/******************************************************
* FILENAME:
*       Utils.c
*
* DESCRIPTION:
*       Driver utility functions.
*
*       Copyright Toni Uhlig 2019. All rights reserved.
*
* AUTHOR:
*       Toni Uhlig          START DATE :    27 Mar 19
*/

#include "Driver.h"
#include "Imports.h"

#include <ntstrsafe.h>


/*
 * CheckVersion, GetKernelBase and RandomMemory32 live in the pageable PAGE
 * section, so they may only be called at PASSIVE_LEVEL (typically from
 * DriverEntry); none of them currently asserts that with PAGED_CODE().
 */
#pragma alloc_text(PAGE, CheckVersion)
#pragma alloc_text(PAGE, GetKernelBase)
#pragma alloc_text(PAGE, RandomMemory32)

/*
 * Cached result of GetKernelBase(): base address and size of the loaded
 * module that contains the NtOpenFile routine (the kernel image).
 * NULL / 0 until the first successful lookup.  Written without any
 * synchronization -- see the note in GetKernelBase().
 */
PVOID g_KernelBase = NULL;
ULONG g_KernelSize = 0;

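/*
 * Log the running OS version and warn when it is not the build this driver
 * was written against (10.0.17134, 1803/RS4).
 *
 * This function only WARNS: whatever the build, it returns the status of
 * RtlGetVersion.  NOTE(review): the TODO below says the driver has not been
 * verified on other builds; since a kernel-patching driver running against
 * the wrong build can corrupt memory or crash the machine, the caller should
 * treat the warning as fatal and refuse to proceed, rather than continue.
 *
 * Returns the NTSTATUS of RtlGetVersion (failure means nothing was checked).
 */
NTSTATUS CheckVersion(void)
{
	NTSTATUS status;
	RTL_OSVERSIONINFOW osver = { 0 };

	/* RtlGetVersion requires the caller to fill in the structure size so it
	 * can tell the base and EX layouts apart; the original left it at 0. */
	osver.dwOSVersionInfoSize = sizeof(osver);

	status = RtlGetVersion(&osver);
	if (!NT_SUCCESS(status))
		return status;

	/* The version members are ULONG, so %lu rather than %d. */
	KDBG("Os version........: %lu.%lu.%lu",
		osver.dwMajorVersion,
		osver.dwMinorVersion,
		osver.dwBuildNumber);

	if (osver.dwMajorVersion != 10 ||
		osver.dwMinorVersion != 0 ||
		osver.dwBuildNumber != 17134)
	{
		/* TODO: Verify on other builds */
		KDBG("WARNING: ONLY Windows 10.0.17134 (1803/RS4) supported at the moment!\n");
	}

	return status;
}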

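/*
 * Locate the base address and size of the kernel image.
 *
 * The loaded-module list is fetched via ZwQuerySystemInformation
 * (SystemModuleInformation) and the module whose [ImageBase, ImageBase+Size)
 * range contains the exported routine NtOpenFile is taken to be the kernel.
 * The result is cached in g_KernelBase / g_KernelSize, so only the first
 * call performs the lookup.
 *
 * pSize   optional OUT parameter; receives the image size, or 0 on failure.
 * Returns the image base, or NULL if the lookup failed.
 *
 * Fixes versus the original: the pool allocation is checked before it is
 * zeroed (NULL dereference on allocation failure), the size query is retried
 * when the module list grows between the two calls, and *pSize is defined
 * on every return path.
 *
 * NOTE(review): the cache is written without synchronization.  Concurrent
 * first callers would race but store identical values -- confirm the driver
 * only calls this from DriverEntry.  The function is in the PAGE section
 * (see the alloc_text pragmas), so a PAGED_CODE() guard belongs at the top
 * once Driver.h brings it into scope.
 */
PVOID GetKernelBase(OUT PULONG pSize)
{
	NTSTATUS status;
	ULONG needed = 0;
	ULONG allocated = 0;
	PRTL_PROCESS_MODULES modules = NULL;
	PVOID probe;
	UNICODE_STRING routineName;
	int attempt;

	/* Never leave the caller's out-parameter undefined. */
	if (pSize)
		*pSize = 0;

	/* Fast path: resolved on a previous call. */
	if (g_KernelBase != NULL)
	{
		if (pSize)
			*pSize = g_KernelSize;
		return g_KernelBase;
	}

	/* Any routine exported by the kernel image works as an anchor. */
	RtlUnicodeStringInit(&routineName, L"NtOpenFile");
	probe = MmGetSystemRoutineAddress(&routineName);
	if (probe == NULL)
		return NULL;

	/* First call with no buffer: expected to fail, but reports the size. */
	status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &needed);
	if (needed == 0)
	{
		KDBG("Invalid SystemModuleInformation size\n");
		return NULL;
	}

	/*
	 * The module list can grow between the size query and the real query
	 * (another driver loading concurrently); the second call then fails and
	 * reports a larger required size.  Retry a bounded number of times
	 * instead of giving up on the first mismatch.
	 */
	for (attempt = 0; attempt < 3; attempt++)
	{
		allocated = needed;
		modules = (PRTL_PROCESS_MODULES)ExAllocatePoolWithTag(NonPagedPool, allocated, PASTDSE_POOL_TAG);
		if (modules == NULL)
		{
			KDBG("SystemModuleInformation buffer allocation failed\n");
			return NULL;
		}
		RtlZeroMemory(modules, allocated);

		status = ZwQuerySystemInformation(SystemModuleInformation, modules, allocated, &needed);
		if (NT_SUCCESS(status))
			break;

		ExFreePoolWithTag(modules, PASTDSE_POOL_TAG);
		modules = NULL;

		/* Only a "buffer too small" outcome is worth another attempt. */
		if (needed <= allocated)
			break;
	}

	if (modules == NULL)
	{
		KDBG("ZwQuerySystemInformation(SystemModuleInformation) failed: 0x%08lX\n", status);
		return NULL;
	}

	{
		PRTL_PROCESS_MODULE_INFORMATION mod = modules->Modules;

		for (ULONG i = 0; i < modules->NumberOfModules; i++)
		{
			PUCHAR start = (PUCHAR)mod[i].ImageBase;
			PUCHAR end = start + mod[i].ImageSize;

			/* The anchor routine lies inside this module's image range. */
			if ((PUCHAR)probe >= start && (PUCHAR)probe < end)
			{
				/* Size first, so a racing fast-path reader that sees a
				 * non-NULL base also sees a non-zero size. */
				g_KernelSize = mod[i].ImageSize;
				g_KernelBase = mod[i].ImageBase;
				break;
			}
		}
	}

	ExFreePoolWithTag(modules, PASTDSE_POOL_TAG);

	if (g_KernelBase != NULL && pSize)
		*pSize = g_KernelSize;

	return g_KernelBase;
}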

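/*
 * Fill a buffer with pseudo-random bytes generated by RtlRandomEx.
 *
 * buf   buffer to fill; must be at least 4 bytes.
 * siz   size of buf in bytes.  Any size >= 4 is accepted; a trailing partial
 *       word is filled byte-by-byte.
 * Returns STATUS_SUCCESS, or STATUS_INFO_LENGTH_MISMATCH if buf is NULL or
 * siz < 4.
 *
 * Fixes versus the original: the loop indexed a 32-bit pointer with a BYTE
 * offset (ptr[i] with i += 4), writing 4x past the buffer for any siz >= 8,
 * and RtlRandomEx was called on the buffer before the size check.
 *
 * SECURITY: RtlRandomEx is a simple, predictable generator, and the seed is
 * whatever the caller's buffer happened to contain.  This is fine for
 * filler or padding, but NOT for keys, nonces or anything that must be
 * unpredictable -- use BCryptGenRandom(BCRYPT_USE_SYSTEM_PREFERRED_RNG) for
 * that.  NOTE(review): confirm no caller relies on this for secret material.
 */
NTSTATUS RandomMemory32(PVOID buf, SIZE_T siz)
{
	PUINT32 words = (PUINT32)buf;
	SIZE_T nwords;
	SIZE_T tail;
	SIZE_T i;
	ULONG seed;

	if (buf == NULL || siz < sizeof(*words))
		return STATUS_INFO_LENGTH_MISMATCH;

	nwords = siz / sizeof(*words);
	tail = siz % sizeof(*words);

	/* Seed from the buffer's current contents (as the original did), but
	 * advance once so the first output word is never the raw seed. */
	seed = *(ULONG *)buf;

	for (i = 0; i < nwords; i++)
	{
		seed = RtlRandomEx(&seed);
		words[i] = seed;
	}

	/* Leftover 1..3 bytes: spread one more random word over them. */
	if (tail != 0)
	{
		unsigned char *rest = (unsigned char *)(words + nwords);

		seed = RtlRandomEx(&seed);
		for (i = 0; i < tail; i++)
			rest[i] = (unsigned char)(seed >> (8 * i));
	}

	return STATUS_SUCCESS;
}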