/// <summary> /// Initialize loader stuff /// </summary> /// <param name="pThisModule">Any valid system module</param> /// <returns>Status code</returns> NTSTATUS BBInitLdrData( IN PKLDR_DATA_TABLE_ENTRY pThisModule ) { PVOID kernelBase = GetKernelBase(); if (kernelBase == NULL) { DPRINT( "BlackBone: %s: Failed to retrieve Kernel base address. Aborting\n", __FUNCTION__ ); return STATUS_NOT_FOUND; } // Get PsLoadedModuleList address for (PLIST_ENTRY pListEntry = pThisModule->InLoadOrderLinks.Flink; pListEntry != &pThisModule->InLoadOrderLinks; pListEntry = pListEntry->Flink) { // Search for Ntoskrnl entry PKLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD( pListEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks ); if (kernelBase == pEntry->DllBase) { // Ntoskrnl is always first entry in the list // Check if found pointer belongs to Ntoskrnl module if ((PVOID)pListEntry->Blink >= pEntry->DllBase && (PUCHAR)pListEntry->Blink < (PUCHAR)pEntry->DllBase + pEntry->SizeOfImage) { PsLoadedModuleList = pListEntry->Blink; break; } } } if (!PsLoadedModuleList) { DPRINT( "BlackBone: %s: Failed to retrieve PsLoadedModuleList address. Aborting\n", __FUNCTION__ ); return STATUS_NOT_FOUND; } return STATUS_SUCCESS; }
int main() { HMODULE dll = GetModuleHandle("kernel32.dll"); HMODULE dll2 = GetKernelBase(); HMODULE dll3 = GetModuleHandle("ntdll.dll"); printf( "%08x %08x %08x", dll, dll2, dll3 ); }
/// <summary> /// Change handle granted access /// </summary> /// <param name="pAccess">Request params</param> /// <returns>Status code</returns> NTSTATUS BBUnlinkHandleTable( IN PUNLINK_HTABLE pUnlink ) { NTSTATUS status = STATUS_SUCCESS; PEPROCESS pProcess = NULL; // Validate dynamic offset if (dynData.ExRemoveTable == 0 || dynData.ObjTable == 0) { DPRINT( "BlackBone: %s: Invalid ExRemoveTable/ObjTable address\n", __FUNCTION__ ); return STATUS_INVALID_ADDRESS; } // Validate build if (dynData.correctBuild == FALSE) { DPRINT( "BlackBone: %s: Unsupported kernel build version\n", __FUNCTION__ ); return STATUS_INVALID_KERNEL_INFO_VERSION; } status = PsLookupProcessByProcessId( (HANDLE)pUnlink->pid, &pProcess ); if (NT_SUCCESS( status )) { PHANDLE_TABLE pTable = *(PHANDLE_TABLE*)((PUCHAR)pProcess + dynData.ObjTable); // Unlink process handle table fnExRemoveHandleTable ExRemoveHandleTable = (fnExRemoveHandleTable)((ULONG_PTR)GetKernelBase( NULL ) + dynData.ExRemoveTable); //DPRINT( "BlackBone: %s: ExRemoveHandleTable address 0x%p. Object Table offset: 0x%X\n", // __FUNCTION__, ExRemoveHandleTable, dynData.ObjTable ); ExRemoveHandleTable( pTable ); } else DPRINT( "BlackBone: %s: PsLookupProcessByProcessId failed with status 0x%X\n", __FUNCTION__, status ); if (pProcess) ObDereferenceObject( pProcess ); return status; }
//-------------------------------------------------------------------------------------- NTSTATUS DriverEntry( PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { #ifdef USE_DSE_BYPASS // check if driver image was loaded by DSE bypass exploit if (RegistryPath == NULL && m_Driver) { if (GetKernelBase() == NULL) { return STATUS_UNSUCCESSFUL; } /* IMPORTANT: Here we need to process our own import table because image was loaded using libdsebypass instead of kernel PE loader. */ if (!RuntimeProcessImports(m_Driver)) { return STATUS_UNSUCCESSFUL; } // ok, now it's safe to use imported functions as usual } else #endif // USE_DSE_BYPASS { DriverObject->DriverUnload = DriverUnload; } DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Driver loaded\n"); PVOID KernelBase = KernelGetModuleBase("ntoskrnl.exe"); if (KernelBase) { if (f_MmGetPhysicalMemoryRanges = (func_MmGetPhysicalMemoryRanges) KernelGetExportAddress(KernelBase, "MmGetPhysicalMemoryRanges")) { DbgMsg( __FILE__, __LINE__, "nt!MmGetPhysicalMemoryRanges() is at "IFMT"\n", f_MmGetPhysicalMemoryRanges ); } } RtlInitUnicodeString(&m_usDeviceName, L"\\Device\\" DEVICE_NAME); RtlInitUnicodeString(&m_usDosDeviceName, L"\\DosDevices\\" DEVICE_NAME); // create driver communication device NTSTATUS ns = IoCreateDevice( DriverObject, 0, &m_usDeviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &m_DeviceObject ); if (NT_SUCCESS(ns)) { for (int i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) { DriverObject->MajorFunction[i] = DriverDispatch; } #ifdef USE_DSE_BYPASS /* This flag must be removed when the driver has been loaded by our own loader that using nt!IoCreateDriver(). */ m_DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING; #endif ns = IoCreateSymbolicLink(&m_usDosDeviceName, &m_usDeviceName); if (NT_SUCCESS(ns)) { return STATUS_SUCCESS; } else { DbgMsg(__FILE__, __LINE__, "IoCreateSymbolicLink() fails: 0x%.8x\n", ns); } IoDeleteDevice(m_DeviceObject); } else { DbgMsg(__FILE__, __LINE__, "IoCreateDevice() fails: 0x%.8x\n", ns); } return STATUS_UNSUCCESSFUL; }