Merge branch 'master' of https://github.com/WolverinDEV/valthrun-driver

Valthrun · Oct 25, 2024 · 205524c · 205524c
2 parents 354b1c8 + d923315
commit 205524c
Show file tree

Hide file tree

Showing 8 changed files with 69 additions and 21 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/driver-standalone/rust-toolchain.toml b/driver-standalone/rust-toolchain.toml
@@ -0,0 +1,2 @@
+[toolchain]
+channel = "nightly"
diff --git a/driver-standalone/src/panic_hook.rs b/driver-standalone/src/panic_hook.rs
@@ -58,3 +58,10 @@ pub unsafe extern "C" fn __CxxFrameHandler3() {
         KeBugCheck(BUGCHECK_CODE_CXX_FRAME);
     }
 }
+
+#[no_mangle]
+extern "C" fn __chkstk() {
+    use core::arch::asm;
+
+    // unsafe { asm!("int 3") };
+}
diff --git a/driver-uefi/Cargo.toml b/driver-uefi/Cargo.toml
@@ -29,6 +29,7 @@ lazy_link = "0.1.1"
 
 [dependencies.compiler_builtins]
 git = "https://github.com/rust-lang/compiler-builtins"
+version = "0.1.132"
 features = ["mem"]
 
 [dependencies.winapi]

diff --git a/driver-uefi/rust-toolchain.toml b/driver-uefi/rust-toolchain.toml
@@ -0,0 +1,2 @@
+[toolchain]
+channel = "nightly-2024-09-25"
diff --git a/driver-uefi/src/panic_hook.rs b/driver-uefi/src/panic_hook.rs
@@ -58,3 +58,10 @@ pub unsafe extern "C" fn __CxxFrameHandler3() {
         KeBugCheck(BUGCHECK_CODE_CXX_FRAME);
     }
 }
+
+#[no_mangle]
+extern "C" fn __chkstk() {
+    use core::arch::asm;
+
+    // unsafe { asm!("int 3") };
+}
diff --git a/driver/src/mouse.rs b/driver/src/mouse.rs
@@ -124,12 +124,22 @@ fn find_mouse_service_callback() -> anyhow::Result<MouseClassServiceCallbackFn>
     let module_kdbclass = KModule::find_by_name(obfstr!("mouclass.sys"))?
         .with_context(|| anyhow!("failed to locate {} module", obfstr!("mouclass.sys")))?;
 
-    [/* Windows 11 */ Signature::relative_address(
-        obfstr!("MouseClassServiceCallback"),
-        obfstr!("48 8D 05 ? ? ? ? 48 89 44"),
-        0x03,
-        0x07,
-    )]
+    // 48 8D 05 ? ? ? ? 48 89 44
+    [
+        Signature::relative_address(
+            obfstr!("MouseClassServiceCallback"),
+            obfstr!("48 8D 05 ? ? ? ? 48 89 44"),
+            0x03,
+            0x07,
+        ),
+        /* Windows 11 */
+        Signature::relative_address(
+            obfstr!("MouseClassServiceCallback"),
+            obfstr!("48 8D 05 ? ? ? ? 48 89 44"),
+            0x03,
+            0x07,
+        ),
+    ]
     .iter()
     .find_map(|sig| NtOffsets::locate_signature(&module_kdbclass, sig).ok())
     .map(|v| unsafe { core::mem::transmute_copy(&v) })

diff --git a/driver/src/offsets.rs b/driver/src/offsets.rs
@@ -95,6 +95,12 @@ pub fn initialize_nt_offsets() -> anyhow::Result<()> {
 
     let ps_get_next_process = {
         [
+            Signature::relative_address(
+                obfstr!("PsGetNextProcess (2600.1252)"),
+                obfstr!("E8 ? ? ? ? 48 8B D8 48 89 44 24 ? 48 85 C0 48"),
+                0x01,
+                0x05,
+            ),
             /* Windows 11 */
             Signature::relative_address(
                 obfstr!("PsGetNextProcess (Win 11)"),
@@ -117,19 +123,26 @@ pub fn initialize_nt_offsets() -> anyhow::Result<()> {
     };
 
     let mm_verify_callback_function_flags = {
-        if let Ok(target) = find_mm_verify_callback_function_flags_new(&ntoskrnl) {
-            unsafe { core::mem::transmute_copy::<_, _>(&target) }
-        } else {
-            log::debug!("{}", obfstr!("Failed to resolve MmVerifyCallbackFunctionFlags by instruction pattern. Try old pattern."));
-            if let Ok(target) = find_mm_verify_callback_function_flags_old(&ntoskrnl) {
-                unsafe { core::mem::transmute_copy::<_, _>(&target) }
-            } else {
-                anyhow::bail!(
-                    "{}",
-                    obfstr!("Failed to resolve MmVerifyCallbackFunctionFlags")
-                )
-            }
-        }
+        [
+            Signature::relative_address(
+                obfstr!("MmVerifyCallbackFunctionFlags (2600.1252)"),
+                obfstr!("E8 ? ? ? ? 85 C0 74 6F 48 8B 4E"),
+                0x01,
+                0x05,
+            ),
+            Signature::pattern(
+                obfstr!("MmVerifyCallbackFunctionFlags (Win 11)"),
+                obfstr!("48 89 5C 24 ? 48 89 6C 24 ? 48 89 74 24 ? 57 48 83 EC 20 8B FA 48 8B F1"),
+            ),
+            Signature::pattern(
+                obfstr!("MmVerifyCallbackFunctionFlags"),
+                obfstr!("E8 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 48 8B 4D 00"),
+            ),
+        ]
+        .iter()
+        .find_map(|sig| NtOffsets::locate_signature(&ntoskrnl, sig).ok())
+        .map(|v| unsafe { core::mem::transmute_copy(&v) })
+        .with_context(|| obfstr!("Failed to find MmVerifyCallbackFunctionFlags").to_string())?
     };
 
     log::debug!(
@@ -141,6 +154,12 @@ pub fn initialize_nt_offsets() -> anyhow::Result<()> {
     );
     let eprocess_thread_list_head = {
         [
+            Signature::offset(
+                obfstr!("_EPROCESS.ThreadListHead (2600.1252)"),
+                obfstr!("4C 8D B1 ? ? ? ? 33 ED 45"),
+                0x03,
+            ),
+
             /* Windows 11 */
             Signature::offset(
                 obfstr!("_EPROCESS.ThreadListHead (Win 11)"),