import winim/[com, clr], std/strformat
import dinvoke
import obf
# Signature used for the ntdll entry points resolved below. load_driver
# casts NtLoadDriver to it and unload_driver casts NtUnloadDriver to the
# same type (both take a single PUNICODE_STRING service-key path).
# NOTE(review): the return is declared as HANDLE, yet every caller compares
# the result against NTSTATUS constants (STATUS_SUCCESS, ...) -- the cast
# works only because the two are the same machine width; an NTSTATUS-typed
# return would make the comparisons honest.
type NtLoadDriver_t = proc(DriverServiceName : PUNICODE_STRING) : HANDLE {.stdcall.}
proc load_driver*() =
  ## Asks the kernel to load the driver registered under the hard-coded
  ## service key below by calling ntdll's NtLoadDriver directly. Prints a
  ## status line for every outcome and terminates the process on any
  ## failure, so callers never observe an error return.
  ##
  ## NOTE(review): the NtLoadDriver pointer is resolved at run time through
  ## the dinvoke helpers (get_library_address / get_function_address) and
  ## every string goes through obf(); neither helper's behaviour is visible
  ## here. From a detection standpoint this means the call does not appear
  ## in the binary's import table -- monitoring should key on the
  ## NtLoadDriver call itself (and the SeLoadDriverPrivilege it requires),
  ## not on imports or static strings.
  var hNtdll = GetModuleHandleA(obf("Ntdll.dll"))
  if (hNtdll == 0):
    echo obf("[-] error can't find ntdll")
    quit(-1)
  # NOTE(review): hNtdll is used only for the check above; the lookup below
  # re-resolves ntdll via get_library_address instead of reusing it.
  var NtLoadDriver : NtLoadDriver_t
  NtLoadDriver = cast[NtLoadDriver_t](cast[LPVOID](get_function_address(cast[HMODULE](get_library_address(obf("ntdll.dll"), FALSE)), obf("NtLoadDriver"), 0, TRUE)))
  if (NtLoadDriver == nil):
    echo obf("[-] error can't find NtLoadDriver")
    quit(-1)
  # Registry path of the service entry NtLoadDriver reads. Nothing in this
  # module creates that key, so it must already exist when this runs.
  var name : UNICODE_STRING
  RtlInitUnicodeString(addr(name), obf("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\eschaton"))
  var ret = NtLoadDriver(addr(name))
  # Three statuses are accepted: success, the image already being loaded,
  # and an object-name collision. Anything else ends the process.
  # NOTE(review): the failure path uses quit() -- Nim's default is
  # QuitSuccess -- whereas the earlier failures use quit(-1); a parent
  # process cannot distinguish this failure from success.
  if (ret != STATUS_SUCCESS and ret != STATUS_IMAGE_ALREADY_LOADED and ret != STATUS_OBJECT_NAME_COLLISION) :
    echo "[-] ntloaddriver error, can't load driver"
    quit()
  elif (ret == STATUS_SUCCESS) :
    echo "[+] driver loaded"
  elif (ret == STATUS_IMAGE_ALREADY_LOADED) :
    echo "already loaded"
  else :
    # Only STATUS_OBJECT_NAME_COLLISION can reach this branch.
    echo "should be working"
proc unload_driver*() =
  ## Counterpart of load_driver: resolves NtUnloadDriver the same way and
  ## asks the kernel to unload the driver behind the same service key.
  ## Unlike load_driver, a failed unload only prints a message; the
  ## process keeps running and the caller gets no return value to act on.
  var hNtdll = GetModuleHandleA(obf("Ntdll.dll"))
  if (hNtdll == 0):
    echo "[-] error can't find ntdll"
    quit(-1)
  # NOTE(review): the local is still named NtLoadDriver and typed
  # NtLoadDriver_t although it holds NtUnloadDriver. The two ntdll routines
  # share the single-PUNICODE_STRING signature, so the cast works, but the
  # name misleads anyone reading the call below.
  var NtLoadDriver : NtLoadDriver_t
  NtLoadDriver = cast[NtLoadDriver_t](cast[LPVOID](get_function_address(cast[HMODULE](get_library_address(obf("ntdll.dll"), FALSE)), obf("NtUnloadDriver"), 0, TRUE)))
  if (NtLoadDriver == nil):
    echo "[-] error can't find NtUnLoadDriver"
    quit(-1)
  # Same service key as load_driver; not created or removed here.
  var name : UNICODE_STRING
  RtlInitUnicodeString(addr(name), obf("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\eschaton"))
  var ret = NtLoadDriver(addr(name))
  # NOTE(review): the accepted-status list is the one from load_driver.
  # STATUS_IMAGE_ALREADY_LOADED and STATUS_OBJECT_NAME_COLLISION fall
  # through silently here (no elif branch prints anything for them);
  # confirm whether either is a meaningful result of an unload, otherwise
  # only STATUS_SUCCESS should count as success.
  if (ret != STATUS_SUCCESS and ret != STATUS_IMAGE_ALREADY_LOADED and ret != STATUS_OBJECT_NAME_COLLISION) :
    echo fmt"[-]NtUnloadDriver: {ret}"
    echo "[-] ntunloaddriver error"
  elif (ret == STATUS_SUCCESS) :
    echo "[+] driver unloaded"
proc connect_to_driver*(driver_name : string) : HANDLE =
  ## Opens the device object `\\.\<driver_name>` and returns the handle.
  ## On failure it prints two lines and terminates the process rather than
  ## returning, so callers only ever receive a valid handle. The handle is
  ## not closed anywhere in this proc; the caller owns it.
  ##
  ## NOTE(review): GENERIC_ALL requests every access right on the device;
  ## whatever the caller does with the handle probably needs less --
  ## confirm against the driver's device ACL and narrow the request.
  ## fmt"..." is a raw literal, so the backslashes in the path are emitted
  ## verbatim, which is what the \\.\ device prefix needs.
  var driver_handle = CreateFileA(fmt"\\.\{driver_name}", GENERIC_ALL, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
  #dump hProcExpDevice
  if (driver_handle == INVALID_HANDLE_VALUE) :
    echo "[-] invalid handle"
    echo "[-] cant connect to driver"
    # NOTE(review): quit() exits with QuitSuccess, so a failed connect is
    # reported to the parent process as success; the rest of the module
    # uses quit(-1) for comparable failures.
    quit()
  else :
    echo "[+] connected to driver"
    return driver_handle