Update loadup.hpp

master
xerox 5 years ago
parent eca3dd5d17
commit 01e5b87901

@ -35,154 +35,154 @@ using nt_unload_driver_t = NTSTATUS(__fastcall*)(PUNICODE_STRING);
namespace driver namespace driver
{ {
namespace util namespace util
{ {
inline bool delete_service_entry(const std::string& service_name) inline bool delete_service_entry(const std::string& service_name)
{ {
HKEY reg_handle; HKEY reg_handle;
static const std::string reg_key("System\\CurrentControlSet\\Services\\"); static const std::string reg_key("System\\CurrentControlSet\\Services\\");
auto result = RegOpenKeyA( auto result = RegOpenKeyA(
HKEY_LOCAL_MACHINE, HKEY_LOCAL_MACHINE,
reg_key.c_str(), reg_key.c_str(),
&reg_handle &reg_handle
); );
RegCloseKey(reg_handle); return ERROR_SUCCESS == RegDeleteKeyA(reg_handle, service_name.data()) && ERROR_SUCCESS == RegCloseKey(reg_handle);;
return ERROR_SUCCESS == RegDeleteKeyA(reg_handle, service_name.data()); }
}
inline bool create_service_entry(const std::string& drv_path, const std::string& service_name)
inline bool create_service_entry(const std::string& drv_path, const std::string& service_name) {
{ HKEY reg_handle;
HKEY reg_handle; std::string reg_key("System\\CurrentControlSet\\Services\\");
std::string reg_key("System\\CurrentControlSet\\Services\\"); reg_key += service_name;
reg_key += service_name;
auto result = RegCreateKeyA(
auto result = RegCreateKeyA( HKEY_LOCAL_MACHINE,
HKEY_LOCAL_MACHINE, reg_key.c_str(),
reg_key.c_str(), &reg_handle
&reg_handle );
);
if (result != ERROR_SUCCESS)
if (result != ERROR_SUCCESS) return false;
return false;
//
// // set type to 1 (kernel)
// set type to 1 (kernel) //
// constexpr std::uint8_t type_value = 1;
constexpr std::uint8_t type_value = 1; result = RegSetValueExA(
result = RegSetValueExA( reg_handle,
reg_handle, "Type",
"Type", NULL,
NULL, REG_DWORD,
REG_DWORD, &type_value,
&type_value, 4u
4u );
);
if (result != ERROR_SUCCESS)
if (result != ERROR_SUCCESS) return false;
return false;
//
// // set error control to 3
// set error control to 3 //
// constexpr std::uint8_t error_control_value = 3;
constexpr std::uint8_t error_control_value = 3; result = RegSetValueExA(
result = RegSetValueExA( reg_handle,
reg_handle, "ErrorControl",
"ErrorControl", NULL,
NULL, REG_DWORD,
REG_DWORD, &error_control_value,
&error_control_value, 4u
4u );
);
if (result != ERROR_SUCCESS)
if (result != ERROR_SUCCESS) return false;
return false;
//
// // set start to 3
// set start to 3 //
// constexpr std::uint8_t start_value = 3;
constexpr std::uint8_t start_value = 3; result = RegSetValueExA(
result = RegSetValueExA( reg_handle,
reg_handle, "Start",
"Start", NULL,
NULL, REG_DWORD,
REG_DWORD, &start_value,
&start_value, 4u
4u );
);
if (result != ERROR_SUCCESS)
if (result != ERROR_SUCCESS) return false;
return false;
//
// // set image path to the driver on disk
// set image path to the driver on disk //
// result = RegSetValueExA(
result = RegSetValueExA( reg_handle,
reg_handle, "ImagePath",
"ImagePath", NULL,
NULL, REG_SZ,
REG_SZ, (std::uint8_t*) drv_path.c_str(),
(std::uint8_t*) drv_path.c_str(), drv_path.size()
drv_path.size() );
);
if (result != ERROR_SUCCESS)
if (result != ERROR_SUCCESS) return false;
return false;
return ERROR_SUCCESS == RegCloseKey(reg_handle);
return ERROR_SUCCESS == RegCloseKey(reg_handle); }
}
// this function was coded by paracord: https://githacks.org/snippets/4#L94
// this function was coded by paracord: https://githacks.org/snippets/4#L94 inline bool enable_privilege(const std::wstring& privilege_name)
inline bool enable_privilege(const std::wstring& privilege_name) {
{ HANDLE token_handle = nullptr;
HANDLE token_handle = nullptr; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle))
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle)) return false;
return false;
LUID luid{};
LUID luid{}; if (!LookupPrivilegeValueW(nullptr, privilege_name.data(), &luid))
if (!LookupPrivilegeValueW(nullptr, privilege_name.data(), &luid)) return false;
return false;
TOKEN_PRIVILEGES token_state{};
TOKEN_PRIVILEGES token_state{}; token_state.PrivilegeCount = 1;
token_state.PrivilegeCount = 1; token_state.Privileges[0].Luid = luid;
token_state.Privileges[0].Luid = luid; token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(token_handle, FALSE, &token_state, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr))
if (!AdjustTokenPrivileges(token_handle, FALSE, &token_state, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr)) return false;
return false;
CloseHandle(token_handle);
CloseHandle(token_handle); return true;
return true; }
}
inline std::string get_service_image_path(const std::string& service_name)
inline std::string get_service_image_path(const std::string& service_name) {
{ HKEY reg_handle;
HKEY reg_handle; DWORD bytes_read;
DWORD bytes_read; char image_path[0xFF];
char image_path[0xFF]; static const std::string reg_key("System\\CurrentControlSet\\Services\\");
static const std::string reg_key("System\\CurrentControlSet\\Services\\");
auto result = RegOpenKeyA(
auto result = RegOpenKeyA( HKEY_LOCAL_MACHINE,
HKEY_LOCAL_MACHINE, reg_key.c_str(),
reg_key.c_str(), &reg_handle
&reg_handle );
);
result = RegGetValueA(
result = RegGetValueA( reg_handle,
reg_handle, service_name.c_str(),
"ImagePath", "ImagePath",
service_name.c_str(), REG_SZ,
REG_SZ, NULL, NULL,
image_path, image_path,
&bytes_read &bytes_read
); );
RegCloseKey(reg_handle); RegCloseKey(reg_handle);
return std::string(image_path); return std::string(image_path);
} }
} }
inline bool load(const std::string& drv_path, const std::string& service_name) inline bool load(const std::string& drv_path, const std::string& service_name)
{ {
if (!util::enable_privilege(L"SeLoadDriverPrivilege")) if (!util::enable_privilege(L"SeLoadDriverPrivilege"))
@ -266,7 +266,8 @@ namespace driver
RtlAnsiStringToUnicodeString(&driver_reg_path_unicode, &driver_rep_path_cstr, true); RtlAnsiStringToUnicodeString(&driver_reg_path_unicode, &driver_rep_path_cstr, true);
const bool unload_drv = !reinterpret_cast<nt_unload_driver_t>(lp_nt_unload_drv)(&driver_reg_path_unicode); const bool unload_drv = !reinterpret_cast<nt_unload_driver_t>(lp_nt_unload_drv)(&driver_reg_path_unicode);
const bool delete_drv = std::filesystem::remove(util::get_service_image_path(service_name)); const auto image_path = util::get_service_image_path(service_name);
const bool delete_drv = std::filesystem::remove(image_path);
const bool delete_reg = util::delete_service_entry(service_name); const bool delete_reg = util::delete_service_entry(service_name);
return unload_drv && delete_drv && delete_reg; return unload_drv && delete_drv && delete_reg;
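Review bot: In `delete_service_entry` the `result` of `RegOpenKeyA` is stored but never checked, so when the open fails `reg_handle` is used uninitialized by `RegDeleteKeyA` and `RegCloseKey`; the rewritten return line also short-circuits, so a failed `RegDeleteKeyA` skips `RegCloseKey` and leaks the handle (and it ends in a stray `;;`). Suggest `if (result != ERROR_SUCCESS) return false;`, `const bool deleted = ERROR_SUCCESS == RegDeleteKeyA(reg_handle, service_name.data());`, `return ERROR_SUCCESS == RegCloseKey(reg_handle) && deleted;`. The same unchecked-open pattern remains in `get_service_image_path`, where `bytes_read` is additionally passed to `RegGetValueA` uninitialized even though the API reads it as the size of `image_path` on input, and the call's result is not checked before `std::string(image_path)` is built from a buffer that may never have been written. In `create_service_entry`, `type_value`, `error_control_value` and `start_value` are `std::uint8_t` but are written with a `cbData` of 4 for `REG_DWORD`, so three bytes past each constant are read; declaring them `DWORD` and passing `sizeof(type_value)` (and likewise for the others) would make the size match the object.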
