forked from harryanon/r0ak
-
Notifications
You must be signed in to change notification settings - Fork 0
/
r0akrun.c
83 lines (67 loc) · 1.6 KB
/
r0akrun.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
/*++
Copyright (c) Alex Ionescu. All rights reserved.
Module Name:
r0akrun.c
Abstract:
This module implements run capabilities for r0ak
Author:
Alex Ionescu (@aionescu) 21-Jul-2018 - First public version
Environment:
User mode only.
--*/
#include "r0ak.h"
_Success_(return != 0)
BOOL
CmdExecuteKernel (
_In_ PKERNEL_EXECUTE KernelExecute,
_In_ PVOID FunctionPointer,
_In_ ULONG_PTR FunctionParameter
)
{
PETW_DATA etwData;
BOOL b;
//
// Initialize a work item for the caller-supplied function and argument
//
printf("[+] Calling function pointer 0x%p\n", FunctionPointer);
b = KernelExecuteSetCallback(KernelExecute,
FunctionPointer,
(PVOID)FunctionParameter);
if (b == FALSE)
{
printf("[-] Failed to initialize work item trampoline\n");
return b;
}
//
// Begin ETW tracing to look for the work item executing
//
etwData = NULL;
b = EtwStartSession(&etwData, FunctionPointer);
if (b == FALSE)
{
printf("[-] Failed to start ETW trace\n");
return b;
}
//
// Execute it!
//
b = KernelExecuteRun(KernelExecute);
if (b == FALSE)
{
printf("[-] Failed to execute work item\n");
return b;
}
//
// Wait for execution to finish
//
b = EtwParseSession(etwData);
if (b == FALSE)
{
//
// We have no idea if execution finished -- block forever
//
printf("[-] Failed to parse ETW trace\n");
Sleep(INFINITE);
}
return b;
}