#include "driver.h" #include "common.h" #include "ioctl.h" #include "callbacks.h" #include "hv.h" #include "pool.h" #include "thread.h" #include "modules.h" #include "integrity.h" /* * This structure is strictly for driver related stuff * that should only be written at driver entry. * * Note that the lock isnt really needed here but Im using one * just in case c: */ #define MAXIMUM_APC_CONTEXTS 10 typedef struct _DRIVER_CONFIG { UNICODE_STRING unicode_driver_name; ANSI_STRING ansi_driver_name; UNICODE_STRING device_name; UNICODE_STRING device_symbolic_link; UNICODE_STRING driver_path; UNICODE_STRING registry_path; SYSTEM_INFORMATION system_information; PVOID apc_contexts[ MAXIMUM_APC_CONTEXTS ]; KGUARDED_MUTEX lock; }DRIVER_CONFIG, * PDRIVER_CONFIG; /* * This structure can change at anytime based on whether * the target process to protect is open / closed / changes etc. */ typedef struct _PROCESS_CONFIG { BOOLEAN initialised; LONG um_handle; LONG km_handle; PEPROCESS protected_process_eprocess; KGUARDED_MUTEX lock; }PROCESS_CONFIG, * PPROCESS_CONFIG; DRIVER_CONFIG driver_config = { 0 }; PROCESS_CONFIG process_config = { 0 }; /* * The driver config structure holds an array of pointers to APC context structures. These * APC context structures are unique to each APC operation that this driver will perform. For * example, a single context will manage all APCs that are used to stackwalk, whilst another * context will be used to manage all APCs used to query a threads memory for example. * * Due to the nature of APCs, its important to keep a total or count of the number of APCs we * have allocated and queued to threads. This information is stored in the APC_CONTEXT_HEADER which * all APC context structures will contain as the first entry in their structure. It holds the ContextId * which is a unique identifier for the type of APC operation it is managing aswell as the number of * currently queued APCs. * * When an APC is allocated a queued, we increment this count. When an APC is completed and freed, we * decrement this counter and free the APC itself. If all APCs have been freed and the counter is 0,the * following objects will be freed: * * 1. Any additional allocations used by the APC stored in the context structure * 2. The APC context structure for the given APC operation * 3. The APC context entry in driver_config->apc_contexts will be zero'd. * * It's important to remember that the driver can unload when pending APC's have not been freed due to the * limitations windows places on APCs, however I am in the process of finding a solution for this. */ STATIC VOID FreeAllApcContextStructures() { KeAcquireGuardedMutex( &driver_config.lock ); for ( INT index = 0; index < MAXIMUM_APC_CONTEXTS; index++ ) { PUINT64 entry = driver_config.apc_contexts; if ( entry[ index ] != NULL ) { ExFreePoolWithTag( entry, POOL_TAG_APC ); } } unlock: KeReleaseGuardedMutex( &driver_config.lock ); } /* * No need to hold the lock here as the thread freeing the APCs will * already hold the configuration lock. We also dont want to release and * reclaim the lock before calling this function since we need to ensure * we hold the lock during the entire decrement and free process. */ STATIC BOOLEAN FreeApcContextStructure( _Inout_ PAPC_CONTEXT_HEADER Context ) { BOOLEAN result = FALSE; DEBUG_LOG( "All APCs executed, freeing context structure" ); for ( INT index = 0; index < MAXIMUM_APC_CONTEXTS; index++ ) { PUINT64 entry = driver_config.apc_contexts; if ( entry[ index ] == Context ) { if ( Context->count != 0 ) goto unlock; ExFreePoolWithTag( Context, POOL_TAG_APC ); entry[ index ] = NULL; result = TRUE; goto unlock; } } unlock: return result; } VOID IncrementApcCount( _In_ LONG ContextId ) { PAPC_CONTEXT_HEADER header = NULL; GetApcContext( &header, ContextId ); if ( !header ) return; KeAcquireGuardedMutex( &driver_config.lock ); header->count += 1; KeReleaseGuardedMutex( &driver_config.lock ); } VOID FreeApcAndDecrementApcCount( _In_ PRKAPC Apc, _In_ LONG ContextId ) { PAPC_CONTEXT_HEADER context = NULL; ExFreePoolWithTag( Apc, POOL_TAG_APC ); GetApcContext( &context, ContextId ); if ( !context ) goto end; KeAcquireGuardedMutex( &driver_config.lock ); context->count -= 1; end: KeReleaseGuardedMutex( &driver_config.lock ); } /* * The reason we use a query model rather then checking the count of queued APCs * after each APC free and decrement is that the lock will be recursively acquired by * freeing threads (i.e executing APCs) rather then APC allocation threads. The reason for this * being that freeing threads are executing at a higher IRQL then the APC allocation * thread, hence they are granted higher priority by the scheduler when determining * which thread will accquire the lock next: * * [+] Freeing thread -> ApcKernelRoutine IRQL: 1 (APC_LEVEL) * [+] Allocation thread -> ValidateThreadViaKernelApcCallback IRQL: 0 (PASSIVE_LEVEL) * * As a result, once an APC is executed and reaches the freeing stage, it will acquire the * lock and decrement it. Then, if atleast 1 APC execution thread is waiting on the lock, * it will be prioritised due to its higher IRQL and the cycle will continue. Eventually, * the count will reach 0 due to recursive acquisition by the executing APC threads and then * the function will free the APC context structure. This will then cause a bug check the next * time a thread accesses the context structure and hence not good :c. * * So to combat this, we add in a flag specifying whether or not an allocation of APCs is * in progress, and even if the count is 0 we will not free the context structure until * the count is 0 and allocation_in_progress is 0. We can then call this function alongside * other query callbacks via IOCTL to constantly monitor the status of open APC contexts. */ NTSTATUS QueryActiveApcContextsForCompletion() { for ( INT index = 0; index < MAXIMUM_APC_CONTEXTS; index++ ) { PAPC_CONTEXT_HEADER entry = NULL; GetApcContextByIndex( &entry, index ); /* acquire mutex after we get the context to prevent thread deadlock */ KeAcquireGuardedMutex( &driver_config.lock ); if ( entry == NULL ) { KeReleaseGuardedMutex( &driver_config.lock ); continue; } DEBUG_LOG( "APC Context Id: %lx", entry->context_id ); DEBUG_LOG( "Active APC Count: %i", entry->count ); if ( entry->count > 0 || entry->allocation_in_progress == TRUE ) { KeReleaseGuardedMutex( &driver_config.lock ); continue; } switch ( entry->context_id ) { case APC_CONTEXT_ID_STACKWALK: FreeApcStackwalkApcContextInformation( entry ); FreeApcContextStructure( entry ); break; } KeReleaseGuardedMutex( &driver_config.lock ); } return STATUS_SUCCESS; } VOID InsertApcContext( _In_ PVOID Context ) { KeAcquireGuardedMutex( &driver_config.lock ); PAPC_CONTEXT_HEADER header = Context; for ( INT index = 0; index < MAXIMUM_APC_CONTEXTS; index++ ) { PUINT64 entry = driver_config.apc_contexts; if ( entry[ index ] == NULL ) { entry[ index ] = Context; goto end; } } end: KeReleaseGuardedMutex( &driver_config.lock ); } VOID GetApcContext( _Inout_ PVOID* Context, _In_ LONG ContextIdentifier ) { KeAcquireGuardedMutex( &driver_config.lock ); for ( INT index = 0; index < MAXIMUM_APC_CONTEXTS; index++ ) { PAPC_CONTEXT_HEADER header = driver_config.apc_contexts[ index ]; if ( header == NULL ) continue; if ( header->context_id == ContextIdentifier ) { *Context = header; goto unlock; } } unlock: KeReleaseGuardedMutex( &driver_config.lock ); } VOID GetApcContextByIndex( _Inout_ PVOID* Context, _In_ INT Index ) { KeAcquireGuardedMutex( &driver_config.lock ); *Context = driver_config.apc_contexts[ Index ]; KeReleaseGuardedMutex( &driver_config.lock ); } VOID ReadProcessInitialisedConfigFlag( _Out_ PBOOLEAN Flag ) { if ( Flag == NULL ) return; KeAcquireGuardedMutex( &process_config.lock ); *Flag = process_config.initialised; KeReleaseGuardedMutex( &process_config.lock ); } VOID GetProtectedProcessEProcess( _Out_ PEPROCESS* Process ) { if ( Process == NULL ) return; KeAcquireGuardedMutex( &process_config.lock ); *Process = process_config.protected_process_eprocess; KeReleaseGuardedMutex( &process_config.lock ); } VOID GetProtectedProcessId( _Out_ PLONG ProcessId ) { KeAcquireGuardedMutex( &process_config.lock ); RtlZeroMemory( ProcessId, sizeof( LONG ) ); *ProcessId = process_config.km_handle; KeReleaseGuardedMutex( &process_config.lock ); } VOID ClearProcessConfigOnProcessTermination() { DEBUG_LOG( "Process closed, clearing driver process_configuration" ); KeAcquireGuardedMutex( &process_config.lock ); process_config.km_handle = NULL; process_config.um_handle = NULL; process_config.protected_process_eprocess = NULL; process_config.initialised = FALSE; KeReleaseGuardedMutex( &process_config.lock ); } VOID GetDriverName( _Out_ LPCSTR* DriverName ) { if ( DriverName == NULL ) return; KeAcquireGuardedMutex( &driver_config.lock ); *DriverName = driver_config.ansi_driver_name.Buffer; KeReleaseGuardedMutex( &driver_config.lock ); } VOID GetDriverPath( _Out_ PUNICODE_STRING DriverPath ) { KeAcquireGuardedMutex( &driver_config.lock ); RtlZeroMemory( DriverPath, sizeof( UNICODE_STRING ) ); RtlInitUnicodeString( DriverPath, driver_config.driver_path.Buffer ); KeReleaseGuardedMutex( &driver_config.lock ); } VOID GetDriverRegistryPath( _Out_ PUNICODE_STRING RegistryPath ) { KeAcquireGuardedMutex( &driver_config.lock ); RtlZeroMemory( RegistryPath, sizeof( UNICODE_STRING ) ); RtlCopyUnicodeString( RegistryPath, &driver_config.registry_path ); KeReleaseGuardedMutex( &driver_config.lock ); } VOID GetDriverDeviceName( _Out_ PUNICODE_STRING DeviceName ) { KeAcquireGuardedMutex( &driver_config.lock ); RtlZeroMemory( DeviceName, sizeof( UNICODE_STRING ) ); RtlCopyUnicodeString( DeviceName, &driver_config.device_name ); KeReleaseGuardedMutex( &driver_config.lock ); } VOID GetDriverSymbolicLink( _Out_ PUNICODE_STRING DeviceSymbolicLink ) { KeAcquireGuardedMutex( &driver_config.lock ); RtlZeroMemory( DeviceSymbolicLink, sizeof( UNICODE_STRING ) ); RtlCopyUnicodeString( DeviceSymbolicLink, &driver_config.device_symbolic_link ); KeReleaseGuardedMutex( &driver_config.lock ); } VOID GetDriverConfigSystemInformation( _Out_ PSYSTEM_INFORMATION* SystemInformation ) { if ( SystemInformation == NULL ) return; KeAcquireGuardedMutex( &driver_config.lock ); *SystemInformation = &driver_config.system_information; KeReleaseGuardedMutex( &driver_config.lock ); } STATIC NTSTATUS RegistryPathQueryCallbackRoutine( IN PWSTR ValueName, IN ULONG ValueType, IN PVOID ValueData, IN ULONG ValueLength, IN PVOID Context, IN PVOID EntryContext ) { UNICODE_STRING value_name; UNICODE_STRING image_path = RTL_CONSTANT_STRING( L"ImagePath" ); UNICODE_STRING display_name = RTL_CONSTANT_STRING( L"DisplayName" ); UNICODE_STRING value; PVOID temp_buffer; RtlInitUnicodeString( &value_name, ValueName ); if ( RtlCompareUnicodeString(&value_name, &image_path, FALSE) == FALSE ) { temp_buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, ValueLength, POOL_TAG_STRINGS ); if ( !temp_buffer ) return STATUS_MEMORY_NOT_ALLOCATED; RtlCopyMemory( temp_buffer, ValueData, ValueLength ); driver_config.driver_path.Buffer = (PWCH)temp_buffer; driver_config.driver_path.Length = ValueLength; driver_config.driver_path.MaximumLength = ValueLength + 1; } if ( RtlCompareUnicodeString( &value_name, &display_name, FALSE ) == FALSE ) { temp_buffer = ExAllocatePool2( POOL_FLAG_NON_PAGED, ValueLength, POOL_TAG_STRINGS ); if ( !temp_buffer ) return STATUS_MEMORY_NOT_ALLOCATED; RtlCopyMemory( temp_buffer, ValueData, ValueLength ); driver_config.unicode_driver_name.Buffer = ( PWCH )temp_buffer; driver_config.unicode_driver_name.Length = ValueLength; driver_config.unicode_driver_name.MaximumLength = ValueLength + 1; } return STATUS_SUCCESS; } STATIC VOID FreeDriverConfigurationStringBuffers() { if ( driver_config.unicode_driver_name.Buffer ) ExFreePoolWithTag( driver_config.unicode_driver_name.Buffer, POOL_TAG_STRINGS ); if ( driver_config.driver_path.Buffer ) ExFreePoolWithTag( driver_config.driver_path.Buffer, POOL_TAG_STRINGS ); if (driver_config.ansi_driver_name.Buffer ) RtlFreeAnsiString( &driver_config.ansi_driver_name ); } STATIC NTSTATUS InitialiseDriverConfigOnDriverEntry( _In_ PUNICODE_STRING RegistryPath ) { NTSTATUS status; /* 3rd page acts as a null terminator for the callback routine */ RTL_QUERY_REGISTRY_TABLE query_table[ 3 ] = { 0 }; KeInitializeGuardedMutex( &driver_config.lock ); RtlInitUnicodeString( &driver_config.device_name, L"\\Device\\DonnaAC" ); RtlInitUnicodeString( &driver_config.device_symbolic_link, L"\\??\\DonnaAC" ); RtlCopyUnicodeString( &driver_config.registry_path, RegistryPath ); query_table[ 0 ].Flags = RTL_QUERY_REGISTRY_NOEXPAND; query_table[ 0 ].Name = L"ImagePath"; query_table[ 0 ].DefaultType = REG_MULTI_SZ; query_table[ 0 ].DefaultLength = 0; query_table[ 0 ].DefaultData = NULL; query_table[ 0 ].EntryContext = NULL; query_table[ 0 ].QueryRoutine = RegistryPathQueryCallbackRoutine; query_table[ 1 ].Flags = RTL_QUERY_REGISTRY_NOEXPAND; query_table[ 1 ].Name = L"DisplayName"; query_table[ 1 ].DefaultType = REG_SZ; query_table[ 1 ].DefaultLength = 0; query_table[ 1 ].DefaultData = NULL; query_table[ 1 ].EntryContext = NULL; query_table[ 1 ].QueryRoutine = RegistryPathQueryCallbackRoutine; status = RtlxQueryRegistryValues( RTL_REGISTRY_ABSOLUTE, RegistryPath->Buffer, &query_table, NULL, NULL ); if ( !NT_SUCCESS( status ) ) { DEBUG_ERROR( "RtlxQueryRegistryValues failed with status %x", status ); FreeDriverConfigurationStringBuffers(); return status; } status = RtlUnicodeStringToAnsiString( &driver_config.ansi_driver_name, &driver_config.unicode_driver_name, TRUE ); if ( !NT_SUCCESS( status ) ) { DEBUG_ERROR( "Failed to convert unicode string to ansi string" ); FreeDriverConfigurationStringBuffers(); return status; } status = ParseSMBIOSTable( &driver_config.system_information.motherboard_serial, sizeof(driver_config.system_information.motherboard_serial) ); if ( !NT_SUCCESS( status ) ) { DEBUG_ERROR( "ParseSMBIOSTable failed with status %x", status ); FreeDriverConfigurationStringBuffers(); return status; } status = GetHardDiskDriveSerialNumber( &driver_config.system_information.drive_0_serial, sizeof( driver_config.system_information.drive_0_serial ) ); if ( !NT_SUCCESS( status ) ) { DEBUG_ERROR( "GetHardDiskDriverSerialNumber failed with status %x", status ); FreeDriverConfigurationStringBuffers(); return status; } DEBUG_LOG( "Motherboard serial: %s", driver_config.system_information.motherboard_serial ); DEBUG_LOG( "Drive 0 serial: %s", driver_config.system_information.drive_0_serial ); return status; } NTSTATUS InitialiseProcessConfigOnProcessLaunch( _In_ PIRP Irp ) { NTSTATUS status; PDRIVER_INITIATION_INFORMATION information; PEPROCESS eprocess; information = ( PDRIVER_INITIATION_INFORMATION )Irp->AssociatedIrp.SystemBuffer; status = PsLookupProcessByProcessId( information->protected_process_id, &eprocess ); if ( !NT_SUCCESS( status ) ) return status; /* * acquire the mutex here to prevent a race condition if an unknown party trys * to fuzz our IOCTL codes whilst the target process launches. */ KeAcquireGuardedMutex( &process_config.lock ); process_config.protected_process_eprocess = eprocess; process_config.um_handle = information->protected_process_id; process_config.km_handle = PsGetProcessId( eprocess ); process_config.initialised = TRUE; KeReleaseGuardedMutex( &process_config.lock ); return status; } STATIC VOID InitialiseProcessConfigOnDriverEntry() { KeInitializeGuardedMutex( &process_config.lock ); } STATIC VOID CleanupDriverConfigOnUnload() { FreeDriverConfigurationStringBuffers(); FreeGlobalReportQueueObjects(); IoDeleteSymbolicLink( &driver_config.device_symbolic_link ); } STATIC VOID DriverUnload( _In_ PDRIVER_OBJECT DriverObject ) { //PsSetCreateProcessNotifyRoutine( ProcessCreateNotifyRoutine, TRUE ); //QueryActiveApcContextsForCompletion(); //FreeAllApcContextStructures(); CleanupDriverConfigOnUnload(); IoDeleteDevice( DriverObject->DeviceObject ); } VOID TerminateProtectedProcessOnViolation() { NTSTATUS status; ULONG process_id; GetProtectedProcessId( &process_id ); if ( !process_id ) { DEBUG_ERROR( "Failed to terminate process as process id is null" ); return; } /* * Make sure we pass a km handle to ZwTerminateProcess and NOT a usermode handle. */ status = ZwTerminateProcess( process_id, STATUS_SYSTEM_INTEGRITY_POLICY_VIOLATION ); if ( !NT_SUCCESS( status ) ) { /* * We don't want to clear the process config if ZwTerminateProcess fails * so we can try again. */ DEBUG_ERROR( "ZwTerminateProcess failed with status %x", status ); return; } ClearProcessConfigOnProcessTermination(); } NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath ) { BOOLEAN flag = FALSE; NTSTATUS status; status = InitialiseDriverConfigOnDriverEntry( RegistryPath ); if ( !NT_SUCCESS( status ) ) { DEBUG_ERROR( "InitialiseDriverConfigOnDriverEntry failed with status %x", status ); return status; } InitialiseProcessConfigOnDriverEntry(); status = IoCreateDevice( DriverObject, NULL, &driver_config.device_name, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &DriverObject->DeviceObject ); if ( !NT_SUCCESS( status ) ) { DEBUG_ERROR( "IoCreateDevice failed with status %x", status ); FreeDriverConfigurationStringBuffers(); return STATUS_FAILED_DRIVER_ENTRY; } status = IoCreateSymbolicLink( &driver_config.device_symbolic_link, &driver_config.device_name ); if ( !NT_SUCCESS( status ) ) { DEBUG_ERROR( "failed to create symbolic link" ); FreeDriverConfigurationStringBuffers(); IoDeleteDevice( DriverObject->DeviceObject ); return STATUS_FAILED_DRIVER_ENTRY; } DriverObject->MajorFunction[ IRP_MJ_CREATE ] = DeviceCreate; DriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DeviceClose; DriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DeviceControl; DriverObject->DriverUnload = DriverUnload; InitialiseGlobalReportQueue(&flag); if ( !flag ) { DEBUG_ERROR( "failed to init report queue" ); FreeDriverConfigurationStringBuffers(); IoDeleteSymbolicLink( &driver_config.device_symbolic_link ); IoDeleteDevice( DriverObject->DeviceObject ); return STATUS_FAILED_DRIVER_ENTRY; } DEBUG_LOG( "DonnaAC Driver Entry Complete" ); return STATUS_SUCCESS; }