start big pool scan stuf

2024-11-21 22:24:08 +01:00 · 2023-11-09 02:02:17 +11:00 · 2023-11-09 02:02:17 +11:00 · e0c44632cb
commit e0c44632cb
parent 9c97f66e41
5 changed files with 110 additions and 8 deletions
--- a/driver/common.h
+++ b/driver/common.h
@ -635,6 +635,36 @@ typedef struct _DBGKD_DEBUG_DATA_HEADER64
    ULONG        Size;
 } DBGKD_DEBUG_DATA_HEADER64, * PDBGKD_DEBUG_DATA_HEADER64;

+typedef NTSTATUS(__stdcall* ZwQuerySystemInformation)(
+        _In_ UINT32 SystemInformationClass,
+        _Inout_ PVOID SystemInformation,
+        _In_ ULONG SystemInformationLength,
+        _Out_opt_ PULONG ReturnLength
+        );
+
+#define SYSTEM_BIGPOOL_INFORMATION_ID 0x42
+
+typedef struct _SYSTEM_BIGPOOL_ENTRY
+{
+        union
+        {
+                PVOID VirtualAddress;
+                ULONG_PTR NonPaged : 1;
+        };
+        SIZE_T SizeInBytes;
+        union
+        {
+                UCHAR Tag[4];
+                ULONG TagUlong;
+        };
+} SYSTEM_BIGPOOL_ENTRY, * PSYSTEM_BIGPOOL_ENTRY;
+
+typedef struct _SYSTEM_BIGPOOL_INFORMATION
+{
+        ULONG Count;
+        _Field_size_(Count) SYSTEM_BIGPOOL_ENTRY AllocatedInfo[1];
+} SYSTEM_BIGPOOL_INFORMATION, * PSYSTEM_BIGPOOL_INFORMATION;
+
 typedef struct _KDDEBUGGER_DATA64
 {
    DBGKD_DEBUG_DATA_HEADER64 Header;
--- a/driver/driver.c
+++ b/driver/driver.c
@ -1232,6 +1232,7 @@ DriverEntry(
 	//ValidateSystemModules();
 	//ValidateNtoskrnl();
 	//LaunchInterProcessInterrupt(NULL);
+	//EnumerateBigPoolAllocations();
 	DEBUG_LOG("DonnaAC Driver Entry Complete");

 	return STATUS_SUCCESS;
--- a/driver/integrity.c
+++ b/driver/integrity.c
@ -873,7 +873,7 @@ GetNextSMBIOSStructureInTable(
        PCHAR current_char_in_strings = string_section_start;
        PCHAR next_char_in_strings = string_section_start + 1;

-        for (;; )
+        for (;;)
        {
                if (*current_char_in_strings == NULL_TERMINATOR && *next_char_in_strings == NULL_TERMINATOR)
                {
@ -953,11 +953,11 @@ ParseSMBIOSTable(
 {
        PAGED_CODE();

-        NTSTATUS status;
-        PVOID firmware_table_buffer;
-        ULONG firmware_table_buffer_size = NULL;
-        ULONG bytes_returned;
-        PRAW_SMBIOS_DATA smbios_data;
+        NTSTATUS status = STATUS_SUCCESS;
+        PVOID firmware_table_buffer = NULL;
+        ULONG firmware_table_buffer_size = 0;
+        ULONG bytes_returned = 0;
+        PRAW_SMBIOS_DATA smbios_data = NULL;
        PSMBIOS_TABLE_HEADER smbios_table_header = NULL;
        PRAW_SMBIOS_TABLE_01 smbios_baseboard_information = NULL;

@ -1792,7 +1792,7 @@ ValidateSystemModules()
                        goto free_iteration;
                }

-                disk_text_base = (UINT64)((UINT64)disk_buffer + sizeof(INTEGRITY_CHECK_HEADER) + sizeof(IMAGE_SECTION_HEADER));
+                disk_text_base = (UINT64)disk_buffer + sizeof(INTEGRITY_CHECK_HEADER) + sizeof(IMAGE_SECTION_HEADER);
                memory_text_base = (UINT64)((UINT64)memory_buffer + sizeof(INTEGRITY_CHECK_HEADER) + sizeof(IMAGE_SECTION_HEADER));

                disk_text_header = (PIMAGE_SECTION_HEADER)((UINT64)disk_buffer + sizeof(INTEGRITY_CHECK_HEADER));
--- a/driver/pool.c
+++ b/driver/pool.c
@ -732,4 +732,74 @@ end:
 		ExFreePoolWithTag(context.process_buffer, PROCESS_ADDRESS_LIST_TAG);

 	return STATUS_SUCCESS;
+}
+
+/*
+* Allocations greater then a page in size are stored in a linked list and are called
+* big pool allocations.
+*/
+
+NTSTATUS
+EnumerateBigPoolAllocations()
+{
+	ULONG return_length = 0;
+	NTSTATUS status = STATUS_SUCCESS;
+	PSYSTEM_BIGPOOL_ENTRY entry = NULL;
+	SYSTEM_BIGPOOL_INFORMATION pool_information = { 0 };
+	PSYSTEM_BIGPOOL_INFORMATION pool_entries = NULL;
+	UNICODE_STRING routine = RTL_CONSTANT_STRING(L"ZwQuerySystemInformation");
+	ZwQuerySystemInformation pZwQuerySystemInformation = MmGetSystemRoutineAddress(&routine);
+
+	if (!pZwQuerySystemInformation)
+	{
+		DEBUG_ERROR("MmGetSystemRoutineAddress failed.");
+		return STATUS_ABANDONED;
+	}
+
+	status = pZwQuerySystemInformation(
+		SYSTEM_BIGPOOL_INFORMATION_ID,
+		&pool_information,
+		sizeof(pool_information),
+		&return_length
+	);
+
+	if (status != STATUS_INFO_LENGTH_MISMATCH)
+	{
+		DEBUG_ERROR("ZwQuerySystemInformation failed with status %x", status);
+		return status;
+	}
+
+	return_length += sizeof(SYSTEM_BIGPOOL_INFORMATION);
+
+	pool_entries = ExAllocatePool2(POOL_FLAG_NON_PAGED, return_length, POOL_TAG_INTEGRITY);
+
+	if (!pool_entries)
+		return STATUS_MEMORY_NOT_ALLOCATED;
+
+	status = pZwQuerySystemInformation(
+		SYSTEM_BIGPOOL_INFORMATION_ID,
+		pool_entries,
+		return_length,
+		&return_length
+	);
+
+	if (!NT_SUCCESS(status))
+	{
+		DEBUG_ERROR("ZwQuerySystemInformation 2 failed with status %x", status);
+		goto end;
+	}
+
+	for (INT index = 0; index < pool_entries->Count; index++)
+	{
+		entry = &pool_entries->AllocatedInfo[index];
+		
+	}
+	//MiGetPteAddress of va
+	//check if page is executaable
+end:
+
+	if (pool_entries)
+		ExFreePoolWithTag(pool_entries, POOL_TAG_INTEGRITY);
+
+	return status;
 }
--- a/driver/pool.h
+++ b/driver/pool.h
@ -26,6 +26,7 @@ GetPsActiveProcessHead(
 PKDDEBUGGER_DATA64
 GetGlobalDebuggerData();

-
+NTSTATUS
+EnumerateBigPoolAllocations();

 #endif