/// <summary>
/// Initialize loader stuff
/// </summary>
/// <param name="pThisModule">Any valid system module</param>
/// <returns>Status code</returns>
NTSTATUS BBInitLdrData( IN PKLDR_DATA_TABLE_ENTRY pThisModule )
{
PVOID kernelBase = GetKernelBase();
if (kernelBase == NULL)
{
DPRINT( "BlackBone: %s: Failed to retrieve Kernel base address. Aborting\n", __FUNCTION__ );
return STATUS_NOT_FOUND;
}
// Get PsLoadedModuleList address
for (PLIST_ENTRY pListEntry = pThisModule->InLoadOrderLinks.Flink; pListEntry != &pThisModule->InLoadOrderLinks; pListEntry = pListEntry->Flink)
{
// Search for Ntoskrnl entry
PKLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD( pListEntry, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks );
if (kernelBase == pEntry->DllBase)
{
// Ntoskrnl is always first entry in the list
// Check if found pointer belongs to Ntoskrnl module
if ((PVOID)pListEntry->Blink >= pEntry->DllBase && (PUCHAR)pListEntry->Blink < (PUCHAR)pEntry->DllBase + pEntry->SizeOfImage)
{
PsLoadedModuleList = pListEntry->Blink;
break;
}
}
}
if (!PsLoadedModuleList)
{
DPRINT( "BlackBone: %s: Failed to retrieve PsLoadedModuleList address. Aborting\n", __FUNCTION__ );
return STATUS_NOT_FOUND;
}
return STATUS_SUCCESS;
}
int main()
{
HMODULE dll = GetModuleHandle("kernel32.dll");
HMODULE dll2 = GetKernelBase();
HMODULE dll3 = GetModuleHandle("ntdll.dll");
printf( "%08x %08x %08x", dll, dll2, dll3 );
}
/// <summary>
/// Change handle granted access
/// </summary>
/// <param name="pAccess">Request params</param>
/// <returns>Status code</returns>
NTSTATUS BBUnlinkHandleTable( IN PUNLINK_HTABLE pUnlink )
{
NTSTATUS status = STATUS_SUCCESS;
PEPROCESS pProcess = NULL;
// Validate dynamic offset
if (dynData.ExRemoveTable == 0 || dynData.ObjTable == 0)
{
DPRINT( "BlackBone: %s: Invalid ExRemoveTable/ObjTable address\n", __FUNCTION__ );
return STATUS_INVALID_ADDRESS;
}
// Validate build
if (dynData.correctBuild == FALSE)
{
DPRINT( "BlackBone: %s: Unsupported kernel build version\n", __FUNCTION__ );
return STATUS_INVALID_KERNEL_INFO_VERSION;
}
status = PsLookupProcessByProcessId( (HANDLE)pUnlink->pid, &pProcess );
if (NT_SUCCESS( status ))
{
PHANDLE_TABLE pTable = *(PHANDLE_TABLE*)((PUCHAR)pProcess + dynData.ObjTable);
// Unlink process handle table
fnExRemoveHandleTable ExRemoveHandleTable = (fnExRemoveHandleTable)((ULONG_PTR)GetKernelBase( NULL ) + dynData.ExRemoveTable);
//DPRINT( "BlackBone: %s: ExRemoveHandleTable address 0x%p. Object Table offset: 0x%X\n",
// __FUNCTION__, ExRemoveHandleTable, dynData.ObjTable );
ExRemoveHandleTable( pTable );
}
else
DPRINT( "BlackBone: %s: PsLookupProcessByProcessId failed with status 0x%X\n", __FUNCTION__, status );
if (pProcess)
ObDereferenceObject( pProcess );
return status;
}
//--------------------------------------------------------------------------------------
NTSTATUS DriverEntry(
PDRIVER_OBJECT DriverObject,
PUNICODE_STRING RegistryPath)
{
#ifdef USE_DSE_BYPASS
// check if driver image was loaded by DSE bypass exploit
if (RegistryPath == NULL && m_Driver)
{
if (GetKernelBase() == NULL)
{
return STATUS_UNSUCCESSFUL;
}
/*
IMPORTANT:
Here we need to process our own import table because image
was loaded using libdsebypass instead of kernel PE loader.
*/
if (!RuntimeProcessImports(m_Driver))
{
return STATUS_UNSUCCESSFUL;
}
// ok, now it's safe to use imported functions as usual
}
else
#endif // USE_DSE_BYPASS
{
DriverObject->DriverUnload = DriverUnload;
}
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Driver loaded\n");
PVOID KernelBase = KernelGetModuleBase("ntoskrnl.exe");
if (KernelBase)
{
if (f_MmGetPhysicalMemoryRanges = (func_MmGetPhysicalMemoryRanges)
KernelGetExportAddress(KernelBase, "MmGetPhysicalMemoryRanges"))
{
DbgMsg(
__FILE__, __LINE__, "nt!MmGetPhysicalMemoryRanges() is at "IFMT"\n",
f_MmGetPhysicalMemoryRanges
);
}
}
RtlInitUnicodeString(&m_usDeviceName, L"\\Device\\" DEVICE_NAME);
RtlInitUnicodeString(&m_usDosDeviceName, L"\\DosDevices\\" DEVICE_NAME);
// create driver communication device
NTSTATUS ns = IoCreateDevice(
DriverObject,
0,
&m_usDeviceName,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&m_DeviceObject
);
if (NT_SUCCESS(ns))
{
for (int i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
DriverObject->MajorFunction[i] = DriverDispatch;
}
#ifdef USE_DSE_BYPASS
/*
This flag must be removed when the driver has been loaded
by our own loader that using nt!IoCreateDriver().
*/
m_DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
#endif
ns = IoCreateSymbolicLink(&m_usDosDeviceName, &m_usDeviceName);
if (NT_SUCCESS(ns))
{
return STATUS_SUCCESS;
}
else
{
DbgMsg(__FILE__, __LINE__, "IoCreateSymbolicLink() fails: 0x%.8x\n", ns);
}
IoDeleteDevice(m_DeviceObject);
}
else
{
DbgMsg(__FILE__, __LINE__, "IoCreateDevice() fails: 0x%.8x\n", ns);
}
return STATUS_UNSUCCESSFUL;
}
