add driver to registry
This commit is contained in:
parent
30da3fe60a
commit
71b59861c5
@ -10,5 +10,5 @@ edition = "2018"
|
|||||||
hex = "0.4.2"
|
hex = "0.4.2"
|
||||||
pdb = "0.5.0"
|
pdb = "0.5.0"
|
||||||
widestring = "0.4.0"
|
widestring = "0.4.0"
|
||||||
winapi = { version = "0.3.8", features = ["libloaderapi", "processthreadsapi", "winbase", "securitybaseapi", "handleapi", "winnt"] }
|
winapi = { version = "0.3.8", features = ["libloaderapi", "processthreadsapi", "winbase", "securitybaseapi", "handleapi", "winnt", "winreg"] }
|
||||||
reqwest = { version = "0.10.1", features = ["blocking"] }
|
reqwest = { version = "0.10.1", features = ["blocking"] }
|
||||||
|
62
src/main.rs
62
src/main.rs
@ -19,9 +19,13 @@ use pdb::TypeIndex;
|
|||||||
|
|
||||||
use std::ffi::CString;
|
use std::ffi::CString;
|
||||||
use widestring::{U16CString};
|
use widestring::{U16CString};
|
||||||
use winapi::shared::minwindef::{DWORD};
|
use winapi::shared::minwindef::{HKEY};
|
||||||
use winapi::shared::ntdef::*;
|
use winapi::shared::ntdef::*;
|
||||||
use winapi::um::winnt::{SE_PRIVILEGE_ENABLED, TOKEN_PRIVILEGES, TOKEN_ADJUST_PRIVILEGES, LUID_AND_ATTRIBUTES};
|
use winapi::um::winnt::{
|
||||||
|
SE_PRIVILEGE_ENABLED, TOKEN_PRIVILEGES, TOKEN_ADJUST_PRIVILEGES, LUID_AND_ATTRIBUTES,
|
||||||
|
REG_DWORD, REG_SZ, REG_OPTION_NON_VOLATILE, KEY_WRITE
|
||||||
|
};
|
||||||
|
use winapi::um::winreg::*;
|
||||||
use winapi::um::handleapi::*;
|
use winapi::um::handleapi::*;
|
||||||
use winapi::um::winbase::*;
|
use winapi::um::winbase::*;
|
||||||
use winapi::um::processthreadsapi::*;
|
use winapi::um::processthreadsapi::*;
|
||||||
@ -391,7 +395,8 @@ fn main() {
|
|||||||
None => {}
|
None => {}
|
||||||
};
|
};
|
||||||
match store.addr_decompose(0xfffff8005d44f200, "_MI_SYSTEM_INFORMATION.Hardware.SystemNodeNonPagedPool") {
|
match store.addr_decompose(0xfffff8005d44f200, "_MI_SYSTEM_INFORMATION.Hardware.SystemNodeNonPagedPool") {
|
||||||
Ok(offset) => println!("0x{:x}", offset),
|
Ok(offset) =>
|
||||||
|
println!("0x{:x} == ((_MI_SYSTEM_INFORMATION)0xfffff8005d44f200).Hardware.SystemNodeNonPagedPool", offset),
|
||||||
Err(msg) => println!("{}", msg)
|
Err(msg) => println!("{}", msg)
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -401,9 +406,16 @@ fn main() {
|
|||||||
let str_rtl_init_unicode_str = CString::new("RtlInitUnicodeString").expect("");
|
let str_rtl_init_unicode_str = CString::new("RtlInitUnicodeString").expect("");
|
||||||
let str_se_load_driver_privilege = CString::new("SeLoadDriverPrivilege").expect("");
|
let str_se_load_driver_privilege = CString::new("SeLoadDriverPrivilege").expect("");
|
||||||
|
|
||||||
|
let str_driver_path = CString::new("\\SystemRoot\\System32\\DRIVERS\\nganhkhoa.sys").expect("");
|
||||||
|
let str_registry_path = CString::new("System\\CurrentControlSet\\Services\\nganhkhoa").expect("");
|
||||||
let str_driver_reg =
|
let str_driver_reg =
|
||||||
U16CString::from_str("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\nganhkhoa").expect("");
|
U16CString::from_str("\\Registry\\Machine\\System\\CurrentControlSet\\Services\\nganhkhoa").expect("");
|
||||||
|
let str_type = CString::new("Type").expect("");
|
||||||
|
let str_error_control = CString::new("ErrorControl").expect("");
|
||||||
|
let str_start = CString::new("Start").expect("");
|
||||||
|
let str_image_path = CString::new("ImagePath").expect("");
|
||||||
|
|
||||||
|
let mut str_driver_reg_unicode = UNICODE_STRING::default();
|
||||||
let nt_load_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS;
|
let nt_load_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS;
|
||||||
let nt_unload_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS;
|
let nt_unload_driver: extern "stdcall" fn(PUNICODE_STRING) -> NTSTATUS;
|
||||||
let rtl_init_unicode_str: extern "stdcall" fn(PUNICODE_STRING, PCWSTR);
|
let rtl_init_unicode_str: extern "stdcall" fn(PUNICODE_STRING, PCWSTR);
|
||||||
@ -414,23 +426,40 @@ fn main() {
|
|||||||
let nt_unload_driver_ = GetProcAddress(ntdll, str_nt_unload_driver.as_ptr());
|
let nt_unload_driver_ = GetProcAddress(ntdll, str_nt_unload_driver.as_ptr());
|
||||||
let rtl_init_unicode_str_ = GetProcAddress(ntdll, str_rtl_init_unicode_str.as_ptr());
|
let rtl_init_unicode_str_ = GetProcAddress(ntdll, str_rtl_init_unicode_str.as_ptr());
|
||||||
|
|
||||||
// https://github.com/jamalcoder/winapi-dynamic-api-call-using-rust/blob/d0a2386fe590899115442c5e87688ba60013acf7/src/main.rs#L60
|
|
||||||
nt_load_driver = std::mem::transmute(nt_load_driver_);
|
nt_load_driver = std::mem::transmute(nt_load_driver_);
|
||||||
nt_unload_driver = std::mem::transmute(nt_unload_driver_);
|
nt_unload_driver = std::mem::transmute(nt_unload_driver_);
|
||||||
rtl_init_unicode_str = std::mem::transmute(rtl_init_unicode_str_);
|
rtl_init_unicode_str = std::mem::transmute(rtl_init_unicode_str_);
|
||||||
|
|
||||||
println!("ntdll 0x{:x}", ntdll as DWORD);
|
// setup registry
|
||||||
println!("NtLoadDriver 0x{:x}", nt_load_driver_ as DWORD);
|
let mut registry_key: HKEY = std::ptr::null_mut();
|
||||||
println!("NtUnloadDriver 0x{:x}", nt_unload_driver_ as DWORD);
|
RegCreateKeyExA(
|
||||||
println!("RtlInitUnicodeString 0x{:x}", rtl_init_unicode_str_ as DWORD);
|
HKEY_LOCAL_MACHINE, str_registry_path.as_ptr(),
|
||||||
|
0, std::ptr::null_mut(),
|
||||||
|
REG_OPTION_NON_VOLATILE, KEY_WRITE,
|
||||||
|
std::ptr::null_mut(), &mut registry_key, std::ptr::null_mut()
|
||||||
|
);
|
||||||
|
let type_value: [u8; 4] = 1u32.to_le_bytes();
|
||||||
|
let error_control_value: [u8; 4] = 1u32.to_le_bytes();
|
||||||
|
let start_value: [u8; 4] = 3u32.to_le_bytes();
|
||||||
|
let registry_values = [
|
||||||
|
(str_type.as_ptr(), REG_DWORD, type_value.as_ptr(), 4),
|
||||||
|
(str_error_control.as_ptr(), REG_DWORD, error_control_value.as_ptr(), 4),
|
||||||
|
(str_start.as_ptr(), REG_DWORD, start_value.as_ptr(), 4),
|
||||||
|
(str_image_path.as_ptr(), REG_SZ, str_driver_path.as_ptr() as *const u8, str_driver_path.to_bytes().len() + 1)
|
||||||
|
];
|
||||||
|
for &(key, keytype, value_ptr, size_in_bytes) in ®istry_values {
|
||||||
|
RegSetValueExA(
|
||||||
|
registry_key, key, 0,
|
||||||
|
keytype, value_ptr, size_in_bytes as u32
|
||||||
|
);
|
||||||
|
}
|
||||||
|
RegCloseKey(registry_key);
|
||||||
|
|
||||||
// Setup privilege SeLoadDriverPrivilege
|
// Setup privilege SeLoadDriverPrivilege
|
||||||
let mut token_handle: HANDLE = std::ptr::null_mut();
|
let mut token_handle: HANDLE = std::ptr::null_mut();
|
||||||
let mut luid = LUID::default();
|
let mut luid = LUID::default();
|
||||||
println!("OpenProcessToken() -> 0x{:x}",
|
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &mut token_handle);
|
||||||
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &mut token_handle));
|
LookupPrivilegeValueA(std::ptr::null_mut(), str_se_load_driver_privilege.as_ptr(), &mut luid);
|
||||||
println!("LookupPrivilegeValueA() -> 0x{:x}",
|
|
||||||
LookupPrivilegeValueA(std::ptr::null_mut(), str_se_load_driver_privilege.as_ptr(), &mut luid));
|
|
||||||
let mut new_token_state = TOKEN_PRIVILEGES {
|
let mut new_token_state = TOKEN_PRIVILEGES {
|
||||||
PrivilegeCount: 1,
|
PrivilegeCount: 1,
|
||||||
Privileges: [LUID_AND_ATTRIBUTES {
|
Privileges: [LUID_AND_ATTRIBUTES {
|
||||||
@ -438,13 +467,12 @@ fn main() {
|
|||||||
Attributes: SE_PRIVILEGE_ENABLED
|
Attributes: SE_PRIVILEGE_ENABLED
|
||||||
}]
|
}]
|
||||||
};
|
};
|
||||||
println!("AdjustTokenPrivileges() -> 0x{:x}",
|
AdjustTokenPrivileges(token_handle, 0, &mut new_token_state, 16, std::ptr::null_mut(), std::ptr::null_mut());
|
||||||
AdjustTokenPrivileges(token_handle, 0, &mut new_token_state, 16, std::ptr::null_mut(), std::ptr::null_mut()));
|
|
||||||
CloseHandle(token_handle);
|
CloseHandle(token_handle);
|
||||||
|
|
||||||
let mut str_driver_reg_unicode = UNICODE_STRING::default();
|
|
||||||
rtl_init_unicode_str(&mut str_driver_reg_unicode, str_driver_reg.as_ptr() as *const u16);
|
rtl_init_unicode_str(&mut str_driver_reg_unicode, str_driver_reg.as_ptr() as *const u16);
|
||||||
println!("NtLoadDriver() -> 0x{:x}", nt_load_driver(&mut str_driver_reg_unicode));
|
|
||||||
println!("NtUnloadDriver() -> 0x{:x}", nt_unload_driver(&mut str_driver_reg_unicode));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
println!("NtLoadDriver() -> 0x{:x}", nt_load_driver(&mut str_driver_reg_unicode));
|
||||||
|
println!("NtUnloadDriver() -> 0x{:x}", nt_unload_driver(&mut str_driver_reg_unicode));
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user