Tue, Apr 14, 2020 7:45:30 PM

This commit is contained in:
Samuel Tulach
2020-04-14 19:45:30 +02:00
parent a2641bfa11
commit a4f4e7b654
5 changed files with 139 additions and 2 deletions


@@ -22,11 +22,14 @@
*/
#include <iostream>
#include <iomanip>
#include "nt.h"
#include "driver.h"
#include "utils.h"
#include "helper.h"
#define EXPLORER_EXE L"explorer.exe"
int main()
{
std::cout << "[>] Enabling SE_SYSTEM_ENVIRONMENT_PRIVILEGE..." << std::endl;
@@ -34,6 +37,7 @@ int main()
if (!status)
{
std::cout << "[-] Failed to enable privilege" << std::endl;
return -1;
}
std::cout << "[>] Testing driver..." << std::endl;
@@ -41,8 +45,47 @@ int main()
if (!status)
{
std::cout << "[-] Driver test failed" << std::endl;
return -1;
}
uintptr_t test = Helper::AllocatePool(nt::PagedPool, sizeof(uintptr_t));
printf("%llx\n", test);
std::cout << "[>] Getting current process PEPROCESS..." << std::endl;
uintptr_t current = Helper::GetCurrentProcessKrnl();
if (!current)
{
std::cout << "[-] Failed to get current process" << std::endl;
return -1;
}
std::cout << "[>] Getting explorer.exe PEPROCESS..." << std::endl;
int pid = Utils::Find(EXPLORER_EXE);
if (!pid)
{
std::cout << "[-] Failed to find explorer.exe pid" << std::endl;
return -1;
}
uintptr_t explorer = 0;
Helper::LookupProcess(pid, &explorer);
if (!explorer)
{
std::cout << "[-] Failed to get explorer.exe PEPROCESS" << std::endl;
return -1;
}
std::cout << "[>] Reading DOS header..." << std::endl;
uintptr_t baseaddress = Utils::GetModuleBaseAddress(pid, EXPLORER_EXE);
if (!baseaddress)
{
std::cout << "[-] Failed to get explorer.exe base address" << std::endl;
return -1;
}
IMAGE_DOS_HEADER header = { 0 };
SIZE_T retsize = 0;
NTSTATUS copystatus = Helper::CopyVirtualMemory(explorer, baseaddress, current, (uintptr_t)&header, sizeof(IMAGE_DOS_HEADER), 0, &retsize);
std::cout << "[+] Test read:" << std::endl;
std::cout << "\tStatus: " << std::hex << std::setw(8) << std::setfill('0') << std::uppercase << copystatus << std::nouppercase << std::dec << std::endl;
std::cout << "\tDOS magic: " << header.e_magic << std::endl;
std::cout << "\tNT offset: " << header.e_lfanew << std::endl;
}
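Review bot: The NTSTATUS from Helper::CopyVirtualMemory is printed but never tested before header.e_magic and header.e_lfanew are read, and retsize is never compared with sizeof(IMAGE_DOS_HEADER), so a failed or short copy prints the zero-initialized header as if the read had succeeded; guard it with `if (!NT_SUCCESS(copystatus) || retsize != sizeof(header)) { std::cout << "[-] Test read failed" << std::endl; return -1; }` before the "[+] Test read:" output. The paged-pool block returned by Helper::AllocatePool into `test` is only printf'd, never checked for a zero return and never released through the Helper wrapper that calls ExFreePool, so every run leaks kernel pool. The NTSTATUS returned by Helper::LookupProcess is discarded in favour of testing `explorer`, and `int pid` narrows the uint32_t that Utils::Find returns; `uint32_t pid` and `if (!NT_SUCCESS(Helper::LookupProcess(pid, &explorer)) || !explorer)` keep both checks honest. main() begins in an earlier hunk, outside this one.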


@@ -155,6 +155,7 @@
</ItemGroup>
<ItemGroup>
<ClInclude Include="driver.h" />
<ClInclude Include="helper.h" />
<ClInclude Include="nt.h" />
<ClInclude Include="utils.h" />
</ItemGroup>


@@ -32,4 +32,55 @@ namespace Helper
return Utils::CallKernelFunction<void>(nullptr, kernel_ExFreePool, address);
}
uint64_t GetCurrentProcessKrnl()
{
static uint64_t kernel_IoGetCurrentProcess = 0;
if (!kernel_IoGetCurrentProcess)
kernel_IoGetCurrentProcess = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "IoGetCurrentProcess");
uint64_t peprocess = 0;
if (!Utils::CallKernelFunction<uint64_t>(&peprocess, kernel_IoGetCurrentProcess))
return 0;
return peprocess;
}
NTSTATUS LookupProcess(uint32_t pid, uintptr_t* peprocess)
{
static uint64_t kernel_PsLookupProcessByProcessId = 0;
if (!kernel_PsLookupProcessByProcessId)
kernel_PsLookupProcessByProcessId = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "PsLookupProcessByProcessId");
NTSTATUS status;
if (!Utils::CallKernelFunction(&status, kernel_PsLookupProcessByProcessId, pid, peprocess))
return 0;
return status;
}
NTSTATUS CopyVirtualMemory(uintptr_t sourceprocess,
uintptr_t sourceaddress,
uintptr_t destinationprocess,
uintptr_t destinationaddress,
SIZE_T size,
uint8_t mode,
PSIZE_T returnsize)
{
static uint64_t kernel_MmCopyVirtualMemory = 0;
if (!kernel_MmCopyVirtualMemory)
kernel_MmCopyVirtualMemory = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "MmCopyVirtualMemory");
NTSTATUS status;
if (!Utils::CallKernelFunction(&status, kernel_MmCopyVirtualMemory, sourceprocess, sourceaddress, destinationprocess, destinationaddress, size, mode, returnsize))
return 0;
return status;
}
}
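Review bot: LookupProcess and CopyVirtualMemory `return 0` when Utils::CallKernelFunction fails, and 0 is STATUS_SUCCESS, so a caller checking NT_SUCCESS cannot tell a call that never reached the kernel from one that succeeded; `status` is also left uninitialized if the wrapper does not write it. Use a real failure code in both places, e.g. `NTSTATUS status = STATUS_UNSUCCESSFUL;` and `return STATUS_UNSUCCESSFUL;` in the failure branch (STATUS_UNSUCCESSFUL lives in ntstatus.h, which this header may need to include — TODO confirm). PsLookupProcessByProcessId hands back a referenced EPROCESS that the caller is documented to release with ObDereferenceObject, and nothing in this hunk does so; a comment above LookupProcess should say `// On success *peprocess is a referenced EPROCESS; the caller must release it (ObDereferenceObject)` so the leak is at least visible. The enclosing namespace Helper starts outside this hunk.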


@@ -1,6 +1,7 @@
#pragma once
#include <Windows.h>
#include <winternl.h>
#include <Tlhelp32.h>
#pragma comment(lib, "ntdll.lib")
namespace nt


@@ -2,6 +2,47 @@
namespace Utils
{
uint32_t Find(const wchar_t* proc)
{
auto snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
auto pe = PROCESSENTRY32{ sizeof(PROCESSENTRY32) };
if (Process32First(snapshot, &pe)) {
do {
if (wcscmp(proc, pe.szExeFile) == 0) {
CloseHandle(snapshot);
return pe.th32ProcessID;
}
} while (Process32Next(snapshot, &pe));
}
CloseHandle(snapshot);
return 0;
}
uint64_t GetModuleBaseAddress(uint32_t procId, const wchar_t* modName)
{
uintptr_t modBaseAddr = 0;
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
if (hSnap != INVALID_HANDLE_VALUE)
{
MODULEENTRY32 modEntry;
modEntry.dwSize = sizeof(modEntry);
if (Module32First(hSnap, &modEntry))
{
do
{
if (!_wcsicmp(modEntry.szModule, modName))
{
modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
break;
}
} while (Module32Next(hSnap, &modEntry));
}
}
CloseHandle(hSnap);
return modBaseAddr;
}
uint64_t GetKernelModuleAddress(const std::string& module_name)
{
void* buffer = nullptr;