#include <ntddk.h>
#include <ntifs.h>
extern PVOID OrgiDispatch;
extern PVOID DriverDisPath;
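/*
 * Length in bytes of a code stub that ends with a near return (0xC3),
 * counting the return byte itself so that a copy of the stub is a complete,
 * executable function. The scan is bounded to one page, which is the size
 * of every buffer the callers in this file copy the result into.
 *
 * The first 0xC3 wins: a 0xC3 byte that is part of an earlier instruction
 * (an immediate, displacement or rel32) truncates the stub, so the stubs
 * measured with this must not contain one before their final ret.
 *
 * adr: start of the stub; must be readable for the whole scan window.
 * Returns the number of bytes up to and including the first 0xC3, or 0 when
 * adr is NULL or no 0xC3 is found within the first 0x1000 bytes.
 *
 * Behaviour change versus the original: the original returned the byte
 * count *before* the ret, so memcpy(dst, stub, size) dropped the ret and
 * the copied stub fell through into whatever followed it in the pool
 * buffer; it also scanned without any bound.
 */
INT CalcShellcodeSize(UCHAR* adr)
{
    const INT limit = 0x1000; /* == PAGE_SIZE, the callers' pool buffer size */
    INT i;

    if (adr == NULL)
    {
        return 0;
    }
    for (i = 0; i < limit; i++)
    {
        if (adr[i] == 0xC3)
        {
            return i + 1; /* through the ret byte inclusive */
        }
    }
    return 0; /* no ret inside the window: caller must not copy/execute this */
}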
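/*
 * Scan a qword-aligned buffer for the value Now, one ULONG64 at a time,
 * within one page (512 entries). This is only the "find" half of the
 * three-argument replacedata() further down: there is nothing to replace,
 * because the value searched for and the value the original then stored
 * were the same, so the store was a no-op and is not kept.
 *
 * NOTE(review): this definition is not called anywhere in this file and,
 * in C, a second `replacedata` with a different parameter list is a
 * redefinition error against the three-argument version below; one of the
 * two has to be renamed or removed for the file to build as C.
 *
 * Original: buffer start; must be readable for a full page.
 * Now:      value to look for.
 * Returns TRUE when found, FALSE when Original is NULL or the value is not
 * present. The original never returned a value from this BOOLEAN function,
 * advanced by `Original + 8` on a ULONG64* (64 bytes, not 8) and ran
 * unbounded until it hit a match.
 */
BOOLEAN replacedata(ULONG64 *Original, ULONG64 Now)
{
    const INT Entries = (INT)(0x1000 / sizeof(ULONG64)); /* one page of qwords */
    INT Index;

    if (Original == NULL)
    {
        return FALSE;
    }
    for (Index = 0; Index < Entries; Index++)
    {
        if (Original[Index] == Now)
        {
            return TRUE;
        }
    }
    return FALSE;
}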
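/*
 * Locate the end of a function as laid out by the WDK toolchain: a `ret`
 * (0xC3) followed by at least four `int 3` (0xCC) padding bytes, i.e. the
 * byte pattern C3 CC CC CC CC. Example from a disassembly:
 *   fffff880`0307c3db c3 ret
 *   fffff880`0307c3dc cc int 3
 *   fffff880`0307c3dd cc int 3
 *   fffff880`0307c3de cc int 3
 *   fffff880`0307c3df cc int 3
 *
 * adr: start of the function; must be readable for one page.
 * Returns (offset of the ret) + 3, as the original did, or 0 when adr is
 * NULL or the pattern is not found within the first 0x1000 bytes.
 * NOTE(review): the "+ 3" is preserved from the original (it spans the ret
 * and two padding bytes); a caller that wants to copy the function would
 * more plausibly want + 1 (through the ret only) — confirm before use.
 * This function is not called anywhere in this file.
 *
 * Fix: the original loop condition was `a[0] != C3 && a[1] != CC && ...`,
 * which keeps scanning only while *every* byte mismatches, so it stopped at
 * the first position where any single byte happened to match (e.g. a stray
 * 0xCC immediate) and ran unbounded otherwise. The whole pattern is now
 * required and the scan is bounded.
 */
INT CalcWdkoptimizationCodeSize(UCHAR *adr) {
    const INT limit = 0x1000; /* one page, matching the copy buffers in this file */
    INT i;

    if (adr == NULL) {
        return 0;
    }
    /* i + 4 must stay inside the window: the pattern is 5 bytes long */
    for (i = 0; i + 4 < limit; i++) {
        if (adr[i] == 0xC3 && adr[i + 1] == 0xCC && adr[i + 2] == 0xCC &&
            adr[i + 3] == 0xCC && adr[i + 4] == 0xCC) {
            return i + 3;
        }
    }
    return 0;
}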
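/*
 * Patch a 64-bit placeholder inside a copied code stub.
 *
 * Original: start of the stub buffer; scanned byte by byte.
 * Orig:     placeholder value to look for.
 * Now:      value written (as 8 little-endian bytes) over the placeholder.
 *
 * Only the low 5 bytes of Orig are compared, exactly as in the original
 * code. Every placeholder used in this file (0x?88777009e8f000 and
 * 0x?8888800c9e8f000) shares the same low 5 bytes, so in practice a call
 * patches the first not-yet-patched placeholder in buffer order and the
 * distinct high byte does not select one. Callers therefore must issue
 * their replacedata() calls in the order the placeholders appear in the
 * stub. (Comparing all 8 bytes would make the placeholders selective, but
 * that cannot be verified against the stub sources from this file.)
 *
 * The scan covers one page (the size of every buffer passed in this file)
 * minus the 8 bytes of the write, so the patch never lands outside the
 * buffer. Returns TRUE if a match was patched; FALSE if Original is NULL
 * or no match was found, in which case nothing is written.
 *
 * Fix: the original never reset its pointer on a miss, so after 0x1001
 * iterations `if (Original)` was still true and it wrote Now one page past
 * the end of the buffer — a kernel pool overwrite whenever a placeholder was
 * absent. Its 5-byte window was also read at offset 0x1000, past the page.
 */
BOOLEAN replacedata(UCHAR *Original, ULONG64 Orig, ULONG64 Now)
{
    const INT ScanBytes = 0x1000;          /* one page, matching the callers' buffers */
    const INT MatchBytes = 5;              /* prefix compared, as in the original */
    UCHAR Pattern[sizeof(ULONG64)];
    INT Offset;

    if (Original == NULL)
    {
        return FALSE;
    }
    /* explicit byte copy instead of the implicit ULONG64* -> UCHAR* conversion */
    memcpy(Pattern, &Orig, sizeof(Pattern));
    /* stop while a full 8-byte write still fits inside the window */
    for (Offset = 0; Offset + (INT)sizeof(Now) <= ScanBytes; Offset++)
    {
        if (memcmp(Original + Offset, Pattern, MatchBytes) == 0)
        {
            memcpy(Original + Offset, &Now, sizeof(Now));
            return TRUE;
        }
    }
    return FALSE;
}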
// ObReferenceObjectByName is not declared by the headers included above, so
// its prototype is supplied here by hand. On success *Object holds a
// referenced pointer that the caller must release with ObDereferenceObject
// (startTask does so).
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID *Object
);
// Object type passed to ObReferenceObjectByName to look a driver up by name.
extern POBJECT_TYPE* IoDriverObjectType;
// Local prototype for MmCopyVirtualMemory, which startTask resolves at run
// time with MmGetSystemRoutineAddress. NOTE(review): the process parameters
// are declared ULONG here, which is 32 bits on x64; if the real routine
// takes pointer-sized process arguments this typedef is only usable as an
// address to hand to the shellcode, not for calling the routine from C —
// confirm against the kernel's definition.
typedef NTSTATUS (*MmCopyVirtualMemoryx)(IN ULONG FromProcess, IN CONST VOID *FromAddress, IN ULONG ToProcess, OUT PVOID ToAddress, IN SIZE_T BufferSize, IN KPROCESSOR_MODE PreviousMode, OUT PSIZE_T NumberOfBytesCopied);
// Resume address inside the hooked IRP_MJ_DEVICE_CONTROL handler
// (handler + 0x18); startTask patches it into the Orgi trampoline.
PDRIVER_DISPATCH gfn_OrigReadCompleteRoutine;
// Driver object of the hooked driver; referenced and dereferenced again
// inside startTask, so the pointer is not guaranteed valid afterwards.
PDRIVER_OBJECT g_FilterDriverObject = NULL;
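/*
 * Install the dispatch hook on the target driver's IRP_MJ_DEVICE_CONTROL
 * handler (the driver object named below). Three NonPagedPool code buffers
 * are built first:
 *   Orgi      - copy of OrgiDispatch, its placeholder patched with the
 *               address the hook resumes at (handler + 0x18);
 *   read      - copy of the Write stub, its placeholders patched with the
 *               kernel routines it calls;
 *   driverdis - copy of DriverDisPath, patched with the two buffers above
 *               and the trampoline.
 * Finally the handler's code is overwritten with jmp_code so control lands
 * in driverdis. The three buffers are intentionally never freed on success:
 * they are live code from then on.
 *
 * No return value. Every failure (lookup, routine resolution, allocation,
 * stub measurement, missing placeholder) is logged with DbgPrint and backed
 * out: buffers allocated so far are freed and the driver reference is
 * dropped, and the hook is not installed. The original checked only the
 * object lookup and would have dereferenced NULL on a failed allocation.
 *
 * Assumptions this code makes that cannot be verified from this file:
 *   - the first 0x18 bytes of the handler are relocatable and end on an
 *     instruction boundary (the trampoline resumes at handler + 0x18);
 *   - jmp_code is a 14-byte absolute jump whose 8-byte target sits at
 *     offset 6, and KernelMemCopy's last argument (0x18) matches that
 *     layout;
 *   - replacedata() patches placeholders positionally (its compare covers
 *     only the low 5 bytes, shared by all placeholders), so the calls
 *     below must stay in the order the placeholders appear in each stub.
 * NOTE(review): writing into executable kernel code is what HVCI / kernel
 * code integrity exists to prevent; on a system with it enabled this path
 * is expected to fail or bugcheck rather than install — confirm the target
 * configuration.
 */
void startTask()
{
    const ULONG PoolTag = 'kooH';           /* was 0: a zero tag is reserved and hides these from pool tracking */
    NTSTATUS Status;
    UNICODE_STRING DestinationString;
    UNICODE_STRING routineName;
    MmCopyVirtualMemoryx MmCopyVirtualMemoryRoutine;
    PVOID Orgi = NULL;
    PVOID read = NULL;
    PVOID driverdis = NULL;
    INT codesize;
    PDRIVER_DISPATCH Adr;
    BOOLEAN installed = FALSE;

    RtlInitUnicodeString(&DestinationString, L"\\Driver\\ComputerZ");
    Status = ObReferenceObjectByName(&DestinationString,
        OBJ_CASE_INSENSITIVE, NULL, NULL,
        *IoDriverObjectType, KernelMode, NULL, (PVOID)&g_FilterDriverObject);
    //result = IoGetDeviceObjectPointer( &DestinationString, FILE_ALL_ACCESS, &FileObject, &pDriver);
    DbgPrint("hookLudashiFsk pDriver:%p result:%lx IoDeviceObjectType:%p\n", g_FilterDriverObject, Status, IoDriverObjectType);
    if (!NT_SUCCESS(Status))
    {
        return; /* no reference was taken, nothing to release */
    }

    RtlInitUnicodeString(&routineName, L"MmCopyVirtualMemory");
    MmCopyVirtualMemoryRoutine = (MmCopyVirtualMemoryx)MmGetSystemRoutineAddress(&routineName);
    if (MmCopyVirtualMemoryRoutine == NULL)
    {
        DbgPrint("hookLudashiFsk MmCopyVirtualMemory not found\n");
        goto cleanup;
    }

    /* 1. trampoline back into the original handler: copy the Orgi stub and
     *    patch in the resume address (handler + 0x18). */
    Orgi = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, PoolTag);
    if (Orgi == NULL)
    {
        DbgPrint("hookLudashiFsk pool allocation failed (Orgi)\n");
        goto cleanup;
    }
    codesize = CalcShellcodeSize((UCHAR*)&OrgiDispatch);
    if (codesize <= 0)
    {
        DbgPrint("hookLudashiFsk OrgiDispatch has no terminating ret\n");
        goto cleanup;
    }
    memcpy(Orgi, &OrgiDispatch, (SIZE_T)codesize);
    gfn_OrigReadCompleteRoutine = g_FilterDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    gfn_OrigReadCompleteRoutine = (PDRIVER_DISPATCH)((UCHAR*)gfn_OrigReadCompleteRoutine + 0x18);
    if (!replacedata((UCHAR*)Orgi, 0x98888800c9e8f000, (ULONG64)gfn_OrigReadCompleteRoutine))
    {
        DbgPrint("hookLudashiFsk placeholder missing in OrgiDispatch\n");
        goto cleanup;
    }

    /* 2. helper stub: copy the Write stub and patch in the kernel routines
     *    it calls, in placeholder order.
     * NOTE(review): `write` and `Write` are distinct identifiers in C and
     * neither is declared in this file; both are kept exactly as found —
     * confirm they name the same stub symbol. */
    read = ExAllocatePoolWithTag(NonPagedPool, 0x1000, PoolTag);
    if (read == NULL)
    {
        DbgPrint("hookLudashiFsk pool allocation failed (read)\n");
        goto cleanup;
    }
    codesize = CalcShellcodeSize((UCHAR*)&write);
    if (codesize <= 0)
    {
        DbgPrint("hookLudashiFsk Write stub has no terminating ret\n");
        goto cleanup;
    }
    memcpy(read, &Write, (SIZE_T)codesize);
    /* The third patch used to pass &MmCopyVirtualMemoryRoutine — the address
     * of this function's stack local, dangling as soon as startTask returns —
     * instead of the resolved routine address like every other entry. */
    if (!replacedata((UCHAR*)read, 0x788777009e8f000, (ULONG64)&PsLookupProcessByProcessId) ||
        !replacedata((UCHAR*)read, 0x688777009e8f000, (ULONG64)&PsLookupProcessByProcessId) ||
        !replacedata((UCHAR*)read, 0x588777009e8f000, (ULONG64)MmCopyVirtualMemoryRoutine) ||
        !replacedata((UCHAR*)read, 0x488777009e8f000, (ULONG64)&ObfDereferenceObject) ||
        !replacedata((UCHAR*)read, 0x388777009e8f000, (ULONG64)&ObfDereferenceObject) ||
        !replacedata((UCHAR*)read, 0x288777009e8f000, (ULONG64)&ObfDereferenceObject))
    {
        DbgPrint("hookLudashiFsk placeholder missing in Write stub\n");
        goto cleanup;
    }

    /* 3. the hook body: copy DriverDisPath and patch in read/write and the
     *    trampoline. */
    driverdis = ExAllocatePoolWithTag(NonPagedPool, 0x1000, PoolTag);
    if (driverdis == NULL)
    {
        DbgPrint("hookLudashiFsk pool allocation failed (driverdis)\n");
        goto cleanup;
    }
    codesize = CalcShellcodeSize((UCHAR*)&DriverDisPath);
    if (codesize <= 0)
    {
        DbgPrint("hookLudashiFsk DriverDisPath has no terminating ret\n");
        goto cleanup;
    }
    memcpy(driverdis, &DriverDisPath, (SIZE_T)codesize);
    if (!replacedata((UCHAR*)driverdis, 0x78888800c9e8f000, (ULONG64)read) ||   //read
        !replacedata((UCHAR*)driverdis, 0x68888800c9e8f000, (ULONG64)write) ||  //write
        !replacedata((UCHAR*)driverdis, 0x88888800c9e8f000, (ULONG64)Orgi))     //orig dis
    {
        DbgPrint("hookLudashiFsk placeholder missing in DriverDisPath\n");
        goto cleanup;
    }
    DbgPrint("shellcode:%p\n", driverdis);

    /* 4. redirect the handler: drop driverdis's address into jmp_code and
     *    write the jump over the handler's code. */
    memcpy(jmp_code + 6, &driverdis, 8);
    Adr = g_FilterDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    KernelMemCopy(Adr, jmp_code, 14, 0x18);
    installed = TRUE;

cleanup:
    if (!installed)
    {
        /* back out: nothing points at these buffers yet, so they can go */
        if (driverdis != NULL)
        {
            ExFreePoolWithTag(driverdis, PoolTag);
        }
        if (read != NULL)
        {
            ExFreePoolWithTag(read, PoolTag);
        }
        if (Orgi != NULL)
        {
            ExFreePoolWithTag(Orgi, PoolTag);
        }
    }
    ObDereferenceObject(g_FilterDriverObject); /* drop the reference taken by ObReferenceObjectByName */
}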
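/*
 * Restore the original bytes over the hooked code: write HOOK_INST_LEN
 * bytes saved in lpHookInfo->origCode back to lpHookInfo->fnOrigAddress,
 * with write protection lowered around the copy by mem_protect_close() /
 * mem_protect_open() (both defined elsewhere; what they toggle is not
 * visible here — presumably CR0.WP, confirm).
 *
 * NOTE(review): lpHookInfo, HOOK_INST_LEN and the two protection helpers
 * are not declared in this file, and nothing in this file assigns
 * lpHookInfo — startTask installs its hook with jmp_code/KernelMemCopy and
 * records nothing. Unless another unit fills lpHookInfo in, this restores
 * nothing; the NULL guard below keeps that case from dereferencing NULL
 * in the kernel, which the original did unconditionally.
 */
void stopTask()
{
    if (lpHookInfo == NULL)
    {
        return; /* no hook recorded: nothing to restore */
    }
    mem_protect_close();
    memcpy((PVOID)lpHookInfo->fnOrigAddress, lpHookInfo->origCode, HOOK_INST_LEN);
    mem_protect_open();
}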