nopriest
/
TDL
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #33 from hfiref0x/dev115 

v 1.1.5
This commit is contained in:
hfiref0x 2019-04-20 01:22:26 +07:00 committed by GitHub
parent 8cb23174a1 d2431f60db
commit cc4b46ae1c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 615 additions and 254 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Compiled/Furutaka.exe
View File

Binary file not shown.

2
Source/Furutaka/Furutaka.vcxproj.user
View File

@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> <Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>C:\MAKEEXE\TurlaDriverLoader\Loader\drv\Tsugumi.sys</LocalDebuggerCommandArguments> <LocalDebuggerCommandArguments>C:\MAKEEXE\TDL\Furutaka\drv\dummy.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup> </PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">

123
Source/Furutaka/main.c
View File

@ -4,9 +4,9 @@
* *
* TITLE: MAIN.C * TITLE: MAIN.C
* *
* VERSION: 1.14 * VERSION: 1.15
* *
* DATE: 05 Jan 2019 * DATE: 19 Apr 2019
* *
* Furutaka entry point. * Furutaka entry point.
* *
@ -36,11 +36,11 @@ ULONG g_NtBuildNumber = 0;
#define supImageName "furutaka" #define supImageName "furutaka"
#define supImageHandle 0x1a000 #define supImageHandle 0x1a000
#define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.4 (05/01/19)") #define T_LOADERTITLE TEXT("Turla Driver Loader v1.1.5 (19/04/19)")
#define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n") #define T_LOADERUNSUP TEXT("Unsupported WinNT version\r\n")
#define T_LOADERRUN TEXT("Another instance running, close it before\r\n") #define T_LOADERRUN TEXT("Another instance running, close it before\r\n")
#define T_LOADERUSAGE TEXT("Usage: loader DriverToLoad\n\re.g. loader mydrv.sys\r\n") #define T_LOADERUSAGE TEXT("Usage: loader DriverToLoad\n\re.g. loader mydrv.sys\r\n")
#define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.4 started\r\n(c) 2016 - 2019 TDL Project\r\nSupported x64 OS : 7 and above\r\n") #define T_LOADERINTRO TEXT("Turla Driver Loader v1.1.5 started\r\n(c) 2016 - 2019 TDL Project\r\nSupported x64 OS : 7 and above\r\n")
#define T_VBOXDETECT TEXT("Ldr: Detected VirtualBox software installation, driver backup will be done") #define T_VBOXDETECT TEXT("Ldr: Detected VirtualBox software installation, driver backup will be done")
/* /*
@ -71,62 +71,6 @@ BOOL TDLVBoxInstalled(
return bPresent; return bPresent;
} }
/*
* TDLRelocImage
*
* Purpose:
*
* Process image relocs.
*
*/
void TDLRelocImage(
_In_ ULONG_PTR Image,
_In_ ULONG_PTR NewImageBase
)
{
PIMAGE_OPTIONAL_HEADER popth;
PIMAGE_BASE_RELOCATION rel;
DWORD_PTR delta;
LPWORD chains;
DWORD c, p, rsz;
popth = &RtlImageNtHeader((PVOID)Image)->OptionalHeader;
if (popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC)
if (popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0)
{
rel = (PIMAGE_BASE_RELOCATION)((PBYTE)Image +
popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
delta = (DWORD_PTR)NewImageBase - popth->ImageBase;
c = 0;
while (c < rsz) {
p = sizeof(IMAGE_BASE_RELOCATION);
chains = (LPWORD)((PBYTE)rel + p);
while (p < rel->SizeOfBlock) {
switch (*chains >> 12) {
case IMAGE_REL_BASED_HIGHLOW:
*(LPDWORD)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += (DWORD)delta;
break;
case IMAGE_REL_BASED_DIR64:
*(PULONGLONG)((ULONG_PTR)Image + rel->VirtualAddress + (*chains & 0x0fff)) += delta;
break;
}
chains++;
p += sizeof(WORD);
}
c += rel->SizeOfBlock;
rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock);
}
}
}
/* /*
* TDLGetProcAddress * TDLGetProcAddress
* *
@ -539,6 +483,10 @@ UINT TDLMapDriver(
return result; return result;
} }
#define VBOXNETADP_SVC L"VBoxNetAdp"
#define VBOXNETLWF_SVC L"VBoxNetLwf"
#define VBOXUSBMON_SVC L"VBoxUSBMon"
/* /*
* TDLStartVulnerableDriver * TDLStartVulnerableDriver
* *
@ -554,12 +502,16 @@ HANDLE TDLStartVulnerableDriver(
PBYTE DrvBuffer; PBYTE DrvBuffer;
ULONG DataSize = 0, bytesIO; ULONG DataSize = 0, bytesIO;
HANDLE hDevice = INVALID_HANDLE_VALUE; HANDLE hDevice = INVALID_HANDLE_VALUE;
WCHAR szDriverFileName[MAX_PATH * 2];
SC_HANDLE schSCManager = NULL; SC_HANDLE schSCManager = NULL;
LPWSTR msg; LPWSTR msg;
WCHAR szDriverFileName[MAX_PATH * 2];
DrvBuffer = supQueryResourceData(1, g_hInstance, &DataSize); DrvBuffer = supQueryResourceData(1, g_hInstance, &DataSize);
while (DrvBuffer != NULL) { if (DrvBuffer == NULL)
return INVALID_HANDLE_VALUE;
do {
//lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere. //lets give scm nice looking path so this piece of shit code from early 90x wont fuckup somewhere.
RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName)); RtlSecureZeroMemory(szDriverFileName, sizeof(szDriverFileName));
@ -568,43 +520,41 @@ HANDLE TDLStartVulnerableDriver(
break; break;
} }
schSCManager = OpenSCManager(NULL, schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
NULL,
SC_MANAGER_ALL_ACCESS
);
if (schSCManager == NULL) { if (schSCManager == NULL) {
cuiPrintText(TEXT("Ldr: Error opening SCM database"), TRUE); cuiPrintText(TEXT("Ldr: Error opening SCM database"), TRUE);
break; break;
} }
//lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive //
if (supIsObjectExists(L"\\Device", L"VBoxDrv")) { // Lookup main vbox driver device, if found, try to unload all possible, unload order is sensitive
//
if (supIsObjectExists(L"\\Device", VBoxDrvSvc)) {
cuiPrintText(TEXT("Ldr: Active VirtualBox found in system, attempt unload it"), TRUE); cuiPrintText(TEXT("Ldr: Active VirtualBox found in system, attempt stop (unload) it drivers"), TRUE);
if (scmStopDriver(schSCManager, TEXT("VBoxNetAdp"))) {
cuiPrintText(TEXT("SCM: VBoxNetAdp driver unloaded"), TRUE);
if (!supStopVBoxService(schSCManager, VBOXUSBMON_SVC)) {
cuiPrintText(TEXT("SCM: Error stopping VBoxUSBMon, cannot continue"), TRUE);
break;
} }
if (scmStopDriver(schSCManager, TEXT("VBoxNetLwf"))) {
cuiPrintText(TEXT("SCM: VBoxNetLwf driver unloaded"), TRUE);
if (!supStopVBoxService(schSCManager, VBOXNETADP_SVC)) {
cuiPrintText(TEXT("SCM: Error stopping VBoxNetAdp, cannot continue"), TRUE);
break;
} }
if (scmStopDriver(schSCManager, TEXT("VBoxUSBMon"))) {
cuiPrintText(TEXT("SCM: VBoxUSBMon driver unloaded"), TRUE);
if (!supStopVBoxService(schSCManager, VBOXNETLWF_SVC)) {
cuiPrintText(TEXT("SCM: Error stopping VBoxNetLwf, cannot continue"), TRUE);
break;
} }
Sleep(1000); Sleep(1000);
if (scmStopDriver(schSCManager, TEXT("VBoxDrv"))) { if (!supStopVBoxService(schSCManager, VBoxDrvSvc)) {
cuiPrintText(TEXT("SCM: Error stopping VBoxDrv, cannot continue"), TRUE);
cuiPrintText(TEXT("SCM: VBoxDrv driver unloaded"), TRUE); break;
} }
} }
// //
@ -649,8 +599,8 @@ HANDLE TDLStartVulnerableDriver(
} }
cuiPrintText(msg, TRUE); cuiPrintText(msg, TRUE);
break;
} } while (FALSE);
//post cleanup //post cleanup
if (schSCManager != NULL) { if (schSCManager != NULL) {
@ -783,7 +733,6 @@ UINT TDLProcessCommandLine(
void TDLMain() void TDLMain()
{ {
BOOL cond = FALSE;
UINT uResult = 0; UINT uResult = 0;
LONG x; LONG x;
OSVERSIONINFO osv; OSVERSIONINFO osv;
@ -837,7 +786,7 @@ void TDLMain()
uResult = TDLProcessCommandLine(GetCommandLine()); uResult = TDLProcessCommandLine(GetCommandLine());
} while (cond); } while (FALSE);
InterlockedDecrement((PLONG)&g_lApplicationInstances); InterlockedDecrement((PLONG)&g_lApplicationInstances);
ExitProcess(uResult); ExitProcess(uResult);

507
Source/Furutaka/ntos.h
View File

@ -1,12 +1,12 @@
/************************************************************************************ /************************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2015 - 2018, translated from Microsoft sources/debugger * (C) COPYRIGHT AUTHORS, 2015 - 2019, translated from Microsoft sources/debugger
* *
* TITLE: NTOS.H * TITLE: NTOS.H
* *
* VERSION: 1.98 * VERSION: 1.111
* *
* DATE: 28 Dec 2018 * DATE: 30 Mar 2019
* *
* Common header file for the ntos API functions and definitions. * Common header file for the ntos API functions and definitions.
* *
@ -28,6 +28,7 @@
#ifndef NTOS_RTL #ifndef NTOS_RTL
#define NTOS_RTL #define NTOS_RTL
// //
// NTOS_RTL HEADER BEGIN // NTOS_RTL HEADER BEGIN
// //
@ -39,6 +40,7 @@ extern "C" {
#pragma comment(lib, "ntdll.lib") #pragma comment(lib, "ntdll.lib")
#pragma warning(push) #pragma warning(push)
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
#pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int #pragma warning(disable: 4214) // nonstandard extension used : bit field types other than int
#ifndef PAGE_SIZE #ifndef PAGE_SIZE
@ -78,6 +80,19 @@ typedef unsigned char UCHAR;
typedef CCHAR KPROCESSOR_MODE; typedef CCHAR KPROCESSOR_MODE;
typedef UCHAR KIRQL; typedef UCHAR KIRQL;
typedef KIRQL *PKIRQL; typedef KIRQL *PKIRQL;
typedef ULONG CLONG;
typedef LONG KPRIORITY;
typedef short CSHORT;
typedef ULONGLONG REGHANDLE, *PREGHANDLE;
typedef PVOID *PDEVICE_MAP;
typedef PVOID PHEAD;
#ifndef _WIN32_WINNT_WIN10
#define _WIN32_WINNT_WIN10 0x0A00
#endif
#if (_WIN32_WINNT < _WIN32_WINNT_WIN10)
typedef PVOID PMEM_EXTENDED_PARAMETER;
#endif
#ifndef IN_REGION #ifndef IN_REGION
#define IN_REGION(x, Base, Size) (((ULONG_PTR)(x) >= (ULONG_PTR)(Base)) && \ #define IN_REGION(x, Base, Size) (((ULONG_PTR)(x) >= (ULONG_PTR)(Base)) && \
@ -163,26 +178,26 @@ char _RTL_CONSTANT_STRING_type_check(const void *s);
} }
#endif #endif
#ifndef RTL_CONSTANT_OBJECT_ATTRIBUTES
#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \ #define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \
{ sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL } { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL }
#endif
// This synonym is more appropriate for initializing what isn't actually const. // This synonym is more appropriate for initializing what isn't actually const.
#ifndef RTL_INIT_OBJECT_ATTRIBUTES
#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
#endif
// //
// ntdef.h end // ntdef.h end
// //
#ifndef RtlOffsetToPointer
#define RtlOffsetToPointer(Base, Offset) ((PCHAR)( ((PCHAR)(Base)) + ((ULONG_PTR)(Offset)) )) #define RtlOffsetToPointer(Base, Offset) ((PCHAR)( ((PCHAR)(Base)) + ((ULONG_PTR)(Offset)) ))
#endif
#ifndef RtlPointerToOffset
#define RtlPointerToOffset(Base, Pointer) ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base)) )) #define RtlPointerToOffset(Base, Pointer) ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base)) ))
#endif
typedef ULONG CLONG;
typedef LONG KPRIORITY;
typedef short CSHORT;
typedef ULONGLONG REGHANDLE, *PREGHANDLE;
typedef PVOID *PDEVICE_MAP;
typedef PVOID PHEAD;
// //
// Valid values for the OBJECT_ATTRIBUTES.Attributes field // Valid values for the OBJECT_ATTRIBUTES.Attributes field
@ -203,6 +218,21 @@ typedef PVOID PHEAD;
#define CALLBACK_MODIFY_STATE 0x0001 #define CALLBACK_MODIFY_STATE 0x0001
#define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE ) #define CALLBACK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE|CALLBACK_MODIFY_STATE )
//
// CompositionSurface Access Rights
//
#ifndef COMPOSITIONSURFACE_READ
#define COMPOSITIONSURFACE_READ 0x0001L
#endif
#ifndef COMPOSITIONSURFACE_WRITE
#define COMPOSITIONSURFACE_WRITE 0x0002L
#endif
#ifndef COMPOSITIONSURFACE_ALL_ACCESS
#define COMPOSITIONSURFACE_ALL_ACCESS (COMPOSITIONSURFACE_READ | COMPOSITIONSURFACE_WRITE)
#endif
// //
// Debug Object Access Rights // Debug Object Access Rights
// //
@ -286,22 +316,22 @@ typedef PVOID PHEAD;
// //
#define THREAD_ALERT (0x0004) #define THREAD_ALERT (0x0004)
#define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001 #define THREAD_CREATE_FLAGS_CREATE_SUSPENDED 0x00000001
#define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002 #define THREAD_CREATE_FLAGS_SKIP_THREAD_ATTACH 0x00000002
#define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004 #define THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER 0x00000004
#define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010 #define THREAD_CREATE_FLAGS_HAS_SECURITY_DESCRIPTOR 0x00000010
#define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020 #define THREAD_CREATE_FLAGS_ACCESS_CHECK_IN_TARGET 0x00000020
#define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080 #define THREAD_CREATE_FLAGS_INITIAL_THREAD 0x00000080
// //
// Worker Factory Object Access Rights // Worker Factory Object Access Rights
// //
#define WORKER_FACTORY_RELEASE_WORKER 0x0001 #define WORKER_FACTORY_RELEASE_WORKER 0x0001
#define WORKER_FACTORY_WAIT 0x0002 #define WORKER_FACTORY_WAIT 0x0002
#define WORKER_FACTORY_SET_INFORMATION 0x0004 #define WORKER_FACTORY_SET_INFORMATION 0x0004
#define WORKER_FACTORY_QUERY_INFORMATION 0x0008 #define WORKER_FACTORY_QUERY_INFORMATION 0x0008
#define WORKER_FACTORY_READY_WORKER 0x0010 #define WORKER_FACTORY_READY_WORKER 0x0010
#define WORKER_FACTORY_SHUTDOWN 0x0020 #define WORKER_FACTORY_SHUTDOWN 0x0020
#define WORKER_FACTORY_ALL_ACCESS ( \ #define WORKER_FACTORY_ALL_ACCESS ( \
STANDARD_RIGHTS_REQUIRED | \ STANDARD_RIGHTS_REQUIRED | \
@ -334,6 +364,7 @@ typedef PVOID PHEAD;
#define TRACELOG_CREATE_INPROC 0x0200 #define TRACELOG_CREATE_INPROC 0x0200
#define TRACELOG_ACCESS_REALTIME 0x0400 #define TRACELOG_ACCESS_REALTIME 0x0400
#define TRACELOG_REGISTER_GUIDS 0x0800 #define TRACELOG_REGISTER_GUIDS 0x0800
#define TRACELOG_JOIN_GROUP 0x1000
// //
// Memory Partition Object Access Rights // Memory Partition Object Access Rights
@ -361,14 +392,22 @@ typedef PVOID PHEAD;
// //
// Define special ByteOffset parameters for read and write operations // Define special ByteOffset parameters for read and write operations
// //
#ifndef FILE_WRITE_TO_END_OF_FILE
#define FILE_WRITE_TO_END_OF_FILE 0xffffffff #define FILE_WRITE_TO_END_OF_FILE 0xffffffff
#endif
#ifndef FILE_USE_FILE_POINTER_POSITION
#define FILE_USE_FILE_POINTER_POSITION 0xfffffffe #define FILE_USE_FILE_POINTER_POSITION 0xfffffffe
#endif
// //
// This is the maximum MaximumLength for a UNICODE_STRING. // This is the maximum MaximumLength for a UNICODE_STRING.
// //
#ifndef MAXUSHORT
#define MAXUSHORT 0xffff #define MAXUSHORT 0xffff
#endif
#ifndef MAX_USTRING
#define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) ) #define MAX_USTRING ( sizeof(WCHAR) * (MAXUSHORT/sizeof(WCHAR)) )
#endif
typedef struct _EX_RUNDOWN_REF { typedef struct _EX_RUNDOWN_REF {
union union
@ -400,8 +439,7 @@ typedef struct _UNICODE_STRING {
USHORT Length; USHORT Length;
USHORT MaximumLength; USHORT MaximumLength;
PWSTR Buffer; PWSTR Buffer;
} UNICODE_STRING; } UNICODE_STRING, *PUNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING; typedef const UNICODE_STRING *PCUNICODE_STRING;
#ifndef STATIC_UNICODE_STRING #ifndef STATIC_UNICODE_STRING
@ -524,7 +562,7 @@ typedef enum _KWAIT_REASON {
WrDelayExecution, WrDelayExecution,
WrSuspended, WrSuspended,
WrUserRequest, WrUserRequest,
WrEventPair, WrEventPair, //has no effect after 7
WrQueue, WrQueue,
WrLpcReceive, WrLpcReceive,
WrLpcReply, WrLpcReply,
@ -549,6 +587,7 @@ typedef enum _KWAIT_REASON {
WrRundown, WrRundown,
WrAlertByThreadId, WrAlertByThreadId,
WrDeferredPreempt, WrDeferredPreempt,
WrPhysicalFault,
MaximumWaitReason MaximumWaitReason
} KWAIT_REASON; } KWAIT_REASON;
@ -982,6 +1021,18 @@ typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION {
PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1]; PROCESS_HANDLE_TABLE_ENTRY_INFO Handles[1];
} PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION; } PROCESS_HANDLE_SNAPSHOT_INFORMATION, *PPROCESS_HANDLE_SNAPSHOT_INFORMATION;
//
// Process/Thread System and User Time
// NtQueryInformationProcess using ProcessTimes
// NtQueryInformationThread using ThreadTimes
//
typedef struct _KERNEL_USER_TIMES {
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
} KERNEL_USER_TIMES, *PKERNEL_USER_TIMES;
typedef enum _PS_MITIGATION_OPTION { typedef enum _PS_MITIGATION_OPTION {
PS_MITIGATION_OPTION_NX, PS_MITIGATION_OPTION_NX,
PS_MITIGATION_OPTION_SEHOP, PS_MITIGATION_OPTION_SEHOP,
@ -3190,10 +3241,10 @@ typedef struct _OBJECT_TYPE_RS2 {
*/ */
typedef struct _OBJECT_HEADER { typedef struct _OBJECT_HEADER {
LONG PointerCount; LONG_PTR PointerCount;
union union
{ {
LONG HandleCount; LONG_PTR HandleCount;
PVOID NextToFree; PVOID NextToFree;
}; };
EX_PUSH_LOCK Lock; EX_PUSH_LOCK Lock;
@ -5072,88 +5123,6 @@ __inline struct _PEB * NtCurrentPeb() { return NtCurrentTeb()->ProcessEnvironmen
** PEB/TEB END ** PEB/TEB END
*/ */
/*
** ALPC START
*/
typedef struct _PORT_MESSAGE {
union {
struct {
CSHORT DataLength;
CSHORT TotalLength;
} s1;
ULONG Length;
} u1;
union {
struct {
CSHORT Type;
CSHORT DataInfoOffset;
} s2;
ULONG ZeroInit;
} u2;
union {
CLIENT_ID ClientId;
double DoNotUseThisField; // Force quadword alignment
} u3;
ULONG MessageId;
union {
ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message
ULONG CallbackId; // Only valid on LPC_REQUEST message
} u4;
UCHAR Reserved[8];
} PORT_MESSAGE, *PPORT_MESSAGE;
// end_ntsrv
typedef struct _PORT_DATA_ENTRY {
PVOID Base;
ULONG Size;
} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
typedef struct _PORT_DATA_INFORMATION {
ULONG CountDataEntries;
PORT_DATA_ENTRY DataEntries[1];
} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
#define LPC_REQUEST 1
#define LPC_REPLY 2
#define LPC_DATAGRAM 3
#define LPC_LOST_REPLY 4
#define LPC_PORT_CLOSED 5
#define LPC_CLIENT_DIED 6
#define LPC_EXCEPTION 7
#define LPC_DEBUG_EVENT 8
#define LPC_ERROR_EVENT 9
#define LPC_CONNECTION_REQUEST 10
#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)
#define PORT_MAXIMUM_MESSAGE_LENGTH 256
typedef struct _LPC_CLIENT_DIED_MSG {
PORT_MESSAGE PortMsg;
LARGE_INTEGER CreateTime;
} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
//#pragma pack(push, 1)
typedef struct _PORT_VIEW {
ULONG Length;
HANDLE SectionHandle;
ULONG SectionOffset;
SIZE_T ViewSize;
PVOID ViewBase;
PVOID ViewRemoteBase;
} PORT_VIEW, *PPORT_VIEW;
typedef struct _REMOTE_PORT_VIEW {
ULONG Length;
SIZE_T ViewSize;
PVOID ViewBase;
} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
//#pragma pack(pop)
/*
** ALPC END
*/
/* /*
** MITIGATION POLICY START ** MITIGATION POLICY START
*/ */
@ -5283,13 +5252,37 @@ typedef struct tagPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 {
} DUMMYUNIONNAME; } DUMMYUNIONNAME;
} PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10; } PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10, *PPROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10;
typedef struct _PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 {
union {
DWORD Flags;
struct {
DWORD SmtBranchTargetIsolation : 1;
DWORD IsolateSecurityDomain : 1;
DWORD DisablePageCombine : 1;
DWORD SpeculativeStoreBypassDisable : 1;
DWORD ReservedFlags : 28;
} DUMMYSTRUCTNAME;
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10, *PPROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10;
typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 {
union {
DWORD Flags;
struct {
DWORD DisallowWin32kSystemCalls : 1;
DWORD AuditDisallowWin32kSystemCalls : 1;
DWORD ReservedFlags : 30;
} DUMMYSTRUCTNAME;
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10;
typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION { typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
PROCESS_MITIGATION_POLICY Policy; PROCESS_MITIGATION_POLICY Policy;
union union
{ {
PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy; PROCESS_MITIGATION_ASLR_POLICY ASLRPolicy;
PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy; PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY StrictHandleCheckPolicy;
PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY SystemCallDisablePolicy; PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY_W10 SystemCallDisablePolicy;
PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy; PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY ExtensionPointDisablePolicy;
PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 DynamicCodePolicy; PROCESS_MITIGATION_DYNAMIC_CODE_POLICY_W10 DynamicCodePolicy;
PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 ControlFlowGuardPolicy; PROCESS_MITIGATION_CONTROL_FLOW_GUARD_POLICY_W10 ControlFlowGuardPolicy;
@ -5299,6 +5292,7 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 SystemCallFilterPolicy; PROCESS_MITIGATION_SYSTEM_CALL_FILTER_POLICY_W10 SystemCallFilterPolicy;
PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 PayloadRestrictionPolicy; PROCESS_MITIGATION_PAYLOAD_RESTRICTION_POLICY_W10 PayloadRestrictionPolicy;
PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy; PROCESS_MITIGATION_CHILD_PROCESS_POLICY_W10 ChildProcessPolicy;
PROCESS_MITIGATION_SIDE_CHANNEL_ISOLATION_POLICY_W10 SideChannelIsolationPolicy;
}; };
} PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION; } PROCESS_MITIGATION_POLICY_INFORMATION, *PPROCESS_MITIGATION_POLICY_INFORMATION;
@ -5592,6 +5586,32 @@ typedef struct _ESERVERSILO_GLOBALS {
/* /*
** LDR START ** LDR START
*/ */
//
// Dll Characteristics for LdrLoadDll
//
#define LDR_IGNORE_CODE_AUTHZ_LEVEL 0x00001000
//
// LdrAddRef Flags
//
#define LDR_ADDREF_DLL_PIN 0x00000001
//
// LdrLockLoaderLock Flags
//
#define LDR_LOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
#define LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY 0x00000002
//
// LdrUnlockLoaderLock Flags
//
#define LDR_UNLOCK_LOADER_LOCK_FLAG_RAISE_ON_ERRORS 0x00000001
//
// LdrGetDllHandleEx Flags
//
#define LDR_GET_DLL_HANDLE_EX_UNCHANGED_REFCOUNT 0x00000001
#define LDR_GET_DLL_HANDLE_EX_PIN 0x00000002
typedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)( typedef VOID(NTAPI *PLDR_LOADED_MODULE_ENUMERATION_CALLBACK_FUNCTION)(
_In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry, _In_ PCLDR_DATA_TABLE_ENTRY DataTableEntry,
@ -5961,6 +5981,9 @@ CsrClientConnectToServer(
* *
************************************************************************************/ ************************************************************************************/
#define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (0x00000001)
#define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (0x00000002)
#ifndef RtlInitEmptyUnicodeString #ifndef RtlInitEmptyUnicodeString
#define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \ #define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \
((_ucStr)->Buffer = (_buf), \ ((_ucStr)->Buffer = (_buf), \
@ -8633,6 +8656,41 @@ NtDeletePrivateNamespace(
* *
************************************************************************************/ ************************************************************************************/
typedef struct _OBJECT_SYMBOLIC_LINK_V1 { //pre Win10 TH1
LARGE_INTEGER CreationTime;
UNICODE_STRING LinkTarget;
ULONG DosDeviceDriveIndex;
} OBJECT_SYMBOLIC_LINK_V1, *POBJECT_SYMBOLIC_LINK_V1;
typedef struct _OBJECT_SYMBOLIC_LINK_V2 { //Win10 TH1/TH2
LARGE_INTEGER CreationTime;
UNICODE_STRING LinkTarget;
ULONG DosDeviceDriveIndex;
ULONG Flags;
} OBJECT_SYMBOLIC_LINK_V2, *POBJECT_SYMBOLIC_LINK_V2;
typedef struct _OBJECT_SYMBOLIC_LINK_V3 { //Win10 RS1
LARGE_INTEGER CreationTime;
UNICODE_STRING LinkTarget;
ULONG DosDeviceDriveIndex;
ULONG Flags;
ULONG AccessMask;
} OBJECT_SYMBOLIC_LINK_V3, *POBJECT_SYMBOLIC_LINK_V3;
typedef struct _OBJECT_SYMBOLIC_LINK_V4 { //Win10 RS2+
LARGE_INTEGER CreationTime;
union {
UNICODE_STRING LinkTarget;
struct {
PVOID Callback;
PVOID CallbackContext;
};
} u1;
ULONG DosDeviceDriveIndex;
ULONG Flags;
ULONG AccessMask;
} OBJECT_SYMBOLIC_LINK_V4, *POBJECT_SYMBOLIC_LINK_V4;
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
@ -8712,7 +8770,7 @@ NtCreateMailslotFile(
_In_ ULONG MaximumMessageSize, _In_ ULONG MaximumMessageSize,
_In_ PLARGE_INTEGER ReadTimeout); _In_ PLARGE_INTEGER ReadTimeout);
NTSYSCALLAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
NtDeviceIoControlFile( NtDeviceIoControlFile(
@ -8984,7 +9042,8 @@ NtLoadDriver(
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NtUnloadDriver( NTAPI
NtUnloadDriver(
_In_ PUNICODE_STRING DriverServiceName); _In_ PUNICODE_STRING DriverServiceName);
NTSYSAPI NTSYSAPI
@ -9000,6 +9059,14 @@ NtLoadHotPatch(
* *
************************************************************************************/ ************************************************************************************/
#define MEM_EXECUTE_OPTION_DISABLE 0x1
#define MEM_EXECUTE_OPTION_ENABLE 0x2
#define MEM_EXECUTE_OPTION_DISABLE_THUNK_EMULATION 0x4
#define MEM_EXECUTE_OPTION_PERMANENT 0x8
#define MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE 0x10
#define MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE 0x20
#define MEM_EXECUTE_OPTION_VALID_FLAGS 0x3f
typedef enum _MEMORY_PARTITION_INFORMATION_CLASS { typedef enum _MEMORY_PARTITION_INFORMATION_CLASS {
SystemMemoryPartitionInformation, SystemMemoryPartitionInformation,
SystemMemoryPartitionMoveMemory, SystemMemoryPartitionMoveMemory,
@ -9069,6 +9136,21 @@ NtCreateSection(
_In_ ULONG AllocationAttributes, _In_ ULONG AllocationAttributes,
_In_opt_ HANDLE FileHandle); _In_opt_ HANDLE FileHandle);
//taken from ph2
NTSYSAPI
NTSTATUS
NTAPI
NtCreateSectionEx(
_Out_ PHANDLE SectionHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PLARGE_INTEGER MaximumSize,
_In_ ULONG SectionPageProtection,
_In_ ULONG AllocationAttributes,
_In_opt_ HANDLE FileHandle,
_In_ PMEM_EXTENDED_PARAMETER ExtendedParameters,
_In_ ULONG ExtendedParameterCount);
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
@ -9083,7 +9165,7 @@ NTAPI
NtMapViewOfSection( NtMapViewOfSection(
_In_ HANDLE SectionHandle, _In_ HANDLE SectionHandle,
_In_ HANDLE ProcessHandle, _In_ HANDLE ProcessHandle,
_Inout_ PVOID *BaseAddress, _Inout_ _At_(*BaseAddress, _Readable_bytes_(*ViewSize) _Writable_bytes_(*ViewSize) _Post_readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
_In_ ULONG_PTR ZeroBits, _In_ ULONG_PTR ZeroBits,
_In_ SIZE_T CommitSize, _In_ SIZE_T CommitSize,
_Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_opt_ PLARGE_INTEGER SectionOffset,
@ -9092,22 +9174,12 @@ NtMapViewOfSection(
_In_ ULONG AllocationType, _In_ ULONG AllocationType,
_In_ ULONG Win32Protect); _In_ ULONG Win32Protect);
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySection(
_In_ HANDLE SectionHandle,
_In_ SECTION_INFORMATION_CLASS SectionInformationClass,
_Out_ PVOID SectionInformation,
_In_ SIZE_T SectionInformationLength,
_Out_opt_ PSIZE_T ReturnLength);
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
NtUnmapViewOfSection( NtUnmapViewOfSection(
_In_ HANDLE ProcessHandle, _In_ HANDLE ProcessHandle,
_In_ PVOID BaseAddress); _In_opt_ PVOID BaseAddress);
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
@ -9117,6 +9189,16 @@ NtUnmapViewOfSectionEx(
_In_opt_ PVOID BaseAddress, _In_opt_ PVOID BaseAddress,
_In_ ULONG Flags); _In_ ULONG Flags);
NTSYSAPI
NTSTATUS
NTAPI
NtQuerySection(
_In_ HANDLE SectionHandle,
_In_ SECTION_INFORMATION_CLASS SectionInformationClass,
_Out_writes_bytes_(SectionInformationLength) PVOID SectionInformation,
_In_ SIZE_T SectionInformationLength,
_Out_opt_ PSIZE_T ReturnLength);
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
@ -9156,6 +9238,13 @@ NtFreeUserPhysicalPages(
_Inout_ PULONG_PTR NumberOfPages, _Inout_ PULONG_PTR NumberOfPages,
_In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray); _In_reads_(*NumberOfPages) PULONG_PTR UserPfnArray);
NTSYSAPI
NTSTATUS
NTAPI
NtAreMappedFilesTheSame(
_In_ PVOID File1MappedAsAnImage,
_In_ PVOID File2MappedAsFile);
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
@ -9234,6 +9323,39 @@ NtAccessCheckByTypeResultList(
_Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess, _Out_writes_(ObjectTypeListLength) PACCESS_MASK GrantedAccess,
_Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus); _Out_writes_(ObjectTypeListLength) PNTSTATUS AccessStatus);
NTSYSAPI
NTSTATUS
NTAPI
NtOpenObjectAuditAlarm(
_In_ PUNICODE_STRING SubsystemName,
_In_opt_ PVOID HandleId,
_In_ PUNICODE_STRING ObjectTypeName,
_In_ PUNICODE_STRING ObjectName,
_In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ HANDLE ClientToken,
_In_ ACCESS_MASK DesiredAccess,
_In_ ACCESS_MASK GrantedAccess,
_In_opt_ PPRIVILEGE_SET Privileges,
_In_ BOOLEAN ObjectCreation,
_In_ BOOLEAN AccessGranted,
_Out_ PBOOLEAN GenerateOnClose);
NTSYSAPI
NTSTATUS
NTAPI
NtCloseObjectAuditAlarm(
_In_ PUNICODE_STRING SubsystemName,
_In_opt_ PVOID HandleId,
_In_ BOOLEAN GenerateOnClose);
NTSYSAPI
NTSTATUS
NTAPI
NtDeleteObjectAuditAlarm(
_In_ PUNICODE_STRING SubsystemName,
_In_opt_ PVOID HandleId,
_In_ BOOLEAN GenerateOnClose);
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
@ -9747,14 +9869,52 @@ NtTerminateJobObject(
* *
************************************************************************************/ ************************************************************************************/
//taken from ph2
typedef enum _IO_SESSION_EVENT {
IoSessionEventIgnore,
IoSessionEventCreated,
IoSessionEventTerminated,
IoSessionEventConnected,
IoSessionEventDisconnected,
IoSessionEventLogon,
IoSessionEventLogoff,
IoSessionEventMax
} IO_SESSION_EVENT;
typedef enum _IO_SESSION_STATE {
IoSessionStateCreated,
IoSessionStateInitialized,
IoSessionStateConnected,
IoSessionStateDisconnected,
IoSessionStateDisconnectedLoggedOn,
IoSessionStateLoggedOn,
IoSessionStateLoggedOff,
IoSessionStateTerminated,
IoSessionStateMax
} IO_SESSION_STATE;
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
NtOpenSession( NtOpenSession(
_Out_ PHANDLE SessionHandle, _Out_ PHANDLE SessionHandle,
_In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes); _In_ POBJECT_ATTRIBUTES ObjectAttributes);
NTSYSAPI
NTSTATUS
NTAPI
NtNotifyChangeSession(
_In_ HANDLE SessionHandle,
_In_ ULONG ChangeSequenceNumber,
_In_ PLARGE_INTEGER ChangeTimeStamp,
_In_ IO_SESSION_EVENT Event,
_In_ IO_SESSION_STATE NewState,
_In_ IO_SESSION_STATE PreviousState,
_In_reads_bytes_opt_(PayloadSize) PVOID Payload,
_In_ ULONG PayloadSize);
/************************************************************************************ /************************************************************************************
* *
* IO Completion API. * IO Completion API.
@ -10152,17 +10312,17 @@ NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI
NtCreateThreadEx( NtCreateThreadEx(
_Out_ PHANDLE hThread, _Out_ PHANDLE ThreadHandle,
_In_ ACCESS_MASK DesiredAccess, _In_ ACCESS_MASK DesiredAccess,
_In_ LPVOID ObjectAttributes, _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ProcessHandle, _In_ HANDLE ProcessHandle,
_In_ LPTHREAD_START_ROUTINE lpStartAddress, _In_ PVOID StartRoutine,
_In_ LPVOID lpParameter, _In_opt_ PVOID Argument,
_In_ BOOL CreateSuspended, _In_ ULONG CreateFlags, //THREAD_CREATE_FLAGS_*
_In_ DWORD StackZeroBits, _In_opt_ ULONG_PTR ZeroBits,
_In_ DWORD SizeOfStackCommit, _In_opt_ SIZE_T StackSize,
_In_ DWORD SizeOfStackReserve, _In_opt_ SIZE_T MaximumStackSize,
_Out_ LPVOID lpBytesBuffer); _In_opt_ PPS_ATTRIBUTE_LIST AttributeList);
NTSYSAPI NTSYSAPI
ULONG ULONG
@ -10305,6 +10465,77 @@ NtCreatePagingFile(
* *
************************************************************************************/ ************************************************************************************/
typedef struct _PORT_VIEW {
ULONG Length;
HANDLE SectionHandle;
ULONG SectionOffset;
SIZE_T ViewSize;
PVOID ViewBase;
PVOID ViewRemoteBase;
} PORT_VIEW, *PPORT_VIEW;
typedef struct _REMOTE_PORT_VIEW {
ULONG Length;
SIZE_T ViewSize;
PVOID ViewBase;
} REMOTE_PORT_VIEW, *PREMOTE_PORT_VIEW;
typedef struct _PORT_MESSAGE {
union {
struct {
CSHORT DataLength;
CSHORT TotalLength;
} s1;
ULONG Length;
} u1;
union {
struct {
CSHORT Type;
CSHORT DataInfoOffset;
} s2;
ULONG ZeroInit;
} u2;
union {
CLIENT_ID ClientId;
double DoNotUseThisField; // Force quadword alignment
} u3;
ULONG MessageId;
union {
ULONG ClientViewSize; // Only valid on LPC_CONNECTION_REQUEST message
ULONG CallbackId; // Only valid on LPC_REQUEST message
} u4;
UCHAR Reserved[8];
} PORT_MESSAGE, *PPORT_MESSAGE;
typedef struct _PORT_DATA_ENTRY {
PVOID Base;
ULONG Size;
} PORT_DATA_ENTRY, *PPORT_DATA_ENTRY;
typedef struct _PORT_DATA_INFORMATION {
ULONG CountDataEntries;
PORT_DATA_ENTRY DataEntries[1];
} PORT_DATA_INFORMATION, *PPORT_DATA_INFORMATION;
#define LPC_REQUEST 1
#define LPC_REPLY 2
#define LPC_DATAGRAM 3
#define LPC_LOST_REPLY 4
#define LPC_PORT_CLOSED 5
#define LPC_CLIENT_DIED 6
#define LPC_EXCEPTION 7
#define LPC_DEBUG_EVENT 8
#define LPC_ERROR_EVENT 9
#define LPC_CONNECTION_REQUEST 10
#define PORT_VALID_OBJECT_ATTRIBUTES (OBJ_CASE_INSENSITIVE)
#define PORT_MAXIMUM_MESSAGE_LENGTH 256
typedef struct _LPC_CLIENT_DIED_MSG {
PORT_MESSAGE PortMsg;
LARGE_INTEGER CreateTime;
} LPC_CLIENT_DIED_MSG, *PLPC_CLIENT_DIED_MSG;
NTSYSAPI NTSYSAPI
NTSTATUS NTSTATUS
NTAPI NTAPI

BIN
Source/Furutaka/resource.rc
View File

Binary file not shown.

193
Source/Furutaka/sup.c
View File

@ -4,9 +4,9 @@
* *
* TITLE: SUP.C * TITLE: SUP.C
* *
* VERSION: 1.14 * VERSION: 1.15
* *
* DATE: 05 Jan 2019 * DATE: 19 Apr 2019
* *
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@ -81,10 +81,9 @@ ULONG_PTR supGetNtOsBase(
ULONG_PTR NtOsBase = 0; ULONG_PTR NtOsBase = 0;
miSpace = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation); miSpace = (PRTL_PROCESS_MODULES)supGetSystemInfo(SystemModuleInformation);
while (miSpace != NULL) { if (miSpace) {
NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase; NtOsBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace); RtlFreeHeap(NtCurrentPeb()->ProcessHeap, 0, miSpace);
break;
} }
return NtOsBase; return NtOsBase;
} }
@ -405,7 +404,7 @@ NTSTATUS NTAPI supEnumSystemObjects(
* Return TRUE if the given object exists, FALSE otherwise. * Return TRUE if the given object exists, FALSE otherwise.
* *
*/ */
BOOL supIsObjectExists( BOOLEAN supIsObjectExists(
_In_ LPWSTR RootDirectory, _In_ LPWSTR RootDirectory,
_In_ LPWSTR ObjectName _In_ LPWSTR ObjectName
) )
@ -421,3 +420,187 @@ BOOL supIsObjectExists(
return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param)); return NT_SUCCESS(supEnumSystemObjects(RootDirectory, NULL, supDetectObjectCallback, &Param));
} }
/*
* supxStopServiceShowError
*
* Purpose:
*
* Display Function + LastError message for SCM part, Function limited to MAX_PATH.
*
*/
VOID supxStopServiceShowError(
_In_ LPWSTR Function,
_In_ DWORD ErrorCode)
{
WCHAR szMessage[300];
_strcpy(szMessage, TEXT("SCM: "));
_strcat(szMessage, Function);
_strcat(szMessage, TEXT(" failed ("));
ultostr(ErrorCode, _strend(szMessage));
_strcat(szMessage, TEXT(")"));
cuiPrintText(szMessage, TRUE);
}
/*
* supStopVBoxService
*
* Purpose:
*
* Stop given VirtualBox service (unload kernel driver).
*
*/
BOOLEAN supStopVBoxService(
_In_ SC_HANDLE schSCManager,
_In_ LPWSTR szSvcName //MAX_PATH limit
)
{
BOOLEAN bResult = FALSE;
SC_HANDLE schService;
SERVICE_STATUS_PROCESS ssp;
DWORD dwStartTime = GetTickCount();
DWORD dwBytesNeeded;
DWORD dwTimeout = 30000; //30 seconds timeout for this proc.
DWORD dwWaitTime;
DWORD dwLastError;
WCHAR szMessage[MAX_PATH * 2];
_strcpy(szMessage, TEXT("SCM: Attempt to stop "));
_strcat(szMessage, szSvcName);
cuiPrintText(szMessage, TRUE);
//
// Open service, if service does not exist consider this as success and leave.
//
schService = OpenService(
schSCManager,
szSvcName,
SERVICE_STOP |
SERVICE_QUERY_STATUS);
if (schService == NULL) {
dwLastError = GetLastError();
if (dwLastError == ERROR_SERVICE_DOES_NOT_EXIST) {
cuiPrintText(TEXT("SCM: Service does not exist, skip"), TRUE);
return TRUE;
}
else {
supxStopServiceShowError(TEXT("OpenService"), GetLastError());
return FALSE;
}
}
//
// Query service status.
//
if (!QueryServiceStatusEx(
schService,
SC_STATUS_PROCESS_INFO,
(LPBYTE)&ssp,
sizeof(SERVICE_STATUS_PROCESS),
&dwBytesNeeded))
{
supxStopServiceShowError(TEXT("QueryServiceStatusEx"), GetLastError());
goto stop_cleanup;
}
if (ssp.dwCurrentState == SERVICE_STOPPED) {
cuiPrintText(TEXT("SCM: Service is already stopped"), TRUE);
bResult = TRUE;
goto stop_cleanup;
}
//
// If service already in stop pending state, wait a little.
//
while (ssp.dwCurrentState == SERVICE_STOP_PENDING)
{
cuiPrintText(TEXT("SCM: Service stop pending..."), TRUE);
dwWaitTime = ssp.dwWaitHint / 10;
if (dwWaitTime < 1000)
dwWaitTime = 1000;
else if (dwWaitTime > 10000)
dwWaitTime = 10000;
Sleep(dwWaitTime);
if (!QueryServiceStatusEx(
schService,
SC_STATUS_PROCESS_INFO,
(LPBYTE)&ssp,
sizeof(SERVICE_STATUS_PROCESS),
&dwBytesNeeded))
{
supxStopServiceShowError(TEXT("QueryServiceStatusEx"), GetLastError());
goto stop_cleanup;
}
if (ssp.dwCurrentState == SERVICE_STOPPED)
{
cuiPrintText(TEXT("SCM: Service stopped successfully"), TRUE);
bResult = TRUE;
goto stop_cleanup;
}
//
// 30 seconds execution timeout reached.
//
if (GetTickCount() - dwStartTime > dwTimeout) {
cuiPrintText(TEXT("SCM: Service stop timed out.\n"), TRUE);
goto stop_cleanup;
}
}
//
// Stop service.
//
if (!ControlService(
schService,
SERVICE_CONTROL_STOP,
(LPSERVICE_STATUS)&ssp))
{
supxStopServiceShowError(TEXT("ControlService"), GetLastError());
goto stop_cleanup;
}
//
// Check whatever we need to wait for service stop.
//
while (ssp.dwCurrentState != SERVICE_STOPPED)
{
Sleep(ssp.dwWaitHint);
if (!QueryServiceStatusEx(
schService,
SC_STATUS_PROCESS_INFO,
(LPBYTE)&ssp,
sizeof(SERVICE_STATUS_PROCESS),
&dwBytesNeeded))
{
supxStopServiceShowError(TEXT("QueryServiceStatusEx"), GetLastError());
goto stop_cleanup;
}
if (ssp.dwCurrentState == SERVICE_STOPPED)
break;
//
// 30 seconds execution timeout reached.
//
if (GetTickCount() - dwStartTime > dwTimeout) {
cuiPrintText(TEXT("SCM: Wait timed out"), TRUE);
goto stop_cleanup;
}
}
cuiPrintText(TEXT("SCM: Service stopped successfully"), TRUE);
bResult = TRUE;
stop_cleanup:
CloseServiceHandle(schService);
return bResult;
}

30
Source/Furutaka/sup.h
View File

@ -1,12 +1,12 @@
/******************************************************************************* /*******************************************************************************
* *
* (C) COPYRIGHT AUTHORS, 2016 - 2017 * (C) COPYRIGHT AUTHORS, 2016 - 2019
* *
* TITLE: SUP.H * TITLE: SUP.H
* *
* VERSION: 1.10 * VERSION: 1.15
* *
* DATE: 17 Apr 2017 * DATE: 19 Apr 2019
* *
* Common header file for the program support routines. * Common header file for the program support routines.
* *
@ -26,34 +26,32 @@ typedef struct _OBJSCANPARAM {
} OBJSCANPARAM, *POBJSCANPARAM; } OBJSCANPARAM, *POBJSCANPARAM;
ULONG_PTR supGetNtOsBase( ULONG_PTR supGetNtOsBase(
VOID VOID);
);
PVOID supGetSystemInfo( PVOID supGetSystemInfo(
_In_ SYSTEM_INFORMATION_CLASS InfoClass _In_ SYSTEM_INFORMATION_CLASS InfoClass);
);
PBYTE supQueryResourceData( PBYTE supQueryResourceData(
_In_ ULONG_PTR ResourceId, _In_ ULONG_PTR ResourceId,
_In_ PVOID DllHandle, _In_ PVOID DllHandle,
_In_ PULONG DataSize _In_ PULONG DataSize);
);
BOOL supBackupVBoxDrv( BOOL supBackupVBoxDrv(
_In_ BOOL bRestore _In_ BOOL bRestore);
);
SIZE_T supWriteBufferToFile( SIZE_T supWriteBufferToFile(
_In_ PWSTR lpFileName, _In_ PWSTR lpFileName,
_In_ PVOID Buffer, _In_ PVOID Buffer,
_In_ SIZE_T Size, _In_ SIZE_T Size,
_In_ BOOL Flush, _In_ BOOL Flush,
_In_ BOOL Append _In_ BOOL Append);
);
BOOL supIsObjectExists( BOOLEAN supIsObjectExists(
_In_ LPWSTR RootDirectory, _In_ LPWSTR RootDirectory,
_In_ LPWSTR ObjectName _In_ LPWSTR ObjectName);
);
BOOLEAN supStopVBoxService(
_In_ SC_HANDLE schSCManager,
_In_ LPWSTR szSvcName);
#define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1) #define PathFileExists(lpszPath) (GetFileAttributes(lpszPath) != (DWORD)-1)

14
TDL.sha256
View File

@ -1,6 +1,6 @@
a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys a761bbb4a1b7813132dc8d8ed526d24289dc603bc706da238e1f23d75dbd66aa *Compiled\dummy.sys
f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys f6610691bc3b9f96dad8bfc00b3ceb939ebcb17844d1ca5ee26f8364944ca110 *Compiled\dummy2.sys
0d1e0c1e14b614ed3b156d0f43ed7cdb872cb5b967ed70c0ba501e3cbc2daca2 *Compiled\Furutaka.exe 37805cc7ae226647753aca1a32d7106d804556a98e1a21ac324e5b880b9a04da *Compiled\Furutaka.exe
14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln 14eec2753d0e9b432c54c4a70fc59e3be75674313b6308a7a820e6682f775eb9 *Source\DummyDrv\dummy.sln
d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj d61ebda2674d2db05a235478f89fed02c2de049b00ac5648fcebd4c4e638f71c *Source\DummyDrv\dummy\dummy.vcxproj
2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters 2d469aafdb7e37a2d58d4e7875abbfd27599762333cba8e28376c16fa7446e9c *Source\DummyDrv\dummy\dummy.vcxproj.filters
@ -18,17 +18,17 @@ f0732da25aa6b0a64eb0ebfc730c0902ed6fd1cc51f43f66813adbc5283de6ec *Source\DummyDr
24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln 24bd86affa81071e8e4ba82368e6004ede1c4dd5234c21098c4e7563ee25721a *Source\Furutaka\Furutaka.sln
fa3af80e10c1824e99fcf2e4d5cec3cb4974d1eb35035f5a62fac67a44170c68 *Source\Furutaka\Furutaka.vcxproj fa3af80e10c1824e99fcf2e4d5cec3cb4974d1eb35035f5a62fac67a44170c68 *Source\Furutaka\Furutaka.vcxproj
b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters b28c810f46cd167ac65996dd850ac0743756a76a928ea445bb3d255d5200c5b7 *Source\Furutaka\Furutaka.vcxproj.filters
fc708eb26d32a785ab15f502140928985a1bd0113c0c9640eb25d6f2e0b4e7cd *Source\Furutaka\Furutaka.vcxproj.user feebf1c788d97bd616267c136e88fdf21f4ba09f528507cdf8a2659d1dd0a8cd *Source\Furutaka\Furutaka.vcxproj.user
4b16411f96538d38f05b5d949710ace54839d4a9aee9dcc2a61a4b2f4dbfc9cc *Source\Furutaka\global.h 4b16411f96538d38f05b5d949710ace54839d4a9aee9dcc2a61a4b2f4dbfc9cc *Source\Furutaka\global.h
94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c 94cbbb81022dbd0205a3e7ede89775b43f9f45e934a3079fdb7f5217d8794fe0 *Source\Furutaka\instdrv.c
33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h 33b8666748f027ff93707e6e2a1b52303c3664399000ff18b4a8fe864b731640 *Source\Furutaka\instdrv.h
64a8028d51454e2c831a81b68fcaf7348653830c010fb190451028c302f0574e *Source\Furutaka\main.c 2525f63ec3f9fb008edaffb7ff7f970d6777ddaf8511f60a95326f60f6ed80f0 *Source\Furutaka\main.c
d0debd4f7db2ef941f0b02e9d7d1b85d873f0a01dcb4537b5e112c68443aaaa6 *Source\Furutaka\ntos.h 5b0b4376df8fb5b43d8a0d4130ad3523d4325718ea4991d11498961f33e7e38d *Source\Furutaka\ntos.h
fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h fe6f865af4e22a2f7e1349891e935d7825caf08a06993d4e24d1596dab77963e *Source\Furutaka\resource.h
530c157ddb971692aacd0252694a8a752f95c1759f6d8ae468477e0676a37d08 *Source\Furutaka\resource.rc 140441e10f8ff80be91ed5d1fa30cd099bb6e02b97434926d14048006bdaec8f *Source\Furutaka\resource.rc
6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h 6f8ae02b3a6da025d5f918080e70245760d472dd5eb23fcc3964d425bee41336 *Source\Furutaka\shellcode.h
fe4cf565002d1b4a33b5f5fb81c656141f6bc758c94d861391e93a089515cbf8 *Source\Furutaka\sup.c 109d895924e1b581ad42374b7bf0307fe62ab352f7dee082161f9066e3778d5d *Source\Furutaka\sup.c
059014233efa8963d28b21f77aa37ae1c0ed3e152a9737ae8ec45338dee1d860 *Source\Furutaka\sup.h 526bb1070e50c733ae931ea4bfb48d8aba0b1efbd2818818d2af2b6d160b5673 *Source\Furutaka\sup.h
12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h 12a9c986e4589a613e4d8e0e30a7bfa41191283a53b2eafab3483b0884a93d82 *Source\Furutaka\vbox.h
cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986 *Source\Furutaka\drv\vboxdrv_exploitable.sys
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Furutaka\minirtl\cmdline.c 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Furutaka\minirtl\cmdline.c