small fix

2024-11-21 22:24:08 +01:00 · 2024-05-06 17:08:39 +10:00 · 2024-05-06 17:08:39 +10:00 · d655cfc5c9
commit d655cfc5c9
parent 08beb2e036
4 changed files with 33 additions and 30 deletions
--- a/driver/callbacks.c
+++ b/driver/callbacks.c
@ -495,7 +495,8 @@ ProcessCreateNotifyRoutine(_In_ HANDLE  ParentId,
         * Notify to our driver that we can hash x86 modules, and hash
         * any x86 modules that werent hashed.
         */
-        if (!strcmp(process_name, "winlogon.exe")) {
+        if (!strcmp(process_name, "winlogon.exe") &&
+            !driver_list->deferred_complete) {
            driver_list->can_hash_x86 = TRUE;
            IoQueueWorkItem(driver_list->deferred_work_item,
                            DeferredModuleHashingCallback,
@ -669,34 +670,34 @@ ObPreOpCallbackRoutine(_In_ PVOID                         RegistrationContext,
            !strcmp(process_creator_name, "explorer.exe"))
            goto end;

-         POPEN_HANDLE_FAILURE_REPORT report =
-             ImpExAllocatePool2(POOL_FLAG_NON_PAGED,
-                                sizeof(OPEN_HANDLE_FAILURE_REPORT),
-                                REPORT_POOL_TAG);
+        POPEN_HANDLE_FAILURE_REPORT report =
+            ImpExAllocatePool2(POOL_FLAG_NON_PAGED,
+                               sizeof(OPEN_HANDLE_FAILURE_REPORT),
+                               REPORT_POOL_TAG);

-         if (!report)
-                 goto end;
+        if (!report)
+            goto end;

-         INIT_PACKET_HEADER(&report->header, PACKET_TYPE_REPORT);
-         INIT_REPORT_HEADER(&report->report_header,
-                            REPORT_ILLEGAL_HANDLE_OPERATION, 0);
+        INIT_PACKET_HEADER(&report->header, PACKET_TYPE_REPORT);
+        INIT_REPORT_HEADER(
+            &report->report_header, REPORT_ILLEGAL_HANDLE_OPERATION, 0);

-         DEBUG_INFO("packet type: %hx", report->header.packet_type);
-         DEBUG_INFO("report code: %lx", report->report_header.report_code);
-         DEBUG_INFO("report subcode: %lx", report->report_header.report_sub_type);
+        DEBUG_INFO("packet type: %hx", report->header.packet_type);
+        DEBUG_INFO("report code: %lx", report->report_header.report_code);
+        DEBUG_INFO("report subcode: %lx",
+                   report->report_header.report_sub_type);

-         report->is_kernel_handle = OperationInformation->KernelHandle;
-         report->process_id       = process_creator_id;
-         report->thread_id        = ImpPsGetCurrentThreadId();
-         report->access =
-             OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
+        report->is_kernel_handle = OperationInformation->KernelHandle;
+        report->process_id       = process_creator_id;
+        report->thread_id        = ImpPsGetCurrentThreadId();
+        report->access           = OperationInformation->Parameters
+                             ->CreateHandleInformation.DesiredAccess;

-         RtlCopyMemory(report->process_name,
-                       process_creator_name,
-                       HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH);
+        RtlCopyMemory(report->process_name,
+                      process_creator_name,
+                      HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH);

-         IrpQueueCompletePacket(report,
-                 sizeof(OPEN_HANDLE_FAILURE_REPORT));
+        IrpQueueCompletePacket(report, sizeof(OPEN_HANDLE_FAILURE_REPORT));
    }

 end:
@ -870,8 +871,8 @@ EnumHandleCallback(_In_ PHANDLE_TABLE       HandleTable,
                  process_name,
                  HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH);

-    if (!NT_SUCCESS(
-            IrpQueueCompletePacket(report, sizeof(OPEN_HANDLE_FAILURE_REPORT)))) {
+    if (!NT_SUCCESS(IrpQueueCompletePacket(
+            report, sizeof(OPEN_HANDLE_FAILURE_REPORT)))) {
        DEBUG_ERROR("IrpQueueCompleteIrp failed with no status.");
        goto end;
    }
--- a/driver/common.h
+++ b/driver/common.h
@ -82,6 +82,7 @@ typedef struct _DRIVER_LIST_HEAD {
    /* modules that need to be hashed later. */
    PIO_WORKITEM  deferred_work_item;
    LIST_ENTRY    deferred_list;
+    volatile BOOLEAN deferred_complete;
    volatile LONG can_hash_x86;

 } DRIVER_LIST_HEAD, *PDRIVER_LIST_HEAD;
--- a/driver/integrity.c
+++ b/driver/integrity.c
@ -1451,6 +1451,7 @@ DeferredModuleHashingCallback()
    PLIST_ENTRY              list_entry    = NULL;
    PDRIVER_LIST_ENTRY       entry         = NULL;

+    driver_list->deferred_complete = TRUE;
    list_entry = RemoveHeadList(deferred_head);

    if (list_entry == deferred_head)
@ -2094,7 +2095,7 @@ SetHeartbeatActive(_Inout_ PHEARTBEAT_CONFIGURATION Configuration)
 FORCEINLINE
 STATIC
 VOID
-SetheartbeatInactive(_Inout_ PHEARTBEAT_CONFIGURATION Configuration)
+SetHeartbeatInactive(_Inout_ PHEARTBEAT_CONFIGURATION Configuration)
 {
    InterlockedDecrement(&Configuration->active);
 }
@ -2133,7 +2134,7 @@ HeartbeatWorkItem(_In_ PDEVICE_OBJECT DeviceObject, _In_opt_ PVOID Context)
    }

    InitialiseHeartbeatObjects(config);
-    SetheartbeatInactive(config);
+    SetHeartbeatInactive(config);
 }

 FORCEINLINE
--- a/driver/io.c
+++ b/driver/io.c
@ -1164,10 +1164,10 @@ DeviceCreate(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
    UNREFERENCED_PARAMETER(DeviceObject);
    DEBUG_INFO("Handle to driver opened.");

-    NTSTATUS status = ValidatePciDevices();
+    //NTSTATUS status = ValidatePciDevices();

-    if (!NT_SUCCESS(status))
-        DEBUG_ERROR("ValidatePciDevices failed with status %x", status);
+    //if (!NT_SUCCESS(status))
+    //    DEBUG_ERROR("ValidatePciDevices failed with status %x", status);

    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Irp->IoStatus.Status;