// A driver entry point _Use_decl_annotations_ NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path) { UNREFERENCED_PARAMETER(registry_path); PAGED_CODE(); static const wchar_t kLogFilePath[] = L"\\SystemRoot\\HyperPlatform.log"; static const auto kLogLevel = (IsReleaseBuild()) ? kLogPutLevelInfo | kLogOptDisableFunctionName : kLogPutLevelDebug | kLogOptDisableFunctionName; auto status = STATUS_UNSUCCESSFUL; driver_object->DriverUnload = DriverpDriverUnload; HYPERPLATFORM_COMMON_DBG_BREAK(); // Initialize log functions bool need_reinitialization = false; status = LogInitialization(kLogLevel, kLogFilePath); if (status == STATUS_REINITIALIZATION_NEEDED) { need_reinitialization = true; } else if (!NT_SUCCESS(status)) { return status; } // Test if the system is supported if (!DriverpIsSuppoetedOS()) { return STATUS_CANCELLED; } // Initialize perf functions status = PerfInitialization(); if (!NT_SUCCESS(status)) { LogTermination(); return status; } // Initialize utility functions status = UtilInitialization(); if (!NT_SUCCESS(status)) { PerfTermination(); LogTermination(); return status; } // Virtualize all processors status = VmInitialization(); if (!NT_SUCCESS(status)) { UtilTermination(); PerfTermination(); LogTermination(); return status; } // Register re-initialization for the log functions if needed if (need_reinitialization) { LogRegisterReinitialization(driver_object); } HYPERPLATFORM_LOG_INFO("The VMM has been installed."); return status; }
_Use_decl_annotations_ EXTERN_C NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { UNREFERENCED_PARAMETER(RegistryPath); PAGED_CODE(); auto status = STATUS_UNSUCCESSFUL; DriverObject->DriverUnload = DriverUnload; DBG_BREAK(); status = LogInitialization(LOG_LEVEL, nullptr); if (!NT_SUCCESS(status)) { return status; } // Build the following code as a SYSENTER handler on NonPagedPool // // FF 25 00 00 00 00 jmp cs:jmp_address // FF FF FF FF FF FF FF FF jmp_address dq 0FFFFFFFFFFFFFFFFh const JMP_CODE jmpCode = {{0xff, 0x25}, __readmsr(IA32_LSTAR)}; g_Trampoline = reinterpret_cast<UCHAR*>(ExAllocatePoolWithTag( NonPagedPoolExecute, sizeof(jmpCode), POOL_TAG_NAME)); if (!g_Trampoline) { LogTermination(); return STATUS_MEMORY_NOT_ALLOCATED; } RtlCopyMemory(g_Trampoline, &jmpCode, sizeof(jmpCode)); // Modify MSR UtilForEachProcessor(MsrHookCallback, nullptr); return status; }
EXTERN_C static NTSTATUS FLTAPI ScvnpUnload(_In_ FLT_FILTER_UNLOAD_FLAGS Flags) { PAGED_CODE(); UNREFERENCED_PARAMETER(Flags); FltUnregisterFilter(g_ScvnpFilterHandle); BCryptCloseAlgorithmProvider(g_ScvnpSha1AlgorithmHandle, 0); LogTermination(nullptr); return STATUS_SUCCESS; }
// Unload handler _Use_decl_annotations_ static void DriverpDriverUnload( PDRIVER_OBJECT driver_object) { UNREFERENCED_PARAMETER(driver_object); PAGED_CODE(); HYPERPLATFORM_COMMON_DBG_BREAK(); VmTermination(); UtilTermination(); PerfTermination(); LogTermination(); }
_Use_decl_annotations_ EXTERN_C static void DriverUnload( PDRIVER_OBJECT DriverObject) { UNREFERENCED_PARAMETER(DriverObject); PAGED_CODE(); DBG_BREAK(); // Restore MSR UtilForEachProcessor(MsrHookCallback, nullptr); ExFreePoolWithTag(g_Trampoline, POOL_TAG_NAME); LogTermination(); }
EXTERN_C NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) { const FLT_OPERATION_REGISTRATION fltCallbacks[] = { { IRP_MJ_CLEANUP, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, nullptr, ScvnpPostCleanupAndFlushBuffers, }, { IRP_MJ_FLUSH_BUFFERS, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, nullptr, ScvnpPostCleanupAndFlushBuffers, }, {IRP_MJ_SET_INFORMATION, FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO, ScvnpPreSetInformation, nullptr}, {IRP_MJ_OPERATION_END}}; const FLT_REGISTRATION filterRegistration = { sizeof(filterRegistration), // Size FLT_REGISTRATION_VERSION, // Version 0, // Flags nullptr, // Context fltCallbacks, // Operation callbacks ScvnpUnload, // FilterUnload nullptr, // InstanceSetup nullptr, // InstanceQueryTeardown nullptr, // InstanceTeardownStart nullptr, // InstanceTeardownComplete nullptr, // GenerateFileName nullptr, // GenerateDestinationFileName nullptr, // NormalizeNameComponent }; PAGED_CODE(); UNREFERENCED_PARAMETER(RegistryPath); // DBG_BREAK(); auto status = ScvnpCreateDirectory(SCVNP_OUT_DIRECTORY_PATH); if (!NT_SUCCESS(status)) { return status; } // Initialize the Log system status = LogInitialization( SCVNP_LOG_LEVEL | LOG_OPT_DISABLE_TIME | LOG_OPT_DISABLE_FUNCTION_NAME, SCVNP_LOG_FILE_PATH, nullptr); if (!NT_SUCCESS(status)) { return status; } // Initialize the crypt APIs. status = BCryptOpenAlgorithmProvider(&g_ScvnpSha1AlgorithmHandle, BCRYPT_SHA1_ALGORITHM, nullptr, 0); if (!NT_SUCCESS(status)) { LOG_ERROR("BCryptOpenAlgorithmProvider failed (%08x)", status); LogTermination(nullptr); return status; } // Register and start a mini filter driver status = FltRegisterFilter(DriverObject, &filterRegistration, &g_ScvnpFilterHandle); if (!NT_SUCCESS(status)) { LOG_ERROR("FltRegisterFilter failed (%08x)", status); BCryptCloseAlgorithmProvider(g_ScvnpSha1AlgorithmHandle, 0); LogTermination(nullptr); return status; } status = FltStartFiltering(g_ScvnpFilterHandle); if (!NT_SUCCESS(status)) { LOG_ERROR("FltStartFiltering failed (%08x)", status); FltUnregisterFilter(g_ScvnpFilterHandle); BCryptCloseAlgorithmProvider(g_ScvnpSha1AlgorithmHandle, 0); LogTermination(nullptr); return status; } LOG_INFO("Scavenger installed"); return status; }