updated code

master
xerox 4 years ago
parent 490299f877
commit 693aca7b3d

@ -38,7 +38,7 @@ namespace driver
{ {
namespace util namespace util
{ {
inline bool delete_service_entry(const std::string& service_name) __forceinline auto delete_service_entry(const std::string& service_name) -> bool
{ {
HKEY reg_handle; HKEY reg_handle;
static const std::string reg_key("System\\CurrentControlSet\\Services\\"); static const std::string reg_key("System\\CurrentControlSet\\Services\\");
@ -49,10 +49,11 @@ namespace driver
&reg_handle &reg_handle
); );
return ERROR_SUCCESS == RegDeleteKeyA(reg_handle, service_name.data()) && ERROR_SUCCESS == RegCloseKey(reg_handle);; return ERROR_SUCCESS == RegDeleteKeyA(reg_handle, service_name.data()) &&
ERROR_SUCCESS == RegCloseKey(reg_handle);;
} }
inline bool create_service_entry(const std::string& drv_path, const std::string& service_name) __forceinline auto create_service_entry(const std::string& drv_path, const std::string& service_name) -> bool
{ {
HKEY reg_handle; HKEY reg_handle;
std::string reg_key("System\\CurrentControlSet\\Services\\"); std::string reg_key("System\\CurrentControlSet\\Services\\");
@ -67,10 +68,7 @@ namespace driver
if (result != ERROR_SUCCESS) if (result != ERROR_SUCCESS)
return false; return false;
// std::uint8_t type_value = 1;
// set type to 1 (kernel)
//
constexpr std::uint8_t type_value = 1;
result = RegSetValueExA( result = RegSetValueExA(
reg_handle, reg_handle,
"Type", "Type",
@ -83,10 +81,7 @@ namespace driver
if (result != ERROR_SUCCESS) if (result != ERROR_SUCCESS)
return false; return false;
// std::uint8_t error_control_value = 3;
// set error control to 3
//
constexpr std::uint8_t error_control_value = 3;
result = RegSetValueExA( result = RegSetValueExA(
reg_handle, reg_handle,
"ErrorControl", "ErrorControl",
@ -99,10 +94,7 @@ namespace driver
if (result != ERROR_SUCCESS) if (result != ERROR_SUCCESS)
return false; return false;
// std::uint8_t start_value = 3;
// set start to 3
//
constexpr std::uint8_t start_value = 3;
result = RegSetValueExA( result = RegSetValueExA(
reg_handle, reg_handle,
"Start", "Start",
@ -115,9 +107,6 @@ namespace driver
if (result != ERROR_SUCCESS) if (result != ERROR_SUCCESS)
return false; return false;
//
// set image path to the driver on disk
//
result = RegSetValueExA( result = RegSetValueExA(
reg_handle, reg_handle,
"ImagePath", "ImagePath",
@ -133,8 +122,7 @@ namespace driver
return ERROR_SUCCESS == RegCloseKey(reg_handle); return ERROR_SUCCESS == RegCloseKey(reg_handle);
} }
// this function was coded by paracord: https://githacks.org/snippets/4#L94 __forceinline auto enable_privilege(const std::wstring& privilege_name) -> bool
inline bool enable_privilege(const std::wstring& privilege_name)
{ {
HANDLE token_handle = nullptr; HANDLE token_handle = nullptr;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle)) if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle))
@ -156,7 +144,7 @@ namespace driver
return true; return true;
} }
inline std::string get_service_image_path(const std::string& service_name) __forceinline auto get_service_image_path(const std::string& service_name) -> std::string
{ {
HKEY reg_handle; HKEY reg_handle;
DWORD bytes_read; DWORD bytes_read;
@ -184,12 +172,13 @@ namespace driver
} }
} }
inline bool load(const std::string& drv_path, const std::string& service_name) __forceinline auto load(const std::string& drv_path, const std::string& service_name) -> bool
{ {
if (!util::enable_privilege(L"SeLoadDriverPrivilege")) if (!util::enable_privilege(L"SeLoadDriverPrivilege"))
return false; return false;
if (!util::create_service_entry("\\??\\" + std::filesystem::absolute(std::filesystem::path(drv_path)).string(), service_name)) if (!util::create_service_entry("\\??\\" +
std::filesystem::absolute(std::filesystem::path(drv_path)).string(), service_name))
return false; return false;
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"); std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
@ -213,7 +202,7 @@ namespace driver
return false; return false;
} }
inline std::tuple<bool, std::string> load(const std::vector<std::uint8_t>& drv_buffer) __forceinline auto load(const std::vector<std::uint8_t>& drv_buffer) -> std::tuple<bool, std::string>
{ {
static const auto random_file_name = [](std::size_t length) -> std::string static const auto random_file_name = [](std::size_t length) -> std::string
{ {
@ -232,7 +221,7 @@ namespace driver
}; };
const auto service_name = random_file_name(16); const auto service_name = random_file_name(16);
const auto file_path = std::filesystem::temp_directory_path().string() + random_file_name(16); const auto file_path = std::filesystem::temp_directory_path().string() + service_name;
std::ofstream output_file(file_path.c_str(), std::ios::binary); std::ofstream output_file(file_path.c_str(), std::ios::binary);
output_file.write((char*)drv_buffer.data(), drv_buffer.size()); output_file.write((char*)drv_buffer.data(), drv_buffer.size());
@ -241,13 +230,13 @@ namespace driver
return { load(file_path, service_name), service_name }; return { load(file_path, service_name), service_name };
} }
inline std::tuple<bool, std::string> load(const std::uint8_t* buffer, const std::size_t size) __forceinline auto load(const std::uint8_t* buffer, const std::size_t size) -> std::tuple<bool, std::string>
{ {
std::vector<std::uint8_t> image(buffer, buffer + size); std::vector<std::uint8_t> image(buffer, buffer + size);
return load(image); return load(image);
} }
inline bool unload(const std::string& service_name) __forceinline auto unload(const std::string& service_name) -> bool
{ {
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\"); std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
reg_path += service_name; reg_path += service_name;
@ -269,11 +258,15 @@ namespace driver
const bool unload_drv = !reinterpret_cast<nt_unload_driver_t>(lp_nt_unload_drv)(&driver_reg_path_unicode); const bool unload_drv = !reinterpret_cast<nt_unload_driver_t>(lp_nt_unload_drv)(&driver_reg_path_unicode);
const auto image_path = std::filesystem::temp_directory_path().string() + service_name; const auto image_path = std::filesystem::temp_directory_path().string() + service_name;
const bool delete_reg = util::delete_service_entry(service_name); const bool delete_reg = util::delete_service_entry(service_name);
try try
{ {
const bool delete_drv = std::filesystem::remove(image_path); const bool delete_drv = std::filesystem::remove(image_path);
} }
catch (std::exception& e) {} catch (std::exception& e)
{
std::printf("[!] failed to delete vulnerable driver...\n");
}
return unload_drv && delete_reg; return unload_drv && delete_reg;
} }
return false; return false;

Loading…
Cancel
Save