|
|
|
@ -1,25 +1,25 @@
|
|
|
|
/*
|
|
|
|
/*
|
|
|
|
MIT License
|
|
|
|
MIT License
|
|
|
|
|
|
|
|
|
|
|
|
Copyright (c) 2020 xerox
|
|
|
|
Copyright (c) 2020 xerox
|
|
|
|
|
|
|
|
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
|
|
of this software and associated documentation files (the "Software"), to deal
|
|
|
|
of this software and associated documentation files (the "Software"), to deal
|
|
|
|
in the Software without restriction, including without limitation the rights
|
|
|
|
in the Software without restriction, including without limitation the rights
|
|
|
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
|
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
|
|
copies of the Software, and to permit persons to whom the Software is
|
|
|
|
copies of the Software, and to permit persons to whom the Software is
|
|
|
|
furnished to do so, subject to the following conditions:
|
|
|
|
furnished to do so, subject to the following conditions:
|
|
|
|
|
|
|
|
|
|
|
|
The above copyright notice and this permission notice shall be included in all
|
|
|
|
The above copyright notice and this permission notice shall be included in all
|
|
|
|
copies or substantial portions of the Software.
|
|
|
|
copies or substantial portions of the Software.
|
|
|
|
|
|
|
|
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
|
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
|
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
|
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
|
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
|
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
|
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
|
|
SOFTWARE.
|
|
|
|
SOFTWARE.
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -38,7 +38,7 @@ namespace driver
|
|
|
|
{
|
|
|
|
{
|
|
|
|
namespace util
|
|
|
|
namespace util
|
|
|
|
{
|
|
|
|
{
|
|
|
|
inline bool delete_service_entry(const std::string& service_name)
|
|
|
|
__forceinline auto delete_service_entry(const std::string& service_name) -> bool
|
|
|
|
{
|
|
|
|
{
|
|
|
|
HKEY reg_handle;
|
|
|
|
HKEY reg_handle;
|
|
|
|
static const std::string reg_key("System\\CurrentControlSet\\Services\\");
|
|
|
|
static const std::string reg_key("System\\CurrentControlSet\\Services\\");
|
|
|
|
@ -49,10 +49,11 @@ namespace driver
|
|
|
|
®_handle
|
|
|
|
®_handle
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
return ERROR_SUCCESS == RegDeleteKeyA(reg_handle, service_name.data()) && ERROR_SUCCESS == RegCloseKey(reg_handle);;
|
|
|
|
return ERROR_SUCCESS == RegDeleteKeyA(reg_handle, service_name.data()) &&
|
|
|
|
|
|
|
|
ERROR_SUCCESS == RegCloseKey(reg_handle);;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
inline bool create_service_entry(const std::string& drv_path, const std::string& service_name)
|
|
|
|
__forceinline auto create_service_entry(const std::string& drv_path, const std::string& service_name) -> bool
|
|
|
|
{
|
|
|
|
{
|
|
|
|
HKEY reg_handle;
|
|
|
|
HKEY reg_handle;
|
|
|
|
std::string reg_key("System\\CurrentControlSet\\Services\\");
|
|
|
|
std::string reg_key("System\\CurrentControlSet\\Services\\");
|
|
|
|
@ -67,10 +68,7 @@ namespace driver
|
|
|
|
if (result != ERROR_SUCCESS)
|
|
|
|
if (result != ERROR_SUCCESS)
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
std::uint8_t type_value = 1;
|
|
|
|
// set type to 1 (kernel)
|
|
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
constexpr std::uint8_t type_value = 1;
|
|
|
|
|
|
|
|
result = RegSetValueExA(
|
|
|
|
result = RegSetValueExA(
|
|
|
|
reg_handle,
|
|
|
|
reg_handle,
|
|
|
|
"Type",
|
|
|
|
"Type",
|
|
|
|
@ -83,10 +81,7 @@ namespace driver
|
|
|
|
if (result != ERROR_SUCCESS)
|
|
|
|
if (result != ERROR_SUCCESS)
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
std::uint8_t error_control_value = 3;
|
|
|
|
// set error control to 3
|
|
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
constexpr std::uint8_t error_control_value = 3;
|
|
|
|
|
|
|
|
result = RegSetValueExA(
|
|
|
|
result = RegSetValueExA(
|
|
|
|
reg_handle,
|
|
|
|
reg_handle,
|
|
|
|
"ErrorControl",
|
|
|
|
"ErrorControl",
|
|
|
|
@ -99,10 +94,7 @@ namespace driver
|
|
|
|
if (result != ERROR_SUCCESS)
|
|
|
|
if (result != ERROR_SUCCESS)
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
std::uint8_t start_value = 3;
|
|
|
|
// set start to 3
|
|
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
constexpr std::uint8_t start_value = 3;
|
|
|
|
|
|
|
|
result = RegSetValueExA(
|
|
|
|
result = RegSetValueExA(
|
|
|
|
reg_handle,
|
|
|
|
reg_handle,
|
|
|
|
"Start",
|
|
|
|
"Start",
|
|
|
|
@ -115,9 +107,6 @@ namespace driver
|
|
|
|
if (result != ERROR_SUCCESS)
|
|
|
|
if (result != ERROR_SUCCESS)
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
// set image path to the driver on disk
|
|
|
|
|
|
|
|
//
|
|
|
|
|
|
|
|
result = RegSetValueExA(
|
|
|
|
result = RegSetValueExA(
|
|
|
|
reg_handle,
|
|
|
|
reg_handle,
|
|
|
|
"ImagePath",
|
|
|
|
"ImagePath",
|
|
|
|
@ -133,8 +122,7 @@ namespace driver
|
|
|
|
return ERROR_SUCCESS == RegCloseKey(reg_handle);
|
|
|
|
return ERROR_SUCCESS == RegCloseKey(reg_handle);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// this function was coded by paracord: https://githacks.org/snippets/4#L94
|
|
|
|
__forceinline auto enable_privilege(const std::wstring& privilege_name) -> bool
|
|
|
|
inline bool enable_privilege(const std::wstring& privilege_name)
|
|
|
|
|
|
|
|
{
|
|
|
|
{
|
|
|
|
HANDLE token_handle = nullptr;
|
|
|
|
HANDLE token_handle = nullptr;
|
|
|
|
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle))
|
|
|
|
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle))
|
|
|
|
@ -156,7 +144,7 @@ namespace driver
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
inline std::string get_service_image_path(const std::string& service_name)
|
|
|
|
__forceinline auto get_service_image_path(const std::string& service_name) -> std::string
|
|
|
|
{
|
|
|
|
{
|
|
|
|
HKEY reg_handle;
|
|
|
|
HKEY reg_handle;
|
|
|
|
DWORD bytes_read;
|
|
|
|
DWORD bytes_read;
|
|
|
|
@ -184,12 +172,13 @@ namespace driver
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
inline bool load(const std::string& drv_path, const std::string& service_name)
|
|
|
|
__forceinline auto load(const std::string& drv_path, const std::string& service_name) -> bool
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (!util::enable_privilege(L"SeLoadDriverPrivilege"))
|
|
|
|
if (!util::enable_privilege(L"SeLoadDriverPrivilege"))
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
if (!util::create_service_entry("\\??\\" + std::filesystem::absolute(std::filesystem::path(drv_path)).string(), service_name))
|
|
|
|
if (!util::create_service_entry("\\??\\" +
|
|
|
|
|
|
|
|
std::filesystem::absolute(std::filesystem::path(drv_path)).string(), service_name))
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
|
|
|
|
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
|
|
|
|
@ -213,7 +202,7 @@ namespace driver
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
inline std::tuple<bool, std::string> load(const std::vector<std::uint8_t>& drv_buffer)
|
|
|
|
__forceinline auto load(const std::vector<std::uint8_t>& drv_buffer) -> std::tuple<bool, std::string>
|
|
|
|
{
|
|
|
|
{
|
|
|
|
static const auto random_file_name = [](std::size_t length) -> std::string
|
|
|
|
static const auto random_file_name = [](std::size_t length) -> std::string
|
|
|
|
{
|
|
|
|
{
|
|
|
|
@ -232,7 +221,7 @@ namespace driver
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
const auto service_name = random_file_name(16);
|
|
|
|
const auto service_name = random_file_name(16);
|
|
|
|
const auto file_path = std::filesystem::temp_directory_path().string() + random_file_name(16);
|
|
|
|
const auto file_path = std::filesystem::temp_directory_path().string() + service_name;
|
|
|
|
std::ofstream output_file(file_path.c_str(), std::ios::binary);
|
|
|
|
std::ofstream output_file(file_path.c_str(), std::ios::binary);
|
|
|
|
|
|
|
|
|
|
|
|
output_file.write((char*)drv_buffer.data(), drv_buffer.size());
|
|
|
|
output_file.write((char*)drv_buffer.data(), drv_buffer.size());
|
|
|
|
@ -241,13 +230,13 @@ namespace driver
|
|
|
|
return { load(file_path, service_name), service_name };
|
|
|
|
return { load(file_path, service_name), service_name };
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
inline std::tuple<bool, std::string> load(const std::uint8_t* buffer, const std::size_t size)
|
|
|
|
__forceinline auto load(const std::uint8_t* buffer, const std::size_t size) -> std::tuple<bool, std::string>
|
|
|
|
{
|
|
|
|
{
|
|
|
|
std::vector<std::uint8_t> image(buffer, buffer + size);
|
|
|
|
std::vector<std::uint8_t> image(buffer, buffer + size);
|
|
|
|
return load(image);
|
|
|
|
return load(image);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
inline bool unload(const std::string& service_name)
|
|
|
|
__forceinline auto unload(const std::string& service_name) -> bool
|
|
|
|
{
|
|
|
|
{
|
|
|
|
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
|
|
|
|
std::string reg_path("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
|
|
|
|
reg_path += service_name;
|
|
|
|
reg_path += service_name;
|
|
|
|
@ -269,11 +258,15 @@ namespace driver
|
|
|
|
const bool unload_drv = !reinterpret_cast<nt_unload_driver_t>(lp_nt_unload_drv)(&driver_reg_path_unicode);
|
|
|
|
const bool unload_drv = !reinterpret_cast<nt_unload_driver_t>(lp_nt_unload_drv)(&driver_reg_path_unicode);
|
|
|
|
const auto image_path = std::filesystem::temp_directory_path().string() + service_name;
|
|
|
|
const auto image_path = std::filesystem::temp_directory_path().string() + service_name;
|
|
|
|
const bool delete_reg = util::delete_service_entry(service_name);
|
|
|
|
const bool delete_reg = util::delete_service_entry(service_name);
|
|
|
|
|
|
|
|
|
|
|
|
try
|
|
|
|
try
|
|
|
|
{
|
|
|
|
{
|
|
|
|
const bool delete_drv = std::filesystem::remove(image_path);
|
|
|
|
const bool delete_drv = std::filesystem::remove(image_path);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
catch (std::exception& e) {}
|
|
|
|
catch (std::exception& e)
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
std::printf("[!] failed to delete vulnerable driver...\n");
|
|
|
|
|
|
|
|
}
|
|
|
|
return unload_drv && delete_reg;
|
|
|
|
return unload_drv && delete_reg;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
|
xerox
4 years ago