_ACCESS)
 #define IOCTL_REQUEST_HARDWARE_INFORMATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2016, METHOD_BUFFERED, FILE_ANY_ACCESS)
+#define IOCTL_INITIATE_APC_OPERATION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x2017, METHOD_BUFFERED, FILE_ANY_ACCESS)
 
 #define MAX_REPORTS_PER_IRP 20
 
@@ -28,6 +29,11 @@
 
 namespace kernelmode
 {
+	enum APC_OPERATION_IDS
+	{
+		operation_stackwalk = 0x1
+	};
+
 	class Driver
 	{
 		HANDLE driver_handle;
@@ -58,6 +64,7 @@ namespace kernelmode
 		VOID CheckForAttachedThreads();
 		VOID VerifyProcessLoadedModuleExecutableRegions();
 		VOID SendClientHardwareInformation();
+		BOOLEAN InitiateApcOperation( INT OperationId );
 
 		template <typename T>
 		VOID ReportTypeFromReportQueue(CONST PVOID Buffer, PSIZE_T Offset, PVOID Report)
@@ -93,6 +100,11 @@ namespace kernelmode
 	{
 		INT is_module_valid;
 	};
+
+	struct APC_OPERATION_INFORMATION
+	{
+		int operation_id;
+	};
 }
 
 #endif

user/km/kmanager.cpp

@@ -60,3 +60,8 @@ VOID kernelmode::KManager::SendClientHardwareInformation()
 {
 	this->driver_interface->SendClientHardwareInformation();
 }
+
+VOID kernelmode::KManager::InitiateApcStackwalkOperation()
+{
+	this->driver_interface->InitiateApcOperation( kernelmode::APC_OPERATION_IDS::operation_stackwalk );
+}

user/km/kmanager.h

@@ -28,6 +28,7 @@ namespace kernelmode
 		VOID CheckForAttachedThreads();
 		VOID ValidateProcessModules();
 		VOID SendClientHardwareInformation();
+		VOID InitiateApcStackwalkOperation();
 	};
 }
 

user/main.cpp

@@ -43,7 +43,7 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
 
     while ( !GetAsyncKeyState( VK_DELETE ) )
     {
-        int seed = ( rand() % 7 );
+        int seed = ( rand() % 8 );
 
         std::cout << "Seed: " << seed << std::endl;
 
@@ -70,8 +70,10 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)
         case 6:
             kmanager.CheckForAttachedThreads();
             break;
+        case 7:
+            kmanager.InitiateApcStackwalkOperation();
+            break;
         }
-        kmanager.VerifySystemModules();
         kmanager.MonitorCallbackReports();
         std::this_thread::sleep_for( std::chrono::seconds( 10 ) );
     }