You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
262 lines
7.0 KiB
262 lines
7.0 KiB
4 years ago
|
/*
|
||
|
MIT License
|
||
|
|
||
|
Copyright (c) 2020 xerox
|
||
|
|
||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||
|
of this software and associated documentation files (the "Software"), to deal
|
||
|
in the Software without restriction, including without limitation the rights
|
||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||
|
copies of the Software, and to permit persons to whom the Software is
|
||
|
furnished to do so, subject to the following conditions:
|
||
|
|
||
|
The above copyright notice and this permission notice shall be included in all
|
||
|
copies or substantial portions of the Software.
|
||
|
|
||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||
|
SOFTWARE.
|
||
|
*/
|
||
|
|
||
|
|
||
|
#pragma once
|
||
|
#include <Windows.h>
|
||
|
#include <Winternl.h>
|
||
|
#include <string>
|
||
|
#include <fstream>
|
||
|
#include <filesystem>
|
||
|
#include <ntstatus.h>
|
||
|
|
||
|
#pragma comment(lib, "ntdll.lib")
|
||
|
extern "C" NTSTATUS NtLoadDriver(PUNICODE_STRING);
|
||
|
extern "C" NTSTATUS NtUnloadDriver(PUNICODE_STRING);
|
||
|
|
||
|
namespace driver
|
||
|
{
|
||
|
namespace util
|
||
|
{
|
||
|
__forceinline auto delete_service_entry(const std::string& service_name) -> bool
|
||
|
{
|
||
|
HKEY reg_handle;
|
||
|
static const std::string reg_key("System\\CurrentControlSet\\Services\\");
|
||
|
|
||
|
auto result = RegOpenKeyA(
|
||
|
HKEY_LOCAL_MACHINE,
|
||
|
reg_key.c_str(),
|
||
|
®_handle
|
||
|
);
|
||
|
|
||
|
return ERROR_SUCCESS == RegDeleteKeyA(reg_handle, service_name.data()) &&
|
||
|
ERROR_SUCCESS == RegCloseKey(reg_handle);;
|
||
|
}
|
||
|
|
||
|
__forceinline auto create_service_entry(const std::string& drv_path, const std::string& service_name) -> bool
|
||
|
{
|
||
|
HKEY reg_handle;
|
||
|
std::string reg_key("System\\CurrentControlSet\\Services\\");
|
||
|
reg_key += service_name;
|
||
|
|
||
|
auto result = RegCreateKeyA(
|
||
|
HKEY_LOCAL_MACHINE,
|
||
|
reg_key.c_str(),
|
||
|
®_handle
|
||
|
);
|
||
|
|
||
|
if (result != ERROR_SUCCESS)
|
||
|
return false;
|
||
|
|
||
|
std::uint8_t type_value = 1;
|
||
|
result = RegSetValueExA(
|
||
|
reg_handle,
|
||
|
"Type",
|
||
|
NULL,
|
||
|
REG_DWORD,
|
||
|
&type_value,
|
||
|
4u
|
||
|
);
|
||
|
|
||
|
if (result != ERROR_SUCCESS)
|
||
|
return false;
|
||
|
|
||
|
std::uint8_t error_control_value = 3;
|
||
|
result = RegSetValueExA(
|
||
|
reg_handle,
|
||
|
"ErrorControl",
|
||
|
NULL,
|
||
|
REG_DWORD,
|
||
|
&error_control_value,
|
||
|
4u
|
||
|
);
|
||
|
|
||
|
if (result != ERROR_SUCCESS)
|
||
|
return false;
|
||
|
|
||
|
std::uint8_t start_value = 3;
|
||
|
result = RegSetValueExA(
|
||
|
reg_handle,
|
||
|
"Start",
|
||
|
NULL,
|
||
|
REG_DWORD,
|
||
|
&start_value,
|
||
|
4u
|
||
|
);
|
||
|
|
||
|
if (result != ERROR_SUCCESS)
|
||
|
return false;
|
||
|
|
||
|
result = RegSetValueExA(
|
||
|
reg_handle,
|
||
|
"ImagePath",
|
||
|
NULL,
|
||
|
REG_SZ,
|
||
|
(std::uint8_t*) drv_path.c_str(),
|
||
|
drv_path.size()
|
||
|
);
|
||
|
|
||
|
if (result != ERROR_SUCCESS)
|
||
|
return false;
|
||
|
|
||
|
return ERROR_SUCCESS == RegCloseKey(reg_handle);
|
||
|
}
|
||
|
|
||
|
__forceinline auto enable_privilege(const std::wstring& privilege_name) -> bool
|
||
|
{
|
||
|
HANDLE token_handle = nullptr;
|
||
|
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle))
|
||
|
return false;
|
||
|
|
||
|
LUID luid{};
|
||
|
if (!LookupPrivilegeValueW(nullptr, privilege_name.data(), &luid))
|
||
|
return false;
|
||
|
|
||
|
TOKEN_PRIVILEGES token_state{};
|
||
|
token_state.PrivilegeCount = 1;
|
||
|
token_state.Privileges[0].Luid = luid;
|
||
|
token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||
|
|
||
|
if (!AdjustTokenPrivileges(token_handle, FALSE, &token_state, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr))
|
||
|
return false;
|
||
|
|
||
|
CloseHandle(token_handle);
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
__forceinline auto get_service_image_path(const std::string& service_name) -> std::string
|
||
|
{
|
||
|
HKEY reg_handle;
|
||
|
DWORD bytes_read;
|
||
|
char image_path[0xFF];
|
||
|
static const std::string reg_key("System\\CurrentControlSet\\Services\\");
|
||
|
|
||
|
auto result = RegOpenKeyA(
|
||
|
HKEY_LOCAL_MACHINE,
|
||
|
reg_key.c_str(),
|
||
|
®_handle
|
||
|
);
|
||
|
|
||
|
result = RegGetValueA(
|
||
|
reg_handle,
|
||
|
service_name.c_str(),
|
||
|
"ImagePath",
|
||
|
REG_SZ,
|
||
|
NULL,
|
||
|
image_path,
|
||
|
&bytes_read
|
||
|
);
|
||
|
|
||
|
RegCloseKey(reg_handle);
|
||
|
return std::string(image_path);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
__forceinline auto load(const std::string& drv_path, const std::string& service_name) -> NTSTATUS
|
||
|
{
|
||
|
if (!util::enable_privilege(L"SeLoadDriverPrivilege"))
|
||
|
return false;
|
||
|
|
||
|
if (!util::create_service_entry("\\??\\" +
|
||
|
std::filesystem::absolute(std::filesystem::path(drv_path)).string(), service_name))
|
||
|
return false;
|
||
|
|
||
|
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
|
||
|
reg_path += service_name;
|
||
|
|
||
|
ANSI_STRING driver_rep_path_cstr;
|
||
|
UNICODE_STRING driver_reg_path_unicode;
|
||
|
|
||
|
RtlInitAnsiString(&driver_rep_path_cstr, reg_path.c_str());
|
||
|
RtlAnsiStringToUnicodeString(&driver_reg_path_unicode, &driver_rep_path_cstr, true);
|
||
|
return NtLoadDriver(&driver_reg_path_unicode);
|
||
|
}
|
||
|
|
||
|
__forceinline auto load(const std::vector<std::uint8_t>& drv_buffer) -> std::pair<NTSTATUS, std::string>
|
||
|
{
|
||
|
static const auto random_file_name = [](std::size_t length) -> std::string
|
||
|
{
|
||
|
std::srand(std::time(0));
|
||
|
static const auto randchar = []() -> char
|
||
|
{
|
||
|
const char charset[] =
|
||
|
"0123456789"
|
||
|
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||
|
"abcdefghijklmnopqrstuvwxyz";
|
||
|
const std::size_t max_index = (sizeof(charset) - 1);
|
||
|
return charset[rand() % max_index];
|
||
|
};
|
||
|
|
||
|
std::string str(length, 0);
|
||
|
std::generate_n(str.begin(), length, randchar);
|
||
|
return str;
|
||
|
};
|
||
|
|
||
|
const auto service_name = random_file_name(16);
|
||
|
const auto file_path = std::filesystem::temp_directory_path().string() + service_name;
|
||
|
std::ofstream output_file(file_path.c_str(), std::ios::binary);
|
||
|
|
||
|
output_file.write((char*)drv_buffer.data(), drv_buffer.size());
|
||
|
output_file.close();
|
||
|
|
||
|
return { load(file_path, service_name), service_name };
|
||
|
}
|
||
|
|
||
|
__forceinline auto load(const std::uint8_t* buffer, const std::size_t size) -> std::pair<NTSTATUS, std::string>
|
||
|
{
|
||
|
std::vector<std::uint8_t> image(buffer, buffer + size);
|
||
|
return load(image);
|
||
|
}
|
||
|
|
||
|
__forceinline auto unload(const std::string& service_name) -> NTSTATUS
|
||
|
{
|
||
|
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
|
||
|
reg_path += service_name;
|
||
|
|
||
|
ANSI_STRING driver_rep_path_cstr;
|
||
|
UNICODE_STRING driver_reg_path_unicode;
|
||
|
|
||
|
RtlInitAnsiString(&driver_rep_path_cstr, reg_path.c_str());
|
||
|
RtlAnsiStringToUnicodeString(
|
||
|
&driver_reg_path_unicode, &driver_rep_path_cstr, true);
|
||
|
|
||
|
const bool unload_result =
|
||
|
NtUnloadDriver(&driver_reg_path_unicode);
|
||
|
|
||
|
util::delete_service_entry(service_name);
|
||
|
// sometimes you cannot delete the driver off disk because there are still handles open
|
||
|
// to the driver, this means the driver is still loaded into the kernel...
|
||
|
try
|
||
|
{
|
||
|
std::filesystem::remove(
|
||
|
std::filesystem::temp_directory_path()
|
||
|
.string() + service_name);
|
||
|
}
|
||
|
catch (std::exception& e)
|
||
|
{
|
||
|
return STATUS_ABANDONED;
|
||
|
}
|
||
|
return unload_result;
|
||
|
}
|
||
|
}
|