Untitled

a guest
Nov 19th, 2018
  1. // Author: Omdihar
  2.  
  3. #include "HwidSpoofer.h"
  4. #include "SystemRoutines.h"
  5.  
  6. #include <ntddstor.h>
  7. #include <Ntdddisk.h>
  8.  
// Saved IRP_MJ_DEVICE_CONTROL dispatch of \Driver\Disk. Written once by
// IrpHookDisk; HookedMjDeviceControl forwards every device-control IRP to it.
PDRIVER_DISPATCH OldIrpMj;
// Digit alphabet used for the 'X' slots of SpoofedHWID (see SpoofSerialNumber).
char NumTable[] = "123456789";
// Serial-number template filled in once on first use: 'X' slots become digits,
// 'Y' slots become uppercase letters, the leading space is kept as-is.
// The array is 13 bytes (11 characters + the explicit "\0" + the implicit
// terminator); SpoofSerialNumber nevertheless copies 21 bytes out of it.
char SpoofedHWID[] = " XXXYYYYYYX\0";
// Set once the template has been filled in. A plain bool with no interlock —
// NOTE(review): two completion routines running concurrently could both enter
// the generation path; confirm whether that matters to the callers.
bool HWIDGenerated = false;
  13.  
// Overwrite the serial-number string inside a STORAGE_DEVICE_DESCRIPTOR with
// the driver-wide value held in SpoofedHWID.
//
// serialNumber: points into the caller's descriptor at SerialNumberOffset
//               (see StorageQueryCompletionRoutine). Exactly 21 bytes are
//               written there unconditionally; neither this function nor its
//               caller checks that 21 bytes fit in the destination, so a
//               serial field shorter than that is overrun.
// Side effects: the first call fills in SpoofedHWID and sets HWIDGenerated.
VOID SpoofSerialNumber(char* serialNumber)
{
    // Random HWID not generated -> Generate one
    if (!HWIDGenerated)
    {
        HWIDGenerated = true;

        //Generate random hwid, seeded from the current system time
        LARGE_INTEGER Seed;
        KeQuerySystemTimePrecise(&Seed);

        for (int i = 0; i < strlen(SpoofedHWID); ++i)
        {
            // 'Y' -> uppercase ASCII letter (65 == 'A', 26 letters).
            if (SpoofedHWID[i] == 'Y')
            {
                SpoofedHWID[i] = RtlRandomEx(&Seed.LowPart) % 26 + 65;
            }

            // 'X' -> digit from NumTable. The modulus is strlen(NumTable) - 1,
            // i.e. 8, so only indices 0..7 are reachable and '9' is never
            // chosen. Also note this test is not an else-branch: a 'Y' slot
            // that just drew the letter 'X' is re-tested here and turned into
            // a digit.
            if (SpoofedHWID[i] == 'X')
            {
                SpoofedHWID[i] = NumTable[RtlRandomEx(&Seed.LowPart) % (strlen(NumTable) - 1)];
            }
        }
    }

    //DbgPrint("SpoofedHWID: %s\n", SpoofedHWID);
    // Fixed 21-byte copy although sizeof SpoofedHWID is 13: the trailing
    // 8 bytes are read from whatever follows SpoofedHWID in the data section.
    memcpy((void*)serialNumber,
        (void*)SpoofedHWID,
        21);
}
  44.  
// Per-IRP context stored in the I/O stack location's Context field so the
// completion routine can find and restore the caller's own routine.
// Allocated with ExAllocatePool in HookedMjDeviceControl; freed with
// ExFreePool in StorageQueryCompletionRoutine / SmartCompletionRoutine.
struct REQUEST_STRUCT
{
    PIO_COMPLETION_ROUTINE OldRoutine;            // completion routine present before the hook replaced it
    PVOID OldContext;                             // the Context that went with OldRoutine
    ULONG OutputBufferLength;                     // DeviceIoControl.OutputBufferLength captured at dispatch
    PSTORAGE_DEVICE_DESCRIPTOR StorageDescriptor; // Irp->AssociatedIrp.SystemBuffer captured at dispatch
};
  52.  
// Completion routine installed by HookedMjDeviceControl for
// IOCTL_STORAGE_QUERY_PROPERTY / StorageDeviceProperty requests. Runs after the
// disk driver has filled the STORAGE_DEVICE_DESCRIPTOR and, if the serial
// offset passes the check below, rewrites the serial string in place.
//
// DeviceObject, Irp: passed through to the saved caller's routine.
// Context: the REQUEST_STRUCT allocated at dispatch (may be NULL); it is
//          unpacked and freed here.
// Returns: the saved routine's status when one is chained, else STATUS_SUCCESS.
NTSTATUS StorageQueryCompletionRoutine(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp,
    PVOID Context
)
{
    // Both parameters are in fact used below; the macros only silence warnings.
    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Context);

    //Grab old routine and free buffer
    PIO_COMPLETION_ROUTINE OldCompletionRoutine = NULL;
    PVOID OldContext = NULL;
    ULONG OutputBufferLength = 0;
    PSTORAGE_DEVICE_DESCRIPTOR descriptor = NULL;

    if (Context != NULL)
    {
        REQUEST_STRUCT* pRequest = (REQUEST_STRUCT*)Context;
        OldCompletionRoutine = pRequest->OldRoutine;
        OldContext = pRequest->OldContext;
        OutputBufferLength = pRequest->OutputBufferLength;
        descriptor = pRequest->StorageDescriptor;

        ExFreePool(Context);
    }

    //DbgPrint("SerialNumberOffset: %i, OutputBufferLength: %i\n", descriptor->SerialNumberOffset, OutputBufferLength);

    // Descriptor sanity check. With Context == NULL, OutputBufferLength is 0,
    // the first comparison fails and the NULL descriptor is never dereferenced.
    // The limit used is the caller-requested output size captured at dispatch,
    // not Irp->IoStatus.Information (bytes the lower driver actually returned),
    // and nothing verifies that the 21 bytes SpoofSerialNumber writes stay
    // below OutputBufferLength.
    if (FIELD_OFFSET(STORAGE_DEVICE_DESCRIPTOR, SerialNumberOffset) < OutputBufferLength &&
        descriptor->SerialNumberOffset > 0 &&
        descriptor->SerialNumberOffset < OutputBufferLength)
    {
        char* SerialNumber = ((char*)descriptor) + descriptor->SerialNumberOffset;
        //DbgPrint("%s: SerialNumber: %s\n", __FUNCTION__,
        // SerialNumber);

        SpoofSerialNumber(SerialNumber);

        //DbgPrint("%s: Spoofed: %s (%i)\n", __FUNCTION__,
        // SerialNumber, strlen(SerialNumber));
    }
    else
    {
        //DbgPrint("%s: Invalid PSTORAGE_DEVICE_DESCRIPTOR\n", __FUNCTION__);
    }

    // Call next completion routine (if any). HookedMjDeviceControl reset
    // Ioc->Control to SL_INVOKE_ON_SUCCESS only, so this routine — and hence
    // the saved one — is reached solely for IRPs that completed successfully;
    // any other SL_INVOKE_* bits the caller had set were cleared.
    if ((Irp->StackCount > (ULONG)1) && (OldCompletionRoutine != NULL))
        return OldCompletionRoutine(DeviceObject, Irp, OldContext);

    return STATUS_SUCCESS;
}
  105.  
// Completion routine installed by HookedMjDeviceControl for SMART_RCV_DRIVE_DATA.
// The request is still sent down to the disk driver; on successful completion
// the status is rewritten to STATUS_NOT_SUPPORTED so the caller sees a failure.
// Irp->IoStatus.Information is left untouched, so whatever the lower driver
// wrote into the output buffer remains there.
//
// DeviceObject: unused.
// Irp: its IoStatus.Status is overwritten.
// Context: the REQUEST_STRUCT from dispatch (may be NULL); unpacked and freed.
// Returns: the rewritten IoStatus.Status.
NTSTATUS SmartCompletionRoutine(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp,
    PVOID Context
)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    //Grab old routine and free buffer
    PIO_COMPLETION_ROUTINE OldCompletionRoutine = NULL;
    PVOID OldContext = NULL;

    if (Context != NULL)
    {
        REQUEST_STRUCT* pRequest = (REQUEST_STRUCT*)Context;
        OldCompletionRoutine = pRequest->OldRoutine;
        OldContext = pRequest->OldContext;
        ExFreePool(Context);
    }

    //DbgPrint("%s: Returning STATUS_NOT_SUPPORTED\n", __FUNCTION__);

    // We deny access by returning an ERROR code
    Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;

    // Call next completion routine (if any) — deliberately disabled: the saved
    // routine (and OldContext, which is therefore unused) is never invoked, so
    // a driver above that installed its own completion routine for this IRP
    // never sees it complete through that routine.
    //if ((Irp->StackCount > (ULONG)1) && (OldCompletionRoutine != NULL))
    // return OldCompletionRoutine(DeviceObject, Irp, OldContext);

    return Irp->IoStatus.Status;
}
  137.  
// Replacement IRP_MJ_DEVICE_CONTROL dispatch for \Driver\Disk. Every IRP is
// forwarded to the original dispatch (OldIrpMj); for two IOCTLs a completion
// routine is first installed in the current stack location so the result can
// be altered on the way back up.
//
// DeviceObject, Irp: forwarded unchanged to OldIrpMj.
// Returns: whatever OldIrpMj returns.
//
// Defects visible in this function (none are handled here):
//  - ExAllocatePool's return value is not checked; a NULL result is
//    dereferenced on the following line. The untagged variant is used.
//  - Ioc->Control is reset to SL_INVOKE_ON_SUCCESS only, discarding whatever
//    invocation bits the caller had set. On a failed or cancelled IRP neither
//    our routine nor the saved one runs and the REQUEST_STRUCT is leaked.
//  - For IOCTL_STORAGE_QUERY_PROPERTY, SystemBuffer is read as a
//    STORAGE_PROPERTY_QUERY without checking that it is non-NULL or that
//    InputBufferLength covers the structure.
//  - The switch has no default: branch; every other IOCTL simply falls
//    through to the forward.
NTSTATUS HookedMjDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    // Stack location addressed to the disk driver. Its CompletionRoutine /
    // Context fields were populated by the driver above us, which is why they
    // are saved before being replaced.
    PIO_STACK_LOCATION Ioc = IoGetCurrentIrpStackLocation(Irp);

    switch (Ioc->Parameters.DeviceIoControl.IoControlCode)
    {
    case IOCTL_STORAGE_QUERY_PROPERTY:
    {
        PSTORAGE_PROPERTY_QUERY query = (PSTORAGE_PROPERTY_QUERY)Irp->AssociatedIrp.SystemBuffer;

        // Only StorageDeviceProperty queries (the ones that return a
        // STORAGE_DEVICE_DESCRIPTOR with a serial number) are intercepted.
        if (query->PropertyId == StorageDeviceProperty)
        {
            // Register CompletionRotuine — success path only; previous bits cleared.
            Ioc->Control = 0;
            Ioc->Control |= SL_INVOKE_ON_SUCCESS;

            // Save old completion routine
            PVOID OldContext = Ioc->Context;
            Ioc->Context = (PVOID)ExAllocatePool(NonPagedPool, sizeof(REQUEST_STRUCT));
            REQUEST_STRUCT *pRequest = (REQUEST_STRUCT*)Ioc->Context;
            pRequest->OldRoutine = Ioc->CompletionRoutine;
            pRequest->OldContext = OldContext;
            // For METHOD_BUFFERED IOCTLs the same SystemBuffer carries the
            // input query on the way down and the descriptor on the way up.
            pRequest->OutputBufferLength = Ioc->Parameters.DeviceIoControl.OutputBufferLength;
            pRequest->StorageDescriptor = (PSTORAGE_DEVICE_DESCRIPTOR)Irp->AssociatedIrp.SystemBuffer;

            // Setup our function to be called
            // upon completion of the IRP
            Ioc->CompletionRoutine = (PIO_COMPLETION_ROUTINE)StorageQueryCompletionRoutine;
        }

        break;

    }
    case SMART_RCV_DRIVE_DATA:
    {
        // Same pattern as above, but the completion routine turns the
        // successful result into STATUS_NOT_SUPPORTED.
        Ioc->Control = 0;
        Ioc->Control |= SL_INVOKE_ON_SUCCESS;

        // Save old completion routine
        PVOID OldContext = Ioc->Context;
        Ioc->Context = (PVOID)ExAllocatePool(NonPagedPool, sizeof(REQUEST_STRUCT));
        REQUEST_STRUCT *pRequest = (REQUEST_STRUCT*)Ioc->Context;
        pRequest->OldRoutine = Ioc->CompletionRoutine;
        pRequest->OldContext = OldContext;

        // Setup our function to be called
        // upon completion of the IRP
        Ioc->CompletionRoutine = (PIO_COMPLETION_ROUTINE)SmartCompletionRoutine;

        break;
    }
    }

    // Always hand the IRP to the real disk dispatch.
    return OldIrpMj(DeviceObject, Irp);

}
  194.  
// Install the hook: look up the \Driver\Disk driver object by name and replace
// its IRP_MJ_DEVICE_CONTROL entry with HookedMjDeviceControl, keeping the
// original in OldIrpMj.
//
// Returns: the ObReferenceObjectByName status; STATUS_SUCCESS means the entry
//          was swapped.
// Notes:
//  - ObReferenceObjectByName takes a reference on the driver object that is
//    never released here (no ObDereferenceObject call), so the object stays
//    pinned.
//  - No unhook is visible in this file. After this call the disk driver's
//    dispatch entry points outside its own image, which is the artifact a
//    dispatch-table integrity check would look for.
//  - Calling this twice stores HookedMjDeviceControl itself in OldIrpMj, so
//    the forward in HookedMjDeviceControl would recurse.
NTSTATUS IrpHookDisk()
{
    PDRIVER_OBJECT hookDriver = NULL;

    UNICODE_STRING unDriverName;
    RtlInitUnicodeString(&unDriverName, L"\\Driver\\Disk");

    // Resolve the named driver object (kernel-mode lookup, no access check).
    auto Status = ObReferenceObjectByName(&unDriverName,
        OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL,
        (PVOID*)&hookDriver);

    if (!NT_SUCCESS(Status))
    {
        //DbgPrint("Failed to get driver object ptr: %X\n", Status);
        return Status;
    }

    // Swap the dispatch pointer; the original is needed by HookedMjDeviceControl.
    OldIrpMj = hookDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    hookDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = (PDRIVER_DISPATCH)HookedMjDeviceControl;

    return Status;

}