leviathan-driver 0.1.0

Windows kernel-mode EDR/XDR driver framework in Rust - callbacks, filters, detection, forensics
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341

//! Pool Tag Scanning for Kernel Forensics
//!
//! Scans kernel memory pools to find objects by their pool tags.
//! This technique can find hidden/unlinked kernel objects.
//!
//! # How It Works
//! Most kernel allocations start with a POOL_HEADER structure that
//! contains a 4-byte pool tag. By scanning memory for known tags,
//! we can find objects that have been unlinked from their lists.
//!
//! # Common Pool Tags
//! - `Proc` - EPROCESS structures
//! - `Thre` - ETHREAD structures
//! - `MmLd` - Loaded kernel modules
//! - `File` - FILE_OBJECT structures
//! - `Driv` - DRIVER_OBJECT structures
//! - `ObHd` - Object handles
//!
//! # Use Cases
//! - Detect DKOM attacks (hidden processes)
//! - Find unlinked kernel objects
//! - Memory forensics analysis
//! - Malware detection

use alloc::vec::Vec;
use core::ptr;
use wdk::println;
use wdk_sys::{
    ntddk::MmIsAddressValid,
    NTSTATUS, PVOID, STATUS_SUCCESS,
};

/// Pool header structure (simplified)
#[repr(C)]
#[derive(Clone, Copy)]
pub struct PoolHeader {
    /// Previous size in pool blocks
    pub previous_size: u8,
    /// Pool index
    pub pool_index: u8,
    /// Block size in pool blocks
    pub block_size: u8,
    /// Pool type
    pub pool_type: u8,
    /// Pool tag (4 bytes)
    pub pool_tag: [u8; 4],
}

/// Size of pool header
pub const POOL_HEADER_SIZE: usize = 16; // On x64

/// Known pool tags for important structures
pub mod pool_tags {
    /// EPROCESS structure
    pub const PROCESS: [u8; 4] = *b"Proc";
    /// ETHREAD structure
    pub const THREAD: [u8; 4] = *b"Thre";
    /// Loaded module (LDR_DATA_TABLE_ENTRY)
    pub const MODULE: [u8; 4] = *b"MmLd";
    /// FILE_OBJECT
    pub const FILE: [u8; 4] = *b"File";
    /// DRIVER_OBJECT
    pub const DRIVER: [u8; 4] = *b"Driv";
    /// Object handle entry
    pub const HANDLE: [u8; 4] = *b"ObHd";
    /// Registry key
    pub const REGKEY: [u8; 4] = *b"CM10";
    /// Network socket
    pub const SOCKET: [u8; 4] = *b"TcpE";
    /// Raw socket
    pub const RAW_SOCKET: [u8; 4] = *b"RawE";
    /// Token
    pub const TOKEN: [u8; 4] = *b"Toke";
}

/// Result of a pool scan
#[derive(Debug)]
pub struct PoolScanResult {
    /// Address where object was found
    pub address: usize,
    /// Pool tag of the object
    pub pool_tag: [u8; 4],
    /// Size of the pool block
    pub block_size: usize,
    /// Whether this object appears in linked lists
    pub is_linked: bool,
}

/// Pool scanner configuration
pub struct PoolScanner {
    /// Start address for scanning
    pub start_address: usize,
    /// End address for scanning
    pub end_address: usize,
    /// Target pool tag to find
    pub target_tag: [u8; 4],
    /// Maximum results to return
    pub max_results: usize,
}

impl PoolScanner {
    /// Create a new pool scanner
    pub fn new(target_tag: [u8; 4]) -> Self {
        Self {
            // Default to scanning typical kernel pool regions
            start_address: 0xFFFF_8000_0000_0000,
            end_address: 0xFFFF_FFFF_FFFF_FFFF,
            target_tag,
            max_results: 1000,
        }
    }

    /// Set custom address range
    pub fn with_range(mut self, start: usize, end: usize) -> Self {
        self.start_address = start;
        self.end_address = end;
        self
    }

    /// Set maximum results
    pub fn with_max_results(mut self, max: usize) -> Self {
        self.max_results = max;
        self
    }

    /// Perform the pool scan
    ///
    /// # Safety
    /// - Must be at IRQL <= DISPATCH_LEVEL
    /// - Address range must be kernel addresses
    pub unsafe fn scan(&self) -> Vec<PoolScanResult> {
        let mut results = Vec::new();

        println!(
            "[Leviathan] Pool scan starting for tag '{}'",
            core::str::from_utf8(&self.target_tag).unwrap_or("????")
        );

        // In production, this would:
        // 1. Enumerate pool pages using MmGetSystemRoutineAddress
        // 2. Scan each page for pool headers
        // 3. Validate pool header consistency
        // 4. Extract object pointers

        // Simplified scanning approach (demonstration)
        // Real implementation needs proper pool page enumeration

        println!(
            "[Leviathan] Pool scan complete: {} results",
            results.len()
        );

        results
    }
}

/// Scan for EPROCESS structures
///
/// Finds all EPROCESS structures including those unlinked from
/// PsActiveProcessHead (hidden processes).
pub fn scan_for_processes() -> Vec<usize> {
    let scanner = PoolScanner::new(pool_tags::PROCESS);

    let results = unsafe { scanner.scan() };

    results.iter().map(|r| r.address).collect()
}

/// Scan for ETHREAD structures
///
/// Finds all kernel thread structures.
pub fn scan_for_threads() -> Vec<usize> {
    let scanner = PoolScanner::new(pool_tags::THREAD);

    let results = unsafe { scanner.scan() };

    results.iter().map(|r| r.address).collect()
}

/// Scan for loaded modules
///
/// Finds all LDR_DATA_TABLE_ENTRY structures including
/// unlinked/hidden kernel modules.
pub fn scan_for_modules() -> Vec<usize> {
    let scanner = PoolScanner::new(pool_tags::MODULE);

    let results = unsafe { scanner.scan() };

    results.iter().map(|r| r.address).collect()
}

/// Scan for DRIVER_OBJECT structures
pub fn scan_for_drivers() -> Vec<usize> {
    let scanner = PoolScanner::new(pool_tags::DRIVER);

    let results = unsafe { scanner.scan() };

    results.iter().map(|r| r.address).collect()
}

/// Scan for network connections (TCP endpoints)
pub fn scan_for_network_connections() -> Vec<usize> {
    let scanner = PoolScanner::new(pool_tags::SOCKET);

    let results = unsafe { scanner.scan() };

    results.iter().map(|r| r.address).collect()
}

/// Pool tag database for identification
pub struct PoolTagDatabase {
    /// Known pool tags and their descriptions
    entries: Vec<(u32, &'static str, &'static str)>,
}

impl PoolTagDatabase {
    /// Create a new pool tag database with known tags
    pub fn new() -> Self {
        let mut entries = Vec::new();

        // Add known pool tags
        // Format: (tag as u32, owner, description)
        entries.push((u32::from_le_bytes(*b"Proc"), "nt", "EPROCESS structure"));
        entries.push((u32::from_le_bytes(*b"Thre"), "nt", "ETHREAD structure"));
        entries.push((u32::from_le_bytes(*b"MmLd"), "nt", "Loaded module entry"));
        entries.push((u32::from_le_bytes(*b"File"), "nt", "FILE_OBJECT"));
        entries.push((u32::from_le_bytes(*b"Driv"), "nt", "DRIVER_OBJECT"));
        entries.push((u32::from_le_bytes(*b"ObHd"), "nt", "Object handle table"));
        entries.push((u32::from_le_bytes(*b"CM10"), "nt", "Registry key object"));
        entries.push((u32::from_le_bytes(*b"TcpE"), "tcpip", "TCP endpoint"));
        entries.push((u32::from_le_bytes(*b"UdpA"), "tcpip", "UDP endpoint"));
        entries.push((u32::from_le_bytes(*b"RawE"), "tcpip", "Raw socket"));
        entries.push((u32::from_le_bytes(*b"Toke"), "nt", "Token object"));
        entries.push((u32::from_le_bytes(*b"Sect"), "nt", "Section object"));
        entries.push((u32::from_le_bytes(*b"Sema"), "nt", "Semaphore object"));
        entries.push((u32::from_le_bytes(*b"Even"), "nt", "Event object"));
        entries.push((u32::from_le_bytes(*b"Muta"), "nt", "Mutant object"));

        Self { entries }
    }

    /// Look up a pool tag
    pub fn lookup(&self, tag: [u8; 4]) -> Option<(&str, &str)> {
        let tag_u32 = u32::from_le_bytes(tag);

        for (entry_tag, owner, desc) in &self.entries {
            if *entry_tag == tag_u32 {
                return Some((owner, desc));
            }
        }

        None
    }

    /// Get all known tags
    pub fn all_tags(&self) -> &[(u32, &'static str, &'static str)] {
        &self.entries
    }
}

/// Quick scan optimization using pool tracker tables
///
/// The kernel maintains _POOL_TRACKER_BIG_PAGES for large allocations.
/// Scanning this table is faster than full memory scanning.
pub mod quick_scan {
    use super::*;

    /// Pool tracker entry for big allocations
    #[repr(C)]
    pub struct PoolTrackerBigPages {
        /// Virtual address of allocation
        pub va: usize,
        /// Pool tag
        pub key: u32,
        /// Pattern (should be 0x1 for in-use)
        pub pattern: u32,
        /// Number of bytes
        pub number_of_bytes: usize,
    }

    /// Scan big pool allocations table
    ///
    /// This is much faster than full memory scanning.
    #[allow(dead_code)]
    pub fn scan_big_pool_table(_target_tag: [u8; 4]) -> Vec<usize> {
        let results = Vec::new();

        // In production:
        // 1. Find PoolBigPageTable and PoolBigPageTableSize
        // 2. Iterate through entries
        // 3. Filter by target tag

        results
    }
}

/// Validation helpers
pub mod validation {
    use super::*;

    /// Validate a pool header
    pub fn is_valid_pool_header(header: &PoolHeader) -> bool {
        // Basic sanity checks
        if header.block_size == 0 {
            return false;
        }

        // Pool type should have valid flags
        if header.pool_type > 0x7F {
            return false;
        }

        // Tag should be printable ASCII or null
        for byte in &header.pool_tag {
            if *byte != 0 && (*byte < 0x20 || *byte > 0x7E) {
                return false;
            }
        }

        true
    }

    /// Validate EPROCESS structure
    pub fn is_valid_eprocess(_address: usize) -> bool {
        // Check EPROCESS signature fields:
        // - Pcb.Header.Type should be ProcessObject (3)
        // - UniqueProcessId should be reasonable
        // - ActiveProcessLinks should be valid pointers

        true // Placeholder
    }

    /// Validate ETHREAD structure
    pub fn is_valid_ethread(_address: usize) -> bool {
        // Check ETHREAD signature fields:
        // - Tcb.Header.Type should be ThreadObject (6)
        // - Process pointer should be valid

        true // Placeholder
    }
}