Esempio n. 1
/*
* main
*
* Purpose:
*
* Program entry point. After the user confirms, runs the virtual machine
* detection sequence, then terminates the process with exit code 0.
*
* Remarks:
*
* __security_init_cookie is the first call made. The explicit call suggests
* this routine is the raw image entry point, built without the CRT startup
* code that would normally seed the /GS cookie (assumption: the build
* settings are not visible here). The cookie has to be seeded before any
* /GS-protected function of the image is entered.
*
*/
VOID main(
	VOID
	)
{
	// Seed the /GS stack cookie before anything else in this image runs.
	__security_init_cookie();

	// Any answer other than "Yes" ends the program without running detection.
	if (MessageBox(GetDesktopWindow(),
		TEXT("Virtual Machine Detector, continue?"),
		PROGRAM_NAME, MB_ICONINFORMATION | MB_YESNO) != IDYES)
	{
		ExitProcess((UINT)0);
	}

	DetectSystemInfo();

#ifdef _DEBUG
	// Debug builds only.
	DumpFirmwareTable();
#endif

	// The list head is set up before the enumeration and detection calls;
	// vFreeList runs last (presumably releasing that list).
	InitializeListHead(&VendorsListHead);
	EnumPCIDevsReg();

	DetectVMS();
	vFreeList();

	ExitProcess((UINT)0);
}
Esempio n. 2
/*
* main
*
* Purpose:
*
* Program entry point. Seeds the /GS cookie, hands control to WinObjExMain
* and ends the process with exit code 0.
*
*/
void main()
{
	// Comes first: the /GS cookie has to be seeded before any protected
	// function of this image is entered.
	__security_init_cookie();
	WinObjExMain();

	// The process is ended explicitly; control does not return from here.
	ExitProcess(0);
}
Esempio n. 3
/*
* SfMain
*
* Purpose:
*
* Murasame main. Prepares console output, runs the extraction on the
* process command line and, when attached to a console, waits for input
* before exiting with the extraction result.
*
*/
void SfMain(
	VOID
	)
{
	BOOL         bRepeat = FALSE;   // never set: the loop body runs once
	UINT         uExitCode = 0;
	DWORD        dwScratch;
	HANDLE       hStdIn;
	INPUT_RECORD KeyEvent;

	// Seed the /GS cookie before any other routine of this image is called.
	__security_init_cookie();

	do {

		g_ConOut = GetStdHandle(STD_OUTPUT_HANDLE);
		if (g_ConOut == INVALID_HANDLE_VALUE) {
			uExitCode = (UINT)-1;
			break;
		}

		// GetConsoleMode fails when the handle is not a console
		// (for example when output is redirected).
		g_ConsoleOutput = GetConsoleMode(g_ConOut, &dwScratch) ? TRUE : FALSE;

		SetConsoleTitle(T_SFEXTRACTTITLE);
		SetConsoleMode(g_ConOut, ENABLE_LINE_INPUT | ENABLE_ECHO_INPUT | ENABLE_PROCESSED_OUTPUT);

		// Non-console output gets one WCHAR from BE written first
		// (presumably a byte order mark, going by the name; confirm).
		if (!g_ConsoleOutput) {
			WriteFile(g_ConOut, &BE, sizeof(WCHAR), &dwScratch, NULL);
		}

		if (!SfInitGdiPlus()) {
			SfcuiPrintText(g_ConOut,
				T_SFINITFAILED,
				g_ConsoleOutput, FALSE);
		}
		else {
			// The raw process command line is handed to the extractor as is.
			uExitCode = SfExtractDropper(GetCommandLine());
		}

		// The "press any key" pause only makes sense on a real console.
		if (!g_ConsoleOutput) {
			break;
		}

		SfcuiPrintText(g_ConOut,
			T_SFPRESSANYKEY,
			TRUE, FALSE);

		hStdIn = GetStdHandle(STD_INPUT_HANDLE);
		if (hStdIn == INVALID_HANDLE_VALUE) {
			break;
		}

		RtlSecureZeroMemory(&KeyEvent, sizeof(KeyEvent));
		ReadConsoleInput(hStdIn, &KeyEvent, 1, &dwScratch);

		// NOTE(review): ReadConsole takes its count in characters, while
		// sizeof(BE) is a byte count, and BE is the same object that is
		// written out above. Confirm BE's type and size.
		ReadConsole(hStdIn, &BE, sizeof(BE), &dwScratch, NULL);

	} while (bRepeat);

	ExitProcess(uExitCode);
}
Esempio n. 4
// For the CoreClr, this is the real DLL entrypoint. We make ourselves the first entrypoint as
// we need to capture coreclr's hInstance before the C runtime initializes. This function
// will capture hInstance, let the C runtime initialize and then invoke the "classic"
// DllMain that initializes everything else.
//
// Ordering, as implemented below:
//   attach: /GS cookie (process attach only) -> InitUtilcode (process attach only)
//           -> _CRT_INIT -> DllMain
//   detach: DllMain -> _CRT_INIT (the reverse of attach)
//
// Returns the result of DllMain, except on process attach where a failed _CRT_INIT
// is returned directly, and FALSE for an unknown dwReason.
extern "C" BOOL WINAPI CoreDllMain(HANDLE hInstance, DWORD dwReason, LPVOID lpReserved)
{
    STATIC_CONTRACT_NOTHROW;

    BOOL result;
    switch (dwReason)
    {
        case DLL_PROCESS_ATTACH:
#ifndef FEATURE_PAL        
            // Make sure the /GS security cookie is initialized before we call anything else.
            // BinScope detects the call to __security_init_cookie in its "Has Non-GS-friendly
            // Initialization" check and makes it pass.
            __security_init_cookie();
#endif // FEATURE_PAL        

            // It's critical that we invoke InitUtilcode() before the CRT initializes. 
            // We have a lot of global ctors that will break if we let the CRT initialize without
            // this step having been done.

            CoreClrCallbacks cccallbacks;
            cccallbacks.m_hmodCoreCLR               = (HINSTANCE)hInstance;
            cccallbacks.m_pfnIEE                    = IEE;
            cccallbacks.m_pfnGetCORSystemDirectory  = GetCORSystemDirectoryInternal;
            cccallbacks.m_pfnGetCLRFunction         = GetCLRFunction;
            InitUtilcode(cccallbacks);

            if (!(result = _CRT_INIT(hInstance, dwReason, lpReserved)))
            {
                // CRT_INIT may fail to initialize the CRT heap. Make sure we don't continue 
                // down a path that would trigger an AV and tear down the host process
                break;
            }
            result = DllMain(hInstance, dwReason, lpReserved);
            break;
        
        case DLL_THREAD_ATTACH:
            // Unlike process attach, the _CRT_INIT result is not checked here;
            // DllMain runs regardless and its result is what gets returned.
            _CRT_INIT(hInstance, dwReason, lpReserved);
            result = DllMain(hInstance, dwReason, lpReserved);
            break;

        case DLL_PROCESS_DETACH: // intentional fallthru
        case DLL_THREAD_DETACH:
            // Teardown mirrors attach: DllMain first, the CRT afterwards.
            result = DllMain(hInstance, dwReason, lpReserved);
            _CRT_INIT(hInstance, dwReason, lpReserved);
            break;

        default:
            result = FALSE;  // it'd be an OS bug if we got here - not much we can do.
            break;   
    }
    return result;
}
Esempio n. 5
/* DLL entry point stub.  On process attach it seeds the /GS cookie (and, on
   64-bit builds, calls __mingw_init_ehandler) before forwarding every
   notification to __DllMainCRTStartup, whose result is returned.  */
WINBOOL WINAPI
DllMainCRTStartup (HANDLE hDllHandle, DWORD dwReason, LPVOID lpreserved)
{
  mingw_app_type = 0;

  switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
      /* Once per process, and ahead of the real startup code: the cookie
         has to hold its final value before protected functions run.  */
      __security_init_cookie ();
#ifdef _WIN64
      __mingw_init_ehandler ();
#endif
      break;

    default:
      /* Thread attach/detach and process detach need no extra setup.  */
      break;
    }

  return __DllMainCRTStartup (hDllHandle, dwReason, lpreserved);
}
Esempio n. 6
/*
 * Executable entry point stub: seeds the /GS cookie and then transfers to
 * __tmainCRTStartup, returning whatever that returns.
 *
 * This function is kept free of locals and of exception handling so that
 * it needs no cookie-protected frame of its own.
 */
int
_tmainCRTStartup(
    void
) {
    /*
     * The /GS security cookie must be initialized before any exception
     * handling targeting the current image is registered.  No function
     * using exception handling can be called in the current image until
     * after __security_init_cookie has been called.
     */
    __security_init_cookie();
    return __tmainCRTStartup();
}
Esempio n. 7
/*
* SfMain
*
* Purpose:
*
* Yuudachi main. Starts Winsock 2.2, runs the UI and exits. The exit code
* is (UINT)-1 when Winsock cannot be started and 0 otherwise.
*
*/
void SfMain(
	VOID
	)
{
	// NOTE(review): WSADATA carries character arrays, so /GS may treat this
	// frame as protected and store the cookie in the prologue, before the
	// call below seeds it. Every path leaves through ExitProcess, so the
	// epilogue check is never reached. Confirm against the build flags.
	WSADATA  WinsockInfo;

	__security_init_cookie();

	if (WSAStartup(MAKEWORD(2, 2), &WinsockInfo) == 0) {

		SfUImain();

		// Pair the successful WSAStartup with WSACleanup before exiting.
		WSACleanup();
		ExitProcess(0);
	}

	// Reached only when WSAStartup reported a failure.
	ExitProcess((UINT)-1);
}
Esempio n. 8
/*
 * DLL entry point stub: seeds the /GS cookie on process attach, then
 * forwards every notification to __DllMainCRTStartup and returns its result.
 */
BOOL WINAPI
_DllMainCRTStartup(
    HANDLE  hDllHandle,
    DWORD   dwReason,
    LPVOID  lpreserved
) {
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        /*
         * The /GS security cookie must be initialized before any exception
         * handling targeting the current image is registered.  No function
         * using exception handling can be called in the current image until
         * after __security_init_cookie has been called.
         */
        __security_init_cookie();
        break;

    default:
        /* The cookie is seeded once per process; nothing to do otherwise. */
        break;
    }

    return __DllMainCRTStartup(hDllHandle, dwReason, lpreserved);
}
Esempio n. 9
// DLL notification handler: records the module handle in currentInstance on
// every call and always reports success. When NEEDS_CRT_INIT is defined it
// also seeds the /GS cookie and calls __crt_dll_initialize on attach.
BOOL APIENTRY DllMain(HANDLE hModule,
	DWORD ul_reason_for_call,
	LPVOID /*lpReserved*/)
{
	// Referenced so the parameter counts as used when NEEDS_CRT_INIT is off.
	(void)ul_reason_for_call;

#ifdef NEEDS_CRT_INIT
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	case DLL_THREAD_ATTACH:
		// NOTE(review): both calls are repeated for every new thread, not
		// only once per process. Confirm that __crt_dll_initialize is
		// meant to run on DLL_THREAD_ATTACH as well.
		__security_init_cookie();
		__crt_dll_initialize();
		break;

	default:
		break;
	}
#endif

	currentInstance = static_cast<HINSTANCE>(hModule);
	return TRUE;
}
Esempio n. 10
// Entry point wrapper: seeds the /GS cookie when NEED_COOKIE_INIT is defined,
// then returns the result of CallStartupWithinTryBlock().
// The body is deliberately limited to these two calls; see the constraints
// spelled out below before adding locals or a __try block here.
EXTERN_C int wseh_EntryPoint()
{
#ifdef NEED_COOKIE_INIT
	// 2006-02-16 workaround for R6035 on VC8:
	//
	// SEH code compiled with /GS pushes a "security cookie" onto the
	// stack. since we're called before CRT init, the cookie won't have
	// been initialized yet, which would cause the CRT to FatalAppExit.
	// to solve this, we must call __security_init_cookie before any
	// hidden compiler-generated SEH registration code runs,
	// which means the __try block must be moved into a helper function.
	//
	// NB: wseh_EntryPoint() must not contain local string buffers,
	// either - /GS would install a cookie here as well (same problem).
	//
	// see http://msdn2.microsoft.com/en-US/library/ms235603.aspx
	__security_init_cookie();
#endif
	return CallStartupWithinTryBlock();
}
Esempio n. 11
/* Executable entry point stub: clears mingw_app_type, seeds the /GS cookie
   and returns the result of __tmainCRTStartup.  */
int mainCRTStartup (void)
{
  /* Presumably 0 marks a console (non-GUI) application; confirm against
     the GUI counterpart of this stub.  */
  mingw_app_type = 0;
  /* The cookie has to hold its final value before the real startup code,
     and anything it calls, runs with /GS-protected frames.  */
  __security_init_cookie ();
  return __tmainCRTStartup ();
}
Esempio n. 12
/*
* ldrMain
*
* Purpose:
*
* Program entry point. Handles the "-l" (install) and "-u" (remove)
* commands given as the first command line parameter; anything else shows
* the help text. Always exits with code 0.
*
* Remarks:
*
* The install path stops the VirtualBox network connection and drivers,
* loads what this code itself calls the "vulnerable VBoxDrv" from
* <system directory>\drivers\VBoxDrv.sys, uses it to switch Driver
* Signature Enforcement (DSE) off while the monitor is installed, then
* switches DSE back on and restores the backed-up driver.
*
* For defenders: the steps visible here leave observable traces, namely
* stop/start of the VirtualBox driver services, a VBoxDrv.sys load from the
* drivers directory followed by DeleteFile on the same path, and a window
* in which DSE is off. Blocking known-vulnerable drivers (for example with
* a driver blocklist policy) addresses this class of technique.
*
*/
void ldrMain(
	VOID
	)
{
	BOOL	cond = FALSE;	// never set: the do/while body runs once
	LONG	x;
	ULONG	l = 0, dwCmd;
	HANDLE	hDevice;
	PVOID	DataBuffer;
	BOOL	bConDisabled, bUsbMonDisabled;
	// NOTE(review): two local WCHAR arrays mean /GS would normally protect
	// this frame, storing the cookie in the prologue before the call below
	// seeds it. The function leaves through ExitProcess, so the epilogue
	// check is not reached. Confirm against the build flags.
	WCHAR	cmdLineParam[MAX_PATH + 1];
	WCHAR	szDriverBuffer[MAX_PATH * 2];

	__security_init_cookie();

	bConDisabled = FALSE;
	bUsbMonDisabled = FALSE;
	DataBuffer = NULL;
	hDevice = NULL;

	dwCmd = 0;
	do {

		//
		// Check OS version.
		//
		RtlSecureZeroMemory(&g_osv, sizeof(g_osv));
		g_osv.dwOSVersionInfoSize = sizeof(g_osv);
		RtlGetVersion((PRTL_OSVERSIONINFOW)&g_osv);

		//
		// We support only Vista based OS.
		//
		if (g_osv.dwMajorVersion < 6) {
			MessageBox(GetDesktopWindow(), TEXT("Unsupported OS."),
				T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Check number of instances running.
		// The counter is decremented again after the loop on every path.
		//
		x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
		if (x > 1) {
			break;
		}

		//
		// Check if any VBox instances are running, they must be closed before our usage.
		//
		if (supProcessExist(L"VirtualBox.exe")) {
			MessageBox(GetDesktopWindow(), TEXT("VirtualBox is running, close it before."),
				T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Query command line.
		// The buffer holds MAX_PATH + 1 elements and MAX_PATH is passed as its
		// size, which leaves room for the terminator after the zero fill.
		//
		RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
		GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &l);
		if (l == 0) {
			//
			// Nothing in command line, simple display help and leave.
			//
			MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Check known command.
		//
		if (_strcmpi(cmdLineParam, TEXT("-l")) == 0) {
			dwCmd = TSMI_INSTALL;
		}
		else {
			if (_strcmpi(cmdLineParam, TEXT("-u")) == 0) {
				dwCmd = TSMI_REMOVE;
			}
		}
		if (dwCmd == 0) {
			MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Init ldr and DSEFix.
		//
		if (!ldrInit(dwCmd)) {
			break;
		}

		//
		// Process command.
		//
		switch (dwCmd) {
			
			case TSMI_INSTALL:

				// Backup vboxdrv if exists.
				supBackupVBoxDrv(FALSE);

				// Stop VBox Networking and USB driver.
				// The two flags record what was switched off here so that the
				// cleanup after the loop only re-enables those items.
				bConDisabled = (SUCCEEDED(supNetworkConnectionEnable(VBoxNetConnect, FALSE)));
				bUsbMonDisabled = dsfStopDriver(VBoxUsbMon);
				dsfStopDriver(VBoxDrvSvc);

				// Load vulnerable VBoxDrv, disable VBox Network if exist.
				RtlSecureZeroMemory(szDriverBuffer, sizeof(szDriverBuffer));
				if (GetSystemDirectory(szDriverBuffer, MAX_PATH) == 0) {
					MessageBox(GetDesktopWindow(), TEXT("Cannot find System32 directory."),
						NULL, MB_ICONINFORMATION);
					// NOTE(review): this break exits only the switch. On this
					// path the backup taken above is not restored and
					// VBoxDrvSvc is not restarted.
					break;
				}
				// At most MAX_PATH characters were requested above and the
				// buffer holds MAX_PATH * 2, so the fixed suffix fits.
				_strcat(szDriverBuffer, TEXT("\\drivers\\VBoxDrv.sys"));
				hDevice = dsfLoadVulnerableDriver(szDriverBuffer);
				if (hDevice) {

					//
					// Disable DSE so we can load monitor.
					// Device handle closed by DSEFix routine.
					//
					if (ldrPatchDSE(hDevice, TRUE)) {

						// Stop our VBoxDrv, need reloading for 2nd usage.
						dsfStopDriver(VBoxDrvSvc);

						// Load custom patch table, if present.
						// The second command line parameter is passed on to
						// ldrFetchCustomPatchData unchanged.
						RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
						GetCommandLineParam(GetCommandLine(), 2, cmdLineParam, MAX_PATH, &l);
						if (l > 0) {
							l = 0;
							DataBuffer = ldrFetchCustomPatchData(cmdLineParam, &l);
							if ((DataBuffer != NULL) && (l > 0)) {
								g_TsmiPatchDataValue = DataBuffer;
								g_TsmiPatchDataValueSize = l;
							}
						}

						// Install and run monitor.
						if (!ldrSetMonitor()) {
							MessageBox(GetDesktopWindow(),
								TEXT("Error loading Tsugumi"), NULL, MB_ICONERROR);
						}

						// Enable DSE back.
						// NOTE(review): if dsfStartDriver fails here, DSE is
						// left in the state set by the earlier ldrPatchDSE call.
						hDevice = NULL;
						if (dsfStartDriver(VBoxDrvSvc, &hDevice)) {
							ldrPatchDSE(hDevice, FALSE);
						}

					}
					else { //ldrPatchDSE failure case

						// Unknown error during DSE disabling attempt.
						MessageBox(GetDesktopWindow(),
							TEXT("Error disabling DSE"), NULL, MB_ICONERROR);
					}

					// Finally, remove our vboxdrv file and restore backup.
					dsfStopDriver(VBoxDrvSvc);
					DeleteFile(szDriverBuffer);
					supBackupVBoxDrv(TRUE);

					// Restart installed VBoxDrv.
					dsfStartDriver(VBoxDrvSvc, NULL);

				}
				else { //dsfLoadVulnerableDriver failure case.

					// Load error, show error message and restore backup.
					supBackupVBoxDrv(TRUE);
					MessageBox(GetDesktopWindow(),
						TEXT("Error loading VBoxDrv"), NULL, MB_ICONERROR);
				}	
				break;
				
			//
			// Remove command, unload our driver and purge file/memory list cache.
			//
			case TSMI_REMOVE:
				scmUnloadDeviceDriver(TsmiDrvName);
				supPurgeSystemCache();
				break;

		}

	} while (cond);

	//
	// Cleanup after install.
	//
	if (dwCmd == TSMI_INSTALL) {

		// Re-enable VBox Network, UsbMonitor if they're disabled.
		if (bConDisabled) {
			supNetworkConnectionEnable(VBoxNetConnect, TRUE);
		}
		if (bUsbMonDisabled) {
			dsfStartDriver(VBoxUsbMon, NULL);
		}

		// Free memory allocated for custom patch table.
		// The g_TsmiPatchDataValue global set above still holds this pointer
		// afterwards; the process exits immediately below.
		if (DataBuffer != NULL) {
			HeapFree(GetProcessHeap(), 0, DataBuffer);
		}
	}

	InterlockedDecrement((PLONG)&g_lApplicationInstances);
	ExitProcess(0);
	// Not reached: ExitProcess does not return.
	return;
}
Esempio n. 13
/*
* main
*
* Purpose:
*
* Program entry point. Prints the banner, checks instance count and OS
* version, reads the first command line parameter ("-e" selects re-enabling
* DSE, anything else, including no parameter, selects disabling it), then
* loads the driver, calls DoWork and unloads the driver again. Always exits
* with code 0, so the exit code does not reflect success or failure.
*
* Remarks:
*
* For defenders: the message strings passed to ShowServiceMessage below are
* fixed literals in the image and can serve as static indicators for this
* build. Where ShowServiceMessage writes them is not visible here.
*
*/
void main()
{
	LONG x;
	ULONG ParamLen;
	HANDLE hDevice = NULL;
	// NOTE(review): a local WCHAR array means /GS would normally protect
	// this frame, storing the cookie in the prologue before the call below
	// seeds it. The function leaves through ExitProcess, so the epilogue
	// check is not reached. Confirm against the build flags.
	WCHAR cmdLineParam[MAX_PATH + 1];
	BOOL bDisable = TRUE, cond = FALSE;	// cond is never set: one pass only

	__security_init_cookie();

	//
	// Output DSEFix banner.
	//
	ShowServiceMessage("DSEFix v1.1.0 started");
	ShowServiceMessage("(c) 2014 - 2015 DSEFix Project");
	ShowServiceMessage("Supported x64 OS : Vista / 7 / 8 / 8.1 / 10");

	do {

		//
		// Check single instance.
		// The counter is decremented again after the loop on every path.
		//
		x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
		if (x > 1) {
			ShowServiceMessage("Another instance running, close it before");
			break;
		}

		//
		// Check supported OS.
		//
		RtlSecureZeroMemory(&osv, sizeof(osv));
		osv.dwOSVersionInfoSize = sizeof(osv);
		RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);
		if (osv.dwMajorVersion < 6) {
			ShowServiceMessage("Unsupported OS");
			break;
		}

		//
		// Query command line parameters.
		// ParamLen is filled in but not examined: a missing parameter leaves
		// the zeroed buffer, which does not match "-e" and so selects disable.
		//
		ParamLen = 0;
		RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
		GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &ParamLen);
		if (_strcmpi(cmdLineParam, TEXT("-e")) == 0) {
			ShowServiceMessage("DSE will be (re)enabled");
			bDisable = FALSE;
		}
		else {
			ShowServiceMessage("DSE will be disabled");
			bDisable = TRUE;
		}

		//
		// Load vulnerable driver and open its device.
		//
		hDevice = LoadVulnerableDriver();
		if (hDevice == NULL) {
			ShowServiceMessage("Failed to load vulnerable driver");
			break;
		}
		else {
			ShowServiceMessage("Vulnerable VirtualBox driver loaded");
		}

		//
		// Manipulate kernel variable.
		// A DoWork failure is only reported; cleanup below runs either way.
		//
		if (DoWork(hDevice, bDisable)) {
			ShowServiceMessage("Kernel memory patched");
		}
		else {
			ShowServiceMessage("Failed to patch kernel memory");
		}

		//
		// Do basic cleanup.
		// hDevice is not closed in this function; presumably DoWork or
		// UnloadVulnerableDriver releases it (confirm).
		//
		ShowServiceMessage("Cleaning up");
		UnloadVulnerableDriver();

		ShowServiceMessage("Finish");

	} while (cond);

	InterlockedDecrement((PLONG)&g_lApplicationInstances);
	ExitProcess(0);
}