ee

2024-11-21 22:24:08 +01:00 · 2023-09-11 03:32:12 +10:00 · 2023-09-11 03:32:12 +10:00 · fb10f9ac6f
commit fb10f9ac6f
parent da1dca21a1
8 changed files with 101 additions and 21 deletions
--- a/driver/callbacks.c
+++ b/driver/callbacks.c
@ -70,6 +70,15 @@ OB_PREOP_CALLBACK_STATUS ObPreOpCallbackRoutine(
 			OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = deny_access;
 			DEBUG_LOG( "handle stripped from: %s", process_creator_name );

+			/*
+			* These processes will constantly open handles to any open process for various reasons,
+			* so we will still strip them but we won't report them.. for now atleast.
+			*/
+			if ( process_creator_name == "Discord.exe" ||
+				process_creator_name == "svchost.exe" ||
+				process_creator_name == "explorer.exe" )
+				goto end;
+
 			POPEN_HANDLE_FAILURE_REPORT report = ExAllocatePool2( POOL_FLAG_NON_PAGED, sizeof( OPEN_HANDLE_FAILURE_REPORT ), REPORT_POOL_TAG );

 			if ( !report )
@ -294,7 +303,7 @@ BOOLEAN EnumHandleCallback(
 		report->process_id = PsGetProcessId( process );
 		report->thread_id = NULL;
 		report->access = handle_access_mask;
-		RtlCopyMemory( report->process_name, protected_process_name, HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH );
+		RtlCopyMemory( report->process_name, process_name, HANDLE_REPORT_PROCESS_NAME_MAX_LENGTH );

 		InsertReportToQueue( report );
 	}
--- a/server/Message.cs
+++ b/server/Message.cs
@ -68,6 +68,20 @@ namespace server
            USER_BAN = 20
        }

+        private enum ReportCodes
+        {
+            REPORT_CODE_MODULE_VERIFICATION = 10,
+            REPORT_CODE_START_ADDRESS_VERIFICATION = 20,
+            REPORT_PAGE_PROTECTION_VERIFICATION = 30,
+            REPORT_PATTERN_SCAN_FAILURE = 40,
+            REPORT_NMI_CALLBACK_FAILURE = 50,
+            REPORT_MODULE_VALIDATION_FAILURE = 60,
+            REPORT_ILLEGAL_HANDLE_OPERATION = 70,
+            REPORT_INVALID_PROCESS_ALLOCATION = 80,
+            REPORT_HIDDEN_SYSTEM_THREAD = 90,
+            REPORT_ILLEGAL_ATTACH_PROCESS = 100
+        }
+
        public Message(TcpClient client, byte[] buffer, int bufferSize, ILogger logger)
        {
            _tcpClient = client;
@ -110,14 +124,33 @@ namespace server

        unsafe private void HandleReportMessage(int reportId)
        { 
-            OPEN_HANDLE_FAILURE_REPORT openHandleFailure = 
-                Helper.BytesToStructure<OPEN_HANDLE_FAILURE_REPORT>(_buffer, sizeof(PACKET_HEADER));
+            switch (reportId)
+            {
+                case (int)ReportCodes.REPORT_ILLEGAL_HANDLE_OPERATION:
+                    _logger.Information("REPORT_ILLEGAL_HANDLE_OPERATION");
+                    break;
+                case (int)ReportCodes.REPORT_CODE_MODULE_VERIFICATION:
+                    _logger.Information("REPORT_CODE_MODULE_VERIFICATION");
+                    break;
+                case (int)ReportCodes.REPORT_NMI_CALLBACK_FAILURE:
+                    _logger.Information("REPORT_NMI_CALLBACK_FAILURE");
+                    break;
+                case (int)ReportCodes.REPORT_MODULE_VALIDATION_FAILURE:
+                    _logger.Information("REPORT_MODULE_VALIDATION_FAILURE");
+                    break;
+                default:
+                    _logger.Information("Report code not handled yet");
+                    break;
+            }

-            _logger.Information("Report code: {0}, ProcessID: {1:x}, ThreadId: {2:x}, DesiredAccess{3:x}",
+/*            OPEN_HANDLE_FAILURE_REPORT openHandleFailure = 
+                Helper.BytesToStructure<OPEN_HANDLE_FAILURE_REPORT>(_buffer, sizeof(PACKET_HEADER));*/
+
+/*            _logger.Information("Report code: {0}, ProcessID: {1:x}, ThreadId: {2:x}, DesiredAccess{3:x}",
                openHandleFailure.ReportCode,
                openHandleFailure.ProcessId,
                openHandleFailure.ThreadId,
-                openHandleFailure.DesiredAccess);
+                openHandleFailure.DesiredAccess);*/

            BuildReportResponseMessage(1);
        }
--- a/server/Types.cs
+++ b/server/Types.cs
@ -32,13 +32,14 @@ namespace server

        namespace ClientReport
        {
-            [StructLayout(LayoutKind.Sequential)]
-            public unsafe struct MODULE_VERIFICATION_CHECKSUM_FAILURE
+            [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
+            public unsafe struct PROCESS_MODULE_INTEGRITY_CHECK_FAILURE
            {
                public int ReportCode;
                public UInt64 ModuleBaseAddress;
                public UInt64 ModuleSize;
-                public fixed char ModuleName[512];
+                [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)]
+                public string ModuleName;
            }

            public struct PROCESS_THREAD_START_FAILURE
@ -72,14 +73,15 @@ namespace server
                public UInt64 InvalidRip;
            }

-            [StructLayout(LayoutKind.Sequential)]
+            [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
            public unsafe struct MODULE_VALIDATION_FAILURE
            {
                public int ReportCode;
                public int ReportType;
                public long DriverBaseAddress;
                public long DriverSize;
-                public fixed char ModuleName[128];
+                [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)]
+                public string ModuleName;
            }

            [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
--- a/service/Worker.cs
+++ b/service/Worker.cs
@ -22,6 +22,8 @@ namespace service
        private int _bufferSize;
        private static int MAX_BUFFER_SIZE = 8192;

+        private static int OK_RESPONSE_SIZE = 4;
+
        public Worker(Serilog.ILogger logger)
        {
            _logger = logger;
@ -69,11 +71,12 @@ namespace service
        {
            byte[] responseMessage = message.GetResponseFromServer();

+            if (responseMessage.Length == OK_RESPONSE_SIZE)
+                return;
+
            _logger.Information("Sending response message to client with size: {0}", responseMessage.Length);

            _pipeServer.Write(responseMessage, 0, responseMessage.Length);
-
-            _logger.Information("written to pipe");
        }

        [DllImport("kernel32.dll", SetLastError = true)]
--- a/service/helper.cs
+++ b/service/helper.cs
@ -1,4 +1,5 @@
-using System;
+using Serilog;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Runtime.InteropServices;
@ -12,19 +13,26 @@ namespace service
 {
    public class Helper
    {
-        unsafe public static T BytesToStructure<T>(ref byte[] buffer, int offset)
+        unsafe public static T BytesToStructure<T>(byte[] buffer, int offset)
        {
            int typeSize = Marshal.SizeOf(typeof(T));
+
+            if (buffer.Length == 0)
+                return default(T);
+
            IntPtr ptr = Marshal.AllocHGlobal(typeSize);

            try
            {
                Marshal.Copy(buffer, offset, ptr, typeSize);
-                return (T)Marshal.PtrToStructure(ptr, typeof(T));
-            }
-            finally
-            {
+                T result = (T)Marshal.PtrToStructure(ptr, typeof(T));
                Marshal.FreeHGlobal(ptr);
+                return result;
+            }
+            catch (Exception ex)
+            {
+                Log.Information(ex.Message);
+                return default(T);
            }
        }
    }
--- a/user/client.h
+++ b/user/client.h
@ -95,7 +95,7 @@ namespace global
 			INT report_code;
 			UINT64 module_base_address;
 			UINT64 module_size;
-			std::string module_name;
+			CHAR module_name[ 256 ];
 		};

 		struct PROCESS_THREAD_START_FAILURE
--- a/user/km/driver.cpp
+++ b/user/km/driver.cpp
@ -585,7 +585,8 @@ VOID kernelmode::Driver::VerifyProcessLoadedModuleExecutableRegions()
 			report.module_base_address = (UINT64)module_entry.modBaseAddr;
 			report.module_size = module_entry.modBaseSize;
 			std::wstring wstr( module_entry.szModule );
-			report.module_name = std::string( wstr.begin(), wstr.end() );
+			std::string module_name_string = std::string( wstr.begin(), wstr.end() );
+			memcpy( &report.module_name, &module_name_string, module_name_string.length() );
 			this->report_interface->ReportViolation( &report );
 		}

--- a/user/main.cpp
+++ b/user/main.cpp
@ -40,9 +40,33 @@ DWORD WINAPI Init(HINSTANCE hinstDLL)

    while ( !GetAsyncKeyState( VK_DELETE ) )
    {
+        srand( time( NULL ) );
+        int seed = ( rand() % 5 );
+
+        LOG_INFO( "Seed: %i", seed );
+
+        switch ( seed )
+        {
+        case 0:
+            kmanager.EnumerateHandleTables();
+            break;
+        case 1:
+            kmanager.PerformIntegrityCheck();
+            break;
+        case 2:
+            kmanager.RunNmiCallbacks();
+            break;
+        case 3:
+            kmanager.VerifySystemModules();
+            break;
+        case 4:
+            kmanager.ValidateProcessModules();
+            break;
+        }
+
        kmanager.MonitorCallbackReports();

-        std::this_thread::sleep_for( std::chrono::milliseconds( 5000 ) );
+        std::this_thread::sleep_for( std::chrono::seconds( 10 ) );
    }

    fclose( stdout );