ight she stable :)

master
_xeroxz 4 years ago
parent d382cf80cc
commit ac14fbce56

@ -6,7 +6,7 @@
namespace mapper namespace mapper
{ {
auto map_driver(std::uint8_t* drv_image, std::size_t image_size, void** entry_data) -> std::pair<mapper_error, void*> auto map_driver(std::uint32_t pid, std::uint8_t* drv_image, std::size_t image_size, void** entry_data) -> std::pair<mapper_error, void*>
{ {
std::vector<std::uint8_t> drv_buffer(drv_image, image_size + drv_image); std::vector<std::uint8_t> drv_buffer(drv_image, image_size + drv_image);
if (!drv_buffer.size()) if (!drv_buffer.size())
@ -16,10 +16,9 @@ namespace mapper
if (drv_handle == INVALID_HANDLE_VALUE || drv_key.empty()) if (drv_handle == INVALID_HANDLE_VALUE || drv_key.empty())
return { mapper_error::load_error, nullptr }; return { mapper_error::load_error, nullptr };
const auto runtime_broker_pid = const auto context_pid = util::create_context();
util::start_runtime_broker();
if (!runtime_broker_pid) if (!context_pid)
return { mapper_error::failed_to_create_proc, nullptr }; return { mapper_error::failed_to_create_proc, nullptr };
vdm::read_phys_t _read_phys = vdm::read_phys_t _read_phys =
@ -35,10 +34,13 @@ namespace mapper
}; };
vdm::vdm_ctx v_ctx(_read_phys, _write_phys); vdm::vdm_ctx v_ctx(_read_phys, _write_phys);
nasa::mem_ctx my_proc(&v_ctx, GetCurrentProcessId()); nasa::mem_ctx desired_ctx(&v_ctx, GetCurrentProcessId());
nasa::mem_ctx runtime_broker(&v_ctx, runtime_broker_pid); nasa::mem_ctx zombie_ctx(&v_ctx, context_pid);
nasa::mapper_ctx mapper(&my_proc, &runtime_broker); nasa::mapper_ctx mapper(&desired_ctx, &zombie_ctx);
// disable the working set manager thread
// this thread loops forever and tries to
// page stuff to disk that is not accessed alot...
const auto result = const auto result =
set_mgr::stop_setmgr(v_ctx, set_mgr::stop_setmgr(v_ctx,
set_mgr::get_setmgr_pethread(v_ctx)); set_mgr::get_setmgr_pethread(v_ctx));
@ -46,6 +48,15 @@ namespace mapper
if (result != STATUS_SUCCESS) if (result != STATUS_SUCCESS)
return { mapper_error::set_mgr_failure, nullptr }; return { mapper_error::set_mgr_failure, nullptr };
// increment a process terminate counter
// then terminate the process... this makes it
// so the process can never actually fully close...
const auto [inc_ref_result, terminated] =
v_ctx.zombie_process(context_pid);
if (inc_ref_result != STATUS_SUCCESS || !terminated)
return { mapper_error::zombie_process_failed, nullptr };
const auto [drv_base, drv_entry] = mapper.map(drv_buffer); const auto [drv_base, drv_entry] = mapper.map(drv_buffer);
if (!drv_base || !drv_entry) if (!drv_base || !drv_entry)
return { mapper_error::init_failed, nullptr }; return { mapper_error::init_failed, nullptr };

@ -9,12 +9,13 @@ namespace mapper
{ {
error_success, // everything is good! error_success, // everything is good!
image_invalid, // the driver your trying to map is invalid (are you importing things that arent in ntoskrnl?) image_invalid, // the driver your trying to map is invalid (are you importing things that arent in ntoskrnl?)
load_error, // unable to load signed driver into the kernel (are you running as admin?) load_error, // unable to load signed driver into the kernel (are you running as admin?)
unload_error, // unable to unload signed driver from kernel (are all handles to this driver closes?) unload_error, // unable to unload signed driver from kernel (are all handles to this driver closes?)
piddb_fail, // piddb cache clearing failed... (are you using this code below windows 10?) piddb_fail, // piddb cache clearing failed... (are you using this code below windows 10?)
init_failed, // setting up library dependancies failed! init_failed, // setting up library dependancies failed!
failed_to_create_proc, // was unable to create a new process to inject driver into! (RuntimeBroker.exe) failed_to_create_proc, // was unable to create a new process to inject driver into! (RuntimeBroker.exe)
set_mgr_failure // unable to stop working set manager thread... this thread can cause issues with PTM... set_mgr_failure, // unable to stop working set manager thread... this thread can cause issues with PTM...
zombie_process_failed
}; };
/// <summary> /// <summary>
@ -24,5 +25,5 @@ namespace mapper
/// <param name="image_size">size of the driver buffer</param> /// <param name="image_size">size of the driver buffer</param>
/// <param name="entry_data">data to be sent to the entry point of the driver...</param> /// <param name="entry_data">data to be sent to the entry point of the driver...</param>
/// <returns>status of the driver being mapped, and base address of the driver...</returns> /// <returns>status of the driver being mapped, and base address of the driver...</returns>
auto map_driver(std::uint8_t* drv_image, std::size_t image_size, void** entry_data)->std::pair<mapper_error, void*>; auto map_driver(std::uint32_t pid, std::uint8_t* drv_image, std::size_t image_size, void** entry_data)->std::pair<mapper_error, void*>;
} }

@ -13,6 +13,8 @@
#include <atomic> #include <atomic>
#include "nt.hpp" #include "nt.hpp"
#define ZOMBIE_PROCESS "C:\\Windows\\System32\\RuntimeBroker.exe"
namespace util namespace util
{ {
//--- ranges of physical memory //--- ranges of physical memory
@ -48,7 +50,8 @@ namespace util
return true; return true;
})(); })();
__forceinline auto start_runtime_broker() -> std::uint32_t // it doesnt matter what process we create, we just need a 64bit context...
__forceinline auto create_context() -> std::uint32_t
{ {
STARTUPINFO si; STARTUPINFO si;
PROCESS_INFORMATION pi; PROCESS_INFORMATION pi;
@ -57,9 +60,9 @@ namespace util
si.cb = sizeof(si); si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi)); ZeroMemory(&pi, sizeof(pi));
CreateProcessA( if (!CreateProcessA(
NULL, NULL,
"C:\\Windows\\System32\\RuntimeBroker.exe", ZOMBIE_PROCESS,
NULL, NULL,
NULL, NULL,
FALSE, FALSE,
@ -68,7 +71,8 @@ namespace util
NULL, NULL,
&si, &si,
&pi &pi
); ))
return {};
SuspendThread(pi.hThread); SuspendThread(pi.hThread);
return pi.dwProcessId; return pi.dwProcessId;

@ -105,6 +105,32 @@ namespace vdm
ntoskrnl_get_virtual, addr); ntoskrnl_get_virtual, addr);
} }
__forceinline auto zombie_process(std::uint32_t pid) -> std::pair<NTSTATUS, bool>
{
// zombie the the process by incrementing an exit counter
// then calling TerminateProcess so the process never closes...
const auto peproc =
reinterpret_cast<std::uintptr_t>(
this->get_peprocess(pid));
if (!peproc) return { {}, {} };
static const auto inc_ref_counter =
util::get_kmodule_export(
"ntoskrnl.exe",
"PsAcquireProcessExitSynchronization"
);
const auto terminated =
TerminateProcess(OpenProcess(
PROCESS_TERMINATE, FALSE, pid), NULL);
const auto result =
this->syscall<NTSTATUS(*)(std::uintptr_t)>(
inc_ref_counter, peproc);
return { result, terminated };
}
private: private:
void locate_syscall(std::uintptr_t begin, std::uintptr_t end) const; void locate_syscall(std::uintptr_t begin, std::uintptr_t end) const;
bool valid_syscall(void* syscall_addr) const; bool valid_syscall(void* syscall_addr) const;

Binary file not shown.

@ -1,4 +1,5 @@
#include <iostream> #include <iostream>
#include <Windows.h>
#include "utils.h" #include "utils.h"
#include "map_driver.hpp" #include "map_driver.hpp"
@ -18,12 +19,13 @@ int __cdecl main(int argc, char** argv)
const auto [result, driver_base] = const auto [result, driver_base] =
mapper::map_driver mapper::map_driver
( (
GetCurrentProcessId(), // you can map the driver into whatever context you want...
driver_data.data(), driver_data.data(),
driver_data.size(), driver_data.size(),
nullptr // you can pass your structure here... nullptr // you can pass your structure here...
); );
std::printf("[+] driver mapping result -> 0x%x (0 == STATUS_SUCCESS)\n", result); std::printf("[+] driver mapping result -> 0x%x (0 == mapper_error::error_success)\n", result);
std::printf("[+] driver base address (usermode) -> 0x%p\n", driver_base); std::printf("[+] driver base address (usermode) -> 0x%p\n", driver_base);
std::getchar(); std::getchar();
} }

@ -9,12 +9,13 @@ namespace mapper
{ {
error_success, // everything is good! error_success, // everything is good!
image_invalid, // the driver your trying to map is invalid (are you importing things that arent in ntoskrnl?) image_invalid, // the driver your trying to map is invalid (are you importing things that arent in ntoskrnl?)
load_error, // unable to load signed driver into the kernel (are you running as admin?) load_error, // unable to load signed driver into the kernel (are you running as admin?)
unload_error, // unable to unload signed driver from kernel (are all handles to this driver closes?) unload_error, // unable to unload signed driver from kernel (are all handles to this driver closes?)
piddb_fail, // piddb cache clearing failed... (are you using this code below windows 10?) piddb_fail, // piddb cache clearing failed... (are you using this code below windows 10?)
init_failed, // setting up library dependancies failed! init_failed, // setting up library dependancies failed!
failed_to_create_proc, // was unable to create a new process to inject driver into! (RuntimeBroker.exe) failed_to_create_proc, // was unable to create a new process to inject driver into! (RuntimeBroker.exe)
set_mgr_failure // unable to stop working set manager thread... this thread can cause issues with PTM... set_mgr_failure, // unable to stop working set manager thread... this thread can cause issues with PTM...
zombie_process_failed
}; };
/// <summary> /// <summary>
@ -24,5 +25,5 @@ namespace mapper
/// <param name="image_size">size of the driver buffer</param> /// <param name="image_size">size of the driver buffer</param>
/// <param name="entry_data">data to be sent to the entry point of the driver...</param> /// <param name="entry_data">data to be sent to the entry point of the driver...</param>
/// <returns>status of the driver being mapped, and base address of the driver...</returns> /// <returns>status of the driver being mapped, and base address of the driver...</returns>
auto map_driver(std::uint8_t* drv_image, std::size_t image_size, void** entry_data) -> std::pair<mapper_error, void*>; auto map_driver(std::uint32_t pid, std::uint8_t* drv_image, std::size_t image_size, void** entry_data) -> std::pair<mapper_error, void*>;
} }
Loading…
Cancel
Save