leviathan-driver 0.2.0

Windows kernel-mode EDR/XDR driver framework in Rust - callbacks, filters, detection, forensics
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338

//! Kernel Timers, DPCs, and Work Items
//!
//! Provides mechanisms for deferred and scheduled execution in kernel mode.
//!
//! # Components
//! - **DPC (Deferred Procedure Call)**: High-priority kernel execution at DISPATCH_LEVEL
//! - **Timer + DPC**: Schedule code to run after a delay
//! - **Work Items**: Execute code at PASSIVE_LEVEL (can use blocking operations)
//!
//! # IRQL Considerations
//! - DPC routines run at DISPATCH_LEVEL (cannot page fault, no blocking)
//! - Work items run at PASSIVE_LEVEL (full kernel functionality)
//! - Timer callbacks run as DPCs (DISPATCH_LEVEL)
//!
//! # Use Cases
//! - Periodic polling/monitoring
//! - Deferred interrupt processing
//! - Background cleanup tasks
//! - Delayed operations

use wdk::println;
use wdk_sys::{
    ntddk::{
        KeInitializeDpc, KeInitializeTimer, KeSetTimerEx, KeCancelTimer,
        IoAllocateWorkItem, IoQueueWorkItem, IoFreeWorkItem,
    },
    KDPC, KTIMER, LARGE_INTEGER, PKDPC, PVOID, PDEVICE_OBJECT,
    PIO_WORKITEM, WORK_QUEUE_TYPE,
};

/// IO_WORKITEM is an opaque type - only used as a pointer
#[repr(C)]
pub struct IO_WORKITEM {
    _opaque: [u8; 0],
}

/// Wrapper for a kernel timer with associated DPC
pub struct KernelTimer {
    timer: KTIMER,
    dpc: KDPC,
    active: bool,
}

impl KernelTimer {
    /// Create a new uninitialized timer
    ///
    /// # Safety
    /// Must call `init` before using the timer
    pub const unsafe fn new_uninit() -> Self {
        Self {
            timer: unsafe { core::mem::zeroed() },
            dpc: unsafe { core::mem::zeroed() },
            active: false,
        }
    }

    /// Initialize the timer with a DPC callback
    ///
    /// # Safety
    /// - Must be called at IRQL <= DISPATCH_LEVEL
    /// - Callback will be invoked at DISPATCH_LEVEL
    pub unsafe fn init(&mut self, callback: unsafe extern "C" fn(PKDPC, PVOID, PVOID, PVOID), context: PVOID) {
        unsafe {
            KeInitializeTimer(&mut self.timer);
            KeInitializeDpc(&mut self.dpc, Some(callback), context);
        }
    }

    /// Start the timer with specified interval
    ///
    /// # Parameters
    /// - `due_time_ms`: Initial delay in milliseconds (negative = relative)
    /// - `period_ms`: Repeat period in milliseconds (0 = one-shot)
    ///
    /// # Safety
    /// Timer must be initialized
    pub unsafe fn start(&mut self, due_time_ms: i64, period_ms: u32) {
        // Convert to 100-nanosecond units (negative = relative time)
        let due_time = LARGE_INTEGER {
            QuadPart: -due_time_ms * 10_000,
        };

        unsafe {
            KeSetTimerEx(&mut self.timer, due_time, period_ms as i32, &mut self.dpc);
        }
        self.active = true;

        println!(
            "[Leviathan] Timer started: due={}ms, period={}ms",
            due_time_ms, period_ms
        );
    }

    /// Cancel the timer
    ///
    /// # Safety
    /// Timer must be initialized
    pub unsafe fn cancel(&mut self) -> bool {
        if !self.active {
            return false;
        }

        let was_queued = unsafe { KeCancelTimer(&mut self.timer) };
        self.active = false;
        println!("[Leviathan] Timer cancelled");
        was_queued != 0
    }

    /// Check if timer is active
    pub fn is_active(&self) -> bool {
        self.active
    }
}

/// Example DPC callback function
///
/// # Safety
/// Called at DISPATCH_LEVEL - cannot page fault or block!
pub unsafe extern "C" fn example_dpc_callback(
    _dpc: PKDPC,
    context: PVOID,
    _arg1: PVOID,
    _arg2: PVOID,
) {
    // context contains the user-provided data
    let _ = context;

    // DPC rules:
    // - Cannot access paged memory
    // - Cannot call blocking functions
    // - Cannot acquire mutex/fast mutex
    // - Keep execution time short
    // - If lengthy work needed, queue a work item

    println!("[Leviathan] DPC callback executed");
}

/// Work item wrapper for PASSIVE_LEVEL execution
pub struct WorkItem {
    work_item: PIO_WORKITEM,
    device: PDEVICE_OBJECT,
}

impl WorkItem {
    /// Allocate a new work item
    ///
    /// # Safety
    /// - Must be called at IRQL <= DISPATCH_LEVEL
    /// - Device object must remain valid while work item exists
    pub unsafe fn new(device: PDEVICE_OBJECT) -> Option<Self> {
        let work_item = unsafe { IoAllocateWorkItem(device) };
        if work_item.is_null() {
            return None;
        }

        Some(Self { work_item, device })
    }

    /// Queue the work item for execution
    ///
    /// # Parameters
    /// - `callback`: Function to execute at PASSIVE_LEVEL
    /// - `context`: User-provided context
    /// - `queue_type`: DelayedWorkQueue (normal) or CriticalWorkQueue (higher priority)
    ///
    /// # Safety
    /// Work item must be valid and not already queued
    pub unsafe fn queue(
        &self,
        callback: unsafe extern "C" fn(PDEVICE_OBJECT, PVOID),
        context: PVOID,
        queue_type: WORK_QUEUE_TYPE,
    ) {
        unsafe {
            IoQueueWorkItem(
                self.work_item,
                Some(callback),
                queue_type,
                context,
            );
        }
        println!("[Leviathan] Work item queued");
    }
}

impl Drop for WorkItem {
    fn drop(&mut self) {
        if !self.work_item.is_null() {
            unsafe { IoFreeWorkItem(self.work_item) };
        }
    }
}

/// Example work item callback
///
/// Runs at PASSIVE_LEVEL - can perform any kernel operation
pub unsafe extern "C" fn example_work_callback(
    device: PDEVICE_OBJECT,
    context: PVOID,
) {
    let _ = (device, context);

    // At PASSIVE_LEVEL, we can:
    // - Access paged memory
    // - Call blocking functions
    // - Acquire mutexes
    // - Perform file I/O
    // - Sleep

    println!("[Leviathan] Work item callback executed at PASSIVE_LEVEL");
}

/// One-shot timer that automatically queues a work item
///
/// Useful pattern: DPC (fast) triggers work item (full functionality)
pub struct DeferredWork {
    timer: KTIMER,
    dpc: KDPC,
}

impl DeferredWork {
    /// Create deferred work that runs after a delay
    ///
    /// # Safety
    /// Must be called at PASSIVE_LEVEL
    pub unsafe fn schedule_after_ms(
        delay_ms: u64,
        _work_callback: unsafe extern "C" fn(PDEVICE_OBJECT, PVOID),
        _device: PDEVICE_OBJECT,
        context: PVOID,
    ) -> Option<Self> {
        let mut deferred = Self {
            timer: unsafe { core::mem::zeroed() },
            dpc: unsafe { core::mem::zeroed() },
        };

        // Store callback info in DPC context
        // In production, would allocate a context structure

        unsafe {
            KeInitializeTimer(&mut deferred.timer);
            // DPC would queue the work item
            KeInitializeDpc(&mut deferred.dpc, Some(deferred_dpc_handler), context);
        }

        let due_time = LARGE_INTEGER {
            QuadPart: -(delay_ms as i64 * 10_000),
        };

        unsafe {
            KeSetTimerEx(&mut deferred.timer, due_time, 0, &mut deferred.dpc);
        }

        Some(deferred)
    }
}

/// DPC handler that queues a work item
unsafe extern "C" fn deferred_dpc_handler(
    _dpc: PKDPC,
    context: PVOID,
    _arg1: PVOID,
    _arg2: PVOID,
) {
    // In production:
    // 1. Extract work item info from context
    // 2. Queue work item using IoQueueWorkItem
    // 3. Clean up timer resources

    let _ = context;
    println!("[Leviathan] Deferred DPC -> queueing work item");
}

/// Periodic task runner
///
/// Runs a callback at regular intervals using timer + DPC
pub struct PeriodicTask {
    timer: KernelTimer,
    interval_ms: u32,
}

impl PeriodicTask {
    /// Create a new periodic task
    ///
    /// # Safety
    /// Must be called at PASSIVE_LEVEL
    pub unsafe fn new(
        interval_ms: u32,
        callback: unsafe extern "C" fn(PKDPC, PVOID, PVOID, PVOID),
        context: PVOID,
    ) -> Self {
        let mut timer = unsafe { KernelTimer::new_uninit() };
        unsafe { timer.init(callback, context) };

        Self { timer, interval_ms }
    }

    /// Start the periodic task
    pub unsafe fn start(&mut self) {
        unsafe {
            self.timer.start(self.interval_ms as i64, self.interval_ms);
        }
    }

    /// Stop the periodic task
    pub unsafe fn stop(&mut self) {
        unsafe { self.timer.cancel() };
    }
}

/// Common periodic task implementations
pub mod tasks {
    use super::*;

    /// Heartbeat task - logs driver status periodically
    pub unsafe extern "C" fn heartbeat_callback(
        _dpc: PKDPC,
        _context: PVOID,
        _arg1: PVOID,
        _arg2: PVOID,
    ) {
        // Quick status check at DISPATCH_LEVEL
        // In production: update statistics, check health
        println!("[Leviathan] Heartbeat - driver alive");
    }

    /// Cleanup task - periodic resource cleanup
    pub unsafe extern "C" fn cleanup_callback(
        _dpc: PKDPC,
        context: PVOID,
        _arg1: PVOID,
        _arg2: PVOID,
    ) {
        // Queue a work item for actual cleanup (needs PASSIVE_LEVEL)
        let _ = context;
        println!("[Leviathan] Cleanup task triggered");
    }
}