use core::sync::atomic::{AtomicBool, Ordering};
use wdk::println;
use wdk_sys::{
ntddk::{PsSetLoadImageNotifyRoutine, PsRemoveLoadImageNotifyRoutine},
HANDLE, NTSTATUS, PIMAGE_INFO, PUNICODE_STRING, STATUS_SUCCESS,
};
static REGISTERED: AtomicBool = AtomicBool::new(false);
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ImageType {
UserExe,
UserDll,
KernelDriver,
Unknown,
}
#[repr(C)]
#[derive(Debug)]
pub struct ImageLoadEvent {
pub image_type: ImageType,
pub process_id: usize,
pub image_base: usize,
pub image_size: usize,
pub is_kernel_mode: bool,
}
pub unsafe fn register() -> Result<(), NTSTATUS> {
if REGISTERED.load(Ordering::SeqCst) {
return Ok(());
}
let status = unsafe {
PsSetLoadImageNotifyRoutine(Some(image_load_callback))
};
if status != STATUS_SUCCESS {
println!("[Leviathan] Failed to register image callback: {:#x}", status);
return Err(status);
}
REGISTERED.store(true, Ordering::SeqCst);
println!("[Leviathan] Image load callback registered");
Ok(())
}
pub unsafe fn unregister() {
if !REGISTERED.load(Ordering::SeqCst) {
return;
}
let status = unsafe {
PsRemoveLoadImageNotifyRoutine(Some(image_load_callback))
};
if status == STATUS_SUCCESS {
REGISTERED.store(false, Ordering::SeqCst);
println!("[Leviathan] Image load callback unregistered");
}
}
unsafe extern "C" fn image_load_callback(
full_image_name: PUNICODE_STRING,
process_id: HANDLE,
image_info: PIMAGE_INFO,
) {
if image_info.is_null() {
return;
}
let info = unsafe { &*image_info };
let pid = process_id as usize;
let is_kernel = pid == 0;
let _image_type = if is_kernel {
ImageType::KernelDriver
} else if unsafe { info.__bindgen_anon_1.__bindgen_anon_1.SystemModeImage() } != 0 {
ImageType::KernelDriver
} else {
ImageType::UserDll
};
if is_kernel {
println!(
"[Leviathan] KERNEL Image Load: Base={:#x}, Size={:#x}",
info.ImageBase as usize,
info.ImageSize as usize
);
} else {
println!(
"[Leviathan] USER Image Load: PID={}, Base={:#x}, Size={:#x}",
pid,
info.ImageBase as usize,
info.ImageSize as usize
);
}
if !full_image_name.is_null() {
let name = unsafe { &*full_image_name };
if name.Length > 0 && !name.Buffer.is_null() {
println!("[Leviathan] Image path length: {} chars", name.Length / 2);
}
}
unsafe { check_suspicious_load(pid, info, full_image_name) };
}
unsafe fn check_suspicious_load(
process_id: usize,
info: &wdk_sys::IMAGE_INFO,
_image_name: PUNICODE_STRING,
) {
if process_id == 0 {
println!(
"[Leviathan] Kernel driver loaded at {:#x}",
info.ImageBase as usize
);
}
}
#[allow(dead_code)]
fn is_suspicious_path(path: &[u16]) -> bool {
let suspicious_patterns = [
"\\temp\\",
"\\tmp\\",
"\\downloads\\",
"\\appdata\\local\\temp\\",
];
let _ = (path, suspicious_patterns);
false
}
#[allow(dead_code)]
fn is_vulnerable_driver(_image_base: usize, _image_size: usize) -> bool {
false
}