GOT IT WORKING LOL

2024-11-21 22:24:08 +01:00 · 2023-08-21 14:08:57 +10:00 · 2023-08-21 14:08:57 +10:00 · ced805cfba
commit ced805cfba
parent bfb74e2ec2
4 changed files with 33 additions and 21 deletions
--- a/driver/callbacks.c
+++ b/driver/callbacks.c
@ -7,38 +7,45 @@
 PQUEUE_HEAD report_queue = NULL;
 QUEUE_HEAD test_queue = { 0 };
 KGUARDED_MUTEX mutex;
 VOID InitCallbackReportQueue( PBOOLEAN Status )
 {
-	report_queue = QueueCreate();
+	//report_queue = QueueCreate();
-	if ( report_queue == NULL )
+	test_queue.start = NULL;
-	{
+	test_queue.end = NULL;
-		*Status = FALSE;
+	test_queue.entries = 0;
-		return;
+	KeInitializeSpinLock( &test_queue.lock );
-	}
+
 	//if ( report_queue == NULL )
 	//{
 	//	*Status = FALSE;
 	//	return;
 	//}
 	KeInitializeGuardedMutex( &mutex );
 	*Status = TRUE;
 }
-VOID DeleteCallbackReportQueueHead()
+//VOID DeleteCallbackReportQueueHead()
-{
+//{
-	ExFreePoolWithTag( report_queue, QUEUE_POOL_TAG );
+//	ExFreePoolWithTag( report_queue, QUEUE_POOL_TAG );
-}
+//}
 VOID InsertReportToQueue( 
 	_In_ POPEN_HANDLE_FAILURE_REPORT Report 
 )
 {
-	QueuePush( report_queue, Report );
+	QueuePush( &test_queue, Report );
 }
 POPEN_HANDLE_FAILURE_REPORT PopFirstReportFromQueue()
 {
-	return QueuePop( report_queue );
+	return QueuePop( &test_queue );
 }
 NTSTATUS HandlePeriodicCallbackReportQueue( 
@ -78,13 +85,12 @@ NTSTATUS HandlePeriodicCallbackReportQueue(
 		count += 1;
 	}
 end:
 	header.count = count;
 	RtlCopyMemory( Irp->AssociatedIrp.SystemBuffer, &header, sizeof( OPEN_HANDLE_FAILURE_REPORT_HEADER ));
 	KeReleaseGuardedMutex( &mutex );
 	DEBUG_LOG( "Moved all reports into the IRP, sending !" );
 end:
 	KeReleaseGuardedMutex( &mutex );
 	return STATUS_SUCCESS;
 }
@ -162,6 +168,7 @@ OB_PREOP_CALLBACK_STATUS ObPreOpCallbackRoutine(
 			if ( !report )
 				goto end;
 			KeAcquireGuardedMutex( &mutex );
 			report->report_code = REPORT_ILLEGAL_HANDLE_OPERATION;
 			report->desired_access = OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
 			report->is_kernel_handle = OperationInformation->KernelHandle;
@ -170,6 +177,7 @@ OB_PREOP_CALLBACK_STATUS ObPreOpCallbackRoutine(
 			memcpy( report->process_name, process_creator_name, HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH );
 			InsertReportToQueue( report );
 			KeReleaseGuardedMutex( &mutex );
 		}
 	}
--- a/driver/driver.c
+++ b/driver/driver.c
@ -53,7 +53,8 @@ VOID DriverUnload(
 	_In_ PDRIVER_OBJECT DriverObject
 )
 {
-	ExUnregisterCallback( callback_registration_handle );
+	PsSetCreateProcessNotifyRoutine( ProcessCreateNotifyRoutine, TRUE );
 	ObUnRegisterCallbacks( callback_registration_handle );
 	IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
 	IoDeleteDevice( DriverObject->DeviceObject );
 }
@ -140,6 +141,7 @@ NTSTATUS DriverEntry(
 	KeInitializeGuardedMutex( &mutex );
 	__debugbreak();
 	InitCallbackReportQueue(&flag);
 	if ( !flag )
@ -163,7 +165,7 @@ NTSTATUS DriverEntry(
 	if ( !NT_SUCCESS( status ) )
 	{
 		DEBUG_ERROR( "failed to launch thread to start tings" );
-		DeleteCallbackReportQueueHead();
+		//DeleteCallbackReportQueueHead();
 		IoDeleteSymbolicLink( &DEVICE_SYMBOLIC_LINK );
 		IoDeleteDevice( DriverObject->DeviceObject );
 		return STATUS_FAILED_DRIVER_ENTRY;
--- a/driver/queue.c
+++ b/driver/queue.c
@ -15,7 +15,6 @@ PQUEUE_HEAD QueueCreate()
 	head->start = NULL;
 	head->entries = 0;
 	__debugbreak();
 	KeInitializeSpinLock( &head->lock );
 	return head;
--- a/user/km/driver.cpp
+++ b/user/km/driver.cpp
@ -153,7 +153,9 @@ void kernelmode::Driver::QueryReportQueue()
 	LONG buffer_size;
 	global::report_structures::OPEN_HANDLE_FAILURE_REPORT report;
-	buffer_size = sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT ) * MAX_HANDLE_REPORTS_PER_IRP ;
+	buffer_size = sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT ) * MAX_HANDLE_REPORTS_PER_IRP + 
 		sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER );
 	buffer = malloc( buffer_size );
 	status = DeviceIoControl(
@ -170,6 +172,7 @@ void kernelmode::Driver::QueryReportQueue()
 	if ( status == NULL )
 	{
 		LOG_ERROR( "DeviceIoControl failed with status code 0x%x", GetLastError() );
 		free( buffer );
 		return;
 	}
@ -177,7 +180,7 @@ void kernelmode::Driver::QueryReportQueue()
 		( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER* )buffer;
 	if ( !header )
-		return;
+		goto end;
 	for ( int i = 0; i < header->count; i++ )
 	{
@ -191,8 +194,8 @@ void kernelmode::Driver::QueryReportQueue()
 		this->report_interface->ReportViolation( report );
 	}
 end:
 	free( buffer );
 }
 void kernelmode::Driver::NotifyDriverOnProcessLaunch()