master
xerox 4 years ago
parent f90f97c803
commit d8d809f93b

@ -0,0 +1,51 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30011.22
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kdstinker", "kdstinker\kdstinker.vcxproj", "{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|ARM.ActiveCfg = Debug|ARM
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|ARM.Build.0 = Debug|ARM
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|ARM.Deploy.0 = Debug|ARM
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|ARM64.ActiveCfg = Debug|ARM64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|ARM64.Build.0 = Debug|ARM64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|ARM64.Deploy.0 = Debug|ARM64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|x64.ActiveCfg = Debug|x64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|x64.Build.0 = Debug|x64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|x64.Deploy.0 = Debug|x64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|x86.ActiveCfg = Debug|Win32
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|x86.Build.0 = Debug|Win32
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Debug|x86.Deploy.0 = Debug|Win32
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|ARM.ActiveCfg = Release|ARM
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|ARM.Build.0 = Release|ARM
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|ARM.Deploy.0 = Release|ARM
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|ARM64.ActiveCfg = Release|ARM64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|ARM64.Build.0 = Release|ARM64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|ARM64.Deploy.0 = Release|ARM64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|x64.ActiveCfg = Release|x64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|x64.Build.0 = Release|x64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|x64.Deploy.0 = Release|x64
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|x86.ActiveCfg = Release|Win32
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|x86.Build.0 = Release|Win32
{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}.Release|x86.Deploy.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {7DEC848B-E4D5-4C7F-A4B8-55379682BBDE}
EndGlobalSection
EndGlobal

Binary file not shown.

@ -0,0 +1,62 @@
#include "callback.h"
#include "hooks.h"
namespace callback
{
NTSTATUS gh_create_device(
PDRIVER_OBJECT driver_obj,
ULONG device_ext,
PUNICODE_STRING device_name,
DEVICE_TYPE device_type,
ULONG device_char,
BOOLEAN exclusive,
PDEVICE_OBJECT* lpdevice_obj
)
{
DBG_PRINT("=============== IoCreateDevice Called ===============");
DBG_PRINT(" - driver object: 0x%p", driver_obj);
//
// swap ioctl pointer
//
hooks::orig_device_control = driver_obj->MajorFunction[IRP_MJ_DEVICE_CONTROL];
driver_obj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &hooks::device_control;
DBG_PRINT(" - swapped ioctl function from 0x%p to 0x%p", driver_obj->MajorFunction[IRP_MJ_DEVICE_CONTROL], &hooks::device_control);
return IoCreateDevice(
driver_obj,
device_ext,
device_name,
device_type,
device_char,
exclusive,
lpdevice_obj
);
}
void on_image_load(
PUNICODE_STRING image_path,
HANDLE pid,
PIMAGE_INFO image_info
)
{
if (!pid)
{
DBG_PRINT("driver loaded from: %ws", image_path->Buffer);
DBG_PRINT(" - driver timestamp: 0x%p", driver_util::get_file_header(image_info->ImageBase)->TimeDateStamp);
//
// if its intel lan driver then we hook IoCreateDevice and swap ioctl pointer.
//
if (driver_util::get_file_header(image_info->ImageBase)->TimeDateStamp == INTEL_LAN_DRIVER_TIMESTAMP)
{
DBG_PRINT("=============== Intel Lan Driver Loaded ===============");
driver_util::iat_hook(
image_info->ImageBase,
"IoCreateDevice",
&gh_create_device
);
}
}
}
}
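Review bot: gh_create_device overwrites hooks::orig_device_control on every IoCreateDevice call, so if the hooked driver creates a second device the saved pointer becomes hooks::device_control itself and the tail call at the end of device_control recurses until the stack is gone; guard the save with `if (!hooks::orig_device_control)` on the line that reads `MajorFunction[IRP_MJ_DEVICE_CONTROL]`, and only then install the replacement. The trace on the following line is also misleading: it prints `driver_obj->MajorFunction[IRP_MJ_DEVICE_CONTROL]` after the swap, so both `%p` values are the new handler — pass `hooks::orig_device_control` as the first argument instead. In on_image_load the result of `driver_util::get_file_header` is dereferenced twice without a NULL check although that helper returns NULL for a base that lacks the MZ magic, and `TimeDateStamp` is an `unsigned` printed with `%p`; fetch the header once into a local, return early when it is NULL, and print the stamp with `0x%x`.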

@ -0,0 +1,22 @@
#pragma once
#include "types.h"
#include "driver_util.h"
namespace callback
{
void on_image_load(
PUNICODE_STRING image_path,
HANDLE pid,
PIMAGE_INFO image_info
);
NTSTATUS gh_create_device(
PDRIVER_OBJECT driver_obj,
ULONG device_ext,
PUNICODE_STRING device_name,
DEVICE_TYPE device_type,
ULONG device_char,
BOOLEAN exclusive,
PDEVICE_OBJECT* lpdevice_obj
);
}
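Review bot: Both declarations are undocumented, and this header is the only place a reader of main.cpp or driver_util.cpp sees them. Above on_image_load add `/// PsSetLoadImageNotifyRoutine callback; a NULL pid is treated as a kernel image, whose TimeDateStamp is compared against INTEL_LAN_DRIVER_TIMESTAMP before the IAT hook is installed.` and above gh_create_device add `/// IAT replacement for IoCreateDevice: saves the target's IRP_MJ_DEVICE_CONTROL handler into hooks::orig_device_control, installs hooks::device_control, then forwards to the real IoCreateDevice.` Mirroring the definition order of callback.cpp (gh_create_device first) would also make the two files easier to read side by side.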

@ -0,0 +1,197 @@
#include "driver_util.h"
namespace driver_util
{
void* get_driver_base(const char* module_name)
{
ULONG bytes{};
NTSTATUS status = ZwQuerySystemInformation(
SystemModuleInformation,
NULL,
bytes,
&bytes
);
if (!bytes)
return NULL;
PRTL_PROCESS_MODULES modules =
(PRTL_PROCESS_MODULES)ExAllocatePool(NonPagedPool, bytes);
if (modules)
{
status = ZwQuerySystemInformation(
SystemModuleInformation,
modules,
bytes,
&bytes
);
if (!NT_SUCCESS(status))
{
ExFreePool(modules);
return NULL;
}
PRTL_PROCESS_MODULE_INFORMATION module = modules->Modules;
PVOID module_base{}, module_size{};
for (ULONG i = 0; i < modules->NumberOfModules; i++)
{
if (strcmp(reinterpret_cast<char*>(module[i].FullPathName + module[i].OffsetToFileName), module_name) == 0)
{
module_base = module[i].ImageBase;
module_size = (PVOID)module[i].ImageSize;
break;
}
}
ExFreePool(modules);
return module_base;
}
return NULL;
}
void* get_kmode_export(const char* mod_name, const char* proc_name)
{
if (!mod_name || !proc_name)
return NULL;
void* result = get_driver_base(mod_name);
if (!result)
return NULL;
return RtlFindExportedRoutineByName(result, proc_name);
}
PIMAGE_FILE_HEADER get_file_header(void* base_addr)
{
if (!base_addr || *(short*)base_addr != 0x5A4D)
return NULL;
PIMAGE_DOS_HEADER dos_headers =
reinterpret_cast<PIMAGE_DOS_HEADER>(base_addr);
PIMAGE_NT_HEADERS nt_headers =
reinterpret_cast<PIMAGE_NT_HEADERS>(
reinterpret_cast<DWORD_PTR>(base_addr) + dos_headers->e_lfanew);
return &nt_headers->FileHeader;
}
void* iat_hook(void* base_addr, const char* import, void* func_addr)
{
if (!base_addr || *(short*)base_addr != 0x5A4D || !import || !func_addr)
return NULL;
PIMAGE_DOS_HEADER dos_headers =
reinterpret_cast<PIMAGE_DOS_HEADER>(base_addr);
PIMAGE_NT_HEADERS nt_headers =
reinterpret_cast<PIMAGE_NT_HEADERS>(
reinterpret_cast<DWORD_PTR>(base_addr) + dos_headers->e_lfanew);
IMAGE_DATA_DIRECTORY import_dir =
nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
PIMAGE_IMPORT_DESCRIPTOR import_des =
reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(import_dir.VirtualAddress + (DWORD_PTR)base_addr);
LPCSTR lib_name = NULL;
PVOID result = NULL;
PIMAGE_IMPORT_BY_NAME func_name = NULL;
if (!import_des)
return NULL;
while (import_des->Name != NULL)
{
lib_name = (LPCSTR)import_des->Name + (DWORD_PTR)base_addr;
if (get_driver_base(lib_name))
{
PIMAGE_THUNK_DATA org_first_thunk = NULL, first_thunk = NULL;
org_first_thunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)base_addr + import_des->OriginalFirstThunk);
first_thunk = (PIMAGE_THUNK_DATA)((DWORD_PTR)base_addr + import_des->FirstThunk);
while (org_first_thunk->u1.AddressOfData != NULL)
{
func_name = (PIMAGE_IMPORT_BY_NAME)((DWORD_PTR)base_addr + org_first_thunk->u1.AddressOfData);
if (strcmp(func_name->Name, import) == 0)
{
// save old function pointer
result = reinterpret_cast<PVOID>(first_thunk->u1.Function);
{
//
// disable write protection
//
auto cr0 = __readcr0();
cr0 &= 0xfffffffffffeffff;
__writecr0(cr0);
_disable();
}
// swap address
first_thunk->u1.Function = reinterpret_cast<ULONG64>(func_addr);
{
//
// enable write protection
//
auto cr0 = __readcr0();
cr0 |= 0x10000;
_enable();
__writecr0(cr0);
}
return result;
}
++org_first_thunk;
++first_thunk;
}
}
++import_des;
}
return NULL;
}
void mem_dump(void* base_addr, unsigned len)
{
if (!base_addr || !len)
return;
HANDLE h_file;
UNICODE_STRING name;
OBJECT_ATTRIBUTES attr;
IO_STATUS_BLOCK status_block;
LARGE_INTEGER offset{ NULL };
RtlInitUnicodeString(&name, L"\\DosDevices\\C:\\dump.bin");
InitializeObjectAttributes(&attr, &name,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL, NULL
);
auto status = ZwCreateFile(
&h_file,
GENERIC_WRITE,
&attr,
&status_block,
NULL,
FILE_ATTRIBUTE_NORMAL,
NULL,
FILE_OVERWRITE_IF,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
NULL
);
status = ZwWriteFile(
h_file,
NULL,
NULL,
NULL,
&status_block,
base_addr,
len,
&offset,
NULL
);
ZwClose(h_file);
}
}
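Review bot: mem_dump never checks the status of ZwCreateFile, so when the create fails for any reason `h_file` is left uninitialized and is handed to ZwWriteFile and ZwClose; add `if (!NT_SUCCESS(status)) return;` directly after the ZwCreateFile call and check the ZwWriteFile status as well before the handle is closed. Each call also opens `\DosDevices\C:\dump.bin` with FILE_OVERWRITE_IF, so every dump replaces the previous one and only the last copy observed by device_control survives — either append (FILE_APPEND_DATA access) or derive the file name from the source and destination addresses if every copy is wanted. In iat_hook the `if (!import_des)` test can never fire because `import_des` is `base_addr` plus an RVA; the condition that matters is `import_dir.VirtualAddress == 0 || import_dir.Size == 0`, without which an image that has no import table is walked starting at its DOS header as if that were a descriptor array. get_driver_base assigns `module_size` but never reads it, and ExAllocatePool is deprecated in favour of the tagged allocators (ExAllocatePoolWithTag or ExAllocatePool2), whose tag also makes the allocation attributable in a pool dump.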

@ -0,0 +1,11 @@
#pragma once
#include "types.h"
namespace driver_util
{
void* get_driver_base(const char* module_name);
void* iat_hook(void* base_addr, const char* import, void* func_addr);
void mem_dump(void* base_addr, unsigned len);
void* get_kmode_export(const char* mod_name, const char* proc_name);
PIMAGE_FILE_HEADER get_file_header(void* base_addr);
}
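Review bot: The five declarations carry no contract, and each has a NULL-return convention a caller must know. Suggested one-line comments, all taken from the definitions in driver_util.cpp: get_driver_base — `/// base of the loaded kernel module whose file name equals module_name, or NULL`; iat_hook — `/// replaces the named import's IAT entry in the image at base_addr with func_addr; returns the previous entry, or NULL when the image, import table or name is not found`; mem_dump — `/// writes len bytes starting at base_addr to \DosDevices\C:\dump.bin, overwriting any existing file`; get_kmode_export — `/// RtlFindExportedRoutineByName on the module found by get_driver_base; NULL if either lookup fails`; get_file_header — `/// IMAGE_FILE_HEADER of the PE at base_addr; NULL when base_addr is NULL or lacks the MZ magic`. Ordering the declarations as they are defined in the .cpp (get_driver_base, get_kmode_export, get_file_header, iat_hook, mem_dump) would make the two files easier to compare.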

@ -0,0 +1,53 @@
#include "hooks.h"
namespace hooks
{
NTSTATUS device_control(
PDEVICE_OBJECT device_obj,
PIRP irp
)
{
UNREFERENCED_PARAMETER(device_obj);
PIO_STACK_LOCATION stack_location = IoGetCurrentIrpStackLocation(irp);
if (stack_location->Parameters.DeviceIoControl.IoControlCode == INTEL_LAN_DRIVER_IOCTL)
{
if (stack_location->Parameters.DeviceIoControl.InputBufferLength)
{
PCOPY_MEMORY_BUFFER_INFO copy_memory_buffer = reinterpret_cast<PCOPY_MEMORY_BUFFER_INFO>(stack_location->Parameters.SetFile.DeleteHandle);
//
// if case is memmove and the destination is in the kernel (pml4 index is > 255)
//
if (copy_memory_buffer->case_number == INTEL_LAN_COPY_CASE_NUMBER)
{
if (virt_addr_t{ copy_memory_buffer->destination }.pml4_index > 255)
{
//
// there are a few writes of size 0xC (inline jump code) we can skip those.
//
if (copy_memory_buffer->length > 0x20)
{
DBG_PRINT("=============== Dumping Memory ==============");
DBG_PRINT(
"Copying memory from 0x%p to 0x%p of size 0x%x",
copy_memory_buffer->source,
copy_memory_buffer->destination,
copy_memory_buffer->length
);
//
// dump memory from inside of the PE to disk.
//
driver_util::mem_dump(
copy_memory_buffer->source,
copy_memory_buffer->length
);
}
}
}
}
}
return reinterpret_cast<decltype(&device_control)>(orig_device_control)(device_obj, irp);
}
}
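Review bot: The input buffer read at the `reinterpret_cast<PCOPY_MEMORY_BUFFER_INFO>` line is a raw caller-supplied pointer (INTEL_LAN_DRIVER_IOCTL has method bits 3, METHOD_NEITHER), yet it is dereferenced after only a non-zero length check, so a short or invalid buffer from user mode bugchecks the machine instead of being ignored; compare `InputBufferLength` against `sizeof(COPY_MEMORY_BUFFER_INFO)`, probe the buffer for user-mode requestors and wrap the field accesses in `__try`/`__except`. The pointer is also fetched through `Parameters.SetFile.DeleteHandle`, which only works because that member sits at the same offset as `Parameters.DeviceIoControl.Type3InputBuffer` — use the DeviceIoControl member so the intent is visible and the code does not depend on union layout. `copy_memory_buffer->source` is likewise passed unprobed to mem_dump, where ZwWriteFile reads it with kernel previous mode, so a bad source address faults inside the write rather than being rejected.
```cpp
    if (stack_location->Parameters.DeviceIoControl.IoControlCode == INTEL_LAN_DRIVER_IOCTL &&
        stack_location->Parameters.DeviceIoControl.InputBufferLength >= sizeof(COPY_MEMORY_BUFFER_INFO))
    {
        // METHOD_NEITHER: Type3InputBuffer is the requestor's own pointer, not a kernel copy.
        PCOPY_MEMORY_BUFFER_INFO copy_memory_buffer =
            reinterpret_cast<PCOPY_MEMORY_BUFFER_INFO>(stack_location->Parameters.DeviceIoControl.Type3InputBuffer);
        __try
        {
            if (irp->RequestorMode != KernelMode)
                ProbeForRead(copy_memory_buffer, sizeof(COPY_MEMORY_BUFFER_INFO), sizeof(ULONG64));
            // … unchanged: case_number / pml4_index / length checks and the mem_dump call …
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            DBG_PRINT(" - rejected malformed INTEL_LAN_DRIVER_IOCTL buffer, status 0x%x", GetExceptionCode());
        }
    }
    // … unchanged: tail call into orig_device_control …
```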

@ -0,0 +1,12 @@
#pragma once
#include "types.h"
#include "driver_util.h"
namespace hooks
{
inline void* orig_device_control = NULL;
NTSTATUS device_control(
PDEVICE_OBJECT device_obj,
PIRP irp
);
}
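Review bot: `orig_device_control` is a bare `void*` with no comment, although it is the shared state between callback.cpp (which stores the target's IRP_MJ_DEVICE_CONTROL handler into it) and hooks.cpp (which casts it back to a dispatch routine for the tail call). Declaring it as `inline PDRIVER_DISPATCH orig_device_control = nullptr;` expresses that contract in the type, lets the assignment in gh_create_device and the final call in device_control drop their casts, and gives the compiler a chance to reject a mismatched signature. Add above it `// original IRP_MJ_DEVICE_CONTROL dispatch of the hooked driver; written by callback::gh_create_device, read by device_control to forward every IRP` and above device_control `// replacement IRP_MJ_DEVICE_CONTROL dispatch: inspects INTEL_LAN_DRIVER_IOCTL copy requests aimed at kernel space, then forwards to orig_device_control`.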

@ -0,0 +1,240 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM">
<Configuration>Debug</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM">
<Configuration>Release</Configuration>
<Platform>ARM</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|ARM64">
<Configuration>Debug</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|ARM64">
<Configuration>Release</Configuration>
<Platform>ARM64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{30E2F686-FC9D-4A2E-8AD2-FD8E9E5229E1}</ProjectGuid>
<TemplateGuid>{1bc93793-694f-48fe-9372-81e2b05556fd}</TemplateGuid>
<TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
<MinimumVisualStudioVersion>12.0</MinimumVisualStudioVersion>
<Configuration>Debug</Configuration>
<Platform Condition="'$(Platform)' == ''">Win32</Platform>
<RootNamespace>kdstinker</RootNamespace>
<WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<TargetVersion>Windows10</TargetVersion>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
<ConfigurationType>Driver</ConfigurationType>
<DriverType>KMDF</DriverType>
<DriverTargetPlatform>Universal</DriverTargetPlatform>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
<Link>
<EntryPointSymbol>driver_entry</EntryPointSymbol>
</Link>
<ClCompile>
<LanguageStandard>stdcpp17</LanguageStandard>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
<Link>
<EntryPointSymbol>driver_entry</EntryPointSymbol>
</Link>
<ClCompile>
<LanguageStandard>stdcpp17</LanguageStandard>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
<Link>
<EntryPointSymbol>driver_entry</EntryPointSymbol>
</Link>
<ClCompile>
<LanguageStandard>stdcpp17</LanguageStandard>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
<Link>
<EntryPointSymbol>driver_entry</EntryPointSymbol>
</Link>
<ClCompile>
<LanguageStandard>stdcpp17</LanguageStandard>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Link>
<EntryPointSymbol>driver_entry</EntryPointSymbol>
</Link>
<ClCompile>
<LanguageStandard>stdcpp17</LanguageStandard>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Link>
<EntryPointSymbol>driver_entry</EntryPointSymbol>
</Link>
<ClCompile>
<LanguageStandard>stdcpp17</LanguageStandard>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Link>
<EntryPointSymbol>driver_entry</EntryPointSymbol>
</Link>
<ClCompile>
<LanguageStandard>stdcpp17</LanguageStandard>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Link>
<EntryPointSymbol>driver_entry</EntryPointSymbol>
</Link>
<ClCompile>
<LanguageStandard>stdcpp17</LanguageStandard>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemGroup>
<FilesToPackage Include="$(TargetPath)" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="callback.h" />
<ClInclude Include="driver_util.h" />
<ClInclude Include="hooks.h" />
<ClInclude Include="types.h" />
</ItemGroup>
<ItemGroup>
<ClCompile Include="callback.cpp" />
<ClCompile Include="driver_util.cpp" />
<ClCompile Include="hooks.cpp" />
<ClCompile Include="main.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

@ -0,0 +1,41 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="callback.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="types.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="driver_util.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="hooks.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="callback.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="driver_util.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="hooks.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
</Project>

@ -0,0 +1,39 @@
#include "types.h"
#include "callback.h"
void driver_unload(
DRIVER_OBJECT* driver_obj
)
{
UNREFERENCED_PARAMETER(driver_obj);
PsRemoveLoadImageNotifyRoutine(&callback::on_image_load);
}
NTSTATUS driver_close(
IN PDEVICE_OBJECT device_obj,
IN PIRP lp_irp
)
{
UNREFERENCED_PARAMETER(device_obj);
lp_irp->IoStatus.Status = STATUS_SUCCESS;
lp_irp->IoStatus.Information = NULL;
IoCompleteRequest(lp_irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
//
// This driver is not to be manually mapped in its current form.
// If you choose to manually map this driver please remove "driver_close" and "driver_unload".
//
NTSTATUS __cdecl driver_entry(
_In_ PDRIVER_OBJECT driver_obj,
_In_ PUNICODE_STRING reg_path
)
{
UNREFERENCED_PARAMETER(reg_path);
driver_obj->MajorFunction[IRP_MJ_CLOSE] = &driver_close;
driver_obj->DriverUnload = &driver_unload;
DBG_PRINT("callbacks registered, waiting for intel lan driver....");
return PsSetLoadImageNotifyRoutine(&callback::on_image_load);
}
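Review bot: driver_unload only removes the image-load notify routine; if callback::on_image_load has already patched the target's IAT and its IRP_MJ_DEVICE_CONTROL slot, both still point into this driver's image after it is unloaded, and the target's next IoCreateDevice or IOCTL jumps into freed memory. Either record what was patched (the target DRIVER_OBJECT, the previous IAT value returned by iat_hook and hooks::orig_device_control) and restore it here before returning, or clear `driver_obj->DriverUnload` once a hook has been installed so the driver cannot be unloaded while it is referenced; the comment above driver_entry about manual mapping hints at this lifetime problem but does not cover the normal unload path. In driver_close, `lp_irp->IoStatus.Information = NULL;` assigns a pointer constant to a ULONG_PTR — write `0`. driver_entry prints its "callbacks registered" banner before PsSetLoadImageNotifyRoutine has returned; log that NTSTATUS on failure instead, so a refused registration is visible.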

@ -0,0 +1,250 @@
#pragma once
#include <ntifs.h>
#include <intrin.h>
#if true
#define DBG_PRINT(...) DbgPrintEx( DPFLTR_SYSTEM_ID, DPFLTR_ERROR_LEVEL, "[kdstinker]" __VA_ARGS__);
#else
#define DBG_PRINT(...)
#endif
#ifndef DWORD
#define DWORD unsigned
#endif
#ifndef WORD
#define WORD unsigned short
#endif
#ifndef uint64_t
#define uint64_t ULONGLONG
#endif
#ifndef uint32_t
#define uint32_t DWORD
#endif
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define INTEL_LAN_DRIVER_TIMESTAMP 0x5284EAC3
#define INTEL_LAN_DRIVER_IOCTL 0x80862007
#define INTEL_LAN_COPY_CASE_NUMBER 0x33
extern "C" NTSTATUS ZwQuerySystemInformation(
ULONG InfoClass,
PVOID Buffer,
ULONG Length,
PULONG ReturnLength
);
extern "C" NTKERNELAPI
PVOID
NTAPI
RtlFindExportedRoutineByName(
_In_ PVOID ImageBase,
_In_ PCCH RoutineName
);
typedef struct _COPY_MEMORY_BUFFER_INFO
{
uint64_t case_number;
uint64_t reserved;
void* source;
void* destination;
uint64_t length;
}COPY_MEMORY_BUFFER_INFO, * PCOPY_MEMORY_BUFFER_INFO;
typedef struct _FILL_MEMORY_BUFFER_INFO
{
uint64_t case_number;
uint64_t reserved1;
uint32_t value;
uint32_t reserved2;
uint64_t destination;
uint64_t length;
}FILL_MEMORY_BUFFER_INFO, * PFILL_MEMORY_BUFFER_INFO;
typedef struct _GET_PHYS_ADDRESS_BUFFER_INFO
{
uint64_t case_number;
uint64_t reserved;
uint64_t return_physical_address;
uint64_t address_to_translate;
}GET_PHYS_ADDRESS_BUFFER_INFO, * PGET_PHYS_ADDRESS_BUFFER_INFO;
typedef struct _MAP_IO_SPACE_BUFFER_INFO
{
uint64_t case_number;
uint64_t reserved;
uint64_t return_value;
uint64_t return_virtual_address;
uint64_t physical_address_to_map;
uint32_t size;
}MAP_IO_SPACE_BUFFER_INFO, * PMAP_IO_SPACE_BUFFER_INFO;
typedef struct _UNMAP_IO_SPACE_BUFFER_INFO
{
uint64_t case_number;
uint64_t reserved1;
uint64_t reserved2;
uint64_t virt_address;
uint64_t reserved3;
uint32_t number_of_bytes;
}UNMAP_IO_SPACE_BUFFER_INFO, * PUNMAP_IO_SPACE_BUFFER_INFO;
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, * PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, * PRTL_PROCESS_MODULES;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation = 0x0B
} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS;
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
USHORT e_magic; // Magic number
USHORT e_cblp; // Bytes on last page of file
USHORT e_cp; // Pages in file
USHORT e_crlc; // Relocations
USHORT e_cparhdr; // Size of header in paragraphs
USHORT e_minalloc; // Minimum extra paragraphs needed
USHORT e_maxalloc; // Maximum extra paragraphs needed
USHORT e_ss; // Initial (relative) SS value
USHORT e_sp; // Initial SP value
USHORT e_csum; // Checksum
USHORT e_ip; // Initial IP value
USHORT e_cs; // Initial (relative) CS value
USHORT e_lfarlc; // File address of relocation table
USHORT e_ovno; // Overlay number
USHORT e_res[4]; // Reserved words
USHORT e_oemid; // OEM identifier (for e_oeminfo)
USHORT e_oeminfo; // OEM information; e_oemid specific
USHORT e_res2[10]; // Reserved words
LONG e_lfanew; // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
typedef struct _IMAGE_FILE_HEADER {
short Machine;
short NumberOfSections;
unsigned TimeDateStamp;
unsigned PointerToSymbolTable;
unsigned NumberOfSymbols;
short SizeOfOptionalHeader;
short Characteristics;
} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
typedef struct _IMAGE_DATA_DIRECTORY {
unsigned VirtualAddress;
unsigned Size;
} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
typedef struct _IMAGE_OPTIONAL_HEADER64 {
short Magic;
unsigned char MajorLinkerVersion;
unsigned char MinorLinkerVersion;
unsigned SizeOfCode;
unsigned SizeOfInitializedData;
unsigned SizeOfUninitializedData;
unsigned AddressOfEntryPoint;
unsigned BaseOfCode;
ULONGLONG ImageBase;
unsigned SectionAlignment;
unsigned FileAlignment;
short MajorOperatingSystemVersion;
short MinorOperatingSystemVersion;
short MajorImageVersion;
short MinorImageVersion;
short MajorSubsystemVersion;
short MinorSubsystemVersion;
unsigned Win32VersionValue;
unsigned SizeOfImage;
unsigned SizeOfHeaders;
unsigned CheckSum;
short Subsystem;
short DllCharacteristics;
ULONGLONG SizeOfStackReserve;
ULONGLONG SizeOfStackCommit;
ULONGLONG SizeOfHeapReserve;
ULONGLONG SizeOfHeapCommit;
unsigned LoaderFlags;
unsigned NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
typedef struct _IMAGE_NT_HEADERS64 {
unsigned Signature;
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
typedef struct _IMAGE_IMPORT_DESCRIPTOR {
union {
DWORD Characteristics; // 0 for terminating null import descriptor
DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
} DUMMYUNIONNAME;
DWORD TimeDateStamp; // 0 if not bound,
// -1 if bound, and real date\time stamp
// in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
// O.W. date/time stamp of DLL bound to (Old BIND)
DWORD ForwarderChain; // -1 if no forwarders
DWORD Name;
DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
} IMAGE_IMPORT_DESCRIPTOR;
typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED* PIMAGE_IMPORT_DESCRIPTOR;
typedef struct _IMAGE_IMPORT_BY_NAME {
WORD Hint;
CHAR Name[1];
} IMAGE_IMPORT_BY_NAME, * PIMAGE_IMPORT_BY_NAME;
typedef struct _IMAGE_THUNK_DATA64 {
union {
ULONGLONG ForwarderString; // PBYTE
ULONGLONG Function; // PDWORD
ULONGLONG Ordinal;
ULONGLONG AddressOfData; // PIMAGE_IMPORT_BY_NAME
} u1;
} IMAGE_THUNK_DATA64, * PIMAGE_THUNK_DATA64;
typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA;
typedef union _virt_addr_t
{
void* value;
struct
{
ULONG64 offset : 12;
ULONG64 pt_index : 9;
ULONG64 pd_index : 9;
ULONG64 pdpt_index : 9;
ULONG64 pml4_index : 9;
ULONG64 reserved : 16;
};
} virt_addr_t, * pvirt_addr_t;
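Review bot: The DBG_PRINT macro on the `#define DBG_PRINT(...)` line ends in a semicolon, so every use expands to `...;;` and `if (x) DBG_PRINT(...); else ...` no longer compiles, and the surrounding `#if true` makes the empty variant dead code so every trace (including the kernel addresses printed in callback.cpp and hooks.cpp) ships in release builds; drop the trailing semicolon — `#define DBG_PRINT(...) DbgPrintEx(DPFLTR_SYSTEM_ID, DPFLTR_ERROR_LEVEL, "[kdstinker]" __VA_ARGS__)` — and gate it on `#if DBG`, which the kernel build environment sets for Debug configurations. The `#ifndef uint64_t` / `#ifndef uint32_t` guards cannot detect the stdint typedefs (those are not macros), and defining these names as macros can collide with any later header that declares them; prefer `using uint64_t = ULONGLONG;` or include `<stdint.h>`. IMAGE_FILE_HEADER's Machine, NumberOfSections, SizeOfOptionalHeader and Characteristics are declared `short` although the PE fields are unsigned 16-bit, so a comparison of Characteristics against a flag at or above 0x8000 sign-extends and fails. Most of these PE structures already exist in the WDK's <ntimage.h> (IMAGE_DOS_HEADER, IMAGE_NT_HEADERS64, IMAGE_IMPORT_DESCRIPTOR, IMAGE_THUNK_DATA64 and the IMAGE_DIRECTORY_ENTRY_IMPORT constant); including it instead of re-declaring them removes the risk of layout drift, and the remaining project types (the *_BUFFER_INFO structs and virt_addr_t) deserve a comment naming the INTEL_LAN_DRIVER_IOCTL request layout they describe.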