#include "integrity.h" #include "common.h" #include "driver.h" #include "modules.h" #include "callbacks.h" #include "ioctl.h" #include "imports.h" #include #include #include typedef struct _INTEGRITY_CHECK_HEADER { INT executable_section_count; LONG total_packet_size; } INTEGRITY_CHECK_HEADER, *PINTEGRITY_CHECK_HEADER; #define MAX_MODULE_PATH 256 typedef struct _PROCESS_MODULE_INFORMATION { PVOID module_base; SIZE_T module_size; WCHAR module_path[MAX_MODULE_PATH]; } PROCESS_MODULE_INFORMATION, *PPROCESS_MODULE_INFORMATION; typedef struct _PROCESS_MODULE_VALIDATION_RESULT { INT is_module_valid; } PROCESS_MODULE_VALIDATION_RESULT, *PPROCESS_MODULE_VALIDATION_RESULT; STATIC NTSTATUS InitiateEptFunctionAddressArrays(); STATIC NTSTATUS GetModuleInformationByName(_Out_ PRTL_MODULE_EXTENDED_INFO ModuleInfo, _In_ LPCSTR ModuleName); STATIC NTSTATUS StoreModuleExecutableRegionsInBuffer(_Outptr_result_bytebuffer_(*BytesWritten) PVOID* Buffer, _In_ PVOID ModuleBase, _In_ SIZE_T ModuleSize, _Out_ _Deref_out_range_(>, 0) PSIZE_T BytesWritten); STATIC NTSTATUS MapDiskImageIntoVirtualAddressSpace(_Inout_ PHANDLE SectionHandle, _Outptr_result_bytebuffer_(*Size) PVOID* Section, _In_ PUNICODE_STRING Path, _Out_ _Deref_out_range_(>, 0) PSIZE_T Size); STATIC NTSTATUS ComputeHashOfBuffer(_In_ PVOID Buffer, _In_ ULONG BufferSize, _Outptr_result_bytebuffer_(*HashResultSize) PVOID* HashResult, _Out_ _Deref_out_range_(>, 0) PULONG HashResultSize); STATIC VOID GetNextSMBIOSStructureInTable(_Inout_ PSMBIOS_TABLE_HEADER* CurrentStructure); STATIC NTSTATUS GetStringAtIndexFromSMBIOSTable(_In_ PSMBIOS_TABLE_HEADER Table, _In_ INT Index, _In_ PVOID Buffer, _In_ SIZE_T BufferSize); STATIC NTSTATUS GetAverageReadTimeAtRoutine(_In_ PVOID RoutineAddress, _Out_ PUINT64 AverageTime); STATIC NTSTATUS RegistryPathQueryTestSigningCallback(IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext); #ifdef ALLOC_PRAGMA # pragma alloc_text(PAGE, GetDriverImageSize) # pragma alloc_text(PAGE, GetModuleInformationByName) # pragma alloc_text(PAGE, StoreModuleExecutableRegionsInBuffer) # pragma alloc_text(PAGE, MapDiskImageIntoVirtualAddressSpace) # pragma alloc_text(PAGE, ComputeHashOfBuffer) // # pragma alloc_text(PAGE, VerifyInMemoryImageVsDiskImage) # pragma alloc_text(PAGE, RetrieveInMemoryModuleExecutableSections) # pragma alloc_text(PAGE, GetNextSMBIOSStructureInTable) # pragma alloc_text(PAGE, GetStringAtIndexFromSMBIOSTable) # pragma alloc_text(PAGE, ParseSMBIOSTable) # pragma alloc_text(PAGE, ValidateProcessLoadedModule) # pragma alloc_text(PAGE, GetHardDiskDriveSerialNumber) # pragma alloc_text(PAGE, ScanForSignature) # pragma alloc_text(PAGE, InitiateEptFunctionAddressArrays) # pragma alloc_text(PAGE, DetectEptHooksInKeyFunctions) # pragma alloc_text(PAGE, RegistryPathQueryTestSigningCallback) // #pragma alloc_text(PAGE, DetermineIfTestSigningIsEnabled) #endif /* * note: this can be put into its own function wihtout an IRP as argument then it can be used * in both the get driver image ioctl handler and the CopyDriverExecvutableRegions func */ NTSTATUS GetDriverImageSize(_Inout_ PIRP Irp) { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; LPCSTR driver_name = NULL; SYSTEM_MODULES modules = {0}; PRTL_MODULE_EXTENDED_INFO driver_info = NULL; GetDriverName(&driver_name); if (!driver_name) { DEBUG_ERROR("GetDriverName failed with no status."); return status; } status = GetSystemModuleInformation(&modules); if (!NT_SUCCESS(status)) { DEBUG_ERROR("GetSystemModuleInformation failed with status %x", status); return status; } driver_info = FindSystemModuleByName(driver_name, &modules); if (!driver_info) { DEBUG_ERROR("FindSystemModuleByName failed with no status code"); ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL); return STATUS_NOT_FOUND; } status = ValidateIrpOutputBuffer(Irp, sizeof(ULONG)); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ValidateIrpOutputBuffer failed with status %x", status); goto end; } Irp->IoStatus.Information = sizeof(ULONG); RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, &driver_info->ImageSize, sizeof(ULONG)); end: if (modules.address) ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL); return status; } STATIC NTSTATUS GetModuleInformationByName(_Out_ PRTL_MODULE_EXTENDED_INFO ModuleInfo, _In_ LPCSTR ModuleName) { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; LPCSTR driver_name = NULL; SYSTEM_MODULES modules = {0}; PRTL_MODULE_EXTENDED_INFO driver_info = NULL; GetDriverName(&driver_name); if (!driver_name) { DEBUG_ERROR("GetDriverName failed with no status."); return status; } status = GetSystemModuleInformation(&modules); if (!NT_SUCCESS(status)) { DEBUG_ERROR("GetSystemModuleInformation failed with status %x", status); return status; } driver_info = FindSystemModuleByName(driver_name, &modules); if (!driver_info) { DEBUG_ERROR("FindSystemModuleByName failed with no status"); ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL); return STATUS_NOT_FOUND; } ModuleInfo->FileNameOffset = driver_info->FileNameOffset; ModuleInfo->ImageBase = driver_info->ImageBase; ModuleInfo->ImageSize = driver_info->ImageSize; RtlCopyMemory( ModuleInfo->FullPathName, driver_info->FullPathName, sizeof(ModuleInfo->FullPathName)); if (modules.address) ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL); return status; } #define PE_TYPE_32_BIT 0x10b STATIC NTSTATUS StoreModuleExecutableRegionsInBuffer(_Outptr_result_bytebuffer_(*BytesWritten) PVOID* Buffer, _In_ PVOID ModuleBase, _In_ SIZE_T ModuleSize, _Out_ _Deref_out_range_(>, 0) PSIZE_T BytesWritten) { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; PIMAGE_DOS_HEADER dos_header = NULL; PLOCAL_NT_HEADER nt_header = NULL; PIMAGE_SECTION_HEADER section = NULL; ULONG total_packet_size = 0; ULONG num_sections = 0; ULONG num_executable_sections = 0; UINT64 buffer_base = 0; ULONG bytes_returned = 0; MM_COPY_ADDRESS address = {0}; ULONG buffer_size = 0; if (!ModuleBase || !ModuleSize) return STATUS_INVALID_PARAMETER; /* * The reason we allocate a buffer to temporarily hold the section data is that * we don't know the total size until after we iterate over the sections meaning * we cant set Irp->IoStatus.Information to the size of our reponse until we * enumerate and count all executable sections for the file. */ buffer_size = ModuleSize + sizeof(INTEGRITY_CHECK_HEADER); *BytesWritten = 0; *Buffer = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, buffer_size, POOL_TAG_INTEGRITY); if (*Buffer == NULL) return STATUS_MEMORY_NOT_ALLOCATED; /* * Note: Verifier doesn't like it when we map the module so rather then mapping it to our * address space we will simply use MmCopyMemory on the module to avoid upsetting verifier * :) */ dos_header = (PIMAGE_DOS_HEADER)ModuleBase; /* * The IMAGE_DOS_HEADER.e_lfanew stores the offset of the IMAGE_NT_HEADER from the base * of the image. */ nt_header = (struct _IMAGE_NT_HEADERS64*)((UINT64)ModuleBase + dos_header->e_lfanew); num_sections = nt_header->FileHeader.NumberOfSections; /* * The IMAGE_FIRST_SECTION macro takes in an IMAGE_NT_HEADER and returns the address of * the first section of the PE file. */ section = IMAGE_FIRST_SECTION(nt_header); buffer_base = (UINT64)*Buffer + sizeof(INTEGRITY_CHECK_HEADER); for (ULONG index = 0; index < num_sections - 1; index++) { /* create a function for this instead, check for writeable sections use !*/ if (section->Characteristics & IMAGE_SCN_MEM_EXECUTE) { /* * Note: MmCopyMemory will fail on discardable sections. */ address.VirtualAddress = section; status = ImpMmCopyMemory((UINT64)buffer_base + total_packet_size, address, sizeof(IMAGE_SECTION_HEADER), MM_COPY_MEMORY_VIRTUAL, &bytes_returned); if (!NT_SUCCESS(status)) { DEBUG_ERROR("MmCopyMemory failed with status %x", status); ImpExFreePoolWithTag(*Buffer, POOL_TAG_INTEGRITY); *Buffer = NULL; return status; } address.VirtualAddress = (UINT64)ModuleBase + section->PointerToRawData; status = ImpMmCopyMemory((UINT64)buffer_base + total_packet_size + sizeof(IMAGE_SECTION_HEADER), address, section->SizeOfRawData, MM_COPY_MEMORY_VIRTUAL, &bytes_returned); if (!NT_SUCCESS(status)) { DEBUG_ERROR("MmCopyMemory failed with status %x", status); ImpExFreePoolWithTag(*Buffer, POOL_TAG_INTEGRITY); *Buffer = NULL; return status; } total_packet_size += section->SizeOfRawData + sizeof(IMAGE_SECTION_HEADER); num_executable_sections += 1; } section++; } INTEGRITY_CHECK_HEADER header = {0}; header.executable_section_count = num_executable_sections; header.total_packet_size = total_packet_size + sizeof(INTEGRITY_CHECK_HEADER); RtlCopyMemory(*Buffer, &header, sizeof(INTEGRITY_CHECK_HEADER)); *BytesWritten = total_packet_size + sizeof(INTEGRITY_CHECK_HEADER); return status; } STATIC NTSTATUS MapDiskImageIntoVirtualAddressSpace(_Inout_ PHANDLE SectionHandle, _Outptr_result_bytebuffer_(*Size) PVOID* Section, _In_ PUNICODE_STRING Path, _Out_ _Deref_out_range_(>, 0) PSIZE_T Size) { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE file_handle = NULL; OBJECT_ATTRIBUTES object_attributes = {0}; PIO_STATUS_BLOCK pio_block = NULL; UNICODE_STRING path = {0}; *Section = NULL; *Size = 0; ImpRtlInitUnicodeString(&path, Path->Buffer); InitializeObjectAttributes(&object_attributes, &path, OBJ_KERNEL_HANDLE, NULL, NULL); status = ImpZwOpenFile(&file_handle, GENERIC_READ, &object_attributes, &pio_block, NULL, NULL); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ZwOpenFile failed with status %x", status); return status; } object_attributes.ObjectName = NULL; /* * Its important that we set the SEC_IMAGE flag with the PAGE_READONLY * flag as we are mapping an executable image. */ status = ImpZwCreateSection(SectionHandle, SECTION_ALL_ACCESS, &object_attributes, NULL, PAGE_READONLY, SEC_IMAGE, file_handle); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ZwCreateSection failed with status %x", status); ImpZwClose(file_handle); *SectionHandle = NULL; return status; } if (!NT_SUCCESS(status)) { DEBUG_ERROR("ObReferenceObjectByHandle failed with status %x", status); return status; } /* * Mapping a section with the flag SEC_IMAGE (see function above) tells the os we * are mapping an executable image. This then allows the OS to take care of parsing * the PE header and dealing with all relocations for us, meaning the mapped image * will be identical to the in memory image. */ status = ZwMapViewOfSection(*SectionHandle, ZwCurrentProcess(), Section, NULL, NULL, NULL, Size, ViewUnmap, MEM_TOP_DOWN, PAGE_READONLY); if (!NT_SUCCESS(status)) { /* caller is responsible for closing handle on success, therefore null it */ DEBUG_ERROR("ZwMapViewOfSection failed with status %x", status); ImpZwClose(file_handle); ImpZwClose(*SectionHandle); *SectionHandle = NULL; return status; } ImpZwClose(file_handle); return status; } STATIC NTSTATUS ComputeHashOfBuffer(_In_ PVOID Buffer, _In_ ULONG BufferSize, _Outptr_result_bytebuffer_(*HashResultSize) PVOID* HashResult, _Out_ _Deref_out_range_(>, 0) PULONG HashResultSize) { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; BCRYPT_ALG_HANDLE algo_handle = NULL; BCRYPT_HASH_HANDLE hash_handle = NULL; ULONG bytes_copied = 0; ULONG resulting_hash_size = 0; ULONG hash_object_size = 0; PCHAR hash_object = NULL; PCHAR resulting_hash = NULL; *HashResult = NULL; *HashResultSize = 0; status = BCryptOpenAlgorithmProvider(&algo_handle, BCRYPT_SHA256_ALGORITHM, NULL, NULL); if (!NT_SUCCESS(status)) { DEBUG_ERROR("BCryptOpenAlogrithmProvider failed with status %x", status); goto end; } /* * Request the size of the hash object buffer, this is different then the buffer that * will store the resulting hash, instead this will be used to store the hash object * used to create the hash. */ status = BCryptGetProperty(algo_handle, BCRYPT_OBJECT_LENGTH, (PCHAR)&hash_object_size, sizeof(ULONG), &bytes_copied, NULL); if (!NT_SUCCESS(status)) { DEBUG_ERROR("BCryptGetProperty failed with status %x", status); goto end; } hash_object = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, hash_object_size, POOL_TAG_INTEGRITY); if (!hash_object) { status = STATUS_MEMORY_NOT_ALLOCATED; goto end; } /* * This call gets the size of the resulting hash, which we will use to allocate the * resulting hash buffer. */ status = BCryptGetProperty(algo_handle, BCRYPT_HASH_LENGTH, (PCHAR)&resulting_hash_size, sizeof(ULONG), &bytes_copied, NULL); if (!NT_SUCCESS(status)) { DEBUG_ERROR("BCryptGetProperty failed with status %x", status); goto end; } resulting_hash = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, resulting_hash_size, POOL_TAG_INTEGRITY); if (!resulting_hash) { status = STATUS_MEMORY_NOT_ALLOCATED; goto end; } /* * Here we create our hash object and store it in the hash_object buffer. */ status = BCryptCreateHash( algo_handle, &hash_handle, hash_object, hash_object_size, NULL, NULL, NULL); if (!NT_SUCCESS(status)) { DEBUG_ERROR("BCryptCreateHash failed with status %x", status); goto end; } /* * This function hashes the buffer, but does NOT store it in our resulting buffer yet, * we need to call BCryptFinishHash to retrieve the final hash. */ status = BCryptHashData(hash_handle, Buffer, BufferSize, NULL); if (!NT_SUCCESS(status)) { DEBUG_ERROR("BCryptHashData failed with status %x", status); goto end; } /* * As said in the previous comment, this is where we retrieve the final hash and store * it in our output buffer. */ status = BCryptFinishHash(hash_handle, resulting_hash, resulting_hash_size, NULL); if (!NT_SUCCESS(status)) { DEBUG_ERROR("BCryptFinishHash failed with status %x", status); goto end; } *HashResult = resulting_hash; *HashResultSize = resulting_hash_size; end: if (algo_handle) BCryptCloseAlgorithmProvider(algo_handle, NULL); if (hash_handle) BCryptDestroyHash(hash_handle); if (hash_object) ImpExFreePoolWithTag(hash_object, POOL_TAG_INTEGRITY); return status; } NTSTATUS RetrieveInMemoryModuleExecutableSections(_Inout_ PIRP Irp) { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; LPCSTR driver_name = NULL; SIZE_T bytes_written = NULL; PVOID buffer = NULL; RTL_MODULE_EXTENDED_INFO module_info = {0}; GetDriverName(&driver_name); if (!driver_name) { DEBUG_ERROR("GetDriverName failed with no status"); return status; } status = GetModuleInformationByName(&module_info, driver_name); if (!NT_SUCCESS(status) || !module_info.ImageBase || !module_info.ImageSize) { DEBUG_ERROR("GetModuleInformationByName failed with status %x", status); return status; } status = StoreModuleExecutableRegionsInBuffer( &buffer, module_info.ImageBase, module_info.ImageSize, &bytes_written); if (!NT_SUCCESS(status)) { DEBUG_ERROR("StoreModuleExecutableRegionsInBuffe failed with status %x", status); return status; } status = ValidateIrpOutputBuffer(Irp, bytes_written); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ValidateIrpOutputBuffer failed with status %x", status); goto end; } Irp->IoStatus.Information = bytes_written; RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, buffer, bytes_written); end: if (buffer) ImpExFreePoolWithTag(buffer, POOL_TAG_INTEGRITY); return status; } #define SMBIOS_TABLE 'RSMB' #define NULL_TERMINATOR '\0' /* * From line 727 in the SMBIOS Specification: * * 727 • Each structure shall be terminated by a double-null (0000h), either directly following * the 728 formatted area (if no strings are present) or directly following the last string. This * includes 729 system- and OEM-specific structures and allows upper-level software to easily * traverse the 730 structure table. (See structure-termination examples later in this clause.) * * TLDR is that if the first two characters proceeding the structure are null terminators, then * there are no strings, otherwise to find the end of the string section simply iterate until there * is a double null terminator. * * source: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_2.7.1.pdf */ STATIC VOID GetNextSMBIOSStructureInTable(_Inout_ PSMBIOS_TABLE_HEADER* CurrentStructure) { PAGED_CODE(); PCHAR string_section_start = (PCHAR)((UINT64)*CurrentStructure + (*CurrentStructure)->Length); PCHAR current_char_in_strings = string_section_start; PCHAR next_char_in_strings = string_section_start + 1; for (;;) { if (*current_char_in_strings == NULL_TERMINATOR && *next_char_in_strings == NULL_TERMINATOR) { *CurrentStructure = (PSMBIOS_TABLE_HEADER)((UINT64)next_char_in_strings + 1); return; } current_char_in_strings++; next_char_in_strings++; } } /* * Remember that the string index does not start from the beginning of the struct. For example, lets * take RAW_SMBIOS_TABLE_02: the first string is NOT "Type" at index 0, the first string is * Manufacturer. So if we want to find the SerialNumber, the string index would be 4, as the * previous 3 values (after the header) are all strings. So remember, the index is into the number * of strings that exist for the given table, NOT the size of the structure or a values index into * the struct. * * Here we count the number of strings by incrementing the string_count each time we pass a null * terminator so we know when we're at the beginning of the target string. */ STATIC NTSTATUS GetStringAtIndexFromSMBIOSTable(_In_ PSMBIOS_TABLE_HEADER Table, _In_ INT Index, _In_ PVOID Buffer, _In_ SIZE_T BufferSize) { PAGED_CODE(); INT current_string_char_index = 0; INT string_count = 0; PCHAR current_string_char = (PCHAR)((UINT64)Table + Table->Length); PCHAR next_string_char = current_string_char + 1; for (;;) { if (*current_string_char == NULL_TERMINATOR && *next_string_char == NULL_TERMINATOR) return STATUS_NOT_FOUND; if (current_string_char_index >= BufferSize) return STATUS_BUFFER_TOO_SMALL; if (string_count + 1 == Index) { if (*current_string_char == NULL_TERMINATOR) return STATUS_SUCCESS; RtlCopyMemory((UINT64)Buffer + current_string_char_index, current_string_char, sizeof(CHAR)); current_string_char_index++; goto increment; } if (*current_string_char == NULL_TERMINATOR) { current_string_char_index = 0; string_count++; } increment: current_string_char++; next_string_char++; } return STATUS_NOT_FOUND; } /* for generic intel */ // #define SMBIOS_SYSTEM_INFORMATION_TYPE_2_TABLE 2 // #define MOTHERBOARD_SERIAL_CODE_TABLE_INDEX 4 /* for testing purposes in vmware */ // #define VMWARE_SMBIOS_TABLE 1 // #define VMWARE_SMBIOS_TABLE_INDEX 3 NTSTATUS ParseSMBIOSTable(_Out_ PVOID Buffer, _In_ SIZE_T BufferSize, _In_ SMBIOS_TABLE_INDEX TableIndex, _In_ ULONG TableSubIndex) { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; PVOID firmware_table_buffer = NULL; ULONG firmware_table_buffer_size = 0; ULONG bytes_returned = 0; PRAW_SMBIOS_DATA smbios_data = NULL; PSMBIOS_TABLE_HEADER smbios_table_header = NULL; PRAW_SMBIOS_TABLE_01 smbios_baseboard_information = NULL; status = ImpExGetSystemFirmwareTable(SMBIOS_TABLE, 0, NULL, 0, &firmware_table_buffer_size); /* * Because we pass a null buffer here, the NTSTATUS result will be a BUFFER_TOO_SMALL error, * so to validate this function call we check the return bytes returned (which indicate * required buffer size) is above 0. */ if (firmware_table_buffer_size == NULL) { DEBUG_ERROR("ExGetSystemFirmwareTable call 1 failed to get required buffer size."); return STATUS_BUFFER_TOO_SMALL; } firmware_table_buffer = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, firmware_table_buffer_size, POOL_TAG_INTEGRITY); if (!firmware_table_buffer) return STATUS_MEMORY_NOT_ALLOCATED; status = ImpExGetSystemFirmwareTable( SMBIOS_TABLE, NULL, firmware_table_buffer, firmware_table_buffer_size, &bytes_returned); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ExGetSystemFirmwareTable call 2 failed with status %x", status); goto end; } smbios_data = (PRAW_SMBIOS_DATA)firmware_table_buffer; smbios_table_header = (PSMBIOS_TABLE_HEADER)(&smbios_data->SMBIOSTableData[0]); /* * The System Information table is equal to Type == 2 and contains the serial number of the * motherboard in the computer among various other things. * * source: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_2.7.1.pdf * line 823 */ while (smbios_table_header->Type != TableIndex) GetNextSMBIOSStructureInTable(&smbios_table_header); status = GetStringAtIndexFromSMBIOSTable(smbios_table_header, TableSubIndex, Buffer, BufferSize); if (!NT_SUCCESS(status)) { DEBUG_ERROR("GetStringAtIndexFromSMBIOSTable failed with status %x", status); goto end; } end: if (firmware_table_buffer) ImpExFreePoolWithTag(firmware_table_buffer, POOL_TAG_INTEGRITY); return status; } STATIC NTSTATUS ComputeHashOfSections(_In_ PIMAGE_SECTION_HEADER DiskSection, _In_ PIMAGE_SECTION_HEADER MemorySection, _Out_ PVOID* DiskHash, _Out_ PULONG DiskHashSize, _Out_ PVOID* MemoryHash, _Out_ PULONG MemoryHashSize) { NTSTATUS status = STATUS_UNSUCCESSFUL; if (DiskSection->SizeOfRawData != MemorySection->SizeOfRawData) { DEBUG_WARNING("Executable section sizes differ between images."); return STATUS_INVALID_BUFFER_SIZE; } status = ComputeHashOfBuffer((UINT64)DiskSection + sizeof(IMAGE_SECTION_HEADER), DiskSection->SizeOfRawData, DiskHash, DiskHashSize); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ComputeHashOfBuffer failed with status %x", status); return status; } status = ComputeHashOfBuffer((UINT64)MemorySection + sizeof(IMAGE_SECTION_HEADER), MemorySection->SizeOfRawData, MemoryHash, MemoryHashSize); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ComputeHashOfBuffer 2 failed with status %x", status); return status; } return status; } STATIC BOOLEAN CompareHashes(_In_ PVOID Hash1, _In_ PVOID Hash2, _In_ UINT32 Length) { if (RtlCompareMemory(Hash1, Hash2, Length) == Length) return TRUE; else return FALSE; } typedef struct _VAL_INTEGRITY_HEADER { INTEGRITY_CHECK_HEADER integrity_check_header; IMAGE_SECTION_HEADER section_header; CHAR section_base[]; } VAL_INTEGRITY_HEADER, *PVAL_INTEGRITY_HEADER; /* * Because the infrastructure has already been setup to validate modules in the driver, that * is how I will validate the usermode modules as well. Another reason is that the win32 api * makes it very easy to take a snapshot of the modules and enumerate them with easy to use * functions and macros. * * 1. Take a snapshot of the modules in the process from our dll * 2. pass the image base, image size and the image path to our driver via an IRP * 3. from our driver, to first verify the in memory module, attach to our protected process * and using the base + size simply use StoreModuleExecutableRegionsInBuffer() * 4. Next we use the path to map the image on disk into memory, and pass the image to * StoreModuleExecutableRegionsInBuffer() just as we did before. * 5. With the 2 buffers that contain both images executable regions, we hash them and compare * for anomalies. * * note: Its important to realise that since these are user mode modules, they are often hooked * by various legitimate programs - such as discord, nvidia etc. So this needs to be rethinked. */ NTSTATUS ValidateProcessLoadedModule(_Inout_ PIRP Irp) { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; PROCESS_MODULE_VALIDATION_RESULT validation_result = {0}; PPROCESS_MODULE_INFORMATION module_info = NULL; PKPROCESS process = NULL; KAPC_STATE apc_state = {0}; PVAL_INTEGRITY_HEADER memory_buffer = NULL; PVAL_INTEGRITY_HEADER disk_buffer = NULL; PVOID memory_hash = NULL; PVOID disk_hash = NULL; ULONG memory_hash_size = 0; ULONG disk_hash_size = 0; SIZE_T bytes_written = 0; UNICODE_STRING module_path = {0}; HANDLE section_handle = NULL; PVOID section = NULL; ULONG section_size = 0; status = ValidateIrpInputBuffer(Irp, sizeof(PROCESS_MODULE_INFORMATION)); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ValidateIrpInputBuffer failed with status %x", status); return status; } module_info = (PPROCESS_MODULE_INFORMATION)Irp->AssociatedIrp.SystemBuffer; GetProtectedProcessEProcess(&process); ImpRtlInitUnicodeString(&module_path, &module_info->module_path); /* * Attach because the offsets given are from the process' context. */ ImpKeStackAttachProcess(process, &apc_state); status = StoreModuleExecutableRegionsInBuffer( &memory_buffer, module_info->module_base, module_info->module_size, &bytes_written); ImpKeUnstackDetachProcess(&apc_state); if (!NT_SUCCESS(status)) { DEBUG_ERROR("StoreModuleExecutableRegionsInBuffer failed with status %x", status); goto end; } status = MapDiskImageIntoVirtualAddressSpace( §ion_handle, §ion, &module_path, §ion_size, 0); if (!NT_SUCCESS(status)) { DEBUG_ERROR("MapDiskImageIntoVirtualAddressSpace failed with status %x", status); goto end; } status = StoreModuleExecutableRegionsInBuffer( &disk_buffer, section, section_size, &bytes_written); if (!NT_SUCCESS(status)) { DEBUG_ERROR("StoreModuleExecutableRegionsInbuffer 2 failed with status %x", status); goto end; } status = ComputeHashOfSections(&memory_buffer->section_header, &disk_buffer->section_header, &disk_hash, &disk_hash_size, &memory_hash, &memory_hash_size); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ComputeHashOfSections failed with status %x", status); goto end; } /* * Because each module is passed per IRP we don't need to send any reports * to the queue we can simply pass it back to usermode via the same IRP. * We also don't need to send any module information since usermode has everything * needed to file the report. */ validation_result.is_module_valid = CompareHashes(disk_hash, memory_hash, memory_hash_size); status = ValidateIrpOutputBuffer(Irp, sizeof(PROCESS_MODULE_VALIDATION_RESULT)); if (!NT_SUCCESS(status)) { DEBUG_ERROR("Failed to validate IRP output buffer"); goto end; } Irp->IoStatus.Information = sizeof(PROCESS_MODULE_VALIDATION_RESULT); RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, &validation_result, sizeof(PROCESS_MODULE_VALIDATION_RESULT)); end: if (section_handle) ImpZwClose(section_handle); if (section) ImpZwUnmapViewOfSection(ZwCurrentProcess(), section); if (memory_buffer) ImpExFreePoolWithTag(memory_buffer, POOL_TAG_INTEGRITY); if (memory_hash) ImpExFreePoolWithTag(memory_hash, POOL_TAG_INTEGRITY); if (disk_buffer) ImpExFreePoolWithTag(disk_buffer, POOL_TAG_INTEGRITY); if (disk_hash) ImpExFreePoolWithTag(disk_hash, POOL_TAG_INTEGRITY); return status; } /* * TODO: Query PhysicalDrive%n to get the serial numbers for all harddrives, can use the command * "wmic diskdrive" check in console. */ NTSTATUS GetHardDiskDriveSerialNumber(_Inout_ PVOID ConfigDrive0Serial, _In_ SIZE_T ConfigDrive0MaxSize) { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; HANDLE handle = NULL; OBJECT_ATTRIBUTES attributes = {0}; IO_STATUS_BLOCK status_block = {0}; STORAGE_PROPERTY_QUERY storage_property = {0}; STORAGE_DESCRIPTOR_HEADER storage_descriptor_header = {0}; PSTORAGE_DEVICE_DESCRIPTOR device_descriptor = NULL; UNICODE_STRING physical_drive_path = {0}; PCHAR serial_number = NULL; SIZE_T serial_length = 0; ImpRtlInitUnicodeString(&physical_drive_path, L"\\DosDevices\\PhysicalDrive0"); /* * No need to use the flag OBJ_FORCE_ACCESS_CHECK since we arent passing a handle given * to us from usermode. */ InitializeObjectAttributes(&attributes, &physical_drive_path, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); status = ImpZwOpenFile(&handle, GENERIC_READ, &attributes, &status_block, NULL, NULL); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ZwOpenFile on PhysicalDrive0 failed with status %x", status); goto end; } storage_property.PropertyId = StorageDeviceProperty; storage_property.QueryType = PropertyStandardQuery; status = ImpZwDeviceIoControlFile(handle, NULL, NULL, NULL, &status_block, IOCTL_STORAGE_QUERY_PROPERTY, &storage_property, sizeof(STORAGE_PROPERTY_QUERY), &storage_descriptor_header, sizeof(STORAGE_DESCRIPTOR_HEADER)); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ZwDeviceIoControlFile first call failed with status %x", status); goto end; } device_descriptor = ImpExAllocatePool2( POOL_FLAG_NON_PAGED, storage_descriptor_header.Size, POOL_TAG_INTEGRITY); if (!device_descriptor) { status = STATUS_MEMORY_NOT_ALLOCATED; goto end; } status = ImpZwDeviceIoControlFile(handle, NULL, NULL, NULL, &status_block, IOCTL_STORAGE_QUERY_PROPERTY, &storage_property, sizeof(STORAGE_PROPERTY_QUERY), device_descriptor, storage_descriptor_header.Size); if (!NT_SUCCESS(status)) { DEBUG_ERROR("ZwDeviceIoControlFile second call failed with status %x", status); goto end; } if (device_descriptor->SerialNumberOffset > 0) { serial_number = (PCHAR)((UINT64)device_descriptor + device_descriptor->SerialNumberOffset); serial_length = strnlen_s(serial_number, DEVICE_DRIVE_0_SERIAL_CODE_LENGTH) + 1; if (serial_length > ConfigDrive0MaxSize) { DEBUG_ERROR( "Serial length is greater then the allocated buffer size for the drives serial number."); status = STATUS_BUFFER_TOO_SMALL; goto end; } RtlCopyMemory(ConfigDrive0Serial, serial_number, serial_length); DEBUG_VERBOSE("Successfully retrieved hard disk serial number."); } end: if (handle) ImpZwClose(handle); if (device_descriptor) ImpExFreePoolWithTag(device_descriptor, POOL_TAG_INTEGRITY); return status; } // VOID // EnumeratePciDevices() //{ // NTSTATUS status; // PZZWSTR device_interfaces; // PWSTR list_base; // DEVPROPKEY key = { 0 }; // UNICODE_STRING symbolic_link = { 0 }; // WCHAR device_id[ 512 ]; // PZZWSTR current_string = NULL; // SIZE_T string_length = 0; // // /* PCI guid */ // CONST GUID guid = { 0x5b45201d, 0xf2f2, 0x4f3b, 0x85, 0xbb, 0x30, 0xff, 0x1f, 0x95, 0x35, // 0x99 }; // // status = IoGetDeviceInterfaces( // &guid, // NULL, // NULL, // &device_interfaces // ); // // if ( !NT_SUCCESS( status ) ) // { // DEBUG_VERBOSE( "IoGetDeviceInterfaces failed with status %x", status ); // return; // } // // current_string = device_interfaces; // // while ( *current_string != NULL_TERMINATOR ) // { // string_length = wcslen( current_string ); // // symbolic_link.Buffer = current_string; // symbolic_link.Length = string_length; // symbolic_link.MaximumLength = string_length; // // DEBUG_VERBOSE( "Device Interface: %wZ", symbolic_link ); // // current_string += symbolic_link.Length + 1; // } // // ImpExFreePoolWithTag( device_interfaces, NULL ); // } PVOID ScanForSignature(_In_ PVOID BaseAddress, _In_ SIZE_T MaxLength, _In_ LPCSTR Signature, _In_ SIZE_T SignatureLength) { PAGED_CODE(); CHAR current_char = 0; CHAR current_sig_char = 0; for (INT index = 0; index < MaxLength; index++) { for (INT sig_index = 0; sig_index < SignatureLength + 1; sig_index++) { current_char = *(PCHAR)((UINT64)BaseAddress + index + sig_index); current_sig_char = Signature[sig_index]; if (sig_index == SignatureLength) return (PVOID)((UINT64)BaseAddress + index); if (current_char != current_sig_char) break; } } return NULL; } /* * Lets ensure to the compiler doens't optimise out our useless instructions... */ #pragma optimize("", off) STATIC UINT64 MeasureInstructionRead(_In_ PVOID InstructionAddress) { CONST UINT64 start = __readmsr(IA32_APERF_MSR) << 32; CHAR value = *(PCHAR)InstructionAddress; return (__readmsr(IA32_APERF_MSR) << 32) - start; } #pragma optimize("", on) STATIC UINT64 MeasureReads(_In_ PVOID Address, _In_ ULONG Count) { UINT64 read_average = 0; UINT64 old_irql = 0; MeasureInstructionRead(Address); old_irql = __readcr8(); __writecr8(HIGH_LEVEL); _disable(); for (ULONG iteration = 0; iteration < Count; iteration++) read_average += MeasureInstructionRead(Address); _enable(); __writecr8(old_irql); DEBUG_VERBOSE("EPT Detection - Read Average: %llx", read_average); return read_average / Count; } #define EPT_CHECK_NUM_ITERATIONS 30 #define EPT_CONTROL_FUNCTIONS_COUNT 4 #define EPT_PROTECTED_FUNCTIONS_COUNT 2 #define EPT_MAX_FUNCTION_NAME_LENGTH 128 #define EPT_EXECUTION_TIME_MULTIPLIER 10 /* * Even though we test for the presence of a hypervisor, we should still test for the presence * of EPT hooks on key functions as this is a primary method for reversing AC's. * * Credits to momo5502 for the idea: https://momo5502.com/blog/?p=255 * * [+] EPT: Read average: 14991c28f5c2 * [+] no EPT: Read average: 28828f5c28 * * On average a read when HyperDbg's !epthook is active is around ~125x longer. Will need to * continue testing with other HV's, however it is a good start. */ STATIC NTSTATUS GetAverageReadTimeAtRoutine(_In_ PVOID RoutineAddress, _Out_ PUINT64 AverageTime) { if (!RoutineAddress || !AverageTime) return STATUS_UNSUCCESSFUL; *AverageTime = MeasureReads(RoutineAddress, EPT_CHECK_NUM_ITERATIONS); return *AverageTime == 0 ? STATUS_UNSUCCESSFUL : STATUS_SUCCESS; } /* * todo: encrypt both arrays * * The goal with the control functions is to find a reference time for an average read on a * function that is not EPT hooked. To accomplish this I've selected some arbitrary, rarely * used functions that shouldn't really ever have an EPT hook active on them. This will give * us a baseline that we can then average out to find a relatively accurate average read time. * * From here, we have an array of protected functions which are commonly hooked via EPT to * reverse anti cheats. We then check the read times of these functions and compare them to * the average of the read times for the control functions. If the read threshold exceeds a * multiple of 10, we can be fairly certain an EPT hook is active. * * Each time we measure the read we perform 30 iterations to ensure we get a consistent result * aswell as disabling interrupts + raising IRQL to ensure the test is as accurate as possible. * * The following open source Intel VT-X hv's w/ EPT functionality have been tested and detected * in a non vm environment: * * HyperDbg !epthook (https://github.com/HyperDbg/HyperDbg): detected * DdiMon (https://github.com/tandasat/DdiMon): detected */ WCHAR CONTROL_FUNCTIONS[EPT_CONTROL_FUNCTIONS_COUNT][EPT_MAX_FUNCTION_NAME_LENGTH] = { L"RtlAssert", L"PsAcquireSiloHardReference", L"PsDereferencePrimaryToken", L"ZwCommitEnlistment"}; WCHAR PROTECTED_FUNCTIONS[EPT_PROTECTED_FUNCTIONS_COUNT][EPT_MAX_FUNCTION_NAME_LENGTH] = { L"ExAllocatePoolWithTag", L"MmCopyMemory"}; /* * For whatever reason MmGetSystemRoutineAddress only works once, then every call * thereafter fails. So will be storing the routine addresses in arrays since they * dont change once the kernel is loaded. */ UINT64 CONTROL_FUNCTION_ADDRESSES[EPT_CONTROL_FUNCTIONS_COUNT] = {0}; UINT64 PROTECTED_FUNCTION_ADDRESSES[EPT_PROTECTED_FUNCTIONS_COUNT] = {0}; STATIC NTSTATUS InitiateEptFunctionAddressArrays() { PAGED_CODE(); UNICODE_STRING current_function; for (INT index = 0; index < EPT_CONTROL_FUNCTIONS_COUNT; index++) { ImpRtlInitUnicodeString(¤t_function, CONTROL_FUNCTIONS[index]); CONTROL_FUNCTION_ADDRESSES[index] = ImpMmGetSystemRoutineAddress(¤t_function); if (!CONTROL_FUNCTION_ADDRESSES[index]) return STATUS_UNSUCCESSFUL; } for (INT index = 0; index < EPT_PROTECTED_FUNCTIONS_COUNT; index++) { ImpRtlInitUnicodeString(¤t_function, CONTROL_FUNCTIONS[index]); PROTECTED_FUNCTION_ADDRESSES[index] = ImpMmGetSystemRoutineAddress(¤t_function); if (!PROTECTED_FUNCTION_ADDRESSES[index]) return STATUS_UNSUCCESSFUL; } return STATUS_SUCCESS; } NTSTATUS DetectEptHooksInKeyFunctions() { PAGED_CODE(); NTSTATUS status = STATUS_UNSUCCESSFUL; UINT32 control_fails = 0; UINT64 instruction_time = 0; UINT64 control_time_sum = 0; UINT64 control_average = 0; /* todo: once we call this, we need to set a flag to skip this, otherwise we just return * early */ status = InitiateEptFunctionAddressArrays(); if (!NT_SUCCESS(status)) { DEBUG_ERROR("InitiateEptFunctionAddressArrays failed with status %x", status); return status; } for (INT index = 0; index < EPT_CONTROL_FUNCTIONS_COUNT; index++) { status = GetAverageReadTimeAtRoutine(CONTROL_FUNCTION_ADDRESSES[index], &instruction_time); if (!NT_SUCCESS(status)) { DEBUG_ERROR("DetectEptPresentOnFunction failed with status %x", status); control_fails += 1; continue; } control_time_sum += instruction_time; } if (control_time_sum == 0) return STATUS_UNSUCCESSFUL; control_average = control_time_sum / (EPT_CONTROL_FUNCTIONS_COUNT - control_fails); if (control_average == 0) return STATUS_UNSUCCESSFUL; for (INT index = 0; index < EPT_PROTECTED_FUNCTIONS_COUNT; index++) { status = GetAverageReadTimeAtRoutine(PROTECTED_FUNCTION_ADDRESSES[index], &instruction_time); if (!NT_SUCCESS(status)) { DEBUG_ERROR("DetectEptPresentOnFunction failed with status %x", status); continue; } /* [+] EPT hook detected at function: ExAllocatePoolWithTag with execution time of: * 149b7777777 */ if (control_average * EPT_EXECUTION_TIME_MULTIPLIER < instruction_time) { DEBUG_WARNING( "EPT hook detected at function: %llx with execution time of: %llx", PROTECTED_FUNCTION_ADDRESSES[index], instruction_time); /* close game etc. */ } else { DEBUG_INFO("No ept hook detected at function: %llx", PROTECTED_FUNCTION_ADDRESSES[index]); } } return status; } STATIC VOID FindWinLogonProcess(_In_ PPROCESS_LIST_ENTRY Entry, _In_opt_ PVOID Context) { LPCSTR process_name = NULL; PEPROCESS* process = (PEPROCESS*)Context; if (!Context) return; process_name = ImpPsGetProcessImageFileName(Entry->process); if (!strcmp(process_name, "winlogon.exe")) { DEBUG_VERBOSE("32 bit WinLogon.exe process found at address: %llx", (UINT64)Entry->process); *process = Entry->process; } } NTSTATUS HashModule(_In_ PRTL_MODULE_EXTENDED_INFO Module, _Out_ PVOID Hash) { NTSTATUS status = STATUS_UNSUCCESSFUL; ANSI_STRING ansi_string = {0}; UNICODE_STRING path = {0}; ULONG memory_text_size = 0; PVOID memory_hash = NULL; ULONG memory_hash_size = 0; PVAL_INTEGRITY_HEADER memory_buffer = NULL; ULONG memory_buffer_size = 0; PEPROCESS process = NULL; KAPC_STATE apc_state = {0}; ImpRtlInitAnsiString(&ansi_string, Module->FullPathName); if (!ansi_string.Buffer) { DEBUG_ERROR("RtlInitAnsiString failed with status %x", status); return; } status = ImpRtlAnsiStringToUnicodeString(&path, &ansi_string, TRUE); if (!NT_SUCCESS(status)) { DEBUG_ERROR("RtlAnsiStringToUnicodeString failed with status %x", status); goto end; } /* * For win32k and related modules, because they are 32bit for us to read the * memory we need to attach to a 32 bit process. A simple check is that the * 32 bit image base wont be a valid address, while this is hacky it works. * Then we simply attach to a 32 bit address space, in our case winlogon, * which will allow us to perform the copy. */ if (!ImpMmIsAddressValid(Module->ImageBase)) { // DEBUG_VERBOSE("Win32k related module found, acquiring 32 bit address space..."); // EnumerateProcessListWithCallbackRoutine(FindWinLogonProcess, &process); // if (!process) // goto end; // ImpKeStackAttachProcess(process, &apc_state); // status = StoreModuleExecutableRegionsInBuffer((PVOID)&memory_buffer, // Module->ImageBase, // Module->ImageSize, // &memory_buffer_size); // ImpKeUnstackDetachProcess(&apc_state); status = STATUS_INVALID_IMAGE_WIN_32; goto end; } else { status = StoreModuleExecutableRegionsInBuffer((PVOID)&memory_buffer, Module->ImageBase, Module->ImageSize, &memory_buffer_size); } if (!NT_SUCCESS(status)) { DEBUG_ERROR("StoreModuleExecutableRegionsInbuffer 2 failed with status %x", status); goto end; } status = ComputeHashOfBuffer(memory_buffer->section_base, memory_buffer->section_header.SizeOfRawData, &memory_hash, &memory_hash_size); if (!NT_SUCCESS(status)) { DEBUG_VERBOSE("ComputeHashOfSections failed with status %x", status); goto end; } RtlCopyMemory(Hash, memory_hash, memory_hash_size); end: if (memory_buffer) ImpExFreePoolWithTag(memory_buffer, POOL_TAG_INTEGRITY); if (memory_hash) ImpExFreePoolWithTag(memory_hash, POOL_TAG_INTEGRITY); if (path.Buffer) ImpRtlFreeUnicodeString(&path); return status; } VOID ValidateSystemModule(_In_ PRTL_MODULE_EXTENDED_INFO Module) { NTSTATUS status = STATUS_UNSUCCESSFUL; PDRIVER_LIST_ENTRY entry = NULL; PVOID hash = NULL; hash = ExAllocatePool2(POOL_FLAG_NON_PAGED, 32, POOL_TAG_INTEGRITY); if (!hash) return; FindDriverEntryByBaseAddress(Module->ImageBase, &entry); if (!entry) { DEBUG_ERROR("FindDriverEntryByBaseAddress failed with no status"); goto end; } status = HashModule(Module, hash); if (!NT_SUCCESS(status)) { DEBUG_ERROR("HashModule failed with status %x", status); goto end; } if (CompareHashes(hash, entry->text_hash, sizeof(entry->text_hash))) DEBUG_VERBOSE("Module: %s text regions are valid.", Module->FullPathName); else DEBUG_WARNING("**!!** Module: %s text regions are not valid **!!**", Module->FullPathName); end: if (hash) ExFreePoolWithTag(hash, POOL_TAG_INTEGRITY); } NTSTATUS ValidateOurDriverImage() { NTSTATUS status = STATUS_UNSUCCESSFUL; LPCSTR driver_name = NULL; UNICODE_STRING path = {0}; SYSTEM_MODULES modules = {0}; PRTL_MODULE_EXTENDED_INFO module_info = NULL; PVOID section = NULL; HANDLE section_handle = NULL; ULONG section_size = 0; PVAL_INTEGRITY_HEADER disk_buffer = NULL; ULONG disk_buffer_size = 0; PVOID disk_hash = NULL; ULONG disk_hash_size = 0; ULONG memory_text_size = 0; PVOID memory_hash = NULL; ULONG memory_hash_size = 0; PVAL_INTEGRITY_HEADER memory_buffer = NULL; ULONG memory_buffer_size = 0; GetDriverPath(&path); GetDriverName(&driver_name); if (!driver_name) { DEBUG_ERROR("GetDriverName failed with no status"); return status; } status = GetSystemModuleInformation(&modules); if (!NT_SUCCESS(status)) { DEBUG_ERROR("GetSystemModuleInformation failed with status %x", status); return status; } module_info = FindSystemModuleByName(driver_name, &modules); if (!module_info) { DEBUG_ERROR("FindSystemModuleByName failed with no status."); goto end; } /* here we need to map our disk image, like the previous integ checks */ status = MapDiskImageIntoVirtualAddressSpace(§ion_handle, §ion, &path, §ion_size); if (!NT_SUCCESS(status)) { DEBUG_ERROR("MapDiskImageIntoVirtualAddressSpace failed with status %x", status); goto end; } status = StoreModuleExecutableRegionsInBuffer( (PVOID)&disk_buffer, section, section_size, &disk_buffer_size); if (!NT_SUCCESS(status)) { DEBUG_ERROR("StoreModuleExecutableRegionsInBuffer failed with status %x", status); goto end; } status = StoreModuleExecutableRegionsInBuffer((PVOID)&memory_buffer, module_info->ImageBase, module_info->ImageSize, &memory_buffer_size); if (!NT_SUCCESS(status)) { DEBUG_ERROR("StoreModuleExecutableRegionsInBuffer 2 failed with status %x", status); goto end; } status = ComputeHashOfSections(&memory_buffer->section_header, &disk_buffer->section_header, &disk_hash, &disk_hash_size, &memory_hash, &memory_hash_size); if (!NT_SUCCESS(status)) { DEBUG_VERBOSE("ComputeHashOfSections failed with status %x", status); goto end; } /* * Since we don't pass a return value, I think we would raise an invalid module error and * stop the users game session ? since module .text section error would be a large red flag */ if (CompareHashes(disk_hash, memory_hash, memory_hash_size)) DEBUG_VERBOSE("Driver image is valid. Integrity check complete"); else DEBUG_WARNING("Drive image is NOT valid. !!!"); end: if (memory_buffer) ExFreePoolWithTag(memory_buffer, POOL_TAG_INTEGRITY); if (disk_buffer) ExFreePoolWithTag(disk_buffer, POOL_TAG_INTEGRITY); if (memory_hash) ExFreePoolWithTag(memory_hash, POOL_TAG_INTEGRITY); if (disk_hash) ExFreePoolWithTag(disk_hash, POOL_TAG_INTEGRITY); if (section_handle) ZwClose(section_handle); if (section) ZwUnmapViewOfSection(ZwCurrentProcess(), section); if (modules.address) ExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL); return status; } STATIC VOID SystemModuleVerificationDispatchFunction(_In_ PDEVICE_OBJECT DeviceObject, _In_ PSYS_MODULE_VAL_CONTEXT Context) { InterlockedIncrement(&Context->active_thread_count); LONG count = InterlockedExchange(&Context->current_count, Context->current_count); LONG max = count + Context->block_size; for (; count < max && count < Context->total_count; count++) { if (!InterlockedCompareExchange( &Context->dispatcher_info[count].validated, TRUE, FALSE)) { ValidateSystemModule(&Context->module_info[count]); } } if (count == Context->total_count) InterlockedExchange(&Context->complete, TRUE); InterlockedExchange(&Context->current_count, count); InterlockedDecrement(&Context->active_thread_count); } #define VALIDATION_BLOCK_SIZE 25 /* * Multithreaded delayed priority work items improve 1% lows by 25% and reduces average PC latency * by 10% compared to traditional multithreading. This is important as having high average fps but * low 1% lows just leads to stuttery gameplay which in competitive multiplayer games is simply not * alright. Overall still room for improvement but from a statistical and feel standpoint which the * gameplay is much smoother (tested in cs2). * * A potential idea for further improvement is finding the cores with the least cpu usages and * setting the worker threads affinity accordingly. */ STATIC NTSTATUS InitialiseSystemModuleVerificationContext(PSYS_MODULE_VAL_CONTEXT Context) { NTSTATUS status = STATUS_UNSUCCESSFUL; SYSTEM_MODULES modules = {0}; PMODULE_DISPATCHER_HEADER dispatcher_array = NULL; status = GetSystemModuleInformation(&modules); if (!NT_SUCCESS(status)) { DEBUG_ERROR("GetSystemModuleInformation failed with status %x", status); return status; } DEBUG_VERBOSE("driver count: %lx", modules.module_count); dispatcher_array = ImpExAllocatePool2(POOL_FLAG_NON_PAGED, modules.module_count * sizeof(MODULE_DISPATCHER_HEADER), POOL_TAG_INTEGRITY); if (!dispatcher_array) { ImpExFreePoolWithTag(modules.address, SYSTEM_MODULES_POOL); return STATUS_MEMORY_NOT_ALLOCATED; } Context->active_thread_count = 0; Context->active = TRUE; Context->complete = FALSE; Context->dispatcher_info = dispatcher_array; Context->module_info = modules.address; Context->total_count = modules.module_count; Context->block_size = VALIDATION_BLOCK_SIZE; /* skip hal.dll and ntosrnl.exe */ Context->current_count = 2; return status; } VOID FreeWorkItems(_In_ PSYS_MODULE_VAL_CONTEXT Context) { for (INT index = 0; index < VERIFICATION_THREAD_COUNT; index++) { if (Context->work_items[index]) { ImpIoFreeWorkItem(Context->work_items[index]); Context->work_items[index] = NULL; } } } STATIC VOID FreeModuleVerificationItems(_In_ PSYS_MODULE_VAL_CONTEXT Context) { /* if a thread hasnt completed by this point, something catastrophic has gone wrong and * maybe its better not to yield..*/ while (Context->active_thread_count) YieldProcessor(); if (Context->module_info) { ImpExFreePoolWithTag(Context->module_info, SYSTEM_MODULES_POOL); Context->module_info = NULL; } if (Context->dispatcher_info) { ImpExFreePoolWithTag(Context->dispatcher_info, POOL_TAG_INTEGRITY); Context->dispatcher_info = NULL; } } VOID CleanupValidationContextOnUnload(_In_ PSYS_MODULE_VAL_CONTEXT Context) { Context->active = FALSE; Context->complete = TRUE; FreeWorkItems(Context); FreeModuleVerificationItems(Context); } NTSTATUS SystemModuleVerificationDispatcher() { NTSTATUS status = STATUS_UNSUCCESSFUL; PSYS_MODULE_VAL_CONTEXT context = NULL; PIO_WORKITEM work_item = NULL; GetSystemModuleValidationContext(&context); if (context->complete) { DEBUG_VERBOSE("System modules integrity check complete. Freeing items."); context->active = FALSE; context->complete = FALSE; FreeModuleVerificationItems(context); FreeWorkItems(context); return STATUS_SUCCESS; } if (!context->active) { DEBUG_VERBOSE("Context not active, generating new one"); status = InitialiseSystemModuleVerificationContext(context); if (!NT_SUCCESS(status)) { DEBUG_ERROR( "InitialiseSystemModuleVerificationContext failed with status %x", status); return status; } } else { FreeWorkItems(context); } for (INT index = 0; index < VERIFICATION_THREAD_COUNT; index++) { work_item = ImpIoAllocateWorkItem(GetDriverDeviceObject()); if (!work_item) continue; ImpIoQueueWorkItem( work_item, SystemModuleVerificationDispatchFunction, DelayedWorkQueue, context); context->work_items[index] = work_item; } DEBUG_VERBOSE("All worker threads dispatched for system module validation."); return STATUS_SUCCESS; } NTSTATUS GetOsVersionInformation(_Out_ PRTL_OSVERSIONINFOW VersionInfo) { NTSTATUS status = STATUS_ABANDONED; RTL_OSVERSIONINFOW info = {0}; if (!VersionInfo) return STATUS_INVALID_PARAMETER; status = ImpRtlGetVersion(&info); if (!NT_SUCCESS(status)) { DEBUG_ERROR("RtlGetVersion failed with status %x", status); return status; } VersionInfo->dwBuildNumber = info.dwBuildNumber; VersionInfo->dwMajorVersion = info.dwMajorVersion; VersionInfo->dwMinorVersion = info.dwMinorVersion; VersionInfo->dwOSVersionInfoSize = info.dwOSVersionInfoSize; VersionInfo->dwPlatformId = info.dwPlatformId; RtlCopyMemory( VersionInfo->szCSDVersion, info.szCSDVersion, sizeof(VersionInfo->szCSDVersion)); return status; } #define KPCR_KPRCB_OFFSET 0x180 #define KPCRB_IDLE_THREAD_OFFSET 0x018 #define KTHREAD_IDLE_TIME_OFFSET 0x28c #define KPCRB_KERNEL_TIME_OFFSET 0x7e84 #define KPCRB_USER_TIME_OFFSET 0x7e88 UINT32 CalculateCpuCoreUsage(_In_ UINT32 Core) { PVOID kpcr = NULL; PVOID kpcrb = NULL; PVOID idle_thread = NULL; UINT32 idle_time = 0; UINT32 kernel_time = 0; UINT32 user_time = 0; KeSetSystemAffinityThread(1ull << Core); while (Core != KeGetCurrentProcessorNumber()) YieldProcessor(); kpcr = __readmsr(IA32_GS_BASE); kpcrb = (UINT64)kpcr + KPCR_KPRCB_OFFSET; idle_thread = *(UINT64*)((UINT64)kpcrb + KPCRB_IDLE_THREAD_OFFSET); idle_time = *(UINT32*)((UINT64)idle_thread + KTHREAD_IDLE_TIME_OFFSET); kernel_time = *(UINT32*)((UINT64)kpcrb + KPCRB_KERNEL_TIME_OFFSET); user_time = *(UINT32*)((UINT64)kpcrb + KPCRB_USER_TIME_OFFSET); return (100 - (UINT32)(UInt32x32To64(idle_time, 100) / (UINT64)(kernel_time + user_time))); }