  1. #include <ntddk.h>
  2.  
  3.  
/* Debug-object access-right masks. DEBUG_ALL_ACCESS is the value DriverEntry
 * hands to SetValidAccessMask; DEBUG_PROCESS_ASSIGN only appears in a comment. */
#define DEBUG_ALL_ACCESS (0x1F000F)
#define DEBUG_PROCESS_ASSIGN (0x0002)

/* Timer/DPC pair used by SetValidAccessMask to rewrite the access mask
 * periodically; NextTime is the (relative) due time passed to KeSetTimer. */
KTIMER TimerObject;
KDPC DpcObject;
LARGE_INTEGER NextTime;
/* Kernel address of DbgkDebugObjectType->TypeInfo.ValidAccessMask, computed in
 * SetValidAccessMask and written by the DPC. Nothing validates it later and
 * nothing saves the value that was there before the first write. */
ULONGLONG ValidAccessMaskAdr;

/* Build-specific constants: one SSDT index plus raw structure and instruction
 * offsets taken from a single kernel build (the "W7" suffix and the kd dumps
 * below). Nothing checks them against the running kernel. */
const ULONG kNtCreateDebugObjectIndex = 0x90;   /* SSDT index of NtCreateDebugObject */
const ULONG kTypeInfoOffset = 0x40;             /* _OBJECT_TYPE.TypeInfo (dump below) */
const ULONG kValidAccessMaskOffset = 0x1c;      /* _OBJECT_TYPE_INITIALIZER.ValidAccessMask (dump below) */
const LONG kDbgkDebugObjectOffsetW7 = 0x7c;     /* offset inside NtCreateDebugObject of the mov that references DbgkDebugObjectType */
const LONG kInstructLen = 0x7;                  /* length of that mov; added for the rip-relative target */
  17.  
  18.  
/*
 * Driver-side copy of the kernel's service descriptor table entry layout
 * (nt!KeServiceDescriptorTable). Only ServiceTableBase is read by this driver
 * (GetDbgkDebugObjectTypeAddr); the remaining members are presumably kept so the
 * offsets line up. No member is validated against the running kernel.
 */
typedef struct _KSERVICE_TABLE_DESCRIPTOR {
    unsigned long *ServiceTableBase;          /* SSDT: per-service offsets, decoded by GetNTAddressFromSSDT */
    unsigned long *ServiceCounterTableBase;   /* not used here */
    unsigned long NumberOfServices;           /* not used here; never used to bound a ServiceId */
    unsigned char *ParamTableBase;            /* not used here */
} ServiceDescriptorTableEntry, *pServiceDescriptorTableEntry;
  25.  
  26. ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  27. // Description :
  28. // Retrieve KeServiceDescriptorTable address
  29. // Parameters :
  30. // None
  31. // Return value :
  32. // ULONGLONG : The service descriptor table address
  33. // Process :
  34. // Since KeServiceDescriptorTable isn't an exported symbol anymore, we have to retrieve it.
  35. // When looking at the disassembly version of nt!KiSystemServiceRepeat, we can see interesting instructions :
  36. // 4c8d15c7202300 lea r10, [nt!KeServiceDescriptorTable (addr)] => it's the address we are looking for (:
  37. // 4c8d1d00212300 lea r11, [nt!KeServiceDescriptorTableShadow (addr)]
  38. // f7830001000080 test dword ptr[rbx+100h], 80h
  39. //
  40. // Furthermore, the LSTAR MSR value (at 0xC0000082) is initialized with nt!KiSystemCall64, which is a function
  41. // close to nt!KiSystemServiceRepeat. We will begin to search from this address, the opcodes 0x83f7, the ones
  42. // after the two lea instructions, once we get here, we can finally retrieve the KeServiceDescriptorTable address
  43. ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * Locate nt!KeServiceDescriptorTable by scanning the page that contains the
 * IA32_LSTAR (0xC0000082) syscall entry point for the byte pattern that follows
 * the two lea instructions described in the header comment above.
 *
 * Returns the computed table address, or 0 when the pattern is not found within
 * the page. Callers must check for 0: GetDbgkDebugObjectTypeAddr dereferences
 * the result without doing so.
 *
 * This is a build-specific heuristic. Any change in the instruction sequence or
 * encoding around KiSystemServiceRepeat breaks it silently -- the failure mode
 * is a wrong address, not an error.
 */
ULONGLONG GetKeServiceDescriptorTable64()
{
    /* Scan start: the syscall entry address held in the LSTAR MSR. */
    PUCHAR pStartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
    /* Scan end: first byte of the next page, so the search stays inside the
     * page holding the entry point. The 4-byte reads below can still extend up
     * to 3 bytes past this boundary. */
    PUCHAR pEndSearchAddress = (PUCHAR)(((ULONG_PTR)pStartSearchAddress + PAGE_SIZE) & (~0x0FFF));
    PULONG pFindCodeAddress = NULL;

    /* Pre-increment: the byte at the LSTAR address itself is never examined. */
    while (++pStartSearchAddress < pEndSearchAddress)
    {
        /* Little-endian 4-byte read. Matches when byte[1] == 0x00, byte[2] == 0xf7
         * and byte[3] == 0x83, i.e. the final byte of the preceding lea followed
         * by the "test" opcode bytes; byte[0] is masked off. */
        if ((*(PULONG)pStartSearchAddress & 0xFFFFFF00) == 0x83f70000)
        {
            /* Step back 12 bytes to the start of the first 7-byte lea, which is
             * 14 bytes before the 0xf7 byte that matched at offset +2. */
            pFindCodeAddress = (PULONG)(pStartSearchAddress - 12);
            /* Rebuild the rip-relative displacement from bytes 3..5 of the lea
             * (only the low 24 bits of the 32-bit displacement are used, so the
             * top byte is assumed to be 0) and add the 7-byte instruction length
             * to obtain the target address. */
            return (ULONG_PTR)pFindCodeAddress + (((*(PULONG)pFindCodeAddress) >> 24) + 7) + (ULONG_PTR)(((*(PULONG)(pFindCodeAddress + 1)) & 0x0FFFF) << 8);
        }
    }
    return 0;
}
  60.  
  61. ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
  62. // Description :
  63. // Retrieve the Nt* address function given its syscall number in the SSDT
  64. // Parameters :
  65. // PULONG KiServiceTable : the SSDT base address
  66. // ULONG ServiceId : a syscall number
  67. // Return value :
  68. // ULONGLONG : the address of the function which has the syscall number given in argument
  69. // Process :
  70. // Because the addresses contained in the SSDT have the last four bits reserved to store the number of arguments,
  71. // in order to retrieve only the address, we shift four bits to the right
  72. ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * Resolve an SSDT entry to a function address.
 *
 * KiServiceTable: base of the service table (ServiceTableBase of the descriptor
 *                 returned by GetKeServiceDescriptorTable64).
 * ServiceId:      index into that table. No bounds check is performed against
 *                 NumberOfServices.
 *
 * Returns the table base plus the entry's offset. The entry's low four bits
 * carry the argument count (see the header comment), so they are shifted out.
 *
 * NOTE(review): ">> 4" on a ULONG is a logical shift. If an entry encodes a
 * negative offset (target located below the table base), the sign is not
 * preserved here and the result is wrong -- confirm against the target build.
 */
ULONGLONG GetNTAddressFromSSDT(PULONG KiServiceTable, ULONG ServiceId)
{
    return (LONGLONG)(KiServiceTable[ServiceId] >> 4)
    + (ULONGLONG)KiServiceTable;
}
  78.  
  79.  
  80. /*
  81. DbgkDebugObjectType
  82.  
  83. kd> dt nt!_OBJECT_TYPE
  84. +0x000 TypeList : _LIST_ENTRY
  85. +0x010 Name : _UNICODE_STRING
  86. +0x020 DefaultObject : Ptr64 Void
  87. +0x028 Index : UChar
  88. +0x02c TotalNumberOfObjects : Uint4B
  89. +0x030 TotalNumberOfHandles : Uint4B
  90. +0x034 HighWaterNumberOfObjects : Uint4B
  91. +0x038 HighWaterNumberOfHandles : Uint4B
  92. +0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
  93. +0x0b0 TypeLock : _EX_PUSH_LOCK
  94. +0x0b8 Key : Uint4B
  95. +0x0c0 CallbackList : _LIST_ENTRY
  96.  
  97. fffff800`02eade1c 488b151db1daff mov rdx,qword ptr [nt!DbgkDebugObjectType (fffff800`02c58f40)]
  98.  
  99. */
/*
 * Find the address of the global pointer nt!DbgkDebugObjectType.
 *
 * Reads the rip-relative displacement of the "mov rdx, [nt!DbgkDebugObjectType]"
 * instruction (kd excerpt above) at a fixed, build-specific offset
 * (kDbgkDebugObjectOffsetW7) inside NtCreateDebugObject, which is itself
 * resolved through the SSDT.
 *
 * Returns the absolute address the instruction references: the address of the
 * pointer variable, not of the _OBJECT_TYPE it points to.
 *
 * No intermediate result is validated. If GetKeServiceDescriptorTable64 returned
 * 0, the "->ServiceTableBase" access below dereferences a null pointer; if the
 * fixed offset does not land on the expected mov, the returned value is garbage
 * that SetValidAccessMask then dereferences.
 */
ULONGLONG GetDbgkDebugObjectTypeAddr()
{
    /* Declared signed although the function returns ULONGLONG. */
    LONGLONG Result = 0;

    pServiceDescriptorTableEntry KeSericeDescriptorTable = (pServiceDescriptorTableEntry)GetKeServiceDescriptorTable64();
    ULONGLONG NtCreateDebugObject = GetNTAddressFromSSDT(KeSericeDescriptorTable->ServiceTableBase, kNtCreateDebugObjectIndex);
    /* disp32 starts 3 bytes into the 7-byte mov (REX prefix, opcode, modrm). */
    LONG DbgkDebugObjectTypeOffset = *(LONG*)(NtCreateDebugObject + kDbgkDebugObjectOffsetW7 + 0x3);

    /* rip-relative: target = address of the mov + its length + displacement. */
    Result = DbgkDebugObjectTypeOffset + (LONGLONG)NtCreateDebugObject + kDbgkDebugObjectOffsetW7 + kInstructLen;

    /* %p with integer arguments: same width on x64, but the specifiers do not
     * match the argument types. */
    KdPrint(("NtCreateDebugObject:%p:%p:%x\n",NtCreateDebugObject, Result, DbgkDebugObjectTypeOffset));

    return Result;
}
  114.  
  115. //MmIsAddressValid ProbeForRead
/*
 * Timer DPC: rewrite DbgkDebugObjectType's ValidAccessMask and re-arm.
 *
 * DeferredContext carries the mask value (the DebugAccess argument of
 * SetValidAccessMask, cast to PVOID). Dpc and both SystemArguments are unused.
 *
 * Each run stores the low 32 bits of DeferredContext into the 4-byte field at
 * ValidAccessMaskAdr and queues itself again after NextTime, so the field is
 * overwritten every period regardless of what the kernel set it to. The loop
 * ends only when an exception is caught here (timer cancelled, not re-armed) or
 * when Unload cancels the timer.
 *
 * NOTE(review): a DPC runs at DISPATCH_LEVEL. MmIsAddressValid is a
 * check-then-use on memory that can change state before the store, and an
 * access fault at this IRQL is generally a bugcheck rather than something the
 * __except block can catch -- confirm the recovery path actually works.
 */
VOID SetValidAccessMaskDpc(
    __in struct _KDPC *Dpc,
    __in_opt PVOID DeferredContext,
    __in_opt PVOID SystemArgument1,
    __in_opt PVOID SystemArgument2
)
{
    UNREFERENCED_PARAMETER(Dpc);
    UNREFERENCED_PARAMETER(SystemArgument1);
    UNREFERENCED_PARAMETER(SystemArgument2);
    __try
    {
        if (MmIsAddressValid((PVOID)ValidAccessMaskAdr))
        {
            /* 4-byte store of the mask value. */
            *((ULONG*)ValidAccessMaskAdr) = (ULONG)DeferredContext;
            /* Reads 8 bytes at a 4-byte field: the upper half is the neighbouring
             * RetainAccess member (+0x20 in the dump below), not part of the mask. */
            KdPrint(("Validaccessmask==%p\n", *(ULONGLONG*)ValidAccessMaskAdr));
        }

    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        NTSTATUS Status = GetExceptionCode();
        /* Stop the periodic rewrite; nothing restores the field's original value. */
        KeCancelTimer(&TimerObject);
        KdPrint(("SetValidAccessMaskDpc Exception:%x\n",Status));
        return;
    }
    /* Re-arm with the relative due time set in SetValidAccessMask. */
    KeSetTimer(&TimerObject, NextTime, &DpcObject);
    return;
}
  145. /*
  146. kd> dt _OBJECT_TYPE_INITIALIZER
  147. ntdll!_OBJECT_TYPE_INITIALIZER
  148. +0x000 Length : Uint2B
  149. +0x002 ObjectTypeFlags : UChar
  150. +0x002 CaseInsensitive : Pos 0, 1 Bit
  151. +0x002 UnnamedObjectsOnly : Pos 1, 1 Bit
  152. +0x002 UseDefaultObject : Pos 2, 1 Bit
  153. +0x002 SecurityRequired : Pos 3, 1 Bit
  154. +0x002 MaintainHandleCount : Pos 4, 1 Bit
  155. +0x002 MaintainTypeList : Pos 5, 1 Bit
  156. +0x002 SupportsObjectCallbacks : Pos 6, 1 Bit
  157. +0x004 ObjectTypeCode : Uint4B
  158. +0x008 InvalidAttributes : Uint4B
  159. +0x00c GenericMapping : _GENERIC_MAPPING
  160. +0x01c ValidAccessMask : Uint4B
  161. +0x020 RetainAccess : Uint4B
  162. +0x024 PoolType : _POOL_TYPE
  163. +0x028 DefaultPagedPoolCharge : Uint4B
  164. +0x02c DefaultNonPagedPoolCharge : Uint4B
  165. +0x030 DumpProcedure : Ptr64 void
  166. +0x038 OpenProcedure : Ptr64 long
  167. +0x040 CloseProcedure : Ptr64 void
  168. +0x048 DeleteProcedure : Ptr64 void
  169. +0x050 ParseProcedure : Ptr64 long
  170. +0x058 SecurityProcedure : Ptr64 long
  171. +0x060 QueryNameProcedure : Ptr64 long
  172. +0x068 OkayToCloseProcedure : Ptr64 unsigned char
  173. */
  174.  
/*
 * Compute the address of DbgkDebugObjectType->TypeInfo.ValidAccessMask and start
 * the periodic DPC that writes DebugAccess into it.
 *
 * DebugAccess: the mask value to write (passed to the DPC as DeferredContext).
 *
 * The first dereference below loads the _OBJECT_TYPE pointer stored in the
 * nt!DbgkDebugObjectType variable; kTypeInfoOffset (+0x40) and
 * kValidAccessMaskOffset (+0x1c) then select the field per the kd dumps above.
 * Nothing checks that GetDbgkDebugObjectTypeAddr succeeded, so a failed lookup
 * becomes a wild kernel read here. The field's original value is not saved, so
 * it cannot be restored later.
 *
 * Returns nothing; failure is not reported back to DriverEntry.
 */
VOID SetValidAccessMask(ULONG DebugAccess)
{

    ValidAccessMaskAdr = *(ULONGLONG*)GetDbgkDebugObjectTypeAddr() + kTypeInfoOffset + kValidAccessMaskOffset;

    /* 8-byte read of a 4-byte field (the upper half is RetainAccess). */
    KdPrint(("ValidAccessMask==%p\n", *(ULONGLONG*)ValidAccessMaskAdr));

    /* Negative due time = relative: 1,000,000 x 100 ns = 100 ms. */
    NextTime.QuadPart = -10000 * 100;
    KeInitializeTimer(&TimerObject);
    KeInitializeDpc(&DpcObject, &SetValidAccessMaskDpc, (PVOID)DebugAccess);
    KeSetTimer(&TimerObject, NextTime, &DpcObject);
}
  187.  
  188.  
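/*
 * Driver unload: stop the periodic DPC before the driver image goes away.
 *
 * The DPC re-arms TimerObject from inside itself, so a single KeCancelTimer can
 * miss: if the timer has already expired, the DPC is queued or running and will
 * set the timer again after this call returns -- and then fire into unmapped
 * code. KeCancelTimer reports TRUE only when it removed the timer from the
 * queue; on FALSE, drain queued DPCs with KeFlushQueuedDpcs and retry. The
 * retry count is bounded so the DPC's exception path (timer cancelled, never
 * re-armed) cannot make this spin. A final flush waits out a DPC that re-armed
 * the timer and is still returning.
 *
 * NOTE(review): the original ValidAccessMask value is never saved, so it is not
 * restored here; the modification to the object type persists after unload.
 */
VOID Unload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    for (int i = 0; i < 3; i++) {
        if (KeCancelTimer(&TimerObject)) {
            break;
        }
        KeFlushQueuedDpcs();
    }
    KeFlushQueuedDpcs();
}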
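/*
 * Driver entry point: gate on the OS version, register Unload, then start the
 * periodic ValidAccessMask rewrite.
 *
 * Returns STATUS_UNSUCCESSFUL when RtlGetVersion fails or the major version is
 * not 6, STATUS_SUCCESS otherwise. Failures inside SetValidAccessMask are not
 * reported back (it returns VOID), so a successful return does not mean the
 * lookups succeeded or the mask was written.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath)
{
    UNREFERENCED_PARAMETER(RegPath);

    RTL_OSVERSIONINFOW OsVer = { 0 };
    OsVer.dwOSVersionInfoSize = sizeof(OsVer);
    if (!NT_SUCCESS(RtlGetVersion(&OsVer))) {
        return STATUS_UNSUCCESSFUL;
    }

    /* NOTE(review): only the major version is checked. The offsets above are
     * named for Windows 7 (kDbgkDebugObjectOffsetW7) and were taken from one
     * kernel build, while every 6.x release reports dwMajorVersion == 6; a
     * build-level check is needed before trusting those offsets. */
    if (OsVer.dwMajorVersion != 6) {
        return STATUS_UNSUCCESSFUL;
    }

    /* Register the unload routine before the DPC loop is running so teardown
     * is always possible. */
    DriverObject->DriverUnload = Unload;

    /* The original source notes "DEBUG_ALL_ACCESS & ~DEBUG_PROCESS_ASSIGN" as an
     * alternative; the value actually written is the full mask. */
    ULONG DebugAccess = DEBUG_ALL_ACCESS;
    SetValidAccessMask(DebugAccess);
    return STATUS_SUCCESS;
}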