add BYOVD blacklist, re-enable device enumeration & listing drivers

Environment/Services.cpp

@@ -1,3 +1,4 @@
+//By AlSch092 @ Github
 #include "Services.hpp"
 
 #ifdef _MSC_VER
@@ -108,6 +109,15 @@ BOOL Services::GetLoadedDrivers()
         if (GetDeviceDriverBaseName(drivers[i], driverName, MAX_PATH) && GetDeviceDriverFileName(drivers[i], driverPath, MAX_PATH))
         {
             DriverPaths.push_back(driverPath);
+
+            for (wstring blacklisted : this->BlacklistedDrivers) //enumerate blacklisted drivers, check if driverPath contains a blacklisted driver
+            {
+                if (Utility::ContainsWStringInsensitive(driverPath, blacklisted))
+                {
+                    Logger::logfw("UltimateAnticheat.log", Detection, L"Found Vulnerable loaded driver @ GetLoadedDrivers: %s", driverPath);
+                    this->FoundBlacklistedDrivers.push_back(driverPath);
+                }
+            }
         }
         else 
         {
@@ -139,7 +149,7 @@ list<wstring> Services::GetUnsignedDrivers()
     {
         if (!Authenticode::HasSignature(driverPath.c_str()))
         {
-            Logger::logfw("UltimateAnticheat.log", Warning, L"Found unsigned or outdated certificate on driver: %s\n", driverPath.c_str());
+            Logger::logfw("UltimateAnticheat.log", Detection, L"Found unsigned or outdated certificate on driver: %s\n", driverPath.c_str());
             unsignedDrivers.push_back(driverPath);
         }
         else
@@ -496,6 +506,7 @@ list<DeviceW> Services::GetHardwareDevicesW()
             continue;
         }
 
+        Logger::logfw("UltimateAnticheat.log", Info, L"Found Device: %s\n", d.Description.c_str());
         deviceList.push_back(d);
     }
 
@@ -509,6 +520,9 @@ list<DeviceW> Services::GetHardwareDevicesW()
     return deviceList;
 }
 
+/*
+    Services::IsSecureBootEnabled_RegKey - another method for checking secure boot without using a powershell process
+*/
 BOOL Services::IsSecureBootEnabled_RegKey()
 {
     HKEY hKey;

Environment/Services.hpp

@@ -1,3 +1,4 @@
+//By AlSch092 @ Github
 #pragma once
 #include <iostream>
 #include <Windows.h>
@@ -7,6 +8,7 @@
 #include <list>
 #include "../AntiTamper/NAuthenticode.hpp"
 #include "../Common/Logger.hpp"
+#include "../Common/Utility.hpp"
 #include <setupapi.h>
 #include <cfgmgr32.h>
 #include <tchar.h>
@@ -53,7 +55,7 @@ enum WindowsVersion
 };
 
 /*
-The Services class deals with keeping track of loaded drivers & services/recurring tasks on the system, along with misc windows functions
+The Services class deals with keeping track of loaded drivers & services/recurring tasks on the system, along with misc helpful windows functions such as DSE checks, secure boot, device enumeration, etc
 */
 class Services final
 {
@@ -63,6 +65,19 @@ class Services final
 	{
 		if (Initialize)
 		{
+			HardwareDevices = GetHardwareDevicesW(); //fetch PCI devices
+
+			//in a real world application we would of course obfuscate these strings at compile time
+			BlacklistedDrivers.push_back(L"ntguard.sys"); //Net-Ease anti-cheat -> Vulnerable
+			BlacklistedDrivers.push_back(L"BEDaisy.sys"); //battleEye older versions are vulnerable to read/write kernel memory
+			BlacklistedDrivers.push_back(L"Gdrv.sys"); //gigabyte, vulnerable IOCTLs to r/w to physical memory
+			BlacklistedDrivers.push_back(L"AsIO.sys"); //asus utilities
+			BlacklistedDrivers.push_back(L"AsUpIO.sys");  //asus utilities
+			BlacklistedDrivers.push_back(L"CPUID.sys"); //direct memory access & manipulation
+			BlacklistedDrivers.push_back(L"ENE.sys"); //older versions vulnerable
+			BlacklistedDrivers.push_back(L"iqvw64e.sys"); //direct memory access
+			BlacklistedDrivers.push_back(L"hxctl.sys"); //Huorong Security, allow execute kernel code
+
 		    GetLoadedDrivers();
 		    GetServiceModules();
 		}
@@ -109,4 +124,9 @@ class Services final
 
 	list<Service*> ServiceList;
 	list <wstring> DriverPaths;
+
+	list<DeviceW> HardwareDevices;
+
+	list<wstring> BlacklistedDrivers; //vulnerable driver list (BYOVD concept) which allow an attacker to read/write mem while having test signing/secure boot enabled 
+	list<wstring> FoundBlacklistedDrivers; //any drivers which are loaded and blacklisted
 };