From 71fd3d3eea71438262b8031d0bd76326d860751b Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Fri, 19 Apr 2019 12:24:11 +0700 Subject: [PATCH 1/2] v 1.1.5 Work around unloading current VBoxDrv and its dependencies (https://github.com/hfiref0x/VBoxHardenedLoader/issues/48) --- Compiled/Furutaka.exe | Bin 131584 -> 133632 bytes Source/Furutaka/Furutaka.vcxproj.user | 2 +- Source/Furutaka/main.c | 123 ++----- Source/Furutaka/ntos.h | 507 +++++++++++++++++++------- Source/Furutaka/resource.rc | Bin 5698 -> 5698 bytes Source/Furutaka/sup.c | 193 +++++++++- Source/Furutaka/sup.h | 30 +- TDL.sha256 | 14 +- 8 files changed, 615 insertions(+), 254 deletions(-)
diff --git a/Compiled/Furutaka.exe b/Compiled/Furutaka.exe index 0d8cfef7ed0c02e8c1bbb33da9005f1121018d24..61dddbff1e04b47c19112b45cdc612f70c5daee5 100644 GIT binary patch delta 22217 zcmeI4dtB62{{PQ>1O??g-ygq!zMuB= zI?wlcpZoco&-r|qwrERO(ZgY7<7DH}kO!U4+z+zvNqN+CJ~tQ+t!!Dj9eik|f92D< ze!cQR=y$iYtURsjg_X}hA2nUb{TV89{VN~WwOj6Ey8So0irlYODxR})xnA~z{o@8? zP7xyKx1GdiS$mcUUTtE4=&VJXMGg$RWmnUP@H|b35FsY7lG9D22W|NpnUu5BBr?q= zA*?3xeJFD)$<{<Q0v1FggLta+PswAV16#YW+bz9pW(k zNuCVp>;7V$5E-6>dsVOW8vY7{%hTlA>dU{?*-qdk;-}`P=ZERQN#p-sCZaC>_3Ruc-mAgCI#!QDL@hqK2OiA>q z=9~;zhQN-Yj0#xV5gTvCS}O>BLk+W@oN}w|+{r$#WzFRZGTu<@E%9i;Vnc?E(lncO z?`8LM@bk2xyj}szR#jdvRbF(d>)n9m64HuWO$CSag7>eH_ja0SIxmlO8l*k5UVhyv z?&U$%I*l=y!diipg-P9`2hQ%kX)-y#S z(ZRivpZy8NP7QKA-zs^W{TjP&iMs%T92yyrh_ zRyNDWL7yH$pTDb!rx7l3U38cC4VO5x|9jnl0?!yeGfE=|`K3G-G1}B3O`TImt;FD- z!U(C(u0^(%UYAr$qTWW_Kl8^xKyPF0deB4=7G{}WZtOfdB3EUEqgXFr>wJ~TFF)!$ z#gr?pk+$BM=pG#Rd;ux`F_0e}utdS#RUB3Mh0Kmji)%owYQ<+^&8QpEikl)}d3&XN zGjeR!Em#R3Bp$_`ed0&d`U7rjR8vu;*8M|BG*(7w)SqDSZ~Gw-s8^HP7IPr@;9o8r%`Q0rIA9UmEIgk^_qySz~j=Y?*D;lNqe1 zU$CA9dOaC7hw5$@)Wlj+JwN;BpduGW)e*3KtvaO|Y(YV3p6pCa%nTIfIpZIuyh<$v zdeIrS+(1vu2k_1)Ep0NX$yGZ=uG%(E+$?v;#Jj!0HryM{ioeGaMsaOdTJy<@U$w@0r8TEk$QpB; zYovN6sh*TzX!Xc`74iH-%}#&bm6~7uPVe++JuB`%JlR&rm@aX%7oj%QLy2~%9=c+- zlo(B#9jqogSk07wRgKGkG5m4|Q{=`jN$#g|R9P=JVyX&;s8Nsl4&7_<;X$sGn%0(= zgY^1Z(DNV+!&SjLS7E;Nu05+Fo>Enon#aXg>U!o|wUV|PDaQ{B7vZoR(zUmCPm6SQ z&DSDZ@jKPauS{ipQ+_*Y%YmsS=6@{=u>&cChxvjj}HG<^{cQQxv~x%fi5j z0<~xT^>(}21rKnBaa9guc zL~*71H!3(8aBX`l7xBciX{By0)pOE+PM@GQ+{guCF3*vcv+4%*scpou$BdHphQMI# zCTRC}OVx7IA3DuzFz;n<<&IrHwSJlkR-ne^U3-%Mxm#sdFb5+C0S7K3MC%l76E~HyP=# zGX23T$#1LV&rsPOKL#LRiO^e$liqRv>MLG9E3Y@yes60aFed3WOij$z`;A=cAg6LIG8V(5$fJ+J zc$FEQM+4U*7Z$=cXrF?-ZH)czn(UHOHWzW7NV$CSse~W%pEOqFsZ}$SZq;D^~2??z> z)ZdOa`bX#+r5a<{OQ5v5^t;Wmx}3+WvWRdH-qJ-SgzG{_#EL z%)`+fqv0#)i#H;^2~3$MKj}YYX-}kKGw>|2IbEJLwoF&?A#3Wg8Z1~neCYHQtV2q)Z_kBh+%9V_n{ca^#^7Cfa%)r z=1Sjy9@_hJ<%a|8?#oLOTiU$T1;(~kW^8MDXrs&Xk<0UA;>CdFsq54jSsukUk>+Vr 
zqm}I+`FAyOINK^H#GyB>^lp>BwJ5{tbILFk$3eWM;brG|rYcVzxe6u*ETt%KyxWF4 z3VIm3(HgZIU5iYqzdO?MJnoKwWhI<&Iw*}QS81!^oZxHOrtdggYcZ{F?0T!CZbNoF42PhAmI=t7HfED;6!tiGY1F+)(lYL`P^_v~lKc}jHsu?HfcTb!+@k5Tyb>PbmDQ7l>c+RwTN=-SP8Z+&*=a^Bk ztMq?rns>IbTyMfDHEoO=b;fMjjw%C|iD-1{(8J>$1w!0DTyIVOJ$l#F@TlA4MLlo9 zN*r(1P?koWR&5`ozjH;EsJJ?m;9hYBEPLSlKewbGJlyKe`4DSfACUYW0n1)kFSjDq z7^mH+>N7li)W-M3r)qwF(AzTzzRuqrRy&?rE5F+DQkSJJ!LEm#nP`~GnT?#SN3adz zh_EdS8)05tnvA?ELEDijomcJG9-l2uwnf?>XUiqFd@Xyn{J^$V`*4fdA>Y;U}rx>`3VznQvUBlfN1IE^HsjLgekQ{lx|4&|EivAPMi+saU(Yx5yh?+w`P zPn?iD1}^Bm2`edmb9)h*8uQy{kQTFd;OnRGDJ7=(oa{Ylto!h>Kp?%ix!+{ZeVb<_ z!MVfHz_~_5zD9T-;ZuaT(Lz`e90*Q?CfM?zMF;|+3?U1l0>OvyH>9gF{(Zm!?Vp|M zUKljTq?wM&OIL3Ui+dlRnquzJ>V9LNtzGqg4rR4z2+z-GV>~?g(C|`@ zyf9>(cGa}Hp+hrGTKF`1*RV&lJEzLnYc^>a2jxT8+@lpvk==*e%;(-l$@xR};2RI- zaa3B}^x@Z-`mT5n7a47UY@I(kJh7*lcbeaugp6_{Vn9+xErY2F$@8tQ_HgL!E}Bmipv74!f4Ef=a^NMYM;sv(~pREwchH9@*!O>_BTjIQtp2#_UABF?9=<@ zmXUTXf4|&4a&p+&iOM#3zx;8eP3y2<_Dis8=l03e1iSY7KDj!^HCv5A{f>HQ1_tRS_s-gJYL>w}2KP>wtc3-^E3766+?=d{h zB8z`C6-0qv2KnFZjpg9-bSO?11>LZ2Z#6s@K>R<(t6Y{2KKJW+6NgWzZ~4lmLtPUuf1tNJjPtnb3f`t5d) zI;Y@Wb1(8>r247HcQWc#c6?e?g{rYt9to`LR7(?hP^#Pgbz)&y8;7$94jBW)*8KV zj~XO3Ux|HwIv@{T`;F#ZAzw>Q>+`k`^VJha^Osb_j7YtT;AA=eF`w))W{`IBbvbcN zUYA#KbGZ&QhopCyf=Z%x=Sbg}{@T#j<)6n)=(c(c1|rbd8m-=74`Wd*9wSGMeb9Wv zK|BljjWuBTX0-gn*pcylVGLMmu_>VIJ^V*3s?|*a%kI(AnsTEy_f1)xvRu3PhV-ZW zRqObMY#f)TeY{9c8b4I4StQquAE|9xB%d30mCSJLVdsY@I}*2W`@(`rrCGIbO7r0HV>vV*tK2vY=MOea2Vhd4340oc|8DyCSQrA9 zPAJcf0$a7jvl*pHH`Zcn-+C4|m*+_Oy<09i(6rXRF3-UrsC8_-0_;QG%5}c0_??jS zl=CrLhvT`7PR*=En{jkKn?F6>^9TL8`GoH4%TLJggbqjYUMKpOs^8&5-~XL#bHxc?^g8Ps#ib5g&l@o@-cwc>!D;E=;6jp$}l6?t0V z{qbPRQb=S;vd z)*XES^3LmTUUX}}{6ivSLIt;}>{Zi2N zNa$CHtEWJ~5;qJ@v=skzsUY@9=$XsraF{XoJ&J$&xuB~HA3NOjpuq^|q4EhcS1T-|op0+TjcSy6IN!!i)03 z=`*!uFUaQU3sRnaS+y(!yY$ah=<2qpyI{cG@s(Fe)R{_UM630*MG*gqzo=t<)Y6yb zZ8N&{nG2Jt)}%I?gP0Y&|M=%>SQ;=R*SsvBoiRX5uaxi1=&#*eE&Ve_YCjE>y)ve2 zj}4T!WNhzqG#wr8iAPDjikK0pR*_DKJen@8Gka)H)ygq5hiXlg^5&Ua`h4ax{QJDG 
zBJl6yQxW+0sd33pvnH7~$mz3|YJaiG7iN`dr=FE5v*(3hx=QUop&Or-<+G=2L!OnN z&)%bbI#WKAIY;}VN`99)De7z7&-zPGz_P_ECtWvMiya{Eyzc7g)ws2Td*&^>WX*Lw zv<16l!*#vgW{ej$`_LBE-x*d{N>oR~@||C|*kSn@!v~*phQ$HPw}$1UVM&I?Z&=@atzbGhA9uGCc{!-SPEfz&#)}lEuJFGG>iuf<1E8i zVi;dBjAIOAnPIH1lt<>+rhoIi-icqn(7P3eBEB#z=M9S)mQM`JM}{Q}mTpFg4TdEf zmhj5Dq`CK*G|vioaNZZ%r0H_k{L$KwC*|k!%S}b{t_8PiqL;k5V2r6$Iu=gSo_Jj5 zFWhDNxUPRzqRHfy^A|Om9+QI>|7_Wdjn`G0H2F!jDwp7o52c|s&&g}AcWQ4vC-1m^ zT=%P$16~owX!+eeo4q(^Z4Is4E{|W|xBH);{pTe2b{V+7SX*V0TbAtBR>jIuOBW1H zz&&|$dd%7bH^*fAcvQaKjAODN)oL-tH(`)kE5J=p%2$`(>+XvaVK0Pf23CAM8LeYEw$aJ`w*k;`pMK>?-!*O)7K;9B?mpQ08r+`P&Uo zC*p-jITAVx7FF(%P#0oq6Fd?+hq3xFRq$$`+J>g9oJT@T8cbL013gin-H(KA86no7 z)r3>YJ3%9IKD$v~y0LffM7>XS?Z}@P;D`8ZmwL4JH_N1(l6rg_gT5Xq4rrTR!d~XQ zVcGQu0|Q@-k(+Ot+oug_IExuCd3As?S81ubaq#EZ82QajIo<2d;vLV4XRLZGeW{<3 z{jDeE>gD}RcT3OmezTVS%0YkFsps0#mMOnVz#q+Y>xf@jU7jgf9vu0VzeT0sPxIzfwnwmcTp>Jb>mKAL1j!>%L12BGpT9Ru~a)Xjw-1BAB=_^ zqwc0YL4EF`kzT75^^1KpoS=S0Jx~3G8qWfTQzucgsB5Udr5e@X-~TW*>K6s-nhsU< ziv$|%)JWa7?_H5Y2GteA!1oEha@@t>>D(ngfI95FR_>!2GD z!|1#9B3596R_aBlq1_->gYt}W#B9V?!1dR~2yva7C=A3M|Bx~lCEkcofO4jw+~D=E z8{}3kQdL`#X$^{70nI_7S9+wX&p|2wx&W2`O5cs9=AcBi`iATO{ErRjio&lHpjRb_ z-qB0Ht^czs)uO#sZ=w|gTY#Pq7ZI#;GMDvw=$d~RC*^XbOAGZ$H>MNi4f|Dr_z1@v zxA|$~2DUz9Xtq-M)aK=~sMsnCi=1v}g^^N3^-;yMhCP#7OBK%Z6L^Go4yS zZ426;H`2=t?IpZ4_^6H4xXQZ4o1YGiZ?7~mgjE?DN3~bUuJ_Jzix&)Y2sMlvNi|br zsd3caR2$VnO{Ti2^QhU>HPk#qaX-*dNZmv&qHdvMPVYsloCO z>5PSUf(fUo&D1t(J2h;FF;cPAII5NEpt`6gF3K!&HZ_-;r&KNcLK=#wCDbx%1+|vy zqc&07sA4B)m};fksSau~)d^L9zZNbUGO1bAY-%nwk6K7Ap;l09slf_-UwT&9K zOH9l2+>ULM)s3q$!%l{xt-jdEcS6Nk;BM6$!0RXR~v`2I2wA< z!AkB;wv+pi9pt{`WO6^UlWZls$o{Wa9{mXB2sY z(SNJ~8YVJBGucV@lT*oUZeQUa*(@_ zgQtP6b>@{yv&fO;Tyi|Qkem|9=WiJetLacdHu2C_OAaCX$eqZIhwlT|erZ)W6h ztB#_C96>HO*ez0M@CFO885!z>1&|wp1(2J_DP(^zzum~+9?VY;YcP5oL5|ZI^KTkv zWU$jg{qa;?$-xX{7un=6(zAm8^hNdAc2On!;nMy@azW7=d? 
z@Bkgm94=ysWsI`hvjt0;t;Fp)~^qZ3b+)6nS2+Mt>o9q*~}mO zOpwggWxM&1JgZBFJl8ck(-zvd_yZ|dKlCFO#eNfX`-Emcj*xJkul`E z$Z_POWIOpGax!@@*+qVboJD?xoJ;@8mb~8zKM|LrND>;i?P0l56Bo~sm2cQ2|R@jpcC3LtxSOC)pkjt5#L-vyQ zk?Y9^$qnRMauc~;AAcDAG#sZxJNXFN&IZJj!DlCVm5%zwC>oOK@H9D-{2Ou^3%r_~%k-7xLh?Ft3AqEgoctNt3)bH$%V?;l z!?WZD^2_8V@(!|}JeAyjuI}ynb>@gDlm4YxM4M#F(PbTkN&PA)Hqv{KF@UvD7%b9v ze~7I8)Gnzs+-5ValeJt$Z}rg~`LQK|~l zH7Zm@jhZ8(Oqrr%o*Z;ysypZ!j=d!gVKwSXf$DW7Xqn*=A@~T;QA8wk%nSOyi1cQJ zGWaT0#fRfRs1BKgFB5Eg!gwLZBB(T7V>*hMoK7MJWyK_P&NGE;BK#puww{O@9n5nM z{@)%NP^}FrtixZ;xt0?26^Yn1*-lJPL3X;DpHT0F0ma&Y)-g{ z9Tg^G=a?_g??fCAZ%3H5K_)a#pXF?WFRyREL)IcZLca-Ggoyke1GyRf|N4sU7;FN5 zP5;HO{371{H$T|F`~Uvh^M8Ns`Tz6Rp8fQ7`rrTBvu@R?Ii~374%1fT&s({C_2hL0 zYxCva(~Ui@)2=I6vHp&^E7osZxqQXk{2TKNHcTlLb=&@MdkA)Q-^(ABg=*$M%ZEOl z)}f>R6zCn&{%<4Kbm(L}F=EU9VmvX-Ul{7F(w`io+-0H0BPP3pp_9=A^_E$VoN9;7 zPHxdxY9ejqS1(Ng1&{2 zhPV$Jk3+tS_l7=+kd63u=$1JAcejWu{TQJTaivpmK#ctopY)(7ttbQbMk|iFoBQMc zR1OJSphE{hkuVH;C*He0Mtl?W6TGB-k9adQaS%3N#79Aw;>2M?-fZYw2u{R(&^~yN zR>ICxQ#{#=!_fu-Bf`{&R(BT*pY^Ps;Z;z!4btE1Cz5v;8k4QL&L192ZT2~V$ah^wuCvKudVPCz!a z5Fs1!BIss>9K_3@4KF2yY^;^ihQKXv86C2Rwnl zhdl(Eju3YqpLL);C&CAIcW*?B5!766fo3@|>_|`=Ku{xrpD~LQ2+FQh9UpR0kkWS$ zT!^2BmSMGzLtN=c2rBQ#&}-9-cpCJXDQGl&DxkBbV*XzNWa5Fm7U4d`^PsOIs28Tr9*c#Ff?} zs1Z_nf^nr=m!i?|DS@6xP-QB;dKnskM%bYfZonOexD)EW6aTUSHbLtVR4+v~78Qc3 zK|7BZ7DdwC^gUBW{J>j}V7L41UEgjv=TuaRPb?LGQq7Ax0vo zIDYakW+15Yeb5DK&~xO?gBGoEWAy^c0C{VX0r4W}v~{=x5LXAVTM<;|Jm_%*mAM&e z%ELe*ZiU{4kc)Ue)Qg}hR(i*6$Oro-=mmsA#PJ^^h^`3rt;p*}M4jXtkU?oN!hJ|k zCw6sKRB@&1xUAwz)p1wFm3G`<#Fh4ATxl}nN@p>yG?#I~tFHBnu9}Sga;GiLBzzI3 zpk1^%O(L$tWfTpwG*N<=qi(Y8%Tb;4I)w@o{(;twXbm-WPQtIi)$jfBYyY~5=L>#i zDBgeJ_5Bx2lcL>4=sk+`K3Dr(<8%J!L>U$&*tff3cjNA+-4!+7n%bKB8edIAO=C?{ zO>>RErmd#EMpR%1;3q1=D$Ese71j!Sg`*<5qN%dE(qGwD>8x^9WmaWXWmn}^&K^CaWg5rm&`@rX2mQN1vO}U-Y(Ch*w_UddYO1DY+n(I`eDm{d&x=ZPrM1#g>8#AG%&yF4&x56VYTT#~B6R8Ya z=~xC+AI;pQ3{iTjaTdh`+#`mV#zc8kMG04w`-h38rU}FEJcm*;)L~NcEG9)kIu{`g 
zJn~c}CPEAj8DDJHh+s`XX`Prg=2fhp8u(s;fO|ZIs5w}1NMxt7`uQg;HEq%V&<Q9{;y_{sytBL+vzJ1+{ut^Kqh>&+iY=asTxd8o+ji?E#+kA*u-Ux>HD zQ@p1!?p)vDgK}hA3-7_;_O-jq14TEweWzgy&QC(c-xbBX{nn0E()&iRvahb&;BuF( zvD=hff3DqCHudhmXce78C)Xfb)HBN$2w8tvp(vfvS^jYJq#O-|tSj|)qtZ`mtzNZK z6h|zvcn~LBj?;{*SBP^FY4QI+*T320mi33MydW;;@O9qy8hl<0~1D#23%wB|h zYglKLR_>?eVs($Slr76;AG>9J37Wl3GrZ+%4_Pahi^d-Ii8EkHKg*yo+35kx%8tU>i`tU^=H{_2Y(HJ zA921e)Ym^`Etd85m-WT@-EW4h-@;ecX)1nAtN6ub;@-&VrgP#*LIqBT*1yw=1wy_p$_I~mpI_)Y}R;|4=F zjvFyUjhG&K3_|R^w2(u3NRlO}7%`v9jIV8uKW2FFad9kqg6Vx>>Y15w6(;u-W=IZp zh3rZHpJh*C_ah&i`$H(C^)Vbn4^9W+!mMl;8+%TO&X)xd*tJT$&~vD%U7YEeZORw6 z82bPhhKIldry*rOgo@%q)(C{V%VO(J3r|c|QVUv@SA0IM8F?exa8rb=`>zr&#Y~#D z1Xsez^rN`5k6%Em-{ZEH&1{g@{ey7oSB5_}4GT-V8hiwP&SEB;W#@g6266e#O9 z#c%&Y%!^I&evMYk?zG!`#BY8PF}^JOXiVUgo6#5lT-Vl!*&m{ckK=U=CSiVkxpuoe zn>*s9(K?o)L5mUe4KfHyl|dWypadhRQ{%a=;0Zm*J6cA~hLwGWD}dnyzwfCiTO*Es zAg_X=UdDhvmjkMntC;o7Vl;)lR%zk>aCuw7<+ zZE|gTC`M7T{OdxQzIU{kqoO0OpLYo+UY;>W`cZj%7P$QnwPM;s)_HKC>WZbPI(Om? zc1Qe{`Fbl;j8-l&T3MmBf=cAH^g}yrBh&X&aNf7_;({+^Ju3$ z?1dL+0?V|VjF!J^RX@S1^F!9f+F8(I<=CCPTH(oEEK)2<311l14>YP@7%Q&m)hELl zjQFkMX{b2!mD7_jn2Fn@tJyMKYqHT)qS4e`G?f_hOVqCoT_$enHGcipg|cWv8+uqgQch#+M;OtC0Jdw5MZ*BcS#P!Zl?|xro^)6D)?~8-IM?{WC z%l_NTM4(TK@LxViT+(M|>UpkDx_KWwxOfhVuln>$Xu}%$3R*$4 zu@|M|y`WzVNEm#17pG*g3pw^aENj7GVoSmZ_0$#O*@ShAhvEt@d&!=UK`X^kXmH$mgin^cF)sA%`HC|6 zaM7^fMcJFJ5ig&BU|TL4tOW%B){W)2JvbaYRc9OuFGpeA`_shrR+suvo@lVnF>Mh) zSSNY!wA&VCF3w!y_V2X^u)Dc8U36iWbo;D#bjaJI+=DvG>g2ylrat&Ge*p-$`HA3< z+SKbyL9S1C^;$S!o`tt*N{Ow$A<4QnhPGV=x#N7Sk%TUOBVUH|^RXej~ zx)P6NVG#oL&0QPzaO~TixI3pVMuR^+j< z2g7kruu#V95yxaixgPP09^nms^3^|wm~mQz*XSWrke8JN{v~3TjL1a9fuNiP>vy?& zzYw_dUjmoQz$65gO&#_QdRa6${b(=)%QE`92|o0xJTRb0F3qQ8=wB~tU61FT?FfD@ z4)yKlJr(SQp-$G$Ly^1?dLy87VcFD|PodIci(I%Ia$?Yd4QP$oU4PYvH4MwGJX<;N z?t`}+Cn(mYHDSF?N_^HaZFkrUkSArK?1g+3J3B{?zT7KI=lXZqNKC3mj3-J@j?>UK8 zviyF%R6mxQi;<&}Gbp1?z$RH3BS#06Wnq{{ophKwy_{RU^&Etd96n^}*X 
zR&cru^INrtt$6pb&iUujEAa?VRQj$*014ZJVWE(9L?+Z(Jo}Q^q7LM4iF)+9RIdp7V?%~_&)aB|-XS$NvUyab9<@RGxa`w>~ zesGtc)ZQu5+`eP(t>|I!)*nM5x$)TW09ZnK+B@-AN^$-m7m_qmXDqvkt&;W0e% ziu+O*511lvu}$5j@W$V>66ZJm;IN&q;{`Fk>ZB{5d@~f9>D#tx{Wt`M9Swcl zgv?t=`;cBm>PAx1@hXgDLuvu%K|M$v$QMGLNTo>CNbinoK00E7Nge!>7&vO9+4&mY zf#WyNX#T^f`RdRpY-37M3hoaDxnK=CBwz0I$3-9Bel9E&v1wD(^hwQg((+7dze(cJ zF%PNtO%xf9JJlOr7yBKX)e5JWFxGA{y?~mFMjq&kDnr(+%bKqnd#Nd<{1E12Yj(%h zD{#leF2VZc_GP!bx0*pmUlh-ed$8xb0ra6SHq~VZ#Desh=Jgp^5n}(`EFMj_+aGU6 ziLzs%;3Vv+=-c^&t(d|Cm}@2YN4bH=-qkEVPft~^Y!>kucJ+#MF+O8dmV#n(8R;Kf zfbEs9%VuroyQ}j?Uu?&IR(l8BsJ7srs{IMC+P>IV_KVt#RCULGaUx@;xf3(%i_O_D z`i-}%L-&j6<87*GzgRUsRXx2=_+Wf@tk^exh2!`E^en#oar~>jG~65UEG%xH$!9J< zTAYFJ1^xG-s@AfPr(^5fc|c5`khpX`&J*UN^<~_uF=aoPieo`1LBTf%C`zT<7gpv} ziu>RuzDti>2MPX=EK6B$*G<<;(_f^?H`6S`<6e(QJ0PB&FiSn+5Z_OD&HIBxI$M3G zuooeVMY1P)DOa7-W3&f**Oj=-Z1QV?6DxU^-RXND^&gbWE}nOfp$ukfki4gzw1=$Q zWTh~hWj&9Nl`TlOe#@_y&a&5RS06r}oh~LhM-B)!!jk@)duw?I?)pq$x9@A;`|?CZ z1dBzfbGjPq5Qm(J>d#}u`_75#u`wcH;$;&@pnvH{ecd5zJaTfKa)+!j$l|TiQXVRf zDf=;06o~DFVoY&>JANyN)yjdvc=uHS5A^VU+Dw;KQBI=^fxuQNW3>W zYv3o%IA8tT{;6-vj0Kr?nZZUq^~Gj!*_7exS9`?DDTTeh#iOMAP)B%9ST-7o{p&)} zF=eniXO9S*I<3zgqcIVow$3=;8*bn0xG1h0Ef!9Fz~aUIWPJDuSxqCww^PR^PlGXJ z4PclUdf(s?tL$|kypB3ime^G}wimvH}>VVl|wQH36RgT#1 z8mqpPBmU&tq`tjZWM{5Y6B|T*<^VN+zj!_KR&~Q3F@46UQM)lyZhuTG=HUD={gv;U zLok%$9=+!`-(mQ~ChH(umhXpL|M=C1WZ=P0iSB%g^E_ z^Bu{#cguGUbgeVR?K^CMyq@u)3K#SVv@Jsyxy$|>o-_Gke0dt)oiV5zYtZMjazL|l zeD7+pd$ia<(YRb+#5}kUx-h;>?M@%{_I<*V6+cEcbSX*?gS)c@nE}XT`u=o4hL&|q zAJytU^;S;$Kjz%~lAJv;FDuPjn2qHQs{roE2oLfY{PJw^Kvs$xJ521$O12)#LO_Hb z(11Jw8nZ-4R^sBgb{pccrTVR9vXUNpB^!_ru9n|u ze5ZVGX*YMsdOPas#4bK#sL0J8(~ZR)L&V@& z!!PyElu>dKDMRi+BI`#!I8MGo;EKmoNBd5Pth0xTqFLGM%m(qtSx?5*-~y3r$O`Gt z<%`z!>XzN&AD0)#M9IsiI2K>lD(l2Xcj?T5&%jXj<1fX%k3_^FFL#HKHFXfWY%Tlo z=i-DT5#R4I%>7`-wa~Zh$DfLOyYay$^+?3~d&IGfYqA_QsI{i@*KYN(kJ+OJg z>@6nsWZ&kO<}5a;*F7o{=8jc2J|QljJ4^Lei|uo5YU~qY-`u(C-Mb!~w|MfQI@z&Y zEZzftj{$6reG~@VG;zD6#C~5Tjp(%IyA2XN{<(a1iM^{%JTR}%z~8}SYBI_7=P;Jy 
z)ZiPR$ysW}1kSA!hvp4YudNcF&l{}X^Lt^QKUVG8PfVUaTYV}?+&h2Qz^F+WZ$IoX z-4l_qAah=3B9VD-qHyK)RbQ?VSLKaTyQ{=Kd0Pe!kzT|P?8W$j3gZWUJjVt>aK{_qabvS7A4dxr?W@_;&Mnt1if1#0B)MW2N; zV&ki|l`H*Z$hxDCSiNw9YPX8tFT5nq_uy|!>AjDOw-)wQH$E~A{cQ& zj(3jDJvnx`ZuustSyEvcpj$rHEe=?E>z224ixU>JZh2X^xM2AOla897(JgLR{;pdd z(JckAsB83M_v)rXn7Z|#V%<^#%U^ZNHJZg&iZc!4$GUNzZqz<*Opbj=H%`=zm3rin zDsg_1eReP1_se;0SY}iasar1U77Hvt@6@_{Mz`d{lCHJ|?yBdVGgE#78Q-&iC* zU2st?rB`aL&2M>uyR!m8}Tn6~gxF@PbiM~zs zVc2^jPHh*RD^e1}{*CML?PAc%GWB+|s9o8pZjKZSJ&Q+ujY(LS6Mxg8b@846AAoPQ z;NjQ2T|SSNt%kp|8r*%qc-M39n#SuCYNKYX>hx8iKJ4m%i=a5>Ex{x}MnveoW zZAjHf-AFmUw{dH2d`Lb}Z`m{jmfWz`9Q@yRI5YI|y2@tD>PaT`t_MW!H9OS@`5=lOiFgGTS?`gE7UblTbtK|X%(Y-2RNU7GYe+r^te{8xcYEtSZtX1+uAD!=4plf`pZopKqcM?<#isi4hs{j z)~!hlI~NKacVUObqoeN&?MXK{xlNp1H^_8C{J3tAxAE*h2WVTB+?AGJc<5go_#UrW zz5il$`?B+WcyO2TYo!NGYsc*$>v{uq88w$Wi8|8DOcJ#RwW~v~!1(v;kMx{MyM>xU zO`~=&&P`rHEu`K}-9h!%GxHKP>vKgrPOzevs7=&b>JDlJbpp$mkkeSt0IG!=PW{Jc zS~FfHsArURYJgf#y^nembt!fAr+P;VsdrPiQGZX}OMQiUhWb}cy|}?yVG?yTbrw}` zMp4>1LWAwBD4P29C%Pv{Jx+avx{X>y^+-kg$_!SpmyQ9{7-~1Ki6FI&8ldi{R#7up zUoOi}pc)-7aw;wpp!z1oB?h+*2u~=`G6~^#uGcd5X3O<~*j~lTP09_*24xlgL~c{A zRf>e^wh`%zl^L*=DD#xHN|BNYUm?6}lv@z75w=@E|6Fn{{s4a0ZI_DD+Y$!-r?{VQ zyY#`^6R!FXVd(mm%1mXhG6_u?-N{138~oMEnyNUI@yZzdJ68N{ zQ>H1SIeqgYHMxn?)9urz$+=C}l5OJ5J+I3XrX3zXXOY@LwcW4V3#n~X+jiaVp;l8n zsJ2S_sZCVN1GMWpRB582mD)k=qBcKzL~@eQ3#L+?RJRac`{#LW59@9_HI+J= z>Y!#&ozyARENUJ#pISgIqLxy(Q7d)zDm!SXqVA$rQ){X9)VT}cG(TU*{RQng_=Z7rDjl_R2MamT0k}N3MnC%QY)yHQss42MME{Up4vnW zP}`^-)NZP!O7F0Z>ZH1;ZfYJipXz~nWiJb8D5RE9OQ{vqN@^9go*JOGQH=&V$X!(B z5zZ_%^$}&dwgfq8$fM#>SF_(hEumIYTc~Z1H2|w31_VRNBa~d;Yy+9wbnVdkjkgen-vV8rOhmD-1qmoMQM|P0$El=OQ zoHX=jfQu}@3dqAv9;l;|M@}Kklo~Y z>)2E7m$~b3(4N4G?dV=mRxECkSoY0E(Dcim0V2@BR7%5$!_kQ5#)gG z_bNSTXk&p$atGN=?jqxzN;}%Pko6=h4f-jIAzR3?WE(k-?9dqVA5Vje0rGFw^2j6i zA{$Qwy~)PYKp(P)@d@NYvXxv)P9#@Kmghf-hH3`%BR7$g$pNzb^_o1|$OFh7zXOi2=S>!HqHd$%X2RMstAzx1R z+Gxn3!9ku)c9G|h^T@em4|yKBkUXDUO3ou!k{9UgRjO%N%z!5H5^{jNl-x#MOYR_F 
zPwpb$KvwqYGq8zlA)B-(65M|_8p8RAVm$3fk{$F%kzM3yavnK`>>*poh2%cuQgVW1 zdH+|^kjQ{)ax%GzJdoT<9!+j1PbPPfr;(NY`V7n@TgcagW&27h4JJNgImzKGgax~dPP9_(UCzC74CY!vX z@McDivT3N)lcUKkI(wDLG_)EO*!2SKMg`=cQ31J|Jeh2MULUb3RWF}Jjv}X$qsdN< zasExC^#X3A06E_%KrSGg9D00-5l^l#;>lG;e1;xhZ^V;ZB+KhBnub=RfKxBfPL3uA z4gVC~-);EG<`*~vF5RC*jwYuXoTdAn;Cb>THrlNl+(tmI&iMxC>0Ce#zf{VwD6w>)h0^HNY8`@IOUTcWE6DF@^ABSc4Q&jlC(j|bkOSma@+q?MB_@j8 zPXF8FAo&AwH`#ld26L-ECCA7~TgV@iTghk1?c@*1LGt_LZjCYjuhU?BDKWmRn2+i+V!UM=A2y6HBT4k% z!1BhI6XQ!uD*XlY8z0A_$xi8)=RcPQf8u^(5!hzk^&rt|OO_8_5;q zx#TLa_D=Z%4fPCoiEMm`m_}})zk=-GYrgR*r{4*?Q2_9`54FB%G2U^=;l1-6n~$ybuij2}mCr~fu`HR~Tn4${9~XRlJl z06PP^8L*CQenX$3`^jyLA4N{0|3-2uxs2>#2d9#q^xvZ~F4a5+OlE+a0b9u3&*&X+ zkn`z(lw3f*m0UtDCRdObkGzXUIiO#^ zxYB<&{YfmJ0G93JXZw1Oj1Q1D23T33oBkza^Km`Cikw8=MouL^PIi*(4L|EoH1>Zt z1M(T*U_f7TKK)l2yjSnQ6mkLm<>V6bQ{)QrMsgK-m$Co5*kC^f)HC2}qXPPekXz_q zLvAI%LT)D?CI`t)|1xp~AMZaUJL&%uIgk7@ zxq$3_l7>C%K&! zl#*R+U?Mq4|0Z%iJ3N5gP5%nA`GnrVo5&t59`iqth9m~8B-_~FcycQJcalrkppERL ze>J&){uHvCeh)cG)-TV01`YWPc#K>~zJuJv3NIm7(0?ttioAhbPYxrukUt@}g0*+b zN*dZ3@B}$X-cRl(?;)Gt(x-G5Iq9wD-LG!2ME|Utm0uLmzimZWm;QT;sH$6Zd$rhi zU6QDNC|oq1PsM-UKU3J=ez{Ldl#)`kT}jEfUr8}lDDhpf9ir>)fGr8jmh%qIGD~TB~O5%g@c~NqB<5Y)HU&M4pS%|b0 z^*s*#cl8~erbH?yr^yP%J?{)xJFXXv?@X8_t5DIyaoPBh9#S#8v>NB_b|i!UU6uQ1 z;;*_$sBz@GX}yi!JTY5QnvovfAg+6NoNVZ^cT;}#9$1V84V%TY8^nosM-K0}9{(v! 
zvZ2{oni!4(%)d-4EgZZ+-_S+gFZrd3}Ytjao$YQ2!5p2Ny5f zS900Fgio3`pIKlMpPfC?eC*uD@co}uMyQT9@!7>4V zJKoXNBQ!^bxAI#WzR?xSg(6@1s!&p{jCtG-{(sfWV;AdPsMkAMVdlS4AubeqUGL#W zwvVLiu^9!>1ahZ-r z=2GmB-EcUdHz5@vUkJ6OVdTh5y%|Z4rU?2oQYGy84WY7UEY@G-1JF}QsqGjY)H(qp zMqaMtL!J1k1oAFuzD&q_psT$2XBnUndNYy-dHf7f8H`k6%41Hl*i} zm%0(D3k}yoKSjC-`)AM**hVeyV_?u9kUoR`C+Ia(^i#G5>YR${hutePA0f#RcR=@I z%ajhOpCNfrk<_~B=soh!K?_|N8S+vOBFVBZLHlOvc{|iQ1D!@pDKrgt!CvGY(0NE( zkk5neoQd-Cmj`_eNj6Xo{R{I!=)`$?fho|W z`KS;TX^OnO3ksk^uD~?}yB+!}lAOf=bm{`!8L+#cZAh}CQk(Hkd(I1Z4w;RMapfXk z0(C4whmep?k(7D&(LO+Z4^N?A)4vP(f3ZTCrwIi>r$E}EDIfs!#_aMn@VlVUq zBy9xHUIls{KV?=%A;|`+p%bpfRgSWGP!Ey|`9i3I2cul%Ezr}~dl3MTPfI@|$-?;M zvvM_(EL;eE04X2&CaCE~REB&w)QKcJAvNkIbRPB?=v_#K$m2)W%5J14%!+(amk-)O z#7ph70e1oHw&lpk2RjK;RqUi-whAQH| ze#V|*QUcK?j7~qg93~|x%plY=O;sxJlkh&G>+6i3H{!=kCj1ZDJm#ASQ_l<~O&N>- z3=2P)Zl3=4;(sxez54BouYPNq5$DCTAa)X^YIpVS!0z_lN+~7>-2P0*Gr?!No(b%2 z-P^XeeQ(F!;NGsi-FuY=bAzQJslnEe+Tdt#Hn)^yc$*Lam$bFHN|sn%ATTI;BF z*1BrlwRyGqwVv97+QQnB+S1yJ+RECh+UnZ++NRn-ZEI~?ZF_A;ZLqehw!2oTGuK(_ zlIm=AsdbJzXPv9gU6)svU+1YSs4J{1sVl9ksH?22s;jQ6uWPDnsSDJ#*0t5O*LBnd z>$>W?>y*eR%}-jMOnP$X{vN8`ncq;*P|{G*P}NZ1(9+P_(B2Si=x#7KCN-uuIvd@M z`HcmQC5;u0RgLwHEsd>>?Tx|4?nd*oJ9|W^gTkwE&Am7xLcPKijTvmxCuHaSW>nnt zRN$$$r#hbMdP=Fc)Z6ME^{)E7dQW{}eQAAVeRX|PeW1RrzN5aYUU}N`wC!of)2^rU sp7uPwv!jRlZbSgLrLyy2q`IpgDsIER3X#LD(gp?SQeJ$+td2MR4_#mZ*#H0l diff --git a/Source/Furutaka/Furutaka.vcxproj.user b/Source/Furutaka/Furutaka.vcxproj.user index 7e38018..f674791 100644 --- a/Source/Furutaka/Furutaka.vcxproj.user +++ b/Source/Furutaka/Furutaka.vcxproj.user @@ -1,7 +1,7 @@  - C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys + C:\MAKEEXE\TDL\Furutaka\drv\dummy.sys WindowsLocalDebugger diff --git a/Source/Furutaka/main.c b/Source/Furutaka/main.c index dc40bea..aa6fab3 100644 --- a/Source/Furutaka/main.c +++ b/Source/Furutaka/main.c @@ -4,9 +4,9 @@ * * TITLE: MAIN.C * -* VERSION: 1.14 +* VERSION: 1.15 * -* DATE: 05 Jan 2019 +* DATE: 19 Apr 2019 * * Furutaka entry point. * 
@@ -36,11 +36,11 @@ ULONG g_NtBuildNumber = 0; #define supImageName "furutaka" #define supImageHandle 0x1a000 -#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.4 (05/01/19)") +#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.5 (19/04/19)") #define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") #define T_LOADERRUN TEXT("Another instance running, close it before\r\n") #define T_LOADERUSAGE TEXT("Usage: loader DriverToLoad\n\re.g. loader mydrv.sys\r\n") -#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.4 started\r\n(c) 2016 - 2019 TDL Project\r\nSupported x64 OS : 7 and above\r\n") +#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.5 started\r\n(c) 2016 - 2019 TDL Project\r\nSupported x64 OS : 7 and above\r\n") #define T_VBOXDETECT TEXT("Ldr: Detected VirtualBox software installation, driver backup will be done") /* 
@@ -71,62 +71,6 @@ BOOL TDLVBoxInstalled( return bPresent; } -/* -* TDLRelocImage -* -* Purpose: -* -* Process image relocs. -* -*/ -void TDLRelocImage( - _In_ ULONG_PTR Image, - _In_ ULONG_PTR NewImageBase -) -{ - PIMAGE_OPTIONAL_HEADER popth; - PIMAGE_BASE_RELOCATION rel; - DWORD_PTR delta; - LPWORD chains; - DWORD c, p, rsz; - - popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader; - - if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC) - if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0) - { - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image + - popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - - rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - delta = (DWORD_PTR)NewImageBase - popth->ImageBase; - c = 0; - - while (c < rsz) { - p = sizeof(IMAGE_BASE_RELOCATION); - chains = (LPWORD)((PBYTE)rel + p); - - while (p < rel->SizeOfBlock) { - - switch (*chains >> 12) { - case IMAGE_REL_BASED_HIGHLOW: - *(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta; - break; - case IMAGE_REL_BASED_DIR64: - *(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta; - break; - } - - chains++; - p += sizeof(WORD); - } - - c += rel->SizeOfBlock; - rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock); - } - } -} - /* * TDLGetProcAddress * @@ -539,6 +483,10 @@ UINT TDLMapDriver( return result; } +#define VBOXNETADP_SVC L"VBoxNetAdp" +#define VBOXNETLWF_SVC L"VBoxNetLwf" +#define VBOXUSBMON_SVC L"VBoxUSBMon" + /* * TDLStartVulnerableDriver * 
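Review bot: The three new service-name macros `VBOXNETADP_SVC`, `VBOXNETLWF_SVC` and `VBOXUSBMON_SVC` are defined in main.c directly above TDLStartVulnerableDriver, while the fourth name the same unload sequence uses, `VBoxDrvSvc`, comes from elsewhere (presumably sup.h, which this chunk does not show) and follows a different naming style; the stop order in the later hunk depends on all four, so they belong in one place. Moving the three defines next to `VBoxDrvSvc` and naming them consistently leaves a single spot to update if VirtualBox renames a service. A one-line comment over the group such as `// VirtualBox kernel services, stopped in dependency order before VBoxDrv` would also record why the list exists and why its order matters.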
@@ -554,12 +502,16 @@ HANDLE TDLStartVulnerableDriver( PBYTE DrvBuffer; ULONG DataSize = 0, bytesIO; HANDLE hDevice = INVALID_HANDLE_VALUE; - WCHAR szDriverFileName[MAX_PATH * 2]; SC_HANDLE schSCManager = NULL; LPWSTR msg; + WCHAR szDriverFileName[MAX_PATH * 2]; + DrvBuffer = supQueryResourceData(1, g_hInstance, &DataSize); - while (DrvBuffer != NULL) { + if (DrvBuffer == NULL) + return INVALID_HANDLE_VALUE; + + do { //lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere. RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName)); 
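Review bot: The new early return when supQueryResourceData yields NULL leaves TDLStartVulnerableDriver without any diagnostic, whereas every other failure in this function is reported through cuiPrintText before breaking out (the SCM-open and stop-failure messages in the next hunk); a user would see the loader exit with no hint that the embedded driver resource could not be read. Printing first, e.g. `cuiPrintText(TEXT("Ldr: Error reading embedded driver resource"), TRUE);` immediately before the existing `return INVALID_HANDLE_VALUE;`, keeps the failure modes consistent. The function begins before and ends after this hunk.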
@@ -568,43 +520,41 @@ HANDLE TDLStartVulnerableDriver( break; } - schSCManager = OpenSCManager(NULL, - NULL, - SC_MANAGER_ALL_ACCESS - ); + schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (schSCManager == NULL) { cuiPrintText(TEXT("Ldr: Error opening SCM database"), TRUE); break; } - //lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive - if (supIsObjectExists(L"\\Device", L"VBoxDrv")) { + // + // Lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive + // + if (supIsObjectExists(L"\\Device", VBoxDrvSvc)) { - cuiPrintText(TEXT("Ldr: Active VirtualBox found in system, attempt unload it"), TRUE); - - if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) { - - cuiPrintText(TEXT("SCM: VBoxNetAdp driver unloaded"), TRUE); + cuiPrintText(TEXT("Ldr: Active VirtualBox found in system, attempt stop (unload) it drivers"), TRUE); + if (!supStopVBoxService(schSCManager, VBOXNETADP_SVC)) { + cuiPrintText(TEXT("SCM: Error stopping VBoxNetAdp, cannot continue"), TRUE); + break; } - if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) { - - cuiPrintText(TEXT("SCM: VBoxNetLwf driver unloaded"), TRUE); + if (!supStopVBoxService(schSCManager, VBOXNETLWF_SVC)) { + cuiPrintText(TEXT("SCM: Error stopping VBoxNetLwf, cannot continue"), TRUE); + break; } - if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) { - - cuiPrintText(TEXT("SCM: VBoxUSBMon driver unloaded"), TRUE); + if (!supStopVBoxService(schSCManager, VBOXUSBMON_SVC)) { + cuiPrintText(TEXT("SCM: Error stopping VBoxUSBMon, cannot continue"), TRUE); + break; } Sleep(1000); - if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) { - - cuiPrintText(TEXT("SCM: VBoxDrv driver unloaded"), TRUE); - + if (!supStopVBoxService(schSCManager, VBoxDrvSvc)) { + cuiPrintText(TEXT("SCM: Error stopping VBoxDrv, cannot continue"), TRUE); + break; } + } // 
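Review bot: The fixed `Sleep(1000)` between stopping the three dependency drivers and stopping VBoxDrv encodes an unstated timing assumption: unless supStopVBoxService (added in sup.c, outside this chunk) waits for each service to reach SERVICE_STOPPED, a slow unload on a busy machine makes the VBoxDrv stop fail, and the new `break` then aborts the whole loader where the old scmStopDriver path simply carried on. If the helper already polls the service status, a comment on the sleep saying why it is still needed would help; if it does not, polling QueryServiceStatusEx for SERVICE_STOPPED with a bounded timeout after each dependency is the robust fix and the sleep can go. The body of TDLStartVulnerableDriver continues on both sides of this hunk.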
@@ -649,8 +599,8 @@ HANDLE TDLStartVulnerableDriver( } cuiPrintText(msg, TRUE); - break; - } + + } while (FALSE); //post cleanup if (schSCManager != NULL) { @@ -783,7 +733,6 @@ UINT TDLProcessCommandLine( void TDLMain() { - BOOL cond = FALSE; UINT uResult = 0; LONG x; OSVERSIONINFO osv; @@ -837,7 +786,7 @@ void TDLMain() uResult = TDLProcessCommandLine(GetCommandLine()); - } while (cond); + } while (FALSE); InterlockedDecrement((PLONG)&g_lApplicationInstances); ExitProcess(uResult); diff --git a/Source/Furutaka/ntos.h b/Source/Furutaka/ntos.h index 2f1516e..51fa2b2 100644 --- a/Source/Furutaka/ntos.h +++ b/Source/Furutaka/ntos.h @@ -1,12 +1,12 @@ /************************************************************************************ * -* (C) COPYRIGHT AUTHORS, 2015 - 2018, translated from Microsoft sources/debugger +* (C) COPYRIGHT AUTHORS, 2015 - 2019, translated from Microsoft sources/debugger * * TITLE: NTOS.H * -* VERSION: 1.98 +* VERSION: 1.111 * -* DATE: 28 Dec 2018 +* DATE: 30 Mar 2019 * * Common header file for the ntos API functions and definitions. * @@ -28,6 +28,7 @@ #ifndef NTOS_RTL #define NTOS_RTL + // // NTOS_RTL HEADER BEGIN // @@ -39,6 +40,7 @@ extern "C" { #pragma comment(lib, "ntdll.lib") #pragma warning(push) +#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union #pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int #ifndef PAGE_SIZE @@ -78,6 +80,19 @@ typedef unsigned char UCHAR; typedef CCHAR KPROCESSOR_MODE; typedef UCHAR KIRQL; typedef KIRQL *PKIRQL; +typedef ULONG CLONG; +typedef LONG KPRIORITY; +typedef short CSHORT; +typedef ULONGLONG REGHANDLE, *PREGHANDLE; +typedef PVOID *PDEVICE_MAP; +typedef PVOID PHEAD; + +#ifndef _WIN32_WINNT_WIN10 +#define _WIN32_WINNT_WIN10 0x0A00 +#endif +#if (_WIN32_WINNT < _WIN32_WINNT_WIN10) +typedef PVOID PMEM_EXTENDED_PARAMETER; +#endif #ifndef IN_REGION #define IN_REGION(x, Base, Size) (((ULONG_PTR)(x) >= (ULONG_PTR)(Base)) && \ 
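Review bot: The fallback `typedef PVOID PMEM_EXTENDED_PARAMETER;` in the ntos.h hunk at the end of this line is guarded by `_WIN32_WINNT < _WIN32_WINNT_WIN10`, which is also true when `_WIN32_WINNT` is not defined at all (an undefined macro evaluates to 0 inside `#if`), so the stand-in typedef is emitted whenever the project forgets to set a target version. If the SDK headers included ahead of ntos.h select their own MEM_EXTENDED_PARAMETER definition on a different macro (NTDDI_VERSION, if I remember the winnt.h guard correctly), the two conditions can disagree and yield a conflicting typedef; guarding on the presence of the SDK type, or writing `#if !defined(_WIN32_WINNT) || (_WIN32_WINNT < _WIN32_WINNT_WIN10)` with a comment naming which SDK versions supply the real type, would make the intent explicit.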
@@ -163,26 +178,26 @@ char _RTL_CONSTANT_STRING_type_check(const void *s); } #endif +#ifndef RTL_CONSTANT_OBJECT_ATTRIBUTES #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \ { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL } +#endif // This synonym is more appropriate for initializing what isn't actually const. +#ifndef RTL_INIT_OBJECT_ATTRIBUTES #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) +#endif // // ntdef.h end // - +#ifndef RtlOffsetToPointer #define RtlOffsetToPointer(Base, Offset) ((PCHAR)( ((PCHAR)(Base)) + ((ULONG_PTR)(Offset)) )) +#endif + +#ifndef RtlPointerToOffset #define RtlPointerToOffset(Base, Pointer) ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base)) )) - - -typedef ULONG CLONG; -typedef LONG KPRIORITY; -typedef short CSHORT; -typedef ULONGLONG REGHANDLE, *PREGHANDLE; -typedef PVOID *PDEVICE_MAP; -typedef PVOID PHEAD; +#endif // // Valid values for the OBJECT_ATTRIBUTES.Attributes field @@ -203,6 +218,21 @@ typedef PVOID PHEAD; #define CALLBACK_MODIFY_STATE 0x0001 #define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE ) +// +// CompositionSurface Access Rights +// +#ifndef COMPOSITIONSURFACE_READ +#define COMPOSITIONSURFACE_READ 0x0001L +#endif + +#ifndef COMPOSITIONSURFACE_WRITE +#define COMPOSITIONSURFACE_WRITE 0x0002L +#endif + +#ifndef COMPOSITIONSURFACE_ALL_ACCESS +#define COMPOSITIONSURFACE_ALL_ACCESS (COMPOSITIONSURFACE_READ | COMPOSITIONSURFACE_WRITE) +#endif + // // Debug Object Access Rights // 
@@ -286,22 +316,22 @@ typedef PVOID PHEAD; // #define THREAD_ALERT (0x0004) -#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 -#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 -#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 +#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 +#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 +#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 #define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 -#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 -#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 +#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 +#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 // // Worker Factory Object Access Rights // -#define WORKER_FACTORY_RELEASE_WORKER 0x0001 -#define WORKER_FACTORY_WAIT 0x0002 -#define WORKER_FACTORY_SET_INFORMATION 0x0004 -#define WORKER_FACTORY_QUERY_INFORMATION 0x0008 -#define WORKER_FACTORY_READY_WORKER 0x0010 -#define WORKER_FACTORY_SHUTDOWN 0x0020 +#define WORKER_FACTORY_RELEASE_WORKER 0x0001 +#define WORKER_FACTORY_WAIT 0x0002 +#define WORKER_FACTORY_SET_INFORMATION 0x0004 +#define WORKER_FACTORY_QUERY_INFORMATION 0x0008 +#define WORKER_FACTORY_READY_WORKER 0x0010 +#define WORKER_FACTORY_SHUTDOWN 0x0020 #define WORKER_FACTORY_ALL_ACCESS ( \ STANDARD_RIGHTS_REQUIRED | \ @@ -334,6 +364,7 @@ typedef PVOID PHEAD; #define TRACELOG_CREATE_INPROC 0x0200 #define TRACELOG_ACCESS_REALTIME 0x0400 #define TRACELOG_REGISTER_GUIDS 0x0800 +#define TRACELOG_JOIN_GROUP 0x1000 // // Memory Partition Object Access Rights 
@@ -361,14 +392,22 @@ typedef PVOID PHEAD; // // Define special ByteOffset parameters for read and write operations // +#ifndef FILE_WRITE_TO_END_OF_FILE #define FILE_WRITE_TO_END_OF_FILE 0xffffffff +#endif +#ifndef FILE_USE_FILE_POINTER_POSITION #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe +#endif // // This is the maximum MaximumLength for a UNICODE_STRING. // +#ifndef MAXUSHORT #define MAXUSHORT 0xffff +#endif +#ifndef MAX_USTRING #define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) ) +#endif typedef struct _EX_RUNDOWN_REF { union @@ -400,8 +439,7 @@ typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; -} UNICODE_STRING; -typedef UNICODE_STRING *PUNICODE_STRING; +} UNICODE_STRING, *PUNICODE_STRING; typedef const UNICODE_STRING *PCUNICODE_STRING; #ifndef STATIC_UNICODE_STRING @@ -524,7 +562,7 @@ typedef enum _KWAIT_REASON { WrDelayExecution, WrSuspended, WrUserRequest, - WrEventPair, + WrEventPair, //has no effect after 7 WrQueue, WrLpcReceive, WrLpcReply, @@ -549,6 +587,7 @@ typedef enum _KWAIT_REASON { WrRundown, WrAlertByThreadId, WrDeferredPreempt, + WrPhysicalFault, MaximumWaitReason } KWAIT_REASON; @@ -982,6 +1021,18 @@ typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION { PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1]; } PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION; +// +// Process/Thread System and User Time +// NtQueryInformationProcess using ProcessTimes +// NtQueryInformationThread using ThreadTimes +// +typedef struct _KERNEL_USER_TIMES { + LARGE_INTEGER CreateTime; + LARGE_INTEGER ExitTime; + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; +} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES; + typedef enum _PS_MITIGATION_OPTION { PS_MITIGATION_OPTION_NX, PS_MITIGATION_OPTION_SEHOP, 
@@ -3190,10 +3241,10 @@ typedef struct _OBJECT_TYPE_RS2 { */ typedef struct _OBJECT_HEADER { - LONG PointerCount; + LONG_PTR PointerCount; union { - LONG HandleCount; + LONG_PTR HandleCount; PVOID NextToFree; }; EX_PUSH_LOCK Lock; 
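Review bot: Changing `PointerCount` and `HandleCount` in OBJECT_HEADER from LONG to LONG_PTR shifts every following field on 64-bit builds, yet nothing in the declaration records why; as far as I recall the debugger reports both counts as Int8B in the 64-bit nt!_OBJECT_HEADER, so a comment beside the fields, e.g. `// pointer-sized on 64-bit kernels (Int8B in nt!_OBJECT_HEADER)`, would let the next reader confirm the layout instead of re-deriving it. On 32-bit builds LONG_PTR is LONG, so the change is a no-op there; stating that too avoids a false alarm when someone compares against older x86 layouts. The remainder of _OBJECT_HEADER lies outside the hunk.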
@@ -5072,88 +5123,6 @@ __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmen ** PEB/TEB END */ -/* -** ALPC START -*/ - -typedef struct _PORT_MESSAGE { - union { - struct { - CSHORT DataLength; - CSHORT TotalLength; - } s1; - ULONG Length; - } u1; - union { - struct { - CSHORT Type; - CSHORT DataInfoOffset; - } s2; - ULONG ZeroInit; - } u2; - union { - CLIENT_ID ClientId; - double DoNotUseThisField; // Force quadword alignment - } u3; - ULONG MessageId; - union { - ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message - ULONG CallbackId; // Only valid on LPC_REQUEST message - } u4; - UCHAR Reserved[8]; -} PORT_MESSAGE, *PPORT_MESSAGE; - -// end_ntsrv - -typedef struct _PORT_DATA_ENTRY { - PVOID Base; - ULONG Size; -} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; - -typedef struct _PORT_DATA_INFORMATION { - ULONG CountDataEntries; - PORT_DATA_ENTRY DataEntries[1]; -} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; - -#define LPC_REQUEST 1 -#define LPC_REPLY 2 -#define LPC_DATAGRAM 3 -#define LPC_LOST_REPLY 4 -#define LPC_PORT_CLOSED 5 -#define LPC_CLIENT_DIED 6 -#define LPC_EXCEPTION 7 -#define LPC_DEBUG_EVENT 8 -#define LPC_ERROR_EVENT 9 -#define LPC_CONNECTION_REQUEST 10 - -#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE) -#define PORT_MAXIMUM_MESSAGE_LENGTH 256 - -typedef struct _LPC_CLIENT_DIED_MSG { - PORT_MESSAGE PortMsg; - LARGE_INTEGER CreateTime; -} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; - -//#pragma pack(push, 1) -typedef struct _PORT_VIEW { - ULONG Length; - HANDLE SectionHandle; - ULONG SectionOffset; - SIZE_T ViewSize; - PVOID ViewBase; - PVOID ViewRemoteBase; -} PORT_VIEW, *PPORT_VIEW; - -typedef struct _REMOTE_PORT_VIEW { - ULONG Length; - SIZE_T ViewSize; - PVOID ViewBase; -} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; -//#pragma pack(pop) -/* -** ALPC END -*/ - /* ** MITIGATION POLICY START */ 
@@ -5283,13 +5252,37 @@ typedef struct tagPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 { } DUMMYUNIONNAME; } PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10; +typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 { + union { + DWORD Flags; + struct { + DWORD SmtBranchTargetIsolation : 1; + DWORD IsolateSecurityDomain : 1; + DWORD DisablePageCombine : 1; + DWORD SpeculativeStoreBypassDisable : 1; + DWORD ReservedFlags : 28; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; +} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10; + +typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 { + union { + DWORD Flags; + struct { + DWORD DisallowWin32kSystemCalls : 1; + DWORD AuditDisallowWin32kSystemCalls : 1; + DWORD ReservedFlags : 30; + } DUMMYSTRUCTNAME; + } DUMMYUNIONNAME; +} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10; + typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION { PROCESS_MITIGATION_POLICY Policy; union { PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; - PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; + PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 SystemCallDisablePolicy; PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 DynamicCodePolicy; PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 ControlFlowGuardPolicy; 
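Review bot: Swapping the SDK's PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY for the local `_W10` copy inside PROCESS_MITIGATION_POLICY_INFORMATION is layout-safe, since both are a single DWORD-wide union, but nothing says that the only difference is the added `AuditDisallowWin32kSystemCalls` bit (older SDKs, if I recall, carry 31 reserved bits there) or that the SDK member is deliberately shadowed. A note above the typedef, e.g. `// same size as the SDK type; adds the audit bit absent from older SDKs`, keeps that explicit for whoever next aligns this header with a new SDK. The PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 struct added just above it follows the same pattern and could share the comment.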
@@ -5299,6 +5292,7 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION { PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 SystemCallFilterPolicy; PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 PayloadRestrictionPolicy; PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy; + PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 SideChannelIsolationPolicy; }; } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION; @@ -5592,6 +5586,32 @@ typedef struct _ESERVERSILO_GLOBALS { /* ** LDR START */ +// +// Dll Characteristics for LdrLoadDll +// +#define LDR_IGNORE_CODE_AUTHZ_LEVEL 0x00001000 + +// +// LdrAddRef Flags +// +#define LDR_ADDREF_DLL_PIN 0x00000001 + +// +// LdrLockLoaderLock Flags +// +#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 +#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002 + +// +// LdrUnlockLoaderLock Flags +// +#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001 + +// +// LdrGetDllHandleEx Flags +// +#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001 +#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002 typedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)( _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, @@ -5961,6 +5981,9 @@ CsrClientConnectToServer( * ************************************************************************************/ +#define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (0x00000001) +#define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (0x00000002) + #ifndef RtlInitEmptyUnicodeString #define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \ ((_ucStr)->Buffer = (_buf), \ 
@@ -8633,6 +8656,41 @@ NtDeletePrivateNamespace( * ************************************************************************************/ +typedef struct _OBJECT_SYMBOLIC_LINK_V1 { //pre Win10 TH1 + LARGE_INTEGER CreationTime; + UNICODE_STRING LinkTarget; + ULONG DosDeviceDriveIndex; +} OBJECT_SYMBOLIC_LINK_V1, *POBJECT_SYMBOLIC_LINK_V1; + +typedef struct _OBJECT_SYMBOLIC_LINK_V2 { //Win10 TH1/TH2 + LARGE_INTEGER CreationTime; + UNICODE_STRING LinkTarget; + ULONG DosDeviceDriveIndex; + ULONG Flags; +} OBJECT_SYMBOLIC_LINK_V2, *POBJECT_SYMBOLIC_LINK_V2; + +typedef struct _OBJECT_SYMBOLIC_LINK_V3 { //Win10 RS1 + LARGE_INTEGER CreationTime; + UNICODE_STRING LinkTarget; + ULONG DosDeviceDriveIndex; + ULONG Flags; + ULONG AccessMask; +} OBJECT_SYMBOLIC_LINK_V3, *POBJECT_SYMBOLIC_LINK_V3; + +typedef struct _OBJECT_SYMBOLIC_LINK_V4 { //Win10 RS2+ + LARGE_INTEGER CreationTime; + union { + UNICODE_STRING LinkTarget; + struct { + PVOID Callback; + PVOID CallbackContext; + }; + } u1; + ULONG DosDeviceDriveIndex; + ULONG Flags; + ULONG AccessMask; +} OBJECT_SYMBOLIC_LINK_V4, *POBJECT_SYMBOLIC_LINK_V4; + NTSYSAPI NTSTATUS NTAPI @@ -8712,7 +8770,7 @@ NtCreateMailslotFile( _In_ ULONG MaximumMessageSize, _In_ PLARGE_INTEGER ReadTimeout); -NTSYSCALLAPI +NTSYSAPI NTSTATUS NTAPI NtDeviceIoControlFile( @@ -8984,7 +9042,8 @@ NtLoadDriver( NTSYSAPI NTSTATUS -NTAPI NtUnloadDriver( +NTAPI +NtUnloadDriver( _In_ PUNICODE_STRING DriverServiceName); NTSYSAPI 
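Review bot: The V4 layout overlays `LinkTarget` with `Callback`/`CallbackContext` in `u1`, but nothing in the hunk says how a reader tells which member is live; code that reads `u1.LinkTarget` on a callback-backed link would interpret two pointers as a `UNICODE_STRING` and follow whatever `Buffer` they happen to form. Presumably `Flags` is the discriminator, so I'd document that on the union: `// u1: inspect Flags before touching LinkTarget; callback-backed links (RS2+) carry Callback/CallbackContext here instead`. Since all four variants mirror undocumented kernel layouts, it would also help to record which builds each `_V*` tag was verified against rather than only the release family in the trailing comment.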
@@ -9000,6 +9059,14 @@ NtLoadHotPatch( * ************************************************************************************/ +#define MEM_EXECUTE_OPTION_DISABLE 0x1 +#define MEM_EXECUTE_OPTION_ENABLE 0x2 +#define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4 +#define MEM_EXECUTE_OPTION_PERMANENT 0x8 +#define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10 +#define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20 +#define MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f + typedef enum _MEMORY_PARTITION_INFORMATION_CLASS { SystemMemoryPartitionInformation, SystemMemoryPartitionMoveMemory, @@ -9069,6 +9136,21 @@ NtCreateSection( _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle); +//taken from ph2 +NTSYSAPI +NTSTATUS +NTAPI +NtCreateSectionEx( + _Out_ PHANDLE SectionHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_opt_ PLARGE_INTEGER MaximumSize, + _In_ ULONG SectionPageProtection, + _In_ ULONG AllocationAttributes, + _In_opt_ HANDLE FileHandle, + _In_ PMEM_EXTENDED_PARAMETER ExtendedParameters, + _In_ ULONG ExtendedParameterCount); + NTSYSAPI NTSTATUS NTAPI @@ -9083,7 +9165,7 @@ NTAPI NtMapViewOfSection( _In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle, - _Inout_ PVOID *BaseAddress, + _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T CommitSize, _Inout_opt_ PLARGE_INTEGER SectionOffset, @@ -9092,22 +9174,12 @@ NtMapViewOfSection( _In_ ULONG AllocationType, _In_ ULONG Win32Protect); -NTSYSAPI -NTSTATUS -NTAPI -NtQuerySection( - _In_ HANDLE SectionHandle, - _In_ SECTION_INFORMATION_CLASS SectionInformationClass, - _Out_ PVOID SectionInformation, - _In_ SIZE_T SectionInformationLength, - _Out_opt_ PSIZE_T ReturnLength); - NTSYSAPI NTSTATUS NTAPI NtUnmapViewOfSection( _In_ HANDLE ProcessHandle, - _In_ PVOID BaseAddress); + _In_opt_ PVOID BaseAddress); NTSYSAPI NTSTATUS 
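Review bot: `NtCreateSectionEx` is declared as a plain `NTSYSAPI` import with no availability note, yet this export does not exist in the ntdll of Windows 7/8.1 (it looks like a Windows 10 RS5-era addition — verify); if any caller binds to it statically rather than via `GetProcAddress`, the loader binary will fail at process start on those systems with a missing-entry-point error, which for this project means the whole tool stops working there. I'd add `// Windows 10 only (RS5+, verify); resolve dynamically if the binary must still run on Win7/8.1` above the prototype, and the same caveat applies to the `_At_` annotation change on `NtMapViewOfSection`, which is harmless but the comment block copied from ph2 should say where it came from. The `MEM_EXECUTE_OPTION_*` flags look correct and `MEM_EXECUTE_OPTION_VALID_FLAGS` (0x3f) matches the six bits defined above it.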
@@ -9117,6 +9189,16 @@ NtUnmapViewOfSectionEx( _In_opt_ PVOID BaseAddress, _In_ ULONG Flags); +NTSYSAPI +NTSTATUS +NTAPI +NtQuerySection( + _In_ HANDLE SectionHandle, + _In_ SECTION_INFORMATION_CLASS SectionInformationClass, + _Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation, + _In_ SIZE_T SectionInformationLength, + _Out_opt_ PSIZE_T ReturnLength); + NTSYSAPI NTSTATUS NTAPI @@ -9156,6 +9238,13 @@ NtFreeUserPhysicalPages( _Inout_ PULONG_PTR NumberOfPages, _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray); +NTSYSAPI +NTSTATUS +NTAPI +NtAreMappedFilesTheSame( + _In_ PVOID File1MappedAsAnImage, + _In_ PVOID File2MappedAsFile); + NTSYSAPI NTSTATUS NTAPI @@ -9234,6 +9323,39 @@ NtAccessCheckByTypeResultList( _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus); +NTSYSAPI +NTSTATUS +NTAPI +NtOpenObjectAuditAlarm( + _In_ PUNICODE_STRING SubsystemName, + _In_opt_ PVOID HandleId, + _In_ PUNICODE_STRING ObjectTypeName, + _In_ PUNICODE_STRING ObjectName, + _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor, + _In_ HANDLE ClientToken, + _In_ ACCESS_MASK DesiredAccess, + _In_ ACCESS_MASK GrantedAccess, + _In_opt_ PPRIVILEGE_SET Privileges, + _In_ BOOLEAN ObjectCreation, + _In_ BOOLEAN AccessGranted, + _Out_ PBOOLEAN GenerateOnClose); + +NTSYSAPI +NTSTATUS +NTAPI +NtCloseObjectAuditAlarm( + _In_ PUNICODE_STRING SubsystemName, + _In_opt_ PVOID HandleId, + _In_ BOOLEAN GenerateOnClose); + +NTSYSAPI +NTSTATUS +NTAPI +NtDeleteObjectAuditAlarm( + _In_ PUNICODE_STRING SubsystemName, + _In_opt_ PVOID HandleId, + _In_ BOOLEAN GenerateOnClose); + NTSYSAPI NTSTATUS NTAPI 
@@ -9747,14 +9869,52 @@ NtTerminateJobObject( * ************************************************************************************/ +//taken from ph2 + +typedef enum _IO_SESSION_EVENT { + IoSessionEventIgnore, + IoSessionEventCreated, + IoSessionEventTerminated, + IoSessionEventConnected, + IoSessionEventDisconnected, + IoSessionEventLogon, + IoSessionEventLogoff, + IoSessionEventMax +} IO_SESSION_EVENT; + +typedef enum _IO_SESSION_STATE { + IoSessionStateCreated, + IoSessionStateInitialized, + IoSessionStateConnected, + IoSessionStateDisconnected, + IoSessionStateDisconnectedLoggedOn, + IoSessionStateLoggedOn, + IoSessionStateLoggedOff, + IoSessionStateTerminated, + IoSessionStateMax +} IO_SESSION_STATE; + NTSYSAPI -NTSTATUS -NTAPI +NTSTATUS +NTAPI NtOpenSession( _Out_ PHANDLE SessionHandle, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_ATTRIBUTES ObjectAttributes); +NTSYSAPI +NTSTATUS +NTAPI +NtNotifyChangeSession( + _In_ HANDLE SessionHandle, + _In_ ULONG ChangeSequenceNumber, + _In_ PLARGE_INTEGER ChangeTimeStamp, + _In_ IO_SESSION_EVENT Event, + _In_ IO_SESSION_STATE NewState, + _In_ IO_SESSION_STATE PreviousState, + _In_reads_bytes_opt_(PayloadSize) PVOID Payload, + _In_ ULONG PayloadSize); + /************************************************************************************ * * IO Completion API. 
@@ -10152,17 +10312,17 @@ NTSYSAPI NTSTATUS NTAPI NtCreateThreadEx( - _Out_ PHANDLE hThread, - _In_ ACCESS_MASK DesiredAccess, - _In_ LPVOID ObjectAttributes, - _In_ HANDLE ProcessHandle, - _In_ LPTHREAD_START_ROUTINE lpStartAddress, - _In_ LPVOID lpParameter, - _In_ BOOL CreateSuspended, - _In_ DWORD StackZeroBits, - _In_ DWORD SizeOfStackCommit, - _In_ DWORD SizeOfStackReserve, - _Out_ LPVOID lpBytesBuffer); + _Out_ PHANDLE ThreadHandle, + _In_ ACCESS_MASK DesiredAccess, + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, + _In_ HANDLE ProcessHandle, + _In_ PVOID StartRoutine, + _In_opt_ PVOID Argument, + _In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_* + _In_opt_ ULONG_PTR ZeroBits, + _In_opt_ SIZE_T StackSize, + _In_opt_ SIZE_T MaximumStackSize, + _In_opt_ PPS_ATTRIBUTE_LIST AttributeList); NTSYSAPI ULONG 
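Review bot: The corrected prototype changes the meaning of the 7th and 11th parameters, so every existing call site has to be audited, not just recompiled: `CreateFlags` is now a `THREAD_CREATE_FLAGS_*` bitmask rather than a `BOOL`, and `AttributeList` must be `NULL` or a real `PS_ATTRIBUTE_LIST` — a caller that still passes the old `lpBytesBuffer` scratch pointer would have that memory parsed by the kernel as an attribute list. `main.c` is touched in this same commit but its hunks are not in view here, so I cannot confirm the callers were updated; a one-line `// callers: pass THREAD_CREATE_FLAGS_* and NULL/PS_ATTRIBUTE_LIST, not BOOL/buffer` above the prototype would stop the next copy-paste from reintroducing the old shape. If `THREAD_CREATE_FLAGS_*` is not already defined in this header, the `//THREAD_CREATE_FLAGS_*` hint points at nothing.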
@@ -10305,6 +10465,77 @@ NtCreatePagingFile( * ************************************************************************************/ +typedef struct _PORT_VIEW { + ULONG Length; + HANDLE SectionHandle; + ULONG SectionOffset; + SIZE_T ViewSize; + PVOID ViewBase; + PVOID ViewRemoteBase; +} PORT_VIEW, *PPORT_VIEW; + +typedef struct _REMOTE_PORT_VIEW { + ULONG Length; + SIZE_T ViewSize; + PVOID ViewBase; +} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW; + +typedef struct _PORT_MESSAGE { + union { + struct { + CSHORT DataLength; + CSHORT TotalLength; + } s1; + ULONG Length; + } u1; + union { + struct { + CSHORT Type; + CSHORT DataInfoOffset; + } s2; + ULONG ZeroInit; + } u2; + union { + CLIENT_ID ClientId; + double DoNotUseThisField; // Force quadword alignment + } u3; + ULONG MessageId; + union { + ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message + ULONG CallbackId; // Only valid on LPC_REQUEST message + } u4; + UCHAR Reserved[8]; +} PORT_MESSAGE, *PPORT_MESSAGE; + +typedef struct _PORT_DATA_ENTRY { + PVOID Base; + ULONG Size; +} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY; + +typedef struct _PORT_DATA_INFORMATION { + ULONG CountDataEntries; + PORT_DATA_ENTRY DataEntries[1]; +} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION; + +#define LPC_REQUEST 1 +#define LPC_REPLY 2 +#define LPC_DATAGRAM 3 +#define LPC_LOST_REPLY 4 +#define LPC_PORT_CLOSED 5 +#define LPC_CLIENT_DIED 6 +#define LPC_EXCEPTION 7 +#define LPC_DEBUG_EVENT 8 +#define LPC_ERROR_EVENT 9 +#define LPC_CONNECTION_REQUEST 10 + +#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE) +#define PORT_MAXIMUM_MESSAGE_LENGTH 256 + +typedef struct _LPC_CLIENT_DIED_MSG { + PORT_MESSAGE PortMsg; + LARGE_INTEGER CreateTime; +} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG; + NTSYSAPI NTSTATUS NTAPI 
diff --git a/Source/Furutaka/resource.rc b/Source/Furutaka/resource.rc index 3246ea228d0c37936a1e8c83b65c82a9df20de4d..b3c1170d31b8c25e01ba3cc7c9c43177e6c7517a 100644 GIT binary patch delta 78 zcmX@4b4X`{4mYModules[0].ImageBase; RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace); - break; } return NtOsBase; } @@ -405,7 +404,7 @@ NTSTATUS NTAPI supEnumSystemObjects( * Return TRUE if the given object exists, FALSE otherwise. * */ -BOOL supIsObjectExists( +BOOLEAN supIsObjectExists( _In_ LPWSTR RootDirectory, _In_ LPWSTR ObjectName ) 
@@ -421,3 +420,187 @@ BOOL supIsObjectExists( return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param)); } + +/* +* supxStopServiceShowError +* +* Purpose: +* +* Display Function + LastError message for SCM part, Function limited to MAX_PATH. +* +*/ +VOID supxStopServiceShowError( + _In_ LPWSTR Function, + _In_ DWORD ErrorCode) +{ + WCHAR szMessage[300]; + + _strcpy(szMessage, TEXT("SCM: ")); + _strcat(szMessage, Function); + _strcat(szMessage, TEXT(" failed (")); + ultostr(ErrorCode, _strend(szMessage)); + _strcat(szMessage, TEXT(")")); + cuiPrintText(szMessage, TRUE); +} + +/* +* supStopVBoxService +* +* Purpose: +* +* Stop given VirtualBox service (unload kernel driver). +* +*/ +BOOLEAN supStopVBoxService( + _In_ SC_HANDLE schSCManager, + _In_ LPWSTR szSvcName //MAX_PATH limit +) +{ + BOOLEAN bResult = FALSE; + + SC_HANDLE schService; + SERVICE_STATUS_PROCESS ssp; + DWORD dwStartTime = GetTickCount(); + DWORD dwBytesNeeded; + DWORD dwTimeout = 30000; //30 seconds timeout for this proc. + DWORD dwWaitTime; + DWORD dwLastError; + + WCHAR szMessage[MAX_PATH * 2]; + + _strcpy(szMessage, TEXT("SCM: Attempt to stop ")); + _strcat(szMessage, szSvcName); + cuiPrintText(szMessage, TRUE); + + // + // Open service, if service does not exist consider this as success and leave. + // + schService = OpenService( + schSCManager, + szSvcName, + SERVICE_STOP | + SERVICE_QUERY_STATUS); + + if (schService == NULL) { + dwLastError = GetLastError(); + if (dwLastError == ERROR_SERVICE_DOES_NOT_EXIST) { + cuiPrintText(TEXT("SCM: Service does not exist, skip"), TRUE); + return TRUE; + } + else { + supxStopServiceShowError(TEXT("OpenService"), GetLastError()); + return FALSE; + } + } + + // + // Query service status. 
+ // + if (!QueryServiceStatusEx( + schService, + SC_STATUS_PROCESS_INFO, + (LPBYTE)&ssp, + sizeof(SERVICE_STATUS_PROCESS), + &dwBytesNeeded)) + { + supxStopServiceShowError(TEXT("QueryServiceStatusEx"), GetLastError()); + goto stop_cleanup; + } + + if (ssp.dwCurrentState == SERVICE_STOPPED) { + cuiPrintText(TEXT("SCM: Service is already stopped"), TRUE); + bResult = TRUE; + goto stop_cleanup; + } + + // + // If service already in stop pending state, wait a little. + // + while (ssp.dwCurrentState == SERVICE_STOP_PENDING) + { + cuiPrintText(TEXT("SCM: Service stop pending..."), TRUE); + + dwWaitTime = ssp.dwWaitHint / 10; + + if (dwWaitTime < 1000) + dwWaitTime = 1000; + else if (dwWaitTime > 10000) + dwWaitTime = 10000; + + Sleep(dwWaitTime); + + if (!QueryServiceStatusEx( + schService, + SC_STATUS_PROCESS_INFO, + (LPBYTE)&ssp, + sizeof(SERVICE_STATUS_PROCESS), + &dwBytesNeeded)) + { + supxStopServiceShowError(TEXT("QueryServiceStatusEx"), GetLastError()); + goto stop_cleanup; + } + + if (ssp.dwCurrentState == SERVICE_STOPPED) + { + cuiPrintText(TEXT("SCM: Service stopped successfully"), TRUE); + bResult = TRUE; + goto stop_cleanup; + } + + // + // 30 seconds execution timeout reached. + // + if (GetTickCount() - dwStartTime > dwTimeout) { + cuiPrintText(TEXT("SCM: Service stop timed out.\n"), TRUE); + goto stop_cleanup; + } + } + + // + // Stop service. + // + if (!ControlService( + schService, + SERVICE_CONTROL_STOP, + (LPSERVICE_STATUS)&ssp)) + { + supxStopServiceShowError(TEXT("ControlService"), GetLastError()); + goto stop_cleanup; + } + + // + // Check whatever we need to wait for service stop. 
+ // + while (ssp.dwCurrentState != SERVICE_STOPPED) + { + Sleep(ssp.dwWaitHint); + if (!QueryServiceStatusEx( + schService, + SC_STATUS_PROCESS_INFO, + (LPBYTE)&ssp, + sizeof(SERVICE_STATUS_PROCESS), + &dwBytesNeeded)) + { + supxStopServiceShowError(TEXT("QueryServiceStatusEx"), GetLastError()); + goto stop_cleanup; + } + + if (ssp.dwCurrentState == SERVICE_STOPPED) + break; + + // + // 30 seconds execution timeout reached. + // + if (GetTickCount() - dwStartTime > dwTimeout) { + cuiPrintText(TEXT("SCM: Wait timed out"), TRUE); + goto stop_cleanup; + } + } + cuiPrintText(TEXT("SCM: Service stopped successfully"), TRUE); + bResult = TRUE; + +stop_cleanup: + CloseServiceHandle(schService); + + return bResult; +} diff --git a/Source/Furutaka/sup.h b/Source/Furutaka/sup.h index 10bab5d..a08a2e6 100644 --- a/Source/Furutaka/sup.h +++ b/Source/Furutaka/sup.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2016 - 2017 +* (C) COPYRIGHT AUTHORS, 2016 - 2019 * * TITLE: SUP.H * -* VERSION: 1.10 +* VERSION: 1.15 * -* DATE: 17 Apr 2017 +* DATE: 19 Apr 2019 * * Common header file for the program support routines. * 
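Review bot: The second wait loop in `supStopVBoxService` sleeps for the raw `ssp.dwWaitHint` returned by the service, while the stop-pending loop above it clamps the same hint to 1–10 s; a service reporting `dwWaitHint == 0` turns this into a tight `QueryServiceStatusEx` spin for the remaining 30 s budget, and a hint larger than the budget overshoots the `dwTimeout` check entirely. I'd reuse the clamp so both loops behave the same (change below). Two smaller points: `szSvcName` is documented as "MAX_PATH limit" but nothing enforces it before the `_strcat` into `szMessage[MAX_PATH * 2]`, so a guard such as `if (_strlen(szSvcName) >= MAX_PATH) return FALSE;` would make the comment true (assuming minirtl provides `_strlen`), and the `OpenService` failure branch re-reads `GetLastError()` after already saving it in `dwLastError`, which should just pass `dwLastError`.
```c
    while (ssp.dwCurrentState != SERVICE_STOPPED)
    {
        // Same clamp as the stop-pending loop: the hint is supplied by the
        // service and may be 0 (busy spin) or far beyond the 30 s budget.
        dwWaitTime = ssp.dwWaitHint / 10;
        if (dwWaitTime < 1000)
            dwWaitTime = 1000;
        else if (dwWaitTime > 10000)
            dwWaitTime = 10000;
        Sleep(dwWaitTime);
        // … unchanged: QueryServiceStatusEx, SERVICE_STOPPED check, timeout check …
    }
```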
@@ -26,34 +26,32 @@ typedef struct _OBJSCANPARAM { } OBJSCANPARAM, *POBJSCANPARAM; ULONG_PTR supGetNtOsBase( - VOID -); + VOID); PVOID supGetSystemInfo( - _In_ SYSTEM_INFORMATION_CLASS InfoClass -); + _In_ SYSTEM_INFORMATION_CLASS InfoClass); PBYTE supQueryResourceData( _In_ ULONG_PTR ResourceId, _In_ PVOID DllHandle, - _In_ PULONG DataSize -); + _In_ PULONG DataSize); BOOL supBackupVBoxDrv( - _In_ BOOL bRestore -); + _In_ BOOL bRestore); SIZE_T supWriteBufferToFile( _In_ PWSTR lpFileName, _In_ PVOID Buffer, _In_ SIZE_T Size, _In_ BOOL Flush, - _In_ BOOL Append -); + _In_ BOOL Append); -BOOL supIsObjectExists( +BOOLEAN supIsObjectExists( _In_ LPWSTR RootDirectory, - _In_ LPWSTR ObjectName -); + _In_ LPWSTR ObjectName); + +BOOLEAN supStopVBoxService( + _In_ SC_HANDLE schSCManager, + _In_ LPWSTR szSvcName); #define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1) diff --git a/TDL.sha256 b/TDL.sha256 index 3679d0b..1a2753f 100644 --- a/TDL.sha256 +++ b/TDL.sha256 @@ -1,6 +1,6 @@ a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys -0d1e0c1e14b614ed3b156d0f43ed7cdb872cb5b967ed70c0ba501e3cbc2daca2 *Compiled\Furutaka.exe +f79353dc1489d7e4059acb948d9c4ad7e6f282e24371972e577bcde89fececcb *Compiled\Furutaka.exe 14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters 
@@ -18,17 +18,17 @@ f0732da25aa6b0a64eb0ebfc730c0902ed6fd1cc51f43f66813adbc5283de6ec *Source\DummyDr 24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln fa3af80e10c1824e99fcf2e4d5cec3cb4974d1eb35035f5a62fac67a44170c68 *Source\Furutaka\Furutaka.vcxproj b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters -fc708eb26d32a785ab15f502140928985a1bd0113c0c9640eb25d6f2e0b4e7cd *Source\Furutaka\Furutaka.vcxproj.user +feebf1c788d97bd616267c136e88fdf21f4ba09f528507cdf8a2659d1dd0a8cd *Source\Furutaka\Furutaka.vcxproj.user 4b16411f96538d38f05b5d949710ace54839d4a9aee9dcc2a61a4b2f4dbfc9cc *Source\Furutaka\global.h 94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c 33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h -64a8028d51454e2c831a81b68fcaf7348653830c010fb190451028c302f0574e *Source\Furutaka\main.c -d0debd4f7db2ef941f0b02e9d7d1b85d873f0a01dcb4537b5e112c68443aaaa6 *Source\Furutaka\ntos.h +5b074150fd30a7552ab5dfbcd8cdb49c0fbada91b20c4cafe6331120f761a395 *Source\Furutaka\main.c +5b0b4376df8fb5b43d8a0d4130ad3523d4325718ea4991d11498961f33e7e38d *Source\Furutaka\ntos.h fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h -530c157ddb971692aacd0252694a8a752f95c1759f6d8ae468477e0676a37d08 *Source\Furutaka\resource.rc +140441e10f8ff80be91ed5d1fa30cd099bb6e02b97434926d14048006bdaec8f *Source\Furutaka\resource.rc 6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h -fe4cf565002d1b4a33b5f5fb81c656141f6bc758c94d861391e93a089515cbf8 *Source\Furutaka\sup.c -059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h +109d895924e1b581ad42374b7bf0307fe62ab352f7dee082161f9066e3778d5d *Source\Furutaka\sup.c +526bb1070e50c733ae931ea4bfb48d8aba0b1efbd2818818d2af2b6d160b5673 *Source\Furutaka\sup.h 
12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Furutaka\minirtl\cmdline.c From d2431f60db684de5707c9e108c17330aa7a723e3 Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Sat, 20 Apr 2019 01:19:55 +0700 Subject: [PATCH 2/2] Update TDLStartVulnerableDriver unload order Move VBoxUsbMon unload prior to network drivers. --- Compiled/Furutaka.exe | Bin 133632 -> 133632 bytes Source/Furutaka/main.c | 10 +++++----- TDL.sha256 | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Compiled/Furutaka.exe b/Compiled/Furutaka.exe index 61dddbff1e04b47c19112b45cdc612f70c5daee5..edb7c837535e6ae115716476cfc1bdc137ca23b4 100644 GIT binary patch delta 64 zcmZpe!qG5=V*>{x^B(?PlermvndB5VM=@?IpUhDuFj=80VRAzyAFm@r3PS+{6ik+` PeA?VlwY{N=v7sLTbKMh~ delta 70 zcmZpe!qG5=V*>{x^P`BJlermvnVhpWM=@?IpWIO?FnK}cgUJn*9KxXt!3<6ez6|*c Vc??i6S-LW{xuI%%Llt8~KLA237IOdq diff --git a/Source/Furutaka/main.c b/Source/Furutaka/main.c index aa6fab3..71f1fe2 100644 --- a/Source/Furutaka/main.c +++ b/Source/Furutaka/main.c @@ -533,6 +533,11 @@ HANDLE TDLStartVulnerableDriver( cuiPrintText(TEXT("Ldr: Active VirtualBox found in system, attempt stop (unload) it drivers"), TRUE); + if (!supStopVBoxService(schSCManager, VBOXUSBMON_SVC)) { + cuiPrintText(TEXT("SCM: Error stopping VBoxUSBMon, cannot continue"), TRUE); + break; + } + if (!supStopVBoxService(schSCManager, VBOXNETADP_SVC)) { cuiPrintText(TEXT("SCM: Error stopping VBoxNetAdp, cannot continue"), TRUE); break; @@ -543,11 +548,6 @@ HANDLE TDLStartVulnerableDriver( break; } - if (!supStopVBoxService(schSCManager, VBOXUSBMON_SVC)) { - cuiPrintText(TEXT("SCM: Error stopping VBoxUSBMon, cannot continue"), TRUE); - break; - } - Sleep(1000); if (!supStopVBoxService(schSCManager, VBoxDrvSvc)) { 
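Review bot: The stop order in `TDLStartVulnerableDriver` is now load-bearing (this is the second reshuffle in two commits), but nothing in the code says why VBoxUSBMon must go before the two network drivers and all three before `VBoxDrvSvc`, so the next edit can silently break it again. I'd add `// Order matters: VBoxUSBMon, VBoxNetAdp and VBoxNetLwf hold references to VBoxDrv, so they must be stopped before VBoxDrv itself; stopping VBoxDrv first fails while dependents are running` above the first `supStopVBoxService` call, hedged as "presumably" if the exact dependency chain has not been confirmed. A more robust alternative would be to enumerate dependents with `EnumDependentServices` on the VBoxDrv service and stop them in the returned order instead of hard-coding names, which would also remove the need for the fixed `Sleep(1000)`. The enclosing function starts before this hunk and continues past it.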
diff --git a/TDL.sha256 b/TDL.sha256 index 1a2753f..f2e1bd0 100644 --- a/TDL.sha256 +++ b/TDL.sha256 @@ -1,6 +1,6 @@ a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys -f79353dc1489d7e4059acb948d9c4ad7e6f282e24371972e577bcde89fececcb *Compiled\Furutaka.exe +37805cc7ae226647753aca1a32d7106d804556a98e1a21ac324e5b880b9a04da *Compiled\Furutaka.exe 14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters @@ -22,7 +22,7 @@ feebf1c788d97bd616267c136e88fdf21f4ba09f528507cdf8a2659d1dd0a8cd *Source\Furutak 4b16411f96538d38f05b5d949710ace54839d4a9aee9dcc2a61a4b2f4dbfc9cc *Source\Furutaka\global.h 94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c 33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h -5b074150fd30a7552ab5dfbcd8cdb49c0fbada91b20c4cafe6331120f761a395 *Source\Furutaka\main.c +2525f63ec3f9fb008edaffb7ff7f970d6777ddaf8511f60a95326f60f6ed80f0 *Source\Furutaka\main.c 5b0b4376df8fb5b43d8a0d4130ad3523d4325718ea4991d11498961f33e7e38d *Source\Furutaka\ntos.h fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h 140441e10f8ff80be91ed5d1fa30cd099bb6e02b97434926d14048006bdaec8f *Source\Furutaka\resource.rc