Fix STL imports by changing include paths

mandiant · Nov 20, 2023 · e7e45ab · e7e45ab
1 parent 36693d7
commit e7e45ab
Show file tree

Hide file tree

Showing 8 changed files with 60 additions and 546 deletions.
diff --git a/C/FileDeleteRecordPluginDriver/FileDeleteRecordPluginDriver.cpp b/C/FileDeleteRecordPluginDriver/FileDeleteRecordPluginDriver.cpp
@@ -3,10 +3,9 @@
 
 #include "interface.h"
 
-#include "..\Utils\Utils.h"
+#include "utils.h"
 
 const unsigned long PLUGIN_POOL_TAG = 'LEDS';
-const wchar_t* backup_directory = L"\\??\\C:\\deleted";
 
 #pragma warning(disable: 6011)
 PluginApis g_Apis;
@@ -24,7 +23,7 @@ enum PROBE_IDS : ULONG64 {
 extern "C" __declspec(dllexport) void StpInitialize(PluginApis & pApis) {
     g_Apis = pApis;
     LOG_INFO("Plugin Initializing...\r\n");
-    
+
     g_Apis.pSetCallback("SetInformationFile", PROBE_IDS::IdSetInformationFile);
     LOG_INFO("Plugin Initialized\r\n");
 }
@@ -69,6 +68,29 @@ void PrintStackTrace(CallerInfo& callerinfo) {
     }
 }
 
+OBJECT_NAME_INFORMATION* getFilePathFromHandle(HANDLE hFile) {
+    ULONG dwSize = 0;
+    OBJECT_NAME_INFORMATION* pObjectName = nullptr;
+    NTSTATUS status = ZwQueryObject(hFile, (OBJECT_INFORMATION_CLASS)1 /*ObjectNameInformation*/, pObjectName, 0, &dwSize);
+    if (dwSize)
+    {
+        pObjectName = (OBJECT_NAME_INFORMATION*)ExAllocatePoolWithTag(NonPagedPoolNx, dwSize, PLUGIN_POOL_TAG);
+        if (pObjectName) {
+            status = ZwQueryObject(hFile, (OBJECT_INFORMATION_CLASS)1 /*ObjectNameInformation*/, pObjectName, dwSize, &dwSize);
+        }
+    }
+
+    if (status == STATUS_SUCCESS && pObjectName) {
+        return pObjectName;
+    }
+
+    if (pObjectName) {
+        ExFreePoolWithTag(pObjectName, PLUGIN_POOL_TAG);
+        pObjectName = nullptr;
+    }
+    return nullptr;
+}
+
 extern "C" __declspec(dllexport) void StpCallbackEntry(ULONG64 pService, ULONG32 probeId, MachineState & ctx, CallerInfo & callerinfo)
 {
     //LOG_INFO("[ENTRY] %s[0x%x](%d) Id: %d Parameters: [%d]\r\n", callerinfo.processName, callerinfo.processId, callerinfo.isWow64 ? 32 : 64, pService, probeId, ctx.paramCount);
@@ -77,30 +99,30 @@ extern "C" __declspec(dllexport) void StpCallbackEntry(ULONG64 pService, ULONG32
     UNREFERENCED_PARAMETER(ctx);
     UNREFERENCED_PARAMETER(callerinfo);
     switch (probeId) {
-        case PROBE_IDS::IdSetInformationFile: {
-            auto hFile = (HANDLE)ctx.read_argument(0);
-            auto InformationClass = ctx.read_argument(4);
-            if (InformationClass == 13) { // FileDispositionInformation
-                auto pInformation = (char*)ctx.read_argument(2); // 1 == DeleteFile
-                if (*pInformation == 1) {
-                    auto pFilePath = getFilePathFromHandle(hFile);
-
-                    if (pFilePath) {
-                        LOG_INFO("File %wZ deleted\r\n", pFilePath->Name);
-                        backupFile((wchar_t*)backup_directory, pFilePath->Name, hFile);
-                        ExFreePoolWithTag(pFilePath, PLUGIN_POOL_TAG);
-                        pFilePath = nullptr;
-                        LOG_INFO("File Backup Complete\r\n");
-                    }
-                    else {
-                        LOG_INFO("File [unknown] deleted\r\n");
-                    }
-
-                    PrintStackTrace(callerinfo);
+    case PROBE_IDS::IdSetInformationFile: {
+        auto hFile = (HANDLE)ctx.read_argument(0);
+        auto InformationClass = ctx.read_argument(4);
+        if (InformationClass == 13) { // FileDispositionInformation
+            auto pInformation = (char*)ctx.read_argument(2); // 1 == DeleteFile
+            if (*pInformation == 1) {
+                auto pFilePath = getFilePathFromHandle(hFile);
+
+                if (pFilePath) {
+                    LOG_INFO("File %wZ deleted\r\n", pFilePath->Name);
+                    //backupFile((wchar_t*)backup_directory, pFilePath->Name, hFile);
+                    //ExFreePoolWithTag(pFilePath, PLUGIN_POOL_TAG);
+                    //pFilePath = nullptr;
+                    LOG_INFO("File Backup Complete\r\n");
                 }
+                else {
+                    LOG_INFO("File [unknown] deleted\r\n");
+                }
+
+                PrintStackTrace(callerinfo);
             }
-            break;
         }
+        break;
+    }
     }
 }
 ASSERT_INTERFACE_IMPLEMENTED(StpCallbackEntry, tStpCallbackEntryPlugin, "StpCallbackEntry does not match the interface type");
@@ -132,8 +154,7 @@ VOID DeviceUnload(_In_ PDRIVER_OBJECT DriverObject)
     DBGPRINT("FileDeleteRecord::DeviceUnload");
 }
 
-
-/* 
+/*
 *   /GS- must be set to disable stack cookies and have DriverEntry
 *   be the entrypoint. GsDriverEntry sets up stack cookie and calls
 *   Driver Entry normally.
@@ -144,7 +165,7 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 
     DBGPRINT("FileDeleteRecord::DriverEntry()");
 
-    
+
     DriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceCreateClose;
     DriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceCreateClose;
     DriverObject->DriverUnload = DeviceUnload;

diff --git a/C/FileDeleteRecordPluginDriver/FileDeleteRecordPluginDriver.vcxproj b/C/FileDeleteRecordPluginDriver/FileDeleteRecordPluginDriver.vcxproj
@@ -70,10 +70,12 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
     <EnableInf2cat>false</EnableInf2cat>
+    <IncludePath>$(VC_IncludePath);$(CRT_IncludePath);$(KM_IncludePath);$(KIT_SHARED_IncludePath)</IncludePath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
     <EnableInf2cat>false</EnableInf2cat>
+    <IncludePath>$(VC_IncludePath);$(CRT_IncludePath);$(KM_IncludePath);$(KIT_SHARED_IncludePath)</IncludePath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
@@ -97,7 +99,7 @@
     </ClCompile>
     <Link>
       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
-      <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib;Utils.lib</AdditionalDependencies>
+      <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib</AdditionalDependencies>
       <AdditionalLibraryDirectories>$(outdir)</AdditionalLibraryDirectories>
     </Link>
   </ItemDefinitionGroup>
@@ -115,7 +117,7 @@
     </ClCompile>
     <Link>
       <EntryPointSymbol>DriverEntry</EntryPointSymbol>
-      <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib;Utils.lib</AdditionalDependencies>
+      <AdditionalDependencies>%(AdditionalDependencies);$(KernelBufferOverflowLib);$(DDK_LIB_PATH)ntoskrnl.lib;$(DDK_LIB_PATH)hal.lib;$(DDK_LIB_PATH)wmilib.lib</AdditionalDependencies>
       <AdditionalLibraryDirectories>$(outdir)</AdditionalLibraryDirectories>
     </Link>
   </ItemDefinitionGroup>

diff --git a/C/FileDeleteRecordPluginDriver/utils.h b/C/FileDeleteRecordPluginDriver/utils.h
@@ -5,26 +5,12 @@
 #include "Interface.h"
 #include "string.h"
 
-namespace kstl {
-    template<typename T> struct remove_reference { typedef T type; };
-    template<typename T> struct remove_reference<T&> { typedef T type; };
-    template<typename T> struct remove_reference<T&&> { typedef T type; };
-
-    template <class _Ty>
-    using remove_reference_t = typename remove_reference<_Ty>::type;
-
-    template <class _Ty>
-    constexpr _Ty&& forward(remove_reference_t<_Ty>& _Arg) noexcept {
-        return static_cast<_Ty&&>(_Arg);
-    };
-
-    // <https://stackoverflow.com/a/7518365>
-    template<typename T>
-    typename remove_reference<T>::type&& move(T&& arg)
-    {
-        return static_cast<typename remove_reference<T>::type&&>(arg);
-    }
-}
+// $(VC_IncludePath); required for these imports to work in the driver
+#define _ITERATOR_DEBUG_LEVEL 0
+#include <utility>
+#include <array>
+#include <span>
+#include <type_traits>
 
 #define ObjectNameInformation (OBJECT_INFORMATION_CLASS)1
 
@@ -35,7 +21,7 @@ template<typename T, typename... Args>
 int string_printf(String& str, T printer, Args&&... args) {
     char tmp[512] = { 0 };
 
-    int size = printer(tmp, sizeof(tmp), kstl::forward<Args>(args)...);
+    int size = printer(tmp, sizeof(tmp), std::forward<Args>(args)...);
     if (size < 0) {
         return -1;
     }
@@ -67,7 +53,7 @@ consteval uint64_t get_type_id() {
 template<typename Func>
 class FinalAction {
 public:
-    FinalAction(Func f) :FinalActionFunc(kstl::move(f)) {}
+    FinalAction(Func f) :FinalActionFunc(std::move(f)) {}
     ~FinalAction()
     {
         FinalActionFunc();

diff --git a/C/STrace.sln b/C/STrace.sln
@@ -7,7 +7,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "STrace", "STrace\STrace.vcx
 	ProjectSection(ProjectDependencies) = postProject
 		{4349310C-30F9-48A9-9AE7-13D181F958B5} = {4349310C-30F9-48A9-9AE7-13D181F958B5}
 		{C09F1082-CDCA-4320-AB91-CC3EAB12560C} = {C09F1082-CDCA-4320-AB91-CC3EAB12560C}
-		{D237889B-F553-478C-857A-A6BF4B883AE9} = {D237889B-F553-478C-857A-A6BF4B883AE9}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "STraceCLI", "STraceCLI\STraceCLI.vcxproj", "{4349310C-30F9-48A9-9AE7-13D181F958B5}"
@@ -22,8 +21,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AddNewEtwEventPlugin", "Add
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FileDeleteRecordPluginDriver", "FileDeleteRecordPluginDriver\FileDeleteRecordPluginDriver.vcxproj", "{CD47158C-73E3-4197-AE90-92DC38D8BC0E}"
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Utils", "Utils\Utils.vcxproj", "{D237889B-F553-478C-857A-A6BF4B883AE9}"
-EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|ARM64 = Debug|ARM64
@@ -130,18 +127,6 @@ Global
 		{CD47158C-73E3-4197-AE90-92DC38D8BC0E}.Release|x86.ActiveCfg = Release|x64
 		{CD47158C-73E3-4197-AE90-92DC38D8BC0E}.Release|x86.Build.0 = Release|x64
 		{CD47158C-73E3-4197-AE90-92DC38D8BC0E}.Release|x86.Deploy.0 = Release|x64
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|ARM64.ActiveCfg = Debug|x64
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|ARM64.Build.0 = Debug|x64
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|x64.ActiveCfg = Debug|x64
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|x64.Build.0 = Debug|x64
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|x86.ActiveCfg = Debug|Win32
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Debug|x86.Build.0 = Debug|Win32
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|ARM64.ActiveCfg = Release|x64
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|ARM64.Build.0 = Release|x64
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|x64.ActiveCfg = Release|x64
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|x64.Build.0 = Release|x64
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|x86.ActiveCfg = Release|Win32
-		{D237889B-F553-478C-857A-A6BF4B883AE9}.Release|x86.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE