diff --git a/driver/common.h b/driver/common.h
index cda2e9c..c4e8fec 100644
--- a/driver/common.h
+++ b/driver/common.h
@@ -15,6 +15,7 @@ #define SYSTEM_MODULES_POOL 'halb' #define THREAD_DATA_POOL 'doof' #define PROC_AFFINITY_POOL 'eeee' +#define TEMP_BUFFER_POOL 'ffff' #define ERROR -1 #define STACK_FRAME_POOL_SIZE 0x200
diff --git a/driver/ioctl.c b/driver/ioctl.c
index 774805c..6caff1b 100644
--- a/driver/ioctl.c
+++ b/driver/ioctl.c
@@ -30,9 +30,6 @@ NTSTATUS DeviceControl( case IOCTL_VALIDATE_DRIVER_OBJECTS: - /* KeWaitForSingleObject with infinite time must be called from IRQL <= APC_LEVEL */ - PAGED_CODE(); - /* * The reason this function is run in a new thread and not the thread * issuing the IOCTL is because ZwOpenDirectoryObject issues a
@@ -40,6 +37,9 @@ NTSTATUS DeviceControl( * This is a problem because when we pass said handle to ObReferenceObjectByHandle * it will issue a bug check under windows driver verifier. */ + + DEBUG_LOG( "irp addr: %p", ( void* )Irp ); + status = PsCreateSystemThread( &handle, PROCESS_ALL_ACCESS,
@@ -78,8 +78,11 @@ NTSTATUS DeviceControl( goto end; } + /* KeWaitForSingleObject with infinite time must be called from IRQL <= APC_LEVEL */ + PAGED_CODE(); + DEBUG_LOG( "waiting for thread to finish" ); KeWaitForSingleObject( thread, Executive, KernelMode, FALSE, NULL ); - + DEBUG_LOG( "THREAD FINISHED" ); ZwClose( handle ); ObDereferenceObject( thread );
@@ -91,9 +94,9 @@ NTSTATUS DeviceControl( } end: - - IoCompleteRequest( Irp, IO_NO_INCREMENT ); + DEBUG_LOG( "completing irp request" ); Irp->IoStatus.Status = status; + IoCompleteRequest( Irp, IO_NO_INCREMENT ); return status; }
diff --git a/driver/modules.c b/driver/modules.c
index 850b915..6b5db69 100644
--- a/driver/modules.c
+++ b/driver/modules.c 
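Review bot: The added `DEBUG_LOG( "irp addr: %p", ( void* )Irp );` writes a kernel pool address into the debug stream. If DEBUG_LOG is still compiled into free builds (not visible here), that is a small kernel-address disclosure to anyone able to read debugger output, and the pointer is not needed to follow the trace; gating the line on DBG or logging without the address keeps the message without it. DeviceControl continues outside this hunk.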
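Review bot: The re-added `PAGED_CODE();` in front of KeWaitForSingleObject is an ASSERT that exists only in checked builds, so in a free build this hunk adds no protection against the infinite wait running above APC_LEVEL; the earlier hunk (`@@ -30,9 +30,6`) that dropped it from the top of the case changes nothing at runtime either. If this dispatch routine can only ever be entered at PASSIVE_LEVEL, a comment stating that contract is more honest than the macro; if the wait really can be reached at raised IRQL, the check must be a real one placed before PsCreateSystemThread, so nothing has been created yet when it bails: `if ( KeGetCurrentIrql() > APC_LEVEL ) { status = STATUS_INVALID_DEVICE_STATE; goto end; }`. The surrounding function starts and ends outside this hunk.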
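Review bot: The reorder that puts `Irp->IoStatus.Status = status;` ahead of `IoCompleteRequest( Irp, IO_NO_INCREMENT );` is the substantive fix in this commit, yet nothing in the code says why, and the previous order was the bug. A one-line comment above the assignment, `/* fill in IoStatus before completing: the IRP must not be touched after IoCompleteRequest */`, would stop the next refactor from swapping them back. The failure paths that `goto end` appear to rely on `Irp->IoStatus.Information` being zero from IRP allocation (inferred, the top of the function is not in this diff); since the I/O manager copies that many bytes of SystemBuffer back to user mode, an explicit `Irp->IoStatus.Information = 0;` on the error path would make that intent visible.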
@@ -411,11 +411,6 @@ NTSTATUS HandleValidateDriversIOCTL( Irp->IoStatus.Information = sizeof( MODULE_VALIDATION_FAILURE_HEADER ) + MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT * sizeof( MODULE_VALIDATION_FAILURE ); - RtlCopyMemory( - Irp->AssociatedIrp.SystemBuffer, - &header, - sizeof( MODULE_VALIDATION_FAILURE_HEADER ) ); - for ( INT i = 0; i < head->count; i++ ) { /* make sure we free any non reported modules */
@@ -431,10 +426,20 @@ NTSTATUS HandleValidateDriversIOCTL( report.driver_base_address = head->first_entry->driver->DriverStart; report.driver_size = head->first_entry->driver->Size; - RtlCopyMemory( - &report.driver_name, - head->first_entry->driver->DriverName.Buffer, - MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE ); + ANSI_STRING string; + string.Length = 0; + string.MaximumLength = MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE; + string.Buffer = &report.driver_name; + + status = RtlUnicodeStringToAnsiString( + &string, + &head->first_entry->driver->DriverName, + FALSE + ); + + /* still continue if we fail to get the driver name */ + if ( !NT_SUCCESS( status ) ) + DEBUG_ERROR( "RtlUnicodeStringToAnsiString failed with statsu %x", status ); RtlCopyMemory( ( UINT64 )Irp->AssociatedIrp.SystemBuffer + sizeof( MODULE_VALIDATION_FAILURE_HEADER ) + i * sizeof( MODULE_VALIDATION_FAILURE ),
@@ -452,12 +457,5 @@ NTSTATUS HandleValidateDriversIOCTL( ExFreePoolWithTag( head, INVALID_DRIVER_LIST_HEAD_POOL ); ExFreePoolWithTag( system_modules.address, SYSTEM_MODULES_POOL ); - /* - * Complete the IRP here so we don't have to implement a waiting mechanism - * to prevent an early completion of the IRP. - */ - //IoCompleteRequest( Irp, IO_NO_INCREMENT ); - //Irp->IoStatus.Status = status; - return status; }
\ No newline at end of file
diff --git a/driver/modules.h b/driver/modules.h
index 3716bb5..5af89bf 100644
--- a/driver/modules.h
+++ b/driver/modules.h 
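Review bot: The removed `RtlCopyMemory( Irp->AssociatedIrp.SystemBuffer, &header, ... )` was the only write of the header into the output buffer visible in this diff, while `Irp->IoStatus.Information` still counts `sizeof( MODULE_VALIDATION_FAILURE_HEADER )` ahead of the report array. Unless the header is written somewhere outside this hunk, the first bytes handed back to user mode under METHOD_BUFFERED are whatever the system buffer already held — the caller's input or stale pool content — which is both a broken report format and a potential kernel-memory disclosure. If dropping the header is intentional, shrink Information to match and start the report array at offset 0; otherwise the copy needs to come back. HandleValidateDriversIOCTL starts outside this hunk.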
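Review bot: `string.Buffer = &report.driver_name;` takes the address of the whole CHAR[128] array (a `CHAR (*)[128]`, not the PCHAR the field expects), and nothing clears `report.driver_name` before the conversion: when RtlUnicodeStringToAnsiString fails or converts fewer than MaximumLength bytes, the RtlCopyMemory below still ships the array — holding stale stack bytes or the previous iteration's name — into the user-mode output buffer, and a name that converts to exactly MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE bytes is left without a terminator. The conversion result also lands in `status`, which is what the function returns (`return status;` in the last hunk), so despite the "still continue" comment a failed name conversion becomes a failed IOCTL unless status is reassigned in lines this diff does not show. Zero the field first, reserve one byte for the NUL, give the conversion its own status variable, and fix the typo in the error string (`statsu`).
```c
        report.driver_size = head->first_entry->driver->Size;

        /* zero first so a short or failed conversion cannot return stale stack bytes to user mode */
        RtlZeroMemory( report.driver_name, MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE );

        ANSI_STRING string;
        string.Length = 0;
        string.MaximumLength = MODULE_REPORT_DRIVER_NAME_BUFFER_SIZE - 1; /* keep room for the NUL */
        string.Buffer = report.driver_name;

        /* separate status: a missing name must not turn into a failed IOCTL */
        NTSTATUS name_status = RtlUnicodeStringToAnsiString(
            &string,
            &head->first_entry->driver->DriverName,
            FALSE
        );

        if ( !NT_SUCCESS( name_status ) )
            DEBUG_ERROR( "RtlUnicodeStringToAnsiString failed with status %x", name_status );

        /* … unchanged: RtlCopyMemory of report into the system buffer … */
```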
@@ -24,7 +24,7 @@ typedef struct _MODULE_VALIDATION_FAILURE INT report_type; UINT64 driver_base_address; UINT64 driver_size; - PCHAR driver_name[ 128 ]; + CHAR driver_name[ 128 ]; }MODULE_VALIDATION_FAILURE, *PMODULE_VALIDATION_FAILURE;
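Review bot: Changing `PCHAR driver_name[ 128 ];` to `CHAR driver_name[ 128 ];` shrinks MODULE_VALIDATION_FAILURE from 128 pointers to 128 bytes, and this struct is the wire format copied into the IOCTL output buffer (the RtlCopyMemory into SystemBuffer in modules.c). Any user-mode consumer that declares its own copy of the struct, and any buffer sizing derived from MODULE_VALIDATION_FAILURE_MAX_REPORT_COUNT, has to change in lockstep or the reports are parsed at the wrong offsets. A comment on the struct stating that it is shared with user mode, plus a `C_ASSERT( sizeof( MODULE_VALIDATION_FAILURE ) == /* expected size */ );` next to the typedef, would make that dependency visible.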