lpus/src/bin/file_object_scan.rs

use std::error::Error;

use lpus::{
    driver_state::{DriverState}
};

fn main() -> Result<(), Box<dyn Error>> {
    let mut driver = DriverState::new();
    println!("NtLoadDriver()   -> 0x{:x}", driver.startup());

    driver.scan_pool(b"File", |pool_addr, header, data_addr| {
        let chunk_size = (header[2] as u64) * 16u64;

        let fob_size = driver.pdb_store.get_offset_r("_FILE_OBJECT.struct_size")?;
        let fob_size_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.Size")?;
        let fob_read_access_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.ReadAccess")?;
        let fob_filename_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.FileName")?;

        let valid_end = (pool_addr + chunk_size) - fob_size;
        let mut try_ptr = data_addr;

        let mut ftype = 0u16;
        let mut size = 0u16;
        while try_ptr <= valid_end {
            driver.deref_addr(try_ptr, &mut ftype);
            driver.deref_addr(try_ptr + fob_size_offset, &mut size);
            if (size as u64) == fob_size && ftype == 5u16 {
                break;
            }
            try_ptr += 0x4;        // search exhaustively
        }
        if try_ptr > valid_end {
            println!("pool: 0x{:x} cannot detect file object", pool_addr);
            return Ok(false);
        }
        let fob_addr = try_ptr;
        let mut read_ok = 0u8;
        driver.deref_addr(fob_addr + fob_read_access_offset, &mut read_ok);

        println!("pool: 0x{:x} | file object: 0x{:x} | offsetby: 0x{:x}", pool_addr, fob_addr, fob_addr - pool_addr);
        if read_ok == 0 {
            println!("      [NOT READABLE]");
            return Ok(true);
        }
        if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset, true) {
            println!("      {}", filename);
            return Ok(true);
        }
        Ok(false)
    })?;

    println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
    Ok(())
}
Update scan frontend Reject invalid block size Unicode string handle for empty ptr, empty size Add _FILE_OBJECT scan Add FileImage dump of _EPROCESS scan 2020-05-22 14:44:47 +07:00			`use std::error::Error;`

			`use lpus::{`
			`driver_state::{DriverState}`
			`};`

			`fn main() -> Result<(), Box<dyn Error>> {`
			`let mut driver = DriverState::new();`
			`println!("NtLoadDriver() -> 0x{:x}", driver.startup());`

			`driver.scan_pool(b"File", \|pool_addr, header, data_addr\| {`
			`let chunk_size = (header[2] as u64) * 16u64;`

			`let fob_size = driver.pdb_store.get_offset_r("_FILE_OBJECT.struct_size")?;`
			`let fob_size_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.Size")?;`
check read access when dump file name in _FILE_OBJECT 2020-05-29 01:39:32 +07:00			`let fob_read_access_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.ReadAccess")?;`
Update scan frontend Reject invalid block size Unicode string handle for empty ptr, empty size Add _FILE_OBJECT scan Add FileImage dump of _EPROCESS scan 2020-05-22 14:44:47 +07:00			`let fob_filename_offset = driver.pdb_store.get_offset_r("_FILE_OBJECT.FileName")?;`

			`let valid_end = (pool_addr + chunk_size) - fob_size;`
			`let mut try_ptr = data_addr;`

			`let mut ftype = 0u16;`
			`let mut size = 0u16;`
			`while try_ptr <= valid_end {`
			`driver.deref_addr(try_ptr, &mut ftype);`
			`driver.deref_addr(try_ptr + fob_size_offset, &mut size);`
			`if (size as u64) == fob_size && ftype == 5u16 {`
			`break;`
			`}`
			`try_ptr += 0x4; // search exhaustively`
			`}`
			`if try_ptr > valid_end {`
check read access when dump file name in _FILE_OBJECT 2020-05-29 01:39:32 +07:00			`println!("pool: 0x{:x} cannot detect file object", pool_addr);`
Update scan frontend Reject invalid block size Unicode string handle for empty ptr, empty size Add _FILE_OBJECT scan Add FileImage dump of _EPROCESS scan 2020-05-22 14:44:47 +07:00			`return Ok(false);`
			`}`
			`let fob_addr = try_ptr;`
check read access when dump file name in _FILE_OBJECT 2020-05-29 01:39:32 +07:00			`let mut read_ok = 0u8;`
			`driver.deref_addr(fob_addr + fob_read_access_offset, &mut read_ok);`

			`println!("pool: 0x{:x} \| file object: 0x{:x} \| offsetby: 0x{:x}", pool_addr, fob_addr, fob_addr - pool_addr);`
			`if read_ok == 0 {`
			`println!(" [NOT READABLE]");`
			`return Ok(true);`
			`}`
			`if let Ok(filename) = driver.get_unicode_string(fob_addr + fob_filename_offset, true) {`
			`println!(" {}", filename);`
Update scan frontend Reject invalid block size Unicode string handle for empty ptr, empty size Add _FILE_OBJECT scan Add FileImage dump of _EPROCESS scan 2020-05-22 14:44:47 +07:00			`return Ok(true);`
			`}`
			`Ok(false)`
			`})?;`

			`println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());`
			`Ok(())`
			`}`