
[Win] DKOM Detector


# Introduce

기존에 포스팅했던 Process Hide Driver를 탐지하는 드라이버를 개발하였습니다. 탐지에는 ProcessListEntry와 ActiveProcessLinks를 이용하였습니다.

# Testbed

Windows Driver Kit 10.0.18362.1

[#]Driver.c

드라이버 소스코드입니다. 포스팅 작성 날짜 기준으로 Windows 10 모든 빌드를 지원합니다. Windows 10 빌드를 먼저 확인하고 오프셋을 전달하여 현재 출시되어 있는 Windows 10 빌드에서는 정상적으로 구동합니다. 향후 좀 더 유니버셜한 드라이버로 개발하도록 하겠습니다.
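/*
 * [#] Holiam DKOM Detector Using ActiveProcessLinks, ProcessListEntry
 * Windows 10 Universal (20-04-16)
 * BLOG = Holi4m.github.io
 * FeedBack = h01i4m
 *
 * Walks the _EPROCESS.ActiveProcessLinks list (APL) and the
 * _KPROCESS.ProcessListEntry list (PLE) in lockstep, starting at the
 * current process, and reports every process that is present in one list
 * but missing from the other - the footprint of an unlinked _EPROCESS.
 * Structure offsets are resolved from the running build number.
 */
#include <ntifs.h>

OSVERSIONINFOW osviThis;                    /* refreshed by RtlGetVersion on every offset lookup */
BOOLEAN bPLEFlag = FALSE, bAPLFlag = FALSE; /* TRUE once the PLE / APL cursor has completed its lap */
int iPLECount = 0, iAPLCount = 0;           /* nodes visited on the PLE / APL list */

typedef unsigned long DWORD; // define DWORD

/* Refresh osviThis from RtlGetVersion and return the running build number. */
static DWORD GetBuildNumber(void)
{
    /* RtlGetVersion requires the caller to set dwOSVersionInfoSize. */
    osviThis.dwOSVersionInfoSize = sizeof(osviThis);
    RtlGetVersion(&osviThis);
    return osviThis.dwBuildNumber;
}

/*
 * The three getters below follow the per-build offset table published with
 * this driver. Each returns 0 for a build it does not know; DriverEntry
 * refuses to walk the lists in that case instead of casting a bogus address
 * to a LIST_ENTRY.
 */

DWORD GetAPLOffset(void) // Get ActiveProcessLinks Offset Inside _EPROCESS Structure Func
{
    DWORD dwBuild = GetBuildNumber();
    if (dwBuild >= 19041) { return 0x448; } /* 2004 */
    if (dwBuild >= 18362) { return 0x2F0; } /* 1903, 1909 */
    if (dwBuild >= 15063) { return 0x2E8; } /* 1703 .. 1809 */
    if (dwBuild >= 10240) { return 0x2F0; } /* 1507 .. 1607 */
    return 0;
}

DWORD GetPLEOffset(void) // Get ProcessListEntry Offset inside _KPROCESS Structure Func
{
    DWORD dwBuild = GetBuildNumber();
    if (dwBuild >= 19041) { return 0x350; } /* 2004 */
    if (dwBuild >= 18362) { return 0x248; } /* 1903, 1909 */
    if (dwBuild >= 10240) { return 0x240; } /* 1507 .. 1809 */
    return 0;
}

DWORD GetIFNOffset(void) // Get ImageFileName Offset Inside _EPROCESS Structure Func
{
    DWORD dwBuild = GetBuildNumber();
    if (dwBuild >= 19041) { return 0x5A8; } /* 2004 */
    if (dwBuild >  10240) { return 0x450; } /* 1511 .. 1909 */
    if (dwBuild == 10240) { return 0x448; } /* 1507 */
    return 0;
}

/* Recover the owning _EPROCESS from a LIST_ENTRY embedded at dwOffset inside it. */
static PEPROCESS ProcessFromEntry(PLIST_ENTRY pEntry, DWORD dwOffset)
{
    return (PEPROCESS)((PCHAR)pEntry - dwOffset);
}

/*
 * Print one detection: the header naming the list the process is missing
 * from, then its PID, its _EPROCESS address and its image file name.
 */
static VOID ReportUnlinkedProcess(PCSTR pszHeader, PEPROCESS pProcess, DWORD dwIFNOffset)
{
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "%s", pszHeader);
    /* PsGetProcessId returns a HANDLE; narrow it explicitly so %x receives a 32-bit argument. */
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[PID is %x, PEPROCESS is %p",
               (ULONG)(ULONG_PTR)PsGetProcessId(pProcess), pProcess);
    /* ImageFileName is a fixed 15-byte array; bound the read so an unterminated name cannot run past it. */
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, ", ImageFIleName is %.15s]\n",
               (PCHAR)pProcess + dwIFNOffset);
}

/* DriverUnload callback: nothing to tear down, the whole walk runs inside DriverEntry. */
VOID Unload(_In_ PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("Driver Unload\n");
}

/*
 * Driver entry point. Resolves the build-specific offsets, then walks both
 * process lists once and prints every mismatch to the debugger.
 *
 * Returns STATUS_NOT_SUPPORTED when the running build has no known offsets,
 * STATUS_SUCCESS otherwise (a detection does not change the return value).
 */
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT pDriverObject, _In_ PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);

    pDriverObject->DriverUnload = Unload;
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[#] Holiam Detector Driver\n");

    DWORD pPLE = GetPLEOffset();
    DWORD pAPL = GetAPLOffset();
    DWORD pIFN = GetIFNOffset();
    if (pPLE == 0 || pAPL == 0 || pIFN == 0) {
        /* On an unknown build the casts below would read arbitrary kernel memory. */
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                   "[#] Unsupported build %lu, no offsets known\n", osviThis.dwBuildNumber);
        return STATUS_NOT_SUPPORTED;
    }

    PEPROCESS kpProcess = PsGetCurrentProcess();
    PLIST_ENTRY plPLE = (PLIST_ENTRY)((PCHAR)kpProcess + pPLE);
    PLIST_ENTRY plAPL = (PLIST_ENTRY)((PCHAR)kpProcess + pAPL);
    /* A lap is complete when Flink reaches the node that preceded the starting process. */
    PLIST_ENTRY plPLEHead = plPLE->Blink;
    PLIST_ENTRY plAPLHead = plAPL->Blink;

    /* NOTE(review): both lists are read without the process-list lock, so a process
     * created or exiting during the walk can desynchronise the two cursors. */
    while (1) {
        PEPROCESS pFromAPL = ProcessFromEntry(plAPL->Flink, pAPL);
        PEPROCESS pFromPLE = ProcessFromEntry(plPLE->Flink, pPLE);

        if (pFromAPL != pFromPLE) {
            if (pFromAPL == ProcessFromEntry(plPLE->Flink->Flink, pPLE)) {
                /* PLE has one extra node here: that process was unlinked from ActiveProcessLinks. */
                ReportUnlinkedProcess("[APL Losted Detected!]\n", pFromPLE, pIFN);
                plPLE = plPLE->Flink;
                iPLECount++;
            } else if (ProcessFromEntry(plAPL->Flink->Flink, pAPL) == pFromPLE) {
                /* APL has one extra node here: that process was unlinked from ProcessListEntry. */
                ReportUnlinkedProcess("[PLE Losted Detected!]\n", pFromAPL, pIFN);
                plAPL = plAPL->Flink;
                iAPLCount++;
            }
        }

        if (plPLE->Flink != plPLEHead) {
            iPLECount++;
        } else {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[plPLEHead END, PLECount = %d]\n", iPLECount);
            bPLEFlag = TRUE;
        }
        if (plAPL->Flink != plAPLHead) {
            iAPLCount++;
        } else {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[plAPLHead END, APLCount = %d]\n", iAPLCount);
            bAPLFlag = TRUE;
        }

        if (bPLEFlag && bAPLFlag) {
            break;
        }
        /* A cursor that has finished its lap stays put while the other catches up. */
        if (!bPLEFlag) { plPLE = plPLE->Flink; }
        if (!bAPLFlag) { plAPL = plAPL->Flink; }
    }
    return STATUS_SUCCESS;
}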

[#] EPROCESS, KPROCESS Structure

드라이버 개발 시 사용한 구조체 오프셋입니다. Windows 10 1511 빌드부터 `_FILE_OBJECT` 구조체 타입인 ImageFilePointer가 추가되었습니다. 저는 ImageFileName 오프셋만 사용하였습니다.
Offset Table

(원문 표의 열 제목은 추출 과정에서 유실되었습니다. 아래 열 이름은 Driver.c의 오프셋 함수가 사용하는 값과 대조하여 추정한 것이며, 두 번째 열은 확인되지 않았습니다.)

| Build | ActiveProcessLinks (_EPROCESS) | (미확인) | ProcessListEntry (_KPROCESS) | ImageFilePointer (_EPROCESS) | ImageFileName (_EPROCESS) |
|---|---|---|---|---|---|
| 1507 (10240) | 0x2f0 | 0x3c0 | 0x240 | NULL | 0x448 |
| 1511 (10586) | 0x2f0 | 0x3c0 | 0x240 | 0x448 | 0x450 |
| 1607 (14393) | 0x2f0 | 0x3c0 | 0x240 | 0x448 | 0x450 |
| 1703R2 (15063) | 0x2e8 | 0x3c0 | 0x240 | 0x448 | 0x450 |
| 1703R3 (15063) | 0x2e8 | 0x3c0 | 0x240 | 0x448 | 0x450 |
| 1709 (16299) | 0x2e8 | 0x3c0 | 0x240 | 0x448 | 0x450 |
| 1803 (17134) | 0x2e8 | 0x3c0 | 0x240 | 0x448 | 0x450 |
| 1809 (17763) | 0x2e8 | 0x3c0 | 0x240 | 0x448 | 0x450 |
| 1903 (18362) | 0x2f0 | 0x3c8 | 0x248 | 0x448 | 0x450 |
| 1909 (18363) | 0x2f0 | 0x3c8 | 0x248 | 0x448 | 0x450 |
| 2004 (19041) | 0x448 | 0x520 | 0x350 | 0x5a0 | 0x5a8 |

[#] Youtube

# Reference