From ca2c7ad4a131f84bbfb6d3adb342cf532a394e3d Mon Sep 17 00:00:00 2001 From: xerox Date: Sat, 13 Jun 2020 22:44:43 -0700 Subject: [PATCH] added more driver_util functions. --- kdstinker.sys | Bin 11528 -> 11528 bytes kdstinker/callback.h | 10 --- kdstinker/driver_util.cpp | 172 ++++++++++++++++++++++++++++++++++++++ kdstinker/driver_util.h | 2 + kdstinker/types.h | 17 ++++ 5 files changed, 191 insertions(+), 10 deletions(-) 
diff --git a/kdstinker.sys b/kdstinker.sys index 4e077fd72e925cc4556c1cbe1a85978b2712c888..8c30289e15a175db7aa108b55544398fb2dade95 100644 GIT binary patch delta 1287 zcmYjPdrX^E6u-CYN83T$4`>Mtk%Ckho1+mIK?LfCQc@P7$cAfH!~ycykTKXWW>&!Q zXwyl#3n)6ojo}D?%&a6ZnL>FK5L{q_i_T0Y5(+{Bfq+xs^L!nRp5)wf?m6do9`~N= zGDRTHnmBZz*-pj z-{5!lkew~|{|K<)j}q4GL8ydQS*>*ThLvGTaKFkrLeG1EcWkWhKac}_8w#TzgnONt z#u&N5LIiefdEhGNkZF#xPL!jsl_Dj)H5%WM@Z+c%SRp}Z8JOLIBw&a`&Fn_}kDMFC z7J3ud9smqK$dc111U&=_#03IFUMKO{q6m>WQ5oiwTyX_m)usJ1GRLeomFwCw0~RO9 zrr3uUmvuJ3_}xMhK<}5bt@Xm994O8zEe<+ez~XyJ2JJ~rLt{ncJv!g71#AaOGc$@a zKvA&!3-_HXO|ZKstgzHwOHR4BkVm34i_GH_d`t2I=a3v`9eC!++;-4^1)ZH=45^nv zcfP|W=!Iar1k4X|yc?PVoer|Ndl>L7?_92=Dp?!Z5Z~14saQ%gDXiD7UW+KSTzE<+ z)(@{47Vm6_a?Yv7u4|$@&Md7NLKQ+6L1?9_azltQrVzIrqYux-^(5Vo9Q}EvzC9(c zRrghWbJtwV)sBUtuF40awI|$O*VeUAt-d!Rt}G|#eOIqJcqKo#bN8aYyO*dN73u1T zf+6y(((~xtR=y#5wn->9l}x1yMue)A0Ti|T9^S~iqD7Rd*1r+8_~B3G6U#hT9xd}2QcdU!({ z(#3T9ta@qgr#v2hYiK-b!~A0UOmf7kxNTxvI@~eaCfh0<&UyP$X1uO{(6479EFR@d t{i#%P($zl09|x;9Mi&GxO~y8F{S=j^@}Tbwcl{6$YQ)-vAGlsTY(3h-m><*7#OkFkFY z@Fj-IYEldSCB=CF=-RddUc$FMH)5c?XDw;V0|rF9U_Put4bTXkXc5Lk4q`LnAs;2< zv&LP<=!Z_G5S~FIW`yh-1wiU_>ZCvXLMQ-A$6H=JMAgOJ*n+(i)W<^NQCWTtUg$Va6MW^Vfuy{;3N=0}xzE45+a!}D|l8%DaXqgs55u(^)6@}}S zT~sVt>qJg9Y4pK1LUA+JaY^fCnbI%yK4KCG19d^6fK6p^ws4(lb zR{aZx8okJ3)mj@Y=^}ZPv}tpGxlw1a8tROC^I>)4A+zCs(mn3(5IMuitG3z0K{kE{ zF!ERfJ^%w4#bE&O!vTuQ4B*v7SO+;LgO<2o zHNw@rTUemzruRJ$06G{KF+>^Ds zuS3q=%1&%kw%zAK2r0m9fuQ7vyr~(_vHj=#&0ax?c;UdMK6UzSuV;<(>hR2mv6-{l zcMqRUE0Uy`=rsGa?kE>euSKhuc>9Xecvp&0*nbSO$&^Inv z|3s(AI(k)W>l}5~$E>$-?6tLpP+s_N^ap~~DlT8Xf8yes`VN1k*% zIbHn3-XU9ee%#3lcBnHN|TH diff --git a/kdstinker/callback.h b/kdstinker/callback.h index fc4beb7..a4ce725 100644 --- a/kdstinker/callback.h +++ b/kdstinker/callback.h 
@@ -9,14 +9,4 @@ namespace callback
 HANDLE pid,
 PIMAGE_INFO image_info
 );
-
- NTSTATUS gh_create_device(
- PDRIVER_OBJECT driver_obj,
- ULONG device_ext,
- PUNICODE_STRING device_name,
- DEVICE_TYPE device_type,
- ULONG device_char,
- BOOLEAN exclusive,
- PDEVICE_OBJECT* lpdevice_obj
- );
 }
\ No newline at end of file
diff --git a/kdstinker/driver_util.cpp b/kdstinker/driver_util.cpp
index bffb952..79665cb 100644
--- a/kdstinker/driver_util.cpp
+++ b/kdstinker/driver_util.cpp
@@ -150,6 +150,178 @@ namespace driver_util
 return NULL;
 }
+ PDRIVER_OBJECT get_drv_obj(PUNICODE_STRING driver_name)
+ {
+ HANDLE handle{};
+ OBJECT_ATTRIBUTES attributes{};
+ UNICODE_STRING directory_name{};
+ PVOID directory{};
+ BOOLEAN success = FALSE;
+
+ RtlInitUnicodeString(&directory_name, L"\\Driver");
+ InitializeObjectAttributes(
+ &attributes,
+ &directory_name,
+ OBJ_CASE_INSENSITIVE,
+ NULL,
+ NULL
+ );
+
+ // open OBJECT_DIRECTORY for \\Driver
+ auto status = ZwOpenDirectoryObject(
+ &handle,
+ DIRECTORY_ALL_ACCESS,
+ &attributes
+ );
+
+ if (!NT_SUCCESS(status))
+ {
+ DBG_PRINT("ZwOpenDirectoryObject Failed");
+ return NULL;
+ }
+
+ // Get OBJECT_DIRECTORY pointer from HANDLE
+ status = ObReferenceObjectByHandle(
+ handle,
+ DIRECTORY_ALL_ACCESS,
+ nullptr,
+ KernelMode,
+ &directory,
+ nullptr
+ );
+
+ if (!NT_SUCCESS(status))
+ {
+ DBG_PRINT("ObReferenceObjectByHandle Failed");
+ ZwClose(handle);
+ return NULL;
+ }
+
+ const auto directory_object = POBJECT_DIRECTORY(directory);
+ if (!directory_object)
+ return NULL;
+
+ ExAcquirePushLockExclusiveEx(&directory_object->Lock, 0);
+
+ // traverse hash table with 37 entries
+ // when a new object is created, the object manager computes a hash value in the range zero to 36 from the object name and creates an OBJECT_DIRECTORY_ENTRY.
+ // http://www.informit.com/articles/article.aspx?p=22443&seqNum=7
+ for (auto entry : directory_object->HashBuckets)
+ {
+ if (!entry)
+ continue;
+
+ while (entry && entry->Object)
+ {
+ auto driver = PDRIVER_OBJECT(entry->Object);
+ if (!driver)
+ continue;
+
+ if (wcscmp(driver->DriverExtension->ServiceKeyName.Buffer, driver_name->Buffer) == 0)
+ return driver;
+ }
+ }
+
+ ExReleasePushLockExclusiveEx(&directory_object->Lock, 0);
+ // Release the acquired resources back to the OS
+ ObDereferenceObject(directory);
+ ZwClose(handle);
+ //TODO remove
+ return NULL;
+ }
+
+ void copy_driver(PUNICODE_STRING image_path)
+ {
+ HANDLE h_file;
+ OBJECT_ATTRIBUTES attr;
+ IO_STATUS_BLOCK status_block;
+ LARGE_INTEGER offset;
+ UNICODE_STRING name;
+ FILE_STANDARD_INFORMATION standard_info;
+
+ RtlZeroMemory(&standard_info, sizeof(standard_info));
+ InitializeObjectAttributes(
+ &attr,
+ image_path,
+ OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+ NULL, NULL
+ );
+
+ NTSTATUS status = ZwCreateFile(
+ &h_file,
+ GENERIC_READ,
+ &attr,
+ &status_block,
+ NULL,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL,
+ FILE_OPEN_IF,
+ FILE_SYNCHRONOUS_IO_NONALERT,
+ NULL,
+ NULL
+ );
+
+ ZwQueryInformationFile(
+ h_file,
+ &status_block,
+ &standard_info,
+ sizeof(FILE_STANDARD_INFORMATION),
+ FileStandardInformation
+ );
+
+ void* drv_buffer = ExAllocatePool(
+ NonPagedPool,
+ standard_info.AllocationSize.QuadPart
+ );
+
+ status = ZwReadFile(
+ h_file,
+ NULL,
+ NULL,
+ NULL,
+ &status_block,
+ drv_buffer,
+ standard_info.AllocationSize.QuadPart,
+ &offset,
+ NULL
+ );
+
+ RtlInitUnicodeString(&name, L"\\DosDevices\\C:\\last_load_drv.sys");
+ InitializeObjectAttributes(&attr, &name,
+ OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+ NULL, NULL
+ );
+
+ ZwCreateFile(
+ &h_file,
+ GENERIC_WRITE,
+ &attr,
+ &status_block,
+ NULL,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL,
+ FILE_OVERWRITE_IF,
+ FILE_SYNCHRONOUS_IO_NONALERT,
+ NULL,
+ NULL
+ );
+
+ ZwWriteFile(
+ h_file,
+ NULL,
+ NULL,
+ NULL,
+ &status_block,
+ 
drv_buffer,
+ standard_info.AllocationSize.QuadPart,
+ &offset,
+ NULL
+ );
+
+ ZwClose(h_file);
+ ExFreePool(drv_buffer);
+ }
+
 void mem_dump(void* base_addr, unsigned len)
 {
 if (!base_addr || !len)
diff --git a/kdstinker/driver_util.h b/kdstinker/driver_util.h
index 6d4564b..a99e7a1 100644
--- a/kdstinker/driver_util.h
+++ b/kdstinker/driver_util.h
@@ -7,5 +7,7 @@ namespace driver_util
 void* iat_hook(void* base_addr, const char* import, void* func_addr);
 void mem_dump(void* base_addr, unsigned len);
 void* get_kmode_export(const char* mod_name, const char* proc_name);
+ void copy_driver(PUNICODE_STRING image_path);
+ PDRIVER_OBJECT get_drv_obj(PUNICODE_STRING driver_name);
 PIMAGE_FILE_HEADER get_file_header(void* base_addr);
 }
\ No newline at end of file
diff --git a/kdstinker/types.h b/kdstinker/types.h
index c73bbf1..7238ef8 100644
--- a/kdstinker/types.h
+++ b/kdstinker/types.h
@@ -45,6 +45,23 @@ RtlFindExportedRoutineByName(
 _In_ PCCH RoutineName
 );
+typedef struct _OBJECT_DIRECTORY_ENTRY
+{
+ _OBJECT_DIRECTORY_ENTRY* ChainLink;
+ PVOID Object;
+ ULONG HashValue;
+} OBJECT_DIRECTORY_ENTRY, * POBJECT_DIRECTORY_ENTRY;
+
+typedef struct _OBJECT_DIRECTORY
+{
+ POBJECT_DIRECTORY_ENTRY HashBuckets[37];
+ EX_PUSH_LOCK Lock;
+ void* DeviceMap;
+ ULONG SessionId;
+ PVOID NamespaceEntry;
+ ULONG Flags;
+} OBJECT_DIRECTORY, * POBJECT_DIRECTORY;
+
 typedef struct _COPY_MEMORY_BUFFER_INFO
 {
 uint64_t case_number;
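Review bot: The inner `while (entry && entry->Object)` loop in get_drv_obj never advances `entry` to `entry->ChainLink`, so any bucket whose first object is not the requested driver spins forever while the directory push lock is held exclusively, and the matching path returns straight out of the loop without releasing that lock, dereferencing `directory` or closing `handle` (the `if (!directory_object) return NULL;` path leaks the reference and handle the same way). `wcscmp` on `ServiceKeyName.Buffer` also assumes NUL-terminated UNICODE_STRING buffers, which the type does not guarantee, and the cast assumes every object in the directory is a DRIVER_OBJECT with a non-null `DriverExtension`; RtlEqualUnicodeString compares by length and the extension pointer should be checked first. The rewrite below walks each chain, records the match and performs the cleanup on every path; the returned pointer still carries no reference once the lock is dropped, so either document that it is valid only while the driver stays loaded or ObReferenceObject it before returning. copy_driver has parallel problems: neither the first ZwCreateFile status nor the ExAllocatePool result is checked before use, the read handle is overwritten by the second ZwCreateFile without being closed, `offset` is never initialised, and writing `AllocationSize` rather than `EndOfFile` bytes (with the length silently narrowed from QuadPart) copies uninitialised non-paged pool contents beyond the file's end into the output file.
```cpp
    PDRIVER_OBJECT found = NULL;
    ExAcquirePushLockExclusiveEx(&directory_object->Lock, 0);
    for (auto entry : directory_object->HashBuckets)
    {
        // walk the whole collision chain, not just its head
        for (; entry && !found; entry = entry->ChainLink)
        {
            if (!entry->Object)
                continue;
            auto driver = PDRIVER_OBJECT(entry->Object);
            // UNICODE_STRING buffers need not be NUL-terminated: compare by length
            if (driver->DriverExtension &&
                RtlEqualUnicodeString(&driver->DriverExtension->ServiceKeyName, driver_name, TRUE))
                found = driver;
        }
        if (found)
            break;
    }
    // single exit: release lock, reference and handle on every path
    ExReleasePushLockExclusiveEx(&directory_object->Lock, 0);
    ObDereferenceObject(directory);
    ZwClose(handle);
    return found;
```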
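Review bot: OBJECT_DIRECTORY and OBJECT_DIRECTORY_ENTRY in types.h mirror undocumented object-manager internals whose layout is not guaranteed to stay the same across Windows builds, and get_drv_obj dereferences `HashBuckets`, `ChainLink` and `Lock` through them, so a layout mismatch would read and lock the wrong memory in kernel mode. Record where the layout was taken from and which build it was checked against, e.g. `// layout of undocumented nt!_OBJECT_DIRECTORY as observed on <Windows build — fill in>; re-verify against ntoskrnl symbols before use on other builds`, and consider a static_assert on the offsets of the members the code relies on so a drift fails at compile time rather than at runtime.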