commit
f0c8a80be6
@ -0,0 +1,101 @@
|
||||
AccessModifierOffset: -4
|
||||
AlignAfterOpenBracket: AlwaysBreak
|
||||
AlignConsecutiveAssignments: false
|
||||
AlignConsecutiveDeclarations: false
|
||||
AlignEscapedNewlines: DontAlign
|
||||
AlignOperands: true
|
||||
AllowAllParametersOfDeclarationOnNextLine: false
|
||||
AllowShortBlocksOnASingleLine: false
|
||||
AllowShortCaseLabelsOnASingleLine: false
|
||||
AllowShortFunctionsOnASingleLine: Inline
|
||||
AllowShortIfStatementsOnASingleLine: false
|
||||
AllowShortLoopsOnASingleLine: false
|
||||
AlwaysBreakAfterReturnType: TopLevel
|
||||
AlwaysBreakBeforeMultilineStrings: false
|
||||
AlwaysBreakTemplateDeclarations: true
|
||||
BinPackArguments: false
|
||||
BinPackParameters: false
|
||||
BraceWrapping:
|
||||
AfterClass: true
|
||||
AfterControlStatement: true
|
||||
AfterEnum: true
|
||||
AfterFunction: true
|
||||
AfterNamespace: false
|
||||
AfterStruct: true
|
||||
AfterUnion: true
|
||||
AfterExternBlock: false
|
||||
BeforeCatch: true
|
||||
BeforeElse: true
|
||||
BreakBeforeBraces: Custom
|
||||
BreakBeforeBinaryOperators: None
|
||||
BreakBeforeTernaryOperators: true
|
||||
BreakConstructorInitializers: AfterColon
|
||||
BreakStringLiterals: false
|
||||
ColumnLimit: 120
|
||||
CommentPragmas: '^begin_wpp|^end_wpp|^FUNC |^USESUFFIX |^USESUFFIX '
|
||||
ConstructorInitializerAllOnOneLineOrOnePerLine: true
|
||||
ConstructorInitializerIndentWidth: 4
|
||||
ContinuationIndentWidth: 4
|
||||
Cpp11BracedListStyle: true
|
||||
DerivePointerAlignment: false
|
||||
ExperimentalAutoDetectBinPacking: false
|
||||
IndentCaseLabels: false
|
||||
IndentPPDirectives: AfterHash
|
||||
IndentWidth: 4
|
||||
KeepEmptyLinesAtTheStartOfBlocks: false
|
||||
Language: Cpp
|
||||
MacroBlockBegin: '^BEGIN_MODULE$|^BEGIN_TEST_CLASS$|^BEGIN_TEST_METHOD$'
|
||||
MacroBlockEnd: '^END_MODULE$|^END_TEST_CLASS$|^END_TEST_METHOD$'
|
||||
MaxEmptyLinesToKeep: 1
|
||||
NamespaceIndentation: None
|
||||
PointerAlignment: Right
|
||||
ReflowComments: true
|
||||
SortIncludes: false
|
||||
SpaceAfterCStyleCast: false
|
||||
SpaceBeforeAssignmentOperators: true
|
||||
SpaceBeforeCtorInitializerColon: true
|
||||
SpaceBeforeCtorInitializerColon: true
|
||||
SpaceBeforeParens: ControlStatements
|
||||
SpaceBeforeRangeBasedForLoopColon: true
|
||||
SpaceInEmptyParentheses: false
|
||||
SpacesInAngles: false
|
||||
SpacesInCStyleCastParentheses: false
|
||||
SpacesInParentheses: false
|
||||
SpacesInSquareBrackets: false
|
||||
Standard: Cpp11
|
||||
StatementMacros: [
|
||||
'EXTERN_C',
|
||||
'PAGED',
|
||||
'PAGEDX',
|
||||
'NONPAGED',
|
||||
'PNPCODE',
|
||||
'INITCODE',
|
||||
'_At_',
|
||||
'_When_',
|
||||
'_Success_',
|
||||
'_Check_return_',
|
||||
'_Must_inspect_result_',
|
||||
'_IRQL_requires_',
|
||||
'_IRQL_requires_max_',
|
||||
'_IRQL_requires_min_',
|
||||
'_IRQL_saves_',
|
||||
'_IRQL_restores_',
|
||||
'_IRQL_saves_global_',
|
||||
'_IRQL_restores_global_',
|
||||
'_IRQL_raises_',
|
||||
'_IRQL_lowers_',
|
||||
'_Acquires_lock_',
|
||||
'_Releases_lock_',
|
||||
'_Acquires_exclusive_lock_',
|
||||
'_Releases_exclusive_lock_',
|
||||
'_Acquires_shared_lock_',
|
||||
'_Releases_shared_lock_',
|
||||
'_Requires_lock_held_',
|
||||
'_Use_decl_annotations_',
|
||||
'_Guarded_by_',
|
||||
'__drv_preferredFunction',
|
||||
'__drv_allocatesMem',
|
||||
'__drv_freesMem',
|
||||
]
|
||||
TabWidth: '4'
|
||||
UseTab: Never
|
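Review bot: `SpaceBeforeCtorInitializerColon: true` appears twice in this config (the two consecutive entries just before `SpaceBeforeParens`); recent clang-format releases reject a duplicated mapping key and refuse to read the whole file, while older ones silently keep whichever entry comes last. Delete the second `SpaceBeforeCtorInitializerColon: true` line so the file parses on every version the README lists as supported.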
@ -0,0 +1,91 @@
|
||||
#include "Common.h"
|
||||
#include <ntimage.h>
|
||||
|
||||
EXTERN_C
|
||||
__int64 __fastcall fnMmLoadSystemImage(
|
||||
struct _UNICODE_STRING *DrvName,
|
||||
const UNICODE_STRING *a2,
|
||||
UNICODE_STRING *a3,
|
||||
unsigned int a4_win32k_status,
|
||||
ULONG64 *SectionPointer,
|
||||
ULONG64 *BaseAddress);
|
||||
|
||||
EXTERN_C
|
||||
PIMAGE_NT_HEADERS
|
||||
NTAPI
|
||||
RtlImageNtHeader(PVOID Base);
|
||||
|
||||
__declspec(
|
||||
noinline) long CallMeWin32kDriver(wchar_t *DriverPath, unsigned long DriverPathLength, bool NeedPrefix /*= true*/)
|
||||
{
|
||||
long lStatus = -1;
|
||||
|
||||
unsigned long uDriverPathAllLength = DriverPathLength;
|
||||
|
||||
do
|
||||
{
|
||||
if (!DriverPath || !DriverPathLength)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
wchar_t wszDriverPath[MAX_PATH + 1];
|
||||
RtlSecureZeroMemory(wszDriverPath, sizeof(wszDriverPath));
|
||||
|
||||
if (NeedPrefix)
|
||||
{
|
||||
strcat_w(wszDriverPath, (L"\\??\\"));
|
||||
}
|
||||
|
||||
if (DriverPathLength < MAX_PATH * sizeof(wchar_t))
|
||||
{
|
||||
strcat_w(wszDriverPath, DriverPath);
|
||||
if (NeedPrefix)
|
||||
{
|
||||
uDriverPathAllLength += 4 * sizeof(wchar_t);
|
||||
}
|
||||
}
|
||||
|
||||
UNICODE_STRING usDriverName;
|
||||
usDriverName.Buffer = wszDriverPath;
|
||||
usDriverName.Length = (USHORT)uDriverPathAllLength;
|
||||
usDriverName.MaximumLength = MAX_PATH * sizeof(wchar_t);
|
||||
|
||||
UNICODE_STRING usMmLoadSystemImage;
|
||||
RtlInitUnicodeString(&usMmLoadSystemImage, L"MmLoadSystemImage");
|
||||
|
||||
auto pMmLoadSystemImage = (decltype(&fnMmLoadSystemImage))(MmGetSystemRoutineAddress(&usMmLoadSystemImage));
|
||||
if (pMmLoadSystemImage)
|
||||
{
|
||||
ULONG64 uSectionPointer = 0, uBaseAddress = 0;
|
||||
lStatus = pMmLoadSystemImage(&usDriverName, 0, 0, 1, &uSectionPointer, &uBaseAddress);
|
||||
if (NT_SUCCESS(lStatus) && uBaseAddress)
|
||||
{
|
||||
auto pImageNtHeader = RtlImageNtHeader((void *)uBaseAddress);
|
||||
if (pImageNtHeader)
|
||||
{
|
||||
// Fake Driver Object
|
||||
auto pNewDrvObj = (PDRIVER_OBJECT)ExAllocatePool(NonPagedPool, 0x1000);
|
||||
if (!pNewDrvObj)
|
||||
{
|
||||
__asm {int 3 }
|
||||
}
|
||||
|
||||
RtlSecureZeroMemory(pNewDrvObj, 0x1000);
|
||||
pNewDrvObj->DriverStart = (PVOID)uBaseAddress;
|
||||
|
||||
// Call OEP
|
||||
auto pOEP = (PDRIVER_INITIALIZE)(uBaseAddress + pImageNtHeader->OptionalHeader.AddressOfEntryPoint);
|
||||
lStatus = pOEP(pNewDrvObj, nullptr);
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
lStatus = STATUS_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
} while (0);
|
||||
|
||||
return lStatus;
|
||||
}
|
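Review bot: The guard `if (DriverPathLength < MAX_PATH * sizeof(wchar_t))` ignores the four-character `\??\` prefix already appended to `wszDriverPath[MAX_PATH + 1]`, so a path of 257–259 wide characters passes the check and the second `strcat_w` writes past the end of the stack buffer; when the check fails, the code still calls `MmLoadSystemImage` with a buffer holding only the prefix while `usDriverName.Length` claims the caller's full length. Replace the guard with `if (DriverPathLength + (NeedPrefix ? 4 * sizeof(wchar_t) : 0) >= MAX_PATH * sizeof(wchar_t)) { lStatus = STATUS_NAME_TOO_LONG; break; }`, and note in the parameter comment that `DriverPathLength` is a byte count and that `strcat_w` copies up to the NUL regardless of it, so `DriverPath` must be NUL-terminated. The `__asm { int 3 }` branch after `ExAllocatePool` fails falls straight through into `RtlSecureZeroMemory(pNewDrvObj, 0x1000)` with a null pointer on a free build; use `lStatus = STATUS_INSUFFICIENT_RESOURCES; break;` instead. Neither the 0x1000-byte fake `DRIVER_OBJECT` nor the loaded section (`uSectionPointer`) is released when `pOEP` returns a failure status, which presumably leaks the image on every failed attempt — worth at least a comment on the intended ownership.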
@ -0,0 +1,26 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Source.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
<ClCompile Include="CallMeWWWWWWin32k.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="Common.h">
|
||||
<Filter>Header Files</Filter>
|
||||
</ClInclude>
|
||||
</ItemGroup>
|
||||
</Project>
|
@ -0,0 +1,28 @@
|
||||
#pragma once
|
||||
|
||||
#include <fltKernel.h>
|
||||
|
||||
#define MAX_PATH 260
|
||||
|
||||
#define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
|
||||
|
||||
FORCEINLINE
|
||||
wchar_t *
|
||||
strcat_w(wchar_t *dest, const wchar_t *src)
|
||||
{
|
||||
if ((dest == 0) || (src == 0))
|
||||
return dest;
|
||||
|
||||
while (*dest != 0)
|
||||
dest++;
|
||||
|
||||
while (*src != 0)
|
||||
{
|
||||
*dest = *src;
|
||||
dest++;
|
||||
src++;
|
||||
}
|
||||
|
||||
*dest = 0;
|
||||
return dest;
|
||||
}
|
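Review bot: `strcat_w` takes no destination capacity, so every caller has to reproduce the bounds arithmetic for the buffer it passes in, and an unbounded wide-char copy in kernel mode turns any caller mistake into a stack or pool overrun. The WDK already provides the bounded form, `RtlStringCchCatW(dest, cchDest, src)` from `<ntstrsafe.h>`, which returns `STATUS_BUFFER_OVERFLOW` instead of writing past the end; either switch callers to it or add a `size_t destCount` parameter and stop copying at `destCount - 1`. Also document that this helper returns a pointer to the new terminator rather than `dest` (unlike `wcscat`), and wrap the `#define MAX_PATH 260` in `#ifndef MAX_PATH` so it does not collide if a header that defines it is ever included first.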
@ -0,0 +1,50 @@
|
||||
#include "Common.h"
|
||||
|
||||
EXTERN_C
|
||||
PCCHAR
|
||||
NTAPI
|
||||
PsGetProcessImageFileName(IN PEPROCESS Process);
|
||||
|
||||
__declspec(
|
||||
noinline) long CallMeWin32kDriver(wchar_t *DriverPath, unsigned long DriverPathLength, bool NeedPrefix = true);
|
||||
|
||||
EXTERN_C
|
||||
NTSTATUS
|
||||
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
|
||||
{
|
||||
dprintf("new world!\n");
|
||||
|
||||
PEPROCESS pEpLsass = nullptr;
|
||||
for (ULONG i = 0; i < 0x5000; i += 4)
|
||||
{
|
||||
PEPROCESS pEp = nullptr;
|
||||
auto lStatus = PsLookupProcessByProcessId((HANDLE)i, &pEp);
|
||||
if (!NT_SUCCESS(lStatus) || !pEp)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
auto pName = PsGetProcessImageFileName(pEp);
|
||||
// A more casual code
|
||||
if (pName && strstr(pName, "lsass"))
|
||||
{
|
||||
pEpLsass = pEp;
|
||||
}
|
||||
ObDereferenceObject(pEp);
|
||||
|
||||
if (pEpLsass)
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (pEpLsass)
|
||||
{
|
||||
KAPC_STATE ks;
|
||||
KeStackAttachProcess(pEpLsass, &ks);
|
||||
CallMeWin32kDriver(L"C:\\win32kbro.sys", wcslen(L"C:\\win32kbro.sys") * 2);
|
||||
KeUnstackDetachProcess(&ks);
|
||||
}
|
||||
|
||||
return STATUS_VIRUS_DELETED;
|
||||
}
|
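Review bot: The lookup loop calls `ObDereferenceObject(pEp)` immediately after storing `pEp` into `pEpLsass`, so by the time `KeStackAttachProcess(pEpLsass, &ks)` runs the driver holds no reference on that `EPROCESS`; if the process exits in between this attaches to freed memory. Keep the reference until after the detach: in the loop write `if (pName && strstr(pName, "lsass")) { pEpLsass = pEp; break; }` before the `ObDereferenceObject(pEp);`, and after `KeUnstackDetachProcess(&ks);` add `ObDereferenceObject(pEpLsass);`. `strstr(pName, "lsass")` also matches any image name that merely contains the substring (a user-created `lsass2.exe` would be picked first if its PID is lower), and `PsGetProcessImageFileName` is an undocumented export returning only the short in-`EPROCESS` name, so at minimum compare with `strcmp(pName, "lsass.exe") == 0`. Two smaller points: the result of `CallMeWin32kDriver` is discarded, and returning `STATUS_VIRUS_DELETED` from `DriverEntry` makes the loader unload this driver right after it runs — presumably intentional, but a comment saying so would spare the next reader a debugging session.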
@ -0,0 +1,13 @@
|
||||
# CallMeWin32kDriver
|
||||
Load your driver like win32k.sys
|
||||
|
||||
![Q`NXJ7G@89G@K)6~5H8JA@6](https://user-images.githubusercontent.com/13917777/184930976-1ee5dd35-04a0-4d98-85a4-1f51074b9784.png)
|
||||
|
||||
|
||||
## Motivation
|
||||
This feature was analyzed from a certain PUBG cheat driver.
|
||||
|
||||
|
||||
## Compile
|
||||
- Visual Studio 2022 & WDK10
|
||||
- llvm-msvc [[link]](https://github.com/NewWorldComingSoon/llvm-msvc-build)
|
@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2022 gmh5225
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
@ -0,0 +1,12 @@
|
||||
|
||||
#include <fltKernel.h>
|
||||
|
||||
#define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
|
||||
|
||||
EXTERN_C
|
||||
NTSTATUS
|
||||
DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
|
||||
{
|
||||
dprintf("end world!\n");
|
||||
return 0;
|
||||
}
|
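Review bot: This `DriverEntry` is documented nowhere as being reached through `CallMeWin32kDriver`, which calls it as `pOEP(pNewDrvObj, nullptr)` with a zeroed 0x1000-byte pool block (only `DriverStart` set) standing in for the driver object; a header comment such as `// Entered via CallMeWin32kDriver: DriverObject is a fake, zeroed pool block never registered with the I/O manager, and RegistryPath is NULL.` would prevent someone from later adding a `DriverUnload` or `MajorFunction` setup that the I/O manager will never see. Also return `STATUS_SUCCESS` rather than the bare `0`, and add `UNREFERENCED_PARAMETER(DriverObject); UNREFERENCED_PARAMETER(RegistryPath);` so the stub builds clean at /W4.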
@ -0,0 +1,18 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup>
|
||||
<Filter Include="Source Files">
|
||||
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
|
||||
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
|
||||
</Filter>
|
||||
<Filter Include="Header Files">
|
||||
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
|
||||
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
|
||||
</Filter>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="Source.cpp">
|
||||
<Filter>Source Files</Filter>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
</Project>
|