From d655cfc5c9b20e8c3bbbdef05cb660c2dbd3f50c Mon Sep 17 00:00:00 2001 From: donnaskiez Date: Mon, 6 May 2024 17:08:39 +1000 Subject: [PATCH] small fix --- driver/callbacks.c | 51 +++++++++++++++++++++++----------------------- driver/common.h | 1 + driver/integrity.c | 5 +++-- driver/io.c | 6 +++--- 4 files changed, 33 insertions(+), 30 deletions(-) diff --git a/driver/callbacks.c b/driver/callbacks.c index 646e0f1..5ba7bc6 100644 --- a/driver/callbacks.c +++ b/driver/callbacks.c @@ -495,7 +495,8 @@ ProcessCreateNotifyRoutine(_In_ HANDLE ParentId, * Notify to our driver that we can hash x86 modules, and hash * any x86 modules that werent hashed. */ - if (!strcmp(process_name, "winlogon.exe")) { + if (!strcmp(process_name, "winlogon.exe") && + !driver_list->deferred_complete) { driver_list->can_hash_x86 = TRUE; IoQueueWorkItem(driver_list->deferred_work_item, DeferredModuleHashingCallback, @@ -669,34 +670,34 @@ ObPreOpCallbackRoutine(_In_ PVOID RegistrationContext, !strcmp(process_creator_name, "explorer.exe")) goto end; - POPEN_HANDLE_FAILURE_REPORT report = - ImpExAllocatePool2(POOL_FLAG_NON_PAGED, - sizeof(OPEN_HANDLE_FAILURE_REPORT), - REPORT_POOL_TAG); + POPEN_HANDLE_FAILURE_REPORT report = + ImpExAllocatePool2(POOL_FLAG_NON_PAGED, + sizeof(OPEN_HANDLE_FAILURE_REPORT), + REPORT_POOL_TAG); - if (!report) - goto end; + if (!report) + goto end; - INIT_PACKET_HEADER(&report->header, PACKET_TYPE_REPORT); - INIT_REPORT_HEADER(&report->report_header, - REPORT_ILLEGAL_HANDLE_OPERATION, 0); + INIT_PACKET_HEADER(&report->header, PACKET_TYPE_REPORT); + INIT_REPORT_HEADER( + &report->report_header, REPORT_ILLEGAL_HANDLE_OPERATION, 0); - DEBUG_INFO("packet type: %hx", report->header.packet_type); - DEBUG_INFO("report code: %lx", report->report_header.report_code); - DEBUG_INFO("report subcode: %lx", report->report_header.report_sub_type); + DEBUG_INFO("packet type: %hx", report->header.packet_type); + DEBUG_INFO("report code: %lx", report->report_header.report_code); + DEBUG_INFO("report subcode: %lx", + report->report_header.report_sub_type); - report->is_kernel_handle = OperationInformation->KernelHandle; - report->process_id = process_creator_id; - report->thread_id = ImpPsGetCurrentThreadId(); - report->access = - OperationInformation->Parameters->CreateHandleInformation.DesiredAccess; + report->is_kernel_handle = OperationInformation->KernelHandle; + report->process_id = process_creator_id; + report->thread_id = ImpPsGetCurrentThreadId(); + report->access = OperationInformation->Parameters + ->CreateHandleInformation.DesiredAccess; - RtlCopyMemory(report->process_name, - process_creator_name, - HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH); + RtlCopyMemory(report->process_name, + process_creator_name, + HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH); - IrpQueueCompletePacket(report, - sizeof(OPEN_HANDLE_FAILURE_REPORT)); + IrpQueueCompletePacket(report, sizeof(OPEN_HANDLE_FAILURE_REPORT)); } end: @@ -870,8 +871,8 @@ EnumHandleCallback(_In_ PHANDLE_TABLE HandleTable, process_name, HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH); - if (!NT_SUCCESS( - IrpQueueCompletePacket(report, sizeof(OPEN_HANDLE_FAILURE_REPORT)))) { + if (!NT_SUCCESS(IrpQueueCompletePacket( + report, sizeof(OPEN_HANDLE_FAILURE_REPORT)))) { DEBUG_ERROR("IrpQueueCompleteIrp failed with no status."); goto end; } diff --git a/driver/common.h b/driver/common.h index 86ec442..330b95d 100644 --- a/driver/common.h +++ b/driver/common.h @@ -82,6 +82,7 @@ typedef struct _DRIVER_LIST_HEAD { /* modules that need to be hashed later. */ PIO_WORKITEM deferred_work_item; LIST_ENTRY deferred_list; + volatile BOOLEAN deferred_complete; volatile LONG can_hash_x86; } DRIVER_LIST_HEAD, *PDRIVER_LIST_HEAD; diff --git a/driver/integrity.c b/driver/integrity.c index 367e336..d5d5027 100644 --- a/driver/integrity.c +++ b/driver/integrity.c @@ -1451,6 +1451,7 @@ DeferredModuleHashingCallback() PLIST_ENTRY list_entry = NULL; PDRIVER_LIST_ENTRY entry = NULL; + driver_list->deferred_complete = TRUE; list_entry = RemoveHeadList(deferred_head); if (list_entry == deferred_head) @@ -2094,7 +2095,7 @@ SetHeartbeatActive(_Inout_ PHEARTBEAT_CONFIGURATION Configuration) FORCEINLINE STATIC VOID -SetheartbeatInactive(_Inout_ PHEARTBEAT_CONFIGURATION Configuration) +SetHeartbeatInactive(_Inout_ PHEARTBEAT_CONFIGURATION Configuration) { InterlockedDecrement(&Configuration->active); } @@ -2133,7 +2134,7 @@ HeartbeatWorkItem(_In_ PDEVICE_OBJECT DeviceObject, _In_opt_ PVOID Context) } InitialiseHeartbeatObjects(config); - SetheartbeatInactive(config); + SetHeartbeatInactive(config); } FORCEINLINE diff --git a/driver/io.c b/driver/io.c index 7f3e521..6dca57d 100644 --- a/driver/io.c +++ b/driver/io.c @@ -1164,10 +1164,10 @@ DeviceCreate(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp) UNREFERENCED_PARAMETER(DeviceObject); DEBUG_INFO("Handle to driver opened."); - NTSTATUS status = ValidatePciDevices(); + //NTSTATUS status = ValidatePciDevices(); - if (!NT_SUCCESS(status)) - DEBUG_ERROR("ValidatePciDevices failed with status %x", status); + //if (!NT_SUCCESS(status)) + // DEBUG_ERROR("ValidatePciDevices failed with status %x", status); IoCompleteRequest(Irp, IO_NO_INCREMENT); return Irp->IoStatus.Status;