From 0c587f9dc538674008507d47321df78958ff1a5a Mon Sep 17 00:00:00 2001 From: Huoji's <1296564236@qq.com> Date: Fri, 1 Jan 2021 13:54:35 +0800 Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E9=A1=B9=E7=9B=AE=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CowInject.sln | 51 ++++++ CowInject/CowInject.inf | 32 ++++ CowInject/CowInject.vcxproj | 166 +++++++++++++++++++ CowInject/CowInject.vcxproj.filters | 54 +++++++ CowInject/head.h | 232 +++++++++++++++++++++++++++ CowInject/helper.cpp | 143 +++++++++++++++++ CowInject/main.cpp | 240 ++++++++++++++++++++++++++++ CowInject/main.h | 11 ++ CowInject/shell_code_end.cpp | 1 + CowInject/shell_code_start.cpp | 28 ++++ 10 files changed, 958 insertions(+) create mode 100644 CowInject.sln create mode 100644 CowInject/CowInject.inf create mode 100644 CowInject/CowInject.vcxproj create mode 100644 CowInject/CowInject.vcxproj.filters create mode 100644 CowInject/head.h create mode 100644 CowInject/helper.cpp create mode 100644 CowInject/main.cpp create mode 100644 CowInject/main.h create mode 100644 CowInject/shell_code_end.cpp create mode 100644 CowInject/shell_code_start.cpp diff --git a/CowInject.sln b/CowInject.sln new file mode 100644 index 0000000..79e514f --- /dev/null +++ b/CowInject.sln 
@@ -0,0 +1,51 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 16 +VisualStudioVersion = 16.0.29613.14 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CowInject", "CowInject\CowInject.vcxproj", "{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|ARM = Debug|ARM + Debug|ARM64 = Debug|ARM64 + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|ARM = Release|ARM + Release|ARM64 = Release|ARM64 + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM.ActiveCfg = Debug|ARM + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM.Build.0 = Debug|ARM + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM.Deploy.0 = Debug|ARM + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM64.ActiveCfg = Debug|ARM64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM64.Build.0 = Debug|ARM64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|ARM64.Deploy.0 = Debug|ARM64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x64.ActiveCfg = Debug|x64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x64.Build.0 = Debug|x64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x64.Deploy.0 = Debug|x64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x86.ActiveCfg = Debug|Win32 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x86.Build.0 = Debug|Win32 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Debug|x86.Deploy.0 = Debug|Win32 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM.ActiveCfg = Release|ARM + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM.Build.0 = Release|ARM + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM.Deploy.0 = Release|ARM + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM64.ActiveCfg = Release|ARM64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM64.Build.0 = Release|ARM64 + 
{8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|ARM64.Deploy.0 = Release|ARM64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x64.ActiveCfg = Release|x64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x64.Build.0 = Release|x64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x64.Deploy.0 = Release|x64 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x86.ActiveCfg = Release|Win32 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x86.Build.0 = Release|Win32 + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB}.Release|x86.Deploy.0 = Release|Win32 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {8B54FB70-B3D2-4C49-87D4-AED93842E605} + EndGlobalSection +EndGlobal diff --git a/CowInject/CowInject.inf b/CowInject/CowInject.inf new file mode 100644 index 0000000..3921319 --- /dev/null +++ b/CowInject/CowInject.inf @@ -0,0 +1,32 @@ +; +; CowInject.inf +; + +[Version] +Signature="$WINDOWS NT$" +Class=System +ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} +Provider=%ManufacturerName% +DriverVer= +CatalogFile=CowInject.cat + +[DestinationDirs] +DefaultDestDir = 12 + + +[SourceDisksNames] +1 = %DiskName%,,,"" + +[SourceDisksFiles] + + +[Manufacturer] +%ManufacturerName%=Standard,NT$ARCH$ + +[Standard.NT$ARCH$] + + +[Strings] +ManufacturerName="" ;TODO: Replace with your manufacturer name +ClassName="" +DiskName="CowInject Source Disk" diff --git a/CowInject/CowInject.vcxproj b/CowInject/CowInject.vcxproj new file mode 100644 index 0000000..a20e787 --- /dev/null +++ b/CowInject/CowInject.vcxproj 
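Review bot: In CowInject.inf, `DriverVer=` is left empty, `[Standard.NT$ARCH$]` lists no models and `ManufacturerName=""` still carries the template TODO, so this INF cannot install anything as written. If the file is only the WDK template kept for the `CatalogFile` reference, a one-line comment under `; CowInject.inf` saying so (`; template only - not a usable install INF`) spares the next reader from trying to complete it; otherwise the version and model sections need to be filled in.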
@@ -0,0 +1,166 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + Debug + ARM + + + Release + ARM + + + Debug + ARM64 + + + Release + ARM64 + + + + {8E8EC6B8-E5C6-4B06-A8F2-9F0F5EA685BB} + {dd38f7fc-d7bd-488b-9242-7d8754cde80d} + v4.5 + 12.0 + Debug + Win32 + CowInject + + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows7 + false + WindowsKernelModeDriver10.0 + Driver + WDM + false + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + true + WindowsKernelModeDriver10.0 + Driver + WDM + + + Windows10 + false + WindowsKernelModeDriver10.0 + Driver + WDM + + + + + + + + + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + false + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + DbgengKernelDebugger + + + + false + false + MinSpace + Size + true + false + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/CowInject/CowInject.vcxproj.filters b/CowInject/CowInject.vcxproj.filters new file mode 100644 index 0000000..34a82c2 --- /dev/null +++ b/CowInject/CowInject.vcxproj.filters 
@@ -0,0 +1,54 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hpp;hxx;hm;inl;inc;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + {8E41214B-6785-4CFE-B992-037D68949A14} + inf;inv;inx;mof;mc; + + + {41db35f4-72e8-49d7-81ea-9a18fea3e160} + + + {9e17b26d-f5cd-4288-962a-5943271da071} + + + + + Driver Files + + + + + Header Files + + + Header Files + + + + + Source Files + + + Source Files\Shellcode + + + Source Files\Shellcode + + + Source Files\ThirdParty + + + \ No newline at end of file diff --git a/CowInject/head.h b/CowInject/head.h new file mode 100644 index 0000000..8a5d589 --- /dev/null +++ b/CowInject/head.h 
@@ -0,0 +1,232 @@ +#pragma once +#include +#include +#include +#include +#include +#define DebugPrintA(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,__VA_ARGS__) +#define HUOJI_POOL_TAG 'huoJ' +#define CALCSIZE(n,f) (ULONG_PTR)f - (ULONG_PTR)n +#define PAGE_ALIGN(Va) ((PVOID)((ULONG_PTR)(Va) & ~(PAGE_SIZE - 1))) +#define DEREF( name )*(UINT_PTR *)(name) +#define DEREF_64( name )*(unsigned __int64 *)(name) +#define DEREF_32( name )*(unsigned long *)(name) +#define DEREF_16( name )*(unsigned short *)(name) +#define DEREF_8( name )*(UCHAR *)(name) +typedef HMODULE(WINAPI* LOADLIBRARYA)(LPCSTR); +typedef FARPROC(WINAPI* GETPROCADDRESS)(HMODULE, LPCSTR); +typedef LPVOID(WINAPI* VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD); +typedef DWORD(NTAPI* NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG); + +typedef BOOL(WINAPI* ReadFileT)(HANDLE, LPVOID, DWORD, LPDWORD, PVOID); +typedef DWORD(WINAPI* GetFileSizeT)(HANDLE, LPDWORD); +typedef BOOL(WINAPI* CloseHandleT)(HANDLE); + +#define KERNEL32DLL_HASH 0x6A4ABC5B +#define NTDLLDLL_HASH 0x3CFA685D +#define LOADLIBRARYA_HASH 0xEC0E4E8E +#define GETPROCADDRESS_HASH 0x7C0DFCAA +#define VIRTUALALLOC_HASH 0x91AFCA54 +#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8 +#define HASH_KEY 13 +#define DLL_PROCESS_ATTACH 1 +#define DLL_THREAD_ATTACH 2 +#define DLL_THREAD_DETACH 3 +#define DLL_PROCESS_DETACH 0 + +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation, // 0x00 SYSTEM_BASIC_INFORMATION + SystemProcessorInformation, // 0x01 SYSTEM_PROCESSOR_INFORMATION + SystemPerformanceInformation, // 0x02 + SystemTimeOfDayInformation, // 0x03 + SystemPathInformation, // 0x04 + SystemProcessInformation, // 0x05 + SystemCallCountInformation, // 0x06 + SystemDeviceInformation, // 0x07 + SystemProcessorPerformanceInformation, // 0x08 + SystemFlagsInformation, // 0x09 + SystemCallTimeInformation, // 0x0A + SystemModuleInformation, // 0x0B SYSTEM_MODULE_INFORMATION + SystemLocksInformation, // 0x0C + SystemStackTraceInformation, // 
0x0D + SystemPagedPoolInformation, // 0x0E + SystemNonPagedPoolInformation, // 0x0F + SystemHandleInformation, // 0x10 + SystemObjectInformation, // 0x11 + SystemPageFileInformation, // 0x12 + SystemVdmInstemulInformation, // 0x13 + SystemVdmBopInformation, // 0x14 + SystemFileCacheInformation, // 0x15 + SystemPoolTagInformation, // 0x16 + SystemInterruptInformation, // 0x17 + SystemDpcBehaviorInformation, // 0x18 + SystemFullMemoryInformation, // 0x19 + SystemLoadGdiDriverInformation, // 0x1A + SystemUnloadGdiDriverInformation, // 0x1B + SystemTimeAdjustmentInformation, // 0x1C + SystemSummaryMemoryInformation, // 0x1D + SystemNextEventIdInformation, // 0x1E + SystemEventIdsInformation, // 0x1F + SystemCrashDumpInformation, // 0x20 + SystemExceptionInformation, // 0x21 + SystemCrashDumpStateInformation, // 0x22 + SystemKernelDebuggerInformation, // 0x23 + SystemContextSwitchInformation, // 0x24 + SystemRegistryQuotaInformation, // 0x25 + SystemExtendServiceTableInformation, // 0x26 + SystemPrioritySeperation, // 0x27 + SystemPlugPlayBusInformation, // 0x28 + SystemDockInformation, // 0x29 + //SystemPowerInformation, // 0x2A + //SystemProcessorSpeedInformation, // 0x2B + //SystemCurrentTimeZoneInformation, // 0x2C + //SystemLookasideInformation // 0x2D + +} SYSTEM_INFORMATION_CLASS, * PSYSTEM_INFORMATION_CLASS; + +typedef BOOL(WINAPI* DLLMAIN)(HINSTANCE, DWORD, LPVOID); +typedef struct _LDR_DATA_TABLE_ENTRY { + LIST_ENTRY InLoadOrderLinks; + LIST_ENTRY InMemoryOrderLinks; + LIST_ENTRY InInitializationOrderLinks; + PVOID DllBase; + PVOID EntryPoint; + ULONG SizeOfImages; + UNICODE_STRING FullDllName; + UNICODE_STRING BaseDllName; + ULONG Flags; + USHORT LoadCount; + USHORT TlsIndex; + union { + LIST_ENTRY HashLinks; + struct { + PVOID SectionPointer; + ULONG CheckSum; + }; + }; + union { + struct { + ULONG TimeDateStamp; + }; + struct { + PVOID LoadedImports; + }; + }; +}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY; + +typedef struct +{ + WORD offset : 12; + WORD 
type : 4; +} IMAGE_RELOC, * PIMAGE_RELOC; +typedef struct _NT_PROC_THREAD_ATTRIBUTE_ENTRY +{ + ULONG Attribute; // PROC_THREAD_ATTRIBUTE_XXX + SIZE_T Size; + ULONG_PTR Value; + ULONG Unknown; +} NT_PROC_THREAD_ATTRIBUTE_ENTRY, * NT_PPROC_THREAD_ATTRIBUTE_ENTRY; +typedef struct _NT_PROC_THREAD_ATTRIBUTE_LIST +{ + ULONG Length; + NT_PROC_THREAD_ATTRIBUTE_ENTRY Entry[1]; +} NT_PROC_THREAD_ATTRIBUTE_LIST, * PNT_PROC_THREAD_ATTRIBUTE_LIST; + +typedef struct _SECURITY_ATTRIBUTES { + DWORD nLength; + LPVOID lpSecurityDescriptor; + BOOL bInheritHandle; +} SECURITY_ATTRIBUTES, * PSECURITY_ATTRIBUTES, * LPSECURITY_ATTRIBUTES; +typedef HANDLE(WINAPI* CreateFileWT)( + _In_ LPCWSTR lpFileName, + _In_ DWORD dwDesiredAccess, + _In_ DWORD dwShareMode, + _In_opt_ LPSECURITY_ATTRIBUTES lpSecurityAttributes, + _In_ DWORD dwCreationDisposition, + _In_ DWORD dwFlagsAndAttributes, + _In_opt_ HANDLE hTemplateFile + ); +typedef DWORD(WINAPI* GetModuleFileNameWT)(HMODULE hModule, LPCWSTR lpFilename, DWORD nSize); +typedef wchar_t* (WINAPI* wcsstrAt)(wchar_t const* _String1, wchar_t const* _String); +typedef HMODULE(WINAPI* LoadLibraryWT)(_In_ LPCWSTR lpLibFileName); +#ifdef __cplusplus +extern "C" +{ +#endif +#include + NTSYSAPI + NTSTATUS + NTAPI + ZwQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL + ); + NTKERNELAPI + NTSTATUS + ObReferenceObjectByName( + IN PUNICODE_STRING ObjectName, + IN ULONG Attributes, + IN PACCESS_STATE PassedAccessState, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE ObjectType, + IN KPROCESSOR_MODE AccessMode, + IN OUT PVOID ParseContext, + OUT PVOID* Object + ); + extern POBJECT_TYPE* IoDriverObjectType; + + ULONG + NTAPI + KeCapturePersistentThreadState( + IN PCONTEXT Context, + IN PKTHREAD Thread, + IN ULONG BugCheckCode, + IN ULONG BugCheckParameter1, + IN ULONG BugCheckParameter2, + IN ULONG BugCheckParameter3, + IN ULONG 
BugCheckParameter4, + OUT PVOID VirtualAddress + ); + NTSYSAPI + PVOID + NTAPI + RtlImageDirectoryEntryToData( + PVOID ImageBase, + BOOLEAN MappedAsImage, + USHORT DirectoryEntry, + PULONG Size + ); + NTKERNELAPI + PPEB + NTAPI + PsGetProcessPeb(IN PEPROCESS Process); + NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process(IN PEPROCESS Process); + NTSYSAPI + NTSTATUS + NTAPI + ZwProtectVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID* BaseAddress, + IN OUT SIZE_T* NumberOfBytesToProtect, + IN ULONG NewAccessProtection, + OUT PULONG OldAccessProtection + ); + + NTSYSAPI + NTSTATUS + NTAPI + ZwQueryInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + OUT PVOID ThreadInformation, + IN ULONG ThreadInformationLength, + OUT PULONG ReturnLength OPTIONAL + ); + + +#ifdef __cplusplus +} +#endif \ No newline at end of file diff --git a/CowInject/helper.cpp b/CowInject/helper.cpp new file mode 100644 index 0000000..b249eeb --- /dev/null +++ b/CowInject/helper.cpp 
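Review bot: `PAGE_ALIGN` near the top of head.h duplicates the macro wdm.h already defines with the same expansion; it is redundant now and becomes a C4005 redefinition warning in every including translation unit the moment either expansion changes, so drop it. The `CALCSIZE` and `DEREF*` macros are unparenthesized, so `sizeof CALCSIZE(a,b)` or `DEREF_32(p)++` expand into something other than intended — wrap each expansion, e.g. `#define CALCSIZE(n,f) ((ULONG_PTR)(f) - (ULONG_PTR)(n))` and `#define DEREF_32( name ) (*(unsigned long *)(name))`. The prototypes inside the `extern "C"` block (`ZwQuerySystemInformation`, `PsGetProcessPeb`, `PsGetProcessWow64Process`, `ZwProtectVirtualMemory`, ...) are hand-written declarations of exports no public header checks; a one-line comment per declaration naming the kernel versions the signature was verified against would help the next maintainer.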
@@ -0,0 +1,143 @@ +#include "head.h" +/* + from google +*/ +ULONG_PTR GetProcAddressR(ULONG_PTR hModule, const char* lpProcName, BOOL x64Module) +{ + UINT_PTR uiLibraryAddress = 0; + ULONG_PTR fpResult = NULL; + if (hModule == NULL) + return NULL; + // a module handle is really its base address + uiLibraryAddress = (UINT_PTR)hModule; + __try + { + UINT_PTR uiAddressArray = 0; + UINT_PTR uiNameArray = 0; + UINT_PTR uiNameOrdinals = 0; + PIMAGE_NT_HEADERS32 pNtHeaders32 = NULL; + PIMAGE_NT_HEADERS64 pNtHeaders64 = NULL; + PIMAGE_DATA_DIRECTORY pDataDirectory = NULL; + PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL; + + // get the VA of the modules NT Header + pNtHeaders32 = (PIMAGE_NT_HEADERS32)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew); + pNtHeaders64 = (PIMAGE_NT_HEADERS64)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew); + if (x64Module) + { + pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; + } + else + { + pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; + } + + + // get the VA of the export directory + pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(uiLibraryAddress + pDataDirectory->VirtualAddress); + + // get the VA for the array of addresses + uiAddressArray = (uiLibraryAddress + pExportDirectory->AddressOfFunctions); + + // get the VA for the array of name pointers + uiNameArray = (uiLibraryAddress + pExportDirectory->AddressOfNames); + + // get the VA for the array of name ordinals + uiNameOrdinals = (uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals); + + // test if we are importing by name or by ordinal... + if ((PtrToUlong(lpProcName) & 0xFFFF0000) == 0x00000000) + { + // import by ordinal... 
+ + // use the import ordinal (- export ordinal base) as an index into the array of addresses + uiAddressArray += ((IMAGE_ORDINAL(PtrToUlong(lpProcName)) - pExportDirectory->Base) * sizeof(unsigned long)); + + // resolve the address for this imported function + fpResult = (ULONG_PTR)(uiLibraryAddress + DEREF_32(uiAddressArray)); + } + else + { + // import by name... + unsigned long dwCounter = pExportDirectory->NumberOfNames; + while (dwCounter--) + { + char* cpExportedFunctionName = (char*)(uiLibraryAddress + DEREF_32(uiNameArray)); + + // test if we have a match... + if (strcmp(cpExportedFunctionName, lpProcName) == 0) + { + // use the functions name ordinal as an index into the array of name pointers + uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(unsigned long)); + + // calculate the virtual address for the function + fpResult = (ULONG_PTR)(uiLibraryAddress + DEREF_32(uiAddressArray)); + + // finish... + break; + } + + // get the next exported function name + uiNameArray += sizeof(unsigned long); + + // get the next exported function name ordinal + uiNameOrdinals += sizeof(unsigned short); + } + } + } + __except (EXCEPTION_EXECUTE_HANDLER) + { + fpResult = NULL; + } + return fpResult; +} +/* + from blackbone +*/ +LONG BlackBoneSafeSearchString(IN PUNICODE_STRING source, IN PUNICODE_STRING target, IN BOOLEAN CaseInSensitive) +{ + ASSERT(source != NULL && target != NULL); + if (source == NULL || target == NULL || source->Buffer == NULL || target->Buffer == NULL) + return STATUS_INVALID_PARAMETER; + + // Size mismatch + if (source->Length < target->Length) + return -1; + + USHORT diff = source->Length - target->Length; + for (USHORT i = 0; i <= (diff / sizeof(WCHAR)); i++) + { + if (RtlCompareUnicodeStrings( + source->Buffer + i, + target->Length / sizeof(WCHAR), + target->Buffer, + target->Length / sizeof(WCHAR), + CaseInSensitive + ) == 0) + { + return i; + } + } + + return -1; +} +/* + from windows explorer +*/ +bool _memcpy(PVOID address, PVOID 
target_address, ULONG length) +{ + bool result = false; + PHYSICAL_ADDRESS physicial_address; + physicial_address = MmGetPhysicalAddress(address); + if (physicial_address.QuadPart) + { + PVOID maped_mem = MmMapIoSpace(physicial_address, length, MmNonCached); + if (maped_mem) + { + memcpy(maped_mem, target_address, length); + MmUnmapIoSpace(maped_mem, length); + result = true; + } + } + return result; +} \ No newline at end of file diff --git a/CowInject/main.cpp b/CowInject/main.cpp new file mode 100644 index 0000000..3d5a9db --- /dev/null +++ b/CowInject/main.cpp 
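Review bot: `_memcpy` at the end of the hunk maps only the single physical page that `MmGetPhysicalAddress(address)` resolves, then copies `length` bytes through that mapping; the physical pages behind a virtually contiguous range are not contiguous, so any copy that crosses a page boundary (main.cpp passes the whole `HookCode` array, several hundred bytes) writes into whatever physical page happens to follow — silent corruption of memory that belongs to someone else. Fail closed instead of writing through the first page's mapping, `if (((ULONG_PTR)address & (PAGE_SIZE - 1)) + length > PAGE_SIZE) return false;`, and say in the header comment that `MmMapIoSpace` is documented for device memory, not for aliasing ordinary RAM (`MmNonCached` here also conflicts with the page's existing cached mapping). `BlackBoneSafeSearchString` returns `STATUS_INVALID_PARAMETER` through a `LONG` while its callers test `!= -1`, so a NULL buffer reads as a successful match; return `-1` for that case too, or change the contract to an `NTSTATUS` plus an out-parameter index. `_memcpy` is also a reserved identifier at global scope (leading underscore); a name such as `write_via_physical` avoids that.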
@@ -0,0 +1,240 @@ +#include "head.h" +#include "main.h" +struct moudle_info +{ + uintptr_t bsae; + uintptr_t size; +}; +bool get_moudle_base(PEPROCESS process, moudle_info* kernel32, moudle_info* ntdll, moudle_info* kernelbase) { + PPEB peb = PsGetProcessPeb(process); + bool result = false; + if (peb == NULL) + return result; + DebugPrintA("process peb: %p \n", peb); + //PEB + 0x18 = PEB.Ldr + auto peb_ldr = *(PDWORD64)((PUCHAR)peb + 0x18); + //Pebldr + 0x10 = InLoadOrderModuleList + PLIST_ENTRY module_list_head = (PLIST_ENTRY)((PUCHAR)peb_ldr + 0x10); + PLIST_ENTRY moudle = module_list_head->Flink; + /* + win7: kernel32.dll + win10: KERNEL32.DLL + */ + wchar_t moudle_list[][15] = { + {L"kernel32.dll"}, + {L"ntdll.dll"}, + {L"kernelbase.dll"}, + }; + while (module_list_head != moudle) + { + PLDR_DATA_TABLE_ENTRY info = (PLDR_DATA_TABLE_ENTRY)moudle; + UNICODE_STRING str_moudle_name; + for (size_t i = 0; i < sizeof(moudle_list); i++) + { + RtlInitUnicodeString(&str_moudle_name, moudle_list[i]); + if (BlackBoneSafeSearchString(&info->BaseDllName, &str_moudle_name, true) != -1) + { + DebugPrintA("MoudleBase %p Size %p Name %wZ\n", info->DllBase, info->SizeOfImages, info->BaseDllName); + if (i == 0) { + kernel32->bsae = (uintptr_t)info->DllBase; + kernel32->size = (uintptr_t)info->SizeOfImages; + } + if (i == 1) { + ntdll->bsae = (uintptr_t)info->DllBase; + ntdll->size = (uintptr_t)info->SizeOfImages; + } + if (i == 2) { + kernelbase->bsae = (uintptr_t)info->DllBase; + kernelbase->size = (uintptr_t)info->SizeOfImages; + } + break; + } + } + if (kernel32->bsae && ntdll->bsae && kernelbase->bsae) + break; + moudle = moudle->Flink; + } + result = kernel32->bsae != NULL && ntdll->bsae != NULL && kernelbase->bsae != NULL; + DebugPrintA("kernel32->bsae %p sizeof:%p ntdll->bsae %p kernelbase->bsae %p result: %d \n", kernel32->bsae, kernel32->size, ntdll->bsae, kernelbase->bsae, result); + + return result; +} +uintptr_t get_free_speace(uintptr_t base, size_t size, size_t 
need_size) { + size_t return_length; + + for (uintptr_t address = (uintptr_t)base; address <= (uintptr_t)base + size; address += sizeof(uintptr_t)) { + __try + { + ProbeForRead((void*)address, need_size, 0x1); + if (*(uintptr_t*)address == 0x00 || *(uintptr_t*)address == 0x90) + { + MEMORY_BASIC_INFORMATION memory_information = { 0 }; + NTSTATUS status = ZwQueryVirtualMemory(NtCurrentProcess(), (PVOID)address, (MEMORY_INFORMATION_CLASS)0, &memory_information, need_size, &return_length); + if (NT_SUCCESS(status)) { + if ((memory_information.Protect == PAGE_EXECUTE || memory_information.Protect == PAGE_EXECUTE_READ || memory_information.Protect == PAGE_EXECUTE_READWRITE || memory_information.Protect == PAGE_EXECUTE_WRITECOPY) == false) { + continue; + } + } + DebugPrintA("address : %p \n", address); + uintptr_t count = 0; + bool is_good = true; + uintptr_t max_count = 0; + for (; count < need_size && is_good; count += sizeof(uintptr_t)) + { + max_count++; + auto check_ptr = (uintptr_t*)((PUCHAR)address + count); + if (*check_ptr != 0x0 && *check_ptr != 0x90) + { + is_good = false; + break; + } + } + if (is_good) { + DebugPrintA("location Cow virtual address : %p \n", address); + return address; + } + } + } + __except (EXCEPTION_EXECUTE_HANDLER) + { + continue; + } + } + return NULL; +} + + +VOID DriverUnload(PDRIVER_OBJECT driver) +{ + DebugPrintA("[DebugMessage] Unload Driver"); +} + +extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path) +{ + DebugPrintA("init Driver \n"); + /* + ³õʼ»¯shellcode + */ + //uintptr_t size_of_shellcode = CALCSIZE(HkCreateFileW, ShellCodeEnd); + uintptr_t size_of_shellcode = sizeof(HookCode); + DebugPrintA("shell code size: %p \n", size_of_shellcode); + /* + get a x64 process + */ + for (uintptr_t i = 8; i < 100000000; i = i + 4) + { + PEPROCESS _eprocess = NULL; + NTSTATUS nt_status = PsLookupProcessByProcessId((HANDLE)i, &_eprocess); + if (NT_SUCCESS(nt_status) && _eprocess != NULL) + { + 
ObDereferenceObject(_eprocess); + bool is_x64_process = PsGetProcessWow64Process(_eprocess) == NULL; + if (is_x64_process) { + KAPC_STATE apc; + KeStackAttachProcess(_eprocess, &apc); + moudle_info kernel32 = {0}; + moudle_info ntdll = { 0 }; + moudle_info kernelbase = { 0 }; + /* + is x64 process, get kernel32.dll and kernelbase.dll and ntdll.dll base + */ + if (get_moudle_base(_eprocess, &kernel32, &ntdll, &kernelbase)) { + uintptr_t kernel32_loadlibrary = GetProcAddressR(kernel32.bsae, "LoadLibraryW", TRUE); + uintptr_t ntdll_wcsstr = GetProcAddressR(ntdll.bsae, "wcsstr", TRUE); + uintptr_t kernelbase_GetModuleFileNameW = GetProcAddressR(kernelbase.bsae, "GetModuleFileNameW", TRUE); + uintptr_t kernelbase_CreateFileW = GetProcAddressR(kernelbase.bsae, "CreateFileW", TRUE); + + if (kernel32_loadlibrary && ntdll_wcsstr && kernelbase_GetModuleFileNameW && kernelbase_CreateFileW) { + uintptr_t hook_function = get_free_speace(kernel32.bsae, kernel32.size, size_of_shellcode + sizeof(void*) + sizeof(CreateFileWT)); + if (hook_function) { + /* + Copy shellcode to freespeace + */ + _memcpy((PVOID)hook_function, (PVOID)HookCode, size_of_shellcode); + /* + hook + */ + BYTE _mov_rax[] = { + 0x48, 0xB8 // mov rax, [xxx] + }; + BYTE _jmp_rax[] = { + 0xFF, 0xE0, // jmp rax + }; + BYTE shell_code_jmp_back[] = { + 0xCC, 0xCC, //mov rax + 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, //void* + 0xCC, 0xCC, //jmp rax + }; + uintptr_t function_offset = kernelbase_CreateFileW; + //backup + _memcpy(shell_code_jmp_back, (void*)function_offset, sizeof(shell_code_jmp_back)); + /* + hook_function -> origin_code + */ + function_offset = hook_function + size_of_shellcode; + uintptr_t jmp_back = function_offset; + _memcpy((void*)function_offset, shell_code_jmp_back, sizeof(shell_code_jmp_back)); + function_offset += sizeof(shell_code_jmp_back); + /* + origin_code -> jmp CreateFileW + */ + uintptr_t jmp_offset = kernelbase_CreateFileW + sizeof(_mov_rax) + sizeof(_jmp_rax) + sizeof(void*); + 
_memcpy((void*)function_offset, _mov_rax, sizeof(_mov_rax)); + function_offset += sizeof(_mov_rax); + _memcpy((void*)function_offset, &jmp_offset, sizeof(void*)); + function_offset += sizeof(void*); + _memcpy((void*)function_offset, _jmp_rax, sizeof(_jmp_rax)); + /* + location shellcode function + */ + for (int i = 0; i < size_of_shellcode; i++) + { + auto write_ptr = (uintptr_t*)((PUCHAR)hook_function + i); + if (*write_ptr == 0x1234567812345678) + { + _memcpy((void*)write_ptr, (void*)&jmp_back, sizeof(uintptr_t)); + DebugPrintA("[jmp_back]Fix KernelBase.CreateFileW %p \n", jmp_back); + } + if (*write_ptr == 0x1234567891ABCDEF) + { + _memcpy((void*)write_ptr, (void*)&ntdll_wcsstr, sizeof(uintptr_t)); + DebugPrintA("Fix Ntdll.wcsstr %p \n", ntdll_wcsstr); + } + if (*write_ptr == 0x1337567891ABCDEF) + { + _memcpy((void*)write_ptr, (void*)&kernelbase_GetModuleFileNameW, sizeof(uintptr_t)); + DebugPrintA("Fix KernelBase.GetModuleFileNameW %p \n", kernelbase_GetModuleFileNameW); + } + if (*write_ptr == 0x1234567891AB1337) + { + _memcpy((void*)write_ptr, (void*)&kernel32_loadlibrary, sizeof(uintptr_t)); + DebugPrintA("Fix kernel32.loadlibrary %p \n", kernel32_loadlibrary); + } + } + /* + CreateFileW -> hook_function + */ + function_offset = kernelbase_CreateFileW; + _memcpy((void*)function_offset, _mov_rax, sizeof(_mov_rax)); + function_offset += sizeof(_mov_rax); + _memcpy((void*)function_offset, &hook_function, sizeof(void*)); + function_offset += sizeof(void*); + _memcpy((void*)function_offset, _jmp_rax, sizeof(_jmp_rax)); + DebugPrintA("success hooked at: %p \n", hook_function); + + } else { + DebugPrintA("can not get free speace for shellcode \n"); + } + } + else { + DebugPrintA("can not get export function\n"); + } + } + KeUnstackDetachProcess(&apc); + break; + } + } + } + driver->DriverUnload = DriverUnload; + return STATUS_UNSUCCESSFUL; +} \ No newline at end of file diff --git a/CowInject/main.h b/CowInject/main.h new file mode 100644 index 0000000..63759b7 
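Review bot: In `DriverEntry`, `ObDereferenceObject(_eprocess)` runs immediately after the successful `PsLookupProcessByProcessId`, before `KeStackAttachProcess`, `get_moudle_base` and every other use of `_eprocess`; the reference that keeps the EPROCESS alive is already gone, so a process that exits during the attach turns the rest of the loop body into a use-after-free. Move the release so it runs after `KeUnstackDetachProcess(&apc)` on the x64 path and at the end of the `if (NT_SUCCESS(nt_status) && _eprocess != NULL)` body otherwise. In `get_moudle_base` the inner bound `i < sizeof(moudle_list)` is a byte count (90), not the three entries, so any module that matches none of the names walks `moudle_list[i]` past the array and hands garbage to `RtlInitUnicodeString` — use `i < RTL_NUMBER_OF(moudle_list)`. In `get_free_speace` the `ZwQueryVirtualMemory` call passes `need_size` as the output-buffer length and `(MEMORY_INFORMATION_CLASS)0` where `sizeof(memory_information)` and `MemoryBasicInformation` belong, and `max_count` is computed but never read. The comment `³õʼ»¯shellcode` is a mis-encoded Chinese comment ("initialize shellcode"); save the file as UTF-8 or write the comment in English.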
--- /dev/null
+++ b/CowInject/main.h
@@ -0,0 +1,11 @@ +#pragma once + +extern HANDLE __stdcall HkCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); +extern int __stdcall ShellCodeEnd(); +extern ULONG_PTR GetProcAddressR(ULONG_PTR hModule, const char* lpProcName, BOOL x64Module); +extern LONG BlackBoneSafeSearchString(IN PUNICODE_STRING source, IN PUNICODE_STRING target, IN BOOLEAN CaseInSensitive); +extern bool _memcpy(PVOID address, PVOID target_address, ULONG length); +//see shell_code_start ,fuck gcc, aways broken shellcode +static BYTE HookCode[] = { +0x48,0x8B,0xC4,0x48,0x89,0x58,0x08,0x48,0x89,0x70,0x10,0x48,0x89,0x78,0x18,0x55,0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,0x48,0x8D,0xA8,0xF8,0xFD,0xFF,0xFF,0x48,0x81,0xEC,0xE0,0x02,0x00,0x00,0x45,0x33,0xED,0xC7,0x44,0x24,0x40,0x43,0x00,0x3A,0x00,0x41,0x8B,0xF0,0x66,0x44,0x89,0x6C,0x24,0x58,0x44,0x8B,0xF2,0x66,0x44,0x89,0x6C,0x24,0x78,0x48,0x8B,0xD9,0x66,0x44,0x89,0x6D,0xC0,0x41,0xB8,0x04,0x01,0x00,0x00,0xC7,0x44,0x24,0x44,0x5C,0x00,0x68,0x00,0x48,0x8D,0x55,0xD0,0xC7,0x44,0x24,0x48,0x75,0x00,0x6F,0x00,0x33,0xC9,0xC7,0x44,0x24,0x4C,0x6A,0x00,0x69,0x00,0x48,0xB8,0xEF,0xCD,0xAB,0x91,0x78,0x56,0x37,0x13,0xC7,0x44,0x24,0x50,0x2E,0x00,0x64,0x00,0x49,0x8B,0xF9,0xC7,0x44,0x24,0x54,0x6C,0x00,0x6C,0x00,0xC7,0x44,0x24,0x60,0x43,0x00,0x3A,0x00,0xC7,0x44,0x24,0x64,0x5C,0x00,0x6E,0x00,0xC7,0x44,0x24,0x68,0x74,0x00,0x64,0x00,0xC7,0x44,0x24,0x6C,0x6C,0x00,0x6C,0x00,0xC7,0x44,0x24,0x70,0x2E,0x00,0x64,0x00,0xC7,0x44,0x24,0x74,0x6C,0x00,0x6C,0x00,0xC7,0x45,0xA0,0x43,0x00,0x6F,0x00,0xC7,0x45,0xA4,0x6E,0x00,0x61,0x00,0xC7,0x45,0xA8,0x6E,0x00,0x53,0x00,0xC7,0x45,0xAC,0x61,0x00,0x6E,0x00,0xC7,0x45,0xB0,0x64,0x00,0x62,0x00,0xC7,0x45,0xB4,0x6F,0x00,0x78,0x00,0xC7,0x45,0xB8,0x2E,0x00,0x65,0x00,0xC7,0x45,0xBC,0x78,0x00,0x65,0x00,0xC7,0x45,0x80,0x42,0x00,0x45,0x00,0xC7,0x45,0x84,0x53,0x00,0x65,0x00,0xC7,0x45,0x88,0x72,0x00,0x76,0x00,0xC
7,0x45,0x8C,0x69,0x00,0x63,0x00,0xC7,0x45,0x90,0x65,0x00,0x2E,0x00,0xC7,0x45,0x94,0x65,0x00,0x78,0x00,0xC7,0x45,0x98,0x65,0x00,0x00,0x00,0xFF,0xD0,0x48,0x8D,0x55,0xA0,0x49,0xBF,0xEF,0xCD,0xAB,0x91,0x78,0x56,0x34,0x12,0x48,0x8D,0x4D,0xD0,0x41,0xFF,0xD7,0x48,0x85,0xC0,0x74,0x11,0x48,0x8D,0x4C,0x24,0x40,0x48,0xB8,0x37,0x13,0xAB,0x91,0x78,0x56,0x34,0x12,0xFF,0xD0,0x48,0x8D,0x55,0x80,0x48,0x8D,0x4D,0xD0,0x41,0xFF,0xD7,0x48,0x8B,0xCB,0x48,0x85,0xC0,0x74,0x14,0x48,0x8D,0x54,0x24,0x40,0x41,0xFF,0xD7,0x48,0x85,0xC0,0x48,0x8D,0x4C,0x24,0x60,0x48,0x0F,0x44,0xCB,0x48,0x8B,0x85,0x40,0x02,0x00,0x00,0x4C,0x8B,0xCF,0x48,0x89,0x44,0x24,0x30,0x44,0x8B,0xC6,0x8B,0x85,0x38,0x02,0x00,0x00,0x41,0x8B,0xD6,0x89,0x44,0x24,0x28,0x8B,0x85,0x30,0x02,0x00,0x00,0x89,0x44,0x24,0x20,0x48,0xB8,0x78,0x56,0x34,0x12,0x78,0x56,0x34,0x12,0xFF,0xD0,0x4C,0x8D,0x9C,0x24,0xE0,0x02,0x00,0x00,0x49,0x8B,0x5B,0x30,0x49,0x8B,0x73,0x38,0x49,0x8B,0x7B,0x40,0x49,0x8B,0xE3,0x41,0x5F,0x41,0x5E,0x41,0x5D,0x41,0x5C,0x5D,0xC3,0xCC, +}; \ No newline at end of file diff --git a/CowInject/shell_code_end.cpp b/CowInject/shell_code_end.cpp new file mode 100644 index 0000000..9783445 --- /dev/null +++ b/CowInject/shell_code_end.cpp @@ -0,0 +1 @@ +#include "head.h" diff --git a/CowInject/shell_code_start.cpp b/CowInject/shell_code_start.cpp new file mode 100644 index 0000000..8dbe7b6 --- /dev/null +++ b/CowInject/shell_code_start.cpp 
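Review bot: `HkCreateFileW` and `ShellCodeEnd` are declared `extern` in main.h, but nothing in the commit defines them — shell_code_start.cpp keeps that code only inside a block comment and shell_code_end.cpp is a bare include — so the commented-out `CALCSIZE(HkCreateFileW, ShellCodeEnd)` in main.cpp fails at link time the moment it is re-enabled; delete the two prototypes or give them real definitions. `static BYTE HookCode[]` in a header gives every including translation unit its own copy of the array; declare it `extern` here and define it once in a .cpp, or state that only main.cpp is meant to include this header. The comment above the array (`//see shell_code_start ,fuck gcc, aways broken shellcode`) should say what a maintainer needs, e.g. `// compiled bytes of the routine sketched in shell_code_start.cpp; regenerate both together`.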
@@ -0,0 +1,28 @@ +#include "head.h" + +//shellcode just like: +/* +HANDLE __stdcall HookCreateFileW(LPCWSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile) { + CreateFileWT oCreateFileW = (CreateFileWT)0x1234567812345678; + wcsstrAt oWcsstr = (wcsstrAt)0x1234567891ABCDEF; + GetModuleFileNameWT oGetModuleFileNameW = (GetModuleFileNameWT)0x1337567891ABCDEF; + LoadLibraryWT oLoadLibraryW = (LoadLibraryWT)0x1234567891AB1337; + wchar_t CheatPath[] = { 'C',':','\\','h','u','o','j','i','.','d','l','l','\0' }; + wchar_t NtdllName[] = { 'C',':','\\','n','t','d','l','l','.','d','l','l','\0' }; + //RainbowSix.exe + wchar_t GameName[] = { 'C','o','n','a','n','S','a','n','d','b','o','x','.','e','x','e','\0' }; + //BEService.exe + wchar_t AntiCheatName[] = { 'B','E','S','e','r','v','i','c','e','.','e','x','e','\0' }; + wchar_t ExeFile[MAX_PATH]; + oGetModuleFileNameW(NULL, ExeFile, MAX_PATH); + if (oWcsstr(ExeFile, GameName) != NULL) { + oLoadLibraryW(CheatPath); + } + if (oWcsstr(ExeFile, AntiCheatName) != NULL) { + return oCreateFileW(oWcsstr(lpFileName, CheatPath) != NULL ? NtdllName : lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile); + } + return oCreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile); +} +int __stdcall ShellCodeEnd() { + return 0x1337; +}*/ \ No newline at end of file