Driver: image filename erasure

DarthTon · DarthTon · commit 60c7e35b06d1 · 2016-12-20T20:16:11.000+02:00
diff --git a/src/BlackBoneDrv/NativeStructs.h b/src/BlackBoneDrv/NativeStructs.h
@@ -143,6 +143,36 @@ typedef struct _OBJECT_HEADER // Size=56
     struct _QUAD Body; // Size=8 Offset=48
 } OBJECT_HEADER, *POBJECT_HEADER;
 
+typedef union _EX_FAST_REF // Size=8
+{
+    void * Object;
+    struct
+    {
+        unsigned __int64 RefCnt : 4; 
+    };
+    unsigned __int64 Value;
+} EX_FAST_REF, *PEX_FAST_REF;
+
+typedef struct _CONTROL_AREA // Size=120
+{
+    struct _SEGMENT * Segment;
+    struct _LIST_ENTRY ListHead;
+    unsigned __int64 NumberOfSectionReferences;
+    unsigned __int64 NumberOfPfnReferences; 
+    unsigned __int64 NumberOfMappedViews;
+    unsigned __int64 NumberOfUserReferences;
+    unsigned long f1; 
+    unsigned long f2;
+    EX_FAST_REF FilePointer;
+    // Other fields
+} CONTROL_AREA, *PCONTROL_AREA;
+
+typedef struct _SUBSECTION // Size=56
+{
+    PCONTROL_AREA ControlArea;
+    // Other fields
+} SUBSECTION, *PSUBSECTION;
+
 typedef struct _MEMORY_BASIC_INFORMATION_EX
 {
     PVOID BaseAddress;
diff --git a/src/BlackBoneDrv/NativeStructs10.h b/src/BlackBoneDrv/NativeStructs10.h
@@ -127,6 +127,7 @@ typedef struct _MMVAD // Size=128
 {
     struct _MMVAD_SHORT Core; // Size=64 Offset=0
     union ___unnamed2047 u2; // Size=4 Offset=64
+    unsigned long pad0;  // Size=4 Offset=68
     struct _SUBSECTION * Subsection; // Size=8 Offset=72
     struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
     struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
diff --git a/src/BlackBoneDrv/NativeStructs7.h b/src/BlackBoneDrv/NativeStructs7.h
@@ -138,11 +138,8 @@ typedef struct _MMVAD // Size=120
 {
     MMVAD_SHORT vadShort;
     union ___unnamed715 u2; // Size=4 Offset=64
-    union
-    {
-        struct _SUBSECTION * Subsection; // Size=8 Offset=72
-        struct _MSUBSECTION * MappedSubsection; // Size=8 Offset=72
-    };
+    unsigned long pad0; // Size=4 Offset=68
+    struct _SUBSECTION * Subsection; // Size=8 Offset=72
     struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
     struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
     struct _LIST_ENTRY ViewLinks; // Size=16 Offset=96
diff --git a/src/BlackBoneDrv/NativeStructs8.h b/src/BlackBoneDrv/NativeStructs8.h
@@ -128,11 +128,7 @@ typedef struct _MMVAD // Size=128
 {
     struct _MMVAD_SHORT Core; // Size=64 Offset=0
     union ___unnamed1883 u2; // Size=4 Offset=64
-    union
-    {
-        struct _SUBSECTION * Subsection; // Size=8 Offset=72
-        struct _MSUBSECTION * MappedSubsection; // Size=8 Offset=72
-    };
+    struct _SUBSECTION * Subsection; // Size=8 Offset=72
     struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
     struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
     struct _LIST_ENTRY ViewLinks; // Size=16 Offset=96
diff --git a/src/BlackBoneDrv/NativeStructs81.h b/src/BlackBoneDrv/NativeStructs81.h
@@ -124,6 +124,7 @@ typedef struct _MMVAD // Size=128
 {
     struct _MMVAD_SHORT Core; // Size=64 Offset=0
     union ___unnamed1956 u2; // Size=4 Offset=64
+    unsigned long pad0; // Size=4 Offset=68
     struct _SUBSECTION * Subsection; // Size=8 Offset=72
     struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80
     struct _MMPTE * LastContiguousPte; // Size=8 Offset=88
diff --git a/src/BlackBoneDrv/Routines.c b/src/BlackBoneDrv/Routines.c
@@ -546,7 +546,7 @@ NTSTATUS BBHideVAD( IN PHIDE_VAD pData )
 
     status = PsLookupProcessByProcessId( (HANDLE)pData->pid, &pProcess );
     if (NT_SUCCESS( status ))
-        status = BBProtectVAD( pProcess, pData->base, MM_ZERO_ACCESS );
+        status = BBUnlinkVAD( pProcess, pData->base );
     else
         DPRINT( "BlackBone: %s: PsLookupProcessByProcessId failed with status 0x%X\n", __FUNCTION__, status );
 
diff --git a/src/BlackBoneDrv/VadHelpers.c b/src/BlackBoneDrv/VadHelpers.c
@@ -3,7 +3,6 @@
 
 #pragma alloc_text(PAGE, MiPromoteNode)
 #pragma alloc_text(PAGE, MiRebalanceNode)
-#pragma alloc_text(PAGE, MiInsertNode)
 #pragma alloc_text(PAGE, MiRemoveNode)
 #pragma alloc_text(PAGE, MiFindNodeOrParent)
 
diff --git a/src/BlackBoneDrv/VadHelpers.h b/src/BlackBoneDrv/VadHelpers.h
@@ -62,5 +62,4 @@
 TABLE_SEARCH_RESULT MiFindNodeOrParent( IN PMM_AVL_TABLE Table, IN ULONG_PTR StartingVpn, OUT PMMADDRESS_NODE *NodeOrParent );
 VOID MiPromoteNode( IN PMMADDRESS_NODE C );
 ULONG MiRebalanceNode( IN PMMADDRESS_NODE S );
-VOID MiInsertNode( IN PMMADDRESS_NODE NodeToInsert, IN PMM_AVL_TABLE Table );
 VOID MiRemoveNode( IN PMMADDRESS_NODE NodeToDelete, IN PMM_AVL_TABLE Table );
diff --git a/src/BlackBoneDrv/VadRoutines.c b/src/BlackBoneDrv/VadRoutines.c
@@ -54,13 +54,11 @@ ULONG MmProtectToValue[32] =
 NTSTATUS BBProtectVAD( IN PEPROCESS pProcess, IN ULONG_PTR address, IN ULONG prot )
 {
     NTSTATUS status = STATUS_SUCCESS;
-    PMMVAD_SHORT pVad = NULL;
-
-    status = BBFindVAD( pProcess, address, &pVad );
-    if (!NT_SUCCESS( status ))
-        return status;
+    PMMVAD_SHORT pVadShort = NULL;
 
-    pVad->u.VadFlags.Protection = prot;
+    status = BBFindVAD( pProcess, address, &pVadShort );
+    if (NT_SUCCESS( status ))
+        pVadShort->u.VadFlags.Protection = prot;
 
     return status;
 }
@@ -75,15 +73,36 @@ NTSTATUS BBProtectVAD( IN PEPROCESS pProcess, IN ULONG_PTR address, IN ULONG pro
 /// <returns>Status code</returns>
 NTSTATUS BBUnlinkVAD( IN PEPROCESS pProcess, IN ULONG_PTR address )
 {
-    return BBProtectVAD( pProcess, address, MM_ZERO_ACCESS );  
-
-    /*
-#ifdef _WIN81_
-    RtlAvlRemoveNode( (PMM_AVL_TABLE)((PUCHAR)pProcess + dynData.VadRoot), (PMMADDRESS_NODE)pVad );
-#else
-    MiRemoveNode( (PMMADDRESS_NODE)pVad, (PMM_AVL_TABLE)((PUCHAR)pProcess + dynData.VadRoot) );
-#endif
-    */
+    NTSTATUS status = STATUS_SUCCESS;
+    PMMVAD_SHORT pVadShort = NULL;
+
+    status = BBFindVAD( pProcess, address, &pVadShort );
+    if (!NT_SUCCESS( status ))
+        return status;
+
+    // Erase image name
+    if (pVadShort->u.VadFlags.VadType == VadImageMap)
+    {
+        PMMVAD pVadLong = (PMMVAD)pVadShort;
+        if (pVadLong->Subsection && pVadLong->Subsection->ControlArea && pVadLong->Subsection->ControlArea->FilePointer.Object)
+        {
+            PFILE_OBJECT pFile = (PFILE_OBJECT)(pVadLong->Subsection->ControlArea->FilePointer.Value & ~0xF);
+            pFile->FileName.Buffer[0] = L'\0';
+            pFile->FileName.Length = 0;
+        }
+        else
+            return STATUS_INVALID_ADDRESS;
+    }
+    // Make NO_ACCESS
+    else if (pVadShort->u.VadFlags.VadType == VadDevicePhysicalMemory)
+    {
+        pVadShort->u.VadFlags.Protection = MM_ZERO_ACCESS;
+    }
+    // Invalid VAD type
+    else
+        status = STATUS_INVALID_PARAMETER;
+
+    return status;
 }
 
 #pragma warning(default : 4055)

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,7 @@ typedef struct _MMVAD // Size=128`
`127`	`127`	`{`
`128`	`128`	`struct _MMVAD_SHORT Core; // Size=64 Offset=0`
`129`	`129`	`union ___unnamed2047 u2; // Size=4 Offset=64`
	`130`	`+ unsigned long pad0; // Size=4 Offset=68`
`130`	`131`	`struct _SUBSECTION * Subsection; // Size=8 Offset=72`
`131`	`132`	`struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80`
`132`	`133`	`struct _MMPTE * LastContiguousPte; // Size=8 Offset=88`
Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,7 @@ typedef struct _MMVAD // Size=128`
`124`	`124`	`{`
`125`	`125`	`struct _MMVAD_SHORT Core; // Size=64 Offset=0`
`126`	`126`	`union ___unnamed1956 u2; // Size=4 Offset=64`
	`127`	`+ unsigned long pad0; // Size=4 Offset=68`
`127`	`128`	`struct _SUBSECTION * Subsection; // Size=8 Offset=72`
`128`	`129`	`struct _MMPTE * FirstPrototypePte; // Size=8 Offset=80`
`129`	`130`	`struct _MMPTE * LastContiguousPte; // Size=8 Offset=88`