leviathan-driver 0.3.0

Windows kernel-mode EDR/XDR driver framework in Rust - callbacks, filters, detection, forensics
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318

//! Early Launch Anti-Malware (ELAM) Driver Support
//!
//! ELAM is a Microsoft technology that allows anti-malware drivers to
//! load before any other third-party drivers during Windows boot.
//!
//! # Boot Order with ELAM
//! ```text
//! 1. UEFI Firmware (Secure Boot verification)
//! 2. Windows Boot Manager (bootmgfw.efi)
//! 3. Windows Boot Loader (winload.efi)
//! 4. Windows Kernel (ntoskrnl.exe)
//! 5. ELAM Driver (leviathan_elam.sys) <-- Loads here!
//! 6. Other Boot-Start Drivers
//! 7. System-Start Drivers
//! ```
//!
//! # ELAM Capabilities
//! - Evaluate boot drivers before they load
//! - Classify drivers as Good, Bad, Bad but Critical, or Unknown
//! - Block malicious drivers from loading
//! - Protect boot process from rootkits
//!
//! # Requirements
//! - Driver must be signed with ELAM certificate
//! - Must be registered under HKLM\ELAM\<VendorName>
//! - Contains malware signatures for boot driver evaluation
//!
//! # Limitations
//! - Cannot protect against bootkits (pre-bootloader attacks)
//! - Must execute quickly (simple signature checks only)
//! - Limited to boot driver classification

use wdk::println;
use wdk_sys::{NTSTATUS, STATUS_SUCCESS};

/// ELAM driver classification results
#[repr(u32)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ElamClassification {
    /// Driver is known to be good
    Good = 0,
    /// Driver is known to be malicious
    Bad = 1,
    /// Driver is malicious but critical for boot
    BadButCritical = 2,
    /// Driver status is unknown
    Unknown = 3,
}

/// Boot driver information for ELAM evaluation
#[repr(C)]
pub struct BootDriverInfo {
    /// Driver image path
    pub image_path: [u16; 260],
    /// Driver registry path
    pub registry_path: [u16; 260],
    /// Driver image hash (SHA256)
    pub image_hash: [u8; 32],
    /// Certificate thumbprint
    pub cert_thumbprint: [u8; 20],
    /// Driver image size
    pub image_size: u32,
    /// Classification result
    pub classification: ElamClassification,
}

/// ELAM configuration stored in registry
/// Located at: HKLM\ELAM\<VendorName>
#[repr(C)]
pub struct ElamConfig {
    /// Measured (hashed) signature data
    pub measured: [u8; 256],
    /// Policy configuration
    pub policy: [u8; 256],
    /// Configuration data
    pub config: [u8; 256],
}

/// ELAM callback registration
///
/// In a full ELAM driver, this would be registered during DriverEntry
/// and called by the boot loader for each boot driver.
pub struct ElamCallbacks {
    /// Callback for evaluating boot drivers
    pub boot_driver_callback: Option<unsafe extern "C" fn(*const BootDriverInfo) -> ElamClassification>,
    /// Callback for status updates
    pub status_update_callback: Option<unsafe extern "C" fn(u32, NTSTATUS)>,
}

/// Registry path for ELAM configuration
pub const ELAM_REGISTRY_PATH: &str = "\\Registry\\Machine\\ELAM\\Leviathan";

/// Initialize ELAM functionality
///
/// # Note
/// A full ELAM driver must:
/// 1. Be a separate boot-start driver
/// 2. Be signed with Microsoft ELAM certificate
/// 3. Register callbacks with IoRegisterBootDriverCallback
///
/// This module provides the structure for ELAM support.
///
/// # Safety
/// Must be called from DriverEntry at PASSIVE_LEVEL
pub unsafe fn init_elam_support() -> Result<(), NTSTATUS> {
    println!("[Leviathan] Initializing ELAM support structures");

    // In a real ELAM driver:
    // 1. Register with IoRegisterBootDriverCallback
    // 2. Load signature data from registry
    // 3. Prepare for boot driver evaluation

    // Verify ELAM registry configuration exists
    // let config = load_elam_config()?;

    println!("[Leviathan] ELAM support initialized");
    Ok(())
}

/// Load ELAM configuration from registry
///
/// ELAM drivers store their signature data in:
/// HKLM\ELAM\<VendorName>\Measured
/// HKLM\ELAM\<VendorName>\Policy
/// HKLM\ELAM\<VendorName>\Config
#[allow(dead_code)]
unsafe fn load_elam_config() -> Result<ElamConfig, NTSTATUS> {
    // In production:
    // 1. Open registry key HKLM\ELAM\Leviathan
    // 2. Read Measured, Policy, and Config values
    // 3. Parse signature database

    let config = ElamConfig {
        measured: [0u8; 256],
        policy: [0u8; 256],
        config: [0u8; 256],
    };

    Ok(config)
}

/// Evaluate a boot driver against known signatures
///
/// This is the core ELAM functionality - determine if a boot driver
/// should be allowed to load.
///
/// # Parameters
/// - `driver_info`: Information about the boot driver
///
/// # Returns
/// Classification result determining if driver loads
pub fn evaluate_boot_driver(driver_info: &BootDriverInfo) -> ElamClassification {
    // Check against known bad hashes
    if is_known_malicious(&driver_info.image_hash) {
        println!("[Leviathan] ELAM: Malicious boot driver detected!");
        return ElamClassification::Bad;
    }

    // Check against known good hashes
    if is_known_good(&driver_info.image_hash) {
        return ElamClassification::Good;
    }

    // Check certificate validity
    if !is_valid_certificate(&driver_info.cert_thumbprint) {
        println!("[Leviathan] ELAM: Invalid certificate on boot driver");
        return ElamClassification::Unknown;
    }

    // Default to unknown for unrecognized drivers
    ElamClassification::Unknown
}

/// Check if driver hash matches known malicious signatures
fn is_known_malicious(hash: &[u8; 32]) -> bool {
    // In production:
    // Compare against malware signature database
    // loaded from ELAM registry configuration

    // Example known bad hashes (placeholder)
    let known_bad_hashes: &[[u8; 32]] = &[
        // Add known malicious driver hashes
    ];

    for bad_hash in known_bad_hashes {
        if hash == bad_hash {
            return true;
        }
    }

    false
}

/// Check if driver hash matches known good signatures
fn is_known_good(hash: &[u8; 32]) -> bool {
    // In production:
    // Compare against whitelist of known good drivers
    // Microsoft drivers, known AV products, etc.

    let _ = hash;
    false
}

/// Validate driver certificate
fn is_valid_certificate(thumbprint: &[u8; 20]) -> bool {
    // In production:
    // 1. Verify certificate chain
    // 2. Check against revocation list
    // 3. Verify Microsoft or trusted CA signature

    let _ = thumbprint;
    true
}

/// Boot driver callback function type
///
/// Called by Windows Boot Loader for each boot-start driver
pub type BootDriverCallback = unsafe extern "C" fn(
    driver_list: *const BootDriverInfo,
    driver_count: u32,
) -> NTSTATUS;

/// Example boot driver callback implementation
///
/// # Safety
/// Called by the Windows Boot Loader at early boot
pub unsafe extern "C" fn boot_driver_callback(
    driver_list: *const BootDriverInfo,
    driver_count: u32,
) -> NTSTATUS {
    if driver_list.is_null() {
        return wdk_sys::STATUS_INVALID_PARAMETER;
    }

    for i in 0..driver_count {
        let driver_info = unsafe { &*driver_list.add(i as usize) };

        let classification = evaluate_boot_driver(driver_info);

        // Log the classification
        match classification {
            ElamClassification::Good => {
                println!("[Leviathan] ELAM: Boot driver classified as GOOD");
            }
            ElamClassification::Bad => {
                println!("[Leviathan] ELAM: Boot driver classified as BAD - blocking!");
            }
            ElamClassification::BadButCritical => {
                println!("[Leviathan] ELAM: Boot driver BAD but CRITICAL - allowing");
            }
            ElamClassification::Unknown => {
                println!("[Leviathan] ELAM: Boot driver UNKNOWN");
            }
        }
    }

    STATUS_SUCCESS
}

/// ELAM IoControl codes for communication
pub mod ioctl {
    use wdk_sys::ULONG;

    /// Update ELAM signature database
    pub const IOCTL_UPDATE_SIGNATURES: ULONG = 0x80003000;

    /// Query ELAM status
    pub const IOCTL_QUERY_STATUS: ULONG = 0x80003004;

    /// Get boot driver list
    pub const IOCTL_GET_BOOT_DRIVERS: ULONG = 0x80003008;
}

/// Measured Boot integration
///
/// Measured Boot extends ELAM by logging measurements to TPM PCRs,
/// allowing remote attestation of boot integrity.
pub mod measured_boot {
    use super::*;

    /// PCR indices used for boot measurements
    pub mod pcr {
        /// UEFI firmware measurements
        pub const FIRMWARE: u32 = 0;
        /// Boot loader measurements
        pub const BOOT_LOADER: u32 = 4;
        /// Boot driver measurements
        pub const BOOT_DRIVERS: u32 = 12;
        /// ELAM driver measurements
        pub const ELAM: u32 = 13;
    }

    /// Log measurement to TPM PCR
    ///
    /// This extends the specified PCR with the measurement hash.
    #[allow(dead_code)]
    pub fn extend_pcr(_pcr_index: u32, _hash: &[u8; 32]) -> Result<(), NTSTATUS> {
        // In production:
        // 1. Open TPM device
        // 2. Call TPM2_PCR_Extend
        // 3. Log event to TCG event log

        Ok(())
    }

    /// Verify boot integrity via remote attestation
    ///
    /// Compares current PCR values against expected good values.
    #[allow(dead_code)]
    pub fn verify_boot_integrity() -> bool {
        // In production:
        // 1. Read current PCR values
        // 2. Compare against known good baseline
        // 3. Check TPM quote signature

        true
    }
}