leviathan-driver 0.3.0

Windows kernel-mode EDR/XDR driver framework in Rust - callbacks, filters, detection, forensics
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353

//! Process and Thread Enumeration
//!
//! Multiple methods for enumerating kernel objects to detect
//! hidden processes and threads via cross-referencing.
//!
//! # Enumeration Methods
//! 1. ActiveProcessLinks walking (standard)
//! 2. PspCidTable handle table scanning
//! 3. Thread scheduler queues
//! 4. Pool tag scanning
//! 5. HandleTableList walking
//!
//! # Detection Technique
//! Compare results from multiple methods. Objects that appear
//! in some methods but not others may be hidden via DKOM.

use alloc::collections::BTreeSet;
use alloc::vec::Vec;
use core::ptr;
use wdk::println;
use wdk_sys::{
    ntddk::{
        PsLookupProcessByProcessId,
    },
    NTSTATUS, PEPROCESS, HANDLE, STATUS_SUCCESS,
};

/// System information class for ZwQuerySystemInformation
/// Note: ZwQuerySystemInformation is not exported in wdk-sys 0.5 default bindings.
/// These are well-known values from NT internals.
pub const SYSTEM_PROCESS_INFORMATION: u32 = 5;

/// Get current process - use IoGetCurrentProcess which is available
/// Note: PsGetCurrentProcess is not exported in wdk-sys 0.5, use IoGetCurrentProcess
pub unsafe fn ps_get_current_process() -> PEPROCESS {
    unsafe { wdk_sys::ntddk::IoGetCurrentProcess() }
}

/// Get process image file name
/// Note: PsGetProcessImageFileName is not exported in wdk-sys 0.5.
/// This returns a pointer to the image filename stored in EPROCESS.
/// In production, use SeLocateProcessImageName or query via ZwQueryInformationProcess.
pub unsafe fn ps_get_process_image_filename(process: PEPROCESS) -> *mut i8 {
    // EPROCESS.ImageFileName offset varies by Windows version.
    // On Windows 10/11 x64, it's typically at offset 0x5A8.
    // This is a placeholder - in production, use a proper approach.
    let _ = process;
    ptr::null_mut()
}

/// Process information from enumeration
#[derive(Debug, Clone)]
pub struct ProcessInfo {
    /// Process ID
    pub pid: usize,
    /// Parent process ID
    pub ppid: usize,
    /// Process name (up to 15 chars)
    pub name: [u8; 16],
    /// EPROCESS address
    pub eprocess: usize,
    /// Session ID
    pub session_id: u32,
    /// Is process terminated
    pub is_terminated: bool,
    /// Which enumeration methods found this process
    pub found_by: EnumerationMethods,
}

/// Bit flags for enumeration methods
#[derive(Debug, Clone, Copy, Default)]
pub struct EnumerationMethods {
    /// Found via ActiveProcessLinks
    pub active_process_links: bool,
    /// Found via PspCidTable
    pub cid_table: bool,
    /// Found via thread->process links
    pub thread_process: bool,
    /// Found via pool tag scanning
    pub pool_scan: bool,
    /// Found via ZwQuerySystemInformation
    pub system_info: bool,
}

impl EnumerationMethods {
    /// Check if process was found by all methods
    pub fn found_by_all(&self) -> bool {
        self.active_process_links
            && self.cid_table
            && self.thread_process
            && self.pool_scan
            && self.system_info
    }

    /// Check if process might be hidden (found by some but not all)
    pub fn possibly_hidden(&self) -> bool {
        let count = [
            self.active_process_links,
            self.cid_table,
            self.thread_process,
            self.pool_scan,
            self.system_info,
        ]
        .iter()
        .filter(|&&x| x)
        .count();

        // If found by some but not all methods, might be hidden
        count > 0 && count < 5
    }
}

/// Thread information from enumeration
#[derive(Debug, Clone)]
pub struct ThreadInfo {
    /// Thread ID
    pub tid: usize,
    /// Owning process ID
    pub pid: usize,
    /// ETHREAD address
    pub ethread: usize,
    /// Thread state
    pub state: u8,
    /// Start address
    pub start_address: usize,
    /// Is orphan thread (no valid process)
    pub is_orphan: bool,
}

/// Full process enumeration using multiple methods
pub struct ProcessEnumerator {
    /// Collected process info
    processes: Vec<ProcessInfo>,
    /// Set of seen PIDs
    seen_pids: BTreeSet<usize>,
}

impl ProcessEnumerator {
    /// Create new enumerator
    pub fn new() -> Self {
        Self {
            processes: Vec::new(),
            seen_pids: BTreeSet::new(),
        }
    }

    /// Run all enumeration methods
    ///
    /// # Safety
    /// Must be called at PASSIVE_LEVEL
    pub unsafe fn enumerate_all(&mut self) -> Result<(), NTSTATUS> {
        println!("[Leviathan] Starting multi-method process enumeration");

        // Method 1: ZwQuerySystemInformation (user-mode visible)
        unsafe { self.enumerate_via_system_info()? };

        // Method 2: ActiveProcessLinks walking
        unsafe { self.enumerate_via_active_links()? };

        // Method 3: PspCidTable (handle table)
        unsafe { self.enumerate_via_cid_table()? };

        // Method 4: Thread->Process links
        unsafe { self.enumerate_via_threads()? };

        // Method 5: Pool tag scanning (find unlinked)
        unsafe { self.enumerate_via_pool_scan()? };

        println!(
            "[Leviathan] Enumeration complete: {} processes found",
            self.processes.len()
        );

        Ok(())
    }

    /// Enumerate using ZwQuerySystemInformation
    ///
    /// This is what Task Manager and most user-mode tools use.
    unsafe fn enumerate_via_system_info(&mut self) -> Result<(), NTSTATUS> {
        // Would use SystemProcessInformation (5)
        // This returns SYSTEM_PROCESS_INFORMATION structures

        // In production:
        // 1. Query required buffer size
        // 2. Allocate buffer
        // 3. Call ZwQuerySystemInformation
        // 4. Walk linked list of SYSTEM_PROCESS_INFORMATION

        println!("[Leviathan] Enumeration via SystemProcessInformation");
        Ok(())
    }

    /// Enumerate by walking ActiveProcessLinks
    ///
    /// Walks the EPROCESS.ActiveProcessLinks doubly-linked list
    /// starting from PsActiveProcessHead.
    unsafe fn enumerate_via_active_links(&mut self) -> Result<(), NTSTATUS> {
        // In production:
        // 1. Get PsActiveProcessHead (exported symbol)
        // 2. Walk FLINK through all entries
        // 3. Extract process info from each EPROCESS

        println!("[Leviathan] Enumeration via ActiveProcessLinks");
        Ok(())
    }

    /// Enumerate via PspCidTable (Client ID table)
    ///
    /// The CID table maps PIDs to EPROCESS pointers.
    /// More reliable than linked list walking.
    unsafe fn enumerate_via_cid_table(&mut self) -> Result<(), NTSTATUS> {
        // In production:
        // 1. Get PspCidTable address
        // 2. Walk the handle table structure
        // 3. Extract EPROCESS pointers from handles

        // This table is used by PsLookupProcessByProcessId

        println!("[Leviathan] Enumeration via PspCidTable");
        Ok(())
    }

    /// Enumerate via thread->process links
    ///
    /// Every thread points to its owning process.
    /// Find all threads and collect their processes.
    unsafe fn enumerate_via_threads(&mut self) -> Result<(), NTSTATUS> {
        // In production:
        // 1. Enumerate all threads (similar methods)
        // 2. For each thread, get ETHREAD.Tcb.Process
        // 3. Add process to list if not seen

        // Also detects orphan threads (threads with invalid process)

        println!("[Leviathan] Enumeration via thread->process links");
        Ok(())
    }

    /// Enumerate via pool tag scanning
    ///
    /// Scan kernel pool for EPROCESS structures by pool tag.
    /// Finds even completely unlinked processes.
    unsafe fn enumerate_via_pool_scan(&mut self) -> Result<(), NTSTATUS> {
        // Uses the pool_scanner module

        println!("[Leviathan] Enumeration via pool tag scanning");
        Ok(())
    }

    /// Get all enumerated processes
    pub fn get_processes(&self) -> &[ProcessInfo] {
        &self.processes
    }

    /// Find potentially hidden processes
    ///
    /// Returns processes that weren't found by all methods.
    pub fn find_hidden(&self) -> Vec<&ProcessInfo> {
        self.processes
            .iter()
            .filter(|p| p.found_by.possibly_hidden())
            .collect()
    }

    /// Find orphan threads (threads without valid process)
    pub fn find_orphan_threads(&self) -> Vec<ThreadInfo> {
        // Threads that point to invalid or non-existent processes
        Vec::new()
    }
}

/// Quick process lookup by PID
///
/// # Safety
/// Returns EPROCESS pointer - must dereference when done
pub unsafe fn lookup_process(pid: usize) -> Option<PEPROCESS> {
    let mut process: PEPROCESS = ptr::null_mut();

    let status = unsafe {
        PsLookupProcessByProcessId(pid as HANDLE, &mut process)
    };

    if status == STATUS_SUCCESS && !process.is_null() {
        Some(process)
    } else {
        None
    }
}

/// Get process name from EPROCESS
///
/// # Safety
/// EPROCESS must be valid
pub unsafe fn get_process_name(process: PEPROCESS) -> [u8; 16] {
    let mut name = [0u8; 16];

    // Use our helper function to get the image filename
    let name_ptr = unsafe { ps_get_process_image_filename(process) };

    if !name_ptr.is_null() {
        for i in 0..15 {
            let byte = unsafe { *name_ptr.add(i) };
            if byte == 0 {
                break;
            }
            name[i] = byte as u8;
        }
    }

    name
}

/// EPROCESS structure offsets (Windows 10/11 x64)
///
/// These offsets vary by Windows version!
pub mod offsets {
    /// EPROCESS.ActiveProcessLinks offset (Windows 11 24H2)
    pub const ACTIVE_PROCESS_LINKS: usize = 0x448;

    /// EPROCESS.UniqueProcessId offset
    pub const UNIQUE_PROCESS_ID: usize = 0x440;

    /// EPROCESS.InheritedFromUniqueProcessId offset
    pub const INHERITED_FROM_UNIQUE_PROCESS_ID: usize = 0x540;

    /// EPROCESS.ImageFileName offset
    pub const IMAGE_FILE_NAME: usize = 0x5A8;

    /// EPROCESS.ThreadListHead offset
    pub const THREAD_LIST_HEAD: usize = 0x5E0;

    /// ETHREAD.ThreadListEntry offset
    pub const THREAD_LIST_ENTRY: usize = 0x4E8;

    /// ETHREAD.Cid offset (CLIENT_ID)
    pub const ETHREAD_CID: usize = 0x478;
}

/// Detect DKOM by comparing enumeration results
pub fn detect_dkom(enumerator: &ProcessEnumerator) -> Vec<&ProcessInfo> {
    let hidden = enumerator.find_hidden();

    for process in &hidden {
        println!(
            "[Leviathan] Potentially hidden process: PID={} Name={}",
            process.pid,
            core::str::from_utf8(&process.name).unwrap_or("<invalid>")
        );
    }

    hidden
}