Merge pull request #23 from tarterp/21_driver_plugin_architecture

attempt to blackbox link in cpp through a static lib, backup file works

C/FileDeleteRecordPluginDriver/FileDeleteRecordPluginDriver.cpp

@@ -3,9 +3,10 @@
 
 #include "interface.h"
 
-#include "utils.h"
+#include "..\Utils\Utils.h"
 
 const unsigned long PLUGIN_POOL_TAG = 'LEDS';
+const wchar_t* backup_directory = L"\\??\\C:\\deleted";
 
 #pragma warning(disable: 6011)
 PluginApis g_Apis;
@@ -68,29 +69,6 @@ void PrintStackTrace(CallerInfo& callerinfo) {
     }
 }
 
-OBJECT_NAME_INFORMATION* getFilePathFromHandle(HANDLE hFile) {
-    ULONG dwSize = 0;
-    OBJECT_NAME_INFORMATION* pObjectName = nullptr;
-    NTSTATUS status = ZwQueryObject(hFile, (OBJECT_INFORMATION_CLASS)1 /*ObjectNameInformation*/, pObjectName, 0, &dwSize);
-    if (dwSize)
-    {
-        pObjectName = (OBJECT_NAME_INFORMATION*)ExAllocatePoolWithTag(NonPagedPoolNx, dwSize, PLUGIN_POOL_TAG);
-        if (pObjectName) {
-            status = ZwQueryObject(hFile, (OBJECT_INFORMATION_CLASS)1 /*ObjectNameInformation*/, pObjectName, dwSize, &dwSize);
-        }
-    }
-
-    if (status == STATUS_SUCCESS && pObjectName) {
-        return pObjectName;
-    }
-
-    if (pObjectName) {
-        ExFreePoolWithTag(pObjectName, PLUGIN_POOL_TAG);
-        pObjectName = nullptr;
-    }
-    return nullptr;
-}
-
 extern "C" __declspec(dllexport) void StpCallbackEntry(ULONG64 pService, ULONG32 probeId, MachineState & ctx, CallerInfo & callerinfo)
 {
     //LOG_INFO("[ENTRY] %s[0x%x](%d) Id: %d Parameters: [%d]\r\n", callerinfo.processName, callerinfo.processId, callerinfo.isWow64 ? 32 : 64, pService, probeId, ctx.paramCount);
@@ -109,9 +87,9 @@ extern "C" __declspec(dllexport) void StpCallbackEntry(ULONG64 pService, ULONG32
 
                     if (pFilePath) {
                         LOG_INFO("File %wZ deleted\r\n", pFilePath->Name);
-                        //backupFile((wchar_t*)backup_directory, pFilePath->Name, hFile);
-                        //ExFreePoolWithTag(pFilePath, PLUGIN_POOL_TAG);
-                        //pFilePath = nullptr;
+                        backupFile((wchar_t*)backup_directory, pFilePath->Name, hFile);
+                        ExFreePoolWithTag(pFilePath, PLUGIN_POOL_TAG);
+                        pFilePath = nullptr;
                         LOG_INFO("File Backup Complete\r\n");
                     }
                     else {

C/FileDeleteRecordPluginDriver/FileDeleteRecordPluginDriver.vcxproj

@@ -92,10 +92,13 @@
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <ControlFlowGuard>false</ControlFlowGuard>
       <LanguageStandard>stdcpp20</LanguageStandard>
-      <PreprocessorDefinitions>_WIN64;_AMD64_;AMD64;ENABLE_LOG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>KERNEL_MODE;_WIN64;_AMD64_;AMD64;ENABLE_LOG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>false</SDLCheck>
     </ClCompile>
     <Link>
       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib;Utils.lib</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(outdir)</AdditionalLibraryDirectories>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@@ -107,9 +110,13 @@
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <StructMemberAlignment>Default</StructMemberAlignment>
       <LanguageStandard>stdcpp20</LanguageStandard>
+      <PreprocessorDefinitions>KERNEL_MODE;_WIN64;_AMD64_;AMD64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>false</SDLCheck>
     </ClCompile>
     <Link>
       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib;Utils.lib</AdditionalDependencies>
+      <AdditionalLibraryDirectories>$(outdir)</AdditionalLibraryDirectories>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">

C/STrace.sln

@@ -7,6 +7,7 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "STrace", "STrace\STrace.vcx
 	ProjectSection(ProjectDependencies) = postProject
 		{4349310C-30F9-48A9-9AE7-13D181F958B5} = {4349310C-30F9-48A9-9AE7-13D181F958B5}
 		{C09F1082-CDCA-4320-AB91-CC3EAB12560C} = {C09F1082-CDCA-4320-AB91-CC3EAB12560C}
+		{D237889B-F553-478C-857A-A6BF4B883AE9} = {D237889B-F553-478C-857A-A6BF4B883AE9}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "STraceCLI", "STraceCLI\STraceCLI.vcxproj", "{4349310C-30F9-48A9-9AE7-13D181F958B5}"
@@ -21,6 +22,8 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AddNewEtwEventPlugin", "Add
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FileDeleteRecordPluginDriver", "FileDeleteRecordPluginDriver\FileDeleteRecordPluginDriver.vcxproj", "{CD47158C-73E3-4197-AE90-92DC38D8BC0E}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Utils", "Utils\Utils.vcxproj", "{D237889B-F553-478C-857A-A6BF4B883AE9}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|ARM64 = Debug|ARM64
@@ -127,6 +130,18 @@ Global
 		{CD47158C-73E3-4197-AE90-92DC38D8BC0E}.Release|x86.ActiveCfg = Release|x64
 		{CD47158C-73E3-4197-AE90-92DC38D8BC0E}.Release|x86.Build.0 = Release|x64
 		{CD47158C-73E3-4197-AE90-92DC38D8BC0E}.Release|x86.Deploy.0 = Release|x64
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|ARM64.ActiveCfg = Debug|x64
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|ARM64.Build.0 = Debug|x64
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|x64.ActiveCfg = Debug|x64
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|x64.Build.0 = Debug|x64
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|x86.ActiveCfg = Debug|Win32
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|x86.Build.0 = Debug|Win32
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|ARM64.ActiveCfg = Release|x64
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|ARM64.Build.0 = Release|x64
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|x64.ActiveCfg = Release|x64
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|x64.Build.0 = Release|x64
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|x86.ActiveCfg = Release|Win32
+		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|x86.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE

C/STraceCLI/STraceCLI.cpp

@@ -10,6 +10,7 @@
 #include <memory>
 
 HANDLE g_Driver;
+SC_HANDLE g_Scm;
 
 std::filesystem::path AskForFile() {
     wchar_t szFileName[MAX_PATH] = { 0 };
@@ -99,11 +100,21 @@ int main()
     printf("[+] Opening driver\n");
     g_Driver = CreateFileW(L"\\\\.\\STrace", GENERIC_ALL, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM, 0);
     if (g_Driver == INVALID_HANDLE_VALUE) {
-        printf("[!] Handle open to driver failed\n");
+        printf("[!] Handle open to driver failed: %d\n", GetLastError());
         return 1;
     }
     printf("[+] Driver Opened Successfully\n");
 
+    printf("[+] Opening Service Manager\n");
+    g_Scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+    if (NULL == g_Scm)
+    {
+        printf("[!] OpenServiceManager failed with: %d\n", GetLastError());
+        return 1;
+    }
+    printf("[+] Service Manager Opened Successfully\n");
+
+
     while (true) {
         std::cout << "Input command: load, unload, exit" << std::endl;
         std::string input;