verifier fix.

theSecHunter · Jun 30, 2024 · dd43d66 · dd43d66
1 parent 8b064b3
commit dd43d66
Show file tree

Hide file tree

Showing 13 changed files with 183 additions and 22 deletions.
diff --git a/HadSvc/knetwork.cpp b/HadSvc/knetwork.cpp
@@ -45,6 +45,9 @@ void KNetWork::ReLoadIpPortConnectRule()
 
 	if (!pDenyRule || !pConnectRule || !pDnsRule)
 		return;
+
+	// Clear
+	NetNdrRuleClear();
 	RtlSecureZeroMemory(pDenyRule, sizeof(DENY_RULE) * g_MaxRuleCounter);
 	RtlSecureZeroMemory(pConnectRule, sizeof(REDIRECT_RULE) * g_MaxRuleCounter);
 	RtlSecureZeroMemory(pDnsRule, sizeof(DNS_RULE) * g_MaxRuleCounter);
@@ -53,9 +56,6 @@ void KNetWork::ReLoadIpPortConnectRule()
 	ConfigNetWorkYamlRuleParsing(pDenyRule, &iDenyCounter, pConnectRule, &iConnectCounter, g_MaxRuleCounter);
 	ConfigNetWorkYamlDnsRuleParsing(pDnsRule, &iDnsCounter, g_MaxRuleCounter);
 
-	// Clear
-	NetNdrRuleClear();
-
 	// DENY
 	{
 		for (int i = 0; i < iDenyCounter; ++i)

diff --git a/HadSvc/main.cpp b/HadSvc/main.cpp
@@ -14,10 +14,10 @@
 #include <DirectoryRuleAssist.h>
 
 // Debug调试
-static bool kerne_mon = true;		// kernel采集
+static bool kerne_mon = false;		// kernel采集
 static bool kerne_rootkit = false;	// rootkit接口
-static bool user_mod = true;		// user接口
-static bool etw_mon = true;		// user采集
+static bool user_mod = false;		// user接口
+static bool etw_mon = false;		// user采集
 
 static bool gpip_send = false;		// pip上报
 static char g_chNameGuid[64] = { 0 };	// agentid

diff --git a/HadSvc/mcfilter.rc b/HadSvc/mcfilter.rc
@@ -61,7 +61,7 @@ IDI_ICON1               ICON                    "firearms.ico"
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 23,10,12,1
+ FILEVERSION 23,6,30,1
  PRODUCTVERSION 1,0,0,1
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
@@ -79,7 +79,7 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "theSecHunter"
             VALUE "FileDescription", "HadesWin"
-            VALUE "FileVersion", "23.10.12.1"
+            VALUE "FileVersion", "23.6.30.1"
             VALUE "InternalName", "HadesSvc.exe"
             VALUE "LegalCopyright", "Copyright (C) 2022"
             VALUE "OriginalFilename", "HadesSvc.exe"

diff --git a/HadesContrl/HadesContrl.vcxproj b/HadesContrl/HadesContrl.vcxproj
@@ -254,6 +254,7 @@
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClInclude Include="..\HadesSdk\hpsocket\Include\HPSocket\HPSocket.h" />
+    <ClInclude Include="..\HadesSdk\include\sysinfo.h" />
     <ClInclude Include="crashreport.h" />
     <ClInclude Include="framework.h" />
     <ClInclude Include="HadesContrl.h" />

diff --git a/HadesContrl/HadesContrl.vcxproj.filters b/HadesContrl/HadesContrl.vcxproj.filters
@@ -90,6 +90,9 @@
     <ClInclude Include="Interface.h">
       <Filter>Interface</Filter>
     </ClInclude>
+    <ClInclude Include="..\HadesSdk\include\sysinfo.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="HadesContrl.cpp">

diff --git a/MonitorEvent/netdrv/NetDrv.rc b/MonitorEvent/netdrv/NetDrv.rc
@@ -51,7 +51,7 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 24,6,23,1
+ FILEVERSION 24,6,30,1
  PRODUCTVERSION 1,0,0,1
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
@@ -69,7 +69,7 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "Hades"
             VALUE "FileDescription", "Hades For Windows NetDrv"
-            VALUE "FileVersion", "24.6.23.1"
+            VALUE "FileVersion", "24.6.30.1"
             VALUE "InternalName", "NetDrv.sys"
             VALUE "LegalCopyright", "Copyright (C) 2024"
             VALUE "OriginalFilename", "NetDrv.sys"

diff --git a/MonitorEvent/netdrv/devctrl.c b/MonitorEvent/netdrv/devctrl.c
@@ -80,8 +80,60 @@ NTSTATUS devctrl_create(PIRP irp, PIO_STACK_LOCATION irpSp)
 
 	return status;
 }
+VOID devctrl_freeSharedMemoryThread(_In_ PVOID Parameter)
+{
+	PSHARED_MEMORY pSharedMemory = (PSHARED_MEMORY)Parameter;
+	if (pSharedMemory) {
+		if (pSharedMemory->mdl)
+		{
+			__try
+			{
+				if (pSharedMemory->userVa)
+				{
+					MmUnmapLockedPages(pSharedMemory->userVa, pSharedMemory->mdl);
+				}
+				if (pSharedMemory->kernelVa)
+				{
+					MmUnmapLockedPages(pSharedMemory->kernelVa, pSharedMemory->mdl);
+				}
+			}
+			__except (EXCEPTION_EXECUTE_HANDLER)
+			{
+			}
+
+			MmFreePagesFromMdl(pSharedMemory->mdl);
+			IoFreeMdl(pSharedMemory->mdl);
+			pSharedMemory->mdl = NULL;
+			memset(pSharedMemory, 0, sizeof(SHARED_MEMORY));
+		}
+	}
+	PsTerminateSystemThread(STATUS_SUCCESS);
+}
 void devctrl_freeSharedMemory(PSHARED_MEMORY pSharedMemory)
 {
+	if (KeGetCurrentIrql() > APC_LEVEL)
+	{
+		HANDLE threadHandle = NULL;
+		NTSTATUS status = STATUS_SUCCESS;
+		status = PsCreateSystemThread(
+			&threadHandle,
+			THREAD_ALL_ACCESS,
+			NULL,
+			NULL,
+			NULL,
+			devctrl_freeSharedMemoryThread,
+			pSharedMemory
+		);
+
+		if (NT_SUCCESS(status) && threadHandle)
+		{
+			KPRIORITY priority = HIGH_PRIORITY;
+			ZwSetInformationThread(threadHandle, ThreadPriority, &priority, sizeof(priority));
+			ZwClose(threadHandle);
+		}
+		return;
+	}
+
 	if (pSharedMemory->mdl)
 	{
 		__try
@@ -101,6 +153,7 @@ void devctrl_freeSharedMemory(PSHARED_MEMORY pSharedMemory)
 
 		MmFreePagesFromMdl(pSharedMemory->mdl);
 		IoFreeMdl(pSharedMemory->mdl);
+		pSharedMemory->mdl = NULL;
 
 		memset(pSharedMemory, 0, sizeof(SHARED_MEMORY));
 	}
@@ -1086,7 +1139,7 @@ NTSTATUS devctrl_init(PDRIVER_OBJECT pDriverObject)
 	InitializeListHead(&g_IoQueryHead);
 	VerifiExInitializeNPagedLookasideList(&g_IoQueryList, NULL, NULL, 0, sizeof(NF_QUEUE_ENTRY), 'NFQU', 0);
 	KeInitializeSpinLock(&g_sIolock);
-	
+
 	// Init I/O handler Thread
 	KeInitializeEvent(
 		&g_ioThreadEvent,

diff --git a/MonitorEvent/netdrv/hashtable.c b/MonitorEvent/netdrv/hashtable.c
@@ -35,35 +35,35 @@ void hash_table_free(PHASH_TABLE pTable)
 }
 
 int ht_add_entry(PHASH_TABLE pTable, PHASH_TABLE_ENTRY pEntry)
-{
+{ 
+	if (pTable == NULL || (!pTable))
+		return 0;
+	if (pEntry == NULL || (!pEntry))
+		return 0;
 	UINT64 hash = pEntry->id % pTable->size;
-
 	if (ht_find_entry(pTable, pEntry->id))
 		return 0;
-
 	pEntry->pNext = pTable->pEntries[hash];
 	pTable->pEntries[hash] = pEntry;
-
 	return 1;
 }
 
 
 PHASH_TABLE_ENTRY ht_find_entry(PHASH_TABLE pTable, UINT64 id)
 {
-	PHASH_TABLE_ENTRY pEntry;
+	if (pTable == NULL || (!pTable))
+		return 0;
 
+	PHASH_TABLE_ENTRY pEntry = NULL;
 	pEntry = pTable->pEntries[id % pTable->size];
-
 	while (pEntry)
 	{
 		if (pEntry->id == id)
 		{
 			return pEntry;
 		}
-
 		pEntry = pEntry->pNext;
 	}
-
 	return NULL;
 }
 

diff --git a/MonitorEvent/sysmondrv/devctrl.c b/MonitorEvent/sysmondrv/devctrl.c
@@ -588,8 +588,59 @@ NTSTATUS devctrl_DrDevEnum(PDEVICE_OBJECT DeviceObject, PIRP irp, PIO_STACK_LOCA
 }
 
 // ☆ Share Memory MDL
+VOID devctrl_freeSharedMemoryThread(_In_ PVOID Parameter)
+{
+	PSHARED_MEMORY pSharedMemory = (PSHARED_MEMORY)Parameter;
+	if (pSharedMemory) {
+		if (pSharedMemory->mdl)
+		{
+			__try
+			{
+				if (pSharedMemory->userVa)
+				{
+					MmUnmapLockedPages(pSharedMemory->userVa, pSharedMemory->mdl);
+				}
+				if (pSharedMemory->kernelVa)
+				{
+					MmUnmapLockedPages(pSharedMemory->kernelVa, pSharedMemory->mdl);
+				}
+			}
+			__except (EXCEPTION_EXECUTE_HANDLER)
+			{
+			}
+
+			MmFreePagesFromMdl(pSharedMemory->mdl);
+			IoFreeMdl(pSharedMemory->mdl);
+			pSharedMemory->mdl = NULL;
+			memset(pSharedMemory, 0, sizeof(SHARED_MEMORY));
+		}
+	}
+	PsTerminateSystemThread(STATUS_SUCCESS);
+}
 void devctrl_freeSharedMemory(PSHARED_MEMORY pSharedMemory)
 {
+	if (KeGetCurrentIrql() > APC_LEVEL)
+	{
+		HANDLE threadHandle = NULL;
+		NTSTATUS status = STATUS_SUCCESS;
+		status = PsCreateSystemThread(
+			&threadHandle,
+			THREAD_ALL_ACCESS,
+			NULL,
+			NULL,
+			NULL,
+			devctrl_freeSharedMemoryThread,
+			pSharedMemory
+		);
+
+		if (NT_SUCCESS(status) && threadHandle)
+		{
+			KPRIORITY priority = HIGH_PRIORITY;
+			ZwSetInformationThread(threadHandle, ThreadPriority, &priority, sizeof(priority));
+			ZwClose(threadHandle);
+		}
+		return;
+	}
 	if (pSharedMemory->mdl)
 	{
 		__try

diff --git a/MonitorEvent/sysmonuserlib/sysmonuser.vcxproj b/MonitorEvent/sysmonuserlib/sysmonuser.vcxproj
@@ -110,7 +110,7 @@
     <LinkIncremental>true</LinkIncremental>
     <OutDir>..\..\HadesSdk\sysmonuser\lib</OutDir>
     <TargetName>$(ProjectName)_d</TargetName>
-    <IncludePath>D:\Hades\Hades-Windows\HadesSdk\include;$(IncludePath)</IncludePath>
+    <IncludePath>..\..\HadesSdk\include;$(IncludePath)</IncludePath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <LinkIncremental>false</LinkIncremental>

diff --git a/RuleEngineSvc/RuleEngineSvc.rc b/RuleEngineSvc/RuleEngineSvc.rc
@@ -51,7 +51,7 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 23,10,12,1
+ FILEVERSION 24,6,30,1
  PRODUCTVERSION 1,0,0,1
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
@@ -67,7 +67,7 @@ BEGIN
     BEGIN
         BLOCK "080404b0"
         BEGIN
-            VALUE "FileVersion", "23.10.12.1"
+            VALUE "FileVersion", "24.6.30.1"
             VALUE "InternalName", "RuleEngi.dll"
             VALUE "LegalCopyright", "Copyright (C) 2023"
             VALUE "OriginalFilename", "RuleEngi.dll"

diff --git a/UnitTest/UntsRule.cpp b/UnitTest/UntsRule.cpp
@@ -1,4 +1,9 @@
 #include "UntsRule.h"
+#include <NetWorkRuleAssist.h>
+#include <sysinfo.h>
+#include <NetApi.h>
+
+static const int g_MaxRuleCounter = 100;
 
 UntsRule::UntsRule()
 {
@@ -10,5 +15,51 @@ UntsRule::~UntsRule()
 
 void UntsRule::UnTs_ReLoadIpPortConnectRule()
 {
+	PDENY_RULE pDenyRule = nullptr;
+	PREDIRECT_RULE pConnectRule = nullptr;
+	PDNS_RULE pDnsRule = nullptr;
+
+	pDenyRule = (PDENY_RULE)new DENY_RULE[g_MaxRuleCounter];
+	pConnectRule = (PREDIRECT_RULE)new REDIRECT_RULE[g_MaxRuleCounter];
+	pDnsRule = (PDNS_RULE)new DNS_RULE[g_MaxRuleCounter];
+
+	if (!pDenyRule || !pConnectRule || !pDnsRule)
+		return;
+
+	// Clear
+	NetNdrRuleClear();
+	RtlSecureZeroMemory(pDenyRule, sizeof(DENY_RULE) * g_MaxRuleCounter);
+	RtlSecureZeroMemory(pConnectRule, sizeof(REDIRECT_RULE) * g_MaxRuleCounter);
+	RtlSecureZeroMemory(pDnsRule, sizeof(DNS_RULE) * g_MaxRuleCounter);
+
+	int iDenyCounter = 0;	int iConnectCounter = 0; int iDnsCounter = 0;
+	ConfigNetWorkYamlRuleParsing(pDenyRule, &iDenyCounter, pConnectRule, &iConnectCounter, g_MaxRuleCounter);
+	ConfigNetWorkYamlDnsRuleParsing(pDnsRule, &iDnsCounter, g_MaxRuleCounter);
+
+	// DENY
+	{
+		for (int i = 0; i < iDenyCounter; ++i)
+			NetNdrSetDenyRule(pDenyRule[i].strRuleName, pDenyRule[i].strIpAddress, pDenyRule[i].strProtocol, pDenyRule[i].strPorts, pDenyRule[i].strAction);
+	}
+
+	// REDIRECT
+	{
+		for (int i = 0; i < iConnectCounter; ++i)
+			NetNdrSetRediRectRule(pConnectRule[i].strRuleName, pConnectRule[i].strRedirectIp, pConnectRule[i].RedrectPort, pConnectRule[i].strProtocol, pConnectRule[i].strProcessName);
+	}
+
+	// DNS
+	{
+		for (int i = 0; i < iDnsCounter; ++i)
+			NetNdrSetDnsRule(pDnsRule[i].strRuleName, pDnsRule[i].strProtocol, pDnsRule[i].sDnsName.c_str(), pDnsRule[i].strAction);
+	}
 
+	if (pDenyRule) {
+		delete[] pDenyRule;
+		pDenyRule = nullptr;
+	}
+	if (pConnectRule) {
+		delete[] pConnectRule;
+		pConnectRule = nullptr;
+	}
 }
diff --git a/UnitTest/unitts.vcxproj b/UnitTest/unitts.vcxproj
@@ -45,13 +45,15 @@
     <UseDebugLibraries>true</UseDebugLibraries>
     <PlatformToolset>v142</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
+    <SpectreMitigation>false</SpectreMitigation>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <PlatformToolset>v142</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
+    <SpectreMitigation>false</SpectreMitigation>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">