diff --git a/client/client/client/client.cpp b/client/client/client/client.cpp
index ea09d98..d8acc2a 100644
--- a/client/client/client/client.cpp
+++ b/client/client/client/client.cpp
@@ -22,11 +22,14 @@
 */
 #include
+#include
 #include "nt.h"
 #include "driver.h"
 #include "utils.h"
 #include "helper.h"
+#define EXPLORER_EXE L"explorer.exe"
+
 int main()
 {
 	std::cout << "[>] Enabling SE_SYSTEM_ENVIRONMENT_PRIVILEGE..." << std::endl;
@@ -34,6 +37,7 @@ int main()
 	if (!status)
 	{
 		std::cout << "[-] Failed to enable privilege" << std::endl;
+		return -1;
 	}
 
 	std::cout << "[>] Testing driver..." << std::endl;
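Review bot: `#define EXPLORER_EXE L"explorer.exe"` introduces a macro for what is a plain constant; a typed, scoped constant such as `inline constexpr const wchar_t* kExplorerExe = L"explorer.exe";` gives the compiler something to check and keeps the name out of the preprocessor. The header name on the added `#include` line is not visible in this rendering, so its target cannot be reviewed here. The early `return -1` after the privilege failure is correct; note that `main`'s body continues outside this hunk.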
@@ -41,8 +45,47 @@ int main()
 	if (!status)
 	{
 		std::cout << "[-] Driver test failed" << std::endl;
+		return -1;
 	}
 
-	uintptr_t test = Helper::AllocatePool(nt::PagedPool, sizeof(uintptr_t));
-	printf("%llx\n", test);
+	std::cout << "[>] Getting current process PEPROCESS..." << std::endl;
+	uintptr_t current = Helper::GetCurrentProcessKrnl();
+	if (!current)
+	{
+		std::cout << "[-] Failed to get current process" << std::endl;
+		return -1;
+	}
+
+	std::cout << "[>] Getting explorer.exe PEPROCESS..." << std::endl;
+	int pid = Utils::Find(EXPLORER_EXE);
+	if (!pid)
+	{
+		std::cout << "[-] Failed to find explorer.exe pid" << std::endl;
+		return -1;
+	}
+
+	uintptr_t explorer = 0;
+	Helper::LookupProcess(pid, &explorer);
+	if (!explorer)
+	{
+		std::cout << "[-] Failed to get explorer.exe PEPROCESS" << std::endl;
+		return -1;
+	}
+
+	std::cout << "[>] Reading DOS header..." << std::endl;
+	uintptr_t baseaddress = Utils::GetModuleBaseAddress(pid, EXPLORER_EXE);
+	if (!baseaddress)
+	{
+		std::cout << "[-] Failed to get explorer.exe base address" << std::endl;
+		return -1;
+	}
+
+	IMAGE_DOS_HEADER header = { 0 };
+	SIZE_T retsize = 0;
+	NTSTATUS copystatus = Helper::CopyVirtualMemory(explorer, baseaddress, current, (uintptr_t)&header, sizeof(IMAGE_DOS_HEADER), 0, &retsize);
+
+	std::cout << "[+] Test read:" << std::endl;
+	std::cout << "\tStatus: " << std::hex << std::setw(8) << std::setfill('0') << std::uppercase << copystatus << std::nouppercase << std::dec << std::endl;
+	std::cout << "\tDOS magic: " << header.e_magic << std::endl;
+	std::cout << "\tNT offset: " << header.e_lfanew << std::endl;
 }
diff --git a/client/client/client/client.vcxproj b/client/client/client/client.vcxproj
index e0161ec..99b0134 100644
--- a/client/client/client/client.vcxproj
+++ b/client/client/client/client.vcxproj
@@ -155,6 +155,7 @@
+
diff --git a/client/client/client/helper.h b/client/client/client/helper.h
index 7d73c5a..f361ee6 100644
--- a/client/client/client/helper.h
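Review bot: `copystatus` returned by `Helper::CopyVirtualMemory` is printed but never tested, and `retsize` is never examined, so on a failed read the code goes on to print the zero-initialised `header` fields as if they were real data; add a guard before the output, e.g. `if (!NT_SUCCESS(copystatus) || retsize != sizeof(header)) { std::cout << "[-] Read failed" << std::endl; return -1; }` (NT_SUCCESS assumed to be in scope through nt.h — confirm). The NTSTATUS returned by `Helper::LookupProcess` is likewise discarded, with only `explorer` being checked afterwards. `int pid` narrows the `uint32_t` that `Utils::Find` returns and is then passed back into two `uint32_t` parameters; keep it `uint32_t`. `(uintptr_t)&header` is a C-style cast where `reinterpret_cast<uintptr_t>(&header)` is the idiomatic, greppable form.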
+++ b/client/client/client/helper.h
@@ -32,4 +32,55 @@ namespace Helper
 		return Utils::CallKernelFunction(nullptr, kernel_ExFreePool, address);
 	}
+
+	uint64_t GetCurrentProcessKrnl()
+	{
+		static uint64_t kernel_IoGetCurrentProcess = 0;
+
+		if (!kernel_IoGetCurrentProcess)
+			kernel_IoGetCurrentProcess = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "IoGetCurrentProcess");
+
+		uint64_t peprocess = 0;
+
+		if (!Utils::CallKernelFunction(&peprocess, kernel_IoGetCurrentProcess))
+			return 0;
+
+		return peprocess;
+	}
+
+	NTSTATUS LookupProcess(uint32_t pid, uintptr_t* peprocess)
+	{
+		static uint64_t kernel_PsLookupProcessByProcessId = 0;
+
+		if (!kernel_PsLookupProcessByProcessId)
+			kernel_PsLookupProcessByProcessId = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "PsLookupProcessByProcessId");
+
+		NTSTATUS status;
+
+		if (!Utils::CallKernelFunction(&status, kernel_PsLookupProcessByProcessId, pid, peprocess))
+			return 0;
+
+		return status;
+	}
+
+	NTSTATUS CopyVirtualMemory(uintptr_t sourceprocess,
+		uintptr_t sourceaddress,
+		uintptr_t destinationprocess,
+		uintptr_t destinationaddress,
+		SIZE_T size,
+		uint8_t mode,
+		PSIZE_T returnsize)
+	{
+		static uint64_t kernel_MmCopyVirtualMemory = 0;
+
+		if (!kernel_MmCopyVirtualMemory)
+			kernel_MmCopyVirtualMemory = Utils::GetKernelModuleExport(Utils::GetKernelModuleAddress("ntoskrnl.exe"), "MmCopyVirtualMemory");
+
+		NTSTATUS status;
+
+		if (!Utils::CallKernelFunction(&status, kernel_MmCopyVirtualMemory, sourceprocess, sourceaddress, destinationprocess, destinationaddress, size, mode, returnsize))
+			return 0;
+
+		return status;
+	}
 }
\ No newline at end of file
diff --git a/client/client/client/nt.h b/client/client/client/nt.h
index 0a980a4..991c90c 100644
--- a/client/client/client/nt.h
+++ b/client/client/client/nt.h
@@ -1,6 +1,7 @@
 #pragma once
 #include
 #include
+#include
 #pragma comment(lib, "ntdll.lib")
 namespace nt
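Review bot: `LookupProcess` and `CopyVirtualMemory` both `return 0;` when `Utils::CallKernelFunction` fails, and `0` as an NTSTATUS reads as success, so the caller cannot tell a failed dispatch from a successful one; `status` is also left uninitialised until the call writes it. Initialise it to a failure code and return that on the failed path, e.g. `NTSTATUS status = STATUS_UNSUCCESSFUL;` with `return status;` in place of `return 0;` (STATUS_UNSUCCESSFUL assumed to come in through nt.h — confirm, otherwise use a project-defined failure constant). None of the three new functions checks that `Utils::GetKernelModuleExport` actually resolved the export before calling through the cached `static` address; a `0` there should return the same failure code early. The `Utils::GetKernelModuleAddress("ntoskrnl.exe")` lookup is now repeated in every function in this header, which a small private helper could factor out.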
diff --git a/client/client/client/utils.h b/client/client/client/utils.h
index 9d43112..96c0b77 100644
--- a/client/client/client/utils.h
+++ b/client/client/client/utils.h
@@ -2,6 +2,47 @@
 namespace Utils
 {
 
+	uint32_t Find(const wchar_t* proc)
+	{
+		auto snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+		auto pe = PROCESSENTRY32{ sizeof(PROCESSENTRY32) };
+
+		if (Process32First(snapshot, &pe)) {
+			do {
+				if (wcscmp(proc, pe.szExeFile) == 0) {
+					CloseHandle(snapshot);
+					return pe.th32ProcessID;
+				}
+			} while (Process32Next(snapshot, &pe));
+		}
+		CloseHandle(snapshot);
+		return 0;
+	}
+
+	uint64_t GetModuleBaseAddress(uint32_t procId, const wchar_t* modName)
+	{
+		uintptr_t modBaseAddr = 0;
+		HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, procId);
+		if (hSnap != INVALID_HANDLE_VALUE)
+		{
+			MODULEENTRY32 modEntry;
+			modEntry.dwSize = sizeof(modEntry);
+			if (Module32First(hSnap, &modEntry))
+			{
+				do
+				{
+					if (!_wcsicmp(modEntry.szModule, modName))
+					{
+						modBaseAddr = (uintptr_t)modEntry.modBaseAddr;
+						break;
+					}
+				} while (Module32Next(hSnap, &modEntry));
+			}
+		}
+		CloseHandle(hSnap);
+		return modBaseAddr;
+	}
+
 	uint64_t GetKernelModuleAddress(const std::string& module_name)
 	{
 		void* buffer = nullptr;
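Review bot: `Find` never checks the `CreateToolhelp32Snapshot` result, so on failure `Process32First` and then `CloseHandle` are called with `INVALID_HANDLE_VALUE`; add `if (snapshot == INVALID_HANDLE_VALUE) return 0;` directly after the snapshot line. `GetModuleBaseAddress` has the other half of the same problem: it guards the enumeration on `hSnap != INVALID_HANDLE_VALUE` but still calls `CloseHandle(hSnap)` outside that `if`, so the close should move inside the guarded block. The two functions also compare names differently — case-sensitive `wcscmp` in `Find` versus `_wcsicmp` in `GetModuleBaseAddress` — which looks unintended; pick one and use it in both. Naming and brace style diverge between them as well (`snapshot`/`pe` against `hSnap`/`modEntry`, same-line against own-line braces), and `modBaseAddr` is declared `uintptr_t` but returned as `uint64_t` through a C-style cast.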