authorToni Uhlig <matzeton@googlemail.com>2019-09-24 00:17:17 +0200
committerToni Uhlig <matzeton@googlemail.com>2019-09-24 00:17:17 +0200
commitb7bb1a6a8ecfb20dd53a874a76ad87100455c98c (patch)
treee1c1cdb46596175306763586786304f2851de4a7 /MemDriverLib
parent673cec06fab76718ade9b3763b8d43daddeaeeda (diff)
added pattern checker and memory mapping method callbacks and management functions
Diffstat (limited to 'MemDriverLib')
-rw-r--r--MemDriverLib/MemDriverLib.cpp86
-rw-r--r--MemDriverLib/MemDriverLib.vcxproj2
-rw-r--r--MemDriverLib/MemDriverLib.vcxproj.filters6
-rw-r--r--MemDriverLib/PatternScanner.cpp174
4 files changed, 182 insertions, 86 deletions
diff --git a/MemDriverLib/MemDriverLib.cpp b/MemDriverLib/MemDriverLib.cpp
index e1d56d1..4244232 100644
--- a/MemDriverLib/MemDriverLib.cpp
+++ b/MemDriverLib/MemDriverLib.cpp
@@ -321,90 +321,4 @@ SendRecvReturn KInterface::RecvWait(DWORD timeout)
return SRR_TIMEOUT;
}
return SRR_ERR_UEVENT;
-}
-
-SSIZE_T KScan::KScanSimple(HANDLE targetPID, PVOID start_address, SIZE_T max_scansize,
- PVOID scanbuf, SIZE_T scanbuf_size)
-{
- ULONG_PTR max_addr;
- ULONG_PTR cur_addr = (ULONG_PTR)start_address;
- BYTE tmp_rpmbuf[SHMEM_SIZE];
- SIZE_T scan_index, processed, real_size, diff_size;
- std::vector<MEMORY_BASIC_INFORMATION> mbis;
- KERNEL_READ_REQUEST rr = { 0 };
-
- if (max_scansize < scanbuf_size)
- return -1;
- if (!KInterface::getInstance().Pages(targetPID, mbis, start_address))
- return -1;
-
- diff_size = (ULONG_PTR)start_address - (ULONG_PTR)mbis.at(0).BaseAddress;
- real_size = (mbis.at(0).RegionSize - diff_size > max_scansize ?
- max_scansize : (ULONG_PTR)mbis.at(0).RegionSize - diff_size);
- max_addr = (ULONG_PTR)start_address + real_size;
-
- while (cur_addr < max_addr) {
- if (!KInterface::getInstance().RPM(targetPID, (PVOID)cur_addr,
- tmp_rpmbuf, (sizeof tmp_rpmbuf > real_size ? real_size : sizeof tmp_rpmbuf), &rr))
- {
- break;
- }
-
- if (rr.StatusRes || rr.SizeRes < scanbuf_size)
- break;
-
- for (processed = 0, scan_index = 0; processed < rr.SizeRes; ++processed) {
- if (tmp_rpmbuf[processed] != *((BYTE*)scanbuf + scan_index)) {
- scan_index = 0;
- }
- else {
- scan_index++;
- if (scan_index == scanbuf_size) {
- return cur_addr + processed - scanbuf_size + 1;
- }
- }
- }
- cur_addr += processed;
- real_size -= processed;
- }
- return -1;
-}
-
-SSIZE_T KScan::KBinDiffSimple(HANDLE targetPID, PVOID start_address,
- BYTE *curbuf, BYTE *oldbuf, SIZE_T siz, std::vector<std::pair<SIZE_T, SIZE_T>> *diffs)
-{
- SSIZE_T scanned, diff_start;
- SIZE_T diff_size;
- KERNEL_READ_REQUEST rr = { 0 };
-
- if (!KInterface::getInstance().RPM(targetPID, start_address,
- curbuf, siz, &rr))
- {
- scanned = -1;
- }
- else scanned = rr.SizeRes;
-
- if (scanned > 0) {
- diffs->clear();
- diff_start = -1;
- diff_size = 0;
- for (SIZE_T i = 0; i < (SIZE_T)scanned; ++i) {
- if (curbuf[i] != oldbuf[i]) {
- if (diff_start < 0)
- diff_start = i;
- diff_size++;
- }
- else if (diff_start >= 0) {
- diffs->push_back(std::pair<SIZE_T, SIZE_T>
- (diff_start, diff_size));
- diff_start = -1;
- diff_size = 0;
- }
- }
- memcpy(oldbuf, curbuf, scanned);
- if ((SIZE_T)scanned < siz)
- memset(oldbuf + scanned, 0, siz - scanned);
- }
-
- return scanned;
} \ No newline at end of file
diff --git a/MemDriverLib/MemDriverLib.vcxproj b/MemDriverLib/MemDriverLib.vcxproj
index 85713f1..95042aa 100644
--- a/MemDriverLib/MemDriverLib.vcxproj
+++ b/MemDriverLib/MemDriverLib.vcxproj
@@ -156,6 +156,7 @@
<ClInclude Include="..\include\DLLHelper.h" />
<ClInclude Include="..\include\KMemDriver.h" />
<ClInclude Include="..\include\KInterface.h" />
+ <ClInclude Include="..\include\PatternScanner.h" />
<ClInclude Include="stdafx.h" />
<ClInclude Include="targetver.h" />
</ItemGroup>
@@ -163,6 +164,7 @@
<ClCompile Include="DLLHelper.cpp" />
<ClCompile Include="dllmain.cpp" />
<ClCompile Include="MemDriverLib.cpp" />
+ <ClCompile Include="PatternScanner.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
diff --git a/MemDriverLib/MemDriverLib.vcxproj.filters b/MemDriverLib/MemDriverLib.vcxproj.filters
index c69cd86..94e0b8d 100644
--- a/MemDriverLib/MemDriverLib.vcxproj.filters
+++ b/MemDriverLib/MemDriverLib.vcxproj.filters
@@ -30,6 +30,9 @@
<ClInclude Include="..\include\DLLHelper.h">
<Filter>Header Files</Filter>
</ClInclude>
+ <ClInclude Include="..\include\PatternScanner.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="stdafx.cpp">
@@ -44,5 +47,8 @@
<ClCompile Include="DLLHelper.cpp">
<Filter>Source Files</Filter>
</ClCompile>
+ <ClCompile Include="PatternScanner.cpp">
+ <Filter>Source Files</Filter>
+ </ClCompile>
</ItemGroup>
</Project> \ No newline at end of file
diff --git a/MemDriverLib/PatternScanner.cpp b/MemDriverLib/PatternScanner.cpp
new file mode 100644
index 0000000..0bfc7e5
--- /dev/null
+++ b/MemDriverLib/PatternScanner.cpp
@@ -0,0 +1,174 @@
+#include "stdafx.h"
+
+#include "DLLHelper.h"
+#include "PatternScanner.h"
+
+#include <algorithm>
+#include <stdexcept>
+#include <sstream>
+#include <string>
+#include <vector>
+#include <Windows.h>
+
+
+const struct map_file_data loadlib_data = {
+ map_file_loadlib, map_file_loadlib_cleanup, true
+};
+
+const struct map_file_data kmem_data = {
+ map_file_kmem, map_file_kmem_cleanup, false
+};
+
+bool map_file_loadlib(MODULE_DATA& module, PVOID * const buffer,
+ SIZE_T * const size, PVOID const user_ptr)
+{
+ HMODULE hMod;
+ struct loadlib_user_data * const user_data = (struct loadlib_user_data * const) user_ptr;
+
+ if (user_data) {
+ for (auto& searchDir : user_data->additionalDllSearchDirectories) {
+ AddDllDirectory(std::wstring(searchDir.begin(), searchDir.end()).c_str());
+ }
+ }
+
+ hMod = LoadLibraryA(module.FullDllPath);
+ if (!hMod) {
+ *buffer = NULL;
+ *size = 0;
+ return false;
+ }
+ else {
+ *buffer = hMod;
+ *size = module.SizeOfImage;
+ return true;
+ }
+}
+
+bool map_file_loadlib_cleanup(MODULE_DATA& module, PVOID buffer, PVOID const user_ptr)
+{
+ return FreeLibrary((HMODULE)buffer);
+}
+
+bool map_file_kmem(MODULE_DATA& module, PVOID * const buffer,
+ SIZE_T * const size, PVOID const user_ptr)
+{
+ return false;
+}
+
+bool map_file_kmem_cleanup(MODULE_DATA& module, PVOID buffer, PVOID const user_ptr)
+{
+ return false;
+}
+
+PatternScanner::PatternScanner(struct map_file_data const * const mfd, PVOID map_file_user_data)
+ : mfd(mfd), map_file_user_data(map_file_user_data)
+{
+ if (!mfd) {
+ throw std::runtime_error("MapFileData was NULL");
+ }
+}
+
+PatternScanner::~PatternScanner()
+{
+}
+
+static void findAndReplaceAll(std::string& data, const char * const search, const char * const replace)
+{
+ std::string toSearch(search);
+ std::string replaceStr(replace);
+
+ size_t pos = data.find(toSearch);
+
+ while (pos != std::string::npos)
+ {
+ data.replace(pos, toSearch.size(), replaceStr);
+ pos = data.find(toSearch, pos + replaceStr.size());
+ }
+}
+
+bool PatternScanner::checkPattern(MODULE_DATA& module, const char * const pattern, std::string& result)
+{
+ const char * const hexalnum = "0123456789abcdefABCDEF ?";
+ std::string str_pattern(pattern);
+
+ std::size_t found = str_pattern.find_first_not_of(hexalnum);
+ if (found != std::string::npos) {
+ std::stringstream err_str;
+ err_str << "Found an invalid character at " << found
+ << " (allowed characters: \"" << hexalnum << "\")";
+ throw std::runtime_error(err_str.str());
+ return false;
+ }
+
+ findAndReplaceAll(str_pattern, " ", "");
+ if (str_pattern.length() % 2 != 0) {
+ std::stringstream err_str;
+ err_str << "Pattern length is not a multiple of 2";
+ throw std::runtime_error(err_str.str());
+ return false;
+ }
+
+ result = str_pattern;
+ return true;
+}
+
+bool PatternScanner::doScan(UINT8 *buf, SIZE_T size, std::vector<UINT64>& foundOffsets)
+{
+ return false;
+}
+
+#include <iostream>
+bool PatternScanner::Scan(MODULE_DATA& module, const char * const pattern)
+{
+ std::string validPattern;
+ IMAGE_NT_HEADERS *ntHeader;
+ IMAGE_SECTION_HEADER *secHeader;
+ UINT8 *mappedBuffer = NULL;
+ SIZE_T mappedSize = 0;
+ std::vector<UINT64> foundOffsets;
+
+ if (!checkPattern(module, pattern, validPattern)) {
+ return false;
+ }
+
+ if (!mfd->map_file(module, (PVOID *)&mappedBuffer, &mappedSize, map_file_user_data))
+ {
+ return false;
+ }
+
+ if (mfd->in_memory_module) {
+ if (!VerifyPeHeader(mappedBuffer, mappedSize, &ntHeader) || !ntHeader) {
+ return false;
+ }
+
+ DWORD nBytes = 0, virtualSize;
+ secHeader = IMAGE_FIRST_SECTION(ntHeader);
+ for (SIZE_T i = 0; ntHeader->FileHeader.NumberOfSections; i++)
+ {
+ if (nBytes >= ntHeader->OptionalHeader.SizeOfImage)
+ break;
+
+
+
+ virtualSize = secHeader->VirtualAddress;
+ secHeader++;
+ virtualSize = secHeader->VirtualAddress - virtualSize;
+ nBytes += virtualSize;
+ }
+ }
+ else {
+ doScan(mappedBuffer, mappedSize, foundOffsets);
+ }
+
+ if (!mfd->map_file_cleanup(module, mappedBuffer, map_file_user_data))
+ {
+ return false;
+ }
+
+ //std::wcout << "BLAAAAAAAAAAAAA" << std::endl;
+ //std::wstring bla(str_pattern.begin(), str_pattern.end());
+ //std::wcout << bla << std::endl;
+ std::cout << validPattern << std::endl;
+
+ return true;
+} \ No newline at end of file
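Review bot: The section walk in `Scan` never terminates on the section count: `for (SIZE_T i = 0; ntHeader->FileHeader.NumberOfSections; i++)` tests the count itself rather than `i`, so the loop is stopped only by the `nBytes >= SizeOfImage` break and `secHeader++` can walk past the section table and read outside the mapped image; it should read `for (SIZE_T i = 0; i < ntHeader->FileHeader.NumberOfSections; i++)`, and since the last iteration also reads `VirtualAddress` from the header one past the final section, that section's size should come from its own `Misc.VirtualSize` instead of the next header. The `return false` after the `VerifyPeHeader` check leaves the module mapped, because `map_file_cleanup` is skipped on that path, so a library loaded by `map_file_loadlib` is never freed. Because `map_file_loadlib` uses `LoadLibraryA`, the scanned module's DllMain executes inside the scanner process; if only the image bytes are needed, `LoadLibraryExA` with `LOAD_LIBRARY_AS_IMAGE_RESOURCE` maps it without running it, which is worth a comment on `map_file_loadlib` either way. The `return false` after each `throw` in `checkPattern` is unreachable, and the mid-file `#include <iostream>` plus the `std::cout` output at the end of `Scan` look like debugging leftovers.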