nganhkhoa/lpus-driver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

correct code to get ntoskrnl.exe

Browse Source
This commit is contained in:
nganhkhoa 2020-02-18 22:54:22 +07:00
parent de531703ab
commit 9a39e6f3c1
2 changed files with 165 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
KMDF Driver2/Driver.cpp
View File

@ -111,17 +111,30 @@ DriverEntry(
// seems like this shellcode is wrong for Windows insider Feb 2020 upgrade
// shellcode: https://gist.github.com/Barakat/34e9924217ed81fd78c9c92d746ec9c6
static const UCHAR shellcode[] = {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x38, 0x00, 0x00, 0x00, 0xB9, 0x4D, 0x5A, 0x00, 0x00, 0x48, 0x8B,
0x40, 0x04, 0x48, 0x25, 0x00, 0xF0, 0xFF, 0xFF, 0xEB, 0x06, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00,
0x66, 0x39, 0x08, 0x75, 0xF5, 0xC3
};
const auto shellPool = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(getNtoskrnlBaseShellcode), 'NakD');
RtlCopyMemory(shellPool, getNtoskrnlBaseShellcode, sizeof(getNtoskrnlBaseShellcode));
const auto get_ntoskrnl_base_address = reinterpret_cast<void *(*)()>(shellPool);
PVOID ntosbase = get_ntoskrnl_base_address();
// shellcode is useless in Windows internal 2020
// static const UCHAR getNtoskrnlBaseShellcode[] = {
// 0x65, 0x48, 0x8B, 0x04, 0x25, 0x38, 0x00, 0x00, 0x00, 0xB9, 0x4D, 0x5A, 0x00, 0x00, 0x48, 0x8B,
// 0x40, 0x04, 0x48, 0x25, 0x00, 0xF0, 0xFF, 0xFF, 0xEB, 0x06, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00,
// 0x66, 0x39, 0x08, 0x75, 0xF5, 0xC3
// };
// const auto shellPool = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(getNtoskrnlBaseShellcode), 'NakD');
// RtlCopyMemory(shellPool, getNtoskrnlBaseShellcode, sizeof(getNtoskrnlBaseShellcode));
// const auto get_ntoskrnl_base_address = reinterpret_cast<void *(*)()>(shellPool);
// PVOID ntosbase = get_ntoskrnl_base_address();
// IoGetCurrentProcess -> PEPROCESS -> ActiveProcessLinks -> FLINK until ImageFileName == "ntoskrnl.exe", get Peb->ImageBaseAddress
// because this is driver, so it will return the System, as the system loads the driver
// system is the first key in ProcessLinks so go back to get the PsActiveProcessHead
// minus the offset from pdb to get the ntoskrnl
PVOID eprocess = (PVOID)IoGetCurrentProcess();
DbgPrint("[NAK] :: [ ] eprocess : 0x%p, [%15s]\n", eprocess, (char*)((ULONG64)eprocess + 0x5a8));
PVOID processHead = (PVOID)(*(ULONG64*)((ULONG64)eprocess + 0x448 + 0x8));
DbgPrint("[NAK] :: [ ] PsActiveProcessHead : 0x%p\n", processHead);
PVOID ntosbase = (PVOID)((ULONG64)processHead - 0xc1f970);
DbgPrint("[NAK] :: [ ] ntoskrnl.exe : 0x%p\n", ntosbase);
ExFreePoolWithTag(shellPool, 'NakD');
// ExFreePoolWithTag(shellPool, 'NakD');
// parsing PE file
// https://stackoverflow.com/a/4316804
@ -149,22 +162,21 @@ DriverEntry(
// +0x070 SystemNodeInformation : 0xffffe58f`9283b050 _MI_SYSTEM_NODE_INFORMATION
PVOID miState = (PVOID)((ULONG64)ntosbase + 0xc4f200);
_MI_SYSTEM_NODE_NONPAGED_POOL* systemNonPageInfo =
(_MI_SYSTEM_NODE_NONPAGED_POOL*)((ULONG64)miState + 0x1580 + 0x20);
DbgPrint("[NAK] :: [ ] MiState : 0x%p\n", miState);
DbgPrint("[NAK] :: [ ] systemNonPageInfo : 0x%p\n", systemNonPageInfo);
DbgPrint("[NAK] :: [ ] NonPagedPoolFirstVa : 0x%p\n", systemNonPageInfo->NonPagedPoolFirstVa);
DbgPrint("[NAK] :: [ ] NonPagedPoolLastVa : 0x%p\n", systemNonPageInfo->NonPagedPoolLastVa);
// nonPagedPoolStart = *(ULONG64*)(systemNonPageInfo->NonPagedPoolFirstVa);
// nonPagedPoolEnd = *(ULONG64*)(systemNonPageInfo->NonPagedPoolLastVa);
PVOID systemNonPageInfo = (PVOID)*(ULONG64*)((ULONG64)miState + 0x1580 + 0x20);
DbgPrint("[NAK] :: [ ] nt!MiState : 0x%p\n", miState);
DbgPrint("[NAK] :: [ ] &systemNonPageInfo : 0x%p\n", systemNonPageInfo);
DbgPrint("[NAK] :: [ ] &NonPagedPoolFirstVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + 0x60));
DbgPrint("[NAK] :: [ ] &NonPagedPoolLastVa : 0x%p\n", (ULONG64*)((ULONG64)systemNonPageInfo + 0x68));
nonPagedPoolStart = *(ULONG64*)((ULONG64)systemNonPageInfo + 0x60);
nonPagedPoolEnd = *(ULONG64*)((ULONG64)systemNonPageInfo + 0x68);
} else {
// x32 windows, KdVersionBlock get is usable
DbgPrint("[NAK] :: [ ] Successfully get KdVersionBlock, not sure whether this works\n");
// dbgBlock = (PKDDEBUGGER_DATA64) ((PLIST_ENTRY)kdVersionBlock->DebuggerDataList)->Flink;
}
DbgPrint("[NAK] :: [ ] MmNonPagedPoolStart : 0x%llx\n", nonPagedPoolStart);
DbgPrint("[NAK] :: [ ] MmNonPagedPoolEnd : 0x%llx\n", nonPagedPoolEnd);
DbgPrint("[NAK] :: [ ] nonPagedPoolStart : 0x%llx\n", nonPagedPoolStart);
DbgPrint("[NAK] :: [ ] nonPagedPoolEnd : 0x%llx\n", nonPagedPoolEnd);
// now wait for user call to scan
// current debug mode, scan now

133
KMDF Driver2/kernel-shellcode.cpp Normal file
View File

@ -0,0 +1,133 @@
#include <wdm.h>
__declspec(dllexport)
__declspec(noinline)
void*
GetNtoskrnlBaseAddress()
{
//
// From Windows Internals part 1, chapter 2:
//
// "The kernel uses a data structure called the processor control region, or KPCR, to store
// processor-specific data. The KPCR contains basic information such as the processor's interrupt
// dispatch table(IDT), task - state segment(TSS), and global descriptor table(GDT). It also includes the
// interrupt controller state, which it shares with other modules, such as the ACPI driver and the HAL. To
// provide easy access to the KPCR, the kernel stores a pointer to it in the fs register on 32-bit Windows
// and in the gs register on an x64 Windows system."
//
//
// Let's view the address of KPCR of the current processor:
//
// 1: kd> dg gs
// P Si Gr Pr Lo
// Sel Base Limit Type l ze an es ng Flags
// ---- ---------------- - ---------------- - ---------- - -- -- -- -- --------
// 002B ffffd001`1972e000 00000000`ffffffff Data RW Ac 3 Bg Pg P Nl 00000cf3
//
// We only care about one field in KPCR which is IdtBase (it has been always at the offset 0x38):
//
// 1: kd> dt nt!_KPCR 0xffffd001`1972e000
// + 0x000 NtTib : _NT_TIB
// + 0x000 GdtBase : 0xffffd001`1973b8c0 _KGDTENTRY64
// + 0x008 TssBase : 0xffffd001`19734b40 _KTSS64
// + 0x010 UserRsp : 0x000000c0`87cffc18
// + 0x018 Self : 0xffffd001`1972e000 _KPCR
// + 0x020 CurrentPrcb : 0xffffd001`1972e180 _KPRCB
// + 0x028 LockArray : 0xffffd001`1972e7f0 _KSPIN_LOCK_QUEUE
// + 0x030 Used_Self : 0x000000c0`86875000 Void
// + 0x038 IdtBase : 0xffffd001`1973b930 _KIDTENTRY64 <- pointer to the IDT array
// ...
//
// The field is a pointer to an array of interrupt service routines in the following format:
//
// 1: kd> dt nt!_KIDTENTRY64
// +0x000 OffsetLow : Uint2B
// +0x002 Selector : Uint2B
// +0x004 IstIndex : Pos 0, 3 Bits --+
// +0x004 Reserved0 : Pos 3, 5 Bits |
// +0x004 Type : Pos 8, 5 Bits |
// +0x004 Dpl : Pos 13, 2 Bits |-> the interrupt service routine as a bitfield
// +0x004 Present : Pos 15, 1 Bit |
// +0x006 OffsetMiddle : Uint2B |
// +0x008 OffsetHigh : Uint4B --+
// +0x00c Reserved1 : Uint4B
// +0x000 Alignment : Uint8B
//
//
// These interrupt service routines are functions defined within the address space of ntoskrnl.exe. We will
// use this fact for searching for the base address of ntoskrnl.exe.
//
// Ensure that the structure is aligned on 1 byte boundary.
#pragma pack(push, 1)
typedef struct
{
UCHAR Padding[4];
PVOID InterruptServiceRoutine;
} IDT_ENTRY;
#pragma pack(pop)
// Find the address of IdtBase using gs register.
const auto idt_base = reinterpret_cast<IDT_ENTRY *>(__readgsqword(0x38));
// Find the address of the first (or any) interrupt service routine.
const auto first_isr_address = idt_base[0].InterruptServiceRoutine;
// Align the address on page boundary.
auto page_within_ntoskrnl = reinterpret_cast<uintptr_t>(first_isr_address) & ~static_cast<uintptr_t>(0xfff);
// Traverse pages backward until we find the PE signature (MZ) of ntoskrnl.exe in the beginning of some page.
while (*reinterpret_cast<const USHORT *>(page_within_ntoskrnl) != 0x5a4d)
{
page_within_ntoskrnl -= 0x1000;
}
// Now we have the base address of ntoskrnl.exe
return reinterpret_cast<void*>(page_within_ntoskrnl);
}
VOID
DriverUnload(PDRIVER_OBJECT driver_object)
{
UNREFERENCED_PARAMETER(driver_object);
}
EXTERN_C
NTSTATUS
DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path)
{
UNREFERENCED_PARAMETER(registry_path);
driver_object->DriverUnload = DriverUnload;
// 0 : 65 48 8b 04 25 38 00 mov rax, QWORD PTR gs : 0x38
// 7 : 00 00
// 9 : b9 4d 5a 00 00 mov ecx, 0x5a4d
// e : 48 8b 40 04 mov rax, QWORD PTR[rax + 0x4]
// 12: 48 25 00 f0 ff ff and rax, 0xfffffffffffff000
// 18: eb 06 jmp 0x20
// 1a: 48 2d 00 10 00 00 sub rax, 0x1000
// 20: 66 39 08 cmp WORD PTR[rax], cx
// 23: 75 f5 jne 0x1a
// 25: c3 ret
static const UCHAR shellcode[] = {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x38, 0x00, 0x00, 0x00, 0xB9, 0x4D, 0x5A, 0x00, 0x00, 0x48, 0x8B,
0x40, 0x04, 0x48, 0x25, 0x00, 0xF0, 0xFF, 0xFF, 0xEB, 0x06, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00,
0x66, 0x39, 0x08, 0x75, 0xF5, 0xC3
};
const auto ntoskrnl_base_address = GetNtoskrnlBaseAddress();
const auto pool = ExAllocatePoolWithTag(NonPagedPoolExecute, sizeof(shellcode), 'KMSL');
if (pool != nullptr)
{
RtlCopyMemory(pool, shellcode, sizeof(shellcode));
const auto get_ntoskrnl_base_address = reinterpret_cast<void *(*)()>(pool);
ASSERT(get_ntoskrnl_base_address() == ntoskrnl_base_address);
ExFreePoolWithTag(pool, 'KMSL');
}
return STATUS_SUCCESS;
}