got server working :)

2024-11-21 22:24:08 +01:00 · 2023-09-03 01:56:46 +10:00 · 2023-09-03 01:56:46 +10:00 · d8acee4104
commit d8acee4104
parent af45bc923f
11 changed files with 235 additions and 72 deletions
--- a/driver/callbacks.c
+++ b/driver/callbacks.c
@ -82,6 +82,8 @@ OB_PREOP_CALLBACK_STATUS ObPreOpCallbackRoutine(
 			report->thread_id = PsGetCurrentThreadId();
 			RtlCopyMemory( report->process_name, process_creator_name, HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH );

+			DEBUG_LOG( "Process ID: %lx", report->process_id );
+
 			InsertReportToQueue( report );
 		}
 	}
--- a/server/Dispatch.cs
+++ b/server/Dispatch.cs
@ -1,30 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Net.Sockets;
-using System.Text;
-using System.Threading.Tasks;
-
-namespace server
-{
-    public class Dispatch
-    {
-        private TcpClient _client;
-        private NetworkStream _stream;
-        private byte[] _buffer;
-
-        public Dispatch(TcpClient client, NetworkStream stream)
-        {
-            _client = client;
-            _stream = stream;
-            _buffer = new byte[1024];
-
-            this.AcceptMessage();
-        }
-
-        private void AcceptMessage()
-        {
-            _stream.BeginRead(_buffer, 0, 1024, null, null);
-        }
-    }
-}
--- a/server/Helper.cs
+++ b/server/Helper.cs
@ -0,0 +1,34 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Runtime.InteropServices;
+using System.Text;
+using System.Threading.Tasks;
+
+#pragma warning disable CS8600
+#pragma warning disable CS8603
+
+namespace server
+{
+	public class Helper
+	{
+		unsafe public static T BytesToStructure<T>(ref byte[] buffer)
+		{
+			int typeSize = Marshal.SizeOf(typeof(T));
+			IntPtr ptr = Marshal.AllocHGlobal(typeSize);
+
+			try
+			{
+				Marshal.Copy(buffer, 0, ptr, typeSize);
+				return (T)Marshal.PtrToStructure(ptr, typeof(T));
+			}
+			finally
+			{
+				Marshal.FreeHGlobal(ptr);
+			}
+		}
+	}
+}
+
+#pragma warning restore CS8600
+#pragma warning restore CS8603
--- a/server/Message.cs
+++ b/server/Message.cs
@ -2,9 +2,12 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Reflection.Metadata.Ecma335;
+using System.Runtime.CompilerServices;
 using System.Text;
 using System.Threading.Tasks;
 using Serilog;
+using server;
+using service;

 namespace server
 {
@ -13,6 +16,7 @@ namespace server
        private byte[] _buffer;
        private int _bufferSize;
        private int _messageType;
+        private ILogger _logger;

        private enum MESSAGE_TYPE
        {
@ -31,20 +35,23 @@ namespace server
            int reportId;
        }

-        public Message(byte[] buffer, int bufferSize)
+        public Message(byte[] buffer, int bufferSize, ILogger logger)
        {
            _buffer = buffer;
            _bufferSize = bufferSize;
+            _logger = logger;

            this.GetMessageType();

+            _logger.Information("Message type: {0}", _messageType);
+
            switch (_messageType)
            {
                case (int)MESSAGE_TYPE.MESSAGE_TYPE_REPORT:
                    this.HandleReportMessage(this.GetReportType());
                    break;
                default:
-                    Log.Logger.Information("This message type is not accepted at the moment.");
+                    _logger.Information("This message type is not accepted at the moment.");
                    break;
            }
        }
@ -61,7 +68,16 @@ namespace server

        private void HandleReportMessage(int reportId)
        {
-            Log.Logger.Information("Report id: {0}", reportId);
+            _logger.Information("Report id: {0}", reportId);
+
+            var openHandleFailure = Helper.BytesToStructure<Types.Reports.OPEN_HANDLE_FAILURE_REPORT>(ref _buffer);
+
+            _logger.Information("Report code: {0}, ProcessID: {1:x}, ThreadId: {2:x}, DesiredAccess{3:x}",
+                openHandleFailure.ReportCode,
+                openHandleFailure.ProcessId,
+                openHandleFailure.ThreadId,
+                openHandleFailure.DesiredAccess);
+
        }
    }
 }
--- a/server/Program.cs
+++ b/server/Program.cs
@ -1,9 +1,26 @@
-using System.Net;
+using Serilog;
+using System.Net;
 using System.Net.Sockets;
 using System.Reflection.Metadata.Ecma335;
 using System.Text;

 namespace server
+{
+    public class Program
+    {
+        public static async Task Main(string[] args)
+        {
+            using var logger = new LoggerConfiguration()
+                .WriteTo.Console()
+                .CreateLogger();
+
+            Server server = new Server(logger);
+            await server.Listen();
+        }
+    }
+}
+
+/*namespace server
 {
    public class Program
    {
@ -41,4 +58,4 @@ namespace server
            Console.WriteLine("Is ocmpleted: {0}", ar.IsCompleted);
        }
    }
-}
+}*/
--- a/server/Server.cs
+++ b/server/Server.cs
@ -1,8 +1,11 @@
-using System.Net;
+using System.IO;
+using System;
+using System.Net;
 using System.Net.Sockets;
 using System.Reflection.Metadata.Ecma335;
 using System.Text;
 using server;
+using Serilog;

 namespace server
 {
@ -10,21 +13,35 @@ namespace server
    {
        private IPEndPoint _ipEndPoint;
        private TcpListener _tcpListener;
+        private ILogger _logger;
+        private byte[] _buffer;
+        private int _bufferSize;

-        public Server()
+        private const int MAX_BUFFER_SIZE = 8192;
+
+        public Server(ILogger logger)
        {
            _ipEndPoint = new IPEndPoint(IPAddress.Any, 8888);
            _tcpListener = new TcpListener(_ipEndPoint);
+            _buffer = new byte[MAX_BUFFER_SIZE];
+            _logger = logger;
        }

        public async Task Listen()
        {
            _tcpListener.Start();

-            using TcpClient _client = await _tcpListener.AcceptTcpClientAsync();
+            _logger.Information("Listening for incoming connections...");

-            Thread dispatchThread = new Thread(() => new Dispatch(_client, _client.GetStream()));
-            dispatchThread.Start();
+            while (true)
+            {
+                using TcpClient _client = await _tcpListener.AcceptTcpClientAsync();
+                NetworkStream _stream = _client.GetStream();
+
+                _stream.Read(_buffer, 0, MAX_BUFFER_SIZE);
+
+                Message message = new Message(_buffer, _bufferSize, _logger);
+            }
        }
    }
 }
--- a/server/Types.cs
+++ b/server/Types.cs
@ -0,0 +1,91 @@
+using Serilog;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Numerics;
+using System.Runtime.InteropServices;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace server
+{
+    namespace Types
+    {
+        namespace Receive
+        {
+            struct PIPE_PACKET_SEND_EXTENSION_HEADER
+            {
+                public int request_id;
+                public int current_packet_number;
+                public int total_incoming_packet_count;
+                public uint packet_size;
+                public uint total_incoming_packet_size;
+            };
+        }
+
+        namespace Reports
+        {
+            [StructLayout(LayoutKind.Sequential)]
+            public unsafe struct MODULE_VERIFICATION_CHECKSUM_FAILURE
+            {
+                public int ReportCode;
+                public UInt64 ModuleBaseAddress;
+                public UInt64 ModuleSize;
+                public fixed char ModuleName[512];
+            }
+
+            public struct PROCESS_THREAD_START_FAILURE
+            {
+                public int ReportCode;
+                public long ThreadId;
+                public UInt64 StartAddress;
+            }
+
+            public struct PAGE_PROTECTION_FAILURE
+            {
+                public int ReportCode;
+                public UInt64 PageBaseAddress;
+                public long AllocationProtection;
+                public long AllocationState;
+                public long AllocationType;
+            }
+
+            public struct PATTERN_SCAN_FAILURE
+            {
+                public int ReportCode;
+                public int SignatureId;
+                public UInt64 Address;
+            }
+
+            public struct NMI_CALLBACK_FAILURE
+            {
+                public int ReportCode;
+                public int WereNmisDisabled;
+                public UInt64 KThreadAddress;
+                public UInt64 InvalidRip;
+            }
+
+            [StructLayout(LayoutKind.Sequential)]
+            public unsafe struct MODULE_VALIDATION_FAILURE
+            {
+                public int ReportCode;
+                public int ReportType;
+                public long DriverBaseAddress;
+                public long DriverSize;
+                public fixed char ModuleName[128];
+            }
+
+            [StructLayout(LayoutKind.Sequential)]
+            public unsafe struct OPEN_HANDLE_FAILURE_REPORT
+            {
+                public int ReportCode;
+                public int IsKernelHandle;
+                public uint ProcessId;
+                public uint ThreadId;
+                public uint DesiredAccess;
+                public fixed char ProcessName[64];
+
+            }
+        }
+    }
+}
--- a/server/server.csproj
+++ b/server/server.csproj
@ -5,10 +5,25 @@
    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
+    <AllowUnsafeBlocks>True</AllowUnsafeBlocks>
  </PropertyGroup>

+  <ItemGroup>
+    <Compile Remove="Helper.cs" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <None Include="Helper.cs" />
+  </ItemGroup>
+
  <ItemGroup>
    <PackageReference Include="Serilog" Version="3.0.1" />
+    <PackageReference Include="Serilog.Sinks.Console" Version="4.1.0" />
+    <PackageReference Include="Serilog.Sinks.File" Version="5.0.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\service\service.csproj" />
  </ItemGroup>

 </Project>
--- a/service/Message.cs
+++ b/service/Message.cs
@ -11,19 +11,12 @@ namespace service
 {
    public class Message
    {
-        private NamedPipeServerStream _pipeServer;
        private byte[] _buffer;
        private int _bufferSize;
-        public Message(NamedPipeServerStream pipeServer)
+        public Message(byte[] buffer, int bufferSize)
        {
-            _pipeServer = pipeServer;
-            _bufferSize = _pipeServer.InBufferSize;
-            _buffer = new byte[_bufferSize];
-        }
-
-        public async Task ReadPipeBuffer()
-        {
-            await _pipeServer.ReadAsync(_buffer, 0, _bufferSize);
+            _bufferSize = bufferSize;
+            _buffer = buffer;
        }

        public void SendMessageToServer()
--- a/service/Worker.cs
+++ b/service/Worker.cs
@ -4,6 +4,9 @@ using System.Runtime.InteropServices;
 using service.Types;
 using System;
 using System.Reflection.PortableExecutable;
+using System.Net.Sockets;
+using System.Net;
+using System.Net.Http;

 #pragma warning disable CS1998 // Async method lacks 'await' operators and will run synchronously
 #pragma warning disable CS8600
@ -16,8 +19,10 @@ namespace service
        private readonly ILogger<Worker> _logger;
        private NamedPipeServerStream _pipeServer;

-        private byte[] _header;
-        private int _headerSize;
+        private byte[] _buffer;
+        private int _bufferSize;
+
+        private static int MAX_BUFFER_SIZE = 8192;

        private enum MESSAGE_TYPE
        {
@ -35,13 +40,8 @@ namespace service
        {
            _logger = logger;
            _pipeServer = new NamedPipeServerStream("DonnaACPipe", PipeDirection.InOut, 1);
-
-            unsafe 
-            {
-                _headerSize = sizeof(PIPE_PACKET_HEADER); 
-            }
-
-            _header = new byte[_headerSize];
+            _bufferSize = MAX_BUFFER_SIZE;
+            _buffer = new byte[_bufferSize];
        }

        protected override async Task ExecuteAsync(CancellationToken stoppingToken)
@ -54,15 +54,16 @@ namespace service
            _logger.LogInformation("Client connected to the pipe server");

            while (!stoppingToken.IsCancellationRequested)
-            { 
+            {
                try
                {
-                    if (_pipeServer.InBufferSize > 0)
-                    {
-                        _logger.LogInformation("Message received at pipe server");
+                    int numBytesRead = _pipeServer.Read(_buffer, 0, _bufferSize);

-                        Message message = new Message(_pipeServer);
-                        await message.ReadPipeBuffer();
+                    if (numBytesRead > 0)
+                    {
+                        _logger.LogInformation("Message received at pipe server with size: {0}", numBytesRead);
+
+                        Message message = new Message(_buffer, numBytesRead);
                        message.SendMessageToServer();
                    }
                }
@ -71,7 +72,7 @@ namespace service
                    _logger.LogError("Reading buffer from pipe failed with message: {0}", ex.Message);
                }

-                Array.Clear(_header, 0, _headerSize);
+                Array.Clear(_buffer, 0, _bufferSize);
            }
        }

--- a/user/km/driver.cpp
+++ b/user/km/driver.cpp
@ -198,6 +198,8 @@ VOID kernelmode::Driver::QueryReportQueue()
 	if ( !header )
 		goto end;

+	LOG_INFO( "Report count: %d", header->count );
+
 	if ( header->count == 0 )
 		goto end;

@ -206,25 +208,30 @@ VOID kernelmode::Driver::QueryReportQueue()
 		report_header = (REPORT_ID*)( ( UINT64 )buffer + 
 			sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER ) + total_size );

-		switch ( report_header->report_id )
-		{
-		case REPORT_ILLEGAL_ATTACH_PROCESS:
+		LOG_INFO( "Report id: %d", report_header->report_id );

-			attach_report = (global::report_structures::ATTACH_PROCESS_REPORT*)( 
+		if ( report_header->report_id == REPORT_ILLEGAL_ATTACH_PROCESS )
+		{
+			attach_report = ( global::report_structures::ATTACH_PROCESS_REPORT* )(
 				( UINT64 )buffer + sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER ) + total_size );

 			this->report_interface->ReportViolation( attach_report );

 			total_size += sizeof( global::report_structures::ATTACH_PROCESS_REPORT );

-		case REPORT_ILLEGAL_HANDLE_OPERATION:
-
+			continue;
+		}
+		
+		if ( report_header->report_id == REPORT_ILLEGAL_HANDLE_OPERATION )
+		{
 			handle_report = ( global::report_structures::OPEN_HANDLE_FAILURE_REPORT* )(
 				( UINT64 )buffer + sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT_HEADER ) + total_size );

 			this->report_interface->ReportViolation( handle_report );

 			total_size += sizeof( global::report_structures::OPEN_HANDLE_FAILURE_REPORT );
+
+			continue;
 		}
 	}