API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Nov 9th, 2015
266
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 8.74 KB | None | 0 0
raw download clone embed print report
  1. /*
  2.  
  3. simple ring0 hd serial spoofer by Orkblutt aka s@t@nic@
  4.  
  5. credits:
  6.  
  7. Taurine for his sample on NtDeviceIoControlFile
  8.  
  9. jiurl for port hidder method
  10.  
  11. Bruce Allen & smartmontools devs
  12.  
  13. */
  14.  
  15.  
  16.  
  17. #include <ntddk.h>
  18.  
  19.  
  20.  
  21. #define IOCTL_STORAGE_BASE 0x0000002d
  22.  
  23. #define IOCTL_DISK_BASE 0x00000007
  24.  
  25.  
  26.  
  27. #define IOCTL_STORAGE_QUERY_PROPERTY \
  28.  
  29. CTL_CODE(IOCTL_STORAGE_BASE, 0x0500,METHOD_BUFFERED, FILE_ANY_ACCESS)
  30.  
  31.  
  32.  
  33. #define SMART_RCV_DRIVE_DATA \
  34.  
  35. CTL_CODE(IOCTL_DISK_BASE, 0x0022, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
  36.  
  37.  
  38.  
  39. #define ATA_IDENTIFY_DEVICE 0xec
  40.  
  41.  
  42.  
  43. #pragma pack(1)
  44.  
  45.  
  46.  
  47. typedef struct ServiceDescriptorEntry {
  48.  
  49. unsigned int *ServiceTableBase;
  50.  
  51. unsigned int *ServiceCounterTableBase; //Used only in checked build
  52.  
  53. unsigned int NumberOfServices;
  54.  
  55. unsigned char *ParamTableBase;
  56.  
  57. } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
  58.  
  59.  
  60.  
  61. struct ata_identify_device {
  62.  
  63. unsigned short words000_009[10];
  64.  
  65. unsigned char serial_no[20];
  66.  
  67. unsigned short words020_022[3];
  68.  
  69. unsigned char fw_rev[8];
  70.  
  71. unsigned char model[40];
  72.  
  73. unsigned short words047_079[33];
  74.  
  75. unsigned short major_rev_num;
  76.  
  77. unsigned short minor_rev_num;
  78.  
  79. unsigned short command_set_1;
  80.  
  81. unsigned short command_set_2;
  82.  
  83. unsigned short command_set_extension;
  84.  
  85. unsigned short cfs_enable_1;
  86.  
  87. unsigned short word086;
  88.  
  89. unsigned short csf_default;
  90.  
  91. unsigned short words088_255[168];
  92.  
  93. };
  94.  
  95.  
  96.  
  97. typedef enum _STORAGE_BUS_TYPE {
  98.  
  99. BusTypeUnknown = 0x00,
  100.  
  101. BusTypeScsi,
  102.  
  103. BusTypeAtapi,
  104.  
  105. BusTypeAta,
  106.  
  107. BusType1394,
  108.  
  109. BusTypeSsa,
  110.  
  111. BusTypeFibre,
  112.  
  113. BusTypeUsb,
  114.  
  115. BusTypeRAID,
  116.  
  117. BusTypeMaxReserved = 0x7F
  118.  
  119. } STORAGE_BUS_TYPE, *PSTORAGE_BUS_TYPE;
  120.  
  121.  
  122.  
  123. // retrieve the storage device descriptor data for a device.
  124.  
  125. typedef struct _STORAGE_DEVICE_DESCRIPTOR {
  126.  
  127. ULONG Version;
  128.  
  129. ULONG Size;
  130.  
  131. UCHAR DeviceType;
  132.  
  133. UCHAR DeviceTypeModifier;
  134.  
  135. BOOLEAN RemovableMedia;
  136.  
  137. BOOLEAN CommandQueueing;
  138.  
  139. ULONG VendorIdOffset;
  140.  
  141. ULONG ProductIdOffset;
  142.  
  143. ULONG ProductRevisionOffset;
  144.  
  145. ULONG SerialNumberOffset;
  146.  
  147. STORAGE_BUS_TYPE BusType;
  148.  
  149. ULONG RawPropertiesLength;
  150.  
  151. UCHAR RawDeviceProperties[1];
  152.  
  153.  
  154.  
  155. } STORAGE_DEVICE_DESCRIPTOR, *PSTORAGE_DEVICE_DESCRIPTOR;
  156.  
  157.  
  158.  
  159.  
  160.  
  161. #pragma pack()
  162.  
  163.  
  164.  
  165. #pragma pack(1)
  166.  
  167.  
  168.  
  169. typedef struct _GETVERSIONOUTPARAMS {
  170.  
  171. UCHAR bVersion;
  172.  
  173. UCHAR bRevision;
  174.  
  175. UCHAR bReserved;
  176.  
  177. UCHAR bIDEDeviceMap;
  178.  
  179. ULONG fCapabilities;
  180.  
  181. ULONG dwReserved[4];
  182.  
  183. } GETVERSIONOUTPARAMS, *PGETVERSIONOUTPARAMS, *LPGETVERSIONOUTPARAMS;
  184.  
  185.  
  186.  
  187.  
  188.  
  189. typedef struct _IDEREGS {
  190.  
  191. UCHAR bFeaturesReg;
  192.  
  193. UCHAR bSectorCountReg;
  194.  
  195. UCHAR bSectorNumberReg;
  196.  
  197. UCHAR bCylLowReg;
  198.  
  199. UCHAR bCylHighReg;
  200.  
  201. UCHAR bDriveHeadReg;
  202.  
  203. UCHAR bCommandReg;
  204.  
  205. UCHAR bReserved;
  206.  
  207. } IDEREGS, *PIDEREGS, *LPIDEREGS;
  208.  
  209.  
  210.  
  211. typedef struct _SENDCMDINPARAMS {
  212.  
  213. ULONG cBufferSize;
  214.  
  215. IDEREGS irDriveRegs;
  216.  
  217. UCHAR bDriveNumber;
  218.  
  219. UCHAR bReserved[3];
  220.  
  221. ULONG dwReserved[4];
  222.  
  223. UCHAR bBuffer[1];
  224.  
  225. } SENDCMDINPARAMS, *PSENDCMDINPARAMS, *LPSENDCMDINPARAMS;
  226.  
  227.  
  228.  
  229.  
  230.  
  231. typedef struct _DRIVERSTATUS {
  232.  
  233. UCHAR bDriverError;
  234.  
  235. UCHAR bIDEError;
  236.  
  237. UCHAR bReserved[2];
  238.  
  239. ULONG dwReserved[2];
  240.  
  241. } DRIVERSTATUS, *PDRIVERSTATUS, *LPDRIVERSTATUS;
  242.  
  243.  
  244.  
  245. typedef struct _SENDCMDOUTPARAMS {
  246.  
  247. ULONG cBufferSize;
  248.  
  249. DRIVERSTATUS DriverStatus;
  250.  
  251. UCHAR bBuffer[1];
  252.  
  253. } SENDCMDOUTPARAMS, *PSENDCMDOUTPARAMS, *LPSENDCMDOUTPARAMS;
  254.  
  255.  
  256.  
  257.  
  258.  
  259. #pragma pack()
  260.  
  261.  
  262.  
  263.  
  264.  
  265. __declspec(dllimport) ServiceDescriptorTableEntry_t
  266.  
  267. KeServiceDescriptorTable;
  268.  
  269.  
  270.  
  271.  
  272.  
  273. // smartmontools code to deal with non big endian system
  274.  
  275.  
  276.  
  277. // Copies n bytes (or n-1 if n is odd) from in to out, but swaps adjacents
  278.  
  279. // bytes.
  280.  
  281. void swapbytes(char *out, const char *in, size_t n)
  282.  
  283. {
  284.  
  285. size_t i;
  286.  
  287.  
  288.  
  289. for (i = 0; i < n; i += 2) {
  290.  
  291. out[i] = in[i+1];
  292.  
  293. out[i+1] = in[i];
  294.  
  295. }
  296.  
  297. }
  298.  
  299.  
  300.  
  301. // Copies in to out, but removes leading and trailing whitespace.
  302.  
  303. void trim(char *out, const char *in)
  304.  
  305. {
  306.  
  307. int i, first, last;
  308.  
  309.  
  310.  
  311. // Find the first non-space character (maybe none).
  312.  
  313. first = -1;
  314.  
  315. for (i = 0; in[i]; i++)
  316.  
  317. if (!isspace((int)in[i])) {
  318.  
  319. first = i;
  320.  
  321. break;
  322.  
  323. }
  324.  
  325.  
  326.  
  327. if (first == -1) {
  328.  
  329. // There are no non-space characters.
  330.  
  331. out[0] = '\0';
  332.  
  333. return;
  334.  
  335. }
  336.  
  337.  
  338.  
  339. // Find the last non-space character.
  340.  
  341. for (i = strlen(in)-1; i >= first && isspace((int)in[i]); i--)
  342.  
  343. ;
  344.  
  345. last = i;
  346.  
  347.  
  348.  
  349. strncpy(out, in+first, last-first+1);
  350.  
  351. out[last-first+1] = '\0';
  352.  
  353. }
  354.  
  355.  
  356.  
  357. // Convenience function for formatting strings from ata_identify_device
  358.  
  359. void formatdriveidstring(char *out, const char *in, int n)
  360.  
  361. {
  362.  
  363. char tmp[65];
  364.  
  365. n = n > 64 ? 64 : n;
  366.  
  367. swapbytes(tmp, in, n);
  368.  
  369. tmp[n] = '\0';
  370.  
  371. trim(out, tmp);
  372.  
  373. }
  374.  
  375.  
  376.  
  377.  
  378.  
  379.  
  380.  
  381. NTSYSAPI
  382.  
  383. NTSTATUS
  384.  
  385. NTAPI ZwDeviceIoControlFile(
  386.  
  387. IN HANDLE FileHandle,
  388.  
  389. IN HANDLE Event OPTIONAL,
  390.  
  391. IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  392.  
  393. IN PVOID ApcContext OPTIONAL,
  394.  
  395. OUT PIO_STATUS_BLOCK IoStatusBlock,
  396.  
  397. IN ULONG IoControlCode,
  398.  
  399. IN PVOID InputBuffer OPTIONAL,
  400.  
  401. IN ULONG InputBufferLength,
  402.  
  403. OUT PVOID OutputBuffer OPTIONAL,
  404.  
  405. IN ULONG OutputBufferLength
  406.  
  407. );
  408.  
  409.  
  410.  
  411.  
  412.  
  413. typedef NTSTATUS (*ZWDEVICEIOCONTROLFILE)(
  414.  
  415. IN HANDLE FileHandle,
  416.  
  417. IN HANDLE Event OPTIONAL,
  418.  
  419. IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  420.  
  421. IN PVOID ApcContext OPTIONAL,
  422.  
  423. OUT PIO_STATUS_BLOCK IoStatusBlock,
  424.  
  425. IN ULONG IoControlCode,
  426.  
  427. IN PVOID InputBuffer OPTIONAL,
  428.  
  429. IN ULONG InputBufferLength,
  430.  
  431. OUT PVOID OutputBuffer OPTIONAL,
  432.  
  433. IN ULONG OutputBufferLength
  434.  
  435. );
  436.  
  437.  
  438.  
  439.  
  440.  
  441. ZWDEVICEIOCONTROLFILE OldZwDeviceIoControlFile;
  442.  
  443.  
  444.  
  445. NTSTATUS NewZwDeviceIoControlFile(
  446.  
  447. IN HANDLE FileHandle,
  448.  
  449. IN HANDLE Event OPTIONAL,
  450.  
  451. IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  452.  
  453. IN PVOID ApcContext OPTIONAL,
  454.  
  455. OUT PIO_STATUS_BLOCK IoStatusBlock,
  456.  
  457. IN ULONG IoControlCode,
  458.  
  459. IN PVOID InputBuffer OPTIONAL,
  460.  
  461. IN ULONG InputBufferLength,
  462.  
  463. OUT PVOID OutputBuffer OPTIONAL,
  464.  
  465. IN ULONG OutputBufferLength)
  466.  
  467. {
  468.  
  469.  
  470.  
  471. PSTORAGE_DEVICE_DESCRIPTOR output;
  472.  
  473. PSENDCMDINPARAMS cmdinput;
  474.  
  475. PSENDCMDOUTPARAMS cmdoutput;
  476.  
  477. struct ata_identify_device *hdid;
  478.  
  479.  
  480.  
  481. NTSTATUS rc;
  482.  
  483. rc = ((ZWDEVICEIOCONTROLFILE)(OldZwDeviceIoControlFile)) (
  484.  
  485. FileHandle,
  486.  
  487. Event,
  488.  
  489. ApcRoutine,
  490.  
  491. ApcContext,
  492.  
  493. IoStatusBlock,
  494.  
  495. IoControlCode,
  496.  
  497. InputBuffer,
  498.  
  499. InputBufferLength,
  500.  
  501. OutputBuffer,
  502.  
  503. OutputBufferLength
  504.  
  505. );
  506.  
  507.  
  508.  
  509.  
  510.  
  511.  
  512.  
  513. if(IoControlCode != IOCTL_STORAGE_QUERY_PROPERTY && IoControlCode != SMART_RCV_DRIVE_DATA)
  514.  
  515. return(rc);
  516.  
  517.  
  518.  
  519. if(NT_SUCCESS(rc))
  520.  
  521. {
  522.  
  523. switch( IoControlCode )
  524.  
  525. {
  526.  
  527. case IOCTL_STORAGE_QUERY_PROPERTY:
  528.  
  529.  
  530.  
  531. output = (PSTORAGE_DEVICE_DESCRIPTOR) OutputBuffer;
  532.  
  533. if( output->SerialNumberOffset )
  534.  
  535. {
  536.  
  537. char* serialnum = (char*)output + output->SerialNumberOffset;
  538.  
  539. formatdriveidstring(serialnum, "FAKE SERIAL", 40);
  540.  
  541. }
  542.  
  543.  
  544.  
  545. if( output->ProductIdOffset )
  546.  
  547. {
  548.  
  549. char* productid = (char*)output + output->ProductIdOffset;
  550.  
  551. strncpy( productid, "STUPID PB", strlen(productid) );
  552.  
  553. }
  554.  
  555.  
  556.  
  557. if( output->VendorIdOffset )
  558.  
  559. {
  560.  
  561. char* vendorid = (char*)output + output->VendorIdOffset;
  562.  
  563. strncpy( vendorid, "asdfghjkl", strlen(vendorid) );
  564.  
  565. }
  566.  
  567.  
  568.  
  569. break;
  570.  
  571.  
  572.  
  573. case SMART_RCV_DRIVE_DATA:
  574.  
  575.  
  576.  
  577. cmdinput = (PSENDCMDINPARAMS) InputBuffer;
  578.  
  579. cmdoutput = (PSENDCMDOUTPARAMS) OutputBuffer;
  580.  
  581.  
  582.  
  583. if (cmdinput->irDriveRegs.bCommandReg == ATA_IDENTIFY_DEVICE)
  584.  
  585. {
  586.  
  587. hdid = (struct ata_identify_device*) (cmdoutput->bBuffer);
  588.  
  589. formatdriveidstring(hdid->model, "spoofed model!", 40 );
  590.  
  591. formatdriveidstring( hdid->serial_no, "serial goes here", 20 );
  592.  
  593. }
  594.  
  595. break;
  596.  
  597. }
  598.  
  599. }
  600.  
  601.  
  602.  
  603. return(rc);
  604.  
  605. }
  606.  
  607.  
  608.  
  609. void DriverUnload(IN PDRIVER_OBJECT DriverObject)
  610.  
  611. {
  612.  
  613.  
  614.  
  615. _asm
  616.  
  617. {
  618.  
  619. CLI //dissable interrupt
  620.  
  621. MOV EAX, CR0 //move CR0 register into EAX
  622.  
  623. AND EAX, NOT 10000H //disable WP bit
  624.  
  625. MOV CR0, EAX //write register back
  626.  
  627. }
  628.  
  629.  
  630.  
  631. (KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)ZwDeviceIoControlFile+1)])
  632.  
  633. = (ULONG)OldZwDeviceIoControlFile;
  634.  
  635.  
  636.  
  637. _asm
  638.  
  639.  
  640.  
  641. {
  642.  
  643. MOV EAX, CR0 //move CR0 register into EAX
  644.  
  645. OR EAX, 10000H //enable WP bit
  646.  
  647. MOV CR0, EAX //write register back
  648.  
  649. STI //enable interrupt
  650.  
  651. }
  652.  
  653. }
  654.  
  655.  
  656.  
  657.  
  658.  
  659. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
  660.  
  661. {
  662.  
  663.  
  664.  
  665. DriverObject->DriverUnload = DriverUnload;
  666.  
  667.  
  668.  
  669. // save old system call locations
  670.  
  671.  
  672.  
  673. OldZwDeviceIoControlFile = (ZWDEVICEIOCONTROLFILE)(KeServiceDescriptorTable.ServiceTableBase[
  674.  
  675. *(PULONG)((PUCHAR)ZwDeviceIoControlFile+1)]);
  676.  
  677.  
  678.  
  679. _asm
  680.  
  681. {
  682.  
  683. CLI //dissable interrupt
  684.  
  685. MOV EAX, CR0 //move CR0 register into EAX
  686.  
  687. AND EAX, NOT 10000H //disable WP bit
  688.  
  689. MOV CR0, EAX //write register back
  690.  
  691. }
  692.  
  693.  
  694.  
  695. (KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)ZwDeviceIoControlFile+1)])
  696.  
  697. = (ULONG)NewZwDeviceIoControlFile;
  698.  
  699.  
  700.  
  701. _asm
  702.  
  703. {
  704.  
  705. MOV EAX, CR0 //move CR0 register into EAX
  706.  
  707. OR EAX, 10000H //enable WP bit
  708.  
  709. MOV CR0, EAX //write register back
  710.  
  711. STI //enable interrupt
  712.  
  713. }
  714.  
  715.  
  716.  
  717. return STATUS_SUCCESS;
  718.  
  719. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!