#include "structs.h"
#include <ntddk.h>
#include <wdf.h>

Classes
struct	_INJECT_SHELL

Macros
#define	MAX_PATH 256

Typedefs
typedef struct _INJECT_SHELL	INJECT_SHELL

typedef struct _INJECT_SHELL *	PINJECT_SHELL

Functions
PVOID NTAPI	RtlImageDirectoryEntryToData (_In_ PVOID BaseOfImage, _In_ BOOLEAN MappedAsImage, _In_ USHORT DirectoryEntry, _Out_ PULONG Size)

BOOLEAN NTAPI	KeTestAlertThread (IN KPROCESSOR_MODE AlertMode)

BOOLEAN NTAPI	PsIsProtectedProcess (_In_ PEPROCESS Process)

EXTERN_C PVOID	RtlImageDirectoryEntryToData (IN PVOID Base, IN BOOLEAN MappedAsImage, IN USHORT DirectoryEntry, OUT PULONG Size)

VOID	RemoveCallbacks ()

NTSTATUS	InitializeKernelCallbacks ()

Variables
POBJECT_TYPE *	IoDeviceObjectType

Macro Definition Documentation

◆ MAX_PATH

#define MAX_PATH 256

Definition at line 6 of file callbacks.h.

Typedef Documentation

◆ INJECT_SHELL

typedef struct _INJECT_SHELL INJECT_SHELL

◆ PINJECT_SHELL

typedef struct _INJECT_SHELL * PINJECT_SHELL

Function Documentation

◆ InitializeKernelCallbacks()

NTSTATUS InitializeKernelCallbacks ( )

Definition at line 558 of file callbacks.cpp.

{
    PAGED_CODE();
    NTSTATUS status;
    //UNICODE_STRING callbackAltitude;
    //RtlInitUnicodeString(&callbackAltitude, L"1931");
 
    //OB_CALLBACK_REGISTRATION callbackRegistration;
    //OB_OPERATION_REGISTRATION operationRegistration;
    //RtlSecureZeroMemory(&operationRegistration, sizeof(OB_OPERATION_REGISTRATION));
    //RtlSecureZeroMemory(&callbackRegistration, sizeof(OB_CALLBACK_REGISTRATION));
    //operationRegistration.ObjectType = PsProcessType;
    //operationRegistration.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    //operationRegistration.PreOperation = PreOperationCallback;
    //operationRegistration.PostOperation = NULL;
 
    //callbackRegistration.Version = OB_FLT_REGISTRATION_VERSION;
    //callbackRegistration.OperationRegistrationCount = 1;
    //callbackRegistration.Altitude = callbackAltitude;
    //callbackRegistration.OperationRegistration = &operationRegistration;
    //callbackRegistration.RegistrationContext = NULL;
 
    //status = ObRegisterCallbacks(&callbackRegistration, &g_ObRegistrationHandle);
    //if (!NT_SUCCESS(status)) {
    //  DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[!] Panoptes: Driver Failed to Set Object Registration Callbacks - Ensure /INTEGRITYCHECK is added to the linker options\n");
    //  return status;
    //}
    //DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] Panoptes: Set Object Registration Callbacks\n");
 
    InitializeListHead(&g_ProcessList);
    //KeInitializeSpinLock(&g_ProcessListLock);
    status = PsSetCreateProcessNotifyRoutineEx(ProcessCreateCallback, FALSE);
    if (!NT_SUCCESS(status)) {
        //ObUnRegisterCallbacks(g_ObRegistrationHandle);
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[!] Panoptes: Driver Failed to Set Process Creation Notify Routine Notify Routine - Ensure /INTEGRITYCHECK is added to the linker options\n");
        return status;
    }
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] Panoptes: Set Process Creation Notify Callbacks\n");
 
    status = PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        NTSTATUS removeStatus = PsSetCreateProcessNotifyRoutineEx(ProcessCreateCallback, TRUE);
        if (!NT_SUCCESS(removeStatus)) {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[!] Panoptes: Driver Failed to remove callback for Set Process Creation Notify Routine Notify Routine\n");
            return removeStatus;
        }
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[!] Panoptes: Driver Failed to Set Process Load Image Notify Routine - Ensure /INTEGRITYCHECK is added to the linker options\n");
        return status;
    }
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[+] Panoptes: Set Image Load Notify Callbacks\n");
 
    return STATUS_SUCCESS;
}

References g_ProcessList, LoadImageNotifyRoutine(), and ProcessCreateCallback().

Referenced by DriverEntry().

◆ KeTestAlertThread()

BOOLEAN NTAPI KeTestAlertThread ( IN KPROCESSOR_MODE AlertMode )

Referenced by InjectDllKernelApc().

◆ PsIsProtectedProcess()

BOOLEAN NTAPI PsIsProtectedProcess ( _In_ PEPROCESS Process )

Referenced by LoadImageNotifyRoutine().

◆ RemoveCallbacks()

VOID RemoveCallbacks ( )

Definition at line 614 of file callbacks.cpp.

                       {
    //ObUnRegisterCallbacks(g_ObRegistrationHandle);
    PsSetCreateProcessNotifyRoutineEx(ProcessCreateCallback, TRUE);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    return;
}

References LoadImageNotifyRoutine(), and ProcessCreateCallback().

Referenced by UnloadPanoptes().

◆ RtlImageDirectoryEntryToData() [1/2]

PVOID NTAPI RtlImageDirectoryEntryToData	(	_In_ PVOID	BaseOfImage,
		_In_ BOOLEAN	MappedAsImage,
		_In_ USHORT	DirectoryEntry,
		_Out_ PULONG	Size
	)

Referenced by RtlxFindExportedRoutineByName().

◆ RtlImageDirectoryEntryToData() [2/2]

EXTERN_C PVOID RtlImageDirectoryEntryToData	(	IN PVOID	Base,
		IN BOOLEAN	MappedAsImage,
		IN USHORT	DirectoryEntry,
		OUT PULONG	Size
	)

Variable Documentation

◆ IoDeviceObjectType

POBJECT_TYPE* IoDeviceObjectType

Definition at line 38 of file callbacks.h.

Classes

Macros

Typedefs

Functions

Variables