small update
This commit is contained in:
hfiref0x 2017-04-17 18:45:41 +07:00
parent 20a4e9b210
commit 7e4aec975f
17 changed files with 1248 additions and 1295 deletions

.gitattributes vendored

@ -1,17 +0,0 @@
# Auto detect text files and perform LF normalization
* text=auto
# Custom for Visual Studio
*.cs diff=csharp
# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain

Binary file not shown.


@ -32,7 +32,7 @@ In order to build from source you need Microsoft Visual Studio 2015 U1 and later
# Authors
(c) 2016 TDL Project
(c) 2016 - 2017 TDL Project
# Credits


@ -1,7 +1,7 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.24720.0
VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Furutaka", "Furutaka.vcxproj", "{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}"
EndProject


@ -1,14 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
@ -26,19 +18,6 @@
<ProjectName>Furutaka</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
@ -57,12 +36,6 @@
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
@ -70,20 +43,10 @@
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@ -93,23 +56,6 @@
<CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>
<RunCodeAnalysis>false</RunCodeAnalysis>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>
</PrecompiledHeader>
<WarningLevel>Level4</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EntryPointSymbol>TDLMain</EntryPointSymbol>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<PrecompiledHeader>
@ -124,30 +70,7 @@
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EntryPointSymbol>TDLMain</EntryPointSymbol>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
<MultiProcessorCompilation>true</MultiProcessorCompilation>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EntryPointSymbol>TDLMain</EntryPointSymbol>
<SetChecksum>true</SetChecksum>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
<UACExecutionLevel>AsInvoker</UACExecutionLevel>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@ -164,6 +87,8 @@
<MultiProcessorCompilation>true</MultiProcessorCompilation>
<StringPooling>true</StringPooling>
<EnablePREfast>false</EnablePREfast>
<ControlFlowGuard>Guard</ControlFlowGuard>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
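Review bot: The new `<ControlFlowGuard>Guard</ControlFlowGuard>` on the Release|x64 `<ClCompile>` group only takes effect if the linker is also invoked with `/guard:cf`; the matching `<Link>` group for this configuration is cut off at the end of the hunk, so please confirm the linked binary actually carries CFG (for example by checking the image's load configuration after a build). It is also only added to Release|x64, while the Debug|x64 `<ClCompile>` group earlier in the file is not shown to get it; if that is intentional a short comment next to the new line, `<!-- CFG: Release|x64 only -->`, would make it clear. Inference from the visible hunk only; the rest of the Release|x64 item group is outside this view.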


@ -4,14 +4,6 @@
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: CUI.C
*
* VERSION: 1.00
* VERSION: 1.10
*
* DATE: 18 Jan 2016
* DATE: 20 Mar 2017
*
* Console output.
*
@ -19,19 +19,68 @@
#include "global.h"
/*
* cuiPrintText
* cuiPrintTextA
*
* Purpose:
*
* Output text to the console or file.
*
* ANSI variant
*
*/
VOID cuiPrintText(
VOID cuiPrintTextA(
_In_ HANDLE hOutConsole,
_In_ LPSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
)
{
SIZE_T consoleIO;
DWORD bytesIO;
LPSTR Buffer;
if (lpText == NULL)
return;
consoleIO = _strlen_a(lpText);
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = (5 + consoleIO);
Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
_strcpy_a(Buffer, lpText);
if (UseReturn) _strcat_a(Buffer, "\r\n");
consoleIO = _strlen_a(Buffer);
if (ConsoleOutputEnabled != FALSE) {
WriteConsoleA(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(CHAR)), &bytesIO, NULL);
}
HeapFree(GetProcessHeap(), 0, Buffer);
}
}
/*
* cuiPrintTextW
*
* Purpose:
*
* Output text to the console or file.
*
* UNICODE variant
*
*/
VOID cuiPrintTextW(
_In_ HANDLE hOutConsole,
_In_ LPWSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
)
)
{
SIZE_T consoleIO;
DWORD bytesIO;
@ -44,8 +93,8 @@ VOID cuiPrintText(
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL);
Buffer = (LPWSTR)RtlAllocateHeap(RtlGetCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, consoleIO);
consoleIO = (5 + consoleIO) * sizeof(WCHAR);
Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
_strcpy(Buffer, lpText);
@ -53,12 +102,12 @@ VOID cuiPrintText(
consoleIO = _strlen(Buffer);
if (ConsoleOutputEnabled == TRUE) {
if (ConsoleOutputEnabled != FALSE) {
WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
}
RtlFreeHeap(RtlGetCurrentPeb()->ProcessHeap, 0, Buffer);
HeapFree(GetProcessHeap(), 0, Buffer);
}
}
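Review bot: The new cuiPrintTextA returns silently when the text is empty, longer than `MAX_PATH * 4` characters, or when HeapAlloc fails, and because the function is VOID a caller cannot tell that output was dropped; the header comment should state that contract, e.g. `* Text longer than MAX_PATH * 4 characters is dropped silently; write failures are not reported.` The same applies to cuiPrintTextW, whose definition starts in this hunk but continues outside it. The return values of WriteConsoleA/WriteFile are ignored in both variants, which is acceptable for console logging but worth saying in the comment so nobody relies on these for file output that must be complete.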


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: CUI.H
*
* VERSION: 1.00
* VERSION: 1.10
*
* DATE: 18 Jan 2016
* DATE: 04 Feb 2017
*
* Common header file for console ui.
*
@ -18,11 +18,22 @@
*******************************************************************************/
#pragma once
#include "global.h"
VOID cuiPrintTextA(
_In_ HANDLE hOutConsole,
_In_ LPSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
);
VOID cuiPrintText(
VOID cuiPrintTextW(
_In_ HANDLE hOutConsole,
_In_ LPWSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
);
);
#ifdef UNICODE
#define cuiPrintText cuiPrintTextW
#else
#define cuiPrintText cuiPrintTextA
#endif
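Review bot: Both new prototypes take `_In_ LPSTR lpText` / `_In_ LPWSTR lpText` although the text is only read (cui.c copies it into a private buffer), so `_In_ LPCSTR lpText` and `_In_ LPCWSTR lpText` would document that and let callers pass const strings without a cast; the definitions in cui.c would need the same change. The `cuiPrintText` mapping macro is fine, but a one-line comment above the `#ifdef UNICODE` block, `/* cuiPrintText resolves to the A/W variant per the build's character set */`, would help readers who grep for the name.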


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: GLOBAL.H
*
* VERSION: 1.00
* VERSION: 1.10
*
* DATE: 01 Feb 2016
* DATE: 17 Apr 2017
*
* Common header file for the program support routines.
*


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015 - 2016, portions (C) Mark Russinovich, FileMon
* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon
*
* TITLE: INSTDRV.C
*
* VERSION: 1.11
* VERSION: 1.10
*
* DATE: 01 Feb 2016
* DATE: 17 Apr 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -28,7 +28,7 @@ BOOL scmInstallDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName,
_In_opt_ LPCTSTR ServiceExe
)
)
{
SC_HANDLE schService;
@ -65,7 +65,7 @@ BOOL scmInstallDriver(
BOOL scmStartDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
)
)
{
SC_HANDLE schService;
BOOL ret;
@ -96,7 +96,7 @@ BOOL scmStartDriver(
BOOL scmOpenDevice(
_In_ LPCTSTR DriverName,
_Inout_opt_ PHANDLE lphDevice
)
)
{
TCHAR completeDeviceName[64];
HANDLE hDevice;
@ -136,11 +136,11 @@ BOOL scmOpenDevice(
BOOL scmStopDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
)
)
{
BOOL ret;
INT iRetryCount;
SC_HANDLE schService;
BOOL ret;
SERVICE_STATUS serviceStatus;
ret = FALSE;
@ -154,7 +154,7 @@ BOOL scmStopDriver(
SetLastError(0);
ret = ControlService(schService, SERVICE_CONTROL_STOP, &serviceStatus);
if (ret == TRUE)
if (ret != FALSE)
break;
if (GetLastError() != ERROR_DEPENDENT_SERVICES_RUNNING)
@ -180,24 +180,16 @@ BOOL scmStopDriver(
BOOL scmRemoveDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
)
)
{
SC_HANDLE schService;
BOOL bResult = FALSE;
schService = OpenService(SchSCManager,
DriverName,
DELETE
);
if (schService == NULL) {
return bResult;
}
schService = OpenService(SchSCManager, DriverName, SERVICE_ALL_ACCESS);
if (schService) {
bResult = DeleteService(schService);
CloseServiceHandle(schService);
}
return bResult;
}
@ -211,7 +203,7 @@ BOOL scmRemoveDriver(
*/
BOOL scmUnloadDeviceDriver(
_In_ LPCTSTR Name
)
)
{
SC_HANDLE schSCManager;
BOOL bResult = FALSE;
@ -220,10 +212,7 @@ BOOL scmUnloadDeviceDriver(
return bResult;
}
schSCManager = OpenSCManager(NULL,
NULL,
SC_MANAGER_ALL_ACCESS
);
schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (schSCManager) {
scmStopDriver(schSCManager, Name);
bResult = scmRemoveDriver(schSCManager, Name);
@ -244,7 +233,7 @@ BOOL scmLoadDeviceDriver(
_In_ LPCTSTR Name,
_In_opt_ LPCTSTR Path,
_Inout_ PHANDLE lphDevice
)
)
{
SC_HANDLE schSCManager;
BOOL bResult = FALSE;
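Review bot: scmRemoveDriver now opens the service with `SERVICE_ALL_ACCESS` although the only operation performed on the handle is DeleteService, for which the previous `DELETE` right was sufficient; requesting all access is more than the function needs and can fail where a narrower request would succeed. Keep the minimal right: `schService = OpenService(SchSCManager, DriverName, DELETE);`. The body of scmRemoveDriver is fully visible in this hunk, so the change is self-contained; the broad `SC_MANAGER_ALL_ACCESS` in scmUnloadDeviceDriver predates this commit and is only reformatted here.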


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2015, portions (C) Mark Russinovich, FileMon
* (C) COPYRIGHT AUTHORS, 2015 - 2017, portions (C) Mark Russinovich, FileMon
*
* TITLE: INSTDRV.H
*
* VERSION: 1.10
*
* DATE: 10 Mar 2015
* DATE: 17 Apr 2017
*
* Common header file for the program SCM usage.
*
@ -16,39 +16,40 @@
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#pragma once
BOOL scmInstallDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName,
_In_opt_ LPCTSTR ServiceExe
);
);
BOOL scmStartDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
);
);
BOOL scmOpenDevice(
_In_ LPCTSTR DriverName,
_Inout_opt_ PHANDLE lphDevice
);
);
BOOL scmStopDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
);
);
BOOL scmRemoveDriver(
_In_ SC_HANDLE SchSCManager,
_In_ LPCTSTR DriverName
);
);
BOOL scmUnloadDeviceDriver(
_In_ LPCTSTR Name
);
);
BOOL scmLoadDeviceDriver(
_In_ LPCTSTR Name,
_In_opt_ LPCTSTR Path,
_Inout_ PHANDLE lphDevice
);
);


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: MAIN.C
*
* VERSION: 1.00
* VERSION: 1.10
*
* DATE: 04 Feb 2016
* DATE: 17 Apr 2017
*
* Furutaka entry point.
*
@ -32,7 +32,7 @@ HANDLE g_ConOut = NULL;
HANDLE g_hVBox = INVALID_HANDLE_VALUE;
BOOL g_ConsoleOutput = FALSE;
BOOL g_VBoxInstalled = FALSE;
WCHAR BE = 0xFEFF;
WCHAR g_BE = 0xFEFF;
#define VBoxDrvSvc TEXT("VBoxDrv")
#define supImageName "furutaka"
@ -40,11 +40,11 @@ WCHAR BE = 0xFEFF;
#define PAGE_SIZE 0x1000
#define scDataOffset 0x214 //shellcode data offset
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.0 (04/02/16)")
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1 (17/04/17)")
#define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n")
#define T_LOADERRUN TEXT("Another instance running, close it before\r\n")
#define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.0.0 started\r\n(c) 2016 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.0 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
/*
* TDLVBoxInstalled
@ -56,7 +56,7 @@ WCHAR BE = 0xFEFF;
*/
BOOL TDLVBoxInstalled(
VOID
)
)
{
BOOL bPresent = FALSE;
LRESULT lRet;
@ -85,7 +85,7 @@ BOOL TDLVBoxInstalled(
void TDLRelocImage(
ULONG_PTR Image,
ULONG_PTR NewImageBase
)
)
{
PIMAGE_OPTIONAL_HEADER popth;
PIMAGE_BASE_RELOCATION rel;
@ -142,7 +142,7 @@ ULONG_PTR TDLGetProcAddress(
ULONG_PTR KernelBase,
ULONG_PTR KernelImage,
LPCSTR FunctionName
)
)
{
ANSI_STRING cStr;
ULONG_PTR pfn = 0;
@ -166,7 +166,7 @@ void TDLResolveKernelImport(
ULONG_PTR Image,
ULONG_PTR KernelImage,
ULONG_PTR KernelBase
)
)
{
PIMAGE_OPTIONAL_HEADER popth;
ULONG_PTR ITableVA, *nextthunk;
@ -213,7 +213,7 @@ void TDLResolveKernelImport(
void TDLExploit(
LPVOID Shellcode,
ULONG CodeSize
)
)
{
SUPCOOKIE Cookie;
SUPLDROPEN OpenLdr;
@ -377,7 +377,7 @@ void TDLExploit(
*/
UINT TDLMapDriver(
LPWSTR lpDriverFullName
)
)
{
UINT result = (UINT)-1;
ULONG isz;
@ -511,7 +511,7 @@ UINT TDLMapDriver(
*/
HANDLE TDLStartVulnerableDriver(
VOID
)
)
{
PBYTE DrvBuffer;
ULONG DataSize = 0, bytesIO;
@ -606,7 +606,7 @@ HANDLE TDLStartVulnerableDriver(
}
//run driver
if (scmStartDriver(schSCManager, VBoxDrvSvc) == TRUE) {
if (scmStartDriver(schSCManager, VBoxDrvSvc) != FALSE) {
if (scmOpenDevice(VBoxDrvSvc, &hDevice))
msg = TEXT("SCM: Vulnerable driver loaded and opened");
@ -639,7 +639,7 @@ HANDLE TDLStartVulnerableDriver(
*/
void TDLStopVulnerableDriver(
VOID
)
)
{
SC_HANDLE schSCManager;
LPWSTR msg;
@ -665,7 +665,6 @@ void TDLStopVulnerableDriver(
return;
}
//stop driver in any case
if (scmStopDriver(schSCManager, VBoxDrvSvc))
msg = TEXT("SCM: Vulnerable driver successfully unloaded");
@ -684,6 +683,9 @@ void TDLStopVulnerableDriver(
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
uStr.Buffer = NULL;
uStr.Length = 0;
uStr.MaximumLength = 0;
RtlInitUnicodeString(&uStr, L"\\??\\globalroot\\systemroot\\system32\\drivers\\VBoxDrv.sys");
InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_CASE_INSENSITIVE, NULL, NULL);
if (NT_SUCCESS(NtDeleteFile(&ObjectAttributes)))
@ -716,7 +718,7 @@ void TDLStopVulnerableDriver(
*/
UINT TDLProcessCommandLine(
LPWSTR lpCommandLine
)
)
{
UINT retVal = (UINT)-1;
WCHAR szInputFile[MAX_PATH + 1];
@ -769,6 +771,7 @@ void TDLMain()
__security_init_cookie();
do {
g_hInstance = GetModuleHandle(NULL);
g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);
@ -785,7 +788,7 @@ void TDLMain()
SetConsoleTitle(T_LOADERTITLE);
SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);
if (g_ConsoleOutput == FALSE) {
WriteFile(g_ConOut, &BE, sizeof(WCHAR), &dwTemp, NULL);
WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dwTemp, NULL);
}
cuiPrintText(g_ConOut,
@ -825,7 +828,7 @@ void TDLMain()
g_VBoxInstalled = TDLVBoxInstalled();
if (g_VBoxInstalled) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Warning VirtualBox software installed, conficts possible"),
TEXT("Ldr: Warning, VirtualBox software installed, conflicts are possible"),
g_ConsoleOutput, TRUE);
}
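Review bot: The three new assignments `uStr.Buffer = NULL; uStr.Length = 0; uStr.MaximumLength = 0;` in TDLStopVulnerableDriver are dead, because the RtlInitUnicodeString call on the next line sets all three fields itself; either drop them or, if they are meant as defensive initialisation, say so with `/* redundant: RtlInitUnicodeString overwrites every field */`. TDLStopVulnerableDriver begins and ends outside this hunk. The `__security_init_cookie()` call added at the top of TDLMain is placed correctly for a custom `EntryPointSymbol`, but a comment such as `// custom entry point: initialise the /GS cookie before any protected function runs` would explain why it must stay the first statement.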

Binary file not shown.


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: SHELLCODE.H
*
* VERSION: 1.00
* VERSION: 1.10
*
* DATE: 30 Jan 2016
* DATE: 17 Apr 2017
*
* Loader bootstrap shellcode.
*


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: SUP.C
*
* VERSION: 1.00
* VERSION: 1.10
*
* DATE: 01 Feb 2016
* DATE: 17 Apr 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -26,7 +26,7 @@
*/
PVOID supGetSystemInfo(
_In_ SYSTEM_INFORMATION_CLASS InfoClass
)
)
{
INT c = 0;
PVOID Buffer = NULL;
@ -74,7 +74,7 @@ PVOID supGetSystemInfo(
*/
ULONG_PTR supGetNtOsBase(
VOID
)
)
{
PRTL_PROCESS_MODULES miSpace;
ULONG_PTR NtOsBase = 0;
@ -100,7 +100,7 @@ PBYTE supQueryResourceData(
_In_ ULONG_PTR ResourceId,
_In_ PVOID DllHandle,
_In_ PULONG DataSize
)
)
{
NTSTATUS status;
ULONG_PTR IdPath[3];
@ -137,7 +137,7 @@ PBYTE supQueryResourceData(
*/
BOOL supBackupVBoxDrv(
_In_ BOOL bRestore
)
)
{
BOOL bResult = FALSE;
WCHAR szOldDriverName[MAX_PATH * 2];
@ -185,7 +185,7 @@ SIZE_T supWriteBufferToFile(
_In_ SIZE_T Size,
_In_ BOOL Flush,
_In_ BOOL Append
)
)
{
NTSTATUS Status;
DWORD dwFlag;
@ -207,7 +207,7 @@ SIZE_T supWriteBufferToFile(
DesiredAccess = FILE_WRITE_ACCESS | SYNCHRONIZE;
dwFlag = FILE_OVERWRITE_IF;
if (Append == TRUE) {
if (Append != FALSE) {
DesiredAccess |= FILE_READ_ACCESS;
dwFlag = FILE_OPEN_IF;
}
@ -224,7 +224,7 @@ SIZE_T supWriteBufferToFile(
pPosition = NULL;
if (Append == TRUE) {
if (Append != FALSE) {
Position.LowPart = FILE_WRITE_TO_END_OF_FILE;
Position.HighPart = -1;
pPosition = &Position;
@ -250,7 +250,7 @@ SIZE_T supWriteBufferToFile(
ptr += BlockSize;
BytesWritten += IoStatus.Information;
}
RemainingSize = Size % BlockSize;
RemainingSize = (ULONG)(Size % BlockSize);
if (RemainingSize != 0) {
Status = NtWriteFile(hFile, 0, NULL, NULL, &IoStatus, ptr, RemainingSize, pPosition, NULL);
if (!NT_SUCCESS(Status))
@ -261,7 +261,7 @@ SIZE_T supWriteBufferToFile(
}
__finally {
if (hFile != NULL) {
if (Flush == TRUE) NtFlushBuffersFile(hFile, &IoStatus);
if (Flush != FALSE) NtFlushBuffersFile(hFile, &IoStatus);
NtClose(hFile);
}
RtlFreeUnicodeString(&NtFileName);
@ -280,7 +280,7 @@ SIZE_T supWriteBufferToFile(
NTSTATUS NTAPI supDetectObjectCallback(
_In_ POBJECT_DIRECTORY_INFORMATION Entry,
_In_ PVOID CallbackParam
)
)
{
POBJSCANPARAM Param = (POBJSCANPARAM)CallbackParam;
@ -317,7 +317,7 @@ NTSTATUS NTAPI supEnumSystemObjects(
_In_opt_ HANDLE hRootDirectory,
_In_ PENUMOBJECTSCALLBACK CallbackProc,
_In_opt_ PVOID CallbackParam
)
)
{
BOOL cond = TRUE;
ULONG ctx, rlen;
@ -407,7 +407,7 @@ NTSTATUS NTAPI supEnumSystemObjects(
BOOL supIsObjectExists(
_In_ LPWSTR RootDirectory,
_In_ LPWSTR ObjectName
)
)
{
OBJSCANPARAM Param;
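Review bot: The new cast `RemainingSize = (ULONG)(Size % BlockSize);` in supWriteBufferToFile silences a narrowing warning, and it is lossless only because the remainder is strictly smaller than BlockSize; that reasoning deserves a comment, e.g. `// remainder < BlockSize, so narrowing to ULONG cannot truncate`. This assumes BlockSize is itself a ULONG-sized value, which is declared outside the hunk and should be confirmed. supWriteBufferToFile begins and ends outside this hunk.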


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: SUP.H
*
* VERSION: 1.00
* VERSION: 1.10
*
* DATE: 01 Feb 2016
* DATE: 17 Apr 2017
*
* Common header file for the program support routines.
*
@ -27,21 +27,21 @@ typedef struct _OBJSCANPARAM {
ULONG_PTR supGetNtOsBase(
VOID
);
);
PVOID supGetSystemInfo(
_In_ SYSTEM_INFORMATION_CLASS InfoClass
);
);
PBYTE supQueryResourceData(
_In_ ULONG_PTR ResourceId,
_In_ PVOID DllHandle,
_In_ PULONG DataSize
);
);
BOOL supBackupVBoxDrv(
_In_ BOOL bRestore
);
);
SIZE_T supWriteBufferToFile(
_In_ PWSTR lpFileName,
@ -49,11 +49,11 @@ SIZE_T supWriteBufferToFile(
_In_ SIZE_T Size,
_In_ BOOL Flush,
_In_ BOOL Append
);
);
BOOL supIsObjectExists(
_In_ LPWSTR RootDirectory,
_In_ LPWSTR ObjectName
);
);
#define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1)


@ -1,29 +1,36 @@
c371453e2eb9edab0949472d14871f09a6c60e4bab647910da83943bb4d3104c *Compiled\dummy.sys
4c8d13b1693c77bc4b75ae0f6262260cbc1478f3da33d039930d265db5d7eb3e *Compiled\dummy2.sys
48820631b430a40f296b17280bc18736f8ac428514ffd931b4b529dc5cc04136 *Compiled\Furutaka.exe
9c81608bea1766f195ddf49f9a07b23da96dbf17a5e2d66405492eaa3155996e *Compiled\Furutaka.exe
c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln
01662c807519eac05d7082c151be3824418ccf1716216895680fe5598093d245 *Source\DummyDrv\dummy\dummy.vcxproj
2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user
da9e4121c5a6970b0e10e6cca6fa6065e758f5b54b46c33ff99e7f98d98d00bc *Source\DummyDrv\dummy\main.c
c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln
c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln
2fd78ce2843d7c77b1249bb7288d87605a4b3979b150a982eae56ecbabdcfb32 *Source\DummyDrv2\dummy\dummy.vcxproj
f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters
d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user
a23f846a6321b8e411dce50c61c5d2675ee7dc6fef0e3b69d8a671120cd27b76 *Source\DummyDrv2\dummy\main.c
cc5dab13546ffcb16e97b664783e6a9121c99f89ece7dd63300714246e9622fa *Source\DummyDrv2\dummy\main.h
10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c
c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln
746efc13f8d0f96856876e4027a6c7d1f28f2791173c492ef185a436fd464bf6 *Source\Furutaka\cui.c
3a5e784c79832cd497782267212edf8118431a38e16c11f890e413a12e3cb68c *Source\Furutaka\cui.h
cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys
01e8b1256c0ea978f3f100602732e1314a5108a2aa4563f1d4c98e0d5faebb85 *Source\Furutaka\Furutaka.sln
c7eaba7f4bb49fceac5c13d1a2abd23782c14c167ea6c57a7f65407cd7034149 *Source\Furutaka\Furutaka.vcxproj
e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c
6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h
24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln
16bd5cb1f9114683a8f5b91d8f5492319b64f5b1dd5103b56c9c29c39b06237b *Source\Furutaka\Furutaka.vcxproj
b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
2b04b5603a1ad01bf21aadb13539b7de81e4a6c414b187c4a021dc8356da3e37 *Source\Furutaka\Furutaka.vcxproj.user
1f1f6d73a914729da08ad347c3bdb7d031c51a354339d0a26b72efcb799dfde1 *Source\Furutaka\global.h
c90a5fa589457ed25641ec8bd7da6b3be603ad5001fa9c4c8c378a47068737d2 *Source\Furutaka\instdrv.c
964d46b2540f1e91797750eb1f2b9c4c0f037792c2066d653727e223222b6208 *Source\Furutaka\instdrv.h
8f309aca118c967f283db492cfda3493bded9dbafebf580a4b5ce8bfd22ce318 *Source\Furutaka\main.c
b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user
1a80c208b491fcd2704761490a12067ae8aa73d8bde834a20920cbd231affaf7 *Source\Furutaka\global.h
94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c
33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h
c1747f460d8e42e18f3fce8c30c51be75fe382332f586756bbb86af81e8a5a45 *Source\Furutaka\main.c
8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
2dad59a7d37bfc28fc1e0f3599584454084e5837649facde829373f41b86e08f *Source\Furutaka\resource.rc
f8cafd307ba14b60970fe8caf73fbb2f178d3877a3d8b51f507b431e3bf5506e *Source\Furutaka\shellcode.h
fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c
059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h
12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h
cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Furutaka\minirtl\cmdline.c
bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Furutaka\minirtl\cmdline.h
107245437ed86b6f1e839b2d3d9bbadb3d9980046cb5c7001f985fed3627962f *Source\Furutaka\minirtl\minirtl.h
@ -38,10 +45,3 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Furutak
27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\Furutaka\minirtl\_strend.c
60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\Furutaka\minirtl\_strlen.c
87cc72bb8e3f1534bee09ee278ecd928d975ebb94aeffc767b67249815a0bf3a *Source\Furutaka\minirtl\_strncmpi.c
8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
8a28b38ff5a64f0d2a52c019ce8a77ed1f098cfa499c2f27208b0621690022fc *Source\Furutaka\resource.rc
a12de2f7e249ea16519644494c7724e8d5aee23e3744a98019cf9821f054db75 *Source\Furutaka\shellcode.h
2978d95a800f049956b0e3ef53d398003d94e051a463e79796aff4247959e93e *Source\Furutaka\sup.c
d131357000587b1c25adb90dece9558afc38c4fbe77d04e8acb3e6c84a5e2fd1 *Source\Furutaka\sup.h
12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h