authorsegfault <toni@impl.cc>2020-12-12 20:08:22 +0100
committersegfault <toni@impl.cc>2020-12-12 20:08:22 +0100
commit2c2383838ce791392782aeb5ca3cd0607c92e22e (patch)
tree477fa41c75fae922c33f7b63ed07c9a23a826a76 /include
parent444b885aa818e7a4a91870181950b260a53b8fc9 (diff)
Added KMemDriver GetProcesses to enumerate all processes from kernel space.
* fixed missing NUL termination for converted ASCII strings
Diffstat (limited to 'include')
-rw-r--r--include/KInterface.h15
-rw-r--r--include/KMemDriver.h63
2 files changed, 51 insertions, 27 deletions
diff --git a/include/KInterface.h b/include/KInterface.h
index 540548b..3fee236 100644
--- a/include/KInterface.h
+++ b/include/KInterface.h
@@ -28,17 +28,18 @@ public:
bool Init();
bool Handshake();
bool Ping();
+ bool Processes(std::vector<PROCESS_DATA>& dest);
bool Pages(HANDLE targetPID,
std::vector<MEMORY_BASIC_INFORMATION>& dest,
PVOID start_address = NULL);
bool Modules(HANDLE targetPID,
std::vector<MODULE_DATA>& dest);
bool Exit();
- bool RPM(HANDLE targetPID, PVOID address, BYTE *buf, SIZE_T size,
+ bool RPM(HANDLE targetPID, PVOID address, BYTE* buf, SIZE_T size,
PKERNEL_READ_REQUEST result);
- bool WPM(HANDLE targetPID, PVOID address, BYTE *buf, SIZE_T size,
+ bool WPM(HANDLE targetPID, PVOID address, BYTE* buf, SIZE_T size,
PKERNEL_WRITE_REQUEST result);
- bool VAlloc(HANDLE targetPID, PVOID *address, SIZE_T *size, ULONG protection);
+ bool VAlloc(HANDLE targetPID, PVOID* address, SIZE_T* size, ULONG protection);
bool VFree(HANDLE targetPID, PVOID address, SIZE_T size);
bool VUnlink(HANDLE targetPID, PVOID address);
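Review bot: The added `Processes` declaration says nothing about what `dest` receives or what a false return means, and its implementation is not part of this diff. I would document it as `// Fills dest with one PROCESS_DATA per process reported by the driver (MEM_PROCESSES); returns false if the request fails.` Whether `dest` is cleared before being filled should be confirmed against the implementation before the comment claims it. The enclosing class KInterface starts outside the hunk.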
@@ -70,8 +71,8 @@ public:
return buf;
}
template <class T>
- static void Wpm(HANDLE targetPID, PVOID address, T *buf) {
- if (!KInterface::getInstance().WPM(targetPID, address, (BYTE*)buf, sizeof *buf, NULL))
+ static void Wpm(HANDLE targetPID, PVOID address, T* buf) {
+ if (!KInterface::getInstance().WPM(targetPID, address, (BYTE*)buf, sizeof * buf, NULL))
throw std::runtime_error("KMemory WPM failed");
}
};
@@ -80,14 +81,14 @@ class KMemoryBuf
{
public:
template <size_t SIZE>
- static SSIZE_T Rpm(HANDLE targetPID, PVOID address, BYTE *dest) {
+ static SSIZE_T Rpm(HANDLE targetPID, PVOID address, BYTE* dest) {
KERNEL_READ_REQUEST rr = { 0 };
if (!KInterface::getInstance().RPM(targetPID, address, &dest[0], SIZE, &rr))
return -1;
return rr.SizeRes;
}
template <size_t SIZE>
- static SSIZE_T Wpm(HANDLE targetPID, PVOID address, BYTE *dest) {
+ static SSIZE_T Wpm(HANDLE targetPID, PVOID address, BYTE* dest) {
KERNEL_WRITE_REQUEST wr = { 0 };
if (!KInterface::getInstance().WPM(targetPID, address, &dest[0], SIZE, &wr))
return -1;
diff --git a/include/KMemDriver.h b/include/KMemDriver.h
index 90a06f2..bc50d61 100644
--- a/include/KMemDriver.h
+++ b/include/KMemDriver.h
@@ -21,34 +21,35 @@ typedef _Return_type_success_(return >= 0) LONG NTSTATUS;
#define MEM_HANDSHAKE 0x800
#define MEM_PING 0x801
-#define MEM_MODULES 0x802
-#define MEM_PAGES 0x803
-#define MEM_RPM 0x804
-#define MEM_WPM 0x805
-#define MEM_VALLOC 0x806
-#define MEM_VFREE 0x807
-#define MEM_VUNLINK 0x808
-#define MEM_EXIT 0x809
+#define MEM_PROCESSES 0x802
+#define MEM_MODULES 0x803
+#define MEM_PAGES 0x804
+#define MEM_RPM 0x805
+#define MEM_WPM 0x806
+#define MEM_VALLOC 0x807
+#define MEM_VFREE 0x808
+#define MEM_VUNLINK 0x809
+#define MEM_EXIT 0x810
typedef struct _KERNEL_HEADER
{
UINT32 magic;
UINT32 type;
-} KERNEL_HEADER, *PKERNEL_HEADER;
+} KERNEL_HEADER, * PKERNEL_HEADER;
typedef struct _KERNEL_HANDSHAKE
{
KERNEL_HEADER hdr;
HANDLE kevent;
HANDLE uevent;
-} KERNEL_HANDSHAKE, *PKERNEL_HANDSHAKE;
+} KERNEL_HANDSHAKE, * PKERNEL_HANDSHAKE;
typedef struct _KERNEL_PING
{
KERNEL_HEADER hdr;
UINT32 rnd_user;
UINT32 rnd_kern;
-} KERNEL_PING, *PKERNEL_PING;
+} KERNEL_PING, * PKERNEL_PING;
typedef struct _KERNEL_PAGE
{
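Review bot: MEM_EXIT is renumbered to 0x810 on the last added define, which leaves 0x80A–0x80F unused after MEM_VUNLINK 0x809 and looks like a decimal-style increment of a hex constant; `#define MEM_EXIT 0x80A` keeps the table contiguous. Inserting MEM_PROCESSES at 0x802 also shifts every existing code by one, so a user-mode client built against the old header would have its MEM_RPM and MEM_WPM requests interpreted as MEM_PAGES and MEM_RPM by the new driver, with only the type switch in validateRequest (only partly visible here) standing between that and a mis-parsed request. Appending the new code after MEM_EXIT, or adding a protocol version to KERNEL_HEADER that the handshake checks, would avoid that class of mismatch.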
@@ -59,7 +60,7 @@ typedef struct _KERNEL_PAGE
NTSTATUS StatusRes;
SIZE_T pages;
MEMORY_BASIC_INFORMATION pages_start;
-} KERNEL_PAGE, *PKERNEL_PAGE;
+} KERNEL_PAGE, * PKERNEL_PAGE;
typedef struct _MODULE_DATA
{
@@ -67,7 +68,7 @@ typedef struct _MODULE_DATA
ULONG SizeOfImage;
CHAR BaseDllName[64];
CHAR FullDllPath[256];
-} MODULE_DATA, *PMODULE_DATA;
+} MODULE_DATA, * PMODULE_DATA;
typedef struct _KERNEL_MODULES
{
@@ -78,12 +79,12 @@ typedef struct _KERNEL_MODULES
NTSTATUS StatusRes;
SIZE_T modules;
MODULE_DATA modules_start;
-} KERNEL_MODULES, *PKERNEL_MODULES;
+} KERNEL_MODULES, * PKERNEL_MODULES;
typedef struct _KERNEL_EXIT
{
KERNEL_HEADER hdr;
-} KERNEL_EXIT, *PKERNEL_EXIT;
+} KERNEL_EXIT, * PKERNEL_EXIT;
typedef struct _KERNEL_READ_REQUEST
{
@@ -94,7 +95,7 @@ typedef struct _KERNEL_READ_REQUEST
NTSTATUS StatusRes;
SIZE_T SizeRes;
-} KERNEL_READ_REQUEST, *PKERNEL_READ_REQUEST;
+} KERNEL_READ_REQUEST, * PKERNEL_READ_REQUEST;
typedef struct _KERNEL_WRITE_REQUEST
{
@@ -105,7 +106,7 @@ typedef struct _KERNEL_WRITE_REQUEST
NTSTATUS StatusRes;
SIZE_T SizeRes;
-} KERNEL_WRITE_REQUEST, *PKERNEL_WRITE_REQUEST;
+} KERNEL_WRITE_REQUEST, * PKERNEL_WRITE_REQUEST;
typedef struct _KERNEL_VALLOC_REQUEST
{
@@ -118,7 +119,7 @@ typedef struct _KERNEL_VALLOC_REQUEST
NTSTATUS StatusRes;
PVOID AddressRes;
SIZE_T SizeRes;
-} KERNEL_VALLOC_REQUEST, *PKERNEL_VALLOC_REQUEST;
+} KERNEL_VALLOC_REQUEST, * PKERNEL_VALLOC_REQUEST;
typedef struct _KERNEL_VFREE_REQUEST
{
@@ -128,7 +129,7 @@ typedef struct _KERNEL_VFREE_REQUEST
SIZE_T Size;
NTSTATUS StatusRes;
-} KERNEL_VFREE_REQUEST, *PKERNEL_VFREE_REQUEST;
+} KERNEL_VFREE_REQUEST, * PKERNEL_VFREE_REQUEST;
typedef struct _KERNEL_VUNLINK_REQUEST
{
@@ -137,7 +138,24 @@ typedef struct _KERNEL_VUNLINK_REQUEST
PVOID Address;
NTSTATUS StatusRes;
-} KERNEL_VUNLINK_REQUEST, *PKERNEL_VUNLINK_REQUEST;
+} KERNEL_VUNLINK_REQUEST, * PKERNEL_VUNLINK_REQUEST;
+
+typedef struct _PROCESS_DATA
+{
+ ULONG NumberOfThreads;
+ CHAR ImageName[80];
+ HANDLE UniqueProcessId;
+ ULONG HandleCount;
+} PROCESS_DATA, * PPROCESS_DATA;
+
+typedef struct _KERNEL_PROCESSES_REQUEST
+{
+ KERNEL_HEADER hdr;
+
+ NTSTATUS StatusRes;
+ SIZE_T ProcessCount;
+ //PROCESS_DATA processes[ProcessCount];
+} KERNEL_PROCESSES_REQUEST, * PKERNEL_PROCESSES_REQUEST;
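Review bot: KERNEL_PROCESSES_REQUEST describes its variable-length trailer only through the commented-out `//PROCESS_DATA processes[ProcessCount];`, so nothing tells the user-mode reader that ProcessCount is driver-supplied and must be bounded before it is used to walk the buffer. I would replace that line with `// Followed in the shared buffer by ProcessCount PROCESS_DATA entries; the reader must verify that ProcessCount * sizeof(PROCESS_DATA) fits in the remaining buffer before iterating.` The existing KERNEL_MODULES struct marks the same kind of trailer with a `modules_start` member, and this struct could follow that convention instead of a comment. Because this layout crosses the kernel/user boundary, a `static_assert` on sizeof(PROCESS_DATA) would catch mismatched builds (the HANDLE member makes the size differ between 32- and 64-bit compiles), and ImageName[80] should state whether the driver guarantees NUL termination — the commit message mentions a fix for that, but the header does not record the contract.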
#ifndef KERNEL_MODULE
@@ -149,6 +167,10 @@ static inline VOID prepareRequest(PVOID buf, UINT32 type)
}
#endif
+#ifndef KERNEL_MODULE
+#define validateResponeEx(buf, status, count) (!status && count <= SHMEM_SIZE) && validateRespone(buf)
+#endif
+
static inline UINT32
#ifndef KERNEL_MODULE
validateRespone
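Review bot: The added validateResponeEx macro has no outer parentheses and leaves `status` and `count` unparenthesized, so `!validateResponeEx(buf, s, c)` negates only the first group and any compound expression passed as `count` binds incorrectly. `count <= SHMEM_SIZE` also compares an element count against what appears to be a byte size (SHMEM_SIZE is defined outside this chunk), so a KERNEL_PROCESSES_REQUEST whose ProcessCount is just under SHMEM_SIZE passes the check while ProcessCount * sizeof(PROCESS_DATA) overruns the shared buffer; callers that pass a count of elements need the bound scaled by the element size. A safer form is `#define validateResponeEx(buf, status, count) ((!(status)) && ((count) <= SHMEM_SIZE) && validateRespone(buf))`, with the MEM_PROCESSES caller bounding ProcessCount against `(SHMEM_SIZE - sizeof(KERNEL_PROCESSES_REQUEST)) / sizeof(PROCESS_DATA)`. The validateRespone definition that begins on the last line continues outside the hunk.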
@@ -163,6 +185,7 @@ validateRequest
switch (hdr->type) {
case MEM_HANDSHAKE:
case MEM_PING:
+ case MEM_PROCESSES:
case MEM_PAGES:
case MEM_MODULES:
case MEM_RPM: