add IOCTL_CE_ENABLE_DRM

DBKKernel/DBKDrvr.c

@@ -387,9 +387,8 @@ Return Value:
 
 	//Processlist init
 #ifndef CETC
-
 	ProcessEventCount=0;
-	KeInitializeSpinLock(&ProcesslistSL);
+	ExInitializeResourceLite(&ProcesslistR);	
 #endif
 
 	CreateProcessNotifyRoutineEnabled=FALSE;
@@ -673,7 +672,15 @@ void UnloadDriver(PDRIVER_OBJECT DriverObject)
 
 			if (CreateProcessNotifyRoutineEnabled)
 			{
+				DbgPrint("Removing process watch");
+#if (NTDDI_VERSION >= NTDDI_VISTASP1)
+				PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutineEx,TRUE);
+#else
 				PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,TRUE);
+#endif
+
+				
+				DbgPrint("Removing thread watch");
 				PsRemoveCreateThreadNotifyRoutine2(CreateThreadNotifyRoutine);
 			}
 
@@ -700,4 +707,16 @@ void UnloadDriver(PDRIVER_OBJECT DriverObject)
 	ExFreePool(BufDeviceString);
 #endif
 
+	CleanProcessList();
+
+	ExDeleteResourceLite(&ProcesslistR);
+
+	RtlZeroMemory(&ProcesslistR, sizeof(ProcesslistR));
+
+	if (DRMHandle)
+	{
+		DbgPrint("Unregistering DRM handle");
+		ObUnRegisterCallbacks(DRMHandle);
+		DRMHandle = NULL;
+	}
 }

DBKKernel/DBKDrvr.h

@@ -3,7 +3,7 @@
 
 
 
-#define dbkversion 2000021
+#define dbkversion 2000022
 
 
 

DBKKernel/DBKFunc.h

@@ -2,6 +2,9 @@
 #define DBKFUNC_H
 
 #include "ntifs.h"
+//#include <ntifs.h>
+#include <ntstrsafe.h>
+
 #include <windef.h>
 
 #include "interruptHook.h"

DBKKernel/IOPLDispatcher.c

@@ -1,5 +1,6 @@
 #pragma warning( disable: 4103)
 
+
 #include "IOPLDispatcher.h"
 #include "DBKFunc.h"
 #include "DBKDrvr.h"
@@ -20,9 +21,14 @@
 #include "ultimap.h"
 #include "ultimap2.h"
 
+
+
 UINT64 PhysicalMemoryRanges=0; //initialized once, and used thereafter. If the user adds/removes ram at runtime, screw him and make him the reload the driver
 UINT64 PhysicalMemoryRangesListSize=0;
 
+PVOID DRMHandle = NULL;
+PEPROCESS DRMProcess = NULL;
+
 PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTableShadow=NULL;
 PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable=NULL;
 
@@ -130,10 +136,121 @@ void CreateRemoteAPC(ULONG threadid,PVOID addresstoexecute)
                     );
 
 	KeInsertQueueApc (kApc, addresstoexecute, addresstoexecute, 0);
-	
-	
 }
 
+#define PROCESS_TERMINATE                  (0x0001)  
+#define PROCESS_CREATE_THREAD              (0x0002)  
+#define PROCESS_SET_SESSIONID              (0x0004)  
+#define PROCESS_VM_OPERATION               (0x0008)  
+#define PROCESS_VM_READ                    (0x0010)  
+#define PROCESS_VM_WRITE                   (0x0020)  
+#define PROCESS_DUP_HANDLE                 (0x0040)  
+#define PROCESS_CREATE_PROCESS             (0x0080)  
+#define PROCESS_SET_QUOTA                  (0x0100)  
+#define PROCESS_SET_INFORMATION            (0x0200)  
+#define PROCESS_QUERY_INFORMATION          (0x0400)  
+#define PROCESS_SUSPEND_RESUME             (0x0800)  
+#define PROCESS_QUERY_LIMITED_INFORMATION  (0x1000)  
+
+
+
+OB_PREOP_CALLBACK_STATUS ThreadPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
+{		
+	if (DRMProcess == NULL)
+		return OB_PREOP_SUCCESS;
+
+	if (PsGetCurrentProcess() == DRMProcess)
+		return OB_PREOP_SUCCESS;
+
+	if (OperationInformation->ObjectType == *PsThreadType)
+	{
+
+		if (PsGetProcessId(DRMProcess) == PsGetThreadProcessId(OperationInformation->Object))
+		{
+			//probably block it
+
+			if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
+			{
+				//create handle			
+
+				ACCESS_MASK da = OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
+
+				DbgPrint("PID %d opened a handle to the a CE thread with access mask %x", PsGetCurrentProcessId(), da);
+
+				da = da & (THREAD_SET_LIMITED_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION);
+
+				OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = da;
+			}
+			else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
+			{
+				//duplicate handle
+				ACCESS_MASK da = OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess;
+
+				DbgPrint("PID %d duplicated a handle to a CE thread with access mask %x", PsGetCurrentProcessId(), da);
+
+				da = da & (THREAD_SET_LIMITED_INFORMATION | THREAD_QUERY_LIMITED_INFORMATION);
+				OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = da;
+			}
+		}
+	}
+	return OB_PREOP_SUCCESS;
+}
+
+
+VOID ThreadPostCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation)
+{
+	//DbgPrint("ProcessPostCallback");
+}
+
+
+OB_PREOP_CALLBACK_STATUS ProcessPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
+{
+	if (DRMProcess == NULL)
+		return OB_PREOP_SUCCESS;
+
+	if (PsGetCurrentProcess() == DRMProcess)
+		return OB_PREOP_SUCCESS;
+
+	if (OperationInformation->ObjectType == *PsProcessType)
+	{
+		if (OperationInformation->Object == DRMProcess)
+		{
+			//probably block it
+
+			if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
+			{
+				//create handle			
+				
+				ACCESS_MASK da = OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
+
+				DbgPrint("PID %d opened a handle to the CE process with access mask %x", PsGetCurrentProcessId(), da);
+
+				da = da & (PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SUSPEND_RESUME);
+
+				OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = da;
+			}
+			else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
+			{
+				//duplicate handle
+				ACCESS_MASK da = OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess;
+
+				DbgPrint("PID %d duplicated a handle to the CE process with access mask %x", PsGetCurrentProcessId(), da);
+
+				da = da & (PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_SUSPEND_RESUME);
+				OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = da;
+			}
+		}
+	}
+	return OB_PREOP_SUCCESS;
+}
+
+
+VOID ProcessPostCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation)
+{
+	//DbgPrint("ProcessPostCallback");
+}
+
+
 BOOL DispatchIoctlDBVM(IN PDEVICE_OBJECT DeviceObject, ULONG IoControlCode, PVOID lpInBuffer, DWORD nInBufferSize, PVOID lpOutBuffer, DWORD nOutBufferSize, PDWORD lpBytesReturned)
 /*
 Called if dbvm has loaded the driver. Use this to setup a fake irp
@@ -247,20 +364,20 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 			{					
 				PEPROCESS selectedprocess;
 				ULONG processid=*(PULONG)Irp->AssociatedIrp.SystemBuffer;
-				HANDLE ProcessHandle;
+				HANDLE ProcessHandle = GetHandleForProcessID((HANDLE)processid);
-
-
-				ntStatus=STATUS_SUCCESS;
 
+				ntStatus = STATUS_SUCCESS;
+				if (ProcessHandle == 0)
+				{
 					__try
 					{
-					ProcessHandle=0;
+						ProcessHandle = 0;
 
-					if (PsLookupProcessByProcessId((PVOID)(UINT_PTR)(processid),&selectedprocess)==STATUS_SUCCESS)
+						if (PsLookupProcessByProcessId((PVOID)(UINT_PTR)(processid), &selectedprocess) == STATUS_SUCCESS)
 						{
 
 							//DbgPrint("Calling ObOpenObjectByPointer\n");
-							ntStatus=ObOpenObjectByPointer ( 
+							ntStatus = ObOpenObjectByPointer(
 								selectedprocess,
 								0,
 								NULL,
@@ -272,9 +389,10 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 							//DbgPrint("ntStatus=%x",ntStatus);
 						}
 					}
-				__except(1)
+					__except (1)
 					{
-					ntStatus=STATUS_UNSUCCESSFUL;
+						ntStatus = STATUS_UNSUCCESSFUL;
+					}
 				}
 				
 				*(PUINT64)Irp->AssociatedIrp.SystemBuffer=(UINT64)ProcessHandle;
@@ -928,21 +1046,31 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 
 		case IOCTL_CE_STARTPROCESSWATCH:
 			{
-				KIRQL OldIrql;
+				NTSTATUS r;
 
-
+				ExAcquireResourceExclusiveLite(&ProcesslistR, TRUE);				
-				KeAcquireSpinLock(&ProcesslistSL,&OldIrql);
 				ProcessEventCount=0;				
-				KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+				ExReleaseResourceLite(&ProcesslistR);
-				
 				
 				DbgPrint("IOCTL_CE_STARTPROCESSWATCH\n");
 
+				CleanProcessList();
+				WatcherProcess = PsGetCurrentProcess();
+				
 				if (CreateProcessNotifyRoutineEnabled==FALSE)
 				{
+					
 					DbgPrint("calling PsSetCreateProcessNotifyRoutine\n");
-				    CreateProcessNotifyRoutineEnabled=(PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,FALSE)==STATUS_SUCCESS);
+
-					CreateThreadNotifyRoutineEnabled=(PsSetCreateThreadNotifyRoutine(CreateThreadNotifyRoutine)==STATUS_SUCCESS);
+					
+#if (NTDDI_VERSION >= NTDDI_VISTASP1) 
+					r=PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyRoutineEx, FALSE);
+					CreateProcessNotifyRoutineEnabled = r== STATUS_SUCCESS;
+#else
+				    CreateProcessNotifyRoutineEnabled = (PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,FALSE)==STATUS_SUCCESS);					
+#endif
+					if (CreateProcessNotifyRoutineEnabled)
+						CreateThreadNotifyRoutineEnabled = (PsSetCreateThreadNotifyRoutine(CreateThreadNotifyRoutine) == STATUS_SUCCESS);
 				}
 
 				ntStatus=(CreateProcessNotifyRoutineEnabled) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
@@ -950,7 +1078,7 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 				if (ntStatus==STATUS_SUCCESS)
 					DbgPrint("CreateProcessNotifyRoutineEnabled worked\n");
 				else
-					DbgPrint("CreateProcessNotifyRoutineEnabled failed\n");
+					DbgPrint("CreateProcessNotifyRoutineEnabled failed (r=%x)\n",r);
 					
 
 				break;
@@ -960,15 +1088,14 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 
 		case IOCTL_CE_GETPROCESSEVENTS:
 			{
-				KIRQL OldIrql;
 				
-				KeAcquireSpinLock(&ProcesslistSL,&OldIrql);
+				ExAcquireResourceExclusiveLite(&ProcesslistR, TRUE);
 
 				*(PUCHAR)Irp->AssociatedIrp.SystemBuffer=ProcessEventCount;	
 				RtlCopyMemory((PVOID)((UINT_PTR)Irp->AssociatedIrp.SystemBuffer+1),&ProcessEventdata[0],ProcessEventCount*sizeof(ProcessEventdta));
 				ProcessEventCount=0; //there's room for new events
 
-				KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+				ExReleaseResourceLite(&ProcesslistR);
 
 				ntStatus=STATUS_SUCCESS;
 				break;
@@ -977,15 +1104,13 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 
 		case IOCTL_CE_GETTHREADEVENTS:
 			{
-				KIRQL OldIrql;
+				ExAcquireResourceExclusiveLite(&ProcesslistR, TRUE);
-				
-				KeAcquireSpinLock(&ProcesslistSL,&OldIrql);
 
 				*(PUCHAR)Irp->AssociatedIrp.SystemBuffer=ThreadEventCount;	
 				RtlCopyMemory((PVOID)((UINT_PTR)Irp->AssociatedIrp.SystemBuffer+1),&ThreadEventData[0],ThreadEventCount*sizeof(ThreadEventDta));
 				ThreadEventCount=0; //there's room for new events
 
-				KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+				ExReleaseResourceLite(&ProcesslistR);
 
 				ntStatus=STATUS_SUCCESS;
 				break;
@@ -2034,6 +2159,59 @@ NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
 				break;
 			}
 
+		case IOCTL_CE_ENABLE_DRM:
+			{
+				DRMProcess = PsGetCurrentProcess();
+
+				if (DRMHandle == NULL)
+				{
+					WCHAR wcAltitude[10];
+					UNICODE_STRING usAltitude;
+					OB_CALLBACK_REGISTRATION r;
+					LARGE_INTEGER tc;
+					OB_OPERATION_REGISTRATION obr[2];
+					int RandomVal;
+
+					tc.QuadPart = 0;
+					KeQueryTickCount(&tc);
+					RandomVal = 1000 + (tc.QuadPart % 50000);
+
+					DbgPrint("Activating CE's super advanced DRM"); //yeah right....
+
+					DbgPrint("RandomVal=%d", RandomVal);
+					RtlStringCbPrintfW(wcAltitude, sizeof(wcAltitude) - 2, L"%d", RandomVal);
+
+					DbgPrint("wcAltitude=%S", wcAltitude);
+					RtlInitUnicodeString(&usAltitude, wcAltitude);
+
+					r.Version = OB_FLT_REGISTRATION_VERSION;
+					r.Altitude = usAltitude;
+					r.RegistrationContext = NULL;
+
+
+					obr[0].ObjectType = PsProcessType;
+					obr[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
+					obr[0].PreOperation = ProcessPreCallback;
+					obr[0].PostOperation = ProcessPostCallback;
+
+					obr[1].ObjectType = PsThreadType;
+					obr[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
+					obr[1].PreOperation = ThreadPreCallback;
+					obr[1].PostOperation = ThreadPostCallback;
+
+					r.OperationRegistration = obr;
+					r.OperationRegistrationCount = 2;
+
+					ntStatus = ObRegisterCallbacks(&r, &DRMHandle);
+					DbgPrint("ntStatus=%X", ntStatus);
+				}
+				else
+					ntStatus = STATUS_SUCCESS;
+
+				
+				break;
+			}
+
         default:
 			DbgPrint("Unhandled IO request: %x\n", IoControlCode);			
             break;

DBKKernel/IOPLDispatcher.h

@@ -108,10 +108,13 @@
 #define IOCTL_CE_ULTIMAP2_GETTRACESIZE			CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085a, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
 #define IOCTL_CE_ULTIMAP2_RESETTRACESIZE		CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085b, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
 
+#define IOCTL_CE_ENABLE_DRM						CTL_CODE(IOCTL_UNKNOWN_BASE, 0x085c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
 
 extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTableShadow;
 extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
 
+extern PVOID DRMHandle;
+
 #define SYSTEMSERVICE(_function)		KeServiceDescriptorTable->ServiceTable[ *(PULONG)((PUCHAR)_function+1)]
 #define SYSTEMSERVICELINK(_function)	KeServiceDescriptorTable->ServiceTable[*((PUCHAR)(*(PULONG)*((PULONG)((PUCHAR)_function+2)))+1)]
 

DBKKernel/SOURCES

@@ -5,3 +5,4 @@ TARGETLIBS=$(DDK_LIB_PATH)\Ntstrsafe.lib
 AMD64_SOURCES=dbkfunca.asm vmxhelpera.asm debuggera.asm vmxoffloada.asm ultimapa.asm noexceptionsa.asm
 I386_SOURCES=noexceptionsa.asm
 SOURCES=DBKDrvr.c DBKFunc.c IOPLDispatcher.c memscan.c threads.c processlist.c vmxhelper.c interrupthook.c debugger.c vmxoffload.c deepkernel.c ultimap.c ultimap2.c noexceptions.c
+LINK=/INTEGRITYCHECK

DBKKernel/ces.bat

@@ -1,6 +1,7 @@
 @echo off
 command /C echo changing to dos-16 file structure
 set C_DEFINES=
+set LINKER_FLAGS=/INTEGRITYCHECK
 
 set copycmd=/Y
 copy sources.cesigned sources

DBKKernel/processlist.c

@@ -5,6 +5,34 @@
 #include "threads.h"
 #include "memscan.h"
 
+PRTL_GENERIC_TABLE InternalProcessList = NULL;
+
+
+RTL_GENERIC_COMPARE_RESULTS NTAPI ProcessListCompare(__in struct _RTL_GENERIC_TABLE *Table, __in PProcessListData FirstStruct, __in PProcessListData SecondStruct)
+{
+	if (FirstStruct->ProcessID  == SecondStruct->ProcessID)
+		return GenericEqual;
+	else
+	{
+		if (SecondStruct->ProcessID < FirstStruct->ProcessID)
+			return GenericLessThan;
+		else
+			return GenericGreaterThan;
+	}
+}
+
+PVOID NTAPI ProcessListAlloc(__in struct _RTL_GENERIC_TABLE *Table, __in CLONG ByteSize)
+{
+	PVOID r=ExAllocatePoolWithTag(PagedPool, ByteSize, 0);
+	RtlZeroMemory(r, ByteSize);
+}
+
+VOID NTAPI ProcessListDealloc(__in struct _RTL_GENERIC_TABLE *Table, __in __drv_freesMem(Mem) __post_invalid PVOID Buffer)
+{
+	ExFreePoolWithTag(Buffer, 0);
+}
+
+
 VOID GetThreadData(IN PDEVICE_OBJECT  DeviceObject, IN PVOID  Context)
 {
 	KIRQL OldIrql;
@@ -23,14 +51,16 @@ VOID GetThreadData(IN PDEVICE_OBJECT  DeviceObject, IN PVOID  Context)
 
 	selectedthread=NULL;
 
-	KeAcquireSpinLock(&ProcesslistSL,&OldIrql);
+	if (ExAcquireResourceSharedLite(&ProcesslistR, TRUE))
-	tid=tempThreadEntry->ThreadID;
+	{
-	AP=&tempThreadEntry->SuspendApc;
+
-	PsLookupThreadByThreadId((PVOID)tid,&selectedthread);
+		tid = tempThreadEntry->ThreadID;
+		AP = &tempThreadEntry->SuspendApc;
+		PsLookupThreadByThreadId((PVOID)tid, &selectedthread);
 
 		if (selectedthread)
 		{
-		DbgPrint("PEThread=%p\n",selectedthread);
+			DbgPrint("PEThread=%p\n", selectedthread);
 			KeInitializeApc(AP,
 				(PKTHREAD)selectedthread,
 				0,
@@ -46,13 +76,12 @@ VOID GetThreadData(IN PDEVICE_OBJECT  DeviceObject, IN PVOID  Context)
 		{
 			DbgPrint("Failed getting the pethread.\n");
 		}
-
+	}
-	KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+	ExReleaseResourceLite(&ProcesslistR);
 }
 
 VOID CreateThreadNotifyRoutine(IN HANDLE  ProcessId,IN HANDLE  ThreadId,IN BOOLEAN  Create)
 {
-	KIRQL OldIrql;
 	PETHREAD CurrentThread;	
 
 	if (KeGetCurrentIrql()==PASSIVE_LEVEL)
@@ -62,14 +91,13 @@ VOID CreateThreadNotifyRoutine(IN HANDLE  ProcessId,IN HANDLE  ThreadId,IN BOOLE
 		//	PsSetContextThread (bah, xp only)
 		}*/
 
-        KeAcquireSpinLock(&ProcesslistSL,&OldIrql);  //perhaps a check for winxp and then call KeAcquireInStackQueuedSpinLock instead....
+		if (ExAcquireResourceExclusiveLite(&ProcesslistR, TRUE))
-		
-
-		if (ThreadEventCount<50)
 		{
-			ThreadEventData[ThreadEventCount].Created=Create;
+			if (ThreadEventCount < 50)
-			ThreadEventData[ThreadEventCount].ProcessID=(UINT_PTR)ProcessId;
+			{
-			ThreadEventData[ThreadEventCount].ThreadID=(UINT_PTR)ThreadId;
+				ThreadEventData[ThreadEventCount].Created = Create;
+				ThreadEventData[ThreadEventCount].ProcessID = (UINT_PTR)ProcessId;
+				ThreadEventData[ThreadEventCount].ThreadID = (UINT_PTR)ThreadId;
 
 				/*	if (Create)
 						DbgPrint("Create ProcessID=%x\nThreadID=%x\n",(UINT_PTR)ProcessId,(UINT_PTR)ThreadId);
@@ -79,49 +107,114 @@ VOID CreateThreadNotifyRoutine(IN HANDLE  ProcessId,IN HANDLE  ThreadId,IN BOOLE
 
 				ThreadEventCount++;
 			}
+		}
+		ExReleaseResourceLite(&ProcesslistR);
 
-
-		KeReleaseSpinLock(&ProcesslistSL,OldIrql);
-		
-		/*
-		if (CurrentThread!=NULL)
-		{
-			DbgPrint("Dereferencing thread\n");
-		}*/
-
-		//signal thread event (if there's one waiting for a signal)
 		KeSetEvent(ThreadEvent, 0, FALSE);
 		KeClearEvent(ThreadEvent);
-
 	}
 }
 
 VOID CreateProcessNotifyRoutine( IN HANDLE  ParentId, IN HANDLE  ProcessId, IN BOOLEAN  Create)
 {	
-	//LARGE_INTEGER wt;
+	PEPROCESS CurrentProcess = NULL;
-	//HANDLE TH;
+	HANDLE ProcessHandle = 0;
-	KIRQL OldIrql;
-	PEPROCESS CurrentProcess;
-	//CLIENT_ID CI;
 
-	//DbgPrint("CreateProcessNotifyRoutine called (ParentID=%x ProcessID=%d Create=%d\n",ParentId, ProcessId, Create);
 	
 	if (KeGetCurrentIrql()==PASSIVE_LEVEL)
 	{
 		struct ProcessData *tempProcessEntry;
 
-		CurrentProcess=NULL;
-		PsLookupProcessByProcessId((PVOID)ProcessId,&CurrentProcess);
-
 		//aquire a spinlock
-		KeAcquireSpinLock(&ProcesslistSL,&OldIrql);  //perhaps a check for winxp and then call KeAcquireInStackQueuedSpinLock instead....
+		if (ExAcquireResourceExclusiveLite(&ProcesslistR, TRUE))
+		{
+			if (WatcherProcess)
+			{
+				if (PsLookupProcessByProcessId((PVOID)ProcessId, &CurrentProcess) == STATUS_SUCCESS)
+				{
+					if (Create)
+					{
+						//Open a handle to this process
+						KAPC_STATE oldstate;
+						KeStackAttachProcess(WatcherProcess, &oldstate);						
+						__try
+						{
+							__try
+							{
+								NTSTATUS r = ObOpenObjectByPointer(CurrentProcess, 0, NULL, PROCESS_ALL_ACCESS, *PsProcessType, KernelMode, &ProcessHandle);
+								if (r == STATUS_SUCCESS)
+									DbgPrint("Opened handle for pid %d", ProcessId);
+								else
+									DbgPrint("Failed opening handle for pid %d");
+							}
+							__except (1)
+							{
+								DbgPrint("Exception during ObOpenObjectByPointer");
+							}
+						}
+						__finally
+						{
+							KeUnstackDetachProcess(&oldstate);
+						}
+					}
+				}
+
+				if (InternalProcessList == NULL)
+				{
+					InternalProcessList = ExAllocatePoolWithTag(PagedPool, sizeof(RTL_GENERIC_TABLE), 0);
+					if (InternalProcessList)
+						RtlInitializeGenericTable(InternalProcessList, ProcessListCompare, ProcessListAlloc, ProcessListDealloc, NULL);
+				}
+
+				if (InternalProcessList)
+				{
+					ProcessListData d, *r;
+
+					d.ProcessID = ProcessId;
+					d.PEProcess = CurrentProcess;
+					d.ProcessHandle = ProcessHandle;
+
+					r = RtlLookupElementGenericTable(InternalProcessList, &d);
+
+					if (Create)
+					{
+						//add it to the list
+						if (r) //weird
+							RtlDeleteElementGenericTable(InternalProcessList, r);
+
+						RtlInsertElementGenericTable(InternalProcessList, &d, sizeof(ProcessListData), NULL);
+					}
+					else
+					{
+						//remove it from the list (if it's there)
+						if (r)
+						{
+							if (r->ProcessHandle)
+								ZwClose(r->ProcessHandle);
+
+							RtlDeleteElementGenericTable(InternalProcessList, r);
+						}
+
+						if (CurrentProcess == WatcherProcess)
+						{
+							DbgPrint("CE Closed");
+							WatcherProcess = 0;
+
+							CleanProcessList(); //CE closed
+						}
+					}
+				}
+				else
+					ZwClose(ProcessHandle);
+			}
+
 
 			//fill in a processcreateblock with data
-		if (ProcessEventCount<50)
+			if (ProcessEventCount < 50)
 			{
-			ProcessEventdata[ProcessEventCount].Created=Create;
+				ProcessEventdata[ProcessEventCount].Created = Create;
-			ProcessEventdata[ProcessEventCount].ProcessID=(UINT_PTR)ProcessId;
+				ProcessEventdata[ProcessEventCount].ProcessID = (UINT_PTR)ProcessId;
-			ProcessEventdata[ProcessEventCount].PEProcess=(UINT_PTR)CurrentProcess;
+				ProcessEventdata[ProcessEventCount].PEProcess = (UINT_PTR)CurrentProcess;
 				ProcessEventCount++;
 			}
 
@@ -133,43 +226,43 @@ VOID CreateProcessNotifyRoutine( IN HANDLE  ParentId, IN HANDLE  ProcessId, IN B
 
 					//allocate a block of memory for the processlist
 
-				tempProcessEntry=ExAllocatePoolWithTag(NonPagedPool,sizeof(struct ProcessData),0);
+					tempProcessEntry = ExAllocatePoolWithTag(PagedPool, sizeof(struct ProcessData), 0);
-				tempProcessEntry->ProcessID=ProcessId;
+					tempProcessEntry->ProcessID = ProcessId;
-				tempProcessEntry->PEProcess=CurrentProcess;
+					tempProcessEntry->PEProcess = CurrentProcess;
-				tempProcessEntry->Threads=NULL;
+					tempProcessEntry->Threads = NULL;
 
-				DbgPrint("Allocated a process at:%p\n",tempProcessEntry);
+					DbgPrint("Allocated a process at:%p\n", tempProcessEntry);
 
 					if (!processlist)
 					{
-					processlist=tempProcessEntry;
+						processlist = tempProcessEntry;
-					processlist->next=NULL;
+						processlist->next = NULL;
-					processlist->previous=NULL;
+						processlist->previous = NULL;
 					}
 					else
 					{
-					tempProcessEntry->next=processlist;
+						tempProcessEntry->next = processlist;
-					tempProcessEntry->previous=NULL;
+						tempProcessEntry->previous = NULL;
-					processlist->previous=tempProcessEntry;
+						processlist->previous = tempProcessEntry;
-					processlist=tempProcessEntry;
+						processlist = tempProcessEntry;
 					}
 				}
 				else
 				{
 					//find this process and delete it
-				tempProcessEntry=processlist;
+					tempProcessEntry = processlist;
 					while (tempProcessEntry)
 					{
-					if (tempProcessEntry->ProcessID==ProcessId)
+						if (tempProcessEntry->ProcessID == ProcessId)
 						{
 							int i;
 							if (tempProcessEntry->next)
-							tempProcessEntry->next->previous=tempProcessEntry->previous;
+								tempProcessEntry->next->previous = tempProcessEntry->previous;
 
 							if (tempProcessEntry->previous)
-							tempProcessEntry->previous->next=tempProcessEntry->next;
+								tempProcessEntry->previous->next = tempProcessEntry->next;
 							else
-							processlist=tempProcessEntry->next;	//it had no previous entry, so it's the root
+								processlist = tempProcessEntry->next;	//it had no previous entry, so it's the root
 
 
 
@@ -197,28 +290,27 @@ VOID CreateProcessNotifyRoutine( IN HANDLE  ParentId, IN HANDLE  ProcessId, IN B
 
 							ExFreePool(tempProcessEntry);*/
 
-						i=0;
+							i = 0;
-						tempProcessEntry=processlist;
+							tempProcessEntry = processlist;
 							while (tempProcessEntry)
 							{
 								i++;
-							tempProcessEntry=tempProcessEntry->next;
+								tempProcessEntry = tempProcessEntry->next;
 							}
 
-						DbgPrint("There are %d processes in the list\n",i);
+							DbgPrint("There are %d processes in the list\n", i);
 
 							break;
 						}
-					tempProcessEntry=tempProcessEntry->next;
+						tempProcessEntry = tempProcessEntry->next;
 					}
 
 
 				}
 
 			}
-
+		}
-		//release spinlock
+		ExReleaseResourceLite(&ProcesslistR);
-		KeReleaseSpinLock(&ProcesslistSL,OldIrql);
 
 		if (CurrentProcess!=NULL)
 			ObDereferenceObject(CurrentProcess);
@@ -230,7 +322,45 @@ VOID CreateProcessNotifyRoutine( IN HANDLE  ParentId, IN HANDLE  ProcessId, IN B
 			KeClearEvent(ProcessEvent);
 		}
 	}
-
-
 }
 
+VOID CreateProcessNotifyRoutineEx(IN HANDLE  ParentId, IN HANDLE  ProcessId, __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo)
+{
+	DbgPrint("CreateProcessNotifyRoutineEx");
+	CreateProcessNotifyRoutine(ParentId, ProcessId, CreateInfo!=NULL);
+}
+
+HANDLE GetHandleForProcessID(IN HANDLE ProcessID)
+{
+	if (InternalProcessList)
+	{
+		ProcessListData d, *r;
+
+		d.ProcessID = ProcessID;
+		r = RtlLookupElementGenericTable(InternalProcessList, &d);
+		if (r)
+			return r->ProcessHandle;
+	}
+	else
+		return 0;
+}
+
+VOID CleanProcessList()
+{
+	if (InternalProcessList)
+	{
+		PProcessListData li;
+
+		while (li = RtlGetElementGenericTable(InternalProcessList, 0))
+		{
+			if (li->ProcessHandle)
+				ZwClose(li->ProcessHandle);
+
+			RtlDeleteElementGenericTable(InternalProcessList, li);
+		}
+
+		ExFreePoolWithTag(InternalProcessList, 0);
+		InternalProcessList = NULL;
+	}
+
+}

DBKKernel/processlist.h

@@ -4,6 +4,7 @@
 
 
 VOID CreateProcessNotifyRoutine(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create);
+VOID CreateProcessNotifyRoutineEx(IN HANDLE  ParentId, IN HANDLE  ProcessId, __in_opt PPS_CREATE_NOTIFY_INFO CreateInfo);
 
 struct ThreadData
 {
@@ -16,6 +17,14 @@ struct ThreadData
 	struct ThreadData *next;
 };
 
+typedef struct
+{
+	HANDLE ProcessID;
+	PEPROCESS PEProcess;
+	HANDLE ProcessHandle;
+} ProcessListData, *PProcessListData;
+
+
 struct ProcessData
 {
     HANDLE ProcessID;
@@ -37,7 +46,7 @@ PKEVENT ProcessEvent;
 //HANDLE  ProcessEventHandle;
 
 BOOLEAN CreateProcessNotifyRoutineEnabled;
-KSPIN_LOCK ProcesslistSL;
+ERESOURCE ProcesslistR;
 
 
 VOID CreateThreadNotifyRoutine(IN HANDLE ProcessId, IN HANDLE ThreadId, IN BOOLEAN Create);
@@ -52,4 +61,7 @@ UCHAR ThreadEventCount;
 PKEVENT ThreadEvent;
 //HANDLE  ThreadEventHandle;
 
+PEPROCESS WatcherProcess;
 BOOLEAN CreateThreadNotifyRoutineEnabled;
+VOID CleanProcessList();
+HANDLE GetHandleForProcessID(IN HANDLE ProcessID);

DBKKernel/sources.ce

@@ -5,3 +5,4 @@ TARGETLIBS=$(DDK_LIB_PATH)\Ntstrsafe.lib
 AMD64_SOURCES=dbkfunca.asm vmxhelpera.asm debuggera.asm vmxoffloada.asm ultimapa.asm noexceptionsa.asm
 I386_SOURCES=noexceptionsa.asm
 SOURCES=DBKDrvr.c DBKFunc.c IOPLDispatcher.c memscan.c threads.c processlist.c vmxhelper.c interrupthook.c debugger.c vmxoffload.c deepkernel.c ultimap.c ultimap2.c noexceptions.c
+LINK=/INTEGRITYCHECK

DBKKernel/sources.cesigned

@@ -3,5 +3,6 @@ TARGETPATH=obj
 TARGETTYPE=DRIVER
 TARGETLIBS=$(DDK_LIB_PATH)\ksecdd.lib $(DDK_LIB_PATH)\Ntstrsafe.lib
 C_DEFINES=/DTOBESIGNED
-AMD64_SOURCES=dbkfunca.asm vmxhelpera.asm debuggera.asm vmxoffloada.asm ultimapa.asm
+AMD64_SOURCES=dbkfunca.asm vmxhelpera.asm debuggera.asm vmxoffloada.asm ultimapa.asm noexceptionsa.asm
-SOURCES=DBKDrvr.c DBKFunc.c IOPLDispatcher.c memscan.c threads.c processlist.c vmxhelper.c interrupthook.c debugger.c vmxoffload.c deepkernel.c ultimap.c ultimap2.c sigcheck.c
+I386_SOURCES=noexceptionsa.asm
+SOURCES=DBKDrvr.c DBKFunc.c IOPLDispatcher.c memscan.c threads.c processlist.c vmxhelper.c interrupthook.c debugger.c vmxoffload.c deepkernel.c ultimap.c ultimap2.c sigcheck.c noexceptions.c

DBKKernel/threads.c

@@ -60,15 +60,15 @@ void DBKSuspendThread(ULONG ThreadID)
 	struct ThreadData *t_data;
 
 
-    KeAcquireSpinLock(&ProcesslistSL,&OldIrql); 
+	if (ExAcquireResourceSharedLite(&ProcesslistR, TRUE))
-
+	{
 		DbgPrint("Going to suspend this thread\n");
 
 		//find the thread in the threadlist
 
 
 		//find the threadid in the processlist
-	t_data=GetThreaddata(ThreadID);
+		t_data = GetThreaddata(ThreadID);
 		if (t_data)
 		{
 			DbgPrint("Suspending thread....\n");
@@ -78,7 +78,7 @@ void DBKSuspendThread(ULONG ThreadID)
 			if (!t_data->PEThread)
 			{
 				//not yet initialized
-			t_data->PEThread=(PETHREAD)getPEThread(ThreadID);
+				t_data->PEThread = (PETHREAD)getPEThread(ThreadID);
 				KeInitializeApc(&t_data->SuspendApc,
 					(PKTHREAD)t_data->PEThread,
 					0,
@@ -89,16 +89,16 @@ void DBKSuspendThread(ULONG ThreadID)
 					t_data);
 
 			}
-		DbgPrint("x should be %p",t_data);
+			DbgPrint("x should be %p", t_data);
 			t_data->suspendcount++;
 
-		if (t_data->suspendcount==1) //not yet suspended so suspend it
+			if (t_data->suspendcount == 1) //not yet suspended so suspend it
 				KeInsertQueueApc(&t_data->SuspendApc, t_data, t_data, 0);
 		}
 		else
 			DbgPrint("Thread not found in the list\n");
-
+	}
-	KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+	ExReleaseResourceLite(&ProcesslistR);
 }
 
 void DBKResumeThread(ULONG ThreadID)
@@ -108,8 +108,8 @@ void DBKResumeThread(ULONG ThreadID)
 	struct ThreadData *t_data;
 
 
-    KeAcquireSpinLock(&ProcesslistSL,&OldIrql); 
+	if (ExAcquireResourceSharedLite(&ProcesslistR, TRUE))
-
+	{
 
 		DbgPrint("Going to resume this thread\n");
 
@@ -117,20 +117,20 @@ void DBKResumeThread(ULONG ThreadID)
 
 
 		//find the threadid in the processlist
-	t_data=GetThreaddata(ThreadID);
+		t_data = GetThreaddata(ThreadID);
 		if (t_data)
 		{
 			if (t_data->suspendcount)
 			{
 				t_data->suspendcount--;
 				if (!t_data->suspendcount) //suspendcount=0 so resume
-				KeReleaseSemaphore(&t_data->SuspendSemaphore,0,1,FALSE);
+					KeReleaseSemaphore(&t_data->SuspendSemaphore, 0, 1, FALSE);
 			}
 		}
 		else
 			DbgPrint("Thread not found in the list\n");
-
+	}
-	KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+	ExReleaseResourceLite(&ProcesslistR);
 
 }
 
@@ -142,28 +142,29 @@ void DBKSuspendProcess(ULONG ProcessID)
 	struct ProcessData *tempProcessData=NULL;
 
 
-    KeAcquireSpinLock(&ProcesslistSL,&OldIrql); 
+	if (ExAcquireResourceSharedLite(&ProcesslistR, TRUE))
+	{
 
 
 		DbgPrint("Going to suspend this process\n");
 
 		//find the process in the threadlist
 
-	tempProcessData=processlist;
+		tempProcessData = processlist;
 		while (tempProcessData)
 		{
-		if (tempProcessData->ProcessID==(HANDLE)(UINT_PTR)ProcessID)
+			if (tempProcessData->ProcessID == (HANDLE)(UINT_PTR)ProcessID)
 			{
-			t_data=tempProcessData->Threads;
+				t_data = tempProcessData->Threads;
 				break;
 			}
-		tempProcessData=tempProcessData->next;
+			tempProcessData = tempProcessData->next;
 		}
 
 		if (!t_data)
 		{
 			DbgPrint("This process was not found\n");
-		KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+			ExReleaseResourceLite(&ProcesslistR);
 			return; //no process found
 		}
 
@@ -175,7 +176,7 @@ void DBKSuspendProcess(ULONG ProcessID)
 			if (!t_data->PEThread)
 			{
 				//not yet initialized
-			t_data->PEThread=(PETHREAD)getPEThread((UINT_PTR)t_data->ThreadID);
+				t_data->PEThread = (PETHREAD)getPEThread((UINT_PTR)t_data->ThreadID);
 				KeInitializeApc(&t_data->SuspendApc,
 					(PKTHREAD)t_data->PEThread,
 					0,
@@ -186,16 +187,16 @@ void DBKSuspendProcess(ULONG ProcessID)
 					t_data);
 
 			}
-		DbgPrint("x should be %p",t_data); 
+			DbgPrint("x should be %p", t_data);
 			t_data->suspendcount++;
 
-		if (t_data->suspendcount==1) //not yet suspended so suspend it
+			if (t_data->suspendcount == 1) //not yet suspended so suspend it
 				KeInsertQueueApc(&t_data->SuspendApc, t_data, t_data, 0);
 
-		t_data=t_data->next; //next thread
+			t_data = t_data->next; //next thread
 		}
-
+	}
-	KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+	ExReleaseResourceLite(&ProcesslistR);
 
 }
 
@@ -207,28 +208,28 @@ void DBKResumeProcess(ULONG ProcessID)
 	struct ProcessData *tempProcessData=NULL;
 
 
-	KeAcquireSpinLock(&ProcesslistSL,&OldIrql);
+	if (ExAcquireResourceSharedLite(&ProcesslistR, TRUE))
-	
+	{
 
 		DbgPrint("Going to suspend this process\n");
 
 		//find the process in the threadlist
 
-	tempProcessData=processlist;
+		tempProcessData = processlist;
 		while (tempProcessData)
 		{
-		if (tempProcessData->ProcessID==(HANDLE)(UINT_PTR)ProcessID)
+			if (tempProcessData->ProcessID == (HANDLE)(UINT_PTR)ProcessID)
 			{
-			t_data=tempProcessData->Threads;
+				t_data = tempProcessData->Threads;
 				break;
 			}
-		tempProcessData=tempProcessData->next;
+			tempProcessData = tempProcessData->next;
 		}
 
 		if (!t_data)
 		{
 			DbgPrint("This process was not found\n");
-		KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+			ExReleaseResourceLite(&ProcesslistR);
 			return; //no process found
 		}
 
@@ -241,13 +242,13 @@ void DBKResumeProcess(ULONG ProcessID)
 			{
 				t_data->suspendcount--;
 				if (!t_data->suspendcount) //suspendcount=0 so resume
-				KeReleaseSemaphore(&t_data->SuspendSemaphore,0,1,FALSE);
+					KeReleaseSemaphore(&t_data->SuspendSemaphore, 0, 1, FALSE);
 			}
 
 
-		t_data=t_data->next; //next thread
+			t_data = t_data->next; //next thread
 		}
-
+	}
-	KeReleaseSpinLock(&ProcesslistSL,OldIrql);
+	ExReleaseResourceLite(&ProcesslistR);
 }
 

DBKKernel/ultimap2.c

@@ -8,17 +8,6 @@
 #include "ultimap2.h"
 
 
-typedef ULONG(NTUSERSETWINDOWSHOOKEX)(
-	IN HANDLE hmod,
-	IN PUNICODE_STRING pstrLib OPTIONAL,
-	IN DWORD idThread,
-	IN int nFilterType,
-	IN PVOID pfnFilterProc,
-	IN DWORD dwFlags
-	);
-NTUSERSETWINDOWSHOOKEX OldNtUserSetWindowsHookEx;
-
-
 typedef NTSTATUS(*PSSUSPENDPROCESS)(PEPROCESS p);
 
 
@@ -937,7 +926,7 @@ RTL_GENERIC_COMPARE_RESULTS NTAPI ToPACompare(__in struct _RTL_GENERIC_TABLE *Ta
 {
 	//DbgPrint("Comparing %p with %p", FirstStruct->PhysicalAddress, FirstStruct->PhysicalAddress);
 
-	if (FirstStruct->PhysicalAddress == FirstStruct->PhysicalAddress)
+	if (FirstStruct->PhysicalAddress == SecondStruct->PhysicalAddress)
 		return GenericEqual;
 	else
 	{