Merge pull request #25 from tarterp/21_driver_plugin_architecture

Driver Plugin Architecture
mandiant · Dec 1, 2023 · 7e248fd · 7e248fd
2 parents 95fa194 + c4f5ece
commit 7e248fd
Show file tree

Hide file tree

Showing 95 changed files with 6,481 additions and 5,397 deletions.
diff --git a/C/AddNewEtwEventPlugin/AddNewEtwEventPlugin.filters b/C/AddNewEtwEventPlugin/AddNewEtwEventPlugin.filters
diff --git a/C/AddNewEtwEventPlugin/AddNewEtwEventPlugin.vcxproj b/C/AddNewEtwEventPlugin/AddNewEtwEventPlugin.vcxproj
diff --git a/C/AddNewEtwEventPlugin/AddNewEtwEventPlugin.vcxproj.filters b/C/AddNewEtwEventPlugin/AddNewEtwEventPlugin.vcxproj.filters
@@ -1,45 +1,54 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
-    <ClCompile Include="dllmain.cpp" />
-    <ClCompile Include="crt.cpp" />
-    <ClCompile Include="Interface.cpp" />
+    <ClCompile Include="Interface.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="main.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
-    <ClInclude Include="Interface.h">
+    <ClInclude Include="vector.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="probedefs.h">
+    <ClInclude Include="utils.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="crt.h">
+    <ClInclude Include="string.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="KernelApis.h">
+    <ClInclude Include="probedefs.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="magic_enum.hpp">
+    <ClInclude Include="phantom_type.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="phantom_type.h">
+    <ClInclude Include="NtStructs.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="utils.h">
+    <ClInclude Include="NtBuild.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="config.h">
+    <ClInclude Include="MyStdint.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="string.h">
+    <ClInclude Include="magic_enum.hpp">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="vector.h">
+    <ClInclude Include="Interface.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Constants.h">
       <Filter>Header Files</Filter>
     </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <Filter Include="Header Files">
-      <UniqueIdentifier>{32d6c38a-89f4-4b0b-8ca9-dfc546c0b85d}</UniqueIdentifier>
+      <UniqueIdentifier>{df217687-6792-459a-a47a-10eb99f20cfc}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{5c149437-b147-4ba0-a1b5-c0d2fbf710ae}</UniqueIdentifier>
     </Filter>
   </ItemGroup>
 </Project>
diff --git a/C/FileDeleteRecordPluginDriver/Constants.h → C/AddNewEtwEventPlugin/Constants.h b/C/FileDeleteRecordPluginDriver/Constants.h → C/AddNewEtwEventPlugin/Constants.h
diff --git a/C/AddNewEtwEventPlugin/Interface.cpp b/C/AddNewEtwEventPlugin/Interface.cpp
@@ -14,7 +14,8 @@ UNICODE_STRING WideToUnicodeString(PCWSTR SourceString)
 			Size = MaxSize;
 		DestinationString.Length = (USHORT)Size;
 		DestinationString.MaximumLength = (USHORT)Size + sizeof(UNICODE_NULL);
-	} else {
+	}
+	else {
 		DestinationString.Length = 0;
 		DestinationString.MaximumLength = 0;
 	}

diff --git a/C/AddNewEtwEventPlugin/Interface.h b/C/AddNewEtwEventPlugin/Interface.h
@@ -1,10 +1,12 @@
 #pragma once
-#define WIN32_LEAN_AND_MEAN
-#include <Windows.h>
-#include <subauth.h>
-#include <stdint.h>
-#include <type_traits>
-#include "crt.h"
+#include <ntifs.h>
+#include <ntstatus.h>
+#define NTSTRSAFE_NO_CB_FUNCTIONS
+#include <ntstrsafe.h>
+
+#include "MyStdint.h"
+#include "Constants.h"
+#include "NtStructs.h"
 
 class MachineState
 {
@@ -57,6 +59,14 @@ class MachineState
 	}
 };
 
+typedef enum _LOG_LEVEL_OPTIONS
+{
+	LogLevelDebug = 0x10ul,
+	LogLevelInfo = 0x20ul,
+	LogLevelWarn = 0x40ul,
+	LogLevelError = 0x80ul,
+} LOG_LEVEL_OPTIONS;
+
 typedef LONG NTSTATUS;
 typedef bool(*tSetTlsData)(uint64_t value, uint8_t slot);
 typedef bool(*tGetTlsData)(uint64_t& value, uint8_t slot);
@@ -66,7 +76,6 @@ typedef NTSTATUS(*tSetCallbackApi)(const char* syscallName, ULONG64 probeId);
 typedef NTSTATUS(*tUnSetCallbackApi)(const char* syscallName);
 typedef NTSTATUS(*tSetEtwCallbackApi)(GUID providerGuid);
 typedef NTSTATUS(*tUnSetEtwCallbackApi)();
-typedef PVOID(NTAPI* tMmGetSystemRoutineAddress)(PUNICODE_STRING SystemRoutineName);
 typedef BOOLEAN(*tTraceAccessMemory)(PVOID SafeAddress, ULONG_PTR UnsafeAddress, SIZE_T NumberOfBytes, SIZE_T ChunkSize, BOOLEAN DoRead);
 
 class PluginApis {
@@ -81,10 +90,10 @@ class PluginApis {
 	tUnSetCallbackApi pUnsetCallback;
 	tSetEtwCallbackApi pEtwSetCallback;
 	tUnSetEtwCallbackApi pEtwUnSetCallback;
-	tMmGetSystemRoutineAddress pGetSystemRoutineAddress;
 	tTraceAccessMemory pTraceAccessMemory;
 };
 
+#define MAX_PATH    260
 #define MINCHAR     0x80        // winnt
 #define MAXCHAR     0x7f        // winnt
 #define MINSHORT    0x8000      // winnt
@@ -96,11 +105,12 @@ class PluginApis {
 #define MAXULONG    0xffffffff  // winnt
 
 UNICODE_STRING WideToUnicodeString(PCWSTR SourceString);
+NTSTATUS MbToUnicodeString(PSTR SourceString, PUNICODE_STRING DestinationString);
 
 template<typename T>
 T ResolveApi(const wchar_t* name, PluginApis& apis) {
 	auto ustr = WideToUnicodeString(name);
-	return (T)apis.pGetSystemRoutineAddress(&ustr);
+	return (T)MmGetSystemRoutineAddress(&ustr);
 }
 
 class CallerInfo
@@ -125,13 +135,6 @@ typedef void(*tStpCallbackReturnPlugin)(ULONG64 pService, ULONG32 probeId, Machi
 typedef void(*tStpInitialize)(PluginApis& pApis);
 typedef void(*tStpDeInitialize)();
 
-typedef enum _LOG_LEVEL_OPTIONS
-{
-	LogLevelDebug = 0x10ul,
-	LogLevelInfo = 0x20ul,
-	LogLevelWarn = 0x40ul,
-	LogLevelError = 0x80ul,
-} LOG_LEVEL_OPTIONS;
 
 // ETW field type definitions, see TlgIn_t and TlgOut_t in TraceLoggingProvider.h
 #define ETW_FIELD(in, out)  (in | 0x80 | out << 8)
@@ -233,4 +236,4 @@ typedef enum _ETW_FIELD_TYPE
 } ETW_FIELD_TYPE;
 
 // Assert a function is the same type as a function pointer typedef, or throw msg as a compiler error
-#define ASSERT_INTERFACE_IMPLEMENTED(Implementer, tFnTypeDef, msg) static_assert(std::is_same_v<decltype(&Implementer), tFnTypeDef>, msg); 
+#define ASSERT_INTERFACE_IMPLEMENTED(Implementer, tFnTypeDef, msg) static_assert(is_same_v<decltype(&Implementer), tFnTypeDef>, msg);