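#ifndef DRIVER_H
#define DRIVER_H

/*
 * NOTE(review): the header names on the next three #include lines are missing
 * from this copy of the file (they were probably angle-bracket includes that
 * did not survive extraction); restore them from the original source.
 */
#include
#include
#include
#include "common.h"
#include "queue.h"
#include "modules.h"
#include "integrity.h"

/*
 * Fixed buffer sizes.  The three serial/vendor sizes dimension the CHAR arrays
 * in SYSTEM_INFORMATION below; any writer into those arrays must bound its copy
 * to the array size and leave room for the terminating NUL.
 */
#define DRIVER_PATH_MAX_LENGTH              512
#define MOTHERBOARD_SERIAL_CODE_LENGTH      64
#define DEVICE_DRIVE_0_SERIAL_CODE_LENGTH   64
#define VENDOR_STRING_MAX_LENGTH            256

/* Upper bound on reports packed into a single IRP (the IRP handling that
 * enforces this is not in this header — confirm against the .c). */
#define MAX_REPORTS_PER_IRP 20

/* Pool tag for string allocations.  Multi-character constants are stored
 * little-endian, so this tag appears as "srts" in pool-tag tooling. */
#define POOL_TAG_STRINGS 'strs'

/*
 * Equals CTL_CODE(IOCTL_STORAGE_BASE, 0x0500, METHOD_BUFFERED, FILE_ANY_ACCESS)
 * as defined in ntddstor.h.  If that header is ever included alongside this
 * one, drop this copy rather than risk the two definitions diverging.
 */
#define IOCTL_STORAGE_QUERY_PROPERTY 0x002D1400

/* Host environment classification stored in SYSTEM_INFORMATION.environment. */
typedef enum _ENVIRONMENT_TYPE {
    NativeWindows = 0,
    Vmware,
    VirtualBox
} ENVIRONMENT_TYPE;

/* CPU vendor classification stored in SYSTEM_INFORMATION.processor. */
typedef enum _PROCESSOR_TYPE {
    Unknown = 0,
    GenuineIntel,
    AuthenticAmd
} PROCESSOR_TYPE;

/*
 * Snapshot of host identity kept by the driver.  The CHAR arrays are fixed
 * size and nothing in this header guarantees they are NUL-terminated, so
 * readers should treat them as bounded buffers rather than trusting strlen().
 */
typedef struct _SYSTEM_INFORMATION {
    CHAR                motherboard_serial[MOTHERBOARD_SERIAL_CODE_LENGTH];
    CHAR                drive_0_serial[DEVICE_DRIVE_0_SERIAL_CODE_LENGTH];
    CHAR                vendor[VENDOR_STRING_MAX_LENGTH];
    BOOLEAN             virtualised_environment;  /* presumably TRUE iff environment != NativeWindows — confirm in .c */
    ENVIRONMENT_TYPE    environment;
    PROCESSOR_TYPE      processor;
    RTL_OSVERSIONINFOW  os_information;
} SYSTEM_INFORMATION, *PSYSTEM_INFORMATION;

/*
 * Object-callback registration state.  registration_handle is presumably the
 * value handed back by the Ob callback registration API; lock is expected to
 * guard it across enable/disable (see ProcLoadEnableObCallbacks and
 * ProcCloseDisableObCallbacks below) — confirm against the .c.
 */
typedef struct _OB_CALLBACKS_CONFIG {
    PVOID           registration_handle;
    KGUARDED_MUTEX  lock;
} OB_CALLBACKS_CONFIG, *POB_CALLBACKS_CONFIG;

/*
 * Every routine below annotated with _Acquires_lock_/_Releases_lock_ takes and
 * drops a mutex internally, which is why each is capped at APC_LEVEL: a
 * KGUARDED_MUTEX cannot be acquired at DISPATCH_LEVEL or above.  Callers must
 * not hold the same mutex on entry.
 *
 * Parameterless prototypes are written as (void): in C an empty parameter list
 * declares an unprototyped function and disables argument checking at the call
 * site, so a caller passing stray arguments would compile silently.
 */

/* Populate the protected-process configuration from the request carried in Irp. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
NTSTATUS ProcLoadInitialiseProcessConfig(_In_ PIRP Irp);

/* Read the protected process' EPROCESS pointer into *Process. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetProtectedProcessEProcess(_Out_ PEPROCESS* Process);

/*
 * Read the protected process id into *ProcessId.  Note the id is read out as a
 * LONG here but set via a HANDLE in ImageLoadSetProcessId below; a HANDLE is
 * pointer-sized, so the .c should be checked for a consistent, non-truncating
 * conversion between the two.
 */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetProtectedProcessId(_Out_ PLONG ProcessId);

/* Read the "process configuration initialised" flag into *Flag. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID ReadProcessInitialisedConfigFlag(_Out_ PBOOLEAN Flag);

/* Copy the driver's on-disk path into *DriverPath (buffer ownership: see .c). */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetDriverPath(_Out_ PUNICODE_STRING DriverPath);

/* Hand back a pointer to the driver's SYSTEM_INFORMATION block. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetDriverConfigSystemInformation(_Out_ PSYSTEM_INFORMATION* SystemInformation);

/* Look up the APC context registered under ContextIdentifier into *Context. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetApcContext(_Inout_ PVOID* Context, _In_ LONG ContextIdentifier);

/* Register a new APC context; the status reports whether insertion succeeded. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
NTSTATUS InsertApcContext(_In_ PVOID Context);

/* Look up the APC context at position Index into *Context.  Index is signed;
 * bounds checking is the callee's responsibility — verify it in the .c. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetApcContextByIndex(_Inout_ PVOID* Context, _In_ INT Index);

/* Bump the outstanding-APC count for the context identified by ContextId. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID IncrementApcCount(_In_ LONG ContextId);

/* Release Apc and drop the outstanding-APC count for ContextId.  Apc must not
 * be used by the caller afterwards. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID FreeApcAndDecrementApcCount(_Inout_ PRKAPC Apc, _In_ LONG ContextId);

/* Walk the active APC contexts and handle any that have completed. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
NTSTATUS QueryActiveApcContextsForCompletion(void);

/* Terminate the protected process when an integrity violation is detected.
 * Carries no IRQL annotation, unlike its neighbours — worth adding one once
 * the .c confirms the IRQL it requires. */
VOID TerminateProtectedProcessOnViolation(void);

/* Register the object callbacks recorded in OB_CALLBACKS_CONFIG. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
NTSTATUS ProcLoadEnableObCallbacks(void);

/* Unregister the object callbacks recorded in OB_CALLBACKS_CONFIG. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID ProcCloseDisableObCallbacks(void);

/* Reset the protected-process configuration on close. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID ProcCloseClearProcessConfiguration(void);

/* Hand back a pointer to the driver's OB_CALLBACKS_CONFIG. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetCallbackConfigStructure(_Out_ POB_CALLBACKS_CONFIG* CallbackConfiguration);

/* Record the protected process id observed from the image-load path. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID ImageLoadSetProcessId(_In_ HANDLE ProcessId);

/* Copy the driver's device name into *DeviceName. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetDriverDeviceName(_Out_ PUNICODE_STRING DeviceName);

/* Copy the driver's registry path into *RegistryPath. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetDriverRegistryPath(_Out_ PUNICODE_STRING RegistryPath);

/* Hand back the driver's name as a NUL-terminated ANSI string. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetDriverName(_Out_ LPCSTR* DriverName);

/* Copy the driver's symbolic link name into *DeviceSymbolicLink. */
_IRQL_requires_max_(APC_LEVEL)
_Acquires_lock_(_Lock_kind_mutex_)
_Releases_lock_(_Lock_kind_mutex_)
VOID GetDriverSymbolicLink(_Out_ PUNICODE_STRING DeviceSymbolicLink);

/* Return the driver's device object. */
PDEVICE_OBJECT GetDriverDeviceObject(void);

/*
 * NOTE(review): this prototype has no return type and none of the IRQL/lock
 * annotations its sibling accessors carry.  C99 and later have no implicit
 * int, so this must be reconciled with the definition in the .c (VOID, by
 * analogy with the other _Out_ accessors?).  Left untouched pending that check.
 */
GetSystemModuleValidationContext(_Out_ PSYS_MODULE_VAL_CONTEXT* Context);

/* Return the driver object. */
PDRIVER_OBJECT GetDriverObject(void);

#endif /* DRIVER_H */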